Akamai's latest Ransomware Report 2025 reveals "quadruple extortion," new AI-driven tactics by groups like Black Basta, FunkSec, and TrickBot, and growing threats to non-profits. Learn about evolving cyber threats.

Cybercriminals are escalating their tactics, moving beyond traditional data encryption to employ a more aggressive approach known as quadruple extortion. This alarming trend is explained in the latest Ransomware Report 2025: Building Resilience Amid a Volatile Threat Landscape, released today by Akamai, a leading cybersecurity and cloud computing firm.

The report reveals that while double extortion (a technique where attackers encrypt data and threaten to leak it if a ransom isn’t paid) remains common, the emerging quadruple extortion adds layers of pressure. This includes using distributed denial-of-service (DDoS) attacks to shut down a victim’s operations and harassing third parties, like customers, business partners, or even the media, to increase the demand for payment.

Image via Akamai

“Ransomware threats today aren’t just about encryption anymore,” stated Steve Winterfeld, Advisory CISO at Akamai. He emphasised that attackers are now leveraging “stolen data, public exposure, and service outages to increase the pressure on victims,” turning cyberattacks into major business crises.

The Akamai report also highlights other significant developments in the world of cybercrime. Generative AI and large language models (LLMs) are making it easier for individuals with less technical skill to launch complex ransomware attacks by helping them write malicious code and improve their social engineering techniques. The report specifically notes that groups like Black Basta and FunkSec, along with other RaaS platforms, are quickly adopting AI and evolving their extortion tactics.

Additionally, hybrid groups, combining the motives of hacktivists with ransomware, are increasingly using ransomware-as-a-service (RaaS) platforms. These platforms allow individuals or groups to rent access to ransomware tools and infrastructure, amplifying their impact for a mix of political, ideological, and financial reasons. An example is Dragon RaaS, which emerged in 2024 from the Stormous group, now focusing on smaller, less secure organisations.

The research indicates that certain sectors are particularly vulnerable. Nearly half of all cryptomining attacks, which involve secretly using a victim’s computer resources to mine cryptocurrency, targeted non-profit and educational organisations. This is likely due to these organisations often having fewer resources dedicated to cybersecurity.

****TrickBot: The Malware Behind Hundreds of Millions in Crypto Extortion****

For decades, Trickbot malware has been known for hijacking cryptocurrency transactions, and the financial damage caused by these groups is finally showing up. The TrickBot malware family, widely used by ransomware groups, has alone been responsible for extorting over $724 million in cryptocurrency from victims since 2016.

Although the Trickbot’s infrastructure was dismantled in 2020, Akamai’s Guardicore Hunt Team recently identified its continued suspicious activity on several customer systems.

****How Does TrickBot Infect a Device****

TrickBot malware spreads primarily through phishing emails, which are created to look like legitimate messages from banks, delivery services, or government agencies. These emails include malicious attachments, such as Word or Excel files, or links to compromised websites. When a user opens one of these attachments, they may be prompted to enable macros. If they do, malicious scripts run in the background and quietly install TrickBot on the system.

In addition to phishing, TrickBot can exploit unpatched software vulnerabilities. If a system hasn’t been updated with the latest security fixes, the malware can use those flaws to gain access or spread across the network. It’s also common for TrickBot to be delivered by other malware, especially Emotet or QakBot. These act as loaders, setting up the infection so TrickBot can follow.

Once TrickBot gains access, it harvests login credentials, maps out connected systems, and infects other machines. This infection chain allows it to collect more data and sometimes even deploy ransomware.

James A. Casey, Akamai’s Vice President and Chief Privacy Officer, emphasised the importance of strong cybersecurity measures, incident reporting, and effective risk management strategies, such as Zero Trust and micro-segmentation, to build resilience against these evolving threats. He stressed that organisations must stay updated and adapt their defences to counter the changing tactics of cyber extortion.

TrickBot Behind More Than $724 Million in Crypto Theft and Extortion

Menlo Park, United States, 30th July 2025, CyberNewsWire

**Menlo Park, United States, July 30th, 2025, CyberNewsWire**

AccuKnox, Inc., the Zero Trust Cloud-Native Application Protection Platform (CNAPP) leader, has announced deployment in the UAE banking sector through its strategic partnership with cybersecurity VAD **CyberKnight**. The deal, secured with a major Abu Dhabi-based financial institution , marks a milestone in AccuKnox’s regional expansion.

