
All news in category “Threat and Trends Reports”

1482 articles · page 40 of 75

Outsourced Cyber Defenses: Systemic Risks and Governance

🔐 Outsourcing critical IT and cybersecurity has shifted from a cost-saving tactic to a systemic fragility driver. The article explains how single-vendor failures — highlighted by SolarWinds and MOVEit — can cascade across industries, amplified by cloud adoption, talent shortages and subcontractor opacity. It warns that AI-driven agents, regulatory fragmentation, and geopolitical exposures turn vendor compromises into national and economic security risks. Boards, CISOs and regulators must adopt trust-by-design, stress tests and AI resilience measures.

Top Ransomware Trends of 2025: Activity and Impact

🔍 Ransomware activity in 2025 remained high, with 306 groups and 7,902 victims listed on data leak sites, according to Ransomware.live. While coordinated takedowns and anti-cybercrime actions were quieter than in 2024, both emergent collectives (Scattered Spider, Lapsus$, ShinyHunters) and established syndicates continued to generate incidents. The most prolific actors — Qilin, Akira and Clop — claimed the largest shares of victims, and the United States accounted for nearly half of the reported targets.

Brushing Scams: Unsolicited Parcels and Fake Reviews

📦 Brushing scams involve sellers sending unsolicited, low‑value items to random addresses to create fake purchase histories and post 5‑star reviews. Attackers obtain names and mailing addresses from breaches, people‑search services or public scraping, then use fake buyer accounts to place and rate orders. Parcels can signal compromised data and sometimes include QR codes that lead to phishing or malware. If you receive an unexpected item, check accounts, enable MFA, and report it to the marketplace.

New MacSync Dropper Bypasses macOS Gatekeeper Checks

🛡️ Jamf researchers found a new MacSync variant delivered as a code-signed, notarized Swift application inside a disk image named zk-call-messenger-installer-3.9.2-lts.dmg, enabling it to bypass macOS Gatekeeper checks without any direct Terminal interaction. The Mach-O binary carried a valid signature tied to Developer Team ID GNJLS3UYZ4, which Apple revoked after a report. The dropper decodes an encoded payload on disk and the stealer uses multiple evasions — inflating the DMG with decoy PDFs, wiping execution scripts, and performing internet checks to avoid sandboxed analysis — before harvesting credentials, browser data, iCloud keychain items, cryptocurrency wallet data, and files.

86% Surge in Fake Delivery Sites Targets Holiday Shoppers

📦 Cybercriminals are exploiting the holiday rush, with NordVPN reporting an 86% month-over-month increase in malicious postal service websites. Fraudsters impersonate carriers such as DHL and USPS, using smishing and phishing links to steal data; DHL spoof sites rose 206% while USPS impersonations jumped 850% in one month. Consumers are urged to avoid unsolicited tracking links, verify tracking numbers on official carrier sites or apps, inspect sender details for altered domains, and report suspicious messages to carriers or the FTC.

RansomHouse upgrades to multi-layered dual-key RaaS

🔐 Palo Alto Networks' Unit42 reports that RansomHouse has upgraded its ransomware-as-a-service to a multi-layered, dual-key encryption model that significantly complicates recovery. The new encryptor, tracked as Mario, generates a 32-byte primary and an 8-byte secondary key and performs interlocking encryption passes that hinder linear decryption. Targeting VMware ESXi hosts and backups (e.mario files) and paired with the MrAgent deployment utility, the change raises impact and undermines static signature detection.

Weekly Recap - Firewall Exploits, AI Data Theft and More

⚡ Over the past week attackers exploited flaws in edge and network products from Fortinet, SonicWall, Cisco, and WatchGuard, targeting firewalls and appliances to gain deeper access. Browser extensions and Android TVs were abused for data theft and botnet recruitment. Campaigns by groups such as Ink Dragon, Kimsuky, and LongNosedGoblin deployed implants and innovative delivery chains, highlighting the urgent need for rapid patching, inventory verification, and tighter controls on trusted systems.

Attackers Abuse Microsoft OAuth Device Codes for Hijacks

🔒 Cybercriminals and state-sponsored actors are increasingly abusing OAuth device authorization to hijack enterprise Microsoft 365 accounts, often bypassing multifactor protections. Proofpoint reports campaigns have surged since September 2025 and shifted from targeted voice-phishing to scalable email-based social engineering. Attackers prompt victims to enter short-lived device codes on Microsoft’s verification page, validating tokens and granting access. Tools such as SquarePhish2 and Graphish automate the flow and lower the skill barrier for large-scale attacks.

Six Essential Components for an Effective Incident Response

🔒 An effective Incident Response plan must combine impact analysis, communications, clear roles, threat awareness, testing, and modular simplicity. The article outlines six essential components—including Business Impact Analysis, a comprehensive communications strategy, defined response roles, visibility across the threat landscape, regular testing, and modular playbooks—that help organizations maintain resilience during major outages or cyberattacks. Experts emphasize practical playbooks, pre-approved message templates, and disciplined After-Action Reviews to reduce downtime and ensure continuous improvement.

RansomHouse upgrades encryptor with multi-layered processing

🔒 RansomHouse has upgraded its encryptor to a multi-layered variant called 'Mario', shifting from a single-pass linear transform to a two-stage process that uses a 32-byte primary key and an 8-byte secondary key. The change increases entropy, speeds processing, and aims to improve reliability on modern targets. It also introduces dynamic chunk sizing with intermittent encryption for files over 8GB, complicating static analysis. The updated binary targets VM files, appends the .emario extension, drops a How To Restore Your Files.txt ransom note, and Unit 42 warns this upgrade makes decryption and reverse engineering notably harder.

