Byer-Nichols Threat Brief July 15 2025
Digital Rage

Season: 2

Published: July 18, 2025

By: Byer Co

The provided source is a cybersecurity threat brief from Byer-Nichols, covering the first half of July 2025. It highlights Qilin as the leading ransomware and notes that small businesses, particularly in the manufacturing and technology sectors in the U.S., are the most frequent victims. The report also identifies emerging adversaries like Gamaredon and Scattered Spider, lists actively exploited vulnerabilities including those in Wing FTP Server and Chromium V8, and details trending malware such as Anatsa and Gh0stRAT. Finally, it summarizes top cybersecurity news, ranging from browser zero-day attacks to the disruption of a North Korean IT worker scheme.

Link: Byer-Nichols Threat Brief July 15 2025

Keywords: marketing, SEO, cybersecurity, Digital Marketing

Episode Transcript

00:00:00 - 00:00:04
Welcome back to Digital Rage. I'm Jeff, the producer here at Byer Company.
00:00:04 - 00:00:08
This is our first episode for a new collaboration called the Byer-Nichols
00:00:08 - 00:00:13
Threat Brief, written by cybersecurity expert Jeremy Nichols. This will be a
00:00:13 - 00:00:18
twice-a-month report presenting data about the latest cybersecurity threats and
00:00:18 - 00:00:23
trends. This first episode will be published on July 21st and the data
00:00:23 - 00:00:27
covers July 1st through the 15th. Let's check it out.
00:00:27 - 00:00:32
Welcome to the Deep Dive. You know, in cybersecurity it really feels like you're
00:00:32 - 00:00:36
trying to walk on quicksand sometimes. The ground's always shifting, threats
00:00:36 - 00:00:41
change constantly, and just trying to keep up feels like a full-time job.
00:00:41 - 00:00:45
It absolutely can. But what if you could get the really crucial insights?
00:00:45 - 00:00:51
Those aha moments from the latest intelligence without having to wade
00:00:51 - 00:00:54
through all the data yourself? Yeah, that's the goal. Well, that's exactly our
00:00:54 - 00:00:57
mission today. We're doing a deep dive into the Byer-Nichols Threat Brief
00:00:57 - 00:01:04
cybersecurity data, specifically for July 1st to 15th, 2025. A very recent snapshot.
00:01:04 - 00:01:08
Exactly. Think of it as your shortcut to getting, you know, really well informed
00:01:08 - 00:01:13
quickly. Thirdly. This report gives us that precise picture of what's been
00:01:13 - 00:01:16
happening. The big ransomware players, critical vulnerabilities, those high
00:01:16 - 00:01:21
profile incidents, the stuff that makes headlines. And you're so right about
00:01:21 - 00:01:26
the dynamic nature. It moves incredibly fast. What was a major threat last month
00:01:26 - 00:01:32
might be, well, old news today, or it's mutated into something else entirely.
00:01:32 - 00:01:36
Understanding these trends isn't just for security pros anymore, is it? It's
00:01:36 - 00:01:41
becoming vital for pretty much everyone online. Absolutely. The speed is just, yeah.
00:01:41 - 00:01:46
So this kind of focused look is incredibly relevant. Okay, let's jump right in then.
00:01:46 - 00:01:54
The evolving battlefield: first half of July 2025. One name really jumps out on
00:01:54 - 00:02:00
the ransomware front. Qilin. Qilin. It was responsible for, what, 16.3% of
00:02:00 - 00:02:04
attacks. That's huge. It is a significant chunk. Yeah. So what's behind that? Why was
00:02:04 - 00:02:08
Qilin hitting so hard during this period? Well, Qilin's dominance isn't just about
00:02:08 - 00:02:12
how effective the malware itself is, though it is effective. It's also about
00:02:12 - 00:02:16
its operational model. It's quite flexible, making it accessible for various
00:02:16 - 00:02:19
bad actors. But what's really striking, honestly, is when you look at who they're
00:02:19 - 00:02:23
hitting. Yeah. It's small businesses. They are just bearing the brunt of this. The
00:02:23 - 00:02:30
report says organizations with 500 employees or less, get this, accounted for 80.65
00:02:30 - 00:02:36
percent of victims. 80 percent. Wow. That's actually pretty alarming. It is
00:02:36 - 00:02:40
very alarming. Clearly the primary target group. And within that group, are
00:02:40 - 00:02:44
there specific sectors getting hit harder? Yes, definitely. Manufacturing leads
00:02:44 - 00:02:49
the pack at almost 16 percent, 15.94 percent. Okay. Followed pretty closely by
00:02:49 - 00:02:54
