Ransomware attacks have soared 30% since late last year, and they’ve continued that trend so far in 2026, with many of the attacks affecting software and manufacturing supply chains. Those are some of the takeaways of new research published by Cyble today, which also looked at the top ransomware groups, significant ransomware attacks, new ransomware groups, and recommended cyber defenses. Ransomware groups claimed 2,018 attacks in the last three months of 2025, averaging just under 673 a month to end a record-setting year. The elevated attack levels continued in January 2026, as the threat groups claimed 679 ransomware victims. In the first nine months of 2025, ransomware groups claimed an average of 512 victims a month, so the recent trend has been more than 30% above that, Cyble noted. Below is Cyble’s chart of ransomware attacks by month since 2021, which shows a sustained uptrend since mid-2025.

Qilin Remains Top Ransomware Group as CL0P Returns

Qilin was once again the top ransomware group, claiming 115 victims in January. CL0P was second with 93 victims after claiming “scores of victims” in recent weeks in an as-yet unspecified campaign. Akira remained among the leaders with 76 attacks, and newcomers Sinobi and The Gentlemen rounded out the top five (chart below). [caption id="attachment_109255" align="aligncenter" width="845"] Top ransomware groups January 2026 (Cyble)[/caption] “As CL0P tends to claim victims in clusters, such as its exploitation of Oracle E-Business Suite flaws that helped drive supply chain attacks to records in October, new campaigns by the group are noteworthy,” Cyble said. Victims in the latest campaign have included 11 Australia-based companies spanning a range of sectors such as IT, banking and financial services (BFSI), construction, hospitality, professional services, and healthcare. Other recent CL0P victims have included “a U.S.-based IT services and staffing company, a global hotel company, a major media firm, a UK payment processing company, and a Canada-based mining company engaged in platinum group metals production,” Cyble said. The U.S. once again led all countries in ransomware attacks (chart below), while the UK and Australia faced a higher-than-normal attack volume. “CL0P’s recent campaign was a factor in both of those increases,” Cyble said. [caption id="attachment_109256" align="aligncenter" width="831"] Ransomware attacks by country January 2026 (Cyble)[/caption] Construction, professional services and manufacturing remain opportunistic targets for threat actors, while the IT industry also remains a favorite target of ransomware groups, “likely due to the rich target the sector represents and the potential to pivot into downstream customer environments,” Cyble said (chart below). [caption id="attachment_109258" align="aligncenter" width="819"] Ransomware attacks by industry January 2026 (Cyble)[/caption]

Ransomware Attacks Hit the Supply Chain

Cyble documented 10 significant ransomware attacks from January in its blog post, many of which had supply chain implications. One was an Everest ransomware group compromise of “a major U.S. manufacturer of telecommunications networking equipment ... Everest claims the data includes PDF documents containing sensitive engineering materials, such as electrical schematics, block diagrams, and service subsystem documentation.” Sinobi claimed a breach of an India-based IT services company. “Samples shared by the attackers indicate access to internal infrastructure, including Microsoft Hyper-V servers, multiple virtual machines, backups, and storage volumes,” Cyble said. A Rhysida ransomware group attack on a U.S. life sciences and biotechnology instrumentation company allegedly exposed sensitive information such as engineering blueprints and project documentation. A RansomHouse attack on a China-based electronics manufacturing for the technology and automotive manufacturers nay have exposed “extensive proprietary engineering and production-related data,” and “data associated with multiple major technology and automotive companies.” An INC Ransom attack on a Hong Kong–based components manufacturer for the global electronics and automotive industries may have exposed “client-related information associated with more than a dozen major global brands, plus confidential contracts and project documentation for at least three major IT companies.” Cyble also documented the rise of three new ransomware groups: Green Blood, DataKeeper and MonoLock, with DataKeeper and MonoLock releasing details on technical and payment features aimed at attracting ransomware affiliates to their operations.  

Hacktivists became significantly more dangerous in 2025, moving beyond their traditional DDoS attacks and website defacements to target critical infrastructure and ransomware attacks. That’s one of the conclusions of a new blog post from Cyble adapted from the threat intelligence company’s 2025 Threat Landscape report. The trend began in earnest with Z-Pentest’s targeting of industrial control systems (ICS) in late 2024, and grew from there. Cyble said it expects those attacks to continue to grow in 2026, along with growing use of custom tools by hacktivists and “deepening alignment between nation-state interests and hacktivists.”

