Advanced fraud attacks surged 180% in 2025 as cyber scammers used generative AI to churn out flawless IDs, deepfakes, and autonomous bots at levels never before seen.

Digital Fraud at Industrial Scale: 2025 Wasn't Great

This holiday season, as teams run lean and cyber threats rise, being open with what — and how — you share can protect both information and relationships.

Wednesday, November 26, 2025 12:00

Welcome to this week's edition of the Threat Source newsletter.

Back in April, I wrote about the risks of unintentionally leaking information while using search engines. Since then, I’ve been thinking: Life doesn’t just happen in front of a keyboard. There’s a social side, too (or so I’m told). With Thanksgiving around the corner, it seems the perfect time to flip the script and focus on a different but related concept: Care _that_ you share. 

For my non-American friends, who may be enjoying just another Thursday, stick with me. This season brings heightened risks everywhere. Many teams are running with skeleton crews, whether due to holiday mode (family, turkey, football, days off) or the year-end compliance push (hello, NIS2 and DORA). At the same time, on the other side of the fence, attackers ramp up their efforts; globally, Black Friday and similar events are peak periods for phishing campaigns, often targeting credentials with fake employee perk emails and other seasonal lures. 

So, why emphasize “care that you share?” 

Recently, I visited a university of applied sciences to give a guest lecture and learn more about the projects students are working on. It was a great experience, though preparing for an audience of students (not my usual crowd) was challenging. What do they already know? What topics interest them? Should I give them some history of STIX/TAXII? Geopolitical tensions? Honestly speaking, none of this was interesting to me when I was a student. I chose to start simple, discussing what threats and the DKIW pyramid were, and then focusing on CVE, CVSS, and KEV — one of my favorite topic clusters. 

To my surprise, not only did the students engage and ask questions, but they also stuck around late on a Friday afternoon, diving into discussions about software supply chain risks and beyond. I don’t remember ever staying at university past 6:00 p.m. on a Friday as a student! A week later, when they presented their projects — many centered on authentication, TOTP, and SmartCards — I was genuinely impressed by their ideas and the real-world problems they were addressing. 

“Care that you share” is a mindset that helps us appreciate the knowledge exchange that happens in person, too. 

Whether sharing stories over dinner, IOCs over email, or ideas in a classroom, let’s all take a moment to consider not just what we share, but how and why we share it. I’ll admit, I sometimes hesitate to share certain stories myself, worried they might seem too obvious or uninteresting, or maybe even dumb. But more often than not, those moments of openness lead to the best conversations and new perspectives. 

This rings especially true during busy or understaffed times, when teams are stretched thin. It’s tempting to keep things to ourselves to avoid “bothering” others. In reality, sharing a helpful tip, a concern, or just a quick update can make all the difference for colleagues who might be juggling extra responsibilities or missing context. 

So this holiday season, care that you share. Thoughtful communication isn’t just about protecting information — it’s also about supporting each other, especially when resources are limited. You never know who might benefit from what you have to offer, yourself included. 

**The one big thing **

Last week, Cisco Talos announced an initiative to retire outdated ClamAV signatures to reduce database sizes and improve efficiency by focusing on currently relevant threats. Starting Dec. 16, 2025, the “main.cvd” and “daily.cvd” databases will be cut roughly in half, offering smaller downloads and reduced resource usage. Retired signatures may be reintroduced if old threats reappear, and only supported ClamAV container images will remain available on Docker Hub to enhance security and management. 

**Why do I care? **

Smaller signature databases mean faster updates, lower bandwidth and storage requirements, and improved performance, especially on resource-constrained systems. By focusing detection on active threats, ClamAV can more efficiently protect against current malware without being bogged down by obsolete signatures. 

**So now what? **

We will continue to monitor the activity of retired signatures and will restore any that are needed to protect the community. Stay attentive and request the reinstatement of retired signatures if older threats reappear. In the meantime, we recommend that ClamAV container image users select a feature release tag rather than a specific minor release tag to stay up to date with security updates and bug fixes. 

