Byer-Nichols Cybersecurity Threat Brief: October 1-15, 2025
Digital Rage

Season: 2 | Episode: 41

Published: October 17, 2025

By: Byer Co

This episode covers the Byer-Nichols cybersecurity threat brief for the first half of October 2025. The brief analyzes the current threat landscape, highlighting the rapid rise of the new ransomware group Scattered LAPSUS$ Hunters, who now rank second in prevalence behind Qilin. It tracks victim data, noting that the USA remains the top target location while France and Spain have entered the top five, and breaks victims down by sector, with manufacturing and retail leading. It also outlines trending malware variants, many of which target Android devices (such as ClayRat and Klopatra), and lists actively exploited vulnerabilities across major vendors including Microsoft and Adobe. Finally, it identifies several trending adversaries, including the state-backed group Flax Typhoon, and summarizes recent cybersecurity news headlines involving data breaches and bug bounty programs.

Link: Byer-Nichols Cybersecurity Threat Brief: October 1-15, 2025

Episode Transcript

00:00:00 - 00:00:03
Welcome to the Deep Dive.
00:00:03 - 00:00:05
Today, we're cutting through the noise
00:00:05 - 00:00:08
and getting straight into the latest global threat intel.
00:00:08 - 00:00:10
- Yep, we've got the Byer-Nichols Threat Brief
00:00:10 - 00:00:13
right here covering the first half of October 2025.
00:00:13 - 00:00:16
- It's a pretty dense document, really a snapshot
00:00:16 - 00:00:18
of what's happening right now in cybersecurity.
00:00:18 - 00:00:21
- And our job, well our mission is to break this down
00:00:21 - 00:00:22
for you, the listener.
00:00:22 - 00:00:27
- Turn this mountain of data into something useful, actionable.
00:00:27 - 00:00:31
- Exactly, we're boiling it down to the critical bits,
00:00:31 - 00:00:34
the who, what, and where of the attacks
00:00:34 - 00:00:35
really shaking things up.
00:00:35 - 00:00:38
- And honestly, the big picture trends in this report,
00:00:38 - 00:00:40
they're pretty startling.
00:00:40 - 00:00:43
Three major shifts really stand out.
00:00:43 - 00:00:45
- Yeah, first up, there's this sudden,
00:00:45 - 00:00:47
almost violent arrival of a new player
00:00:47 - 00:00:48
in the ransomware game.
00:00:48 - 00:00:51
- Scattered LAPSUS$ Hunters, they're calling them
00:00:51 - 00:00:52
the Trinity of Chaos.
00:00:52 - 00:00:54
- That's them and they're like immediately changing
00:00:54 - 00:00:56
the whole extortion landscape.
00:00:56 - 00:00:57
It's quite dramatic.
00:00:57 - 00:00:58
- Okay, what second?
00:00:58 - 00:00:59
- Second is the tech focus.
00:00:59 - 00:01:01
It's, well, it's kind of surprising.
00:01:01 - 00:01:03
Android malware is just dominating.
00:01:03 - 00:01:03
- Really?
00:01:03 - 00:01:04
Android?
00:01:04 - 00:01:06
- Yeah, forget Windows for a second.
00:01:06 - 00:01:09
Four of the top six trending malware variants,
00:01:09 - 00:01:10
all targeting Android.
00:01:10 - 00:01:11
- Wow, that's it.
00:01:11 - 00:01:12
- Yeah, that's big,
00:01:12 - 00:01:14
an epidemic on the small screen basically.
00:01:14 - 00:01:17
- Pretty much and backed by some serious criminal
00:01:17 - 00:01:18
investment it looks like.
00:01:18 - 00:01:19
- Okay, and the third big shift.
00:01:19 - 00:01:21
- Geography.
00:01:21 - 00:01:23
The map of who's getting hit is widening.
00:01:23 - 00:01:26
North America is still king, no surprise there.
00:01:26 - 00:01:26
- Oh, yeah.
00:01:26 - 00:01:29
- We've got two new countries jumping into the top five
00:01:29 - 00:01:32
victim list, France and Spain.
00:01:32 - 00:01:33
- Interesting.
00:01:33 - 00:01:36
So a real shift towards Western Europe,
00:01:36 - 00:01:39
outside the usual suspects like the UK or Germany.
00:01:39 - 00:01:41
- Definitely indicates a successful,
00:01:41 - 00:01:43
concentrated push into those areas.
00:01:43 - 00:01:44
- Okay, let's unpack this.
00:01:44 - 00:01:46
Maybe start with the ransomware scene.
00:01:46 - 00:01:48
It sounds like there's been a major shakeup.
00:01:48 - 00:01:50
- Yeah, it's definitely volatile right now.
00:01:50 - 00:01:53
On one side, you've got some stability.
00:01:53 - 00:01:54
Qilin is still number one.
00:01:54 - 00:01:56
- Holding strong from the last couple of reports.
00:01:56 - 00:02:00
- Exactly, they've got about what, 26.70% share.
00:02:00 - 00:02:03
They're the baseline threat, consistent relentless.
00:02:03 - 00:02:05
- It puts with this stability and, she said.
00:02:05 - 00:02:08
- Pretty much because the number two spot,
00:02:08 - 00:02:12
it's taken by this group, the Scattered LAPSUS$ Hunters,
00:02:12 - 00:02:13
the Trinity of Chaos.
00:02:13 - 00:02:14
- And they weren't even on the list before.
00:02:14 - 00:02:15
- Nope.
00:02:15 - 00:02:16
- N/A, zero presence.
00:02:16 - 00:02:20
And now boom, they've grabbed almost 12%, specifically,
00:02:20 - 00:02:23
11.89% of reported activity.
00:02:23 - 00:02:25
- Just like that, in two weeks.
00:02:25 - 00:02:26
Just like that, to jump from nothing
00:02:26 - 00:02:29
to nearly 12% market share,
00:02:29 - 00:02:31
well, it's basically unheard of.
