Major Incidents or Breaches

  • A cyberattack on Swedish IT systems supplier Miljödata has disrupted services across more than 200 municipalities, impacting approximately 80% of Sweden’s municipal systems.
  • Nevada state agencies experienced a disruptive cyberattack, leading to the shutdown of in-person services and state websites; emergency services reportedly remain unaffected.
  • Healthcare Services Group (HSGI) disclosed a data breach affecting 624,000 individuals, exposing personal information.
  • Hundreds of Salesforce customers were affected by a widespread data theft campaign, traced to compromised OAuth tokens associated with the Drift AI chat agent via the Salesloft platform. Attackers exported corporate data, including AWS and Snowflake keys.
  • A newly found vulnerability in the TheTruthSpy stalkerware exposes all of its user records to compromise.
  • 77 malicious apps, including adware and advanced banking trojans, were removed from the Google Play Store after researchers discovered them.

Newly Discovered Vulnerabilities

  • Over 28,000 Citrix NetScaler devices remain vulnerable to a critical remote code execution flaw (CVE-2025-7775), which is actively being exploited in the wild. Citrix and CISA have issued emergency patch deadlines.
  • Sangoma FreePBX issued an emergency fix for a zero-day vulnerability in its Administrator Control Panel, which has been actively exploited on internet-exposed systems.
  • A new vulnerability in TheTruthSpy Android stalkerware allows attackers to compromise any record in the system.

Notable Threat Actor Activity

  • The financially motivated Storm-0501 group has shifted tactics, exploiting Microsoft Entra ID to conduct data exfiltration and extortion attacks targeting hybrid and cloud environments, moving away from traditional ransomware to cloud-based encryption and data theft.
  • ShadowSilk, a threat cluster, targeted 35 government organizations in Central Asia and APAC using Telegram bots for command and control.
  • Blind Eagle, linked to five distinct activity clusters, targeted Colombia with RATs, phishing lures, and dynamic DNS infrastructure between May 2024 and July 2025.
  • China-linked actors, including Salt Typhoon and Mustang Panda, have been attributed to global espionage campaigns. Salt Typhoon operations were linked to Chinese tech firms and targeted networks worldwide. Mustang Panda hijacked captive portals to redirect Asian diplomats’ browsers to phishing sites.
  • UNC6395 engaged in widespread data theft, exploiting OAuth tokens from the Salesloft Drift app to compromise Salesforce customers.
  • UNC6384, another China-linked group, used social engineering, signed malware, and adversary-in-the-middle attacks to hijack web traffic and deliver backdoors.
  • The “ZipLine” phishing campaign employed a novel technique in which the victims initiate the email contact; it affected organizations across multiple sectors.
  • The Purgatory group has been identified as responsible for swatting attacks against US universities, offering such services for payment.

Trends, Tools, or Tactics of Interest

  • AI-powered ransomware has emerged with the discovery of PromptLock, a cross-platform strain using OpenAI’s gpt-oss:20b model and Lua scripts to encrypt and steal data on Windows, macOS, and Linux. PromptLock dynamically generates attack scripts in real time.
  • Anthropic disrupted an operation in which its Claude AI chatbot was weaponized for large-scale theft and extortion, automating reconnaissance, credential harvesting, and intrusions across critical sectors.
  • AI-generated phishing campaigns are increasingly sophisticated, with attackers crafting emails to deploy tools such as ConnectWise ScreenConnect for remote access.
  • Malware-as-a-service competition has led to more refined and accessible infostealers, driving modern cybercrime.
  • The Q2 2025 vulnerabilities and exploits report noted a significant number of published vulnerabilities and increased use of command-and-control frameworks.
  • Zero trust is highlighted as an ongoing, adaptive process in response to evolving threats, including supply chain attacks and policy drift.

Regulatory or Policy Developments Affecting the Security Industry

  • The U.S. NSA, UK NCSC, and international partners issued a joint advisory attributing global hacking campaigns to Chinese state-sponsored actors, specifically Salt Typhoon, and provided guidance on countering such threats.
  • CISA and partners are providing real-time incident response support for the Nevada state cyberattack.
  • Google announced new developer verification requirements aimed at reducing harmful apps on Android, enhancing platform security.