**Top security headlines of the week **

**Second Sha1-Hulud wave affects 25,000+ repositories via npm preinstall credential theft**   
The new supply chain campaign, dubbed Sha1-Hulud, has compromised hundreds of npm packages, uploaded to npm between November 21 and 23, 2025. The attack has impacted popular packages from Zapier, ENS Domains, PostHog, and Postman, among others. (The Hacker News) 

**FBI: Cybercriminals stole $262M by impersonating bank support teams**    
Since January 2025, the FBI's Internet Crime Complaint Center (IC3) has received over 5,100 complaints, with the attacks impacting individuals, as well as businesses and organizations across all industry sectors. (Bleeping Computer) 

**Everest ransomware claims breach at Spain’s national airline Iberia with 596 GB data theft**   
The group states that the data covers millions of customers in multiple countries, and says it had long-term access with the ability to read and alter bookings. (HackRead) 

**CISA warns of active spyware campaigns hijacking high-value Signal and WhatsApp users**   
CISA on Monday issued an alert warning of bad actors actively leveraging commercial spyware and remote access trojans (RATs) to target users of mobile messaging applications. (The Hacker News) 

**LINE messaging bugs open Asian users to cyber espionage**   
Researchers discovered critical vulnerabilities that open the door to three main buckets of compromise: message replay attacks, plaintext and sticker leakage, and, most concerningly, impersonation attacks. (Dark Reading) 

**Can’t get enough Talos? **

**Talos Takes: When you’re told “no budget”**   
From configuring what you already have, to open-source strategies, to the impact of cybersecurity layoffs, this episode is packed with practical guidance for securing your organization during an economic downturn. 

**Humans of Talos: On epic reads, lifelong learning, and empathy**    
In this episode, Bill Largent shares what drew him to Talos, how his love of reading has shaped his cybersecurity ethos, and the key insights he shares for the next generation of cybersecurity professionals. 

**The TTP: How Talos built an AI model into one of the internet's most abused layers**   
Hazel talks with Talos researcher David Rodriguez about how adversaries use DNS tunneling to sneak data out of networks, why it’s so difficult to spot in real time, and how Talos built an AI model to detect it without breaking the internet. 

**Upcoming events where you can find Talos **

*   AVAR (Dec. 3 – 5) Kuala Lumpur, Malaysia 
*   Black Hat Europe (Dec. 8 – 11) London, U.K. 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA256: d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a**   
MD5: 1f7e01a3355b52cbc92c908a61abf643   
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a   
Example Filename: cleanup.bat   
Detection Name: W32.D933EC4AAF-90.SBX.TG 

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**    
MD5: 2915b3f8b703eb744fc54c81f4a9c67f    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
Example Filename: e74d9994a37b2b4c693a76a580c3e8fe\_1\_Exe.exe    
Detection Name: Win.Worm.Coinminer::1201 

**SHA256: 90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59**   
MD5: c2efb2dcacba6d3ccc175b6ce1b7ed0a   
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59    
Example Filename: ck8yh2og.dll    
Detection Name: Auto.90B145.282358.in02 

**SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974**    
MD5: aac3165ece2959f39ff98334618d10d9    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974    
Example Filename: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974.exe    
Detection Name: W32.Injector:Gen.21ie.1201 

**SHA256: 26fa67db9a00f07600abe950d2ea0aed0ea7a0b49a0b5a452e3175ffa33970ff**    
MD5: 71da0bf3094e3ed17bc5a1c78de80933    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=26fa67db9a00f07600abe950d2ea0aed0ea7a0b49a0b5a452e3175ffa33970ff    
Example Filename: cleanup.bat    
Detection Name: W32.26FA67DB9A-90.SBX.TG

Care that you share

AI meeting assistants have become essential tools for professionals who want fast, accurate, and automated transcription. Yet behind…

AI meeting assistants have become essential tools for professionals who want fast, accurate, and automated transcription. Yet behind the convenience lies a concern many users overlook: how safely is their data handled? 