00:02:31 - 00:02:32
- So how are they doing it?
00:02:32 - 00:02:33
What's their method?
00:02:33 - 00:02:35
- It seems tied to their whole approach.
00:02:35 - 00:02:37
Very selective, very public.
00:02:37 - 00:02:41
They're not just mass encrypting, hoping for small payouts.
00:02:41 - 00:02:42
They're going after huge enterprises
00:02:42 - 00:02:45
with high profile extortion attempts.
00:02:45 - 00:02:46
It's all about leverage.
00:02:46 - 00:02:48
- Maximum pressure, maximum visibility.
00:02:48 - 00:02:49
- Exactly.
00:02:49 - 00:02:51
The report specifically mentions them,
00:02:51 - 00:02:52
hitting Salesforce, for instance,
00:02:52 - 00:02:53
stealing data from there.
00:02:53 - 00:02:56
- Oof, hitting the core CRM like that,
00:02:56 - 00:02:57
that guarantees pain.
00:02:57 - 00:02:58
And headlines.
00:02:58 - 00:03:00
- Right, maximum disruption, maximum public pressure.
00:03:00 - 00:03:02
And it's having a ripple effect.
00:03:02 - 00:03:03
- Oh, so.
00:03:03 - 00:03:05
- Well, the report links their activity directly
00:03:05 - 00:03:08
to this noticeable increase in what they call large bumps.
00:03:08 - 00:03:11
- Meaning more big companies getting hit.
00:03:11 - 00:03:13
- Yeah, a sharp sudden jump
00:03:13 - 00:03:15
in large enterprises falling victim.
00:03:15 - 00:03:18
This group is single-handedly changing the risk calculation
00:03:18 - 00:03:20
for like Fortune 500 type companies.
00:03:20 - 00:03:21
- Wow.
00:03:21 - 00:03:24
- So Qilin steady at one, LAPSUS$ Hunters
00:03:24 - 00:03:26
exploding into two.
00:03:26 - 00:03:27
Who else is in the mix?
00:03:27 - 00:03:29
- We've also got a comeback story.
00:03:29 - 00:03:31
Sinobi, they kind of faded,
00:03:31 - 00:03:33
were way down around 21st place.
00:03:33 - 00:03:34
- And now?
00:03:34 - 00:03:36
- Now they've surged back right into the top five
00:03:36 - 00:03:38
at 11.65%.
00:03:38 - 00:03:39
Just behind LAPSUS$.
00:03:39 - 00:03:41
- That's a huge jump too from 21st.
00:03:41 - 00:03:43
What does that suggest?
00:03:43 - 00:03:45
- It feels like a coordinated campaign launch.
00:03:45 - 00:03:47
Maybe they found a new exploit, something widespread,
00:03:47 - 00:03:50
and just went for it after lying low for a month or so.
00:03:50 - 00:03:53
- So the top three are Qilin, LAPSUS$, and Sinobi,
00:03:53 - 00:03:55
all pretty close in activity levels behind Qilin.
00:03:55 - 00:03:57
- Well, Qilin's got a clear lead,
00:03:57 - 00:03:58
but yeah, the next two are neck and neck.
00:03:58 - 00:04:00
Then you got Akira at about 8%,
00:04:00 - 00:04:02
and INC Ransom around 5.3%.
00:04:02 - 00:04:05
- So the big takeaway is this move towards elite,
00:04:05 - 00:04:07
high impact, very visible attacks,
00:04:07 - 00:04:10
targeting major players for big money or big disruption.
00:04:10 - 00:04:11
- Precisely.
00:04:11 - 00:04:13
Targeted maximum financial and reputational damage
00:04:13 - 00:04:16
seems to be the name of the game at the top end.
00:04:16 - 00:04:20
- Okay, so if the ransomware gangs are all about chaos
00:04:20 - 00:04:23
and big targets, what about the other trending adversaries,
00:04:23 - 00:04:26
the specialists, the state-sponsored groups?
00:04:26 - 00:04:28
- Yeah, they painted a slightly different,
00:04:28 - 00:04:31
maybe more strategic picture, a stark contrast actually.
00:04:31 - 00:04:33
- Who's most concerning on that list?
00:04:33 - 00:04:37
- The report flags Flax Typhoon as the big one to watch.
00:04:37 - 00:04:38
They're state-sponsored, that's confirmed.
00:04:38 - 00:04:39
- And their target.
00:04:39 - 00:04:43
- Taiwan, specifically spying on Taiwanese organizations,
00:04:43 - 00:04:45
but it's how they do it, that's interesting.
00:04:45 - 00:04:45
- Okay.
00:04:45 - 00:04:47
- They're masters of living off the land.
00:04:47 - 00:04:50
- They use legitimate tools already on the system,
00:04:50 - 00:04:52
not custom malware.
00:04:52 - 00:04:55
- Right, things like PowerShell, Standard Admin tools,
00:04:55 - 00:04:56
stuff that looks like normal activity.
00:04:56 - 00:04:58
- Exactly, it lets them blend in,
00:04:58 - 00:05:00
makes detection incredibly difficult,
00:05:00 - 00:05:02
they can stay hidden for ages.
00:05:02 - 00:05:05
- So stealthy, long-term espionage,
00:05:05 - 00:05:08
not noisy ransomware, points to national security goals,
00:05:08 - 00:05:09
not cash.
00:05:09 - 00:05:12
- Absolutely, pure intelligence gathering.
00:05:12 - 00:05:15
Then shifting gears, you've got pure financial crime,
00:05:15 - 00:05:18
but high tech financial crime, with the Crimson Collective.
00:05:18 - 00:05:19
- What's their niche?
00:05:19 - 00:05:20
- Modern infrastructure.
00:05:20 - 00:05:23
They're hitting tech firms, cloud environments specifically.
00:05:23 - 00:05:25
They're not after desktop files,
00:05:25 - 00:05:27
they want those big data lakes in the cloud.
