Executive Summary
Of concern in this period is an increase in attackers compromising devices from vendors including SonicWall and especially TP-Link. With many of these being consumer devices, compromises often go undetected for long periods, if they are ever noticed. On the malware side, two malware variants that target Android devices are showing notable activity. In terms of victim locations, a notable change is that two Asian countries (India and South Korea) are featuring in the top five.
Report Links
Download Threat Brief For September 1-15 2025 📁
Byer-Nichols Threat Brief Podcast 09-15-2025 🎙️
Top Ransomware
| Ransomware | Percentage | AugH2 | AugH1 | change |
|---|---|---|---|---|
| Qilin | 13.18% | 15.25% | 20.08% | 1 -> 1% |
| Akira | 11.49% | 7.33% | 14.17% | 5 -> 2% |
| The Gentlemen | 11.15% | New | ||
| PLAY | 10.81% | New | ||
| INC Ransom | 8.45% | New |
Once again, Qilin claims the top spot, but with a steadily decreasing percentage of attacks. Akira is the only other actor from our previous top 5 that still manages to stake a place. Three new actors, namely The Gentlemen, PLAY and INC Ransom make their way into the top 5. The Gentlemen, a previously undocumented group is notable for its use of highly tailored tools to bypass enterprise endpoint protection.
Victim Sector
| Sector | Percentage | AugH2 | AugH1 | change |
|---|---|---|---|---|
| manufacturing | 16.55% | 16.13% | 16.54% | 1->1 |
| technology | 15.88% | 15.25% | 8.27% | 2->2 |
| construction | 14.53% | 13.20% | 13.39% | 4->3 |
| retail | 12.84% | 13.78% | 11.02% | 3->4 |
| financial-services | 12.84% | 11.14% | 8.27% | 5->5 |
Victim Location
| Victim | Percentage | AugH2 | AugH1 | change |
|---|---|---|---|---|
| USA | 53.38% | 52.20% | 57.48% | 1->1% |
| South Korea | 4.05% | New | ||
| Canada | 3.72% | 5.28% | 3.15% | 3->3% |
| France | 3.72% | 2.05% | 5->4% | |
| India | 2.70% | New |
Victim Org Size
| Size | Percentage | AugH2 | AugH1 |
|---|---|---|---|
| Small Business (500 or less) | 84.07% | 82.65% | 84.25% |
| Mid-Market (501-5000) | 13.90% | 14.41% | 12.99% |
| Large Enterprise (5000+) | 2.03% | 2.94% | 2.76% |
Trending Adversaries
- APT29
- APT28
- Mustang Panda
- The Gentlemen
- WhiteCobra
- Yurei
APT28 and APT29, better known as Fancy Bear and Cozy Bear are up to their tricks again. Both are Russian state-sponsored groups involved in espionage. Of particular note, APT28 has been detected using a new Microsoft Outlook backdoor called NotDoor. Not to be outdone by the Russians, the Chinese group Mustang Panda has been noted for its exploits in targeting a Philippine military company in an espionage campaign. Users of the VSCode and OpenVSX marketplaces should take note of WhiteCobra, an actor responsible for planning 24 malicious extensions.
Trending & Actively Exploited Vulnerabilities
| CVE | Vendor | Product |
|---|---|---|
| CVE-2020-24363 | TP-Link | TL-WA855RE |
| CVE-2023-50224 | TP-Link | TL-WR841N |
| CVE-2024-40766 | SonicWall | SonicOS |
| CVE-2025-38352 | Linux | Kernel |
| CVE-2025-48543 | Android | Runtime |
| CVE-2025-5086 | Dassault Systèmes | DELMIA Apriso |
| CVE-2025-53690 | Sitecore | Multiple Products |
| CVE-2025-55177 | Meta Platforms | |
| CVE-2025-6202 | SK Hynix | DDR5 |
| CVE-2025-9377 | TP-Link | Multiple Routers |
In this period, we have seen significant activity relating to 3 vulnerabilities that impact TP-Link devices that have reached end of life. While TP-Link has released patches, it is advisable for owners of these devices replace them rather than continue using obsolete hardware whose firmware is not being actively maintained. Another notable vulnerability is CVE-2025-55177 which is a “zero-click” vulnerability affecting WhatsApp on iOS and MacOS and which allows processing of content from an arbitrary URL on a target’s device. There is evidence that this vulnerability has been exploited in the wild.
Trending Malware
| Malware | Details |
|---|---|
| Brokewell | Through exploitation of Meta’s ad platforms, threat actors are tricking Android users into installing fake Tradingview apps, which install a version of the Brokewell malware, which is an infostealer that captures credentials, intercepts MFA codes and drains crypto wallets. |
| EggStreme | This is a sophisticated fileless multi-stage toolset, ostensibly used by a Chinese APT group. The core component “EggStreamAgent” is a backdoor which enables reconnaissance, lateral movement and data theft. A recent notable victim was a Philippine military company |
| HybridPetya | This is a copy of the notorious Petya/NotPetya malware which adds the capability to compromise UEFI-based systems and weaponizes CVE-2024-7344 to bypass UEFI Secure Boot on older systems |
| RatOn | RatOn is an Android banking trojan that combines the capabilities of a Remote Access Trojan with a Near Field Communication (NFC) relay. It is fitted with account takeover capabilities targeting crypto wallets and is also capable of automatic money transfers abusing a bank application used in the Czech Republic |
| SnakeDisk | A previously unknown USB worm, known as SnakeDisk has been used together with the TONESHELL backdoor by a China-aligned actor called Mustang Panda. The worm limits its execution to devices with Thailand-based IP addresses and drops the Yokai backdoor. |
| StealC | A very sophisticated social engineering campaign is using a convincing multilingual phishing site to deliver the StealC infostealer. The attack begins with an email warning victims that their Facebook account is at risk of being suspended because of a policy violation. |
Top News
- AI-powered malware hit 2,180 GitHub accounts in “s1ngularity” attack
- Cloudflare blocks largest recorded DDoS attack peaking at 11.5 Tbps, DDoS defender targeted in 1.5 Bpps denial-of-service attack
- Hackers breach fintech firm in attempted $130M bank heist
- Hackers hijack npm packages with 2 billion weekly downloads in supply chain attack
- Hackers steal 3,325 secrets in GhostAction GitHub supply chain attack
- Hackers use new HexStrike-AI tool to rapidly exploit n-day flaws
- US charges admin of LockerGoga, MegaCortex, Nefilim ransomware
- US offers $10 million bounty for info on Russian FSB hackers
Contributors
Written by Jeremy Nichols, former Director Of The Global Threat Intelligence Center
Executive Summaries & Adversary Bio’s by Geoff Rehmet, Cybersecurity Expert
Produced & Distributed By Byer Co Cybersecurity Marketing Division (aka Phish Tank Digital)