All news with #threat report tag

🔐 Microsoft’s November 2025 progress report on the Secure Future Initiative outlines governance expansion, engineering milestones, and product hardening across Azure, Microsoft 365, Windows, Surface, and Microsoft Security. The update highlights measurable gains — a nine-point rise in security sentiment, 95% employee completion of AI-attack training, 99.6% phishing-resistant MFA enforcement, and 99.5% live-secrets detection and remediation. It also introduces AI-first security capabilities, new detections, and 10 actionable SFI patterns to help customers improve posture.

🛡️ This week's recap highlights sophisticated, real-world threats that bypass conventional defenses. Actors like Curly COMrades abused Hyper-V to run a hidden Alpine Linux VM and execute payloads outside the host OS, evading EDR/XDR. Microsoft disclosed the Whisper Leak AI side-channel that infers chat topics from encrypted traffic, and a patched Samsung zero-day was weaponized to deploy LANDFALL spyware to select Galaxy devices. Time-delayed NuGet logic bombs, a new criminal alliance (SLH), and ongoing RMM and supply-chain abuses underscore rising coordination and stealth—prioritize detection and mitigations now.

🔍 The ESET research team released its APT Activity Report covering April–September 2025, summarizing operations by state-aligned hacking groups. The report details espionage, disruptive attacks and monetized campaigns targeting government and corporate networks across multiple regions. Notably, the Russia-aligned group Sandworm deployed several data wipers against Ukraine's grain sector, an apparent attempt to harm economic resilience. ESET Chief Security Evangelist Tony Anscombe outlines key findings in an accompanying video and encourages readers to consult the full report for technical specifics.

🛡️ ESET's APT Activity Report covering Q2–Q3 2025 reports that Russian-aligned Sandworm deployed new data wipers, identified as Zerolot and Sting, against Ukrainian targets including government bodies and critical sectors such as energy, logistics and grain. The firm assessed the activity as likely intended to weaken Ukraine's economy. The findings, published on 6 November 2025, also note increased espionage and tool-sharing among other Russia-aligned groups.

🛡️ This bulletin catalogues a broad set of 2025 incidents showing cybercrime’s increasing real-world impacts. Microsoft patched three Windows GDI flaws (CVE-2025-30388, CVE-2025-53766, CVE-2025-47984) rooted in gdiplus.dll and gdi32full.dll, while Check Point warned partial fixes can leave data leaks lingering. Threat actors expanded toolsets and infrastructure — from RondoDox’s new exploits and TruffleNet’s AWS abuse to FIN7’s SSH backdoor and sophisticated phishing campaigns — and law enforcement action ranged from large fraud takedowns to prison sentences and cross-border crackdowns.

🔒 Bitdefender has been named a Representative Vendor in the 2025 Gartner Market Guide for Managed Detection and Response for the fourth consecutive year. The recognition reflects Bitdefender’s human-driven MDR approach, combining 24x7 analyst-led response, AI-driven analytics, and proactive exposure management. Gartner inclusion is based on client visibility and service orientation rather than ranking, highlighting providers that meet its inclusion criteria.

🔍 ESET Research summarizes notable APT operations observed from April through September 2025, highlighting activity by China-, Iran-, North Korea-, and Russia-aligned groups. The report documents increased use of adversary-in-the-middle techniques, targeted spearphishing (including emails sent from compromised internal inboxes), and expanded campaigns against government, energy, healthcare, and maritime sectors. Notable tools and threats include BLOODALCHEMY, SoftEther VPN infrastructure, a WinRAR zero-day exploit, and a newly identified Android spyware family named Wibag. Findings are based on ESET telemetry and verified analysis.

🔒 The Google Threat Intelligence Group (GTIG) released a report documenting a clear shift: adversaries are moving beyond benign productivity uses of AI and are experimenting with AI-enabled operations. GTIG observed state-sponsored actors from North Korea, Iran and the People's Republic of China using AI for reconnaissance, tailored phishing lure creation and data exfiltration. Threats described include AI-powered, self-modifying malware, prompt-engineering to bypass safety guardrails, and underground markets selling advanced AI attack capabilities. Google says it has disrupted malicious assets and applied that intelligence to strengthen classifiers and its AI models.

🛡️ The Google Threat Intelligence Group (GTIG) released a November 2025 report describing how adversaries are evolving beyond productivity uses of AI to operationalize novel offensive capabilities. GTIG observed state-sponsored actors (including North Korea, Iran, and the People’s Republic of China) and criminal groups using AI for reconnaissance, tailored phishing-lure generation, prompt-based guardrail evasion, and AI-powered polymorphic malware. Google reports it has disabled malicious assets and applied this intelligence to strengthen both its classifiers and AI model defenses.

⚠️Google's Threat Intelligence team reports a shift from experimentation to operational use of AI by threat actors, including AI-enabled malware and prompt-based command generation. GTIG highlighted PROMPTSTEAL, linked to APT28 (FROZENLAKE), which queries a Hugging Face LLM to generate scripts for reconnaissance, document collection, and exfiltration, while adopting greater obfuscation and altered C2 methods. Google disabled related assets, strengthened model classifiers and safeguards with DeepMind, and urges defenders to update threat models, monitor anomalous scripting and C2, and incorporate threat intelligence into model- and classifier-level protections.

