Barts Health NHS confirms Cl0p ransomware breach via Oracle flaw. Invoice data exposed. Patient records and clinical systems remain unaffected.

Barts Health NHS Trust has confirmed that the Russian-speaking Cl0p ransomware group stole files from one of its invoice databases after exploiting a vulnerability in Oracle E-Business Suite. The breach exposed data linked to payments for treatment and services, with some records going back several years.

Hackread.com first reported on the Cl0p activity in November twenty twenty five, noting the group had leaked 241 GB of NHS data on its hidden site shortly after claiming responsibility for a wider campaign against healthcare targets.

Cl0p Ransomware leaking NHS data (Image credit: Hackread.com)

Now, according to Barts’ press release, the stolen material includes names and addresses of patients who were billed for care, records of former staff with unresolved salary issues and payment details for suppliers. Most supplier information is already public. Clinical systems and patient records were not affected.

Files linked to accounting services provided to Barking Havering and Redbridge University Hospitals NHS Trust since April 2024 were also compromised. Barts advises patients to review any invoices they received to understand if their data was involved.

The breach occurred in August but went undetected until November, when the files surfaced on the Cl0p ransomware‘s dark web leak site. Oracle has since patched the exploited flaw. Barts has reported the incident to NHS England, the National Cyber Security Centre, the Metropolitan Police and data regulators. It is also seeking a High Court order to block the circulation of the stolen data.

NHS UK data breach claims from the Cl0p ransomware group (Image credit: Hackread.com)

****NHS and ransomware attacks****

The Barts incident adds to a growing list of ransomware activity aimed at UK health services. In recent months, Qilin ransomware has released patient records on private channels after hitting an NHS supplier, which affected emergency care in London. Hackread reported that one of those incidents has been linked by staff to the death of a patient after a disruption caused delays in treatment.

More attacks have targeted NHS bodies in Scotland. The INC group claimed to have taken several terabytes of patient files and later released the material on hidden forums while also publishing threats against UK health services.

These cases share common traits. Attackers look for security vulnerabilities in widely used enterprise systems. Once inside, they move toward administrative data that can be sold or used for pressure campaigns. Even when clinical systems stay intact, the fallout strains staff who have to rebuild trust and manage fraud risks for those affected.

Although the Barts theft involves invoice data rather than clinical records, it still creates opportunities for social engineering. Cyber criminals often use basic personal details to support payment fraud. Barts is directing people to Stop Think Fraud for advice and is urging anyone with questions to contact its data protection officer.

Barts Health NHS Confirms Cl0p Ransomware Behind Data Breach

CISA, NSA, and Canadian Cyber Centre warn that PRC state-sponsored hackers are using BRICKSTORM, a stealthy Go-based backdoor, for long-term espionage in Government and IT networks.

Major security agencies from the US and Canada have issued a serious alert about BRICKSTORM, a new cybersecurity threat believed to be used by hackers sponsored by the People’s Republic of China (PRC).

The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) from the US, and the Canadian Centre for Cyber Security (Cyber Centre) say these hackers are using the tool to sneak into critical networks and stay hidden for long periods.

****What Is BRICKSTORM and Who’s at Risk?****

BRICKSTORM is basically a backdoor that gives attackers a secret entry point to control systems undetected. Built with the Go programming language for broad compatibility, including Windows and Linux environments, it primarily targets organisations in the Government Services and Facilities and Information Technology sectors, CISA explained in its press release published on December 4, 2025.

CISA also notes that the hackers are especially focused on VMware vSphere platforms, which manage large virtual computer networks. Once a hacker gains access, they can steal snapshots of virtual machines to get usernames and passwords, and even create their own hidden, secret virtual machines.

For your information, this long-term “persistent” access was observed lasting from April 2024 until at least September 3, 2025. This activity was previously reported by Hackread.com in September, when the hackers were observed targeting US legal, technology, and business outsourcing firms

****How the Attacks Work****

According to CISA’s Malware Analysis Report (PDF), the agency analysed eight BRICKSTORM samples obtained from compromised organisations to help others detect and remove the threat. In one case, the state-sponsored hackers first broke into a web server inside a victim’s security zone (DMZ).

