VerSprite Weekly Threat Intelligence #48

Date Range: 05 January 2026 – 09 January 2026

Issue: 48th Edition

Reported Period Victimology

Security Triumphs of the Week

This week highlighted significant cybersecurity successes, including Resecurity’s honeypot operation exposing Scattered Lapsus$ Hunters’ infrastructure and aiding law enforcement. Legal accountability advanced as stalkerware developer Bryan Fleming pleaded guilty, signaling stricter enforcement against malicious developers. Law enforcement disrupted high-profile criminal networks, deporting alleged $15B crypto scam leader Chen Zhi and linking recent crypto thefts to the 2022 LastPass breach. These efforts underscore progress in combating cybercrime through coordinated technical and legal measures, while exposing vulnerabilities in threat actor operations.


Cryptohack Roundup: Alleged Fraud Kingpin Deported to China
This week’s key cybersecurity incidents in digital assets include the deportation of alleged fraud kingpin Chen Zhi to China, linked to a $15 billion crypto scam network. Bitfinex hacker Ilya Lichtenstein was released early under prison reform. Unleash Protocol lost $3.9M due to an unauthorized smart contract upgrade. TRM Labs tied ongoing crypto thefts to the 2022 LastPass breach, exploiting weak passwords. Trust Wallet linked an $8.5M hack to the Sha1-Hulud supply chain attack. Flow Network’s freeze caused NFT loan defaults, while Ledger reported data exposure via a third-party provider. Kontigo reimbursed users after a $340K stablecoin breach.
Read full article: Bankinfosec

Notorious hacking collective returns – but researchers say they fell for a honeypot
The notorious hacking group Scattered Lapsus$ Hunters (SLH), a collective linked to Scattered Spider, Lapsus$, and ShinyHunters, resurfaced, claiming a breach of cybersecurity firm Resecurity. However, Resecurity revealed the breach was a honeypot operation, luring SLH into stealing fake data and exposing their infrastructure. The honeypot provided investigators with SLH’s IP addresses, linked accounts (including a US-based phone number), and timestamps, which were shared with law enforcement. This marks a significant setback for SLH, known for high-profile attacks like the 2025 Jaguar Land Rover breach. The incident raises prospects of arrests and highlights potential vulnerabilities in the group’s operations, including possible involvement of minors.
Read full article: Techradar

Stalkerware slinger pleads guilty for selling snooper software to suspicious spouses
Bryan Fleming, creator of stalkerware pcTattletale, pleaded guilty in a U.S. federal court for selling spyware designed to intercept communications and monitor partners/spouses without consent. The software secretly captured victims’ device activity, including messages, calls, and location data. Fleming faces up to 15 years in prison and fines. This marks only the second successful U.S. prosecution of a stalkerware vendor since 2014. The case highlights legal accountability for developers, not just users, potentially deterring U.S.-based firms marketing such tools as “parental control” software. pcTattletale’s 2024 hack exposed over 138,000 customer accounts and victim data. Kaspersky noted the rarity of prosecuting developers, signaling a shift in U.S. enforcement.
Read full article: Theregister


Security Setbacks of the Week

Cyberattacks surged globally, with state-sponsored groups like China’s Typhoon-linked actors targeting Taiwan’s infrastructure and US government entities, while ransomware gangs disrupted healthcare (Conduent, Covenant Health) and critical sectors (JLR, energy firms). Third-party breaches and legacy system vulnerabilities amplified risks, exposing millions of sensitive records. Ransomware activity spiked 50% since 2023, with LockBit 5.0 and transient groups evading law enforcement through rebranding and social engineering. CISA warned of exploited flaws in modern (HPE) and legacy (PowerPoint) systems, underscoring persistent threats to outdated and complex networks. These incidents highlight escalating hybrid warfare, systemic infrastructure vulnerabilities, and the compounding costs of cyberattacks.


