Weekly Intelligence Report – 12 September 2025

Ransomware of the week

CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple – industries, geography, and technology – that could be relevant to your organization.

Type: Ransomware
Target Technologies: Windows

Introduction
CYFIRMA Research and Advisory Team has found EXTEN Ransomware while monitoring various underground forums as part of our Threat Discovery Process.

EXTEN Ransomware.
Researchers identified a new ransomware variant called EXTEN. This malicious program encrypts files on compromised systems and alters their filenames by appending the “.EXTEN” extension. All affected files are rendered inaccessible after encryption. Once the encryption process is complete, EXTEN generates a ransom note titled “readme.txt.”

The ransom note states that all data has been encrypted and can only be recovered by paying a ransom of 5 Bitcoin (BTC). The message provides a Bitcoin wallet address for the payment and instructs the victim to make further contact through the email address.

Victims are warned that failure to pay within five days will result in the public release of stolen data.

The ransom note also specifies several conditions for the victim. It explicitly instructs not to shut down or reboot infected devices and prohibits the use of recovery tools, claiming these actions could make decryption impossible.

Combined with the encryption behavior and the appended file extension, these elements define the operational characteristics of the EXTEN ransomware.

The following are the TTPs based on the MITRE Attack Framework

Relevancy and Insights:

• The ransomware primarily affects the Windows operating system, which is commonly utilized in enterprise environments across multiple industries.
• shadow copy deletion: The ransomware issues WMI commands to enumerate and remove Windows shadow copies. These shadow copies are used by the operating system for system restore and file recovery. By deleting them, the malware ensures victims cannot roll back to clean states or recover files through built-in features, increasing the pressure to comply with ransom demands.

ETLM Assessment:
CYFIRMA’s analysis of the EXTEN ransomware campaign highlights the ongoing evolution of ransomware groups in both scale and tactics. The appearance of this variant reflects a continuing trend where adversaries refine their methods to maximize disruption and leverage data exposure as an additional pressure mechanism. This suggests that such threats will remain a dominant force in the cybercrime ecosystem, targeting organizations across diverse industries that rely heavily on Windows-based infrastructure.

Given the ransom demands in cryptocurrency and the threat of data leakage, the operators are not only seeking direct financial gain but also exploiting the fear of reputational and regulatory damage. This dual-extortion model is becoming a defining characteristic of modern ransomware incidents, and EXTEN’s activity aligns with that trajectory. The ability to deny victims access to recovery options further increases the likelihood of payment, making these campaigns particularly damaging for enterprises with limited resilience strategies.

Looking forward, the tactics demonstrated in this campaign are expected to inspire copycat actors and the development of more sophisticated variants. Organizations can anticipate a rise in ransomware activity that blends traditional file encryption with aggressive data-handling practices, extending the impact beyond immediate financial losses to long-term operational and brand consequences.

Sigma rule:
title: Shadow Copies Deletion Using Operating Systems Utilities tags:
– attack.defense-evasion
– attack.impact
– attack.t1070
– attack.t1490 logsource:
category: process_creation product: windows
detection: selection1_img:
– Image|endswith:
– ‘\powershell.exe’
– ‘\pwsh.exe’
– ‘\wmic.exe’
– ‘\vssadmin.exe’
– ‘\diskshadow.exe’
– OriginalFileName:
– ‘PowerShell.EXE’
– ‘pwsh.dll’
– ‘wmic.exe’
– ‘VSSADMIN.EXE’
– ‘diskshadow.exe’ selection1_cli:
CommandLine|contains|all:
– ‘shadow’ # will match “delete shadows” and “shadowcopy delete” and “shadowstorage”
– ‘delete’
selection2_img:
– Image|endswith: ‘\wbadmin.exe’
– OriginalFileName: ‘WBADMIN.EXE’ selection2_cli:
CommandLine|contains|all:
– ‘delete’
– ‘catalog’
– ‘quiet’ # will match -quiet or /quiet selection3_img:
– Image|endswith: ‘\vssadmin.exe’
– OriginalFileName: ‘VSSADMIN.EXE’ selection3_cli:
CommandLine|contains|all:
– ‘resize’
– ‘shadowstorage’ CommandLine|contains:
– ‘unbounded’
– ‘/MaxSize=’
condition: (all of selection1*) or (all of selection2*) or (all of selection3*) fields:
– CommandLine
– ParentCommandLine falsepositives:
– Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
– LANDesk LDClient Ivanti-PSModule (PS EncodedCommand) level: high
(Source: Surface Web)

IOCs:
Kindly refer to the IOCs section to exercise control of your security systems.

