{"id":9943,"date":"2025-06-20T14:01:28","date_gmt":"2025-06-20T11:01:28","guid":{"rendered":"https:\/\/cyberone.bg\/?p=9943"},"modified":"2025-11-10T13:37:34","modified_gmt":"2025-11-10T10:37:34","slug":"weekly-cybersecurity-report-week-25-2025","status":"publish","type":"post","link":"https:\/\/cyberone.bg\/en\/weekly-cybersecurity-report-week-25-2025","title":{"rendered":"Weekly Cybersecurity Report | Week 25, 2025"},"content":{"rendered":"<p>As your dedicated cybersecurity services provider,<strong>\u00a0<a href=\"https:\/\/cyberone.bg\/\">Cyberone<\/a><\/strong>\u00a0equips you with timely and in-depth information about current cyber attacks. Discover a weekly cybersecurity report of the latest exploits and breaches shaping the ever-evolving cybersecurity landscape.<\/p>\n<h2>Weekly Cybersecurity Report | Week 25, 2025<\/h2>\n<p>\u00a0<\/p>\n<p><strong><u>Information security updates and events from the past week<\/u><\/strong><\/p>\n<h3><strong>1 Hackers hacked Iranian TV channels and broadcast calls for rebellion against the regime<\/strong><\/h3>\n<p>Channels affiliated with the Iranian opposition reported a widespread hack of Iranian TV channels, during which hackers broadcast messages calling on the Iranian public to take to the streets and revolt against the regime. Among the channels hacked was the government-run IRIB network.<\/p>\n<p>The messages broadcast showed women cutting their hair, a symbolic gesture well remembered from the major protests that broke out in Iran about two and a half years ago. The protests broke out following the death of Mahsa Amini, a young Iranian woman of Kurdish origin, after she was beaten by Iranian morality police in Tehran.<\/p>\n<p>The IRIB network, which is owned and directly supervised by the Iranian regime, serves as one of the government\u2019s main propaganda tools. 
The hack is a significant symbolic blow to the regime and demonstrates the vulnerabilities of government media systems.<\/p>\n<h3><strong>2 Iran\u2019s AFTA Center for Strategic Management publishes investigation into attack that hit Sepah Bank\u2019s core systems \u2013 njRAT malware infiltrated email server<\/strong><\/h3>\n<p>Iran is now publishing an official investigation into the attack that targeted Sepah Bank, one of the country\u2019s key government banks.<\/p>\n<p>According to the report, this was a large-scale attack, apparently carried out by what the report\u2019s authors claim was a sophisticated state actor, and it included remote control, data theft, and infection of workstations.<\/p>\n<p>\u2013 Attack tool: The infiltration was carried out using njRAT malware, a type of Remote Access Trojan, which allowed attackers to control internal systems, steal sensitive files, and monitor the bank\u2019s email traffic. The report includes precise documentation of the PowerShell code that was used to download the RAT to the infected workstations.<\/p>\n<p>\u2013 Infiltration vector: The malware was apparently introduced through the MDaemon server, an old internal email platform that the bank also operated on outdated operating systems such as Windows Server 2003. The attackers identified the vulnerabilities and exploited them to inject the malicious code through external IP addresses.<\/p>\n<p>\u2013 Attack stages: According to the report, the infiltration began with a phishing campaign or through an unsecured connection, continued with the download of a malicious file from the server, and ended with full control of the bank\u2019s internal infrastructure.<\/p>\n<p>Internal reactions in Iran: The report admits that this was a serious attack, and reveals that the bank\u2019s defenses, including antivirus, initially failed to identify the threat. 
Only after an in-depth analysis was the full infrastructure deployed against the bank discovered.<\/p>\n<p>This is a strategic infiltration into the heart of an Iranian financial system, using remote control tools and sophisticated infrastructure.<\/p>\n<h3><strong>3\u00a0 \u201cWith a Dog\u201d \u2013 Iran issues a government cyber alert, slows down the Internet and closes the stock exchange, there is no doubt that the impact is felt in Iran<\/strong><\/h3>\n<p>The Tehran regime has issued a series of official statements, both from the Presidential Strategic Management Center and from the government spokeswoman, indicating heavy pressures in cyberspace.<\/p>\n<p>Details of the announcements:<\/p>\n<p>\u2013 The AFTA Center for Strategic Management of the Presidency has issued a government cyber alert that will be in effect from June 21 to June 31, 2025<\/p>\n<p>\u2013 The alert includes a requirement for all system, IT and information security managers to immediately prepare and strictly implement a protection policy<\/p>\n<p>\u2013 Government spokeswoman Fatma Mohajrani added in a separate message: Evacuation messages that arrive by SMS should not be considered, they are part of psychological warfare<\/p>\n<p>\u2013 The speed of browsing in Iran is being temporarily slowed as a \u201cproactive move for network stability\u201d<\/p>\n<p>\u2013 The Iranian capital market is closed to the public \u201cin order to protect citizens\u2019 capital\u201d<\/p>\n<p>Iran officially admits to heavy pressures on its digital infrastructure. 
