All Articles (2779)

The Hoxhunt 2025 Cyber Threat Intelligence Report delivers a sobering message for security professionals: the most dangerous threats are no longer the most obvious ones.  As 2026 approaches, enterprises are no longer fighting clumsy, error-riddled bulk spam; they are facing a quiet revolution where sophisticated, convincing attacks blend seamlessly into daily workflows, fueled by AI and advanced token-theft toolkits.

See:  https://hoxhunt.com/guide/threat-intelligence-report

The report, based on

UDPGangster is a UDP-based backdoor associated with the MuddyWater threat group, which is known for its cyber espionage operations across the Middle East and neighboring regions.  This malware enables remote control of compromised systems by allowing attackers to execute commands, exfiltrate files, and deploy additional payloads, all communicated through UDP channels designed to evade traditional network defenses.

Researchers recently observed multiple UDPGangster campaigns targeting users in Tu

During a recent incident response engagement, researchers at the FortiGuard IR services (FGIR) responded to a ransomware attack in which the threat actor made heavy use of anti-forensic techniques to cover their tracks and to keep their malware out of the hands of researchers.  They attempted to achieve this by deleting the files and folders they had created, clearing logs, and obfuscating the malware.

Link to full report:  IR-25-344-001_AutoLogger.pdf

At the end of October, during a global disruption of AWS connections, FortiGuard Labs observed malware named “ShadowV2” spreading via IoT vulnerabilities.  These incidents affected multiple countries worldwide and spanned seven different industries.  To date, the malware appears to have been active only during the large-scale AWS outage.  Researchers believe this activity was likely a test run conducted in preparation for future attacks.  The following article provides a detailed analysis of the

Marquis Software Solutions is notifying banks and credit unions of a ransomware attack that leaked their customer data.  The Texas-based digital and physical marketing firm learned of the ransomware cyber-attack on 14 August 2025, after detecting suspicious activity on its network.  It responded by launching an investigation and notifying law enforcement.  The probe determined that the threat actor breached its SonicWall firewall to gain initial access.[1]

After gaining access, the attackers exf

Some of the nation's largest banks, including JPMorgan Chase, Citi, and Morgan Stanley, spent the end of November 2025 assessing exposure after a significant cyberattack on SitusAMC, a major technology and services vendor in the mortgage and real estate finance ecosystem.  SitusAMC confirmed that a cyberattack hit it on 12 November 2025 and that it has spent nearly two weeks determining which information was accessed.  According to a statement posted on its website, the company identified "data r

Industrial cyber security is facing significant challenges driven by the increasing complexity of attacks, such as ransomware and supply-chain compromises, alongside a proliferation of interconnected devices and a persistent shortage of skilled professionals.  Attacks against critical infrastructure have evolved from isolated incidents into coordinated campaigns conducted by both state and non-state actors.

Cyber threats have increased in frequency and technical capability, particularly those leveraging A

A Chinese state-aligned threat actor may have been spying on Russia's government for years through its IT sector.  For all of the adversarial intelligence gathering going on in the world today, there is also plenty of spying among friends.  Friendly nations, and friendly-ish nations like China and Russia, regularly use cyberspace against their allies to glean potentially valuable political or economic intelligence, gain advantages in strategic negotiations, or simply steal technology.

On 20 Novem

Europol has taken down the illegal cryptocurrency mixing service ‘Cryptomixer’, which is suspected of facilitating cybercrime and money laundering.  During the operation, which was conducted in conjunction with Swiss and German law enforcement, €25m ($30m) worth of the cryptocurrency Bitcoin was seized.  Action took place between 24-28 November 2025 in Zurich, Switzerland.

Three servers were seized, along with the cryptomixer.io domain.  The operation resulted in the confiscation of over 12 tera

After years of quiet escalation, business leaders are finally beginning to grasp just how serious the threat of fraud has become.  Today, 41% of all fraud attempts involve artificial intelligence.  Nowhere is this more evident than in the payments industry.  Fraudsters can use AI to generate convincing fake invoices, purchase orders, and payment instructions that mirror legitimate business documents.  I’ve seen examples that are indistinguishable from the real thing, which is a

Imagine if a hacker could gain full control of your smartphone and stream everything on its screen to their own device.  Well, a new Android banking trojan allows them to do just that, and they can also tap, swipe, type and navigate through hijacked smartphones in real time.  According to a new blog post from the cybersecurity site Malwarebytes, security researchers at the online fraud management firm Cleafy have discovered a new Android malware family called Albiriox.  Despite being fairly new,

A long-running malware operation that has evolved over several years has been turning browser extensions in Chrome and Edge into spyware through updates that added malicious functionality.  According to a report from Koi Security, the ShadyPanda campaign affects 4.3 million users who downloaded these now-compromised browser extensions.

The ShadyPanda campaign consists of 20 malicious extensions on the Chrome Web Store and 125 in Edge; initial submissions of the extensions appeared in 2018, and

Cybercriminals have targeted 700Credit, the largest provider of credit, identity, and compliance services for dealerships, breaching sensitive data of approximately 5.6 million customers and nearly 18,000 dealerships in North America.  This incident occurred in late October and involved names, addresses, Social Security numbers, and employment information.

The breach, confirmed by Managing Director Ken Hill, resulted from a compromise of the 700Dealer.com website.  A third-party vendor’s API con

Red Sky Alliance monthly queries our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails.  Malicious actors use emails with Motor Vessel (MV) or Motor Tanker (MT) in the subject line as a lure to entice users in the maritime industry to open emails containing malicious attachments.  Red Sky Alliance is providing this list of Motor Vessels in which we directly observed the vessel being impersonated, with associate
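
The subject-line query described above, written out as an added example (not Red Sky Alliance's own tooling): it matches subjects that open with the MV or MT prefix, extracts the impersonated vessel name, and counts how often each vessel appears.  The sample subjects are constructed for illustration.  The page names only the bare "MV" and "MT" forms; the "M/V", "M.V.", "M/T" and "M.T." variants, the reply/forward markers, and the trailing nautical tokens stripped from the name (ETA, ETD, PDA, FDA, DA) are my assumptions.

```python
import re
from collections import Counter

# Constructed sample subject lines for illustration (not data from Red Sky Alliance).
SAMPLE_SUBJECTS = [
    "MV OCEAN STAR - Port Agency Appointment / Proforma DA",
    "Re: M/V BLUE HORIZON ETA Rotterdam - Attached Documents",
    "MT SILVER WAVE: Bunker Delivery Note",
    "FW: MV OCEAN STAR / Crew Change Documents",
    "Monthly MV sales report",          # prefix not at start: not a lure
    "Mt. Everest expedition photos",    # lowercase 't': deliberately not matched
    "Invoice 4471 - payment overdue",
]

# Prefix forms: the page names "MV" and "MT"; "M/V", "M.V.", "M/T", "M.T." are assumed
# variants.  Matching is case-sensitive on purpose so that "Mt. Everest" is not flagged;
# the trade-off is that lower-case lures ("m.v. ocean star") are missed.
LURE_RE = re.compile(
    r"^(?:\s*(?:Re|RE|Fw|FW|Fwd|FWD)\s*:\s*)*"                  # optional reply/forward markers
    r"(?P<prefix>M[./]?[VT]\.?)\s+"                             # MV, M/V, M.V., MT, M/T, M.T.
    r"(?P<vessel>[A-Z][A-Z0-9'\-]*\b(?:\s+[A-Z][A-Z0-9'\-]*\b)*)"  # ALL-CAPS vessel name
)

# Assumed trailing tokens that belong to the lure text, not to the vessel name.
STOPWORDS = {"ETA", "ETD", "PDA", "FDA", "DA"}


def extract_vessel(subject: str):
    """Return (prefix, vessel) if the subject looks like an MV/MT lure, else None."""
    m = LURE_RE.match(subject)
    if not m:
        return None
    words = m.group("vessel").split()
    while words and words[-1] in STOPWORDS:
        words.pop()
    if not words:
        return None
    # Normalise "M/V" and "M.V." to "MV" (and likewise for MT) so counts aggregate.
    prefix = m.group("prefix").replace("/", "").replace(".", "")
    return prefix, " ".join(words)


def impersonated_vessels(subjects):
    """Count how often each (prefix, vessel) pair is impersonated, as in the monthly query."""
    counts = Counter()
    for subject in subjects:
        hit = extract_vessel(subject)
        if hit:
            counts[hit] += 1
    return counts


if __name__ == "__main__":
    for (prefix, vessel), n in impersonated_vessels(SAMPLE_SUBJECTS).most_common():
        print(f"{prefix} {vessel}: {n} lure(s)")
```

Run it over a mail-log export of subject lines instead of `SAMPLE_SUBJECTS` to get the same vessel-frequency view; anything the regex misses is a candidate for a new prefix variant, not a reason to loosen the case-sensitivity.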

A former technical manager employed by the wind farm operator Nordex has been sentenced to 120 hours of community service by a Dutch court.  The sentence follows the discovery that the employee had used company infrastructure to power a clandestine cryptocurrency mining operation across two renewable energy sites.  The rogue employee, a man in his forties, exploited his privileged access to the company’s internal systems between August and November 2022.

According to court proceedings in Assen,

A new spin on the ClickFix attack is making the rounds, and it is designed to circumvent some of the strategies organizations have for mitigating them.  ClickFix and its slightly more elegant offshoot, FileFix, are notorious for being almost inexplicably manipulative.  Attackers persuade victims to run commands on their computers that they never otherwise would and may never have before.  Now there's a new variant, deemed "JackFix," that gives more logical context to those strange actions victims

A prolific cybercriminal group that calls itself “Scattered LAPSUS$ Hunters” has dominated headlines this year by regularly stealing data from and publicly mass-extorting dozens of major corporations.  But the tables seem to have turned somewhat for “Rey,” the moniker chosen by the technical operator and public face of the hacker group:  Last week, Rey confirmed his real-life identity and agreed to an interview after KrebsOnSecurity tracked him down and contacted his father.

Scattered LAPSUS$ Hu

eBPF (Extended Berkeley Packet Filter) is a kernel technology that lets users load small, verifier-checked, sandboxed programs into the Linux kernel to inspect or modify network packets, trace system calls, and more.  It was merged into the mainline kernel in 2014 (Linux 3.18) as an extension of the “classic” BPF of 1992, whose 32-bit register machine mapped poorly onto modern 64-bit architectures.  As usual, the technology was quickly noticed by malware authors, leading to the Bvp47 malware in 2015 and a collection of ro
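
Because eBPF hooks live inside the kernel, the first check a responder wants is an inventory of what is loaded and who loaded it.  The following is an added triage example, not code from the article or from any eBPF project: it consumes output in the shape of `bpftool prog show -j` and flags programs of the types a rootkit needs (kprobe, tracepoint, XDP, socket filters, LSM) when no process holds them, when they were loaded by an unexpected process, or when they carry no name.  The JSON below is constructed; the field names follow bpftool, but the `pids` array is only present on recent kernels and bpftool builds with BPF iterator support, and the loader allowlist is an assumption to tune per host.

```python
import json

# Constructed sample in the shape of `bpftool prog show -j` output.  Field names follow
# bpftool; the values are made up for illustration and come from no real host.
SAMPLE_BPFTOOL_JSON = """
[
 {"id": 7, "type": "cgroup_skb", "name": "sd_fw_egress", "tag": "6deef7357e7b4530",
  "gpl_compatible": true, "loaded_at": 1733000000, "uid": 0, "bytes_xlated": 64,
  "jited": true, "bytes_jited": 54, "map_ids": [], "pids": [{"pid": 1, "comm": "systemd"}]},
 {"id": 42, "type": "kprobe", "name": "sys_enter_open", "tag": "a1b2c3d4e5f60718",
  "gpl_compatible": true, "loaded_at": 1733000900, "uid": 0, "bytes_xlated": 1280,
  "jited": true, "bytes_jited": 900, "map_ids": [3], "pids": [{"pid": 2211, "comm": "bpftrace"}]},
 {"id": 43, "type": "kprobe", "name": "", "tag": "0f0f0f0f0f0f0f0f",
  "gpl_compatible": false, "loaded_at": 1733001000, "uid": 0, "bytes_xlated": 4096,
  "jited": true, "bytes_jited": 3000, "map_ids": [4, 5], "pids": []},
 {"id": 44, "type": "xdp", "name": "xdp_filter", "tag": "1234567890abcdef",
  "gpl_compatible": true, "loaded_at": 1733001100, "uid": 0, "bytes_xlated": 2048,
  "jited": true, "bytes_jited": 1500, "map_ids": [6], "pids": [{"pid": 3001, "comm": "kworker"}]}
]
"""

# Program types that can hook syscalls or intercept/redirect traffic, i.e. what a
# rootkit or covert backdoor needs.  cgroup_skb firewalls from systemd are left out.
HOOKING_TYPES = {"kprobe", "kretprobe", "tracepoint", "raw_tracepoint", "tracing",
                 "xdp", "sched_cls", "sched_act", "socket_filter", "lsm"}

# Assumed allowlist of legitimate loaders on this host; tune per environment.
KNOWN_LOADERS = {"systemd", "bpftrace", "cilium-agent", "falco", "tetragon"}


def triage_programs(bpftool_json: str, known_loaders=KNOWN_LOADERS):
    """Return [(prog_id, [reasons])] for loaded programs that deserve a closer look."""
    findings = []
    for prog in json.loads(bpftool_json):
        reasons = []
        ptype = prog.get("type", "")
        comms = {p.get("comm", "") for p in prog.get("pids", [])}
        if ptype in HOOKING_TYPES:
            if not comms:
                # No process holds a file descriptor: the program survives only through a
                # pinned bpffs path or an attached link, which is how eBPF rootkits
                # persist after their loader exits.
                reasons.append("hooking program with no owning process")
            elif not comms & known_loaders:
                # "comm" is a 16-byte name any user process can set, so a kernel-looking
                # name such as kworker is a reason to look, not proof of anything.
                reasons.append(f"hooking program loaded by unexpected process {sorted(comms)}")
            if not prog.get("gpl_compatible", True):
                # GPL-only helpers cover most tracing work; a non-GPL kprobe is unusual.
                reasons.append("non-GPL hooking program")
        if not prog.get("name"):
            reasons.append("program has no name (stripped or loaded from raw bytecode)")
        if reasons:
            findings.append((prog["id"], reasons))
    return findings


if __name__ == "__main__":
    # On a live host: bpftool prog show -j | python3 this_script.py  (read stdin instead)
    for prog_id, reasons in triage_programs(SAMPLE_BPFTOOL_JSON):
        print(f"prog id {prog_id}:")
        for r in reasons:
            print(f"  - {r}")
```

Follow up a hit with `bpftool prog dump xlated id <N>` to read the program's instructions and `bpftool map dump id <N>` for its maps; a rootkit's command channel or hidden-PID list usually lives in the maps.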

Logins.zip is a new type of malware that quickly steals saved passwords from web browsers like Chrome or Edge. It works quietly and fast, taking passwords without the user knowing. Criminals can easily get this malware and use it to steal accounts from people and businesses. To stay safe, use a password manager, turn on extra security like multi-factor authentication, and be careful with downloads and email attachments.

In the modern digital ecosystem, subscribing to a calendar series has become a routine convenience.  Whether it is a retailer sharing dates for upcoming sales, a sports association like FIFA publishing match schedules, or a government body listing public holidays, the standard ‘ICS’ web calendar format, also known as iCalendar, allows third parties to integrate events directly into a user’s device.  A new report indicates that this functionality is being weaponized by cybercriminals to distribu
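
A subscribed ICS feed is re-fetched by the client indefinitely, so the publisher (or whoever controls the feed) can push new events, links and attachments onto every subscriber's device at any time.  The following is an added example, not code from the report or from any calendar vendor: a small RFC 5545 parser that unfolds continuation lines, walks the VEVENT blocks, and flags events whose URL, ATTACH, SUMMARY, LOCATION or DESCRIPTION fields carry links pointing outside the publisher's own domain.  The feed text, the `example-retail.test` domain and the lookalike `example-retail-login.test` domain are constructed for illustration; inline base64 attachments (`ATTACH;ENCODING=BASE64`) are not URLs and are not covered by this check.

```python
import re
from urllib.parse import urlparse

# Constructed sample feed (not from any real campaign).  The second event carries a link
# to a lookalike domain in its DESCRIPTION, a plain-HTTP ATTACH, and an RRULE so it keeps
# reappearing.  Its long DESCRIPTION is folded with a leading space as RFC 5545 requires.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "PRODID:-//Example Retail//Sale Calendar//EN\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:sale-1@calendar.example-retail.test\r\n"
    "SUMMARY:Spring Sale\r\n"
    "DESCRIPTION:Details at https://www.example-retail.test/spring\r\n"
    "DTSTART:20250401T090000Z\r\n"
    "END:VEVENT\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:sale-2@calendar.example-retail.test\r\n"
    "SUMMARY:Account verification required\r\n"
    "DESCRIPTION:Your loyalty account will be suspended. Confirm now at \r\n"
    " https://example-retail-login.test/verify?u=123 before the sale starts.\r\n"
    "ATTACH:http://cdn.example-retail-login.test/invoice.pdf\r\n"
    "RRULE:FREQ=DAILY;COUNT=30\r\n"
    "DTSTART:20250401T080000Z\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

URL_RE = re.compile(r"https?://[^\s<>\"',;]+", re.IGNORECASE)


def unfold(ics_text: str):
    """Undo RFC 5545 folding: a line starting with SPACE or HTAB continues the previous one."""
    lines = []
    for raw in ics_text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines


def split_property(line: str):
    """Split 'NAME;PARAM="a:b":VALUE' into (NAME, VALUE), ignoring colons inside quotes."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ":" and not in_quotes:
            return line[:i].split(";", 1)[0].upper(), line[i + 1:]
    return line.upper(), ""


def parse_events(ics_text: str):
    """Return a list of VEVENTs, each a dict of PROPERTY -> [values]."""
    events, current = [], None
    for line in unfold(ics_text):
        name, value = split_property(line)
        if name == "BEGIN" and value.upper() == "VEVENT":
            current = {}
        elif name == "END" and value.upper() == "VEVENT" and current is not None:
            events.append(current)
            current = None
        elif current is not None:
            current.setdefault(name, []).append(value)
    return events


def hostname(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def suspicious_events(ics_text: str, publisher_domain: str):
    """Flag events whose links or attachments point outside the publisher's domain."""
    publisher_domain = publisher_domain.lower()
    findings = []
    for ev in parse_events(ics_text):
        links = set()
        for prop in ("URL", "ATTACH"):
            links.update(v for v in ev.get(prop, []) if URL_RE.match(v))
        for prop in ("DESCRIPTION", "SUMMARY", "LOCATION"):
            for text in ev.get(prop, []):
                links.update(URL_RE.findall(text))
        offsite = sorted(
            u for u in links
            if hostname(u) != publisher_domain
            and not hostname(u).endswith("." + publisher_domain)
        )
        if offsite:
            findings.append({
                "uid": ev.get("UID", [""])[0],
                "summary": ev.get("SUMMARY", [""])[0],
                "recurring": "RRULE" in ev,   # recurring lures re-alert the user daily
                "offsite_links": offsite,
            })
    return findings


if __name__ == "__main__":
    for f in suspicious_events(SAMPLE_ICS, "example-retail.test"):
        print(f"{f['uid']} ({f['summary']}) recurring={f['recurring']}: {f['offsite_links']}")
```

Point `suspicious_events` at the body of a fetched feed and the domain the subscription was advertised under; a legitimate retailer rarely needs to send subscribers to a second domain from inside a calendar entry, so off-domain links are worth a look even when the feed itself is genuine but has been tampered with.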