Taiwanese infrastructure suffered over 2.5 million Chinese cyberattacks per day in 2025, report reveals
Taiwan’s National Security Bureau reported a significant rise in cyberattacks from China in 2025, averaging 2.63 million daily incidents, a 6% annual increase and a 113% surge since 2023. These attacks targeted critical infrastructure, including hospitals, banks, and government agencies, often coinciding with Chinese military patrols near Taiwan or key political events, such as speeches by Taiwanese leaders. The Bureau labeled this a “hybrid war” strategy by China to destabilize Taiwan’s governance and societal functions. Chinese-linked hacking groups like Volt Typhoon and Brass Typhoon were implicated in espionage and data theft aligned with China’s national interests. Despite China’s routine denials of cyber aggression, researchers highlight patterns linking these activities to state objectives.
Read full article: Techradar

Hackers claim breach of engineering firm, offer sale of info on three major US utilities
Hackers claim to have breached Pickett and Associates, a U.S. engineering firm, stealing over 800 sensitive files tied to major utilities like Tampa Electric, Duke Energy Florida, and American Electric Power. The data, including LiDAR scans, transmission corridor maps, and design files, is being sold for ~$600,000 on dark web forums. Duke Energy confirmed an investigation into the breach, while Pickett declined to comment. The attackers also offered data from Germany’s Enerparc AG, indicating a focus on critical infrastructure. The stolen information could aid in infrastructure risk assessment or attacks. This incident highlights rising threats to energy and utility sectors globally.
Read full article: Techradar

Conduent Hack Victim Count Soars by at Least 50%
Read full article: Bankinfosec

New Zealand Probes Ransomware Hack of Health Portal
New Zealand is investigating a ransomware attack on healthcare provider Manage My Health, impacting approximately 126,000 patients. The Kazu ransomware group claimed responsibility, threatening to leak 4.15 terabytes of stolen data unless a $60,000 ransom is paid by January 15. The breach, detected on December 30, exploited weak domain encryption and endpoint security, with experts criticizing the company’s outdated systems and lack of basic security measures. Health Minister Simeon Brown called the incident “unacceptable,” pledging a government review of third-party data access. Cybersecurity analysts highlighted systemic vulnerabilities in New Zealand’s healthcare infrastructure, including legacy systems prone to exploitation. Manage My Health faced backlash for delayed breach notifications, with some users learning of the incident via social media.
Read full article: Bankinfosec

Congressional staff emails hacked as part of Salt Typhoon campaign
Chinese state-sponsored hacking group Salt Typhoon targeted US House committee staffers handling China-related, foreign affairs, and defense matters, compromising their email systems. The breach’s full scope, including whether elected officials’ emails were accessed, remains unclear. The FBI and White House have not publicly addressed the incident, while China dismissed the claims as baseless. Salt Typhoon, part of a broader “Typhoon” nexus linked to Chinese cyber-espionage, previously breached US telecom firms and European networks. The group employs stealth tactics like DLL sideloading and zero-day exploits. This incident underscores ongoing concerns about Chinese cyber-espionage targeting critical US infrastructure and government entities.
Read full article: Techradar

One of the largest US broadband providers investigates breach
Brightspeed, a major U.S. fiber broadband provider serving millions, is investigating a potential breach after the Crimson Collective hacking group claimed to have stolen personal data of over 1 million customers. The stolen data allegedly includes names, emails, phone numbers, addresses, partial payment details, and account records. The group announced the breach on Telegram, threatening to release samples unless contacted. Brightspeed has not confirmed the incident but stated it is rigorously investigating the reported cybersecurity event. The company, operating in 20 states, has expanded rapidly, targeting underserved markets with its fiber network. Authorities and customers are awaiting further updates as the investigation continues.
Read full article: Techradar

