All news with #threat report tag

🧨 Check Point Research details the Shai-Hulud 2.0 campaign, a rapid and extensive npm supply-chain attack observed in November 2025. Between 21–23 November attackers compromised hundreds of npm packages and over 25,000 GitHub repositories by abusing the npm preinstall lifecycle script to execute payloads before installation completed. The report outlines techniques, scale, and practical mitigations to help organizations protect development pipelines.

🛡️ A BlueVoyant survey finds 97% of organizations were negatively impacted by a supply chain breach, up sharply from 81% in 2024. The State of Supply Chain Defense: Annual Global Insights Report 2025, published 20 November, shows many firms are maturing TPRM programs and shifting oversight into cyber or IT teams. Despite increased maturity, respondents report persistent issues such as lack of executive buy-in, compliance-first approaches, limited integration with enterprise risk frameworks, and a trend of adding vendors faster than they add visibility or remediation capacity.

🔍 Google Threat Intelligence Group (GTIG) details a three-year espionage campaign by APT24 deploying the obfuscated BADAUDIO downloader to deliver AES-encrypted payloads, including Cobalt Strike beacons. The actor evolved from broad strategic web compromises to targeted supply-chain abuse of a Taiwanese digital marketing firm and spear-phishing lures. BADAUDIO uses DLL search order hijacking, control-flow flattening, and cookie-based beaconing to retrieve decrypted payloads in memory. GTIG added related domains and files to Safe Browsing, issued victim notifications, and published IOCs and YARA rules to support detection and mitigation.

🛡️ This week's ThreatsDay Bulletin highlights a surge in espionage, zero-day exploits, and organized crypto laundering across multiple countries. MI5 warned that Chinese operatives are using LinkedIn profiles and fake recruiters to target lawmakers and staff, while researchers disclosed critical flaws like a pre-auth RCE in Oracle Identity Manager and a resource-exhaustion bug in the Shelly Pro 4PM relay. The bulletin also details malicious browser extensions, new macOS stealer NovaStealer, high-profile arrests and sanctions, and continued pressure on crypto-mixing services. Patch, update, and verify identities to reduce exposure.

🔒 PlushDaemon, a China-linked APT, has deployed a network implant called EdgeStepper to hijack DNS on compromised routers and redirect update traffic to attacker-controlled servers, according to ESET. The MIPS32 Go-built implant modifies iptables to forward UDP port 53 to a local proxy that substitutes legitimate update IPs with malicious ones. Using the hijacked channel, a downloader chain (LittleDaemon, DaemonicLogistics) delivers the espionage backdoor SlowStepper, enabling credential theft, document exfiltration and audio/video capture.

🔍 Google filed a court complaint alleging a "cybercriminal group in China" sold branded "Lighthouse" phishing kits that let unsophisticated fraudsters run large-scale SMS and e-commerce scams. The kits bundle hundreds of fake-website templates, domain setup tools, and subscription licenses offered weekly, monthly, seasonal, annual, or permanent. Campaigns often begin with texts about overdue tolls or package redelivery and sometimes appear as ads (including ads that persisted until Google suspended accounts). Victims who click are redirected to fraudulent sites that solicit passwords, credit card numbers, or payments purportedly accepted via wallets such as Google Pay.

🔒 Check Point Research reports a significant increase in Black Friday–themed domain registrations, with about 1 in 11 newly registered domains classified as malicious. Brand impersonation is a primary tactic: roughly 1 in 25 new domains referencing marketplaces like Amazon, AliExpress, and Alibaba are flagged. Attackers create convincing fake storefronts that copy logos, layouts, and imagery to harvest credentials and payment data, with recent campaigns impersonating HOKA and AliExpress demonstrating active phishing tied to seasonal promotions.

🔒 CTM360 reports a large-scale campaign, dubbed HackOnChat, that deploys deceptive web portals and impersonation pages to compromise WhatsApp accounts worldwide. Attackers rapidly create thousands of malicious URLs on inexpensive domains and web-building platforms, luring users with fake security alerts and lookalike login pages. Once accounts are taken, they are abused to defraud contacts, harvest sensitive data, and expand the scam.

🛡️ Researchers from the Socket Threat Research Team uncovered a new npm malware campaign operated by threat actor dino_reborn, distributed across seven packages that executed immediately and fingerprinted visitors. The packages used Adspect proxying and cloaking to distinguish researchers from victims, delivering branded fake CAPTCHAs and dynamic redirects to malicious crypto sites. Anti-analysis measures disabled developer tools and user interactions to hinder inspection.

🔒 Security researchers from Socura and Flare found around 460,000 compromised credentials tied to FTSE 100 domains across clear- and dark-web crime communities, including 28,000 entries from infostealer logs. The report notes many companies had thousands of leaks and that password hygiene remains poor, with 59% having at least one user using 'password'. It recommends MFA, passkeys, password managers, conditional access and proactive leak monitoring.