00:05:27 - 00:05:30
- Data theft and extortion from cloud platforms,
00:05:30 - 00:05:32
makes sense that's where the crown jewels are now.
00:05:32 - 00:05:35
- Right, and it's harder to just drop ransomware
00:05:35 - 00:05:37
in a well-managed cloud setup,
00:05:37 - 00:05:39
so they pivot to stealing the data itself
00:05:39 - 00:05:41
and using that for leverage.
00:05:41 - 00:05:43
- Smart, in a criminal way.
00:05:43 - 00:05:45
- What are these storm groups?
00:05:45 - 00:05:46
Sound ominous.
00:05:46 - 00:05:47
- They're basically exploit specialists.
00:05:47 - 00:05:50
Think of them as the delivery crews
00:05:50 - 00:05:52
for ransomware or other payloads.
00:05:52 - 00:05:53
- So finding the way in.
00:05:53 - 00:05:54
- Exactly.
00:05:54 - 00:05:57
Storm 1175 and Storm 2603, for example,
00:05:57 - 00:06:00
they specialize in hitting major enterprise software,
00:06:00 - 00:06:01
things like GoAnywhere MFT,
00:06:01 - 00:06:04
that's managed file transfer, and SharePoint.
00:06:04 - 00:06:06
- Big collaboration and file sharing platforms, prime targets.
00:06:06 - 00:06:09
- They punch the initial holes in those
00:06:09 - 00:06:12
complex corporate networks, tactical entry teams essentially.
00:06:12 - 00:06:15
- There's another storm group mentioned, 2657.
00:06:15 - 00:06:16
They're different.
00:06:16 - 00:06:18
- Yeah, Storm 2657 stands out,
00:06:18 - 00:06:20
not necessarily for cutting-edge tech,
00:06:20 - 00:06:21
but for their target.
00:06:21 - 00:06:25
They're specifically hijacking US university payroll systems.
00:06:25 - 00:06:27
- University payrolls.
00:06:27 - 00:06:28
Why them?
00:06:28 - 00:06:30
Seems oddly specific.
00:06:30 - 00:06:30
- Well, think about it.
00:06:30 - 00:06:34
Universities often have a mix of valuable data research,
00:06:34 - 00:06:36
PII on faculty and students,
00:06:36 - 00:06:38
but maybe not the same level of security funding
00:06:38 - 00:06:39
as a big bank.
00:06:39 - 00:06:40
- Okay, makes sense.
00:06:40 - 00:06:41
And hitting pay--
00:06:41 - 00:06:42
- Hugely disruptive.
00:06:42 - 00:06:43
- People don't get paid.
00:06:43 - 00:06:46
It causes immediate widespread distress.
00:06:46 - 00:06:47
That forces the university's hand.
00:06:47 - 00:06:51
They need to pay quickly to get essential services back online.
00:06:51 - 00:06:54
- It's a very targeted way to inflict maximum pain quickly
00:06:54 - 00:06:55
on a potentially softer target.
00:06:55 - 00:06:59
- Exactly, a critical but maybe less hardened infrastructure
00:06:59 - 00:07:00
sector.
00:07:00 - 00:07:02
- And there's also a pro-Russian group mentioned.
00:07:02 - 00:07:02
TwoNet.
00:07:02 - 00:07:03
- Yep, their focus is clear.
00:07:03 - 00:07:06
Disrupting critical infrastructure, pure disruption,
00:07:06 - 00:07:08
political motives likely.
00:07:08 - 00:07:10
- So if we tie these threads together,
00:07:10 - 00:07:13
Flax Typhoon, Crimson Collective, the Storm groups,
00:07:13 - 00:07:17
TwoNet, even LAPSUS$, what's the common theme?
00:07:17 - 00:07:19
- I think it's specialization and professionalization,
00:07:19 - 00:07:23
really, whether it's state espionage, cloud data theft,
00:07:23 - 00:07:26
specific exploits, payroll hijacking,
00:07:26 - 00:07:27
or high stakes extortion.
00:07:27 - 00:07:28
- It's all very focused now.
00:07:28 - 00:07:30
- Right, we're moving past the era
00:07:30 - 00:07:33
of just opportunistic spray and pray attacks.
00:07:33 - 00:07:36
Every campaign seems tailored for maximum impact,
00:07:36 - 00:07:38
whether that's stealing secrets or causing chaos,
00:07:38 - 00:07:40
bespoke attacks.
00:07:40 - 00:07:42
- That level of specialization must mean
00:07:42 - 00:07:44
they're choosing their targets very carefully.
00:07:44 - 00:07:46
So who is getting hit?
00:07:46 - 00:07:48
Let's look at the victimology.
00:07:48 - 00:07:51
- Yeah, the shift in victim sectors is really telling.
00:07:51 - 00:07:53
It signals where attackers see the best opportunities
00:07:53 - 00:07:54
right now.
00:07:54 - 00:07:56
- And financial services is no longer number one.
00:07:56 - 00:07:58
That's huge news.
00:07:58 - 00:07:59
For years, that was the target.
00:07:59 - 00:08:02
- It was, but this period, major shakeup,
00:08:02 - 00:08:04
finance dropped significantly.
00:08:04 - 00:08:05
- So who took the top spots?
00:08:05 - 00:08:07
- Manufacturing jumped from fourth place
00:08:07 - 00:08:08
all the way to first.
00:08:08 - 00:08:10
- Now 15.53% of victims.
00:08:10 - 00:08:12
- Wow, and retail also surged.
00:08:12 - 00:08:16
- Yep, from fifth place up to second at 14.32%.
00:08:16 - 00:08:18
- Meanwhile, finance fell from first to fourth.
00:08:18 - 00:08:19
Only about 11%.
00:08:19 - 00:08:20
- That's right.
00:08:20 - 00:08:23
Technology held steady in third place at around 13%.
00:08:23 - 00:08:24
- What does that tell you?
00:08:24 - 00:08:27
Why the shift away from banks to factories and shops?
00:08:27 - 00:08:29
- I think it points to leverage.