The deployment will enhance the bank’s cloud security framework and support its broader digital transformation objectives, ensuring alignment with UAE banking regulations and national cybersecurity mandates.

**Security for Critical Banking Infrastructure**

AccuKnox’s Code to Cognition security platform rollout is tailored to address the region’s growing threats to financial institutions.

**Key benefits include:**

*   **Compliance** with UAE Bank regulations, PCI-DSS, ISO 27001, and SOC2 Type II
*   **Zero Trust architecture** implementation supporting the UAE’s National Cybersecurity Strategy
*   **Real-time monitoring** across multi-cloud and Kubernetes environments
*   **DevSecOps alignment** for seamless integration into development workflows without operational disruptions
*   **Advanced threat detection** capabilities to protect financial transactions and sensitive customer data

**Voices from the Leaders**

> “**We’re proud to facilitate this breakthrough partnership. It signals a clear shift: financial institutions in the UAE are ready to leap ahead with cybersecurity strategies that are smart, scalable, and regionally supported,**” – said Avinash Advani, CEO and Founder of CyberKnight

> **“This deployment significantly transforms not only our operations, but also the entire UAE region.” Working with a visionary institution of this size highlights the growing importance of Zero Trust architecture in safeguarding the backbone of digital banking,”** – said Nat Natraj, CEO and Co-Founder, AccuKnox 

> **“Thanks to our partnership with CyberKnight, we are continuing to grow and establish a leadership position in the GCC region. We are pleased to see the increasing momentum in the Middle East**. – said Raj Panchapakesan, Global Head, Partner Ecosystem, AccuKnox.

**About AccuKnox**

AccuKnox delivers a Zero Trust CNAPP platform that secures public clouds, private clouds, edge/IoT & 5G assets. Born out of SRI International (Stanford Research Institute), AccuKnox holds seminal Zero Trust security patents and is backed by top-tier investors including National Grid Partners, Dolby Family Ventures, and the 5G Open Innovation Lab.

Users can learn more at accuknox.com

**About CyberKnight**

CyberKnight is a regional cybersecurity leader serving the Middle East and Africa. With specialised expertise in finance and government, CyberKnight partners with the world’s leading security providers to deliver end-to-end protection tailored to the unique demands of the region.

Organizations evaluating CNAPP solutions can **schedule a 15-minute** **demo** **to learn more.**

**Contact**

**Product Marketing Manager**  
**Syed Hadi**  
**AccuKnox Inc.**  
**\[email protected\]**

AccuKnox partners with CyberKnight to deliver Zero Trust Security for a Leading Global Bank in the UAE.

Choicejacking is a new USB attack that tricks phones into sharing data at public charging stations, bypassing security prompts in milliseconds.

If you thought using a public phone charger was safe, it’s time to think again. Despite years of updates aimed at protecting smartphones from “juice jacking” attacks, cybersecurity researchers have identified a new threat that sidesteps those very safeguards.

A new study now outlines how attackers are now using a method called Choicejacking to exploit smartphones into granting unauthorised access, often without the user realising anything happened.

****From Juice Jacking to Choicejacking****

Juice jacking first made headlines over a decade ago, when hackers used infected charging stations to either steal data or inject malware into connected phones. In response, smartphone operating systems began requiring users to approve any data transfer when a device is plugged into an unknown port. That change gave users the option to choose “charge only” or allow file access.

But researchers from Graz University of Technology in Austria have found a way (PDF) to sidestep those security prompts altogether. The technique tricks phones into thinking the user has allowed data transfer, even when they haven’t touched the screen.

****How Choicejacking Works****

Instead of relying on traditional malware, this attack spoofs USB or Bluetooth input devices to fake user actions. A malicious charging station could simulate keyboard inputs, overflow input buffers, or abuse device communication protocols to quietly switch your phone into data-transfer or debug mode.

The entire process takes less than 133 milliseconds. That’s faster than you can blink, meaning the phone reacts before you even have a chance to notice.

Adrianus Warmenhoven, a cybersecurity advisor at NordVPN, said the danger lies in the illusion of control. “Choicejacking is particularly dangerous because it manipulates a device into making decisions users never intended, all without them realising it,” he explained.

Once access is granted, the attacker can quietly browse photos, read messages, or plant malicious software.

