HttpTroy Backdoor Targets Windows Systems via Fake VPN Invoice in Kimsuky Cyberattack on South Korea
Executive Summary A newly identified backdoor, HttpTroy, has been observed in a sophisticated, targeted cyberattack campaign against South Korean organizations. This campaign, attributed to the North Korean advanced persistent threat group Kimsuky, leverages a spear-phishing email masquerading as a legitimate VPN invoice to deliver a multi-stage malware payload. The infection chain culminates in the deployment of the HttpTroy backdoor, which provides attackers with compreh
Nov 4, 2025 · 5 min read


Jabber Zeus Banking Trojan: Ukrainian Developer Extradited to US for Major Windows-Based Cybercrime Operation
Executive Summary Publication Date: November 2025. In October 2025, Ukrainian national Yuriy Igorevich Rybtsov, known by the alias "MrICQ," was extradited from Italy to the United States to face charges stemming from his role as a developer for the infamous Jabber Zeus cybercrime group. This group, active since at least 2009, is responsible for orchestrating a series of highly sophisticated cyberattacks that leveraged custom variants of the ZeuS banking trojan to steal tens
Nov 4, 2025 · 5 min read


Comprehensive Analysis of the $128 Million Balancer V2 DeFi Exploit: Attack Vectors, Impact, and Mitigation Steps
Executive Summary On November 3, 2025, the Balancer decentralized finance (DeFi) protocol suffered a critical security breach resulting in the theft of over $128 million in digital assets from its V2 pools. The attack exploited vulnerabilities in the protocol's smart contract logic, specifically targeting precision rounding errors and invariant manipulation within the Balancer V2 vaults. The incident affected deployments across multiple blockchains, including Ethereum, Ba
Nov 4, 2025 · 6 min read


Remote Monitoring and Management (RMM) Tools Exploited in Logistics and Freight Cyberattacks – Rescana Threat Intelligence Report
Executive Summary Cybercriminals are increasingly exploiting legitimate Remote Monitoring and Management (RMM) tools to infiltrate logistics and freight networks, resulting in a surge of sophisticated attacks targeting the global supply chain. Since mid-2025, threat actors have orchestrated highly organized campaigns, often in collaboration with traditional organized crime groups, to gain unauthorized access to trucking carriers, freight brokers, and logistics companies. By
Nov 4, 2025 · 5 min read


Crocodilus Android Malware Targets Spain and Turkey: Mutes Alerts and Drains $2.8M in Crypto Wallets
Executive Summary A new Android malware family, dubbed Crocodilus, has been observed in the wild targeting users in Spain and Turkey, with confirmed infections exceeding 1,200 devices and over $2.8 million in cryptocurrency assets stolen within two weeks. Crocodilus leverages advanced abuse of Android accessibility services to perform device takeover, mute system alerts, and harvest sensitive credentials, including crypto wallet seed phrases. The malware is distributed via t
Nov 4, 2025 · 3 min read


Fake Solidity VSCode Extension on Open VSX Used to Backdoor Blockchain Developers and Steal Cryptocurrency
Executive Summary A highly sophisticated supply-chain attack has been identified targeting blockchain and smart contract developers through a counterfeit Solidity extension distributed on the Open VSX marketplace. This malicious extension, camouflaged as a legitimate development tool, was engineered to compromise developer environments, resulting in the confirmed theft of at least $500,000 in cryptocurrency. The campaign demonstrates advanced threat actor tradecraft, levera
Nov 4, 2025 · 4 min read


GlassWorm Supply-Chain Attack on Open VSX Registry: Technical Analysis and Mitigation of Malicious Extension Incident
Executive Summary The Open VSX registry, an open-source alternative to the Microsoft Visual Studio Marketplace for VS Code-compatible extensions, experienced a significant supply-chain security incident in 2025. Privileged access tokens were inadvertently leaked by developers in public repositories, enabling threat actors to publish malicious extensions to the Open VSX registry. The attack, identified as the GlassWorm campaign, leveraged these tokens to distribute malwar
Nov 4, 2025 · 5 min read


