Major Cybercrime and Malware Trends in December 2025
Cybersecurity agencies and researchers reported a surge in sophisticated cybercrime operations and malware campaigns in December 2025. Notable law enforcement actions included the takedown of major cybercriminal forums such as Cracked and Nulled, and the disruption of ransomware networks like Phobos/8Base, as highlighted in SOCRadar's review of top law enforcement operations. Concurrently, threat intelligence sources documented a rise in ransomware attacks, with LockBit 5.0 targeting 25 companies globally, and agencies intensifying pressure on pro-Russian hacktivist groups. The month also saw a significant malware incident in New Zealand, where the national cyber security agency warned 26,000 citizens about infections by Lumma Stealer, a credential-harvesting malware.
Technical research revealed the continued evolution of information-stealing malware, such as Stealc and Phantom Stealer, which use new delivery methods including Discord-hosted payloads and fake software updates. The Mirai botnet family showed renewed activity, with new variants like Broadside and Jackskid exploiting IoT vulnerabilities and targeting sectors such as maritime logistics. Reports also underscored the growing threat of browser-based attacks, with critical browser vulnerabilities disclosed throughout the year, and the increasing use of social engineering to bypass security controls. These developments reflect a rapidly shifting threat landscape, with attackers adopting advanced techniques and law enforcement responding with coordinated global operations.
How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
HP report details new social engineering malware delivery tactics
HP's Threat Research Team published a report describing novel social engineering techniques, including fake legal notices, Adobe-themed lures, and Discord-hosted malware used to deliver infostealers and remote access tools. The report also found that 11% of email threats bypassed at least one email gateway scanner.
Stealc V2.9.0 documented with expanded theft and evasion features
By December 2025, researchers documented Stealc version 2.9.0, noting enhanced data collection, improved evasion, and broader support for browsers and cryptocurrency wallets. The report also linked the malware to more than 40 command-and-control servers and ongoing underground log trading.
New Zealand agency warns 26,000 residents' devices are infected
New Zealand's cyber security agency warned that about 26,000 New Zealanders had devices infected with malicious software. The alert highlighted a large domestic malware infection problem affecting consumer devices.
ShadowV2 tests attacks across 28 countries during AWS outage
In November 2025, the ShadowV2 Mirai variant used the AWS outage as cover to test its capabilities across 28 countries. The activity demonstrated how botnet operators were exploiting global events to mask or amplify malicious operations.
Jackskid botnet infects over 40,000 devices per day
As part of the November 2025 Mirai resurgence, the Jackskid botnet was reported infecting more than 40,000 devices daily. The malware also supported high-volume DDoS attacks and additional functions such as crypto-mining and data exfiltration.
November 2025 wave of major cyber incidents hits multiple organizations
During November 2025, a series of significant cyber incidents affected organizations globally, including the Coupang breach, the Balancer theft, Gainsight token abuse, the Eurofiber GLPI incident, and other large-scale breaches and ransomware attacks. Authorities opened investigations in some cases and affected organizations warned users about follow-on phishing and scam risks.
Mirai variants resurge in November 2025
In November 2025, Mirai-derived botnets including Jackskid and ShadowV2 resurged, infecting large numbers of IoT devices and driving major DDoS activity. The campaigns targeted routers, DVRs, industrial controllers, and other exposed systems by exploiting zero-day vulnerabilities, brute-forcing credentials, and abusing weakly secured firmware.
Global law enforcement conducts major cybercrime operations in 2025
Throughout 2025, international law enforcement agencies carried out multiple major actions against cybercrime, including takedowns, seizures, sanctions, and indictments targeting forums, ransomware groups, botnets, and fraud networks. These operations included actions against Cracked and Nulled, Phobos/8Base, LummaC2, NoName057(16), BlackSuit, and other criminal infrastructure.
SquareX launches 2025 Year of Browser Bugs research
During 2025, SquareX's Year of Browser Bugs project disclosed a series of major browser security issues across conferences and research publications, exposing architectural weaknesses in modern browsers. Some vendors later introduced patches or guardrails in response to specific findings.
Stealc malware-as-a-service begins operating
The Stealc infostealer began being offered as a malware-as-a-service operation in early 2023, marking the start of its ongoing criminal use and development.
Sources
8 references tracked.
Top 10 Cybercrime Law Enforcement Operations of 2025 (socradar.io, open source)
Ransom & Dark Web Issues Week 2, December 2025 (asec.ahnlab.com, open source)
Report Surfaces Multiple Novel Social Engineering Tactics and Techniques (securityboulevard.com, open source)
Stealc Infostealer: A Deep Dive into Its Evolution, Operations, and Threat Landscape (foresiet.com, open source)
2025 Year of Browser Bugs Recap: A Year of Unmasking Critical Browser Vulnerabilities (securityboulevard.com, open source)
26,000 New Zealanders' devices infected with malicious software, cyber security agency warns (rnz.co.nz, open source)
The Resurgence of Mirai: Jackskid Botnet and Escalating IoT Threats in November 2025 (foresiet.com, open source)
November 2025: Coupang Breach, Balancer $120M Hack, Gainsight Token Abuse, Eurofiber GLPI Incident & More (socradar.io, open source)