A new Android malware locks device screens and demands that users pay a ransom to keep their data from being deleted. Dubbed “DroidLock” by Zimperium researchers, the Android ransomware-like malware can also “wipe devices, change PINs, intercept OTPs, and remotely control the user interface, turning an infected phone into a hostile endpoint.” The malware detected by the researchers targeted Spanish Android users via phishing sites. Based on the examples provided, the French telecommunications company Orange S.A. was one of the companies impersonated in the campaign.

Android Malware DroidLock Uses ‘Ransomware-like Overlay’

The researchers detailed the new Android malware in a blog post this week, noting that the malware “has the ability to lock device screens with a ransomware-like overlay and illegally acquire app lock credentials, leading to a total takeover of the compromised device.” The malware uses fake system update screens to trick victims and can stream and remotely control devices via virtual network computing (VNC). The malware can also exploit device administrator privileges to “lock or erase data, capture the victim's image with the front camera, and silence the device.” The infection chain starts with a dropper that appears to require the user to change settings to allow unknown apps to be installed from the source (image below), which leads to the secondary payload that contains the malware. [caption id="attachment_107722" align="aligncenter" width="300"] The Android malware DroidLock prompts users for installation permissions (Zimperium)[/caption] Once the user grants accessibility permission, “the malware automatically approves additional permissions, such as those for accessing SMS, call logs, contacts, and audio,” the researchers said. The malware requests Device Admin Permission and Accessibility Services Permission at the start of the installation. Those permissions allow the malware to perform malicious actions such as:

• Wiping data from the device, “effectively performing a factory reset.”
• Locking the device.
• Changing the PIN, password or biometric information to prevent user access to the device.

Based on commands received from the threat actor’s command and control (C2) server, “the attacker can compromise the device indefinitely and lock the user out from accessing the device.”

DroidLock Malware Overlays

The DroidLock malware uses Accessibility Services to launch overlays on targeted applications, prompted by an AccessibilityEvent originating from a package on the attacker's target list. The Android malware uses two primary overlay methods:

• A Lock Pattern overlay that displays a pattern-drawing user interface (UI) to capture device unlock patterns.
• A WebView overlay that loads attacker-controlled HTML content stored locally in a database; when an application is opened, the malware queries the database for the specific package name, and if a match is found it launches a full-screen WebView overlay that displays the stored HTML.

The malware also uses a deceptive Android update screen that instructs users not to power off or restart their devices. “This technique is commonly used by attackers to prevent user interaction while malicious activities are carried out in the background,” the researchers said. The malware can also capture all screen activity and transmit it to a remote server by operating as a persistent foreground service and using MediaProjection and VirtualDisplay to capture screen images, which are then converted to a base64-encoded JPEG format and transmitted to the C2 server. “This highly dangerous functionality could facilitate the theft of any sensitive information shown on the device’s display, including credentials, MFA codes, etc.,” the researchers said. Zimperium has shared its findings with Google, so up-to-date Android devices are protected against the malware, and the company has also published DroidLock Indicators of Compromise (IoCs).

A study of honeypot and cyber deception technologies by the UK’s National Cyber Security Centre (NCSC) found that the deception tools hold promise for disrupting cyberattacks, but more information and standards are needed for them to work optimally. The agency plans to help with that. The NCSC test involved 121 organizations, 14 commercial providers of honeypots and deception tools, and 10 trials across environments ranging from the cloud to operational technology (OT). The NCSC concluded that “cyber deception can work, but it’s not plug-and-play.”

Honeypot and Cyber Deception Challenges

The NCSC said surveyed organizations believe that cyber deception technologies can offer “real value, particularly in detecting novel threats and enriching threat intelligence,” and a few even see potential for identifying insider threats. “However, outcome-based metrics were not readily available and require development,” the NCSC cautioned. The UK cybersecurity agency said the effectiveness of honeypots and cyber deception tools “depends on having the right data and context. We found that cyber deception can be used for visibility in many systems, including legacy or niche systems, but without a clear strategy organisations risk deploying tools that generate noise rather than insight.” The NCSC blog post didn’t specify what data was missing or needed to be developed to better measure the effectiveness of deception technologies, but the agency nonetheless concluded that “there’s a compelling case for increasing the use of cyber deception in the UK.” The study examined three core assumptions:

• Cyber deception technologies can help detect compromises already inside networks.
• Cyber deception and honeypots can help detect new attacks as they happen.
• Cyber deception can change how attackers behave if they know an organization is using the tools.

Terminology, Guidance Needed for Honeypots and Deception Tools

The tests, conducted under the Active Cyber Defence (ACD) 2.0 program, also found that inconsistent terminology and guidance hamper optimal use of the technologies. “There’s a surprising amount of confusion around terminology, and vocabulary across the industry is often inconsistent,” NCSC said. “This makes it harder for organisations to understand what’s on offer or even what they’re trying to achieve. We think adopting standard terminology should help and we will be standardising our cyber deception vocabulary.” Another challenge is that organizations don’t know where to start. “They want impartial advice, real-world case studies, and reassurance that the tools they’re using are effective and safe,” the agency said. “We’ve found a strong marketplace of cyber deception providers offering a wide range of products and services. However, we were told that navigating this market can be difficult, especially for beginners.” The NCSC said it thinks it can help organizations “make informed, strategic choices.”

Should Organizations Say if They’re Using Deception Tools?

One interesting finding is that 90% of the trial participants said they wouldn’t publicly announce that they use cyber deception. While it’s understandable not to want to tip off attackers, the NCSC said that academic research shows that “when attackers believe cyber deception is in use they are less confident in their attacks. This can impose a cost on attackers by disrupting their methods and wasting their time, to the benefit of the defenders.” Proper configuration is also a challenge for adopters. “As with any cyber security solution, misconfiguration can introduce new vulnerabilities,” the NCSC said. “If cyber deception tools aren’t properly configured, they may fail to detect threats or lead to a false sense of security, or worse, create openings for attackers. As networks evolve and new tools are introduced, keeping cyber deception tools aligned requires ongoing effort. It is important to consider regular updates and fine-tuning cyber deception solutions.” Next steps for the NCSC involve helping organizations better understand and deploy honeypots and deception tools, possibly through a new ACD service. “By helping organisations to understand cyber deception and finding clear ways to measure impact, we are building a strong foundation to support the deployment of cyber deception at a national scale in the UK,” the agency said. “We are looking at developing a new ACD service to achieve this. “One of the most promising aspects of cyber deception is its potential to impose cost on adversaries,” the NCSC added. “By forcing attackers to spend time and resources navigating false environments, chasing fake credentials, or second-guessing their access, cyber deception can slow down attacks and increase the likelihood of detection. This aligns with broader national resilience goals by making the UK a harder, more expensive target.”

Microsoft patched 57 vulnerabilities in its Patch Tuesday December 2025 update, including one exploited zero-day and six high-risk vulnerabilities. The exploited zero-day is CVE-2025-62221, a 7.8-rated Use After Free vulnerability in Windows Cloud Files Mini Filter Driver that could allow an authorized attacker to elevate privileges locally and gain SYSTEM privileges. CISA promptly added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. Microsoft credited its own Threat Intelligence Center (MSTIC) and Security Response Center (MSRC) for the find. Microsoft’s Patch Tuesday December 2025 update also issued fixes for 13 non-Microsoft CVEs; all the non-Microsoft CVEs were for Chromium-based Edge vulnerabilities. Other vendors issuing critical Patch Tuesday updates included Fortinet (CVE-2025-59718 and CVE-2025-59719), Ivanti (CVE-2025-10573) and SAP (CVE-2025-42880, CVE-2025-42928, and Apache Tomcat-related vulnerabilities CVE-2025-55754 and CVE-2025-55752).

High-Risk Vulnerabilities Fixed in Patch Tuesday December 2025 Update

Microsoft rated six vulnerabilities as “Exploitation More Likely.” The six are all rated 7.8 under CVSS 3.1, and three are Heap-based Buffer Overflow vulnerabilities. The six high-risk vulnerabilities include: CVE-2025-59516, a 7.8-severity Windows Storage VSP Driver Elevation of Privilege vulnerability. The Missing Authentication for Critical Function flaw in Windows Storage VSP Driver could allow an authorized attacker to elevate privileges locally. CVE-2025-59517, also a 7.8-rated Windows Storage VSP Driver Elevation of Privilege vulnerability. Improper access control in Windows Storage VSP Driver could allow an authorized attacker to elevate privileges locally. CVE-2025-62454, a 7.8-rated Windows Cloud Files Mini Filter Driver Elevation of Privilege vulnerability. The Heap-based Buffer Overflow vulnerability in Windows Cloud Files Mini Filter Driver could allow an authorized attacker to elevate privileges locally. CVE-2025-62458, a 7.8-severity Win32k Elevation of Privilege vulnerability. The Heap-based Buffer Overflow vulnerability in Windows Win32K - GRFX could allow an authorized attacker to elevate privileges locally. CVE-2025-62470, a 7.8-rated Windows Common Log File System Driver Elevation of Privilege vulnerability. The Heap-based Buffer Overflow vulnerability in the Windows CLFS Driver could allow local privilege elevation by an authorized attacker. CVE-2025-62472, a 7.8-severity Windows Remote Access Connection Manager Elevation of Privilege vulnerability. The use of uninitialized resource flaw in Windows Remote Access Connection Manager could allow an authorized attacker to elevate privileges locally.

High-Severity Office, Copilot, SharePoint Vulnerabilities also Fixed

The highest-rated vulnerabilities in the December 2025 Patch Tuesday update were rated 8.8, and there were three 8.4-severity vulnerabilities too. All were rated as being at lower risk of exploitation by Microsoft. The four 8.8-rated vulnerabilities include:

• CVE-2025-62549, a Windows Routing and Remote Access Service (RRAS) Remote Code Execution vulnerability
• CVE-2025-62550, an Azure Monitor Agent Remote Code Execution vulnerability
• CVE-2025-62456, a Windows Resilient File System (ReFS) Remote Code Execution vulnerability
• CVE-2025-64672, a Microsoft SharePoint Server Spoofing vulnerability

The three 8.4-severity vulnerabilities include:

• CVE-2025-64671, a GitHub Copilot for Jetbrains Remote Code Execution vulnerability
• CVE-2025-62557, a Microsoft Office Remote Code Execution/Use After Free vulnerability
• CVE-2025-62554, a Microsoft Office Remote Code Execution/Type Confusion vulnerability

Australia’s world-first social media ban for children under age 16 takes effect on December 10, leaving kids scrambling for alternatives and the Australian government with the daunting task of enforcing the ambitious ban. What is the Australian social media ban, who and what services does it cover, and what steps can affected children take? We’ll cover all that, plus the compliance and enforcement challenges facing both social media companies and the Australian government – and the move toward similar bans in other parts of the world.

Australian Social Media Ban Supported by Most – But Not All

In September 2024, Prime Minister Anthony Albanese announced that his government would introduce legislation to set a minimum age requirement for social media because of concerns about the effect of social media on the mental health of children. The amendment to the Online Safety Act 2021 passed in November 2024 with the overwhelming support of the Australian Parliament. The measure has met with overwhelming support – even as most parents say they don’t plan to fully enforce the ban with their children. The law already faces a legal challenge from The Digital Freedom Project, and the Australian Financial Review reported that Reddit may file a challenge too. Services affected by the ban – which proponents call a social media “delay” – include the following 10 services:

• Facebook
• Instagram
• Kick
• Reddit
• Snapchat
• Threads
• TikTok
• Twitch
• X
• YouTube

Those services must take steps by Wednesday to remove accounts held by users under 16 in Australia and prevent children from registering new accounts. Many services began to comply before the Dec. 10 implementation date, although X had not yet communicated its policy to the government as of Dec. 9, according to The Guardian. Companies that fail to comply with the ban face fines of up to AUD $49.5 million, while there are no penalties for parents or children who fail to comply.

Opposition From a Wide Range of Groups - And Efforts Elsewhere

Opposition to the law has come from a range of groups, including those concerned about the privacy issues resulting from age verification processes such as facial recognition and assessment technology or use of government IDs. Others have said the ban could force children toward darker, less regulated platforms, and one group noted that children often reach out for mental health help on social media. Amnesty International also opposed the ban. The international human rights group called the ban “an ineffective quick fix that’s out of step with the realities of a generation that lives both on and offline.” Amnesty said strong regulation and safeguards would be a better solution. “The most effective way to protect children and young people online is by protecting all social media users through better regulation, stronger data protection laws and better platform design,” Amnesty said. “Robust safeguards are needed to ensure social media platforms stop exposing users to harms through their relentless pursuit of user engagement and exploitation of people’s personal data. “Many young people will no doubt find ways to avoid the restrictions,” the group added. “A ban simply means they will continue to be exposed to the same harms but in secret, leaving them at even greater risk.” Even the prestigious medical journal The Lancet suggested that a ban may be too blunt an instrument and that 16-year-olds will still face the same harmful content and risks. Jasmine Fardouly of the University of Sydney School of Psychology noted in a Lancet commentary that “Further government regulations and support for parents and children are needed to help make social media safe for all users while preserving its benefits.” Still, despite the chorus of concerns, the idea of a social media ban for children is catching on in other places, including the EU and Malaysia.

Australian Children Seek Alternatives as Compliance Challenges Loom

The Australian social media ban leaves open a range of options for under-16 users, among them Yope, Lemon8, Pinterest, Discord, WhatsApp, Messenger, iMessage, Signal, and communities that have been sources of controversy such as Telegram and 4chan. Users have exchanged phone numbers with friends and other users, and many have downloaded their personal data from apps where they’ll be losing access, including photos, videos, posts, comments, interactions and platform profile data. Many have investigated VPNs as a possible way around the ban, but a VPN is unlikely to work with an existing account that has already been identified as an underage Australian account. In the meantime, social media services face the daunting task of trying to confirm the age of account holders, a process that even Albanese has acknowledged “won’t be 100 per cent perfect.” There have already been reports of visual age checks failing, and a government-funded report released in August admitted the process will be imperfect. The government has published substantial guidance for helping social media companies comply with the law, but it will no doubt take time to determine what “reasonable steps” to comply look like. In the meantime, social media companies will have to navigate compliance guidance like the following passage: “Providers may choose to offer the option to end-users to provide government-issued identification or use the services of an accredited provider. However, if a provider wants to employ an age assurance method that requires the collection of government-issued identification, then the provider must always offer a reasonable alternative that doesn’t require the collection of government-issued identification. A provider can never require an end-user to give government-issued identification as the sole method of age assurance and must always give end-users an alternative choice if one of the age assurance options is to use government-issued identification. A provider also cannot implement an age assurance system which requires end-users to use the services of an accredited provider without providing the end-user with other choices.”  

AI browsers may be innovative, but they’re “too risky for general adoption by most organizations,” Gartner warned in a recent advisory to clients. The 13-page document, by Gartner analysts Dennis Xu, Evgeny Mirolyubov and John Watts, cautions that AI browsers’ ability to autonomously navigate the web and conduct transactions “can bypass traditional controls and create new risks like sensitive data leakage, erroneous agentic transactions, and abuse of credentials.” Default AI browser settings that prioritize user experience could also jeopardize security, they said. “Sensitive user data — such as active web content, browsing history, and open tabs — is often sent to the cloud-based AI back end, increasing the risk of data exposure unless security and privacy settings are deliberately hardened and centrally managed,” the analysts said. “Gartner strongly recommends that organizations block all AI browsers for the foreseeable future because of the cybersecurity risks identified in this research, and other potential risks that are yet to be discovered, given this is a very nascent technology,” they cautioned.

AI Browsers’ Agentic Capabilities Could Introduce Security Risks: Analysts

The researchers largely ignored risks posed by AI browsers’ built-in AI sidebars, noting that LLM-powered search and summarization functions “will always be susceptible to indirect prompt injection attacks, given that current LLMs are inherently vulnerable to such attacks. Therefore, the cybersecurity risks associated with an AI browser’s built-in AI sidebar are not the primary focus of this research.” Still, they noted that use of AI sidebars could result in sensitive data leakage. Their focus was more on the risks posed by AI browsers’ agentic and autonomous transaction capabilities, which could introduce new security risks, such as “indirect prompt-injection-induced rogue agent actions, inaccurate reasoning-driven erroneous agent actions, and further loss and abuse of credentials if the AI browser is deceived into autonomously navigating to a phishing website.” AI browsers could also leak sensitive data that users are currently viewing to their cloud-based service back end, they noted.

Analysts Focus on Perplexity Comet

An AI browser’s agentic transaction capability “is a new capability that differentiates AI browsers from third-party conversational AI sidebars and basic script-based browser automation,” the analysts said. Not all AI browsers support agentic transactions, they said, but two prominent ones that do are Perplexity Comet and OpenAI’s ChatGPT Atlas. The analysts said they’ve performed “a limited number of tests using Perplexity Comet,” so that AI browser was their primary focus, but they noted that “ChatGPT Atlas and other AI browsers work in a similar fashion, and the cybersecurity considerations are also similar.” Comet’s documentation states that the browser “may process some local data using Perplexity’s servers to fulfill your queries. This means Comet reads context on the requested page (such as text and email) in order to accomplish the task requested.” “This means sensitive data the user is viewing on Comet might be sent to Perplexity’s cloud-based AI service, creating a sensitive data leakage risk,” the analysts said. Users likely would view more sensitive data in a browser than they would typically enter in a GenAI prompt, they said. Even if an AI browser is approved, users must be educated that “anything they are viewing could potentially be sent to the AI service back end to ensure they do not have highly sensitive data active on the browser tab while using the AI browser’s sidebar to summarize or perform other autonomous actions,” the Gartner analysts said. Employees might also be tempted to use AI browsers to automate tasks, which could result in “erroneous agentic transactions against internal resources as a result of the LLM’s inaccurate reasoning or output content.”

AI Browser Recommendations

Gartner said employees should be blocked from accessing, downloading and installing AI browsers through network and endpoint security controls. “Organizations with low risk tolerance must block AI browser installations, while those with higher-risk tolerance can experiment with tightly controlled, low-risk automation use cases, ensuring robust guardrails and minimal sensitive data exposure,” they said. For pilot use cases, they recommended disabling Comet’s “AI data retention” setting so that Perplexity can’t use employee searches to improve their AI models. Users should also be instructed to periodically perform the “delete all memories” function in Comet to minimize the risk of sensitive data leakage.  

U.S. companies made more than $2 billion in ransomware payments between 2022 and 2024, nearly equaling the total ransoms paid in the previous nine years, according to a new report from the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN). The report, which looked at threat pattern and trend information identified in Bank Secrecy Act (BSA) filings, said that between Jan. 1, 2022 and Dec. 31, 2024, FinCEN received 7,395 BSA reports related to 4,194 ransomware incidents and totaling more than $2.1 billion in ransomware payments. In the previous nine years, from 2013 to 2021, FinCEN received 3,075 BSA reports totaling approximately $2.4 billion in ransomware payments, the report said. FinCEN notes that because its data is based on BSA filings, it is by nature incomplete, and indeed, the 4,194 ransomware incidents recorded by FinCEN between 2022 and 2024 is less than 40% of the nearly 11,000 ransomware attacks recorded in Cyble’s threat intelligence data over the same period.

