Daily Brief
Find articles below; see 'DETAILS' for generated summaries
Total articles found: 11813
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-07-09 06:40:33 | theregister | NATION STATE ACTIVITY | Iranian Ransomware Group Targets U.S. and Israel, Incentivizes Attacks | An Iranian ransomware group has reactivated after five years, now named “Pay2Key.I2P,” and offers cash for cyberattacks on the US and Israel. The updated malware builds on 2020's Pay2Key with features from Mimic ransomware, promising 80% payouts for attacks on "enemies of Iran." Morphisec researchers used undercover communication to gather intelligence on Pay2Key.I2P's operations and malware. The affiliation between Pay2Key.I2P, Pioneer Kitten, and Mimic ransomware signals a blend of Iranian state-sponsored cyber initiatives and organized global cybercrime. Pay2Key.I2P's operational enhancements include the use of I2P networks for anonymity and an expanded targeting strategy that includes Linux systems. Within four months of operation, the group claimed to have collected over $4 million from 50 ransom payments. The group advertises its ransomware-as-a-service on darknet forums in Russia and China while also targeting American corporations following recent U.S.-Iran tensions. U.S. Homeland Security has issued an advisory warning of the elevated threat level and urging increased network defenses against Iranian cyber threats. | Details |
| 2025-07-08 23:05:58 | theregister | MALWARE | Microsoft Releases Crucial Security Fixes in Latest Patch Update | Microsoft’s first Patch Tuesday of 2025 includes 130 new fixes, with a notable absence of actively exploited vulnerabilities. A critical vulnerability, CVE-2025-47981, rated at 9.8 CVSS, risks remote code execution through a buffer overflow in SPNEGO protocols. Office applications received significant attention with 16 patches; four critical vulnerabilities could allow remote code execution without user interaction. Critical AMD processor-related fixes were released, targeting early EPYC and Ryzen chips; they are noted as lower risk but still essential to apply. CVE-2025-49717 in SQL Server introduces a complex remote code execution threat through a buffer overflow, though it's deemed less likely to be exploited. Updates included 16 additional fixes for Windows Routing and Remote Access Service and five for Microsoft’s BitLocker encryption system, with higher exploit likelihood. Adobe paralleled Microsoft’s patch release, emphasizing updates for ColdFusion and Experience Manager Forms due to critical vulnerabilities. SAP also issued security updates, including patches for vulnerabilities rated at a CVSS 10 in their Supplier Relationship Management and a 9.9 in S/4HANA and SCM systems. | Details |
| 2025-07-08 20:44:59 | bleepingcomputer | CYBERCRIME | M&S Hit by Ransomware After Social Engineering Breach | M&S confirmed a network breach via a sophisticated impersonation attack, which led to a ransomware incident involving DragonForce malware. The breach occurred when attackers impersonated an M&S employee, deceiving a third-party IT support provider into resetting the employee's password. IT outsourcing company Tata Consultancy Services, providing help desk support for M&S, is suspected to have inadvertently facilitated the breach. The ransomware attack involved double-extortion tactics, potentially including stealing about 150GB of data and encrypting servers, threatening data release if a ransom was not paid. M&S chose not to interact directly with the ransomware operators and engaged professional negotiation services to handle the situation. Despite the attack and potential data theft, there has been no public confirmation of a ransom payment, though it was discussed with national authorities. The incident highlights ongoing vulnerabilities in retail security systems and the effectiveness of social engineering as an attack vector. | Details |
| 2025-07-08 20:44:59 | bleepingcomputer | MISCELLANEOUS | Samsung Enhances Security in One UI 8 with Advanced Protection | Samsung unveils major security upgrades for the upcoming One UI 8 on Galaxy devices, focusing on data security and privacy enhancements. Knox Enhanced Encrypted Protection (KEEP) is introduced, designed to create isolated environments within apps to store and encrypt sensitive data. Upgrades to Knox Matrix include stronger management of device security across all connected Galaxy devices and automatic user sign-out when identity forgery is detected. Quantum-resistant technologies are implemented in Samsung’s Secure WiFi to protect against future quantum-based threats. Enhanced security features aim to safeguard user inputs and data across AI-driven tools including personalized updates, photo searches, and more. Users are advised to upgrade to the new release to benefit from the stronger security measures and to review their data privacy settings. One UI 8 is expected to launch with the new Galaxy Z Fold 7 and Z Flip 7 models, with updates soon to be available for older models as well. | Details |