STRATEGIC RECOMMENDATION

• Implement competent security protocols and encryption, authentication, or access credentials configurations to access critical systems in your cloud and local environments.
• Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.

MANAGEMENT RECOMMENDATION

• A data breach prevention plan must be developed considering, (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) if there is an obligation to notify the local authority.
• Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
• Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.

TACTICAL RECOMMENDATION

• Update all applications/software regularly with the latest versions and security patches alike.
• Add the Sigma rule for threat detection and monitoring which will help to detect anomalies in log events, identify and monitor suspicious activities.
• Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.

Trending Malware of the Week

Type: Botnet | Objectives: Data Theft, Remote control, Data Exfiltration |Target Technologies: Windows OS, Web Browsers | Target Geography: Global

CYFIRMA collects data from various forums based on which the trend is ascertained. We identified a few popular malwares that were found to be distributed in the wild to launch cyberattacks on organizations or individuals.

Active Malware of the week
This week “NightshadeC2” is trending.

Overview of NightshadeC2 Malware
Researchers have identified NightshadeC2, a recently discovered botnet that leverages a loader designed to bypass security checks. It employs a method known as UAC Prompt Bombing to evade detection and make analysis more difficult. It has been observed in both C and Python variants, each maintaining communication with its operators through different channels. Once deployed, NightshadeC2 provides attackers with a wide range of capabilities, including remote command execution, reverse shell access, downloading and running additional files, self-deletion, keylogging, clipboard data collection, browser credential theft, screen capture, and hidden browsing activity. These functions make it a flexible tool for espionage, data theft, and persistent control over infected systems. The appearance of NightshadeC2, with its dual C and Python builds, highlights how threat actors continue to experiment with diverse approaches to create adaptable and resilient botnets capable of evading defenses and expanding their reach.

Attack Method
The NightshadeC2 campaign begins with deceptive entry points designed to trick victims into running malicious code. In this campaign, attackers leveraged the ClickFix vector, where individuals are shown a fake captcha and then prompted to enter a command into the Windows Run dialog. Alongside this, researchers also found the malware distributed through trojanized versions of popular software tools, including well-known programs like VPN clients, system utilities, and file search applications.

With initial access secured, the threat progresses through multiple stages to deliver its payload. The loader stage is responsible for downloading and activating the core malware. To secure its position, it repeatedly pushes a User Account Control (UAC) prompt until the victim approves, a tactic known as UAC Prompt Bombing. This not only forces user compliance but also sidesteps Microsoft Defender protections and disables analysis environments, allowing the malware to slip through unnoticed. Persistence is then achieved by modifying registry entries, ensuring the malware launches automatically on system restart.

The payload stage delivers the full NightshadeC2 botnet. At this point, it gathers basic information about the device—such as system details, user identity, and location—before reporting back to its command-and-control server. Once communication is established, NightshadeC2 enables attackers to take complete control, with capabilities including keylogging, clipboard monitoring, reverse shells, hidden browsing, and credential theft from major web browsers. While most samples observed are compiled in C, a Python variant has also been identified, offering a slimmer but still functional version of the malware. Some versions even leverage Steam profiles to disguise and update their command servers dynamically.

Further analysis revealed that NightshadeC2 employs multiple privilege escalation tricks, including older bypasses of Windows’ UAC mechanism, making it adaptable across different operating system versions. These combined methods—stealthy entry, forced privilege acceptance, layered execution, and versatile payload delivery—demonstrate the botnet’s sophisticated approach to infiltration and persistence.

