ALERTS 2025 JULY
DATE | NAME | INFO | CATEGORY | SUBCATEGORY
25.7.25 | Chaos Ransomware Group Surfaces with Aggressive Tactics | A newly identified ransomware-as-a-service group called Chaos has rapidly gained traction, launching double extortion attacks primarily in the U.S., with additional victims in the U.K., India, and New Zealand. Cisco Talos links the group to former BlackSuit (Royal) operators based on overlapping tactics and tooling. | RANSOM | |
25.7.25 | Malicious Hangul Word Processor documents delivering RokRAT | In a change from previous distribution methods, a recent campaign saw the RokRAT malware delivered through Hangul Word Processor documents (.hwp) rather than previously observed .lnk files. The HWP document embeds a legitimate executable and a malicious DLL responsible for initial payload execution. | VIRUS | |
25.7.25 | Chinese APT Clusters Escalate Attacks on Taiwan's Semiconductor Sector | The Taiwanese semiconductor industry has become the primary target of a series of sophisticated spear-phishing campaigns orchestrated by three distinct Chinese state-sponsored threat actor groups: UNK_FistBump, UNK_DropPitch, and UNK_SparkyCarp. | ALERTS | APT |
25.7.25 | Recent malicious activities attributed to the UNG0002 threat group | A new cluster of malicious activities dubbed "Operation AmberMist" has been attributed to the threat group known as UNG0002. The attackers have been focusing on victims from various industry sectors and distributing miscellaneous payloads including Shadow RAT, Blister DLL Implant, and INET RAT. | GROUP | |
25.7.25 | DCHSpy malware distributed by the Seedworm APT group | A new campaign distributing mobile DCHSpy surveillanceware malware has been reported in the wild. The activity is attributed to the Seedworm APT group (aka MuddyWater). DCHSpy has the functionality to collect and exfiltrate various data from the compromised devices including: stored contacts, SMS messages, local files, call logs, WhatsApp messenger data and more. | VIRUS | |
25.7.25 | Greedy Sponge threat group distributes AllaKore RAT and SystemBC malware to Mexican organizations | A financially-motivated threat group known as Greedy Sponge has been reported to conduct a new campaign spreading AllaKore RAT and SystemBC malware to Mexican organizations. | ALERTS | VIRUS |
25.7.25 | New ACR Stealer variant features updates aimed at detection evasion | ACR Stealer is a C++-based infostealer variant that emerged on the threat landscape last year. A new campaign distributing this malware has now been reported in the wild. | VIRUS | |
25.7.25 | New wave of extortion scam: "hitmen" threaten acid attacks in exchange for Litecoin | Lately, Symantec has observed a sudden theme change in extortion scam emails. In general, these emails make use of threatening language in order to extort money from the recipients. Scammers appear to have kicked off a new extortion scam campaign by posing as professional hitmen offering services such as destruction of property or injury. | CRYPTOCURRENCY | |
25.7.25 | CVE-2025-53770 - Critical SharePoint Zero-Day vulnerability exploited in the wild | Microsoft has patched a zero-day vulnerability in SharePoint following reports of its exploitation in the wild. The vulnerability (CVE-2025-53770), dubbed ToolShell, affects on-premises SharePoint servers and gives an attacker unauthenticated access to vulnerable servers, allowing them to remotely execute code and access all content and file systems. | VULNERABILITY | |
19.7.25 | Scanception: A sophisticated QR Code phishing campaign | A phishing campaign dubbed Scanception has been observed targeting organizations in key sectors such as healthcare, finance and others. The attack begins with phishing emails containing PDF attachments that appear legitimate but include embedded QR codes. | PHISHING | |
19.7.25 | SquidLoader malware targets financial institutions | A new campaign leveraging SquidLoader malware for malicious payload delivery has been reported to target financial institutions in Hong Kong, Singapore, China and Australia. The attack chain is initiated via targeted malspam disguised as invoice-related correspondence. | CAMPAIGN | |
19.7.25 | KawaLocker Ransomware | KawaLocker (aka KAWA4096) is a new ransomware variant recently identified in the wild. The malware encrypts user data and appends random extensions to the locked files. The ransom note is dropped in the form of a text file called “!!Restore-My-file-Kavva.txt”, with the victims asked to contact the attackers via the Tox messenger for further instructions. | RANSOM | |
19.7.25 | Matanbuchus 3.0 | A newer version of the Matanbuchus malware loader has been observed in the wild. Recent attacks notably exploit Microsoft Teams’ external call feature, with attackers impersonating IT support staff to trick victims into running malicious PowerShell scripts disguised as a Notepad++ updater. | ALERTS | VIRUS |
19.7.25 | New Lcrypt0rx ransomware variant observed in campaigns also delivering H2miner malware | According to the latest report from Fortinet, a new H2miner malware campaign has been found to overlap with Lcrypt0rx ransomware deployments. Lcrypt0rx is a VBScript-based variant that appends the .lcryx extension to the encrypted files. | RANSOM | |
