Threat Research

    Since late December 2025, the team has handled multiple incidents involving voice-based phishing (vishing) leading to data theft and extortion. These attacks have targeted organizations across Financial Services, Manufacturing, Professional & Legal Services, and Wholesale & Retail sectors....
    The team observed increased threat activity matching tactics linked to previous ShinyHunters extortion campaigns. These operations rely heavily on advanced voice phishing (vishing) techniques. Attackers use victim-branded credential harvesting sites to capture SSO credentials and MFA codes. With initial access gained, they pivot into corporate cloud environments....
    In August 2025, Kraken, a Russian-speaking ransomware group that emerged from the former HelloKitty cartel, conducted big-game hunting and double-extortion attacks. Cisco Talos observed the group exploiting SMB vulnerabilities for initial access, then using Cloudflared for persistence and SSHFS for pre-encryption data exfiltration....
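The Cloudflared-for-persistence and SSHFS-for-staging pattern in the summary above is one that can be hunted in process-creation telemetry. The script below is an added example, not Cisco Talos or Unit 42 code: it flags `cloudflared` invocations that install a service or run a tunnel, and `sshfs` mounts whose remote host lies outside the organisation's address space. The events, the hostnames and the internal ranges (`INTERNAL_NETS`, `INTERNAL_SUFFIX`) are constructed and assumed for the example.

```python
"""Hunt for cloudflared tunnel persistence and sshfs mounts to external hosts
in process-creation events. Illustrative example; the events below are
constructed and the internal address space is an assumption."""
import ipaddress
import re
import shlex
from typing import Dict, List

# Assumed: the organisation's internal address ranges and internal DNS suffix.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_SUFFIX = ".corp.example"

# cloudflared arguments that register a tunnel as a service, start a tunnel,
# or pull a remotely managed tunnel token/credentials file.
CLOUDFLARED_PERSIST = re.compile(
    r"(service\s+install|tunnel\s+run|--token\s+\S+|--credentials-file)", re.I)
# sshfs source argument: [user@]host:path
SSHFS_SOURCE = re.compile(r"^(?:(?P<user>[\w.-]+)@)?(?P<host>[\w.-]+):(?P<path>\S*)$")

# Constructed process-creation events (Sysmon/auditd style, flattened).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "fs01", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\Temp\cloudflared.exe",
     "cmdline": "cloudflared.exe service install eyJhIjoiY29uc3RydWN0ZWQiLCJ0IjoiZXhhbXBsZSJ9"},
    {"host": "fs01", "user": "root",
     "image": "/usr/bin/sshfs",
     "cmdline": "sshfs -o reconnect,StrictHostKeyChecking=no ops@203.0.113.45:/srv/drop /mnt/stage"},
    {"host": "build02", "user": "jenkins",
     "image": "/usr/bin/sshfs",
     "cmdline": "sshfs jenkins@10.20.30.40:/artifacts /mnt/artifacts"},
    {"host": "ws17", "user": "CORP\\alice",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "\"WINWORD.EXE\" /n"},
]


def is_internal(host: str) -> bool:
    """True if host is an address in INTERNAL_NETS or a name under INTERNAL_SUFFIX."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host.lower().endswith(INTERNAL_SUFFIX)
    return any(addr in net for net in INTERNAL_NETS)


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per event that matches either rule."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        exe = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        cmd = ev["cmdline"]
        if exe.startswith("cloudflared") and CLOUDFLARED_PERSIST.search(cmd):
            findings.append({"host": ev["host"], "user": ev["user"],
                             "rule": "cloudflared_tunnel_persistence", "detail": cmd})
        elif exe == "sshfs":
            # The first non-option token of the form [user@]host:path is the remote.
            for tok in shlex.split(cmd)[1:]:
                m = SSHFS_SOURCE.match(tok)
                if m and not is_internal(m.group("host")):
                    findings.append({"host": ev["host"], "user": ev["user"],
                                     "rule": "sshfs_mount_external_host",
                                     "detail": m.group("host")})
                    break
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f)
```

Tune `INTERNAL_NETS` and the `cloudflared` argument list to your environment; an allow-list of hosts where Cloudflare tunnels are sanctioned will be needed to keep the first rule from firing on legitimate deployments.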
    Beginning in late September 2025, a threat actor linked to the CL0P extortion group launched a large-scale campaign targeting organizations using Oracle E-Business Suite (EBS)....
    Since June 2022, the Play ransomware group, also known as Playcrypt, has targeted numerous businesses and critical infrastructure across North America, South America, and Europe. By 2024, Play had become one of the most active ransomware operations, with around 900 victims reported as of May 2025....
    Muddled Libra’s operations have evolved throughout 2024. As members rotate in and out, the group’s capabilities and tactics continue to adapt. Their toolkit now includes end-user and helpdesk social engineering, traditional phishing, insider access via business process outsourcers, and ransomware partnerships for extortion....
    This article examines an incident in which a threat actor attempted, unsuccessfully, to bypass Cortex XDR. Our investigation offered insight into the threat actor's methods, revealing that they had purchased access to the client’s network via Atera RMM from an initial access broker....
    Repellent Scorpius is a recently surfaced ransomware-as-a-service (RaaS) group that deploys Cicada3301 ransomware. The group seems to have first appeared in May 2024, initiating a multi-extortion campaign. This report, derived from Unit 42 Incident Response engagements, offers a technical examination of the ransomware used by the Repellent Scorpius group....
    During an incident response managed by Unit 42, the threat actor group Bling Libra (known for ShinyHunters ransomware) shifted from their usual method of selling or publishing stolen data to extorting victims....
    Unit 42 researchers uncovered a cloud-based extortion scheme that targeted several organizations. The attackers exploited exposed .env files, which held sensitive credentials and other application secrets, to carry out their campaign....
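Exposed `.env` files are found by requesting the path directly, and the main triage problem is telling a genuine dotenv file from a server that answers 200 to everything. The following is an added example, not Unit 42's code: it decides whether a captured HTTP response body is a dotenv file, parses it, and reports which keys look like credentials with their values redacted. The sample responses are constructed, and the key-name patterns in `SENSITIVE_KEY` are an assumption to adjust per stack.

```python
"""Triage a captured HTTP response for an exposed .env file. Added illustrative
example; sample bodies below are constructed and contain no real secrets."""
import re
from typing import Dict, Any

# KEY=value, optionally prefixed by `export`; value may be quoted.
ENV_LINE = re.compile(r"^\s*(?:export\s+)?(?P<key>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*(?P<val>.*)$")
# Assumed heuristic for credential-bearing variable names.
SENSITIVE_KEY = re.compile(r"(SECRET|PASS(WORD)?|TOKEN|API_?KEY|ACCESS_KEY|PRIVATE|CREDENTIAL|DSN|_KEY$)", re.I)

# Constructed Laravel-style .env; every value is fake.
SAMPLE_DOTENV = """\
# application settings
APP_NAME=Shop
APP_ENV=production
APP_KEY=base64:Y29uc3RydWN0ZWQtZXhhbXBsZS1rZXktbm90LXJlYWw=
DB_HOST=127.0.0.1
DB_USERNAME=shop
DB_PASSWORD="S3cr3t-Pa55 word"
AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE00
AWS_SECRET_ACCESS_KEY=constructed/not-a-real-secret/EXAMPLE
MAIL_FROM=noreply@shop.example
"""
# Constructed soft-404: HTTP 200 with an HTML error page.
SAMPLE_SOFT_404 = "<!DOCTYPE html><html><body><h1>Page not found</h1></body></html>"


def looks_like_dotenv(body: str) -> bool:
    """At least 80% of non-comment lines must be KEY=value and no HTML markup."""
    lowered = body.lower()
    if "<html" in lowered or "<!doctype" in lowered:
        return False
    lines = [l for l in body.splitlines() if l.strip() and not l.strip().startswith("#")]
    if not lines:
        return False
    matched = sum(1 for l in lines if ENV_LINE.match(l))
    return matched / len(lines) >= 0.8


def parse_dotenv(body: str) -> Dict[str, str]:
    """Parse KEY=value lines, stripping quotes and unquoted trailing comments."""
    env: Dict[str, str] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENV_LINE.match(line)
        if not m:
            continue
        val = m.group("val").strip()
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            val = val[1:-1]
        else:
            val = val.split(" #", 1)[0].strip()
        env[m.group("key")] = val
    return env


def redact(val: str) -> str:
    """Keep enough of a value to confirm it is live without recording it whole."""
    if len(val) <= 8:
        return "*" * len(val)
    return val[:4] + "..." + val[-2:]


def triage(status: int, content_type: str, body: str) -> Dict[str, Any]:
    """Return whether the response is an exposed dotenv file and which keys are sensitive."""
    if status != 200 or "html" in content_type.lower() or not looks_like_dotenv(body):
        return {"exposed": False, "secrets": {}}
    env = parse_dotenv(body)
    secrets = {k: redact(v) for k, v in env.items() if v and SENSITIVE_KEY.search(k)}
    return {"exposed": True, "keys": len(env), "secrets": secrets}


if __name__ == "__main__":
    print(triage(200, "application/octet-stream", SAMPLE_DOTENV))
    print(triage(200, "text/html", SAMPLE_SOFT_404))
```

Only the redacted form is reported on purpose: a triage tool that writes full values to its own output creates a second copy of the very secrets the finding is about, which then has to be handled as an incident artifact in its own right.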