00:08:29 - 00:08:31
Disrupting the physical world supply chains,
00:08:31 - 00:08:34
point of sale systems seems to offer a better,
00:08:34 - 00:08:36
or maybe just faster pay off right now.
00:08:36 - 00:08:38
- Faster than trying to cash out
00:08:38 - 00:08:40
stolen financial data, which can be tricky.
00:08:40 - 00:08:41
- Exactly.
00:08:41 - 00:08:43
If you shut down a factory line,
00:08:43 - 00:08:45
the cost of that downtime is immediate.
00:08:45 - 00:08:45
It's huge.
00:08:45 - 00:08:48
And the pressure to pay the ransom now is immense.
00:08:48 - 00:08:50
Same with retail POS systems.
00:08:50 - 00:08:54
- It's moving from data value to operational disruption value.
00:08:54 - 00:08:55
Makes sense.
00:08:55 - 00:08:57
- It's the difference between slow monetization
00:08:57 - 00:08:59
and immediate critical leverage.
00:08:59 - 00:09:02
- Okay, so manufacturing and retail are the hot sectors.
00:09:02 - 00:09:03
What about geographically?
00:09:03 - 00:09:05
USA still dominant.
00:09:05 - 00:09:06
- Overwhelmingly.
00:09:06 - 00:09:10
Holding steady at 57.28% of victims, no change there.
00:09:10 - 00:09:12
The US is still ground zero.
00:09:12 - 00:09:14
- But you mentioned changes in Europe.
00:09:14 - 00:09:15
- Yeah, the map is shifting a bit.
00:09:15 - 00:09:18
Canada is still in the top five, 5.34%.
00:09:18 - 00:09:20
Germany's there too, 2.43%.
00:09:20 - 00:09:20
- But the newcomers.
00:09:20 - 00:09:25
- France at 5.34% tied with Canada and Spain at 3.4%.
00:09:25 - 00:09:27
They're new to the top five this period.
00:09:27 - 00:09:28
- That can't be random.
00:09:28 - 00:09:31
What's driving that focus on France and Spain specifically?
00:09:31 - 00:09:32
- Could be a few things.
00:09:32 - 00:09:35
Maybe attackers developed tools better suited
00:09:35 - 00:09:38
for French or Spanish systems or languages.
00:09:38 - 00:09:39
Maybe they found some common vulnerabilities
00:09:39 - 00:09:41
or regulatory gaps there.
00:09:41 - 00:09:43
- Or maybe those markets are just seen
00:09:43 - 00:09:47
as slightly softer targets compared to the hyper-aware US,
00:09:47 - 00:09:48
or maybe even UK German markets.
00:09:48 - 00:09:50
- That's definitely possible.
00:09:50 - 00:09:54
A concentrated push into what they perceive as greener pastures.
00:09:54 - 00:09:55
- And you mentioned that this ties back
00:09:55 - 00:09:57
to the LAPSUS$ Hunters and the size of targets.
00:09:57 - 00:09:58
- Absolutely.
00:09:58 - 00:10:00
The data on organizational size
00:10:00 - 00:10:02
is maybe the most dramatic statistic in the whole report.
00:10:02 - 00:10:03
- Let's hear it.
00:10:03 - 00:10:05
- A percentage of victims that are large enterprises
00:10:05 - 00:10:09
defined as 5,000 or more employees, it nearly tripled.
00:10:09 - 00:10:10
- Tripled in one reporting period.
00:10:10 - 00:10:11
- Yep.
00:10:11 - 00:10:16
Went from 5.24% in the last brief to 13.14% now.
00:10:16 - 00:10:18
- That's staggering.
00:10:18 - 00:10:19
And that's the LAPSUS$ effect.
00:10:19 - 00:10:20
- Almost certainly.
00:10:20 - 00:10:22
It's the statistical footprint
00:10:22 - 00:10:24
of these groups going after the whales.
00:10:24 - 00:10:25
They've decided the extra effort
00:10:25 - 00:10:28
to breach a huge company is worth the potentially massive payout.
00:10:28 - 00:10:31
- So large enterprises are now firmly in the crosshairs,
00:10:31 - 00:10:33
not just occasional collateral damage.
00:10:33 - 00:10:36
- Their primary targets now, high priority.
00:10:36 - 00:10:37
- What about smaller companies?
00:10:37 - 00:10:39
Are they getting a break?
00:10:39 - 00:10:40
- Not exactly.
00:10:40 - 00:10:43
Mid-market companies, 501, 5,000 employees,
00:10:43 - 00:10:45
actually saw a bit of an increase too,
00:10:45 - 00:10:49
from about 13.3% to almost 16.8%.
00:10:49 - 00:10:50
- And small businesses?
00:10:50 - 00:10:51
Under 500 employees.
00:10:51 - 00:10:54
- Their share dropped from over 81%
00:10:54 - 00:10:56
down to about 70%.
00:10:56 - 00:10:58
So proportionally less,
00:10:58 - 00:10:59
but they're still the biggest group
00:10:59 - 00:11:02
by sheer volume, lots, lots of small businesses getting hit.
00:11:02 - 00:11:05
- But the key message for CISOs at big corporations
00:11:05 - 00:11:09
is the risk just went way, way up.
00:11:09 - 00:11:11
- Undeniably, the game has changed for them.
00:11:11 - 00:11:13
- Okay, here's where you said it gets really interesting.
00:11:13 - 00:11:17
The tools, the malware itself, and this focus on Android.
00:11:17 - 00:11:20
- Yeah, the sheer volume and sophistication here.
00:11:20 - 00:11:22
It suggests a major strategic investment
00:11:22 - 00:11:24
by attackers in mobile tooling.
00:11:24 - 00:11:25
- It's not just kids messing around.
00:11:25 - 00:11:27
This is serious stuff hitting phones.
00:11:27 - 00:11:28
- Definitely.
