< ciso
brief />
Tag Banner

All news with #threat report tag

542 articles · page 21 of 28

Russian Hackers Hide Malware in Hyper‑V Alpine Linux VMs

🛡️The Russian-linked threat group Curly COMrades abused Microsoft Hyper-V on Windows hosts to deploy a hidden, minimal Alpine Linux VM that hosted custom implants: CurlyShell (reverse shell) and CurlCat (reverse proxy). By using the Hyper-V Default Switch and naming the VM "WSL," outbound C2 traffic appeared to originate from the legitimate host IP, enabling evasion of host-based EDRs. The campaign — active since mid-2024 and observed by Bitdefender with help from the Georgian CERT — also employed PowerShell scripts for LSASS Kerberos ticket injection and Group Policy-based account creation, leaving few forensic traces. Organizations are advised to monitor unexpected Hyper-V activation, abnormal LSASS access or tampering, PowerShell GPO deployments, and to implement network-level inspection and layered defenses.
read more →

DragonForce Emerges as Conti-Derived Ransomware Cartel

🛡️DragonForce, a ransomware operation built from leaked Conti source code, has restructured into a self-styled cartel that recruits affiliates and encourages branded variants. Researchers at Acronis report it retains Conti’s ChaCha20/RSA encryption, SMB-based network spreading, and multiple encryption modes while employing a hidden configuration system. Operators have pursued aggressive tactics — including defacing rival leak sites and aligning with access brokers like Scattered Spider — and have threatened victims with decryptor deletion and data leaks.
read more →

Identity Failures Now Top Source of Cloud Risk in 2025

🔒 ReliaQuest's Q3 2025 telemetry found identity-related weaknesses were responsible for 44% of true‑positive cloud alerts, including excessive permissions, misconfigured roles and credential abuse. The report warns credentials and cloud keys often appear on crime markets — sometimes for as little as $2 — while 99% of cloud identities are reportedly over‑privileged, enabling stealthy access. It also highlights how rapid DevOps deployments can replicate legacy vulnerabilities and urges adoption of short‑lived credentials, strict least‑privilege controls and CI/CD security automation.
read more →

Cybercriminals Use RMM Tools to Enable Cargo Theft

🚚 Proofpoint researchers report that cybercriminals are compromising transportation firms to facilitate physical cargo theft by abusing remote management and access tools. Attackers use social engineering — including fake load-board listings, email thread hijacking and targeted phishing — to deliver installers that deploy RMM and RAS utilities. Once inside, they perform reconnaissance, harvest credentials with tools such as WebBrowserPassView, and expand access, enabling organized-crime partners to bid on and steal shipments.
read more →

Cybercriminals Exploit RMM Tools to Steal Truck Cargo

🚚 Proofpoint warns that cybercriminals are increasingly deploying legitimate remote monitoring and management tools to compromise trucking and logistics firms, enabling cargo theft and financial gain. Working with organized crime, they target asset-based carriers, brokers and integrated providers—especially food and beverage shipments—using compromised emails, fraudulent load-board listings and booby-trapped MSI/EXE installers to deliver ScreenConnect, SimpleHelp and other RMMs. Once inside, attackers conduct reconnaissance, harvest credentials with tools like WebBrowserPassView, delete bookings, block dispatcher alerts and reassign loads to facilitate physical theft, often selling stolen cargo online or overseas.
read more →

Weekly Recap: Lazarus Web3 Attacks and TEE.Fail Risks

🔐 This week's recap highlights a broad set of high‑impact threats, from a suspected China‑linked intrusion exploiting a critical Motex Lanscope flaw to deploy Gokcpdoor, to North Korean BlueNoroff campaigns targeting Web3 executives. Researchers disclosed TEE.fail, a low‑cost DDR5 side‑channel that can extract secrets from Intel and AMD TEEs. Also noted: human‑mimicking Android banking malware, WSL‑based ransomware tactics, and multiple high‑priority CVEs.
read more →

