Major Cybercrime and Malware Trends in December 2025
Cybersecurity agencies and researchers reported a surge in sophisticated cybercrime operations and malware campaigns in December 2025. Notable law enforcement actions included the takedown of major cybercriminal forums such as Cracked and Nulled, and the disruption of ransomware networks like Phobos/8Base, as highlighted in SOCRadar's review of top law enforcement operations. Concurrently, threat intelligence sources documented a rise in ransomware attacks, with LockBit 5.0 targeting 25 companies globally, and agencies intensifying pressure on pro-Russian hacktivist groups. The month also saw a significant malware incident in New Zealand, where the national cyber security agency warned 26,000 citizens about infections by Lumma Stealer, a credential-harvesting malware.
Technical research revealed the continued evolution of information-stealing malware, such as Stealc and Phantom Stealer, which leverage new delivery methods including Discord-hosted payloads and fake software updates. The Mirai botnet family demonstrated renewed activity, with new variants like Broadside and Jackskid exploiting IoT vulnerabilities and targeting sectors such as maritime logistics. Reports also underscored the growing threat of browser-based attacks, with critical vulnerabilities being disclosed throughout the year, and the increasing use of social engineering tactics to bypass security controls. These developments reflect a rapidly shifting threat landscape, with attackers adopting advanced techniques and law enforcement responding with coordinated global operations.
Sources: rnz.co.nz, the Foresiet blog and the SOCRadar blog, among others.
Related Stories
Major Cyberattack and Malware Trends in 2025
Cybersecurity threats in 2025 were marked by a surge in sophisticated attacks targeting both enterprises and critical infrastructure. Notable incidents included the exploitation of a zero-day vulnerability (`CVE-2025-61882`) in Oracle E-Business Suite by the Clop ransomware group, leading to data theft and extortion campaigns against multiple organizations. Ransomware activity overall increased, with Akira and Qilin dominating the ransomware-as-a-service market, and new strains like Warlock and HybridPetya introducing advanced evasion and destructive capabilities. The year also saw a significant rise in software supply chain attacks and the emergence of AI-powered malware such as PromptLock, which can generate malicious scripts dynamically. State-sponsored campaigns remained a persistent threat, exemplified by the BRICKSTORM malware attributed to Chinese actors, which targeted VMware and Windows systems in government and IT sectors. Data breaches, such as the API compromise at 700Credit affecting over 5.6 million individuals, highlighted ongoing risks in third-party integrations and API security. Malware-as-a-service platforms like CloudEyE (GuLoader) surged in prevalence, facilitating the distribution of infostealers and ransomware. The threat landscape was further complicated by the proliferation of EDR killers and the rapid evolution of Android NFC-based threats, underscoring the need for robust detection and response strategies across all platforms.
3 months ago
Surge in Diverse Cybercrime Tactics and Malware Campaigns in November 2025
A series of cybersecurity incidents and threat intelligence reports in November 2025 highlight a surge in sophisticated cybercrime tactics, including the exploitation of new vulnerabilities, resurgence of established malware, and the evolution of phishing and credential theft campaigns. Notable events include the disclosure of a critical unauthenticated remote code execution vulnerability (CVE-2025-52665) in Ubiquiti’s UniFi OS, which allows attackers to execute arbitrary commands via the backup API, potentially leading to full device compromise. Concurrently, researchers observed a resurgence in Lumma Stealer activity, with the malware adopting adaptive browser fingerprinting to enhance victim profiling and evade detection, and the reappearance of GootLoader malware using novel font-based obfuscation techniques to deliver payloads through compromised WordPress sites. Other significant threats include the deployment of DarkComet RAT disguised as Bitcoin wallet software, the spread of Maverick banking malware via WhatsApp targeting Brazilian financial institutions, and a European phishing campaign leveraging Telegram bots to exfiltrate credentials. These incidents are set against a backdrop of increasing cyber insurance payouts in the UK, driven by a rise in ransomware and malware attacks, and a proliferation of online scams targeting gambling platforms and social media users. The reports also underscore the growing use of AI in both offensive and defensive cybersecurity operations, with advancements in AI red teaming and blue teaming for code generation models. Collectively, these developments illustrate the rapidly evolving threat landscape, the convergence of traditional and novel attack vectors, and the need for organizations to adopt robust, adaptive security measures to counter increasingly sophisticated adversaries.
4 months ago
September 2025 Major Cybersecurity Incidents and Trends
Multiple significant cybersecurity incidents and trends were reported in September and Q3 2025, highlighting the evolving threat landscape. Ransomware and cyber extortion continued to be major concerns, with Nevada experiencing a historic ransomware attack that forced a near-total shutdown of state government operations, severely disrupting digital infrastructure and putting essential services and resident data at risk. The attack on Nevada was described as unprecedented at the statewide level, underscoring the increasing scale and impact of ransomware campaigns. In the realm of supply chain security, the JavaScript ecosystem faced a major npm supply chain attack in September 2025, which compromised over 180 popular packages, including some under the CrowdStrike namespace. This attack was attributed to the self-replicating "Shai-Hulud" worm, serving as a stark warning about the risks inherent in open-source dependencies and the potential for widespread compromise through software supply chains. Additionally, active exploitation of the CVE-2025-10035 vulnerability in GoAnywhere Managed File Transfer was investigated, indicating ongoing targeting of file transfer solutions by threat actors. The emergence of new malware families was also noted, such as XWorm V6 with pivotal plugins and ClayRat, a new Android spyware targeting Russian users. The RondoDox campaign was observed leveraging Pwn2Own vulnerabilities and employing a shotgun approach to exploits, further demonstrating the adaptability of threat actors. Over 175 malicious npm packages were identified as hosting phishing infrastructure targeting more than 135 organizations, highlighting the persistent threat of phishing via software repositories. A record DDoS attack by the Aisuru botnet targeted US ISPs, showcasing the scale and sophistication of modern botnet operations. 
New Stealit campaigns were reported abusing Node.js single executable applications, reflecting the trend of attackers exploiting developer tools and environments. The newsletters also discussed advancements in malware detection, including quantum computing methods and machine learning approaches such as static portable executable header feature analysis. Cyber warfare activities during Operation Sindoor were analyzed, providing insights into malware campaign tactics and detection frameworks. Security evaluations of Android apps on budget African mobile devices and novel detection methods for railway mobile terminals were also covered, indicating a broadening focus on mobile and IoT security. These developments collectively illustrate the diverse and escalating nature of cyber threats facing organizations and governments worldwide in late 2025.
5 months ago