September 2025 Major Cybersecurity Incidents and Trends
Multiple significant cybersecurity incidents and trends were reported in September and Q3 2025, highlighting the evolving threat landscape.

Ransomware and cyber extortion continued to be major concerns, with Nevada experiencing a historic ransomware attack that forced a near-total shutdown of state government operations, severely disrupting digital infrastructure and putting essential services and resident data at risk. The attack on Nevada was described as unprecedented at the statewide level, underscoring the increasing scale and impact of ransomware campaigns.

In the realm of supply chain security, the JavaScript ecosystem faced a major npm supply chain attack in September 2025, which compromised over 180 popular packages, including some under the CrowdStrike namespace. This attack was attributed to the self-replicating "Shai-Hulud" worm, serving as a stark warning about the risks inherent in open-source dependencies and the potential for widespread compromise through software supply chains. Over 175 malicious npm packages were also identified as hosting phishing infrastructure targeting more than 135 organizations, highlighting the persistent threat of phishing via software repositories.

Additionally, active exploitation of the CVE-2025-10035 vulnerability in GoAnywhere Managed File Transfer was investigated, indicating ongoing targeting of file transfer solutions by threat actors. The emergence of new malware families was also noted, such as XWorm V6 with pivotal plugins and ClayRat, a new Android spyware targeting Russian users. The RondoDox campaign was observed leveraging Pwn2Own vulnerabilities and employing a shotgun approach to exploits, further demonstrating the adaptability of threat actors. A record DDoS attack by the Aisuru botnet targeted US ISPs, showcasing the scale and sophistication of modern botnet operations.
New Stealit campaigns were reported abusing Node.js single executable applications, reflecting the trend of attackers exploiting developer tools and environments. The newsletters also discussed advancements in malware detection, including quantum computing methods and machine learning approaches such as static portable executable header feature analysis. Cyber warfare activities during Operation Sindoor were analyzed, providing insights into malware campaign tactics and detection frameworks. Security evaluations of Android apps on budget African mobile devices and novel detection methods for railway mobile terminals were also covered, indicating a broadening focus on mobile and IoT security. These developments collectively illustrate the diverse and escalating nature of cyber threats facing organizations and governments worldwide in late 2025.

How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Q3 2025 ransomware and cyber extortion trends are published
A Q3 2025 overview of ransomware and cyber extortion activity was published, summarizing major trends observed during the quarter. This constitutes a notable intelligence release about the broader threat landscape.
New campaigns abuse Node.js applications
Reporting highlighted newly identified threat campaigns abusing Node.js applications. This reflects a distinct attacker tradecraft development centered on Node.js-based execution or delivery.
Malicious npm packages used in phishing activity are disclosed
Security researchers reported malicious npm packages being used to facilitate phishing operations. The disclosure adds technical detail about supply-chain abuse in the Node.js ecosystem.
Large-scale DDoS attacks hit US ISPs
The referenced malware roundup notes large-scale distributed denial-of-service attacks affecting US internet service providers. This represents a separate incident trend involving disruption of ISP infrastructure or services.
ClayRat spyware campaign targets Russia
Threat reporting described ClayRat spyware as part of an active campaign targeting Russia. This marks a distinct operational development involving a specific malware family and geographic focus.
Researchers report emergence of XWorm V6 malware
Security coverage in October 2025 identified XWorm V6 as a newly observed malware development. The reporting indicates the malware had emerged in the wild by that time.
GoAnywhere MFT flaw CVE-2025-10035 is actively exploited
By October 2025, security reporting highlighted active exploitation of CVE-2025-10035 affecting GoAnywhere Managed File Transfer. The references frame this as a current, real-world exploitation development rather than a theoretical risk.