Ransomware Attacks Continue to Evade Defenses Despite Security Efforts

A new variant of the XCSSET macOS malware has been detected, targeting Xcode developers with enhanced features. This variant includes improved browser targeting, clipboard hijacking, and persistence mechanisms. The malware spreads by infecting Xcode projects, stealing cryptocurrency, and browser data from infected devices. The malware uses run-only compiled AppleScripts for stealthy execution and employs sophisticated encryption and obfuscation techniques. It incorporates new modules for data exfiltration, persistence, and clipboard monitoring. The malware has been observed in limited attacks, with Microsoft sharing findings with Apple and GitHub to mitigate the threat. Developers are advised to keep macOS and apps up to date and inspect Xcode projects before building them.

The Picus Blue Report 2025, based on over 160 million attack simulations, reveals that organizations detect only 1 out of 7 simulated attacks. This indicates significant gaps in threat detection and response capabilities, primarily due to log collection failures, misconfigured detection rules, and performance issues. These failures leave networks vulnerable to compromise, escalation of privileges, and data exfiltration. The report identifies key issues such as log source coalescing, unavailable log sources, and inefficient filtering as major contributors to SIEM rule failures. Continuous validation of SIEM rules is essential to maintain effectiveness against evolving threats. The report also shows that prevention dropped from 69% to 62% in one year, and that 54% of attacker behaviors generated no logs, making entire attack chains unfold with zero visibility. Only 14% of attacker behaviors triggered alerts, and data exfiltration was stopped just 3% of the time, leaving a critical stage effectively unprotected. The report highlights the need for Breach and Attack Simulation (BAS) to validate security defenses continuously.

The North Korean threat group Scarcruft (APT37) has launched a campaign targeting South Korea with a combination of infostealers, backdoors, and ransomware. The campaign, dubbed ChinopuNK, began in July 2025 and includes multiple malware tools designed for espionage and financial gain. The attacks start with phishing emails containing decoy documents about postal code updates. Once opened, these documents download NubSpy, a backdoor that uses the PubNub cloud service for command-and-control (C2) communication. The group also deploys ChillyChino, a PowerShell backdoor rewritten in Rust, and VCD ransomware, which encrypts specific file paths tailored to individual targets. In September 2025, a new phishing campaign, Operation HanKook Phantom, was discovered. This campaign targets individuals associated with the National Intelligence Research Association, including academic figures, former government officials, and researchers. The campaign uses spear-phishing emails with a lure for a "National Intelligence Research Society Newsletter" containing a ZIP archive attachment with a Windows shortcut (LNK) masquerading as a PDF document. The LNK file drops RokRAT malware, which is capable of collecting system information, executing arbitrary commands, enumerating the file system, capturing screenshots, and downloading additional payloads. RokRAT exfiltrates data via Dropbox, Google Cloud, pCloud, and Yandex Cloud. The campaign also involves a PowerShell script that deploys a dropper, which then runs a next-stage payload to steal sensitive data while concealing network traffic as a Chrome file upload. The lure document used in this instance is a statement issued by Kim Yo Jong, the Deputy Director of the Publicity and Information Department of the Workers' Party of Korea, rejecting Seoul's efforts at reconciliation. Additionally, a modular backdoor malware for the macOS platform, ChillyHell, has resurfaced with a new version. This malware gives attackers remote access and allows them to drop payloads or brute-force passwords. The new ChillyHell sample was uploaded to VirusTotal on May 2, 2025, and was notarized by Apple in 2021. The malware has multiple persistence mechanisms and can exfiltrate data, drop additional payloads, enumerate user accounts, and perform local password cracking. Apple revoked notarization of the developer certificates associated with the malware once notified by Jamf. A new malware family, ZynorRAT, has been discovered, targeting Windows, Linux, and macOS systems. ZynorRAT uses a Telegram bot for command and control and supports a wide range of functions, including file exfiltration, system enumeration, and arbitrary command execution. The North Korea-linked threat actors associated with the Contagious Interview campaign have been attributed to a previously undocumented backdoor called AkdoorTea, along with tools like TsunamiKit and Tropidoor. The campaign targets software developers across all operating systems, Windows, Linux, and macOS, particularly those involved in cryptocurrency and Web3 projects. The campaign involves impersonated recruiters offering lucrative job roles over platforms like LinkedIn, Upwork, Freelancer, and Crypto Jobs List. The attacks deliver several pieces of malware such as BeaverTail, InvisibleFerret, OtterCookie, GolangGhost, and PylangGhost. WeaselStore's functionality is similar to BeaverTail and InvisibleFerret, focusing on exfiltration of sensitive