Akira dominated ransomware and extortion activity in July, with Qilin remaining active, albeit not at the levels observed in June. Throughout July, analysts at Arete identified several distinct trends behind the threat actors perpetrating cybercrime activities:
- Akira was the most active threat group in July, responsible for almost 30% of all ransomware and extortion activity, followed by Qilin, the most active threat group in June, which accounted for nearly 12% of all incidents in July. Arete also observed several engagements in July with a new threat actor calling themselves the Sinobi Group. The Sinobi Group demonstrates multiple similarities with the Lynx ransomware group, including overlapping code and infrastructure, and a Tor chat and data leak site that is almost a carbon copy of Lynx’s. However, as Lynx continues to operate under its original name, it remains unclear whether Sinobi is a rebrand or a subgroup spawned from a sale or sharing of the Lynx encryptor or infrastructure.
- In July, multiple threat groups exploited critical zero-day vulnerabilities in Microsoft’s SharePoint. The vulnerabilities impact on-premises SharePoint Server products and allow for remote code execution. Microsoft addressed the vulnerabilities in security updates, which can be found here. If affected organizations have not yet done so, it is critical for them to immediately install the security updates.
- In July, the Interlock ransomware group was observed deploying a new remote access trojan (RAT) via a variation of the ClickFix technique called “FileFix.” ClickFix attacks use deceptive CAPTCHA challenges to trick users into executing malicious PowerShell scripts and gain unauthorized access to victim networks. FileFix operates similarly, but uses Windows tools like File Explorer to trick users into executing malicious PowerShell scripts. Once deployed, the new RAT performs various functions, including collecting information on the victim’s system, determining privileges, setting up C2 channels, and deploying additional malware.
As in June, Arete observed 14 unique identified ransomware and extortion groups in July:
Sources
- Arete Internal
Related Resources
![]()
Google Gemini Flaw Hijacks Email Summaries for Phishing
Google Gemini email summary flaw lets attackers hide malicious instructions in emails, leading users to phishing sites without clicking links.
Read more![]()
Ransomware Trends & Data Insights: June 2025
June 2025 saw Qilin dominate ransomware activity and law enforcement shift focus to cybercrime infrastructure. Discover key trends and group activity insights.
Read more![]()
First We Mine, Then We Hack
A malware campaign disguised as Minecraft mods on GitHub is stealing credentials and crypto wallets. Over 1,500 users are affected. Learn more.
Read more
