Microsoft's July Patch Tuesday Shatters Records with 622 Vulnerabilities, Including Actively Exploited Zero-Days
Microsoft's July Patch Tuesday addresses an unprecedented 622 vulnerabilities, featuring 62 critical flaws and three zero-days, two of which are under active exploitation, signaling a new era of AI-accelerated vulnerability research.

Microsoft's July Patch Tuesday has set a new record, addressing a staggering 622 vulnerabilities, a number that dwarfs previous monthly totals and even surpasses the entirety of some past years. Among these, 62 are classified as critical severity, and three are zero-days, with two already being actively exploited in the wild. This surge represents a significant escalation in the vulnerability landscape, a trend Microsoft attributes to the accelerating pace of AI-driven vulnerability research.
Historically, July has been a relatively quiet month for patching, with previous years seeing only a handful of advisories. This year's deluge, however, signals a potential paradigm shift. The sheer volume of patches presents a formidable challenge for organizations, potentially overwhelming their change management and patching processes. The traditional cycle of testing, reviewing stability, and deploying patches is now under immense pressure, raising concerns about whether IT departments can keep pace with the demand.
The implications of this patch flood extend beyond just the volume. The article posits that just as Microsoft is leveraging advanced AI for vulnerability discovery, so too are other vendors and threat actors. This means organizations are not only facing a higher quantity of vulnerabilities but also potentially more sophisticated exploits emerging at an accelerated rate. The question remains whether companies, especially those with fewer resources than Microsoft, can adapt their security practices to this new reality.
This situation raises critical questions about prioritization. When every patch cycle feels like a "fire drill," the effectiveness of emergency responses diminishes. The article suggests that what might be a "hot summer" for patching could evolve into a sustained period of high-alert security operations, marked by frequent Critical Vulnerability (KEV) and Exploit Prediction Scoring System (EPSS) notifications. This constant pressure taxes already strained security teams.
Beyond the broad implications of Microsoft's patch release, the article also details a new campaign by UAT-11795, a financially motivated, Russian-speaking adversary. This group has been targeting users in the U.S. and Europe since at least June 2025, employing trojanized software installers for popular tools like Webex, Zoom, and MobaXterm. These installers deliver a custom Python-based remote access tool known as "Starland RAT."
The Starland RAT serves as an initial entry point, enabling the deployment of further malicious payloads, most notably a bespoke, in-memory PowerShell command-and-control (C2) implant called the "WLDR agent." This campaign is opportunistic, casting a wide net and turning seemingly innocuous software downloads into full-blown compromises. UAT-11795 utilizes advanced evasion techniques, including bypassing AMSI (Antimalware Scan Interface) and ETW (Event Tracing for Windows), and employs a blockchain-anchored fallback mechanism for persistent C2 communication.
Once inside a compromised system, the attackers rapidly deploy secondary payloads such as CastleStealer and Remcos RAT. These tools are designed to exfiltrate high-value credentials and cryptocurrency assets, underscoring the financially motivated nature of the campaign. The article advises users to be educated on social engineering tactics like ClickFix and the dangers of unofficial software downloads, while security teams should monitor for suspicious execution of mshta.exe and unusual PowerShell activity, especially scripts running from memory or creating unexpected scheduled tasks.
This confluence of record-breaking patch volumes driven by AI advancements and sophisticated, targeted campaigns highlights the evolving and increasingly challenging threat landscape. Organizations must prepare for a sustained period of heightened security vigilance, focusing on efficient patch management, user education, and robust endpoint detection capabilities to navigate these turbulent times.