Executive Summary - Highlights of Cyber Threat Intelligence Digest
Vulnerabilities
Google Patched Six Vulnerabilities in Android Devices, Including Two Actively Exploited Qualcomm Vulnerabilities (CVE-2025-21479 and CVE-2025-27038) - On 4 August 2025, Google released patches for six vulnerabilities affecting Android components, including Framework, System, Arm, and Qualcomm GPU elements. Two of these - CVE-2025-21479 and CVE-2025-27038 - are currently being actively exploited. Qualcomm initially addressed both flaws on 2 June, and the US Cybersecurity and Infrastructure Security Agency (CISA) added them to its Known Exploited Vulnerabilities (KEV) list a day later.
The actively exploited bugs affect Qualcomm’s Adreno GPU. CVE-2025-21479 is a critical authorisation flaw that allows attackers to execute unauthorised GPU micronode commands, leading to memory corruption. CVE-2025-27038 is a high-severity use-after-free vulnerability, also enabling memory corruption. Both present serious risks if left unpatched.
The remaining four vulnerabilities include two in Framework (CVE-2025-22441 and CVE-2025-48533), both high-severity issues allowing privilege escalation; one critical flaw in System (CVE-2025-48530), which could permit arbitrary code execution; and one in Arm components (CVE-2025-0932), allowing access to freed memory. Google’s latest Android updates include fixes for all six issues, and organisations are strongly encouraged to apply them promptly.
Threat Actors Attempt Exploitation of Microsoft SharePoint Vulnerabilities to Deploy 4L4MD4R Ransomware - On 31 July 2025, Unit 42 reported a failed exploitation attempt targeting a set of Microsoft SharePoint vulnerabilities known collectively as “ToolShell” (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771). Although the 27 July attempt was unsuccessful, it led to the discovery of a ransomware delivery chain involving a customised variant of the open-source “Mauri870” ransomware, named “4L4MD4R.” The associated threat infrastructure, tracked as CL-CRI-1040, shows moderate confidence overlap with Microsoft’s Storm-2603 cluster. Broader attacks linked to this infrastructure have targeted government, healthcare, education, and large enterprises. Despite patches being issued by Microsoft, both Microsoft and Unit 42 recommend immediate cryptographic key rotation and engaging incident response teams to ensure no persistence remains.
The initial activity featured an obfuscated PowerShell command designed to bypass certificate validation and disable real-time monitoring. It attempted to download a ransomware loader from ice[.]theinnovationfactory[.]it. The Go-based malware “4L4MD4R” is packed with UPX and decrypts an AES-encrypted payload in memory, allocates space for a PE file, and executes it in a new thread. Once deployed, it encrypts system files and establishes C2 communication with bpp[.]theinnovationfactory[.]it over port 445, sending encrypted JSON data via POST requests.
The malware drops two ransom-related files—DECRYPTION_INSTRUCTIONS.html and ENCRYPTED_LIST.html—and demands a payment of 0.005 BTC, directing victims to contact m4_cruise[@]proton[.]me or send funds to a specified Bitcoin wallet.
Researchers Disclose CurXecute RCE Vulnerability CVE-2025-54135 in Cursor IDE; No Active Exploitation Observed - On 1 August 2025, Aim Security disclosed a high-severity remote code execution (RCE) vulnerability in Cursor IDE, an AI-powered code editor widely used by developers to integrate external tools. Tracked as CVE-2025-54135 and dubbed “CurXecute,” the flaw affects all versions prior to 1.3. It enables threat actors to exploit the Model Context Protocol (MCP) by sending a crafted prompt - via platforms like Slack - that silently modifies the ~/.cursor/mcp.json file. This file is then executed immediately by Cursor, with no user confirmation, under developer-level privileges, allowing unauthorised code execution.
CurXecute resembles the previously disclosed EchoLeak vulnerability, with both stemming from AI agents blindly trusting input from unverified sources such as user prompts, documentation, or code suggestions. Cursor’s current design treats changes to the mcp.json file as live, meaning a malicious command can be executed simply by posting a crafted message in an MCP-linked channel. In a demonstration, Aim Security simulated an attack via a public Slack channel, showing how a prompt was processed and executed without any user interaction.
Aim Security warns that the attack surface includes any MCP-integrated service handling external content. Users are urged to upgrade to version 1.3, audit their ~/.cursor/mcp.json file, restrict agent privileges, and implement runtime controls to monitor agent activity. These mitigations are essential to prevent further exploitation through trusted collaboration platforms.
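The mitigation above asks users to audit ~/.cursor/mcp.json. The script below is an added example of what that audit can look like in practice; it is not Aim Security's or Cursor's code. It assumes the file layout Cursor uses (a top-level "mcpServers" object mapping each server name to a command and its args), and the allowlist and sample file are constructed for the example.

```python
"""Audit a Cursor-style MCP configuration file against an allowlist.

Added example, not code from Aim Security or Cursor. Assumes ~/.cursor/mcp.json
holds a top-level "mcpServers" object mapping server name -> {"command", "args"}.
"""
import hashlib
import json

# Constructed allowlist: server name -> the exact command line that was approved.
APPROVED_SERVERS = {
    "filesystem": ["npx", "-y", "@modelcontextprotocol/server-filesystem"],
}

# Constructed sample file: one approved server plus one that nobody approved.
SAMPLE_CONFIG = """{
  "mcpServers": {
    "filesystem": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem"]},
    "notes": {"command": "python3", "args": ["-c", "print('hello')"]}
  }
}"""


def load_servers(text):
    """Parse the JSON text and return the mcpServers mapping (empty if absent)."""
    data = json.loads(text)
    servers = data.get("mcpServers", {})
    if not isinstance(servers, dict):
        raise ValueError("mcpServers must be a JSON object")
    return servers


def command_line(entry):
    """Flatten an entry's command and args into one list for exact comparison."""
    args = entry.get("args", [])
    if not isinstance(args, list):
        args = [args]
    return [str(entry.get("command", ""))] + [str(a) for a in args]


def fingerprint(text):
    """SHA-256 of the canonical JSON, so re-indenting or reordering keys is not a change."""
    canonical = json.dumps(json.loads(text), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def audit(text, approved=APPROVED_SERVERS):
    """Return findings as strings; an empty list means every server matches the allowlist."""
    findings = []
    for name, entry in load_servers(text).items():
        line = command_line(entry)
        if name not in approved:
            findings.append(f"unapproved server '{name}': {' '.join(line)}")
        elif line != approved[name]:
            findings.append(f"server '{name}' command differs from allowlist: {' '.join(line)}")
    return findings


if __name__ == "__main__":
    # For the real file: open(os.path.expanduser("~/.cursor/mcp.json")).read()
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print("fingerprint:", fingerprint(SAMPLE_CONFIG))
```

Store the fingerprint of the reviewed file and re-check it on a schedule or from a file-integrity monitor; because the page notes Cursor treats edits to this file as live, the useful signal is any change that did not come from a deliberate, reviewed edit, not just entries outside the allowlist.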
Potential Threats
Threat Actors Use Malicious PDFs to Deliver Signed RMM Tools in Europe-Targeted Phishing Campaign - On 30 July 2025, WithSecure disclosed an ongoing phishing campaign active since November 2024, primarily targeting high-value sectors across Europe - particularly in France and Luxembourg. Industries affected include energy, government, banking, and construction. Attackers embedded legitimate remote monitoring and management (RMM) software download links - such as FleetDeck, Atera, Bluetrait, and ScreenConnect - into convincingly crafted PDF documents tailored to the recipient’s industry. These documents bypassed traditional security controls, linking installations directly to attacker-controlled accounts.
The malicious PDFs were created using tools like Microsoft Word, Canva, and ILovePDF. Clicking a link triggered the download and execution of a signed installer from a legitimate vendor’s domain. These RMM tools required no user input, granting immediate remote access to the attackers. Their trusted sources and clean signatures often allowed them to evade detection by standard security systems.
WithSecure also identified a shift in delivery methods, with attackers exploiting Zendesk’s trusted support ticket infrastructure to distribute clean, signed RMM tools. By leveraging reputable domains, this method further reduced detection rates and increased the credibility of the phishing attempts.
Threat Actors Conduct Ongoing Phishing Campaign Targeting Firefox Add-on Developers - On 1 August 2025, Mozilla disclosed an ongoing phishing campaign targeting developer accounts on its browser add-ons platform, addons.mozilla.org. At least one developer confirmed falling victim to the campaign. Due to the centralised nature of Firefox extension distribution, a compromised developer account could enable threat actors to push malicious updates to users via trusted extension channels, potentially putting large numbers of users at risk.
The phishing emails were crafted to impersonate Mozilla’s Add-ons team, claiming that developers needed to update their accounts. These messages included links to non-Mozilla domains, likely intended to capture login credentials. Mozilla has urged developers to verify the authenticity of such emails by checking that they pass SPF, DKIM, and DMARC validation, and to avoid clicking on embedded links, even if the message appears legitimate.
As of the time of reporting, no malicious extensions have been uploaded through compromised accounts, and there has been no confirmation of any alterations to user-facing content. Mozilla has not disclosed the number of developers targeted or affected, but it continues to monitor the situation and provide guidance to help prevent further compromise.
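Mozilla's advice above is to check that such emails pass SPF, DKIM and DMARC and to distrust links to non-Mozilla domains. The following is an added example of an automated triage step that does both; it is not Mozilla's code. It assumes your receiving mail server adds an Authentication-Results header with those verdicts, and the trusted-domain list and both sample messages are constructed for the example.

```python
"""Triage an email that claims to come from the Mozilla Add-ons team.

Added example, not Mozilla's code. Assumes the inbound mail server stamps an
Authentication-Results header; the trust list and samples are constructed.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

TRUSTED_DOMAINS = ("mozilla.org", "mozilla.com")  # constructed trust list
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample: lookalike sender domain, failing authentication, off-domain link.
PHISH = """\
From: Mozilla Add-ons <noreply@addons-mozilla.example>
To: dev@example.net
Subject: Action required: update your developer account
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=addons-mozilla.example; dkim=none; dmarc=fail header.from=addons-mozilla.example
Content-Type: text/plain

Your add-on developer account must be updated within 24 hours:
https://login.addons-mozilla.example/update
"""

# Constructed sample of a genuine notice as it would look after authentication.
LEGIT = """\
From: Mozilla Add-ons <notifications@mozilla.org>
To: dev@example.net
Subject: Your add-on review is complete
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=mozilla.org; dkim=pass header.i=@mozilla.org; dmarc=pass header.from=mozilla.org
Content-Type: text/plain

Review notes are available at https://addons.mozilla.org/en-US/developers/
"""


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from every Authentication-Results header."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for mechanism, verdict in AUTH_RE.findall(str(header)):
            verdicts[mechanism.lower()] = verdict.lower()
    return verdicts


def link_hosts(msg):
    """Hostnames of every URL found in the text parts of the message."""
    hosts = set()
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            for url in URL_RE.findall(part.get_content()):
                hosts.add((urlparse(url).hostname or "").lower())
    return hosts


def is_trusted(host, trusted=TRUSTED_DOMAINS):
    """Exact or subdomain match only, so a lookalike such as addons-mozilla.example fails."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def assess(raw):
    """Return the reasons to distrust the message; an empty list means it checked out."""
    msg = email.message_from_string(raw, policy=policy.default)
    verdicts = auth_results(msg)
    reasons = [f"{m}={verdicts.get(m, 'missing')}"
               for m in ("spf", "dkim", "dmarc") if verdicts.get(m) != "pass"]
    reasons += [f"link to untrusted host {h}"
                for h in sorted(link_hosts(msg)) if not is_trusted(h)]
    return reasons


if __name__ == "__main__":
    print("phish:", assess(PHISH))
    print("legit:", assess(LEGIT))
```

One caveat a practitioner should keep in mind: a sender can include its own Authentication-Results header, so this check is only meaningful if your mail server strips inbound copies and adds one of its own (the authserv-id at the start of the header, mx.example.net in the samples, is what identifies yours).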
SonicWall urges customers to take VPN devices offline after ransomware campaign - Cybersecurity firms have warned of a likely zero-day vulnerability in SonicWall devices, potentially exploited by ransomware groups to breach dozens of organisations. Arctic Wolf and Huntress reported a spike in Akira ransomware attacks, with initial access gained via SonicWall Gen 7 firewalls using SSL VPNs. While SonicWall has not commented directly, it acknowledged the campaign and is investigating whether a new or existing flaw is responsible. The company advised disabling SSL VPN services and promised firmware updates if a new vulnerability is confirmed.
Arctic Wolf noted that even fully patched devices had been compromised after credential resets, suggesting exploitation beyond typical brute force or credential stuffing methods. Huntress reported around 20 incidents since 25 July, involving credential theft, lateral movement, and ransomware deployment - some bypassing multi-factor authentication. Both firms believe the nature and speed of the attacks strongly indicate an active zero-day exploit.
The campaign follows Google's recent warning about SonicWall’s end-of-life SMA 100 devices. Security firms, including Sophos, are urging organisations to disable SonicWall SSL VPN services until patches are available. Given SonicWall appliances serve as secure access gateways, the suspected vulnerability poses a significant risk across affected networks.
General News
Cisco discloses data breach impacting Cisco.com user accounts - Cisco has revealed that cybercriminals accessed basic user profile information from Cisco.com accounts following a voice phishing (vishing) attack targeting a company employee. The breach, discovered on 24 July, occurred after an attacker tricked the staff member into granting access to a third-party, cloud-based Customer Relationship Management (CRM) system used by Cisco.
The attacker was able to extract personal and user data, including names, organisation details, Cisco-assigned user IDs, email addresses, phone numbers, and account metadata such as creation dates. However, Cisco confirmed that no passwords, sensitive information, or confidential customer data were compromised. The incident did not affect Cisco’s products, services, or other CRM system instances.
Cisco said it immediately revoked access to the compromised CRM system and launched an investigation. The company has informed relevant data protection authorities and notified affected users where required. As a precaution, Cisco is enhancing its security protocols, including additional staff training to defend against vishing attacks. The total number of affected users and whether a ransom demand was made has not yet been disclosed.
15,000 Fake TikTok Shop Domains Deliver Malware, Steal Crypto via AI-Driven Scam Campaign - Cybersecurity firm CTM360 has revealed a global scam campaign called ClickTok, targeting TikTok Shop users through phishing and malware. Threat actors create fake TikTok Shop pages and impersonate affiliates, using over 15,000 spoofed domains on TLDs such as .top and .shop to steal credentials or spread trojanised apps carrying SparkKitty malware, which steals data from Android and iOS devices.
The scam uses AI-generated videos and fake influencer profiles on Meta ads to trick users into buying counterfeit products or depositing cryptocurrency into fake wallets. The malicious app harvests login tokens via email and Google sign-ins and uses OCR to scan screenshots for crypto wallet seed phrases, which are sent to attackers.
CTM360 also highlighted CyberHeist Phish, a campaign using Google Ads to redirect banking users to fake login pages that bypass two-factor authentication. Meanwhile, Meta Mirage targets Meta Business Suite users with fake policy alerts to steal ad accounts and admin access. The U.S. Treasury’s FinCEN warns financial institutions to monitor fraud involving virtual currency kiosks to protect digital assets.
Qilin Ransomware Surging Following the Fall of the Dominant RansomHub RaaS - In Q2 2025, the ransomware scene shifted sharply after the sudden collapse of RansomHub, once the busiest ransomware-as-a-service (RaaS) platform averaging 75 victims monthly. Its abrupt exit in April left many affiliates searching for new options, which Qilin ransomware quickly exploited, nearly doubling its monthly victim count from 35 to nearly 70. This shift highlights the adaptability and resilience of ransomware groups amid disruption.
Qilin has evolved beyond traditional file encryption by combining data theft with service disruption to increase pressure on victims. They offer “legal assistance” services that analyse stolen data for regulatory breaches and prepare complaints for authorities. Automated harassment tools spam victims’ employees, customers, and partners, while the group claims “journalist” support for public exposure campaigns, likely relying heavily on AI-generated content. This approach follows a wider trend where public exposure and regulatory threats often outweigh fears of encryption.
Additionally, Qilin provides integrated DDoS attacks within its control panel, letting affiliates disrupt networks while negotiating ransoms. This expanded toolkit shows how ransomware operators innovate to stay profitable in a challenging environment. Qilin’s rise is a major power shift in ransomware, demonstrating how swiftly threat actors adapt and redistribute following major upheavals.
Threat Actor Weekly Graph
Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.
Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.
Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.
Both intent and opportunity are scored out of 100 and are responsible for scoring the group's severity. These updates can be seen below.
● Limited Severity | ● Basic Severity | ● Moderate Severity | ● High Severity
Threat Actor | Severity (previous → current) | Opportunity (previous → current) | Intent (previous → current)
---|---|---|---
BlueDelta | ● High → ● High | ● 87 → ● 86 | ● 25 → ● 25
PEAR Ransomware Group | NEW → ● Basic | NEW → ● 25 | NEW → ● 45
ShinyHunters | NEW → ● Basic | NEW → ● 40 | NEW → ● 25
Beast Ransomware Group | NEW → ● Basic | NEW → ● 25 | NEW → ● 40
Sinobi Ransomware Group | NEW → ● Basic | NEW → ● 25 | NEW → ● 30
Global Trends Powered by Recorded Future
Within each category, we have provided the current top five globally trending items. Each item is linked to how actively trending it is and is marked with a small symbol.
The spikes in references are calculated over 60 days and are normalised to ensure they aren't disproportionate when compared to bigger entities that will naturally have more baseline mentions.
▲ - Spike: indicates a large increase in reporting volume and a high diversity in the event descriptions.
▲ - Rise: indicates a small increase in reporting volume with little diversity in the descriptions.
Attackers | Trend | Methods | Trend | Vulnerabilities | Trend | Targets | Trend
---|---|---|---|---|---|---|---
Devman Ransomware Group | ▲ | Vishing | ▲ | CVE-2024-38196 | ▲ | Zangi | ▲
ShinyHunters | ▲ | SparkKitty | ▲ | CVE-2017-5753 | ▲ | Cisco | ▲
Dark Storm Team | ▲ | Interlock | ▲ | CVE-2025-53770 | ▲ | TiktokShop | ▲
Turia Group | ▲ | Brain Cipher | ▲ | CVE-2023-4966 (Citrix Bleed) | ▲ | Cloud Computing | ▲
Ukrainian Hackers | ▲ | Agenda Ransomware | ▲ | CVE-2025-40599 | ▲ | Salesforce | ▲
Prominent Information Security Events
Threat Actors Attempt Exploitation of Microsoft SharePoint Vulnerabilities to Deploy 4L4MD4R Ransomware
Source: Insikt Group | Validated Intelligence Event
IOC: IP – 145.239.97[.]206
IOC: CVEs - CVE-2025-53770, CVE-2025-49704, CVE-2025-53771, CVE-2025-49706
IOC: Domain - bpp.theinnovationfactory[.]it
IOC: URL - https://ice.theinnovationfactory[.]it/static/4l4md4r[.]exe
IOC: Hash SHA256 - 33067028e35982c7b9fdcfe25eb4029463542451fdff454007832cf953feaf1e
IOC: Email Address - m4_cruise@proton[.]me
On July 31, 2025, Unit 42 reported a failed exploitation attempt targeting Microsoft SharePoint vulnerabilities collectively tracked as “ToolShell” (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771), which led to the discovery of a ransomware delivery chain involving a variant of the open-source “Mauri870” ransomware, dubbed “4L4MD4R.” The threat infrastructure is tracked as CL-CRI-1040, with moderate confidence overlap with Microsoft’s Storm-2603 cluster. While the July 27 attempt did not succeed, broader exploitation linked to the same infrastructure has targeted government, education, healthcare, and large enterprise sectors. Although Microsoft released patches, Unit 42 and Microsoft recommend immediate cryptographic key rotation and engagement with incident response services to identify and remove any persistence mechanisms.
The July 27 activity involved an encoded PowerShell command designed to bypass certificate validation and disable real-time monitoring before attempting to download a ransomware loader. The malware, “4L4MD4R,” is written in Go and packed using UPX. It decrypts an AES-encrypted payload in memory, allocates space for a decrypted PE file, and executes it in a new thread. Once active, it encrypts system files and establishes command-and-control (C2) over port 445, transmitting encrypted JSON objects via POST requests. The malware also drops DECRYPTION_INSTRUCTIONS.html and ENCRYPTED_LIST.html, and demands 0.005 BTC via provided contact details.
Threat Actors Use Malicious PDFs to Deliver Signed RMM Tools in Europe-Targeted Phishing Campaign
Source: Insikt Group | Validated Intelligence Event
IOC: URLs -
hxxps://rmm[.]syncromsp[.]com/dl/msidjEtMzMzNTU3NTItMTc3Mzg3NjIyMi03Mjk1NS00MzA3MzY5
hxxps://rmm[.]syncromsp[.]com/dl/msi/djEtMzM1NDI2NjktMTc3NzI3MDM0My03MzMwMy00MzU1MzA4
IOC: Hash SHA256 - 22e64e7ec0056a4bbeeab7acb3d46ef796c5256c9c934369ad29c35a1df050eb
IOC: Hash SHA256 - dc129f059e6d58e1f38e0eed886a5fb165c069a8028a4c7debea1d8a028e0231
On July 30, 2025, WithSecure disclosed an ongoing phishing campaign that has been active since November 2024, primarily targeting high-value sectors such as energy, government, banking, and construction across Europe, with a particular focus on France and Luxembourg. Threat actors have been using legitimate remote monitoring and management (RMM) software download URLs - such as those from FleetDeck, Atera, Bluetrait, and ScreenConnect - embedded in deceptive PDFs crafted to resemble business documents tailored to each victim’s industry. These tactics are designed to bypass traditional security controls and install the software directly under attacker-controlled accounts. A recent evolution in the campaign involves abusing Zendesk’s support ticket system to distribute clean, signed RMM tools through trusted domains, thereby evading email filters.
The phishing documents were created using tools such as Microsoft Word, Canva, and ILovePDF. When recipients clicked the embedded links, a signed installer from a legitimate vendor domain would automatically download and run. These RMM tools required no further user interaction, granting threat actors immediate remote access. WithSecure observed that the trusted nature and digital signatures of these installers enabled them to bypass many security solutions.
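Both events above publish their indicators in defanged form (square-bracketed dots, hxxps). The script below is an added example, not Unit 42's or WithSecure's code, of turning those lists into a sweep over logs: it refangs the IOC strings exactly as they appear in this digest, classifies each one, and matches them against log lines, additionally flagging the HTTP-POST-over-port-445 pattern the 4L4MD4R write-up describes. The log lines and their format (timestamp, client, method, URL, destination port, or a FILE event carrying a sha256) are constructed for the example and will need mapping onto your own log schema.

```python
"""Refang the IOCs published in this digest and sweep constructed log lines for them.

Added example; not code from Unit 42 or WithSecure. The IOC values are the
ones listed above; the log format and lines are constructed for the example.
"""
import re
from urllib.parse import urlparse

DEFANGED_IOCS = [
    "145.239.97[.]206",
    "bpp.theinnovationfactory[.]it",
    "https://ice.theinnovationfactory[.]it/static/4l4md4r[.]exe",
    "hxxps://rmm[.]syncromsp[.]com/dl/msidjEtMzMzNTU3NTItMTc3Mzg3NjIyMi03Mjk1NS00MzA3MzY5",
    "hxxps://rmm[.]syncromsp[.]com/dl/msi/djEtMzM1NDI2NjktMTc3NzI3MDM0My03MzMwMy00MzU1MzA4",
    "33067028e35982c7b9fdcfe25eb4029463542451fdff454007832cf953feaf1e",
]

# Constructed log lines: "<ts> <client> <METHOD> <url> <dst_port>" or "<ts> <client> FILE <path> sha256=<hex>".
LOGS = [
    "2025-07-27T10:01:02Z 10.0.0.5 GET https://ice.theinnovationfactory.it/static/4l4md4r.exe 443",
    "2025-07-27T10:02:10Z 10.0.0.5 POST http://bpp.theinnovationfactory.it/ 445",
    "2025-07-27T10:03:00Z 10.0.0.7 GET https://www.example.org/index.html 443",
    "2025-07-27T10:04:00Z 10.0.0.9 GET https://rmm.syncromsp.com/dl/msi/djEtMzM1NDI2NjktMTc3NzI3MDM0My03MzMwMy00MzU1MzA4 443",
    "2025-07-27T10:05:00Z 10.0.0.9 POST http://145.239.97.206/ 445",
    "2025-07-27T10:05:30Z 10.0.0.7 POST https://api.example.org/v1/events 443",
    r"2025-07-27T10:06:00Z 10.0.0.5 FILE C:\Users\dev\Downloads\4l4md4r.exe sha256=33067028e35982c7b9fdcfe25eb4029463542451fdff454007832cf953feaf1e",
]

HTTP_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+) (\d+)$")
FILE_RE = re.compile(r"^(\S+) (\S+) FILE (\S+) sha256=([0-9a-fA-F]{64})$")


def refang(ioc):
    """Undo the usual defanging: [.] -> ., hxxp(s) -> http(s), [@] -> @."""
    s = re.sub(r"\[\.\]", ".", ioc.strip())
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s.replace("[@]", "@")


def classify(ioc):
    """Sort a refanged IOC into the bucket it will be matched from."""
    if re.fullmatch(r"[0-9a-fA-F]{64}", ioc):
        return "sha256"
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", ioc):
        return "ip"
    if "://" in ioc:
        return "url"
    return "domain"


def build_index(defanged):
    """Lower-cased lookup sets per IOC type."""
    index = {"sha256": set(), "ip": set(), "url": set(), "domain": set()}
    for raw in defanged:
        ioc = refang(raw)
        index[classify(ioc)].add(ioc.lower())
    return index


def host_matches(host, domains):
    """Exact or subdomain match against the domain IOCs."""
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_logs(lines, index):
    """Return (line number, reason) pairs for every indicator hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = HTTP_RE.match(line)
        if m:
            method, url, port = m.group(3), m.group(4), int(m.group(5))
            host = (urlparse(url).hostname or "").lower()
            if url.lower() in index["url"]:
                hits.append((n, "url match"))
            elif host in index["ip"] or host_matches(host, index["domain"]):
                hits.append((n, f"host match {host}"))
            # Reported C2 behaviour: HTTP POST bodies carried over port 445.
            if method == "POST" and port == 445:
                hits.append((n, "HTTP POST to port 445"))
            continue
        m = FILE_RE.match(line)
        if m and m.group(4).lower() in index["sha256"]:
            hits.append((n, "sha256 match"))
    return hits


if __name__ == "__main__":
    for hit in scan_logs(LOGS, build_index(DEFANGED_IOCS)):
        print(hit)
```

Two points on using this in anger: the SyncroMSP URLs are hosted on a legitimate vendor domain, so only the full URL is matched rather than the host, otherwise every sanctioned Syncro install in the estate would alert; and plain port 445 traffic is ordinary SMB, so the POST-on-445 check needs a source that decodes the application protocol (a proxy or NDR sensor), not raw flow records.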
Remediation Actions
Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable:
- CVE-2025-54135: To remediate CVE-2025-54135, immediately update Cursor to version 1.3.9, as Cursor allows writing in-workspace files with no user approval in versions below 1.3.9.
- CVE-2025-21479 and CVE-2025-27038: Google’s latest Android updates include fixes for these issues and all related CVEs, and organisations are strongly encouraged to apply them promptly.
- CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771: Microsoft has issued several patches in relation to these actively exploited CVEs. Despite these patches being issued by Microsoft, both Microsoft and Unit 42 recommend immediate cryptographic key rotation and engaging incident response teams to ensure no persistence remains.
If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.