SmarterTools was breached by hackers exploiting a vulnerability in its own SmarterMail software through an unknown virtual machine set up by an employee that wasn’t being updated. “Prior to the breach, we had approximately 30 servers/VMs with SmarterMail installed throughout our network,” SmarterTools COO Derek Curtis noted in a Feb. 3 post. “Unfortunately, we were unaware of one VM, set up by an employee, that was not being updated. As a result, that mail server was compromised, which led to the breach.” Network segmentation helped limit the breach, Curtis said, so the company website, shopping cart, account portal, and other services “remained online while we mitigated the issue. None of our business applications or account data were affected or compromised.”

SmarterTools Breach Comes Amid SmarterMail Vulnerability Warnings

Curtis said SmarterTools was compromised by the Warlock ransomware group, “and we have observed similar activity on customer machines.” In a blog post today, ReliaQuest researchers said they’ve observed SmarterMail vulnerability CVE-2026-23760 exploited in attacks “attributed with moderate-to-high confidence to ‘Storm-2603.’ This appears to be the first observed exploitation linking the China-based actor to the vulnerability as an entry point for its ‘Warlock’ ransomware operations.” ReliaQuest said other ransomware actors may be targeting a second SmarterMail vulnerability. “This activity coincides with a February 5, 2026 CISA warning that ransomware actors are exploiting a second SmarterMail vulnerability (CVE-2026-24423),” ReliaQuest said. “We observed probes for this second vulnerability alongside the Storm-2603 activity. However, because these attempts originated from different infrastructure, it remains unclear whether Storm-2603 is rotating IP addresses or a separate group is capitalizing on the same window. “Specific attribution matters less than the operational reality: Internet-facing servers are being targeted by multiple vectors simultaneously,” ReliQuest added. “Patching one entry point is insufficient if the adversary is actively pivoting to another or—worse—has already established persistence using legitimate tools.” Curtis said that once Warlock actors gain access, “they typically install files and wait approximately 6–7 days before taking further action. This explains why some customers experienced a compromise even after updating—the initial breach occurred prior to the update, but malicious activity was triggered later.”

SmarterTools Breach Limited by Linux Use

Curtis said the SmarterTools breach affected networks at the company office and a data center “which primarily had various labs where we do much of our QC work, etc.” “Because we are primarily a Linux company now, only about 12 Windows servers looked to be compromised and on those servers, our virus scanners blocked most efforts,” he wrote. “None of the Linux servers were affected.” He said Sentinel One “did a really good job detecting vulnerabilities and preventing servers from being encrypted.” He said that SmarterMail Build 9518 (January 15) contains fixes for the vulnerabilities, while Build 9526 (January 22) “complements those fixes with additional improvements and resolves lesser issues that have been brought to our attention and/or discovered during our internal security audits.” He said based on the company’s own breach and observations of customer incidents, Warlock actors “often attempt to take control of the Active Directory server and create new users. From there, they distribute files across Windows machines and attempt to execute files that encrypt data.” Common file names and programs abused by the threat actors have included:

• Velociraptor
• JWRapper
• Remote Access
• SimpleHelp
• WinRAR (older, vulnerable versions)
• exe
• dll
• exe
• Short, random filenames such as e0f8rM_0.ps1 or abc...
• Random .aspx files

“We hope this provides a fuller summary of what we have seen and what customers can look for in their own environments,” Curtis said. “We also hope it demonstrates that we are taking every possible step to prevent issues like this from occurring again and making every effort to consolidate what we’re seeing and sharing with our customers.”

The European Commission's central infrastructure for managing mobile devices was hit by a cyberattack on January 30, the Commission has revealed. The announcement said the European Commission mobile cyberattack was limited by swift action, but cybersecurity observers are speculating that the incident was linked to another recent European incident involving Netherlands government targets that was revealed around the same time.

European Commission Mobile Cyberattack Detailed

The European Commission’s Feb. 5 announcement said its mobile management infrastructure “identified traces of a cyber-attack, which may have resulted in access to staff names and mobile numbers of some of its staff members. The Commission's swift response ensured the incident was contained and the system cleaned within 9 hours. No compromise of mobile devices was detected.” The Commission said it will “continue to monitor the situation. It will take all necessary measures to ensure the security of its systems. The incident will be thoroughly reviewed and will inform the Commission's ongoing efforts to enhance its cybersecurity capabilities.” The Commission provided no further details on the attack, but observers wondered if it was connected to another incident involving Dutch government targets that was revealed the following day.

Dutch Cyberattack Targeted Ivanti Vulnerabilities

In a Feb. 6 letter (download, in Dutch) to the Dutch Parliament, State Secretary for Justice and Security Arno Rutte said the Dutch Data Protection Authority (AP) and the Council for the Judiciary (Rvdr) had been targeted in an “exploitation of a vulnerability in Ivanti Endpoint Manager Mobile (EPMM).” Rutte said the Dutch National Cyber ​​Security Centre (NCSC) was informed by Ivanti on January 29 about vulnerabilities in EPMM, which is used for managing and securing mobile devices, apps and content. On January 29, Ivanti warned that two critical zero-day vulnerabilities in EPMM were under attack. CVE-2026-1281 and CVE-2026-1340 are both 9.8-severity code injection flaws, affecting EPMM’s In-House Application Distribution and Android File Transfer Configuration features, and could allow unauthenticated remote attackers to execute arbitrary code on vulnerable on-premises EPMM installations without any prior authentication. “Based on the information currently available, I can report that at least the AP and the Rvdr have been affected,” Rutte wrote. Work-related data of AP employees, such as names, business email addresses, and telephone numbers, “have been accessed by unauthorized persons,” he added. “Immediate measures were taken after the incident was discovered. In addition, the employees of the AP and the Rvdr have been informed. The AP has reported the incident to its data protection officer. The Rvdr has submitted a preliminary data breach notification to the AP.” NCSC is monitoring further developments with the Ivanti vulnerability and “is in close contact” with international partners, the letter said. Meanwhile, the Chief Information Officer of the Dutch government “is coordinating the assessment of whether there is a broader impact within the central government.”

European Commission Calls for Stronger Cybersecurity Controls

The European Commission’s statement noted that “As Europe faces daily cyber and hybrid attacks on essential services and democratic institutions, the Commission is committed to further strengthen the EU's cybersecurity resilience and capabilities.” To that end, the Commission introduced a Cybersecurity Package on January 20 to bolster the European Union's cyber defenses. “A central pillar of this initiative is the Cybersecurity Act 2.0, which introduces a framework for a Trusted ICT Supply Chain to mitigate risks from high-risk suppliers,” the EC statement said.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has been “silently” updating its Known Exploited Vulnerabilities (KEV) catalog when it concludes that vulnerabilities have been exploited by ransomware groups, according to a security researcher. CISA adds a “known” or “unknown” field next to the “Known To Be Used in Ransomware Campaigns?” entry in its KEV catalog. The problem, according to a blog post by Glenn Thorpe of GreyNoise, is the agency doesn’t send out advisories when a vulnerability changes from “unknown” to “known” vulnerabilities exploited by ransomware groups. Thorpe downloaded daily CISA KEV snapshots for all of 2025 and found that the agency had flipped 59 vulnerabilities in 2025 from “unknown” to “known” evidence of exploitation by ransomware groups. “When that field flips from ‘Unknown’ to ‘Known,’ CISA is saying: ‘We have evidence that ransomware operators are now using this vulnerability in their campaigns,’" Thorpe wrote. “That's a material change in your risk posture. Your prioritization calculus should shift. But there's no alert, no announcement. Just a field change in a JSON file. This has always frustrated me.” In a statement shared with The Cyber Express, CISA Executive Assistant Director for Cybersecurity Nick Andersen suggested that the agency is considering Thorpe’s input. “We continue to streamline processes and enrich vulnerability data through initiatives like the KEV catalog, the Common Vulnerabilities and Exposures (CVE) Program, and Vulnrichment,” Andersen said. “Feedback from the cybersecurity community is essential as CISA works to enhance the KEV catalog and advance vulnerability prioritization across the ecosystem.”

Microsoft Leads in Vulnerabilities Exploited by Ransomware Groups

Of the 59 CVEs that flipped to “known” exploitation by ransomware groups last year, 27% were Microsoft vulnerabilities, Thorpe said. Just over a third (34%) involved edge and network CVEs, and 39% were for CVEs before 2023. And 41% of the flipped vulnerabilities occurred in a single month, May 2025. The “Fastest time-to-ransomware flip” was one day, while the longest lag between CISA KEV addition and the change to “known” ransomware exploitation status was 1,353 days. The “Most flipped vulnerability type” was Authentication Bypass at 14% of occurrences.