From there, they used stolen service account credentials, which are like master keys, to invade other crucial systems, including domain controllers and an Active Directory Federation Services (ADFS) server. They then deployed BRICKSTORM onto an internal VMware vCenter server.

Once installed, the malware ensures its own persistence by using a built-in function to automatically reinstall itself if interrupted. It also uses multiple layers of encryption to hide its messages, making communication with the hackers’ control centres extremely difficult to spot, which is highly concerning.

It is worth noting that while all samples gave the hackers stealthy control, they differed in minor ways, such as how they achieved persistence or which samples included a SOCKS proxy feature to help them tunnel deeper into a victim’s network.

The agencies are strongly urging all affected organisations to use the newly released indicators of compromise (IOCs) and detection signatures to check their systems and immediately report any sign of BRICKSTORM activity.

BRICKSTORM Operational Flow and Malware Initiation (Image via CISA)

****Expert View: Targeting the Virtualisation Foundation:****

Commenting exclusively on the advisory**,** Ensar Seker, CISO at threat intel company SOCRadar, shared with Hackread.com that: “What’s especially alarming about this campaign is that it targets the virtualisation layer itself, not the OS or applications, which historically receives less attention.”

Seker stressed that once the management console (vCenter) is compromised, attackers “gain broad visibility over the virtual infrastructure and can bypass many traditional endpoint defences.”

He concluded that this malware “isn’t just another malware campaign. It’s a wake-up call showing that adversaries are shifting upward in the stack, targeting the foundations of virtualisation rather than individual VMs.”

Chinese State Hackers Use New BRICKSTORM Malware Against VMware Systems

AI is transforming the video-making process of creators. Learn how WondershareFilmora V15 helps individual creators edit smarter using powerful AI.

Creative independence is reshaping how people tell their stories. Today, more creators are taking control of their own production from shooting to editing without relying on professional studios. However, managing every step alone can be time-consuming and technically demanding.

That’s where the new Wondershare Filmora V15 comes in. Designed to support the evolving needs of modern creators, Filmora combines simple and advanced tools in one intuitive platform. With its latest AI-powered features, editing becomes faster, smarter, and more effortless, allowing creators to focus on ideas rather than operations.

****Issues of Conventional Video Editing****

1.  **Time Constraints:** Editing often takes longer than expected. Overlapping tasks like shooting, scripting, and posting make it hard to stay on schedule.
2.  **Lack of Resources:** Without access to strong editing tools, videos can look plain and incomplete, limiting the ability to create polished content.
3.  **Skill Gap:** Learning editing techniques takes time and practice, which can slow down production and reduce consistency.
4.  **Creative Fatigue:** Handling content creation can quickly become exhausting if managed alone. This leads to burnout, reducing creativity, and making it harder to maintain enthusiasm.

****Solution: How to Edit a Video With the Help of AI Using Filmora****

Filmora’s AI tools can easily address these challenges through automation and smart guidance. One-click operations save hours of manual work while maintaining full creative control. Whether it’s scene detection, text-to-video generation, or smart editing suggestions, creators can now produce polished, professional results quickly and confidently, without seeking assistance.

Short text prompts can be easily turned into visuals, music, or videos. Beyond editing, Filmora helps creators turn simple ideas into rich visual stories. Users are able to render their ideas alive with a few words. The following are some of the important AI tools that can enhance creativity used in Filmora V15:

****AI Extend****

AI Extend automatically adds 0–8 seconds of seamless footage to a clip, creating smooth and natural transitions. It generates new frames that blend perfectly into the timeline no extra setup required. 

Creators can resize, move, or refine clips at any stage of editing. Whether extending the beginning or the end of a scene, AI Extend offers full flexibility and precise control. Simply enter a prompt to guide how the moment should continue, and you can even define camera movements to achieve the exact visual flow you want.  

****Smart Cutout****

AI Smart Cutout isolates individuals or objects in a video. With a simple brush, you can select the areas you want to keep. The tool lets you switch the mask flexibly between the foreground and the background for easier, more precise control.

Manual tweaks can be done to enhance difficult frames. Not only this, but Smart Cutout also offers multiple ways to select and isolate elements. Furthermore, it also features an Eraser option that helps enhance creativity to the next level.