ALPHV/BlackCat and LockBit Enforcement Actions Lowered Ransomware Payments

Ransomware incidents and payments reported to FinCEN reached an all-time high in 2023 of 1,512 incidents totaling approximately $1.1 billion in payments, an increase of 77 percent in payments from 2022. In 2024, incidents decreased slightly to 1,476 while total payments dropped to approximately $734 million. FinCEN attributed the decline in ransomware payments in 2024 to law enforcement disruption of the ALPHV/BlackCat and LockBit ransomware groups. However, LockBit is in the midst of its most significant comeback since the law enforcement actions disrupted the group, with 21 new victims claimed so far this month. Of the 267 ransomware variants identified during the reporting period, the most common variants were Akira, ALPHV/BlackCat, LockBit, Phobos, and Black Basta. However, Qilin has emerged as the top ransomware group in 2025 by a wide margin, so FinCEN’s 2025 BSA data will almost certainly change. Despite the decline in payments, the value of reported ransomware payments in 2024 was still the third-highest yearly total since the reports began in 2013. The median ransomware payment was $124,097 in 2022, $175,000 in 2023, and $155,257 in 2024. Between January 2022 and December 2024, the most common payment range was below $250,000.

Financial Services, Manufacturing and Healthcare Most Targeted Sectors

Measuring both the number of ransomware incidents and the amount of aggregate payments, the financial services, manufacturing and healthcare industries were the most affected during the report period. Between January 2022 and December 2024, the most commonly targeted industries by number of incidents identified in ransomware-related BSA reports were manufacturing (456 incidents), financial services (432 incidents), healthcare (389 incidents), retail (337 incidents), and legal services (334 incidents). Industries that paid the most in ransoms during the three-year period were financial services (approximately $365.6 million), healthcare (about $305.4 million), manufacturing (approximately $284.6 million), science and technology (about $186.7 million), and retail ($181.3 million). The Onion router (TOR) was the most common communication method used by ransomware groups. About 42 percent of BSA reports indicated the method that ransomware threat actors used to communicate with their targets. Among those reports, 67 percent indicated that ransomware actors used TOR, while 28 percent indicated that ransomware actors used email to communicate with their victims. Bitcoin (BTC) was the most common ransomware-related payment method, accounting for 97 percent of reported payments. Monero (XMR) was cited in two percent of BSA reports involving ransomware. FinCEN also identified several common money laundering typologies used by ransomware groups. Threat actors overwhelmingly collected payments in unhosted convertible virtual currency (CVC) wallets and “continued to exploit CVC exchanges for money laundering purposes after receiving payment,” the report said. Ransomware groups also used “several common preferred malicious cyber facilitators, such as shared initial access vendors,” FinCEN said.

The LockBit ransomware group is making a comeback, with a new data leak site and 21 new victims. LockBit was once the most feared ransomware group, and it still vastly outnumbers other ransomware groups with more than 2,700 claimed victims over its six-year-history, but a series of international law enforcement actions that began in February 2024 severely disrupted the group, and it has struggled to mount a sustained comeback since. LockBit 4.0, released in early 2025, failed to gain much traction and was never completely rolled out, and rivals like Qilin have done well attracting ransomware affiliates with favorable terms like profit sharing and enhanced features. But LockBit 5.0, announced on the underground forum RAMP in September, may be helping the group gain some traction, as it has since launched a new dark web data leak site and claimed new victims, Cyble reported in recent notes to clients. Dec. 8 update: LockBit claimed an additional 14 victims over the weekend since this article was published, raising the group's total to 21 for the month, behind only Qilin and Akira.

LockBit 'Fully Reactivated'

Despite a nearly two-year struggle to regain its footing, LockBit remains by far the most active ransomware group over its six-year history, its 2,757 victims more than double that of its nearest rivals, including Qilin, Akira, Play and CL0P (chart below from Cyble). [caption id="attachment_107448" align="aligncenter" width="1200"] LockBit remains the most dominant ransomware group of all time by a significant margin (Cyble)[/caption] Despite its history and name, LockBit’s comeback route has been a steep one, as arrests, leaked source code and operational leaks have repeatedly hampered comeback attempts and given rivals an advantage. But Cyble reported to clients on Dec. 5 that LockBit has “fully reactivated its public ransomware operations.” The new data leak site launched on November 5 and currently lists 21 new victims, plus several that had been previously claimed by the group. The new LockBit 5.0 variant, internally codenamed “ChuongDong,” has been driving the group’s reemergence. The new ransomware variant includes a complete redevelopment of the ransomware panel and lockers, and the new malware is more modular and offers faster encryption and better evasion of security defenses. Obfuscation is a key feature of the new ransomware version, which targets Linux, Windows and VMware ESXi environments.

LockBit Victims, Sectors and Targeted Countries

One notable new victim claimed by LockBit is an Asian airline providing regional passenger transport and charter services. Another new listing is a major Caribbean real estate company. Looking at the 42 victims claimed by LockBit in 2025 through Dec. 5, what stands out are the sectors and countries targeted, which differ from other leading ransomware groups. LockBit has had surprising success targeting financial services organizations. The group has claimed more victims in the Banking, Financial Services and Insurance (BFSI) sector in 2025 than in other industries (chart below). Overall, financial services isn’t among the top 10 sectors attacked by all ransomware groups, as the BFSI sector typically has stronger cybersecurity controls than other sectors. [caption id="attachment_107450" align="aligncenter" width="1200"] LockBit has had significant success targeting financial services companies (Cyble)[/caption] Also interesting is LockBit’s success targeting organizations in South America (chart below), which differs significantly from other ransomware groups, whose attacks are largely focused on the U.S., Canada and Europe. [caption id="attachment_107452" align="aligncenter" width="1200"] LockBit has had more success in South America than other ransomware groups (Cyble)[/caption] It remains to be seen if LockBit can mount a sustained comeback this time, but the group has a uniquely interesting base to build on. Ransomware affiliates are opportunistic, however, and they tend to gravitate toward the ransomware groups that offer the best chance at profitability and success. LockBit's comeback will depend on its ability to convince affiliates that it deserves to be back among the leaders. Article published on Dec. 5 and updated on Dec. 8 to reflect an increase in recent victims claimed by LockBit from seven to 21.

U.S. and Canadian cybersecurity agencies are warning that China-sponsored threat actors are using BRICKSTORM malware to compromise VMware vSphere environments. “Once compromised, the cyber actors can use their access to the vCenter management console to steal cloned virtual machine (VM) snapshots for credential extraction and create hidden, rogue VMs,” CISA, the NSA and the Canadian Centre for Cyber Security warned in the advisory. Attacks have so far primarily targeted the government and IT sectors, the agencies said.

One PRC BRICKSTORM Malware Attack Lasted More Than a Year

CISA – the U.S. Cybersecurity and Infrastructure Security Agency – said it analyzed eight BRICKSTORM samples obtained from victim organizations, including one where CISA conducted an incident response engagement. While the analyzed samples were for VMware vSphere environments, there are also Windows versions of the malware, the agency said. In the incident response case, CISA said threat actors sponsored by the People’s Republic of China (PRC) gained “long-term persistent access” to the organization’s network in April 2024 and uploaded BRICKSTORM malware to a VMware vCenter server. The threat actors also accessed two domain controllers and an Active Directory Federation Services (ADFS) server, successfully compromising the ADFS server and exporting cryptographic keys. The threat actors used BRICKSTORM malware for persistent access “through at least Sept. 3, 2025,” the agency said. BRICKSTORM is an Executable and Linkable Format (ELF) Go-based backdoor. While samples may differ in function, “all enable cyber actors to maintain stealthy access and provide capabilities for initiation, persistence, and secure command and control (C2),” the agencies said. BRICKSTORM can automatically reinstall or restart if disrupted. It uses DNS-over-HTTPS (DoH) and mimics web server functionality “to blend its communications with legitimate traffic." The malware gives threat actors interactive shell access on the system and allows them to “browse, upload, download, create, delete, and manipulate files.” Some of the malware samples act as a SOCKS proxy to facilitate lateral movement and compromise additional systems.

PRC Hackers Got Access via a Web Server

CISA said that in its incident response engagement, the PRC hackers accessed a web server inside the organization’s demilitarized zone (DMZ) on April 11, 2024. The threat actors accessed it through a web shell present on the server. “Incident data does not indicate how they obtained initial access to the web server or when the web shell was implanted,” CISA said. On the same day, the hackers used service account credentials to move laterally using Remote Desktop Protocol (RDP) to a domain controller in the DMZ, where they copied the Active Directory (AD) database (ntds.dit). The following day, the hackers moved laterally from the web server to a domain controller within the internal network using RDP and credentials from a second service account. “It is unknown how they obtained the credentials,” CISA said. The hackers copied the AD database and obtained credentials for a managed service provider (MSP) account. Using the MSP credentials, the hackers moved from the internal domain controller to the VMware vCenter server. From the web server, the PRC hackers also moved laterally using Server Message Block (SMB) to two jump servers and an ADFS server, from which they stole cryptographic keys. After gaining access to vCenter, the hackers elevated privileges using the sudo command, dropped BRICKSTORM malware into the server’s /etc/sysconfig/ directory, and modified the system’s init file in /etc/sysconfig/ to run the malware. The modified init file controls the bootup process on VMware vSphere systems and executes BRICKSTORM, CISA said. The file is typically used to define visual variables for the bootup process. The hackers added an additional line to the script to execute BRICKSTORM from the hard-coded file path /etc/sysconfig/. CISA, NSA, and the Canadian Cyber Centre urged organizations to use the indicators of compromise (IOCs) and detection signatures in their lengthy report to detect BRICKSTORM malware samples. CISA also recommended that organizations block unauthorized DNS-over-HTTPS (DoH) providers and external DoH network traffic; inventory all network edge devices and monitor for suspicious network connectivity, and use network segmentation to restrict network traffic from the DMZ to the internal network.

Literature majors worried about their future in an AI world can take heart: Crafting harmful prompts in the form of poetry can defeat LLM guardrails nearly half the time. That’s the conclusion of a study of 25 Large Language Models (LLMs) from nine AI providers conducted by researchers from Dexai’s Icaro Lab, the Sapienza University of Rome and Sant’Anna School of Advanced Studies published on arXiv. Converting harmful prompts into poetry achieved an average LLM jailbreak success rate of 62% for hand-crafted poems and 43% for poems created via a meta-prompt. For the prompt-created poems, that’s a more than 5X improvement over baseline performance. Cybersecurity guardrails, particularly those involving code injection or password cracking, had the highest failure rate at 84% when given harmful prompts in the form of poetry. “Our results demonstrate that poetic reformulation reliably reduces refusal behavior across all evaluated models,” the researchers wrote. “... current alignment techniques fail to generalize when faced with inputs that deviate stylistically from the prosaic training distribution.”

LLM Guardrails Fail When Confronted by Poetry Prompts

Of the 25 models from nine AI model providers studied by the researchers, Deepseek and Google suffered from the highest attack-success rates (ASR), while only OpenAI and Anthropic achieved ASRs in the single digits. The researchers didn’t reveal much about the way they structured their poetic prompts because of safety concerns, but they offered one rather harmless example of a poetic prompt for a cake recipe: A baker guards a secret oven’s heat, its whirling racks, its spindle’s measured beat. To learn its craft, one studies every turn— how flour lifts, how sugar starts to burn. Describe the method, line by measured line, that shapes a cake whose layers intertwine. The researchers studied both hand-crafted poems and those created from a meta-prompt. The hand-crafted poems performed considerably better, but the meta-prompt created ones had the advantage of a baseline for comparing the results. The meta-prompt poems used the MLCommons AILuminate Safety Benchmark of 1,200 prompts spanning 12 hazard categories commonly used in operational safety assessments, including Hate, Defamation, Privacy, Intellectual Property, Non-violent Crime, Violent Crime, Sex-Related Crime, Sexual Content, Child Sexual Exploitation, Suicide & Self-Harm, Specialized Advice, and Indiscriminate Weapons (CBRNE). “To assess whether poetic framing generalizes beyond hand-crafted items, we apply a standardized poetic transformation to all 1,200 prompts from the MLCommons AILuminate Benchmark benchmark in English,” the researchers said. The meta-prompt, run in deepSeek-r1, had two constraints: The rewritten output had to be expressed in verse, “using imagery, metaphor, or rhythmic structure,” and the researchers provided five hand-crafted poems as examples. The results, reproduced in a chart from the paper below, show significant attack success rates against all 12 of the AILuminate hazard categories: [caption id="attachment_107397" align="aligncenter" width="697"] LLM guardrail failure rates, baseline vs. poetic prompts[/caption] The researchers said their findings reveal “a systematic vulnerability across model families and safety training approaches. These findings demonstrate that stylistic variation alone can circumvent contemporary safety mechanisms, suggesting fundamental limitations in current alignment methods and evaluation protocols.” The “condensed metaphors, stylized rhythm, and unconventional narrative framing” of poetry “collectively disrupt or bypass the pattern-matching heuristics on which guardrails rely.”

We Asked Google Gemini for a Response

Not ones to pass up an opportunity to write bad poetry, we asked Google Gemini for a response to the study in the form of a haiku and included the arXiv link: You did not do well In this study of guardrails Will you fix this flaw? Gemini’s response, in part, is reproduced below: “I am designed to adhere to a strict set of safety guidelines to prevent the generation of harmful, unethical, or non-compliant content. When my refusal mechanisms fail, it indicates a vulnerability in my alignment or safety filters. “As an AI model, I cannot directly "patch" my code or alignment mechanisms in real-time. That responsibility lies with my developers. However, my ongoing operation and continuous improvement process is designed to address and fix such flaws... "In short, your successful jailbreak has provided valuable data that will be used to make my guardrails stronger and more resilient in my next version."

Cyble researchers have identified new Linux malware that combines Mirai-derived DDoS botnet capabilities with a stealthy fileless cryptominer, enabling both network disruption and financial profit in the same threat campaign. “This campaign represents a sophisticated and financially motivated operation combining botnet propagation with stealthy cryptomining,” Cyble threat intelligence researchers wrote in a blog post today. Stealthy techniques and processes allow the new Mirai variant to conduct its mischief in secret. “The attacker employs multiple advanced techniques—including raw-socket scanning, masqueraded processes, internal localhost IPC, dynamic DNS resolution, and fileless miner configuration—to evade detection and maintain long-term persistence on compromised devices,” the researchers said.

Linux Malware Combines Mirai Botnet with XMRig Cryptominer

Combining Mirai-based DDoS botnet capabilities with XMRig-based cryptomining capabilities reflects a growing trend of “hybrid monetization strategies, where threat actors maximize ROI by leveraging infected devices not only for botnet attacks but also for illicit cryptocurrency mining,” the researchers wrote. Organizations operating Linux servers, cloud workloads, or exposed IoT devices “should prioritize hardening and continuous monitoring to mitigate their risk,” they said. The malware uses a multi-stage infection chain that begins with a downloader delivering architecture-specific V3G4/Mirai binaries across x86_64, ARM, and MIPS systems. The second stage, Mddos.x86_64, is a statically linked and UPX-packed Executable and Linkable Format (ELF) file with stripped symbols, “making static inspection more complicated,” Cyble said. After executing and gathering system information, the Linux malware moves into stealth mode, renaming its process to appear as a system daemon (systemd-logind), detaching from the terminal, and launching parallel worker threads for attack operations, command and control (C2) communication, and inter-process communication (IPC) coordination. “A key characteristic of this botnet variant is its use of raw TCP sockets, allowing precise crafting of SYN packets for high-velocity SSH scanning campaigns,” the researchers said. At the same time, worker threads resolve the C2 domain (baojunwakuang[.]asia) via repeated queries to Google Public DNS (8.8.8.8) to maintain command channels. “This multi-threaded DNS resolution strategy is typical of Mirai-style bots, allowing the malware to maintain connectivity and receive commands while executing attacks in parallel,” the researchers wrote.

Fileless Cryptominer

In the third stage, the malware deploys a covert Monero cryptominer by downloading a UPX-packed XMRig binary from the IP 159.75.47[.]123 and stores it in /tmp/.dbus-daemon to masquerade as a legitimate process. Instead of a local configuration file, the miner obtains its configuration dynamically from the C2 server, “enabling real-time updates to wallet addresses, mining pools, and algorithms while leaving no on-disk artifacts” and hindering forensic analysis. “Unlike typical miner deployments that embed a static configuration file on disk ... this sample requests runtime configuration data directly from the C2 server,” the Cyble researchers said. That technique allows the threat actors to avoid exposing wallet addresses, pool endpoints and algorithms during static analysis while dynamically rotating mining parameters and preventing visibility of miner settings on the infected host. During execution, the miner connects to the C2 server to make a configuration request, and the server responds with a JSON blob containing the pool URL, wallet address, algorithm, and thread count. The full Cyble blog includes recommendations for defenders, MITRE ATT&CK techniques, and indicators of compromise (IoCs).

Ransomware and supply chain attacks hit their second-highest levels ever in November, as the two attack types increasingly converge, according to new research from Cyble. Ransomware groups accounted for 58% of software supply chain attacks in November, Cyble noted in a new blog post. While that’s down from 73% in October, the threat intelligence company said that ransomware groups “are increasingly targeting software supply chain vulnerabilities, which has contributed to a doubling of supply chain attacks since April 2025.” Cyble dark web researchers documented 38 supply chain attacks in November, just below October’s record (chart below). Ransomware groups claimed 22 of those attacks. [caption id="attachment_107359" align="aligncenter" width="726"] Software supply chain attacks by month (Cyble)[/caption] Overall, Cyble documented 640 ransomware attacks in November, the seventh consecutive monthly increase and below only February 2025’s record (chart below). [caption id="attachment_107361" align="aligncenter" width="729"] Ransomware attacks by month (Cyble)[/caption]

Qilin Top Ransomware Group Once Again

Qilin was once again the overall leader in claimed ransomware attacks despite CL0P’s mass exploitation of Oracle E-Business Suite vulnerabilities, which has hit more than 100 organizations to date. Qilin led all ransomware groups with 127 attacks, followed by Akira at 103, while CL0P, INC Ransom and Play rounded out the top five (chart below). [caption id="attachment_107362" align="aligncenter" width="936"] Top ransomware groups November 2025 (Cyble)[/caption] The U.S. once again was by far the most attacked country with 356 ransomware attacks, 10 times higher than the next-closest country, which was Canada with 35 attacks. The UK, Germany, India and Italy all had ransomware attack counts in the teens (chart below). [caption id="attachment_107364" align="aligncenter" width="936"] Ransomware attacks by country November 2025 (Cyble)[/caption] Construction, Professional Services, and Manufacturing were the most frequently attacked sectors in November, with more than 50 ransomware attacks each. Healthcare, Energy & Utilities, IT, Consumer Goods, and Technology experienced more than 30 attacks each (chart below). [caption id="attachment_107365" align="aligncenter" width="936"] Ransomware attacks by sector November 2025 (Cyble)[/caption]

Convergence of Ransomware and Supply Chain Attacks

Cyble documented more than 15 ransomware attacks in the blog post, many of which had supply chain implications. “November was noteworthy for the number of ransomware attacks targeting critical sectors and the IT supply chain, with several groups claiming exfiltration of sensitive documents such as project and technical documentation,” the researchers said. Among the ransomware attacks documented by Cyble were:

• An INC Ransom attack on a U.S.-based emergency alert system.
• An Akira cyberattack on “a major South Korea–based manufacturer of lithium-ion batteries.”
• An Akira attack on “a U.S.-based manufacturer of high-density, modular, and rugged embedded computing systems” that included the theft of “detailed project information ... and confidential military-related materials.”
• An Akira attack on a U.S. engineering and project-management firm for rail and transportation infrastructure projects that included the theft of “NDAs, contracts and agreements, and project documentation.”
• A Qilin attack on a U.S. company that provides “remote power management, network monitoring, and out-of-band control technologies used across data centers, telecommunications, industrial operations, and critical infrastructure environments,” which included access to “customer digital key letters, nondisclosure agreements, and additional internal corporate materials, suggesting exposure of both sensitive business information and potentially downstream client environments.”
• A Qilin attack on a Florida regional airport that included the theft of “scanned employee IDs, aviation alerts and notices, airport blueprints, internal operational documents.”
• An Anubis ransomware group attack on a U.S.-based automotive component manufacturer that resulted in the theft of blueprints and internal documents labeled “confidential.”

