Cyber Security Week in Review: August 1, 2025


Microsoft's threat intelligence team has uncovered a cyberespionage campaign orchestrated by the Russian state-backed actor Secret Blizzard (aka VENOMOUS BEAR, Uroburos, Snake, Blue Python, Turla, Wraith, ATG26, and Waterbug), targeting foreign embassies in Moscow since at least 2024. The group uses an adversary-in-the-middle (AiTM) technique, likely enabled through lawful intercept capabilities, to deploy its custom ApolloShadow malware. The malware installs a rogue trusted root certificate, often disguised as Kaspersky Anti-Virus, to intercept and manipulate encrypted traffic. This allows Secret Blizzard to maintain long-term access to diplomatic devices and collect sensitive intelligence. The US Cybersecurity and Infrastructure Security Agency (CISA) attributes Secret Blizzard to the Russian Federal Security Service (FSB Center 16).
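A defender-side check for the rogue-root technique described above, written for this roundup and not taken from Microsoft's report: it compares the Windows trusted-root stores against a previously saved baseline and flags self-signed roots whose subject matches a watch list. The baseline path, the watch list and the flag thresholds are assumptions for illustration.

```powershell
# Added example (not from Microsoft's report): audit the Windows trusted-root
# stores for roots absent from a saved baseline, plus any self-signed root whose
# subject matches a watch list. Path and watch list are illustrative assumptions.
param(
    [string]   $BaselinePath  = 'C:\ProgramData\RootBaseline.txt',  # one thumbprint per line
    [string[]] $WatchSubjects = @('Kaspersky'),                       # vendor names to flag
    [switch]   $SaveBaseline                                          # write a new baseline and exit
)

$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
$roots  = foreach ($s in $stores) {
    Get-ChildItem -Path $s | ForEach-Object {
        $_ | Add-Member -NotePropertyName Store -NotePropertyValue $s -PassThru
    }
}

if ($SaveBaseline) {
    # Capture the current state on a known-good machine for later comparison.
    $roots.Thumbprint | Sort-Object -Unique | Set-Content -Path $BaselinePath
    "Saved $($roots.Count) root thumbprints to $BaselinePath"
    return
}

$baseline = if (Test-Path $BaselinePath) { Get-Content $BaselinePath } else { @() }

$findings = foreach ($cert in $roots) {
    $reasons = @()
    if ($baseline -and ($cert.Thumbprint -notin $baseline)) { $reasons += 'not in baseline' }
    foreach ($w in $WatchSubjects) {
        # A root that is both self-signed and carries a vendor name is the pattern
        # described for ApolloShadow; a genuine AV install can also add one.
        if ($cert.Subject -like "*$w*" -and $cert.Subject -eq $cert.Issuer) {
            $reasons += "self-signed root with '$w' in subject"
        }
    }
    if ($reasons) {
        [pscustomobject]@{
            Store      = $cert.Store
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotBefore  = $cert.NotBefore
            Reason     = ($reasons -join '; ')
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No unexpected roots found.' }
```

A watch-list hit is a lead, not a verdict: a legitimately installed Kaspersky product also adds its own root for TLS inspection, so confirm whether the product is actually present before treating the certificate as rogue.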

Validin has shared an infrastructure analysis and Indicators of Compromise (IoCs) related to Laundry Bear (aka Void Blizzard), a Russian state-sponsored APT group active since at least April 2024. The group primarily conducts cyber-espionage targeting NATO countries and Ukraine. It has gained initial access through stolen credentials or session cookies and employed spear-phishing tactics using domain typosquats.

Check Point has provided an in-depth report on the tactics, techniques, and procedures (TTPs) of Storm-2603 (a group observed exploiting the recent SharePoint vulnerabilities known as ToolShell), along with a technical breakdown of ak47c2, a custom malware framework used in their attacks, and of their various ransomware payloads. Microsoft linked the group to Lockbit and Warlock ransomware use. A separate Check Point report describes a malicious campaign, dubbed ‘JSCEAL’, which has been actively targeting cryptocurrency app users since March 2024. The operation exploits malicious advertisements to distribute fake crypto trading apps and deploy advanced malware designed to steal sensitive financial data.

Threat actors have been observed exploiting a now-patched critical vulnerability in SAP NetWeaver to deploy the Auto-Color backdoor in a targeted attack against a US-based chemicals company in April 2025. According to a report from cybersecurity firm Darktrace, the attack, which took place in mid-April, exploited CVE-2025-31324, a critical flaw in SAP NetWeaver application servers that allows attackers to upload arbitrary files, potentially leading to remote code execution and full system compromise.

Chinese companies believed to be affiliated with the state-sponsored hacking group known as Silk Typhoon (Hafnium) have been linked to over a dozen technology patents for intrusive forensics and data collection technologies, according to the latest SentinelLabs findings. The patents, analyzed by the team, mention tools for encrypted endpoint data collection, forensic access to Apple devices, and remote control of routers and smart home systems.

Palo Alto Networks' Unit 42 has released a report detailing a malicious campaign it tracks as CL-STA-0969 targeting telecom networks in Southwest Asia. The attackers targeted interconnected mobile roaming systems but there’s no evidence of data exfiltration or that the intruders attempted to track or communicate with target devices within mobile networks. The threat actor installed tools for long-term access and control, including Cordscan, which suggests the attackers were interested in tracking victim locations. Unit 42 believes with high confidence that this activity is linked to a nation-state, likely the group known as Liminal Panda.

The latest DomainTools report provides a glimpse into the DPRK IT worker ecosystem, including key actors, GitHub aliases, laundering flows, shell companies, fake domains, platform infiltration, wallet infrastructure, and global enablers. In addition, here’s a Flashpoint report detailing how North Korean threat actors operate and what techniques they use.

On the same note, Sonatype spotted a new campaign it linked to the North Korean hacking outfit Lazarus Group that embeds malicious code directly in open source package registries.

Cyble Research and Intelligence Labs (CRIL) discovered a new Android banking trojan called ‘RedHook’ targeting users in Vietnam. It spreads through fake government and banking websites, giving attackers full control over infected devices. RedHook uses WebSocket to communicate with a live command-and-control server and supports over 30 remote commands. The malware combines phishing, remote access, and keylogging, and uses Android’s MediaProjection API to capture screen content. Code hints suggest it may have been developed by a Chinese-speaking group.

New research found that AI-generated code fails security checks in 45% of cases, often introducing critical OWASP Top 10 vulnerabilities. Java had the highest risk, with a 72% failure rate. One of the most common flaws was Cross-Site Scripting, which AI tools failed to prevent in 86% of relevant examples.

Elastic discovered a NodeJS-based information stealer dubbed ‘NOVABLIGHT,’ developed and sold by a French-speaking group. It spreads through fake video game downloads and includes modular capabilities for data exfiltration using platforms like Telegram and Discord.

A new Cyfirma report examines Raven Stealer, an information-stealing malware developed primarily in Delphi and C++, designed to extract sensitive data from victim systems. The malware specifically targets Chromium-based browsers (such as Chrome and Edge), extracting passwords, cookies, saved payment details, and autofill information.

CyberProof's threat research team has analyzed an infection by the Oyster backdoor (aka Broomstick or CleanupLoader). The Oyster backdoor campaigns have been active since at least 2023, often tricking users into downloading malicious installers for legitimate software such as Google Chrome and Microsoft Teams. Like other malicious loaders, the Oyster backdoor is frequently used to facilitate ransomware infections, including those linked to the Rhysida strain.

The Gunra ransomware operation has added a Linux variant to its arsenal, capable of running up to 100 encryption threads in parallel and supporting partial encryption. It lets attackers control how much of each file gets encrypted and offers the option to keep RSA-encrypted keys in separate keystore files.

A recent spear-phishing campaign has been discovered distributing the VIP keylogger through malicious email attachments. The attack leverages AutoIt scripts to execute the malware. Once the attachment is opened and the malware is run, the VIP keylogger installs itself on the victim's system. It then captures keystrokes, extracts credentials from popular web browsers such as Chrome, Microsoft Edge, and Firefox, and monitors clipboard activity to steal sensitive information.

A notorious cybercrime group known as Scattered Spider has launched a new wave of targeted attacks against VMware ESXi hypervisors, with a focus on organizations in the retail, airline, and transportation sectors across North America. Scattered Spider employs social engineering tactics to gain initial access, according to Google's Mandiant team. The attackers impersonate employees in phone calls to IT help desks, manipulating support staff into resetting credentials or granting elevated access. Once inside, they exploit trusted administrative tools and access pathways to maintain stealth and control. In parallel, cybersecurity agencies in the US, UK, Canada, and Australia have warned that Scattered Spider is intensifying its operations by targeting enterprise data storage systems after gaining initial access through impersonation of IT help desks.

Security researchers at Outpost24 have released a report detailing a financially motivated cybercriminal group tracked as “Lionishackers”, known for exfiltrating and selling corporate databases and for persistent activity on underground forums.

Unknown threat actors have compromised the GitHub organization account of the talent network Toptal in what appears to be a highly targeted supply chain attack. The attackers used the access to publish 10 malicious packages to the npm registry. The malicious packages, which were downloaded roughly 5,000 times before being removed, contained payloads capable of exfiltrating GitHub authentication tokens and destroying victim systems.

Endgame Gear, a German manufacturer of high-performance gaming peripherals, has issued a security alert after discovering that a version of its configuration tool for the OP1w 4k v2 wireless mouse was compromised with malware and distributed via its official website.

A hacker breached Amazon’s AI-powered development tool, the Q Developer Extension for Visual Studio Code, injecting a data-wiping prompt into its codebase. The compromised version, 1.84.0, was released publicly on July 17 via Microsoft’s Visual Studio Code marketplace, where Amazon Q has nearly one million installs. In response, Amazon launched an internal investigation and released a clean version, 1.85.0, on July 24.

Russian national airline Aeroflot was forced to cancel more than 40 flights following what it described as a major failure in its information systems. A hacking group known as Silent Crow has claimed responsibility for what it called a devastating cyberattack.

Cybercrime forum Leak Zone left an unsecured Elasticsearch database exposed to the internet. The database, accessible to anyone with a web browser, contained over 22 million records detailing the IP addresses and login timestamps of users accessing the forum. The exposed records dated as recently as June 25 and were being updated in real time before the database was taken offline.

Spanish authorities have arrested a suspected hacker in Roses (Girona) for launching a series of cyberattacks against Spanish banks, a driving school, and a public university. According to the Mossos d'Esquadra, the individual, who possessed advanced technical skills, published and sold stolen personal data of employees and clients, as well as internal company documents, on the dark web.

German authorities have released a long-awaited statement on the seizure of the technical infrastructure of the Blacksuit/Royal ransomware group. The press release doesn’t mention whether any arrests were made in connection with the operation.
