All news with #threat report tag

ESET APT Activity Report Q2–Q3 2025: Key Findings Overview

🔍 ESET Research summarizes notable APT operations observed from April through September 2025, highlighting activity by China-, Iran-, North Korea-, and Russia-aligned groups. The report documents increased use of adversary-in-the-middle techniques, targeted spearphishing (including emails sent from compromised internal inboxes), and expanded campaigns against government, energy, healthcare, and maritime sectors. Notable tools and threats include BLOODALCHEMY, SoftEther VPN infrastructure, a WinRAR zero-day exploit, and a newly identified Android spyware family named Wibag. Findings are based on ESET telemetry and verified analysis.

Google: Cyber-Physical Attacks to Rise in Europe 2026

🚨 Google Cloud Security's Cybersecurity Forecast 2026 warns of a rise in cyber-physical attacks across EMEA targeting energy grids, transport and digital infrastructure. The report highlights increased state-sponsored espionage from Russia and China and anticipates these operations may form hybrid warfare combined with information operations to erode public trust. It also flags supply-chain compromises of managed service providers and software dependencies, and notes that cybercrime — including ransomware aimed at ERP systems — will remain a major disruptive threat to ICS/OT. Analysts further expect adversaries to increasingly leverage AI and multimodal deepfakes.

Smashing Security #442: Clock Hack and Rogue Negotiators

🕒 In episode 442 of Smashing Security, Graham Cluley and guest Dave Bittner examine a state-backed actor that spent two years tunnelling toward a nation's master clock, creating the potential for widespread disruption to time-sensitive systems. They also discuss a disturbing case where ransomware negotiators allegedly turned rogue and carried out their own hacks. The discussion highlights investigative findings, operational impacts, and lessons for defenders tasked with protecting critical infrastructure.

Securing Critical Infrastructure: Europe’s Risk-Based Rules

🔒 In this Deputy CISO post, Freddy Dezeure of Microsoft explains how recent EU laws are reshaping cybersecurity for critical infrastructure. He argues that NIS2 and DORA broaden the CISO role across IT, OT, IoT, AI, and supply chains and push for stronger board-level accountability. The piece emphasizes a risk-based, prioritized approach—focusing on a few high-impact controls such as phishing-resistant multifactor authentication, comprehensive asset inventory, timely patching, and resilience testing.

UNK_SmudgedSerpent Targets Academics and Policy Experts

🛡️ Proofpoint has identified a previously unknown cluster it calls UNK_SmudgedSerpent that targeted academics and foreign policy experts between June and August 2025. Attackers initiated benign, topical conversations and used think‑tank impersonation alongside an OnlyOffice‑styled link that led to health-themed domains harvesting credentials and delivering a ZIP with an MSI. The installer deployed remote monitoring and management tooling — notably PDQConnect and later ISL Online — and although email activity paused in early August, related infrastructure later surfaced hosting TA455-linked malware, leaving attribution unresolved.

GTIG Report: AI-Enabled Threats Transform Cybersecurity

🔒 The Google Threat Intelligence Group (GTIG) released a report documenting a clear shift: adversaries are moving beyond benign productivity uses of AI and are experimenting with AI-enabled operations. GTIG observed state-sponsored actors from North Korea, Iran and the People's Republic of China using AI for reconnaissance, tailored phishing lure creation and data exfiltration. Threats described include AI-powered, self-modifying malware, prompt-engineering to bypass safety guardrails, and underground markets selling advanced AI attack capabilities. Google says it has disrupted malicious assets and applied that intelligence to strengthen classifiers and its AI models.

GTIG report: Adversaries adopt AI for advanced attacks

⚠️ The Google Threat Intelligence Group (GTIG) reports that adversaries are evolving beyond simple productivity uses of AI toward operational misuse. Observed behaviors include state-sponsored actors from North Korea, Iran and the People's Republic of China using AI for reconnaissance, automated phishing lure creation and data exfiltration. The report documents AI-powered malware that can generate and modify malicious scripts in real time and attackers exploiting deceptive prompts to bypass model guardrails. Google says it has disabled assets linked to abuse and applied intelligence to improve classifiers and harden models against misuse.

SmudgedSerpent Targets U.S. Policy Experts Amid Tensions

🔍 Proofpoint attributes a previously unseen cluster, UNK_SmudgedSerpent, to targeted attacks on U.S. academics and foreign‑policy experts between June and August 2025. The adversary used tailored political lures and credential‑harvesting landing pages, at times distributing an MSI that deployed legitimate RMM software such as PDQ Connect. Tactics resemble Iranian-linked groups and included impersonation of think‑tank figures to increase credibility.

SMS Fraud Losses to Fall 11% in 2026, Juniper Finds

📉 Juniper Research predicts an 11% decline in consumer SMS fraud losses in 2026, dropping from $80bn in 2025 to $71bn. The firm credits reduced messaging volumes and stronger operator security—especially enhanced firewall capabilities—for making it harder for fraudsters to conceal malicious traffic. Nevertheless, large-scale smishing campaigns, PhaaS platforms and the transition to RCS keep risks elevated and require ongoing defensive improvements.

Hundreds of Malware Android Apps Downloaded 42 Million

📱 Security researchers at Zscaler report a 67% year-on-year rise in Android-targeted malware after finding 239 malicious apps on Google Play that were downloaded 42 million times. The analysis covers more than 20 million mobile requests observed between June 2024 and May 2025 and highlights productivity and Tools apps as common vectors. Sectors such as manufacturing and energy were disproportionately targeted, with the energy sector seeing a 387% spike in mobile attacks.

