Executive Summary
As 2025 ended, vendor reports slowed down. Even reports of emerging threats slowed down a little. Could the bad guys also be taking a break? The reality seems less comforting: we are still seeing plenty of victims, and we are also seeing a significant number of actively exploited vulnerabilities. On a positive note, we have seen successes reported in the disruption of threat actor groups, including an Interpol-led action which resulted in the decryption of 6 ransomware strains and hundreds of arrests.
Report Links
Download Threat Brief For December 16-31 2025
Byer-Nichols Threat Brief Podcast 12-31-2025
Ransomware Actors
| Ransomware | Percentage | Last Period | Two Ago |
|---|---|---|---|
| Qilin | 20.98% | 1 | 1 |
| LockBit | 14.51% | 3 | N/A |
| SAFEPAY | 11.61% | 8 | 10 |
| Sinobi | 8.04% | 4 | 4 |
| Akira | 5.80% | 2 | 3 |
Qilin, one of the most prolific ransomware groups of 2025, closed the year as the most visible trending ransomware actor for the third period running. Qilin had listed over 1,000 victims on its leak site by late December, and its activity remained aggressive and industrialized, scaling attacks across the manufacturing, financial services, healthcare and government sectors.
Victim Sector
| Sector | Percentage | Previous | Movement |
|---|---|---|---|
| manufacturing | 17.63% | 4 | 4 -> 1 |
| construction | 12.95% | 1 | 1 -> 2 |
| retail | 12.28% | 5 | 5 -> 3 |
| technology | 10.71% | 3 | 3 -> 4 |
| financial-services | 9.15% | 2 | 2 -> 5 |
Victim Location
| Victim | Percentage | Previous | Movement |
|---|---|---|---|
| USA | 42.41% | 1 | 1 -> 1 |
| Germany | 5.80% | 4 | 4 -> 2 |
| Canada | 4.69% | 2 | 2 -> 3 |
| Spain | 3.79% | N/A | New |
| UK | 3.35% | 3 | 3 -> 5 |
Victim Org Size
| Size | Percentage | Previous | Change |
|---|---|---|---|
| Small Business (500 or fewer) | 83.11% | 81.37% | 1.74% |
| Mid-Market (501-5000) | 13.74% | 15.20% | -1.46% |
| Large Enterprise (5000+) | 3.15% | 3.43% | -0.28% |
Trending Adversaries
Threat groups like Evasive Panda, LongNosedGoblin, Mustang Panda, NoName057(16), TA2723, and AcademicFlare are showing a clear shift toward stealthier, long‑term intrusions using DNS manipulation, AitM attacks, and EDR evasion. Many abuse trusted channels such as software updates and academic lures. Their mix of espionage and disruption is increasingly sophisticated. Defenders should harden identity controls, use behavior‑based detection, secure DNS, retain logs, and prepare for DDoS‑style attacks.
- Evasive Panda
- LongNosedGoblin
- Mustang Panda
- NoName057(16)
- TA2723
- UNK_AcademicFlare
Trending & Actively Exploited Vulnerabilities
Actively exploited vulnerabilities highlight a surge in attacks against network edge devices, management platforms, and update mechanisms, enabling initial access, privilege escalation, or remote code execution. Firewalls (FortiGate, WatchGuard, SonicWall), infrastructure managers (HPE OneView, Cisco), and trusted update or database components (ASUS Live Update, MongoDB) are key targets, increasing blast radius and lateral movement risk. Defenders should urgently patch, restrict management interfaces, rotate credentials, monitor for exploitation indicators, and segment critical systems to limit impact.
