< ciso
brief />
Tag Banner

All news with #threat report tag

542 articles · page 20 of 28

Ransomware Fragmentation Peaks as LockBit Re-emerges

🔒 Q3 2025 saw an unprecedented decentralization of ransomware, with Check Point Research tracking a record 85 active groups and roughly 1,592 disclosed victims across numerous leak sites. Despite enforcement actions and multiple takedowns, affiliates quickly reconstitute or rebrand, spawning 14 new ransomware brands this quarter. The return of LockBit 5.0 — with updated Windows, Linux and ESXi variants and individualized negotiation portals — suggests a possible shift back toward centralization, while marketing-driven actors like DragonForce further complicate attribution and response.
read more →

Ransomware Fragmentation and Rising Attacks in Q3 2025

🔍 The ransomware landscape in Q3 2025 reached a critical inflection point: despite law enforcement takedowns earlier in the year, attacks remained at historically high levels. Check Point Research identified 1,592 new victims across 85 active extortion groups, a 25% year‑over‑year increase. While major brands such as RansomHub and 8Base disappeared, numerous smaller actors rapidly filled the void, driving unprecedented RaaS fragmentation and complicating response efforts.
read more →

CISA Updates Advisory: Akira Ransomware Evolution Update

🔐 CISA and partner agencies published an updated advisory on Nov. 13, 2025, detailing new indicators, tactics, and detection guidance related to Akira ransomware. The update documents expanded targeting across Manufacturing, Education, IT, Healthcare, Financial, and Food and Agriculture, and links activity to groups such as Storm-1567 and Punk Spider. Key findings include exploitation of edge and backup vulnerabilities, use of remote management tools for defense evasion, and a faster, more destructive Akira_v2 variant that complicates recovery.
read more →

ThreatsDay Bulletin: Key Cybersecurity Developments

🔐 This ThreatsDay Bulletin surveys major cyber activity shaping November 2025, from exploited Cisco zero‑days and active malware campaigns to regulatory moves and AI-related leaks. Highlights include CISA's emergency directive after some Cisco updates remained vulnerable, a large-scale study finding 65% of AI firms leaked secrets on GitHub, and a prolific phishing operation abusing Facebook Business Suite. The roundup stresses practical mitigations—verify patch versions, enable secret scanning, and strengthen incident reporting and red‑teaming practices.
read more →

Global Cyber Attacks Surge in October 2025: Ransomware Rise

📈 Check Point Research found a continued uptick in global cyber assaults in October 2025, with organizations experiencing an average of 1,938 attacks per week. That represents a 2% increase from September and a 5% rise year‑over‑year. The report attributes the growth to an explosive expansion of ransomware operations and emerging risks tied to generative AI, while the education sector remained the most heavily targeted. Security teams are urged to strengthen detection, patching and access controls to counter increasingly automated and AI‑assisted threats.
read more →

Microsoft Secure Future Initiative — November 2025 Report

🔐 Microsoft’s November 2025 progress report on the Secure Future Initiative outlines governance expansion, engineering milestones, and product hardening across Azure, Microsoft 365, Windows, Surface, and Microsoft Security. The update highlights measurable gains — a nine-point rise in security sentiment, 95% employee completion of AI-attack training, 99.6% phishing-resistant MFA enforcement, and 99.5% live-secrets detection and remediation. It also introduces AI-first security capabilities, new detections, and 10 actionable SFI patterns to help customers improve posture.
read more →

Weekly Recap: Hidden VMs, AI Leaks, and Mobile Spyware

🛡️ This week's recap highlights sophisticated, real-world threats that bypass conventional defenses. Actors like Curly COMrades abused Hyper-V to run a hidden Alpine Linux VM and execute payloads outside the host OS, evading EDR/XDR. Microsoft disclosed the Whisper Leak AI side-channel that infers chat topics from encrypted traffic, and a patched Samsung zero-day was weaponized to deploy LANDFALL spyware to select Galaxy devices. Time-delayed NuGet logic bombs, a new criminal alliance (SLH), and ongoing RMM and supply-chain abuses underscore rising coordination and stealth—prioritize detection and mitigations now.
read more →