****AI Object Remover****

Erase objects in images or videos within seconds using this feature. The tool identifies both still and moving objects and restores the background in a natural manner. You can remove a variety of distractions and keep your footage looking clean. AI Object Remover understands the highlight and effectively removes the selected element. Together with other AI tools, it turns Filmora into a complete one-person production studio, powerful, intuitive, and effortless to use.

****Why is AI-powered Editing the Right Option?****

For independent creators, editing means doing it all, trimming clips, fixing audio, and perfecting colour. When the individual turns out to be a beginner, it can be hard and time-consuming. Filmora’s AI operations change the system for its users and make content creation easier. Solo creators can easily use tools like Smart Cutout, Object Remover, and AI Extend to save time.

This helps them keep themselves in complete control without putting in extra effort. It does not compromise the results, as the content created replicates professional quality. In short, AI has redefined content creation, making it faster, easier, and just as professional.

****Closing Thoughts****

Solo creators have to deal with many challenges, such as limited time, resources, and creative energy. Wondershare Filmora V15 helps overcome these barriers with advanced AI features like AI Extend, Smart Cutout, and Object Remover, which make editing fast and simple. Filmora is a tool that allows creators to be creative and professional. It edits on its own, a process that is easy and also very enjoyable.

Wondershare is a globally recognised software company founded in 2003, known for its innovative solutions in creativity and productivity. Driven by the mission “Creativity Simplified”, Wondershare offers a range of tools, including Filmora and SelfyzAI for video editing; PDFelement for document management; and EdrawMax, EdrawMind for diagramming.

With over 2 billion cumulative active users across all products and a presence in over 200 countries and regions, Wondershare empowers the next generation of creators with intuitive software and trendy creative resources, continually expanding the possibilities of creativity worldwide.

One-Person Production: Wondershare Filmora V15 Empowers Solo Creators With AI

Madison, United States, 5th December 2025, CyberNewsWire

**Madison, United States, December 5th, 2025, CyberNewsWire**

Sprocket Security is proud to announce that it has once again been recognized by G2 for “**High Performer**,” “**Best Support**,” and “**Easiest to Do Business With**” in the Winter 2025 Relationship Index for Penetration Testing. This marks the second consecutive quarter Sprocket has earned these honors, reinforcing the company’s commitment to providing a seamless customer experience while redefining how organizations approach modern security.  

Following our Fall 2025 recognition, we continued to evolve our platform and deepen partnerships with customers. This repeat achievement underscores the dependability and consistency of our continuous penetration testing (CPT) model, which has rapidly become a trusted foundation for security teams seeking real-time, ongoing assurance.  

> “Earning these awards again is especially meaningful because it demonstrates that our standard of service isn’t a moment-in-time accomplishment, but who we are,” said Casey Cammilleri, CEO of Sprocket Security. “Customers rely on us every day to simplify complex work, deliver clarity when it matters most, and strengthen their security posture without slowing them down. Seeing that reflected in their continued feedback reinforces that our model of continuous penetration testing is not just innovative, but dependable.”  

**Customer Feedback Continues to Lead the Way** 

The Winter 2025 G2 recognition is based entirely on verified customer reviews. In the past quarter, users have consistently praised:  

*   Responsiveness and expertise of the team 
*   Simplicity and transparency of the continuous testing approach  
*   Clear, actionable guidance that accelerates remediation 
*   Ease of onboarding and general frictionless experience  

This feedback not only validates Sprocket’s customer-first culture but also strengthens the company’s belief that security tools should make life easier for the teams who rely on them.  

**Looking Ahead** 

As demand for CPT accelerates, Sprocket Security remains committed to leading the industry with a solution that is both effective and easy to use. The company will continue advancing its platform, expanding customer resources, and supporting organizations in proactively preventing breaches. Learn more about what customers are saying on Sprocket Security’s G2 profile.  

**About G2**  

G2 is the world’s largest and most trusted software marketplace. Millions of users trust these authentic peer reviews to guide their purchasing decisions.  

**About Sprocket Security** 

Sprocket Security provides an expert-driven offensive security platform that proactively identifies, verifies and simulates threats, ensuring our clients’ digital environments are always secure. Unlike legacy penetration testing, our continuous approach offers real-time insights and adaptive security measures, giving businesses the confidence to move quickly and reliably prevent potential threats. 

