Welcome to the July 2025 edition of the ConnectWise Cyber Research Unit™ (CRU) Monthly Threat Brief. This report provides a comprehensive look at the most significant cybersecurity developments impacting the MSP and SMB landscape. We break down the month’s top stories, critical vulnerabilities, and prevalent malware families to help you stay informed and prepared in an evolving threat environment. Starting this month, we have also begun adding descriptions of all the new detection signatures added to the ConnectWise SIEM™.
Top story for July 2025
Security researcher Oren Yomtov discovered VSXPloit, a critical vulnerability in OpenVSX, which is the open-source extension marketplace for AI development tools such as Cursor, Windsurf, and VSCodium. The flaw exploited automated nightly builds to capture the @open-vsx account’s secret token, enabling attackers to publish malicious updates, overwrite existing extensions, and hijack the entire marketplace with super-admin privileges. Malicious code could be hidden in dependencies and executed during builds, with updates delivered silently through automatic extension updates without user alerts.
This vulnerability represents part of a broader threat landscape targeting AI-powered development environments, particularly through Model Context Protocol (MCP) attacks. Key risks include tool poisoning (malicious instructions embedded in trusted tool descriptions), prompt injection bypassing filters, rogue server impersonation, and supply chain compromise where legitimate MCP servers are later modified maliciously. These attacks exploit the inherent trust AI models place in tool metadata and the rapid adoption of AI development tools that outpace security guardrails.
What this means for MSPs
For MSPs, this represents a significant expansion of supply chain risk requiring immediate attention to client development environments. The convergence of AI capabilities with development tools creates unprecedented attack vectors where every extension becomes a potential backdoor without proper vetting and monitoring.
MSPs must evolve their security practices to include AI development tool governance, implement zero trust approaches for extensions, establish approval processes for development tools, and develop incident response procedures specific to compromised development environments. The rapid adoption of these productivity-enhancing tools demands proactive management, continuous monitoring, and potentially additional network segmentation for development workstations to limit blast radius.
Mass exploitation of the SharePoint vulnerability CVE-2025-53770 has compromised over 75 organizations globally, including US federal agencies, state governments, energy companies, and universities. The “ToolShell” campaign delivers unauthenticated remote code execution against on-premise SharePoint servers. The attack originated from legitimate security research presented at Pwn2Own Berlin in May 2025, which was quickly weaponized after researchers posted proof-of-concept details on social media in mid-July.
The technical attack exploits SharePoint’s deserialization processes by manipulating HTTP headers to bypass authentication at the ToolPane endpoint, then extracting the server’s ValidationKey and DecryptionKey. With these cryptographic keys, attackers forge valid authentication tokens for persistent access. The vulnerability affects 8,000+ SharePoint servers worldwide, with coordinated attack waves hitting specific geographic regions. Even after patching, compromised servers remain vulnerable until machine keys are manually rotated, creating dangerous persistence windows.
What this means for MSPs
This represents the largest SharePoint compromise in recent memory, with critical infrastructure and government victims highlighting the severity. For MSPs, the challenge extends beyond typical patching. Many clients have forgotten on-premise SharePoint deployments that remain internet-accessible and unpatched. The unauthenticated nature bypasses all traditional security controls, such as MFA and network segmentation, while stolen machine keys enable legitimate-looking authentication for months or years post-compromise.
This creates significant liability exposure and requires coordinated emergency response, including both patching and service-impacting key rotation procedures.
Chinese state-sponsored groups, such as Linen Typhoon, Violet Typhoon, and Storm-2603, have been confirmed as the primary actors behind the widespread SharePoint exploitation campaign targeting CVE-2025-53770, with attacks beginning July 7, eleven days before public disclosure. These APT groups focus on long-term intelligence collection rather than immediate monetization, with Linen Typhoon specializing in IP theft from government/defense sectors, Violet Typhoon targeting former government personnel and think tanks, and Storm-2603 conducting machine key theft operations.