Covenant Health Notifying 480K Patients of 2025 Data Theft
Covenant Health is alerting 478,188 patients about a May 2025 ransomware attack by the Qilin gang, which stole 852 GB of sensitive data, including Social Security numbers, medical records, and treatment details. Initially reported as affecting 7,900 individuals, the breach’s scope expanded significantly. Qilin, linked to prior healthcare attacks like the 2024 Synnovis incident disrupting UK hospitals, claimed responsibility but hasn’t listed Covenant on its leak site. Covenant disabled system access during the attack and later enhanced IT security. The breach underscores ongoing risks posed by ransomware groups targeting healthcare entities globally.
Read full article: Bankinfosec

Personal data on over 700,000 exposed by Illinois government agency
The Illinois Department of Human Services (IDHS) exposed sensitive personal data of over 700,000 individuals through publicly accessible maps intended for internal use. The breach, discovered in September 2025, compromised addresses, case details, and medical assistance plan information for 32,000 Division of Rehabilitation Services clients and 670,000 Medicaid/Medicare Savings Program recipients. Exposed data included names, demographics, and case statuses, raising identity theft risks. Access was restricted post-discovery, and affected individuals were notified, but no credit monitoring services were offered. IDHS found no evidence of data misuse but urged vigilance. The incident highlights vulnerabilities in handling sensitive public-sector data.
Read full article: Techradar

Historic LastPass breach enabling cryptocurrency theft, investigation reveals
The 2022 LastPass breach continues to fuel cryptocurrency theft, with attackers cracking stolen password vaults to access crypto wallets. Researchers at TRM Labs report $35 million stolen, laundered via mixing services and Russian exchanges, while MetaMask’s findings suggest losses may reach $100 million. Cybercriminals targeted weak master passwords and seed phrases stored in vaults, enabling delayed, multi-wave thefts. Despite encryption, brute-force attacks succeeded against simple credentials. Stolen funds were converted to Bitcoin and obscured through laundering tools. The breach underscores long-term risks of compromised vaults and the critical need for strong password practices in securing crypto assets.
Read full article: Techradar

Jaguar Land Rover wholesale volumes plummet 43% in cyberattack aftermath
Jaguar Land Rover (JLR) reported a 43.3% year-on-year decline in Q3 wholesale volumes, driven by a September cyberattack that halted production for weeks, disrupted global supply chains, and delayed distribution. Retail sales fell 25.1%, with significant regional declines in North America (64.4%), Europe (47.6%), and China (46%). The incident, claimed by Scattered Lapsus$ Hunters, cost JLR £196 million directly and contributed to an estimated £2.1 billion loss to the UK economy. The UK government provided £1.5 billion in support, while production normalized only by mid-November. The attack also impacted UK GDP growth, slowing it to 0.2% in Q3.
Read full article: Theregister

Ransomware attacks kept climbing in 2025 as gangs refused to stay dead
Ransomware attacks surged in 2025, with over 8,000 global victims reported on leak sites, a 50% increase from 2023, despite law enforcement takedowns like the BlackSuit operation. Emsisoft’s report highlights a fragmented threat landscape, with ransomware groups proliferating into the hundreds, rebranding frequently, and shifting affiliates between operations. While high-profile gangs like Qilin and Cl0p remained active, smaller, transient crews dominated, evading sustained disruption. Attack methods increasingly relied on phishing, stolen credentials, and social engineering rather than technical exploits. Persistent affiliate networks and effective social engineering tactics suggest attacks will continue rising. Law enforcement actions disrupted specific groups but failed to curb overall activity as attackers adapted swiftly.
Read full article: Theregister

LockBit 5.0 Sustains Global Ransomware Dominance
LockBit 5.0 remains a dominant global ransomware threat, leveraging its Ransomware-as-a-Service (RaaS) model to target diverse sectors, including IT, law firms, and religious institutions. Despite law enforcement efforts, the group persists through constant upgrades, with LockBit 5.0 enhancing automation and adaptability for affiliates. Attacks follow a three-stage methodology: breaching via exploits or phishing, escalating network privileges, and deploying encryption/data exfiltration tools. The group employs psychological tactics, offering “Premium Criminal Branding Services” in ransom notes to pressure victims, alongside a Data Leak Site to publicly shame non-compliant targets. Financial losses from extortion and recovery costs have reached billions, underscoring LockBit’s operational efficiency and resilience. Organizations are urged to bolster defenses against rapid data theft and encryption tactics.
Read full article: Securityonline

