Microsoft has updated its previous advisory to add more details on a China-linked threat actor it tracks as Storm-2603, which is actively exploiting a chain of critical SharePoint vulnerabilities to deploy Warlock ransomware. The campaign leverages the spoofing vulnerability (CVE-2025-49706) and the remote code execution bug (CVE-2025-49704) in unpatched on-premises SharePoint servers. The attackers are using the flaws to deploy a malicious web shell named spinstall0.aspx, allowing them to run commands via SharePoint's w3wp.exe process.
Microsoft rolled out emergency security updates as part of its July Patch Tuesday release. Shortly after, the company reclassified the vulnerabilities under new identifiers, CVE-2025-53770 and CVE-2025-53771, after discovering that attackers had managed to breach even fully patched SharePoint servers. The company released additional fixes for SharePoint Subscription Edition, SharePoint 2019, and SharePoint 2016. The tech giant said it has been observing Chinese threat actors exploiting the SharePoint zero-day vulnerability chain, dubbed ‘ToolShell’, to compromise dozens of organizations worldwide, including entities in government (such as the US nuclear agency), telecommunications, and software sectors. Cybersecurity firm CrowdStrike said it observed hundreds of exploitation attempts targeting over 160 customer environments. According to CrowdStrike, the attack involves a deserialization vulnerability that allows attackers to upload a malicious .aspx web shell (spinstall0.aspx) onto compromised SharePoint servers.
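A defender-side triage helper for the two indicators named above (requests for the spinstall0.aspx web shell in IIS logs, and SharePoint's w3wp.exe spawning a command interpreter). This is an added example, not code from Microsoft or CrowdStrike; the log lines, the request path and the Sysmon-style field names (ParentImage, Image, CommandLine) are constructed assumptions.

```python
"""Triage constructed IIS W3C logs and process-creation events for ToolShell indicators."""
from dataclasses import dataclass

WEB_SHELL = "spinstall0.aspx"                      # web shell name from the advisory
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}  # interpreters w3wp.exe should not spawn

@dataclass
class Finding:
    source: str   # "iis" or "process"
    detail: str

def parse_iis_w3c(text: str) -> list[dict]:
    """Parse W3C extended log text, taking column names from its #Fields directive."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows

def find_web_shell_requests(text: str) -> list[Finding]:
    """Flag any request whose URI stem names the web shell (case-insensitive)."""
    out = []
    for r in parse_iis_w3c(text):
        if WEB_SHELL in r.get("cs-uri-stem", "").lower():
            out.append(Finding("iis", f"{r['c-ip']} {r['cs-method']} {r['cs-uri-stem']} -> {r['sc-status']}"))
    return out

def find_w3wp_spawning_shells(events: list[dict]) -> list[Finding]:
    """Flag process-creation events where w3wp.exe is the parent of a shell."""
    out = []
    for e in events:
        parent = e["ParentImage"].rsplit("\\", 1)[-1].lower()
        child = e["Image"].rsplit("\\", 1)[-1].lower()
        if parent == "w3wp.exe" and child in SHELLS:
            out.append(Finding("process", f"w3wp.exe -> {child}: {e['CommandLine']}"))
    return out

# Constructed sample input: two web shell hits (one in upper case) and one benign request.
SAMPLE_IIS = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2025-07-21 03:14:07 203.0.113.7 POST /_layouts/15/spinstall0.aspx - 200
2025-07-21 03:14:09 198.51.100.2 GET /sites/hr/default.aspx - 200
2025-07-21 03:15:30 203.0.113.7 GET /_LAYOUTS/15/SPINSTALL0.ASPX - 200
"""
# Constructed sample events: one shell under w3wp.exe, one benign shell under explorer.exe.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c echo test"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]

def triage(iis_text: str = SAMPLE_IIS, events: list[dict] = SAMPLE_EVENTS) -> list[Finding]:
    return find_web_shell_requests(iis_text) + find_w3wp_spawning_shells(events)
```

Run `triage()` against real IIS logs and endpoint telemetry; the parser honours whatever `#Fields` order the server emits, so exported logs need no reshaping.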
More than 1,000 internet-accessible CrushFTP servers are vulnerable to hijack attacks via a critical security flaw, tracked as CVE-2025-54309. The vulnerability, which stems from improperly handled AS2 validation, allows threat actors to gain administrative access to the software's web interface.
SonicWall is urging customers to patch their SMA 100 series appliances (SMA 210, 410, and 500v) to address a critical vulnerability (CVE-2025-40599) that could allow remote code execution. The flaw stems from an unrestricted file upload issue in the devices' web management interfaces, potentially allowing attackers with admin access to upload malicious files. The vulnerability does not impact SMA 1000 series products or SSL-VPN on SonicWall firewalls.
A Russian-aligned threat actor, tracked as Hive0156, continues its attacks on Ukrainian government and military personnel, according to IBM X-Force. The group's tactics closely align with those of a threat actor tracked by CERT-UA as UAC-018. Hive0156 primarily uses weaponized Microsoft LNK and PowerShell files to deliver and execute the Remcos Remote Access Trojan (RAT), enabling remote control and data exfiltration.
The National Cybersecurity Response Team of Ukraine (CERT-UA) has warned of an ongoing campaign targeting the national security and defense sector. The attacks, attributed with moderate confidence to the Russian-linked cyber espionage group UAC-0001 aka APT28, leverage a sophisticated new tool named ‘Lamehug’, a Python-based malware using large language model (LLM) capabilities.
The UK Government sanctioned three units of Russia’s military intelligence agency (GRU), along with 18 of its military intelligence officers. The GRU units named have been involved in years-long operations, including cyberattacks, disinformation campaigns, and even acts of physical violence.
A joint report by OpenMinds and the Digital Forensic Research Lab (DFRLab) reveals that a network of 3,634 automated Telegram accounts systematically targeted Ukrainian populations in Russian-occupied territories from January 2024 to April 2025. The bots posted tailored pro-Russian messages designed to influence local sentiment, distinguishing their content from broader messaging across Russia and Ukraine. The disinformation campaign focused on three main themes: pro-Russian propaganda, anti-Ukrainian narratives, and abstract anti-war messaging promoting peaceful coexistence.
The Russian aerospace and defense industries have been targeted in a cyber espionage campaign dubbed ‘Operation CargoTalon’, linked to a threat group tracked as UNG0901. The attackers deployed a backdoor called EAGLET, which gathers system data and connects to a remote server to receive and execute commands. The malware enables shell access and file transfers, though the exact payloads remain unknown due to the C2 server being offline. Seqrite also found evidence of similar EAGLET-based campaigns against the Russian military, with overlaps in code and tactics seen in another threat group, Head Mare, which also targets Russian entities.
Arctic Wolf Labs has spotted a new campaign orchestrated by the APT group known as Dropping Elephant, targeting Turkish defense contractors, including a key manufacturer of precision-guided missile systems. The attack is delivered via malicious LNK files masquerading as conference invitations related to unmanned vehicle systems. It employs a five-stage execution chain and uses living-off-the-land binaries (LOLBAS), including VLC Media Player and Microsoft Task Scheduler, for DLL side-loading and defense evasion.
Singapore’s authorities released a security advisory warning that a China-linked cyber espionage group known as UNC3886 is targeting Singapore’s critical infrastructure. The threat actor’s TTPs include the use of zero-days in Fortinet, VMware and Juniper devices (e.g., CVE-2023-34048, CVE-2022-41328); deploying custom malware such as MOPSLED, RIFLESPINE, REPTILE, TINYSHELL variants, VIRTUALSHINE, VIRTUALPIE, CASTLETAP and LOOKOVER; living-off-the-land methods, SSH credential harvesting, backdoors via Google Drive and GitHub C2; deep persistence even on network and virtualization infrastructure; and disabling logging and tampering with forensic artifacts.
According to a new report by cybersecurity firm Sygnia, a sophisticated cyber-espionage group linked to China is targeting virtualization infrastructure globally. The attackers, tracked under the name “Fire Ant,” are compromising VMware ESXi hypervisors used in enterprise networks. Leveraging custom tools to maintain long-term access while avoiding detection by standard security systems, the campaign resembles tactics used by the known China-linked group UNC3886.
Zscaler ThreatLabz released a report detailing two separate China-linked malicious campaigns targeting the Tibetan community. Dubbed ‘Operation GhostChat’ and ‘Operation PhantomPrayers’, the campaigns took advantage of increased online activity around the Dalai Lama's 90th birthday to distribute the Ghost RAT and the PhantomNet backdoor respectively, in multi-stage attacks.
Security researchers at Lookout Threat Lab have spotted a mobile forensics application named Massistant, reportedly used by law enforcement in China to extract sensitive data from smartphones. Believed to be the successor to a 2019 surveillance tool called MFSocket, Massistant is not distributed through official app stores and requires physical access to a device for installation.
A separate Lookout report details an Iran-affiliated malware campaign involving a new version of the DCHSpy Android spyware being spread under the guise of apps like Earth VPN, Comodo VPN, Hide VPN, and Hazrat Eshq.
The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned three North Korean individuals, Kim Se Un, Jo Kyong Hun, and Myong Chol Min, and a company, Korea Sobaeksu Trading Company, for their roles in fraudulent IT worker schemes. The operations involved North Korean tech workers using fake or stolen identities to gain employment at US companies, generating revenue for the North Korean government.
In the meantime, Christina Marie Chapman, an American citizen, was sentenced to 102 months in prison for her involvement in a fraudulent scheme that helped North Korean IT workers pose as US citizens to secure remote jobs at over 300 US companies. The scheme generated over $17 million in illicit revenue for Chapman and North Korea. Chapman pleaded guilty to conspiracy, identity theft, and money laundering. She was also ordered to serve three years of supervised release, forfeit nearly $285,000, and pay a $176,850 judgment.
Two separate malware campaigns, dubbed ‘Soco404’ and ‘Koske’, have been targeting cloud environment vulnerabilities and misconfigurations to deploy cryptocurrency miners. Soco404, observed by Wiz, attacks both Linux and Windows systems by deploying platform-specific malware and uses process masquerading to hide its malicious activity as legitimate system processes. Meanwhile, Koske, detailed by Aqua, is a Linux-focused threat suspected to be developed with help from a large language model. It propagates through misconfigured servers like JupyterLab by exploiting them to execute hidden payloads embedded in panda-themed JPEG images. The payloads include a C-based rootkit leveraging LD_PRELOAD to conceal malware files and a shell script that downloads cryptocurrency miners, both running entirely in memory to avoid disk detection.
The ScamEmpire project released an interesting report on the inner workings of scam call centers and the network of tech tools and services they rely on to conduct fraud.
Ukrainian law enforcement agencies, in cooperation with French police and Europol, took action against the XSS.is cybercrime forum, which had over 50,000 registered users, including notorious hacker groups like REvil, LockBit, Conti, and Qilin. The platform’s services were used to launch cyberattacks on banking systems, government institutions, and major corporations in the US and the EU. According to the police, authorities were able to discover the location of the forum’s administrator and partially disrupt the infrastructure used by the platform.
On the same note, the dark web extortion sites of the BlackSuit ransomware operation were reportedly seized as part of an international law enforcement operation. The BlackSuit gang, believed to have been active since April or May 2023, operated as a private ransomware group. Unlike ransomware-as-a-service (RaaS) models, BlackSuit did not lease its tools to other cybercriminals. BlackSuit is believed to be a rebranded version of the Royal ransomware group previously linked to the Conti ransomware network, one of the most notorious and closely watched cybercriminal organizations associated with Russian threat actors.
Japan’s National Police Agency (NPA) has released a free decryption tool for victims of the Phobos and 8Base ransomware groups.
The FBI has released a public warning about IRL Com, a subgroup of the larger online threat group known as The Com (short for The Community). The Com is an international, English-speaking network made up mostly of minors who engage in various cybercrimes. IRL Com members often collaborate around shared goals and offer “swatting-for-hire” services via social media and messaging apps. They use technology to hide their identities and are typically paid in cryptocurrency. Internal conflicts within the group frequently lead to swatting and doxing among members.