Ransomware Groups Target Edge Devices

Edge devices accounted for a high number of the flipped vulnerabiities, Thorpe said. Fortinet, Ivanti, Palo Alto and Check Point Security edge devices were among the flipped CVEs. “Ransomware operators are building playbooks around your perimeter,” he said. Thorpe said that 19 of the 59 flipped vulnerabilities “target network security appliances, the very devices deployed to protect organizations.” But he added: “Legacy bugs show up too; Adobe Reader vulnerabilities from years ago suddenly became ransomware-relevant.” Authentication bypasses and RCE vulnerabilities were the most common, “as ransomware operators prioritize ‘get in and go’ attack chains.” The breakdown by vendor of the 59 vulnerabilities “shouldn't surprise anyone,” he said. Microsoft was responsible for 16 of the flipped CVEs, affecting SharePoint, Print Spooler, Group Policy, Mark-of-the-Web bypasses, and more. Ivanti products were affected by 6 of the flipped CVEs, Fortinet by 5 (with FortiOS SSL-VPN heap overflows standing out), and Palo Alto Networks and Zimbra were each affected by 3 of the CVEs. “Ransomware operators are economic actors after all,” Thorpe said. “They invest in exploit development for platforms with high deployment and high-value access. Firewalls, VPN concentrators, and email servers fit that profile perfectly.” He also noted that the pace of vulnerability exploitation by ransomware groups accelerated in 2025. “Today, ransomware operators are integrating fresh exploits into their playbooks faster than defenders are patching,” he said. Thorpe created an RSS feed to track the flipped vulnerabilities; it’s updated hourly.

Ransomware attacks have soared 30% since late last year, and they’ve continued that trend so far in 2026, with many of the attacks affecting software and manufacturing supply chains. Those are some of the takeaways of new research published by Cyble today, which also looked at the top ransomware groups, significant ransomware attacks, new ransomware groups, and recommended cyber defenses. Ransomware groups claimed 2,018 attacks in the last three months of 2025, averaging just under 673 a month to end a record-setting year. The elevated attack levels continued in January 2026, as the threat groups claimed 679 ransomware victims. In the first nine months of 2025, ransomware groups claimed an average of 512 victims a month, so the recent trend has been more than 30% above that, Cyble noted. Below is Cyble’s chart of ransomware attacks by month since 2021, which shows a sustained uptrend since mid-2025.

Qilin Remains Top Ransomware Group as CL0P Returns

Qilin was once again the top ransomware group, claiming 115 victims in January. CL0P was second with 93 victims after claiming “scores of victims” in recent weeks in an as-yet unspecified campaign. Akira remained among the leaders with 76 attacks, and newcomers Sinobi and The Gentlemen rounded out the top five (chart below). [caption id="attachment_109255" align="aligncenter" width="845"] Top ransomware groups January 2026 (Cyble)[/caption] “As CL0P tends to claim victims in clusters, such as its exploitation of Oracle E-Business Suite flaws that helped drive supply chain attacks to records in October, new campaigns by the group are noteworthy,” Cyble said. Victims in the latest campaign have included 11 Australia-based companies spanning a range of sectors such as IT, banking and financial services (BFSI), construction, hospitality, professional services, and healthcare. Other recent CL0P victims have included “a U.S.-based IT services and staffing company, a global hotel company, a major media firm, a UK payment processing company, and a Canada-based mining company engaged in platinum group metals production,” Cyble said. The U.S. once again led all countries in ransomware attacks (chart below), while the UK and Australia faced a higher-than-normal attack volume. “CL0P’s recent campaign was a factor in both of those increases,” Cyble said. [caption id="attachment_109256" align="aligncenter" width="831"] Ransomware attacks by country January 2026 (Cyble)[/caption] Construction, professional services and manufacturing remain opportunistic targets for threat actors, while the IT industry also remains a favorite target of ransomware groups, “likely due to the rich target the sector represents and the potential to pivot into downstream customer environments,” Cyble said (chart below). [caption id="attachment_109258" align="aligncenter" width="819"] Ransomware attacks by industry January 2026 (Cyble)[/caption]

Ransomware Attacks Hit the Supply Chain

Cyble documented 10 significant ransomware attacks from January in its blog post, many of which had supply chain implications. One was an Everest ransomware group compromise of “a major U.S. manufacturer of telecommunications networking equipment ... Everest claims the data includes PDF documents containing sensitive engineering materials, such as electrical schematics, block diagrams, and service subsystem documentation.” Sinobi claimed a breach of an India-based IT services company. “Samples shared by the attackers indicate access to internal infrastructure, including Microsoft Hyper-V servers, multiple virtual machines, backups, and storage volumes,” Cyble said. A Rhysida ransomware group attack on a U.S. life sciences and biotechnology instrumentation company allegedly exposed sensitive information such as engineering blueprints and project documentation. A RansomHouse attack on a China-based electronics manufacturing for the technology and automotive manufacturers nay have exposed “extensive proprietary engineering and production-related data,” and “data associated with multiple major technology and automotive companies.” An INC Ransom attack on a Hong Kong–based components manufacturer for the global electronics and automotive industries may have exposed “client-related information associated with more than a dozen major global brands, plus confidential contracts and project documentation for at least three major IT companies.” Cyble also documented the rise of three new ransomware groups: Green Blood, DataKeeper and MonoLock, with DataKeeper and MonoLock releasing details on technical and payment features aimed at attracting ransomware affiliates to their operations.  

The BreachForums marketplace has suffered a leak, exposing the identities of nearly 324,000 cybercriminals. This incident highlights a critical shift in cyberattacks, creating opportunities for law enforcement while demonstrating the risks associated with breaches in the cybercriminal ecosystem.

The post BreachForums Breach Exposes Names of 324K Cybercriminals, Upends the Threat Intel Game appeared first on Security Boulevard.

A cyberattack by Russian state-sponsored threat actors that targeted at least 30 wind and solar farms in Poland relied on default credentials, lack of multi-factor authentication (MFA) and outdated and misconfigured devices, according to a new report on the December 2025 incident by CERT Polska, the Polish computer emergency response team. The new report underscores the difficulty of securing critical infrastructure systems, which frequently rely on outdated devices that are difficult to update. In the Polish energy grid attack, credential and configuration errors compounded the vulnerabilities. CERT Polska attributed the campaign to Static Tundra, a group linked to Russia’s Federal Security Service (FSB) Center 16 unit, but a Dragos report on one of the Polish energy grid incidents attributed the activity to the ELECTRUM subgroup of Sandworm, a threat group linked to the GRU, Russia's military intelligence service, that was implicated in destructive attacks on the Ukraine power grid a decade ago. The Polish report notes that the DynoWiper malware used in the latest attacks “contains certain similarities to wiper-type tools3 associated with the activity cluster publicly known as ‘Sandworm’ and ‘SeashellBlizzard,’” but the report adds, “Despite identifying commonalities in behavioral characteristics and overall architecture, the level of similarity is too low to attribute DynoWiper to previously used wiper families.” The attackers’ activities began between March and May 2025, months before the December 29 attack.

Polish Energy Grid Attack Could Have Been Worse

The CERT Polska report said the December attack “resulted in a loss of communication between the facilities and distribution system operators (DSOs), but it did not affect ongoing electricity generation” or impact the stability of the Polish power system. “It should be noted, however, that given the level of access obtained by the attacker, there was a risk of causing a disruption in electricity generation at the affected facilities,” the report said. “Even if such a disruption had occurred, analyses indicate that the combined loss of capacity across all 30 facilities would not have affected the stability of the Polish power system during the period in question.” Dragos noted that in its incident response case, the attackers “gained access to operational technology systems critical to grid operations and disabled key equipment beyond repair at the site,” an attack the company called “very alarming.” “This is the first major cyber attack targeting distributed energy resources (DERs), the smaller wind, solar, and CHP facilities being added to grids worldwide,” Dragos said. “Unlike the centralized systems impacted in electric grid attacks in 2015 and 2016 in Ukraine, these distributed systems are more numerous, require extensive remote connectivity, and often receive less cybersecurity investment. This attack demonstrates they are now a valid target for sophisticated adversaries.” “An attack on a power grid at any time is irresponsible, but to carry it out in the depths of winter is potentially lethal to the civilian population dependent on it,” Dragos added. “It is unfortunate that those who attack these systems appear to deliberately choose timing that maximizes impact on civilian populations.”

