< ciso brief />

All news with #threat report tag

497 articles · page 11 of 25

2026 Data Security Index: Securing AI and Sensitive Data

🔒 The 2026 Microsoft Data Security Index explores how organizations can harness generative AI while protecting sensitive information and maintaining productivity. Based on responses from more than 1,700 security leaders, the report highlights three priorities: consolidating fragmented tools into unified platforms, managing AI-driven workflows securely, and leveraging generative AI to strengthen security operations. It recommends practical approaches using Microsoft Purview for continuous discovery and governance and Microsoft Security Copilot for automated investigation with human oversight.

Aisuru Botnet Launches Record 31.4 Tbps DDoS Attack

🔴 Cloudflare says the Aisuru/Kimwolf botnet launched a record DDoS campaign on December 19 that peaked at 31.4 Tbps and about 200 million requests per second. The attacks, dubbed The Night Before Christmas, targeted telecommunications and IT providers and hit Cloudflare’s dashboard and infrastructure. Sources were identified as compromised Android TVs rather than typical IoT routers, and most bursts lasted one to two minutes. Cloudflare reports the attacks were detected and mitigated automatically without triggering internal alerts.

US Data Breaches Hit Record High in 2025; Victims Drop

📈 The Identity Theft Resource Center (ITRC) reports a record 3,332 US data "compromises" in 2025, a 5% rise from 2024. Despite the higher incident count, individual victims fell to 279 million from 1.4 billion, driven by the absence of large-scale "mega breaches" seen in 2023. Financial services was the hardest-hit sector with 739 compromises (22%). The ITRC warned that opaque breach notices—70% lacked attack type—undermine consumer protection and urged Zero Trust, stronger identity verification and greater transparency.

Q4 2025 Talos IR: Public-Facing Exploits and Phishing

🔒 Talos Incident Response (Talos IR) reports that in Q4 2025 threat actors again favored exploitation of public-facing applications, appearing in nearly 40% of engagements, while phishing rose to the second-most common initial access vector. Notable exploit activity targeted Oracle E-Business Suite (CVE-2025-61882) and React2Shell (CVE-2025-55182), and attackers rapidly weaponized these flaws close to disclosure. Talos also observed deployment of APT-linked implants such as BadCandy and AquaShell, plus campaigns that targeted Native American tribal organizations for credential harvesting. The report emphasizes timely patching, strong MFA controls, centralized logging, and rapid incident response to limit impact.

Labyrinth Chollima Splits into Three Specialized Adversaries

🔍 CrowdStrike details that LABYRINTH CHOLLIMA has diverged into three distinct DPRK-linked adversaries — GOLDEN CHOLLIMA, PRESSURE CHOLLIMA, and a narrowed espionage-focused LABYRINTH CHOLLIMA. Each subgroup maintains dedicated malware families and targeting priorities: GOLDEN and PRESSURE focus on cryptocurrency and fintech thefts while core LABYRINTH targets industrial, defense, and logistics sectors. Despite operational separation, shared tools and infrastructure point to centralized coordination within the DPRK cyber ecosystem.

Crooks Hijack and Resell Exposed Corporate AI Infrastructure

🔒 Researchers at Pillar Security warn of large-scale campaigns that probe and exploit exposed LLM and MCP endpoints to steal compute, exfiltrate context data, and resell API access. In recent weeks, honeypots captured roughly 35,000 attack sessions linked to Operation Bizarre Bazaar and a parallel MCP reconnaissance effort; both rely on Shodan/Censys scanning, automated validators that confirm an endpoint answers without credentials, and a criminal marketplace. Threat actors target unprotected Ollama, vLLM and OpenAI-compatible endpoints and market discounted access through a site called The Unified LLM API Gateway. Organizations should immediately require authentication on every inference and MCP endpoint, audit MCP exposure, apply rate limits, block known malicious ranges, and treat AI endpoints with the same rigor as public APIs and databases.
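The "automated validators" described above are just credential-free GET requests against the listing routes that Ollama (/api/tags) and OpenAI-compatible servers such as vLLM (/v1/models) answer by default. The same probe turned inward is a quick exposure audit. The script below is an added example, not code from Pillar Security or from the projects named; the two fake_* responders are constructed stand-ins for an unauthenticated Ollama host and for a host behind a reverse proxy that demands a bearer token, and the 10.0.0.5 address is hypothetical.

```python
import json
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Listing routes that answer without credentials on a default install:
# Ollama's native /api/tags and the OpenAI-compatible /v1/models that vLLM and
# similar servers expose. The JSON key is what a genuine listing carries, so a
# generic 200 page (a captive portal, a login form) is not counted as "open".
PROBES = (
    ("ollama", "/api/tags", "models"),
    ("openai-compatible", "/v1/models", "data"),
)


def classify(status, body, key):
    """Map one probe response to 'open', 'auth-required' or 'not-detected'."""
    if status in (401, 403):
        return "auth-required"
    if status != 200:
        return "not-detected"
    try:
        doc = json.loads(body)
    except ValueError:
        return "not-detected"
    if isinstance(doc, dict) and isinstance(doc.get(key), list):
        return "open"
    return "not-detected"


def http_fetch(url, timeout=5):
    """Unauthenticated GET returning (status, body); status 0 means no HTTP answer."""
    req = Request(url, headers={"User-Agent": "ai-endpoint-audit/1.0"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, ""
    except URLError:
        return 0, ""


def audit_host(base_url, fetch=http_fetch):
    """Probe every known listing route on one host; returns {kind: verdict}."""
    base = base_url.rstrip("/")
    return {kind: classify(*fetch(base + path), key) for kind, path, key in PROBES}


def exposed(report):
    """True when any route served a model listing to a request with no credentials."""
    return any(verdict == "open" for verdict in report.values())


# Constructed responders standing in for two hosts, so the audit runs offline.
def fake_open_ollama(url):
    if url.endswith("/api/tags"):
        return 200, json.dumps({"models": [{"name": "llama3:8b"}]})
    return 404, "<h1>not found</h1>"


def fake_proxied(url):
    return 401, json.dumps({"error": "missing bearer token"})


if __name__ == "__main__":
    for host, fetch in (("http://10.0.0.5:11434", fake_open_ollama),
                        ("https://llm.example.internal", fake_proxied)):
        report = audit_host(host, fetch)
        print(host, report, "EXPOSED" if exposed(report) else "ok")
```

Run it with the default http_fetch against your own inventory of inference hosts; anything reporting "open" is reachable by exactly the validators the campaign uses and needs an authenticating proxy in front of it.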

Coordinated Cyberattack on Polish Energy Grid Hits 30 Sites

⚠️ A coordinated late-December cyberattack targeted distributed energy resource (DER) sites across Poland, impacting roughly 30 facilities including combined heat and power (CHP) plants and wind and solar dispatch systems. Researchers at Dragos say attackers damaged OT equipment beyond repair and wiped Windows hosts while disabling remote monitoring, though generation continued and no outages occurred. Dragos links the operation with moderate confidence to the cluster it calls Electrum, noting overlaps with Sandworm/APT44 and ties to destructive wipers used in Ukraine.

FBI Seizes RAMP Cybercrime Forum Linked to Ransomware

🔒 The FBI has seized the RAMP cybercrime forum, replacing both its Tor and clearnet sites with an official seizure notice and switching DNS to FBI-controlled name servers. The action potentially grants investigators access to forum records, including email addresses, IP logs, private messages and other data, that could identify, and lead to arrests of, threat actors who practised poor operational security. RAMP, launched in July 2021 by the actor known as Orange, became a prominent hub for ransomware groups to advertise operations, recruit affiliates, and trade network access.

Empire Market Owner Pleads Guilty to Drug Conspiracy

⚖️ A Virginia man who co-created Empire Market pleaded guilty to federal drug conspiracy charges after facilitating roughly $430 million in illicit transactions from 2018 to 2020. The Tor-accessible marketplace, modeled after AlphaBay, reached about 1.68 million registered users and listed 166,029 controlled-substance offerings. Court filings say the operators used cryptocurrency to launder proceeds, employed moderators to resolve disputes, and oversaw vendors selling heroin, methamphetamine, cocaine and fentanyl; the defendant agreed to substantial cryptocurrency and property forfeitures.

Key Cybersecurity Trends Defining 2026 Risk Landscape

🛡️ The Cyber Security Report 2026 analyzes global attack activity and shows how adversaries are evolving into faster, more automated, and more coordinated operators. It documents AI-driven attacks, expanded ransomware operations, identity abuse, and multi-channel social engineering across hybrid and edge environments. The report highlights the deliberate combination of techniques at scale and outlines defensive priorities to address these integrated threats.

Pakistan-linked Cyber Campaigns Target Indian Government

🛡️ Zscaler ThreatLabz identified two Pakistan-linked campaigns, codenamed Gopher Strike and Sheet Attack, that targeted Indian government entities in September 2025. Gopher Strike relied on tailored phishing PDFs that display a fake update prompt and selectively deliver an ISO payload only to requests originating from India and Windows User-Agents. Sheet Attack abused legitimate services such as Google Sheets, Firebase, and email for command-and-control. The intrusions deploy Golang tools — GOGITTER, GITSHELLPAD, and GOSHELL — to maintain persistence, execute commands, and stage a Cobalt Strike Beacon.

Pakistan-linked campaigns target Indian government assets

🔎 Zscaler ThreatLabz in September 2025 uncovered two Pakistan-linked campaigns, codenamed Gopher Strike and Sheet Attack, aimed at Indian government entities. Gopher Strike used phishing PDFs with a fake Adobe update that conditionally delivers an ISO to Indian Windows hosts, deploying a Golang downloader, GOGITTER, which establishes VBScript-based persistence and scheduled-task execution. Sheet Attack abused legitimate services such as Google Sheets, Firebase and email for command-and-control, while a lightweight backdoor, GITSHELLPAD, and a padded loader, GOSHELL, were used to ultimately deliver Cobalt Strike.

Growing Android Threats in 2026: Fake Apps and NFC Risks

🛡️ In 2025–2026 Android ecosystems saw a sharp rise in malware distributed via sideloading, fake app stores and messaging platforms, alongside a surge in NFC-based cash-out schemes. Kaspersky highlights prolific families such as ClayRat, rising Trojan bankers and preinstalled firmware threats like Triada, and documents social-engineered VPN and relay attacks. The report emphasizes strict mobile hygiene and recommends Kaspersky for Android to detect trojanized APKs, block phishing and mitigate NFC exploits.

PeckBirdy JScript C2 Framework Linked to China APTs

🔍 PeckBirdy is a previously undocumented, JScript-based command-and-control framework active since 2023 that researchers have linked to China-aligned APT activity across Asia. Trend Micro observed the framework used in multiple roles — watering-hole controller, reverse shell and C2 server — deployed via living-off-the-land binaries and browser-based social engineering. Modular implants such as HOLODONUT and MKDOOR extend capabilities with in-memory execution and attempts to evade Microsoft Defender, complicating detection and response.

From Cipher to Fear: Psychology of Modern Ransomware

🔐 Modern ransomware has evolved from a technical encryption problem into a psychology-driven extortion industry where stolen data, legal exposure, and reputation risk are the primary levers. Flare's 2025 analysis documents a fragmented, collaborative attacker ecosystem and a shift to pressure-first tactics like public shaming and identity abuse. Security teams must expand playbooks beyond backups to include legal and communications readiness, targeted configuration audits, and prioritized remediation based on active exploit intelligence.

Active Exploitation of Critical WinRAR CVE-2025-8088

⚠️ The Google Threat Intelligence Group (GTIG) has observed widespread exploitation of WinRAR via CVE-2025-8088, a critical path traversal vulnerability that lets a crafted archive write files outside the directory the user chose for extraction; attackers use it to drop payloads into the Windows Startup folder by hiding the traversal path inside an Alternate Data Stream (ADS) entry. Adversaries, from government-backed Russian and Chinese groups to financially motivated operators, craft RAR archives that present a decoy document while the hidden ADS entries plant a file that runs at the next logon. Defenders should prioritize updating WinRAR (the fix shipped in version 7.13; WinRAR has no automatic update mechanism, so the new build must be pushed by software management), enable Safe Browsing protections, and hunt for ADS extraction activity and newly created Startup-folder LNK/HTA/BAT artifacts.
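Hunting for such archives before they are opened is feasible because the malicious entry names are visible in the RAR5 block headers: an archive path should never contain a colon (only an ADS name does) or a ".." segment. The script below is an added example, not GTIG's tooling or WinRAR's code: it walks RAR5 headers per the public format description, verifies each header CRC, and flags entries showing ADS, traversal or Startup-folder traits. The build_rar5 fixture constructs a minimal stored archive so the scan runs offline; its entry names, including the decoy PDF with a traversing ADS, are constructed illustrations of the pattern described above, not a real sample.

```python
import struct
import zlib

# RAR5 signature and the header types this walker needs (public RAR5 format
# description): 1 = main archive header, 2 = file header, 5 = end of archive.
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
HEAD_MAIN, HEAD_FILE, HEAD_END = 1, 2, 5


def vint(n):
    """Encode n as a RAR5 variable-length int (7 bits per byte, 0x80 = more follows)."""
    out = bytearray()
    while True:
        b = n & 0x7F
        n >>= 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def read_vint(buf, pos):
    """Decode a vint at pos; returns (value, position after it)."""
    val, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        val |= (b & 0x7F) << shift
        if not b & 0x80:
            return val, pos
        shift += 7


def rar5_entry_names(data):
    """Walk RAR5 block headers and return the stored name of every file entry."""
    if not data.startswith(RAR5_SIG):
        raise ValueError("not a RAR5 archive")
    pos, names = len(RAR5_SIG), []
    while pos < len(data):
        crc = struct.unpack_from("<I", data, pos)[0]
        hsize, p = read_vint(data, pos + 4)
        hend = p + hsize  # header size counts from the type field to the end of the extra area
        if zlib.crc32(data[pos + 4:hend]) != crc:  # CRC covers the size field and the header
            raise ValueError("header CRC mismatch at offset %d" % pos)
        htype, p = read_vint(data, p)
        hflags, p = read_vint(data, p)
        dsize = 0
        if hflags & 0x0001:  # extra area present
            _, p = read_vint(data, p)
        if hflags & 0x0002:  # a data area follows the header
            dsize, p = read_vint(data, p)
        if htype == HEAD_FILE:
            fflags, p = read_vint(data, p)
            _, p = read_vint(data, p)  # unpacked size
            _, p = read_vint(data, p)  # attributes
            if fflags & 0x0002:
                p += 4  # mtime
            if fflags & 0x0004:
                p += 4  # data CRC32
            _, p = read_vint(data, p)  # compression info
            _, p = read_vint(data, p)  # host OS
            nlen, p = read_vint(data, p)
            names.append(data[p:p + nlen].decode("utf-8"))
        pos = hend + dsize
        if htype == HEAD_END:
            break
    return names


def classify_name(name):
    """Return the suspicious traits of one entry name (empty list = nothing odd)."""
    flags = []
    if ":" in name:  # a colon inside an archive path can only be an ADS name
        flags.append("ads")
    if ".." in name.replace("\\", "/").split("/"):
        flags.append("traversal")
    if "\\startup\\" in name.lower().replace("/", "\\"):
        flags.append("startup-folder")
    return flags


def scan_archive(data):
    """Return {entry_name: [flags]} for every suspicious entry in the archive."""
    findings = {}
    for name in rar5_entry_names(data):
        flags = classify_name(name)
        if flags:
            findings[name] = flags
    return findings


# --- constructed fixture: build a minimal RAR5 archive of stored files ---
def _block(htype, body, payload=b""):
    hflags = 0x0002 if payload else 0
    header = vint(htype) + vint(hflags) + (vint(len(payload)) if payload else b"") + body
    sized = vint(len(header)) + header
    return struct.pack("<I", zlib.crc32(sized)) + sized + payload


def build_rar5(entries):
    """Assemble (name, bytes) pairs into an uncompressed RAR5 archive."""
    out = bytearray(RAR5_SIG) + _block(HEAD_MAIN, vint(0))
    for name, payload in entries:
        nb = name.encode("utf-8")
        # file flags, unpacked size, attributes, compression (stored), host OS (Windows), name
        body = vint(0) + vint(len(payload)) + vint(0x20) + vint(0) + vint(0) + vint(len(nb)) + nb
        out += _block(HEAD_FILE, body, payload)
    return bytes(out + _block(HEAD_END, vint(0)))


SAMPLE_ENTRIES = [  # constructed names illustrating the decoy + hidden ADS pattern
    ("quarterly_report.pdf", b"%PDF-1.4 decoy"),
    ("quarterly_report.pdf:..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk", b"lnk"),
    ("..\\..\\evil.bat", b"@echo off"),
]

if __name__ == "__main__":
    for name, flags in scan_archive(build_rar5(SAMPLE_ENTRIES)).items():
        print(", ".join(flags), "->", name)
```

Point scan_archive at archives pulled from mail gateways or download directories; a colon or ".." in an entry name is a strong enough signal to quarantine the file regardless of which WinRAR build the recipient runs.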

Threatsday Bulletin: Supply, Ads, Zero-Click, Scans

🔐 Most of this week's threats exploited trusted systems and routine workflows rather than new techniques, achieving access with low friction and high persistence. Incidents ranged from targeted spear‑phishing that delivered the FALSECUB backdoor to widespread malvertising campaigns distributing .NET RATs and the TamperedChef infostealer. Google Project Zero detailed a multi‑stage Pixel zero‑click chain, vendors disclosed DLL side‑loading and WSL abuse, and supply‑chain exposures and large reconnaissance sweeps were widely observed. Administrators should prioritize patching, plugin hygiene, and tightening automated support and supply‑chain controls.

Global Collaboration to Deter Systemic Cybercrime at Scale

🌐 At the World Economic Forum in Davos, Fortinet highlighted that cybercrime has evolved into a transnational economic system driven by specialization, automation, and AI. Leaders emphasized an acute imbalance: attackers benefit from low-risk, high-reward models while defenders are hindered by fragmented collaboration, jurisdictional limits, and a widening skills gap. Participants called for scaling structured, incentive-driven collaboration and validated community intelligence, together with targeted training and technology investment, to shift the economics in favor of defenders.

Global Collaboration to Deter Systemic Cybercrime at Scale

🤝 At Davos, Fortinet argues that cybercrime has evolved into an economic system sustained by specialized markets such as ransomware collectives and Cybercrime-as-a-Service. Attackers are leveraging automation and AI to scale and personalize campaigns, while defenders remain constrained by fragmented jurisdictions, voluntary sharing, and an enduring skills gap. The piece calls for scalable, incentive-driven collaboration, trusted reporting, expert validation, and stronger law enforcement partnerships to shift the economics in favor of defenders.

Zero-day and One-day Exploits Rose in 2025, Says VulnCheck

🔍 VulnCheck’s State of Exploitation 2026 report finds 28.96% of known exploited vulnerabilities (KEVs) were exploited before or on the day they were disclosed, up from 23.6% in 2024. In 2025 the firm observed exploitation of 884 vulnerabilities — a 15% year‑over‑year increase — across hundreds of vendors and products. Network edge devices (191 KEVs), content management systems (163) and open source software (129) were the most targeted, while operating systems saw the highest share of zero‑day and one‑day exploits. The report also notes time‑to‑exploitation patterns remained consistent and that ransomware attribution often lagged initial exploit disclosures.