Threat Briefing — June 6, 2025

Weekly Threat Briefing - June 2 - June 6

TLP: CLEAR - This information may be shared publicly

eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.

Noteworthy News

Critical RCE Vulnerability in Roundcube Webmail Disclosed

Bottom Line: Roundcube issued a security advisory for a critical Remote Code Execution (RCE) vulnerability found within its webmail platform. As Proof-of-Concept (PoC) exploit code is available, impacted organizations should apply the recommended patches immediately.

On June 1st, Roundcube issued an advisory warning of a critical vulnerability found within Roundcube Webmail. Roundcube Webmail is a free and open-source web-based email client used by web hosting providers, email service providers, and educational and government institutions. The vulnerability, CVE-2025-49113 (CVSS: 9.9), allows authenticated attackers to achieve Remote Code Execution (RCE) via PHP object deserialization. Roundcube released security patches for the vulnerability, versions 1.6.11 and 1.5.10, along with the advisory on June 1st. Roundcube credits Kirill Firsov, the founder and CEO of FearsOFF, for reporting the vulnerability.

On the same day, FearsOFF released limited technical details on CVE-2025-49113, and indicated that they would publish Proof-of-Concept (PoC) exploit code at a later date, once impacted organizations had a chance to patch vulnerable instances of Roundcube Webmail. Within their report, FearsOFF indicated that this vulnerability has been within Roundcube Webmail for 10 years, and that it impacts over 53 million hosts, as Roundcube Webmail is often bundled by hosting providers and control panels, such as cPanel, Plesk, and ISPConfig.

On June 5th, it was reported that threat actors had been able to reverse-engineer the security patch released by Roundcube and develop an exploit for CVE-2025-49113. The exploit was being sold on underground forums as a One-Day vulnerability, a term used to describe vulnerabilities where a patch is available but has yet to be applied. The seller claims that Roundcube is the “second most popular webmail portal after OWA” and acknowledges that successful exploitation requires a valid username and password, but that attackers can “extract it from the logs” or it can be brute forced.

After the exploit was listed for sale, FearsOFF updated their analysis of CVE-2025-49113 to include PoC exploit code. FearsOFF indicated that because the technical details of the exploit were no longer private, it was “in the best interest of defenders, blue teams, and the broader security community to publish a full technical breakdown”. As PoC exploit code for the vulnerability is available, impacted organizations are urged to apply the recommended security patches as soon as possible.

eSentire Threat Intelligence Analysis:

At the time of writing, there are no reports confirming active exploitation of CVE-2025-49113. However, when PoC exploit code for critical vulnerabilities is released, increased attacks against impacted products are often observed. PoC exploit code lowers the bar for conducting attacks, allowing threat actors of various skill levels to make use of it, and this has been reported to happen quickly after release. As such, eSentire's Threat Intelligence team assesses that exploitation of CVE-2025-49113 will likely be observed in the near future.

Within their report, FearsOFF notes that bug bounty programs, such as Crowdfence, offer large rewards for RCE vulnerabilities relating to Roundcube, with a bounty of up to $50,000 USD. The reward provided for RCE exploits signals how severe such a vulnerability within Roundcube can be. Webmail servers can be attractive targets for threat actors, given the amount of sensitive information that they handle, and can be targeted in both financial and espionage related attacks.

Vulnerabilities within Roundcube have recently been targeted by the Russian state-sponsored APT groups UNC1151, Winter Vivern (TA473), and APT28 (Fancy Bear, Forest Blizzard) in Operation RoundPress. In each of these instances, exploitation of Roundcube vulnerabilities was used to perform espionage-related attacks through the theft of sensitive information. Although the vulnerabilities exploited by these threat actors were not RCE-related, these examples underscore how critical a vulnerability within Roundcube can be, and the type of data that threat actors may gain access to.

As exploitation of the vulnerability requires an attacker to possess valid credentials, organizations should implement Multi-Factor Authentication (MFA) to protect against brute force attacks or stolen credentials. Given the severity of the vulnerability and the availability of PoC exploit code, organizations that are running vulnerable instances of Roundcube Webmail should apply the recommended security patches as soon as possible. eSentire's Managed Vulnerability Service (MVS) has plugins in place to identify assets vulnerable to CVE-2025-49113. eSentire's Threat Response Unit (TRU) is continuing to track this topic for further information and detection opportunities.

