Cyber Briefing: 2025.07.17
Telegram APK malware uses 607 fake domains, SVG files deliver JavaScript attacks, SonicWall zero-day exploited, Air Serbia hit, Ukraine hacks Russian drone firm, and more.
🎉 Cyber Briefing Referral Giveaway Is Live!
We’re growing fast on Substack, and now you can help us grow and win rewards.
Here’s what you can earn by taking part:
🔹 10 referrals: Newsletter shoutout
🔹 25 referrals: One-year free subscription
🔹 50 referrals: Cybersecurity consultation
🔹 Top referrer (100+ referrals; see rules): $100 gift card
This small gesture is our way of thanking you for helping build a stronger, smarter cyber community.
👉 What's trending in cybersecurity today?
Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
First time seeing this? Please Subscribe
🚨 Cyber Alerts
1. Malicious Telegram APK Campaign Uncovered
A widespread malware campaign is using 607 malicious domains, often typosquats of the Telegram brand, to distribute fake Telegram APKs that give the operator remote command execution on Android devices. The operation, identified by Bfore.AI, lures users through phishing websites and abuses the Janus vulnerability (CVE-2017-13156): attacker-controlled DEX code is prepended to a legitimately signed APK, and because the v1 (JAR) signature covers only the ZIP entries, the tampered file still verifies on Android versions that accept v1-only signatures and can pose as the genuine app or an update to it.
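The Janus layout is easy to spot on the wire once you know what to look for: a normal APK is a ZIP whose local file headers start at offset 0, while a Janus-style file starts with the DEX magic and keeps the untouched, still-signed archive behind it. The script below is an added example written for this briefing, not code from Bfore.AI's report; it builds a constructed minimal stand-in for a signed APK plus a Janus-style copy and classifies both. The APK Signing Block magic is checked only to report whether a v2/v3 signature (which covers the whole file, so it would not survive this tampering) is present.

```python
import io
import zipfile

DEX_MAGIC = b"dex\n"                  # DEX header magic: "dex\n" + 3-digit version + NUL
ZIP_LOCAL_HEADER = b"PK\x03\x04"      # first bytes of a well-formed ZIP/APK
V2_BLOCK_MAGIC = b"APK Sig Block 42"  # trailer of the APK Signing Block (v2/v3 signatures)


def analyze_apk(data: bytes) -> dict:
    """Classify an APK image.

    verdict is one of:
      'not-a-zip'     no end-of-central-directory record, so not an APK at all
      'janus'         valid ZIP whose first bytes are a DEX header (Janus layout)
      'prefixed-data' valid ZIP with some other data in front of it (also abnormal)
      'ok'            ZIP local file header at offset 0
    zipfile still opens a Janus file because it locates the archive from the
    end-of-central-directory record at the tail; the v1 signature check, which
    only covers the ZIP entries, is fooled for the same reason.
    """
    result = {
        "is_zip": zipfile.is_zipfile(io.BytesIO(data)),
        "dex_prefix": data.startswith(DEX_MAGIC),
        "zip_offset": data.find(ZIP_LOCAL_HEADER),
        "has_v2_block": V2_BLOCK_MAGIC in data,
        "entries": [],
    }
    if not result["is_zip"]:
        result["verdict"] = "not-a-zip"
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        result["entries"] = zf.namelist()
    if result["dex_prefix"]:
        result["verdict"] = "janus"
    elif result["zip_offset"] > 0:
        result["verdict"] = "prefixed-data"
    else:
        result["verdict"] = "ok"
    return result


def build_samples() -> tuple[bytes, bytes]:
    """Constructed inputs: a minimal stand-in for a signed APK and a Janus-style copy."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")           # placeholder content
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64)      # placeholder DEX
        zf.writestr("META-INF/CERT.RSA", b"placeholder signature")  # v1 signature stand-in
    clean = buf.getvalue()
    # Janus: the attacker's DEX (header plus code) is glued in front of the
    # untouched, still-signed archive. 8-byte header + 120 bytes of "code".
    injected_dex = b"dex\n035\0" + b"\xaa" * 120
    return clean, injected_dex + clean


if __name__ == "__main__":
    clean_apk, janus_apk = build_samples()
    for label, blob in (("clean", clean_apk), ("janus", janus_apk)):
        r = analyze_apk(blob)
        print(f"{label}: verdict={r['verdict']} zip_offset={r['zip_offset']} "
              f"v2_block={r['has_v2_block']} entries={r['entries']}")
```

Run it as-is to see the clean sample report `ok` at offset 0 and the Janus sample report `janus` with the archive starting 128 bytes in. On a real device the durable fix is not this check but refusing v1-only signatures: APK Signature Scheme v2 and later hash the entire file, so prepended bytes break verification.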
2. Stealthy JavaScript Attacks via SVG Files
Threat actors are turning seemingly harmless SVG files into malware carriers. SVG is an XML format that may legitimately contain script, so a malicious attachment slips past email controls that treat it as an image; when the recipient opens or previews it in a browser, the embedded JavaScript runs and redirects the victim to a credential-harvesting site. Because the technique relies on standard browser rendering of SVG rather than on an exploit, controls that look only for executables or script files do not catch it.
3. Suspected SonicWall Zero-Day and OVERSTEP Rootkit
Google's Threat Intelligence Group (GTIG) has detailed a campaign by UNC6148 against end-of-life SonicWall SMA 100 series appliances. The actor returns to devices it had previously compromised using stolen local administrator credentials and one-time-password seeds, so even fully patched appliances are re-entered, and then installs OVERSTEP, a previously unknown user-mode rootkit. OVERSTEP is loaded through the appliance's ld.so.preload mechanism and hooks standard library calls to hide its files, harvest credentials and session tokens from the device's databases, and selectively delete log entries. GTIG could not confirm the initial access vector and assesses that an unknown remote code execution flaw may have been used, so the zero-day is suspected rather than proven. The group appears financially motivated, with possible ties to data-extortion and ransomware operations.
For more alerts, click here!
💥 Cyber Incidents
4. Cyberattack Strikes Air Serbia
Air Serbia, Serbia's national airline, has been battling a significant cyberattack since early July, leading to disruptions including delayed payslip distribution for staff. The ongoing security incident has prompted multiple company-wide actions, such as forced password resets, restricted internet access, and the installation of new security software.
5. Ukrainian Hack Hits Russian Drone Firm
Ukraine's military intelligence (HUR) reportedly launched a cyberattack that "paralyzed" Gaskar Group, a major Russian drone supplier, in coordination with Ukrainian cyber volunteers. This operation allegedly gained access to and destroyed over 47 terabytes of technical drone production data, aiming to cripple the company's operations and provide intelligence to Ukrainian defense forces.
6. Customer Data Breach at Seychelles Bank
A hacker claims to have stolen and sold personal data, including sensitive government account information, from Seychelles Commercial Bank, which has acknowledged a cybersecurity incident but stated no funds were accessed. This breach raises concerns about the Seychelles' reputation as a tax haven and could potentially lead to a "Panama Papers"-like exposé.
For more incidents, click here!
📢 Cyber News
7. Chinese Firms Amplify U.S. Cyberattacks
A new economic model for cyber offense has dramatically increased spying attacks by Chinese government agencies, with U.S. officials stating that these attacks have more than doubled. Despite recent indictments, Chinese hackers are expanding their targets and exhibiting greater persistence once detected, indicating a "golden age of hacking" for China.
8. Ex-US Soldier Pleads Guilty in Telecom Hacks
Cameron John Wagenius has pleaded guilty to charges related to hacking into US telecommunications companies, including fraud and identity theft. The former US Army soldier was accused of hacking into AT&T and Verizon systems and leaking presidential call logs, according to the US Department of Justice.
9. Operation Eastwood Hits Pro-Russian Hackers
A large-scale international law enforcement operation, "Operation Eastwood," has successfully disrupted the activities of the pro-Russian hacking group NoName057(16). Coordinated by Europol and Eurojust, this effort involved authorities from numerous European countries and the United States, targeting the group's infrastructure and apprehending key individuals.
For more news, click here!
📈 Cyber Stocks
Cybersecurity stocks delivered mixed performance on Thursday, July 17, 2025, as investors weighed macroeconomic pressures, AI momentum, and company-specific developments.
Okta (OKTA) edged down 0.02% to $91.07, as concerns around enterprise IT spending and rising competition weighed on investor sentiment amid broader tariff-related volatility.
Radware (RDWR) rose 2.02% to $28.24, boosted by renewed investor interest ahead of its Q2 earnings and growing attention to its relative value within the cybersecurity sector.
CrowdStrike (CRWD) declined 0.60% to $470.45, pressured by valuation concerns following a conservative price target issued by Morgan Stanley.
Palo Alto Networks (PANW) gained 0.20% to $192.59, supported by continued investor confidence in its AI-driven growth strategy and strong industry positioning.
Fortinet (FTNT) slipped 1.41% to $103.44, as profit-taking followed recent technical strength and analyst upgrades, with investors turning cautious ahead of potential sector-wide softness.
💡 Cyber Tip
Watch Out for Hidden JavaScript in Malicious SVG Files
Threat actors are hiding JavaScript inside SVG image files. SVG is XML, so a file can legitimately contain <script> elements, on* event-handler attributes and javascript: links, and many email filters wave a .svg through as an image. When the recipient opens or previews the attachment in a browser, it is rendered as a document and the script runs, silently redirecting the victim to a phishing page built to harvest login credentials. Because no executable is downloaded, tools that key on binaries or script files often miss the threat entirely.
✅ What you should do:
Treat .svg attachments as active content, not images: do not open SVG attachments from unknown or unexpected senders.
Block or quarantine SVG attachments at the mail gateway unless a business process genuinely needs them; raster formats such as PNG and JPEG cannot carry script.
Use filtering that inspects file contents rather than extensions, so that <script> elements, on* event handlers, javascript: links and foreignObject blocks inside an SVG are detected before delivery.
Enforce SPF, DKIM and DMARC on inbound mail to cut down the spoofed and impersonated senders that carry these lures.
Train staff that an "image" attachment can run code, and that a login prompt appearing after opening an image is a red flag.
🔒 Why this matters:
These SVG-based attacks exploit native browser behavior rather than a software vulnerability: the file is rendered exactly as the standard says it should be. Since the payload is a text file that passes as an image and the redirect happens in the browser, it sidesteps defenses that look for executables, and it calls for content inspection and stricter attachment policies rather than signature-based detection of binaries.
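A gateway-side check for the points above, and for the alert earlier in this briefing, written as an added example (not the newsletter's or any vendor's code): it flags the constructs an SVG needs to do what the tip describes, namely <script> elements, on* event handlers, javascript:/data: links, SMIL elements that rewrite href, and foreignObject blocks that embed HTML. Both SVG samples are constructed and the URL in the malicious one is a placeholder.

```python
import re
import xml.etree.ElementTree as ET

EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)                    # onload, onclick, onerror ...
ACTIVE_URI = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.I)

# Constructed samples (not real attachments): a plain icon and an SVG that
# carries a redirect payload the way the briefing describes.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16">
  <circle cx="8" cy="8" r="6" fill="#3a7"/>
</svg>"""

MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="80">
  <rect width="200" height="80" fill="#eee"/>
  <a xlink:href="javascript:void(0)"><text x="10" y="40">Open invoice</text></a>
  <script type="text/javascript"><![CDATA[
    window.location = "https://example.invalid/login";  // placeholder URL
  ]]></script>
  <foreignObject width="1" height="1">
    <body xmlns="http://www.w3.org/1999/xhtml" onload="alert(1)"/>
  </foreignObject>
</svg>"""


def _local(qualified: str) -> str:
    """Strip the namespace ElementTree adds: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return qualified.rsplit("}", 1)[-1].lower()


def scan_svg(data: bytes) -> list[str]:
    """Return a list of findings; an empty list means nothing active was found."""
    findings = []
    # Raw-byte pre-checks run even if the XML parser later rejects the file,
    # because a browser is far more forgiving than a strict parser.
    if re.search(rb"<\s*script\b", data, re.I):
        findings.append("raw:<script> tag present")
    if re.search(rb"<!ENTITY\b", data, re.I):
        findings.append("raw:entity declaration (DTD tricks)")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        findings.append(f"parse-error:{exc}")
        return findings
    for el in root.iter():
        if not isinstance(el.tag, str):      # skip comments / processing instructions
            continue
        tag = _local(el.tag)
        if tag == "script":
            findings.append("element:script")
        elif tag == "foreignobject":
            findings.append("element:foreignObject (embeds HTML)")
        for attr, value in el.attrib.items():
            name = _local(attr)              # handles xlink:href as well as plain href
            if EVENT_ATTR.match(name):
                findings.append(f"attr:{tag}@{name} (event handler)")
            elif name == "href" and ACTIVE_URI.match(value):
                scheme = value.split(":", 1)[0].strip().lower()
                findings.append(f"attr:{tag}@href ({scheme}: URI)")
            elif tag in ("set", "animate") and name == "attributename" and value.lower().endswith("href"):
                findings.append(f"element:{tag} rewriting href (SMIL trick)")
    return findings


def is_suspicious(data: bytes) -> bool:
    """Gateway decision: quarantine anything with at least one finding."""
    return bool(scan_svg(data))


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_SVG), ("malicious", MALICIOUS_SVG)):
        print(label, scan_svg(blob))
```

One caveat worth keeping in mind when tuning this: script inside an SVG only runs when the file is opened as a document (double-clicked, opened in a tab, or loaded through object/iframe); a browser rendering the same file through an img tag or a CSS background does not execute it, so the dangerous path is the attachment being opened directly. If the organisation never exchanges SVGs, blocking the type outright is simpler than scanning it.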
📚 Cyber Book
Managing Cyber Risk - by Ariel Evans
That concludes today’s briefing. You can check the top headlines here!
Copyright © 2025 CyberMaterial. All Rights Reserved.
Follow CyberMaterial on:
Substack, LinkedIn, Twitter, Reddit, Instagram, Facebook, YouTube, and Medium.