Credential and Configuration Mistakes Exploited in Polish Energy Grid Attack

In the Polish energy grid attack, the attackers exploited a long list of outdated and misconfigured devices and default and static credentials that weren’t secured with MFA. The Polish report noted that in each affected facility, a FortiGate device served as both a VPN concentrator and a firewall. “In every case, the VPN interface was exposed to the Internet and allowed authentication to accounts defined in the configuration without multi‑factor authentication,” the report said. The report noted that it’s a common practice in the industry to reuse the same accounts and passwords across multiple facilities. “In such a scenario, the compromise of even a single account could have enabled the threat actor to identify and access other devices where the same credentials were used,” CERT Polska said. The networks of the targeted facilities often contained segregated VLAN subnets, but as the attackers had administrative privileges on the device, “These privileges were likely used to obtain credentials for a VPN account with access to all subnets,” the report said. “Even if no such account had existed, the attacker, having administrator-level access, could have modified the device configuration to enable equivalent access.” In one incident, the attacker gained access to the SSL‑VPN portal service of a FortiGate device located at the organization’s network perimeter by using “multiple accounts that were statically defined in the device configuration and did not have two‑factor authentication enabled.” After gaining access, the attackers used bookmarks defined in the configuration file to access jump hosts via RDP, the report said. Analysis of a FortiGate device configuration file indicated that some users had statically configured target user credentials, which enabled connections to the jump host from the SSL‑VPN portal without the need for additional local or domain user credentials. The attacker also made configuration changes that included a new rule that allowed connections using any protocol and IP address to a specified device and disabling network traffic logging. Using the Fortinet scripting mechanism, the attacker also created scripts for further credential exfiltration and to modify security settings, which were executed weekly. The report also detailed numerous out-of-date or misconfigured operational technology (OT) devices, many with default credentials, such as Hitachi and Mikronika controllers, and secure update features that weren’t enabled. In the case of Hitachi Relion 650 v1.1 IEDs, the default FTP account hadn’t been disabled in accordance with the manufacturer’s recommendations. In cases where an HMI used unique credentials for the local administrator account, “unsuccessful password‑breaking attempts were observed. In those cases, the HMI was not damaged.” The attackers also pivoted to cloud services, the report said.

Microsoft has released an emergency fix for an actively-exploited zero-day vulnerability affecting Microsoft Office. The vulnerability, CVE-2026-21509, is labeled a Microsoft Office Security Feature Bypass vulnerability that exploits the software weakness CWE-807 (Reliance on Untrusted Inputs in a Security Decision). Microsoft doesn’t say what threat actor is exploiting the vulnerability or how it’s being exploited, and doesn’t even acknowledge the researchers who discovered the vulnerability, but the software giant’s advisory includes lengthy mitigation guidance for users of Office 2016 and 2019, who must wait for a forthcoming Microsoft emergency fix.

Microsoft Emergency Fix for Office 2016 and 2019 Coming Soon

Microsoft said that customers on Office 2021 and later “will be automatically protected via a service-side change, but will be required to restart their Office applications for this to take effect.” Office 2016 and 2019 customers will have to wait for a forthcoming security update, but can protect themselves by applying registry keys as instructed (included below). Office Client 2016 and 2019 updates “will be released as soon as possible, and when they are available, customers will be notified via a revision to this CVE,” Microsoft said. The 7.8-rated vulnerability requires user interaction to be exploited. An attacker would have to send a malicious Office file and convince users to open it for an exploit to be successful. It is the second actively exploited zero-day vulnerability fixed by Microsoft this month, following CVE-2026-20805 fixed on Patch Tuesday. Microsoft has also released out-of-band Windows and Windows Server fixes this month for Windows and Outlook bugs. Microsoft said the new CVE-2026-21509 fix addresses a vulnerability that bypasses OLE (Object Linking and Embedding) mitigations in Microsoft 365 and Microsoft Office that protect users from vulnerable COM (Component Object Model)/OLE controls. COM/OLE is the framework that allows content from one application to be integrated into another, such as from an Excel spreadsheet into a Word document. The Preview Pane is not an attack vector, Microsoft noted.

Office 2016 and 2019 Mitigations

Microsoft said Office 2016 and 2019 customers can apply registry keys as described for immediate protection. Microsoft recommends first backing up your registry and exiting all Microsoft Office applications. Start the Registry Editor by tapping Start or pressing the Windows key on your keyboard,  then typing regedit and pressing enter.

Step 1

Locate the proper registry subkey. It will be one of the following: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\ (for 64-bit MSI Office, or 32-bit MSI Office on 32-bit Windows) or HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility\ (for 32-bit MSI Office on 64-bit Windows) or HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\16.0\Common\COM Compatibility\ (for 64-bit Click2Run Office, or 32-bit Click2Run Office on 32-bit Windows) or HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility\ (for 32-bit Click2Run Office on 64-bit Windows) Note: The COM Compatibility node may not be present by default and may need to be added by right-clicking the Common node and choosing Add Key.

Step 2

Add a new subkey named {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} by right-clicking the COM Compatibility node and choosing Add Key. Within that new subkey, add one new value by right-clicking the new subkey and choose New > DWORD (32-bit) Value, naming the new REG_DWORD value Compatibility Flags and assigning it a value of 400. Exit Registry Editor and start your Office application. Microsoft offered the following example: In Office 2016, 64-bit, on Windows you would locate this registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\ If the COM Compatibility node doesn't exist, you'll need to create it. Then add a subkey with the name {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}. The resulting path in this case is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}. To that subkey, add a REG_DWORD value called Compatibility Flags with a value of 400.  

The ShinyHunters and CL0P threat groups have returned with new claimed victims. ShinyHunters has resurfaced with a new onion-based data leak site, with the group publishing data allegedly stolen from three victims, with two apparently linked to recent vishing attacks targeting single sign-on (SSO) accounts at Okta, Microsoft and Google, which can lead to compromises of connected enterprise applications and services. In an email to The Cyber Express, a ShinyHunters spokesperson said “a lot more victims are to come from the new vishing campaign.” The CL0P ransomware group, meanwhile, has claimed 43 victims in recent days, its first victims since its exploitation of Oracle E-Business Suite vulnerabilities last year netted more than 100 victims. The group reportedly was targeting internet-facing Gladinet CentreStack file servers in its latest extortion campaign, but the threat group has posted no technical details to support the new claims.

ShinyHunters Returns

ShinyHunters has resurfaced following 2025 campaigns that saw breaches of PornHub and Salesforce environments and a “suspicious insider” at CrowdStrike. The group, which has also gone by Scattered LAPSUS$ Hunters, has claimed three new victims, all of whom have had confirmed breaches in recent weeks. One of the claimed victims is SoundCloud, which confirmed a breach in mid-December that the company said “consisted only of email addresses and information already visible on public SoundCloud profiles and affected approximately 20% of SoundCloud users.” Investment firm Betterment is another claimed victim with a recent confirmed breach. While it’s not clear if the incident is related to the ShinyHunters claims, the company reported a January 9 incident in which “an unauthorized individual gained access to certain Betterment systems through social engineering. This means the individual used identity impersonation and deception to gain access, rather than compromising our technical infrastructure. The unauthorized access involved third-party software platforms that Betterment uses to support our marketing and operations.” The third claimed victim is financial data firm Crunchbase, which confirmed a data exfiltration incident in a statement to SecurityWeek. ShinyHunters told The Cyber Express that only Crunchbase and Betterment are from the SSO vishing campaign. “We are releasing victims from many of our previous campaigns and ongoing campaigns onto our data leak site, not exclusively the SSO vishing campaign data thefts,” the spokesperson said. Meanwhile, a threat actor who goes by “LAPSUS-GROUP” has emerged recently on the BreachForums 5.0 cybercrime forum claiming data stolen from a Canadian retail SaaS company, but ShinyHunters told The Cyber Express that the actor is an “impersonator group” and has no connection to ShinyHunters.

CL0P Claims 43 New Victims

The Cl0p ransomware group appears to have launched a new extortion campaign, although it is not clear what vulnerabilities or services the group is targeting. The group listed 21 new victims last week, and then another 22 over the weekend. Alleged victims include a major hotel chain, an IT services company, a UK payment processing firm, a workforce management company, and a Canada-based mining company. In a note to clients today, threat intelligence company Cyble wrote, “At the time of reporting, Cl0p has not disclosed technical details, the volume or type of data allegedly exfiltrated, nor announced any ransom deadlines for these victims. No proof-of-compromise samples have been published. We continue to monitor the situation for further disclosures, validation of the victim listings, or escalation by the group.”

