🎯 SOC Skills Weekly #2: Ransomware Surge, Spyware Leaks, and Phishing QR Codes

Edition: June 30–July 6, 2025
(Real threats from this week, real skills for every week.)

:receipt: TL;DR — What You’ll Learn This Week

  • :microbe: Hunters International ransomware shuts down, offers free decryption
  • :mobile_phone: Catwatchful spyware leaks 62,000 user logins
  • :camera: QR code phishing scams impersonate trusted brands
  • :locked_with_key: Critical Cisco flaw grants root access
  • :test_tube: Shift Drill: Triage a phishing QR code attack

Welcome to SOC Skills Weekly — your go-to spot for turning real-world cyber threats into practical Security Operations Center (SOC) skills. Whether you’re new to cybersecurity, switching careers, or sharpening your analyst instincts, this series helps you detect faster, respond smarter, and build job-ready skills to stand out.

We break down the week’s top threats into beginner-friendly lessons and hands-on drills. No need to be perfect — just show up, try the challenges, and grow with the community.

:light_bulb: New to SOC work? Start with the “Watch For” tips and the Shift Drill. Don’t stress about getting everything right — post your thoughts or questions in the comments, and we’ll learn together!


:crossed_swords: This Week’s Incidents: Real Threats, Real Lessons

Each threat below is a chance to practice how SOC analysts triage (quickly assess), hunt (search for clues), and respond (take action) to real-world attacks. Ask yourself: “How would I handle this in a SOC?”


:microbe: 1. Hunters International Ransomware Shuts Down

:paperclip: BleepingComputer

:pushpin: MITRE Techniques: T1486 – Data Encrypted for Impact (locking files to demand ransom), T1566.001 – Spearphishing Attachment (using fake email attachments to deliver malware)

:brain: Analyst Debrief
In July 2025, the Hunters International ransomware group announced it was shutting down and released free decryption tools for victims. This followed “recent developments” (likely law enforcement pressure). Ransomware locks files on computers, demanding payment to unlock them. Hunters International likely started attacks with phishing emails containing malicious attachments, like fake PDFs, to infect systems. Even with their shutdown, stolen data could still be used for follow-up scams or sold on the dark web.

Key Red Flags:

  • Emails with unexpected attachments (e.g., .pdf, .docx) from unknown senders :triangular_flag:
  • Files on your computer suddenly locked with strange extensions (e.g., .locked)
  • Unusual network activity, like data leaving to unknown servers

“Why are my files suddenly locked, and why is my computer sending data somewhere weird?”

:bullseye: Watch For

  • Suspicious email attachments from unknown sources
  • Files with odd extensions or ransom notes on your system
  • Strange outbound traffic in network logs

Tip for Beginners: Always back up important files to an external drive or cloud. If you get a ransom note, don’t pay — report it to your IT team or a SOC analyst immediately.


:mobile_phone: 2. Catwatchful Spyware Leaks 62,000 User Logins

:paperclip: SecurityWeek

:pushpin: MITRE Techniques: T1517 – Access Application Data (stealing data from apps), T1533 – Data from Local System (collecting sensitive info from devices)

:brain: Analyst Debrief
In July 2025, a security researcher found a flaw in Catwatchful, an Android spyware app marketed as “child monitoring” software. This flaw exposed the usernames and passwords of 62,000 users, including the app’s admin. Spyware secretly tracks devices, stealing data like messages, photos, or passwords. The leak happened due to an SQL vulnerability (a weakness in the app’s database), letting attackers access sensitive data. This shows how even malicious apps can backfire, exposing their own users.

Key Red Flags:

  • Apps requesting excessive permissions (e.g., access to camera, messages, or files) :triangular_flag:
  • Unusual app behavior, like high data usage or battery drain
  • Unknown apps installed on your device

“Why is this app I didn’t install using so much data?”

:bullseye: Watch For

  • Unfamiliar apps on company or personal devices
  • High network activity from unknown apps in logs
  • User reports of slow devices or odd pop-ups

Tip for Beginners: Check your phone’s app permissions regularly. If an app asks for access it doesn’t need (e.g., a game wanting your camera), it’s a red flag. Report it to your IT team.


:camera: 3. QR Code Phishing Scams Impersonating Trusted Brands

:paperclip: Malwarebytes

:pushpin: MITRE Techniques: T1566.002 – Spearphishing Link (fake links in emails to steal info), T1204.001 – User Execution: Malicious Link (tricking users into clicking bad links)

:brain: Analyst Debrief
In July 2025, hackers sent emails pretending to be from trusted brands like Microsoft, PayPal, DocuSign, and Geek Squad. These emails contained QR codes or fake phone numbers, tricking users into scanning codes or calling scammers. Scanning the QR code led to fake login pages that stole passwords, while phone calls connected victims to scammers posing as support staff. This “callback phishing” relies on social engineering (manipulating trust) to bypass email filters.

Key Red Flags:

  • Emails with QR codes asking you to scan for “support” or “login” :triangular_flag:
  • Phone numbers in emails that don’t match official company contacts
  • Urgent requests to call or scan a code to “fix an issue”

“Why is PayPal asking me to scan a QR code to log in?”

:bullseye: Watch For

  • Emails with QR codes or unexpected phone numbers
  • User reports of fake support calls or suspicious login pages
  • Traffic to unknown domains after QR code scans in network logs

Tip for Beginners: Never scan a QR code from an email unless you’re 100% sure it’s legit. Always check a company’s official website or contact number directly.


:satellite_antenna: Rapid Threat Roundup – High Signal Reads

  1. Ingram Micro Ransomware Outage :locked:
  • Summary: IT distributor Ingram Micro faced a global outage due to a SafePay ransomware attack, disrupting systems and services.
  • Why it matters: Ransomware can cripple businesses. Beginners should watch for unusual system slowdowns or locked files.
  • :link: BleepingComputer
  2. Sinaloa Cartel Hacks FBI Surveillance :detective:
  • Summary: The Sinaloa drug cartel used hacked cameras and phones to spy on FBI agents and identify informants in 2018, exposing surveillance weaknesses.
  • Why it matters: Even trusted systems can be compromised. Check for unusual device activity, like cameras turning on unexpectedly.
  • :link: Malwarebytes
  3. Critical Cisco Vulnerability (CVE-2025-20309) :locked_with_key:
  • Summary: A flaw in Cisco Unified Communications Manager allowed hackers to gain root access using hardcoded credentials.
  • Why it matters: Unpatched software is a hacker’s dream. Beginners should ensure systems are updated regularly.
  • :link: The Hacker News
  4. North Korean IT Worker Scams :laptop:
  • Summary: US authorities seized 29 domains and raided 21 “laptop farms” used by North Korean hackers posing as IT workers to steal funds.
  • Why it matters: Fake identities can infiltrate companies. Watch for unusual login patterns or unknown devices.
  • :link: The Hacker News
  5. Europol Busts $540M Crypto Scam :money_with_wings:
  • Summary: A crypto fraud ring laundering $540 million was dismantled, with arrests in Spain and other countries.
  • Why it matters: Crypto scams are rising. Be cautious of emails or sites promising quick profits.
  • :link: The Hacker News
  6. Android Malware Surges 151% :mobile_phone:
  • Summary: Mobile malware targeting Android devices spiked in 2025, with coordinated attacks stealing data like photos and crypto wallets.
  • Why it matters: Mobile devices are common in workplaces. Check for suspicious apps or high data usage.
  • :link: Malwarebytes
  7. Critical Sudo Flaws in Linux :penguin:
  • Summary: Two vulnerabilities in the Sudo tool let local attackers gain root access on Linux systems.
  • Why it matters: Linux is widely used in servers. Ensure systems are patched to avoid privilege escalation.
  • :link: The Hacker News

:test_tube: Shift Drill – Apply What You’ve Learned: QR Code Phishing Attack

Scenario: You’re a SOC analyst on shift when a user reports an email claiming to be from PayPal, urging them to scan a QR code to “verify your account.” Your initial triage reveals the email is from [email protected] (note the “1” instead of “l”) and the QR code links to secure-paypal-verify.es, a suspicious domain.

:paperclip: Read the Malwarebytes breakdown for context
New to phishing? It’s when hackers use fake emails or messages to trick you into sharing personal info, like passwords.

Complete the questions below and share your answers in the Crushing Security forum.

No pressure to be perfect! Share your thoughts, partial answers, or questions in the forum. If you’re stuck, ask the community — we’re here to help.
Why this matters: Spotting phishing emails and guiding users safely is a core SOC task that protects organizations.

:footprints: Start Here – Build Your Analyst Instincts
If you’re new, focus on spotting the basics and explaining clearly. Answer these to think like an analyst:

  1. Identify two suspicious details in the email (e.g., sender address, QR code domain) that indicate it’s a phishing attempt.
  2. Explain why a QR code in a PayPal email is a red flag, even without technical expertise.
  3. Describe how you’d warn a non-technical coworker about this email in simple terms — what’s dangerous, and what should they do instead?

Tip for Beginners: Sketch the attack flow (e.g., email → QR code → fake login page → stolen credentials) on paper to visualize how the scam works. This helps you spot patterns in future attacks.

:brain: (Optional): Level Up – Triage, Hunt, and Respond
Ready to act like a pro SOC analyst? You have 10 minutes to prepare a quick update for your shift lead. (Newbies, skip this or try it later!)

  1. Check the domain secure-paypal-verify.es using a tool like VirusTotal. What would you look for to confirm it’s malicious?
  2. Choose one Indicator of Compromise (IOC) (e.g., the sender address [email protected] or the domain secure-paypal-verify.es) to search for in email logs to identify other users targeted by this campaign.
  3. Outline your step-by-step process to investigate if anyone scanned the QR code or visited the suspicious domain. Specify which logs (e.g., email, firewall, SIEM) and tools (e.g., Splunk, VirusTotal) you’d use.
  4. Create a detection rule (in plain words or pseudocode) for your SIEM to flag similar QR code phishing emails. Include conditions like sender domain typos or suspicious QR code links.
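A worked version of questions 2 and 4 above, added here as example code (not from this newsletter or the Malwarebytes write-up): the rule flags emails whose sender domain typosquats a protected brand (paypa1.com → paypal.com) or whose links name a brand without being that brand’s domain, and the same records can be swept for an IOC. The brand list, lure-wording regex and mail-gateway records are constructed assumptions for the drill.

```python
import re
from collections import namedtuple
from urllib.parse import urlparse
PROTECTED = {"paypal.com", "microsoft.com", "docusign.com"}  # brands the campaign impersonates (assumed)
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})  # digit-for-letter swaps
QR_HINT = re.compile(r"\b(qr code|scan (the|this) code|verify your account)\b", re.I)
Email = namedtuple("Email", "msg_id sender subject links")

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def looks_typosquatted(domain):
    """Not a brand domain, but mimics one via digit swaps (paypa1 -> paypal) or a single edit."""
    if domain in PROTECTED:
        return False
    return (domain.translate(HOMOGLYPHS) in PROTECTED
            or any(edit_distance(domain, good) == 1 for good in PROTECTED))

def triage(email):
    """Return the reasons an email matches the QR-phishing rule (empty list = clean)."""
    reasons = []
    dom = email.sender.rsplit("@", 1)[-1].lower()
    if looks_typosquatted(dom):
        reasons.append(f"sender domain {dom} typosquats a protected brand")
    if QR_HINT.search(email.subject):
        reasons.append("subject uses QR-code / verify-account lure wording")
    for link in email.links:
        host = (urlparse(link).hostname or "").lower()
        brand = next((b for b in PROTECTED if b.split(".")[0] in host), None)
        if brand and host != brand and not host.endswith("." + brand):
            reasons.append(f"link host {host} names {brand} but is not that domain")
    return reasons

def hunt(emails, ioc):
    """IOC sweep (question 2): msg_ids whose sender or links contain the indicator."""
    ioc = ioc.lower()
    return [e.msg_id for e in emails
            if ioc in e.sender.lower() or any(ioc in l.lower() for l in e.links)]
SAMPLE = [  # constructed mail-gateway records for the drill, not real logs
    Email("m1", "service@paypa1.com", "Scan the QR code to verify your account", ["https://secure-paypal-verify.es/login"]),
    Email("m2", "service@paypal.com", "Your monthly statement", ["https://www.paypal.com/myaccount"]),
    Email("m3", "docs@docusignn.com", "Scan this code for support", ["https://docusign-support-help.net/qr"]),
]
```

Running `triage` over `SAMPLE` flags m1 and m3 on all three conditions and leaves the genuine PayPal statement alone; `hunt(SAMPLE, "paypa1.com")` is the email-log IOC sweep from question 2.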

:pushpin: Shift Recap – From Threat to Action

| Signal | Recommended Action |
|---|---|
| QR code in email | Flag emails with QR codes or .es domains |
| Typosquatting sender (paypa1.com) | Hunt for similar sender domains in email logs |
| Ransomware file locking | Monitor for unusual file extensions or ransom notes |
| Spyware app activity | Check for high data usage or unknown apps in device logs |
| Unpatched Cisco systems | Ensure software updates are applied to prevent root access |

:fire: What Next?

Reading about threats is just the start — applying what you learn builds real SOC skills. Practice these to grow your confidence and portfolio!

:toolbox: This Week’s Starter Pack

:card_index_dividers: Want the Full Arsenal?


:repeat_button: Catch Up on Past Issues

Old threats still teach timeless skills — attackers reuse tricks!
:backhand_index_pointing_right: Browse Past SOC Skills Weeklies

:bell: Lock In — Don’t Miss Out!

Want the next threat breakdowns, drills, and tools in your inbox?
:link: Join the Crushing Security Newsletter

:brain: Make It Better!

Got ideas to improve this series? Suggest new threats, tools, or tweaks. Drop your thoughts below or DM Steve.


Tags: phishing, ransomware, spyware, qr-code-attacks, soc-skills, beginner-cybersecurity