China-linked Linen Typhoon, Violet Typhoon, and Storm-2603 exploit ToolShell SharePoint flaws
Microsoft researchers observed two Chinese nation-state actors, Linen Typhoon and Violet Typhoon, and the suspected China-based threat actor, Storm-2603, exploiting two recently disclosed SharePoint server vulnerabilities, tracked as CVE-2025-49706 and CVE-2025-49704, to gain initial access. The exploitation activity, publicly reported as ToolShell, began as early as July 7th, 2025, and involved the threat actors using a POST request to the ToolPane endpoint. Post-exploitation activity has involved web shells containing commands to retrieve MachineKey data and return results via a GET request, enabling the threat actors to steal key material. Storm-2603 has additionally deployed ransomware. The ToolShell exploit is related to bypasses of the two vulnerabilities, tracked as CVE-2025-53770 and CVE-2025-53771. Proof-of-concept exploits have since been made available, with the researchers expecting threat actors to continue to integrate available exploits into their attacks. To date, over 400 servers and 148 organisations have reportedly been breached using ToolShell. Microsoft recently released security updates for all supported versions of SharePoint impacted by the vulnerabilities. Customers are urged to update SharePoint Server 2016, SharePoint Server 2019, and SharePoint Subscription Edition immediately.
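The report describes a two-stage request pattern: a POST to the ToolPane endpoint, then web shells that return MachineKey data via GET requests. The following hunt over IIS W3C logs is an added example (not code from the original report or from Microsoft) that flags both stages: any POST to ToolPane.aspx, and any later GET by the same client to a .aspx under /_layouts/ that had never been requested before. The log excerpt and the web shell file name are constructed for illustration; because stolen key material outlives the patch, Microsoft's guidance also called for rotating ASP.NET machine keys after updating.

```python
"""Hunt IIS W3C logs for the two-stage ToolShell request pattern described above.

Added example, not code from the original report or from Microsoft. The log
lines and the shell file name (example_shell.aspx) are constructed.
"""
import re
from datetime import datetime

TOOLPANE_RE = re.compile(r"/toolpane\.aspx$", re.IGNORECASE)
LAYOUTS_ASPX_RE = re.compile(r"^/_layouts/.*\.aspx$", re.IGNORECASE)

# Constructed IIS log excerpt (W3C extended format; the #Fields header names the columns).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-18 08:01:12 10.0.0.5 GET /_layouts/15/start.aspx - 443 - 10.0.1.20 Mozilla/5.0 200
2025-07-18 08:02:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2025-07-18 08:02:41 10.0.0.5 GET /_layouts/15/example_shell.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2025-07-18 08:05:00 10.0.0.5 GET /_layouts/15/start.aspx - 443 - 10.0.1.21 Mozilla/5.0 200
"""


def parse_w3c(text):
    """Turn W3C extended log text into dict rows keyed by the names in the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        row = dict(zip(fields, parts))
        row["ts"] = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def hunt_toolshell(rows):
    """Return findings for ToolPane POSTs and first-seen /_layouts/*.aspx GETs by the same client."""
    findings = []
    posting_clients = set()   # clients that have POSTed to ToolPane
    seen_stems = set()        # every URI stem requested so far (lower-cased)
    for r in sorted(rows, key=lambda r: r["ts"]):
        method, stem, client = r["cs-method"].upper(), r["cs-uri-stem"], r["c-ip"]
        if method == "POST" and TOOLPANE_RE.search(stem):
            findings.append({"stage": "toolpane_post", "client": client, "uri": stem, "ts": r["ts"]})
            posting_clients.add(client)
        elif method == "GET" and LAYOUTS_ASPX_RE.match(stem):
            # A .aspx under /_layouts/ never requested before, fetched by a client that
            # already hit ToolPane: consistent with a dropped web shell being called.
            if client in posting_clients and stem.lower() not in seen_stems:
                findings.append({"stage": "new_aspx_after_post", "client": client, "uri": stem, "ts": r["ts"]})
        seen_stems.add(stem.lower())
    return findings


def run_sample():
    return hunt_toolshell(parse_w3c(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['ts']} {f['stage']:<22} {f['client']:<15} {f['uri']}")
```

Ordinary GET requests to ToolPane.aspx are deliberately not flagged, since the page is a normal part of the SharePoint editing UI; only the POST and the follow-on requests to previously unseen pages are reported.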
LameHug malware uses LLM to generate data theft and reconnaissance commands
CERT-UA discovered a new malware family, dubbed LameHug, that is using a large language model (LLM) to generate commands to be executed on compromised Windows systems. The malware was discovered on July 10th, 2025, after CERT-UA received reports about malicious emails sent from compromised accounts and impersonating ministry officials attempting to distribute the malware to executive government bodies. LameHug is written in Python and relies on the Hugging Face API to interact with the Qwen 2.5-Coder-32B-Instruct LLM, which can convert natural language descriptions into executable code in multiple languages or shell commands. The emails contain a ZIP attachment that includes a LameHug loader, with at least three variants observed. LameHug executes system reconnaissance and data theft commands, which are used to collect system information and save it to a TXT file, recursively search for documents on key Windows directories, and exfiltrate data using SFTP or HTTP POST requests.
Iranian security firm found to support APT39 attacks targeting airlines and other companies
Security researcher Nariman Gharib analysed a series of leaked internal documents belonging to the Iranian security firm Amnban (Sharif Advanced Technologies), which revealed its facilitation of a state-sponsored operation designed to harvest millions of global airline passengers’ personal data. Details within the leaked documents suggest that Amnban worked for the advanced persistent threat group APT39, which is connected to Iran’s Ministry of Intelligence and Security. The targets include the airlines Royal Jordanian, Turkish Airlines, Rwanda Airlines, and Wizz Air, among others, as well as freight and logistics companies.
APT41 observed targeting African government IT services
Kaspersky researchers identified the advanced persistent threat (APT) group APT41 coordinating a targeted attack against government IT services in Africa, which involved the use of hardcoded names of internal services, IP addresses, and proxy servers embedded within their malware. One of the C2s was a compromised SharePoint server within the victim’s infrastructure. The attack was first identified after observing the use of the WmiExec module from the Impacket toolkit, with the Atexec module also leveraged to create scheduled tasks. The attackers briefly paused their operations before probing for running processes and occupied ports, likely to identify whether any security solutions were installed. The attackers ultimately delivered Cobalt Strike and a custom agent via DLL sideloading, and also used a modified version of the Pillager utility to gather sensitive information, as well as RawCopy and Mimikatz.
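The scheduled-task creation the report attributes to Impacket's Atexec module leaves a Windows Security event 4698 behind. The detector below is an added example (not code from Kaspersky or the Impacket project) that parses 4698 records and flags tasks whose action runs cmd.exe with its output redirected into a file on the target's ADMIN$ or C$ share, the shape remote-execution tooling driving the Task Scheduler commonly produces so that results can be read back over SMB. Both event records are constructed; the host name, task names and account names are placeholders.

```python
"""Flag Windows Security event 4698 (scheduled task created) records whose action is
cmd.exe with output redirected to an administrative share.

Added example, not code from Kaspersky or Impacket. Both events are constructed.
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Output redirected into \\host\ADMIN$\... or \\host\C$\...
ADMIN_SHARE_REDIRECT_RE = re.compile(r">\s*\\\\[^\\\s]+\\(?:ADMIN|C)\$\\", re.IGNORECASE)
XML_DECL_RE = re.compile(r"^\s*<\?xml[^>]*\?>")
TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"


def _build_event(task_name, subject, task_xml):
    """Assemble a constructed 4698 event; TaskContent is XML-escaped as in a real export."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4698</EventID><Computer>fileserver01.example.local</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">{subject}</Data>
    <Data Name="TaskName">{task_name}</Data>
    <Data Name="TaskContent">{escape(task_xml)}</Data>
  </EventData>
</Event>"""


# Constructed task definitions: one routine maintenance task, one remote-exec style task.
BENIGN_TASK = f"""<Task version="1.2" xmlns="{TASK_NS}">
  <Actions><Exec><Command>C:\\Windows\\System32\\defrag.exe</Command><Arguments>C: /O</Arguments></Exec></Actions>
</Task>"""

SUSPICIOUS_TASK = f"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="{TASK_NS}">
  <Actions Context="LocalSystem"><Exec>
    <Command>cmd.exe</Command>
    <Arguments>/C tasklist &gt; \\\\127.0.0.1\\ADMIN$\\out.txt 2&gt;&amp;1</Arguments>
  </Exec></Actions>
</Task>"""

SAMPLE_EVENTS = [
    _build_event("\\Maintenance\\WeeklyDefrag", "svc_maint", BENIGN_TASK),
    _build_event("\\AbCdEfGh", "admin_jdoe", SUSPICIOUS_TASK),
]


def _local(tag):
    """Strip the namespace from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def event_data(event_xml):
    """Collect <Data Name=...> values from a 4698 event regardless of namespace."""
    root = ET.fromstring(event_xml)
    return {el.get("Name"): (el.text or "") for el in root.iter()
            if _local(el.tag) == "Data" and el.get("Name")}


def exec_actions(task_content):
    """(command, arguments) for each <Exec> action. The UTF-16 declaration that TaskContent
    carries is stripped first, because ElementTree rejects it when handed a str."""
    if not task_content.strip():
        return []
    root = ET.fromstring(XML_DECL_RE.sub("", task_content, count=1))
    actions = []
    for exec_el in (el for el in root.iter() if _local(el.tag) == "Exec"):
        cmd = args = ""
        for child in exec_el:
            if _local(child.tag) == "Command":
                cmd = (child.text or "").strip()
            elif _local(child.tag) == "Arguments":
                args = (child.text or "").strip()
        actions.append((cmd, args))
    return actions


def assess_task_event(event_xml):
    """Return {'task', 'subject', 'reasons'}; a non-empty 'reasons' list means review the task."""
    data = event_data(event_xml)
    reasons = []
    for cmd, args in exec_actions(data.get("TaskContent", "")):
        if cmd.lower().endswith("cmd.exe") and ADMIN_SHARE_REDIRECT_RE.search(args):
            reasons.append(f"cmd.exe output redirected to an administrative share: {args}")
    return {"task": data.get("TaskName", ""), "subject": data.get("SubjectUserName", ""), "reasons": reasons}


def flagged(events):
    """Only the assessments that carry at least one reason."""
    return [a for a in (assess_task_event(e) for e in events) if a["reasons"]]


if __name__ == "__main__":
    for hit in flagged(SAMPLE_EVENTS):
        print(hit["task"], hit["subject"], *hit["reasons"], sep=" | ")
```

Pairing this with the task's deletion event (4699) a few seconds later strengthens the signal, since tooling of this kind removes its task once the output has been collected.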
Phishing campaign targets npm maintainer tokens to upload malicious packages
Socket researchers warned of an ongoing phishing campaign targeting npm package maintainers via emails spoofing the nmpjs[.]org email domain. The emails aim to steal maintainers’ credentials in order to hijack their accounts and publish malicious versions of their packages directly to the registry. The malicious versions attempt to execute a DLL on Windows machines and may enable remote code execution. Identified malicious releases include ‘eslint-config-prettier’, ‘eslint-plugin-prettier’, ‘synckit’, ‘@pkgr/core’, and ‘napi-postinstall’. The researchers expect additional maintainers to be targeted, and advise developers to check their lockfiles, audit recent installs, enable two-factor authentication on npm, and pin exact versions.
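Two of the recommended checks, reviewing the lockfile and pinning exact versions, can be scripted. The following audit is an added example (not code from Socket or npm): it reads a package-lock.json in the lockfileVersion 2/3 layout, reports every resolved version of the packages named above, including nested copies, and lists dependencies in package.json whose specifier is a range rather than an exact pin. The manifest and lockfile are constructed, and the version numbers in them are placeholders; the digest does not list the malicious versions, so the resolved versions it prints must be compared against the advisory by hand.

```python
"""Audit a project's lockfile and manifest for the npm packages named in the report.

Added example, not code from Socket or npm. The manifest and lockfile are constructed;
their version numbers are placeholders, not the malicious versions.
"""
import json
import re

# Packages the report identifies as having had malicious versions published.
REPORTED_PACKAGES = {
    "eslint-config-prettier",
    "eslint-plugin-prettier",
    "synckit",
    "@pkgr/core",
    "napi-postinstall",
}

# An exact semver pin: MAJOR.MINOR.PATCH with optional pre-release/build suffix, no range operators.
EXACT_PIN_RE = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")

# Constructed package.json: two of the reported packages, declared with range specifiers.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "demo-app",
    "dependencies": {"left-pad": "1.3.0"},
    "devDependencies": {"eslint-config-prettier": "^1.2.3", "@pkgr/core": "~4.5.6"},
})

# Constructed package-lock.json (lockfileVersion 3 layout: keys are node_modules paths).
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/eslint-config-prettier": {"version": "1.2.3"},
        "node_modules/@pkgr/core": {"version": "4.5.6"},
        "node_modules/some-tool/node_modules/synckit": {"version": "0.1.0"},
    },
})


def _name_from_path(path):
    """'node_modules/a/node_modules/@scope/b' -> '@scope/b' (nested installs included)."""
    return path.rsplit("node_modules/", 1)[-1]


def lock_versions(lock_text):
    """Map package name -> set of resolved versions across the whole dependency tree."""
    lock = json.loads(lock_text)
    versions = {}
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # the root project entry
        versions.setdefault(_name_from_path(path), set()).add(meta.get("version", "?"))
    return versions


def find_reported(lock_text):
    """Resolved versions of the reported packages present in the lockfile."""
    return {n: v for n, v in lock_versions(lock_text).items() if n in REPORTED_PACKAGES}


def unpinned_deps(package_json_text):
    """(name, specifier) pairs whose specifier is not an exact version pin."""
    pkg = json.loads(package_json_text)
    out = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in pkg.get(section, {}).items():
            if not EXACT_PIN_RE.match(spec):
                out.append((name, spec))
    return sorted(out)


if __name__ == "__main__":
    for name, vers in sorted(find_reported(SAMPLE_LOCK).items()):
        print(f"present:  {name} {sorted(vers)}  (compare with the advisory's malicious versions)")
    for name, spec in unpinned_deps(SAMPLE_PACKAGE_JSON):
        print(f"unpinned: {name} {spec}")
```

A range such as `^1.2.3` lets a routine `npm install` on a machine without the lockfile pull a newer, hijacked release; an exact pin plus a committed lockfile keeps the resolved version fixed until a maintainer deliberately changes it.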
Ransomware
Joint Advisory Issued on Protecting Against Interlock Ransomware – CISA Alerts – Jul 22 2025
UK Confirms Ransomware Payment Ban for Public Sector and CNI – Infosecurity Today – Jul 22 2025
NailaoLocker Ransomware’s “Cheese” – NCSC-FI Daily News – Jul 19 2025
Authorities released free decryptor for Phobos and 8base ransomware – Security Affairs – Jul 18 2025
Getting to the Crux (Ransomware) of the Matter – Huntress.com – Jul 18 2025
Financial Services
Soco404: Multiplatform Cryptomining Campaign Uses Fake Error Pages to Hide Payload – Wiz Blog (wiz.io) – Jul 23 2025
Coyote malware abuses Windows accessibility framework for data theft – Bleeping Computer – Jul 22 2025
Credential Theft and Remote Access Surge as AllaKore, PureRAT, and Hijack Loader Proliferate – The Hacker News – Jul 22 2025
Iranian Hackers MuddyWater Use Fake VPN and Banking Apps to Distribute DCHSpy to Governments – TechNadu – Jul 22 2025
Uncovering Chinese Dark Web Syndicates and Money Mule Pipeline to Indian Banks – Threat Reports – CloudSEK – Jul 15 2025
Geopolitics
DCHSpy Android Spyware Linked to Iran’s MuddyWater APT, Targets Geopolitical Foes with Starlink Lures – Securityonline.info – Jul 23 2025
Singapore warns China-linked group UNC3886 targets its critical infrastructure – Security Affairs – Jul 20 2025
Ukrainian hackers wipe databases at Russia’s Gazprom in major cyberattack, intelligence source says – The Kyiv Independent – Jul 18 2025
Operation Overload’s underwhelming influence – ISDGlobal.org – Jul 17 2025
Digital occupation: Pro-Russian bot networks target Ukraine’s occupied territories on Telegram – AtlanticCouncil.org – Jul 16 2025
High Priority Vulnerabilities
| Name | Software | Base Score | Temp Score |
|---|---|---|---|
| CVE-2025-53770 | SharePoint Enterprise Server | 9.8 | 9.4 |
| Related: ToolShell SharePoint zero-days under active exploitation | | | |
| CVE-2025-54309 | CrushFTP | 9.8 | 7.7 |
| Related: CrushFTP warns of active exploitation of recently patched vulnerability | | | |
| CVE-2025-2775 | On-Prem | 7.5 | 7.3 |
| Related: CISA Warns: SysAid Flaws Under Active Attack Enable Remote File Access and SSRF | | | |
| CVE-2025-20282 | Identity Services Engine Software | 10.0 | 9.4 |
| Related: Multiple maximum-severity flaws patched in Cisco ISE and ISE-PIC | | | |
| CVE-2025-5777 | NetScaler Gateway | 9.8 | 9.4 |
| Related: Exploitation of CitrixBleed 2 (CVE-2025-5777) Began Before PoC Was Public | | | |