Cyber Security Weekly Briefing, 5-11 July
Microsoft fixes 132 vulnerabilities in its July update
Microsoft has released its July 2025 Patch Tuesday, fixing a total of 132 flaws, 14 of them rated critical. Among the most notable are several remote code execution (RCE) vulnerabilities in widely used services such as the Windows KDC Proxy (CVE-2025-49735, CVSSv3 8.1 according to the vendor) and SharePoint Server (CVE-2025-49704, CVSSv3 8.8 according to the vendor). Bugs have also been identified in Hyper-V (CVE-2025-48822, CVSSv3 8.6 according to the vendor) and in the NEGOEX security mechanism (CVE-2025-47981), the latter with a CVSSv3 of 9.8 according to Microsoft.
Although none of these flaws has been actively exploited, Microsoft has classified several as “most likely” to be exploited. Cisco Talos has published a new set of Snort rules to detect exploitation attempts against these vulnerabilities and urges firewall users to update their defenses as soon as possible.
Bert: new cross-platform ransomware detected in global attacks
Trend Micro has identified the new Bert ransomware group, active since April and responsible for attacks against organizations in Asia, Europe and the US, including healthcare, technology and event services.
The ransomware affects Windows and Linux systems. Its initial access vector is still unknown, although it is reportedly in active development. Once on the system, a PowerShell script disables security tools before executing the malware. Although it has not been attributed to a specific group, Russian infrastructure has been detected in its operation, which could suggest links to actors in that region. In addition, researchers note that Bert could be derived from the Linux variant of REvil, a group dismantled in 2021, as similarities were found in its code.
Illegitimate access through leaked ASP.NET keys
The Initial Access Broker Gold Melody, also known as Prophet Spider or UNC961, has been linked to an attack campaign that leverages leaked ASP.NET keys to compromise servers and sell access to other malicious actors.
According to Palo Alto Networks' Unit 42, the attackers employ ViewState deserialization techniques to execute malicious code in memory, evading many traditional EDR solutions. Microsoft had already warned in February 2025 about more than 3,000 public keys that could be exploited for this purpose. The victims are concentrated in sectors such as finance, logistics and technology, mainly in the USA and Europe. A peak of activity was detected between January and March 2025, with the use of post-exploitation tools such as port scanners and C# programs for privilege escalation.
The attack is notable for its persistence in memory and low forensic footprint, which makes it difficult to detect without behavioral analysis on IIS servers.
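As an added defender-side example (not tooling from Unit 42, Microsoft or the briefing's authors), the script below audits an ASP.NET web.config for statically configured machineKey values and compares their digests against a placeholder set standing in for Microsoft's published list of disclosed keys; the sample config and the hashes are constructed for illustration only.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: a web.config carrying a static <machineKey>.
# The key material below is a placeholder, not a real key.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER-VALIDATION-KEY-0001"
                decryptionKey="PLACEHOLDER-DECRYPTION-KEY-0001"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

# Placeholder set standing in for digests of publicly disclosed keys; in a real
# deployment populate it from Microsoft's published list. Storing digests keeps
# raw key material out of the audit tool itself.
KNOWN_LEAKED_KEY_HASHES = {
    hashlib.sha256(b"PLACEHOLDER-VALIDATION-KEY-0001").hexdigest(),
}


def key_digest(key):
    """SHA-256 hex digest of a key string, used for comparison without storing keys."""
    return hashlib.sha256(key.encode()).hexdigest()


def audit_machine_keys(config_xml, leaked_hashes=KNOWN_LEAKED_KEY_HASHES):
    """Return one finding per static validationKey/decryptionKey found in web.config.

    Status is LEAKED when the digest matches the known-disclosed set, otherwise
    STATIC (hard-coded, so it should be rotated if it was ever shared or published).
    """
    root = ET.fromstring(config_xml)
    findings = []
    for element in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = element.get(attr, "AutoGenerate")
            if value.startswith("AutoGenerate"):
                continue  # per-machine generated keys cannot appear in a public leak
            status = "LEAKED" if key_digest(value) in leaked_hashes else "STATIC"
            findings.append({"attribute": attr, "status": status,
                             "digest": key_digest(value)[:16]})
    return findings


if __name__ == "__main__":
    for finding in audit_machine_keys(SAMPLE_WEB_CONFIG):
        print(f"{finding['attribute']}: {finding['status']} (sha256 {finding['digest']}...)")
```

Any LEAKED result calls for immediate key rotation and a review of IIS request logs for the period the key was in use, since a leaked key lets ViewState payloads pass MAC validation.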
PoC published for the CitrixBleed 2 vulnerability
Researchers at watchTowr have recently published a PoC for CitrixBleed 2 (CVE-2025-5777, CVSSv3 9.3), increasing the risk of mass exploitation given the low patching rate observed. The flaw is an out-of-bounds memory read on Citrix NetScaler ADC and Gateway devices that allows unauthenticated attackers to extract sensitive data, such as authentication tokens, from system memory.
This makes it easier to hijack sessions, bypass MFA and gain unauthorized access to critical systems. The flaw affects devices configured as Gateway or AAA virtual servers. The attack consists of sending a manipulated HTTP POST request to the login endpoint, which causes memory contents to leak into the XML response under the <InitialValue> tag. Repeated requests can yield valid tokens.
New Anatsa campaign in North America
ThreatFabric has detected a new Anatsa banking Trojan campaign targeting the US and Canada. Distributed from Google Play, Anatsa hides in legitimate apps such as PDF readers that, after reaching thousands of downloads, receive an update with malicious code.
The Trojan enables credential theft, keylogging and transaction execution from the infected device. In this campaign, the malicious app ranked among the three most downloaded in its category and exceeded 50,000 installations. Between June 24 and 30, it pushed a fake update that deployed Anatsa and used a screen overlay displaying a “scheduled maintenance” message when banking apps were opened, hiding the malicious activity and discouraging victims from contacting support.
Instructions are sent from its C2 server, allowing it to adapt to banking targets.
This newsletter is one of the deliverables of our Operational and Strategic Intelligence service. If you are interested in the rest of the Operational and Strategic Intelligence content included in the service, please contact us.