| 2025-07-08 19:42:30 | bleepingcomputer | MALWARE | New TapTrap Technique Exposes Android Users to Hidden Risks | A novel tapjacking attack called TapTrap allows malicious apps to deceive Android users through invisible UI manipulations, gaining unauthorized access to device permissions and data. Developed by researchers from TU Wien and the University of Bayreuth, TapTrap exploits Android's animation features to obscure the actions the system actually performs, effectively remaining undetected by users. The technique uses zero-permission apps that launch a transparent activity over a legitimate one, misleading users into tapping seemingly benign options that are in fact permission prompts for malicious activities. Research shows that 76% of apps in the Google Play Store might be vulnerable to such attacks due to the common presence of susceptible activity components. Despite the introduction of Android 16, vulnerability to TapTrap attacks persists, and officially confirmed mitigations have yet to be fully implemented in future system updates. A video demonstration involving a game app illustrated how TapTrap could manipulate a user into unknowingly granting camera access via a web browser. Google has acknowledged the problem and is actively working on fixes to enhance protections against such tapjacking techniques, with updates expected in forthcoming Android versions. | Details |
| 2025-07-08 19:17:02 | theregister | MALWARE | Over 2.3 Million Users Hit by Browser Extension Malware Campaign | A massive browser hijacking campaign has targeted users of Chrome and Edge through malicious extensions, affecting over 2.3 million users. Initially harmless, these browser extensions, including a popular color picker from Geco, were later updated with malware that enabled surveillance and data theft. These extensions, despite performing their stated functions such as color selection, covertly tracked user activity, captured URLs, and could redirect browsers to attacker-specified sites. Koi Security researchers discovered the campaign, dubbed RedDirection, which includes 18 different malicious extensions available in both the Chrome Web Store and Microsoft's Edge Add-ons. The malware functionality in these extensions was not present from the beginning; instead, it was inserted during subsequent updates, which were automatically installed without users' interaction. The affected extensions offer various utilities like emoji keyboards, weather forecasts, and VPN services but secretly perform background activities that compromise users’ privacy. Investigations into the incident are ongoing, and neither Google nor Microsoft has yet responded to inquiries regarding how these extensions passed their security checks. | Details |
| 2025-07-08 17:36:58 | thehackernews | MALWARE | Popular Red Teaming Tool Exploited to Distribute Stealer Malware | Hackers have exploited the Shellter red teaming tool to spread Lumma Stealer and SectopRAT malware following a license leak by a customer. Shellter, designed to evade antivirus systems, was compromised despite stringent security measures and vetting processes in place since February 2023. Elastic Security Labs reported that starting from late April 2025, the stolen versions of Shellter were used in various infostealer campaigns. Shellter’s version 11.0, released on April 16, 2025, has reportedly been used in cybercriminal operations after being sold on a cybercrime forum. The malware spread includes methods like embedding malicious payloads into legitimate programs through self-modifying shellcode. Attack vectors involved sponsorship scams targeting content creators and fraudulent gaming modifications distributed via YouTube. The security industry faces increased challenges in mitigating threats due to weaponized legitimate tools, as seen with earlier instances involving Cobalt Strike and Brute Ratel C4. The Shellter Project criticized Elastic's disclosure approach, highlighting a tension between public safety priorities and the handling of vulnerabilities. | Details |
| 2025-07-08 17:36:58 | bleepingcomputer | CYBERCRIME | Microsoft's July 2025 Patch Resolves Zero-Day and 137 Other Flaws | Microsoft's July 2025 Patch Tuesday addressed 137 vulnerabilities, including a zero-day flaw in Microsoft SQL Server. The zero-day vulnerability, identified as CVE-2025-49719, involved information disclosure through improper input validation and could be remotely exploited. Among the resolved issues are 14 Critical vulnerabilities, with 10 allowing remote code execution, one for information disclosure, and two related to AMD side channel attacks. The zero-day vulnerability was publicly disclosed before an official fix was available, highlighting ongoing security challenges. Several critical vulnerabilities in Microsoft Office and SharePoint were also patched, which could allow remote code execution from specially crafted documents or internet-based exploits. Aside from Microsoft, other vendors also issued updates and advisories addressing security concerns within their products in July 2025. Administrators are advised to update affected systems promptly to mitigate potential threats from these vulnerabilities. | Details |