Hacktivist Attacks on Critical Infrastructure Soar

Z-Pentest was the most active of the hacktivist groups targeting ICS, operational technology (OT) and Human Machine Interface (HMI) environments. Dark Engine (Infrastructure Destruction Squad) and Sector 16 also persistently targeted ICS environments, while Golden Falcon Team, NoName057(16), TwoNet, RipperSec, and Inteid also claimed multiple ICS attacks. HMI and web-based Supervisory Control and Data Acquisition (SCADA) interfaces were the systems most frequently targeted by hacktivists. Virtual Network Computing (VNC) environments were targeted less frequently, but “posed the greatest operational risks to several industries,” Cyble said. Building Management Systems (BMS) and Internet of Things (IoT) or edge-layer controllers were also targeted by the groups, reflecting a wider trend toward exploiting poorly secured IoT interfaces. Europe was the primary region targeted by pro-Russian hacktivist groups, with Spain, Italy, the Czech Republic, France, Poland, and Ukraine the most frequent targets of those groups.

State Interests and Hacktivism Align

Cyble also noted increasing alignment between hacktivist groups and state-aligned interests. When Operation Eastwood disrupted NoName057(16)’s DDoS infrastructure in July 2025, the group rapidly rebuilt its capacity and resumed operations against Ukraine, the EU, and NATO, “underscoring the resilience of state-directed ecosystems,” Cyble said. U.S. indictments “further exposed alleged structured cooperation between Russian intelligence services and pro-Kremlin hacktivist fronts,” the blog post said. The Justice Department revealed GRU-backed financing and direction of the Cyber Army of Russia Reborn (CARR) and state-sanctioned development of NoName057(16)’s DDoSia platform. Z-Pentest has also been identified as part of the CARR ecosystem and linked to GRU. Pro-Ukrainian hacktivist groups are less formally connected to state interests, but groups like the BO Team and the Ukrainian Cyber Alliance launched data destruction, encryption and wiper attacks targeting “key Russian businesses and state machinery,” and Ukrainian actors also claimed to pass exfiltrated datasets to national intelligence services. Hacktivist groups Cyber Partisans BY (Belarus) and Silent Crow significantly compromised Aeroflot’s IT environment in a long-term breach, claiming to exfiltrate more than 20TB of data, sabotaging thousands of servers, and disrupting airline systems, a breach that was confirmed by Russia’s General Prosecutor. Other hacktivists aligned with state interests include BQT.Lock (BaqiyatLock, aligned with Hezbollah) and Cyb3r Av3ngers/Mr. Soul Team, which has been linked to Iran’s Islamic Revolutionary Guard Corps (IRGC) and has also targeted critical infrastructure.

Hacktivist Sightings Surge 51%

Cyble said hacktivist sightings surged 51% in 2025, from 700,000 in 2024 to 1.06 million in 2025, “with the bulk of activity focused on Asia and Europe.” “Pro-Russian state-aligned hacktivists and pro-Palestinian, anti-Israel collectives continued to be the primary drivers of hacktivist activity throughout 2025, shaping the operational tempo and geopolitical focus of the threat landscape,” the researchers said. India, Ukraine and Israel were the countries most targeted by hacktivist activity in 2025 (chart below). [caption id="attachment_108842" align="aligncenter" width="825"] Hacktivist attacks by country in 2025 (Cyble)[/caption] Government & Law Enforcement, Energy & Utilities, Education, IT, Transportation & Logistics, and Manufacturing saw the most growth in hacktivist attacks, while the Agriculture & Livestock, Food & Beverages, Hospitality, Construction, Automotive, and Real Estate also saw increasing attack numbers. “Hacktivism has evolved into a geopolitically charged, ICS-focused threat, continuing to exploit exposed OT environments and increasingly weaponizing ransomware as a protest mechanism,” Cyble said. “In 2026, hacktivists and cybercriminals will increasingly target exposed HMI/SCADA systems and VNC takeovers, aided by public PoCs and automated scanning templates, creating ripple effects across the energy, water, transportation, and healthcare sectors,” the researchers predicted.

Cyble’s Annual Threat Landscape Report for 2025 documents a cybercrime environment that remained volatile even as international law enforcement agencies escalated disruption efforts. Large-scale takedowns, arrests, and infrastructure seizures failed to slow adversaries for long. Instead, cybercriminal ecosystems fractured, reorganized, and re-emerged across decentralized platforms, encrypted messaging channels, and invitation-only forums. The ransomware landscape, in particular, demonstrated a capacity for rapid regeneration that outpaced enforcement pressure.  According to Cyble’s report, ransomware was the most destabilizing threat category throughout 2025. Attacks expanded across government, healthcare, energy, financial services, and supply-chain-dependent industries. Many groups moved away from encryption-centric campaigns toward extortion-only operations, relying on data theft, public exposure, and reputational damage to extract payment. This shift reduced operational friction and shortened attack cycles, making traditional detection and containment models less effective.  Artificial intelligence further reshaped attacker operations. Cyble observed AI-assisted automation being embedded into multiple stages of the kill chain. Negotiation workflows were partially automated. Malware became more polymorphic. Intrusion paths were adapted in real time as defenses responded. These developments increased attack velocity while compressing dwell time, forcing defenders to operate with narrower margins for response. 

