Cybersecurity firm Huntress has warned of active exploitation in the wild of a Wing FTP Server remote code execution vulnerability (CVE-2025-47812). Organizations running Wing FTP Server should update to version 7.4.4, which fixes the flaw, as soon as possible.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a high-risk vulnerability (CVE-2025-5777) in Citrix NetScaler ADC and Gateway to its Known Exploited Vulnerabilities catalog. The flaw, dubbed ‘Citrix Bleed 2,’ allows attackers to bypass authentication due to insufficient input validation, specifically when the device is configured as a Gateway or AAA virtual server.
This week, Microsoft released its July 2025 Patch Tuesday security updates, addressing more than 130 vulnerabilities across its products. Among the fixes is a patch for a previously disclosed vulnerability in Microsoft SQL Server. The flaw, tracked as CVE-2025-49719, is an information disclosure issue in SQL Server that could allow a remote, unauthenticated attacker to access sensitive data by reading uninitialized memory.
Nippon Steel Solutions Corporation (NSSOL) confirmed a cybersecurity breach resulting from a zero-day vulnerability in its network devices, leading to unauthorized access to internal servers and a potential data leak. NSSOL launched an investigation, which revealed that a third party had gained unauthorized access to sensitive internal data.
A research team from the University of Toronto has shown that Rowhammer-style attacks can be successfully executed on GPUs, using a new method dubbed "GPUHammer." They demonstrated the attack on an Nvidia GPU, using it to degrade the accuracy of machine learning models. Rowhammer attacks exploit repeated access to DRAM rows to induce bit flips in neighboring memory areas, a vulnerability known for over a decade.
Trellix researchers have uncovered a cyber espionage campaign conducted by the DoNot APT group, targeting a European foreign affairs ministry. The attack used a malicious Google Drive link, which delivered a RAR archive containing malware previously linked to the DoNot APT.
Chinese cybersecurity firm QiAnXin has discovered a previously unknown cyber-espionage group, dubbed ‘NightEagle’ (aka APT-Q-95 and APT-C-78), allegedly operating from North America. The group has been active since at least 2023, targeting China’s high-tech sectors, including chipmakers, quantum technology firms, AI companies, and the military-industrial complex. NightEagle is described as highly stealthy, well-funded, and technically sophisticated, reportedly using a suspected Microsoft Exchange zero-day exploit to gain covert access to networks.
PAN’s Unit42 report details several of the most prominent ClickFix campaigns observed so far in 2025. Notably, distributors of the NetSupport remote access Trojan (RAT) have introduced a new loader to enhance their attacks. Meanwhile, operators behind the Latrodectus malware are employing a new ClickFix-themed campaign to lure victims. Additionally, the Lumma Stealer campaign has expanded its reach, targeting various industries with updated and more sophisticated techniques.
The Unit42 researchers also uncovered an ongoing campaign involving a threat actor tracked as TGR-CRI-0045, believed to be linked to the broader group Gold Melody (also known as UNC961 or Prophet Spider). The campaign exploits leaked Machine Keys used in ASP.NET applications, enabling attackers to breach organizations across Europe and the United States.
The Bundeswehr has recently been targeted by a series of cyberattacks believed to have been orchestrated by Russian cybercriminals, affecting two of its military suppliers. One attack in mid-June hit a Hesse-based company providing satellite communications. Another breach involved an engineering firm in Lower Saxony with access to sensitive documents, including Germany’s national defense strategy. Preliminary findings indicate that the Ministry of Defense’s internal networks were not compromised.
CYFIRMA has uncovered a sophisticated cyber-espionage campaign orchestrated by the Pakistan-based threat actor APT36 (aka Transparent Tribe) targeting personnel in India’s defense sector. More recently, APT36 has shifted its focus to Linux-based environments, particularly targeting systems running BOSS Linux, a distribution widely deployed across Indian government agencies.
