Cloud Cryptomine to Zero Day Exploits: This Week’s Cybersecurity Roundup
This week matters because adversaries are ramping up their fight over cloud environments, and are using our misconfigurations to power cryptomining, weaponizing sophisticated malware, compromising SharePoint servers, and forcing enterprises to quickly re-think their AI governance frameworks.
The attacks range from high-impact zero-day exploits in on-prem SharePoint systems to GenAI tools leaking sensitive data. The themes are evident-cloud attacks, strange malware tactics, supply-chain gaps, and the need to patch quickly, to name a few.
What the reader gets is solid, actionable intelligence to help defenders act clearly and purposefully in defending against these threats.
1. Cryptomining in the Cloud: Soco404 & Koske
Soco404 leverages Google Sites to hide Linux and Windows cryptominer payloads inside fake 404 pages, exposing PostgreSQL and Tomcat services. It persists via cron jobs and masquerades as system services. Koske uses AI-generated malware that is delivered to the user via panda-image polyglots with shell scripts and rootkits – infecting misconfigured JupyterLab servers to operate completely in memory
aquasec.com.
Risk: cloud misconfigurations, stealth mining, high compute theft.
Defense: audit public-facing services, restrict access to databases, watch for anomalous behavior.
Source: The Hacker News
2. The Dangers of Using Chinese GenAI Tools
As reported by Harmonic Security, 7.95% of users sampled in a study of employees in the U.S./U.K. utilized Chinese GenAI tools such as DeepSeek, Qwen, Kimi Moonshot. There were 1,059 users identified and 535 distinct events where sensitive data – source code, M&A docs, PII, legal and financial info – was uploaded to the platforms.
Why does this matter? These tools operate under non-transparent policies, meaning that uploaded data may remain on the platform, reused for training purposes, and in some case, could even be leaked under Chinese law, creating compliance and IP risk.
What to do? Enforce real-time monitoring and shadow-AI detection, provide alerts or blocks to discourage unsanctioned use, offer approved GenAI tools as recognized safe alternatives, and educate employees about data risks.
Source: The Hacker News
3. GenAI Compliance Reference Guide
An enterprise-focused checklist (OWASP Top 10-based) covers components such as API access controls, data sanitization, data retention policies, threat modelling, audit logging, and compliance workflows.
The primary components include sections on access governance, compliance pipelines consisting of AI governance components, usage audit, and risk mitigation approaches. Adapt it for use as a template for your internal AI governance policies and risk-alerting frameworks.
4. Mitel Critical Vulnerability Bypass
A critical authentication bypass vulnerability impacting Mitel MiVoice MX‑ONE’s Provisioning Manager allows unauthenticated attackers to gain administrative or user-level access to the Provisioning Manager (essentially acting as an external admin user) via publicly available open, exposed, uncontained, unquarantined systems. The vulnerability exists because of an improper access control vulnerability. Rated CVSS 9.4, the vulnerability affects affected versions 7.3 through 7.8 SP1; the patch for MXO‑15711_78SP0 and SP1 was released by Mitel on July 23–24, 2025.
Impact: Telecom operators, VoIP and collaboration infrastructure exists within the attack surface.
Defense: Mitel patch immediately, restrict external access to Provisioning Manager, enable multi-factor authentication, monitor for potential authentication misuse, and await logical review of supervisory structures themselves.
Source: Mitel
5. Fire Ant Exploits VMware Vulnerability
The Fire Ant cyber espionage group has been exploiting VMware ESXi and vCenter vulnerabilities (including CVE‑2023‑34048 and CVE‑2023‑20867) to achieve hypervisor-level code execution, extract the vpxuser service‑account, deploy persistent backdoors, delete logs, and pivot into guest virtual machines. In short, a pervasive and stealthy delayed attack campaign that was unobservable using traditional endpoint defenses.
Mitigation: Patch VMware systems without delay and restrict their management interfaces, employ high degrees of network segmentation and monitoring at the hypervisor layer.
Source: Sygnia
6. CastleLoader Malware Infected 469 Apps
CastleLoader malware has improperly acquired 469 devices using fake Cloudflare-themed phishing pages and impersonated GitHub repositories, convincing users to run PowerShell commands that share info-stealers and RATs (RedLine, NetSupport, and SectopRAT).
Recommendations: Vet third-party installers, scan code environments, implement endpoint behavior monitoring around downloads, and train users on clipboard phishing and malicious execution mechanisms.
7. China-based APT for Counterfeit Dalai Lama Scheme
An espionage group from China carried out impersonation of the Dalai Lama in phishing operations called Operation GhostChat and Operation PhantomPrayers. The targets were mainly Tibetan people, who were rerouted through compromised but legitimate websites that then infected them with Gh0st RAT or PhantomNet backdoors.
Tactic: Utilizes trust and affinity with regard to geo-political initials to compel victims to act.
Defense: Utilize phishing awareness training, supervise for domains impersonating? high-termed respected entities, execute multifactor authentication, and monitor sensitive entry points.
8. Storm‑2603 Exploits Unpatched SharePoint flaws
The Storm‑2603 group has been actively exploiting two unpatched SharePoint Server flaws (CVE‑2025‑49704 and CVE‑2025‑49706) since at least July 7, 2025 to install Warlock ransomware via spinstall0.aspx web shells as well as to conduct credential harvesting and lateral movement.
Impact: Corporations lose files, get compromised internally, and deploy ransomware out into the environment.
Controls: Harden SharePoint configuration, patch, audit permissions, and monitor privileged actions in Active Directory and web-shell actions.
Source: Microsoft
9. Stealth Backdoors via New Malware
Recent articles covering the emergence of stealthy backdoor malware placed somewhere in CI/CD pipelines, or through compromised dependencies sourced from developers or the software supply chain. Backdoors frequently go unnoticed and only externally observed over multiple builds or environments.