Attack flow (Image via Graz University of Technology)

****Public Ports Aren’t Worth the Risk****

The rise of choicejacking reinforces what cybersecurity experts have said for years: public USB ports should not be trusted. Even at airports, hotels, or cafés, a compromised charger could be waiting to hijack your device.

Warmenhoven adds, “With a single deceptive prompt, attackers can trick people into enabling data transfer, potentially exposing personal files and other sensitive data.”

That warning applies to both Android and iOS users. While some platforms offer more visible prompts or charge-only settings, the underlying vulnerabilities still exist, and attackers are always looking for ways to get around them.

While the Choicejacking technique was detailed in a research paper, it has been accepted for presentation at the 34th USENIX Security Symposium, taking place in August 2025.

****What You Can Do to Stay Safe****

Nevertheless, researchers suggest keeping your phone’s software updated and avoiding unfamiliar charging ports whenever you can. It also helps to be prepared. Carrying a portable power bank is one of the easiest ways to stay in control while you’re out. If you do need to plug in, try to use a wall outlet with your own cable and adapter instead of a public USB port, especially ones that look suspicious or overly complicated.

Some devices let you select “charge only” mode, which prevents any data from being transferred. Turn that on if it’s available. While attackers keep finding new tricks, staying cautious and informed can still keep you a step ahead.

New Choicejacking Attack Steals Data from Phones via Public Chargers

Allianz Life Insurance confirms a July 2025 data breach impacting 1.4 million customers, financial pros and employees. Learn how social engineering exploited a third-party CRM, the hallmarks of Scattered Spider tactics, and the broader risks of supply chain vulnerabilities.

Allianz Life Insurance Company of North America, based in Minneapolis, MN, has confirmed a significant data breach, affecting the personal information of most of its 1.4 million customers, financial professionals, and select employees. The incident, which occurred on July 16, 2025, and was discovered the following day, involved unauthorised access to a customer relationship management (CRM) platform operated by a third-party vendor.

According to TechCrunch, which first reported this incident, the attacker gained access using a social engineering technique, which involves manipulating individuals through deception to obtain credentials or sensitive data. While the exact number of individuals impacted remains undisclosed, the company has reported the breach to authorities, including the FBI and the Maine Attorney General’s office.

“The threat actor was able to obtain personally identifiable data related to the majority of Allianz Life’s customers, financial professionals, and select Allianz Life employees. We took immediate action to contain and mitigate the issue and notified the FBI,” the company’s spokesperson stated.

Allianz Life plans to begin sending written notifications to affected individuals around August 1, 2025, offering them 24 months of complimentary credit monitoring and identity theft protection. The company’s internal systems, including its policy administration platform, remained secure throughout the incident. The breach was also confirmed by parent company Allianz SE, which stated it was contained to Allianz Life’s North American operations and did not affect other parts of the global Allianz Group network.

The method used in the Allianz Life breach, employing social engineering to access a third-party system, bears similarities to tactics used by the Scattered Spider hacking collective. This group is known for using deception, such as impersonating IT help desks, to steal credentials from technology vendors. However, the specific perpetrators of the Allianz Life attack have not been identified.

This incident highlights a growing challenge for financial service companies: securing their extended technology networks, given the rising number of cases where financial firms are compromised via their third-party providers rather than direct attacks on their main infrastructure.

Third-party vendors handling sensitive customer data have become appealing targets for cybercriminals seeking a single entry point to access information from multiple organisations. Cloud-based CRM systems are particularly attractive, as they contain valuable customer details such as contact information, policy specifics, and communication histories and can potentially offer pathways for attackers to move deeper into corporate networks.

While Allianz Life swiftly implemented containment measures and is notifying affected customers, experts caution that stolen personal data could still be “weaponised” in future social engineering attempts targeting the same victims. Individuals impacted should, therefore, remain vigilant against unsolicited messages or suspicious links.

“This breach highlights that the biggest threats don’t always come from direct attacks, but often a combination of vulnerabilities across the entire supply chain. In this case, the attacker used multiple techniques: social engineering to obtain access rights, and a third-party solution as a backdoor into the system,” said Boris Cipot, Senior Security Engineer at Black Duck, a Burlington, Massachusetts-based provider of application security solutions.

