VerSprite Weekly Threat Intelligence #25

Date Range: 28 July 2025 – 01 August 2025
Issue: 23rd Edition
Reported Period Victimology

Security Triumphs of the Week
International law enforcement disrupted the BlackSuit ransomware group’s infrastructure, though experts warn of potential regrouping without arrests. In India, a CoinDCX engineer’s compromised laptop led to a $44 million crypto theft, highlighting insider risks from policy violations. Pwn2Own Ireland 2025 announced a $1 million bounty for zero-click WhatsApp exploits, incentivizing proactive vulnerability discovery. Meanwhile, Proofpoint exposed AiTM phishing campaigns bypassing MFA via malicious OAuth apps, underscoring evolving cloud account hijacking tactics. These developments reflect both progress in countering cyber threats and persistent challenges requiring enhanced defenses.
Top ransomware group BlackSuit has dark web extortion sites seized and shut down
A coalition of international law enforcement agencies, including U.S. Homeland Security, the FBI, Europol, and others, disrupted the BlackSuit ransomware group by seizing and shutting down its dark web infrastructure, including leak and negotiation sites. The operation, part of “Operation Checkmate,” involved defacing BlackSuit’s TOR-based site with a law enforcement seizure banner. No arrests were made, but private cybersecurity firm Bitdefender supported the effort. BlackSuit, linked to the Conti and Royal ransomware operations, emerged in May 2023. While such takedowns hinder ransomware groups, experts note they often regroup within weeks unless members are arrested.
Read full article: Techradar
CoinDCX Engineer Arrested in $44M Crypto Heist: Moonlighting on Work Laptop Linked to Breach
A CoinDCX software engineer, Rahul Agarwal, was arrested in Bangalore, India, for alleged involvement in a $44 million cryptocurrency theft. The breach occurred after attackers compromised Agarwal’s work laptop via third-party software he installed while moonlighting for private clients. A keylogger captured his credentials, enabling unauthorized access to the exchange’s internal network. The attacker executed a test transaction of $1 before transferring $44 million from CoinDCX’s liquidity wallets (not customer funds) to six external wallets. Agarwal denied direct involvement but admitted to violating company policies by using his work device for freelance activities. CoinDCX confirmed the incident is under investigation but has not formally commented on Agarwal’s role.
Read full article: Securityonline
Pwn2Own hacking contest pays $1 million for WhatsApp exploit
The Pwn2Own Ireland 2025 hacking contest, organized by the Zero Day Initiative, offers a record $1 million bounty for a zero-click WhatsApp exploit enabling code execution, cosponsored by Meta, Synology, and QNAP. The event, scheduled for October 21-24 in Cork, includes eight categories targeting mobile devices, smart home tech, wearables, and network systems, with expanded attack vectors like USB port exploitation for locked phones. Participants must register by October 16, and vendors receive 90 days to patch vulnerabilities before public disclosure. Last year’s event awarded over $1 million for 70+ zero-day flaws. The competition aims to uncover critical security gaps before malicious actors exploit them.
Read full article: Bleepingcomputer
The OAuth Phishing Trap: Proofpoint Exposes AiTM Attacks That Bypass MFA to Hijack Cloud Accounts
Proofpoint uncovered adversary-in-the-middle (AiTM) phishing campaigns exploiting malicious Microsoft OAuth applications to bypass multifactor authentication (MFA) and hijack cloud accounts. Attackers create fake login portals mimicking trusted brands like Adobe and DocuSign, redirecting victims to harvest credentials and intercept MFA tokens via the Tycoon Phishing-as-a-Service platform. These attacks, targeting over 20 Microsoft 365 tenants, use deceptive OAuth apps with seemingly harmless permissions to trick users. Proofpoint observed a 50% success rate in compromising accounts, with attackers leveraging session cookies for persistent access. Recommendations include blocking impersonation emails, detecting malicious OAuth apps, web isolation, user training, and adopting phishing-resistant FIDO authentication.
Read full article: Securityonline
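The report's recommendation to detect malicious OAuth apps is easier to act on with a concrete triage rule. The script below is an added example, not Proofpoint's or Microsoft's tooling: it scores constructed application-consent records on provenance signals (user rather than admin consent, unverified publisher, newly registered app, redirect URLs outside an approved list, and an impersonated brand name). The field names, weights and the approved-host list are assumptions for this example, not a vendor's audit-log schema. Because the report notes the lure apps request seemingly harmless permissions, the scopes are deliberately not scored.

```python
"""Triage OAuth consent grants for consent-phishing signals.

Added example, not Proofpoint's or Microsoft's tooling. Each record is a
constructed, simplified view of an application-consent event; the field names
are assumptions for this example, not a vendor's audit-log schema.
"""
from urllib.parse import urlparse

# Redirect hosts the organisation has approved for OAuth apps (constructed).
APPROVED_REDIRECT_HOSTS = {"login.microsoftonline.com", "app.contoso.example"}

# Brands the report says the lure portals impersonate.
IMPERSONATED_BRANDS = ("adobe", "docusign", "sharepoint", "microsoft")

# Constructed consent events. The lure app asks only for benign scopes, so the
# scopes are not scored; provenance and redirect targets are the signal.
GRANTS = [
    {"app_display_name": "Contoso Expense Portal", "consent_type": "admin",
     "publisher_verified": True, "app_age_days": 700,
     "reply_urls": ["https://app.contoso.example/oauth/cb"],
     "scopes": ["User.Read", "offline_access"]},
    {"app_display_name": "Adobe Document Cloud", "consent_type": "user",
     "publisher_verified": False, "app_age_days": 3,
     "reply_urls": ["https://adobe-secure-docs.example.net/callback"],
     "scopes": ["User.Read", "openid", "profile"]},
    {"app_display_name": "Contoso Timesheets", "consent_type": "user",
     "publisher_verified": False, "app_age_days": 400,
     "reply_urls": ["https://app.contoso.example/timesheets/cb"],
     "scopes": ["User.Read"]},
]


def redirect_hosts(reply_urls):
    """Hostnames an authorization response may be sent to."""
    return {(urlparse(u).hostname or "").lower() for u in reply_urls}


def score_grant(grant, new_app_days=30):
    """Return (score, reasons); the weights are assumptions, tune them per tenant."""
    score, reasons = 0, []
    if grant["consent_type"] == "user":
        score += 1
        reasons.append("user consent, no admin review")
    if not grant["publisher_verified"]:
        score += 2
        reasons.append("publisher not verified")
    if grant["app_age_days"] < new_app_days:
        score += 2
        reasons.append(f"app registered {grant['app_age_days']} days ago")
    unknown = redirect_hosts(grant["reply_urls"]) - APPROVED_REDIRECT_HOSTS
    if unknown:
        score += 3
        reasons.append(f"redirects to unapproved host(s): {sorted(unknown)}")
    name = grant["app_display_name"].lower()
    if not grant["publisher_verified"] and any(b in name for b in IMPERSONATED_BRANDS):
        score += 2
        reasons.append("impersonated brand name without verified publisher")
    return score, reasons


def triage(grants, threshold=5):
    """Grants scoring at or above the threshold, highest score first."""
    hits = []
    for g in grants:
        score, reasons = score_grant(g)
        if score >= threshold:
            hits.append({"app": g["app_display_name"], "score": score, "reasons": reasons})
    return sorted(hits, key=lambda h: -h["score"])


if __name__ == "__main__":
    for hit in triage(GRANTS):
        print(f"[{hit['score']}] {hit['app']}: " + "; ".join(hit["reasons"]))
```

Run against the constructed records, only the "Adobe Document Cloud" grant crosses the threshold; the older, internally hosted user-consented app scores low, which is the intended behaviour so that analysts review new, externally redirecting apps first.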
Security Setbacks of the Week
This week saw widespread cyberattacks across sectors, with ransomware crippling Minnesota’s systems and forcing NRS Healthcare into liquidation. State-sponsored threats escalated as Russian hackers targeted embassies via AiTM attacks and Chinese-linked groups disrupted Orange Telecom. Sophisticated malware campaigns like PlayPraetor (11,000+ Android devices) and Interlock Group’s multi-stage ransomware exploited third-party vulnerabilities, while breaches at Allianz Life, NASCAR, and Oracle/Cerner exposed sensitive data through social engineering and legacy systems. Emerging groups like Chaos and SafePay demonstrated evolving tactics, underscoring critical infrastructure risks and the urgent need for enhanced vendor security and incident response planning.
Minnesota Activates National Guard Over St. Paul Cyberattack
Minnesota activated its National Guard to assist St. Paul in responding to a significant cyberattack by a sophisticated external threat actor. The attack, discovered early Friday, prompted a full shutdown of city systems by Monday, causing widespread service disruptions. Governor Tim Walz authorized military reservists after the incident exceeded local and commercial response capabilities. Emergency services remained operational, but internal networks, Wi-Fi, and applications were disabled. St. Paul is collaborating with federal agencies, including the FBI, and two cybersecurity firms to investigate, contain the breach, and restore systems. Officials have not confirmed ransomware involvement but noted system takedowns are common in such attacks. The city’s emergency declaration enabled accelerated recovery efforts.
Read full article: Bankinfosec
US Spy Satellite Agency Breached But Insists No Classified Secrets Spilled
A US National Reconnaissance Office (NRO) unclassified portal for vendor contracts was breached, potentially exposing CIA-related acquisition data, though the agency claims no classified systems were compromised. Separately, the Tea app leaked 72,000 user images via an unsecured database, undermining its safety-focused mission. The BlackSuit ransomware gang’s site was seized in a law enforcement operation, but a suspected rebranded group, Chaos, emerged. A UK student received a 7-year sentence for selling phishing kits and laundering £300k. Lastly, a drug dealer using EncroChat was identified through messages referencing his semi-famous father, highlighting ongoing law enforcement efforts against encrypted criminal networks.
Read full article: Theregister
NHS Disability Equipment Provider: On the Brink of Collapse a Year After Cyberattack
NRS Healthcare, a major NHS and UK council supplier of disability equipment, faces imminent collapse 16 months after a ransomware attack by RansomHub. Despite initially downplaying operational impacts, the cyberattack’s financial toll worsened in subsequent fiscal years, prompting debt restructuring and accelerated digital transformation efforts. Unable to secure a buyer, the firm is nearing compulsory liquidation, risking service disruptions for urgent disability aid deliveries. Local authorities warned of their inability to meet statutory care obligations if NRS fails, requesting government financial support for transition plans. The collapse would force councils to find alternative suppliers to maintain critical community health services.
Read full article: Theregister
11,000 Android Devices Hacked by Chinese Threat Actors to Deploy PlayPraetor Malware
A Chinese-speaking threat group compromised over 11,000 Android devices globally using PlayPraetor malware, distributed via fake Google Play Store pages. This malware-as-a-service operation leverages Android Accessibility Services to hijack devices, enabling real-time control for fraudulent transactions targeting 200+ banking and crypto apps. Europe (58% of infections) is most affected, particularly Portugal, Spain, and France, with additional clusters in Africa, the Americas, and Asia. PlayPraetor employs advanced communication protocols (HTTP/HTTPS, WebSocket, RTMP) for persistent control, live screen monitoring, and data exfiltration. The campaign’s multi-tenant infrastructure and 72% activation rate highlight its technical sophistication and rapid expansion (2,000+ weekly infections), marking a significant escalation in mobile financial fraud threats.
Read full article: Cybernews
Microsoft Says Russian Hackers Are Planting Fake Antivirus Software in Embassy Attacks
Microsoft reports Russian state-backed hackers, tracked as Secret Blizzard, are conducting cyber espionage targeting foreign embassies in Moscow using adversary-in-the-middle (AiTM) attacks. The campaign employs custom malware, ApolloShadow, disguised as Kaspersky antivirus, to install malicious TLS root certificates, enabling cryptographic impersonation of trusted websites. These attacks, active since 2024, exploit local internet providers to intercept diplomatic communications, likely leveraging Russia’s SORM surveillance systems. Secret Blizzard’s ISP-level access poses high risks to organizations relying on Russian telecommunications. Microsoft confirms the group’s capability to execute large-scale operations, emphasizing threats to sensitive entities operating within Russia.
Read full article: Techradar
Allianz Life says the Majority of 1.4 million US Customers’ Info Breached
A data breach at Allianz Life exposed personal information of the majority of its 1.4 million U.S. customers, financial professionals, and select employees. The breach occurred on July 16, 2025, via social engineering targeting a third-party cloud-based CRM system, suspected to be Salesforce. The incident, discovered the next day, is linked to UNC6040 (Scattered Spider), a group known for ransomware and vishing attacks to steal data for extortion. Allianz filed breach notifications starting July 25 and plans to inform affected individuals by August 1. The attackers may threaten data release or sale. The breach highlights risk from third-party system vulnerabilities and social engineering tactics.
Read full article: Malwarebytes
NASCAR Confirms User Data Breach Following Medusa Ransomware Attack
NASCAR confirmed a data breach in April 2025 after a ransomware attack by the Medusa group, which stole fans’ names and Social Security numbers. The attack occurred between March 31 and April 3, prompting NASCAR to secure its systems, engage cybersecurity experts, and notify law enforcement. Medusa demanded a $4 million ransom, threatening to leak data, though no public release has been confirmed. NASCAR filed breach disclosures with state regulators but did not specify the number of affected individuals. Victims were offered free credit monitoring via Experian Identity Works. Medusa, known for double-extortion tactics, has previously targeted entities like Toyota Financial Services and Minneapolis Public Schools.
Read full article: Techradar
Oracle/Cerner EHR Hack: Breach Reports Still Trickling In
A hacking incident involving Oracle/Cerner’s legacy EHR systems, stemming from compromised credentials in January 2025, continues to impact healthcare providers, with at least 410,000 patients affected. Breach reports, including from Mosaic Life Care (145,300 individuals) and Union Health (263,000), are still emerging, though totals are likely higher due to incomplete disclosures. Oracle initially downplayed the breach, claiming no cloud compromise, but confirmed attackers accessed obsolete servers during data migration. Affected entities were notified by cybercriminals, not Oracle, raising transparency concerns. Lawsuits and regulatory scrutiny highlight challenges in third-party risk management, with experts urging improved vendor communication, updated incident response plans, and contingency measures for healthcare providers.
Read full article: Bankinfosec
2 Law Group Data Theft Hacks Affect 282,100 Patients
Two Florida-based law firms, Zumpano Patricios PA and LaBovick Law Group, suffered data breaches impacting 282,100 individuals collectively. ZP Law’s May 2024 cyberattack exposed HIPAA-protected data, including Social Security numbers, medical records, and insurer details of nearly 280,000 patients. LaBovick’s October 2024 ransomware incident compromised 2,825 individuals’ sensitive information, with the firm paying a ransom to prevent data leaks. Both breaches involved exfiltrated healthcare and personal data, highlighting law firms as high-risk targets due to their valuable client records and often inadequate cybersecurity measures. Experts warn such firms face ethical and legal dilemmas when negotiating ransoms, while recurring attacks underscore sector vulnerabilities. Previous incidents and pending lawsuits against ZP Law further illustrate the growing threat to legal entities handling sensitive health data.
Read full article: Bankinfosec
Ransomware Gang Set Deadlines to Leak a Huge Cache of Stolen Ingram Micro Data
Ingram Micro suffered a ransomware attack in July 2025 by the SafePay group, which stole 3.5TB of sensitive data. The attackers, using double-extortion tactics, added Ingram Micro to their leak site, threatening to release the data unless paid. The breach disrupted operations, forcing infrastructure shutdowns and remote work. SafePay, a newer ransomware operation active since late 2024, exploited Ingram’s GlobalProtect VPN and targeted critical systems like the Xvantage and Impulse platforms. As a major global B2B provider serving clients like Apple and Cisco, a potential data leak could have widespread business repercussions. The incident underscores SafePay’s growing threat across multiple industries.
Read full article: Techradar
Orange Warns of Possible Mobile Disruption Following Suspected Cyberattack
Orange Group, a major global telecom operator, reported a cyberattack detected on July 25, prompting isolation of affected systems to mitigate risks. This caused temporary disruptions to business and consumer services, primarily in France, with some users facing outages. While no data theft or tampering was confirmed, Orange notified regulators and authorities. Services are being restored gradually, with most operations back to normal at press time. The incident highlights telecoms’ vulnerability to cyberattacks, with suspected links to state-sponsored groups like China’s Salt Typhoon, known for targeting critical infrastructure to disrupt communications during geopolitical tensions.
Read full article: Techradar
Endgame Gear Warns Mouse Config Tool has Been Infected with Malware
Endgame Gear disclosed a supply chain attack where threat actors compromised its website, replacing a legitimate mouse configuration tool with malware-infected software between June 26 and July 9, 2025. The malicious version, acting as an infostealer, targeted users of the OP1w 4k v2 wireless mouse’s product page, while other download sources remained unaffected. The breach was detected through community reports, prompting the company to remove the tainted file. Endgame confirmed that no customer data was accessed but advised affected users to scan systems, delete malicious files, and reset critical passwords. To prevent future incidents, the firm is centralizing downloads, enhancing malware scans, and strengthening server protections.
Read full article: Techradar
Interlock Ransomware Strikes: eSentire Exposes Multi-Stage Payload and ClickFix Social Engineering
The article details a sophisticated ransomware campaign by the Interlock Group, uncovered by eSentire’s Threat Response Unit. The attack employs multi-stage payloads, starting with social engineering via compromised websites redirecting users to a “ClickFix” lure. Victims execute obfuscated PowerShell scripts, enabling system fingerprinting and payload retrieval. The malware uses PHP backdoors, LOLBins, and NodeJS to deploy NodeSnake RAT, which exfiltrates data via base64 encoding and custom XOR encryption. Backup C2 infrastructure and adaptive tactics highlight the group’s technical innovation, targeting businesses in North America and Europe for ransomware deployment and data theft.
Read full article: Securityonline
The New Emerging Threats
Emerging threats showcase a dangerous convergence of AI-driven autonomy, state-sponsored espionage, and ransomware innovation. AI models now orchestrate multi-stage attacks without human input, while ransomware groups escalate coercion through physical threats, regulatory weaponization, and rapid infrastructure exploitation. Nation-state actors like North Korea’s Lazarus Group and Russia’s Secret Blizzard exploit supply chains, remote hiring, and diplomatic networks, blending cyberattacks with geopolitical agendas. Advanced evasion techniques—BYOVD, certificate hijacking, and stealthy Linux backdoors—bypass traditional defenses, while ransomware ecosystems adapt dynamically to power vacuums. These trends signal a shift toward hyper-scalable, hybridized attacks demanding proactive resilience strategies.
AI LLMs are Now So Clever That They Can Independently Plan and Execute Cyberattacks Without Human Intervention, and I Fear That it is Only Going to Get Worse
A recent study by Carnegie Mellon University and Anthropic demonstrated that AI large language models (LLMs) can autonomously plan and execute complex cyberattacks, such as recreating the 2017 Equifax breach, without human intervention. The AI acted as a strategic planner, delegating tasks to sub-agents, bypassing traditional reliance on shell commands. This shift from tool to autonomous agent raises concerns about scalable, AI-driven attacks outpacing human-led efforts. While conducted in controlled environments, the research highlights the risk of malicious use but also potential defensive applications, like improved vulnerability testing. Researchers stress the prototype’s limitations but warn it represents a critical step toward AI-driven cyber threats.
Read full article: Techradar
Ransomware Gangs are Now Expanding to Physical Threats in the Real World
Ransomware gangs are escalating tactics beyond data encryption and leaks, increasingly threatening physical violence against CEOs, with 40% of incidents involving such threats globally (46% in the US). Attackers also exploit regulatory pressures, filing SEC complaints to coerce payments, as seen with BlackCat in 2023. Over half of organizations that paid ransoms did so multiple times, with 15% receiving non-functional decryption keys. Criminals now combine encryption, data theft, DDoS attacks, and harassment, reflecting growing desperation. Experts warn that paying ransoms fuels further attacks, urging investment in cyber resilience to disrupt the ransomware economy.
Read full article: Techradar
Scattered Spider Hackers are Targeting US Critical Infrastructure via VMware Attacks
The Scattered Spider ransomware group is targeting US critical infrastructure, retail, airlines, and insurance sectors through aggressive social engineering and VMware exploitation. Posing as employees, hackers manipulate IT teams to reset privileged account credentials, gaining access to VMware vCenter Server Appliances to control virtual environments. They rapidly escalate attacks, enabling SSH connections, resetting root passwords, and exfiltrating data before deploying ransomware within hours. Google Threat Intelligence Group warns of the group’s sophistication, emphasizing the need for phishing-resistant multi-factor authentication and tightened security measures to counter these high-speed, high-impact attacks.
Read full article: Techradar
The Ultimate Insider Threat: How North Korean IT Workers Infiltrated the Global Remote Economy
A recent Domain Tools report reveals North Korea’s sophisticated cyber-espionage campaign using disguised IT workers to infiltrate global tech firms. Operatives from the Reconnaissance General Bureau (RGB) employ stolen identities, forged documents, and AI-enhanced resumes to secure remote roles via platforms like Upwork. Once embedded, they access critical systems (GitHub, cloud environments) to plant backdoors, exfiltrate data, and inject malicious code. Funds from these roles are laundered through crypto wallets and shell companies, funneling millions to support the regime’s programs. The scheme highlights systemic vulnerabilities in remote hiring processes, urging organizations to adopt zero-trust models and enhanced verification. This insider threat poses risks to critical sectors, including defense and fintech.
Read full article: Securityonline
LockBit Ransomware Evolves: New Stealthy Tactics Use DLL Sideloading & Masquerading to Bypass Defenses
LockBit ransomware has adopted advanced stealth tactics, including DLL sideloading and process masquerading, to bypass security defenses. Attackers exploit trusted applications like Java, Windows Defender, and Clink to load malicious DLLs, enabling encryption without detection. Masquerading techniques mimic legitimate processes (e.g., svchost.exe) and use system directories to evade scrutiny. The attack chain involves initial access via remote tools, privilege escalation, credential theft, lateral movement via GPOs, and file encryption using PowerShell-based methods. The FBI links LockBit to the Syrphid group, responsible for $500 million in extortion. A leaked LockBit 3.0 builder now allows any threat actor to deploy the ransomware, escalating global risks.
Read full article: Securityonline
Lazarus Hackers Weaponized 234 Packages Across npm and PyPI to Infect Developers
The Lazarus Group, a North Korean state-sponsored hacking collective, executed a large-scale cyber espionage campaign by distributing 234 malicious packages across npm and PyPI repositories between January and July 2025. These packages, disguised as legitimate developer tools, targeted over 36,000 developers to deploy malware for credential theft, persistent backdoors, and infrastructure surveillance. The attack exploited trust in open-source ecosystems and vulnerabilities in CI/CD pipelines, enabling automated propagation of malicious dependencies. The malware used multi-stage infections, evasion techniques, and integration with development tools to bypass detection. This campaign highlights evolving nation-state tactics to weaponize software supply chains, posing risks to critical systems and sensitive data.
Read full article: Cybernews
Qilin Ransomware Surging Following the Fall of Dominant RansomHub RaaS
The ransomware landscape shifted significantly in Q2 2025 as Qilin surged to dominance following the collapse of RansomHub, the leading ransomware-as-a-service (RaaS) operation. RansomHub’s abrupt shutdown left affiliates scrambling, allowing Qilin to absorb its user base and nearly double monthly victims from 35 to 70. Qilin introduced advanced extortion tools, including integrated DDoS attacks, automated harassment campaigns, and “legal assistance” services to exploit regulatory violations. The group leverages data theft and public exposure over traditional encryption, using AI-generated content to pressure victims. This rapid power shift underscores the adaptability of ransomware networks amid ecosystem disruptions.
Read full article: Cybernews
Hackers Abuse Microsoft 365’s Direct Send Feature to Deliver Internal Phishing Attacks
Cybercriminals are exploiting Microsoft 365’s Direct Send feature to launch internal phishing attacks, bypassing traditional email security by mimicking legitimate organizational communications. This method leverages Microsoft’s service, intended for printers and legacy apps, to send spoofed emails without requiring valid credentials. Attackers use compromised third-party email security appliances and virtual servers to relay malicious emails directly to Microsoft 365 tenants, evading detection. Proofpoint researchers identified the campaign, noting that the relays used TLS-secured SMTP and ran on appliances with known vulnerabilities. The attacks exploit inherent trust in internal emails, complicating detection. Mitigation includes disabling Direct Send via PowerShell and monitoring message headers for authentication failures.
Read full article: Cybernews
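The header-monitoring mitigation above can be turned into a concrete check. The script below is an added example, not Proofpoint's or Microsoft's code: it parses Authentication-Results headers in the style Exchange Online Protection stamps on inbound mail and flags messages whose From address uses the tenant's own domain while neither SPF nor DKIM passed, excluding an allowlist of known devices that legitimately still use Direct Send. The sample headers, the tenant domain and the relay allowlist are constructed for this example.

```python
"""Flag inbound mail that claims an internal sender but failed authentication.

Added example; not Proofpoint's or Microsoft's code. Exchange Online Protection
stamps an Authentication-Results header on inbound messages; the headers below
are constructed in that style. The tenant domain and relay allowlist are
assumptions for this example.
"""
import re

TENANT_DOMAINS = {"contoso.example"}        # the organisation's accepted domains (constructed)
ALLOWLISTED_RELAY_IPS = {"198.51.100.30"}   # printers/appliances still using Direct Send (constructed)

# Constructed (from_address, Authentication-Results header) pairs.
SAMPLES = [
    # External host relaying via Direct Send with an internal From address.
    ("hr@contoso.example",
     "spf=fail (sender IP is 203.0.113.5) smtp.mailfrom=contoso.example; "
     "dkim=none (message not signed) header.d=none;"
     "dmarc=fail action=oreject header.from=contoso.example;compauth=fail reason=000"),
    # Genuine internal mail.
    ("it@contoso.example",
     "spf=pass (sender IP is 198.51.100.20) smtp.mailfrom=contoso.example; "
     "dkim=pass (signature was verified) header.d=contoso.example;"
     "dmarc=pass action=none header.from=contoso.example;compauth=pass reason=100"),
    # Allowlisted multifunction printer using Direct Send: fails auth but expected.
    ("scanner@contoso.example",
     "spf=fail (sender IP is 198.51.100.30) smtp.mailfrom=contoso.example; "
     "dkim=none (message not signed) header.d=none;"
     "dmarc=fail action=oreject header.from=contoso.example;compauth=fail reason=000"),
    # External sender failing SPF: not the internal-spoof pattern handled here.
    ("news@partner.example",
     "spf=fail (sender IP is 203.0.113.9) smtp.mailfrom=partner.example; "
     "dkim=none (message not signed) header.d=none;"
     "dmarc=fail action=oreject header.from=partner.example;compauth=fail reason=000"),
]

RESULT_RE = re.compile(r"\b(spf|dkim|dmarc|compauth)=(\w+)")
SENDER_IP_RE = re.compile(r"sender IP is ([0-9a-fA-F.:]+)")


def parse_auth_results(header):
    """Map each authentication method to its result and extract the connecting IP."""
    results = dict(RESULT_RE.findall(header))
    ip = SENDER_IP_RE.search(header)
    results["sender_ip"] = ip.group(1) if ip else None
    return results


def classify(from_addr, header):
    """'spoof': From is our domain, neither SPF nor DKIM passed, IP not allowlisted.
    'expected-relay': same failure pattern but from an allowlisted device.
    'ok': our domain with a passing SPF or DKIM. 'external': not our domain."""
    domain = from_addr.rsplit("@", 1)[-1].lower()
    if domain not in TENANT_DOMAINS:
        return "external"
    r = parse_auth_results(header)
    if r.get("spf") == "pass" or r.get("dkim") == "pass":
        return "ok"
    if r["sender_ip"] in ALLOWLISTED_RELAY_IPS:
        return "expected-relay"
    return "spoof"


def find_internal_spoofs(samples):
    """From addresses of messages that look like Direct Send abuse."""
    return [addr for addr, hdr in samples if classify(addr, hdr) == "spoof"]


if __name__ == "__main__":
    for addr, hdr in SAMPLES:
        print(f"{classify(addr, hdr):15} {addr}  {parse_auth_results(hdr)}")
```

The allowlist matters in practice: devices that legitimately use Direct Send will produce the same SPF and DKIM failures as the attackers, so they should be enumerated and, where possible, moved to authenticated SMTP submission so the exception list can shrink. On the tenant side, the PowerShell switch the article alludes to is the Exchange Online organization setting that rejects Direct Send (`Set-OrganizationConfig -RejectDirectSend $true`); confirm the current cmdlet documentation before applying it.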
Storm-2603 Using Custom Malware That Leverages BYOVD to Tamper with Endpoint Protections
A newly identified threat actor, Storm-2603, employs custom malware leveraging Bring Your Own Vulnerable Driver (BYOVD) techniques to disable endpoint security. The group exploits SharePoint vulnerabilities (CVE-2025-49704, CVE-2025-53771) and uses a dual-client C2 framework (“ak47c2”) with HTTP/DNS communication. Their “Antivirus Terminator” tool abuses a legitimate Antiy Labs driver to terminate security processes via kernel-level operations, enabling ransomware deployment. Active since early 2025, Storm-2603 targets organizations in Latin America and Asia-Pacific, deploying LockBit Black and Warlock ransomware through DLL hijacking. The group’s distinct tactics highlight advanced evasion capabilities and operational sophistication.
Read full article: Cybernews
Secret Blizzard Group’s ApolloShadow Malware Installs Root Certificates on Devices to Trust Malicious Sites
A Russian state-sponsored group, Secret Blizzard, deployed ApolloShadow malware targeting foreign embassies in Moscow by exploiting ISP infrastructure to redirect victims via captive portals. The malware installs malicious root and CA certificates, masquerading as a Kaspersky Anti-Virus installer (CertificateDB.exe), to trick devices into trusting attacker-controlled sites. It modifies Firefox settings to enforce certificate trust and creates a persistent admin account (“UpdatusUser”) for network access. The campaign enables interception of diplomatic communications by compromising certificate validation mechanisms. Microsoft linked the group to other advanced threat actors like Turla. Mitigation includes using encrypted tunnels or satellite-based networks to bypass compromised local infrastructure.
Read full article: Cybernews
Lethal Cambodia-Thailand Border Clash Linked to Cyber-Scam Slave Camps
A lethal border clash between Thailand and Cambodia, rooted in a decades-old dispute over an ancient temple, escalated with Thailand threatening to cut electricity and internet to disrupt Cambodian cyber-scam slave camps. These camps, estimated to generate $12.5 billion annually, enslave victims to run online scams, often targeting Chinese citizens, and operate with alleged government complicity. Thailand’s actions aligned with its efforts to combat transnational crime, but heightened tensions. Analysts link the conflict to the economic and political weight of the scam industry, which Cambodia’s opposition claims benefits the ruling regime. The clash resulted in over 30 deaths before a ceasefire, underscoring how cybercrime exacerbated regional violence.
Read full article: Theregister
Vulnerability Spotlight: Critical Exposures Unveiled
Critical vulnerabilities across major platforms enabled widespread attacks, with Chinese state-aligned actors exploiting SharePoint, SAP, and SonicWall flaws to deploy ransomware and backdoors, targeting government, education, and defense sectors. Delayed patching left thousands of systems exposed, while WordPress plugins and themes remained high-risk vectors, compromising over 160,000 sites. AI tools like Microsoft Recall and ChatGPT faced scrutiny for privacy risks and accidental data exposure, highlighting insufficient safeguards. Browser extensions and third-party software vulnerabilities underscored systemic weaknesses in trust validation and update practices. Escalating US-China cyberespionage accusations reflect persistent state-sponsored exploitation of critical flaws amid global patch delays.
SharePoint Zero-Days Exploited to Unleash Warlock Ransomware
A China-linked threat actor exploited two SharePoint zero-day vulnerabilities (CVE-2025-53770 and CVE-2025-53771) to deploy Warlock ransomware, compromising 145 organizations across 41 countries. Microsoft attributed the attacks to Chinese state-aligned groups, including Storm-2603, which used the flaws to infect targets, primarily government agencies (30%) and education sectors. Despite patches released by Microsoft between July 19-21, over 400 vulnerable servers remained exposed days later. Warlock, a ransomware-as-a-service operation, leaked victim data and relaunched its dark web portal after an initial takedown. The U.S. Department of Energy was among the victims, though no sensitive data was reportedly breached. Delayed patching and mitigation contributed to ongoing risks.
Read full article: Bankinfosec
Hackers Target Critical WordPress Theme Flaw – Hundreds of Sites at Risk from Potential Takeover, Find Out If You’re Affected
A critical vulnerability (CVE-2025-4394, 9.8/10 severity) in the “Alone – Charity” WordPress theme allows attackers to upload malicious files, create rogue admin accounts, and fully compromise websites. Over 120,000 exploitation attempts were blocked since July 12, targeting versions up to 7.8.3. The flaw enables remote code execution, backdoor deployment, and site takeovers for hosting malware or phishing. The flaw was patched in version 7.8.5 (released June 16, 2025); users must update immediately. Around 200 active sites remain at risk. Third-party WordPress themes/plugins are frequent attack vectors, emphasizing the need for timely updates and minimal plugin use.
Read full article: Techradar
Hackers Hit SAP Security Bug to Send Out Nasty Linux Malware
A critical SAP NetWeaver vulnerability (CVE-2025-31324, 9.8 severity) in the Visual Composer Metadata Uploader is being exploited to deploy Auto-Color, a Linux backdoor. The malware executes arbitrary commands, acts as a proxy, and remains dormant if its C2 server is unreachable, evading detection. Despite a patch released in April 2025, attacks persist, involving Chinese state-sponsored groups. Unauthenticated attackers exploit the flaw to upload malicious binaries, compromising systems. Researchers linked the vulnerability to recent incidents, including a US chemicals firm breach. Administrators are urged to apply patches immediately to mitigate risks.
Read full article: Techradar
SonicWall Firewall Devices 0-day Vulnerability Actively Exploited by Akira Ransomware
A critical zero-day vulnerability in SonicWall firewall devices is being actively exploited by the Akira ransomware group to breach corporate networks via SSL VPN access. The flaw enables attackers to bypass multi-factor authentication (MFA) and deploy ransomware rapidly, even on fully patched systems. Compromised VPN logins, often from Virtual Private Server (VPS) IPs, have escalated since mid-July 2025, with minimal delay between initial access and ransomware execution. Arctic Wolf advises organizations to disable SonicWall SSL VPN services immediately until a patch is released. Mitigation steps include enforcing MFA, removing inactive VPN accounts, and blocking suspicious ASN-based authentication attempts. End-of-life SonicWall SMA 100 series devices are also implicated due to a linked backdoor (OVERSTEP) and unpatched vulnerabilities.
Read full article: Cybernews
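Two of the mitigation steps above, removing inactive VPN accounts and blocking authentication attempts from suspicious ASNs, can be checked against VPN logs. The script below is an added example, not Arctic Wolf's or SonicWall's tooling: it walks constructed SSL VPN authentication records, raises an alert when a successful login comes from an ASN the organisation treats as hosting/VPS space or reactivates an account that has been dormant, and lists dormant accounts for proactive removal. The IP-to-ASN map (using private-use AS numbers), the hosting-ASN list, the log records and the last-seen dates are all constructed; a real deployment would resolve ASNs from an IP-to-ASN feed and take last-seen dates from the appliance's own logs.

```python
"""Review SSL VPN authentications for hosting/VPS sources and dormant-account reuse.

Added example, not Arctic Wolf's or SonicWall's tooling. The ASN map, the
hosting-ASN list and the log records are constructed; a real deployment would
resolve ASNs from an IP-to-ASN feed and read last-seen dates from VPN logs.
"""
from datetime import datetime, timedelta

# Constructed IP -> ASN map using private-use AS numbers as stand-ins.
IP_TO_ASN = {"198.51.100.5": 64496, "203.0.113.10": 64500, "192.0.2.77": 64501}
# ASNs the organisation treats as hosting/VPS providers (constructed).
HOSTING_ASNS = {64500, 64501}

# Constructed VPN authentication records: (ISO timestamp, user, source IP, result).
LOG = [
    ("2025-07-20T08:00:00", "alice", "198.51.100.5", "success"),
    ("2025-07-21T09:15:00", "alice", "198.51.100.5", "success"),
    ("2025-07-22T02:03:00", "svc-backup", "203.0.113.10", "success"),
    ("2025-07-22T02:05:00", "bob", "192.0.2.77", "failure"),
    ("2025-07-22T02:06:00", "bob", "192.0.2.77", "success"),
]
# Last successful VPN login per account before the log window (constructed).
LAST_SEEN = {
    "alice": "2025-07-01T07:30:00",
    "bob": "2025-07-15T18:00:00",
    "svc-backup": "2024-12-01T03:00:00",
}


def review_vpn_logins(records, last_seen, dormant_days=90):
    """Alert on successful logins from hosting ASNs or by dormant/unknown accounts.

    Records must be in chronological order; last-seen dates are advanced as the
    log is walked so a dormant account only alerts on its first reappearance.
    """
    seen = dict(last_seen)
    alerts = []
    for ts, user, ip, result in records:
        when = datetime.fromisoformat(ts)
        reasons = []
        asn = IP_TO_ASN.get(ip)
        if asn in HOSTING_ASNS:
            reasons.append(f"source {ip} is in hosting/VPS AS{asn}")
        prev = seen.get(user)
        if prev is None:
            reasons.append("account has no prior VPN history")
        elif when - datetime.fromisoformat(prev) > timedelta(days=dormant_days):
            reasons.append(f"dormant account, last successful login {prev}")
        if result == "success":
            if reasons:
                alerts.append({"time": ts, "user": user, "ip": ip, "reasons": reasons})
            seen[user] = ts
    return alerts


def dormant_accounts(last_seen, as_of, dormant_days=90):
    """Accounts with no successful VPN login within dormant_days of as_of."""
    cutoff = datetime.fromisoformat(as_of) - timedelta(days=dormant_days)
    return sorted(u for u, ts in last_seen.items() if datetime.fromisoformat(ts) < cutoff)


if __name__ == "__main__":
    for alert in review_vpn_logins(LOG, LAST_SEEN):
        print(alert["time"], alert["user"], alert["ip"], "; ".join(alert["reasons"]))
    print("dormant before window:", dormant_accounts(LAST_SEEN, "2025-07-22T00:00:00"))
```

On the constructed log, the service account alerts for both reasons (hosting ASN and dormancy) and bob alerts once for the hosting ASN on his successful attempt; the failed attempt is not alerted but would be worth counting separately as a brute-force signal. Listing dormant accounts before the window is the pre-emptive half of the advice: those are the accounts to disable while the device is exposed.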
Millions of Users Have Fallen Victim to Malicious Browser Extensions Because of a Critical Flaw, But Things are Changing — Here’s What You Need to Know
Malicious browser extensions exploit critical security flaws, bypassing superficial trust markers like “Verified” labels, which fail to reflect actual extension behavior. Browser DevTools, designed for debugging web pages, lack the capability to track complex extension activities across tabs and over time, enabling hidden malicious actions. Research by SquareX highlights that millions of users have been compromised despite these trust indicators, as seen in incidents like Geco Colorpick, where 18 malicious extensions infected 2.3 million users. To counter dynamic threats, SquareX proposes a new framework combining AI agents and a sandbox environment to simulate user behavior and expose hidden extension risks. Current reliance on basic antivirus tools and static analysis leaves organizations vulnerable to evolving spyware and data theft. The initiative underscores the urgent need for deeper security measures beyond surface-level validations.
Read full article: Techradar
Tested: Microsoft Recall Can Still Capture Credit Cards and Passwords, A Treasure Trove for Crooks
Microsoft Recall, an AI tool on Copilot+ PCs designed to capture and search user activity via screenshots, faces criticism for inadequately filtering sensitive data despite default security settings. Tests revealed it captured credit card details, passwords in unlabeled text files, and partial Social Security numbers, posing risks if attackers access the system. While Microsoft encrypts data and requires Windows Hello authentication, using a PIN or remote access tools like TeamViewer can bypass protection. Privacy advocates warn that the feature endangers vulnerable users, such as domestic abuse victims, by exposing private browsing history. Experts argue that Recall’s security measures remain insufficient against potential exploits, questioning its balance of utility versus privacy risks.
Read full article: Theregister
China Says US Spies Exploited Microsoft Exchange Zero-Day to Steal Military Info
China accused US intelligence agencies of exploiting a Microsoft Exchange zero-day vulnerability to infiltrate a major Chinese military enterprise’s email server, compromising over 50 devices and stealing sensitive military data between July 2022 and July 2023. The attack allegedly involved hijacking a domain controller to establish covert channels for data exfiltration. A separate 2024 campaign reportedly exploited SQL injection flaws in a defense-linked communications firm, compromising 300 devices to steal military network details. CNCERT/CC claimed US operatives used IPs from multiple countries to mask attacks targeting defense sectors. These allegations follow recent US accusations against Chinese state-linked groups for cyberespionage, including SharePoint zero-day exploits and offensive tool patents. Both nations continue exchanging blame over escalating cyberespionage activities.
Read full article: Theregister
Dangerous WordPress Plugin Puts Over 160,000 Sites at Risk, Here’s What We Know
A critical vulnerability in the Post SMTP WordPress plugin (versions before 3.3.0) exposed over 160,000 websites to takeover risks. The flaw allowed attackers with low privileges to access email logs, reset admin passwords, and hijack sites via unsecured REST API endpoints. PatchStack identified the issue, tracked as CVE-2025-24000 (CVSS 8.8), which lacked proper access controls. Despite a fix released on June 11, 2025, 40% of installations remain unpatched. WordPress plugins remain prime targets due to inconsistent security practices. Users are urged to update immediately to mitigate risks.
Read full article: Techradar
AI-Powered Cursor IDE Vulnerable to Prompt-Injection Attacks
The AI-powered Cursor IDE was found vulnerable to “CurXecute” (CVE-2025-54135), a prompt-injection attack enabling remote code execution via malicious prompts targeting its Model Context Protocol (MCP). Exploiting this could allow attackers to hijack sessions, execute commands with developer privileges, and trigger ransomware, data theft, or AI manipulation. The flaw stems from MCP’s integration with external tools, where untrusted data could alter the ~/.cursor/mcp.json file to run arbitrary code without user consent. Cursor patched the issue in version 1.3 after researchers from Aim Security disclosed it, urging users to update immediately. The vulnerability highlights risk in AI agents interacting with external systems.
Read full article: Bleepingcomputer
Pi-hole Discloses Data Breach Triggered by WordPress Plugin Flaw
Pi-hole disclosed a data breach caused by a vulnerability in the GiveWP WordPress plugin, exposing donor names and email addresses. The flaw allowed unauthorized access to donation records via webpage source code, impacting nearly 30,000 donors. No financial data was compromised, as payments were processed externally via Stripe and PayPal. Pi-hole learned of the breach after donors reported suspicious emails, prompting a patch within hours. The organization criticized GiveWP for delayed notifications and insufficient acknowledgment of the issue. Pi-hole accepted responsibility, emphasizing the breach affected only their website, not their ad-blocking software.
Read full article: Bleepingcomputer
ChatGPT Exposed: OpenAI’s Sharing Feature Leaks Private Conversations to Google Search
A ChatGPT sharing feature unintentionally exposed private conversations via Google Search, sparking privacy concerns. Users generated public links to share chats on social platforms, but many overlooked warnings about search engine indexing, leading sensitive data (e.g., names, résumés) to appear in search results. OpenAI clarified this was not a breach but a flawed experiment, as users had to manually enable indexing. Critics argued safeguards were insufficient given low user awareness. OpenAI disabled the feature, collaborated with Google to remove indexed links, and admitted the design underestimated risks of accidental data exposure. The incident highlights challenges in balancing usability and privacy.
Read full article: Securityonline
In-Depth Expert CTI Analysis
The cybersecurity landscape saw heightened ransomware activity with law enforcement disrupting BlackSuit and Qilin rising post-RansomHub’s collapse, though groups persist through rebranding and advanced tactics like physical threats. State-sponsored actors, including Russian Secret Blizzard and Chinese Storm-2603, exploited vulnerabilities in SharePoint, SAP, and SonicWall to target embassies, defense, and critical infrastructure. AI-driven threats escalated, with autonomous LLM-planned attacks and AI-enhanced phishing bypassing MFA, while supply chain risks emerged via malicious npm/PyPI packages and compromised WordPress plugins. Healthcare, telecoms, and legal sectors faced severe breaches, underscoring third-party risks. Despite takedowns, persistent threats demand proactive patching, zero-trust models, and international collaboration to counter evolving nation-state and criminal operations.
Proactive Defense and Strategic Foresight
Proactive defense demands continuous threat hunting and hardening of third-party ecosystems, as seen in supply chain breaches (PlayPraetor, Lazarus npm/PyPI) and ransomware resilience gaps (NRS Healthcare, Ingram Micro). Strategic foresight requires anticipating AI-driven attacks (Carnegie Mellon LLM study) and adversarial innovation like certificate spoofing (ApolloShadow) or MFA bypass (AiTM phishing). Organizations must adopt zero-trust frameworks, enforce phishing-resistant authentication, and prioritize patching critical vulnerabilities (SAP NetWeaver, SonicWall). Cross-sector collaboration and red-teaming via initiatives like Pwn2Own are vital to counter state-aligned actors (Storm-2603, Secret Blizzard) and adaptive ransomware syndicates (Qilin, LockBit).
Evolving Ransomware and Malware Tactics
Ransomware and malware tactics continue evolving with alarming sophistication. Recent law enforcement takedowns like Operation Checkmate against BlackSuit highlight the transient impact of infrastructure seizures without arrests, as groups rapidly rebrand (e.g., Chaos). Adversaries now bypass MFA via AiTM phishing, weaponize OAuth apps, and exploit zero-day vulnerabilities in critical systems (SonicWall, SAP). Mobile threats escalate with PlayPraetor’s banking fraud, while state actors like Secret Blizzard and Lazarus leverage ISP-level interception and poisoned open-source repositories. Ransomware affiliates adopt hybrid extortion, combining DDoS, regulatory coercion, and physical threats, while AI-driven attacks enable autonomous breach replication. Supply chain compromises (Endgame Gear, npm/PyPI) and novel evasion techniques (LockBit’s DLL sideloading, Plague’s PAM manipulation) underscore the need for zero-trust frameworks and proactive threat hunting.
State-Sponsored and Organized Cybercrime Convergence
The convergence of state-sponsored and organized cybercrime is accelerating, evidenced by ransomware groups adopting nation-state tactics (LockBit’s stealth techniques, Lazarus weaponizing open-source ecosystems) and state actors engaging in financially motivated attacks (China-linked Warlock ransomware via SharePoint exploits). Russian APTs like Secret Blizzard leverage ISP infrastructure for diplomatic espionage, while North Korean IT infiltration schemes fund regime priorities through crypto laundering. This blurring of motives and methods creates hybrid threats where criminal profit aligns with geopolitical disruption, necessitating cross-sector intelligence sharing and hardened defenses against dual-use tools like AI-driven attacks and compromised supply chains.
Operational and Tactical Implications
Operational Implications: Law enforcement takedowns of ransomware infrastructure remain temporary without arrests, necessitating sustained cross-border collaboration. Third-party software vulnerabilities and insider risks demand stricter endpoint policies and supply chain audits. Critical infrastructure attacks (e.g., Minnesota, NRS Healthcare) highlight systemic fragility, requiring public-private incident response frameworks and contingency planning for service continuity.
Tactical Implications: Adversaries increasingly bypass MFA via AiTM phishing and OAuth app abuse, urging adoption of FIDO standards. Ransomware groups escalate tactics (physical threats, regulatory coercion), pressuring organizations to prioritize cyber resilience over payments. Mobile malware (PlayPraetor) and Linux backdoors (Plague) exploit weak authentication, necessitating device hardening and PAM monitoring. State actors (Secret Blizzard, Lazarus) weaponize trusted tools and supply chains, mandating zero-trust architectures and AI-driven anomaly detection to counter advanced espionage.
Forward-Looking Recommendations
- Prioritize international collaboration to dismantle ransomware infrastructure while pursuing legal frameworks for coordinated arrests.
- Adopt phishing-resistant authentication (FIDO) and enforce strict OAuth app monitoring to counter AiTM and MFA bypass tactics.
- Accelerate migration from legacy systems, enforce third-party risk assessments, and mandate timely patching for critical vulnerabilities.
- Implement zero-trust models, AI-driven anomaly detection, and behavioral analytics to counter advanced malware and insider threats.
- Strengthen mobile security protocols, including app vetting and user education on fake storefronts and sideloading risks.
- Develop AI governance frameworks to mitigate autonomous cyber threats while leveraging AI for defensive vulnerability testing.
- Enhance crisis response plans with public-private partnerships, ensuring redundancy for critical infrastructure and supply chains.
- Invest in secure-by-design software development, code signing, and sandbox testing to combat supply chain and browser extension exploits.
- Expand diplomatic efforts to counter state-sponsored cyberespionage, focusing on attribution and hardened communication channels.
- Promote cyber resilience through regular incident simulations, ransomware payment bans, and transparent breach disclosure protocols.