Cybersecurity threats surged in July, from zero-day exploits and deepfake diplomacy to ransomware campaigns hitting governments and virtual infrastructure.
Cybercrime Breaking News
- Microsoft confirms active exploitation of SharePoint zero-day CVE-2025-53770 by ransomware gang Storm-2603.
- Lazarus Group plants malware in 230+ npm and PyPI packages in a massive developer-targeted espionage campaign.
- Iranian spyware DCHSpy resurfaces, exfiltrating WhatsApp and files from regime critics via fake VPN apps.
Cybersecurity Justice & Regulation
- Authorities dismantle pro-Russian NoName057(16), seize 100+ servers, and issue arrest warrants.
- A former U.S. soldier pleads guilty to telecom hacks and a $1M extortion scheme conducted while on duty.
- Ukrainian and French police arrest the suspected admin of dark web forum XSS.is, tied to €7M in criminal gains.
As global cybercrime escalates, July’s cases highlight not only evolving threat tactics but also the growing overlap between espionage, AI abuse, and high-profile digital extortion.
Cybercrime Breaking News
Microsoft warns of active global exploitation of a critical zero-day flaw (CVE-2025-53770) in on-premises SharePoint servers that allows persistent access via stolen cryptographic keys, urging immediate mitigation, patching, and investigation. Meanwhile, Chinese threat group Storm-2603 is exploiting the same vulnerability to deploy Warlock ransomware, with attacks targeting over 400 government and business systems worldwide.
A newly discovered version of the Iranian spyware DCHSpy is being used by the MuddyWater group to target regime critics by exfiltrating WhatsApp data, files, and other sensitive information via politically themed lures and malicious apps disguised as VPN or banking tools.
Chinese-linked cyber spies, tracked as “Fire Ant,” are targeting VMware ESXi virtualization infrastructure worldwide using stealthy tools to gain long-term, hard-to-detect access, according to cybersecurity researchers.
North Korean hackers from the Lazarus Group have embedded malware in over 230 open-source packages on npm and PyPI to spy on developers and infiltrate critical infrastructure in a sweeping espionage campaign that may have affected more than 36,000 users.
French authorities revealed that a Chinese-linked hacking group dubbed Houken exploited zero-day flaws in Ivanti CSA devices to infiltrate critical French sectors – including government, telecom, media, finance, and transport – using advanced rootkits and web shells, with evidence suggesting Houken operates as part of a multi-party access-broker scheme selling entry points to state-aligned actors.
BERT is a newly emerged ransomware group targeting Windows and Linux systems across the healthcare, tech, and event sectors in Asia, Europe, and the U.S., using PowerShell loaders, privilege escalation, and rapid encryption methods – often shutting down ESXi virtual machines first – with code and tactics resembling REvil and Babuk.
Three previously unknown Chinese state-backed groups launched spear-phishing campaigns between March and June 2025 targeting Taiwan’s semiconductor industry and related investment analysts, deploying tools like Cobalt Strike and a custom backdoor called Voldemort through deceptive job applications and malicious PDF links.
IT giant Ingram Micro confirmed it was hit by ransomware just before the July 4 holiday, disrupting internal systems used to process and ship orders. The attack has been linked to the SafePay group, known for stealing large volumes of data in recent incidents across the tech and healthcare sectors.
Australian airline Qantas confirmed that hackers breached a third-party contact center, exposing data of 5.7 million customers – including names, emails, phone numbers, birthdates, and frequent flyer numbers – though the company says the leaked information isn’t sufficient to access accounts.
- Cybercriminals have created over 17,000 fake news websites impersonating outlets like CNN and BBC to promote fraudulent crypto investment schemes, targeting victims across 50+ countries with region-specific content and professional-looking scam platforms.
- Louis Vuitton confirmed data breaches in Turkey, South Korea, and the UK, exposing customer names and contact details; no financial data was compromised.
- Dell confirmed a hacker breached its product demo platform, but said no sensitive or customer data was exposed, as the system is isolated and contains only synthetic or public data.
- A social engineering attack on a third-party CRM system compromised personal data belonging to the majority of Allianz Life’s 1.4 million customers, as well as some employees and financial professionals, the company confirmed.
- A data breach at the Tea app exposed 72,000 user images – including 13,000 driver’s license selfies – after hackers accessed an unsecured legacy storage system, with the stolen data now circulating on cybercriminal forums.
The FBI and other federal agencies warned that the Interlock ransomware group is targeting healthcare and critical infrastructure in North America and Europe using deceptive tactics like fake browser updates and drive-by downloads, with victims selected opportunistically and ransom demands made in Bitcoin.
CISA has ordered federal agencies to patch the critical Citrix Bleed 2 vulnerability (CVE-2025-5777), warning it poses an “unacceptable risk” to national cybersecurity.
Google has uncovered a cyber campaign targeting end-of-life SonicWall SMA 100 appliances, where attackers use a custom backdoor and stolen credentials, including one-time password (OTP) seeds, to regain access, evade detection by wiping logs, and potentially exfiltrate data for extortion.
An Iranian-linked ransomware group, Pay2Key.I2P, is offering higher payouts to affiliates who launch attacks against U.S. and Israeli targets.