“Allianz responded appropriately by notifying the authorities and the affected customer, and by offering credit and identity monitoring services,” Boris added. “However, impacted individuals should remain vigilant. The stolen data could still be used in follow-up social engineering attempts. Be cautious of unsolicited messages, especially those containing links or attachments. Don’t click on links or open files unless you’re absolutely sure they’re legitimate,” he warned.

Allianz Life Data Breach Hits 1.4 Million Customers

Darktrace uncovers the first exploit of a critical SAP NetWeaver vulnerability (CVE-2025-31324) to deploy Auto-Color backdoor malware. Learn how this evasive Linux RAT targets systems for remote code execution and how AI-powered defence thwarts multi-stage attacks.

Darktrace, a leading cybersecurity research firm, has identified what is believed to be the first documented instance of threat actors exploiting a critical SAP NetWeaver vulnerability (CVE-2025-31324) to deploy the evasive Auto-Color backdoor malware.

This flaw, disclosed by SAP SE on April 24, 2025 and assigned a CVSS score of 10, is particularly dangerous as it enables attackers to upload malicious files to the SAP NetWeaver application server, potentially leading to remote code execution and full system compromise.

****About Auto-Color****

The Auto-Color Backdoor, first seen in November 2024 and previously observed targeting systems in the US and Asia, is a Remote Access Trojan (RAT) named for its ability to rename itself to “/var/log/cross/auto-color” post-execution. It primarily targets Linux systems, often found in universities and government institutions in the US and Asia.

Auto-Color is highly evasive, exploiting built-in Linux features like ld.so.preload for persistent system compromise. Each instance is unique due to statically compiled and encrypted command-and-control (C2) configurations. A key new finding is the malware’s suppression tactic: it can “pretend to be sleep” if C2 connections fail, appearing benign to analysts and hiding its full capabilities during analysis.

****Attack Timeline: SAP Exploit to Malware Delivery****

This crucial research was shared with Hackread.com ahead of its publishing on Tuesday, according to which in April 2025, Darktrace Security Operations Centre (SOC) identified a multi-stage Auto-Color attack on a US-based chemicals company’s network.

According to researchers, initial scanning for CVE-2025-31324 was observed from April 25. Active exploitation began on April 27, with an incoming connection from IP 91.193.19.109 and a ZIP file download signalling the exploit.

The compromised device immediately made suspicious DNS requests for Out-of-Band Application Security Testing (OAST) domains on April 27 and 28, a tactic for vulnerability testing or data tunnelling.

Timeline of Exploit (Source: Darktrace)

Roughly ten hours later, on April 27, a shell script (config.sh) was downloaded. The device then made connections to 47.97.42.177, an endpoint linked to Supershell, a C2 platform. Less than 12 hours later, on April 28, the Auto-Color ELF malware file was downloaded from 146.70.41.178. Darktrace’s investigation confirmed this was the first observed pairing of SAP NetWeaver exploitation with Auto-Color malware.

****AI-Powered Security Halts Stealthy Intrusion****

Darktrace’s AI-driven Autonomous Response capability quickly intervened, enforcing a “pattern of life” on the affected device for 30 minutes, starting on April 28. This prevented further malicious actions while allowing normal business operations. Multiple alerts were triggered, prompting investigation by Darktrace’s Managed Detection and Response (MDR) service.

Alerts from the device’s Model Alert Log (Source: Darktrace)

Analysts extended the Autonomous Response actions for an additional 24 hours, giving the customer’s security team crucial time for investigation and remediation.

This incident highlights that despite urgent disclosures, vulnerabilities like CVE-2025-31324 remain actively exploited, leading to more persistent threats. Darktrace’s timely detection and autonomous response ensured the threat was contained, preventing escalation and demonstrating the power of AI in thwarting sophisticated, multi-stage attacks.

Since CVE-2025-31324 remains actively exploited despite disclosure, organisations should take immediate actions, said Mayuresh Dani, Security Research Manager, at Qualys Threat Research Unit.

“Immediately patch SAP NetWeaver systems against CVE-2025-31324, but if for some reason, they cannot install the patch, they should immediately stop exposing these SAP NetWeaver installations on the internet, isolate them and block the /developmentserver/metadatauploader endpoint and also deploy a zero-trust architecture that assumes breach and verifies every network transaction before transmission.”, stressed Mayuresh.

