Threat Research

    BRICKSTORM is an advanced backdoor targeting VMware vSphere, including vCenter servers and ESXi, as well as Windows systems. The actors specifically focused on compromising VMware vSphere platforms. After gaining access, they used the vCenter console to steal VM snapshots for credential harvesting and to create hidden rogue VMs....
    During the incident response effort, it was determined that cyber threat actors infiltrated the agency’s network on July 11, 2024, by exploiting a critical vulnerability—CVE-2024-36401 [CWE-95: “Eval Injection”]—in a public-facing GeoServer instance (referred to as GeoServer 1)....
    Cyber threat actors exploited Ivanti EPMM systems by chaining two vulnerabilities—CVE-2025-4427 (authentication bypass) and CVE-2025-4428 (code injection)—to gain initial access. Around May 15, 2025, they targeted the /mifs/rs/api/v2/ endpoint using crafted HTTP GET requests and the ?format= parameter to execute remote commands....
    Interlock ransomware, active since late September 2024, targets businesses and infrastructure in North America and Europe with financially driven attacks. The FBI notes its use of encryptors for both Windows and Linux, often impacting virtual machines. Initial access methods include drive-by downloads from compromised sites and the ClickFix social engineering tactic....
    Since June 2022, the Play ransomware group—also known as Playcrypt—has targeted numerous businesses and critical infrastructure across North America, South America, and Europe. By 2024, Play had become one of the most active ransomware operations, with around 900 victims reported as of May 2025....
    LummaC2 is an infostealer malware targeting critical U.S. infrastructure sectors, active from November 2023 to May 2025. It spreads via spearphishing emails containing fake CAPTCHAs that trick users into running PowerShell commands. The malware is often embedded in spoofed software and first emerged on Russian-speaking forums in 2022....
    A Russian state-sponsored cyber campaign has been targeting Western logistics, transport, and technology firms, especially those involved in delivering foreign assistance to Ukraine. Since 2022, these sectors have been under increased threat from the GRU’s 85th Main Special Service Center (Unit 26165). The campaign uses known cyber espionage tactics and techniques....
    This joint Cybersecurity Advisory is part of the ongoing #StopRansomware initiative, which provides network defenders with insights into ransomware variants and threat actors. These advisories share observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to enhance protection....
    The "StopRansomware: Ghost (Cring) Ransomware" advisory covers a China-based cybercriminal group, known as Ghost or Cring, that targets vulnerable internet-facing services. Since 2021, the group has compromised organizations worldwide, including critical infrastructure and businesses....
    According to reliable third-party incident response data, threat actors exploited the listed vulnerabilities to achieve initial access, execute remote code (RCE), acquire credentials, and deploy webshells on victim networks....