Signals Weekly: Active WSUS Exploits and Ransomware Shifts

WSUS RCE is live—patch OOB now + watch 8530/8531. Payments fell to 23% in Q3 as crews pivot to insider bribes; Qilin doubles down on ESXi + EDR tamper.

Cl0p’s Leak Sites: 20% Chance They Go Dark by Apr 22, 2026

Forecast: 20% chance Cl0p’s leak sites go dark by Apr 22, 2026. Needs a seizure banner or ≥14 days down w/ LE attribution. Cronos showed it’s doable; mirrors make it brutal.

COLDRIVER’s Next Move

COLDRIVER went from LOSTKEYS to a full “ROBOT” chain and ClickFix tricks—then started poking linked-device flows. We put 75% on a truly new family or access vector within 12 months.

Signals Weekly: Devices Under Siege- SNMP Rootkits, F5 Fallout

SNMP rootkits on Cisco (CVE-2025-20352) 🎛️, F5 source-code heist + CISA ED 26-01 🚨, and 175 MS CVEs 📅. Pick your poison: harden SNMP or inventory+patch BIG-IP today.

Storm-2657 Watch: Does Workday mark the start — or just the first stop?

Workday was the first stop, not the destination. We’re at 62% odds it hits another payroll stack by 2026-04-17. Harden all the paydoors, not just the pretty one.

CL0P/FIN11 Go In-Memory on Oracle EBS — The Extortion Comes Later

Oracle EBS got in-memory Java loaders, not lockerware. Patch CVE-2025-61882, lock egress, hunt TemplatePreviewPG with TMP|DEF + XSL-TEXT|XML. Extortion rides in via “pubstorm.”

Signals Weekly: Zero-Days, Hijacked Payrolls & a Crypto Kingpin

This Week's Threat Intel Pulse: Oracle EBS zero-day exploited before patches dropped, Storm-1175 abuses GoAnywhere MFT, payroll hijackers hit US universities, ransomware crews weaponize Velociraptor, and a $15B Southeast Asian scam network faces global sanctions.

TA558 2026: The Quiet Upgrade

Which scenario will best describe TA558’s (aka RevengeHotels) evolution by June 30, 2026?

By Dec 31, 2025, will a reputable primary source (Oracle, CISA, Mandiant/MSTIC, affected org’s SEC 8-K/IR blog) confirm at least one breach where CVE-2025-61882 was the initial access vector?

Oracle EBS zero-day (CVE-2025-61882): OOB patch, KEV-listed, exec extortion emails flying. We’re at 76% that a primary source names it as initial access by 12/31. Raise or fade? 🧨🧭

Will RedNovember be publicly reported to exploit at least one zero-day vulnerability in 2026?

RedNovember likely stays fast-follow on edge devices using N-days and public PoCs, not 0-days. China-nexus peers show willingness to burn edge 0-days, so a pivot is plausible but not base case...

By Dec 31, 2025, will UNC5221 be publicly linked to exploiting at least one new zero-day?

Question: By Dec 31, 2025, will UNC5221 be publicly linked to exploiting at least one new zero-day in a non-Ivanti edge platform (e.g., VMware vCenter/ESXi, Citrix NetScaler, F5, Palo Alto, Fortinet)?

VoidProxy: AitM Phishing-as-a-Service Quietly Bypasses MFA at Scale

VoidProxy is reshaping the phishing landscape, enabling adversaries to bypass MFA and hijack enterprise cloud sessions with minimal technical skill. Its rapid adoption, use of trusted email providers, and evasive infrastructure demand urgent, layered defenses—especially for organizations...

c2

Modular C2 Frameworks Quietly Redefine Threat Operations for 2025–2026

Attackers are rapidly shifting to modular, cloud-integrated C2 frameworks—Sliver, Havoc, Mythic, Brute Ratel C4, and Cobalt Strike—blurring lines between APT and cybercrime. These tools’ stealth, automation, and cloud API abuse are outpacing legacy detection, demanding urgent defensive adaptation.

geopolitics

Blended Geopolitical-Cyber Intelligence: Financial Sector’s Quiet Shift

Financial institutions are quietly overhauling cyber defenses, blending geopolitical risk with threat intelligence to counter state-sponsored attacks and regulatory pressure. This shift is driving new investments in automation, incident response, and sector-wide collaboration..

ta558

SteganoAmor: TA558’s image-hidden malware targets oil, gas & maritime

TA558’s “SteganoAmor” campaign leverages steganography to deliver commodity malware across oil, gas, maritime, and industrial targets. The group’s use of image-embedded payloads and compromised infrastructure...

poisonseed

PoisonSeed: supply-chain phish, seed-phrase theft, MFA bypass

If your bulk email or CRM gets popped, PoisonSeed rides your good reputation straight past filters and users’ instincts. Here’s the fast path to detect and blunt it—without boiling the ocean.

space

Space IoT: Under Siege.

If your organization consumes satellite data, runs VSATs (very small aperture terminals), or depends on vendors who do—you’re in scope. Since 2020, attackers have shifted from “space” to the easier target: ground networks and cloud storage.

russia

Russian APTs: OAuth Abuse, RDP Phish, and Takedowns

Russia-linked actors leaned hard on OAuth device codes and RDP phishing from Oct 2024–Aug 2025. Providers pushed back in concert. Here’s what changed, what to watch in your logs, and the quickest moves that buy real risk reduction.

ecrime

SaaS Data Theft: How UNC3944, UNC6040, and UNC6395 Quietly Redefined Cloud Risk

Three financially motivated clusters—UNC3944 (“Scattered Spider”), UNC6040, and UNC6395—are driving a surge in SaaS and cloud data theft via social engineering, OAuth abuse, and supply-chain attacks. Their evolving TTPs and anti-forensics are raising the stakes for defenders..

shamos

Shamos macOS Infostealer: Malvertising Lures, BYOD Gaps, and Sector Expansion

Shamos, a new Atomic macOS Stealer (AMOS) variant attributed to COOKIE SPIDER, is targeting U.S. tech and education sectors via malvertising and fake support sites.

supply-chain

Slopsquatting: AI Hallucinations Fueling a New Class of Software Supply Chain Attacks

Your code assistant invents a “helpful” package; an attacker registers it; your pipeline installs it. As of Aug 27, 2025, this is moving from edge case to repeatable tactic. Here’s how to spot it fast and force your builds to fail-closed.

ta-natalstatus

TA-NATALSTATUS: Rootkit-Style Cryptojacking Dominates Exposed Redis Servers Globally

If Redis is open to the internet, assume compromise. This actor gains root with native Redis tricks, plants miners, and hides using “rootkit-style” evasion. Here’s how to spot it fast and close the hole for good.

ransomware

Hybrid Threats at Sea: Ransomware, GPS Spoofing, and State-Linked Attacks Escalate Against Maritime Communications

Hybrid attacks are hitting navigation and port systems harder than ever — from ransomware to GPS spoofing — threatening safety, operations, and global trade.

ransomware

Q4 2025 Threat Priorities: Ransomware Surge, Regulatory Volatility, and Geopolitical Disruption in US Tech, Finance, and Education

Three converging trends—ransomware, volatile regulations, and global instability—are reshaping risk for US tech, finance, and education. The common thread? Disruption spreads faster than most organizations can detect or respond.