
Threat Intel Update
Cybercriminals are increasingly using advanced tactics—like voice phishing, AI-generated content, and legitimate remote access tools—to breach organizations and steal sensitive data. Groups such as UNC6040 and the Silent Ransom Group rely heavily on social engineering to gain access, while Play ransomware has compromised around 900 organizations through double-extortion attacks.
Cybersecurity News
- DOJ Moves to Seize $7.74 Million Laundered by North Korean IT Worker Scam – The U.S. Department of Justice is seeking the forfeiture of $7.74 million tied to a scheme in which North Korean IT workers posed as remote employees at U.S. companies. Using fake identities, the workers secured jobs, earned income in cryptocurrency, and funneled the funds overseas, where they were laundered and sent back to North Korea. The operation was allegedly orchestrated by North Korean officials Sim Hyon Sop and Kim Sang Man, who used fraudulent documents and crypto wallets to conceal the activity. The DOJ’s action is part of a broader effort to disrupt North Korea’s illicit revenue streams. Investigators also found that some Americans were unknowingly involved in facilitating the scam. The Record
- CFOs Targeted in Sophisticated Spear-Phishing Campaign Using Remote Access Tool – A spear-phishing campaign is targeting CFOs and financial executives across multiple regions and deploying a legitimate remote access tool, NetBird, on their systems. The attack begins with an email offering a “strategic opportunity” and directs recipients to a CAPTCHA-protected phishing link that delivers a malicious ZIP file. This file launches a multi-stage VBScript that installs NetBird, creates hidden user accounts, and establishes persistent remote access. To evade detection, the campaign removes desktop shortcuts and uses encrypted redirect URLs to mask its activity. The Hacker News
- Play Ransomware Gang Linked to 900 Breaches Since 2022, Warn Cyber Agencies – The Play ransomware group has compromised approximately 900 organizations worldwide since 2022, according to a joint advisory from U.S. and Australian cybersecurity authorities. Known for its double-extortion tactics, Play encrypts victims’ systems and threatens to leak stolen data. The group has recently exploited vulnerabilities in SimpleHelp remote management software, chaining exploits to gain access and avoid detection. Victims are typically contacted via unique email addresses using domains like @gmx.de or @web[.]de, and in some cases, attackers escalate pressure through phone calls to help desks or customer service teams to coerce ransom payments. SecurityWeek
- UNC6040 Uses Voice Phishing to Access Salesforce Data Through Social Engineering – Threat group UNC6040 is targeting multinational organizations by socially engineering employees to gain unauthorized access to Salesforce environments. Using voice phishing tactics, the attackers impersonate IT support personnel in convincing phone calls, tricking victims into installing a malicious version of Salesforce’s Data Loader tool. This gives the group access to sensitive data, which is then exfiltrated for extortion. The campaign specifically targets English-speaking employees and relies entirely on human manipulation rather than technical exploits. Both Google and Salesforce have issued warnings about the increasing use of voice phishing in such attacks. Dark Reading
- U.S. Government Seizes 145 Domains Tied to BidenCash Criminal Marketplace – The U.S. government has seized approximately 145 domains associated with BidenCash, a criminal marketplace that trafficked stolen credit card data and personal information. Since launching in March 2022, BidenCash has served over 117,000 users, facilitated the sale of more than 15 million payment card numbers, and generated over $17 million in illicit profits. The seized domains now redirect to law enforcement-controlled servers to disrupt further criminal activity. Authorities also confiscated cryptocurrency linked to the platform’s illegal transactions. U.S. Attorney’s Office, Eastern District of Virginia