Executive Summary
LockBit resurfaced and immediately re-entered the top 5, driving renewed ransomware activity. Coinbase Cartel’s victim postings pushed the UAE into the top 5 target regions and elevated construction to the top victim sector. Across all major actors, exploitation of React2Shell dominated the period, with adversaries rapidly weaponizing the vulnerability in different ways.
Report Links
Download Threat Brief For December 1-15 2025
Byer-Nichols Threat Brief Podcast 12-15-2025
Ransomware Actors
| Ransomware | Percentage | Last Period | Two Ago |
|---|---|---|---|
| Qilin | 26.52% | 1 | 1 |
| Akira | 13.38% | 3 | 2 |
| LockBit | 6.08% | N/A | N/A |
| Sinobi | 4.38% | 4 | 16 |
| Coinbase Cartel | 4.38% | 17 | 27 |
Qilin held a strong lead again this period, while Akira stayed firmly in the top tier. The major shift came from LockBit’s return, re-entering the rankings at #3 with immediate impact. Sinobi continued its climb, and Coinbase Cartel jumped from the teens into the top 5, driven by its recent victim disclosures.
Victim Sector
| Sector | Percentage | Last Period | Movement |
|---|---|---|---|
| Construction | 17.03% | 4 | 4 -> 1 |
| Financial Services | 12.41% | 5 | 5 -> 2 |
| Technology | 11.92% | 2 | 2 -> 3 |
| Manufacturing | 11.68% | 1 | 1 -> 4 |
| Retail | 10.95% | 3 | 3 -> 5 |
Victim Location
| Location | Percentage | Last Period | Movement |
|---|---|---|---|
| USA | 48.18% | 1 | Unchanged |
| Canada | 6.08% | 2 | Unchanged |
| UK | 3.65% | 5 | 5 -> 3 |
| Germany | 3.41% | 4 | Unchanged |
| United Arab Emirates | 2.68% | N/A | New |
Victim Org Size
| Size | Percentage | Last Period | Change |
|---|---|---|---|
| Small Business (500 or less) | 81.37% | 72.30% | 9.08% |
| Mid-Market (501-5000) | 15.20% | 16.62% | -1.43% |
| Large Enterprise (5000+) | 3.43% | 11.08% | -7.65% |
Trending Adversaries
UNC5174, UNC6586, UNC6588, UNC6595, UNC6600, and UNC6603 all showed elevated activity during this period, with each leveraging React2Shell in different ways. These clusters focused on rapid exploitation, opportunistic targeting, and broad scanning behavior, contributing to the spike in intrusions tied to the vulnerability.
- UNC5174
- UNC6586
- UNC6588
- UNC6595
- UNC6600
- UNC6603
Trending & Actively Exploited Vulnerabilities
Attackers focused on new flaws across Chromium, Apple, Android, and Windows. Meta’s React Server Components issue tied directly into ongoing React2Shell exploitation. WinRAR, GeoServer, and ArrayOS AG vulnerabilities also saw increased targeting this period.
| CVE | Vendor | Product |
|---|---|---|
| CVE-2025-14174 | Chromium | |
| CVE-2025-14611 | Gladinet | CentreStack and Triofox |
| CVE-2025-43529 | Apple | Multiple Products |
| CVE-2025-48572 | Android | Framework |
| CVE-2025-48633 | Android | Framework |
| CVE-2025-55182 | Meta | React Server Components |
| CVE-2025-58360 | OSGeo | GeoServer |
| CVE-2025-6218 | RARLAB | WinRAR |
| CVE-2025-62221 | Microsoft | Windows |
| CVE-2025-66644 | Array Networks | ArrayOS AG |
Trending Malware
| Trending Malware | Description |
|---|---|
| Aisuru | Massive IoT DDoS botnet & Info-stealer targeting credentials and browser data. |
| DroidLock | Android malware used for device locking and ransom extortion. |
| EtherRAT | Lightweight RAT enabling remote control and data theft. |
| Glassworm | Worm-like loader spreading quickly across networks. |
| Shai-Hulud 2.0 | Updated stealer with improved evasion and data-harvest capabilities. |
| ValleyRAT | Modular RAT used in espionage campaigns with broad system access. |
Top News
- Contractors with hacking records accused of wiping 96 US government databases
- EU fines X $140 million over deceptive blue checkmarks
- Fortinet, Ivanti, and SAP Issue Urgent Patches for Authentication and Code Execution Flaws
- Marquis data breach impacts over 74 US banks, credit unions
- Over 10,000 Docker Hub images found leaking credentials, auth keys
- Police takes down Cryptomixer cryptocurrency mixing service
- React2Shell flaw exploited to breach 30 orgs, 77k IP addresses vulnerable
- ShadyPanda browser extensions amass 4.3M installs in malicious campaign
Contributors
Written by Jeremy Nichols, former Director of the Global Threat Intelligence Center
Executive Summaries & Adversary Bios by Geoff Rehmet, Cybersecurity Expert
Produced & Distributed by Phish Tank Digital