SAP NetWeaver Vulnerability Used in Auto-Color Malware Attack on US Firm

Palo Alto, California, 29th July 2025, CyberNewsWire

**Palo Alto, California, July 29th, 2025, CyberNewsWire**

Despite the expanding use of browser extensions, the majority of enterprises and individuals still rely on labels such as “Verified” and “Chrome Featured” provided by extension stores as a security indicator. The recent Geco Colorpick case exemplifies how these certifications provide nothing more than a false sense of security – Koi Research disclosed 18 malicious extensions that distributed spyware to 2.3M users, with most bearing the well-trusted “Verified” status.

SquareX researchers disclosed the technological reason behind this vulnerability, highlighting an architectural flaw in Browser DevTools that prevents browser vendors and enterprises from performing the thorough security analysis many enterprises expect.

> “Aside from the fact that thousands of extension updates and submissions are being made daily, it is simply impossible for browser vendors to monitor and assess an extension’s security posture at runtime,” says Nishant Sharma, Head of Security Research at SquareX, “This is because existing DevTools were designed to inspect web pages. Extensions are complex beasts that can behave dynamically, work across multiple tabs and have “superpowers” that allow them to easily bypass detection via rudimentary Browser DevTool telemetry.”

In other words, even if browser vendors were not inundated by the sheer quantity of extension submission requests, the architectural limitations of Browser DevTools today would still allow numerous malicious extensions to pass DevTool based security inspections. 

Browser DevTools were introduced in the late 2000s, long pre-dating the widespread extension adoption. These tools were invented to help users and web developers debug websites and inspect web page elements. However, browser extensions have unique capabilities to, among others, modify, take screenshots and inject scripts into multiple web pages, which cannot be easily monitored and attributed by Browser DevTools. For example, an extension may make a network request through a web page by injecting a script into the page. With Browser DevTools, there is no way to differentiate network requests made by the web page itself and those by an extension.

Detailed in the technical blog, SquareX’s researchers propose a novel approach that uses the combination of a modified browser and Browser AI Agents to plug this gap. The modified browser exposes critical telemetry required to understand an extension’s true behavior, while the Browser AI Agent simulates different user personas to incite various extension behaviors at runtime for monitoring and security analysis. This not only allows a dynamic analysis of the extension, but also discoveries of various “hidden” extension behaviors that are only triggered by time, a certain user action or device environments. Named the Extension Monitoring Sandbox, the research details the necessary modifications required for the modified browser. 

The revelation of Browser DevTools’ architectural limitations exposes a fundamental security gap that has led to millions of users being compromised. As browser extensions become a core part of the enterprise workflow, it is critical for enterprises to move from superficial labels to solutions specifically designed to tackle extension security. It is absolutely critical for browser vendors, enterprises and security vendors to work closely together in tackling what has become one of the fastest emerging threat vectors.

This August, SquareX is offering a free enterprise-wide extension audit in August. The audit involves conducting an extensive audit of all extensions installed across the organization using all three components of the SquareX Extension Analysis Framework – metadata analysis, static code analysis and dynamic analysis with the Extension Monitoring Sandbox – providing a full analysis of the organization’s extension risk exposure and a risk score for each extension.

**About** **SquareX**

SquareX’s browser extension transforms any browser on any device into an enterprise-grade secure browser. SquareX’s industry-first Browser Detection and Response (BDR) solution empowers organizations to proactively detect, mitigate, and threat-hunt client-side web attacks including malicious browser extensions, advanced spearphishing, browser-native ransomware, GenAI data loss prevention, and more.

Unlike legacy security approaches and cumbersome enterprise browsers, SquareX seamlessly integrates with users’ existing consumer browsers, ensuring enhanced security without compromising user experience or productivity. By delivering unparalleled visibility and control directly within the browser, SquareX enables security leaders to reduce their attack surface, gain actionable intelligence, and strengthen their enterprise cybersecurity posture against the newest threat vector – the browser.

More information available at: sqrx.com

**Reference**

http://www.bleepingcomputer.com/news/security/malicious-chrome-extensions-with-17m-installs-found-on-web-store/

**Contact**

**Head of PR**  
**Junice Liew**  
**SquareX**  
**\[email protected\]**

SquareX Discloses Architectural Limitations of Browser DevTools in Debugging Malicious Extensions

Specops Software's analysis reveals how Scattered Spider's persistent help desk exploitation cost Clorox $400 million. Understand the August 2023 breach, its operational disruption, and critical steps organisations must take to protect against similar social engineering threats.