| 2025-07-08 16:18:16 | thehackernews | MALWARE | Android Banking Trojan Anatsa Targets 90,000 Users via Google Play | Cybersecurity experts uncovered a malware operation affecting 90,000 North American users, involving a trojan named Anatsa disguised as a "PDF Update" app on Google Play. The malicious app deployed fake overlay screens claiming banking services were down for maintenance to steal banking credentials. Anatsa, also known as TeaBot and Toddler, has been active since 2020 and utilizes dropper apps to deliver malware after initially appearing benign. The malware can execute credential theft, keylogging, and Device-Takeover Fraud (DTO) to perform unauthorized transactions directly from the victims' devices. The attack pattern includes creating legitimate-looking apps on Google Play, gaining user trust, and later embedding harmful updates. The malware receives updates on targeted financial institutions from an external server to adapt to different banks dynamically. Anatsa's operations are characterized by intermittent active and dormant periods, helping it evade detection and maintain effectiveness. Although the malicious app and its developer have been removed from Google Play, it reached significant download milestones before detection. | Details |
| 2025-07-08 15:04:23 | theregister | MISCELLANEOUS | Embracing Cloud-Native Solutions for Advanced Cyber Resilience | The rapid evolution of cyber threats is outpacing the capabilities of traditional data protection tools, necessitating a shift to cloud-native cyber resilience strategies. Attackers are increasingly using sophisticated methods such as GenAI for malware creation and social engineering, targeting not just large enterprises but also smaller entities and cloud environments. Regulatory pressures are intensifying, with stringent global mandates on data privacy, sovereignty, and recovery, which many existing tools cannot meet without significant manual oversight. The costs associated with data sprawl across multi-cloud, SaaS, and edge environments are mounting, emphasizing the need for centralized, cost-effective data protection solutions. Cloud-native platforms for cyber resilience differ from traditional cloud-based backups by offering proactive threat hunting, AI-powered detection, and seamless integration with broader security infrastructures. Industry recognition, such as Druva’s leadership in Gartner's Magic Quadrant, highlights the growing importance and acceptance of cloud-native solutions in enterprise data security. To effectively counter modern cyber risks, organizations must adopt intelligent, fully managed cloud-native solutions that not only back up data but also enhance overall cyber resilience. | Details |
| 2025-07-08 15:04:22 | bleepingcomputer | MALWARE | Anatsa Malware Targets US Banks via Google Play Apps | Anatsa, a banking trojan, was again found disguised as a legitimate app on Google Play, this time mimicking a PDF viewer with over 50,000 downloads. The malware activates upon the app's installation, targeting users of North American banking apps by overlaying fake notifications about banking maintenance to conceal its activities. Threat Fabric researchers have monitored Anatsa's presence on Google Play for years, noting repeated incidents where the trojan achieved significant download milestones through trojanized utility and productivity apps. In a recent modus operandi, the operators keep the initial versions of these apps clean and later push an update that introduces malicious code to download and install the Anatsa payload. Upon infection, Anatsa connects to its command-and-control server to receive instructions and a list of apps to monitor, enabling unauthorized access and fraudulent transactions. The most recent affected app, 'Document Viewer – File Reader' by 'Hybrid Cars Simulator, Drift & Racing,' delivered its trojan payload between June 24 and 30, following an update six weeks post-release. Google has since removed the malicious app, and affected users are advised to uninstall the app, run a full system scan, and reset their banking credentials. Users are advised to download apps only from trusted publishers, scrutinize user reviews, check app permissions, and limit the number of installed apps to enhance security. | Details |