Measured Threat Activity Across Underground Ecosystems 

CRIL tracked 9,817 confirmed cyber threat incidents across forums, marketplaces, and leak sites during 2025. These incidents impacted organizations spanning critical infrastructure, government agencies, and law enforcement entities.  [caption id="attachment_108748" align="aligncenter" width="946"] sectors and regions targeted by threat actors in 2025 (Source: Cyble)[/caption] The breakdown of activity was heavily skewed toward monetized data exposure. 6,979 incidents involved breached datasets or compromised information advertised for sale. Another 2,059 incidents centered on the sale of unauthorized access, including credentials, VPN entry points, and administrative footholds. Government, law enforcement agencies (LEA), BFSI, IT & ITES, healthcare, education, telecommunications, and retail remained in the most consistently targeted sectors.  Geographic analysis showed a clear concentration of activity in Asia, where 2,650 incidents affected organizations through breaches, leaks, or access sales. North America followed with 1,823 incidents, while Europe and the United Kingdom recorded 1,779 incidents. At the country level, the United States, India, Indonesia, France, and Spain experienced the highest volume of targeting during the year. 

Ransomware Growth and Structural Expansion 

Cyble’s Annual Threat Landscape Report quantifies the scale of ransomware’s expansion over time. From 2020 to 2025, ransomware incidents increased by 355%, rising from roughly 1,400 attacks to nearly 6,500. While 2023 marked the largest year-over-year surge, 2025 produced the second-largest spike, with 47% more attacks than observed across the prior two years combined.  The ransomware landscape also broadened structurally. CRIL identified 57 new ransomware groups and 27 new extortion-focused groups emerging in 2025 alone. More than 350 new ransomware strains surfaced during the year, many derived from established codebases such as MedusaLocker, Chaos, and Makop. Rather than consolidating, the ecosystem continued to fragment, complicating attribution and enforcement. 

Affiliate Mobility and Repeat Victimization 

One of the most consequential trends documented in the Annual Threat Landscape Report was the recurrence of victim targeting. CRIL observed 62 organizations listed by multiple ransomware groups within the same year, sometimes within weeks. Across a five-year window, more than 250 entities suffered ransomware attacks more than once.  [caption id="attachment_108750" align="aligncenter" width="945"] Ransomware attack trends between 2020 and 2025 (Source: Cyble)[/caption] This pattern reflected widespread affiliate mobility. Ransomware-as-a-Service operators shared affiliates who moved between platforms, relisted victims, and reused stolen data to sustain pressure. Groups such as Cl0p, Qilin, Lynx, INC Ransom, Play, LockBit, and Crypto24 repeatedly claimed overlapping victims during short timeframes.  Several new groups, including Devman and Securotrop, initially operated within established RaaS programs before developing independent tooling and infrastructure. This progression blurred the line between affiliate and operator and further decentralized the ransomware landscape. 

Law Enforcement Pressure and Criminal Countermoves 

Law enforcement activity intensified throughout 2025. Authorities disrupted operations tied to CrazyHunters and 8Base and arrested or indicted affiliates associated with Black Kingdom, Conti, DoppelPaymer, RobbinHood, Scattered Spider, DiskStation, Ryuk, BlackSuit, and Yanluowang.  These actions forced tactical changes but did not suppress activity. CRIL confirmed insider recruitment efforts by Scattered Spider, LAPSUS$ Hunters, and Medusa. Other groups, including Play and MedusaLocker, publicly referenced similar recruitment strategies through announcements on their data leak sites. The ransomware landscape responded to enforcement pressure by becoming opaquer rather than less active. 

Tactical Shifts Toward Extortion-Only Models 

Operational realignment became more visible in 2025. Hunters International abandoned its RaaS model and rebranded as World Leaks, repositioning itself as an Extortion-as-a-Service provider while maintaining cross-relationships with RaaS operators such as Secp0. Analysis also indicated that Everest redirected part of its activity toward extortion-only campaigns, reducing reliance on encryption payloads.  [caption id="attachment_108751" align="aligncenter" width="291"] Rebranded ransomware groups reported in 2025 (Source: Cyble)[/caption] The year also saw widespread rebranding. Hunters International became World Leaks. Royal re-emerged as Chaos. LockBit 3.0 evolved into LockBit 4.5 and later 5.0. HelloKitty resurfaced as Kraken. At the same time, numerous groups dissolved or ceased operations, including ALPHV/BlackCat, Phobos/8Base, Cactus, RansomHub, and CrazyHunter. 

