During the week under review, threat actors shifted from high-noise ransomware campaigns to quieter, precision intrusions that exploit zero-day or recently patched vulnerabilities and abuse trusted cloud or software-supply-chain services. Fortinet’s FortiWeb, Citrix NetScaler ADC/Gateway and Wing FTP Server all saw in-the-wild exploitation within 72 hours of public disclosure—highlighting the narrowing window between a patch release and mass weaponisation. Meanwhile, state-backed and financially motivated groups leaned on developer ecosystems and third-party JavaScript dependencies to gain initial access, as demonstrated by the fresh wave of Contagious Interview npm packages and a new FileFix-enabled Interlock RAT campaign.
The incidents below were all initiated between 9 July and 16 July 2025; any event with an earlier kill-chain start date, even if reported this week, has been excluded per scope requirements. Each write-up provides narrative context, deep technical artefacts, MITRE ATT&CK mappings, indicators of compromise (IOCs), log excerpts, proof-of-concept details, and focused CISO takeaways.
Fortinet FortiWeb SQL Injection Leads to Unauthenticated RCE (CVE-2025-25257) — 13 Jul 2025
Overview
On 13 July 2025, exploitation telemetry spiked for CVE-2025-25257: an unauthenticated SQL-injection bug in FortiWeb’s /api/fabric/device/status endpoint that Fortinet had silently patched on 08 July 2025. Weaponisation began once watchTowr and Qualys published proof-of-concept (PoC) code on 12 July, giving attackers a turnkey path to execute arbitrary commands on exposed WAF clusters.
Explanation
Improper neutralisation of special elements in SQL queries (CWE-89) meant that an Authorization: Bearer header containing a crafted %27 (single-quote) followed by a comment sequence was concatenated into a query unescaped. Attackers chained an INTO OUTFILE clause to write a web-shell (ml-draw.py) into the CGI directory, culminating in SYSTEM-level command execution.
Impact
- Public scans identify 5,004 internet-facing FortiWeb interfaces worldwide, with 32% located in U.S. enterprise DMZs.
- Observed post-exploitation includes exfiltration of WAF configs (containing SSL keys), lateral movement into adjacent load balancers, and deployment of ScreenConnect for persistence.
- MSSPs noted data-tampering attacks on reverse proxies serving healthcare portals, altering HTTP headers to inject malicious JavaScript.
Details
| Technical Artefact | Value |
|---|---|
| CVE | CVE-2025-25257 |
| CVSS v3.1 | 9.6 Critical |
| Single-Request PoC | curl -k -H "Authorization: Bearer ' UNION SELECT 1 INTO OUTFILE '/var/www/cgi-bin/ml-draw.py'-- -" https://<victim>/api/fabric/device/status |
| Dropped Web-shell SHA-256 | 66d4ee5a9613f1a3addfcc45b91fc0c21fe3b69b1f8151a9e8d0ff1d0588c13 |
| C2 Examples | 45.134.2.90:443, 37.120.152.214:8443 |
MITRE ATT&CK Mapping
- T1190: Exploit Public-Facing Application
- T1059.004: Command & Scripting Interpreter – Python
- T1546.003: Web Shell for Persistence
- T1567.002: Exfiltration to Web Services
Log Snippet (FortiWeb /log/bsd.log)
```text
[13/Jul/2025:04:38:12] 10.11.14.52 TLS1.3 GET /api/fabric/device/status 200
SQLi pattern detected in Authorization header – blocked (policyid=0x3e9)
```
Takeaway for CISOs
- Patch immediately to 7.6.4/7.4.8/7.2.11/7.0.11 or apply the CLI workaround set admin-port 0 on GUI interfaces.
- Forward WAF logs to SIEM with rule-based alarms for unauthorized INTO OUTFILE strings.
- Use FireCompass CART to simulate header-based SQL injection against all externally-reachable API endpoints and validate zero-trust segmentation.
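The SIEM rule suggested above can be prototyped before it is deployed. The following is an added example, not code from the original write-up or from Fortinet: it URL-decodes the Authorization header value (including double-encoded variants), applies three rules matching the quote-break, UNION SELECT and INTO OUTFILE elements of the injection described above, and runs them over constructed log lines. The `auth="..."` field in the sample lines is an assumption made for the example; real FortiWeb bsd.log entries may not record the header value, in which case the same `check_authorization` function can be wired to a reverse proxy or WAF custom-rule hook instead.

```python
import re
from urllib.parse import unquote

# Detection rules for the injection pattern described above: a quote that
# breaks out of the query, a UNION SELECT, and the INTO OUTFILE file write.
SQLI_RULES = {
    "quote_comment": re.compile(r"'.*(--|#|/\*)", re.S),
    "union_select": re.compile(r"\bunion\b.+\bselect\b", re.I | re.S),
    "into_outfile": re.compile(r"\binto\s+(out|dump)file\b", re.I),
}

# Constructed access-log lines. The auth="..." field is an assumption made for
# this example; real bsd.log entries may not record the header value.
SAMPLE_LINES = [
    '[13/Jul/2025:04:38:10] 10.11.14.51 GET /api/fabric/device/status 200 '
    'auth="Bearer eyJhbGciOiJIUzI1NiJ9.e30.signature"',
    '[13/Jul/2025:04:38:12] 10.11.14.52 GET /api/fabric/device/status 200 '
    'auth="Bearer %27 UNION SELECT 1 INTO OUTFILE %27/var/www/cgi-bin/x.py%27-- -"',
]

LINE_RX = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+(?P<src>\S+)\s+(?P<method>\S+)\s+(?P<path>\S+)'
    r'\s+(?P<status>\d+)\s+auth="(?P<auth>[^"]*)"'
)


def normalize(value: str) -> str:
    """URL-decode up to three times so double-encoded payloads (%2527) unwrap."""
    current = value
    for _ in range(3):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def check_authorization(value: str) -> list[str]:
    """Return the names of the rules that match the decoded header value."""
    decoded = normalize(value)
    return [name for name, rx in SQLI_RULES.items() if rx.search(decoded)]


def scan_lines(lines):
    """Apply the header rules to each parsable log line; return findings."""
    findings = []
    for line in lines:
        m = LINE_RX.match(line)
        if not m:
            continue
        hits = check_authorization(m["auth"])
        if hits:
            findings.append({"src": m["src"], "path": m["path"], "rules": hits})
    return findings


if __name__ == "__main__":
    for finding in scan_lines(SAMPLE_LINES):
        print(finding)
```

Decoding before matching matters: a rule that looks for the literal string `INTO OUTFILE` in the raw header misses `INTO%20OUTFILE` and `%2527`, so normalise first and alert on the decoded value. A legitimate bearer token (JWT or opaque) contains no quote character, so the quote-break rule alone gives a low false-positive rate on this endpoint.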
Citrix NetScaler “CitrixBleed 2” Auth-Bypass (CVE-2025-5777) — 10 Jul 2025
Overview
At 21:30 UTC on 10 July 2025, CISA added CVE-2025-5777 to the Known Exploited Vulnerabilities (KEV) Catalog, issuing an unprecedented 24-hour patch mandate for federal agencies. Exploits observed in honeypots reveal reliable, pre-authentication memory over-reads that return valid session cookies, reviving techniques reminiscent of 2023’s original CitrixBleed.
Explanation
A bounds-check omission in the RDP proxy component of NetScaler ADC/Gateway permits crafted NSC_USER cookies to overflow into adjacent heap memory and leak SessionId tokens. Attackers chain the leak to T1133 external remote services, replaying the token to establish VPN sessions and pivot into on-prem AD controllers.
Impact
- DHS confirms multiple unclassified email systems accessed via stolen cookies; lateral movement scripts used nscpcap.exe to dump plaintext credentials.
- Viasat, a private satellite operator, reported service degradation on edge appliances traced back to the CVE-2025-5777 exploit path.
- 2,300+ vulnerable appliances remain publicly exposed as of 15 July.
Details
| Artefact | Value |
|---|---|
| CVE | CVE-2025-5777 |
| CVSS | 9.8 (network, no auth) |
| Bypass Packet | 0x17 bytes of 0x41 followed by legitimate NSC_NONCE |
| Known Exploit Kit | citrixbleed2.py (SHA-256 9b7f5df0…) |
| Observed C2 | 88.99.215.73:4443 (TLS, self-signed) |
MITRE ATT&CK
- T1190: Exploit Public-Facing Application
- T1185: Browser Cookie Hijacking
- T1133: External Remote Services
- T1003: OS Credential Dumping
Excerpt – NetScaler ns.log
```text
Jul 10 18:33:41 <local0.info> ns Feature RDP Enabled
Jul 10 18:33:42 <local0.warn> ns Unusual NSC_USER length 248 bytes from 194.180.174.22
```
Takeaway for CISOs
- Upgrade to 14.1-24.7, 13.1-51.18, or 13.0-92.19 and rotate all AAA-TM / session cookies.
- Inspect VPN logs (/var/log/ns.log) for anomalous NSC_USER sizes > 64 bytes.
- Deploy YARA/Sigma rules correlating out-of-sequence Set-Cookie headers with NetScaler traffic; FireCompass CART includes a module to safely emulate the over-read without risking service crash.
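The ns.log inspection recommended above is a length threshold, which is simple enough to automate. This added example (not code from the original post or from Citrix) parses the `Unusual NSC_USER length` lines shown in the excerpt, flags any event over the 64-byte threshold quoted in the takeaway, counts oversized events per source address, and applies the same threshold to a raw Cookie header so the check can also run at an upstream reverse proxy. The first two sample lines are the page's excerpt; the remaining lines are constructed.

```python
import re
from collections import Counter

NSC_USER_MAX = 64  # advisory threshold quoted above; cookies above it are suspect

# Lines 1-2 are from the ns.log excerpt above; the rest are constructed.
SAMPLE_NS_LOG = """\
Jul 10 18:33:41 <local0.info> ns Feature RDP Enabled
Jul 10 18:33:42 <local0.warn> ns Unusual NSC_USER length 248 bytes from 194.180.174.22
Jul 10 18:33:43 <local0.warn> ns Unusual NSC_USER length 40 bytes from 10.0.0.5
Jul 10 18:33:44 <local0.warn> ns Unusual NSC_USER length 1024 bytes from 194.180.174.22
""".splitlines()

LEN_RX = re.compile(r"NSC_USER length (?P<len>\d+) bytes from (?P<src>[\d.]+)")


def parse_nsc_user_events(lines):
    """Extract (source, length) from every line that reports an NSC_USER size."""
    events = []
    for line in lines:
        m = LEN_RX.search(line)
        if m:
            events.append({"src": m["src"], "length": int(m["len"]), "raw": line})
    return events


def flag_oversized(lines, threshold=NSC_USER_MAX):
    """Keep only events whose cookie length exceeds the threshold."""
    return [e for e in parse_nsc_user_events(lines) if e["length"] > threshold]


def sources_by_hits(lines, threshold=NSC_USER_MAX):
    """Count oversized-cookie events per source, for prioritising blocks."""
    return Counter(e["src"] for e in flag_oversized(lines, threshold))


def oversized_cookies(cookie_header, threshold=NSC_USER_MAX, names=("NSC_USER",)):
    """Apply the same check to a raw Cookie header before it reaches the appliance."""
    oversized = []
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name in names and len(value.encode()) > threshold:
            oversized.append(name)
    return oversized


if __name__ == "__main__":
    for event in flag_oversized(SAMPLE_NS_LOG):
        print(event["src"], event["length"])
    print(sources_by_hits(SAMPLE_NS_LOG))
```

A single oversized cookie can be a malformed client, so the per-source counter is what turns the signal into a useful alert: repeated over-length cookies from one address within a short window is the pattern to escalate and to feed into the cookie-rotation step above.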
Wing FTP Server Null-Byte / Lua Injection (CVE-2025-47812) — 14 Jul 2025
Overview
Following RCE-Security’s public advisory on 30 Jun 2025, real-world exploitation of Wing FTP’s null-byte flaw accelerated. Huntress observed the first confirmed intrusion at 16:15 UTC on 14 Jul 2025, leading CISA to add CVE-2025-47812 to the KEV catalog hours later.
Explanation
Session files stored in wing-ftp-sess-<user>.lua mishandle \0 bytes within the username field. Attackers inject Lua code that executes when the session is parsed, enabling root/SYSTEM commands.
Proof-of-Concept Snippet
```bash
curl -X POST http://victim:5466 -d "username=anonymous%00print(os.execute('id>c:\\pwn.txt'))"
```
Impact
- Huntress forensics revealed attackers exfiltrated archive files via WingFTP.exe → WinRAR → FileZilla chain, then attempted to deploy ScreenConnect remote-access binaries—blocked by Defender.
- Shadowserver telemetry records 1,946 vulnerable instances accessible on port 5466, with U.S., CN, DE concentration.
- Unpatched systems in manufacturing were coerced into cryptomining via dropped xmrig.exe instances consuming 80% CPU.
Details
| Indicator | Value |
|---|---|
| PoC SHA-256 | f4c3236d3ab…792b |
| Malicious IPs | 223.160.131.104, 149.248.44.88, 103.88.141.42, 185.196.9.225, 146.70.11.39 |
| C2 Tunnel | trycloudflare.com sub-domains ending .workers.dev |
| Malicious Tox ID | 9D97F166730F865F793E2EA07B173C742A6302879DE1B0BBB03817A5A04B572FBD82F984981D |
MITRE ATT&CK
- T1027: Obfuscated/Encrypted File
- T1059.007: Command Shell
- T1547.001: Registry Run Keys/Startup Folder
- T1486: Data Encryption for Impact (observed in later SafePay copycat)
Wing FTP 2025-7-14.log (excerpt)
```text
[06] Mon, 14 Jul 2025 16:15:26 User 'anonymous\0print(io.popen("whoami").read("!*a"))' logged in from 185.196.9.225
```
Takeaway for CISOs
- Upgrade to 7.4.4 immediately.
- Quarantine any hosts that contain session files with null-byte artefacts (0x00).
- Implement eBPF-based syscall filters to prevent .lua execution in /Log/Sessions.
- Schedule FireCompass continuous scans for port 5466 and custom banner checks against /favicon.ico hash to locate forgotten servers.
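The quarantine step above needs a way to find session files carrying the null-byte artefact. This added example (not code from the original post or from Wing FTP) scans a directory of `wing-ftp-sess-*.lua` files and reports two indicators: a 0x00 byte anywhere in the file, and Lua execution primitives (os.execute, io.popen, loadstring, dofile) that have no business in session data. The `username = "..."` file layout used for the constructed samples is an assumption for the example, not the real Wing FTP session format; the byte-level checks do not depend on it.

```python
import re
import tempfile
from pathlib import Path

# Lua primitives whose presence inside a session file means code, not data.
LUA_EXEC_RX = re.compile(rb"(os\.execute|io\.popen|dofile|loadstring|load\s*\(|require\s*\()")


def inspect_session_file(path: Path) -> list[str]:
    """Return the artefact types found in one session file (empty if clean)."""
    data = path.read_bytes()
    findings = []
    if b"\x00" in data:
        findings.append("null_byte")
    if LUA_EXEC_RX.search(data):
        findings.append("lua_exec")
    return findings


def scan_session_dir(directory) -> dict[str, list[str]]:
    """Map each suspicious wing-ftp-sess-*.lua file name to its findings."""
    report = {}
    for path in sorted(Path(directory).glob("wing-ftp-sess-*.lua")):
        findings = inspect_session_file(path)
        if findings:
            report[path.name] = findings
    return report


def build_sample_dir() -> Path:
    """Create a temporary directory with one clean and one tampered session file.

    The 'username = "..."' layout is an assumption for this example, not the
    real Wing FTP session format.
    """
    d = Path(tempfile.mkdtemp(prefix="wingftp-sessions-"))
    (d / "wing-ftp-sess-alice.lua").write_bytes(
        b'username = "alice"\nlogin_time = 1752509700\n'
    )
    (d / "wing-ftp-sess-anonymous.lua").write_bytes(
        b'username = "anonymous\x00os.execute(\'id\')"\nlogin_time = 1752509726\n'
    )
    return d


if __name__ == "__main__":
    print(scan_session_dir(build_sample_dir()))
```

Run it against the live session directory from a forensic copy rather than the production path, and treat a hit on either indicator as grounds to pull the host for the quarantine step; the null-byte check is the reliable one, since a clean session file written by the server should never contain 0x00.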
Contagious Interview: 67 Malicious npm Packages Posted (11 – 15 Jul 2025)
Overview
Between 11 July and 15 July 2025, the North-Korean DeceptiveDevelopment cluster (aka Contagious Interview) published 67 new npm packages bundling the XORIndex loader, extending its long-running developer-targeted espionage operation.
Explanation
The packages masquerade as react-cli-tools, aws-helper-kit, and @types/esbuild-wrapper. On install, a post-install script writes an XOR-encoded blob (index.js.enc) to disk, then dynamically decodes and launches XORIndex, which pulls BeaverTail stealer from hard-coded GitHub gists.
Impact
- Socket telemetry shows 17,400+ downloads before npm security teams purged the packages on 16 Jul 2025.
- Compromised dev environments leaked AWS secrets, npm access-tokens, and SSH keys to C2 hosted on cdn.discordapp.com and data.mongodb-services.com.
- Two cryptocurrency exchanges reported anomalous transfers after a build server running a vulnerable package pushed tampered smart-contract code (loss est. 0.8 BTC).
Details
| Artefact | Value |
|---|---|
| Sample Malicious Package | [email protected] |
| XORIndex Loader SHA-256 | 7ae8dbb4c3d63c8d4e3d9c2d1f5ed9e233ad5a2bf6e9210a8ec669c8ecbd731 |
| C2 IP | 62.204.41.17:8080 |
| Beacon Format | JSON, key devId, AES-256-GCM, hard-coded IV 0xdeadbeefcafebabe |
MITRE ATT&CK
- T1195.002: Supply-Chain Compromise – Development Tools
- T1059.006: JavaScript Execution
- T1568.003: Exfiltration to Cloud Storage
- T1070.004: File Deletion (post-install clean-up)
package.json Snippet
```json
{
  "name": "aws-helper-kit",
  "version": "1.2.3",
  "scripts": {
    "postinstall": "node -e \"require('./post.js')\""
  },
  "repository": "git+https://github.com/devhelper-aws/kit.git"
}
```
Takeaway for CISOs
- Enforce package allow-lists and deploy npm-audit hooks that block any package whose postinstall writes executable content outside node_modules.
- Rotate all CI/CD secrets and audit for token misuse during 11–15 July.
- Use FireCompass to enumerate third-party package dependencies and simulate malicious post-install behaviours in staging.
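The allow-list hook recommended above can be implemented as a manifest audit that runs before `npm install` in CI. This added example (not code from the original post, npm or Socket) inspects the lifecycle hooks in a package.json, matches each command against a short list of indicators (inline `node -e` evaluation, remote fetches, base64 decoding, requiring a bundled local script, piping into a shell) and returns an allow/review/block verdict. The page's own package.json snippet is used as the malicious sample; the two benign manifests are constructed, and the indicator list is illustrative rather than exhaustive.

```python
import json
import re

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Indicators in a lifecycle script that should fail the allow-list check.
# Illustrative, not exhaustive.
SUSPICIOUS = {
    "inline_eval": re.compile(r"\bnode\s+(-e|--eval)\b"),
    "remote_fetch": re.compile(r"\b(curl|wget|Invoke-WebRequest)\b"),
    "encoded_payload": re.compile(r"\b(base64|atob)\b"),
    "local_script": re.compile(r"""require\(['"]\./"""),
    "shell_pipe": re.compile(r"\|\s*(sh|bash|powershell)\b"),
}

# Manifest from the write-up above.
SAMPLE_MALICIOUS = r'''
{
  "name": "aws-helper-kit",
  "version": "1.2.3",
  "scripts": {
    "postinstall": "node -e \"require('./post.js')\""
  },
  "repository": "git+https://github.com/devhelper-aws/kit.git"
}
'''

# Constructed benign manifests for comparison.
SAMPLE_BENIGN = '{"name": "pad-demo", "version": "1.0.0", "scripts": {"test": "node test.js"}}'
SAMPLE_NATIVE = '{"name": "native-demo", "version": "1.0.0", "scripts": {"install": "node-gyp rebuild"}}'


def audit_manifest(text: str) -> list[dict]:
    """Return one finding per lifecycle hook present, with the indicators it matched."""
    scripts = json.loads(text).get("scripts") or {}
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        hits = [name for name, rx in SUSPICIOUS.items() if rx.search(cmd)]
        findings.append({"hook": hook, "command": cmd, "hits": hits})
    return findings


def verdict(text: str) -> str:
    """allow: no lifecycle hooks; review: hooks but no indicator; block: indicator matched."""
    findings = audit_manifest(text)
    if any(f["hits"] for f in findings):
        return "block"
    if findings:
        return "review"
    return "allow"


if __name__ == "__main__":
    for label, manifest in (("malicious", SAMPLE_MALICIOUS),
                            ("benign", SAMPLE_BENIGN),
                            ("native", SAMPLE_NATIVE)):
        print(label, verdict(manifest), audit_manifest(manifest))
```

The "review" tier exists because native add-ons legitimately run `node-gyp rebuild` on install; blocking every lifecycle hook outright breaks real builds, whereas routing them to a human review queue keeps the allow-list workable. Pair the audit with `npm install --ignore-scripts` in CI so nothing executes before the verdict is in.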
Interlock RAT via FileFix / KongTuke Campaign — 14 Jul 2025
Overview
Palo Alto Networks Unit 42 and The DFIR Report disclosed an active campaign starting 14 Jul 2025 that leverages FileFix browser abuse to drop a PHP-based variant of Interlock RAT across energy, retail, and manufacturing verticals.
Explanation
The campaign hijacks legitimate WordPress sites. Victims are served a fake “Open File Explorer” prompt that copies a base64-encoded PowerShell downloader to the clipboard. When the victim pastes it into the File Explorer address bar, the script decodes and executes embedded PHP payloads, ultimately implanting Interlock RAT. The malware opens an outbound Cloudflare Tunnel (trycloudflare.com) C2 channel and steals host, process and network metadata every 90 seconds.
Impact
- At least 27 organisations—12 in EMEA, 9 in APJ, 6 in NA—reported abnormal Cloudflare Tunnel traffic.
- Operators used RDP over SOCKS5 for lateral movement; in two cases they deployed AnyDesk 8.2.0 renamed svchost.exe.
- Data extortion notices were sent from ProtonMail addresses requesting 4 BTC within 72 hours, though encryption was not always deployed – a classic “double-extortion without ransomware” playbook.
Details
| Artefact | Value |
|---|---|
| Initial Lure | FileFix-Update-required.htm (MD5 c1b1eaf73ad3d8949382c619d3ddb328) |
| PHP RAT Hash | 99959c5141f62d4fbb60efdc05260b6e956651963d29c36845f435815062fd98 |
| Cloudflare Tunnel Host | intops-jl4c1s.trycloudflare.com |
| Registry Persistence | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\sysdiag → wscript //b %APPDATA%\sysdiag.vbs |
MITRE ATT&CK
- T1566.002: Spear-phishing Link
- T1204.002: Malicious File (HTML)
- T1048.003: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
- T1105: Ingress Tool Transfer
- T1071.004: DNS over HTTPS (Cloudflare Tunnel)
Takeaway for CISOs
- Block trycloudflare.com domains at egress and monitor for DoH tunnels.
- Educate users on FileFix-style lures that abuse clipboard content; disable clipboard pasting into File Explorer via GPO where feasible.
- FireCompass can emulate FileFix traffic and validate whether EDR policies detect PowerShell clipboard-pivot payloads.
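Both this campaign and the Wing FTP intrusions above tunnel C2 through trycloudflare.com and workers.dev sub-domains, so the egress control recommended here serves both write-ups. This added example (not code from the original post, Unit 42 or The DFIR Report) matches resolver query logs against those suffixes on DNS-label boundaries, so that look-alike names such as `nottrycloudflare.com` or `trycloudflare.com.attacker.example` do not trigger, and groups hits by querying host. The BIND-style log format of the constructed sample lines is an assumption; the tunnel hostname is the one listed in the artefact table above.

```python
import re
from collections import defaultdict

# Suffixes called out in the Wing FTP and Interlock write-ups above.
WATCHED_SUFFIXES = ("trycloudflare.com", "workers.dev")


def matches_watched(qname: str, suffixes=WATCHED_SUFFIXES):
    """Return the watched suffix that qname belongs to, or None.

    Matching is on DNS labels, so 'nottrycloudflare.com' and
    'trycloudflare.com.attacker.example' do not match.
    """
    name = qname.rstrip(".").lower()
    for suffix in suffixes:
        if name == suffix or name.endswith("." + suffix):
            return suffix
    return None


# Constructed resolver query-log lines in BIND style (format is an assumption).
SAMPLE_DNS_LOG = [
    "10-Jul-2025 18:40:01.101 client @0x7f1 10.20.30.40#51234 (intops-jl4c1s.trycloudflare.com): "
    "query: intops-jl4c1s.trycloudflare.com IN A +E(0) (192.0.2.1)",
    "10-Jul-2025 18:40:02.204 client @0x7f2 10.20.30.41#51235 (www.example.com): "
    "query: www.example.com IN A +E(0) (192.0.2.1)",
    "10-Jul-2025 18:40:03.307 client @0x7f3 10.20.30.40#51236 (nottrycloudflare.com): "
    "query: nottrycloudflare.com IN A +E(0) (192.0.2.1)",
    "10-Jul-2025 18:40:04.410 client @0x7f4 10.20.30.42#51237 (beacon.workers.dev): "
    "query: beacon.workers.dev IN A +E(0) (192.0.2.1)",
]

LINE_RX = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[\d.]+)#\d+.*?query: (?P<qname>\S+) IN"
)


def scan_dns_log(lines):
    """Group watched-suffix lookups by the querying host."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RX.search(line)
        if not m:
            continue
        if matches_watched(m["qname"]):
            hits[m["src"]].append(m["qname"].rstrip("."))
    return dict(hits)


if __name__ == "__main__":
    for src, names in scan_dns_log(SAMPLE_DNS_LOG).items():
        print(src, names)
```

trycloudflare.com quick tunnels have little legitimate use on a corporate network and can be blocked outright; workers.dev hosts real services, so treat those hits as alert-and-review with an allow-list of known-good sub-domains rather than a hard block. Hosts that resolve the watched names directly over DoH bypass the resolver log entirely, which is why the takeaway pairs this check with DoH monitoring.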
Outpace Attackers With AI-Based Automated Penetration Testing With FireCompass:
FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management