San Mateo, CA, July 7, 2025 — Stories, events, and developments that impacted the cybersecurity landscape last week, including emerging threats, policy changes, and industry responses.
Hunters ransomware ends operations and offers free decryptors
Hunters International, a prolific ransomware-as-a-service (RaaS) group, announced that it is shutting down operations and offering free decryption tools to victims. “After careful consideration and in light of recent developments, we have decided to close the Hunters International project. This decision was not made lightly, and we recognize the impact it has on the organizations we have interacted with,” the cybercrime gang said. “As a gesture of goodwill and to assist those affected by our previous activities, we are offering free decryption software to all companies that have been impacted by our ransomware. Our goal is to ensure that you can recover your encrypted data without the burden of paying ransoms.” Victims can now request decryption software and recovery assistance via the gang’s dark web portal. It is believed that increasing law enforcement scrutiny and declining profits have caused the group to rebrand and focus on its extortion-only successor, World Leaks. Read more.
FBI says Salt Typhoon hackers “largely contained”
The FBI says Chinese Salt Typhoon hackers behind a major U.S. telecommunications breach are currently “largely contained” and “dormant” within compromised networks. However, the criminal group still poses a serious threat. FBI Cyber Division chief Brett Leatherman told CyberScoop that “Salt Typhoon, even though it was [an] espionage campaign, had access to telecommunications infrastructure… You can pivot from access in support of espionage to access in support of destructive action.” Nine U.S. telecom companies were breached, with more victims revealed through international information sharing. Leatherman said that removing hackers from telecom networks is challenging because the longer they remain, the more ability they have to “create points of persistence.” Read more.
Catwatchful flaw leaks victim data
A critical security flaw in the Catwatchful Android spyware operation has exposed thousands of its users and the personal data of over 26,000 victims, according to security researcher Eric Daigle. Catwatchful, disguised as a parental monitoring app, secretly steals photos, messages, locations, and even ambient audio from targeted phones, uploading the data to servers under the control of the spyware’s operators. The exposed database, obtained by TechCrunch, contained customer emails, plaintext passwords, and details linking Uruguayan developer Omar Soca Charcov to the operation. Daigle reported that the spyware’s API was unauthenticated, allowing anyone to access the database. Despite Google Play Protect updates designed to detect Catwatchful, the operation remains active, utilizing Google’s Firebase to store stolen data. Read more.
North Korean macOS malware targets crypto
North Korean state-sponsored hackers are using advanced macOS malware, known as NimDoor, to target cryptocurrency and Web3 organizations, according to researchers from SentinelLabs. The attacks employ social engineering to impersonate trusted contacts on Telegram and trick victims into downloading a fake Zoom SDK update. The malware, written in the increasingly popular Nim language, employs complex multi-stage attack chains that combine AppleScript, C++, and Nim binaries. These techniques make detection difficult and allow for persistent system access. “North Korean-aligned threat actors have previously experimented with Go and Rust, similarly combining scripts and compiled binaries into multi-stage attack chains,” the researchers wrote. “However, Nim’s rather unique ability to execute functions during compile time allows attackers to blend complex behavior into a binary with less obvious control flow, resulting in compiled binaries in which developer code and Nim runtime code are intermingled even at the function level.” Read more.
Phishing awareness training doesn’t work
A new large-scale study casts doubt on the effectiveness of common phishing awareness programs, suggesting they have a minimal measurable impact on employee cybersecurity. Researchers from UC San Diego, UCSD Health, and the University of Chicago tested various training methods across nearly 20,000 healthcare employees, finding only minor improvements from interactive training, while static courses showed no benefit and even increased risk in some cases. These results align with a 2021 ETH Zurich study, which found that awareness training can sometimes make employees feel falsely secure, thereby increasing their susceptibility to phishing. Experts suggest shifting the burden off employees through technical defenses, such as hardware-based two-factor authentication, if current awareness programs are proving largely ineffective. Read more.
U.S. sanctions Russian host Aeza
The U.S. Treasury has sanctioned Russia-based Aeza Group, a bulletproof hosting (BPH) provider accused of supporting ransomware gangs, phishing operations, and dark web marketplaces with reliable, takedown-resistant infrastructure. Sanctions also target Aeza’s UK branch, subsidiaries, and four individuals, including CEO Arsenii Penzev, arrested in April for allegedly facilitating drug trafficking via BlackSprut. Aeza has hosted infrastructure for ransomware groups, including BianLian and LockBit, as well as pro-Russian influence campaigns, such as Doppelganger. These sanctions follow similar actions against other BPH providers, part of global efforts to disrupt cybercrime networks and dismantle the critical services enabling them. Read more.
International Criminal Court hit with cyberattack
The International Criminal Court (ICC) has suffered a new “sophisticated and targeted” cyberattack, the tribunal confirmed on June 30. The incident has been contained through the ICC’s internal alert and response systems, though a full impact analysis remains underway. The Court is seeking support from the international community as it works to mitigate any fallout and safeguard its operations. This marks the second major cyber incident for the ICC, following a 2023 espionage-related attack interpreted as an effort to undermine its mandate. With investigations spanning Ukraine, Palestine, Sudan, Libya, and others, and arrest warrants issued for high-profile figures like Vladimir Putin and Benjamin Netanyahu, the ICC remains a likely target for nation-state cyber operations. Courts globally have faced similar threats, as seen in high-profile breaches in Australia and the U.S. that exposed sensitive court proceedings and documents. Read more.
AT&T adds SIM swap account lock
AT&T has expanded its Wireless Account Lock feature to all customers to combat the rising threat of SIM-swapping and account takeover attacks. The tool, which had been gradually rolled out earlier this year, mirrors protections already offered by T-Mobile, Verizon, and Google Fi. Available through AT&T’s mobile app, the lock restricts critical account changes, such as SIM swaps, number transfers, and billing updates. Users receive alerts of any modifications to maintain transparency. Prepaid accounts also benefit from adapted protections. Business customers can apply tailored restrictions via a Business Account Lock. Amid increasing mobile account hijacking incidents, experts emphasize the importance of layered security, including multi-factor authentication and hardware-based tools. The move follows growing concern after breaches such as Salt Typhoon’s telecom attack, which targeted high-profile U.S. government officials. Read more.
FBI warns of health data scams
The FBI has issued a warning about cybercriminals impersonating health fraud investigators to steal sensitive personal and medical information from Americans. “These criminals are sending emails and text messages to patients and health care providers, disguising them as legitimate communications from trusted health care authorities,” the FBI said. The messaging is designed to pressure victims into revealing protected health details and financial information or making reimbursements for fake service overpayments. The FBI urges caution when receiving unsolicited messages requesting personal data and advises verifying communications directly with healthcare providers. In 2024, imposter scams cost Americans $2.95 billion, while overall cybercrime losses reached $16.6 billion, driven by tactics such as business email compromise (BEC) targeting healthcare organizations. Read more.
Cybercriminals are weaponizing Facebook ads
Cybercriminals are exploiting Facebook’s advertising platform to distribute malware and steal cryptocurrency wallet credentials, leveraging the popularity of Pi Network. The campaign, which has been active since June 24, 2025, coincides with Pi2Day and has deployed over 140 deceptive ad variations worldwide. The ads masquerade as official Pi promotions, offering fake mining apps and fraudulent wallet access to trick users into revealing their 24-word recovery phrases or downloading malware. Bitdefender reports two primary attack vectors: phishing pages mimicking Pi Wallet interfaces and malicious applications disguised as Pi mining software. These apps deliver multi-stage malware designed to steal passwords, wallet keys, and sensitive data while maintaining persistence and evading detection. Read more.
