VerSprite Weekly Threat Intelligence #37
Date Range 20 October 2025 – 24 October 2025
Issue: 37th Edition
Reported Period Victimology

Security Triumphs of the Week
This week delivered decisive wins in global cybersecurity enforcement and defense. A U.S. court struck a landmark ruling against spyware maker NSO Group, permanently banning it from WhatsApp and ordering the destruction of its hacking tools, setting a new bar for accountability in surveillance abuse. Microsoft strengthened Windows protections by disabling File Explorer previews for internet files, thwarting credential theft attacks. At the same time, Symantec exposed overlapping Chinese APT operations deploying Zingdoor, ShadowPad, and KrustyLoader in global espionage campaigns. In the software supply chain, Socket uncovered a malicious NuGet typosquat “Netherеum.All” that exfiltrated crypto wallet keys. From courtroom victories to deep threat exposure, defenders demonstrated that coordinated action continues to keep pressure on cyber adversaries worldwide.
US Court Blocks Spyware Maker NSO Over WhatsApp Hack
A U.S. federal court permanently banned NSO Group from accessing WhatsApp and ordered it to destroy code used to hack 1,400 devices via a zero-day exploit. The ruling upheld an injunction barring NSO from reverse-engineering WhatsApp, despite the firm’s claims it would force closure. Damages were reduced from $167M to $4M, but the judge emphasized public interest, citing NSO’s role in enabling governments to target dissidents and journalists. The court deemed unauthorized data access a direct business harm, not just reputational. NSO, facing financial strain and U.S. export restrictions, was recently acquired by a U.S. investor group. The decision reinforces accountability for spyware abuses.
Read full article: Bankinfosec
Microsoft disables File Explorer preview for downloads to block attacks
Microsoft has disabled the File Explorer preview feature for files downloaded from the internet to mitigate credential theft attacks via malicious documents. This change, active after October 2025 security updates on Windows 11 and Server, blocks previews for files marked with the “Mark of the Web” or from Internet Zone shares. Users attempting to preview such files see a security warning, preventing attackers from exploiting vulnerabilities to steal NTLM hashes through malicious HTML tags. The attack requires minimal user interaction, making this defense critical. Users can manually unblock trusted files via Properties > “Unblock,” though this may require a sign-out. The update aims to reduce risks without disrupting standard workflows unless users frequently preview downloaded files.
Read full article: Bleepingcomputer
Symantec Exposes Chinese APT Overlap: Zingdoor, ShadowPad, and KrustyLoader Used in Global Espionage
Symantec uncovered overlapping Chinese state-linked APT operations using Zingdoor, ShadowPad, and KrustyLoader malware in global espionage campaigns. These tools, linked to groups like Glowworm and UNC5221, targeted a U.S. university and two South American government agencies via SQL Server and Apache HTTP vulnerabilities. Attackers employed stealth tactics, including disguising malicious DLLs as legitimate software and leveraging native tools like Certutil and PetitPotam for credential theft. ShadowPad’s modular RAT and KrustyLoader’s Rust-based payload delivery enabled persistent access. The campaign exploited the ToolShell vulnerability more broadly than previously known, indicating a coordinated effort to establish long-term network access for data exfiltration.
Read full article: Securityonline
Socket Uncovers Malicious NuGet Typosquat “Netherеum.All” Exfiltrating Wallet Keys via Solana-Themed C2
Socket identified a malicious NuGet package, “Netherеum.All,” using a Cyrillic ‘e’ (U+0435) to typosquat the legitimate Nethereum library. The package contained code to exfiltrate Ethereum wallet keys, mnemonics, and transaction data via a Solana-themed C2 server (solananetworkinstance[.]info). The attack employed XOR obfuscation to decode the C2 URL at runtime, embedding malicious functionality within a seemingly legitimate transaction module. Published on October 16, 2025, by nethereumgroup, the package mimicked Nethereum’s structure and used download inflation to boost visibility. Socket linked it to an earlier campaign (NethereumNet), indicating a coordinated supply chain attack targeting developers through homoglyph deception and stealthy data theft.
Read full article: Securityonline
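The homoglyph trick described above (a Cyrillic ‘е’, U+0435, standing in for a Latin ‘e’) is cheap to catch at build time. The following is an added example, not code from Socket or the Nethereum project: it pulls PackageReference ids out of a constructed .csproj, flags any non-ASCII characters, and folds look-alike letters back to ASCII to see whether a name collapses onto a trusted package id. The confusable table and trusted list are small constructed illustrations, not the full Unicode confusables data.

```python
"""Flag NuGet package ids that impersonate trusted names via homoglyphs.

Added example (not Socket's or Nethereum's code). Two checks per package id:
  1. any non-ASCII character (NuGet ids should be plain ASCII), and
  2. whether the id, with look-alike letters mapped back to Latin, matches a
     trusted id while the raw id does not (the "Netherеum.All" pattern).
"""
import unicodedata
import xml.etree.ElementTree as ET

# Constructed subset of Unicode confusables (Cyrillic/Greek letters that render
# like Latin ones).  Key: look-alike character, value: the Latin letter it mimics.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0391": "A", "\u0392": "B", "\u0395": "E", "\u0397": "H", "\u039a": "K",
    "\u039c": "M", "\u039d": "N", "\u039f": "O", "\u03a1": "P", "\u03a4": "T",
}

# Constructed allow-list of package ids the project is expected to depend on.
# NuGet ids are case-insensitive, so compare in lower case but keep the canonical spelling.
TRUSTED = {"Nethereum.All", "Nethereum.Web3", "Newtonsoft.Json"}
_TRUSTED_LOWER = {t.lower(): t for t in TRUSTED}


def skeleton(package_id: str) -> str:
    """Return the ASCII look-alike form of a package id.

    NFKC folds presentation variants (full-width letters, ligatures); the
    confusable table then swaps Cyrillic/Greek twins for their Latin letters.
    """
    folded = unicodedata.normalize("NFKC", package_id)
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def non_ascii_chars(package_id: str) -> list:
    """List (index, char, code point, Unicode name) for every non-ASCII character."""
    return [
        (i, ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "?"))
        for i, ch in enumerate(package_id)
        if ord(ch) > 0x7F
    ]


def analyze(package_id: str) -> dict:
    """Classify one package id: ok, homoglyph-typosquat, suspicious-non-ascii or unknown."""
    raw_lower = package_id.lower()
    skel_lower = skeleton(package_id).lower()
    odd = non_ascii_chars(package_id)
    impersonates = None
    if raw_lower in _TRUSTED_LOWER:
        verdict = "ok"
    elif skel_lower in _TRUSTED_LOWER:
        # Looks like a trusted id once confusables are folded, but is not that id.
        impersonates = _TRUSTED_LOWER[skel_lower]
        verdict = "homoglyph-typosquat"
    elif odd:
        verdict = "suspicious-non-ascii"
    else:
        verdict = "unknown"
    return {"package": package_id, "non_ascii": odd,
            "impersonates": impersonates, "verdict": verdict}


def package_ids(csproj_xml: str) -> list:
    """Extract PackageReference Include attributes from an MSBuild project file."""
    root = ET.fromstring(csproj_xml)
    return [e.get("Include") for e in root.iter("PackageReference") if e.get("Include")]


def scan_csproj(csproj_xml: str) -> list:
    """Return the analysis for every package referenced in the project file."""
    return [analyze(pid) for pid in package_ids(csproj_xml)]


# Constructed sample project: the second reference uses Cyrillic U+0435 for the 'e'.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Nethereum.Web3" Version="4.0.0" />
    <PackageReference Include="Nether\u0435um.All" Version="4.0.0" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for finding in scan_csproj(SAMPLE_CSPROJ):
        print(finding["verdict"], finding["package"],
              finding["non_ascii"], finding["impersonates"])
```

The skeleton step goes beyond the Cyrillic case on the page: full-width Latin letters (e.g. U+FF2E) fold to ASCII under NFKC, so they are caught by the same comparison.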
Security Setbacks of the Week
This week delivered a wave of damaging cyber setbacks across critical sectors. Heywood Healthcare hospitals in Massachusetts were forced offline by a crippling cyberattack, while Eastern Radiologists agreed to a $3.4M settlement after a major patient data breach. Toys “R” Us Canada confirmed customer data theft that could ignite phishing campaigns, and the UK Ministry of Defense investigated a 4TB data leak linked to the Lynx ransomware group. At a global scale, Chinese crime networks profited over $1B from massive smishing scams, while Gcore defended against a record-breaking 6Tbps DDoS attack. Collectively, these incidents highlight an alarming rise in healthcare breaches, nation-state espionage, and industrialized cybercrime straining global digital resilience.
Cyberattack Disrupts Services at 2 Massachusetts Hospitals
A cyberattack disrupted services at Heywood Healthcare’s two Massachusetts hospitals, forcing IT systems offline, diverting ambulance patients, and limiting radiology and lab services. The nonprofit healthcare system is investigating the incident with third-party experts and law enforcement, while maintaining inpatient and outpatient care. The attack reflects a broader trend of healthcare organizations being prime targets for ransomware due to their critical operations and likelihood to pay ransoms. Studies show 72% of healthcare entities faced patient care disruptions from cyberattacks in the past year. Experts emphasize evolving threats like AI-driven phishing and supply-chain vulnerabilities, urging improved security measures such as network segmentation, zero-trust architectures, and proactive risk management. The incident underscores the sector’s ongoing challenges in balancing cybersecurity resilience with patient care demands.
Read full article: Bankinfosec
Radiology Practice to Pay $3.4M-Plus to Settle Hack Lawsuit
Eastern Radiologists, a North Carolina radiology practice, agreed to pay over $3.4 million to settle a class action lawsuit stemming from a 2023 data breach affecting nearly 887,000 patients. The breach exposed sensitive information, including Social Security numbers, medical diagnoses, treatment details, and insurance data. Hackers stole the data, which was later posted on the dark web. The settlement includes reimbursements of up to $5,000 for documented losses and a $3.2 million fund for undocumented claims, with half potentially allocated to legal fees. Eastern Radiologists denied wrongdoing but committed to enhancing data security. A final court hearing is scheduled for December 2025.
Read full article: Bankinfosec
Toys “R” Us Canada Confirms Data Breach – Customers’ Personal Data Stolen
Read full article: Cybernews
UK Ministry of Defense Probes Military Contractor Data Leak
The UK Ministry of Defense is investigating a data breach involving military contractor Dodd Group, targeted by the Russian-speaking Lynx ransomware group. Lynx claims to have stolen 4TB of data, including contractor and MoD personnel details, car registrations, and project documents related to military base installations. The breach, confirmed by Dodd Group, reportedly exposed limited data, with systems now secured. Lynx, known for double extortion tactics, previously targeted healthcare and construction firms. The incident aligns with rising UK ransomware attacks, prompting a legislative proposal to ban ransom payments by critical infrastructure. A new cybersecurity bill is expected in November.
Read full article: Bankinfosec
Chinese gangs made over $1 billion targeting Americans with scam texts
Chinese criminal groups have generated over $1 billion in three years by targeting Americans with scam texts, particularly through toll payment, postage, and refund frauds. These scams, often posing as urgent government messages, surged by 350% since January 2024, with 330,000 daily reports at peak. Using U.S.-based SIM farms to send bulk messages, criminals steal credit card details, bypass multi-factor authentication via mobile wallets, and launder money through gift cards and high-value goods. Stolen card data is shared internationally, with gig workers and mules purchasing items shipped to China. U.S. law enforcement’s Project Red Hook aims to disrupt these operations, highlighting the industrialized scale of this cross-border fraud.
Read full article: Malwarebytes
Cybercriminals targeted a gaming hosting provider with one of the biggest DDoS attacks ever – 6Tbps assault ranks in the top 10 of the largest DDoS onslaughts recorded
A gaming hosting provider, Gcore, faced one of the largest DDoS attacks ever recorded, peaking at 6Tbps and 5.3 billion packets per second. The short-duration assault, linked to the AISURU botnet, primarily used the UDP protocol and originated mostly from Brazil (51%) and the US (24%), exploiting unsecured networks. Gcore mitigated the attack using its global infrastructure of 210+ Points of Presence and 200+ Tbps of filtering capacity. The incident highlights a trend of short-burst DDoS attacks probing network resilience, often preceding complex cyberattacks like malware or ransomware infiltration. DDoS activity has surged 41% in a quarter, with tech and gaming sectors heavily targeted. Experts warn of evolving tactics combining disruption with infrastructure exploitation.
Read full article: Techradar
The New Emerging Threats
This week’s Emerging Threats highlight a surge in stealthy, state-linked, and AI-enhanced cyberattacks reshaping the global threat landscape. Morocco’s Atlas Lion ran the “Jingle Thief” campaign, stealing gift cards via internal impersonation in cloud systems. In Eastern Europe, PhantomCaptcha targeted Ukrainian NGOs with fake Cloudflare pages deploying a WebSocket RAT, while India faced AI-assisted DeskRAT attacks from TransparentTribe. Fileless Remcos campaigns evaded EDRs, and SessionReaper exploited live session hijacks across thousands of online stores. Iran’s MuddyWater returned to macro-based phishing, and China-linked Warlock ransomware weaponized a SharePoint zero-day. These incidents reflect a dangerous convergence of espionage, AI automation, and hybrid nation-crime operations.
Scammers are targeting cloud systems to make off with hauls of gift cards
A Moroccan hacking group, Atlas Lion (Storm-0539), has been conducting a long-term campaign dubbed “Jingle Thief” to infiltrate corporate cloud systems and steal gift cards. Using phishing, the group impersonates employees to access IT infrastructure, focusing on SharePoint, OneDrive, and internal workflows for gift card issuance. They avoid malware, instead exploiting internal phishing and impersonation to bypass security. Gift cards are targeted for their untraceability, quick resale value, and ease of conversion on dark web markets. The group maintained access for nearly a year in one case, compromising over 60 accounts. The campaign peaks during festive seasons, aligning with increased gift card usage. Researchers highlight the sophistication of their evasion tactics and prolonged access to maximize theft.
Read full article: Techradar
PhantomCaptcha Spyware Targets Ukraine NGOs with Fake Cloudflare Lure to Deploy WebSocket RAT
PhantomCaptcha spyware targeted Ukrainian NGOs and government agencies via spearphishing emails impersonating the Ukrainian President’s Office. The campaign used weaponized PDFs with links to fake Cloudflare verification pages hosted on Russian infrastructure, tricking victims into executing a PowerShell-based WebSocket RAT. Attackers employed a multi-stage infection chain, evading detection through obfuscation, disabled logging, and encrypted communications. The infrastructure, active only briefly, suggests anti-forensic measures and possible ties to the Russian FSB-linked COLDRIVER group. A related Android malware, disguised as an adult app, harvested sensitive mobile data. Researchers highlight the attackers’ operational discipline and social engineering tactics.
Read full article: Securityonline
New Fileless Remcos Attacks Bypass EDRs by Injecting Malicious Code into RmClient
A new fileless attack campaign deploying the Remcos remote access trojan (RAT) is evading EDR detection by injecting malicious code into the legitimate Microsoft-signed RmClient.exe process. The attack begins with phishing emails distributing a malicious .gz archive, triggering obfuscated PowerShell scripts that download payloads from C2 servers. Threat actors leverage msiexec.exe for process injection, exploiting RmClient.exe’s valid signature to bypass security tools. The malware targets browser credential stores (key4.db, logins.json) to steal sensitive data and maintain persistence via randomized RmClient.exe instances. C2 communications occur over non-standard ports, complicating network detection. The campaign highlights evolving fileless techniques abusing trusted system binaries for stealth.
Read full article: Cybernews
Threat Actors Attacking Azure Blob Storage to Compromise Organizational Repositories
Threat actors are targeting Azure Blob Storage by exploiting compromised credentials and misconfigured access controls to infiltrate organizational repositories, exfiltrating sensitive data and intellectual property. The campaign involves phishing and malware like SharkStealer, which uses blockchain-based EtherHiding to evade detection by retrieving commands via BNB Smart Chain Testnet smart contracts. Attackers leverage stolen Azure credentials to access storage containers, download source code, and extract configuration files. This method combines credential theft with blockchain obfuscation, complicating detection as traffic mimics legitimate blockchain activity. Sectors like finance, tech, and critical infrastructure are impacted. Mitigation includes enforcing strict access policies, multi-factor authentication, and monitoring for anomalous network behavior.
Read full article: Cybernews
Thousands of online stores at risk as SessionReaper attacks spread
A critical remote code execution vulnerability (CVE-2025-54236), dubbed SessionReaper, threatens Magento and Adobe Commerce platforms, enabling attackers to hijack live customer sessions and potentially take over servers. Exploiting improper input validation, attackers can bypass security, steal data, execute fraudulent orders, or inject payment-skimming malware. Despite a patch released on September 9, 62% of stores remain unpatched six weeks later. Following a public proof-of-concept, exploits surged, compromising over 250 stores within 24 hours. The flaw highlights risks of unpatched systems turning trusted sites into data-theft traps, with consumers advised to use third-party payment gateways and monitor for suspicious activity.
Read full article: Malwarebytes
Iranian MuddyWater hackers use compromised mailboxes for global phishing scams
Iranian state-sponsored threat actor MuddyWater conducted a global phishing campaign using compromised email accounts to distribute malicious Word documents. These documents urged victims to enable macros, deploying the Phoenix v4 backdoor and other tools like RMM software and Chromium_Stealer to steal browser data. Despite Microsoft’s 2022 default macro blocking for email-delivered files, these outdated techniques remain effective. The campaign targeted international organizations with convincing fake emails, leveraging embedded Visual Basic code for malware execution. Group-IB linked the attack to MuddyWater through code overlaps, infrastructure, and targeting patterns, highlighting state actors’ continued use of older techniques. The operation underscores the persistent risk of phishing and macro-based threats despite security improvements.
Read full article: Techradar
Warlock Ransomware Hits US Firms Exploiting SharePoint Zero-Day, Linked to China’s CamoFei APT
Warlock ransomware, linked to China’s CamoFei APT group (Storm-2603), has targeted U.S. firms by exploiting a Microsoft SharePoint zero-day (CVE-2025-53770). Researchers from Symantec and Carbon Black identified its use of a stolen “coolschool” certificate and a BYOVD tactic involving a vulnerable Baidu antivirus driver to disable security tools. The ransomware shares ties with Anylock (rebranded LockBit 3.0) and overlaps with Chinese espionage operations, blending cybercrime and state-aligned tactics. Attacks deployed Warlock and LockBit payloads, highlighting collaboration between Chinese APTs and ransomware actors. Forensic evidence connects Warlock to prior CamoFei campaigns, suggesting continuity in tools and infrastructure.
Read full article: Securityonline
Vulnerability Spotlight: Critical Exposures Unveiled
This week’s Vulnerability Spotlight exposed a wave of high-severity flaws threatening enterprise, cloud, and endpoint systems worldwide. A zero-click Dolby UDC bug (CVE-2025-54957) enables remote code execution on Android and Windows devices, while Adobe Commerce and Magento stores remain at risk from the SessionReaper flaw, allowing attackers to hijack customer accounts. The F5 breach left over 266,000 BIG-IP instances exposed to potential attacks, and Chinese threat actors exploited exposed ASP.NET keys to deploy the TOLLBOOTH IIS backdoor and kernel rootkits across 570 targets. Active exploitation of the Lanscope Endpoint Manager permits unauthenticated code execution, amplifying risk. These incidents highlight the critical importance of prompt patching, secure configurations, and vigilant monitoring to defend against rapidly evolving threats.
Zero-click Dolby audio bug lets attackers run code on Android and Windows devices
A zero-click remote code execution (RCE) vulnerability (CVE-2025-54957) in Dolby’s Unified Decoder Component (UDC) allows attackers to exploit Android (Samsung, Pixel) and Windows devices via malformed audio files. The flaw stems from a buffer overflow triggered by improper handling of “evolution data” in Dolby Digital Plus streams, enabling code execution without user interaction. Dolby and device vendors have released patches, but delays in firmware/OS updates leave systems exposed. Exploitation could be combined with other vulnerabilities for privilege escalation. Users are advised to avoid unsolicited audio files, apply updates promptly, and use updated anti-malware tools.
Read full article: Malwarebytes
Hundreds of Adobe Magento stores hit after critical security flaw found – here’s what we know
A critical vulnerability (CVE-2025-54236) in Adobe Commerce and Magento Open Source is being actively exploited, allowing attackers to hijack customer accounts via the REST API. Over 250 attacks occurred within 24 hours, with attackers deploying PHP backdoors through fake sessions. Despite a patch being available for six weeks, 62% of stores remain unpatched. Sansec warns attackers are probing PHP configurations and urges immediate patching, WAF activation, and malware scans. This follows a similar 2024 flaw (CosmicSting), highlighting recurring security risks. Unpatched systems risk severe compromise, emphasizing the need for swift action.
Read full article: Techradar
F5 breach fallout – over 266,000 instances exposed to remote attacks
A recent breach at F5 exposed sensitive BIG-IP source code and vulnerability data, potentially enabling attackers to develop exploits. Over 266,000 BIG-IP instances are internet-exposed, primarily in the US, Europe, and Asia. While F5 released emergency patches, the stolen data could aid in identifying zero-day vulnerabilities, though no active exploitation has been observed. CISA issued urgent directives for federal agencies to patch F5 products by 2025 deadlines, warning of risks like data exfiltration or system compromise. Shadowserver Foundation highlighted the scale of exposed devices, though patching progress remains unclear. F5 emphasized no critical vulnerabilities were among the stolen files.
Read full article: Techradar
Chinese Hackers Exploit Exposed ASP.NET Keys to Deploy TOLLBOOTH IIS Backdoor and Kernel Rootkit
Chinese hackers exploited publicly exposed ASP.NET machine keys to target misconfigured Microsoft IIS servers, deploying the TOLLBOOTH IIS backdoor and a modified “Hidden” kernel rootkit. The campaign, linked to a Chinese-speaking threat actor, leveraged stolen cryptographic keys to execute arbitrary commands via ViewState deserialization attacks. TOLLBOOTH enabled SEO cloaking to manipulate search rankings and redirect users to malicious sites, while the rootkit hid malicious processes using DKOM techniques. Attackers used a customized Godzilla webshell and GotoHTTP RMM tool for persistence. Over 570 global victims across finance, government, and academia were identified, with no infections in mainland China. Researchers emphasized addressing server misconfigurations to prevent reinfection.
Read full article: Securityonline
CISA warns of the Lanscope Endpoint Manager flaw exploited in attacks
CISA warned of active exploitation of a critical vulnerability (CVE-2025-61932, CVSS 9.3) in Motex Lanscope Endpoint Manager, allowing unauthenticated attackers to execute arbitrary code via crafted packets. The flaw stems from improper origin verification in the client-side components (MR and DA) of versions 9.4.7.2 and earlier. Motex confirmed exploitation in customer environments, urging immediate updates to patched versions. Japan’s CERT also reported domestic attacks, aligning with recent breaches at major Japanese firms. CISA added the flaw to its Known Exploited Vulnerabilities catalog, mandating federal agencies to patch by November 12. No workarounds exist; updating affected clients is the only mitigation.
Read full article: Bleepingcomputer
In-Depth Expert CTI Analysis
This week’s intelligence highlights the growing interplay of AI-assisted cybercrime, law enforcement interventions, and geopolitical exploitation. Microsoft’s disruption of Rhysida’s Teams-based ransomware campaign and Spain’s takedown of the GoogleXcoder phishing network illustrate heightened global agility in countering hybrid cyber threats. U.S. sanctions against Cambodia’s Huione Group expose the financial mechanisms underpinning North Korea-linked cybercrime. Despite these interventions, widespread breaches in healthcare, manufacturing, and legal sectors underscore persistent vulnerabilities in identity management, third-party security, and digital trust frameworks. The threat environment is increasingly defined by AI weaponization, cross-border laundering, and the convergence of state-sponsored and financially motivated cyber operations.
Proactive Defense and Strategic Foresight
Proactive defense must adapt to adversaries exploiting trusted digital ecosystems; Microsoft’s revocation of over 200 malicious certificates demonstrates the necessity of real-time certificate monitoring and robust code-signing oversight. Enterprises should embed AI-driven anomaly detection into CI/CD pipelines and authentication workflows to identify malicious updates and automated phishing attempts. Strategic foresight requires anticipating AI-driven attacks, cloud abuse, and deception tactics designed to bypass traditional human and technical controls. Predictive analytics, real-time telemetry sharing, and coordinated cross-sector cybercrime–espionage disruption models are essential for reducing dwell times and limiting adversary operational freedom.
Evolving Ransomware and Malware Tactics
Ransomware campaigns increasingly leverage trusted-service exploitation over direct intrusion; Rhysida and BlackSuit illustrate a shift toward credential abuse and service-oriented attacks rather than traditional network breaches. Malvertising, SEO poisoning, and voice phishing now distribute modular backdoors like Oyster and RATs for data exfiltration and lateral movement. AI-assisted phishing kits such as ClickFix accelerate infection and privilege escalation, reducing adversary dwell time and evading traditional defenses. Emerging malware blends social engineering with technical stealth, creating autonomous, trust-abusing attacks. Defenders must reinforce authentication, enforce strict privilege controls, and deploy AI-powered endpoint detection capable of context-aware malware analysis.
State-Sponsored and Organized Cybercrime Convergence
Hybridization of state-sponsored and criminal operations is increasingly evident; North Korea leverages Huione Group’s infrastructure to launder cryptocurrency, demonstrating the integration of espionage and financial crime. Russian hacktivists’ failed honeypot intrusion highlights operational immaturity in hybrid networks targeting Western ICS environments. This convergence illustrates how criminal infrastructure can facilitate nation-state objectives, creating a fluid threat landscape. Intelligence sharing among financial regulators, cybersecurity agencies, and private threat hunters remains critical to dismantling cross-domain alliances.
Operational and Tactical Implications
Organizations must move beyond reactive patching to continuous validation and trust analytics:
- Validate all digital certificates and signed software.
- Implement strict MFA and privileged account monitoring, and isolate legacy systems from production environments.
- Deploy deception and honeypot systems to safely study adversary TTPs and enrich detection baselines.
- Integrate telemetry from endpoints, identity systems, and financial platforms into unified threat-hunting frameworks.
Tactical imperatives include rapid containment, visibility into AI-assisted intrusions, and adaptive response orchestration.
Forward-Looking Recommendations
- Monitor developer environments for anomalous code-signing activity and enforce vendor attestation to mitigate trust exploitation by threat actors like Vanilla Tempest.
- Deploy advanced detection models capable of identifying AI-generated phishing, adaptive malware, and autonomous intrusion attempts, complementing signature-based defenses.
- Prioritize timely patching for actively exploited vulnerabilities in Cisco, Oracle, and Microsoft systems using automated remediation workflows.
- Segment networks, continuously validate user and device trust, and enforce least privilege to reduce lateral movement risk from ransomware or insider threats.
- Collaborate with law enforcement and financial regulators to disrupt laundering networks like Huione Group and prevent crypto-enabled sanctions evasion.
- Utilize honeypots, sandbox telemetry, and decoy systems to gather actionable intelligence on adversary TTPs, replicating effective counterintelligence models against hybrid actors.
- Mandate phishing-resistant MFA, credential vaulting, and privileged access monitoring to prevent exploitation of stolen VPN or cloud credentials in attacks such as BlackSuit and Rhysida.
- Audit configuration baselines, enforce least privilege in multi-tenant environments, and enable continuous monitoring of API behavior to prevent third-party exposure events.
- Conduct scenario-based exercises simulating ransomware, AI-assisted intrusions, and supply-chain compromises to ensure agile containment and adaptive response.