4 July 2025

Ankura CTIX FLASH Update - July 1, 2025

Ankura Consulting Group LLC


Malware Activity

From Basic Data Stealers to Sophisticated Espionage and Persistent Malware Campaigns

Recent cybersecurity analyses reveal that malware like GIFTEDCROOK has advanced from simple browser data theft to a highly targeted espionage tool, aimed primarily at Ukrainian government and military data. It now employs complex techniques such as macro-laden phishing emails with military-themed content to exfiltrate sensitive documents, cookies, and authentication details, while evading detection through segmented ZIP archives and trace-cleaning scripts. Concurrently, Chinese-speaking targets face threats from campaigns mimicking popular software like WPS Office and Sogou, distributing malware such as Sainbox RAT and stealthy rootkits via malicious MSI installers. Attributed to the Chinese hacking group Silver Fox, these operations leverage legitimate-looking files and open-source tools to maintain persistent access, highlighting a disturbing trend of increasingly sophisticated, stealthy cyber espionage efforts that threaten critical infrastructure and sensitive information worldwide. CTIX analysts will continue to report on the latest malware strains and attack methodologies.

Threat Actor Activity

Scattered Spider Targets Aviation Sector with Sophisticated Social Engineering and Ransomware Tactics

Scattered Spider, a cybercriminal group known for its adept use of social engineering, is actively targeting the aviation industry following previous campaigns against the retail, finance, and insurance sectors. According to researchers, the group (also tracked as UNC3944 or Muddled Libra) relies on impersonation tactics to deceive IT help desks, enabling the attackers to bypass multi-factor authentication (MFA), harvest credentials from high-value targets like CISOs and CFOs, and gain unauthorized access to internal systems. The FBI confirmed these operations in a June 27 alert, warning that Scattered Spider is using ransomware and data extortion as part of its arsenal and is now targeting not only airlines but also their third-party IT providers. Recent cyber incidents affecting WestJet and Hawaiian Airlines, while not formally attributed to the group, reflect the tradecraft associated with Scattered Spider. Investigators have also linked earlier attacks on UK retailers like M&S and The Co-op to the group, which leveraged stolen credentials from IT vendor Tata Consultancy Services. With the aviation sector now in its sights, CTIX analysts urge all industries to strengthen identity verification processes, closely monitor MFA reset activity, and report incidents swiftly to prevent further compromise.

Vulnerabilities

CitrixBleed 2: Emerging Threat from CVE-2025-5777 Raises Exploitation Fears

A critical vulnerability in Citrix NetScaler ADC and Gateway appliances, tracked as CVE-2025-5777 and dubbed "CitrixBleed 2", has raised significant concern among cybersecurity professionals due to its similarity to the previously exploited CitrixBleed flaw (CVE-2023-4966). This out-of-bounds memory read vulnerability allows unauthenticated attackers to access restricted memory, steal session tokens, and hijack user sessions, effectively bypassing multi-factor authentication (MFA). Although Citrix claims there's no confirmed exploitation of CVE-2025-5777, cybersecurity firm ReliaQuest reports indicators of active abuse, including session hijacking, reuse of sessions across suspicious IPs, and Active Directory reconnaissance using tools like ADExplorer64.exe. Over 1,200 exposed appliances remain unpatched, and while nearly 70,000 NetScaler instances are visible online, around 135 are confirmed to run vulnerable versions. Compounding the threat, many of these appliances are also vulnerable to CVE-2025-6543, which is actively being exploited in denial-of-service (DoS) attacks. CTIX analysts urge administrators to apply all recent Citrix patches, terminate active sessions, and monitor for suspicious activity, as experts warn CitrixBleed 2 may soon become a widespread attack vector.
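As an added example, not code from the Ankura article or from Citrix, the following Python script implements the session-reuse check the analysts recommend: it parses constructed, simplified session log lines (the field names are assumptions, not NetScaler's real syslog format) and flags any session token seen from more than one client IP within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in a simplified, assumed format (not real
# NetScaler syslog): timestamp, client IP, session token, action.
SAMPLE_LOG = """\
2025-07-01T08:00:01Z client=203.0.113.10 session=SESS-A1 action=login
2025-07-01T08:05:12Z client=203.0.113.10 session=SESS-A1 action=request
2025-07-01T08:07:45Z client=198.51.100.7 session=SESS-A1 action=request
2025-07-01T09:10:00Z client=192.0.2.55 session=SESS-B2 action=login
2025-07-01T09:12:30Z client=192.0.2.55 session=SESS-B2 action=request
2025-07-01T13:30:00Z client=192.0.2.99 session=SESS-B2 action=request
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>\S+) session=(?P<sid>\S+) action=(?P<action>\S+)"
)

def parse_lines(text):
    """Yield (timestamp, client_ip, session_id) for each line that matches."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or malformed line: skip rather than crash
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["ip"], m["sid"]

def find_session_reuse(text, window_seconds=3600):
    """Return {session_id: sorted client IPs} for every session token used from
    a different client IP within window_seconds of its previous use.
    A short-window IP hop is the hijack pattern; a user reconnecting from a
    new network hours later is ignored to limit false positives."""
    history = defaultdict(list)  # sid -> [(ts, ip), ...]
    for ts, ip, sid in parse_lines(text):
        history[sid].append((ts, ip))
    flagged = {}
    for sid, events in history.items():
        events.sort()
        for (prev_ts, prev_ip), (ts, ip) in zip(events, events[1:]):
            if ip != prev_ip and (ts - prev_ts).total_seconds() <= window_seconds:
                flagged.setdefault(sid, set()).update({prev_ip, ip})
    return {sid: sorted(ips) for sid, ips in flagged.items()}

if __name__ == "__main__":
    for sid, ips in find_session_reuse(SAMPLE_LOG).items():
        print(f"ALERT: session {sid} used from {len(ips)} IPs: {', '.join(ips)}")
```

On the sample data only SESS-A1 is flagged: its token moves to a second IP within three minutes, whereas SESS-B2's second IP appears more than four hours later and falls outside the default one-hour window.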