Eight Cybersecurity Resolutions for 2026 Readiness

🔒 Kaspersky outlines eight practical cybersecurity resolutions to take into 2026 after a transformative 2025 marked by sweeping internet laws and widespread AI adoption. The guidance covers legal awareness, safer access methods, and mitigation against document-leak risks. It also warns about new scam tactics, urges cautious AI use, subscription audits, longevity practices for devices, and strengthened smart‑home security.

CountLoader and GachiLoader Campaigns Abuse Cracked Software

🔒 Cybersecurity teams disclosed linked campaigns that abuse cracked-software sites and compromised YouTube accounts to deliver modular loaders CountLoader and GachiLoader. CountLoader 3.2 is distributed via malicious ZIPs hosted on MediaFire and uses a renamed Python binary invoked through mshta.exe to establish persistence with scheduled tasks that mimic Google and fetch next-stage payloads. Check Point described GachiLoader, an obfuscated Node.js loader spread through a "YouTube Ghost Network" that deploys novel PE injection via a Kidkadi stage. Both campaigns emphasize in-memory execution, signed-binary abuse, removable-media spread, and sophisticated evasion.

Cybercriminals Recruiting Insiders in Finance, Telecom, Tech

🔒 Cyber criminals are increasingly recruiting insiders at banks, telecoms, and tech firms to obtain network and cloud access. Darknet adverts offer payouts ranging from $3,000 to $15,000 for account credentials or direct access, and threat actors target crypto exchanges, banks, and major cloud providers. Effective prevention requires employee education, enforced access controls, and active darknet monitoring.

Positive Thinking for Security Leaders: 6 Mindsets to Drop

🔒 The article argues that cybersecurity succeeds when practitioners replace damaging mindsets with sustainable ones. It highlights six common but harmful beliefs—security as a destination, security only for specialists, the idea that security always gets harder, treating security as a product, assuming criminals control priorities, and chasing perfect metrics—and explains how each fosters burnout and reactive behavior. The author recommends reframing security as a continuous, shared discipline embedded in daily operations and development lifecycles to improve resilience and team cohesion.

Adios 2025: Ransomware, AI Abuse, and Manufacturing Hits

📌 2025 left a clear imprint: ransomware operations matured into highly organized, profitable cartels such as Qilin, industrial targets like Jaguar Land Rover suffered major operational and financial damage, and early reports of AI-orchestrated espionage raised concerns about automated, scalable kill chains. Talos highlights the week’s headlines—Fortinet zero-days (CVE-2025-59718, CVE-2025-59719), Microsoft update regressions affecting WSL VPNs, and a large AWS crypto-mining campaign driven by compromised IAM credentials. The guidance is pragmatic: double down on identity and access management, monitor service accounts, prioritize incident response basics, and care for your people to reduce burnout heading into 2026.

CISOs’ Bucket List: Human-Led, AI-Powered Security

🔐 CISOs are rethinking how they spend reclaimed time, prioritizing innovation and transformation over constant firefighting. Leaders want to eliminate tactical debt—closing out lingering POAMs, patching unpatched systems and remediating misconfigurations—to free resources for strategic foresight. They plan to break down silos between AppSec, CloudSec and GRC with automation and AI, creating a unified view of risk and on-demand compliance evidence. Above all, CISOs aim to make security a human-led business enabler that empowers teams, reduces burnout and embeds privacy-by-design into engineering.

ThreatsDay Bulletin: Emerging Tactics and Notable Incidents

🔔 This week's ThreatsDay Bulletin highlights a rapid reshaping of old tools and fresh abuse of familiar systems across fraud, malware, and infrastructure. Notable incidents include a cross-border scam ring dismantled in Ukraine that defrauded hundreds for over €10 million, the modular SantaStealer infostealer sold as malware-as-a-service, and a WhatsApp device-linking hijack dubbed GhostPairing. Security teams should verify linked sessions, reduce exposed management endpoints, and prioritize timely patching and credential hygiene.

LongNosedGoblin APT Targets SE Asia and Japan Officials

🕵️ ESET researchers discovered a previously undocumented China-aligned APT, named LongNosedGoblin, after investigation of compromises at a Southeast Asian governmental network with additional targeting of Japan. The group abuses Active Directory Group Policy for deployment and lateral movement and relies on cloud services (OneDrive, Google Drive, Google Docs) for C2 and exfiltration. Notable custom tools include NosyDoor, NosyHistorian, NosyStealer and NosyLogger, which use multi-stage loaders, AMSI bypasses and scheduled-task persistence. ESET published IoCs and recommends hardening Group Policy, auditing scheduled tasks and monitoring cloud storage for suspicious files.

HMRC Warns of Over 135,000 Scam Reports to Taxpayers

🛡️ HMRC has received over 135,500 scam reports since February 2025, including about 4,800 tied to its Self Assessment system, and warns scams will rise ahead of the January 31, 2026 filing deadline. Fraudsters impersonate HMRC via phone, email and text to pressure victims into paying fake bills, disclosing personal data or installing malware. HMRC says it shut 25,000 phishing sites and numbers in the last 10 months and urges people to protect, recognize and report suspicious contacts to phishing@hmrc.gov.uk.

Young Europeans' Views on AI and the Digital Future

📘 The Future Report, produced with youth consultancy Livity, surveyed over 7,000 teenagers (13–18) across France, Greece, Ireland, Italy, Poland, Spain and Sweden about their digital lives and expectations. It finds that 40% use AI daily or almost daily and that 81% of users report AI improved aspects of learning or creativity. Teens are largely optimistic yet express concerns about over-reliance, skill erosion and information trustworthiness. The report recommends stronger digital literacy, safety measures and meaningful youth participation in design and policy.