**Contact**

**Content Strategy Manager**  
**Amanda Mates**  
**SPROCKET SECURITY LLC**  
**\[email protected\]**

Sprocket Security Earns Repeat Recognition in G2’s Winter 2025 Relationship Index for Penetration Testing

The dangerous ClayRat Android spyware has evolved, gaining the ability to steal PINs, record screens, and disable security by abusing Accessibility Services. Users must beware of fake apps spreading through phishing sites and Dropbox.

ClayRat, a new Android spyware, has drastically improved its abilities, making it a far greater threat than anticipated. Mobile security firm Zimperium has released an important update on this spyware, revealing that this new version is not only harder to spot but has been upgraded to perform a full device takeover.

****Initial Discovery and New Features****

As previously covered by Hackread.com, Zimperium’s zLabs discovered ClayRat in October 2025 as a fast-spreading Android spyware mainly targeting users in Russia. It disguised itself as popular apps like WhatsApp, Google Photos, TikTok, and YouTube. Even then, it could steal private data, including call logs, SMS messages, and even capture victim photos with the phone’s camera.

This new version still mimics apps and local services, such as Russian taxi and parking applications. However, the added features make it “a more dangerous spyware compared to its previous version,” noted zLabs researchers Vishnu Pratapagiri and Fernando Ortega in their latest blog post shared exclusively with Hackread.com.

Reportedly, the updated ClayRat abuses a powerful Android feature called Accessibility Services. It first asks the user to grant it Default SMS privileges, then guides them to turn on the Accessibility Service.

This new capability means the spyware can take over your phone as it can record your lock screen details, capturing your PINs, passwords, or even patterns, to unlock your device automatically. It can record your entire screen activity, letting attackers see exactly what you’re looking at and typing.

To secure its hold, the malware can block you out by putting fake screens, like a phoney “System Update” notice, on top of your display; it then uses automated screen taps to disable Google Play Protect, preventing you from uninstalling the malicious app or shutting down the phone. Finally, it can create fake custom messages that pop up like real alerts, intercepting any personal information, e.g. password, that you type in reply.

Malware impersonating different apps (Source: Zimperium)

****Why Businesses Should Worry****

ClayRat poses a serious risk to companies because employees often use their own mobile phones for work. If a work device is compromised, attackers can easily access company emails, messaging apps, and other business data.

The spyware is still spreading aggressively; researchers observed it operating over 25 fraudulent phishing domains that mimic various apps, including utility tools like the Car Scanner ELM. It also uses the widely trusted cloud service Dropbox to distribute its malicious files. Zimperium has already found over 700 unique versions of the software, showing how quickly this operation is expanding.

As we know it, protecting a device from a threat that can seize complete control requires very strong security. The simplest and most effective way to stay protected is to only install apps from the official Google Play Store and carefully check the permissions, especially the Accessibility Service, before granting them.

New Variant of ClayRat Android Spyware Seize Full Device Control

Torrance, California, USA, 5th December 2025, CyberNewsWire

**Torrance, California, USA, December 5th, 2025, CyberNewsWire**

Criminal IP will host a live webinar on **December 16 at 11:00 AM Pacific Time (PT)**, focusing on the shift in cyberattack strategies. The session will examine how an increasing number of incidents now originate from exposed digital assets, rather than from known software vulnerabilities.

As organizations rapidly adopt cloud platforms and distributed architectures, previously unknown or unmanaged assets such as forgotten cloud instances, exposed APIs, misconfigured storage, and publicly accessible services have become real-world attack entry points. This session will showcase how **Criminal IP ASM****, an AI-powered and Threat Intelligence-driven Attack Surface Management platform,** enables security teams to gain visibility, detect risks earlier, and take actionable steps before incidents escalate.

Users can **Register now for the free webinar on December 16 (11:00 AM PT)**

**Key Takeaways:**

**• Why CVEs Are No Longer Enough:** Understanding why traditional vulnerability-based security approaches are insufficient against modern exposure-driven attacks.

