Cisco Talos is Cisco’s threat intelligence and security research organization that powers Cisco’s product portfolio with that intelligence. While we are well known for the security research in our blog, vulnerability discoveries, and our open-source software, you may not be aware of exactly how our know-how protects Cisco customers.

Talos’ core mission is to understand the broad threat landscape and distill the massive amount of telemetry we ingest into actionable intelligence. This intelligence is put to use in detecting and defending against threats with speed and accuracy, providing incident response and empowering our customers, constituents, and communities with context-rich actionable cyber intelligence. Under the hood of Cisco’s security portfolio, you will find our reputation and detection services applying our real time intelligence to detect and block threats.

Defending networks

Possibly our best-known service is the Cisco Talos Network Intrusion Prevention system, widely known as SNORT®. Snort performs deep packet inspection on network traffic, using advanced signature-based detection to identify known threats. In addition, its machine learning-powered component, SnortML, helps detect and block attempts to exploit zero-day vulnerabilities, providing robust protection against both familiar and emerging network attacks.

Securing the web

The core of securing our customers across our product portfolio is Cisco Talos Web Filtering Service. This service considers the reputation and categorization of domains, IP addresses, and indicators surrounding the URL. The service can proactively block web traffic to sites that have a poor reputation or that serve content in contravention of a customer’s web use policy.

The Cisco Talos DNS Security service augments our web filtering by defending specific attacks at the DNS layer. It detects domains used by threat actors for command and control (C2), data exfiltration, and phishing attacks. Behind the scenes, our machine learning algorithms constantly analyze patterns in the DNS traffic to identify new malicious domains to add to our own intelligence.

Protecting your inbox

Cisco Talos Email Filtering analyzes a wide range of indicators within email to determine if it is malicious, spam, or a genuine email. This includes assessing the sender’s domain and IP reputation and behavior, examining URLs and the content they reference, and evaluating the body of the email, header, and any attachments. By combining these factors, our email filtering can identify benign messages, spam, phish, as well as other unwanted messages.

Cisco Talos Email Threat Prevention goes one step further than DMARC, the standard for properly handling emails with inaccurate sender data, by analyzing anomalies in email traffic patterns with AI, to identify when brands are being impersonated. This technology can detect when an email is likely to be a phish or a business email compromise attempt.

Detecting malware

Talos provides two complementary technologies to detect malware: Cisco Talos Antivirus and Cisco Talos Malware Protection. The former provides signature and pattern detection of malware within files to identify known malware, similar to our ClamAV open-source product. The latter goes further, checking the dispositions of unknown files and looking for suspicious behavior on the machine. This layered approach allows us to quickly spot and contain threats while our researchers scour telemetry for any indications that a bad actor has gained access to a device.

We also provide Orbital queries and scripts, a platform by which administrators can collect information from networked devices and use their own queries (or those provided by us) to hunt for devices that are insecure, out of policy, or potentially affected by a security incident.

Summary

You can find Talos’ intelligence integrated into a wide variety of Cisco products:

Our published research and threat intelligence reports represent just a small part of the work we do at Talos. The many hours our researchers, analysts, and engineers spend researching the threat environment and developing systems to detect and block attacks bear fruit in the components that we deploy as part of the Cisco Security portfolio. Our intelligence and know-how protect Cisco Security customers from threats, brand new or decades old.

Note: You can benefit from the experience of our analysts directly through a Cisco Talos Incident Response (Talos IR) retainer. While Talos IR can provide relevant threat information and expert emergency incident response, you can also use our proactive services to help prepare your systems, support and train your team, or actively hunt for bad guys on your network.

Cisco Talos Blog – ​Read More

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added 245 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog in 2025, as the database grew to 1,484 software and hardware flaws at high risk of cyberattacks. 

The agency removed at least one vulnerability from the catalog in 2025 – CVE-2025-6264, a Velociraptor Incorrect Default Permissions vulnerability that CISA determined had insufficient evidence of exploitation – but the database has generally grown steadily since its launch in November 2021. 

After an initial surge of added vulnerabilities after the database first launched, growth stabilized in 2023 and 2024, with 187 vulnerabilities added in 2023 and 185 in 2024. 

Growth accelerated in 2025, however, as CISA added 245 vulnerabilities to the KEV catalog, an increase of more than 30% above the trend seen in 2023 and 2024. With new vulnerabilities surging in recent weeks, the elevated exploitation trend may well continue into 2026. 

