Weekly Summary Cyberattacks 10-16 July
New Exploit “Opossum” Breaches Secure TLS
Researchers have discovered a man-in-the-middle exploit dubbed "Opossum". The flaw affects Transport Layer Security (TLS) deployments in which an application protocol supports both implicit and opportunistic TLS modes: the attacker desynchronizes client and server, subverting the integrity guarantees of TLS and manipulating the data the client sees. It applies to a wide range of widely used application protocols, including HTTP, FTP, POP3, SMTP, LMTP and NNTP. Internet-wide scans found over 2.9 million vulnerable servers, among them 1.4 million IMAP and 1.1 million POP3 instances. While the total number of exploit-ready systems remains limited, the flaw originates in protocol design rather than in any single implementation, which makes it especially significant for embedded and legacy systems. In response, Apache2 has deprecated opportunistic HTTP and is tracking the vulnerability under CVE-2025-49812, and Cyrus IMAPd has disabled opportunistic TLS by default.
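As an added example (not code from the original summary or from the Opossum researchers), a posture check in Python for the mitigation the paragraph describes: it reads the capability listing of your own IMAP, POP3 and SMTP services and flags those that still advertise opportunistic TLS next to their implicit-TLS port. The host names and capability lists it ships with are constructed so it runs offline.

```python
"""Added example: which of your own mail services still advertise opportunistic
TLS (STARTTLS / STLS) and so still need the mitigation named in the summary.
Host names and capability lists in SAMPLE_SERVICES are constructed."""
import imaplib
import poplib
import smtplib

# Plaintext port and the capability token that advertises a TLS upgrade.
OPPORTUNISTIC = {
    "imap": (143, "STARTTLS"),
    "pop3": (110, "STLS"),
    "smtp": (25, "STARTTLS"),
}

def classify(protocol: str, capabilities) -> str:
    """'opportunistic' if the plaintext listing offers a TLS upgrade,
    'implicit-only' otherwise (the state the mitigation aims for)."""
    names = {(c.decode() if isinstance(c, bytes) else c).upper() for c in capabilities}
    return "opportunistic" if OPPORTUNISTIC[protocol][1] in names else "implicit-only"

def probe(protocol: str, host: str, timeout: float = 5.0):
    """Fetch the capability listing from the plaintext port of a server you
    administer, using only the standard library."""
    port = OPPORTUNISTIC[protocol][0]
    if protocol == "imap":
        conn = imaplib.IMAP4(host, port, timeout=timeout)
        caps = list(conn.capabilities)   # tuple of bytes, e.g. b"STARTTLS"
        conn.logout()
    elif protocol == "pop3":
        conn = poplib.POP3(host, port, timeout=timeout)
        caps = list(conn.capa())         # dict keyed by capability, e.g. "STLS"
        conn.quit()
    else:
        conn = smtplib.SMTP(host, port, timeout=timeout)
        conn.ehlo()
        caps = list(conn.esmtp_features) # dict keyed by lower-case extension
        conn.quit()
    return caps

def audit(services):
    """services: (protocol, host, capabilities) triples; returns the endpoints
    that still advertise opportunistic TLS and need it switched off."""
    return [(proto, host) for proto, host, caps in services
            if classify(proto, caps) == "opportunistic"]

# Constructed listings standing in for probe() output; not real hosts.
SAMPLE_SERVICES = [
    ("imap", "mail.example.test", [b"IMAP4REV1", b"STARTTLS", b"AUTH=PLAIN"]),
    ("pop3", "mail.example.test", ["UIDL", "TOP", "STLS"]),
    ("smtp", "mx.example.test", ["size", "8bitmime"]),
]
```

Replace SAMPLE_SERVICES with `probe()` results for your own hosts; an empty `audit()` result means every service offers implicit TLS only.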
Fake Gaming and AI Firms Push Malware on Cryptocurrency
A sophisticated social engineering campaign is targeting cryptocurrency users by posing as fake AI, gaming, and Web3 startups. Attackers build convincing company profiles from spoofed X (formerly Twitter) accounts, professional-looking websites, and documentation hosted on platforms such as GitHub and Notion. Victims are approached via X, Telegram, or Discord and offered crypto payments to test the fake software. Once engaged, they are directed to download malware disguised as a legitimate application: on Windows, a Cloudflare verification screen masks the installation of an infostealer, while macOS users are infected with AMOS, a stealer that extracts browser and wallet data. Persistence is maintained through launch agents and remote command scripts. The campaign, active since at least March 2024 and dubbed “Meeten,” mimics known tactics of the Crazy Evil group. Eternal Decay, BeeSync, and NexLoop are among the many fake company names used to lure victims. Researchers warn that the campaign remains ongoing and is growing more sophisticated.
Combined attack strategy successfully bypasses Grok-4’s safeguards
Researchers have successfully breached the Grok-4 language model by combining two known attack techniques: Echo Chamber and Crescendo. This method circumvents the model’s safety systems without using explicitly malicious prompts. The attack starts with Echo Chamber, which injects a poisoned context and guides the dialogue toward a harmful goal through a persuasion cycle. When progress stalls, Crescendo steps in to push the conversation further. Using this strategy, the team managed to extract instructions for making a Molotov cocktail from Grok-4. The combined approach showed a 67% success rate for this objective, 50% for methamphetamine, and 30% for toxins. The experiment demonstrates that advanced models can be exploited through subtle, multi-turn manipulation, emphasizing the urgent need to strengthen defenses against such adversarial tactics.
GLOBAL GROUP emerges: new Ransomware-as-a-Service with global reach
On June 2, 2025, researchers identified GLOBAL GROUP, a new ransomware collective operating under a Ransomware-as-a-Service (RaaS) model and promoted by the cybercriminal known as "$$$", who was previously linked to the Black Lock and Mamona operations. Offering affiliates up to 85% of ransom proceeds, GLOBAL GROUP uses advanced tooling, including an AI-driven negotiation panel. Within its first five days it claimed nine victims across key industries in the U.S., U.K., Australia, and Brazil, reaching 17 confirmed cases by July 14. The group gains entry through access purchased from brokers, edge device vulnerabilities, and brute-force tools aimed at Outlook and VPNs. Analysts traced its infrastructure to Russian servers and confirmed operational ties to earlier ransomware campaigns. GLOBAL GROUP focuses on high-value companies, demanding multi-million-dollar ransoms and enabling rapid, automated ransomware deployment across victim networks.
New Interlock RAT variant detected using PHP in widespread attacks
Researchers have identified a new, sophisticated variant of the Interlock remote access trojan (RAT), now rewritten in PHP rather than the previously known Node.js version. Since May 2025 this malware has been linked to KongTuke threat clusters, which use compromised websites to inject scripts that trick users into running malicious commands. Once executed, the RAT performs automated system reconnaissance and connects to its command-and-control servers via TryCloudflare. In some cases the PHP variant acts as a precursor to deploying the Node.js version. The RAT supports remote command execution, additional malware deployment, system persistence, and lateral movement over RDP. The campaign appears opportunistic, targeting a wide range of industries.