Scattered Spider Imitators, New RaaS Emerges, Fake Apps Threaten – Cybersecurity News [July 28, 2025]

by DuoCircle


From arrests slowing down major hacker groups to new threats quickly taking their place, this week has been full of movement in the cybersecurity space. Threat actors are shifting tactics, launching new ransomware groups, targeting telecoms, and using fake mobile apps to steal and extort. Even major airlines and telecom giants like Aeroflot and Orange haven’t been spared. Here’s a roundup of the key cyber incidents and developments of the week.


Scattered Spider Arrests Slow Attacks, But Imitators Keep Pressure on Cyber Defenses

Google Cloud’s Mandiant Consulting says attacks from the Scattered Spider hacking group have slowed following recent arrests in the U.K., but warns organizations not to relax.

The group (tracked as UNC3944) aggressively targeted industries like retail, airlines, and transportation, frequently aiming at VMware ESXi hypervisors. It used tactics like phishing, push bombing, SIM swapping, and fake employee personas to trick IT staff, bypass multi-factor authentication, and install remote access tools. It also relied on stolen credentials bought on underground markets and on Warzone RAT, Raccoon Stealer, Vidar, and Ratty malware to access systems and gather data.


Cloud storage platforms like Mega were used for data theft, and Snowflake environments were often abused with thousands of queries to exfiltrate information rapidly. In some recent cases, the group deployed DragonForce ransomware to encrypt servers. Although activity from this specific group has paused, others like UNC6040 are continuing similar attacks, and authorities from the U.S., Canada, and Australia have released updated guidance.

Organizations should use this downtime to study the group’s methods and strengthen their defenses now.


New Chaos RaaS Fills Void After BlackSuit Takedown, Targets U.S. Victims for $300K

A new ransomware-as-a-service group called Chaos has surfaced, believed to be formed by ex-members of BlackSuit, whose dark web sites were recently seized during Operation Checkmate.

Chaos has been active since February 2025, targeting U.S. victims with phishing emails and voice-based scams that trick users into installing Microsoft Quick Assist. Once inside, the attackers deploy remote management tools like AnyDesk and Splashtop to maintain access, exfiltrate data using GoodSync, delete logs and security tools, and then encrypt files with fast, multi-threaded ransomware built to avoid detection.


They are not connected to the older ransomware tools of the same name, but they do use similar tactics, including in their ransom notes and encryption methods. The FBI also seized $2.4 million in crypto linked to a Chaos member. Meanwhile, other groups like Gunra and Epsilon Red are shifting tactics and expanding to new platforms.

To stay protected, regularly update software, monitor RMM activity, and train staff to detect phishing and voice scams.
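Monitoring RMM activity is easier when you look for the chain rather than single tools. The following is an added example, not code from the article or from any vendor: it scans constructed process-creation events and flags hosts where an RMM tool is followed by the GoodSync exfiltration step or by log clearing, as in the Chaos intrusions described above. The process names, the use of wevtutil for log clearing, and the sample events are assumptions made for illustration.

```python
"""Flag hosts showing the Quick Assist -> RMM -> GoodSync -> log-clearing chain.

Constructed, simplified process-creation events; not real telemetry.
"""
from collections import defaultdict

# Hypothetical process-name-to-stage mapping; in practice map these from EDR data.
STAGES = {
    "quickassist.exe": "initial_access",
    "anydesk.exe": "rmm",
    "splashtopstreamer.exe": "rmm",
    "goodsync.exe": "exfil",
    "wevtutil.exe": "log_clear",   # assumed log-clearing tool
}

# Constructed sample events: (ISO timestamp, host, process, command line)
EVENTS = [
    ("2025-07-28T09:01:00", "WS-101", "QuickAssist.exe", "QuickAssist.exe"),
    ("2025-07-28T09:07:00", "WS-101", "AnyDesk.exe", "AnyDesk.exe --install"),
    ("2025-07-28T09:40:00", "WS-101", "GoodSync.exe", "GoodSync.exe /sync job1"),
    ("2025-07-28T09:55:00", "WS-101", "wevtutil.exe", "wevtutil.exe cl Security"),
    ("2025-07-28T10:00:00", "WS-202", "AnyDesk.exe", "AnyDesk.exe"),  # lone, IT-approved RMM
]


def first_seen_stages(events):
    """Return {host: {stage: first timestamp}} for every recognised process."""
    first = defaultdict(dict)
    for ts, host, proc, _cmd in events:
        stage = STAGES.get(proc.lower())
        if stage and stage not in first[host]:
            first[host][stage] = ts
    return first


def suspicious_hosts(events):
    """Hosts where an RMM tool is followed in time by exfiltration or log clearing.

    A single RMM process on its own is not flagged, which keeps IT-approved
    remote support sessions out of the alert queue.
    """
    flagged = []
    for host, stages in first_seen_stages(events).items():
        rmm_ts = stages.get("rmm")
        if rmm_ts is None:
            continue
        # ISO-8601 timestamps of equal format compare correctly as strings.
        if any(stages[s] > rmm_ts for s in ("exfil", "log_clear") if s in stages):
            flagged.append(host)
    return sorted(flagged)
```

Feed real process-creation logs through the same mapping and tune the stage list to the RMM tools your organisation actually sanctions.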


Fake Mobile Apps Used to Steal Data and Extort Users Across Asian Networks

A large-scale mobile malware campaign is actively targeting Android and iOS users across Asia using fake dating, cloud storage, and social apps to steal personal data.

Codenamed SarangTrap by Zimperium, this operation centers on South Korea and involves over 250 Android apps and 80 fake domains. The domains mimic app store pages to trick users into downloading malware that steals contacts, images, and other data while posing as legitimate apps. On Android, users are asked to enter an invitation code, which triggers the malware’s functions and gives it access to SMS, contacts, and files. iOS users are lured into installing configuration profiles that allow the attackers to extract data. Some victims are then blackmailed.


Other similar campaigns use fake Telegram apps with QR codes, malware posing as Indian financial services targeting users in Bangladesh and the Gulf, and new banking trojans like RedHook in Vietnam. These threats exploit accessibility services, bypass app signatures, and even use malware kits available for rent.

That’s why it’s best to stick to trusted app stores, deny suspicious permissions, and regularly check for unknown profiles or apps on your phone.


Cyberattack Forces Aeroflot to Ground Multiple Flights

Russia’s flagship airline Aeroflot has been hit by a cyberattack that led to over 60 flight cancellations and major delays across its operations.


Hacktivist groups ‘Silent Crow’ and ‘Cyberpartisans BY’, from Ukraine and Belarus respectively, have claimed responsibility. They announced they had been inside Aeroflot’s systems for over a year, mapped the network, and destroyed key infrastructure. The attackers claim to have gained access to 122 hypervisors, 43 ZVIRT virtualization setups, around 100 iLO interfaces, and four Proxmox clusters. They also say they exfiltrated flight history databases, data from executive workstations, personnel monitoring systems, and servers used for recording internal phone calls.

On the day of the attack, they reportedly wiped 7,000 physical and virtual servers, erasing 12TB of databases, 8TB of shared Windows files, and 2TB of internal email. The groups have threatened to publish stolen data that could expose Russian passengers. Aeroflot has not confirmed the breach, but its ongoing technical issues and continued flight disruptions point to serious internal damage.

If you’re an Aeroflot traveller, you should monitor official channels and delay non-essential bookings until systems are fully restored.


Orange Confirms Cyberattack on Its Systems

Orange, one of the largest telecom operators globally, has confirmed a cyberattack on one of its information systems, detected and isolated on July 25 by its cybersecurity arm, Orange Cyberdefense.


The breach led to service disruptions, mainly affecting some business clients and a few consumer services in France. The organization said teams acted quickly to contain the issue and limit impact, though the isolation steps caused temporary outages. Orange has reported the incident to authorities and filed a complaint. So far, there’s no evidence of customer or organizational data being stolen.

The attackers haven’t been named, but the incident follows a pattern similar to breaches linked to China’s Salt Typhoon group, which has previously targeted major telecoms in the U.S. and other countries. Recent victims tied to that campaign include Comcast, Digital Realty, and the satellite firm Viasat. Earlier this year, Orange’s Romanian division was hit in a separate breach. Orange serves 294 million customers globally and operates under the Orange Business brand for corporate services.

Customers are advised to monitor their accounts and stay updated on further communication from Orange.