00:11:28 - 00:11:29
- They target mobile because, frankly,
00:11:29 - 00:11:31
it's often the weakest link
00:11:31 - 00:11:33
and it holds so much sensitive personal data.
00:11:33 - 00:11:35
- So let's break down these top Android threats.
00:11:35 - 00:11:37
You mentioned ClayRat first.
00:11:37 - 00:11:38
- Right, ClayRat is interesting.
00:11:38 - 00:11:40
It's spyware, evolving fast,
00:11:40 - 00:11:42
and seems mainly targeted at Russian users.
00:11:42 - 00:11:43
- Oh, it's spreading.
00:11:43 - 00:11:44
- Mostly through deception.
00:11:44 - 00:11:47
Social engineering via telegram channels,
00:11:47 - 00:11:48
phishing sites,
00:11:48 - 00:11:50
tricking users into sideloading the app,
00:11:50 - 00:11:53
basically installing it outside the official app store.
00:11:53 - 00:11:54
- And once it's on the phone.
00:11:54 - 00:11:56
- It's all about surveillance.
00:11:56 - 00:12:00
Hoovering up SMS texts, call logs, device info,
00:12:00 - 00:12:02
a complete digital eavesdropping tool.
00:12:02 - 00:12:06
- Suggests espionage or maybe deep financial intel gathering
00:12:06 - 00:12:07
on a specific group.
00:12:07 - 00:12:09
- Could be, and then you have Klopatra.
00:12:09 - 00:12:10
This one's different.
00:12:10 - 00:12:11
It's a banking Trojan.
00:12:11 - 00:12:13
- Aiming for money.
00:12:13 - 00:12:14
Where's it hitting?
00:12:14 - 00:12:15
- Primarily Spain and Italy,
00:12:15 - 00:12:18
which remember are our new European hotspots
00:12:18 - 00:12:19
in the victim list.
00:12:19 - 00:12:21
- Ah, connecting the dots.
00:12:21 - 00:12:23
What's special about Klopatra?
00:12:23 - 00:12:25
- Technically, it's using a commercial grade code
00:12:25 - 00:12:26
protection suite.
00:12:26 - 00:12:28
This is software legitimate companies used
00:12:28 - 00:12:31
to stop their code being copied or reverse engineered.
00:12:31 - 00:12:33
- And the criminals are using it to hide their malware.
00:12:33 - 00:12:34
- Exactly.
00:12:34 - 00:12:37
It makes Klopatra incredibly hard for security tools
00:12:37 - 00:12:40
to detect and for researchers to pull apart and analyze.
00:12:40 - 00:12:43
- That points to a well-funded professional operation.
00:12:43 - 00:12:44
- No doubt.
00:12:44 - 00:12:47
Intel suggests it's run by a Turkish speaking group
00:12:47 - 00:12:49
who've spotted an opportunity in Southern Europe
00:12:49 - 00:12:52
using high-end tools for mobile bank theft.
00:12:52 - 00:12:54
- Okay, and then there were two others.
00:12:54 - 00:12:56
ProSpy and ToSpy.
00:12:56 - 00:12:59
- Yeah, this pair seems focused on communication apps.
00:12:59 - 00:13:01
ProSpy pretends to be an update or plug-in
00:13:01 - 00:13:03
for apps like Signal and ToTok.
00:13:03 - 00:13:06
- While ToSpy just goes after ToTok users specifically.
00:13:06 - 00:13:08
- Right, laser focused on ToTok.
00:13:08 - 00:13:11
And like ClayRat, they avoid the Google Play Store.
00:13:11 - 00:13:13
Distribution is via malicious websites,
00:13:13 - 00:13:15
tricking users into installing them manually.
00:13:15 - 00:13:17
- And where are these being seen?
00:13:17 - 00:13:20
- Confirmed detections are heavily concentrated in the UAE.
00:13:20 - 00:13:23
- So another regionally targeted operation.
00:13:23 - 00:13:26
- Likely trying to intercept sensitive chats
00:13:26 - 00:13:29
in a region where those specific apps are popular.
00:13:29 - 00:13:29
- Looks that way.
00:13:29 - 00:13:32
- Targeted interception using apps people trust.
00:13:32 - 00:13:35
- It's really clear mobile isn't a side show anymore.
00:13:35 - 00:13:38
But you also mentioned some incredibly complex attacks
00:13:38 - 00:13:40
hitting like core infrastructure.
00:13:40 - 00:13:41
Tell us about PureRAT.
00:13:41 - 00:13:42
- Ah, PureRAT.
00:13:42 - 00:13:45
This one's attributed to suspected Vietnamese hackers
00:13:45 - 00:13:48
and it's just a master class in complexity and stealth.
00:13:48 - 00:13:49
- How complex are we talking?
00:13:49 - 00:13:52
- We're talking a 10 stage infection chain.
00:13:52 - 00:13:55
- 10 distinct steps just to get the final payload
00:13:55 - 00:13:56
running and hidden.
00:13:56 - 00:13:58
- 10 stages.
00:13:58 - 00:14:00
That sounds incredibly intricate.
00:14:00 - 00:14:01
How does it even start?
00:14:01 - 00:14:03
- Starts deceptively simple.
00:14:03 - 00:14:06
A phishing email disguised as a boring copyright notice.
00:14:06 - 00:14:07
- Okay, lure them in.
00:14:07 - 00:14:09
- Inside is a ZIP file.
00:14:09 - 00:14:12
Contains a malicious DLL file and a fake PDF reader.
00:14:12 - 00:14:14
That's stage one.
00:14:14 - 00:14:16
The early stages use lightweight Python scripts
00:14:16 - 00:14:18
just to gather basic info, do some recon.
00:14:18 - 00:14:20
- Feeling out the system before going all in.
00:14:20 - 00:14:21
- Pretty much.
00:14:21 - 00:14:22
Then it escalates.
00:14:22 - 00:14:24
Later stages use compiled .NET code
00:14:24 - 00:14:26
and some really advanced evasion techniques.
00:14:26 - 00:14:27
- Like what?
