VerSprite Weekly Threat Intelligence #24

Date Range: 21 July 2025 – 25 July 2025

Issue: 24th Edition

Reported Period Victimology

Security Triumphs of the Week

International authorities disrupted BlackSuit ransomware through Operation Checkmate, crippling its infrastructure and global extortion capabilities, while Ukraine arrested a key XSS forum administrator. The UK proposed banning ransomware payments for critical infrastructure, supported by mandatory reporting rules, as global regulatory efforts expanded with New York’s water system mandates and U.S. maritime cybersecurity enforcement. Despite Lumma Stealer’s resurgence and Latin America’s banking Trojan threats, coordinated law enforcement actions and legal accountability measures—like Clorox’s $380M lawsuit over a breach—highlight growing public-private momentum to counter cybercrime.


BlackSuit Ransomware Infrastructure Seized by Authorities
International authorities disrupted BlackSuit ransomware operations by seizing critical infrastructure, including its communication and extortion platforms, in Operation Checkmate. The multinational effort involved agencies from the U.S., Europol, the UK, Germany, Ukraine, Lithuania and Canada, alongside private partners such as Bitdefender. BlackSuit employed double-extortion tactics, encrypting data and threatening to leak it via dark web portals to pressure victims; the seizure removes the group's ability to negotiate payments or publish stolen data through those channels. BlackSuit is a rebrand of the Royal ransomware operation, itself descended from Conti, and targeted healthcare, education and government sectors. While experts warn that the operators may rebrand again, the operation underscores growing global coordination against cybercrime.
Read full article: Gbhackers

Breach Roundup: Suspected XSS Cybercrime Forum Admin Arrested
A suspected administrator of the XSS cybercrime forum was arrested in Ukraine, disrupting a platform with 50,000 users involved in malware and stolen data sales. Clorox sued IT vendor Cognizant for $380 million, alleging negligence in a 2023 breach by Scattered Spider via compromised credentials. Lumma Stealer malware resurged post-takedown, adopting stealthier tactics. New York proposed cybersecurity rules for water systems, mandating incident reporting and access controls, while U.S. maritime cybersecurity regulations took effect. A new Coyote banking Trojan targeted Latin America using Windows tools to evade detection. Mexico City police data was leaked, and Dell faced extortion over synthetic data from a demo platform. Cyberattacks surged in Latin America, focusing on government and healthcare sectors.
Read full article: Bankinfosec

UK Government Set to Impose Ransomware Payment Ban
The UK government plans to implement a ransomware payment ban for critical infrastructure sectors such as the NHS, alongside mandatory pre-payment reporting for other businesses. The Labour government aims to disrupt cybercriminal operations, with over 75% of respondents supporting the ban. Enforcement mechanisms, including civil or criminal penalties, remain undecided, and debates persist over allowing exceptions for national security or public health emergencies. A proposed 72-hour ransomware reporting mandate received majority approval despite criticism about response prioritization. The measures, intended to enhance resilience against rising ransomware attacks, lack a clear implementation timeline.
Read full article: Bankinfosec


Security Setbacks of the Week

Critical sectors faced severe cyber disruptions, with state-aligned actors targeting aviation (Aeroflot), healthcare (AMEOS, Alpha Wellness), and U.S. intelligence (NRO, DOE) using advanced tactics like wiper malware, zero-day exploits, and phishing. Ransomware forced smaller healthcare providers to shut down, while third-party breaches compromised Allianz Life and exposed 100M Swedish records. High-profile leaks at Dior, SABO, and France Travail highlighted systemic data mismanagement, and dark web forum LeakZone’s own breach revealed criminal operational patterns. Regulatory actions, including HIPAA fines and arrests, underscored escalating risks amid global cyberespionage and infrastructure vulnerabilities.


Russia’s Flag Carrier Cancels Flights After Hack Attack
Aeroflot, Russia's state-owned flag carrier, canceled 47 flights after a cyberattack claimed by the pro-Ukrainian hacktivist group Silent Crow and the Belarusian Cyber Partisans. The attackers claimed to have wiped 7,000 servers, erasing 22 TB of data, including emails, databases and shared files, while stealing customer data for potential leaks. The groups say they infiltrated Aeroflot's IT systems a year earlier, compromising core business platforms including SharePoint and ERP systems. Silent Crow has previously targeted Russian entities, including telecom provider Rostelecom, while Cyber Partisans is known for disruptive attacks against the Belarusian and Russian regimes, including railway sabotage. Kaspersky linked the groups to tactics such as phishing, Telegram-based backdoors and wiper malware. The incident reflects ongoing cyber disruptions amid the Russia-Ukraine conflict.
Read full article: Bankinfosec

Swiss-Based Healthcare Network AMEOS Responding to Attack
Swiss healthcare network AMEOS Group suffered a cyberattack, prompting it to take IT systems offline across 100+ European facilities. The breach involved brief unauthorized access, risking exposure of patient, employee, and partner data. AMEOS warned affected individuals to watch for scams leveraging stolen information and reported the incident to regulators and law enforcement. Forensic experts and tightened security measures were deployed, though no confirmed data leakage was reported. The attack highlights ongoing threats to European healthcare, exemplified by a recent UK ransomware incident linked to a patient’s death due to disrupted services. AMEOS continues investigating with authorities.
Read full article: Bankinfosec

Another Medical Practice Closes Its Doors After Cyberattack
A Georgia-based medical practice, Alpha Wellness & Alpha Medical Centre, permanently closed in April following a ransomware attack by the RansomHub gang. The breach, reported to HHS, compromised data of 1,714 patients, including personal and health information. The attack disrupted operations, forcing the 12-year-old practice to shut down. This follows similar closures of smaller healthcare providers like Pinehurst Radiology and St. Margaret’s Health, which faced insurmountable financial and operational challenges post-attack. Experts highlight ransomware’s disproportionate impact on smaller entities due to recovery costs, inadequate insurance, and regulatory burdens. Recommendations include securing robust cyber insurance and participating in threat-sharing networks to mitigate risks.
Read full article: Bankinfosec

Hackers Breach Intelligence Portal Used by the CIA and Other Agencies
A critical intelligence portal operated by the National Reconnaissance Office (NRO), used by the CIA and other agencies, was breached by unidentified hackers. The compromised Acquisition Research Center website exposed sensitive contract details, including proprietary data linked to the CIA’s Digital Hammer program—a classified initiative focused on advanced surveillance, counterintelligence, and AI-driven technologies targeting Chinese threats. Concurrently, Chinese state-sponsored groups exploited SharePoint vulnerabilities to infiltrate the Department of Energy’s nuclear security network. Experts attribute the NRO breach to a sophisticated state-sponsored actor, likely China, highlighting vulnerabilities in unclassified systems handling sensitive data. These incidents underscore escalating cyber threats from China and Russia against U.S. intelligence infrastructure.
Read full article: Gbhackers

Women’s Dating App “Tea” Data Leak Exposes 13,000 User Selfies
The women-only dating safety app Tea experienced a data breach exposing 72,000 user images, including 13,000 sensitive selfies and photo IDs from accounts created before February 2024. Unauthorized access occurred via a legacy storage system tied to older infrastructure. The breach, discovered on July 25th, compromised verification documents that had been archived for cyber-bullying prevention; it did not include emails, phone numbers or data from accounts created after February 2024. Tea engaged cybersecurity experts, secured its systems, and stated that it has no evidence linking leaked photos to specific users. The app, which previously required ID verification for safety, removed this requirement in 2023 but retained the legacy data and is now addressing the security gap.
Read full article: Gbhackers

Leak Zone Dark Web Forum Breach Exposes 22 million User IPs and Locations
A data breach at LeakZone, a dark web forum for trading hacking tools, exposed 22 million user records, including IP addresses, locations, and ISP details. UpGuard discovered an unprotected Elasticsearch database logging three weeks of traffic (June 25–July 18), revealing high engagement (1M daily requests). Despite 109,000 registered users, 185,000 unique IPs were logged, indicating widespread VPN/proxy use. Heavy users relied on VPNs like Cogent Communications, while 5% used public proxies. Traffic patterns excluded direct Chinese connections, suggesting routing through international proxies. The breach highlights cybercriminals’ privacy measures but exposes vulnerabilities, offering law enforcement insights into operational patterns and identity risks for less-protected users.
Read full article: Gbhackers

Insurance giant Allianz Life says data on over a million US customers stolen in breach – here’s how to stay protected
Allianz Life Insurance disclosed a cyberattack compromising sensitive data of approximately 1.4 million U.S. customers, financial professionals, and employees. The breach occurred on July 16, 2025, via a third-party cloud-based CRM system accessed through social engineering by suspected threat actor ShinyHunters. Exposed data includes personally identifiable information, heightening risks of phishing, identity theft, and fraud. Allianz Life contained the incident, notified the FBI, and is contacting affected individuals. No evidence suggests broader network compromise. Customers are advised to monitor accounts, use tools like HaveIBeenPwned, and employ password managers for protection.
Read full article: Techradar

Major breach sees 100 million data records on citizens leaked – here’s what we know
A major data breach exposed over 100 million sensitive records of Swedish citizens and organizations via an unsecured Elasticsearch server. The database, attributed to Danish fintech firm Risika by Cybernews researchers, contained detailed financial, behavioral, and personal data, including identity numbers, addresses, debt records, and tax information. Risika denied ownership, suggesting a third party mishandled data licensed from them. The server was secured after researchers reported it. The incident highlights risks of third-party data mismanagement, though the exact source remains disputed.
Read full article: Techradar

French government agency breach may have exposed data on 340k jobseekers
France Travail, the national employment agency, suffered a cyberattack exposing personal data of approximately 340,000 jobseekers, including names, addresses, emails, phone numbers, and agency IDs. Attackers exploited the Kairos platform, used for managing training programs. While financial data wasn’t compromised, the breach raises risks of phishing and identity theft via fraudulent job offers. This follows a March 2024 incident affecting 43 million individuals, France’s largest cyberattack. Three suspects linked to the prior breach were arrested for impersonating advisors, though no group claimed responsibility. Users are urged to remain vigilant against unsolicited communications.
Read full article: Techradar

Huge data breach at Australian fashion giant – 3.5 million users at risk, here’s what we know so far
A significant data breach at Australian fashion brand SABO exposed sensitive information of up to 3.5 million users due to an unencrypted, publicly accessible database. Security researcher Jeremiah Fowler discovered the 292 GB database containing names, addresses, emails, phone numbers, and shipping documents stored in PDFs. Each PDF held data for 50 customers, suggesting the total affected individuals could be far higher. The leaked data spanned from 2015 to 2025, mixing outdated and current details. SABO secured the database hours after being notified but did not respond to inquiries, leaving exposure duration and potential prior access unresolved. The company operates three stores in Australia and reported $18 million annual revenue.
Read full article: Techradar

Dior begins sending data breach notifications following major cyber incident
Dior has started notifying customers affected by a January 2025 cyberattack, discovered in May, which exposed personal data including names, contact details, birthdates, government IDs, and Social Security numbers. Payment information remained unaffected. The company offered 24-month credit monitoring and enhanced security measures. Stolen data risks targeted phishing and identity theft, prompting warnings to customers. The breach impacted Korean and Chinese clients, with potential legal repercussions in South Korea for delayed reporting. No threat actors have claimed responsibility, and data hasn’t surfaced on the dark web.
Read full article: Techradar

US Nuclear Agency Breach Tied to SharePoint Zero-Days
A U.S. National Nuclear Security Administration breach was linked to China-aligned hackers exploiting two SharePoint zero-day vulnerabilities (CVE-2025-53770 and CVE-2025-53771) via the ToolShell campaign. Over 400 global organizations, including U.S. federal and state agencies and foreign governments, were compromised through four attack waves. Microsoft attributed the attacks to Chinese threat groups Linen Typhoon, Violet Typhoon, and Storm-2603, issuing emergency patches and mitigation steps for on-premises SharePoint servers. The breach impacted a small number of non-classified Department of Energy systems, which are being restored. Researchers warn that publicly released exploit code could spur further attacks by nation-state and cybercrime groups. Cloud-based SharePoint systems remain unaffected.
Read full article: Bankinfosec

Feds Fine Surgery Practice $250K in Ransomware Breach
A New York surgery practice, Syracuse ASC, was fined $250,000 by HHS for HIPAA violations following a 2021 Pysa ransomware attack that compromised 25,000 patients' data. Federal investigators found the practice failed to conduct a thorough security risk analysis and delayed breach notifications. The settlement includes a two-year corrective plan requiring risk assessment, policy updates and staff training. This marks HHS OCR's 14th ransomware-related enforcement action, emphasizing compliance with the Security Rule amid rising cyberattacks. The incident underscores vulnerabilities in healthcare entities neglecting HIPAA-mandated safeguards.
Read full article: Bankinfosec

Silicon Valley engineer admits theft of US missile tech secrets
A Silicon Valley engineer, Chenguang Gong, pleaded guilty to stealing sensitive US military technology trade secrets, including missile defense systems and satellite surveillance tools, while working for defense contractors. The dual Chinese American citizen transferred over 3,600 proprietary files to personal devices, particularly after accepting a job at a competitor in 2023. Gong had participated in China’s state-backed “talent programs” since 2014, seeking financial rewards for sharing advanced tech expertise. The stolen data, valued at hundreds of millions, risked compromising US national security if acquired by foreign adversaries. The FBI uncovered his thefts through digital audits and surveillance following his abrupt job changes. Gong faces up to 10 years in prison after admitting to the crimes.
Read full article: Theregister


The New Emerging Threats

Emerging threats highlight a surge in AI-augmented attacks, hypervisor exploitation, and malware-as-a-service proliferation. Cybercriminals like Scattered Spider target VMware vSphere via social engineering, while APT28's LAMEHUG embeds LLMs for dynamic command generation, signaling a shift toward AI-driven espionage. Android MaaS platforms and macOS RATs like AMOS lower entry barriers for non-technical actors, enabling polymorphic malware and data theft. State-sponsored groups (Chinese, Iranian and Russian-linked) exploit geopolitical tensions, targeting defense, aviation and critical infrastructure with advanced phishing, zero-days and stealthy payloads. Mitigation demands AI-integrated defenses, hypervisor isolation, MFA and proactive threat intelligence to counter evolving tactics.

APT28 Hackers Unveil First LLM-Powered Malware, Enhancing Attack Techniques with AI
CERT-UA identified LAMEHUG, the first publicly documented malware embedding large language models (LLMs) in its attack chain, attributed to Russia-linked APT28. Targeting Ukrainian officials via phishing emails, the malware uses Python-based executables that request commands from an LLM through the Hugging Face API and execute them, enabling reconnaissance and data exfiltration. Variants employ evolving tactics, including AI-themed lures and multiple exfiltration methods (SFTP, HTTP). The campaign, assessed as experimental, highlights APT28's exploration of AI-driven cyber espionage. Security measures such as AI-aware defenses, behavioral analysis and SASE platforms are recommended to counter such evolving threats. This marks a shift toward AI-augmented attacks, challenging traditional detection methods.
Read full article: Gbhackers

Atomic macOS Stealer Upgraded with Remote Access Backdoor
The Atomic macOS Stealer (AMOS) has evolved into a remote access trojan (RAT) by integrating a persistent backdoor, enabling attackers to execute commands, deploy payloads and maintain long-term control over infected macOS systems. Previously focused on stealing sensitive data such as passwords and crypto wallets, AMOS now employs macOS-specific features, such as hidden binaries and LaunchDaemons, to survive reboots and evade detection. Distributed via phishing and fake software targeting crypto users and freelancers, it uses sandbox detection and string obfuscation to hinder analysis. Affiliated with Russian developers, AMOS operates as malware-as-a-service, impacting over 120 countries, with capabilities now comparable to APT tooling. Security experts urge enhanced endpoint detection, behavior monitoring and user caution to counter its growing global threat.
Read full article: Gbhackers

Scattered Spider Exploiting VMware vSphere
Scattered Spider, a cybercriminal group linked to retail, airline and insurance sector breaches, is exploiting VMware vSphere by targeting its Active Directory integrations. Using social engineering, they manipulate help desks to obtain credentials, pivot to vSphere environments, and deploy ransomware or exfiltrate data rapidly. Their focus on ESXi hypervisors, which are often under-defended and lack multifactor authentication, allows them to bypass traditional endpoint defenses. Mandiant warns that compromised vSphere access enables attackers to disrupt critical systems, clone sensitive virtual disks, and spread ransomware across virtual environments. The exposure stems from insecure configurations, domain-joined ESXi hosts, and poor integration with security tooling. Mitigation includes isolating hypervisors from Active Directory, enforcing phishing-resistant MFA, and restricting administrative access. This shift highlights the growing risk of hypervisor-level attacks evading conventional security measures.
Read full article: Bankinfosec

Android Malware-as-a-Service Gets Cheaper, packing 2FA Interception
The article discusses the growing prevalence of Android Malware-as-a-Service (MaaS) platforms like PhantomOS and Nebula, which offer subscription-based, ready-to-deploy malware kits for as low as $300 monthly. These services enable even non-technical criminals to execute advanced attacks, including intercepting 2FA codes via SMS/OTP, evading antivirus detection through crypting, and deploying phishing overlays mimicking legitimate apps. Features like remote device control via Telegram bots, automated data exfiltration, and silent app installations lower entry barriers, mirroring ransomware-as-a-service models. MaaS providers emphasize undetectable payloads using cryptographic obfuscation and exploit kits for mass infections, while underground markets monetize compromised devices and botnet rentals. This trend industrializes cybercrime, transforming sophisticated attacks into affordable, plug-and-play operations.
Read full article: Gbhackers

NoName057(16) Hackers Target 3,700 Unique Devices Over the Last 13 Months
The pro-Russian hacktivist group NoName057(16) conducted extensive DDoS attacks against 3,700+ European government and public-sector targets over 13 months, primarily in nations that oppose Russia's invasion of Ukraine. Using the volunteer-driven DDoSia platform, they launched application-layer attacks via encrypted, multi-tiered infrastructure operated on Russian time zones. Ukraine (29.47%), France, Italy and Sweden were the top targets, with government entities (41%) most impacted. The group recruits via Telegram, deploying Go-based tools that route attack traffic through intermediaries to anonymize participants. Law enforcement's Operation Eastwood disrupted some activities in 2025, but the group persists. Mitigation requires DDoS defenses, threat monitoring, and geopolitical awareness amid state-backed hacktivism trends.
Read full article: Gbhackers

AI-Powered Cyber Attacks Utilize ML Algorithms to Deploy Malware and Circumvent Traditional Security
AI-powered cyber-attacks are increasingly leveraging machine learning (ML) to bypass traditional security, with 59% of organizations reporting a rise in such threats. Attackers use unsupervised ML to analyze data, adapt tactics and execute multi-stage operations, including hyper-realistic phishing (e.g., Arup's $25M deepfake scam) and polymorphic malware like LummaC2 Stealer. Network exploits, such as AI-driven DDoS botnets (TaskRabbit breach), and data exfiltration via traffic mimicry (HealthEquity breach) highlight evolving risks. These tactics map onto the MITRE ATT&CK framework, automating reconnaissance, initial access and data theft. Defenses require layered strategies: encrypted traffic analysis, network detection tools, DLP systems and microsegmentation to counter stealthy, adaptive threats. Proactive monitoring and AI-integrated security are critical to mitigate financial and compliance impacts.
Read full article: Gbhackers

Elephant APT Group Exploits VLC Player and Encrypted Shellcode in Attacks on Defense Sector
The Dropping Elephant APT group (aka Patchwork) targeted Turkish defense contractors involved in precision-guided missile systems via a spear-phishing campaign impersonating a 2025 Istanbul conference. Attackers used malicious LNK files to deploy a multi-stage chain exploiting VLC Player (DLL side-loading) and encrypted shellcode for reconnaissance, evasion, and data exfiltration. The campaign, linked to geopolitical tensions, leveraged domains mimicking legitimate sites and employed optimized x86 payloads with sandbox detection, screenshot capture, and C2 communication via roseserve[.]org. Arctic Wolf highlighted defense evasion tactics, including LOLBAS abuse and infrastructure mimicking Turkish entities, urging enhanced email security, EDR, and threat intelligence. The operation reflects the group’s shift toward streamlined, espionage-focused tooling.
Read full article: Gbhackers

Threat Actors Using .hwp Files to Distribute RokRAT Malware and Evade Detection Mechanisms
AhnLab ASEC identified a campaign using malicious .hwp documents to distribute RokRAT malware, shifting from the group's traditional LNK-based delivery. Attackers embed OLE objects in these South Korea-targeted files to auto-extract executables (e.g., ShellRunas.exe) and malicious DLLs into %TEMP%, evading detection. A hyperlink in the document triggers DLL side-loading, leveraging a legitimate Microsoft-signed tool to execute the attacker's code. RokRAT retrieves a steganographic image from Dropbox, decrypts shellcode from it, and executes it in memory only to avoid disk artifacts. The malware enables data theft, keylogging and C2-driven commands, aligning with North Korean APT tactics. ASEC provided IOCs and recommends monitoring %TEMP%, restricting macros/hyperlinks, and behavioral analysis to counter such threats.
Read full article: Gbhackers

Chinese Hackers Launch Targeted Campaign to Infect Windows Systems with Ghost RAT and PhantomNet Malware
Chinese state-linked APT actors conducted coordinated cyberespionage campaigns (Operation GhostChat and PhantomPrayers) targeting the Tibetan diaspora around the Dalai Lama's 90th birthday. Attackers compromised legitimate websites, deploying malicious redirects to distribute trojanized software (e.g., fake chat apps, prayer tools) that installed Ghost RAT or PhantomNet malware. These backdoors enabled data theft, surveillance and system control via encrypted C2 channels. Techniques included DLL side-loading, shellcode injection and multi-layer payload decryption to evade detection. The campaigns exploited cultural events for social engineering, aligning with Chinese APT TTPs such as native API abuse and obfuscated command execution. Zscaler attributes the activity to groups like TA428, emphasizing risks to vulnerable communities and the need for enhanced endpoint security.
Read full article: Gbhackers
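The Patchwork (VLC), RokRAT (ShellRunas.exe in %TEMP%) and Ghost RAT items above all rely on the same primitive: a legitimately signed executable dropped into a user-writable directory that loads an attacker's DLL from beside itself, because Windows searches the application directory before System32. The detector below is an added example, not code from the newsletter, AhnLab, Arctic Wolf or Zscaler; it assumes Sysmon-style process-creation and image-load events flattened to dicts, and the events, paths and DLL names are constructed for the demonstration.

```python
"""Flag DLL side-loading chains from endpoint telemetry.

Rule 1: a trusted-signed executable running from a user-writable directory
        (its installer would never put it there; something staged it).
Rule 2: a signed host process loading an unsigned DLL from its own directory
        (the side-loading primitive; app dir wins the DLL search order).
"""
import ntpath
from typing import Dict, List

# Directories an unprivileged user can write to. Matched case-insensitively
# as substrings of the full image path.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\downloads\\",
                 "\\users\\public\\", "\\appdata\\roaming\\")

# Constructed events (not real telemetry): an .hwp-dropped ShellRunas.exe in
# %TEMP% side-loading an unsigned DLL, a VLC copy staged under Downloads doing
# the same, and a legitimate VLC install under Program Files that must not fire.
EVENTS: List[Dict] = [
    {"type": "process_create", "pid": 4711, "parent_image": "C:\\Program Files\\Hnc\\Hwp.exe",
     "image": "C:\\Users\\kim\\AppData\\Local\\Temp\\ShellRunas.exe",
     "signed": True, "signer": "Microsoft Corporation"},
    {"type": "image_load", "pid": 4711, "image": "C:\\Windows\\System32\\kernel32.dll", "signed": True},
    {"type": "image_load", "pid": 4711, "image": "C:\\Users\\kim\\AppData\\Local\\Temp\\credui.dll",
     "signed": False},
    {"type": "process_create", "pid": 4800, "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Users\\kim\\Downloads\\conference\\vlc.exe", "signed": True, "signer": "VideoLAN"},
    {"type": "image_load", "pid": 4800, "image": "C:\\Users\\kim\\Downloads\\conference\\libvlc.dll",
     "signed": False},
    {"type": "process_create", "pid": 4900, "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Program Files\\VideoLAN\\VLC\\vlc.exe", "signed": True, "signer": "VideoLAN"},
    {"type": "image_load", "pid": 4900, "image": "C:\\Program Files\\VideoLAN\\VLC\\libvlc.dll",
     "signed": True},
]


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def same_directory(a: str, b: str) -> bool:
    # ntpath handles Windows separators regardless of the analysis host's OS.
    return ntpath.dirname(a).lower() == ntpath.dirname(b).lower()


def detect_sideloading(events: List[Dict]) -> List[Dict]:
    """Walk events in order, correlating image loads to their process by pid."""
    procs: Dict[int, Dict] = {}
    findings: List[Dict] = []
    for ev in events:
        if ev["type"] == "process_create":
            procs[ev["pid"]] = ev
            if ev["signed"] and in_user_writable(ev["image"]):
                findings.append({"rule": "signed-binary-staged-in-user-dir", "pid": ev["pid"],
                                 "image": ev["image"], "signer": ev.get("signer"),
                                 "parent": ev.get("parent_image")})
        elif ev["type"] == "image_load":
            proc = procs.get(ev["pid"])
            if proc is None or ev["signed"]:
                continue  # unknown process, or a signed DLL: not the primitive
            if proc["signed"] and same_directory(proc["image"], ev["image"]):
                findings.append({"rule": "unsigned-dll-beside-signed-exe", "pid": ev["pid"],
                                 "image": ev["image"], "host": proc["image"]})
    return findings


if __name__ == "__main__":
    for f in detect_sideloading(EVENTS):
        print(f["rule"], f["pid"], f["image"])
```

Rule 2 deliberately fires in Program Files as well as in %TEMP%: an unsigned DLL beside a signed vendor binary is worth a look anywhere, and the parent process recorded with Rule 1 (an office application such as the .hwp viewer) is what turns a single hit into a chain. Tune the signer list and writable-directory markers to your estate before deploying.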

Operation CargoTalon Targets Russian Aerospace & Defense to Deploy EAGLET Implant
Operation CargoTalon is a spear-phishing campaign targeting Russia’s Voronezh Aircraft Production Association (VASO) using malicious logistics documents (TTN) as decoys. The attack deploys the EAGLET implant via PowerShell scripts and LNK files, masquerading as ZIP archives and spawning decoy XLS files to evade detection. EAGLET, a C++-based DLL, establishes C2 communication, exfiltrates data, and enables remote shell execution, leveraging infrastructure linked to Romanian hosting provider MivoCloud SRL. The campaign shares tooling and tactics with the Head Mare group (UNG0901 cluster), focusing on espionage against Russian aerospace and defense sectors. SEQRITE attributes this activity to advanced threats exploiting critical infrastructure under U.S. sanctions.
Read full article: Gbhackers

Iranian Hackers Target Global Airlines to Steal Sensitive Data
APT39, an Iranian state-sponsored hacker group linked to Iran's Ministry of Intelligence, used the Iranian firm Amnban as a front to conduct cyber espionage targeting global airlines and freight companies. Posing as a legitimate security consultancy, Amnban harvested sensitive passenger data, including passport details and contact information, enabling surveillance and identity theft. The group employed social engineering, fake LinkedIn profiles and phishing to infiltrate airlines such as Emirates, Qatar Airways and Turkish Airlines, as well as firms such as FedEx and DHL. Leaked data revealed ties between Amnban's leadership, including FBI-wanted individuals, and APT39's intelligence-gathering operations. The leak exposes the structure of Iran's contractor-based cyber ecosystem and the risk to international aviation, and calls for stronger countermeasures against state-backed threats.
Read full article: Gbhackers

Microsoft: SharePoint attacks now officially include ransomware infections
Microsoft confirmed ransomware attacks targeting on-premises SharePoint servers via exploits against CVE-2025-49704 (remote code execution) and CVE-2025-49706 (spoofing). CVE-2025-53770 and CVE-2025-53771, the ToolShell bugs covered under Security Setbacks, are Microsoft's identifiers for the bypasses of the incomplete July patches for these two flaws, which is why servers need the later updates and the ASP.NET machine key rotation that Microsoft's guidance calls for, not just the original fixes. The China-linked Storm-2603 group deploys Warlock ransomware, disables Microsoft Defender, uses web shells for persistence, and steals credentials via Mimikatz. Over 400 organizations, including the US Energy Department, were compromised. Two Chinese state-backed groups (Linen Typhoon and Violet Typhoon) are also linked to the SharePoint attacks. Patches for SharePoint 2016, 2019 and Subscription Edition are available, with urgent calls for mitigation as proof-of-concept exploits circulate.
Read full article: Theregister
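For the two SharePoint items above (the ToolShell zero-days under Security Setbacks and the ransomware follow-on here), the most useful first check on an on-premises server is a hunt over the IIS logs for the exploitation request itself. The script below is an added example, not code from the newsletter, Microsoft or any vendor. The request pattern it looks for (an unauthenticated POST to ToolPane.aspx whose Referer is SignOut.aspx, followed by requests for a dropped spinstall0.aspx web shell in the LAYOUTS directory) follows the indicators published in vendor guidance for this campaign; the log excerpt is constructed for the demonstration and is not real traffic.

```python
"""Hunt IIS W3C logs for the ToolShell request pattern
(CVE-2025-49704/49706 and their bypasses CVE-2025-53770/53771)."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed IIS log excerpt: a normal page load, an exploitation attempt,
# a follow-up request for the web shell, and a legitimate editor POST to the
# same ToolPane page (same path, different referer) that must not fire.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 08:01:02 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 alice 10.0.1.20 Mozilla/5.0 https://sp.contoso.local/ 200
2025-07-19 08:03:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-19 08:04:10 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200
2025-07-19 08:05:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 bob 10.0.1.21 Mozilla/5.0 https://sp.contoso.local/sites/hr/_layouts/15/start.aspx 200
"""

TOOLPANE = re.compile(r"/_layouts/1[56]/toolpane\.aspx$")
# Web shell name reported in public ToolShell write-ups; extend with your own IOCs.
WEBSHELLS = re.compile(r"/_layouts/1[56]/spinstall\d*\.aspx$")


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse W3C extended log lines, taking column names from the #Fields: header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        rows.append(dict(zip(fields, values)))
    return rows


def is_toolshell_post(row: Dict[str, str]) -> bool:
    """The exploitation request: a POST to ToolPane.aspx carrying the SignOut
    referer that lets the page be reached without an authenticated session."""
    stem = row.get("cs-uri-stem", "").lower()
    referer = row.get("cs(Referer)", "").lower()
    return (row.get("cs-method") == "POST"
            and TOOLPANE.search(stem) is not None
            and referer.endswith("/_layouts/signout.aspx"))


def is_webshell_request(row: Dict[str, str]) -> bool:
    return WEBSHELLS.search(row.get("cs-uri-stem", "").lower()) is not None


def hunt(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    findings = []
    for row in rows:
        reason = ("toolshell-post" if is_toolshell_post(row)
                  else "webshell-request" if is_webshell_request(row) else None)
        if reason:
            findings.append({"reason": reason, "time": row["date"] + " " + row["time"],
                             "c-ip": row["c-ip"], "uri": row["cs-uri-stem"]})
    return findings


def sources(findings: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group findings by client IP so the exploit POST and the follow-on
    web shell traffic from the same source are reviewed together."""
    by_ip = defaultdict(list)
    for f in findings:
        by_ip[f["c-ip"]].append(f["reason"])
    return dict(by_ip)


if __name__ == "__main__":
    found = hunt(parse_w3c(SAMPLE_LOG.splitlines()))
    for ip, reasons in sources(found).items():
        print(ip, reasons)
```

Point parse_w3c at the files under %SystemDrive%\inetpub\logs\LogFiles\W3SVC*\ on each front-end server. A hit on the POST alone means the server was probed with a working exploit; a hit followed by web shell requests from the same IP means the post-exploitation steps described above (Defender tampering, Mimikatz, Warlock) should be assumed and the machine keys rotated even after patching.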


Vulnerability Spotlight: Critical Exposures Unveiled

Critical vulnerabilities across software supply chains, enterprise systems, and IoT devices dominated the security landscape, with attackers exploiting npm package hijacking, VMware privilege escalation flaws, and TP-Link NVR command injections to achieve remote code execution and data exfiltration. High-risk industrial router vulnerabilities (Weidmueller) and Chromium sandbox escapes (CVE-2025-6558) highlighted risks to critical infrastructure and browsers, while Synology, Sophos, and Mitel patched RCE flaws in widely used enterprise products. Cisco ISE and CrushFTP faced active exploitation of unpatched systems, alongside WordPress plugin account hijacking affecting 200,000 sites. Coordinated vendor patches and urgent updates remain critical, with 2FA adoption and network hardening emphasized to mitigate escalating supply chain and credential-based attacks.

NPM ‘is’ Package with 2.8M Weekly Downloads Exploited in Attack on Developers
A phishing campaign compromised the npm 'is' package (2.8M weekly downloads) by hijacking maintainer accounts via spoofed emails that led to a typosquatted registry domain. Attackers used the stolen npm tokens to publish malicious versions (3.3.1, 5.0.0) containing a JavaScript loader that evades detection via obfuscation and in-memory execution. The malware establishes WebSocket connections for data exfiltration and remote code execution, harvesting sensitive files such as .npmrc and SSH keys. A Windows-specific payload (Scavenger) in related packages steals browser data. The attack impacted multiple high-download packages and reached downstream projects through CI/CD pipelines that install dependencies automatically. Maintainers urge 2FA adoption, scoped tokens, and tools like Socket for threat detection.
Read full article: Gbhackers
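The two things a downstream team wants to know after an incident like this are whether any lockfile in the estate pulled the bad releases, and which registry tokens in developers' .npmrc files the loader could have stolen and therefore need rotating. The script below is an added example, not code from the newsletter, the 'is' maintainers or Socket; the compromised versions (3.3.1 and 5.0.0) come from the article, and the lockfile and .npmrc contents are constructed for the demonstration.

```python
"""Audit npm lockfiles for known-compromised releases and list stored registry tokens."""
import json
from typing import Dict, List, Set

# Package -> versions the article reports as published from the hijacked account.
COMPROMISED: Dict[str, Set[str]] = {"is": {"3.3.1", "5.0.0"}}

# Constructed lockfileVersion 3 file: a top-level 'is' that pulled the bad
# release and a nested copy pinned to a clean one (not a real project).
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"is": "^3.3.0"}},
        "node_modules/is": {"version": "3.3.1",
                            "resolved": "https://registry.npmjs.org/is/-/is-3.3.1.tgz"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/some-tool/node_modules/is": {"version": "3.3.0"},
    },
})

# Constructed .npmrc with a registry token of the kind the loader exfiltrates.
SAMPLE_NPMRC = """registry=https://registry.npmjs.org/
//registry.npmjs.org/:_authToken=npm_EXAMPLEtokenDoNotUse0000000000
always-auth=true
"""


def package_name(path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (lockfile v2/v3 keys)."""
    return path.rsplit("node_modules/", 1)[-1]


def find_compromised(lock_text: str) -> List[Dict[str, str]]:
    """Return every installed copy of a package whose version is on the list,
    handling both the flat 'packages' map (v2/v3) and the nested v1 tree."""
    lock = json.loads(lock_text)
    hits: List[Dict[str, str]] = []

    if "packages" in lock:  # lockfileVersion 2 and 3
        for path, meta in lock["packages"].items():
            if not path:
                continue  # "" is the root project itself
            name = package_name(path)
            if meta.get("version") in COMPROMISED.get(name, set()):
                hits.append({"path": path, "name": name, "version": meta["version"]})
        return hits

    def walk(deps: Dict[str, dict], prefix: str) -> None:  # lockfileVersion 1
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if meta.get("version") in COMPROMISED.get(name, set()):
                hits.append({"path": path, "name": name, "version": meta["version"]})
            walk(meta.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return hits


def find_auth_tokens(npmrc_text: str) -> List[str]:
    """Registries for which .npmrc stores an _authToken. These are what the
    in-memory loader reads, so each one needs rotating after exposure."""
    registries = []
    for line in npmrc_text.splitlines():
        key, sep, _ = line.partition("=")
        if sep and key.strip().endswith(":_authToken"):
            registries.append(key.strip()[:-len(":_authToken")])
    return registries


if __name__ == "__main__":
    for hit in find_compromised(SAMPLE_LOCK):
        print(f"compromised: {hit['name']}@{hit['version']} at {hit['path']}")
    for reg in find_auth_tokens(SAMPLE_NPMRC):
        print(f"token stored for {reg}; rotate it")
```

Run it over every package-lock.json and npm-shrinkwrap.json in source control and CI caches, not just the top-level one: nested copies under another package's node_modules are resolved independently and are exactly where a transitive pull of a bad release hides. Extend COMPROMISED with the other affected packages from the advisory as they are published.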

Critical VGAuth Flaw in VMware Tools Grants Full System Access
Security researchers identified critical vulnerabilities (CVE-2025-22230 and CVE-2025-22247) in VMware Tools' VGAuth service, enabling SYSTEM privilege escalation on Windows VMs. The first flaw allows authentication bypass via predictable named pipe hijacking, while the second leverages path traversal and symlink manipulation for arbitrary file deletion or write. Exploits grant attackers full system control through DLL hijacking or Windows Installer abuse. Affected versions include VMware Tools 12.5.0 and earlier. Broadcom patched the issues in versions 12.5.1 and 12.5.2 by randomizing pipe names, validating paths, and rejecting symlinks by default. All VMware Windows VM users should urgently apply updates to mitigate these high-risk local privilege escalation threats.
Read full article: Gbhackers

TP-Link Network Video Recorder Vulnerability Enables Arbitrary Command Execution
TP-Link disclosed critical vulnerabilities (CVE-2025-7723 and CVE-2025-7724) in its VIGI NVR1104H-4P V1 and NVR2016H-16MP V2 devices, allowing arbitrary command execution. The flaws include authenticated (CVSS 8.5) and unauthenticated (CVSS 8.7) OS command injection risks, with the latter posing higher threats due to no credential requirements. Exploitable by adjacent network attackers, these vulnerabilities risk data breaches, device control, and lateral network attacks. TP-Link released firmware updates (versions 1.1.5 and 1.3.1) to mitigate risks. Organizations must prioritize patching affected devices to prevent unauthorized access and ensure surveillance system integrity. Immediate updates are critical to avoid exposure.
Read full article: Gbhackers

Weidmueller Industrial Routers Exposed to Remote Code Execution Flaws
High-severity vulnerabilities in Weidmueller’s IE-SR-2TX industrial routers allow remote code execution with root privileges, risking complete device compromise and industrial network infiltration. Five CVEs (CVSS 8.8–9.8) affect specific models (IE-SR-2TX-WL, 4G-EU, 4G-USV), enabling attackers to manipulate processes, steal data, or pivot within networks. Patches (firmware V1.49/V1.62) were released alongside advisories (VDE-2025-052) through coordinated disclosure involving CERT@VDE, ONEKEY, and Dragos. Weidmueller recommends immediate firmware updates, password changes, network exposure reduction, and access restrictions. Organizations must prioritize updates to mitigate exploitation risks in critical infrastructure environments.
Read full article: Gbhackers

CISA Alerts on Google Chromium Input Validation Flaw Actively Exploited
CISA issued an alert for an actively exploited input validation flaw (CVE-2025-6558) in the ANGLE and GPU components of Google Chromium. A crafted HTML page can trigger it to escape the renderer sandbox, the boundary that normally keeps a compromised web page from reaching the rest of the system. Browsers built on Chromium are affected, including Microsoft Edge and Opera, so the exposed population runs to millions of users. A successful exploit lets an attacker bypass the sandbox, execute arbitrary code, and deploy further payloads. CISA added the CVE to its Known Exploited Vulnerabilities catalog with a remediation deadline of August 12, 2025; that deadline is binding on federal civilian agencies under BOD 22-01 and a strong signal for everyone else to apply vendor patches or discontinue products that cannot be updated. Given confirmed in-the-wild exploitation, browser updates should not wait for the regular patch cycle.
Read full article: Gbhackers

Synology BeeDrive for Desktop on Windows Vulnerabilities Let Hackers Run Malicious Code
Synology fixed three vulnerabilities in its BeeDrive desktop client for Windows (CVE-2025-54158, CVE-2025-54159, CVE-2025-54160; CVSS 7.5–7.8) that allow attackers to run malicious code or delete files. Together they cover local privilege escalation, remote file deletion, and path traversal, stemming from missing authentication and authorization checks and improper restriction of file paths; the outcome is system compromise or data loss. Reported by researcher Zhao Runzi, the flaws are reachable by both local and remote users. Synology released fixed version 1.4.2-13960 and, since there is no workaround, upgrading is the only mitigation. A desktop sync client holds credentials to the user's data store, so it warrants the same patch urgency as server-side software.
Read full article: Gbhackers

Critical Sophos Firewall Flaws Allow Pre-Auth RCE
Sophos disclosed several vulnerabilities in Sophos Firewall, including two pre-authentication remote code execution (RCE) flaws (CVE-2025-6704 and CVE-2025-7624) in the SPX and legacy SMTP proxy components. They affect devices running version 21.5 GA or older only in specific configurations, which Sophos estimates at 0.05–0.73% of deployments. Additional high-severity flaws (CVE-2025-7382, CVE-2024-13974) and a medium-severity SQL injection (CVE-2024-13973) were fixed in the same hotfixes. Sophos applied the hotfixes automatically to devices with automatic hotfix installation enabled; administrators should confirm the hotfix is actually present rather than assume it, and apply it manually where automatic installation is disabled. No active exploitation has been observed.
Read full article: Gbhackers

Mitel warns critical security flaw could let hackers completely bypass logins
Mitel addressed two vulnerabilities: an authentication bypass (CVSS 9.4) in the Provisioning Manager of MiVoice MX-ONE that grants administrative access with no user interaction, and a high-severity SQL injection (CVE-2025-52914) in MiCollab that allows execution of arbitrary SQL commands. Fixes are available for affected MX-ONE versions (7.3 through 7.8 SP1) and for MiCollab. Mitel advises updating immediately, keeping MX-ONE off the public internet, and restricting network access to its management interfaces. No active exploitation has been observed, but an unauthenticated bypass on a provisioning interface is the kind of flaw that is weaponized quickly once details circulate, so unpatched systems should be treated as exposed and patched first.
Read full article: Techradar

Apache Jena Vulnerability Allows Arbitrary File Access
Two vulnerabilities in Apache Jena (CVE-2025-49656 and CVE-2025-50151) let users with administrative access to the Fuseki server bypass directory restrictions and create or read files outside the paths the server is meant to confine them to. All versions up to and including 5.4.0 are affected. Exploitation requires admin privileges and works by supplying manipulated file paths in configuration files or through the admin UI, so the practical impact is that a compromised or malicious admin account becomes a route to data exfiltration or host compromise instead of being contained to Fuseki's own data. Version 5.5.0 fixes both issues by enforcing path validation and restricting file operations. Organizations should upgrade; where that must wait, restrict who can reach the admin endpoints and monitor file activity on the host.
Read full article: Gbhackers
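Both the VMware Tools VGAuth file-handling flaw above and the Apache Jena Fuseki issue come down to the same defect: a caller-supplied path is checked against an allowed directory by string comparison, or not at all, so `..` segments and symlinks planted inside the allowed tree escape it. The Python below is an added illustration written for this newsletter, not code from either project. The directory names and the throw-away layout it builds are constructed, and the check shown is the general technique (resolve both paths, then test containment by path components), not the vendors' actual patches.

```python
import os
import tempfile
from pathlib import Path


def naive_is_within(base: str, candidate: str) -> bool:
    """The string-prefix test that looks right and is not: '..' and symlinks pass it."""
    return os.path.join(base, candidate).startswith(base)


def is_within(base: str, candidate: str) -> bool:
    """True only if candidate, joined to base, resolves to a location inside base.

    Resolving both sides collapses '..' and follows symlinks before the
    containment test, so a link planted inside base that points outside it is
    rejected along with traversal sequences and absolute paths. Path.relative_to
    compares path components, so '/srv/files-old' is not mistaken for a child of
    '/srv/files' the way a prefix test would.
    """
    base_real = Path(base).resolve()
    cand_real = (base_real / candidate).resolve()  # an absolute candidate replaces base here
    try:
        cand_real.relative_to(base_real)
    except ValueError:
        return False
    return True


def demo() -> dict:
    """Exercise both checks on a constructed layout; returns {case: (naive, safe)}."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "files")      # the directory the server may touch
        outside = os.path.join(tmp, "secret")  # anything here must stay unreachable
        os.makedirs(base)
        os.makedirs(outside)
        # A symlink inside the allowed tree that points out of it.
        os.symlink(outside, os.path.join(base, "link"))
        cases = {
            "plain": "report.ttl",
            "nested": "a/b/report.ttl",
            "traversal": "../secret/passwd",
            "absolute": "/etc/passwd",
            "sibling_prefix": "../files-old/x",
            "symlink_escape": "link/passwd",
        }
        return {name: (naive_is_within(base, c), is_within(base, c))
                for name, c in cases.items()}


if __name__ == "__main__":
    for name, (naive, safe) in demo().items():
        print(f"{name:<15} prefix-check={naive!s:<5} resolved-check={safe}")
```

The prefix check accepts the traversal, the sibling directory and the symlink escape; the resolved check rejects all three and still accepts ordinary nested paths. Note that `resolve()` follows symlinks at check time, so the check must be repeated if the tree can change between validation and use.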

Cisco Alerts on ISE RCE Vulnerability Actively Exploited
Cisco has warned that three RCE vulnerabilities (CVE-2025-20281, CVE-2025-20282, CVE-2025-20337) in Identity Services Engine (ISE) and ISE-PIC, each rated CVSS 10.0, are being actively exploited. An unauthenticated remote attacker can execute arbitrary commands as root through flawed API handling and a file upload bypass, affecting ISE/ISE-PIC releases 3.3 and 3.4 in all configurations. No workaround exists; the fixed releases are 3.3 Patch 7 and 3.4 Patch 2. Because ISE is the network access control point, a compromised node gives an attacker a vantage point over authentication for the whole network, so patching these systems and checking them for signs of prior compromise should be a top priority.
Read full article: Gbhackers

Post SMTP plugin flaw exposes 200K WordPress sites to hijacking attacks
A vulnerability (CVE-2025-24000) in the Post SMTP WordPress plugin exposes over 200,000 sites to admin account takeover. The REST API endpoints that expose the plugin's email logs did not properly check the caller's capabilities, so any low-privileged authenticated user could read logged messages, including password reset emails for administrator accounts. An attacker who requests a reset for an admin account and reads the link from the log can set a new password and take over the site. Version 3.3.0, released June 11, fixes the access check, but only 48.5% of installations have updated, leaving more than 200,000 on vulnerable versions; a further 24.2% still run the outdated 2.x branch, which carries other known issues. Site owners should update now and, more generally, avoid retaining plaintext copies of outgoing mail that contain reset links.
Read full article: Bleepingcomputer

Top file transfer tool CrushFTP says a thousand servers are still vulnerable to cyberattack, so patch now
A critical vulnerability (CVE-2025-54309, CVSS 9.0) in the CrushFTP file transfer server allows a remote attacker to obtain administrative access over HTTPS. It was patched in early July 2025, yet around 1,000 internet-facing servers still run older builds (before 10.8.5 and before 11.3.4_23). Active exploitation was observed by July 18 and may have begun before the fix was public, making it a possible zero-day. Attackers appear to have reverse-engineered the flaw and are targeting unpatched instances; deployments that front CrushFTP with its DMZ proxy are reported unaffected. CrushFTP urges immediate patching and, for instances already compromised, restoring from a known-good backup rather than cleaning in place. Shadowserver continues to notify exposed organizations, so the remaining vulnerable population is enumerable and will keep being targeted.
Read full article: Techradar
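Several items above (VMware Tools, Synology BeeDrive, Post SMTP, CrushFTP) quote a "fixed in" version in a vendor-specific format (12.5.2, 1.4.2-13960, 3.3.0, 11.3.4_23), and CrushFTP fixes two branches separately. The triage script below is an added example, not vendor code: it parses those formats uniformly, compares an inventory against the fixed builds quoted in this issue, and reports what still needs attention. The inventory rows are constructed, and treating 12.5.2 as the VMware Tools threshold (the later of the two fix releases cited) is an assumption made here.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# First fixed build per major branch, taken from the items in this issue.
# Assumption: VMware Tools is only fully fixed at 12.5.2 (12.5.1 addressed one
# CVE, 12.5.2 the other), so 12.5.1 is still flagged.
FIXED_VERSIONS: Dict[str, Dict[int, str]] = {
    "vmware-tools-windows": {12: "12.5.2"},
    "crushftp": {10: "10.8.5", 11: "11.3.4_23"},
    "post-smtp": {3: "3.3.0"},
    "synology-beedrive": {1: "1.4.2-13960"},
}


def parse_version(text: str) -> Version:
    """Split a vendor version string on '.', '_' or '-' into integers.

    '11.3.4_23' -> (11, 3, 4, 23); '1.4.2-13960' -> (1, 4, 2, 13960).
    Anything non-numeric (e.g. '3.3.0-beta') is rejected rather than guessed at.
    """
    parts = re.split(r"[._-]", text.strip())
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def compare(a: Version, b: Version) -> int:
    """Return -1, 0 or 1. A missing trailing component counts as 0, so 12.5.2 == 12.5.2.0
    and a bare '1.4.2' with no build number ranks below '1.4.2-13960'."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def assess(product: str, version: str) -> str:
    """Classify an installed version against the fixed builds for its major branch."""
    branches = FIXED_VERSIONS[product]
    installed = parse_version(version)
    major = installed[0]
    if major in branches:
        fixed = parse_version(branches[major])
        return "patched" if compare(installed, fixed) >= 0 else "vulnerable"
    if major < min(branches):
        return "vulnerable"  # branch older than any fix the advisory lists
    return "unknown"  # branch newer than the advisory covers; confirm with the vendor


def triage(inventory: List[Tuple[str, str, str]]) -> List[Dict[str, str]]:
    """Return one finding per inventory row that is not confirmed patched."""
    findings = []
    for host, product, version in inventory:
        status = assess(product, version)
        if status != "patched":
            findings.append({"host": host, "product": product,
                             "version": version, "status": status})
    return findings


# Constructed sample inventory (hostnames and installed versions are made up).
SAMPLE_INVENTORY = [
    ("win-app-01", "vmware-tools-windows", "12.5.0"),
    ("win-app-02", "vmware-tools-windows", "12.5.2"),
    ("ftp-dmz-01", "crushftp", "11.3.4_22"),
    ("ftp-dmz-02", "crushftp", "10.8.5"),
    ("wp-site-01", "post-smtp", "2.9.1"),
    ("wp-site-02", "post-smtp", "3.3.0"),
    ("nas-desk-07", "synology-beedrive", "1.4.2"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f['host']:<12} {f['product']:<22} {f['version']:<12} {f['status']}")
```

The two decisions worth copying are that unparseable versions raise instead of silently comparing as zero, and that a version with no build suffix is ranked below the fixed build with one, so an agent that reports "1.4.2" is flagged for a look rather than assumed safe.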


In-Depth Expert CTI Analysis

Global law enforcement disrupted major ransomware operations like BlackSuit and cybercrime forums, yet state-sponsored threats escalated with Chinese, Russian, and Iranian APTs targeting critical infrastructure, defense, and aviation sectors. Ransomware attacks crippled healthcare providers, forcing closures, while vulnerabilities in VMware, SharePoint, and industrial systems exposed widespread risks. Emerging AI-driven attacks, MaaS platforms, and LLM-embedded malware highlight evolving tactics, stressing the need for proactive patching, supply chain security, and AI-integrated defenses. Regulatory moves like the UK’s proposed ransomware payment ban aim to curb incentives, but persistent rebranding and geopolitical hacktivism underscore the challenge of sustained global coordination against cybercrime.


Proactive Defense and Strategic Foresight

Proactive defense means using global collaboration and threat intelligence to disrupt adversaries before they act, as Operation Checkmate's infrastructure takedowns and the UK's proposed ransomware payment ban demonstrate. Strategic foresight means anticipating the tactics now gaining ground: AI-driven attacks, hypervisor exploitation, and state-sponsored campaigns against critical infrastructure. Organizations must prioritize patching, secure their third-party ecosystems, and adopt AI-aware defenses to counter adaptive threats such as MaaS platforms and APT malware. Healthcare and public sector breaches underscore the need for resilience frameworks, while geopolitical hacktivism highlights the role of cross-border coordination. Investments in behavioral analytics, microsegmentation, and zero-trust architectures are critical to limit the blast radius of supply chain compromises and newly disclosed vulnerabilities.

Evolving Ransomware and Malware Tactics

Ransomware and malware tactics continue to grow more sophisticated, drawing on AI, hypervisor-level attacks, and malware-as-a-service (MaaS) models. Recent operations such as BlackSuit's double extortion and Scattered Spider's exploitation of VMware vSphere show adversaries shifting toward infrastructure compromise combined with social engineering. MaaS platforms (e.g., PhantomOS) put advanced capabilities in less-skilled hands, while APTs such as APT28 integrate LLMs for dynamic command execution. Critical vulnerabilities in SharePoint, VMware Tools, and Chromium are weaponized rapidly after disclosure, enabling ransomware deployment and data exfiltration. Healthcare and critical infrastructure remain prime targets, with smaller entities facing existential risk. Recent law enforcement disruptions help, but they do not replace proactive patching, AI-aware defenses, and cross-sector collaboration against adaptive threats.


State-Sponsored and Organized Cybercrime Convergence

The convergence of state-sponsored and organized cybercrime is intensifying. Ransomware groups like BlackSuit run on Conti/Royal lineage infrastructure with operations that appear state-tolerated, while APT28 (Russia) and Chinese groups exploit zero-days against U.S. nuclear and intelligence systems. Proxied hacktivism (Silent Crow, Cyber Partisans) and Iranian APT39's airline espionage via front companies blur the line between geopolitical agendas and criminal profit. State-aligned actors adopt cybercrime TTPs (AI-driven phishing, ransomware-as-a-service, malware-as-a-service) to obscure attribution, while criminal groups gain access to nation-state tooling, amplifying global disruption. This symbiosis erodes traditional threat boundaries and demands unified defenses against hybrid campaigns targeting critical infrastructure, healthcare, and national security.


Operational and Tactical Implications

Operational Implications: Tighten third-party risk management with mandatory security reviews and contract clauses after Allianz’s CRM breach and Clorox’s post-incident lawsuit exposure. Expand ransomware playbooks to include payment-ban contingencies, especially for UK- or New York-regulated critical-infrastructure assets. Prioritize patching pipelines for on-prem SharePoint, VMware Tools, and Weidmueller/TP-Link OT firmware—high-risk footholds used in recent campaigns. Allocate resources for cross-sector tabletop exercises reflecting Operation Checkmate: practice rapid takedown coordination with private CTI partners and law-enforcement liaisons.

Tactical Implications: Block or closely monitor traffic to the seized BlackSuit C2 domains to spot rebrand attempts, and update IDS signatures for double-extortion TTPs. Deploy Suricata/YARA rules for Lumma Stealer, PhantomOS MaaS loaders, and the Latin American banking Trojans covered in this report. Enforce strict egress controls and MFA on SharePoint and VMware vSphere management portals to blunt both zero-day and social-engineering intrusions. Strengthen email filtering against ShinyHunters' social-engineering lures. Hunt for long-dwell wiper or backdoor implants in aviation and OT environments, using the Aeroflot attack chain and Belarusian hacktivist TTPs as the hunting model.


Forward-Looking Recommendations

  • Prioritize patching critical vulnerabilities in widely used software (e.g., VMware, SharePoint, Chromium) and enforce strict update protocols for third-party systems to mitigate supply chain risks.
  • Adopt zero-trust architectures with phishing-resistant MFA and network microsegmentation, particularly for hypervisors and cloud environments targeted by ransomware groups like Scattered Spider.
  • Enhance AI-driven threat detection and behavioral analytics to counter evolving AI-powered attacks, including polymorphic malware and LLM-augmented espionage tools.
  • Strengthen third-party risk management frameworks, including mandatory security audits for vendors handling sensitive data, following breaches at Allianz, Cognizant, and Risika.

Additional Resources & Contact

VerSprite on LinkedIn

VerSprite on Twitter

Email VerSprite