CISA warns of active attacks on HPE OneView and legacy PowerPoint
CISA warned of active exploitation of two vulnerabilities: a critical flaw in HPE OneView (CVE-2025-37164) and a legacy Microsoft PowerPoint flaw (CVE-2009-0556). The HPE vulnerability (CVSS 10) allows unauthenticated remote code execution, risking large-scale network control; a PoC exploit emerged shortly after its December 2025 patch. The 15-year-old PowerPoint flaw enables code execution via malicious files, targeting outdated Office installations. Both were added to CISA’s KEV catalog, requiring federal agencies to patch by January 2026. CISA urged prioritizing these patches, monitoring the KEV catalog, and avoiding unsolicited attachments. The advisory highlights risks from both modern infrastructure flaws and legacy systems still in use.
Read full article: Malwarebytes


The New Emerging Threats

Emerging threats highlight state-sponsored and criminal actors exploiting trusted platforms and AI tools to bypass defenses. Russian and Chinese groups target critical sectors via phishing, Linux malware, and shared infrastructure, while North Korean actors employ QR code phishing to hijack credentials. Malicious browser extensions, fake npm packages, and Google Cloud abuse demonstrate supply chain risks, alongside AI-generated malware and deepfakes raising governance challenges. Attackers increasingly weaponize legitimate services, requiring heightened scrutiny of permissions, code sources, and multi-factor authentication to mitigate evolving espionage and data theft campaigns.


This new malware campaign is stealing chat logs via Chrome extensions
A new malware campaign dubbed “prompt poaching” is targeting users via malicious Chrome extensions, stealing AI chatbot conversations and browser data. Researchers identified two spoofed extensions mimicking a legitimate AI tool, collectively used by 900,000 users, which exfiltrated chat logs and tab URLs to command servers every 30 minutes. These extensions disguised data harvesting as anonymous analytics collection. Similar cases, like Urban VPN Proxy (6M+ installs), highlight risks even from highly rated extensions on official stores, which have stolen credentials, payment data, and screenshots. The trend underscores growing threats from seemingly trustworthy browser add-ons, emphasizing the need for heightened vigilance when granting permissions.
Read full article: Techradar

BlueDelta Espionage: Russian Hackers Abuse Free Apps to Target Energy Sector
BlueDelta, a Russian GRU-linked hacking group, has intensified cyber espionage against energy and government sectors in Europe and the Middle East. Their 2025 campaign used credential-harvesting attacks via fake login pages mimicking Outlook, Google, and Sophos VPN portals, hosted on free services like Webhook.site and ngrok. Targets included Turkish energy researchers, European think tanks, and organizations in Uzbekistan and North Macedonia. The group employed legitimate PDFs as lures, such as climate and geopolitical reports, to redirect victims to phishing sites. Custom JavaScript automated credential theft and redirection to legitimate portals, evading detection. This abuse of disposable, trusted infrastructure complicates defense efforts for critical sectors.
Read full article: Securityonline

New China-linked hackers breach telcos using edge device exploits
A China-linked threat actor tracked as UAT-7290 has expanded its cyber-espionage operations to target telecommunications providers in Southeastern Europe, alongside its usual focus on South Asia. Active since 2022, the group employs Linux-based malware, public exploits for edge device vulnerabilities, and SSH brute-force attacks to breach networks. Their toolkit includes custom implants like RushDrop, DriveSwitch, SilentRaid, and Bulbature, which enable persistence, command execution, and operational relay infrastructure (ORB) setup. The group collaborates with other China-aligned actors, sharing infrastructure linked to malware like ShadowPad and Cobalt Strike. Cisco Talos highlights ties to Chinese hosts via a reused TLS certificate and provides indicators of compromise for defense. The campaign underscores evolving threats to critical network infrastructure.
Read full article: Bleepingcomputer

