---
title: "Lumma Infostealer Returns, Coyote Malware Exploits, Interlock Ransomware Alert, Cybersecurity News [July 21, 2025] | DuoCircle"
description: "Lumma Infostealer Returns, Coyote Malware Exploits, Interlock Ransomware Alert, Cybersecurity News [July 21."
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/announcements/cyber-security-news-update-week-31-of-2025/"
---

Quick Answer

Cybersecurity headlines for the week of July 21, 2025\. The Lumma infostealer resurfaced after Microsoft and law enforcement seized roughly 2,300 domains in May, with operators rebuilding infrastructure on Cloudflare alternatives. Coyote banking malware became the first known strain to abuse the Windows UI Automation accessibility framework, reading account numbers directly from banking and crypto sites in Brazil. CISA and the FBI issued a joint advisory on rising Interlock ransomware activity targeting healthcare, government, and manufacturing in the US and UK. A US healthcare network reported a breach exposing patient data, and Dior notified US customers of a data breach affecting personal information from a January 2025 intrusion.

Lumma Infostealer Returns, Coyote Malware Exploits, Interlock Ransomware Alert, Cybersecurity News \[July 21, 2025\]


[ Download episode](https://media.mailhop.org/duocircle/images/2025/07/Lumma-Infostealer-Returns-Coyote-Malware-Exploits-Interlock-Ransomware-Alert---Cybersecurity-News-July-21-2025-1.mp3) 


![cybersecurity news](https://media.mailhop.org/duocircle/images/2025/07/spf-record-generator-3672.jpg) 

From [malware sneaking](https://www.cnbc.com/2025/05/21/microsoft-malware-windows.html) in through fake game cheats to ransomware hitting hospitals, this week’s cyber stories are anything but quiet. Lumma’s back in action, Coyote’s abusing Windows in clever ways, and even Dior couldn’t dodge a data breach. If you use the internet (and who doesn’t?), here’s what you should be **paying attention to**.

## Lumma Infostealer Resurfaces Following Law Enforcement Crackdown

The [Lumma infostealer malware](https://www.trendmicro.com/en%5Fus/research/25/g/lumma-stealer-returns.html) is making a steady comeback after a major law enforcement operation in May took **down over 2,300 domains** and parts of its infrastructure.

_Despite this disruption, Lumma wasn’t completely shut down. The group quickly confirmed the takedown on cybercrime forums, claiming their main server was wiped remotely but not seized_. They began restoring systems almost immediately. Over time, they rebuilt the malware-as-a-service (MaaS) platform and regained credibility within criminal circles. [Trend Micro reports](https://www.trendmicro.com/en%5Fus/research/25/g/lumma-stealer-returns.html) that Lumma is now nearly **back to pre-takedown levels**, using new command-and-control domains and shifting its cloud hosting from Cloudflare to Selectel, a Russian provider, to avoid future takedowns.

[![cloud hosting](https://media.mailhop.org/duocircle/images/2025/07/spf-record-3149.jpg)](https://media.mailhop.org/duocircle/images/2025/07/spf-record-3149.jpg)

The malware is being spread through four key methods: fake software cracks promoted through search manipulation, [fake CAPTCHA pages](https://www.malwarebytes.com/blog/news/2025/03/fake-captcha-websites-hijack-your-clipboard-to-install-information-stealers) on compromised sites that load the malware via PowerShell, [malicious GitHub repos](https://www.darkreading.com/threat-intelligence/dozens-malicious-copycat-repos-github) offering fake game cheats, and videos or posts on **YouTube and Facebook** that link to infected download sites. These tactics are designed to bypass detection and target users across multiple channels.

Lumma is active again, so you should avoid downloading cracked software or clicking suspicious ads and links.

Implementing [SPF](https://autospf.com/blog/spf-guide-understanding-sender-policy-framework/), [DKIM](/resources/what-is-dkim), and [DMARC](/resources/what-is-dmarc) can help prevent [domain spoofing](https://www.infosecurity-magazine.com/news/infosec2025-email-domains-spoofing/) and reduce the risk of phishing campaigns like those used in these cyberattacks.

## Coyote Malware Exploits Windows Accessibility Features to Steal Data

A new version of the [Coyote banking trojan](https://www.akamai.com/blog/security-research/active-exploitation-coyote-malware-first-ui-automation-abuse-in-the-wild) is now using a built-in Windows accessibility feature to spy on **users and identify visits** to banking and crypto exchange sites.

[![ crypto platforms ](https://media.mailhop.org/duocircle/images/2025/07/spf-record-check-3149.jpg)](https://media.mailhop.org/duocircle/images/2025/07/spf-record-check-3149.jpg)

The feature, known as [Microsoft UI Automation (UIA)](https://en.wikipedia.org/wiki/Microsoft%5FUI%5FAutomation), is meant to help assistive technologies interact with app interfaces. However, the malware uses it to quietly scan a browser’s interface and extract web addresses, checking them against a list of 75 targeted banks and crypto platforms like Binance, Banco do Brasil, and CaixaBank. If it doesn’t find a match through a window title, it digs deeper using **UIA to inspect tabs** or address bars for matches.