As more companies introduce AI note-takers, the gap between automation and security grows wider. TicNote AI steps into this landscape with a different philosophy, intelligence with responsibility.

****The New Generation of AI Note-Taking****

The surge in AI meeting tools shows how much modern work relies on capturing information quickly. However, most tools focus on transcription alone and leave users questioning what happens to their recordings. 

TicNote approaches this challenge through Agentic Intelligence, a system designed to help users think, organise, and stay in control of their information.

****What Makes TicNote an Agentic OS****

TicNote is not just an AI recorder. It interprets conversations, connects ideas, and structures information in a way that supports decision-making. Designed for creators, professionals, interviewers, researchers, and teams, TicNote transforms meetings and thoughts into usable knowledge.

****Core Features Strengthening TicNote’s Intelligence********Shadow and Projects****

TicNote captures audio, images, and documents in one place and instantly turns them into clean summaries using multimodal AI.

****Deep Research****

Users can ask questions across their recordings and files. TicNote understands intent and retrieves context-rich answers.

****Aha Moments****

The system identifies hidden relationships across stored content, revealing insights users may not notice on their own.

****AI Podcast Mode****

Recordings can be transformed into professional podcast-style audio, with optional voice changes for privacy or creativity.

****AI Voiceprint Recognition****

The device automatically identifies speakers, offering precise and organised transcripts for teams, interviews, and collaborative work.

****Pricing Built for Transparency and Value********Free (Plus)****

600 minutes per month, multilingual transcription, translation, basic templates, and document import.

****Pro****

2100 minutes per year, unlimited cloud storage, Deep Research, Aha Moments, AI Podcast Mode, and advanced templates.

****Business****

6600 minutes per year, eight-hour sessions, speaker recognition, and advanced workflows for teams.

****Why TicNote Matters in Today’s Workflows****

Information overload has become a major challenge for modern professionals. TicNote responds with a system that converts disorganised conversations into structured knowledge. 

Instead of just storing words, it helps users think more clearly, plan effectively, and revisit insights confidently. From remote teams to journalists and podcasters, TicNote offers clarity with secure handling of user data.

****Why Users Are Turning to TicNote AI****

The device stands out for combining intelligence, context awareness, and secure processing. Instead of acting as just another note-taker, it becomes a thinking partner. Users choose TicNote for its ability to transform daily conversations into meaningful insights and organised ideas.

****Messaging Behind TicNote’s Vision********Key Statements****

“TicNote isn’t just an AI recorder – it’s an Agentic OS designed to help every mind work smarter.”

“It doesn’t just record; it thinks with you, turning chaos into clarity.”

“The future of productivity is not more tools, but more intelligence.”

****Black Friday Campaign Details****

TicNote offers its best pricing of the year during its Black Friday launch. The TicNote Official US Store promotion runs from November 12 to December 1, 2025, priced at $99.99 for the United States, CA$139.99 in Canada and EUR 169.99 in Europe, with a special lowest price of EUR 135.99 on November 28 and December 1. 

On the TicNote Amazon US store, the campaign runs from November 20 to December 1 at USD 99.99 (Code **XGDP8422**). Affiliates can request personalised tracking links to earn commissions during the campaign.

****Final Thoughts****

As AI meeting assistants continue to rise, concerns about data security and long-term reliability become more important. TicNote answers these concerns with an Agentic OS that goes beyond basic transcription. With multimodal intelligence, deep research capabilities, and clear data practices, TicNote offers a smarter and safer path for capturing and understanding daily conversations. For professionals seeking meaningful clarity and control, TicNote represents the next evolution of AI-powered productivity.

AI Meeting Assistants Are Rising – But Is Your Data Safe? A Deep Look at TicNote AI

Myanmar’s military has been blowing up parts of the KK Park scam compound. Experts say the actions are likely for show.