Cleaning products giant Clorox has sued its IT services partner, Cognizant, alleging that a devastating August 2023 ransomware attack that crippled production and cost the company $380 million in lost revenue was due to the firm’s negligence.

In a California Superior Court lawsuit, Clorox claims hackers linked to the Scattered Spider group simply obtained credentials by phoning Cognizant’s service desk for a password reset. Clorox further alleges Cognizant botched its response, prolonging the recovery time.

Now, Specops Software, a security analysis firm, published a detailed analysis of this incident, revealing precisely how this straightforward service desk attack unfolded and offering critical lessons for organisations.

According to their research, shared with Hackread.com, the incident began on August 11, 2023. Attackers, impersonating legitimate employees, placed multiple calls to Cognizant’s service desk. Their goal: to get passwords and Multi-Factor Authentication (MFA) resets for locked-out employees.

Despite Clorox’s clear procedures, the service desk agent reportedly bypassed these protocols, failing to verify the caller’s identity and providing new credentials. Compounding the oversight, no alert emails were sent to the impersonated employee or their manager – a basic notification that could have warned Clorox’s security team.

The hackers then repeated this tactic, gaining access to a second account belonging to an IT-security employee. This instantly elevated their access _to domain-admin privileges_, granting them unrestricted entry to Clorox’s core Active Directory environment, which controls user access across the network.

With high-level credentials, the intruders swiftly disabled security controls, escalated their privileges further, and deployed ransomware across key servers. This silently encrypted data, severing vital links between manufacturing, distribution, and IT systems. Production lines halted, and order fulfilment ceased. Clorox reported $49 million in direct remediation expenses and a staggering $380 million in lost revenue.

The risk of outsourcing critical IT support functions, while offering cost savings, can introduce vulnerabilities. Notably, UK retailer Marks and Spencer’s faced a similar incident where Scattered Spider tricked staff at their IT helpdesk contractor, Tata Consultancy Services (TCS), into resetting privileged credentials, also gaining Active Directory access.

This incident highlights the ongoing threat posed by Scattered Spider (aka 0ktapus, UNC3944). As Hackread.com reported, this group has been involved in numerous high-profile breaches, including MGM Resorts and other major retailers.

Their persistent exploitation of help desks to target VMware vSphere environments for ransomware deployment directly from the hypervisor to the Clorox incident shows that simple human vulnerabilities, if unaddressed, can lead to monumental financial and operational devastation.

To mitigate these risks, organisations must enforce strict Service Level Agreements (SLAs) with contractors, conduct regular red team exercises (simulated attacks) on outsourced processes, and demand transparent, real-time reporting of high-risk activities. Crucially, service desk permissions should be locked down to prevent agents from resetting admin or IT-privileged accounts without secondary approval workflows.

How Scattered Spider Used Fake Calls to Breach Clorox via Cognizant

GLOBAL GROUP Ransomware targets media giant Albavisión, claims 400 GB data theft as it continues hitting global sectors with advanced extortion tactics.

The GLOBAL GROUP ransomware gang is claiming responsibility for a breach of **Albavisión** (albavision.tv), a major Spanish-language media conglomerate based in Miami, Florida. The group also claims to have stolen 400 GB of data.

GLOBAL GROUP is a newly emerged Ransomware-as-a-Service **(RaaS) operation** that has been active since early June 2025. The group has targeted multiple sectors globally, including media and healthcare, with Albavisión listed as its 29th claimed victim since its launch.

What sets GLOBAL GROUP ransomware apart from other gangs is its use of an AI-driven negotiation tool. This system employs chatbots to handle negotiations with victims, particularly those who do not speak English.

In its latest announcement posted earlier today on its dark web leak site, GLOBAL GROUP stated that Albavisión has 15 days to begin negotiations or the allegedly stolen data will be published online. While the exact ransom amount in this case is unknown, a previous incident **observed** by EclecticIQ showed the group demanding 9.5 BTC, which was approximately $1 million at the time.

A look at the ransomware group’s previous listings shows it has so far leaked a complete dataset of 18 victims, which also includes a hospital.

