WEEKLY TOP TEN: July 07, 2025, 16:00 GMT
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top 10 stories were selected from the 40+ original ones we determined to be most significant during the course of the week, ranked by highest risk and drawing on multiple sources when available:

- Hide Your RDP: Password Spray Leads to RansomHub Deployment

The DFIR Report documented a RansomHub ransomware intrusion that began with password spraying against exposed RDP servers and reached complete network compromise within 118 hours. The threat actors used Mimikatz for credential harvesting, the Atera and Splashtop remote access tools for persistence, and Rclone to exfiltrate 2.03 GB of data over SFTP before deploying the ransomware network-wide. The case study illustrates the risk of internet-exposed RDP and the continued reliance of ransomware operators on living-off-the-land techniques.

- Apache Under the Lens: Tomcat’s Partial PUT and Camel’s Header Hijack

Unit 42 researchers analyzed three critical Apache remote code execution vulnerabilities affecting millions of installations: CVE-2025-24813 in Apache Tomcat enables RCE via partial PUT requests, while CVE-2025-27636 and CVE-2025-29891 in Apache Camel allow RCE through header bypass attacks. Palo Alto Networks detected over 125,000 exploit attempts from 70+ countries immediately following disclosure, with attackers using publicly available Nuclei scanner templates. Emergency patches are available for all affected Apache Tomcat and Apache Camel versions.

- Over 1,200 Citrix Servers Unpatched Against Critical Auth Bypass Flaw

Security researchers identified over 1,200 unpatched Citrix NetScaler ADC and Gateway appliances vulnerable to CVE-2025-5777, dubbed “Citrix Bleed 2,” which enables unauthenticated session hijacking and credential theft. ReliaQuest reports medium confidence of active exploitation against enterprise networks, with indicators including hijacked web sessions and Active Directory LDAP reconnaissance. Citrix has released critical security patches and recommends terminating active sessions after the update is applied.

- Filefix Part 2: Social Engineering via HTML Applications

Security researcher mrd0x disclosed a new FileFix attack variant that bypasses Windows Mark of the Web (MOTW) protections by exploiting how Chrome and Microsoft Edge save HTML pages. The social engineering attack tricks victims into saving malicious .hta files disguised as backup codes; because of the browsers’ behavior with the “Webpage, Complete” save format, the files execute without Windows security warnings. Organizations can mitigate this bypass by disabling mshta.exe execution.

- From PTH to P0wned: Abuse of Pickle Files in AI Model Supply Chains

Rapid7 Labs discovered supply chain attacks targeting AI developers through weaponized PyTorch model files (.pth) uploaded to Hugging Face that exploit Python pickle deserialization. When loaded via torch.load(), the malicious models deploy Go-based remote access trojans (RATs) that communicate with VShell C2 infrastructure hidden behind Cloudflare Tunnel. The campaign highlights the risk inherent in machine learning model supply chains and the need to validate models before loading them.

- Taking SHELLTER: Commercial Evasion Framework Abused In-The-Wild

Elastic Security Labs identified threat actors using the leaked Shellter Elite v11.0 commercial evasion framework in RHADAMANTHYS, LUMMA, and ARECHCLIENT2 infostealer campaigns since April 2025. The evasion tool employs polymorphic code generation, API hooking bypasses, AES-128 payload encryption, and vectored exception handler proxying to evade EDR and antivirus detection. All analyzed samples contain identical hardcoded license expiry dates, indicating widespread distribution of a single compromised commercial license.

- 600,000 WordPress Sites Affected by Arbitrary File Deletion Vulnerability

A critical vulnerability (CVE-2025-6463, CVSS 8.8) in the popular Forminator plugin exposes over 600,000 WordPress websites to complete takeover through arbitrary file deletion. The flaw allows unauthenticated attackers to delete critical files, including wp-config.php, forcing sites into setup mode and enabling full compromise. WPMU DEV released the Forminator version 1.44.3 security patch on June 30, 2025; immediate updates are strongly recommended.

- FoxyWallet: 40+ Malicious Firefox Extensions Exposed

Researchers from Koi Security have exposed a malware campaign involving 40+ malicious Firefox browser extensions impersonating popular cryptocurrency wallets, including MetaMask, Coinbase Wallet, Trust Wallet, and Phantom, to steal seed phrases and private keys. The campaign has been active since April 2025, using fake reviews, cloned open-source wallet code, and identical branding to deceive crypto users. Russian-language code comments suggest Russian threat actors; Mozilla has removed most of the extensions, but several remain active.

- Cisco Unified Communications Manager Static SSH Credentials Vulnerability

Cisco disclosed a maximum-severity vulnerability, CVE-2025-20309 (CVSS 10.0), affecting Unified Communications Manager (CUCM) and CUCM SME systems: hardcoded static SSH root credentials that cannot be changed or deleted. The flaw affects Engineering Special Releases 15.0.1.13010-1 through 15.0.1.13017-1 and allows unauthenticated remote attackers full root access and arbitrary command execution. Cisco released emergency patches in CUCM version 15SU3; exploitation is detectable through SSH login entries in system logs.

- macOS NimDoor: DPRK Threat Actors Target Web3 and Crypto Platforms

SentinelLABS discovered a North Korean APT campaign, “NimDoor,” targeting Web3 and cryptocurrency organizations with Nim-compiled malware delivered through fake Zoom SDK social engineering. The campaign employs advanced macOS techniques, including process injection, WebSocket Secure (WSS) communications, and signal-based persistence mechanisms previously unseen in macOS threats. The malware exfiltrates browser credentials, macOS Keychain data, and Telegram chat histories using multi-stage C++, Nim, and AppleScript components.
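The RansomHub story above begins with password spraying against exposed RDP, which has a distinctive log signature: one source address producing failed logons across many different accounts inside a short window, as opposed to many failures against a single account. The following is an added example, not code from The DFIR Report or from this digest, of that detection logic run over constructed, simplified logon records (the "EventID=... LogonType=..." line shape is an assumption for the example, not real Windows event text). Event ID 4625 is a failed logon and 4624 a successful one; logon type 10 is RemoteInteractive (RDP), and with Network Level Authentication enabled RDP failures are often recorded with logon type 3, so both are considered. The detection also records whether a spraying source later logged on successfully, which is the signal that the spray worked.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real Windows event text). 203.0.113.7 sprays six
# accounts in under a minute and then succeeds as "frank"; 198.51.100.20 is one user
# failing three times before logging in; 192.0.2.9 touches three accounts, then three
# more two hours later, so no single 10-minute window holds more than three.
SAMPLE_LOG = """\
2025-07-01T02:00:01 EventID=4625 LogonType=10 Account=alice Source=203.0.113.7
2025-07-01T02:00:09 EventID=4625 LogonType=10 Account=bob Source=203.0.113.7
2025-07-01T02:00:17 EventID=4625 LogonType=10 Account=carol Source=203.0.113.7
2025-07-01T02:00:25 EventID=4625 LogonType=10 Account=dave Source=203.0.113.7
2025-07-01T02:00:33 EventID=4625 LogonType=10 Account=erin Source=203.0.113.7
2025-07-01T02:00:41 EventID=4625 LogonType=10 Account=frank Source=203.0.113.7
2025-07-01T02:00:49 EventID=4624 LogonType=10 Account=frank Source=203.0.113.7
2025-07-01T08:15:02 EventID=4625 LogonType=10 Account=grace Source=198.51.100.20
2025-07-01T08:15:20 EventID=4625 LogonType=10 Account=grace Source=198.51.100.20
2025-07-01T08:15:41 EventID=4625 LogonType=10 Account=grace Source=198.51.100.20
2025-07-01T08:16:05 EventID=4624 LogonType=10 Account=grace Source=198.51.100.20
2025-07-01T11:00:00 EventID=4625 LogonType=3 Account=heidi Source=192.0.2.9
2025-07-01T11:01:00 EventID=4625 LogonType=3 Account=ivan Source=192.0.2.9
2025-07-01T11:02:00 EventID=4625 LogonType=3 Account=judy Source=192.0.2.9
2025-07-01T13:30:00 EventID=4625 LogonType=3 Account=karl Source=192.0.2.9
2025-07-01T13:31:00 EventID=4625 LogonType=3 Account=liam Source=192.0.2.9
2025-07-01T13:32:00 EventID=4625 LogonType=3 Account=mia Source=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"Account=(?P<acct>\S+) Source=(?P<src>\S+)$"
)

# 10 = RemoteInteractive; 3 = Network, which RDP failures use when NLA is enabled.
RDP_LOGON_TYPES = {"10", "3"}


def parse_logon_events(text):
    """Return (timestamp, event_id, account, source_ip) for RDP-relevant 4624/4625 records."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["lt"] not in RDP_LOGON_TYPES or m["eid"] not in ("4624", "4625"):
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["eid"], m["acct"].lower(), m["src"]))
    return events


def detect_password_spray(text, window=timedelta(minutes=10), min_accounts=5):
    """Flag source IPs whose failed logons hit >= min_accounts distinct accounts inside
    any span of length `window`. Repeated failures against ONE account do not match."""
    failures = defaultdict(list)   # src -> [(ts, account)]
    successes = defaultdict(list)  # src -> [ts]
    for ts, eid, acct, src in parse_logon_events(text):
        if eid == "4625":
            failures[src].append((ts, acct))
        else:
            successes[src].append(ts)

    findings = {}
    for src, evs in failures.items():
        evs.sort()
        best_n, best_accounts, left = 0, set(), 0
        for right in range(len(evs)):
            while evs[right][0] - evs[left][0] > window:  # slide the window forward
                left += 1
            accounts = {a for _, a in evs[left:right + 1]}
            if len(accounts) > best_n:
                best_n, best_accounts = len(accounts), accounts
        if best_n >= min_accounts:
            first_failure = evs[0][0]
            findings[src] = {
                "accounts": sorted(best_accounts),
                "failures": len(evs),
                # A successful logon after the spray began is the "spray worked" signal.
                "followed_by_success": any(t > first_failure for t in successes[src]),
            }
    return findings


if __name__ == "__main__":
    for src, info in detect_password_spray(SAMPLE_LOG).items():
        print(src, info)
```

With the defaults only 203.0.113.7 is flagged, with six accounts and a subsequent success; lowering `min_accounts` to 3 also surfaces 192.0.2.9, while the single mistyping user never matches. The window and threshold are the tuning knobs: a slow spray spread over hours needs a wider window, at the cost of more noise from shared NAT addresses.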
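The Rapid7 story above rests on the property of Python pickle that the file, not the loader, decides which importable callables get invoked during deserialization, and torch.load() uses pickle for the data.pkl inside a .pth archive. The following is an added example, not code from Rapid7 Labs, PyTorch or this digest, showing the two defensive controls a model-validation step would apply: a static scan that lists the globals a pickle would import without loading it, and an allowlisting Unpickler that aborts the load on anything outside that list (the pattern from the Python documentation's "Restricting Globals" section). Both inputs are constructed; the second deliberately references the harmless builtins.len so that the mechanism, a loader executing a callable chosen by the file, is visible without any side effect. The allowlist content is an assumption for the example; a real project tunes it to its own serialization format, or sidesteps pickle entirely with torch.load(weights_only=True) or the safetensors format.

```python
import io
import pickle
import pickletools
from collections import OrderedDict

# Assumed allowlist for a state-dict-style file; a real project tunes this to its format.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}

# Opcodes that push a string operand; STACK_GLOBAL consumes the two most recent ones.
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def referenced_globals(data):
    """Statically list the (module, name) pairs a pickle would import, without loading it."""
    found, recent_strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":              # protocols 0-3: inline "module name" operand
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":      # protocol 4+: module and name pushed as strings
            if len(recent_strings) >= 2:
                found.append((recent_strings[-2], recent_strings[-1]))
            else:                            # operands came from the memo; treat as unknown
                found.append(("<unresolved>", "<unresolved>"))
        elif op.name in STRING_OPS:
            recent_strings.append(arg)
    return found


def blocked_globals(data):
    """Globals referenced by the pickle that are NOT on the allowlist (empty set == clean)."""
    return {g for g in referenced_globals(data) if g not in ALLOWED_GLOBALS}


class RestrictedUnpickler(pickle.Unpickler):
    """Enforce the allowlist at load time: any other import attempt aborts the load."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def safe_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    # Constructed "model file": a plain state dict, which needs only OrderedDict.
    benign = pickle.dumps({"layer.weight": [0.1, 0.2], "meta": OrderedDict(epoch=3)})
    # Constructed protocol-0 pickle: GLOBAL builtins.len, MARK, STRING 'abc', TUPLE,
    # REDUCE, STOP. A plain load calls len("abc") because the file told it to.
    tricky = b"cbuiltins\nlen\n(S'abc'\ntR."
    results = {
        "benign_blocked": blocked_globals(benign),           # set()
        "tricky_blocked": blocked_globals(tricky),           # {("builtins", "len")}
        "plain_load_result": pickle.loads(tricky),           # 3: the loader ran len("abc")
        "benign_safe_epoch": safe_loads(benign)["meta"]["epoch"],
    }
    try:
        safe_loads(tricky)
        results["tricky_safe_rejected"] = False
    except pickle.UnpicklingError:
        results["tricky_safe_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The static scan is the check to run on a downloaded file before anything touches it (for a .pth archive, unzip and scan data.pkl); the restricted unpickler is the belt-and-braces control for the load itself. Note that the scanner's string tracking is deliberately simple: when a STACK_GLOBAL operand was fetched from the memo rather than pushed inline, it reports the reference as unresolved, which the caller should treat as a block rather than a pass.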