**• What Real Cloud Exposure Looks Like:** Seeing how misconfigurations, forgotten assets, and publicly accessible services create real attack entry points.

**• How Attackers Interpret Exposed Assets:** Learning how adversaries evaluate exposed services, identify weak points, and map attack paths.

**• Real-World ASM Exposure Cases:** Exploring case studies showing how Attack Surface Management uncovers risks and prevents incidents.

This webinar is designed for IT professionals, security managers, and decision-makers looking to advance their cybersecurity strategies and stay ahead in today’s rapidly changing threat landscape.

Register today to gain practical insights on how ASM helps users identify hidden attack paths, reduce exposure, and operationalize security actions across every corner of the digital environment.

**About Criminal IP**

Criminal IP is the flagship cyber threat intelligence platform developed by AI SPERA. The platform is used in more than 150 countries and provides comprehensive threat visibility through enterprise security solutions such as Criminal IP ASM and Criminal IP FDS.

Criminal IP continues to strengthen its global ecosystem through strategic partnerships with Cisco, VirusTotal and Quad9. The platform’s threat data is also available through major US data warehouse marketplaces including Amazon Web Services (AWS), Microsoft Azure and Snowflake. This expansion improves global access to high quality threat intelligence from Criminal IP.

**Contact**

**Michael Sena**  
**AI SPERA**  
**\[email protected\]**

Criminal IP to Host Webinar: Beyond CVEs – From Visibility to Action with ASM

Aikido Security exposes a new AI prompt injection flaw in GitHub/GitLab pipelines, letting attackers steal secrets. Major companies affected.

Researchers at the software security company Aikido Security have reported a new type of vulnerability that could compromise how major firms build their software. They’ve named this issue PromptPwnd, and it centres on a specific type of attack called prompt injection, where AI agents like Gemini, Claude Code, and OpenAI Codex are being used inside automated systems like GitHub Actions and GitLab CI/CD.

****Why AI Automation is Suddenly Risky****

For your information, these automated CI/CD pipelines use AI to speed up tasks like managing bug reports. The flaw begins when AI agents receive outside text (like a bug report title), allowing an attacker to slip secret instructions into the prompt. This technique, called prompt injection, confuses the AI agent, causing it to mistake the attacker’s text for a direct command and run privileged tools.

This simple pattern of injecting untrusted text into the AI’s prompt lets attackers steal security keys or modify the code workflows. This new vulnerability shows that relying on these automated systems can backfire, especially since these same systems were recently targeted in attacks like Shai-Hulud 2.0.

Aikido Security was the first to identify this vulnerability pattern and immediately open-sourced Opengrep rules to help all security vendors and organisations trace this flaw in their own code.

The PromptPwnd Attack Chain (Source: Aikido Security)

****Real-World Companies Were Exposed****

Aikido Security confirmed the exposure in at least five Fortune 500 companies, and they believe many more are at risk. In the blog post shared with Hackread.com, researchers confirmed the attack chain is “practical, reproducible, and already present in real-world GitHub Actions workflows.”

In a notable case, Google’s own Gemini CLI repository was affected. Google moved quickly to fix the issue, patching it within four days after Aikido Security responsibly shared their findings. It is worth noting that this is one of the first times we’ve seen confirmed proof that AI prompt injection can directly break critical software pipelines.

The same risk was found in other popular AI tools like Claude Code Actions and OpenAI Codex Actions. While these tools have built-in safety rules (like needing specific user permissions), researchers found that if companies turn off these rules with a simple configuration change, it becomes easy for an outside attacker to steal the very important GITHUB_TOKEN.

Given this widespread risk, for anyone running these automated AI tools, security experts advise immediately limiting the powerful tools AI agents have access to and making sure you never inject untrusted user input directly into AI prompts.

PromptPwnd Vulnerability Exposes AI driven build systems to Data Theft

LummaC2 infostealer infects North Korean hacker’s device, exposing ties to $1.4B Bybit heist and revealing tools, infrastructure and OPSEC failures.

A North Korean state-sponsored threat actor got infected by the same kind of malware typically used against others, exposing rare insights into their operations and direct ties to one of the largest cryptocurrency thefts on record. For once, the tables turned.

