Executive Summary
Highlights of Cyber Threat Intelligence Digest
Vulnerabilities
Citrix Patches Three NetScaler Flaws, Confirms Active Exploitation of CVE-2025-7775 - Citrix has issued security updates to fix three critical vulnerabilities in NetScaler ADC and NetScaler Gateway, including one that has already been actively exploited in the wild. The flaws include CVE-2025-7775 (CVSS 9.2), a memory overflow bug that can lead to remote code execution or denial-of-service; CVE-2025-7776 (CVSS 8.8), another memory overflow issue causing crashes or unexpected behaviour; and CVE-2025-8424 (CVSS 8.7), an improper access control weakness in the management interface. Citrix confirmed exploitation of CVE-2025-7775 but withheld technical details. These vulnerabilities require specific configurations to be exploited, such as enabling certain virtual server types, IPv6 services, or management access to sensitive IPs.
The fixes are available in updated versions of NetScaler ADC and Gateway, with no workarounds provided. Citrix credited researchers from Horizon3.ai, Schramm & Partner, and François Hämmerli for reporting the flaws. The exploitation of CVE-2025-7775 follows other recent NetScaler attacks, such as Citrix Bleed 2 (CVE-2025-5777). Adding urgency, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has listed CVE-2025-7775 in its Known Exploited Vulnerabilities catalogue as of August 26, 2025, mandating federal agencies to patch within 48 hours. This highlights the growing trend of attackers rapidly weaponising Citrix vulnerabilities for real-world attacks.
WordPress Patched CVE-2025-8592 Vulnerability in Inspiro WordPress Theme; No Active Exploitation Observed - On August 20, 2025, Inspiro released a security update addressing CVE-2025-8592, a high-severity vulnerability that affected all Inspiro theme versions up to and including 2.1.2. The patch was delivered in version 2.1.3, ensuring that users who upgrade are protected from potential exploitation. While there have been no reports of this vulnerability being actively abused in the wild, its severity warranted prompt action from the developers to prevent potential attacks.
The flaw, CVE-2025-8592, is a cross-site request forgery (CSRF) vulnerability. If successfully exploited, it allows attackers to trick a WordPress site administrator into executing a maliciously crafted request, resulting in the unauthorised installation of plugins from the WordPress repository. Such unauthorised changes could provide attackers with a foothold to compromise the entire website, leading to data loss, defacement, or service disruption. To mitigate this risk, organisations and site owners using the Inspiro theme are strongly urged to update to version 2.1.3 immediately, ensuring the security and integrity of their websites remain intact.
Russian State-Sponsored Threat Group Static Tundra Exploits CVE-2018-0171 to Compromise Cisco Devices in Years-Long Cyberespionage Campaign - Since at least 2021, the Russian state-sponsored group Static Tundra has been exploiting CVE-2018-0171, a critical flaw in end-of-life Cisco IOS and IOS XE devices, according to Cisco Talos’ August 20, 2025, report. The group - assessed as a sub-cluster of Energetic Bear (Berserk Bear), linked to Russia’s FSB Centre 16 - targets telecommunications, higher education, and manufacturing organisations across multiple regions. By automating exploits, Static Tundra extracts sensitive configuration data and establishes persistent access for espionage, often through the Smart Install feature and weak or default SNMP community strings that provide administrative control.
Once access is gained, the attackers enable TFTP servers to exfiltrate configuration files and use SNMP abuse to alter device settings, create privileged accounts, deploy backdoors, and intercept traffic through GRE tunnels. For persistence, Static Tundra relies on stolen SNMP credentials, hidden local accounts, and in some cases the SYNful Knock implant, which enables stealthy command execution via crafted TCP SYN packets and survives reboots. To evade detection, the group manipulates TACACS+ logs and access control lists, ensuring covert operations. Despite Cisco patching the flaw in 2018, many organisations continue to operate unpatched legacy devices, leaving them exposed to ongoing state-sponsored exploitation.
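The conditions described above (Smart Install left on, weak or default SNMP community strings, TFTP serving of configuration, extra privilege-15 accounts, GRE tunnels) can be checked for in a saved running-config. The following is an added example written for this digest, not tooling from Cisco Talos; the config excerpt is constructed, the list of default community strings and the 12-character minimum are this example's own policy, and Smart Install is treated as enabled unless an explicit `no vstack` line is present.

```python
import re

# Constructed running-config excerpt (not from the Cisco Talos report).
SAMPLE_CONFIG = """\
hostname edge-sw01
!
snmp-server community public RO
snmp-server community s3cure-Str1ng!2025 RW SNMP-MGMT-ACL
snmp-server community private RW
!
tftp-server flash:running-config
!
username admin privilege 15 secret 5 $1$PLACEHOLDER
username svc_backup privilege 15 secret 5 $1$PLACEHOLDER
!
interface Tunnel0
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.10
 tunnel mode gre ip
!
end
"""

# Community strings shipped as defaults or guessed first; treating anything
# shorter than 12 characters as weak is this example's own policy (assumption).
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin"}
MIN_COMMUNITY_LEN = 12


def audit_ios_config(config: str, expected_admins=("admin",)) -> dict:
    """Flag the configuration conditions the Static Tundra tradecraft relies on."""
    findings = {
        "smart_install_enabled": True,   # assumed on until 'no vstack' is seen
        "weak_snmp_communities": [],
        "snmp_rw_without_acl": [],
        "tftp_server_lines": [],
        "unexpected_priv15_users": [],
        "gre_tunnels": [],
    }
    current_interface = None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "no vstack":
            findings["smart_install_enabled"] = False
        elif line.startswith("snmp-server community "):
            m = re.match(r"snmp-server community (\S+) (RO|RW)(?: (\S+))?$", line)
            if m:
                community, mode, acl = m.groups()
                if community.lower() in DEFAULT_COMMUNITIES or len(community) < MIN_COMMUNITY_LEN:
                    findings["weak_snmp_communities"].append(community)
                if mode == "RW" and acl is None:
                    findings["snmp_rw_without_acl"].append(community)
        elif line.startswith("tftp-server "):
            # Serving files over TFTP is how configuration data left the device above.
            findings["tftp_server_lines"].append(line)
        elif line.startswith("username "):
            m = re.match(r"username (\S+) privilege 15\b", line)
            if m and m.group(1) not in expected_admins:
                findings["unexpected_priv15_users"].append(m.group(1))
        elif line.startswith("interface "):
            current_interface = line.split(None, 1)[1]
        elif line.startswith("tunnel mode gre") and current_interface:
            findings["gre_tunnels"].append(current_interface)
    return findings


if __name__ == "__main__":
    for key, value in audit_ios_config(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run against configs collected by your normal backup process; a GRE tunnel or privilege-15 user that nobody can account for is the kind of change the report says attackers introduce after SNMP abuse, and RW community strings without an ACL are the enabler.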
Potential Threats
Threat Actors Use UpCrypter Malware in Ongoing Phishing Campaign Targeting Multiple Industries - On August 25, 2025, Fortinet disclosed a global phishing campaign delivering the UpCrypter malware, which is being used against sectors including manufacturing, technology, healthcare, construction, retail, and hospitality. UpCrypter acts as a loader to deploy multiple remote access trojans (RATs), granting attackers full control of compromised systems. The identity of the threat actor behind the campaign remains unknown.
The attack chain starts with phishing emails posing as missed voicemail alerts or purchase orders. These contain malicious HTML attachments that lead victims to spoofed websites tailored with their domains and logos. Victims are then served ZIP files with obfuscated JavaScript droppers that run PowerShell commands to install UpCrypter. Once installed, the malware establishes persistence, evades analysis, and deploys RATs like PureHVNC, DCRat, and Babylon RAT for extensive remote access.
TA-NATALSTATUS Uses Redis Misconfigurations and Employs Rootkit-like Techniques in Global Cryptojacking Campaign Targeting Exposed Servers - On August 21, 2025, CloudSEK reported on TA-NATALSTATUS, a cryptojacking threat actor active since at least 2020. The group primarily targets exposed Redis servers across the U.S., Europe, Russia, India, and the Asia-Pacific region. Initially limited to simple cryptominer deployments, TA-NATALSTATUS has grown into a more advanced operation capable of stealthy infrastructure takeovers for long-term persistence. The actor exploits unauthenticated Redis servers on port 6379, using legitimate commands to install malicious cron jobs that grant ongoing access.
Once inside, the group disables security protections, hides binaries, blocks Redis ports, and removes competing miners while securing its foothold through SSH keys, file locks, and a “dead man’s switch” script that reinstalls malware if removed. Infected hosts are then equipped with additional scripts to scan for new Redis targets and expand operations. Despite these aggressive tactics, TA-NATALSTATUS remains focused on cryptojacking, with no evidence of lateral movement or data theft outside Redis environments.
Threat Actors Abuse VPS Services to Hijack SaaS Accounts and Conduct Phishing Activity - On August 21, 2025, Darktrace reported that threat actors exploited commercial virtual private server (VPS) infrastructure to gain unauthorised access to software-as-a-service (SaaS) accounts across multiple customer networks. The actors leveraged VPS services from providers including Hivelocity, Host Universal, Hyonix, and Mevspace to bypass geolocation-based security checks and to remove phishing-related emails from user mailboxes after compromising accounts. The activity highlights a sophisticated approach to bypassing traditional security measures and maintaining stealth within affected environments.
Darktrace observed unusual login activity beginning in March 2025, with multiple incidents in May, including logins from VPS-linked addresses simultaneous with legitimate user activity in different locations. Token claims on the attackers' sessions showed multifactor authentication as satisfied; the actors then created mailbox rules with vague names, deleted phishing emails, changed recovery settings, and sent spam messages. Additional indicators included DNS requests to rapidly changing domains and installation of Splashtop remote access software on a domain controller. Insikt Group analysed the indicators of compromise (IOCs), prioritising VPS and hosting provider IPs linked to phishing and suspicious logins as primary entities, while consumer ISP addresses and common VPN exit nodes were classified as related entities.
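Two of the indicators above translate directly into detection logic: a sign-in whose source ASN belongs to a hosting/VPS provider, and two sign-ins for one user from different countries within a short window. The following is an added example for this digest, not Darktrace's detection; the sign-in events are constructed, the provider names come from the paragraph above, and matching them against an `asn_org` field is an assumption about the log schema.

```python
from datetime import datetime, timedelta

# Provider names taken from the reporting above; lower-cased for matching.
HOSTING_PROVIDERS = {"hivelocity", "host universal", "hyonix", "mevspace"}

# Constructed sign-in events (not real telemetry).
EVENTS = [
    {"user": "alice", "ts": "2025-05-12T09:02:11", "ip": "198.51.100.7", "country": "GB", "asn_org": "Example Broadband"},
    {"user": "alice", "ts": "2025-05-12T09:05:40", "ip": "203.0.113.55", "country": "US", "asn_org": "Hyonix"},
    {"user": "bob",   "ts": "2025-05-12T10:15:00", "ip": "192.0.2.20",   "country": "GB", "asn_org": "Example Broadband"},
    {"user": "bob",   "ts": "2025-05-12T16:30:00", "ip": "192.0.2.21",   "country": "GB", "asn_org": "Example Broadband"},
    {"user": "carol", "ts": "2025-05-13T08:00:00", "ip": "203.0.113.90", "country": "NL", "asn_org": "Mevspace"},
]


def find_suspicious_logins(events, window=timedelta(minutes=30)):
    """Return sorted (user, reason, ip) tuples for sign-ins from hosting ASNs
    and for near-simultaneous sign-ins by one user from two countries."""
    alerts = set()
    seen_by_user = {}
    for raw in events:
        event = dict(raw, t=datetime.fromisoformat(raw["ts"]))
        if event["asn_org"].lower() in HOSTING_PROVIDERS:
            alerts.add((event["user"], "vps_asn_login", event["ip"]))
        for prev in seen_by_user.get(event["user"], []):
            if abs(event["t"] - prev["t"]) <= window and event["country"] != prev["country"]:
                # Both sides of the overlap are worth reviewing: one is the legitimate
                # session the attacker ran alongside.
                alerts.add((event["user"], "concurrent_multi_country", event["ip"]))
                alerts.add((event["user"], "concurrent_multi_country", prev["ip"]))
        seen_by_user.setdefault(event["user"], []).append(event)
    return sorted(alerts)


def is_vague_rule_name(name: str) -> bool:
    """Heuristic for the terse, meaningless inbox-rule names reported above."""
    stripped = name.strip()
    return len(stripped) <= 2 or not any(ch.isalnum() for ch in stripped)


if __name__ == "__main__":
    for alert in find_suspicious_logins(EVENTS):
        print(alert)
```

The 30-minute window and the country comparison are deliberately coarse; in practice you would pair the hosting-ASN match with a follow-on query for inbox-rule creation and recovery-setting changes by the same account, which is the sequence the report describes.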
General News
H1 2025 Malware and Vulnerability Trends - The first half of 2025 (H1 2025) highlighted a rapidly evolving threat landscape characterised by the combination of persistent legacy threats and advanced new tactics. Disclosed CVEs increased by 16% compared to H1 2024, with threat actors actively exploiting 161 vulnerabilities, nearly half of which were linked to malware or ransomware campaigns. Microsoft products remained the most targeted, while edge security and gateway devices were frequently exploited for initial access. Malware trends shifted from dedicated information stealers toward more versatile remote access trojans (RATs) such as AsyncRAT, XWorm, and Remcos, which combine data theft with persistent access. Legacy malware like Sality also saw a resurgence, demonstrating that older tools still provide value for modern attackers.
Mobile malware threats continued to expand, particularly in the financial sector. Android banking trojans adopted virtualisation-based overlays and near-field communication (NFC) relay attacks to bypass defences and facilitate real-world financial fraud. Ransomware actors increasingly relied on affiliate-driven models, providing ready-made payloads and infrastructure while introducing stealth techniques, including protected payloads and novel loaders to evade detection. Magecart campaigns also evolved, using multi-stage infection chains and sophisticated obfuscation to inject malicious scripts at critical moments, such as during checkout, reflecting a trend toward modular, evasive attacks across web and payment ecosystems.
Overall, H1 2025 underscored a fragmented and expanding threat environment, where both novel and legacy tools are leveraged across diverse attack surfaces. Key observations include attackers’ preference for low-friction, high-impact exploits, with state-sponsored actors quickly weaponising vulnerabilities, and ransomware tactics emphasising persistent access, encryption, and exfiltration. Mobile threats grew in sophistication, while NFC-based contactless payment fraud emerged as a rising risk. Organisations are advised to prioritise patching of internet-facing systems, enhance behavioural and C2 monitoring, strengthen mobile security policies, and invest in threat intelligence to keep pace with evolving tactics such as malware repackaging and advanced evasion techniques.
Google to Verify All Android Developers in 4 Countries to Block Malicious Apps - Google has announced plans to verify the identity of all developers who distribute Android apps, including those distributing outside the Play Store. Starting gradually in October 2025 and expanding to all developers by March 2026, the new verification requirements will take effect in September 2026 in Brazil, Indonesia, Singapore, and Thailand. The goal is to ensure that apps installed on certified Android devices come from verified developers, making it harder for malicious actors to quickly distribute harmful apps after previous ones are removed.
The verification process will not significantly impact developers distributing through the Google Play Store, as they typically already meet the requirements through the existing Play Console process. Google is also preparing a separate console for student and hobbyist developers. These changes aim to prevent impersonation of legitimate developers and the distribution of fake apps via third-party marketplaces, where sideloading risks remain a concern. This mandate complements existing security measures in countries like Singapore, Thailand, Brazil, and India that block potentially dangerous sideloaded apps.
Google emphasises that this new verification layer strengthens user security while maintaining user choice. It builds on previous measures, such as requiring new organisation accounts to provide a D-U-N-S number for added trust. The move also comes amid broader potential reforms to the Play Store ecosystem, including the possibility of distributing competing app stores and providing rivals with access to its app catalogue, following antitrust rulings like the 2020 Epic Games lawsuit. The initiative reflects Google’s effort to establish a consistent baseline of developer accountability across Android while combating malware and scams.
Weak Passwords and Compromised Accounts: The Alarming Rise in Password Cracking Success - The Picus Security Blue Report 2025 highlights that despite widespread awareness of advanced cyber threats, the most effective attacks still rely on compromised credentials and cracked passwords. Empirical data from over 160 million attack simulations shows that password cracking succeeded in 46% of tested environments in the first half of 2025, nearly doubling the rate from the previous year. Weak passwords and outdated hashing algorithms continue to leave critical systems vulnerable, and organisations’ focus on sophisticated new threats often comes at the expense of enforcing basic password hygiene and modern authentication practices.
The report identifies valid accounts (MITRE ATT&CK T1078) as the most exploited attack vector, with attackers leveraging compromised credentials to move laterally, escalate privileges, and infiltrate critical systems undetected. Infostealers and ransomware groups frequently rely on these accounts to maintain long dwell times and exfiltrate sensitive data while bypassing traditional perimeter defences. Survey results showed that 46% of environments had at least one password hash cracked and converted to cleartext, underscoring the failure of many organisations to secure internal accounts with adequate controls, multi-factor authentication (MFA), or robust password policies.
To strengthen defences against credential abuse, organisations must enforce complex password requirements, eliminate outdated hashing methods, and implement MFA for all sensitive accounts. Regular validation of credential defences through simulated attacks is critical for identifying vulnerabilities, while enhanced behavioural monitoring and data loss prevention (DLP) measures help detect and mitigate malicious activity. The Blue Report 2025 demonstrates that while perimeter defences remain important, a stronger focus on identity security, credential validation, and internal controls is essential to mitigate one of the most pervasive and impactful cyber threats facing organisations today.
Threat Actor Weekly Graph
Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.
Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.
Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.
Both intent and opportunity are scored out of 100 and are responsible for scoring the group's severity. These updates can be seen below.
● Limited Severity | ● Basic Severity | ● Moderate Severity | ● High Severity

Threat Actor | Severity Increase (before → after) | Opportunity (before → after) | Intent (before → after)
---|---|---|---
Berserk Bear | NEW → ● High | NEW → ● 78 | NEW → ● 25
MURKY PANDA | NEW → ● Basic | NEW → ● 40 | NEW → ● 25
jamalunga | NEW → ● Basic | NEW → ● 30 | NEW → ● 25
cnkjasdfgd | ● Basic → ● Basic | ● 25 → ● 25 | ● 5 → ● 31
MrHamza | ● Basic → ● Basic | ● 30 → ● 30 | ● 5 → ● 26
Global Trends Powered by Recorded Future
Within each category, we have provided the current top five globally trending items. Each item is linked to how actively trending it is and is marked with a small symbol.
The spikes in references are calculated over 60 days and are normalised to ensure they aren't disproportionate when compared to bigger entities that will naturally have more baseline mentions.
▲ Spike – This indicates a large increase in reporting volume and a high diversity in the event descriptions.
▲ Rise – This indicates a small increase in reporting volume with little diversity in the descriptions.
Attackers | Methods | Vulnerabilities | Targets
---|---|---|---
UNC6384 ▲ | PlugX ▲ | CVE-2025-7775 ▲ | Farmers Insurance Group ▲
HAFNIUM (Silk Typhoon) ▲ | Adversary-in-the-Middle ▲ | CVE-2025-43300 ▲ | Nissan Motor ▲
RedDelta ▲ | Safepay Ransomware ▲ | CVE-2025-5419 ▲ | Healthcare Services Group ▲
APT36 ▲ | INC Ransomware ▲ | CVE-2025-48384 ▲ | Zurich Insurance ▲
Cyber Partisans ▲ | T1078 (Valid Accounts) ▲ | CVE-2025-9074 ▲ | Nevada State Government ▲
Prominent Information Security Events
TA-NATALSTATUS Uses Redis Misconfigurations and Employs Rootkit-like Techniques in Global Cryptojacking Campaign Targeting Exposed Servers
Source: Insikt Group | Validated Intelligence Event
IOC: Domain - en2an[.]top
IOC: IP - 79[.]137[.]195[.]151
IOC: SHA256 - 254d0672515295890354a58cb6f83758e8eceee9bb5b7c5be08813496e59f24a
On August 21, 2025, CloudSEK released a report detailing TA-NATALSTATUS, a previously undocumented cryptojacking threat actor active since at least 2020. The group has consistently targeted exposed Redis servers across the United States, Europe, Russia, India, and the Asia-Pacific region. While initially focused on deploying commodity cryptominer infections, TA-NATALSTATUS has evolved into a more sophisticated and stealthy operation, gradually shifting toward infrastructure takeover campaigns designed for long-term persistence.
TA-NATALSTATUS gains access by scanning for unauthenticated Redis servers exposed on port 6379 and running with root privileges. By abusing legitimate Redis commands such as CONFIG SET, SET, and SAVE, the actor is able to write malicious cron jobs and inherit root access without traditional privilege escalation. Once inside, the malware suite disables SELinux and firewall protections, conceals its presence by renaming binaries, and blocks the Redis port to prevent competing threats from exploiting the same server. It also kills off rival cryptomining processes, adds SSH keys for persistence, and locks critical files with chattr +i to resist tampering. An update script (nnt.sh) serves as a “dead man’s switch,” reinstalling the malware if any of its components are removed.
Beyond persistence, the group prepares compromised systems for further operations using dedicated scripts. The is.sh script ensures that scanning tools like masscan and pnscan are installed or compiled, enabling large-scale scanning from each infected host. Another script, rs.sh, leverages masscan shard to split scanning tasks across the botnet, assigning portions of the IPv4 address space to discover new Redis servers for infection. Despite its aggressive infrastructure control, TA-NATALSTATUS operations appear to remain focused on cryptojacking, with no signs of data theft or lateral movement outside Redis environments.
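The access pattern described in the Potential Threats summary and in the event above (unauthenticated Redis reachable on 6379, `CONFIG SET`/`SET`/`SAVE` used to drop a cron job) comes down to a handful of `redis.conf` directives. The following audit is an added example written for this digest, not CloudSEK's or the Redis project's code; both config excerpts are constructed, and the list of sensitive directories and the rule that `CONFIG` should be renamed away are this example's own hardening baseline.

```python
# Constructed redis.conf excerpts (not from the CloudSEK report): one matching
# the exposure pattern described above, and one hardened against it.
EXPOSED_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
dir /var/spool/cron/crontabs
dbfilename root
"""

HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass REPLACE_WITH_LONG_RANDOM_SECRET
dir /var/lib/redis
dbfilename dump.rdb
rename-command CONFIG ""
rename-command SAVE ""
"""

WILDCARD_BINDS = {"0.0.0.0", "*", "::"}
# Directories where a SAVE of attacker-controlled keys turns into code or
# credentials on disk (cron spools, SSH keys, home directories).
SENSITIVE_DIRS = ("/etc/cron", "/var/spool/cron", "/root/.ssh", "/home", "/etc")


def parse_redis_conf(text: str) -> dict:
    """Map each directive to the list of its values (directives may repeat)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), []).append(value.strip())
    return conf


def audit_redis_conf(text: str) -> list:
    """Return sorted finding codes for the weaknesses the campaign above relies on."""
    conf = parse_redis_conf(text)
    findings = []

    # Redis 'bind' tokens may carry a leading '-' (optional address); strip it.
    binds = [b.lstrip("-") for b in " ".join(conf.get("bind", [])).split()]
    if not binds or any(b in WILDCARD_BINDS for b in binds):
        findings.append("bind_all_interfaces")

    if conf.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("protected_mode_off")

    if not any(conf.get("requirepass", [""])):
        findings.append("no_requirepass")

    data_dir = conf.get("dir", ["/var/lib/redis"])[-1]
    if data_dir.startswith(SENSITIVE_DIRS):
        findings.append("dir_is_sensitive_path")

    if not conf.get("dbfilename", ["dump.rdb"])[-1].endswith(".rdb"):
        findings.append("dbfilename_not_rdb")

    renamed = {v.split()[0].upper() for v in conf.get("rename-command", [])}
    if "CONFIG" not in renamed:
        findings.append("config_command_exposed")

    return sorted(findings)


if __name__ == "__main__":
    print("exposed :", audit_redis_conf(EXPOSED_CONF))
    print("hardened:", audit_redis_conf(HARDENED_CONF))
```

On a live host the same checks can be run against `CONFIG GET` output instead of the file; a `dir` or `dbfilename` that has drifted from the configured value is itself a sign that the write-to-disk trick has already been used, since the actor changes them at runtime rather than on disk. Running Redis as an unprivileged user removes the root inheritance the report describes even if the other checks fail.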
Threat Actors Use UpCrypter Malware in Ongoing Phishing Campaign Targeting Multiple Industries
Source: Insikt Group | Validated Intelligence Event
IOC: SHA256 - a5fe77344a239af14c87336c65e75e59b69a59f3420bd049da8e8fd0447af235
IOC: Domain - capitalestates[.]es
IOC: URL - power-builders[.]net/vn/v[.]php
Fortinet has identified an ongoing phishing campaign, first reported on August 25, 2025, in which attackers are using UpCrypter malware to target a wide range of industries such as manufacturing, technology, healthcare, construction, retail, and hospitality. UpCrypter functions as a loader designed to deploy multiple remote access trojans (RATs), giving attackers extensive control over compromised systems. The identity of the actors behind the campaign remains unknown, but the global scale of the operation underscores its seriousness.
The attack chain begins with phishing emails disguised as voicemail notifications or purchase orders. These messages include malicious HTML attachments that, when opened, redirect victims to spoofed websites crafted to appear legitimate by using company-specific domains and logos. Victims are then tricked into downloading ZIP files containing heavily obfuscated JavaScript droppers. Once executed, these droppers launch PowerShell commands that install the UpCrypter malware, beginning the infection process.
After deployment, UpCrypter secures persistence and conducts anti-analysis checks to avoid detection. It then fetches and executes additional malicious payloads, most notably RATs such as PureHVNC, DCRat, and Babylon RAT. These tools enable attackers to gain full remote access, monitor activity, and exfiltrate sensitive data from victim environments. The campaign’s use of multiple RATs, combined with sophisticated phishing and obfuscation techniques, highlights its capability to compromise critical sectors on a large scale.
Remediation Actions
Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable:
- CVE-2025-7775: Upgrade NetScaler ADC and NetScaler Gateway to the fixed versions (14.1-47.48, 13.1-59.22, 13.1-FIPS/NDcPP 13.1-37.241, or 12.1-FIPS/NDcPP 12.1-55.330 and later).
- CVE-2025-8592: Update the Inspiro theme to version 2.1.3 or later, review installed plugins for unauthorised additions, and enforce strong admin session controls to prevent CSRF exploitation.
- CVE-2018-0171: Upgrade affected Cisco IOS and IOS XE devices to fixed versions, disable Smart Install if not required, enforce strong SNMP community strings, and monitor for unauthorised configuration changes.
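Deciding whether a given NetScaler build is covered by the CVE-2025-7775 fix means comparing it against the fixed build for its own branch, and the FIPS/NDcPP branches have different fixed builds from the standard ones. The following is an added example for this digest, not Citrix tooling; the fixed builds are exactly those listed in the remediation item above, and any branch or variant not listed there returns `None`, which a caller should treat as unpatched rather than as a pass.

```python
import re

# Fixed builds as listed in the remediation item above for CVE-2025-7775.
# Key: (branch, is_fips_or_ndcpp). Branches not listed return None.
FIXED_BUILDS = {
    ("14.1", False): "14.1-47.48",
    ("13.1", False): "13.1-59.22",
    ("13.1", True): "13.1-37.241",   # 13.1-FIPS / NDcPP
    ("12.1", True): "12.1-55.330",   # 12.1-FIPS / NDcPP
}


def parse_build(version: str) -> tuple:
    """Turn a build string like '14.1-47.48' into a comparable tuple of ints."""
    m = re.fullmatch(r"(\d+)\.(\d+)-(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version: str, fips_or_ndcpp: bool = False):
    """True if the build is at or above its branch's fixed build, False if older,
    None if the remediation list names no fix for that branch/variant."""
    build = parse_build(version)
    branch = f"{build[0]}.{build[1]}"
    fixed = FIXED_BUILDS.get((branch, fips_or_ndcpp))
    if fixed is None:
        return None
    return build >= parse_build(fixed)


def triage(inventory):
    """Summarise a list of (hostname, build, fips_flag) tuples into action buckets."""
    buckets = {"patched": [], "upgrade": [], "no_fix_listed": []}
    for host, build, fips in inventory:
        verdict = is_patched(build, fips)
        key = "patched" if verdict else "no_fix_listed" if verdict is None else "upgrade"
        buckets[key].append(host)
    return buckets


if __name__ == "__main__":
    # Constructed inventory (not real hosts).
    sample = [("ns-edge-1", "14.1-47.46", False),
              ("ns-edge-2", "13.1-59.22", False),
              ("ns-fips-1", "13.1-37.241", True),
              ("ns-old-1", "13.0-92.21", False)]
    print(triage(sample))
```

The `None` bucket is the important one operationally: a branch with no listed fix cannot be made safe by upgrading within that branch, so those hosts need a migration plan rather than a patch ticket.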
If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.