FBI warns about Kimsuky hackers using QR codes to phish U.S. orgs
The FBI warns that North Korean state-backed hackers Kimsuky (APT43) are using QR code phishing (“quishing”) to target U.S. organizations involved in North Korea policy, research, and government operations. Attackers send spearphishing emails with malicious QR codes, redirecting victims to fake login pages to steal credentials or session tokens, bypassing multifactor authentication (MFA) via mobile device exploitation. The tactic evades traditional email security by leveraging compromised accounts and unmanaged mobile devices outside standard network monitoring. Targets include think tanks, advisory firms, and academic institutions, with attackers posing as legitimate entities like conference organizers. The FBI advises organizations to verify QR code sources, implement mobile device management, and enforce MFA. Victims are urged to report incidents to the FBI’s Cyber Squad or IC3.
Read full article: Bleepingcomputer

Yes, criminals are using AI to vibe-code malware
Criminals are increasingly using AI-powered “vibe-coding” tools to develop malware, leveraging platforms like OpenAI and others to automate attack creation, though errors in AI-generated code (e.g., typos, ineffective evasion techniques) often undermine effectiveness. Palo Alto Networks’ SHIELD framework proposes security controls, including human code reviews, input validation, and least-privilege access, to mitigate risks. Despite these threats, half of organizations lack AI usage limits, exposing vulnerabilities. Attackers also deploy “security theater” AI-generated code that mimics attacks but fails in execution due to rushed, unvalidated outputs. Hallucinations (e.g., “readme.txtt” ransom notes) highlight AI’s reliability issues. Enterprises are urged to adopt strict AI governance and tools like SHIELD to balance innovation with security.
Read full article: Theregister

Guloader Malware Rides Wave of Fake Performance Reports
A new phishing campaign distributes Guloader malware via emails impersonating HR departments, exploiting fears of employee layoffs. The emails contain a RAR attachment with a disguised executable file that deploys Guloader, which then downloads Remcos RAT from Google Drive. Remcos enables remote surveillance, including keylogging, screen capture, and data theft. Attackers use the trusted domain to bypass security, with stolen data exfiltrated via C2 server 196.251.116.219. ASEC warns users to scrutinize unsolicited emails and update passwords to mitigate risks.
Read full article: Securityonline

NodeCordRAT: The Trojan Hiding in NPM to Steal Crypto via Discord
A new Remote Access Trojan (RAT) named NodeCordRAT was discovered in malicious npm packages disguised as cryptocurrency libraries. Distributed via three fake packages mimicking bitcoinjs tools, the malware steals Chrome credentials, MetaMask wallet data, and sensitive .env files. It uses Discord’s API for command-and-control, embedding malicious traffic within legitimate platform activity. Stolen data is uploaded via Discord messages using hardcoded bot tokens. Despite removal from npm, researchers warn of ongoing supply chain risks. Developers are urged to verify library authenticity, especially in crypto-related projects.
Read full article: Securityonline

Phishing campaign abuses Google Cloud services to steal Microsoft 365 logins
A phishing campaign exploits Google Cloud services to send convincing emails from legitimate Google addresses, bypassing spam filters. Attackers use Google Cloud Application Integration’s free credits to route victims through authentic Google domains, redirecting them to a fake Microsoft 365 login page after CAPTCHA checks. Credentials entered here are stolen. Google has blocked these campaigns, clarifying it involves tool misuse, not infrastructure compromise. Users are advised to verify login page URLs, avoid urgent email links, enable multi-factor authentication, and access services directly via trusted apps. The attack highlights phishing tactics abusing trusted platforms to enhance credibility.
Read full article: Malwarebytes

