
July 24, 2025 – Cyber Briefing

👉 What’s going on in the cyber world today?

Interlock ransomware uses drive-by downloads and double extortion across Windows/Linux, WordPress sites hit by a stealth mu-plugins backdoor (wp-index.php), and GitLab rushes patches for high-sev XSS in the K8s proxy. Beluga Vodka battles a crippling ransomware hit, France Travail leaks data on 340k jobseekers via an infostealer-compromised partner, and Chinese actors exploit on-prem SharePoint to breach hundreds of orgs. Sam Altman warns of an AI-driven fraud wave (esp. voice auth), Europol nabs the XSS.is admin in Kyiv, and Google launches OSS Rebuild to harden the open-source supply chain.

First time seeing this? Join us on Substack!

🚨 Cyber Alerts

1. Interlock Ransomware Threat Alert

The US government (a joint CISA/FBI advisory) has issued an alert on Interlock ransomware, which gains initial access through drive-by downloads from compromised websites and runs a double-extortion model: it exfiltrates data before encrypting systems, including virtual machines. Active since September 2024, Interlock has encryptors for both Windows and Linux and has compromised critical infrastructure, businesses, and other organizations in North America and Europe.

2. Backdoor Found in WP Plugins

A WordPress malware campaign has been found operating from the rarely monitored wp-content/mu-plugins directory, giving attackers persistent access to compromised sites while evading routine plugin checks. The malicious file, named wp-index.php, abuses WordPress’s “must-use plugins” mechanism: every PHP file in that directory is loaded automatically on each request and is never listed as deactivatable in the Plugins screen, so the backdoor cannot be switched off from the admin panel.

3. GitLab Patches Key Vulnerabilities

GitLab has released urgent security patches for its Community and Enterprise Editions to address multiple vulnerabilities, including two high-severity cross-site scripting (XSS) issues affecting Kubernetes proxy functionality. All self-managed GitLab installations are strongly advised to upgrade immediately to mitigate these significant security risks.


💥 Cyber Incidents

4. Beluga Vodka Ransomware Attack Reported

Beluga, a Russian premium vodka producer owned by NovaBev Group, experienced a sophisticated ransomware attack on July 14, 2025, that severely disrupted its IT infrastructure and operational capabilities. The company has refused to negotiate with the cybercriminals, instead engaging external cybersecurity experts to aid in recovery and forensic analysis, with preliminary findings suggesting no customer personal data was compromised.

5. Data Breach Affects 340K Jobseekers

France Travail, the French employment agency, recently experienced a data breach exposing the personal information of 340,000 jobseekers, including names, addresses, phone numbers, and jobseeker statuses. This incident, caused by an infostealer malware compromising a partner’s account, marks the second data breach for the agency in two years.

6. Hackers Use Ransomware on SharePoint Servers

Microsoft has reported that Chinese threat actors, including state-sponsored groups, have exploited vulnerabilities in on-premises SharePoint Server to breach hundreds of government agencies and organizations, primarily in the US. The flaws affect on-premises SharePoint Server only, not SharePoint Online. Microsoft has released security updates and urged customers to install them and to rotate their ASP.NET machine keys afterwards, since a patch alone does not evict an attacker who already holds the keys.


📢 Cyber News

7. Altman Flags Looming AI Fraud Crisis

OpenAI CEO Sam Altman warns of a potential “fraud crisis” due to AI’s ability to impersonate individuals, particularly highlighting the vulnerability of voice authentication in financial institutions. These concerns were raised during a Federal Reserve interview, where Altman also discussed AI’s economic impact and OpenAI’s increasing presence in Washington D.C. to engage with policymakers.

8. XSS Forum Admin Arrested in Kyiv

Europol, in collaboration with French and Ukrainian authorities, has announced the arrest of the suspected administrator of XSS.is (formerly DaMaGeLaB), a major Russian-speaking cybercrime forum. The arrest, which took place in Kyiv on July 22, 2025, follows a 2021 investigation and has also led to the seizure of the XSS.is clearnet domain.

9. Google OSS Rebuild Exposes Malicious Code

Google has launched OSS Rebuild, a new initiative designed to enhance the security of open-source package ecosystems and prevent software supply chain attacks. This project aims to provide verifiable build information for packages across major registries, helping users confirm a package’s origin and detect tampering.


💡 Cyber Tip

Hidden WordPress Backdoors Use Must-Use Plugins to Evade Detection

Security researchers have uncovered a stealthy malware campaign targeting WordPress sites through the rarely monitored mu-plugins directory. Attackers deploy a persistent backdoor using a file called wp-index.php, which cannot be disabled via the admin panel. The malware uses obfuscation, hidden admin users, and database-stored payloads to maintain control over compromised sites while avoiding traditional file-based detection methods.

✅ What you should do:

  • Regularly inspect wp-content/mu-plugins and compare its contents against a known-good list; any file you did not place there is suspect, because everything in that directory runs on every request.
  • Monitor the wp_options table for unusual entries, especially large or base64-encoded values that a loader could fetch and execute.
  • Audit all admin accounts to detect unauthorized users like “officialwp.”
  • Use security plugins that include database scanning and behavior-based anomaly detection.
  • Keep your WordPress core, themes, and plugins updated and backed up.

🔒 Why this matters:

This malware avoids standard detection by hiding in places most tools don’t check. Its use of persistent, database-based payloads and concealed admin users allows attackers to maintain full control of your site. Proactive monitoring of both filesystem and database activity is essential for WordPress security.

📚 Cyber Book

Game Hacking: Developing Autonomous Bots for Online Games by Nick Cano

Get Book ➤ https://amzn.to/46qGbLi


That concludes today’s briefing. You can check the top headlines here!

 

Copyright © 2025 CyberMaterial. All Rights Reserved.

Follow CyberMaterial on:

Substack, LinkedIn, Twitter, Reddit, Instagram, Facebook, YouTube, and Medium.
