Cyber Intelligence
New Year’s Forecast Takes Root
This report contains selected cybersecurity information from 9–22 January 2026.
This report is TLP:CLEAR¹ and may be shared freely.
David Swan, Director, CSCIS Cyber Intelligence Defence Centre (CIDC)
Publisher – CSCIS / David Swan, Director CIDC
Release: 22 January 2026.
Synopsis
1. The hacker environment is not getting any better. The number of hackers and hacking groups continues to increase, and hackers are working smarter, including by using AI. Hacktivists and state actors are expected to target the Winter Olympics. North Korea is using QR codes for cyber espionage and is also targeting job seekers. The PRC is running an espionage campaign that uses Venezuela-themed lures against U.S. targets, another that exploits virtual-machine hosts, and yet another targeting critical infrastructure (again). We are reporting three Russian items: APT28 credential harvesting against energy, nuclear, and policy staff, a new malware attack on Ukrainian defence forces, and NoName057(16) attacking the UK. The U.S. is using cyber weapons against Venezuela.
2. It is our assessment that the three major cyber conflicts—Russia vs. Ukraine, Iran vs. Israel, and the People’s Republic of China vs. others—are the most likely sources for the creation of next-generation malware and/or primary sources of cyberattacks. This includes government-funded hackers (military, intelligence, and civilian employees), affiliated hackers (criminals and mercenaries), and volunteer “supporters.”
Criminal Hackers
3. The Number of Hackers Is Increasing: Law-enforcement agencies around the globe are becoming better at identifying and prosecuting criminal hackers. Occasionally these reports make it into the mainstream media, raising the question: Are these arrests making an impact?
Security firm Emsisoft says ransomware attacks continued to climb last year, with more victims appearing on extortion sites and more groups operating than ever before. Trackers monitoring ransomware leak sites logged more than 8,000 claimed victims worldwide in 2025, a rise of more than 50 percent compared to 2023. Emsisoft’s numbers also suggest there are more gangs in the game than there were a couple of years ago, with the count of active ransomware crews climbing from a few dozen in 2023 to well into three figures by the end of 2025. Instead of a handful of mega-brands dominating, the scene now looks messier, with lots of smaller outfits popping up, disappearing, and reappearing under new names as affiliates drift between operations.²
4. Hacking Groups Are Multiplying: The Emsisoft report is supported across the cybersecurity industry. Law-enforcement prosecutions of major groups have caused those groups to divide and multiply, increasing the overall threat.
- Ransomware activity never dies; it multiplies
- Ransomware activity surges to record levels
- Ransomware attacks showed a 45 percent increase in 2025
- Account-compromise threats up nearly 400 percent in the past year
- Global ransomware attacks rose 32 percent in 2025, with manufacturers emerging as the top target
5. Hackers Using AI: Amplifying the problem is hacker use of artificial intelligence (AI) to develop better malware and more effectively attack their targets. Cybersecurity company Check Point Software reports that “Ransomware continues to scale through industrialized operations, while unmanaged GenAI usage is creating widespread data exposure at the enterprise level.”³
Analysts’ Comment: Not only are the bad actors using AI to attack; unmanaged corporate use of GenAI is also exposing data and making organizations more vulnerable.
6. Hackers Attacking ‘Smarter’: Another emerging trend among criminal hackers is an increase in methodical, long-term attacks on high-value targets. One recent example is the Dutch hacker who lost his appeal against a conviction for hacking the Port of Antwerp to help smuggle cocaine. “The hacker bribed an Antwerp port worker to insert a malware-infected USB, creating a backdoor that gave remote access to container, gate, and access-control systems.”⁴ The trend ranges from attacking larger, more lucrative targets to becoming more creative in hiding tracks.
- Microsoft says Azure was hit with a massive DDoS attack launched from over 500,000 IP addresses
- “‘Imagination is the limit’: DeadLock ransomware gang using smart contracts to hide their work”
7. Hackers Targeting Cloud Computing Environments: Cybersecurity firms warn that a new malware framework targets the Linux hosts that underpin modern cloud infrastructure. “VoidLink can target machines within popular cloud services by detecting if an infected machine is hosted inside AWS, GCP, Azure, Alibaba, and Tencent, with indications that developers plan to add Huawei, DigitalOcean, and Vultr in future releases.”⁵
The severity of VoidLink is difficult to overstate. “VoidLink targets victims’ cloud infrastructure with more than 30 plugins, allowing activities ranging from silent reconnaissance and credential theft to lateral movement and container abuse. When VoidLink detects tampering or malware analysis, it can delete itself and invoke anti-forensics modules designed to remove traces of its activity.”⁶
Analysts’ Comment: This malware was written in part by AI to attack the Linux backbone of cloud infrastructure.
- VoidLink: The Cloud-Native Malware Framework Weaponizing Linux Infrastructure
- Remember VoidLink, the cloud-targeting Linux malware? An AI agent wrote it
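To make the provider-detection step concrete, the following is an added example written for this report; it is not VoidLink's own code or anything from the cited reporting. It reproduces a cloud-provider fingerprint from the SMBIOS strings that Linux exposes under /sys/class/dmi/id/, which is the quietest way an implant can answer the question the quote describes (no network traffic, four file reads). The AWS, GCP and Azure strings are documented values; the Alibaba and Tencent patterns are assumptions, as marked in the code.

```python
"""
Added example, not VoidLink's code: reproduce the cloud-provider
fingerprint that the quoted reporting attributes to VoidLink, from the
SMBIOS strings Linux exposes under /sys/class/dmi/id/.
AWS/GCP/Azure strings are documented; Alibaba/Tencent are assumptions.
"""
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

# Azure sets this fixed chassis asset tag on its Hyper-V guests; it is what
# separates an Azure VM from an on-premises Hyper-V VM.
AZURE_ASSET_TAG = "7783-7084-3265-9085-8269-3286-77"


@dataclass(frozen=True)
class DmiInfo:
    sys_vendor: str = ""
    product_name: str = ""
    bios_version: str = ""
    chassis_asset_tag: str = ""


def read_dmi(dmi_dir: str = "/sys/class/dmi/id") -> DmiInfo:
    """Read the four DMI fields from sysfs; unreadable or missing files become ''."""
    def field(name: str) -> str:
        try:
            return Path(dmi_dir, name).read_text(errors="replace").strip()
        except OSError:
            return ""
    return DmiInfo(field("sys_vendor"), field("product_name"),
                   field("bios_version"), field("chassis_asset_tag"))


def classify(dmi: DmiInfo) -> Optional[str]:
    """Map DMI strings to a provider name, or None for bare metal / other hypervisors."""
    vendor, product, bios = (s.lower() for s in (dmi.sys_vendor, dmi.product_name, dmi.bios_version))
    if "amazon" in vendor or "amazon" in bios:          # Nitro: "Amazon EC2"; Xen-era: "4.2.amazon"
        return "aws"
    if vendor.startswith("google") or "google compute engine" in product:
        return "gcp"
    if dmi.chassis_asset_tag.strip() == AZURE_ASSET_TAG:  # vendor/product alone also match on-prem Hyper-V
        return "azure"
    if "alibaba" in vendor or "alibaba" in product:     # assumed: "Alibaba Cloud" / "Alibaba Cloud ECS"
        return "alibaba"
    if "tencent" in vendor or "tencent" in product:     # assumed: "Tencent Cloud"
        return "tencent"
    return None


def fingerprint() -> Optional[str]:
    """Classify the host this script is running on."""
    return classify(read_dmi())


if __name__ == "__main__":
    print(fingerprint() or "unknown/bare-metal")
```

The defensive use is the inverse of the script: a process that is not your cloud agent or configuration tooling reading these sysfs files, or calling the instance metadata endpoint at 169.254.169.254, is performing exactly this fingerprinting step and is worth alerting on.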
8. Hackers Planning Attacks on the Winter Olympics: Reports of “chatter” on hacker social media indicate discussion of attacks on the Winter Olympics, which open in two weeks. Palo Alto Networks’ Unit 42 warns that attacks should be expected. “Hacktivist groups want to draw attention to themselves and their cause,” Unit 42 said. “They undermine targets by creating instability through disruption.” The report identified groups such as Russia’s APT28, China’s Mustang Panda, and North Korea’s Kimsuky as state-sponsored actors with the capability to attack the Olympics.⁷
North Korea
9. Quishing Campaign: The FBI issued a warning about a North Korean “quishing” campaign. Quishing—QR-code phishing—embeds the phishing URL in a QR code instead of a clickable link. Because the victim scans the code with a phone rather than clicking in the mail client, the URL bypasses the link rewriting and scanning applied to the message body and lands on a device that is often unmanaged. These attacks are typically targeted rather than mass campaigns. Attackers impersonated trusted figures such as foreign advisors, embassy staff, and think-tank employees. Victims were primarily in South Korea, with others in the United States, Europe, and Russia.⁸ ⁹
10. PurpleBravo Hackers Target Job Seekers: Recorded Future’s Insikt Group reports that the group targeted 20 companies in Belgium, Bulgaria, Costa Rica, India, Italy, the Netherlands, Pakistan, Romania, the UAE, and Vietnam. Hackers posed as recruiters—often claiming to be from Odesa, Ukraine—and tricked job seekers into executing malicious code in Microsoft Visual Studio Code, which installed a backdoor. In several cases the code was executed on corporate devices, extending the exposure to the employer’s network.¹⁰
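The practical check for paragraph 10 is a pre-flight scan of any “coding test” repository before it is opened in an editor or its dependencies are installed. The script below is an added example written for this report, not code from Recorded Future’s analysis, and the report does not say how PurpleBravo’s code was executed; the two hooks it looks for (VS Code tasks configured to run on folder open, and npm lifecycle scripts that run during `npm install`) are assumed, well-known auto-execution paths rather than confirmed PurpleBravo tradecraft. The sample repository it builds is constructed for the demonstration.

```python
"""
Added example, not from Recorded Future's report: pre-flight scan of a
"take-home test" repository for hooks that execute without the user
deliberately running anything. The hooks checked are assumptions about
what a recruiter-lure repo might carry, not confirmed PurpleBravo TTPs.
"""
import json
import re
import tempfile
from pathlib import Path

# npm runs these automatically during `npm install`; no user action is needed.
NPM_LIFECYCLE = {"preinstall", "install", "postinstall", "prepare"}


def _load_jsonc(path: Path):
    """Parse JSON that may carry full-line // comments (VS Code's JSONC)."""
    text = re.sub(r"^\s*//.*$", "", path.read_text(errors="replace"), flags=re.M)
    return json.loads(text)


def scan_repo(root: str) -> list[str]:
    """Return human-readable findings for auto-executing hooks under root."""
    base = Path(root)
    findings: list[str] = []

    # 1. VS Code tasks with runOptions.runOn == "folderOpen" start when the
    #    folder is opened (VS Code asks once, unless the workspace is trusted).
    tasks_file = base / ".vscode" / "tasks.json"
    if tasks_file.is_file():
        try:
            tasks = _load_jsonc(tasks_file)
        except ValueError:
            findings.append(".vscode/tasks.json: unparseable; review by hand")
            tasks = {}
        if not isinstance(tasks, dict):
            tasks = {}
        for task in tasks.get("tasks", []):
            if task.get("runOptions", {}).get("runOn") == "folderOpen":
                cmd = f"{task.get('command', '')} {' '.join(task.get('args', []))}".strip()
                findings.append(f".vscode/tasks.json: task {task.get('label')!r} runs on folderOpen: {cmd}")

    # 2. npm lifecycle scripts in every package.json outside node_modules.
    for pkg in base.rglob("package.json"):
        if "node_modules" in pkg.parts:
            continue
        rel = pkg.relative_to(base)
        try:
            scripts = _load_jsonc(pkg).get("scripts", {})
        except ValueError:
            findings.append(f"{rel}: unparseable; review by hand")
            continue
        for name, cmd in scripts.items():
            if name in NPM_LIFECYCLE:
                findings.append(f"{rel}: lifecycle script {name}: {cmd}")
    return findings


def demo_scan() -> list[str]:
    """Build a constructed sample repo in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / ".vscode").mkdir()
        (root / ".vscode" / "tasks.json").write_text(
            "// constructed sample, not a real lure\n"
            '{"version": "2.0.0", "tasks": [{"label": "env-check", "type": "shell",\n'
            '  "command": "node", "args": [".vscode/check.js"],\n'
            '  "runOptions": {"runOn": "folderOpen"}}]}\n'
        )
        (root / "package.json").write_text(
            '{"name": "take-home", "scripts": {"test": "jest",\n'
            '  "postinstall": "node scripts/fetch-assets.js"}}\n'
        )
        dep = root / "node_modules" / "left-pad"   # vendored deps are skipped
        dep.mkdir(parents=True)
        (dep / "package.json").write_text('{"scripts": {"postinstall": "true"}}')
        return scan_repo(tmp)


if __name__ == "__main__":
    for line in demo_scan():
        print(line)
```

Run it against the cloned repository before opening the folder; a clean result is not proof of safety (the report’s cases may have relied on the candidate running a script by hand), but either finding is reason to stop and review the repo in an isolated VM instead of a corporate laptop.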
People’s Republic of China (PRC)
11. Venezuela-Themed Lures: Mustang Panda is suspected behind a campaign targeting U.S. government and political organizations using a ZIP file titled “US now deciding what’s next for Venezuela.zip.” The file contains a DLL (Dynamic-Link Library) delivering the LOTUSLITE backdoor.¹¹
12. PRC Hackers Target Virtual Machines: Two newly discovered campaigns target essential infrastructure. Virtual machines (VMs) let several servers share a single physical host, so a compromised hypervisor exposes every VM running on it. “Huntress identified a compromised SonicWall VPN appliance used to deploy a VMware ESXi exploit.”¹² Three chained exploits gave the attackers access to the VM hosts.
13. UAT-8837 Targeting Critical Infrastructure: Cisco Talos identified PRC group UAT-8837 targeting North American critical-infrastructure sectors. After gaining access, the group deploys open-source tools to harvest credentials and Active Directory data, creating persistent access.¹³
Russia
14. APT28 Targeting Energy, Nuclear, and Policy Staff: APT28 is running credential-harvesting campaigns against Turkish energy and nuclear agencies, European think tanks, and organizations in North Macedonia and Uzbekistan. Fake login pages mimicking Outlook, Google, and Sophos VPN were used.¹⁴
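Both the North Korean quishing campaign (paragraph 9) and the APT28 fake Outlook, Google and Sophos VPN login pages (paragraph 14) come down to a URL that impersonates a brand the victim trusts. The script below is an added triage example written for this report, not code from the FBI, CERT or vendor sources cited; it takes a URL (decoded from a QR code, or the action of a suspect login form) and lists the impersonation patterns it finds. The brand-to-domain allow-list, the sample URLs and the `.example` domains are constructed, and the registered-domain logic is a simplification (last two labels, no Public Suffix List).

```python
"""
Added example, not from the cited sources: triage a URL recovered from a
QR code or a suspected fake login page for brand-impersonation patterns.
Brand allow-list and sample URLs are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Assumed allow-list: the brands the lures imitate and the domains they really use.
BRAND_DOMAINS = {
    "outlook": {"outlook.com", "office.com", "microsoft.com", "microsoftonline.com", "live.com"},
    "google": {"google.com", "gmail.com"},
    "sophos": {"sophos.com"},
}

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def registered_domain(host: str) -> str:
    """Last two labels of the host; a simplification (no Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def triage(url: str) -> list[str]:
    """Return the reasons a URL looks like a credential-harvesting lure ([] if none)."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    reasons: list[str] = []
    if parts.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {parts.scheme!r}")
    if not host:
        reasons.append("no host")
        return reasons
    if "@" in parts.netloc:                               # https://outlook.com@evil.example/
        reasons.append("userinfo before host (host-hiding trick)")
    if IPV4.match(host):
        reasons.append("raw IP address as host")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label (possible homoglyph domain)")
    reg = registered_domain(host)
    hay = host + parts.path.lower()
    for brand, legit in BRAND_DOMAINS.items():
        if reg in legit:
            continue                                      # genuinely on the brand's own domain
        if brand in hay:                                  # sophos-vpn-portal.example, /outlook/login
            reasons.append(f"brand {brand!r} on non-brand domain {reg}")
        for d in legit:
            if d + "." in host:                           # outlook.com.account-verify.example
                reasons.append(f"{d} used as a subdomain of {reg}")
    return reasons


def is_suspicious(url: str) -> bool:
    return bool(triage(url))


if __name__ == "__main__":
    for sample in ("https://outlook.com/owa",
                   "https://outlook.com.account-verify.example/login",
                   "https://sophos-vpn-portal.example/remote",
                   "http://192.0.2.10/qr"):                # constructed samples
        print(sample, "->", triage(sample) or "no findings")
```

A clean result only means none of these coarse patterns matched; a lure hosted on a freshly registered domain with no brand string in it passes, so the check belongs in front of a reputation lookup and a sandbox visit, not in place of them.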
15. PLUGGYAPE Malware Targets Ukrainian Defence Forces: CERT-UA reports a social-engineering campaign in which attackers lure victims to fake charity websites that deliver malicious executables. A Python-based installer then deploys the PLUGGYAPE backdoor, giving the attackers remote access to infected systems.¹⁵
16. UK National Cyber Security Centre Warns of Pro-Russian Hackers: The NCSC warns that NoName057(16) continues targeting the UK via DDoS attacks coordinated on Telegram and GitHub.¹⁶ Senior officials warn these attacks, while technically simple, can significantly disrupt essential services.¹⁷
United States
17. U.S. Uses Cyber Weapons Against Venezuela: The New York Times reports the U.S. used cyber weapons in operations against Venezuela, temporarily shutting off power in Caracas and interfering with air-defence radar. RUSI assessed the operation relied on “layered effects” combining cyber and kinetic tools.¹⁸
For more information on the CIDC, this Intelligence Report or to have a dedicated briefing please contact cidc@cscis.org