00:14:27 - 00:14:29
- Process hollowing is a key one.
00:14:29 - 00:14:31
They essentially carve out the memory
00:14:31 - 00:14:34
of a legitimate trusted Windows process.
00:14:34 - 00:14:36
- Like explorer.exe or something.
00:14:36 - 00:14:38
- Could be and then they inject their malicious code
00:14:38 - 00:14:40
into that hollowed out space.
00:14:40 - 00:14:43
The OS still sees the trusted process running
00:14:43 - 00:14:44
but it's actually the malware.
00:14:44 - 00:14:45
- Ooh.
00:14:45 - 00:14:48
- Running completely hidden under a legitimate disguise.
00:14:48 - 00:14:49
A ghost in the machine.
00:14:49 - 00:14:50
- That's a good way to put it.
00:14:50 - 00:14:52
It bypasses a lot of defenses.
00:14:52 - 00:14:55
The final payload, PureRAT, sets up
00:14:55 - 00:14:56
encrypted command and control,
00:14:56 - 00:14:58
fingerprints the host in detail.
00:14:58 - 00:15:02
It's built for long term, secure, hidden access.
00:15:02 - 00:15:03
- That's deeply sophisticated.
00:15:03 - 00:15:05
A sniper rifle approach.
00:15:05 - 00:15:06
What about the opposite end?
00:15:06 - 00:15:08
You mentioned an exploit shotgun.
00:15:08 - 00:15:09
- Right, that's RondoDox.
00:15:09 - 00:15:10
If PureRAT is the sniper,
00:15:10 - 00:15:13
RondoDox is just spraying pellets everywhere,
00:15:13 - 00:15:14
hoping to hit something.
00:15:14 - 00:15:15
- What's it shooting at?
00:15:15 - 00:15:18
- Basically the neglected parts of the internet infrastructure.
00:15:18 - 00:15:21
It scans for and tries to exploit over 50 different
00:15:21 - 00:15:22
known vulnerabilities.
00:15:22 - 00:15:24
- 50, across how many vendors?
00:15:24 - 00:15:26
- More than 30 different vendors.
00:15:26 - 00:15:29
It's looking for any unlocked door on devices
00:15:29 - 00:15:30
people forget about.
00:15:30 - 00:15:31
- Like what kind of devices?
00:15:31 - 00:15:35
- Routers, consumer and enterprise, DVRs,
00:15:35 - 00:15:39
NVRs for security cameras, CCTV systems themselves,
00:15:39 - 00:15:42
old web servers, anything internet facing
00:15:42 - 00:15:44
that probably hasn't been patched in ages.
00:15:44 - 00:15:45
- The low-hanging fruit of the internet.
00:15:45 - 00:15:48
- Often running ancient software, default passwords.
00:15:48 - 00:15:50
- Exactly, easy targets.
00:15:50 - 00:15:52
And the report gives a specific example
00:15:52 - 00:15:54
they saw RondoDox getting in using a flaw
00:15:54 - 00:15:56
in TP-Link Archer routers.
00:15:56 - 00:16:00
It's CVE-2023-1389. The kicker:
00:16:00 - 00:16:04
This flaw has been actively exploited since 2022.
00:16:04 - 00:16:05
- Wait, a two year old vulnerability
00:16:05 - 00:16:08
is still a primary way in for a major botnet.
00:16:08 - 00:16:09
- Yep.
00:16:09 - 00:16:10
Tells you everything you need to know
00:16:10 - 00:16:12
about the state of basic infrastructure patching, doesn't it?
00:16:12 - 00:16:14
It's a huge systemic failure.
00:16:14 - 00:16:15
- So what does RondoDox do with all these
00:16:15 - 00:16:17
compromised routers and DVRs?
00:16:17 - 00:16:19
- Builds a massive botnet.
00:16:19 - 00:16:21
Its sole purpose seems to be launching powerful
00:16:21 - 00:16:24
DDoS attacks distributed denial of service,
00:16:24 - 00:16:26
flooding targets with junk traffic
00:16:26 - 00:16:29
using HTTP, UDP, TCP protocols.
00:16:29 - 00:16:32
- So we have this wild contrast, hyper complex,
00:16:32 - 00:16:36
10 stage attacks for espionage, and brute force exploitation
00:16:36 - 00:16:38
of old flaws to build DDoS armies.
00:16:38 - 00:16:39
- Attackers use whatever works.
00:16:39 - 00:16:42
From the most advanced techniques to the most basic neglect,
00:16:42 - 00:16:44
they leverage the whole spectrum.
00:16:44 - 00:16:45
- Okay, let's switch gears slightly.
00:16:45 - 00:16:46
Immediate risks.
00:16:46 - 00:16:49
What vulnerabilities need patching like yesterday?
00:16:49 - 00:16:51
And then let's talk about the money driving all this.
00:16:51 - 00:16:54
- The vulnerability list is pretty daunting.
00:16:54 - 00:16:55
All the big names are there.
00:16:55 - 00:16:57
Microsoft, Adobe, Oracle, Samsung,
00:16:57 - 00:16:59
flaws hitting critical enterprise systems
00:16:59 - 00:17:01
and mobile devices.
00:17:01 - 00:17:02
- But the report singles out one
00:17:02 - 00:17:05
as the absolute highest immediate risk.
00:17:05 - 00:17:09
- Yeah, that's CVE-2025-54253.
00:17:09 - 00:17:13
It affects Adobe Experience Manager forms or AEM forms.
00:17:13 - 00:17:15
- And remind us, what's AEM forms use for?
00:17:15 - 00:17:18
- It's a big enterprise platform for managing content,
00:17:18 - 00:17:21
workflows, digital forms,
00:17:21 - 00:17:23
handles a lot of sensitive business processes.
00:17:23 - 00:17:25
- And the vulnerability, why is it so bad?
00:17:25 - 00:17:27
- It allows remote code execution RCE
00:17:27 - 00:17:29
without any user interaction.