technology at 13.55 percent. Then you see construction, financial services,
00:02:54 - 00:02:59
retail, kind of lining up behind them. So manufacturing and tech. Why those two, do
00:02:59 - 00:03:02
you think? Is it just weaker defenses in smaller companies, or something else
00:03:02 - 00:03:06
going on? It's definitely more nuanced than just weak defenses. Although, you know,
00:03:06 - 00:03:10
smaller security budgets can be a factor. For manufacturing, it's often about
00:03:10 - 00:03:14
that mix of IT and OT, operational technology. Right. The factory floor stuff.
00:03:14 - 00:03:18
Exactly. That OT is often older, maybe less secure. And now it's increasingly
00:03:18 - 00:03:21
connected to the main IT network. It creates a sort of perfect storm for
00:03:21 - 00:03:24
attackers, a really vulnerable spot. Okay. That makes sense. And tech companies?
00:03:24 - 00:03:29
For tech, it's often about the data they hold. Intellectual property, customer
00:03:29 - 00:03:33
info. And sometimes, ironically, they're seen as a stepping stone. A gateway to
00:03:33 - 00:03:38
bigger targets. Precisely. Hitting a smaller tech vendor can sometimes give
00:03:38 - 00:03:44
attackers access further up the supply chain. Hmm. And geographically, where are
00:03:44 - 00:03:48
these attacks concentrated? The concentration is pretty stark there too.
00:03:48 - 00:03:54
The USA accounts for almost half, 49% of victims. 49%. Then you've got Canada,
00:03:54 - 00:03:59
Italy, the UK, Germany following behind. So heavily Western-focused, it seems.
00:03:59 - 00:04:03
It does seem that way. Yeah. It shows that even though cybercrime is global,
00:04:03 - 00:04:07
the attackers could be anywhere, the impact often clusters in areas with,
00:04:07 - 00:04:11
you know, high digital adoption and economic activity. Okay. Let's sort of unpack
00:04:11 - 00:04:15
this. So the picture is small businesses, especially manufacturers and tech
00:04:15 - 00:04:19
firms, mostly in the US. It's fascinating how clear that target profile is.
00:04:19 - 00:04:24
It really is. Not just who, but how their specific weaknesses are exploited.
00:04:24 - 00:04:28
Right. Now, moving beyond the main targets, the report talks about trending
00:04:28 - 00:04:34
adversaries. Groups like Gamaredon, Scattered Spider, Silk Typhoon, TAG-140,
00:04:34 - 00:04:39
UNC5174, Void Arachne. What makes these groups trending?
00:04:39 - 00:04:43
Trending usually means their activity level has spiked. Or perhaps they're
00:04:43 - 00:04:47
using new methods, new TTPs, tactics, techniques and procedures, that have
00:04:47 - 00:04:51
really caught the eye of security researchers. They're either busier or smarter,
00:04:51 - 00:04:54
basically. Kind of, yeah. It signals they're becoming more effective or maybe
00:04:54 - 00:04:57
more innovative in how they attack. It shows how agile these groups are.
00:04:57 - 00:05:02
They adapt constantly. Like startups, but for crime. Yeah. Not a bad analogy,
00:05:02 - 00:05:06
unfortunately. Always iterating. And on the malware side, the report flags
00:05:06 - 00:05:12
Anatsa and Gh0stRAT. Anatsa, that rings a bell. Banking Trojan, right?
00:05:12 - 00:05:16
That's its main game, yes. Anatsa is typically focused on stealing financial
00:05:16 - 00:05:19
credentials, trying to get into bank accounts, authorize transactions, a very
00:05:19 - 00:05:23
direct financial threat. Okay. And Gh0stRAT. That sounds more like
00:05:23 - 00:05:30
general spying. Remote access. Exactly. Gh0stRAT is a remote access Trojan.
00:05:30 - 00:05:34
It gives the attacker persistent backdoor control over a compromised
00:05:34 - 00:05:38
machine. So they can do pretty much anything.
00:05:38 - 00:05:42
More or less, exfiltrate data, monitor user activity, even use that machine to
00:05:42 - 00:05:45
launch further attacks deeper into a network.
00:05:45 - 00:05:49
Its prevalence is a big worry because it represents that deep, persistent access,
00:05:49 - 00:05:54
hitting both individuals and companies hard. So we've got direct theft with
00:05:54 - 00:05:58
Anatsa and deep system compromise with Gh0stRAT.
00:05:58 - 00:06:02
Both trending. And if you connect that to the trending adversaries,
00:06:02 - 00:06:06
it shows this constant churn, new groups, persistent malware types, the
00:06:06 - 00:06:10
landscape just keeps adapting at this incredible speed. Attackers don't stand still.
00:06:10 - 00:06:13
Relentless innovation on their side. Yeah. Which brings us to vulnerabilities,