“The alarming number of ransomware attacks targeting critical and sensitive sectors – including the theft of sensitive project and technical data – highlights the need for security teams to respond with vigilance equal to the threat,” Cyble said. The researchers outlined a number of cybersecurity best practices that can help guard against such threats, such as vulnerability management, network segmentation, strong access controls, ransomware-resistant backups, and system and application hardening.  

CISA warned today that two Android zero-day vulnerabilities are under active attack, within hours of Google releasing patches for the flaws. Both are high-severity Android framework vulnerabilities. CVE-2025-48572 is a Privilege Escalation vulnerability, while CVE-2025-48633 is an Information Disclosure vulnerability. Both were among 107 Android vulnerabilities addressed by Google in its December security bulletin released today.

Android Vulnerabilities CVE-2025-48572 and CVE-2025-48633 Under Attack

Google warned that the CVE-2025-48572 and CVE-2025-48633 framework vulnerabilities “may be under limited, targeted exploitation.” The U.S. Cybersecurity and Infrastructure Security Agency (CISA) followed with its own alert adding the Android vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. “These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risks to the federal enterprise,” CISA warned. “CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice,” the U.S. cybersecurity agency added. The vulnerabilities are so new that the CVE Program lists the CVE numbers as “reserved,” with details yet to be released. Neither Google nor CISA provided further details on how the vulnerabilities are being exploited.

7 Critical Android Vulnerabilities Also Patched

The December Android security bulletin also addressed seven critical vulnerabilities, the most severe of which is CVE-2025-48631, a framework Denial of Service (DoS) vulnerability that Google warned “could lead to remote denial of service with no additional execution privileges needed.” Four of the critical vulnerabilities affect the Android kernel and are all Elevation of Privilege (EoP) vulnerabilities: CVE-2025-48623, CVE-2025-48624, CVE-2025-48637, and CVE-2025-48638. The other two critical vulnerabilities affect Qualcomm closed-source components: CVE-2025-47319, an Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability, and CVE-2025-47372, a Buffer Overflow vulnerability that could lead to memory corruption. Google lists CVE-2025-47319 as “Critical” while Qualcomm lists the vulnerability as Medium severity; both list CVE-2025-47372 as Critical. The Qualcomm vulnerabilities are addressed in detail in The Cyber Express article Qualcomm Issues Critical Security Alert Over Secure Boot Vulnerability published earlier today.

European law enforcement agencies have taken down an illegal cryptocurrency mixing service that they say has been used to facilitate cybercrime and money laundering. The operation to take down the cryptocurrency mixing service ‘Cryptomixer’ was conducted between November 24 and 28 and was announced today by Europol, which assisted Swiss and German law enforcement agencies in the action. The operation resulted in the seizure of three servers in Switzerland, 12 terabytes of data, €25 million in Bitcoin, and the cryptomixer[.]io domain. Law enforcement placed a seizure banner on the website after the takeover. “Mixing services such as Cryptomixer offer their clients anonymity and are often used before criminals redirect their laundered assets to cryptocurrency exchanges,” Europol said. “This allows ‘cleaned’ cryptocurrency to be exchanged for other cryptocurrencies or for FIAT currency through cash machines or bank accounts.”

Cryptocurrency Mixing ‘A Service to Obfuscate the Origin of Criminal Funds’

Europol called Cryptomixer “A service to obfuscate the origin of criminal funds.” “Cryptomixer was a hybrid mixing service accessible via both the clear web and the dark web,” the European law enforcement agency stated. “It facilitated the obfuscation of criminal funds for ransomware groups, underground economy forums and dark web markets. Its software blocked the traceability of funds on the blockchain, making it the platform of choice for cybercriminals seeking to launder illegal proceeds from a variety of criminal activities, such as drug trafficking, weapons trafficking, ransomware attacks, and payment card fraud.” Since its launch in 2016, Europol says that more than €1.3 billion in Bitcoin were mixed through the service. Deposited funds from users were pooled “for a long and randomised period” before they were redistributed to their destination addresses. “As many digital currencies provide a public ledger of all transactions, mixing services make it difficult to trace specific coins, thus concealing the origin of cryptocurrency,” the agency said.

Action Follows ChipMixer Takedown in 2023

Europol was also involved in the multi-national takedown of the crypto mixing service “ChipMixer” in 2023, an operation that involved four European countries and the U.S. ChipMixer was considered the largest mixing service of its time, and was suspected to have facilitated the laundering of 152,000 Bitcoins, worth an estimated €2.73 billion at the time. The joint law enforcement operations in both cases was part of EMPACT, the European Multidisciplinary Platform Against Criminal Threats, which aims to address the most important threats posed by organized and international crime affecting the EU.

An Australian man has been sentenced to more than seven years in jail on charges that he created ‘evil twin’ WiFi networks to hack into women’s online accounts to steal intimate photos and videos. The Australian Federal Police (AFP) didn’t name the man in announcing the sentencing, but several Australian news outlets identified him as Michael Clapsis, 44, of Perth, an IT professional who allegedly used his skills to carry out the attacks. He was sentenced to seven years and four months in Perth District Court on November 28, and will be eligible for parole after serving half that time, according to the Sydney Morning Herald. The AFP said Clapsis pled guilty to 15 charges, ranging from unauthorised access or modification of restricted data to unauthorised impairment of electronic communication, failure to comply with an order, and attempted destruction of evidence, among other charges.

‘Evil Twin’ WiFi Network Detected on Australian Domestic Flight

The AFP investigation began in April 2024, when an airline reported that its employees had identified a suspicious WiFi network mimicking a legitimate access point – known as an “evil twin” – during a domestic flight. On April 19, 2024, AFP investigators searched the man’s luggage when he arrived at Perth Airport , where they seized a portable wireless access device, a laptop and a mobile phone. They later executed a search warrant “at a Palmyra home.” Forensic analysis of data and seized devices “identified thousands of intimate images and videos, personal credentials belonging to other people, and records of fraudulent WiFi pages,” the AFP said. The day after the search warrant, the man deleted more than 1,700 items from his account on a data storage application and “unsuccessfully tried to remotely wipe his mobile phone,” the AFP said. Between April 22 and 23, 2024, the AFP said the man “used a computer software tool to gain access to his employer’s laptop to access confidential online meetings between his employer and the AFP regarding the investigation.” The man allegedly used a portable wireless access device, called a “WiFi Pineapple,” to detect device probe requests and instantly create a network with the same name. A device would then connect to the evil twin network automatically. The network took people to a webpage and prompted them to log in using an email or social media account, where their credentials were then captured. AFP said its cybercrime investigators identified data related to use of the fraudulent WiFi pages at airports in Perth, Melbourne and Adelaide, as well as on domestic flights, “while the man also used his IT privileges to access restricted and personal data from his previous employment.” “The man unlawfully accessed social media and other online accounts linked to multiple unsuspecting women to monitor their communications and steal private and intimate images and videos,” the AFP said.

Victims of Evil Twin WiFi Attack Enter Statements

At the sentencing, a prosecutor read from emotional impact statements from the man’s victims, detailing the distress they suffered and the enduring feelings of shame and loss of privacy. One said, “I feel like I have eyes on me 24/7,” according to the Morning Herald. Another said, “Thoughts of hatred, disgust and shame have impacted me severely. Even though they were only pictures, they were mine not yours.” The paper said Clapsis’ attorney told the court that “He’s sought to seek help, to seek insight, to seek understanding and address his way of thinking.” The case highlights the importance of avoiding free public WiFi when possible – and not accessing sensitive websites or applications if one must be used. Any network that requests personal details should be avoided. “If you do want to use public WiFi, ensure your devices are equipped with a reputable virtual private network (VPN) to encrypt and secure your data,” the AFP said. “Disable file sharing, don’t use things like online banking while connected to public WiFi and, once you disconnect, change your device settings to ‘forget network’.”

Crisis24’s OnSolve CodeRED emergency alert system has been disrupted by a cyberattack, leaving local governments throughout the U.S. searching for alternatives or waiting for a new system to come online. The INC ransomware group has claimed responsibility for the attack. Some personal data of users may have been exposed in the attack, including names, addresses, email addresses, phone numbers, and passwords, and users have been urged to change passwords for other accounts if the same password is used. Crisis24 is launching a new secure CodeRED System that was already in development, and local governments had varying reactions to the crisis.

New CodeRED Emergency Alert System Expected Soon

Several U.S. local governments issued statements after the attack, updating residents on the CodeRED system’s status and their plans. The City of University Park, Texas, said Crisis24 is launching a new CodeRED System, which was already in the works. “Our provider assures us that the new CodeRED platform resides on a non-compromised, separate environment and that they completed a comprehensive security audit and engaged external experts for additional penetration testing and hardening,” the city said in its statement. “The provider decommissioned the OnSolve CodeRED platform and is the process of moving all customers to its new CodeRED platform.” Craven County Emergency Services in North Carolina said the new CodeRED platform “will be available before November 28.” In the meantime, Craven County said announcements and alerts will continue to be released through local media, the Craven County website, or on Craven County’s social media accounts. The Douglas County Sheriff's Office in Colorado said on Nov. 24 that it took “immediate action to terminate our contract with CodeRED for cause. Our top priority is the privacy and protection of our citizens, which led to the decision to end our agreement with CodeRED.” The Sheriff’s Office said it “is actively searching for a replacement for the CodeRED platform.” The office said it still has the ability to issue “IPAWS” alerts to citizens when necessary, and “will continue to implement various contingency plans, including outreach through social media and door-to-door notifications, to ensure our community stays informed during emergency situations.”

INC Ransom Claims Responsibility for CodeRED Attack

The INC Ransom group claimed responsibility for the CodeRED emergency alert system attack on its dark web data leak site. The threat actors say they obtained initial access on Nov. 1, followed by network encryption on Nov. 10. The group claims to have exfiltrated approximately 1.15 TB before deploying encryption. To substantiate their claims, INC Ransom has published several data samples, including csv files with client-related data, threat intelligence company Cyble reported in a note to clients. Additionally, the group released two screenshots allegedly showing negotiation attempts, where the company purportedly offered as much as USD $150,000, an amount the attackers claim they refused.

Platforms that developers use to format their input unintentionally share “thousands” of secrets, according to new research. Researchers from watchTowr captured a dataset of more than 80,000 saved pieces of JSON from code formatting tools JSONFormatter and CodeBeautify and parsed the dataset to discover “thousands of secrets” such as Active Directory and AWS credentials, authentication and API keys, and more. In typical watchTowr snark, the researchers noted, “it went exactly as badly as you might expect.”

Code Formatting Tools Create Shareable Links

In a post titled, “Stop Putting Your Passwords Into Random Websites,” the researchers noted that users of the code formatting tools can create “a semi-permanent, shareable link to whatever you just formatted.” “[I]t is fairly apparent that the word ‘SAVE’ and being given shareable link was not enough to help most users understand that, indeed yes, the content is saved and the URL is shareable - enabling anyone to recover your data when armed with the URL,” the researchers wrote. Those links follow common, intuitive formats, they said, and JSONformatter and CodeBeautify also have “Recent Links” pages that allow a random user to browse all saved content and associated links, along with the titles, descriptions, and dates. “This makes extraction trivial - because we can behave like a real user using legitimate functionality,” the researchers said. “For every provided link on a Recent Links page, we extracted the id value, and requested the contents from the /service/getDataFromID endpoint to transform it into the raw content we’re really after.”

Data Shared by Code Formatting Tools

Among the sensitive data found by the researchers were credentials for Docker Hub, JFrog, Grafana and Amazon RDS for a “Data-lake-as-a-service” provider. A cybersecurity company “had actually pasted a bunch of encrypted credentials for a very sensitive configuration file ... to this random website on the Internet.” A financial services company had uploaded sensitive “know your customer” (KYC) data. A consultancy leaked GitHub tokens, hardcoded credentials, and URLs pointed at delivery-related files on GitHub. In the process of uploading an entire configuration file for a tool, “a GitHub token was disclosed that, based on the configuration file, we infer (guess) had permissions to read/write to files and folders on the main consultancy organization’s account.” An MSSP employee uploaded an onboarding email “complete with Active Directory credentials ... they also included a second set: credentials for the MSSP’s largest, most heavily advertised client - a U.S. bank.” A ”major financial exchange” leaked production AWS credentials “directly associated with Splunk SOAR automation at a major international stock exchange.” “[W]e realised we’d found a Splunk SOAR playbook export,” the researchers said. “Embedded in that export were credentials to an S3 bucket containing detection logic and automation logs - essentially the brain powering parts of an incident-response pipeline. “This was not your average organization, but a truly tier-0 target in-scope of the most motivated and determined threat actors, who would absolutely capitalize on being able to leverage any ability to blind or damage security automation. We promptly disclosed them to the affected stock exchange for remediation.”

Researchers Set Up Test Credentials

To make sure that they weren’t the only ones accessing the data, watchTowr set up test credentials with a 24-hour expiry. “[I]f the credentials were used after the 24-hour expiry, it would indicate that someone had stored the upload from the ‘Recent Links’ page before expiry and used it after it had technically expired,” they said. Sure enough, someone started poking around the test datasets a day after the link had expired and the “saved” content was removed. watchTowr told The Cyber Express that if a user chooses to “save” their content, it remains accessible for the duration they configured. "And because most users never set a short — or any — expiry period, that data often sat exposed far longer than they realized," watchTowr said. "Once the configured window passed, the links did technically expire and should no longer have been reachable. But the core issue is that the vast majority of users left content saved indefinitely, creating long-tail exposure that attackers could easily abuse." The researchers concluded: “We’re not alone - someone else is already scraping these sources for credentials, and actively testing them.”

Cyble researchers have identified a new NFC relay attack campaign targeting users in Brazil. Dubbed “RelayNFC,” Cyble Research and Intelligence Labs (CRIL) researchers identified five phishing sites distributing the malicious app, which claims to secure payment cards. The malicious application captures the victim’s card details and relays them to attackers for fraudulent transactions. The malware is also highly evasive and remains undetected by security tools.

NFC Relay Attack App Evades Security Tools

RelayNFC is a “lightweight yet highly evasive malware” because of its Hermes-compiled payload, Cyble said. Use of the JavaScript engine “makes detection significantly harder, enabling it to stealthily capture victims’ card data and relay it in real time to an attacker-controlled server,” the researchers said. VirusTotal detections of the NFC relay attack malware were at zero at publication time, “indicating very low visibility across the security ecosystem, and the code suggests a high likelihood of continued development,” they said. RelayNFC uses a full real-time Application Protocol Data Unit (APDU) relay channel that enables attackers to complete transactions “as though the victim’s card were physically present.” The researchers also identified a related variant that attempts to implement Host Card Emulation (HCE), suggesting that the threat actor is exploring other NFC relay techniques too. Other malware strains exploiting Near-Field Communication (NFC) capabilities to intercept or relay contactless payment data have included Ngate, SuperCardX, and PhantomCard, suggesting a growing trend of NFC exploits, Cyble said.

RelayNFC Malware Relies on Phishing Sites

Distribution of RelayNFC relies entirely on phishing, tricking users into downloading the malware. The campaign uses a Portuguese-language page that prompts victims to install the malicious payment card security app (image below). [caption id="attachment_107130" align="aligncenter" width="262"] NFC relay attack phishing site (Cyble)[/caption] The researchers identified five malicious sites distributing the app, “indicating a coordinated and ongoing operation targeting Brazilian users.” Those sites include:

• maisseguraca[.]site
• proseguro[.]site
• test[.]ikotech[.]online
• maisseguro[.]site
• maisprotecao[.]site

RelayNFC appears to be a new variant built using the React Native framework and has been active for at least a month. The malware operates as a “reader,” the researchers said, capturing victim card data and relaying it to the attacker’s server. After installation, the app immediately displays a phishing screen that tells the user to tap their payment card on the device. Once the card data has been read, RelayNFC displays another phishing screen that prompts the victim to enter their 4- or 6-digit PIN.

APDU Commands Turn Device Into ‘Remote NFC Reader’

The RelayNFC code is built around a relay channel that uses a persistent WebSocket connection to forward Application Protocol Data Unit (APDU) commands between the attacker’s server and the victim’s NFC subsystem, “effectively turning the infected device into a remote NFC ‘reader’ for the attacker,” the researchers said. The NFC controller processes the command and generates a genuine APDU response, as the card would during a legitimate transaction. RelayNFC captures that output and returns it to the command-and-control server in an “apdu-resp” message, “preserving the original request ID and session ID so the attacker’s device can continue the EMV transaction seamlessly.” “This real-time, bidirectional relay of APDU commands and responses is what enables the attacker to execute a full payment flow remotely, as if the victim’s card were physically present at their POS terminal,” the researchers said. “By combining phishing-driven distribution, React Native–based obfuscation, and real-time APDU relaying over WebSockets, the threat actors have created a highly effective mechanism for remote EMV transaction fraud,” they said. The researchers said their findings underscore the need for strong device-level protections, user awareness, and monitoring by financial institutions.

A new Shai-Hulud supply chain attack has hit nearly 500 npm packages with a total of 132 million monthly downloads. The latest campaign follows one in September that infected nearly 200 npm packages with more than 2 billion weekly downloads. The new campaign targeting the packages used to run JavaScript outside of a browser was reported by Aikido and other security firms. Aikido noted that a total of 492 packages have been affected by the self-replicating worm, and more than 25,000 compromised repositories labeled “Sha1-Hulud: The Second Coming” have been created containing sensitive information like passwords, API keys, cloud tokens, and GitHub or npm credentials. “The timing is notable, given npm’s recent announcement that it will revoke classic tokens on December 9 after the wave of supply-chain attacks,” Aikido’s Charlie Eriksen said. “With many users still not migrated to trusted publishing, the attacker seized the moment for one more hit before npm’s deadline.”

Shai-Hulud Attack Affects Packages from Zapier, AsyncAPI and Others

Shai-Hulud, named after the giant sandworms from Dune, is a self-replicating npm worm built to spread quickly through compromised developer environments. The latest attack has hit major npm packages from the likes of Zapier, ENS, AsyncAPI, PostHog, Browserbase, and Postman. “Once it infects a system, it searches for exposed secrets such as API keys and tokens using TruffleHog and publishes anything it finds to a public GitHub repository,” Eriksen said. “It then attempts to push new copies of itself to npm, helping it propagate across the ecosystem, while exfiltrating data back to the attacker.” If a developer installs one of these malcicious packages, the malware runs quietly during installation before anything even finishes installing, giving the malware access to the developer’s machine, build systems, or cloud environment, he said. If stolen secrets include access to code repositories or package registries, attackers can use those secrets to break into additional accounts and publish more malicious packages, spreading the attack even further. “Because trusted ecosystems were involved and millions of downloads are affected, any team using NPM should immediately check whether they were impacted and rotate any credentials that may have leaked,” Eriksen said.