Who, Where and How: APT Attacks Q2–Q3 2025 Report Overview

🔍 The ESET research team released its APT Activity Report covering April–September 2025, summarizing operations by state-aligned hacking groups. The report details espionage, disruptive attacks and monetized campaigns targeting government and corporate networks across multiple regions. Notably, the Russia-aligned group Sandworm deployed several data wipers against Ukraine's grain sector, an apparent attempt to harm economic resilience. ESET Chief Security Evangelist Tony Anscombe outlines key findings in an accompanying video and encourages readers to consult the full report for technical specifics.
read more →

Sandworm Deploys New Wiper Malware in Ukraine Q2–Q3 2025

🛡️ ESET's APT Activity Report covering Q2–Q3 2025 reports that Russian-aligned Sandworm deployed new data wipers, identified as Zerolot and Sting, against Ukrainian targets including government bodies and critical sectors such as energy, logistics and grain. The firm assessed the activity as likely intended to weaken Ukraine's economy. The findings, published on 6 November 2025, also note increased espionage and tool-sharing among other Russia-aligned groups.
read more →

ThreatsDay Bulletin: Cybercrime Trends and Major Incidents

🛡️ This bulletin catalogues a broad set of 2025 incidents showing cybercrime’s increasing real-world impacts. Microsoft patched three Windows GDI flaws (CVE-2025-30388, CVE-2025-53766, CVE-2025-47984) rooted in gdiplus.dll and gdi32full.dll, while Check Point warned partial fixes can leave data leaks lingering. Threat actors expanded toolsets and infrastructure — from RondoDox’s new exploits and TruffleNet’s AWS abuse to FIN7’s SSH backdoor and sophisticated phishing campaigns — and law enforcement action ranged from large fraud takedowns to prison sentences and cross-border crackdowns.
read more →

Bitdefender Named Representative Vendor in 2025 Gartner Guide

🔒 Bitdefender has been named a Representative Vendor in the 2025 Gartner Market Guide for Managed Detection and Response for the fourth consecutive year. The recognition reflects Bitdefender’s human-driven MDR approach, combining 24x7 analyst-led response, AI-driven analytics, and proactive exposure management. Gartner inclusion is based on client visibility and service orientation rather than ranking, highlighting providers that meet its inclusion criteria.
read more →

ESET APT Activity Report Q2–Q3 2025: Key Findings Overview

🔍 ESET Research summarizes notable APT operations observed from April through September 2025, highlighting activity by China-, Iran-, North Korea-, and Russia-aligned groups. The report documents increased use of adversary-in-the-middle techniques, targeted spearphishing (including emails sent from compromised internal inboxes), and expanded campaigns against government, energy, healthcare, and maritime sectors. Notable tools and threats include BLOODALCHEMY, SoftEther VPN infrastructure, a WinRAR zero-day exploit, and a newly identified Android spyware family named Wibag. Findings are based on ESET telemetry and verified analysis.
read more →

GTIG Report: AI-Enabled Threats Transform Cybersecurity

🔒 The Google Threat Intelligence Group (GTIG) released a report documenting a clear shift: adversaries are moving beyond benign productivity uses of AI and are experimenting with AI-enabled operations. GTIG observed state-sponsored actors from North Korea, Iran and the People's Republic of China using AI for reconnaissance, tailored phishing lure creation and data exfiltration. Threats described include AI-powered, self-modifying malware, prompt-engineering to bypass safety guardrails, and underground markets selling advanced AI attack capabilities. Google says it has disrupted malicious assets and applied that intelligence to strengthen classifiers and its AI models.
read more →