While the regime struggles with attempts to destabilize it from within, the impact of external moves, apparently also in the cyber arena, is beginning to seep into the Iranian public.<\/p>\n<h3><strong>4\u00a0 Iran admits: The scale of the attack on the Nobitex exchange is much more serious than initial estimates<\/strong><\/h3>\n<p>Iran is forced to admit that the attack on the Nobitex crypto exchange, which began with a localized intrusion, turned out to be a large-scale takeover of all the company\u2019s systems.<\/p>\n<p>A statement published a short time ago by Iranian officials stated that:<\/p>\n<p>\u2013 The company\u2019s internal systems are completely infected<\/p>\n<p>\u2013 The attackers had access to employees\u2019 Gmail accounts and social networks<\/p>\n<p>\u2013 The scope of the leak \u201ceven exceeds the events that struck the transportation company Snap\u201d<\/p>\n<p>\u2013 For comparison, Snap, which provides transportation and food delivery services throughout Iran (like Uber), experienced a cyberattack in late 2023 in which user details, addresses and internal operational information, including real-time driver locations, were leaked. The incident caused the shutdown of critical services and severely damaged public trust.<\/p>\n<h3><strong>5 Iran has begun a gradual shutdown of the country\u2019s internet network \u2013 initially partially, with estimates that this will lead to an almost complete shutdown soon.<\/strong><\/h3>\n<p>At the same time, Iran is trying to place the blame on Israel, claiming that it was Israel that launched a large-scale cyberattack on the country\u2019s digital infrastructure, with the aim of disrupting services for residents.<\/p>\n<p>However, it is important to emphasize that Iran has a regular policy of shutting down the network during times of security or civil tensions. 
For example, in November 2019 \u2013 following widespread protests \u2013 the country was almost completely cut off from the network for several days.<\/p>\n<p>Tools such as VPNs or other bypass solutions are not necessarily effective, as the Iranian regime controls the Internet access gateways and sometimes even blocks HTTPS traffic.<\/p>\n<p>Alongside this, a national intranet (National Information Network \u2013 NIN) operates in Iran, which allows residents to access websites and systems under the regime\u2019s supervision even when completely disconnected from the global Internet.<\/p>\n<p>\u00a0<\/p>\n<p><strong><em>The cybersecurity attacks highlighted in this report aren\u2019t just incidents, they\u2019re blueprints of the adversary\u2019s arsenal. To protect your business you need the right partner. Cyberone is here to help! Check out our <a href=\"https:\/\/cyberone.bg\/en\/services\">services<\/a>.<\/em><\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>As your dedicated cybersecurity services provider,\u00a0Cyberone\u00a0equips you with timely and in-depth information about current cyber attacks. Discover a weekly cybersecurity report of the latest exploits and breaches shaping the ever-evolving cybersecurity landscape. 
Weekly Cybersecurity Report | Week 25, 2025 \u00a0 Information security updates and events from the past week 1 Hackers hacked Iranian TV channels [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":8609,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[58],"tags":[65],"class_list":["post-9943","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-weekly-cyber-updates","tag-weekly-cybersecurity-report"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/cyberone.bg\/en\/wp-json\/wp\/v2\/posts\/9943","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cyberone.bg\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cyberone.bg\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cyberone.bg\/en\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/cyberone.bg\/en\/wp-json\/wp\/v2\/comments?post=9943"}],"version-history":[{"count":1,"href":"https:\/\/cyberone.bg\/en\/wp-json\/wp\/v2\/posts\/9943\/revisions"}],"predecessor-version":[{"id":9944,"href":"https:\/\/cyberone.bg\/en\/wp-json\/wp\/v2\/posts\/9943\/revisions\/9944"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cyberone.bg\/en\/wp-json\/wp\/v2\/media\/8609"}],"wp:attachment":[{"href":"https:\/\/cyberone.bg\/en\/wp-json\/wp\/v2\/media?parent=9943"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cyberone.bg\/en\/wp-json\/wp\/v2\/categories?post=9943"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cyberone.bg\/en\/wp-json\/wp\/v2\/tags?post=9943"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}