
Cyber Threat Weekly – #85

Derek Krein

The week of June 30th through July 6th, roughly 325 cyber news articles were reviewed.  A light amount of cyber threat trends and adversarial behavior news to share.  Been thinkin about brute force attacks and multi-factor authentication (MFA).

So many attack campaigns could have been prevented with phishing resistant multi-factor authentication.  With the many phishing kits specializing in bypassing MFA, phishing resistant MFA is no longer a nice to have.  Are our identity and access management programs mature enough to take on the next level of attack?

Let’s start with Java Debug Wire Protocol (JDWP) interfaces targeted.  Hunters International ransomware gang appears to be rebranding.  Brand impersonation, PDFs, and callback phishing.  Commercial AV/EDR evasion framework abused by infostealers.

Malicious Windows shortcut files examined.  Scattered Spider recent attack observations.


Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!

Known exploited software flaws are one of the top 4 initial access vectors and have increased sharply in recent months.  We continue to share n-day vulnerabilities being actively exploited.  Priority #1, start with the CISA / VulnCheck known exploited vulnerability (KEV) catalogs.  If it’s in the catalog, it should be patched.

A close #2 priority is flaws with weaponized proof of concept (PoC) code available.  Exploit chances are higher with weaponized PoC code available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for actively exploited and weaponized PoC code available vulnerabilities.

You should consider what is exposed to the Internet.  Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices and services exposed to the Internet.
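The prioritization above (KEV first, weaponized PoC second, everything else on the normal cycle, with Internet exposure as the tie-breaker) is easy to turn into a repeatable triage step. The script below is an added example, not part of the newsletter and not CISA tooling: it reads a KEV-shaped JSON feed, applies those tiers to a list of scanner findings and flags overdue KEV due dates. The catalog is a constructed sample using the four CVE IDs named in this issue with illustrative due dates (not CISA's real dates); CVE-2099-0001 and CVE-2099-0002 are placeholder identifiers, and the asset names are made up.

```python
"""Triage CVE findings in the priority order this newsletter recommends:
KEV entries first, then flaws with weaponized PoC code, then the rest, with
Internet-exposed assets ahead of internal ones inside each tier.

Added example; the catalog below is a constructed sample shaped like the
CISA KEV JSON feed (a "vulnerabilities" list of objects with "cveID" and
"dueDate"). The CVE IDs are the four named in this issue; the dueDate values
are illustrative placeholders, not CISA's real dates. CVE-2099-0001 and
CVE-2099-0002 are placeholder identifiers, not real CVEs."""
import json
from datetime import date

SAMPLE_KEV_JSON = """{
  "vulnerabilities": [
    {"cveID": "CVE-2025-6543",  "vendorProject": "Citrix",      "product": "NetScaler ADC and Gateway", "dueDate": "2025-07-21"},
    {"cveID": "CVE-2025-48928", "vendorProject": "TeleMessage", "product": "TM SGNL",                   "dueDate": "2025-07-22"},
    {"cveID": "CVE-2025-48927", "vendorProject": "TeleMessage", "product": "TM SGNL",                   "dueDate": "2025-07-22"},
    {"cveID": "CVE-2025-6554",  "vendorProject": "Google",      "product": "Chromium V8",               "dueDate": "2025-07-23"}
  ]
}"""

# Constructed: CVEs that your own intel marks as having weaponized PoC code
# but that are not (yet) in the KEV catalog.
WEAPONIZED_POC = {"CVE-2099-0001"}

# Constructed scanner output: (asset name, CVE ID, reachable from the Internet?)
SAMPLE_FINDINGS = [
    ("workstation-17", "CVE-2025-6554", False),
    ("vpn-gw-01",      "CVE-2025-6543", True),
    ("build-srv-03",   "CVE-2099-0001", False),
    ("intranet-wiki",  "CVE-2099-0002", False),
]

EMERGENCY = "emergency patch window (24-48h)"
ROUTINE = "normal patch cycle"


def load_kev(raw_json):
    """Index a KEV-shaped feed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}


def triage(findings, kev, weaponized_poc, today):
    """Return one row per finding, most urgent first.
    tier 1: in the KEV catalog       -> emergency window, track the KEV due date
    tier 2: weaponized PoC available -> emergency window
    tier 3: everything else          -> routine cycle
    Within a tier, Internet-exposed assets sort first, then earlier KEV due dates."""
    rows = []
    for asset, cve, exposed in findings:
        entry = kev.get(cve)
        if entry is not None:
            due = date.fromisoformat(entry["dueDate"])
            tier, sla, overdue = 1, EMERGENCY, today > due
        elif cve in weaponized_poc:
            tier, sla, due, overdue = 2, EMERGENCY, None, False
        else:
            tier, sla, due, overdue = 3, ROUTINE, None, False
        rows.append({"asset": asset, "cve": cve, "tier": tier, "sla": sla,
                     "internet_exposed": exposed, "kev_due": due, "overdue": overdue})
    rows.sort(key=lambda r: (r["tier"], not r["internet_exposed"], r["kev_due"] or date.max))
    return rows


def run_demo(today_iso="2025-07-07"):
    """Triage the constructed findings as of the given date (ISO yyyy-mm-dd)."""
    return triage(SAMPLE_FINDINGS, load_kev(SAMPLE_KEV_JSON), WEAPONIZED_POC,
                  date.fromisoformat(today_iso))


if __name__ == "__main__":
    for r in run_demo():
        flag = " OVERDUE" if r["overdue"] else ""
        print(f"tier {r['tier']}  {r['asset']:<15} {r['cve']:<15} {r['sla']}{flag}")
```

In production you would replace `SAMPLE_KEV_JSON` with the downloaded CISA feed and feed `WEAPONIZED_POC` from whatever exploit-intelligence source you subscribe to; the sort key is what encodes the policy, so that is the line to adjust if your organization orders exposure and due date differently.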


CISA Known Exploited Vulnerabilities – June 30th to July 6th:

CVE-2025-6543 – Citrix NetScaler ADC and Gateway Buffer Overflow Vulnerability:
The bug is a buffer overflow leading to unintended control flow and denial of service. NetScaler must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server to be affected.

CVE-2025-48928 – TeleMessage TM SGNL Exposure of Core Dump File to an Unauthorized Control Sphere Vulnerability:
This vulnerability stems from a JSP application whose heap content is roughly equivalent to a "core dump"; a password previously sent over HTTP would be included in that dump.

CVE-2025-48927 – TeleMessage TM SGNL Initialization of a Resource with an Insecure Default Vulnerability:
This vulnerability relies on how the Spring Boot Actuator is configured, with an exposed heap dump endpoint at the /heapdump URI.
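An exposed /heapdump is a configuration problem that can be caught before deployment. The checker below is an added example, not TeleMessage's configuration and not Spring's own tooling: it parses an `application.properties` file and reports whether the actuator heap dump would be served over HTTP, showing the weak setting next to two corrected forms. The three configuration snippets are constructed, and the rules it encodes are my reading of Spring Boot 2.x/3.x actuator defaults (`management.endpoints.web.exposure.include` / `.exclude`, `management.endpoints.enabled-by-default`, `management.endpoint.heapdump.enabled`), which you should verify against the version you run.

```python
"""Flag a Spring Boot application.properties file that leaves the actuator
heap dump reachable over HTTP at /heapdump.

Added example, not TeleMessage's configuration or Spring's own tooling. The
three constructed config snippets below are illustrative. Rules encoded are my
reading of Spring Boot 2.x/3.x actuator defaults (verify for your version):
  * management.endpoints.web.exposure.include  lists endpoint IDs reachable over
    the web; "*" means all. The default exposes only health (older 2.x releases
    also exposed info).
  * management.endpoints.web.exposure.exclude  takes precedence over include.
  * management.endpoints.enabled-by-default    "false" disables every endpoint
    unless management.endpoint.<id>.enabled re-enables it.
  * management.endpoint.heapdump.enabled       "false" disables heapdump outright."""

WEAK_CONFIG = """\
# constructed: everything exposed, heapdump left at its default (enabled)
server.port=8080
management.endpoints.web.exposure.include=*
"""

HARDENED_CONFIG = """\
# constructed: only health/info over the web, and heapdump switched off entirely
server.port=8080
management.endpoints.web.exposure.include=health,info
management.endpoint.heapdump.enabled=false
"""

EXCLUDED_CONFIG = """\
# constructed: heapdump listed in include but also excluded; exclude wins
management.endpoints.web.exposure.include=health,heapdump
management.endpoints.web.exposure.exclude=heapdump
"""


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value or key: value, # and ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        sep = "=" if "=" in line else ":"
        key, _, value = line.partition(sep)
        props[key.strip()] = value.strip()
    return props


def _id_set(value):
    """Split a comma-separated list of endpoint IDs into a set."""
    return {v.strip() for v in value.split(",") if v.strip()}


def heapdump_exposed(properties_text):
    """True if /heapdump would be served over HTTP under this configuration."""
    p = parse_properties(properties_text)
    default_enabled = p.get("management.endpoints.enabled-by-default", "true").lower() != "false"
    enabled = p.get("management.endpoint.heapdump.enabled", str(default_enabled)).lower() == "true"
    if not enabled:
        return False
    include = _id_set(p.get("management.endpoints.web.exposure.include", "health"))
    exclude = _id_set(p.get("management.endpoints.web.exposure.exclude", ""))
    if "heapdump" in exclude or "*" in exclude:
        return False
    return "heapdump" in include or "*" in include


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG), ("excluded", EXCLUDED_CONFIG)):
        print(f"{name:<9} heapdump exposed: {heapdump_exposed(cfg)}")
```

The same check belongs in CI next to your Spring configuration; if the project uses `application.yml` instead, flatten the YAML to dotted keys first and hand the result to `heapdump_exposed`'s rule logic. Note that disabling the endpoint (`management.endpoint.heapdump.enabled=false`) is the more robust fix, since it does not depend on the include list staying tidy.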

CVE-2025-6554 – Google Chromium V8 Type Confusion Vulnerability:
Allows a remote attacker to perform arbitrary read/write via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.


Attackers Targeting Java Debug Wire Protocol (JDWP) Interfaces

Researchers' honeypot got hit with an interesting attack.  Abusing the JDWP interface and deploying a customized XMRig crypto-miner payload.  The threat actors covered their tracks using mining pool proxies to hide their wallet addresses.  JDWP is a Java debug capability.

https://thehackernews.com/2025/07/alert-exposed-jdwp-interfaces-lead-to.html

https://www.wiz.io/blog/exposed-jdwp-exploited-in-the-wild

https://viz.greynoise.io/tags/java-debug-wire-protocol-scanner
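The defender's question behind this story is which JVMs on your own hosts are running a JDWP agent and on what address it listens, since JDWP performs no authentication and a listener reachable from other machines hands control of the JVM to anyone who can connect. The audit script below is an added example, not from the linked articles: it parses `ps -eo pid,args` style output for the `-agentlib:jdwp=` (and legacy `-Xrunjdwp:`) options and classifies each bind address. The process listing, PIDs and paths are constructed; the interpretation of `server=y`, `address=*:PORT` and a bare port (all interfaces on JDK 8 and earlier, loopback only from JDK 9 onward) is my assumption about the JDWP agent's behaviour and worth confirming for your JDK.

```python
"""Find JVMs on a host whose JDWP debug agent is listening beyond loopback.

Added example, not from the articles linked above. JDWP performs no
authentication, so a listener reachable from other hosts is effectively
remote code execution for anyone who can connect; the defender's question is
"which of my JVMs listen, and on what address". The ps output below is
constructed. Assumptions: the agent syntax -agentlib:jdwp=... (and the legacy
-Xrunjdwp:...) with comma-separated key=value options; server=y means the JVM
listens; address=*:PORT or 0.0.0.0:PORT binds all interfaces; a bare PORT bound
all interfaces on JDK 8 and earlier but loopback only from JDK 9 onward (treat
as exposed unless you have verified the JDK version)."""
import re
from ipaddress import ip_address

JDWP_RE = re.compile(r"(?:-agentlib:jdwp=|-Xrunjdwp:)(\S+)")

# Constructed `ps -eo pid,args` output; PIDs and paths are made up.
SAMPLE_PS = """\
  PID COMMAND
 1203 java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005 -jar /opt/app/api.jar
 1344 java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=127.0.0.1:5005 -jar /opt/app/worker.jar
 1512 java -Xrunjdwp:transport=dt_socket,server=y,address=8000 -jar /opt/legacy/batch.jar
 1601 java -agentlib:jdwp=transport=dt_socket,server=n,address=10.0.0.9:5005 -jar /opt/app/client.jar
 1755 java -jar /opt/app/web.jar
"""

ANY_HOST = {"*", "0.0.0.0", "::"}


def parse_jdwp_options(cmdline):
    """Return the JDWP key=value options from a java command line, or None."""
    m = JDWP_RE.search(cmdline)
    if not m:
        return None
    opts = {}
    for item in m.group(1).split(","):
        key, _, value = item.partition("=")
        opts[key] = value
    return opts


def classify_bind(address):
    """Where a listening JDWP agent with this address= value is reachable from."""
    if not address:
        return "ephemeral"      # JVM picks a port; JDK 9+ defaults to loopback (assumption)
    host, sep, _port = address.rpartition(":")
    if not sep:
        return "port-only"      # all interfaces on JDK <= 8, loopback on JDK 9+ (assumption)
    host = host.strip("[]")
    if host in ANY_HOST or host == "":
        return "all-interfaces"
    if host == "localhost":
        return "loopback"
    try:
        return "loopback" if ip_address(host).is_loopback else "specific-interface"
    except ValueError:
        return "hostname"       # resolved at startup; treat like a specific interface


def audit(ps_text):
    """One finding per java process carrying a JDWP agent, in ps order."""
    findings = []
    for line in ps_text.splitlines()[1:]:          # skip the ps header line
        pid, _, args = line.strip().partition(" ")
        opts = parse_jdwp_options(args)
        if opts is None:
            continue
        listening = opts.get("server", "n") == "y"
        bind = classify_bind(opts.get("address", "")) if listening else "not-listening"
        # Anything we cannot prove is loopback-only counts as exposed.
        exposed = listening and bind != "loopback"
        findings.append({"pid": int(pid), "listening": listening, "bind": bind, "exposed": exposed})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_PS):
        print(f"pid {f['pid']:<6} bind={f['bind']:<18} exposed={f['exposed']}")
```

Run it against real `ps` output on build servers and container hosts, where debug flags left over from troubleshooting tend to survive; anything reported as exposed should either be removed from the launch options or re-bound to `127.0.0.1`, with the debugger reached over an authenticated tunnel instead.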


Hunters International Rebranding into the Extortion-Only WorldLeaks

The Ransomware-as-a-Service (RaaS) operators announced they are shutting down.  They are offering free decryption software for those affected.  Widely believed to be a rebrand of Hive ransomware, Hunters International now appears to be rebranding to the WorldLeaks data extortion only group.

https://www.bleepingcomputer.com/news/security/hunters-international-ransomware-shuts-down-after-world-leaks-rebrand/

https://www.group-ib.com/blog/hunters-international-ransomware-group/


Recent Brand Impersonation via PDF Phishing Observed

Researchers share multiple social engineering techniques delivered over email via PDF recently.  Brand impersonation was the starting point, QR code via PDF, entire emails via PDF, and telephone-oriented attack delivery where the attackers get the victim to call them.  Social engineering is always in style.

https://www.malwarebytes.com/blog/news/2025/07/microsoft-paypal-docusign-and-geek-squad-faked-in-callback-phishing-scams

https://blog.talosintelligence.com/pdfs-portable-documents-or-perfect-deliveries-for-phish/


SHELLTER – Commercial Evasion Framework Abused by Infostealers

Designed to evade AV/EDR for red teams and sanctioned security evaluations.  Unfortunately, bad actors have gotten hold of it.  Researchers have found SHELLTER used in multiple infostealers since April 2025.

https://www.elastic.co/security-labs/taking-shellter


Exploiting Malicious Windows LNK Files

Analysis of 30,000 recent Windows shortcut .lnk files indicates they fall into four categories.  Researchers describe each technique and provide examples.  As the abuse of LNK files continues to grow, it’s important to understand how easily they can be abused by threat actors.

https://unit42.paloaltonetworks.com/lnk-malware/


CrowdStrike Shares Recent Scattered Spider Observations

It appears the threat actors are up to the same games they always play.  Social engineering of privileged accounts for initial access starts it off.  Lateral movement to SaaS and cloud environments, and VMware vCenter and ESXi environments.  TTPs and common attack methods are shared.

https://www.crowdstrike.com/en-us/blog/crowdstrike-services-observes-scattered-spider-escalate-attacks/