BankBot-YNRK and DeliveryRAT: New Android Banking Threats

🔒 Cybersecurity researchers CYFIRMA and independent analyst F6 have disclosed two active Android trojans—BankBot‑YNRK and DeliveryRAT—that harvest financial and device data from compromised phones. BankBot‑YNRK impersonates an Indonesian government app, performs device fingerprinting and anti-emulation checks, abuses accessibility services to steal credentials and automate transactions, and communicates with a command server. DeliveryRAT, promoted via a Telegram bot, lures Russian users with fake delivery and marketplace apps and delivers malware-as-a-service variants that collect notifications, SMS and call logs and can hide their launchers. Users should avoid untrusted APKs, review permissions, and keep devices updated—Android 14 reduces some accessibility-based abuses.
read more →

HttpTroy Backdoor Poses as VPN Invoice in Kimsuky Attack

🔒 Security researchers at Gen Digital disclosed a targeted Kimsuky campaign that delivered a previously undocumented backdoor called HttpTroy, hidden inside a ZIP attachment masquerading as a VPN invoice. The multi-stage chain used a Golang dropper, a loader dubbed MemLoad and a DLL backdoor executed via a scheduled task named "AhnlabUpdate" to achieve persistence. HttpTroy provides extensive remote-control capabilities and communicates with a C2 server over HTTP, while employing layered obfuscation to hinder analysis and detection.
read more →

European Ransomware Leak-Site Victims Spike in 2025

🔒 CrowdStrike's 2025 European Threat Landscape Report found a 13% year-on-year rise in ransomware victims across Europe, with the UK hardest hit. The study, covering leak sites from September 2024 to August 2025, identified 1,380 victims and noted that since January 2024 more than 2,100 organisations were named on extortion sites, with 92% involving file encryption and data theft. The report highlights Akira and LockBit as the most active groups and warns of persistent big-game hunting, growing vishing campaigns and an emerging Violence-as-a-Service threat landscape.
read more →

2025 European Threat Landscape: Extortion and State Activity

🔍 CrowdStrike’s 2025 European Threat Landscape Report reveals rising extortion and intensifying nation-state operations across Europe, with Big Game Hunting (BGH) actors naming roughly 2,100 Europe-based victims on more than 100 dedicated leak sites since January 1, 2024. The United Kingdom, Germany, Italy, France and Spain are most targeted, across sectors such as manufacturing, professional services, technology, industrials and retail. The report details an active cybercrime ecosystem — forums, encrypted apps and marketplaces — and notes enabling techniques like voice phishing and fake CAPTCHA lures, while geopolitical conflicts drive expanded Russian-, Chinese-, Iranian- and DPRK-linked operations.
read more →

Ransomware Profits Decline as Fewer Victims Pay through 2024

🔍 A new Coveware study shows the ransomware economy is shifting: despite an increase in attacks, both average ransom amounts and the share of victims paying demands have fallen. In Q3 only 23% of victims paid, down from 28% in Q1 2024, and average payments dropped from around $377,000 last year to roughly $140,000 this year. Coveware attributes the change to better prevention and incident handling by organizations and growing pressure from authorities. Insurance provider Hiscox warns that 40% of paying victims still lose data, underscoring persistent recovery risks.
read more →

BlueNoroff (Lazarus) GhostCall and GhostHire Campaigns

🛡️ A Kaspersky GReAT analysis describes two BlueNoroff campaigns—GhostCall and GhostHire—linked to the Lazarus threat actor and focused on the cryptocurrency sector. GhostCall targets executives, often on macOS, using investor-themed social engineering and fake meeting portals that prompt malicious updates and downloads. GhostHire lures blockchain developers with job offers and Telegram bots that point to GitHub test tasks or archived files with tight deadlines; performing the tasks leads to infection. The campaigns share a common management infrastructure and multiple infection chains; technical details and indicators of compromise are published on Securelist.
read more →

