Major Cybercrime and Malware Trends in December 2025
Cybersecurity agencies and researchers reported a surge in sophisticated cybercrime operations and malware campaigns in December 2025. The month's reporting came against a backdrop of law enforcement actions carried out throughout the year, including the takedown of the cybercriminal forums Cracked and Nulled and the disruption of the Phobos/8Base ransomware operation, as highlighted in SOCRadar's review of the top law enforcement operations of 2025. Concurrently, threat intelligence sources documented a rise in ransomware attacks, with LockBit 5.0 targeting 25 companies globally, and agencies intensifying pressure on pro-Russian hacktivist groups. The month also saw a significant malware incident in New Zealand, where the national cyber security agency warned about 26,000 residents that their devices were infected with Lumma Stealer, a credential-harvesting infostealer.
Technical research revealed the continued evolution of information-stealing malware such as Stealc and Phantom Stealer, which leverage new delivery methods including Discord-hosted payloads and fake software updates. The Mirai botnet family demonstrated renewed activity, with new variants such as Broadside and Jackskid exploiting IoT vulnerabilities and targeting sectors such as maritime logistics. Reports also underscored the growing threat of browser-based attacks, with critical browser vulnerabilities disclosed throughout the year, and the increasing use of social engineering to bypass security controls. These developments reflect a rapidly shifting threat landscape, with attackers adopting advanced techniques and law enforcement responding with coordinated global operations.
Timeline
Dec 11, 2025
HP report details new social engineering malware delivery tactics
HP's Threat Research Team published a report describing novel social engineering techniques, including fake legal notices, Adobe-themed lures, and Discord-hosted malware used to deliver infostealers and remote access tools. The report also found that 11% of email threats bypassed at least one email gateway scanner.
Dec 10, 2025
Stealc V2.9.0 documented with expanded theft and evasion features
By December 2025, researchers documented Stealc version 2.9.0, noting enhanced data collection, improved evasion, and broader support for browsers and cryptocurrency wallets. The report also linked the malware to more than 40 command-and-control servers and ongoing underground log trading.
Dec 9, 2025
New Zealand agency warns 26,000 residents' devices are infected
New Zealand's cyber security agency warned that about 26,000 New Zealanders had devices infected with malicious software. The alert highlighted a large domestic malware infection problem affecting consumer devices.
Nov 1, 2025
ShadowV2 tests attacks across 28 countries during AWS outage
In November 2025, the ShadowV2 Mirai variant used the AWS outage as cover to test its capabilities across 28 countries. The activity demonstrated how botnet operators were exploiting global events to mask or amplify malicious operations.
Nov 1, 2025
Jackskid botnet infects over 40,000 devices per day
As part of the November 2025 Mirai resurgence, the Jackskid botnet was reported infecting more than 40,000 devices daily. The malware also supported high-volume DDoS attacks and additional functions such as crypto-mining and data exfiltration.
Nov 1, 2025
November 2025 wave of major cyber incidents hits multiple organizations
During November 2025, a series of significant cyber incidents affected organizations globally, including the Coupang breach, the Balancer theft, Gainsight token abuse, the Eurofiber GLPI incident, and other large-scale breaches and ransomware attacks. Authorities opened investigations in some cases and affected organizations warned users about follow-on phishing and scam risks.
Nov 1, 2025
Mirai variants resurge in November 2025
In November 2025, Mirai-derived botnets including Jackskid and ShadowV2 resurged, infecting large numbers of IoT devices and driving major DDoS activity. The campaigns targeted routers, DVRs, industrial controllers, and other exposed systems using zero-day exploits, credential brute-forcing, and weakly secured firmware.
Jan 1, 2025
Global law enforcement conducts major cybercrime operations in 2025
Throughout 2025, international law enforcement agencies carried out multiple major actions against cybercrime, including takedowns, seizures, sanctions, and indictments targeting forums, ransomware groups, botnets, and fraud networks. These operations included actions against Cracked and Nulled, Phobos/8Base, LummaC2, NoName057(16), BlackSuit, and other criminal infrastructure.
Jan 1, 2025
SquareX launches 2025 Year of Browser Bugs research
During 2025, SquareX's Year of Browser Bugs project disclosed a series of major browser security issues across conferences and research publications, exposing architectural weaknesses in modern browsers. Some vendors later introduced patches or guardrails in response to specific findings.
Jan 1, 2023
Stealc malware-as-a-service begins operating
The Stealc infostealer began being offered as a malware-as-a-service operation in early 2023, marking the start of its ongoing criminal use and development.
Sources
Reporting from rnz.co.nz, the Foresiet blog and the SOCRadar blog, among others.