After Myanmar’s military junta raided a notorious scam compound and destroyed buildings with explosives in October, officials claimed the country would entirely “eradicate” forced scamming within its borders. Now newly released satellite images of the targeted KK Park scam center reveal that only buildings in one limited section of the compound were destroyed during the initial raids. Experts on scam compounds, meanwhile, say the entire effort is likely “propaganda.”

High-resolution images of the KK Park scam compound, which is located near the Myanmar-Thailand border, show how military forces have razed multiple buildings, leaving piles of rubble in their place. However, the images show the destruction is, so-far, confined to the Eastern side of the gigantic compound—with hundreds of buildings across the vast compound being left untouched.

Multiple experts tell WIRED that the raids at KK Park and some other scam compounds are likely part of a wider “performative” effort by Myanmar's military government, which has come under increasing pressure to tackle the highly lucrative scam compounds that have flourished in recent years. They also raise concerns about the welfare of thousands of people forced to run scams in KK Park.

“The junta is making it sound as though they’re taking down the entire compound, and the imagery that we have seen so far is only limited to one section,” says Eric Heintz, a global analyst at the International Justice Mission, an anti-slavery organization. “It’s important to keep monitoring this to verify what they’re actually doing and \[see\] if this is just for show or if they’re actually cracking down on the real problem.”

The satellite images, taken on November 16, appear to show that some buildings located around courtyards have been almost totally destroyed, with debris strewn around other buildings. Heintz says that the images, plus extra social media footage, indicates that some “villas” and dormitories where trafficking victims may have been housed appear to have been damaged or destroyed. (Myanmar’s military government has said further destruction started on November 17; third-party reports also suggest more buildings have been destroyed).

“All of the critical buildings that you would need to perpetrate the scams are still intact and still ready for use,” says Mechelle B Moore, the CEO of anti-trafficking nonprofit Global Alms, which is based in Thailand and works to help people who have trafficked into scam compounds in Myanmar. “They’re putting on a good show right now to say that they don’t support scamming compounds or human trafficking. But what they’ve allowed is all the scamming syndicates—all of the scamming bosses and supervisors—have been allowed to flee,” Moore claims.

Over the past decade, dozens of scam compounds have appeared in Southeast Asia, primarily across Myanmar, Cambodia, and Laos. Often operated by or linked to Chinese organized crime groups, the compounds trick people into working at them—often with the offer of high-paying jobs—and then force them to run a range of scams. Trafficking victims often have their passports taken; they can be tortured or beaten if they refuse to scam. By stealing from people around the world, the compounds have made billions for the organized crime groups.

Amid the extensive criminality, KK Park has emerged as one of the largest and most notorious scam compounds in Myanmar. Five years ago, the site was a series of fields near the town of Myawaddy, but has since been transformed into a sprawling compound with hundreds of buildings and thousands of people held there.

Full view of the KK Park scam compound, which shows the limited destruction as of November 16, 2025.

Satellite image ©2025 Vantor

Myanmar’s military junta has been conducting raids on KK Park since the middle of October and on the Shwe Kokko compound since mid-November. The sites are linked to “telecom” fraud and illegal gambling operations, government statements say. A statement from Myanmar’s Ministry of Information published online on Wednesday says officials are “dismantling and removing illegal buildings, and taking further action in accordance with the law.”

The statement claims that officials are demolishing buildings in three areas of KK Park, and since the raids began a “a total of 237 buildings out of 635 illegal buildings have so far been demolished.” It says that 1,847 “undocumented foreign entrants” have been detained, along with more than 3,000 computers, 21,000 mobile phones, and 102 Starlink satellite internet systems. Multiple Myanmar government departments did not immediately respond to WIRED’s request for comment. A member of Myanmar’s London embassy said they would prefer to discuss the topic in person, which was not viable ahead of publication, but did not otherwise comment.

