< ciso brief />

All news in category “Threat and Trends Reports”

1482 articles · page 43 of 75

ThreatsDay Bulletin: Spyware, Mirai, Docker Leaks and More

🔔 This week's ThreatsDay Bulletin highlights a packed week of cross-cutting threats: a Mirai variant dubbed Broadside exploiting TBK DVRs (CVE-2024-3721), widespread exploitation of React2Shell (CVE-2025-55182), and the leak of a ValleyRAT builder that includes a signed kernel-mode rootkit. Law enforcement actions ranged from Europol's 193 arrests in a VaaS crackdown to multiple national detentions, while Apple and Google issued broad spyware alerts. Researchers flagged >10,000 Docker Hub images leaking secrets and 19 malicious VS Code extensions that used a PNG disguise to deliver trojans, underscoring persistent supply-chain and user-facing risks.

NANOREMOTE Windows Backdoor Abuses Google Drive API for C2

🔍 Elastic Security Labs has detailed a Windows backdoor named NANOREMOTE that leverages the Google Drive API to stage payloads and exfiltrate data, making detection more difficult. The C++ implant implements a robust task manager for queued uploads and downloads with pause, resume and cancel capabilities and exposes 22 command handlers for reconnaissance, execution and file transfer. Researchers also observed a WMLOADER dropper and an uploaded artifact linking NANOREMOTE to the FINALDRAFT family, indicating likely code reuse.

2025 CWE Top 25: CISA and MITRE Identify Weaknesses

🔍 The Cybersecurity and Infrastructure Security Agency (CISA), with MITRE/HSSEDI, released the 2025 CWE Top 25, highlighting the most exploited software weaknesses that enable data theft, system compromise, and service disruption. The list is designed to help developers, security teams, and procurement managers prioritize fixes and adopt Secure by Design practices. CISA urges organizations to integrate the Top 25 into vulnerability management and procurement decisions to reduce risk and downstream costs.

Securing RPA: Integrating Non‑Human Identities into IAM

🤖 Robotic Process Automation (RPA) bots are rapidly becoming first‑class Non‑Human Identities (NHIs) that streamline provisioning, deprovisioning and credential handling while reducing human error. Left unmanaged, bot identities and embedded secrets expand the attack surface and enable privilege misuse or lateral movement. Organizations should treat bots like human users — using secrets managers, PAM, JIT access and unified IAM with Zero Trust controls to preserve least‑privilege and maintain auditability.

Ashen Lepus Deploys AshTag Malware Against Diplomats

🔐 Unit 42 details activity by Hamas-affiliated Ashen Lepus using a new modular .NET suite named AshTag, alongside custom loaders and revised C2 techniques to evade detection. The actors targeted Arabic-speaking government and diplomatic entities across the Middle East, delivering malware via RAR archives, DLL sideloading, and payloads hidden in benign HTML. Operators improved encryption and domain masquerading and performed hands-on exfiltration using Rclone. Organizations should monitor the provided IOCs and strengthen EDR and egress controls.

Schrödinger’s Cat and the Hidden State of Cybersecurity

🐱 The article argues organisations often exist in a "pre-breach" or "quantum breach" state — effectively both breached and not until they observe their environments. It warns that perimeter-focused measures can be insufficient when attackers steal credentials or use social engineering, and that deploying EDR/XDR without skills can create signal overload. Connolly recommends vendor-led MDR services as a practical path to continuous detection, hunting and remediation.

Cyber 'Tax' Drives SMBs to Raise Prices After Breaches

🔔 The Identity Theft Resource Center's 2025 Business Impact Report found that 81% of US small businesses experienced a data or security breach in the past year, and 38% raised prices as a result. Respondents attributed 41% of incidents to AI-enabled attacks, while external actors and malicious insiders were cited by 43% and 42% respectively. The ITRC warns that adoption of protections such as MFA is falling and advises SMBs to focus on people, process and technology defenses including out-of-band verification and AI-driven detection tools.

How CISOs Justify Security Investments to the Board

🔒 CISOs must position security investments as strategic enablers that directly support corporate objectives rather than as purely technical upgrades. Presentations should connect proposed solutions to outcomes like entering new markets, protecting margins, ensuring compliance, and improving resilience. Use concrete scenarios, cost models, and recovery timelines to show how investments reduce probability and impact of incidents while improving operational stability. Tailor messaging to the board’s maturity and speak in terms of risk, return, and shareholder value.

Using Managed XDR to Address Cybersecurity Skills Gaps

🔒 Managed Extended Detection and Response (MXDR) enables organizations to augment understaffed security teams with experienced analysts who provide continuous monitoring and rapid response. Providers deliver 24/7 coverage, broad sensor visibility, and immediate containment actions such as endpoint isolation. MXDR can reduce the need to hire internal specialists, but organizations must evaluate vendors carefully for expertise, data protection, and configurability.

Over 10,000 Docker Hub Images Expose Live Secrets Globally

🔒 A November scan by threat intelligence firm Flare found 10,456 Docker Hub images exposing credentials, including live API tokens for AI models and production systems. The leaks span about 101 organizations — from SMBs to a Fortune 500 company and a major national bank — and often stem from mistakes like committed .env files, hardcoded tokens, and Docker manifests. Flare urges immediate revocation of exposed keys, centralized secrets management, and active SDLC scanning to prevent prolonged abuse.

