![\"\"](\"https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgld-sO-XyZHRo3psrP6P1m_VUToVZHdgMiEAfa81ScPVDD58DbkGHlCwlYTQ97sRtder0i_4GeqXty0CIvdR3ldULN5ngcWQCxFA0K9o-g0oc0KdyVW6Y1YoKM_DYxK2lNFjXnwslAM9VVx-9FIF26eoahxFbRfNCcza0NYf4V2Di83gO2HxT1fHgQTN8_/s728-rw-e365/recap.jpg\")
Malicious software is no longer just hiding—it’s trying to blend in. We’re now seeing code that mimics human behavior, logs activities like a team player, and even documents itself as if it were a helpful tool. Some threats now resemble developer tools more than traditional exploits. Others gain trust from open-source platforms or quietly construct themselves using AI-generated snippets. It’s not just about being malicious—it’s about being convincing.
In this week’s cybersecurity recap, we delve into how modern threats are becoming more social, more automated, and too sophisticated for traditional defense mechanisms to catch.
⚡ Threat of the Week
Secret Blizzard Conduct ISP-Level AitM Attacks to Deploy ApolloShadow — Russian cyberspies are leveraging local internet service providers’ networks to target foreign embassies in Moscow and likely gather intelligence from diplomats’ devices. The activity has been linked to the Russian advanced persistent threat (APT) known as Secret Blizzard (aka Turla). It likely involves utilizing an adversary-in-the-middle (AiTM) position within domestic telecom companies and ISPs that diplomats use for internet access to push a piece of malware called ApolloShadow. This suggests that the ISP may be cooperating with the threat actor to facilitate the attacks using the System for Operative Investigative activities (SORM) systems. Microsoft declined to disclose how many organizations were targeted or successfully infected in this campaign.
🔔 Top News
- Companies that Employed Hafnium Hackers Linked to Over a Dozen Patents — Threat actors linked to the notorious Hafnium hacking group have worked for companies that registered several patents for highly intrusive forensics and data collection technologies. The findings highlight China’s diverse private sector offensive ecosystem and an underlying problem with mapping tradecraft to a specific cluster, which may not accurately reflect the true organizational structure of the attackers. The fact that the threat actors have been attributed to three different companies shows that multiple companies may be working in tandem to conduct the intrusions and those companies may be providing their tools to other actors, leading to incomplete or misleading attribution. It’s currently not known how the threat actors came to possess the Microsoft Exchange Server flaws that were used to target various entities in a widespread campaign in early 2021. But their close relationship with the Shanghai State Security Bureau (SSSB) has raised the possibility that the bureau may have obtained access to information about the zero-days through some evidence collection method and passed it on to the attackers. The discovery also highlights another important aspect: China-based Advanced Persistent Threats (APTs) may actually consist of different companies that serve many clients owing to the contracting ecosystem, which forces these companies to collaborate on intrusions. In June 2025, Recorded Future revealed that a Chinese state-owned defense research institute filed a patent in late December 2024 that analyzes various kinds of intelligence, including OSINT, HUMINT, SIGINT, GEOINT, and TECHINT, to train a military-specific large language model in order to “support every phase of the intelligence cycle and improve decision-making during military operations.”
- Likely 0-Day SonicWall SSL VPN Flaw Used in Akira Ransomware Attacks — SonicWall SSL VPN devices have become the target of Akira ransomware attacks as part of a newfound surge in activity observed in late July 2025. Arctic Wolf Labs said that the attacks could be exploiting an as-yet-undetermined security flaw in the appliances, meaning a zero-day vulnerability, given that some of the incidents affected fully-patched SonicWall devices. However, the possibility of credential-based attacks for initial access hasn’t been ruled out. The development came as watchTowr Labs detailed multiple vulnerabilities in SonicWall SMA 100 Series appliances (CVE-2025-40596, CVE-2025-40597, and CVE-2025-40598) that an attacker could exploit to cause denial-of-service or code execution. “We stumbled across vulnerabilities that feel like they were preserved in amber from a more naïve era of C programming,” security researcher Sina Kheirkhah said. “While we understand (and agree) that these vulnerabilities are ultimately difficult – or in some cases, currently not exploitable – the fact that they exist at all is, frankly, disappointing. Pre-auth stack and heap overflows triggered by malformed HTTP headers aren’t supposed to happen anymore.”
- UNC2891 Breaches ATM Network via 4G Raspberry Pi in Cyber-Physical Attack — The threat actor known as UNC2891 has been observed targeting Automatic Teller Machine (ATM) infrastructure using a 4G-equipped Raspberry Pi as part of a covert attack. The cyber-physical attack involved the adversary leveraging their physical access to install the Raspberry Pi device and have it connected directly to the same network switch as the ATM, effectively placing it within the target bank’s network. The end goal of the infection was to deploy the CAKETAP rootkit on the ATM switching server and facilitate fraudulent ATM cash withdrawals. UNC2891 is assessed to share tactical overlaps with another threat actor called UNC1945 (aka LightBasin), which was previously identified compromising managed service providers and striking targets within the financial and professional consulting industries. UNC1945 is also known for its attacks aimed at the telecom sector.