17.7.25 | Emmenhtal leveraged by MaaS operators in recent campaigns | In a recent report published by Cisco Talos, researchers highlighted recent campaigns that used Emmenhtal to deliver various payloads. One campaign included the Emmenhtal loader contained within a phishing mail archive attachment, while another hosted Emmenhtal on various GitHub repositories to deliver the Amadey payload. | CAMPAIGN | |
17.7.25 | New wave of Tech Support Scams exploits legitimate chat platforms and uses brand impersonation | Tech/Fund Support scam techniques are continuously evolving to appear more legitimate. Previously, scammers included phone numbers in phishing emails, relying on victims to initiate contact. | SPAM | |
17.7.25 | DeadLock Ransomware | Another ransomware actor known as "DeadLock" has been observed making the rounds. Upon successful compromise, encrypted files are appended with a .dlock extension. At this time, it is unconfirmed whether the actor engages in double-extortion tactics (i.e., threatening to sell data if the ransom is not paid). | RANSOM | |
17.7.25 | XWorm disguised as Epstein Files | Amid renewed public interest in the Epstein case and debates around the release of related files, cybercriminals are leveraging this topical news for social engineering lures. One actor has been observed spreading XWorm, a known commodity malware often sold on Telegram channels and underground forums, disguised as fake Epstein files (Epstein files2.exe). | ALERTS | VIRUS |
17.7.25 | Many branches in the AsyncRAT tree | A recently published report highlights the extensive branching of derivative RATs traceable to AsyncRAT. AsyncRAT is a highly modular Remote Access Trojan that fundamentally allows an attacker to control a compromised system. | VIRUS | |
17.7.25 | Octalyn Stealer Targets Crypto, VPNs, and Browser Data via Deceptive Forensic Toolkit | Octalyn Stealer is a sophisticated new malware masquerading as a legitimate forensic toolkit on GitHub. Designed for large-scale data theft and exfiltration, it illicitly targets sensitive user data, including VPN configurations, browser credentials (passwords, cookies, auto-fill, browsing history), and critical cryptocurrency wallet information for Bitcoin, Ethereum, Litecoin, and Monero. | VIRUS | |
17.7.25 | Konfety mobile malware | Konfety is a mobile malware variant identified in a recent distribution campaign. The malware employs a unique technique of malforming the ZIP file structure in an effort to avoid detection and forensic analysis. | ALERTS | VIRUS |
17.7.25 | CVE-2025-52488 - DNN platform vulnerability | CVE-2025-52488 is a recently disclosed vulnerability affecting DNN Platform, which is an open-source web content management system (CMS) based on the .NET Framework. | VULNERABILITY | |
17.7.25 | New mobile crypto-stealing malware SparkKitty | A new mobile crypto-stealing malware, SparkKitty, has infiltrated Android and iOS devices via Google Play and the Apple App Store. | VIRUS | |
17.7.25 | WeevilProxy malware targets cryptocurrency users | WeevilProxy is a new malware variant observed to be predominantly targeting cryptocurrency users. The campaigns' main propagation relies on various advertising campaigns via Google ads or miscellaneous social networks. | CRYPTOCURRENCY | |
17.7.25 | Global - a new BlackLock ransomware variant | Global is a new ransomware variant believed to be a rebrand of the BlackLock ransomware strain. According to the report published by the EclecticIQ researchers, the malware is sold as part of a Ransomware-as-a-Service (RaaS) offering by the threat actors previously associated with an older ransomware family known as Mamona. | ALERTS | RANSOM |
17.7.25 | Interlock RAT via FileFix scheme | A newly observed Interlock RAT variant is being delivered through PHP scripts, marking a shift from previous JavaScript-based methods. | VIRUS | |
17.7.25 | New variant of macOS malware ZuRu observed in the wild | Researchers have observed a new macOS-based ZuRu malware variant being spread in the wild. The malware is distributed via trojanized macOS application bundles and leverages the open-source Khepri framework for performing post-infection activities. | VIRUS | |
17.7.25 | Web Injection Campaign: JSFireTruck | Palo Alto Networks Unit 42 has uncovered a large-scale campaign, dubbed JSFireTruck, that injects heavily obfuscated JavaScript into legitimate websites. | HACKING | |
17.7.25 | Amos Stealer Adds Backdoor | In a significant shift, researchers have observed that Atomic macOS Stealer (AMOS) has added a persistent backdoor to its payload, enabling long-term remote access to infected Macs. | VIRUS | |
17.7.25 | Sainbox RAT delivered via fake software installers | A new campaign delivering a variant of Gh0stRAT dubbed Sainbox RAT via fake software installers has been reported in the wild. The attackers disguise the malware binaries as apps well known in China such as DeepSeek, Sogou or WPS Office. | CAMPAIGN | |
