Weekly Threat Advisory: Cybersecurity Risks and Attack Trends

(28 July – 3 August 2025)

8/5/2025

In this week’s cybersecurity bulletin, our analysts dissect major vulnerabilities, active attack campaigns, and evolving threat actor strategies observed across global digital landscapes. Organizations are urged to act promptly in applying patches and tightening defense protocols.

Key Vulnerabilities

1.1: macOS ‘Sploitlight’ Vulnerability (CVE-2025-31199)
Microsoft has revealed a serious macOS flaw, “Sploitlight”, allowing attackers to bypass Apple’s TCC (Transparency, Consent, and Control) protections via malicious Spotlight plugins. By abusing .mdimporter files and Spotlight processes, attackers can extract sensitive user data—like photo metadata, GPS coordinates, and search history—without consent.

iCloud syncing compounds the threat, exposing data across devices. Apple released a fix in macOS Sequoia 15.4 on March 31, 2025.

Mitigation Tips:

  • Update all devices immediately
  • Monitor .mdimporter plugin activity
  • Restrict write access to ~/Library/Spotlight
  • Use endpoint protection tools (e.g., Microsoft Defender)

Read more: https://www.microsoft.com/en-us/security/blog/2025/07/28/sploitlight-analyzing-a-spotlight-based-macos-tcc-vulnerability/

1.2: Chrome Media Stream Exploit (CVE-2025-8292)

Google patched a high-severity use-after-free vulnerability in Chrome’s Media Stream component, allowing memory manipulation and potential arbitrary code execution via malicious web pages. Discovered on June 19, 2025, the flaw (CVE-2025-8292) could lead to data theft or unauthorized actions if exploited.

Mitigation:

  • Update Chrome via Settings > About Chrome
  • Enable auto-updates
  • Avoid untrusted sites
  • Apply patches to all Chromium-based browsers

Read more: https://chromereleases.googleblog.com/

1.3: CodeIgniter4 Remote Command Injection (CVE-2025-54418)

A critical command injection flaw in CodeIgniter4’s ImageMagick handler allows remote attackers to execute arbitrary commands via file names or text inputs during image processing. The vulnerability (CWE-78), discovered by Florence Nightingale, impacts millions of web apps and could lead to full server compromise.

Mitigation:

  • Upgrade to CodeIgniter4 v4.6.2
  • Switch to GD handler
  • Sanitize inputs using preg_replace()
  • Use getRandomName() or store() for uploads
  • Enable WAF and monitor server logs

Read more: https://github.com/advisories/GHSA-9952-gv64-x94c

Attack Campaigns

2.1: 11,000 Android Devices Compromised by PlayPraetor Malware

Over 11,000 Android devices were infected via fake Google Play Store pages distributing malicious apps. The PlayPraetor malware, used in on-device fraud (ODF), gained Accessibility Service permissions on 72% of devices, targeting 200+ banking and crypto apps. It uses HTTP, HTTPS, WebSocket (port 8282), and RTMP (port 1935) for real-time C2 and credential theft.

Impacted Regions:
Europe (58%), Africa (22%), Americas (12%), Asia (8%) – with hotspots in Portugal, Spain, Morocco, Peru, and Hong Kong.

Mitigation:

  • Uninstall malicious apps
  • Disable Accessibility Services for unknown apps
  • Enable Google Play Protect
  • Deploy EDR solutions

Read more: https://www.cleafy.com/cleafy-labs/playpraetors-evolving-threat-how-chinese-speaking-actors-globally-scale-an-android-rat

2.2: APT Attacks on Maritime Industry

Over 100 cyberattacks since 2024 have hit global maritime entities. Threat actors exploit VSAT vulnerabilities (e.g., CVE-2022-22707), USB-based attacks, and AIS data manipulation, leading to ransomware, espionage, and operational disruption.

  • APT41 uses DUSTTRAP for stealth and data encryption.
  • Chinese & Russian groups deploy ShadowPad, VELVETSHELL, and target NATO-linked ports.
  • Hacktivists disrupt Israeli shipping via AIS spoofing.
  • Leaked dark web data includes ship blueprints and navigation data.

Mitigation:

  • Patch CISA KEV vulnerabilities
  • Enforce MFA
  • Segment IT/OT networks
  • Disable USB ports
  • Run maritime-specific incident response drills

Read more: https://cyble.com/blog/cyberattacks-targets-maritime-industry/

Security News

3.1: Anubis Ransomware Targets Android & Windows

Anubis combines ransomware, data wipers, and banking trojans, delivered via spear-phishing. On Windows, it uses ECIES encryption, deletes backups, and escalates privileges. On Android, it steals credentials through keylogging, phishing overlays, and screen recording, spreading via SMS.

Targeted Sectors: Healthcare, Construction, Professional Services
Impact: 25% rise in ransomware victims, 53% increase in leak sites in 2024

Mitigation:

  • Maintain offline backups
  • Use MFA and EDR tools
  • Deploy strong email filters
  • Monitor for command-line anomalies

Read more: https://www.bitsight.com/blog/anubis-ransomware-group-overview-and-evolution

3.2: Atomic macOS Stealer (AMOS)

AMOS, first spotted in 2023, now provides persistent remote access via .helper binaries and .agent scripts in the home directory, executed by a LaunchDaemon (com.finder.helper). It spreads through cracked software sites and phishing campaigns posing as job interviews with infected DMG installers.

Impact: Detected in 120+ countries; top hits in U.S., France, Italy, U.K., Canada
Tactics:

  • String obfuscation
  • Sandbox detection via system_profiler
  • HTTP POST for C2

Mitigation:

  • Avoid untrusted DMGs
  • Enable Gatekeeper
  • Deploy EDR solutions
  • Train users on phishing awareness

Read more: https://blog.polyswarm.io/atomic-stealer-evolves
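The Spotlight-plugin check from 1.1 (unexpected .mdimporter bundles under ~/Library/Spotlight) and the AMOS persistence indicators above (LaunchDaemon label com.finder.helper, hidden .helper/.agent files in the home directory), as one added audit script that is not part of the advisory or of the Microsoft and PolySwarm write-ups. The allowlist identifier com.example.approved and the fixture tree are constructed; the audit functions take directory paths, so the same logic runs against the real locations on a host via audit_host().

```python
import plistlib
import tempfile
from pathlib import Path

AMOS_LABEL = "com.finder.helper"           # LaunchDaemon label reported for AMOS
KNOWN_IMPORTERS = {"com.example.approved"}  # constructed allowlist; build yours from a clean baseline

def _plist(path):
    """Parse a property list, returning {} if it is missing or malformed."""
    try:
        with Path(path).open("rb") as fh:
            return plistlib.load(fh)
    except (OSError, plistlib.InvalidFileException):
        return {}

def unexpected_importers(spotlight_dirs, known=KNOWN_IMPORTERS):
    """Names of .mdimporter bundles whose CFBundleIdentifier is not on the allowlist."""
    hits = []
    for d in map(Path, spotlight_dirs):
        for bundle in sorted(d.glob("*.mdimporter")) if d.is_dir() else []:
            if _plist(bundle / "Contents/Info.plist").get("CFBundleIdentifier") not in known:
                hits.append(bundle.name)
    return hits

def amos_indicators(launchd_dirs, home):
    """launchd plists carrying the AMOS label, plus hidden .helper/.agent files at the top of $HOME."""
    plists = [p.name for d in map(Path, launchd_dirs) if d.is_dir()
              for p in sorted(d.glob("*.plist")) if _plist(p).get("Label") == AMOS_LABEL]
    files = sorted(p.name for p in Path(home).iterdir() if p.name in (".helper", ".agent"))
    return {"launchd": plists, "home": files}

def audit_host(home=Path.home()):
    """Audit the real Spotlight and launchd locations on the macOS host this runs on."""
    spot = [Path("/Library/Spotlight"), home / "Library/Spotlight"]
    ld = [Path("/Library/LaunchDaemons"), Path("/Library/LaunchAgents"), home / "Library/LaunchAgents"]
    return {"importers": unexpected_importers(spot), **amos_indicators(ld, home)}

def audit_fixture():
    """Build a constructed home directory (approved + rogue importer, AMOS plist, hidden files) and audit it."""
    home = Path(tempfile.mkdtemp())
    for name, ident in (("Good.mdimporter", "com.example.approved"), ("Evil.mdimporter", "com.attacker.x")):
        contents = home / "Library/Spotlight" / name / "Contents"
        contents.mkdir(parents=True)
        (contents / "Info.plist").write_bytes(plistlib.dumps({"CFBundleIdentifier": ident}))
    agents = home / "Library/LaunchAgents"
    agents.mkdir()
    (agents / "com.finder.helper.plist").write_bytes(plistlib.dumps({"Label": AMOS_LABEL, "RunAtLoad": True}))
    for name in (".helper", ".agent", ".zshrc"):
        (home / name).write_text("")
    return {"importers": unexpected_importers([home / "Library/Spotlight"]), **amos_indicators([agents], home)}
```

Anything returned by audit_host() is a lead to verify, not a verdict: a legitimate third-party importer simply missing from your allowlist shows up the same way as a malicious one.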

3.3: Goujian Spider Exploits NVDB Zero-Days

Goujian Spider, a Chinese APT, leverages zero-days listed in China’s NVDB before public CVE release, exploiting unpatched systems like Fortinet SSL-VPN, Ivanti, and Confluence.

Payloads & Techniques:

  • REDSAM exfiltrates design data, telemetry, SSO cookies
  • Injected via spoolsv.exe
  • Persistence: Scheduled Task “Windows LSM Cache”
  • Evasion: Prunes logs (Event IDs 4104, 4688, 1102)
  • 11-day exploit window before CVE publication

Mitigation:

  • Patch rapidly
  • Monitor China NVDB
  • Audit Scheduled Tasks
  • Detect egress to /public/upload on TCP 443

Read more: https://archive.ph/Oac6R#selection-2853.0-2853.15
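The three detection leads above (audit Scheduled Tasks for “Windows LSM Cache”, look for pruned Security-log records, detect egress to /public/upload on TCP 443), as an added triage script that is not part of the advisory or of the cited report. All event records, task entries and proxy-log lines are constructed samples, and the field names are assumptions about how you export your own logs. The gap check generalises the "prunes logs" observation: EventRecordIDs in a single .evtx file are contiguous, so a missing ID is the footprint left by deleting individual records.

```python
import csv
import io
import re

SUSPECT_TASK = re.compile(r"windows lsm cache", re.I)  # task name reported for REDSAM persistence
EGRESS_PATH = "/public/upload"                         # reported C2 upload path over TCP 443
# Constructed Security-log export. EventRecordID is contiguous in an untampered .evtx,
# so a missing ID is the trace left when single records (4104/4688/1102) are pruned.
SECURITY_EVENTS = [
    {"RecordID": 1001, "EventID": 4624}, {"RecordID": 1002, "EventID": 4688},
    {"RecordID": 1003, "EventID": 4624}, {"RecordID": 1006, "EventID": 4624},
    {"RecordID": 1007, "EventID": 1102}, {"RecordID": 1008, "EventID": 4624},
]
# Constructed scheduled-task inventory (field names modelled on Get-ScheduledTask output).
TASKS = [
    {"TaskName": "MicrosoftEdgeUpdateTaskMachineCore", "Author": "Microsoft"},
    {"TaskName": "Windows LSM Cache", "Author": "SYSTEM"},
]
# Constructed proxy log: src_ip,dst_ip,dst_port,method,path
PROXY_LOG = """10.0.5.21,203.0.113.10,443,POST,/public/upload
10.0.5.22,198.51.100.7,443,GET,/index.html
10.0.5.21,203.0.113.10,443,POST,/public/upload?id=3"""

def record_gaps(events):
    """(previous_id, next_id) pairs where EventRecordIDs are not contiguous."""
    ids = sorted(e["RecordID"] for e in events)
    return [(a, b) for a, b in zip(ids, ids[1:]) if b != a + 1]

def log_cleared(events):
    """Event ID 1102 records that the Security log was cleared."""
    return any(e["EventID"] == 1102 for e in events)

def suspicious_tasks(tasks):
    """Scheduled tasks whose name matches the reported persistence task."""
    return [t["TaskName"] for t in tasks if SUSPECT_TASK.search(t["TaskName"])]

def egress_hits(proxy_log):
    """Count of POSTs to the reported upload path on 443, keyed by (src, dst)."""
    hits = {}
    for src, dst, port, method, path in csv.reader(io.StringIO(proxy_log)):
        if port == "443" and method == "POST" and path.split("?")[0] == EGRESS_PATH:
            hits[(src, dst)] = hits.get((src, dst), 0) + 1
    return hits

def triage(events=SECURITY_EVENTS, tasks=TASKS, proxy_log=PROXY_LOG):
    """Run all four checks; any non-empty or True field is a host worth pulling for review."""
    return {"gaps": record_gaps(events), "cleared": log_cleared(events),
            "tasks": suspicious_tasks(tasks), "egress": egress_hits(proxy_log)}
```

Record-ID gaps should be evaluated per log file: compare only records read from the same .evtx, since IDs are not meaningful across files collected from different hosts.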

Recommendations:
Patch affected systems, monitor file upload handling, restrict access to untrusted plugins, and enhance user awareness training. For industry-specific threat assessments, contact our Cyber Threat Management team at Crowe UAE,
+971 55 343 8693, [email protected]