All news with #threat report tag

Iran-Linked MuddyWater Targets 100+ Organisations Globally

🔒 Group-IB links a broad espionage campaign to Iran-aligned MuddyWater that leveraged a compromised email account accessed via NordVPN to send convincing phishing messages. The actor distributed weaponized Microsoft Word documents that coax recipients to enable macros, which execute VBA droppers that write and decode a FakeUpdate loader. FakeUpdate installs an AES-encrypted payload that launches the Phoenix v4 backdoor. Targets exceeded 100 organisations across the MENA region, predominantly diplomatic and government entities.

PhantomCaptcha Phishing Targets Ukraine Aid Groups

🕵️ SentinelOne describes a coordinated spear-phishing campaign named PhantomCaptcha that used booby-trapped PDFs and a fake Zoom site to deliver a WebSocket-based remote access trojan (RAT). The October 8, 2025 operation targeted members of humanitarian and government organizations connected to Ukraine, including Red Cross, UNICEF Ukraine, and several regional administrations. Victims were lured to a ClickFix-style fake Cloudflare CAPTCHA that prompted a malicious PowerShell command, which fetched an obfuscated downloader and a second-stage payload. The final WebSocket RAT connects to wss://bsnowcommunications[.]com:80 and enables remote command execution, data exfiltration, and further malware deployment.

CISO Imperative: Building Resilience in Accelerating Threats

🔒 The Microsoft Digital Defense Report 2025 warns that cyber threats are accelerating in speed, scale, and sophistication, driven by AI and coordinated, cross-border operations. Attack windows have shrunk—compromises can occur within 48 hours in cloud containers—while AI-powered phishing and credential theft have grown markedly more effective. For CISOs this requires reframing security as a business enabler, prioritizing resilience, automation, and modern identity controls such as phishing-resistant MFA. The Secure Future Initiative provides practitioner-tested patterns to operationalize these priorities.

AI-Powered Mobile Threats Elevate Need to Rethink Security

📱 The 2025 Verizon Mobile Security Index underscores growing danger as mobile devices account for the majority of global internet traffic and increasingly serve as primary attack surfaces. Check Point highlights the rise of AI-powered threats, persistent phishing, and human error that expand exposure. Organizations must rethink security architectures, strengthen endpoint controls, and adopt AI-aware defenses across apps, devices, and identities to reduce risk.

JLR Hack Deemed UK’s Costliest Cyber Incident at £1.9bn

🔒The Cyber Monitoring Centre (CMC) concluded that the August 2025 cyber-attack on Jaguar Land Rover (JLR) produced an estimated UK financial impact of £1.9bn ($2.55bn) and affected more than 5,000 organisations. The CMC said the vast majority of the cost derived from halted manufacturing after an IT shutdown that stopped production at major UK plants and disrupted suppliers and dealer systems. Analysts ranked the incident a Category 3 systemic event and warned costs could rise if operational technology or intellectual property were compromised. Industry experts called for stronger governmental oversight and for boards to treat cybersecurity as a strategic risk.

SnakeStealer Infostealer Surges to Top of Detections

🔒 SnakeStealer is an infostealer family that surged in early 2025 to top ESET's infostealer detection charts. First seen in 2019 and originally linked to tools marketed as 404 Keylogger/Crypter, it spread widely by abusing Discord and cloud hosting and through phishing attachments, archived payloads and pirated software. Offered as malware‑as‑a‑service, it harvests credentials, clipboard contents, screenshots and keystrokes while using evasion and persistence tricks. Reduce risk by keeping systems updated, enabling MFA, treating unsolicited attachments with caution, changing passwords from clean devices and running reputable security software.