“From 30 January to 25 November 2025, a total of 12,687 foreign nationals who had entered Myanmar illegally were detained,” the junta’s Ministry of Information statement says. “Of these, 12,343 individuals were screened to be expelled, and 10,029 were systematically repatriated to their respective countries through Thailand in accordance with legal procedures.”

Alongside multiple government statements, the Associated Press reports that state television in Myanmar has been broadcasting “extensive” video footage of buildings being dismantled in KK Park, and the unusually detailed reports “appear to reflect the military government’s desire to publicize its efforts after months of bad publicity.” Some video footage shows steamrollers crushing thousands of smartphones and computers.

“This is really performative, and it continues to be the case,” says Jason Tower, a senior expert at the Global Initiative Against Transnational Organized Crime. “I think around 20,000 devices were destroyed, which is tragic in terms of just mass amounts of evidence lost.”

Myanmar’s recent high-profile crackdown on KK Park and the Shwe Kokko compounds could be driven by multiple reasons, the experts WIRED spoke to say. The United States government has recently set up a Scam Center Strike Force that has targeted the infrastructure and organizations allegedly behind the compounds, including sanctioning armed groups that support the military regime in Myanmar for their alleged involvement in the criminality. China has also extradited an alleged criminal boss who is linked to scam centers and sentenced others to death. The military government is also holding a widely criticized election in December.

“The new sanctions have put a lot of pressure on the Myanmar military to try to do something in response to this. But this is definitely a propaganda scheme,” Moore says. “We have several different groups that are being held in scamming compounds. Groups of victims that are too scared to leave, even though the crime syndicates have left or they’re being held under guard and they're not allowed to leave.”

Tower says another development, which is more significant than the military junta action, has come from anti-government, resistance groups also starting to disrupt scam compounds; he points to one group, the Karen National Liberation Army, recently taking over a compound. “I think this was the first time on the Karen border that you’ve seen resistance forces really step in to put pressure on the military and to take this issue up as part of their revolutionary activity,” Tower says.

Meanwhile, Heintz says that when people enslaved in scam compounds are freed or escape, authorities need to properly class them as victims of human trafficking and not treat them as criminals themselves. “It’s crucial that every individual undergoes a proper victim screening and identification process to ensure that trafficking survivors receive the protection and justice they deserve,” he says, “and that critical intelligence is secured and used to stop these criminal trafficking networks.”

The Destruction of a Notorious Myanmar Scam Compound Appears to Have Been ‘Performative’

New research from Ontinue exposes a major security flaw in Microsoft Teams B2B Guest Access. Learn how attackers bypass all Defender for Office 365 protections with a single invite.

Microsoft Teams has become the main tool for communication in businesses globally. Due to this, security teams spend a lot of time and money on protection services like Microsoft Defender for Office 365 to guard against dangers like phishing emails, malicious links, and malware.

However, new research from the security firm Ontinue, released on Wednesday, November 26, shows a huge security flaw in the standard setup of Microsoft Teams collaboration with outside partners, known as B2B Guest Access, which lets attackers entirely bypass a company’s Microsoft Defender protections.

****Who Controls Your Security as a Guest?****

The problem isn’t actually a software bug in Teams; it’s about the way security is managed when employees work with external groups. Ontinue’s blog post makes it clear; when your staff accepts an outside invitation and joins another company’s chat, their security is no longer determined by their home organisation. Instead, the research found that security is controlled “entirely by that hosting environment.”

This finding is highly worrying. The moment a user accepts a guest invite, they instantly lose all their home security features, including Safe Links (the system that checks if a link is dangerous before you click it) and Zero-hour Auto Purge (ZAP), which is designed to retroactively delete malicious messages. Attackers are exploiting this. Attackers know this and can create their own basic Teams accounts with security policies completely switched off, basically creating a perfect trap.

Further probing revealed that the attacker needs minimal resources. They can set up a basic Microsoft 365 environment using a low-cost subscription or even a trial. Since these basic accounts lack security packages like Defender, they are unprotected by default, which means the attacker doesn’t need any complex setup to achieve a “protection-free zone.”