Victimology and Sector Impact 

Ransomware victimology data revealed 4,292 victims in the Americas, 1,251 in Europe and the UK, 589 across Asia and Oceania, and 202 within META-region organizations. The United States accounted for 3,527 victims, followed by Canada (360), Germany (251), the United Kingdom (198), Brazil (111), Australia (98), and India (67).  Sectoral impact remained uneven but severe. Manufacturing recorded 600 impacted entities, with industrial machinery and fabricated metal manufacturers bearing the brunt. Healthcare followed with 477 victims, where general hospitals and specialty clinics were repeatedly targeted to exploit the sensitivity of Personal Health Information. Construction, professional services, IT & ITES, BFSI, and government organizations also experienced sustained pressure. 

Supply Chain Exploitation and Infrastructure Risk 

Supply chain compromise emerged as a defining feature of the 2025 ransomware landscape. Cl0p’s exploitation of the Oracle E-Business Suite vulnerability CVE-2025-61882 affected more than 118 entities worldwide, primarily in IT & ITES. Among these victims were six organizations classified as critical infrastructure industries. Fog ransomware actors compounded supply chain risk by leaking GitLab source code from multiple IT firms.  Government and law enforcement agencies in the United States were targeted aggressively, with more than 40 incidents impacting essential public services. Semiconductor manufacturers in Taiwan and the United States remained priority targets due to their role as global production hubs. European semiconductor developers also faced attacks, though at lower volumes. 

High-Impact Incidents and Strategic Targeting 

Healthcare attacks continued to cause operational disruption, with repeated exposure of PHI used to intensify extortion pressure. Telecom providers faced sustained risk due to large-scale theft of customer PII, which threat actors actively traded and reused for downstream fraud. In several cases, ransomware groups removed breach disclosures from leak sites shortly after publication, suggesting successful ransom payments or secondary data sales.  Aerospace and defense organizations experienced fewer incidents but higher impact. One of the most significant events in 2025 was the attack on Collins Aerospace, which disrupted operations across multiple European airports and exposed proprietary defense technologies. Telemetry indicated disproportionate targeting of NATO-aligned defense developers.  Cyble’s Annual Threat Landscape Report makes one conclusion unavoidable: ransomware is no longer a disruption-driven threat; it is an intelligence-led, adaptive business model that thrives under pressure. The data from 2025 shows an ecosystem optimized for speed, affiliate mobility, and supply-chain leverage, with AI now embedded deep into extortion workflows and intrusion paths.   The Cyble Annual Threat Landscape Report provides complete datasets, regional breakdowns, threat actor analysis, and tactical intelligence drawn directly from CRIL’s monitoring of underground ecosystems. Readers can download the report to access the detailed findings, charts, and threat mappings referenced throughout this analysis.  Organizations looking to operationalize this intelligence can also book a Cyble demo to see how Cyble’s AI-powered threat intelligence platform translates real-world adversary data into actionable defense, combining automated threat hunting, supply-chain risk visibility, and predictive analytics driven by Cyble’s latest generation of agentic AI. 

The telecommunications sector, a cornerstone of national infrastructure, continued to remain under the radar of both ransomware and nation-state actors in 2025, revealed Cyble’s Telecommunications Sector Threat Landscape Report 2025.   The convergence of high-value subscriber data, geopolitical relevance, and complex digital ecosystems made the industry a persistent focal point for a wide spectrum of threat actors, including ideologically driven hacktivist groups.   “Telecommunications networks sit at the intersection of digital trust, national security, and everyday life. As threat actors continue to become more coordinated and persistent, telecom providers are no longer just service operators—they need to become frontline defenders of critical infrastructure,” said Mandar Patil, Founding Member & SVP at Cyble. 

Why the Telecommunication Sector Remains a Prime Target 

Telecom organizations were consistently targeted for their extensive repositories of Personally Identifiable Information (PII), including call records, billing details, and customer credentials. This data carries high resale value in underground markets, where compromised network access and customer databases are traded as commodities. The strategic importance of telecommunication networks in geopolitical conflicts further increased their attractiveness, as disruptions can have far-reaching economic and societal consequences.  Exposure through internet-facing infrastructure and reliance on third-party service providers amplified risk across the sector. These factors allowed threat actors to exploit vulnerabilities at multiple points, enabling both immediate financial exploitation and long-term network persistence. 

Ransomware Activity and Dominant Threat Groups 

Cyble documented 444 security incidents affecting the global telecommunication sector in 2025, including 90 confirmed ransomware attacks. Ransomware activity has increased fourfold since 2021. A total of 34 ransomware groups were identified, though the majority of attacks were driven by a small number of highly active actors.   The most prolific groups, Qilin, Akira, and Play, accounted for nearly 39% of all observed incidents. Qilin led with 16 attacks, primarily targeting organizations in the United States while expanding its operations into Europe and Asia. 

