All news in category “Threat and Trends Reports”

🔒 German SMEs face a sharp rise in ransomware and data-exfiltration incidents, with leak-site publications more than quadrupling from 2021 to 2024. Authorities report that 80% of analyzed ransomware incidents targeted small and medium-sized enterprises, often using double extortion. Attackers favor targeted phishing—executives receive on average 57 such attempts yearly—and many firms lack adequate defenses amid staffing shortages and overly complex security stacks.

📄 PDF files are a ubiquitous, convenient format that cybercriminals increasingly abuse as lures, with ESET telemetry placing PDFs among the top malicious attachment types. Attack techniques include embedded scripts, hidden links, malformed objects that exploit reader vulnerabilities, and files that merely masquerade as .pdf while actually being executables or archives. Verify sender context, enable Protected View or sandboxing, consider disabling JavaScript in your PDF reader, and scan or sandbox suspicious attachments before opening; when in doubt, confirm via a separate channel.

🔒 Chief information security officers (CISOs) play a strategic role in physical security when systems such as badges, keycards and video surveillance are tied to IT and grant access to critical assets. This article outlines ten essential measures—from hardening data centers and mapping physical–cyber connections to securing IoT and surveillance systems—that CISOs should coordinate with facilities, legal and physical security teams. Implementing these controls reduces risk and supports incident response and compliance.

🔍 GreyNoise has observed a roughly 500% rise in IP addresses scanning Palo Alto Networks login portals, primarily emulating GlobalProtect and PAN-OS profiles. Activity peaked on October 3 with more than 1,285 unique IPs—typical daily scans are usually under 200—while most sources were geolocated to the United States with smaller clusters in the UK, Netherlands, Canada, and Russia. GreyNoise classified 91% of the IPs as suspicious and 7% as malicious, noting clusters with distinct TLS fingerprints and warning this reconnaissance could precede exploitation attempts; administrators should verify device exposure and monitoring.

🔍 GreyNoise observed a nearly 500% surge in IP addresses scanning Palo Alto Networks login portals on October 3, 2025, jumping from about 200 to roughly 1,300 unique IPs. The firm classified 93% of those IPs as suspicious and 7% as malicious, with most activity geolocated to the U.S. and smaller clusters in the U.K., the Netherlands, Canada and Russia. GreyNoise noted the traffic was targeted and structured and shared a dominant TLS fingerprint with recent Cisco ASA scans.

🛡️ Check Point researchers report that the Rhadamanthys information stealer (v0.9.2) has been updated to collect extensive device and browser fingerprints and to deliver payloads via steganography embedded in WAV, JPEG and PNG files. The operator—initially known as kingcrete2022 and now marketing as RHAD security/Mythical Origin Labs—offers the malware as a tiered MaaS product with subscription plans and enterprise options. The sample includes sandbox-evasion checks, an embedded Lua runner for plugins, obfuscated configurations, and a PNG-based payload decryption step that requires a shared secret.

🔒 Manufacturers face growing, targeted cyber threats driven by legacy OT, complex supply chains, and high-value IP. Attackers increasingly use credential theft, social engineering and sophisticated malware to achieve prolonged access, data theft and ransomware extortion that can halt production and ripple across partners. Building resilience with MFA, prompt patching and continuous detection such as MDR — offering 24/7 threat monitoring, expert hunting and rapid containment — reduces downtime and strengthens supply chain security while aligning with Zero Trust principles.

🔒 A seasoned US CISO was targeted in a months-long pig-butchering scam that used a fabricated recruitment process posing as Gemini Crypto, including LinkedIn outreach, SMS, WhatsApp messages and a likely deepfaked video interview. The attackers groomed the target from May–September 2025, offered a fictitious CISO role, and asked him to buy $1,000 in crypto on Coinbase as "training." The candidate declined, documented the exchange, and warned peers; analysts say these long-game social engineering campaigns and malware-laced "test" assignments are increasingly common and financially damaging.

🛡️ HackerOne paid $81 million to white-hat hackers over the past 12 months, supporting more than 1,950 bug bounty programs and offering vulnerability disclosure, penetration testing, and code security services. The top 100 programs paid $51 million between July 1, 2024 and June 30, 2025, and the top 10 alone accounted for $21.6 million. AI-related vulnerabilities jumped over 200%, with prompt injection up 540%, while 70% of surveyed researchers reported using AI tools to improve hunting.

📄 Researchers at Varonis have identified a sophisticated phishing toolkit called MatrixPDF that embeds prompts, JavaScript, and external redirects inside seemingly legitimate PDF files to target Gmail users. Attackers exploit Gmail's preview and desktop PDF readers: a blurred preview displays a prompt to 'open secure document' that directs victims to external payloads, while embedded scripts can fetch malware if a user grants permission. Because the malicious content is only retrieved after user interaction, Gmail's automated scanners and attachment sandboxes can be bypassed. Security experts recommend stronger webmail controls, robust attachment sandboxing, endpoint detection, and frequent, realistic user awareness training.