Screenshot from the GLOBAL GROUP ransomware gang’s dark web leak site. (Image credit: Hackread.com)

****Is GLOBAL GROUP Ransomware Targeting Media Giants?****

While GLOBAL GROUP has been targeting a variety of industries, its recent activity suggests a focus on media organisations. For example, the group has listed “RTE” as one of its victims, though no additional details have been provided. RTE (RTÉ) is the national television and radio broadcaster of Ireland.

However, since it remains unclear which entity the group is referring to, Hackread.com does not imply that the Irish media organisation was breached or is the intended target listed as “RTE.”

Another name on the list is Rete Toscana Classica (RTC), an Italian radio station that broadcasts classical music 24 hours a day. Both RTE and RTC have been given 7 days to respond or begin negotiations with the GLOBAL GROUP ransomware gang.

Screenshot from the GLOBAL GROUP ransomware gang’s dark web leak site. (Image credit: Hackread.com)

****Targeting Albavisión: A Calculated Move by GLOBAL GROUP?****

Targeting Albavisión appears to be a calculated move. The multinational media conglomerate operates across Latin America, owning around 45 television channels, 68 radio stations, a print publication, and approximately 65 movie theatres in 14 to 15 Spanish-speaking countries.

The company was founded in 1987 by Remigio Ángel González, a Mexican-born Guatemalan businessman who is known for acquiring struggling media outlets and turning them into profitable operations using syndicated programming and local telenovelas. González is personally estimated to be worth around **$2 billion**, though the exact valuation of the company itself is not publicly disclosed.

Nevertheless, GLOBAL GROUP ransomware is emerging as yet another serious cybersecurity threat to organisations worldwide. While authorities continue to struggle with the growing challenge of ransomware gangs and with even data breach-focused threat actors like Scattered Spider now **moving toward ransomware**, businesses must rethink their security strategies.

This is especially urgent for sectors like healthcare. Implementing clear cybersecurity policies and providing training to all staff, including those with limited access to sensitive data, is essential. Employees should be **educated on phishing scams**, social engineering tactics, and the risks of using work devices for personal activities.

Hackread.com has reached out to Albavisión. This article will be updated accordingly.

GLOBAL GROUP Ransomware Claims Breach of Media Giant Albavisión

A new report from Google's GTIG reveals how UNC3944 (0ktapus) uses social engineering to compromise Active Directory, then exploits VMware vSphere for data theft and direct ransomware deployment. Understand their tactics and learn vital mitigation steps.

A highly “aggressive” cyber campaign, identified in mid-2025 by Google’s Threat Intelligence Group (GTIG), is posing a severe threat to major industries, including retail, airlines, and insurance.

This sophisticated operation is attributed to Scattered Spider, a financially motivated hacking group also known as 0ktapus and UNC3944, which has been involved in high-profile breaches, including those affecting UK retail giants M&S, Harrods, and Co-op.

Although several members of the group have been arrested and charged in the United States and the United Kingdom over attacks on MGM Resorts and major retailers, the group remains highly active and continues to demonstrate a global presence.

In its latest campaign, as reported by GTIG, the group is eyeing compromised Active Directory accounts to gain full control of VMware vSphere environments to steal sensitive data and deploy ransomware directly from the hypervisor.

This method is particularly dangerous as it often bypasses traditional security tools like Endpoint Detection and Response (EDR), which lack visibility into the underlying ESXi hypervisor and vCenter Server Appliance (VCSA).

GTIG outlines how UNC3944 moves from an initial low-level foothold to complete hypervisor control across five methodical phases. The critical entry point involves phone-based social engineering where attackers impersonate a regular employee, making phone calls to the IT help desk. By using publicly available personal information and persuasive tactics, they trick help desk agents into resetting Active Directory passwords.

This initial access allows them to conduct internal reconnaissance, searching for high-value targets like vSphere administrators or powerful Active Directory groups. They then make a second, more informed call, impersonating a privileged administrator to take over their account. This cunning two-step process bypasses standard technical protections by exploiting vulnerabilities in help desk identity verification procedures.

Once privileged Active Directory credentials are stolen, the attackers swiftly move to compromise the vCenter Server. From there, they gain “virtual physical access” to the VCSA. They manipulate the system’s bootloader to achieve root access, enabling SSH, and then deploy a legitimate open-source tool called Teleport. This tool creates a persistent, encrypted communication channel, effectively bypassing most firewalls.

