Byer-Nichols Threat Brief for November 16-30 2025
Digital Rage

Season: 2 | Episode: 47

Published: December 2, 2025

By: Byer Co

The "Byer-Nichols Threat Brief" delivers a detailed analysis of the cyber threat landscape during the second half of November 2025, highlighting trends in ransomware and emerging security risks. Ransomware dominance is held by Qilin, CL0P, and Akira, although newer groups like Sinobi and DragonForce show a rapidly increasing impact. The majority of targets are small businesses in the USA, with the manufacturing, technology, retail, and construction sectors experiencing the most frequent attacks, while Canada has notably risen as a major victim location. The analysis also identifies specific operational indicators, including several trending adversaries that merge state-aligned espionage with criminal monetization and a list of frequently exploited vulnerabilities and emerging malware like Amatera Stealer and ShadowV2. Furthermore, the report summarizes major incidents in the cyber news, such as a substantial DDoS attack on Azure and global crypto laundering convictions. This information reinforces the necessity for organizations to track how rapidly threat actors shift tactics between intelligence gathering and financial intrusion.

Link: Byer-Nichols Threat Brief for November 16-30 2025

Episode Transcript

00:00:00 - 00:00:03
[MUSIC PLAYING]
00:00:03 - 00:00:07
Welcome back to The Deep Dive.
00:00:07 - 00:00:10
Our mission today is, well, it's
00:00:10 - 00:00:12
to give you a shortcut to filter through all the noise
00:00:12 - 00:00:14
and get right to the actionable insights.
00:00:14 - 00:00:15
Exactly.
00:00:15 - 00:00:17
We've got the Byer-Nichols threat brief
00:00:17 - 00:00:19
for the last half of November 2025.
00:00:19 - 00:00:21
And it's really a snapshot in time.
00:00:21 - 00:00:24
It shows us who's winning, who's losing,
00:00:24 - 00:00:27
and maybe most importantly, how the tech itself is changing.
00:00:27 - 00:00:27
That's right.
00:00:27 - 00:00:30
And this brief-- I mean, it has input from people
00:00:30 - 00:00:33
like Jeremy Nichols and Jeff Remitts, so it's solid.
00:00:33 - 00:00:36
But the key thing it shows is this--
00:00:36 - 00:00:36
convergence.
00:00:36 - 00:00:38
Convergence of what, exactly?
00:00:38 - 00:00:40
You're seeing espionage, straight up financial crime,
00:00:40 - 00:00:43
and huge disruption all blended together.
00:00:43 - 00:00:45
And understanding that blend is, well,
00:00:45 - 00:00:46
it's everything for defense.
00:00:46 - 00:00:47
Absolutely.
00:00:47 - 00:00:49
We know you don't have the time to wait through all this,
00:00:49 - 00:00:52
so we're going to pull out those aha moments for you.
00:00:52 - 00:00:53
Let's start right at the top.
00:00:53 - 00:00:54
The competition.
00:00:54 - 00:00:57
Who's leading the ransomware ecosystem right now?
00:00:57 - 00:01:00
OK, so if you look at the ransomware actors table,
00:01:00 - 00:01:03
the first name that jumps out is Qilin.
00:01:03 - 00:01:04
They're holding that top spot.
00:01:04 - 00:01:09
They account for nearly 20% of all activity, 19.74%,
00:01:09 - 00:01:09
to be exact.
00:01:09 - 00:01:12
And that kind of persistence, that tells us
00:01:12 - 00:01:15
they have a really efficient polished operation.
00:01:15 - 00:01:18
It's a well-oiled machine, but Qilin's consistency
00:01:18 - 00:01:20
isn't the real headline here.
00:01:20 - 00:01:20
Right.
00:01:20 - 00:01:22
The big story is the movement below them.
00:01:22 - 00:01:23
It's CL0P.
00:01:23 - 00:01:24
Oh, absolutely.
00:01:24 - 00:01:27
We saw them down in fifth place last period.
00:01:27 - 00:01:29
Now they've launched themselves into the number two spot.
00:01:29 - 00:01:33
At 17.1%, a jump like that isn't just gradual growth.
00:01:33 - 00:01:36
No, that screams a new campaign.
00:01:36 - 00:01:37
It has to be.
00:01:37 - 00:01:40
Either a brand new, very effective, zero-day exploit,
00:01:40 - 00:01:43
or they hit a massive target, like a managed service
00:01:43 - 00:01:47
provider, and got access to dozens of victims all at once.
