Cyber Security Weekly Briefing, 26 July - 1 August
SonicWall patches new critical flaw in SMA 100 devices
SonicWall has warned of a critical authenticated arbitrary file upload vulnerability that could lead to remote code execution. The flaw, tracked as CVE-2025-40599 (CVSSv3 score of 9.1 according to CISA), stems from unrestricted file upload in the appliance's web management interface: a remote attacker who already holds administrative privileges can upload arbitrary files to the system.
Although exploitation requires administrative access and SonicWall has not yet found evidence of active exploitation of this flaw, Google Threat Intelligence Group reports that SMA 100 appliances are already being targeted in attacks that use compromised credentials, which is precisely the access this vulnerability needs. The vulnerability does not affect the SMA 1000 series or the SSL VPN service on SonicWall firewalls.
For its part, SonicWall strongly recommends that users of SMA 100 series products (SMA 210, 410 and 500v) upgrade to the patched version.
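The vulnerability class behind this advisory, unrestricted file upload in an administrative web interface, is easy to reproduce and easy to close. The following is an added illustration, not SonicWall's code: a handler that trusts the client-supplied file name next to a hardened one that validates the name, extension, size and leading bytes before writing with O_EXCL inside the upload directory. The directory layout, the extension allowlist, the magic-byte denylist and the helper names are assumptions for this example.

```python
"""Added example (not SonicWall's code): the unrestricted-upload pattern beside a
hardened handler. Directory layout, allowlist and helper names are assumptions."""
import os
import re
import tempfile
from pathlib import Path

# Assumed allowlist of extensions a management endpoint legitimately needs.
ALLOWED_EXTENSIONS = {".csv", ".txt", ".log"}
# Assumed denylist of leading bytes: scripts and native executables have no business here.
FORBIDDEN_MAGIC = (b"#!", b"<?php", b"MZ", b"\x7fELF")


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def save_upload_unsafe(upload_dir, filename, data):
    """Vulnerable pattern: the client-supplied name is joined straight onto the
    upload directory, so '../' escapes it and any extension or content is accepted."""
    path = os.path.join(upload_dir, filename)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    return path


def validate_upload(filename, data, max_bytes=1_000_000):
    """Return the sanitised file name or raise UploadRejected. Touches no files."""
    name = Path(filename).name                      # strips any directory part
    if name != filename or name in ("", ".", ".."):
        raise UploadRejected("path components are not allowed in file names")
    if not re.fullmatch(r"[A-Za-z0-9._-]{1,64}", name):
        raise UploadRejected("file name contains disallowed characters")
    suffixes = Path(name).suffixes                  # ['.php', '.csv'] for 'x.php.csv'
    if len(suffixes) != 1 or suffixes[0].lower() not in ALLOWED_EXTENSIONS:
        raise UploadRejected("extension not in allowlist (double extensions rejected)")
    if len(data) > max_bytes:
        raise UploadRejected("file too large")
    if data.startswith(FORBIDDEN_MAGIC):
        raise UploadRejected("executable or script content detected")
    return name


def save_upload_safe(upload_dir, filename, data):
    """Hardened pattern: validate first, then create with O_EXCL inside the base directory."""
    base = Path(upload_dir).resolve()
    name = validate_upload(filename, data)
    target = (base / name).resolve()
    if target.parent != base:                       # defence in depth against traversal
        raise UploadRejected("resolved path escapes the upload directory")
    base.mkdir(parents=True, exist_ok=True)
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return str(target)


def demo():
    """Feed both handlers a traversal-style name; returns (unsafe_escaped, safe_rejected, accepted_name)."""
    with tempfile.TemporaryDirectory() as tmp:
        upload_dir = os.path.join(tmp, "uploads")
        os.makedirs(upload_dir)
        save_upload_unsafe(upload_dir, "../escaped.csv", b"a,b\n")
        escaped = os.path.exists(os.path.join(tmp, "escaped.csv"))   # True: file landed outside uploads/
        try:
            save_upload_safe(upload_dir, "../escaped.csv", b"a,b\n")
            rejected = False
        except UploadRejected:
            rejected = True
        accepted = save_upload_safe(upload_dir, "report.csv", b"a,b\n")
        return escaped, rejected, os.path.basename(accepted)


if __name__ == "__main__":
    print(demo())   # (True, True, 'report.csv')
```

The validation deliberately rejects double extensions and dotfiles, and the final `target.parent != base` check stays in place even though the name has already been sanitised, so a later change to the sanitiser cannot silently reopen traversal.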
UNC3944 compromises VMware ESXi environments using advanced techniques
In mid-2025, Google Threat Intelligence detected a sophisticated campaign by the UNC3944 group (related to Scattered Spider), targeting sectors such as retail, aviation, and insurance in the US. The group uses aggressive social engineering to breach help desks, obtain privileged credentials, and access VMware vSphere environments.
Using living-off-the-land tactics, they manipulate Active Directory to escalate privileges and take over vCenter, where they install the open-source Teleport remote-access tool as a backdoor. From there they reach the ESXi hypervisors directly, copy the virtual disks of domain controller VMs and exfiltrate them without triggering EDR, which runs inside the guests and has no view of what happens at the hypervisor layer. They then sabotage backup systems and launch ransomware from the hypervisor itself.
The recommended defense rests on three pillars: preventive hardening (locking down SSH on ESXi, MFA, VM encryption), architectural integrity (segregating critical tier-0 identities and removing authentication loops, such as vCenter authenticating against an Active Directory whose domain controllers it hosts), and advanced detection through log correlation and high-fidelity alerts.
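The third pillar, log correlation, is the one that turns individually benign events (an admin enabling SSH, a file copy on a datastore) into a high-fidelity alert. The following is an added example, not Google's or VMware's tooling: a small correlation rule over constructed vSphere/ESXi-style audit events that mirrors the stages described above. The line format, action names, domain controller VM names and the two-hour window are assumptions for this example.

```python
"""Added example (not Google's or VMware's tooling): a correlation rule over
constructed vSphere/ESXi-style audit events that mirrors the chain above.
The line format, action names, DC VM names and time window are assumptions."""
from datetime import datetime, timedelta

# Constructed sample events, not real logs. Assumed format: "<ISO time> <source> key=value ...".
SAMPLE_LOG = """\
2025-06-12T02:58:10Z vcenter user=svc-helpdesk action=PasswordReset target=j.smith
2025-06-12T03:01:44Z vcenter user=j.smith action=GroupMemberAdd group=Administrators member=svc-vdi
2025-06-12T03:05:02Z esxi01 user=svc-vdi action=ServiceStart service=TSM-SSH
2025-06-12T03:06:30Z esxi01 user=root action=ShellLogin proto=ssh src=10.9.8.7
2025-06-12T03:09:15Z esxi01 user=root action=VMPowerOff vm=DC01
2025-06-12T03:10:40Z esxi01 user=root action=FileCopy file=/vmfs/volumes/ds1/DC01/DC01.vmdk dest=/vmfs/volumes/ds1/tmp/
2025-06-12T03:40:05Z vcenter user=j.smith action=BackupJobDelete job=nightly-all
2025-06-12T09:00:00Z esxi02 user=ops action=ServiceStart service=TSM-SSH
2025-06-12T09:03:00Z esxi02 user=ops action=ServiceStop service=TSM-SSH
"""

DC_VMS = {"DC01", "DC02"}          # assumed names of domain-controller VMs (tier-0 assets)


def is_dc_disk_copy(e):
    """FileCopy of a .vmdk that lives in a domain controller's VM folder."""
    path = e.get("file", "")
    return (e["action"] == "FileCopy" and path.endswith(".vmdk")
            and any(f"/{dc}/" in path for dc in DC_VMS))


# Chain stages in expected order; each is (name, predicate on a parsed event).
STAGES = [
    ("privilege_change", lambda e: e["action"] in ("PasswordReset", "GroupMemberAdd")),
    ("ssh_enabled", lambda e: e["action"] == "ServiceStart" and e.get("service") == "TSM-SSH"),
    ("dc_disk_copied", is_dc_disk_copy),
    ("backup_deleted", lambda e: e["action"] == "BackupJobDelete"),
]


def parse_line(line):
    ts, source, *pairs = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "source": source}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def correlate(lines, window=timedelta(hours=2)):
    """Anchor on each SSH enablement and look for the other stages within +/- window.
    SSH alone is noise (esxi02 above); SSH plus a DC disk copy on the same host is the
    high-fidelity core, and a backup deletion in the window raises the severity."""
    events = sorted((parse_line(line) for line in lines if line.strip()), key=lambda e: e["ts"])
    alerts = []
    for anchor in events:
        if not STAGES[1][1](anchor):
            continue
        nearby = [e for e in events if abs(e["ts"] - anchor["ts"]) <= window]
        matched = []
        for name, pred in STAGES:
            hits = [e for e in nearby if pred(e)]
            if name == "dc_disk_copied":            # the copy must be on the host where SSH came up
                hits = [e for e in hits if e["source"] == anchor["source"]]
            if hits:
                matched.append(name)
        if "dc_disk_copied" in matched:
            alerts.append({
                "host": anchor["source"],
                "ssh_enabled_by": anchor.get("user"),
                "at": anchor["ts"].isoformat(),
                "stages": matched,
                "severity": "critical" if "backup_deleted" in matched else "high",
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the sample, the rule produces one critical alert for esxi01 and nothing for esxi02, where SSH was enabled and disabled by an operator with no disk copy in between; that asymmetry is what keeps the alert actionable.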
Russian APT Laundry Bear targets NATO infrastructure with fake domains
The Dutch intelligence services (AIVD and MIVD), together with Microsoft Threat Intelligence, have identified Laundry Bear (also known as Void Blizzard) as a Russian state-backed APT group, active since April 2024. This actor has launched espionage campaigns against NATO countries, Ukraine and various European and US entities, including NGOs and police forces.
Laundry Bear uses stolen credentials, session cookies and fake domains in sophisticated phishing attacks. Further investigation revealed an extensive infrastructure built on typosquatting domains, malicious redirects and services such as Mailgun, Cloudflare and SMTP2GO. Techniques observed include CNAME chains, self-signed certificates and credential-themed subdomains such as login and okta. Multiple spoofed domains impersonating government and corporate entities were also detected mimicking legitimate services to harvest credentials.
Authorities warn about the possible reactivation of the group and recommend active monitoring of these indicators.
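Typosquats and credential-themed subdomains of the kind described above can be screened automatically from passive DNS or certificate transparency feeds. The following is an added example, not AIVD/MIVD or Microsoft tooling: it folds common homoglyphs, measures edit distance to a short brand list, and treats a login/okta-style subdomain as an aggravating factor rather than as evidence on its own. The brand names, allowlist, observed domains and homoglyph table are constructed, and the "last two labels" rule for the registrable domain is a simplification (use a public-suffix list in production).

```python
"""Added example (not AIVD/MIVD or Microsoft tooling): flag lookalike domains and
themed subdomains against a short brand list. Brands, allowlist, observed domains
and the homoglyph table are constructed; the two-label registrable-domain rule is
a simplification of what a public-suffix list would give you."""

BRANDS = ("examplecorp", "example-gov")                # assumed protected brand labels
ALLOWLIST = {"examplecorp.com", "example-gov.eu"}      # assumed legitimate registrable domains
THEMED_LABELS = {"login", "okta", "sso", "auth", "mail", "signin"}
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}

# Constructed observations, e.g. from passive DNS or certificate transparency.
OBSERVED = [
    "mail.examplecorp.com",
    "login.examp1ecorp.com",
    "okta.examplecorp-portal.net",
    "sso.exampIecorp.com",
    "examplecorp.net",
    "login.unrelated-service.org",
]


def normalize(label):
    """Fold common homoglyphs and hyphens so visually similar labels compare equal."""
    label = label.lower()
    for glyph, plain in HOMOGLYPHS.items():
        label = label.replace(glyph, plain)
    return label.replace("-", "")


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute) with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain):
    """Return (registrable domain, list of subdomain labels) using a two-label rule."""
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]), parts[:-2]


def assess(domain, allowlist=ALLOWLIST, max_distance=2):
    """Return a finding dict for a suspicious domain, or None."""
    registrable, subs = split_domain(domain)
    if registrable in allowlist:
        return None
    label = registrable.split(".")[0]
    norm = normalize(label)
    reasons = []
    for brand in BRANDS:
        target = normalize(brand)
        distance = levenshtein(norm, target)
        if distance == 0:
            reasons.append(f"brand {brand} on a registrable domain outside the allowlist"
                           if norm == label else f"homoglyph/hyphen variant of {brand}")
        elif distance <= max_distance:
            reasons.append(f"edit distance {distance} from {brand}")
        elif target in norm:
            reasons.append(f"embeds {brand}")
    if not reasons:
        return None                      # a themed subdomain alone is not evidence
    themed = [s for s in subs if s in THEMED_LABELS]
    if themed:
        reasons.append("credential-themed subdomain: " + ".".join(themed))
    return {"domain": domain, "reasons": reasons}


def scan(domains, allowlist=ALLOWLIST):
    """Findings for every suspicious domain, in input order."""
    return [finding for finding in (assess(d, allowlist) for d in domains) if finding]


if __name__ == "__main__":
    for finding in scan(OBSERVED):
        print(finding["domain"], "->", "; ".join(finding["reasons"]))
```

Four of the six constructed observations are flagged; the legitimate mail host is skipped by the allowlist and the unrelated login portal is skipped because nothing resembles a protected brand. Tune `max_distance` downward for short brand labels, where two edits reach many unrelated words.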
ToxicPanda: banking Trojan attacks Android mobiles in Portugal and Spain
The ToxicPanda banking malware has compromised more than 4,500 Android devices, mainly in Portugal (3,000 cases) and Spain (1,000), establishing itself as a significant threat in Europe by early 2025. Initially detected in Asia in 2022, the malware has evolved with advanced capabilities to steal banking credentials through fake screen overlays, SMS interception and full device control through accessibility services.
The Trojan is distributed as malicious APKs hosted on compromised domains or fake update sites, posing as Google Chrome. It requests up to 58 permissions and uses anti-emulation checks to avoid running inside analysis sandboxes. It particularly affects budget phones from brands such as Samsung, Xiaomi and Oppo. Its infrastructure uses a domain generation algorithm (DGA), DES and AES encryption and domains fronted by Cloudflare, and it persists by resisting uninstallation and forcibly closing system windows.
Removal requires tools such as ADB. It is recommended to avoid APKs outside official shops and to check permissions granted to apps.
GOLD BLADE perfects its infection chain with RedLoader
The cybercriminal group GOLD BLADE (also known as RedCurl or Red Wolf) has deployed a new infection chain in its recent campaigns, targeting human resources personnel via phishing emails with fake candidate documents. This technique, observed in July 2025, combines malicious LNKs and legitimate Adobe binaries to remotely load its RedLoader malware.
The chain starts with a PDF that links to a ZIP archive containing an LNK. The LNK launches conhost.exe, which connects over WebDAV to an attacker-controlled domain; from there a legitimately Adobe-signed executable is run that loads a malicious DLL (RedLoader stage 1), so no malicious file has to be written to disk. A scheduled task then fetches RedLoader stage 2, which establishes C2 communications, performs Active Directory reconnaissance and supports data exfiltration.
Sophos recommends software restriction policies that block the execution of LNK files and has published signatures to detect these variants.
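Beyond blocking LNK execution, the chain above leaves a recognisable trace in process telemetry: conhost.exe launched straight from explorer.exe, an executable whose image or command line points at a WebDAV UNC path, and a scheduled task whose action does the same. The following is an added example, not Sophos's signatures, that applies those heuristics to constructed process-creation and scheduled-task events using Sysmon-style field names. The WebDAV host (a documentation address), the share name, the file name Updater.exe and all event contents are assumptions.

```python
"""Added example (not Sophos's signatures): heuristics over constructed
process-creation and scheduled-task events in the style of Sysmon fields.
The WebDAV host, share name, 'Updater.exe' and the event dicts are all assumed."""
import re

# WebDAV UNC forms: \\host@80\..., \\host@SSL\..., \\host\DavWWWRoot\... (plain SMB UNCs do not match).
WEBDAV_UNC = re.compile(r"\\\\[\w.\-]+(?:@(?:ssl|\d{1,5})\\|\\davwwwroot\\)", re.IGNORECASE)

# Constructed events; 203.0.113.10 is a documentation address, not a real indicator.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe /c dir"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"conhost.exe \\203.0.113.10@80\share\Updater.exe"},
    {"EventType": "ProcessCreate", "Image": r"\\203.0.113.10@80\share\Updater.exe",
     "ParentImage": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"\\203.0.113.10@80\share\Updater.exe"},
    {"EventType": "TaskCreate", "TaskName": r"\Microsoft\Windows\UpdaterCheck",
     "Action": r"\\203.0.113.10@80\share\Updater.exe"},
    {"EventType": "TaskCreate", "TaskName": r"\Vendor\Update",
     "Action": r"C:\Program Files\Vendor\update.exe"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0x4"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe \\fileserver\share\notes.txt"},
]


def analyze(event):
    """Return the reasons an event is suspicious (empty list when it is not)."""
    reasons = []
    if event.get("EventType") == "ProcessCreate":
        image = event.get("Image", "")
        parent = event.get("ParentImage", "").lower()
        cmd = event.get("CommandLine", "")
        # A console host normally has a console application as parent, not the shell.
        if image.lower().endswith(r"\conhost.exe") and parent.endswith(r"\explorer.exe"):
            reasons.append("conhost.exe started directly by explorer.exe (consistent with an LNK launch)")
        if WEBDAV_UNC.search(image):
            reasons.append("process image executed from a WebDAV share")
        elif WEBDAV_UNC.search(cmd):
            reasons.append("command line references a WebDAV share")
    elif event.get("EventType") == "TaskCreate":
        if WEBDAV_UNC.search(event.get("Action", "")):
            reasons.append("scheduled task action points at a WebDAV share")
    return reasons


def detect(events):
    """(index, reasons) for every flagged event, in input order."""
    hits = []
    for index, event in enumerate(events):
        reasons = analyze(event)
        if reasons:
            hits.append((index, reasons))
    return hits


if __name__ == "__main__":
    for index, reasons in detect(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["EventType"], "->", "; ".join(reasons))
```

The pattern deliberately requires the `@port`, `@SSL` or `DavWWWRoot` marker so that ordinary SMB shares (the notepad event) do not fire; the conhost-from-explorer heuristic on its own would be noisy, which is why it is reported as a reason alongside the WebDAV match rather than as an alert in itself.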
◾ This newsletter is one of the deliverables of our Operational and Strategic Intelligence service. If you are interested in knowing the rest of the Operational and Strategic Intelligence contents included in the service, please contact us.