
Anomali Cyber Watch: Nimbus Manticore, Spoofed IC3 Portals, a Record-Breaking DDoS Attack, and More

Anomali Threat Research
September 30, 2025

Nimbus Manticore Expands European Espionage Campaign

(published: September 22, 2025)

Researchers report that the Iran-nexus APT group Nimbus Manticore (also linked to UNC1549 and “Iranian Dream Job”) has broadened its operations into Western Europe, targeting the defense, aerospace, and telecommunications industries. The actor delivers malware via highly tailored spear-phishing campaigns posing as HR recruiters, directing victims to fake “career portal” sites with preassigned unique credentials. The payloads include a new backdoor, MiniJunk, which evolves from earlier Minibike variants and uses modular side-loading chains, obfuscation, junk code, and signed binaries to evade detection. A companion stealer, MiniBrowse, targets browser-stored credentials. Infrastructure blends Cloudflare and Azure App Services for resilience, and domains often impersonate major aerospace/defense brands.

Analyst Comment: We are seeing the job market lure become a staple across industries, and it is no accident. Adversaries know people are at their most vulnerable when they are changing roles or looking for new opportunities. Those are high-emotion moments where trust comes more easily and scrutiny slips. Nimbus Manticore’s use of tailored credentials and convincing career portals is just one example of a wider trend that is gaining traction. This is a friendly reminder that vigilance matters most when you are in situations where you want to trust, like job applications, because those are the very spaces attackers are working hardest to exploit.

MITRE ATT&CK: T1566.001 - Phishing: Spearphishing Attachment | T1574.002 - Hijack Execution Flow: DLL Side-Loading | T1053 - Scheduled Task/Job | T1555.003 - Credentials from Password Stores: Credentials from Web Browsers

FBI Warns of Spoofed IC3 Complaint Portals

(published: September 22, 2025)

The FBI issued a Public Service Announcement warning that cybercriminals are operating fraudulent websites impersonating the Internet Crime Complaint Center (IC3.gov). These spoofed portals closely mimic the legitimate IC3 site, tricking victims into submitting personally identifiable information and financial details through fake complaint forms. According to the FBI, the harvested data can be used for identity theft, financial fraud, or leveraged in further cybercrime schemes. Attackers often register domains that differ from the official site by small variations, making them difficult for victims to detect. The FBI emphasized that the authentic IC3 portal remains at ic3.gov only.

Analyst Comment: The IC3 portal is open to the public for reporting fraud, scams, ransomware, or identity theft. But in practice, it’s also used a lot by cybersecurity and business professionals to file reports on behalf of their organizations. That means any data harvested from spoofed sites isn’t just consumer-grade information; it could include corporate breach details, contact data for security staff, technical indicators, or even financial account information. That level of detail would be highly valuable for threat actors. They could weaponize it to launch tailored follow-on attacks against businesses, such as spearphishing security teams, exploiting disclosed infrastructure weaknesses, or using financial data for targeted fraud.

MITRE ATT&CK: T1566 - Phishing | T1566.002 - Phishing: Spearphishing Link | T1589 - Gather Victim Identity Information | T1589.001 - Gather Victim Identity Information: Credentials | T1583.001 - Acquire Infrastructure: Domains | T1567 - Exfiltration Over Web Service

GitHub to Tighten NPM Security After Shai-Hulud Attacks

(published: September 23, 2025)

GitHub announced new security measures to harden the NPM ecosystem following recent supply chain incidents, including the Shai-Hulud self-propagating malware. The company will enforce mandatory two-factor authentication, deprecate legacy tokens, shorten token lifespans, and expand use of “trusted publishing” to reduce API token risks. Over 500 malicious packages linked to Shai-Hulud were removed, but experts warn that attackers will continue to exploit weak authentication and developer trust. While these steps mark progress, analysts stress that package registries are only one part of the wider open-source attack surface, and broader defenses remain necessary.

Analyst Comment: These changes are promising, but what matters is whether developers actually adopt them. We have seen fixes before that remain optional until the next crisis. Mandatory 2FA and short-lived tokens are overdue, and while they won’t solve every issue, they do raise the bar significantly. I see this as a welcome but partial step in a much longer fight to secure software supply chains.

Cloudflare Mitigates New Record-Breaking 22.2 Tbps DDoS Attack

(published: September 23, 2025)

Cloudflare recently disclosed that it successfully defended against a Distributed Denial-of-Service (DDoS) attack peaking at 22.2 terabits per second (Tbps) and 10.6 billion packets per second (Bpps). The 40-second assault targeted a single IP address belonging to an unnamed European infrastructure customer. The attack was traced to more than 404,000 unique source IPs across 14+ autonomous systems, with internal assessments suggesting the traffic sources were not spoofed. Cloudflare has not publicly confirmed the attacker, but analysts point to the Aisuru botnet, which has been linked to other large-scale DDoS campaigns using compromised IoT devices.

Analyst Comment: What strikes me the most isn’t just the 22.2 Tbps peak, it’s how quickly that number eclipsed the previous 11.5 Tbps record, essentially doubling in a matter of weeks. That kind of acceleration tells us attackers are not only scaling up capacity but also operational tempo. It may suggest access to larger or better-coordinated botnets, and that record-breaking floods are becoming less outliers and more proof of an upward trend. Cloudflare has already mitigated 20.5 million DDoS attacks, including 6.6 million directed at its own infrastructure, in Q1 2025 alone. That level of volume, in just one quarter, proves that defenders are under sustained pressure, not occasional spikes. Organizations would be well advised to revisit their DDoS response and resilience strategies to ensure they align with the scale and frequency now being observed.

MITRE ATT&CK: T1584.005 - Compromise Infrastructure: Botnet | T1499 - Endpoint Denial of Service

Cybersecurity Training Programs Fail to Prevent Phishing Success

(published: September 22, 2025)

In an eight-month randomized controlled trial involving over 19,500 employees of UC San Diego Health, researchers tested both annual mandated cybersecurity training and embedded phishing training. They found no significant difference in phishing click rates between employees who had recently completed training and those who had not. Embedded training showed only a 2% absolute reduction in click rates, and most users engaged with the training materials for under a minute, or abandoned them entirely. Over time, the click-through rate increased: from 10% in month one to over 50% having clicked at least one malicious link by month eight. The study’s authors conclude that, as currently deployed, these training methods offer minimal real-world protection against phishing.

Analyst Comment: While this isn’t the usual ACW story, I’ve included it because the study highlights a weakness that is too often overlooked. The authors recommend strengthening technical mitigations, and those controls are certainly essential. But in my view, if the core issue is lack of engagement, then culture is just as important. It may also be time to rethink how training itself is delivered. Real awareness is built when we move beyond box-ticking modules and instead create forums where people share experiences and talk openly. Clicking through phishing slides in isolation rarely shifts behavior. Small group sessions and peer discussions may help make security feel collective rather than imposed. Once a common weakness is identified, it becomes an opportunity not only to redesign awareness efforts but also to rethink the technical safeguards that should reinforce them.

Cisco IOS Zero-Day Exploited via SNMP Buffer Overflow

(published: September 24, 2025)

Cisco has disclosed CVE-2025-20352, a high-severity zero-day in IOS and IOS XE software actively exploited in attacks. The flaw stems from a stack-based buffer overflow in the SNMP subsystem, affecting any device with SNMP enabled. Attackers with low privileges can trigger denial-of-service, while those with higher privileges can achieve full root access. Exploitation involves sending crafted SNMP packets over IPv4/IPv6. Cisco confirmed in-the-wild abuse following credential compromise and urges immediate upgrades to patched releases.

Analyst Comment: If patching cannot be applied immediately, Cisco advises restricting SNMP access on affected systems to trusted users. This may reduce exposure temporarily, but it does not eliminate the underlying risk, which is why timely patching remains essential.

MITRE ATT&CK: T1190 - Exploit Public-Facing Application | T1210 - Exploitation of Remote Services | T1543 - Create or Modify System Process | T1055 - Process Injection | T1078 - Valid Accounts

New SVG-Based Phishing Campaign Exposes Weakness in Image File Trusting

(published: September 25, 2025)

A recent campaign uncovered by Malwarebytes demonstrates a novel phishing tactic: embedding obfuscated JavaScript into SVG (Scalable Vector Graphics) files to surreptitiously redirect users to credential-stealing sites. The malicious SVG named RECEIPT.SVG encodes a redirect URL via numeric offsets hidden in “data-ingredients” fields. The attacker embeds the recipient’s email inside the SVG, making targeting highly personalized. Microsoft has observed similar AI-obfuscated SVG phishing, where files disguised as PDF dashboards contained synthetic naming and hidden scripting to evade detection. Broader analyses from Cloudflare and IBM confirm that weaponized SVG files are rising across sectors, often bypassing conventional filters and enabling advanced malware delivery.

Analyst Comment: What makes this campaign unusual is the way the redirect URL is hidden in what looks like a cooking recipe. The SVG carries fields such as 219cups_flour or 205tbsp_eggs. When the script runs, it pulls out the number at the front of each entry, subtracts 100, and then checks if the result lines up with a printable ASCII character. Each valid number is converted into a letter, and the sequence of letters is stitched together to reveal the hidden URL. Once that string is built, the script pushes the browser to it. It is a blunt but clever method of hiding text in plain sight.
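The decoding rule described above (leading number, minus 100, keep only printable ASCII, concatenate), written as an analyst triage helper in Python. This is an added example, not code from the campaign or from Malwarebytes; the attribute name `data-ingredients`, the whitespace-separated entry layout, and the sample SVG with its placeholder domain are assumptions constructed here.

```python
import re
from xml.etree import ElementTree as ET

# Constructed sample, not a file from the campaign: the hidden string is a
# placeholder domain. Two entries (50..., 105...) decode outside printable
# ASCII and must be skipped, as the write-up describes.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10"
        data-ingredients="204cups_flour 216tbsp_eggs 216tsp_salt 212g_sugar
        215cups_milk 158tbsp_butter 147tsp_yeast 147g_cocoa 50pinch_nutmeg
        201cups_flour 220tbsp_eggs 197tsp_salt 209g_sugar 212cups_milk
        208tbsp_butter 201tsp_yeast 146g_cocoa 205cups_flour 210tbsp_eggs
        218tsp_salt 197g_sugar 208cups_milk 205tbsp_butter 200tsp_yeast
        105pinch_nutmeg"/>
</svg>"""

ENTRY_RE = re.compile(r"^(\d+)[A-Za-z_]+$")  # e.g. "219cups_flour"
OFFSET = 100  # the constant subtracted from each leading number


def decode_ingredients(value: str) -> str:
    """Apply the recipe scheme: leading number minus OFFSET gives an ASCII
    code; entries outside printable ASCII are dropped (decoys/padding)."""
    chars = []
    for entry in value.split():
        m = ENTRY_RE.match(entry)
        if not m:
            continue
        code = int(m.group(1)) - OFFSET
        if 32 <= code < 127:  # printable ASCII only
            chars.append(chr(code))
    return "".join(chars)


def find_hidden_strings(svg_text: str) -> list[str]:
    """Decode every data-ingredients attribute found anywhere in the SVG."""
    root = ET.fromstring(svg_text)
    return [decode_ingredients(e.get("data-ingredients"))
            for e in root.iter() if e.get("data-ingredients")]


def looks_like_url(s: str) -> bool:
    """Cheap check used to flag a decoded string for analyst attention."""
    return re.match(r"^(https?:)?//\S+", s) is not None


if __name__ == "__main__":
    for s in find_hidden_strings(SAMPLE_SVG):
        print(f"decoded={s!r} url_like={looks_like_url(s)}")
```

Run against a suspicious SVG, a decoded value that passes `looks_like_url` is a strong signal to block the attachment and pivot on the domain.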

MITRE ATT&CK: T1566.001 - Phishing: Spearphishing Attachment | T1566.002 - Phishing: Spearphishing Link | T1059.007 - Command and Scripting Interpreter: JavaScript | T1027.017 - Obfuscated Files or Information: SVG Smuggling | T1056.003 - Input Capture: Web Portal Capture | T1589.001 - Gather Victim Identity Information: Credentials

Chinese Hackers Deploy “BRICKSTORM” Backdoor in Long-Term Espionage Campaign

(published: September 25, 2025)

Since March 2025, Chinese-linked threat actors (notably UNC5221 and related clusters) have used a stealthy backdoor dubbed BRICKSTORM to infiltrate organizations in legal services, SaaS, technology, and business process outsourcing. The malware is typically deployed on devices lacking traditional endpoint detection (e.g. email gateways, VMware ESXi/vCenter, network appliances), enabling attackers to avoid visibility. Researchers observed an average dwell time of 393 days before detection. Attackers used the access not only for espionage (email snooping, IP theft) but also to exfiltrate source code and hunt for zero-day vulnerabilities for future use.

Analyst Comment: What stands out to me in this campaign is not just the dwell time but the choice of footholds. BRICKSTORM was often planted in systems where defenders look least, which explains how attackers could stay hidden for over a year. That makes this as much about blind spots in visibility as it is about the backdoor itself. Another detail that deserves attention is the theft of source code to aid in zero-day discovery, showing an intent to turn espionage into long-term capability building. For those wondering what to do now, Google and Mandiant have released YARA rules and a scanning tool specifically for detecting BRICKSTORM.

MITRE ATT&CK: T1059 - Command and Scripting Interpreter | T1505.003 - Server Software Component: Web Shell | T1547 - Boot or Logon Autostart Execution | T1555 - Credentials from Password Stores | T1071.001 - Application Layer Protocol: Web Protocols | T1041 - Exfiltration Over C2 Channel | T1587.001 - Develop Capabilities: Malware

Ransomware Activity Hits Record High in 2025

(published: September 26, 2025)

A mid-year report from Searchlight Cyber shows ransomware activity accelerating in 2025, with 3,734 victims listed on extortion sites from January to June, a 67% rise year-on-year. The surge is fueled by Ransomware-as-a-Service operations, Initial Access Brokers selling credentials, and continued exploitation of unpatched vulnerabilities. Groups are increasingly shifting from encryption toward data theft and extortion, a response to improved victim backup strategies. The United States and other NATO countries remain primary targets due to their economic value and geopolitical significance. The report also highlights the rapid turnover of groups, complicating attribution as affiliates rebrand or move between operations.

Analyst Comment: As a researcher I also find the pace at which groups rebrand and recycle themselves increasingly telling. Affiliates switching names or joining new operations is not just branding or fallouts, it is becoming a tactic that blurs attribution and keeps pressure on defenders who rely on threat naming to track activity. If you think you are dealing with a “new” group, often it is the same actors operating under a different flag. That reality means focusing less on names and more on behaviors like how they gain initial access or move data out of the network. Monitoring those repeatable tradecraft patterns gives you a better chance of anticipating the next attack than chasing logos and leaks on extortion sites.

MITRE ATT&CK: T1078 - Valid Accounts | T1190 - Exploit Public-Facing Application | T1059 - Command and Scripting Interpreter | T1203 - Exploitation for Client Execution | T1106 - Native API | T1087 - Account Discovery | T1055 - Process Injection | T1499 - Endpoint Denial of Service | T1041 - Exfiltration Over C2 Channel | T1020 - Automated Exfiltration | T1486 - Data Encrypted for Impact

LockBit 5.0 Expands to Windows, Linux, and ESXi Targets

(published: September 25, 2025)

Trend Micro has reported the emergence of LockBit 5.0, an updated ransomware strain that significantly broadens its reach. The Windows variant uses DLL reflection, ETW patching, and event log clearing to obstruct detection and analysis. Linux builds allow attackers to specify target directories via command line, while the ESXi version is engineered to encrypt VMware virtual machines directly, threatening entire virtual infrastructures. All versions apply randomized 16-character extensions to encrypted files and omit systems using Russian locales. Code similarities confirm LockBit 5.0 as an evolutionary step from LockBit 4.0 rather than a fork, reinforcing its role as one of the most advanced and persistent ransomware operations active today.

Analyst Comment: LockBit 5.0’s focus on ESXi is the most telling development. By hitting the virtualization layer, attackers can cripple dozens of systems in one move, making recovery far harder than a typical endpoint infection. Too many organizations still overlook hypervisors in their security planning. This shift makes it clear that backups, segmentation, and recovery drills must explicitly cover virtual environments. LockBit is signaling that the real prize is not the endpoint but the infrastructure running beneath it.

MITRE ATT&CK: T1620 - Reflective Code Loading | T1562.006 - Impair Defenses: Indicator Blocking | T1070.001 - Indicator Removal on Host: Clear Windows Event Logs | T1486 - Data Encrypted for Impact | T1675 - ESXi Administration Command

Anomali Threat Research

Anomali's Threat Research team continually tracks security threats to identify when new, highly critical security threats emerge. The Anomali Threat Research team's briefings discuss current threats and risks like botnets, data breaches, misconfigurations, ransomware, threat groups, and various vulnerabilities. The team also creates free and premium threat intelligence feeds for Anomali's industry-leading Threat Intelligence Platform, ThreatStream.
