1025 matches found
IT threat evolution in Q2 2025. Mobile statistics
IT threat evolution in Q2 2025. Mobile statistics IT threat evolution in Q2 2025. Non-mobile statistics The mobile section of our quarterly cyberthreat report includes statistics on malware, adware, and potentially unwanted software for Android, as well as descriptions of the most notable threats...
IT threat evolution in Q2 2025. Non-mobile statistics
IT threat evolution in Q2 2025. Non-mobile statistics IT threat evolution in Q2 2025. Mobile statistics The statistics in this report are based on detection verdicts returned by Kaspersky products unless otherwise stated. The information was provided by Kaspersky users who consented to sharing...
Cookies and how to bake them: what they are for, associated risks, and what session hijacking has to do with it
When you visit almost any website, you'll see a pop-up asking you to accept, decline, or customize the cookies it collects. Sometimes, it just tells you that cookies are in use by default. We randomly checked 647 websites, and 563 of them displayed cookie notifications. Most of the time, users...
How attackers adapt to built-in macOS protection
If a system is popular with users, you can bet it's just as popular with cybercriminals. Although Windows still dominates, second place belongs to macOS. And this makes it a viable target for attackers. With various built-in protection mechanisms, macOS generally provides a pretty much end-to-end...
Exploits and vulnerabilities in Q2 2025
Vulnerability registrations in Q2 2025 proved to be quite dynamic. Vulnerabilities that were published impact the security of nearly every computer subsystem: UEFI, drivers, operating systems, browsers, as well as user and web applications. Based on our analysis, threat actors continue to leverag...
Modern vehicle cybersecurity trends
Modern vehicles are transforming into full-fledged digital devices that offer a multitude of features, from common smartphone-like conveniences to complex intelligent systems and services designed to keep everyone on the road safe. However, this digitalization, while aimed at improving comfort an...
GodRAT – New RAT targeting financial institutions
Summary In September 2024, we detected malicious activity targeting financial trading and brokerage firms through the distribution of malicious .scr screen saver files disguised as financial documents via Skype messenger. The threat actor deployed a newly identified Remote Access Trojan RAT named...
Evolution of the PipeMagic backdoor: from the RansomExx incident to CVE-2025-29824
In April 2025, Microsoft patched 121 vulnerabilities in its products. According to the company, only one of them was being used in real-world attacks at the time the patch was released: CVE-2025-29824. The exploit for this vulnerability was executed by the PipeMagic malware, which we first...
New trends in phishing and scams: how AI and social media are changing the game
Introduction Phishing and scams are dynamic types of online fraud that primarily target individuals, with cybercriminals constantly adapting their tactics to deceive people. Scammers invent new methods and improve old ones, adjusting them to fit current news, trends, and major world events:...
Scammers mass-mailing the Efimer Trojan to steal crypto
Introduction In June, we encountered a mass mailing campaign impersonating lawyers from a major company. These emails falsely claimed the recipient's domain name infringed on the sender's rights. The messages contained the Efimer malicious script, designed to steal cryptocurrency. This script als...
Driver of destruction: How a legitimate driver is being used to take down AV processes
Introduction In a recent incident response case in Brazil, we spotted intriguing new antivirus AV killer software that has been circulating in the wild since at least October 2024. This malicious artifact abuses the ThrottleStop.sys driver, delivered together with the malware, to terminate numero...
Cobalt Strike Beacon delivered via GitHub and social media
Introduction In the latter half of 2024, the Russian IT industry, alongside a number of entities in other countries, experienced a notable cyberattack. The attackers employed a range of malicious techniques to trick security systems and remain undetected. To bypass detection, they delivered...
ToolShell: a story of five vulnerabilities in Microsoft SharePoint
On July 19–20, 2025, various security companies and national CERTs published alerts about active exploitation of on-premise SharePoint servers. According to the reports, observed attacks did not require authentication, allowed attackers to gain full control over the infected servers, and were...
The SOC files: Rumble in the jungle or APT41’s new target in Africa
Introduction Some time ago, Kaspersky MDR analysts detected a targeted attack against government IT services in the African region. The attackers used hardcoded names of internal services, IP addresses, and proxy servers embedded within their malware. One of the C2s was a captive SharePoint serve...
GhostContainer backdoor: malware compromising Exchange servers of high-value organizations in Asia
In a recent incident response IR case, we discovered highly customized malware targeting Exchange infrastructure within government environments. Analysis of detection logs and clues within the sample suggests that the Exchange server was likely compromised via a known N-day vulnerability. Our...
Forensic journey: Breaking down the UserAssist artifact structure
Introduction As members of the Global Emergency Response Team GERT, we work with forensic artifacts on a daily basis to conduct investigations, and one of the most valuable artifacts is UserAssist. It contains useful execution information that helps us determine and track adversarial activities,...
