Cyware Monthly Threat Intelligence, July 2025

Monthly Threat Briefing • August 1, 2025
In a positive stride for cybersecurity, CISA has unveiled two powerful open-source tools, Thorium and the Eviction Strategies Tool. Developed with Sandia National Laboratories, Thorium automates malware and forensic analysis, processing over 10 million files per hour to supercharge incident response. The Eviction Strategies Tool, built with MITRE, helps defenders craft tailored response playbooks using frameworks like ATT&CK and D3FEND. Meanwhile, Romanian and U.K. authorities, aided by Europol and Eurojust, dismantled a €580,000 ATM fraud ring exploiting transaction reversal techniques. In regulatory progress, New York has proposed new cybersecurity rules for water systems, aligning with federal guidelines and setting the stage for improved OT and IT infrastructure protection.
In troubling developments, cyber threats surged across the globe. North Korean group UNC4899 exploited LinkedIn and Telegram job lures to hijack cloud environments like AWS and Google Cloud, bypassing MFA to steal millions in cryptocurrency. Russian state hackers Secret Blizzard targeted foreign embassies in Moscow using adversary-in-the-middle (AiTM) tactics and the stealthy ApolloShadow malware to hijack systems at the ISP level. Scattered Spider attackers compromised VMware ESXi servers using social engineering, password resets, and disk-swap attacks to deploy ransomware and steal Active Directory data. Meanwhile, the SarangTrap campaign leveraged fake dating apps to steal sensitive data from Android and iOS users, with over 250 malicious apps and 88 phishing domains uncovered.
Emerging cyber threats highlight growing risks across platforms. The newly uncovered "Man in the Prompt" attack exploits browser extensions to intercept and exfiltrate data from AI tools like ChatGPT and Google Gemini, even when Gemini is inactive. On Android, the DoubleTrouble banking Trojan is spreading via Discord-hosted APKs, using real-time screen recording, phishing overlays, and MFA bypass techniques to steal sensitive data. Meanwhile, the H2Miner botnet and AI-generated Lcrypt0rx ransomware have resurfaced, deploying malware like Kinsing, using flawed yet destructive tactics like MBR overwrites. A new Konfety malware variant also uses an “evil twin” package technique, advanced obfuscation, and ad SDKs to distribute payloads and evade detection.