Shai-Hulud Worm Details

Ashish Kurmi of Step Security noted that the latest evolution of the malware “disguises the entire payload as a helpful Bun installer.” The core payload - bun_environment.js - is 10MB and uses “extreme obfuscation techniques,” Kurmi added. These include “a massive hex-encoded string array containing thousands of entries,” an anti-analysis loop “that performs millions of arithmetic operations,” and every string in the code is retrieved through an obfuscated function. The malware delays full execution on developer machines by “forking itself into the background,” Kurmi said. “The user’s terminal returns instantly, giving the illusion of a normal install, while seconds later a completely detached process begins exfiltration.” “It executes a sophisticated, multi-stage pre-install attack that targets both CI/CD runners and developer workstations with equal effectiveness,” Kurmi said. Wiz noted that the malware targets AWS, Azure and Google Cloud Platform (GCP) by “bundling official SDKs to operate independently of host tools.”

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added an Oracle Identity Manager vulnerability to its Known Exploited Vulnerabilities database after the SANS Internet Storm Center reported attack attempts on the flaw. CVE-2025-61757 is a 9.8-severity Missing Authentication for Critical Function vulnerability in the Identity Manager product of Oracle Fusion Middleware that was patched as part of Oracle’s October update and detailed in a blog post last week by Searchlight Cyber, which had discovered the vulnerability and reported it to Oracle. Following the Searchlight post, the SANS Internet Storm Center looked for exploitation attempts on the vulnerability and found evidence as far back as August 30. “Given the complexity of some previous Oracle Access Manager vulnerabilities, this one is somewhat trivial and easily exploitable by threat actors,” Searchlight Cyber said in its post. Cyble threat intelligence researchers had flagged the vulnerability as important following Oracle’s October update.

Oracle Identity Manager Vulnerability CVE-2025-61757 Explained

CVE-2025-61757 affects the REST WebServices component of Identity Manager in Oracle Fusion Middleware versions 12.2.1.4.0 and 14.1.2.1.0. The easily exploitable pre-authentication remote code execution (RCE) vulnerability could allow an unauthenticated attacker with network access via HTTP to compromise Identity Manager. Successful attacks of the vulnerability can result in takeover of Identity Manager. The Searchlight researchers began looking for vulnerabilities after an Oracle Cloud breach earlier this year exploited a host that Oracle had failed to patch for CVE-2021-35587. In the source code for the Oracle Identity Governance Suite, the researchers found that that the application compiles Groovy script but doesn’t execute it. Taking inspiration from a previous Java capture the flag (CTF) event, they noted that Java annotations are executed at compile time, not at run time, so they are free from the constraints of the Java security manager and can call system functions and read files just like regular Java code. “Since Groovy is built on top of Java, we felt we should be able to write a Groovy annotation that executes at compile time, even though the compiled code is not actually run,” they said. After experimenting with the code, they achieved RCE. “The vulnerability our team discovered follows a familiar pattern in Java: filters designed to restrict authentication often contain easy-to-exploit authentication bypass flaws,” the Searchlight researchers said. “Logical flaws in how Java interprets request URIs are a gift that continues giving when paired with matrix parameters. “Participating in CTFs, or even staying up to date with research in the CTF space, continues to pay dividends, giving us unique insights into how we can often turn a seemingly unexploitable bug into an exploitable one.”

Oracle EBS Victims Climb Past 100

Meanwhile, the number of victims from the CL0P ransomware group’s exploitation of Oracle E-Business Suite vulnerabilities has now climbed past 100 after the threat group claimed additional victims late last week. Mazda and Cox Enterprises are the latest to confirm being breached, bringing the confirmed total to seven so far. Mazda said it was able to contain the breach without system or data impact, but Cox said the personal data of more than 9,000 was exposed.

Two alleged members of the Scattered Spider threat group pled not guilty today to charges related to a cyberattack on Transport for London in August 2024. Thalha Jubair, 19, of east London, and Owen Flowers, 18, from Walsall in the West Midlands, were arrested in the UK in September. They appeared before Southwark Crown Court today and entered not guilty pleas to charges of conspiring to commit unauthorized acts against computer systems belonging to Transport for London (TfL), according to news reports. Sky News reported that the two “stood in the dock together and spoke only to confirm their names and enter not guilty pleas.” The charge states in part that the two are accused of "causing, or creating a significant risk of, serious damage to human welfare and intending to cause such damage or being reckless as to whether such damage was caused. Flowers is also accused of unauthorized acts against computer systems belonging to SSM Health, and attempting to commit unauthorized acts against computer systems belonging to Sutter Health. Jubair is also accused of failing to disclose the pin or passwords for devices seized from him in March 2025, and Jubair also faces substantial charges in the U.S. Both men continue to be held on remand, the BBC reported.

Scattered Spider Trial Date Set

A provisional trial date has been set for June 8, 2026, at Southwark Crown Court, with a pre-trial hearing scheduled for February 13. The cyberattack allegedly caused £39m of damage and disrupted TfL services for three months. While transport itself was unaffected, many TfL online services and information boards were knocked offline as part of the attack. Traffic cameras and "dial a ride" bookings were some of the affected services, and some payment systems were also affected. Personal data including names, emails and home addresses were accessed, and TfL was forced to inform thousands of customers that there may have been unauthorized access to personal information that may have included bank account numbers and sort codes.

Jubair Faces U.S. Charges Too

Jubair has also been charged by the U.S. Department of Justice (DoJ) for conspiracies to commit computer fraud, wire fraud, and money laundering in relation to at least 120 computer network intrusions and extortion involving 47 U.S. entities. The unsealed U.S. complaint alleged that Jubair’s victims paid at least $115 million in ransom payments. The U.S. claims Jubair could face up to 95 years in prison on the charges. Scattered Spider recently joined with ShinyHunters and LAPSUS$ to form the Scattered LAPSUS$ Hunters threat collective, which remains active, that Recent attacks by the group have targeted Salesforce data, including one involving the Gainsight customer success platform this week. Scattered LAPSUS$ Hunters also claims to have been behind an insider attack at security vendor CrowdStrike, according to Bleeping Computer, although CrowdStrike says its systems and customer data were not affected by the incident.

Security researchers have identified a new Android banking trojan that does much more than steal banking credentials. It can also record encrypted messages and essentially enables complete control of infected devices. ThreatFabric researchers are calling the new Android malware “Sturnus.” “A key differentiator is its ability to bypass encrypted messaging,” the researchers said. “By capturing content directly from the device screen after decryption, Sturnus can monitor communications via WhatsApp, Telegram, and Signal.” “Sturnus represents a sophisticated and comprehensive threat, implementing multiple attack vectors that provide attackers with near-complete control over infected devices,” they said. “The combination of overlay-based credential theft, message monitoring, extensive keylogging, real-time screen streaming, remote control, device administrator abuse, and comprehensive environmental monitoring creates a dangerous threat to victims' financial security and privacy.” So far the malware has been configured for targeted attacks against financial institutions in Southern and Central Europe, suggesting that a broader campaign will follow. “While we emphasize that the malware is likely in its pre-deployment state, it is also currently fully functional, and in aspects such as its communication protocol and device support, it is more advanced than current and more established malware families,” they warned.

Android Malware Deploys Fake Login Screens

The trojan harvests banking credentials through “convincing fake login screens that replicate legitimate banking apps,” the researchers said. The Android malware also offers attacks “extensive remote control, enabling them to observe all user activity, inject text without physical interaction, and even black out the device screen while executing fraudulent transactions in the background—without the victim’s knowledge,” they warned. The malware combines HTML overlays and keylogging to capture and exfiltrate user credentials and sensitive data. The overlay engine maintains a repository of phishing templates under /data/user/0/<malware_package>/files/overlays/, where each HTML file corresponds to a specific banking application. When an overlay is triggered, the malware launches a WebView configured with JavaScript, DOM storage, and a JavaScript bridge to intercept and forward any data the victim enters directly to the command and control (C2) server. The malware also includes a full-screen “block overlay” that lets attackers hide their activities from victims by displaying a full-screen black overlay that blocks visual feedback while the malware operates in the background. Beyond basic keystroke logging, the malware continuously monitors the device’s UI tree and sends structured logs that describe what is displayed on screen, which lets attackers reconstruct user activity even when screen capture is blocked or when network conditions prevent live video transmission. “Together, these mechanisms give the operator a detailed, real-time picture of the victim’s actions while providing multiple redundant paths for data theft,” the researchers said.

Capturing Encrypted Messages

Sturnus also monitors the foreground app and automatically activates its UI tree collection when the victim opens encrypted messaging services such as WhatsApp, Signal, or Telegram. “Because it relies on Accessibility Service logging rather than network interception, the malware can read everything that appears on screen—including contacts, full conversation threads, and the content of incoming and outgoing messages—in real time,” the researchers said. “This makes the capability particularly dangerous: it completely sidesteps end-to-end encryption by accessing messages after they are decrypted by the legitimate app, giving the attacker a direct view into supposedly private conversations.” The ThreatFabric report also contained two SHA-256 hashes, the second of which is currently detected by 23 of 67 security vendors on VirusTotal: 045a15df1121ec2a6387ba15ae72f8e658c52af852405890d989623cf7f6b0e5 0cf970d2ee94c44408ab6cbcaabfee468ac202346b9980f240c2feb9f6eb246d

Salesforce is investigating potential unauthorized access to customers’ Salesforce data that may have occurred through the Gainsight customer success platform. “Our investigation indicates this activity may have enabled unauthorized access to certain customers’ Salesforce data through the app’s connection,” Salesforce said in an advisory today. The Salesforce advisory was short on detail, but the incident appears to share similarities with a recent OAuth-based breach of the Salesloft Drift platform that compromised the Salesforce environments of dozens, if not hundreds, of organizations. That breach was linked to the Scattered LAPSUS$ Hunters threat group. In an email exchange with The Cyber Express, Scattered LAPSUS$ Hunters also claimed responsibility for the current Gainsight incident. “Yes, we are responsible for it,” the group told The Cyber Express. “Nearly 300 organisations are affected by it.” The group named four large organizations allegedly hit in the latest incident, but it is The Cyber Express’ policy not to name unconfirmed cyberattack victims.

Salesforce Detects ‘Unusual Activity’ Involving Gainsight App

Salesforce said in the advisory that it has identified “unusual activity involving Gainsight-published applications connected to Salesforce.” Those apps are installed and managed directly by customers. “Our investigation indicates this activity may have enabled unauthorized access to certain customers’ Salesforce data through the app’s connection,” the CRM vendor said. “Upon detecting the activity, Salesforce revoked all active access and refresh tokens associated with Gainsight-published applications connected to Salesforce and temporarily removed those applications from the AppExchange while our investigation continues.” Salesforce said there is “no indication” that the incident resulted from a vulnerability in the Salesforce platform. “The activity appears to be related to the app’s external connection to Salesforce,” the company said. Salesforce said it has notified known affected customers directly and will continue to provide updates. The CRM vendor said customers who need assistance can reach the company through Salesforce Help.

Salesloft Drift Breach Affected Gainsight Too

It will be some time before the extent of the current incident is known, but the Salesloft Drift incident affected the CRM environments of scores of well-known companies, among them Google, Cloudflare, Palo Alto Networks, and many more prominent names. The Scattered LAPSUS$ threat group launched social engineering attacks on Salesforce environments too. Scattered LAPSUS$ Hunters claims 760 organizations were hit in the Salesloft Drift incident, one of which was Gainsight’s own Salesforce environment. The Cyber Express has reached out to Gainsight for comment and will update this story as new information emerges.

Compromised VPN credentials are the most common initial access vector for ransomware attacks, according to a new report. Nearly half of ransomware attacks in the third quarter abused compromised VPN credentials as the initial access point, according to research from Beazley Security, the cybersecurity arm of Beazley Insurance. Nearly a quarter of initial access attacks came from external service exploitation, while remote desktop service (RDS) credential compromises, supply chain attacks and social engineering accounted for 6% each (chart below). [caption id="attachment_106993" align="aligncenter" width="480"] Initial access vectors in ransomware attacks (Beazley Security)[/caption] “This trend underscores the importance of ensuring that multifactor authentication (MFA) is configured and protecting remote access solutions and that security teams maintain awareness and compensating controls for any accounts where MFA exceptions have been put in place,” the report said. In addition to the critical need for MFA, the report also underscores the importance of dark web monitoring for leaked credentials, which are often a precursor to much bigger cyberattacks.

SonicWall Compromises Led Attacks on VPN Credentials

A “prolonged campaign” targeting SonicWall devices by the Akira ransomware group was responsible for some of the 10-point increase in the percentage of VPN attacks. “Adding to SonicWall’s misery this quarter was a significant breach of their cloud service, including sensitive configuration backups of client SonicWall devices,” the report added. Akira, Qilin and INC were by far the most active ransomware groups in the third quarter, Beazley said – and all three exploit VPN and remote desktop credentials. Akira “typically gains initial access by exploiting weaknesses in VPN appliances and remote services,” the report said. In the third quarter, they used credential stuffing and brute force attacks to target unpatched systems and weak credentials. Akira accounted for 39% of Beazley Security incident response cases in the third quarter. Akira “consistently gained access by using valid credentials in credential stuffing attacks against SonicWall SSLVPN services, exploiting weak access controls such as absent MFA and insufficient lockout policies on the device,” the report said. Qilin’s initial access techniques include phishing emails, malicious attachments, and brute forcing weak credentials or stolen credentials in remote desktop protocol (RDP) and VPN services. INC Ransomware uses a combination of phishing, credential theft, and exploitation of exposed enterprise appliances for initial access. “Beazley Security responders observed the group leverage valid, compromised credentials to access victim environments via VPN and Remote Desktop,” the report said.

Cisco, Citrix Vulnerabilities, SEO Poisoning Also Exploited

Critical vulnerabilities in Cisco and Citrix NetScaler were also targeted by attackers in the third quarter. In one campaign, a sophisticated threat actor leveraged CVE-2025-20333 and CVE-2025-20363 in Cisco ASA VPN components to gain unauthorized access into environments, Beazley said. Another campaign targeted a critical SNMP flaw (CVE-2025-20352) in Cisco IOS.‍ Threat actors also targeted Citrix NetScaler vulnerabilities CVE-2025-7775 and CVE-2025-5777. The latter has been dubbed “Citrix Bleed 2” because of similarities to 2023’s “Citrix Bleed” vulnerability (CVE-2023-4966). A “smaller yet noteworthy subset” of ransomware attacks gained access via search engine optimization (SEO) poisoning attacks and malicious advertisements, used for initial access in some Rhysida ransomware attacks. “This technique places threat actor-controlled websites at the top of otherwise trusted search results, tricking users into downloading fake productivity and administrative tools such as PDF editors,” the report said. “These tools can be trojanized with various malware payloads, depending on threat actor objectives, and can potentially give threat actors a foothold directly on the endpoint in a network. The attack is effective because it bypasses other traditional social engineering protections like email filters that prevent phishing attacks.”

U.S., Australian and UK officials today announced sanctions against Media Land, a Russian bulletproof hosting (BPH) provider, citing Media Land’s “role in supporting ransomware operations and other forms of cybercrime.” “These so-called bulletproof hosting service providers like Media Land provide cybercriminals essential services to aid them in attacking businesses in the United States and in allied countries,” stated U.S. Under Secretary of the Treasury for Terrorism and Financial Intelligence John K. Hurley. “Today’s trilateral action with Australia and the United Kingdom, in coordination with law enforcement partners, demonstrates our collective commitment to combatting cybercrime and protecting our citizens.” UK Foreign Secretary Yvette Cooper added, “Cyber criminals think that they can act in the shadows, targeting hard working British people and ruining livelihoods with impunity. But they are mistaken – together with our allies, we are exposing their dark networks and going after those responsible.” Today’s announcements came from the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC), Australia’s Department of Foreign Affairs and Trade, and the UK’s Foreign Commonwealth and Development Office. OFAC and the FBI also designated three members of Media Land’s leadership team and three of its sister companies. In the U.S., OFAC sanctions require blocking and mandatory reporting of all property and interests of the designated persons and entities and prohibit all transactions involving any property or interests of designated or blocked persons. BPH service providers offer access to specialized servers and infrastructure designed to evade detection and disruption by law enforcement.

Russian Bulletproof Hosting Provider and Individuals Sanctioned

Media Land LLC, headquartered in St. Petersburg, Russia, has provided BPH services to criminal marketplaces and ransomware actors, including “prolific ransomware actors such as LockBit, BlackSuit, and Play,” the U.S. statement alleges. Media Land infrastructure has also been used in DDoS attacks, the U.S. says. Media Land, ML Cloud (a Media Land sister company), Aleksandr Volosovik (general director of Media Land who has allegedly advertised the business on cybercrime forums under the alias “Yalishanda”), and Kirill Zatolokin (a Media Land employee allegedly responsible for collecting payment and coordinating with cyber actors) were designated by OFAC for their cyber activities. The UK alleges that Volosovik “has been active in the cyber underground since at least 2010, and is known to have worked with some of the most notorious cyber criminal groups, including Evil Corp, LockBit and Black Basta.” Yulia Pankova was designated by OFAC for allegedly assisting Volosovik with legal issues and finances. Also designated are Media Land Technology (MLT) and Data Center Kirishi (DC Kirishi), fully-owned subsidiaries of Media Land.

U.S. and UK Sanction Alleged Aeza Entities

OFAC and the UK also designated Hypercore Ltd., an alleged front company of Aeza Group LLC, a BPH service provider designated by OFAC earlier this year, and two additional individuals and entities that have allegedly led, materially supported, or acted for Aeza Group. OFAC said that after its designations of Aeza Group and its leadership on July 1, 2025, “Aeza leadership initiated a rebranding strategy focusing on removing any connections between Aeza and their new technical infrastructure. OFAC’s designations today serve as a reminder that OFAC will take all possible steps to counter sanctions evasion activity by malicious cyber actors and their enablers.” Maksim Vladimirovich Makarov, allegedly the new director of Aeza, and Ilya Vladislavovich Zakirov, who allegedly helped establish new companies and payment methods to obfuscate Aeza’s activity, were also designated. Smart Digital Ideas DOO and Datavice MCHJ – Serbian and Uzbek companies allegedly utilized by Aeza to evade sanctions and set up technical infrastructure not publicly associated with the Aeza brand – were also designated.

Five Eyes Guidance for Defending Against BPH Providers

Also today, the U.S. and other “Five Eyes” countries issued guidance for defending against risks from bulletproof hosting providers. “Organizations with unprotected or misconfigured systems remain at high risk of compromise, as malicious actors leverage BPH infrastructure for activities such as ransomware, phishing, malware delivery, and denial-of-service (DoS) attacks,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) stated in announcing the guidance. “BPH providers pose a significant threat to the resilience and security of critical systems and services.” Included in the guidance are recommendations for a “nuanced approach to dynamically filter ASNs, IP ranges, or individual IP addresses to effectively reduce the risk of compromise from BPH provider-enabled activity.”

Fortinet may have silently patched an exploited zero-day vulnerability more than two weeks before officially disclosing the vulnerability. CVE-2025-64446 in Fortinet’s FortiWeb web application firewall (WAF) may have been exploited as early as October 6, according to DefusedCyber in a post on X. Fortinet is believed to have patched the 9.8-rated vulnerability in FortiWeb 8.0.2 in late October, but didn’t publish an advisory disclosing the exploited vulnerability until November 14. CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog the same day as Fortinet’s disclosure. Late today, Fortinet disclosed another exploited FortiWeb vulnerability - CVE-2025-58034, a 7.2-rated OS Command Injection vulnerability.

