ThreatLocker helps organizations reduce risk by allowing trusted applications to run while limiting their access to only the resources they need. It’s a straightforward, default deny approach that gives you more control and visibility—without slowing down operations. Explore how ThreatLocker can help simplify your security strategy.
Digital forensics is shifting from reactive to strategic. Join CyberWire Daily host Dave Bittner on Wednesday, June 11 at 1:00pm ET for a live discussion with experts from Magnet Forensics on key insights from the State of Enterprise DFIR Report. Learn how top teams are evolving their tools, workflows, and talent to reduce risk and respond faster to complex incidents. Register now to join live or access it on-demand.
An international law enforcement operation coordinated by Europol and Eurojust has dismantled infrastructure used by popular initial access malware strains. The operation targeted Qakbot, Trickbot, Bumblebee, Lactrodectus, Hijackloader, DanaBot, and Warmcookie. Europol notes that these malware strains are frequently used to stage ransomware: "From 19 to 22 May, authorities took down some 300 servers worldwide, neutralised 650 domains, and issued international arrest warrants against 20 targets, dealing a direct blow to the ransomware kill chain."
The US Justice Department has indicted a 48-year-old Russian national, Rustam Rafailevich Gallyamov, as the alleged leader of a group of criminals who developed and deployed the Qakbot malware. The DOJ said in a press release, "Gallyamov developed, deployed, and controlled the Qakbot malware beginning in 2008. From 2019 onward, Gallyamov allegedly used the Qakbot malware to infect thousands of victim computers around the world in order to establish a network, or 'botnet,' of infected computers. As alleged, once Gallyamov gained access to victim computers, he provided access to co-conspirators who infected the computers with ransomware, including Prolock, Dopplepaymer, Egregor, REvil, Conti, Name Locker, Black Basta, and Cactus. In exchange, Gallyamov was allegedly paid a portion of the ransoms received from ransomware victims."
After the Qakbot botnet was shuttered by law enforcement in 2023, Gallyamov allegedly began using social engineering attacks to gain initial access to organizations before deploying ransomware.
The Justice Department has also filed a civil forfeiture complaint against over $24 million in cryptocurrency seized from Gallyamov.
EclecticIQ warns that a Chinese cyberespionage actor tracked as "UNC5221" is exploiting a recently patched vulnerability chain (CVE-2025-4427 and CVE-2025-4428) affecting Ivanti Endpoint Manager Mobile (EPMM). Ivanti patched the two vulnerabilities last week, noting that the flaws were under active exploitation at the time of disclosure. The two flaws can be chained together to achieve unauthenticated remote code execution.
EclecticIQ notes that the threat actor has used the exploit to target entities in "healthcare, telecommunications, aviation, municipal government, finance, and defense across Europe, North America, and the Asia-Pacific region."
Today's issue includes events affecting China, Russia, and the United States.
Following the spiders: Investigating Lactrodectus malware (Expel) Lactrodectus malware is the latest infostealing malware on the market utilizing the Click-Fix technique. Here's what you need to know.
Mysterious hacking group Careto was run by the Spanish government, sources say (TechCrunch) The elusive hacking group Careto was never publicly linked to a specific government, but TechCrunch has learned researchers concluded privately that the Spanish government was behind the group.
60 malicious npm packages caught mapping developer networks (Developer Tech News) The npm registry is once again in the spotlight, this time battling a malware campaign using malicious packages to map developer networks.
Chinese-speaking hackers targeting US municipalities with Cityworks bug (The Record) Since January, cybersecurity experts have seen Chinese-speaking hackers exploiting a bug impacting a tool used by local governments to manage critical infrastructure assets and other services.
Grandpa-conning crook jailed over sugar-coated drug scam (The Register) : Callous fraudster tricked elderly gents into smuggling meth hidden in chocolate truffles
New Google program targeting children with AI chatbot may violate FTC privacy rules (The Record) Children with parent-controlled Google accounts will automatically be able to access the AI-powered Gemini chatbot unless a parent opts out.
For a complete running list of events, please visit the Event Tracker.
CyberWiseCon Europe 2025 (Vilnius and virtual, Lithuania, May 21 - 23, 2025) CyberWiseCon is a premier IT security conference that brings together cybersecurity experts, industry leaders, and IT professionals from around the Europe.
NICE Conference (Denver, Colorado, USA, Jun 1 - 4, 2025) The NICE Conference is the annual convening of community members and thought leaders from education, government, industry, and non-profits to explore ways of developing a skilled cybersecurity workforce ready to meet the challenges of the future. This event provides an opportunity to share best practices from around the world and across sectors in order to build the workforce we need to confront cybersecurity risks today and in years to come.
2025 Space Regulatory Bootcamp (Albuquerque and Virtual, New Mexico, USA, Jun 10 - 11, 2025) ACSP's Bootcamps educate new and established space professionals on must-know fundamentals and arm them for success. The 2025 Space Regulatory Bootcamp, hosted in Albuquerque, New Mexico, is a two day comprehensive industry deep dive with advanced training and meaningful networking. Learn directly from leading subject matter experts on topics including space law, export controls, space telecommunications, government contracting, and more.
AWS re:Inforce 2025 (Philadelphia, Pennsylvania, USA, Jun 16 - 18, 2025) AWS re:Inforce is our annual, immersive, cloud-security learning event delivering hands-on training and collaboration with AWS experts. It’s your opportunity to learn about the latest AWS security innovations, get direct access to the AWS teams and partners who build the security tools you rely on, and connect with cloud security peers from around the world. You’ll leave with actionable next steps to raise your security posture.