Supply Chain Impact and Regional Trends 

The impact of cyberattacks extended across the entire telecommunication ecosystem. While major carriers such as AT&T and Orange were among the most visible victims, threat actors also targeted internet infrastructure providers and manufacturers of communications equipment. This approach disrupted operations across interconnected systems, increasing the overall impact of ransomware campaigns.  Regionally, the Americas experienced the highest number of incidents, with the United States accounting for 47 attacks. Several telecom companies, including Verizon, AT&T, and Lumen Technologies, had reported breaches ahead of the U.S. elections in late 2024. In 2025, opportunistic actors continued to monetize data believed to have been exfiltrated during those earlier intrusions, particularly large volumes of customer PII. 

Nation-State Espionage and Hacktivist Disruption 

Beyond financially motivated crime, nation-state actors played a critical role in shaping the threat landscape. The China-linked Salt Typhoon campaign demonstrated sustained espionage efforts against global telecommunication providers by exploiting vulnerabilities in network-edge devices from vendors such as Cisco and Fortinet. These intrusions focused on long-term surveillance and the theft of sensitive call records, compromising hundreds of organizations. Geopolitically motivated hacktivism further contributed to disruption across the sector. Pro-Russian groups claimed intrusions into Ukrainian telecommunication infrastructure, using Distributed Denial-of-Service (DDoS) attacks, website defacements, and data leaks as part of broader ideological campaigns. 

Persistent Pressure and Emerging Patterns 

A defining trend in 2025 was the sustained, year-long activity of dominant ransomware groups. Qilin, in particular, maintained a consistent attack tempo throughout the year. One notable incident involved a U.S.-based telecom company appearing on the leak sites of both INC Ransom and Qilin within the same month. Additionally, isolated late-year activity linked to LockBit suggested residual operations by affiliates despite earlier law enforcement disruptions.  Overall, the telecommunication sector in 2025 faced a highly hostile environment marked by ransomware concentration, nation-state espionage, and an active underground economy trading stolen data and access.   “What we are witnessing is not a series of isolated attacks, but a sustained campaign against the telecom ecosystem. Organizations that fail to prioritize visibility, resilience, and supply-chain security will continue to face compounded risk in an increasingly contested cyber landscape,” Patil concluded.  For deeper insights into ransomware activity, nation-state threats, and telecom security risks, check out Cyble's  Telecommunications Sector Threat Landscape Report 2025.

After stabilizing in 2024, the growth of known exploited vulnerabilities accelerated in 2025. That was one conclusion from Cyble’s analysis of CISA’s Known Exploited Vulnerability (KEV) catalog data from 2025. After growing at roughly 21% in 2023, with 187 vulnerabilities added to the CISA KEV catalog that year, growth slowed to about 17% in 2024, with 185 vulnerabilities added. Growth in exploited vulnerabilities reaccelerated in 2025, with 245 vulnerabilities added to the KEV database, for a roughly 20% growth rate. The KEV catalog ended 2025 with 1,484 software and hardware flaws at high risk of attack. The 245 flaws added in 2025 is also more than 30% above the trend of 185 to 187 vulnerabilities added the previous two years. Cyble also examined vulnerabilities exploited by ransomware groups, the vendors and projects with the most KEV additions (and several that actually improved), and the most common exploited software weaknesses (CWEs).

Older Vulnerabilities Added to CISA KEV Also Grew

Older vulnerabilities added to the CISA KEV catalog also grew in 2025, Cyble said. After adding an average of 65 older vulnerabilities to the KEV catalog in 2023 and 2024, CISA added 94 vulnerabilities from 2024 and earlier to the catalog in 2025, an increase of nearly 45% from the 2023-2024 average. The oldest vulnerability added to the KEV catalog last year was CVE-2007-0671, a Microsoft Office Excel Remote Code Execution vulnerability. The oldest vulnerability in the catalog remains CVE-2002-0367, a privilege escalation vulnerability in the Windows NT and Windows 2000 smss.exe debugging subsystem that has been known to be used by ransomware groups, Cyble said. CISA removed at least one vulnerability from the KEV catalog in 2025. CVE-2025-6264 is a Velociraptor Incorrect Default Permissions vulnerability that CISA determined had “insufficient evidence of exploitation,” Cyble noted.

Vulnerabilities Targeted in Ransomware Attacks

CISA marked 24 of the vulnerabilities added in 2025 as known to be exploited by ransomware groups, Cyble said. Those vulnerabilities include some well-known flaws such as CVE-2025-5777 (dubbed “CitrixBleed 2”) and Oracle E-Business Suite vulnerabilities targeted by the CL0P ransomware group. Vendors with multiple vulnerabilities targeted by ransomware groups included Fortinet, Ivanti, Microsoft, Mitel, Oracle and SonicWall.

