All news with #threat report tag

European Ransomware Leak-Site Victims Spike in 2025

🔒 CrowdStrike's 2025 European Threat Landscape Report found a 13% year-on-year rise in ransomware victims across Europe, with the UK hardest hit. The study, covering leak sites from September 2024 to August 2025, identified 1,380 victims and noted that since January 2024 more than 2,100 organisations were named on extortion sites, with 92% involving file encryption and data theft. The report highlights Akira and LockBit as the most active groups and warns of persistent big-game hunting, growing vishing campaigns and an emerging Violence-as-a-Service threat landscape.

Aligning Security with Business Strategy: Practical Steps

🤝 Security leaders must move beyond a risk-only mindset to actively support business goals, as Jungheinrich CISO Tim Sattler demonstrates by joining his company’s AI center of excellence to advise on both risks and opportunities. Industry research shows significant gaps—only 13% of CISOs are consulted early on major strategic decisions and many struggle to articulate value beyond mitigation. Practical alignment means embedding security into initiatives, using business metrics to measure effectiveness, and prioritizing controls that enable growth rather than impede operations.

2025 European Threat Landscape: Extortion and State Activity

🔍 CrowdStrike’s 2025 European Threat Landscape Report reveals rising extortion and intensifying nation-state operations across Europe, with Big Game Hunting (BGH) actors naming roughly 2,100 Europe-based victims on more than 100 dedicated leak sites since January 1, 2024. The United Kingdom, Germany, Italy, France and Spain are most targeted, across sectors such as manufacturing, professional services, technology, industrials and retail. The report details an active cybercrime ecosystem — forums, encrypted apps and marketplaces — and notes enabling techniques like voice phishing and fake CAPTCHA lures, while geopolitical conflicts drive expanded Russian-, Chinese-, Iranian- and DPRK-linked operations.

China-Linked UNC6384 Exploits Windows LNK Vulnerability

🔒 A China-affiliated group tracked as UNC6384 exploited an unpatched Windows shortcut flaw (ZDI-CAN-25373, CVE-2025-9491) to target diplomatic and government entities in Europe between September and October 2025. According to Arctic Wolf, the campaign used spear-phishing links to deliver malicious LNK files that launch a PowerShell stager, sideload a CanonStager DLL, and deploy the PlugX remote access trojan. Microsoft says Defender detections and Smart App Control can help block this activity.

The Unified Linkage Model: Reframing Cyber Risk in Practice

🔗The Unified Linkage Model (ULM) reframes cyber risk by focusing on the relationships — not just individual assets — that allow vulnerabilities and adversaries to propagate across systems. Drawing on the Okta 2023 support-credential compromise, the model highlights three structural linkage types: adjacency, inheritance and trustworthiness. ULM shifts analysis from topology or isolated CVE lists to the connective tissue that enables systemic exposure. Applied correctly, it clarifies prioritization, accelerates impact analysis and unifies threat and vulnerability data into actionable risk pathways.

October 2025: Key Cybersecurity Stories and Guidance

🔒 As October 2025 concludes, ESET Chief Security Evangelist Tony Anscombe reviews the month’s most significant cybersecurity developments and what they mean for defenders. He highlights that Windows 10 reached end of support on October 14 and outlines practical options for affected users and organizations. He also warns about info‑stealing malware spread through TikTok videos posing as free activation guides and summarizes Microsoft’s report that Russia, China, Iran and North Korea are increasingly using AI in cyberattacks — alongside China’s accusation of an NSA operation targeting its National Time Service Center.

Trick, Treat, Repeat: Patch Trends and Tooling for Q3

🎃 Microsoft’s free Windows 10 updates have largely ended, with EEA consumers receiving free Extended Security Updates through Oct 14, 2026, while most other users must pay. Q3 telemetry shows roughly 35,000 CVEs through September, averaging about 130 new entries per day, and a rising set of Known Exploited Vulnerabilities (KEV) that widen vendor and network impact. Talos also launched the Tool Talk series, offering a hands-on guide to dynamic binary instrumentation with DynamoRIO for malware analysis and runtime inspection.

