TRENDING TOPICS JULY 31, 2025

Update: SafePay Ransomware Group Claims Ingram Micro Breach 

SafePay ransomware operators have publicly claimed responsibility for the cyberattack on Ingram Micro, one of the world’s largest IT distributors, adding the company to their leak site after weeks of silence. The group claims to have exfiltrated 3.5 terabytes of data during the intrusion and is threatening to publish it within three days, a countdown that extends the initial seven-day ransom deadline. Ingram Micro disclosed the attack on July 5, stating that it had taken affected systems offline, deployed mitigation controls, and opened an investigation with outside cybersecurity experts while notifying law enforcement. By July 7 it had begun restoring business processes, declared the incident “contained and remediated” on July 8, and confirmed on July 9 that all global operations were fully functional, stressing its commitment to minimizing disruption for customers and vendor partners.

Investigative sources indicate that SafePay most likely entered through Ingram Micro’s Palo Alto Networks GlobalProtect VPN, using stolen credentials or a misconfigured gateway. That fits SafePay’s established pattern of quiet initial access followed by large-scale data exfiltration before any ransom demand is made. The leak-site listing signals that the group may well follow through on its threat to publish the data, which raises supply chain exposure concerns across Ingram Micro’s extensive customer and vendor base. Although operations have been restored, the confirmed data theft and the continuing extortion attempt leave the company and its business ecosystem facing a significant risk of secondary attacks, data abuse, and reputational fallout.
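The reported entry vector (a VPN gateway reached with stolen credentials) leaves traces in authentication logs that most organizations already collect. The script below is an added example for this item, not code from Ingram Micro, SafePay or Palo Alto Networks. Its log format is a constructed, simplified key=value layout: real GlobalProtect authentication events come from PAN-OS system logs or a SIEM export of them and use different field names, so the regular expression must be adapted. The sample lines are invented for the example. It checks two patterns a practitioner would hunt for after this kind of incident: a burst of failed logins followed by a success from the same source, and a successful login from a source IP never seen for that user during a baseline period.

```python
"""Hunt VPN gateway authentication logs for credential-abuse patterns.

Added example; not code from Ingram Micro, SafePay or Palo Alto Networks.
The key=value line format and the sample lines are constructed; adapt
LINE_RE to the fields of your real gateway or SIEM export.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; they do not come from any real incident.
SAMPLE_LOG = """\
2025-07-02T21:58:01Z gateway=gp-gw-01 user=jsmith src=203.0.113.45 event=auth-fail
2025-07-02T21:58:04Z gateway=gp-gw-01 user=jsmith src=203.0.113.45 event=auth-fail
2025-07-02T21:58:09Z gateway=gp-gw-01 user=jsmith src=203.0.113.45 event=auth-fail
2025-07-02T21:58:13Z gateway=gp-gw-01 user=jsmith src=203.0.113.45 event=auth-fail
2025-07-02T21:58:20Z gateway=gp-gw-01 user=jsmith src=203.0.113.45 event=auth-success
2025-07-02T22:10:00Z gateway=gp-gw-01 user=mlee src=198.51.100.7 event=auth-success
2025-07-03T08:00:00Z gateway=gp-gw-01 user=mlee src=198.51.100.7 event=auth-success
2025-07-03T09:15:00Z gateway=gp-gw-02 user=mlee src=192.0.2.200 event=auth-success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) gateway=(?P<gateway>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) event=(?P<event>\S+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse(log_text):
    """Parse matching lines into dicts sorted by timestamp; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def find_fail_then_success(events, min_failures=3, window=timedelta(minutes=10)):
    """Flag (user, src) pairs where >= min_failures failures precede a success within window."""
    alerts = []
    fails = defaultdict(list)  # (user, src) -> timestamps of failures not yet followed by a success
    for ev in events:
        key = (ev["user"], ev["src"])
        if ev["event"] == "auth-fail":
            fails[key].append(ev["ts"])
        elif ev["event"] == "auth-success":
            recent = [t for t in fails[key] if ev["ts"] - t <= window]
            if len(recent) >= min_failures:
                alerts.append({"user": ev["user"], "src": ev["src"],
                               "failures": len(recent), "success_at": ev["ts"]})
            fails[key].clear()  # a success resets the counter for this pair
    return alerts


def find_new_source_logins(events, baseline_end):
    """Flag successes after baseline_end (ISO 8601 Z) from a src not seen for that user before it."""
    cutoff = datetime.strptime(baseline_end, TS_FMT)
    known = defaultdict(set)  # user -> source IPs seen during the baseline period
    alerts = []
    for ev in events:  # time-ordered, so the baseline is complete before it is consulted
        if ev["event"] != "auth-success":
            continue
        if ev["ts"] < cutoff:
            known[ev["user"]].add(ev["src"])
        elif ev["src"] not in known[ev["user"]]:
            alerts.append({"user": ev["user"], "src": ev["src"],
                           "gateway": ev["gateway"], "at": ev["ts"]})
            known[ev["user"]].add(ev["src"])  # report each new source once
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for a in find_fail_then_success(evs):
        print("fail-then-success:", a)
    for a in find_new_source_logins(evs, "2025-07-03T00:00:00Z"):
        print("new-source login:", a)
```

On the constructed sample, the first check reports jsmith (four failures, then a success from the same address within seconds) and the second reports mlee’s login from an address not seen during the baseline day. Thresholds are deliberately parameters: a gateway fronting thousands of users needs tuning against its own failure rate before either alert is routed to an analyst.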
We will continue to monitor and provide updates as new information is released. 

APT Hackers Target Maritime Industry with Ransomware Campaigns Amid Geopolitical Tensions 

The maritime industry, which underpins nearly 90% of global trade, has become a primary target for APT groups that blend state-sponsored espionage with ransomware operations. More than 100 documented attacks in the past year mark an unprecedented escalation in this sector, driven by the strategic value of ports, cargo systems, and fleet management infrastructure. Cyble researchers link campaigns to groups such as Mustang Panda, which has breached shipping firms in Norway, Greece, and the Netherlands, planting malware on onboard operational systems through USB-borne vectors that bypass perimeter defenses. Many of these attacks are geopolitically motivated: pro-Palestinian hacktivists manipulate AIS (Automatic Identification System) data to track and disrupt Israeli-linked vessels, Russian actors focus on European ports supporting Ukraine, and Chinese APTs infiltrate the classification societies that certify ships worldwide. This convergence of cyber-espionage and financially motivated ransomware shows nation-state tradecraft merging with cybercrime-for-profit models, amplifying operational risk for maritime operators.

The technical depth of these campaigns underscores how hard maritime networks are to defend. APT41 has deployed the DUSTTRAP framework, along with malware such as ShadowPad and VELVETSHELL, to persist in ship navigation systems and port infrastructure. Infected USB drives remain a critical infection vector because they carry malware directly into air-gapped operational technology environments. Once embedded, attackers can encrypt cargo manifests, disrupt navigation, and paralyze port logistics while exfiltrating operational intelligence for future campaigns.

The sophistication and scale of these attacks reflect a strategic shift toward hybrid operations. Maritime organizations should harden OT defenses, enforce strict network segmentation (including segmenting VSAT networks from shipboard OT), enforce strict USB device controls, and integrate threat-intelligence-driven detection to counter both nation-state and financially motivated actors.

ShinyHunters Exploit Salesforce via Vishing, Targeting Global Enterprises 

ShinyHunters (UNC6040) is running a data theft campaign against Salesforce CRM customers that has hit high-profile companies including Qantas, Allianz Life, LVMH, and Adidas. Google first warned in early June that threat actors were targeting Salesforce customers with social engineering. The attackers use vishing (voice phishing) to impersonate IT support staff and walk employees through Salesforce’s connected app setup page, where the victim is talked into entering a “connection code” that authorizes a malicious OAuth app (sometimes renamed “My Ticket Portal”) against the company’s Salesforce instance. In parallel, the attackers run phishing pages that spoof Okta login portals to harvest credentials and MFA codes. Once inside, they concentrate on the “Accounts” and “Contacts” objects, exfiltrate them, and use the data for private email-based extortion. Salesforce itself has not been breached at the platform level; these incidents exploit weak access policies and missing security controls in customer environments. If victims refuse to pay, analysts expect ShinyHunters to follow its established pattern and leak the stolen data publicly, as it did after the Snowflake breaches.

Attribution is complicated by overlaps with Scattered Spider (UNC3944), which targets similar industries with social engineering-heavy tradecraft. Recorded Future assesses that the two groups may collaborate or share members, and some researchers suggest ShinyHunters operates as an “extortion-as-a-service” collective for other threat actors. ShinyHunters has kept operating despite several arrests tied to earlier breaches, including those of Snowflake, PowerSchool, and AT&T.

Salesforce has reiterated that its infrastructure remains secure but strongly advises customers to enforce MFA, restrict which connected apps users can authorize, apply the principle of least privilege, and set trusted IP login ranges. Organizations should also use Salesforce Shield to monitor high-risk activity and designate security contacts so that incident response can start quickly. The campaign illustrates the convergence of social engineering, SaaS abuse, and cloud-native extortion, and the need for SaaS-specific defensive strategies.
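Two of Salesforce’s recommendations, trusted IP login ranges and restricting connected apps, can also be applied retroactively to login and API records to find out whether the pattern above has already happened. The script below is an added example for this item, not Salesforce’s, Google’s or any affected company’s code. Its records are constructed to resemble Salesforce LoginHistory rows and Event Monitoring ApiEvent records; the field names, the trusted ranges, the connected-app allowlist and the row threshold are all assumptions to be replaced with values from the actual org. It flags successful logins from outside the trusted ranges, logins through a connected app that is not on the allowlist, and large reads of Account or Contact data through such an app.

```python
"""Review Salesforce login and API activity for the vishing / connected-app pattern.

Added example; not Salesforce's, Google's or any affected company's code.
Record shapes (LoginHistory-like and ApiEvent-like), trusted ranges,
allowlist and threshold are assumptions for the example.
"""
import ipaddress

# Assumed corporate egress ranges (constructed, RFC 5737 documentation space).
TRUSTED_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
# Assumed allowlist of connected apps users may authorize.
APPROVED_APPS = {"Browser", "Salesforce for iOS", "Data Loader"}
# Objects whose bulk export is the campaign's goal.
SENSITIVE_OBJECTS = {"Account", "Contact"}

# Constructed LoginHistory-like rows.
SAMPLE_LOGINS = [
    {"UserId": "005AAA", "LoginTime": "2025-07-28T09:02:11Z", "SourceIp": "203.0.113.10",
     "Application": "Browser", "Status": "Success"},
    {"UserId": "005BBB", "LoginTime": "2025-07-28T09:40:02Z", "SourceIp": "198.51.100.22",
     "Application": "Data Loader", "Status": "Success"},
    # Login through an app authorized during a vishing call, from outside the office.
    {"UserId": "005BBB", "LoginTime": "2025-07-28T11:17:45Z", "SourceIp": "192.0.2.77",
     "Application": "My Ticket Portal", "Status": "Success"},
    {"UserId": "005CCC", "LoginTime": "2025-07-28T11:19:03Z", "SourceIp": "192.0.2.77",
     "Application": "Browser", "Status": "Invalid Password"},
]

# Constructed ApiEvent-like records; RowsProcessed is the number of rows the call returned.
SAMPLE_API_EVENTS = [
    {"UserId": "005BBB", "Application": "Data Loader", "Operation": "Query",
     "QueriedEntities": "Opportunity", "RowsProcessed": 1200},
    {"UserId": "005BBB", "Application": "My Ticket Portal", "Operation": "Query",
     "QueriedEntities": "Account", "RowsProcessed": 48000},
    {"UserId": "005BBB", "Application": "My Ticket Portal", "Operation": "Query",
     "QueriedEntities": "Contact,Account", "RowsProcessed": 95000},
    {"UserId": "005BBB", "Application": "My Ticket Portal", "Operation": "Query",
     "QueriedEntities": "Account", "RowsProcessed": 25},
]


def is_trusted(ip, ranges=TRUSTED_RANGES):
    """True if ip falls inside any trusted network (the trusted IP login range check)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def review_logins(logins, ranges=TRUSTED_RANGES, approved=APPROVED_APPS):
    """Return successful logins that violate the IP range or connected-app policy."""
    findings = []
    for row in logins:
        if row["Status"] != "Success":
            continue  # failed logins belong to a separate brute-force hunt
        reasons = []
        if not is_trusted(row["SourceIp"], ranges):
            reasons.append("untrusted_ip")
        if row["Application"] not in approved:
            reasons.append("unapproved_app")
        if reasons:
            findings.append({**row, "reasons": reasons})
    return findings


def review_api_reads(api_events, approved=APPROVED_APPS, row_threshold=10000):
    """Return reads of sensitive objects through unapproved apps that reach row_threshold."""
    findings = []
    for ev in api_events:
        entities = {e.strip() for e in ev["QueriedEntities"].split(",")}
        if ev["Application"] in approved:
            continue
        if not entities & SENSITIVE_OBJECTS:
            continue
        if ev["RowsProcessed"] < row_threshold:
            continue
        findings.append({**ev, "sensitive": sorted(entities & SENSITIVE_OBJECTS)})
    return findings


def rows_exposed(findings):
    """Total rows read in the flagged API events, a first estimate of exposure."""
    return sum(f["RowsProcessed"] for f in findings)


if __name__ == "__main__":
    for f in review_logins(SAMPLE_LOGINS):
        print("login:", f["UserId"], f["SourceIp"], f["Application"], f["reasons"])
    reads = review_api_reads(SAMPLE_API_EVENTS)
    for f in reads:
        print("read:", f["UserId"], f["Application"], f["sensitive"], f["RowsProcessed"])
    print("rows exposed:", rows_exposed(reads))
```

On the constructed data the login review surfaces one session (user 005BBB, unknown app, untrusted address) and the API review ties that app to two large Account and Contact reads while ignoring the small one. In a real org the same ordering applies: the unapproved app is the lead, and the row counts turn it into a scoped notification question rather than a guess.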

APT28 Deploys AI-Powered Malware, Targeting Organizations via Compromised Email Accounts 

The Russian state-backed group APT28 (Fancy Bear) has deployed LameHug, the first publicly documented malware that calls a large language model (LLM) at runtime to generate the commands it executes. According to CERT-UA, the campaign began with spearphishing emails sent from compromised official accounts and impersonating Ukrainian government entities. The emails carried malicious ZIP archives containing a PyInstaller-compiled executable that, once launched, calls the Qwen 2.5-Coder-32B-Instruct model through Hugging Face’s API. Rather than shipping a fixed command set, LameHug asks the model for reconnaissance and data theft commands on the fly, which lets the operators vary their activity per victim and weakens static detection of the commands themselves. The malware enumerates system, network, and domain details with native Windows utilities, then exfiltrates documents via SFTP or HTTP POST. Further analysis turned up additional variants, including AI_generator_uncensored_Canvas_PRO_v0.9[.]exe and image[.]py, which appear to use alternative exfiltration methods and uncensored LLM models. CERT-UA linked the campaign to Russia’s GRU Unit 26165, consistent with APT28’s historical tradecraft of credential phishing and lateral movement over RDP and SMB.

The reliance on an external LLM API cuts both ways. It gives the operators a flexible, obfuscated command channel, but it also exposes the operation to the API provider (key revocation, logging) and to prompt injection against the model, and it produces a distinctive outbound connection that defenders can hunt for. Security experts recommend hunting for suspicious process executions (whoami[.]exe, ipconfig[.]exe, wmic[.]exe) spawned by an unexpected parent, outbound connections to Hugging Face’s API from hosts with no business reason to use it, and file creation under C:\ProgramData. Defensive measures include EDR deployment, monitoring of LLM-related network activity, phishing awareness training, and automated incident response workflows for this emerging class of AI-augmented threats.
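The hunting guidance above works best when the three artifact types are correlated per process rather than alerted on individually, since ipconfig.exe on its own fires constantly. The script below is an added example for this item, not CERT-UA’s, APT28’s or any vendor’s code. Its events are constructed Sysmon-style records (EventID 1 process create, 3 network connection, 11 file create) using Sysmon’s field names; the process GUIDs, paths and the Hugging Face host pattern are assumptions, so the domain match should be replaced with the exact IOC from your threat intelligence feed. A process is reported only when it shows at least two of the behaviours: launched from a user-writable directory, spawning two or more distinct recon utilities, connecting to the LLM API, and writing under C:\ProgramData.

```python
"""Hunt endpoint telemetry for LameHug-style behaviour by correlating per process.

Added example; not CERT-UA's, APT28's or any vendor's code. Events are
constructed Sysmon-style records; GUIDs, paths and the API domain pattern
are assumptions for the example.
"""

RECON_TOOLS = {"whoami.exe", "ipconfig.exe", "wmic.exe"}
LLM_API_DOMAIN = "huggingface.co"  # assumption: any host under this domain counts
STAGING_PREFIX = "c:\\programdata\\"
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\")

# Constructed sample events; GUIDs and paths are invented for the example.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{P1}", "ParentProcessGuid": "{EXPLORER}",
     "Image": "C:\\Users\\victim\\Downloads\\Attachment.exe"},
    {"EventID": 1, "ProcessGuid": "{C1}", "ParentProcessGuid": "{P1}",
     "Image": "C:\\Windows\\System32\\whoami.exe"},
    {"EventID": 1, "ProcessGuid": "{C2}", "ParentProcessGuid": "{P1}",
     "Image": "C:\\Windows\\System32\\ipconfig.exe"},
    {"EventID": 1, "ProcessGuid": "{C3}", "ParentProcessGuid": "{P1}",
     "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe"},
    {"EventID": 3, "ProcessGuid": "{P1}",
     "DestinationHostname": "api-inference.huggingface.co", "DestinationPort": 443},
    {"EventID": 11, "ProcessGuid": "{P1}",
     "TargetFilename": "C:\\ProgramData\\collected\\info.txt"},
    # Benign management agent: one recon-style child and an update check, no alert.
    {"EventID": 1, "ProcessGuid": "{B1}", "ParentProcessGuid": "{SVC}",
     "Image": "C:\\Program Files\\Vendor\\agent.exe"},
    {"EventID": 1, "ProcessGuid": "{C4}", "ParentProcessGuid": "{B1}",
     "Image": "C:\\Windows\\System32\\ipconfig.exe"},
    {"EventID": 3, "ProcessGuid": "{B1}",
     "DestinationHostname": "updates.example.com", "DestinationPort": 443},
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def score_processes(events):
    """Aggregate indicators per process GUID from the event stream; returns guid -> record."""
    procs = {}

    def rec(guid, image=None):
        p = procs.setdefault(guid, {"ProcessGuid": guid, "Image": image,
                                    "indicators": set(), "recon_children": set()})
        if image and not p["Image"]:
            p["Image"] = image
        return p

    for ev in events:
        guid = ev["ProcessGuid"]
        if ev["EventID"] == 1:
            p = rec(guid, ev["Image"])
            if any(seg in ev["Image"].lower() for seg in USER_WRITABLE):
                p["indicators"].add("launched_from_user_dir")
            if _basename(ev["Image"]) in RECON_TOOLS:
                # credit the recon tool to its parent, which is the process we care about
                rec(ev["ParentProcessGuid"])["recon_children"].add(_basename(ev["Image"]))
        elif ev["EventID"] == 3:
            host = ev.get("DestinationHostname", "").lower()
            if host == LLM_API_DOMAIN or host.endswith("." + LLM_API_DOMAIN):
                rec(guid)["indicators"].add("llm_api_connection")
        elif ev["EventID"] == 11:
            if ev["TargetFilename"].lower().startswith(STAGING_PREFIX):
                rec(guid)["indicators"].add("programdata_file_write")

    for p in procs.values():
        if len(p["recon_children"]) >= 2:  # a burst of distinct tools, not one stray ipconfig
            p["indicators"].add("recon_burst")
    return procs


def hunt(events, min_indicators=2):
    """Return processes showing at least min_indicators behaviours, most suspicious first."""
    hits = [p for p in score_processes(events).values() if len(p["indicators"]) >= min_indicators]
    return sorted(hits, key=lambda p: (-len(p["indicators"]), p["ProcessGuid"]))


if __name__ == "__main__":
    for p in hunt(SAMPLE_EVENTS):
        print(p["ProcessGuid"], p["Image"], sorted(p["indicators"]), sorted(p["recon_children"]))
```

On the sample, the dropper launched from Downloads scores all four indicators while the vendor agent, which also runs ipconfig.exe and talks to the internet, scores none. The same logic ports directly to a SIEM query: group by process GUID, count distinct indicator types, and alert on the count rather than on any single event.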

💡 Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.