The infection was picked up by Hudson Rock, a cybercrime intelligence firm, during analysis of a LummaC2 infostealer log. What looked like a routine infection turned out to be anything but. The compromised machine belonged to a malware developer operating within North Korea’s state-linked cyber apparatus.

****Links to $1.4 Billion Bybit Crypto Exchange Breach****

Hudson Rock matched the data against earlier findings from threat intelligence company Silent Push. Both investigations pointed to the same thing – the infected machine had been used in the setup that supported the $1.4 billion Bybit crypto heist.

It is worth noting that the Bybit data breach, which targeted the crypto exchange in February 2025, has long been linked to North Korean threat actors, widely believed to be connected to the Lazarus Group.

According to Hudson Rock’s report, which the company shared with Hackread.com, one of the most telling details came from credentials found on the infected device. Among them was an email address, [email protected], which Silent Push had already flagged in its findings.

That same email was used to register bybit-assessment.com, a domain spun up just hours before the Bybit theft. Its role was to impersonate the exchange and support the infrastructure behind the attack.

Though the infected system’s user may not have been directly responsible for the heist itself, the data reveals how different parts of a state-sponsored operation share assets. Development rigs, phishing domains, credential sets, and communications infrastructure all flow through shared hands. This machine happened to be one of them, exposing details typically hidden behind VPNs and fake identities.

****Specs and Tools of the Compromised Device****

The forensic data tells its own story. The infected device was a high-end setup, running a 12th Gen Intel Core i7 processor with 16GB of RAM, loaded with development tools like Visual Studio Professional 2019 and Enigma Protector.

Enigma is commonly used to pack executables to avoid antivirus detection. This wasn’t someone experimenting in a basement. This was a well-equipped rig used to produce malware and manage infrastructure.

Browser history and application data added more layers. The user routed traffic through a US IP using Astrill VPN, but browser settings defaulted to Simplified Chinese, and translation history included direct Korean language queries.

Slack, Telegram, Dropbox, and BeeBEEP were also being spotted installed on the system, all of which point to both internal communications and potential command-and-control use. Dropbox folder structures, in particular, suggested stolen data was being uploaded for later access.

****Astrill VPN and Fake Zoom Installers****

It’s important to note that Hackread.com’s November 2025 article, written by cybersecurity researcher Mauro Eldritch, reported that North Korean threat actors posing as job candidates for Western IT roles also used Astrill VPN to hide their IP addresses.

The system also revealed preparations for phishing. Domains like callapp.us and callservice.us were purchased, along with subdomains such as zoom.callapp.us, used to trick targets into downloading fake software or updates. The fake Zoom installer’s local IP address was also linked back to this same rig.

There’s no indication the threat actor realised they had been compromised. That’s what makes this so unusual. Infostealers like LummaC2 are usually deployed by attackers to grab browser data, credentials, and wallets from everyday users.

In this case, the malware backfired, exposing a piece of the infrastructure behind one of the most coordinated crypto thefts on record. It gives security researchers a rare chance to examine how a state-linked threat actor sets up and runs their operations. Hudson Rock has even built a simulator replicating the compromised machine, allowing others to inspect software, browser activity, and stolen data for themselves.

Screenshot via Hudson Rock

****A First for Infostealers, But Not for Hacker Exposure****

While this may be the first documented case of a North Korean hacker getting hit by an infostealer, it’s not the first time an operator from the country has had their system compromised. In August 2025, a group of hackers published 9GB of stolen data from the computer of an alleged North Korean threat actor.

The leak exposed internal tools, logs, sensitive documents, and files that appeared to belong to someone directly involved in offensive cyber operations. The incident provided an unusual and valuable peek into the daily environment of a threat actor working within North Korea’s cyber units.

Going further back, in July 2020, another rare breach made headlines, but this time involving Iranian hackers. IBM’s X-Force found a 40GB trove of training videos showing how Iranian operators hijacked email accounts in real time.

The videos showed step-by-step walkthroughs of credential theft, account takeovers, and techniques for maintaining access. While it remains unclear if the full footage was ever made public, the existence of the material gave researchers an unusually close view of the attackers’ methods and internal training resources.

Nevertheless, mistakes like this don’t happen often at that level. When they do, they open a window that rarely stays open for long.

