NCSA Webboard
    Cyber Threat Intelligence 28 July 2025

    Cyber Security News
    Posted by NCSA_THAICERT

      Vulnerabilities

      • Post SMTP Plugin Flaw Exposes 200K WordPress Sites To Hijacking Attacks
        "More than 200,000 WordPress websites are using a vulnerable version of the Post SMTP plugin that allows hackers to take control of the administrator account. Post SMTP is a popular email delivery plugin for WordPress that counts more than 400,000 active installations. It’s marketed as a replacement of the default ‘wp_mail()’ function that is more reliable and feature-rich. On May 23, a security researcher reported the vulnerability to WordPress security firm PatchStack. The flaw is now identified as CVE-2025-24000 and received a medium severity score of 8.8."
        https://www.bleepingcomputer.com/news/security/post-smtp-plugin-flaw-exposes-200k-wordpress-sites-to-hijacking-attacks/

      Malware

      • Rogue CAPTCHAs: Look Out For Phony Verification Pages Spreading Malware
        "Bots have got a lot to answer for. They now make up over half of all internet traffic, and while some, such as Google’s web crawlers and fetchers, have legitimate purposes, nearly two-fifths are considered malicious. Their power can be harnessed for everything from posting inflammatory social media posts to launching distributed denial-of-service attacks and hijacking online accounts using, for example, previously breached passwords."
        https://www.welivesecurity.com/en/cybersecurity/rogue-captchas-look-out-phony-verification-pages-spreading-malware/
      • In-Depth Analysis Of An Obfuscated Web Shell Script
        "This analysis is a follow-up to the investigation titled ‘Intrusion into Middle East Critical National Infrastructure’ (full report here), conducted by the FortiGuard Incident Response Team (FGIR), which investigated a long-term cyber intrusion targeting critical national infrastructure (CNI) in the Middle East. The report revealed that threat actors had installed numerous web shell servers on the compromised system. In this follow-up, we conducted a deep analysis of one of these web shell servers, named UpdateChecker.aspx, which was deployed on the Microsoft IIS (Internet Information Services) server of the compromised system."
        https://www.fortinet.com/blog/threat-research/in-depth-analysis-of-an-obfuscated-web-shell-script
      • Inside The ToolShell Campaign
        "FortiGuard Labs is currently tracking multiple threat actors targeting on-premises Microsoft SharePoint servers. This attack leverages a newly identified exploit chain dubbed "ToolShell." Threat actors are combining two previously patched vulnerabilities (CVE-2025-49704 and CVE-2025-49706) with two fresh, zero-day variants (CVE-2025-53770 and CVE-2025-53771) to achieve remote code execution. Given the escalating threat, CISA has already added these CVEs to its catalog of Known Exploited Vulnerabilities, and FortiGuard Labs has issued a detailed Threat Signal. Except for the known attack using “spinstall0.aspx”, exploitation in the wild is accelerating, and this blog post will delve into real-world incidents from this ongoing wave of attacks."
        https://www.fortinet.com/blog/threat-research/inside-the-toolshell-campaign
      • ToolShell: a Story Of Five Vulnerabilities In Microsoft SharePoint
        "On July 19–20, 2025, various security companies and national CERTs published alerts about active exploitation of on-premise SharePoint servers. According to the reports, observed attacks did not require authentication, allowed attackers to gain full control over the infected servers, and were performed using an exploit chain of two vulnerabilities: CVE-2025-49704 and CVE-2025-49706, publicly named “ToolShell”. Additionally, on the same dates, Microsoft released out-of-band security patches for the vulnerabilities CVE-2025-53770 and CVE-2025-53771, aimed at addressing the security bypasses of previously issued fixes for CVE-2025-49704 and CVE-2025-49706. The release of the new, “proper” updates has caused confusion about exactly which vulnerabilities attackers are exploiting and whether they are using zero-day exploits."
        https://securelist.com/toolshell-explained/117045/
      • Watch Out: Instagram Users Targeted In Novel Phishing Campaign
        "A phishing campaign targeting Instagram users is doing the rounds. There are plenty of those around, but when we took a look at this particular email, it seemed a bit different to the normal phishing emails that point to scammy websites. The email looked like this, which is very similar to the one Instagram sends if it wants you to confirm your identity:"
        https://www.malwarebytes.com/blog/news/2025/07/watch-out-instagram-users-targeted-in-novel-phishing-campaign
      • Safepay: Email Bombs, Phone Scams, And Really Big Ransoms
        "When it comes to choosing a brand name, “SafePay” must be among the most boring of choices. It sounds more like a payment app than an organized crime group. There are no dragons or bugs or heads full of snakes, but the group behind the brand is skilled and ruthless. SafePay has been making a name for itself with strong encryption, data exfiltration and big ransom demands from a fast-growing list of victims. SafePay ransomware was first observed in October 2024, and later confirmed to have been active at least one month earlier. By the end of the first quarter of 2025, SafePay claimed over 200 victims, including managed service providers (MSPs) and small-to-midsize businesses (SMBs) across multiple sectors. The group has been relentless, claiming between 58-70 victims in May 2025, making it the most active ransomware group that month."
        https://blog.barracuda.com/2025/07/25/safepay--email-bombs--phone-scams--and-really-big-ransoms
      • Dropping Elephant APT Group Targets Turkish Defense Industry With New Campaign And Capabilities: LOLBAS, VLC Player, And Encrypted Shellcode
        "The Arctic Wolf® Labs team has identified a new campaign by cyber-espionage group Dropping Elephant targeting Turkish defense contractors, specifically a manufacturer of precision-guided missile systems. The campaign employs a five-stage execution chain delivered via malicious LNK files disguised as conference invitations sent to targets interested in learning more about unmanned vehicle systems. The attack leverages legitimate binaries (VLC Media Player and Microsoft Task Scheduler) for defense evasion through DLL side-loading techniques. This represents a significant evolution of this threat actor’s capabilities, transitioning from the x64 DLL variants observed in November 2024, to the current x86 PE executables with enhanced command structures."
        https://arcticwolf.com/resources/blog/dropping-elephant-apt-group-targets-turkish-defense-industry/
        https://thehackernews.com/2025/07/patchwork-targets-turkish-defense-firms.html
      • Operation CargoTalon: UNG0901 Targets Russian Aerospace & Defense Sector Using EAGLET Implant
        "SEQRITE Labs APT-Team has recently found a campaign, which has been targeting Russian Aerospace Industry. The campaign is aimed at targeting employees of Voronezh Aircraft Production Association (VASO), one of the major aircraft production entities in Russia, using товарно-транспортная накладная (TTN) documents — critical to Russian logistics operations. The entire malware ecosystem involved in this campaign is based on usage of a malicious LNK file and the EAGLET DLL implant, further executing malicious commands and exfiltration of data. In this blog, we will explore the technical details of the campaign we encountered during our analysis. We will examine the various stages of this campaign, starting from a deep dive into the initial infection chain to the implant used in this campaign, ending with a final overview covering the campaign."
        https://www.seqrite.com/blog/operation-cargotalon-ung0901-targets-russian-aerospace-defense-sector-using-eaglet-implant/
        https://thehackernews.com/2025/07/cyber-espionage-campaign-hits-russian.html
        https://securityaffairs.com/180378/intelligence/operation-cargotalon-targets-russias-aerospace-with-eaglet-malware.html
      • The Ηоmоgraph Illusion: Not Everything Is As It Seems
        "Since the creation of the internet, email attacks have been the predominant attack vector for spreading malware and gaining initial access to systems and endpoints. One example of an effective email compromise technique is a homograph attack. Attackers use this content manipulation tactic to evade content analysis and trick users by replacing Latin characters with similar-looking characters from other Unicode blocks. This article provides rare insights into real homograph attacks, and demonstrates the full chain of events that can potentially lead to exploitation of targets. We outline three cases that we detected in the wild. In each scenario, threat actors used homograph attacks in different contexts within email messages, to avoid natural language detections and reach target inboxes."
        https://unit42.paloaltonetworks.com/homograph-attacks/
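        The homograph item above describes attackers swapping Latin letters for look-alike characters from other Unicode blocks so that keyword and natural-language filters miss the lure. The following detector is an added illustration written for this digest; it is not code from Unit 42, NCSA or ETDA. It flags any word that mixes scripts (for example Latin plus Cyrillic), derives the script of each letter from its Unicode character name, and folds a small hand-picked subset of confusables back onto ASCII so a filter can match the "skeleton" of the word. The sample subject lines are constructed for the demo; the confusables table is deliberately partial and is not the full Unicode confusables list.

```python
"""Mixed-script (homograph) detector for email subject and body text.

Added example for the homograph item in this digest, not vendor code.
SAMPLE_SUBJECTS and CONFUSABLES below are constructed / hand-picked.
"""
import re
import unicodedata
from typing import Dict, List, Optional

# Hand-picked subset of Unicode confusables -> Latin look-alike (assumption:
# a real deployment would load the full Unicode confusables.txt instead).
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0443": "y",  # Cyrillic small u
    "\u0445": "x",  # Cyrillic small ha
    "\u0456": "i",  # Cyrillic small byelorussian-ukrainian i
    "\u0455": "s",  # Cyrillic small dze
    "\u0397": "H",  # Greek capital eta
    "\u039f": "O",  # Greek capital omicron
    "\u03bf": "o",  # Greek small omicron
    "\u03a1": "P",  # Greek capital rho
}

WORD_RE = re.compile(r"\w+")  # \w is Unicode-aware for str patterns in Python 3


def script_of(ch: str) -> Optional[str]:
    """Script of an alphabetic character, taken from its Unicode name
    ('LATIN SMALL LETTER A' -> 'LATIN'); None for digits/punctuation."""
    if not ch.isalpha():
        return None
    try:
        return unicodedata.name(ch).split(" ")[0]
    except ValueError:  # unnamed code point
        return None


def skeleton(text: str) -> str:
    """Fold known confusables onto Latin, then NFKC-normalize, so that a
    keyword filter sees 'Microsoft' even when the o's were Cyrillic."""
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    return unicodedata.normalize("NFKC", folded)


def mixed_script_words(text: str) -> List[Dict]:
    """Return one finding per word whose letters come from more than one
    script. A word entirely in one non-Latin script (e.g. a Russian
    subject line) is legitimate and is NOT flagged."""
    findings = []
    for match in WORD_RE.finditer(text):
        word = match.group(0)
        scripts = {s for s in (script_of(c) for c in word) if s}
        if len(scripts) > 1:
            findings.append({
                "word": word,
                "scripts": sorted(scripts),
                "skeleton": skeleton(word),
            })
    return findings


def is_suspicious(text: str) -> bool:
    """Verdict helper: any mixed-script word is enough to route the
    message for closer inspection (tune to your false-positive budget)."""
    return bool(mixed_script_words(text))


# Constructed sample subjects (not real campaign data).
SAMPLE_SUBJECTS = [
    "Your Microsoft account password expires today",                  # clean
    "Your Micr\u043es\u043eft acc\u043eunt passw\u043erd expires today",  # Cyrillic o
    "Счет на оплату от поставщика",                                    # all Cyrillic, legit
    "\u03a1ayment \u0440equired for invoice 4471",                      # Greek rho, Cyrillic er
]

if __name__ == "__main__":
    for subject in SAMPLE_SUBJECTS:
        for hit in mixed_script_words(subject):
            print(f"{subject!r}: {hit['word']!r} mixes {hit['scripts']} -> {hit['skeleton']!r}")
```

        Run it over a mailbox export or a mail-gateway subject log and feed the `skeleton` value, not the raw word, to your keyword rules; the script-mixing test is cheap and catches substitutions the partial confusables table does not know about, while the skeleton recovers the brand name the attacker was hiding. Expect some noise from product names that legitimately mix scripts, so treat a hit as a triage signal rather than a block.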

      Breaches/Hacks/Leaks

      • NASCAR Confirms Medusa Ransomware Breach After $4M Demand
        "In April 2025, Hackread.com exclusively reported that the Medusa ransomware group had claimed responsibility for breaching the National Association for Stock Car Auto Racing (NASCAR) and was demanding a $4 million ransom. NASCAR has now confirmed that its systems were indeed compromised, validating Hackread.com’s earlier reporting."
        https://hackread.com/nascar-ransomware-confirm-medusa-ransomware-data-breach/
        https://therecord.media/nascar-confirms-data-breach
      • Advisor To Brit Tech Contractors Qdos Confirms Client Data Leak
        "Business insurance and employment status specialist Qdos has confirmed that an intruder has stolen some customers' personal data, according to a communication to tech contractors that was seen by The Register. Qdos yesterday emailed clients on its database to confirm a "recent data security incident affecting one of our web applications: mygoqdos.com, that may have involved data relating to you and your business." It says it was alerted to the issue on June 19 and launched a probe with the help of a third-party cyber security expert."
        https://www.theregister.com/2025/07/25/ir35_advisor_qdos_confirms_data_breach/
      • Allianz Life Confirms Data Breach Impacts Majority Of 1.4 Million Customers
        "Insurance company Allianz Life has confirmed that the personal information for the "majority" of its 1.4 million customers was exposed in a data breach that occurred earlier this month. "On July 16, 2025, a malicious threat actor gained access to a third-party, cloud-based CRM system used by Allianz Life Insurance Company of North America (Allianz Life)," an Allianz Life spokesperson told BleepingComputer. "The threat actor was able to obtain personally identifiable data related to the majority of Allianz Life's customers, financial professionals, and select Allianz Life employees, using a social engineering technique.""
        https://www.bleepingcomputer.com/news/security/allianz-life-confirms-data-breach-impacts-majority-of-14-million-customers/
        https://securityaffairs.com/180445/data-breach/allianz-life-data-breach-exposed-the-data-of-most-of-its-1-4m-customers.html

      General News

      • US Targets North Korea’s Illicit Funds: $15M Rewards Offered As American Woman Jailed In IT Worker Scam
        "An Arizona woman was sentenced to prison for her role in a North Korean fake IT worker scheme that hit more than 300 companies and generated over $17 million in illicit revenue. The woman, Christina Marie Chapman, 50, of Litchfield Park, was charged in May last year with running a laptop farm to help North Koreans hide their location. She pleaded guilty in February 2025. According to court documents, between October 2020 and October 2023, she helped North Korean IT workers obtain employment at US companies using the stolen identities of Americans, and received and hosted laptops from the targeted companies at her home."
        https://www.securityweek.com/us-targets-north-koreas-illicit-funds-15m-rewards-offered-as-american-woman-jailed-in-it-worker-scam/
        https://www.theregister.com/2025/07/24/laptop_farmer_north_korean_it_scam_sentenced/
        https://www.bleepingcomputer.com/news/security/us-woman-sentenced-to-8-years-in-prison-for-running-laptop-farm-helping-north-koreans-infiltrate-300-firms/
        https://www.darkreading.com/remote-workforce/north-korea-it-worker-rampage-doj
        https://thehackernews.com/2025/07/us-sanctions-firm-behind-n-korean-it.html
        https://therecord.media/arizona-woman-sentenced-north-korean-laptop-farm
        https://cyberscoop.com/state-department-reward-north-korea-it-worker-scheme/
        https://securityaffairs.com/180398/intelligence/arizona-woman-sentenced-for-aiding-north-korea-in-u-s-it-job-fraud-scheme.html
        https://hackread.com/arizona-woman-jailed-help-north-korea-it-job-scam/
      • Cyber Career Opportunities: Weighing Certifications Vs. Degrees
        "Welcome to Dark Reading's "Career Conversations with a CISO" video series, showcasing advice on breaking into and advancing within the cybersecurity field from those who have been there. In this conversation with Dark Reading Associate Editor Kristina Beek, longtime CISO Melina Scotto shares her journey from aspiring opera singer to cybersecurity leader, having served as a top security head for federal contractors and Fortune 500 companies. Throughout her 30-year career, she witnessed cybersecurity transform from basic border protection to a comprehensive approach addressing lateral movement, AI-enabled threats, the cloud, and a range of different critical business risks that place cyber at the core of any successful enterprise."
        https://www.darkreading.com/cybersecurity-operations/cyber-career-opportunities-certifications-degrees
      • Why Security Nudges Took Off
        "The appeal of nudging — that is, guiding users in the right direction — is clear: It meets users where they are. A timely reminder before accessing sensitive data, a pop-up when risky behavior is detected, a contextual security tip at login, a security issue about to reach its remediation deadline — these are all common examples. Done well, nudges can improve security awareness and encourage better behavior without blocking productivity. They offer a more human-centered alternative to strict enforcement or reactive controls."
        https://www.darkreading.com/cybersecurity-operations/why-security-nudges-took-off
      • The Young And The Restless: Young Cybercriminals Raise Concerns
        "Cybercriminal groups are attracting a significant number of tech-savvy minors, lured by money, a sense of community, or scoring online fame with little concern for the risks of prosecution, government and private-sector experts warn. In a July 23 alert, the FBI's Internet Crime Complaint Center (IC3) noted that one growing group, Hacker Com, has attracted a wide variety of English-speaking minors to "a broad community of technically sophisticated cyber criminals." In early July, the UK's National Crime Agency (NCA) arrested four people — a 20-year-old woman, two 19-year-old males, and a 17-year-old male — in connection with the cyberattacks against and disruption of two retailers, Marks & Spencer and the Co-op."
        https://www.darkreading.com/cyber-risk/young-cybercriminals-raise-concerns
      • Can Security Culture Be Taught? AWS Says Yes
        "Too many organizations lack what experts describe as a "strong security culture," which leaves them extremely vulnerable to repeated attacks and unacceptable risks. But can a security culture be built from scratch? Security culture is broadly defined as an organization's shared strategies, policies, and perspectives that serve as the foundation for its enterprise security program. For many years, infosec leaders have preached the importance of a strong culture and how it cannot only strengthen the organization's security posture but also spur increases in productivity and profitability."
        https://www.darkreading.com/cybersecurity-operations/can-security-culture-be-taught-aws-says-yes
      • Predictive AI: The “Quiet Catalyst” Behind The Future Of Cybersecurity
        "Patterned, predictive, and purposeful – the future of cybersecurity that Group-IB is helping envision and build. New and evolving cyberattacks are forcing us to move away from being random and reactive in our cyber defenses. Soon, traditional defenses won’t cut it anymore. The shift toward predictive analytics marks a critical change: one where cyber defense becomes intentional, intelligence-led, and always a step ahead. But what exactly is predictive analytics in cybersecurity? And how does it power new-age defenses?"
        https://www.group-ib.com/blog/predictive-ai/
      • BreachForums Resurfaces On Original Dark Web (.onion) Address
        "The notorious cybercrime and hacker platform BreachForums has mysteriously resurfaced on its original dark web .onion domain. The site appears to be fully restored, including its infrastructure, user-leaked databases, official breach listings and forum posts. For your information, in early April 2025, both the clearnet and dark web domains of BreachForums went offline without explanation. Members speculated about possible law enforcement action or a forum seizure."
        https://hackread.com/breachforums-resurface-original-dark-web-onion-address/
      • Digital Sovereignty Becomes a Matter Of Resilience For Europe
        "In this Help Net Security interview, Benjamin Schilz, CEO of Wire, discusses Europe’s push for digital sovereignty through initiatives like Gaia-X and the EU AI Act. As the continent redefines its technological future, the focus shifts from regulation to building resilient, European-owned digital infrastructure. Schilz also discusses how open-source and decentralized technologies are key to securing Europe’s strategic autonomy."
        https://www.helpnetsecurity.com/2025/07/25/benjamin-schilz-wire-european-digital-sovereignty/
      • What 50 Companies Got Wrong About Cloud Identity Security
        "Most organizations still miss basic identity security controls in the cloud, leaving them exposed to breaches, audit failures, and compliance violations. A new midyear benchmark from Unosecur found that nearly every company scanned had at least one high-risk issue, with an average of 40 control failures per organization. The report analyzed diagnostic scan data from 50 enterprises across industries and regions between January and June 2025. Unlike survey-based studies, the findings are based on direct control checks aligned with standards like ISO 27001/27002, PCI DSS, and SOC 2. The goal: provide a reproducible view of where cloud identity practices fall short and how to fix them."
        https://www.helpnetsecurity.com/2025/07/25/organizations-cloud-identity-security/
      • DNS Security Is Important But DNSSEC May Be a Failed Experiment
        "Last week I turned on DNSSEC (Domain Name System Security Extensions) for the systemsapproach.org domain. No need to applaud; I was just trying to get an understanding of what the barriers to adoption might be while teaching myself about the technology. It turns out that, if you have your domain hosted by a big provider (we happen to use GoDaddy), it's easy to turn on DNSSEC. But I think it says a lot that it took us this long (and the stimulus of working on a new security book) to get us to turn on DNSSEC. By contrast, we would never think of running a website in 2025 without HTTPS."
        https://www.theregister.com/2025/07/25/systems_approach_column_dns_security/
      • Blame a Leak For Microsoft SharePoint Attacks, Researcher Insists
        "A week after Microsoft told the world that its July software updates didn't fully fix a couple of bugs, which allowed miscreants to take over on-premises SharePoint servers and remotely execute code, researchers have assembled much of the puzzle — with one big missing piece. How did the attackers, who include Chinese government spies, data thieves, and ransomware operators, know how to exploit the SharePoint CVEs in such a way that would bypass the security fixes Microsoft released the following day?"
        https://www.theregister.com/2025/07/26/microsoft_sharepoint_attacks_leak/

      Reference
      Electronic Transactions Development Agency (ETDA)
