Major Incidents or Breaches

  • The FBI has seized all domains associated with BreachForums, operated by the ShinyHunters group, which was used as a portal for leaking corporate data obtained through ransomware and extortion attacks, including recent Salesforce-related incidents. Despite the takedown, ShinyHunters continues to issue extortion threats against Salesforce victims.
  • Two AI companion applications exposed millions of private chat records from over 400,000 users due to inadequate security controls.
  • A critical zero-day vulnerability (CVE-2025-11371) in Gladinet CentreStack and TrioFox file sharing products is being actively exploited in the wild, allowing unauthenticated local attackers to access system files.
  • Sophisticated malware has been deployed in Oracle E-Business Suite (EBS) zero-day attacks, with exploitation believed to have started as early as July 10 and affecting dozens of organizations.
  • A large-scale DDoS attack was launched by the Aisuru botnet, leveraging compromised IoT devices hosted on major US ISPs.
  • Microsoft has observed a threat actor, Storm-2657, hijacking HR SaaS accounts to divert employee salary payments to attacker-controlled accounts; US universities have been specifically targeted in these payroll diversion attacks.

Newly Discovered Vulnerabilities

  • Fortra disclosed details of active exploitation of CVE-2025-10035, a critical vulnerability in GoAnywhere Managed File Transfer (MFT).
  • 13 unpatched vulnerabilities in Ivanti Endpoint Manager have been publicly released by the Zero Day Initiative (ZDI), permitting remote code execution and privilege escalation.
  • Juniper Networks released patches for over 200 vulnerabilities in Junos Space and Junos Space Security Director, including nine critical-severity flaws.
  • 175 malicious npm packages, collectively downloaded over 26,000 times, have been used in a credential phishing campaign.
  • Security researchers have detailed an active Stealit malware campaign abusing the Node.js Single Executable Application (SEA) feature, distributed via game and VPN installers.

Notable Threat Actor Activity

  • North Korean threat actors have expanded their fraudulent remote employment schemes to target nearly every industry hiring remote workers, including architectural design roles, using fake identities and documentation.
  • Chinese APT group Storm-2603 is abusing the Velociraptor digital forensics and incident response (DFIR) tool to gain persistent access to victim networks and facilitate ransomware deployment.
  • A coordinated campaign has been identified targeting Cisco, Fortinet, and Palo Alto Networks devices, with attacks originating from shared infrastructure.
  • The RondoDox botnet employs a “shotgun” approach, using more than 50 exploits against unpatched routers, DVRs, NVRs, CCTV systems, servers, and other network devices globally.

Trends, Tools, or Tactics of Interest

  • AI-generated deepfakes are proliferating, with OpenAI releasing an updated AI video and audio generation system, raising concerns about the acceleration and accessibility of deepfake creation.
  • The security industry is experiencing inadequate investment in deepfake detection, despite high organizational awareness and frequent encounters with AI-augmented threats.
  • Security Operations Centres (SOCs) are increasingly integrating AI-powered agents, with projections indicating significant transformation in SOC workflows by 2026.
  • Microsoft has added agentic AI capabilities to its Sentinel platform, previewing new security graph and MCP server features.
  • Attackers are leveraging malicious npm packages and abusing legitimate software features (e.g., Node.js SEA) to distribute malware and harvest credentials.
  • 1Password addressed a critical security gap in its AI browser agent, which posed risks of credential leakage.
  • Timely patch management is highlighted as a key defense against escalating ransomware attacks on manufacturing and industrial control system (ICS) environments.

Regulatory or Policy Developments Affecting the Security Industry

  • Apple has expanded its bug bounty program, doubling the maximum payout to $2 million for zero-click remote code execution vulnerabilities, with potential bonuses raising the maximum to $5 million. The program now includes new research categories and a more transparent reward structure.
  • Microsoft reminded users that Windows 11 23H2 Home and Pro editions will reach end of support in 30 days, after which security updates will cease.
  • Google Chrome will automatically revoke notification permissions for inactive websites to reduce user alert fatigue.
  • Apple voiced concerns over proposed age-verification laws, warning that increased data collection for compliance could heighten user privacy risks.
  • NIST is revising password guidance, indicating that excessively complex password requirements may no longer be necessary.