

Akira Ransomware-as-a-Service Campaign Actively Targeting Nutanix Virtual Machines in Critical Organizations
Executive Summary: The emergence of the Akira Ransomware-as-a-Service (RaaS) operation has introduced a significant threat to organizations leveraging Nutanix Virtual Machines (VMs). Recent intelligence indicates that the Akira threat group has expanded its targeting scope to include Nutanix environments, exploiting virtualization infrastructure to maximize operational disruption and ransom leverage. This campaign is particularly concerning for critical infrastructure, hea
Nov 16, 2025 · 4 min read


North Korean APTs Exploit JSON-Based Cloud APIs for Covert Malware Delivery and C2 Operations
Executive Summary: Recent intelligence has revealed that North Korean state-sponsored threat actors are leveraging legitimate JSON-based web services as covert channels for malware delivery and command-and-control (C2) operations. This innovative tactic exploits the ubiquity and trust associated with JSON data formats and cloud-based APIs, enabling adversaries to bypass traditional security controls and evade detection. The campaign demonstrates a significant evolution in th
Nov 16, 2025 · 4 min read


Logitech MOVEit Data Breach Confirmed After Clop Ransomware Extortion Attack
Executive Summary: Logitech has confirmed a data breach following an extortion attack attributed to the Clop ransomware group. The incident involved unauthorized access to certain company data, with the attackers leveraging vulnerabilities to exfiltrate sensitive information. Logitech has stated that the breach did not impact its core business operations or compromise customer payment data. The company is actively investigating the scope of the breach and has engaged with r
Nov 16, 2025 · 4 min read


Iranian SpearSpecter APT Targets Microsoft Systems in Defense and Government Cyber-Espionage Campaign
Executive Summary: Recent intelligence has surfaced regarding a sophisticated cyber-espionage campaign attributed to Iranian threat actors, codenamed SpearSpecter. This operation is characterized by highly targeted spear-phishing attacks and the deployment of advanced custom malware, with a primary focus on defense and government entities. The campaign leverages a combination of social engineering, zero-day vulnerabilities, and multi-stage payloads to establish persistent acc
Nov 16, 2025 · 4 min read


Chinese APT Groups Exploit Anthropic AI to Launch Automated Cyber Espionage Attacks Targeting Microsoft Windows Systems
Executive Summary: Recent intelligence has surfaced indicating that Chinese state-sponsored threat actors are leveraging advanced generative AI models, specifically Anthropic's AI, to orchestrate highly automated and scalable cyber espionage campaigns. This marks a significant evolution in the threat landscape, as adversaries are now integrating large language models (LLMs) into their attack chains to enhance reconnaissance, automate phishing, and accelerate malware developme
Nov 16, 2025 · 5 min read


Russian Hackers Target Hospitality Sector: 4,300 Fake Hotel Booking Sites Created to Steal Guest Payment Data
Executive Summary: A recent cyber threat campaign has been identified in which Russian-affiliated threat actors created approximately 4,300 fraudulent travel and hotel booking websites. The primary objective of this campaign was to harvest payment card data and personal information from unsuspecting hotel guests. These fake sites closely mimicked legitimate hotel and travel booking platforms, leveraging sophisticated social engineering and web spoofing techniques to deceive us
Nov 16, 2025 · 5 min read


Akira Ransomware Group Exploits Cisco ASA and Fortinet VPN Vulnerabilities to Amass $244 Million in Ransom Proceeds
Executive Summary: The Akira Ransomware Group has emerged as a significant threat actor in the global cybercrime landscape, amassing approximately $244 million in ransom proceeds as of mid-2025. This group has demonstrated a high level of technical sophistication, targeting organizations across sectors such as education, manufacturing, healthcare, and government. The group’s operations are characterized by the exploitation of remote access vulnerabilities, deployment of custo
Nov 16, 2025 · 5 min read


Checkout.com Internal Systems Data Breach Exposes Sensitive Data Following Extortion Attempt
Executive Summary: Checkout.com, a global payment processing provider, disclosed a data breach following an extortion attempt by an unidentified threat actor. The incident involved unauthorized access to certain internal systems, resulting in the exposure of sensitive data. Checkout.com has confirmed the breach and has taken steps to contain the incident, notify affected parties, and engage with law enforcement. At this time, there is no evidence that payment card data or cu
Nov 16, 2025 · 4 min read


Microsoft Exposes Whisper Leak Side-Channel Attack: Topic Inference Vulnerability in Encrypted LLM Chat Traffic
Executive Summary (publication date: November 7, 2025): Microsoft has uncovered a novel side-channel attack, dubbed Whisper Leak, that enables adversaries to infer the topics of AI chatbot conversations—even when the traffic is encrypted with TLS. This attack leverages observable patterns in packet sizes and timings during streaming responses from large language models (LLMs) to classify the subject of user prompts. The vulnerability is systemic, affecting a wide range of L
Nov 9, 2025 · 4 min read


Hyundai AutoEver America Data Breach Exposes Sensitive Personal Information in 2025
Executive Summary: Between February 22 and March 2, 2025, Hyundai AutoEver America, LLC, a key automotive IT provider for Hyundai and Kia affiliates, experienced a data breach involving unauthorized access to its IT environment. The breach was discovered on March 1, 2025, and public notification was issued on November 4–5, 2025, in accordance with regulatory requirements. The incident resulted in the exposure of sensitive personal information, including names, Social Securi
Nov 6, 2025 · 6 min read