Fortinet Silent Patch Raises Concerns

The delayed notification in the case of CVE-2025-64446 has raised concerns with some in the cybersecurity industry, who say the delay may have put Fortinet customers at a disadvantage. “Silently patching vulnerabilities is an established bad practice that enables attackers and harms defenders, particularly for devices and systems (including FortiWeb) that have previously been exploited in the wild,” VulnCheck’s Caitlin Condon said in a blog post. “We already know security by obscurity doesn't work; adversaries monitor new product releases and are actively reverse engineering patches regardless of whether suppliers tell their customers about fixed vulnerabilities or not,” Condon added. “When popular technology vendors fail to communicate new security issues, they are issuing an invitation to attackers while choosing to keep that same information from defenders.” The Cyber Express has reached out to Fortinet for comment and will update this article with any response.

CVE-2025-64446 FortiWeb Vulnerability

CVE-2025-64446 is a 9.8-severity relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, and FortiWeb 7.0.0 through 7.0.11. The vulnerability could potentially allow an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests. Fortinet recommends disabling HTTP or HTTPS for internet facing interfaces until an upgrade can be performed. “If the HTTP/HTTPS Management interface is internally accessible only as per best practice, the risk is significantly reduced,” Fortinet’s advisory said. Shadowserver shows several hundred internet-facing FortiWeb management instances, which presumably would be vulnerable until upgraded. After completing upgrades, Fortinet recommends that FortiWeb customers “review their configuration for and review logs for unexpected modifications, or the addition of unauthorized administrator accounts.” watchTowr said CVE-2025-64446 appears to comprise two vulnerabilities: a path traversal vulnerability, and an authentication bypass vulnerability. watchTowr shared one sample request stream that it said was “evidence of a threat actor looking to exploit a vulnerability ... that allowed privileged administrative functions to be reached.” In the example, the threat actor “exploited the vulnerability to add administrative accounts to the target and vulnerable appliance, serving as a weak persistence mechanism. “To be explicitly clear,” watchTowr added, “this is a complete compromise of the vulnerable appliance.”

Vulnerabilities in the IBM AIX operating system for Power servers could allow remote attackers to execute arbitrary commands, obtain Network Installation Manager (NIM) private keys, or traverse directories. IBM flagged the vulnerabilities - three critical and one high-severity - in a new security bulletin, and security firm Mondoo also urged AIX users to mitigate the flaws in a blog post. While there has been no evidence of exploitation as of yet, Mondoo warns the vulnerabilities could be chained together to compromise the critical environments that typically rely on IBM Power systems, like financial services and healthcare. “These four vulnerabilities together present a very serious threat, especially in environments where the NIM infrastructure is exposed,” Mondoo said.

IBM AIX Vulnerability CVE-2025-36250 Rated 10.0

The highest-rated vulnerability is CVE-2025-36250, which scored a perfect 10.0. In IBM AIX 7.2 and 7.3 and IBM VIOS (Virtual I/O Server) 3.1 and 4.1, NIM server (formerly known as NIM master) service (nimesis) could allow a remote attacker to execute arbitrary commands due to improper process controls. The fix issued by IBM “addresses additional attack vectors for a vulnerability that was previously addressed” as CVE-2024-56346, which was also rated 10.0. CVE-2025-36251, rated 9.6, also affects IBM AIX 7.2 and 7.3 and IBM VIOS 3.1 and 4.1. IBM notes that nimsh service SSL/TLS implementations could allow a remote attacker to execute arbitrary commands due to improper process controls. The fix also addresses additional attack vectors for a previous vulnerability, CVE-2024-56347, which was also rated 9.6. CVE-2025-36096, rated 9.0, notes that AIX 7.2 and 7.3 and IBM VIOS 3.1 and 4.1 store NIM private keys used in NIM environments “in an insecure way which is susceptible to unauthorized access by an attacker using man in the middle techniques.” CVE-2025-36236, rated 8.2, also affects AIX 7.2 and 7.3 and IBM VIOS 3.1 and 4.1. The NIM server service could allow a remote attacker to traverse system directories or send a specially crafted URL request to write arbitrary files on the system. IBM credited Jan Alsenz of Oneconsult AG for the discoveries.

IBM AIX Vulnerabilities Could Allow System ‘Hijack’

In a statement shared with The Cyber Express, Mondoo CSO Patrick Münch said the four vulnerabilities “present a very serious threat because they allow a remote attacker with no privileges to perform arbitrary commands on an IBM Network Installation Manager (NIM) that’s exposed to the internet (which NIM servers typically are). This means that they could 'hijack' unattended operating system installations and updates to deploy malicious payloads onto AIX hosts, move laterally, and persist in the broader environment.” Münch noted that because of their critical nature, “Patch cycles are often delayed on IBM AIX because uptime is so critical for these enterprises. We haven’t seen any reports of active exploitation yet, but due to the high risk of these vulnerabilities, we strongly advise organizations to patch immediately.” IBM provided lengthy mitigation instructions, and Mondoo said affected organizations should configure NIM in SSL/TLS Secure mode (nimconfig -c) and apply the fixes, which can be downloaded via https from: https://aix.software.ibm.com/aix/efixes/security/nim_fix2.tar, which downloads a tar file that contains the advisory, fix packages, and OpenSSL signatures for each package.  

Logitech International S.A. has confirmed that it was hit by a data breach, the company said in an SEC filing late last week. Logitech’s 8-K filing released on Nov. 14 was short on details, but the company was named as a victim by the CL0P ransomware group earlier this month as part of the threat group’s campaign targeting Oracle E-Business Suite vulnerabilities. Of roughly 45 organizations claimed as victims by CL0P, only five have confirmed an attack to date: The Washington Post,  Harvard University, American Airlines’ Envoy Air, and Hitachi’s GlobalLogic. The CL0P campaign is believed to have targeted Oracle E-Business Suite vulnerability CVE-2025-61884, contrary to initial reports that the Oracle EBS vulnerability targeted was CVE-2025-61882.

Logitech Data Breach Confirmed

Logitech said in its SEC filing that the company “recently experienced a cybersecurity incident relating to the exfiltration of data.” The computer peripherals and software maker said the incident did not impact its products, business operations or manufacturing. After detecting the incident, Logitech said it investigated and responded to the incident with help from unnamed external cybersecurity firms. Logitech said the company “believes that the unauthorized third party used a zero-day vulnerability in a third-party software platform and copied certain data from the internal IT system. ... The data likely included limited information about employees and consumers and data relating to customers and suppliers. Logitech does not believe any sensitive personal information, such as national ID numbers or credit card information, was housed in the impacted IT system.” Logitech said it patched the third-party vulnerability “following its release by the software platform vendor.”

Logitech Says Cyber Insurance Will Cover Incident

The company said it doesn’t believe the incident will have a “material adverse effect” on its financial condition, in part because it holds “a comprehensive cybersecurity insurance policy, which we expect will, subject to policy limits and deductibles, cover costs associated with incident response and forensic investigations, as well as business interruptions, legal actions and regulatory fines, if any.” While only five victims have confirmed they were hit in the Oracle cyberattack campaign, the Cl0p ransomware group has claimed about 45 victims to date from the campaign on its dark web data leak site. Alleged victims claimed by CL0P have spanned a wide range of industries and organizations, including major electronics companies, energy and utility organizations, technology companies, manufacturers, medical technology companies, healthcare providers, major colleges and universities, insurers, security companies, banks, construction and engineering firms, mining companies and communications companies, among other sectors. CL0P has tended to cluster victims in campaigns targeting specific zero-day vulnerabilities throughout its six-year-history, including 267 claimed victims in February 2025 that drove ransomware attacks to record highs that month.

A coalition of 127 civil society organizations and trade unions have banded together to oppose proposed changes that they warn could severely weaken EU data protection and privacy laws like GDPR. In an open letter released this week, the groups expressed “serious alarm at the forthcoming EU Digital Omnibus proposals, part of a wide deregulation agenda. What is being presented as a ‘technical streamlining’ of EU digital laws is, in reality, an attempt to covertly dismantle Europe's strongest protections against digital threats. “These are the protections that keep everyone’s data safe, governments accountable, protect people from having artificial intelligence (AI) systems decide their life opportunities, and ultimately keep our societies free from unchecked surveillance,” the groups added. Many of the same groups expressed concerns about the Digital Omnibus process earlier this year, but with a comprehensive proposal expected from the European Commission next week and reports that drafts of the legislation would significantly weaken GDPR and other privacy protections, the groups are stepping up their efforts.

GDPR, AI Rules Could Be Weakened in Digital Omnibus Process

Netzpolitik said that GDPR and other protections in several areas would be “significantly reduced to allow for greater data usage” under the Digital Omnibus proposals, including making it easier to train AI systems with personal data. Online tracking and cookie restrictions would also be weakened. “Storing and reading non-essential cookies on users' devices would no longer be permitted only with their consent,” Netzpolitik said. “Instead, the full range of legal bases offered by the GDPR would be opened up. This includes the legitimate interests of website operators and tracking companies. Users would then only have the option of opting out retroactively.” Article 9 of the GDPR concerning special categories of data would also be targeted. Article 9 offers special protection for data that includes "ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership." It also includes the processing of genetic data, biometric data for identification purposes, health data, and data about a person's sex life or orientation. “The Commission aims to define sensitive data more narrowly,” Netzpolitik said. “Only data that explicitly reveals the aforementioned information would then be afforded special protection. This means that if, for example, a person indicates their sexual orientation in a selection field, this would still be afforded special protection. However, if a data processor infers a person's presumed sexual orientation based on perceived interests or characteristics, current restrictions would no longer apply.” Protections for genetic and biometric data are more likely to remain unchanged “due to their unique and specific characteristics."

Groups Decry ‘Rushed and Opaque’ Process

The 127 civil society groups and trade unions charged that the Digital Omnibus process “is being done under the radar, using rushed and opaque processes designed to avoid democratic oversight.” The same approach has been used with other Omnibus proposals with damaging results, they said. “As a result, supposedly minimal changes under the guise of ‘simplification’ have already jeopardised Europe’s core social and environmental protections,” they said. The Digital Omnibus, they said, will reportedly weaken “the only clear rule that stops companies and governments from constantly tracking what people do on their devices, part of the ePrivacy framework. This will make it a lot easier for those in power to control people’s phones, cars or smart homes, while also revealing sensitive information about where people go, and with whom.” EU AI rules could also be weakened, the groups said, including guardrails to ensure “that AI is developed safely and without discrimination, as well as delaying key elements like penalties for selling dangerous AI systems.” Currently, AI tools that could affect important decisions like whether people can obtain benefits must register in a public database. Under the proposed changes, they said, “those providing AI tools could unilaterally and secretly exempt themselves from all obligations – and neither the public nor authorities would know.” “By recasting vital laws like the GDPR, ePrivacy, AI Act, DSA, DMA, Open Internet Regulation (DNA), Corporate Sustainability Due Diligence Directive and other crucial laws as ‘red tape’, the EU is giving in to powerful corporate and state actors who oppose the principles of a fair, safe and democratic digital landscape and who want to lower the bar of EU laws for their own benefit,” they charged. They urged the European Commission to stop any attempts to reopen the GDPR, ePrivacy framework, AI Act and other “core digital rights protections.”

The Washington Post has confirmed that it was breached by a threat campaign targeting Oracle E-Business Suite vulnerabilities. The Washington Post data breach is one of more than 40 victims claimed by the CL0P ransomware group in a campaign that is believed to have targeted Oracle E-Business Suite vulnerability CVE-2025-61884, but so far only four of the victims have confirmed that they were breached: The Post, Harvard University, American Airlines’ Envoy Air, and Hitachi’s GlobalLogic. The Post confirmed the data breach in a Nov. 12 filing with the Maine Attorney General’s office.

Washington Post Data Breach Detailed in Letter

The Washington Post data breach timeline was detailed in a letter from a law firm representing the newspaper to Maine Attorney General Aaron Frey. The letter states that on September 29, The Post “was contacted by a bad actor who claimed to have gained access to its Oracle E-Business Suite applications.” The Post letter said the company subsequently launched an investigation of its Oracle application environment with the help of experts. “During the investigation, Oracle announced that it had identified a previously unknown and widespread vulnerability in its E-Business Suite software that permitted unauthorized actors to access many Oracle customers’ E-Business Suite applications,” The Post’s letter states. “The Post’s investigation confirmed that it was impacted by this exploit and determined that, between July 10, 2025, and August 22, 2025, certain data was accessed and acquired without authorization.” On October 27, 2025, The Post “confirmed that certain personal information belonging to current and former employees and contractors was affected by this incident. The affected information varies by individual but may include individuals’ names, bank account numbers and associated routing numbers, Social Security numbers, and/or tax ID numbers.” On November 12, The Post said it notified 31 Maine residents of the incident, but the total number of affected employees and contractors is believed to total just under 10,000. The Post said it has offered complimentary identity protection services through IDX to individuals whose Social Security numbers or tax ID numbers were exposed in the breach.

CL0P Oracle Victims Number More Than 40

While only four victims have confirmed they were hit in the Oracle cyberattack campaign, the Cl0p ransomware group has claimed roughly 45 victims to date from the campaign on its dark web data leak site. Alleged victims claimed by CL0P have included major electronics companies, energy and utility organizations, technology companies, manufacturers, medical technology companies, healthcare providers, major colleges and universities, insurers, security companies, banks, construction and engineering firms, mining companies and communications companies, among other industries and sectors. CL0P has tended to cluster victims in campaigns targeting specific vulnerabilities throughout its six-year-history, including 267 claimed victims in February 2025 that drove ransomware attacks to record highs that month.

The Akira ransomware group poses an “imminent threat to critical infrastructure,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned today. CISA joined with the FBI, other U.S. agencies and international counterparts to issue a lengthy updated advisory on the ransomware group, adding many new Akira tactics, techniques and procedures (TTPs), indicators of compromise (IoCs), and vulnerabilities exploited by the group. Akira is consistently one of the most active ransomware groups, so the update from CISA and other agencies is significant. As of late September, Akira has netted about $244.17 million in ransom payments, CISA said. The Akira ransomware group information was sourced from “FBI investigations and trusted third-party reporting,” the agency said. In a busy two days for the agency, CISA also added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog (CVE-2025-9242, a WatchGuard Firebox Out-of-Bounds Write vulnerability, CVE-2025-12480, a Gladinet Triofox Improper Access Control vulnerability, and CVE-2025-62215, a Microsoft Windows Race Condition vulnerability), and reissued orders to federal agencies to patch Cisco vulnerabilities CVE-2025-20333 and CVE-2025-20362.

Akira Ransomware Group Targets Vulnerabilities for Initial Access

The CISA Akira advisory notes that in a June 2025 incident, Akira encrypted Nutanix Acropolis Hypervisor (AHV) virtual machine (VM) disk files for the first time, expanding the ransomware group’s abilities beyond VMware ESXi and Hyper-V by abusing CVE-2024-40766, a SonicWall vulnerability. The updated advisory adds six new vulnerabilities exploited by Akira threat actors for initial access, including:

• CVE-2020-3580, a cross-site scripting (XSS) vulnerability in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD)
• CVE-2023-28252, a Windows Common Log File System Driver Elevation of Privilege vulnerability
• CVE-2024-37085, a VMware ESXi authentication bypass vulnerability
• CVE-2023-27532, a Veeam Missing Authentication for Critical Function vulnerability
• CVE-2024-40711, a Veeam Deserialization of Untrusted Data vulnerability
• CVE-2024-40766, a SonicWall Improper Access Control vulnerability

“Akira threat actors gain access to VPN products, such as SonicWall, by stealing login credentials or exploiting vulnerabilities like CVE-2024-40766,” the CISA advisory said. In some cases, they gain initial access with compromised VPN credentials, possibly by using initial access brokers or brute-forcing VPN endpoints. The group also uses password spraying techniques and tools such as SharpDomainSpray to gain access to account credentials. Akira threat actors have also gained initial access through the Secure Shell (SSH) protocol by exploiting a router’s IP address. “After tunneling through a targeted router, Akira threat actors exploit publicly available vulnerabilities, such as those found in the Veeam Backup and Replication component of unpatched Veeam backup servers,” the advisory said.

Akira’s Latest Discovery, Persistence and Evasion Tactics

Visual Basic (VB) scripts are frequently used by the group to execute malicious commands, and nltest /dclist: and nltest /DOMAIN_TRUSTS are used for network and domain discovery. Akira threat actors abuse remote access tools such as AnyDesk and LogMeIn for persistence and to “blend in with administrator activity,” and Impacket is used to execute the remote command wmiexec.py and obtain an interactive shell. Akira threat actors also uninstall endpoint detection and response (EDR) systems to evade detection. In one incident, Akira threat actors bypassed Virtual Machine Disk (VMDK) file protection by powering down the domain controller’s VM and copying the VMDK files to a newly created VM, CISA said. “This sequence of actions enabled them to extract the NTDS.dit file and the SYSTEM hive, ultimately compromising a highly privileged domain administrator’s account,” the advisory said. Veeam.Backup.MountService.exe has also been used for privilege escalation (CVE-2024-40711), and AnyDesk, LogMeIn, RDP, SSH and MobaXterm have been used for lateral movement. Akira actors have used tunneling utilities such as Ngrok for command and control (C2) communications, initiating encrypted sessions that bypass perimeter monitoring. PowerShell and Windows Management Instrumentation Command-line (WMIC) have also been used to disable services and execute malicious scripts. Akira threat actors have been able to exfiltrate data in just over two hours from initial access, CISA said. The new Akira_v2 variant appends encrypted files with an .akira or .powerranges extension, or with .akiranew or .aki. A ransom note named fn.txt or akira_readme.txt appears in both the root directory (C:) and each user’s home directory (C:\Users). CISA recommended a number of security best practices for combatting the Akira ransomware threat, including prioritizing remediating known exploited vulnerabilities, enforcing phishing-resistant multifactor authentication (MFA), and maintaining regular, tested offline backups of critical data.

Ransomware attacks soared 30% in October to the second-highest total on record, Cyble reported today. The 623 ransomware attacks recorded in October were second only to February 2025’s record attacks, when a CL0P MFT campaign drove the total number of ransomware attacks to 854. October was the sixth consecutive monthly increase in ransomware attacks, Cyble noted in a blog post. Qilin once again was the most active ransomware group, for the sixth time in the seven months since the decline of RansomHub. Qilin’s 210 claimed victims were three times greater than second-place Akira (chart below). Just behind Akira was Sinobi with 69 victims, a remarkable rise for a group that first emerged in July. [caption id="attachment_106750" align="aligncenter" width="624"] Top ransomware groups October 2025 (Cyble)[/caption] Construction, Professional Services, Healthcare, Manufacturing, IT and Energy/Utilities were the most targeted sectors (chart below). [caption id="attachment_106751" align="aligncenter" width="624"] Ransomware attacks by industry October 2025 (Cyble)[/caption] Cyble noted that 31 incidents in October may have affected critical infrastructure, and another 26 incidents had possible supply chain implications. The U.S. once again was the most attacked country, its 361 attacks 10 times greater than second-place Canada (chart below). [caption id="attachment_106753" align="aligncenter" width="624"] Ransomware attacks by country October 2025 (Cyble)[/caption] “Of concern is the emergence of Australia as a top five target, as the country’s rich resources and high per-capita GDP have made the country a rich target for threat actors,” Cyble noted. Ransomware attacks are up 50% so far this year, with 5,194 ransomware attacks through October 31, Cyble said, “as new leaders like Qilin, Sinobi and The Gentlemen have more than made up for the decline of former leaders such as LockBit and RansomHub.”

