Source: news.sophos.com – Author: mindimcdowell
This issue of the Counter Threat Unit's high-level bimonthly report discusses noteworthy updates in the threat landscape during March and April.
Executive summary
The Counter Threat Unit™ (CTU) research team analyzes security threats to help organizations protect their systems. Based on observations in March and April, CTU™ researchers identified the following noteworthy issues and changes in the global threat landscape:
- Cybersecurity lessons for HR
- Black Basta leaks provided strategic takeaways
- To future-proof cybersecurity, start now
Cybersecurity lessons for HR
Threat actors are increasingly targeting corporate departments where cybersecurity is not always the first thing they think about.
CTU researchers continue to investigate the ongoing and expanding North Korean campaign to embed fraudulent workers into Western organizations. The North Korean government has multiple goals: generate revenue via salaries to evade sanctions, conduct cyberespionage, obtain access to steal cryptocurrency, and carry out extortion operations. In a possible reaction to elevated awareness by U.S.-based organizations, North Korean state-sponsored threat groups such as NICKEL TAPESTRY have increased targeting of European and Japanese organizations as well. In addition to posing as American candidates, fraudulent workers applying to positions in Japan and the U.S. are adopting Vietnamese, Japanese, and Singaporean personas for their resumes.
Suspicious signs that a candidate is not who they claim to be include digitally manipulated stock photos, names or voices changing during the application process, an unverifiable employment history, and requests to use their own devices and virtual desktop infrastructure. Applicants are increasingly using AI to manipulate photos, generate resumes, and take part in interviews, and there has been an increase in the number of female personas. Once employed, these workers may steal data or cryptocurrency wallets and deploy malware on the system. It is essential for human resources (HR) and recruitment professionals to be able to identify fraudulent candidates to protect their organizations.
NICKEL TAPESTRY and other groups such as GOLD BLADE are also focusing on HR staff and recruiters. CTU researchers observed GOLD BLADE targeting talent acquisition staff in phishing attacks that were likely part of corporate espionage operations. PDF resumes uploaded to the victim’s external job application site contained malicious code that ultimately led to system compromise. The attacks impacted organizations in Canada, Australia, and the UK.
CTU researchers recommend that organizations educate HR employees about risks associated with phishing and social engineering attacks and specifically about the dangers posed by fraudulent North Korean workers. Organizations should establish processes for reporting suspicious candidates and other malicious activities.
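One concrete process an organization can put behind that recommendation is a first-pass screen of resume uploads before a recruiter opens them. The following is an added example, not code from the report or from Secureworks: it flags PDFs that carry active or embedded content a plain resume has no need for, and it undoes the `#xx` name escaping that PDF allows so a simple rename of `/JavaScript` does not slip past. The sample documents are constructed inline for illustration.

```python
import re

# Standard PDF dictionary keys that a plain text resume should not contain.
# A hit means "quarantine and inspect", not proof of malice.
SUSPICIOUS_MARKERS = {
    b"/JavaScript": "embedded JavaScript",
    b"/JS": "JavaScript action",
    b"/OpenAction": "action run when the document opens",
    b"/AA": "additional (automatic) action",
    b"/Launch": "launch action (runs an external program)",
    b"/EmbeddedFile": "embedded file attachment",
    b"/RichMedia": "rich media content",
    b"/XFA": "XFA form",
}


def _unescape_names(data: bytes) -> bytes:
    """PDF names may spell characters as #xx hex escapes (/J#61vaScript).
    Decode them so the marker scan sees the canonical key name."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1).decode(), 16)]), data)


def triage_pdf(data: bytes) -> dict:
    """Return a triage verdict for the raw bytes of an uploaded file.
    findings maps marker -> (description, occurrence count)."""
    if not data.startswith(b"%PDF-"):
        return {"is_pdf": False, "findings": {}, "quarantine": True}
    body = _unescape_names(data)
    findings = {}
    for marker, desc in SUSPICIOUS_MARKERS.items():
        # Require a non-letter after the key so /JS does not match /JSX-like names.
        hits = len(re.findall(re.escape(marker) + rb"(?![A-Za-z])", body))
        if hits:
            findings[marker.decode()] = (desc, hits)
    return {"is_pdf": True, "findings": findings, "quarantine": bool(findings)}


# Constructed sample uploads (minimal PDF fragments, not real resumes).
CLEAN_RESUME = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
                b"4 0 obj << /Type /Font /BaseFont /Helvetica >> endobj\n")
ACTIVE_RESUME = (b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
                 b"3 0 obj << /S /JavaScript /JS (x) >> endobj\n")
# Same content with the key names hex-escaped to evade a naive string match.
OBFUSCATED_RESUME = (b"%PDF-1.7\n1 0 obj << /Type /Catalog /Open#41ction 3 0 R >> endobj\n"
                     b"3 0 obj << /S /Java#53cript /JS (x) >> endobj\n")

if __name__ == "__main__":
    for name, doc in [("clean", CLEAN_RESUME), ("active", ACTIVE_RESUME),
                      ("obfuscated", OBFUSCATED_RESUME)]:
        print(name, triage_pdf(doc))
```

Files that trip the check should be routed to sandbox detonation or a full PDF parser rather than opened on a recruiter's workstation.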
What You Should Do Next
Ensure that your recruiters conduct candidate verification checks, and take additional measures to verify
Black Basta leaks provided strategic takeaways
Publicly exposed chat logs revealed details of Black Basta ransomware operations.
Analysis of Black Basta chat logs that were posted first to a file-sharing service and then to Telegram did not radically change CTU researchers’ understanding of the ransomware landscape. However, the logs do contain information about the GOLD REBELLION threat group’s operation. They also reinforce lessons about how important it is for organizations to maintain good cyber defenses. Ransomware attacks remain largely opportunistic, even if groups such as GOLD REBELLION perform triage after obtaining initial access to evaluate the victim’s viability as a ransomware target. Organizations cannot afford to relax their defenses.
Ransomware and extortion groups innovate when it benefits them; for example, Anubis offers an unusual range of options to its affiliates, and DragonForce attempted to rebrand as a cartel. However, proven approaches and tactics continue to be popular. The leaks confirmed that GOLD REBELLION is one of many ransomware groups that exploit older vulnerabilities for access. Identifying and exploiting zero-days take both technical skills and resources, but these investments are unnecessary when unpatched systems susceptible to older flaws remain abundant. The chat logs also showed that GOLD REBELLION members regularly exploited stolen credentials to access networks. The logs contained usernames and passwords for multiple organizations. To defend against these attacks, organizations must patch vulnerabilities as soon as possible and must protect networks against infostealers that capture credentials.
Like other cybercriminal groups such as GOLD HARVEST, GOLD REBELLION also used social engineering techniques in its attacks. The threat actors posed as IT help desk workers to contact victims via Microsoft Teams. The chat logs contained multiple discussions about effective techniques to use in these attacks. Organizations need to stay up to date on social engineering ruses and how to counter them. Organizations must also ensure that second-line defenses can identify and stop attacks if the social engineering efforts succeed.
The publication of these logs may have caused GOLD REBELLION to cease its operation, as it has not posted victims to its leak site since January 2025. Group members and affiliates have options, though: they may migrate to other ransomware operations or even carry out attacks alone. Network defenders can apply lessons learned from the chat logs to the broader fight against the ransomware threat.
What You Should Do Next
Train employees to recognize and resist evolving social engineering techniques in order to counter a
To future-proof cybersecurity, start now
Migration to technologies that are compatible with post-quantum cryptography requires organizations to start planning now.
Defending an organization against cyber threats can feel like maintaining flood defenses against a constant wave of issues that need addressing now. It may be tempting to put off thinking about threats that seem to be years away, such as quantum computing. However, mitigating these threats can require extensive preparation.
Since 2020, the UK’s National Cyber Security Centre (NCSC) has published a series of documents on the threat posed by quantum computing and on how to prepare for it. Quantum computing’s probable ability to crack current encryption methods will require organizations to upgrade to technology that can support post-quantum cryptography (PQC). This upgrade is necessary to maintain the confidentiality and integrity of their systems and data. Technical standardization has already begun — the U.S. National Institute of Standards and Technology (NIST) published the first three relevant standards in August 2024.
In March 2025, the NCSC published guidance about timelines for migration to PQC. This information primarily targets large and critical national infrastructure organizations. Smaller organizations will likely receive guidance and help from vendors but still need to be aware of the issue. The deadline for complete migration to PQC is 2035, but interim goals are set for defining migration goals, conducting discovery, and building an initial plan by 2028, and for starting highest priority migration and making necessary refinements to the plan by 2031. The guidance says that the primary goal is to integrate PQC without increasing cybersecurity risks, which requires early and thorough planning.
The guidance acknowledges that migration will be a major undertaking for many organizations, especially in environments that include older systems. It is equally explicit that migration cannot be avoided. Organizations that choose to delay will expose themselves to substantial risks posed by quantum computing attacks. While the guidance is aimed at UK organizations, it is also useful for organizations in other countries and may additionally be beneficial for other major technology migration efforts.
What You Should Do Next
Read the NCSC guidance and consider the impact that PQC may have on your technology investment and growth plans over the next 10 years.
Conclusion
The cyber threat landscape is constantly fluctuating, but many of those fluctuations are predictable. They might arise from standardization of new technologies that will lead to different types of threat, or from threat actors continuing to take advantage of old security gaps. Keeping up to date with threat intelligence is an important part of security strategy planning.
Original Post URL: https://news.sophos.com/en-us/2025/07/03/threat-intelligence-executive-report-volume-2025-number-3/
Category & Tags: Threat Research, Black Basta, ctu, employment scam, featured, GOLD REBELLION, human resources, North Korea, post-quantum cryptography