Weekly Cyber Threat Bulletin: 10 July 2025
Marcelle Lee
7/10/2025, 2 min read


Breaches and Exposures
Ingram Micro Suffers Ransomware Attack
On July 3, Ingram Micro, a major IT distribution company, experienced a significant outage caused by a ransomware attack attributed to the SafePay group. The incident disrupted internal systems and led to a partial infrastructure shutdown to contain the threat. While recovery efforts are ongoing, managed service provider customers have been affected. Initial access was reportedly gained through GlobalProtect VPN, likely via credential abuse, underscoring the importance of monitoring for employee credential exposure.
Vulnerabilities
CitrixBleed 2 Actively Exploited
The latest CitrixBleed vulnerability has reportedly been exploited in the wild for weeks. Tracked as CVE-2025-5777 and reported in June 2025, the vulnerability is a memory buffer over-read caused by insufficient input validation that can lead to credential exposure (sound familiar?) and affects the NetScaler Application Delivery Controller (ADC) and NetScaler Gateway products. Proof of concept (PoC) exploits are available. Citrix has been accused of providing inadequate information about signs of potential exploitation.
An excellent guide on threat hunting opportunities, along with some preliminary indicators of compromise, has also been published. TL;DR: patch and hunt now.
Cybercrime
Tycoon 2FA PhaaS Platform Leverages .es Domains
DNSFilter’s latest research reveals that the Tycoon 2FA phishing-as-a-service (PhaaS) platform has expanded its infrastructure using Spanish country domains (.es). Active since 2023, Tycoon 2FA specializes in adversary-in-the-middle (AitM) attacks to bypass multi-factor authentication (MFA). The platform uses short-lived subdomains hosted on longer-lived root domains and obfuscation techniques such as nested encoding and Base91. The company analyzed over 11,000 unique FQDNs and identified 65 root domain indicators of compromise. Organizations should implement watch/block lists based on the provided indicators.
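The infrastructure pattern described above (many short-lived subdomains under a longer-lived .es root) can be hunted for in resolver logs. The following is an added example, not code from DNSFilter or the bulletin; the log format, domain names, and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample resolver log: "<ISO timestamp> <client> <queried FQDN>".
# Domain names are made up for this example; they are not DNSFilter indicators.
SAMPLE_LOG = """\
2025-07-01T08:00:00 10.0.0.5 a1b2c3.login-secure.es
2025-07-01T08:30:00 10.0.0.7 a1b2c3.login-secure.es
2025-07-02T09:00:00 10.0.0.5 d4e5f6.login-secure.es
2025-07-02T10:00:00 10.0.0.9 d4e5f6.login-secure.es
2025-07-03T11:00:00 10.0.0.5 g7h8i9.login-secure.es
2025-07-01T08:00:00 10.0.0.5 www.example.es
2025-07-20T08:00:00 10.0.0.7 www.example.es
2025-07-21T08:00:00 10.0.0.7 mail.example.es
2025-07-01T08:00:00 10.0.0.5 cdn.example.com
"""


def registered_domain(fqdn: str) -> str:
    """Naive eTLD+1 (last two labels); production code should use the Public Suffix List."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])


def parse_log(text: str):
    """Yield (timestamp, fqdn) pairs from the constructed log format above."""
    for line in text.splitlines():
        if line.strip():
            ts, _client, fqdn = line.split()
            yield datetime.fromisoformat(ts), fqdn.lower()


def suspicious_roots(text: str, tld: str = "es", min_subdomains: int = 3,
                     max_lifetime_days: float = 2.0) -> dict:
    """Return {root: [short-lived subdomains]} for roots under `tld` that host at
    least `min_subdomains` distinct subdomains, each observed for at most
    `max_lifetime_days` between its first and last query."""
    seen = defaultdict(dict)  # root -> fqdn -> [first_seen, last_seen]
    for ts, fqdn in parse_log(text):
        root = registered_domain(fqdn)
        if not root.endswith("." + tld) or fqdn == root:
            continue  # other TLDs and bare root queries are out of scope here
        span = seen[root].setdefault(fqdn, [ts, ts])
        span[0], span[1] = min(span[0], ts), max(span[1], ts)
    flagged = {}
    for root, subs in seen.items():
        short_lived = sorted(
            f for f, (first, last) in subs.items()
            if (last - first).total_seconds() / 86400 <= max_lifetime_days)
        if len(short_lived) >= min_subdomains:
            flagged[root] = short_lived  # watch/block candidates for analyst review
    return flagged
```

Roots that are flagged are candidates for the watch/block list, not automatic blocks; a legitimate root with a few long-lived hosts (example.es above) is not flagged.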
Insider Threat
IT Employee Sells Credentials to Threat Actors
Brazilian authorities have arrested a suspect linked to a massive cyberattack that siphoned over 540 million reais (approximately $100 million) from the country’s banking system. The breach impacted the Brazilian instant payment system Pix via C&M, a software company that connects financial institutions to the Central Bank to enable payment transactions. The suspect was an IT staffer at C&M and reportedly sold their credentials to threat actors, allowing access to the payment environment.
State Sponsored Activity
Iran’s Fox Kitten Ransomware Operations Expanding
Morphisec reported a resurgence of the Pay2Key ransomware, now rebranded as Pay2Key.I2P, linked to Iranian cyber warfare efforts targeting Western organizations. This evolved ransomware-as-a-service (RaaS) operation is tied to the Iran-nexus Fox Kitten threat group, which has been aggressively expanding, offering affiliates up to 80% of ransom profits, especially those aligned with Iran’s geopolitical interests. With over $4 million in ransom payments collected in just four months, Pay2Key.I2P combines ideological motives with financial incentives. The campaign includes a new Linux-targeted variant, and its infrastructure is promoted on Russian and Chinese underground forums. Organizations should review the information and indicators provided in the report for threat hunting activities.
Artificial Intelligence
AI Agents Need Security Awareness Training
A recent blog post from SquareX Labs warns that widely used browser-based AI agents are emerging as the new weakest link in cybersecurity. In one example, a user asked an agent to log in to Salesforce, but the agent inadvertently logged into a fake site, exposing the user's credentials. Would the actual user have noticed the fake site? Maybe, but it seems that the agent needs some security awareness training. As AI becomes more integrated into everyday workflows, especially through browsers, organizations must rethink the risk versus benefit of using these tools until their security matures.