In a separate report the cybersecurity company detailed a malware campaign hosted on GitHub, involving malicious payloads disguised as “Free VPN for PC” and “Minecraft Skin Changer.” Once executed, the dropper file Launch.exe deploys Lumma Stealer, a well-known info-stealing malware. The campaign uses techniques like process injection, DLL side-loading, and stealthy execution to evade detection and compromise user systems.
GreyNoise has uncovered a new variant of a scraper botnet. It has been observed across more than 3,600 unique IP addresses worldwide, with most of the targeted systems located in the United States and the United Kingdom. A significant portion of the botnet’s infrastructure is based in Taiwan, GreyNoise says, accounting for 54% of the identified IPs, followed by Japan, Bulgaria, and France.
A new PolySwarm report details the SparkKitty malware that has been targeting iOS and Android devices since early 2024, primarily affecting users in Southeast Asia and China. It infiltrates both official app stores and untrusted websites, often disguised as legitimate apps. Once installed, it steals all images from a device’s gallery, aiming to extract sensitive information such as cryptocurrency wallet seed phrases.
Cybersecurity firm Red Canary released an updated report on Mocha Manakin, a threat actor using the paste-and-run technique (also known as ClickFix or fakeCAPTCHA) to trick users into running malicious scripts. It delivers various payloads, such as LummaC2, HijackLoader, and Vidar. Mocha Manakin deploys a custom NodeJS-based backdoor called NodeInitRAT, which establishes persistence, performs system reconnaissance, and communicates with attacker-controlled servers via HTTP, often using Cloudflare tunnels. NodeInitRAT can execute arbitrary commands and deliver further payloads to compromised machines.
Over one million users have unknowingly installed browser extensions that turn their browsers into proxies for a web scraping botnet. The extensions include a library called Mellowtel, which activates when users are inactive, disables security protections, and loads remote websites in hidden iframes to scrape data. Cybersecurity firm SecureAnnex discovered Mellowtel in 245 extensions across Chrome, Edge, and Firefox. The library appears linked to Olostep, a company offering a powerful web scraping API. SecureAnnex believes Mellowtel functions as a backend for Olostep, helping route scraping traffic through users’ browsers.
ANY.RUN released a technical analysis of Ducex, a Chinese Android packer found in Triada malware samples. Its primary objective is to hinder static and dynamic analysis and evade detection. Ducex complicates debugging by verifying APK signatures, self-debugging via fork and ptrace, and terminating execution if tools like Frida, Xposed, or Substrate are detected. Notably, the Triada payload is concealed within Ducex’s own classes.dex file, appended as a large, encrypted section beyond the legitimate code, reducing the chance of its being spotted as a separate malicious file.
In the first quarter of 2025, SafePay ransomware incidents rose sharply, affecting over 200 victims globally, including managed service providers (MSPs) and small-to-midsize businesses (SMBs) across various sectors, according to Acronis. Unlike typical ransomware groups that use a ransomware-as-a-service (RaaS) model, SafePay operates under centralized control, handling its own infrastructure, operations, and negotiations. The group uses techniques such as RDP and VPN access exploitation, credential theft, privilege escalation, and living-off-the-land to infiltrate networks, steal data, and encrypt files. SafePay was recently linked to a major ransomware attack on global IT distributor Ingram Micro. Currently, it remains unclear whether SafePay is a new group or a rebrand of an older one. Its malware shows similarities to the LockBit ransomware family, particularly the LockBit 3.0 (or LockBit Black) builder leaked in 2022.
A cybercrime group known as BERT has begun targeting organizations across Asia, Europe, and the United States with ransomware attacks that affect both Windows and Linux platforms. Tracked by Trend Micro as ‘Water Pombero,’ BERT has already compromised multiple victims in sectors such as healthcare, technology, and event services since April.
The relatively new ransomware group SatanLock has announced its shutdown. The group made the announcement via its official Telegram channel and Dark Web leak site. Victim listings that were previously available on its .onion site have been removed, replaced by a message saying that all files will be leaked.
