VerSprite Weekly Threat Intelligence

Date Range: 07 July 2025 – 11 July 2025

Issue: 22nd Edition

Reported Period Victimology

Security Triumphs of the Week

This week saw significant international law enforcement actions against cyber threats, including the arrest of a Chinese national linked to state-sponsored espionage targeting U.S. vaccine research, UK arrests of Scattered Spider members disrupting major retailers, and a Russian ransomware negotiator’s extradition. Dutch and U.S. sanctions targeted semiconductor theft to Russia and a bulletproof hosting provider aiding ransomware groups, while Russia weaponized cyber-treason charges for propaganda. These cases underscore global efforts to counter state-aligned and criminal cyber operations, emphasizing persistent vulnerabilities in critical infrastructure and supply chains despite growing cross-border collaboration.

  • US arrests Silk Typhoon hacker accused of stealing Covid research and mass email hacking
    A 33-year-old Chinese national, Zewei Xu, was arrested in Italy for alleged cyberespionage on behalf of China, targeting U.S. COVID-19 vaccine research at the University of Texas in 2020. The FBI accuses Xu of being part of the state-sponsored hacking group Silk Typhoon (Hafnium), which stole data on U.S. policies and compromised thousands of global systems. Xu faces extradition to the U.S. on charges of wire fraud and aggravated identity theft, with potential sentences totaling 25 years. Silk Typhoon is linked to broader Chinese state-sponsored cyberattacks, including operations by groups like Volt Typhoon against U.S. critical infrastructure. The arrest highlights ongoing tensions over Chinese cyber-espionage activities targeting sensitive research and government systems.
    Read full article: Techradar
  • French cops cuff Russian pro basketball player on ransomware charges
    Daniil Kasatkin, a 26-year-old Russian professional basketball player, was arrested in France on June 21 and faces U.S. extradition for allegedly acting as a ransomware gang negotiator. The group reportedly targeted 900 organizations, including U.S. federal agencies, between 2020 and 2022. Kasatkin’s lawyers deny the charges, claiming he lacks technical skills and purchased a compromised second-hand computer. The Russian embassy alleges restricted access to him, while his legal team argues delayed evidence review harms his case. Kasatkin, formerly with MBA Moscow and Penn State, risks career disruption if detained longer. U.S. authorities have not yet publicly disclosed evidence supporting the charges.
    Read full article: Theregister
  • Europol Dismantles Massive Crypto Investment Scam Targeting 5000+ victims Worldwide
    Europol and international law enforcement dismantled a major cryptocurrency investment fraud network, defrauding over 5,000 victims globally and laundering €460 million. Operation BORRELLI, led by Spain’s Guardia Civil with support from Estonia, France, the U.S., and Europol, resulted in five arrests in Spain on June 25, 2025. The group used a Hong Kong-based corporate structure, payment gateways, and crypto exchanges to obscure illicit funds. Europol provided critical coordination and digital forensic expertise since 2023. The investigation remains ongoing, highlighting the sophistication of online fraud, which Europol warns is an escalating “epidemic” fueled by AI-driven tactics. This case underscores the need for global collaboration against increasingly complex financial crimes.
    Read full article: Gbhackers
  • British Police Bust Four Scattered Spider Suspects in England
    British police arrested four individuals linked to the Scattered Spider hacking group, including a 19-year-old Latvian man, two males aged 17 and 19, and a 20-year-old woman, in connection with April ransomware attacks targeting retailers M&S, Co-op, and Harrods. The attacks caused significant disruptions, including supply chain issues and an estimated £300 million loss for M&S. Scattered Spider, known for social engineering, SIM swapping, and ransomware partnerships like Alphv and DragonForce, has targeted over 100 global organizations since 2022. The group’s use of native English speakers to bypass defenses complicates mitigation efforts. Authorities highlighted the arrests as critical for disrupting operations, urging organizations to bolster security. The breach at M&S involved compromised third-party credentials from Tata Consulting Services, underscoring vulnerabilities in supply chains. Experts warn such attacks expose systemic risks, with potential for state-aligned adversaries to replicate tactics at scale.
    Read full article: Bankinfosec
  • Ex-ASML engineer who stole chip tech for Russia gets three years in Dutch prison
    A former ASML and NXP engineer was sentenced to three years in a Dutch prison for stealing semiconductor technology secrets and sharing them with Russia via encrypted platforms. Convicted of hacking and violating EU sanctions, he transferred confidential files on chip manufacturing processes to a Russian contact, reportedly linked to the FSB, earning €40,000. While he admitted copying and transmitting proprietary data, prosecutors couldn’t prove direct sales of stolen files or link the payment conclusively. The court acquitted him on charges related to setting up a production line due to insufficient evidence. NXP emphasized a zero-tolerance policy toward data theft, supporting the prosecution. The case underscores corporate espionage risks involving sanctioned states.
    Read full article: Theregister
  • Looking Tough: Russia Trumpets Pro-Ukraine Hacker Arrests
    Russian authorities are publicizing arrests of citizens accused of cyber-enabled treason for aiding Ukraine, likely to counter negative war narratives amid economic strain and high military casualties. Highlighted cases include a Siberian man sentenced to 16 years for hacking critical infrastructure and a medical programmer jailed for leaking military data to Ukraine. While some claims may hold truth, experts note these arrests serve as propaganda to distract from Russia’s wartime challenges. Cyber operations between both nations involve hacktivists, state-backed attacks, and scams targeting civilians. Russia’s restricted judicial transparency and FSB intimidation tactics complicate verification. Economic decline and Ukrainian recruitment of Russian hackers, leveraging historical ties, further fuel the cyber conflict.
    Read full article: Bankinfosec
  • US government cracks down on bulletproof hosting provider helping to prop up cybercrime gangs
    The US government sanctioned Russia-linked Aeza Group, a bulletproof hosting (BPH) provider, and its affiliates for supporting ransomware groups like BianLian and infostealers Meduza and Lumma. Aeza facilitated cybercrime by ignoring law enforcement requests, enabling attacks on US Critical infrastructure and organizations. The UK National Crime Agency assisted in identifying a UK front company, leading to sanctions against Aeza International. Three Russian individuals tied to Aeza were also targeted. While US entities are barred from engaging with Aeza, its predominantly Russian client base may limit the sanctions’ impact. Concurrently, US authorities seized domains linked to Lumma malware, underscoring ongoing efforts to disrupt cybercriminal infrastructure.
    Read full article: Techradar

Security Setbacks of the Week

Ransomware attacks and third-party breaches dominated cybersecurity incidents, with Ingram Micro disrupted by SafePay’s VPN exploitation and Qantas compromised via a customer service platform linked to Scattered Spider. Misconfigured cloud storage exposed millions of sensitive records at TalentHook and Rockerbox, while Android malware like Anatsa and IconAds infiltrated official app stores, evading detection. Luxury brands, including Louis Vuitton Korea, faced targeted breaches amid rising retail-sector threats, and healthcare data remained vulnerable, with hacking causing 258 breaches in 2025. State-linked Chinese firms, exposed in the Salt Typhoon leak, highlighted persistent espionage risks, underscoring systemic gaps in cloud security, app vetting, and third-party oversight.

  • Ransomware Attack Halts Ingram Micro Operations
    Ingram Micro, a global tech distributor, faced a ransomware attack attributed to the SafePay group, causing widespread system outages and disrupting customer access to licensing and backend services. The attack, potentially exploiting Palo Alto GlobalProtect VPN vulnerabilities, led to prolonged operational issues, with users reporting unresolved website and portal outages. SafePay, active since late 2024, employs tactics like stolen VPN credentials, file encryption (.safepay), and data exfiltration using tools like WinRAR. While Ingram Micro confirmed the incident, it remains unclear if data was stolen or systems encrypted. The group, linked to over 220 victims, targets global sectors via exposed RDP endpoints and legacy systems. Investigations into the breach are ongoing.
    Read full article: Bankinfosec
  • Dangerous Android malware targets US banking apps – 50,000 people already affected, make sure you’re not next
    A dangerous Android banking trojan, Anatsa, was discovered in the Google Play Store via the “Document Viewer – File Reader” app, which had over 50,000 downloads. Published by “Hybrid Cars Simulator, Drift & Racing,” the app initially functioned normally but received a malicious update between June 24-30, transforming it into a banking trojan. Anatsa targets North American banking apps, deploying overlays to steal login credentials and enabling unauthorized transactions. Google removed the app, but Anatsa has repeatedly infiltrated the Play Store, with prior incidents involving hundreds of thousands of downloads. Affected users should uninstall the app, run Play Protect scans, and reset banking credentials. This highlights ongoing challenges in preventing malware distribution on official app stores.
    Read full article: Techradar
  • Qantas confirms 5.7 million customers impacted by data breach
    Qantas confirmed a cyberattack in June 2025 compromised data of 5.7 million customers, including names, email addresses, postal addresses, birthdates, phone numbers, and Frequent Flyer details. Payment data, passwords, and financial information remained secure. The breach originated via a third-party customer service platform. While unclaimed, the attack aligns with tactics of Scattered Spider, a group targeting airlines via social engineering. Qantas is notifying affected customers and monitoring data exposure. The FBI recently warned about Scattered Spider’s activities amid multiple airline breaches globally.
    Read full article: Techradar
  • Over 26 million resumes exposed in top CV maker data breach – here’s what we know
    A misconfigured Azure Blob storage database belonging to TalentHook, a cloud-based applicant tracking system, exposed over 26 million resumes and CVs containing sensitive personal information of US job seekers, including names, contact details, education, and employment history. Discovered by Cybernews researchers, the unprotected database remained publicly accessible, posing significant risks of phishing and malware attacks by threat actors targeting individuals actively seeking employment. Despite notifications, TalentHook has not confirmed securing the database, leaving it potentially open to exploitation. While no evidence of misuse exists yet, the breach highlights vulnerabilities in third-party recruitment platforms. The incident underscores the need for stringent access controls to protect sensitive user data.
    Read full article: Techradar
  • Louis Vuitton says customer data was leaked following cyberattack
    Louis Vuitton Korea confirmed a cyberattack resulting in the theft of customer data, excluding financial information. The breach involved unauthorized access to systems, prompting infrastructure security measures and government notifications. This incident aligns with a trend of cyberattacks targeting luxury brands, including Cartier, Dior, and Victoria’s Secret in mid-2025. While unconfirmed, Scattered Spider—a group known for industry-specific attacks—is suspected in these breaches. The FBI recently warned of their focus on retail sectors, though details on the Louis Vuitton breach’s timing, methods, or ransom demands remain undisclosed. Luxury brands continue to face heightened cybersecurity risks.
    Read full article: Techradar
  • Hundreds of Android apps band together in massive scam campaign targeting millions – here’s what we know
    A major ad fraud campaign involving 352 malicious Android apps, dubbed IconAds, was uncovered by HUMAN Security researchers. These apps hid their icons post-installation to evade removal and bombarded users with unauthorized, out-of-context ads, generating up to 1.2 billion daily bid requests. Primarily targeting users in Brazil, Mexico, and the U.S., the apps bypassed Google Play Store defenses but have since been removed. Active since 2019, the campaign highlights recurring threats, as developers frequently adapt with new apps and obfuscation tactics. Users are advised to scrutinize app reviews and download counts to avoid similar scams.
    Read full article: Techradar
  • Venture capital giant IdeaLab confirms breach, says private data was stolen in attack
    Idealab confirmed a cyberattack from October 2024, exposing sensitive data of employees, contractors, and dependents. The breach, attributed to ransomware group Hunters International, involved stolen names and variable data. Hunters International leaked the data after failed extortion, then disbanded and released decryption keys, possibly rebranding as “World Leaks” to evade law enforcement. Idealab offered affected individuals 24 months of identity theft protection via IDX. The group’s shutdown motives remain speculative, with experts linking it to operational rebranding. The attack’s full impact and data specifics remain undisclosed.
    Read full article: Techradar
  • Rockerbox Data Leak – 245,949 User Records Exposed Including SSNs and Driver’s Licenses
    A misconfigured, publicly accessible AWS S3 bucket exposed 245,949 sensitive records from Rockerbox, a tax-credit consultancy, including Social Security numbers, driver’s licenses, payroll data, and military discharge forms. The unencrypted 286.9 GB repository allowed unauthorized access via simple HTTP requests, potentially enabling identity theft, tax fraud, and social engineering. Attackers could exploit predictable file structures and inconsistent access controls to harvest data for synthetic identities or phishing campaigns. The breach stemmed from improper bucket permissions (Everyone: READ/LIST), highlighting cloud security gaps. Despite rapid takedown, pre-exposure data theft risks remain. The incident underscores regulatory risks under FTC Safeguards Rule and emphasizes the need for strict bucket policies, encryption, and continuous monitoring.
    Read full article: Cybernews
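The Rockerbox exposure came down to a bucket ACL granting Everyone the READ (list) permission with no Public Access Block in front of it. The following is an added example (not from the article or from Rockerbox) that audits the three inputs an S3 reviewer would pull, bucket ACL, bucket policy and Public Access Block, in the JSON shapes the AWS API returns, and shows the weak configuration next to a corrected one; the bucket name, account ID and role name are constructed.

```python
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "Everyone", AUTH_USERS: "Any AWS account"}
# Bucket-level ACL permissions and what each lets an anonymous caller do;
# READ on the bucket is the console's "List" (enumerate every object key).
ACL_EFFECT = {"READ": "list objects", "WRITE": "create/delete objects",
              "READ_ACP": "read the ACL", "WRITE_ACP": "rewrite the ACL",
              "FULL_CONTROL": "all of the above"}


def public_acl_grants(acl):
    """Grants on the ACL (GetBucketAcl output shape) that go to a public group."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            perm = grant["Permission"]
            hits.append(f"ACL: {PUBLIC_GROUPS[grantee['URI']]} may {ACL_EFFECT[perm]} ({perm})")
    return hits


def public_policy_statements(policy):
    """Allow statements with a wildcard principal and no Condition."""
    hits = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        principal = st.get("Principal")
        if principal != "*" and not (isinstance(principal, dict) and principal.get("AWS") == "*"):
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        hits.append(f"policy: anyone may {', '.join(actions)} on {st.get('Resource')}")
    return hits


def audit_bucket(acl, policy, block):
    """Return findings that are effective given the Public Access Block settings.

    IgnorePublicAcls neutralises public ACL grants; RestrictPublicBuckets
    neutralises anonymous access granted by a public policy. Grants that are
    neutralised are still worth removing, but they are not the live exposure.
    """
    findings = []
    if not block.get("IgnorePublicAcls", False):
        findings += public_acl_grants(acl)
    if not block.get("RestrictPublicBuckets", False):
        findings += public_policy_statements(policy)
    return findings


# Constructed inputs. WEAK mirrors the reported pattern (ACL grant to Everyone
# with READ, i.e. READ/LIST, plus a world-readable object policy and no Public
# Access Block); FIXED is an owner-only ACL, a policy scoped to one role, and
# all four block settings enabled. Canonical ID, account ID and role are fake.
OWNER = {"Type": "CanonicalUser", "ID": "0" * 64}
WEAK_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-records-bucket/*"},
]}
NO_BLOCK = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

FIXED_ACL = {"Owner": OWNER, "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/ReportsReader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-records-bucket/*"},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-records-bucket", "arn:aws:s3:::example-records-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}
FULL_BLOCK = {k: True for k in NO_BLOCK}

if __name__ == "__main__":
    for label, args in (("weak", (WEAK_ACL, WEAK_POLICY, NO_BLOCK)),
                        ("fixed", (FIXED_ACL, FIXED_POLICY, FULL_BLOCK))):
        print(label, json.dumps(audit_bucket(*args), indent=2))
```

The same functions work on the live output of `get_bucket_acl`, `get_bucket_policy` and `get_public_access_block` when you replace the constructed dictionaries.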
  • 11 Google-Verified Chrome Extensions Infected Over 1.7 million Users
    A sophisticated browser hijacking campaign, “RedDirection,” infected over 1.7 million users via 11 Google-verified Chrome extensions, with 2.3 million total infections across Chrome and Edge. Malicious extensions, including productivity and entertainment tools, delivered malware through silent updates after years of appearing benign. These updates enabled surveillance, URL tracking, and redirection to fraudulent sites via command-and-control servers. Attackers exploited trust signals like verification badges and high install counts, bypassing marketplace security. The campaign highlights systemic vetting failures, as extensions evaded detection despite Google and Microsoft’s verification processes. Koi Security urges users to uninstall affected extensions and improve third-party code oversight to mitigate such threats.
    Read full article: Gbhackers
  • Hacks Lead Health Data Breach Trends So Far in 2025
    Hacking incidents, including ransomware, remain the leading cause of major health data breaches in 2025, with 258 breaches affecting 28.8 million individuals. Mid-year reports show 345 breaches impacting 29.9 million people, a decline from 2024’s 52.7 million. Third-party vendors accounted for 37% of breaches but over half of affected individuals, including Episource’s 5.4 million-victim ransomware attack. The largest breach involved Yale New Haven Health (5.5 million). Unauthorized access incidents, like Serviceaide’s 483,000-person leak, were secondary. Placeholder breach figures (e.g., 500 individuals) suggest totals may rise post-investigation, mirroring 2024’s Change Healthcare incident.
    Read full article: Bankinfosec
  • Chinese Data Leak Reveals Salt Typhoon Contractors
    A data leak analyzed by SpyCloud exposed Chinese private hacking firms operating as the Salt Typhoon threat actor, linked to government-backed cyber operations. The leak revealed contracts and communications connecting these firms to Chinese military suppliers, including the PLA Unit 61419, and agencies like the Beijing Foreign Affairs Office. Identified contractors include Sichuan Juxinhe Network Technology, while others like Beijing Huanyu Tiangiong remain unpublicized. The datasets also tied Salt Typhoon to breaches in U.S. telecom networks and highlighted customers such as academic institutes with cyber warfare ties. This leak underscores China’s reliance on hack-for-hire ecosystems, echoing prior incidents like the 2024 iSoon breach, where insiders profit by selling state data. Researchers confirm these findings align with Salt Typhoon’s historical tactics and China’s use of front companies for deniable cyber espionage.
    Read full article: Bankinfosec

The New Emerging Threats

Emerging threats showcase a surge in AI-driven attacks and cross-platform exploitation, with agentic AI enabling autonomous phishing across Slack, Teams, and voicemails. Critical vulnerabilities in eSIM protocols and IoT devices (e.g., RondoDox botnet) expose infrastructure risks, while supply chain compromises via malicious VS Code/npm packages and GitHub tools like GitPhish highlight open-source ecosystem weaknesses. Ransomware groups (SafePay, Pay2Key) and APTs (DoNot, NightEagle) leverage advanced evasion, geopolitical alignment, and zero-day exploits. Offline ransomware (Mamona) and AI-enhanced social engineering underscore the need for adaptive defenses, holistic monitoring, and updated patching to counter evolving hybrid cybercrime-state threats.

  • Agentic AI Is Fueling a Rise of Deepfake Phishing Scams
    Read full article: Bankinfosec
  • New eSIM Hack Allows Attackers to Clone Your eSIM Profile
    A critical vulnerability in GSMA TS.48 Generic Test Profile (v6.0 and earlier) allows attackers with physical device access to clone eSIM profiles using exposed keys, enabling rogue applet installation and potential data manipulation. Exploitation requires activating test profiles and bypassing verification, risking unauthorized network access, communication interception, or full eSIM takeover. The flaw stems from predictable Remote Applet Management (RAM) keys in test profiles, impacting pre-v7.0 eSIM products. Kigen released an OS patch blocking unauthorized applet loading and updated test profiles with randomized keys, distributed via OTA updates. GSMA’s revised TS.48 v7.0 restricts test profiles to secure variants, urging manufacturers to avoid test profiles in production and apply patches promptly to mitigate risks.
    Read full article: Gbhackers
  • Weaponized AI Extension Used by Hackers to Swipe $500,000 in Crypto
    A Russian blockchain engineer lost $500,000 in crypto due to a malicious AI IDE extension posing as a Solidity syntax tool on the Open VSX registry. The fake “Solidity Language” extension, leveraging inflated downloads and recency to outrank legitimate versions, deployed PowerShell scripts installing remote access tools and malware (Quasar backdoor, stealer) to siphon wallet credentials. Attackers persisted by reuploading the extension under a typo-squatted username post-removal. Additional malicious npm packages and VS Code extensions used similar tactics, exploiting obfuscated scripts and image-hosted payloads. The incident highlights risks in open-source ecosystems, urging developers to verify tools and adopt modern cybersecurity defenses to counter evolving threats.
    Read full article: Gbhackers
  • Weaponized Termius App Delivers Latest ZuRu Malware to macOS Users
    A new variant of the macOS.ZuRu malware is targeting users via a trojanized Termius SSH client, distributed as a malicious .dmg file inflated with embedded binaries. The malware employs a modified Khepri C2 framework, using a renamed helper app to load malicious components while maintaining legitimate functionality. It achieves persistence via Launch Daemon and checks for payload updates by comparing MD5 hashes. The C2 beacon, decrypted with a 13-byte XOR key, communicates over port 53 to evade detection, enabling file theft, reconnaissance, and command execution. Despite evolved tactics, attackers reuse domain patterns and persistence methods. SentinelOne detects the threat, while unprotected organizations are urged to monitor listed IoCs.
    Read full article: Gbhackers
  • GitPhish: New Tool Automates GitHub Device Code Phishing Attacks
    GitPhish is a new open-source tool automating GitHub Device Code Phishing attacks, which exploit OAuth 2.0 Device Authorization Grant flows to compromise organizations’ repositories. It streamlines large-scale attacks by generating real-time device codes upon target interaction, bypassing the 15-minute expiration challenge. Features include professional GitHub Pages-hosted phishing sites, dynamic code generation, and CLI/web dashboard operation modes. Designed for red teams and security professionals, it enables realistic attack simulations to test defenses against OAuth-based social engineering. The tool requires Python and a GitHub token for setup, with documentation and demos available. GitPhish aims to improve detection capabilities and organizational resilience against evolving phishing threats.
    Read full article: Gbhackers
  • Supply Chain Attack Unleashed via Compromised VS Code Extension
    A supply chain attack targeted cryptocurrency developers through a compromised Visual Studio Code extension (ETHcode) with nearly 6,000 installations. Attackers submitted a malicious GitHub pull request on June 17, 2024, introducing a harmful dependency (“keythereum-utils”) via two lines of code. The payload executed obfuscated JavaScript, triggering hidden PowerShell processes to download secondary malware. The attack exploited VS Code’s automatic updates, spreading undetected until Microsoft removed the extension on June 26. The incident highlights vulnerabilities in open-source ecosystems, particularly for high-value blockchain developers, emphasizing the need for stricter dependency reviews and security tools.
    Read full article: Gbhackers
  • SafePay Ransomware Unleashed: New LockBit 3.0 Variant Hits 200+ MSPs & SMBs Worldwide
    A new ransomware group, SafePay, emerged in Q1 2025 as a significant global threat, targeting over 200 MSPs and SMBs worldwide. Operating centrally without the RaaS model, SafePay manages its infrastructure and negotiations directly, enhancing stealth and security. The ransomware is a modified LockBit 3.0 variant, leveraging leaked source code with evasion upgrades, including dynamic API resolution and language-based infection avoidance. It exploits compromised RDP connections to disable defenses, exfiltrate data via WinRAR and FileZilla, and encrypt files with AES and RSA, appending the “.safepay” extension. SafePay’s attacks, including a breach disrupting Ingram Micro’s services, highlight its technical sophistication and destructive potential, positioning it among 2025’s most dangerous threats.
    Read full article: Securityonline
  • DoNot APT Expands to Europe: Targets Foreign Ministry with LoptikMod Malware via Google Drive Phishing
    The DoNot APT group, a cyber-espionage threat active since 2016, has expanded its operations to target a European foreign ministry using Google Drive phishing to deliver the LoptikMod malware. The campaign involved spear-phishing emails impersonating defense officials, directing victims to a malicious RAR archive that deploys a multi-stage infection chain. Malware employs obfuscation, anti-analysis techniques, and persistence mechanisms via scheduled tasks to exfiltrate system metadata to a command-and-control server. Trellix attributes the activity to DoNot APT based on infrastructure and tactics, signaling a strategic shift toward European diplomatic targets for intelligence gathering. This reflects the group’s evolving tactics and alignment with geopolitical objectives.
    Read full article: Securityonline
  • Iranian Ransomware “Pay2Key.I2P” Resurfaces on I2P Network, Offering 80% Profit for Targeting Western Enemies
    The Iranian ransomware operation Pay2Key.I2P has reemerged on the I2P anonymized network, targeting Western entities with ties to Iran’s geopolitical adversaries. Operated by actors linked to the Fox Kitten APT group and Mimic ransomware, the RaaS platform offers affiliates an 80% profit share, incentivizing attacks that blend cybercrime with state-aligned objectives. The campaign has reportedly collected over $4 million in ransoms within four months, utilizing advanced evasion techniques like obfuscated PowerShell scripts, anti-analysis tools, and a Linux-compatible variant to broaden its reach. Hosted on I2P, the operation features referral systems, earnings dashboards, and recruitment from Russian and Chinese darknet forums. Its payload disables security tools and deploys delayed execution mechanisms, underscoring its technical sophistication. Morphisec warns this convergence of Iranian cyber warfare and criminal profit models poses a significant threat to Western organizations.
    Read full article: Securityonline
  • NightEagle APT Unleashes Custom Malware and Zero-Days to Infiltrate Industrial Systems
    The NightEagle APT group (APT-Q-95) has targeted China’s high-tech, military, and AI sectors since 2023 using custom malware and zero-day exploits to steal intelligence. Their tactics include rapid infrastructure shifts, a Go-based “SynologyUpdate.exe” malware for network penetration, and memory-resident payloads on Exchange servers to evade detection. The group exploits undisclosed Exchange vulnerabilities to exfiltrate emails and operates primarily during Beijing nighttime, suggesting North American origins. Qian Pangu identified malicious domains like “synologyupdates.com” and tools to detect threats, urging organizations to inspect Exchange systems for suspicious activity. Mitigation involves automated tools like Qianxin’s APT-Q-95 Exchange Memory Self-Check and multi-platform threat analysis.
    Read full article: Gbhackers
  • Security researchers discover dangerous malware that’s small, fast, can work locally, and doesn’t need a master command – here’s what you need to know
    Security researchers identified Mamona, a new ransomware strain operating locally on Windows without command-and-control servers, evading network-based detection. It executes as a standalone binary, delays execution via a modified ping command (127.0.0.7), then self-deletes to minimize forensic traces. The malware encrypts files, appends .HAes extensions, and drops a ransom note, blending with normal activity to delay response. Its offline, self-contained design bypasses traditional antivirus tools reliant on network traffic analysis. Wazuh recommends behavior-based detection using Sysmon logs, custom rules for ransom notes/ping delays, and real-time YARA scans to trigger remediation. The ransomware’s simplicity lowers entry barriers for attackers, highlighting gaps in conventional defenses and the need for adaptive security strategies.
    Read full article: Gbhackers
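Because Mamona never talks to a C2, the behaviours the article lists (the 127.0.0.7 ping used as a sleep, a burst of .HAes files, a dropped note, the self-delete) are what a host-based rule has to key on. The following is an added example (not from the article, Wazuh or the malware authors) that runs those four rules over constructed Sysmon-style JSON events; the paths, PIDs and the ransom note filename are illustrative, and the note name in particular should be replaced with the one seen in your own samples.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-style events (JSON lines) modelled on the behaviour described
# above: a standalone binary, a ping to 127.0.0.7 used as a sleep, a burst of
# .HAes files, a dropped note, and a self-delete via cmd.exe. Paths, PIDs and the
# note filename are illustrative, not real indicators. The last event is benign.
SAMPLE_EVENTS = r"""
{"EventID":1,"UtcTime":"2025-07-08 09:00:00.000","ProcessId":4120,"Image":"C:\\Users\\Public\\update.exe","CommandLine":"update.exe","ParentImage":"C:\\Windows\\explorer.exe"}
{"EventID":11,"UtcTime":"2025-07-08 09:00:01.100","ProcessId":4120,"Image":"C:\\Users\\Public\\update.exe","TargetFilename":"C:\\Users\\alice\\Documents\\q1.xlsx.HAes"}
{"EventID":11,"UtcTime":"2025-07-08 09:00:01.200","ProcessId":4120,"Image":"C:\\Users\\Public\\update.exe","TargetFilename":"C:\\Users\\alice\\Documents\\q2.xlsx.HAes"}
{"EventID":11,"UtcTime":"2025-07-08 09:00:01.300","ProcessId":4120,"Image":"C:\\Users\\Public\\update.exe","TargetFilename":"C:\\Users\\alice\\Documents\\plan.docx.HAes"}
{"EventID":11,"UtcTime":"2025-07-08 09:00:01.400","ProcessId":4120,"Image":"C:\\Users\\Public\\update.exe","TargetFilename":"C:\\Users\\alice\\Pictures\\img1.jpg.HAes"}
{"EventID":11,"UtcTime":"2025-07-08 09:00:01.500","ProcessId":4120,"Image":"C:\\Users\\Public\\update.exe","TargetFilename":"C:\\Users\\alice\\Pictures\\img2.jpg.HAes"}
{"EventID":11,"UtcTime":"2025-07-08 09:00:01.600","ProcessId":4120,"Image":"C:\\Users\\Public\\update.exe","TargetFilename":"C:\\Users\\alice\\Documents\\README_NOTE.txt"}
{"EventID":1,"UtcTime":"2025-07-08 09:00:04.000","ProcessId":4388,"Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c ping 127.0.0.7 -n 3 > Nul & Del /f /q \"C:\\Users\\Public\\update.exe\"","ParentImage":"C:\\Users\\Public\\update.exe"}
{"EventID":1,"UtcTime":"2025-07-08 09:05:00.000","ProcessId":5000,"Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c ping 127.0.0.1 -n 1","ParentImage":"C:\\Windows\\explorer.exe"}
"""

# Any 127.x address answers a ping, but legitimate tooling almost always uses
# 127.0.0.1, so a ping to 127.0.0.7 is a cheap, high-signal rule.
PING_DELAY_RE = re.compile(r"\bping(?:\.exe)?\b.*\b127\.0\.0\.7\b", re.IGNORECASE)
DEL_RE = re.compile(r"\bdel\b", re.IGNORECASE)
ENCRYPTED_EXT = ".haes"
NOTE_NAME = "readme_note.txt"          # hypothetical; take the real name from your samples
BURST_THRESHOLD = 5                    # this many .HAes files from one process ...
BURST_WINDOW = timedelta(seconds=10)   # ... inside this window


def parse_events(text):
    """Parse JSON-lines Sysmon events and attach a parsed timestamp."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["_ts"] = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        events.append(ev)
    return events


def detect(events):
    """Return one alert dict per rule hit: {'rule', 'pid', 'detail'}."""
    alerts = []
    haes_times = defaultdict(list)
    for ev in events:
        pid = ev["ProcessId"]
        if ev["EventID"] == 1:                       # process creation
            cmd = ev.get("CommandLine", "")
            parent = ev.get("ParentImage", "")
            if PING_DELAY_RE.search(cmd):
                alerts.append({"rule": "ping_loopback_delay", "pid": pid, "detail": cmd})
            # cmd.exe deleting the binary that spawned it is the self-delete step
            if DEL_RE.search(cmd) and parent and parent.lower() in cmd.lower():
                alerts.append({"rule": "self_delete", "pid": pid, "detail": parent})
        elif ev["EventID"] == 11:                    # file creation
            target = ev.get("TargetFilename", "")
            name = target.rsplit("\\", 1)[-1].lower()
            if name.endswith(ENCRYPTED_EXT):
                haes_times[pid].append(ev["_ts"])
            elif name == NOTE_NAME:
                alerts.append({"rule": "ransom_note", "pid": pid, "detail": target})
    # Sliding window: BURST_THRESHOLD or more .HAes creations by one process
    # within BURST_WINDOW; a single renamed file should not page anyone.
    for pid, times in haes_times.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                alerts.append({"rule": "haes_burst", "pid": pid,
                               "detail": f"{end - start + 1} files in {BURST_WINDOW.seconds}s"})
                break
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_EVENTS)):
        print(f"[{a['rule']}] pid={a['pid']} {a['detail']}")
```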
  • Hundreds of DVRs and routers are being hijacked to form another major botnet
    Okta researchers warn that the GenAI tool v0.dev, developed by Vercel, is being exploited by threat actors to create convincing phishing websites mimicking legitimate sign-in pages. These sites, hosted on Vercel’s infrastructure, leverage AI-generated logos and designs to evade detection, targeting services like Microsoft 365 and cryptocurrency platforms. The tool’s natural language interface lowers technical barriers, enabling even inexperienced attackers to build fraudulent sites. Despite mitigation efforts, AI’s widespread use complicates prevention. Okta advises organizations to enforce multi-factor authentication tied to original domains and update cybersecurity training to address AI-driven phishing risks. Additionally, GenAI tools are increasingly citing fake URLs, amplifying credential theft threats.
    Read full article: Techradar

Vulnerability Spotlight: Critical Exposures Unveiled

Critical vulnerabilities across Citrix, Laravel, ServiceNow, and automotive systems are being actively exploited, enabling session hijacking, RCE, and data exfiltration. Rapid weaponization of flaws like Citrix Bleed 2 and Wing FTP’s Lua injection highlights attackers’ agility in targeting unpatched systems, with legacy vulnerabilities in Ruby on Rails and Zimbra remaining persistent threats. Widespread exposure of sensitive keys (e.g., Laravel APP_KEY) and poor update practices amplify risks, while novel automotive exploits demonstrate expanding attack surfaces. Urgent patching, credential rotation, and enhanced logging are critical as threat actors leverage memory-based attacks and authentication bypasses to compromise enterprise networks, cloud platforms, and connected devices.

  • Attackers Actively Exploit ‘Citrix Bleed 2’ Vulnerability
    Attackers are actively exploiting two critical vulnerabilities, CVE-2025-5777 (Citrix Bleed 2) and CVE-2025-6543, in Citrix NetScaler ADC and Gateway devices. Citrix Bleed 2 allows session hijacking and MFA bypass by leaking memory to steal authentication tokens, while CVE-2025-6543 is a zero-day memory overflow flaw. Over 18,000 internet-exposed Citrix systems remain, with ~25% unpatched against CVE-2025-5777. Citrix urges immediate patching and session termination, as unpatched end-of-life versions (12.1, 13.0) are vulnerable. Exploits enable unauthorized access, with forensic traces like nonprintable characters in logs indicating compromise. Security firms warn of active exploitation but withhold full exploit details to limit attacker advantage.
    Read full article: Bankinfosec
  • Wing FTP Server RCE Vulnerability Under Active Exploitation
    A critical remote code execution (RCE) vulnerability (CVE-2025-47812) in Wing FTP Server versions prior to 7.4.4 is being actively exploited, allowing attackers to execute code at root/SYSTEM level via Lua injection. The flaw stems from improper null-byte handling in the username parameter during authentication. Exploitation involves injecting malicious Lua code through manipulated POST requests to the loginok.html endpoint, enabling system compromise, reconnaissance, and payload delivery. Attacks began within 24 hours of the June 30, 2025, disclosure, with observed attempts deploying tools like ScreenConnect and malicious executables. Organizations must update to version 7.4.4 immediately and monitor logs for truncated usernames or anomalous session files. Forensic artifacts in logs and session directories aid detection.
    Read full article: Gbhackers
  • Laravel APP_KEY Flaw Exploited to Trigger Remote Code Execution on Hundreds of Apps
    A critical Laravel vulnerability allows attackers to exploit exposed APP_KEYs for remote code execution (RCE) via insecure deserialization of decrypted data. Researchers found over 650,000 Laravel instances, with 6,000+ APP_KEYs exposed on GitHub, leading to 400+ vulnerable applications. Attackers leverage tools like phpggc to exploit gadget chains in Laravel versions 5.1–11.34.2+, enabling RCE. Poor security practices, including exposed .env files (63% of cases) and leaked credentials, amplify risks. GitGuardian detected 10,000+ unique APP_KEYs since 2025, with 4 confirmed exploitable RCE cases. The findings underscore urgent needs for improved secret management and monitoring in Laravel apps.
    Read full article: Gbhackers
  • ServiceNow Platform Vulnerability Enables Attackers to Exfiltrate Sensitive Data
    A critical vulnerability (CVE-2025-3648) in ServiceNow’s platform, dubbed “Count(er) Strike,” allows attackers to exfiltrate sensitive data via record count UI manipulation. Exploiting weak Access Control List (ACL) evaluations, attackers with minimal privileges can infer data from tables in ITSM, CSM, HRSD, and GRC modules by observing query responses. The flaw leverages ServiceNow’s “dot-walking” feature and could enable anonymous users to extract credentials, PII, or financial records. ServiceNow has patched the issue with Query ACLs and Security Data Filters, urging customers to review table configurations and ACL settings. No confirmed exploits were reported pre-patch, but urgent mitigation is advised due to widespread impact.
    Read full article: Gbhackers
  • FortiOS Buffer Overflow Vulnerability Enables Remote Code Execution by Attackers
    A critical heap-based buffer overflow vulnerability (CVE-2025-24477) in FortiOS allows authenticated attackers to execute arbitrary code via the cw_stad daemon, posing remote code execution risks. Affected versions include FortiOS 7.6, 7.4, and 7.2, with specific FortiWifi models vulnerable when configured as wireless clients. Though rated medium severity (CVSS 4.0), successful exploitation could enable privilege escalation and full system compromise. Fortinet internally identified the flaw and released patches (7.6.3, 7.4.8, 7.2.12) to address it. Organizations must prioritize upgrades, particularly if using impacted FortiWifi devices. The authentication requirement limits exploitability, but compromised credentials could escalate threats.
    Read full article: Gbhackers
  • CISA Alerts on Active Exploit of Ruby on Rails Path Traversal Flaw
    CISA issued an urgent alert about active exploitation of a critical path traversal vulnerability (CVE-2019-5418) in Ruby on Rails’ Action View component, added to its Known Exploited Vulnerabilities catalog. The flaw allows attackers to manipulate HTTP headers to access sensitive server files, risking exposure of credentials, source code, and system data. Despite being five years old, the vulnerability remains unpatched in many systems, increasing exploitation risks. Federal agencies must remediate it by July 28, 2025, per CISA’s directive. Organizations are urged to apply patches, follow mitigation guidance, or discontinue affected services. The alert underscores the persistent threat of older vulnerabilities and the need for proactive patch management.
    Read full article: Gbhackers
  • Critical Vulnerabilities in KIA Infotainment Let Attackers Inject Code with PNG Files
    Critical vulnerabilities in KIA vehicle infotainment systems allow attackers to execute malicious code via manipulated PNG files. The flaws stem from a buffer overflow in the image parsing library, enabling code injection when images are processed via USB, Bluetooth, or updates. Exploits grant system-level access, risking vehicle control (e.g., unlocking, starting), data theft, and CAN bus network infiltration. Tracked as CVE-2020-8539, the vulnerability highlights risks from poor file validation in integrated automotive systems. KIA issued firmware patches, urging users to update software and avoid untrusted media sources. This underscores growing cybersecurity challenges in connected vehicles.
    Read full article: Gbhackers
  • CISA Issues Alert Over Actively Exploited Flaw in Zimbra Collaboration Suite
    CISA issued a critical alert regarding an actively exploited SSRF vulnerability (CVE-2019-9621) in Synacor’s Zimbra Collaboration Suite (ZCS), allowing attackers to force servers into unauthorized requests, potentially enabling code execution or data theft. The flaw affects ZCS versions up to 8.6.0, 8.7.0–8.7.11, and 8.8.0–8.8.10. Evidence links exploitation to sophisticated threat actors, though ransomware ties remain unconfirmed. CISA mandated federal agencies and urged private organizations to apply patches by July 28, 2025, or discontinue use if unpatched. Failure to mitigate risks severe incidents like data breaches or operational disruption. The alert emphasizes urgent patching to counter evolving threats.
    Read full article: Gbhackers
  • Comodo Internet Security 2025 Flaws Allow Remote Code Execution with SYSTEM Privileges
    Critical vulnerabilities in Comodo Internet Security 2025 (version 12.3.4.8162) expose systems to SYSTEM-level remote code execution. Flaws include improper SSL certificate validation (CVE-2025-7095), enabling MITM attacks to deliver malicious updates; a path traversal vulnerability (CVE-2025-7098) allowing arbitrary file writes, such as to the Windows Startup folder; and insufficient manifest integrity checks (CVE-2024-7251) permitting unauthorized code execution. Exploits enable persistent malware deployment, privilege escalation, and full system control. Users are urged to patch immediately, enforce network protections against spoofing, and restrict update sources to official servers. These issues underscore risks in certificate validation and update security practices.
    Read full article: Gbhackers
  • Critical D-Link 0-click Vulnerability Allows Remote Attackers to Crash the Server
    A critical zero-click vulnerability (CVE-2025-7206) in D-Link DIR-825 Rev.B 2.10 routers allows remote attackers to crash the HTTP server via a stack-based buffer overflow. The flaw stems from improper handling of the “language” parameter in the switch_language.cgi endpoint, which writes untrusted input to NVRAM without validation. Exploitation requires no authentication, enabling denial-of-service by sending oversized language values and triggering subsequent ASP page requests. This disrupts VPNs, guest networks, and IoT management. Mitigations include applying firmware patches, restricting web interface access, and monitoring for abnormal POST requests. D-Link has yet to release an official fix.
    Read full article: Cybernews
  • IDE Extensions Like VSCode Allow Attackers to Bypass Trust Checks and Deliver Malware to Developer Systems
    OX Research uncovered critical security flaws in popular IDEs like VSCode, Visual Studio, IntelliJ IDEA, and Cursor, enabling attackers to bypass verification checks and distribute malicious extensions. By manipulating network requests and file values, researchers demonstrated how harmful extensions could appear “verified” (e.g., via Microsoft’s blue checkmark) while executing arbitrary code, such as unauthorized command execution. These vulnerabilities extend across platforms, exploiting weak validation processes to maintain trusted status despite malicious payloads. Attackers could distribute tainted extensions via platforms like GitHub, leveraging developer trust in community-shared tools. The findings highlight systemic risks in IDE extension ecosystems, urging vendors to strengthen validation and code scrutiny to prevent malware infiltration.
    Read full article: Gbhackers
  • Juniper Security Director Alert: Critical Flaw Allows Unauthenticated Access to Sensitive Resources
    A critical vulnerability (CVSS 9.6) in Juniper Security Director was disclosed, enabling unauthenticated attackers to bypass authentication and access sensitive resources. The flaw stems from missing authorization checks, potentially allowing unauthorized system access or data exposure. The report, dated July 11, 2025, highlights significant risks to network security, urging immediate patching. Full details of the vulnerability are restricted to paid supporters, limiting public accessibility. Juniper users are advised to apply updates promptly to mitigate exploitation risks. This flaw underscores ongoing challenges in securing network management platforms against authentication bypass threats.
    Read full article: Securityonline
  • Hackers Exploit IIS Machine Keys to Breach Organizations
    A threat group tracked as TGR-CRI-0045, linked to Gold Melody, exploited leaked ASP.NET Machine Keys to breach organizations in Europe and the U.S. between January and March 2025. Targeting sectors like finance and manufacturing, they used ASP.NET View State deserialization to execute malicious payloads in server memory via the __VIEWSTATE parameter, minimizing forensic traces. The group leveraged tools like ysoserial.net and custom binaries (e.g., “updf”) for command execution and privilege escalation. Attacks focused on initial access, with no observed lateral movement, suggesting intent to sell access. Researchers recommend securing Machine Keys, enabling View State MAC signing, and enhancing logging to detect such memory-based exploits.
    Read full article: Gbhackers
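The Laravel item above turns on one secret, APP_KEY, reaching a public place. The following is an added example, not code from the article or from GitGuardian, of a repository sweep a defender can run before pushing: it finds APP_KEY values in tracked text, checks they are well-formed (Laravel keys are "base64:" plus 16 or 32 raw bytes for AES-128/256-CBC), and checks whether .gitignore excludes .env at all. The sample file set is constructed; the key rotation advice reflects that values encrypted under the old key stop decrypting once it changes.

```python
import base64
import binascii
import re

# Constructed sample repository (not from the article): a committed .env with a
# usable key, an example file with a blank key, a doc with a malformed key, and
# a .gitignore that never excludes .env.
SAMPLE_FILES = {
    ".env": "APP_NAME=Shop\nAPP_KEY=base64:" + base64.b64encode(b"A" * 32).decode() + "\nAPP_DEBUG=true\n",
    ".env.example": "APP_KEY=\n",
    ".gitignore": "/vendor\n/node_modules\n",
    "docs/setup.md": "Set APP_KEY=base64:c2hvcnQ= before running migrations.\n",
}

# Matches APP_KEY=value, APP_KEY="value" or APP_KEY='value' anywhere in text.
APP_KEY_RE = re.compile(r"APP_KEY\s*=\s*['\"]?([^\s'\"]*)")


def classify_key(value: str) -> str:
    """Classify an APP_KEY value: empty, usable, wrong-length or malformed."""
    if not value:
        return "empty"
    if value.startswith("base64:"):
        try:
            raw = base64.b64decode(value[len("base64:"):], validate=True)
        except binascii.Error:
            return "malformed"
        return "usable" if len(raw) in (16, 32) else "wrong-length"
    # Legacy plain-text keys (pre-5.1 style) were 16 or 32 characters.
    return "usable" if len(value) in (16, 32) else "wrong-length"


def gitignore_covers_env(gitignore_text: str) -> bool:
    """True if some .gitignore rule excludes .env (plain, rooted or wildcard form)."""
    for line in gitignore_text.splitlines():
        rule = line.strip()
        if rule and not rule.startswith("#") and rule.lstrip("/") in (".env", ".env*", "*.env"):
            return True
    return False


def find_exposed_keys(files: dict[str, str]) -> list[dict]:
    """Report every usable APP_KEY found in repository text, with remediation."""
    env_ignored = gitignore_covers_env(files.get(".gitignore", ""))
    findings = []
    for path, text in files.items():
        for match in APP_KEY_RE.finditer(text):
            if classify_key(match.group(1)) == "usable":
                findings.append({
                    "path": path,
                    "env_ignored": env_ignored,
                    "action": "rotate with `php artisan key:generate`, purge history, "
                              "then re-encrypt values stored under the old key",
                })
    return findings
```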
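The Machine Key item above ends with three recommendations: secure the keys, keep View State MAC signing on, and log more. As an added example that is not the researchers' or Microsoft's code, the audit below reads a web.config and flags the settings those recommendations target: a disabled ViewState MAC (ignored by ASP.NET since the 2014 KB2905247 update, which enforces the MAC regardless, but still a sign of legacy hardening), static validation/decryption keys that must be treated as secrets and rotated if they were ever copied anywhere, and legacy validation or decryption algorithms. Both config fragments are constructed and the key values are placeholders; defaults assumed are the .NET 4.x ones.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragments (not from the article). The first disables the
# ViewState MAC and carries static keys with legacy algorithms; the second is the
# hardened counterpart with auto-generated keys.
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="false" />
    <machineKey validationKey="PLACEHOLDER-VALIDATION-KEY"
                decryptionKey="PLACEHOLDER-DECRYPTION-KEY"
                validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>"""

HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="true" />
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

LEGACY_VALIDATION = {"md5", "sha1", "3des"}
LEGACY_DECRYPTION = {"des", "3des"}


def audit_web_config(xml_text: str) -> list[str]:
    """Return findings about ViewState MAC and machineKey hardening gaps."""
    root = ET.fromstring(xml_text)
    findings = []
    # iter() avoids path handling of the dotted <system.web> element name.
    pages = next(root.iter("pages"), None)
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false: ViewState tampering would go undetected on "
                        "unpatched runtimes; set it to true")
    mk = next(root.iter("machineKey"), None)
    if mk is None:
        return findings  # keys are auto-generated; nothing static in this file to leak
    for attr in ("validationKey", "decryptionKey"):
        if not mk.get(attr, "AutoGenerate").startswith("AutoGenerate"):
            findings.append(f"static {attr}: treat as a secret and rotate if it was ever "
                            "pasted into docs, tickets or repositories")
    if mk.get("validation", "HMACSHA256").lower() in LEGACY_VALIDATION:
        findings.append(f"legacy validation={mk.get('validation')}: use HMACSHA256 or stronger")
    if mk.get("decryption", "Auto").lower() in LEGACY_DECRYPTION:
        findings.append(f"legacy decryption={mk.get('decryption')}: use AES")
    return findings
```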

In-Depth Expert CTI Analysis

State-sponsored cyber-espionage and ransomware operations dominated global threats, with Chinese groups like Silk Typhoon and Russian-linked actors targeting critical infrastructure, research, and diplomatic entities. Ransomware groups Scattered Spider and SafePay exploited third-party vulnerabilities, disrupting supply chains and retail sectors, while Iranian Pay2Key and new variants like Mamona highlighted evolving criminal-state alliances. Critical vulnerabilities in Citrix, Laravel, and IoT devices saw rapid exploitation, compounded by supply chain breaches via malicious extensions (ETHcode) and app store malware (Anatsa). Espionage campaigns leveraged AI-driven phishing and zero-day exploits, underscoring systemic risks from unpatched systems and insecure cloud configurations. These trends emphasize escalating cyber threats blending geopolitical objectives, criminal profit, and technical sophistication.

Proactive Defense and Strategic Foresight

Recent cyber incidents underscore the critical need for proactive defense and strategic foresight to counter evolving threats. State-sponsored actors like Silk Typhoon and Salt Typhoon exploit vulnerabilities in critical infrastructure and research sectors, emphasizing the necessity of robust patch management, zero-trust architecture, and third-party risk assessments. The resurgence of ransomware groups (SafePay, Scattered Spider) and novel attack vectors—AI-driven phishing, IoT botnets, and supply chain compromises—highlight the importance of behavioral analytics, cross-platform monitoring, and threat intelligence sharing. Organizations must prioritize adaptive security strategies, including continuous vulnerability remediation, secure-by-design development, and red-team simulations, to preemptively mitigate risks posed by both criminal and nation-state adversaries. Proactive investment in AI-driven detection and geopolitical threat modeling will be pivotal in navigating the escalating cyber landscape.

Evolving Ransomware and Malware Tactics

Ransomware and malware tactics continue evolving with increased sophistication, leveraging state-aligned actors, supply chain vulnerabilities, and AI-driven social engineering. Groups like Scattered Spider and SafePay exploit third-party credentials, encrypted data exfiltration, and modified LockBit variants to bypass defenses. State-sponsored actors, including Iranian Pay2Key and Chinese Salt Typhoon, blend cybercrime with geopolitical agendas via bulletproof hosting and hack-for-hire ecosystems. Malware campaigns increasingly abuse trusted platforms—Google Play Store apps, verified Chrome extensions—to deploy banking trojans and browser hijackers. RaaS models persist, while novel tactics like offline ransomware (Mamona) and AI-generated phishing evade detection. Critical vulnerabilities in Citrix, Laravel, and IoT devices are rapidly weaponized, underscoring the need for proactive patching and cross-channel security integration.

State-Sponsored and Organized Cybercrime Convergence

The convergence of state-sponsored and organized cybercrime is escalating, evidenced by Chinese groups like Silk Typhoon targeting vaccine research, Russian ransomware actors negotiating ransoms, and Iranian operations like Pay2Key blending profit with geopolitical objectives. State-aligned actors increasingly adopt criminal tactics—ransomware, supply chain attacks, and credential theft—while cybercriminals leverage state resources for scale and impunity. Leaked contracts tie Chinese private firms to PLA cyber-espionage, while Russian arrests for “cyber treason” mask wartime propaganda. Sanctions against Aeza Group and arrests of Scattered Spider members highlight global efforts to disrupt this nexus, yet jurisdictional limits and encrypted ecosystems persist. This symbiosis demands enhanced cross-border collaboration, intelligence-sharing, and adaptive defenses to counter evolving hybrid threats.

Operational and Tactical Implications

The operational landscape reflects heightened risks from state-sponsored cyber-espionage (e.g., Silk Typhoon, Salt Typhoon) targeting critical sectors, necessitating robust APT detection and cross-sector intelligence sharing. Tactically, ransomware groups (Scattered Spider, SafePay) exploit third-party vulnerabilities and social engineering, demanding enhanced supply chain audits and MFA enforcement. The rise of AI-driven phishing and deepfakes requires integrated, cross-channel security strategies. Cloud misconfigurations (TalentHook, Rockerbox) and IoT botnets (RondoDox) underscore the urgency of strict access controls and firmware updates. Law enforcement disruptions (Aeza sanctions, arrests) highlight the need for global collaboration, while evolving malware (Mamona, macOS.ZuRu) emphasizes behavior-based detection over signature reliance.

Forward-Looking Recommendations

  • Enhance supply chain security by enforcing strict third-party vendor assessments, multi-factor authentication, and continuous monitoring of privileged access to mitigate risks from compromised credentials and lateral movement.
  • Prioritize patching of critical vulnerabilities (e.g., Citrix NetScaler, Laravel, ServiceNow) and adopt zero-trust architectures to limit exploitation of legacy systems and exposed services.
  • Implement AI-driven threat detection and cross-channel security frameworks to counter evolving AI-generated phishing, deepfakes, and multi-platform social engineering campaigns.
  • Strengthen cloud infrastructure with mandatory encryption, least-privilege access controls, and automated audits to prevent misconfigured storage buckets and unauthorized data exposure.
  • Invest in ransomware resilience through offline backups, network segmentation, and proactive threat hunting to disrupt encryption, data exfiltration, and C2 communications.
  • Expand collaboration with law enforcement and intelligence-sharing platforms to track state-aligned APTs, cybercriminal affiliates, and emerging TTPs in real time.

Additional Resources & Contact

VerSprite on LinkedIn

VerSprite on Twitter

Email VerSprite

Subscribe for Our Updates