Code highlighting with Cursor AI for $500,000
Attacks that leverage malicious open-source packages are becoming a major and growing threat. This type of attacks currently seems commonplace, with reports of infected packages in repositories like PyPI or npm appearing almost daily. It would seem that increased scrutiny from researchers on thes...
Approach to mainframe penetration testing on z/OS. Deep dive into RACF
In our previous article we dissected penetration testing techniques for IBM z/OS mainframes protected by the Resource Access Control Facility RACF security package. In this second part of our research, we delve deeper into RACF by examining its decision-making logic, database structure, and the...
Batavia spyware steals data from Russian organizations
Introduction Since early March 2025, our systems have recorded an increase in detections of similar files with names like договор-2025-5.vbe, приложение.vbe, and dogovor.vbe translation: contract, attachment among employees at various Russian organizations. The targeted attack begins with bait...
AI and collaboration tools: how cyberattackers are targeting SMBs in 2025
Cyberattackers often view small and medium-sized businesses SMBs as easier targets, assuming their security measures are less robust than those of larger enterprises. In fact, attacks through contractors, also known as trusted relationship attacks, remain one of the top three methods used to brea...
SparkKitty, SparkCat’s little brother: A new Trojan spy found in the App Store and Google Play
Update 25.06.2025: Apple removed the malicious app from the App Store. In January 2025, we uncovered the SparkCat spyware campaign, which was aimed at gaining access to victims' crypto wallets. The threat actor distributed apps containing a malicious SDK/framework. This component would wait for a...
Toxic trend: Another malware threat targets DeepSeek
Introduction DeepSeek-R1 is one of the most popular LLMs right now. Users of all experience levels look for chatbot websites on search engines, and threat actors have started abusing the popularity of LLMs. We previously reported attacks with malware being spread under the guise of DeepSeek to...
Sleep with one eye open: how Librarian Ghouls steal data by night
Introduction Librarian Ghouls, also known as "Rare Werewolf" and "Rezet", is an APT group that targets entities in Russia and the CIS. Other security vendors are also monitoring this APT and releasing analyses of its campaigns. The group has remained active through May 2025, consistently targetin...
Analysis of the latest Mirai wave exploiting TBK DVR devices with CVE-2024-3721
The abuse of known security flaws to deploy bots on vulnerable systems is a widely recognized problem. Many automated bots constantly search the web for known vulnerabilities in servers and devices connected to the internet, especially those running popular services. These bots often carry Remote...
IT threat evolution in Q1 2025. Non-mobile statistics
IT threat evolution in Q1 2025. Non-mobile statistics IT threat evolution in Q1 2025. Mobile statistics The statistics in this report are based on detection verdicts returned by Kaspersky products unless otherwise stated. The information was provided by Kaspersky users who consented to sharing...
IT threat evolution in Q1 2025. Mobile statistics
IT threat evolution in Q1 2025. Mobile statistics IT threat evolution in Q1 2025. Non-mobile statistics Quarterly figures According to Kaspersky Security Network, in the first quarter of 2025: A total of 12 million attacks on mobile devices involving malware, adware, or unwanted apps were blocked...
Host-based logs, container-based threats: How to tell where an attack began
The risks associated with containerized environments Although containers provide an isolated runtime environment for applications, this isolation is often overestimated. While containers encapsulate dependencies and ensure consistency, the fact that they share the host system's kernel introduces...
Exploits and vulnerabilities in Q1 2025
The first quarter of 2025 saw the continued publication of vulnerabilities discovered and fixed in 2024, as some researchers were previously unable to disclose the details. This partially shifted the focus away from vulnerabilities that received new CVE-2025-NNNNN identifiers. The nature of the C...
Zanubis in motion: Tracing the active evolution of the Android banking malware
Introduction Zanubis is a banking Trojan for Android that emerged in mid-2022. Since its inception, it has targeted banks and financial entities in Peru, before expanding its objectives to virtual cards and crypto wallets. The main infection vector of Zanubis is impersonating legitimate Peruvian...
Dero miner zombies biting through Docker APIs to build a cryptojacking horde
Introduction Imagine a container zombie outbreak where a single infected container scans the internet for an exposed Docker API, and bites exploits it by creating new malicious containers and compromising the running ones, thus transforming them into new "zombies" that will mine for Dero currency...
Threat landscape for industrial automation systems in Q1 2025
Trends Relative stability from quarter to quarter. The percentage of ICS computers on which malicious objects were blocked remained unchanged from Q4 2024 at 21.9%. Over the last three quarters, the value has ranged from 22.0% to 21.9%. The quarterly figures are decreasing from year to year. Sinc...
Using a Mythic agent to optimize penetration testing
Introduction The way threat actors use post-exploitation frameworks in their attacks is a topic we frequently discuss. It's not just about analysis of artifacts for us, though. Our company's deep expertise means we can study these tools to implement best practices in penetration testing. This hel...
State of ransomware in 2025
Global ransomware trends and numbers With the International Anti-Ransomware Day just around the corner on May 12, Kaspersky explores the ever-changing ransomware threat landscape and its implications for cybersecurity. According to Kaspersky Security Network data, the number of ransomware...
