News Week: July 28th to August 3rd, 2025

August 4, 2025

Remote Code Execution in PaperCut Software Draws Ransomware Gang Interest

A recently patched remote code execution (RCE) flaw in PaperCut NG/MF (CVE-2023-2533) is now actively exploited, prompting CISA to urge immediate action. The bug lets attackers change security settings or run arbitrary code if an authenticated admin clicks a crafted link, typically via cross-site request forgery (CSRF). While current incidents haven’t been linked to ransomware, PaperCut servers have a history of compromise. In 2023, ransomware gangs including LockBit, Clop, and Bl00dy exploited earlier PaperCut RCE vulnerabilities such as CVE-2023-27350, along with CVE-2023-27351, to steal sensitive data. Iranian state-backed groups Muddywater and APT35 also joined these campaigns. With over 1,100 servers exposed online, unpatched systems remain prime targets. CISA has added CVE-2023-2533 to its Known Exploited Vulnerabilities Catalog, requiring U.S. federal agencies to patch by August 18, and advising all organizations to act swiftly to block potential ransomware infiltration.

FBI Seizes $2.4M in Bitcoin from Chaos Ransomware Affiliate

The FBI has confiscated over $2.4 million in Bitcoin from “Hors,” an affiliate of the new Chaos ransomware operation linked to cyberattacks on Texas companies. The seizure, totaling 20.289 BTC, is tied to ransomware-related extortion and follows a civil forfeiture complaint by the U.S. Department of Justice. Chaos is believed to be a rebrand of the BlackSuit ransomware group, which itself evolved from the Royal (Quantum) ransomware gang—direct successors to the notorious Conti ransomware operation that disbanded in 2022. Conti’s members splintered into multiple ransomware factions after their takedown. BlackSuit, pressured by law enforcement after high-profile attacks, adopted a new encryptor before reemerging as Chaos. Researchers confirm strong links between Chaos and BlackSuit through encryption methods, ransom note design, and attack tools. With BlackSuit’s dark web sites recently seized, investigators may have uncovered this wallet during ongoing probes into the Conti, Royal, Quantum, BlackSuit, and Chaos ransomware operations.

Orange Discloses Cyberattack on One of Its Information Systems

French telecom giant Orange has disclosed a cyberattack detected on July 25, 2025, affecting one of its information systems. Orange Cyberdefense swiftly isolated the compromised system, minimizing impact but causing temporary service disruptions for business and consumer customers in France. While no evidence of data theft has been found, the incident is under investigation and authorities have been notified. Although Orange has not attributed the attack, it resembles breaches tied to China’s state-backed Salt Typhoon cyber-espionage group, which has previously targeted telecom providers like AT&T, Verizon, Lumen, and Viasat. Salt Typhoon’s campaigns have compromised telecom networks in dozens of countries. This follows a February breach at Orange Romania, where a threat actor named “Rey” claimed to have stolen vast internal data. Serving 294 million customers across Europe, Africa, and the Middle East, Orange remains on high alert to prevent further cyber intrusions.

SAP NetWeaver Exploit Deploys Auto-Color Linux Malware

Hackers are exploiting a critical SAP NetWeaver vulnerability (CVE-2025-31324) to deploy the Linux-based Auto-Color malware in targeted attacks. Darktrace’s investigation into an April breach of a U.S. chemicals company revealed that the flaw, used as a zero-day since at least mid-March according to Mandiant, enables unauthenticated remote code execution by allowing malicious binary uploads. Auto-Color is known for advanced evasion tactics, including privilege-aware execution, rootkit functionality, reverse shells, and stealth persistence via ld.so.preload. If its command-and-control server is unreachable, the malware suppresses malicious activity, making analysis difficult. First documented in February 2025, Auto-Color has since been weaponized by ransomware actors and Chinese state-backed hackers. The zero-day’s exploitation surged after SAP released a patch in April, with reports from ReliaQuest, Onapsis, and watchTowr confirming active attacks. Administrators are urged to apply SAP’s security updates immediately to protect against this evolving threat.
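Because the malware persists through ld.so.preload, a defender's first check on a suspect Linux host is to audit that file. The following is an added example, not code from the original article or from any of the vendors it cites; the sample file content, the allowlist and the list of suspicious directories are constructed assumptions to tune for your environment.

```python
import os

# Constructed assumption: a legitimate preload library should not live in
# scratch or home directories.
SUSPICIOUS_DIRS = ("/tmp", "/var/tmp", "/dev/shm", "/home", "/root")


def in_suspicious_dir(path):
    return any(path == d or path.startswith(d + "/") for d in SUSPICIOUS_DIRS)


def audit_preload(content, allowlist=(), path_exists=os.path.exists):
    """Parse ld.so.preload text and return findings for each entry not on the
    allowlist. The loader reads whitespace-separated paths; '#' starts a comment.
    Extra reasons are attached for relative paths, scratch/home locations and
    paths that no longer exist on disk (a dropped-then-deleted library)."""
    findings = []
    for lineno, raw in enumerate(content.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        for entry in line.split():
            if entry in allowlist:
                continue
            reasons = ["not on allowlist"]
            if not entry.startswith("/"):
                reasons.append("relative path")
            elif in_suspicious_dir(entry):
                reasons.append("lives in scratch or home directory")
            if not path_exists(entry):
                reasons.append("file does not exist")
            findings.append({"line": lineno, "path": entry, "reasons": reasons})
    return findings


def audit_host(allowlist=()):
    """Audit the live /etc/ld.so.preload; an absent file is the clean case."""
    try:
        with open("/etc/ld.so.preload") as fh:
            return audit_preload(fh.read(), allowlist)
    except FileNotFoundError:
        return []


# Constructed sample content standing in for a compromised host's file.
SAMPLE_PRELOAD = """# constructed sample
/usr/lib/x86_64-linux-gnu/libsandbox.so
/tmp/.x/libexample_implant.so
"""
SAMPLE_ALLOWLIST = ("/usr/lib/x86_64-linux-gnu/libsandbox.so",)

if __name__ == "__main__":
    for f in audit_preload(SAMPLE_PRELOAD, SAMPLE_ALLOWLIST, lambda p: p.startswith("/usr")):
        print(f)
```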

SafePay Ransomware Threatens Massive Ingram Micro Data Leak

The SafePay ransomware gang claims to have stolen 3.5TB of data from IT giant Ingram Micro, threatening to publish it on their dark web leak site. Active since September 2024, SafePay has targeted over 260 known victims and often exfiltrates sensitive files before encrypting systems. The group has quickly risen in prominence, filling the gap left by dismantled or weakened ransomware operations like LockBit, BlackCat (ALPHV), Conti, Royal, Quantum, BlackSuit, and Chaos. Earlier this month, Ingram Micro suffered a global outage attributed to SafePay, forcing employees to work remotely and prompting a full reset of passwords and MFA credentials. While many systems were restored within days, the company has not officially confirmed SafePay’s involvement or the theft of data. The incident underscores the persistent ransomware threat, in which groups evolve or rebrand, often sharing tactics and tools, to keep pressure on high-value global targets.

ShinyHunters Extortion Attacks Target Salesforce Data at Global Brands

ShinyHunters, tracked as UNC6040 and UNC6240, is linked to recent Salesforce data-theft campaigns impacting Qantas, Allianz Life, LVMH, Adidas, and more. Using vishing and phishing—often impersonating IT support—the group tricks employees into connecting a malicious Salesforce Data Loader app, enabling large-scale data theft. The attacks mirror activity from overlapping groups like Scattered Spider (UNC3944), The Com, and members tied to the defunct Lapsus$ collective, all known for targeting aviation, retail, and insurance sectors. ShinyHunters’ previous high-profile extortions include Snowflake, PowerSchool, Oracle Cloud, AT&T, NitroPDF, Wattpad, and MathWay, often selling stolen data or privately extorting victims. Researchers believe these threat clusters sometimes operate in lockstep, sharing tactics and victims. While Salesforce confirms its platform remains uncompromised, the incidents highlight the need for MFA, least privilege, and tight control over connected apps to defend against ShinyHunters, Scattered Spider, and related cyber-extortion networks.

Russian State Hackers Exploit ISP Access for Adversary-in-the-Middle Attacks

Microsoft has revealed that Secret Blizzard—also known as Turla, Waterbug, and Venomous Bear—is conducting adversary-in-the-middle (AiTM) attacks against diplomatic missions in Moscow by leveraging local ISP access. This Russian FSB-linked group uses its position on the network path to redirect victims to malicious captive portals, delivering ApolloShadow malware disguised as a Kaspersky update. Once installed, the malware adds a trusted root certificate, giving the group long-term control over the victim's web traffic for espionage. Active since at least 2024, these campaigns exploit Russia’s domestic surveillance systems, including SORM, to extend the group's reach. Turla has previously targeted embassies, NATO members, NASA, and EU ministries, and even hijacked Iranian OilRig and Pakistani Storm-0156 infrastructure to mislead attribution. Known for unconventional methods—like controlling malware via Britney Spears Instagram comments—Secret Blizzard remains one of the most persistent actors in global cyber-espionage, and ISP-level access makes its AiTM operations especially dangerous.

Akira Ransomware Surge Targets SonicWall Devices, Possible Zero-Day Suspected

A surge in Akira ransomware attacks since mid-July is targeting SonicWall firewall devices, with Arctic Wolf warning of a likely zero-day vulnerability in SSL VPN services. Akira, active since March 2023, has compromised over 300 organizations globally, following in the footsteps of major ransomware families like LockBit, BlackCat (ALPHV), Conti, Royal, Quantum, BlackSuit, Chaos, and SafePay. Notable Akira victims include Nissan, Hitachi, and Stanford University, with the group amassing over $42 million in ransom payments. In this latest campaign, attackers gained access via SSL VPN accounts—potentially using brute force, credential stuffing, or exploiting the suspected zero-day—before rapidly encrypting data. Arctic Wolf observed VPN logins from hosting providers, a tactic also seen in past ransomware campaigns. Admins are urged to disable SonicWall SSL VPNs, review logs, and apply security patches, especially for SMA 100 appliances, which are already being targeted with OVERSTEP rootkit malware by other threat actors.
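The "review logs" advice above can be turned into a concrete triage: flag successful SSL VPN logins that come from hosting-provider address space (the pattern Arctic Wolf observed) or that follow a burst of failures for the same account (brute force or credential stuffing). This is an added example, not code from the article or from Arctic Wolf or SonicWall; the log line format, the hosting CIDRs and the sample events are constructed assumptions, and real SonicWall syslog would need its own parser.

```python
import ipaddress
import re

# Constructed stand-ins for hosting/VPS provider ranges (use an ASN feed in practice).
HOSTING_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed log format, not SonicWall's real schema:
#   <time> vpn-login user=<name> src=<ip> result=<success|failure>
LOG_RE = re.compile(r"^(?P<time>\S+) vpn-login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")


def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["src"] = ipaddress.ip_address(ev["src"])
    return ev


def is_hosting(ip):
    return any(ip in net for net in HOSTING_RANGES)


def triage(lines, fail_threshold=5):
    """Return one finding per suspicious successful login, in log order.
    A success is suspicious if its source is in a hosting range or if the same
    account had at least fail_threshold failures since its last success."""
    findings, failures = [], {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip unparseable lines rather than crash the sweep
        user = ev["user"]
        if ev["result"] == "failure":
            failures[user] = failures.get(user, 0) + 1
            continue
        reasons = []
        if is_hosting(ev["src"]):
            reasons.append("success from hosting-provider range")
        if failures.get(user, 0) >= fail_threshold:
            reasons.append(f"success after {failures[user]} failures")
        failures[user] = 0  # a success resets the failure counter
        if reasons:
            findings.append({"time": ev["time"], "user": user, "src": str(ev["src"]), "reasons": reasons})
    return findings


# Constructed sample events: a normal login, a brute-forced service account from
# hosting space, and a clean-looking login that still originates from a VPS range.
SAMPLE_LOG = (
    ["2025-07-20T02:11:03Z vpn-login user=jdoe src=192.0.2.44 result=success"]
    + [f"2025-07-20T03:0{i}:00Z vpn-login user=svc-backup src=203.0.113.7 result=failure" for i in range(5)]
    + ["2025-07-20T03:06:00Z vpn-login user=svc-backup src=203.0.113.7 result=success",
       "2025-07-20T04:30:00Z vpn-login user=amartin src=198.51.100.21 result=success"]
)

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```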

Conclusion

The evolving threat landscape—from advanced ransomware operations like Akira, Chaos, and SafePay to state-backed cyber-espionage groups such as Salt Typhoon and Secret Blizzard—underscores the urgent need for proactive defense strategies. Zero-day vulnerabilities, adversary-in-the-middle attacks, and targeted data extortion campaigns demand continuous vigilance and rapid response to protect critical systems and sensitive information.

As experts in ransomware recovery and cybersecurity, we provide specialized solutions including Ransomware Recovery Services, Ransomware Negotiation Services, Cyber Defense Academy, Cybersecurity Risk Assessment, and Incident Response Retainer. Reach out to our team today to strengthen your defenses and respond effectively to emerging threats.