Overall, CISA KEV vulnerabilities grew from 1,239 vulnerabilities at the end of 2024 to 1,484 at the end of 2025, an increase of just under 20%. 

We’ll look at some of the trends and vulnerabilities from 2025 – including 24 vulnerabilities known to be exploited by ransomware groups – along with the vendors and projects that had the most CVEs added to the list this year. 

Older Vulnerabilities Added to CISA KEV Also Grew 

The addition of older vulnerabilities to the CISA KEV catalog also grew in 2025. In 2023 and 2024, 60 to 70 older vulnerabilities were added to the KEV catalog each year. In 2025, the number of vulnerabilities from 2024 and earlier added to the catalog grew to 94, a 34% increase from a year earlier. 

The oldest vulnerability added to the KEV catalog in 2025 was CVE-2007-0671, a Microsoft Office Excel Remote Code Execution vulnerability. 

The oldest vulnerability in the catalog remains one from 2002 – CVE-2002-0367, a privilege escalation vulnerability in the Windows NT and Windows 2000 smss.exe debugging subsystem that has been known to be used in ransomware attacks.  

Vulnerabilities Used in Ransomware Attacks 

CISA marked 24 of the vulnerabilities added in 2025 as known to be exploited by ransomware groups. They include some well-known flaws such as CVE-2025-5777 (dubbed “CitrixBleed 2”) and Oracle E-Business Suite vulnerabilities exploited by the CL0P ransomware group. 

The full list of vulnerabilities newly exploited by ransomware groups in 2025 is included below, and should be prioritized by security teams if they’re not yet patched. 

Vulnerabilities Exploited by Ransomware Groups
CVE-2025-5777	Citrix NetScaler ADC and Gateway Out-of-Bounds Read
CVE-2025-31161	CrushFTP Authentication Bypass
CVE-2019-6693	Fortinet FortiOS Use of Hard-Coded Credentials
CVE-2025-24472	Fortinet FortiOS and FortiProxy Authentication Bypass
CVE-2024-55591	Fortinet FortiOS and FortiProxy Authentication Bypass
CVE-2025-10035	Fortra GoAnywhere MFT Deserialization of Untrusted Data
CVE-2025-22457	Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow
CVE-2025-0282	Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow
CVE-2025-55182	Meta React Server Components Remote Code Execution
CVE-2025-49704	Microsoft SharePoint Code Injection
CVE-2025-49706	Microsoft SharePoint Improper Authentication
CVE-2025-53770	Microsoft SharePoint Deserialization of Untrusted Data
CVE-2025-29824	Microsoft Windows Common Log File System (CLFS) Driver Use-After-Free
CVE-2025-26633	Microsoft Windows Management Console (MMC) Improper Neutralization
CVE-2018-8639	Microsoft Windows Win32k Improper Resource Shutdown or Release
CVE-2024-55550	Mitel MiCollab Path Traversal
CVE-2024-41713	Mitel MiCollab Path Traversal
CVE-2025-61884	Oracle E-Business Suite Server-Side Request Forgery (SSRF)
CVE-2025-61882	Oracle E-Business Suite Unspecified
CVE-2023-48365	Qlik Sense HTTP Tunneling
CVE-2025-31324	SAP NetWeaver Unrestricted File Upload
CVE-2024-57727	SimpleHelp Path Traversal
CVE-2024-53704	SonicWall SonicOS SSLVPN Improper Authentication
CVE-2025-23006	SonicWall SMA1000 Appliances Deserialization

Projects and Vendors with the Highest Number of Exploited Vulnerabilities 

Microsoft once again led all vendors and projects in CISA KEV additions, with 39 vulnerabilities added to the database in 2025, up from 36 in 2024. 

Several vendors and projects had fewer vulnerabilities added in 2025 than they did in 2024, suggesting improved security controls. Among the vendors and projects that saw a decline in KEV vulnerabilities in 2025 were Adobe, Android, Apache, Ivanti, Palo Alto Networks, and VMware. 

11 vendors and projects had five or more KEV vulnerabilities added this year, included below. 

