Executive Summary
One of the most concerning developments over this period has been the discovery of “zero-click” vulnerabilities in Samsung mobile devices, which have already been actively exploited by the Landfall spyware. We have also seen a newcomer in the ransomware space – Kazu, a group focused on data theft. Meanwhile, Akira, a perennial ransomware actor, is now believed to have made over $244 million from its malicious activities.
Report Links
Download Threat Brief For November 1-15 2025
Byer-Nichols Threat Brief Podcast 11-15-2025
Ransomware Actors
| Ransomware | Percentage | Last Period | Two Periods Ago |
|---|---|---|---|
| Qilin | 14.24% | 1 | 1 |
| Akira | 11.34% | 2 | 4 |
| Kazu | 10.17% | N/A | N/A |
| INC Ransom | 8.14% | 8 | 5 |
| CL0P | 7.85% | 4 | 39 |
CL0P, which made a resurgence in the previous period, remains active in the top 5. A relative newcomer is Kazu, an actor focused on data theft, which has only shown visible activity in this period. Amongst its victims are Doctor Alliance in Texas, which provides billing and management services to physicians, as well as government agencies in Colombia. Indications are that Kazu is exploiting vulnerabilities in web applications.
Victim Sector
| Sector | Percentage | Last period | Movement |
|---|---|---|---|
| manufacturing | 20.06% | 1 | Unchanged |
| technology | 11.34% | 5 | 5 -> 2 |
| financial-services | 11.05% | 2 | 2 -> 3 |
| construction | 9.59% | 3 | 3 -> 4 |
| retail | 9.01% | 4 | 4 -> 5 |
Victim Location
| Location | Percentage | Last Period | Movement |
|---|---|---|---|
| USA | 47.97% | 1 | Unchanged |
| Mexico | 4.07% | New | |
| UK | 3.20% | New | |
| Austria | 2.91% | New | |
| Canada | 2.62% | 3 | 3 -> 5 |
Victim Org Size
| Size | Percentage | Last period |
|---|---|---|
| Small Business (500 or less) | 70.03% | 70.07% |
| Mid-Market (501-5000) | 19.58% | 16.79% |
| Large Enterprise (5000+) | 10.39% | 13.14% |
Trending Adversaries
A common trend among the adversaries trending in this period is nation-state alignment or sponsorship for the purposes of sabotage or espionage. Some groups are being particularly meticulous in establishing stealthy persistent access, such as the Russian-aligned Curly COMrades, who are using Hyper-V to run Linux VMs on victim machines as a method of avoiding detection by EDR tools. Potentially the most concerning adversary is Sandworm, due to its capacity for large-scale destructive attacks (wipers), especially against critical infrastructure and Ukraine’s economy.
- APT37
- Curly COMrades
- Sandworm
- Tick
- UAC-0099
Trending & Actively Exploited Vulnerabilities
Actively exploited vulnerabilities during this period are predominantly flaws that allow unauthenticated Remote Code Execution (RCE) or privilege escalation, leading to full system compromise. The targets are diverse, including enterprise software (Gladinet file sharing), the Windows kernel and the network perimeter (WatchGuard firewalls). A particularly concerning vulnerability is CVE-2025-21042, a “zero-click” flaw affecting Samsung mobile devices, which is being actively exploited by the Landfall spyware.