PassiveNeuron APT Uses Neursite and NeuralExecutor

🧠 Kaspersky researchers have identified a sophisticated cyber-espionage campaign dubbed PassiveNeuron that has targeted government, financial, and industrial organizations across Asia, Africa, and Latin America since late 2024. The operation uses bespoke implants—Neursite (a C++ modular backdoor) and NeuralExecutor (a .NET loader)—alongside Cobalt Strike, leveraging compromised internal servers as intermediate C2s and a plugin architecture to maintain persistence and adapt tooling. Victims include internet-exposed servers; attackers have used SQL-based remote command execution, attempted ASPX web shells, deployed DLL loaders into the System32 directory, and in 2025 adopted a GitHub-based dead-drop resolver to retrieve C2 addresses.

Vidar Stealer 2.0 Rewritten in C with Multi-Threading

🛡️ Vidar Stealer 2.0 was released with a complete rewrite in C, multi-threaded data theft and stronger evasion, prompting warnings from security researchers about likely increased campaigns. The update reduces dependencies and footprint while spawning parallel worker threads to accelerate harvesting of browser, wallet, cloud and app credentials. It introduces extensive anti-analysis checks and a polymorphic builder to frustrate static detection. Notably, the malware injects into running browser processes to extract encryption keys from memory and bypass Chrome's App-Bound protections.

Pro-Russia Information Operations After Drone Incursion

🔎 Google Threat Intelligence Group (GTIG) observed coordinated pro-Russia information operations responding to reported Russian drone incursions into Polish airspace on Sept. 9–10, 2025. Actors amplified narratives denying Russian culpability, blaming NATO or Poland, and seeking to erode domestic and international support for Ukraine. GTIG documented activity across multiple networks and languages and noted these operations leveraged both long-standing and recently developed influence infrastructure.

Ransomware Payouts Rise to $3.6M as Tactics Evolve

🔒 The average ransomware payment climbed to $3.6m in 2025, up from $2.5m in 2024, as attackers shift to fewer but more lucrative, targeted campaigns. ExtraHop's Global Threat Landscape Report found 70% of affected organisations paid ransoms, with healthcare and government incidents averaging nearly $7.5m each. The study highlights expanding risks from public cloud, third‑party integrations and generative AI, and urges organisations to map their attack surface, monitor internal traffic for lateral movement and prepare for AI‑enabled tactics.

AI-Enabled Ransomware: CISOs’ Top Security Concern

🛡️ CrowdStrike’s 2025 ransomware survey finds that AI is compressing attacker timelines and enhancing phishing, malware creation, and social engineering, forcing defenders to react in minutes rather than hours. 78% of respondents reported a ransomware incident in the past year, yet fewer than 25% recovered within 24 hours and paying victims often faced repeat compromise and data theft. CISOs rank AI-enabled ransomware as their top AI-related security concern, and many organizations are accelerating adoption of AI detection, automated response, and improved training.

Coldriver Deploys New 'NoRobot' Malware Suite, 2025

🛡️ Google Threat Intelligence Group (GTIG) has observed the Russian-linked Coldriver group deploying a new, staged malware ecosystem tracked as NoRobot, YesRobot and MaybeRobot. GTIG's October 20, 2025 report shows the campaign replaces the previously disclosed LostKeys strain and begins with a 'ClickFix-style' ColdCopy phishing lure that tricks victims into running a malicious DLL via rundll32.exe. NoRobot functions as a downloader using split-key cryptography and staged payloads; operators briefly used a Python-based backdoor (YesRobot) before switching to a more flexible PowerShell backdoor (MaybeRobot) to reduce detection.

VirusTotal Success: SEQRITE APT Hunting Case Studies

🔎 SEQRITE's APT-Team describes how they used VirusTotal to pivot from isolated clues to comprehensive campaign mapping, tracking UNG0002, Silent Lynx, and DRAGONCLONE between May 2024 and May 2025. Their work combined malware configuration extraction, LNK metadata, code-sign certificate pivots, YARA and Sigma rules, and Livehunt queries to surface related samples and previously unreported implants. The post highlights practical hunting queries and pivots — public key and LNK-ID searches, submitter geofilters, and malware_config values — that enabled attribution and expanded detection across multiple Asian geographies.

