A big finish to 2025 in December’s Patch Tuesday
A month with no Critical-severity Windows bugs is overshadowed by a mass of Mariner mop-up
Sophos Threat Research
React2Shell flaw (CVE-2025-55182) exploited for remote code execution
The availability of exploit code will likely lead to more widespread opportunistic attacks
GOLD SALEM tradecraft for deploying Warlock ransomware
Analysis of the tradecraft evolution across 6 months and 11 incidents
Inside Shanya, a packer-as-a-service fueling modern attacks
The ransomware scene gains another would-be EDR killer
Sharpening the knife: GOLD BLADE’s strategic evolution
Updates include novel abuse of recruitment platforms, modified infection chains, and expansion into a hybrid operation that combines data theft and ransomware deployment
WhatsApp compromise leads to Astaroth deployment
Another campaign targeting WhatsApp users in Brazil spreads like a worm and employs multiple payloads for credential theft, session hijacking, and persistence
November Patch Tuesday does its chores
A cleanup month brings 63 patches… wait, no, 68… how about 61?
BRONZE BUTLER exploits Japanese asset management software vulnerability
The threat group targeted a LANSCOPE zero-day vulnerability (CVE-2025-61932)
Windows Server Update Services (WSUS) vulnerability abused to harvest sensitive data
Exploitation of CVE-2025-59287 began after public disclosure and the release of proof-of-concept code
Threat Intelligence Executive Report – Volume 2025, Number 5
This issue of the Counter Threat Unit’s high-level bimonthly report discusses noteworthy updates in the threat landscape during July and August
F5 network compromised
On October 15, 2025, F5 reported that a nation-state threat actor had gained long-term access to some F5 systems and exfiltrated data, including source code and information about undisclosed product vulnerabilities. This information may enable threat actors to compromise F5 devices by developing exploits for these vulnerabilities. The UK National Cyber Security Centre also notes […]
October Patch Tuesday beats January ’25 record
Microsoft throws a farewell party for Win10, Office 2016, and Office 2019… a very big party
WhatsApp Worm Targets Brazilian Banking Customers
Counter Threat Unit™ (CTU) researchers are investigating multiple incidents in an ongoing campaign targeting users of the WhatsApp messaging platform. The campaign, which started on September 29, 2025, is focused on Brazil and seeks to trick users into executing a malicious file attached to a self-spreading message received from a previously infected WhatsApp web session. […]
HeartCrypt’s wholesale impersonation effort
How the notorious Packer-as-a-Service operation built itself into a hydra
GOLD SALEM’s Warlock operation joins busy ransomware landscape
The emerging group demonstrates competent tradecraft using a familiar ransomware playbook and hints of ingenuity
September Patch Tuesday handles 81 CVEs
The last round of fixes before Win 10’s final shout touches 15 product families, including Xbox
Velociraptor incident response tool abused for remote access
This approach represents an evolution from threat actors abusing remote monitoring and management tools
Threat Intelligence Executive Report – Volume 2025, Number 4
This issue of the Counter Threat Unit’s high-level bimonthly report discusses noteworthy updates in the threat landscape during May and June
August Patch Tuesday includes blasts from the (recent) past
Microsoft haul this month covers 109 CVEs… more or less
Sophos AI at Black Hat USA ’25: Anomaly detection betrayed us, so we gave it a new job
Following on from our preview, here's Ben Gelman and Sean Bergeron's research on enhancing command line classification with benign anomalous data
The Sophos Blog