Eurojust-Led Operation Disrupts €600 Million Cryptocurrency Investment Fraud Network Exploiting Fake Platforms Across Europe
Executive Summary: On November 4, 2025, Eurojust announced the arrest of nine individuals suspected of operating a sophisticated cryptocurrency fraud and money laundering network that defrauded victims of over €600 million. The coordinated law enforcement operation, conducted across Cyprus, Spain, and Germany, targeted a transnational group that created dozens of fake cryptocurrency investment websites. These sites lured victims through social engineering tactics such as soci
Nov 5, 2025 · 5 min read


Kimsuky Deploys HTTPTroy Backdoor to Target Windows Systems in South Korea via VPN Invoice Phishing Campaign
Executive Summary: A newly identified and highly sophisticated cyber-espionage campaign has been attributed to the North Korean advanced persistent threat group Kimsuky. This operation leverages a novel backdoor, HTTPTroy, to target South Korean users through a meticulously crafted spear-phishing campaign. The attack chain employs advanced social engineering, multi-stage payload delivery, and state-of-the-art obfuscation and anti-analysis techniques. The primary objective is
Nov 5, 2025 · 4 min read


Apache OpenOffice Disputes Akira Ransomware Data Breach Claims: No Evidence Found of Compromise
Executive Summary: On October 30, 2025, the Akira ransomware gang publicly claimed to have breached the Apache OpenOffice project, alleging the theft of 23GB of sensitive corporate data, including employee and financial information. The Apache Software Foundation (ASF), which oversees Apache OpenOffice, has categorically disputed these claims, stating that the project does not possess the types of data described by the attackers and that no evidence of compromise has been f
Nov 5, 2025 · 5 min read


CVE-2025-11953: Critical OS Command Injection Vulnerability in React Native Community CLI’s Metro Development Server Allows Remote Code Execution
Executive Summary: A critical OS command injection vulnerability, tracked as CVE-2025-11953 with a CVSS score of 9.8, has been identified in the React Native Community CLI’s Metro Development Server. This vulnerability exposes developer environments to unauthenticated remote code execution attacks. The flaw is present in all versions of the Metro Development Server prior to the security patch and is especially severe on Windows platforms, though macOS and Linux are also
Nov 5, 2025 · 5 min read


Nikkei Slack Data Breach Exposes Personal Information of 17,000 Employees and Partners: Incident Analysis and Mitigation Strategies
Executive Summary: On November 4, 2025, Nikkei Inc., a leading Japanese media conglomerate, publicly disclosed a data breach impacting over 17,000 employees and business partners. The breach was traced to unauthorized access to the company’s Slack messaging platform, following the compromise of an employee’s computer by malware. Attackers used stolen authentication credentials to access Slack accounts, resulting in the exposure of names, email addresses, and chat histories f
Nov 5, 2025 · 5 min read


Operation SkyCloak: Tor-Enabled OpenSSH for Windows Backdoor Targets Defense and Military Sectors in Eastern Europe
Executive Summary: Operation SkyCloak is an advanced, ongoing cyber-espionage campaign targeting defense and military sectors, with a primary focus on organizations in Eastern Europe, notably Belarus and Russia. The operation employs highly targeted phishing emails containing military-themed lure documents to deliver a persistent, Tor-enabled OpenSSH backdoor. This backdoor leverages a legitimate, signed OpenSSH for Windows binary, combined with a custom Tor hidden service
Nov 5, 2025 · 5 min read


SesameOp Malware Exploits OpenAI API for C2 in Microsoft Visual Studio Attacks
Executive Summary: In July 2025, Microsoft’s Detection and Response Team (DART) identified a highly sophisticated malware campaign leveraging the SesameOp backdoor, which uniquely abuses the OpenAI Assistants API as a covert command-and-control (C2) channel. This innovative TTP (Tactics, Techniques, and Procedures) enables threat actors to blend malicious C2 traffic with legitimate API usage, effectively bypassing traditional network security controls and evading detection.
Nov 5, 2025 · 5 min read


Fake LastPass Death Claims Phishing Campaign Exploits Emergency Access to Breach Password Vaults
Executive Summary: In mid-October 2025, a sophisticated phishing campaign targeting users of the LastPass password manager was identified and publicly disclosed by multiple security sources. The campaign, attributed to the financially motivated threat group CryptoChameleon (UNC5356), exploits the LastPass inheritance (emergency access) feature by sending fraudulent emails that claim a family member has requested access to the recipient’s password vault due to a supposed dea
Oct 26, 2025 · 7 min read


F5 BIG-IP Vulnerabilities Exploited: 85% Surge in US Government Cyberattacks Amid 2025 Shutdown
Executive Summary: Between September and October 2025, the United States government experienced a significant surge in cyberattacks, with multiple sources referencing an 85% increase in incidents targeting federal agencies and critical infrastructure during the government shutdown. This escalation coincided with the expiration of the Cybersecurity Information Sharing Act of 2015 on September 30, 2025, and the onset of a government shutdown on October 1, 2025, which resulted in
Oct 26, 2025 · 6 min read


YouTube Ghost Network: 3,000 Malicious Videos Used to Spread Infostealer Malware via Compromised Channels
Rescana Cyber Threat Intelligence. Executive Summary: A sophisticated and large-scale malware distribution campaign, identified as the YouTube Ghost Network, has been exposed by Check Point Research. This operation weaponized over 3,000 YouTube videos, leveraging both fake and compromised accounts to disseminate a range of infostealer malware families. The campaign exploited YouTube’s inherent trust signals—such as high view counts, likes, and positive comments—to lure unsuspe
Oct 26, 2025 · 5 min read