The CyberWire Daily Podcast 7.7.25
Ep 2343 | 7.7.25

SafePay, unsafe day.

Transcript

Ingram Micro suffers a ransomware attack by the SafePay gang. Spanish police dismantle a large-scale investment fraud ring. The SatanLock ransomware group says it is shutting down. Brazilian police arrest a man accused of stealing over $100 million from the country’s banking system. Qantas confirms contact from a “potential cybercriminal” following its recent customer data breach. The XWorm RAT evolves to better evade detection. Cybercriminals ramp up fraudulent domains ahead of Amazon Prime Day. Apple sues a former engineer for allegedly stealing confidential data. Our guest is Rob Allen, Chief Product Officer at ThreatLocker, discussing why “Default Deny” could be the antidote to security fatigue. AI image editing blurs the evidence.

Today is Monday July 7th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Ingram Micro suffers a ransomware attack by the SafePay gang. 

Ingram Micro, a major global IT distributor, suffered a ransomware attack by the SafePay gang last Thursday, leading to an ongoing outage of its website and ordering systems. Employees discovered ransom notes on their devices, although it’s unclear if files were encrypted. Sources say attackers likely breached the company via its GlobalProtect VPN platform. Impacted services include its AI-powered Xvantage distribution platform and Impulse license provisioning, while Microsoft 365, Teams, and SharePoint remain operational. Initially, Ingram Micro did not disclose the attack, citing only IT issues. SafePay, active since November 2024 with over 220 victims, uses VPN breaches and password spraying to infiltrate targets. On Sunday, Ingram Micro confirmed the ransomware incident, stating it’s working with cybersecurity experts to investigate and restore systems.

Spanish police dismantle a large-scale investment fraud ring. 

Spanish police have dismantled a large-scale investment fraud ring that caused over $11.8 million (€10 million) in damages. In coordinated raids across Barcelona, Madrid, Mallorca, and Alicante, 21 suspects were arrested, and officers seized seven luxury cars and more than $1.5 million (€1.3 million) in cash and crypto. The group began operations in 2022, targeting victims nationwide with fake investments in crypto, tech stocks, and gold via manipulated websites and call centers posing as professional advisors. Victims saw fake profits and could make small withdrawals initially, before losing larger sums to blocked withdrawals and fake “processing fees.” The call centers had “panic buttons” to erase data during raids. This operation follows recent major fraud takedowns in Spain, including a $540 million crypto scam dismantled last week.

The SatanLock ransomware group says it is shutting down. 

The SatanLock ransomware group announced it is shutting down and plans to leak all stolen victim data today. The group, active since April 2025, posted the news on its Telegram channel and dark web site, which now displays a shutdown notice. SatanLock had listed 67 victims, though over 65% were already on other ransomware leak sites, suggesting shared infrastructure. Linked to groups like Babuk-Bjorka and GD Lockersec, SatanLock’s sudden closure remains unexplained. 

Brazilian police arrest a man accused of stealing over $100 million from the country’s banking system. 

Brazilian police arrested João Roque, an IT employee at software company C&M, for his role in a cyberattack that stole over 540 million reais ($100 million) from the country’s banking system. Hackers breached C&M, which connects banks to Brazil’s instant payment platform, PIX, used by over 76% of the population. Roque admitted selling his credentials to hackers who recruited him earlier this year. The attack targeted financial institutions, not individual clients, and losses from just one bank reached $100 million. Police believe at least four others were involved. The fraud occurred overnight via fake PIX transactions. Brazil’s Central Bank suspended parts of C&M’s operations. C&M stated the breach was due to social engineering, not system flaws.

Qantas confirms contact from a “potential cybercriminal” following its recent customer data breach. 

