July 7, 2025 Cyber Threat Intelligence Briefing

Jul 7, 2025

This week’s briefing covers:

00:00 - Intro

00:50 [CAMPAIGN] RecipeLister Adware Hints at Backdoor Capabilities
The campaign has recently affected a high volume of customers across varied sectors because its initial access comes through drive-by compromise. This article describes some of the key indicators and findings so far, to assist in immediate threat hunting or detection creation.

03:25 [CAMPAIGN] FileFix Now Deployed in the Wild
Kroll has observed that the “FileFix” technique covered in the Threat Intelligence bulletin released on June 30 has already been deployed in the wild. Kroll has been tracking the campaign since July 3, following the discovery of malicious sites by security researcher “Executemalware.”

[VULNERABILITY] Critical Sudo Vulnerability Allows Priv Esc to Root
The flaw arises from unsafe handling of the --chroot (-R) option, where sudo processes user-provided configuration files (including nsswitch.conf) from within the chroot environment before validating user privileges. This allows a local attacker to construct a malicious chroot with a crafted NSS configuration that forces sudo to load attacker-controlled shared libraries as root, effectively bypassing authentication.
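Because the bulletin notes that sudo consults the chroot's configuration before it has checked whether the caller is even allowed to run the command, a defender should treat every chroot request in the sudo log as noteworthy, including the ones sudo rejected. The detection logic below is an added example, not code from Kroll or from the sudo project; it assumes sudo records a requested root directory as a CHROOT= field next to its usual TTY=, PWD=, USER= and COMMAND= fields and prefixes refused attempts with a status message such as "user NOT in sudoers". The log lines are constructed for the example.

```python
import os
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample syslog entries (not taken from the briefing). Assumption:
# sudo logs a requested root directory as "CHROOT=<dir>" among its other
# KEY=value fields, and a rejected attempt carries a free-text status first.
SAMPLE_LOGS = [
    "Jul  7 10:01:02 host sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update",
    "Jul  7 10:02:15 host sudo:     bob : TTY=pts/1 ; CHROOT=/tmp/stage ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/id",
    "Jul  7 10:03:40 host sudo:   carol : TTY=pts/2 ; CHROOT=/srv/jail ; PWD=/home/carol ; USER=root ; COMMAND=/bin/ls /",
    "Jul  7 10:04:01 host sudo:    dave : user NOT in sudoers ; TTY=pts/3 ; CHROOT=/dev/shm/x ; PWD=/home/dave ; USER=root ; COMMAND=/bin/true",
    "Jul  7 10:05:00 host sshd[4242]: Accepted publickey for alice from 10.0.0.5 port 51000 ssh2",
]

# Locations an unprivileged user can normally write to. A chroot rooted in one of
# these is far more suspicious than one under an administrator-managed path,
# because the caller controls the nsswitch.conf and libraries found inside it.
USER_WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")

SUDO_LINE = re.compile(r"\bsudo(?:\[\d+\])?:\s+(?P<user>\S+) : (?P<rest>.+)$")


@dataclass
class ChrootEvent:
    user: str
    chroot: str
    command: str
    severity: str   # "high" for user-writable roots, "medium" otherwise
    rejected: bool  # True when sudo refused the command (still worth alerting on)


def parse_sudo_line(line: str) -> Optional[dict]:
    """Split a sudo syslog entry into the invoking user, its KEY=value fields
    and any free-text status messages. Returns None for non-sudo lines."""
    m = SUDO_LINE.search(line)
    if not m:
        return None
    fields, statuses = {}, []
    for part in m.group("rest").split(" ; "):
        key, sep, value = part.partition("=")
        if sep and key.isupper():
            fields[key] = value
        else:
            statuses.append(part)
    return {"user": m.group("user"), "fields": fields, "statuses": statuses}


def classify_chroot(path: str) -> str:
    """Rate a requested chroot directory by who could plausibly control it."""
    normalized = os.path.normpath(path) + "/"
    return "high" if normalized.startswith(USER_WRITABLE_PREFIXES) else "medium"


def find_chroot_events(lines) -> list:
    """Return every sudo invocation that asked for a chroot, rejected or not."""
    events = []
    for line in lines:
        parsed = parse_sudo_line(line)
        if not parsed or "CHROOT" not in parsed["fields"]:
            continue
        chroot = parsed["fields"]["CHROOT"]
        rejected = any("NOT in sudoers" in s or "not allowed" in s
                       for s in parsed["statuses"])
        events.append(ChrootEvent(
            user=parsed["user"],
            chroot=chroot,
            command=parsed["fields"].get("COMMAND", ""),
            severity=classify_chroot(chroot),
            rejected=rejected,
        ))
    return events


if __name__ == "__main__":
    for ev in find_chroot_events(SAMPLE_LOGS):
        state = "REJECTED" if ev.rejected else "allowed"
        print(f"[{ev.severity.upper()}] {ev.user} chroot={ev.chroot} "
              f"({state}) command={ev.command}")
```

Feeding real syslog or journald output through find_chroot_events gives a short list to triage: a chroot under /tmp or /dev/shm requested by a user who is not in sudoers is exactly the shape of activity the bulletin describes, while an administrator running sudo -R against a maintained jail under /srv lands in the medium bucket for review rather than paging anyone.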

05:01 [CAMPAIGN] Heightened Iranian Cyber Threat to U.S. Entities
A joint statement across U.S. government agencies has strongly urged organizations to remain vigilant for potential cyber activity targeting U.S. critical infrastructure. They note that Iranian cyber actors were observed pivoting toward opportunistic attacks against U.S. networks, leveraging weak credentials and unpatched vulnerabilities—especially in OT environments.

06:18 [CAMPAIGN] KTA405 (aka Silver Fox) Using DeepSeek Lures
The Chinese-speaking espionage and financially motivated actor KTA405 (aka Silver Fox) has been observed targeting citizens of Taiwan with malware lures in the form of fake DeepSeek large language model (LLM) software installers.

[CAMPAIGN] North Korean IT Workers
Microsoft has detailed how North Korea is using AI to help place its IT workers inside Fortune 500 companies, with the goal of accessing sensitive data and generating revenue for the state. Microsoft states that the recent use of AI has allowed the state to expand the scope of the campaign.

07:22 [RANSOMWARE] Ransomware Roundup
ANY.RUN has analyzed a new ransomware, identified as DEVMAN, that appears to be a variant of earlier DragonForce samples. DragonForce runs as a Ransomware-as-a-Service, which suggests that affiliates can create their own variations of the ransomware; DEVMAN appears to be one such variation.

Dive deeper:

Kroll’s Monthly Threat Intelligence Spotlight Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/cti-spotlight-trends-report

Kroll’s Q3 2024 Threat Landscape Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/q3-2023-threat-landscape-report-social-engineering

Playlist of Kroll's Weekly Cyber Threat Intelligence Briefings: Cyber Threat Intelligence Briefings

Kroll Cyber Blog: https://www.kroll.com/en/insights/publications/cyber

Kroll Cyber Threat Intelligence: https://www.kroll.com/en/services/cyber-risk/managed-security/threat-intelligence-services

Kroll Threat Intelligence Reports: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports

Kroll Responder MDR: https://www.kroll.com/en/services/cyber-risk/managed-security/kroll-responder

#krollcyber #threatintelligence #cyberthreats