VerSprite Weekly Threat Intelligence #27

Date Range: 11 August 2025 – 15 August 2025

Issue: 26th Edition

Reported Period Victimology

Security Triumphs of the Week

This week showcased significant global efforts to disrupt cybercrime: U.S. and international operations dismantled BlackSuit ransomware infrastructure, seized $300M+ in crypto linked to fraud, and sanctioned Russia-based Garantex for laundering ransomware funds. Europol leveraged historic encrypted data to dismantle a drug-money laundering network, while Ghanaian scammers were extradited for $100M+ romance/BEC schemes. A Kimsuky data leak exposed state-sponsored espionage tactics, underscoring persistent threats. These actions highlight enhanced cross-border collaboration, financial tracing, and infrastructure takedowns to degrade criminal resilience and protect critical sectors.


Law Enforcement Seizes BlackSuit Ransomware Servers Targeting U.S. Critical Infrastructure
A multinational law enforcement operation led by the U.S. Department of Justice dismantled infrastructure linked to the BlackSuit ransomware group (formerly Royal), seizing four C2 servers, nine domains, and over $1 million in cryptocurrency. The group targeted U.S. critical infrastructure sectors like healthcare and government using phishing, RDP exploits, and software vulnerabilities. Authorities employed a “disruption-first” strategy, combining technical takedowns with financial tracing to cripple ransomware operations. A joint FBI-CISA advisory detailed BlackSuit’s TTPs, including Cobalt Strike and Mimikatz, while urging defenses like MFA and patching. The operation highlights enhanced international collaboration to disrupt ransomware ecosystems, intercept money laundering, and reduce incentives for paying ransom. This approach aims to degrade threat actors’ resilience and protect critical sectors from evolving cyber threats.
Read full article: Gbhackers

Over $300 million in Cybercrime Crypto Seized in Anti-Fraud Effort
Over $300 million in cryptocurrency tied to cybercrime was seized through two global initiatives. The T3+ Global Collaborator Program, involving TRM Labs, TRON, Tether, and Binance, froze over $250 million in criminal assets since 2024, including $6 million from romance scams, by analyzing millions of transactions. Separately, a U.S.-Canada operation with Chainalysis led to freezing over $74 million via “Project Atlas” and “Operation Avalanche,” which identified 2,000 crypto wallets across 14 countries. Tether blacklisted $50 million in USDT to block scammers. Both efforts combined blockchain analytics and international collaboration to disrupt fraud, money laundering, and other financial crimes.
Read full article: Bleepingcomputer

Europol Mapped a Criminal Network by Analyzing Encrypted Comms – and Then Seized an Entire Hotel While Busting a Multi-Million Euro Laundering Ring
Europol dismantled a major organized crime network involved in cocaine trafficking and money laundering through Operation Sky ECC, leading to 10 arrests and the seizure of a hotel, properties, cash, and vehicles. The operation relied on analyzing encrypted communications from the Sky ECC service, shut down in 2021, which provided millions of messages used to track criminal activities. The network, linked to multi-ton cocaine shipments from South America to EU ports like Antwerp and Rotterdam, laundered over $40 million. Among those arrested was a leader wanted in Italy for murder and other serious crimes. The case underscores the dual-use challenge of encrypted platforms balancing privacy and criminal exploitation. Europol continues leveraging historic metadata from Sky ECC to target European criminal groups.
Read full article: Techradar

US Sanctions Crypto Exchange Tied to Russian Ransomware
The U.S. sanctioned Russia-based Garantex cryptocurrency exchange, its founders, and successor platform Grinex for laundering over $100 million tied to ransomware gangs like Conti and LockBit. Garantex, which lost its license in 2022 due to AML failures, created Grinex and a ruble-pegged token (A7A5) after a March 2024 law enforcement takedown froze $26 million. The token, backed by a sanctioned Russian bank, processed $51 billion by July. Sanctions target transactions involving A7A5 and six Russia-linked firms supporting the exchange. Analysis shows Garantex facilitated 70% of crypto flows from sanctioned entities, with operations continuing post-takedown. The U.S. links these activities to Russian sanctions evasion efforts since the Ukraine invasion.
Read full article: Bankinfosec

Notorious North Korean Hacking Group Kimsuky Gets Hacked Itself – Revealing Some of Its Deepest Secrets
The North Korean state-sponsored hacking group Kimsuky was compromised by a hacker identifying as an “artist,” resulting in an 8.9GB leak of sensitive data, including phishing logs, infrastructure details, and source code from South Korea’s Ministry of Foreign Affairs. The leak, hosted on Distributed Denial of Secrets, exposes tactics like phishing campaigns targeting military intelligence and universities, alongside tools such as Cobalt Strike loaders. The attacker criticized Kimsuky for prioritizing financial gain and political agendas over ethical hacking. While the breach may disrupt operations by exposing methods and forcing infrastructure changes, experts suggest it won’t dismantle the group due to its state-backed resources. The incident highlights vulnerabilities within even advanced threat actors but underscores Kimsuky’s persistent focus on espionage related to Korean Peninsula affairs.
Read full article: Techradar

Ghanaians Extradited to Face US Romance Scam and BEC Charges
Four Ghanaian nationals were extradited to the U.S. to face charges for orchestrating romance scams and business email compromise (BEC) schemes that defrauded U.S. victims of over $100 million between 2016 and 2023. The defendants, part of a Ghana-based criminal group, allegedly used fake identities to exploit vulnerable individuals, including elderly victims, and laundered funds through U.S. shell companies. The group employed “sakawa” tactics, involving fraudulent emails mimicking legitimate businesses to redirect payments. Three suspects are in custody, while one remains at large. The case highlights cross-border collaboration to combat cybercrime, with another recent extradition involving a Ghanaian socialite accused of similar fraud targeting elderly Americans.
Read full article: Bankinfosec


Security Setbacks of the Week

State-sponsored threat actors exploited critical vulnerabilities to target global infrastructure, with Chinese groups breaching Canada’s House of Commons via a SharePoint zero-day and Russian hackers compromising U.S. judiciary systems and Norwegian dams. Ransomware and phishing campaigns disrupted Dutch healthcare, French telecoms, and UK immigration services, while North Korean operatives stole cryptocurrency via IT worker schemes. Systemic cybersecurity gaps persisted in sectors like automotive (Royal Enfield) and crypto (LuBian’s $14.5B theft), exacerbated by unpatched Citrix flaws and weak encryption. Urgent mitigations, zero-trust architectures, and international collaboration are critical to counter escalating APT and cybercrime threats.


Hackers Breach Canadian Government Via Microsoft Exploit
Hackers exploited a Microsoft SharePoint vulnerability to breach Canada’s House of Commons, compromising a database containing personal details, device information, and contact data of elected officials and staff. The attack, linked to Chinese state-affiliated groups Linen Typhoon and Violet Typhoon, targeted government and critical sectors globally. Microsoft issued an emergency patch, while CISA warned the flaw allows unauthorized access to SharePoint systems. Mandiant emphasized urgent mitigations beyond patching, citing risks of ransomware and espionage. Canadian authorities are investigating with national security partners, though specifics remain undisclosed. The incident underscores heightened risks from advanced persistent threats exploiting zero-day vulnerabilities.
Read full article: Bankinfosec

Breach Roundup: Russian Hackers Attacked Norwegian Dam
The article highlights several cybersecurity incidents from the past week. Russian hackers reportedly attacked a Norwegian dam, remotely opening floodgates without causing major damage, amid warnings of escalating Russian hybrid warfare tactics. Spain faced criticism for retaining Huawei in a 5G security advisory role despite U.S. and EU pressure. A cyberattack disrupted systems at the Pennsylvania Attorney General’s Office, potentially linked to unpatched Citrix vulnerabilities. Hackers leaked internal data from North Korea’s Kimsuky group, exposing tools and phishing campaigns. Microsoft patched a critical Kerberos zero-day flaw, while a researcher received a record $250,000 bounty for a Chrome sandbox escape vulnerability.
Read full article: Bankinfosec

Federal Judiciary Breach Highlights Poor Cybersecurity
A breach of the U.S. federal judiciary’s court filing system, attributed to Russian hackers, exposed sensitive sealed records, intensifying concerns over inadequate cybersecurity. Critics blame reliance on user fees for IT funding, which limits modernization efforts and congressional oversight. The judiciary reported blocking 200 million cyber threats in 2024 but acknowledged outdated systems requiring urgent replacement. Experts warn breaches risk exposing national security data, intellectual property, and high-profile cases like Epstein’s. Recent reforms include a $74 million funding request for cybersecurity upgrades in FY2026, pending legislative approval. Persistent foreign threats highlight the need for immediate systemic improvements.
Read full article: Bankinfosec

Data Theft from Dutch Cancer Screening Lab Affects 485,000
A Dutch clinical diagnostics laboratory, Clinical Diagnostics NMDL, suffered a data theft impacting 485,000 participants in a national cervical cancer screening program. The breach, claimed by cybercrime gang Nova, exposed sensitive personal and health data, including names, addresses, test results, and citizen service numbers. Eurofins Scientific, the lab’s parent company, reportedly paid a multi-million-euro ransom to prevent data leaks. Bevolkingsonderzoek Nederland (BVO NL), overseeing the screening program, suspended services with the lab and launched an independent investigation. The incident follows other recent European healthcare cyberattacks, including disruptions to UK pathology services and Swiss hospitals. Authorities warn affected individuals to remain vigilant against potential fraud.
Read full article: Bankinfosec

Bouygues Telecom Hack Exposes Data of 6.4 million Customers
Bouygues Telecom suffered a cyberattack exposing personal data of 6.4 million customers, with attackers exploiting network vulnerabilities like SQL injection or credential stuffing. Compromised data included names, contact details, and billing records. The company contained the breach using forensic analysis, patched vulnerabilities, and implemented multifactor authentication. Regulatory compliance was ensured via prompt notification to France’s CNIL under GDPR and initiating a criminal investigation. Affected customers received guidance on protective measures, including password changes and credit monitoring. The incident underscores the need for telecom providers to adopt advanced defenses like zero-trust architectures and AI-driven threat detection.
Read full article: Gbhackers

Royal Enfield Reportedly Targeted in Ransomware Attack, Hackers Claim Data Encryption
Royal Enfield faces a ransomware attack with hackers claiming full system compromise, encrypting servers, and wiping backups. The attackers demand payment within 12 hours, threatening to auction stolen data via private bids. The company confirmed a cybersecurity incident, initiated response protocols, and is collaborating with experts and law enforcement. Industry reports highlight a 45% rise in automotive sector attacks in 2025, driven by interconnected systems and valuable intellectual property. Potential data exposure risks include customer information, financial records, and proprietary designs, risking regulatory penalties and reputational damage. Operational disruptions temporarily affected online orders and workshop services, while stakeholders await resolution amid growing ransomware threats globally.
Read full article: Gbhackers

UK Immigration System Targeted by Hackers – Dangerous New Phishing Campaign Hits Sponsorship Management System
A phishing campaign targeting the UK Home Office’s Sponsorship Management System (SMS) was uncovered by Mimecast, aiming to steal accounts via deceptive emails and cloned login pages. Attackers mimic official communications, directing victims to captcha-gated fake sites to harvest credentials. Compromised accounts enable fraud, including selling access on the dark web, extortion via stolen data, and generating fraudulent Certificates of Sponsorship (CoS). The campaign threatens organizations with sponsor licenses and risks undermining the UK immigration system. Stolen credentials could also facilitate fake job offers and costly visa schemes. Vigilance, URL verification, and skepticism toward urgent requests are critical defenses. Indicators of compromise are detailed in Mimecast’s blog.
Read full article: Techradar

The Biggest Heist of All Time Involved Over $14 billion of Crypto Being Stolen – and It Went Undetected for Five Years
The LuBian cryptocurrency mining pool suffered the largest crypto theft in history, with over 127,000 Bitcoins (valued at $14.5 billion in 2025) stolen in 2020. The breach, undetected for five years, was attributed to weak security architecture, including a private key generation system using only 32 bits of entropy, enabling brute-force attacks via a gaming PC. Over 5,000 wallets were compromised without triggering alarms. The hacker retained the stolen funds, avoiding large-scale laundering. LuBian, once touted as the “safest” mining pool, collapsed in 2021. The incident underscores systemic cybersecurity failures in crypto infrastructure, emphasizing the need for robust encryption and transparency. The hacker was later arrested.
Read full article: Techradar

Cyberattack on Dutch Prosecution Service is Keeping Speed Cameras Offline
A cyberattack exploiting Citrix vulnerabilities on July 17 disrupted the Dutch Public Prosecution Service, preventing the reactivation of speed cameras across A (highways) and N (regional connector) roads. Fixed, average-speed, and mobile flex cameras remain offline, though their locations are undisclosed. The Central Processing Office (CVOM) confirmed the outage, attributing delays to post-attack recovery complexities. The phased system restoration began August 5, prioritizing email functionality by August 7, with full recovery timelines uncertain. Dutch authorities linked the breach to Citrix NetScaler zero-days exploited since May, impacting critical infrastructure. Coordination with judicial and law enforcement partners continues to minimize disruptions to legal processes and public safety.
Read full article: Theregister

Telco Giant Colt Suffers Attacks, Takes Systems Offline
Colt Technology Services experienced a cyber incident starting August 12, forcing it to take internal systems offline, including its customer portal and Voice API platform. The company stated no evidence of compromised customer or employee data, attributing the disruption to an attack on internal infrastructure. Third-party experts are assisting with recovery efforts. However, the WarLock ransomware group later claimed responsibility, alleging theft of 1 million documents containing employee salaries and personal data, contradicting Colt’s initial assurances. The group attempted to sell the data for $200,000, though these claims remain unverified. Colt continues restoring services while advising customers to use alternative support channels. Investigations into the attack’s origin and impact are ongoing.
Read full article: Theregister

US Scrambles to Recoup $1M+ Nicked by NORKs
The US Department of Justice is pursuing over $1 million allegedly stolen by three North Korean IT operatives from a New York cryptocurrency company. Using fake identities, including Bong Chee Shen (Chang Nam Il), the trio exploited a vulnerability in the company’s crypto wallet, siphoning Tether tokens and laundering funds through blockchain layers. The FBI seized the stolen assets via Tether Limited and aims to return them. Chang, linked to prior crypto thefts in Atlanta and Serbia, and two others (posing as Joshua Charles Palmer and Chris Yu) used forged IDs to infiltrate the firm. The case highlights North Korea’s use of IT worker schemes to fund its military, with the US offering a $5M reward for related intel.
Read full article: Theregister

Cryptohack Roundup: Do Kwon Pleads Guilty in $40B Fraud Case
This week’s key incidents include Terraform Labs’ Do Kwon pleading guilty to fraud charges linked to the $40B collapse of TerraUSD and Luna, facing up to 25 years. Trump signed an order shielding banks from crypto-related regulatory scrutiny. Credix vanished after a $4.5M hack, suspected of an exit scam. Odin.fun lost $7M in a Bitcoin liquidity exploit, while a malware campaign stole $1M via fake Firefox crypto wallet extensions. These events underscore ongoing fraud, regulatory shifts, and vulnerabilities in crypto ecosystems.
Read full article: Bankinfosec


The New Emerging Threats

Emerging threats in July 2025 highlight ransomware campaigns (Crypto24, Qilin) exploiting legitimate tools, Linux/macOS vulnerabilities, and MFA bypass via AI-driven phishing kits like PoisonSeed. Advanced malware frameworks (PS1Bot, FireWood) and Android Trojans (PhantomCard) leverage stealthy techniques, NFC theft, and MaaS models, while ERMAC V3.0’s source code leak exposes criminal infrastructure flaws. Critical sectors face APT-style attacks (Charon ransomware) and social engineering via platforms like GitHub and Teams. Defenses require Zero Trust, patching, phishing-resistant MFA, and enhanced monitoring of lateral movement and anomalous tool usage.


Ransomware Actors Combine Legitimate Tools with Custom Malware to Evade Detection
The Crypto24 ransomware campaign employs legitimate tools and custom malware to infiltrate high-profile organizations in finance, manufacturing, and technology sectors globally. Attackers use PsExec, AnyDesk, and Google Drive for lateral movement, remote access, and data exfiltration, while leveraging Windows utilities like net.exe to blend malicious activities with routine operations. Custom tools like RealBlindingEDR disable EDR systems by exploiting vulnerable drivers from vendors such as Trend Micro and Kaspersky. Persistence is achieved via hidden scripts, scheduled tasks, and services mimicking svchost.exe. Post-compromise tactics include credential theft via keyloggers, RDP manipulation, and abuse of uninstallers to deploy ransomware. Defenses recommended include Zero Trust frameworks, least privilege enforcement, MFA, and monitoring for anomalous tool usage. Regular audits, offline backups, and updated security solutions are critical to mitigating prolonged attacker dwell times.
Read full article: Gbhackers

Threat Actors Leverage CrossC2 to Extend Cobalt Strike to Linux and macOS
Threat actors are exploiting CrossC2, an unofficial tool extending Cobalt Strike to Linux and macOS, to target Active Directory infrastructures. The campaign combines CrossC2 with tools like PsExec and Plink for lateral movement, alongside a custom Nim-based loader (ReadNimeLoader) enabling in-memory execution via DLL side-loading. Attackers leverage Linux servers as entry points, exploiting limited EDR coverage to maintain persistence. Global impact is confirmed via VirusTotal data, with ties to BlackBasta ransomware through shared tactics and infrastructure. Anti-analysis techniques include XOR encryption, junk code, and dynamic key generation. JPCERT/CC released a parser to extract CrossC2 configurations, urging enhanced Linux monitoring and EDR adoption.
Read full article: Gbhackers

PS1Bot: Multi-Stage Malware Framework Targeting Windows Systems
Cisco Talos researchers identified PS1Bot, a multi-stage malware framework targeting Windows systems since early 2025, distributed via malvertising and SEO-poisoned ZIP archives. The malware employs obfuscated scripts to deploy PowerShell-based payloads, leveraging in-memory execution to evade detection while polling C2 servers. Its modular design includes reconnaissance, screen capture, data theft (browsers, crypto wallets), keylogging, and system surveys, using WMI queries and temporary file storage for stealth. Persistence is achieved via Startup folder LNK files and randomized directories. PS1Bot shares infrastructure and code patterns with AHK Bot and Skitnet, indicating an evolving threat ecosystem. Organizations are advised to monitor PowerShell activity and malvertising lures.
Read full article: Gbhackers

New NFC-Based PhantomCard Malware Targets Android Banking Users
ThreatFabric identified PhantomCard, a sophisticated Android Trojan exploiting NFC technology to steal banking card data via fraudulent “card protection” apps. Targeting primarily Brazilian users, the malware relays EMV card details and PINs through criminal servers, enabling unauthorized transactions at POS/ATMs. It leverages the NFU Pay Malware-as-a-Service platform, rebranded by a Brazilian actor (“Go1ano developer”) for local distribution. The malware’s bidirectional relay bridges victims’ physical cards to remote terminals, complicating fraud detection. Financial institutions are urged to enhance transaction monitoring and educate users on suspicious app requests. PhantomCard underscores rising NFC-based threats and the risks of global MaaS reseller models.
Read full article: Gbhackers

Qilin Ransomware Dominates July with Over 70 Claimed Victims
The Qilin ransomware group emerged as July 2025’s most active threat actor, claiming 73 victims (17% of 423 global incidents) via its aggressive ransomware-as-a-service model. INC Ransom followed with 59 attacks, targeting critical infrastructure. Ransomware activity rose for the third consecutive month, with the U.S. most impacted (223 victims), followed by Canada and European nations. Professional services and construction sectors faced the highest attacks, while 25 critical infrastructure incidents involved government, energy, and telecoms. Nearly 40 new ransomware variants emerged, exploiting vulnerabilities like Citrix NetScaler and Microsoft SharePoint flaws. Major breaches included SafePay (3.5TB exfiltrated) and Akira (defense contractor data stolen), underscoring escalating cyber threats.
Read full article: Gbhackers

FireWood Malware Targets Linux Systems for Command Execution and Data Theft
A new FireWood malware variant targeting Linux systems was discovered by Intezer, enhancing stealth and persistence for espionage. This Linux RAT, linked to historical “Project Wood” campaigns and tentatively associated with China-aligned Gelsemium, employs kernel-level rootkits and TEA encryption to evade detection. It infiltrates via web shells, enabling remote command execution, credential theft, and long-term system access. The updated variant streamlines evasion by deferring permission checks, simplifying C2 communication loops, and altering persistence file paths. Command handling was refined, removing obsolete functions and introducing auto-kill capabilities. Despite technical upgrades, core espionage goals remain, prioritizing adaptability in covert data exfiltration and operational resilience.
Read full article: Gbhackers

EncryptHub Turns Brave Support into a Dropper; MMC Flaw Completes the Run
Trustwave SpiderLabs identified a campaign by the EncryptHub group (aka LARVA-208/Water Gamayun) exploiting Brave Support and the CVE-2025-26633 MMC flaw to deploy malware via manipulated .msc files. Attackers use social engineering via Microsoft Teams to gain remote access, executing PowerShell scripts that fetch payloads from domains like cjhsbam[.]com. The attack chain drops infostealers (e.g., Fickle Stealer) and ransomware, leveraging Golang tools like SilentCrystal to evade detection via fake directories. Fake platforms like rivatalk.net distribute malicious MSI installers, while SOCKS5 proxies enable persistent C2 communication. Mitigations include patching CVE-2025-26633, user training, and monitoring anomalous PowerShell/MMC activity.
Read full article: Gbhackers

Source Code of ERMAC V3.0 Malware Exposed by ‘changemeplease’ Password
A significant breach exposed ERMAC V3.0’s source code, a banking trojan targeting 700+ financial apps, due to the weak password “changemeplease.” Discovered by Hunt.io in March 2024, the leak revealed the Malware-as-a-Service platform’s infrastructure, including backend, frontend, and exfiltration components. ERMAC 3.0 expanded its capabilities with form injection techniques and anti-analysis checks. Critical vulnerabilities like hardcoded tokens and open API registration were identified, enabling potential disruption of operations. The leak offers insights for countermeasures, highlighting cybercriminals’ security flaws despite advanced encryption and geo-restrictions. This exposure underscores evolving mobile malware threats and risks from poor security practices.
Read full article: Gbhackers

SmartLoader Malware Masquerades as Legitimate GitHub Repository to Infect Users
AhnLab uncovered a campaign distributing SmartLoader malware via fake GitHub repositories posing as legitimate projects offering game cheats, software cracks, and tools. These repos, optimized in search results, trick users into downloading malicious archives containing obfuscated scripts and payloads. Upon execution, SmartLoader establishes persistence, captures system data, and communicates with C2 servers to fetch additional payloads like Rhadamanthys infostealer, which steals sensitive data. The malware leverages trusted platforms and sophisticated obfuscation to evade detection. Users are advised to verify repository authenticity, check author credibility, and use endpoint detection tools. The campaign highlights the risk of downloading software from unofficial sources despite polished appearances.
Read full article: Gbhackers

New Charon Ransomware Uses DLL Sideloading and Anti-EDR Tactics in Targeted Attacks
Trend Micro identified the Charon ransomware targeting Middle Eastern public sector and aviation entities using APT-style tactics. It employs DLL sideloading via a legitimate Edge.exe to load malicious code, decrypts layered payloads, and injects into svchost.exe to evade detection. Charon encrypts files with a hybrid scheme (Curve25519 and ChaCha20), skips critical system files, and deletes backups. It terminates security processes, uses anti-EDR tools, and spreads via network shares. Custom ransom notes reference victims directly, suggesting tailored attacks. Mitigation includes securing DLL loading, monitoring process chains, restricting lateral movement, and maintaining offline backups.
Read full article: Gbhackers

PoisonSeed Phishing Kit Bypasses MFA to Steal Credentials from Users and Organizations
The PoisonSeed threat actor has deployed an advanced phishing kit since April 2025 to bypass multi-factor authentication (MFA) and steal credentials from organizations and individuals. Targeting major CRM and email services like Google, SendGrid, and Mailchimp, the kit uses spear-phishing emails with malicious links redirecting victims to spoofed domains. It employs “Precision-Validated Phishing,” embedding encrypted victim emails in URLs and cookies to validate targets via fake Cloudflare challenges. Acting as an Adversary-in-the-Middle (AitM), the kit captures credentials, 2FA codes, SMS, and API keys, enabling unauthorized access and automated email list extraction for crypto scams. Built with React and hosted on infrastructure linked to NICENIC and Cloudflare, it evades detection through obfuscation. Mitigation requires phishing-resistant MFA (e.g., FIDO2), enhanced monitoring, and user awareness.
Read full article: Gbhackers

Hackers are now mimicking government websites using AI – everything you need to know to stay safe
Hackers leveraged generative AI to create near-identical clones of Brazilian government websites, including portals for driver’s licenses and job applications, to steal personal data and funds. The fraudulent sites employed SEO poisoning to rank higher in search results, mimicking official URLs (e.g., “govbrs[.]com”) to evade detection. Victims were tricked into submitting sensitive information like CPF numbers and making payments via Brazil’s Pix system, redirecting funds to attackers. Analysis by Zscaler ThreatLabz revealed AI-generated code patterns, such as TailwindCSS styling and structured comments, indicating automated replication of legitimate sites. Experts warn such attacks could escalate, urging organizations to adopt Zero Trust frameworks and enhance verification practices to mitigate risks.
Read full article: Techradar


Vulnerability Spotlight: Critical Exposures Unveiled

Critical vulnerabilities across widely used software and infrastructure components were actively exploited, highlighting escalating cyberespionage and systemic risks. Russian-aligned groups like RomCom weaponized WinRAR and Citrix NetScaler zero-days for targeted attacks, while critical flaws in Cisco, F5, FortiSIEM, and Microsoft Exchange exposed networks to DoS, data tampering, and RCE. Supply chain threats persisted via compromised Docker images and WordPress plugins, enabling server takeovers. State-aligned actors leveraged geopolitical alignments, while unpatched systems in automotive APIs and VPNs risked physical and digital compromise. Urgent patching, strict certificate validation, and proactive monitoring remain critical amid heightened exploitation of high-severity vulnerabilities.


Russian Hackers Exploit WinRAR Zero-Day
A Russian-speaking hacking group, RomCom (aka Storm-0978), exploited a WinRAR zero-day vulnerability (CVE-2025-8088) in targeted cyberespionage campaigns since July 2025. The path traversal flaw allowed attackers to embed malicious code via phishing emails disguised as job applications, leveraging Windows NTFS file system attributes to hide payloads. RomCom, previously focused on ransomware, has shifted to Kremlin-aligned espionage post-Ukraine invasion, deploying malware variants like Mythic Agent, SnipBot, and RustyClaw. The attacks involved reconnaissance to ensure highly targeted infections, with sectors aligned with Russian geopolitical interests. A separate group, Paper Werewolf, also exploited the flaw against Russian companies. WinRAR patched the vulnerability on July 31 after ESET researchers reported it.
Read full article: Bankinfosec

Cisco IOS, IOS XE, and Secure Firewall Flaws Allow Remote DoS Attacks
Cisco issued a high-severity advisory on August 14, 2025, addressing six critical vulnerabilities (CVE-2025-20224 to CVE-2025-20254) in IKEv2 protocol implementations across IOS, IOS XE, and Secure Firewall products. These flaws allow unauthenticated remote attackers to trigger denial-of-service (DoS) conditions via crafted IKEv2 packets, causing system crashes, memory leaks, or resource exhaustion. IOS/IOS XE devices may restart abruptly, while ASA/FTD firewalls could require manual reboots to restore VPN functionality. Detection methods include checking active IKEv2 configurations via CLI commands. Cisco released patches for affected systems, with no available workarounds, urging immediate updates. Vulnerabilities do not impact IOS XR, Meraki, or FMC products.
Read full article: Gbhackers

Palo Alto GlobalProtect Vulnerability Allows Privilege Escalation via Certificate Bypass
A vulnerability (CVE-2025-2183) in Palo Alto Networks’ GlobalProtect VPN client allows attackers with adjacent network access to escalate privileges via improper certificate validation. Exploiting this flaw enables installation of malicious root certificates, bypassing security controls to deploy signed malware. Affected systems include Windows and Linux versions, while Android, iOS, and macOS remain unaffected. Palo Alto rated it medium severity (CVSS 4.5) and released patches (6.3.3-h2/6.2.8-h3 for Windows, 6.3.3+ for Linux). Mitigation requires updates, strict certificate validation, and removing untrusted root certificates. No active exploitation has been observed; the flaw was identified internally.
Read full article: Gbhackers

Critical WordPress Plugin Vulnerability Puts 70,000+ Sites at Risk of Remote Code Execution
A critical vulnerability (CVE-2025-7384, CVSS 9.8) in the “Database for Contact Form 7, WPforms, Elementor forms” WordPress plugin exposes over 70,000 sites to remote code execution. The flaw stems from improper input sanitization in the plugin’s get_lead_detail function, enabling unauthenticated attackers to inject malicious PHP objects. Combined with a POP chain in Contact Form 7, attackers can delete critical files like wp-config.php, leading to server compromise or denial of service. Exploitation risks include data theft, malware deployment, and full site takeover. Administrators must immediately update to patched version 1.4.4 and monitor for suspicious file changes. The vulnerability’s ease of exploitation and severe impact warrant urgent remediation.
Read full article: Gbhackers

CISA Alerts on N-able N-Central Deserialization and Injection Flaw Under Active Exploitation
CISA issued urgent alerts for two critical vulnerabilities (CVE-2025-8875 and CVE-2025-8876) in N-able N-Central, actively exploited in attacks. CVE-2025-8875 involves insecure deserialization enabling command execution, while CVE-2025-8876 allows command injection via improper input sanitization. Both flaws risk network compromise and unauthorized access. CISA added these to its Known Exploited Vulnerabilities catalog, mandating remediation by August 20, 2025. Organizations must apply vendor mitigations immediately or discontinue use if unresolved. The platform’s widespread use in remote management amplifies risks, urging prioritized action to prevent systemic breaches.
Read full article: Gbhackers
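The WordPress plugin flaw above (client-supplied data reaching PHP's object unserialization) and the N-able N-central flaw (insecure Java deserialization) are the same defect class: a data format that can name classes is fed attacker-controlled bytes. The following is an added example, not code from either vendor, showing the pattern in Python, where pickle plays the role of PHP unserialize() and Java ObjectInputStream: the vulnerable loader, a restricted unpickler that refuses every class or global reference for legacy inputs, and the preferred fix of a schema-checked JSON format that cannot name a class at all. The `Lead` class, `LEAD_SCHEMA`, and the sample payloads are constructed for the demo.

```python
import io
import json
import pickle


class Lead:
    """Hypothetical application object that a vulnerable endpoint would
    reconstruct straight from client-supplied serialized data."""

    def __init__(self, lead_id: int, email: str):
        self.lead_id, self.email = lead_id, email


def unsafe_load(blob: bytes):
    # VULNERABLE pattern: pickle.loads on attacker-controlled bytes imports and
    # instantiates whatever classes the blob names, the same defect class as
    # PHP unserialize() or Java ObjectInputStream on untrusted input.
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened loader for legacy pickle inputs: refuses every class or global
    reference, so only plain data (dict, list, str, int, ...) can come out."""

    def find_class(self, module: str, name: str):
        raise pickle.UnpicklingError(f"class reference forbidden: {module}.{name}")


def safe_load(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


LEAD_SCHEMA = {"lead_id": int, "email": str}


def parse_lead(text: str) -> Lead:
    """Preferred design: accept JSON, type-check every field against a fixed
    schema and build the object yourself; the wire format cannot name a class."""
    data = json.loads(text)
    if not isinstance(data, dict) or set(data) != set(LEAD_SCHEMA):
        raise ValueError("unexpected field set")
    for key, typ in LEAD_SCHEMA.items():
        if type(data[key]) is not typ:  # strict: bool must not pass as int
            raise ValueError(f"{key} must be {typ.__name__}")
    return Lead(data["lead_id"], data["email"])


def demo() -> dict:
    """Plain data loads through the restricted unpickler; a pickle that names
    a class or function is rejected before anything is instantiated."""
    plain = pickle.dumps({"lead_id": 7, "email": "user@example.test"})
    # Any global reference triggers find_class; a harmless stdlib function
    # stands in here for whatever an untrusted blob might name.
    tainted = pickle.dumps(json.loads)
    out = {"plain_ok": safe_load(plain) == {"lead_id": 7, "email": "user@example.test"}}
    try:
        safe_load(tainted)
        out["tainted_rejected"] = False
    except pickle.UnpicklingError:
        out["tainted_rejected"] = True
    return out


if __name__ == "__main__":
    print(demo())
    lead = parse_lead('{"lead_id": 7, "email": "user@example.test"}')
    print(lead.lead_id, lead.email)
```

The restricted unpickler is a containment measure for code that cannot change its wire format immediately; the durable fix is the JSON path, where the type check is strict (a JSON `true` is rejected for an integer field) and any unexpected key fails the request rather than being silently carried along.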

Infamous XZ Backdoor Found Hidden in Docker Images for Over a Year
The XZ Utils backdoor, attributed to pseudonymous developer ‘Jia Tan’, persists in Debian-based Docker images on Docker Hub over a year after its discovery. Initially targeting Linux distributions via liblzma.so to enable remote SSH access, the backdoor remains in at least 12 Debian images from March 2024, propagating to over 35 downstream images. Despite community mitigations, these compromised artifacts risk cloud infrastructure and CI/CD pipelines, with Debian maintainers deferring removal. The backdoor’s use of IFUNC resolvers highlights advanced supply chain threats requiring binary-level monitoring. Binarly’s tools, like XZ.fail, detect such tampering, emphasizing the need for proactive defenses against persistent, sophisticated attacks.
Read full article: Gbhackers

Microsoft Exchange Server Flaws Allow Network-Based Spoofing and Data Tampering
Microsoft disclosed critical vulnerabilities in Exchange Server (CVE-2025-25007 and CVE-2025-25005) enabling network-based spoofing and data tampering. The spoofing flaw (CVSS 5.3) allows remote attackers to impersonate users without authentication, while the tampering vulnerability (CVSS 6.5) permits low-privilege attackers to alter emails, configurations, or sensitive data. A related Windows Graphics Component privilege escalation flaw (CVE-2025-49743) could further compromise systems. Internet-facing Exchange servers are at heightened risk. Microsoft urges immediate patching, enhanced monitoring for suspicious email activity, and temporary restrictions on external email processing. These flaws threaten email integrity, emphasizing the need for prompt security updates to mitigate exploitation risks.
Read full article: Gbhackers
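The article's advice to monitor for suspicious email activity around a spoofing flaw comes down to checking, per message, whether the sender authentication results back the domain shown in the From header. The following is an added example, not code from Microsoft or the article: it parses the Authentication-Results header a receiving mail gateway stamps on each message (RFC 8601 format), and flags messages that claim one of the organisation's own domains without an aligned SPF or DKIM pass or a DMARC pass, plus a Reply-To that points elsewhere. `PROTECTED_DOMAINS` and the two sample messages are constructed for the demo.

```python
import email
import re
from email.utils import parseaddr

# Constructed: the domains this organisation sends mail for.
PROTECTED_DOMAINS = {"example.test"}

_CLAUSE = re.compile(r"\s*(spf|dkim|dmarc)=(\w+)(.*)", re.I)
_DOMAIN = re.compile(
    r"(?:header\.from|header\.d|header\.i|smtp\.mailfrom)=(?:[\w.+-]*@)?([\w.-]+)", re.I)


def _domain(addr: str) -> str:
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def _aligned(dom: str, from_dom: str) -> bool:
    """Relaxed alignment: same domain, or a subdomain of the From domain."""
    return dom == from_dom or dom.endswith("." + from_dom)


def auth_results(raw: str) -> dict:
    """Parse Authentication-Results headers into {method: (result, domain)}.
    The first ';'-separated element is the authserv-id and is skipped."""
    msg = email.message_from_string(raw)
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for clause in hdr.split(";")[1:]:
            m = _CLAUSE.match(clause)
            if not m:
                continue
            d = _DOMAIN.search(m.group(3))
            results[m.group(1).lower()] = (m.group(2).lower(),
                                           d.group(1).lower() if d else "")
    return results


def spoof_findings(raw: str) -> list[str]:
    """Return the reasons a message claiming one of our domains looks spoofed."""
    msg = email.message_from_string(raw)
    from_dom = _domain(msg.get("From", ""))
    findings = []
    if from_dom not in PROTECTED_DOMAINS:
        return findings  # external senders are covered by other controls
    ar = auth_results(raw)
    if ar.get("dmarc", ("none", ""))[0] != "pass":
        findings.append(f"DMARC did not pass for our domain {from_dom}")
    spf_res, spf_dom = ar.get("spf", ("none", ""))
    dkim_res, dkim_dom = ar.get("dkim", ("none", ""))
    if not ((spf_res == "pass" and _aligned(spf_dom, from_dom))
            or (dkim_res == "pass" and _aligned(dkim_dom, from_dom))):
        findings.append("no aligned SPF or DKIM pass backs the From domain")
    reply_dom = _domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To points to a different domain ({reply_dom})")
    return findings


# Constructed sample messages, as a receiving gateway would have stamped them.
LEGIT = """\
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=bounce@mail.example.test; dkim=pass header.d=example.test; dmarc=pass header.from=example.test
From: Finance <finance@example.test>
To: staff@example.test
Subject: Q3 invoices

Invoices attached.
"""

SPOOFED = """\
Authentication-Results: mx.example.test; spf=fail smtp.mailfrom=ceo@example.test; dkim=none; dmarc=fail header.from=example.test
From: CEO <ceo@example.test>
Reply-To: ceo.office@webmail.invalid
To: staff@example.test
Subject: urgent wire

Please process today.
"""

if __name__ == "__main__":
    print("legit:", spoof_findings(LEGIT))
    print("spoofed:", spoof_findings(SPOOFED))
```

Run over gateway logs or a mailbox export, the findings list is what an analyst would pivot on; the alignment check matters because an SPF pass for an unrelated envelope domain says nothing about the displayed From address.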

Critical FortiSIEM Vulnerability Allows Attackers to Execute Malicious Commands, PoC Found in the Wild
A critical OS command injection vulnerability (CVE-2025-25256, CVSS 9.8) in FortiSIEM allows unauthenticated attackers to execute arbitrary commands via CLI requests, with active exploits observed. Affected versions include FortiSIEM 6.6 through 7.3, requiring immediate upgrades, or migration for older releases. Exploitation risks full system compromise, enabling log manipulation, monitoring disruption, and lateral movement. Temporary mitigation involves blocking port 7900 (phMonitor), though patching remains critical. Fortinet urges organizations to prioritize updates, audit deployments, and monitor for compromises. Public availability of an exploit heightens the urgency of global remediation efforts.
Read full article: Gbhackers

NCSC: Citrix NetScaler Flaw (CVE-2025-6543) is Actively Exploited to Breach Organizations
The NCSC warns that a critical Citrix NetScaler zero-day vulnerability (CVE-2025-6543) is being actively exploited, enabling remote code execution and deployment of web shells for persistent access. Attacks since May 2025 targeted Dutch critical infrastructure, with threat actors erasing forensic traces, complicating detection and analysis. Despite Citrix’s June 2025 patch, compromised systems may remain breached due to hidden backdoors. Additional vulnerabilities (CVE-2025-5349, CVE-2025-5777) were identified in global Citrix deployments, though exploitation is unconfirmed. The NCSC urges organizations to investigate systems, apply defense-in-depth strategies, and monitor shared IOCs. Attribution remains unclear, but tactics suggest advanced, possibly state-aligned threat actors.
Read full article: Gbhackers

Critical Vulnerability in Carmaker Portal Allows Hackers to Unlock Cars Remotely
A critical vulnerability in a major automaker’s dealer portal allowed attackers to remotely unlock, start, and track vehicles by exploiting hidden registration forms and API flaws. Discovered by researcher Eaton Zveare, the flaw bypassed invite-token validation and role-based checks, enabling attackers to forge national admin accounts, transfer vehicle ownership via VIN or owner names, and control cars through the official app. The issue affected vehicles with telematics modules dating to 2012. Attackers could also abuse user-impersonation features to bypass session controls and 2FA. The automaker patched backend systems, validated user roles, and notified customers to update credentials. The incident underscores risk from overprivileged enterprise systems and the need for zero-trust API validation in connected vehicle ecosystems.
Read full article: Gbhackers
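The two failures the article names, an invite token that is not really validated and a role the client can choose through a hidden form field, are worth seeing beside the corrected design. The following is an added example, not code from the automaker or the researcher: the vulnerable registration handler accepts any non-empty token and takes the role from the form, while the hardened version issues HMAC-signed, expiring invites that bind role and dealer scope server-side, and the ownership-transfer endpoint decides authorisation from the server-side session record and the vehicle's own dealer assignment. `INVITE_KEY`, the role names, dealer ids and VIN are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Placeholder key for this demo; a real deployment loads it from a secret store.
INVITE_KEY = b"constructed-demo-key-not-for-production"


def _now(now: Optional[float]) -> float:
    return time.time() if now is None else now


def issue_invite(email: str, role: str, dealer: str, ttl: int = 3600,
                 now: Optional[float] = None) -> str:
    """Server-issued invite: role and dealer scope are bound into a signed,
    expiring token, so the registration form cannot choose them."""
    payload = {"email": email.lower(), "role": role, "dealer": dealer,
               "exp": int(_now(now) + ttl)}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    sig = hmac.new(INVITE_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_invite(token: str, now: Optional[float] = None) -> Optional[dict]:
    body, _, sig = token.rpartition(".")
    expected = hmac.new(INVITE_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not body or not hmac.compare_digest(sig, expected):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body))
    if payload["exp"] <= _now(now):
        return None
    return payload


def register_vulnerable(form: dict) -> dict:
    # VULNERABLE pattern: the token is only checked for presence, and the role
    # is whatever the client put into a (possibly hidden) form field.
    if not form.get("invite_token"):
        return {"error": "invite required"}
    return {"user": form["email"], "role": form.get("role", "dealer_user")}


def register_hardened(form: dict, now: Optional[float] = None) -> dict:
    invite = verify_invite(form.get("invite_token", ""), now)
    if invite is None or invite["email"] != form.get("email", "").lower():
        return {"error": "invalid or expired invite"}
    return {"user": invite["email"], "role": invite["role"], "dealer": invite["dealer"]}


def transfer_ownership(session: dict, vin: str, new_owner: str, vehicles: dict) -> bool:
    """Authorisation comes from the server-side session record and the
    vehicle's dealer assignment, never from fields in the request body."""
    car = vehicles.get(vin)
    if car is None:
        return False
    allowed = session.get("role") == "national_admin" or (
        session.get("role") == "dealer_user" and session.get("dealer") == car["dealer"])
    if not allowed:
        return False
    car["owner"] = new_owner
    return True


def demo() -> dict:
    t0 = 1_700_000_000  # fixed clock so the demo is repeatable
    token = issue_invite("Tech@dealer.test", "dealer_user", "D-17", now=t0)
    forged = {"email": "tech@dealer.test", "invite_token": "anything",
              "role": "national_admin"}  # role smuggled in via a form field
    # Re-encode the token body with a different role but keep the signature:
    # the integrity check must reject it.
    body, _, sig = token.rpartition(".")
    claims = {**json.loads(base64.urlsafe_b64decode(body)), "role": "national_admin"}
    swapped = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return {
        "vulnerable_grants": register_vulnerable(forged)["role"],
        "hardened_rejects_forged": "error" in register_hardened(forged, now=t0),
        "hardened_role": register_hardened(
            {"email": "tech@dealer.test", "invite_token": token}, now=t0)["role"],
        "tampered_rejected": verify_invite(f"{swapped}.{sig}", now=t0) is None,
        "expired_rejected": verify_invite(token, now=t0 + 7200) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The point of `transfer_ownership` taking a `session` argument rather than the request is that every privileged action re-derives the caller's role and scope from state the client cannot write; that is what "validated user roles" in the vendor's fix amounts to, and what an impersonation feature must also go through.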


In-Depth Expert CTI Analysis

This week’s threat landscape underscores intensified global efforts to disrupt ransomware ecosystems and cybercrime financing through coordinated law enforcement actions, exemplified by the takedown of BlackSuit infrastructure and $300M+ cryptocurrency seizures. State-aligned actors exploited critical vulnerabilities in Citrix, Microsoft, and Cisco systems, targeting critical infrastructure and government entities, while ransomware groups like Qilin and Charon demonstrated evolving TTPs. Persistent supply chain risks emerged from compromised Docker images and leaked ERMAC malware code, alongside sophisticated phishing campaigns bypassing MFA. The convergence of financial tracing, sanctions targeting crypto laundering, and urgent patching of zero-days highlights the dual focus on crippling adversary operations and hardening defenses amid escalating cross-border cyber threats.


Proactive Defense and Strategic Foresight

Proactive defense demands leveraging threat intelligence to preempt adversarial tactics, as seen in the BlackSuit takedown via infrastructure seizures and financial tracing, disrupting ransomware ecosystems. Strategic foresight requires anticipating evolving threats like AI-driven phishing clones and CrossC2 exploitation, necessitating Zero Trust frameworks, hardened encryption, and Linux EDR adoption. The Citrix NetScaler and Microsoft SharePoint breaches underscore urgency in patching and defense-in-depth to counter APTs. Sanctioning Garantex and crypto seizures highlight disrupting financial flows, while FireWood’s stealth and ERMAC’s leaked code reveal adversaries’ adaptability. Organizations must prioritize AI-enhanced monitoring, supply chain audits, and resilience against ransomware’s systemic risks to critical infrastructure.


Evolving Ransomware and Malware Tactics

Ransomware and malware tactics continue evolving with increased sophistication, leveraging legitimate tools (Cobalt Strike, Mimikatz), zero-day exploits (Citrix NetScaler, WinRAR), and AI-driven phishing to bypass defenses. Groups like Qilin and Charon employ hybrid encryption, APT-style lateral movement, and RaaS models, targeting critical infrastructure for maximum disruption. Financial ecosystems face strain via cryptocurrency laundering (Garantex, Tether) and cross-border asset seizures. State-aligned actors exploit geopolitical tensions, while MFA bypass (PoisonSeed) and Linux-focused malware (FireWood, CrossC2) highlight expanding attack surfaces. Proactive defense requires Zero Trust frameworks, enhanced monitoring of toolchains, and international collaboration to dismantle infrastructure and financial networks.


State-Sponsored and Organized Cybercrime Convergence

The convergence of state-sponsored and organized cybercrime is accelerating, evidenced by shared tactics, infrastructure, and financial networks. State actors increasingly leverage ransomware groups for deniable attacks, as seen in Russian-aligned BlackSuit and sanctioned crypto exchanges like Garantex, while North Korean IT operatives fund military programs via cybercrime. Advanced persistent threats (APTs) exploit vulnerabilities similarly to criminal gangs, with Chinese groups targeting SharePoint and Citrix flaws. Ransomware-as-a-service models, crypto laundering, and encrypted platforms blur lines, enabling mutual benefit. This symbiosis complicates attribution, amplifies global risks to critical infrastructure, and demands unified defenses combining intelligence sharing, proactive patching, and financial disruption.


Operational and Tactical Implications

  • Global law enforcement collaboration is disrupting ransomware and crypto laundering networks.
  • State-sponsored and criminal groups are converging, complicating attribution and response.
  • Critical infrastructure remains a consistent, high-value target for adversaries.
  • Financial disruption (sanctions, asset seizures) is proving effective in weakening threat actors.
  • Rapid zero-day exploitation (Citrix, SharePoint, WinRAR) demands accelerated patching.
  • Abuse of legitimate IT tools (Cobalt Strike, PSExec, AnyDesk) requires anomaly monitoring.
  • Supply chain risks (Docker, WordPress, automotive APIs) highlight need for SBOM and validation.
  • Advanced phishing/MFA bypass kits require phishing-resistant MFA and stronger identity controls.

Forward-Looking Recommendations

  • Prioritize international collaboration to disrupt ransomware ecosystems via coordinated infrastructure takedowns, financial tracing, and sanctions against crypto exchanges facilitating illicit transactions.
  • Adopt AI-driven threat detection and zero-trust architectures to counter evolving ransomware, phishing, and supply chain attacks exploiting vulnerabilities like Citrix NetScaler and Microsoft SharePoint.
  • Mandate phishing-resistant MFA (e.g., FIDO2) and rigorous patching protocols, particularly for critical infrastructure sectors, to mitigate risks from APTs and zero-day exploits.
  • Enhance blockchain analytics partnerships to trace and freeze illicit crypto flows, leveraging initiatives like T3+ and Project Atlas to target cross-border money laundering.
  • Strengthen legal frameworks to hold encrypted service providers accountable for criminal exploitation while balancing privacy rights, informed by operations like Sky ECC.
  • Invest in proactive monitoring of Linux systems and EDR solutions to counter CrossC2, FireWood, and other advanced threats targeting under-secured environments.
  • Implement sector-specific defenses for healthcare, automotive, and telecoms, including air-gapped backups, API security validation, and NFC fraud detection mechanisms.
  • Accelerate software supply chain security via binary-level integrity checks and SBOM adoption to prevent persistent backdoors like XZ Utils in critical infrastructure.
  • Expand cybersecurity funding for judicial and public sector IT modernization to protect sensitive data from state-aligned threat actors exploiting legacy systems.
  • Develop global incident response playbooks for ransomware, integrating cryptocurrency seizure protocols and cross-border extradition processes to deter threat actors.

Additional Resources & Contact

VerSprite on LinkedIn

VerSprite on Twitter

Email VerSprite