30.06.25 Threat Report
This week’s threat report: from Russian state hackers abusing Gmail OAuth tokens to a data breach at Ahold Delhaize that leaked sensitive employee information. Glasgow City Council is battling major disruption after a cyberattack, while threat actors are using CapCut’s popularity to distribute credential-stealing malware through fake installers. And in the aviation sector, the Scattered Spider group has launched a new campaign targeting IT help desks to hijack high-value accounts.
1. Russian APT29 Exploits Gmail
Russian state-sponsored group APT29 (also known as Midnight Blizzard or Cozy Bear) has been observed abusing OAuth 2.0 tokens for Gmail to access cloud mailboxes without triggering the usual sign-in alerts. This is not a flaw in the protocol itself: the campaign relies on legitimately issued tokens rather than on credentials, which is what lets it maintain persistent, quiet access.
How It Works
Attackers use stolen OAuth refresh tokens, exchanging them at the token endpoint for fresh access tokens whenever they need them. The password and MFA checks happen only once, when the grant is first approved, so later token refreshes involve no interactive sign-in and raise no login alert. With a valid access token the attacker calls the Gmail API to read mail, exfiltrate data and observe internal conversations; the activity appears as ordinary API usage by an authorised application rather than as a suspicious login, and it persists until the grant itself is revoked.
Potential Impact
- Undetected surveillance of sensitive communications
- Data exfiltration and reputational damage
- Extended dwell time before discovery, enabling wider compromise
Recommendations
- Revoke unauthorised OAuth tokens and audit third-party app access
- Enable domain-wide alerting on suspicious OAuth activity
- Review and restrict OAuth scopes granted to third-party apps
- Adopt zero-trust principles and conditional access policies
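The first and third recommendations above come down to one question: which OAuth grants in the domain can read mail, and did we approve the client behind them? The script below is an added example for this report, not Google’s code or the page’s own. It audits token records laid out like the Admin SDK Directory API tokens.list response (clientId, displayText, scopes, userKey, anonymous, nativeApp), flags grants with mailbox-access scopes from clients not on an allow-list, and produces the (user, clientId) pairs to revoke. The sample token records are constructed and TRUSTED_CLIENT_IDS is a placeholder for an organisation’s own vetted list.

```python
"""Audit OAuth grants for mailbox-access scopes and build a revocation list.

Added example for this report, not Google's code. Record layout mirrors the
Admin SDK Directory API tokens.list response. SAMPLE_TOKENS is constructed and
TRUSTED_CLIENT_IDS is a placeholder for an organisation's own vetted list.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Any one of these scopes lets a token read mail or configure forwarding/delegation,
# which is all the silent read-and-exfiltrate access described above requires.
MAIL_ACCESS_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.metadata",
    "https://www.googleapis.com/auth/gmail.settings.basic",
    "https://www.googleapis.com/auth/gmail.settings.sharing",
}

# Assumption: client IDs the organisation has reviewed and approved.
TRUSTED_CLIENT_IDS = {
    "100000000001-approvedmailclient.apps.googleusercontent.com",
}


@dataclass(frozen=True)
class Finding:
    user: str
    client_id: str
    app: str
    risky_scopes: Tuple[str, ...]
    anonymous: bool  # unverified app: no app name was shown to the user at consent time


def audit_tokens(tokens: Iterable[dict]) -> List[Finding]:
    """Return one Finding per grant that has mailbox access from a non-trusted client."""
    findings = []
    for t in tokens:
        risky = sorted(set(t.get("scopes", ())) & MAIL_ACCESS_SCOPES)
        if not risky or t.get("clientId") in TRUSTED_CLIENT_IDS:
            continue
        findings.append(Finding(
            user=t["userKey"],
            client_id=t["clientId"],
            app=t.get("displayText") or "<unnamed>",
            risky_scopes=tuple(risky),
            anonymous=bool(t.get("anonymous", False)),
        ))
    return findings


def revocation_plan(findings: Iterable[Finding]) -> List[Tuple[str, str]]:
    """(userKey, clientId) pairs to revoke. The live call for each pair is
    service.tokens().delete(userKey=user, clientId=client_id).execute(); deleting
    the grant invalidates its refresh token, which signing the user out of browser
    sessions does not."""
    return sorted({(f.user, f.client_id) for f in findings})


# Constructed sample: what tokens.list might return across three users.
SAMPLE_TOKENS = [
    {"userKey": "alice@example.com",
     "clientId": "100000000001-approvedmailclient.apps.googleusercontent.com",
     "displayText": "Approved Mail Client", "anonymous": False, "nativeApp": True,
     "scopes": ["https://www.googleapis.com/auth/gmail.readonly"]},
    {"userKey": "alice@example.com",
     "clientId": "100000000002-teamcalendar.apps.googleusercontent.com",
     "displayText": "Team Calendar", "anonymous": False, "nativeApp": False,
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"userKey": "bob@example.com",
     "clientId": "100000000003-mailsynchelper.apps.googleusercontent.com",
     "displayText": "Mail Sync Helper", "anonymous": False, "nativeApp": False,
     "scopes": ["https://mail.google.com/"]},
    {"userKey": "carol@example.com",
     "clientId": "100000000004-unnamed.apps.googleusercontent.com",
     "displayText": "", "anonymous": True, "nativeApp": True,
     "scopes": ["https://www.googleapis.com/auth/gmail.modify",
                "https://www.googleapis.com/auth/gmail.settings.sharing"]},
]

if __name__ == "__main__":
    found = audit_tokens(SAMPLE_TOKENS)
    for f in found:
        print(f"{f.user}: {f.app} ({f.client_id}) anonymous={f.anonymous} scopes={list(f.risky_scopes)}")
    print("revoke:", revocation_plan(found))
```

Alice’s approved client and her calendar-only grant pass; Bob’s unknown “Mail Sync Helper” with full mail access and Carol’s anonymous native app with gmail.modify plus gmail.settings.sharing (enough to read mail and set up forwarding) are flagged for revocation. Treat the allow-list as the control: anything with a mail scope that is not on it is a grant someone must justify.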
2. Retail Giant Ahold Delhaize Breach
Multinational retail giant Ahold Delhaize has confirmed a breach affecting staff data, stemming from a third-party payroll provider compromise. While customer systems remain unaffected, sensitive HR information—possibly including pay slips and addresses—was exposed.
Incident Details
The breach was linked to a security failure at a payroll software supplier. Ahold Delhaize was notified by the Dutch Data Protection Authority, prompting internal investigations.
Potential Impact
- Identity theft risks for employees
- Regulatory scrutiny and GDPR repercussions
- Damage to brand trust and employee relations
Recommendations
- Notify affected employees and offer identity monitoring services
- Reassess supplier due diligence and data sharing agreements
- Ensure third-party vendors meet cybersecurity standards
- Conduct tabletop exercises for supply chain breach scenarios
3. Cyberattack on Glasgow City Council
Glasgow City Council is managing a serious cyberattack that has impacted key internal systems, including payroll and social care. The full extent is yet to be disclosed, but the event has caused notable operational disruption.
Incident Details
The council’s IT teams are working with external specialists to investigate. Meanwhile, systems remain offline, affecting city services and administrative functions.
Potential Impact
- Disruption to essential public services
- Possible data breach involving resident records
- Reputational harm and public trust erosion
Recommendations
- Activate incident response protocols and ensure business continuity plans are in place
- Prioritise restoration of critical citizen-facing services
- Perform forensic analysis to understand the scope and entry points
- Conduct a post-incident review and bolster defences against repeat attacks
4. Fake CapCut Install Used to Spread Info-Stealing Malware
Cybercriminals are exploiting the popularity of CapCut, a video editing app, by distributing trojanised installers. Victims are lured through fake download websites and search advertisements that often appear at the top of search results, above the genuine download page.
Attack Mechanism
Users who look for CapCut outside the official website and app stores are tricked into running fake installers that deploy RedLine Stealer, a known info-stealer that captures saved credentials, browser data (including cookies and session tokens) and cryptocurrency wallet information.
Potential Impact
- Compromise of personal and corporate accounts
- Data leakage, including passwords and browser sessions
- Malware persistence and additional payload drops
Recommendations
- Educate employees about software download risks and trusted sources
- Implement web filtering to block malicious or spoofed domains
- Deploy EDR tools capable of detecting info-stealers like RedLine
- Monitor for unauthorised data exfiltration from endpoints
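The web-filtering recommendation is only as good as the logic that decides what a “spoofed domain” is. The script below is an added example for this report, not code from the page or from CapCut. It runs over web-proxy log lines and flags hosts that impersonate the CapCut brand in the three ways fake-installer campaigns typically use: the brand name inside a non-official domain (capcut-download.example), a homoglyph or punycode look-alike of the real domain, and a typosquat one edit away from the brand. The log lines are constructed, and OFFICIAL_DOMAINS and SECOND_LEVEL_SUFFIXES are assumptions to replace with a vetted allow-list and a real public-suffix list.

```python
"""Flag web-proxy requests to lookalike or typosquatted CapCut download domains.

Added example for this report, not code from the page or from CapCut. SAMPLE_LOG is
constructed; OFFICIAL_DOMAINS and SECOND_LEVEL_SUFFIXES are assumptions to replace
with a vetted allow-list and a real public-suffix list.
"""
import unicodedata
from typing import Dict, List
from urllib.parse import urlsplit

BRAND = "capcut"
OFFICIAL_DOMAINS = {"capcut.com"}                        # assumption
SECOND_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}     # assumption, not a full PSL
# Substitutions seen in lookalike registrations, mapped back to ASCII:
# Cyrillic a, c, e, o, p, y, x and leetspeak digits (digits may over-match brands
# that legitimately contain numbers; tune per brand).
HOMOGLYPHS = str.maketrans({
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0443": "y", "\u0445": "x",
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
})


def normalise_host(host: str) -> str:
    """Decode punycode, strip accents and map homoglyphs so a Cyrillic c reads as ASCII c."""
    if "xn--" in host:
        try:
            host = host.encode("ascii").decode("idna")
        except (UnicodeError, ValueError):
            pass
    host = "".join(c for c in unicodedata.normalize("NFKD", host) if not unicodedata.combining(c))
    return host.translate(HOMOGLYPHS)


def registrable_domain(host: str) -> str:
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_official(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_host(raw_host: str) -> str:
    """Return 'official', 'homoglyph', 'brand-in-host', 'typosquat' or 'unrelated'."""
    raw = raw_host.lower().rstrip(".")
    if is_official(raw):
        return "official"
    norm = normalise_host(raw)
    if norm != raw and is_official(norm):
        return "homoglyph"        # matches the real domain only after normalisation
    if BRAND in norm.replace("-", ""):
        return "brand-in-host"    # capcut-download.example, capcut.free-files.example
    if osa_distance(registrable_domain(norm).split(".")[0], BRAND) <= 1:
        return "typosquat"        # capcat.example, cpacut.example
    return "unrelated"


def analyse_proxy_log(lines: List[str]) -> List[Dict[str, str]]:
    """Parse 'timestamp client method url status' lines; report brand look-alikes only."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, client, _method, url, _status = parts[:5]
        host = urlsplit(url).hostname or ""
        verdict = classify_host(host)
        if verdict not in ("official", "unrelated"):
            hits.append({"ts": ts, "client": client, "host": host, "verdict": verdict})
    return hits


# Constructed proxy log: one genuine download, four look-alikes, one unrelated page
# that merely mentions the brand in its path.
SAMPLE_LOG = [
    "2025-06-27T09:12:01Z 10.0.4.21 GET https://www.capcut.com/download 200",
    "2025-06-27T09:13:44Z 10.0.4.21 GET https://capcut-download.com/CapCut_Setup.exe 200",
    "2025-06-27T09:15:09Z 10.0.4.37 GET https://capcut.free-video-tools.top/setup.exe 200",
    "2025-06-27T09:16:30Z 10.0.4.37 GET https://\u0441apcut.com/ 200",
    "2025-06-27T09:18:02Z 10.0.4.52 GET https://capcat.com/installer 200",
    "2025-06-27T09:20:15Z 10.0.4.52 GET https://www.example.com/capcut-review 200",
]

if __name__ == "__main__":
    for hit in analyse_proxy_log(SAMPLE_LOG):
        print(hit)
```

Only the four impostor hosts are reported; the official site passes and the unrelated review page is ignored because the brand appears in its path, not its host. A blocklist built from the verdicts can feed the proxy, and the same classifier is a reasonable first filter for newly registered domain feeds.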
5. Scattered Spider Targets Aviation
The threat actor group Scattered Spider, known for targeting large enterprises, has launched a new campaign aimed at aviation companies. Using targeted social engineering tactics, the attackers impersonate employees to trick IT help desks into resetting passwords and granting access to critical accounts.
Attack Strategy
Attackers gather personal and corporate information to convincingly pose as employees in urgent situations. Once they gain initial access via a help desk, they escalate privileges and move laterally through corporate systems, often aiming for data exfiltration or extortion.
Potential Impact
- Compromise of privileged accounts in aviation firms
- Operational disruption and regulatory risk
- Potential for ransomware deployment or data leaks
Recommendations
- Train IT support staff to verify identities beyond caller ID and urgency
- Implement strict account recovery procedures with multiple verification steps
- Monitor for unusual help desk activity and account resets
- Review and harden access controls for sensitive systems
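Identity verification at the help desk is a procedural control, but the third recommendation, monitoring for unusual resets, can be expressed as detection logic. The script below is an added example for this report, not the page’s own code or any vendor’s product. It runs three checks over identity-provider audit events: a reset performed by someone other than the account owner followed within an hour by MFA enrolment or a new-device sign-in (the help-desk takeover pattern described above), any reset of a privileged account, and help-desk resets outside business hours, when urgency pretexts work best. The events are constructed in a generic audit shape (ts, actor, action, target, src_ip); the action names, PRIVILEGED_USERS, HELPDESK_ACTORS and BUSINESS_HOURS are assumptions to map onto a real IdP’s schema.

```python
"""Correlate help-desk account resets with follow-on MFA enrolment and sign-ins.

Added example for this report, not the page's own code or a vendor's product.
SAMPLE_EVENTS is constructed in a generic identity-provider audit shape; action
names, PRIVILEGED_USERS, HELPDESK_ACTORS and BUSINESS_HOURS are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

RESET_ACTIONS = {"password_reset", "mfa_factor_reset"}
TAKEOVER_ACTIONS = {"mfa_enroll", "login_new_device"}
PRIVILEGED_USERS = {"admin.cfo", "svc.idp-admin"}       # assumption
HELPDESK_ACTORS = {"helpdesk.jdoe", "helpdesk.kfox"}     # assumption
BUSINESS_HOURS = range(8, 18)                           # assumption, UTC
WINDOW = timedelta(minutes=60)


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_takeover_chains(events: List[dict], window: timedelta = WINDOW) -> List[Dict]:
    """A reset by someone other than the owner, then MFA enrolment or a new-device
    sign-in 'by the owner' within the window: the attacker re-enrolling their own device."""
    by_target = defaultdict(list)
    for e in events:
        by_target[e["target"]].append(e)
    alerts = []
    for target, evs in by_target.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        for i, reset in enumerate(evs):
            if reset["action"] not in RESET_ACTIONS or reset["actor"] == target:
                continue
            t0 = parse_ts(reset["ts"])
            follow = [f for f in evs[i + 1:]
                      if f["action"] in TAKEOVER_ACTIONS and parse_ts(f["ts"]) - t0 <= window]
            if follow:
                alerts.append({"rule": "reset_then_takeover", "target": target,
                               "reset_by": reset["actor"], "reset_at": reset["ts"],
                               "followed_by": [f["action"] for f in follow],
                               "src_ips": sorted({f.get("src_ip", "?") for f in follow})})
                break  # one alert per target is enough for triage
    return alerts


def detect_privileged_resets(events: List[dict]) -> List[Dict]:
    """Every reset of a privileged account is reviewed, whatever follows it."""
    return [{"rule": "privileged_reset", "target": e["target"], "action": e["action"],
             "actor": e["actor"], "ts": e["ts"]}
            for e in events if e["action"] in RESET_ACTIONS and e["target"] in PRIVILEGED_USERS]


def detect_after_hours_resets(events: List[dict]) -> List[Dict]:
    """Help-desk resets outside business hours, when an urgency pretext is hardest to verify."""
    return [{"rule": "after_hours_reset", "target": e["target"], "actor": e["actor"], "ts": e["ts"]}
            for e in events
            if e["action"] in RESET_ACTIONS and e["actor"] in HELPDESK_ACTORS
            and parse_ts(e["ts"]).hour not in BUSINESS_HOURS]


def run_all(events: List[dict]) -> List[Dict]:
    return detect_takeover_chains(events) + detect_privileged_resets(events) + detect_after_hours_resets(events)


# Constructed audit events.
SAMPLE_EVENTS = [
    # Routine: morning reset, owner signs in from the internal network, no enrolment.
    {"ts": "2025-06-26T08:05:00Z", "actor": "helpdesk.jdoe", "action": "password_reset",
     "target": "alice.ops", "src_ip": "10.0.0.5"},
    {"ts": "2025-06-26T08:09:00Z", "actor": "alice.ops", "action": "login",
     "target": "alice.ops", "src_ip": "10.0.12.40"},
    # Suspicious: evening reset of a privileged account, then a new authenticator and a
    # sign-in from an external address, all within ten minutes.
    {"ts": "2025-06-26T19:42:10Z", "actor": "helpdesk.kfox", "action": "password_reset",
     "target": "admin.cfo", "src_ip": "10.0.0.7"},
    {"ts": "2025-06-26T19:44:05Z", "actor": "helpdesk.kfox", "action": "mfa_factor_reset",
     "target": "admin.cfo", "src_ip": "10.0.0.7"},
    {"ts": "2025-06-26T19:51:30Z", "actor": "admin.cfo", "action": "mfa_enroll",
     "target": "admin.cfo", "src_ip": "198.51.100.23"},
    {"ts": "2025-06-26T19:53:02Z", "actor": "admin.cfo", "action": "login_new_device",
     "target": "admin.cfo", "src_ip": "198.51.100.23"},
    # Self-service enrolment by the owner: no third-party reset, so no chain.
    {"ts": "2025-06-26T11:20:00Z", "actor": "bob.eng", "action": "mfa_enroll",
     "target": "bob.eng", "src_ip": "10.0.12.88"},
]

if __name__ == "__main__":
    for alert in run_all(SAMPLE_EVENTS):
        print(alert)
```

Only the admin.cfo sequence fires: one chain alert naming the help-desk actor and the external address that enrolled the new factor, plus privileged-reset and after-hours alerts for the two reset steps. The chain rule is the one worth tuning first, since a new authenticator registered minutes after a reset requested by phone is the moment the account changes hands.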
Threat Intelligence
Stay ahead of emerging cyber threats with real-time insights from our Threat Intelligence service. Contact us to find out more.