University of Pennsylvania PennKey SSO Breach Exposes 1.2 Million Donor Records in Major Data Leak
Executive Summary On October 30, 2025, a threat actor gained unauthorized access to the University of Pennsylvania's (Penn) internal systems by compromising an employee's PennKey Single Sign-On (SSO) account. This breach enabled the attacker to access multiple critical platforms, including Salesforce Marketing Cloud, Qlik, SAP, and SharePoint, resulting in the exfiltration of sensitive data belonging to approximately 1.2 million donors, alumni, and students. The compro
Nov 4, 2025 · 6 min read


University of Pennsylvania ‘We Got Hacked’ Email Incident: Abuse of connect.upenn.edu on Salesforce Marketing Cloud
Executive Summary On October 31, 2025, the University of Pennsylvania experienced a coordinated campaign in which offensive emails with the subject "We got hacked (Action Required)" were sent to students, alumni, and faculty from various university email addresses, including those associated with the Graduate School of Education. The emails claimed that university data had been stolen and threatened to leak sensitive information, while also containing highly offensive languag
Nov 2, 2025 · 6 min read


Nation-State Supply Chain Attack: Ribbon Communications IT Network Breach Exposes Telecom Sector Vulnerabilities
Executive Summary Ribbon Communications, a major U.S. telecommunications and networking provider, experienced a prolonged network breach attributed to a nation-state actor. The intrusion began as early as December 2024 and was detected in September 2025, with public disclosure following on October 23, 2025 (TechCrunch, BleepingComputer, GovInfoSecurity). The attackers accessed Ribbon's IT network for nearly a year, compromising files belonging to several customers store
Nov 2, 2025 · 6 min read


China-Linked Tick Group Exploits Lanscope Endpoint Manager Zero-Day (CVE-2025-61932) in Targeted Attacks
Executive Summary A critical zero-day vulnerability in Motex Lanscope Endpoint Manager (tracked as CVE-2025-61932) has been exploited in the wild by a sophisticated China-linked threat actor known as Tick (also referred to as Bronze Butler, Daserf, REDBALDKNIGHT, Stalker Panda, Stalker Taurus, and Swirl Typhoon). This vulnerability enables remote, unauthenticated attackers to execute arbitrary commands with SYSTEM privileges on vulnerable on-premise installations of
Nov 2, 2025 · 4 min read


Airstalk Malware Exploits VMware Workspace ONE UEM APIs in Sophisticated Nation-State Supply Chain Attack
Executive Summary A newly identified malware family, Airstalk, has emerged as a significant threat in the cybersecurity landscape, representing a sophisticated supply chain attack attributed to a suspected nation-state actor. Airstalk leverages the trusted AirWatch (now VMware Workspace ONE UEM) MDM API as a covert command-and-control (C2) channel, enabling attackers to exfiltrate sensitive browser data and screenshots from compromised endpoints. The malware is distributed
Nov 2, 2025 · 4 min read


Meduza Stealer Malware: Russian Authorities Arrest Suspected Operators After Astrakhan Government Data Breach
Executive Summary Russian law enforcement authorities have arrested three individuals in Moscow and the surrounding region, suspected to be the primary developers and operators of the Meduza Stealer malware. This action follows a significant breach in May 2025, where the group used Meduza Stealer to exfiltrate confidential data from a government institution in Astrakhan, Russia. The malware, which has been active since mid-2023, is a sophisticated information stealer distri
Nov 2, 2025 · 6 min read