Following are the TTPs based on the MITRE Attack Framework for Enterprise

INSIGHTS

• NightshadeC2 stands out because of how it blends multiple distribution methods, making its entry into victim systems unpredictable and harder to defend against. Instead of relying on a single infection route, it appears both through social engineering tricks like the ClickFix vector and through tampered versions of everyday software tools. This variety ensures that different types of users—ranging from casual home users to professionals downloading legitimate utilities—can all be unwittingly exposed, giving the campaign a broader reach than malware that depends on one narrow entry point.
• By abusing User Account Control prompts in a way that essentially forces victims to approve its actions, it not only bypasses Microsoft Defender but also disrupts automated security sandboxes. This means analysts studying the malware may see incomplete behavior, allowing the threat to slip by unnoticed. Such evasion techniques highlight how the operators behind NightshadeC2 think beyond simple infection, designing it to frustrate both end users and security researchers alike.
• Finally, NightshadeC2’s dual presence in C and Python form reveals something about the attackers’ priorities. The C variant delivers the full suite of spying and control functions, while the Python version strips down the capabilities but offers greater flexibility and stealth due to lower detection rates. This suggests the operators are experimenting with different builds to suit different campaigns, using the heavier variant where full control is needed and the lighter one in situations that demand discretion. The coexistence of these builds reflects a deliberate strategy to maintain adaptability in the face of diverse security environments.

ETLM ASSESSMENT
From the ETLM perspective, CYFIRMA anticipates that as malware like NightshadeC2 continues to evolve, techniques such as ClickFix could turn ordinary digital interactions into hidden points of compromise, where even a routine captcha or prompt might trigger infection. By exploiting familiar tools and everyday actions, attackers may increasingly spread threats across interconnected systems, software supply chains, and widely used platforms, targeting multiple browsers and potentially reaching users in broader regions. Over time, the combination of stealthy malware and deceptive techniques could reshape how people interact with digital interfaces, making awareness of hidden threats an essential part of navigating everyday technology.

IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems.

YARA Rule
rule NightshadeC2_Indicators
{
meta:
description = “Detects NightshadeC2 malware indicators” author = “CYFIRMA”
malware_family = “NightshadeC2”
strings:

// SHA256 File Hashes
$sha256_1 = “8940944e4abc600b283703876def0403160a5109abdbcb9e97c488dc3cc59b94”
$sha256_2 = “39b40746de01af66c0e5ce5888df4c42e474adcdb4301275b1474423d7a0ff1f”
$sha256_3 = “f2ff4cbcd6d015af20e4e858b0f216c077ec6d146d3b2e0cbe68b56b3db7a0be”
$sha256_4 = “0c08b5f3c24841d5fe02ddebdcf4707a75c790916c3ad4c769108241ddf999e4”
$sha256_5 = “c4fd98db8d8181d949ee4ff47991dda70f73b47c72104aa519150223dd8d3588”
$sha256_6 = “cf0c7e0f3c3ea60da7bfe779f09d32b441d5089c905a5d905253e2f4b2b202fd”
$sha256_7 = “0fd7eb57f5f9d817dd497c1ce3be0791f5e798077f8dc2c3a4e2b2b0b0bdc2c6”
$sha256_8 = “1178fa21928e5aac0f320e18bfb15603e00d3b8874719f4e74dd4f49db6dc5a8”
$sha256_9 = “1ff6ee23b4cd9ac90ee569067b9e649c76dafac234761706724ae0c1943e4a75”
$sha256_10 = “26a5e18d6ac86a865250452528664d4cde74187d741fcf98370efb34d4219490”
$sha256_11 = “2fcb76dfdfcd390658bbc032faafef607804d5d4a2f1c0005f274ab2e06d8af4”
$sha256_12 = “3dd877835c04fde3f2d14ce96f23a1c00002fefa9d731e8c4ce3b656aac90063”
$sha256_13 = “420f13538c0c2620eba396e96afdf36430b2618d7d215e96c81444379ab8a7bc”
$sha256_14 = “5a741df3e4a61b8632f62109a65afc0f297f4ed03cd7e208ffd2ea5e2badf318”
$sha256_15 = “e77bc95772ae84e5ecf68c928059cab3e305f92b1518d0ec3f8a7eb6eb728503”
$sha256_16 = “24934295a5824ef8ec8df1df9ee5bc719bb98e9b6b55b2cbbb02498782762cc5”
$sha256_17 = “0e9d984f980ceffb846946a8926e1d69abf2d07a6b710b8f8c802026ba3bbdb4”
$sha256_18 = “05a4f648099d0b35d6eb4662266b1046d4691bb8e739a4fd4e4e55e69774ef1f”
$sha256_19 = “21497a0eb89f321f971b4346880b43b342df131c431788cff4685c5a5a71b53e”
$sha256_20 = “cbee972115b129ed3ce366217321a6f431ab86d9bf61c90ef7d224f1004a672c”
$sha256_21 = “375229df144b3fb0d0560d90b06aa7fe34825886069653a088fa4071476cf63e”
$sha256_22 = “ce2ad8b6d76ba03c96d9248ac3d22590801e00611244c1942875adf52c154971”
$sha256_23 = “7ce399ae92c3e79a25e9013b2c81fe0add119bda0a65336d1e5c231654db01a5”
$sha256_24 = “05d2d06143d363c1e41546f14c1d99b082402460ba4e8598667614de996d2fbc”
$sha256_25 = “94dc0f696a46f3c225b0aa741fbd3b8997a92126d66d7bc7c9dd8097af0de52a”
$sha256_26 = “58d54e2454be3e4e9a8ea86a3f299a7a60529bc12d28394c5bdf8f858400ff7b”
$sha256_27 = “53775af67e9df206ed3f9c0a3756dbbc4968a77b1df164e9baddb51e61ac82df”
$sha256_28 = “6d62210addb8268d0bd3e6ef0400d54c84e550ccad49f5867fdc51edc0c1db2c”
$sha256_29 = “282fa3476294e2b57aa9a8ab4bc1cc00f334197298e4afb2aae812b77e755207”
$sha256_30 = “a2feb262a667de704e5e08a8a705c69bbcc806e0d52f0f8e3f081a6aa6c8d7b4”
$sha256_31 = “85b4d29f2830a3be3a0f51fbe358bea1a35d2a8aaa6a24f5cc1f2e5d2769716e”
$sha256_32 = “04a1852aed5734d8aaf97730a7231272f103605a4f83ea8413abe6f8169aee4c”

