For the latest discoveries in cyber research for the week of 6th July, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
- The International Criminal Court (ICC) disclosed a sophisticated cyber‐security incident in late June 2025, its second such event in recent years. The intrusion, which occurred in June 2025, was promptly detected and contained, and the full extent of the impact is under investigation.
- Australian airline Qantas suffered a cyber incident after attackers targeted an offshore call center and accessed a third-party customer service platform, affecting records of up to 6 million customers. Stolen data includes personal data and frequent flyer numbers. Qantas contained the incident, notified authorities and customers, enlisted forensic teams, and is enhancing support and security.
- Ingram Micro, an American distributor of information technology products and services, was hit by a ransomware attack that resulted in the shutdown of internal systems, including its website, online ordering platforms, the Xvantage distribution platform, and the Impulse license provisioning platform. The ransomware gang SafePay claimed responsibility for the attack.
- Spanish telecom provider Telefónica suffered a possible cyber-attack by a threat actor affiliated with the Hellcat ransomware gang. The threat actor claims to exfiltrate 106 GB of sensitive internal data, including more than 385,000 files. The data includes information related to employees and business clients tied to European and Latin American subsidiaries.
- Gloucester County, Virginia, fell victim of a ransomware attack that resulted in the theft of sensitive information belonging to 3,527 current and former government employees. The attack led to significant personal data exposure, including Social Security numbers, bank account details and medical information. The BlackSuit ransomware gang claimed responsibility for the incident after the county reportedly refused to negotiate a ransom.
- The Swiss health-promotion non-profit Radix confirmed it was hit by a ransomware attack, resulting in data theft and encryption. The group’s clients include various federal administration offices, whose data was stolen and published on the dark web.
- German charity organization Welthungerhilfe was targeted by a ransomware-as-a-service group demanding 20 BTC ($2.1 million) for stolen data. The organization refused to pay, shut down affected systems, and engaged cybersecurity experts. Humanitarian operations remain unaffected while authorities investigate the incident.
- Columbia University has suffered a data breach that resulted in the theft of up to 460 gigabytes of sensitive information after a hacktivist with a political agenda accessed targeted IT systems. The stolen data reportedly includes at least 1.8 million Social Security numbers belonging to employees, applicants, students, and their family members.
VULNERABILITIES AND PATCHES
THREAT INTELLIGENCE REPORTS
- Check Point Research have uncovered a surge in cybercrime activity targeting Amazon Prime Day 2025, with over 1,000 new domains resembling Amazon appearing in June—87% of which are flagged as malicious or suspicious. The fraudulent domains are designed to harvest login credentials via phishing pages that mimic legitimate Amazon sign-in portals, aimed to lure victims into entering personal information or payment details on fake websites.
- Researchers analyzed the “Scattered Spider” financially motivated cybercriminal group. The threat actor targets individuals rather than exploiting software vulnerabilities directly, employing social engineering and living-off-the-land techniques to penetrate organizations across telecom, gaming, transportation, and retail.
- The Hunters International ransomware group announced it is shutting down, providing free decryption tools to previous victims, though their effectiveness is questioned by incident responders. Researchers say that the group is transitioning to operate as an extortion-only platform known as World Leaks, with strong operational and code similarities to Hive ransomware.
- Researchers have discovered “RondoDox,” a sophisticated botnet that infects TBK DVRs and Four‑Faith routers by exploiting CVE‑2024‑3721 and CVE‑2024‑12856. After gaining access, the malware covertly establishes persistence, disguises its traffic as gaming or VPN packets, downloads additional payloads via secure connections, and enables devices to launch distributed denial‑of‑service (DDoS) attacks.