Vendor/project	CISA KEV additions in 2025
Microsoft	39
Apple	9
Cisco	8
Fortinet	8
Google Chromium	7
Ivanti	7
Linux Kernel	7
Citrix	5
D-Link	5
Oracle	5
SonicWall	5

Most Common Software Weaknesses Exploited in 2025 

Eight software and hardware weaknesses (common weakness enumerations, or CWEs) were particularly prominent among the 2025 KEV additions. The list is similar to last year, although CWE-787, CWE-79, and CWE-94 are new to the list this year. 

• CWE-78 – Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) – was again the most common weakness among vulnerabilities added to the KEV database, accounting for 18 of the 245 vulnerabilities added in 2025. 

• CWE-502 – Deserialization of Untrusted Data – again came in second, occurring in 14 of the vulnerabilities. 

• CWE-22 – Improper Limitation of a Pathname to a Restricted Directory, or ‘Path Traversal’ – moved up to third place with 13 appearances. 

• CWE-416 – Use After Free – slipped a spot to fourth and was behind 11 of the vulnerabilities. 

• CWE-787 – Out-of-bounds Write – was a factor in 10 of the vulnerabilities. 

• CWE-79 – Cross-site Scripting – appeared 7 times. 

• CWE-94 (Code Injection) and CWE-287 (Improper Authentication) occurred 6 times each. 

Conclusion 

CISA’s Known Exploited Vulnerabilities catalog remains a valuable tool for helping IT security teams prioritize patching and vulnerability management efforts. 

The CISA KEV catalog can also alert organizations to third-party risks – although by the time a vulnerability gets added to the database, it’s become an urgent problem requiring immediate attention. Third-party risk management (TPRM) solutions could provide earlier warnings about partner risk through audits and other tools. 

Finally, software and application development teams should monitor CISA KEV additions to gain awareness of common software weaknesses that threat actors routinely target. 

Take control of your vulnerability risk today — book a personalized demo to see how CISA KEV impacts your organization. 

The post CISA Known Exploited Vulnerabilities Surged 20% in 2025  appeared first on Cyble.

Cyble – ​Read More

Cyble Vulnerability Intelligence researchers tracked 1,782 vulnerabilities in the last week, the third straight week that new vulnerabilities have been growing at twice their long-term rate. 

Over 282 of the disclosed vulnerabilities already have a publicly available Proof-of-Concept (PoC), significantly increasing the likelihood of real-world attacks on those vulnerabilities. 

A total of 207 vulnerabilities were rated as critical under the CVSS v3.1 scoring system, while 51 received a critical severity rating based on the newer CVSS v4.0 scoring system. 

Here are some of the top IT and ICS vulnerabilities flagged by Cyble threat intelligence researchers in recent reports to clients. 

The Week’s Top IT Vulnerabilities 

CVE-2025-66516 is a maximum severity XML External Entity (XXE) injection vulnerability in Apache Tika’s core, PDF and parsers modules. Attackers could embed malicious XFA files in PDFs to trigger XXE, potentially allowing for the disclosure of sensitive files, SSRF, or DoS without authentication. 

CVE-2025-15047 is a critical stack-based buffer overflow vulnerability in Tenda WH450 router firmware version V1.0.0.18. Attackers could potentially initiate it remotely over the network with low complexity, and a public exploit exists, increasing the risk of widespread abuse. 

Among the vulnerabilities added to CISA’s Known Exploited Vulnerabilities (KEV) catalog were: 

• CVE-2025-14733, an out-of-bounds write vulnerability in WatchGuard Fireware OS that could enable remote unauthenticated attackers to execute arbitrary code. 

• CVE-2025-40602, a local privilege escalation vulnerability due to insufficient authorization in the Appliance Management Console (AMC) of SonicWall SMA 1000 appliances. 

• CVE-2025-20393, a critical remote code execution (RCE) vulnerability in Cisco AsyncOS Software affecting Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances. The flaw has reportedly been actively exploited since late November by a China-linked APT group, which has deployed backdoors such as AquaShell, tunneling tools, and log cleaners to achieve persistence and remote access. 

• CVE-2025-14847, a high-severity MongoDB vulnerability that’s been dubbed “MongoBleed” and reported to be under active exploitation. The Improper Handling of Length Parameter Inconsistency vulnerability could potentially allow uninitialized heap memory to be read by an unauthenticated client, potentially exposing data, credentials and session tokens. 