The Cost of a Call: From Voice Phishing to Data Extortion

Bottom Line: The financially motivated threat group UNC6040 has been identified using voice phishing tactics in order to compromise Salesforce, Okta, and Microsoft 365 environments, facilitating data theft and extortion through manipulation of IT support roles.

On June 4th, the Google Threat Intelligence Group (GTIG) published a report outlining a recent voice phishing (vishing) campaign attributed to the threat actor group UNC6040. The campaign involved the compromise of organizations’ Salesforce environments, enabling unauthorized access to sensitive data. Notably, the attackers employed social engineering techniques rather than exploiting any inherent vulnerabilities within the Salesforce platform. Following the breach, the threat actors engaged in data extortion activities.

UNC6040 is a financially motivated threat cluster that impersonated IT support personnel in the vishing campaign primarily targeting English-speaking counterparts of multinational organizations. During these vishing calls, the attackers tricked victims into authorizing a malicious connected application, a modified version of the legitimate Salesforce Data Loader. The genuine Data Loader application is designed to facilitate bulk data import and export within Salesforce records. Upon obtaining authorization for the malicious application, the attackers were able to query and exfiltrate sensitive data from the compromised Salesforce environment. UNC6040 actors were also observed directing victims, via vishing calls, to a phishing page impersonating Okta to facilitate the authorization of the malicious Salesforce Data Loader application. The threat actors utilized user credentials obtained through the vishing calls to move laterally within the targeted networks, accessing and exfiltrating sensitive data across other cloud platforms, including Microsoft 365 and Okta.

The UNC6040 campaign also included data extortion activities, leveraging the information exfiltrated during the vishing attacks. These extortion attempts surfaced after a significant delay following the initial compromise and were accompanied by claimed associations with the ShinyHunters threat group. Additionally, the GTIG identified links between UNC6040 and the threat group collective known as "The Com," based on observed overlaps in Tactics, Techniques, and Procedures (TTPs), as well as shared infrastructure.

eSentire Threat Intelligence Analysis:

Vishing is a commonly employed social engineering tactic used to infiltrate an organization's network. In such attacks, threat actors typically do not exploit any specific vulnerabilities within the hosted applications. Instead, by impersonating IT support personnel, as they did in the UNC6040 campaign, they gain the victim’s trust, making it easier to carry out the attack while evading detection. Vishing attacks saw a significant rise in 2025, and with threat actors using AI tools, the attacks are likely to increase in the future.

The UNC6040 vishing campaign employed sophisticated social engineering techniques to deceive victims into authorizing a malicious application that closely resembled a legitimate one. By modifying the authentic Salesforce Data Loader application, the attackers were able to ensure user authorization while minimizing suspicion. To further conceal their operations, the threat actors utilized the commercial Virtual Private Network (VPN) service Mullvad to mask their network activity. UNC6040 demonstrates a high level of proficiency in social engineering, a strong understanding of Salesforce cloud infrastructure, and the capability to implement effective defense evasion techniques.

In addition to Salesforce, the threat actors also targeted other cloud platforms, including Microsoft 365 and Okta. Unauthorized access to sensitive data within Microsoft 365 poses a significant risk to an organization’s confidential information. Moreover, compromising an organization’s Okta environment could grant attackers broad access to the entire cloud infrastructure, as Okta often serves as a central identity and access management platform.

As reported by Google, the significant delay between the initial compromise and the onset of data extortion activities suggests that UNC6040 may have collaborated with a threat actor specializing in monetizing stolen data. Although claims of affiliation with the ShinyHunters threat group may have been used to amplify the perceived threat and increase extortion pressure, it is essential for organizations to critically assess and verify such claims before considering any engagement or compliance with the attackers' demands. ShinyHunters is a well-known cybercriminal group recognized for conducting high-profile data breaches and selling stolen data on dark web forums.

