
Weekly Cyber Round-up

Intelligence Report

July 17, 2025

UNC6148 targets SonicWall SMA 100 devices with OVERSTEP backdoor

Mandiant researchers observed an ongoing campaign, attributed to the financially motivated threat actor UNC6148, targeting patched, end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances. The group is deploying a previously unknown C-based backdoor and user-mode rootkit, dubbed OVERSTEP, which modifies the appliance’s boot process to maintain persistence, steals credentials, and conceals its own components. Scanning activity dates back to at least October 2024; the group likely exploited a known vulnerability to steal administrator credentials and one-time password (OTP) seeds before the appliances were patched, which is why the patch alone does not evict them. After gaining access, the group establishes an SSL-VPN session and spawns a reverse shell, likely via exploitation of a zero-day flaw. SonicWall has confirmed reports of other impacted organisations and updated its advisory for CVE-2024-38475 to recommend OTP seed rotation. The OVERSTEP backdoor and its deployment mechanism appear to be a direct evolution of the wafxsummary tool, and overlaps with World Leaks and Abyss ransomware were also observed, possibly hinting at a data leak and extortion operation.

 


Large-scale phishing campaign leverages fake job listings to steal user credentials

In June 2025, Fortra researchers observed an ongoing large-scale email phishing campaign leveraging fake job listings for major brands. The first email notifies the recipient of a job opportunity they may be interested in; a second email then prompts the recipient to schedule a call with a recruiter. Clicking the ‘Schedule Call’ button redirects the user to different pages depending on whether the threat actors are using a phishing kit or a phishing template. In one variation, the user is redirected to a fake Calendly site, prompted to select a date and time for the meeting, and then asked for their Facebook credentials, which are sent to the threat actors via a Telegram message. In a second variation, the user is redirected to a fake staffing firm domain that presents a personal information form before showing a Google sign-in screen. A similar campaign uses fake Red Bull job offers: the emails contain a link that redirects to a reCAPTCHA screen, followed by a Glassdoor-style fake job description and a fake Facebook login page.

Increase in fake receipt generators facilitates counterfeit goods scams

Group-IB researchers detailed the growth of fake receipt generators that allow threat actors to create counterfeit receipts for well-known brands in order to facilitate the resale of fake or stolen items. One prominent fake receipt generator, MaisonReceipts, operates on a subscription basis, offering either a one-month subscription or a lifetime plan to generate receipts for over 21 brands. MaisonReceipts supports mobile and desktop platforms and offers customisation in German and American formats as well as multiple currencies. The service is promoted through a variety of messaging apps and social networks, including Telegram, YouTube, TikTok, and X, with users granted access to a Discord server after subscribing. The Discord server currently hosts over 30,000 members and functions as real-time customer support.

Multiple Chinese-nexus threat actors target Taiwanese semiconductor industry for espionage

Between October 2024 and June 2025, Proofpoint researchers observed four Chinese state-sponsored threat actors conducting spear phishing campaigns against the Taiwanese semiconductor industry, likely for espionage. In May and June 2025, UNK_FistBump used compromised university email addresses to send phishing emails to recruitment and HR personnel at Taiwan-based semiconductor-related organisations. The emails carried either an archive or a PDF attachment that delivered Cobalt Strike Beacon and a customised variant of the Voldemort backdoor. In April and May 2025, UNK_DropPitch targeted multiple large investment banks in a phishing campaign focused on individuals specialising in financial investment analysis of the Taiwanese semiconductor and technology sectors. The campaign initially delivered the HealthKick backdoor via a sideloaded DLL downloaded from a link in the phishing email, before switching to a raw TCP reverse shell in May 2025. A further campaign was observed in March 2025, in which UNK_SparkyCarp targeted a Taiwanese semiconductor company with credential phishing using a custom adversary-in-the-middle framework. UNK_ColtCentury was also observed targeting a similar organisation in October 2024, likely to deploy the SparkRAT backdoor.

Governments in Southeast Asia targeted with HazyBeacon backdoor

Since late 2024, Palo Alto Networks Unit 42 researchers have observed a cluster of suspicious activity, tracked as CL-STA-200, targeting governmental entities in Southeast Asia with a previously unknown Windows backdoor, dubbed HazyBeacon. The campaign aims to collect sensitive information, such as details of recent tariffs and trade disputes. HazyBeacon uses AWS Lambda URLs as C2 infrastructure, allowing the attackers to invoke serverless functions directly over HTTPS and blend their C2 traffic with legitimate AWS communications. The backdoor is deployed via DLL sideloading alongside a legitimate Windows executable and creates a Windows service named ‘msdnetsvc’ for persistence, ensuring that HazyBeacon is loaded again after a reboot. Once the malware starts beaconing to the attacker-controlled Lambda URL endpoint, it receives commands to execute and additional payloads to download. Targeted files are collected into a ZIP archive, which the malware attempts to exfiltrate via Google Drive and Dropbox.
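The HazyBeacon description above gives defenders three observables worth alerting on: outbound connections to Lambda function URL hosts that no internal application is known to use, a new service named ‘msdnetsvc’, and large uploads to Google Drive or Dropbox. The Python below is an added example of that detection logic run over constructed log lines; it is not part of this report or of Unit 42’s published material. The proxy and event-log record formats, the allowlisted Lambda host, the service image path and the 1 MiB upload threshold are all assumptions for the example; the `<url-id>.lambda-url.<region>.on.aws` host pattern is the documented AWS Lambda function URL format.

```python
import re
from dataclasses import dataclass

# AWS Lambda function URLs use hosts of the form <url-id>.lambda-url.<region>.on.aws.
LAMBDA_URL_HOST = re.compile(r"^[a-z0-9]+\.lambda-url\.[a-z0-9-]+\.on\.aws$")

# Service name the report attributes to HazyBeacon persistence.
SUSPECT_SERVICE_NAMES = {"msdnetsvc"}

# Hypothetical allowlist: Lambda URL hosts your own applications are known to call.
# The url-id below is a constructed placeholder, not a real endpoint.
KNOWN_GOOD_LAMBDA_HOSTS = {
    "exampleid0000000000000000000000000.lambda-url.eu-west-1.on.aws",
}

# File-sharing hosts named in the report as exfiltration channels, and a
# constructed upload-size threshold (1 MiB) above which to flag them.
FILE_SHARING_HOSTS = {"www.dropbox.com", "drive.google.com"}
UPLOAD_THRESHOLD_BYTES = 1024 * 1024


@dataclass
class Finding:
    source: str
    rule: str
    detail: str


def parse_proxy_line(line):
    """Parse a constructed proxy record: '<ts> <src_ip> <dst_host> <bytes_out>'."""
    parts = line.split()
    if len(parts) != 4 or not parts[3].isdigit():
        return None
    return {"ts": parts[0], "src": parts[1], "host": parts[2].lower(), "bytes_out": int(parts[3])}


def check_proxy(lines):
    """Flag unapproved Lambda URL destinations and large uploads to file-sharing hosts."""
    findings = []
    for line in lines:
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        host = rec["host"]
        if LAMBDA_URL_HOST.match(host) and host not in KNOWN_GOOD_LAMBDA_HOSTS:
            findings.append(Finding("proxy", "unapproved-lambda-url", f"{rec['src']} -> {host}"))
        elif host in FILE_SHARING_HOSTS and rec["bytes_out"] > UPLOAD_THRESHOLD_BYTES:
            findings.append(Finding("proxy", "large-upload-file-sharing",
                                    f"{rec['src']} -> {host} ({rec['bytes_out']} bytes)"))
    return findings


def parse_service_event(line):
    """Parse a constructed flattening of System log event 7045 (new service installed)."""
    m = re.match(r"^7045 ServiceName=(\S+) ImagePath=(.+)$", line)
    if not m:
        return None
    return {"name": m.group(1), "image": m.group(2)}


def check_services(lines):
    """Flag new-service events whose name matches the reported HazyBeacon service."""
    findings = []
    for line in lines:
        ev = parse_service_event(line)
        if ev and ev["name"].lower() in SUSPECT_SERVICE_NAMES:
            findings.append(Finding("eventlog", "hazybeacon-service-name", f"{ev['name']} ({ev['image']})"))
    return findings


# Constructed sample data; none of these values are real observations.
SAMPLE_PROXY_LOG = [
    "2025-07-10T08:00:01Z 10.1.2.3 update.microsoft.com 1200",
    "2025-07-10T08:00:05Z 10.1.2.3 exampleid0000000000000000000000000.lambda-url.eu-west-1.on.aws 512",
    "2025-07-10T08:00:09Z 10.1.2.9 0123456789abcdef0123456789abcdef.lambda-url.us-east-1.on.aws 4096",
    "2025-07-10T08:00:11Z 10.1.2.9 www.dropbox.com 2097152",
]
SAMPLE_SERVICE_EVENTS = [
    "7045 ServiceName=Spooler ImagePath=C:\\Windows\\System32\\spoolsv.exe",
    "7045 ServiceName=msdnetsvc ImagePath=C:\\Users\\Public\\placeholder-host.exe",
]


def run_all():
    """Run both checks over the sample data and return the combined findings."""
    return check_proxy(SAMPLE_PROXY_LOG) + check_services(SAMPLE_SERVICE_EVENTS)


if __name__ == "__main__":
    for f in run_all():
        print(f"[{f.source}] {f.rule}: {f.detail}")
```

The allowlist is the important design choice: Lambda function URLs are a normal part of many AWS deployments, so blocking or alerting on the whole `on.aws` namespace would drown the signal. Alerting only on hosts outside a maintained allowlist, and correlating with a 7045 event for the named service on the same host, keeps the rule useful. On the sample data the run yields one unapproved Lambda host, one oversized Dropbox upload and one matching service installation.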

Ransomware

KAWA4096’s Ransomware Tide: Rising Threat With Borrowed Styles – SpiderLabs Blog – Jul 16 2025
Newly Emerged GLOBAL GROUP RaaS Expands Operations with AI-Driven Negotiation Tools – The Hacker News – Jul 15 2025
Ransomware Gangs Attack Clinical and Pathology Laboratories – The HIPAA Journal – Jul 15 2025
Ransomware in Italy, strike at the Diskstation gang: hacker group leader arrested in Milan – DataBreaches.net – Jul 14 2025
KongTuke FileFix Leads to New Interlock RAT Variant – The DFIR Report – Blog – Jul 14 2025
BlackSuit: A Hybrid Approach with Data Exfiltration and Encryption – Cybereason – Blog – Jul 11 2025
MEDUSA RANSOMWARE EXPOSED BY RANSOMEDVC – Medium Cybersecurity – Jul 10 2025

Financial Services

Stealthy SquidLoader Malware Targets Hong Kong Financial Firms with Evasive Cobalt Strike Attacks – Securityonline.info – Jul 17 2025
Old Miner, New Tricks – Fortinet – Jul 16 2025
Seychelles Commercial Bank Confirms Customer Data Breach – BankInfoSecurity – Jul 15 2025
Fake Android Money Transfer App Targeting Bengali-Speaking Users – McAfee Labs – Other Blogs – Jul 15 2025
Crypto Wallets Continue to be Drained in Elaborate Social Media Scam – Darktrace – Jul 10 2025

Geopolitics

UNG0002: Regional Threat Operations Tracked Across Multiple Asian Jurisdictions – Seqrite Blog – Jul 16 2025
National Guard hacked by Chinese ‘Salt Typhoon’ campaign for nearly a year, DHS memo says – NBCNews.com – Jul 15 2025
Ukrainian hackers claim to have destroyed servers of Russian drone maker – TechCrunch – Jul 15 2025
Contagious Interview Campaign Escalates With 67 Malicious npm Packages and New Malware Loader – Socket – Jul 14 2025
Is Cyber the Next Stage of War in the Middle East Conflict? – Symantec Enterprise Blogs – Jul 10 2025

High Priority Vulnerabilities

Name             Software          Base Score   Temporal Score
CVE-2025-6558    Chrome            6.3          6.0
  Related: Zero-day among high-severity flaws patched in Google Chrome
CVE-2025-47812   Wing FTP Server   10.0         9.4
  Related: Maximum-severity Wing FTP Server flaw actively exploited
CVE-2025-49812   HTTP Server       7.4          5.4
  Related: Opossum desynchronization attack targets TLS-based application protocols
CVE-2025-7503    AppFHE1           9.8          9.5
  Related: Maximum-severity flaw discovered in V380 CCTV IP camera
CVE-2024-55556   Crater Invoice    5.6          5.6
  Related: Over 600 Laravel apps vulnerable to RCE due to exposed APP_KEYs on GitHub