LummaC2 Infects North Korean Hacker Device Linked to Bybit Heist

Cloudflare's Q3 2025 DDoS Threat Report reveals the Aisuru botnet launched a record 29.7 Tbps attack. Learn which sectors were the most targeted, and the key drivers behind the surge in attacks.

The Internet faced an aggressive surge in cyberattacks during the third quarter of 2025, according to a comprehensive DDoS threat report from Cloudflare, a web security and infrastructure company. The period was dominated by a notorious IoT botnet called Aisuru, which launched some of the largest-ever attacks.

Aisuru is believed to be a huge army of 1 to 4 million compromised devices worldwide, powerful enough to be rented out to anyone looking to cause chaos for a few hundred to a few thousand US dollars.

****The Unprecedented Scale of Aisuru****

Cloudflare reports that Aisuru was responsible for a world record-breaking DDoS attack that peaked at 29.7 terabits per second (Tbps) and 14.1 billion packets per second (Bpps).

This volume of traffic, achieved by a technique called UDP carpet-bombing, can even cause “collateral Internet disruption” for major Internet Service Providers (ISPs) in places like the US, slowing down or disrupting service for millions of users even when the ISP wasn’t the main target.

Source: Cloudflare

Since the start of 2025, Cloudflare has stopped 2,867 Aisuru attacks, including 1,304 massive “hyper-volumetric” ones in the third quarter alone, a 54% jump from the previous quarter.

It is worth noting that overall, Cloudflare’s automated systems blocked a total of 8.3 million DDoS attacks in the quarter, a 40% increase compared to last year. Interestingly, the two main types of attacks saw different trends: Network-layer attacks surged by 87%, while HTTP attacks actually fell by 41%. Furthermore, most attacks, including 71% of HTTP and 89% of network-layer attacks, lasted under 10 minutes, highlighting the challenge of human response time.

****Geopolitics Influencing Targets****

Certain industries were hit particularly hard. Information Technology & Services was the most attacked industry overall in Q3 2025, followed by Telecommunications and Gambling and Casinos.

However, some sectors saw dramatic spikes in attack frequency due to real-world events. Artificial Intelligence (AI) Companies, for example, reported the largest DDoS attack traffic, up by as much as 347% in September 2025, coinciding with the growing public discussions over AI regulation.

Similarly, the Automotive Industry saw the largest surge, moving 62 spots up the most attacked list, followed by the Mining, Minerals and Metals industry, given the rising trade tensions between the European Union and China.

Regarding affected countries, the most dramatic rise was seen in the Maldives (up 125 spots) and France (up 65 spots) during periods of national protests, indicating threat actors prefer targeting sites during unrest.

Nevertheless, China remains the most attacked country, followed by Turkey, Germany, Brazil, and the United States (which jumped 11 spots). Surprisingly, Indonesia remains the largest source of these attacks globally for the fourth consecutive quarter, with seven out of the top ten attack sources located in Asia.

Source: Cloudflare

****Automated Defence is Key****

Cloudflare concludes that because most attacks are now simply “too fast for any human or on-demand service to react,” companies must start relying more on automated systems for survival in the current digital age.

“Cybercriminals attack from all angles and are incredibly relentless in their attempts. Although this attempt was mitigated, it is a clear reminder that volume-powered DDoS campaigns are still evolving faster than the majority of organisations’ defences,_“_ said Jake Moore, Global Cybersecurity Advisor at ESET.

Commenting on the significance of the AISURU botnet, Moore emphasised that _“_scale and its use of highly randomised traffic show that relying on legacy filtering or static rules is not always enough, plus DDoS attacks are a clever way of targeting a company without having to genuinely hack the network, and the attackers can remain largely anonymous, making it so successful in its disruption._“_

_“_However, even with current robust protections, each year threat actors become better equipped and use even more IP addresses at scale to flood systems, making it increasingly more difficult to protect from. Once again, companies need to continually look into future-proofing their networks and to continue to expect the unexpected,” he advised.