🛡️ FortiGuard Labs reports that the long-running cyber-espionage group Confucius has shifted tactics against Microsoft Windows users, moving from document stealers like WooperStealer to Python-based backdoors such as AnonDoor. The change, observed between December 2024 and August 2025, favors persistent access and command execution over simple data exfiltration. Researchers describe layered evasion and persistence techniques including DLL side-loading, obfuscated PowerShell, scheduled tasks and stealthy exfiltration to minimize detection. Targeting remains focused in South Asia, particularly Pakistan.

🔍 Check Point Research found a marked rise in Amazon Prime Day scams during the first three weeks of September 2025, driven by malicious domains, phishing emails, and credential-harvesting pages that mimic legitimate Amazon communications. Attackers are exploiting urgency and trusted branding to capture login and payment details. Consumers and organizations should verify senders and domains, enable MFA, apply robust email filters, and monitor account activity to reduce exposure.

🔐 FortiGuard Labs documents the Confucius espionage group’s shift from document-stealing malware to a stealthy Python-based backdoor targeting Microsoft Windows. Recent campaigns used spear-phishing with weaponized Office PPSX files, malicious LNK loaders, and staged PowerShell installers to deploy runtimes and execute AnonDoor modules. The actor leveraged DLL side-loading, scheduled tasks, and HKCU registry Load persistence to maintain stealth and periodic execution. Fortinet urges layered defenses, updated signatures, and user training to mitigate these threats.

🔍 Zimperium zLabs’ analysis of 800 Android and iOS free VPN apps found widespread privacy and security weaknesses, including outdated libraries, weak encryption, and misleading privacy disclosures. The report highlights concrete failures such as vulnerable OpenSSL builds (including Heartbleed-era versions), roughly 1% of apps permitting Man-in-the-Middle decryption, and about 25% of iOS apps lacking valid privacy manifests. Researchers warn excessive permission requests and private entitlements increase risk, especially in BYOD and remote-work environments, and recommend stronger security models, endpoint visibility and zero-trust approaches.

🔒 Kaspersky analyzed a global phishing campaign that uses convincing fake voting pages to hijack WhatsApp accounts. Attackers lure victims with personalized requests and multilingual scam pages; when users click Vote they’re prompted for the phone number linked to their account and shown a single‑use verification code. Victims who then enter or paste that code in their WhatsApp app inadvertently activate a remote WhatsApp Web session, giving attackers full access. Immediately check Linked devices, disconnect unknown sessions, and follow Kaspersky’s recovery and prevention guidance.

🔔 From unpatched vehicles to hijacked clouds, this ThreatsDay bulletin outlines active threats and defensive moves across endpoints, cloud, browsers, and vehicles. Observers reported internet-wide scans exploiting PAN-OS GlobalProtect (CVE-2024-3400) and campaigns that use weak MS‑SQL credentials to deploy XiebroC2 for persistent access. New AirBorne CarPlay/iAP2 flaws can chain to take over Apple CarPlay in some cases without user interaction, while attackers quietly poison browser preferences to sideload malicious extensions. On defence, Google announced AI-driven ransomware detection for Drive and Microsoft plans an Edge revocation feature to curb sideloaded threats.

🛡️ SOC teams can close persistent detection gaps by adopting a continuous detection workflow that links early threat feeds, interactive sandboxing, and live threat lookups. ANY.RUN survey data shows unified stages deliver faster investigations, clearer triage, and reduced MTTR. Early filtering reduces Tier‑1 noise, sandboxes expose evasive payloads in realtime, and threat lookup provides historical context so analysts can validate and act with confidence.

🔍 Cisco Talos details UAT-8099, a Chinese-speaking cybercrime group that compromises reputable IIS servers to conduct SEO fraud and steal high-value credentials, certificates and configuration files. The actors exploit file-upload weaknesses to deploy ASP.NET web shells, enable RDP, create hidden administrative accounts and install VPN/reverse-proxy tools for persistence. They automate operations with custom scripts, deploy Cobalt Strike via DLL sideloading and install multiple BadIIS variants to manipulate search rankings and redirect mobile users to ads or gambling sites. Talos published IoCs, Snort/ClamAV signatures and mitigation guidance.

📣 The EU security agency's ENISA Threat Landscape 2025 report, analyzing 4,875 incidents from 1 July 2024 to 30 June 2025, finds phishing was the initial access vector in 60% of intrusions, with vulnerability exploitation at 21%. Botnets and malicious applications accounted for 10% and 8% respectively, and 68% of intrusions led to follow-up malware deployment. ENISA highlights AI-powered phishing exceeded 80% of social engineering globally by early 2025 and warns of attacks aimed at critical digital supply chain dependencies and high-value targets such as outdated mobile and OT systems.

🛡️ Modern disaster recovery and business continuity require a ground-up rebuild to address distributed data, evolving cyberthreats, climate-driven disruptions, and strict breach-reporting obligations. Key elements include executive sponsorship, standing interdisciplinary teams, AI-assisted discovery and classification, continuous and immutable backups aligned with a 3-2-1-1-0 approach, and the design of a minimum viable business to restore core functions. Frequent, gamified tabletop exercises and automated validation complete a resilient program.