July 13, 2025

Cyber OSINT Overview, Jul 7 - Jul 13, 2025

This brief consolidates key updates from 80+ sources, including government organizations, cybersecurity vendors, threat intelligence teams, security research labs, and blogs from cybersecurity communities and professionals. It highlights the most significant threats, vulnerabilities, and developments from the past week to keep you informed.

Most Discussed Topics

  • Microsoft’s July 2025 Patch Tuesday addressed 130 vulnerabilities and was a major point of discussion. The release was highlighted by CVE-2025-47981, a critical, potentially wormable remote code execution (RCE) vulnerability in the Windows SPNEGO NEGOEX protocol with a CVSS score of 9.8. This flaw requires no user interaction or authentication, prompting widespread alerts for immediate patching. Advisories also covered other critical RCE vulnerabilities affecting Microsoft Office, SharePoint, and Windows Routing and Remote Access Service (RRAS), underscoring the broad impact of this month’s updates.
  • Multiple vulnerabilities in Citrix NetScaler ADC and Gateway products were a key focus, especially following reports of active exploitation. The out-of-bounds read vulnerability, CVE-2025-5777, dubbed “Citrix Bleed 2,” gained significant attention due to its potential for exposing sensitive session tokens. CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and issued a rare 24-hour patching directive for federal agencies. The incident has drawn comparisons to the widely exploited Citrix Bleed vulnerability from 2023, prompting urgent calls for patching and threat hunting.
  • Numerous security advisories addressed vulnerabilities in the Linux Kernel, highlighting the continuous effort required to secure this foundational open-source component. The reported flaws could allow local attackers to cause a denial-of-service (DoS), escalate privileges, or manipulate data. The frequent patching cycle, noted across multiple government CERT alerts and vendor updates, underscores the critical importance of maintaining up-to-date kernels to protect a wide array of systems, from servers to embedded devices.
  • Multiple security vendors and agencies released a high volume of advisories for enterprise and Industrial Control Systems (ICS) products. CISA published thirteen advisories for ICS equipment from vendors like Siemens, Delta Electronics, Advantech, and KUNBUS, highlighting critical risks such as remote code execution, authentication bypass, and path traversal. Additionally, vendors including Fortinet, Ivanti, SAP, and Adobe released patches for numerous critical vulnerabilities in their respective products, indicating a broad and coordinated effort to address security gaps across enterprise and industrial environments.

Critical Vulnerabilities

  • Microsoft released a patch for CVE-2025-47981, a critical (CVSS 9.8) remote code execution vulnerability in the Windows SPNEGO Extended Negotiation (NEGOEX) protocol. This heap-based buffer overflow flaw can be exploited remotely by an unauthenticated attacker without any user interaction. Due to these characteristics, the vulnerability has the potential for worm-like self-propagation across networks, posing a significant risk to all modern Windows client and server operating systems. Immediate patching is strongly recommended.
  • Multiple vulnerabilities are being actively exploited in Citrix NetScaler ADC and Gateway appliances, including an out-of-bounds read flaw (CVE-2025-5777) that can lead to sensitive information disclosure, such as session tokens. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and issued an emergency directive requiring federal agencies to patch within 24 hours. The vulnerability, dubbed “Citrix Bleed 2,” can be exploited remotely without authentication, and organizations are urged to patch immediately and perform threat hunting, as patching does not remediate an existing compromise.
  • A critical remote code execution vulnerability (CVE-2025-47812) with a CVSS score of 10.0 is being actively exploited in Wing FTP Server versions prior to 7.4.4. The vulnerability is a null byte and Lua injection flaw that allows an attacker with anonymous or valid credentials to inject and execute arbitrary system commands with root or SYSTEM privileges. Attackers have been observed using the exploit to download malicious files and install remote management tools. Users are strongly urged to upgrade to version 7.4.4 or later immediately.
  • Multiple critical vulnerabilities have been disclosed in Siemens Industrial Control Systems (ICS) products, impacting industrial operations worldwide. In Siemens SINEC NMS, flaws including SQL injection (CVE-2025-40735) and a missing authentication vulnerability (CVE-2025-40736) could allow an unauthenticated attacker to execute arbitrary code and gain full control. Siemens TIA Administrator contains vulnerabilities (CVE-2025-23364, CVE-2025-23365) that allow for privilege escalation and arbitrary code execution. These vulnerabilities pose a significant risk to critical manufacturing and energy sectors, necessitating immediate updates and network segmentation.
  • A critical unauthenticated SQL injection vulnerability (CVE-2025-25257) has been found in the FortiWeb Web Application Firewall. The flaw exists in the GUI component and can be exploited via crafted HTTP or HTTPS requests, potentially leading to unauthorized SQL command execution and a full system compromise. Although no active exploitation was reported at the time of disclosure, Fortinet products are frequent targets. Organizations are strongly advised to upgrade to a patched version or disable the HTTP/HTTPS administrative interface as a temporary mitigation.
  • Multiple vulnerabilities have been discovered in Git for non-Windows systems, including a critical arbitrary file write flaw (CVE-2025-48384). This vulnerability can be exploited during a git clone --recursive operation on a malicious repository, potentially leading to remote code execution by writing a malicious Git Hook script. Proof-of-concept exploits are publicly available, and the vulnerability affects Git CLI versions 2.50.0 and prior, as well as the GitHub Desktop client for macOS. Developers are urged to update to a patched version immediately.
  • A chain of four vulnerabilities, collectively dubbed “PerfektBlue,” affects the BlueSDK Bluetooth stack used in millions of vehicles from Mercedes-Benz, Volkswagen, Skoda, and another unnamed manufacturer. The most critical flaw (CVE-2024-45434) is a use-after-free bug in the AVRCP service. An attacker within Bluetooth range could chain these vulnerabilities to achieve remote code execution on the vehicle’s infotainment system, potentially accessing GPS data, audio, and contacts. The complex automotive supply chain has delayed patching, leaving many vehicles exposed.

Major Incidents

  • McDonald’s experienced a significant data exposure through its AI-powered hiring chatbot, McHire, developed by Paradox.ai. Security researchers discovered that an insecure API allowed access to the personal information of approximately 64 million job applicants. The researchers gained access to the administrator interface of a test restaurant using a simple default password, from which they were able to pivot and access the sensitive applicant data. McDonald’s has since remediated the vulnerability.
  • Major UK retailers, including Marks & Spencer (M&S), Co-op, and Harrods, were targeted by significant cyberattacks attributed to the Scattered Spider group. The attacks disrupted online services, contactless payments, and led to the theft of customer data. In response, M&S was forced to take its online store offline for nearly seven weeks. The UK’s National Crime Agency (NCA) has since arrested four individuals in connection with these incidents.
  • The Australian airline Qantas suffered a data breach affecting up to 6 million customers after a third-party customer service platform used by an offshore call center was compromised. The exposed data includes personal information and frequent flyer numbers. Qantas stated that it has contained the incident, notified the relevant authorities, and is enhancing its security measures. This breach highlights the significant risks associated with third-party service providers and their access to sensitive customer data.
  • A fire at the Ramses Central Exchange, a key telecommunications datacenter in Egypt, caused a major internet disruption across the country. National connectivity dropped to as low as 44% of ordinary levels, affecting critical services such as banking, mobile payments, and online trade. The prolonged outage, which lasted over 48 hours, highlights the vulnerability of critical infrastructure and the widespread economic and social impact of such incidents.
  • The technology distributor Ingram Micro experienced a significant outage caused by a ransomware attack attributed to the SafePay group. The attack led to the shutdown of internal systems, including its website and online ordering platforms like Xvantage and Impulse. The disruption, which began before a major holiday weekend, affected customer operations and highlighted the ongoing threat of ransomware to critical supply chain and distribution services.
  • Luxury fashion brand Louis Vuitton disclosed that its UK operation was hit by a cyberattack on July 2, resulting in the theft of customer data. The compromised information includes names, contact details, and purchase histories. The company reassured customers that financial data was not accessed but warned of potential phishing and fraud attempts. This incident follows similar breaches at other LVMH brands, including Dior and Louis Vuitton’s Korean division, indicating a pattern of attacks against the luxury retail sector.
  • The gaming community faced a significant security incident when the PC version of ‘Call of Duty: WWII’ was temporarily taken offline due to reports of a remote code execution (RCE) vulnerability. Players reported that attackers were able to hijack their PCs during live multiplayer matches, enabling actions like forcing shutdowns and displaying unwanted content. The incident highlights the risks associated with older game titles, particularly those using peer-to-peer networking, and prompted the game to be pulled from Microsoft’s Game Pass service pending a fix.

Emerging Threats

  • Threat actors are increasingly using AI to enhance social engineering attacks, including sophisticated phishing and voice-cloning scams. An AI-powered attack impersonated the US Secretary of State using deepfake voice and text messages sent via Signal to other high-level government officials. Similarly, AI-generated search engine summaries have been observed suggesting phishing sites instead of legitimate login pages. These incidents demonstrate a growing trend of leveraging AI to create highly convincing and targeted attacks that bypass traditional defenses and manipulate human trust.
  • Malicious browser extensions are being used to compromise end-user devices at scale, affecting millions of users on both Chrome and Edge. These extensions, often disguised as legitimate tools like volume boosters or VPNs, are used to scrape data, hijack user sessions by intercepting web traffic, and redirect users to malicious sites. In one campaign, extensions turned nearly a million browsers into a botnet for a paid web-scraping service. This trend highlights the significant risk posed by the browser as an attack surface and the need for greater scrutiny of extensions, even those from official web stores.
  • The LogoKit phishing kit is being used in widespread campaigns targeting government, banking, and logistics sectors. This toolkit automates the creation of convincing phishing pages by dynamically fetching company logos and favicons based on the victim’s email domain, which is passed as a URL parameter. The phishing sites, often hosted on legitimate services like AWS S3 to evade detection, use Cloudflare Turnstile to appear more credible. This tactic allows attackers to efficiently scale their credential theft operations across various industries with minimal manual effort.
  • The Iranian-backed ransomware-as-a-service (RaaS) group Pay2Key has resurfaced as Pay2Key.I2P, demonstrating advanced capabilities and clear geopolitical motivations. Linked to the Fox Kitten APT and Mimic ransomware, the group is offering an 80% profit share for affiliates who attack Western targets, particularly in the US and Israel. This resurgence highlights a trend of ideologically driven ransomware campaigns that merge financial extortion with state-aligned cyber warfare objectives, expanding their attack surface with new tools like a Linux-targeted ransomware build.
  • An Initial Access Broker (IAB) campaign, attributed with medium confidence to Gold Melody (UNC961), is exploiting leaked ASP.NET Machine Keys to compromise IIS servers. This technique allows the attacker to perform View State deserialization attacks, executing malicious payloads directly in the server’s memory. This in-memory approach minimizes forensic artifacts, making the intrusion difficult to detect. The IAB uses custom Go-based tooling for persistence and reconnaissance, targeting organizations across finance, manufacturing, and transportation sectors in Europe and the US.
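The View State attack above only works when the attacker already knows the application's validation and decryption keys, so the practical defensive question is which applications carry an explicit, possibly copied, machineKey instead of the per-application AutoGenerate default. The following audit script is an added example, not code from the brief or from any of the vendors it cites; the web.config samples are constructed for illustration, and the placeholder key strings are not real keys.

```python
"""Audit ASP.NET web.config files for hard-coded <machineKey> values.

Added example. A leaked or copied machineKey is what makes forged
__VIEWSTATE payloads possible, so a defender wants an inventory of every
application whose validationKey/decryptionKey is set explicitly rather than
left at the AutoGenerate default. Sample configs below are constructed.
"""
from pathlib import Path
import xml.etree.ElementTree as ET

# Constructed sample: explicit key pair (the case to flag and rotate).
# The key values are placeholders, not real keys.
STATIC_KEY_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

# Constructed sample: the default, keys generated per application at runtime.
AUTOGEN_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" />
  </system.web>
</configuration>
"""

# Validation algorithms that Microsoft no longer recommends for MAC generation.
WEAK_VALIDATION = {"MD5", "SHA1", "3DES", "AES"}


def find_machine_keys(config_xml: str) -> list[dict]:
    """Return one finding per <machineKey> element, at any nesting depth
    (the element may sit under <location> as well as under <system.web>)."""
    root = ET.fromstring(config_xml)
    findings = []
    for elem in root.iter("machineKey"):
        # Absent attributes fall back to the ASP.NET default.
        vk = elem.get("validationKey", "AutoGenerate,IsolateApps")
        dk = elem.get("decryptionKey", "AutoGenerate,IsolateApps")
        validation = elem.get("validation", "HMACSHA256")
        findings.append({
            "static_validation_key": not vk.startswith("AutoGenerate"),
            "static_decryption_key": not dk.startswith("AutoGenerate"),
            "validation": validation,
            "weak_validation": validation.upper() in WEAK_VALIDATION,
        })
    return findings


def needs_rotation(config_xml: str) -> bool:
    """True when any machineKey carries an explicit key. An explicit key is
    not automatically compromised, but it is the only kind that can have
    been leaked or copied from a public source, so it is the one to review
    and rotate."""
    return any(
        f["static_validation_key"] or f["static_decryption_key"]
        for f in find_machine_keys(config_xml)
    )


def audit_tree(root_dir: str) -> dict[str, bool]:
    """Walk a directory tree (e.g. an IIS wwwroot export) and map each
    web.config path to whether it needs key review."""
    results = {}
    for cfg in Path(root_dir).rglob("web.config"):
        try:
            results[str(cfg)] = needs_rotation(cfg.read_text(encoding="utf-8"))
        except ET.ParseError:
            results[str(cfg)] = False  # unparseable config: report separately
    return results


if __name__ == "__main__":
    for name, cfg in (("static", STATIC_KEY_CONFIG), ("autogen", AUTOGEN_CONFIG)):
        print(name, "needs rotation:", needs_rotation(cfg), find_machine_keys(cfg))
```

Point `audit_tree` at the web root of each IIS host; a `True` result means the application's keys should be regenerated and the old ones treated as untrusted, since patching alone does not invalidate payloads signed with a key the attacker already holds.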
  • The DoNot APT group (APT-C-35), linked to Indian state interests, has expanded its operations to target European government entities. A recent spear-phishing campaign impersonated European defense officials to lure victims into downloading the LoptikMod malware from a Google Drive link. This malware is designed to exfiltrate system information and maintain persistence. This shift from its traditional focus on South Asian targets indicates a broadening of the group’s cyber-espionage objectives and capabilities.
  • The AI supply chain is becoming a significant attack vector, with attackers hiding malicious code in open-source models and packages. In one notable incident, a malicious extension for the Cursor AI IDE, named ‘solidityai.solidity-1.0.9’, was used to download and execute the Quasar backdoor and a crypto stealer, leading to the theft of $500,000 from a blockchain developer. This highlights the risk of using unvetted open-source components in development environments and the need for robust AI supply chain security measures.

Regulatory and Policy Updates

  • CISA has added several actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to patch them on accelerated timelines. Notably, CVE-2025-5777, a flaw in Citrix NetScaler products, was given an emergency 24-hour remediation deadline due to the unacceptable risk it poses. Other additions include older vulnerabilities in PHPMailer (CVE-2016-10033) and Ruby on Rails (CVE-2019-5418), reinforcing the importance of patching both new and legacy systems to defend against active threats.
  • Microsoft has finalized plans for Windows 10 Extended Security Updates (ESU) as the operating system’s end-of-support date of October 14, 2025, approaches. Commercial customers will face a tiered pricing model starting at $61 per device for the first year, with costs doubling annually for up to three years. For consumers, Microsoft is offering a free one-year ESU subscription to those who use Windows Backup or Microsoft Rewards, providing a temporary bridge for users on hardware ineligible for a Windows 11 upgrade.
  • The US Treasury Department has sanctioned individuals and companies involved in North Korea’s illicit IT worker schemes. The sanctions target a North Korean national linked to the Andariel hacking group and a Russian man whose companies employed North Korean IT workers. These schemes generate revenue for North Korea’s weapons programs and pose an insider threat, as these workers have been known to introduce malware into corporate networks. This action underscores the international effort to disrupt North Korea’s funding streams derived from cybercrime and illicit labor.
  • The Healthcare and Public Health Sector Coordinating Council (HSCC) testified before the U.S. Senate, urging significant reforms to national healthcare cybersecurity policy. Citing budget constraints and the increasing threat landscape, the HSCC called for a pause on HIPAA Security Rule updates to allow organizations to focus resources on current threats. They also advocated for enhanced visibility into critical infrastructure, reauthorization of government-industry collaboration channels like CIPAC, and greater cybersecurity accountability for third-party vendors to improve the sector’s overall resilience.
  • The European Union’s new Product Liability Directive (PLD) now explicitly classifies software, including AI and digital services, as ‘products.’ This change subjects them to strict liability, meaning non-compliance with cybersecurity requirements or a failure to provide necessary security updates can be legally considered a product defect. This regulatory shift increases the accountability of software and AI developers, forcing them to prioritize security-by-design principles to mitigate potential legal and financial risks.
  • The UK’s Intelligence and Security Committee of Parliament released a report on Iran, highlighting its ‘ferociously well-resourced’ intelligence services and significant asymmetric strength in cyber capabilities. The report states that Iranian espionage poses a considerable threat to the UK and its interests. This assessment aligns with a joint alert from US agencies warning of potential targeted cyber activity by Iranian-affiliated actors against US critical infrastructure, underscoring the geopolitical tensions manifesting in cyberspace.
  • Let’s Encrypt has begun issuing free TLS certificates for IP addresses, a shift from its traditional domain-only model. This initiative aims to enhance security for devices accessed directly via IP, such as home IoT devices and servers without a domain name. While intended to improve encryption accessibility, security experts caution that this could also be abused by phishing campaigns, as attackers could use a valid, browser-trusted certificate for a malicious IP-based site, potentially lulling users into a false sense of security.

Security Operations

  • New frameworks are emerging to help organizations manage AI-related security risks. The Cloud Security Alliance (CSA) released its ‘Artificial Intelligence Controls Matrix,’ a vendor-agnostic framework for securely developing and operating AI systems. Concurrently, SANS Institute and OWASP have partnered to standardize a comprehensive set of AI security controls. These initiatives aim to provide actionable guidance for developers and security teams to address the unique challenges posed by AI, from data poisoning and model theft to prompt injection and supply chain attacks.
  • The security industry is advocating for a shift in how AI and LLM systems are tested, moving beyond static prompt engineering. Experts argue that effective penetration testing must treat these systems as conversational and account for their ability to interpret intent, which can be manipulated by attackers. Recommended practices include scenario-driven testing that explores adversarial context manipulation, running AI modules in sandboxed environments, and implementing human-in-the-loop reviews for any actions involving elevated access or critical decision-making.
  • Oligo Security has introduced the Application Attack Matrix, a new, open-source framework designed to complement MITRE ATT&CK by focusing specifically on application-layer threats. The matrix aims to fill gaps in existing frameworks by providing a more granular taxonomy for categorizing attacks that exploit application vulnerabilities, such as various types of code injection and supply chain compromises. This community-driven effort is intended to help security teams better understand, define, and defend against attacks that occur within the application context, regardless of the underlying infrastructure.
  • 0patch has released micropatches for ‘WSPCoerce,’ a coerced authentication vulnerability in the Windows Search Protocol that Microsoft has classified as a ‘won’t-fix’ issue. This technique allows an attacker to force a target system to authenticate to an attacker-controlled machine, revealing NTLM credentials that can be used in relay attacks. The micropatches prevent this by restricting remote search requests to the target machine itself, thereby neutralizing the threat on both currently supported and legacy Windows systems where disabling NTLM is not feasible.
  • The concept of an Isolated Recovery Environment (IRE) is gaining importance as a critical defense against destructive ransomware attacks. Unlike traditional disaster recovery sites, an IRE is a fully segregated environment with no shared authentication or persistent network links to production systems. Its purpose is to store immutable backups and provide a clean, secure space to restore and validate critical systems after a major compromise where production backups are also assumed to be compromised. This approach is crucial for ensuring business continuity when adversaries deliberately target backup infrastructure.
  • The implementation of foundational cybersecurity controls, such as CIS Controls 1 (Inventory and Control of Enterprise Assets) and 2 (Inventory and Control of Software Assets), remains a key focus for security teams. Community discussions highlight the challenges and strategies involved in achieving comprehensive asset visibility, which is crucial for effective vulnerability management and risk reduction. These discussions emphasize the need for robust asset management processes and tools to build a strong security posture from the ground up.
  • Estonia has enhanced its national mobile application, ‘Eesti äpp’, with a new digital identity verification feature. This allows users to prove their identity directly from their smartphone by presenting a QR code containing their ID card or passport data to service providers. While this function is currently limited to Estonia and does not replace the physical document, it represents a significant step in digital identity innovation. The initial launch saw high user interest, causing temporary technical glitches, but the service was quickly restored.

Wins

  • The UK’s National Crime Agency (NCA) arrested four individuals in connection with a series of high-profile cyberattacks against major retailers, including Marks & Spencer, Co-op, and Harrods. The suspects, aged 17 to 20, face charges of blackmail, money laundering, and Computer Misuse Act offenses. This law enforcement action is a significant step in disrupting the activities of the prolific Scattered Spider cybercrime group, which has been linked to these disruptive retail attacks as well as intrusions at numerous other companies.
  • An attacker who exploited a vulnerability in the GMX decentralized exchange to steal $42 million in cryptocurrency has returned the funds. The hacker agreed to accept a $5 million bug bounty from the platform in exchange for returning the stolen assets. This incident highlights a growing trend in the DeFi space where projects negotiate with white-hat or grey-hat hackers to recover stolen funds, though it does not absolve the attacker of potential legal liability.
  • Italian authorities arrested a Chinese national, Xu Zewei, at the request of the United States for his alleged role in the 2020-2021 Microsoft Exchange Server hack. The indictment accuses Xu of acting on behalf of China’s Ministry of State Security to target U.S. universities and researchers involved in COVID-19 research. This arrest is a significant development in holding state-sponsored actors accountable for major cyber-espionage campaigns.
  • The FBI successfully seized and dismantled several major online marketplaces known for distributing pirated video games, including unreleased titles. The domains, including nsw2u.com and game-2u.com, were responsible for an estimated 3.2 million illegal downloads and approximately $170 million in losses to game developers and publishers. This action marks a significant disruption to a prominent video game piracy network.
  • French authorities arrested Russian professional basketball player Daniil Kasatkin at the request of the United States. Kasatkin is suspected of being a negotiator for a ransomware gang that allegedly attacked 900 organizations, including U.S. federal agencies, between 2020 and 2022. This arrest demonstrates the international cooperation involved in pursuing individuals linked to major ransomware operations.
  • Indonesian authorities have extradited a Russian citizen, Alexander Zverev, to Russia. Zverev is accused of operating a Telegram channel that sold sensitive personal data obtained from Russian law enforcement and mobile operator databases. This extradition marks a victory in the fight against illicit data brokerage and highlights international cooperation in prosecuting cybercriminals who profit from stolen information.
  • A U.S. appeals court has revived a lawsuit filed by Salvadoran journalists against the Israeli spyware firm NSO Group. The Ninth Circuit Court of Appeals vacated a lower court’s decision to dismiss the case, which was based on the argument that California was not the appropriate forum. This ruling allows the journalists to proceed with their case in U.S. court, representing a significant step in holding spyware manufacturers accountable for their alleged role in targeting journalists and activists.

Disclaimer

The summaries in this brief are generated autonomously by an LLM based on provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.

The brief is created in collaboration with BlackStork and is based on a free template.

Reach out if you have questions or suggestions.