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added five enterprise software flaws to its Known Exploited Vulnerabilities (KEV) Catalog in an 18-hour span. On January 22, CISA added vulnerabilities from Versa and Zimbra to the KEV catalog, along with flaws affecting Vite and Prettier developer tools. Today, CISA added a VMware vCenter Server vulnerability to the KEV catalog, the tenth exploited vulnerability added to the catalog this year. Per typical practice, CISA didn’t name the threat actors exploiting the vulnerabilities or say how the flaws are being exploited, noting only that “These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.” None of the vulnerabilities were marked as known to be exploited by ransomware groups.

Versa, Zimbra and VMware Enterprise Software Flaws

The Versa Concerto vulnerability is CVE-2025-34026, a 9.2-severity Improper Authentication vulnerability in the SD-WAN orchestration platform’s Traefik reverse proxy configuration that could allow an attacker to access administrative endpoints, including the internal Actuator endpoint, for access to heap dumps and trace logs. The issue affects Concerto from 12.1.2 through 12.2.0, although the National Vulnerability Database (NVD) notes that “Additional versions may be vulnerable.” Project Discovery revealed the vulnerability and two others last year. CVE-2024-37079 is a 9.8-rated Broadcom VMware vCenter Server out-of-bounds write/heap-overflow vulnerability in the implementation of the DCERPC protocol. “A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution,” the NVD entry says. The Cyber Express noted in a June 2024 article on CVE-2024-37079 and two other vCenter vulnerabilities, “With the global usage of the impacted product and the history of leveraging flaws impacting vCenter, there is strong potential for threat actors to leverage these critical vulnerabilities also.” CVE-2025-68645 is an 8.8-rated Local File Inclusion (LFI) vulnerability in the Webmail Classic UI of Zimbra Collaboration (ZCS) 10.0 and 10.1 that allows improper handling of user-supplied request parameters in the RestFilter servlet. “An unauthenticated remote attacker can craft requests to the /h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory,” says the NVD database.

Vite and Prettier Code Tool Vulnerabilities

CVE-2025-54313 is a high-severity embedded malicious code vulnerability affecting the eslint-config-prettier package for the Prettier code formatting tool that stems from a supply chain attack last July. The embedded malicious code in eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 can execute an install.js file that launches the node-gyp.dll malware on Windows, NVD notes. CVE-2025-31125 is a medium-to-high severity Improper Access Control vulnerability affecting Vite ViteJS, a frontend tooling framework for JavaScript. The vulnerability can expose the content of non-allowed files when apps explicitly expose the Vite dev server to the network. Th vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.

Hacktivists became significantly more dangerous in 2025, moving beyond their traditional DDoS attacks and website defacements to target critical infrastructure and ransomware attacks. That’s one of the conclusions of a new blog post from Cyble adapted from the threat intelligence company’s 2025 Threat Landscape report. The trend began in earnest with Z-Pentest’s targeting of industrial control systems (ICS) in late 2024, and grew from there. Cyble said it expects those attacks to continue to grow in 2026, along with growing use of custom tools by hacktivists and “deepening alignment between nation-state interests and hacktivists.”

Hacktivist Attacks on Critical Infrastructure Soar

Z-Pentest was the most active of the hacktivist groups targeting ICS, operational technology (OT) and Human Machine Interface (HMI) environments. Dark Engine (Infrastructure Destruction Squad) and Sector 16 also persistently targeted ICS environments, while Golden Falcon Team, NoName057(16), TwoNet, RipperSec, and Inteid also claimed multiple ICS attacks. HMI and web-based Supervisory Control and Data Acquisition (SCADA) interfaces were the systems most frequently targeted by hacktivists. Virtual Network Computing (VNC) environments were targeted less frequently, but “posed the greatest operational risks to several industries,” Cyble said. Building Management Systems (BMS) and Internet of Things (IoT) or edge-layer controllers were also targeted by the groups, reflecting a wider trend toward exploiting poorly secured IoT interfaces. Europe was the primary region targeted by pro-Russian hacktivist groups, with Spain, Italy, the Czech Republic, France, Poland, and Ukraine the most frequent targets of those groups.

State Interests and Hacktivism Align

Cyble also noted increasing alignment between hacktivist groups and state-aligned interests. When Operation Eastwood disrupted NoName057(16)’s DDoS infrastructure in July 2025, the group rapidly rebuilt its capacity and resumed operations against Ukraine, the EU, and NATO, “underscoring the resilience of state-directed ecosystems,” Cyble said. U.S. indictments “further exposed alleged structured cooperation between Russian intelligence services and pro-Kremlin hacktivist fronts,” the blog post said. The Justice Department revealed GRU-backed financing and direction of the Cyber Army of Russia Reborn (CARR) and state-sanctioned development of NoName057(16)’s DDoSia platform. Z-Pentest has also been identified as part of the CARR ecosystem and linked to GRU. Pro-Ukrainian hacktivist groups are less formally connected to state interests, but groups like the BO Team and the Ukrainian Cyber Alliance launched data destruction, encryption and wiper attacks targeting “key Russian businesses and state machinery,” and Ukrainian actors also claimed to pass exfiltrated datasets to national intelligence services. Hacktivist groups Cyber Partisans BY (Belarus) and Silent Crow significantly compromised Aeroflot’s IT environment in a long-term breach, claiming to exfiltrate more than 20TB of data, sabotaging thousands of servers, and disrupting airline systems, a breach that was confirmed by Russia’s General Prosecutor. Other hacktivists aligned with state interests include BQT.Lock (BaqiyatLock, aligned with Hezbollah) and Cyb3r Av3ngers/Mr. Soul Team, which has been linked to Iran’s Islamic Revolutionary Guard Corps (IRGC) and has also targeted critical infrastructure.

Hacktivist Sightings Surge 51%

Cyble said hacktivist sightings surged 51% in 2025, from 700,000 in 2024 to 1.06 million in 2025, “with the bulk of activity focused on Asia and Europe.” “Pro-Russian state-aligned hacktivists and pro-Palestinian, anti-Israel collectives continued to be the primary drivers of hacktivist activity throughout 2025, shaping the operational tempo and geopolitical focus of the threat landscape,” the researchers said. India, Ukraine and Israel were the countries most targeted by hacktivist activity in 2025 (chart below). [caption id="attachment_108842" align="aligncenter" width="825"] Hacktivist attacks by country in 2025 (Cyble)[/caption] Government & Law Enforcement, Energy & Utilities, Education, IT, Transportation & Logistics, and Manufacturing saw the most growth in hacktivist attacks, while the Agriculture & Livestock, Food & Beverages, Hospitality, Construction, Automotive, and Real Estate also saw increasing attack numbers. “Hacktivism has evolved into a geopolitically charged, ICS-focused threat, continuing to exploit exposed OT environments and increasingly weaponizing ransomware as a protest mechanism,” Cyble said. “In 2026, hacktivists and cybercriminals will increasingly target exposed HMI/SCADA systems and VNC takeovers, aided by public PoCs and automated scanning templates, creating ripple effects across the energy, water, transportation, and healthcare sectors,” the researchers predicted.

Ransomware and supply chain attacks set records in 2025, with ransomware attacks up more than 50% and supply chain attacks nearly doubling – trends that suggest further trouble ahead in 2026. Those are some of the data points from a new blog and annual threat landscape report from threat intelligence company Cyble. There were 6,604 ransomware attacks in 2025, 52% higher than the 4,346 attacks claimed by ransomware groups in 2024, according to Cyble data. And the year ended on an upswing for threat groups, with a near-record 731 ransomware attacks in December, behind only February 2025’s record totals (chart below). [caption id="attachment_108784" align="aligncenter" width="729"] Ransomware attacks by month 2021-2025 (Cyble)[/caption] Ransomware groups remained resilient and decentralized in 2025, and ransomware affiliates were quick to gravitate toward new leaders like Qilin in the wake of law enforcement disruptions.

Supply Chain Attacks Soared in 2025

Supply chain attacks soared by 93% in 2025, according to Cyble dark web researchers, as supply chain attacks claimed by threat groups surged from 154 incidents in 2024 to 297 in 2025 (chart below). [caption id="attachment_108785" align="aligncenter" width="717"] Supply chain attacks by month 2024-2025 (Cyble)[/caption] “As ransomware groups are consistently behind more than half of supply chain attacks, the two attack types have become increasingly linked,” Cyble noted. Supply chain attacks have declined since setting a record in October, but Cyble noted that “they remain above even the elevated trend that began in April 2025.” Every industry and sector tracked by Cyble was hit by a software supply chain attack in 2025, but the IT and Technology sectors were by far the most frequently hit because of the potential for expanding attacks into downstream customer environments. The sophistication of those attacks also grew. Supply chain attacks in 2025 “expanded far beyond traditional package poisoning, targeting cloud integrations, SaaS trust relationships, and vendor distribution pipelines,” Cyble said. “Adversaries are increasingly abusing upstream services—such as identity providers, package registries, and software delivery channels—to compromise downstream environments on a large scale.” Attacks on Salesforce through third-party integrations is one such example, as attackers “weaponized trust between SaaS platforms, illustrating how OAuth-based integrations can become high-impact supply chain vulnerabilities when third-party tokens have been compromised.”