00:01:47 - 00:01:50
And Akira is right behind them, rounding out the top three
00:01:50 - 00:01:52
at almost 17%.
00:01:52 - 00:01:56
So when you add those three up, Qilin, CL0P, Akira,
00:01:56 - 00:01:59
you're already at more than half of all the ransomware attacks.
00:01:59 - 00:02:01
But we can't just look at the top three.
00:02:01 - 00:02:03
There's a lot of diversification happening
00:02:03 - 00:02:04
further down the list.
00:02:04 - 00:02:05
That's what's so fascinating, though.
00:02:05 - 00:02:07
You have these newer mid-tier groups
00:02:07 - 00:02:11
that are really competing now, groups like Sinobi
00:02:11 - 00:02:12
and DragonForce.
00:02:12 - 00:02:17
They're tied at just under 5%, but they're showing real momentum.
00:02:17 - 00:02:19
They're probably using those ransomware-
00:02:19 - 00:02:22
as-a-service platforms to scale up fast.
00:02:22 - 00:02:25
And then there's a new name on the list, Kazoo.
00:02:25 - 00:02:27
Yeah, their volume isn't high yet,
00:02:27 - 00:02:29
but their strategy is what's interesting.
00:02:29 - 00:02:30
What are they doing differently?
00:02:30 - 00:02:33
They're focusing almost exclusively on data theft
00:02:33 - 00:02:35
by hitting web application flaws.
00:02:35 - 00:02:36
So they're not trying to break down
00:02:36 - 00:02:37
the front door of the network?
00:02:37 - 00:02:38
Exactly.
00:02:38 - 00:02:40
They're going straight for the high-value data
00:02:40 - 00:02:43
in, say, a customer portal.
00:02:43 - 00:02:45
It suggests they're playing a longer game,
00:02:45 - 00:02:48
maybe data-brokering, not just quick extortion.
00:02:48 - 00:02:50
So a really diverse set of attackers.
00:02:50 - 00:02:51
Yeah.
00:02:51 - 00:02:53
That's the perfect transition to who they're actually hitting.
00:02:53 - 00:02:54
Let's look at the victim profiles.
00:02:54 - 00:02:55
Well, no surprise.
00:02:55 - 00:02:59
Manufacturing is still number one, almost 20% of all attacks.
00:02:59 - 00:03:01
And technology is stable at number two.
00:03:01 - 00:03:03
Those sectors are just constant targets.
00:03:03 - 00:03:05
The value of disruption there is so high.
00:03:05 - 00:03:06
It is.
00:03:06 - 00:03:10
But the real movement this period was in the middle of the pack.
00:03:10 - 00:03:11
Retail.
00:03:11 - 00:03:13
It jumped from fifth place all the way to third.
00:03:13 - 00:03:14
13%.
00:03:14 - 00:03:16
That is a clear financial signal.
00:03:16 - 00:03:18
You mean they're following the money?
00:03:18 - 00:03:22
Attackers are going for the most direct path to monetization.
00:03:22 - 00:03:25
Retail has huge amounts of transactional data
00:03:25 - 00:03:27
and hitting them around big shopping periods
00:03:27 - 00:03:29
gives them maximum leverage.
00:03:29 - 00:03:32
On the flip side, financial services actually
00:03:32 - 00:03:34
dropped from third down to fifth.
00:03:34 - 00:03:36
Which, you know, it might suggest
00:03:36 - 00:03:38
that all that investment in security and compliance
00:03:38 - 00:03:41
in the financial sector is actually working.
00:03:41 - 00:03:43
It's forcing attackers to look for softer targets.
00:03:43 - 00:03:46
Speaking of softer targets, this
00:03:46 - 00:03:48
brings us to what I think is the most alarming number
00:03:48 - 00:03:49
in the whole brief.
00:03:49 - 00:03:50
The organization size.
00:03:50 - 00:03:51
It's just devastating.
00:03:51 - 00:03:52
It is.
00:03:52 - 00:03:53
Small businesses.
00:03:53 - 00:03:56
And they define that as 500 employees or fewer,
00:03:56 - 00:03:59
account for 72.30% of all victims.
00:03:59 - 00:04:02
72%, and that's ticking up from last period.
00:04:02 - 00:04:04
Nearly three quarters of all ransomware victims
00:04:04 - 00:04:06
are small organizations.