CrowdStrike: Rise in Physical Attacks on Privileged Users

🔒 CrowdStrike's 2025 analysis documents a sharp rise in physical attacks and kidnappings tied to cyber intrusions, concentrated in Europe. The report cites the January 2025 kidnapping of a Ledger co‑founder and records 17 similar incidents in Europe from January through September 2025, 13 of them in France. Consultants warn attackers increasingly pair cyber operations with real‑world violence, driving organizations to strengthen physical and executive security and adjust incident response playbooks.

Asset Management: The Essential Foundation for Defense

🔍 Threat intelligence is valuable but only effective when organizations maintain reliable asset management. Asset management—the inventory, monitoring, and administration of hosts—provides the foundational visibility needed to detect, patch, and prevent intrusions. Bradley Duncan cites historic malware like Emotet and Qakbot to show how poor asset hygiene enabled massive infections and urges proactive measures such as Unit 42's Attack Surface Assessment.

Malicious Android Apps on Google Play Reach 42M Downloads

🔒 A Zscaler report found 239 malicious Android apps on Google Play that were downloaded a combined 42 million times between June 2024 and May 2025, driven largely by adware, spyware, and banking trojans. Telemetry shows a 67% year-over-year increase in mobile-targeted malware, with adware now comprising roughly 69% of detections and spyware up 220% YoY. Zscaler highlights evolving strains such as Anatsa, Android Void, and Xnotice, and advises timely updates, strict app permissions, disabling unnecessary Accessibility access, and regular Play Protect scans.

Scattered LAPSUS$ Hunters Unite ShinyHunters Alliance

🔎 Trustwave SpiderLabs has identified a coordinated alliance now operating as Scattered LAPSUS$ Hunters (SLH), merging reputational capital from Scattered Spider, ShinyHunters and LAPSUS$. The collective presents a unified operational brand, complete with a named "Operations Centre," centralized narrative and affiliate-driven extortion model. Analysis attributes fewer than five core operators managing roughly 30 personas and highlights Telegram as a persistent command-and-branding hub. Trustwave warns this consolidation aims to fill the vacuum left by the collapse of BreachForums and to sustain public, intimidation-based extortion tactics.

Cybersecurity Forecast 2026: AI, Cybercrime, Nation-State

🔒 The Cybersecurity Forecast 2026 synthesizes frontline telemetry and expert analysis from Google Cloud security teams to outline the most significant threats and defensive shifts for the coming year. The report emphasizes how adversaries will broadly adopt AI to scale attacks, with specific risks including prompt injection and AI-enabled social engineering. It also highlights persistent cybercrime trends—ransomware, extortion, and on-chain resiliency—and evolving nation‑state campaigns. Organizations are urged to adapt IAM, secure AI agents, and harden virtualization controls to stay ahead.

How Social Engineering Works — Unlocked 403 Podcast S2E6

🔍 In this episode of Unlocked 403, host Becks speaks with Alena Košinárová, a software engineer at ESET, to unpack the psychological tactics behind social engineering and why people fall for scams even when they know better. They discuss how public information and social media amplify attackers' effectiveness and outline practical measures to reduce exposure. The segment balances behavioral insight with clear, actionable defenses.

Cloudflare analysis confirms Turkmenistan IP changes

🔍 Cloudflare researchers revisited historic telemetry to assess reports that Turkmenistan experienced an unprecedented easing of IP address blocking in mid‑2024 and may have been testing a new firewall. Using Radar metrics, they observed a clear surge in HTTP requests beginning in mid‑June, alongside shifts in TCP reset and timeout patterns. These connection anomalies manifested at different stages of the TCP lifecycle across multiple autonomous systems, and while the data cannot provide attribution, the observed patterns are consistent with large‑scale filtering or firewall testing.

Weekly Recap: Lazarus Web3 Attacks and TEE.Fail Risks

🔐 This week's recap highlights a broad set of high‑impact threats, from a suspected China‑linked intrusion exploiting a critical Motex Lanscope flaw to deploy Gokcpdoor, to North Korean BlueNoroff campaigns targeting Web3 executives. Researchers disclosed TEE.fail, a low‑cost DDR5 side‑channel that can extract secrets from Intel and AMD TEEs. Also noted: human‑mimicking Android banking malware, WSL‑based ransomware tactics, and multiple high‑priority CVEs.

Continuous Exposure Management Transforms SOC Ops Today

🔍 SOC analysts are increasingly overwhelmed by alert volume and contextual blind spots that force extensive manual triage. Continuous exposure management brings environment-specific intelligence into existing EDR, SIEM, and SOAR workflows to prioritize assets, validate exploitability, and visualize attack paths. By correlating exposures with MITRE ATT&CK techniques and automating remediation workflows, teams reduce false positives, accelerate investigations, and harden detections over time.

Hacktivists Target Internet-Exposed Industrial Controls

⚠️ The Canadian Centre for Cyber Security warns hacktivists are increasingly exploiting internet-accessible industrial control systems (ICS), citing recent intrusions that affected a water utility, an oil and gas automated tank gauge (ATG), and a farm's grain-drying silo. Attackers manipulated pressure, fuel-gauge, and environmental controls, creating safety and service disruptions. The alert urges secure remote access via VPNs with MFA and inventories of OT assets. Provincial and municipal coordination is recommended to protect sectors lacking cybersecurity oversight.