Patch Tuesday notes. Iranian ransomware gang offers bonuses for hitting US and Israeli targets.

Announcement

TAC Partners with N2K to Strengthen Cybersecurity Workforce

N2K is excited to announce our partnership with The Technology Advancement Center (TAC), a leading nonprofit cybersecurity training provider. Through this collaboration, TAC has integrated N2K’s extensive library of certification practice tests and adaptive study tools into their cybersecurity training programs. Together, N2K and TAC aim to enhance workforce readiness, address critical cyber talent gaps, and accelerate certification success across the industry. Learn more here: https://www.n2k.com/tac-partnership.

Summary

By the CyberWire staff

At a glance.

Patch Tuesday notes.
Iranian ransomware gang offers bonuses for hitting US and Israeli targets.
Threat actor targets diplomats with Marco Rubio deepfakes.

Patch Tuesday notes.

Microsoft yesterday issued fixes for 130 flaws, including ten with a severity score of "Critical." The most serious of these is an RCE vulnerability affecting the SPNEGO Extended Negotiation (NEGOEX) Security Mechanism (CVE-2025-47981). The company also fixed four critical RCE flaws affecting Office (CVE-2025-49695, CVE-2025-49696, CVE-2025-49697, CVE-2025-49702). The Register notes that this is Microsoft's first Patch Tuesday of 2025 with no actively exploited flaws.

Adobe has released patches for 58 vulnerabilities across multiple products, including three critical flaws affecting Adobe Connect, ColdFusion, and Adobe Experience Manager (AEM) Forms on JEE, SecurityWeek reports. Adobe urges users to prioritize patching the AEM Forms flaw (CVE-2025-49533), which has been assigned a CVSS score of 9.8 and can lead to arbitrary code execution.

SAP has issued new or updated security notes for 31 vulnerabilities, including five critical flaws. Notably, CVE-2025-30012 was upgraded to a severity score of 10 after it was found that unauthenticated attackers could exploit the flaw to execute arbitrary commands with administrative privileges.

ThreatLocker, the Zero Trust solution that stops ransomware in its tracks

Ransomware is a growing threat to businesses — but ThreatLocker stops it before it can execute. Built for business environments, ThreatLocker is a Zero Trust cybersecurity solution that puts you in control. With default deny, application control, and ringfencing, only approved software runs. It’s easy to install, simple to manage, and powerful enough to meet enterprise demands. Protect your organization with a solution that blocks ransomware at the source — without adding complexity to your stack.

Iranian ransomware gang offers bonuses for hitting US and Israeli targets.

The Iranian ransomware-as-a-service operation Pay2Key.I2P is offering 10% bonuses to affiliates who target US and Israeli entities, according to researchers at Morphisec. Affiliates will receive an 80% profit share (up from 70%) for targeting countries opposed to Iran. The researchers note that Pay2Key has links to the Tehran-sponsored cyberespionage group Fox Kitten and is closely tied to the Mimic ransomware operation. Pay2Key has collected over $4 million in ransom payments since the group surfaced in February 2025.

Are You Future Ready? Secure Your Machine Future With Confidence.

CyberArk is the leader behind the world’s most comprehensive machine identity security solution. With capabilities that span secrets, certificate management and workload identities, we enable customers to secure more machine identity use cases with the right level of privilege control. Find out exactly how we’re helping modern organizations secure their machine future.

Threat actor targets diplomats with Marco Rubio deepfakes.

An unknown individual used voice deepfakes to impersonate US Secretary of State Marco Rubio in social engineering attacks targeting "at least five non-Department individuals, including three foreign ministers, a U.S. governor, and a U.S. member of Congress," according to a State Department cable obtained by the Washington Post. The threat actor was likely attempting to gain access to sensitive information or accounts.

SecurityWeek cites a US official as saying the social engineering attempts were "not very sophisticated," but the State Department is warning diplomats to be on the lookout for similar tactics.

Notes.

Today's issue includes events affecting Iran, Israel, and the United States.

Attacks, Threats, and Vulnerabilities

18 Malicious Chrome and Edge Extensions Disguise as Everyday Tools (Infosecurity Magazine) Researchers from Koi Security have detected 18 malicious Chrome and Edge extensions masquerading as benign productivity and entertainment tools

Legitimate Shellter Pen-Testing Tool Used in Malware Attacks (SecurityWeek) A stolen copy of Shellter Elite shows how easily legitimate security tools can be repurposed by threat actors when vetting and oversight fail.

New spyware strain steals data from Russian industrial companies (The Record) Moscow-based cybersecurity firm Kaspersky said the campaign has already affected over 100 victims across several dozen Russian organizations, but did not disclose the specific targets.

Marketplace

Judge OKs sale of 23andMe — and its trove of DNA data — to a nonprofit led by its founder (NPR) The DNA data of millions of people who used 23andMe's services won't be sold to a pharmaceutical company. A bankruptcy judge greenlighted the sale of the remnants of the firm, including its wealth of genetic data, to a nonprofit led by co-founder Anne Wojcicki.

Litigation, Investigation, and Law Enforcement

Mental Health Provider Fined $225K for Lack of Risk Analysis (BankInfoSecurity) A Texas mental healthcare provider's failure to conduct a comprehensive risk analysis resulted in a $225,000 federal fine after regulators investigated a data leak

Industry Events

For a complete running list of events, please visit the Event Tracker.

Events

International Space Station Research and Development Conference (Seattle, Washington, USA, Jul 28 - 31, 2025) At ISSRDC, learn how to harness the International Space Station (ISS) and the unique conditions of space to help solve your most pressing research and development (R&D) challenges.

DEF CON 33 (Las Vegas, Nevada, USA, Aug 7 - 10, 2025) DEF CON is one of the oldest continuously running hacker conventions around, and also one of the largest.

39th Annual Small Satellite Conference (Salt Lake City, Utah, USA, Aug 11 - 13, 2025) During the 39th Annual Small Satellite Conference, we will delve into the innovations, demands, and cross-market collaborations shaping the future of satellite capabilities and driving new opportunities allowing us to collectively reach new horizons.

Sponsor & Support

Grow your brand, generate leads, and fill your funnel.

With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listeners all over the world, companies trust the CyberWire to get the message out. Learn more.

Daily Briefing for 07.09.25