Welcome to this week's Cybersecurity Recap. We're looking at the essential updates from July 21-27, 2025, in the world of digital threats and defenses.
This week has seen significant developments that highlight the continued danger of cyber attacks and the need for constant awareness. There is a serious SharePoint vulnerability that puts organizations at risk.
We have also seen advanced attacks targeting VMware infrastructure, along with a rise in new threats and cyber attacks that are changing global security strategies.
This recap provides key insights and practical advice to help you stay informed and secure. Let's dive into what happened and what it means for you.
Cyber Attacks
Ransomware Destroys 158-Year-Old Logistics Firm via Weak Password
A single compromised password enabled a ransomware gang to devastate KNP Logistics, a historic UK-based company, leading to the loss of 730 jobs and a complete operational shutdown. The attack underscores the severe risks associated with poor password hygiene in critical infrastructure.
APT41 Targets African Government with Impacket Tools
Chinese-linked hackers APT41 launched a targeted espionage campaign against African government IT services, using Impacket's Atexec and WmiExec modules for lateral movement and malware deployment. They embedded internal network details in payloads and compromised a SharePoint server for command-and-control. This marks increased APT41 activity in the region since late 2022.
DeerStealer Malware Spread via Fake Google Authenticator Sites
Threat actors are abusing Windows Run prompts to deliver DeerStealer, an info-stealer that extracts browser credentials, crypto wallets, and app data from over 800 extensions. Distributed through deceptive sites mimicking legitimate tools, it uses Telegram bots for victim tracking and employs obfuscation for evasion. Campaigns often involve GitHub-hosted payloads with XOR encryption.
US Nuclear Agency Breached in SharePoint Zero-Day Attacks
Unknown hackers exploited a Microsoft SharePoint vulnerability chain to infiltrate the National Nuclear Security Administration, part of the Department of Energy. The breach affected a small number of systems but spared classified data; recovery is underway. This follows a 2019 APT29 intrusion via SolarWinds.
UNC3944 Exploits VMware vSphere for Ransomware Deployment
The UNC3944 group (aka Scattered Spider) is social-engineering IT helpdesks to reset passwords, escalate privileges, and access vSphere environments. They modify GRUB bootloaders for root access, install reverse shells, and extract domain data offline before encrypting VMs. Defenses emphasize multi-factor authentication and monitoring.
Gaming Mouse Software Infected with Malware from the Official Site
Endgame Gear's website was hacked, distributing trojanized drivers for its OP1w 4K V2 mouse between late June and mid-July 2025. The malware enabled remote access and evaded some antivirus software, including Windows Defender. The company quietly replaced the files without full disclosure, prompting users to scan their systems.
Threats
Interlock Ransomware Targets Critical Infrastructure
Interlock ransomware, active since September 2024, employs a double extortion model, encrypting and exfiltrating data from victims in North America and Europe. It often spreads via drive-by downloads disguised as fake browser updates or security software, using the ClickFix social engineering technique to trick users into executing malicious PowerShell commands. This has impacted businesses and critical sectors, with ransom notes directing victims to a .onion URL for negotiations. Notably, it focuses on virtual machines while sparing physical servers; defenders should deploy robust EDR tools to mitigate the risk.
New ClickFake Interview Attack Leveraging ClickFix
The ClickFake Interview campaign, linked to North Korean actors such as the Lazarus Group, targets job seekers at cryptocurrency companies by mimicking legitimate interview sites. It uses the ClickFix tactic, presenting fake error messages or CAPTCHAs that prompt users to run malicious commands, leading to backdoor installations on Windows and macOS. Detections surged 517% from late 2024 to early 2025, with the campaign deploying threats such as infostealers and ransomware.
Threat Actors Targeting Linux SSH Servers
Poorly managed Linux SSH servers are under attack via brute-force and dictionary methods to guess credentials, enabling the installation of DDoS bots, coinminers, and scanning tools. Attackers scan for open port 22, deploy malware such as ShellBot or XMRig, and sometimes sell the breached access on the dark web. Recommendations include strong, regularly updated passwords and firewall protections to block unauthorized access.
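The brute-force activity described above leaves a very recognizable trail in sshd's auth.log. The following added example (not from the original article or any vendor report) parses OpenSSH "Failed password" lines and flags any source IP that exceeds a failure threshold inside a sliding time window; the log lines and IP addresses are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches OpenSSH's "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." lines in auth.log.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def parse_failures(lines, year=2025):
    """Yield (timestamp, user, ip) per failed login; syslog has no year, so one is supplied."""
    for line in lines:
        m = FAILED_RE.match(line.strip())
        if not m:
            continue  # accepted logins, disconnects and other noise are skipped
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]

def flag_bruteforce(lines, threshold=5, window_s=60):
    """Return {ip: {...}} for IPs with >= threshold failures inside any window_s-second window."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(lines):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1  # slide the window forward until it fits
            if end - start + 1 >= threshold:
                flagged[ip] = {"failures": len(events),
                               "users": sorted({u for _, u in events})}
                break
    return flagged

# Constructed sample auth.log lines (documentation IP ranges, not a real host).
SAMPLE_LOG = """\
Jul 22 03:14:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jul 22 03:14:02 host sshd[1203]: Failed password for invalid user oracle from 203.0.113.7 port 51024 ssh2
Jul 22 03:14:03 host sshd[1205]: Failed password for root from 203.0.113.7 port 51026 ssh2
Jul 22 03:14:05 host sshd[1209]: Failed password for invalid user ubuntu from 203.0.113.7 port 51030 ssh2
Jul 22 03:14:09 host sshd[1211]: Failed password for root from 203.0.113.7 port 51032 ssh2
Jul 22 03:20:44 host sshd[1300]: Failed password for alice from 198.51.100.5 port 40100 ssh2
Jul 22 03:20:51 host sshd[1302]: Accepted publickey for alice from 198.51.100.5 port 40102 ssh2
""".splitlines()
```

Running `flag_bruteforce(SAMPLE_LOG)` reports only 203.0.113.7 (five failures across four usernames in eight seconds); the single typo by a legitimate user from 198.51.100.5 stays below the threshold.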
Lumma Stealer Distributed via Fake Cracked Software
Lumma Stealer, a malware-as-a-service since 2022, spreads through fake cracked software and keygens promoted via malvertising and search engine manipulation. Victims are tricked into downloading password-protected loaders that execute via PowerShell, often bypassing antivirus with open-source evasion techniques. Recent campaigns have targeted global industries, including telecom, using fake CAPTCHAs to initiate infections.
Stealthy Backdoor Hidden in WordPress Plugins
A new backdoor hides in WordPress's mu-plugins folder, whose contents run automatically and never appear in the admin panel's plugin list. It fetches obfuscated payloads using ROT13 encoding, stores them in the database, and creates hidden admin accounts for persistent access. This allows attackers to install malicious plugins, suppress logs, and maintain control even after removal attempts.
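Because mu-plugins are invisible in the dashboard, the practical check is to audit the folder on disk. The following added example (not from the original article or from WordPress) scans wp-content/mu-plugins for PHP files that combine the call patterns described above, with an allowlist for files you know you installed; the sample folder it builds, including the indicator-bearing stub, is constructed for the demonstration.

```python
import os
import re
import tempfile

# Constructs the described backdoor chains together: decode a hidden string,
# fetch a payload, stash it in the database, create an administrator. One hit
# alone is weak evidence; several in a file nobody installed deserves review.
INDICATORS = {
    "rot13_decode": re.compile(r"\bstr_rot13\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "dynamic_eval": re.compile(r"\b(?:eval|assert|create_function)\s*\("),
    "remote_fetch": re.compile(r"\b(?:wp_remote_get|file_get_contents|curl_exec)\s*\("),
    "user_creation": re.compile(r"\b(?:wp_insert_user|wp_create_user)\s*\("),
    "admin_role": re.compile(r"->set_role\s*\(\s*['\"]administrator['\"]"),
}

def audit_mu_plugins(mu_dir, allowlist=frozenset(), min_hits=2):
    """Return {relative path: [indicator names]} for non-allowlisted PHP files
    under mu_dir that match at least min_hits indicators."""
    findings = {}
    for root, _, files in os.walk(mu_dir):
        for name in files:
            if not name.endswith(".php") or name in allowlist:
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            hits = [k for k, rx in INDICATORS.items() if rx.search(src)]
            if len(hits) >= min_hits:
                findings[os.path.relpath(path, mu_dir)] = hits
    return findings

def build_sample_dir():
    """Constructed mu-plugins folder: one benign tweak and one stub carrying the
    indicator calls the article describes (placeholder constants, not a payload)."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "site-tweaks.php"), "w") as fh:
        fh.write("<?php add_filter('show_admin_bar', '__return_false');\n")
    with open(os.path.join(d, "wp-index-helper.php"), "w") as fh:
        fh.write("<?php $u = str_rot13(OBFUSCATED_URL);\n"
                 "$body = wp_remote_get($u);\n"
                 "update_option('_cache_blob', base64_decode(PAYLOAD));\n"
                 "$id = wp_insert_user(NEW_USER_ARGS);\n"
                 "(new WP_User($id))->set_role('administrator');\n")
    return d
```

Point `audit_mu_plugins` at a real install's wp-content/mu-plugins and pass the filenames you deployed as the allowlist; anything that remains should be reviewed alongside the wp_users table and the options table it may have written to.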
SharePoint Zero-Day Exploited for Ransomware Attacks
A zero-day vulnerability in Microsoft SharePoint (CVE-2025-53770) has been exploited since July 18, 2025, affecting over 400 organizations, including U.S. government entities. Attackers identified as Storm-2603 deploy ransomware such as Warlock, shifting from espionage to data encryption and extortion. Microsoft has issued emergency patches and urges immediate updates to prevent further compromises.
Vulnerabilities
CISA Warns of Microsoft SharePoint Server Zero-Day RCE Exploit
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical zero-day vulnerability in Microsoft SharePoint Server to its Known Exploited Vulnerabilities catalog. Tracked as CVE-2025-12345, the flaw allows remote code execution (RCE) without authentication, potentially enabling attackers to compromise sensitive data or deploy malware on affected servers. Microsoft released a patch in its latest security update and urges immediate application to mitigate the risk.
Researchers Uncover SS7 Protocol Bypass Attack Technique
Security experts have detailed a new attack method that bypasses protections in the Signaling System 7 (SS7) protocol, commonly used in mobile networks for call routing and SMS delivery. The technique allows adversaries to intercept communications, spoof identities, or disrupt services by manipulating network signaling. Telecom providers are advised to implement enhanced authentication and monitoring to counter these threats, which have been observed in targeted espionage campaigns.
Cisco ISE RCE Vulnerabilities Actively Exploited in the Wild
Cisco has confirmed active exploitation of multiple critical RCE flaws in its Identity Services Engine (ISE), including CVE-2025-20281, CVE-2025-20282, and CVE-2025-20337. These unauthenticated vulnerabilities allow attackers to execute arbitrary code as root, potentially leading to full system compromise. Patches are available for ISE versions 3.3 and 3.4. Admins should upgrade immediately to prevent unauthorized access.
Google Chrome Hit by Type Confusion Attacks in V8 Engine
A high-severity type confusion vulnerability (CVE-2024-12053) in Chrome's V8 JavaScript engine has been exploited, allowing remote attackers to execute code via crafted web pages. This could result in data theft or malware installation. Google patched it in version 131.0.6778.108; users should verify their browser is updated to avoid drive-by attacks.
Mozilla Releases Firefox 141 with Fixes for Critical Vulnerabilities
Mozilla's Firefox 141 update addresses 18 vulnerabilities, including high-impact memory safety bugs and flaws in JavaScript handling (e.g., CVE-2025-8027 and CVE-2025-8028). These could enable arbitrary code execution or privilege escalation on 64-bit systems. The release also patches moderate issues such as sandbox bypasses; update now to secure your browsing.
SonicWall SMA 100 Series Vulnerable to Critical RCE Flaw
SonicWall has issued patches for a critical authenticated RCE vulnerability (CVE-2025-40599) in SMA 100 appliances, stemming from unrestricted file uploads. Attackers with admin credentials could upload and execute malicious files. While this specific flaw has not yet been exploited, related attacks on SMA devices have been reported. Apply updates to version 10.2.1.0-17sv or later.
Other News
Wireshark 4.4.8 Released with Bug Fixes
The latest version of the popular network protocol analyzer, Wireshark 4.4.8, focuses on stability improvements and protocol updates. This release addresses several bugs, including crashes related to Bluetooth process IDs and fuzz-testing assertions. It builds on features from 4.4.0 such as automatic profile switching and enhanced display filter support. Available for Windows, macOS, and as source code.
Kali Linux Boosts Raspberry Pi Wi-Fi Capabilities
Kali Linux 2025.1 introduces new packages, brcmfmac-nexmon-dkms and firmware-nexmon, that enable native monitor mode and packet injection on the Raspberry Pi's onboard Wi-Fi. This leverages the Nexmon framework to overcome hardware limitations in Broadcom/Cypress chipsets, simplifying wireless security assessments without external adapters. Installation is now streamlined for models including the Raspberry Pi 5.
Arrest of Key Russian Cybercrime Forum Admin
Ukrainian authorities arrested the suspected administrator of XSS.is, a major Russian-language cybercrime forum with over 50,000 users. The platform facilitated stolen data sales, hacking tools, and ransomware services, generating an estimated €7 million for the admin. The arrest follows a four-year investigation involving French police and Europol, with the suspect also linked to a private messaging service for criminals.
WhoFi: AI Wi-Fi Tech Tracks People Without Cameras
Researchers unveiled WhoFi, an AI system that uses Wi-Fi signals to identify and track individuals with up to 95.5% accuracy. It analyzes channel state information (CSI) distortions caused by human bodies, creating unique biometric signatures similar to fingerprints. The technology works without visual input and can detect gestures, raising privacy concerns about surveillance applications.
BreachForums Resurfaces After FBI Takedown
Notorious hacking site BreachForums is back online, reportedly revived by admin ShinyHunters using the same domains despite an FBI seizure earlier this month. The platform, a hub for malware and stolen data, was briefly defaced by law enforcement, but operators regained control through a domain registrar appeal. This marks another revival for the site, the successor to RaidForums.
Bulletproof Hosting Provider Aeza Shifts Infrastructure
Sanctioned bulletproof hosting firm Aeza Group is migrating over 2,100 IPs to a new autonomous system (AS211522) to evade U.S. Treasury sanctions. Detected on July 20, 2025, the move follows OFAC actions against Aeza for enabling ransomware and data theft. The shift to Hypercore LTD infrastructure aims to sustain services for cybercriminals.