Skip to main content
Back to Threat Intelligence
July 28, 2025Threat AdvisoryBy Matt Johnson

Cyber Threat Intel - Monday | July 28, 2025

Global Threats, Local Impact: This Week's Cyber Risk Update

Nation-state actors exploiting SharePoint zero-days, a coordinated attack wiping 7,000 servers at Russia's largest airline, and AI-driven fraud reaching a new scale. Here's what you need to know going into the week ahead.

This past week has been a loud reminder that cyber threats are growing in speed, scale, and sophistication. From nation-state actors exploiting enterprise systems to AI-driven fraudsters executing multi-million-dollar scams, the digital threat landscape is evolving at a relentless pace.

In this week's roundup, we unpack three major developments: an urgent Microsoft SharePoint vulnerability, a massive cyberattack crippling Russian airline operations, and the explosive rise of AI-enhanced scams. Here's what you need to know to protect your organization going into the week ahead.

1

Microsoft SharePoint Zero-Day Exploited by Nation-State Hackers

What Happened

Multiple Chinese-linked threat groups - identified as Storm-2603, Linen Typhoon, and Violet Typhoon - are exploiting critical zero-day vulnerabilities in Microsoft SharePoint on-premises environments. These exploits are being used to deploy the "Warlock" and LockBit ransomware strains, compromising enterprise systems and data.

Timeline

July 7, 2025

Vulnerability publicly disclosed

July 10, 2025

Microsoft patch issued

July 20+

Exploits detected bypassing the patch - repatching required

Impact

  • Thousands of vulnerable servers exposed globally
  • Remote code execution (RCE) enables full control of compromised servers
  • Exploits are bypassing standard AMSI protections

Required Mitigation

  • Re-patch all SharePoint servers immediately - even if you applied the July 10 patch
  • Rotate ASP.NET machine keys and restart IIS services
  • Isolate public-facing SharePoint instances from internal networks
  • Monitor for indicators of compromise, including new .aspx files in /_layouts/
2

Aeroflot Disrupted by Coordinated Cyberattack

What Happened

Aeroflot, Russia's largest airline, experienced widespread flight cancellations and IT outages after a massive cyberattack reportedly led by the Belarusian "Cyber Partisans" and Ukrainian group "Silent Crow." The attackers claim to have infiltrated systems for nearly a year before executing the destructive phase.

7,000

Servers wiped

20 TB

Data stolen

100+

Flights disrupted

~1 year

Dwell time

What Was Stolen

Exfiltrated data reportedly includes surveillance footage, travel logs, and executive communications. Russian state authorities have opened investigations.

Why It Matters for SMBs

This is one of the most significant aviation cyber incidents of 2025. It demonstrates how cyber warfare is moving beyond disruption and toward long-term infiltration and intelligence gathering - a tactic increasingly mirrored in commercial sector attacks. The one-year dwell time underscores why continuous monitoring and anomaly detection are non-negotiable.

3

AI-Powered Scams: The New "Nuclear Bomb"

What Happened

Scammers are using deepfake videos, voice cloning, and AI-driven reconnaissance to execute financial fraud at unprecedented scale. A recent case in Australia saw $20 million stolen via a manipulated virtual meeting featuring a fake CEO constructed with real-time AI audio and video.

Key Tactics

  • AI-enhanced phishing - personalized and adaptive at scale
  • Deepfake voice and video calls bypassing verification
  • Automated social engineering pipelines

Emerging Risks

  • Business Email Compromise (BEC) at unprecedented scale
  • Zero-day deepfakes bypassing identity checks
  • Reduced human suspicion due to hyper-realism

Response Strategy

  • Refresh employee awareness training with specific AI scam scenarios
  • Adopt voice and visual verification protocols for financial approvals
  • Implement advanced behavioural detection tools across endpoints
  • Establish out-of-band confirmation for wire transfers and executive requests
High

Threat Actor Highlights

Storm-2603 / Linen Typhoon / Violet Typhoon

China-linked

Three overlapping Chinese-nexus groups coordinating SharePoint exploitation campaigns. Primary objectives are espionage and ransomware deployment targeting government, defence, and enterprise sectors.

Cyber Partisans / Silent Crow

Belarus / Ukraine-linked

Hacktivist-aligned groups targeting Russian critical infrastructure and government systems. Demonstrate sophisticated long-dwell capabilities previously associated with nation-state actors.

From Intelligence to Action

These developments are more than isolated incidents - they reflect a maturing threat landscape where cybercriminals leverage enterprise tools, nation-state tactics, and AI-driven automation. Your organization's defenses need to keep pace.

Your Week-Ahead Checklist

  • Audit and re-patch SharePoint servers, even if patched on July 10
  • Implement network segmentation for critical infrastructure and servers
  • Review MFA enforcement and consider out-of-band voice verification for high-value actions
  • Launch a tabletop exercise simulating AI-driven phishing or BEC scenarios
  • Verify EDR coverage extends to SharePoint application servers
  • Review email gateway rules to flag or sandbox archive attachments

About SOClogix

SOClogix specializes in providing cyber threat intelligence, 24/7 monitoring, and managed detection and response (MDR) tailored for SMBs and mid-market organizations. Our mission is to help businesses stay ahead of evolving threats with actionable intel, proactive defense, and rapid incident response.

If your organization needs help assessing cyber risks, responding to threats, or enhancing your security posture, the experts at SOClogix are here to help. Contact us today for tailored threat intelligence, managed security services, and proactive protection that keeps your business secure.

Matt Johnson

Matt Johnson

CEO & Founder, SOClogix

Full bio →
Threat AdvisorySharePointZero-DayRansomwareAI ScamsBECNation-StateAeroflotSMB Security