Diagram showing the “protection-free zone” attackers create (source: Ontinue)

****The Easy Way In****

The risk has become even simpler because of a feature Microsoft rolled out in November 2025 (MC1182004), which is turned on by default for most users. This setting allows any Teams user to start a chat with any email address, even people not currently using Teams. The victim receives a genuine-looking Microsoft invitation and needs only a single click to enter the malicious, unprotected environment.

This easy invitation method, combined with the fact that most organisations are defaulted to accept guest invites from any company worldwide, means a lot of companies are exposed. Once inside, attackers can easily deliver phishing links and malware to employees without any security warnings appearing. Also, they can exfiltrate information (or steal sensitive data) and conduct large-scale social engineering attacks.

Phishing Email Sample (source: Ontinue)

****Experts Urge Immediate Action****

Ontinue strongly recommends companies move quickly to change their configurations, suggesting they limit guest invitations to only those domains they explicitly trust.

Industry leaders also weighed in on the findings, sharing their perspectives with Hackread.com. They emphasised that this is a serious architectural problem requiring a configuration change, not just a patch.

Shane Barney, Chief Information Security Officer at Keeper Security, noted the deceptive nature of the attack: “The familiar interface can give the impression that security remains consistent, but the safeguards in place are entirely dependent on how the hosting tenant is configured.” He added that organisations must ensure “access is appropriately limited and activity tied to sensitive systems is consistently monitored.”

Julian Brownlow Davies, Senior Vice President, Offensive Security Strategy & Operations at Bugcrowd, clarified the uncomfortable truth for users: “The moment your users cross into someone else’s tenant as guests, your own Defender for Office 365 protections effectively disappear.” He concluded that because attackers abuse collaboration features, “you have to assume that attackers will abuse ‘legitimate’ collaboration features.”

Finally, Agnidipta Sarkar, Chief Evangelist at ColorTokens, stressed the immediate policy response needed: “Until Microsoft addresses this vulnerability, organisations must set up a policy to address this immediately, and disallow all B2B meetings using Teams from anyone not previously known.” He recommends that companies configure technical controls to ensure Teams allows B2B connections to predefined domains.

Microsoft Teams Flaw in Guest Chat Exposes Users to Malware Attacks

As in the wider world, AI is not quite living up to the hype in the cyber underground. But it's definitely helping low-level cybercriminals do competent work.

'Dark LLMs' Aid Petty Criminals, But Underwhelm Technically

It's the law of unintended consequences: equipping browsers with agentic AI opens the door to an exponential volume of prompt injections.

Prompt Injections Loom Large Over ChatGPT's Atlas Browser

Cyberattackers are integrating large language models (LLMs) into malware, running prompts at runtime to evade detection and augment their code on demand.

How Malware Authors Are Incorporating LLMs to Evade Detection

More than half of organizations surveyed aren't sure they can secure non-human identities (NHIs), underscoring the lag between the rollout of these identities and the tools to protect them.

Enterprises Aren't Confident They Can Secure Non-Human Identities (NHIs)

South Korea's financial sector has been targeted by what has been described as a sophisticated supply chain attack that led to the deployment of Qilin ransomware.
"This operation combined the capabilities of a major Ransomware-as-a-Service (RaaS) group, Qilin, with potential involvement from North Korean state-affiliated actors (Moonstone Sleet), leveraging Managed Service Provider (MSP)

South Korea's financial sector has been targeted by what has been described as a sophisticated supply chain attack that led to the deployment of Qilin ransomware.

"This operation combined the capabilities of a major Ransomware-as-a-Service (RaaS) group, Qilin, with potential involvement from North Korean state-affiliated actors (Moonstone Sleet), leveraging Managed Service Provider (MSP) compromise as the initial access vector," Bitdefender said in a report shared with The Hacker News.

