Surge in Diverse Cybercrime Tactics and Malware Campaigns in November 2025
A series of cybersecurity incidents and threat intelligence reports in November 2025 highlight a surge in sophisticated cybercrime tactics, including the exploitation of new vulnerabilities, the resurgence of established malware, and the evolution of phishing and credential theft campaigns. Notable events include the disclosure of a critical unauthenticated remote code execution vulnerability (CVE-2025-52665) in Ubiquiti’s UniFi OS, which allows attackers to execute arbitrary commands via the backup API, potentially leading to full device compromise. Concurrently, researchers observed a resurgence in Lumma Stealer activity, with the malware adopting adaptive browser fingerprinting to enhance victim profiling and evade detection, and the reappearance of GootLoader malware using novel font-based obfuscation techniques to deliver payloads through compromised WordPress sites. Other significant threats include the deployment of DarkComet RAT disguised as Bitcoin wallet software, the spread of Maverick banking malware via WhatsApp targeting Brazilian financial institutions, and a European phishing campaign leveraging Telegram bots to exfiltrate credentials.
These incidents are set against a backdrop of increasing cyber insurance payouts in the UK, driven by a rise in ransomware and malware attacks, and a proliferation of online scams targeting gambling platforms and social media users. The reports also underscore the growing use of AI in both offensive and defensive cybersecurity operations, with advancements in AI red teaming and blue teaming for code generation models. Collectively, these developments illustrate the rapidly evolving threat landscape, the convergence of traditional and novel attack vectors, and the need for organizations to adopt robust, adaptive security measures to counter increasingly sophisticated adversaries.

How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Trend Micro publishes Lumma Stealer fingerprinting findings
Trend Micro disclosed that Lumma Stealer operators had added adaptive browser fingerprinting while retaining their existing command-and-control structure. The report also described process injection into chrome.exe and continued use of GhostSocks as a secondary payload.
Point Wild analyzes DarkComet in fake Bitcoin wallet lure
Point Wild's Lat61 Threat Intelligence Team analyzed a DarkComet sample disguised as a Bitcoin wallet and trading application. The malware was delivered in a RAR archive, established persistence, and attempted to contact a command-and-control server at kvejo991.ddns.net:1604.
Researchers document new GootLoader font-based obfuscation
Huntress reported that the latest GootLoader activity used custom WOFF2 web fonts and glyph substitution to disguise malicious filenames in the browser. The campaign also abused ZIP handling differences so automated tools saw a benign .TXT file while Windows Explorer extracted JavaScript malware.
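The ZIP-handling discrepancy described above comes down to two readers of the same bytes disagreeing about what the archive contains. As an added illustration, not Huntress's analysis code and not a reproduction of the specific malformation it observed, the check below compares the members a central-directory-driven reader (Python's zipfile) reports against a walk of the local file headers from byte 0, and flags extra end-of-central-directory records and members hidden from the central-directory view. The constructed sample assumes one common way such disagreement arises: two archives concatenated, where the trailing central directory lists only the benign .txt member.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"               # local file header signature
EOCD_SIG = b"PK\x05\x06"                # end-of-central-directory signature
LOCAL_HDR = struct.Struct("<4s5H3L2H")  # fixed 30-byte local file header

def local_header_names(data: bytes) -> list:
    # Walk local file headers from byte 0, never consulting the central directory.
    # Members written with a data descriptor carry csize 0 here, so the walk then
    # falls back to scanning forward for the next signature (a heuristic, not exact).
    names, pos = [], 0
    while True:
        pos = data.find(LOCAL_SIG, pos)
        if pos < 0 or pos + LOCAL_HDR.size > len(data):
            return names
        fields = LOCAL_HDR.unpack_from(data, pos)
        csize, fnlen, exlen = fields[7], fields[9], fields[10]
        start = pos + LOCAL_HDR.size
        names.append(data[start:start + fnlen].decode("utf-8", "replace"))
        pos = start + fnlen + exlen + csize  # skip this member's stored bytes

def central_directory_names(data: bytes) -> list:
    # What a central-directory-driven reader (Python's zipfile here) reports.
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()

def audit_zip(data: bytes) -> dict:
    # Flag archives where the two views disagree or more than one EOCD record exists.
    local = local_header_names(data)
    central = central_directory_names(data)
    hidden = [n for n in local if n not in central]
    eocd_count = data.count(EOCD_SIG)
    return {"central": central, "local": local, "hidden_from_central": hidden,
            "eocd_records": eocd_count, "suspicious": eocd_count > 1 or bool(hidden)}

def make_zip(name: str, body: str) -> bytes:
    # One-member, uncompressed archive built in memory (constructed sample data).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, body)
    return buf.getvalue()

def build_sample() -> bytes:
    # Two archives glued together; the trailing EOCD only describes the benign member.
    return make_zip("invoice.js", "// placeholder body") + make_zip("notes.txt", "benign text")

if __name__ == "__main__":
    print(audit_zip(build_sample()))
```

A scanner that trusts only the trailing central directory reports notes.txt alone, while the local-header walk also surfaces invoice.js; treating any disagreement between the two views as grounds for quarantine closes that gap regardless of which extractor an endpoint uses.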
GootLoader intrusions escalate to domain controller compromise
In two of the observed GootLoader cases, the activity escalated to hands-on-keyboard intrusions that reached a domain controller within 17 hours. At least one intrusion involved Supper backdoor deployment, WinRM-based lateral movement, and creation of a new admin user.
GootLoader infections observed in renewed campaign
Huntress observed three GootLoader infections beginning on October 27, 2025, marking a resurgence of the malware loader. The campaign used compromised WordPress sites, SEO-style lures, and XOR-encrypted ZIP payloads.
Lumma Stealer activity resurges with new fingerprinting tactic
Trend Micro observed Lumma Stealer activity pick up again starting the week of October 20, 2025, after an earlier decline. The renewed activity introduced adaptive browser fingerprinting through JavaScript delivered from a command-and-control endpoint.
DarkComet RAT originally released
DarkComet, a remote access trojan later repurposed in many campaigns, was originally developed in 2008. Its long availability helped enable later reuse in modern malware lures.
DarkComet development discontinued
The original development of DarkComet was later discontinued, though the malware remained widely available and continued to be reused by threat actors. This set the stage for its later resurfacing in new campaigns.
Sources
UniFi OS Security Warning: A flaw in the Backup API could let attackers run code without authentication (CVE-2025-52665) (osintteam.blog)
Increase in Lumma Stealer Activity Coincides with Use of Adaptive Browser Fingerprinting Tactics | Trend Micro (US) (trendmicro.com)
Wanna bet? Scammers are playing the odds better than you are (helpnetsecurity.com)
DarkComet Spyware Resurfaces Disguised as Fake Bitcoin Wallet (hackread.com)
Telegram bots exploited in European credential phishing campaign (scworld.com)
Cyber insurers paid out over twice as much for UK ransomware attacks last year (go.theregister.com)
WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks (thehackernews.com)
GootLoader Is Back, Using a New Font Trick to Hide Malware on WordPress Sites (thehackernews.com)