All news with #threat report tag

📣 The EU security agency's ENISA Threat Landscape 2025 report, analyzing 4,875 incidents from 1 July 2024 to 30 June 2025, finds phishing was the initial access vector in 60% of intrusions, with vulnerability exploitation at 21%. Botnets and malicious applications accounted for 10% and 8% respectively, and 68% of intrusions led to follow-up malware deployment. ENISA highlights AI-powered phishing exceeded 80% of social engineering globally by early 2025 and warns of attacks aimed at critical digital supply chain dependencies and high-value targets such as outdated mobile and OT systems.

🔎 Researchers at Palo Alto Networks have attributed two years of coordinated espionage to a previously unreported Chinese-aligned threat actor dubbed Phantom Taurus. The group targets government and telecommunications organizations across Africa, the Middle East, and Asia, focusing on foreign ministries, embassies, geopolitical events and military operations to maintain persistent covert access. Its toolkit includes a new IIS web-server backdoor suite called NET-STAR, DNS- and remote-access tools, in-memory implants and a wide mix of dual-use utilities. Operators have shifted from Exchange mailbox harvesting via ProxyLogon and ProxyShell exploits to targeted SQL database searches and WMI-driven data extraction.

🔐 Fortinet’s 2025 Global Threat Landscape Report underscores that two fundamentals — protecting against phishing and keeping software up to date — remain the most effective defenses. Attackers are scaling campaigns with automation and generative AI to produce more convincing messages, and they combine email, SMS, and voice techniques to raise success rates. Organizations should strengthen employee training, deploy MFA, and adopt centralized or automated patch management to reduce exposure and limit lateral movement.

🔍 The 2025 Unit 42 Global Incident Response Report shows that 84% of investigated incidents involved activity across multiple attack fronts and 70% spanned at least three vectors, underscoring coordinated, multidomain campaigns. Attackers move laterally across cloud, SaaS, IT and OT, exploiting identities, misconfigurations and vulnerabilities. The report recommends unified telemetry, AI-driven behavioral analytics and stronger identity controls to improve detection and accelerate response.

🔍 Bitdefender's 2025 assessment highlights rising secrecy after breaches, a widening leadership-to-frontline disconnect, and an urgent shift to shrink enterprise attack surfaces. The report, combining surveys of over 1,200 IT and security professionals across six countries and analysis of 700,000 incidents, shows 84% of high-severity attacks leverage Living Off the Land techniques. Organizations are prioritizing attack surface reduction and simplification to improve resilience and detection.

⚠️ ENISA reports the EU cyber threat landscape has worsened, identifying ransomware as the single most damaging threat due to widespread encryption and costly recoveries. By frequency, DDoS incidents dominate (77% of reported cases), though they typically cause shorter-lived outages. The agency's analysis of 4,875 incidents from July 2024 to June 2025 also highlights concentrated attacks on public administration and a rapid rise in AI-assisted social engineering.

⚠️ Enterprises face an unprecedented surge in disclosed vulnerabilities — over 20,000 in H1 2025 — with roughly 35% (6,992) accompanied by public exploit code, according to Flashpoint. Security leaders are urged to adopt risk-based patching and intelligence-led remediation that prioritizes remotely exploitable and actively exploited flaws while factoring in business context. Relying solely on CVE and the NVD is increasingly impractical due to enrichment delays; experts recommend integrating threat context, exposure management, and CTEM-style operations to concentrate limited resources on what truly matters.

⚠️Manufacturing organizations now face an average of 1,585 cyberattacks per week, a 30% year‑over‑year rise, and ransomware remains the predominant threat. Incidents can incur losses that reach hundreds of millions and in some cases force insolvency. Deep supplier connectivity amplifies exposure because a single compromised vendor can cascade disruption across industries. The report urges executives to prioritize resilience, segmentation, and third‑party risk management.

🔍 Unit 42 documents a newly designated Chinese-aligned threat actor, Phantom Taurus, which uses a previously undocumented .NET malware suite called NET-STAR to target IIS web servers. The actor focuses on government and telecommunications organizations across the Middle East, Africa and Asia and has shifted from email theft to direct database exfiltration. The report outlines technical behaviors, in-memory fileless execution, and mitigation guidance for Palo Alto Networks protections.

🔍 Cisco Talos and Palo Alto Networks Unit 42 describe concurrent campaigns distributing a revised PlugX variant and the long‑running Bookworm RAT against telecommunications and manufacturing organizations across Central and South Asia and ASEAN countries. Talos found that the PlugX sample borrows RainyDay and Turian techniques — DLL side‑loading of a Mobile Popup Application, XOR‑RC4‑RtlDecompressBuffer payload processing and reuse of RC4 keys — and includes an embedded keylogger. Researchers note the PlugX configuration now mirrors RainyDay’s structure, suggesting links to Lotus Panda/Naikon or shared tooling, while Unit 42 highlights Bookworm’s modular leader/DLL architecture, UUID-encoded shellcode variants, and use of legitimate-looking C2 domains to blend with normal traffic.

