Phishing, Malware, Breach and Open-Source Security

Notable security news for the week of July 20-26th, 2025, brought to you by the F5 Security Incident Response Team. This week, your editor is Dharminder. In this edition, I have security news about an attacker who compromised an executive's Microsoft 365 account, pulled invoices from the email threads, altered them and sent a fraudulent payment request from a nearly identical domain; malware embedded into the Steam early access game Chemia; attackers who exploited a SharePoint vulnerability to breach the US nuclear weapons agency; and "OSS Rebuild", a new initiative to enhance open-source software security.


We at F5 SIRT invest a lot of time to understand the frequently changing behavior of bad actors. Bad actors are a threat to your business, your reputation, your livelihood. That’s why we take the security of your business seriously. When you’re under attack, we’ll work quickly to effectively mitigate attacks and vulnerabilities, and get you back up and running. So next time you are facing a security emergency, please contact F5 SIRT.

Ok, let’s get started and see the details of the security news.


Phishers Impersonate Executive to Launch Sophisticated BEC Scam

A transportation company executive’s Microsoft 365 account was compromised via a fake login page. Attackers accessed invoice-related email threads, altered payment instructions, and sent fraudulent requests from a nearly identical domain. One customer transferred a six-figure sum before the fraud was discovered.

The impersonating domain was registered with roomservice801@gmail.com, linked to over 240 look-alike domains registered in 2024–25. Most mimic aviation, aerospace, or logistics firms. WHOIS history ties these to aliases like “Justy John” and other email accounts (e.g., justyjohn50@yahoo.com), part of an infrastructure dating back to 2012. Many use reused Nigerian phone numbers and overlapping identity markers. Palo Alto Networks Unit 42 attributes the campaign to SilverTerrier, a Nigerian cybercrime syndicate active since 2014 and known for large-scale business email compromise (BEC). Despite arrests in 2022, the group remains active due to continuous recruitment and low risk of prosecution.

BEC attacks were the 7th most reported cybercrime in 2024 and the 2nd most costly, with nearly $2.8 billion in losses. A 2025 survey revealed 63% of organisations experienced at least one BEC incident. Some of the recommended defenses are to train employees on phishing recognition, monitor look-alike domain registrations, enforce strict email authentication (e.g., DMARC, SPF, DKIM), and use the Financial Fraud Kill Chain to attempt fund recovery. Vigilance and rapid response are essential, as attackers move quickly after gaining access.
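Two of the defenses above, look-alike domain monitoring and DMARC enforcement, can be scripted. The following is an added example, not code from the original post or from Unit 42: it flags sender domains within a small edit distance of a trusted supplier domain (after collapsing common visual substitutions) and reads the p= policy out of a DMARC TXT record. All domains and addresses are constructed and hypothetical.

```python
# Constructed sample data (hypothetical): domains of suppliers the finance team
# pays, and sender addresses lifted from recent invoice e-mail threads.
TRUSTED_DOMAINS = {"example-aviation.com", "acme-logistics.com"}
SAMPLE_SENDERS = [
    "ap@example-aviation.com",     # legitimate
    "ap@example-aviatlon.com",     # 'i' replaced with 'l'
    "billing@acme-logistics.co",   # TLD trimmed
    "news@unrelated.org",          # no resemblance
]

def canonical(domain: str) -> str:
    """Collapse substitutions that look alike in common fonts (rn/m, l/i, 0/o)."""
    domain = domain.lower()
    for src, dst in (("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("l", "i")):
        domain = domain.replace(src, dst)
    return domain

def levenshtein(a: str, b: str) -> int:
    """Edit distance via the classic two-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return ('trusted'|'lookalike'|'unrelated', matched trusted domain or None)."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in trusted:
        return "trusted", domain
    best = None
    for t in trusted:
        d = levenshtein(canonical(domain), canonical(t))
        if d <= max_distance and (best is None or d < best[1]):
            best = (t, d)
    return ("lookalike", best[0]) if best else ("unrelated", None)

def dmarc_policy(txt_record: str) -> str:
    """Return the p= policy from a DMARC TXT record ('missing' if not DMARC)."""
    tags = dict(kv.strip().split("=", 1) for kv in txt_record.split(";") if "=" in kv)
    if tags.get("v", "").strip().upper() != "DMARC1":
        return "missing"
    return tags.get("p", "none").strip().lower()

if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:
        print(sender, "->", classify_sender(sender))
    print("DMARC:", dmarc_policy("v=DMARC1; p=reject; rua=mailto:dmarc@example-aviation.com"))
```

A real deployment would feed newly observed sender domains (or daily new-registration feeds) through classify_sender and alert on any "lookalike" hit; a DMARC policy of "none" or "missing" on your own domain means spoofed mail from it will not be rejected.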

https://krebsonsecurity.com/2025/07/phishers-target-aviation-execs-to-scam-customers/?utm_source=tldrinfosec


Malware Embedded in Steam Early Access Game Targets Gamers

A threat actor known as EncryptHub (aka Larva‑208) covertly injected malware into the Steam Early Access game Chemia, developed by Aether Forge Studios. The initial compromise occurred on July 22, 2025, when HijackLoader was added—this loader installs itself persistently and downloads further malware, including the Vidar infostealer. Within three hours, Fickle Stealer was deployed via a DLL file and a PowerShell script, harvesting data from browsers, password managers, cookies, and cryptocurrency wallets.

Chemia, a survival crafting game offered through Steam’s playtest feature, had no real online presence under its developer’s name. This raised concerns. Prodaft said that HijackLoader gets its command-and-control address from a Telegram channel. The malware runs quietly in the background without affecting gameplay, so players don’t know it’s infected.

EncryptHub had previously used the same malware in a large phishing and social engineering campaign that compromised over 600 organizations since mid-2024. After the compromise was discovered, Chemia was taken off Steam, but it is still unclear whether the game is safe following its removal.

The attack shows a worrying trend: malware delivered through trusted platforms like Steam, especially early access titles with minimal vetting. It highlights the risk of downloading software only because it appears to be “Steam-vetted.” For now, the game is still listed on Steam, but its safety is uncertain. Until Steam issues an official update, it's best to avoid downloading it, run anti-malware scans, use strong endpoint protection, and be cautious with any playtest.

https://www.bleepingcomputer.com/news/security/hacker-sneaks-infostealer-malware-into-early-access-steam-game/?utm_source=tldrinfosec

https://www.malwarebytes.com/blog/news/2025/07/steam-games-abused-to-deliver-malware-once-again


US Nuclear Weapons Agency Breached via SharePoint Exploits

Unknown attackers breached the U.S. National Nuclear Security Administration (NNSA) by exploiting a Microsoft SharePoint zero-day vulnerability. The NNSA, under the Department of Energy (DOE), oversees the U.S. nuclear weapons stockpile. DOE confirmed the intrusion but reported minimal impact due to widespread use of Microsoft 365 and existing cybersecurity defenses. No classified systems were compromised.

The same exploit chain, known as ToolShell, was used against multiple U.S. and international organizations, including the Department of Education, Florida’s Department of Revenue, Rhode Island’s General Assembly, and several government entities in Europe and the Middle East.

Security firms Eye Security and Check Point discovered widespread exploitation dating back to July 7, with over 400 servers infected and at least 148 organizations compromised. These include national governments, telecoms, and tech firms. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the related CVE-2025-53770 to its catalog of known exploited vulnerabilities, mandating immediate mitigation.

Microsoft and Google attributed the campaign to Chinese state-sponsored groups: Linen Typhoon, Violet Typhoon, and Storm-2603. Investigations into other actors are ongoing. Previously, the NNSA was also breached in 2019 by APT29, a Russian SVR-affiliated group, during the SolarWinds supply-chain attack.

This incident underscores persistent threats targeting critical infrastructure and the urgency of patching vulnerable on-premises systems. The attack highlights state actors’ use of zero-day exploits to gain long-term access to sensitive networks globally.

https://www.bleepingcomputer.com/news/security/us-nuclear-weapons-agency-hacked-in-microsoft-sharepoint-attacks/

https://www.theguardian.com/technology/2025/jul/23/sharepoint-targeted-by-chinese-threat-actor-hackers-says-microsoft

https://www.reuters.com/world/us/us-nuclear-weapons-agency-breached-microsoft-sharepoint-hack-bloomberg-news-2025-07-23/


OSS Rebuild — Enhancement to open source security

Google has launched OSS Rebuild, a platform designed to enhance trust in open-source software (OSS) ecosystems by increasing transparency and security in software supply chains. OSS is now the main source of 77% of modern applications and is worth over $12 trillion worldwide. This makes it a key part of digital infrastructure and a growing target for sophisticated supply chain attacks.

While existing initiatives like Security Scorecard, PyPI’s Trusted Publishers, and npm’s SLSA support offer partial protection, they often place the burden on package maintainers and lack end-to-end solutions. OSS Rebuild addresses this by using declarative builds, build instrumentation, and network monitoring within the SLSA (Supply-chain Levels for Software Artifacts) framework to generate trustworthy, reproducible security metadata.

The platform automatically rebuilds packages for major ecosystems including PyPI, npm, and Crates.io, comparing rebuilt artifacts against upstream originals using semantic analysis. It normalizes variations (like compression differences) and generates SLSA Provenance attestations. This lets users verify a package’s origin, understand its build process, and generate enhanced SBOMs (Software Bill of Materials).
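To show what "normalizing variations like compression differences" means in practice, here is an added example (not OSS Rebuild's own code) that builds a hypothetical PyPI-style sdist twice with different gzip levels, member order and timestamps, and compares the two on content rather than on raw bytes. A third build with modified source shows that the comparison still catches a real change. File names and contents are constructed.

```python
import gzip, hashlib, io, tarfile

# Constructed sample package (hypothetical): the same sources "built" more than once.
PACKAGE_FILES = {"pkg/__init__.py": b"VERSION = '1.0'\n",
                 "pkg/core.py": b"def run():\n    return 42\n"}
MODIFIED_FILES = dict(PACKAGE_FILES, **{"pkg/core.py": b"def run():\n    return 43\n"})

def build_tarball(files: dict, level: int, mtime: int, order: list) -> bytes:
    """Write a .tar.gz; gzip level, timestamps and member order differ per build."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        for name in order:
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(files[name]), mtime
            tar.addfile(info, io.BytesIO(files[name]))
    gz_buf = io.BytesIO()
    with gzip.GzipFile(fileobj=gz_buf, mode="wb", compresslevel=level, mtime=mtime) as gz:
        gz.write(tar_buf.getvalue())
    return gz_buf.getvalue()

def content_digest(tgz: bytes) -> str:
    """SHA-256 over sorted member names and bytes only, ignoring compression,
    timestamps and member order (the kind of normalization the text describes)."""
    members = {}
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        for m in tar.getmembers():
            if m.isfile():
                members[m.name] = tar.extractfile(m).read()
    h = hashlib.sha256()
    for name in sorted(members):
        h.update(name.encode() + b"\0" + members[name] + b"\0")
    return h.hexdigest()

def compare(upstream: bytes, rebuilt: bytes) -> dict:
    """Report whether the archives match byte-for-byte and whether they match in content."""
    return {"bytes_identical": upstream == rebuilt,
            "content_identical": content_digest(upstream) == content_digest(rebuilt)}

ORDER = list(PACKAGE_FILES)
UPSTREAM = build_tarball(PACKAGE_FILES, 9, 1700000000, ORDER)
REBUILT = build_tarball(PACKAGE_FILES, 1, 1720000000, ORDER[::-1])
MODIFIED = build_tarball(MODIFIED_FILES, 9, 1700000000, ORDER)

if __name__ == "__main__":
    print("upstream vs rebuilt :", compare(UPSTREAM, REBUILT))
    print("upstream vs modified:", compare(UPSTREAM, MODIFIED))
```

A byte-level hash would flag the honest rebuild as a mismatch; the content digest accepts it while still rejecting the archive whose source actually changed.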

Most packages are processed automatically, with manual support available for those requiring extra configuration. OSS Rebuild is also looking into using AI to understand natural language build instructions. This will let the platform automate the creation of even complex packages without much human help.

In summary, OSS Rebuild offers a scalable, transparent solution to improving the integrity of open-source package ecosystems and helps mitigate supply chain threats across languages and platforms.

https://security.googleblog.com/2025/07/introducing-oss-rebuild-open-source.html

https://thehackernews.com/2025/07/google-launches-oss-rebuild-to-expose.html

Published Jul 29, 2025
Version 1.0