
CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This covers multiple industries, geographies, and technologies that could be relevant to your organization.
Type: Ransomware
Target Technologies: Windows OS, Local File Systems, Network Shares
Introduction:
CYFIRMA Research and Advisory Team has found GINES Ransomware while monitoring various underground forums as part of our Threat Discovery Process.
Gines Ransomware
Gines ransomware is a file-encrypting malware strain associated with the Makop ransomware family that encrypts victim files and appends the .gines extension along with a victim-specific ID and attacker-controlled email address, rendering files inaccessible. Following encryption, the malware deploys a ransom note named +README-WARNING+.txt and may modify the victim’s desktop wallpaper to indicate compromise. Analysis suggests that Gines operates using a double-extortion model, where threat actors allegedly exfiltrate sensitive data prior to encryption and threaten to publicly leak the stolen information if ransom demands are not met. The ransomware primarily targets local systems and accessible network resources, leading to operational disruption and potential data exposure risks. Currently, there is no publicly verified decryptor available for Gines ransomware, and victims are advised that paying the ransom does not guarantee data recovery or prevent data leakage.

Screenshot: File encrypted by ransomware (Source: Surface Web)
The ransom note associated with Gines ransomware, typically dropped as +README-WARNING+.txt after the encryption process, informs victims that their files have been encrypted and allegedly stolen by the attackers. The note instructs victims to contact the threat actors through the provided email address, commonly [email protected], and includes a victim-specific identifier to facilitate communication and ransom negotiation. It warns against using third-party recovery tools or attempting manual file restoration, claiming such actions could result in permanent data loss. Consistent with many modern ransomware operations, the note follows a double-extortion strategy, emphasizing both file encryption and the threat of public data leakage if payment demands are not met, while providing no reliable assurance that data or files will be successfully recovered after payment.
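A triage scan that an incident responder can run over a workstation or share to size a Gines incident, added here as an example and not CYFIRMA's code. The ".gines" extension and the "+README-WARNING+.txt" note name come from the report; the assumed file-name layout "original.ext.[<victim id>].[<contact email>].gines" is the common Makop-family layout and is an assumption here, as is the sample tree that build_sample_tree() constructs (its victim ID and contact address are placeholders, not indicators from the report).

```python
"""
Triage scan for Gines ransomware artifacts.
Added example, not CYFIRMA's code. The suffix layout is assumed (Makop style);
the report only states that an ID and an email address are appended.
"""
import os
import re
import tempfile
from collections import Counter
from dataclasses import dataclass, field

NOTE_NAME = "+README-WARNING+.txt"   # ransom note name from the report
ENCRYPTED_EXT = ".gines"             # extension from the report
# ASSUMPTION: Makop-style suffix ".[<id>].[<email>].gines" appended to the original name.
SUFFIX_RE = re.compile(
    r"\.\[(?P<vid>[0-9A-Za-z]+)\]\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.gines$"
)


@dataclass
class TriageResult:
    encrypted_files: list = field(default_factory=list)
    notes: list = field(default_factory=list)
    victim_ids: Counter = field(default_factory=Counter)
    contact_emails: Counter = field(default_factory=Counter)
    unparsed_suffix: list = field(default_factory=list)  # .gines without [id].[email] tokens


def scan_tree(root: str) -> TriageResult:
    """Walk root, collect encrypted files and ransom notes, and tally the
    victim IDs and contact addresses embedded in the file names."""
    res = TriageResult()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == NOTE_NAME:
                res.notes.append(path)
                continue
            if not name.lower().endswith(ENCRYPTED_EXT):
                continue
            res.encrypted_files.append(path)
            m = SUFFIX_RE.search(name)
            if m:
                res.victim_ids[m.group("vid")] += 1
                res.contact_emails[m.group("email").lower()] += 1
            else:
                res.unparsed_suffix.append(path)
    return res


def build_sample_tree(root: str) -> None:
    """Constructed sample: three Makop-style names, one bare .gines file,
    two notes and one untouched file. ID and address are placeholders."""
    sub = os.path.join(root, "Finance")
    os.makedirs(sub, exist_ok=True)
    sample = [
        (root, "report.docx.[AB12CD34].[decrypt@example.invalid].gines"),
        (root, "budget.xlsx.[AB12CD34].[decrypt@example.invalid].gines"),
        (sub, "invoices.pdf.[AB12CD34].[decrypt@example.invalid].gines"),
        (sub, "backup.zip.gines"),
        (root, NOTE_NAME),
        (sub, NOTE_NAME),
        (root, "notes.txt"),
    ]
    for directory, name in sample:
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(b"placeholder")


def demo() -> TriageResult:
    """Build the constructed tree in a temp directory and scan it."""
    root = tempfile.mkdtemp(prefix="gines_triage_")
    build_sample_tree(root)
    return scan_tree(root)


if __name__ == "__main__":
    r = demo()
    print(f"encrypted files: {len(r.encrypted_files)}  notes: {len(r.notes)}")
    print(f"victim IDs: {dict(r.victim_ids)}  contacts: {dict(r.contact_emails)}")
```

Files that end in .gines but do not fit the assumed layout land in unparsed_suffix rather than being skipped, so a variant with a different naming scheme is still counted; the victim ID and contact address tallies give the responder the values to carry into the IOC and note-correlation work without opening any encrypted file.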

Screenshot: The appearance of GINES’s Ransom Note (Source: Surface Web)
The following are the TTPs based on the MITRE ATT&CK Framework
| Tactic | Technique ID | Technique Name |
| --- | --- | --- |
| Execution | T1059 | Command and Scripting Interpreter |
| Execution | T1129 | Shared Modules |
| Discovery | T1012 | Query Registry |
| Discovery | T1033 | System Owner/User Discovery |
| Discovery | T1057 | Process Discovery |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1083 | File and Directory Discovery |
| Discovery | T1135 | Network Share Discovery |
| Discovery | T1518 | Software Discovery |
| Discovery | T1614 | System Location Discovery |
| Collection | T1115 | Clipboard Data |
| Command and Control | T1071 | Application Layer Protocol |
| Impact | T1485 | Data Destruction |
| Impact | T1486 | Data Encrypted for Impact |
| Stealth | T1027 | Obfuscated Files or Information |
| Stealth | T1027.002 | Obfuscated Files or Information: Software Packing |
| Stealth | T1070 | Indicator Removal |
| Stealth | T1202 | Indirect Command Execution |
| Stealth | T1564 | Hide Artifacts |
| Stealth | T1564.003 | Hide Artifacts: Hidden Window |
| Defense Impairment | T1222 | File and Directory Permissions Modification |
Relevancy and Insights:
ETLM Assessment:
CYFIRMA’s analytical assessment suggests that Gines ransomware is likely to continue evolving within established ransomware tradecraft through incremental enhancements rather than the introduction of highly advanced capabilities. Future variants may focus on improving encryption efficiency, expanding compatibility across additional environments, and refining extortion and victim communication mechanisms to increase payment success rates. There is also a possibility of broader adoption of double-extortion tactics, including enhanced data exfiltration and public leak threats. Operators may continue leveraging common initial access vectors such as phishing campaigns, compromised credentials, and exploitation of exposed services while maintaining an opportunistic targeting approach. Based on currently available evidence, there are no confirmed indications of sophisticated custom exploit development or advanced evasion frameworks, suggesting that near-term evolution will likely remain consistent with conventional commodity ransomware operations.
Sigma rule:
title: Suspicious Ransomware Execution And Service Termination Activity
tags:
    - attack.execution
    - attack.impact
    - attack.persistence
    - attack.t1059.003
    - attack.t1486
    - attack.ransomware
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmd:
        Image|endswith: '\cmd.exe'
        CommandLine|contains:
            - 'taskkill'
            - 'net stop'
            - 'vssadmin'
            - 'wbadmin'
            - 'del '
    selection_services:
        CommandLine|contains:
            - 'MSSQL'
            - 'SQLAgent'
            - 'SQLBrowser'
            - 'sql'
    selection_ransomnote:
        CommandLine|contains:
            - '+README-WARNING+.txt'
            - 'README'
            - 'decrypt'
    filter_optional_admin:
        ParentImage|contains:
            - '\ccmexec.exe'
            - '\PDQDeploy.exe'
            - '\services.exe'
    # selection_cmd must be combined with one of the two context selections;
    # "1 of selection_*" would also count selection_cmd itself and fire on it alone.
    condition: selection_cmd and (selection_services or selection_ransomnote) and not 1 of filter_optional_*
falsepositives:
    - Administrative scripting
    - Database maintenance activity
    - Software deployment operations
level: high
(Source: Surface Web)
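To see how the rule's selections and its optional filter combine on real-looking telemetry, the following is an added example and not CYFIRMA's rule engine or Sigma tooling: it re-implements the Sigma contains and endswith modifiers over a handful of constructed process_creation events, with the condition "cmd.exe plus a destructive verb, plus a database-service or ransom-note string, unless the parent is a deployment or administration tool".

```python
"""
Emulates the selections of the Sigma rule above over process_creation events.
Added example: the modifier handling is a minimal re-implementation of Sigma
'contains'/'endswith' semantics, and every event record is constructed.
"""
RULE = {
    "selection_cmd": {
        "Image|endswith": ["\\cmd.exe"],
        "CommandLine|contains": ["taskkill", "net stop", "vssadmin", "wbadmin", "del "],
    },
    "selection_services": {
        "CommandLine|contains": ["MSSQL", "SQLAgent", "SQLBrowser", "sql"],
    },
    "selection_ransomnote": {
        "CommandLine|contains": ["+README-WARNING+.txt", "README", "decrypt"],
    },
    "filter_optional_admin": {
        "ParentImage|contains": ["\\ccmexec.exe", "\\PDQDeploy.exe", "\\services.exe"],
    },
}


def field_matches(value: str, modifier: str, needles: list) -> bool:
    """One field against a value list: Sigma ORs the list entries and
    matches strings case-insensitively."""
    v = value.lower()
    for needle in needles:
        n = needle.lower()
        if modifier == "contains" and n in v:
            return True
        if modifier == "endswith" and v.endswith(n):
            return True
    return False


def selection_matches(event: dict, selection: dict) -> bool:
    """All field entries inside one selection map are ANDed."""
    for key, needles in selection.items():
        fld, modifier = key.split("|", 1)
        if not field_matches(event.get(fld, ""), modifier, needles):
            return False
    return True


def evaluate(event: dict) -> bool:
    """selection_cmd and (selection_services or selection_ransomnote)
    and not filter_optional_admin."""
    hits = {name: selection_matches(event, sel) for name, sel in RULE.items()}
    context = hits["selection_services"] or hits["selection_ransomnote"]
    return hits["selection_cmd"] and context and not hits["filter_optional_admin"]


# Constructed events, not real telemetry.
SAMPLE_EVENTS = {
    "stop_sql_from_unknown_parent": {
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": 'cmd.exe /c net stop "MSSQLSERVER" /y',
        "ParentImage": r"C:\Users\user\AppData\Local\Temp\update.exe",
    },
    "shadow_delete_only": {  # vssadmin without service or ransom-note context
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c vssadmin delete shadows /all /quiet",
        "ParentImage": r"C:\Users\user\AppData\Local\Temp\update.exe",
    },
    "note_cleanup_under_services": {  # suppressed by the services.exe parent filter
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c del /q C:\\share\\+README-WARNING+.txt",
        "ParentImage": r"C:\Windows\System32\services.exe",
    },
    "pdq_deployment": {  # suppressed: software deployment tool parent
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c net stop SQLBrowser",
        "ParentImage": r"C:\Program Files\Admin Arsenal\PDQDeploy.exe",
    },
    "powershell_not_cmd": {  # Image is not cmd.exe, so selection_cmd fails
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -c net stop MSSQL",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
}


def run_samples() -> dict:
    """Returns {event name: fired?} for the constructed events."""
    return {name: evaluate(ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, fired in run_samples().items():
        print(f"{'ALERT' if fired else 'ok   '} {name}")
```

Two of the outcomes are worth noting when tuning: a bare vssadmin shadow-copy deletion does not fire because the rule requires database-service or ransom-note context alongside it, and a note deletion launched under services.exe is suppressed by the optional filter, so both belong in separate detections if that coverage matters in your environment.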
IOCs:
Kindly refer to the IOCs section to exercise control of your security systems. (Source: Surface Web)
STRATEGIC RECOMMENDATION
MANAGEMENT RECOMMENDATION
TACTICAL RECOMMENDATION
Type: Information Stealer | Objectives: Data Exfiltration | Target Technology: Windows OS | Target Geography: Global
CYFIRMA collects data from various forums, based on which the trend is ascertained. We identified a few popular malware families that were found to be distributed in the wild to launch cyberattacks on organizations or individuals.
Active Malware of the week
This week “NWH Stealer” is in focus.
Overview of Operation NWH Stealer Malware
The analysis of the NWH Stealer sample reveals a sophisticated information-stealing malware operation engineered to covertly compromise systems, collect sensitive user information, and maintain communication with attacker-controlled infrastructure. The malware exhibits a strong emphasis on credential theft, browser data extraction, and stealthy execution techniques while disguising its activity using legitimate Windows processes and trusted system utilities. Such behaviour enables the threat to minimize suspicion and complicate traditional detection mechanisms during execution.
Further examination identified active interaction with widely used web browsers, including Microsoft Edge and Mozilla Firefox, with the objective of accessing stored credentials, browsing history, and user configuration data. The sample also demonstrated multiple defense evasion techniques, including obfuscation, concealed execution methods, and suspicious process activities intended to hinder forensic analysis and security monitoring. Additionally, the malware established encrypted outbound communications with external domains, indicating capabilities related to data exfiltration and potential command-and-control operations.
Overall, the NWH Stealer sample reflects the increasing sophistication of modern credential-stealing malware families, combining stealth, persistence, and information theft functionalities within a streamlined attack framework. Its reliance on legitimate system components, browser-focused targeting, and covert execution behaviour highlights the potential risk it poses to both individual users and enterprise environments. The observed activities emphasize the critical importance of proactive threat monitoring, robust endpoint security controls, and strengthened credential protection practices to mitigate exposure to similar threats.
Attack Method
The behavioural analysis of the NWH Stealer sample reveals a technically advanced multistage infection chain engineered to perform stealth-based credential theft, host reconnaissance, and covert data exfiltration. Following execution, the malware spawns multiple legitimate Windows processes, including cmd.exe, powershell.exe, svchost.exe, taskhostw.exe, and wmiprvse.exe, enabling malicious operations to blend into normal system activity and evade behavioural detection mechanisms. The execution tree also indicates abuse of trusted Windows components such as consent.exe, slui.exe, and sppextcomobj.exe, which may be associated with privilege escalation attempts, User Account Control (UAC) bypass behaviour, or proxy execution techniques commonly leveraged to inherit elevated permissions. In addition, the malware performs system-level reconnaissance using utilities including ipconfig.exe, ping.exe, find.exe, and reg.exe, indicating active host validation, network profiling, and environmental awareness prior to conducting credential theft activities. The presence of obfuscated execution patterns, suspicious command-line behaviour, and abnormal service-related process invocation strongly demonstrates the malware’s emphasis on operational stealth and defense evasion.
Further forensic examination identified extensive browser-centric data harvesting operations targeting both Chromium- and Gecko-based applications. The malware directly accessed critical browser storage locations associated with Microsoft Edge and Mozilla Firefox, including Login Data, History, Preferences, Web Data, and Local State files, all of which commonly contain saved credentials, autofill information, browsing artifacts, session tokens, and encrypted user metadata. Additional access to Firefox extension storage paths and IndexedDB SQLite databases indicates the capability to extract browser extension data, authentication tokens, or cryptocurrency wallet-related information. Process injection activity observed within active msedge.exe and firefox.exe processes further suggests runtime manipulation of trusted browser memory space to facilitate credential extraction while minimizing endpoint detection visibility. Registry analysis also revealed enumeration of browser-specific keys under HKEY_CURRENT_USER\Software\Microsoft\Edge, along with interactions involving Windows certificate stores and system certificate blobs. Modifications to certificate-related registry entries may indicate attempts to manipulate trusted root certificate mechanisms, suppress SSL validation alerts, or evade encrypted traffic inspection performed by enterprise security solutions.
Network telemetry associated with the sample confirms active outbound communication with external infrastructure over encrypted TLS channels. The malware resolved suspicious domains, including seall-vernous.com, and established HTTPS sessions accompanied by identifiable JA3 TLS fingerprints linked to malicious or customized communication frameworks. Observed HTTP requests to external certificate-related endpoints, combined with SSL activity and certificate manipulation behaviour, suggest connectivity validation and secure command-and-control establishment prior to data exfiltration. The sample also generated traffic through external DNS resolvers and initiated encrypted communications over TCP port 443, indicating attempts to conceal exfiltration activity within normal HTTPS traffic patterns. Concurrent Sigma detections associated with suspicious browser credential access, uncommon svchost.exe execution parameters, and non-interactive PowerShell activity further reinforce the assessment that the malware was actively engaged in credential harvesting and stealth-oriented execution. Collectively, the analysed behaviour demonstrates a sophisticated information-stealing framework that integrates process masquerading, browser exploitation, registry manipulation, encrypted command-and-control communication, and covert reconnaissance capabilities into a comprehensive attack methodology capable of targeting both individual endpoints and enterprise environments.
Following are the TTPs based on the MITRE ATT&CK Framework for Enterprise
| Tactic | Technique ID | Technique Name |
| --- | --- | --- |
| Execution | T1059 | Command and Scripting Interpreter |
| Execution | T1129 | Shared Modules |
| Privilege Escalation | T1134 | Access Token Manipulation |
| Stealth | T1027 | Obfuscated Files or Information |
| Stealth | T1140 | Deobfuscate/Decode Files or Information |
| Discovery | T1012 | Query Registry |
| Discovery | T1033 | System Owner/User Discovery |
| Discovery | T1057 | Process Discovery |
| Discovery | T1518 | Software Discovery |
| Discovery | T1518.001 | Software Discovery: Security Software Discovery |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1083 | File and Directory Discovery |
| Discovery | T1087 | Account Discovery |
| Discovery | T1614 | System Location Discovery |
| Command and Control | T1071 | Application Layer Protocol |
INSIGHTS
ETLM ASSESSMENT
From an ETLM perspective, the operational behaviour demonstrated by NWH Stealer reflects a broader movement toward threats that increasingly rely on subtle execution patterns and integration with normal user activity. Rather than creating visible disruption, these threats are likely to operate in ways that imitate trusted applications, routine browser interactions, and legitimate system behaviour, making early identification significantly more difficult within enterprise environments. As organizations continue expanding cloud-connected workflows and browser-dependent operations, everyday employee activity may unintentionally provide greater opportunities for concealed information theft to persist without immediate detection.
Over time, the growing dependence on digital identities, synchronized browser sessions, and interconnected platforms may further increase exposure to threats designed to quietly collect and misuse user-centric data. This convergence between routine operational behaviour and covert malicious activity is expected to create a more complex security landscape where distinguishing genuine business processes from hidden compromise becomes increasingly challenging. Consequently, both organizations and employees may encounter an environment in which low-visibility threats remain embedded within ordinary workflows for extended periods without generating obvious indicators of malicious activity.
IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems. (Source: Surface Web)
YARA Rule
rule NWH_Stealer_Extended_IOC_Detection
{
    meta:
        description = "Detection rule for NWH Stealer using browser theft behavior, C2 domains, and IOC hashes"
        author = "CYFIRMA"
        date = "2026-05-25"

    strings:
        /* C2 Domains */
        $c2_1 = "seall-vernous.com"
        $c2_2 = "whale-ether.pro"
        $c2_3 = "cosmic-nebula.cc"

        /* Browser Credential Artifacts */
        $b1 = "Login Data"
        $b2 = "Web Data"
        $b4 = "History"
        $b5 = "Preferences"
        $b6 = "moz-extension"
        $b7 = "storage\\default"
        $b8 = "idb\\"

        /* Targeted Browser Processes */
        $p1 = "msedge.exe"
        $p2 = "firefox.exe"

        /* Suspicious Execution Utilities */
        $s1 = "powershell.exe"
        $s2 = "cmd.exe"
        $s3 = "svchost.exe"
        $s4 = "taskhostw.exe"
        $s5 = "wmiprvse.exe"
        $s6 = "consent.exe"
        $s7 = "slui.exe"

        /* Recon Commands */
        $r1 = "ipconfig"
        $r2 = "ping"
        $r3 = "reg.exe"

        /* SHA256 IOC Strings */
        $h1 = "4858094881907387319bc047ef89299613f45fb2178b752c15a7b653559e759c"
        $h2 = "d3a896f450561b2546b418b469a8e10949c7320212eb1c72b48e2b1e37c34ba5"
        $h3 = "96fe4ddfe256dc9d2c6faea7c18e2583cd9d9c0099a4ad2cf082f569ee8379f4"
        $h4 = "3710fb27d2032ef1eb1252ebf5c4dd516d2b2c0a83fb82c664c89e504b990fa9"
        $h5 = "33d07aa24b217f27df6a483295c817da198e12511a6989bcc6b917feaf8e491d"
        $h6 = "5427b4cefb329ed0e9585b3ce58a2788baf87e3b0c7221373f9bbd5f32c85b62"
        $h7 = "308da9f49ffa1d1744e428b567792ab22712159974e9da8d8e0414ecd81de93e"
        $h8 = "021838f30a43026084978bce187c165c6b640d8d474ec009d48078d21ec62025"
        $h9 = "c8e96b55f13435c4b43b7209d2403f1a0e0f9deb05edc50e0f777430be693b07"
        $h10 = "0614c4cc6375ab6bdcdd2dfa913a67d32c3e8be9b95a4a2aa09bb131b98191c8"
        $h11 = "0020999b2e3e4d1b2cfb69e4df9440d3ce05d508573889fdc12b724ce75a0cd8"
        $h12 = "0fa42df08cc467ec52b2d388b5575114a8ec067d13f6b1a653ec33fe879f88ca"
        $h13 = "15f79980650393d182f81cd6e389210568aa1f5f875e515efe6cb9485d64b7fb"
        $h14 = "20454ba58d509300fd694ae6159db4efa1b7ff965f98c29e7d087e20f96578c1"

    condition:
        /* PE file carrying C2 domains, browser artifacts and process names */
        (
            uint16(0) == 0x5A4D and
            (2 of ($c2_*)) and (3 of ($b*)) and
            (2 of ($s*, $p*))
        )
        or
        /* recon strings plus a C2 domain and quoted IOC hashes ("all of" is the valid YARA form) */
        (
            (all of ($r*)) and
            (1 of ($c2_*)) and (4 of ($h*))
        )
}
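The indicators in the rule above are consumed in two different ways, and the following added example (not CYFIRMA's tooling and not a YARA engine) shows both. The $h* SHA256 values are compared against a hash computed over each file, which is how a hash IOC is normally used: a file never contains its own hash, so as YARA strings those values only match documents that quote the IOCs. The rule's first clause (MZ header, two C2 domains, three browser artifact strings, two process names) is re-implemented as substring counts. Every sample file is constructed, and the well-known SHA256 of "abc" is used only to check the hashing helper.

```python
"""
File triage with the indicators from the NWH Stealer YARA rule above.
Added example, not CYFIRMA's code. The IOC hash list and string lists are
copied from the rule; the sample files are constructed stand-ins.
"""
import hashlib
import os
import tempfile

IOC_SHA256 = {
    "4858094881907387319bc047ef89299613f45fb2178b752c15a7b653559e759c",
    "d3a896f450561b2546b418b469a8e10949c7320212eb1c72b48e2b1e37c34ba5",
    "96fe4ddfe256dc9d2c6faea7c18e2583cd9d9c0099a4ad2cf082f569ee8379f4",
    "3710fb27d2032ef1eb1252ebf5c4dd516d2b2c0a83fb82c664c89e504b990fa9",
    "33d07aa24b217f27df6a483295c817da198e12511a6989bcc6b917feaf8e491d",
    "5427b4cefb329ed0e9585b3ce58a2788baf87e3b0c7221373f9bbd5f32c85b62",
    "308da9f49ffa1d1744e428b567792ab22712159974e9da8d8e0414ecd81de93e",
    "021838f30a43026084978bce187c165c6b640d8d474ec009d48078d21ec62025",
    "c8e96b55f13435c4b43b7209d2403f1a0e0f9deb05edc50e0f777430be693b07",
    "0614c4cc6375ab6bdcdd2dfa913a67d32c3e8be9b95a4a2aa09bb131b98191c8",
    "0020999b2e3e4d1b2cfb69e4df9440d3ce05d508573889fdc12b724ce75a0cd8",
    "0fa42df08cc467ec52b2d388b5575114a8ec067d13f6b1a653ec33fe879f88ca",
    "15f79980650393d182f81cd6e389210568aa1f5f875e515efe6cb9485d64b7fb",
    "20454ba58d509300fd694ae6159db4efa1b7ff965f98c29e7d087e20f96578c1",
}
C2_DOMAINS = [b"seall-vernous.com", b"whale-ether.pro", b"cosmic-nebula.cc"]
BROWSER_ARTIFACTS = [b"Login Data", b"Web Data", b"History", b"Preferences",
                     b"moz-extension", b"storage\\default", b"idb\\"]
PROCESS_NAMES = [b"msedge.exe", b"firefox.exe", b"powershell.exe", b"cmd.exe",
                 b"svchost.exe", b"taskhostw.exe", b"wmiprvse.exe",
                 b"consent.exe", b"slui.exe"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def count_hits(data: bytes, needles: list) -> int:
    """Number of distinct needles present, the way 'N of ($x*)' counts strings."""
    return sum(1 for n in needles if n in data)


def behavioural_clause(data: bytes) -> bool:
    """uint16(0) == 0x5A4D and 2 of ($c2_*) and 3 of ($b*) and 2 of ($s*, $p*)."""
    return (data[:2] == b"MZ"                       # 0x5A4D little-endian is "MZ"
            and count_hits(data, C2_DOMAINS) >= 2
            and count_hits(data, BROWSER_ARTIFACTS) >= 3
            and count_hits(data, PROCESS_NAMES) >= 2)


def classify_bytes(data: bytes) -> dict:
    return {"hash_ioc": sha256_hex(data) in IOC_SHA256,
            "behavioural": behavioural_clause(data)}


def classify(path: str) -> dict:
    with open(path, "rb") as fh:
        return classify_bytes(fh.read())


def demo() -> dict:
    """Write three constructed files to a temp directory and classify them."""
    root = tempfile.mkdtemp(prefix="nwh_triage_")
    # Constructed stand-in for a stealer binary: MZ header plus the strings the rule keys on.
    stealer_like = (b"MZ" + b"\x00" * 62
                    + b"seall-vernous.com\x00whale-ether.pro\x00"
                    + b"Login Data\x00Web Data\x00History\x00msedge.exe\x00firefox.exe\x00")
    # Constructed analyst report that quotes every IOC hash but is not a sample.
    ioc_report = b"Observed hashes:\n" + b"\n".join(h.encode() for h in sorted(IOC_SHA256))
    # Constructed benign PE stub with a single domain string.
    benign = b"MZ" + b"\x00" * 62 + b"cosmic-nebula.cc\x00"
    files = {"stealer_like.bin": stealer_like, "ioc_report.txt": ioc_report, "benign.bin": benign}
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return {name: classify(os.path.join(root, name)) for name in files}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} hash_ioc={verdict['hash_ioc']}  behavioural={verdict['behavioural']}")
```

The report file that quotes all fourteen hashes is not flagged by either check, which is the behaviour you want from a hash IOC (the YARA rule's second clause would only fire on it if the recon strings and a C2 domain were quoted alongside). For scanning with the rule itself, a hash comparison belongs in a `hash.sha256(0, filesize)` condition using YARA's hash module rather than in the strings section.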
Strategic Recommendations
Management Recommendations
Tactical Recommendations
Key Intelligence Signals:
Screening Serpens: Recent Cyber Espionage Operations and Tradecraft Evolution
About the Threat Actor
Screening Serpens is suspected to have been active since at least June 2022, with operations continuing to the present. The threat actor appears to maintain a regional focus, primarily targeting countries across the Middle East, while indications suggest its targeting scope has expanded to include entities on a global scale.
TTPs based on MITRE ATT&CK Framework
| Tactic | ID | Technique |
| --- | --- | --- |
| Initial Access | T1566.001 | Phishing: Spearphishing Attachment |
| Initial Access | T1566.002 | Phishing: Spearphishing Link |
| Initial Access | T1189 | Drive-by Compromise |
| Execution | T1574.001 | Hijack Execution Flow: DLL |
| Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell |
| Execution | T1574.014 | Hijack Execution Flow: AppDomainManager |
| Execution | T1053.005 | Scheduled Task/Job: Scheduled Task |
| Execution | T1574.001 | Hijack Execution Flow: DLL |
| Persistence | T1547 | Boot or Logon Autostart Execution |
| Persistence | T1053.005 | Scheduled Task/Job: Scheduled Task |
| Privilege Escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control |
| Privilege Escalation | T1547 | Boot or Logon Autostart Execution |
| Privilege Escalation | T1053.005 | Scheduled Task/Job: Scheduled Task |
| Stealth | T1497.001 | Virtualization/Sandbox Evasion: System Checks |
| Stealth | T1574.014 | Hijack Execution Flow: AppDomainManager |
| Stealth | T1574.001 | Hijack Execution Flow: DLL |
| Stealth | T1036 | Masquerading |
| Stealth | T1027 | Obfuscated Files or Information |
| Stealth | T1622 | Debugger Evasion |
| Defense Impairment | T1553.002 | Subvert Trust Controls: Code Signing |
| Discovery | T1497.001 | Virtualization/Sandbox Evasion: System Checks |
| Discovery | T1057 | Process Discovery |
| Discovery | T1622 | Debugger Evasion |
| Discovery | T1082 | System Information Discovery |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols |
| Command and Control | T1132.001 | Data Encoding: Standard Encoding |
| Command and Control | T1573 | Encrypted Channel |
| Command and Control | T1105 | Ingress Tool Transfer |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
| Exfiltration | T1030 | Data Transfer Size Limits |
Latest Developments Observed
The threat actor is suspected of leveraging social engineering techniques as the initial access vector to target entities across the US, Israel, UAE, and other Middle Eastern nations. By utilizing DLL sideloading and AppDomainManager hijacking techniques, the threat actor is believed to have deployed MiniUpdate and MiniJunkRAT across ten targeted systems. The campaign appears to be primarily motivated by espionage and intelligence-gathering objectives.
ETLM Insights
Screening Serpens (aka UNC1549) is assessed as an Iran-linked cyber espionage threat actor aligned with strategic intelligence collection objectives, with operations focused on maintaining prolonged access to targeted environments rather than generating financial gain. Active since at least June 2022, the group appears to retain a regional emphasis across the Middle East while showing indications of expanding its targeting activity globally.
Operationally, the threat actor demonstrates a structured and persistence-driven intrusion approach centered on social engineering, credential harvesting, and abuse of trusted access channels to establish and sustain covert access. Its tradecraft reflects a strong reliance on identity-based compromise and targeted intrusion activity to support long-term intelligence objectives while limiting operational visibility.
The threat actor’s operations reflect a deliberate approach:
Based on the observed activity and operational trends, the threat actor is likely to continue advancing its espionage-focused capabilities while expanding its targeting footprint. This evolving approach positions the group as a persistent threat to strategically important organizations, with continued risks related to unauthorized access, identity compromise, and exposure of sensitive information.
IOCs:
Kindly refer to the IOCs section to exercise control of your security systems. (Source: Surface Web)
YARA Rules
rule ScreeningSerpens_IOC_Domains_Secur32
{
    meta:
        description = "Detects Screening Serpens-related infrastructure indicators and secur32.dll reference"
        author = "CYFIRMA"
        date = "2026-05-26"
        tlp = "TLP:CLEAR"
        confidence = "medium"

    strings:
        $domain1 = "airtravellog.com" ascii nocase
        $domain2 = "thetacticstore.com" ascii nocase
        $domain3 = "asylimed.azurewebsites.net" ascii nocase
        $domain4 = "clinichaven.azurewebsites.net" ascii nocase
        $domain5 = "healsanctum.azurewebsites.net" ascii nocase
        $dll = "secur32.dll" ascii nocase

    condition:
        2 of ($domain*)
        or ($dll and any of ($domain*))
}
Strategic
Management
Tactical
Chinese APTs Attack Central Asian Telcos
For years, Chinese state-sponsored hackers have been targeting telecommunications companies in Central Asia using a newly discovered Linux post-exploitation framework called “Showboat” (or “kworker”). Showboat activity has been observed across entirely different targets from Afghanistan to the Donbas region in Ukraine – suggesting that Chinese advanced persistent threats (APTs) are actively trading the tool.
One of the primary groups utilizing this malware is Calypso (Red Lamassu). First seen in 2019, Calypso focuses on countries where Western cybersecurity firms have lower visibility, such as Afghanistan, Kazakhstan, Turkey, and India. The group deploys Showboat alongside a comparable Windows backdoor known as “JFMBackdoor.”
ETLM Assessment:
Researchers note that China frequently uses specific regions as real-world testing grounds. They evaluate new malware against fully updated virtual systems, deploy it in smaller markets (like a bank in Africa or a telco in Vietnam), and once it proves successful, confidently migrate the tools to high-value targets. For groups like Calypso (Red Lamassu) and other espionage groups tasked with monitoring China’s immediate neighbors, Central Asia – alongside South Asia (India) and parts of the Middle East – is the primary, long-term target. However, because those networks often have less defensive visibility, the region simultaneously serves as a testing laboratory for China’s broader digital quartermasters to trial and perfect malware before it is scaled up for higher-stakes global campaigns.
Belarus-Linked Hackers Target Ukraine
The Belarus-linked hacking group known as GhostWriter (also tracked as UNC1151 or Storm-0257) has launched a new cyber espionage campaign targeting Ukrainian government officials. The operation relies on phishing emails disguised as notifications from a popular online learning platform to deliver malware.
According to Ukraine’s computer emergency response team, CERT-UA, the campaign has been active since the spring of 2026, utilizing compromised accounts to send malicious emails to employees at state organizations. This warning followed just a day after CERT-UA disclosed another separate espionage campaign targeting users of Delta, Ukraine’s vital battlefield management and situational awareness system. In that concurrent operation, unidentified attackers sent phishing emails masquerading as alerts from Ukrainian cybersecurity agencies, falsely warning recipients of unauthorized access to their Delta accounts to steal credentials.
ETLM Assessment:
The GhostWriter group, which is linked to Belarusian state intelligence services, has a long history of targeting Ukrainian military personnel, Polish government institutions, and other regional officials through credential theft and influence operations. The consensus among top cybersecurity intelligence researchers is that GhostWriter (UNC1151) operates primarily in deep alignment with and support of Russian interests, acting effectively as a regional proxy or partner, even though the operators themselves are physically located in Belarus. The attack should thus be viewed as done at the behest of and in service to the Russian war machine – with many similar campaigns being probably waged against NATO countries.
Payload Ransomware Impacts a construction company from Japan
Summary:
CYFIRMA observed on a ransomware data leak site (DLS) in the dark web, that a company from Japan was compromised by Payload Ransomware. The compromised company is a Japan-based company specializing in the design, installation, and maintenance of building utility systems. The organization operates within the construction and engineering sector, focusing on water supply, drainage, air conditioning, and heating system solutions for residential, commercial, and industrial facilities. The compromised data includes confidential and sensitive information belonging to the organization. The total size of the data compromised is approximately 11GB.

Source: Dark Web
Relevancy & Insights:


ETLM Assessment:
According to CYFIRMA’s assessment, Payload Ransomware is a financially motivated cybercriminal operation that employs double-extortion tactics, combining data exfiltration with file encryption to maximize pressure on victims. The group demonstrates the ability to compromise enterprise environments through a range of intrusion methods, including credential theft, phishing campaigns, and the exploitation of vulnerable internet-facing systems. Payload operators conduct extensive post-compromise activities, such as reconnaissance, privilege escalation, lateral movement, and data theft before deploying ransomware. Their targeting of organizations across multiple industries and geographic regions highlights a broad operational scope and a persistent threat to enterprise networks. These capabilities make Payload Ransomware a significant cybersecurity risk, particularly for organizations with inadequate security monitoring, weak access controls, or limited incident response preparedness.
The Gentlemen Ransomware Impacts Jewelry & Luxury Goods Manufacturing and Wholesale company from Japan
Summary:
CYFIRMA observed on a ransomware data leak site (DLS) in the dark web, that a company from Japan was compromised by The Gentlemen Ransomware. The compromised company is a pioneering Japanese diamond enterprise established in 1966, specializing in the import, design, and manufacturing of fine diamond jewellery and loose stones. The organization has built a longstanding presence in the luxury goods sector through its expertise in diamond sourcing, jewellery production, and the development of high-quality gemstone products for both retail and wholesale markets. The compromised data includes confidential and sensitive information belonging to the organization.

Source: Dark Web
Relevancy & Insights:


ETLM Assessment:
According to CYFIRMA’s assessment, The Gentlemen Ransomware is a highly adaptive and globally active threat that leverages dual-extortion tactics, combining data theft with file encryption. The group employs advanced evasion and persistence techniques, supports cross-platform and scalable ransomware deployment, and conducts targeted attacks across multiple industries and geographic regions. This combination of capabilities makes it a significant risk to enterprise cybersecurity defenses, particularly for organizations with limited detection and incident-response maturity.
Vulnerability in Docker Desktop
Relevancy & Insights:
The vulnerability exists due to improper isolation in Docker Model Runner vllm-metal inference backend when processing container workloads.
Impact:
A remote user with code execution inside a container can execute code on the host.
Affected Products:
https[:]//docs[.]docker[.]com/security/security-announcements/#docker-desktop-4680-security-update-cve-2026-5817
Recommendations:
Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.
TOP 5 AFFECTED TECHNOLOGIES OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various technologies due to a range of vulnerabilities. The following are the top 5 most affected technologies.

ETLM Assessment
Vulnerability in Docker Desktop introduces significant risks to environments that rely on containerized application development and local virtualization workflows. As Docker Desktop is widely used by developers, DevOps teams, and enterprise engineering environments for building, testing, and managing containerized workloads, exploitation of this vulnerability could allow unauthorized access to sensitive development resources or weaken container isolation controls. Organizations leveraging container-based development platforms must ensure timely patching, enforce strict access control policies, and continuously monitor endpoint activity to reduce potential exposure. Addressing this vulnerability is essential to maintaining the integrity, security, and operational stability of containerized development ecosystems.
World Leaks Ransomware attacked and published the data of a manufacturing company from Indonesia
Summary:
Recently, we observed that World Leaks Ransomware attacked and published the data of a manufacturing company from Indonesia on its dark web website. The compromised company is a manufacturer of high-quality specialty paper and packaging materials primarily serving the cigarette and tobacco industry. The organization focuses on innovation, product quality, and sustainable manufacturing practices, offering a broad range of specialty paper and packaging solutions to customers worldwide. Through continuous technological advancement and a commitment to operational excellence, it supports long-term customer partnerships and delivers products tailored to the evolving needs of global markets. The ransomware attack allegedly resulted in the compromise and exposure of approximately 266.2 GB of data comprising 190,483 files. Based on the leaked storage listing, the exposed information appears to include internal corporate data organized within multiple directories, potentially containing operational records, business documents, project-related files, administrative information, and other sensitive organizational data. The full scope and nature of the compromised content cannot be independently verified from the screenshot alone, but the attackers claim to have obtained and published a substantial volume of internal files from the affected organization’s systems.

Source: Dark Web
Relevancy & Insights:
ETLM Assessment:
According to CYFIRMA’s assessment, World Leaks Ransomware represents an emerging and adaptive threat within the cybersecurity landscape, particularly due to its focus on data exfiltration, double-extortion tactics, and targeting of organizations across multiple sectors. The group leverages sophisticated intrusion techniques and publicly exposes stolen data to increase pressure on victims, amplifying both financial and reputational damage. Organizations must strengthen their cybersecurity posture by implementing robust incident response strategies, enforcing strict access controls, and enhancing employee awareness to detect phishing and social engineering attempts. Continuous monitoring, timely patch management, and proactive threat intelligence are critical to mitigating risks and defending against the evolving tactics employed by World Leaks Ransomware.
Customer Database Advertised on a Leak Site
Summary: The CYFIRMA research team identified a post on a dark web forum advertising a large customer database allegedly obtained from a Japanese-style restaurant chain operating in the Philippines. The post, published in May 2026, claims that a successful cyber intrusion resulted in the full compromise of the organization’s customer database. The forum advertisement includes sample records and references to downloadable datasets as proof of the alleged breach. According to the information presented in the forum post, the leaked dataset reportedly contains approximately 7,152,106 customer records distributed across three files with a total advertised size of approximately 1 GB. The exposed data appears to consist of customer personally identifiable information (PII), loyalty program information, account details, and transaction-related records.
Based on the claims and sample data displayed in the forum post, the compromised dataset reportedly includes:
If validated, the exposure of millions of customer records could create significant privacy and security risks for affected individuals. The availability of personal contact information, demographic data, and loyalty program details could facilitate phishing campaigns, social engineering attacks, identity theft, credential harvesting, account takeover attempts, and other forms of cyber-enabled fraud. The inclusion of spending patterns and membership information may further enable threat actors to conduct targeted scams against affected customers.
This incident highlights the cybersecurity challenges faced by organizations that manage large customer databases and digital loyalty platforms. If confirmed, the breach would represent a substantial exposure of personally identifiable information and customer account data. The incident underscores the importance of implementing strong access controls, database security measures, continuous monitoring, customer data protection practices, and proactive threat intelligence monitoring to identify and mitigate emerging cyber threats.
The authenticity of the alleged data leak remains unverified at the time of reporting, as the claims originate solely from a forum post and have not been independently confirmed.

Source: Underground Forums
Relevancy & Insights:
Financially motivated cybercriminals are continuously looking for exposed and vulnerable systems and applications to exploit. A significant number of these malicious actors congregate within underground forums, where they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers target unpatched systems or vulnerabilities in applications to gain access and steal valuable data. Subsequently, the stolen data is advertised for sale within underground markets, where it can be acquired, repurposed, and utilized by other malicious actors in further illicit activities.
ETLM Assessment:
The threat actor is assessed to be an active and capable cybercriminal entity involved primarily in data breach and leak operations. Multiple credible indicators associate the actor with incidents involving unauthorized access to organizational systems, followed by the publication, sale, or distribution of stolen data on underground forums. These activities reflect the increasing sophistication and persistence of cyber threats emerging from organized cybercriminal ecosystems, emphasizing the need for organizations to strengthen their security posture through continuous monitoring, enhanced threat intelligence capabilities, and proactive cybersecurity measures to safeguard sensitive data and critical assets.
Recommendations: Enhance the cybersecurity posture by:
The CYFIRMA research team identified a post on a dark web forum advertising a database allegedly obtained from a Vietnam-based technology and consulting organization. The forum post, published in May 2026, claims that the dataset contains information associated with approximately 32,000 user accounts. The seller offered the database for sale and provided sample records to demonstrate possession of the data.
According to the information presented in the forum post, the exposed database appears to contain user account records and authentication-related information. The advertisement indicates that the dataset includes personal details, account credentials, and profile information that could potentially be leveraged for unauthorized access attempts, identity theft, or social engineering activities.
Based on the sample records and claims visible in the forum post, the compromised dataset reportedly includes:
If validated, the exposure of user account information and credential-related data could create significant security risks for affected individuals. Threat actors may attempt credential-cracking attacks against hashed passwords, conduct credential-stuffing campaigns against other online services, or leverage exposed email addresses for phishing and social engineering operations. The availability of personal information and authentication data may further increase the risk of account compromise and unauthorized access.
This incident highlights the ongoing cybersecurity risks faced by organizations that store large volumes of user information and authentication credentials. If confirmed, the breach would represent a substantial exposure of personally identifiable information (PII) and account security data. The incident underscores the importance of strong password-hashing mechanisms, multi-factor authentication, continuous monitoring, secure credential storage practices, and proactive threat intelligence monitoring to detect and mitigate emerging cyber threats.
The authenticity of the alleged database leak remains unverified at the time of reporting, as the claims originate solely from a forum post and have not been independently confirmed.

Source: Underground Forums
STRATEGIC RECOMMENDATIONS
MANAGEMENT RECOMMENDATIONS
TACTICAL RECOMMENDATIONS
Please find the Geography-Wise and Industry-Wise breakdown of cyber news for the last 5 days as part of the situational awareness pillar.

For situational awareness intelligence and specific insights mapped to your organisation’s geography, industry, and technology, please access DeCYFIR.