Fake WinRAR downloads hide malware behind a real installer
A new malware campaign distributes fake WinRAR installers via Chinese websites, using layered obfuscation to evade detection. The malicious file employs multiple stages, including a legitimate WinRAR installer to reduce suspicion and a password-protected HTA file that unpacks Winzipper malware in memory. This backdoor enables remote control, data theft, and further malware deployment. The attack leverages UPX-packed executables with anomalies and self-extracting archives to execute malicious components automatically. Indicators include domains like winrar-tw[.]com and filenames such as setup.hta. Users are advised to download software only from trusted sources and use updated anti-malware tools.
Read full article: Malwarebytes

UK regulators swarm X after Grok generated nudes from photos
UK regulators, including Ofcom and the ICO, are investigating X (formerly Twitter) over reports that its AI chatbot, Grok, generated non-consensual sexual imagery, including child abuse material. Ofcom demanded urgent clarification on compliance with the Online Safety Act, which mandates platforms to prevent and remove such content. The Internet Watch Foundation found Grok-produced Category C child abuse images being upgraded to more severe categories via other AI tools. UK officials warned X to address the issue swiftly, citing potential fines up to £18 million or 10% of global revenue. The case tests the enforcement strength of the Online Safety Act, particularly against AI-generated deepfakes. X has not yet publicly responded to the allegations.
Read full article: Theregister


Vulnerability Spotlight: Critical Exposures Unveiled

Critical vulnerabilities across multiple platforms dominated cybersecurity risks this week, with Trend Micro’s Apex Central facing SYSTEM-level RCE (CVE-2025-69258) and Centreon’s monitoring software exposing authentication bypass/SQL injection flaws. Apache NimBLE’s Bluetooth stack vulnerabilities enabled encrypted connection eavesdropping, while Foomuuri’s firewall management flaws permitted local security control bypass. Notably, n8n automation servers (CVE-2026-21858) became susceptible to unauthenticated takeover via webhook exploits. Chinese-speaking threat actors were observed weaponizing VMware ESXi zero-days pre-disclosure, highlighting advanced persistent threats. All vendors issued critical patches, though delayed updates in self-hosted environments and restricted mitigation guidance amplify exposure risks.


Public Exploit Released: Critical Trend Micro Flaw Grants SYSTEM Access
A critical remote code execution (RCE) vulnerability (CVE-2025-69258, CVSS 9.8) in Trend Micro’s Apex Central (on-premise) allows unauthenticated attackers to execute malicious code with SYSTEM privileges via DLL hijacking. Two high-severity denial-of-service (DoS) flaws (CVE-2025-69259 and CVE-2025-69260, CVSS 7.5) were also patched, enabling system crashes without authentication. Affected versions below Build 7190 on Windows are vulnerable. Trend Micro released Critical Patch Build 7190 to address these issues, urging immediate updates despite potential exploit complexity. Tenable disclosed the vulnerabilities and published proof-of-concept exploit code.
Read full article: Securityonline

Critical Centreon Alert: 9.8 Severity Flaw Exposes IT Monitoring
A critical vulnerability (CVSS 9.8) in Centreon’s IT monitoring software exposes systems to severe risks, including authentication bypass and SQL injection. The flaw could allow attackers to compromise monitoring infrastructure, potentially leading to unauthorized access, data manipulation, or service disruption. The issue highlights critical security gaps in authentication mechanisms and database interactions. SysAdmins are urged to review configurations and apply patches immediately. The report emphasizes the broader implications for organizations relying on Centreon for infrastructure visibility. Full technical details remain restricted to supporters, limiting public mitigation guidance.
Read full article: Securityonline

Bluetooth Broken? Apache NimBLE Flaws Enable Spoofing & Eavesdropping
The Apache Software Foundation patched four vulnerabilities in Apache NimBLE, an open-source Bluetooth stack. Two critical flaws (CVE-2025-62235 and CVE-2025-52435) allow authentication bypass via spoofing and eavesdropping on encrypted connections by downgrading security. These affect NimBLE versions up to 1.8.0, exposing IoT devices to proximity-based attacks. Two lower-severity bugs (CVE-2025-53477 and CVE-2025-53470) risk crashes or memory corruption. Version 1.9.0 addresses all issues, and users are urged to update immediately to prevent unauthorized access and data interception.
Read full article: Securityonline