00:04:06 - 00:04:07
Why?
00:04:07 - 00:04:10
Is it just that they don't have the budget for security?
00:04:10 - 00:04:12
Or is it something more systemic?
00:04:12 - 00:04:13
It's definitely systemic.
00:04:13 - 00:04:18
Yes, low budgets mean no dedicated security staff, no CISO.
00:04:18 - 00:04:19
Right.
00:04:19 - 00:04:23
But it's also their reliance on third-party vendors, on MSPs.
00:04:23 - 00:04:26
If an attacker can compromise just one of those MSPs.
00:04:26 - 00:04:29
They get the keys to the kingdom, access
00:04:29 - 00:04:31
to dozens of small businesses at once.
00:04:31 - 00:04:33
It's just efficient for them.
00:04:33 - 00:04:35
They've become the default revenue stream
00:04:35 - 00:04:36
for these ransomware groups.
00:04:36 - 00:04:39
And while most of these victims are in the US,
00:04:39 - 00:04:41
we're seeing them expand.
00:04:41 - 00:04:44
The US is still dominant at over 56%,
00:04:44 - 00:04:46
but Canada showed a big jump.
00:04:46 - 00:04:47
They went from fifth place to second.
00:04:47 - 00:04:49
Yep, over 7% of victims now.
00:04:49 - 00:04:51
And we also have new hotspots popping up.
00:04:51 - 00:04:54
Thailand and Germany are now on the list,
00:04:54 - 00:04:55
both around 2.5%.
00:04:55 - 00:04:57
So it's clear the attackers are adapting.
00:04:57 - 00:04:58
They shift from who they're hitting
00:04:58 - 00:05:01
to what they're using these trending adversaries.
00:05:01 - 00:05:02
These are the most dangerous groups
00:05:02 - 00:05:04
because their motive isn't fixed.
00:05:04 - 00:05:08
They blend state-aligned goals with normal criminal operations.
00:05:08 - 00:05:10
So one day they could be spying.
00:05:10 - 00:05:12
And the next they're deploying ransomware.
00:05:12 - 00:05:13
Precisely.
00:05:13 - 00:05:16
They might do long-term intelligence gathering.
00:05:16 - 00:05:19
And then when an opportunity for monetization appears,
00:05:19 - 00:05:20
they pivot instantly.
00:05:20 - 00:05:24
The brief names a few, like APT24, Autumn Dragon,
00:05:24 - 00:05:25
Bloody Wolf.
00:05:25 - 00:05:27
And what makes them so tough to defend against
00:05:27 - 00:05:29
is that they have resources and skills
00:05:29 - 00:05:32
way beyond your typical ransomware crew.
00:05:32 - 00:05:34
So they're not just buying a toolkit?
00:05:34 - 00:05:35
Not at all.
00:05:35 - 00:05:37
A group like APT24, for example,
00:05:37 - 00:05:39
has known links to geopolitical conflicts.
00:05:39 - 00:05:42
They might be stealing defense secrets one month.
00:05:42 - 00:05:45
And then encrypting a power grid for ransom the next.
00:05:45 - 00:05:48
They're sophisticated, well-funded mercenaries.
00:05:48 - 00:05:50
And the list of vulnerabilities they're using
00:05:50 - 00:05:51
really shows that complexity.
00:05:51 - 00:05:52
It really does.
00:05:52 - 00:05:54
It shows they're total opportunists.
00:05:54 - 00:05:57
You see them exploiting really old vulnerabilities.
00:05:57 - 00:05:59
Like that one for the industrial control systems,
00:05:59 - 00:06:01
the OpenPLC ScadaBR one.
00:06:01 - 00:06:02
That's from 2021.
00:06:02 - 00:06:04
Old tech, that's just hard to patch
00:06:04 - 00:06:06
in a live factory environment.
00:06:06 - 00:06:07
But then right next to that, you see them
00:06:07 - 00:06:10
hitting critical modern infrastructure.
00:06:10 - 00:06:14
Right, like the SonicWall SSL VPN for remote access.
00:06:14 - 00:06:16
And Microsoft's Windows Graphics component.
00:06:16 - 00:06:18
They're hitting the entry points.
00:06:18 - 00:06:18
Yes.
00:06:18 - 00:06:21
But for me, the single most important vulnerability
00:06:21 - 00:06:22
on this list.
00:06:22 - 00:06:24
It's the one in Anthropic's Code AI.
