
This Week in Cybersecurity: Looking Back at Week 28

July 11, 2025 Reading Time: 7 minutes

This week in cybersecurity has been nothing short of intense, with developments spanning global law enforcement action, large-scale data breaches, and sophisticated malware campaigns. Authorities arrested four individuals in connection with a major cyberattack targeting UK retail giants M&S, Co-op, and Harrods, marking a significant breakthrough in an ongoing probe. Meanwhile, Qantas confirmed a breach affecting 5.7 million customers, raising fresh concerns about data protection in the aviation industry.

Microsoft’s July 2025 Patch Tuesday rolled out crucial fixes for 137 vulnerabilities, 14 of them rated “critical”, highlighting persistent risks across enterprise environments. In parallel, the DoNot APT group has broadened its scope to target European foreign ministries using its new LoptikMod malware.

The threat landscape continues to evolve with attackers weaponising the leaked Shellter tool in red teaming campaigns to deliver infostealers, while researchers uncovered “PerfektBlue,” a critical Bluetooth exploit putting millions of vehicles at risk through compromised infotainment systems. Finally, CTM360 exposed a sprawling network of over 17,000 fake news sites driving global investment scams, underscoring the scale of cyber-enabled fraud.

Let’s dive into the top stories shaping the security landscape this week.

Four Arrested in Major Cyberattack Probe Targeting M&S, Co-op and Harrods

UK authorities have arrested four individuals in connection with devastating cyberattacks on major retailers M&S, Co-op, and Harrods. The National Crime Agency (NCA) coordinated the early morning raids, seizing electronic devices and detaining suspects on charges including blackmail, money laundering and computer misuse.

The attacks, which began in mid-April, involved ransomware and led to massive disruption. M&S estimates losses of €348 million (£300 million) and expects full IT recovery by late 2024, while Co-op experienced weeks of stock shortages.

Hackers stole sensitive data from both customers and staff, and attempted extortion via offensive emails. Harrods also confirmed it was targeted but avoided major impact.

NCA Cyber Crime Unit chief Paul Foster called the arrests a “significant step,” though international investigations are ongoing to ensure full accountability.


Qantas Confirms Breach of 5.7 Million Customer Records

Qantas has admitted a significant cyber attack on a third-party contact centre platform in Manila, compromising personal data for approximately 5.7 million unique customers. The exposed information includes names, email addresses and frequent flyer numbers, and, for about 1.7 million people, additional details such as addresses, birth dates, phone numbers, gender and meal preferences. Crucially, no financial information, including credit card details, passwords, PINs or passport data, was accessed, and frequent flyer accounts remain intact thanks to MFA protections.

In the wake of the breach, Qantas has received contact from a potential cybercriminal and is collaborating closely with the Australian Federal Police (AFP) and cybersecurity specialists to authenticate the outreach and manage the situation. The airline has launched a dedicated support portal, begun notifying affected customers and implemented enhanced security protocols. Experts highlight the risk of scammers exploiting the stolen data for targeted phishing, urging individuals to remain alert.

Customers are advised to monitor communications closely, avoid sharing sensitive information and follow guidance from the Australian Cyber Security Centre to safeguard against fraudulent schemes.


Microsoft’s July 2025 Patch Tuesday Fixes 137 Vulnerabilities, 14 Rated “Critical”

On July 8, 2025, Microsoft released security updates addressing at least 137 vulnerabilities across Windows and related software, 14 of which were designated critical. Among the most concerning is CVE-2025-47981, a pre-authentication remote code execution flaw affecting Windows clients (Windows 10 version 1607 and later) and servers, rated CVSS 9.8 and noted as particularly likely to be exploited.

Also requiring urgent attention is CVE-2025-49719, a publicly disclosed SQL Server information-leak vulnerability affecting versions 2016 through 2022, for which proof-of-concept code is available. In addition, four critical remote code execution bugs were patched in Office (CVE-2025-49695, CVE-2025-49696, CVE-2025-49697 and CVE-2025-49702), two of which can be triggered via the Preview Pane without any user action.

Other high-severity fixes include a Microsoft Defender SmartScreen bypass (CVE-2025-49740, CVSS 8.8) and a privilege escalation issue in Microsoft Configuration Manager (CVE-2025-47178, CVSS 8.0) that could let low-privilege users execute SQL commands as the SMS service account.

No bugs fixed this month are yet known to be actively exploited, but given the criticality and scope of the vulnerabilities, administrators are strongly advised to apply updates promptly and thoroughly review systems exposed to SQL Server, Office and Configuration Manager.


DoNot APT Expands to Target European Foreign Ministries Using LoptikMod Malware

The India-linked DoNot APT (also known as APT-C-35 or Origami Elephant) has expanded its cyber espionage operations to include European foreign ministries.

In a recent spear-phishing campaign analysed by Trellix, attackers sent emails impersonating defence officials, complete with diplomatic subject lines such as “Italian Defence Attaché Visit to Dhaka, Bangladesh”, that contained links to a Google Drive-hosted, password-protected RAR archive. Once opened, the archive deployed the custom LoptikMod Windows malware, which established persistence via scheduled tasks, used anti-VM and obfuscation techniques, and sent encrypted system data to a command-and-control server for further instructions and data theft.
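Scheduled-task persistence of the kind described above leaves a record that defenders can review on every endpoint. The following hunt script is an added example, not Trellix's detection logic, and it is not tied to LoptikMod's real task names or file paths, which the article does not give. It reads the kind of table `schtasks /query /v /fo CSV` produces (only a subset of that command's columns is used, and the rows are constructed) and scores each task on whether it runs from a user-writable directory, goes through a script host, or borrows a system binary's name outside `\Windows`. The baseline of known-good vendor paths is an assumption you would replace with your own.

```python
"""Hunt for suspicious scheduled tasks in a schtasks CSV export.

Added example; indicators and thresholds are assumptions for illustration.
"""
import csv
import io
import re

# Directories a standard user can write to; tasks running from here deserve a look.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\appdata|users\\public|programdata|windows\\temp|temp)\\",
    re.IGNORECASE,
)
# Assumed baseline: vendor updaters that legitimately live under AppData.
BASELINED = re.compile(r"\\appdata\\local\\microsoft\\onedrive\\", re.IGNORECASE)
# Script and proxy-execution hosts often used to launch downloaded payloads.
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "rundll32.exe", "regsvr32.exe", "cmd.exe"}
# Names that should only ever run from the Windows directory.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}

# Constructed sample rows using a subset of `schtasks /query /v /fo CSV` columns.
SAMPLE_CSV = r'''"HostName","TaskName","Author","Task To Run","Run As User","Schedule Type"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM","At idle time"
"WS01","\OneDrive Standalone Update Task","ACME\jdoe","C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe","ACME\jdoe","Daily"
"WS01","\SystemHealthCheck","ACME\jdoe","C:\Users\jdoe\AppData\Roaming\svchost.exe --silent","ACME\jdoe","Every 10 minutes"
"WS01","\UpdaterSync","ACME\jdoe","wscript.exe //B C:\Users\Public\update.vbs","ACME\jdoe","At logon"
'''


def first_token(command):
    """Return the executable part of a 'Task To Run' string (handles quoted paths)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def score_task(row):
    """Return (score, reasons) for one task row; 0 means nothing notable."""
    cmd = row.get("Task To Run", "")
    if BASELINED.search(cmd):
        return 0, ["baselined vendor path"]
    exe = first_token(cmd)
    # Crude expansion of the common environment-variable prefixes.
    exe_lower = exe.lower().replace("%windir%", r"c:\windows").replace("%systemroot%", r"c:\windows")
    exe_name = exe_lower.replace("/", "\\").rsplit("\\", 1)[-1]
    score, reasons = 0, []
    if USER_WRITABLE.search(cmd):
        score += 2
        reasons.append("runs from a user-writable directory")
    if exe_name in SCRIPT_HOSTS:
        score += 1
        reasons.append(f"launched through script host {exe_name}")
    if exe_name in SYSTEM_NAMES and "\\windows\\" not in exe_lower:
        score += 2
        reasons.append(f"system binary name {exe_name} outside \\Windows")
    return score, reasons


def hunt(csv_text, threshold=3):
    """Score every row and return (TaskName, score, reasons) at or above the threshold."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        score, reasons = score_task(row)
        if score >= threshold:
            hits.append((row["TaskName"], score, reasons))
    return sorted(hits, key=lambda h: -h[1])


if __name__ == "__main__":
    for name, score, reasons in hunt(SAMPLE_CSV):
        print(f"{score}  {name}: " + "; ".join(reasons))
```

Run it against a real export by replacing `SAMPLE_CSV` with the file contents; the value is in the baseline, so expect to tune `BASELINED` per estate before the output is quiet enough to act on.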

This operation highlights the group’s continuing focus on governmental and diplomatic targets and reinforces the need for robust cybersecurity defences across European foreign affairs organisations.


Hackers Weaponise Leaked Shellter Tool to Deploy Infostealers in Red Teaming Campaigns

Cybercriminals have hijacked a leaked version of Shellter Elite v11.0, a powerful red-teaming and evasion framework, to stealthily distribute infostealer and RAT malware since April 2025.

Elastic Security Labs uncovered multiple financially motivated campaigns deploying payloads such as ArechClient2/Sectop RAT and Rhadamanthys, packaged to bypass antivirus and endpoint detection tools. These campaigns used phishing lures on YouTube and MediaFire-hosted archives, in contrast to the tool's original purpose of ethical security testing.

Following the public disclosure, the vendor identified the source of the leak and released a hotfix, limiting future access to strictly vetted users.


Millions of Vehicles at Risk via “PerfektBlue” Bluetooth Exploit in Infotainment Systems

Security researchers at PCA Cyber Security have uncovered critical vulnerabilities in OpenSynergy’s BlueSDK Bluetooth stack, used widely across automotive infotainment systems, which enable remote code execution through what they term the ‘PerfektBlue’ attack. By chaining multiple flaws (CVE-2024-45431, CVE-2024-45432, CVE-2024-45433 and CVE-2024-45434), attackers who manage to pair with the unit, in some cases with as little as a single click, can remotely hijack a vehicle’s infotainment unit. From there, malicious actors can track the vehicle’s location, eavesdrop on in-cabin conversations, extract contact information, and potentially move to more critical systems such as steering or braking, raising concerns over full control.

Demonstrated on Mercedes-Benz, Skoda and Volkswagen models, the vulnerability was initially patched in September 2024; however, PCA delayed public disclosure until now to ensure widespread adoption of the updates.

Car owners and manufacturers are advised to apply Bluetooth stack patches promptly to prevent remote attacks.


CTM360 Uncovers 17,000+ Fake News Sites Fueling Global Investment Scams

A new CTM360 report reveals an extensive scam operation using over 17,000 Baiting News Sites (BNS) across more than 50 countries to drive users into fraudulent investment platforms. These fake news sites mimic trusted outlets like CNN, BBC, and CNBC, publishing fabricated stories that steer readers through clickbait ads on platforms such as Google and Meta toward bogus trading sites like Trap10 and Eclipse Earn.

The scam unfolds in two stages. First, victims are lured by professional-looking ads and fake content; second, they are contacted by “investment advisors” who request personal IDs and cryptocurrency deposits. Fake dashboards show illusory profits while victims are pressured into deeper investments.

CTM360’s Webhunt and Scam Navigator tools have mapped the entire pipeline, from bait sites to data harvesting and monetisation, and continue to support takedowns and global threat intelligence.

Cheap TLDs like .xyz, .click, and .shop are commonly used, alongside the strategic compromise of legitimate sites via subfolders to evade rapid takedown.
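The indicators in this section (cheap TLDs, media-brand lookalikes, legitimate sites abused through subfolders, traffic arriving from paid ads) are simple enough to score automatically. The script below is an added example, not CTM360's Webhunt or Scam Navigator, that triages a list of ad-click destination URLs with those heuristics. The allow-list of real outlet domains, the scoring weights and the threshold are assumptions, and every sample URL is constructed rather than a known indicator.

```python
"""Score ad-click destination URLs for baiting-news-site (BNS) indicators.

Added example; weights, threshold and allow-list are assumptions.
"""
from urllib.parse import parse_qs, urlparse

CHEAP_TLDS = {"xyz", "click", "shop"}            # named in the CTM360 report
MEDIA_BRANDS = ("cnn", "bbc", "cnbc")            # outlets the bait sites mimic
# Assumed allow-list of the real outlets' registered domains.
LEGIT_MEDIA_DOMAINS = {"cnn.com", "bbc.com", "bbc.co.uk", "cnbc.com"}
SUSPICIOUS_THRESHOLD = 3                         # constructed cut-off


def registered_domain(host):
    """Crude registrable-domain extraction (assumption: no offline public-suffix
    list); treats 'xx.co.uk'-style two-label suffixes as one suffix."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "com", "org", "gov"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def score_url(url):
    """Return (score, reasons) for one URL; a higher score is more BNS-like."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if not host:
        return 1, ["no parseable host"]
    reg = registered_domain(host)
    tld = host.rsplit(".", 1)[-1]
    path = parts.path.lower()
    score, reasons = 0, []

    if tld in CHEAP_TLDS:
        score += 2
        reasons.append(f"cheap TLD .{tld}")

    # Brand name squeezed into a hostname that is not the real outlet.
    host_hits = [b for b in MEDIA_BRANDS if b in host.replace("-", "")]
    if host_hits and reg not in LEGIT_MEDIA_DOMAINS:
        score += 3
        reasons.append("media brand in hostname of non-outlet domain: " + ", ".join(host_hits))

    # Brand name only in the path: the 'legitimate site plus subfolder' pattern.
    path_hits = [b for b in MEDIA_BRANDS if b in path]
    if path_hits and not host_hits and reg not in LEGIT_MEDIA_DOMAINS:
        depth = len([seg for seg in path.split("/") if seg])
        score += 3 if depth >= 3 else 1
        reasons.append(f"media brand in subfolder (path depth {depth}) on unrelated domain")

    # Google Ads and Meta click identifiers show the visitor came via a paid ad.
    query = parse_qs(parts.query)
    if "gclid" in query or "fbclid" in query:
        score += 1
        reasons.append("arrived via paid ad click (gclid/fbclid)")

    return score, reasons


def triage(urls):
    """Score a batch and return (url, score, reasons) tuples at or above the
    threshold, most suspicious first."""
    scored = [(u, *score_url(u)) for u in urls]
    flagged = [row for row in scored if row[1] >= SUSPICIOUS_THRESHOLD]
    return sorted(flagged, key=lambda row: -row[1])


# Constructed sample of ad-click destinations; none of these are real indicators.
SAMPLE_URLS = [
    "https://cnn-finance-news.xyz/2025/07/crypto-millionaire-interview?gclid=abc123",
    "https://bbc.co.uk/news/business-12345678",
    "https://family-bakery-example.com/wp-content/uploads/cnbc/breaking/invest",
    "https://example-shop.shop/deals",
    "https://trading-platform-example.click/signup?fbclid=xyz789",
]

if __name__ == "__main__":
    for url, score, reasons in triage(SAMPLE_URLS):
        print(f"{score:>2}  {url}\n    " + "; ".join(reasons))
```

The subfolder rule is deliberately scored as highly as a cheap-TLD lookalike: a compromised legitimate domain has good reputation, so that is exactly the case a reputation-only filter misses.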

Regional customisation, employing local language, media branding and influencers, enhances legitimacy. CTM360 warns users searching for online passive-income opportunities to beware of fake news and scams that exploit trust and harvest data for secondary phishing or identity theft.


If you would like to discover how Secora Consulting can assist you in keeping your business secure, please get in touch by filling out the form below 👇.