Qilin has emerged as one of the most active ransomware operations this year, with the RaaS crew exhibiting "explosive growth" in the month of October 2025 by claiming over 180 victims. The group is responsible for 29% of all ransomware attacks, per data from NCC Group.

The Romanian cybersecurity company said it decided to dig deeper after uncovering an unusual spike in ransomware victims from South Korea in September 2025, when it became the second-most affected country by ransomware after the U.S., with 25 cases, a significant jump from an average of about 2 victims per month between September 2024 and August 2025.

Further analysis found that all 25 cases were attributed exclusively to the Qilin ransomware group, with 24 of the victims in the financial sector. The campaign was given the moniker **Korean Leaks** by the attackers themselves.

While Qilin's origins are likely Russian, the group describes itself as "political activists" and "patriots of the country." It follows a traditional affiliate model, which involves recruiting a diverse group of hackers to carry out the attacks in return for taking a small share of up to 20% of the illicit payments.

One particular affiliate of note is a North Korean threat actor tracked as Moonstone Sleet, which, according to Microsoft, has deployed a custom ransomware variant called FakePenny in an attack targeting an unnamed defense technology company in April 2024.

Then, earlier this February, a significant pivot occurred when the adversary was observed delivering Qilin ransomware at a limited number of organizations. While it's not exactly clear if the latest set of attacks was indeed carried out by the hacking group, the targeting of South Korean businesses aligns with its strategic objectives.

Korean Leaks took place over three publication waves, resulting in the theft of over 1 million files and 2 TB of data from 28 victims. Victim posts associated with four other entities were removed from the data leak site (DLS), suggesting that they may have been taken down either following ransom negotiations or a unique internal policy, Bitdefender said.

The three waves are as follows -

*   **Wave 1**, comprising 10 victims from the financial management sector that was published on September 14, 2025
*   **Wave 2**, comprising nine victims that were published between September 17 and 19, 2025
*   **Wave 3**, comprising nine victims that were published between September 28 and October 4, 2025

An unusual aspect about these leaks is the departure from established tactics of exerting pressure on compromised organizations, instead leaning heavily on propaganda and political language.

"The entire campaign was framed as a public-service effort to expose systemic corruption, exemplified by the threats to release files that could be 'evidence of stock market manipulation' and names of 'well-known politicians and businessmen in Korea,'" Bitdefender said of the first wave of the campaign.

Subsequent waves went on to escalate the threat a notch higher, claiming that the leak of the data could pose a severe risk to the Korean financial market. The actors also called on South Korean authorities to investigate the case, citing stringent data protection laws.

A further shift in messaging was observed in the third wave, where the group initially continued the same theme of a national financial crisis resulting from the release of stolen information, but then switched to a language that "more closely resembled Qilin's typical, financially motivated extortion messages."

Given that Qilin boasts of an "in-house team of journalists" to help affiliates with writing texts for blog posts and help apply pressure during negotiations, it's assessed that the group's core members were behind the publication of the DLS text.

"The posts contain several of the core operator's signature grammatical inconsistencies," Bitdefender said. "However, this control over the final draft does not mean the affiliate was excluded from having a critical say in the key messaging or overall direction of the content."

To pull off these attacks, the Qilin affiliate is said to have breached a single upstream managed service provider (MSP), leveraging the access to compromise several victims at once. On September 23, 2025, the Korea JoongAng Daily reported that more than 20 asset management companies in the country were infected with ransomware following the compromise of GJTec.

To mitigate these risks, it's essential that organizations enforce Multi-Factor Authentication (MFA), apply the Principle of Least Privilege (PoLP) to restrict access, segment critical systems and sensitive data, and take proactive steps to reduce attack surfaces.

"The MSP compromise that triggered the 'Korean Leaks' operation highlights a critical blind spot in cybersecurity discussions," Bitdefender said. "Exploiting a vendor, contractor, or MSP that has access to other businesses is a more prevalent and practical route that RaaS groups seeking clustered victims can take."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Latest News