Outlaw cybergang attacking targets worldwide
Introduction In a recent incident response case in Brazil, we dealt with a relatively simple, yet very effective threat focused on Linux environments. Outlaw also known as "Dota" is a Perl-based crypto mining botnet that typically takes advantage of weak or default SSH credentials for its...
Triada strikes back
Introduction Older versions of Android contained various vulnerabilities that allowed gaining root access to the device. Many malicious programs exploited these to elevate their system privileges and gain persistence. The notorious Triada Trojan also used this attack vector. With time, the...
Operation SyncHole: Lazarus APT goes back to the well
We have been tracking the latest attack campaign by the Lazarus group since last November, as it targeted organizations in South Korea with a sophisticated combination of a watering hole strategy and vulnerability exploitation within South Korean software. The campaign, dubbed "Operation SyncHole...
Russian organizations targeted by backdoor masquerading as secure networking software updates
As we were looking into a cyberincident in April 2025, we uncovered a rather sophisticated backdoor. It targeted various large organizations in Russia, spanning the government, finance, and industrial sectors. While our investigation into the attack associated with the backdoor is still ongoing, ...
Lumma Stealer – Tracking distribution channels
Introduction The evolution of Malware-as-a-Service MaaS has significantly lowered the barriers to entry for cybercriminals, with information stealers becoming one of the most commercially successful categories in this underground economy. Among these threats, Lumma Stealer has emerged as a...
Phishing attacks leveraging HTML code inside SVG files
With each passing year, phishing attacks feature more and more elaborate techniques designed to trick users and evade security measures. Attackers employ deceptive URL redirection tactics, such as appending malicious website addresses to seemingly safe links, embed links in PDFs, and send HTML...
IronHusky updates the forgotten MysterySnail RAT to target Russia and Mongolia
Day after day, threat actors create new malware to use in cyberattacks. Each of these new implants is developed in its own way, and as a result gets its own destiny – while the use of some malware families is reported for decades, information about others disappears after days, months or several...
Streamlining detection engineering in security operation centers
Security operations centers SOCs exist to protect organizations from cyberthreats by detecting and responding to attacks in real time. They play a crucial role in preventing security breaches by detecting adversary activity at every stage of an attack, working to minimize damage and enabling an...
GOFFEE continues to attack organizations in Russia
GOFFEE is a threat actor that first came to our attention in early 2022. Since then, we have observed malicious activities targeting exclusively entities located in the Russian Federation, leveraging spear phishing emails with a malicious attachment. Starting in May 2022 and up until summer of...
Attackers distributing a miner and the ClipBanker Trojan via SourceForge
Recently, we noticed a rather unique scheme for distributing malware that exploits SourceForge, a popular website providing software hosting, comparison, and distribution services. The site hosts numerous software projects, and anyone can upload theirs. One such project, officepackage , on the ma...
How ToddyCat tried to hide behind AV software
To hide their activity in infected systems, APT groups resort to various techniques to bypass defenses. Most of these techniques are well known and detectable by both EPP solutions and EDR threat-monitoring and response tools. For example, to hide their activity in Windows systems, cybercriminals...
A journey into forgotten Null Session and MS-RPC interfaces, part 2
In the first part of our research, I demonstrated how we revived the concept of no authentication null session after many years. This involved enumerating domain information, such as users, without authentication. I walked you through the entire process, starting with the difference between no-au...
TookPS: DeepSeek isn’t the only game in town
In early March, we published a study detailing several malicious campaigns that exploited the popular DeepSeek LLM as a lure. Subsequent telemetry analysis indicated that the TookPS downloader, a malware strain detailed in the article, was not limited to mimicking neural networks. We identified...
Operation ForumTroll: APT attack with Google Chrome zero-day exploit chain
In mid-March 2025, Kaspersky technologies detected a wave of infections by previously unknown and highly sophisticated malware. In all cases, infection occurred immediately after the victim clicked on a link in a phishing email, and the attackers' website was opened using the Google Chrome web...
Financial cyberthreats in 2024
As more and more financial transactions are conducted in digital form each year, financial threats comprise a large piece of the global cyberthreat landscape. That's why Kaspersky researchers analyze the trends related to these threats and share an annual report highlighting the main dangers to...
Threat landscape for industrial automation systems in Q4 2024
Statistics across all threats In Q4 2024, the percentage of ICS computers on which malicious objects were blocked decreased by 0.1 pp from the previous quarter to 21.9%. Percentage of ICS computers on which malicious objects were blocked, by quarter, 2022–2024 Compared to Q4 2023, the percentage...
Arcane stealer: We want all your data
At the end of 2024, we discovered a new stealer distributed via YouTube videos promoting game cheats. What's intriguing about this malware is how much it collects. It grabs account information from VPN and gaming clients, and all kinds of network utilities like ngrok, Playit, Cyberduck, FileZilla...