// IP Addresses
$ip_1 = “185.208.158.250”
$ip_2 = “104.225.129.171”
$ip_3 = “34.72.90.40”
$ip_4 = “94.141.122.164”
$ip_5 = “64.52.80.82”
$ip_6 = “102.135.95.102”
$ip_7 = “178.17.57.102”
$ip_8 = “185.149.146.118”
$ip_9 = “185.149.146.1”
$ip_10 = “180.178.189.17”
$ip_11 = “195.201.108.189”
$ip_12 = “77.238.241.203”
$ip_13 = “5.35.44.176”
$ip_14 = “180.178.122.131”
$ip_15 = “91.202.233.250”
$ip_16 = “45.61.136.81”
$ip_17 = “45.11.180.174”
$ip_18 = “91.202.233.132”
$ip_19 = “107.158.128.90”
$ip_20 = “107.158.128.45”
$ip_21 = “170.130.165.28”
$ip_22 = “91.202.233.251”
$ip_23 = “79.132.130.142”
$ip_24 = “173.232.146.90”

// Domains
$domain_1 = “bioomx.com”
$domain_2 = “boiksal.com”
$domain_3 = “bkkil.com”
$domain_4 = “biosefjk.com”
$domain_5 = “bioakw.com”
$domain_6 = “bikbal.com”
$domain_7 = “bilaskf.com”
$domain_8 = “bliokdf.com”
$domain_9 = “tdbfvgwe456yt.com”
$domain_10 = “programsbookss.com”

// URLs
$url_1 = “http://www.ip-api.com/line/?fields=147457”
$url_2 = “http://www.ip-api.com/line/?fields=147505”
$url_3 = “http://www.ip-api.com/line/?fields=16385”
condition:
any of ($sha256*) or any of ($ip*) or
any of ($domain*) or any of ($url*)
}

Recommendations:

STRATEGIC:

• Maintain an up-to-date inventory of all active software used within the organization and perform regular self-audit of workstations, servers, laptops, mobile devices to identify unauthorized/ restricted software.
• Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
• Configure organization’s intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defence mechanisms in place to alert on — and upon review, consider blocking connection attempts to and from — the external IP addresses and domains listed in the appendix.

MANAGEMENT:

• Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.
• Move beyond the traditional model of security awareness towards Improved Simulation and training exercises that mimic real attack scenarios, account for behaviors that lead to a compromise, and are measured against real attacks the organization receives.

