Something strange happened in Michigan. Hospital printers began printing ransom notes—unsolicited, automatic, and very real. The INC ransomware gang had landed inside McLaren Health Care’s network and decided to introduce themselves through a deeply unsettling channel: the very machines used to print patient instructions.
And that’s just the tip of the iceberg in this month’s Threat Intelligence Brief.
From Citrix zero-days being actively exploited, to fake SonicWall clients stealing VPN credentials, to insurance giants falling prey to quiet data theft campaigns—we’ve unpacked the high-impact takeaways below. Consider this a pulse check on today’s threat landscape—and a warning signal to act before it’s your turn.
743,000 Patients. One Ransomware Note. Zero Warning.
The McLaren Health Care breach started in July 2024. The investigation finished ten months later. In the meantime, phone lines went dead. IT systems went dark. Visitors were told to bring handwritten medical notes. And somewhere in Bay City, a hospital printer coughed out a ransom note from a foreign adversary.
“The attacker maintained access to the hospital’s systems for 17 days. No one knew.”
This is McLaren’s second major breach in two years. The previous one impacted 2.2 million people.
Patterns like this don’t just raise eyebrows—they demand action.
Citrix Bleed Has a Sequel
If you thought you patched Citrix already, check again. Two new vulnerabilities—CVE-2025-6543 and CVE-2025-5777—are now being exploited in real time.
One’s a memory overflow flaw that can crash your appliance. The other, a session token leak that lets attackers hijack active sessions, skip MFA, and operate quietly inside your systems for days.
These flaws require no rocket science. Just unpatched NetScaler instances, used in gateway mode, and attackers get a free pass.
Rapid7, Tenable, ReliaQuest—they all agree: patch immediately. There are no workarounds. These are not hypotheticals. Exploits have been observed.
Aflac Breached—But Not by Ransomware
This one flew under the radar. On June 20, Aflac disclosed a breach.
No ransomware. No headlines. But a breach nonetheless—most likely tied to Scattered Spider, the cybercrime gang with a resume that includes MGM, Twilio, Coinbase, and Reddit.
What’s different this time? The attack wasn’t loud. It was surgical. In and out. Possibly millions of customer, agent, and employee records exposed.
Modern attackers aren’t kicking down doors anymore. They’re quietly picking locks—and leaving almost no trace.
VPN Credentials for Sale, Courtesy of a Fake SonicWall
Attackers have started distributing a fake version of SonicWall NetExtender—digitally signed by a shady company but believable enough to pass a casual glance. Users download what looks like a legit VPN client. It isn’t.
Once installed, it silently siphons usernames, passwords, and domain info to a remote server (IP: 132.196.198.163, in case you’re blocking traffic). Two modified binaries, same endgame: full access.
If your download didn’t come directly from SonicWall, assume it’s already compromised.
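As an added defender-side example (not part of the original brief), a short Python scan over constructed egress-log lines that flags both outbound contact with the exfiltration address named above and NetExtender-style installer downloads from any host outside sonicwall.com; the log format and the trusted-host list are assumptions.

```python
import re
from ipaddress import ip_address

# Constructed sample egress/proxy log lines (not taken from the original post).
# Assumed format: "<ts> src=<ip> dst=<ip> host=<sni or '-'> path=<url path>"
SAMPLE_LOGS = """\
2025-06-24T09:01:12Z src=10.0.4.21 dst=203.0.113.10 host=www.sonicwall.com path=/NetExtender-x64.msi
2025-06-24T09:03:40Z src=10.0.4.37 dst=198.51.100.8 host=sonicwall-downloads.example path=/NetExtender.exe
2025-06-24T09:05:02Z src=10.0.4.37 dst=132.196.198.163 host=- path=/
2025-06-24T09:07:19Z src=10.0.4.50 dst=203.0.113.20 host=cdn.example path=/setup.exe
"""

# Exfiltration server named in the brief.
KNOWN_C2 = {ip_address("132.196.198.163")}
# Hosts from which a NetExtender download is treated as legitimate (assumption).
TRUSTED_HOSTS = ("sonicwall.com",)

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) host=(?P<host>\S+) path=(?P<path>\S+)"
)


def trusted_host(host: str) -> bool:
    # Exact match or a subdomain of a trusted host; rejects lookalikes
    # such as "sonicwall.com.evil" or "sonicwall-downloads.example".
    h = host.lower().rstrip(".")
    return any(h == t or h.endswith("." + t) for t in TRUSTED_HOSTS)


def scan(logs: str) -> list:
    """Return (src, finding, detail) tuples for suspicious lines."""
    findings = []
    for line in logs.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        src, dst, host, path = m.group("src", "dst", "host", "path")
        try:
            if ip_address(dst) in KNOWN_C2:
                findings.append((src, "c2-contact", dst))
        except ValueError:
            pass  # dst was not an IP literal; nothing to match against
        if "netextender" in path.lower() and not trusted_host(host):
            findings.append((src, "untrusted-installer", host))
    return findings
```

Running scan(SAMPLE_LOGS) reports the same client (10.0.4.37) first fetching an installer from an untrusted host and then contacting the listed address, which is the sequence a compromised VPN client would produce.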
DDoS Is Back—and It’s Not Playing Around
FS-ISAC dropped a sobering report: A single DDoS campaign in 2024 took down multiple banks for days.
These attacks are no longer brute force—they’re tailored, persistent, and convincingly human. They exploit APIs. They mimic behaviors. They dodge detection.
That’s why the DDoS Maturity Model is a must-read. It breaks down five levels of readiness and tells you where you really stand—not where you hope you are.
OT Attacks Are Now Military Grade
UAC-0001 (likely APT28) is back, targeting ICS systems running on Windows servers. The tools? BEARDSHELL. SLIMAGENT. Malware disguised as Microsoft macros. Shellcode hidden in PNG files. C2 channels routed through Signal and obscure storage APIs.
CERT-UA and ESET documented how a single Word doc—named “Act.doc”—launched a full system compromise via COM hijacking and in-memory payloads. All it took was one macro-enabled doc sent over Signal.
If you’re managing OT systems and haven’t disabled macros by now… you’re walking a tightrope without a net.
This Is Not Normal. But It’s the New Reality.
None of these threats are normal. But they’re happening. And fast.
What connects all of them?
- Quiet persistence over noisy destruction
- Real-world consequences (not just data, but care delivery, financial operations, trust)
- Zero-day exploits already in use—not theoretical
- Attackers blending off-the-shelf tools with government-grade stealth
But there are answers—and action steps you can take today.
- Limit lateral movement by enforcing zero-trust principles, especially in sensitive sectors like healthcare and finance.
- Audit your MFA setup and lock down session token handling—because bypassing MFA is now routine for advanced attackers.
- Step up phishing defenses. Social engineering is no longer amateur-hour. These actors are fluent in your workflows.
- Patch fast, yes—but more importantly, monitor API usage, enforce least privilege, and prepare for when (not if) perimeter defenses fail.
- And if you rely on VPNs or cloud-based infrastructure? Check your sources. Even a fake installer with a legit-looking signature can crack the door wide open.
If you’re responsible for securing critical services, these aren’t exceptions. They’re your early warnings.
This month’s brief lays out the full picture: critical vulnerabilities, exploit timelines, attacker playbooks, patch guidance, IOCs, and even advanced models like the DDoS Maturity Framework. It shows you how, why, and what to do next.
From fake VPN installers to stealthy OT attacks and memory-leaking zero-days—these threats are already in motion. The full report connects the dots so you can get ahead of them.
Grab the July Threat Intelligence Brief. Read the attack flows. Spot the weak links. Because the attackers already have.
If you want to know how the ColorTokens platform can help, you can request a demo. Or start a no-obligation consultation with one of our top cybersecurity advisors.