Contents

01. News Bites
  • ‘CitrixBleed 2’ Bug Threatens NetScaler Gateways: Patch Now, Experts Warn

  • Hacktivist group Noname057(16) targets NATO and allies in new DDoS campaign

  • BlueNoroff Impersonates Zoom Contacts to Breach Crypto Firms

  • North Korean Hackers Target Devs with Malicious npm Packages

  • Nucor Confirms Data Theft in Steel Sector Cyberattack



02. Conclusion

Quick News Bites

‘CitrixBleed 2’ Bug Threatens NetScaler Gateways: Patch Now, Experts Warn

A newly disclosed critical vulnerability in Citrix NetScaler ADC and NetScaler Gateway, now dubbed “CitrixBleed 2”, is raising alarms in the cyber security community because of its similarity to the widely exploited CitrixBleed flaw (CVE-2023-4966) from 2023. Tracked as CVE-2025-5777, it is an insufficient-input-validation bug that lets unauthenticated attackers read out-of-bounds memory from internet-facing appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server, potentially leaking session tokens, credentials and other sensitive data.

Security researcher Kevin Beaumont drew the comparison to the 2023 bug, warning that a leaked session token lets an attacker hijack the active user session and thereby sidestep multi-factor authentication, since the token is issued only after MFA has already completed. A second vulnerability, CVE-2025-5349, is an improper access control flaw in the NetScaler Management Interface.

Citrix has released updates and urges all customers to patch immediately. After upgrading, administrators should terminate all active ICA and PCoIP sessions from the appliance, because tokens stolen before the patch remain valid until the sessions they belong to are killed; some organisations skipped this step in 2023, and ransomware and espionage intrusions followed.

Over 56,500 NetScaler endpoints are currently exposed to the internet. The end-of-life 12.1 and 13.0 branches will not receive fixes and must be upgraded to a supported release.
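The check a NetScaler administrator actually needs here is "is my build at or above the fixed level for its branch, or is my branch out of support entirely", followed by the session-termination step. The script below, added for this bulletin and not Citrix code, takes a version string in either the advisory form (14.1-43.56) or the form assumed for the appliance's own show ns version output, classifies it, and returns the follow-up steps. The fixed build numbers and EOL branches are those in Citrix's June 2025 advisory for CVE-2025-5777 and CVE-2025-5349; re-check the current advisory before relying on them. The sample version strings are constructed.

```python
"""Classify a NetScaler ADC / NetScaler Gateway build against the CVE-2025-5777 fix levels.

Added example for this bulletin; it is not Citrix code. Fixed builds and EOL
branches are a snapshot of Citrix's June 2025 advisory (assumption: verify
against the current advisory). The 'show ns version' output format accepted
below is an assumption; the sample version strings are constructed.
"""
import re

# Minimum fixed build per release branch. Key: (branch, FIPS/NDcPP image?).
FIXED_BUILDS = {
    ("14.1", False): (43, 56),    # 14.1-43.56
    ("13.1", False): (58, 32),    # 13.1-58.32
    ("13.1", True): (37, 235),    # 13.1-37.235 FIPS / NDcPP
    ("12.1", True): (55, 328),    # 12.1-55.328 FIPS
}

# Non-FIPS 12.1 and all of 13.0 are end of life: vulnerable, with no fix coming.
EOL_BRANCHES = {"12.1", "13.0"}

# Citrix's post-upgrade step: tokens stolen before patching stay valid until
# the sessions they belong to are terminated on the appliance.
POST_UPGRADE_COMMANDS = ("kill icaconnection -all", "kill pcoipConnection -all")

# Accepts the advisory form "14.1-43.56" and the (assumed) 'show ns version'
# form "NetScaler NS14.1: Build 43.56.nc, Date: ...".
_VERSION_RX = re.compile(
    r"NS(?P<b1>\d+\.\d+):\s*Build\s*(?P<v1>\d+\.\d+)"
    r"|(?P<b2>\d+\.\d+)-(?P<v2>\d+\.\d+)"
)


def parse_version(text):
    """Return (branch, (build_major, build_minor), is_fips) from a version string."""
    m = _VERSION_RX.search(text)
    if not m:
        raise ValueError(f"no NetScaler version found in {text!r}")
    branch = m.group("b1") or m.group("b2")
    build = m.group("v1") or m.group("v2")
    major, minor = (int(part) for part in build.split("."))
    is_fips = "FIPS" in text.upper() or "NDCPP" in text.upper()
    return branch, (major, minor), is_fips


def assess(text, fips=None):
    """Classify as 'patched', 'vulnerable', 'unsupported' (EOL) or 'unknown'.

    fips=True/False overrides detection from the string; FIPS/NDcPP images
    have their own fix levels on 13.1 and 12.1.
    """
    branch, build, detected_fips = parse_version(text)
    is_fips = detected_fips if fips is None else fips
    result = {"branch": branch, "build": build, "fips": is_fips}

    # A FIPS flag on a branch with no separate FIPS entry falls back to the main entry.
    fixed = FIXED_BUILDS.get((branch, is_fips)) or FIXED_BUILDS.get((branch, False))
    if fixed is not None:
        result["fixed_build"] = fixed
        result["status"] = "patched" if build >= fixed else "vulnerable"
    elif branch in EOL_BRANCHES:
        result["status"] = "unsupported"
    else:
        result["status"] = "unknown"

    # Patching alone does not evict an attacker who already holds a session token.
    if result["status"] == "patched":
        result["next_steps"] = list(POST_UPGRADE_COMMANDS)
    elif result["status"] == "vulnerable":
        result["next_steps"] = [f"upgrade to {branch}-{fixed[0]}.{fixed[1]} or later"] + list(POST_UPGRADE_COMMANDS)
    else:
        result["next_steps"] = ["migrate to a supported release (14.1 or 13.1), then terminate all sessions"]
    return result


if __name__ == "__main__":
    for sample in ("14.1-43.56",
                   "NetScaler NS14.1: Build 43.55.nc, Date: Jun 1 2025",
                   "13.0-92.21",
                   "13.1-37.235-FIPS"):
        print(sample, "->", assess(sample))
```

Feed it the version string from each appliance in the estate; anything returned as vulnerable or unsupported is a device on which any session token issued before the upgrade should be assumed compromised.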

Hacktivist group Noname057(16) targets NATO and allies in new DDoS campaign

Pro-Russian hacktivist group Noname057(16) has released a fresh list of distributed denial of service (DDoS) targets via its Telegram channel. Published on 24 June 2025, the list includes over 20 websites linked to government, defence, NGO, and commercial sectors across the United States, Belgium, Israel, the Netherlands, Ukraine, Norway, and Italy.

Notable targets include multiple NATO-related domains such as nato-pa.int, cmre.nato.int, and sto.nato.int, as well as city government websites in Israel and NGO platforms in the Netherlands and Ukraine.

The group typically posts check-host.net reports as evidence that a target is unreachable; such a report shows only that the site failed to respond from a handful of probe locations at that moment, not a sustained outage. While the impact appears limited to temporary service disruption, the campaign highlights continuing hacktivist activity aimed at NATO and its allies.

These politically motivated DDoS attacks are part of broader influence operations tied to ongoing geopolitical tensions.

BlueNoroff Impersonates Zoom Contacts to Breach Crypto Firms

Cyber security researchers have reported a sophisticated social engineering campaign by the North Korea-linked group BlueNoroff (APT38) targeting cryptocurrency and financial firms via Zoom. The campaign, active since March, relies on impersonating known contacts during video calls to pressure victims into installing malware disguised as audio-repair tools.

A notable case on 28 May involved a Canadian gambling firm, where the attackers had the victim run a fake Zoom SDK update script with hidden commands that deployed infostealer malware. The script established persistence with a LaunchDaemon and disguised its payloads under names such as “icloud_helper”, exfiltrating wallet data and browser credentials.

The campaign spans North America, Europe and Asia-Pacific, focusing on the crypto, fintech and gaming sectors. Although the social engineering is polished, the tooling requires only moderate technical skill, and the campaign poses a medium-level threat to firms managing digital assets.

We advise verifying the identity of Zoom meeting participants through a separate channel, training staff on impersonation tactics (in particular, treating any participant who asks you to run a script or an “SDK update” to fix audio as hostile), and blocking unauthorised scripts at the endpoint.
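The persistence mechanism described above leaves an artefact that is easy to audit: a launchd plist whose program lives somewhere a phished user could write to. The script below is an added example for this bulletin, not code from Huntress or from the campaign's tooling. It parses the plists in a directory with the standard-library plistlib module and flags jobs whose executable sits outside normal install prefixes, whose label mimics Apple while the binary does not, or whose binary carries an iCloud-themed name outside /System. The heuristics are generic and would not catch a payload dropped into /Applications; the two sample plists, including the com.apple.icloud_helper label and the /Users/victim/... path, are constructed for illustration.

```python
"""Audit launchd persistence plists for jobs that run from user-writable paths.

Added example for this bulletin; not code from Huntress or from the BlueNoroff
tooling it describes. Heuristics are generic (where the program lives, whether
the label mimics Apple), not a signature for this campaign. The sample plists,
including the com.apple.icloud_helper label and the /Users/victim path, are
constructed for illustration.
"""
import os
import plistlib
import tempfile

# Where launchd looks for third-party persistence on a real host.
LAUNCHD_DIRS = ("/Library/LaunchDaemons", "/Library/LaunchAgents")

# Install prefixes a legitimately packaged daemon normally runs from.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/",
                    "/Library/Apple/", "/Applications/")

# Paths a non-root user (or a script they were talked into running) can write.
USER_WRITABLE = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/",
                 "/Users/", "/var/folders/", "/private/var/folders/")


def program_of(job):
    """The executable a launchd job runs: Program takes precedence over ProgramArguments[0]."""
    prog = job.get("Program")
    if not prog:
        args = job.get("ProgramArguments") or []
        prog = args[0] if args else ""
    return prog


def assess_job(job):
    """Return a list of findings; entries prefixed 'note:' are context, not verdicts."""
    findings = []
    prog = program_of(job)
    label = job.get("Label", "")
    if not prog:
        return ["no Program or ProgramArguments (malformed or stripped plist)"]
    if prog.startswith(USER_WRITABLE):
        findings.append(f"program in user-writable location: {prog}")
    elif not prog.startswith(TRUSTED_PREFIXES):
        findings.append(f"program outside trusted install prefixes: {prog}")
    if label.startswith("com.apple.") and not prog.startswith(("/System/", "/usr/", "/Library/Apple/")):
        findings.append(f"Apple-style label {label!r} for a non-Apple program")
    if "icloud" in os.path.basename(prog).lower() and not prog.startswith("/System/"):
        findings.append(f"iCloud-themed binary name outside /System: {os.path.basename(prog)}")
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        findings.append("note: RunAtLoad+KeepAlive, launchd restarts it if the process is killed; unload the job first")
    return findings


def audit_dir(directory):
    """Parse every .plist in a directory and return {filename: findings} for suspect jobs."""
    suspects = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        try:
            with open(os.path.join(directory, name), "rb") as fh:
                job = plistlib.load(fh)
        except Exception as exc:  # a plist launchd cannot parse is still worth a look
            suspects[name] = [f"unparseable plist: {exc}"]
            continue
        findings = assess_job(job)
        if any(not f.startswith("note:") for f in findings):
            suspects[name] = findings
    return suspects


def write_samples(directory):
    """Constructed samples: a benign vendor updater and a job mimicking the bulletin's icloud_helper."""
    benign = {"Label": "com.example.updater",
              "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
              "RunAtLoad": True}
    suspect = {"Label": "com.apple.icloud_helper",
               "ProgramArguments": ["/Users/victim/Library/Caches/icloud_helper"],
               "RunAtLoad": True, "KeepAlive": True}
    for name, job in (("com.example.updater.plist", benign), ("com.apple.icloud_helper.plist", suspect)):
        with open(os.path.join(directory, name), "wb") as fh:
            plistlib.dump(job, fh)


def demo():
    """Write the constructed samples to a temporary directory and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        write_samples(tmp)
        return audit_dir(tmp)


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

On a real Mac, call audit_dir on each entry of LAUNCHD_DIRS and on each user's ~/Library/LaunchAgents; the RunAtLoad+KeepAlive note matters during response, because killing the process without unloading the job just brings it back.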

North Korean Hackers Target Devs with Malicious npm Packages

A new wave of North Korea’s “Contagious Interview” campaign is targeting job seekers with malicious npm packages designed to infect developer systems with info-stealers and backdoors.

Security researchers discovered 35 npm packages submitted via 24 accounts, downloaded over 4,000 times. Masquerading as legitimate libraries (e.g. react-plaid-sdk, vite-plugin-next-refresh), the packages deploy the BeaverTail infostealer and InvisibleFerret backdoor, both linked to DPRK threat actors.

The campaign begins with fake recruiters on LinkedIn offering coding tests hosted on Bitbucket. Victims are urged to run embedded malicious code, often while screen sharing. The infection chain includes the HexEval Loader (for fingerprinting and payload delivery), BeaverTail (for browser and wallet theft), InvisibleFerret (a persistent backdoor), and, in some cases, a cross-platform keylogger.

This is the latest in an ongoing series of Lazarus Group operations using npm as a delivery vector. Developers should treat unsolicited job offers and take-home coding tests with caution, and run unknown code only in a disposable container or virtual machine that holds no real credentials, wallets or SSH keys, since the payload runs when the test is executed and screen sharing gives the attacker a live view of the result.
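Before a package from a "coding test" is installed or required, it is worth reading what it does at install time and at load time. The script below is an added example for this bulletin, not code from Socket or from the packages it describes. It walks an extracted package directory, reports any lifecycle hook in package.json that npm would run automatically during install, and scans the package's own JavaScript for generic loader indicators: dynamic evaluation, spawning a shell, long hex-escaped strings and hex/base64 decoding of embedded blobs. These are indicators, not a signature for HexEval, BeaverTail or InvisibleFerret. Both sample packages, including the reuse of the react-plaid-sdk name from the report, are constructed.

```python
"""Triage an npm package directory before installing or requiring it.

Added example for this bulletin; not code from Socket or from the packages it
describes. The indicators are generic signs of loader-style code, not a
signature for HexEval, BeaverTail or InvisibleFerret. Both sample packages are
constructed; the react-plaid-sdk name is reused from the report for illustration.
"""
import json
import os
import re
import tempfile

# Lifecycle hooks npm runs automatically during 'npm install'.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Source-level indicators. One alone proves nothing; several together in a
# package that also declares install hooks is worth stopping to read.
INDICATORS = {
    "dynamic evaluation": re.compile(r"\b(?:eval|Function)\s*\("),
    "spawns a shell": re.compile(r"require\(\s*['\"]child_process['\"]\s*\)"),
    "long hex-escaped string": re.compile(r"(?:\\x[0-9a-fA-F]{2}){16,}"),
    "decodes hex/base64 blob": re.compile(r"Buffer\.from\([^)]*,\s*['\"](?:hex|base64)['\"]\s*\)"),
}


def scan_package(pkg_dir):
    """Return a list of findings for the extracted package rooted at pkg_dir."""
    findings = []
    with open(os.path.join(pkg_dir, "package.json"), encoding="utf-8") as fh:
        meta = json.load(fh)
    for hook in INSTALL_HOOKS:
        cmd = meta.get("scripts", {}).get(hook)
        if cmd:
            findings.append(f"package.json: '{hook}' hook runs during install: {cmd}")
    for root, dirs, files in os.walk(pkg_dir):
        dirs[:] = [d for d in dirs if d != "node_modules"]  # only this package's own code
        for name in files:
            if not name.endswith((".js", ".cjs", ".mjs")):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            rel = os.path.relpath(path, pkg_dir)
            for desc, rx in INDICATORS.items():
                if rx.search(src):
                    findings.append(f"{rel}: {desc}")
    return findings


def write_samples(base):
    """Constructed packages: a harmless helper and a loader-style one under a real target's name."""
    benign = os.path.join(base, "pad-left-ish")
    os.makedirs(benign)
    with open(os.path.join(benign, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "pad-left-ish", "version": "1.0.0", "main": "index.js"}, fh)
    with open(os.path.join(benign, "index.js"), "w", encoding="utf-8") as fh:
        fh.write("module.exports = (s, n) => String(s).padStart(n);\n")

    suspect = os.path.join(base, "react-plaid-sdk")
    os.makedirs(suspect)
    with open(os.path.join(suspect, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "react-plaid-sdk", "version": "1.0.3", "main": "index.js",
                   "scripts": {"postinstall": "node index.js"}}, fh)
    # Harmless payloads, hidden the way loaders hide theirs: one as \x escapes,
    # one as a hex blob decoded and eval'd at load time.
    escaped = "".join("\\x%02x" % b for b in b"console.log('loader stub')")
    blob = b"console.log(1);".hex()
    with open(os.path.join(suspect, "index.js"), "w", encoding="utf-8") as fh:
        fh.write("const cp = require('child_process');\n"
                 f"const s = '{escaped}';\n"
                 f"eval(Buffer.from('{blob}', 'hex').toString());\n")
    return benign, suspect


def demo():
    """Build both constructed packages in a temp dir; return (benign, suspect) findings."""
    with tempfile.TemporaryDirectory() as tmp:
        benign, suspect = write_samples(tmp)
        return scan_package(benign), scan_package(suspect)


if __name__ == "__main__":
    benign_findings, suspect_findings = demo()
    print("pad-left-ish:", benign_findings or "nothing flagged")
    print("react-plaid-sdk:")
    for finding in suspect_findings:
        print("  -", finding)
```

Extract the tarball rather than installing it, point scan_package at the directory, and read anything it flags. Note the two distinct execution points it reports on: install hooks fire during npm install, while code at module scope fires when the test you were asked to run requires the package, so skipping install scripts alone does not make the test safe to run outside a sandbox.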

Nucor Confirms Data Theft in Steel Sector Cyberattack

Nucor, North America’s largest steel producer and recycler, has confirmed that threat actors behind a recent cyberattack also stole data from its IT systems. The company, which employs over 32,000 staff and reported $30.73 billion in revenue last year, initially disclosed the breach in May after halting production at some facilities and isolating systems to contain the incident.

In a recent SEC filing, Nucor revealed that limited data was exfiltrated by the attackers. While it hasn’t disclosed the nature of the data or whether systems were encrypted, the company is evaluating the impact and will notify affected parties as required by law.

Nucor says affected operations have resumed and that the attackers no longer have network access. No ransomware group has claimed responsibility to date, but experts note that data theft is often part of double-extortion tactics. Investigations with external cyber security experts and law enforcement are ongoing.

Closing Summary

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation. 

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.