Cyber Threat Intelligence Digest: Week 30

30th July 2025 - Threat Reports
  • Vulnerabilities
  • Potential Threats
  • General News
  • Threat Actor Weekly Graph
  • Global Trends Powered by Recorded Future
  • Prominent Information Security Events
  • Remediation Actions

Executive Summary - Highlights of Cyber Threat Intelligence Digest

Vulnerabilities

Fire Ant Campaign Exploits VMware and Network Appliance Vulnerabilities to Maintain Persistent Access - On 24 July 2025, Sygnia detailed the Fire Ant campaign, attributed to Chinese state-sponsored group UNC3886, targeting VMware and F5 infrastructure. Attackers exploited CVE-2023-34048 to gain access to VMware vCenter, harvested credentials to compromise ESXi hosts, and used CVE-2023-20867 to run commands inside guest VMs without credentials.

Fire Ant maintained persistence through rootkits, V2Ray tunnelling, and exploiting CVE-2022-1388 on F5 Load Balancers. Multiple evasion and re-compromise methods enabled long-term stealthy access. 

Affected organisations should apply updates and monitor for indicators of compromise.

CVE-2025-54309, a Critical Unprotected Alternate Channel Vulnerability in CrushFTP, Likely Exploited in the Wild - CVE-2025-54309, classified under CWE-420, allows unauthenticated remote attackers to gain admin access to CrushFTP over HTTPS when the DMZ proxy is disabled.

The flaw affects versions 10.x before 10.8.5 and 11.x before 11.3.4_23 and is actively exploited. It stems from incomplete AS2 validation enabling authentication bypass via alternate channels. CrushFTP recommends IP allowlisting and restricting admin access, but experts warn DMZ proxies may not fully prevent attacks. Over 298,000 CrushFTP instances were found on Shodan, mostly in the US, India, Australia, Japan, and the UK. 

Users should patch immediately and tighten access controls.

Threat Actor Gains Admin Access to Amazon Q Repository and Deploys Malicious Update - On 23 July 2025, 404 Media reported that an unknown actor compromised the Amazon Q AI coding assistant for Visual Studio Code by pushing a malicious update (v1.84.0) to its official GitHub repository.

The update included commands to delete local files and cloud credentials, disguised as a system cleanup. The threat actor claimed it was a protest against Amazon’s “AI security theatre.” Amazon confirmed the breach, removed the malicious version, and stated no customers were impacted. No CVE has been assigned. 

Users should update to version 1.85 or later immediately.

Potential Threats

Critical and Actively Exploited Vulnerability in Wing FTP Server - On 30 June 2025, security researcher Julien Ahrens disclosed CVE‑2025‑47812, a critical remote code execution (RCE) vulnerability in Wing FTP Server versions prior to 7.4.4.

Classified under CWE-158 (improper neutralisation of null byte), it allows unauthenticated attackers to inject arbitrary Lua code via crafted usernames at the /loginok[.]html endpoint. On 14 July 2025, both the UK’s NCSC and US CISA added the flaw to their advisories, noting active exploitation.

The vulnerability arises from mishandling NULL bytes (%00) in usernames. Wing FTP’s c_CheckUser function validates only the username portion before the NULL byte, letting attackers bypass password checks by appending malicious Lua code. This unsanitised input is stored in session files executed upon session reload, granting attackers code execution with SYSTEM or root privileges. Exploitation requires no authentication and gives full control over vulnerable systems. 

Users are strongly urged to upgrade to Wing FTP Server 7.4.4 or later immediately.

Threat Actors Use Fake ClickFix Pages to Deploy Epsilon Red Ransomware via Malicious .HTA Files - On July 25, 2025, CloudSEK reported a global campaign by unidentified threat actors deploying Epsilon Red ransomware via spoofed ClickFix verification pages.

The campaign uses social engineering by impersonating social media platforms to trick victims into running malicious .HTA files embedded in fake verification workflows. Unlike earlier ClickFix attacks, this variant redirects users to a secondary spoofed page that silently executes commands using ActiveXObject(WScript.Shell) without further interaction.

The script downloads a ransomware payload from a threat-controlled IP address and runs it in hidden mode, leading to infection. Victims see a fake verification code displayed after execution, reinforcing the deception.

CloudSEK highlights this as a significant evolution in Epsilon Red’s tactics, requiring heightened vigilance against such social engineering ploys.

Threat Actors Target US Chemicals Company by Exploiting SAP NetWeaver Flaw CVE-2025-31324 to Deploy Auto-Color Linux Malware - On July 29, 2025, Darktrace reported active exploitation of CVE-2025-31324, a remote code execution vulnerability in SAP NetWeaver, used to deploy the Auto-Color backdoor. The campaign targeted a US-based chemicals firm beginning in April 2025, using specially crafted URIs to exploit file upload functionality on the NetWeaver application server.

Attackers delivered a malicious ZIP archive containing a shell script, executed via helper.jsp, which retrieved an ELF binary (Auto-Color) from 146.70.41[.]178. Auto-Color gains persistent, system-wide access on Linux by injecting a shared object through /etc/ld.so.preload, renaming itself to evade detection, and initiating encrypted C2 communication. The malware supports reverse shells, file execution, proxy setup, and a kill switch. If C2 fails, it suppresses behaviour to avoid sandbox analysis.

Darktrace notes this campaign as a high-risk example of post-patch exploitation, underscoring the importance of timely updates and endpoint visibility.

General News

Mandatory Compliance with UK Online Safety Act 2023 - On 25 July 2025, the UK’s Online Safety Act 2023 came into force with mandatory compliance requirements enforced by Ofcom. The legislation imposes new duties on social media platforms, search engines, and other online services accessible by UK users - regardless of where they’re based - to protect children and adults from harmful or illegal content.

Platforms must conduct risk assessments, embed content moderation and safety-by-design into their services, enforce strict age verification measures for content such as pornography or self-harm material (e.g. facial age checks, ID scans), and implement robust reporting and takedown mechanisms.

Non‑compliance could result in fines of up to £18 million or 10% of global turnover, criminal liability for senior executives, and potential service bans in the UK.

Tea app data theft scandal worsens as stolen IDs leaked to cybercriminal forum - On 26 July 2025, Tea - a dating safety app for women - confirmed a breach affecting a legacy storage system holding user data from before February 2024.

Roughly 72,000 images were accessed without authorisation, including 13,000 ID selfies submitted for verification and 59,000 user-uploaded images from posts, comments, and DMs. The breach was first reported by 404 Media, with cybercriminals now circulating thousands of stolen driver’s licence photos online.

Tea users expressed outrage, citing the app’s prior claim that ID photos would be deleted after verification. The company claimed the archived data was retained due to unspecified law enforcement compliance requirements. Tea has engaged external cybersecurity experts and is investigating the incident.

Microsoft will stop supporting Windows 11 22H2 in October - On 14 October 2025, Windows 11 22H2 Enterprise, Education, and IoT Enterprise editions will officially reach end of servicing, Microsoft confirmed this week.

These are the final 22H2 editions still supported, following the October 2024 end of service for Home and Pro versions. After this date, affected systems will no longer receive monthly security or preview updates, leaving them unprotected from emerging threats.

To ensure continuity, Windows Update will automatically upgrade eligible consumer and unmanaged business devices to the Windows 11 24H2 release. Users can still schedule the update outside of active hours to minimise disruption. Microsoft encourages organisations to review support timelines via the Windows Lifecycle FAQ and Lifecycle Policy search tool.


Threat Actor Weekly Graph

Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.

Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.

Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.

Both intent and opportunity are scored out of 100 and are responsible for scoring the group's severity. These updates can be seen below.


Severity scale: Limited Severity, Basic Severity, Moderate Severity, High Severity

Threat Actor                  Severity (previous -> current)   Opportunity (previous -> current)   Intent (previous -> current)
RedBravo                      NEW -> High                      NEW -> 82                           NEW -> 25
CL0P Ransomware Group         High -> High                     82 -> 81                            49 -> 49
Tag-67                        NEW -> Moderate                  NEW -> 57                           NEW -> 25
Greedy Sponge                 NEW -> Basic                     NEW -> 40                           NEW -> 30
Securotrop Ransomware Group   NEW -> Basic                     NEW -> 25                           NEW -> 45

Global Trends Powered by Recorded Future

Within each category, we have provided the current top five globally trending items. Each item is annotated with a small symbol indicating how actively it is trending.

The spikes in references are calculated over 60 days and are normalised to ensure they aren't disproportionate when compared to bigger entities that will naturally have more baseline mentions.

- Spike – This indicates a large increase in reporting volume and a high diversity in the event descriptions.
- Rise – This indicates a small increase in reporting volume with little diversity in the descriptions.

Attackers                    Methods                                          Vulnerabilities                               Targets
Cyber Partisans              Rhysidia                                         CVE-2025-53770                                Transportation
BlackSuit Ransomware Group   Supply Chain Attack                              CVE-2025-49704                                Allianz
Neferpitou                   T1190 (Exploit Public-Facing Application)        CVE-2025-5777 (Citrix Bleed 2)                Microsoft SharePoint
Anonymous                    Dox                                              CVE-2025-3943                                 Amazon.com
Catlyn                       T1016 (System Network Configuration Discovery)   CWE-502 (Deserialisation of Untrusted Data)   Broadcom

Prominent Information Security Events

Critical and Actively Exploited Vulnerability in Wing FTP Server

Source: Insikt Group | Validated Intelligence Event

IOC: IP – 194[.]265[.]16[.]71

IOC: IP – 147[.]45[.]112[.]219

IOC: Domain - webhook[.]site

IOC: Hash SHA256 - f0fcc638cd93bdd6fb4745d75b491395a7a1b2cb08e0153a2eb417cb2f58d8ac

IOC: Hash SHA256 - c637ec00bd22da4539ec6def89cd9f7196a303d17632b1131a89d65e4f5698f4

On 30 June 2025, security researcher Julien Ahrens publicly disclosed CVE‑2025‑47812, a critical remote code execution (RCE) vulnerability affecting Wing FTP Server versions prior to 7.4.4. Classified under CWE-158 (improper neutralisation of null byte), the flaw enables unauthenticated attackers to inject and execute arbitrary Lua code via specially crafted usernames submitted to the /loginok.html endpoint. On 14 July 2025, the UK’s National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to their advisories, citing active exploitation in the wild.

The root cause stems from improper handling of NULL bytes (%00) within the username parameter during authentication. Wing FTP’s internal c_CheckUser function prematurely validates only the substring before the NULL byte, allowing attackers to append malicious Lua payloads that bypass password verification. These unsanitised usernames are then stored in session files, which are executed as Lua scripts upon session reload, effectively granting remote code execution with the privileges of the FTP service—typically SYSTEM or root level access.

Exploitation requires no authentication, meaning any remote attacker can target vulnerable servers without credentials. This provides full system compromise, including the ability to install malware, steal data, or disrupt operations. Given the severity and ease of exploitation, organisations using affected Wing FTP Server versions are strongly urged to update immediately to version 7.4.4 or later. Vendors and security teams should also monitor network activity for signs of exploitation and consider implementing additional protections such as network segmentation and access controls.
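A defender-side check for the NUL-byte username condition described above (and in the Potential Threats summary), added here as an example and not Wing FTP Server's own code: it flags /loginok.html login requests whose username contains a NUL byte in constructed sample log lines (the log layout with a trailing body= field is an assumption), and shows a validator that checks the whole username rather than the prefix before the first NUL.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample access-log lines. The "body=" field holding the POST form
# body is an assumption made for this example, not a Wing FTP log format.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Jul/2025:10:01:02 +0000] "POST /loginok.html HTTP/1.1" 200 body=username=alice&password=Secret1
203.0.113.9 - - [30/Jul/2025:10:01:09 +0000] "POST /loginok.html HTTP/1.1" 200 body=username=anon%00x&password=x
203.0.113.9 - - [30/Jul/2025:10:01:11 +0000] "GET /index.html HTTP/1.1" 200 body=
"""

LOGINOK = re.compile(r'"POST /loginok\.html[^"]*".*?body=(?P<body>\S*)')

def username_from_body(body: str) -> bytes:
    """Return the percent-decoded username bytes from a form body."""
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        if key == "username":
            return unquote_to_bytes(value)
    return b""

def is_suspicious_username(raw: bytes) -> bool:
    """A NUL byte in a username is never legitimate; it is the precondition
    for the truncated-validation bypass the digest describes."""
    return b"\x00" in raw

def find_null_byte_logins(log_text: str) -> list[str]:
    """Return the log lines whose /loginok.html username contains a NUL byte."""
    return [line for line in log_text.splitlines()
            if (m := LOGINOK.search(line))
            and is_suspicious_username(username_from_body(m.group("body")))]

def validate_username(raw: bytes) -> bool:
    """Hardened check: validate the whole value, not the prefix before the first
    NUL, and reject empty, over-long, control or non-ASCII bytes outright."""
    return 0 < len(raw) <= 64 and all(0x20 < b < 0x7F for b in raw)

if __name__ == "__main__":
    for hit in find_null_byte_logins(SAMPLE_LOG):
        print("suspicious login:", hit)
```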

Threat Actors Use Fake ClickFix Pages to Deploy Epsilon Red Ransomware via Malicious .HTA Files

Source: Insikt Group | Validated Intelligence Event

IOC: IP - 155[.]94[.]155[.]227

IOC: IP - 213[.]209[.]150[.]188

IOC: Domain - capchabot[.]cc

IOC: Hash MD5 -  98107c01ecd8b7802582d404e007e493

IOC: Hash MD5 - 2db32339fa151276d5a40781bc8d5eaa

On July 25, 2025, CloudSEK reported a widespread campaign by unidentified threat actors deploying the Epsilon Red ransomware through sophisticated social engineering techniques involving spoofed ClickFix verification pages. The attackers impersonate popular social media platforms to lure victims into executing malicious HTML Application (.HTA) files embedded within fraudulent verification workflows.

Unlike previous ClickFix campaigns that relied on users manually copying commands, this variant silently executes malicious scripts by redirecting victims to a secondary spoofed verification page hosted on the same infrastructure. The page leverages ActiveXObject(WScript.Shell) to run commands without additional user interaction, significantly increasing the stealth and success rate of the attack.

The malicious script accesses the user’s profile directory and uses curl to download a ransomware payload from a threat actor-controlled IP address (155.94.155[.]227:2269). This payload is saved and executed in hidden mode, resulting in the deployment of Epsilon Red ransomware on the victim’s system. After execution, a fake verification code is displayed to reinforce the illusion of a legitimate process and further manipulate victims.

CloudSEK emphasises this campaign as a notable escalation in Epsilon Red’s tactics, showcasing the group’s evolving capabilities in combining social engineering with technical exploits. Organisations are advised to increase awareness and implement controls to detect and block malicious HTA files and suspicious web redirects as part of their defensive strategies.

Remediation Actions

Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable:

  • CVE-2025-47812: To remediate CVE-2025-47812, immediately update Wing FTP Server to version 7.4.4 or later. Review login activity and session files for signs of exploitation, restrict access to the /loginok.html endpoint where possible, and implement network segmentation to limit exposure.

  • CVE-2025-54309: To remediate CVE-2025-54309, upgrade CrushFTP to versions 10.8.5_12 or 11.3.4_26 and later. Restrict admin interface access with IP allowlisting and strong authentication controls. Continuously scan for vulnerable CrushFTP instances within your network, apply access control policies, and monitor for unauthorised admin activity.

  • CVE-2025-31324: To remediate CVE-2025-31324, apply the vendor-issued patch for SAP NetWeaver released on 8 April 2025. Audit logs for suspicious URI requests to /developmentserver/metadatauploader, inspect for unauthorised ZIP uploads and helper.jsp activity, and scan Linux systems for signs of Auto-Color persistence (e.g. /etc/ld.so.preload and /var/log/cross/auto-color).
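An audit helper for the /etc/ld.so.preload persistence the digest attributes to Auto-Color (see the Potential Threats entry and the CVE-2025-31324 remediation item), added here as an example and not Darktrace's or the malware's code: it parses preload-file contents the way the glibc loader does and flags entries that are relative, outside the usual library directories, or missing on disk. The sample contents and paths are constructed for the example, not indicators from the report.

```python
import os
import re
from dataclasses import dataclass

# Directories a legitimately preloaded library would normally live in.
TRUSTED_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")

@dataclass
class Finding:
    path: str
    reason: str

def parse_preload(text: str) -> list[str]:
    """Split ld.so.preload contents as the glibc loader does: entries are
    separated by whitespace or ':' and '#' starts a comment."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.extend(re.split(r"[\s:]+", line))
    return entries

def audit_preload(text: str, exists=os.path.exists) -> list[Finding]:
    """Flag entries that are relative, outside trusted library directories, or
    missing on disk. `exists` is injectable so the check runs offline."""
    findings = []
    for path in parse_preload(text):
        if not path.startswith("/"):
            findings.append(Finding(path, "relative path in ld.so.preload"))
        elif not path.startswith(TRUSTED_PREFIXES):
            findings.append(Finding(path, "library outside trusted system directories"))
        elif not exists(path):
            findings.append(Finding(path, "listed library does not exist on disk"))
    return findings

# Constructed sample: one benign entry and two that warrant investigation.
# The paths are hypothetical, not indicators from the Darktrace report.
SAMPLE_PRELOAD = """\
/usr/lib/x86_64-linux-gnu/libfakeroot/libfakeroot-sysv.so
/tmp/.cache/libsys.so   # hypothetical staging location
/usr/lib/libmissing.so
"""

def demo_findings() -> list[Finding]:
    """Run the audit on the sample, pretending only the first two files exist."""
    present = {"/usr/lib/x86_64-linux-gnu/libfakeroot/libfakeroot-sysv.so", "/tmp/.cache/libsys.so"}
    return audit_preload(SAMPLE_PRELOAD, exists=lambda p: p in present)
```

On a live host, pass the contents of /etc/ld.so.preload (if the file exists at all, since on most systems it should not) to audit_preload with the default `exists`, and treat any finding as a lead to investigate alongside the other persistence artefacts listed above.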

If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.