Executive Summary
Of concern in this period is a rise in attacks against Cisco ASA and IOS XE devices, highlighting the exposure of critical network infrastructure. On the malware side, Brickstorm and MetaStealer are showing increased activity, with several lightweight loaders tied to state-backed groups also in play. In terms of victims, the United States continues to dominate, though South Korea has emerged among the top five impacted countries due to a big Qilin dump.
Report Links
Download Threat Brief For September 16-30 2025
Byer-Nichols Threat Brief Podcast 09-30-2025
Top Ransomware
| Ransomware | Percentage | Last Period | Two Ago |
|---|---|---|---|
| Qilin | 21.07% | 1 | 1 |
| Akira | 11.64% | 2 | 4 |
| PLAY | 10.69% | 4 | 12 |
| INC Ransom | 5.97% | 5 | 8 |
| Kill Security | 5.03% | 7 | 27 |
- Qilin leads activity this period with 21% of observed incidents, maintaining the top spot.
- Akira (11.6%) continues its upward climb, moving from 4th to 2nd place.
- PLAY ransomware surged into the top 3, climbing from 12th place two periods ago.
- INC Ransom (6%) and Kill Security (5%) round out the top 5, with Kill Security making the most notable leap (27th → 7th → 5th).
Victim Sector
| Sector | Percentage |
|---|---|
| financial-services | 18.53% |
| construction | 17.13% |
| technology | 16.08% |
| manufacturing | 12.59% |
| retail | 8.39% |
Victim Location
| Victim | Percentage |
|---|---|
| USA | 54.20% |
| South Korea | 7.69% |
| Germany | 5.59% |
| UK | 3.85% |
| Canada | 3.15% |
Victim Org Size
| Size | Percentage |
|---|---|
| Small Business (500 or less) | 81.47% |
| Mid-Market (501-5000) | 13.29% |
| Large Enterprise (5000+) | 5.24% |
Trending Adversaries
- ArcaneDoor: Espionage campaign exploiting Cisco devices.
- Nimbus Manticore: Iran-linked APT using custom malware.
- Phantom Taurus: China-based espionage group targeting government and telecommunications.
- Scattered Spider: Social engineering crew turned ransomware operation. Still active despite arrests.
- Storm-1516: Russian influence/disinformation operation.
- UNC5174: China-linked stealth actor targeting a VMware zero-day.
APT28 and APT29, better known as Fancy Bear and Cozy Bear, are up to their tricks again. Both are Russian state-sponsored groups involved in espionage. Of particular note, APT28 has been detected using a new Microsoft Outlook backdoor called NotDoor. Not to be outdone by the Russians, the Chinese group Mustang Panda has been noted for targeting a Philippine military company in an espionage campaign. Users of the VSCode and OpenVSX marketplaces should take note of WhiteCobra, an actor responsible for planting 24 malicious extensions.
Trending & Actively Exploited Vulnerabilities
| CVE | Vendor | Product |
|---|---|---|
| CVE-2021-21311 | Adminer | Adminer |
| CVE-2025-10035 | Fortra | GoAnywhere MFT |
| CVE-2025-10585 | Chromium V8 | |
| CVE-2025-20333 | Cisco | Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense |
| CVE-2025-20352 | Cisco | IOS and IOS XE |
| CVE-2025-20362 | Cisco | Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense |
| CVE-2025-30247 | Western Digital | My Cloud |
| CVE-2025-32463 | Sudo | Sudo |
| CVE-2025-59689 | Libraesva | Email Security Gateway |
| CVE-2025-9242 | WatchGuard | Fireware OS |
This period highlights critical flaws in Cisco ASA and IOS XE devices, exposing core infrastructure to takeover. Fortra's GoAnywhere MFT and Google's Chromium V8 were also actively exploited, with attackers leveraging them for data theft and browser-based attacks. A vulnerability in Western Digital My Cloud further underscores the risk to storage systems, making timely patching essential.
Trending Malware
| Malware | Description |
|---|---|
| Brickstorm | Brickstorm is a malware variant that has been particularly focused on organizations in the USA and is currently being tracked by the Google Threat Intelligence Group. Most notably it is targeting legal services, SaaS providers, Business Process Outsourcers and Technology. This malware is believed to be the work of the UNC5221 group, suspected to be of Chinese origin. The group appears to be focused on establishing long-term persistence on devices that do not support EDR tools. |
| MetaStealer | MetaStealer is an infostealer that is believed to have emerged on underground marketplaces and has been advertised as an upgrade of the RedLine Stealer Variant2. It is available on a subscription basis for USD 125 per month, or USD 1000 for a lifetime subscription. This relatively affordable subscription model is likely to be attractive to criminal groups interested in stealing credentials. |
| MiniBrowse | A trending adversary, the Iran-based Nimbus Manticore, also tracked as UNC1549, is engaging in sustained cyberespionage activities targeting defense manufacturing, telecommunications and aviation. They have been observed to be particularly active in Western Europe. One of the tools in their arsenal is the MiniBrowse infostealer, which has separate versions for stealing credentials from the Chrome and Edge browsers. |
| MiniJunk | Another tool used by Nimbus Manticore is MiniJunk, a highly obfuscated backdoor used to achieve persistent access. Analysis performed by Check Point indicates that it is a much improved version of MiniBike. |
| Obscura | Obscura is a previously unseen ransomware variant which was observed by analysts at Huntress in late August 2025. The name was taken from the file name of the ransom note (README_Obscura.txt). This particular ransomware filters the files it encrypts to maximize damage to user data while trying to preserve system functionality. |
| Shai-Hulud | Shai-Hulud is a self-replicating worm which is being used in a supply chain attack on the Node Package Manager (npm) ecosystem. What is significant about Shai-Hulud is that it utilizes automated propagation to achieve scale. Analysts at Palo Alto Networks' Unit 42 have assessed with a moderate degree of confidence that an LLM was used to create this malicious bash script. This assessment is partly based on the comments and emojis included in it. |
Brickstorm has emerged as a disruptive malware aimed at large-scale compromise, while MetaStealer continues to grow as a Mac-focused infostealer. MiniBrowse and MiniJunk, linked to Nimbus Manticore, act as lightweight loaders for follow-on payloads. Obscura enhances evasion, and Shai-Hulud shows worm-like traits that raise concerns of self-propagation.
Top News
- Canada dismantles TradeOgre exchange, seizes $40 million in crypto
- Cloudflare mitigates new record-breaking 22.2 Tbps DDoS attack
- Google nukes 224 Android malware apps behind massive ad fraud campaign
- Police dismantles crypto fraud ring linked to €100 million in losses
- Police seizes $439 million stolen by cybercrime rings worldwide
- Self-propagating supply chain attack hits 187 npm packages
- UK arrests 'Scattered Spider' teens linked to Transport for London hack
- UK arrests suspect for RTX ransomware attack causing airport disruptions
Contributors
Written by Jeremy Nichols, former Director Of The Global Threat Intelligence Center
Executive Summaries & Adversary Bios by Geoff Rehmet, Cybersecurity Expert
Produced & Distributed By Byer Co Cybersecurity Marketing Division (aka Phish Tank Digital)