17.7.25 | Cloudflare temporary tunnels used to serve up payloads | A recently observed campaign leverages legitimate cloud services like TryCloudflare to host and deliver highly evasive RATs such as AsyncRAT, XWorm, VenomRAT, and Remcos. | CAMPAIGN | |
17.7.25 | SafePay ransomware | SafePay is a ransomware variant first discovered last year. Over time, the attackers behind this strain have been reported to compromise over 200 victims across various sectors. | RANSOM | |
17.7.25 | Mobile Threat: Qwizzserial | In mid-2025, researchers observed a sharp rise in Qwizzserial, a newly discovered Android malware designed to steal banking credentials and intercept SMS-based two-factor authentication codes. | VIRUS | |
12.7.25 | CVE-2025-47812 – Wing FTP Server vulnerability exploited in the wild | CVE-2025-47812 is a recently disclosed Remote Code Execution (RCE) vulnerability affecting Wing FTP Server, which is a cross-platform file transfer software. | ALERTS | VULNERABILITY |
12.7.25 | New Pay2Key ransomware campaign leverages I2P network | A ransomware-as-a-service (RaaS) operation distributing a new variant of the Pay2Key malware has been reported in the wild. Dubbed Pay2Key.I2P, the campaign has been linked to the activities of the Fox Kitten APT group. | RANSOM | |
12.7.25 | Malicious scripts lead to XWorm RAT | Campaigns distributing the XWorm remote access trojan often leverage various scripting languages. The most frequently observed malicious scripts include batch files, and those written in Visual Basic, JavaScript, and PowerShell. | VIRUS | |
12.7.25 | Phishing Campaign Masquerades as "Ordre des Experts-Comptables" Document | Symantec has observed a phishing campaign leveraging a deceptive HTML attachment disguised as an official document from l’Ordre des Experts-Comptables, the French national order of chartered accountants. | CAMPAIGN | |
9.7.25 | NordDragonScan infostealer | NordDragonScan is a new Windows-based infostealing malware variant identified by researchers from Fortinet. Recently observed campaigns leverage malicious .HTA files in order to deliver the infostealing payload to the intended victims. | ALERTS | VIRUS |
9.7.25 | RondoDox botnet | RondoDox is a new botnet recently identified by researchers from Fortinet. RondoDox has been reported to leverage two high-severity vulnerabilities for spreading: CVE-2024-3721 and CVE-2024-12856. | BOTNET | |
9.7.25 | Datebug APT attacks against BOSS Linux systems | The Datebug threat group (also known as APT36 or Transparent Tribe) has been reported to conduct a new campaign targeting BOSS Linux systems. | APT | |
9.7.25 | NimDoor - a Nim-based malware for macOS | NimDoor is a newly identified malware variant for the macOS platform. Compiled in the Nim programming language, the malware targets Web3 and cryptocurrency-related platforms. The attackers leverage social engineering tactics to approach their victims. | VIRUS | |
6.7.25 | Malicious Abuse of ConnectWise (ScreenConnect) | Over the past several months, we have observed a sharp increase in the malicious use of the popular Remote Monitoring and Management (RMM) tool ConnectWise by ransomware operators, Initial Access Brokers, APTs, and other eCrime actors. | APT | |
6.7.25 | Remcos malspam campaign starts with a tar archive | A recently observed Remcos campaign began with a malicious email containing a .tar archive attachment. The archive contains a .lnk file which launches PowerShell to download the Remcos payload. | CAMPAIGN | |
6.7.25 | Janela RAT delivered in a recent campaign | Janela RAT (Remote Access Trojan) is a modified variant of a malware known as BX RAT. Janela RAT has been previously seen spread in campaigns targeting banking users from the LATAM region. | VIRUS | |
6.7.25 | Blackmoon’s expanding arsenal | The Blackmoon banking trojan, known for targeting users of online financial services, particularly in South Korea, has evolved into a more deceptive and multi-functional threat. | VIRUS | |
6.7.25 | DEVMAN - a new DragonForce ransomware variant | DEVMAN is a new customized ransomware variant from the DragonForce malware family. The malware encrypts data and appends the .DEVMAN extension to locked files. | RANSOM | |
6.7.25 | GIFTEDCROOK malware upgraded for document theft via Telegram | An enhanced version of the GIFTEDCROOK malware, operated by the UAC-0226 threat group, has been reported, marking a significant upgrade from its earlier capabilities first observed in February 2025. | VIRUS | |
2.7.25 | Braodo infostealer hosts downloaded components on GitHub | A recently observed campaign involving Braodo stealer malware leveraged GitHub to house multiple components downloaded in the attack chain. | ALERTS | VIRUS |
2.7.25 | CVE-2025-4322: WordPress Motors theme privilege escalation vulnerability | CVE-2025-4322 is a critical unauthenticated privilege escalation vulnerability (CVSS 9.8) affecting the WordPress Motors theme in versions up to 5.6.67. | VULNERABILITY | |
2.7.25 | EmailJS and HubSpot Abused in CCMA Phishing Scheme | A new phishing campaign is circulating under the guise of a legal summons from South Africa’s Commission for Conciliation, Mediation and Arbitration (CCMA), leveraging urgency and fear to pressure recipients into action. | PHISHING | |