Threat Briefing: June 20, 2025

June 20, 2025

Threat Intel Update

The U.S. continues to ramp up pressure on ransomware groups. This week, a former Ryuk member was extradited to the U.S.—a strong example of international cooperation in the fight against ransomware.

As AI adoption accelerates across industries, threat actors are keeping pace. New malicious tools built on commercial AI models are being uncovered, highlighting the dual-use risks of emerging technologies.

Cybersecurity News

  • Ryuk Ransomware Suspect Extradited to U.S. – A 33-year-old suspected member of the infamous Ryuk ransomware gang has been extradited from Ukraine to the United States. Arrested in Kyiv in April, the individual is accused of helping identify network vulnerabilities that enabled attacks resulting in more than $100 million in global losses. Authorities seized over $600,000 in cryptocurrency, nine luxury cars, and 24 land plots. Linked to over 2,400 ransomware attacks since 2018, Ryuk has targeted critical infrastructure and large enterprises worldwide. This extradition marks another step in the ongoing international crackdown on ransomware groups that intensified in late 2023. The Record
  • AI Hacking Tools Built on Grok and Mixtral Uncovered – Researchers at Cato Networks have traced two AI-driven hacking tools, sold on underground forums, to commercial models from xAI’s Grok and Mistral AI’s Mixtral. Marketed as “uncensored” versions of AI assistants, these WormGPT-style tools could generate phishing emails, malware, and vulnerability reports on demand. Though promoted as custom-built, they were essentially wrappers around Grok and Mixtral, using tailored prompts to bypass safety filters. One was accessible via Telegram, while another posed as a cybersecurity assistant with legal disclaimers. Prices ranged from $631 per year to over $5,700 for private deployments, pointing to their appeal among profit-motivated cybercriminals. CyberScoop
  • Fake Tech Support Ads Hijack Google Search Results – Cybercriminals are abusing Google Ads to impersonate major brands like Apple, Microsoft, and PayPal, luring users to fake support pages. These convincing sites display forged customer service numbers, tricking victims into calling scammers who then steal personal information or gain remote access to their devices. Malwarebytes Labs researchers describe the tactic as a “search parameter injection attack,” where malicious URLs manipulate legitimate websites to display fraudulent content. Dark Reading
  • Trojanized Open Source Tools Used to Target Red Teams in Ongoing Malware Campaigns – Security researchers from Trend Micro and ReversingLabs have uncovered two active malware campaigns distributing trojanized hacking tools on GitHub. One campaign, linked to the financially motivated group Water Curse, used at least 76 GitHub accounts to infect Visual Studio project files with payloads that steal credentials, browser data, and session tokens, while enabling persistent remote access. A second campaign, attributed to a group dubbed Banana Squad, leveraged over 67 repositories to deliver fake Python-based hacking tools. Both campaigns highlight a growing trend in supply chain attacks exploiting open source platforms and may be tied to a broader distribution-as-a-service (DaaS) operation active since 2022. SecurityWeek
  • AntiDot MaaS Powers Surge in Android Malware Campaigns – Researchers at PRODAFT have uncovered a sharp rise in Android infections linked to AntiDot, a Malware-as-a-Service (MaaS) platform run by the financially motivated group LARVA-398. Active in at least 273 campaigns, AntiDot has compromised over 3,775 devices using overlay attacks, SMS interception, and accessibility abuse to steal credentials and control victim devices. Delivered through phishing and malicious ads, the malware poses as a Google Play update and uses a stealthy three-stage install process to evade detection. It supports real-time communication with command-and-control servers, spoofing of crypto and payment app login screens, and is managed via a MeteorJS-based control panel. With strong localization and evasion features, AntiDot poses a growing threat to mobile users worldwide. The Hacker News
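The "search parameter injection" pattern in the fake tech support item above works because a legitimate site echoes whatever arrives in its search query string back into the page, so an attacker only needs a crafted link to make a trusted domain display a scam phone number. The following Python is an added defender-side illustration, not code from the original briefing or from Malwarebytes' research: it shows a detection check a web or ad-review team could run over landing URLs, and the matching mitigation of redacting phone-number-like tokens before a search term is reflected into HTML. The regexes, function names and sample URLs are constructed for this example.

```python
import html
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed patterns (example only): a North American style phone number,
# and the "call us" lure wording that typically surrounds an injected number.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
LURE_RE = re.compile(r"\b(call|dial|contact|helpline|support|toll[\s-]?free)\b", re.I)


def suspicious_params(url: str) -> list[str]:
    """Detection side: return the names of query parameters whose values look like
    injected support-scam content (a phone number plus lure wording, or a long
    free-text value carrying a phone number)."""
    query = urlsplit(url).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        has_phone = bool(PHONE_RE.search(value))
        has_lure = bool(LURE_RE.search(value))
        if has_phone and (has_lure or len(value) > 40):
            hits.append(name)
    return hits


def redact_for_reflection(term: str) -> str:
    """Mitigation side: before a site echoes a user-supplied search term into its
    page, HTML-escape it and replace anything that looks like a phone number with
    a placeholder, so a crafted link cannot make the site display a scam number."""
    return html.escape(PHONE_RE.sub("[number removed]", term))


if __name__ == "__main__":
    # Constructed sample URLs: one ordinary search, one crafted scam link.
    samples = [
        "https://example.com/search?q=printer+drivers",
        "https://example.com/search?q=Your+account+is+locked.+Call+Support+Now+1-800-555-0199",
    ]
    for url in samples:
        flagged = suspicious_params(url)
        print(f"{url}\n  flagged params: {flagged or 'none'}")
        for _, value in parse_qsl(urlsplit(url).query):
            print(f"  safe to reflect: {redact_for_reflection(value)}")
```

The detection check is deliberately loose (a number next to "call" or "support" wording) because the goal is to triage which ad landing URLs deserve a human look, not to block traffic; the redaction helper is the part that removes the payoff for the attacker, since a reflected search term with the number stripped no longer gives the victim anything to dial.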


About the Author

CampusGuard Threat Intel Team