Home 
From 28 July to 4 August 2025, threat actors leveraged novel AI-assisted malware, zero-day chains against on-prem SharePoint, critical command-injection in CI/CD pipelines, and advanced social-engineering playbooks. Fourteen CVEs reached Critical severity, including two actively exploited zero-days. Dark-web chatter intensified around Medusa and BlackSuit takedown fallout, with ransomware affiliates trading victim data and custom tooling on underground forums.
>>Outpace Attackers With AI-Based Automated Penetration Testing
Emerging Hacking Techniques
- AI-Generated Polyglot Malware “Koske” for In-Memory Rootkits
Overview - Discovered 29 July. Linux cryptomining malware uses polyglot JPEG images embedding C rootkit code and shell-script payloads.
Explanation - Attackers upload two JPEG polyglots via misconfigured servers. One executes as a compiled .so rootkit in memory; the other drops a stealthy shell script for persistent cron-job installation.
Impact/Risk - Evades AV and EDR; undetectable fileless persistence.
Takeaway for CISO - Monitor JupyterLab and web-upload endpoints; restrict image-file mime types.
- QR-Abuse for FIDO Bypass (“PoisonSeed”)
Overview - Reported 31 July. QR based FIDO authentication bypass lures victims into scanning attacker-controlled QR which silently completes genuine FIDO challenge.
Explanation - Adversary crafts login session QR; victim’s authenticator signs; session hijacked. No key theft required.
Impact/Risk - Defeats hardware-based MFA; stealth capture of sessions.
Takeaway for CISO - Enforce explicit user consent flows; monitor anomalous FIDO challenge origins.
New Critical CVEs & Attack Campaigns
| CVE | Affected Component | Discovery Date | Technique | Impact/Risk | Takeaway for CISO |
| CVE-2025-53770 | Microsoft SharePoint ToolShell RCE | 7 Jul – 28 Jul | Unauthenticated ASP.NET web-shell injection | MachineKey theft; persistent access | Patch immediately; rotate MachineKeys; restart IIS |
| CVE-2025-54416 | tj-actions/branch-names GitHub Action | 30 Jul | Command-injection via unvalidated branch name | CI/CD compromise; arbitrary code exec | Block untrusted actions; enforce least privilege for Actions |
| CVE-2025-5394 | “Alone” WordPress Theme | 12 Jul – 31 Jul | Arbitrary plugin install; file upload RCE | Site takeover; backdoor deployment | Update theme; audit for rogue admin; scan admin-ajax requests |
| CVE-2025-31700 CVE-2025-31701 | Dahua ONVIF cameras | 30 Jul | Buffer-overflow in ONVIF/file-upload handlers | Remote root; device hijack | Apply firmware patch; segment camera networks; monitor ONVIF logs |
| CVE-2025-20281 | Cisco ISE root-escape zero-day | 28 Jul | Command-injection; Docker sandbox breakout | Unauthenticated root on ISE appliances | Update ISE; restrict API access; monitor exec calls |
Underground Intelligence & Ransomware Chatter
- BlackSuit Takedown Fallout
After U.S. HSI seized BlackSuit forums (24 Jul), affiliates migrated negotiations to “Chaos”-branded Tor nodes, trading new victim data sets and custom encryption tools. Screenshots circulated showing RSA-4096 double-encrypt negotiation panels. - Medusa Ransomware Data Exchanges
Leaked NASCAR staff maps and PII on “BreachForums” re-emergence (1 Aug). Affiliates offered “buy-back” decryption keys at 50% discount. Payload breakdown diagrams show multi-stage loader → C2 via Telegram bots. - Scattered Spider ESXi Attacks
27 Jul-2 Aug saw VMware ESXi targeted by phone-based help-desk social engineering → over 30 hypervisor encryptions. Mandiant flow diagrams depict lateral move from management console to datastore encryption.
Outpace Attackers With AI-Based Automate Penetration Testing With FireCompass:
FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management