TACTICAL RECOMMENDATIONS

• Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.
• Use multi-factor authentication (MFA) to mitigate credential theft and prevent attacker access. Keep MFA always-on for privileged accounts and apply risk-based MFA for normal accounts.
• Evaluate the security and reputation of each piece of open-source software or utilities before usage.
• Add the Yara rules for threat detection and monitoring, which will help to detect anomalies in log events and identify and monitor suspicious activities.

CYFIRMA’S WEEKLY INSIGHTS

1. Weekly Attack Types and Trends

Key Intelligence Signals:

• Attack Type: Ransomware Attacks, Vulnerabilities & Exploits, Malware implant, Data Leaks.
• Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage.
• Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
• Ransomware – Qilin Ransomware, Dire Wolf Ransomware | Malware – NightshadeC2
• Qilin Ransomware– One of the ransomware groups.
• Dire Wolf Ransomware – One of the ransomware groups.
  Please refer to the trending malware advisory for details on the following:
• Malware – NightshadeC2
  Behavior – Most of these malwares use phishing and social engineering techniques as their initial attack vectors. Apart from these techniques, exploitation of vulnerabilities, defense evasion, and persistence tactics are being observed.

2. Threat Actor in Focus

FANCY BEAR: Unmasking a Decade of State-Sponsored Cyber Espionage

• Threat Actor: FANCY BEAR aka APT28
• Attack Type: Connection Proxy, Credential Dumping, Footprint deletion, Malware Implant, Social Engineering Attack, Timestomping, Exploitation of Vulnerabilities
• Objective: Information theft, Espionage, Long-Term Persistence & Stealth
• Suspected Target Technology: Microsoft Outlook, Office Suites Software, Operating System (Windows, Linux Kernel, Android), Web Application, Oracle Java SE, Adobe Flash Player, Apache Server
• Suspected Target Geography: Afghanistan, Brazil, Cambodia, France, Georgia, Germany, India, Indonesia, Kazakhstan, Malaysia, Moldova, Pakistan, Romania, Russia, South Africa, Syria, Thailand, Turkey, Ukraine, United States, Vietnam, Australia, Mexico
• Suspected Target Industries: Aerospace & Defense, Capital Goods, Critical Infrastructure, Crypto, Defense, Energy, Energy Equipment & Services, Government, Information Technology, Military, NGO, Telecommunications, Utilities, Banking & Investment Services
• Business Impact: Compromised user accounts, Data Theft, Operational Disruption, Reputational Damage

About the Threat Actor
FANCY BEAR is a Russian state-sponsored hacking group active since 2007, widely linked to Russian military intelligence. Known for cyber-espionage and political interference, including election-related operations, the group targets governments, corporations, and media worldwide. They exploit software vulnerabilities to gain access, extract credentials using custom and public tools, and deploy tailored malware. To evade detection, they delete system logs, manipulate file timestamps, and route command traffic through compromised systems. Their campaigns are highly targeted and align closely with Russian strategic objectives, reflecting advanced technical skill and a deep understanding of both offensive tactics and stealthy persistence.

Details on Exploited Vulnerabilities

TTPs based on MITRE ATT&CK Framework

Latest Developments Observed
The threat actor is suspected of exploiting Microsoft Outlook by deploying a newly identified backdoor, referred to as NotDoor. This malware enables adversaries to exfiltrate sensitive data, upload malicious files, and remotely execute commands on compromised systems. The campaign’s primary objective appears to be the theft of confidential information, with social engineering techniques leveraged as the initial entry point into targeted environments.

ETLM Insights
APT28, along with other Russian state-sponsored and cybercriminal groups operating under the umbrella of Russian intelligence (GRU)-linked campaigns, is closely associated with cyber-espionage, disinformation operations, ransomware deployment, and disruptive attacks against governments, critical infrastructure, defense, energy, and financial sectors. The threat actor consistently aligns their operations with Russian state interests, supporting military, diplomatic, and geopolitical objectives through sustained espionage and influence campaigns. Looking ahead, the group may expand its focus toward supply- chain compromises and infrastructure targeting, underscoring continued strategic investment in advanced cyber capabilities to shape global political and military outcomes.

IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems.