GTIG Report: Adversaries Experimenting with AI Tools

🛡️ The Google Threat Intelligence Group (GTIG) released a November 2025 report describing how adversaries are evolving beyond productivity uses of AI to operationalize novel offensive capabilities. GTIG observed state-sponsored actors (including North Korea, Iran, and the People’s Republic of China) and criminal groups using AI for reconnaissance, tailored phishing-lure generation, prompt-based guardrail evasion, and AI-powered polymorphic malware. Google reports it has disabled malicious assets and applied this intelligence to strengthen both its classifiers and AI model defenses.
read more →

Cloud CISO: Threat Actors' Growing Use of AI Tools

⚠️Google's Threat Intelligence team reports a shift from experimentation to operational use of AI by threat actors, including AI-enabled malware and prompt-based command generation. GTIG highlighted PROMPTSTEAL, linked to APT28 (FROZENLAKE), which queries a Hugging Face LLM to generate scripts for reconnaissance, document collection, and exfiltration, while adopting greater obfuscation and altered C2 methods. Google disabled related assets, strengthened model classifiers and safeguards with DeepMind, and urges defenders to update threat models, monitor anomalous scripting and C2, and incorporate threat intelligence into model- and classifier-level protections.
read more →

GTIG: Threat Actors Shift to AI-Enabled Runtime Malware

🔍 Google Threat Intelligence Group (GTIG) reports an operational shift from adversaries using AI for productivity to embedding generative models inside malware to generate or alter code at runtime. GTIG details “just-in-time” LLM calls in families like PROMPTFLUX and PROMPTSTEAL, which query external models such as Gemini to obfuscate, regenerate, or produce one‑time functions during execution. Google says it disabled abusive assets, strengthened classifiers and model protections, and recommends monitoring LLM API usage, protecting credentials, and treating runtime model calls as potential live command channels.
read more →

SmudgedSerpent Targets U.S. Policy Experts Amid Tensions

🔍 Proofpoint attributes a previously unseen cluster, UNK_SmudgedSerpent, to targeted attacks on U.S. academics and foreign‑policy experts between June and August 2025. The adversary used tailored political lures and credential‑harvesting landing pages, at times distributing an MSI that deployed legitimate RMM software such as PDQ Connect. Tactics resemble Iranian-linked groups and included impersonation of think‑tank figures to increase credibility.
read more →

Hundreds of Malware Android Apps Downloaded 42 Million

📱 Security researchers at Zscaler report a 67% year-on-year rise in Android-targeted malware after finding 239 malicious apps on Google Play that were downloaded 42 million times. The analysis covers more than 20 million mobile requests observed between June 2024 and May 2025 and highlights productivity and Tools apps as common vectors. Sectors such as manufacturing and energy were disproportionately targeted, with the energy sector seeing a 387% spike in mobile attacks.
read more →

OpenAI Assistants API Abused by 'SesameOp' Backdoor

🔐 Microsoft Incident Response (DART) uncovered a covert backdoor named 'SesameOp' in July 2025 that leverages the OpenAI Assistants API as a command-and-control channel. The malware uses an obfuscated DLL loader, Netapi64.dll, and a .NET component, OpenAIAgent.Netapi64, to fetch compressed, encrypted commands and return results via the API. Microsoft recommends firewall audits, EDR in block mode, tamper protection and cloud-delivered Defender protections to mitigate the threat.
read more →

Scattered LAPSUS$ Hunters Unite ShinyHunters Alliance

🔎 Trustwave SpiderLabs has identified a coordinated alliance now operating as Scattered LAPSUS$ Hunters (SLH), merging reputational capital from Scattered Spider, ShinyHunters and LAPSUS$. The collective presents a unified operational brand, complete with a named "Operations Centre," centralized narrative and affiliate-driven extortion model. Analysis attributes fewer than five core operators managing roughly 30 personas and highlights Telegram as a persistent command-and-branding hub. Trustwave warns this consolidation aims to fill the vacuum left by the collapse of BreachForums and to sustain public, intimidation-based extortion tactics.
read more →