VerSprite Weekly Threat Intelligence
Date Range: 14 July 2025 – 18 July 2025
Issue: 23rd Edition
Reported Period Victimology (chart not reproduced in this text version)
Security Triumphs of the Week
This week saw significant global cybersecurity victories, with international law enforcement dismantling ransomware groups (Diskstation, NoName057(16)), disrupting botnets (BadBox 2.0), and arresting threat actors linked to ransomware (Kasatkin, Vardanyan) and fraud networks. Coordinated operations across 12+ countries highlighted cross-border collaboration, while Google’s legal action and PyPI/Arch Linux’s malicious package removals underscored supply chain vulnerabilities. Insider threats and AI-driven scams were countered via proactive measures like Operation Chakra-V and judicial penalties for infrastructure abuse. These efforts emphasize evolving strategies to combat cybercrime’s transnational nature, balancing technical defenses, legal frameworks, and global cooperation.
- Google Sues BadBox 2.0 Botnet Operators Behind 10 million+ Infected Devices
Google has filed a lawsuit against operators of the BadBox 2.0 botnet, which infected over 10 million uncertified Android-based devices (e.g., smart TVs) via pre-installed malware during manufacturing. The botnet exploited vulnerabilities in open-source Android systems lacking Google’s security features, enabling ad fraud, DDoS attacks, and traffic anonymization. Google’s Ad Traffic Quality team detected anomalies, prompting updates to Google Play Protect to block malicious apps and disrupt the network. Legal action under CFAA and RICO targets the criminal syndicate’s infrastructure and revenue streams, supported by FBI alerts on the botnet’s tactics. The case underscores risks in IoT supply chains and the need for global security standards.
Read full article: Gbhackers
- French cops cuff Russian pro basketball player on ransomware charges
Daniil Kasatkin, a 26-year-old Russian professional basketball player, was arrested in France on June 21 and faces U.S. extradition for allegedly acting as a ransomware gang negotiator. The group reportedly targeted 900 organizations, including U.S. federal agencies, between 2020 and 2022. Kasatkin’s lawyers deny the charges, claiming he lacks technical skills and purchased a compromised second-hand computer. The Russian embassy alleges restricted access to him, while his legal team argues delayed evidence review harms his case. Kasatkin, formerly with MBA Moscow and Penn State, risks career disruption if detained longer. U.S. authorities have not yet publicly disclosed evidence supporting the charges.
Read full article: Theregister
- Authorities Take Down ‘Diskstation’ Ransomware Gang Targeting Synology NAS Globally
Authorities in Italy, France, and Romania, supported by Europol, dismantled the “Diskstation” ransomware gang targeting Synology NAS systems globally. The operation, led by Milan’s Cybersecurity Operations Center, followed attacks on Lombardy-based businesses, causing production shutdowns and ransom demands. Forensic and blockchain analysis traced the criminals, leading to arrests of Romanian nationals, including a 44-year-old suspect in pretrial detention. The gang exploited Synology NAS vulnerabilities to encrypt organizational data, impacting diverse sectors like graphic design, film production, and NGOs. Coordinated international efforts uncovered cross-border operations, highlighting the need for global collaboration against cybercrime.
Read full article: Gbhackers
- Europol Says it Disrupted a Major Pro-Russian DDoS Crime Gang
A joint international operation led by Europol and Eurojust disrupted the pro-Russian cybercrime group NoName057(16), responsible for DDoS attacks against Ukrainian and NATO-aligned targets. Operation Eastwood involved 12 countries, resulting in two arrests, 24 property searches, 100 disrupted servers, and the takedown of core infrastructure. The group targeted critical sectors like banking, defense, transportation, and energy across Europe. Recent attacks expanded to Ukraine’s allies, with Germany reporting 250 entities hit in 14 attack waves. Law enforcement notified over 1,000 supporters of legal consequences. This operation highlights ongoing efforts to counter cyber threats linked to geopolitical conflicts.
Read full article: Techradar
- 14 Hackers Arrested in Massive Tax Fraud Scheme, Authorities Confirm
Authorities arrested 14 individuals in a UK-Romania operation targeting a tax fraud network that stole personal data via phishing to file fraudulent claims exceeding £1 million. Thirteen suspects were detained in Romania, and one in England, facing charges like computer fraud and money laundering. The scheme exploited digital vulnerabilities to submit fake PAYE, VAT, and Child Benefit claims. Joint efforts by Romanian police, HMRC, and CPS highlighted cross-border collaboration, with electronic devices seized and ongoing investigations. Previous arrests in Bucharest indicate prolonged tracking of the group. HMRC urged public vigilance and reported minimal account breaches, emphasizing international cooperation to combat evolving cybercrime tactics.
Read full article: Gbhackers
- France Nabs Russian Basketball Player in Ransomware Probe
French authorities arrested Russian basketball player Daniil Kasatkin in June 2025 for alleged involvement in ransomware operations. U.S. authorities accuse Kasatkin of acting as a negotiator for a ransomware group targeting 900 organizations, including U.S. federal agencies, between 2020 and 2022. A Paris court held an extradition hearing, granting U.S. prosecutors 60 days to submit evidence. Kasatkin denies charges, claiming his computer was hacked, and his lawyer argues he lacks technical expertise. The Russian Embassy is seeking consular access. The case highlights challenges in prosecuting cybercriminals operating from countries like Russia, where state protection often impedes international law enforcement efforts.
Read full article: Bankinfosec
- Extradited Armenian Tied to Ryuk Ransomware Faces US Trial
Karen Serobovich Vardanyan, an Armenian national extradited from Ukraine, faces a U.S. trial for allegedly aiding Ryuk ransomware attacks. Charged with conspiracy, fraud, and extortion, he pleaded not guilty and faces up to five years per charge if convicted. The FBI accuses him of identifying network vulnerabilities for Ryuk affiliates, leading to over $15 million in ransom payments via 1,610 bitcoins. Three co-conspirators—Levon Avetisyan (arrested in France) and two Ukrainians at large—were also charged. Ryuk, active until rebranding as Conti in 2020, targeted global entities, including governments and corporations. The case highlights international efforts to combat ransomware groups, with Ukrainian police aiding in arrests and seizures.
Read full article: Bankinfosec
- PyPI Blocks Inbox.ru Domains After 1,500+ Fake Package Uploads
PyPI blocked inbox.ru email domains following a campaign that created 250+ fraudulent accounts uploading 1,500+ empty packages, causing user confusion and security concerns. The fake projects, lacking functional code, exploited PyPI’s namespace, potentially enabling typosquatting or supply chain attacks. Attackers used automated scripts to rapidly create accounts and upload packages, peaking at 740 on June 30. PyPI removed all malicious projects and accounts, highlighting its reliance on blocklists and community reports to combat abuse. The incident underscores risk from AI-generated code recommendations, as a user was misled by a non-existent package suggestion. This emphasizes the need for user vigilance and enhanced repository monitoring to prevent namespace pollution and malware distribution.
Read full article: Gbhackers
- Arch Linux pulls AUR packages that install Chaos RAT malware
Arch Linux removed three malicious packages from the Arch User Repository (AUR) that installed the Chaos RAT malware. Uploaded by user “danikpapas” on July 16, the packages (“librewolf-fix-bin,” “firefox-patch-bin,” and “zen-browser-patched-bin”) referenced a GitHub repository hosting malicious code executed during installation. The malware enabled remote access, command execution, and data theft via a command-and-control server. The AUR lacks formal review processes, relying on user vigilance. Arch Linux removed the packages by July 18 and urged affected users to check for and delete the “systemd-initd” executable. The incident underscores risk in community-driven repositories.
Read full article: Bleepingcomputer
- CBI Uncovers Noida Tech Support Scam Targeting Victims in UK and Australia
The CBI dismantled a Noida-based tech support scam targeting UK and Australian victims through Operation Chakra-V. The syndicate impersonated legitimate tech support teams, using phishing, fake security alerts, and social engineering to extort funds via untraceable payments. Coordinated raids on July 7, 2025, uncovered live fraudulent operations, advanced VoIP infrastructure, and AI-driven tools to mask their identity. Collaboration with the FBI, UK NCA, and Microsoft enabled digital footprint analysis, leading to evidence seizure and an arrest. The operation highlights enhanced cross-border cooperation and proactive measures against cyber-enabled fraud, emphasizing digital forensics and global accountability. This crackdown disrupts transnational cybercrime networks, safeguarding victims and reinforcing cybersecurity governance.
Read full article: Gbhackers
- British Citizen Sentenced for Islamophobic WiFi Hack at UK Train Stations
British citizen John Andreas Wik received a 24-month suspended sentence for hacking free WiFi landing pages at UK train stations to spread Islamophobic content in September 2024. Redirected users encountered hateful messages referencing terrorist attacks, sparking public fear. Wik, then an employee of Global Reach Technology, abused his access to modify pages via company credentials. The investigation revealed premeditated intent to incite religious hatred. Alongside the suspended term, he must complete unpaid work, rehabilitation, and a victim surcharge. The case highlights risk of insider threats and the legal system’s stance against weaponizing digital platforms for hate. Authorities emphasized vigilance in securing public-facing infrastructure.
Read full article: Gbhackers
Security Setbacks of the Week
State-backed cyber threats escalated as Chinese groups Salt Typhoon and others breached US infrastructure and Taiwan’s semiconductor sector, while Iranian actors targeted US water systems, signaling heightened geopolitical cyber risks. Healthcare and retail sectors faced massive breaches, exposing millions of sensitive records, with ransomware and phishing campaigns exploiting vulnerabilities in critical systems. Hypervolumetric DDoS attacks surged, alongside exploitation of zero-day vulnerabilities in Citrix, Ivanti, and Wing FTP, underscoring the urgent need for patching and adaptive defenses against evolving nation-state and criminal tactics.
- Chinese hackers were able to breach US National Guard and stay undetected for months
Chinese state-backed hackers, Salt Typhoon, infiltrated US National Guard networks undetected for nine months (March–December 2024), stealing sensitive data including administrator credentials, network diagrams, and service members’ personal information. The breach exposed communications between states and territories, risking broader government/military compromises. The group exploited vulnerabilities in Cisco routers, deploying custom malware like JumblePath. Linked to other “Typhoon” entities, their campaign aimed to establish persistent access to critical US infrastructure, potentially enabling disruption during geopolitical crises, such as tensions over Taiwan. Salt Typhoon has previously targeted telecom giants and critical infrastructure, highlighting systemic risks from unpatched systems.
Read full article: Techradar
- Iranian Threat Actors Target U.S. Critical Infrastructure, Including Water Systems
Iranian state-backed cyber actors, particularly Intelligence Group 13 under the IRGC’s Shahid Kaveh Cyber Group, are intensifying attacks on U.S. critical infrastructure, including water systems. The group employs advanced APT tactics, phishing, and custom malware to infiltrate industrial control systems (ICS), aiming to disrupt services and amplify psychological impact through propaganda channels like CyberAveng3rs. Operations are coordinated with IRGC entities (EWCD, Quds Force) and contractors, enabling deniable attacks via front companies such as Ayandeh Sazan Sepehr Aria. Recent incidents, like the Aliquippa water system breach, demonstrate efforts to pre-position malware for future sabotage. The group blends technical aggression with ideological narratives, signaling heightened risks to U.S. and allied infrastructure, necessitating defenses against both cyber intrusions and disinformation campaigns.
Read full article: Gbhackers
- Hackers Launched Massive DDoS Attack with 7.3 Tbps and 4.8 billion Packets Per Second
Cloudflare mitigated record-breaking DDoS attacks in Q2 2025, including a 7.3 Tbps and 4.8 Bpps assault, marking a surge in hyper-volumetric attacks. Attacks exceeding 100 million pps rose 592% quarterly, while HTTP DDoS attacks spiked 129% year-over-year. Key targets included telecommunications, internet services, IT, gaming, and gambling sectors. Emerging threats exploited legacy protocols (DNS, SYN floods) and VM-based botnets, 5,000x stronger than IoT variants. Ransom DDoS incidents increased 68%, with geopolitical motives observed, such as strikes on media during Pride Month. Cloudflare emphasized autonomous defenses like real-time fingerprinting and adaptive cloud-based mitigation to counter evolving threats.
Read full article: Gbhackers
- China-Backed Hackers Intensify Attacks on Taiwan Chipmakers
Chinese state-aligned hackers escalated cyberespionage campaigns against Taiwan’s semiconductor sector between March and June 2025, targeting manufacturers, supply chain firms, and financial analysts. Three groups—UNK_FistBump, UNK_DropPitch, and UNK_SparkyCarp—used spear-phishing to deploy malware like Cobalt Strike, Voldemort, and HealthKick. UNK_FistBump impersonated job seekers via compromised university emails, while UNK_DropPitch focused on investment professionals with fake firms. UNK_SparkyCarp employed fake login portals to steal credentials. The attacks align with China’s strategic push for semiconductor self-sufficiency amid global export controls. Proofpoint links the activity to China’s economic initiatives, highlighting Taiwan’s critical role in global chip supply chains and financial markets.
Read full article: Bankinfosec
- UK’s Co-op Retailer Hit by Cyberattack, 6.5 million Members’ Data Exposed
The UK’s Co-op retailer suffered a major cyberattack in April 2024, exposing personal data of all 6.5 million members, including names, addresses, and contact information. CEO Shirine Khoury-Haq confirmed the breach, emphasizing its emotional toll on staff and members, though financial data remained secure. Law enforcement arrested four suspects linked to the attack and breaches at other retailers, with charges including blackmail and organized crime. Co-op’s IT team contained the breach, provided evidence to authorities, and is restoring systems. The retailer partnered with The Hacking Games initiative to recruit cybersecurity talent through schools, aiming to deter future cybercrime. This incident underscores persistent cybersecurity risks in retail despite preventive efforts.
Read full article: Gbhackers
- Major breach at medical billing giant sees data on 5.4 million users stolen – here’s what we know
Episource, a U.S. healthcare data firm, experienced a cyberattack between January 27 and February 6, 2025, compromising sensitive data of 5.4 million individuals. Stolen information included health records, insurance IDs, Social Security numbers, diagnoses, treatments, and personal details. The breach was detected on February 6, prompting network shutdowns, third-party forensic investigations, and law enforcement involvement. Episource confirmed the incident in filings with U.S. health authorities and began notifying affected users by late April 2025. The company warned of heightened risks of phishing, identity theft, and scams due to the highly sensitive nature of the stolen data. Healthcare organizations remain prime targets for cybercriminals exploiting such data for fraud.
Read full article: Techradar
- Texas Drug, Alcohol Testing Firm Hack Affects Nearly 750,000
A Texas-based drug and alcohol testing firm, The Alcohol & Drug Testing Service (TADTS), disclosed a July 2024 cyberattack affecting 748,763 individuals, including sensitive data like Social Security numbers, financial details, and biometric information. The BianLian cybercrime group claimed responsibility. TADTS reported the breach to regulators and law enforcement and implemented security upgrades, though no fraud has been confirmed. This follows a similar 2024 breach at DISA Global Solutions, impacting 3.3 million individuals. Both incidents face potential class-action lawsuits alleging inadequate data protection. TADTS’ breach highlights vulnerabilities in third-party testing firms handling sensitive government-mandated data.
Read full article: Bankinfosec
- Seychelles Commercial Bank Confirms Customer Data Breach
Seychelles Commercial Bank confirmed a data breach exposing personal information of internet banking customers, including names, emails, phone numbers, and account details. A hacker, “ByteToBreach,” claimed responsibility, exploiting a vulnerability in Oracle WebLogic Server and stealing 2.2 GB of data, later sold on Dark Forums. The attacker accessed decryption keys from the bank’s IT environment, enabling partial decryption of sensitive data. The bank suspended online services, initiated an investigation with authorities, and assured no financial theft occurred. The hacker attempted extortion by contacting customers directly, alleging a cover-up. The breach raises concerns due to Seychelles’ status as a tax haven, potentially mirroring high-profile leaks like the Panama Papers.
Read full article: Bankinfosec
- Dermatology, Imaging Hacks Expose 3.3 million Patients’ PHI
Two major healthcare data breaches in 2025 exposed over 3.3 million patients’ protected health information. Anne Arundel Dermatology reported a breach affecting 1.9 million individuals due to a three-month network server hack (February-May 2025), compromising names, medical data, and insurance details. Radiology Associates of Richmond disclosed a 2024 incident impacting 1.42 million patients, with unauthorized access to systems exposing Social Security numbers and health records. Both breaches rank among the top five health data incidents reported to HHS in 2025. Multiple class-action lawsuits allege negligence in safeguarding patient data, though neither entity confirmed data misuse. The incidents highlight persistent cybersecurity risks in healthcare networks handling sensitive information.
Read full article: Bankinfosec
- Email Hack Affects at Least 24 Cancer Care Practices
A phishing attack targeting Integrated Oncology Network (ION), owned by Cardinal Health, compromised email and SharePoint accounts in December 2024, affecting 24 cancer care practices across 12 states and exposing data of nearly 123,000 patients. Breached information included sensitive details like names, diagnoses, treatment data, and Social Security numbers. ION notified affected practices by June 2025, with HHS OCR listing 24 entities reporting the incident. The breach represents nearly a quarter of major email-related healthcare breaches in 2025. Experts emphasize enhanced phishing training, layered security, and proactive defense strategies to counter AI-driven threats. Healthcare organizations are urged to adopt zero-trust approaches and automate incident response.
Read full article: Bankinfosec
- Threat Actors Exploit Ivanti Connect Secure Flaws to Deploy Cobalt Strike Beacon
Threat actors exploited Ivanti Connect Secure vulnerabilities (CVE-2025-0282, CVE-2025-22457) from December 2024 to July 2025 to deploy MDifyLoader and Cobalt Strike Beacon. Attackers used DLL hijacking, RC4 encryption, and obfuscation to inject malware, leveraging tools like vshell (a multi-platform RAT) and Fscan for reconnaissance. Post-compromise activities included credential harvesting via brute-force attacks, lateral movement using MS17-010, and persistence via scheduled tasks or Windows services. Evasion tactics involved masquerading as legitimate files, ETW bypass, and encrypted C2 channels. JPCERT/CC warns of continued attacks, urging organizations to patch vulnerabilities and monitor VPN appliances.
Read full article: Gbhackers
- Hackers Actively Exploited CitrixBleed 2 Flaw Ahead of PoC Disclosure
Threat actors exploited the critical CitrixBleed 2 vulnerability (CVE-2025-5777) in Citrix NetScaler appliances two weeks before its public proof-of-concept (PoC) release on July 4, 2025. Initial attacks began on June 23, with targeted exploitation traced to Chinese IPs, suggesting advanced persistent threat or nation-state involvement. GreyNoise detected early activity, and CISA confirmed exploitation by July 9, adding it to the Known Exploited Vulnerabilities catalog. Attackers focused on reconnaissance-driven targeting rather than broad scans, highlighting heightened sophistication. Organizations are urged to patch immediately, deploy dynamic IP blocking, and monitor for compromise indicators to mitigate risks.
Read full article: Gbhackers
- Wing FTP Vulnerability Actively Exploited Globally
A critical vulnerability (CVE-2025-47812, CVSS 10.0) in Wing FTP Server is being actively exploited globally, enabling remote code execution via null byte injection in usernames. Attackers bypass authentication to inject malicious Lua code into session files, executing commands with system/root privileges. Over 5,000 servers with exposed web interfaces are at risk, primarily in the U.S., China, Germany, the U.K., and India. Exploits involve downloading malware via tools like certutil, detected as Trojan:Win32/Ceprolad.A. Public proof-of-concept code and weak credentials heighten risks. Users must upgrade to version 7.4.4, audit logs for anomalies, and monitor for unauthorized accounts like “wingftp.”
Read full article: Bankinfosec
The New Emerging Threats
Emerging cyber threats showcase adversaries’ increasing sophistication in evading detection through obfuscation, trusted protocols, and social engineering. Supply chain attacks (malicious npm packages), DNS tunneling, and QR code phishing exploit overlooked vectors, while AI-enhanced Iranian APT campaigns and SquidLoader variants target critical infrastructure with stealth. Crypto-jacking and AsyncRAT variants blend psychological tactics with technical evasion, and protestware highlights open-source ecosystem vulnerabilities. Attackers increasingly abuse legitimate platforms (Vercel, Google) and multimedia formats (WAV, PDFs) to bypass defenses. Persistent innovation in malware delivery, infrastructure reuse, and cross-platform adaptability underscores the need for behavioral analysis, DNS monitoring, and proactive dependency audits to mitigate evolving risks.
- Hackers Abuse DNS Blind Spots to Stealthily Deliver Malware
Cybersecurity researchers identified a method where hackers exploit DNS TXT records to covertly distribute malware by splitting files into hexadecimal segments stored across multiple domains. This technique bypasses traditional defenses, allowing attackers to reassemble malicious payloads via DNS requests. Evidence from 2021-2022 shows malware like “Joke Screenmate” and encoded PowerShell scripts (linked to Covenant C2 infrastructure) being delivered through domains such as “felix.stf.whitetreecollective[.]com” and “drsmitty[.]com.” The activity, traced back to 2017, highlights abuse of DNS infrastructure for persistence and for undetected data storage and retrieval. Organizations are urged to enhance DNS monitoring to detect anomalous TXT record patterns and suspicious domain behaviors.
Read full article: Gbhackers
- New QR Code Attacks Through PDFs Bypass Detection and Steal Credentials
A sophisticated phishing campaign dubbed “Scanception” uses QR codes embedded in PDFs to bypass security controls and steal credentials. Attackers send emails mimicking enterprise communications, directing users to scan QR codes that lead to malicious sites via trusted platforms like Google or YouTube, evading detection. Over 600 unique phishing PDFs were identified, with 80% undetected on VirusTotal. The campaign employs adversary-in-the-middle tactics to intercept credentials and MFA codes, targeting sectors globally, including healthcare, finance, and tech. Multi-page PDFs and evasion techniques complicate static analysis. Security teams are advised to enhance awareness training and monitor for anomalous redirects.
Read full article: Gbhackers
- North Korea Floods NPM Registry with Malware
North Korean threat actors intensified software supply chain attacks by uploading 67 malicious packages to the npm Registry, targeting JavaScript developers through the ongoing Contagious Interview campaign. The packages, downloaded over 17,000 times, deployed XORIndex and HexEval malware loaders to steal sensitive data like cryptocurrency wallets and browser credentials. XORIndex employs advanced obfuscation and collects system telemetry, exfiltrating data via legitimate platforms like Vercel. The attack chain progresses through stages, including BeaverTail for data harvesting and the InvisibleFerret backdoor for persistent access. Campaign tactics include reused infrastructure, rapid account aliasing, and memory-only execution to evade detection. Researchers warn of continued evolution in tools and techniques, emphasizing persistent threats to open-source ecosystems.
Read full article: Bankinfosec
- New Veeam-Themed Phishing Attack Uses Weaponized WAV File to Target Users
A new phishing campaign impersonates Veeam Software, using voicemail-themed emails with weaponized WAV file attachments to distribute malware. Attackers exploit trust in Veeam’s backup solutions, claiming expired licenses to create urgency. The WAV files, disguised as voicemails, may conceal malicious scripts via steganography, leveraging vulnerabilities in media players for remote code execution or ransomware deployment. The campaign employs a spray-and-pray approach, targeting both affiliated and non-affiliated users for scalability. Multimedia formats like WAV bypass traditional email security filters, which often prioritize scanning executable files. Organizations are advised to enhance email security with advanced threat detection, user education, and multi-factor authentication. This attack highlights evolving tactics blending social engineering with technical exploits.
Read full article: Gbhackers
- New Surge of Crypto-Jacking Hits Over 3,500 Websites
A new crypto-jacking campaign has infected over 3,500 websites using stealthy JavaScript miners, evading detection through advanced obfuscation and throttled CPU usage to avoid performance spikes. Unlike earlier resource-heavy attacks, this campaign employs Web Workers and WebSockets for low-profile mining, leveraging compromised sites to deploy multistage payloads linked to prior Magecart infrastructure. The scripts probe device capabilities, execute parallel mining tasks, and communicate with command-and-control servers, blending malicious traffic within legitimate protocols. Cybersecurity experts warn of its persistence and recommend enhanced defenses like stricter Content Security Policies and AI-driven traffic analysis. This resurgence highlights crypto-jacking’s evolution into a subtle, long-term threat within modern web ecosystems.
Read full article: Gbhackers
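The item above recommends stricter Content Security Policies against in-browser miners, which need three things the policy can deny: script execution from injected or inline sources, Web Workers spawned from in-page code, and WebSocket or fetch connections to arbitrary hosts. The following is an added example, not code from the article or from the researchers it cites: it parses a CSP header, applies the CSP3 fallback rules (worker-src falls back to child-src, then script-src, then default-src; connect-src and script-src fall back to default-src) and reports the sources that would leave those capabilities open. The two sample policies are constructed for illustration.

```python
"""Audit a Content-Security-Policy header for the capabilities an in-browser
miner needs (added example, not from the article): script execution from
arbitrary or inline sources, Web Workers spawned from in-page code, and
WebSocket/fetch connections to arbitrary hosts. Directive fallback rules
follow the CSP3 specification; the two sample policies are constructed.
"""

# Constructed sample policies: a permissive one and a tightened one.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https:; connect-src *"
STRICT_CSP = ("default-src 'self'; script-src 'self'; "
              "worker-src 'self'; connect-src 'self'")

# CSP3 fallback order for the directives that matter here.
FALLBACK = {
    "script-src": ("script-src", "default-src"),
    "worker-src": ("worker-src", "child-src", "script-src", "default-src"),
    "connect-src": ("connect-src", "default-src"),
}
# Sources that match any host: '*' and bare scheme sources.
BROAD = {"*", "http:", "https:", "ws:", "wss:"}


def parse_csp(header):
    """Split a CSP header into {directive: [source, ...]}, lower-cased."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def effective_sources(policy, directive):
    """Sources that actually govern `directive` after fallback; None if unrestricted."""
    for name in FALLBACK[directive]:
        if name in policy:
            return policy[name]
    return None


def audit_csp(header):
    """Return human-readable findings; an empty list means no weakness found."""
    policy = parse_csp(header)
    findings = []
    for directive in FALLBACK:
        srcs = effective_sources(policy, directive)
        if srcs is None:
            findings.append(f"{directive}: unrestricted (no directive and no default-src)")
            continue
        broad = sorted(s for s in srcs if s in BROAD)
        if broad:
            findings.append(f"{directive}: wildcard sources {broad} allow any host")
        if directive == "script-src":
            for kw in ("'unsafe-inline'", "'unsafe-eval'"):
                if kw in srcs:
                    findings.append(f"script-src: {kw} lets injected inline script run")
        if directive == "worker-src":
            for s in ("blob:", "data:"):
                if s in srcs:
                    findings.append(f"worker-src: {s} lets page script spawn workers from generated code")
    return findings


if __name__ == "__main__":
    for label, csp in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(f"{label}: {csp}")
        for finding in audit_csp(csp) or ["no findings"]:
            print("  -", finding)
```

Run against a site's real header, the weak sample produces four findings (two for script-src, one each for the inherited worker-src and the wildcard connect-src), and the tightened policy none; the `worker-src` result shows why a policy that only sets `script-src` still needs checking, since workers inherit whatever script-src allows.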
- Iranian Threat Actors Use AI-Generated Emails to Target Cybersecurity Researchers and Academics
Iranian state-backed APT groups, including APT35 and APT33, have intensified cyber operations targeting U.S. and European entities, leveraging AI-enhanced phishing campaigns against cybersecurity researchers and academics. APT35 employs hyper-realistic, AI-generated emails impersonating industry leaders to build trust and evade detection, while APT33 focuses on OT disruption using wiper malware. Pro-Iranian hacktivists amplify attacks via DDoS on financial and municipal systems, alongside ICS scanning and dark web propaganda. Recent alerts highlight vulnerabilities in critical infrastructure, particularly energy, defense, and utilities, with risks of sabotage via compromised industrial protocols. Defensive measures include OT network segmentation, advanced phishing detection, and real-time monitoring of threat intelligence.
Read full article: Gbhackers
- Hackers Use DNS Queries to Evade Defenses and Exfiltrate Data
Cybercriminals are leveraging DNS tunneling to bypass security controls and exfiltrate data by encoding information within DNS queries and responses. This method exploits typically underinspected DNS traffic to establish covert communication channels for command-and-control (C2) operations. Attackers compromise domain name servers, deploying malware that exchanges encoded instructions via DNS lookups, enabling actions like credential theft or file manipulation. Tools such as DNSCat2, Sliver, and DNS Exfiltrator utilize diverse DNS record types (A, TXT, CNAME) to mask malicious traffic. Organizations are countering with enhanced monitoring of query patterns and specialized detection systems, though balancing security with DNS functionality remains challenging. The trend underscores the need to secure foundational protocols against evolving threats.
Read full article: Gbhackers
- SquidLoader Deploys Stealthy Malware with Near-Zero Detection to Evade Security Measures
A new SquidLoader variant targets Hong Kong financial institutions with advanced stealth, achieving near-zero detection via anti-analysis techniques and multi-stage obfuscation. It deploys via Mandarin-language phishing emails with password-protected RAR attachments, masquerading as legitimate documents. The malware evades analysis using anti-debugging, process blacklisting, and novel anti-emulation tactics like delayed APC execution. It mimics Kubernetes traffic to contact C2 servers, deploying Cobalt Strike Beacons for remote access. Campaigns with similar low-detection samples target Singapore, China, and Australia, using tailored phishing lures. Financial entities are urged to monitor IOCs and prioritize behavioral defenses against this evolving threat.
Read full article: Gbhackers
- Threat Actors Deploy 28+ Malicious Packages to Spread Protestware Scripts
Socket’s Threat Research Team identified 28+ malicious npm packages deploying protestware targeting Russian/Belarusian domains, disrupting UI interactions and playing the Ukrainian anthem. The scripts activate after a 3-day delay for repeat visitors, leveraging language and domain checks. Originating from the widely used SweetAlert2 library, the code spread via dependencies, affecting unrelated projects through unvetted code reuse. Over 2,000 instances were found, impacting packages with thousands of downloads, highlighting supply chain risks. This protestware underscores vulnerabilities in open-source ecosystems, urging developers to audit dependencies and adopt proactive threat detection tools.
Read full article: Gbhackers
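The npm items above (the Contagious Interview loaders and the protestware that spread through an unrelated library's dependency tree) both close with the same recommendation to audit dependencies. The following is an added example, not code from either article or from Socket's tooling: given an npm lockfile (v2/v3 layout, a `packages` map keyed by install path, where a dependency resolves to the nearest enclosing `node_modules` entry), it prints every chain by which a watch-listed package reaches the project, including nested copies of a different version, and lists packages that run install-time scripts (`hasInstallScript` in the lockfile). The lockfile and every package name and version in it are constructed for the example.

```python
"""Trace how a watch-listed npm package reaches a project, and list packages
that run install-time scripts (added example, not the article's or Socket's
tooling). Reads the npm lockfile v2/v3 layout: a "packages" map keyed by
install path, where each dependency resolves to the nearest enclosing
node_modules entry. The lockfile below is constructed; the package names
and versions in it are not real.
"""
import json

SAMPLE_LOCK = {
    "name": "sample-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "sample-app",
             "dependencies": {"ui-kit": "^2.0.0", "left-pad-ish": "^1.0.0"}},
        "node_modules/ui-kit": {
            "version": "2.3.1",
            "dependencies": {"flagged-pkg": "^11.0.0", "native-helper": "^0.1.0"}},
        "node_modules/flagged-pkg": {"version": "11.6.0"},
        "node_modules/left-pad-ish": {
            "version": "1.0.0", "dependencies": {"flagged-pkg": "^10.0.0"}},
        # nested copy because left-pad-ish pins an older major version
        "node_modules/left-pad-ish/node_modules/flagged-pkg": {"version": "10.9.0"},
        # hasInstallScript is the lockfile's marker for preinstall/install/postinstall hooks
        "node_modules/native-helper": {"version": "0.1.0", "hasInstallScript": True},
    },
}


def pkg_name(path):
    """Package name from an install path (handles scoped @org/name)."""
    return path.split("node_modules/")[-1]


def resolve(packages, from_path, name):
    """Node-style resolution: nearest node_modules/<name> walking up from from_path."""
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{name}" if base else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if not base:
            return None
        cut = base.rfind("/node_modules/")
        base = base[:cut] if cut != -1 else ""


def dependency_paths(lock, target):
    """Every root-to-target chain as ["(root)", "name@version", ...]."""
    packages = lock["packages"]
    found = []

    def walk(path, chain, seen):
        pkg = packages.get(path, {})
        label = "(root)" if not path else f"{pkg_name(path)}@{pkg.get('version', '?')}"
        chain = chain + [label]
        if path and pkg_name(path) == target:
            found.append(chain)
            return
        deps = {**pkg.get("dependencies", {}), **pkg.get("devDependencies", {})}
        for dep in sorted(deps):
            nxt = resolve(packages, path, dep)
            if nxt and nxt not in seen:            # skip cycles
                walk(nxt, chain, seen | {nxt})

    walk("", [], frozenset())
    return found


def install_script_packages(lock):
    """Install paths of packages that run scripts during `npm install`."""
    return sorted(p for p, meta in lock["packages"].items() if meta.get("hasInstallScript"))


def audit(lock, watchlist):
    """Combine both checks for a set of watch-listed package names."""
    return {"paths": {name: dependency_paths(lock, name) for name in watchlist},
            "install_scripts": install_script_packages(lock)}


if __name__ == "__main__":
    import sys
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    print(json.dumps(audit(lock, ["flagged-pkg"]), indent=2))
```

Run with a real `package-lock.json` as the first argument, it reports two chains to `flagged-pkg` on the sample (one through each top-level dependency, at different versions) and the one package with an install hook. The nested-version case matters because a fix pinned at the top level does not remove an older copy that another dependency still pulls in.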
- Cracked Apps Delivering Infostealers Identified as Leading Attack Vector in June 2025
In June 2025, cracked software and keygens distributing infostealers emerged as a primary attack vector, leveraging SEO poisoning to promote malicious sites. ASEC identified evolving infostealer variants like ACRStealer, which uses advanced evasion tactics such as HTTP domain spoofing and anti-analysis techniques. Automated systems enabled real-time threat mitigation, though reduced LummaC2 activity caused a decline in overall infostealer volumes. Attackers increasingly abuse legitimate platforms to host deceptive links, while execution methods favor direct EXE files and DLL side-loading. New evasion strategies include embedding decompression passwords in images and fake installers triggering phishing workflows. Organizations are urged to adopt behavioral analysis and monitor ATIP for updated threat intelligence.
Read full article: Gbhackers
- Dark Partners Hacker Group Drains Crypto Wallets Using Fake AI Tools and VPN Services
Dark Partners, a financially motivated cybercrime group, has targeted global cryptocurrency users since May 2025 via 250+ malicious domains impersonating AI tools, VPN services, and software brands. Their campaigns deploy macOS Poseidon Stealer and Windows PayDay Loader through SEO-poisoned sites and social engineering, stealing wallets, credentials, and data. Infrastructure includes global C2 servers focusing on crypto, tech, and financial sectors. The group uses stolen code-signing certificates, anti-sandboxing, and modular payloads to evade detection. Defenses require EDR with behavioral analytics, certificate validation, and user awareness training. Future threats include AI-generated lures and NFT ecosystem targeting, demanding proactive IoC monitoring and threat intelligence sharing.
Read full article: Gbhackers
- New AsyncRAT Forks Discovered Featuring Screamer Tool and USB Malware Spreader
Cybersecurity researchers identified two advanced AsyncRAT variants incorporating psychological warfare and improved propagation. The first variant uses a “Screamer” plugin to manipulate audio APIs, generating high-frequency sounds to disorient victims. The second deploys a USB spreader exploiting autorun functionality to infect air-gapped networks via removable drives. Both forks leverage upgraded .NET implementations and MessagePack serialization for efficiency, while retaining cryptographic elements from earlier AsyncRAT lineages. The malware combines AMSI/ETW bypass techniques with multi-vector attacks, complicating signature-based detection. Organizations are advised to monitor abnormal audio/USB activity and inspect WebSocket-based C2 traffic. These variants highlight AsyncRAT’s evolution from open-source roots into sophisticated hybrid threats.
Read full article: Gbhackers
Vulnerability Spotlight: Critical Exposures Unveiled
Critical vulnerabilities across major platforms dominated the past week, with multiple high-severity flaws enabling remote code execution (RCE) and system compromise. Microsoft faced risks from SharePoint XML deserialization exploits and Windows Server 2025’s “Golden dMSA” flaw, while CrushFTP, Lighthouse Studio, and LaRecipe disclosed actively exploited zero-days requiring urgent patching. Network security tools like Cisco ISE, FortiWeb, and Forescout SecureConnector were also compromised via unauthenticated attacks, SQLi, and privilege escalation. Third-party risks emerged through Shopify’s Consentik plugin data leaks and Laravel’s LaRecipe SSTI vulnerability. Widespread exploitation underscores the necessity for immediate updates, enhanced input validation, and rigorous monitoring of privileged access and third-party integrations.
- Golden dMSA Flaw Exposes Firms to Major Credential Theft
A critical flaw in Windows Server 2025’s delegated Managed Service Accounts (dMSAs), dubbed “Golden dMSA,” enables attackers to generate passwords for all service accounts across an Active Directory Forest. Exploiting predictable time-based components in password structures, attackers with access to the KDS root key can bypass domain boundaries, harvest credentials, and maintain persistent access indefinitely. Microsoft acknowledged the vulnerability but noted dMSAs were not designed to defend against domain controller breaches. The indefinite lifespan of KDS keys and disabled protections like Credential Guard exacerbate risks. Detection is challenging due to a lack of default logging for KDS key compromises, requiring manual auditing. Organizations are urged to prioritize strict governance and monitoring of KDS keys.
Read full article: Bankinfosec
- CVE-2025-54309: CrushFTP Targeted in Active Exploits Due to Unpatched Zero-Day Vulnerability
A critical zero-day vulnerability (CVE-2025-54309, CVSS 9.0) in CrushFTP file transfer servers is under active exploitation, allowing attackers to compromise systems via HTTP(S). The flaw impacts versions 10 (below 10.8.5) and 11 (below 11.3.4_23), with attackers leveraging reverse-engineered code changes to reactivate a previously patched bug. Exploits reuse prior attack scripts to deploy malware or manipulate servers. Indicators include unauthorized user.XML modifications, suspicious admin accounts, and abnormal login entries. CrushFTP advises restoring clean backups, monitoring logs, and hardening defenses via IP restrictions, updates, and DMZ architectures. Unpatched systems remain at high risk.
Read full article: Securityonline
- Critical SharePoint RCE Vulnerability Exploited via Malicious XML in Web Part
A critical remote code execution (RCE) vulnerability in Microsoft SharePoint allows attackers to execute arbitrary code via malicious XML in web parts. The flaw stems from insecure deserialization during web part processing, particularly in the AddParsedSubObject() method, which parses XML content and triggers unsafe BinaryFormatter deserialization. Attackers exploit this by embedding crafted XML payloads in web parts, leveraging classes like SPThemes to achieve code execution. Exploitation occurs through endpoints like /_vti_bin/webpartpages.asmx, requiring no authentication, enabling full server compromise. Microsoft has released patches, though specific CVE details remain unclear. Organizations are urged to update SharePoint immediately, restrict web service access, and monitor for suspicious activity.
Read full article: Gbhackers
- CVE-2025-34300 (CVSS 10): Critical RCE Flaw in Lighthouse Studio’s CGI Scripts Threatens Survey Servers Worldwide
A critical remote code execution (RCE) vulnerability (CVE-2025-34300, CVSS 10) was identified in Lighthouse Studio’s Perl CGI scripts, enabling unauthenticated attackers to execute arbitrary code on survey-hosting servers. The flaw stems from unsafe use of Perl’s eval() function in the ciwweb.pl script’s templating engine, allowing attackers to inject malicious commands via specially crafted survey URLs. Exploitation bypasses prior mitigations by duplicating query parameters, affecting all script versions. Sawtooth Software released patched version 9.16.14, but manual updates are required because the scripts have no auto-update feature. Organizations must urgently patch all script instances, as unpatched copies across directories amplify risks. Global survey servers remain exposed until legacy scripts are fully removed.
Read full article: Securityonline
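The duplicate-parameter bypass described above is a general input-validation pitfall: a filter that inspects only the first occurrence of a query parameter is sidestepped when the same parameter is sent twice and the application consumes a different occurrence. The following is an added illustration from a defender's standpoint, not code from Lighthouse Studio or Sawtooth Software; the parameter name `survey`, the allowlist pattern, and the sample query strings are constructed for this example.

```python
"""
Added example (not Lighthouse Studio / Sawtooth Software code): contrasts a
first-occurrence-only check with a strict check that rejects duplicated
parameters and validates every occurrence against an allowlist.
"""
import re
from typing import List, Optional
from urllib.parse import parse_qs

# Allowlist for a survey/template identifier; an assumption made for this
# example, not the product's real validation rule.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def _values(query: str, name: str) -> List[str]:
    """All occurrences of `name` in the query string, in order sent."""
    return parse_qs(query, keep_blank_values=True).get(name, [])


def naive_is_safe(query: str, name: str) -> bool:
    """The weak pattern: validates only the first occurrence of `name`."""
    values = _values(query, name)
    if not values:
        return True
    return bool(SAFE_VALUE.match(values[0]))


def strict_is_safe(query: str, name: str) -> bool:
    """Rejects duplicated parameters and validates every occurrence."""
    values = _values(query, name)
    if len(values) > 1:
        return False
    return all(SAFE_VALUE.match(v) for v in values)


def last_value(query: str, name: str) -> Optional[str]:
    """Models an application that reads the last occurrence of a parameter."""
    values = _values(query, name)
    return values[-1] if values else None


def duplicated_params(query: str) -> List[str]:
    """Names of every parameter that appears more than once (for logging)."""
    parsed = parse_qs(query, keep_blank_values=True)
    return sorted(k for k, v in parsed.items() if len(v) > 1)


if __name__ == "__main__":
    # Constructed sample: clean first value, second value outside the allowlist.
    sample = "survey=abc123&survey=bad%3Bvalue"
    print("naive  :", naive_is_safe(sample, "survey"))   # True  (bypassed)
    print("strict :", strict_is_safe(sample, "survey"))  # False (rejected)
    print("used   :", last_value(sample, "survey"))      # bad;value
    print("dupes  :", duplicated_params(sample))         # ['survey']
```

The same check belongs in front of any request handler, and a non-empty result from `duplicated_params` is a useful thing to log and alert on.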
- Cisco ISE maximum severity flaw lets hackers execute root code
A critical vulnerability (CVE-2025-20337) in Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector allowed attackers to execute arbitrary code with root privileges via crafted API requests without authentication. Cisco patched the flaw in versions 3.3 Patch 7 and 3.4 Patch 2. The flaw, discovered by GMO Cybersecurity’s Kentaro Kawane, stemmed from insufficient input validation. ISE is a network security management tool, while ISE-PIC collects user/device identity data. Though no active exploitation is reported, unpatched systems remain at high risk. Cisco urges immediate updates to prevent potential attacks leveraging this critical vulnerability.
Read full article: Techradar
- FortiWeb SQL Injection (CVE-2025-25257) Added to CISA KEV After Active Exploitation, PoC Available!
A critical SQL injection vulnerability (CVE-2025-25257) in Fortinet’s FortiWeb web application firewall, with a CVSS score of 9.6, has been actively exploited, prompting its addition to CISA’s Known Exploited Vulnerabilities catalog. The flaw allows unauthenticated attackers to execute arbitrary SQL commands via crafted HTTP/HTTPS requests, leading to remote code execution (RCE) through public proof-of-concept exploits. Fortinet confirmed compromises, including web shell deployments, and released patches in versions 7.6.4, 7.4.8, 7.2.11, and 7.0.11. Federal agencies must remediate by August 8, 2025. Immediate upgrades are urged for affected users to mitigate risks.
Read full article: Securityonline
- CVE-2025-4660 (CVSS 8.7) in Forescout SecureConnector Allows Remote Endpoint Hijack, PoC Published
A critical vulnerability (CVE-2025-4660, CVSS 8.7) in Forescout SecureConnector allows remote attackers to hijack Windows endpoints by exploiting misconfigured permissions on a named pipe (_FS_SC_UNINSTALL_PIPE). Attackers can redirect the agent to a rogue server, bypass certificate checks, and execute arbitrary SYSTEM-level commands, enabling data theft, file manipulation, or full control. Affected versions include 11.1.02.1019 through 11.3.6 on Windows, while Linux/macOS remain unaffected. Forescout patched the flaw in version 11.3.7, urging immediate upgrades. Proof-of-concept exploit code has been published, highlighting the urgency of mitigation.
Read full article: Securityonline
- VMware fixes four ESXi zero-day bugs exploited at Pwn2Own Berlin
VMware has addressed four zero-day vulnerabilities in ESXi, Workstation, Fusion, and Tools, exploited during the Pwn2Own Berlin 2025 hacking contest. Three critical flaws (CVE-2025-41236, CVE-2025-41237, CVE-2025-41238) with a 9.3 severity rating allowed guest virtual machines to execute code on the host via VMXNET3, VMCI, and PVSCSI component flaws. A fourth flaw (CVE-2025-41239, 7.1 severity) involved information disclosure in VMware Tools for Windows. Researchers from STARLabs SG, REverse Tactics, and Synacktiv demonstrated these exploits at the event, earning significant rewards. VMware urges users to update affected products immediately, as no workaround exists. The patches mitigate risks of host-level compromise and data exposure.
Read full article: Bleepingcomputer
- LaRecipe Tool with 2.3M Downloads Found Vulnerable to Full Server Takeover
A critical Server-Side Template Injection (SSTI) vulnerability (CVE-2025-53833) was discovered in LaRecipe, a Laravel documentation package with over 2.3 million downloads. The flaw, rated 10.0 on the CVSS scale, allows unauthenticated attackers to execute arbitrary code remotely via network attacks, potentially leading to full server compromise. Affected versions (prior to 2.8.1) risk exposure of sensitive data, privilege escalation, and system takeover due to improper input sanitization. The vulnerability stems from insecure template handling, enabling attackers to inject malicious commands. A patch in version 2.8.1 addresses the issue, and users are urged to update immediately. This highlights critical risks in third-party dependencies and the necessity for prompt security updates in development ecosystems.
Read full article: Gbhackers
- Faulty Shopify plugin puts hundreds of websites at risk of invasive attacks – find out how to stay safe
A major Shopify plugin, Consentik, designed for GDPR compliance, exposed sensitive data via a publicly accessible Kafka server for over 100 days. The leak, discovered by Cybernews researchers, included Shopify Personal Access Tokens, Facebook Auth Tokens, and analytics data, risking store takeovers, phishing, and fraudulent ad campaigns. The plugin, developed by Omegatheme and used by 4,180 stores, had a trusted reputation but left merchants vulnerable to malicious actors. The server was secured in late May 2025, though potential prior breaches remain unclear. Affected businesses should reset tokens and audit access.
Read full article: Techradar
In-Depth Expert CTI Analysis
A surge in sophisticated cyber threats emerged globally, with state-aligned actors and criminal groups exploiting supply chain vulnerabilities and critical infrastructure flaws. International law enforcement disrupted major operations including Google’s takedown of the BadBox 2.0 botnet, Europol’s dismantling of ransomware groups, and UK-Romania tax fraud arrests. Chinese, Iranian, and North Korean APTs targeted semiconductors, healthcare, and energy sectors using AI-enhanced phishing and zero-day exploits. Critical vulnerabilities in platforms like Citrix NetScaler, VMware, and Microsoft SharePoint highlighted systemic risks, while novel attack vectors like DNS tunneling and QR code phishing underscored evolving evasion tactics. The incidents emphasize the need for cross-border collaboration, proactive patch management, and enhanced monitoring of open-source ecosystems to counter hybrid cyber-physical threats.
Proactive Defense and Strategic Foresight
Proactive defense demands robust supply chain security, exemplified by Google’s legal action against BadBox 2.0 and PyPI’s domain-blocking measures, mitigating risks from compromised IoT devices and typosquatting. Strategic foresight requires anticipating geopolitical cyber campaigns, as seen in Salt Typhoon’s infrastructure targeting and Iranian APT ICS intrusions, necessitating hardened protocols and cross-sector intelligence sharing. Global collaboration, like EUROPOL’s ransomware takedowns and DNS tunneling countermeasures, underscores the shift from reactive patching to preemptive infrastructure disruption. Investments in AI-driven threat detection, zero-trust architectures, and behavioral analysis are critical to counter evolving ransomware, DDoS, and social engineering tactics, ensuring resilience against both current and emergent adversarial innovation.
Evolving Ransomware and Malware Tactics
Ransomware and malware tactics are rapidly evolving, with attackers exploiting IoT supply chains (e.g., BadBox 2.0 botnet), leveraging geopolitical motives (NoName057(16) DDoS campaigns), and targeting critical infrastructure via APT groups (Salt Typhoon, Iranian IRGC). Sophisticated phishing techniques, such as QR code scams and weaponized WAV files, bypass traditional defenses, while state-aligned actors employ AI-driven social engineering and DNS tunneling for stealth. Ransomware syndicates are increasingly professionalizing roles, as seen in negotiator arrests, and exploiting zero-days (CitrixBleed 2, SharePoint RCE). Open-source repositories (PyPI, npm) face supply chain attacks, and novel malware variants (AsyncRAT, SquidLoader) deploy anti-analysis and psychological warfare tactics. Global collaboration remains critical to counter these threats.
State-Sponsored and Organized Cybercrime Convergence
The convergence of state-sponsored and organized cybercrime is increasingly evident, with nation-states leveraging criminal tactics—ransomware, botnets, supply chain attacks—to advance geopolitical agendas while obscuring attribution. Recent operations reveal blurred lines: Russian-aligned groups like NoName057(16) conducted DDoS attacks on NATO targets, while Chinese APTs (Salt Typhoon) infiltrated U.S. infrastructure, mirroring criminal methodologies. Iranian actors targeted critical systems with ransomware-like encryption, blending sabotage with psychological warfare. Criminal syndicates, such as Ryuk/Conti affiliates, now exhibit state-level sophistication, exploiting zero-days and laundering funds via cryptocurrency. This symbiosis erodes traditional boundaries, enabling states to outsource deniable operations and criminals to access advanced tools. Global collaboration and hardened supply chains are critical to counter this hybrid threat landscape.
Operational and Tactical Implications
Operational Implications: The surge in supply chain compromises (BadBox 2.0, npm, AUR) demands stricter vendor vetting and automated repository monitoring. Geopolitically motivated attacks (NoName057(16), Salt Typhoon) necessitate cross-border intelligence sharing and preemptive infrastructure hardening. Legal actions (Google, Vardanyan) highlight the need for global frameworks to prosecute cybercriminals shielded by state actors. Healthcare and critical infrastructure breaches underscore sector-specific risks, requiring tailored defenses like zero-trust and OT segmentation.
Tactical Implications: Rapid patching (CitrixBleed 2, Wing FTP) and dynamic IP blocking mitigate exploit risks. Behavioral analysis counters AI-driven phishing (Scanception) and stealthy crypto-jacking. DNS/TXT abuse and tunneling require enhanced traffic monitoring. Insider threats (Wik) demand stricter access controls and activity logging. Proactive measures include isolating legacy protocols, enforcing MFA, and adopting AI-augmented threat detection to counter evolving malware (AsyncRAT, SquidLoader).
Forward-Looking Recommendations
- Enforce global IoT security standards to mitigate supply chain compromises and mandate vendor compliance with certified firmware.
- Prioritize zero-trust architectures, AI-driven anomaly detection, and automated patch management to counter evolving ransomware and APT tactics.
- Strengthen open-source repository security via mandatory code audits, namespace monitoring, and AI-assisted threat detection.
- Expand cross-border law enforcement collaboration for rapid infrastructure takedowns and adversarial disruption.
- Mandate multi-factor authentication, DNS traffic analysis, and behavioral analytics to combat phishing, DNS tunneling, and credential theft.
- Invest in OT/ICS network segmentation, real-time threat intelligence sharing, and industrial protocol safeguards.
- Accelerate legacy system modernization, prioritizing vulnerability remediation in critical infrastructure and healthcare sectors.
- Develop regulatory frameworks for cryptocurrency tracing and blockchain forensic capabilities to disrupt illicit financing.
- Enhance insider threat programs, secure third-party integrations, and enforce strict access controls for public-facing platforms.
- Promote cybersecurity workforce development through public-private training initiatives and red team exercises.