Qilin Dominated Following RansomHub’s Decline

Qilin emerged as the leading ransomware group in April after RansomHub was hit by a possible act of sabotage by rival Dragonforce. Qilin claimed another 190 victims in December, besting a resurgent Lockbit and other leaders such as newcomer Sinobi. Qilin claimed 17% of all ransomware victims in 2025, well ahead of Akira, CL0P, Play and SafePay (chart below). Cyble noted that of the top five ransomware groups in 2025, only Akira and Play also made the list in 2024, as RansomHub and Lockbit declined and Hunters apparently rebranded as World Leaks. [caption id="attachment_108788" align="aligncenter" width="936"] 2025's top ransomware groups (Cyble)[/caption] Cyble documented 57 new ransomware groups, 27 new extortion groups and more than 350 new ransomware strains in 2025. Those new strains were “largely based on the MedusaLocker, Chaos, and Makop ransomware families,” Cyble said. Among new groups, Devman, Sinobi, Warlock and Gunra have targeted critical infrastructure, particularly in Government & Law Enforcement and Energy & Utilities, at an above-average rate. RALord/Nova, Warlock, Sinobi, The Gentlemen and BlackNevas have focused on the IT, Technology, and Transportation & Logistics sectors. The U.S. was by far the most attacked country, suffering 55% of all ransomware attacks in 2025. Canada, Germany, the UK, Italy and France rounded out the top six (chart below). [caption id="attachment_108789" align="aligncenter" width="936"] 2025 ransomware attacks by country (Cyble)[/caption] Construction, professional services and manufacturing were the industries most targeted by ransomware groups, followed by healthcare and IT (chart below). [caption id="attachment_108791" align="aligncenter" width="936"] 2025 ransomware attacks by sector (Cyble)[/caption] “The significant supply chain and ransomware threats facing security teams as we enter 2026 require a renewed focus on cybersecurity best practices that can help protect against a wide range of cyber threats,” Cyble concluded, listing best practices such as segmentation and strong access control and vulnerability management.

Infostealer infections compounded by a lack of multi-factor authentication (MFA) have resulted in dozens of breaches at major global companies and calls for greater MFA use. The issue came to light in a Hudson Rock post that detailed the activity of a threat actor operating under the aliases “Zestix” and “Sentap.” The threat actor has auctioned data stolen from the corporate file-sharing portals of roughly 50 major global enterprises, targeting ShareFile, OwnCloud, and Nextcloud instances “belonging to critical entities across the aviation, robotics, housing, and government infrastructure sectors,” the report said, taking pains to note that lack of MFA was the primary cause. “... these catastrophic security failures were not the result of zero-day exploits in the platform architecture, but rather the downstream effect of malware infections on employee devices combined with a critical failure to enforce Multi-Factor Authentication (MFA),” the report said. Cyble’s threat intelligence database contains 56 dark web reports and client advisories on Zestix and Sentap going back to mid-2024, and the threat actor appears be connected to a significantly older X/Twitter account, according to a May 2025 Cyble profile. DarkSignal recently did an extensive profile of the threat actor.

Infostealers and No MFA Make Attacks Easy

The Hudson Rock report looked at 15 data breaches claimed by Zestix/Sentap and noted a common attack flow:

• Infection: “An employee inadvertently downloads a malicious file. The infostealer executes and harvests all saved credentials and browser history.”
• Aggregation: “These logs are aggregated in massive databases on the dark web. Zestix parses these logs specifically looking for corporate cloud URLs (ShareFile, Nextcloud).”
• Access: “Zestix simply uses the valid username and password extracted from the logs. Because the organizations listed below did not enforce MFA, the attacker walks right in through the front door. No exploits, no cookies – just a password.”

“The era where brute-force attacks reigned supreme is waning,” the report said. “In its place, the Infostealer ecosystem has risen to become the primary engine of modern cybercrime. “Contrary to attacks involving sophisticated cookie hijacking or session bypasses, the Zestix campaign highlights a far more pedestrian – yet equally devastating – oversight: The absence of Multi-Factor Authentication (2FA).” Zestix relies on Infostealer malware such as RedLine, Lumma, or Vidar to infect personal or professional devices – and sometimes the gap between malware infection and exploitation is a long one, as old infostealer logs have led to new cyberattacks in some cases. “A critical finding in this investigation is the latency of the threat,” Hudson Rock said. “While some credentials were harvested from recently infected machines, others had been sitting in logs for years, waiting for an actor like Zestix to exploit them. This highlights a pervasive failure in credential hygiene; passwords were not rotated, and sessions were never invalidated, turning a years-old infection into a present-day catastrophe.”

ownCloud Calls for Greater MFA Use

ownCloud responded to the report with a call for greater MFA use by clients. In a security advisory, the company said, “The ownCloud platform was not hacked or breached. The Hudson Rock report explicitly confirms that no zero-day exploits or platform vulnerabilities were involved.” Stolen credentials from infostealer logs were "used to log in to ownCloud accounts that did not have Multi-Factor Authentication (MFA) enabled. As the report notes: ‘No exploits, no cookies—just a password.’” ownCloud said clients should immediately enable MFA on their ownCloud instances if they haven’t done so already. “MFA adds a critical second layer of verification that prevents unauthorized access even when credentials are compromised,” the company said. Recommended steps include:

• Enabling MFA on all user accounts using ownCloud’s two-factor authentication apps
• Resetting passwords for all users and requiring “strong, unique credentials”
• Reviewing access logs for suspicious activity
• Invalidating active sessions to force re-authentication with MFA

 

After stabilizing in 2024, the growth of known exploited vulnerabilities accelerated in 2025. That was one conclusion from Cyble’s analysis of CISA’s Known Exploited Vulnerability (KEV) catalog data from 2025. After growing at roughly 21% in 2023, with 187 vulnerabilities added to the CISA KEV catalog that year, growth slowed to about 17% in 2024, with 185 vulnerabilities added. Growth in exploited vulnerabilities reaccelerated in 2025, with 245 vulnerabilities added to the KEV database, for a roughly 20% growth rate. The KEV catalog ended 2025 with 1,484 software and hardware flaws at high risk of attack. The 245 flaws added in 2025 is also more than 30% above the trend of 185 to 187 vulnerabilities added the previous two years. Cyble also examined vulnerabilities exploited by ransomware groups, the vendors and projects with the most KEV additions (and several that actually improved), and the most common exploited software weaknesses (CWEs).

Older Vulnerabilities Added to CISA KEV Also Grew

Older vulnerabilities added to the CISA KEV catalog also grew in 2025, Cyble said. After adding an average of 65 older vulnerabilities to the KEV catalog in 2023 and 2024, CISA added 94 vulnerabilities from 2024 and earlier to the catalog in 2025, an increase of nearly 45% from the 2023-2024 average. The oldest vulnerability added to the KEV catalog last year was CVE-2007-0671, a Microsoft Office Excel Remote Code Execution vulnerability. The oldest vulnerability in the catalog remains CVE-2002-0367, a privilege escalation vulnerability in the Windows NT and Windows 2000 smss.exe debugging subsystem that has been known to be used by ransomware groups, Cyble said. CISA removed at least one vulnerability from the KEV catalog in 2025. CVE-2025-6264 is a Velociraptor Incorrect Default Permissions vulnerability that CISA determined had “insufficient evidence of exploitation,” Cyble noted.

Vulnerabilities Targeted in Ransomware Attacks

CISA marked 24 of the vulnerabilities added in 2025 as known to be exploited by ransomware groups, Cyble said. Those vulnerabilities include some well-known flaws such as CVE-2025-5777 (dubbed “CitrixBleed 2”) and Oracle E-Business Suite vulnerabilities targeted by the CL0P ransomware group. Vendors with multiple vulnerabilities targeted by ransomware groups included Fortinet, Ivanti, Microsoft, Mitel, Oracle and SonicWall.

