Threat intelligence
07 August 2025

Weekly Summary Cyberattacks July 31-August 06

GenAI Used to Impersonate Brazil's Govt Websites   

According to information dated August 5, 2025, researchers at Zscaler ThreatLabz have uncovered a sophisticated phishing campaign targeting Brazilian citizens by impersonating government entities such as the State Department of Traffic and the Ministry of Education. The campaign utilizes generative AI tools (DeepSite AI and BlackBox AI) to create realistic clones of official government websites. These phishing pages are designed to collect sensitive personal information and extract payments through Brazil's Pix instant payment system. The threat actors behind the campaign replicate the visual and structural elements of legitimate government websites with striking accuracy, including the use of TailwindCSS and FontAwesome for styling, and even detailed developer-style code comments, strong indicators of AI-generated code. These phishing pages are artificially promoted to the top of search engine results using SEO poisoning techniques, significantly increasing the likelihood of user interaction. There is also evidence suggesting the campaign may have been distributed via e-mail. The campaigns culminate in a fraudulent payment request of R$87.40, supposedly for processing or registration fees, which is sent via Pix and lands directly with the threat actors.

PXA Stealer Distributed via Telegram Harvests 200K Passwords and Credit Card Data   

According to information dated August 4, 2025, SentinelLABS and Beazley Security have uncovered an evolving cybercriminal campaign leveraging the Python-based PXA Stealer, an infostealer attributed to Vietnamese-speaking threat actors. The operation integrates advanced anti-analysis techniques, legitimate software sideloading, Telegram-based automation, and stealthy infrastructure to facilitate data theft and resale at scale. Over 4,000 unique victim IP addresses across 62 countries have been identified, with notable concentrations in South Korea, the United States, the Netherlands, Hungary, and Austria. The threat actors utilize phishing and social engineering tactics to lure victims into executing malicious compressed archives that include legitimate, signed applications (e.g., Haihaisoft PDF Reader or Microsoft Word 2013) bundled with sideloaded malicious DLLs. Once executed, the malware installs a Python interpreter, fetches further payloads and encrypted RAR files, and ultimately deploys PXA Stealer. The malware exfiltrates sensitive information, including over 200,000 unique passwords, hundreds of credit card records, and more than 4 million browser cookies, as well as autofill data, session tokens, and cryptocurrency wallet data. This data is automatically transmitted to Telegram bots and channeled into a broader underground marketplace.
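The execution chain summarized above (signed decoy application, DLL sideloaded from the same archive directory, Python interpreter spawned by the decoy, exfiltration to Telegram bots) maps onto three endpoint telemetry checks. The script below is an added example written for this summary, not code from SentinelLABS, Beazley Security or this page. It assumes a simplified JSON-lines event schema (`process_create`, `image_load`, `network_connect`), assumes the decoy image names `pdfreader.exe` and `winword.exe`, and assumes the bots are reached through the public Bot API host `api.telegram.org`; the DLL name `helper.dll`, the paths and every event line are constructed.

```python
"""Hunt for the PXA Stealer execution chain in endpoint telemetry (added example).

Assumed event schema (one JSON object per line):
  process_create : pid, image, parent_image
  image_load     : pid, image, module
  network_connect: pid, image, dest_host
Real EDR field names differ; adapt the accessors below.
"""
import json
import ntpath

# Signed decoy applications the report says were abused for sideloading
# (image names are assumptions; Haihaisoft PDF Reader / Word 2013 per the report).
SIDELOAD_HOSTS = {"pdfreader.exe", "winword.exe"}
# Module locations a signed application is expected to load DLLs from.
TRUSTED_DLL_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
PYTHON_IMAGES = {"python.exe", "pythonw.exe"}
TELEGRAM_API_HOST = "api.telegram.org"   # assumption: stealer talks to the public Bot API
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}   # legitimate Telegram Web users


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def analyse(jsonl_text: str):
    """Return (rule_name, pid) findings for the three stages of the chain."""
    findings = []
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        kind = ev["type"]
        if kind == "image_load":
            module = ev["module"].lower()
            # A decoy binary loading a DLL that sits beside it in a user-writable
            # directory, rather than under Windows/Program Files, is the sideload.
            if (_base(ev["image"]) in SIDELOAD_HOSTS
                    and not module.startswith(TRUSTED_DLL_ROOTS)
                    and _dir(module) == _dir(ev["image"])):
                findings.append(("dll_sideload", ev["pid"]))
        elif kind == "process_create":
            # A PDF reader or Word has no business launching a Python interpreter.
            if (_base(ev["parent_image"]) in SIDELOAD_HOSTS
                    and _base(ev["image"]) in PYTHON_IMAGES):
                findings.append(("python_from_decoy", ev["pid"]))
        elif kind == "network_connect":
            # Bot API traffic from anything that is not a browser deserves a look.
            if (ev["dest_host"].lower() == TELEGRAM_API_HOST
                    and _base(ev["image"]) not in BROWSERS):
                findings.append(("telegram_bot_api", ev["pid"]))
    return findings


# Constructed sample telemetry: one decoy launch, one sideload, one benign DLL load,
# one Python child process, one bot-API connection from Python, one from a browser.
CONSTRUCTED_EVENTS = r'''
{"type":"process_create","pid":4100,"parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Users\\u\\Downloads\\Invoice\\pdfreader.exe"}
{"type":"image_load","pid":4100,"image":"C:\\Users\\u\\Downloads\\Invoice\\pdfreader.exe","module":"C:\\Users\\u\\Downloads\\Invoice\\helper.dll"}
{"type":"image_load","pid":4100,"image":"C:\\Users\\u\\Downloads\\Invoice\\pdfreader.exe","module":"C:\\Windows\\System32\\kernel32.dll"}
{"type":"process_create","pid":4212,"parent_image":"C:\\Users\\u\\Downloads\\Invoice\\pdfreader.exe","image":"C:\\Users\\u\\AppData\\Local\\Programs\\Python\\python.exe"}
{"type":"network_connect","pid":4212,"image":"C:\\Users\\u\\AppData\\Local\\Programs\\Python\\python.exe","dest_host":"api.telegram.org"}
{"type":"network_connect","pid":5000,"image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","dest_host":"api.telegram.org"}
'''

if __name__ == "__main__":
    for rule, pid in analyse(CONSTRUCTED_EVENTS):
        print(f"{rule:<20} pid={pid}")
```

Each rule is weak on its own (developers do run Python from odd places, and a document viewer may legitimately load a plug-in from its own folder), so in practice the three findings should be correlated on the process tree: a sideload in the decoy, a Python child of that decoy, and bot-API traffic from that child together describe exactly the chain the report lays out.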

Qilin Ransomware Affiliate Panel Login Credentials Exposed Online   

According to information dated August 1, 2025, an internal conflict within the Qilin Ransomware Group was publicly exposed when one of its affiliates, known as hastalamuerte, accused Qilin's core operators of conducting an exit scam. The affiliate claimed to have been defrauded of $48,000 and posted this allegation on a dark web forum on July 31, 2025. Shortly after the accusation, a user named Nova, apparently affiliated with a rival ransomware group, leaked credentials and access to Qilin's internal affiliate panel, hosted on a Tor onion service. Nova included a warning in Russian, claiming that the FBI and security researchers had infiltrated Qilin's infrastructure, and that any funds transferred to Qilin could be immediately seized. The subsequent investigation into hastalamuerte revealed an extensive technical footprint. The affiliate was found using a Themida-packed sample of Mimikatz, uploaded to GitHub on July 27, 2024. Two HTML files acted as execution parents for this payload, ultimately writing file2.exe (a renamed copy of Mimikatz) to the local system. The actor also uploaded a Russian-language repository titled Netexecru, a cheat sheet for NetExec, a red-team framework commonly used for credential access, lateral movement, and privilege escalation within Windows Active Directory environments. This suggests the affiliate's operational focus was on enterprise Windows networks. 

Unmasking Interlock Group's Evolving Malware Arsenal 

According to information dated July 31, 2025, cybersecurity researchers from eSentire’s Threat Response Unit (TRU) uncovered a sophisticated multi-stage campaign operated by the ransomware gang Interlock Group. This group has been targeting businesses across North America and Europe, using a blend of phishing, social engineering, and malware toolsets to deploy ransomware, steal data, and establish long-term access to compromised systems. The campaign showcases the group’s capability to blend PowerShell, PHP, NodeJS, and compiled C components, supported by fake error messages, persistence via registry keys, reconnaissance tools, and encoded file exfiltration. Victim files were often base64-encoded and dropped in C:\Users\Public\ with .log extensions before exfiltration. Their findings emphasize the importance of process monitoring, LOLBin detection, and phishing awareness training to defend against such sophisticated multi-tiered threats. 
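The staging behaviour described above, base64-encoded victim files parked in C:\Users\Public\ with a .log extension, is something a defender can sweep for. The script below is an added example for this summary, not eSentire TRU code. It assumes that a genuine .log file contains timestamps, spaces and punctuation that fall outside the base64 alphabet, while a staged file is one unbroken base64 blob; the size threshold and the sample files it builds in a temporary directory are constructed.

```python
"""Sweep a directory for .log files that are really base64-encoded staging blobs (added example)."""
import base64
import binascii
import re
import tempfile
from pathlib import Path

STAGING_DIR = r"C:\Users\Public"          # directory named in the report; default root
B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")
MIN_BYTES = 256                           # assumption: ignore tiny files to cut false positives


def looks_base64_blob(data: bytes) -> bool:
    """True when the whole file body is one valid base64 stream."""
    compact = b"".join(data.split())      # tolerate line wrapping added by the encoder
    if len(compact) < MIN_BYTES or len(compact) % 4 or not B64_RE.match(compact):
        return False
    try:
        base64.b64decode(compact, validate=True)
    except binascii.Error:
        return False
    return True


def find_staged_files(root=STAGING_DIR):
    """Return sorted paths of *.log files under root whose content is a base64 blob."""
    hits = []
    for path in Path(root).rglob("*.log"):
        try:
            with open(path, "rb") as fh:
                data = fh.read(1_000_000)  # first MiB is enough to classify
        except OSError:
            continue
        if looks_base64_blob(data):
            hits.append(str(path))
    return sorted(hits)


def build_sample_dir() -> Path:
    """Constructed sample: one genuine log and one base64-encoded staged document."""
    d = Path(tempfile.mkdtemp(prefix="public_"))
    (d / "setup.log").write_text(
        "2025-08-01 10:00:01 INFO installer started\n"
        "2025-08-01 10:00:02 INFO done\n"
    )
    payload = b"CONSTRUCTED SAMPLE: contents of a staged victim document " * 20
    (d / "a1b2.log").write_bytes(base64.b64encode(payload))
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    for hit in find_staged_files(sample):
        print("possible staged file:", hit)
```

Point `find_staged_files` at the real Public directory on a suspect host; a hit is worth decoding offline to confirm it is a victim file, and the file's creation time gives a lower bound for when staging began.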

Free Decryptor Released for AI-Powered FunkSec Ransomware   

Cybersecurity researchers at Avast have released a free decryptor for the FunkSec ransomware, a malware strain now considered defunct. FunkSec had affected 113 known victims, based on its presence on the group’s ransomware leak site. Initially, the group relied solely on data exfiltration and extortion before transitioning to full data encryption. FunkSec is noted for incorporating artificial intelligence into approximately 20% of its operations. AI was used mainly to generate phishing templates and auxiliary tools rather than in core malware development. Despite its sophistication, many ransomware samples were flawed and failed to execute correctly. The ransomware is written in Rust and encrypts files with the orion-rs cryptographic library (version 0.17.7), using ChaCha20 for encryption and a Poly1305 MAC for integrity. Encrypted files bear the “.funksec” extension, and each folder includes a ransom note named “README-{random}.md”. A comprehensive list of file extensions is excluded from encryption, generally covering multimedia, backups, programming files, and widely used document formats. Avast's decryptor comes as a 64-bit executable and can be run with administrative privileges through a wizard interface. Users can choose specific directories to decrypt and are encouraged to back up encrypted files before decryption begins. A 32-bit version of the decryptor is also available for compatibility.