July 28, 2025 Cyber Threat Intelligence Briefing
This week’s briefing covers:
00:00 – Intro
00:38 [CAMPAIGN] Multiple Campaigns Targeting SharePoint With “ToolShell” Exploit
Key Takeaways:
- On-premises SharePoint exploitation ramped up sharply between July 18 and July 23.
- Kroll is tracking five campaigns leveraging variants of the 'ToolShell' exploit.
- Affected organizations should assume compromise and move to an incident response posture.
04:32 [VULNERABILITY] Cisco Confirms Active Exploitation of Multiple CVEs Targeting ISE Enabling Unauthenticated Root Access
Cisco has confirmed active exploitation of multiple critical vulnerabilities, each rated CVSS 10.0 (Critical), in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC). Successful exploitation gives an unauthenticated remote attacker root-level access to the appliance.
05:27 [VULNERABILITY] CVE-2025-54309 - CrushFTP Vulnerability
A critical vulnerability in CrushFTP tracked as CVE-2025-54309 with a CVSS score of 9.0 is being actively exploited in the wild. The vulnerability affects versions of CrushFTP 10 (before 10.8.5) and CrushFTP 11 (before 11.3.4_23) when the DMZ proxy is not used, allowing attackers to gain admin access via HTTPS through improper AS2 validation.
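The affected range above has an edge that simple string comparison gets wrong: CrushFTP appends a build number with an underscore (11.3.4_23), so 11.3.4 with no build suffix is still inside the vulnerable range. The following inventory check is an added example written for this briefing, not code from Kroll or from the CrushFTP project; the fixed-version tuples come from the advisory text above, while the parser, the assumption that a bare 11.3.4 sorts before 11.3.4_23, the `host version [dmz]` input format and the sample hosts are this example's own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed versions for CVE-2025-54309 as stated in the advisory: 10.8.5 and 11.3.4_23.
# Encoded as (major, minor, patch, build); a missing build suffix is treated as 0.
FIXED_10 = (10, 8, 5, 0)
FIXED_11 = (11, 3, 4, 23)

# CrushFTP version strings look like "10.8.4" or "11.3.4_23".
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_version(v: str) -> Tuple[int, int, int, int]:
    """Parse major.minor.patch[_build] into a comparable tuple.

    Assumption made by this example: a version with no build suffix is
    earlier than any numbered build of the same release, so 11.3.4 < 11.3.4_23.
    """
    m = _VER_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {v!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def is_vulnerable(version: str, dmz_proxy_in_use: bool = False) -> Optional[bool]:
    """True if the version is in the affected range and no DMZ proxy fronts it,
    False if patched or mitigated by the DMZ proxy, None for major versions
    the advisory does not cover."""
    if dmz_proxy_in_use:
        # The advisory scopes the issue to deployments without the DMZ proxy.
        return False
    ver = parse_version(version)
    if ver[0] == 10:
        return ver < FIXED_10
    if ver[0] == 11:
        return ver < FIXED_11
    return None


def triage(inventory_lines: List[str]) -> Dict[str, Optional[bool]]:
    """Map constructed 'host version [dmz]' lines to a verdict per host."""
    results: Dict[str, Optional[bool]] = {}
    for line in inventory_lines:
        parts = line.split()
        host, version = parts[0], parts[1]
        dmz = len(parts) > 2 and parts[2].lower() == "dmz"
        results[host] = is_vulnerable(version, dmz)
    return results


if __name__ == "__main__":
    # Constructed sample inventory for this example; not real hosts.
    sample = [
        "ftp-a.example.internal 10.8.4",
        "ftp-b.example.internal 10.8.5",
        "ftp-c.example.internal 11.3.4",
        "ftp-d.example.internal 11.3.4_23",
        "ftp-e.example.internal 11.2.0 dmz",
    ]
    labels = {True: "VULNERABLE", False: "not affected", None: "out of scope"}
    for host, verdict in triage(sample).items():
        print(f"{host}: {labels[verdict]}")
```

Treat the DMZ-proxy exclusion as a mitigation, not a fix: hosts that return False only because of the proxy should still be scheduled for the patch.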
06:28 [MALWARE SPOTLIGHT] XWORM Updated Technical Analysis
Ghost Crypt delivers a zipped archive to the victim containing a PDF Reader application, a DLL and a PDF file. When the archive is extracted and the application is launched to open the PDF, it also side-loads the DLL from the same directory. This DLL is the malicious component of the attack.
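The lure works because the Windows loader searches the application's own directory before the system directories, so a DLL dropped next to a legitimate executable is picked up ahead of the real one. The triage script below is an added example written for this briefing, not Kroll's code or anything from the malware itself: it walks an extracted archive and flags directories where an executable sits beside a DLL whose name collides with a commonly hijacked Windows DLL. The DLL name list, the `Invoice_Q3` sample layout and the file names in it are assumptions constructed for the example.

```python
import os
import tempfile
from typing import Dict, List

# Assumed, illustrative subset of Windows DLL names that are frequently
# targeted for side-loading because many signed applications import them.
# This is not an authoritative list.
COMMONLY_HIJACKED_DLLS = {
    "version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll", "userenv.dll",
    "dwmapi.dll", "msimg32.dll", "winhttp.dll", "profapi.dll", "iphlpapi.dll",
}
DECOY_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")


def scan_extracted_archive(root: str) -> List[Dict[str, object]]:
    """Flag directories containing an .exe next to a DLL with a system-DLL name.

    Under the default search order such a DLL is loaded from the application
    directory before System32, which is the side-loading primitive described
    above. A DLL with a custom name can be side-loaded too, but confirming that
    needs the executable's import table, which this heuristic does not parse.
    """
    findings: List[Dict[str, object]] = []
    for dirpath, _, filenames in os.walk(root):
        lower = {f.lower(): f for f in filenames}
        exes = [lower[f] for f in lower if f.endswith(".exe")]
        dlls = [f for f in lower if f.endswith(".dll")]
        if not exes or not dlls:
            continue
        candidates = [lower[d] for d in dlls if d in COMMONLY_HIJACKED_DLLS]
        if not candidates:
            continue
        decoys = [lower[f] for f in lower if f.endswith(DECOY_EXTENSIONS)]
        findings.append({
            "dir": dirpath,
            "executables": exes,
            "sideload_candidates": candidates,
            "decoy_documents": decoys,
        })
    return findings


def build_sample_archive(base: str) -> str:
    """Create a constructed layout mimicking the lure: reader exe, DLL, PDF."""
    lure = os.path.join(base, "Invoice_Q3")
    os.makedirs(lure, exist_ok=True)
    for name in ("PDFReader.exe", "version.dll", "Invoice_Q3.pdf"):
        with open(os.path.join(lure, name), "wb") as fh:
            fh.write(b"MZ" if name.endswith((".exe", ".dll")) else b"%PDF-1.4")
    # A benign tool with its own private helper DLL should not be flagged.
    benign = os.path.join(base, "tool")
    os.makedirs(benign, exist_ok=True)
    for name in ("tool.exe", "tool_helper.dll"):
        with open(os.path.join(benign, name), "wb") as fh:
            fh.write(b"MZ")
    return base


def demo() -> List[Dict[str, object]]:
    """Build the constructed archive in a temp dir and scan it."""
    base = tempfile.mkdtemp(prefix="sideload-triage-")
    return scan_extracted_archive(build_sample_archive(base))


if __name__ == "__main__":
    for f in demo():
        print(f"{f['dir']}: {f['executables']} loads {f['sideload_candidates']} "
              f"(decoys: {f['decoy_documents']})")
```

Two caveats when using this on real archives: DLLs on the KnownDLLs list (kernel32.dll and similar) are always resolved from the system, so a colliding copy is noise rather than a side-load; and a finding here is a reason to detonate or inspect the pair, not proof of malice on its own.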
09:37 LUMMASTEALER Developer Returns After Takedown
The vulnerability CVE-2025-47812 in Wing FTP Server is actively exploited in the wild and carries a CVSS score of 10.0 (Critical). According to research from Huntress, exploitation has been observed from as early as July 1, 2025, only a day after the vulnerability's disclosure on June 30.
11:01 UK Announces Sweeping Ransomware Countermeasures
Key Takeaways:
- The UK bans public sector and Critical National Infrastructure (CNI) entities (NHS, councils, schools) from paying ransoms.
- Businesses outside the ban must notify the government before making any ransom payment.
- Seventy-three percent of consultation respondents supported the payment ban, with broad coalition endorsements (NCSC, Co-op, British Library).
12:02 [RANSOMWARE] FBI Warns about INTERLOCK Ransomware Group
Key Takeaways:
- The group uniquely uses compromised legitimate websites to trigger malware downloads, disguising payloads as Chrome or Edge updates, an uncommon but effective delivery tactic for ransomware.
- INTERLOCK, or KTA379, is a financially motivated RaaS operation with a strong focus on North American and European healthcare providers, having already impacted high-profile organizations like DaVita and Texas Tech Health Sciences Center.
- In addition to encrypting data, the group exfiltrates sensitive files and threatens public leaks. Persistence is maintained via PowerShell-based startup scripts and Windows Registry modifications, alongside tooling such as NodeSnake RAT and Cobalt Strike for remote access and AzCopy for exfiltration.
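The two persistence mechanisms named above (PowerShell launched from a Run key, and scripts or shortcuts dropped into the Startup folder) are both visible in Sysmon registry and file-create telemetry. The hunt logic below is an added example written for this briefing, not Kroll's detection content and not derived from INTERLOCK samples; the event records are constructed Sysmon-style dictionaries (Event ID 13 for a registry value set, Event ID 11 for a file create), and the host name, SID and paths in them are invented for the example.

```python
import re
from typing import Dict, List

# Autostart locations called out for INTERLOCK: Run/RunOnce keys and the Startup folder.
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)(Ex)?\\", re.IGNORECASE)
STARTUP_DIR_RE = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(ps1|lnk|bat|cmd|vbs)$", re.IGNORECASE)
POWERSHELL_RE = re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.IGNORECASE)
# Flags and locations that rarely appear in legitimate autostart entries.
SUSPICIOUS_ARGS_RE = re.compile(
    r"(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop(rofile)?\b"
    r"|-(ep|ex|exec|executionpolicy)\s+bypass|\\Temp\\|\\AppData\\)",
    re.IGNORECASE)


def score_event(ev: Dict[str, str]) -> List[str]:
    """Return the list of reasons an event looks like autostart persistence."""
    reasons: List[str] = []
    if ev.get("EventID") == "13":  # Sysmon RegistryEvent: value set
        target, details = ev.get("TargetObject", ""), ev.get("Details", "")
        if RUN_KEY_RE.search(target) and POWERSHELL_RE.search(details):
            reasons.append("Run-key value launches PowerShell")
            if SUSPICIOUS_ARGS_RE.search(details):
                reasons.append("hidden/encoded/bypass flags or user-writable script path")
    elif ev.get("EventID") == "11":  # Sysmon FileCreate
        if STARTUP_DIR_RE.search(ev.get("TargetFilename", "")):
            reasons.append("script or shortcut dropped in Startup folder")
            if POWERSHELL_RE.search(ev.get("Image", "")):
                reasons.append("dropped by a PowerShell process")
    return reasons


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run score_event over a batch and keep only the events with findings."""
    hits: List[Dict[str, object]] = []
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            hits.append({
                "host": ev.get("Computer"),
                "EventID": ev["EventID"],
                "reasons": reasons,
                "evidence": ev.get("Details") or ev.get("TargetFilename"),
            })
    return hits


# Constructed Sysmon-style records for this example; not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "13", "Computer": "WS-0142", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"powershell.exe -w hidden -nop -ep bypass -File C:\Users\jdoe\AppData\Roaming\update.ps1"},
    {"EventID": "13", "Computer": "WS-0142", "Image": r"C:\Program Files\Vendor\Setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r'"C:\Program Files\Vendor\Agent.exe" /tray'},
    {"EventID": "11", "Computer": "WS-0142",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.lnk"},
    {"EventID": "11", "Computer": "WS-0142",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\jdoe\Documents\report.docx"},
    {"EventID": "1", "Computer": "WS-0142", "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit['host']} EID {hit['EventID']}: {'; '.join(hit['reasons'])}")
        print(f"    evidence: {hit['evidence']}")
```

The benign Run-key entry and the Word document create fall through with no reasons, which is the point of requiring both the autostart location and the PowerShell indicator rather than alerting on every Run-key write. In production, pair this with a baseline of known-good autostart values per image so a new vendor agent does not page the on-call.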
13:55 [RANSOMWARE] KTA470 Uses AI Chatbot for Negotiations
Key Takeaways:
- The threat actor known as $$$, previously linked to MAMONA and BLACK LOCK ransomware, has launched GLOBAL GROUP or KTA470 as a new RaaS offering with infrastructure, code, and negotiation tactics largely inherited from those past operations.
- KTA470 integrates an AI-powered chatbot in its negotiation portal and offers a mobile-friendly affiliate panel, enabling affiliates to engage victims across time zones and languages with minimal human effort.
- Despite using Tor and hidden services, exposed API metadata leaked real IP addresses and SSH credentials, tying GLOBAL GROUP’s backend infrastructure to the same Russian VPS provider used by MAMONA.
Dive deeper:
Kroll’s Monthly Threat Intelligence Spotlight Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/cti-spotlight-trends-report
Kroll’s Q3 2023 Threat Landscape Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/q3-2023-threat-landscape-report-social-engineering
Playlist of Kroll's Weekly Cyber Threat Intelligence Briefings: Cyber Threat Intelligence Briefings
Kroll Cyber Blog: https://www.kroll.com/en/insights/publications/cyber
Kroll Cyber Threat Intelligence: https://www.kroll.com/en/services/cyber-risk/managed-security/threat-intelligence-services
Kroll Threat Intelligence Reports: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports
Kroll Responder MDR: https://www.kroll.com/en/services/cyber-risk/managed-security/kroll-responder
#krollcyber #threatintelligence #cyberthreats