- Active Exploitation of Alone WordPress Theme Flaw — Threat actors are actively exploiting a critical security flaw in “Alone – Charity Multipurpose Non-profit WordPress Theme” to take over susceptible sites. The vulnerability, tracked as CVE-2025-5394 (CVSS score: 9.8), is an arbitrary file upload affecting all versions of the plugin prior to and including 7.8.3. It has been fixed in version 7.8.5 released on June 16, 2025. In the observed attacks, the flaw is averaged to upload a ZIP archive containing a PHP-based backdoor to execute remote commands and upload additional files. Alternatively, the flaw has also been weaponized to deliver fully-featured file managers and backdoors capable of creating rogue administrator accounts.
- Multiple Flaws Patched in AI Code Editor Cursor — Several security vulnerabilities have been addressed in Cursor, including one high-severity bug (CVE-2025-54135 aka CurXecute) that could result in remote code execution (RCE) when processing external content from a third-party model context protocol (MCP) server. “If chained with a separate prompt injection vulnerability, this could allow the writing of sensitive MCP files on the host by the agent,” Cursor said. “This can then be used to directly execute code by adding it as a new MCP server.” Also addressed in Cursor version 1.3 is CVE-2025-54136 (CVSS score of 7.2), which could have allowed attackers to swap harmless MCP configuration files for a malicious command, without triggering a warning. “If an attacker has write permissions on a user’s active branches of a source repository that contains existing MCP servers the user has previously approved, or an attacker has arbitrary file-write locally, the attacker can achieve arbitrary code execution,” the company said.
️🔥 Trending CVEs
Hackers are quick to jump on newly discovered software flaws – sometimes within hours. Whether it’s a missed update or a hidden bug, even one unpatched CVE can open the door to serious damage. Below are this week’s high-risk vulnerabilities making waves. Review the list, patch fast, and stay a step ahead.
This week’s list includes — CVE-2025-7340, CVE-2025-7341, CVE-2025-7360 (HT Contact Form plugin), CVE-2025-54782 (@nestjs/devtools-integration), CVE-2025-54418 (CodeIgniter4), CVE‑2025‑4421, CVE‑2025‑4422, CVE‑2025‑4423, CVE‑2025‑4424, CVE‑2025‑4425, CVE‑2025‑4426 (Lenovo), CVE-2025-6982 (TP-Link Archer C50), CVE-2025-2297 (BeyondTrust Privilege Management for Windows), CVE-2025-5394 (Alone theme), CVE-2025-2523 (Honeywell Experion PKS), CVE-2025-54576 (OAuth2-Proxy), CVE-2025-46811 (SUSE), CVE-2025-6076, CVE-2025-6077, and CVE-2025-6078 (Partner Software).
📰 Around the Cyber World
- Critical RCE in @nestjs/devtools-integration — A critical remote code execution flaw (CVE-2025-54782, CVSS score: 9.4) has been uncovered in @nestjs/devtools-integration, a NestJS npm package downloaded over 56,000 times per week. The package sets up a local development server with an endpoint that executes arbitrary code inside a JavaScript “sandbox” built with node:vm module and the now-abandoned safe-eval, ultimately allowing for execution of untrusted user code in a sandboxed environment, Socket said. Further analysis has found that the sandbox is trivially escapable and because the server is accessible on localhost, any malicious website can trigger code execution on a developer’s machine via CSRF using the inspector/graph/interact endpoint. “Due to improper sandboxing and missing cross-origin protections, any malicious website visited by a developer can execute arbitrary code on their local machine,” Nestjs maintainer Kamil Mysliwiec said in an advisory. “By chaining these issues, a malicious website can trigger the vulnerable endpoint and achieve arbitrary code execution on a developer’s machine running the NestJS devtools integration.”
- Attackers Exploit Compromised Email Accounts for Attacks — Threat actors are increasingly using compromised internal or trusted business partner email accounts to send malicious emails to obtain initial access. “Using a legitimate trusted account affords an attacker numerous advantages, such as potentially bypassing an organization’s security controls as well as appearing more trustworthy to the recipient,” Talos said. The disclosure comes as bad actors are also continuing to exploit Microsoft 365’s Direct Send feature to deliver phishing emails that appear to originate from within the organization by using a spoofed internal From address and increases the likelihood of success of social engineering attacks. The messages are injected into Microsoft 365 tenants via unsecured third-party email security appliances used as SMTP relays. “This tactic allows attackers to send malicious payloads to Microsoft 365 users with increased credibility, often resulting in successful delivery despite failed authentication checks,” Proofpoint said.
- <