Vulnerabilities Under Discussion on the Dark Web 

Cyble dark web researchers observed a number of threat actors sharing exploits and discussing weaponizing vulnerabilities on underground and cybercrime forums. Among the vulnerabilities under discussion were: 

CVE-2025-56157, a critical default credentials vulnerability affecting Dify versions through 1.5.1, where PostgreSQL credentials are stored in plaintext within the docker-compose.yaml file. Attackers who access deployment files or source code repositories could extract these default credentials, potentially gaining unauthorized access to databases. Successful exploitation could enable remote code execution, privilege escalation, and complete data compromise. 

CVE-2025-37164, a critical code injection vulnerability in HPE OneView. The unauthenticated remote code execution flaw affects HPE OneView versions 10.20 and prior due to improper control of code generation. The vulnerability exists in the /rest/id-pools/executeCommand REST API endpoint, which is accessible without authentication, potentially allowing remote attackers to execute arbitrary code and gain centralized control over the enterprise infrastructure. 

CVE-2025-14558, a critical severity remote code execution vulnerability in FreeBSD’s rtsol(8) and rtsold(8) programs that is still awaiting NVD and CVE publication. The flaw occurs because these programs fail to validate domain search list options in IPv6 router advertisement messages, potentially allowing shell commands to be executed due to improper input validation in resolvconf(8). Attackers on the same network segment could potentially exploit this vulnerability for remote code execution; however, the attack does not cross network boundaries, as router advertisement messages are not routable. 

CVE-2025-38352, a high-severity race condition vulnerability in the Linux kernel. This Time-of-Check Time-of-Use (TOCTOU) race condition in the posix-cpu-timers subsystem could allow local attackers to escalate privileges. The flaw occurs when concurrent timer deletion and task reaping operations create a race condition that fails to detect timer firing states. 

ICS Vulnerabilities 

Cyble threat researchers also flagged two industrial control system (ICS) vulnerabilities as meriting high-priority attention by security teams. They include: 

CVE-2025-30023, a critical Deserialization of Untrusted Data vulnerability in Axis Communications Camera Station Pro, Camera Station, and Device Manager. Successful exploitation could allow an attacker to execute arbitrary code, conduct a man-in-the-middle-style attack, or bypass authentication. 

Schneider Electric EcoStruxure Foxboro DCS Advisor is affected by CVE-2025-59827, a Deserialization of Untrusted Data vulnerability in Microsoft Windows Server Update Service (WSUS). Successful exploitation could allow for remote code execution, potentially resulting in unauthorized parties acquiring system-level privileges. 

Conclusion 

The persistently high number of new vulnerabilities observed in recent weeks is a worrisome new trend as we head into 2026. More than ever, security teams must respond with rapid, well-targeted actions to patch the most critical vulnerabilities and successfully defend IT and critical infrastructure. A risk-based vulnerability management program should be at the heart of those defensive efforts. 

Other cybersecurity best practices that can help guard against a wide range of threats include segmentation of critical assets; removing or protecting web-facing assets; Zero-Trust access principles; ransomware-resistant backups; hardened endpoints, infrastructure, and configurations; network, endpoint, and cloud monitoring; and well-rehearsed incident response plans. 

Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks. 

The post The Week in Vulnerabilities: The Year Ends with an Alarming New Trend  appeared first on Cyble.

Cyble – ​Read More

By 2026, MSSPs will compete less on tooling and more on clarity, speed, and foresight. Security buyers want proof that their provider understands what threats matter now, how fast they can respond, and how security decisions reduce business risk.

At the center of this challenge sits threat intelligence. Not as a research output, but as an operational input shaping every security decision. 

What Clients Will Demand This Year: The Five Deciding Factors 

Winning deals in 2026 means excelling where others fall short. Prospects grill providers on these five areas before signing: 

• Relentless Threat Blocking: They want evidence you’re stopping attacks they can’t see coming. 

• Clean, Actionable Alerts: Too many false positives waste time and erode confidence. 

• Blazing-Fast Incident Response: Slow containment turns small incidents into headline breaches. 

• Forward-Leaning Threat Hunting: Reactive-only services feel outdated in a zero-trust world. 

• Undeniable ROI Visibility: Executives need clear proof of risks blocked and value delivered. 

Master these with actionable threat intelligence, and you’ll close more deals while your competitors hassle.