Risk: Long-term accessibility to production.
Defense: Require SBOM use, check code signatures, and share/verify at runtime.
Source: The Hacker News
10. New Methods to Detect Kerberoasting
Two security researchers presented their detection methods for Kerberoasting attacks, which focuses on the attack method of targeting Kerberos service tickets. In this finding, the researchers leveraged scaling the use of meter requests and sustainability, through examining abnormalities in ticket requests, duration of ticket use activity, and metrics on service time usage by each ticket, which security personnel can use to showcase early historic actions of lateral movement.
Benefit: Provides increased telemetry visibility in Active Directory environments, allowing defenders to discover offensive pre-operations, before they become actionable privileged escalations, or discovery of credentials through exfiltration actions.
11. Google Launches OSS Rebuild Program
Google announced their new OSS Rebuild Program, which will attempt to recompile widely-used open-source packages while also using hardened toolchains. The program proposes to provide transparency and surface unknown hidden dependencies.
How it helps: Supposedly it will provide additional security in as much as it will illuminate any modification, expectant behaviors, or, risks that were implemented early on before the open-source component becomes integrated into enterprise products and/or utilized into cloud services.
Source: Google
12. Urgent CISA Patch Advisory
CISA issued a high-priority patch advisory for vulnerabilities related to Mitel, VMware, SharePoint, and CrushFTP, that are already being actively exploited.
Highlight: Organizations should adopt centralized patch dashboards and tracking systems to prioritize vulnerabilities, reduce exposure windows, and ensure compliance with national cybersecurity mandates.
Source: CISA
13. Credential Theft & Remote Access Tool Abuse
Some attackers phish for credentials to install legitimate remote access tools such as AnyDesk or TeamViewer to keep a stealthy presence. These RATs often escape notice as they are commonly used in IT circles.
Defense: Monitor privileged accounts, enforce MFA, and flag anomalies in remote access behavior.
Source: Arctic Wolf
14. SharePoint Zero‑Day Exploits
Several APTs actively exploit unpatched SharePoint vulnerabilities to obtain access to internal documents and escalate privileges.
Emphasis: Such attacks place an emphasis on the urgency for organizations to monitor during Microsoft’s patch cycle and apply patches with an utmost priority to avoid lateral movements and data theft.
Source: Checkpoint
15. Iran‑Linked DCHSpy Android Malware
DCHSpy is an Android-based surveillance tool installed by Iranian threat actors via malicious sideloaded apps.
Target: Political activists and dissidents in the Middle East and elsewhere.
Recommendation: Promote app verification, deploy mobile threat detection, and conduct awareness training for users around mobile-specific attack vectors.
Source: Lookout
16. China-Linked Targeted Campaigns
Different APT groups in China have been performing multistage and advanced attacks targeting entities, infrastructure, and supply chains. These include phishings with fake personas, deployment of malware, and operations for persistence.
Trend: These campaigns perform social engineering followed by malware installation for years of espionage and data theft. To defend, one must apply layered threat detection.
Source: SECURELIST
17. AI in Zero-Trust: New Role
Yet AI has embraced Zero Trust in behavior-based authentication, anomaly scoring, and adaptive access controls. Unless these AI tools are adequately secured, they might themselves become the new attack surface.
Defend by deploying AI-driven threat detection, continuously monitoring for anomalies within the AI systems, and securing the AI components well.
Source: The Hacker News
18. PoisonSeed Hackers Bypass FIDO Keys
PoisonSeed abuses a fallback mechanism in FIDO2 authentication, inducing victims to scan malicious QR codes in the cross-device sign-in process.
Risk: Hardware token systems could be vulnerable to sophisticated phishing attacks or compromise at the device level.
Recommendation: Combine FIDO with behavioral analytics and risk-based multifactor approaches.
Source: Expel
19. 3,500 Sites Hijacked for Cryptocurrency Mining
The attackers have been compromising over 3,500 kayachite sites to run JavaScript-based cryptominer processes directly in visitors’ browsers; the processes use WebAssembly and WebSockets to remain hidden.
Scale: Thousands compromised; full degrades performance and resource consumption.
Defense: Scanning web traffic, integrity monitoring, and enforcing Content Security Policy.
Source: cside
20. Exploiting the Critical Flaw in CrushFTP
A critical vulnerability (CVE-2025-54309) in CrushFTP allows unauthenticated remote attackers to elicit administrative access on unpatched servers.
Mitigation: Apply vendor patches and monitor file server activity while restricting access.
Note: Nearly 1,000 servers remain vulnerable due to delays in patching.
Source: CrushFTP
Conclusion
This week’s summary is focused on an important change in the threat landscape with attackers leveraging cloud misconfigurations, weaponized supply chain vulnerabilities, the circumvention of hardware-based MFA, and the exploitation of unmanaged GenAI tools. These new tactics are representative of a more evolved, multi-layer disruption to cybercrime.
Key Takeaways
Patch quickly and smartly.
Secure your cloud infrastructure and APIs.
Govern GenAI with strong policy, monitoring, and training
Strengthen identity controls and anomaly detection.
Want to stay one step ahead of today’s cyber threats? Enroll in a Cyber Security and Ethical Hacking Course in India with hands-on training, real-world attack simulations, and industry-recognized certification. Build the skills SOC teams and ethical hackers use daily start your journey with Boston Institute of Analytics today.
Cyber Security Course in Mumbai | Cyber Security Course in Bengaluru | Cyber Security Course in Hyderabad | Cyber Security Course in Delhi | Cyber Security Course in Pune | Cyber Security Course in Kolkata | Cyber Security Course in Thane | Cyber Security Course in Chennai