Developers of Lumma Stealer Doxxed in Rival Campaign

🔍Lumma Stealer operations have been disrupted after an underground doxxing campaign exposed personal and operational details of individuals allegedly tied to the malware’s development and administration. Trend Micro links the exposure to rival cybercriminal actors and reports that leaked data—shared on a site called Lumma Rats—included passports, bank details and contact information. The disclosures coincided with reduced C2 activity and the reported compromise of Telegram accounts, prompting many users to seek alternatives such as Vidar and StealC.

Google: Three New COLDRIVER Malware Families Identified

🔍 Google Threat Intelligence Group (GTIG) reports three new malware families — NOROBOT, YESROBOT, and MAYBEROBOT — linked to the Russia-attributed COLDRIVER group following public disclosure of LOSTKEYS. The attacks use ClickFix-style HTML lures and fake CAPTCHA prompts to trick users into running malicious PowerShell via the Windows Run dialog. NOROBOT functions as a loader invoked by rundll32.exe, while YESROBOT acted as a brief HTTPS-based Python backdoor and MAYBEROBOT is a more extensible PowerShell implant targeting high-value victims.

CISOs' 2025 Priorities: Data, AI, and Simplification

🔒 CSO's 2025 Security Priorities Study finds security leaders are juggling expanding responsibilities while facing greater complexity in selecting the right tools. Seventy-six percent say solution selection is more complex and 57% had trouble finding incident root causes in the past year. Top focuses are protecting sensitive data, securing cloud systems, and simplifying IT infrastructure, with 73% now more likely to consider AI-enabled security. Many plan to rely on managed service providers and maintain level budgets while driving strategic AI and governance initiatives.

Ransomware Reality: High Confidence, Low Preparedness

⚠️ The CrowdStrike State of Ransomware Survey reveals a sizable gap between organizational confidence and actual ransomware readiness. Half of 1,100 security leaders say they are "very well prepared," yet 78% were attacked in the past year and fewer than 25% recovered within 24 hours. The report warns that AI-accelerated attacks deepen this gap and recommends AI-native detection and response such as Falcon to regain the advantage.

Inside the attack chain: Azure Blob Storage threats

🔐 Microsoft Threat Intelligence analyzes how attackers target Azure Blob Storage across the full attack chain, emphasizing risks from exposed containers, compromised keys and SAS tokens, and abuse of automation such as Event Grid and Azure Functions. The blog maps these behaviors to the MITRE ATT&CK framework and illustrates tactics including data poisoning, covert C2 via metadata, and replication-based distribution. Microsoft recommends applying zero trust principles, enforcing least privilege with Microsoft Entra RBAC/ABAC, and enabling Defender for Storage with malware scanning, CSPM, and sensitive data discovery to detect, contain, and remediate storage-focused threats.

Closing the Cybersecurity Skills Gap: New Pathways

🔐 Cyber Awareness Month highlights the persistent cybersecurity skills shortage and the opportunities it creates for new entrants and experienced professionals. The 2025 Cybersecurity Skills Gap Report documents a global shortfall of more than 4.7 million roles and identifies high demand for data, cloud, network and AI security expertise. Employers increasingly favor certifications (65%) over degrees, opening practical pathways for career changers, veterans, and adjacent IT or business professionals. Investing in upskilling, governance, and awareness programs can reduce breach risk and improve retention.

Cybersecurity Awareness Month 2025: Ransomware Resilience

🔒 ESET's Cybersecurity Awareness Month 2025 video, presented by Chief Security Evangelist Tony Anscombe, explains why ransomware continues to threaten organizations large and small. Citing Verizon's 2025 DBIR and a Coalition Inc. study, it notes that 44% of breaches involved ransomware and 40% of insured victims paid ransoms. The video outlines common intrusion vectors and practical steps — backups, patching, access controls and training — organizations should take to improve resilience.