
Weekly Cybersecurity Recap - 24 March 2025
Major Cyber Attacks, Vulnerabilities and Industry Updates
From sophisticated phishing scams leveraging AI tools to a massive Android ad fraud scheme taken down, the cybersecurity landscape continues to evolve rapidly. Organizations face challenges from legacy software weaknesses, supply chain attacks, and malicious browser extensions that target cryptocurrencies. This roundup highlights last week's most important developments in cyber threats, best practices, and vulnerabilities that demand attention.
TAG-140 Deploys DRAT V2 RAT, Targeting Indian Government, Defense, and Rail Sectors
A hacking group suspected to have ties with Pakistan has been intensifying attacks on Indian government agencies using an upgraded variant of the DRAT remote access trojan. Recorded Future’s Insikt Group attributes this activity to TAG-140, which overlaps with the broader SideCopy operation - a sub-cluster of the long-running Transparent Tribe (APT36). This persistent threat actor is known for targeting sensitive defense and government assets.
Massive Android Fraud Operations Uncovered: IconAds, Kaleidoscope, SMS Malware, NFC Scams
Researchers from HUMAN uncovered and disrupted a massive ad fraud scheme dubbed IconAds, involving 352 malicious Android apps. These apps loaded hidden, out-of-context ads while concealing their icons to prevent removal. At its peak, the operation generated 1.2 billion ad bid requests daily, with most fraudulent traffic coming from Brazil, Mexico, and the United States. Google has since removed these apps from the Play Store, but the scale of the fraud underscores persistent mobile threats.
Over 40 Malicious Firefox Extensions Target Cryptocurrency Wallets, Stealing User Assets
Cybersecurity experts have identified over 40 malicious Firefox extensions designed to steal crypto wallet secrets from unsuspecting users. The large-scale campaign has been ongoing since at least April 2025, with new malicious extensions still being uploaded to the Firefox Add-ons store. This persistent threat places users’ digital assets at risk and highlights the need for careful scrutiny of browser add-ons.
Vercel's v0 AI Tool Weaponized by Cybercriminals to Rapidly Create Fake Login Pages at Scale
Threat actors have been abusing Vercel’s v0 AI design tool to churn out convincing fake login pages that closely mimic legitimate brands. v0 allows easy creation of landing pages and full-stack apps from simple prompts, and scammers have weaponized this capability to run sophisticated phishing campaigns. One identity services provider discovered such abuse targeting its own customer. After responsible disclosure, Vercel blocked the phishing sites, but the incident highlights the risk of AI being co-opted by cybercriminals.
Phishing Scammers Push for Callbacks in Latest Innovation
Cybercriminals continue to refine their social engineering tactics, now pushing victims toward callback phishing. In these attacks, targets receive emails that persuade them to call a scammer-controlled number, where attackers then exploit social engineering to extract sensitive data or payments. By getting victims to initiate contact, scammers can bypass traditional email security filters and prey on human emotions to compromise security.
Forminator WordPress Plugin Vulnerability Exposes 400,000 Websites to Takeover
A critical vulnerability (CVE-2025-6463) in the popular Forminator plugin allows attackers to delete arbitrary files and take over WordPress sites. The plugin has over 600,000 active installations, and the flaw stems from insufficient validation in its file deletion functions. Left unpatched, it threatens hundreds of thousands of sites with data loss and full compromise.
IDE Extensions Pose Hidden Risks to Software Supply Chain
Integrated development environments (IDEs) are widely used for modern software development, but researchers warn that malicious extensions can slip through verification checks. As organizations embrace IDEs to streamline development, these hidden risks threaten the integrity of the software supply chain. Attackers can use compromised extensions to plant backdoors or steal sensitive code, making rigorous vetting essential.
OT cybersecurity programs must bridge IT and engineering cultures to defend against cyber threats
Organizations with operational technology (OT) systems need to modernize their security programs to address unique risks. Mature OT security includes strong governance, real-time risk assessment, and updated asset inventories, but many companies still rely on outdated models. This leaves legacy equipment vulnerable to modern threats like ransomware and nation-state attacks, highlighting the urgent need to bridge IT and engineering cultures.
10 cybersecurity best practices for organizations in 2025
A strong cybersecurity posture demands both timeless defenses and new approaches to evolving threats. Best practices include air-gapped backups, frequent employee training, and layered security controls to reduce the impact of breaches. CISOs must balance established fundamentals with proactive strategies to stay resilient in a rapidly changing threat landscape.
Mitigating AI Threats: Bridging the Gap Between AI and Legacy Security
As artificial intelligence reshapes workflows with LLMs and agentic systems, legacy security tools are falling behind. Organizations need a layered defense that combines advanced monitoring, human-centric tools, and adaptive policies. Without these updates, businesses risk falling prey to AI-specific threats like covert prompt engineering and rapidly evolving malware patterns.