Russian Ransomware Gangs Adopt Open-Source AdaptixC2

🔒 AdaptixC2, an open-source command-and-control framework, has been adopted by multiple threat actors, including groups tied to Russian ransomware operations, prompting warnings about its dual-use nature. The tool offers encrypted communications, credential and screenshot managers, remote terminal capabilities, a Golang server, and a cross-platform C++ QT GUI client. Security firms Palo Alto Networks Unit 42 and Silent Push have analyzed its modular capabilities and traced marketing activity to a developer using the handle RalfHacker. Observed abuse includes fake Microsoft Teams help-desk scams and an AI-generated PowerShell loader used to deliver post-exploitation payloads.

AdaptixC2 Abused by Ransomware Operators Worldwide

⚠️ Silent Push reports a surge in malicious use of AdaptixC2, an open-source adversarial emulation framework that researchers say is now being delivered by the CountLoader malware as part of active ransomware operations. Deployments accelerated after new detection signatures were released, and public incident reports show increased sightings across multiple intrusions. Analysts flagged the developer alias RalfHacker and issued indicators covering Golang C2 traffic and unknown C++/QT executables.

Hezi Rash: Kurdish Hacktivist DDoS Campaigns Rising

🛡️ Hezi Rash is a Kurdish nationalist hacktivist collective formed in 2023 that has escalated to coordinated DDoS campaigns targeting entities perceived as hostile to Kurdish or Muslim communities. Their public rhetoric mixes nationalism, religion, and activism, and they have claimed attacks in response to symbolic provocations such as an anime scene depicting a burning Kurdish flag. Targets reported include anime platforms, media outlets, NGOs, and government services, causing intermittent service disruptions and demonstrating growing technical sophistication.

ThreatsDay: DNS Poisoning, Supply-Chain Heist, New RATs

🔔 This week's ThreatsDay bulletin highlights a critical BIND9 vulnerability (CVE-2025-40778) enabling DNS cache poisoning and a public PoC, along with widespread campaign activity from loaders, commodity RATs and supply-chain trojans. Other notable items include a guilty plea by a former defense employee for selling cyber-exploit components to a Russian broker, a new Linux Rust dual-personality evasion technique, and Avast's free decryptor for Midnight ransomware. Recommended defensive actions emphasize patching to the latest BIND9 releases, enabling DNSSEC, restricting recursion, and strengthening monitoring and authentication controls.

Ransomware Profits Decline as Fewer Victims Pay through 2024

🔍 A new Coveware study shows the ransomware economy is shifting: despite an increase in attacks, both average ransom amounts and the share of victims paying demands have fallen. In Q3 only 23% of victims paid, down from 28% in Q1 2024, and average payments dropped from around $377,000 last year to roughly $140,000 this year. Coveware attributes the change to better prevention and incident handling by organizations and growing pressure from authorities. Insurance provider Hiscox warns that 40% of paying victims still lose data, underscoring persistent recovery risks.

Email and Remote Access Drive 90% of Cyber Claims in 2024

📧 At-Bay's 2025 InsurSec analysis finds email and remote access were central to 90% of cyber insurance claims in 2024. Email accounted for 43% of incidents and fraud schemes commonly begin with credential theft, domain spoofing, and impersonation. Google Workspace was cited as the most secure mail provider, though claims rose; MDR services were highlighted as the most reliable defense against full encryption.

