MONTHLY WRAP

Overview

The threat landscape has shifted from high-noise attacks to sophisticated operations exploiting trust mechanisms and UI vulnerabilities. Key developments include TapTrap affecting 76% of Android apps, ASP[.]NET View State cryptographic attacks, weaponized AI coding agent hallucinations, and hybrid hacktivist-cybercrime groups like Keymous+. Threat actors compromised critical sectors by abusing trusted infrastructure components while mobile and macOS malware evolved into full remote access tools. With traditional perimeter defenses now obsolete, organizations must adopt zero-trust architectures and dynamic monitoring to counter threats that succeed by exploiting existing trust relationships rather than deploying novel malware.


  • AI Tool Hallucination in Software Supply Chains: Threat actors exploited hallucinated package names generated by AI coding agents, including OpenAI Codex and Cursor AI. Fake packages were pre-registered on PyPI and npm, allowing attackers to introduce malware directly into CI/CD pipelines.
  • Android-Based Regional Malware Resurgence: Qwizzserial malware resurfaced in Central Asia, stealing SMS-based 2FA codes and banking data by posing as legitimate apps. Enhanced obfuscation and telemetry capabilities enabled long-term persistence and stealth.
  • Cryptographic Key Abuse via ASP[.]NET View State Attacks: TGR-CRI-0045 leveraged stolen ASP[.]NET Machine Keys to execute memory-resident payloads through View State deserialization, evading disk-based detection while targeting U.S. and European finance and manufacturing sectors.
  • Emergence of Hybrid Hacktivist-Cybercrime Groups: Keymous+ blurred lines between activism and monetized attacks, launching 700+ DDoS campaigns while promoting DDoS-for-hire services. The group’s operations suggest a botnet-as-a-brand model focused on visibility and revenue.
  • Fileless Infostealers Using Stealthy Infection Chains: NordDragonScan used phishing lures, mshta[.]exe, and obfuscated HTA scripts to drop in-memory payloads while avoiding detection. The malware exfiltrated browser credentials, system screenshots, and network data via HTTP headers.
  • Invisible UI Exploits on Android Devices: The TapTrap exploit weaponized system-level animation transitions to intercept user taps without overlays, silently gaining sensitive permissions with 76% of scanned Play Store apps found vulnerable.
  • Kernel-Level Malware via Driver Signing Abuse: Over 620 malicious drivers and 80 compromised certificates were identified in ongoing campaigns that exploit Microsoft’s Windows Hardware Compatibility Program to deploy signed kernel-level malware undetected by standard security controls.
  • macOS Malware Expands into Remote Access: Atomic macOS Stealer (AMOS) evolved into a full RAT by adding persistent backdoors and command execution features. It bypassed macOS Gatekeeper protections using AppleScript and LaunchDaemons.
  • Mobile Malware Evolution with DTO Capabilities: Anatsa trojan operations in North America used staged apps on the Google Play Store to carry out Device Takeover Fraud. The malware dynamically updated its target list and achieved over 90,000 downloads before it was taken down.
  • Weaponized PDF Phishing with Voice and QR Payloads: TOAD campaigns used PDF attachments impersonating brands including PayPal and Microsoft to lure victims into calling fake support lines, where attackers installed remote access tools or harvested payment credentials.

Threat Landscape Overview

The cyber threat landscape in July 2025 reflected a continued shift away from high-noise, easily detected attacks toward operations rooted in stealth, persistence, and trust exploitation. Threat actors relied on refined techniques and familiar toolsets, repurposing them to bypass controls that users and defenders still assume to be secure. Common intrusion methods included manipulating user interface logic, exploiting identity systems, and abusing misconfigured authentication or cloud trust paths. These approaches enabled adversaries to maintain access quietly without triggering alerts or requiring custom malware development.

Mobile platforms, especially Android, remained a primary vector as attackers increasingly focused on abusing interface animations and overlays to hijack user interaction. These techniques granted access to sensitive permissions while appearing benign, making detection difficult even for aware users. In enterprise settings, attackers exploited cryptographic mismanagement, driver signing loopholes, and deserialization flaws to gain footholds in trusted infrastructure. State-aligned groups expanded their campaigns targeting sectors related to AI, quantum research, and government systems. At the same time, eCrime actors turned to poisoned development environments, cracked software portals, and embedded scripts in content-sharing platforms to scale their infections. In nearly every case, the success of these operations depended less on the new code and more on abusing what systems already trust.

Across all fronts, one pattern remained consistent: attackers exploited the growing complexity of digital environments, and the assumptions users and defenders make about what is safe. As traditional perimeter defenses continue to fall short, identity, behavior, and design flaws have become the primary points of exploitation. The convergence of espionage, cybercrime, and hacktivism has blurred lines, making attribution more difficult and defense more complicated. Organizations that continue to rely on static controls and legacy trust models are at increased risk. Resilience now depends on an organization’s ability to monitor dynamic activity, adapt to shifting threats, and anticipate how trust can be misused over time.


Industries Targeted

  • Financial Sector: Anatsa, Qwizzserial, and NordDragonScan targeted banking users through mobile overlays, credential harvesting, and DTO fraud. View State deserialization attacks also targeted web-facing infrastructure in U.S. financial organizations.
  • Government & Diplomacy: NightEagle exploited Microsoft Exchange zero-days in intelligence-driven campaigns against AI, semiconductor, and defense entities, aiming to extract intellectual property and maintain internal footholds.
  • Healthcare & Clinical Systems: PDF-based callback phishing and credential theft via fake support portals compromised healthcare billing platforms and clinical SaaS systems due to inadequate user verification.
  • Manufacturing & Industrial Control Systems: RingReaper targeted Linux systems using io_uring abuse to bypass EDR controls, while compromised WordPress sites delivered malware to engineering and ICS environments via legitimate content management interfaces.
  • Technology & Developer Ecosystems: AI hallucination exploits and slopsquatting attacks leveraged developer trust in coding agents and open repositories, compromising CI/CD workflows and introducing supply chain risks.

Most Active Threat Actors

  • AMOS Operators (Russian-linked eCrime): Updated Atomic macOS Stealer with persistent remote access features, keylogging, and hidden LaunchDaemons. Distributed through cracked software channels and phishing campaigns.
  • Blind Eagle (Latin America-focused APT): Targeted Colombian and Argentine financial institutions using AsyncRAT and Remcos. The group leveraged open directories and reused SSL certificates, prioritizing speed and volume over stealth while still maintaining full remote access capabilities. Payloads were delivered via phishing campaigns using regionally tailored lures and hosted infrastructure.
  • Keymous+ (Hybrid Actor): Conducted 700+ DDoS operations in 2025, masking commercial DDoS-for-hire services under a pseudo-hacktivist identity. Promoted EliteStress attack services via social media and shared branding with NoName057(16).
  • NightEagle (APT-Q-95): Used a zero-day in Microsoft Exchange to implant persistent loaders and Chisel tunneling tools inside sensitive environments. Focused on sectors including AI, quantum research, and defense.
  • NordDragonScan Operator (eCrime): Deployed a stealth infostealer using advanced obfuscation, HTA-based delivery, and registry persistence, and exfiltrated browser and system data to C2 infrastructure via custom headers.
  • Pro-Russian Hacktivist Alliance (Multiple Groups): IT Army of Russia and TwoNet escalated from DDoS to targeting OT systems in the energy and water sectors. Operations suggest coordination and shared tooling across campaigns.
  • TA829 & UNK_GreenSec (Espionage-Cybercrime Blend): Shared infrastructure and tactics, including the use of SlipScreen, TransferLoader, and IPFS-hosted payloads. Focused on malware staging and stealth post-exploitation activity.
  • TGR-CRI-0045 (eCrime): Exploited leaked ASP.NET Machine Keys to deploy memory-resident payloads via HTTP POST requests. Targeted web servers across the U.S. and EU sectors, including financial and manufacturing verticals.
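The machine-key abuse described in the overview bullet and in the TGR-CRI-0045 entry above depends on a static validationKey that has leaked. The following added example (written for this wrap-up, not tooling from Hunter Strategy or any vendor named here) audits a web.config for the settings that make such a leak exploitable; the sample config, the key value and the disclosed-key set are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config (not from the report): hard-coded keys and a weak MAC.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="true" />
    <machineKey validationKey="ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

# Placeholder set: fill from your own intel feed of publicly disclosed keys.
# The single value here is the constructed sample key above, so the demo flags it.
KNOWN_DISCLOSED_KEYS = {"ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789"}

WEAK_VALIDATION = {"MD5", "SHA1"}   # View State MAC algorithms to retire
WEAK_DECRYPTION = {"DES", "3DES"}   # View State encryption algorithms to retire


def audit_machine_key(config_xml: str) -> list[str]:
    """Return findings for <machineKey>/<pages> settings that weaken View State integrity."""
    findings = []
    root = ET.fromstring(config_xml)
    # Anyone holding the validationKey can forge signed View State; turning the MAC
    # off removes even that requirement.
    for pages in root.findall(".//pages"):
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append("enableViewStateMac=false: unsigned View State is accepted")
    keys = root.findall(".//machineKey")
    if not keys:
        findings.append("no explicit <machineKey>: keys are auto-generated per server")
    for mk in keys:
        vkey = mk.get("validationKey", "AutoGenerate")
        dkey = mk.get("decryptionKey", "AutoGenerate")
        if not vkey.startswith("AutoGenerate"):
            findings.append("static validationKey: a leak lets anyone forge signed View State")
            if vkey.upper() in KNOWN_DISCLOSED_KEYS:
                findings.append("validationKey matches a publicly disclosed key: rotate now")
        if not dkey.startswith("AutoGenerate"):
            findings.append("static decryptionKey: rotate after any config or source exposure")
        # ASP.NET 4.x defaults are HMACSHA256 / Auto when the attributes are omitted.
        if mk.get("validation", "HMACSHA256").upper() in WEAK_VALIDATION:
            findings.append(f"weak validation={mk.get('validation')}: use HMACSHA256 or stronger")
        if mk.get("decryption", "Auto").upper() in WEAK_DECRYPTION:
            findings.append(f"weak decryption={mk.get('decryption')}: use AES")
    return findings
```

Run it over every web.config in a deployment pipeline; a static key shared across a web farm is legitimate, but it must then be treated as a secret and rotated like one.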

Hunter Insights

As we move into the next couple of months, several key trends are expected to accelerate based on current threat patterns and intelligence. Mobile malware targeting Android devices is expected to intensify dramatically, building on the 151% surge already documented in the first half of 2025. Expect September and October to see a continued escalation in banking Trojans, such as Mamont, and sophisticated spyware operations, particularly as cybercriminals capitalize on back-to-school financial activities and early holiday shopping periods. The emergence of AI-enhanced social engineering attacks is expected to gain momentum, with deepfake-enabled fraud becoming increasingly accessible to mid-tier threat actors following successful high-profile incidents.

Supply chain attacks leveraging AI vulnerabilities will become the dominant concern for enterprise security teams, as threat actors exploit the growing deployment of AI tools across business operations. Organizations should prepare for an increase in attacks targeting third-party AI model repositories and API integrations, as malicious models and data poisoning campaigns become more covert and challenging to detect. The convergence of hacktivist operations with cybercrime-as-a-service offerings will blur traditional attribution lines, creating more unpredictable attack patterns that combine ideological motivations with profit-driven tactics. Defenders must anticipate that the specialized cybercrime marketplace will continue fragmenting, with threat actors focusing on specific attack chain segments to maximize efficiency and evade detection.


Vulnerability Asset Management

Why Context Matters More Than Technology

Asset criticality shifts with your business calendar. What looks routine in March becomes mission-critical in December. Take payroll systems. They hum along quietly for most of the year. Then year-end processing hits, and suddenly they're carrying your entire employee compensation strategy. Marketing workstations follow the same pattern. They seem unremarkable until they're supporting a product launch that drives 40% of your revenue. The best IT leaders already know this. They build flexibility into their risk assessments because they understand that context matters more than the asset itself.

The part most people overlook is how backup processes work in practice. Technical redundancy is only half the story. If your primary system fails, that manual workaround process might buy you 24 hours of breathing room. That changes everything about how you calculate risk. The companies getting this right don't just focus on preventing system failures. They focus on having options when failures happen anyway. They train people on manual processes before emergencies hit. They map out which assets become critical during specific business events. Most importantly, they treat backup processes as business processes, not just IT processes.

Try this exercise with your next risk assessment. Instead of rating assets by technical importance, rate them by business calendar events. Which systems become critical during quarter-end? Which ones matter most during product launches or seasonal peaks? Then ask what manual processes could keep you running if those systems failed during those high-stakes periods. You might discover that your most significant risks aren't where you thought they were.
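To make the exercise above concrete, here is an added example (not material from Hunter Strategy) that scores assets by business-calendar windows and by how much of an outage a manual workaround would cover; the asset inventory, dates and scores are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Asset:
    name: str
    base_score: int  # routine criticality, 1 (low) to 5 (high)
    # (window_start, window_end, criticality while that business event is underway)
    critical_windows: list = field(default_factory=list)
    manual_workaround_hours: float = 0.0  # how long a tested manual process keeps the business running


def effective_criticality(asset: Asset, on: date) -> int:
    """Criticality on a given date: the base score, raised by any open calendar window."""
    score = asset.base_score
    for start, end, window_score in asset.critical_windows:
        if start <= on <= end:
            score = max(score, window_score)
    return score


def residual_risk(asset: Asset, on: date, expected_outage_hours: float) -> float:
    """Criticality scaled by the share of the outage the manual workaround cannot cover."""
    uncovered = max(0.0, expected_outage_hours - asset.manual_workaround_hours)
    return effective_criticality(asset, on) * uncovered / expected_outage_hours


def prioritize(assets, on: date, expected_outage_hours: float):
    """Rank assets by residual risk for a specific date, highest first."""
    scored = [(a.name, round(residual_risk(a, on, expected_outage_hours), 2)) for a in assets]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample inventory; windows and scores are illustrative, not from the report.
SAMPLE_ASSETS = [
    Asset("payroll", 2, [(date(2025, 12, 15), date(2026, 1, 5), 5)], manual_workaround_hours=16),
    Asset("marketing-workstation", 1, [(date(2025, 9, 8), date(2025, 9, 12), 4)]),
    Asset("file-server", 3, [], manual_workaround_hours=8),
]

if __name__ == "__main__":
    for day in (date(2025, 3, 1), date(2025, 9, 10), date(2025, 12, 20)):
        print(day, prioritize(SAMPLE_ASSETS, day, expected_outage_hours=48))
```

The same three assets rank differently in March, during the September launch window and at year-end, which is the point of rating by calendar rather than by technology.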

💡
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.