Svoboda Cybersecurity Brief July 08, 2025

CitrixBleed 2 Exploit Poses Critical Risk to NetScaler Devices

Researchers have released proof-of-concept exploits for CitrixBleed 2 (CVE-2025-5777), a critical flaw in Citrix NetScaler ADC and Gateway devices. The vulnerability allows attackers to steal session tokens by sending malformed POST requests, similar to the original CitrixBleed bug exploited by ransomware groups in 2023. Citrix claims no active exploitation, but evidence suggests attacks since mid-June.
Impact: Session hijacking and network breaches.
Mitigation: Apply patches immediately and terminate active sessions after review.
Source: BleepingComputer

Hunters International Ransomware Shuts Down, Releases Decryptors

The Hunters International ransomware group has abruptly ceased operations, releasing free decryption keys for all victims. The gang, linked to 300+ attacks since late 2023, reportedly rebranded as “World Leaks” earlier this year, shifting focus to data extortion.
Source: SecurityWeek

Atomic macOS Stealer Gains Persistent Backdoor Capability

A new version of Atomic macOS infostealer now includes a backdoor (“.helper” binary) that enables remote command execution and persistence via LaunchDaemons. The malware targets cryptocurrency owners and freelancers, with campaigns observed in 120+ countries.
Impact: Full device compromise and data exfiltration.
Mitigation: Monitor for hidden files (.agent, .helper) and suspicious scheduled tasks.
Source: BleepingComputer

Qantas Confirms Extortion After 6M Customer Records Stolen

Qantas admitted threat actors are extorting the airline following a June 30 contact center breach exposing names, emails, phone numbers, and frequent flyer data. The attack is linked to Scattered Spider’s social engineering tactics against aviation targets.
Source: BleepingComputer

North Korean IT Workers Infiltrate 100+ US Companies

US authorities disrupted a North Korean scheme where IT workers used fake identities to gain employment at US firms, stealing sensitive data including ITAR-regulated defense tech. $900K in crypto was stolen from an Atlanta blockchain company.
Source: The Hacker News

Shellter Red Team Tool Leaked, Abused for Infostealer Delivery

Shellter confirmed its commercial evasion tool (Shellter Elite v11.0) was leaked and abused to deliver Rhadamanthys, Lumma, and Arechclient2 stealers via YouTube comments and phishing emails since April. Elastic Security detected the misuse but didn’t notify Shellter.
Source: BleepingComputer

Ingram Micro Services Disrupted by Ransomware Attack

The IT distributor took systems offline after a Friday ransomware attack, disrupting customer portals and order processing. SafePay group claims responsibility, alleging data theft.
Source: SecurityWeek

$140M Bank Heist Linked to Insider Credential Sale

A Brazilian C&M employee sold bank access for $920, enabling hackers to steal from six banks. The insider executed commands via Notion but was arrested July 3. $30-40M was converted to crypto via Latin American OTC markets.
Source: BleepingComputer

Batavia Spyware Targets Russian Industrial Orgs

Kaspersky uncovered a phishing campaign delivering Batavia spyware via contract-themed emails since July 2024. The malware uses VBE scripts, Delphi payloads, and C++ stealers to harvest documents and screenshots.
Source: BleepingComputer

SEO Poisoning Spreads Oyster Loader via Fake IT Tools

Arctic Wolf found 8,500 SMB users targeted by malvertising pushing trojanized PuTTY/WinSCP clones (e.g., putty[.]run). The campaign installs Oyster loader via scheduled tasks executing twain_96.dll every 3 minutes.
Source: The Hacker News

Dutch Police Arrest Phishing Ring Targeting ABN AMRO Customers

Five youths (14-21 years old) were arrested in Lelystad for sending fake bank letters with QR codes that redirected to phishing sites. The group stole credentials from at least six victims.
Source: DataBreaches.net