 With this deep control, they can enable SSH on ESXi hosts, reset passwords, and perform an “offline attack” on critical virtual machines, such as Domain Controllers. This involves powering off a target VM, detaching its virtual disk, attaching it to an unmonitored “orphaned” VM, and copying sensitive data like the Active Directory database.

All of this occurs at the hypervisor layer, rendering it invisible to in-guest security agents. Before deploying ransomware, they sabotage recovery efforts by targeting backup infrastructure, deleting jobs and repositories. Finally, they use SSH access to ESXi hosts to push their custom ransomware, forcibly powering off VMs and encrypting files directly from the hypervisor.

Attack chain (Via Google)

“UNC3944’s playbook requires a fundamental shift in defensive strategy, moving from EDR-based threat hunting to proactive, infrastructure-centric defence,” Google warns. The group operates with extreme speed; the entire attack, from initial access to ransomware deployment, “can occur in mere hours.” Therefore, organisations must protect their virtualised assets through strong identity verification, VMware hardening, backup integrity, and continuous monitoring.

“The advanced sophistication Scattered Spider exhibits should have security teams on high alert,” said Thomas Richards, Infrastructure Security Practice Director at Black Duck, a Burlington, Massachusetts-based provider of application security solutions.

“Social engineering attacks can be prevented with proper training and a challenge process to validate the caller is who they say they are. By using valid credentials and built-in tools, it is difficult for security teams to discern if they are compromised or not,” he advised.

Scattered Spider Launching Ransomware on Hijacked VMware Systems, Google

macOS flaw dubbed Sploitlight allows attackers to access Apple Intelligence-cached data by abusing Spotlight plugins, bypassing privacy controls.

A newly disclosed macOS vulnerability is allowing attackers to bypass Apple’s privacy controls and access sensitive user data, including files cached by Apple Intelligence. Tracked as CVE-2025-31199, the flaw was identified by Microsoft Threat Intelligence and involves a method that abuses Spotlight plugins to leak protected files.

Microsoft Threat Intelligence, which originally spotted the vulnerability, revealed the flaw and dubbed the exploit “Sploitlight” due to its abuse of Spotlight plugins. While Apple has already released a patch, the technical method behind the exploit should be concerning for macOS users, especially those using Apple’s latest AI-powered features.

It all starts with how Spotlight, macOS’s built-in search tool, handles plugins known as importers. These are designed to help index content from specific apps like Outlook or Photos.

Microsoft researchers found that attackers could modify these importers to scan and leak sensitive data from TCC-protected locations like Downloads and Pictures, even without the user’s permission. The trick? Logging file contents in chunks through the system log, then quietly retrieving them.

However, according to the company’s blog post, it gets worse. Apple Intelligence, installed by default on all ARM-based Macs, stores caches containing geolocation data, photo and video metadata, recognised faces, and even search history.

This information, protected under TCC (Transparency, Consent, and Control) rules, is typically out of reach to apps without user consent. But using Sploitlight, attackers can pull this data directly from the caches, bypassing the system’s consent mechanisms entirely.

Microsoft’s proof-of-concept shows a clear step-by-step process attackers could use to exploit the flaw. By modifying the metadata of a Spotlight plugin, placing it in a specific directory, and triggering a scan, attackers can tap into sensitive folders without ever requesting access. And because these plugins don’t need to be signed, no compilation is necessary. A few tweaks to a text file are all it takes.

Apple’s patch, released in March 2025 for macOS Sequoia, addresses this flaw. Microsoft thanked Apple’s security team for cooperating under Coordinated Vulnerability Disclosure and urged users to install the updates without delay.

The impact goes further than the mechanics of the exploit and affects real user data. Since metadata and facial recognition information sync across Apple devices via iCloud, attackers exploiting a single Mac could also gain indirect insights into iPhones or iPads linked to the same account.

This isn’t the first TCC bypass Apple has dealt with. Earlier examples like powerdir and HM-Surf relied on different system components, but Sploitlight’s use of Spotlight importers makes the attack both subtle and effective. It blurs the lines between trusted operating system components and what can be injected from user-controlled sources.

If you use a Mac, especially one with Apple Intelligence features active, make sure your system is up to date. The fix for CVE-2025-31199 is live and available, and applying it closes off this very specific way of data theft.

Source

HackRead