How Staff+ Security Engineers Can Force-Multiply Impact

🔧 Staff+ security engineers should move from being individual problem-solvers to force multipliers by enabling others, automating enforcement, and shaping security strategy. The article recommends practical mechanisms—policy-as-code, paved paths, mentorship trees—and disciplined delegation to scale impact. It urges embedding security via shift-left practices, reusable reference architectures, and cautious AI-assisted tooling. During incidents, act as an orchestrator, set inflection points, and bridge teams with leadership to preserve strategic influence.

Behind the Breaches: Case Studies of Modern Threat Actors

🔍 This analysis examines leaked communications and recent incidents to reveal how modern threat actors organize, adapt and blur the lines between criminal, contractor and researcher roles. Leaked BlackBasta chats show internal discord, leadership opacity, technical debt and disputes over revenue and workload. The EncryptHub case highlights a solo operator who both conducted malware campaigns and was credited by Microsoft for vulnerability disclosures, illustrating the growing hybridization of actor identities. Finally, BlackLock’s open recruitment for "traffers" demonstrates how the ransomware supply chain is becoming commoditized and industrialized.

Navigating Analyst and Test Reports for Endpoint Security

🖼️ Many vendor and lab reports — from Gartner and Forrester market quadrants to specialist tests like AV‑Comparatives, SE Labs and MITRE Engenuity’s ATT&CK Evaluations — offer distinct, valuable perspectives on endpoint security. Security teams should selectively combine these assessments to triangulate performance, match operational requirements, and validate vendor claims before procurement decisions.

November 2025: Ransomware and GenAI Drive Cyber Attacks

🛡️ In November 2025, organizations faced an average of 2,003 cyber-attacks per week, a 3% rise from October and 4% above November 2024. Check Point Research attributes the increase to a surge in ransomware, broader attack surfaces and growing exposure from internal use of generative AI tools. The education sector was hit hardest, averaging 4,656 attacks per organization per week. These trends elevate operational, data and recovery risks across industries.

Tens of Millions Download Vulnerable Log4j (Log4Shell)

🛡️ Sonatype reports that 13% of Log4j downloads in 2025 — roughly 40 million of 300 million Maven Central downloads analyzed — remain vulnerable to the CVSS 10.0 Log4Shell flaw first disclosed four years ago. The vendor describes this as corrosive risk, where fixes exist but unsafe versions continue to spread because consumers don’t upgrade or transitive dependencies reintroduce bad releases. Sonatype highlights noisy SCA alerts, set-and-forget dependencies and poor selection criteria as root causes. It urges using SCA and artifact repositories to map exposure, automating upgrade PRs, enforcing repository guardrails and adopting new metrics to reduce unnecessary risk.

Exposed GitHub PATs Enable Access to Cloud Secrets

🔒 Recent research from the Wiz Customer Incident Response Team shows attackers are using exposed GitHub Personal Access Tokens (PATs) to retrieve GitHub Action Secrets and pivot into cloud environments. A read-level PAT can leverage GitHub’s API code search to locate secret references like "${{ secrets.SECRET_NAME }}" — and because those search API calls are not logged, discovery is stealthy. Once obtained, cloud provider credentials let attackers spin up resources, exfiltrate data, install malware, or persist while often evading detection. Organizations should treat PATs as privileged credentials: enforce expiration and rotation, remove cloud secrets from workflows, apply least privilege, and improve monitoring and developer training.

From Adoption to Impact — DORA AI Capabilities Model Guide

🤖 The 2025 DORA companion guide highlights that AI acts as an amplifier, boosting strengths and exposing weaknesses across teams. Drawing on a cluster analysis of nearly 5,000 technology professionals, it identifies seven foundational capabilities — including a clear AI stance, healthy and AI-accessible data, strong version control, small-batch workflows, user-centric focus, and quality internal platforms — that increase the odds of positive outcomes. The guide maps seven team archetypes to help leaders diagnose where to start and offers a Value Stream Mapping facilitation to direct efforts toward system-level constraints so AI-driven productivity scales safely.

Racks, Sprawl and the Myth of Redundancy in Modern Networks

🔁 The article traces redundancy from tangible rack-level practices to fragile cloud and software-defined environments. It argues that physical diversity, disciplined configuration management and automation remain essential as networks span BGP, SD-WAN, edge devices and cloud control planes. Real resilience requires policy alignment, diverse DNS and routing protections and rehearsed pre-mortems so backups are usable when they matter most.

Four clusters exploiting CastleLoader expand MaaS reach

🛡️ Recorded Future's Insikt Group attributes rapid expansion of a modular loader ecosystem to an actor named GrayBravo, noting the distribution of a loader called CastleLoader under a malware-as-a-service model. The report identifies four distinct operational clusters that employ phishing, ClickFix campaigns, malvertising, and impersonation to deliver CastleLoader and secondary payloads such as CastleRAT and NetSupport RAT. These campaigns target logistics and enterprise software users and leverage multi-tiered C2 infrastructure and fraudulent platform accounts to increase credibility and resilience.

Hidden Forensic Evidence in Windows ETL: Diagtrack File

🔍 FortiGuard IR analysts discovered that an obscure ETL file, AutoLogger-Diagtrack-Listener.etl, can retain historical process execution data useful for post-incident forensics. Parsing ETW payloads exposed ProcessStarted events including ImageName, ProcessID, ParentProcessID and sometimes CommandLine entries that revealed deleted tools. Controlled testing showed creating the autologger and setting AllowTelemetry=3 often produced an empty file, indicating the DiagTrack service may populate the file only under undocumented conditions. Further research is needed to understand when and how this telemetry is written.