ANY.RUN’s Threat Intelligence Feeds contain real-time streams of malicious IPs, domains, and URLs pulled from millions of sandbox submissions, updated frequently to keep you ahead. TI Feeds are not background data. They are the operational core of detection, response, hunting, reporting, and proactive defense. 

Here are the five ways to stand out by employing real-time trustworthy threat data. 

1. Early awareness defines credibility 

Clients rarely see the attacks you stop. They only notice the ones you miss. One successful intrusion can erase years of good service and trigger immediate vendor reassessment. 

The difficulty lies in the speed of attacker adaptation. Malware changes quickly, infrastructure rotates, and indicators expire fast. Detection logic based on static or delayed intelligence struggles to keep pace. 

What mature threat intelligence enables: 

ANY.RUN’s TI Feeds deliver continuously updated indicators along with sandbox analyses documenting attacker behavior extracted from live malware execution. For MSSPs, this means: 

• Detection rules that evolve as threats evolve;

• Faster identification of emerging malware families; 

• Visibility into infrastructure used in active attacks; 

• Reduced reliance on outdated or recycled indicators. 

Instead of reacting to incidents reported elsewhere, your MSSP detects threats while competitors are still catching up. For clients, that difference is felt as safety, not statistics. 

2. Response matters more than perfection 

No MSSP can prevent every incident. What matters is how quickly and confidently you respond. Long investigations, unclear answers, and delayed containment create anxiety at the executive level. 

Most delays come from context gaps. Analysts must validate indicators, understand attackers’ intent, and assess scope before acting. That takes time when intelligence is fragmented. 

TI Feeds give response teams immediate access to: 

• Fresh, validated indicators of compromise: malicious IPs, domains, and URLs continuously updated from real malware analysis by over 15K SOC teams;

• Contextual metadata including links to sandbox analysis sessions that provide additional insight into threat behavior;

• Intelligence that supports instant containment decisions;

• Formats compatible with SIEMs and security platforms (STIX, MISP) for seamless integration into existing workflows;

• API-enabled delivery so intelligence can feed automated detection and monitoring systems in real time.

This allows MSSPs to move from alert to action in minutes, not hours. Over time, clients associate your service with decisiveness and control. That perception is critical for renewal conversations. 

3. Proactive security becomes expected 

By 2026, clients will not ask whether you offer threat hunting. They will assume you do. The real question will be whether your hunting produces meaningful results or just internal noise. 

Without fresh intelligence, hunting teams often chase weak signals or outdated hypotheses. That leads to low impact and poor client communication. 

With TI Feeds, MSSPs can anchor threat hunting in reality: 

•  Hunt for indicators tied to active attacker campaigns; 

•  Correlate client telemetry with known malicious behavior; 

•  Continuously refine hypotheses using new feed data; 

•  Demonstrate findings backed by observable attacker activity. 

This makes threat hunting repeatable, scalable, and easier to justify commercially. 

4. Reporting shapes executive perception 

Executives don’t want dashboards full of alerts. They want confidence that risk is being reduced and managed. Poor reporting creates the impression that security work is abstract or disconnected from business reality. 

In many cases, churn begins not after incidents, but after months of unclear reporting. 

TI Feeds allow MSSPs to report on outcomes, not effort: 

• Indicators with associated threat context help explain why a detected indicator matters; 

• Detection timestamps and threat labels reveal whether an indicator is recent and connected to active campaigns; 

• Consistent delivery of validated, actionable IOCs allows reports to reflect real threat activity, not noise. 

Reports become stories of protection delivered, not lists of events processed. This is where MSSPs justify their value in language decision-makers understand. 

5. Generic defense won’t hold clients 

Clients increasingly expect their security posture to evolve alongside attacker behavior. Generic controls applied uniformly across clients feel outdated and inattentive. The challenge is keeping defenses current without overwhelming analysts. 

By aligning TI Feeds with each client’s risk profile, MSSPs can: 

• Base decisions on high-confidence threat data, minimizing distraction from low-value or false signals; 

• Use enriched contextual data to explain how specific IOCs are connected to observed or emerging threats; 

• Update detection logic as campaigns evolve. 

Security stops being reactive and starts feeling anticipatory. Clients feel seen, protected, and prioritized. That emotional factor matters more than most technical metrics. 