data from browsers and cryptocurrency wallets. TsunamiKit is a malware toolkit designed for information and cryptocurrency theft, first discovered in November 2024. TsunamiKit comprises several components, including TsunamiLoader, TsunamiInjector, TsunamiInstaller, TsunamiHardener, and TsunamiClient. TsunamiClient incorporates a .NET spyware and drops cryptocurrency miners like XMRig and NBMiner. Tropidoor is a sophisticated payload linked to the DeceptiveDevelopment group, sharing code with PostNapTea and LightlessCan. AkdoorTea is a remote access trojan delivered by a Windows batch script, sharing commonalities with Akdoor and NukeSped (Manuscrypt). The DeceptiveDevelopment campaign targets developers associated with cryptocurrency and decentralized finance projects with fake job offers aimed at information theft and malware infection. The campaign supplies stolen developer information to North Korea’s fraudulent IT workers, who use it to pose as job seekers and land remote work at unsuspecting companies. The campaign involves tight collaboration with North Korea’s network of fraudulent IT workers, tracked as WageMole. The North Korean IT workers operate in teams, focusing on obtaining work in Western countries, particularly the US, and in Europe, targeting France, Poland, Ukraine, and Albania. The North Korean IT workers impersonate real companies and engineers, producing engineering drawings with falsified approval stamps, and focus on self-education in web programming, blockchain, English, and AI integration.

Jaguar Land Rover (JLR) has confirmed a data breach following a recent cyberattack that disrupted its operations. The attack, which forced JLR to shut down systems and instruct staff not to report to work, involved data theft. The company is collaborating with the U.K. National Cyber Security Centre (NCSC) to investigate the incident. A group called 'Scattered Lapsus$ Hunters', associated with Lapsus$, Scattered Spider, and ShinyHunters, has claimed responsibility for the breach, sharing screenshots of an internal JLR SAP system and claiming ransomware deployment. This attack is part of a broader pattern of Salesforce data theft attacks, which have impacted numerous organizations this year. The FBI has issued a flash alert on UNC6040 and UNC6395, groups targeting Salesforce platforms, exploiting OAuth tokens and using vishing campaigns. The group 'Scattered Lapsus$ Hunters 4.0' announced it is shutting down on September 12, 2025, possibly to avoid law enforcement attention. However, cybersecurity researchers believe the group will continue conducting attacks quietly despite their claims of going dark. ShinyHunters and Scattered Spider, two distinct cybercrime groups, have been collaborating on attacks, leveraging each other's strengths in large-scale data theft and social engineering. This collaboration has targeted major companies across multiple sectors, including retail, insurance, and aviation. The groups have used tactics such as vishing, domain spoofing, and VPN obfuscation for data exfiltration. Recent attacks have impacted Farmers Insurance, with 1.1 million customers affected by a breach involving a third-party vendor's Salesforce database. The group 'Scattered Lapsus$ Hunters' claimed access to Google's Law Enforcement Request System (LERS) and the FBI's eCheck background check system, raising concerns about potential impersonation of law enforcement to gain access to sensitive user data. Google confirmed the creation of a fraudulent account in its LERS platform but stated that no data was accessed. The groups have been observed using similar domain formats and registry characteristics, suggesting a coordinated effort. This collaboration poses a significant threat to organizations, requiring a shift in defensive strategies to focus on behavioral patterns and proactive detection measures. The groups are now targeting Salesforce customers and may expand to financial services and technology providers. A new Telegram channel emerged, conflating ShinyHunters, Scattered Spider, and LAPSUS$, claiming to develop a ransomware-as-a-service solution. BreachForums has been commandeered by international law enforcement and turned into a honeypot. Workday confirmed a breach involving a third-party CRM system, likely linked to ShinyHunters' Salesforce attacks. Attackers used social engineering to impersonate Workday's HR department, gaining access to business contact information. Workday quickly blocked access to the compromised system and adopted additional internal security measures. The attack on Allianz Life involved the theft of personal information of 1.1 million individuals, impacting nearly 1.4 million customers. The stolen data includes email addresses, names, genders, dates of birth, phone numbers, and physical addresses. The attackers used a malicious OAuth app to gain access to Salesforce instances, and the extortion demands were signed as coming from ShinyHunters, a known extortion group. The breach was first reported by TechCrunch and confirmed by Allianz Life on July 16. The compromised data was hosted on a Salesforce database, affecting multiple companies. Scattered Spider has resumed attacks targeting the financial sector, despite previous claims of going 'dark'. The group gained initial access by socially engineering an executive's account and resetting their password via Azure Active Directory Self-Service Password Management. They