| 2025-07-08 14:10:01 | bleepingcomputer | MALWARE | Malicious Chrome Extensions Affect 1.7 Million Downloads | Nearly a dozen Chrome extensions with 1.7 million installs were discovered to have malicious capabilities, allowing user tracking and data redirection. The extensions masquerade as useful tools (e.g., VPNs, volume boosters) but execute harmful activities in the background via the Chrome Extensions API. Koi Security identified the harmful extensions, noting that some still persist in the Chrome Web Store despite previous alerts. These extensions capture and transmit user data to remote servers, which also have the capability to redirect users to potentially harmful websites. Google's auto-update feature unintentionally propagates these malicious updates to users without explicit consent or notification. The malicious code was added in updates after initial installation, hinting at external compromise of previously safe extensions. Additional malicious extensions were found in Microsoft Edge's official store, with the total user impact from both stores estimated at over 2.3 million. Researchers recommend immediate removal of affected extensions, clearing of browser data, system malware checks, and monitoring for irregular account activities. | Details |
| 2025-07-08 14:10:01 | bleepingcomputer | CYBERCRIME | Enhancing Security in Virtual Desktop and Application Environments | Virtual desktop and application virtualization are critical for remote and hybrid work setups, prioritizing flexibility, scalability, and security. Virtual environments face cyber threats due to their centralized structure and vulnerabilities in remote access protocols. Implementing Zero Trust architecture and Multi-Factor Authentication (MFA) ensures that only authenticated users and trusted devices access the virtual environments. TruGrid SecureRDP enhances security by preventing exposure of firewall ports and implementing MFA to protect against credential-based threats. The product leverages global fiber optics to optimize network performance, reducing latency and packet loss, which is crucial for maintaining efficient virtual desktop operations. TruGrid SecureRDP simplifies regulatory compliance and licensing management while providing tools to scale virtual desktop infrastructure effectively as organizations grow. Enhanced user experience is achieved through smoother remote desktop performance, addressing common user frustrations and supporting broader adoption. Future enhancements in virtual desktop technologies will continue to address performance and security, aiming to support the growing trend of remote workforces. | Details |
| 2025-07-08 14:00:06 | bleepingcomputer | MALWARE | Malicious Chrome Extensions Impact Over 1.7 Million Users | Researchers found nearly a dozen malicious extensions in Google's Chrome Web Store, cumulatively downloaded 1.7 million times. These extensions, disguised as legitimate tools like VPNs and emoji keyboards, could track users, steal browser activity, and redirect to potentially harmful URLs. Some of the problematic extensions, such as ‘Volume Max — Ultimate Sound Booster,’ were previously flagged for suspicious activities but remained unconfirmed for malicious behavior until now. The harmful functionalities, hidden in background service workers using the Chrome Extensions API, capture and exfiltrate user data to remote servers. Despite the malicious updates, Google's auto-update feature deployed these versions without user interaction, raising concerns about silent update practices. Extensions originally safe at launch may have been compromised over time, introducing malware through updates by potentially external actors. Koi Security also discovered similar malicious extensions in the Microsoft Edge store, affecting an additional 600,000 downloads. Recommendations include immediate removal of the identified extensions, clearing browser data, system malware checks, and monitoring for account irregularities. | Details |
| 2025-07-08 13:33:13 | theregister | MISCELLANEOUS | SUSE Introduces Sovereign Premium Support for Data Sovereignty | SUSE has launched "SUSE Sovereign Premium Support," targeting European organizations concerned about data sovereignty. This service ensures that support is strictly provided within a specific region, complying with local data sovereignty laws and reducing dependence on non-European entities. The traditional follow-the-sun support model is avoided to prevent data transfers that could violate regional data sovereignty regulations. SUSE's initiative reflects a broader trend where companies, including tech giants like AWS and Microsoft, are actively addressing European data sovereignty concerns through local solutions. CEO Dirk-Peter van Leeuwen highlighted a significant interest in developing technology that can be built and supported within Europe, though he noted minimal migration away from major hyperscalers. The move by SUSE is seen as a response to the increasing demand for digital autonomy in Europe, especially in light of evolving geopolitical climates and local regulatory demands. The additional cost for the sovereign support service is around 15%, which some customers are willing to pay to ensure compliance and maintain data within controlled regions. | Details |