0bj3ctivityStealer targets multiple sectors in global phishing campaign
Trellix researchers observed a campaign delivering 0bj3ctivityStealer via phishing emails. The campaign primarily targets the United States, Germany, and Montenegro, with noticeable activity also observed in other countries in Europe, North America, Southeast Asia, and Australia. The most targeted sectors include government institutions and manufacturing companies. The phishing email includes the subject ‘Quotation offer’ and a low-quality image of a fake purchase order that, once clicked on, redirects the user to JavaScript hosted on the Mediafire cloud service. The JavaScript is an obfuscated PowerShell script that downloads a JPG image, which hides a .NET DLL, VMDetector Loader, using steganography. VMDetector Loader creates a scheduled task for persistence and fetches the final payload, 0bj3ctivityStealer, which is injected into the Regasm executable using process hollowing. 0bj3ctivityStealer uses junk code, randomised names for functions and variables, virtualised environment detection, and encoding for strings to prevent analysis. The malware targets Chrome, Edge, and Gecko-based browsers, instant messaging applications, email credentials, and cryptocurrency. It uses Telegram for unidirectional C2 communication and SMTP to exfiltrate stolen information.
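The report says the loader DLL is hidden inside a JPG with steganography but does not say how. The following is an added example, not code from the Trellix report, of the first check an analyst would run on such an image: walk the JPEG marker structure to the real End-Of-Image marker and report anything appended after it, flagging a PE header or a base64 blob. It assumes the simplest embedding (a payload appended after the image); the sample JPEG bytes are constructed inline, and a least-significant-bit scheme would need a different detector.

```python
"""Flag JPEG files that carry extra data after the End-Of-Image (EOI) marker.

Added example, not from the Trellix write-up. Assumption: the payload is
appended after the JPEG's FFD9 marker. The sample image below is constructed
(structurally valid for marker walking, not a decodable picture).
"""
import base64
import re
import struct

SOI = b"\xff\xd8"
EOI = b"\xff\xd9"


def jpeg_eoi_offset(data: bytes):
    """Return the offset just past the true EOI marker, or None if not a JPEG.

    Walks length-prefixed segments up to SOS, then scans entropy-coded data for
    FFD9 (which cannot occur inside the scan: FF bytes there are stuffed as FF00
    or are RSTn markers), so FFD9 bytes in appended data are not mistaken for EOI.
    """
    if not data.startswith(SOI):
        return None
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte
            pos += 1
            continue
        if marker == 0xD9:                      # EOI before any SOS
            return pos + 2
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:   # RSTn / TEM: no length
            pos += 2
            continue
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seglen
        if marker == 0xDA:                      # SOS: entropy-coded data follows
            while pos + 1 < len(data):
                if data[pos] == 0xFF and data[pos + 1] == 0xD9:
                    return pos + 2
                pos += 1
            return None
    return None


def trailing_payload(data: bytes) -> dict:
    """Describe bytes found after EOI and simple indicators of an embedded payload."""
    end = jpeg_eoi_offset(data)
    if end is None:
        return {"valid_jpeg": False, "trailing_bytes": 0, "indicators": []}
    tail = data[end:]
    indicators = []
    if tail.startswith(b"MZ"):                  # DOS/PE header at the start of the tail
        indicators.append("pe_header")
    if re.fullmatch(rb"[A-Za-z0-9+/=\r\n]{64,}", tail):   # long base64-only blob
        indicators.append("base64_blob")
    return {"valid_jpeg": True, "trailing_bytes": len(tail), "indicators": indicators}


def build_minimal_jpeg() -> bytes:
    """Constructed sample: SOI, APP0/JFIF, a tiny SOS with a stuffed FF00, then EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\xff\x00\x56"
    return SOI + app0 + sos + EOI


if __name__ == "__main__":
    clean = build_minimal_jpeg()
    for name, blob in [
        ("clean", clean),
        ("pe_appended", clean + b"MZ\x90\x00" + b"A" * 100),
        ("b64_appended", clean + base64.b64encode(b"x" * 60)),
        ("not_jpeg", b"\x89PNG\r\n"),
    ]:
        print(name, trailing_payload(blob))
```

A hit on `pe_header` or `base64_blob` is a triage signal, not proof: the decoder stage that extracts and loads the payload still has to be found in the script that fetched the image.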
Operation CargoTalon targets Russian aerospace and defense sector with EAGLET backdoor
Seqrite researchers observed an ongoing campaign, dubbed operation CargoTalon, targeting the Russian aerospace and defense sector. The campaign has targeted employees of Voronezh Aircraft Production Association and military recruitment with spearphishing emails that deliver a DLL implant, dubbed EAGLET. The campaign involves a multi-stage attack chain, beginning with a malicious ZIP email attachment containing a DLL and a LNK file. The LNK file is used to execute the malicious DLL and spawns a decoy pop-up, with PowerShell used to run the script in the background. EAGLET is then executed, sometimes alongside a decoy XLS file embedded within the implant. The campaign has been attributed to the threat actor UNG0901.
SilverTerrier targets global aerospace and transportation organisations with BEC scams
Security researcher Brian Krebs detailed a phishing campaign targeting the transportation and aviation industries. In one instance, the attackers tricked an executive working in the transportation industry into entering their credentials into a fake Microsoft 365 login portal, enabling them to mine the target’s inbox for past communications related to invoices. The threat actors modified some of the messages with new invoice demands and sent them out to some of the company’s customers and partners, leveraging a spoofed domain. The email address tied to the spoofed domain can be associated with at least 240 phishing domains registered in 2024 or 2025. Almost all of the domains mimic legitimate domains tied to global companies within the aerospace or transportation industries. The associated infrastructure has been attributed to the SilverTerrier cybercrime group, based in Nigeria.
Dropping Elephant APT targets Turkish defense industry
In July 2025, Arctic Wolf researchers observed a new campaign by the suspected Indian cyberespionage group, Dropping Elephant, targeting Turkish defense contractors, specifically a manufacturer of precision-guided missile systems. The campaign coincides with heightened defense cooperation between Turkey and Pakistan and recent India-Pakistan military tensions, suggesting a possible geopolitical motive. Dropping Elephant uses spearphishing emails purporting to be conference invitations to the Unmanned Aerial Vehicle conference that took place on July 28th and July 29th, 2025 in Istanbul, to deliver a malicious LNK file. A five-stage PowerShell-based execution chain is used to deliver malicious payloads. To evade detection, the attackers use legitimate binaries for VLC Media Player and Microsoft Task Scheduler. Dropping Elephant appears to have significantly developed its capabilities, with the group transitioning from x64 DLL variants observed in November 2024 to the current use of x86 PE executables. An observed two-month preparation timeline from domain registration to active operations also indicates a highly targeted and well-planned campaign.
Multiple custom tools and backdoors used against Southwest Asia telecommunications industry
Between February and November 2024, Palo Alto Networks Unit 42 researchers observed multiple incidents targeting the telecommunications industry in Southwest Asia. The activity, tracked as CL-STA-0969, includes attacking and leveraging interconnected mobile roaming networks, as well as the use of several tools to provide resilient remote control for future objectives. Initial access was achieved via SSH brute force, after which the attackers deployed the AuthDoor backdoor, which shares similarities with the SLAPSTICK backdoor, and the Cordscan network scanning and packet capture utility. Other backdoors deployed include GTPDoor, EchoBackdoor, ChronosRAT, and NoDepDNS, with the SGSN Emulator tool also used to bypass firewall restrictions and network intrusion detection systems. To escalate privileges, the threat actor exploited CVE-2016-5195, CVE-2021-4034 and CVE-2021-3156. Different shell scripts were used to establish a reverse SSH tunnel. Other tools used in the attacks include Microsocks proxy, fast reverse proxy, FScan, and Responder. CL-STA-0969 is believed to be associated with a nation-state nexus, with observed activity and victimology heavily overlapping with activity attributed to Liminal Panda.
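Initial access here was SSH brute force, which leaves a dense trail in sshd logs. The following is an added example, not code from the Unit 42 report, of the aggregation a defender would run over those logs: count failed logins per source address in a sliding window, raise an alert once a threshold is crossed, and record whether the same source later logged in successfully (the pattern that matters most for incident response). The log lines, host names, addresses, threshold and window are all constructed or assumed.

```python
"""Sliding-window SSH brute-force detection over syslog-style sshd lines.

Added example, not from the Unit 42 report. Log lines are constructed;
threshold (10 failures) and window (60 s) are assumptions to tune per site.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches OpenSSH "Failed password" / "Accepted publickey" style lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2"
)


def parse(line: str, year: int = 2024):
    """Return (timestamp, result, user, ip) or None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog has no year
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold: int = 10, window_seconds: int = 60, year: int = 2024):
    """Return {ip: alert} for sources with >= threshold failures inside any window.

    Each alert records the first/last failure, the failure count, and whether
    an Accepted login from the same source followed the burst.
    """
    events = [e for e in (parse(l, year) for l in lines) if e]
    events.sort(key=lambda e: e[0])
    fails = defaultdict(deque)   # ip -> timestamps of failures inside the window
    alerts = {}
    for ts, result, user, ip in events:
        if result == "Failed":
            q = fails[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()      # drop failures that fell out of the window
            if len(q) >= threshold:
                alert = alerts.setdefault(ip, {"first": q[0], "success_after": False})
                alert["last"] = ts
                alert["failures"] = len(q)
        elif result == "Accepted" and ip in alerts:
            alerts[ip]["success_after"] = True
            alerts[ip]["success_user"] = user
    return alerts


def build_sample_log():
    """Constructed lines: one burst that ends in a login, plus benign noise."""
    base = datetime(2024, 11, 12, 3, 14, 0)
    fmt = "%b %d %H:%M:%S"
    lines = []
    for i in range(12):                       # 12 failures in 22 seconds
        t = base + timedelta(seconds=2 * i)
        lines.append(f"{t:{fmt}} sgsn-gw sshd[{4100 + i}]: Failed password for "
                     f"invalid user admin from 203.0.113.7 port {50000 + i} ssh2")
    t = base + timedelta(seconds=30)
    lines.append(f"{t:{fmt}} sgsn-gw sshd[4200]: Accepted password for root "
                 f"from 203.0.113.7 port 50012 ssh2")
    for i in range(3):                        # slow, sparse failures: not a burst
        t = base + timedelta(seconds=120 * i)
        lines.append(f"{t:{fmt}} sgsn-gw sshd[{4300 + i}]: Failed password for ops "
                     f"from 198.51.100.4 port {51000 + i} ssh2")
    lines.append(f"{base:{fmt}} sgsn-gw sshd[4400]: Accepted publickey for ops "
                 f"from 192.0.2.10 port 52000 ssh2")
    lines.append(f"{base:{fmt}} sgsn-gw sshd[4401]: Connection closed by 192.0.2.10 port 52000")
    return lines


if __name__ == "__main__":
    for ip, alert in detect_bruteforce(build_sample_log()).items():
        print(ip, alert)
```

A source that crosses the threshold and then gets an `Accepted` line is the case to escalate immediately; in the campaign above that login is where the backdoors were dropped, so the next pivot is the process and file activity of that session.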
Ransomware
Free Decryptor Released for AI-Powered FunkSec Ransomware – GBHackers On Security – Jul 30 2025
Gunra Ransomware Group Unveils Efficient Linux Variant – Trend Micro – Jul 29 2025
Threat Actors Lure Victims Into Downloading .HTA Files Using ClickFix To Spread Epsilon Red Ransomware – CloudSEK Blog – Jul 25 2025
BlackSuit ransomware extortion sites seized in Operation Checkmate – Bleeping Computer – Jul 24 2025
Unmasking the new Chaos RaaS group attacks – Talos Intelligence Blog – Jul 24 2025
Financial Services
UNC2891 Bank Heist: Physical ATM Backdoor & Linux Forensic Evasion – Group-IB – Jul 30 2025
Sealed Chain of Deception: Actors leveraging Node[.]JS to Launch JSCeal – CheckPoint Research – Jul 29 2025
Romania Warns of Financial Scam Impersonating its Newly Re-Appointed Minister of Finance – The Cyber Express – Jul 29 2025
RedHook: A New Android Banking Trojan Targeting Users In Vietnam – Cyble Blog – Jul 28 2025
ToxicPanda: The Android Banking Trojan Targeting Europe – BitSight Security Ratings Blog – Jul 28 2025
Geopolitics
China’s Covert Capabilities | Silk Spun From Hafnium – SentinelLabs – Jul 30 2025
Sonatype uncovers global espionage campaign in open source ecosystems – Sonatype – Jul 30 2025
Pro-Ukrainian hackers claim massive cyberattack on Russia’s Aeroflot – Reuters – Jul 28 2025
Nation Group hit by 200 million cyberattacks in Cambodian IO campaign – The Nation – Thailand – Jul 27 2025
Hive0156 Hackers Targeting Government and Military Organizations to Deploy REMCOS RAT – GBHackers On Security – Jul 24 2025
High Priority Vulnerabilities
Name | Software | Base Score | Temporal Score | Related
---|---|---|---|---
CVE-2023-2533 | NG | 8.4 | 8.8 | Remote code execution flaw in PaperCut NG and PaperCut MF actively exploited
CVE-2025-31324 | NetWeaver | 9.8 | 9.4 | SAP NetWeaver flaw exploited in Auto-Color backdoor attack
CVE-2022-1388 | BIG-IP | 9.8 | 9.4 | Fire Ant leverages multi-layered attack kill chains to target VMware ESXi and vCenter
CVE-2025-5394 | Alone Plugin | 9.8 | 7.1 | Attackers Actively Exploiting Critical Vulnerability in Alone Theme
CVE-2021-36260 | Product | 9.8 | 5.5 | Linux mount command leveraged in command injection attacks against Hikvision devices