CloudSEK Updates

Cybercriminals target fans and F1 teams around the July 27, 2025, Belgian Grand Prix. They use phishing, fake tickets, social media scams, and fraudulent merchandise sites. Recent incidents include a 2024 phishing campaign via the official Grand Prix email. Fans must verify sources and enable 2FA; teams need employee training and network segmentation to combat these evolving threats.

CloudSEK discovered a new Epsilon Red ransomware campaign targeting users globally via fake ClickFix verification pages. Active since July 2025, threat actors use social engineering and impersonate platforms like Discord, Twitch, and OnlyFans to trick users into executing malicious .HTA files through ActiveX. This leads to silent payload downloads and ransomware deployment. Users are urged to disable ActiveX, block attacker IPs, and train against such lures.

In July 2025, CloudSEK analyzed how misinformation and recycled breach data—from forums, media, and researchers—flood threat intel teams with false alarms. High-profile cases like the “16 Billion Credential Leak” and ICMR breach were inflated using old or fake data. This noise wastes up to 25% of security teams’ time. The report offers a clear framework to verify breach legitimacy, reduce alert fatigue, and focus on real, high-priority cyber threats.

A critical flaw (CVE-2025-20309, CVSS 10.0) in Cisco Unified Communications Manager lets attackers gain root access via hard-coded credentials in versions 15.0.1.13010-1 to 13017-1. Over 1,000 internet-exposed assets are at risk globally, especially in the US and Asia. Likely targets include VoIP and government networks. Immediate patching, access restrictions, and log monitoring are strongly advised to prevent system compromise.

As fintechs rush to simplify lending, they’re also unknowingly exposing massive security blind spots—exposed APIs, weak authentication, and zero encryption. This blog dives into real-world findings from BeVigil scans that uncovered full account takeovers and critical data leaks in major banking platforms. If you're in digital lending, this isn’t just a wake-up call—it’s your blueprint to survival.

Cybercriminals are exploiting DeepSeek’s rising popularity to launch ClickFix phishing campaigns, tricking users into clicking fake CAPTCHA links that steal credentials and install malware like Vidar and Lumma Stealer. These attacks impersonate DeepSeek’s branding to appear legitimate, bypass security measures, and infect unsuspecting victims. CloudSEK’s Threat Research Team has uncovered a malicious domain distributing malware via deceptive verification buttons. Learn how to spot these scams, secure your accounts with MFA, and avoid becoming the next victim! Stay informed and shield your data NOW before it’s too late! 🔥

CloudSEK’s TRIAD team created this report based on an analysis of the increasing trend of cryptocurrency counterfeiting, in which tokens impersonate government organizations to provide some legitimacy to their “rug pull” scams. An example of this scam is covered in this report where threat actors have created a counterfeit token named “BRICS”. This token is aimed at exploiting the focus on the BRICS Summit held in Kazan, Russia, and the increased interest in investments and expansion of the BRICS government organization which comprises different countries (Brazil, Russia, India, China, South Africa, Egypt, Ethiopia, Iran, and the United Arab Emirates)

In a chilling new twist on an old threat, cybercriminals are once again targeting YouTube creators—this time with an insidiously clever technique dubbed Clickflix. Masquerading as legitimate brand collaborations, attackers lure content creators into executing malicious PowerShell scripts that silently steal browser credentials, crypto wallet data, and more. CloudSEK's latest investigation dives deep into this fast-evolving campaign, exposing how the attackers weaponize fake Microsoft portals, manipulate clipboard actions, and maintain stealthy persistence. If you’re a creator, security professional, or simply curious about the latest in malware innovation—this report is a must-read.

The Lumma Stealer malware campaign is exploiting compromised educational institutions to distribute malicious LNK files disguised as PDFs, targeting industries like finance, healthcare, technology, and media. Once executed, these files initiate a stealthy multi-stage infection process, allowing cybercriminals to steal passwords, browser data, and cryptocurrency wallets. With sophisticated evasion techniques, including using Steam profiles for command-and-control operations, this malware-as-a-service (MaaS) threat highlights the urgent need for robust cybersecurity defenses. Stay vigilant against deceptive phishing tactics to protect sensitive information from cyber exploitation.