Projects and Vendors with the Most Exploited Vulnerabilities

Microsoft once again led all vendors and projects in CISA KEV additions in 2025, with 39 vulnerabilities added to the database, up from 36 in 2024. Apple, Cisco, Google Chromium. Ivanti and Linux each had 7-9 vulnerabilities added to the KEV catalog. Several vendors and projects actually improved in 2025, with fewer vulnerabilities added than they had in 2024, “suggesting improved security controls,” Cyble said. Adobe, Android, Apache, Ivanti, Palo Alto Networks, and VMware were among those that saw a decline in KEV vulnerabilities.

Most Common Software Weaknesses

Eight software and hardware weaknesses (common weakness enumerations, or CWEs) were “particularly prominent among the 2025 KEV additions,” Cyble said, noting that the list is similar to the 2024 list. The most common CWEs in the 2025 CISA KEV additions were:

• CWE-78 – OS Command Injection – accounted for 18 of the 245 vulnerabilities.
• CWE-502 – Deserialization of Untrusted Data – was  a factor in 14 of the vulnerabilities.
• CWE-22 – Path Traversal – appeared 13 times.
• CWE-416 – Use After Free – was a flaw in 11 of the vulnerabilities.
• CWE-787 – Out-of-bounds Write – accounted for 10 of the vulnerabilities.
• CWE-79 – Cross-site Scripting – appeared 7 times.
• CWE-94 (Code Injection) and CWE-287 (Improper Authentication) appeared 6 times each.

 

Cyble researchers have identified a sophisticated attack campaign that uses obfuscation, a unique User Account Control (UAC) bypass and other stealthy techniques to deliver a unified commodity loader and infect systems with Remote Access Trojans (RATs) and infostealers. The malware campaign targets the Manufacturing and Government sectors in Europe and the Middle East, with a specific focus on Italy, Finland, and Saudi Arabia, but shares common features with other attack campaigns, suggesting a shared malware delivery framework used by multiple “high-capability” threat actors. “The primary objective is the exfiltration of sensitive industrial data and the compromise of high-value administrative credentials,” Cyble Research and Intelligence Labs (CRIL) said in a blog post published today.

Sophisticated Attack Campaign Uses Loader Shared by ‘High-capability’ Threat Actors

The sophisticated commodity loader at the heart of the campaign is “utilized by multiple high-capability threat actors,” Cyble said. “Our research confirms that identical loader artifacts and execution patterns link this campaign to a broader infrastructure shared across multiple threat actors,” the researchers said. The CRIL researchers describe “a striking uniformity of tradecraft, uncovering a persistent architectural blueprint that serves as a common thread. Despite the deployment of diverse malware payloads, the delivery mechanism remains constant.” Standardized methodology includes the use of steganography to conceal payloads within image files, the use of string reversal and Base64 encoding for obfuscation, and delivering encoded payload URLs directly to the loader. The threat actors also “consistently abuse legitimate .NET framework executables to facilitate advanced process hollowing techniques.” Cyble said researchers from Seqrite, Nextron Systems, and Zscaler, have documented similar findings in other campaigns, including “identical class naming conventions and execution patterns across a variety of malware families and operations.” The researchers shared code samples of the shared loader architecture and noted, “This consistency suggests that the loader might be part of a shared delivery framework used by multiple threat actors.” The loaders have been observed delivering a variety of RATs and infostealers, such as PureLog Stealer, Katz Stealer, DC Rat, Async Rat, and Remcos. “This indicates the loader is likely shared or sold across different threat actor groups,” Cyble said. “The fact that multiple malware families leverage these class naming conventions as well as execution patterns ... is further testament to how potent this threat is to the target nations and sectors,” Cyble added.

Campaign Uses Obfuscation, UAC Bypass

The campaign documented by Cyble uses “a diverse array of infection vectors,” such as Office documents that weaponize CVE-2017-11882, malicious SVG files, ZIP archives containing LNK shortcuts, and a unique User Account Control (UAC) bypass. One sample used an LNK file and PowerShell to download a VBS loader, along with the UAC bypass method. The UAC bypass technique appears in later stages of the attack, where the malware monitors process creation events and triggers a UAC prompt when a new process is launched, “tricking the system or user into granting elevated privileges under the guise of a routine operation” and “enabling the execution of a PowerShell process with elevated privileges after user approval.” “The discovery of a novel UAC bypass confirms that this is not a static threat, but an evolving operation with a dedicated development cycle,” the researchers added. “Organizations, especially in the targeted regions, should treat ‘benign’ image files and email attachments with heightened scrutiny.” The campaign starts as a phishing campaign masquerading as standard Purchase Order communications. Image files are hosted on legitimate delivery platforms and contain steganographically embedded payloads, “allowing the malicious code to slip past file-based detection systems by masquerading as benign traffic.” The threat actors use a sophisticated “hybrid assembly” technique to “trojanize” open-source libraries. “By appending malicious functions to trusted open-source libraries and recompiling them, the resulting files retain their authentic appearance and functionality, making signature-based detection extremely difficult,” the researchers said. The infection chain is also engineered “to minimize forensic footprint,” including script obfuscation, steganographic extraction, reflective loading to run code directly in memory, and process injection to hide malicious activity within legitimate system processes. The full Cyble blog takes an in-depth technical look at one sample and also includes recommendations, MITRE tactics, techniques and procedures (TTPs), and Indicators of Compromise (IoCs).