Rise in Attacks on PHP Servers, IoT and Cloud Gateways

🔒 Qualys' Threat Research Unit reports a sharp rise in attacks targeting PHP servers, IoT devices and cloud gateways, driven by botnets such as Mirai, Gafgyt and Mozi exploiting known CVEs and misconfigurations. Researchers highlight active exploitation of flaws like CVE-2022-47945 (ThinkPHP RCE), CVE-2021-3129 (Laravel Ignition) and aging test/debug artifacts such as CVE-2017-9841, while attackers also harvest exposed AWS credentials. Qualys urges continuous visibility, timely patching, removal of debugging tools in production and managed secret stores to reduce risk.

Protecting Moldova’s 2025 Parliamentary Election Online

🛡️ Cloudflare assisted the Moldovan Central Election Commission (CEC) during the September 28, 2025 parliamentary vote, rapidly onboarding election sites and deploying mitigations under the Athenian Project. On election day Cloudflare mitigated over 898 million malicious requests across multiple DDoS waves, including a peak of 324,333 rps, keeping official result reporting and civic sites online. Automated defenses and coordination with STISC ensured no interruptions to public access and authoritative information.

Atroposia RAT Kit Lowers Barrier for Cybercriminals

⚠️ Researchers at Varonis have identified a turnkey remote access trojan called Atroposia, marketed on underground forums with subscription tiers starting at $200 per month. The kit combines advanced features — hidden remote desktop takeover, encrypted C2 channels, UAC bypass for persistence, an integrated vulnerability scanner, clipboard capture, DNS hijacking and bulk exfiltration — into a low‑skill, plug‑and‑play package. Enterprises should prioritize behavioral monitoring, rapid containment, multi‑factor authentication, restricted admin access and rigorous patching to detect and mitigate attacks enabled by such commoditized toolsets.

Investment Scams Mimicking Crypto and Forex Surge in Asia

🔍 Group-IB's research warns of a rapid rise in fake investment platforms across Asia that mimic cryptocurrency and forex exchanges to defraud victims. Organized, cross-border groups recruit via social media and messaging apps, deploying polished trading interfaces, automated chatbots and complex back-end systems to extract payments. The report maps two analytical models — Victim Manipulation Flow and Multi-Actor Fraud Network — and urges banks and regulators to monitor reused infrastructure and tighten KYC controls.

BiDi Swap: Bidirectional Text Trick Makes Fake URLs Look Real

🔍 Varonis Threat Labs highlights BiDi Swap, a technique that exploits Unicode bidirectional rendering to make malicious URLs appear legitimate. By mixing Right-to-Left and Left-to-Right scripts, attackers can visually move parameters, paths, or subdomains into the apparent host name to facilitate phishing and spoofing. Browser defenses vary — some highlight domains or flag lookalikes while others leave gaps — so the report urges user caution and vendor improvements.

Atroposia RAT Adds Local Vulnerability Scanner, UAC Bypass

🛡️ Atroposia is a new malware-as-a-service platform offering a modular remote access trojan for a $200 monthly subscription, combining persistent access, stealthy remote desktop, data theft, and a built-in local vulnerability scanner. Researchers at Varonis say the RAT can bypass UAC, perform host-level DNS hijacks, capture credentials and clipboard data, and compress and exfiltrate targeted files with minimal traces. Its vulnerability-audit plugin identifies missing patches and outdated software so attackers can prioritize exploits, making it particularly dangerous in corporate environments. Users should download only from official sources, avoid pirated software and torrents, and refrain from executing unfamiliar commands found online.

Quarter of Scam Victims Report Considering Self-Harm

⚠️ A new 2025 Consumer Impact Report from the Identity Theft Resource Center (ITRC) finds identity fraud is driving severe mental and financial harm, with one quarter of surveyed consumers saying they seriously considered self-harm after an incident. The figure rises to 68% among self-identified victims but falls to 14% for those who contacted the ITRC, underscoring the value of professional support. The study of 1,033 general consumers also highlights rising repeat victimisation, large monetary losses — including more than 20% losing over $100,000 and 10% losing at least $1m — social media account takeovers as the most common crime, and widespread concern that AI will be a major battleground for identity security.