To safeguard organizational environments against breaches like those caused by the UNC6040 vishing campaign, it is strongly recommended that organizations implement strict access management controls. This includes enforcing Multi-Factor Authentication (MFA), limiting access privileges based on roles (Principle of Least Privilege), regularly reviewing and auditing user access, and monitoring for unusual authentication or authorization activity. Employee awareness training on social engineering tactics, such as impersonation and vishing, is crucial in reducing the risk of credential compromise. With the rise in threat actor abuse of the Data Loader application, organizations should also apply Salesforce's best practices for protecting Salesforce instances, which include restricting access by IP address and using Salesforce Shield.

Newly Identified Wiper Malware Targets Critical Infrastructure in Ukraine

Bottom Line: An unidentified Russian APT group has been observed targeting Ukrainian critical infrastructure with a newly discovered wiper malware dubbed PathWiper. This deployment signals a resurgence in the use of wiper malware by Russian APT groups following Russia's invasion of Ukraine.

On June 5th, Cisco Talos released a report about a cyberattack conducted by a Russia-linked Advanced Persistent Threat (APT) actor targeting critical infrastructure in Ukraine. The attacker deployed a previously unknown wiper malware called “PathWiper.” The attackers leveraged a legitimate endpoint administration framework, suggesting prior access to its administrative console, to push commands and malicious files to the linked endpoints. PathWiper was deployed via a batch script, which executed a VBScript that dropped the main wiper binary on target machines. Cisco Talos highlighted that the deployment approach mimicked a standard administrative utility’s console, indicating familiarity with the victim’s environment.

PathWiper exhibits a comprehensive and targeted wiping methodology: it enumerates and collects details on connected storage media, including physical drive names, volume names and paths, and network drive paths. The malware systematically overwrites critical NTFS artifacts such as $MFT, $Boot, $Bitmap, and the Master Boot Record (MBR) with random data, effectively destroying the filesystem structure. Volumes are dismounted before wiping using low-level system calls, maximizing the success of the data corruption. It operates with multi-threaded execution, targeting each drive and volume path individually for destruction. The end objective of the wiper is to corrupt the MBR and NTFS-related artifacts.

eSentire Threat Intelligence Analysis:

Russian wiper malware attacks targeting Ukraine predate the 2022 invasion of Ukraine. In 2015, the Russian state-sponsored APT group Sandworm (aka BlackEnergy, Voodoo Bear, IRIDIUM, Seashell Blizzard, APT44) targeted the Ukrainian power grid with BlackEnergy malware, leading to widespread but temporary disruptions of power. The same group conducted additional wiper malware campaigns between 2016 and 2018. It is likely that these early attacks acted as a testing ground for the disruptive capabilities of wiper malware against critical infrastructure. The start of Russia’s 2022 invasion of Ukraine included hybrid-warfare tactics, where wiper malware attacks were carried out in tandem with kinetic attacks. Wiper malware used during the invasion had varying success rates and is not believed to have significantly aided Russia’s war efforts. Wiper activity was limited through 2024. The discovery of PathWiper may indicate a renewed interest by Russian threat actors in wiper malware.

The report does not specify which APT group is responsible for the attacks, but it notes some similarities to HermeticWiper, which was utilized in the attacks of 2022. The broader implications of this attack are concerning, as the emergence of wiper variants like PathWiper indicates a targeted effort to disrupt Ukrainian infrastructure. SentinelLabs reported a wiper dubbed AcidRain impacting Ukrainian organizations since January 2022, preceding the full-scale invasion. The attack impacted communications inside Ukraine and disrupted 5,800 Enercon wind turbines in Germany. A similar report was provided by Microsoft Threat Intelligence in January 2021 on a new wiper malware impacting dozens of Ukrainian organizations in the government, non-profit, and IT industries.

Although wipers were heavily used during the initial warfare phase of the conflict, their use declined over time, so the emergence of a new strain three years later is particularly significant. It is probable that wiper malware will be a major component in future conflicts due to its ability to cause significant disruption. These attacks are primarily of value to state-sponsored threat actors, as there is no means to monetize the destruction of data. Wipers would also be valuable to hacktivist groups, but hacktivist operations tend to lack the sophistication required to cause widespread disruption. Iranian state-sponsored groups appear to be aware of this and have impersonated hacktivists in order to deploy wiper malware against Israeli-based organizations. It is likely that other state-affiliated groups will adopt similar tactics in the future.

About the threat briefings:

The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.

eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our Atlas Security Operations Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.