Coyote was [first spotted in early 2024](https://www.kaspersky.com/about/press-releases/coyote-ugly-kaspersky-unveils-banking-trojan-targeting-over-60-institutions) and mainly targets Brazilian users. It still relies on keylogging and phishing for some apps, but this UIA-based method helps it track activity across websites in a way that often **evades security tools**. The researchers at Akamai who had earlier warned of this threat have now also confirmed real-world attacks occurring since February 2025.

The method is limited to reconnaissance, but it could evolve, so it’s best to avoid downloading unknown apps and keep your system and antivirus software updated.

## CISA, FBI Issue Alert on Rising Interlock Ransomware Activity

[The FBI, CISA, HHS, and MS-ISAC](https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-203a) have issued a joint advisory warning of rising Interlock ransomware activity targeting **businesses and critical infrastructure**, particularly in the healthcare sector.

_Interlock, active since September 2024, uses double extortion, stealing data before encrypting it to pressure victims into paying ransoms_. They’ve recently claimed attacks on major organizations like DaVita and Kettering Health, [stealing over 1.5TB of data](https://www.secureblink.com/cyber-security-news/massive-1-5-tb-data-breach-hits-largest-us-addiction-treatment-exposing-patients). The group is also tied to earlier ClickFix incidents and has deployed the NodeSnake remote access trojan in previous attacks on UK universities.

[![ stealing over 1.5TB of data ](https://media.mailhop.org/duocircle/images/2025/07/sender-policy-framework-3149.jpg)](https://media.mailhop.org/duocircle/images/2025/07/sender-policy-framework-3149.jpg)

The group’s tactics include [drive-by downloads](https://thehackernews.com/2024/07/fakebat-loader-malware-spreads-widely.html) from hacked websites, which is an uncommon approach among [ransomware groups](https://thehackernews.com/2025/03/the-new-ransomware-groups-shaking-up.html). They also employ a newer method called FileFix, where they trick users into running malicious scripts by exploiting trusted Windows elements like File Explorer and .HTA files. The latest advisory highlights fresh [indicators of compromise (IOCs)](https://www.fortinet.com/resources/cyberglossary/indicators-of-compromise) collected as **recently as June 2025**. It also lists defenses organizations can adopt, such as DNS filtering, firewalls, and employee training.

Even right now, Interlock is active, so it’s **best to update your systems** regularly, use [multifactor authentication](https://www.techtarget.com/searchsecurity/definition/multifactor-authentication-MFA), and educate teams to spot phishing and social engineering attempts.

## Leading and Established Healthcare Network Reports Security Breach

_AMEOS Group, which is a major healthcare provider in Central Europe, disclosed a cyberattack that may have exposed sensitive data belonging to patients, employees, and partners across its network_.

The breach affected all of its IT systems at more than **100 facilities across** Germany, Austria, and Switzerland. Despite having what it described as “extensive security measures,” [AMEOS confirmed](https://www.ameos.eu/datenschutz/datenschutzvorfall-gem-art-34-dsgvo/) that external attackers gained unauthorized access, potentially compromising personal and professional contact details. As part of its legal obligation under [GDPR](https://www.investopedia.com/terms/g/general-data-protection-regulation-gdpr.asp), AMEOS issued a public statement acknowledging the incident.

[![GDPR](https://media.mailhop.org/duocircle/images/2025/07/spf-record-tester-3149.jpg)](https://media.mailhop.org/duocircle/images/2025/07/spf-record-tester-3149.jpg)

In response to the attack, they immediately shut down all IT systems and disconnected all **internal and external networks**. They’ve also hired [cybersecurity](/) and forensic experts to support the investigation, and the relevant data protection authorities have been informed. A criminal complaint has also been filed.

AMEOS stated that it cannot rule out the risk of data misuse and pledged to inform affected individuals as soon as its ongoing investigation concludes.

## Dior Notifies U.S. Customers of Data Breach Incident

Dior is [informing U.S. customers of a data breach](https://www.documentcloud.org/documents/26017370-customer-notification-letter-template-0-0/) that exposed personal information during a cybersecurity incident in January 2025.

[![data breach incident](https://media.mailhop.org/duocircle/images/2025/07/windows-smtp-service-8901.jpg)](https://media.mailhop.org/duocircle/images/2025/07/windows-smtp-service-8901.jpg)

_The luxury brand discovered the breach months later in May and began an investigation, where they found that an unauthorized party was able to access a database containing client data_. Said data included names, contact details, addresses, dates of birth, and, in some cases, even [Social Security numbers](https://www.investopedia.com/terms/s/ssn.asp) or government IDs. However, no payment details were compromised.

Dior says they promptly tried to contain the breach and did not find any signs of further unauthorized access. The incident appears connected to a larger attack linked to the ShinyHunters group, who allegedly breached a [third-party vendor](https://www.upguard.com/blog/third-party-vendor) affecting multiple LVMH brands. Similar disclosures have already come from Dior’s South Korea and China operations, and Louis Vuitton has also reported related breaches in the **UK, Turkey, and South Korea**. Dior has not confirmed how many U.S. customers were affected, but law enforcement has been informed, and external experts have been brought in.

Impacted users are advised to stay alert for scams and can enroll in free credit monitoring and ID theft protection **until October 31, 2025**.


![Brad Slavin](https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg) 

Brad Slavin 

General Manager

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.

