Threat Matrix: November 2025
The latest news from the digital underbelly and how to protect your business

Welcome to the July edition of Upfort’s Threat Matrix! Forget summer beaches—we’ve got breaches galore. This month’s highlights include a major SharePoint exploit, a massive insurance provider breach, and a spoofing campaign targeting educators (yes, even during summer break).
It’s a dangerous digital world out there, but we’re here to help you stay a step ahead.
Want to know how protected your company really is? Take two minutes to complete our interactive cybersecurity checklist or get a free cybersecurity risk assessment to uncover exploitable vulnerabilities in your network.
Microsoft has issued an emergency fix for a critical SharePoint Server vulnerability (CVE-2025-53770) that attackers are actively exploiting in the wild. The flaw—rated 9.8/10 in severity—allows unauthenticated remote code execution on vulnerable on-prem SharePoint instances through deserialization of untrusted data.
The attacks, dubbed “ToolShell”, are already impacting U.S. federal and state agencies, along with organizations worldwide. The exploit chain also includes a path traversal bug (CVE-2025-53771) to deepen system access. Notably, SharePoint Online is not affected.
No user interaction is required to exploit the flaw—just a network connection to the vulnerable server. Microsoft urges all on-prem SharePoint users to apply the security patch immediately.
How to protect your business: Install Microsoft’s emergency patch without delay if you use SharePoint Server. If patching isn’t possible immediately, restrict network access to the server and monitor for signs of compromise. Consider migrating to SharePoint Online for improved security posture.
Tea, a social app designed to offer a safe space for women, has suffered a data breach that leaked private messages, selfies, and personal details like phone numbers and profiles. In a disturbing twist, attackers created a “Facesmash”-style website where leaked photos could be rated—turning a platform intended for empowerment into a tool for harassment and public shaming.
Tea says it is working with third-party cybersecurity experts and law enforcement to investigate and contain the breach. The full scope of the data exposure is still being assessed.
How to protect your business: Apps that handle sensitive user content must encrypt data at rest and in transit, perform regular security audits, and implement strict access controls. Be transparent with users during incidents, and establish clear protocols for breach response and law enforcement coordination.
Allianz Life has confirmed a significant data breach that exposed personal information belonging to the majority of its 1.4 million customers, as well as financial professionals and select employees. The breach, which occurred on July 16, was the result of a threat actor exploiting a third-party cloud-based CRM platform using social engineering tactics.
Although Allianz has not disclosed the full number of affected individuals, it acknowledged in filings that notifications will begin around August 1. The company has reported the incident to the FBI and stated there is no evidence that other systems were compromised. It has not revealed whether it received any demands from attackers or if the breach is linked to known groups like Scattered Spider, which has recently targeted other insurers.
How to protect your business: If your business relies on third-party platforms to store customer data, conduct regular vendor security assessments and limit the data shared. Train employees to recognize social engineering attacks, and ensure multi-factor authentication is enforced for all external systems.
Threat actors are impersonating the U.S. Department of Education’s G5 grant management portal in an active phishing campaign targeting educators, nonprofits, and grant administrators. Fake domains mimicking the G5 login page are being used to steal credentials and access sensitive grant data, change payment instructions, or launch further attacks.
Researchers at BforeAI’s PreCrime Labs attribute the spike to political disruption following recent news of 1,400 layoffs at the DoE. The spoofed pages use realistic design, JavaScript-based credential exfiltration, and Cloudflare’s CDN to evade detection and appear legitimate. As of late July, much of the malicious infrastructure remains live.
How to protect your business: If your organization handles government funding or interacts with federal grant systems, train staff to verify URLs, bookmark official login pages, and avoid clicking login links in emails. Implement domain allowlists and use threat intelligence feeds to block known phishing infrastructure.
A new malware campaign dubbed Koske is targeting Linux systems by disguising its payload as cute panda images. According to AquaSec, the malware is believed to have been developed using automation tools or AI like large language models, and it installs stealthy CPU/GPU-optimized cryptominers on compromised devices.
The attackers gain access through exposed JupyterLab instances, then download polyglot files—valid JPEGs that double as malicious scripts. One payload installs a C-based rootkit that hides itself using LD_PRELOAD, while the other runs a shell script from memory to maintain persistence and evade detection. Koske supports mining 18 different coins and adapts in real time if a pool or coin becomes unavailable.
How to protect your business: If you use JupyterLab or other development tools, secure them with authentication and never expose them to the internet without proper access controls. Regularly monitor for unauthorized processes, check for strange cron jobs or custom services, and scan for modified system files. Stay up to date with Linux patches and restrict outbound traffic to prevent cryptominer downloads.
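As an added example (not code from the newsletter or from AquaSec), a small Python checker for the two Koske techniques described above: a JPEG that doubles as a script, and libraries forced into every process through /etc/ld.so.preload. The JPEG bytes are constructed, the script markers are a heuristic of mine, and the assumption that an LD_PRELOAD rootkit registers itself in /etc/ld.so.preload is mine, not the write-up's.

```python
# Added example, not code from the Upfort newsletter or AquaSec's write-up.
import os

JPEG_SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker
JPEG_EOI = b"\xff\xd9"      # JPEG end-of-image marker
# Heuristic markers of script content appended behind a valid image
SCRIPT_MARKERS = (b"#!/", b"/bin/sh", b"bash", b"LD_PRELOAD", b"curl ", b"wget ")


def polyglot_tail(data: bytes) -> bytes:
    """Bytes after the last end-of-image marker (empty for non-JPEGs or
    images with nothing trailing). A normal JPEG ends at EOI; an appended
    script, as in the Koske polyglots, lands here."""
    if not data.startswith(JPEG_SOI):
        return b""
    eoi = data.rfind(JPEG_EOI)
    return data[eoi + 2:].strip() if eoi != -1 else b""


def is_script_polyglot(data: bytes) -> bool:
    """True when a JPEG carries script-like text after its image data."""
    tail = polyglot_tail(data)
    return bool(tail) and any(m in tail for m in SCRIPT_MARKERS)


def parse_ld_preload(content: str) -> list[str]:
    """Library paths listed in /etc/ld.so.preload text. The file is normally
    absent or empty, so any entry is worth reviewing (assumption: an
    LD_PRELOAD rootkit such as Koske's is loaded this way)."""
    return [ln.strip() for ln in content.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def scan_images(root: str) -> list[str]:
    """Walk a directory tree and return paths of JPEGs with script tails."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    if is_script_polyglot(fh.read()):
                        hits.append(path)
            except OSError:
                continue
    return hits


# Constructed samples: stub JFIF header, stand-in body, EOI, then a script
_JFIF = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
CLEAN_JPEG = _JFIF + b"\x00" * 16 + JPEG_EOI
POLYGLOT_JPEG = CLEAN_JPEG + b"\n#!/bin/bash\nexport LD_PRELOAD=/tmp/constructed.so\n"
```

Run `scan_images` over a directory of downloaded images and `parse_ld_preload` over the contents of /etc/ld.so.preload; a non-empty result from either is a lead to investigate, not proof of compromise.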
Hackers have compromised the early access Steam game Chemia to distribute malware that steals sensitive user data. The attack was discovered by Prodaft, who say the threat actor—known as EncryptHub or Larva-208—injected malicious files into the game’s install package hosted on Steam.
The attackers used HijackLoader to gain persistence and download the Vidar infostealer, followed shortly by Fickle Stealer, a tool that grabs saved passwords, cookies, autofill data, and crypto wallet info. The malware hides in the background, allowing the game to run normally while compromising players’ systems.
This is the third case of Steam malware in 2025, and all have involved early access titles—raising concerns about the platform’s review process for non-final game builds.
How to protect your business: Advise employees to avoid downloading early access or unofficial software—especially on work devices. Restrict installation privileges to prevent unauthorized apps. Use endpoint protection to detect malware like infostealers, and consider blocking gaming platforms on company networks if not needed for business.
The UK government is taking bold steps to disrupt the ransomware economy by banning public sector organizations from paying ransoms to cybercriminals. The proposed law would apply to local councils, schools, and the National Health Service (NHS)—entities frequently targeted in ransomware campaigns.
Officials say the goal is to “smash the cybercriminal business model” by making public services less appealing targets. The move follows years of mounting ransomware attacks that have crippled key institutions, from the British Library to Marks & Spencer, and cost the UK economy millions annually.
Private companies won’t be banned from paying ransoms but must notify the government if they plan to do so, helping assess risks related to sanctioned groups. A new mandatory reporting system will also give law enforcement better visibility into ransomware trends and support investigations.
How to protect your business: Stay ahead of ransomware threats by implementing layered defenses, employee training, and offline backups. Reporting incidents and avoiding ransom payments can limit attackers’ leverage—and help dismantle their financial incentive structure.
