01 August 2025

Contextal Monthly Threat Brief - July 2025

July 2025 brought intensified ransomware and espionage activities, defined by sophisticated zero-day exploits, surging infostealer and extortion campaigns, and attackers creatively repurposing known techniques with new payloads.

Old Tricks, New Campaigns

Attackers have a habit of recycling previous techniques.

Last year, we highlighted the use of handcrafted Office files in phishing campaigns and proposed mitigation strategies. In July, we observed the same technique re-emerging in the wild.

Learn More

Learn how attackers are using malformed Office files and how to protect yourself in our detailed article.

SharePoint on Fire

Critical Microsoft SharePoint vulnerabilities are being actively exploited worldwide by multiple threat groups.

The result? Ransomware and infostealers deployed across hundreds of organizations - including U.S. federal agencies.

Advice

As always, patching delays = threat actor advantage. Don’t wait - deploy security updates ASAP.

Ransomware at Full Force

Ransomware operations intensified, driven by highly organized groups deploying multi-platform payloads and double-extortion (exfiltrate & encrypt) tactics. Threat actors like Lynx and Everest executed targeted attacks against critical infrastructure, manufacturing, and IT services, demanding multi-million dollar ransoms.

Video - Real Life Negotiations

Ever wondered what negotiating with ransomware operators actually looks like? Watch our short video to get a behind-the-scenes look.

Malware Hidden in Steam Game

A game called Chemia, released on Steam Early Access, was found to contain multiple malware strains - Vidar Stealer, Fickle Stealer, and HijackLoader. These were used to steal credentials, hijack browsers, and enable future payload drops.

Chemia was advertised as an "adventurous survival game" - and it seems it made survival part of real life, too. The campaign underscores how even trusted platforms like Steam can be abused for large-scale malware distribution.

National Guard Deployed After Cyberattack

The city of St. Paul, Minnesota, faced a devastating cyberattack that targeted city networks, prompting the National Guard to step in and support recovery efforts. Threat actors exfiltrated sensitive data and deployed ransomware, disrupting public services. Authorities are still investigating the attack, which highlights the growing threat to critical infrastructure.

Did You Know?

Contextal Platform includes a special data firewall mode for critical infrastructure protection.

Hafnium-Linked Hacker Arrested in Italy

On July 3, Italian authorities arrested Xu Zewei, a hacker connected to the Chinese state-sponsored group Hafnium, responsible for targeting Microsoft Exchange servers.

The attacks caused widespread compromise of sensitive data, including COVID-19 research, intellectual property, and confidential communications - leading to estimated multi-billion-dollar damages globally. This arrest underscores increased international cooperation against severe cyber espionage threats.

Good Practices & Key Takeaways

July showed how rapidly threat actors adapt, scale, and target critical systems. Based on this month’s incidents, here are key actions every organization should consider:

Segment critical infrastructure

Use strict network segmentation and enable special protective modes (like Contextal Platform’s data firewall) for essential services.

Patch aggressively

Prioritize known exploited vulnerabilities, such as the SharePoint and Chrome zero-days (CVE-2025-49704, CVE-2025-6554).

Vet third-party apps and platforms

Even trusted platforms like Steam can carry malware. Audit all new software before deployment.

Back up critical data

Combine strong backup strategies with user awareness to reduce the impact of ransomware and phishing threats.
Thank you for reading.

With decades of cybersecurity expertise, we’re here to help you stay ahead of emerging threats.
Have questions or need guidance? Reach out to our expert team.

Stay safe!