| CVE | Vendor | Product |
|---|---|---|
| CVE-2023-52163 | Digiever | DS-2105 Pro |
| CVE-2025-13915 | IBM | API Connect |
| CVE-2025-14733 | WatchGuard | Firebox |
| CVE-2025-14847 | MongoDB | MongoDB and MongoDB Server |
| CVE-2025-20393 | Cisco | Multiple Products |
| CVE-2025-37164 | HPE | OneView |
| CVE-2025-40602 | SonicWall | SMA1000 appliance |
| CVE-2025-59374 | ASUS | Live Update |
| CVE-2025-59718 | Fortinet | Multiple Products |
| CVE-2025-59719 | Fortinet | FortiGate |
Trending Malware
| Trending Malware | Details |
|---|---|
| Cellik | Cellik is an Android remote-access trojan that gives attackers near-complete control of infected devices, offering advanced spyware capabilities such as real-time screen streaming, keylogging, camera and microphone access, and notification interception. It features a one-click APK builder that allows operators to bundle the RAT into legitimate apps—often selected directly from Google Play—making infection easy and convincing. Once installed, Cellik enables remote UI control, file and cloud storage access, and a hidden browser that hijacks sessions, captures form data, and abuses saved cookies. The malware also supports overlays and custom injection frameworks to steal credentials across multiple apps simultaneously. Sold as a subscription service on the dark web for as little as $150, Cellik stands out for combining Play Store integration, automation, and broad surveillance features at a relatively low cost. |
| GachiLoader | GachiLoader is a newly discovered Node.js‑based malware family that uses previously unseen PE injection techniques to evade traditional security tools. It spreads through the YouTube Ghost Network campaign, where compromised channels distribute malicious payloads at scale. The malware operates in two stages: a fast‑acting Node.js component that establishes persistence within seconds, followed by a PE injector that successfully deploys across modern Windows systems. Its real‑time API tracing allows it to study and bypass security software, giving it a high evasion rate. With over 127 samples found across multiple countries, GachiLoader highlights a growing shift toward advanced JavaScript‑runtime malware requiring new defensive strategies. |
| MacSync | MacSync Stealer is a macOS infostealer that disguises itself as a legitimate, code‑signed, and notarized Swift application, allowing it to infect systems with minimal user interaction. Once launched, the dropper retrieves its malicious payload from a command‑and‑control server, bypassing typical macOS warnings because it appears to come from a trusted developer. This technique exposes a weakness in Apple’s Gatekeeper system, which can be evaded by frequently re‑signing and re‑notarizing malware. MacSync Stealer targets high‑value users by stealing credentials, API keys, and crypto‑wallet data, and represents an evolution of the earlier Mac.c Stealer. Its distribution method reflects a broader trend of macOS malware increasingly hiding inside signed, legitimate‑looking applications to avoid detection. |
| RondoDox | RondoDox is a malware variety that previously made waves in November 2025 and has re-emerged as a trending threat once again. It is a stealthy botnet campaign that compromises internet-facing routers, DVRs, CCTV systems, and other network devices by exploiting multiple long-standing command-injection vulnerabilities. Overall, RondoDox represents an evolving, multi-architecture loader ecosystem targeting a wide range of vulnerable edge devices. |
| SantaStealer | SantaStealer is a Windows‑based infostealer, written in C, that recently surfaced on Russian‑language hacking forums and appears to be a rebranded version of BluelineStealer. It can steal credentials, documents, crypto‑wallet data, and other sensitive information from numerous applications, operating entirely in memory to reduce file‑based detection. Despite claims of stealth, early samples show weak evasion features, minimal anti‑analysis protections, and even plain‑text configuration data, making it relatively easy for researchers to study and track. The malware sends stolen data in compressed packets to its command‑and‑control server and is sold as a subscription service, with both monthly and lifetime pricing tiers. Researchers warn that future versions could become more dangerous if the developers add encryption, obfuscation, or stronger anti‑analysis techniques. |
| ToneShell | ToneShell is a next‑generation backdoor used by Mustang Panda that replaces PlugX and introduces far more advanced stealth, evasion, and modular capabilities. It disguises its command‑and‑control traffic using FakeTLS, making malicious communication appear identical to legitimate encrypted traffic and allowing it to bypass firewalls and EDR systems. ToneShell also uses AES‑128 with xmm‑register‑based decryption, randomized execution, anti‑VM/sandbox checks, and junk code to evade analysis, making it significantly harder to detect than its predecessors. Its modular design allows it to load additional payloads—such as TonePipeShell—for persistence even without direct internet access. These upgrades make ToneShell particularly concerning because it is actively evolving, widely deployed in politically sensitive campaigns across Southeast Asia, and engineered specifically to overcome the long‑known limitations of PlugX. |
Top News
- Amazon disrupts Russian GRU hackers attacking edge network devices
- Critical React2Shell flaw exploited in ransomware attacks
- France arrests Latvian for installing malware on Italian ferry
- Hackers drain $3.9M from Unleash Protocol after multisig hijack
- Interpol-led action decrypts 6 ransomware strains, arrests hundreds
- Trust Wallet confirms extension hack led to $7 million crypto theft
- US cybersecurity experts plead guilty to BlackCat ransomware attacks
- US seizes E-Note crypto exchange for laundering ransomware payments
Contributors
Written by Jeremy Nichols, former Director Of The Global Threat Intelligence Center
Executive Summaries & Adversary Bios by Geoff Rehmet, Cybersecurity Expert
Produced & Distributed By Phish Tank Digital