Projects and Vendors with the Most Exploited Vulnerabilities

Microsoft once again led all vendors and projects in CISA KEV additions in 2025, with 39 vulnerabilities added to the database, up from 36 in 2024. Apple, Cisco, Google Chromium. Ivanti and Linux each had 7-9 vulnerabilities added to the KEV catalog. Several vendors and projects actually improved in 2025, with fewer vulnerabilities added than they had in 2024, “suggesting improved security controls,” Cyble said. Adobe, Android, Apache, Ivanti, Palo Alto Networks, and VMware were among those that saw a decline in KEV vulnerabilities.

Most Common Software Weaknesses

Eight software and hardware weaknesses (common weakness enumerations, or CWEs) were “particularly prominent among the 2025 KEV additions,” Cyble said, noting that the list is similar to the 2024 list. The most common CWEs in the 2025 CISA KEV additions were:

• CWE-78 – OS Command Injection – accounted for 18 of the 245 vulnerabilities.
• CWE-502 – Deserialization of Untrusted Data – was  a factor in 14 of the vulnerabilities.
• CWE-22 – Path Traversal – appeared 13 times.
• CWE-416 – Use After Free – was a flaw in 11 of the vulnerabilities.
• CWE-787 – Out-of-bounds Write – accounted for 10 of the vulnerabilities.
• CWE-79 – Cross-site Scripting – appeared 7 times.
• CWE-94 (Code Injection) and CWE-287 (Improper Authentication) appeared 6 times each.

 

Two cybersecurity experts charged with deploying ALPHV BlackCat ransomware against five companies have pleaded guilty to federal charges in the case, the U.S. Department of Justice announced today. Ryan Goldberg, 40, of Georgia, and Kevin Martin, 36, of Texas, were indicted in the BlackCat ransomware case in October. Together with an unnamed co-conspirator, they “successfully deployed the ransomware known as ALPHV BlackCat between April 2023 and December 2023 against multiple victims located throughout the United States,” the Justice Department said today. The two face sentencing in March for conspiring to obstruct commerce through extortion.

Misusing ‘Trusted Access and Technical Skill’

Martin and the co-conspirator worked as ransomware negotiators for DigitalMint, a Chicago-based company that specializes in mitigating cyberattacks, while Goldberg was an incident response manager at Sygnia Cybersecurity Services. DigitalMint and Sygnia have publicly stated they were not targets of the investigation and have cooperated fully with law enforcement. “These defendants used their sophisticated cybersecurity training and experience to commit ransomware attacks — the very type of crime that they should have been working to stop,” stated Assistant Attorney General A. Tysen Duva of the Justice Department’s Criminal Division. “Goldberg and Martin used trusted access and technical skill to extort American victims and profit from digital coercion,” added U.S. Attorney Jason A. Reding Quiñones for the Southern District of Florida. “Their guilty pleas make clear that cybercriminals operating from within the United States will be found, prosecuted, and held to account.”

BlackCat Ransomware Case Netted More Than $1 million

According to the Justice Department, the three men agreed to pay the ALPHV BlackCat administrators a 20% share of any ransom payments they received in exchange for the ransomware and access to ALPHV BlackCat’s extortion platform. “After successfully extorting one victim for approximately $1.2 million in Bitcoin, the men split their 80% share of this ransom three ways and laundered the funds through various means,” the Justice Department said. The five unnamed victim companies targeted by the co-conspirators included:

• A medical device company based in Tampa, Florida
• A pharmaceutical company based in Maryland
• A doctor’s office based in California
• An engineering company based in California
• A drone manufacturer based in Virginia

The Tampa medical device company paid a $1.27 million ransom; it is not clear if other ransom payments were made. The Justice Department placed the guilty pleas in the context of priori law enforcement actions aimed at disrupting ALPHV BlackCat, including the development of a decryption tool that that the U.S. says saved global victims nearly $100 million in ransom payments. The Justice Department said Goldberg and Martin each pleaded guilty to one count of “conspiracy to obstruct, delay or affect commerce or the movement of any article or commodity in commerce by extortion in violation of 18 U.S.C. § 1951(a).” The defendants are scheduled to be sentenced on March 12, 2026, and face a maximum penalty of 20 years in prison. The cybersecurity industry has faced a number of insider incidents in recent months, including a “suspicious insider” at CrowdStrike and a former cybersecurity company official who pled guilty to stealing trade secrets to sell them to a Russian buyer. In the Goldberg and Martin case, corporate assets do not appear to have been misused.

Cyble researchers have identified a sophisticated attack campaign that uses obfuscation, a unique User Account Control (UAC) bypass and other stealthy techniques to deliver a unified commodity loader and infect systems with Remote Access Trojans (RATs) and infostealers. The malware campaign targets the Manufacturing and Government sectors in Europe and the Middle East, with a specific focus on Italy, Finland, and Saudi Arabia, but shares common features with other attack campaigns, suggesting a shared malware delivery framework used by multiple “high-capability” threat actors. “The primary objective is the exfiltration of sensitive industrial data and the compromise of high-value administrative credentials,” Cyble Research and Intelligence Labs (CRIL) said in a blog post published today.

Sophisticated Attack Campaign Uses Loader Shared by ‘High-capability’ Threat Actors

The sophisticated commodity loader at the heart of the campaign is “utilized by multiple high-capability threat actors,” Cyble said. “Our research confirms that identical loader artifacts and execution patterns link this campaign to a broader infrastructure shared across multiple threat actors,” the researchers said. The CRIL researchers describe “a striking uniformity of tradecraft, uncovering a persistent architectural blueprint that serves as a common thread. Despite the deployment of diverse malware payloads, the delivery mechanism remains constant.” Standardized methodology includes the use of steganography to conceal payloads within image files, the use of string reversal and Base64 encoding for obfuscation, and delivering encoded payload URLs directly to the loader. The threat actors also “consistently abuse legitimate .NET framework executables to facilitate advanced process hollowing techniques.” Cyble said researchers from Seqrite, Nextron Systems, and Zscaler, have documented similar findings in other campaigns, including “identical class naming conventions and execution patterns across a variety of malware families and operations.” The researchers shared code samples of the shared loader architecture and noted, “This consistency suggests that the loader might be part of a shared delivery framework used by multiple threat actors.” The loaders have been observed delivering a variety of RATs and infostealers, such as PureLog Stealer, Katz Stealer, DC Rat, Async Rat, and Remcos. “This indicates the loader is likely shared or sold across different threat actor groups,” Cyble said. “The fact that multiple malware families leverage these class naming conventions as well as execution patterns ... is further testament to how potent this threat is to the target nations and sectors,” Cyble added.

Campaign Uses Obfuscation, UAC Bypass

The campaign documented by Cyble uses “a diverse array of infection vectors,” such as Office documents that weaponize CVE-2017-11882, malicious SVG files, ZIP archives containing LNK shortcuts, and a unique User Account Control (UAC) bypass. One sample used an LNK file and PowerShell to download a VBS loader, along with the UAC bypass method. The UAC bypass technique appears in later stages of the attack, where the malware monitors process creation events and triggers a UAC prompt when a new process is launched, “tricking the system or user into granting elevated privileges under the guise of a routine operation” and “enabling the execution of a PowerShell process with elevated privileges after user approval.” “The discovery of a novel UAC bypass confirms that this is not a static threat, but an evolving operation with a dedicated development cycle,” the researchers added. “Organizations, especially in the targeted regions, should treat ‘benign’ image files and email attachments with heightened scrutiny.” The campaign starts as a phishing campaign masquerading as standard Purchase Order communications. Image files are hosted on legitimate delivery platforms and contain steganographically embedded payloads, “allowing the malicious code to slip past file-based detection systems by masquerading as benign traffic.” The threat actors use a sophisticated “hybrid assembly” technique to “trojanize” open-source libraries. “By appending malicious functions to trusted open-source libraries and recompiling them, the resulting files retain their authentic appearance and functionality, making signature-based detection extremely difficult,” the researchers said. The infection chain is also engineered “to minimize forensic footprint,” including script obfuscation, steganographic extraction, reflective loading to run code directly in memory, and process injection to hide malicious activity within legitimate system processes. The full Cyble blog takes an in-depth technical look at one sample and also includes recommendations, MITRE tactics, techniques and procedures (TTPs), and Indicators of Compromise (IoCs).

