Content 

01. News Bites
  • Massive global investment scam uses fake news websites to target users across 50 countries
  • New ransomware group 'BERT' targets virtual machines for maximum disruption
  • Microsoft Patch Tuesday July 2025: 137 security flaws addressed
  • UK workers fear speaking up after cyberattacks, says new research
  • Suspected Indian APT targets European ministry with custom malware


02. Conclusion

Quick News Bites

Massive global investment scam uses fake news websites to target users across 50 countries

A major online investment scam is deceiving users worldwide through fake news websites designed to mimic trusted outlets like CNN, BBC, and CNBC. These pages, known as Baiting News Sites (BNS), are crafted to appear legitimate, featuring doctored stories that falsely claim support from celebrities, central banks, or financial brands to endorse “passive income” schemes.

Scammers push traffic to these fraudulent sites using sponsored ads on platforms like Google and Meta, often with sensationalist headlines and national symbols to boost credibility. Clicking on these ads redirects users to fake articles, which then lead to scam platforms like Trap10, Solara Vynex, or Eclipse Earn.

Once victims register, a staged follow-up process begins: professional-sounding agents make contact, request identity verification, and encourage crypto deposits. These scam sites simulate profits to maintain the illusion, pressuring victims to reinvest. Alongside financial losses, victims’ personal data is harvested for phishing and identity theft.

This sophisticated multi-phase scam highlights the growing risk posed by BNS campaigns globally.

New ransomware group 'BERT' targets virtual machines for maximum disruption

A newly identified ransomware group, dubbed BERT, has drawn attention for its ability to forcibly terminate VMware ESXi virtual machines before encrypting data. First detected in April 2025, the group has rapidly expanded its reach across Asia, Europe, and the US.

BERT, also tracked as Water Pombero, uses a Linux variant that detects and forcibly powers off virtual machines running on ESXi hosts before encryption begins. Killing the guests releases ESXi's locks on their disk files so they can be encrypted, and it prevents organisations from migrating or backing up systems during an active attack, severely hindering recovery.

The malware supports up to 50 concurrent threads, optimising speed and impact across large virtualised environments. Against Windows hosts, BERT uses PowerShell-based loaders that disable security defences before pulling down and running the payload, primarily from Russian-hosted infrastructure; Linux hosts are hit by the ESXi-aware variant described above.

The group’s tactics mirror elements of the infamous REvil ransomware and have been used against healthcare, tech, and event sectors. Cyber experts urge businesses to segment networks, isolate hypervisors, and maintain immutable backups.
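
The behaviour described above, many guests powered off on one host within seconds, is unusual outside a planned maintenance window and is worth alerting on. The following detector is an added example written for this bulletin; it is not BERT's code and not a vendor's published detection. It reads hostd-style log lines, extracts VM power-off state transitions, groups them into bursts, and raises an alert when a burst covers at least `min_vms` distinct VMs. The log layout is modelled on ESXi's hostd.log, but every sample line, VM name and timestamp below is constructed, and the 60-second window and three-VM threshold are assumptions to tune per environment.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines, modelled on the "State Transition" entries that
# ESXi's hostd.log writes when a VM changes power state. VM names, datastore
# paths, PIDs and timestamps are made up for this example. The lines show a
# single maintenance power-off at 01:02, then six VMs killed within five
# seconds at 02:14 (the pattern a hypervisor-aware encryptor produces),
# plus unrelated noise that the parser must ignore.
SAMPLE_HOSTD_LOG = """\
2025-07-09T01:02:10.333Z info hostd[2098765] [Originator@6876 sub=Vmsvc.vm:/vmfs/volumes/ds01/test01/test01.vmx] State Transition (VM_STATE_ON -> VM_STATE_POWERING_OFF)
2025-07-09T01:05:44.010Z info hostd[2098765] [Originator@6876 sub=Vmsvc.vm:/vmfs/volumes/ds01/test01/test01.vmx] State Transition (VM_STATE_OFF -> VM_STATE_POWERING_ON)
2025-07-09T02:14:01.101Z info hostd[2098765] [Originator@6876 sub=Vmsvc.vm:/vmfs/volumes/ds01/web01/web01.vmx] State Transition (VM_STATE_ON -> VM_STATE_POWERING_OFF)
2025-07-09T02:14:01.420Z info hostd[2098765] [Originator@6876 sub=Vmsvc.vm:/vmfs/volumes/ds01/web02/web02.vmx] State Transition (VM_STATE_ON -> VM_STATE_POWERING_OFF)
2025-07-09T02:14:02.007Z info hostd[2098765] [Originator@6876 sub=Vmsvc.vm:/vmfs/volumes/ds02/db01/db01.vmx] State Transition (VM_STATE_ON -> VM_STATE_POWERING_OFF)
2025-07-09T02:14:03.500Z info hostd[2098765] [Originator@6876 sub=Vimsvc.TaskManager] Task Created : haTask-ha-host-vim.HostSystem.acquireCimServicesTicket-12345
2025-07-09T02:14:03.612Z info hostd[2098765] [Originator@6876 sub=Vmsvc.vm:/vmfs/volumes/ds02/db02/db02.vmx] State Transition (VM_STATE_ON -> VM_STATE_POWERING_OFF)
2025-07-09T02:14:04.250Z info hostd[2098765] [Originator@6876 sub=Vmsvc.vm:/vmfs/volumes/ds01/app01/app01.vmx] State Transition (VM_STATE_ON -> VM_STATE_POWERING_OFF)
2025-07-09T02:14:05.990Z info hostd[2098765] [Originator@6876 sub=Vmsvc.vm:/vmfs/volumes/ds03/fs01/fs01.vmx] State Transition (VM_STATE_ON -> VM_STATE_POWERING_OFF)
"""

# Matches only the ON -> POWERING_OFF transition and captures the .vmx path.
POWEROFF_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z)\s+\S+\s+hostd\[\d+\]\s+"
    r"\[Originator@\d+ sub=Vmsvc\.vm:(?P<vmx>\S+?\.vmx)\]\s+"
    r"State Transition \(VM_STATE_ON -> VM_STATE_POWERING_OFF\)"
)


def parse_poweroff_events(lines):
    """Yield (utc_timestamp, vm_name) for every VM power-off transition in `lines`."""
    for line in lines:
        m = POWEROFF_RE.match(line)
        if not m:
            continue  # power-ons, task noise, anything else
        # Drop the fractional seconds; second resolution is enough for bursting.
        ts = datetime.strptime(m.group("ts")[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        vm_name = m.group("vmx").rsplit("/", 1)[-1][: -len(".vmx")]
        yield ts, vm_name


def detect_mass_poweroff(lines, window=timedelta(seconds=60), min_vms=3):
    """Return a list of (burst_start, sorted_vm_names) alerts.

    Events are grouped into bursts: an event joins the current burst if it
    follows the previous event by at most `window`. A burst becomes an alert
    when it powers off at least `min_vms` distinct VMs. Both parameters are
    assumed starting points, not vendor-recommended values.
    """
    events = sorted(parse_poweroff_events(lines))
    bursts, current = [], []
    for ts, vm in events:
        if current and ts - current[-1][0] > window:
            bursts.append(current)
            current = []
        current.append((ts, vm))
    if current:
        bursts.append(current)

    alerts = []
    for burst in bursts:
        vms = sorted({vm for _, vm in burst})
        if len(vms) >= min_vms:
            alerts.append((burst[0][0], vms))
    return alerts


if __name__ == "__main__":
    for start, vms in detect_mass_poweroff(SAMPLE_HOSTD_LOG.splitlines()):
        print(f"ALERT {start.isoformat()}: {len(vms)} VMs powered off in one burst: {', '.join(vms)}")
```

Run against the constructed sample, the single test01 power-off at 01:02 is its own one-VM burst and stays silent, while the six power-offs at 02:14 produce one alert. Gap-based grouping is deliberate: a slow, steady shutdown of one guest every half-minute also coalesces into one large burst, which is the right outcome for ransomware staging but means the alert should be correlated with change records before responders act. In production, point this at forwarded hostd logs for every host rather than the hypervisor itself, since an attacker with an ESXi shell can clear local logs.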

Microsoft Patch Tuesday July 2025: 137 security flaws addressed

Microsoft’s July 2025 Patch Tuesday tackles a massive 137 vulnerabilities, including one publicly disclosed zero-day in SQL Server and 14 critical issues, most involving remote code execution (RCE).

The zero-day, CVE-2025-49719, could allow unauthenticated access to SQL Server memory. Admins are urged to install the latest SQL Server version and OLE DB drivers to mitigate the risk.

Critical RCE flaws were also fixed across Microsoft Office, SharePoint, and Hyper-V, including document-based exploits that trigger when a file is previewed. Notably, SharePoint’s CVE-2025-49704 is remotely exploitable with valid credentials.

AMD also disclosed two new side-channel vulnerabilities. Additional patches were released by Fortinet, Cisco, Google, SAP, and Ivanti, among others.

With 53 privilege escalation, 41 RCE, and 18 info disclosure bugs fixed, IT teams should prioritise updates. Microsoft strongly advises reviewing and patching systems immediately to reduce the risk of exploitation.


UK workers fear speaking up after cyberattacks, says new research

A new report has revealed that 39% of UK office workers wouldn’t report a suspected cyberattack to their IT or cyber security team—even if they believed they were compromised. Despite 79% claiming confidence in spotting cyber threats, fear of blame or trouble keeps many silent.

Embarrassment and a desire to avoid “causing a fuss” were among the top reasons for not reporting incidents. Some employees (11%) even admitted they’d rather fix the issue themselves than notify IT.

While UK workers have a higher understanding of ransomware than peers in France and Germany, silence remains a significant risk. IBM data shows breaches lasting over 200 days cost 34% more, underscoring the urgency of early intervention.

Government data adds weight: in 2024, half of UK businesses and one-third of charities faced cyber incidents.

Suspected Indian APT targets European ministry with custom malware

Cyber security researchers at Trellix have attributed a targeted espionage campaign against a European foreign affairs ministry to DoNot Team—an APT group suspected of ties to India. Also known as APT-C-35 or Viceroy Tiger, the group has operated since 2016, typically targeting South Asian governments, NGOs, and defence entities.

This recent attack used spear-phishing emails impersonating defence officials to lure recipients into downloading a malicious RAR archive. Inside was LoptikMod, a custom remote access trojan that establishes persistence, exfiltrates data, and avoids detection with anti-VM and obfuscation techniques.

While the command and control server is now inactive, the campaign reflects an evolution in DoNot's capabilities, marking the first known use of LoptikMod against a European government.

Trellix researchers highlight this as a shift from opportunistic attacks to deliberate diplomatic intelligence gathering, potentially signalling broader intelligence tasking. Past victims have included entities in the UK and Norway, but this marks a notable escalation in targeting strategy.

Closing Summary

If you are worried about any of the threats outlined in this bulletin, or need help determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager or, alternatively, get in touch to find out how you can protect your organisation.

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.