Mumbai, India – December 19, 2026 — ET Edge has recognized Beenu Arora, CEO & Co-Founder of Cyble, as one of India’s Impactful CEOs 2025, honoring visionary leaders who demonstrate exceptional leadership, innovation, and measurable impact in shaping the future of business and technology. The ET Edge Impactful CEO recognition honors leaders who drive transformation through strategic, purpose-driven leadership. Beenu Arora’s inclusion highlights his continued focus on advancing cybersecurity innovation and strengthening digital trust globally. 

Purpose-Driven Leadership Behind Cyble’s Global Growth

Under Beenu Arora’s leadership, Cyble has grown into a globally recognized cybersecurity intelligence provider, delivering AI-powered threat intelligence and digital risk protection to help enterprises and governments proactively combat threats across surface, serious, and dark web ecosystems. Beenu’s leadership philosophy centers on purposeful innovation, customer focus, and empowering teams to address real-world security challenges at scale. He has led Cyble through rapid global expansion while fostering a culture of integrity, collaboration, and continuous learning. His focus on AI-driven, actionable intelligence has positioned Cyble as a trusted partner in an increasingly complex cyber threat landscape.  “This recognition by ET Edge is deeply humbling and reinforces our belief that cybersecurity is no longer just a technology challenge; it is a business and societal imperative,” said Beenu Arora, CEO & Co-Founder of Cyble. This honor belongs to the entire Cyble team, whose passion, innovation, and commitment to protecting the digital ecosystem inspire everything we do.  He further added, “Our focus remains on building intelligence-led, AI-driven solutions that help organizations anticipate risks, make informed decisions, and enhance their long-term digital resilience. We are committed to creating a safer and more trusted digital future for businesses and governments around the world.” The ET Edge Impactful CEO 2025 recognition underscores Cyble’s growing global influence and highlights Beenu Arora’s role as a forward-thinking leader driving innovation and resilience in cybersecurity.

About Cyble 

Founded as an AI-first cybersecurity company, Cyble delivers real-time threat intelligence, digital risk protection, and predictive cyber defense solutions to enterprises and governments worldwide. Trusted by Fortune 500 organizations and public sector agencies, Cyble is committed to making the digital world safer through intelligent, autonomous cybersecurity.  For more information on Cyble’s Agentic AI-powered cybersecurity solutions, visit www.cyble.com.  Media Contact: 📧 enquiries@cyble.com 📞 +1 888 673 2067 

Cyble researchers have identified new Linux malware that combines Mirai-derived DDoS botnet capabilities with a stealthy fileless cryptominer, enabling both network disruption and financial profit in the same threat campaign. “This campaign represents a sophisticated and financially motivated operation combining botnet propagation with stealthy cryptomining,” Cyble threat intelligence researchers wrote in a blog post today. Stealthy techniques and processes allow the new Mirai variant to conduct its mischief in secret. “The attacker employs multiple advanced techniques—including raw-socket scanning, masqueraded processes, internal localhost IPC, dynamic DNS resolution, and fileless miner configuration—to evade detection and maintain long-term persistence on compromised devices,” the researchers said.

Linux Malware Combines Mirai Botnet with XMRig Cryptominer

Combining Mirai-based DDoS botnet capabilities with XMRig-based cryptomining capabilities reflects a growing trend of “hybrid monetization strategies, where threat actors maximize ROI by leveraging infected devices not only for botnet attacks but also for illicit cryptocurrency mining,” the researchers wrote. Organizations operating Linux servers, cloud workloads, or exposed IoT devices “should prioritize hardening and continuous monitoring to mitigate their risk,” they said. The malware uses a multi-stage infection chain that begins with a downloader delivering architecture-specific V3G4/Mirai binaries across x86_64, ARM, and MIPS systems. The second stage, Mddos.x86_64, is a statically linked and UPX-packed Executable and Linkable Format (ELF) file with stripped symbols, “making static inspection more complicated,” Cyble said. After executing and gathering system information, the Linux malware moves into stealth mode, renaming its process to appear as a system daemon (systemd-logind), detaching from the terminal, and launching parallel worker threads for attack operations, command and control (C2) communication, and inter-process communication (IPC) coordination. “A key characteristic of this botnet variant is its use of raw TCP sockets, allowing precise crafting of SYN packets for high-velocity SSH scanning campaigns,” the researchers said. At the same time, worker threads resolve the C2 domain (baojunwakuang[.]asia) via repeated queries to Google Public DNS (8.8.8.8) to maintain command channels. “This multi-threaded DNS resolution strategy is typical of Mirai-style bots, allowing the malware to maintain connectivity and receive commands while executing attacks in parallel,” the researchers wrote.

