FileFix Ransomware Threat, Konfety Malware Evasion, Crypto Users Targeted – Cybersecurity News [July 14, 2025]
Attackers are getting creative again, using copy-paste tricks to drop malware, hiding Android threats inside broken app files, and setting up entire fake startups to steal crypto. Developers are being targeted through tampered npm packages, while a newly exposed Wing FTP flaw is already under active abuse. With techniques evolving fast, staying patched and alert is more important than ever. Read on to stay a step ahead!
Implementing SPF, DKIM, DMARC, and strong email security is also key to defending against phishing and malware threats.
Interlock Ransomware Introduces FileFix Tactic to Distribute Malware
Hackers behind Interlock ransomware are shifting tactics, using a new trick called “FileFix” to quietly plant remote access trojans (RATs) on victims’ systems.
Researchers from The DFIR Report and Proofpoint have seen a rise in Interlock activity, with attackers first using the KongTuke web injector, luring victims through fake CAPTCHA checks and sneaky clipboard tricks that led users to run PowerShell scripts launching a Node.js-based RAT. In June, a PHP version appeared, delivered the same way.
However, the attackers recently switched to the FileFix method invented by security researcher mr.d0x, which helps them leverage trusted Windows features like File Explorer and HTA apps. Instead of clicking suspicious links, victims are tricked into pasting a disguised PowerShell command, posing as a file path, into the address bar. This fetches the PHP RAT from trycloudflare.com, which then runs PowerShell commands to collect network and system data, exfiltrating it as JSON.
Researchers have also spotted attackers probing Active Directory, hunting backups, and moving laterally via RDP. For now, it is best to be cautious about copying or pasting commands from untrusted sources and to keep security tools updated.
Android Malware ‘Konfety’ Evades Detection Using Corrupted APK Files
A fresh wave of Konfety Android malware has surfaced, rigged with a corrupted ZIP structure and clever tricks to slip past security scans.
It is masquerading as legitimate applications that imitate familiar names on Google Play. Konfety does not deliver any real functionality and bombards users with hidden ads through the CaramelAds SDK. It then gathers details about installed apps and system settings and reroutes victims to shady sites or installs other unwanted apps. Zimperium’s researchers uncovered how the malware conceals its harmful code inside encrypted DEX files that are decrypted only at runtime, letting the attackers load new malicious components whenever they choose.
Konfety also tampers with APK internals; it falsely marks files as encrypted to trigger fake password prompts, and labels crucial files with unsupported BZIP compression so popular analysis tools crash or fail to read them. Android, however, quietly ignores these tricks and lets the app run, helping the malware stay hidden.
Beyond that, Konfety erases its icon and adjusts its behavior depending on the victim’s location. The best defense is to avoid third-party app stores and install apps only from trusted sources.
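The two APK header tricks described above can be spotted without extracting the archive. This is an added example, not Zimperium's code: it walks the ZIP central directory by hand, flags entries with the encryption bit set or a compression method Android does not accept, and builds a constructed sample (not a real Konfety APK) to show that a stock extractor refuses the tampered manifest while the header scan does not.

```python
import io
import struct
import zipfile

METHOD_NAMES = {0: "stored", 8: "deflate", 12: "bzip2", 14: "lzma", 93: "zstd"}  # Android accepts only 0 and 8
CDH_FMT, EOCD_FMT = "<4sHHHHHHIIIHHHHHII", "<4sHHHHIIH"  # central dir header / end record

def iter_central_directory(data: bytes):
    """Yield (header_offset, name, flags, method) per entry, reading headers only."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, _, cd_offset, _ = struct.unpack_from(EOCD_FMT, data, eocd)
    pos = cd_offset
    for _ in range(total):
        f = struct.unpack_from(CDH_FMT, data, pos)
        if f[0] != b"PK\x01\x02":
            raise ValueError(f"bad central directory header at {pos:#x}")
        flags, method, name_len, extra_len, comment_len = f[3], f[4], f[10], f[11], f[12]
        yield pos, data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace"), flags, method
        pos += 46 + name_len + extra_len + comment_len

def find_apk_anomalies(data: bytes) -> list[str]:
    """Flag the two header tricks: a set 'encrypted' bit and a non-Android compression method."""
    findings = []
    for _, name, flags, method in iter_central_directory(data):
        if flags & 0x0001:  # tools prompt for a password; Android ignores the bit
            findings.append(f"{name}: encryption flag set")
        if method not in (0, 8):
            findings.append(f"{name}: method {method} ({METHOD_NAMES.get(method, 'unknown')}) unsupported by Android")
    return findings

def build_tampered_sample() -> bytes:
    """Constructed sample (not a real Konfety APK): bzip2 classes.dex, manifest marked encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>", compress_type=zipfile.ZIP_STORED)
        zf.writestr("classes.dex", b"dex\n035\x00" + bytes(64), compress_type=zipfile.ZIP_BZIP2)
    data = bytearray(buf.getvalue())
    for pos, name, flags, _ in iter_central_directory(bytes(data)):
        if name == "AndroidManifest.xml":
            struct.pack_into("<H", data, pos + 8, flags | 0x0001)  # flags field sits at offset 8
    return bytes(data)

def naive_extract_fails(data: bytes) -> bool:
    """A stock extractor refuses the 'encrypted' manifest; the header scan above does not."""
    try:
        return zipfile.ZipFile(io.BytesIO(data)).read("AndroidManifest.xml") is None
    except RuntimeError:  # "File ... is encrypted, password required for extraction"
        return True
```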
Bogus Gaming and AI Brands Target Crypto Users with Malware
Cryptocurrency users are being targeted in a long-running fraud where attackers pose as fake startups to push malware that steals digital assets on both Windows and macOS.
These scams involve social media profiles of supposed AI, gaming, and Web3 enterprises that seem authentic, complete with blogs, team pages, and whitepapers. Attackers contact victims via social media platforms, offering small payments for trying out new software. Victims are then sent to professional-looking websites and prompted to download an app using a registration code.
On Windows, this triggers a fake Cloudflare screen while malware installs in the background. On macOS, a disguised installer deploys Atomic macOS Stealer (AMOS), which can grab browser data, crypto wallet contents, and documents. Some variants also log user activity and ensure the malware starts with each login. The campaign is still ongoing, using identities like BeeSync, Pollens AI, Swox, and others to lure users.
Again, you should avoid downloading software from unknown sources, even if they look professional, and be cautious of unsolicited offers on social media or emails.
Threat Actors Conceal XORIndex Malware in 67 Malicious npm Packages
Threat actors have uploaded sixty-seven malicious packages to the Node Package Manager (npm) to deliver a new malware loader named XORIndex, aiming to compromise developer systems.
Researchers from Socket discovered these packages, which have been downloaded over 17,000 times and are linked to the broader Contagious Interview campaign that relies on fake job offers to lure developers. This operation has been active for months, with a previous wave in April involving 35 packages carrying information stealers and backdoors. In the latest attack, the threat actors used names resembling legitimate tools, like vite-meta-plugin and postcss-preloader, to blend in.
When unsuspecting developers installed any of these packages, a ‘postinstall’ script silently launched XORIndex Loader, which gathered host data and sent it to a command-and-control server on Vercel infrastructure. The server responded by deploying backdoors, including BeaverTail and InvisibleFerret, providing control over the infected machines.
It is best to scrutinize package names carefully, verify publisher reputations, and test unfamiliar code in controlled environments before deploying it.
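One way to audit an installed dependency tree for the install-time hooks this loader relied on, as an added example that is not Socket's tooling or the campaign's code: it lists every package under node_modules declaring a preinstall/install/postinstall/prepare script and writes the real npm setting ignore-scripts=true into a project .npmrc. The node_modules tree, package names and hook commands are constructed placeholders.

```python
import json
import tempfile
from pathlib import Path

# Lifecycle hooks npm runs automatically during `npm install`; a loader wired to one of
# them executes without the victim's code ever importing the package.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

def audit_install_scripts(node_modules: Path) -> list[dict]:
    """List every installed package that declares an install-time hook, with its command."""
    findings = []
    for manifest in sorted(node_modules.rglob("package.json")):
        try:
            pkg = json.loads(manifest.read_text(encoding="utf-8"))
        except (ValueError, OSError):
            continue  # unreadable or non-JSON manifest: nothing to assess here
        scripts = pkg.get("scripts") or {}
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                findings.append({"package": pkg.get("name", manifest.parent.name),
                                 "hook": hook, "command": scripts[hook]})
    return findings

def write_ignore_scripts(project_dir: Path) -> Path:
    """Hardening: a project-level .npmrc with ignore-scripts=true stops npm from running
    lifecycle hooks; packages that genuinely need one are then built explicitly."""
    npmrc = project_dir / ".npmrc"
    existing = npmrc.read_text(encoding="utf-8") if npmrc.exists() else ""
    if "ignore-scripts=true" not in existing.splitlines():
        sep = "\n" if existing and not existing.endswith("\n") else ""
        npmrc.write_text(existing + sep + "ignore-scripts=true\n", encoding="utf-8")
    return npmrc

def build_sample_project() -> Path:
    """Constructed tree, not real packages: an honest native build step, a look-alike name
    with a postinstall hook (placeholder command, not the real loader), and a clean package."""
    project = Path(tempfile.mkdtemp())
    manifests = {
        "native-addon-sample": {"name": "native-addon-sample", "scripts": {"install": "node-gyp rebuild"}},
        "vite-meta-plugin-sample": {"name": "vite-meta-plugin-sample",
                                    "scripts": {"postinstall": "node ./setup.js", "build": "tsc"}},
        "clean-sample": {"name": "clean-sample", "version": "1.0.0"},
    }
    for folder, manifest in manifests.items():
        pkg_dir = project / "node_modules" / folder
        pkg_dir.mkdir(parents=True)
        (pkg_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return project
```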
Hackers Exploit Remote Code Execution Vulnerability in Wing FTP Server
Hackers wasted no time exploiting a severe flaw in Wing FTP Server, striking just a day after technical details of the vulnerability were published.
Security experts have uncovered attacks where intruders ran reconnaissance commands and created new user accounts to maintain access. At the center is CVE-2025-47812, a high-risk bug mixing a null byte issue with Lua code injection, letting unauthenticated attackers execute system-level commands. Wing FTP, widely used in enterprises for secure file transfers, can run Lua scripts, an ability that now turns into a weakness.
Researcher Julien Ahrens revealed that unsafe handling of null-terminated strings in C++ and poor input sanitization in Lua allowed attackers to slip null bytes into usernames, bypassing checks and injecting malicious code into session files. Alongside this flaw, Ahrens reported three more: password leaks via crafted URLs (CVE-2025-27889), a lack of sandboxing (CVE-2025-47811), and path disclosure through oversized cookies (CVE-2025-47813).
Although fixes landed in version 7.4.4 in May, threat actors were seen sending malicious login requests and attempting to download payloads using certutil and cURL, suggesting coordinated scanning and exploitation. Organizations should patch to 7.4.4 immediately or lock down web access and monitor servers closely to avoid compromise.
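The root cause described above is a mismatch between a NUL-terminated view of a string and its full length-delimited form. The added example below (not Wing FTP's code or Ahrens's research) illustrates that mismatch in Python, with the truncating check beside a hardened one, and adds a detection pass over constructed access-log lines (generic format, not Wing FTP's own) for login requests whose username carries an encoded NUL.

```python
import re
from urllib.parse import parse_qs, urlsplit

USERNAME_OK = re.compile(rb"[A-Za-z0-9._-]{1,64}")

def c_string_view(raw: bytes) -> bytes:
    """What code using C-style NUL-terminated strings sees of a length-delimited buffer."""
    return raw.split(b"\x00", 1)[0]

def accept_truncated(raw: bytes) -> bool:
    """Flawed pattern: the allowlist check runs on the NUL-terminated view, while the full
    buffer, bytes after the NUL included, is what later gets written out (e.g. to a session file)."""
    return USERNAME_OK.fullmatch(c_string_view(raw)) is not None

def accept_full(raw: bytes) -> bool:
    """Hardened: the whole buffer must pass the allowlist, so an embedded NUL fails it."""
    return USERNAME_OK.fullmatch(raw) is not None

# Constructed access-log lines in a generic format (not Wing FTP's own) for the detection side.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Jul/2025:10:02:11 +0000] "POST /login?username=alice HTTP/1.1" 200
203.0.113.9 - - [11/Jul/2025:10:02:13 +0000] "POST /login?username=bob%00junk HTTP/1.1" 200
198.51.100.7 - - [11/Jul/2025:10:03:02 +0000] "GET /index.html HTTP/1.1" 200
"""
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

def login_requests_with_nul(log_text: str) -> list[str]:
    """Return source IPs of login requests whose decoded username carries a NUL byte."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("/login"):
            continue
        usernames = parse_qs(url.query, keep_blank_values=True).get("username", [])
        if any("\x00" in u for u in usernames):
            hits.append(line.split()[0])
    return hits
```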