Sanctions Undermine Nation-State Cyber Ecosystems Globally

🔒 A new RUSI report published on 28 October finds cyber-related sanctions seldom fully disrupt state-backed attacks by themselves but can "toxify" networks, forcing intermediaries and collaborators to distance themselves from named actors. The study highlights the US as the most effective practitioner due to long-standing legal frameworks and coordinated use of diplomatic, legal and technical tools, while the EU and UK face operational and coordination limits. RUSI urges clearer strategic goals, cross-domain integration and targeted action against enablers like exchanges and service providers to boost impact.
read more →

Early Threat Detection: Protecting Growth and Revenue

🔎 Early detection turns cybersecurity from a reactive cost into a business enabler. Investing in continuous visibility, threat intelligence, and rapid detection reduces incident costs, preserves uptime, and protects revenue and reputation. Solutions such as ANY.RUN's Threat Intelligence Feeds and TI Lookup deliver real-time IOCs, context-enriched analyses, and STIX/TAXII-ready integrations so SOCs can prioritize and act faster, lowering MTTR and operational burden.
read more →

Cybersecurity Becomes Top Challenge for Financial Sector

🔒 A recent PPI survey of 50 banks and 53 insurers in Germany reports a sixfold rise in cyberattacks compared with 2021. Sixty-four percent of respondents now view cyberattacks as the sector's top challenge, ahead of digitization, credit quality and regulation. Firms cite low employee awareness and difficulty with real-time detection; malware installation and IT disruption are the most frequent attack types.
read more →

Ransomware Payments Plunge as Victims Stop Paying Ransoms

🔒 Coveware reports ransomware payment rates have fallen to a record low — just 23% of victims paid in Q3 2025, continuing a multi-year decline from 28% in Q1 2024. Over 76% of incidents now involve data exfiltration, and theft-only cases see payments drop to 19%. Average and median ransoms fell to $377,000 and $140,000, respectively, as attackers pursue more targeted victims.
read more →

Qilin Ransomware: Over 40 Victims Listed Monthly in 2025

🔒 Cisco Talos reports that Qilin ransomware sustained a surge through the second half of 2025, publishing more than 40 victim listings per month on its leak site and peaking at roughly 100 postings in June and August. The group uses a double-extortion model, encrypting systems and threatening to publish stolen data if ransoms are not paid. Operating as a RaaS, Qilin and its affiliates have heavily targeted manufacturing, professional/scientific services and wholesale trade. Investigators observed use of Cyberduck, standard Windows utilities for file viewing, and dual encryptors that spread laterally via PsExec and encrypt multiple network shares.
read more →

Europol Raises Alarm Over Caller ID Spoofing Crisis

🚨 Europol has issued a Position Paper warning of a rising wave of caller ID spoofing, where criminals falsify numbers to impersonate banks, government bodies or relatives. The agency estimates global losses around €850m annually and reports spoofing now underpins roughly 64% of phone- and SMS-related fraud. Europol calls for harmonized technical standards, stronger cross-border cooperation and regulatory convergence to make spoofing harder to perpetrate and easier to investigate.
read more →

LeetAgent and Dante: ForumTroll Toolset Revealed Report

🔍 Our GReAT team reconstructed ForumTroll’s infection chain and identified the malware family dubbed LeetAgent, delivered via spear‑phishing and an exploit of CVE-2025-2783 in Google Chrome when recipients were lured with invitations to the Primakov Readings. Further analysis linked the same delivery tools to the commercial spyware Dante (formerly developed by Hacking Team, now Memento Labs), which uses modular plugins, per‑victim encryption keys and a timed self‑destruct mechanism. Initial detections were made by Kaspersky XDR; full technical details and IOCs have been compiled for APT subscribers.
read more →

Exposure Management in 2025: Trends, Risks, and Response

🔒 Intruder’s 2025 Exposure Management Index analyzes scans from over 3,000 small and midsize businesses to show defenders adapting under mounting pressure. High-severity vulnerabilities rose nearly 20% year‑on‑year, even as 89% of resolved critical flaws were remediated within 30 days (up from 75% in 2024). The report highlights AI-driven exploit development, growing attack surfaces from cloud, shadow IT and supply‑chain risk, and faster remediation at smaller firms.
read more →