
CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This covers multiple industries, geographies, and technologies that could be relevant to your organization.
Type: Ransomware
Target Technologies: Windows
Introduction
CYFIRMA Research and Advisory Team has found Ripper Ransomware while monitoring various underground forums as part of our Threat Discovery Process.
Ripper Ransomware
CYFIRMA Research identified Ripper as a ransomware that encrypts files and restricts access to data on infected systems. The malware applies cryptographic protection described as RSA and AES, renames affected files by appending the “.ripper12” extension, and targets multiple file types, including images, executables, and other common formats. In addition to file encryption, Ripper modifies the desktop wallpaper and creates a ransom note named “READ_NOTE.html,” both of which are used to notify the victim of the compromise and provide contact instructions.

The ransom note states that the victim’s network has been penetrated and that files have been encrypted and modified. It warns against using third-party recovery tools, renaming files, or altering encrypted data, claiming such actions will permanently corrupt the files. The note asserts that confidential and personal data has been exfiltrated and stored on a private server, with destruction promised upon payment and public release or sale threatened if payment is not made. Victims are instructed to contact the operators via specified email addresses or Tor chat, are offered free decryption of a small number of non-important files as proof, and are informed that the ransom price will increase if contact is not initiated within 72 hours.
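The two host artifacts the report names for Ripper, the appended ".ripper12" extension and the "READ_NOTE.html" ransom note, are what a responder sweeps for first to size the blast radius. The following is an added example, not code from CYFIRMA or from the malware analysis, that walks a directory tree and returns the encrypted files, the ransom notes, the affected directories and the recovered original file names. The sample tree it builds under a temporary directory is constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Artifacts named in the report for Ripper: appended extension and ransom-note file name.
RIPPER_EXTENSION = ".ripper12"
RIPPER_NOTE_NAME = "READ_NOTE.html"


def sweep_for_ripper(root):
    """Walk a directory tree and collect Ripper-style artifacts.

    Returns a dict with encrypted-file paths, ransom-note paths, the directories
    that hold at least one encrypted file, and the original names recovered by
    stripping the appended extension, so a responder can scope the incident
    before touching any file.
    """
    encrypted, notes, hit_dirs = [], [], set()
    for dirpath, _dirnames, filenames in os.walk(Path(root)):
        for name in filenames:
            path = Path(dirpath) / name
            if name == RIPPER_NOTE_NAME:
                notes.append(str(path))
            elif name.lower().endswith(RIPPER_EXTENSION):
                encrypted.append(str(path))
                hit_dirs.add(str(Path(dirpath)))
    return {
        "encrypted_files": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "affected_dirs": sorted(hit_dirs),
        "original_names": sorted(Path(p).name[:-len(RIPPER_EXTENSION)] for p in encrypted),
    }


def build_sample_tree():
    """Constructed sample tree (not real victim data) so the sweep runs stand-alone."""
    base = Path(tempfile.mkdtemp(prefix="ripper_demo_"))
    (base / "docs").mkdir()
    (base / "docs" / "report.docx.ripper12").write_bytes(b"\x00" * 16)
    (base / "docs" / "photo.jpg.ripper12").write_bytes(b"\x00" * 16)
    (base / "docs" / "READ_NOTE.html").write_text("<html>constructed sample note</html>")
    (base / "README.txt").write_text("untouched file")
    (base / "READ_NOTE.html").write_text("<html>constructed sample note</html>")
    return str(base)


if __name__ == "__main__":
    findings = sweep_for_ripper(build_sample_tree())
    print(f"{len(findings['encrypted_files'])} encrypted files, "
          f"{len(findings['ransom_notes'])} ransom notes, "
          f"{len(findings['affected_dirs'])} affected directories")
    for name in findings["original_names"]:
        print("original name:", name)
```

Run it against a mounted forensic image or a suspect share rather than the live host where possible; the sweep only reads names, so it is safe to run before any recovery decision is made.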

The following are the TTPs based on the MITRE ATT&CK Framework:
| Tactic | Technique ID | Technique Name |
| --- | --- | --- |
| Initial Access | T1091 | Replication Through Removable Media |
| Execution | T1059 | Command and Scripting Interpreter |
| Execution | T1129 | Shared Modules |
| Persistence | T1112 | Modify Registry |
| Persistence | T1542.003 | Pre-OS Boot: Bootkit |
| Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| Privilege Escalation | T1055 | Process Injection |
| Privilege Escalation | T1134.004 | Access Token Manipulation: Parent PID Spoofing |
| Privilege Escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| Defense Evasion | T1014 | Rootkit |
| Defense Evasion | T1027.002 | Obfuscated Files or Information: Software Packing |
| Defense Evasion | T1027.005 | Obfuscated Files or Information: Indicator Removal from Tools |
| Defense Evasion | T1036 | Masquerading |
| Defense Evasion | T1055 | Process Injection |
| Defense Evasion | T1070.004 | Indicator Removal: File Deletion |
| Defense Evasion | T1112 | Modify Registry |
| Defense Evasion | T1134.004 | Access Token Manipulation: Parent PID Spoofing |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
| Defense Evasion | T1202 | Indirect Command Execution |
| Defense Evasion | T1222 | File and Directory Permissions Modification |
| Defense Evasion | T1497.001 | Virtualization/Sandbox Evasion: System Checks |
| Defense Evasion | T1542.003 | Pre-OS Boot: Bootkit |
| Defense Evasion | T1564.003 | Hide Artifacts: Hidden Window |
| Credential Access | T1056.001 | Input Capture: Keylogging |
| Discovery | T1010 | Application Window Discovery |
| Discovery | T1012 | Query Registry |
| Discovery | T1016 | System Network Configuration Discovery |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1083 | File and Directory Discovery |
| Discovery | T1120 | Peripheral Device Discovery |
| Discovery | T1497.001 | Virtualization/Sandbox Evasion: System Checks |
| Discovery | T1518.001 | Software Discovery: Security Software Discovery |
| Discovery | T1614 | System Location Discovery |
| Lateral Movement | T1091 | Replication Through Removable Media |
| Collection | T1056.001 | Input Capture: Keylogging |
| Collection | T1074 | Data Staged |
| Command and Control | T1071 | Application Layer Protocol |
| Command and Control | T1095 | Non-Application Layer Protocol |
| Command and Control | T1105 | Ingress Tool Transfer |
| Command and Control | T1573 | Encrypted Channel |
| Impact | T1485 | Data Destruction |
| Impact | T1486 | Data Encrypted for Impact |
| Impact | T1490 | Inhibit System Recovery |
Relevancy and Insights:
ETLM Assessment:
CYFIRMA’s assessment indicates that Ripper demonstrates characteristics of an emerging ransomware operation that is structured around deliberate intrusion, controlled execution, and victim-centric extortion workflows. The combination of encryption, environmental modification, and explicit communication channels reflects an operational mindset focused on maintaining authority over the compromised environment and guiding victim behavior. The emphasis on identity-based interaction, time-bound pressure, and proof-of-decryption mechanisms suggests that the actors are seeking to establish credibility and efficiency in negotiations, which are commonly observed in ransomware groups aiming to scale their operations beyond isolated incidents.
CYFIRMA’s assessment indicates that Ripper is likely to transition toward a more advanced and sustained ransomware model as its operators refine their tactics. This evolution may involve broader targeting strategies, more efficient deployment techniques, and increased reliance on data exposure threats to reinforce payment pressure. As operational confidence grows, the ransomware could adopt more standardized processes and infrastructure to support recurring campaigns, positioning it as a more persistent threat within the ransomware ecosystem rather than a short-lived or experimental variant.
Sigma rule:

```yaml
title: New RUN Key Pointing to Suspicious Folder
tags:
  - attack.privilege-escalation
  - attack.persistence
  - attack.t1547.001
logsource:
  category: registry_set
  product: windows
detection:
  selection_target:
    TargetObject|contains:
      - '\Software\Microsoft\Windows\CurrentVersion\Run'
      - '\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
      - '\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
  selection_suspicious_paths_1:
    Details|contains:
      - ':\Perflogs'
      - ':\ProgramData'
      - ':\Windows\Temp'
      - ':\Temp'
      - '\AppData\Local\Temp'
      - '\AppData\Roaming'
      - ':\$Recycle.bin'
      - ':\Users\Default'
      - ':\Users\public'
      - '%temp%'
      - '%tmp%'
      - '%Public%'
      - '%AppData%'
  selection_suspicious_paths_user_1:
    Details|contains: ':\Users\'
  selection_suspicious_paths_user_2:
    Details|contains:
      - '\Favorites'
      - '\Favourites'
      - '\Contacts'
      - '\Music'
      - '\Pictures'
      - '\Documents'
      - '\Photos'
  filter_main_windows_update:
    TargetObject|contains: '\Microsoft\Windows\CurrentVersion\RunOnce\'
    Image|startswith: 'C:\Windows\SoftwareDistribution\Download\'
    Details|contains|all:
      - 'rundll32.exe '
      - 'C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32'
    Details|contains:
      - '\AppData\Local\Temp\'
      - 'C:\Windows\Temp\'
  filter_optional_spotify:
    Image|endswith:
      - 'C:\Program Files\Spotify\Spotify.exe'
      - 'C:\Program Files (x86)\Spotify\Spotify.exe'
      - '\AppData\Roaming\Spotify\Spotify.exe'
    TargetObject|endswith: 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Spotify'
    Details|endswith: 'Spotify.exe --autostart --minimized'
  condition: selection_target and (selection_suspicious_paths_1 or (all of selection_suspicious_paths_user_*)) and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
  - Software using weird folders for updates
level: high
```
(Source: Surface Web)
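To show how the rule's selections and filters combine, here is an added example, not part of CYFIRMA's report or of the Sigma project, that re-expresses the rule's logic in plain Python and runs it over constructed registry_set events. The path fragments are the ones listed in the rule; the field names TargetObject, Details and Image are the Sigma registry_set fields (populated from Sysmon registry value-set events in practice); every event value is made up for the demonstration.

```python
# Path fragments copied from the Sigma rule's selections and filters.
RUN_KEY_FRAGMENTS = [
    r"\Software\Microsoft\Windows\CurrentVersion\Run",
    r"\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
    r"\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
]
SUSPICIOUS_PATH_FRAGMENTS = [
    r":\Perflogs", r":\ProgramData", r":\Windows\Temp", r":\Temp",
    r"\AppData\Local\Temp", r"\AppData\Roaming", r":\$Recycle.bin",
    r":\Users\Default", r":\Users\public",
    "%temp%", "%tmp%", "%Public%", "%AppData%",
]
USER_PROFILE_SUBFOLDERS = [r"\Favorites", r"\Favourites", r"\Contacts",
                           r"\Music", r"\Pictures", r"\Documents", r"\Photos"]
SPOTIFY_IMAGES = [r"C:\Program Files\Spotify\Spotify.exe",
                  r"C:\Program Files (x86)\Spotify\Spotify.exe",
                  r"\AppData\Roaming\Spotify\Spotify.exe"]


def _contains_any(value, fragments):
    # Sigma string modifiers are case-insensitive by default, so compare lowercased.
    v = value.lower()
    return any(f.lower() in v for f in fragments)


def _contains_all(value, fragments):
    v = value.lower()
    return all(f.lower() in v for f in fragments)


def matches_rule(event):
    """Return True when a registry_set event satisfies the rule's condition."""
    target = event.get("TargetObject", "")
    details = event.get("Details", "")
    image = event.get("Image", "")

    selection_target = _contains_any(target, RUN_KEY_FRAGMENTS)
    selection_suspicious_paths_1 = _contains_any(details, SUSPICIOUS_PATH_FRAGMENTS)
    # 'all of selection_suspicious_paths_user_*': a user-profile path AND a known subfolder.
    selection_suspicious_paths_user = (
        _contains_any(details, [r":\Users" + "\\"])
        and _contains_any(details, USER_PROFILE_SUBFOLDERS)
    )
    filter_main_windows_update = (
        _contains_any(target, ["\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\"])
        and image.lower().startswith("c:\\windows\\softwaredistribution\\download\\")
        and _contains_all(details, ["rundll32.exe ",
                                    r"C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32"])
        and _contains_any(details, ["\\AppData\\Local\\Temp\\", "C:\\Windows\\Temp\\"])
    )
    filter_optional_spotify = (
        any(image.lower().endswith(i.lower()) for i in SPOTIFY_IMAGES)
        and target.lower().endswith(r"software\microsoft\windows\currentversion\run\spotify")
        and details.lower().endswith("spotify.exe --autostart --minimized")
    )
    return (selection_target
            and (selection_suspicious_paths_1 or selection_suspicious_paths_user)
            and not filter_main_windows_update
            and not filter_optional_spotify)


# Constructed sample events (labels describe the expected outcome).
SAMPLE_EVENTS = [
    {"label": "run_key_appdata_roaming",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Image": r"C:\Windows\regedit.exe",
     "Details": r"C:\Users\alice\AppData\Roaming\svc\updater.exe"},
    {"label": "run_key_user_documents",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Sync",
     "Image": r"C:\Windows\System32\reg.exe",
     "Details": r"C:\Users\bob\Documents\sync.exe"},
    {"label": "run_key_program_files",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Agent",
     "Image": r"C:\Program Files\Vendor\Agent\setup.exe",
     "Details": r"C:\Program Files\Vendor\Agent\agent.exe"},
    {"label": "spotify_autostart_excluded",
     "TargetObject": r"HKU\S-1-5-21-2222\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Spotify",
     "Image": r"C:\Users\carol\AppData\Roaming\Spotify\Spotify.exe",
     "Details": r"C:\Users\carol\AppData\Roaming\Spotify\Spotify.exe --autostart --minimized"},
    {"label": "windows_update_runonce_excluded",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     "Image": r"C:\Windows\SoftwareDistribution\Download\Install\WindowsUpdateBox.exe",
     "Details": r'rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\Windows\Temp\IXP000.TMP\"'},
]


def run_samples():
    """Map each sample label to whether the rule fires on it."""
    return {e["label"]: matches_rule(e) for e in SAMPLE_EVENTS}


if __name__ == "__main__":
    for label, hit in run_samples().items():
        print(f"{'ALERT ' if hit else 'quiet '} {label}")
```

Two points worth seeing in the output: the RunOnce cleanup entry matches the suspicious-path selection (it points into C:\Windows\Temp) and is suppressed only by the windows-update filter, and the Spotify entry matches on \AppData\Roaming and is suppressed only because all three Spotify filter fields line up. Tuning the rule for a fleet usually means adding filters of that shape rather than loosening the path lists.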
IOCs:
Kindly refer to the IOCs section to exercise control of your security systems.
STRATEGIC RECOMMENDATION
MANAGEMENT RECOMMENDATION
TACTICAL RECOMMENDATION
Type: DDoS Botnet / Proxy Malware (Android) | Objectives: Distributed Denial-of-Service & Proxy Monetization | Target Technology: Android OS | Target Geography: Vietnam, Brazil, India, and Saudi Arabia
CYFIRMA collects data from various forums based on which the trend is ascertained. We identified a few popular malware that were found to be distributed in the wild to launch cyberattacks on organizations or individuals.
Active Malware of the week
This week, “Kimwolf” is trending.
Overview of Operation Kimwolf
Recent research has identified the rapid expansion of the Kimwolf botnet, a large-scale malicious operation that has grown significantly since mid-2025. The botnet has compromised millions of devices worldwide, primarily low-cost Android-based TV and streaming devices. Rather than relying on traditional infection techniques, Kimwolf spreads by exploiting weaknesses in residential proxy networks, allowing attackers to gain access to devices that are unknowingly exposed through poorly secured proxy services.
Kimwolf poses a serious threat due to both its operational scale and its monetization model. The botnet has been used to launch extremely high-volume distributed denial-of-service attacks while simultaneously generating revenue through the sale of residential proxy access, bandwidth rental, and unauthorized installation of third-party monetization software. Investigations indicate that many affected devices were already compromised before reaching end users, revealing significant security gaps within the hardware and proxy supply chains.
The Kimwolf operation underscores a broader and growing risk within the residential proxy ecosystem. Unsecured proxy infrastructure provides threat actors with a reliable and low-cost method to gain persistent access to trusted networks at scale. While limited remediation efforts have begun, the continued demand for inexpensive residential bandwidth increases the likelihood of similar campaigns emerging in the future.
Strengthening device security and enforcing stricter controls across proxy networks will be critical to preventing the repetition of such large-scale abuses.
Attack Method
The Kimwolf botnet utilizes a nontraditional infection model that capitalizes on systemic weaknesses within residential proxy infrastructures. Rather than directly targeting end users, the threat actors exploit proxy networks that permit unrestricted routing to internal and local network resources. This access enables large-scale scanning of connected devices while masking malicious activity behind legitimate residential IP addresses, thereby reducing the likelihood of detection and attribution.
Upon identifying exposed devices, the attackers exploit unauthenticated Android Debug Bridge (ADB) services that are reachable through these proxy networks. The compromise process is automated and executed remotely through command-line interactions, allowing the attackers to deploy downloader scripts without user involvement. These scripts retrieve and execute multiple payloads, including both native binaries and application packages, which are installed using built-in Android system utilities. File permissions are modified to ensure execution, and persistence mechanisms are applied to maintain continued access.
After installation, the malware establishes persistent communication with its command-and-control infrastructure to receive operational directives. Infected devices periodically transmit status information and remain available for tasking, including denial-of-service operations and traffic relaying. The malware incorporates safeguards to prevent multiple instances from executing concurrently on the same device, improving operational stability. Additionally, secondary software may be deployed to monetize compromised systems through proxy bandwidth resale or automated credential abuse, allowing the operators to derive sustained financial benefit from each infected device.
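The weakness the attack method above rests on is proxy infrastructure that will forward traffic to internal and local network addresses. As an added example, not code from the Kimwolf research or from any proxy vendor, the following Python destination policy shows the check a proxy operator should apply to every CONNECT or forward request after name resolution: reject loopback, RFC 1918, CGNAT, link-local, unique-local, unspecified and multicast destinations (including their IPv4-mapped IPv6 forms) and restrict destination ports to an allow-list. The sample addresses are drawn from the documentation ranges and are constructed.

```python
import ipaddress

# Destination ranges a residential exit must never forward to, with a label for the log line.
BLOCKED_NETWORKS = [
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
    ("loopback", ipaddress.ip_network("::1/128")),
    ("rfc1918", ipaddress.ip_network("10.0.0.0/8")),
    ("rfc1918", ipaddress.ip_network("172.16.0.0/12")),
    ("rfc1918", ipaddress.ip_network("192.168.0.0/16")),
    ("cgnat", ipaddress.ip_network("100.64.0.0/10")),
    ("link-local", ipaddress.ip_network("169.254.0.0/16")),
    ("link-local", ipaddress.ip_network("fe80::/10")),
    ("unique-local", ipaddress.ip_network("fc00::/7")),
    ("unspecified", ipaddress.ip_network("0.0.0.0/8")),
    ("multicast", ipaddress.ip_network("224.0.0.0/4")),
    ("multicast", ipaddress.ip_network("ff00::/8")),
]
# Only web ports are allowed out; everything else, including ADB's TCP default (5555), is refused.
ALLOWED_PORTS = {80, 443}


def normalize(addr_text):
    """Parse an address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) to its IPv4 form.

    Without this step a private IPv4 target written as an IPv6 literal would be
    judged only against the IPv6 ranges and slip through.
    """
    addr = ipaddress.ip_address(addr_text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def check_destination(addr_text, port):
    """Return (allowed, reason) for a request to forward traffic to addr_text:port."""
    try:
        addr = normalize(addr_text)
    except ValueError:
        return False, "unparseable address"
    for label, net in BLOCKED_NETWORKS:
        if addr in net:  # ipaddress returns False for a version mismatch, no exception
            return False, f"destination in {label} range {net}"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not in allow-list"
    return True, "ok"


if __name__ == "__main__":
    # Constructed requests: documentation-range public addresses plus internal targets.
    for dest, port in [("203.0.113.10", 443), ("192.168.1.20", 5555),
                       ("::ffff:10.0.0.5", 443), ("169.254.169.254", 80),
                       ("2001:db8::1", 443), ("not-an-ip", 443)]:
        allowed, reason = check_destination(dest, port)
        print(f"{'ALLOW' if allowed else 'DENY '} {dest}:{port} ({reason})")
```

Apply the check to every address a hostname resolves to and then connect to the address that was checked, not to the hostname again; otherwise a DNS answer that changes between check and connect (rebinding) defeats the policy.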
The following are the TTPs based on the MITRE ATT&CK Framework for Mobile:
| Tactic | Technique ID | Technique Name |
| --- | --- | --- |
| Initial Access | T1409 | Stored Application Data |
| Execution | T1621 | Multi-Factor Authentication Request Generation |
| Execution | T1623 | Command and Scripting Interpreter |
| Persistence | T1624 | Event Triggered Execution |
| Persistence | T1406 | Obfuscated Files or Information |
| Privilege Escalation | T1404 | Exploitation for Privilege Escalation |
| Defense Evasion | T1633 | Virtualization/Sandbox Evasion |
| Defense Evasion | T1407 | Download New Code at Runtime |
| Command and control | T1437 | Application Layer Protocol |
INSIGHTS
ETLM ASSESSMENT
From an ETLM perspective, CYFIRMA assesses that this activity reflects a shifting threat landscape characterized by prolonged, low-visibility exploitation embedded within otherwise legitimate digital ecosystems. As adversaries increasingly operate through trusted services and consumer technologies, organizations are likely to face extended periods of undetected exposure, complicating risk attribution and impact assessment. Employees may be affected indirectly as routine workflows, connected devices, and third-party services become vectors for latent compromise rather than direct targets. Over time, this trend is expected to weaken traditional assumptions around asset trust and operational boundaries, increasing uncertainty in enterprise risk management as malicious activity becomes progressively harder to distinguish from normal business behavior.
IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems.
YARA Rules
```yara
rule Kimwolf_Android_Botnet_Campaign
{
    meta:
        author = "CYFIRMA"
        date = "2026-01-06"
        description = "Detects Kimwolf Android botnet components based on known identifiers, package names, and C2 indicators"
    strings:
        /* Unique execution and mutex-related strings */
        $s1 = "xdrofl123"
        $s2 = "botless"
        $s3 = "rolf"
        /* Malicious Android package and service identifiers */
        $pkg1 = "com.n2.systemservice063"
        $pkg2 = "com.n2.systemservice062"
        $pkg3 = "com.abcproxy.lolsdk"
        $pkg4 = "com.a.androidsvc"
        $svc1 = "NetworkSyncService"
        $svc2 = "SDKService"
        /* Known Kimwolf C2 / infrastructure indicators */
        $c2_1 = "85.234.91.247"
        $c2_2 = "93.95.112.53"
        $c2_3 = "213.193.253.1"
        $c2_4 = "62.210.172.157"
        $c2_5 = "89.39.70.110"
        /* Residential proxy abuse indicators */
        $dom1 = "xd.resi.to"
        $dom2 = "xd.mob.to"
        $dom3 = "onetwoseven.14emeliaterracewestroxburyma02132.su"
        $dom4 = "lolxd.713mtauburnctcolumbusoh43085.st"
    condition:
        (any of ($s*) and any of ($pkg*)) or any of ($c2*) or any of ($dom*)
}
```
STRATEGIC RECOMMENDATIONS
MANAGEMENT RECOMMENDATIONS
TACTICAL RECOMMENDATIONS
Key Intelligence Signals:
Tracking Mustang Panda: Advanced Espionage Techniques and Regional Impacts
About the Threat Actor
Mustang Panda is a China-linked cyber-espionage threat actor active since at least 2012, known for conducting geopolitically motivated intelligence operations marked by disciplined execution, evolving tradecraft, and long-term persistence. Its campaigns commonly start with targeted spear-phishing, using politically themed lures delivered via ZIP, RAR, LNK, or URL files, followed by multi-stage infection chains that deploy loaders and stagers to install backdoors, reverse shells, and lateral-movement tools. The group frequently leverages malware families, such as PlugX, Poison Ivy, ToneShell, StarProxy, Claimloader, and SplatCloak, favoring DLL sideloading and encrypted command-and-control channels to maintain stealth and persistence, with some operations also spreading via infected USB media. Overall, Mustang Panda demonstrates a high degree of adaptability, combining precise targeting with modular tooling to sustain prolonged access to high-value networks.
Details on Exploited Vulnerabilities
| CVE ID | Affected Products | CVSS Score | Exploit Links |
| --- | --- | --- | --- |
| CVE-2021-1675 | Microsoft Windows | 7.8 | link1, link2, link3 |
| CVE-2021-40444 | Microsoft Windows | 7.8 | link1, link2, link3 |
TTPs based on MITRE ATT&CK Framework
| Tactic | ID | Technique |
| --- | --- | --- |
| Reconnaissance | T1598.003 | Phishing for Information: Spearphishing Link |
| Resource Development | T1585.002 | Establish Accounts: Email Accounts |
| Resource Development | T1608 | Stage Capabilities |
| Resource Development | T1608.001 | Stage Capabilities: Upload Malware |
| Resource Development | T1588.004 | Obtain Capabilities: Digital Certificates |
| Resource Development | T1583.002 | Acquire Infrastructure: Domains |
| Initial Access | T1091 | Replication Through Removable Media |
| Initial Access | T1566.001 | Phishing: Spearphishing Attachment |
| Initial Access | T1566.002 | Phishing: Spearphishing Link |
| Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell |
| Execution | T1059.005 | Command and Scripting Interpreter: Visual Basic |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell |
| Execution | T1203 | Exploitation for Client Execution |
| Execution | T1053.005 | Scheduled Task/Job: Scheduled Task |
| Execution | T1204.001 | User Execution: Malicious Link |
| Execution | T1204.002 | User Execution: Malicious File |
| Execution | T1047 | Windows Management Instrumentation |
| Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| Persistence | T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription |
| Persistence | T1574.001 | Hijack Execution Flow: DLL |
| Persistence | T1053.005 | Scheduled Task/Job: Scheduled Task |
| Privilege Escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| Privilege Escalation | T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription |
| Privilege Escalation | T1574.001 | Hijack Execution Flow: DLL |
| Privilege Escalation | T1053.005 | Scheduled Task/Job: Scheduled Task |
| Defense Evasion | T1480 | Execution Guardrails |
| Defense Evasion | T1564.001 | Hide Artifacts: Hidden Files and Directories |
| Defense Evasion | T1574.001 | Hijack Execution Flow: DLL |
| Defense Evasion | T1070.004 | Indicator Removal: File Deletion |
| Defense Evasion | T1036.005 | Masquerading: Match Legitimate Resource Name or Location |
| Defense Evasion | T1036.007 | Masquerading: Double File Extension |
| Defense Evasion | T1036.004 | Masquerading: Masquerade Task or Service |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Defense Evasion | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File |
| Defense Evasion | T1027.016 | Obfuscated Files or Information: Junk Code Insertion |
| Defense Evasion | T1553.002 | Subvert Trust Controls: Code Signing |
| Defense Evasion | T1218.004 | System Binary Proxy Execution: InstallUtil |
| Defense Evasion | T1218.005 | System Binary Proxy Execution: Mshta |
| Defense Evasion | T1218.014 | System Binary Proxy Execution: MMC |
| Defense Evasion | T1218.007 | System Binary Proxy Execution: Msiexec |
| Credential Access | T1003.003 | OS Credential Dumping: NTDS |
| Discovery | T1083 | File and Directory Discovery |
| Discovery | T1057 | Process Discovery |
| Discovery | T1518 | Software Discovery |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1016 | System Network Configuration Discovery |
| Discovery | T1049 | System Network Connections Discovery |
| Lateral Movement | T1091 | Replication Through Removable Media |
| Collection | T1557.004 | Adversary-in-the-Middle: Evil Twin |
| Collection | T1560.001 | Archive Collected Data: Archive via Utility |
| Collection | T1119 | Automated Collection |
| Collection | T1560.003 | Archive Collected Data: Archive via Custom Method |
| Collection | T1074.001 | Data Staged: Local Data Staging |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols |
| Command and Control | T1219.002 | Remote Access Tools: Remote Desktop Software |
| Command and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography |
| Command and Control | T1105 | Ingress Tool Transfer |
| Command and Control | T1102 | Web Service |
| Command and Control | T1090 | Proxy |
| Command and Control | T1095 | Non-Application Layer Protocol |
| Exfiltration | T1052.001 | Exfiltration Over Physical Medium: Exfiltration over USB |
Latest Developments Observed
Mustang Panda’s 2025 operations reveal a shift to a kernel-mode attack chain, leveraging a malicious mini-filter driver to stealthily inject an updated ToneShell backdoor into system processes. The driver exploits a compromised legacy digital certificate, applies rootkit-level protections to files, registry keys, and processes, and disrupts Microsoft Defender’s file system filtering. This marks the first documented use of a kernel-mode loader for ToneShell, substantially improving stealth and defense evasion. The backdoor communicates with its C2 over raw TCP on port 443, masquerading traffic with fake TLS 1.3 headers.
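The updated ToneShell described above talks to its C2 over raw TCP on port 443 behind fake TLS 1.3 headers, so a defender's first triage question for such a stream is whether it is structurally valid TLS at all. The following is an added example, not a CYFIRMA or vendor detection, and it does not encode what ToneShell's fake framing actually looks like: it parses the TLS record layer and the ClientHello framing of the first bytes a client sends and reports the first inconsistency it finds. The ClientHello builder and the fake streams are constructed samples, not captured traffic.

```python
import struct

CONTENT_TYPES = {20, 21, 22, 23}            # change_cipher_spec, alert, handshake, application_data
RECORD_VERSIONS = {0x0301, 0x0302, 0x0303}  # TLS 1.3 keeps these legacy values in the record header
MAX_RECORD_LEN = 16384 + 256                # 2^14 plaintext plus allowed protection overhead


def split_records(stream):
    """Parse the TLS record layer. Returns (records, error); each record is (ctype, version, body)."""
    records, off = [], 0
    while off < len(stream):
        if len(stream) - off < 5:
            return records, f"truncated record header at offset {off}"
        ctype, version, length = struct.unpack("!BHH", stream[off:off + 5])
        if ctype not in CONTENT_TYPES:
            return records, f"unknown content type {ctype} at offset {off}"
        if version not in RECORD_VERSIONS:
            return records, f"unexpected record version {version:#06x} at offset {off}"
        if length == 0 or length > MAX_RECORD_LEN:
            return records, f"implausible record length {length} at offset {off}"
        body = stream[off + 5:off + 5 + length]
        if len(body) < length:
            return records, f"record body truncated at offset {off}"
        records.append((ctype, version, body))
        off += 5 + length
    return records, None


def check_client_first_flight(stream):
    """Return (looks_like_tls, reason) for the first bytes a client sent on a port-443 stream."""
    records, err = split_records(stream)
    if err:
        return False, err
    if not records:
        return False, "empty stream"
    ctype, _version, body = records[0]
    if ctype != 22:
        return False, "first record is not a handshake record"
    if len(body) < 4 or body[0] != 1:
        return False, "first handshake message is not a ClientHello"
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_len != len(body) - 4:
        return False, f"handshake length {hs_len} disagrees with record body {len(body) - 4}"
    if len(body) < 39 or body[4:6] != b"\x03\x03":
        return False, "ClientHello legacy_version is not 0x0303"
    off = 39 + body[38]                     # skip legacy_session_id
    if body[38] > 32 or len(body) < off + 2:
        return False, "malformed legacy_session_id"
    cs_len = int.from_bytes(body[off:off + 2], "big")
    if cs_len == 0 or cs_len % 2:
        return False, "malformed cipher_suites vector"
    off += 2 + cs_len
    if len(body) < off + 1:
        return False, "cipher_suites overruns ClientHello"
    off += 1 + body[off]                    # skip legacy_compression_methods
    if len(body) < off + 2:
        return False, "no extensions (a TLS 1.3 client always sends supported_versions)"
    ext_len = int.from_bytes(body[off:off + 2], "big")
    if off + 2 + ext_len != len(body):
        return False, "extensions length disagrees with ClientHello length"
    return True, "plausible ClientHello"


def build_client_hello(sni=b"example.test"):
    """Constructed, minimal but well-formed TLS 1.3 ClientHello record (sample input)."""
    random32 = bytes(range(32))
    session_id = b"\x20" + bytes(range(32, 64))
    cipher_suites = b"\x00\x04\x13\x01\x13\x02"        # TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
    compression = b"\x01\x00"
    host = b"\x00" + len(sni).to_bytes(2, "big") + sni  # server_name entry, host_name type
    ext_sni = b"\x00\x00" + (len(host) + 2).to_bytes(2, "big") + len(host).to_bytes(2, "big") + host
    ext_versions = b"\x00\x2b\x00\x03\x02\x03\x04"     # supported_versions: [TLS 1.3]
    exts = ext_sni + ext_versions
    hello = (b"\x03\x03" + random32 + session_id + cipher_suites + compression
             + len(exts).to_bytes(2, "big") + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed fakes: a valid-looking record header in front of bytes that are not a handshake.
FAKE_APP_DATA_FIRST = b"\x17\x03\x03" + (40).to_bytes(2, "big") + b"A" * 40
FAKE_BAD_HANDSHAKE_LEN = (b"\x16\x03\x03" + (40).to_bytes(2, "big")
                          + b"\x01" + (100).to_bytes(3, "big") + b"B" * 36)

if __name__ == "__main__":
    for name, sample in [("real ClientHello", build_client_hello()),
                         ("application_data first", FAKE_APP_DATA_FIRST),
                         ("bad handshake length", FAKE_BAD_HANDSHAKE_LEN),
                         ("plain HTTP", b"GET / HTTP/1.1\r\n")]:
        print(f"{name:24s} -> {check_client_first_flight(sample)}")
```

Treat a failure as a triage signal, not a verdict: a ClientHello legitimately split across records, or an imitation that gets the inner lengths right, will not be caught here, so pair it with SNI, JA3/JA4 and server-certificate checks on the same flow.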
ETLM Insights
Mustang Panda is a state-aligned cyber-espionage threat actor focused on long-term intelligence collection and geopolitical advantage, rather than financial gain. Its operations consistently align with China’s regional strategic interests, targeting government, diplomatic, military, and policy-related entities across Southeast and East Asia to support sustained situational awareness and strategic influence.
Operationally, the actor emphasizes durable access, operational stealth, and persistence, maintaining footholds within high-value environments to enable prolonged intelligence gathering. Recent activity indicates a clear shift toward enhanced survivability and evasion, suggesting an increased focus on operating undetected within hardened networks and resisting modern detection and response capabilities.
Looking ahead, Mustang Panda is expected to continue refining its covert, intelligence-led operations, expanding across interconnected government and regional partner ecosystems while adopting techniques that further reduce attribution risk and extend long-term access in support of broader state objectives.
IOCs:
Kindly refer to the IOCs section to exercise control of your security systems.
YARA Rules
```yara
rule APT_MustangPanda_Malware_Infrastructure_Indicators
{
    meta:
        description = "Detects Mustang Panda malware using known filenames, C2 domains, IPs, and exploit references"
        author = "CYFIRMA"
        threat_actor = "Mustang Panda"
        reference = "shipping-doc themed lures, known C2 infra, PrintNightmare and MSHTML exploits"
        date = "2026-01-06"
        confidence = "Medium-High"
    strings:
        /* Suspicious lure document */
        $doc_lure = "shipping documents.docx" nocase
        /* Malware filenames observed */
        $exe1 = "jhjhdskjsdklsdkl.exe" nocase
        $exe2 = "JHJHDSKJSDKLSDKL.exe" nocase
        $exe3 = "order 22hjbx1151frr.exe" nocase
        /* Known Mustang Panda domains */
        $domain1 = "www.profile-keybord.com"
        $domain2 = "www.dest-working.com"
        $domain3 = "www.ynsins.com"
        $domain4 = "www.aihkstore.com"
        /* Known IP addresses */
        $ip1 = "202.59.10.106"
        $ip2 = "188.208.141.196"
        $ip3 = "103.159.132.91"
        $ip4 = "23.216.147.76"
        /* Exploit references commonly abused by Mustang Panda */
        $cve1 = "CVE-2021-1675"
        $cve2 = "CVE-2021-40444"
    condition:
        /* Trigger if malware filename or lure doc is present */
        (1 of ($exe*) or $doc_lure)
        and
        /* And at least one infrastructure or exploit indicator */
        (1 of ($domain*) or 1 of ($ip*) or 1 of ($cve*))
}
```
Strategic
Management
Tactical
USA hits Venezuela in a raid that sees its president arrested by Special Forces
The United States conducted a large-scale military operation in Caracas over the first weekend of January, resulting in the capture of Venezuelan President Nicolás Maduro and his wife, Cilia Flores. U.S. forces, including Delta Force special operators supported by approximately 150 aircraft, executed a pre-dawn raid that involved airstrikes on military installations and air defenses, followed by a helicopter insertion to seize Maduro at his compound. The operation, referred to as “Absolute Resolve,” caused significant disruptions in Caracas, including widespread power outages and blackouts across parts of the capital, which coincided with the strikes and were accompanied by reported losses of internet connectivity. The Venezuelan government attributed the outages to physical attacks on infrastructure, but President Donald Trump suggested U.S. involvement in creating the darkness, stating during a Mar-a-Lago press conference that “the lights of Caracas were largely turned off due to a certain expertise that we have.”
ETLM Assessment:
The Joint Chiefs of Staff confirmed at a separate briefing that U.S. Cyber Command and U.S. Space Command contributed by “layering different effects” and helping to “create a pathway” for the incoming U.S. forces, though neither command has provided further details on any cyber operations. Independent monitoring from researchers documented targeted outages in Caracas, aligning with the timing of the military action. While we do not know the details of the operations, it’s becoming clear that in modern warfare, a cyber component is part of any successful operation.
Disrupting, degrading, or destroying an adversary’s digital systems, networks, and data can help achieve strategic effects comparable to traditional kinetic military actions.
Russia escalating cyber war on Germany
Russia is escalating covert hybrid warfare against Germany’s critical infrastructure, through sabotage, cyberattacks, espionage, and influence operations, targeting energy and defense sectors as a potential prelude to broader conflict, according to a leaked German Defense Ministry document. The classified documents present these attacks as deliberate Russian tools to probe weaknesses in government coordination, unsettle the public, and hinder NATO force deployments, while preparing capabilities for large-scale war against the alliance by 2029 at the latest. Germany, as NATO’s key European logistics hub, expects to face initial hybrid threats before any open military escalation on the eastern flank, though it would not become a direct ground frontline; the ministry identifies Russia as the greatest immediate security threat. In separate news, the European Space Agency (ESA) disclosed on X that a recent cybersecurity incident may have compromised a very small number of external servers outside its corporate network, supporting unclassified collaborative scientific engineering; the agency is conducting forensic analysis and has secured affected devices. Some analysts have already blamed Russia for the incident as well.
ETLM Assessment:
As previously noted in this CYFIRMA report, since the beginning of the Russian war in Ukraine in 2022, NATO member states have experienced a surge in physical attacks targeting critical infrastructure. Civilian facilities like shopping malls and factories have been set ablaze, while vital rail lines in Sweden, Germany, and France have been sabotaged. Defense plants supporting Ukraine have also been hit, including a London aid warehouse in March 2024 and a Welsh ammunition factory in April. This wave of sabotage is arguably the most significant the West has faced since World War II. While Russia maintains plausible deniability (a goal for which it also employs privateering cyber criminals), Western officials increasingly believe the Kremlin is orchestrating many of these attacks.
Governments and NATO leaders have publicly blamed Russian intelligence agencies and affiliated groups, implementing various measures to counter this threat. While definitive attribution remains complex, the sophistication of these attacks and the backdrop of geopolitical tensions strongly indicate Russian involvement.
These attacks have targeted diverse German and other NATO countries’ organizations, causing widespread disruption and financial losses. Russia has solidified its position as a capable, motivated, and irresponsible cyber threat actor. Russian operatives have almost certainly escalated their cyber campaigns against Ukraine and its allies, aligning these operations with their military objectives and broader geopolitical ambitions.
Qilin Ransomware Impacts Logic Vein Co., Ltd
Summary:
CYFIRMA observed in an underground forum that a company from Japan, Logic Vein Co., Ltd (https[:]//www[.]lvi[.]co[.]jp/), was compromised by Qilin Ransomware. Logic Vein Co., Ltd. is a Japanese software company, specializing in enterprise network management solutions like Net LineDancer for configuration backup, change detection, and automation. The compromised data contains confidential and sensitive information belonging to the organization.

Relevancy & Insights:
ETLM Assessment:
According to CYFIRMA’s assessment, Qilin ransomware poses a significant threat to organizations of all sizes. Its evolving tactics, including double extortion (data encryption and leak threats), cross-platform capabilities (Windows and Linux, including VMware ESXi), and a focus on speed and evasion, make it a particularly dangerous actor.
SafePay Ransomware Impacts 47CLUB
Summary:
CYFIRMA observed in an underground forum that a company from Japan, 47CLUB (https[:]//www[.]47club[.]co[.]jp/), was compromised by SafePay Ransomware. 47CLUB (operated by Kabushiki Kaisha 47CLUB) is a Japanese e-commerce and regional marketing company based in Tokyo. Its core mission is to support and promote local producers across Japan by offering regional specialties, traditional foods, crafts, and artisan products through an online platform that showcases products from all 47 Japanese prefectures — a reference reflected in the company’s name (“47” representing Japan’s prefectures). The company works with over 1,300 local shops and producers and partners with regional newspaper companies to curate and sell unique local goods via EC (electronic commerce) marketplaces, pop-up events, and business collaborations, including catalog sales and promotional campaigns. The compromised data contains confidential and sensitive information belonging to the organization.

Relevancy & Insights:
ETLM Assessment:
According to CYFIRMA’s assessment, SafePay represents a sophisticated, fast-moving ransomware threat capitalizing on VPN weaknesses and credential theft, employing effective double extortion tactics to maximize ransom payments.
Organizations, especially in highly targeted sectors and regions, must prioritize layered defenses and active hunting for early detection.
Vulnerability in Xspeeder SXZOS
Relevancy & Insights:
The vulnerability exists due to missing input validation in the vLogin.py script when processing base64-encoded data. A remote, unauthenticated attacker can send a specially crafted HTTP request with encoded Python code and execute it on the system with root privileges.
Impact:
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
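The bug class named above is decoded base64 request data being treated as executable content instead of as data. Here is an added example that is not the vLogin.py code and makes no claim about how Xspeeder's script is written: a hypothetical unsafe handler (shown only to name the pattern) beside a hardened decoder that enforces a size cap, a strict base64 alphabet, UTF-8, a JSON object and a fixed field schema before anything downstream sees the value. The sample payloads are constructed.

```python
import base64
import binascii
import json

MAX_ENCODED_LEN = 4096                               # cap before decoding; decoding grows memory
LOGIN_SCHEMA = {"username": str, "password": str}    # the only fields a login payload may carry


def handle_login_unsafe(encoded_param):
    """Hypothetical unsafe pattern (illustration only, never call this): the decoded bytes
    go straight to the interpreter, so whoever controls the parameter controls the process,
    and with the service running as root that is the whole host."""
    exec(base64.b64decode(encoded_param))


def decode_login_payload(encoded_param):
    """Hardened decoder: treat the parameter strictly as data and validate every layer.
    Returns the validated dict or raises ValueError naming the first failed check."""
    if not isinstance(encoded_param, str) or len(encoded_param) > MAX_ENCODED_LEN:
        raise ValueError("payload missing or too large")
    try:
        raw = base64.b64decode(encoded_param, validate=True)   # reject non-alphabet bytes and bad padding
    except (binascii.Error, ValueError) as exc:
        raise ValueError("payload is not valid base64") from exc
    try:
        obj = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("payload is not a JSON object") from exc
    if not isinstance(obj, dict) or set(obj) != set(LOGIN_SCHEMA):
        raise ValueError("payload is not an object with exactly the expected fields")
    for field, expected_type in LOGIN_SCHEMA.items():
        value = obj[field]
        if not isinstance(value, expected_type) or not 1 <= len(value) <= 256:
            raise ValueError(f"field {field} has the wrong type or length")
    return obj


def classify_payload(encoded_param):
    """Wrapper returning ('accepted', obj) or ('rejected', reason) for logging and tests."""
    try:
        return "accepted", decode_login_payload(encoded_param)
    except ValueError as exc:
        return "rejected", str(exc)


def encode_payload(raw_bytes):
    return base64.b64encode(raw_bytes).decode("ascii")


# Constructed sample payloads.
SAMPLE_VALID = encode_payload(json.dumps({"username": "alice", "password": "correct-horse"}).encode())
SAMPLE_CODE = encode_payload(b"print('this is code, not data')")   # must be rejected as non-JSON
SAMPLE_EXTRA_FIELD = encode_payload(json.dumps({"username": "alice", "password": "x", "role": "admin"}).encode())
SAMPLE_NOT_BASE64 = "not base64!!"

if __name__ == "__main__":
    for label, sample in [("valid", SAMPLE_VALID), ("code", SAMPLE_CODE),
                          ("extra field", SAMPLE_EXTRA_FIELD), ("not base64", SAMPLE_NOT_BASE64)]:
        print(f"{label:12s} -> {classify_payload(sample)}")
```

The page notes the script runs as root; the hardened decoder removes the code-execution path, and running the web service under an unprivileged account limits what any remaining bug in it can reach.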
Affected Products:
https[:]//pwn[.]ai/blog/cve-2025-54322-zeroday-unauthenticated-root-rce-affecting-70-000-hosts
Recommendations:
Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behaviour that might indicate an attempted exploitation of this vulnerability.
TOP 5 AFFECTED TECHNOLOGIES OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various technologies due to a range of vulnerabilities. The following are the top 5 most affected technologies.

ETLM Assessment
Vulnerability in Xspeeder SXZOS can pose significant threats to user privacy and system security. This can impact various industries globally, including telecommunications, enterprise networking, and service providers. Ensuring the security of Xspeeder SXZOS is crucial for maintaining the integrity and protection of network operations and user data worldwide. Therefore, addressing these vulnerabilities is essential to safeguarding traffic acceleration, bandwidth optimization, and network performance management across different geographic regions and sectors.
INC Ransomware attacked and published the data of Omrania
Summary:
Recently, we observed that INC Ransomware attacked and published the data of Omrania (https[:]//omrania[.]com/) on its dark web website. Omrania is a Saudi Arabia-based international architecture and engineering consultancy with more than five decades of experience. The firm specializes in sustainable urban planning, landscape design, and building development, delivering services to clients across Saudi Arabia, the Middle East, North Africa, and Europe. The ransomware incident resulted in the exposure of approximately 4,000 GB of data, comprising confidential documents, client information, NDAs, financial records, corporate data, business agreements, project drawings, and a significant amount of other highly critical and sensitive information.

Relevancy & Insights:
ETLM Assessment:
Based on recent assessments by CYFIRMA, INC Ransomware represents a significant threat within the evolving landscape of ransomware attacks. Its use of strong encryption methods and double extortion tactics highlights the increasing sophistication of cybercriminal operations. Organizations are advised to enhance their cybersecurity measures by implementing robust defenses against phishing attacks, maintaining updated security protocols, and monitoring for unusual network activity to mitigate risks associated with this and other ransomware variants. Continuous vigilance is essential to protect against the threats posed by emerging ransomware groups like INC Ransomware.
Tokyo FM Broadcasting Co., Ltd. Data Advertised on a Leak Site
Summary: The CYFIRMA research team has identified claims made by a threat actor operating under the alias “victim,” who alleges responsibility for a security breach involving Tokyo FM Broadcasting Co., Ltd. Tokyo FM is a prominent Japanese radio broadcaster headquartered in Tokyo and serves as the flagship station of the Japan FM Network (JFN).
According to the threat actor, the breach resulted in the compromise of data from multiple internal systems. The attackers claim to have exfiltrated more than three million records containing sensitive personal and user-related information.
The allegedly exposed data includes:
If confirmed, this incident could pose significant privacy and security risks to affected individuals and highlights the potential impact of large-scale data breaches on major media and broadcasting organizations.
The authenticity of this breach remains unverified at the time of reporting, as the claim originates solely from the threat actor.

Wadhefa Data Advertised on a Leak Site
Summary:
The CYFIRMA Research team has observed claims by a threat actor operating under the alias “Grubder,” who alleges responsibility for a security breach involving the Saudi Arabian job platform وظيفة.كوم (Wadhefa[.]com). According to the actor, the compromised data is being offered for sale and contains records belonging to 418,293 job seekers.
The threat actor claims that the exfiltrated dataset includes a wide range of sensitive personal and professional information. If verified, this exposure could pose serious privacy and identity-theft risks to affected individuals.
The allegedly compromised data includes:
The authenticity of this breach remains unverified at the time of reporting, as the claim originates solely from the threat actor.

Relevancy & Insights:
Financially motivated cybercriminals are continuously looking for exposed and vulnerable systems and applications to exploit. A significant number of these malicious actors congregate within underground forums, where they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers target unpatched systems or vulnerabilities in applications to gain access and steal valuable data. Subsequently, the stolen data is advertised for sale within underground markets, where it can be acquired, repurposed, and utilized by other malicious actors in further illicit activities.
ETLM Assessment:
The threat actor known as “Grubder” is assessed to be a highly active and capable group primarily engaged in data-leak operations. Multiple credible sources have associated this actor with a series of security incidents involving unauthorized access to systems and the sale or dissemination of stolen data on dark web marketplaces. These activities underscore the persistent and rapidly evolving cyber-threat landscape driven by underground criminal ecosystems. They also highlight the urgent need for organizations to reinforce their cybersecurity posture through continuous monitoring, improved threat-intelligence capabilities, and proactive defensive measures to protect sensitive information and critical infrastructure.
Recommendations: Enhance the cybersecurity posture by:
The CYFIRMA Research team observed that Kumpulan Prasarana Rakyat Johor (KPRJ), the state-owned infrastructure and property development company of Johor, Malaysia, has allegedly been compromised in a significant data breach. The company, which serves as a primary executive arm for the Johor state government, manages large-scale construction projects, multi-million-dollar contracts, and strategic state land developments. The breach was reportedly carried out by an unidentified party who is now offering the stolen database for sale on an underground forum for 1.5 BTC.
The allegedly compromised data includes a massive collection of files totaling 180.69 GB and comprising over 71,000 files. According to the actor, the sensitive information covers the period from 2022 to March 2025 and contains:
The authenticity of this breach remains unverified at the time of reporting, as the claim originates solely from the threat actor.

The CYFIRMA Research team has identified that Enerparc AG, a reputable German company in the renewable energy sector, has allegedly been compromised. The breach reportedly impacts the company’s internal database regarding solar projects in Spain, specifically in the Mallorca and Alicante regions. The company, which has connected over 4,500 MW of solar capacity to the grid, is one of the largest independent solar power producers in Europe. The actor responsible for the leak claims to have extracted approximately 8.6 GB of data consisting of over 5,600 files related to projects such as Alicanti, Son Pons, and Son Ravanell.
According to the actor, the documents are predominantly engineering and technical in nature. The allegedly compromised data includes:
The authenticity of this breach remains unverified at the time of reporting, as the claim originates solely from the threat actor.

STRATEGIC RECOMMENDATIONS
MANAGEMENT RECOMMENDATIONS
TACTICAL RECOMMENDATIONS
Please find the Geography-Wise and Industry-Wise breakup of cyber news for the last 5 days as part of the situational awareness pillar.
For situational awareness intelligence and specific insights mapped to your organisation’s geography, industry, and technology, please access DeCYFIR.