⚠️ Google Threat Intelligence Group says a Chinese-aligned cluster has used the BRICKSTORM backdoor in intrusion campaigns since at least March 2025 against US legal and technology firms, SaaS providers and outsourcing companies. Attackers focused on harvesting emails and files from key individuals and establishing long-term footholds. The group, tracked as UNC5221, exploited zero-days, deployed BRICKSTORM on VMware appliances, and used credential theft and persistence mechanisms to evade detection. Google and partners have published detection guidance and a Mandiant scanner script to help identify infections.

🛡️ The Gcore Radar Q1–Q2 2025 report shows a 41% year-on-year rise in DDoS attacks, with total incidents reaching 1.17 million and a record 2.2 Tbps peak. Attacks are getting longer, more sophisticated, and increasingly multi-vector, with technology (≈30%) overtaking gaming (19%) as the primary target. Gcore emphasizes integrated WAAP and global filtering capacity to mitigate these risks.

🔍 SecurityScorecard's assessment found that 53% of selected Indian vendors experienced at least one third-party breach in the past year, with outsourced IT operations and managed service providers representing 63% of those incidents. The study evaluated 15 prominent Indian suppliers across 10 industries using security ratings based on patching cadence, DNS health, IP reputation, and endpoint, network and app security, and concluded that 27% of vendors received an F while 25% earned an A. It recommends continuous monitoring of third- and fourth-party ecosystems, prioritizing certificate management and patching, and using cybersecurity ratings to inform procurement and ongoing vendor oversight.

🧩DeceptiveDevelopment is a North Korea-aligned actor active since 2023 that leverages advanced social-engineering to compromise software developers across Windows, Linux and macOS. Operators pose as recruiters on platforms like LinkedIn and deliver trojanized codebases and staged interviews using a ClickFix workflow to trick victims into executing malware. Their multiplaform toolset ranges from obfuscated Python and JavaScript loaders to Go and .NET backdoors that exfiltrate crypto, credentials and sensitive data. ESET's white paper and IoC repository provide full technical analysis and telemetry.

🔒 Ransomware can do more than encrypt files — it can disable alarms and create physical security vulnerabilities. In a recent episode of the Smashing Security podcast, hosts discuss how a ransomware-related outage at the Natural History Museum in Paris preceded a late-night theft of €600,000 in gold. The show also covers a new npm supply-chain worm dubbed Shai Hulud that has infected over 180 packages and quietly exfiltrated secrets, plus odd stories about ads appearing on consumer appliances.

🔎 This Unit 42 case study applies the Unit 42 Attribution Framework to link the Bookworm remote access Trojan to the Chinese APT group Stately Taurus by combining malware analysis, tooling, OPSEC, infrastructure, victimology, and timelines. Analysts highlighted embedded PDB paths, a UUID-based shellcode encoding technique, and co-occurrence with a custom tool named ToneShell. Overlapping C2 IPs and domains, consistent targeting in Southeast Asia, and closely aligned compile times supported a high-confidence attribution. Palo Alto Networks also lists protections across WildFire, NGFW, URL/DNS filtering, Cortex XDR, and incident response contact options.

🛰️ Recorded Future has attributed a widespread cyber-espionage cluster to a Chinese state-sponsored actor it has named RedNovember, which overlaps with Microsoft's Storm-2077. From June 2024 to July 2025 the group targeted internet-facing perimeter appliances and used a mix of open-source and commercial tooling — notably Pantegana, Spark RAT and Cobalt Strike — to gain persistent access across government and private-sector networks worldwide. Attacks exploited known CVEs in VPNs, firewalls and other security appliances and leveraged a Go-based loader derived from LESLIELOADER, while administration infrastructure relied on VPN services such as ExpressVPN and Warp.

🔍 A malicious npm package named Fezbox was discovered using QR-code steganography to conceal and deliver a credential-stealing payload. The package fetched a QR image from a remote URL, waited roughly 120 seconds, decoded embedded code and executed it to extract usernames and passwords from browser cookies. Socket's AI-based scanner flagged the behavior; the package, which had at least 327 downloads, was removed after a takedown request to the npm security team.

🛡️ Darktrace has uncovered a ShadowV2 campaign that combines a GitHub CodeSpaces-hosted Python command-and-control framework, a Docker-based spreader, and a Go-based RAT to operate a DDoS-as-a-service platform. Attackers target exposed Docker daemons on AWS EC2 to build on-victim images and deploy malware via environment variables, reducing forensic artifacts. The platform exposes an OpenAPI-driven UI and multi-tenant API enabling HTTP/HTTP2 floods, UAM bypasses, and other configurable attack options.

🔒 On 29 August 2025 Huntress analysts identified a previously unseen ransomware variant they named Obscura after its embedded ransom note. The binary was placed in the domain NETLOGON scripts folder, enabling propagation via AD replication, and the actor created scheduled tasks to run it across hosts. Obscura requires administrative privileges, attempts to delete volume shadow copies and terminates roughly 120 security and backup processes. It uses Curve25519/X25519 key exchange and XChaCha20 for file encryption and writes a decoded ransom note to C:\README-OBSCURA.txt.