Threat Briefing: August 1, 2025

Threat Intel Update

Although law enforcement successfully disrupted the infrastructure of the BlackSuit ransomware group, several members quickly resurfaced in a new group, demonstrating how swiftly cyber threat actors can adapt and regroup. Meanwhile, the impact of the SharePoint vulnerabilities continues to grow, with over 400 organizations now affected. The exploitation of these flaws has been attributed to Chinese cyber threat actors.

Cybersecurity News

  • Chaos Ransomware Emerges as Likely Successor to BlackSuit – Chaos is believed to have been formed by ex-members of the BlackSuit group, which itself evolved from Royal and Conti. It uses double-extortion tactics (encrypting data and stealing it to pressure victims) and primarily targets organizations in the U.S., U.K., New Zealand, and India. The group deploys a fast, cross-platform ransomware variant with anti-analysis features. Chaos operates as a ransomware-as-a-service (RaaS) offering promoted on Russian-language forums. Despite the recent takedown of BlackSuit in Operation Checkmate, Chaos remains active, threatening victims with data leaks, DDoS attacks, and reputational damage. Dark Reading
  • Chinese Firm Linked to Offensive Cyber Patents and Silk Typhoon – Researchers have uncovered over 10 offensive cybersecurity patents filed by Shanghai Firetech, a company allegedly tied to China’s Silk Typhoon threat group. The patents outline tools for surveillance, data theft, and targeting Apple devices, capabilities not previously linked to known actors such as Hafnium. Experts say Firetech’s technology may support broader cyber operations, complicating attribution as China increasingly relies on private contractors. The findings highlight the expanding reach of state-sponsored cyber threats. The Record
  • AI-Generated Linux Cryptominer ‘Koske’ Targets Misconfigured Servers – Cybersecurity researchers have uncovered Koske, a sophisticated, AI-generated Linux cryptominer targeting misconfigured internet-facing servers. Capable of mining up to 18 cryptocurrencies, including Monero and Ravencoin, Koske features clean, well-documented code likely written with minimal human input. To evade detection, it hides executables in polyglot JPEG files built from AI-generated panda images. The malware includes advanced persistence techniques such as rootkit installation, cron jobs, and proxy reconfiguration to maintain access and control. Dark Reading
  • Microsoft SharePoint Flaws Hit 400+ Organizations – Zero-day vulnerabilities in on-prem SharePoint servers have compromised over 400 organizations, including U.S. federal agencies and critical infrastructure. The China-linked groups Storm-2603, Linen Typhoon, and Violet Typhoon used the “ToolShell” exploit to bypass MFA and gain remote access. Microsoft released emergency patches (CVE-2025-53770 and CVE-2025-53771), but many systems remain exposed. U.S. agencies report limited impact, but investigations are ongoing. CyberScoop
  • “Ghost Students” Exploit Admissions and Financial Aid Systems – Fraudulent applicants, known as “ghost students,” are using stolen identities or celebrity names to gain admission and financial aid from higher education institutions. Often powered by bots or scammers, these fake students drain limited resources and displace legitimate applicants. In response, the U.S. Department of Education is rolling out stricter ID verification for first-time applicants. Experts warn that AI tools are accelerating the creation of fake applications and are even generating coursework to maintain enrollment. Schools are being urged to adopt stronger identity checks, including biometrics and liveness detection, to combat the growing threat. Dark Reading
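As an added defender-side example (not from the original briefing or from the cited research), the check below walks a JPEG's marker structure to find where the image actually ends and flags any bytes appended after the End-Of-Image marker, which is how an image file can double as a container for a script or ELF binary as described in the Koske item. The minimal JPEG and the trailers are constructed sample bytes, and the signature table is an assumption, not an indicator taken from Koske itself.

```python
# Bytes that may legally follow 0xFF inside entropy-coded (scan) data: 0x00 stuffing and RST0-RST7.
NOT_A_MARKER = {0x00, *range(0xD0, 0xD8)}
# Constructed trailer signatures (assumption); a real deployment would use a broader file-type library.
TRAILER_SIGNATURES = {"elf": b"\x7fELF", "shell": b"#!/"}

def jpeg_end_offset(data: bytes) -> int:
    """Walk the marker structure and return the offset just past EOI (0xFFD9)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI: not a JPEG")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                               # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                               # EOI: the image ends here
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:     # standalone markers carry no length field
            pos += 2
            continue
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")   # skip the length-prefixed segment
        if marker == 0xDA:                               # SOS: skip scan data up to the next real marker
            while pos + 1 < len(data) and not (data[pos] == 0xFF and data[pos + 1] not in NOT_A_MARKER):
                pos += 1
    raise ValueError("no EOI marker found")

def trailer_after_image(data: bytes) -> bytes:
    """Everything an image viewer ignores: the bytes appended after EOI."""
    return data[jpeg_end_offset(data):]

def classify_trailer(trailer: bytes) -> str:
    """'clean' for no trailer, a signature label when recognised, else 'unknown-trailer'."""
    if not trailer:
        return "clean"
    for label, sig in TRAILER_SIGNATURES.items():
        if trailer.startswith(sig):
            return label
    return "unknown-trailer"

# Constructed minimal JPEG: SOI, APP0/JFIF, SOS header, fake scan data (with a stuffed 0xFF00 and an RST0), EOI.
CLEAN_JPEG = (b"\xff\xd8"
              + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
              + b"\x12\x34\xff\x00\x56\xff\xd0\x78"
              + b"\xff\xd9")
SHELL_POLYGLOT = CLEAN_JPEG + b"#!/bin/sh\necho constructed-sample\n"   # still renders as an image
ELF_POLYGLOT = CLEAN_JPEG + b"\x7fELF\x02\x01\x01"                       # constructed ELF header prefix
```

Searching for the last 0xFFD9 in the file is not a substitute: an appended payload can carry its own 0xFFD9, and EXIF thumbnails embed a second, earlier EOI, so the marker walk is what makes the cut-off point reliable.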

About the Author
CampusGuard Threat Intel Team