Published On : 2026-01-08

Ransomware of the week
CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This covers multiple industries, geographies, and technologies that could be relevant to your organization.
Type: Ransomware
Target Technologies: Windows
Introduction
CYFIRMA Research and Advisory Team has found Ripper Ransomware while monitoring various underground forums as part of our Threat Discovery Process.
Ripper Ransomware
CYFIRMA Research identified Ripper as a ransomware that encrypts files and restricts access to data on infected systems. The malware applies cryptographic protection described as RSA and AES, renames affected files by appending the “.ripper12” extension, and targets multiple file types, including images, executables, and other common formats. In addition to file encryption, Ripper modifies the desktop wallpaper and creates a ransom note named “READ_NOTE.html,” both of which are used to notify the victim of the compromise and provide contact instructions.

Screenshot of files encrypted by the ransomware (Source: Surface Web)
The ransom note states that the victim’s network has been penetrated and that files have been encrypted and modified. It warns against using third-party recovery tools, renaming files, or altering encrypted data, claiming such actions will permanently corrupt the files. The note asserts that confidential and personal data has been exfiltrated and stored on a private server, with destruction promised upon payment and public release or sale threatened if payment is not made. Victims are instructed to contact the operators via specified email addresses or Tor chat, are offered free decryption of a small number of non-important files as proof, and are informed that the ransom price will increase if contact is not initiated within 72 hours.

The appearance of the Ripper ransom note (READ_NOTE.html) (Source: Surface Web)
The following are the TTPs based on the MITRE ATT&CK Framework
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Initial Access | T1091 | Replication Through Removable Media |
| Execution | T1059 | Command and Scripting Interpreter |
| Execution | T1129 | Shared Modules |
| Persistence | T1112 | Modify Registry |
| Persistence | T1542.003 | Pre-OS Boot: Bootkit |
| Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| Privilege Escalation | T1055 | Process Injection |
| Privilege Escalation | T1134.004 | Access Token Manipulation: Parent PID Spoofing |
| Privilege Escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| Defense Evasion | T1014 | Rootkit |
| Defense Evasion | T1027.002 | Obfuscated Files or Information: Software Packing |
| Defense Evasion | T1027.005 | Obfuscated Files or Information: Indicator Removal from Tools |
| Defense Evasion | T1036 | Masquerading |
| Defense Evasion | T1055 | Process Injection |
| Defense Evasion | T1070.004 | Indicator Removal: File Deletion |
| Defense Evasion | T1112 | Modify Registry |
| Defense Evasion | T1134.004 | Access Token Manipulation: Parent PID Spoofing |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
| Defense Evasion | T1202 | Indirect Command Execution |
| Defense Evasion | T1222 | File and Directory Permissions Modification |
| Defense Evasion | T1497.001 | Virtualization/Sandbox Evasion: System Checks |
| Defense Evasion | T1542.003 | Pre-OS Boot: Bootkit |
| Defense Evasion | T1564.003 | Hide Artifacts: Hidden Window |
| Credential Access | T1056.001 | Input Capture: Keylogging |
| Discovery | T1010 | Application Window Discovery |
| Discovery | T1012 | Query Registry |
| Discovery | T1016 | System Network Configuration Discovery |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1083 | File and Directory Discovery |
| Discovery | T1120 | Peripheral Device Discovery |
| Discovery | T1497.001 | Virtualization/Sandbox Evasion: System Checks |
| Discovery | T1518.001 | Software Discovery: Security Software Discovery |
| Discovery | T1614 | System Location Discovery |
| Lateral Movement | T1091 | Replication Through Removable Media |
| Collection | T1056.001 | Input Capture: Keylogging |
| Collection | T1074 | Data Staged |
| Command and Control | T1071 | Application Layer Protocol |
| Command and Control | T1095 | Non-Application Layer Protocol |
| Command and Control | T1105 | Ingress Tool Transfer |
| Command and Control | T1573 | Encrypted Channel |
| Impact | T1485 | Data Destruction |
| Impact | T1486 | Data Encrypted for Impact |
| Impact | T1490 | Inhibit System Recovery |
Relevancy and Insights:
- The ransomware primarily affects the Windows operating system, which is commonly utilized in enterprise environments across multiple industries.
- The ransomware maintains long-term presence on the system by creating and modifying Windows scheduled tasks, which allow it to automatically execute even after restarts or user logins. It sets tasks to run with SYSTEM-level privileges and uses recurring triggers such as hourly or logon events. By doing so, the malware ensures its payload is consistently launched, enabling it to finish encryption, re-establish control, or run additional malicious actions without relying on user interaction.
- The ransomware runs commands such as vssadmin.exe Delete Shadows /all /quiet and wmic shadowcopy delete /nointeractive to delete Volume Shadow Copies, which Windows uses for backup and restoration. By removing these shadow copies, the malware ensures that victims cannot recover their files through system restore points or backup tools.
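As an added example (not CYFIRMA code), the following Python detection logic applies the two behaviours in these bullets to constructed process-creation events: shadow-copy deletion via vssadmin or wmic, and schtasks creating a SYSTEM task on a recurring or logon trigger. The events and file names are placeholders, and the parent-process severity check is an added heuristic not taken from the report.

```python
"""Detection logic for the two Ripper behaviours described above: recurring
scheduled tasks running as SYSTEM (T1053.005) and Volume Shadow Copy deletion
(T1490). Added example, not CYFIRMA code. The events below are constructed to
resemble Sysmon Event ID 1 / Windows 4688 process-creation fields; they are not
Ripper telemetry, and the file names in them are placeholders."""
import re
from dataclasses import dataclass

# Directories from which an OS maintenance utility is normally launched. A parent
# process anywhere else (user profile, ProgramData, Temp) raises the severity.
TRUSTED_PARENT_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Shadow-copy deletion (T1490). The report lists vssadmin and wmic; both patterns
# are order-tolerant and case-insensitive so small argument variations still match.
SHADOW_DELETE = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
]

# Scheduled-task persistence: a task created to run as SYSTEM on a recurring or
# logon trigger, which is the combination the report describes.
SCHTASKS_CREATE = re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I)
SCHTASKS_AS_SYSTEM = re.compile(r'\s/ru\s+"?(nt authority\\)?system"?(\s|$)', re.I)
SCHTASKS_TRIGGER = re.compile(r"\s/sc\s+(minute|hourly|onlogon|onstart)\b", re.I)


@dataclass
class Finding:
    rule: str
    technique: str
    severity: str
    command_line: str


def parent_is_unusual(parent_image: str) -> bool:
    """True when the parent executable lives outside the trusted system directories."""
    p = parent_image.lower()
    return not any(p.startswith(d) for d in TRUSTED_PARENT_DIRS)


def check_event(event: dict) -> list[Finding]:
    """Return every finding for one process-creation event (possibly none)."""
    cmd = event.get("CommandLine", "")
    severity = "high" if parent_is_unusual(event.get("ParentImage", "")) else "medium"
    findings = []
    for name, pattern in SHADOW_DELETE:
        if pattern.search(cmd):
            findings.append(Finding(name, "T1490", severity, cmd))
    if SCHTASKS_CREATE.search(cmd) and SCHTASKS_AS_SYSTEM.search(cmd) and SCHTASKS_TRIGGER.search(cmd):
        findings.append(Finding("schtasks_system_recurring", "T1053.005", severity, cmd))
    return findings


def run_detection(events: list[dict]) -> list[Finding]:
    return [f for ev in events for f in check_event(ev)]


# Constructed sample events: three malicious, two benign look-alikes.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\vssadmin.exe",
     "ParentImage": "C:\\Users\\Public\\payload.exe",  # placeholder name
     "CommandLine": "vssadmin.exe Delete Shadows /all /quiet"},
    {"Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "ParentImage": "C:\\Users\\Public\\payload.exe",
     "CommandLine": "wmic shadowcopy delete /nointeractive"},
    {"Image": "C:\\Windows\\System32\\schtasks.exe",
     "ParentImage": "C:\\Users\\Public\\payload.exe",
     "CommandLine": 'schtasks /create /tn "SystemUpdate" /tr "C:\\Users\\Public\\payload.exe" /sc hourly /ru SYSTEM /f'},
    {"Image": "C:\\Windows\\System32\\schtasks.exe",  # benign: daily task, no SYSTEM run-as
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": 'schtasks /create /tn "Backup" /tr "C:\\Program Files\\Backup\\backup.exe" /sc daily /st 02:00'},
    {"Image": "C:\\Windows\\System32\\vssadmin.exe",  # benign: listing, not deleting
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "vssadmin list shadows"},
]

if __name__ == "__main__":
    for f in run_detection(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule} ({f.technique}): {f.command_line}")
```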
ETLM Assessment:
CYFIRMA’s assessment indicates that Ripper demonstrates characteristics of an emerging ransomware operation that is structured around deliberate intrusion, controlled execution, and victim-centric extortion workflows. The combination of encryption, environmental modification, and explicit communication channels reflects an operational mindset focused on maintaining authority over the compromised environment and guiding victim behavior. The emphasis on identity-based interaction, time-bound pressure, and proof-of-decryption mechanisms suggests that the actors are seeking to establish credibility and efficiency in negotiations, which are commonly observed in ransomware groups aiming to scale their operations beyond isolated incidents.
CYFIRMA’s assessment indicates that Ripper is likely to transition toward a more advanced and sustained ransomware model as its operators refine their tactics. This evolution may involve broader targeting strategies, more efficient deployment techniques, and increased reliance on data exposure threats to reinforce payment pressure. As operational confidence grows, the ransomware could adopt more standardized processes and infrastructure to support recurring campaigns, positioning it as a more persistent threat within the ransomware ecosystem rather than a short-lived or experimental variant.
Sigma rule:
title: New RUN Key Pointing to Suspicious Folder
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    selection_target:
        TargetObject|contains:
            - '\Software\Microsoft\Windows\CurrentVersion\Run'
            - '\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
            - '\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    selection_suspicious_paths_1:
        Details|contains:
            - ':\Perflogs'
            - ':\ProgramData'
            - ':\Windows\Temp'
            - ':\Temp'
            - '\AppData\Local\Temp'
            - '\AppData\Roaming\'
            - ':\$Recycle.bin'
            - ':\Users\Default\'
            - ':\Users\public\'
            - '%temp%'
            - '%tmp%'
            - '%Public%'
            - '%AppData%'
    selection_suspicious_paths_user_1:
        Details|contains: ':\Users\'
    selection_suspicious_paths_user_2:
        Details|contains:
            - '\Favorites\'
            - '\Favourites\'
            - '\Contacts\'
            - '\Music\'
            - '\Pictures\'
            - '\Documents\'
            - '\Photos\'
    filter_main_windows_update:
        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\RunOnce\'
        Image|startswith: 'C:\Windows\SoftwareDistribution\Download\'
        Details|contains|all:
            - 'rundll32.exe '
            - 'C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32'
        Details|contains:
            - '\AppData\Local\Temp\'
            - 'C:\Windows\Temp\'
    filter_optional_spotify:
        Image|endswith:
            - 'C:\Program Files\Spotify\Spotify.exe'
            - 'C:\Program Files (x86)\Spotify\Spotify.exe'
            - '\AppData\Roaming\Spotify\Spotify.exe'
        TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Spotify'
        Details|endswith: '\Spotify.exe --autostart --minimized'
    condition: selection_target and (selection_suspicious_paths_1 or (all of selection_suspicious_paths_user_*)) and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Software using weird folders for updates
level: high
(Source: Surface Web)
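As an added example, not CYFIRMA's or SigmaHQ's code, here is the logic of the Sigma rule above in Python so it can be checked against registry_set events offline. The sample events are constructed to resemble Sysmon Event ID 13 fields; the "id" field is only a label for the sample, and the user names and paths are placeholders.

```python
"""Reference implementation of the 'New RUN Key Pointing to Suspicious Folder'
Sigma rule applied to registry_set events. Added example, not CYFIRMA's or
SigmaHQ's code. Sigma string modifiers match case-insensitively, so every
comparison below lower-cases both sides."""

RUN_KEYS = [
    "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
    "\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run",
]
SUSPICIOUS_PATHS = [
    ":\\Perflogs", ":\\ProgramData", ":\\Windows\\Temp", ":\\Temp",
    "\\AppData\\Local\\Temp", "\\AppData\\Roaming\\", ":\\$Recycle.bin",
    ":\\Users\\Default\\", ":\\Users\\public\\",
    "%temp%", "%tmp%", "%Public%", "%AppData%",
]
USER_PROFILE_ROOT = ":\\Users\\"
USER_FOLDERS = ["\\Favorites\\", "\\Favourites\\", "\\Contacts\\", "\\Music\\",
                "\\Pictures\\", "\\Documents\\", "\\Photos\\"]


def contains_any(value, needles):
    v = value.lower()
    return any(n.lower() in v for n in needles)


def contains_all(value, needles):
    v = value.lower()
    return all(n.lower() in v for n in needles)


def startswith_any(value, needles):
    v = value.lower()
    return any(v.startswith(n.lower()) for n in needles)


def endswith_any(value, needles):
    v = value.lower()
    return any(v.endswith(n.lower()) for n in needles)


def filter_main_windows_update(ev):
    """RunOnce cleanup entries written by Windows Update's self-extracting installers."""
    return (contains_any(ev["TargetObject"], ["\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\"])
            and startswith_any(ev.get("Image", ""), ["C:\\Windows\\SoftwareDistribution\\Download\\"])
            and contains_all(ev["Details"], ["rundll32.exe ", "C:\\WINDOWS\\system32\\advpack.dll,DelNodeRunDLL32"])
            and contains_any(ev["Details"], ["\\AppData\\Local\\Temp\\", "C:\\Windows\\Temp\\"]))


def filter_optional_spotify(ev):
    """Spotify's own autostart entry, which lives under AppData\\Roaming."""
    return (endswith_any(ev.get("Image", ""), ["C:\\Program Files\\Spotify\\Spotify.exe",
                                               "C:\\Program Files (x86)\\Spotify\\Spotify.exe",
                                               "\\AppData\\Roaming\\Spotify\\Spotify.exe"])
            and endswith_any(ev["TargetObject"], ["\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Spotify"])
            and endswith_any(ev["Details"], ["\\Spotify.exe --autostart --minimized"]))


def matches(ev) -> bool:
    """Mirrors the rule's condition line term by term."""
    selection_target = contains_any(ev["TargetObject"], RUN_KEYS)
    suspicious_paths_1 = contains_any(ev["Details"], SUSPICIOUS_PATHS)
    suspicious_paths_user = (contains_any(ev["Details"], [USER_PROFILE_ROOT])
                             and contains_any(ev["Details"], USER_FOLDERS))
    return (selection_target
            and (suspicious_paths_1 or suspicious_paths_user)
            and not filter_main_windows_update(ev)
            and not filter_optional_spotify(ev))


def evaluate(events):
    """Return the ids of the events the rule would alert on."""
    return [ev["id"] for ev in events if matches(ev)]


# Constructed sample events ("id" is a label for this example, not a Sysmon field).
SAMPLE_EVENTS = [
    {"id": "public_updater",  # alert: Run value pointing into C:\Users\Public
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Image": "C:\\Users\\Public\\updater.exe", "Details": "C:\\Users\\Public\\updater.exe"},
    {"id": "onedrive_benign",  # no alert: user profile, but not a suspicious folder
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "Image": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
     "Details": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"},
    {"id": "spotify_filtered",  # no alert: suppressed by filter_optional_spotify
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Spotify",
     "Image": "C:\\Users\\alice\\AppData\\Roaming\\Spotify\\Spotify.exe",
     "Details": "C:\\Users\\alice\\AppData\\Roaming\\Spotify\\Spotify.exe --autostart --minimized"},
    {"id": "documents_wow64",  # alert: WOW6432Node Run value pointing into \Documents\
     "TargetObject": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\svchelper",
     "Image": "C:\\Users\\bob\\Documents\\svc.exe", "Details": "C:\\Users\\bob\\Documents\\svc.exe"},
    {"id": "winupdate_runonce",  # no alert: suppressed by filter_main_windows_update
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wextract_cleanup0",
     "Image": "C:\\Windows\\SoftwareDistribution\\Download\\abc\\update.exe",
     "Details": 'rundll32.exe C:\\WINDOWS\\system32\\advpack.dll,DelNodeRunDLL32 "C:\\Windows\\Temp\\IXP000.TMP\\"'},
]

if __name__ == "__main__":
    print("alerts:", evaluate(SAMPLE_EVENTS))
```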
IOCs:
Kindly refer to the IOCs section to exercise control of your security systems.
STRATEGIC RECOMMENDATION
- Implement robust security protocols, encryption, authentication, and access-credential configurations for access to critical systems in your cloud and local environments.
- Ensure that backups of critical systems are maintained, which can be used to restore data in case a need arises.
MANAGEMENT RECOMMENDATION
- A data breach prevention plan must be developed considering: (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) whether there is a requirement to inform the local authority.
- Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
- Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.
TACTICAL RECOMMENDATION
- Ensure that all applications and software are consistently maintained by deploying the most recent releases and applying available security updates and patches in a timely manner.
- Add the Sigma rule for threat detection and monitoring, which will help detect anomalies in log events and identify and monitor suspicious activities.
- Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defence based on the tactical intelligence provided.
Trending Malware of the Week
Type: DDoS Botnet / Proxy Malware (Android) | Objectives: Distributed Denial-of-Service & Proxy Monetization | Target Technology: Android OS | Target Geography: Vietnam, Brazil, India, and Saudi Arabia
CYFIRMA collects data from various forums based on which the trend is ascertained. We identified a few popular malware that were found to be distributed in the wild to launch cyberattacks on organizations or individuals.
Active Malware of the week
This week, “Kimwolf” is trending.
Overview of Operation Kimwolf
Recent research has identified the rapid expansion of the Kimwolf botnet, a large-scale malicious operation that has grown significantly since mid-2025. The botnet has compromised millions of devices worldwide, primarily low-cost Android-based TV and streaming devices. Rather than relying on traditional infection techniques, Kimwolf spreads by exploiting weaknesses in residential proxy networks, allowing attackers to gain access to devices that are unknowingly exposed through poorly secured proxy services.
Kimwolf poses a serious threat due to both its operational scale and its monetization model. The botnet has been used to launch extremely high-volume distributed denial-of-service attacks while simultaneously generating revenue through the sale of residential proxy access, bandwidth rental, and unauthorized installation of third-party monetization software. Investigations indicate that many affected devices were already compromised before reaching end users, revealing significant security gaps within the hardware and proxy supply chains.
The Kimwolf operation underscores a broader and growing risk within the residential proxy ecosystem. Unsecured proxy infrastructure provides threat actors with a reliable and low-cost method to gain persistent access to trusted networks at scale. While limited remediation efforts have begun, the continued demand for inexpensive residential bandwidth increases the likelihood of similar campaigns emerging in the future.
Strengthening device security and enforcing stricter controls across proxy networks will be critical to preventing the repetition of such large-scale abuses.
Attack Method
The Kimwolf botnet utilizes a nontraditional infection model that capitalizes on systemic weaknesses within residential proxy infrastructures. Rather than directly targeting end users, the threat actors exploit proxy networks that permit unrestricted routing to internal and local network resources. This access enables large-scale scanning of connected devices while masking malicious activity behind legitimate residential IP addresses, thereby reducing the likelihood of detection and attribution.
Upon identifying exposed devices, the attackers exploit unauthenticated Android Debug Bridge (ADB) services that are reachable through these proxy networks. The compromise process is automated and executed remotely through command-line interactions, allowing the attackers to deploy downloader scripts without user involvement. These scripts retrieve and execute multiple payloads, including both native binaries and application packages, which are installed using built-in Android system utilities. File permissions are modified to ensure execution, and persistence mechanisms are applied to maintain continued access.
After installation, the malware establishes persistent communication with its command-and-control infrastructure to receive operational directives. Infected devices periodically transmit status information and remain available for tasking, including denial-of-service operations and traffic relaying. The malware incorporates safeguards to prevent multiple instances from executing concurrently on the same device, improving operational stability. Additionally, secondary software may be deployed to monetize compromised systems through proxy bandwidth resale or automated credential abuse, allowing the operators to derive sustained financial benefit from each infected device.
The following are the TTPs based on the MITRE ATT&CK Framework for Mobile
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Initial Access | T1409 | Stored Application Data |
| Execution | T1621 | Multi-Factor Authentication Request Generation |
| Execution | T1623 | Command and Scripting Interpreter |
| Persistence | T1624 | Event Triggered Execution |
| Persistence | T1406 | Obfuscated Files or Information |
| Privilege Escalation | T1404 | Exploitation for Privilege Escalation |
| Defense Evasion | T1633 | Virtualization/Sandbox Evasion |
| Defense Evasion | T1407 | Download New Code at Runtime |
| Command and Control | T1437 | Application Layer Protocol |
INSIGHTS
- Blending of Malicious Activity with Legitimate Service Ecosystems: The Kimwolf operation illustrates how malicious campaigns can be concealed within infrastructure that outwardly resembles legitimate commercial services. By operating through commonly trusted service models, the activity reduces immediate suspicion and complicates the distinction between normal and malicious behavior. This convergence of legitimate-looking operations and covert abuse delays identification and challenges conventional methods used to classify and respond to threats.
- Exploitation of Consumer Hardware as Persistent Operational Assets: The activity highlights the increasing role of consumer-grade devices in sustaining large-scale malicious operations. Hardware designed for continuous, unattended operation, particularly low-cost streaming and embedded systems, provides stable and long-lived platforms for misuse. Limited visibility after deployment and minimal user interaction allow such devices to remain active within malicious networks without disrupting their intended functionality.
- Impact Through Systemic Weakness Alignment: The Kimwolf case demonstrates that significant operational effectiveness can be achieved through coordinated exploitation of widespread, low-level weaknesses rather than advanced technical innovation. By repeatedly leveraging gaps across multiple commercial layers, including manufacturing, software integration, and service provisioning, the operation benefits from the cumulative effect of minor security deficiencies, enabling persistence and scale over time.
ETLM ASSESSMENT
From an ETLM perspective, CYFIRMA assesses that this activity reflects a shifting threat landscape characterized by prolonged, low-visibility exploitation embedded within otherwise legitimate digital ecosystems. As adversaries increasingly operate through trusted services and consumer technologies, organizations are likely to face extended periods of undetected exposure, complicating risk attribution and impact assessment. Employees may be affected indirectly as routine workflows, connected devices, and third-party services become vectors for latent compromise rather than direct targets. Over time, this trend is expected to weaken traditional assumptions around asset trust and operational boundaries, increasing uncertainty in enterprise risk management as malicious activity becomes progressively harder to distinguish from normal business behavior.
IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems.
YARA Rules
rule Kimwolf_Android_Botnet_Campaign
{
    meta:
        author = "CYFIRMA"
        date = "2026-01-06"
        description = "Detects Kimwolf Android botnet components based on known identifiers, package names, and C2 indicators"
    strings:
        /* Unique execution and mutex-related strings */
        $s1 = "xdrofl123"
        $s2 = "botless"
        $s3 = "rolf"
        /* Malicious Android package and service identifiers */
        $pkg1 = "com.n2.systemservice063"
        $pkg2 = "com.n2.systemservice062"
        $pkg3 = "com.abcproxy.lolsdk"
        $pkg4 = "com.a.androidsvc"
        $svc1 = "NetworkSyncService"
        $svc2 = "SDKService"
        /* Known Kimwolf C2 / infrastructure indicators */
        $c2_1 = "85.234.91.247"
        $c2_2 = "93.95.112.53"
        $c2_3 = "213.193.253.1"
        $c2_4 = "62.210.172.157"
        $c2_5 = "89.39.70.110"
        /* Residential proxy abuse indicators */
        $dom1 = "xd.resi.to"
        $dom2 = "xd.mob.to"
        $dom3 = "onetwoseven.14emeliaterracewestroxburyma02132.su"
        $dom4 = "lolxd.713mtauburnctcolumbusoh43085.st"
    condition:
        /* $svc* is grouped with $pkg* so every declared string is referenced;
           YARA refuses to compile a rule with unreferenced strings */
        (any of ($s*) and (any of ($pkg*) or any of ($svc*)))
        or any of ($c2*)
        or any of ($dom*)
}
Recommendations:
STRATEGIC RECOMMENDATIONS
- Layered Security Posture: Implement a comprehensive, multi-layered security architecture designed to mitigate sophisticated threat campaigns that leverage supply-chain weaknesses, interception techniques, and extended persistence. Security controls should be consistently applied across endpoints, networks, and cloud environments to ensure resilience throughout all stages of an intrusion.
- Intelligence-Led Security Operations: Embed actionable threat intelligence into daily security operations to support proactive detection and threat hunting. Emphasis should be placed on identifying evolving attacker methodologies that abuse trusted services, infrastructure dependencies, and software distribution channels.
- Strengthened Network and Trust Foundations: Enhance the integrity of network trust mechanisms by adopting secure DNS frameworks and maintaining close coordination with service providers. This approach helps reduce susceptibility to infrastructure manipulation, traffic interception, and trust-based abuse.
- Visibility Across Attack Phases: Maintain continuous visibility across telemetry sources to identify early indicators of multi-phase intrusions. Correlating endpoint, network, and cloud signals enables earlier disruption of attacks before persistence and impact escalate.
MANAGEMENT RECOMMENDATIONS
- Controlled Software and Update Practices: Establish strict governance over software installation and update processes, ensuring that applications are sourced only from authenticated, approved, and verifiable channels. This reduces the risk posed by tampered or malicious software components.
- Ongoing Security Awareness Initiatives: Reinforce user education programs to improve awareness of deceptive installation prompts, fraudulent update mechanisms, and socially engineered delivery techniques that mimic legitimate workflows.
- Enhanced Detection Investment: Prioritize investment in advanced detection technologies capable of identifying stealthy execution patterns, abnormal process behavior, encrypted communications, and misuse of trusted system functions.
- Incident Response Preparedness: Regularly review and test incident response procedures to ensure readiness for prolonged intrusions and infrastructure-centric threats. Plans should include clear escalation paths and coordination mechanisms with external stakeholders when necessary.
TACTICAL RECOMMENDATIONS
- Indicator and Behavior Correlation: Deploy detection mechanisms that combine static indicators with behavioral analysis to identify malicious activity more effectively. This includes leveraging signature-based rules alongside monitoring for suspicious system and API usage.
- DNS and Traffic Analysis: Actively monitor DNS and network traffic for irregular resolution patterns, unexpected routing behavior, and inconsistencies that may indicate manipulation or abuse of trusted infrastructure.
- Execution and Application Controls: Enforce execution control mechanisms such as application whitelisting and hardened loading behaviors to prevent unauthorized binaries and reduce exposure to abuse of legitimate system processes.
- Endpoint Activity Monitoring: Conduct routine endpoint assessments to detect anomalous files, unauthorized persistence mechanisms, and unusual process interactions within sensitive system locations.
- Outbound Communication Restrictions: Apply strict egress filtering policies to limit outbound connectivity to approved destinations only, thereby constraining adversary command-and-control communication and reducing opportunities for unauthorized data transfer.
CYFIRMA’S WEEKLY INSIGHTS
1. Weekly Attack Types and Trends
Key Intelligence Signals:
- Attack Type: Ransomware Attacks, Spear-Phishing, Vulnerabilities & Exploits, Data Leaks.
- Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage.
- Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
- Ransomware – Qilin Ransomware, SafePay Ransomware | Malware – Kimwolf
- Qilin Ransomware – One of the ransomware groups.
- SafePay Ransomware – One of the ransomware groups.
Please refer to the trending malware advisory for details on the following:
- Malware – Kimwolf
Behavior – Most of these malware use phishing and social engineering techniques as their initial attack vectors. Apart from these techniques, exploitation of vulnerabilities, defense evasion, and persistence tactics are being observed.
2. Threat Actor in Focus
Tracking Mustang Panda: Advanced Espionage Techniques and Regional Impacts
- Threat Actor: Mustang Panda aka HoneyMyte
- Attack Type: Connection Proxy, Credential Dumping, DLL Sideloading, USB, Exploitation of Vulnerability, Spear-Phishing, Kernel-Mode Rootkit, Signed Driver Abuse, Kernel Assisted Backdoor Injection, Stealth Command-and-Control (Fake TLS 1.3)
- Objective: Information Theft, Espionage
- Suspected Target Technology: Air Gapped systems, Office Suites Software, Operating System, Web Application, Citrix NetScaler, WdFilter (Microsoft Defender)
- Suspected Target Geography: Australia, India, Japan, South Korea, Taiwan, Thailand, US, Vietnam, Myanmar, Philippines, Mongolia, Pakistan
- Suspected Target Industries: Critical Infrastructure, Government, NGOs, Religion, Think Tanks
- Business Impact: Compromised user accounts, Data Theft, Operational Disruption, Reputational Damage
About the Threat Actor
Mustang Panda is a China-linked cyber-espionage threat actor active since at least 2012, known for conducting geopolitically motivated intelligence operations marked by disciplined execution, evolving tradecraft, and long-term persistence. Its campaigns commonly start with targeted spear-phishing, using politically themed lures delivered via ZIP, RAR, LNK, or URL files, followed by multi-stage infection chains that deploy loaders and stagers to install backdoors, reverse shells, and lateral-movement tools. The group frequently leverages malware families, such as PlugX, Poison Ivy, ToneShell, StarProxy, Claimloader, and SplatCloak, favoring DLL sideloading and encrypted command-and-control channels to maintain stealth and persistence, with some operations also spreading via infected USB media. Overall, Mustang Panda demonstrates a high degree of adaptability, combining precise targeting with modular tooling to sustain prolonged access to high-value networks.
Details on Exploited Vulnerabilities
| CVE ID | Affected Products | CVSS Score | Exploit Links |
|---|---|---|---|
| CVE-2021-1675 | Microsoft Windows | 7.8 | link1, link2, link3 |
| CVE-2021-40444 | Microsoft Windows | 7.8 | link1, link2, link3 |
TTPs based on MITRE ATT&CK Framework
| Tactic | ID | Technique |
|---|---|---|
| Reconnaissance | T1598.003 | Phishing for Information: Spear phishing Link |
| Resource Development | T1585.002 | Establish Accounts: Email Accounts |
| Resource Development | T1608 | Stage Capabilities |
| Resource Development | T1608.001 | Stage Capabilities: Upload Malware |
| Resource Development | T1588.004 | Obtain Capabilities: Digital Certificates |
| Resource Development | T1583.002 | Acquire Infrastructure: Domains |
| Initial Access | T1091 | Replication Through Removable Media |
| Initial Access | T1566.001 | Phishing: Spear phishing Attachment |
| Initial Access | T1566.002 | Phishing: Spear phishing Link |
| Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell |
| Execution | T1059.005 | Command and Scripting Interpreter: Visual Basic |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell |
| Execution | T1203 | Exploitation for Client Execution |
| Execution | T1053.005 | Scheduled Task/Job: Scheduled Task |
| Execution | T1204.001 | User Execution: Malicious Link |
| Execution | T1204.002 | User Execution: Malicious File |
| Execution | T1047 | Windows Management Instrumentation |
| Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| Persistence | T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription |
| Persistence | T1574.001 | Hijack Execution Flow: DLL |
| Persistence | T1053.005 | Scheduled Task/Job: Scheduled Task |
| Privilege Escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| Privilege Escalation | T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription |
| Privilege Escalation | T1574.001 | Hijack Execution Flow: DLL |
| Privilege Escalation | T1053.005 | Scheduled Task/Job: Scheduled Task |
| Defense Evasion | T1480 | Execution Guardrails |
| Defense Evasion | T1564.001 | Hide Artifacts: Hidden Files and Directories |
| Defense Evasion | T1574.001 | Hijack Execution Flow: DLL |
| Defense Evasion | T1070.004 | Indicator Removal: File Deletion |
| Defense Evasion | T1036.005 | Masquerading: Match Legitimate Resource Name or Location |
| Defense Evasion | T1036.007 | Masquerading: Double File Extension |
| Defense Evasion | T1036.004 | Masquerading: Masquerade Task or Service |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Defense Evasion | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File |
| Defense Evasion | T1027.016 | Obfuscated Files or Information: Junk Code Insertion |
| Defense Evasion | T1553.002 | Subvert Trust Controls: Code Signing |
| Defense Evasion | T1218.004 | System Binary Proxy Execution: InstallUtil |
| Defense Evasion | T1218.005 | System Binary Proxy Execution: Mshta |
| Defense Evasion | T1218.014 | System Binary Proxy Execution: MMC |
| Defense Evasion | T1218.007 | System Binary Proxy Execution: Msiexec |
| Credential Access | T1003.003 | OS Credential Dumping: NTDS |
| Discovery | T1083 | File and Directory Discovery |
| Discovery | T1057 | Process Discovery |
| Discovery | T1518 | Software Discovery |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1016 | System Network Configuration Discovery |
| Discovery | T1049 | System Network Connections Discovery |
| Lateral Movement | T1091 | Replication Through Removable Media |
| Collection | T1557.004 | Adversary-in-the-Middle: Evil Twin |
| Collection | T1560.001 | Archive Collected Data: Archive via Utility |
| Collection | T1119 | Automated Collection |
| Collection | T1560.003 | Archive Collected Data: Archive via Custom Method |
| Collection | T1074.001 | Data Staged: Local Data Staging |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols |
| Command and Control | T1219.002 | Remote Access Tools: Remote Desktop Software |
| Command and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography |
| Command and Control | T1105 | Ingress Tool Transfer |
| Command and Control | T1102 | Web Service |
| Command and Control | T1090 | Proxy |
| Command and Control | T1095 | Non-Application Layer Protocol |
| Exfiltration | T1052.001 | Exfiltration Over Physical Medium: Exfiltration over USB |
Latest Developments Observed
Mustang Panda’s 2025 operations reveal a shift to a kernel-mode attack chain, leveraging a malicious mini-filter driver to stealthily inject an updated ToneShell backdoor into system processes. The driver exploits a compromised legacy digital certificate, applies rootkit-level protections to files, registry keys, and processes, and disrupts Microsoft Defender’s file system filtering. This marks the first documented use of a kernel-mode loader for ToneShell, substantially improving stealth and defense evasion. The backdoor communicates with its C2 over raw TCP on port 443, masquerading traffic with fake TLS 1.3 headers.
ETLM Insights
Mustang Panda is a state-aligned cyber-espionage threat actor focused on long-term intelligence collection and geopolitical advantage, rather than financial gain. Its operations consistently align with China’s regional strategic interests, targeting government, diplomatic, military, and policy-related entities across Southeast and East Asia to support sustained situational awareness and strategic influence.
Operationally, the actor emphasizes durable access, operational stealth, and persistence, maintaining footholds within high-value environments to enable prolonged intelligence gathering. Recent activity indicates a clear shift toward enhanced survivability and evasion, suggesting an increased focus on operating undetected within hardened networks and resisting modern detection and response capabilities.
Looking ahead, Mustang Panda is expected to continue refining its covert, intelligence-led operations, expanding across interconnected government and regional partner ecosystems while adopting techniques that further reduce attribution risk and extend long-term access in support of broader state objectives.
IOCs:
Kindly refer to the IOCs section to exercise control of your security systems.
YARA Rules
rule APT_MustangPanda_Malware_Infrastructure_Indicators
{
    meta:
        description = "Detects Mustang Panda malware using known filenames, C2 domains, IPs, and exploit references"
        author = "CYFIRMA"
        threat_actor = "Mustang Panda"
        reference = "shipping-doc themed lures, known C2 infra, PrintNightmare and MSHTML exploits"
        date = "2026-01-06"
        confidence = "Medium-High"
    strings:
        /* Suspicious lure document */
        $doc_lure = "shipping documents.docx" nocase
        /* Malware filenames observed */
        $exe1 = "jhjhdskjsdklsdkl.exe" nocase
        $exe2 = "JHJHDSKJSDKLSDKL.exe" nocase
        $exe3 = "order 22hjbx1151frr.exe" nocase
        /* Known Mustang Panda domains */
        $domain1 = "www.profile-keybord.com"
        $domain2 = "www.dest-working.com"
        $domain3 = "www.ynsins.com"
        $domain4 = "www.aihkstore.com"
        /* Known IP addresses */
        $ip1 = "202.59.10.106"
        $ip2 = "188.208.141.196"
        $ip3 = "103.159.132.91"
        $ip4 = "23.216.147.76"
        /* Exploit references commonly abused by Mustang Panda */
        $cve1 = "CVE-2021-1675"
        $cve2 = "CVE-2021-40444"
    condition:
        /* Trigger if malware filename or lure doc is present */
        (1 of ($exe*) or $doc_lure)
        and
        /* And at least one infrastructure or exploit indicator */
        (1 of ($domain*) or 1 of ($ip*) or 1 of ($cve*))
}
Recommendations
Strategic
- Incorporate Digital Risk Protection (DRP) as part of the overall security posture to proactively defend against impersonations and phishing attacks.
- Assess and deploy alternatives for an advanced endpoint protection solution that provides detection/prevention for malware and malicious activities that do not rely on signature-based detection methods.
- Block exploit-like behaviour. Monitor endpoint memory for the behavioural patterns exploits typically rely on, including unusual process handle requests. These patterns are common to most exploits, whether known or new, so identifying them provides effective protection against zero-day and other critical exploits.
Management
- Invest in user education and implement standard operating procedures for the handling of financial and sensitive data transactions commonly targeted by impersonation attacks. Reinforce this training with context-aware banners and in-line prompts to help educate users.
- Develop a cyber threat remediation program and encourage employee training to detect anomalies proactively.
Tactical
- For better protection coverage against email attacks (like spear phishing, business email compromise, or credential phishing attacks), organizations should augment built-in email security with layers that take a materially different approach to threat detection.
- Protect accounts with multi-factor authentication. Exert caution when opening email attachments or clicking on embedded links supplied via email communications, SMS, or messaging.
- Apply security measures to detect unauthorized activities and to protect sensitive production and process control systems from cyberattacks.
- Add the YARA rules to your threat detection and monitoring tooling; they help detect anomalies in log events and identify and monitor suspicious activities.
3. Major Geopolitical Developments in Cybersecurity
USA hits Venezuela in a raid that sees its president arrested by Special Forces
The United States conducted a large-scale military operation in Caracas over the first weekend of January, resulting in the capture of Venezuelan President Nicolás Maduro and his wife, Cilia Flores. U.S. forces, including Delta Force special operators supported by approximately 150 aircraft, executed a pre-dawn raid that involved airstrikes on military installations and air defenses, followed by a helicopter insertion to seize Maduro at his compound. The operation, referred to as “Absolute Resolve,” caused significant disruptions in Caracas, including widespread power outages and blackouts across parts of the capital, which coincided with the strikes and were accompanied by reported losses of internet connectivity. The Venezuelan government attributed the outages to physical attacks on infrastructure, but President Donald Trump suggested U.S. involvement in creating the darkness, stating during a Mar-a-Lago press conference that “the lights of Caracas were largely turned off due to a certain expertise that we have.”
ETLM Assessment:
The Joint Chiefs of Staff confirmed at a separate briefing that U.S. Cyber Command and U.S. Space Command contributed by “layering different effects” and helping to “create a pathway” for the incoming U.S. forces, though neither command has provided further details on any cyber operations. Independent monitoring from researchers documented targeted outages in Caracas, aligning with the timing of the military action. While we do not know the details of the operations, it’s becoming clear that in modern warfare, a cyber component is part of any successful operation.
Disrupting, degrading, or destroying an adversary’s digital systems, networks, and data can help achieve strategic effects comparable to traditional kinetic military actions.
Russia escalating cyber war on Germany
Russia is escalating covert hybrid warfare against Germany’s critical infrastructure, through sabotage, cyberattacks, espionage, and influence operations, targeting the energy and defense sectors as a potential prelude to broader conflict, according to a leaked German Defense Ministry document. The classified documents present these attacks as deliberate Russian tools to probe weaknesses in government coordination, unsettle the public, and hinder NATO force deployments, while preparing capabilities for large-scale war against the alliance by 2029 at the latest. Germany, as NATO’s key European logistics hub, expects to face initial hybrid threats before any open military escalation on the eastern flank, though it would not become a direct ground frontline; the ministry identifies Russia as the greatest immediate security threat. In separate news, the European Space Agency (ESA) disclosed on X that a recent cybersecurity incident may have compromised a very small number of external servers outside its corporate network, supporting unclassified collaborative scientific engineering; the agency is conducting forensic analysis and has secured affected devices. Some analysts have already blamed Russia for the incident as well.
ETLM Assessment:
As previously noted in this CYFIRMA report, since the beginning of the Russian war in Ukraine in 2022, NATO member states have experienced a surge in physical attacks targeting critical infrastructure. Civilian facilities like shopping malls and factories have been set ablaze, while vital rail lines in Sweden, Germany, and France have been sabotaged. Defense plants supporting Ukraine have also been hit, including a London aid warehouse in March 2024 and a Welsh ammunition factory in April. This wave of sabotage is arguably the most significant the West has faced since World War II. While Russia maintains plausible deniability (towards which goal it also employs privateering cyber criminals), Western officials increasingly believe the Kremlin is orchestrating many of these attacks.
Governments and NATO leaders have publicly blamed Russian intelligence agencies and affiliated groups, implementing various measures to counter this threat. While definitive attribution remains complex, the sophistication of these attacks and the backdrop of geopolitical tensions strongly indicate Russian involvement.
These attacks have targeted a diverse range of organizations in Germany and other NATO countries, causing widespread disruption and financial losses. Russia has solidified its position as a capable, motivated, and irresponsible cyber threat actor. Russian operatives have almost certainly escalated their cyber campaigns against Ukraine and its allies, aligning these operations with their military objectives and broader geopolitical ambitions.
4. Rise in Malware/Ransomware and Phishing
Qilin Ransomware Impacts Logic Vein Co., Ltd
- Attack Type: Ransomware
- Target Industry: Information Technology
- Target Geography: Japan
- Ransomware: Qilin Ransomware
- Objective: Data Theft, Data Encryption, Financial Gains
- Business Impact: Financial Loss, Data Loss, Reputational Damage
Summary:
CYFIRMA observed in an underground forum that a company from Japan, Logic Vein Co., Ltd (https[:]//www[.]lvi[.]co[.]jp/), was compromised by Qilin Ransomware. Logic Vein Co., Ltd. is a Japanese software company, specializing in enterprise network management solutions like Net LineDancer for configuration backup, change detection, and automation. The compromised data contains confidential and sensitive information belonging to the organization.

Source: Dark Web
Relevancy & Insights:
- The Qilin Ransomware group operates a Ransomware-as-a-Service (RaaS) model, allowing affiliates to carry out attacks while Qilin provides infrastructure and malware tools.
- The Qilin Ransomware group primarily targets countries such as the United States of America, Canada, South Korea, France, and the United Kingdom.
- The Qilin Ransomware group primarily targets industries, including Manufacturing, Professional Goods & Services, Consumer Goods & Services, Healthcare, and Real Estate & Construction.
- Based on the Qilin Ransomware victims list from 1st Jan 2025 to 6th Jan 2026, the top 5 Target Countries are as follows:

- The Top 10 Industries most affected by the Qilin Ransomware victims list from 1st Jan 2025 to 6th Jan 2026 are as follows:

ETLM Assessment:
According to CYFIRMA’s assessment, Qilin ransomware poses a significant threat to organizations of all sizes. Its evolving tactics, including double extortion (data encryption and leak threats), cross-platform capabilities (Windows and Linux, including VMware ESXi), and a focus on speed and evasion, make it a particularly dangerous actor.
SafePay Ransomware Impacts 47CLUB
- Attack Type: Ransomware
- Target Industry: Wholesale / Retail
- Target Geography: Japan
- Ransomware: SafePay Ransomware
- Objective: Data Theft, Data Encryption, Financial Gains
- Business Impact: Financial Loss, Data Loss, Reputational Damage
Summary:
CYFIRMA observed in an underground forum that a company from Japan, 47CLUB (https[:]//www[.]47club[.]co[.]jp/), was compromised by SafePay Ransomware. 47CLUB (operated by Kabushiki Kaisha 47CLUB) is a Japanese e-commerce and regional marketing company based in Tokyo. Its core mission is to support and promote local producers across Japan by offering regional specialties, traditional foods, crafts, and artisan products through an online platform that showcases products from all 47 Japanese prefectures — a reference reflected in the company’s name (“47” representing Japan’s prefectures). The company works with over 1,300 local shops and producers and partners with regional newspaper companies to curate and sell unique local goods via EC (electronic commerce) marketplaces, pop-up events, and business collaborations, including catalog sales and promotional campaigns. The compromised data contains confidential and sensitive information belonging to the organization.

Source: Dark Web
Relevancy & Insights:
- SafePay Ransomware is a rapidly emerging and sophisticated ransomware threat first identified in September 2024.
- The SafePay Ransomware group primarily targets countries such as the United States of America, Germany, the United Kingdom, Canada, and Argentina.
- The SafePay Ransomware group primarily targets industries, including Professional Goods & Services, Consumer Goods & Services, Real Estate & Construction, Manufacturing, and Information Technology.
- Based on the SafePay Ransomware victims list from 1st Jan 2025 to 6th Jan 2026, the top 5 Target Countries are as follows:

- The Top 10 Industries most affected by the SafePay Ransomware victims list from 1st Jan 2025 to 6th Jan 2026 are as follows:

ETLM Assessment:
According to CYFIRMA’s assessment, SafePay represents a sophisticated, fast-moving ransomware threat capitalizing on VPN weaknesses and credential theft, employing effective double extortion tactics to maximize ransom payments.
Organizations, especially in highly targeted sectors and regions, must prioritize layered defenses and active hunting for early detection.
5. Vulnerabilities and Exploits
Vulnerability in Xspeeder SXZOS
- Attack Type: Vulnerabilities & Exploits
- Target Technology: Hardware solutions / Firmware
- Vulnerability: CVE-2025-54322
- CVSS Base Score: 10.0
- Vulnerability Type: Code Injection
- Summary: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
Relevancy & Insights:
The vulnerability exists due to missing input validation in the vLogin.py script when processing base64-encoded data. A remote, unauthenticated attacker can send a specially crafted HTTP request containing encoded Python code and have it executed on the system with root privileges.
Impact:
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Affected Products:
https[:]//pwn[.]ai/blog/cve-2025-54322-zeroday-unauthenticated-root-rce-affecting-70-000-hosts
Recommendations:
Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behaviour that might indicate an attempted exploitation of this vulnerability.
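As an added illustration of the bug class described above and of the monitoring the recommendation calls for (this is not code from the CYFIRMA report or from Xspeeder SXZOS; the handler names, the login field schema, the size limit and the sample log lines are constructed assumptions), the following Python contrasts a handler that evaluates base64-decoded request data with one that treats it strictly as data, and adds a request-log check that flags payloads decoding to code-like text:

```python
# Added example, not code from the CYFIRMA report or the Xspeeder product.
import base64
import binascii
import json
import re

MAX_PAYLOAD = 4096                          # constructed size limit for a login payload
ALLOWED_FIELDS = {"username", "password"}   # constructed login schema
# Tokens typical of Python source rather than a credential blob (constructed list).
CODE_MARKERS = re.compile(r"\b(import|exec|eval|__import__|subprocess|compile)\b")


class BadRequest(ValueError):
    """Raised for any payload the hardened handler refuses."""


def vulnerable_login(encoded: str) -> dict:
    """Hypothetical reconstruction of the vulnerable pattern (not the vendor's code):
    the decoded client data is executed as Python. For contrast only; never called here."""
    namespace: dict = {}
    exec(base64.b64decode(encoded).decode(), namespace)  # runs with the daemon's privileges
    return namespace


def decode_payload(encoded: str) -> str:
    """Strict base64 decoding: size-limited, alphabet-checked, UTF-8 only."""
    if len(encoded) > MAX_PAYLOAD:
        raise BadRequest("payload too large")
    try:
        raw = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError) as e:
        raise BadRequest("invalid base64") from e
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError as e:
        raise BadRequest("payload is not UTF-8 text") from e


def hardened_login(encoded: str) -> dict:
    """Parse the decoded payload as a JSON object with a fixed schema. The text is
    never evaluated, so embedded code is just a string that fails validation."""
    try:
        obj = json.loads(decode_payload(encoded))
    except json.JSONDecodeError as e:
        raise BadRequest("payload is not JSON") from e
    if not isinstance(obj, dict) or set(obj) != ALLOWED_FIELDS:
        raise BadRequest("unexpected fields")
    for key in ALLOWED_FIELDS:
        if not isinstance(obj[key], str) or not 1 <= len(obj[key]) <= 256:
            raise BadRequest(f"bad value for {key}")
    return obj


def is_rejected(encoded: str) -> bool:
    """True when the hardened handler refuses the payload."""
    try:
        hardened_login(encoded)
    except BadRequest:
        return True
    return False


def looks_like_code(encoded: str) -> bool:
    """Monitoring signal for request logs: True when a base64 field decodes to text
    containing Python-source markers. A heuristic for alerting, not a parser."""
    try:
        text = decode_payload(encoded)
    except BadRequest:
        return False
    return bool(CODE_MARKERS.search(text))


def scan_log(lines):
    """Return the log lines whose 'data=' field decodes to code-like text."""
    return [ln for ln in lines
            if (m := re.search(r"data=([A-Za-z0-9+/=]+)", ln)) and looks_like_code(m.group(1))]


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed sample request log (not real device logs): one normal login and one
# whose payload decodes to Python source.
SAMPLE_LOG = [
    "203.0.113.5 POST /vLogin.py data=" + _b64('{"username": "alice", "password": "hunter2"}'),
    "198.51.100.9 POST /vLogin.py data=" + _b64("import sys\nprint(sys.version)"),
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("code-like payload:", hit)
```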
TOP 5 AFFECTED TECHNOLOGIES OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various technologies due to a range of vulnerabilities. The following are the top 5 most affected technologies.

ETLM Assessment
Vulnerability in Xspeeder SXZOS can pose significant threats to user privacy and system security. This can impact various industries globally, including telecommunications, enterprise networking, and service providers. Ensuring the security of Xspeeder SXZOS is crucial for maintaining the integrity and protection of network operations and user data worldwide. Therefore, addressing these vulnerabilities is essential to safeguarding traffic acceleration, bandwidth optimization, and network performance management across different geographic regions and sectors.
6. Latest Cyber-Attacks, Incidents, and Breaches
INC Ransomware attacked and published the data of Omrania
- Threat Actor: INC Ransomware
- Attack Type: Ransomware
- Objective: Data Leak, Financial Gains
- Target Technology: Web Applications
- Target Industry: Architecture & Engineering
- Target Geography: Saudi Arabia
- Business Impact: Operational Disruption, Data Loss, Financial Loss, Potential Reputational Damage
Summary:
Recently, we observed that INC Ransomware attacked and published the data of Omrania (https[:]//omrania[.]com/) on its dark web website. Omrania is a Saudi Arabia–based international architecture and engineering consultancy with more than five decades of experience. The firm specializes in sustainable urban planning, landscape design, and building development, delivering services to clients across Saudi Arabia, the Middle East, North Africa, and Europe. The ransomware incident resulted in the exposure of approximately 4,000 GB of data, comprising confidential documents, client information, NDAs, financial records, corporate data, business agreements, project drawings, and a significant amount of other highly critical and sensitive information.

Source: Dark Web
Relevancy & Insights:
- INC Ransomware, also known as Incransom, is a cyber threat that emerged in mid-2023. Incransom uses strong encryption algorithms to lock files, making recovery without the decryption key virtually impossible. The ransomware typically appends specific file extensions to encrypted files, signalling that they have been compromised.
- INC Ransomware is commonly distributed through:
- Phishing emails: Containing malicious attachments or links that, when opened, deploy the ransomware.
- Malicious downloads: From compromised websites or software packages.
ETLM Assessment:
Based on recent assessments by CYFIRMA, INC Ransomware represents a significant threat within the evolving landscape of ransomware attacks. Its use of strong encryption methods and double extortion tactics highlights the increasing sophistication of cybercriminal operations. Organizations are advised to enhance their cybersecurity measures by implementing robust defenses against phishing attacks, maintaining updated security protocols, and monitoring for unusual network activity to mitigate risks associated with this and other ransomware variants. Continuous vigilance is essential to protect against the threats posed by emerging ransomware groups like INC Ransomware.
7. Data Leaks
Tokyo FM Broadcasting Co., Ltd. Data Advertised on a Leak Site
- Attack Type: Data leak
- Target Industry: Media & Entertainment
- Target Geography: Japan
- Objective: Financial Gains
- Business Impact: Data Loss, Reputational Damage
Summary: The CYFIRMA research team has identified claims made by a threat actor operating under the alias “victim,” who alleges responsibility for a security breach involving Tokyo FM Broadcasting Co., Ltd. Tokyo FM is a prominent Japanese radio broadcaster headquartered in Tokyo and serves as the flagship station of the Japan FM Network (JFN).
According to the threat actor, the breach resulted in the compromise of data from multiple internal systems. The attackers claim to have exfiltrated more than three million records containing sensitive personal and user-related information.
The allegedly exposed data includes:
- Names of individuals
- Email addresses
- Dates of birth
- IP addresses
- User-agent information
- Job-related details
- Login IDs
If confirmed, this incident could pose significant privacy and security risks to affected individuals and highlight the potential impact of large-scale data breaches on major media and broadcasting organizations.
The authenticity of this breach remains unverified at the time of reporting, as the claim originates solely from the threat actor.

Source: Underground Forums
Wadhefa Data Advertised on a Leak Site
- Attack Type: Data leak
- Target Industry: Human Resources and Recruitment
- Target Geography: Saudi Arabia
- Objective: Data Theft, Financial Gains
- Business Impact: Data Loss, Reputational Damage
Summary:
The CYFIRMA Research team has observed claims by a threat actor operating under the alias “Grubder,” who alleges responsibility for a security breach involving the Saudi Arabian job platform وظيفة.كوم (Wadhefa[.]com). According to the actor, the compromised data is being offered for sale and contains records belonging to 418,293 job seekers.
The threat actor claims that the exfiltrated dataset includes a wide range of sensitive personal and professional information. If verified, this exposure could pose serious privacy and identity-theft risks to affected individuals.
The allegedly compromised data includes:
- Curriculum vitae (CVs)
- National identification numbers
- Email addresses
- Phone numbers
- WhatsApp contact details
- Employment history
- Educational background
- Other sensitive personal information
The authenticity of this breach remains unverified at the time of reporting, as the claim originates solely from the threat actor.

Source: Underground Forums
Relevancy & Insights:
Financially motivated cybercriminals are continuously looking for exposed and vulnerable systems and applications to exploit. A significant number of these malicious actors congregate within underground forums, where they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers target unpatched systems or vulnerabilities in applications to gain access and steal valuable data. Subsequently, the stolen data is advertised for sale within underground markets, where it can be acquired, repurposed, and utilized by other malicious actors in further illicit activities.
ETLM Assessment:
The threat actor known as “Grubder” is assessed to be a highly active and capable group primarily engaged in data-leak operations. Multiple credible sources have associated this actor with a series of security incidents involving unauthorized access to systems and the sale or dissemination of stolen data on dark web marketplaces. These activities underscore the persistent and rapidly evolving cyber-threat landscape driven by underground criminal ecosystems and highlight the urgent need for organizations to reinforce their cybersecurity posture through continuous monitoring, improved threat-intelligence capabilities, and proactive defensive measures to protect sensitive information and critical infrastructure.
Recommendations: Enhance the cybersecurity posture by:
- Update all software products to their latest versions to mitigate the risk of vulnerabilities being exploited.
- Ensure proper database configuration to mitigate the risk of database-related attacks.
- Establish robust password management policies, incorporating multi-factor authentication and role-based access to fortify credential security and prevent unauthorized access.
8. Other Observations
The CYFIRMA Research team observed that Kumpulan Prasarana Rakyat Johor (KPRJ), the state-owned infrastructure and property development company of Johor, Malaysia, has allegedly been compromised in a significant data breach. The company, which serves as a primary executive arm for the Johor state government, manages large-scale construction projects, multi-million-dollar contracts, and strategic state land developments. The breach was reportedly carried out by an unidentified party who is now offering the stolen database for sale on an underground forum for 1.5 BTC.
The allegedly compromised data includes a massive collection of files totaling 180.69 GB and comprising over 71,000 files. According to the actor, the sensitive information covers the period from 2022 to March 2025 and contains:
- Full names and personnel photos of over 100 employees
- Complete construction and project contracts from 2022 onwards
- Signed agreements, priced and blank Bills of Quantities (BQs)
- Progress reports and financial payment records for major state projects
- Internal audit documents (Audit Negara), CMC papers, and petty cash records
- Land valuation reports (JPPH) for major projects, including Casa Tebrau and Danga
- Internal training archives and anti-corruption webinar videos
- Tender documents and technical proposals from telecommunications companies
The authenticity of this breach remains unverified at the time of reporting, as the claim originates solely from the threat actor.

Source: Underground Forums
The CYFIRMA Research team has identified that Enerparc AG, a reputable German company in the renewable energy sector, has allegedly been compromised. The breach reportedly impacts the company’s internal database regarding solar projects in Spain, specifically in the Mallorca and Alicante regions. The company, which has connected over 4,500 MW of solar capacity to the grid, is one of the largest independent solar power producers in Europe. The actor responsible for the leak claims to have extracted approximately 8.6 GB of data consisting of over 5,600 files related to projects such as Alicanti, Son Pons, and Son Ravanell.
According to the actor, the documents are predominantly engineering and technical in nature. The allegedly compromised data includes:
- Station requirement tables
- Tenders and technical proposals for transformer stations
- Commercial proposals and archives (including offers from suppliers)
- Factory Acceptance Test (FAT) protocols (photos, videos, checklists, pre-commissioning protocols)
- Final station documentation (test protocols, datasheets, CE conformity certificates, electrical drawings, protection settings, installation manuals)
- Detailed photos of equipment (LV/MV compartments, switchgear, transformer compartments)
- Test videos (such as FAT footage from 2020)
The authenticity of this breach remains unverified at the time of reporting, as the claim originates solely from the threat actor.

Source: Underground Forums
STRATEGIC RECOMMENDATIONS
- Attack Surface Management should be adopted by organisations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
- Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
- Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
- Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, and active network monitoring, through next-generation security solutions and a ready-to-go incident response plan.
- Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.
MANAGEMENT RECOMMENDATIONS
- Take advantage of global Cyber Intelligence, providing valuable insights on threat actor activity, detection, and mitigation techniques.
- Proactively monitor the effectiveness of risk-based information security strategy, the security controls applied, and the proper implementation of security technologies, followed by corrective actions, remediations, and lessons learned.
- Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcomings of EDR and SIEM solutions.
- Test detection processes regularly to ensure awareness of anomalous events, and continuously evolve the timely communication of anomalies to keep pace with refined ransomware threats.
TACTICAL RECOMMENDATIONS
- Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
- Consider using security automation to speed up threat detection, improve incident response, increase the visibility of security metrics, and rapidly execute security checklists.
- Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defences based on the tactical intelligence provided.
- Deploy detection technologies that are behavioral anomaly-based to detect ransomware attacks and help to take appropriate measures.
- Implement a combination of security controls such as reCAPTCHA or similar CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) challenges, device fingerprinting, IP blacklisting, rate-limiting, and account lockout to thwart automated brute-force attacks.
- Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.
Situational Awareness – Cyber News
Please find the Geography-Wise and Industry-Wise breakup of cyber news for the last 5 days as part of the situational awareness pillar.
For situational awareness intelligence and specific insights mapped to your organisation’s geography, industry, and technology, please access DeCYFIR.