The Shellter Project has confirmed that its commercial AV/EDR evasion tool Shellter Elite has been weaponized by hackers after a customer leak. According to Elastic Security Labs, financially motivated threat actors have been using Shellter to distribute info-stealer malware since late April 2025. The campaigns appear to involve version 11.0 of Shellter Elite, which was released on April 16, 2025.
Italian authorities have apprehended Xu Zewei, a 33-year-old Chinese national, suspected of involvement in a state-sponsored hacking campaign targeting US Covid-19 vaccine research. Xu was detained following an international warrant from the United States, which is seeking his extradition. He is allegedly linked to the China-backed hacking group Hafnium (also known as Silk Typhoon), believed to be behind the 2021 Microsoft email server breaches.
The US Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned Song Kum Hyok, a senior North Korean official linked to the Reconnaissance General Bureau and the Andariel hacking group, for running a scheme that placed North Korean IT workers in US jobs using stolen American identities. The workers posed as US citizens to gain remote employment. OFAC also sanctioned Russian national Gayk Asatryan and four of his companies for collaborating with North Korean entities to illegally bring workers into Russia.
French authorities have arrested Russian professional basketball player Daniil Kasatkin on suspicion of being involved in a ransomware gang. US authorities allege that Kasatkin participated in cyberattacks between 2020 and 2022 that targeted around 900 companies, including two federal institutions. Kasatkin is accused of negotiating ransom payments.
Ukrainian cyberpolice dismantled a criminal group involved in stealing money from citizens’ bank accounts. The criminals called victims pretending to help with transferring their mobile phone number to a new SIM card. During this process, the victim’s original SIM was blocked, and the phone number was transferred to a SIM controlled by the criminals. Gaining control over the victims’ financial phone numbers, the group accessed online banking systems and transferred funds from victims’ accounts to cards controlled by accomplices, then withdrew cash from ATMs.
The FBI, in cooperation with international law enforcement including the Dutch fiscal police, has seized the domain names of several gaming piracy websites, notably NSW2U.com, a long-time target of Nintendo. It remains unclear whether any arrests or charges have been made in connection with the operation, TorrentFreak reported.
Four people under the age of 21 have been arrested in connection with a string of cyberattacks that disrupted operations at several major UK retailers, including Marks & Spencer, the Co-op, and Harrods. The suspects, males aged 17 and 19 and a 20-year-old woman, were detained at their homes in the West Midlands and London. All are being questioned by the NCA’s National Cyber Crime Unit on suspicion of Computer Misuse Act offences, blackmail, money laundering, and involvement in organized crime. Electronic devices were seized during the raids.
Brazilian authorities have arrested a 48-year-old programmer in connection with a massive cyberattack that targeted Brazilian software firm C&M and led to the theft of R$1 billion (approximately $185 million) from six major banks. João Nazareno Roque, a junior back-end developer at C&M, was allegedly recruited by hackers in a bar in São Paulo. According to police, Roque sold his work credentials for R$5,000 (about $900) and later received an additional R$10,000 ($1,800) to execute malicious commands on C&M’s internal systems.
Ukraine has introduced a new sanctions package targeting Russian and international crypto-related entities. The list includes 19 major Russian crypto miners, 17 digital asset issuers, and five crypto exchanges. Also, sanctioned entities include A7, issuer of the ruble-backed stablecoin A7A5, and non-Russian firms such as Cyprus-based Tokentrust Holdings, Kazakhstan-based EXMO, and UAE-based AWX Solutions FZ.
A recent investigation by Nikkei Asia has revealed that researchers from 14 academic institutions across eight countries, including Japan, South Korea, and China, embedded hidden prompts in academic manuscripts to manipulate artificial intelligence tools into giving positive reviews.
An imposter using an artificially generated voice impersonated Secretary of State Marco Rubio in communications with three foreign ministers and two US politicians. The perpetrator reportedly contacted the targets in mid-June using the encrypted messaging app Signal, “with the goal of gaining access to information or accounts.”