Fileless Cryptominer

In the third stage, the malware deploys a covert Monero cryptominer by downloading a UPX-packed XMRig binary from the IP 159.75.47[.]123 and stores it in /tmp/.dbus-daemon to masquerade as a legitimate process. Instead of a local configuration file, the miner obtains its configuration dynamically from the C2 server, “enabling real-time updates to wallet addresses, mining pools, and algorithms while leaving no on-disk artifacts” and hindering forensic analysis. “Unlike typical miner deployments that embed a static configuration file on disk ... this sample requests runtime configuration data directly from the C2 server,” the Cyble researchers said. That technique allows the threat actors to avoid exposing wallet addresses, pool endpoints and algorithms during static analysis while dynamically rotating mining parameters and preventing visibility of miner settings on the infected host. During execution, the miner connects to the C2 server to make a configuration request, and the server responds with a JSON blob containing the pool URL, wallet address, algorithm, and thread count. The full Cyble blog includes recommendations for defenders, MITRE ATT&CK techniques, and indicators of compromise (IoCs).

Cyble researchers have identified a new NFC relay attack campaign targeting users in Brazil. Dubbed “RelayNFC,” Cyble Research and Intelligence Labs (CRIL) researchers identified five phishing sites distributing the malicious app, which claims to secure payment cards. The malicious application captures the victim’s card details and relays them to attackers for fraudulent transactions. The malware is also highly evasive and remains undetected by security tools.

NFC Relay Attack App Evades Security Tools

RelayNFC is a “lightweight yet highly evasive malware” because of its Hermes-compiled payload, Cyble said. Use of the JavaScript engine “makes detection significantly harder, enabling it to stealthily capture victims’ card data and relay it in real time to an attacker-controlled server,” the researchers said. VirusTotal detections of the NFC relay attack malware were at zero at publication time, “indicating very low visibility across the security ecosystem, and the code suggests a high likelihood of continued development,” they said. RelayNFC uses a full real-time Application Protocol Data Unit (APDU) relay channel that enables attackers to complete transactions “as though the victim’s card were physically present.” The researchers also identified a related variant that attempts to implement Host Card Emulation (HCE), suggesting that the threat actor is exploring other NFC relay techniques too. Other malware strains exploiting Near-Field Communication (NFC) capabilities to intercept or relay contactless payment data have included Ngate, SuperCardX, and PhantomCard, suggesting a growing trend of NFC exploits, Cyble said.

RelayNFC Malware Relies on Phishing Sites

Distribution of RelayNFC relies entirely on phishing, tricking users into downloading the malware. The campaign uses a Portuguese-language page that prompts victims to install the malicious payment card security app (image below). [caption id="attachment_107130" align="aligncenter" width="262"] NFC relay attack phishing site (Cyble)[/caption] The researchers identified five malicious sites distributing the app, “indicating a coordinated and ongoing operation targeting Brazilian users.” Those sites include:

• maisseguraca[.]site
• proseguro[.]site
• test[.]ikotech[.]online
• maisseguro[.]site
• maisprotecao[.]site

RelayNFC appears to be a new variant built using the React Native framework and has been active for at least a month. The malware operates as a “reader,” the researchers said, capturing victim card data and relaying it to the attacker’s server. After installation, the app immediately displays a phishing screen that tells the user to tap their payment card on the device. Once the card data has been read, RelayNFC displays another phishing screen that prompts the victim to enter their 4- or 6-digit PIN.

APDU Commands Turn Device Into ‘Remote NFC Reader’

The RelayNFC code is built around a relay channel that uses a persistent WebSocket connection to forward Application Protocol Data Unit (APDU) commands between the attacker’s server and the victim’s NFC subsystem, “effectively turning the infected device into a remote NFC ‘reader’ for the attacker,” the researchers said. The NFC controller processes the command and generates a genuine APDU response, as the card would during a legitimate transaction. RelayNFC captures that output and returns it to the command-and-control server in an “apdu-resp” message, “preserving the original request ID and session ID so the attacker’s device can continue the EMV transaction seamlessly.” “This real-time, bidirectional relay of APDU commands and responses is what enables the attacker to execute a full payment flow remotely, as if the victim’s card were physically present at their POS terminal,” the researchers said. “By combining phishing-driven distribution, React Native–based obfuscation, and real-time APDU relaying over WebSockets, the threat actors have created a highly effective mechanism for remote EMV transaction fraud,” they said. The researchers said their findings underscore the need for strong device-level protections, user awareness, and monitoring by financial institutions.