The CL0P ransomware group appears to be targeting internet-facing Gladinet CentreStack file servers in its latest extortion campaign. The Curated Intelligence project said in a LinkedIn post that incident responders from its community “have encountered a new CLOP extortion campaign targeting Internet-facing CentreStack file servers.” Cyble said in a note to clients today that CL0P appears to be readying its dark web data leak site (DLS) for a new wave of victims following its exploitation of Oracle E-Business Suite vulnerabilities that netted more than 100 victims. “Monitoring of Cl0p's DLS indicates recent archiving and grouping of all previously listed victims associated with Oracle E-Business Suite exploitation under different folders, a move that strongly suggests preparation for a new wave of data leak publications,” Cyble said. “This restructuring activity is assessed to be linked to the ongoing exploitation of Gladinet CentreStack, with Cl0p likely staging victims for coordinated disclosure similar to its prior mass-extortion campaigns. No victim samples or deadlines related to the CentreStack victims have been published yet.”

CL0P May Be Targeting Gladinet CentreStack Vulnerabilities

It’s not clear if the CL0P campaign is exploiting a known or zero-day vulnerability, but in a comment on the LinkedIn post, Curated Intelligence said that an October Huntress report is “Likely related.” That report focused on CVE-2025-11371, a Files or Directories Accessible to External Parties vulnerability in Gladinet CentreStack and TrioFox that was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on Nov. 4. In a Dec. 10 report, Huntress noted that threat actors were also targeting CVE-2025-30406, a Gladinet CentreStack Use of Hard-coded Cryptographic Key vulnerability, and CVE-2025-14611, a Gladinet CentreStack and Triofox Hard Coded Cryptographic vulnerability. CVE-2025-30406 was added to the CISA KEV catalog in April, and CVE-2025-14611 was added to the KEV database on Dec. 15. In a Dec. 18 update to that post, Huntress noted the Curated Intelligence findings and said, “At present, we cannot say definitively that this is exploitation by the cl0p ransomware gang, but considering the timing of this reporting, we felt it was prudent to share this recent threat intel.” The latest release on Gladinet's CentreStack website as of December 8 is version 16.12.10420.56791, Huntress noted. “We recommend that potentially impacted Gladinet customers update to this latest version immediately and ensure that the machineKey is rotated,” the blog post said. Curated Intelligence noted that recent port scan data shows more than 200 unique IPs running the “CentreStack - Login” HTTP Title, “making them potential targets of CLOP who is exploiting an unknown CVE (n-day or zero-day) in these systems.”

CL0P’s History of File Transfer Attacks

Curated Intelligence noted that CL0P has a long history of targeting file sharing and transfer services. “This is yet another similar data extortion campaign by this adversary,” the project said. “CLOP is well-known for targeting file transfer servers such as Oracle EBS, Cleo FTP, MOVEit, CrushFTP, SolarWinds Serv-U, PaperCut, GoAnywhere, among others.” CL0P’s exploitation of Cleo MFT vulnerabilities led to a record number of ransomware attacks earlier this year, and CL0P has also successfully exploited Accellion FTA vulnerabilities. The group’s ability to successfully exploit vulnerabilities at scale has made it a top five ransomware group over its six-year-history (image below from Cyble). [caption id="attachment_107950" align="aligncenter" width="1200"] CL0P is a top five ransomware group over its six-year history (Cyble)[/caption]

France is investigating whether “foreign interference” was behind remote access trojan (RAT) malware that was discovered on a passenger ferry. The ferry malware was “capable of allowing the vessel's operating systems to be controlled remotely,” Le Monde reported today, citing the Interior Minister. Interior Minister Laurent Nuñez told France Info radio that hacking into a ship's data-processing system “is a very serious matter ... Investigators are obviously looking into interference. Yes, foreign interference.” Nuñez would not speculate if the attack was intended to interfere with the ship’s navigation and he did not specifically name Russia, but he said, "These days, one country is very often behind foreign interference." The office of the Paris prosecutor said it had opened an investigation into a suspected attempt "by an organized group to attack an automated data-processing system, with the aim of serving the interests of a foreign power.”

Latvian Arrested in Ferry Malware Case

Two crew members, a Latvian and a Bulgarian, were detained after they were identified by Italian authorities, but the Bulgarian was later released. The Latvian was arrested and charged after the malware was found on the 2,000-passenger capacity ferry the Fantastic, which is owned by the Italian shipping company GNV, while it was docked in France's Mediterranean port of Sète. GNV said it had alerted Italian authorities, saying in a statement that it had "identified and neutralized an attempt at intrusion on the company's computer systems, which are effectively protected. It was without consequences," France 24 reported. Christian Cevaer, director of the France Cyber Maritime monitor, told AFP that any attempt to take control of a ship would be a "critical risk" because of "serious physical consequences" that could endanger passengers. Cevaer said such an operation would likely require a USB key to install the software, which would require "complicity within the crew." The investigation is being led by France's domestic intelligence service, the General Directorate for Internal Security (DGSI), as a sign of the importance of the case, France 24 said. After cordoning off the ship in the port, the Fantastic was inspected by the DGSI, “which led to the seizure of several items,” France 24 said. After technical inspections ruled out any danger to passengers, the ship was cleared to sail again. Searches were also conducted in Latvia with the support of Eurojust and Latvian authorities. Meanwhile, the Latvian suspect’s attorney said the investigation “will demonstrate that this case is not as worrying as it may have initially seemed,” according to a quote from the attorney as reported by France 24.

Ferry Malware Follows French Interior Ministry Attack

The ferry malware incident closely follows a cyberattack on the French Interior Ministry’s internal email systems that led to the arrest of a 22-year-old man in connection with the attack. The cyberattack was detected overnight between Thursday, December 11, and Friday, December 12, and resulted in unauthorized access to a number of document files. Nuñez described the incident as more serious than initially believed. Speaking to France Info radio, he said, “It’s serious. A few days ago, I said that we didn’t know whether there had been any compromises or not. Now we know that there have been compromises, but we don’t know the extent of them.” Authorities later confirmed that the compromised files included criminal records, raising concerns about the sensitivity of the exposed information.

A new Android malware locks device screens and demands that users pay a ransom to keep their data from being deleted. Dubbed “DroidLock” by Zimperium researchers, the Android ransomware-like malware can also “wipe devices, change PINs, intercept OTPs, and remotely control the user interface, turning an infected phone into a hostile endpoint.” The malware detected by the researchers targeted Spanish Android users via phishing sites. Based on the examples provided, the French telecommunications company Orange S.A. was one of the companies impersonated in the campaign.

Android Malware DroidLock Uses ‘Ransomware-like Overlay’

The researchers detailed the new Android malware in a blog post this week, noting that the malware “has the ability to lock device screens with a ransomware-like overlay and illegally acquire app lock credentials, leading to a total takeover of the compromised device.” The malware uses fake system update screens to trick victims and can stream and remotely control devices via virtual network computing (VNC). The malware can also exploit device administrator privileges to “lock or erase data, capture the victim's image with the front camera, and silence the device.” The infection chain starts with a dropper that appears to require the user to change settings to allow unknown apps to be installed from the source (image below), which leads to the secondary payload that contains the malware. [caption id="attachment_107722" align="aligncenter" width="300"] The Android malware DroidLock prompts users for installation permissions (Zimperium)[/caption] Once the user grants accessibility permission, “the malware automatically approves additional permissions, such as those for accessing SMS, call logs, contacts, and audio,” the researchers said. The malware requests Device Admin Permission and Accessibility Services Permission at the start of the installation. Those permissions allow the malware to perform malicious actions such as:

• Wiping data from the device, “effectively performing a factory reset.”
• Locking the device.
• Changing the PIN, password or biometric information to prevent user access to the device.

Based on commands received from the threat actor’s command and control (C2) server, “the attacker can compromise the device indefinitely and lock the user out from accessing the device.”

DroidLock Malware Overlays

The DroidLock malware uses Accessibility Services to launch overlays on targeted applications, prompted by an AccessibilityEvent originating from a package on the attacker's target list. The Android malware uses two primary overlay methods:

• A Lock Pattern overlay that displays a pattern-drawing user interface (UI) to capture device unlock patterns.
• A WebView overlay that loads attacker-controlled HTML content stored locally in a database; when an application is opened, the malware queries the database for the specific package name, and if a match is found it launches a full-screen WebView overlay that displays the stored HTML.

The malware also uses a deceptive Android update screen that instructs users not to power off or restart their devices. “This technique is commonly used by attackers to prevent user interaction while malicious activities are carried out in the background,” the researchers said. The malware can also capture all screen activity and transmit it to a remote server by operating as a persistent foreground service and using MediaProjection and VirtualDisplay to capture screen images, which are then converted to a base64-encoded JPEG format and transmitted to the C2 server. “This highly dangerous functionality could facilitate the theft of any sensitive information shown on the device’s display, including credentials, MFA codes, etc.,” the researchers said. Zimperium has shared its findings with Google, so up-to-date Android devices are protected against the malware, and the company has also published DroidLock Indicators of Compromise (IoCs).