Final Thought: What Clients Are Willing to Pay For 

MSSPs don’t lose clients because attackers exist. They lose clients because they fail to show awareness, speed, and progress. 

In 2026, Threat Intelligence Feeds are the foundation of competitive MSSP services. They power better detection, faster response, meaningful hunting, credible reporting, and proactive protection. The key metrics demonstrate this clearly:  

• Security teams report up to a 21‑minute reduction in MTTR per case, with automation-ready feeds accelerating triage and containment actions. 

• Up to 58% more threats identified after integrating TI Feeds into detection rules and playbooks. 

• Streamlined intelligence lets Tier 1 teams resolve more incidents independently, reducing escalations to senior analysts by 30%. 

The MSSPs that win will be those who turn intelligence into visible outcomes their clients can trust month after month.

About ANY.RUN 

Trusted by over 500,000 cybersecurity professionals and 15,000+ organizations in finance, healthcare, manufacturing, and other critical industries, ANY.RUN helps security teams investigate threats faster and with greater accuracy.     

Our Interactive Sandbox accelerates incident response by allowing you to analyze suspicious files in real time, watch behavior as it unfolds, and make confident, well-informed decisions.     

Our Threat Intelligence Lookup and Threat Intelligence Feeds strengthen detection by providing the context your team needs to anticipate and stop today’s most advanced attacks.     

Start a 2-week ANY.RUN trial → 

FAQ: Threat Intelligence Feeds for MSSPs 

The post 5 Ways MSSPs Can Win Clients in 2026 appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

We’re glad to present our regular quarterly report highlighting the most prominent malicious trends of the last three months of 2025, as observed by ANY.RUN’s community. 

Following the release of our annual report on key threats and milestones, this report offers a closer look at the threat landscape of the final chapter of 2025. 

The Malware Trends report Q4 features top malware types, families, phishing kits, TTPs, APTs, and other notable insights. 

You can turn to the previous Q3 report for reference. 

Key Takeaways 

• Threat activity remained steady, with sandbox usage up 6% quarter over quarter and over 1 billion IOCs collected, reflecting sustained investigative demand rather than volume spikes. 

• Stealers still dominate, even after a 16% decline, confirming credential theft as a primary attacker objective. 

• RATs and backdoors gained momentum, with RATs up 28% and backdoors up 68%, signaling a shift toward persistent access and modular malware. 

• XWorm and open-source RATs surged, with XWorm up 174%, showing attackers favor adaptable, widely shared toolsets over saturated stealer families. 

• Phishing continued to evolve, led by Tycoon and EvilProxy, underscoring the growing sophistication of PhaaS and 2FA bypass campaigns. 

Summary 

• Total sandbox sessions: 2,015,181  

• Malicious: 389,636  

• Suspicious: 75,113  

• IOCs: 1,015,431,934  

During the last quarter of 2025, overall threat investigation activity remained stable — no drastic growth in volume. The total number of sandbox analyses conducted in ANY.RUN’s Interactive Sandboxincreased slightly by 6%, surpassing 2 million since Q3. 

Over one billion indicators were gathered by our community during analysis sessions. A total of 389,636 samples were labeled as malicious, and 75,113 as suspicious. 

Top Malware Types: Highlights 

1. Stealer: 36,685  

2. RAT: 23,788 

3. Loader: 19,070  

4. Backdoor: 10,560  

5. Ransomware: 7,317  

6. Adware: 5,854  

7. Botnet: 5,149 

8. Trojan: 2,813  

9. Miner: 2,668  

10. Keylogger: 2,598 

Although the list of top malware types looks similar to Q3 at first glance, several notable changes in activity levels should be pointed out: 

• Stealer dominance persists despite a 16% drop. This signals that credential theft remains a priority for attackers targeting financial sectors. 

Widespread families: Lumma,  Stealc, Blank Grabber 

• RAT surged (+28%), overtaking Loaders’ second place. A clear indication of remote access tools gaining traction for persistent post-exploitation in enterprise environments. 

Widespread families: XWorm, Quasar RAT, AsyncRAT 

• Loader threats moved one place down despite a slight decrease in detections. 

Widespread families: Smoke Loader, PureCrypter, HijackLoader 

Backdoor‘s 68% activity growth reflects modular malware kits proliferating, enabling easier customization and evasion of traditional defenses. 

