Cyber Threat Intelligence Digest: Week 29

23rd July 2025 - Threat Reports
  • Vulnerabilities
  • Potential Threats
  • General News
  • Threat Actor Weekly Graph
  • Global Trends Powered by Recorded Future
  • Prominent Information Security Events
  • Remediation Actions

Executive Summary - Highlights of Cyber Threat Intelligence Digest

Vulnerabilities

ToolShell Exploit Chain in Microsoft SharePoint (CVE-2025-53770/53771) Enables RCE, Data Theft, and Credential Compromise - On July 18, 2025, cybersecurity firm Eye Security published an analysis detailing an active mass exploitation campaign targeting on-premises Microsoft SharePoint servers using ToolShell, a zero-day exploit chain combining CVE-2025-53770 and CVE-2025-53771. While the exact number of compromised servers remains unclear, the attacks have likely affected thousands of small and medium-sized businesses that rely on the software. The Washington Post reported that the breaches have already affected “at least two” US federal agencies, as well as universities and energy companies. If successful, ToolShell gives threat actors SharePoint's cryptographic machine keys (the ValidationKey and DecryptionKey), which means they can re-enter the server even after patches are applied unless those keys are rotated. SharePoint is often linked to Outlook, Teams, and OneDrive; a SharePoint compromise can thus enable access to email, files, and collaboration data across the network.

Threat Actors Exploit CVE-2025-0282 and CVE-2025-22457 to Deliver MDifyLoader with Cobalt Strike Beacon, Fscan, and vshell - On July 18, 2025, JPCERT/CC published an analysis detailing active exploitation of CVE-2025-0282 and CVE-2025-22457, two critical stack-based buffer overflow vulnerabilities affecting Ivanti Connect Secure (ICS), Ivanti Policy Secure, and ZTA Gateways. According to JPCERT/CC, the campaign, active since December 2024, exploits these vulnerabilities to gain initial access and subsequently deploys MDifyLoader with Cobalt Strike Beacon, the Go-based remote access trojan (RAT) vshell, and the Go-based network scanner Fscan.

Based on JPCERT/CC’s analysis, after gaining access to the internal network of target organisations, threat actors use legitimate binaries, such as the Java Remote Method Invocation (RMI) Compiler (rmic.exe), “push_detect.exe”, and the Python interpreter (python.exe), to sideload MDifyLoader and a trojanised “python311.dll”. According to JPCERT/CC, MDifyLoader contains junk code and misleading function references to hinder reverse engineering and evade automated analysis. Also, the trojanised python311.dll patches ntdll.dll to disable Event Tracing for Windows (ETW), blinding ETW-based telemetry on the host.

Threat Actors Exploit CVE-2021-41773 in Apache HTTP Server to Deploy Linuxsys Cryptominer - On July 17, 2025, VulnCheck reported that unidentified threat actors are exploiting CVE-2021-41773, a high-severity path traversal vulnerability in Apache HTTP Server (version 2.4.49), to distribute the previously undocumented Linux cryptominer “Linuxsys”. While exploitation of CVE-2021-41773 has been observed since at least July 2025, the broader malware campaign dates back to 2021 and involves consistent tactics, techniques, and procedures (TTPs) used to exploit multiple vulnerabilities. Previously exploited vulnerabilities include CVE-2024-0012, CVE-2024-9474, CVE-2024-36401, CVE-2023-22527, CVE-2023-34960, and CVE-2023-38646.

The attack chain begins with threat actors scanning for vulnerable Apache HTTP Server instances, followed by exploitation of CVE-2021-41773 to gain remote command execution. With this access, they execute the shell script linux.sh from repositorylinux[.]org, which downloads the configuration file config.json and the linuxsys binary from five compromised legitimate websites. These include prepstarcenter[.]com, wisecode[.]it, dodoma[.]shop, portailimmersion[.]ca, and test.anepf[.]org.

Potential Threats

UNG0002 Multi-Stage Espionage Campaigns Targeting Asian Sectors Using RATs and Social Engineering - Between early 2025 and July 16, 2025, Seqrite Labs identified two espionage campaigns, “Operation Cobalt Whisper” and “Operation AmberMist”, attributed to a South Asia-based threat cluster tracked as UNG0002. These campaigns targeted critical infrastructure across China, Hong Kong, and Pakistan. The report describes the threat actor leveraging multiple delivery and evasion techniques to compromise and maintain access to targeted networks.

UNG0002 initially gained access through spearphishing emails that delivered ZIP archives containing LNK and VBS files. The threat actor also employed the ClickFix technique, in which spoofed websites mimicked legitimate portals and prompted users to paste PowerShell commands copied to their clipboard. These scripts were designed to execute on the target system without user awareness. Additionally, resume-themed decoy documents were tailored to specific sectors, including fake profiles of game user interface designers and students from well-known academic institutions. Execution relied on scripting mechanisms such as VBScript, batch files, and PowerShell. The threat actor also used living-off-the-land binaries (LOLBins) and Windows scriptlets to launch payloads discreetly. Persistence was achieved through scheduled tasks named SysUpdater and UtilityUpdater, which enabled long-term access. The threat actor abused DLL sideloading by executing legitimate binaries, such as rasphone.exe and Node-Webkit, to load malicious implants.

PoisonSeed Threat Actors Abuse FIDO Cross-Device Sign-In Feature to Bypass Hardware-Based MFA Protections - On 17 July 2025, cybersecurity firm Expel revealed that those behind the previously documented “PoisonSeed” campaign are misusing FIDO’s cross-device sign-in feature in a novel phishing campaign aimed at enterprise users. This feature enables authentication on one device by approving a login session from a second device holding a registered passkey - typically via scanning a QR code or using Bluetooth.

This method does not exploit any flaw in FIDO2 itself; instead, it abuses its legitimate fallback mechanism - hybrid transport - by avoiding proximity-based verification (for instance, Bluetooth). The threat actors utilise adversary-in-the-middle (AitM) phishing infrastructure to intercept credentials and manipulate the cross-device sign-in flow, effectively weakening FIDO2’s security by bypassing the requirement for physical interaction with hardware security keys.

The infection chain starts with phishing emails that direct victims to a spoofed Okta login page hosted on the newly registered domain okta[.]login-request[.]com. After entering their credentials, victims are redirected to aws-us3-manageprod[.]com, masquerading as the next step in the authentication process. Both domains are hosted on Cloudflare, lending an air of legitimacy and helping to evade detection. The phishing backend then relays the stolen credentials to the genuine login portal via AitM infrastructure and initiates a cross-device sign-in request in place of a physical FIDO key prompt. The genuine portal generates a QR code for authentication, which the phishing site displays back to the victims. When victims scan the QR code with their registered MFA app, the login session initiated by the attackers is completed.

BruteForceAI, Login Brute-Force Tool that Uses LLMs for Intelligent Form Analysis and Automated Credential Attacks, Published on GitHub - On July 19, 2025, security researcher Mor David published BruteForceAI. BruteForceAI is a Python-based login brute-force tool that uses Large Language Models (LLMs) to intelligently analyse HTML content and identify form selectors. It also automates credential attacks with human-like behaviour patterns. Per David, BruteForceAI aims to bridge artificial intelligence (AI) with offensive security by eliminating the need for hard-coded selectors and enabling adaptive brute-force or password spray attacks even against complex, JavaScript-heavy login interfaces.

Based on the repository, BruteForceAI requires a list of target URLs, usernames, and passwords, and optionally an LLM backend (Ollama or Groq) to perform intelligent HTML analysis and extract the correct login form selectors before executing credential attacks. Once provided, BruteForceAI initialises the specified LLM backend and loads a model to analyse each target URL. It uses the LLM to parse the HTML content and identify key login form elements such as username fields, password inputs, and submit buttons, even in complex or obfuscated DOM structures. BruteForceAI then stores this selector metadata in a local SQLite database (bruteforce.db) to ensure repeatable, stateful attacks. During analysis, BruteForceAI can randomise User-Agent headers, route traffic through a proxy, retry failed selector detection attempts, and display a live browser window for debugging or stealth evasion. It also supports automatic model selection defaults and fallback behaviour if model names or providers aren't specified explicitly.

General News

UK moves forward with plans for mandatory reporting of ransomware attacks - The British government’s proposals to overhaul its ransomware strategy reached a minor milestone on Tuesday as the Home Office published its formal response to a consultation on amending the law, but questions remain regarding how effective the measures will be.

Public consultations are a regular part of the British legislative process. In this case, the Home Office set out three key policy ideas to tackle the ransomware crisis and solicited public feedback to justify forthcoming legislation. The three key policy ideas are a ban on payments by organisations working in the public sector or in critical national infrastructure; a requirement for victims to notify the government before making any extortion payments; and a mandatory reporting requirement so all victims inform law enforcement of attacks.

The formal response published Tuesday, cataloguing feedback for and against the measures, follows a series of high-profile ransomware incidents affecting the country, including several that left multiple high-street grocery store shelves empty and one that contributed to the death of a hospital patient in London.

Dell Technologies Confirms Breach of Customer Solution Centres; World Leaks Claims Responsibility - On July 21, 2025, BleepingComputer reported that Dell Technologies confirmed a breach affecting its Customer Solution Centres, a standalone environment used to test and showcase its products. Dell stated that the system operates independently from its internal network and customer infrastructure, and that the accessed files consist of artificial datasets, publicly available resources, test outputs, and system information. The company also identified an outdated contact list among the accessed materials.

Although Dell Technologies did not attribute the breach to a specific threat actor, the World Leaks Ransomware Group claimed responsibility, stating it had exfiltrated 1.3TB of data and posted sample files on its extortion website. According to BleepingComputer, the leaked data appears to include configuration scripts, system backups, and internal passwords used during provisioning. Dell has not commented on the group’s claim or the published files.

Indian CoinDCX Breach Leads to $44.2 Million in Losses From Internal Wallet Compromise - On July 19, 2025, Indian cryptocurrency exchange CoinDCX (coindcx[.]com) disclosed a security breach involving unauthorised access to an internal operational wallet associated with a partner exchange, which led to the theft of cryptocurrency assets. CoinDCX CEO Sumit Gupta stated that customer assets remained unaffected, the compromised wallet was promptly isolated to contain the attack, and the platform continued to operate. At the time of writing, the identity of the threat actor remains unknown.

According to on-chain investigator ZachXBT, the incident allegedly involved the theft of $44.2 million and reportedly began when a threat actor funded their wallet with 1 ETH from Tornado Cash, a cryptocurrency mixer commonly used to obscure the origin of funds. This allowed the attacker to operate from a wallet that appeared new and unrelated to prior malicious activity, enabling the transfer and laundering of the stolen assets.

Threat Actor Weekly Graph

Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.

Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.

Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.

Both intent and opportunity are scored out of 100 and together determine the group's severity. These updates can be seen below.


Severity bands: Limited Severity, Basic Severity, Moderate Severity, High Severity. Each value is shown as previous → current; NEW marks a group added to the landscape this week.

Threat Actor                 Severity         Opportunity   Intent
RedGolf                      High → High      82 → 82       35 → 30
CL0P Ransomware Group        High → High      82 → 81       49 → 49
UNG0002                      NEW → Basic      NEW → 35      NEW → 25
Голиа                        NEW → Basic      NEW → 30      NEW → 25
BlackByte Ransomware Group   Basic → Basic    40 → 45       40 → 46

Global Trends Powered by Recorded Future

Within each category, we have provided the current top five globally trending items. Each item is linked to how actively trending it is and is marked with a small symbol.

The spikes in references are calculated over 60 days and are normalised to ensure they aren't disproportionate when compared to bigger entities that will naturally have more baseline mentions.

- Spike – This indicates a large increase in reporting volume and a high diversity in the event descriptions.
- Rise – This indicates a small increase in reporting volume with little diversity in the descriptions.

Attackers     Methods                          Vulnerabilities   Targets
RedBravo      Zero Day Exploit                 CVE-2025-53770    Microsoft SharePoint
Storm2603     Cyber spying                     CVE-2025-49706    Energy and Natural Resources
Unit 1948     T1583.001 (Domains)              CVE-2025-53771    Investment
RedGolf       TA0042 (Resource Development)    CVE-2025-49704    Dell Technologies
UNG0002       KaWaLocker (Kawa4096)            CVE-2025-54309    Microsoft Servers

Prominent Information Security Events

Threat Actors Exploit CVE-2025-0282 and CVE-2025-22457 to Deliver MDifyLoader with Cobalt Strike Beacon, Fscan, and vshell

Source: Insikt Group | Validated Intelligence Event

  • IOC: IP - 172[.]237[.]6[.]207
  • IOC: Domain - Api[.]openedr[.]eu[.]org
  • IOC: Domain - query[.]datasophos[.]com
  • IOC: Hash SHA256 - 48f3915fb8d8ad39dc5267894a950efc863bcc660f1654187b3d77a302fd040f
  • IOC: Hash SHA256 - 54350d677174269b4dc25b0ccfb0029d6aeac5abbbc8d39eb880c9fd95691125

In a report published on 18 July 2025, JPCERT/CC detailed the active exploitation of two critical vulnerabilities - CVE-2025-0282 and CVE-2025-22457 - affecting Ivanti Connect Secure, Ivanti Policy Secure, and ZTA Gateways. These stack-based buffer overflow vulnerabilities have been exploited since December 2024 by threat actors seeking initial access to victim networks. Once inside, the attackers deploy MDifyLoader, which is designed to sideload a trojanised Python DLL and eventually execute a Cobalt Strike Beacon in memory. The campaign also uses legitimate binaries such as rmic.exe and python.exe to evade detection and employs various obfuscation techniques to hinder analysis.

Upon execution, MDifyLoader decrypts and runs a Cobalt Strike v4.5 Beacon, establishing encrypted communications with external command-and-control (C2) servers. The trojanised Python DLL also decodes and executes Fscan, a Go-based network scanner, which is used to identify vulnerable services and exploit weaknesses such as MS17-010. Attackers then brute-force network services to harvest credentials and move laterally via RDP and SMB. For persistence, they deploy the vshell RAT, create new domain accounts, register malware as services or scheduled tasks, and maintain multiple backdoors. Notably, vshell avoids execution on Chinese-language systems, indicating likely regional targeting or development origin. The Insikt Group has released a Nuclei template to help detect vulnerable ICS instances, with further technical details and indicators of compromise (IoCs) provided by JPCERT/CC.


Threat Actors Exploit CVE-2021-41773 in Apache HTTP Server to Deploy Linuxsys Cryptominer

Source: Insikt Group | Validated Intelligence Event

  • IOC: IP - 103[.]193[.]177[.]152
  • IOC: Domain - repositorylinux[.]org
  • IOC: Hash SHA1 - 52d31b33b3dcd31bc515df70da6925deb93e2473
  • IOC: Hash SHA1 - 7797530e1b7216fa1c7467e06008ac38e02f5a0a

On 17 July 2025, cybersecurity firm VulnCheck reported that unknown threat actors are actively exploiting a critical vulnerability—CVE-2021-41773—in Apache HTTP Server version 2.4.49. This path traversal flaw allows attackers to execute remote commands and has recently been used to distribute a previously undocumented Linux-based cryptominer named “Linuxsys.” Although exploitation of this specific vulnerability has been noted since at least July 2025, the larger malware campaign traces back to 2021, involving a consistent set of tactics, techniques, and procedures (TTPs) across several other known vulnerabilities.

The attack begins with scans for vulnerable servers, followed by the execution of a malicious script (linux.sh) hosted on a suspicious domain. This script downloads both the mining binary and a configuration file from a network of compromised legitimate websites. Once deployed, Linuxsys uses typical XMRig settings to mine Monero cryptocurrency via the hashvault.pro pool, with earnings sent to the attackers' wallet. To ensure persistence, another script (cron.sh) is run, and evidence suggests a potential Windows version of the malware exists as well. The operation’s use of trusted domains with valid SSL certificates aids in evading detection. VulnCheck has attributed recent activity to a specific IP address and released detection rules for security tools like Suricata and Snort.

Remediation Actions

Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable:

  • CVE-2025-0282: To remediate CVE-2025-0282, immediately patch affected Ivanti products to the latest secure versions, run the Integrity Checker Tool, investigate for compromise, perform factory resets if needed, rotate credentials, and implement ongoing threat monitoring and patch management.

  • CVE-2025-22457: To remediate CVE-2025-22457, immediately patch affected Ivanti appliances, disconnect any unpatched systems, run the Integrity Checker Tool, reset compromised devices, rotate credentials, monitor for suspicious activity, and report any breaches to the appropriate authorities.

  • CVE-2021-41773: To remediate CVE-2021-41773, upgrade Apache HTTP Server to version 2.4.51 or later, disable the mod_cgi module if not required, restrict access to sensitive directories using proper configuration (e.g. Require all denied), and monitor logs for signs of exploitation or unauthorised file access.
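The CVE-2021-41773 remediation above asks for log monitoring. As an added example (not VulnCheck's published rules, and not code from the report), the following Python script scans Apache combined-format access log lines for path traversal attempts: it percent-decodes each request path repeatedly so that single- and double-encoded dot sequences both collapse to a literal `..` segment before the check is made. The log lines and IP addresses are constructed samples.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format (not from the report).
# Lines 2 and 3 carry percent-encoded traversal segments (%2e and double-encoded %252e);
# line 4 contains ".." inside a legitimate segment name and must not be flagged.
SAMPLE_LOG = """\
192.0.2.10 - - [17/Jul/2025:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.11 - - [17/Jul/2025:10:01:05 +0000] "GET /icons/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1042 "-" "curl/7.68.0"
192.0.2.12 - - [17/Jul/2025:10:01:09 +0000] "GET /icons/.%252e/.%252e/etc/passwd HTTP/1.1" 403 199 "-" "python-requests/2.31"
192.0.2.13 - - [17/Jul/2025:10:01:11 +0000] "GET /docs/a..b/page.html HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request path and status code from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def normalise_path(path):
    """Percent-decode until stable (bounded) so %2e, %252e, ... all become '.'."""
    decoded = path
    for _ in range(3):  # three rounds cover double and triple encoding
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def is_traversal(path):
    """True when any decoded path segment is exactly '..' (query string ignored)."""
    decoded = normalise_path(path.split('?', 1)[0])
    return any(seg == '..' for seg in decoded.split('/'))


def find_traversal_attempts(log_text):
    """Return one dict per log line whose request path contains a traversal segment."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_traversal(m['path']):
            continue
        hits.append({
            'ip': m['ip'],
            'timestamp': m['ts'],
            'method': m['method'],
            'path': m['path'],
            'decoded': normalise_path(m['path'].split('?', 1)[0]),
            'status': int(m['status']),  # a 200 on a traversal path deserves priority
        })
    return hits


if __name__ == '__main__':
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['status']} {hit['path']} -> {hit['decoded']}")
```

A 200 response on a flagged path indicates the server served the traversed resource and the host should be treated as compromised until proven otherwise; a 403 shows the request was blocked but still identifies a scanning source.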

If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.