Daily Brief

Article summaries below are machine-generated.

Total articles found: 11760

Checks for new stories every ~15 minutes

2025-10-09 19:38:40 bleepingcomputer CYBERCRIME Storm-2657 Targets U.S. Universities in Payroll Hijacking Scheme
Microsoft attributes to Storm-2657, a financially motivated group active since March 2025, a campaign that hijacks the salary payments of U.S. university employees. It observed 11 compromised accounts at three universities being used to send phishing emails to nearly 6,000 accounts across 25 universities. The lures (campus illness notices, faculty misconduct allegations, compensation updates) lead to adversary-in-the-middle (AiTM) pages that capture both credentials and MFA codes, so an account protected only by phishable MFA falls as readily as one with none. With a live session the actor reads the victim's Exchange Online mailbox, creates inbox rules that delete notifications from Workday so the victim never sees the change alerts, and redirects direct deposit to attacker-controlled accounts; Microsoft notes that any HR SaaS platform reachable through the same SSO is exposed to the same technique. To keep access, the actor enrolls its own phone as an additional MFA method, and compromised mailboxes are reused to seed the next phishing wave. Microsoft has notified affected customers and recommends phishing-resistant MFA (FIDO2 security keys, passkeys) together with alerting on new MFA registrations, inbox-rule creation and payroll changes. For scale, the FBI's IC3 logged more than 21,000 business email compromise complaints in 2024.
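The chain Microsoft describes (a sign-in that satisfies MFA because the code was relayed, then a new MFA method, an inbox rule and a direct-deposit change) is easier to catch as a correlation than as four separate alerts. The following is an added example, not Microsoft's or any vendor's detection logic: it runs over a constructed, unified event stream (field names, the campus address range and the events themselves are assumptions) and anchors on the sign-in origin, since the AiTM-relayed sign-in itself looks successful.

```python
"""Correlate the Storm-2657 chain (unfamiliar sign-in -> new MFA method ->
inbox rule -> direct-deposit change) over a unified event stream.

Added example; event schema, networks and events are constructed for the demo."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Per-user baseline networks (constructed). In production this would be derived
# from sign-in history; here it stands in for the campus range.
KNOWN_NETWORKS = {
    "j.doe": [ipaddress.ip_network("10.20.0.0/16")],
    "a.smith": [ipaddress.ip_network("10.20.0.0/16")],
}

# Follow-on actions the campaign performs once it holds a session.
FOLLOW_ON = {"mfa_method_added", "inbox_rule_created", "direct_deposit_changed"}
WINDOW = timedelta(hours=24)

# Constructed sample events. j.doe is the compromised account; a.smith makes a
# legitimate banking change from campus with no other signals.
EVENTS = [
    {"ts": "2025-10-01T09:02:00", "user": "j.doe", "type": "signin", "ip": "198.51.100.23"},
    {"ts": "2025-10-01T09:05:00", "user": "j.doe", "type": "mfa_method_added", "ip": "198.51.100.23"},
    {"ts": "2025-10-01T09:07:00", "user": "j.doe", "type": "inbox_rule_created", "ip": "198.51.100.23"},
    {"ts": "2025-10-01T09:40:00", "user": "j.doe", "type": "direct_deposit_changed", "ip": "198.51.100.23"},
    {"ts": "2025-10-01T11:00:00", "user": "a.smith", "type": "signin", "ip": "10.20.5.8"},
    {"ts": "2025-10-01T11:10:00", "user": "a.smith", "type": "direct_deposit_changed", "ip": "10.20.5.8"},
]


def _parse(ev):
    return datetime.fromisoformat(ev["ts"])


def is_unfamiliar_signin(ev, known=KNOWN_NETWORKS):
    """A sign-in from outside the user's baseline networks. An AiTM-relayed
    session satisfies MFA, so the sign-in is 'successful'; origin is the tell."""
    if ev["type"] != "signin":
        return False
    addr = ipaddress.ip_address(ev["ip"])
    return not any(addr in net for net in known.get(ev["user"], []))


def detect_payroll_hijack(events, known=KNOWN_NETWORKS, window=WINDOW):
    """One alert per unfamiliar sign-in followed, within `window`, by a
    direct-deposit change plus at least one other follow-on action."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=_parse):
        by_user[ev["user"]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        for i, anchor in enumerate(evs):
            if not is_unfamiliar_signin(anchor, known):
                continue
            t0 = _parse(anchor)
            signals = {e["type"] for e in evs[i + 1:]
                       if e["type"] in FOLLOW_ON and _parse(e) - t0 <= window}
            if "direct_deposit_changed" in signals and len(signals) >= 2:
                alerts.append({
                    "user": user,
                    "anchor_ip": anchor["ip"],
                    "anchor_ts": anchor["ts"],
                    "signals": sorted(signals),
                    "severity": "high" if signals == FOLLOW_ON else "medium",
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_payroll_hijack(EVENTS):
        print(alert)
```

Requiring the direct-deposit change plus one more signal keeps a legitimate off-campus banking update from firing on its own, while the full chain scores high; the baseline networks and the 24-hour window are the knobs to tune against real sign-in history.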
2025-10-09 17:22:52 thehackernews NATION STATE ACTIVITY UTA0388's Evolving Espionage Tactics Target Global Organizations
Volexity attributes to UTA0388, a China-aligned actor, spear-phishing campaigns against organizations in North America, Asia and Europe that deliver a Go-based backdoor Volexity calls GOVERSHELL. The emails impersonate researchers or analysts at plausible-sounding institutions and point targets to archives hosted on services such as Netlify and OneDrive; newer waves open with a benign rapport-building message and deliver the link only after the target replies. GOVERSHELL succeeds the actor's earlier HealthKick backdoor, is executed through DLL side-loading by a legitimate signed executable, and exists in five variants, indicating continued development. The actor used ChatGPT to draft lures and support its workflow; OpenAI has banned the associated accounts. Targeting follows Chinese geopolitical interest, concentrated in Asia but recently extending to European institutions, including a department of the Serbian government. Inconsistent languages and personas across the emails suggest the lures are generated with large language models and little human review, which complicates content-based filtering but leaves the delivery indicators (side-loaded DLLs, the hosting and C2 infrastructure) intact for detection.
2025-10-09 17:22:51 bleepingcomputer MALWARE RondoDox Botnet Exploits 56 Vulnerabilities in Global Device Attacks
Trend Micro reports that the RondoDox botnet has, since June, been launching 56 exploits against more than 30 device types, including DVRs, NVRs, CCTV systems, routers and web servers. Rather than fingerprinting a target first, the loader fires every exploit in its list at once, an "exploit shotgun" approach that trades network noise for a higher infection rate. Recent additions include CVE-2024-3721 (TBK DVR command injection) and CVE-2024-12856 (Four-Faith router command injection), and the operators have been quick to weaponize n-day flaws demonstrated at Pwn2Own once details become public. The target set mixes long-unpatched bugs in end-of-life hardware with newer flaws in still-supported products, so a currently supported device is not necessarily a safe one. Trend Micro also counted 18 command injection vulnerabilities in D-Link NAS units, Linksys routers and similar gear that have no CVE assigned, which means scanners keyed on CVE identifiers will miss them. Recommended mitigations: apply current firmware, retire end-of-life devices, change default credentials, and segment IoT and OT devices away from systems holding sensitive data. The speed at which Pwn2Own research is absorbed into the botnet makes patch latency, not just patch coverage, the metric to watch.
2025-10-09 15:39:39 thehackernews MALWARE ClayRat Spyware Exploits Android Devices via Fake App Impersonations
Zimperium tracks ClayRat, an Android spyware campaign aimed at users in Russia that impersonates WhatsApp, TikTok, YouTube and Google Photos and is distributed through phishing websites and Telegram channels. Once installed it exfiltrates SMS messages, call logs, notifications and device information, can take photos with the front camera, and can send messages or place calls from the victim's device. It spreads worm-like by texting malicious links to every contact in the victim's phone book, turning each infected device into a distribution node. Zimperium counted more than 600 samples and 50 droppers in 90 days, with each wave adding obfuscation layers to evade detection. Many samples ship as droppers that display a fake Play Store update screen and install the real payload from their own assets, a packaging trick that sidesteps the sideloading restrictions Android 13 introduced. ClayRat asks to become the default SMS handler, which gives it the message content it wants and the sending capability it needs to spread without per-message permission prompts. The same report notes that some pre-installed apps on budget Android phones sold in Africa run with elevated privileges and expose sensitive data, a reminder that the device supply chain, not just sideloading, sets a phone's baseline trust.
2025-10-09 14:15:18 bleepingcomputer MALWARE PureRAT Attack Chain Reveals Advanced Multi-Stage Malware Campaign
Huntress documented a multi-stage intrusion ending in PureRAT, a commercially sold .NET remote access trojan. Initial access is a phishing email carrying a ZIP archive in which a legitimate executable side-loads a malicious DLL, a familiar but still effective technique. Successive stages decode and decrypt their payloads through layered Base85, Base64, RC4 and AES before execution, keeping the final RAT off disk and out of reach of static scanning. Compared with the operator's earlier Python-based information stealers, the new chain uses .NET executables with process hollowing and reflective DLL loading for persistence and control. PureRAT provides keylogging, screen and webcam capture, file exfiltration, credential theft and a plugin mechanism for follow-on payloads. Overlaps in tooling and infrastructure with PXA Stealer, and hosting that resolves to Vietnam, point to the same operator maturing rather than a new one appearing. Huntress's conclusion is that signatures on any single stage are fragile; detection should key on behaviors such as DLLs side-loaded from user-writable paths, process hollowing and encrypted stage retrieval, backed by defense in depth.
2025-10-09 14:15:18 bleepingcomputer DATA BREACH SonicWall Cloud Backup Breach Exposes Firewall Configurations Globally
SonicWall confirmed that the incident affecting its MySonicWall cloud backup service exposed the firewall configuration backup files of every customer who used the service, not only the subset first reported. MySonicWall is the portal for licensing, product registration and cloud-stored preference files, so the backups concentrate operationally sensitive data. The exposed files contain configuration data and credentials; the credentials are AES-256 encrypted, but the rest of the configuration (rules, VPN settings, administrative accounts, enabled services) is enough to make targeted exploitation of a firewall easier. SonicWall engaged Mandiant for the investigation and is telling customers to reset every credential referenced in the exposed configurations and follow its remediation guidance. About 5% of SonicWall's firewall install base used the cloud backup feature; all of those devices are now treated as affected. Customers can see which of their serial numbers are impacted under 'Product Management → Issue List' in MySonicWall, where each device is assigned a remediation priority. SonicWall recommends watching MySonicWall alerts, since the list of affected devices and the guidance are being updated.
2025-10-09 13:52:41 thehackernews DATA BREACH SonicWall Data Breach Exposes Cloud Firewall Backup Files
SonicWall disclosed that an unauthorized party accessed firewall configuration backup files belonging to customers who use its cloud backup service, raising the prospect of targeted follow-on attacks against those firewalls. Although credentials in the files are encrypted, the accompanying configuration data (network layout, rules, VPN and service settings) reduces the effort needed to attack an exposed device. SonicWall is notifying affected partners and customers and has published tooling that lists impacted serial numbers with a remediation priority for each. Customers are urged to log in to MySonicWall, review the flagged devices and work through the highest-priority ones first. SonicWall's initial estimate put the impact at under 5% of its firewall customers; it has since said that every cloud-backup user is affected. Anyone using the cloud backup feature should act immediately, and SonicWall provides additional steps for cases where the portal shows an incomplete serial number list. The disclosure expands on SonicWall's September advisory, which told customers to reset credentials after the same backup files were exposed.
2025-10-09 13:34:34 theregister DATA BREACH SonicWall Cloud Backup Breach Affects All Customers, Not Just 5%
SonicWall now says every customer who used the MySonicWall cloud backup service had firewall configuration backup files accessed by an unauthorized party, revising its earlier statement that under 5% of its firewall install base was affected. The files hold a firewall's full configuration (network settings, policies, VPN and administrative details), so their exposure materially lowers the cost of attacking a specific appliance. SonicWall's guidance is to delete the existing cloud backups, change the credentials contained in the configurations, and recreate backup files locally; it also says it has added stronger authentication controls and additional logging to the backup infrastructure. SonicWall maintains that other MySonicWall services and the customer firewalls themselves were not compromised. It has not named the actor or confirmed whether the files were exfiltrated or published, so the full scope remains uncertain; the incident is also a reminder that a cloud copy of a security device's configuration deserves the same protection as the device itself.
2025-10-09 12:18:31 thehackernews NATION STATE ACTIVITY North Korean Hackers Steal $2 Billion in Cryptocurrency in 2025
Blockchain analytics firm Elliptic estimates that North Korean actors stole over $2 billion in cryptocurrency in 2025, the largest annual total on record. The February Bybit heist accounts for about $1.46 billion of that; other 2025 victims include LND.fi, WOO X and Seedify. Beyond exchanges, the actors increasingly target high-net-worth individuals through social engineering, since personal security practices are generally weaker than a business's. In parallel, North Korean IT workers use stolen and fabricated identities to obtain remote technology jobs, with salaries routed to the regime; the scheme has reportedly generated up to $1 billion for its nuclear and weapons programs over the past five years. Okta's analysis of the IT-worker scheme finds targets spread well beyond the technology sector: roughly one in two are not tech companies and one in four are outside the U.S. Together, the theft and fraudulent-employment operations show how much of the regime's funding now depends on cyber-enabled crime.
2025-10-09 11:30:24 thehackernews DATA BREACH Token Theft Emerges as Key Threat in SaaS Security Breaches
Stolen tokens (OAuth access and refresh tokens, API keys, session cookies) are behind a growing share of SaaS breaches because a valid token is accepted as proof of authentication: MFA was satisfied when the token was issued and is never rechecked on use. Incidents at Slack (stolen employee tokens used to access private GitHub repositories), CircleCI (a session token lifted from an engineer's infected laptop), Cloudflare (Okta-derived tokens that were not rotated after the Okta breach) and Salesloft (OAuth tokens for the Drift integration used to pull Salesforce data) all followed this pattern. SaaS sprawl multiplies the problem: most organizations cannot list the tokens in circulation or the third-party integrations that hold them. App-to-app connections authenticated by tokens are invisible to network and endpoint tooling, which is the article's case for SaaS security platforms that inventory and monitor integrations. Practical token hygiene: enumerate every OAuth grant and API key, scope each to the minimum it needs, set short lifetimes and rotate on any sign of exposure, and alert on tokens used from unexpected clients or locations. Third-party integrations should go through an approval and periodic review process so over-privileged or abandoned apps are revoked rather than forgotten.
2025-10-09 11:14:18 bleepingcomputer CYBERCRIME Hacktivist Group TwoNet Targets Decoy Water Treatment Facility
Forescout reports that the pro-Russian hacktivist group TwoNet, previously known for DDoS, attacked what it believed was a water treatment facility but was in fact a Forescout honeypot built to observe OT intrusions. TwoNet logged into the HMI with default credentials, then exploited CVE-2021-26829, a stored cross-site scripting flaw in OpenPLC ScadaBR, to plant a pop-up announcing its presence. Over the engagement it created a new user account, deleted the PLC data sources so the HMI stopped receiving live values, and changed setpoints; it made no attempt at privilege escalation or movement beyond the HMI. TwoNet advertises attacks on SCADA interfaces and sells services including ransomware-as-a-service and hacker-for-hire through its Telegram channel. Forescout's recommendations are the OT basics: replace default credentials and require strong authentication on every HMI and engineering workstation, keep OT segmented from IT and the internet, and deploy detection that understands industrial protocols. The episode fits a broader shift in which hacktivist groups move from DDoS toward hands-on attacks against operational technology and industrial control systems.
2025-10-09 09:18:36 thehackernews NATION STATE ACTIVITY AI-Powered Cyber Attacks by Russian Hackers Intensify Against Ukraine
Ukraine's State Service for Special Communications and Information Protection (SSSCIP) reports that Russian cyber operations against Ukraine grew in the first half of 2025 and increasingly incorporate AI. It recorded 3,018 incidents, up from 2,575 in the second half of 2024, with local government and military entities the most heavily targeted. Highlights include WRECKSTEEL, a data-stealing malware used by UAC-0219 against state administration and critical infrastructure and suspected of being written with AI assistance, and APT28 (UAC-0001) exploiting cross-site scripting vulnerabilities in Roundcube and Zimbra webmail to run zero-click attacks that harvested credentials and mailbox contents. Operations are timed to kinetic activity, with Sandworm (UAC-0002) hitting energy, defense and research organizations as part of a hybrid-warfare approach. Attackers also lean on legitimate services such as Dropbox and Google Drive to host malware and phishing pages and as exfiltration channels, blending their traffic with normal business use. SSSCIP frames the trend as a case for continued hardening and international cooperation against AI-assisted attacks.
2025-10-09 06:59:25 thehackernews VULNERABILITIES Critical WordPress Theme Flaw Allows Unauthorized Site Takeover
CVE-2025-5947, a critical (CVSS 9.8) authentication bypass in the Service Finder WordPress theme, lets an unauthenticated attacker log in as any user, including administrators. The bug is in the theme's account-switching feature: the function that restores the original account trusts a user identifier supplied in a cookie without verifying that the server issued that value for the current session, so an attacker can set the cookie to any user ID. Logging in as an administrator means full site takeover, including planting backdoors, injecting malicious code or hosting malware. All versions up to 6.0 are affected; version 6.1, released on July 17, 2025, adds the missing validation. Wordfence has logged more than 13,800 exploitation attempts since August 1, 2025; how many sites were actually compromised is unknown. The theme has roughly 6,100 purchasers, so the exposed population is modest but each site is a high-value target. Administrators should update to 6.1 or later, then audit for unexpected administrator accounts, modified theme or plugin files and unfamiliar scheduled tasks.
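The bug class described above (a "switch back to my original account" feature that trusts a user ID from a cookie) is worth seeing next to a sound version. The following is an added illustration in Python; it is not the Service Finder theme's code, and the cookie names, the signing key and the demo accounts are assumptions. The hardened form issues a server-signed, expiring, single-use token that also names the account the session is currently acting as, so a forged or replayed cookie cannot promote the caller.

```python
"""Vulnerable vs hardened 'switch back to original account' handling.

Added illustration of the cookie-trust bug class; NOT the theme's code.
Cookie names, USERS and SECRET_KEY are constructed for the demo."""
import base64
import hashlib
import hmac
import json
import secrets
import time

USERS = {1: "admin", 2: "alice", 3: "bob"}   # constructed demo accounts
SECRET_KEY = secrets.token_bytes(32)         # per-deployment signing key (assumed)
_consumed = set()                            # nonces already redeemed (single use)


def vulnerable_switch_back(cookies):
    """Trusts the cookie's user id outright: whoever sets the cookie to '1' is
    logged in as the administrator. Existence of the id is the only 'check'."""
    uid = cookies.get("original_user_id", "")
    if uid.isdigit() and int(uid) in USERS:
        return int(uid)
    return None


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_switch_token(original_uid, acting_uid, ttl=900):
    """Issued server-side when `original_uid` switches into `acting_uid`.
    Binds both identities, expires after `ttl` seconds, carries a nonce."""
    payload = {"orig": original_uid, "act": acting_uid,
               "exp": int(time.time()) + ttl, "nonce": secrets.token_hex(8)}
    body = _b64e(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
    return (body + b"." + _b64e(sig)).decode()


def hardened_switch_back(cookies, session_uid, now=None):
    """Accept the switch-back only if the token verifies under the server key,
    is unexpired and unused, and names the account this session acts as.
    Returns the original user id, or None on any failure."""
    tok = cookies.get("switch_token", "")
    if "." not in tok:
        return None
    body, sig = tok.rsplit(".", 1)
    try:
        expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(sig)):
            return None                      # forged or tampered
        payload = json.loads(_b64d(body))
    except ValueError:                       # bad base64 or bad JSON
        return None
    current = now if now is not None else time.time()
    if payload.get("exp", 0) < current:
        return None                          # expired
    if payload.get("act") != session_uid or payload.get("orig") not in USERS:
        return None                          # token not for this session
    if payload.get("nonce") in _consumed:
        return None                          # replay of a captured cookie
    _consumed.add(payload["nonce"])
    return payload["orig"]


if __name__ == "__main__":
    print("vulnerable, forged cookie ->", vulnerable_switch_back({"original_user_id": "1"}))
    token = issue_switch_token(1, 2)
    print("hardened, valid token    ->", hardened_switch_back({"switch_token": token}, 2))
    print("hardened, replayed token ->", hardened_switch_back({"switch_token": token}, 2))
```

The signature is what stops the original bug; the expiry, the `act` binding and the nonce close the follow-on holes (a stolen cookie replayed later, or a token issued for one session used from another) that a signature alone would leave open. In a real deployment the nonce set lives in the session store rather than in process memory.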
2025-10-09 00:24:05 bleepingcomputer DATA BREACH Discord Data Breach Affects Millions Through Compromised Support System
A threat actor claims to have taken 1.6 TB of data covering 5.5 million users from Discord's Zendesk-based support system, including government ID images and partial payment details. Discord disputes the scale: it says roughly 70,000 users' ID photos were exposed, and stresses that the compromise was of a third-party support provider, not of Discord's own platform. Access came through a compromised account at a business process outsourcing (BPO) vendor that staffs Discord's customer support, a recurring weak point of outsourced support tooling. The actor says the access also exposed email addresses, phone numbers and other ticket data, and claims it could use internal tooling to disable users' multi-factor authentication, a claim Discord has not acknowledged. The group demanded $5 million, later $3.5 million, to withhold the data; Discord has refused to pay, saying it will not reward criminal activity. The incident is a reminder that support desks, and the vendors operating them, hold identity documents and account-recovery powers that rival the production platform in sensitivity.
2025-10-08 19:57:30 bleepingcomputer MALWARE New FileFix Variant Uses Cache Smuggling to Evade Detection
A new FileFix variant uses "cache smuggling" to get a malicious payload onto disk without any download that security tooling would recognize, posing as a Fortinet VPN Compliance Checker. The lure was found by researcher P4nd3m1cb0y and analyzed by Expel's Marcus Hutchins. The victim is told to paste a "file path" into File Explorer; the visible path is padded with spaces so the PowerShell command appended to it sits out of view, and that command searches Chrome's cache for a file the page served as an image, carves out the ZIP embedded in it and runs the contents. Because the page preloaded the payload as a fake image, the bytes arrived through an ordinary browser cache write rather than a download or a script-initiated web request, which is what most web-filtering and endpoint rules look for. Other threat actors, including ransomware crews, have been quick to fold the technique into their own lures. Separately, Palo Alto Networks Unit 42 described IUAM ClickFix Generator, a kit that automates building ClickFix pages with OS-specific payloads and lowers the bar for running such campaigns. The defensive lesson is unchanged: no legitimate workflow requires users to paste commands or paths copied from a website, and awareness training plus controls on PowerShell launched from Explorer should reflect that.
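Since the smuggled payload sits in the browser cache as a file that claims to be an image, a hunt can look for exactly that mismatch: an entry that starts with an image header but contains a parseable ZIP (or a PE) further in. The following is an added example, not Expel's or any vendor's tooling; the marker string and the sample cache entry are constructed, and the scan searches the whole byte string so Chrome's own entry headers do not need to be parsed.

```python
"""Hunt browser-cache entries for an archive or executable smuggled inside a
file that presents itself as an image (the FileFix cache-smuggling shape).

Added example; the marker and sample entries are constructed for the demo."""
import io
import os
import re
import struct
import zipfile

IMAGE_MAGICS = {
    b"\xff\xd8\xff": "JPEG",
    b"\x89PNG\r\n\x1a\n": "PNG",
    b"GIF87a": "GIF",
    b"GIF89a": "GIF",
}
ZIP_MAGIC = b"PK\x03\x04"


def build_sample_entry(marker=b"<<<BEGIN>>>"):
    """Constructed stand-in for a smuggled cache entry: JPEG header, padding,
    then a marker-delimited ZIP holding a harmless placeholder file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("checker.bat", "rem placeholder constructed for the example\n")
    return b"\xff\xd8\xff\xe0" + b"\x00" * 64 + marker + buf.getvalue() + marker


def _is_pe(data, off):
    """True if the 'MZ' at `off` is followed by a valid e_lfanew -> 'PE\\0\\0'."""
    if len(data) < off + 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    return data[off + e_lfanew:off + e_lfanew + 4] == b"PE\x00\x00"


def classify_entry(data):
    """Return a finding if `data` starts like an image but embeds a ZIP or PE.
    Stray 'PK..' bytes inside genuine image data are rejected by zipfile."""
    kind = next((k for m, k in IMAGE_MAGICS.items() if data.startswith(m)), None)
    if kind is None:
        return None
    hits = []
    for m in re.finditer(re.escape(ZIP_MAGIC), data):
        try:
            with zipfile.ZipFile(io.BytesIO(data[m.start():])) as zf:
                hits.append({"kind": "ZIP", "offset": m.start(), "members": zf.namelist()})
        except zipfile.BadZipFile:
            continue
    for m in re.finditer(b"MZ", data):
        if _is_pe(data, m.start()):
            hits.append({"kind": "PE", "offset": m.start(), "members": []})
    if not hits:
        return None
    return {"image_kind": kind, "size": len(data), "hits": hits}


def scan_entries(entries):
    """Classify a mapping of name -> bytes; returns only the flagged entries."""
    return {name: r for name, blob in entries.items() if (r := classify_entry(blob))}


def scan_cache_dir(path):
    """Walk a cache directory (e.g. Chrome's Cache_Data) and classify each file."""
    findings = {}
    for root, _, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                result = classify_entry(fh.read())
            if result:
                findings[full] = result
    return findings


if __name__ == "__main__":
    sample = {"f_000abc": build_sample_entry(), "f_000abd": b"\xff\xd8\xff\xe0" + b"\x00" * 200}
    for name, finding in scan_entries(sample).items():
        print(name, finding)
```

Running `scan_cache_dir` against a user's Chrome cache directory is a reasonable triage step after a suspected ClickFix or FileFix interaction; pair it with a review of PowerShell process creations whose parent is explorer.exe, which is the execution side of the same lure.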