Adware moved up two places with a 31% rise in activity, while ransomware detections decreased by the same percentage. 

At the lower end of the list there are Botnet with 5K detections, Trojan with 2.8K, Miner with 2.6K, and Keylogger with 2.5K. 

Detect evasive threats with ANY.RUN’s Interactive Sandbox   

ANY.RUN’s Interactive Sandbox enables businesses and SOC teams to proactively identify cyber threats by analyzing files and URLs inside interactive Windows, Linux, Android VMs.  

• Stronger Protection for Businesses: Early detection and shorter MTTD minimize risks, safeguarding infrastructure and reputation. 

• Higher Efficiency & ROI: Faster investigations cut costs, reduce analyst load, and power quicker incident resolution. 

• Smarter Decision-Making: Flexible, enterprise-grade solution enhances visibility into threats, allowing for insight-driven action. 

Top Malware Families 

1. XWorm: 13,945  

2. AsyncRAT: 5,056  

3. Quasar: 4,711  

4. Vidar: 4,498  

5. Stealc: 4,432 

6. Remcos: 3,598  

7. Lumma: 3,399  

8. Blackmoon: 3,208 

9. AgentTesla: 3,136  

10. Mirai: 3,067 

This section indicates a number of drastic changes in intensity and volume of certain threats. Key observations include: 

XWorm, driven by its adaptability across industries like manufacturing and healthcare, showed a +174% surge. 

XWorm IOCs from Threat Intelligence Lookup 

• centre-instruction[.]gl[.]at[.]ply[.]gg 

• uk-compete[.]gl[.]at[.]ply[.]gg 

• 176[.]113[.]73[.]167 

Find more IOCs in TI Lookup with this query: 

threatName:”xworm” AND domainName:”” 

• AsyncRAT and Quasar grew by 46% and 27%, showing open-source RATs outpacing commercial stealers, fueled by underground sharing and rapid evolution. 

AsyncRAT IOCs from Threat Intelligence Lookup  

• xoilac[.]livecdnem[.]com 

• asj299[.]com 

• 94[.]154[.]35[.]160 

Find more IOCs in TI Lookup with this query: 

threatName:”asyncrat” AND domainName:”” 

Lumma’s fall from first to eighth place with a -65% plunge highlights attacker shifts to newer, less-detected families, reducing reliance on saturated stealer platforms. 

Lumma IOCs from Threat Intelligence Lookup  

• handpaw[.]click 

• mattykp[.]click  

• 159[.]198[.]70[.]75 

Find more IOCs in TI Lookup with this query: 

threatName:”lumma” AND domainName:”” 

Vidar and Stealc with 4K+ detections each re-emerged in Q4, indicating a sudden end-of-year growth. 

Another addition to the chart is Blackmoon with 3,208 detections. At the same time, AgentTesla and Remcos threats saw a reduction in detections and went from second and fourth places to tenth andseventh respectively. 

Ensure early threat detection via Threat Intelligence Feeds 

Gain a live view of the threat landscape with fresh, actionable IOCs delivered to you from investigations done across 15,000 companies. 

• Refine detection and response: Rich threat context and integration opportunities power your SOC for proactive defense. 

• Mitigate risks of breaches: Expanded threat coverage and visibility into threats help stay ahead of attackers without wasting time on false alarms. 

• Improve performance rates: Unique, noise-free indicators beat alert fatigue and promote early detection even for hidden and evasive threats. 

Top TTPs 

The top 10 most detected techniques, tactics, and procedures (TTPs) show significant shifts from quarter to quarter — a reminder that threat actors never stop refining and changing their methods. 

The number of detections for TTPs mostly grew: the first place is taken up by Subvert Trust Controls: Install Root Certificate, T1553.004 with 227,451 detections. In Q3, the first place was taken by a TTP with activity rate twice as small. 

Second place was still occupied by Masquerading: Rename Legitimate Utilities, T1036.003 with 105,539 detections (+9%). 

A new addition to the list, Command and Scripting Interpreter: Windows Command Shell , T1059.003, came third with 71,608 detections. 