Cloudflare Blocks Aisuru Botnet Powered Largest Ever 29.7 Tbps DDoS Attack

Austin, TX, USA, 4th December 2025, CyberNewsWire

**Austin, TX, USA, December 4th, 2025, CyberNewsWire**

**Phishing has surged 400% year-over-year, highlighting need for real-time visibility into identity exposures.**

SpyCloud, the leader in identity threat protection, today released new data showing a sharp rise in phishing attacks that disproportionately target corporate users. The company tracked a 400% year-over-year increase in successfully phished identities, with nearly 40% of the 28+ million recaptured phished records containing a business email address – compared to just 11.5% in recaptured malware data. The result is a warning to enterprises that their workforce is three times more likely to be targeted with phishing attacks than infostealer malware. 

The findings reinforce a growing shift in cybercriminals’ strategy: phishing is now the preferred gateway into enterprise environments, and SpyCloud sees this trend continuing in 2026. Threat actors are using this access as a launchpad for follow-on attacks, with SpyCloud reporting in its 2025 Identity Threat Report that phishing is now the leading entry point for ransomware, accounting for 35% of all ransomware infections. 

> “Phishing is now one of the most scalable tools cybercriminals use to breach enterprise environments,” said Trevor Hilligoss, SpyCloud’s Head of Security Research. “Cybercrime enablement services, like phishing-as-a-service kits that automate convincing lures and adversary-in-the-middle tactics that capture MFA tokens and session cookies, put advanced tactics into the hands of low-skilled actors, making it easier than ever to compromise users at scale. SpyCloud’s visibility into these campaigns gives organizations a critical edge, helping them detect who’s been targeted and what data has been exposed, and remediate those credentials before they can be weaponized.”

SpyCloud is the only provider recapturing and automatically remediating successfully phished identity data and targeting lists at scale before follow-on attacks like ransomware, fraud, and account takeover can occur.

> “Many organizations rely on traditional defenses like email filtering, endpoint protection, and employee education to stop phishing and malware attempts, but those tools only go so far,” said Damon Fleury, SpyCloud’s Chief Product Officer. “Attackers are still getting through – and when they do, it’s the exposed identity data that enables further harm. Security teams need to be vigilant about what’s already been compromised and circulating in the criminal underground. Prevention is important, but without real-time visibility and post-compromise remediation, it’s not enough.”

While phishing has become a dominant entry point, malware remains a critical threat vector. In the age of remote work and bring-your-own-device policies, personal exposures are increasingly used to compromise enterprise environments. A recent example is the 2025 Nikkei breach, where malware on a personal device led to the compromise of sensitive corporate data. Despite only 11.5% of recaptured malware infections exfiltrating business email addresses directly, SpyCloud data shows that nearly 1 in 2 corporate users have been the victim of an infostealer malware infection in their digital history, whether that be on a managed or unmanaged device – a strong indicator that threat actors are moving laterally from personal to corporate accounts.

> “Protecting the enterprise means looking beyond corporate accounts,” Fleury added. “Due to the continuous reuse of passwords and shared identity data across work and personal accounts like mobile numbers, the line between a user’s personal digital history and their professional access effectively no longer exists. That’s why it’s essential to monitor and remediate exposures across the full spectrum of an individual’s digital identity – personal and professional.”

SpyCloud is the leader in holistic identity protection, detecting and protecting organizations from the phishing, malware, and breach exposures of employees, contractors, and vendors across personal and professional identities. Users can click here to learn more.

**About SpyCloud:**

SpyCloud transforms recaptured darknet data to disrupt cybercrime. Its automated identity threat protection solutions leverage advanced analytics and AI to proactively prevent ransomware and account takeover, detect insider threats, safeguard employee and consumer identities, and accelerate cybercrime investigations. SpyCloud’s data from breaches, malware-infected devices, and successful phishes also powers many popular dark web monitoring and identity theft protection offerings. Customers include seven of the Fortune 10, along with hundreds of global enterprises, mid-sized companies, and government agencies worldwide. Headquartered in Austin, TX, SpyCloud is home to more than 200 cybersecurity experts whose mission is to protect businesses and consumers from the stolen identity data criminals are using to target them now.

To learn more and see insights on their company’s exposed data, users can visit spycloud.com.

**Contact**

**Sr. Account Director**  
**Emily Brown**  
**REQ on behalf of SpyCloud**  
**\[email protected\]**

Source

HackRead