Cyware Daily Threat Intelligence, July 24, 2025

Daily Threat Briefing • July 24, 2025
Storm-2603 is slipping through SharePoint’s cracks and locking the doors behind it. The suspected China-based threat group is exploiting two SharePoint vulnerabilities to deploy Warlock ransomware. The group uses Mimikatz for credential theft and moves laterally with PsExec. At least 400 organizations have already been impacted.
When your router has more holes than a sieve, it’s time to worry. Researchers uncovered several critical vulnerabilities in Weidmueller IE-SR-2TX industrial routers. These flaws allow remote attackers to gain root-level code execution, posing a significant risk to industrial networks and critical infrastructure.
Chaos by name, chaos by method. A new RaaS group called Chaos is conducting high-impact ransomware campaigns through a number of tactics, using remote management tools for long-term access. Chaos supports multiple platforms and avoids politically sensitive or healthcare-related victims, offering automated control panels and individualized encryption keys per infection.
Storm-2603 drops Warlock ransomware
Storm-2603, a suspected China-based threat actor, is actively exploiting vulnerabilities in SharePoint to deploy Warlock ransomware on unpatched on-premises servers. The attacks chain CVE-2025-49706, a spoofing vulnerability, with CVE-2025-49704, an RCE vulnerability, to gain initial access through a web shell payload. Once inside, the threat actor runs commands under the w3wp.exe IIS worker process to check its privileges and to disable Microsoft Defender protections. Storm-2603 maintains persistence by creating scheduled tasks and modifying IIS components. Credentials are harvested with Mimikatz, and lateral movement is carried out with tools such as PsExec. The campaign has already compromised at least 400 victims; Microsoft has also observed other China-based groups, APT27 (Linen Typhoon) and APT31 (Violet Typhoon), exploiting the same flaws. Because the web shell can steal the server's ASP.NET machine keys, patching alone is not sufficient: Microsoft's guidance is to rotate the machine keys and restart IIS after applying the update.
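A hunting routine for the post-exploitation chain described above, written for this briefing as an added example (it is not Microsoft's or Cyware's code). It walks process-creation telemetry for a shell whose ancestry includes the SharePoint IIS worker w3wp.exe, and separately flags Defender tampering, scheduled-task persistence, Mimikatz module names and PsExec launches on the command line. The events are constructed in a simplified Sysmon Event ID 1 shape; the specific command lines, rule names and paths are assumptions for illustration, not observed indicators from the campaign.

```python
"""Hunt for w3wp.exe -> shell lineage plus follow-on tradecraft in
process-creation events. All events below are CONSTRUCTED sample records
written for this example, not captured telemetry."""
import re
from typing import Dict, List, Tuple

# Constructed sample events (Sysmon Event ID 1 fields, simplified).
EVENTS: List[Dict] = [
    {"pid": 4120, "ppid": 900,  "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "cmd": 'w3wp.exe -ap "SharePoint - 80"'},
    {"pid": 4312, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c whoami"},
    {"pid": 4330, "ppid": 4312, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"pid": 4351, "ppid": 4312, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r"schtasks.exe /create /sc minute /mo 30 /tn Sync /tr C:\ProgramData\s.exe /ru SYSTEM"},
    {"pid": 4402, "ppid": 4312, "image": r"C:\Temp\m.exe",
     "cmd": 'm.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"pid": 4470, "ppid": 4312, "image": r"C:\Temp\PsExec.exe",
     "cmd": r"PsExec.exe \\FS01 -s -d cmd.exe /c C:\ProgramData\s.exe"},
    # Benign activity that must not fire.
    {"pid": 5100, "ppid": 2000, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 5120, "ppid": 5100, "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Command-line rules (hypothetical rule names), matched case-insensitively.
CMDLINE_RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("defender_tamper", re.compile(r"Set-MpPreference\s+-Disable|Add-MpPreference\s+-Exclusion", re.I)),
    ("schtask_persist", re.compile(r"schtasks(\.exe)?\s+/create", re.I)),
    ("mimikatz_module", re.compile(r"sekurlsa::|lsadump::|privilege::debug", re.I)),
    ("psexec_lateral",  re.compile(r"psexec(64)?\.exe\s+\\\\", re.I)),  # PsExec \\host
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def lineage(ev: Dict, by_pid: Dict[int, Dict]) -> List[str]:
    """Image basenames from the event's own process up through its ancestors.
    A 'seen' set guards against PID reuse creating a cycle."""
    chain: List[str] = []
    seen: set = set()
    cur = ev
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        chain.append(basename(cur["image"]))
        cur = by_pid.get(cur["ppid"])
    return chain


def hunt(events: List[Dict]) -> List[Tuple[int, str]]:
    """Return (pid, rule) findings. The lineage rule fires when an IIS worker
    is any ancestor of a shell; command-line rules fire on content alone."""
    by_pid = {e["pid"]: e for e in events}
    findings: List[Tuple[int, str]] = []
    for ev in events:
        chain = lineage(ev, by_pid)
        if chain[0] in SHELLS and "w3wp.exe" in chain[1:]:
            findings.append((ev["pid"], "iis_worker_spawned_shell"))
        for name, pat in CMDLINE_RULES:
            if pat.search(ev["cmd"]):
                findings.append((ev["pid"], name))
    return findings


if __name__ == "__main__":
    for pid, rule in hunt(EVENTS):
        print(f"pid={pid} rule={rule}")
```

On the constructed events this yields six findings: the cmd.exe and powershell.exe children of w3wp.exe (lineage), the Defender tampering, the scheduled task, the Mimikatz module names and the PsExec launch; the explorer.exe and notepad.exe records stay silent. In production the lineage rule is the durable one, since a SharePoint worker process has no legitimate reason to spawn an interactive shell, whereas the command-line patterns are trivially renamed around.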
New Chaos ransomware group emerges with threats
Chaos is a new RaaS group conducting big-game hunting and double-extortion attacks, using spam flooding, voice-based social engineering, and RMM tools for persistent access. The ransomware employs multi-threaded selective encryption and anti-analysis techniques, and targets both local and network resources. Victims are primarily in the U.S., with fewer cases in the U.K., New Zealand, and India; Chaos avoids targeting BRICS/CIS countries, hospitals, and government entities. Chaos is actively promoted on Russian-speaking dark web forums and offers cross-platform compatibility for Windows, ESXi, Linux, and NAS systems. The ransomware uses unique encryption keys per file, rapid encryption speeds, and automated panels for managing targets and communications.
Chinese hackers spread PhantomNet and Ghost RAT
Two cyber campaigns, Operation GhostChat and Operation PhantomPrayers, targeted the Tibetan community around the Dalai Lama's 90th birthday. These campaigns were attributed to a China-nexus APT group. Attackers compromised legitimate websites and redirected users to malicious sites, distributing malware such as Ghost RAT and PhantomNet backdoors through multi-stage infection chains. Operation GhostChat involved a fake webpage mimicking tibetfund[.]org, tricking users into downloading a backdoored version of the Element messaging app. Operation PhantomPrayers used a malicious application disguised as "prayer check-in" software, employing social engineering and advanced encryption techniques.
Bugs in Weidmueller Industrial Routers
Multiple high- and critical-severity vulnerabilities have been discovered in Weidmueller Industrial Routers, potentially enabling attackers to execute arbitrary code with root privileges on affected devices. The flaws, CVE-2025-41663, CVE-2025-41687, CVE-2025-41661, CVE-2025-41683, and CVE-2025-41684, impact several models within the IE-SR-2TX router series, which is widely used in industrial networks and critical infrastructure. CVE-2025-41663 and CVE-2025-41687 are rated critical with a CVSS score of 9.8; the others range from high to critical severity. Exploiting these vulnerabilities could lead to complete compromise of the router, allowing attackers to manipulate industrial processes behind it or steal sensitive information.
Actively exploited Chromium flaw, warns CISA
CISA issued an alert regarding a severe input validation vulnerability, CVE-2025-6558, in Google Chromium. The flaw, which affects the ANGLE and GPU components, allows a remote attacker to escape the browser sandbox via a specially crafted HTML page. Because the bug is in the Chromium engine, it affects not only Google Chrome but also other Chromium-based browsers such as Microsoft Edge and Opera. CISA added the vulnerability to its KEV catalog, indicating active exploitation in the wild, so organizations should confirm that all Chromium-based browsers in their fleet have received the fix.
Soco404: Multi-platform cryptomining campaign
Wiz Research identified the Soco404 cryptomining campaign, which exploits weaknesses across cloud environments to deploy platform-specific malware. Attackers disguise malicious activity using techniques like process masquerading, and maintain persistence through cron jobs and shell initialization files. Payloads are embedded in fake 404 HTML pages hosted on compromised websites, including some built with Google Sites. The campaign targets PostgreSQL instances, leveraging their COPY ... FROM PROGRAM functionality to achieve remote code execution. Since COPY ... FROM PROGRAM is available only to superusers and members of the pg_execute_server_program role, the attackers first need that level of access to the exposed instance. They use automated scans and various tools (e.g., wget, curl, PowerShell) to exploit entry points and deliver payloads.
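A privilege audit for the PostgreSQL primitive abused above, added here as an example and not part of Wiz's or Cyware's material. COPY ... FROM PROGRAM runs an OS command as the database server's user and is permitted to superusers and to members of the predefined pg_execute_server_program role (PostgreSQL 11 and later). The script resolves role membership transitively, stopping inheritance at NOINHERIT roles the way PostgreSQL does (pre-16 role-level INHERIT semantics), and separately reports roles that can still reach the privilege with SET ROLE. The catalog rows are constructed to mimic pg_roles and pg_auth_members output; the role names are assumptions.

```python
"""Which roles can run COPY ... FROM PROGRAM? Superusers, plus anyone who is
(or inherits / can SET ROLE to) pg_execute_server_program. Catalog rows
below are CONSTRUCTED sample data, not output from a real server."""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

TARGET = "pg_execute_server_program"

# SQL that produces the two result sets this script consumes.
ROLE_QUERY = "SELECT rolname, rolsuper, rolinherit FROM pg_roles;"
MEMBER_QUERY = """
SELECT r.rolname AS role, m.rolname AS member
FROM pg_auth_members am
JOIN pg_roles r ON r.oid = am.roleid
JOIN pg_roles m ON m.oid = am.member;
"""

# Constructed rows in the shape of ROLE_QUERY / MEMBER_QUERY.
ROLES: List[Dict] = [
    {"rolname": "postgres",  "rolsuper": True,  "rolinherit": True},
    {"rolname": "app",       "rolsuper": False, "rolinherit": True},
    {"rolname": "etl",       "rolsuper": False, "rolinherit": True},
    {"rolname": "reporting", "rolsuper": False, "rolinherit": True},
    {"rolname": "ops_admin", "rolsuper": False, "rolinherit": False},  # NOINHERIT
    {"rolname": TARGET,      "rolsuper": False, "rolinherit": True},
]
MEMBERSHIPS: List[Tuple[str, str]] = [  # (role, member): member belongs to role
    (TARGET, "etl"),
    ("etl", "reporting"),
    (TARGET, "ops_admin"),
]


def reachable(start: str, roles: Dict[str, Dict], members_of: Dict[str, Set[str]],
              inherit_only: bool) -> Set[str]:
    """Roles whose privileges `start` can use. With inherit_only=True the walk
    stops at any NOINHERIT role (PostgreSQL does not pass privileges through
    it); with inherit_only=False every membership counts, i.e. SET ROLE reach."""
    seen: Set[str] = set()
    stack = [start]
    while stack:
        cur = stack.pop()
        if inherit_only and not roles[cur]["rolinherit"]:
            continue
        for parent in members_of.get(cur, ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return seen


def audit_copy_program(role_rows: List[Dict],
                       memberships: List[Tuple[str, str]]) -> Dict[str, Optional[str]]:
    """Map each non-predefined role to how it reaches COPY FROM PROGRAM, or None."""
    roles = {r["rolname"]: r for r in role_rows}
    members_of: Dict[str, Set[str]] = defaultdict(set)
    for role, member in memberships:
        members_of[member].add(role)

    report: Dict[str, Optional[str]] = {}
    for name, row in roles.items():
        if name.startswith("pg_"):  # predefined roles cannot log in; skip them
            continue
        if row["rolsuper"]:
            report[name] = "superuser"
        elif TARGET in reachable(name, roles, members_of, inherit_only=True):
            report[name] = f"inherits {TARGET}"
        elif TARGET in reachable(name, roles, members_of, inherit_only=False):
            report[name] = f"can SET ROLE {TARGET}"
        else:
            report[name] = None
    return report


def revoke_statements(memberships: List[Tuple[str, str]]) -> List[str]:
    """REVOKE statements for every direct grant of the target role."""
    return [f"REVOKE {TARGET} FROM {m};" for role, m in memberships if role == TARGET]


if __name__ == "__main__":
    for name, how in audit_copy_program(ROLES, MEMBERSHIPS).items():
        print(f"{name:<10} {how or 'no access'}")
    print("\n".join(revoke_statements(MEMBERSHIPS)))
```

On the constructed data, postgres is flagged as superuser, etl and reporting inherit the privilege (reporting only indirectly, through etl), and ops_admin, despite being NOINHERIT, can still reach it with SET ROLE, so it must be revoked as well. Only the direct grants need a REVOKE; the indirect path through etl disappears with it. On PostgreSQL 16 and later, inheritance is controlled per grant (WITH INHERIT) rather than per role, so the rolinherit column would be replaced by the inherit_option column of pg_auth_members.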