The Heat Wasn’t Just Outside: A Technical Breakdown of the Cyberattack Surge in Summer 2025

Summer 2025 scorched more than asphalt — it tested the resilience of every SOC, IT team, and cyber responder worldwide. From ransomware groups like Qilin and Interlock targeting hospitals to stealthy exploitation of SharePoint servers, attackers didn’t take a vacation — they launched a full-scale offensive. This report breaks down major attack waves, CVEs abused, and what defenders need to implement before autumn brings the next storm.

🏥 Healthcare Hit Hard: Interlock, Rhysida, and Qilin

🧨 Interlock’s Deceptive FileFix PowerShell Loader

  • Initial Access: Delivered via email attachments disguised as invoice scripts
  • Loader: FileFix.ps1 — a PowerShell dropper masquerading as a file utility
  • Execution: Users double-click a shortcut or EXE in File Explorer, which silently invokes the hidden PowerShell code

# Interlock-like file launcher (obfuscated variant)
powershell -exec bypass -windowstyle hidden -c "IEX (Get-Content 'C:\Users\Public\Doc\FileFix.ps1' -Raw)"

🧪 Sigma Rule – FileFix-like PowerShell Abuse

title: Suspicious PowerShell FileFix Execution
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    # YAML forbids duplicate keys, so both substrings go under one contains|all modifier
    CommandLine|contains|all:
      - 'Get-Content'
      - 'FileFix.ps1'
  condition: selection
level: high
tags:
  - attack.execution
  - attack.t1059.001
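The Sigma rule above keys on two literal strings, so a loader that aliases Get-Content to gc or renames FileFix.ps1 slips past it. The following is an added example, not code from the original post: a weighted scorer over constructed Sysmon-style process-creation events that looks for the co-occurring traits of the launcher (execution-policy bypass, hidden window, in-memory IEX, reading a script from C:\Users\Public). The indicator weights and the sample events are my own assumptions.

```python
import re

# Weighted indicators drawn from the FileFix launcher above; weights are an assumption,
# tuned so the page's command line scores high and a routine script run scores 0.
INDICATORS = [
    ("exec_policy_bypass", re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+bypass", re.I), 2),
    ("hidden_window",      re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    ("in_memory_eval",     re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 3),
    ("reads_script_text",  re.compile(r"\b(?:get-content|gc|cat)\b", re.I), 2),
    ("public_drop_path",   re.compile(r"c:\\users\\public\\", re.I), 2),
    ("filefix_name",       re.compile(r"filefix\.ps1", re.I), 3),
]

def score_event(event):
    """Return (score, matched indicator names) for one process-creation event."""
    image = event.get("Image", "").lower()
    if not image.endswith(("\\powershell.exe", "\\pwsh.exe")):
        return 0, []
    cmd = event.get("CommandLine", "")
    hits = [name for name, rx, _ in INDICATORS if rx.search(cmd)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return score, hits

def is_filefix_like(event, threshold=6):
    """Flag when enough weighted traits co-occur, so a renamed script still trips it."""
    return score_event(event)[0] >= threshold

# Constructed Sysmon-style events (not real telemetry).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # 0: the launcher from the page
    {"Image": PS, "CommandLine": r'''powershell -exec bypass -windowstyle hidden -c "IEX (Get-Content 'C:\Users\Public\Doc\FileFix.ps1' -Raw)"'''},
    # 1: same loader with aliases and a renamed script; a literal 'FileFix.ps1' match would miss it
    {"Image": PS, "CommandLine": r'''powershell.exe -ep bypass -w hidden -nop -c "iex (gc 'C:\Users\Public\Doc\update.ps1' -raw)"'''},
    # 2: routine admin script, should not alert
    {"Image": PS, "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
    # 3: not PowerShell at all
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir C:\\Users\\Public"},
]

def detect(events):
    """Return [(index, score, hits)] for every event that looks like the FileFix loader."""
    return [(i, *score_event(e)) for i, e in enumerate(events) if is_filefix_like(e)]

if __name__ == "__main__":
    for i, score, hits in detect(SAMPLE_EVENTS):
        print(f"event {i}: score={score} hits={hits}")
```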


📤 Rhysida – Fast-Acting Ransomware With Public Extortion

  • Attacked Florida Hand Center on July 8, 2025
  • Stole and leaked driver’s licenses, x-rays, and insurance PDFs
  • Leak site hosted over Tor; ransom window: 7 days

🦠 Qilin’s Fortinet Exploit Chain

  • CVE-2024-21762: SSL VPN Path Traversal
  • CVE-2024-55591: FortiOS heap overflow → remote code execution
  • Payloads: Encrypted Cobalt Strike beacon or custom ransomware

🧪 Suricata Rule – Fortinet Exploit Attempt

alert http any any -> any any (msg:"Fortinet CVE-2024-21762 exploit attempt"; flow:established,to_server; content:"/remote/login"; http_uri; content:"..%2f.."; http_uri; classtype:web-application-attack; sid:20252421762; rev:1;)


🛍️ Retail Attacks Surge: Scattered Spider, DragonForce, and Insider Social Engineering

🕷️ Scattered Spider Targets UK and US Brands

Scattered Spider (UNC3944) used advanced social engineering to gain internal access:

  • Helpdesk impersonation over phone + chat
  • MFA fatigue + SIM swap follow-up
  • Typosquatted domains and ID spoofing via public leaks

🧪 Sigma Rule – MFA Push Abuse Detection

title: Multiple MFA Push Attempts - Fatigue Attack
logsource:
  category: authentication
  product: okta
detection:
  selection:
    eventType: 'mfa.challenge.send'
    outcome.result: 'CHALLENGE'
  # Sigma expresses a threshold as an aggregation in the condition over a timeframe,
  # not as a field value; count per user so one noisy tenant does not mask a victim
  timeframe: 5m
  condition: selection | count() by actor.alternateId > 5
level: medium
tags:
  - attack.credential_access
  - attack.t1111
  - attack.t1621   # MFA request generation (push bombing)
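The count in that rule only means something over a time window. The following is an added example, not code from the original post: a sliding-window implementation of the same per-user threshold over constructed Okta-style System Log records, alerting once a user receives more than five push challenges inside any five-minute span. The `_push()` helper, the user names and the timestamps are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

PUSH_EVENT = "mfa.challenge.send"   # event name as used in the rule above

def parse_ts(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")

def find_push_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window version of the Sigma aggregation: return {user: time at which
    the user exceeded `threshold` push challenges inside any `window`}, first breach only."""
    recent = defaultdict(deque)   # per-user timestamps still inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["published"]):   # ISO stamps sort as strings
        if ev["eventType"] != PUSH_EVENT or ev["outcome"]["result"] != "CHALLENGE":
            continue
        user = ev["actor"]["alternateId"]
        ts = parse_ts(ev["published"])
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:     # drop challenges older than the window
            q.popleft()
        if len(q) > threshold and user not in alerts:
            alerts[user] = ts
    return alerts

# Constructed Okta-style System Log records (not real data). _push() is a helper of
# mine; the nested actor/outcome layout mirrors Okta's log schema.
def _push(user, minute, second=0, result="CHALLENGE"):
    return {"published": f"2025-06-14T09:{minute:02d}:{second:02d}Z",
            "eventType": PUSH_EVENT,
            "actor": {"alternateId": user},
            "outcome": {"result": result}}

SAMPLE_EVENTS = (
    # alice: six pushes in three minutes, the bombing pattern
    [_push("alice@example.test", m, s) for m, s in [(0, 0), (0, 40), (1, 10), (2, 0), (2, 30), (3, 0)]]
    # alice again 20 minutes later: outside the window, must not extend the burst
    + [_push("alice@example.test", 23)]
    # bob: one legitimate push
    + [_push("bob@example.test", 1)]
    # carol: six pushes spread over an hour, not a burst
    + [_push("carol@example.test", m) for m in (0, 12, 24, 36, 48, 59)]
)

if __name__ == "__main__":
    for user, when in find_push_bursts(SAMPLE_EVENTS).items():
        print(f"{user}: push burst at {when:%H:%M:%S}")
```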


🔥 DragonForce’s Ransomware-as-a-Service Push

  • Claimed breach of Belk (US retailer) between May 7–11, 2025
  • 156 GB exfiltrated: HR records, SSNs, email, order logs
  • Victim data leaked after negotiations failed

🧪 Zeek Detection – Data Exfil Over TLS

# Zeek script: raise a notice when a TLS connection matching the profile sends >100 MB outbound
@load base/protocols/ssl
module ExfilTLS;
export { redef enum Notice::Type += { Possible_TLS_Exfil }; }
const watched_sni: set[string] = { "belk.com", "belkcorp.com" };
event connection_state_remove(c: connection)
    {
    if ( ! c?$ssl || ! c$ssl?$server_name || c$ssl$server_name !in watched_sni ) return;
    if ( c$ssl?$issuer && "Let's Encrypt" !in c$ssl$issuer ) return;   # Let's Encrypt appears in the issuer, not the subject
    if ( c$ssl?$cipher && c$ssl$cipher != "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" ) return;
    if ( c$orig$size > 100000000 )   # bytes sent by the originator (internal host)
        NOTICE([$note=Possible_TLS_Exfil, $conn=c, $msg="Possible exfiltration over TLS"]);
    }


🏛️ State-Aligned Cyber Conflict: Geopolitics by Code

  • 🔥 Predatory Sparrow took down Iran’s Bank Sepah (June 14–17)
  • 💸 Burned $90M in crypto by breaching Nobitex and sending to Ethereum burn wallets
  • 📢 June 30: DHS/CISA alert re: Iran-backed retaliation targeting US/EU infra

🔎 Indicators of Geopolitical Campaigns

  • Use of burner infrastructure (hosting for infosec-news[.]click, gov-insight[.]org)
  • DNS tunneling tools (Iodine, dnscat2)
  • Credential theft via VPN appliances, and phishing PDFs signed with fake DigiCert certificates

💥 ToolShell Campaign – SharePoint Zero-Day Chain

🔓 CVEs in Play

  • CVE-2025-53770: Unauthenticated RCE in SharePoint Workflow
  • CVE-2025-49704 & CVE-2025-49706: Auth bypass + malicious macro injection

🧬 YARA Rule – ToolShell Web Shell Deployment

rule ToolShellWebShell
{
  meta:
    author = "SOCDFIR Threat Lab"
    description = "Detects ToolShell campaign web shell in SharePoint uploads"
  strings:
    $a = "<%@ Page Language=\"C#\" Debug=\"true\" %>"
    $b = "System.Diagnostics.Process"
    $c = "ExecuteCommand"
  condition:
    all of ($a, $b, $c)
}

🧪 Splunk Query – ToolShell CVE Exploit Attempt

index=sharepoint sourcetype="sp-logs"
"workflow.aspx" AND ("cmd=" OR "debug=true") AND status!=200
| stats count by src_ip, uri_path, user_agent


🧪 Simulate These Threats to Validate Your Defenses

If you haven’t tested your defenses against these TTPs yet, you’re flying blind. Simulate what Interlock, Qilin, and Scattered Spider actually do — not just what your AV claims to detect.

Use adversary emulation frameworks like Atomic Red Team, Caldera, or custom PowerShell scenarios to replicate:

  • PowerShell loader execution and obfuscation techniques
  • SharePoint RCE web shell deployments
  • Credential access via social engineering and MFA fatigue
  • Fortinet and VPN exploit chains

Detection engineering without validation is guesswork. Run it in a lab. Break your defenses. Fix what you find. Then do it again.


🔚 Final Thoughts: Summer Set the Bar Higher

Summer 2025 was a wake-up call. If attackers aren’t slowing down, neither can we. The most damaging incidents this season weren’t driven by “advanced” malware — they were driven by bad assumptions, social engineering, and ignored patches. If you’re only monitoring for signatures, you’re a step behind. If your team isn’t practicing how to detect lateral movement, they’re not ready.

The heat’s not over. It just moved indoors — into your network, your users, and your stack of unfinished patch tickets.

Get ready for what’s next. Or get caught unprepared.
