Byer-Nichols Threat Brief Cybersecurity Data For October 1-15 2025

Executive Summary

The emergence of the Scattered LAPSUS$ Hunters "Trinity of Chaos" has made headlines in recent weeks with their daring attempts to extort large enterprises whose data they had stolen from Salesforce instances. On the malware front, four of the top six trending variants target Android devices. In terms of victim locations, France and Spain make new appearances in the top 5, and every top-5 country outside North America is in Western Europe.

Report Links

Download Threat Brief For October 1-15 2025 📁

Byer-Nichols Threat Brief Podcast 10-15-2025 🎙️

Ransomware Actors

Ransomware                   Percentage   Rank last period   Rank two periods ago
Qilin                        26.70%       1                  1
Scattered LAPSUS$ Hunters    11.89%       N/A                N/A
Sinobi                       11.65%       21                 23
Akira                         8.01%       2                  2
INC Ransom                    5.34%       5                  4

While Qilin continues to be the most prevalent ransomware actor, the Scattered LAPSUS$ Hunters "Trinity of Chaos" has jumped into second spot, bringing a flurry of media attention as a result of their high-profile extortion activity. Tied to their attention-grabbing heists has been a noticeable uptick in the proportion of large enterprises falling victim to breaches. After a lull of about a month, we are also seeing Sinobi back in the top 5.

Victim Sector

Sector               Percentage   Rank last period   Movement
manufacturing        15.53%       4                  4 -> 1
retail               14.32%       5                  5 -> 2
technology           13.11%       3                  unchanged
financial-services   11.17%       1                  1 -> 4
construction          8.98%       2                  2 -> 5

Victim Location

Location   Percentage   Rank last period   Movement
USA        57.28%       1                  unchanged
France      5.34%       new                -
Canada      5.34%       5                  5 -> 3
Spain       3.40%       new                -
Germany     2.43%       3                  3 -> 5

Victim Org Size

Size (employees)              Percentage   Last period
Small Business (500 or less)  70.07%       81.47%
Mid-Market (501-5000)         16.79%       13.29%
Large Enterprise (5000+)      13.14%        5.24%

Trending Adversaries

  • Crimson Collective
  • Flax Typhoon
  • Storm-1175
  • Storm-2603
  • Storm-2657
  • TwoNet

Turning to trending adversaries, Crimson Collective targets tech firms and cloud environments for data theft and extortion. Flax Typhoon, a state-sponsored group, spies on Taiwanese organizations using legitimate software. Storm-1175 and Storm-2603 deploy ransomware via GoAnywhere and SharePoint exploits, while Storm-2657 is responsible for hijacking US university payrolls. Pro-Russian TwoNet disrupts critical infrastructure. The most concerning of these is probably Flax Typhoon, due to its state backing and critical targets.

Trending & Actively Exploited Vulnerabilities

CVE               Vendor       Product
CVE-2025-10035    Fortra       GoAnywhere MFT
CVE-2025-21043    Samsung      Mobile Devices
CVE-2025-24990    Microsoft    Windows
CVE-2025-27915    Synacor      Zimbra Collaboration Suite (ZCS)
CVE-2025-4008     Smartbedded  Meteobridge
CVE-2025-47827    IGEL         IGEL OS
CVE-2025-54253    Adobe        Experience Manager (AEM) Forms
CVE-2025-59230    Microsoft    Windows
CVE-2025-61882    Oracle       E-Business Suite
CVE-2025-6264     Rapid7       Velociraptor

Recent trending vulnerabilities span major vendors, including Microsoft, Adobe, Oracle and Samsung, and affect critical enterprise platforms, mobile devices, and collaboration tools. Exploitation could enable data theft, remote code execution, or service disruption. Security managers should prioritize rapid patching, monitor for exploitation indicators, and reinforce endpoint and application hardening across both infrastructure and user-facing systems. Arguably the greatest immediate risk is CVE-2025-54253 (Adobe AEM Forms), as it allows remote code execution without user interaction and has a public proof-of-concept exploit.

Trending Malware

Malware    Details
ClayRat    A new and rapidly evolving Android spyware campaign that appears to be mainly targeting Russian users. Once active, ClayRat exfiltrates SMS messages, call logs and device information. It is mainly being distributed via Telegram channels and phishing sites, using social engineering and web-based deception.
Klopatra   Klopatra is another new variety of Android malware, a banking trojan. The majority of infections have been reported in Spain and Italy. A concerning characteristic is that it uses a commercial-grade code protection suite, which makes it very hard to detect and analyze. Evidence suggests that Klopatra is being operated by a Turkish-speaking group.
ProSpy     ProSpy is one of two new Android malware varieties recently discovered by ESET. ProSpy impersonates upgrades or plugins for the Signal and ToTok apps. The app is distributed only via malicious websites and is not available on the Play Store. Once installed, ProSpy maintains persistence and exfiltrates sensitive data from compromised devices.
PureRAT    Suspected Vietnamese hackers have launched a phishing campaign distributing the PureRAT trojan. The attack began with phishing emails disguised as copyright notices, containing a ZIP file with a malicious DLL and a fake PDF reader that initiated a 10-stage infection chain. Early stages used Python-based info-stealing scripts, followed by compiled .NET executables that employed process hollowing and bypassed Windows defenses. The final payload, PureRAT, established encrypted command-and-control channels and enabled detailed host fingerprinting for attacker control.
RondoDox   The RondoDox botnet campaign has broadened its scope to exploit over 50 vulnerabilities across more than 30 vendors, using what researchers describe as an "exploit shotgun" approach. According to Trend Micro, the malware targets a wide array of internet-exposed infrastructure, including routers, DVRs, NVRs, CCTV systems, and web servers. A RondoDox intrusion attempt was detected on June 15, 2025, leveraging the TP-Link Archer router flaw (CVE-2023-1389), which has been repeatedly exploited since 2022. First identified by Fortinet in July 2025, RondoDox is known to compromise devices such as TBK DVRs and Four-Faith routers to build a botnet used for DDoS attacks over HTTP, UDP, and TCP.
ToSpy      ToSpy is a variety of Android malware related to the previously mentioned ProSpy. ToSpy targets ToTok users exclusively, unlike ProSpy, which also targets Signal users. Both varieties of malware have had confirmed detections in the UAE, potentially indicating regionally targeted operations.

Top News

  • Adobe Analytics bug leaked customer tracking data to other tenants
  • Clop exploited Oracle zero-day for data theft since early August
  • HackerOne paid $81 million in bug bounties over the past year, Zeroday Cloud hacking contest offers $4.5 million in bounties, Apple now offers $2 million for zero-click RCE vulnerabilities
  • Hackers claim Discord breach exposed data of 5.5 million users
  • LinkedIn sues ProAPIs for using 1M fake accounts to scrape user data
  • North Korean hackers stole over $2 billion in crypto this year, US seizes $15 billion in crypto from 'pig butchering' kingpin
  • Red Hat confirms security incident after hackers claim GitHub breach
  • SonicWall firewall configs stolen for all cloud backup customers

Contributors

Written by Jeremy Nichols, former Director of the Global Threat Intelligence Center
Executive Summaries & Adversary Bios by Geoff Rehmet, Cybersecurity Expert
Produced & Distributed by Byer Co Cybersecurity Marketing Division (aka Phish Tank Digital)