The Information Commissioner’s Office (ICO) has fined password manager provider LastPass UK Ltd £1.2 million following a 2022 data breach that compromised the personal information of up to 1.6 million people in the UK. The data breach occurred in August 2022 and was the result of two isolated incidents that, when combined, enabled a hacker to gain unauthorized access to LastPass’ backup database. The stolen information included customer names, email addresses, phone numbers, and stored website URLs. While the data breach exposed sensitive personal information, the ICO confirmed there is no evidence that hackers were able to decrypt customer passwords. This is due to LastPass’ use of a ‘zero knowledge’ encryption system, which ensures that master passwords and vaults are stored locally on customer devices and never shared with the company.

Incident One: Corporate Laptop Compromised

The first incident involved a LastPass employee’s corporate laptop based in Europe. A hacker gained access to the company’s development environment and obtained encrypted company credentials. Although no personal information was taken at this stage, the credentials could have provided access to the backup database if decrypted. LastPass attempted to mitigate the hacker’s activity and believed the encryption keys remained safe, as they were stored outside the compromised environment in the vaults of four senior employees.

Incident Two: Personal Device Targeted

The second incident proved more damaging. The hacker targeted one of the senior employees who had access to the decryption keys. Exploiting a known vulnerability in a third‑party streaming service, the attacker gained access to the employee’s personal device. A keylogger was installed, capturing the employee’s master password. Multi‑factor authentication was bypassed using a trusted device cookie. This allowed the hacker to access both the employee’s personal and business LastPass vaults, which were linked by a single master password. From there, the hacker obtained the Amazon Web Service (AWS) access key and decryption key stored in the business vault. Combined with information taken the previous day, this enabled the extraction of the backup database containing customer personal information.

ICO’s Findings and Fine on LastPass UK

The ICO investigation concluded that LastPass failed to implement sufficiently strong technical and security measures, leaving customers exposed. Although the company’s zero knowledge encryption protected passwords, the exposure of personal data was deemed a serious failure. John Edwards, UK Information Commissioner, stated: “Password managers are a safe and effective tool for businesses and the public to manage their numerous login details, and we continue to encourage their use. However, as is clear from this incident, businesses offering these services should ensure that system access and use is restricted to reduce risks of attack. LastPass customers had a right to expect their personal information would be kept safe and secure. The company fell short of this expectation, resulting in the proportionate fine announced today.”

Lessons for Businesses

The ICO has urged all UK businesses to review their systems and procedures to prevent similar risks. This case underscores the importance of restricting system access, strengthening cybersecurity measures, and ensuring that employees’ personal devices do not become weak points in corporate networks. While password managers remain a recommended tool for managing login details, the incident shows that even trusted providers can fall short if internal safeguards are not sufficiently strong. The £1.2 million fine against LastPass UK Ltd serves as a clear reminder that companies handling sensitive data must uphold the highest standards of security. Although customer passwords were protected by the company’s zero knowledge encryption system, the exposure of personal information has left millions vulnerable. The ICO’s ruling reinforces the need for constant vigilance in the face of growing cyber threats. For both businesses and individuals, the message is straightforward: adopt strong security practices, conduct regular system reviews, and implement robust employee safeguards to reduce the risk of future data breaches.

2025 will be remembered as the year cyber threats reached a breaking point. With nearly 6,000 ransomware incidents, more than 6,000 data breaches, and over 3,000 sales of compromised corporate access, enterprises across the globe faced one of the most dangerous digital landscapes on record. Manufacturing plants halted production, government agencies struggled to contain leaks, and critical infrastructure endured direct hits. Cyble Global Cybersecurity Report 2025 highlights that ransomware attacks surged 50% year-over-year. Not only this, the Global Cybersecurity Report 2025 stated that data breaches climbed to their second-highest level ever, and the underground market for stolen access flourished. Together, these figures reveal not just isolated events, but a systemic escalation of cybercrime that is reshaping the way organizations must defend themselves.

Cyble Global Cybersecurity Report 2025: A Year of Escalation

The Cyble Global Cybersecurity Report 2025 documented 5,967 ransomware attacks, representing a 50% increase year-over-year. Alongside this, 6,046 data breaches and leaks were recorded, the second-highest level ever observed. The underground market for compromised initial access also thrived, with 3,013 sales fueling the global cybercrime economy. Daksh Nakra, Senior Manager of Research and Intelligence at Cyble, described 2025 as a “Major power shift in the threat landscape,” noting that new ransomware groups quickly filled the void left by law enforcement crackdowns. The combination of supply chain attacks and rapid weaponization of zero-day vulnerabilities created what he called “a perfect storm” for enterprises worldwide.

Ransomware Landscape Transformed

Two groups stood out in 2025. Akira ransomware emerged as the second-most prolific group behind Qilin, launching sustained campaigns across Construction, Manufacturing, and Professional Services. Its opportunistic targeting model allowed it to compromise nearly every major industry vertical. Meanwhile, CL0P ransomware reaffirmed its reputation as a zero-day specialist. In February 2025, CL0P executed a mass campaign exploiting enterprise file transfer software, posting hundreds of victims in a single wave. Consumer Goods, Transportation & Logistics, and IT sectors were among the hardest hit.

Key Ransomware Statistics

• 5,967 total ransomware attacks in 2025 (50% increase year-over-year)
• The manufacturing sector most targeted, suffering the highest operational disruption
• Construction, Professional Services, Healthcare, and IT are among the top five targets
• The United States experienced the majority of attacks; Australia entered the top-five list for the first time
• 31 incidents directly impacted critical infrastructure

Data Breaches Near Record Levels

Government and law enforcement agencies were disproportionately affected, accounting for 998 incidents (16.5% of total breaches). The Banking, Financial Services, and Insurance (BFSI) sector followed with 634 incidents. Together, these two sectors represented more than a quarter of all breaches, highlighting attackers’ focus on sensitive citizen data and financial information. The sale of compromised corporate access continued to fuel cybercrime. Cyble’s analysis revealed 3,013 access sales, with the Retail sector most heavily targeted at 594 incidents (nearly 20%). BFSI followed with 284 incidents, while Government agencies accounted for 175 incidents.

Vulnerabilities Drive Attack Surge

Cyble Global Cybersecurity Report 2025 further highlighted that critical flaws in widely deployed enterprise technologies served as primary entry points. Among the most exploited were:

• CVE-2025-61882 (Oracle E-Business Suite RCE) – leveraged by CL0P
• CVE-2025-10035 (GoAnywhere MFT RCE) – exploited by Medusa
• Multiple vulnerabilities in Fortinet, Ivanti, and Cisco products with CVSS scores above 9.0

In total, 94 zero-day vulnerabilities were identified in 2025, with 25 scoring above 9.0. Over 86% of CISA’s Known Exploited Vulnerabilities catalog entries carried CVSS ratings of 7.0 or higher, with Microsoft, Fortinet, Apple, Cisco, and Oracle most frequently affected.

Geopolitical Hacktivism Surges

According to Cyble's global cybersecurity report 2025, hacktivist activity reached an unprecedented scale, with over 40,000 data leaks and dump posts impacting 41,400 unique domains. Much of this activity was driven by geopolitical conflicts:

• The Israel-Iran conflict triggered operations by 74 hacktivist groups
• India-Pakistan tensions generated 1.5 million intrusion attempts
• North Korea’s IT worker fraud schemes infiltrated global companies
• DDoS attacks, website defacements, and breaches targeted governments and critical infrastructure

Industry-Specific Insights

• Manufacturing: Most attacked sector due to reliance on OT/ICS environments and low tolerance for downtime
• Construction: Heavily targeted by Akira; time-sensitive projects created maximum pressure points
• Professional Services: Law firms and consultancies compromised for sensitive client data and supply chain leverage
• Healthcare: Continued to face attacks from groups like BianLian, Abyss, and INC Ransom due to critical data availability needs
• IT & ITES: Service providers exploited to enable cascading supply chain attacks against downstream customers

Outlook

The numbers from Cyble Global Cybersecurity Report 2025 highlight that ransomware is up by 50%, thousands of breaches, and a booming underground economy for compromised access. With critical infrastructure, government agencies, and high-value industries increasingly in the crosshairs, the Cyble global cybersecurity report 2025 highlights the urgency for global enterprises to strengthen defenses against a rapidly evolving threat landscape.

For a full analysis, the Global Cybersecurity Report 2025 is available at Cyble Research Reports.