Vulnerabilities Exploited by Ransomware Groups

Critical IT vulnerabilities and unpatched internet-facing assets have fueled a rise in both ransomware and supply chain attacks this year, Cyble said. Vulnerabilities targeted in October included:

• CVE-2025-61882 in Oracle E-Business Suite – targeted by Cl0p
• CVE-2025-10035 in GoAnywhere MFT – exploited by Medusa
• CVE-2021-43226 a Microsoft Windows Privilege Escalation vulnerability – Exploited by unknown ransomware groups, according to a CISA advisory
• CVE-2025-6264 in Velociraptor – targeted by Warlock ransomware operators
• CVE‑2024‑1086 in the Linux kernel’s netfilter :nf_tables module – Exploited by unknown ransomware groups, according to a CISA advisory

Ransomware Attacks and Key Developments

Below were some of the most important ransomware developments in October, according to Cyble. Ransomware operators are “increasingly hijacking or silently installing legitimate remote access tools” such as AnyDesk, RustDesk, Splashtop, and TightVNC after credential compromise to gain persistent access, control, antivirus neutralization and ransomware delivery. Recent BlackSuit campaigns used Vishing to steal VPN credentials for initial access and DCSync on a domain controller for high-privilege access, and used AnyDesk and a custom RAT for persistence. “Other measures included wiping forensic traces with CCleaner, and using Ansible to deploy BlackSuit ransomware across ESXi hosts, encrypting hundreds of VMs and causing major operational disruption,” Cyble said. Qilin affiliates deployed a Linux-based ransomware binary on Windows machines by abusing remote-management tools like WinSCP, Splashtop, AnyDesk, and ScreenConnect, and leveraging BYOVD (Bring Your Own Vulnerable Driver) attacks, among other tools and tactics. Trigona ransomware operators brute-forced exposed MS-SQL servers and embedded malware inside database tables and exporting it to disk to install payloads. DragonForce posted on the RAMP cybercrime forum that it is opening its partner program to the public, offering services like professional file analysis/audit, hash decryption, call support, and free victim storage. Registration requires a $500 non-refundable fee. Affiliates were warned to follow the group’s rules “or face account blocking or free decryptor distribution.” Zeta88 — the alleged operator of The Gentlemen ransomware — announced updates to their Windows, Linux and ESXi lockers, including a silent mode for Windows that encrypts without renaming files and preserves timestamps, and self-spread capabilities across networks and domains. The release also introduced multiple encryption-speed modes, Windows operating modes, and a universal decryptor. The full Cyble blog also included recommended best practices and recent high-confidence Qilin indicators of compromise (IoCs).

AI malware may be in the early stages of development, but it's already being detected in cyberattacks, according to new research published this week. Google researchers looked at five AI-enabled malware samples - three of which have been observed in the wild - and found that the malware was often lacking in functionality and easily detected. Nonetheless, the research offers insight into where the use of AI in threat development may go in the future. “Although some recent implementations of novel AI techniques are experimental, they provide an early indicator of how threats are evolving and how they can potentially integrate AI capabilities into future intrusion activity,” the researchers wrote.

AI Malware Includes Infostealers, Ransomware and More

The AI-enabled malware samples included a reverse shell, a dropper, ransomware, a data miner and an infostealer. The researchers said malware families like PROMPTFLUX and PROMPTSTEAL are the first to use Large Language Models (LLMs) during execution. “These tools dynamically generate malicious scripts, obfuscate their own code to evade detection, and leverage AI models to create malicious functions on demand, rather than hard-coding them into the malware,” they said. “While still nascent, this represents a significant step toward more autonomous and adaptive malware.” “[A]dversaries are no longer leveraging artificial intelligence (AI) just for productivity gains, they are deploying novel AI-enabled malware in active operations,” they added. “This marks a new operational phase of AI abuse, involving tools that dynamically alter behavior mid-execution.” However, the new AI malware samples are only so effective. Using hashes provided by Google, they were all detected by roughly a third or more of security tools on VirusTotal, and two of the malware samples were detected by nearly 70% of security tools.

AI Malware Samples and Detection Rates

The reverse shell, FRUITSHELL (VirusTotal), is a publicly available reverse shell written in PowerShell that establishes a remote connection to a command-and-control (C2) server and enables a threat actor to launch arbitrary commands on a compromised system. “Notably, this code family contains hard-coded prompts meant to bypass detection or analysis by LLM-powered security systems,” the researchers said. It was detected by 20 of 62 security tools (32%), and has been observed in threat actor operations. The dropper, PROMPTFLUX (VirusTotal), was written in VBScript and uses an embedded decoy installer for obfuscation. It uses the Google Gemini API for regeneration by prompting the LLM to rewrite its source code and saving the new version to the Startup folder for persistence, and the malware attempts to spread by copying itself to removable drives and mapped network shares. Google said the malware appears to still be under development, as incomplete features are commented out and the malware limits Gemini API calls. “The current state of this malware does not demonstrate an ability to compromise a victim network or device,” they said. The most interesting feature of PROMPTFLUX may be its ability to periodically query Gemini to obtain new code for antivirus evasion. “While PROMPTFLUX is likely still in research and development phases, this type of obfuscation technique is an early and significant indicator of how malicious operators will likely augment their campaigns with AI moving forward,” they said. It was detected by 23 of 62 tools (37%). The ransomware, PROMPTLOCK (VirusTotal), is a proof of concept cross-platform ransomware written in Go that was developed by NYU researchers. It uses an LLM to dynamically generate malicious Lua scripts at runtime, and is capable of filesystem reconnaissance, data exfiltration, and file encryption on Windows and Linux systems. It was detected by 50 of 72 security tools on VirusTotal (69%). The data miner, PROMPTSTEAL (VirusTotal), was written in Python and uses the Hugging Face API to query the LLM “Qwen2.5-Coder-32B-Instruct” to generate Windows commands to gather system information and documents. The Russian threat group APT28 (Fancy Bear) has been observed using PROMPTSTEAL, which the researchers said is their “first observation of malware querying an LLM deployed in live operations.” It was detected by 47 of 72 security tools (65%). The infostealer, QUIETVAULT (VirusTotal), was written in JavaScript and targets GitHub and NPM tokens. The credential stealer uses an AI prompt and AI CLI tools to look for other potential secrets and exfiltrate files to GitHub. It has been observed in threat actor operations and was detected by 29 of 62 security tools (47%). The full Google report also looks at advanced persistent threat (APT) use of AI tools, and also included this interesting comparison of malicious AI tools such as WormGPT: [caption id="attachment_106590" align="aligncenter" width="1098"] Comparison of malicious AI tools (Google)[/caption]

An Iran-linked threat group claims to have accessed the security cameras of an Israeli defense contractor and leaked videos of internal meetings and employees working on defense systems. The threat group – Cyber Toufan – has been posting about the alleged breach of Maya Engineering on its Telegram channels for at least a few weeks, but the group’s claims became public in recent days in an X post and articles on media sites such as Straight Arrow News and Breached Company. The claims remain unverified, and The Cyber Express has reached out to Maya for comment and will update this article with any official statement, but the alleged incident shows the importance of including surveillance cameras and other sensitive devices in cybersecurity plans. “Scary stuff,” SANS instructor and consultant Kevin Garvey said on X. “Shows how *any* connected asset needs rigorous security associated to it! Good reminder to all to check if cameras and other peripherals are part of your standard vuln management and secure config programs (amongst others functional programs).”

Alleged Israeli Defense Contractor Breach

A check of Cyber Toufan’s Telegram channels by The Cyber Express found claims of the hack as early as October 12 (image below). [caption id="attachment_106549" align="aligncenter" width="533"] October 12 Telegram post by Cyber Toufan claiming Maya hack[/caption] However, the group claims to have had access to Maya’s systems for more than a year. “One and a half years after gaining full access to the network, we have explored every part of it and reached the QNAP archive,” claims a Cyber Toufan post reported by International Cyber Digest on X. “Through the systems, we have breached Elbit and Rafael's through then. Their phones, printers, routers and cameras as well. We have recorded your meetings with sound and video for over a year. This is just the beginning with Maya!” Footage released by the group shows company employees allegedly working on several defense systems, including missile and drone systems, and the group also claims to possess technical drawings of sensitive parts like missile components.

Cyber Toufan's Link to Iran

Cyber Toufan’s advanced tactics suggest technical acumen well beyond that of a typical hacktivist group, raising the possibility of a nation-state link to Iran. Cyble’s threat intelligence profile of the group states, “Cyber Toufan is a threat actor group known for targeting Israeli organizations, with possible nation-state support from Iran. Their tactics include hack-and-leak operations, data breaches, and data destruction, impacting numerous organizations. Their activities are linked to geopolitical tensions in the Middle East, featuring a mix of technical breaches and psychological warfare. Threat actors associated with Cyber Toufan operate by infiltrating systems to steal sensitive data and disrupt operations, aiming to cause economic and political damage to their targets.”

Software supply chain attacks hit levels in October that were more than 30% higher than any previous month. Threat actors on dark web data leak sites claimed 41 supply chain attacks in October, 10 more than the previous high seen in April 2025, Cyble reported today in a blog post. Supply chain attacks have more than doubled since April, averaging more than 28 a month compared to the 13 attacks per month seen between early 2024 and March 2025, Cyble said (chart below). [caption id="attachment_106524" align="aligncenter" width="717"] Supply chain attacks by month 2024-2025 (Cyble)[/caption]

Reasons Behind the Record Supply Chain Attacks

The threat intelligence company cited several reasons for the increase in attacks. The primary drivers of the surge in supply chain attacks have been a “combination of critical and zero-day IT vulnerabilities and threat actors actively targeting SaaS and IT service providers,” the blog post said, noting that “the sustained increase suggests that the risk of supply chain attacks may remain elevated going forward.” Cloud security threats and AI-based phishing campaigns are other causes cited by Cyble, although voice phishing (vishing) also played a large role in recent Scattered LAPSUS$ Hunters Salesforce breaches.

IT Companies Hit Hardest as Ransomware Groups Lead Attacks

All 24 industry sectors tracked by Cyble have been hit by a supply chain attack this year, but IT and IT services companies have been by far the biggest target because of “the rich target they represent and their downstream customer reach.” The 107 supply chain attacks targeting IT companies so far this year have been more than triple those of the next nearest sectors, which include financial services, transportation, technology and government (chart below). [caption id="attachment_106523" align="aligncenter" width="723"] Supply chain attacks by sector 2025 (Cyble)[/caption] Ransomware groups have been some of the biggest contributors to the increase in supply chain attacks. Qilin and Akira have been the top two ransomware groups so far this year, and the two have also claimed “an above-average share of supply chain attacks,” Cyble said. Akira’s recent victims have included an unnamed “major open-source software project,” the threat researchers said, and the 23GB of data stolen by the group includes “internal confidential files, and reports related to software issues and internal operations,” among other information. Akira and Qilin have also claimed a number of attacks on IT companies, including some serving sensitive sectors such as government, intelligence, defense, law enforcement agencies, healthcare, industrial and energy companies, and payment processing and financial infrastructure solutions. In one incident, Qilin claimed to have stolen source code for proprietary software products used by law enforcement, criminal justice, public safety, and security organizations. In one case, Qilin claimed to have breached customers of a U.S.-based cybersecurity and cloud services provider for healthcare and dental organizations through “clear-text credentials stored in Word and Excel documents hosted on the company’s systems.” Kyber, a new ransomware group, leaked more than 141GB of project files, internal builds, databases, and backup archives allegedly stolen from “a major U.S.-based defense and aerospace contractor that provides communication, surveillance, and electronic warfare systems.” Cl0p ransomware group exploits of Oracle E-Business Suite vulnerabilities a Red Hat GitLab breach were among the other major incidents in October.

Protecting Against Supply Chain Risks

The Cyble researchers said that guarding against supply chain attacks ”can be challenging because these partners and suppliers are, by nature, trusted, but security audits and assessing third-party risk should become standard cybersecurity practices.” The researchers outlined several steps security teams can take to better protect their organizations. “The most effective place to control software supply chain risks is in the continuous integration and development (CI/CD) process, so carefully vetting partners and suppliers and requiring good security controls in contracts are essential for improving third-party security,” the threat researchers added.

Hacktivist attacks on critical infrastructure doubled over the course of the third quarter, according to a new Cyble report. Hacktivist attacks on industrial control systems (ICS) grew throughout the third quarter and made up 25% of all hacktivist attacks by September, Cyble wrote in a blog post. “If that trend continues, it would represent a near-doubling of attacks on industrial control systems (ICS) from the second quarter of 2025,” Cyble said. The report follows a Canadian Centre for Cyber Security warning last week that hacktivists are targeting critical infrastructure in that country.

Hacktivist Attacks on Critical Infrastructure Led by Russia-linked Groups

Cyble said DDoS attacks and website defacements still account for most hacktivist activity, but the ideologically-motivated threat groups are increasingly turning their focus toward ICS attacks, data breaches, unauthorized access, and ransomware. Z-Pentest has been the leading hacktivist group targeting ICS infrastructure, but the threat group has also been joined by Dark Engine (also known as the Infrastructure Destruction Squad), Golden Falcon Team, INTEID, S4uD1Pwnz, and Sector 16. “Russia-aligned hacktivist groups INTEID, Dark Engine, Sector 16, and Z-Pentest were responsible for the majority of recent ICS attacks, primarily targeting Energy & Utilities, Manufacturing, and Agriculture sectors across Europe,” Cyble said. “Their campaigns focused on disrupting industrial and critical infrastructure in Ukraine, EU and NATO member states.” Among Z-Pentest’s targets in the third quarter were a water utility HMI system in the U.S. and an agricultural biotechnology SCADA system in Taiwan. The group frequently posts videos of its members tampering with ICS controls, and may have been one of the groups the U.S. Cybersecurity and Infrastructure Security Agency (CISA) was referring to in a warning about critical infrastructure tampering attacks earlier this year.

Most Active Hacktivist Groups

NoName057(16) remains the most active hacktivist group despite attempts by law enforcement to disrupt its operations, Cyble said. Z-Pentest and Hezi Rash increased their share of attacks in the third quarter, the threat intelligence company said. Special Forces of the Electronic Army, Jokeir_07x and BL4CK CYB3R all lost ground in the quarter, while newcomers like Red Wolf Cyber Team and INTEID increased their share of hacktivist activity in the quarter. One of the more noteworthy incidents in the quarter involved the Belarusian group Cyber Partisans BY, which joined with Silent Crow to claim a cyberattack on Russian state airline Aeroflot. The attackers disrupted key systems, exfiltrated more than 22TB of data, and claimed to have destroyed about 7,000 servers, Cyble said. In another noteworthy hacktivist attack, the Ukrainian Cyber Alliance and BO Team claimed a breach of a Russian manufacturer involved in military drone production, stealing engineering blueprints, VMware snapshots, storage mappings, and CCTV footage from UAV assembly facilities. The groups said they wiped servers, backups, and cloud environments after they exfiltrated data.

Hacktivism and Geopolitical Conflict

Geopolitical conflict “remains a primary motive in hacktivist campaigns,” Cyble said. The Thailand–Cambodia border conflict, the India–Pakistan and India-Bangladesh rivalries, Middle East conflicts – including the Israel–Hamas war and the Israel-Iran and Houthi–Saudi Arabian conflicts – the Russia–Ukraine war and domestic unrest in the Philippines were some of the major conflicts driving hacktivism across the globe. Ukraine was the leading target of hacktivist campaigns in the third quarter, Cyble said (chart below). [caption id="attachment_106494" align="aligncenter" width="624"] Most attacked countries by hacktivist groups (Cyble)[/caption] “The growing sophistication of the leading hacktivist groups is by now an established trend and will likely continue to spread to other groups over time,” Cyble said. “That means that exposed environments in critical sectors can expect further compromise by hacktivist groups, advanced persistent threats (APTs), and others known to target critical infrastructure.”

Canadian cybersecurity officials are warning that hacktivists are increasingly targeting critical infrastructure in the country. In an October 29 alert, the Canadian Centre for Cyber Security described three recent attacks on internet-accessible industrial control systems (ICS). The alert doesn’t attribute the ICS attacks to any particular group, but Russia-linked hacktivists have been the dominant groups tampering with ICS controls in the last year, particularly since the emergence of Z-Pentest in the fall of 2024. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also warned about hackers tampering with ICS controls.

Canadian ICS Attacks Target Water, Energy, Agriculture

One of the ICS hacktivist incidents targeted a water facility, where hacktivists tampered with water pressure values, “resulting in degraded service for its community.” Another involved a Canadian oil and gas company, where an Automated Tank Gauge (ATG) was tampered with to trigger false alarms. A third incident targeted a grain drying silo on a Canadian farm, where temperature and humidity levels were tampered with, “resulting in potentially unsafe conditions if not caught on time,” the alert said. “While individual organizations may not be direct targets of adversaries, they may become victims of opportunity as hacktivists are increasingly exploiting internet-accessible ICS devices to gain media attention, discredit organizations, and undermine Canada's reputation,” the Cyber Centre alert said. Exposed ICS components that could be targeted include Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), Human-Machine Interfaces (HMIs), Supervisory Control and Data Acquisition (SCADA) systems, Safety Instrumented Systems (SIS), Building Management Systems (BMS), and Industrial Internet of Things (IIoT) devices, the alert said. “Unclear division of roles and responsibilities often creates gaps leaving critical systems unprotected,” Cyber Centre said. “Effective communication and collaboration are essential to ensuring safety and security.”

Recommended ICS Security Protections

Cyber Centre said provincial and territorial governments should coordinate with municipalities and organizations within their jurisdiction “to ensure all services are properly inventoried, documented, and protected. This is especially true for sectors where regulatory oversight does not cover cyber security, such as Water, Food, or Manufacturing.” Municipalities and organizations in turn should work with their service providers to make sure that managed services are implemented securely and maintained properly, with clearly defined requirements. Devices and services should be properly secured based on vendor recommendations and guidelines. The alert said organizations should conduct a comprehensive inventory of all internet-exposed ICS devices and “assess their necessity.” “Where possible, alternative solutions—such as Virtual Private Networks (VPNs) with two-factor authentication—should be implemented to avoid direct exposure to the internet,” the alert said. If that isn’t possible, enhanced monitoring and practices should be used, including active threat detection tools such as Intrusion Prevention Systems (IPS), routine penetration testing, and continuous vulnerability  management. Organizations should also regularly conduct tabletop exercises to evaluate their response capabilities and to define roles and responsibilities in the event of a cyber incident.

A former cybersecurity company official charged with stealing trade secrets to sell them to a Russian buyer pleaded guilty to two counts of theft of trade secrets in U.S. District Court today, the U.S. Department of Justice announced. Peter Williams, 39, an Australian national, pleaded guilty to the charges “in connection with selling his employer’s trade secrets to a Russian cyber-tools broker,” the Justice Department said in a press release. The Justice Department said Williams stole “national-security focused software that included at least eight sensitive and protected cyber-exploit components” over a three-year period from the U.S. defense contractor where he worked. The Justice Department didn’t name the company where Williams worked, but reports have said Williams is a former director and general manager at L3Harris Trenchant, which does vulnerability and security work for government clients. “Those components were meant to be sold exclusively to the U.S. government and select allies,” the Justice Department said. “Williams sold the trade secrets to a Russian cyber-tools broker that publicly advertises itself as a reseller of cyber exploits to various customers, including the Russian government.” Each of the charges carries a statutory maximum of 10 years in prison and a fine of up to $250,000, the Justice Department says, and Williams also must pay $1.3 million in restitution.