accessed sensitive IT and security documents, moved laterally through the Citrix environment and VPN, and compromised VMware ESXi infrastructure to dump credentials and further infiltrate the network. The group attempted to exfiltrate data from Snowflake, Amazon Web Services (AWS), and other repositories. Their recent activity undercuts claims of ceasing operations, suggesting a strategic move to evade law enforcement pressure. Scattered Spider is part of a broader online entity called The Com and shares significant overlap with ShinyHunters and LAPSUS$. The group's retirement claims are likely a strategic retreat to reassess practices, refine tradecraft, and evade ongoing efforts to disrupt their activities. Scattered Spider may regroup or rebrand under a different alias in the future, similar to ransomware groups. The group's farewell letter is viewed as a strategic retreat to complicate attribution efforts and evade law enforcement. Scattered Spider's recent activity includes targeted intrusions against a U.S. banking organization, using sophisticated tactics to evade detection. The UK National Crime Agency (NCA) has arrested two teenagers, Owen Flowers and Thalha Jubair, linked to the Scattered Spider hacking collective. Owen Flowers, 18, from Walsall, and Thalha Jubair, 19, from East London, are scheduled to appear at Westminster Magistrates Court. Flowers was previously arrested in September 2024 for his alleged involvement in the Transport for London (TfL) attack and was released on bail. Additional evidence links Flowers to attacks against U.S. healthcare companies, including SSM Health Care Corporation and Sutter Health. Thalha Jubair was charged with conspiracies to commit computer fraud, money laundering, and wire fraud, affecting at least 47 U.S. organizations. Jubair and his accomplices have received at least $115 million in ransom payments from victims. The TfL cyberattack in August 2024 disrupted internal systems and online services, and compromised customer data including names, contact details, and addresses. TfL provides transportation services to over 8.4 million Londoners through its surface, underground, and Crossrail transport systems. In May 2023, TfL experienced another security breach when the Clop ransomware gang stole data from one of its suppliers' MOVEit Managed File Transfer (MFT) servers. A member of the notorious cybercrime group Scattered Spider has turned himself in to authorities in Las Vegas. The suspect, identified by the FBI's Las Vegas Cyber Task Force, faces charges including extortion and computer-related crimes. The Clark County District Attorney's Office is seeking to transfer the juvenile to the criminal division to face charges as an adult. Meanwhile, two other suspected members, Thalha Jubair and Owen Flowers, were arrested in the UK for their involvement in the Transport for London (TfL) hack. Despite the group's announcement of shutting down operations, security researchers remain skeptical, pointing to evidence of continued activity. Three members of Scattered Spider were arrested in September 2025, following their announcement of shutting down operations. Noah Urban, a key member of Scattered Spider, was sentenced to ten years in prison for his role in SIM-swapping and cybercrime activities. Urban's role involved social engineering to gain access to sensitive systems, using tactics such as SIM-swapping and phishing. Urban's activities included breaching T-Mobile's customer service portal and exploiting a Twilio employee's credentials. The group 0ktapus, which includes Scattered Spider members, was involved in high-profile breaches, including the theft of personal information from Gemini Trust. A man from West Sussex was arrested in connection with a ransomware attack that disrupted operations at several European airports, including Heathrow. The ransomware variant used in the attack was identified as HardBit, described as an "incredibly basic" variant. The attack affected Collins Aerospace baggage and check-in software, causing flight delays at multiple airports. The Co-operative Group in the U.K. reported a loss of £80 million ($107 million) due to a cyberattack in April 2025. The attack caused a revenue reduction of £206 million ($277 million) and additional losses of £20 million ($27 million) expected for the second half of 2025. The Co-op Group operates 2,300 food retail stores and 59 franchise stores. The cyberattack forced the Co-op to shut down parts of its IT systems, causing disruptions to back-office and call-center services. Scattered Spider affiliates were responsible for the Co-op cyberattack, stealing personal data of 6.5 million members. The Co-op had to rebuild its Windows domain controllers and extend system unavailability due to the attack. The U.K. National Crime Agency arrested four suspects linked to the Co-op cyberattack and similar incidents at Marks & Spencer and Harrods. The Co-op's response to the attack prevented encryption but resulted in significant financial impact and operational disruptions. The Co-op implemented manual processes, rerouted items, and offered discounts to mitigate the impact of the cyberattack. The Co-op faced stock allocation issues and a collapse in sales for certain categories, such as tobacco, due to the cyberattack. The Co-op maintained strong liquidity with £800 million available to navigate external pressures and maintain long-term ambitions.