OutcomesOne
July 1, 2025
•[ social, phishing, healthcare ]
A phishing attack compromised a single employees email account for about one hour at OutcomesOne, a Florida-based professional services firm providing health IT and medication management support to insurers and pharmacies. Attackers accessed PHI stored in the organizations email application server, exposing data of roughly 149,000 individuals including names, demographics, provider, insurance, and medication information. No Social Security numbers or financial data were involved.
Undisclosed rural Nebraska school district
June 30, 2025
•[ phishing, BEC ]
A rural Nebraska school district lost approximately $1.8 million to a phishing/BEC scheme that diverted funds from intended recipients.
At least one individual tricked by phony Chinese e-commerce sites (multiple brands)
June 30, 2025
•[ phishing ]
GovInfoSecurity roundup highlights campaigns using phony Chinese retail websites to mimic brands and defraud consumers; treated here as campaign-level item.
CoinMarketCap
June 20, 2025
•[ phishing, malicious code injection ]
Malicious JavaScript injected into CoinMarketCaps website altered displayed content to show a fake wallet verification pop-up; code removed within hours; no confirmed data or monetary theft reported.
NetVision (Cellcom Israel)
June 17, 2025
•[ phishing, vulnerability exploitation, hacktivism ]
Pro-Palestinian hackers exploited a vulnerability in NetVisions legacy email infrastructure to send forged phishing messages impersonating Israeli government domains; servers used for distribution of malicious emails; no confirmed data theft or ransom demand reported.
Unnamed hotels in Brazil
June 13, 2025
•[ phishing, financial, malware ]
TA558 used LLM-generated JS/PowerShell loaders in phishing emails (Portuguese/Spanish) to deploy Venom RAT against hotels (Brazil/Spanish-speaking markets), aiming to siphon guest credit-card data from hotel systems/OTAs; observed in summer 2025, with no named victims or outages.
Lexington-Richland School District 5
June 5, 2025
•[ ransomware, phishing, education ]
On June 3, 2025, Lexington-Richland School District 5 detected a network intrusion following a phishing email that disrupted systems, delayed summer school and staff bonuses. Over 1.03 TB of data has been confirmed under review. Though Interlock claimed responsibility, this is unverified. The district refused ransom demands and is offering credit monitoring to affected individuals.
Microsoft Outlook / Office 365 Customers
June 1, 2025
•[ social, phishing, technology ]
Threat actors abused Proofpoint and Intermedia email-link wrapping services to deliver phishing emails posing as Teams notifications and voicemails, leading to theft of Microsoft Outlook / Office 365 login credentials from global users. No encryption occurred; actor identity unknown.
Multiple diplomatic and international organizations (particpating in Gaza peace talks)
June 1, 2025
•[ espionage, social, phishing ]
Homeland Justice, an Iranian MOIS-linked group, compromised an Omani Embassy email account and used it to deliver spear-phishing attachments to diplomats and international mediators engaged in Gaza ceasefire negotiations. This was an espionage operation with no service disruption reported. ~72K+ malicious Word emails sent via spear-phishing from a compromised Omani Embassy in Paris account; targeted Egyptian officials, U.S. and Qatari mediators, and organizations such as UN, UNICEF, World Bank, and African Union during Gaza ceasefire talks
Undisclosed Kyrgyzstan organization
June 1, 2025
•[ phishing, malware, state-sponsored ]
A nation-state actor known as Bloody Wolf conducted spearphishing impersonating the Kyrgyz Ministry of Justice to deploy JAR loaders and install NetSupport RAT for persistent access to organizational systems; no data theft was reported.
Farmers Insurance (via third-party vendor)
May 29, 2025
•[ social, phishing, finance ]
Over 1.1 million customers impacted by breach via Salesforce-linked vendor breach. Exfiltration involved social engineering/vishing and malicious OAuth apps, with ShinyHunters and Scattered Spider providing access and exfiltration. Two years of identity protection offered.
Saifuddin Nasution Ismail (WhatsApp account)
May 28, 2025
•[ phishing, account takeover, government ]
WhatsApp account of Malaysias Home Minister hacked in late May 2025 and used via a foreign VPN to send malicious/phishing links to contacts; government confirmed account compromise Jun 2 2025; no evidence of large-scale data theft or system outage.
Undisclosed Tajikistan government agencies
May 22, 2025
•[ espionage, phishing, data collection ]
Researchers reported a Russia-aligned espionage campaign targeting Tajik government, academic, and research entities using phishing lures and macro-enabled docs to collect data.
Keir Giles (UK academic)
May 22, 2025
•[ social engineering, phishing, data leak ]
Targeted social-engineering campaign impersonating U.S. State Department tricked Keir Giles into generating app-specific passwords, allowing a nation-state actor to access his Gmail account data stored on Google servers; no evidence of intrusion into affiliated institutional networks.
Kurdish Government and Media Institutions
May 15, 2025
•[ cyber-espionage, phishing, data leak ]
Iran-linked threat actor MuddyWater (MOIS) conducted cyber-espionage operations against Kurdish government and media infrastructure in Iraq during MayJune 2025 using phishing and web-shells to steal credentials and internal documents; reported Jun 25 2025.
KazMunaiGas
May 5, 2025
•[ social, hack, phishing ]
A spear-phishing campaign disguised as internal HR communications delivered multi-stage malware to KMG employees. Attackers used a compromised business email, LNK downloader, PowerShell (DOWNSHELL), and DLL implant to establish reverse shell access. KMG later labeled it a phishing test.
Government entities (36, Central Asia & APAC)
May 1, 2025
•[ espionage, phishing, malware ]
Phishing lures and Telegram botbased malware were used by the ShadowSilk cluster to compromise 36 government entities across Central Asia and the Asia-Pacific region between May and July 2025. The campaign focused on espionage, enabling unauthorized access and data theft, and was publicly reported in August 2025 by The Hacker News.
Multiple devices at undisclosed telecommunications firm(s)
May 1, 2025
•[ social, hack, phishing ]
UNC1549 (Subtle Snail) compromised multiple devices at an undisclosed telecommunications firm in Canada using LinkedIn job-lures and the MINIBIKE backdoor; Azure-hosted C2 infrastructure was observed. No confirmed data exfiltration volumes or operational disruption reported.
Multiple devices at undisclosed telecommunications firm(s)
May 1, 2025
•[ social, espionage, phishing ]
UNC1549 (Subtle Snail) compromised multiple devices at an undisclosed telecommunications firm in France using LinkedIn job-lures and the MINIBIKE backdoor; Azure-hosted C2 infrastructure was observed. No confirmed data exfiltration volumes or operational disruption reported.
Multiple devices at undisclosed telecommunications firm(s)
May 1, 2025
•[ social, hack, malware ]
UNC1549 (Subtle Snail) compromised multiple devices at an undisclosed telecommunications firm in United Arab Emirates using LinkedIn job-lures and the MINIBIKE backdoor; Azure-hosted C2 infrastructure was observed. No confirmed data exfiltration volumes or operational disruption reported.