Cyberwar between Russia and Ukraine: Updates
Two new pro-Russian hacktivist groups, IT Army of Russia and TwoNet, have recently emerged, coordinating DDoS attacks, data theft, and insider recruitment against Ukraine and its allies, as part of a broader shift in tactics and alliances among pro-Russian cyber actors.
A Russian court sentenced a man to 16 years in a high-security prison for launching pro-Ukraine cyberattacks that damaged critical infrastructure and disrupted local company systems, in one of several treason cases tied to cyber activity since the war began.
Cybersecurity and AI
An unknown actor used AI to impersonate U.S. Secretary of State Marco Rubio on Signal, leaving deepfake voicemails for foreign ministers and lawmakers, prompting a State Department investigation into the growing threat of voice cloning in diplomacy.
Cybersecurity Justice
An international law enforcement operation has disrupted the pro-Russian hacker group NoName057(16), dismantling over 100 servers, issuing arrest warrants for key members, and warning hundreds of online supporters aiding their DDoS attacks on Ukraine and allied nations.
The BlackSuit ransomware gang’s darknet extortion sites were seized in an international law enforcement operation led by U.S. Homeland Security Investigations, marking a major blow to the group responsible for over $500 million in ransom demands.
The U.S. Treasury sanctioned Russian bulletproof hosting provider Aeza Group for enabling ransomware groups, info-stealer operations, and darknet drug markets targeting global victims. Several affiliated companies and key executives were also designated, following joint actions with U.K. authorities and arrests by Russian law enforcement.
A U.S. woman has been sentenced to over eight years in prison for running a scheme that helped North Korean operatives pose as American remote workers using stolen identities, enabling them to earn millions from over 300 U.S. companies and funnel funds to North Korea’s weapons program.
UK police arrested four suspects, aged 17 to 20, in connection with ransomware attacks that disrupted operations at M&S, Co-op, and Harrods.
Ukrainian authorities, with support from France and Europol, arrested the suspected administrator of the dark web forum XSS.is, a long-running Russian-language marketplace for malware, stolen data, and ransomware services, accused of enabling cybercriminal activity and earning over €7 million in illicit profits.
The FBI, with help from Dutch authorities, seized and dismantled several major piracy websites used to illegally download Nintendo Switch and PS4 games, citing over 3.2 million downloads and $170 million in losses.
Microsoft shut down 3,000 Outlook and Hotmail accounts linked to North Korean IT workers who used AI-enhanced identities, voice-changing software, and fake documentation to infiltrate global tech jobs and generate millions in crypto for the regime.
Ransomware gang Hunters International announced it is shutting down and offering free decryption tools to victims, though experts question the tools’ effectiveness and suspect the group may be rebranding as the extortion-focused World Leaks, potentially continuing ties to the dismantled Hive operation.
- A 21-year-old former U.S. Army soldier pleaded guilty to hacking multiple telecom companies, stealing call records, and attempting to extort over $1 million while on active duty.
- Romanian police arrested 13 people and UK authorities detained one more in a coordinated crackdown on a phishing-based tax fraud ring that stole personal data to claim millions in fraudulent UK tax refunds.
- Spanish police arrested a 19-year-old computer science student and an accomplice for allegedly leaking personal data of top officials and journalists, with authorities calling them a serious national security threat linked to far-right Telegram channels and potential cyberterrorism.
- A former UK law enforcement officer has been jailed for stealing 50 Bitcoin – now worth over £4.4 million – from a darknet drug trafficker’s seized wallet and laundering the funds through crypto mixers and debit cards.
CISA and Sandia National Laboratories have launched Thorium, a free, scalable malware analysis platform that automates forensic workflows by integrating commercial, open-source, and custom tools to help cyber defenders rapidly assess and respond to threats.
Japanese police released a free decryptor for Phobos and 8Base ransomware, following a global law enforcement takedown that dismantled the group’s infrastructure, led to multiple arrests, and revealed over $16 million extorted from victims since 2019.
FinTech Updates
Over $40 million was stolen from decentralized exchange GMX in a cyber attack, with the hacker quickly laundering the funds and prompting the platform to offer a 10% bounty for their return. The attacker has now returned the stolen assets after accepting a $5 million bounty, though legal consequences may still be possible.
Indian crypto exchange CoinDCX lost $44 million from an internal operational account in a breach that didn’t affect customer funds, with the company pledging to cover losses and offering rewards for help recovering the stolen assets.
Cybersecurity News Across The Globe
- Brazilian police arrested a software company employee accused of aiding hackers in a $100 million cyber heist that exploited the country’s PIX instant payment system, affecting at least six financial institutions.
- Thailand’s Ministry of Labor website was restored after being defaced by the Devman ransomware gang, which claimed to have stolen 300 GB of sensitive data and demanded $15 million, though officials say no internal systems were breached.
- Indonesia has extradited a Russian national to Moscow, where he is accused of selling sensitive personal data from Russian law enforcement databases via a Telegram channel between 2018 and 2021.
AMATAS will continue to monitor this space and deliver salient information regularly. Stay tuned for our next report and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website www.amatas.com or by e-mailing office@amatas.com.
As always – be vigilant, stay alert, and think twice.