San Mateo, CA, July 14, 2025 — Stories, events, and developments that impacted the cybersecurity landscape last week, including emerging threats, policy changes, and industry responses.
At a glance
Iranian hackers target U.S. transport and manufacturing
Iranian state-sponsored threat actors have escalated cyberattacks on U.S. critical infrastructure, with a 133% surge in activity during May and June 2025, primarily targeting the transportation and manufacturing sectors. Nozomi Networks tracked 28 incidents and linked them to six APT groups: MuddyWater, APT33, OilRig, CyberAv3ngers, FoxKitten, and Homeland Justice. MuddyWater led the campaign with at least five confirmed breaches. Attackers are focusing on operational technology and industrial control systems, signaling a shift in Iran’s cyber warfare strategy. CISA and DHS have issued urgent advisories calling for additional security measures within critical infrastructure. Security researchers note that CyberAv3ngers reused command-and-control infrastructure from previous malware campaigns, which they read as a sign of confidence in the group’s operational security and a calculated approach to resource management. Read more.
Bluetooth bugs expose millions of cars to takeover
Researchers at PCA Cyber Security have uncovered four critical vulnerabilities, collectively called “PerfektBlue,” in the OpenSynergy BlueSDK Bluetooth stack used in automotive systems. The flaws impact millions of vehicles, including models from Mercedes-Benz, Volkswagen, and Skoda, and potentially a fourth undisclosed automaker. These vulnerabilities are easily exploitable via Bluetooth and could allow remote code execution through infotainment systems if attackers successfully pair with them. The Hacker News reports that “obtaining code execution on the In-Vehicle Infotainment (IVI) system enables an attacker to track GPS coordinates, record audio, access contact lists, and even perform lateral movement to other systems and potentially take control of critical software functions of the car, such as the engine.” Read more.
Qantas breach hits 5.7 million customers
Qantas has confirmed a data breach affecting 5.7 million customers after a cyberattack on a third-party platform used by its contact center. The breach, believed to be linked to the threat group Scattered Spider, exposed names, emails, Frequent Flyer details, and, for some individuals, addresses, dates of birth, phone numbers, gender, and even meal preferences. Qantas emphasized that no passwords, financial data, or passport details were compromised. CEO Vanessa Hudson stated that customers are being contacted with more information about their affected data and that “since the incident, we have put in place a number of additional cyber security measures to further protect our customers data, and are continuing to review what happened.” Read more.
McDonald’s flaw exposes 64 million job seekers
Job seekers screened by “Olivia,” the AI chatbot McDonald’s uses to vet applicants, were exposed to a major data breach risk. Security researchers Ian Carroll and Sam Curry discovered that Paradox.ai, the company behind Olivia, had left the administrative interface of McHire.com protected by the default password “123456.” Logging in gave them access to more than 64 million application records containing names, contact information, and chat transcripts. “Had someone exploited this, the phishing risk would have actually been massive,” said Curry, noting that applicants would be “eager and waiting for emails back.” McDonald’s blamed Paradox.ai, which acknowledged the flaws, emphasized that no malicious access occurred, and pledged to launch a bug bounty program. “We do not take this matter lightly, even though it was resolved swiftly and effectively,” said Paradox.ai’s chief legal officer, Stephanie King. “We own this.” Read more.
SatanLock ransomware group announces shutdown
The ransomware group SatanLock has abruptly announced its shutdown, stating via Telegram and its Dark Web leak site that “files will all be leaked today.” Active only since April, SatanLock rapidly gained notoriety after compromising 67 organizations. Some of its victims also appeared on other ransomware leak sites, hinting at connections with other threat actors. The announcement follows a similar one from Hunters International, which is closing its operations while releasing free decryptors; however, it has already reemerged under the new name “World Leaks” and is now focused on data theft. It’s unclear if SatanLock is actually shutting down or also attempting to rebrand itself. Read more.
Mac AMOS infostealer adds stealth backdoor
According to cybersecurity firm Moonlock, the Atomic macOS Stealer (AMOS), a prominent infostealer targeting Apple desktops, has been upgraded with a backdoor, significantly increasing its threat level. Previously focused on stealing cryptocurrency data delivered through cracked software and phishing scams, AMOS now lets attackers gain persistent access, execute remote tasks, and exert extended control over infected Macs. This marks only the second known large-scale macOS backdoor deployment, after one used by North Korean hackers, whose implant remains more capable than AMOS. However, Moonlock warns that “the upgrade to AMOS represents a significant escalation in both capability and intent, whether the changes were made by the original malware authors or by someone else modifying the code.” Read more.
Chrome extensions steal data from 2 million users
Nearly a dozen Chrome extensions with more than 1.7 million installs have been flagged for malicious behavior, including tracking users, harvesting browsing activity, and redirecting traffic. Koi Security researchers discovered the extensions, which masqueraded as tools such as color pickers, VPNs, and emoji keyboards. Many were verified and well-reviewed, and some remain prominently featured on the Chrome Web Store. Researchers note that the extensions contained no malicious code in their initial versions; the malicious logic was added in later updates, pushed to users who had already installed them. Koi Security also found related malicious extensions in the official Microsoft Edge store, accounting for a further 600,000 installs. “Combined, these eighteen extensions have infected over 2.3 million users across both browsers, creating one of the largest browser hijacking operations we’ve documented,” the researchers said. Read more.
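The pattern described above, a benign first release followed by a weaponized update, is easiest to catch at the point where the update changes what the extension is allowed to do. The following is an added example written for this page, not tooling from Koi Security or code from the article: it diffs two versions of an extension's manifest.json and reports newly requested permissions, newly declared host patterns, and newly added background or content scripts. The two manifests are constructed for the example (a color picker that suddenly asks for network-observation rights), and the high-risk permission list is the author's own choice, not a published standard.

```python
"""Flag a browser-extension update that widens its privileges.

Added example, not code from Koi Security or the original article.
Compares two manifest.json documents (Chrome MV3 layout) and reports what
the update adds. The sample manifests are constructed, not real metadata.
"""
import json

# Permissions that let an extension observe or rewrite traffic and tabs.
# A color picker or emoji keyboard has no reason to add these in an update.
# This list is an assumption for the example, not an official risk ranking.
HIGH_RISK_PERMISSIONS = {
    "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "tabs", "history", "cookies", "scripting", "proxy", "management",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample: v1 is a harmless color picker, v2 is the weaponized update.
MANIFEST_V1 = json.dumps({
    "manifest_version": 3, "name": "Color Picker", "version": "1.0.0",
    "permissions": ["storage"],
    "host_permissions": [],
    "content_scripts": [],
})
MANIFEST_V2 = json.dumps({
    "manifest_version": 3, "name": "Color Picker", "version": "1.1.0",
    "permissions": ["storage", "tabs", "webRequest", "declarativeNetRequest"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
    "background": {"service_worker": "bg.js"},
})


def _declared_hosts(manifest):
    """Host patterns the extension can reach: host_permissions, any host
    patterns listed under 'permissions' (MV2 style), and content-script matches."""
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    for cs in manifest.get("content_scripts", []):
        hosts |= set(cs.get("matches", []))
    return hosts


def diff_manifests(old_json, new_json):
    """Return the privileges the update adds plus reviewer findings."""
    old, new = json.loads(old_json), json.loads(new_json)
    added_perms = set(new.get("permissions", [])) - set(old.get("permissions", []))
    added_hosts = _declared_hosts(new) - _declared_hosts(old)

    findings = []
    for p in sorted(added_perms & HIGH_RISK_PERMISSIONS):
        findings.append(f"new high-risk permission: {p}")
    for h in sorted(added_hosts & BROAD_HOSTS):
        findings.append(f"new broad host access: {h}")
    if "background" in new and "background" not in old:
        findings.append("update adds a background script/service worker")
    if new.get("content_scripts") and not old.get("content_scripts"):
        findings.append("update adds content scripts")
    return {
        "added_permissions": sorted(added_perms),
        "added_hosts": sorted(added_hosts),
        "findings": findings,
    }


def is_suspicious_update(old_json, new_json):
    """True when the update crosses a privilege line that warrants manual review."""
    return bool(diff_manifests(old_json, new_json)["findings"])


if __name__ == "__main__":
    report = diff_manifests(MANIFEST_V1, MANIFEST_V2)
    print("added permissions:", report["added_permissions"])
    print("added hosts:", report["added_hosts"])
    for line in report["findings"]:
        print("!", line)
```

In an enterprise, the same comparison can run against the manifests of extensions already deployed (Chrome's managed-extension policies let administrators pin or block extension IDs), so that an update adding `webRequest` or `<all_urls>` to a previously harmless extension is held for review rather than silently installed. A manifest diff only sees declared privileges; an update that already held broad permissions and merely changed its JavaScript would need the script itself compared.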
Scattered Spider widens phishing targets
Check Point researchers have identified approximately 500 suspected phishing domains associated with the cybercrime group Scattered Spider. Signaling a likely expansion beyond previously targeted sectors such as retail, tech, and aviation, the new domains impersonate firms in industries including manufacturing, medtech, financial services, and enterprise platforms. “While not all domains are confirmed to be actively malicious, their alignment with known tactics, techniques, and procedures (TTPs) strongly suggests targeting intent,” the researchers said. Scattered Spider is known for using advanced social engineering and typosquatted domains to bypass MFA and infiltrate organizations, particularly through third-party IT providers. Post-compromise tools include legitimate remote access apps and malware, such as Mimikatz and Raccoon Stealer. Read more.
SafePay ransomware disrupts Ingram Micro
IT giant Ingram Micro has confirmed that a ransomware attack is behind the ongoing outage affecting its global operations. The attack, first reported by BleepingComputer, began early Thursday when employees discovered ransom notes linked to the SafePay ransomware group on their devices. Ingram Micro took critical systems offline after the breach, impacting its Xvantage distribution and Impulse license platforms. Internal services, such as Microsoft 365 and Teams, remain operational. Sources suggest the attackers exploited Ingram Micro’s GlobalProtect VPN, a known tactic of the SafePay gang, which has amassed over 220 victims since late 2024. Ingram Micro initially withheld details, only confirming the attack on Sunday. “The Company took steps to secure the relevant environment… and is working diligently to restore the affected systems,” the company stated, apologizing for the disruption. SafePay typically uses compromised credentials and VPN exploits to infiltrate corporate networks. Read more.
Amazon Prime Day scams surge with fake sites
Security experts are urging Amazon shoppers to stay vigilant even after Prime Day, warning that fraudsters ramped up phishing campaigns and fake websites to exploit the event last week. Researchers at Check Point revealed that over 1,000 Amazon-related domains were registered in June alone, with 87% flagged as malicious or suspicious. Criminals commonly set up counterfeit Amazon login and checkout pages to steal credentials, leading to unauthorized purchases or identity theft. Phishing emails, often disguised as urgent messages about refunds or account problems, are also still circulating. One recent scam used the subject “Refund Due – Amazon System Error” to lure victims to a fake login page. Experts advise shoppers to avoid clicking links in unsolicited emails, verify website addresses, enable two-factor authentication, and use secure payment methods. “Cyber threats around Prime Day are no accident,” warned Omer Dembinsky of Check Point. “With the right habits, shoppers can enjoy deals without falling for the bait.” Read more.
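Both the Scattered Spider item above (typosquatted domains impersonating target firms) and this Prime Day item (Amazon-related domains registered ahead of the event) come down to the same check: does a newly seen domain borrow a brand it does not own? The block below is an added example written for this page, not Check Point's tooling or code from either report. It classifies a constructed list of hostnames against a brand name using three tests: the brand name on a TLD the brand does not own, the brand combined with extra words or confusable characters, and a registrable label within one edit of the brand. The allowlist, the brand list, the confusable table and the two-level suffix set are all assumptions made for the example; a real deployment would draw the allowlist from an asset inventory and the suffix set from the public suffix list.

```python
"""Flag lookalike domains for a brand name.

Added example, not Check Point's tooling or code from the article. Every
list and table below is an assumption for the example; the hostnames scanned
at the bottom are constructed, not domains from either report.
"""

# Assumed allowlist of the brand's own registrable domains.
LEGITIMATE = {"amazon.com", "amazon.co.uk", "amazon.de"}
BRANDS = ("amazon",)

# Characters attackers swap for visually similar ones (partial table).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# Two-level public suffixes the splitter keeps together (illustrative subset).
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host):
    """'mail.amazon-support.co.uk' -> ('amazon-support', 'co.uk')"""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    return labels[-2], labels[-1]


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_confusables(label):
    """Map look-alike characters back to the letters they imitate."""
    for bad, good in CONFUSABLES.items():
        label = label.replace(bad, good)
    return label


def classify(host):
    """Return a reason string if host looks like a brand impersonation, else None."""
    label, suffix = registrable_domain(host)
    if f"{label}.{suffix}" in LEGITIMATE:
        return None
    norm = normalize_confusables(label)
    for brand in BRANDS:
        if label == brand:
            return f"brand name on a TLD not in the allowlist ({label}.{suffix})"
        if norm != label and brand in norm:
            return f"confusable-character substitution ({label} -> {norm})"
        if brand in label:
            return f"brand combined with extra words ({label})"
        if levenshtein(label, brand) <= 1:
            return f"one edit away from {brand} ({label})"
    return None


def scan(hosts):
    """Return {host: reason} for every host that trips a check."""
    hits = {}
    for h in hosts:
        reason = classify(h)
        if reason:
            hits[h] = reason
    return hits


# Constructed sample of newly observed hostnames (not real registrations).
SAMPLE_HOSTS = [
    "www.amazon.com",
    "amazon-refund-center.com",
    "login.amaz0n-account.net",
    "amazn.com",
    "amazon.xyz",
    "secure-prime-deals.com",
]

if __name__ == "__main__":
    for host, reason in scan(SAMPLE_HOSTS).items():
        print(f"{host:32} {reason}")
```

The edit-distance threshold is deliberately kept at one: at two, ordinary words such as "amazing" land within range of a six-letter brand and the false-positive rate climbs quickly. The last sample host, which trades on "prime" without using the brand name, is not caught by any of these tests, which is the limitation of name-based checks; certificate transparency logs and the page content behind the domain are the usual next sources.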
About NetworkTigers

NetworkTigers is the leader in the secondary market for Grade A, seller-refurbished networking equipment. Founded in January 1996 as Andover Consulting Group, which built and re-architected data centers for Fortune 500 firms, NetworkTigers provides consulting and network equipment to global governmental agencies, Fortune 2000, and healthcare companies. www.networktigers.com.
