Spyware Activity Particularly Impactful in July
Recent research suggests that developers of mercenary spyware have been unusually active in weaponizing common vulnerabilities and exposures (CVEs). Read the article to gain insight into this trend.
What was notable about spyware activity in July 2022?
In July 2022, spyware activity saw a notable increase following a quieter June. Reports indicated that developers of mercenary spyware were particularly active in exploiting common vulnerabilities and exposures (CVEs). This spike in activity raised questions about whether it was due to other threat actors being less active during the summer months.
What vulnerabilities were exploited for spyware distribution?
During July 2022, several zero-day vulnerabilities were exploited to distribute spyware. Notably, CVE-2022-2294, affecting Google Chrome, was exploited by the Israeli spyware vendor Candiru. Additionally, Microsoft’s CVE-2022-22047 was used by the mercenary group Knotweed to deploy Subzero spyware. These incidents highlighted a concerning trend of spyware developers closely linking their activities with newly disclosed vulnerabilities.
How did the Follina vulnerability impact cybersecurity in July?
The Follina vulnerability, disclosed at the end of May 2022, continued to be a significant concern in July. It allowed threat actors to execute PowerShell commands without user interaction. On July 6, Fortinet researchers reported a phishing campaign that utilized Follina to distribute the Rozena backdoor, enabling attackers to take control of Windows systems. This incident underscored the ongoing exploitation of unpatched vulnerabilities in the cybersecurity landscape.

published by STEELWATER LTD