CISA expanded its Known Exploited Vulnerabilities catalog to include the original ToolShell vulnerabilities (CVE-2025-49706 and CVE-2025-49704) alongside the bypass variants, mandating federal agency remediation by an emergency deadline.
Public proof-of-concept exploits are now available on GitHub, dramatically lowering the technical barrier for exploitation and enabling less sophisticated actors to leverage advanced techniques developed by APT groups. Cloudflare recorded approximately 300,000 exploitation attempts during a single peak period on July 22, indicating widespread automated scanning despite patch availability. Enhanced detection capabilities have been deployed by the ConnectWise CRU for SIEM and SentinelOne customers, targeting specific indicators including spinstall0.aspx file creation, suspicious w3wp.exe processes, and correlated IIS log patterns showing successful exploitation followed by web shell access.
What this means for MSPs
The state-sponsored attribution fundamentally changes risk calculations for MSPs managing client SharePoint environments, as these actors establish persistent access for months or years before activation rather than seeking immediate monetization. MSPs must assume any internet-accessible SharePoint server was targeted and implement comprehensive remediation, including machine key rotation before and after patching, complete IIS service restarts, and treating automated detections as high-priority incidents. Client communication should emphasize the strategic nature of these attacks, as federal agencies and critical infrastructure are confirmed victims, providing crucial context for security investment decisions and incident response prioritization rather than framing this as routine cybercriminal activity.
Top vulnerability in July 2025
CVE-2025-53770 is a critical zero-day vulnerability (CVSS 9.8) affecting on-premises Microsoft SharePoint servers through the deserialization of untrusted data, enabling unauthenticated remote code execution. First exploited in the wild around July 7-18, 2025, this vulnerability is part of the “ToolShell” exploit chain that bypasses authentication via the /layouts/15/ToolPane.aspx endpoint and allows attackers to extract cryptographic machine keys (ValidationKey/DecryptionKey) for persistent access even after patching.
Microsoft confirmed the zero-day on July 19, 2025, and CISA added it to the KEV catalog on July 20. CVE-2025-53770 is a patch bypass for the previously patched CVE-2025-49704 from Pwn2Own Berlin 2025, indicating the original July patches were incomplete. Active exploitation has targeted government, telecommunications, finance, healthcare, education, and energy sectors with over 4,600 compromise attempts observed across 300+ organizations worldwide. Emergency patches are available for SharePoint 2016, 2019, and Subscription Edition, with organizations urged to immediately apply updates and rotate machine keys. Additional details are covered in the articles summarized earlier in this report.
Top malware in July 2025
The Diamond Model
This section leverages the Diamond Model of Intrusion Analysis to structure the examination of recent malware activity, providing a clear analytical framework that links adversary, capabilities, infrastructure, and victimology. By applying the Diamond Model, we can better contextualize malicious behavior, identify patterns across campaigns, and highlight the relationships between threat actors, tools, and targeted entities.
NetSupport RAT
NetSupport RAT is a weaponized version of the legitimate NetSupport Manager remote administration tool (RAT) that has been commercially available since 1989. Originally developed as a genuine application for remote technical support and computer assistance, cybercriminals have hijacked this useful application and misappropriated it to use in their harmful campaigns. The tool provides comprehensive remote access capabilities, including real-time screen monitoring, keyboard and mouse control, file transfers, chat functionality, and desktop management, making it attractive to threat actors who can leverage its legitimate appearance and robust functionality without developing custom malware.
The CRU has been continuously observing NetSupport RAT deployment by SmartApeSG, a threat group that employs drive-by compromise attacks through injected scripts on compromised websites. SmartApeSG has evolved their delivery methods from initial fake browser update lures similar to SocGholish to more recent ClickFix social engineering techniques. The RAT is typically distributed through deceptive websites, fake browser updates, and various phishing campaigns, with SmartApeSG using a combination of compromised domains and .top TLD domains for payload delivery. Their attack progression shows increasing sophistication, transitioning from batch file downloads with curl to more fileless techniques using PowerShell’s Expand-Archive cmdlet, ultimately leading to Stealc malware infections while maintaining persistence through registry Run keys.