00:17:29 - 00:17:30
That's the killer part.
00:17:30 - 00:17:32
- Meaning an attacker doesn't need someone
00:17:32 - 00:17:33
to click a link or open a file.
00:17:33 - 00:17:35
- Yep, they can just send a specially crafted packet
00:17:35 - 00:17:38
to a vulnerable AEM server and boom,
00:17:38 - 00:17:42
they can run their own code on it silently, remotely.
00:17:42 - 00:17:43
- That's terrifying.
00:17:43 - 00:17:46
An invisible attack vector on a core business system.
00:17:46 - 00:17:46
- It gets worse.
00:17:46 - 00:17:49
There's already a public proof of concept exploit available.
00:17:49 - 00:17:52
- Oh great, so any script kiddie can now try and use it.
00:17:52 - 00:17:53
- Pretty much, the knowledge is out there
00:17:53 - 00:17:56
that shrinks the window for patching down to basically zero,
00:17:56 - 00:17:57
needs to be fixed immediately.
00:17:57 - 00:17:59
- And other critical ones mentioned.
00:17:59 - 00:18:01
Besides Adobe.
00:18:01 - 00:18:04
- Yeah, ongoing risks in Fortra's GoAnywhere MFT,
00:18:04 - 00:18:06
that's been a recurring target.
00:18:06 - 00:18:09
Synacor's Zimbra, email and collaboration suite,
00:18:09 - 00:18:11
Oracle's eBusiness suite,
00:18:11 - 00:18:14
and of course various flaws in Samsung mobile devices.
00:18:14 - 00:18:17
- All systems handling sensitive data transfer and storage.
00:18:17 - 00:18:21
- Right, and patching these big, complex enterprise systems
00:18:21 - 00:18:25
like Oracle EBS or AEM, it's not always fast or easy.
00:18:25 - 00:18:27
- Which raises that question you posed.
00:18:27 - 00:18:29
Are companies prioritizing patching speed,
00:18:29 - 00:18:32
getting something fixed quickly, over scope,
00:18:32 - 00:18:34
making sure everything related is covered?
00:18:34 - 00:18:36
- It's a tough balance, but any delay in patching
00:18:36 - 00:18:39
these critical flaws is an open invitation for attackers.
00:18:39 - 00:18:41
They live in that gap.
00:18:41 - 00:18:42
- And speaking of exploiting those gaps.
00:18:42 - 00:18:43
- Yeah.
00:18:43 - 00:18:44
- Let's look at some recent headlines
00:18:44 - 00:18:46
that show the impact and the,
00:18:46 - 00:18:48
well, the economics of this whole situation.
00:18:48 - 00:18:51
Finding a zero day first is gold.
00:18:51 - 00:18:53
- The Clop Ransomware Group is a prime example.
00:18:53 - 00:18:55
The report notes they were caught exploiting
00:18:55 - 00:18:57
an Oracle zero day vulnerability,
00:18:57 - 00:19:00
and they'd been doing it since early August for data theft.
00:19:00 - 00:19:03
That means they had two full months of undetectable access
00:19:03 - 00:19:06
before Oracle even knew about the flaw or released a patch.
00:19:06 - 00:19:07
- Two months.
00:19:07 - 00:19:09
That's an eternity in cyber time.
00:19:09 - 00:19:11
- Shows why zero days are worth so much.
00:19:11 - 00:19:12
- Absolutely.
00:19:12 - 00:19:15
And supply chain issues just keep making news.
00:19:15 - 00:19:18
We saw SonicWall having firewall configurations stolen.
00:19:18 - 00:19:21
- For all their cloud backup customers, that's bad.
00:19:21 - 00:19:24
Gives attackers the blueprints to hit the actual customers.
00:19:24 - 00:19:25
- Exactly.
00:19:25 - 00:19:28
And then there was that weird Adobe Analytics bug
00:19:28 - 00:19:31
where customer tracking data somehow leaked
00:19:31 - 00:19:32
between different tenants.
00:19:32 - 00:19:34
Company A could see company B's data.
00:19:34 - 00:19:36
Imagine the privacy nightmare.
00:19:36 - 00:19:37
- Yeah, not good.
00:19:37 - 00:19:40
And these breaches feed the underground economy, right?
00:19:40 - 00:19:42
We're talking huge money.
00:19:42 - 00:19:43
- Massive scale.
00:19:43 - 00:19:44
Look at the state sponsored stuff.
00:19:44 - 00:19:47
The report mentions North Korean hackers stealing
00:19:47 - 00:19:50
over $2 billion in cryptocurrency this year alone.
00:19:50 - 00:19:51
- $2 billion.
00:19:51 - 00:19:52
That's not just crime.
00:19:52 - 00:19:53
That's state funding via hacking.
00:19:53 - 00:19:54
- It basically is.
00:19:54 - 00:19:57
Funding missile programs, who knows what else?
00:19:57 - 00:19:58
And on the pure criminal side,
00:19:58 - 00:20:01
the US seized $15 billion in crypto
00:20:01 - 00:20:03
from just one pig butchering scam kingpin.
00:20:03 - 00:20:04
- $15 billion.
00:20:04 - 00:20:07
The scale is just astronomical.
00:20:07 - 00:20:09
These groups have incredibly deep pockets.
00:20:09 - 00:20:12
- Which lets them buy the best tools, the best zero days.
00:20:12 - 00:20:14
It's a vicious cycle.
00:20:14 - 00:20:15
- But there's a counter economy, right?
00:20:15 - 00:20:17
The defensive side, the bug bounties.
00:20:17 - 00:20:19
- Yeah, and that's growing massively too.
00:20:19 - 00:20:21
Companies are throwing money at finding flaws
00:20:21 - 00:20:23
before the criminals do.
00:20:23 - 00:20:24
- How much money are we talking?
00:20:24 - 00:20:27
- HackerOne, a big bug bounty platform, paid out
00:20:27 - 00:20:30
$81 million to ethical hackers in the last year.