UNC6384 Exploits Windows LNK Vulnerability (CVE-2025-9491) to Target European Diplomatic Entities
Executive Summary A highly sophisticated cyber-espionage campaign orchestrated by the Chinese-affiliated threat group UNC6384 has been observed targeting European diplomatic entities. The campaign leverages a recently disclosed Windows shortcut vulnerability, ZDI-CAN-25373 (now tracked as CVE-2025-9491), to deliver the notorious PlugX remote access trojan (RAT) through advanced spearphishing and social engineering tactics. The operation demonstrates rapid vulnerability
Nov 2, 2025 · 4 min read


Russian Ransomware Groups Exploit AdaptixC2: Advanced Attacks Targeting Windows, Linux, and macOS Systems
Executive Summary Russian ransomware gangs have escalated their operational sophistication by weaponizing the open-source AdaptixC2 command-and-control (C2) framework for advanced cyberattacks. Originally developed for legitimate red teaming and penetration testing, AdaptixC2 has been rapidly adopted by threat actors due to its modular, cross-platform architecture, robust encryption, and flexible post-exploitation capabilities. Intelligence from multiple OSINT sources confi
Nov 2, 2025 · 4 min read


Qilin (Agenda) Ransomware Targets Windows and Linux with Hybrid BYOVD Exploit and Cross-Platform Payloads
Executive Summary The Qilin ransomware group, also known as Agenda, has recently escalated its threat profile by orchestrating sophisticated hybrid attacks that combine a Linux-based ransomware payload with a Bring Your Own Vulnerable Driver (BYOVD) exploit. This dual-pronged approach enables adversaries to target both Windows and Linux environments, bypassing traditional endpoint defenses and maximizing operational disruption. The group's latest campaigns leverage cross-p
Oct 27, 2025 · 5 min read


Smishing Triad Exploits SMS Phishing to Target USPS, E-ZPass, IRS, and Financial Systems Using 194,000 Malicious Domains Globally
Executive Summary The Smishing Triad represents a sophisticated, China-linked cybercrime syndicate orchestrating one of the largest global phishing operations ever observed, leveraging over 194,000 malicious domains since early 2024. This campaign primarily exploits SMS-based phishing, or smishing, to target mobile users across more than 120 countries, including the United States, Germany, the United Kingdom, France, and numerous others. By impersonating trusted entities su
Oct 26, 2025 · 5 min read


North Korean Lazarus Group Uses Trojanized MuPDF and Notepad++ Plugins to Target European UAV and Drone Technology Firms
Executive Summary Recent threat intelligence from leading cybersecurity vendors, including ESET, has confirmed that North Korean state-sponsored actors, specifically the Lazarus Group (also known as APT38 or HIDDEN COBRA), are actively targeting European companies in the unmanned aerial vehicle (UAV) and drone technology sector. This campaign, identified as a new wave of Operation DreamJob, employs advanced social engineering, trojanized open-source software, and custom
Oct 26, 2025 · 5 min read


GlassWorm Supply Chain Attack: Self-Spreading Malware Infects Visual Studio Code (VS Code) Extensions via OpenVSX and Microsoft Marketplace
Executive Summary A critical and highly sophisticated supply chain attack has emerged, leveraging a self-propagating malware known as GlassWorm to infect Visual Studio Code (VS Code) extensions. The campaign primarily targets the OpenVSX marketplace but has also breached the official Microsoft VS Code Marketplace. GlassWorm employs advanced evasion techniques, including invisible Unicode character obfuscation, and utilizes decentralized, blockchain-based command and cont
Oct 26, 2025 · 4 min read


Critical CVE-2025-59287 Vulnerability in Microsoft WSUS: Emergency Patch Issued to Prevent Remote Code Execution
Executive Summary A critical vulnerability, CVE-2025-59287, has been identified in Microsoft Windows Server Update Services (WSUS), prompting the vendor to issue an emergency out-of-band patch on October 24, 2025. This remote code execution (RCE) flaw, with a CVSS score of 9.8, enables unauthenticated attackers to execute arbitrary code with SYSTEM privileges on affected Windows Server installations running the WSUS role. The vulnerability is being actively exploited in
Oct 26, 2025 · 5 min read