CXO Monthly Roundup | June 2025

CXO Monthly Roundup, June 2025: Zenith Live, Data@Risk Report, DanaBleed, and Black Hat SEO

Deepen Desai

Contributor

Zscaler

Jul 15, 2025

Highlights from the Zscaler ThreatLabz team's June 2025 research.

The CXO Monthly Roundup provides the latest ThreatLabz research, alongside insights on other cyber-related subjects that matter to technology executives. In June, I spoke at Zenith Live ’25 (AMS) about how organizations can harness the power of Zero Trust and AI to fight AI cyberthreats. Our ThreatLabz research team also released a report on the challenges of securing data in cloud environments, explained DanaBleed (a malware memory leak introduced by the malware’s own authors), and showed how threat actors are using the popularity of AI to lure users onto malicious webpages to distribute malware.

Zenith Live ’25 Recap

Figure 1: Deepen Desai presenting at Zenith Live 2025 in Las Vegas.

As organizations continue to embrace digital transformation, the threat landscape is evolving, becoming more sophisticated with the integration of AI and advanced attack methods. At Zenith Live 2025, I had the opportunity to address these challenges during my keynote and share actionable strategies to help enterprises mitigate cyber risks effectively.

Understanding Key Threats

  • AI-powered attacks: Threat actors are leveraging AI to automate malware development, reconnaissance, and exploitation.
  • Zero-day exploits: Vulnerabilities in legacy architectures, such as VPNs and firewalls, are a primary target for attackers. In 2024, third-party research showed that these weaknesses contributed to 60% of successful ransomware attacks.
  • Insider threats: Social engineering and nation-state supply chain attacks are growing concerns as attackers increasingly focus on privileged users.

Zscaler's Role in Mitigating Risks

Zscaler Zero Trust Exchange is uniquely positioned to help organizations address these challenges. Key capabilities include:

  • AI-driven, real-time advanced threat protection
  • AI-powered user-to-app and device segmentation to contain the blast radius
  • ThreatLabz research, intelligence, and collaboration

Preventing Attacks Across Four Key Stages

Most advanced attacks follow four key stages: discovery, compromise, lateral propagation, and data theft. To address these, I outlined a security playbook for CXOs during the keynote:

  1. Minimize the external attack surface
  2. Prevent compromise
  3. Prevent lateral propagation
  4. Prevent data loss

Learnings and Lessons

I also shared a vishing-based attack scenario that highlights how adversaries progress through external attack surface discovery, use AI tools to compromise an initial user system, deploy malware, and facilitate lateral propagation within the network. Additionally, I discussed key tactics, techniques, and procedures (TTPs) uncovered from prominent ransomware groups like Black Basta.

You can watch a video of the keynote here.

Zscaler ThreatLabz 2025 Data@Risk Report

The Zscaler ThreatLabz 2025 Data@Risk Report sheds light on the challenges facing data security in today’s cloud-first, AI-driven enterprise environments. With businesses increasingly relying on AI applications and SaaS platforms, data leaks are growing, exposing sensitive information, including source code.

Key findings from over 1.2 billion blocked data loss incidents include:

  • Tools like ChatGPT and Microsoft Copilot accounted for 4.2 million sensitive data leakage incidents, impacting personal, medical, and proprietary information.
  • Apps like Salesforce, Google Drive, and Microsoft SharePoint drove 872 million data loss violations, primarily involving PII, medical data, and credit card numbers.
  • File sharing services such as Google Drive and OneDrive saw massive leakage of sensitive files, with source code alone being leaked 26.6 billion times.
  • Nearly 104 million data loss events were linked to email-related transactions.

The U.S., India, and the U.K. (highlighted in the map below) lead in total violations.

Figure 2: Map showing U.S., India, and the U.K. as the top violators.

The report emphasizes that organizations should implement advanced solutions to monitor sensitive data across channels to prevent leaks and breaches. For a deeper dive into the vulnerabilities and the steps needed to mitigate them, check out the full Zscaler ThreatLabz 2025 Data@Risk Report.

DanaBleed: Exposing DanaBot Through a Critical Vulnerability

Zscaler ThreatLabz uncovered a critical programming flaw in DanaBot's command-and-control (C2) server protocol, known as DanaBleed, which inadvertently caused a memory leak that persisted from June 2022 to early 2025.

The DanaBleed vulnerability exposed sensitive data like:

  • Operational and infrastructure details
  • Process notes
  • Usernames
  • IP addresses of affiliates
  • Backend details
  • Cryptographic keys
  • SQL statements
  • Changelog updates

In June 2022, the developer of DanaBot introduced a change to the C2 protocol that unintentionally caused the C2 server to leak snippets of its process memory in responses to infected victims.

To learn more about how the DanaBot memory leak works, visit DanaBleed: DanaBot C2 Server Memory Leak Bug.

Black Hat SEO Exploits AI Keywords to Distribute Malware

Zscaler ThreatLabz published a technical analysis of a threat campaign where threat actors are creating AI-themed websites designed to manipulate search engine rankings (via Black Hat SEO) and attract unsuspecting users into downloading malware.

When a user searches for AI keywords like “luma ai blog”, the malicious page often appears in one of the top results, as shown in the figure below.

Figure 3: Example Google search result for AI-based topics leading to malware.

Once the victim clicks on the search result, a webpage similar to the following will appear:

Figure 4: Example AI-themed website designed to lure victims into installing malware.

When users visit these websites, they are redirected through a series of hidden steps, ultimately leading to the delivery of malware such as Vidar Stealer, Lumma Stealer, and Legion Loader.

Vidar and Lumma have very similar attack chains. The NSIS installer includes files with a .docm extension embedded in different folders. While the extension suggests that the files are Microsoft Word macro-enabled documents, they are in fact components of the malware payload. Upon execution of the NSIS installer, these files are combined in the proper sequence to generate an AutoIT loader executable and an obfuscated AutoIT script, which act as the delivery mechanism for the malware payload (e.g., Lumma or Vidar Stealer).

Figure 5: The attack chain illustrating the distribution process of Lumma and Vidar Stealer.
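The .docm fragments described above give defenders a cheap triage signal: a genuine macro-enabled Word document is an OOXML ZIP container (starting with the bytes PK\x03\x04 and holding a [Content_Types].xml entry), whereas payload fragments carrying that extension are not. The following script is an added example written for this roundup, not ThreatLabz tooling or code from the campaign; it assumes the installer has already been unpacked into a directory tree (for instance with 7-Zip), walks that tree, and reports every Office-named file whose bytes do not match an Office container. The sample tree it builds in a temporary directory is constructed for the demonstration, with placeholder bytes standing in for the fragments, so the script runs offline.

```python
"""Flag files whose extension claims an Office document but whose bytes do not.

Added example (not ThreatLabz code). Assumes an installer already unpacked
into a directory tree; the sample tree below is constructed for the demo.
"""
import os
import tempfile
import zipfile

# OOXML (.docm/.docx/...) files are ZIP containers whose first local-file
# header starts with "PK\x03\x04"; legacy binary Office files start with
# the OLE2 compound-file signature.
ZIP_MAGIC = b"PK\x03\x04"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
OFFICE_EXTENSIONS = {".docm", ".docx", ".xlsm", ".xlsx", ".pptm", ".pptx"}


def classify_office_file(path):
    """Return 'ooxml', 'ole2' or 'mismatch' for a file with an Office extension."""
    with open(path, "rb") as fh:
        header = fh.read(8)
    if header.startswith(ZIP_MAGIC):
        # A real OOXML container must also contain the content-types part.
        try:
            with zipfile.ZipFile(path) as zf:
                if "[Content_Types].xml" in zf.namelist():
                    return "ooxml"
        except zipfile.BadZipFile:
            pass
        return "mismatch"
    if header.startswith(OLE2_MAGIC):
        return "ole2"
    return "mismatch"


def find_masquerading_files(root):
    """Walk an unpacked installer tree; return sorted relative paths (with '/')
    of Office-named files whose content is not an Office document."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in OFFICE_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            if classify_office_file(path) == "mismatch":
                findings.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed directory mimicking an unpacked installer:
    one genuine (minimal) .docm plus fragments named .docm in other folders."""
    root = tempfile.mkdtemp(prefix="unpacked_installer_")
    real = os.path.join(root, "docs", "readme.docm")
    os.makedirs(os.path.dirname(real))
    with zipfile.ZipFile(real, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
    # Placeholder fragments: an MZ-like header, script text and an ELF-like
    # header (constructed bytes, not material from any real sample).
    fragments = (
        ("a", b"MZ\x90\x00" + b"\x00" * 60),
        ("b/c", b"#NoTrayIcon\n" + b"\x00" * 10),
        ("d", b"\x7fELF" + b"\x00" * 20),
    )
    for sub, payload in fragments:
        path = os.path.join(root, sub, "part.docm")
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(payload)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for hit in find_masquerading_files(sample):
        print("suspicious:", hit)
```

Run the script as-is to see it flag the three constructed fragments while leaving the genuine document alone; point `find_masquerading_files` at a real unpacked installer directory to use it in triage. Because the check keys on container structure rather than on any particular byte sequence, it also catches renamed executables, scripts and arbitrary binary blobs, not only the fragment layout seen in this campaign.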

To learn more about how Legion Loader is delivered in this threat campaign, visit Black Hat SEO Poisoning Search Engine Results For AI to Distribute Malware.

About ThreatLabz

ThreatLabz is the embedded research team at Zscaler. This global team includes security experts, researchers, and network engineers responsible for analyzing and eliminating threats across the Zscaler security cloud and investigating the global threat landscape. The team shares its research and cloud data with the industry at large to help promote a safer internet.

The Zscaler Zero Trust Exchange

Zscaler manages the world’s largest security cloud. Each day, Zscaler blocks over 150 million threats to its more than 9,000 customers, securing over 500 billion web transactions daily. The Zscaler ThreatLabz security research team uses state-of-the-art AI/ML technology to analyze Zscaler Zero Trust Exchange traffic and share its findings.