YARA Rules
rule FancyBear_IOCs_Match
{
meta:
author = “CYFIRMA”
description = “Detects IOC artifacts associated with Fancy Bear” date = “2025-09-09”
threat_actor = “FANCY BEAR / APT28” strings:
// CVEs as text (if present in code, comments, exploit kits, etc.)
$cve1 = “CVE-2017-11882”
$cve2 = “CVE-2021-4034”
$cve3 = “CVE-2016-5195”
$cve4 = “CVE-2020-0688”
$cve5 = “CVE-2023-32315”
$cve6 = “CVE-2021-44228”
$cve7 = “CVE-2018-13379”
$cve8 = “CVE-2023-23397”
$cve9 = “CVE-2020-1472”
$cve10 = “CVE-2023-38831”
$cve11 = “CVE-2018-8174”
$cve12 = “CVE-2020-2021”
$cve13 = “CVE-2020-5902”
$cve14 = “CVE-2014-4114”
$cve15 = “CVE-2020-15505”
$cve16 = “CVE-2019-19781”
$cve17 = “CVE-2022-30190”
$cve18 = “CVE-2022-38028”
$cve19 = “CVE-2024-21412”
$cve20 = “CVE-2022-21587”
$cve21 = “CVE-2021-1675”
$cve22 = “CVE-2020-1380”
$cve23 = “CVE-2023-27350”
$cve24 = “CVE-2012-0158”
$cve25 = “CVE-2009-3129”
$cve26 = “CVE-2021-22555”
$cve27 = “CVE-2023-36025”
$cve28 = “CVE-2023-27351”
$cve29 = “CVE-2023-27992”
$cve30 = “CVE-2015-2545”
$cve31 = “CVE-2023-32231”
$cve32 = “CVE-2019-11510”
$cve33 = “CVE-2014-1761”
// IPs
$ip1 = “208.91.197.27”
$ip2 = “127.0.0.1”
$ip3 = “198.49.23.177”
$ip4 = “50.7.210.226”
$ip5 = “185.220.101.143”
$ip6 = “142.250.31.102”
// Domains
$domain1 = “jinjinpig.co.kr”
$domain2 = “cloud-mail.ink”
$domain3 = “background-services.net”
$domain4 = “futuresfurnitures.com”
// Suspicious Files
$file1 = “win32 exe”
$file2 = “hrm3jvh9v.dll”
$file3 = “ruodjxk.exe” condition:
any of ($cve*) or any of ($ip*) or any of ($domain*) or any of ($file*)
}

Recommendations Strategic

• Incorporate Digital Risk Protection (DRP) as part of the overall security posture to proactively defend against impersonations and phishing attacks.
• Assess and deploy alternatives for an advanced endpoint protection solution that provides detection/prevention for malware and malicious activities that do not rely on signature-based detection methods.
• Block exploit-like behaviour. Monitor endpoints memory to find behavioural patterns that are typically exploited, including unusual process handle requests. These patterns are features of most exploits, whether known or new. This will be able to provide effective protection against zero-day/critical exploits and more by identifying such patterns.

Management

• Invest in user education and implement standard operating procedures for the handling of financial and sensitive data transactions commonly targeted by impersonation attacks. Reinforce this training with context-aware banners and in-line prompts to help educate users.
• Develop a cyber threat remediation program and encourage employee training to detect anomalies proactively.

Tactical

• Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening the defence based on the tactical intelligence provided.
• For better protection coverage against email attacks (like spear phishing, business email compromise, or credential phishing attacks), organizations should augment built-in email security with layers that take a materially different approach to threat detection.
• Protect accounts with multi-factor authentication. Exert caution when opening email attachments or clicking on embedded links supplied via email communications, SMS, or messaging.
• Apply security measures to detect unauthorized activities, protect sensitive production, and process control systems from cyberattacks.
• Add the YARA rules for threat detection and monitoring, which will help to detect anomalies in log events, identify, and monitor suspicious activities.

3. Major Geopolitical Developments in Cybersecurity

Salt Typhoon updates, and China spying on US policymakers
Global media have recently reported that the Chinese cyberespionage campaign, dubbed Salt Typhoon, may have collected data on every American. The operation’s scope was unprecedented, sweeping up information from a wide range of U.S. sectors, including telecommunications, government, transportation, lodging, and military infrastructure networks. In response, several Western allies—including the U.S., U.K., Canada, Finland, Germany, Italy, Japan, and Spain—issued a joint “name-and-shame” statement last week. They publicly linked the Salt Typhoon campaign to Chinese technology companies that have ties to Beijing’s People’s Liberation Army and Ministry of State Security.