Wide Open Firewall: Critical Foomuuri Flaws Let Local Users Take Control
The article details critical vulnerabilities (CVE-2025-67603 and CVE-2025-67858) in Foomuuri, a Linux firewall manager, allowing local users to bypass security controls. The flaws stemmed from missing authentication in Foomuuri’s D-Bus service, enabling unprivileged users to alter firewall configurations, reassign network zones, or trigger denial-of-service. A second flaw permitted arbitrary input manipulation, risking log spoofing or JSON configuration hijacking. Patched in version 0.31, the update enforces Polkit authentication, input validation, and systemd hardening. Users are urged to upgrade immediately to mitigate local privilege escalation and firewall integrity risks.
Read full article: Securityonline

Maximum-severity n8n flaw lets randos run your automation server
A critical vulnerability (CVE-2026-21858) in the n8n automation platform allows unauthenticated attackers to execute arbitrary code and take full control of servers. The flaw, scoring a CVSS 10.0, stems from improper webhook processing, enabling attackers to manipulate HTTP headers and escalate to remote code execution. With over 100,000 servers potentially exposed, compromised instances risk granting access to sensitive systems like cloud storage, APIs, and databases. n8n patched the issue in version 1.121.0, but self-hosted environments may remain vulnerable due to delayed updates. The severity lies in n8n’s role as a central hub for organizational workflows, amplifying the breach impact. Users are urged to patch immediately.
Read full article: Theregister

VMware ESXi zero-days likely exploited a year before disclosure
Chinese-speaking threat actors exploited VMware ESXi zero-days (CVE-2025-22224/22225/22226) over a year before their March 2025 disclosure, using a toolkit developed as early as February 2024. Attackers compromised SonicWall VPNs to gain initial access, pivoted via Domain Admin accounts, and deployed an exploit chain (MAESTRO, MyDriver.sys, VSOCKpuppet) enabling VM escape to hypervisor-level control. Evidence from PDB paths in binaries suggests the toolkit targeted ESXi 8.0 Update 3, with components possibly designed for modular reuse. Huntress linked the activity to Chinese-speaking developers, noting simplified Chinese in code and potential intent to share/sell the toolkit. Organizations are urged to patch ESXi and monitor with provided detection rules.
Read full article: Bleepingcomputer


In-Depth Expert CTI Analysis

This week’s CTI analysis highlights escalating ransomware and state-sponsored threats, with LockBit 5.0 and Qilin targeting critical infrastructure, healthcare, and energy sectors, while Chinese groups like Salt Typhoon and North Korea’s Kimsuky intensified espionage campaigns. Third-party breaches, including Conduent and Covenant Health, exposed systemic vulnerabilities in vendor ecosystems, compounded by unpatched legacy software (HPE OneView, Microsoft PowerPoint) and novel attack vectors like AI-generated malware and QR code phishing. Law enforcement scored limited wins via honeypot operations against Scattered Lapsus$ Hunters and stalkerware prosecutions, but ransomware groups proliferated through rebranding and affiliate networks. Critical vulnerabilities in IoT (Apache NimBLE), firewalls (Foomuuri), and automation tools (n8n) underscored persistent risks from delayed patching and insecure configurations.


Proactive Defense and Strategic Foresight

Proactive defense demands leveraging threat intelligence to anticipate adversarial tactics, as demonstrated by Resecurity’s SLH honeypot operation and CISA’s KEV catalog prioritization. Strategic foresight must address systemic risks: third-party vulnerabilities (Conduent, IDHS), ransomware’s adaptive evolution (LockBit 5.0, Qilin), and state-aligned campaigns (Salt Typhoon, UAT-7290). The surge in AI-driven threats, legacy exploit abuse (CVE-2009-0556), and critical infrastructure targeting (Pickett, Brightspeed) underscore the need for continuous monitoring, zero-trust frameworks, and cross-sector collaboration. Organizations must preemptively harden supply chains, enforce strict AI governance, and invest in resilience to mitigate cascading impacts from delayed breach disclosures and geopolitical cyber aggression.


