Category: Cybersecurity

  • CTEM is the New SOC: Shifting from Monitoring Alerts to Measuring Risk


    Introduction: Security at a Tipping Point

    Security Operations Centers (SOCs) were built for a different era, one defined by perimeter-based thinking, known threats, and manageable alert volumes. But today’s threat landscape doesn’t play by those rules. The sheer volume of telemetry, overlapping tools, and automated alerts has pushed traditional SOCs to the edge. Security teams are overwhelmed, chasing indicators that often lead nowhere, while real risks go unnoticed in the noise.

    We’re not dealing with a visibility problem. We’re dealing with a relevance problem.

    That’s where Continuous Threat Exposure Management (CTEM) comes in. Unlike detection-centric operations that react to what’s already happened, CTEM shifts the focus from “what could happen” to “why it matters.” It’s a move away from reacting to alerts and toward managing risk with targeted, evidence-based actions.

    The Problem with Alert-Centric Security

    At its core, the SOC is a monitoring engine. It digests input from firewalls, endpoints, logs, cloud systems, and more, and then generates alerts based on rules and detections. But this model is outdated and flawed in a modern environment where:

    • Attackers stay under the radar by combining small, overlooked vulnerabilities to eventually gain unauthorized access.
    • Tool overlap creates alert fatigue and conflicting signals.
    • SOC analysts burn out trying to sort through and evaluate potential incidents that lack business context.

    This model treats every alert as a potential emergency. But not every alert deserves equal attention, and many don’t deserve attention at all. The consequence is SOCs are pulled in too many directions, with no prioritization, solving for volume instead of value.

    CTEM: From Monitoring to Meaning

    CTEM reimagines security operations as a continuous, exposure-driven approach. Instead of starting with alerts and working backward, CTEM starts by asking:

    • What are the most critical assets in our environment?
    • What are the actual paths an attacker could use to reach them?
    • Which exposures are exploitable right now?
    • How effective are our defenses against the path?

    CTEM isn’t a tool. It’s a framework and discipline that continuously maps out potential attack paths, validates security control effectiveness, and prioritizes action based on real-world impact rather than theoretical threat models.

    This is not about abandoning the SOC. It’s about evolving its role from monitoring the past to anticipating and preventing what’s next.

    Why This Shift Matters

    The rapid escalation of CTEM signals a deeper transformation in how enterprises are approaching their security strategy. CTEM shifts the focus from reactive to dynamic exposure management, reducing risk not just by watching for signs of compromise, but by eliminating the conditions that make compromise possible in the first place.

    The points below illustrate why CTEM represents not just a better security model, but a smarter, more sustainable one.

    1. Exposure Over Exhaustion

    CTEM doesn’t try to monitor everything. It identifies what’s actually exposed and whether that exposure can lead to harm. This drastically reduces noise while increasing alert accuracy.

    2. Business Context Over Technical Clutter

    SOCs often operate in technical silos, detached from what matters to the business. CTEM injects data-driven risk context into security decisions, showing which vulnerabilities sit on real attack paths leading to sensitive data, systems, or revenue streams.

    3. Prevention Over Reaction

    In a CTEM model, exposures are mitigated before they’re exploited. Rather than racing to respond to alerts after the fact, security teams are focused on closing off attack paths and validating the effectiveness of security controls.

    Together, these principles reflect why CTEM has become a fundamental change in mindset. By focusing on what’s truly exposed, correlating risks directly to business outcomes, and prioritizing prevention, CTEM enables security teams to operate with more clarity, precision, and purpose to help drive measurable impact.

    What CTEM Looks Like in Practice

    An enterprise adopting CTEM may not reduce the number of security tools it uses but it will use them differently. For example:

    • Exposure insights will guide patching priorities, not CVSS scores.
    • Attack path mapping and validation will inform control effectiveness, not generic policy updates.
    • Validation exercises, such as automated pentesting or autonomous red teaming, will confirm whether a real attacker could reach valuable data or systems, not just whether a control is “on.”

    This core strategic change allows security teams to shift from reactive threat assessment to targeted, data-driven risk reduction where every security activity is connected to potential business impact.

    CTEM and the Future of the SOC

    In many enterprises, CTEM will sit alongside the SOC, feeding it higher-quality insights and focusing analysts on what actually matters. But in forward-leaning teams, CTEM will become the new SOC, not just operationally but philosophically. A function no longer built around watching but around disrupting. That means:

    • Threat detection becomes threat anticipation.
    • Alert queues become prioritized risk based on context.
    • Success is no longer “we caught the breach in time”; rather, it’s “the breach never found a path to begin with.”

    Conclusion: From Volume to Value

    Security teams don’t need more alerts; they need better questions. They need to know what matters most, what’s truly at risk, and what to fix first. CTEM answers those questions. And in doing so, it redefines the very purpose of modern security operations: not to respond faster, but to remove the attacker’s opportunity altogether.

    It’s time to shift from monitoring everything to measuring what matters. CTEM isn’t just an enhancement to the SOC. It’s what the SOC should become.



    Source: thehackernews.com…

  • Apple Zero-Click Flaw in Messages Exploited to Spy on Journalists Using Paragon Spyware


    Apple has disclosed that a now-patched security flaw present in its Messages app was actively exploited in the wild to target civil society members in sophisticated cyber attacks.

    The vulnerability, tracked as CVE-2025-43200, was addressed on February 10, 2025, as part of iOS 18.3.1, iPadOS 18.3.1, iPadOS 17.7.5, macOS Sequoia 15.3.1, macOS Sonoma 14.7.4, macOS Ventura 13.7.4, watchOS 11.3.1, and visionOS 2.3.1.

    “A logic issue existed when processing a maliciously crafted photo or video shared via an iCloud Link,” the company said in an advisory, adding the vulnerability was addressed with improved checks.

    The iPhone maker also acknowledged that it’s aware the vulnerability “may have been exploited in an extremely sophisticated attack against specifically targeted individuals.”

    It’s worth noting that the iOS 18.3.1, iPadOS 18.3.1, and iPadOS 17.7.5 updates also resolved another actively exploited zero-day tracked as CVE-2025-24200. It’s currently not known why Apple chose not to disclose the existence of this flaw until now.

    While Apple did not share any further details of the nature of the attacks weaponizing CVE-2025-43200, the Citizen Lab said it unearthed forensic evidence that the shortcoming was leveraged to target Italian journalist Ciro Pellegrino and an unnamed prominent European journalist and infect them with Paragon’s Graphite mercenary spyware.

    The interdisciplinary research center described the attack as zero-click, meaning the vulnerability could be triggered on targeted devices without requiring any user interaction.

    “One of the journalist’s devices was compromised with Paragon’s Graphite spyware in January and early February 2025 while running iOS 18.2.1,” researchers Bill Marczak and John Scott-Railton said. “We believe that this infection would not have been visible to the target.”


    Both individuals were notified on April 29, 2025, by Apple that they were targeted with advanced spyware. Apple began sending threat notifications to alert users it suspects have been targeted by state-sponsored attackers starting November 2021.

    Graphite is a surveillance tool developed by the Israeli private sector offensive actor (PSOA) Paragon. It can access messages, emails, cameras, microphones, and location data without any user action, making detection and prevention especially difficult. The spyware is typically deployed by government clients under the guise of national security investigations.

    The Citizen Lab said the two journalists were sent iMessages from the same Apple account (codenamed “ATTACKER1”) to deploy the Graphite tool, indicating that the account may have been used by a single Paragon customer to target them.


    The development is the latest twist in a scandal that erupted in January, when Meta-owned WhatsApp divulged that the spyware had been deployed against dozens of users globally, including Pellegrino’s colleague Francesco Cancellato. In all, a total of seven individuals have been publicly identified as victims of Paragon targeting and infection to date.

    Earlier this week, the Israeli spyware maker said it has terminated its contracts with Italy, citing the government’s refusal to let the company independently verify that Italian authorities did not break into the phone of the investigative journalist.

    “The company offered both the Italian government and parliament a way to determine whether its system had been used against the journalist in violation of Italian law and the contractual terms,” it said in a statement to Haaretz.

    However, the Italian government said the decision was mutual and that it rejected the offer due to national security concerns.

    The Parliamentary Committee for the Security of the Republic (COPASIR), in a report published last week, confirmed that Italian foreign and domestic intelligence services used Graphite to target the phones of a limited number of people after necessary legal approval.

    COPASIR added that the spyware was used to search for fugitives, to counter illegal immigration, alleged terrorism, organized crime, and fuel smuggling, and for counter-espionage and internal security activities. However, the phone belonging to Cancellato was not among the victims, it said, leaving a key question as to who may have targeted the journalist unanswered.

    The report, however, sheds light on how Paragon’s spyware infrastructure works in the background. It said an operator has to sign in with a username and password in order to use Graphite. Each deployment of the spyware generates detailed logs that are located on a server controlled by the customer and not accessible by Paragon.

    “The lack of accountability available to these spyware targets highlights the extent to which journalists in Europe continue to be subjected to this highly invasive digital threat, and underlines the dangers of spyware proliferation and abuse,” the Citizen Lab said.

    The European Union (E.U.) has previously raised concerns over the unchecked use of commercial spyware, calling for stronger export controls and legal safeguards. Recent cases like this one could intensify pressure for regulatory reforms at both national and E.U. levels.


    Apple’s threat notification system is based on internal threat intelligence and may not detect all instances of targeting. The company notes that receiving such a warning does not confirm an active infection, but indicates that unusual activity consistent with a targeted attack was observed.

    The Return of Predator

    The latest revelations come as Recorded Future’s Insikt Group said it observed a “resurgence” of Predator-related activity, months after the U.S. government sanctioned several individuals tied to Israeli spyware vendor Intellexa/Cytrox.

    This includes the identification of new victim-facing Tier 1 servers, a previously unknown customer in Mozambique, and connections between Predator infrastructure and FoxITech s.r.o., a Czech entity previously associated with the Intellexa Consortium.


    Over the past two years, Predator operators have been flagged in over a dozen countries, such as Angola, Armenia, Botswana, the Democratic Republic of the Congo, Egypt, Indonesia, Kazakhstan, Mongolia, Mozambique, Oman, the Philippines, Saudi Arabia, and Trinidad and Tobago.

    “This aligns with the broader observation that Predator is highly active in Africa, with over half of its identified customers located on the continent,” the company said.

    “This likely reflects growing demand for spyware tools, especially in countries facing export restrictions, ongoing technical innovation in response to public reporting and security enhancements, and increasingly complex corporate structures designed to impede sanctions and attribution.”



    Source: thehackernews.com…

  • WordPress Sites Turned Weapon: How VexTrio and Affiliates Run a Global Scam Network

    The threat actors behind the VexTrio Viper Traffic Distribution Service (TDS) have been linked to other TDS services like Help TDS and Disposable TDS, indicating that the sophisticated cybercriminal operation is a sprawling enterprise of its own that’s designed to distribute malicious content.

    “VexTrio is a group of malicious adtech companies that distribute scams and harmful software via different advertising formats, including smartlinks and push notifications,” Infoblox said in a deep-dive report shared with The Hacker News.

    Some of the malicious adtech companies under VexTrio Viper include Los Pollos, Taco Loco, and Adtrafico. These companies operate what’s called a commercial affiliate network that connects malware actors, whose websites unsuspecting users land on, with so-called “advertising affiliates” who offer various forms of illicit schemes like gift card fraud, malicious apps, phishing sites, and scams.


    Put differently, these malicious traffic distribution systems are designed to redirect victims to their destinations through a SmartLink or direct offer. Los Pollos, per the DNS threat intelligence firm, enlists malware distributors (aka publishing affiliates) with promises of high-paying offers, whereas Taco Loco specializes in push monetization and recruits advertising affiliates.

    Another notable component of these attacks is the compromise of WordPress websites to inject malicious code that’s responsible for initiating the redirection chain, ultimately leading visitors to VexTrio scam infrastructure. Examples of such injections include Balada, DollyWay, Sign1, and DNS TXT record campaigns.

    “These scripts redirect site visitors to various scam pages through traffic broker networks associated with VexTrio, one of the largest known cybercriminal affiliate networks that leverages sophisticated DNS techniques, traffic distribution systems, and domain generation algorithms to deliver malware and scams across global networks,” GoDaddy noted in a report published in March 2025.

    VexTrio’s operations suffered a blow around mid-November 2024 after Qurium revealed that the Swiss-Czech adtech company Los Pollos was part of VexTrio, causing Los Pollos to cease their push link monetization. This, in turn, triggered an exodus, causing threat actors that relied heavily on the Los Pollos network to move to alternate redirect destinations such as Help TDS and Disposable TDS.

    Changes in behavior over time from the two independent C2 sets

    Infoblox’s analysis of 4.5 million DNS TXT record responses from compromised websites over a six-month period has revealed that the domains that were part of the DNS TXT record campaigns could be classified into two sets, each with its own distinct command-and-control (C2) server.

    “Both servers were hosted in Russian-connected infrastructure, but neither their hosting nor their TXT responses overlapped,” the company said. “Each set maintained different redirect URL structures, even though they both originally led to VexTrio and subsequently to the Help TDS.”

    Further evidence has uncovered that both Help TDS and Disposable TDS are one and the same, and that the services enjoyed an “exclusive relationship” with VexTrio until November 2024. Help TDS, which historically redirected traffic to VexTrio domains, has since shifted to Monetizer, a monetization platform that uses TDS technology to connect web traffic from publisher affiliates to advertisers.


    “The Help TDS has a strong Russian nexus, with hosting and domain registration frequently done via Russian entities,” Infoblox said, describing the operators as possibly independent. “It does not have the full-blown functionality of the VexTrio TDSs and has no obvious commercial ties beyond its eerie connections with VexTrio.”

    Renée Burton, vice president of threat intel at Infoblox, told The Hacker News that Help TDS is redirecting exclusively to Monetizer. “We know there is some special relationship between help TDS and VexTrio, meaning they are likely in coordination,” Burton added. “They share software. [But] we don’t know the relationship between VexTrio and Monetizer. In other words, moving to Help TDS isn’t really moving to a new TDS most likely.”

    VexTrio is one among the many TDSs that have been outed as commercial adtech firms, the others being Partners House, BroPush, RichAds, Admeking, and RexPush. Many of these are geared towards push notification services by making use of Google Firebase Cloud Messaging (FCM) or Push API-based custom-developed scripts to distribute links to malicious content via push notifications.

    “Hundreds of thousands of compromised websites around the world every year redirect victims to the tangled web of VexTrio and VexTrio-affiliate TDSs,” the company said.

    “VexTrio and the other affiliate advertising companies know who the malware actors are, or they at least have enough information to track them down. Many of the companies are registered in countries that require some degree of ‘know your customer’ (KYC), but even without these requirements, publishing affiliates are vetted by their customer managers.”



    Source: thehackernews.com…

  • Discord Invite Link Hijacking Delivers AsyncRAT and Skuld Stealer Targeting Crypto Wallets


    A new malware campaign is exploiting a weakness in Discord’s invitation system to deliver an information stealer called Skuld and the AsyncRAT remote access trojan.

    “Attackers hijacked the links through vanity link registration, allowing them to silently redirect users from trusted sources to malicious servers,” Check Point said in a technical report. “The attackers combined the ClickFix phishing technique, multi-stage loaders, and time-based evasions to stealthily deliver AsyncRAT, and a customized Skuld Stealer targeting crypto wallets.”

    The issue with Discord’s invite mechanism is that it allows attackers to hijack expired or deleted invite links and secretly redirect unsuspecting users to malicious servers under their control. This also means that a Discord invite link that was once trusted and shared on forums or social media platforms could unwittingly lead users to malicious sites.


    Details of the campaign come a little over a month after the cybersecurity company revealed another sophisticated phishing campaign that hijacked expired vanity invite links to entice users into joining a Discord server and instruct them to visit a phishing site to verify ownership, only to have their digital assets drained upon connecting their wallets.

    While users can create temporary, permanent, or custom (vanity) invite links on Discord, the platform prevents other legitimate servers from reclaiming a previously expired or deleted invite. However, Check Point found that creating custom invite links allows the reuse of expired invite codes and even deleted permanent invite codes in some cases.

    This ability to reuse expired or deleted Discord invite codes when creating custom vanity invite links opens the door to abuse, allowing attackers to claim them for their malicious servers.

    “This creates a serious risk: Users who follow previously trusted invite links (e.g., on websites, blogs, or forums) can unknowingly be redirected to fake Discord servers created by threat actors,” Check Point said.

    The Discord invite-link hijacking, in a nutshell, involves taking control of invite links originally shared by legitimate communities and then using them to redirect users to the malicious server. Users who fall prey to the scheme and join the server are asked to complete a verification step in order to gain full server access by authorizing a bot, which then leads them to a fake website with a prominent “Verify” button.

    This is where the attackers take the attack to the next level by incorporating the infamous ClickFix social engineering tactic to trick users into infecting their systems under the pretext of verification.

    Specifically, clicking the “Verify” button surreptitiously executes JavaScript that copies a PowerShell command to the machine’s clipboard, after which the users are urged to launch the Windows Run dialog, paste the already copied “verification string” (i.e., the PowerShell command), and press Enter to authenticate their accounts.

    But in reality, performing these steps triggers the download of a PowerShell script hosted on Pastebin that subsequently retrieves and executes a first-stage downloader, which is ultimately used to drop AsyncRAT and Skuld Stealer from a remote server and execute them.

    At the heart of this attack lies a meticulously engineered, multi-stage infection process designed for both precision and stealth, while also taking steps to subvert security protections through sandbox security checks.

    AsyncRAT, which offers comprehensive remote control capabilities over infected systems, has been found to employ a technique called dead drop resolver to access the actual command-and-control (C2) server by reading a Pastebin file.

    The other payload is a Golang information stealer that’s downloaded from Bitbucket. It’s equipped to steal sensitive user data from Discord, various browsers, crypto wallets, and gaming platforms.

    Skuld is also capable of harvesting crypto wallet seed phrases and passwords from the Exodus and Atomic crypto wallets. It accomplishes this using an approach called wallet injection that replaces legitimate application files with trojanized versions downloaded from GitHub. It’s worth noting that a similar technique was recently put to use by a rogue npm package named pdf-to-office.

    The attack also employs a custom version of an open-source tool known as ChromeKatz to bypass Chrome’s app-bound encryption protections. The collected data is exfiltrated to the miscreants via a Discord webhook.

    The fact that payload delivery and data exfiltration occur via trusted cloud services such as GitHub, Bitbucket, Pastebin, and Discord allows the threat actors to blend in with normal traffic and fly under the radar. Discord has since disabled the malicious bot, effectively breaking the attack chain.


    Check Point said it also identified another campaign mounted by the same threat actor that distributes the loader as a modified version of a hacktool for unlocking pirated games. The malicious program, also hosted on Bitbucket, has been downloaded 350 times.

    It has been assessed that the victims of these campaigns are primarily located in the United States, Vietnam, France, Germany, Slovakia, Austria, the Netherlands, and the United Kingdom.

    The findings represent the latest example of how cybercriminals are targeting the popular social platform, which has had its content delivery network (CDN) abused to host malware in the past.

    “This campaign illustrates how a subtle feature of Discord’s invite system, the ability to reuse expired or deleted invite codes in vanity invite links, can be exploited as a powerful attack vector,” the researchers said. “By hijacking legitimate invite links, threat actors silently redirect unsuspecting users to malicious Discord servers.”

    “The choice of payloads, including a powerful stealer specifically targeting cryptocurrency wallets, suggests that the attackers are primarily focused on crypto users and motivated by financial gain.”



    Source: thehackernews.com…

  • Over 269,000 Websites Infected with JSFireTruck JavaScript Malware in One Month

    Jun 13, 2025 | Ravie Lakshmanan | Web Security / Network Security


    Cybersecurity researchers are calling attention to a “large-scale campaign” that has been observed compromising legitimate websites with malicious JavaScript injections.

    According to Palo Alto Networks Unit 42, these malicious injections are obfuscated using JSFuck, which refers to an “esoteric and educational programming style” that uses only a limited set of characters to write and execute code.

    The cybersecurity company has given the technique an alternate name, JSFireTruck, owing to the profanity involved.

    “Multiple websites have been identified with injected malicious JavaScript that uses JSFireTruck obfuscation, which is composed primarily of the symbols [, ], +, $, {, and },” security researchers Hardik Shah, Brad Duncan, and Pranay Kumar Chhaparwal said. “The code’s obfuscation hides its true purpose, hindering analysis.”


    Further analysis has determined that the injected code is designed to check the website referrer (“document.referrer”), which identifies the address of the web page from which a request originated.

    Should the referrer be a search engine such as Google, Bing, DuckDuckGo, Yahoo!, or AOL, the JavaScript code redirects victims to malicious URLs that can deliver malware, exploits, traffic monetization, and malvertising.
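    Because the injected script hides its referrer check and redirect behind JSFuck-style obfuscation, a site owner or analyst cannot grep for “document.referrer” to find it; what does stand out is that such a script is composed almost entirely of the handful of symbols Unit 42 lists. The following detector, an added example written for this note and not code from Unit 42 or the page, pulls inline scripts out of an HTML page and flags any long block whose non-whitespace characters fall almost entirely within the JSFuck character set. The sample HTML, the 200-character minimum length and the 90% threshold are constructed, hypothetical tuning values.

```python
import re
from html.parser import HTMLParser

# Character set JSFuck-style ("JSFireTruck") code is built from: the symbols named by
# Unit 42 ([ ] + $ { }) plus the parentheses and "!" that JSFuck also relies on.
JSFUCK_CHARS = set("[]+$(){}!")
MIN_LEN = 200      # hypothetical: ignore short blocks that happen to use these symbols
THRESHOLD = 0.90   # hypothetical: fraction of non-whitespace chars that must be in the set


class _ScriptExtractor(HTMLParser):
    """Collects the body of every inline <script> element on a page."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self._buf = []
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._buf = []

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.scripts.append("".join(self._buf))

    def handle_data(self, data):
        # HTMLParser treats <script> content as CDATA, so it arrives here unparsed.
        if self._in_script:
            self._buf.append(data)


def extract_inline_scripts(html):
    parser = _ScriptExtractor()
    parser.feed(html)
    parser.close()
    return parser.scripts


def jsfuck_ratio(code):
    """Fraction of non-whitespace characters that belong to the JSFuck character set."""
    body = re.sub(r"\s+", "", code)
    if not body:
        return 0.0
    return sum(c in JSFUCK_CHARS for c in body) / len(body)


def scan_html(html, min_len=MIN_LEN, threshold=THRESHOLD):
    """Return one finding per inline script that looks JSFuck-obfuscated."""
    findings = []
    for index, script in enumerate(extract_inline_scripts(html)):
        length = len(re.sub(r"\s+", "", script))
        ratio = jsfuck_ratio(script)
        if length >= min_len and ratio >= threshold:
            findings.append({"index": index, "length": length, "ratio": round(ratio, 3)})
    return findings


# Constructed sample page: one ordinary script and one block made only of JSFuck symbols.
# The second block is a synthetic fragment, not real JSFireTruck code.
_JSFUCK_UNIT = "(![]+[])[+[]]+(!![]+[])[+!![]]+"
SAMPLE_HTML = (
    "<html><head><script>var site = 'example'; console.log(site);</script></head>"
    "<body><p>hello</p><script>" + _JSFUCK_UNIT * 12 + "</script></body></html>"
)

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print("suspicious inline script", finding)
```

    Run against fetched page sources, the scan gives a quick triage signal; the length floor keeps dense but legitimate minified code from tripping it, and a hit is a reason to pull the block for manual deobfuscation rather than proof of compromise by itself.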

    Unit 42 said its telemetry uncovered 269,552 web pages that have been infected with JavaScript code using the JSFireTruck technique between March 26 and April 25, 2025. A spike in the campaign was first recorded on April 12, when over 50,000 infected web pages were observed in a single day.

    “The campaign’s scale and stealth pose a significant threat,” the researchers said. “The widespread nature of these infections suggests a coordinated effort to compromise legitimate websites as attack vectors for further malicious activities.”

    Say Hello to HelloTDS

    The development comes as Gen Digital took the wraps off a sophisticated Traffic Distribution Service (TDS) called HelloTDS that’s designed to conditionally redirect site visitors to fake CAPTCHA pages, tech support scams, fake browser updates, unwanted browser extensions, and cryptocurrency scams through remotely-hosted JavaScript code injected into the sites.

    The primary objective of the TDS is to act as a gateway, determining the exact nature of content to be delivered to the victims after fingerprinting their devices. If the user is not deemed a suitable target, the victim is redirected to a benign web page.

    “The campaign entry points are infected or otherwise attacker-controlled streaming websites, file sharing services, as well as malvertising campaigns,” researchers Vojtěch Krejsa and Milan Špinka said in a report published this month.

    “Victims are evaluated based on geolocation, IP address, and browser fingerprinting; for example, connections through VPNs or headless browsers are detected and rejected.”

    Some of these attack chains have been found to serve bogus CAPTCHA pages that leverage the ClickFix strategy to trick users into running malicious code and infecting their machines with a malware known as PEAKLIGHT (aka Emmenhtal Loader), which is known to serve information stealers like Lumma.


    Central to the HelloTDS infrastructure is the use of .top, .shop, and .com top-level domains that are used to host the JavaScript code and trigger the redirections following a multi-stage fingerprinting process engineered to collect network and browser information.

    “The HelloTDS infrastructure behind fake CAPTCHA campaigns demonstrates how attackers continue to refine their methods to bypass traditional protections, evade detection, and selectively target victims,” the researchers said.

    “By leveraging sophisticated fingerprinting, dynamic domain infrastructure, and deception tactics (such as mimicking legitimate websites and serving benign content to researchers) these campaigns achieve both stealth and scale.”



    Source: thehackernews.com…

  • Ransomware Gangs Exploit Unpatched SimpleHelp Flaws to Target Victims with Double Extortion


    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday disclosed that ransomware actors are targeting unpatched SimpleHelp Remote Monitoring and Management (RMM) instances to compromise customers of an unnamed utility billing software provider.

    “This incident reflects a broader pattern of ransomware actors targeting organizations through unpatched versions of SimpleHelp RMM since January 2025,” the agency said in an advisory.

    Earlier this year, SimpleHelp disclosed a set of flaws (CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726) that could result in information disclosure, privilege escalation, and remote code execution.

    The vulnerabilities have since come under repeated exploitation in the wild, including by ransomware groups like DragonForce, to breach targets of interest. Last month, Sophos revealed that a Managed Service Provider’s SimpleHelp deployment was accessed by the threat actor using these flaws, who then leveraged it to pivot to other downstream customers.

    CISA said that SimpleHelp versions 5.5.7 and earlier contain multiple vulnerabilities, including CVE-2024-57727, and that the ransomware crews are exploiting them to access downstream customers’ unpatched SimpleHelp instances for double extortion attacks.


    The agency has outlined the below mitigations that organizations, including third-party service providers that make use of SimpleHelp to connect to downstream customers, can implement to better respond to the ransomware activity:

    • Identify and isolate SimpleHelp server instances from the internet and update them to the latest version
    • Notify downstream customers and instruct them to take actions to secure their endpoints
    • Conduct threat hunting actions for indicators of compromise and monitor for unusual inbound and outbound traffic from the SimpleHelp server (for downstream customers)
    • Disconnect affected systems from the internet if they have been encrypted by ransomware, reinstall the operating system, and restore data from a clean backup
    • Maintain periodic clean, offline backups
    • Refrain from exposing remote services such as Remote Desktop Protocol (RDP) on the web
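    The version cutoff and the isolate-then-update ordering in CISA’s list are easy to get wrong in a fleet script, so the following added example (not CISA’s, SimpleHelp’s or the article’s code) triages a constructed SimpleHelp server inventory against the mitigations above. It compares versions numerically against the 5.5.7 cutoff the advisory gives (a plain string comparison would rank "5.5.10" below "5.5.7") and orders hosts by exposure, so internet-facing vulnerable instances that connect to downstream customers come first. The Server record, the hostnames and versions, and the priority scheme are assumptions; the page states only the "5.5.7 and earlier" cutoff, so confirm the fixed build for your release branch with the vendor before relying on the result.

```python
from dataclasses import dataclass
from typing import List, Tuple

# CISA, per the advisory above: SimpleHelp 5.5.7 and earlier contain multiple vulnerabilities.
LAST_VULNERABLE = (5, 5, 7)


def parse_version(v: str) -> Tuple[int, ...]:
    """'5.5.7' -> (5, 5, 7). Compare as integer tuples; as strings, '5.5.10' < '5.5.7'."""
    parts = []
    for p in v.strip().split("."):
        digits = "".join(ch for ch in p if ch.isdigit())   # tolerate '8-beta'-style suffixes
        if not digits:
            raise ValueError(f"unparseable version component {p!r} in {v!r}")
        parts.append(int(digits))
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True for 5.5.7 and earlier (the only cutoff the advisory states)."""
    return parse_version(version) <= LAST_VULNERABLE


@dataclass
class Server:                  # assumed inventory record, not a SimpleHelp data structure
    host: str
    version: str
    internet_exposed: bool     # reachable from the internet without VPN/allowlist
    serves_customers: bool     # provider instance that connects to downstream customers


def triage(servers: List[Server]) -> List[Tuple[int, str, str]]:
    """(priority, host, action) sorted most urgent first; the priority scheme is an assumption."""
    out = []
    for s in servers:
        vuln = is_vulnerable(s.version)
        if vuln and s.internet_exposed:
            action = "isolate from the internet, update, hunt for IOCs"
            if s.serves_customers:
                action += ", notify downstream customers"
            out.append((0, s.host, action))
        elif vuln:
            out.append((1, s.host, "update, hunt for IOCs"))
        elif s.internet_exposed:
            out.append((2, s.host, "patched but exposed: restrict access, keep monitoring traffic"))
        else:
            out.append((3, s.host, "no action beyond routine monitoring"))
    return sorted(out)


INVENTORY = [  # constructed inventory; hostnames and versions are made up
    Server("rmm-new", "5.5.10", internet_exposed=True, serves_customers=True),
    Server("rmm-edge", "5.5.7", internet_exposed=True, serves_customers=True),
    Server("rmm-internal", "5.4.12", internet_exposed=False, serves_customers=False),
    Server("rmm-lab", "5.5.11", internet_exposed=False, serves_customers=False),
]

if __name__ == "__main__":
    for pri, host, action in triage(INVENTORY):
        print(f"P{pri} {host:13} {action}")
```

    Feeding a real inventory in is the only change needed; the point of the integer-tuple comparison is that a host on a later 5.5.x build is not misreported as vulnerable by a lexical sort, while a lower 5.4.x build still is.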

    CISA said it does not encourage victims to pay ransoms as there is no guarantee that the decryptor provided by the threat actors will help recover the files.

    “Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities,” CISA added.

    Fog Ransomware Attack Deploys Employee Monitoring Software

    The development comes as Broadcom-owned Symantec detailed a Fog ransomware attack targeting an unnamed financial institution in Asia with a combination of dual-use and open-source pentesting tools not observed in other ransomware-related intrusions.

    Fog is a ransomware variant first detected in May 2024. Like other ransomware operations, the financially motivated crew employs compromised virtual private network (VPN) credentials and system vulnerabilities to gain access to an organization’s network and encrypt data, but not before exfiltrating it.

    Alternate infection sequences have employed Windows shortcut (LNK) files contained within ZIP archives, which are then distributed via email and phishing attacks. Executing the LNK file leads to the download of a PowerShell script that’s responsible for dropping a ransomware loader containing the Fog locker payload.

    The attacks are also characterized by the use of advanced techniques to escalate privileges and evade detection by deploying malicious code directly in memory and disabling security tools. Fog is capable of targeting both Windows and Linux endpoints.

    According to Trend Micro, as of April 2025, the Fog threat actors had claimed 100 victims on their data leak site since the start of the year, with the majority of victims in the technology, education, manufacturing, and transportation sectors.

    “The attackers used a legitimate employee monitoring software called Syteca (formerly Ekran), which is highly unusual,” Symantec said. “They also deployed several open-source pen-testing tools – GC2, Adaptix, and Stowaway – which are not commonly used during ransomware attacks.”

    While the exact initial access vector used in the incident is unknown, the threat actors have been found to use Stowaway, a proxy tool widely used by Chinese hacking groups, to deliver Syteca. It’s worth noting that GC2 has been used in attacks carried out by the Chinese state-sponsored hacking group APT41 in 2023.

    Also downloaded were legitimate programs such as 7-Zip, FreeFileSync, and MegaSync, used to build compressed archives of the stolen data and move them out of the network.

    Another notable aspect of the attack is that the attackers created a service to establish persistence on the network several days after the ransomware had been deployed. The threat actors are said to have spent about two weeks inside the network before dropping the ransomware.

    “This is an unusual step to see in a ransomware attack, with malicious activity usually ceasing on a network once the attackers have exfiltrated data and deployed the ransomware, but the attackers in this incident appeared to wish to retain access to the victim’s network,” Symantec and Carbon Black researchers said.
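    The Fog tradecraft described above (an LNK that launches a PowerShell download cradle, an archiver plus a cloud-sync client to stage and exfiltrate data, and a persistence service created after encryption) translates into three hunts over process-creation and service-install telemetry. The following is an added example, not Symantec’s or Carbon Black’s code: the Event record and its field names, the hostnames, and every entry in SAMPLE are constructed to resemble EDR/Sysmon process events and Windows System log service-install records, and the heuristics are assumptions rather than published detection rules.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass
class Event:
    ts: datetime
    kind: str            # "process", "service" or "alert" (assumed schema)
    host: str
    image: str = ""      # process image, or the service binary for "service" events
    parent: str = ""     # parent process image (process events only)
    cmdline: str = ""


def base(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


ARCHIVERS = {"7z.exe", "7za.exe", "7zg.exe"}
SYNC_TOOLS = {"freefilesync.exe", "megasync.exe"}
# Download cradle or encoded command in a PowerShell command line (heuristic, not exhaustive).
CRADLE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|-enc(odedcommand)?\b", re.I)


def lnk_cradles(events):
    """PowerShell spawned directly under explorer.exe with a download cradle:
    what an LNK double-clicked out of a ZIP attachment tends to look like."""
    return [e for e in events
            if e.kind == "process"
            and base(e.image) == "powershell.exe"
            and base(e.parent) == "explorer.exe"
            and CRADLE.search(e.cmdline)]


def staging_then_sync(events, window=timedelta(hours=48)):
    """An archiver followed by a cloud-sync client on the same host within `window`:
    data staged, then pushed out through a legitimate client."""
    procs = sorted((e for e in events if e.kind == "process"), key=lambda e: e.ts)
    hits = []
    for i, a in enumerate(procs):
        if base(a.image) not in ARCHIVERS:
            continue
        for b in procs[i + 1:]:
            if b.host == a.host and base(b.image) in SYNC_TOOLS and b.ts - a.ts <= window:
                hits.append((a.host, a.ts, b.ts, base(b.image)))
                break
    return hits


def services_after_encryption(events):
    """Service installs on a host after the first ransomware alert for that host.
    Hunting usually stops once the locker fires; this incident is the case where it must not."""
    first_alert = {}
    for e in events:
        if e.kind == "alert":
            first_alert[e.host] = min(e.ts, first_alert.get(e.host, e.ts))
    return [(e.host, e.ts, e.image) for e in events
            if e.kind == "service" and e.host in first_alert and e.ts > first_alert[e.host]]


T = datetime(2025, 5, 1, 9, 0)  # constructed base time
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = [  # constructed events; not telemetry from the incident
    Event(T, "process", "ws-101", PS, r"C:\Windows\explorer.exe",
          "powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    Event(T, "process", "ws-102", PS, r"C:\Windows\System32\cmd.exe",
          "powershell -File C:\\scripts\\inventory.ps1"),              # admin script, not flagged
    Event(T + timedelta(days=3), "process", "fs-01", r"C:\Program Files\7-Zip\7z.exe",
          r"C:\Windows\System32\cmd.exe", "7z a -pX staged.7z D:\\finance"),
    Event(T + timedelta(days=3, hours=2), "process", "fs-01",
          r"C:\Users\svc\AppData\Local\MEGAsync\MEGAsync.exe"),
    Event(T - timedelta(days=30), "service", "fs-01", r"C:\Program Files\Backup\agent.exe"),  # predates the alert
    Event(T + timedelta(days=14), "alert", "fs-01"),                    # EDR: ransomware fired on fs-01
    Event(T + timedelta(days=18), "service", "fs-01", r"C:\ProgramData\update\svc.exe"),
]

if __name__ == "__main__":
    for e in lnk_cradles(SAMPLE):
        print("LNK/cradle  ", e.host, e.cmdline[:40])
    for host, t0, t1, tool in staging_then_sync(SAMPLE):
        print("stage+sync  ", host, t0, "->", t1, tool)
    for host, ts, image in services_after_encryption(SAMPLE):
        print("late service", host, ts, image)
```

    The third hunt is the one this incident argues for: the window for service-install events on an encrypted host has to stay open for weeks after the locker runs, not close at the point where the incident is normally declared contained.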


    The uncommon tactics have raised the possibility that the company may have been targeted for espionage reasons, and that the threat actors deployed the Fog ransomware either as a distraction to mask their true goals or to make some quick money on the side.

    LockBit Panel Leak Reveals China Among Most Targeted

    The findings also coincide with revelations that the LockBit ransomware-as-a-service (RaaS) scheme netted around $2.3 million within the last six months, indicating that the e-crime group continues to operate despite several setbacks.

    What’s more, Trellix’s analysis of LockBit’s geographic targeting from December 2024 to April 2025 based on the May 2025 admin panel leak has uncovered China to be one of the most heavily targeted countries by affiliates Iofikdis, PiotrBond, and JamesCraig. Other prominent targets include Taiwan, Brazil, and Turkey.

    “The concentration of attacks in China suggests a significant focus on this market, possibly due to its large industrial base and manufacturing sector,” security researcher Jambul Tologonov said.

    “Unlike Black Basta and Conti RaaS groups that occasionally probe Chinese targets without encrypting them, LockBit appears willing to operate within Chinese borders and disregard potential political consequences, marking an interesting divergence in their approach.”

    The leak of the affiliate panel has also prompted LockBit to announce a monetary reward for verifiable information about “xoxo from Prague,” an anonymous actor who claimed responsibility for the leak.

    On top of that, LockBit appears to have benefitted from the sudden discontinuation of RansomHub towards the end of March 2025: some of RansomHub’s affiliates, including BaleyBeach and GuillaumeAtkinson, moved to LockBit, which in turn pushed the group to reactivate its operations while it continues to develop the next version of the ransomware, LockBit 5.0.

    “What this leak truly shows is the complex and ultimately less glamorous reality of their illicit ransomware activities. While profitable, it’s far from the perfectly orchestrated, massively lucrative operation they’d like the world to believe it is,” Tologonov concluded.



    Source: thehackernews.com…