00:06:13 - 00:06:17
the open doors they're walking through. Right. The CVEs. The report lists
00:06:17 - 00:06:22
actively exploited CVEs. Interestingly, it includes some brand new 2025 ones already. Like
00:06:22 - 00:06:28
CVE-2025-47812 in the Wing FTP Server. And CVE-2025-6554 in Chromium V8.
00:06:28 - 00:06:33
Yeah. Seeing 2025 CVEs exploited this early in the year is, well, it's concerning.
00:06:33 - 00:06:36
What's the significance there? Yeah. Especially the Chromium one.
00:06:36 - 00:06:40
Well, a CVE, as you know, Common Vulnerabilities and Exposures, is a known flaw.
00:06:40 - 00:06:45
The fact that attackers are jumping on these 2025 ones immediately shows how fast they operate.
00:06:45 - 00:06:51
And the Chromium V8 one, that's particularly critical because Chromium is the engine behind so
00:06:51 - 00:06:57
many browsers. Chrome, Edge, others. A flaw there exposes a massive number of users worldwide.
00:06:57 - 00:07:02
It's a huge attack surface. Wow. Okay. And there were others mentioned too.
00:07:02 - 00:07:07
TeleMessage, Microsoft SQL Server. Yep. Showing a range of systems already under fire with these
00:07:07 - 00:07:12
fresh vulnerabilities. But here's something that also caught my eye. The list wasn't just new CVEs.
00:07:12 - 00:07:17
It included older ones too. From 2014, 2016, 2019, things affecting PHP,
00:07:17 - 00:07:20
Mail, or Ruby on Rails. Why are these still being actively exploited years later?
00:07:20 - 00:07:24
Shouldn't they be patched by now? Well, that's the million-dollar question, isn't it? It really
00:07:24 - 00:07:29
boils down to a fundamental, ongoing problem: patching discipline. People just aren't doing it.
00:07:29 - 00:07:35
Often, no. Especially perhaps in smaller organizations or with older legacy systems,
00:07:35 - 00:07:41
they just don't get updated consistently. So these known flaws, flaws with readily available patches,
00:07:41 - 00:07:48
sometimes for years, they remain unaddressed. Making easy targets, low-hanging fruit. Exactly.
00:07:48 - 00:07:54
Attackers don't always need super sophisticated zero-day exploits when they know plenty of doors
00:07:54 - 00:07:59
are just left unlocked with old known vulnerabilities. It's like knowing a house has a faulty
00:07:59 - 00:08:05
lock that was reported years ago and just trying the handle. Precisely. It raises that crucial question.
00:08:05 - 00:08:10
Why, despite fixes being available for so long, are these still working for the bad guys?
00:08:10 - 00:08:15
It really points to organizational practice, or lack thereof. The human element, or maybe organizational
00:08:15 - 00:08:20
inertia, is often the weakest link. Okay, so this is where it gets really interesting, I think. Beyond
00:08:20 - 00:08:25
the stats and the CVE numbers, the report dives into some specific high-profile incidents.
00:08:25 - 00:08:30
Real-world stuff. Yeah, the headline grabbers. Let's look at a few. First, those browser attacks,
00:08:30 - 00:08:35
a Chrome zero-day, and these FoxyWallet Firefox attacks. What made those stand out?
00:08:35 - 00:08:40
Well, the Chrome zero-day is alarming because zero-day means the flaw was actively exploited before
00:08:40 - 00:08:46
Google even knew about it. So no defense ready. Right. No patch available initially. Millions of
00:08:46 - 00:08:50
users potentially exposed until a fix could be developed and rolled out. It's like finding out there's
00:08:50 - 00:08:54
a secret door to your house you never knew existed, and someone's already using it. It's a scary thought.
00:08:54 - 00:09:01
And FoxyWallet. That highlights attacks targeting browser extensions. Things people willingly
00:09:01 - 00:09:07
install, thinking they're safe, but they've been poisoned with spyware. It shows how attackers abuse
00:09:07 - 00:09:12
trusted channels. Okay, so attacking us right where we live online, the browser. Now get this one.
00:09:12 - 00:09:20
This detail just leaps out. An employee apparently got paid $920. $920. Yeah, just $920, for
00:09:20 - 00:09:27
login credentials. Credentials that were then used in a $140 million bank heist. Wow, just wow.
00:09:27 - 00:09:32
What does that tell you? That tiny payment for such a massive outcome. It speaks volumes,
00:09:32 - 00:09:36
doesn't it? First, about the insider threat, whether someone was tricked or was complicit.
00:09:36 - 00:09:44
