Executive Summary
We all knew that sooner or later we would start to see malware that leverages generative AI. PromptLock, which was recently discovered by ESET, makes use of GenAI to analyze files on victim systems to work out whether to encrypt or exfiltrate them. We are also seeing more active malware that targets macOS and Linux. In fact, half of the trending malware variants that we focus on in this brief specifically target Linux and macOS – a firm reminder that no matter which OS you are running, you should ensure that you have strong endpoint protection and detection capabilities in place.
Report Links
Download Threat Brief For August 16-31 2025
Top Ransomware
Ransomware | Current period | Previous period | Prior period | Rank change
---|---|---|---|---
Qilin | 15.25% | 20.08% | 13.10% | remains at 1
Warlock | 9.38% | New | |
SAFEPAY | 8.50% | New | |
Sinobi | 7.62% | 6.69% | | remains at 4
Akira | 7.33% | 14.17% | | down from 2
Qilin continues to maintain its top spot amongst ransomware actors, albeit with a slightly lower percentage of infections. Akira and Sinobi continue to make their presence known. SafePay, which initially surfaced in late 2024, has now made its way into the top 5. Warlock, which only made its public debut in June 2025, is notable for exploiting vulnerabilities in unpatched Microsoft SharePoint servers.
Victim Sector
Sector | Current period | Previous period | Prior period | Rank change
---|---|---|---|---
Manufacturing | 16.13% | 16.54% | 15.08% | 1 -> 1
Technology | 15.25% | 8.27% | 10.71% | 5 -> 2
Retail | 13.78% | 11.02% | 15.48% | 4 -> 3
Construction | 13.20% | 13.39% | 16.27% | 3 -> 4
Financial services | 11.14% | 8.27% | 10.71% | 2 -> 5
Victim Location
Country | Current period | Previous period | Prior period | Rank change
---|---|---|---|---
USA | 52.20% | 57.48% | 50% | 1 -> 1
Germany | 7.04% | 5.12% | 3.57% | 3 -> 2
UK | 6.45% | 6.30% | 4.37% | 2 -> 3
Canada | 5.28% | 3.15% | 3.57% | 5 -> 4
France | 2.05% | New | |
Victim Org Size
Size | Current period | Previous period | Prior period
---|---|---|---
Small Business (500 or fewer) | 82.65% | 84.25% | 84.52%
Mid-Market (501-5000) | 14.41% | 12.99% | 12.30%
Large Enterprise (5000+) | 2.94% | 2.76% | 3.17%
Trending Adversaries
- APT36
- Blind Eagle
- Salt Typhoon
- Silk Typhoon
- Silver Fox
- Storm-0501
Cyber-attacks often mirror real-world rivalries. APT36 is a Pakistani cyber espionage group that is using sophisticated phishing campaigns to target Indian defense personnel. The group sends phishing emails containing malicious PDFs with a blurred background and a button that imitates the login interface of the Indian National Informatics Centre (NIC). Users who click the button are redirected to a URL that downloads a ZIP archive posing as a legitimate application. The campaign is focused on credential theft and on establishing long-term persistence inside Indian defense networks. Two other trending adversaries believed to be nation-state actors are Salt Typhoon and Silk Typhoon, both of which are believed to be engaged in espionage. Both are suspected of having links to China's Ministry of State Security (MSS).
Trending & Actively Exploited Vulnerabilities
CVE | Vendor | Product |
---|---|---|
CVE-2024-8068 | Citrix | Session Recording |
CVE-2024-8069 | Citrix | Session Recording |
CVE-2025-20265 | Cisco | Secure Firewall Management Center |
CVE-2025-43300 | Apple | iOS, iPadOS, and macOS |
CVE-2025-48384 | Git | Git |
CVE-2025-52970 | Fortinet | FortiWeb |
CVE-2025-54948 | Trend Micro | Apex One |
CVE-2025-57819 | Sangoma | FreePBX |
CVE-2025-7775 | Citrix | NetScaler |
CVE-2025-9074 | Docker | Desktop |
In this period, we are seeing a particularly high number of trending and actively exploited vulnerabilities. Of particular concern are 3 vulnerabilities affecting Citrix technologies (CVE-2024-8068, CVE-2024-8069 and CVE-2025-7775). It is worth noting that the first 2 of these date back to 2024 and are not new.
CVE-2025-43300, an out-of-bounds write issue, is worrying because of its broad impact across iOS, iPadOS and macOS. Apple believes this vulnerability may have been exploited in a sophisticated attack against specifically targeted individuals.
Trending Malware
Name | Description
---|---
DripDropper | DripDropper is a perfect example of the fact that malware doesn't only affect Windows and macOS systems - Linux is vulnerable too. The malware exploits a vulnerability in Apache ActiveMQ (CVE-2023-46604). After establishing persistence, it patches the vulnerability to secure exclusivity and disguise its initial access path. It then communicates with an adversary-controlled Dropbox account for command and control.
MixShell | MixShell is a sophisticated threat actor who engages in phishing by contacting target entities via the "Contact us" forms on their public web sites. Through social engineering they trick company representatives into clicking malicious links which trigger the installation of malware. Their primary targets are industrial supply chain companies in the US.
PromptLock | We knew it was only a matter of time until malware would also start to use generative AI. PromptLock, which was recently discovered by ESET, creates Lua scripts which can operate on macOS, Windows and Linux. It uses GenAI to analyze local files and, depending on their content, either encrypts or exfiltrates them.
RingReaper | Yet another example of Linux malware is RingReaper, which uses the Linux io_uring interface, normally used for asynchronous I/O, to evade EDR software. By using io_uring for file and network operations, RingReaper reduces the traces which EDR tools rely on to detect malware, making itself almost invisible.
Shamos | A sophisticated malware campaign that targets macOS users. Shamos lures Mac users who are looking for solutions to technical issues to fake tech support websites and tricks them into downloading malware which captures the user's password. It then downloads the SHAMOS executable, which establishes persistence by installing a malicious plist in the user's LaunchDaemons directory.
TamperedChef | This cybercrime campaign uses malvertising to send users to fraudulent websites which lure them into downloading the TamperedChef infostealer. It masquerades as a free PDF editor called AppSuite PDF Editor. Once installed it enumerates installed security tools and attempts to stop web browsers in order to gain access to sensitive data such as credentials and cookies.
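The Shamos entry above describes persistence through a malicious launchd plist. The following triage helper is an added example written for this brief, not code from ESET, CrowdStrike or any vendor named here; it parses launchd plists, flags jobs whose program or arguments point outside the directories Apple's own jobs normally use, and notes inline-script interpreters combined with RunAtLoad/KeepAlive. The trusted-path list and the two sample plists are constructed assumptions for illustration, not real Shamos artefacts.

```python
import pathlib
import plistlib
import re

# Directories Apple's own launchd jobs normally point into (assumption, a heuristic,
# not a whitelist): a daemon referencing paths outside these deserves a closer look.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/", "/Applications/")
SHELLS = {"sh", "bash", "zsh", "osascript", "python3", "perl"}
PATH_RE = re.compile(r"/(?:[\w.\-]+/?)+")  # absolute paths embedded in argv tokens


def triage_launchd_plist(data: bytes) -> dict:
    """Parse one launchd plist and return what a responder would want to know."""
    job = plistlib.loads(data)
    argv = list(job.get("ProgramArguments") or [])
    program = job.get("Program") or (argv[0] if argv else "")
    findings = []
    # Every path the job references, whether the program itself or something in argv.
    for path in {program, *(p for tok in argv for p in PATH_RE.findall(tok))}:
        if path and not path.startswith(TRUSTED_PREFIXES):
            findings.append(f"untrusted path: {path}")
    # A shell or scripting interpreter given an inline script is a common persistence shape.
    if program.rsplit("/", 1)[-1] in SHELLS and any(t in ("-c", "-e") for t in argv):
        findings.append("interpreter running an inline script")
    persistence = [k for k in ("RunAtLoad", "KeepAlive") if job.get(k)]
    return {
        "label": job.get("Label", "<no label>"),
        "program": program,
        "persistence": persistence,
        "findings": sorted(findings),
        "suspicious": bool(findings) and bool(persistence),
    }


def scan_directory(directory: str = "/Library/LaunchDaemons") -> list:
    """Triage every .plist in a launchd directory; returns only the suspicious jobs."""
    hits = []
    for p in pathlib.Path(directory).glob("*.plist"):
        try:
            r = triage_launchd_plist(p.read_bytes())
        except Exception as exc:  # unreadable or malformed plist: surface it rather than skip it
            r = {"label": p.name, "program": "", "persistence": [],
                 "findings": [f"parse error: {exc}"], "suspicious": True}
        if r["suspicious"]:
            hits.append((str(p), r))
    return hits


# Constructed samples: an Apple-style helper and a persistence job of the kind described above.
BENIGN_PLIST = plistlib.dumps({"Label": "com.apple.example.helper",
                               "Program": "/usr/libexec/example_helper", "RunAtLoad": True})
SUSPICIOUS_PLIST = plistlib.dumps({"Label": "com.update.helper", "RunAtLoad": True, "KeepAlive": True,
                                   "ProgramArguments": ["/bin/bash", "-c", "/Users/Shared/.cache/update & disown"]})
```

Run `scan_directory()` on `/Library/LaunchDaemons` and `~/Library/LaunchAgents` for a quick triage pass; review every hit by hand, since the path heuristic will also flag legitimate third-party software.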
Top News
- US seizes $2.8 million in crypto from Zeppelin ransomware operator, sanctions Grinex crypto-exchange
- DOJ charges 22-year-old man behind RapperBot botnet used in over 370,000 DDoS attacks
- Scattered Spider hacker gets sentenced to 10 years in prison
- Dev gets 4 years for creating kill switch on ex-employer's systems
- Massive anti-cybercrime operation leads to over 1,200 arrests in Africa
- Malicious Android apps with 19M installs removed from Google Play
- New AI attack hides data-theft prompts in downscaled images
- Malware devs abuse Anthropic’s Claude AI to build ransomware
Contributors
Written by Jeremy Nichols, former Director Of The Global Threat Intelligence Center
Executive Summaries & Adversary Bios by Geoff Rehmet, Cybersecurity Expert
Produced & Distributed By Phish Tank Cybersecurity Marketing Division