Cyber Security Weekly Briefing, 19-25 July
Microsoft patches two new 0-day exploits in ToolShell attacks against SharePoint
Microsoft has released emergency updates to fix two 0-day vulnerabilities (CVE-2025-53770, CVSSv3 9.8, and CVE-2025-53771, CVSSv3 6.3, both scores according to Microsoft) in SharePoint Server. These flaws were exploited in active attacks under the name ToolShell; the chain was initially discovered during the Pwn2Own Berlin 2024 contest and affects SharePoint 2019 and Subscription Edition.
The attackers managed to circumvent previous patches and compromise more than 50 organisations worldwide. Microsoft recommends immediately installing updates KB5002754 (SharePoint 2019) and KB5002768 (Subscription Edition), and performing a machine key rotation via PowerShell or Central Admin. It is also advised to check the system and IIS logs for suspicious activity, such as the creation of the malicious spinstall0.aspx file or POST requests to the ToolPane.aspx file.
If evidence is found, it is recommended to initiate a full forensic investigation of the server and network.
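A small triage script for the log check recommended above, added here as an example and not part of Microsoft's guidance or tooling: it parses an IIS W3C log using its #Fields header, flags POST requests to ToolPane.aspx and any request for spinstall0.aspx, and can look for a spinstall0.aspx file on disk. The log lines, client addresses and the layouts directory path are constructed for the example; the real LAYOUTS path depends on the installation.

```python
"""Triage IIS W3C logs and the filesystem for the ToolShell indicators named above.

Added example, not Microsoft's guidance or tooling. Indicators checked:
  - POST requests whose target file is ToolPane.aspx
  - any request for spinstall0.aspx
  - a spinstall0.aspx file present under a given directory
"""
from pathlib import Path
from typing import Dict, List, Union

# Constructed sample log (field order comes from the #Fields line, as in real IIS logs).
# IIS replaces spaces inside field values with '+', so splitting on spaces is safe.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-19 10:00:01 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\\alice 10.0.0.20 Mozilla/5.0 200
2025-07-19 10:00:07 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.9 Mozilla/5.0 200
2025-07-19 10:00:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 Mozilla/5.0 200
2025-07-19 10:01:15 10.0.0.5 GET /_layouts/15/ToolPane.aspx - 443 CORP\\bob 10.0.0.21 Mozilla/5.0 200
"""


def parse_iis_log(text: str) -> List[Dict[str, str]]:
    """Turn an IIS W3C log into a list of {field: value} rows, honouring #Fields headers."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # a new #Fields line can appear after each log rollover
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue  # malformed or truncated line: skip rather than guess column positions
        rows.append(dict(zip(fields, values)))
    return rows


def find_toolshell_indicators(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the rows matching the two request-level indicators, each tagged with a reason."""
    hits: List[Dict[str, str]] = []
    for row in rows:
        stem = row.get("cs-uri-stem", "").lower()
        method = row.get("cs-method", "").upper()
        if method == "POST" and stem.endswith("/toolpane.aspx"):
            hits.append({"reason": "POST to ToolPane.aspx", **row})
        elif stem.endswith("/spinstall0.aspx"):
            hits.append({"reason": "request for spinstall0.aspx", **row})
    return hits


def find_spinstall_on_disk(layouts_dir: Union[str, Path]) -> List[Path]:
    """List every spinstall0.aspx found under layouts_dir (assumed path; adjust per install)."""
    root = Path(layouts_dir)
    if not root.is_dir():
        return []
    return sorted(p for p in root.rglob("*") if p.name.lower() == "spinstall0.aspx")


if __name__ == "__main__":
    for hit in find_toolshell_indicators(parse_iis_log(SAMPLE_LOG)):
        print(f"{hit['date']} {hit['time']} {hit['c-ip']} {hit['reason']}: "
              f"{hit['cs-method']} {hit['cs-uri-stem']} -> {hit['sc-status']}")
    # Assumed directory; replace with the server's actual LAYOUTS path.
    for path in find_spinstall_on_disk("C:/inetpub/example-layouts"):
        print(f"file on disk: {path}")
```

A GET to ToolPane.aspx from an authenticated editor is normal SharePoint traffic, so only the POST form is flagged; any hit on spinstall0.aspx is flagged regardless of method. Run it against the real log files under the IIS LogFiles directory by reading them into `parse_iis_log`, and treat any hit as the trigger for the forensic investigation recommended above.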
APT35 launches AI phishing campaigns against Western researchers
Analysts at CyberProof have detected a new campaign by Iranian group APT35 (also known as Charming Kitten) that uses artificial intelligence to launch sophisticated phishing attacks targeting cybersecurity researchers and academics in Western countries.
Unlike previous campaigns focused on espionage, these operations seek to directly compromise those who research and defend against cyberthreats. Leveraging advanced language models, attackers generate emails that accurately mimic industry figures, including references to research, conferences and emerging threats. The goal is to build long-term relationships with victims to extract sensitive information or gain access to research networks.
This evolution in APT35 tactics represents a strategic shift in the geopolitical conflict, framed by rising tensions following the Israeli and US bombings of Iran in June 2025.
CISA adds two SharePoint vulnerabilities to its KEV catalog
CISA has warned of two Microsoft SharePoint vulnerabilities, CVE-2025-49704 and CVE-2025-49706 (CVSSv3 scores of 8.8 and 6.5 according to the manufacturer, respectively), which have been added to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation. Federal Civilian Executive Branch (FCEB) agencies must therefore fix the vulnerabilities before July 23, 2025.
The inclusion of both flaws, one a spoofing vulnerability and the other remote code execution (RCE), collectively tracked as ToolShell, in the KEV catalog came after Microsoft revealed that Chinese groups such as Linen Typhoon and Violet Typhoon had exploited them to target on-premises SharePoint servers beginning on July 7, 2025. Microsoft also refers to CVE-2025-53770 and CVE-2025-53771 (CVSSv3 scores of 9.8 and 6.5 according to the manufacturer, respectively), considered patch bypasses for CVE-2025-49704 and CVE-2025-49706, respectively.
In addition, watchTowr Labs reported that it had internally devised a method to exploit CVE-2025-53770 that bypasses the Antimalware Scan Interface (AMSI), a mitigation measure described by Microsoft.
New variant of Konfety malware evades scanning and spoofs legitimate apps
Zimperium researchers have detected a new variant of the Konfety Android malware, which uses advanced evasion techniques such as malformed ZIP structures, encrypted DEX files and BZIP compression that analysis tools do not support. This malware disguises itself as legitimate apps using a tactic known as evil twin, distributing itself through third-party app stores.
Although it is neither spyware nor a RAT, it includes a secondary DEX that decrypts and executes at runtime, allowing additional modules to be loaded dynamically. Its capabilities include exfiltration of device information, redirection to malicious sites, forced installation of apps, and use of the CaramelAds SDK to display hidden ads. It also uses geofencing and hides its icon after installation.
This approach is reminiscent of other cases such as SoumniBot, where compression and metadata are manipulated to make analysis more difficult. It is recommended to avoid APKs from unofficial sources.
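One cheap check that an analyst can run before handing an APK to tooling, added here as an example and not Zimperium's or any project's code: an APK is a ZIP archive, so reading its central directory shows whether any entry uses a compression method other than the stored/deflate pair that Android and most analysis tools expect (BZIP2 is method 12), and whether the archive fails to parse at all. The sample archives are constructed in memory for the example; no real Konfety artefact is used.

```python
"""Flag APK entries compressed with a method outside stored/deflate, or an archive that
will not parse. Added example built on Python's standard zipfile module; the sample
APKs are constructed here and are not real malware samples."""
import io
import zipfile
from typing import Dict, List, Tuple

# Methods Android itself supports for APK entries; anything else deserves a second look.
COMMON_METHODS = {zipfile.ZIP_STORED, zipfile.ZIP_DEFLATED}
METHOD_NAMES = {
    zipfile.ZIP_STORED: "stored",
    zipfile.ZIP_DEFLATED: "deflate",
    zipfile.ZIP_BZIP2: "bzip2",   # method 12
    zipfile.ZIP_LZMA: "lzma",     # method 14
}


def audit_apk_compression(data: bytes) -> Dict[str, object]:
    """Return {'malformed': bool, 'unusual_entries': [(name, method_name), ...]}.

    Only the central directory is read; entries are never decompressed, so an
    unsupported method cannot break the check itself.
    """
    report: Dict[str, object] = {"malformed": False, "unusual_entries": []}
    unusual: List[Tuple[str, str]] = report["unusual_entries"]  # type: ignore[assignment]
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.compress_type not in COMMON_METHODS:
                    name = METHOD_NAMES.get(info.compress_type, f"method {info.compress_type}")
                    unusual.append((info.filename, name))
    except zipfile.BadZipFile:
        # Central directory missing or inconsistent: structurally malformed archive.
        report["malformed"] = True
    return report


def build_sample_apk(dex_method: int) -> bytes:
    """Constructed stand-in for an APK: a manifest plus a classes.dex entry whose
    compression method is chosen by the caller (8 = deflate, 12 = bzip2)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>", compress_type=zipfile.ZIP_DEFLATED)
        # Constructed placeholder bytes with a DEX-like magic; not a real DEX file.
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64, compress_type=dex_method)
    return buf.getvalue()


if __name__ == "__main__":
    for label, method in (("normal", zipfile.ZIP_DEFLATED), ("bzip2 dex", zipfile.ZIP_BZIP2)):
        print(label, audit_apk_compression(build_sample_apk(method)))
    print("garbage", audit_apk_compression(b"not a zip archive"))
```

To use it on a real file, pass `Path("app.apk").read_bytes()` to `audit_apk_compression`; a non-empty `unusual_entries` list, especially on a `classes*.dex` entry, or `malformed` set to true, is the cue to analyse the sample with tooling that handles the non-standard structure rather than trusting the output of a scanner that silently skipped it.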
UNG0002: Advanced cyber-espionage campaigns in Asia
The UNG0002 threat group has been identified by Seqrite Labs as responsible for targeted espionage campaigns against organisations in China, Hong Kong and Pakistan since May 2024. Under operations Cobalt Whisper and AmberMist, the group has evolved from using familiar tools such as Cobalt Strike and Metasploit, to developing custom implants such as Shadow RAT and INET RAT.
In the most recent campaign, its targets have expanded to video game companies, software developers and academic institutions. UNG0002 employs advanced social engineering techniques, including the ClickFix method, which uses fake CAPTCHAs to trick users into executing malicious scripts. It is also notable for its use of LNK files and DLL sideloading with legitimate applications to evade detection.
The infrastructure, usernames and tactics employed point to an organisationally backed actor, possibly aligned with Southeast Asian state interests.
This newsletter is one of the deliverables of our Operational and Strategic Intelligence service. If you are interested in the rest of the Operational and Strategic Intelligence content included in the service, please contact us.