Related Stories

Major Cyberattack and Malware Trends in 2025
Cybersecurity threats in 2025 were marked by a surge in sophisticated attacks targeting both enterprises and critical infrastructure. Notable incidents included the exploitation of a zero-day vulnerability (`CVE-2025-61882`) in Oracle E-Business Suite by the Clop ransomware group, leading to data theft and extortion campaigns against multiple organizations. Ransomware activity overall increased, with Akira and Qilin dominating the ransomware-as-a-service market, and new strains like Warlock and HybridPetya introducing advanced evasion and destructive capabilities. The year also saw a significant rise in software supply chain attacks and the emergence of AI-powered malware such as PromptLock, which can generate malicious scripts dynamically. State-sponsored campaigns remained a persistent threat, exemplified by the BRICKSTORM malware attributed to Chinese actors, which targeted VMware and Windows systems in government and IT sectors. Data breaches, such as the API compromise at 700Credit affecting over 5.6 million individuals, highlighted ongoing risks in third-party integrations and API security. Malware-as-a-service platforms like CloudEyE (GuLoader) surged in prevalence, facilitating the distribution of infostealers and ransomware. The threat landscape was further complicated by the proliferation of EDR killers and the rapid evolution of Android NFC-based threats, underscoring the need for robust detection and response strategies across all platforms.
1 month ago
Surge in Diverse Cybercrime Tactics and Malware Campaigns in November 2025
A series of cybersecurity incidents and threat intelligence reports in November 2025 highlight a surge in sophisticated cybercrime tactics, including the exploitation of new vulnerabilities, resurgence of established malware, and the evolution of phishing and credential theft campaigns. Notable events include the disclosure of a critical unauthenticated remote code execution vulnerability (CVE-2025-52665) in Ubiquiti’s UniFi OS, which allows attackers to execute arbitrary commands via the backup API, potentially leading to full device compromise. Concurrently, researchers observed a resurgence in Lumma Stealer activity, with the malware adopting adaptive browser fingerprinting to enhance victim profiling and evade detection, and the reappearance of GootLoader malware using novel font-based obfuscation techniques to deliver payloads through compromised WordPress sites. Other significant threats include the deployment of DarkComet RAT disguised as Bitcoin wallet software, the spread of Maverick banking malware via WhatsApp targeting Brazilian financial institutions, and a European phishing campaign leveraging Telegram bots to exfiltrate credentials. These incidents are set against a backdrop of increasing cyber insurance payouts in the UK, driven by a rise in ransomware and malware attacks, and a proliferation of online scams targeting gambling platforms and social media users. The reports also underscore the growing use of AI in both offensive and defensive cybersecurity operations, with advancements in AI red teaming and blue teaming for code generation models. Collectively, these developments illustrate the rapidly evolving threat landscape, the convergence of traditional and novel attack vectors, and the need for organizations to adopt robust, adaptive security measures to counter increasingly sophisticated adversaries.
1 month ago
September 2025 Major Cybersecurity Incidents and Trends
Multiple significant cybersecurity incidents and trends were reported in September and Q3 2025, highlighting the evolving threat landscape. Ransomware and cyber extortion continued to be major concerns, with Nevada experiencing a historic ransomware attack that forced a near-total shutdown of state government operations, severely disrupting digital infrastructure and putting essential services and resident data at risk. The attack on Nevada was described as unprecedented at the statewide level, underscoring the increasing scale and impact of ransomware campaigns. In the realm of supply chain security, the JavaScript ecosystem faced a major npm supply chain attack in September 2025, which compromised over 180 popular packages, including some under the CrowdStrike namespace. This attack was attributed to the self-replicating "Shai-Hulud" worm, a stark warning about the risks inherent in open-source dependencies and the potential for widespread compromise through software supply chains. Additionally, active exploitation of CVE-2025-10035 in GoAnywhere Managed File Transfer was investigated, indicating ongoing targeting of file transfer solutions by threat actors. The emergence of new malware families was also noted, such as XWorm V6 with its new plugin set and ClayRat, a new Android spyware targeting Russian users. The RondoDox campaign was observed leveraging vulnerabilities first demonstrated at Pwn2Own and employing a shotgun approach to exploitation, further demonstrating the adaptability of threat actors. Over 175 malicious npm packages were identified as hosting phishing infrastructure targeting more than 135 organizations, highlighting the persistent threat of phishing via software repositories. A record DDoS attack by the Aisuru botnet targeted US ISPs, showcasing the scale and sophistication of modern botnet operations.
New Stealit campaigns were reported abusing Node.js single executable applications, reflecting the trend of attackers exploiting developer tools and environments. The newsletters also discussed advancements in malware detection, including quantum computing methods and machine learning approaches such as static portable executable header feature analysis. Cyber warfare activities during Operation Sindoor were analyzed, providing insights into malware campaign tactics and detection frameworks. Security evaluations of Android apps on budget African mobile devices and novel detection methods for railway mobile terminals were also covered, indicating a broadening focus on mobile and IoT security. These developments collectively illustrate the diverse and escalating nature of cyber threats facing organizations and governments worldwide in late 2025.
1 month ago