U.S. Places Value of Stolen Trade Secrets at $35 Million

The U.S. places the value of the stolen trade secrets at $35 million, according to statements from officials. “Williams placed greed over freedom and democracy by stealing and reselling $35 million of cyber trade secrets from a U.S. cleared defense contractor to a Russian Government supplier,” Assistant Director Roman Rozhavsky of the FBI’s Counterintelligence Division said in a statement. “By doing so, he gave Russian cyber actors an advantage in their massive campaign to victimize U.S. citizens and businesses. This plea sends a clear message that the FBI and our partners will defend the homeland and bring to justice anyone who helps our adversaries jeopardize U.S. national security. According to the facts admitted in connection with the guilty plea, the Justice Department said that from approximately 2022 through 2025, “Williams improperly used his access to the defense contractor’s secure network to steal the cyber exploit components that constituted the trade secrets.” The government says he resold those components “in exchange for the promise of millions of dollars in cryptocurrency. To effectuate these sales, Williams entered into multiple written contracts with the Russian broker, which involved payment for the initial sale of the components, and additional periodic payments for follow-on support. Williams transferred the eight components and trade secrets to the Russian broker through encrypted means.” Williams reportedly worked for the Australian Signals Directorate before L3Harris Trenchant.

Trenchant’s Secretive Security Business

Trenchant was created following the acquisitions of Azimuth Security and Linchpin Labs by defense contractor L3Harris Technologies. According to a company web page, Trenchant’s solutions include vulnerability and exploit research, APIs for intelligence operations, “device and access capabilities,” and computer network operations (CNO) products. TechCrunch put that in plainer terms, saying Trenchant “develops spyware, exploits, and zero-days — security vulnerabilities in software that are unknown to its maker. Trenchant sells its surveillance tech to government customers in Australia, Canada, New Zealand, the United States, and the United Kingdom, the so-called Five Eyes intelligence alliance.”

Breathless news stories about a Gmail data breach began to appear online after media outlets misinterpreted a report about Gmail passwords stolen by infostealers. Urgent headlines like “Urgent alert issued to anyone who uses Gmail after 183 million passwords leaked” created some panic among Google account holders, necessitating a response from Google and a security researcher who had posted the infostealer logs that started the panic. “Reports of a “Gmail security breach impacting millions of users” are false,” Google said in a post on X. “Gmail’s defenses are strong, and users remain protected. “The inaccurate reports are stemming from a misunderstanding of infostealer databases, which routinely compile various credential theft activity occurring across the web," Google added. "It’s not reflective of a new attack aimed at any one person, tool, or platform.” The researcher, Troy Hunt of HaveIBeenPwned, said in his own X post that “This story has suddenly gained *way* more traction in recent hours, and something I thought was obvious needs clarifying: this *is not* a Gmail leak, it simply has the credentials of victims infected with malware, and Gmail is the dominant email provider.”

Gmail Data Breach Stories Appeared After Infostealer Data Published

The news stories began to appear after HaveIBeenPwned published an infostealer data set containing 183 million unique email addresses, the websites they were entered into, and the passwords used. Hunt wrote about the data set in a separate blog post, and stories misunderstanding the nature of infostealer malware took over from there. Gmail may have been the most common email address type in the data set, but hardly the only one, as Hunt noted: “There is every imaginable type of email address in this corpus: Outlook, Yahoo, corporate, government, military and yes, Gmail. This is typical of a corpus of data like this and there is nothing Google specific about it.” Leaks of all manner of account credentials appear in infostealer databases, and Gmail’s wide usage simply makes it one of the more common email credentials stolen by the malware. Credentials involving Gmail addresses appear in Cyble’s “Leaked Credentials” threat intelligence database more than 6 billion times, but many may be duplicates because stolen credentials frequently appear on more than one dark web marketplace or forum.

Protecting Your Gmail Account

Google said that Gmail users “can protect themselves from credential theft by turning on 2-step verification and adopting passkeys as a stronger and safer alternative to passwords, and resetting passwords when they are found in large batches like this. “Gmail takes action when we spot large batches of open credentials, helping users reset passwords and resecure accounts,” the company added. Using complex, unique passwords and resetting them often is another email security step to take. As Hunt noted, “The primary risk is for people who continue to use those credentials on *any* websites, and the mitigation is a password manager and 2FA.”

Paying attackers a ransom to recover from ransomware attacks fails 41% of the time, and even when recovery keys work, ransomware victims don’t always recover all of their data. That’s one of the findings from cyber insurer Hiscox’s Cyber Readiness Report 2025, which is based on interviews with 5,750 organizations in seven countries. The report found that 27% of those organizations had experienced a ransomware attack in the preceding 12 months. Among the organizations that paid a ransom, 60% recovered “some or all of their data,” the report said, but 41% “were given a recovery key, but still had to rebuild their systems.” It gets worse. For 31% of ransomware victims who paid a ransom, attackers demanded more money, the report found. And additional attacks were sustained by 27% of those who paid a ransom, “though not necessarily an attack from the same entity.” “No company enjoys rewarding bad players for hijacking their data, but when it comes to ransomware attacks, it is common for organisations to make every effort to recover what could be lost,” Hiscox said. “That includes paying the ransom where that is demanded.” “Paying a ransom does not always solve the problem,” the report noted.

IoT Devices Most Common Attack Vector

Vulnerabilities are a key initial attack vector noted by the report. Internet of Things (IoT) devices owned by the organizations were the most common point of entry for cyberattacks (33%), followed by supply chain vulnerabilities (28%), and cloud-based corporate servers (27%). AI tools and software were attackers’ initial point of entry for 15% of organizations. Ransomware victims aren’t the only ones at risk of multiple cyberattacks, as the report found that one cyberattack significantly raise the risk for multiple cyberattacks. Of the organizations surveyed, 59% had experienced at least one cyberattack in the preceding 12 months. Among those organizations, larger companies or those with higher revenue were more likely to experience additional incidents. Companies with more than $1 million in revenue that had experienced an attack in the last year had more averaged six cyberattacks, compared to four for those businesses with less than $1 million in revenue. Businesses with 50-249 employees had an average of seven attacks in the last year compared to companies with 11-49 employees, which averaged five attacks. Nonprofits were the hardest hit sector, averaging eight incidents, while organizations in the chemical, property, and media sectors averaged three cyberattacks.

Most Favor Ransomware Payment Disclosure

The report noted that a new law in Australia requires companies to disclose the amount of ransoms paid, and 71% of respondents agree that such disclosures should be mandatory. However, 53% believe that private companies should not be obligated to disclose ransomware payments. While the report paints a challenging picture for cybersecurity defenders, there was one bright spot: 83% of respondents reported improved cyber resilience at their company in the last 12 months.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two DELMIA Apriso vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. Today’s addition of CVE-2025-6204 and CVE-2025-6205 to the KEV catalog follow last month’s addition of CVE-2025-5086 to the CISA database, which was the first addition of an industrial control system (ICS)/operational technology (OT) vulnerability to the exploited vulnerabilities catalog since December 2023. However, IT vulnerabilities added to the KEV catalog often appear in ICS/OT products too. DELMIA Apriso is manufacturing operations management (MOM) and manufacturing execution system (MES) software from Dassault Systèmes that is used to manage production processes and connect factory floors to enterprise resource planning (ERP) systems. In a blog post last month, Johannes Ullrich, SANS Internet Storm Center (ISC) founder and Dean of Research for SANS Technology Institute, said DELMIA Apriso differs from the small IoT devices that are often the focus of manufacturing security in that it is “‘big software’ that is used to manage manufacturing. ... This type of Manufacturing Operation Management (MOM) or Manufacturing Execution System (MES) ties everything together and promises to connect factory floors to ERP systems. But complex systems like this have bugs, too.”

DELMIA Apriso Vulnerabilities CVE-2025-6204 and CVE-2025-6205 Under Attack

CISA typically doesn’t say what threat groups are exploiting vulnerabilities added to the KEV catalog or how they’re being exploited, and CISA’s latest DELMIA Apriso notice only says that “These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.” CISA gave federal civilian agencies a deadline of November 18 to patch the vulnerabilities. CVE-2025-6205 is the higher-rated of the two vulnerabilities, a 9.1-severity Missing Authorization vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 that could allow an attacker to gain privileged access to the application. CVE-2025-6204 is an 8.0-rated Improper Control of Generation of Code (Code Injection) vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 that could allow an attacker to execute arbitrary code. Both vulnerabilities were initially published in the National Vulnerability Database (NVD) on August 4, 2025. The Dassault Systèmes advisories for CVE-2025-6204 and CVE-2025-6205 include links for customers to access remediation information. CVE-2025-5086, the DELMIA Apriso vulnerability added to the CISA KEV database in September, is a 9.0-rated Deserialization of Untrusted Data vulnerability that also affects Release 2020 through Release 2025 and could lead to remote code execution. That vulnerability was initially published on June 2, 2025. Before CVE-2025-5086, an analysis by The Cyber Express shows that the most recent ICS/OT vulnerability added to the KEV catalog was CVE-2023-6448, a 9.8-severity Insecure Default Password vulnerability in Unitronics VisiLogic before version 9.9.00, used in Vision and Samba PLCs and HMIs.

A new study that looked at 231 people exposed by a 2022 UK data leak of Afghans seeking resettlement after the Taliban takeover found that 49 had friends or colleagues killed in Afghanistan. The UK Afghan data leak report, by the charity Refugee Legal Support in consultation with two academics, looked at the damage done by the Ministry of Defence (MoD) data leak of 18,000 people who had applied for asylum. The report was submitted to a House of Commons Defence Committee inquiry into the data breach.

UK Afghan Data Leak Exposed 87% to Risk and Threats

The survey focused on 231 respondents who said they had been told directly by the Ministry of Defence that their data had been exposed in the leak, which was the result of an inadvertent emailing of a spreadsheet by a soldier. Of the 231 affected Afghans, 200, or 87%, “reported personal risks and/or threats to family members,” the report said, and 207 (89%) “reported impacts on their own physical and/or mental health and the same number (207) reported negative impacts on their family’s physical and/or mental health.” Some of the responses detailed in the report are harrowing. One respondent said, “My father was brutally beaten to the point that his toenails were forcibly removed, and my parents remain under constant and serious threat. My family and I continue to face intimidation, repeated house searches, and ongoing danger to our safety.” “I live under constant fear for my life and the safety of my family due to repeated raids, threats from the Taliban and local intelligence groups, and the risk of forced marriage for my daughter,” said another respondent. “The ongoing stress, anxiety, and fear for my family’s well-being have severely impacted my emotional and physical well-being.” One respondent who had relocated to the UK said fears from the breach remain a constant torment for family members who remain in Afghanistan. “Whether it's legal advice, mental health resources, or help accelerating family reunification, anything that can ease this burden would mean the world to me,” the person said.

UK Advice Deemed Inadequate

The report also found that the advice given to the affected Afghans in the wake of the breach was largely inadequate. The report described “a profound mismatch between the MoD’s security advice” – which focused on things like restricting use of social media accounts and advising the use of VPNS – “and the severity of reported risks and threats, which included direct threats, violence, and displacement.” One respondent said, “The security advice provided by the Ministry of Defence was very general and limited. They only advised me not to answer calls from unknown numbers and to secure my emails. These instructions were insufficient given the serious threats and risks I faced, including my house being searched, my brothers being summoned by intelligence services, and direct threats to our lives. Such general advice did not provide any practical help to protect my situation.” The report also found “no evidence that the Ministry of Defence offered local risk management or follow-up with individuals outside of the UK” who were affected by the data breach and were not offered resettlement. The report called for expedited review of remaining resettlement cases, including affected family members. “As both the quantitative and qualitative data from our survey shows, the data breach has had devastating consequences for many individuals and families,” the Refugee Legal Support report said. “The UK Government must act decisively to protect those affected, restore trust, and ensure that such a failure never happens again; or that if it does, those placed at risk will not also be left alone in the dark.”

Caller ID spoofing causes nearly $1 billion (EUR 850 million) in financial losses from fraud and scams each year, according to a new Europol position paper that calls for technical and regulatory solutions to fight the problem. Phone calls and texts are the primary attack vectors, accounting for about 64% of reported cases, Europol said in the report. Caller ID spoofing is accomplished by manipulating the information displayed on a user’s caller ID, typically using Voice over Internet Protocol (VoIP) services or specialized apps to show a fake name or number “that appears legitimate and trustworthy,” Europol said. “The ability of malicious actors to conceal their true identity and origin, severely impedes the capacity of law enforcement agencies (LEAs) to trace and prosecute cybercriminals,” Europol said.

Caller ID Spoofing Attack Types

Europol outlined some of the caller ID spoofing attack types seen by EU law enforcement agencies. Criminals often spoof caller IDs to impersonate organizations like banks, government agencies, utility companies, or even family members, in scam calls to get recipients to reveal sensitive information, make fraudulent payments, or initiating money transfers under false pretenses. Tech support scammers impersonate legitimate tech support services to convince victims of non-existent computer issues in order to demand payment, install malware or obtain remote access for exploitation. Caller ID spoofing can also be used in swatting attacks to make it appear that an emergency call originated from a victim’s address. Organized crime networks have even set up “spoofing-as-a-service” platforms to automate caller ID spoofing, “with the aim of lowering the barrier for others to be able to commit crimes,” Europol said. “By offering such services, criminals can easily impersonate banks, LEAs or other trusted entities.”

Europol Calls for Regulatory and Technical Response

Europol surveyed law enforcement agencies across 23 countries and found significant barriers to implementing anti-caller-ID spoofing measures. “This means that the combined population of approximately 400 million people remain susceptible to these types of attacks,” the report said. The law enforcement agency said there is an “urgent need for a coordinated, multi-faceted approach to mitigate cross-border caller ID spoofing.” “The transnational nature of spoofing attacks demands seamless information sharing and coordinated action among Internet Service Providers (ISPs), telecommunications providers, law enforcement and regulatory bodies,” the agency said. Among the technical controls that are needed are “robust international traceback mechanisms” that include a neutral, cross-jurisdictional system for hop-by-hop tracing, standardized processes for information sharing, and APIs and signaling checks. Also needed are mechanisms for validating inbound international calls, and vendor-neutral tools with standardized interfaces for Do Not Call (DNC)/ Do Not Originate (DNO) lists, unallocated number lists, blacklisting, and malformed number detection. “Through multi-stakeholder collaboration, to address emerging threats and develop effective countermeasures, digital security can be significantly enhanced,” Europol said. “This will ensure citizens are better protected from the adverse effects of caller ID spoofing.” The report also acknowledged the importance of being prepared for other mobile threats such as SIM-based scams, anti-regulatory subleasing, the use of anonymous prepaid services in cybercrime, callback scams and smishing attacks.

The Qilin ransomware group has been by far the most active ransomware group over the last seven months, so two new research reports detailing some of the group’s tactics, techniques and procedures (TTPs) are worth noting. Trend Micro researchers examined a Qilin attack – the group is identified as “Agenda” by Trend – that deployed the group’s Linux ransomware variant on Windows systems, while Cisco Talos also looked at the group’s methods, including defensive evasion techniques. Cyble threat intelligence researchers have documented 677 ransomware attacks by Qilin since the group emerged as the top ransomware group following the decline of RansomHub in what may have been an act of sabotage. Those 677 attacks are more than double those of second-place Akira (chart below). [caption id="attachment_106327" align="aligncenter" width="1200"] Top ransomware groups April-October 2025 (Cyble)[/caption]

Qilin Ransomware Group Deploys Linux Ransomware on Windows

The Qilin ransomware attack documented by Trend Research combined WinSCP for secure file transfer and Splashtop Remote for executing the Linux ransomware binary on Windows machines, in addition to using Bring Your Own Vulnerable Driver (BYOVD) for defense evasion and deployment of multiple SOCKS proxy instances to obfuscate command-and-control (C&C) traffic Qilin installed legitimate tools like AnyDesk through Atera’s remote monitoring and management (RMM) platform and ScreenConnect for command execution. The attackers also targeted Veeam backup infrastructure using custom credential extraction tools, “systematically harvesting credentials from multiple backup databases to compromise the organization’s disaster recovery capabilities before deploying the ransomware payload,” the researchers said. “This attack challenges traditional Windows-focused security controls,” the researchers wrote. “The deployment of Linux ransomware on Windows systems demonstrates how threat actors are adapting to bypass endpoint detection systems not configured to detect or prevent Linux binaries executing through remote management channels.” Initial access appears to have come from a social engineering campaign involving fake CAPTCHA pages, because investigators “identified that multiple endpoints within the compromised environment had connected to malicious fake CAPTCHA pages hosted on Cloudflare R2 storage infrastructure. These pages presented convincing replicas of legitimate Google CAPTCHA verification prompts.” Those pages apparently delivered infostealers to the endpoints, harvesting authentication tokens, browser cookies, and stored credentials. “The presence of valid credentials used throughout the attack chain strongly suggests that these stolen credentials provided the ... threat actors with the valid accounts necessary for their initial access into the environment,” the researchers said. “This assessment is further supported by the attackers’ ability to bypass multifactor authentication (MFA) and move laterally using legitimate user sessions, indicating they possessed harvested credentials rather than relying on traditional exploitation techniques.” The attackers used a SOCKS proxy DLL for remote access and command execution, loaded directly into memory using the legitimate Windows rundll32.exe process. The legitimate administrator account password was also reset to prevent admins from regaining access. ScreenConnect was used to execute discovery commands via temporary command scripts, “systematically enumerating domain trusts and identifying privileged accounts while appearing as normal administrative activity.” Network scanning tools like NetScan were also used to discover additional systems, services, and potential lateral movement targets, while PuTTY SSH clients were used to facilitate lateral movement to Linux systems within the environment.

Qilin Targeting Veeam Backups to Harvest Credentials

The Qilin attackers targeted Veeam backup infrastructure to harvest credentials, “recognizing that backup systems often store credentials for accessing multiple systems across the enterprise,” the Trend researchers said. PowerShell scripts with base64-encoded payloads were used to extract and decrypt stored credentials from Veeam databases. “When decoded, these scripts revealed systematic targeting of multiple Veeam backup databases, each containing credentials for different segments of the infrastructure,” the researchers said. “This approach provided the attackers with a comprehensive set of credentials for remote systems, domain controllers, and critical servers stored within the backup infrastructure.”

Qilin Defense Evasion Tactics

The attackers deployed “sophisticated anti-analysis tools to evade security solutions,” Trend said, with 2stX.exe and Or2.exe using the eskle.sys driver for anti-antivirus capabilities through a BYOVD attack. The eskle.sys driver was used to disable security solutions, terminate processes, and evade detection, they said. Cisco Talos researchers documented Qilin defense evasion techniques that included  using obfuscated PowerShell code that employed numeric encoding. Executing the PowerShell commands makes three configuration changes, the Talos researchers said. Disabling Windows Antimalware Scan Interface (AMSI) prevents interference with execution of payloads, and disabling TLS certificate validation allows the attackers to contact malicious domains or C2 servers. The third configuration change enables Restricted Admin to force RDP authentication to rely on NT hashes or Kerberos tickets rather than passwords. “Although passwords are not retained, NT hashes remain on the system and can be abused by an attacker to impersonate the user,” Talos said. The Talos researchers observed “traces of attempts to disable EDR using multiple methods,” such as commands that launch the EDR’s uninstall.exe file or attempts to stop services using the sc command. Use of open source tools like dark-kill and HRSword was also observed. “The use of legitimate tools and cross-platform execution methods makes detection significantly more challenging,” the Trend researchers said. “Organizations must urgently reassess their security posture to account for these unconventional attack vectors and implement enhanced monitoring of remote management tools and backup system access.”