00:06:24 - 00:06:27
Wait, a flaw in a developer AI tool?
00:06:27 - 00:06:29
That seems incredibly specific.
00:06:29 - 00:06:31
Why is that such a big deal?
00:06:31 - 00:06:33
Because it's a massive tell.
00:06:33 - 00:06:35
It confirms that these advanced groups are already
00:06:35 - 00:06:38
targeting the generative AI pipeline.
00:06:38 - 00:06:40
They're going after the tools developers are using.
00:06:40 - 00:06:41
Exactly.
00:06:41 - 00:06:44
They know developers are using AI to write code that handles
00:06:44 - 00:06:47
sensitive data, credentials, you name it.
00:06:47 - 00:06:49
If they can exploit the AI tool itself,
00:06:49 - 00:06:52
they can inject malicious code at the source.
00:06:52 - 00:06:55
It's an attack on software creation itself.
00:06:55 - 00:06:57
That's a whole new level of supply chain risk.
00:06:57 - 00:06:59
OK, so from the vulnerabilities,
00:06:59 - 00:07:01
let's look at the tools they're delivering.
00:07:01 - 00:07:02
The trending malware.
00:07:02 - 00:07:04
Let's start with Amatera Stealer.
00:07:04 - 00:07:06
We're seeing its telemetry everywhere, which
00:07:06 - 00:07:08
means it's being widely deployed.
00:07:08 - 00:07:09
It's an info stealer.
00:07:09 - 00:07:13
So its job is just to siphon off credentials, financial data.
00:07:13 - 00:07:13
Right.
00:07:13 - 00:07:14
It's the first stage.
00:07:14 - 00:07:17
It gathers the fuel for the later ransomware attack.
00:07:17 - 00:07:20
And what's the one defenders really need to catch early?
00:07:20 - 00:07:21
That would be Ronin Glowder.
00:07:21 - 00:07:22
It's a loader.
00:07:22 - 00:07:25
Its whole purpose is to get a foothold
00:07:25 - 00:07:28
and then pull down the real payload, like the ransomware itself.
00:07:28 - 00:07:30
So if you spot that, you have a chance
00:07:30 - 00:07:31
to break the kill chain.
00:07:31 - 00:07:32
A critical chance.
00:07:32 - 00:07:35
If you see Ronin Glowder, you can stop the attack
00:07:35 - 00:07:37
before the encryption starts.
00:07:37 - 00:07:39
We're also seeing an evolution of older malware,
00:07:39 - 00:07:41
specifically ShadowV2.
00:07:41 - 00:07:44
What does second generation mean here?
00:07:44 - 00:07:46
It means it's been significantly upgraded
00:07:46 - 00:07:47
to be more evasive.
00:07:47 - 00:07:50
It might be polymorphic, changing its own code
00:07:50 - 00:07:52
to avoid detection.
00:07:52 - 00:07:54
Or it might be using new command and control
00:07:54 - 00:07:56
channels to hide its communication.
00:07:56 - 00:07:58
So the old signatures and defenses
00:07:58 - 00:08:01
for the original Shadow won't work anymore.
00:08:01 - 00:08:02
They won't.
00:08:02 - 00:08:04
Teams need to update their playbooks for this one fast.
00:08:04 - 00:08:07
And finally, Sternis is spreading rapidly through phishing.
00:08:07 - 00:08:09
Yeah, it's a high volume threat that feeds right
00:08:09 - 00:08:11
into those loader ecosystems.
00:08:11 - 00:08:14
OK, so we've covered the actors, victims, and tools.
00:08:14 - 00:08:17
Let's connect this to the real world with the top news section.
00:08:17 - 00:08:20
The infrastructure attacks are just mind-boggling.
00:08:20 - 00:08:21
They are.
00:08:21 - 00:08:25
Azure got hit with a 15-terabit-per-second DDoS attack.
00:08:25 - 00:08:30
15 terabits from half a million different IP addresses.
00:08:30 - 00:08:31
That's not an amateur job.
00:08:31 - 00:08:34
That requires a massive coordinated botnet,
00:08:34 - 00:08:36
the kind of firepower linked to those blended state
00:08:36 - 00:08:38
criminal groups we were just talking about.
00:08:38 - 00:08:40
And it wasn't just Microsoft.
00:08:40 - 00:08:42
Cloudflare also had a major outage.
