Ransomware Skies & Crashing Defenses: A Cybersecurity Recap

What if the biggest cybersecurity risks aren’t flaws at all—but features working as intended? This week’s cyber incidents shine a spotlight on a new and troubling trend: attackers aren’t just exploiting vulnerabilities—they’re taking advantage of the way things are supposed to work. Misused APIs, default trust settings, outdated routers, and socially engineered workflows are proving to be just as dangerous as zero-days.

From nation-state surveillance campaigns to phishing operations and critical infrastructure attacks, this week’s stories illustrate how the boundaries between misconfiguration, oversight, and outright exploitation are increasingly blurred. It’s no longer enough to patch your systems—now you have to rethink how they’re designed and used.

This Week in Cybersecurity: Top 5 Threats You Should Know (July 2025)

1. LapDogs ORB Network: Over 1,000 Routers Compromised in Global Espionage Campaign

A China-linked APT group has constructed a massive covert surveillance operation dubbed LapDogs, leveraging over 1,000 compromised SOHO routers across five countries. The campaign uses known Linux vulnerabilities to implant ShortLeash, a stealthy backdoor that converts everyday routers and IoT devices into Operational Relay Boxes (ORBs). These ORBs act as persistent entry points, facilitating encrypted command-and-control (C2) traffic and lateral movement into sensitive networks.

Why it matters: This operation reveals how attackers weaponize aging consumer-grade infrastructure to bypass enterprise defenses. It’s not the router’s job to protect a nation—but its compromise could endanger one.

2. Iranian Hackers Target Israeli Cybersecurity Experts

The Iranian state-aligned group APT35 (a.k.a. Charming Kitten) has escalated its spear-phishing campaign targeting Israel-based cybersecurity professionals, professors, and journalists. The campaign uses convincing Google Meet links, fake interview requests, and cloned Gmail login pages. Attackers are contacting targets through email and WhatsApp to increase credibility.

Why it matters: Cyber professionals are now themselves targets—not just defenders. This attack underscores how threat actors are expanding beyond traditional government or corporate targets to exploit trust within the infosec community itself.

3. Citrix NetScaler Under Fire for Dual 0-Days

Two actively exploited zero-day vulnerabilities (CVE-2025-6543 and CVE-2025-5777) have rocked Citrix’s NetScaler ADC platform. The flaws allow memory overflow and unauthorized remote access, raising alarms across enterprises that rely on NetScaler for VPN and application delivery. While patches are available, incomplete details on exploitation methods have left many scrambling to assess exposure.

Why it matters: NetScaler is deeply embedded in enterprise IT stacks. Even a short exploitation window could offer attackers privileged access to core business applications—underscoring the importance of prompt patching and real-time telemetry.

4. U.S. House Bans WhatsApp on Official Devices

The U.S. House of Representatives has officially banned WhatsApp from all government-issued devices, citing opaque data handling and potential foreign influence. Despite WhatsApp’s end-to-end encryption, lawmakers expressed concern over how metadata and message storage are managed, especially given Meta’s ownership and international hosting practices.

Why it matters: The decision reflects a broader shift in policy thinking—where metadata and app governance are now as important as message content. It’s a cautionary tale for any platform operating in sensitive environments.

5. Akamai’s XMRogue: A Weapon Against Cryptomining Botnets

Akamai has released XMRogue, a novel proof-of-concept that targets cryptomining botnets not by disinfecting systems, but by financially starving them. By spoofing login attempts to mining pools using the attacker’s wallet, XMRogue causes the pool to temporarily block the attacker—disrupting the profit model behind the botnet.

Why it matters: It’s a shift in strategy—from cleanup to counterattack. While not a full solution, it represents an emerging trend in threat disruption: hit attackers where it hurts—their wallets.

Also in the Headlines: Expanded Developments

Airline Cyber Incidents Under Investigation

Multiple major airlines reported outages and IT disruptions this week, with at least one launching a formal cyber investigation. The FBI has warned of increased activity from the Scattered Spider group, known for sophisticated social engineering and SIM-swapping attacks.

What’s unfolding: Critical infrastructure like aviation is under increasing pressure. The concern isn’t just disruption—it’s the potential access to crew systems, flight paths, or passenger data.

Outlook Malware Campaigns Surge

Outlook users are the target of a new malware wave that hijacks email threads to spread banking trojans, info stealers, and ransomware. Messages appear to come from trusted senders in ongoing threads, with malicious links buried deep in reply chains.

What to watch: This tactic drastically reduces suspicion from recipients, bypassing even well-trained employees. Email security filters and behavioural monitoring are more essential than ever.

BreachForums Admins Taken Down

French authorities arrested five top administrators of BreachForums, including notorious hacker IntelBroker, in a coordinated global sting. The U.S. is seeking extradition.

Why it’s important: BreachForums was a major hub for stolen data trading, responsible for breaches affecting healthcare, education, and government sectors. Its takedown is a rare and welcome blow to the cybercrime economy.

Canada Bans Hikvision Over Security Concerns

Citing national security risks, Canada has ordered Chinese surveillance tech firm Hikvision to shut down operations and banned its use in government systems.

Geopolitical impact: The move aligns with growing efforts by Western nations to reduce reliance on Chinese tech in critical infrastructure. Similar reviews are ongoing in the U.K., U.S., and EU.

Quick Bytes: Headlines That Matter

  • Microsoft is decoupling security modules from the Windows kernel to avoid global outages like the CrowdStrike crash.
  • New Outlook token-stealing malware poses risk to cloud access.
  • REvil ransomware group leaders released in Russia, prompting international concern.
  • Python package found to be intentionally destructive, part of a growing trend of software supply chain threats.
  • Chinese hackers hit South Korean infrastructure, continuing regional tensions.
  • AndroxGh0st botnet evolves, now exfiltrating API keys and credentials at scale.
  • CapCut scam emails target iOS users, disguising fraudulent invoices as app receipts.
  • Smartwatch malware used to exfiltrate air-gapped data, hinting at increasingly creative attack methods.
  • Bluetooth vulnerabilities put wireless headsets and mics at risk of eavesdropping.
  • Rust promoted as a secure-by-default language by U.S. cyber agencies for future software systems.

Conclusion: What This Week Tells Us

This week’s incidents remind us that cybersecurity isn’t just about patching holes—it’s about rethinking the architecture. Attackers are increasingly manipulating systems as designed, weaponizing trust, default settings, and human behaviour to achieve their goals. Whether it’s nation-state actors building hidden botnets, criminals hijacking email threads, or policy responses to app insecurity, the trend is clear:

The perimeter is long gone. Assumptions are the new attack surface.

Security leaders must focus not just on detection and response but also on architectural risk, user behaviour, and systemic exposure. The challenge ahead isn’t just to stop the breach—but to predict where trust will be misused next.