In another news, it was reported that during trade talks with China in July, Chinese hackers impersonated a U.S. lawmaker to target U.S. individuals and organizations. The hackers posed as the China committee chair and sent malicious attachments to trade groups, law firms, and government agencies. These attachments contained malware linked to a well-known Chinese threat actor, APT41. The goal of this operation was likely to gain an advantage in the trade negotiations by gathering inside information. It is still unclear whether any of the targeted entities were successfully breached.

ETLM Assessment:
As noted by CYFIRMA in a recent report, the Salt Typhoon campaigns mark a significant evolution in China’s cyber strategy, from economic espionage to politically-driven operations that threaten Western critical infrastructure. Salt Typhoon’s infiltration of telecommunications networks and Volt Typhoon’s sabotage preparations in U.S. sectors like energy and transportation reveal China’s intent to dominate cyberspace, exploiting vulnerabilities in the U.S.’s fragmented cybersecurity framework. These campaigns, leveraging sophisticated techniques and plausible deniability, pose significant risks to national security, from compromised communications to potential disruptions of military and civilian operations. The structural advantages of China’s authoritarian cyber defense model, contrasted with the U.S.’s decentralized approach, underscore the challenges of securing privately owned systems against a state-backed actor with vast resources. As China’s cyber capabilities grow more sophisticated and disruptive, Western nations must confront the reality of a new threat landscape, where digital vulnerabilities could reshape geopolitical outcomes and challenge the resilience of open societies.

Undersea cable cuts disrupt the Internet in the Middle East and Asia
Multiple undersea internet cables have been severed in the Red Sea, causing widespread disruption to internet access across parts of Asia and the Middle East. According to researchers, the incident impacted the SMW4 and IMEWE cable systems near Jeddah, Saudi Arabia. The damage has led to degraded connectivity in several countries, including India, Pakistan, and the UAE. Infrastructure operators confirmed that internet traffic routed through the Middle East may experience increased latency due to the cuts. The cause of the damage is currently unknown. While some have previously accused the Houthis of targeting subsea cables, the group has denied these allegations.

ETLM Assessment:
CYFIRMA warned about this scenario in a report published last year. In the report, we note that although the threat from non-state actors like the Houthis cannot be dismissed, non-state actors will probably be less likely and less capable of causing harm to the networks and operating systems that submarine cables depend on. Accidental damage caused by fishing boats or ship anchors will continue to be a hazard, however, the physical infrastructure is always at risk from highly capable state-sponsored actors, and the same goes for the cyber threat to the management systems.

Besides physical threats, there’s always the risk of cyber or network attacks. By hacking into the network management systems that private companies use to manage data traffic passing through the cables, malicious actors could disrupt data flows. A “nightmare scenario” would involve a hacker gaining control, or administrative rights, of a network management system: at that point, physical vulnerabilities could be discovered, disrupting or diverting data traffic, or even executing a “kill click” (deleting the wavelengths used to transmit data). The potential for sabotage or espionage is quite clear – and according to reports, the security of many of the network management systems is not up to date.

4. Rise in Malware/Ransomware and Phishing

Qilin Ransomware Impacts Osaki Medical

• Attack Type: Ransomware
• Target Industry: Healthcare
• Target Geography: Japan
• Ransomware: Qilin Ransomware
• Objective: Data Theft, Data Encryption, Financial Gains
• Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from Japan, Osaki Medical(https[:]//www[.]osakimedical[.]co[.]jp/), was compromised by Qilin Ransomware. Osaki Medical is a Japanese company that manufactures and markets safe, functional, and cost-effective medical supplies, sanitary materials, cosmetics, and medical equipment for the medical and nursing care industries. The ransomware group allegedly infiltrated Osaki Medical’s network and exfiltrated approximately 113 GB of data. The stolen information is reported to include multiple databases, supply chain management (SCM) records, customer relationship management (CRM) data, personal details, sales and logistics information, product-related files, internal correspondence, and other sensitive business data. The attackers have issued a warning that Osaki Medical must contact them before the countdown expires, claiming that failure to do so will leave the company with no alternative means of recovering its data or protecting its business operations.