Qantas has confirmed contact from a “potential cybercriminal” following its recent customer data breach. The airline is verifying the individual’s authenticity and has involved the Australian Federal Police but declined to share further details. The breach, contained on June 30, compromised personal data including names, emails, phone numbers, dates of birth, and Frequent Flyer numbers of potentially up to six million customers. No credit card, financial, or passport data was affected. Attackers targeted a third-party customer servicing platform via a call center. Qantas has not detected further threat activity and says its systems remain secure. Customers were notified by email on July 2 and 3 and warned to watch for phishing attempts, as Qantas will never request passwords or sensitive login details.

A healthcare data processing firm reports a data breach. 

Arbor Associates Inc., which processes data for healthcare providers, reported a breach compromising patient data. Detected on April 17, 2025, the breach occurred between April 15–17. Exposed information includes names, contact details, birth dates, biological sex, service dates, CPT and diagnosis codes, medical record numbers, and insurance provider names. The number of affected individuals and attack details remain undisclosed. Arbor has set up a helpline and urges patients to review statements for errors and monitor credit reports for suspicious activity.

The XWorm RAT evolves to better evade detection. 

The XWorm Remote Access Trojan (RAT) has evolved with advanced stagers and loaders to evade detection. Widely used for keylogging, remote desktop access, data theft, and command execution, XWorm now targets sectors like software supply chains and gaming. Recent campaigns paired XWorm with AsyncRAT for initial access, later deploying ransomware crafted from the leaked LockBit Black builder. XWorm’s infection chain is highly dynamic, using multiple file types and scripting languages (PowerShell, VBS, JavaScript, .NET executables) delivered via phishing emails mimicking invoices and shipping notices. It employs Base64 encoding, AES encryption, and tampers with Windows security features like AMSI and ETW to avoid detection. XWorm also spreads via removable media, uses persistence mechanisms, and disables Microsoft Defender, making it a persistent threat for security teams worldwide.

Cybercriminals ramp up fraudulent domains ahead of Amazon Prime Day.

Ahead of Amazon Prime Day on July 8, 2025, cybercriminals are ramping up phishing attacks targeting shoppers. Researchers at Check Point say over 1,000 Amazon-like domains were registered in June alone, with 87% flagged as malicious. Many use “Amazon Prime” in their names to trick users into entering login credentials on fake sites. Common tactics include spoofed websites mimicking Amazon’s checkout and phishing emails claiming “refund errors” to lure clicks. With these scams rising before Prime Day, extra caution can prevent identity theft, unauthorized purchases, and stolen gift card balances.

Apple sues a former engineer for allegedly stealing confidential data.

Apple has filed a lawsuit against former employee Di Liu for allegedly stealing confidential data related to its Vision Pro headset and sharing it with Snap, his current employer. Liu, who worked at Apple for seven years as a senior product design engineer, reportedly transferred proprietary Vision Pro design, hardware testing, and unreleased capability files to his personal cloud storage before resigning. Apple claims Liu misled them about his departure, citing family reasons instead of joining Snap, to avoid offboarding protocols that would cut his access. Forensic analysis revealed he deleted evidence from his MacBook to hide the transfers. Apple is seeking the immediate return of its trade secrets, financial damages, and access to Liu’s devices and cloud accounts. Snap denied any involvement in Liu’s actions.


AI image editing blurs the evidence. 

In Maine, the Westbrook Police Department tried to jazz up its drug bust photo by adding its badge using ChatGPT. Unfortunately, officers didn’t realize AI image editing works like an overenthusiastic intern – it changed the entire photo. Facebook followers quickly noticed the garbled text and eerie gloss, prompting the department to delete it and issue an apology. Their statement blamed a “photoshop app,” but WGME revealed it was actually ChatGPT’s image generator, which treated the uploaded photo as a prompt to create a brand-new masterpiece. Hilariously, the AI even removed some drugs from the evidence photo. Locals wondered how no one spotted the glaring differences. Lesson learned: next time, just set a badge on the table. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


And that’s the CyberWire Daily, brought to you by N2K CyberWire.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.

We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until August 31, 2025. There's a link in the show notes.


N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.