00:20:30 - 00:20:32
- $81 million.
00:20:32 - 00:20:33
- Wow.
00:20:33 - 00:20:34
- And look at what vendors value most.
00:20:34 - 00:20:38
Apple is now offering up to $2 million for a single,
00:20:38 - 00:20:42
zero click, remote code execution vulnerability on iPhones.
00:20:42 - 00:20:45
- $2 million for one bug.
00:20:45 - 00:20:47
That tells you how dangerous they consider
00:20:47 - 00:20:49
that specific type of flaw.
00:20:49 - 00:20:51
The kind that requires no user interaction.
00:20:51 - 00:20:52
Like that Adobe AEM one.
00:20:52 - 00:20:55
- Exactly, the market price reflects the risk.
00:20:55 - 00:20:56
- Okay, let's try and wrap this all up.
00:20:56 - 00:20:59
We've covered a ton of ground from the Byer-Nichols brief.
00:20:59 - 00:21:02
What are the absolute key takeaways for you, for the listener?
00:21:02 - 00:21:05
- For me, three big interconnected trends really define
00:21:05 - 00:21:06
this period.
00:21:06 - 00:21:07
- Go on.
00:21:07 - 00:21:10
- First, that huge undeniable shift towards hitting large
00:21:10 - 00:21:14
enterprises with high profile extortion driven by groups
00:21:14 - 00:21:15
like the LAPSUS$ Hunters.
00:21:15 - 00:21:18
- The tripling of large enterprise victims.
00:21:18 - 00:21:20
That stat really sticks.
00:21:20 - 00:21:21
It's not just an SMB problem anymore.
00:21:21 - 00:21:24
- Not at all, it's a board level risk now.
00:21:24 - 00:21:26
Second, the sophistication level is up across the board,
00:21:26 - 00:21:28
but it's being applied everywhere.
00:21:28 - 00:21:31
- You mean like pure ads, 10 stages for targeted attacks?
00:21:31 - 00:21:34
- And RondoDox using simple old router flaws
00:21:34 - 00:21:37
to build giant DDoS botnets.
00:21:37 - 00:21:39
They're using advanced and basic techniques
00:21:39 - 00:21:42
whatever gives the best return on that specific target.
00:21:42 - 00:21:44
Maximize impact across the whole spectrum.
00:21:44 - 00:21:45
- Right, and the third trend.
00:21:45 - 00:21:47
- The Android epidemic.
00:21:47 - 00:21:48
It's unavoidable.
00:21:48 - 00:21:52
Four of the top six malware variants hitting mobile,
00:21:52 - 00:21:54
using everything from high-end commercial code protection
00:21:54 - 00:21:55
like Klopatra.
00:21:55 - 00:21:58
- To very specific regional targeting,
00:21:58 - 00:22:01
like ProSpy and ToSpy in the UAE.
00:22:01 - 00:22:03
The fight has definitely moved into our pocket.
00:22:03 - 00:22:04
- No question.
00:22:04 - 00:22:05
So what does it all mean?
00:22:05 - 00:22:08
I think it means the line between, say,
00:22:08 - 00:22:10
nation state espionage capabilities
00:22:10 - 00:22:12
and what regular cyber criminals can deploy.
00:22:12 - 00:22:13
That line is getting incredibly blurry.
00:22:13 - 00:22:15
- State level tools in criminal hands.
00:22:15 - 00:22:19
- Effectively yes, or at least near state level.
00:22:19 - 00:22:20
Financially motivated groups have access
00:22:20 - 00:22:22
to serious fire power now.
00:22:22 - 00:22:25
They're adapting fast, hitting new targets like routers
00:22:25 - 00:22:26
and IoT.
00:22:26 - 00:22:28
While still hammering the core enterprise stuff
00:22:28 - 00:22:31
like Adobe and Oracle for RCE and data theft.
00:22:31 - 00:22:34
- Exactly, it's converging, hitting manufacturing,
00:22:34 - 00:22:37
retail, critical sectors, right down to things
00:22:37 - 00:22:39
like university payrolls.
00:22:39 - 00:22:42
Everything is potentially a valuable target now.
00:22:42 - 00:22:44
- So that brings us to the final thought,
00:22:44 - 00:22:46
something for you, the listener, to chew on.
00:22:46 - 00:22:47
- Yeah, think about this.
00:22:47 - 00:22:51
We see massive investment in sophisticated Android malware,
00:22:51 - 00:22:54
like banking Trojans using commercial obfuscation.
00:22:54 - 00:22:58
At the same time, we see groups like Storm-2657
00:22:58 - 00:23:00
surgically targeting something as specific
00:23:00 - 00:23:02
as US university payrolls.
00:23:02 - 00:23:03
- Okay.
00:23:03 - 00:23:04
- How do we, as a security community,
00:23:04 - 00:23:06
reconcile the fact that these very high-end,
00:23:06 - 00:23:08
almost state level capabilities
00:23:08 - 00:23:10
are now being routinely aimed at targets
00:23:10 - 00:23:13
we used to think of as low level or opportunistic.
00:23:13 - 00:23:15
- It implies that any target, no matter how seemingly
00:23:15 - 00:23:18
small or complex, might now be worth the effort
00:23:18 - 00:23:19
for these advanced actors,
00:23:19 - 00:23:22
if the potential payout or leverage is there.
00:23:22 - 00:23:23
- Exactly.
00:23:23 - 00:23:26
- It fundamentally changes what we consider a soft target.
00:23:26 - 00:23:27
If even a university payroll system
00:23:27 - 00:23:30
warrants dedicated specialized attack campaign,
00:23:30 - 00:23:32
what isn't a target?
00:23:32 - 00:23:35
- Reach out to us at jbuyer.com for comments and questions.
00:23:35 - 00:23:37
Follow us at Byer Company on social media,
00:23:37 - 00:23:39
and if you'd be so kind,
00:23:39 - 00:23:41
please rate and review us in your podcast app.
00:23:41 - 00:23:43
[Music]