ThreatsDay Bulletin: Hybrid P2P Botnet, 13-Year-Old Apache RCE and 18 More Stories

Thursday. Another week, another batch of things that probably should've been caught sooner but weren't. This one's got some range — old vulnerabilities getting new life, a few "why was that even possible" moments, attackers leaning on platforms and tools you'd normally trust without thinking twic...

Bearlyfy Hits Russian Firms with Custom GenieLocker Ransomware

A pro-Ukrainian group called Bearlyfy has been attributed to more than 70 cyber attacks targeting Russian companies since it first surfaced in the threat landscape in January 2025, with recent attacks leveraging a custom Windows ransomware strain codenamed GenieLocker. "Bearlyfy also known as...

ThreatsDay Bulletin: OpenSSL RCE, Foxit 0-Days, Copilot Leak, AI Password Flaws & 20+ Stories

The cyber threat space doesn’t pause, and this week makes that clear. New risks, new tactics, and new security gaps are showing up across platforms, tools, and industries — often all at the same time. Some developments are headline-level. Others sit in the background but carry long-term impact...

Exploit for Deserialization of Untrusted Data in Microsoft

Incident Investigation Report Case Title: WSUS Exploi...

UK Exposes Bulletproof Hosting Operator Linked to LockBit and Evil Corp

The operator, Alexander Volosovik, also known as “Yalishanda”, “Downlow” and “Stasvl,” ran a long-running bulletproof hosting operation used by top ransomware groups...

Ransomware's Fragmentation Reaches a Breaking Point While LockBit Returns

Key Takeaways: 85 active ransomware and extortion groups observed in Q3 2025, reflecting the most decentralized ransomware ecosystem to date. 1,590 victims disclosed across 85 leak sites, showing high, sustained activity despite law-enforcement pressure. 14 new ransomware brands launched this...

Inside LockBit: Technical, Behavioral, and Financial Anatomy of a Ransomware Empire

LockBit has evolved from an obscure Ransomware-as-a-Service newcomer in 2019 to the most prolific ransomware franchise of 2024. Leveraging a recently leaked MySQL dump of the gang's management panel, this study offers an end-to-end reconstruction of LockBit's technical, behavioral, and financial...

⚡ Weekly Recap: WSUS Exploited, LockBit 5.0 Returns, Telegram Backdoor, F5 Breach Widens

Security, trust, and stability — once the pillars of our digital world — are now the tools attackers turn against us. From stolen accounts to fake job offers, cybercriminals keep finding new ways to exploit both system flaws and human behavior. Each new breach proves a harsh truth: in...

Learning from the LockBit Takedown

...

Dark Web Roast - September 2025 Edition

Dark Web Roast - September 2025 Edition By Trellix Advanced Research Center · October 14, 2025 Executive Summary September 2025 brought us a delightful buffet of underground incompetence that makes one wonder if cybercriminals are actively competing for the "Most Spectacular Failure" award. From...

Hackers Turn Velociraptor DFIR Tool Into Weapon in LockBit Ransomware Attacks

Threat actors are abusing Velociraptor, an open-source digital forensics and incident response DFIR tool, in connection with ransomware attacks likely orchestrated by Storm-2603 aka CL-CRI-1040 or Gold Salem, which is known for deploying the Warlock and LockBit ransomware. The threat actor's use ...

Velociraptor leveraged in ransomware attacks

Cisco Talos has confirmed that ransomware operators are leveraging Velociraptor, an open-source digital forensics and incident response DFIR tool that had not previously been definitively tied to ransomware incidents. We assess with moderate confidence that this activity can be attributed to thre...

LockBit, Qilin, and DragonForce Join Forces to Dominate the Ransomware Ecosystem

Three prominent ransomware groups DragonForce, LockBit, and Qilin have announced a new strategic ransomware alliance, once underscoring continued shifts in the cyber threat landscape. The coalition is seen as an attempt on the part of the financially motivated threat actors to conduct more...

⚡ Weekly Recap: Cisco 0-Day, Record DDoS, LockBit 5.0, BMC Bugs, ShadowV2 Botnet & More

Cybersecurity never stops—and neither do hackers. While you wrapped up last week, new attacks were already underway. From hidden software bugs to massive DDoS attacks and new ransomware tricks, this week's roundup gives you the biggest security moves to know. Whether you're protecting key systems...

New LockBit 5.0 Targets Windows, Linux, ESXi

Trend™ Research analyzed source binaries from the latest activity from notorious LockBit ransomware with their 5.0 version that exhibits advanced obfuscation, anti-analysis techniques, and seamless cross-platform capabilities for Windows, Linux, and ESXi systems...

Fake Ukrainian Police Emails Spread New CountLoader Malware Loader

A new malware loader, CountLoader, has been discovered by cybersecurity firm Silent Push. This threat is linked to prominent Russian ransomware gangs, including LockBit, BlackBasta, and Qilin, and is being used as an initial access broker...

CountLoader Broadens Russian Ransomware Operations With Multi-Version Malware Loader

Cybersecurity researchers have discovered a new malware loader codenamed CountLoader that has been put to use by Russian ransomware gangs to deliver post-exploitation tools like Cobalt Strike and AdaptixC2, and a remote access trojan known as PureHVNC RAT. "CountLoader is being used either as par...

Inside LockBit's Admin Panel Leak

Inside the LockBit's Admin Panel Leak: Affiliates, Victims and Millions in Crypto By Jambul Tologonov · June 12, 2025 Introduction On May 7, 2025, the LockBit admin panel was hacked by an anonymous actor who replaced their TOR website with the text ‘ Don’t do crime CRIME IS BAD xoxo from Prague ’...

LockBit Leak Shows Affiliates Use Pressure Tactics, Rarely Get Paid

Weeks after LockBit ransomware breach, leaked data reveals how affiliates generate ransomware, set ransom demands, and often walk away unpaid...

Xoxo to Prague

Welcome to this week's edition of the Threat Source newsletter. I haven't been to Prague in a while, which is a pity. It's a wonderful city -- great people, amazing food. I've visited customers there, held team meetings at the local office shoutout to Petr! and spent some memorable summer days of...