Threat Research

    UAT-8837 is a China-nexus threat actor assessed with medium confidence to specialize in gaining initial access to high-value organizations, with a clear focus on critical infrastructure targets in North America since at least 2025....
    As of mid-September 2025, GOLD SALEM has named 60 victims, placing it mid-tier among active ransomware groups. Its targets range from small entities to major multinational firms across North America, Europe, and South America. Consistent with typical ransomware behavior, the group has mostly avoided victims in China and Russia....
    On September 15, attackers launched a targeted phishing campaign to compromise NPM maintainer accounts and inject malicious code into popular JavaScript packages. The attack enabled supply chain compromise, affecting key packages used in application development and cryptography....
    Interlock ransomware, active since late September 2024, targets businesses and infrastructure in North America and Europe with financially driven attacks. The FBI notes its use of encryptors for both Windows and Linux, often impacting virtual machines. Initial access methods include drive-by downloads from compromised sites and the ClickFix social engineering tactic....
    A China-nexus threat actor is actively exploiting a critical vulnerability (CVE-2025-4428) in Ivanti Endpoint Manager Mobile (EPMM) version 12.5.0.0 and earlier. The flaw, when chained with CVE-2025-4427, enables unauthenticated remote code execution on vulnerable systems. Exploitation has been observed since May 15, 2025, targeting internet-facing Ivanti EPMM instances....
    The Black Basta and Cactus ransomware groups have added BackConnect malware to their arsenal as part of their evolving tactics. Attackers exploited social engineering, Microsoft Teams, Quick Assist, and tools like OneDriveStandaloneUpdater.exe to gain initial access and escalate privileges....