| CVE | Vendor | Product |
|---|---|---|
| CVE-2025-12480 | Gladinet | Triofox |
| CVE-2025-62215 | Microsoft | Windows |
| CVE-2025-9242 | WatchGuard | Firebox |
| CVE-2025-21042 | Samsung | Mobile Devices |
| CVE-2025-48703 | CWP | Control Web Panel |
| CVE-2025-11371 | Gladinet | CentreStack and Triofox |
| CVE-2025-61932 | Motex | Lanscope Endpoint Manager |
| CVE-2025-64446 | Fortinet | Fortiweb |
| CVE-2025-59367 | ASUS | DSL Series Routers |
| CVE-2025-20354 | Cisco | Unified Contact Center Express |
Trending Malware
| Trending Malware | Details |
|---|---|
| GlassWorm | GlassWorm is a self-propagating malware that infects Visual Studio Code extensions on the Open VSX marketplace, compromising tens of thousands of developer machines. It spreads stealthily using invisible printable Unicode characters and leverages both the Solana blockchain and Google Calendar for resilient command-and-control. Like the earlier Shai-hulud worm, it focuses on harvesting developer credentials—including NPM, GitHub, Git, and crypto wallets—and then uses those stolen credentials to further propagate. |
| LandFall | LANDFALL is a previously unknown Android spyware family delivered through malicious DNG image files that exploited a zero-day flaw (CVE-2025-21042) in Samsung’s image processing library. Attackers sent these weaponised images—likely via WhatsApp—to trigger silent compromise without user interaction. The campaign operated as early as mid-2024 and reflects a broader pattern of image-processing vulnerabilities across mobile platforms. Although the flaw was patched in April 2025 (and a similar one in September), LANDFALL provides a rare look at an advanced, commercial-grade spyware operation that remained unreported during its active use. |
| PromptFlux | PromptFlux is an experimental malware strain that uses Google’s Gemini chatbot to continuously rewrite its own code in an attempt to evade antivirus detection. Its “Thinking Robot” module periodically sends prompts to Gemini—via Google’s API—requesting small code blocks or functions intended to improve stealth. This allows the malware to evolve in near real time, theoretically even regenerating its entire codebase on an hourly basis. However, researchers have questioned its practical effectiveness, noting that the prompts are vague and unlikely to consistently produce meaningful evasion techniques. Overall, PromptFlux illustrates early experimentation in using generative AI for automated malware adaptation, even if its real-world impact remains uncertain. |
| PromptSteal | Also recently discovered by Google, PromptSteal is a malware tool that leverages Hugging Face–hosted language models to generate short Windows commands for reconnaissance and data theft. Disguised as an image generation application, it silently runs these LLM-generated commands in the background to gather system information. By producing new scripts on demand, PromptSteal helps attackers avoid detection techniques that rely on spotting known code patterns. Google has linked its use to APT28, a Russia-aligned, GRU-associated threat actor operating in Ukraine. This represents the first observed case of malware querying an LLM in active, real-world attacks. |
| SesameOp | SesameOp is a novel backdoor that uses the OpenAI Assistants API as its command-and-control channel, allowing attackers to fetch and relay instructions in a stealthy, non-traditional way. The malware queries the API to obtain stored commands, which it then executes inside the compromised environment. Discovered in July 2025, SesameOp had enabled unknown threat actors to maintain long-term persistence through a network of internal web shells and strategically placed malicious processes. These processes relied on compromised Visual Studio utilities using AppDomainManager injection to execute attacker-controlled code. Overall, SesameOp demonstrates a sophisticated use of legitimate AI services to mask C2 activity and evade detection. |
| SleepyDuck | SleepyDuck is a remote access trojan that infiltrates systems by posing as a legitimate Solidity extension for Visual Studio Code, allowing attackers to target developers through a trusted workflow. Distributed via the community-driven Open VSX registry—which lacks strict vetting and publisher verification—the malicious extension enabled efficient, scalable supply-chain compromise. Once installed, SleepyDuck provides persistent access and uses blockchain-based mechanisms for command and control, enhancing stealth and resilience. The campaign exploits developer trust in familiar extension names and the lower scrutiny of Open VSX compared to Microsoft’s marketplace. Overall, SleepyDuck highlights how open development ecosystems can be weaponised to deliver advanced malware to decentralized teams. |
Top News
- “Bitcoin Queen” gets 11 years in prison for $7.3 billion Bitcoin scam
- Hacker steals over $120 million from Balancer DeFi crypto protocol
- Open VSX rotates access tokens used in supply-chain malware attack
- Police arrests suspects linked to €600 million crypto fraud ring
- SonicWall says state-sponsored hackers behind security breach in September
- US announces new strike force targeting Chinese crypto scammers
- US Congressional Budget Office hit by suspected foreign cyberattack
- US sanctions North Korean bankers linked to cybercrime, IT worker fraud
Contributors
Written by Jeremy Nichols, former Director Of The Global Threat Intelligence Center
Executive Summaries & Adversary Bios by Geoff Rehmet, Cybersecurity Expert
Produced & Distributed By Byer Co Cybersecurity Marketing Division (aka Phish Tank Digital)