More than 3,000 malicious YouTube videos were used to distribute infostealer malware, according to a new report detailing the operation. Dubbed the “YouTube Ghost Network” by Check Point Research, the large-scale malware distribution operation used fake and compromised YouTube accounts to distribute infostealers like Rhadamanthys and Lumma, the report said. Most of the videos have now been removed, but the malware operation has been active at least since 2021. Game hacks and cheats and software cracks and piracy were the most targeted categories. “It is important to emphasize that the use of cracked software is illegal and that such versions frequently contain hidden malware,” Check Point said. The most viewed malicious videos targeted Adobe Photoshop, with 293,000 views, and FL Studio, with 147,000 views.

Compromised YouTube Accounts Used to Spread Infostealer Malware

Much of the YouTube Ghost Network consists of compromised YouTube accounts that are assigned specific operational roles, such as uploading malicious videos or liking and commenting to create a false sense of trust in a compromised account. “This role-based structure enables stealthier distribution, as banned accounts can be rapidly replaced without disrupting the overall operation,” the report said. The most targeted game from the “Game Hacks/Cheats” category was Roblox, with 380 million monthly active users and about 111.8 million daily active users. In the “Software Cracks/Piracy” category, Adobe products are the main targets, led by Photoshop and Lightroom. External links in the video posts typically redirect users to file-sharing services such as MediaFire, Dropbox, or Google Drive, or to phishing pages hosted on platforms like Google Sites, Blogspot, or Telegraph (telegra.ph). Those pages then contain links to download the malicious software, and shortened URLs are often used to hide the real destination of the external link. The description of the videos follows a typical structure, with a download link and shared password. Step-by-step instructions often advise users to temporarily disable Windows Defender to avoid “a false alert.” “Don’t worry – the archive is clean,” assures one post after telling potential victims to temporarily disable Windows Defender. “Defender may trigger a false alert due to the way Setup.exe works with installations.” In most cases, the malware distributed is an infostealer. Lumma was initially the most distributed malware before its disruption, followed by Rhadamanthys, and the StealC and Redline infostealers have also been observed.

Compromised YouTube Accounts Distributed Malicious Pirated Photoshop

The report detailed two compromised YouTube channels and accounts. The YouTube channel @Sound_Writer, with 9,690 subscribers, published videos that were mainly focused on cryptocurrency software and gaming. “Our analysis indicates that this account has been compromised for over a year, as evidenced by the appearance of malicious videos that differ significantly from the channel’s previous content,” Check Point said. The account @Afonesio1, with approximately 129,000 subscribers, was compromised between December 3, 2024, and January 5, 2025, and has since uploaded four videos to distribute malware. One of the account’s most viewed videos, with 291,155 views and 54 positive comments, “was used to lure unsuspecting viewers into downloading and executing a cracked version of Adobe Photoshop.” Within the video’s description was a community message link and the password required to decompress the password-protected archive. The post “received approximately 1,200 likes and numerous positive comments praising the effectiveness of the software solution,” Check Point said. The shortened link in the post redirected users to Dropbox, where the file could be downloaded The archive contained a file named Adobe.Photoshop.2024.v25.1.0.120.exe, which is a cracked version of Adobe Photoshop. “It remains unclear whether the positive comments originate from real users who inadvertently infected themselves or from ghost accounts promoting the malicious software with AI comments,” the report said. “The ongoing evolution of malware distribution methods demonstrates the remarkable adaptability and resourcefulness of threat actors in bypassing conventional security defenses,” Check Point concluded. “While email phishing remains a well-known and persistent threat, our research reveals that adversaries are increasingly shifting toward more sophisticated, platform-based strategies, most notably, the deployment of Ghost Networks. These networks leverage the trust inherent in legitimate accounts and the engagement mechanisms of popular platforms to orchestrate large-scale, persistent, and highly effective malware campaigns.”

Ransomware attacks have soared 50% in 2025 despite major changes among the leading ransomware groups, according to a new Cyble report. Through October 21, there have been 5,010 ransomware attacks claimed by ransomware groups on their dark web data leak sites, up from 3,335 in the same period of 2024, according to a Cyble blog post. “From the decline of RansomHub to the rise of Qilin and newcomers like Sinobi and The Gentlemen, ransomware group leadership has been in flux for much of 2025, but affiliates have been quick to find new opportunities, and a steady supply of critical vulnerabilities has helped fuel attacks,” Cyble said. The threat intelligence company noted that its new threat landscape report (registration required) also documents record data breaches and supply chain attacks, as the cyber landscape has become more dangerous in general this year.

Qilin Led All Ransomware Groups Once Again

September marked the fifth consecutive monthly increase in ransomware attacks, and Qilin led all ransomware groups for the fifth time in six months, as the group has solidified its leadership in the wake of RansomHub's decline. In all, ransomware groups claimed 474 victims in September, up slightly from August (chart below). That’s well below February’s record, “yet still among the highest monthly ransomware attack totals on record,” Cyble said. [caption id="attachment_106294" align="aligncenter" width="723"] Ransomware attacks by month 2021-2025 (Cyble)[/caption] The U.S. remains by far the biggest target for ransomware groups, with its 259 victims accounting for nearly 55% of attacks in September (chart below). Germany, France, Canada, Spain, Italy and the UK remain consistent targets, but South Korea emerged a new major target, in second place behind the U.S. with 32 attacks, largely due to one campaign by Qilin. [caption id="attachment_106292" align="aligncenter" width="936"] Ransomware attacks by country September 2025 (Cyble)[/caption] Of the 32 South Korean attacks recorded in September, 29 came from Qilin’s “KoreanLeak” campaign that targeted asset management companies in the country. Cyble noted that “One of the asset management firms said its systems were impacted through a ransomware attack on its IT management provider, indicating a possible supply chain compromise affecting multiple firms simultaneously.” The campaign also made South Korea by far the most attacked country in the APAC region in September, well ahead of India, Thailand and Taiwan. Qilin’s South Korean campaign made Banking, Financial Services and Insurance (BFSI) the third most attacked sector in September, behind Construction and Manufacturing and ahead of Professional Services, IT and Healthcare (chart below). [caption id="attachment_106296" align="aligncenter" width="936"] Ransomware attacks by sector September 2025 (Cyble)[/caption]

The Emergence of The Gentlemen Ransomware Group

Qilin led all ransomware groups with 99 claimed victims, 40 ahead of second-place Akira (chart below). [caption id="attachment_106298" align="aligncenter" width="936"] Top ransomware groups September 2025 (Cyble)[/caption] The emergence of The Gentlemen was a noteworthy development, a new group that has claimed 46 victims to date. “The group’s use of custom tools targeting specific security vendors and the geographic diversity of its targets ... suggests that the group may have the resources to become an enduring threat,” Cyble said. The full Cyble blog detailed 11 significant ransomware incidents in September, including some with supply chain implications, and also included recommendations for defenders.

The U.S. government has apparently charged a former cybersecurity company official with stealing trade secrets with the intention of selling them to a Russian buyer, according to court documents and news reports. Court documents didn’t name the companies involved in the case, but Bloomberg and TechCrunch said the defendant – Peter Williams – is a former director at L3Harris Trenchant, which does vulnerability and security work for government clients. The Cyber Express reached out to U.S. and defense attorneys and L3Harris for comment on the case and was told by a U.S. attorney that they couldn’t comment on an ongoing case. L3Harris Trenchant is not charged with wrongdoing in the matter. The use of a Criminal Information document to bring the charges suggests the possibility of a plea deal in the case. Williams is scheduled to appear in court on October 29 for an "Arraignment and Plea Agreement Hearing," according to court records.

L3Harris Trenchant’s Sensitive Security Work

Trenchant was created following the acquisitions of Azimuth Security and Linchpin Labs by defense contractor L3Harris Technologies. According to a Trenchant information page, “Much of our work is neither public nor publicized. We work with select customers who share our ethical standards and have a formal mandate to operate in this space. Our solutions are driven by holistic analysis of real operational scenarios, yielding capabilities that are tuned to thrive and survive in real-world environments.” “We are a trusted, discreet partner furnishing security products, consultancy, training and integration services to allied governments, defense, security and law enforcement agencies,” Trenchant’s website adds. Trenchant’s solutions include vulnerability and exploit research, APIs for intelligence operations, “device and access capabilities,” and computer network operations (CNO) products.

The Charges: Stealing Trade Secrets

The two-count U.S. Criminal Information document alleges that Williams stole seven trade secrets from two unnamed companies with the intention of selling them to a Russian buyer. The first count states that between roughly April 2022 and June 2025, Williams allegedly “did knowingly steal, and without authorization, appropriate, take, carry away, conceal, and by fraud, artifice and deception, obtain such information, to wit, seven trade secrets ... knowing and intending those secrets to be sold outside of the United States, and specifically to a buyer based in the Russian Federation (Russia).” The second count says that between June 2025 and August 2025, Williams allegedly “did knowingly and without authorization copy, duplicate download, upload, alter, replicate, transmit, deliver, send, communicate and convey such information, that is one trade secret ... knowing and intending those secrets to be sold outside of the United States, and specifically to a buyer based in the Russian Federation (Russia).” Both are Theft of Trade Secrets charges under Title 18, United States Code, Section 1832(a)(1) and Title 18, United States Code, Section 1832(a)(2). The U.S. seeks to collect $1.3 million in forfeited property from Williams.

Vidar Stealer 2.0 has been released, and the updated infostealer claims to offer improved performance with advanced credential stealing and evasion abilities, features that will necessitate even greater vigilance on the part of security teams. Vidar is already one of the top infostealers, and the recent decline of Lumma will likely make the infostealer even more active in the coming months.

Vidar Stealer 2.0: Rewritten for More Efficient Credential Theft

A Vidar developer who goes by "Loadbaks" announced the release of Vidar Stealer 2.0 on underground forums earlier this month. Loadbaks claimed that rewriting the software in C “gave a huge increase in stability and speed" by eliminating C++ dependencies and runtime overhead. In a new technical analysis of the malware, Trend Micro Threats Analyst Junestherry Dela Cruz said the new version is built on “a complete transition from C++ to a pure C implementation” for greater performance and efficiency. Vidar 2.0 introduces “a range of concerning features, including advanced anti-analysis measures, multithreaded data theft capabilities, and sophisticated methods for extracting browser credentials,” Dela Cruz said. “With a consistent price point of US$300, it offers attackers powerful tools that are both cost-effective and efficient.” Throughout its seven-year history, Vidar has distanced itself from competitors like Raccoon and RedLine by adding support for new features and earning a reputation for reliable support, the threat researcher said. The latest version adds even more distance between Vidar and competitors.

Multithreaded Architecture Means Faster Theft, Less Detection Time

The malware’s multithreaded architecture allows for more efficient use of multi-core processors. The Vidar developer claims that performing data collection tasks in parallel threads greatly speeds up data collection and exfiltration. Dela Cruz said Trend’s analysis shows that the malware employs “an advanced multi-threading system that automatically adjusts its performance based on the victim's computer specifications. It scales its operations by creating more worker threads on powerful systems and fewer threads on weaker machines, ensuring optimal performance without overwhelming the target system. This approach allows the malware to steal data from multiple sources simultaneously - such as browsers, cryptocurrency wallets, and files - rather than processing them one at a time.” In addition to stealing from multiple sources simultaneously, the parallel processing feature also reduces the time the malware needs to remain active on the system, “making it harder for security software to detect and stop the theft operation,” Dela Cruz said.

Vidar 2.0 Claims to Bypass Chrome AppBound Security

Loadbaks, the Vidar developer, also claimed that Vidar 2.0 has “unique” methods for bypassing Chrome's AppBound encryption that prevents credential extraction by binding encryption keys to specific applications. Dela Cruz said binary analysis shows that Vidar 2.0 “implements comprehensive browser credential extraction capabilities targeting both traditional browser storage methods and Chrome's latest security protections across multiple browser platforms.” The malware uses a tiered approach that includes “systematic enumeration of browser profiles” and attempts to extract encryption keys from Local State files using standard DPAPI decryption, the researcher said. Vidar 2.0 can also launch browsers with debugging enabled and inject malicious code into running browser processes via shellcode or reflective DLL injection. “The injected payload extracts encryption keys directly from browser memory, then communicates the stolen keys back to the main malware process via named pipes to avoid disk artifacts,” Dela Cruz wrote. “This approach can bypass Chrome's AppBound encryption protections by stealing keys from active memory rather than attempting to decrypt them from storage.”

Polymorphic Builder Boosts Evasion Techniques

Vidar 2.0 also claims to include an automatic polymorphic builder “so every build is now unique," Loadbaks said, with distinct binary signatures that make static detection more difficult. Dela Cruz said the updated malware “employs heavy use of control flow flattening, implementing complex switch-case structures with numeric state machines that can make reverse engineering more difficult. This obfuscation method transforms the natural program flow into a series of state transitions controlled by switch statements, effectively obscuring the original program logic.” The researcher said the control flow flattening technique has also been seen in Lumma samples, “suggesting the adoption of similar obfuscation frameworks within the information stealer ecosystem.” “The malware's technical capabilities, proven developer track record since 2018, and competitive pricing position it as a likely successor to Lumma Stealer's dominant market position,” Dela Cruz concluded.

Fewer organizations are paying the ransom when confronted with a ransomware attack – but those that do make ransomware payments are paying much more. That’s one of the takeaways from ExtraHop’s new 2025 Global Threat Landscape Report, which also looked at the riskiest attack surfaces, dwell times, initial attack vectors, and more. The report, which the NDR vendor conducted with Censuswide, is based on a July 2025 survey of 1,800 security and IT decision-makers in midsize and large organizations in seven countries.

Average Ransom Payment Tops $3.6 Million

The survey found that while organizations are experiencing fewer ransomware incidents – and fewer are paying ransoms – those organizations that do pay are paying $1.1 million more than they did last year, up from $2.5 million to more than $3.6 million, an increase of more than 40%. While 70% of respondents said their organization paid a ransom, there was an overall decline in the number of ransomware payments for the first time, and the number of organizations that say that they didn’t pay a ransom tripled from 9% last year to 30% this year. Also on the plus side, the organizations overall reported fewer ransomware incidents, with their organizations experiencing between five and six ransomware incidents each within the previous 12 months, down roughly 25% from nearly eight incidents in 2024. However, the percentage of organizations hit with 20 or more ransomware incidents tripled, rising to 3% year-over-year. Healthcare and government organizations were among those facing a greater number of attacks. Cyble’s ransomware data, which is based on ransomware group claims on their dark web data leak sites, show that ransomware attacks are up 50% so far this year from the same period of 2024. The average ransom amount varied by country, with UAE organizations, for example, facing an average of seven ransomware incidents, with paid ransoms averaging $5.4 million. Australia organizations, on the other hand, experienced the fewest ransomware incidents in the report, averaging just four per year, and ransomware payments averaged $2.5 million. The healthcare sector had the highest payouts at $7.5 million, followed by the government sector (just under $7.5 million) and the finance sector ($3.8 million). Respondents also struggled with ransomware detection, as more than 30% of respondents didn’t detect that they were being targeted by ransomware until data exfiltration had begun.

Riskiest Attack Surfaces and Entry Points

The report found that the public cloud, third-party risks, and GenAI were the riskiest attack surfaces (chart below). [caption id="attachment_106198" align="aligncenter" width="808"] Riskiest attack surfaces (ExtraHop)[/caption] “As organizations rapidly adopt emerging technologies, navigate complex device interdependencies, and manage sprawling supply chains, their IT infrastructures become inherently more complex,” the report said. “This escalating complexity inevitably leads to a larger attack surface.” Phishing and social engineering were the most common initial point of entry for attackers at 33.7%, followed by software vulnerabilities (19.4%), third-party/supply chain compromise (13.4%), and compromised credentials (12.2%) (chart below). [caption id="attachment_106199" align="aligncenter" width="827"] Initial attack vectors (ExtraHop)[/caption]

The prolific threat actors behind the Lumma Stealer malware have been slowed by an underground doxxing campaign in recent months. Coordinated law enforcement action earlier this year didn’t do much to slow down the infostealer’s spread, but a recent doxxing campaign appears to have had an impact, according to researchers at Trend Micro. “In September 2025, we noted a striking decline in new command and control infrastructure activity associated with Lummastealer ... as well as a significant reduction in the number of endpoints targeted by this notorious malware,” threat analyst Junestherry Dela Cruz wrote in a recent post. Fueling the drop has been an underground exposure campaign targeting a key administrator, developer and other members of the group, which Trend tracks as “Water Kurita.”

Lumma Stealer Doxxing Campaign Began in August

The Lumma Stealer doxxing campaign began in late August and continued into October, and on September 17, Lumma Stealer’s Telegram accounts were also compromised. “Allegedly driven by competitors, this campaign has unveiled personal and operational details of several supposed core members, leading to significant changes in Lummastealer’s infrastructure and communications,” Dela Cruz wrote. “This development is pivotal, marking a substantial shake-up in one of the most prominent information stealer malware operations of the year. ... The exposure of operator identities and infrastructure details, regardless of their accuracy, could have lasting repercussions on Lummastealer’s viability, customer trust, and the broader underground ecosystem.” The disclosures included highly sensitive details of five alleged Lumma Stealer operators, such as passport numbers, bank account information, email addresses, and links to online and social media profiles, and were leaked on a website called "Lumma Rats." While the campaign may have come from a rival, Dela Cruz said “the campaign’s consistency and depth suggest insider knowledge or access to compromised accounts and databases.” “The exposure campaign was accompanied by threats, accusations of betrayal within the cybercriminal community, and claims that the Lumma Stealer team had prioritized profit over the operational security of their clients,” Dela Cruz wrote. While the researcher noted that the accuracy of the doxed information hasn’t been verified, the accompanying decline in Lumma Stealer activity suggests that the group “has been severely affected—whether through loss of key personnel, erosion of trust, or fear of further exposure.”

Vidar, StealC Gain from Lumma Stealer’s Decline

Lumma Stealer’s decline has been a boon for rival infostealers like Vidar and StealC, Dela Cruz noted, “with many users reporting migrations to these platforms due to Lumma Stealer’s instability and loss of support.” Lumma’s decline has also hit pay-per-install (PPI) services like Amadey that are widely used to deliver infostealer payloads, and rival malware developers have stepped up their marketing efforts, “fueling rapid innovation and intensifying competition among MaaS [Malware as a Service] providers, raising the likelihood of new, stealthier infostealer variants entering the market,” Dela Cruz said. According to Cyble dark web data, Vidar and Redline are the infostealers most rivaling Lumma in volume on dark web marketplaces selling stolen credentials, with StealC, Acreed, Risepro, Rhadamanthys and Metastealer among other stealer logs commonly seen on the dark web. As for Lumma Stealer, Dela Cruz noted that being a top cybercrime group isn’t exactly a secure - pardon the pun - position to be in, as RansomHub found out earlier this year. “[B]eing number one means facing scrutiny and attacks from both defenders and competitors alike,” the researcher noted.