🔍 This joint analysis from Google Threat Intelligence and Mandiant describes UNC1549 activity observed from late 2023 through 2025 against aerospace, aviation, and defense organizations. The group commonly exploited trusted third‑party relationships, VDI breakouts, and highly targeted spear phishing to gain access, then deployed custom backdoors and tunneling tools to maintain stealth. The report provides IOCs, YARA rules, and detection guidance for Azure and enterprise environments.

🔒 This week's recap highlights a surge in quiet, high-impact attacks that abused trusted software and platform features to evade detection. Researchers observed active exploitation of Fortinet FortiWeb (CVE-2025-64446) to create administrative accounts, prompting CISA to add it to the KEV list. Law enforcement disrupted major malware infrastructure while supply-chain and AI-assisted campaigns targeted package registries and cloud services. The guidance is clear: scan aggressively, patch rapidly, and assume features can be repurposed as attack vectors.

⚠️CISA, the FBI and international partners warn that the Akira ransomware gang has extended its attack surface beyond Windows, VMware ESXi and Hyper‑V to now target Nutanix AHV and Linux servers. The group exploits exposed VPNs, unpatched network appliances and backup platforms, rapidly exfiltrates data and employs a double‑extortion model. Akira uses tunneling tools like Ngrok, remote‑access abuse (AnyDesk, LogMeIn), and cryptography (ChaCha20 with RSA) to encrypt and leak files. Organizations should prioritize MFA, timely patching, segmented networks and protection of backup and hypervisor consoles.

🔒 LinkedIn has emerged as a major vector for phishing, with a growing share of attacks moving off email and onto social and messaging platforms. Attackers exploit in‑app DMs, account takeovers, and AI automation to target executives and high‑value roles, often aiming to compromise SSO providers such as Microsoft Entra and Google Workspace. Because these messages bypass traditional email security and lack inbox quarantine tools, browser-based defenses and SSO/MFA hygiene are recommended to detect and block evasive campaigns. The article outlines five reasons this shift increases enterprise risk.

🔒 A joint US and international advisory on 14 November attributes approximately $244.17m in illicit proceeds to the Akira ransomware group since late September 2025. The advisory reports rapid data exfiltration in some incidents and details exploitation of SonicWall CVE-2024-40766, expansion to Nutanix AHV disk encryption, and attacks leveraging SSH and unpatched Veeam servers. Operators employ initial access brokers, tunnelling tools and remote access software such as AnyDesk to persist and evade detection. Organisations are urged to prioritise patching, enforce phishing-resistant MFA, and maintain offline backups.

🔒 Q3 2025 saw an unprecedented decentralization of ransomware, with Check Point Research tracking a record 85 active groups and roughly 1,592 disclosed victims across numerous leak sites. Despite enforcement actions and multiple takedowns, affiliates quickly reconstitute or rebrand, spawning 14 new ransomware brands this quarter. The return of LockBit 5.0 — with updated Windows, Linux and ESXi variants and individualized negotiation portals — suggests a possible shift back toward centralization, while marketing-driven actors like DragonForce further complicate attribution and response.

🔍 The ransomware landscape in Q3 2025 reached a critical inflection point: despite law enforcement takedowns earlier in the year, attacks remained at historically high levels. Check Point Research identified 1,592 new victims across 85 active extortion groups, a 25% year‑over‑year increase. While major brands such as RansomHub and 8Base disappeared, numerous smaller actors rapidly filled the void, driving unprecedented RaaS fragmentation and complicating response efforts.

🔐 CISA and partner agencies published an updated advisory on Nov. 13, 2025, detailing new indicators, tactics, and detection guidance related to Akira ransomware. The update documents expanded targeting across Manufacturing, Education, IT, Healthcare, Financial, and Food and Agriculture, and links activity to groups such as Storm-1567 and Punk Spider. Key findings include exploitation of edge and backup vulnerabilities, use of remote management tools for defense evasion, and a faster, more destructive Akira_v2 variant that complicates recovery.

🔐 This ThreatsDay Bulletin surveys major cyber activity shaping November 2025, from exploited Cisco zero‑days and active malware campaigns to regulatory moves and AI-related leaks. Highlights include CISA's emergency directive after some Cisco updates remained vulnerable, a large-scale study finding 65% of AI firms leaked secrets on GitHub, and a prolific phishing operation abusing Facebook Business Suite. The roundup stresses practical mitigations—verify patch versions, enable secret scanning, and strengthen incident reporting and red‑teaming practices.

📈 Check Point Research found a continued uptick in global cyber assaults in October 2025, with organizations experiencing an average of 1,938 attacks per week. That represents a 2% increase from September and a 5% rise year‑over‑year. The report attributes the growth to an explosive expansion of ransomware operations and emerging risks tied to generative AI, while the education sector remained the most heavily targeted. Security teams are urged to strengthen detection, patching and access controls to counter increasingly automated and AI‑assisted threats.