Threat Briefing: July 18, 2025

Cyber threat actors remain highly aggressive in 2025, with a noticeable rise in malicious activity. Cryptocurrency theft has surpassed last year’s totals, and DDoS attacks are occurring more frequently than in 2024. As AI adoption expands, threat actors are increasingly incorporating it into their operations. At the same time, researchers are uncovering new ways AI itself could be exploited for malicious purposes.

• North Korean XORIndex Malware Found in 67 Malicious npm Packages – Researchers at Socket have identified 67 malicious npm packages delivering a new malware loader dubbed XORIndex, linked to North Korea’s “Contagious Interview” campaign targeting developers. Downloaded more than 17,000 times, the packages impersonate legitimate software to trick users into executing malicious code. Once activated, XORIndex collects sensitive data and connects to a command-and-control server to deploy additional malware, including the BeaverTail and InvisibleFerret backdoors. This follows a similar incident last month involving 35 malicious packages. Security experts urge developers to vet package sources carefully and remain cautious when installing new libraries. BleepingComputer
• Cloudflare Blocks More DDoS Attacks in 2025 Than All of 2024 – According to Cloudflare’s Q2 2025 DDoS threat report, the company has already mitigated 27.8 million attacks in the first half of the year, eclipsing the 21.3 million total for all of 2024. Most attacks occurred in Q1, fueled by an intense 18-day campaign against critical infrastructure. While attack volume dropped in Q2, it still represented a 44% increase over the same period last year. Hyper-volumetric attacks, those exceeding 1 Tbps, spiked, with over 6,500 incidents in Q2 alone. China remained the most targeted country, while Indonesia was the leading source, largely driven by known botnets. SecurityWeek
• New Ransomware Group ‘GLOBAL GROUP’ Emerges, Leveraging AI Tools – A new ransomware-as-a-service (RaaS) operation known as GLOBAL GROUP has surfaced, actively targeting organizations in Australia, Brazil, Europe, and the U.S. since June 2025. Believed to be a rebrand of the BlackLock and earlier Eldorado schemes, GLOBAL GROUP is promoted by the threat actor ‘$$$’. The operation uses initial access brokers to exploit edge appliance vulnerabilities and offers affiliates an 85% revenue share via a dedicated panel. Notably, the platform features AI-powered negotiation tools that help affiliates more effectively communicate with victims. As of mid-July, GLOBAL GROUP has claimed 17 victims across sectors such as healthcare and automotive services. Its emergence comes amid a broader decline in ransomware victim numbers, signaling a shift in tactics rather than a decrease in threat. The Hacker News
• Google Gemini Vulnerability Enables Phishing via Email Summaries – A flaw in Google Gemini for Workspace allows attackers to embed malicious instructions in emails that appear in AI-generated summaries, potentially leading users to phishing sites. The exploit relies on indirect prompt injections hidden in email content, which Gemini inadvertently processes. Despite earlier reports and existing safeguards, this technique remains effective. Researchers disclosed the vulnerability via Mozilla’s bug bounty program, demonstrating how HTML and CSS can mask harmful prompts. Google has acknowledged the issue and is working to strengthen defenses, though no in-the-wild exploitation has been observed. Users are urged to be cautious when reviewing Gemini-generated summaries, particularly for security-related messages. BleepingComputer
• Record-Breaking Crypto Theft in 2025: Over $2 Billion Stolen in First Half of the Year – Cybercriminals stole over $2.17 billion in cryptocurrency during the first half of 2025, surpassing the total losses for all of 2024 and marking the largest amount stolen in any six-month period since tracking began in 2022. A single $1.5 billion breach at Dubai-based platform Bybit, attributed to North Korean threat actors, accounts for 69% of this year’s total. According to Chainalysis, crypto-related thefts could reach $4 billion by the end of the year. The U.S., Germany, and South Korea are among the countries hit hardest by these attacks. The Record