🔍 Google Threat Intelligence Group (GTIG) reports an operational shift from adversaries using AI for productivity to embedding generative models inside malware to generate or alter code at runtime. GTIG details “just-in-time” LLM calls in families like PROMPTFLUX and PROMPTSTEAL, which query external models such as Gemini to obfuscate, regenerate, or produce one‑time functions during execution. Google says it disabled abusive assets, strengthened classifiers and model protections, and recommends monitoring LLM API usage, protecting credentials, and treating runtime model calls as potential live command channels.

🔍 Proofpoint attributes a previously unseen cluster, UNK_SmudgedSerpent, to targeted attacks on U.S. academics and foreign‑policy experts between June and August 2025. The adversary used tailored political lures and credential‑harvesting landing pages, at times distributing an MSI that deployed legitimate RMM software such as PDQ Connect. Tactics resemble Iranian-linked groups and included impersonation of think‑tank figures to increase credibility.

📱 Security researchers at Zscaler report a 67% year-on-year rise in Android-targeted malware after finding 239 malicious apps on Google Play that were downloaded 42 million times. The analysis covers more than 20 million mobile requests observed between June 2024 and May 2025 and highlights productivity and Tools apps as common vectors. Sectors such as manufacturing and energy were disproportionately targeted, with the energy sector seeing a 387% spike in mobile attacks.

🔐 Microsoft Incident Response (DART) uncovered a covert backdoor named 'SesameOp' in July 2025 that leverages the OpenAI Assistants API as a command-and-control channel. The malware uses an obfuscated DLL loader, Netapi64.dll, and a .NET component, OpenAIAgent.Netapi64, to fetch compressed, encrypted commands and return results via the API. Microsoft recommends firewall audits, EDR in block mode, tamper protection and cloud-delivered Defender protections to mitigate the threat.

🔎 Trustwave SpiderLabs has identified a coordinated alliance now operating as Scattered LAPSUS$ Hunters (SLH), merging reputational capital from Scattered Spider, ShinyHunters and LAPSUS$. The collective presents a unified operational brand, complete with a named "Operations Centre," centralized narrative and affiliate-driven extortion model. Analysis attributes fewer than five core operators managing roughly 30 personas and highlights Telegram as a persistent command-and-branding hub. Trustwave warns this consolidation aims to fill the vacuum left by the collapse of BreachForums and to sustain public, intimidation-based extortion tactics.

🛡️The Russian-linked threat group Curly COMrades abused Microsoft Hyper-V on Windows hosts to deploy a hidden, minimal Alpine Linux VM that hosted custom implants: CurlyShell (reverse shell) and CurlCat (reverse proxy). By using the Hyper-V Default Switch and naming the VM "WSL," outbound C2 traffic appeared to originate from the legitimate host IP, enabling evasion of host-based EDRs. The campaign — active since mid-2024 and observed by Bitdefender with help from the Georgian CERT — also employed PowerShell scripts for LSASS Kerberos ticket injection and Group Policy-based account creation, leaving few forensic traces. Organizations are advised to monitor unexpected Hyper-V activation, abnormal LSASS access or tampering, PowerShell GPO deployments, and to implement network-level inspection and layered defenses.

🛡️DragonForce, a ransomware operation built from leaked Conti source code, has restructured into a self-styled cartel that recruits affiliates and encourages branded variants. Researchers at Acronis report it retains Conti’s ChaCha20/RSA encryption, SMB-based network spreading, and multiple encryption modes while employing a hidden configuration system. Operators have pursued aggressive tactics — including defacing rival leak sites and aligning with access brokers like Scattered Spider — and have threatened victims with decryptor deletion and data leaks.

🔒 ReliaQuest's Q3 2025 telemetry found identity-related weaknesses were responsible for 44% of true‑positive cloud alerts, including excessive permissions, misconfigured roles and credential abuse. The report warns credentials and cloud keys often appear on crime markets — sometimes for as little as $2 — while 99% of cloud identities are reportedly over‑privileged, enabling stealthy access. It also highlights how rapid DevOps deployments can replicate legacy vulnerabilities and urges adoption of short‑lived credentials, strict least‑privilege controls and CI/CD security automation.

🚚 Proofpoint researchers report that cybercriminals are compromising transportation firms to facilitate physical cargo theft by abusing remote management and access tools. Attackers use social engineering — including fake load-board listings, email thread hijacking and targeted phishing — to deliver installers that deploy RMM and RAS utilities. Once inside, they perform reconnaissance, harvest credentials with tools such as WebBrowserPassView, and expand access, enabling organized-crime partners to bid on and steal shipments.

🚚 Proofpoint warns that cybercriminals are increasingly deploying legitimate remote monitoring and management tools to compromise trucking and logistics firms, enabling cargo theft and financial gain. Working with organized crime, they target asset-based carriers, brokers and integrated providers—especially food and beverage shipments—using compromised emails, fraudulent load-board listings and booby-trapped MSI/EXE installers to deliver ScreenConnect, SimpleHelp and other RMMs. Once inside, attackers conduct reconnaissance, harvest credentials with tools like WebBrowserPassView, delete bookings, block dispatcher alerts and reassign loads to facilitate physical theft, often selling stolen cargo online or overseas.