Byer-Nichols Threat Brief Cybersecurity Data For October 1-15 2025

Executive Summary

The emergence of the Scattered LAPSUS$ Hunters “Trinity of Chaos” has made headlines in recent weeks with their daring extortion attempts of large enterprises whose data they had stolen from SalesForce instances. On the malware front, four of the top six trending variants target Android devices. In terms of victim locations, France and Spain make new appearances in the top 5, with the countries in the top 5 outside North America all being in Western Europe.

Report Links

Download Threat Brief For October 1-15 2025 📁

Byer-Nichols Threat Brief Podcast 10-15-2025 🎙️

Ransomware Actors

Ransomware	Percentage	Last Period	Two Ago
Qilin	26.70%	1	1
Scattered LAPSUS$ Hunters	11.89%	N/A	N/A
Sinobi	11.65%	21	23
Akira	8.01%	2	2
INC Ransom	5.34%	5	4

While Qilin continues to be the most prevalent ransomware actor, the Scattered LAPSUS$ Hunters “trinity of chaos” has jumped into second spot with an associated flurry of media attention as a result of their high-profile extortion activity. Tied to their attention-grabbing heists has been a noticeable uptick in the proportion of large bumps, the proportion of large enterprises falling victim to breaches. After a lull of about a month, we are also seeing Sinobi back in the top 5\.

Victim Sector

Sector	Percentage	Last period	Movement
manufacturing	15.53%	4	4 -> 1
retail	14.32%	5	5 -> 2
technology	13.11%	3	unchanged
financial-services	11.17%	1	1 -> 4
construction	8.98%	2	2 -> 5

Victim Location

Victim	Percentage	last period	Movement
USA	57.28%	1	Unchanged
France	5.34%		New
Canada	5.34%	5	5 -> 3
Spain	3.40%		New
Germany	2.43%	3	3 -> 5

Victim Org Size

Size	Percentage	Last period
Small Business (500 or less)	70.07%	81.47%
Mid-Market (501-5000)	16.79%	13.29%
Large Enterprise (5000+)	13.14%	5.24%

Trending Adversaries

• Crimson Collective
• Flax Typhoon
• Storm-1175
• Storm-2603
• Storm-2657
• TwoNet

Turning to trending adversaries, Crimson Collective targets tech firms and cloud environments for data theft and extortion. Flax Typhoon, a state-sponsored group, spies on Taiwanese organizations using legitimate software. Storm-1175 and 2603 deploy ransomware via GoAnywhere and SharePoint exploits, while Storm-2657 is responsible for hijacking US university payrolls. Pro-Russian TwoNet disrupts critical infrastructure. The most concerning of these is probably Flax Typhoon, due to its state backing and critical targets.

Trending & Actively Exploited Vulnerabilities

CVE	Vendor	Product
CVE-2025-10035	Forta	GoAnywhere MFT
CVE-2025-21043	Samsung	Mobile Devices
CVE-2025-24990	Microsoft	Windows
CVE-2025-27915	Synacor	Zimbra Collaboration Suite (ZCS)
CVE-2025-4008	Smartbedded	Meteobridge
CVE-2025-47827	IGEL	IGEL OS
CVE-2025-54253	Adobe	Experience Manager (AEM) Forms
CVE-2025-59230	Microsoft	Windows
CVE-2025-61882	Oracle	E-Business Suite
CVE-2025-6264	Rapid7	Velociraptor

Recent trending vulnerabilities span major vendors—Microsoft, Adobe, Oracle, Samsung, and others—impacting critical enterprise platforms, mobile devices, and collaboration tools. Exploitation could enable data theft, remote code execution, or service disruption. Security managers should prioritize rapid patching, monitor for exploitation indicators, and reinforce endpoint and application hardening across both infrastructure and user-facing systems. Arguably the greatest immediate risk exists in CVE-2025-54253 (Adobe AEM Forms) as it allows remote code execution without user interaction, and has a public proof-of-concept exploit.

Trending Malware

Malware	Details
ClayRat	A new and rapidly evolving Android spyware campaign that appears to be mainly targeting Russian users. Once active, ClayRat exfiltrates SMS messages, call logs and device information. It is mainly being distributed via Telegram channels and phishing sites, using social engineering and web-based deception.
Klopatra	Klopatra is another new variety of Android malware: a banking trojan. The majority of infections have been reported in Spain and Italy. A concerning characteristic is that it uses a commercial grade code protection suite, which results it is being very hard to detect and analyze. Evidence suggests that Klopatra is being operated by a Turkish speaking group.
ProSpy	ProSpy is one of two new Android malware varieties recently discovered by ESET. ProSpy impersonates upgrades or plugins to the Signal and ToTok apps. The app is only installed via malicious websites and is not available via the Play Store. Once installed, ProSpy maintains persistence and exfiltrates sensitive data from compromised devices.
PureRat	Suspected Vietnamese hackers have launched a phishing campaign distributing the PureRAT trojan. The attack began with phishing emails disguised as copyright notices, containing a ZIP file with a malicious DLL and fake PDF reader that initiated a 10-stage infection chain. Early stages used Python-based info-stealing scripts, followed by compiled .NET executables that employed process hollowing and exploited Windows defenses. The final payload, PureRAT, established encrypted command-and-control channels and enabled detailed host fingerprinting for attacker control.
RondoDox	The RondoDox botnet campaign has broadened its scope to exploit over 50 vulnerabilities across more than 30 vendors, using what researchers describe as an “exploit shotgun” approach. According to Trend Micro, the malware targets a wide array of internet-exposed infrastructure—including routers, DVRs, NVRs, CCTV systems, and web servers. A RondoDox intrusion attempt was detected on June 15, 2025, leveraging the TP-Link Archer router flaw (CVE-2023-1389), which has been repeatedly exploited since 2022. First identified by Fortinet in July 2025, RondoDox is known to compromise devices like TBK DVRs and Four-Faith routers to build a botnet used for DDoS attacks via HTTP, UDP, and TCP protocols.
ToSpy	ToSpy is a variety of Android malware related to the previously mentioned ProSpy. ToSpy targets ToTok users exclusively, unlike ProSpy, which also targets Signal users. Both varieties of malware have had confirmed detections in the UAE, potentially indicating regionally targeted operations.

Top News

• Adobe Analytics bug leaked customer tracking data to other tenants
• Clop exploited Oracle zero-day for data theft since early August
• HackerOne paid $81 million in bug bounties over the past year, Zeroday Cloud hacking contest offers $4.5 million in bounties, Apple now offers $2 million for zero-click RCE vulnerabilities
• Hackers claim Discord breach exposed data of 5.5 million users
• LinkedIn sues ProAPIs for using 1M fake accounts to scrape user data
• North Korean hackers stole over $2 billion in crypto this year, US seizes $15 billion in crypto from 'pig butchering' kingpin
• Red Hat confirms security incident after hackers claim GitHub breach
• SonicWall firewall configs stolen for all cloud backup customers

Contributors

Written by Jeremy Nichols, former Director Of The Global Threat Intelligence Center
Executive Summaries & Adversary Bio’s by Geoff Rehmet, Cybersecurity Expert
Produced & Distributed By Byer Co Cybersecurity Marketing Division (aka Phish Tank Digital)