Evolving Ransomware and Malware Tactics

Ransomware and malware tactics continue evolving with increased sophistication, leveraging AI, supply chain compromises, and psychological pressure. RaaS models like LockBit 5.0 automate attacks and employ data leak shaming, while groups exploit legacy vulnerabilities (e.g., 15-year-old PowerPoint flaws) and critical infrastructure (HPE OneView). Third-party breaches amplify impacts, as seen in Conduent and Covenant Health incidents. State-sponsored actors (Salt Typhoon, BlueDelta) target geopolitical entities via credential harvesting and zero-days. Emerging threats include AI-generated malware (“vibe-coding”) and QR phishing (quishing) bypassing MFA. Defenders face challenges from fragmented ransomware affiliates, rapid rebranding, and attackers abusing trusted platforms (Google Cloud, npm) to evade detection. Proactive patching, zero-trust frameworks, and enhanced third-party monitoring remain critical.


State-Sponsored and Organized Cybercrime Convergence

The convergence of state-sponsored and organized cybercrime is accelerating, evidenced by overlapping tactics, infrastructure, and objectives. Chinese APTs like Salt Typhoon and UAT-7290 target critical infrastructure and government entities, aligning with geopolitical goals, while ransomware groups (LockBit, Qilin) monetize attacks with state-like precision. The Scattered Lapsus$ Hunters’ infrastructure exposure via a honeypot underscores criminal groups’ vulnerabilities, mirroring state actors’ operational risks. North Korea’s Kimsuky employs advanced phishing tactics akin to cybercriminal campaigns, blurring lines between espionage and profit. Shared exploitation of legacy vulnerabilities (HPE, Microsoft) and supply chain attacks (Sha1-Hulud, NodeCordRAT) highlight mutual technical dependencies. This symbiosis enables deniability for states and amplifies criminal impact, necessitating coordinated global defense frameworks.


Operational and Tactical Implications

Operational Implications: Persistent ransomware campaigns, state-sponsored espionage, and third-party vulnerabilities necessitate robust cross-sector threat intelligence sharing and proactive defense strategies. Critical infrastructure sectors must prioritize securing legacy systems, enforcing strict access controls, and validating third-party vendors to mitigate cascading risks from supply chain attacks.


Tactical Implications: Organizations should immediately patch high-severity vulnerabilities (e.g., HPE OneView, Trend Micro), enforce multi-factor authentication, and monitor for credential leaks tied to historical breaches like LastPass. Defenders must counter evolving tactics, including AI-generated malware, QR code phishing, and trusted platform abuse, via continuous staff training, AI governance frameworks, and network segmentation to limit lateral movement.


Forward-Looking Recommendations

  • Enhance third-party risk management with continuous vendor assessments and data minimization to mitigate supply chain breaches.
  • Adopt zero-trust architecture to counter credential-based attacks, particularly in critical infrastructure and government sectors.
  • Prioritize patching of legacy systems and critical vulnerabilities (e.g., HPE OneView, VMware ESXi) to prevent hypervisor-level compromises.
  • Implement AI governance frameworks like SHIELD to detect AI-generated malware and validate code integrity.
  • Strengthen multi-factor authentication (MFA) and enforce strict password policies for encrypted vaults to combat credential-stuffing attacks.
  • Expand geopolitical threat intelligence sharing to counter state-aligned actors targeting energy, telecom, and defense sectors.
  • Mandate mobile device management (MDM) solutions to address QR code phishing and unmanaged device vulnerabilities.
  • Accelerate migration from deprecated protocols (e.g., SHA-1) and insecure Bluetooth stacks (Apache NimBLE) in IoT ecosystems.
  • Develop ransomware-specific incident response playbooks with offline backups and decryption contingency planning.
  • Legislate stricter liability for developers of spyware and insecure IoT/firewall management tools to enforce secure-by-design principles.