00:08:42 - 00:08:45
Right, a database issue that affected their global network.
00:08:45 - 00:08:49
It just shows how fragile some of this core infrastructure can be.
00:08:49 - 00:08:51
We also saw the WrtHug campaign hijacking thousands
00:08:51 - 00:08:55
of old end-of-life ASUS routers.
00:08:55 - 00:08:56
And that's a classic move.
00:08:56 - 00:08:58
Those routers aren't getting security patches anymore.
00:08:58 - 00:09:01
So they're an easy, persistent way into home
00:09:01 - 00:09:03
and small business networks.
00:09:03 - 00:09:05
Now for the financial crime.
00:09:05 - 00:09:06
The numbers are huge.
00:09:06 - 00:09:10
Cybercriminals stole $262 million, just
00:09:10 - 00:09:12
by pretending to be bank support staff.
00:09:12 - 00:09:15
Just pure social engineering, it's an incredible return on investment.
00:09:15 - 00:09:17
And the authorities are trying to clamp down.
00:09:17 - 00:09:19
We saw crypto-mixer founders sent to prison
00:09:19 - 00:09:21
for laundering hundreds of millions.
00:09:21 - 00:09:23
But the sheer volume of money flowing
00:09:23 - 00:09:26
through these illicit channels is immense.
00:09:26 - 00:09:28
The legal system is playing catch-up.
00:09:28 - 00:09:30
And finally, there was the sanctioning
00:09:30 - 00:09:33
of a Russian bulletproof hosting provider.
00:09:33 - 00:09:34
Which is significant.
00:09:34 - 00:09:37
It shows governments are starting to target the infrastructure
00:09:37 - 00:09:40
that enables these attacks, not just the attackers themselves.
00:09:40 - 00:09:42
So if we pull this all together, what
00:09:42 - 00:09:45
are the big takeaways for you, the listener?
00:09:45 - 00:09:46
I think there are two.
00:09:46 - 00:09:49
First, the economics of this whole landscape
00:09:49 - 00:09:53
mean that ransomware led by groups like Quilin and CL0P
00:09:53 - 00:09:58
is overwhelmingly targeting high-volume, low-defense organizations.
00:09:58 - 00:10:01
So if you run a small business, especially in the US,
00:10:01 - 00:10:03
you are square in the crosshairs.
00:10:03 - 00:10:04
You are the default target.
00:10:04 - 00:10:06
That's takeaway number one.
00:10:06 - 00:10:09
And the second is the rise of these incredibly versatile adversaries.
00:10:09 - 00:10:11
The ones that pivot between spying and stealing.
00:10:11 - 00:10:12
Exactly.
00:10:12 - 00:10:15
They're targeting everything from 20-year-old factory equipment
00:10:15 - 00:10:17
to cutting-edge AI developer tools.
00:10:17 - 00:10:19
You can't just have one single defense strategy
00:10:19 - 00:10:21
against a threat that fluid.
00:10:21 - 00:10:25
It's that blend of espionage tradecraft and financial greed
00:10:25 - 00:10:27
that really defines this moment.
00:10:27 - 00:10:28
It does.
00:10:28 - 00:10:31
And if we connect that rapid malware evolution
00:10:31 - 00:10:33
like we saw with ShadowV2, with the pivot capability
00:10:33 - 00:10:37
of these groups, it brings up a really important question.
00:10:37 - 00:10:41
Given that they are already targeting developer AI,
00:10:41 - 00:10:44
what specific, maybe non-traditional vulnerability
00:10:44 - 00:10:46
in your supply chain will they go after next?
00:10:46 - 00:10:48
Maybe it's not your firewall.
00:10:48 - 00:10:51
Maybe it's a code repository, a cloud configuration tool
00:10:51 - 00:10:55
you rarely use, or a tiny third-party service provider.
00:10:55 - 00:10:58
What's that weak link that they'll exploit to bridge the gap
00:10:58 - 00:11:01
from that first initial breach to a massive financial payday?
00:11:01 - 00:11:02
A truly challenging question.
00:11:02 - 00:11:04
And understanding that attack flow is really
00:11:04 - 00:11:06
the only way to get ahead of it.
00:11:06 - 00:11:10
That is a wrap on our deep dive into the November 2025
00:11:10 - 00:11:11
Cyber Threat Landscape.
00:11:11 - 00:11:13
Thank you for tuning in.
00:11:13 - 00:11:14
[MUSIC PLAYING]