Cyber Threat Intelligence Digest: Week 28

16th July 2025 - Threat Reports
  • Vulnerabilities
  • Potential Threats
  • General News
  • Threat Actor Weekly Graph
  • Global Trends Powered by Recorded Future
  • Prominent Information Security Events
  • Remediation Actions

Executive Summary - Highlights of Cyber Threat Intelligence Digest

Vulnerabilities

Threat Actors Exploit CVE-2025-47812 in Wing FTP to Execute Commands via Null Byte Injection - On July 10, 2025, Huntress reported that CVE-2025-47812, a critical remote code execution flaw in Wing FTP Server (versions before 7.4.4), was being actively exploited.

The vulnerability lets unauthenticated attackers gain root or SYSTEM-level access by injecting Lua code through a null byte in the username field. Attackers exploited this by sending crafted login requests, causing the server to execute malicious commands when session data was later deserialised. This vulnerability poses a serious threat due to the ease of exploitation and the high level of access it grants without requiring authentication. This type of attack can be used to gain full control of the underlying system, exfiltrate sensitive data, deploy malware, or establish persistent backdoors.

CVE-2025-25257, a Critical SQL Injection Vulnerability in Fortinet FortiWeb's Fabric Connector - On July 11, 2025, cybersecurity firm watchTowr disclosed a critical SQL injection vulnerability (CVE-2025-25257) affecting the Fabric Connector component of Fortinet FortiWeb. This flaw allows remote, unauthenticated attackers to send specially crafted HTTP or HTTPS requests to execute SQL commands, potentially leading to remote code execution (RCE).

The vulnerability lies in the get_fabric_user_by_token function, which is used for authentication between Fortinet products, making it a valuable attack vector for gaining unauthorised access to systems integrated within the Fortinet ecosystem.

The vulnerability affects multiple FortiWeb versions: 7.6.0 to 7.6.3, 7.4.0 to 7.4.7, 7.2.0 to 7.2.10, and 7.0.0 to 7.0.10.

CVE-2025-5777, a Critical Pre-Auth Memory Disclosure Vulnerability in NetScaler ADC and Gateway - On July 11, 2025, The Record and Akamai Security Intelligence Group reported details on CVE-2025-5777, a critical memory disclosure vulnerability affecting Citrix NetScaler ADC and Gateway devices dubbed "Citrix Bleed 2." Originally disclosed by Citrix on June 17, 2025, the flaw is now under active exploitation in the wild. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) Catalogue on July 10, highlighting its severity. The issue affects multiple versions of NetScaler, including several End-of-Life releases, putting numerous systems at risk.

The vulnerability arises from improper memory initialisation in the HTTP POST login handler on appliances configured as Gateway or AAA virtual servers. When exploited, attackers can extract valid session tokens from memory, allowing them to hijack authenticated user sessions—even those protected by multi-factor authentication (MFA). Due to the high risk of unauthorised access, CISA issued an emergency directive requiring federal agencies to patch vulnerable systems within 24 hours of the KEV listing.

Potential Threats

Indian-Linked DoNot APT Group Uses Spearphishing to Deploy LoptikMod in Cyberespionage Campaign Targeting European Foreign Affairs Ministry - On July 8, 2025, cybersecurity firm Trellix reported that the Indian-linked DoNot (APT-C-35) group launched a cyberespionage campaign targeting an unnamed European foreign affairs ministry.

The group used spearphishing emails masquerading as messages from European defence officials to trick recipients into downloading LoptikMod malware. This malware, used exclusively by DoNot since 2018, is designed to maintain persistent access to diplomatic networks and steal sensitive data, including communications and multi-factor authentication (MFA) credentials.

The phishing emails contained a Google Drive link leading to a malicious RAR archive named SyClrLtr.rar, which included an executable (notflog[.]exe) disguised as a PDF. When launched, the malware secretly collects key system metadata such as the CPU model, operating system details, username, hostname, and ProcessorID. This information-gathering step is part of the malware's effort to map the target environment and facilitate further exploitation and data exfiltration.

New Remcos RAT v7.0 Unveiled With Upgraded Capabilities - On July 8, 2025, BreakingSecurity released Remcos v7.0, describing it as "the most advanced and refined edition to date".

Remcos is a commercial remote administration tool (RAT) commonly abused by cybercriminals for unauthorised control and surveillance of Windows systems.

Per BreakingSecurity, Remcos v7.0 introduces major technology improvements, performance upgrades, improved diagnostics, stronger system integration, and enhanced usability specific for remote administration, red teaming, and enterprise endpoint control.

Qilin Ransomware Group Expands Global Reach with Rust-Based Payloads and Affiliate Customisation - On July 10, 2025, Cyberint released an analysis of the Qilin Ransomware Group, detailing the group's broad operations targeting industries across multiple countries, including the U.S., U.K., France, Japan, and others. Qilin uses a Rust-based variant of Agenda ransomware, which is capable of infecting both Windows and ESXi systems, increasing its versatility and effectiveness in large-scale attacks.

One notable case involved a July 1, 2025 attack on a U.S. financial advisory firm, where Qilin reportedly stole around 340 GB of sensitive data, including client records, internal emails, and financial documents.

The group typically initiates breaches through phishing emails containing malicious links to infiltrate networks. Cyberint's report underscores the group's growing threat across global sectors and highlights the critical need for organisations to strengthen their email security and incident response capabilities.

General News

UK launches vulnerability research program for external experts - The UK's National Cyber Security Centre (NCSC) has announced the launch of a new Vulnerability Research Initiative (VRI) aimed at enhancing collaboration with the broader cybersecurity community. While the NCSC already conducts internal research into vulnerabilities across various technologies, the VRI will run alongside this work, providing a structured program to accelerate the discovery and sharing of critical security findings.

Through the VRI, the NCSC will work closely with external vulnerability researchers, assigning them specific objectives such as identifying flaws in targeted products, evaluating mitigation strategies, and responsibly disclosing vulnerabilities via the agency's Equities Process. This structured partnership is intended to boost the UK's ability to proactively address cyber threats, particularly those affecting critical infrastructure, businesses, government systems, and citizens.

As part of the initiative, participating researchers will also be required to submit detailed reports on the tools and methodologies used during their investigations. This will help the NCSC build a knowledge base of best practices for vulnerability research. The agency also plans to involve experts in emerging fields, including AI-driven vulnerability discovery, to stay ahead of rapidly evolving cyber threats.

Qantas confirms personal data of over a million customers leaked in breach - On July 9, 2025, Qantas Airways revealed that over one million customers had sensitive personal data, including phone numbers, birth dates, or home addresses, accessed in a major cybersecurity breach, marking one of the most significant cyber incidents in Australia in recent years. In addition, another four million customers had their names and email addresses compromised during the same attack.

Qantas clarified that the affected data came from a breached database originally believed to contain six million records. However, after removing duplicates, the airline confirmed that 5.7 million unique customer records were exposed. The company had disclosed the breach the previous week, but only now detailed the scale and nature of the compromised information.

This breach is considered Australia's most high-profile cyberattack since major incidents targeting Optus and Medibank in 2022. Those earlier breaches led to the implementation of mandatory cyber resilience laws, underscoring the growing urgency for stronger cybersecurity protections across critical sectors like aviation, telecommunications, and healthcare.

Infostealers Actively Attacking macOS Users in The Wild to Steal Sensitive Data - The cybersecurity landscape is experiencing a sharp increase in macOS-targeted information-stealing malware, signalling a notable shift from the historically Windows-dominated threat environment. This trend reflects the growing recognition among cybercriminals that macOS is no longer a niche platform, especially in enterprise settings where Apple devices are increasingly used.

These emerging macOS infostealers are highly sophisticated, designed to harvest sensitive data such as browser credentials, cookies, and autofill information. Such data can be exploited by ransomware operators and initial access brokers to facilitate further attacks, including network infiltration and data extortion. The level of precision and targeting is unprecedented for macOS, highlighting a maturing threat landscape.

The rise of these threats is a strategic response to the broader adoption of Apple systems in corporate environments. Unlike typical Windows malware, these macOS-specific strains utilise platform-specific attack techniques to evade traditional detection and defence mechanisms. This development underscores the urgent need for organisations to strengthen macOS-focused cybersecurity strategies and update endpoint protection tools accordingly.

Threat Actor Weekly Graph

Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.

Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.

Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.

Both intent and opportunity are scored out of 100 and are responsible for scoring the group's severity. These updates can be seen below.

Severity legend: Limited Severity | Basic Severity | Moderate Severity | High Severity

Threat Actor                    Severity (previous → current)   Opportunity (previous → current)   Intent (previous → current)
BlueDelta                       High → High                     86 → 87                            25 → 25
D4rk 4rmy Ransomware Group      NEW → Basic                     NEW → 25                           NEW → 35
RebornVC Ransomware Group       NEW → Basic                     NEW → 25                           NEW → 30
TGR-CRI-0045                    NEW → Basic                     NEW → 30                           NEW → 25
Global Ransomware Group         Basic → Basic                   30 → 40                            31 → 31

Global Trends Powered by Recorded Future

Within each category, we have provided the current top five globally trending items. Each item is linked to how actively trending it is and is marked with a small symbol.

The spikes in references are calculated over 60 days and are normalised to ensure they aren't disproportionate when compared to bigger entities that will naturally have more baseline mentions.

- Spike – This indicates a large increase in reporting volume and a high diversity in the event descriptions.
- Rise – This indicates a small increase in reporting volume with little diversity in the descriptions.

Attackers                          Methods                Vulnerabilities                 Targets
RedMike                            Supply Chain Attack    CVE-2025-6558                   Big One
Lynx Ransomware Group              Lynx Ransomware        CVE-2025-47812                  Elmo
Dragon Force Group                 Nitrogen Ransomware    CVE-2025-33073                  Ministry of Defence (United Kingdom)
Anonymous                          Exploit                CVE-2023-4966 (Citrix Bleed)    X
Qilin (Agenda) Ransomware Group    Sarcoma Ransomware     CVE-2025-6965                   COOP Group

Prominent Information Security Events

Threat Actors Exploit CVE-2025-47812 in Wing FTP to Execute Commands via Null Byte Injection

Source: Insikt Group | Validated Intelligence Event

IOC: IP – 223[.]160[.]131[.]104 

IOC: SHA256 – f0fcc638cd93bdd6fb4745d75b491395a7a1b2cb08e0153a2eb417cb2f58d8ac 

IOC: SHA256 – c637ec00bd22da4539ec6def89cd9f7196a303d17632b1131a89d65e4f5698f4

IOC: CVE-2025-47812

On July 10, 2025, Huntress reported active exploitation of CVE-2025-47812, a critical remote code execution vulnerability in Wing FTP Server. The flaw affects versions prior to 7.4.4 and allows unauthenticated threat actors to execute system commands with root or SYSTEM privileges by injecting Lua code through a null byte in the username field of the web interface. Huntress observed exploitation activity on July 1, 2025, involving multiple IP addresses and attempts to download and execute malicious payloads. Censys identified more than 5,000 internet-facing Wing FTP Server instances with exposed web interfaces, including deployments in China, Germany, India, the UK, and the US.

Threat actors initiated the attack by sending crafted login requests to loginok.html, using null bytes to disrupt input parsing and inject Lua code into session files. When users accessed other pages, such as dir[.]html, the server deserialised the modified session data and executed embedded commands. Huntress identified Lua functions that decoded hex-encoded payloads using certutil and curl. Threat actors conducted system reconnaissance and created new user accounts. They attempted to install ScreenConnect by dropping a Lua-based installer, but Huntress found no evidence that the installation occurred. Soon after, the Wing FTP service (WFTPServer.exe) crashed during execution of the malicious session data.

Microsoft Defender identified one of the payloads as Ceprolad and blocked its execution. Huntress linked the activity to oversized session files and malformed username entries in domain logs, which served as forensic evidence of the Lua injection process.
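
The two forensic artefacts Huntress points to, malformed usernames in the domain logs and oversized session files, lend themselves to simple triage checks; the Python below is example code added for this digest, not Huntress's or Wing FTP's own tooling. The log line layout, the list of Lua markers and the session size threshold are all assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample login lines; this layout is an assumption, not Wing FTP's documented log format.
SAMPLE_LOG = (
    '2025-07-01 10:12:03 [203.0.113.5] LOGIN user="alice" result=OK\n'
    '2025-07-01 10:13:44 [203.0.113.9] LOGIN user="svc.backup" result=FAIL\n'
    '2025-07-01 10:15:19 [198.51.100.7] LOGIN user="anonymous\x00]]os.execute(\'<cmd>\')--" result=OK\n'
    '2025-07-01 10:16:02 [198.51.100.7] LOGIN user="guest%00]]" result=OK\n'
)

USER_RE = re.compile(r'user="(?P<user>.*?)"\s+result=')

# Heuristic markers (assumption): a null byte in raw, escaped or URL-encoded form,
# a Lua long-string terminator, and Lua execution primitives that should never appear in a username.
MARKERS = {
    "null-byte": re.compile(r"\x00|\\x00|%00"),
    "lua-string-break": re.compile(r"\]\]"),
    "lua-exec-call": re.compile(r"\b(os\.execute|io\.popen|loadstring|dofile)\b"),
}


def flag_usernames(log_text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_number, username, reasons) for each login line whose username
    carries one or more markers; clean lines produce nothing."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        match = USER_RE.search(line)
        if not match:
            continue
        user = match.group("user")
        reasons = [name for name, rx in MARKERS.items() if rx.search(user)]
        if reasons:
            hits.append((line_no, user, reasons))
    return hits


def flag_oversized_sessions(sizes: Dict[str, int], threshold: int = 4096) -> List[str]:
    """Second artefact: session files far larger than a normal session record.
    Takes {filename: size_in_bytes}; the 4 KiB threshold is a tuning assumption."""
    return sorted(name for name, size in sizes.items() if size > threshold)


if __name__ == "__main__":
    for line_no, user, reasons in flag_usernames(SAMPLE_LOG):
        print(f"line {line_no}: {user!r} -> {', '.join(reasons)}")
    # Constructed sizes standing in for a directory listing of the session store.
    print(flag_oversized_sessions({"sess_a.lua": 812, "sess_b.lua": 90_000}))
```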

Indian-Linked DoNot APT Group Uses Spearphishing to Deploy LoptikMod in Cyberespionage Campaign Targeting European Foreign Affairs Ministry

Source: Insikt Group | Validated Intelligence Event

IOC: IP – 64[.]52[.]80[.]252

IOC: SHA256 – 5317f22c60a4e08c4caa28bc84f653b1902fa082d2d1d7fcf2cd0ce1d29798d6

IOC: SHA256 – 4d036e0a517774ba8bd31df522a8d9e327202548a5753e5de068190582758680

IOC: Domain –  totalservices[.]info

On July 8, 2025, Trellix reported that the Indian-linked DoNot (APT-C-35) state-sponsored group targeted an unspecified European foreign affairs ministry in a cyberespionage campaign. DoNot used spearphishing emails impersonating European defence officials with diplomatic themes such as "Italian Defence Attaché Visit to Dhaka, Bangladesh", leading to the deployment of LoptikMod malware. LoptikMod has been used exclusively by the group since 2018 for establishing persistent access to diplomatic networks and exfiltrating sensitive information, including communications and multi-factor authentication (MFA) credentials.

The spearphishing email contains a Google Drive link directing to a malicious archive, SyClrLtr.rar. The archive includes an executable file, notflog[.]exe, disguised as a PDF document. When executed, this file drops a batch script (djkggosj.bat) into the %TEMP% directory and creates a scheduled task (PerformTaskMaintain) for persistence. Static analysis of notflog[.]exe reveals the string "Loptik", a known indicator of LoptikMod.

LoptikMod employs obfuscated binary-encoded strings, minimal import tables, dynamic application programming interface (API) resolution, and anti-virtual machine (VM) techniques to evade detection. Upon execution, the malware collects system metadata, including CPU model, operating system information, username, hostname, and ProcessorID. It encrypts the data with Advanced Encryption Standard (AES), encodes it in base64, and transmits the output via an HTTPS POST request to the command-and-control (C2) server totalservices[.]info to establish communication and execute further commands. Based on the server response, LoptikMod downloads a secondary payload, socker.dll, to the local application directory. It then drops an additional batch script (sfs.bat) that creates a scheduled task (MicorsoftVelocity) to run the DLL's export function, enabling persistent access and data exfiltration.

Remediation Actions

Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable:

  • CVE-2025-47812: Organisations using vulnerable versions of Wing FTP Server are strongly urged to update to version 7.4.4 or later to mitigate the risk.

  • CVE-2025-25257: Since the issue allows for potentially full system compromise, organisations using impacted versions are strongly advised to upgrade to the patched releases — 7.6.4, 7.4.8, 7.2.11, or 7.0.11 — to mitigate the risk. 

  • CVE-2025-5777: To mitigate the threat, organisations should upgrade to the latest secure NetScaler versions: 14.1-43.56 or later, 13.1-58.32 or later, 13.1-FIPS/NDcPP 13.1-37.235 or later, and 12.1-FIPS 12.1-55.328 or later. Additionally, administrators should terminate all active ICA and PCoIP sessions to ensure any stolen session tokens are invalidated, preventing further session hijacking. Prompt remediation is essential to protect sensitive systems from ongoing exploitation.

If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.