But more profoundly, it shows the incredible, almost unbelievable value of even seemingly small pieces
00:09:44 - 00:09:51
of information. A single login bought for less than a grand unlocked access to $140 million.
00:09:51 - 00:09:56
The leverage is astronomical. It completely changes how you think about a minor security
00:09:56 - 00:10:01
lapse, right? Absolutely. It underscores how attackers can turn a tiny crack into a catastrophic
00:10:01 - 00:10:05
breach. And maybe it says something uncomfortable about the risk-reward calculation someone might
00:10:05 - 00:10:09
make. Yeah, definitely food for thought. The report also mentioned a few other things quickly.
00:10:09 - 00:10:15
The US DOJ busting a North Korean IT worker scheme. Right. Highlighting state-sponsored activity,
00:10:15 - 00:10:20
often financially motivated to fund other operations. Shows law enforcement is active on that front.
00:10:20 - 00:10:25
And police taking down an investment fraud ring that stole 10 million. Classic cybercrime for
00:10:25 - 00:10:30
profit. A huge driver for a lot of this activity. Also, Hunters International ransomware apparently
00:10:30 - 00:10:37
shut down, but then rebranded as World Leaks. The rebrand. Very common tactic in the ransomware
00:10:37 - 00:10:42
world. They shut down one brand, maybe because it's getting too much heat or its reputation
00:10:42 - 00:10:47
is shot, and then they pop up under a new name, often using the same underlying infrastructure or tools.
00:10:47 - 00:10:54
Helps evade detection for a while. Sneaky. And finally, a North American APT group
00:10:54 - 00:11:00
using an Exchange zero-day against China. Yeah, that points to the geopolitical side of things.
00:11:00 - 00:11:05
Advanced persistent threats, often state linked, engaging in espionage or disruption against
00:11:05 - 00:11:10
other nations. Using powerful zero-day exploits for targeted attacks. It's a whole different
00:11:10 - 00:11:15
layer of cyber activity. Okay, so let's try to wrap this up, to summarize what we've gone through
00:11:15 - 00:11:21
today for you, the listener. This first half of July 2025 really showed us a few key things.
00:11:21 - 00:11:26
We saw small businesses taking a massive hit, especially manufacturing and tech. A huge percentage.
00:11:26 - 00:11:31
We saw this constant evolution, new agile adversaries, new malware, like Anatsa and Gh0stRAT.
00:11:31 - 00:11:37
But also those old unpatched vulnerabilities still causing major problems years later.
00:11:37 - 00:11:42
Still providing easy entry points. And then we saw the real-world impacts. Yeah, massive bank
00:11:42 - 00:11:47
heists from tiny initial compromises, state-sponsored activity, browser attacks hitting everyday
00:11:47 - 00:11:53
users. It's all very tangible. Absolutely. And understanding these trends, seeing these patterns,
00:11:53 - 00:11:57
it's just crucial for everyone now. It doesn't matter if you run a small shop,
00:11:57 - 00:12:03
work in a big tech firm, or honestly, just browse the web. These insights help you grasp the risks
00:12:03 - 00:12:08
out there. So what does this all really mean for you? I think the big takeaway is that cybersecurity
00:12:08 - 00:12:13
isn't just an IT department problem anymore. Not at all. It's really a shared responsibility.
00:12:13 - 00:12:18
It affects all of us. Every click we make, every app we download, every system that doesn't get
00:12:18 - 00:12:24
patched, it's all part of the picture. Being informed, like you are by tuning in, is honestly your
00:12:24 - 00:12:28
first line of defense. Well said. And maybe to leave you with one final thought to chew on,
00:12:28 - 00:12:33
building on that heist story. Yeah. Given that an employee received only $920,
00:12:33 - 00:12:39
less than $1,000, for credentials that enabled a $140 million theft. What does that tell us about
00:12:39 - 00:12:44
how the digital underground actually values information right now? And maybe more importantly,
00:12:44 - 00:12:49
how should it change our perception of what we consider a minor security lapse? Think about
00:12:49 - 00:12:53
the potential ripple effects, the sheer scale of impact that can come from even the smallest
00:12:53 - 00:12:58
most early level of vulnerability or mistake. Reach out to us at jbuyer.com for comments and
00:12:58 - 00:13:03
questions. Follow us at Byer Company on social media. And if you'd be so kind, please rate and
00:13:03 - 00:13:07
review us in your podcast app.