New Undetectable “Plague” Malware Targets Linux Servers for Persistent SSH Access
Security researchers have identified a highly evasive Linux backdoor called “Plague,” which has successfully avoided detection by all major antivirus vendors. This malware establishes persistent SSH access on compromised Linux servers, raising alarms within the IT security community due to its stealth techniques and effectiveness.
Discovery and Technical Characteristics
The “Plague” malware was discovered after researchers analyzed unusual network traffic and unexplained system modifications on several production Linux systems. Upon investigation, multiple Plague samples were uploaded to malware databases, yet none triggered alerts from established signature and heuristic scanners, indicating new techniques in detection evasion.
Plague leverages advanced process injection and kernel-level rootkit functionality to hide its presence. It disables logging of SSH-related events, modifies core authentication modules to insert authorized keys, and persists across reboots by altering system startup scripts. The binary frequently alters its own hash and file metadata, further complicating forensic analysis and automated detection.
Method of Initial Infection
The initial infection vector appears to be weak or default SSH credentials on exposed Linux servers. Attackers automate credential stuffing and brute-force attacks at scale, followed by the deployment of precompiled binaries customized for the specific kernel version of the target. Installation scripts escalate privileges where possible before deploying the full backdoor toolkit.
Impact and Mitigation Guidance
The threat from Plague is significant for organizations running publicly accessible Linux servers, especially those securing confidential data or handling network infrastructure. Security experts recommend immediate review of SSH access controls, frequent scanning for unauthorized SSH keys, and the implementation of memory forensics to detect suspicious in-memory artifacts not visible on disk. Patching known vulnerabilities and hardening SSH configurations are critical defense measures.
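The "frequent scanning for unauthorized SSH keys" recommended above is easy to automate: parse every authorized_keys file, compute the OpenSSH SHA256 fingerprint of each key, and diff against a baseline inventory. The script below is an added example written for this digest, not tooling from the researchers or any vendor named in the article; the sample authorized_keys text and key bytes are constructed placeholders, and the baseline format (a set of fingerprints) is an assumption. It also flags a declared key type that disagrees with the type encoded in the key blob, a malformed entry that a hand-edited file can contain.

```python
import base64
import glob
import hashlib
import struct
from dataclasses import dataclass

# Key types sshd accepts in authorized_keys (constructed allowlist for this example).
KEY_TYPES = (
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com",
    "sk-ecdsa-sha2-nistp256@openssh.com",
)


@dataclass
class KeyEntry:
    line_no: int
    options: str
    key_type: str
    blob: bytes
    comment: str

    @property
    def fingerprint(self) -> str:
        # OpenSSH fingerprint: SHA256 over the wire blob, base64 without padding.
        digest = hashlib.sha256(self.blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

    @property
    def embedded_type(self) -> str:
        # The wire blob begins with a length-prefixed string naming the key type.
        if len(self.blob) < 4:
            return ""
        (n,) = struct.unpack(">I", self.blob[:4])
        return self.blob[4:4 + n].decode(errors="replace")


def _split_quoted(line: str) -> list[str]:
    """Split on whitespace but keep quoted option values (command="a b") intact."""
    tokens, cur, in_quote = [], [], False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch.isspace() and not in_quote:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_authorized_keys(text: str) -> list[KeyEntry]:
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = _split_quoted(line)
        # The first token that is a key type ends the optional options field.
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            raise ValueError(f"line {line_no}: not a recognisable authorized_keys entry")
        blob = base64.b64decode(tokens[idx + 1], validate=True)
        entries.append(KeyEntry(line_no, " ".join(tokens[:idx]), tokens[idx],
                                blob, " ".join(tokens[idx + 2:])))
    return entries


def audit(text: str, baseline: set[str]) -> list[tuple[int, str, str]]:
    """Return (line_no, fingerprint, reason) for every entry that needs review."""
    findings = []
    for e in parse_authorized_keys(text):
        fp = e.fingerprint
        if e.embedded_type != e.key_type:
            findings.append((e.line_no, fp, f"declared {e.key_type} but blob encodes {e.embedded_type}"))
        if fp not in baseline:
            findings.append((e.line_no, fp, f"key not in baseline (comment: {e.comment!r})"))
    return findings


def audit_host(baseline: set[str], pattern: str = "/home/*/.ssh/authorized_keys"):
    """Run the audit over the files on a live host (root's file is assumed at the default path)."""
    results = {}
    for path in glob.glob(pattern) + ["/root/.ssh/authorized_keys"]:
        try:
            with open(path, encoding="utf-8") as fh:
                results[path] = audit(fh.read(), baseline)
        except FileNotFoundError:
            continue
    return results


def _ed25519_blob(pub: bytes) -> str:
    """Build the OpenSSH wire encoding of an Ed25519 public key (constructed test data)."""
    t = b"ssh-ed25519"
    return base64.b64encode(struct.pack(">I", len(t)) + t + struct.pack(">I", len(pub)) + pub).decode()


# Constructed sample: key bytes are deterministic placeholders, not real keys.
KNOWN_KEY = _ed25519_blob(bytes(range(32)))
ROGUE_KEY = _ed25519_blob(bytes(range(32, 64)))
SAMPLE_AUTHORIZED_KEYS = f"""# managed by configuration management
from="10.0.0.0/8" ssh-ed25519 {KNOWN_KEY} admin@bastion
command="/usr/bin/true",no-pty ssh-ed25519 {ROGUE_KEY} backup
ssh-rsa {KNOWN_KEY} mislabelled
"""

# Baseline built from the approved inventory (here: only the admin key).
BASELINE = {e.fingerprint for e in parse_authorized_keys(f"ssh-ed25519 {KNOWN_KEY} admin@bastion\n")}

if __name__ == "__main__":
    for line_no, fp, reason in audit(SAMPLE_AUTHORIZED_KEYS, BASELINE):
        print(f"line {line_no} {fp}: {reason}")
```

Because the article notes that Plague patches authentication modules and hides files, a clean authorized_keys audit is necessary but not sufficient; treat it as one signal alongside the memory forensics and SSH log review the guidance calls for, and run it from a known-good image rather than trusting the host's own tooling.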
Ongoing Research and Response
Collaboration between major antivirus vendors and incident response teams is ongoing, aiming to dissect the latest samples and generate reliable detection signatures. Network defenders are advised to monitor for anomalous outbound SSH connections and implement behavioral analytics to spot indicators of compromise associated with Plague variants.
Akira Ransomware Exploits SonicWall Firewall 0-Day in New Campaigns
The Akira ransomware group has launched a highly targeted campaign exploiting a newly identified zero-day vulnerability in SonicWall firewall appliances. This attack has resulted in rapid compromise of critical network gateways, significantly elevating the risk profile for organizations relying on these devices for perimeter security.
Attack Vector and Exploit Details
In late July 2025, cybersecurity researchers observed a surge in intrusions against networks using SonicWall firewalls. The entry point was traced to a previously unknown software flaw enabling remote code execution on affected devices. The flaw allows unauthenticated attackers to deploy malicious binaries directly onto the firewall operating system.
Once inside, Akira operators deploy lateral movement tools to disable endpoint protections, access internal network file shares, and exfiltrate sensitive data before issuing ransomware payloads. Security teams have reported that standard detection mechanisms are often circumvented due to the privileged position of the compromised firewalls.
Indicators of Compromise and Defensive Actions
Threat intelligence partners have released a list of known malicious IP addresses used in the attacks, along with file hashes for the primary Akira ransomware binaries. SonicWall has acknowledged the vulnerability and initiated an emergency patching effort. Until patches are applied, organizations are urged to restrict management interface exposure, review VPN logs for unusual connections, and monitor for traffic indicative of command-and-control beaconing.
Broader Implications for Network Security
This campaign underscores the evolving threat landscape in which perimeter devices—often considered robust defenses—have become attractive targets for sophisticated ransomware gangs. Organizations are encouraged to adopt a layered security approach and to audit firewall configurations for signs of compromise proactively.
Qilin Ransomware Panel Breach Exposes Affiliate Network and Tactics
A major security breach within the Qilin ransomware operation has led to the public exposure of its affiliate panel credentials, offering rare insight into the internal workings of this prolific ransomware group. The leak provides unparalleled intelligence for defenders and researchers seeking to understand Ransomware-as-a-Service (RaaS) operations.
Nature and Scope of the Breach
In July 2025, investigators identified that login credentials for Qilin’s administrative infrastructure were circulating in cybercrime forums. Analysis of the exposed data revealed Qilin’s approach to affiliating criminal operators, managing campaign resources, and handling victim negotiations.
The breach encompasses administrator and affiliate logins, transactional records, victim communications, and payment details. This dataset exposes the scale of Qilin’s activities, the geographic diversity of its affiliates, and the operational security measures employed to conceal their identities.
Operational Techniques and Insights
Qilin’s platform includes robust access management, allowing affiliates to independently launch attacks and manage ransom communications. The panel logs indicate a rapid onboarding process, detailed reporting dashboards for ransom payments, and automated deployment tools for malware samples.
The exposed data also hints at collaboration and intelligence-sharing between Qilin and other ransomware outfits, including guidance materials for avoiding law enforcement detection. Security analysts are now sifting through these documents to correlate known incidents and refine detection signatures for Qilin attacks.
Implications for Defenders and Law Enforcement
This breach is a valuable source of threat actor intelligence, arming defenders with new indicators of compromise, attack methodologies, and payment tracing opportunities. Law enforcement agencies worldwide are leveraging the leaked data to support attribution, victim notification, and takedown operations.
Threat Actors Exploiting EDR Free Trials to Disable Endpoint Protections
Security researchers have revealed a new attack technique that leverages free trials of legitimate Endpoint Detection and Response (EDR) solutions to covertly bypass and even uninstall existing security products, giving attackers unfettered access to target endpoints.
Mechanism of Exploitation
Attackers trick organizations into installing trial versions of EDR platforms by phishing IT administrators, exploiting brand trust in popular security products. Once installed, trial software often requests elevated privileges and prompts the administrator to remove or disable existing endpoint protections to avoid conflicts, which attackers exploit for persistent system compromise.
Advanced attack variants automate the installation process and use social engineering techniques to trick victims into disabling built-in security measures entirely, creating a window for further exploitation and lateral movement.
Observed Impact and Response Strategies
Successful attacks result in the wholesale disabling of endpoint visibility, making it challenging for security operations teams to spot malicious activity or recover evidence post-compromise. Experts urge organizations to restrict administrative privileges, verify the legitimacy of any new software installs, and educate IT personnel about this emerging threat.
SafePay Ransomware Surges with Multi-National Attack Spree
The SafePay ransomware group has rapidly expanded its operations, striking more than 260 organizations in recent weeks in a multi-national attack campaign. Since its emergence in 2024, SafePay has leveraged advanced evasion tactics and supply-chain attacks to achieve widespread impact.
Attack Methods and Infection Chains
SafePay initially infiltrates corporate networks via phishing campaigns and software supply chain compromises. The group employs custom loaders to deploy ransomware payloads only after extensive network reconnaissance and data exfiltration. Infected systems experience rapid encryption of critical business files and the display of sophisticated ransom notes demanding payments in cryptocurrency.
Evidence suggests that SafePay operators also seek out and erase local and cloud backups prior to data encryption, compounding victim recovery challenges. The group’s infrastructure is highly modular, allowing adaptive targeting across a wide range of enterprise environments, from healthcare to manufacturing.
Global Response and Recommendations
Governments and cybersecurity firms in affected regions are coordinating threat intelligence sharing and victim assistance programs. Defensive recommendations include heightened scrutiny of inbound email attachments, regular testing of incident recovery procedures, and implementation of offline backups to reduce ransomware impact.
Singapore’s Defensive Response to Ongoing State-Linked APT Operations
Singapore’s cybersecurity leadership has issued public statements detailing the country’s countermeasures against state-linked Advanced Persistent Threat (APT) campaigns, particularly those attributed to the group UNC3886. The nation’s defensive posture emphasizes sector-wide collaboration and the integration of advanced AI-driven threat intelligence.
Nature of the Threat and Ongoing Attacks
The APT campaigns involve persistent phishing, supply chain compromise, and exploitation of zero-day vulnerabilities in both government and private sector networks. Attackers are known for using custom malware, data exfiltration tools, and sophisticated evasion techniques—including living-off-the-land binaries.
Coordinating Minister for National Security, K. Shanmugam, outlined ongoing investments in SOC modernization and real-time sharing of threat data among critical infrastructure operators. Singapore’s cyber crisis response teams are heavily engaged in incident remediation and digital forensics.
Broader Geopolitical Context
Singapore’s proactive transparency seeks to foster trust with global partners and deter future cyber-espionage activities. Regional cooperation is being prioritized to counteract the transnational nature of the threat.
Malicious Weaponized RMM Tools Target European Organizations
A dynamic cyber campaign has emerged using legitimate but weaponized Remote Monitoring and Management (RMM) tools to silently embed persistent access within enterprise networks. European financial and technology organizations have been particularly affected.
Tactics and Infection Workflow
Attackers use spear-phishing and social engineering tactics to persuade IT staff to install trusted RMM tools—such as AnyDesk or TeamViewer—on key network devices. Once installed, the attackers repurpose the legitimate remote access features for silent lateral movement and data staging.
The campaign abuses the common practice of allowlisting RMM tools in antivirus and EDR policies, bypassing many detection controls and remaining largely invisible to network defenders until sensitive data is exfiltrated or business operations are disrupted.
Mitigation and Detection
Experts recommend closely auditing all RMM installations, restricting remote access to predefined secure channels, and monitoring for abnormal activity related to remote desktop sessions. Enhanced user education and access policy reviews are advised to curb this rising threat.
Orange Experiences Major Service Disruption Following Cyberattack
Orange, one of Europe’s largest telecommunications providers, suffered a disruptive cyberattack that impacted services for both corporate and individual customers. Operational disruptions ranged from internet outages to degraded mobile and enterprise solutions across multiple geographies.
Attack Timeline and Technical Effects
The incident, reported in late July 2025, involved coordinated actions that targeted core network management systems. Service disruptions were compounded by attempts to overload internal support infrastructure, making real-time customer assistance unavailable for extended periods.
While details of the intrusion vector are still under investigation, preliminary assessments indicate a combination of social engineering and targeted exploitation of legacy network devices may have allowed attackers initial access.
Restoration Efforts and Follow-Up
Orange’s security and engineering teams launched emergency incident response measures, including network segmentation, forced re-authentication and credential rotation for administrators, and expanded forensic collection. Post-incident reviews are focusing on identifying potential data breaches and enhancing preemptive monitoring measures.
City of Saint Paul Enlists National Guard Following Ransomware Attack
An aggressive ransomware attack against the City of Saint Paul prompted Minnesota Governor Tim Walz to deploy the National Guard in support of municipal IT recovery efforts. The attack crippled city services, including emergency response, public records, and financial systems.
Timeline of the Incident and Immediate Impacts
Attackers encrypted vital data stores and attempted to exfiltrate sensitive personal and municipal data. The city’s IT staff, overwhelmed by the breadth of the attack, requested additional state and federal resources. Digital forensic units were brought in to contain the spread and begin restoration of affected services.
The involvement of National Guard cyber units reflects the growing role of military and defense resources in responding to significant domestic cyber incidents with potential public safety ramifications.
Broader Implications
This episode highlights evolving trends in ransomware tactics targeting local governments with critical infrastructure and limited cybersecurity resources. Other municipalities are reviewing their own incident preparedness based on lessons learned from Saint Paul’s experience.
TCC Bypass Vulnerability Could Leak Apple Intelligence Cached Data
Security researchers have identified a critical Transparency, Consent, and Control (TCC) bypass that endangers privacy for Apple device users by exposing cached information managed by new Apple Intelligence features, including geolocation and biometric data.
Technical Details
The bypass allows adversaries to access sensitive data despite user-imposed privacy restrictions. Attackers use specially crafted processes to circumvent sandboxing and read cached Apple Intelligence data. The vulnerability poses a particular risk on devices where physical access is possible or where malware is already executing with user-level privileges.
Response and Recommendations
Apple is actively working to mitigate the flaw in upcoming software updates. In the interim, users should minimize the exposure of sensitive device features, apply security patches promptly, and monitor security advisories for remediation progress.