Executive Summary

LockBit resurfaced and immediately re-entered the top 5, driving renewed ransomware activity. Coinbase Cartel’s victim postings pushed the UAE into the top 5 target regions and elevated construction to the top victim sector. Across all major actors, exploitation of React2Shell dominated the period, with adversaries rapidly weaponizing the vulnerability in different ways.

Report Links

Download Threat Brief For December 1-15 2025

Byer-Nichols Threat Brief Podcast 12-15-2025

Ransomware Actors

Ransomware | Percentage | Last Period Rank | Two Periods Ago Rank
Qilin | 26.52% | 1 | 1
Akira | 13.38% | 3 | 2
LockBit | 6.08% | N/A | N/A
Sinobi | 4.38% | 4 | 16
Coinbase Cartel | 4.38% | 17 | 27

Qilin held a strong lead again this period, while Akira stayed firmly in the top tier. The major shift came from LockBit’s return, re-entering the rankings at #3 with immediate impact. Sinobi continued its climb, and Coinbase Cartel jumped from the teens into the top 5, driven by its recent victim disclosures.

Victim Sector

Sector | Percentage | Last Period Rank | Movement
construction | 17.03% | 4 | 4 -> 1
financial-services | 12.41% | 5 | 5 -> 2
technology | 11.92% | 2 | 2 -> 3
manufacturing | 11.68% | 1 | 1 -> 4
retail | 10.95% | 3 | 3 -> 5

Victim Location

Victim Location | Percentage | Last Period Rank | Movement
USA | 48.18% | 1 | Unchanged
Canada | 6.08% | 2 | Unchanged
UK | 3.65% | 5 | 5 -> 3
Germany | 3.41% | 4 | Unchanged
United Arab Emirates | 2.68% | N/A | New

Victim Org Size

Size | Percentage | Last Period | Change
Small Business (500 or less) | 81.37% | 72.30% | +9.08%
Mid-Market (501-5000) | 15.20% | 16.62% | -1.43%
Large Enterprise (5000+) | 3.43% | 11.08% | -7.65%

Trending Adversaries

UNC5174, UNC6586, UNC6588, UNC6595, UNC6600, and UNC6603 all showed elevated activity during this period, with each leveraging React2Shell in different ways. These clusters focused on rapid exploitation, opportunistic targeting, and broad scanning behavior, contributing to the spike in intrusions tied to the vulnerability.

  • UNC5174
  • UNC6586
  • UNC6588
  • UNC6595
  • UNC6600
  • UNC6603

Trending & Actively Exploited Vulnerabilities

Attackers focused on new flaws across Chromium, Apple, Android, and Windows. Meta’s React Server Components issue tied directly into ongoing React2Shell exploitation. WinRAR, GeoServer, and ArrayOS AG vulnerabilities also saw increased targeting this period.

CVE | Vendor | Product
CVE-2025-14174 | Google | Chromium
CVE-2025-14611 | Gladinet | CentreStack and Triofox
CVE-2025-43529 | Apple | Multiple Products
CVE-2025-48572 | Android | Framework
CVE-2025-48633 | Android | Framework
CVE-2025-55182 | Meta | React Server Components
CVE-2025-58360 | OSGeo | GeoServer
CVE-2025-6218 | RARLAB | WinRAR
CVE-2025-62221 | Microsoft | Windows
CVE-2025-66644 | Array Networks | ArrayOS AG

Trending Malware

Trending Malware | Description
Aisuru | Massive IoT DDoS botnet and info-stealer targeting credentials and browser data.
DroidLock | Android malware used for device locking and ransom extortion.
EtherRAT | Lightweight RAT enabling remote control and data theft.
Glassworm | Worm-like loader spreading quickly across networks.
Shai-Hulud 2.0 | Updated stealer with improved evasion and data-harvest capabilities.
ValleyRAT | Modular RAT used in espionage campaigns with broad system access.

Top News

  • Contractors with hacking records accused of wiping 96 US government databases
  • EU fines X $140 million over deceptive blue checkmarks
  • Fortinet, Ivanti, and SAP Issue Urgent Patches for Authentication and Code Execution Flaws
  • Marquis data breach impacts over 74 US banks, credit unions
  • Over 10,000 Docker Hub images found leaking credentials, auth keys
  • Police takes down Cryptomixer cryptocurrency mixing service
  • React2Shell flaw exploited to breach 30 orgs, 77k IP addresses vulnerable
  • ShadyPanda browser extensions amass 4.3M installs in malicious campaign

Contributors

Written by Jeremy Nichols, former Director of the Global Threat Intelligence Center
Executive Summaries & Adversary Bios by Geoff Rehmet, Cybersecurity Expert
Produced & Distributed by Phish Tank Digital