1. Subvert Trust Controls: Install Root Certificate, T1553.004: 227,451 

2. Masquerading: Rename Legitimate Utilities, T1036.003: 105,539 

3. Command and Scripting Interpreter: Windows Command Shell, T1059.003: 71,608 

4. Command and Scripting Interpreter: PowerShell, T1059.001: 64,684 

5. Virtualization/Sandbox Evasion: Time Based Checks, T1497.003: 51,910 

6. Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, T1547.001: 46,007 

7. System Services: Service Execution, T1569.002: 38,515 

8. Masquerading: Match Legitimate Resource Name or Location, T1036.005: 35,278 

9. Scheduled Task/Job: Scheduled Task, T1053.005: 21,460 

10. Signed Binary Proxy Execution: Rundll32, T1218.011: 19,236 

Collect Fresh Threat Intelligence with Threat Intelligence Lookup 

TI Lookup offers a searchable database of fresh Indicators 
of Compromise (IOCs), Attack (IOAs), and Behavior (IOBs) belonging to the latest cyber attacks on 15,000 companies. 

• Build proactive defense: Actionable threat intelligence drives targeted and insightful research for staying ahead. 

• Ensure rapid triage and response: Instant enrichment of indicators with behavioral context makes for fast and smart decisions. 

• Optimize workload: Rich threat data empowers Tier 1 analysts to work sustainably, reducing escalations to Tier 2. 

Phishing Activity in Q4 2025 

Overall phishing activity by uploads: 159,592 

Activity by phishing kits  

Phishkits: 

1. Tycoon: 41,046  

2. EvilProxy: 14,258  

3. Sneaky2FA: 7,272 

4. Mamba2FA: 3,904  

5. Salty2FA: 350  

Q4’s results align with our annual report’s conclusions: phishing is a prevalent type of cyber threat and Tycoon dominates in this category: 

• It remained at the top of the list with double the intensity of detections. Same with EvilProxy: it stayed second with 51% increase in volume. This underscores PhaaS maturation, with kits now bundling advanced 2FA bypass for high-value targets. 

• Sneaky2FA moved from fourth to third place with a whopping +138% rise in activity. 

• Salty2FA moved two places down, pointing to 2FA fatigue exploitation accelerating in enterprise phishing campaigns. 

• Mamba2FA, absent from the list in the previous quarter, took fourth place with 3.9K detections. 

Activity by cyber criminal groups 

1. Storm1747: 37,274  

2. TA569: 4,054 

3. TA558: 231 

4. Storm1575: 21 

5. APT36: 18 

Key observations regarding APT activity in Q4 2025: 

• Storm1747’s dominance continued with a 51% rise in activity, likely tied to phishing infrastructure evolution targeting finance across EU/NA regions. 

• TA558‘s jumped into top ranks with +83% detections, suggesting expanded operations, possibly leveraging modular loaders for broader campaign reach. 

• At the lower part of the list, we can see APTs’ displaying sharp 70-97% declines, likely due to the detection improvements or operational pauses. The focus shifted to more opportunistic actors. 

Top Protectors and Packers 

1. UPX: 12,576  

2. NetReactor: 4,300  

3. Themida: 3,244  

4. ASPack: 1,263  

5. Confuser: 2,204  

Top 5 most detected protectors and packers correspond with those of Q3. However, there are differences in terms of their intensity: 

• UPX remains dominant despite an 11% drop, remaining attackers’ go-to for simple, fast obfuscation across commodity malware. 

• NetReactor and Themida’s sharp declines (-49% and -37% respectively) signal detection improvements and attacker shift to newer .NET-focused protectors.  

• Confuser kept its fifth place with a 48% growth that reflects .NET malware boom. Attackers favor it for evading static analysis in enterprise-targeted payloads. 

Conclusion 

Q4 2025 shows a stable but evolving threat landscape. Key trends include persistent stealer activity, rising RATs and backdoors, and a dynamic phishing landscape. These insights underscore the importance of continuous monitoring and proactive threat analysis to stay ahead of emerging risks. 

About ANY.RUN 

ANY.RUN develops solutions for malware analysis and threat hunting. Its interactive malware analysis sandbox is used by over 500,000 cybersecurity professionals worldwide. It enables detailed investigation of threats targeting Windows, Android, and Linux systems with hands-on analysis and instant visualization of malware behavior. 

ANY.RUN’s threat intelligence solutions, including Threat Intelligence Lookup and Threat Intelligence Feeds, allow teams to quickly identify indicators of compromise, enrich alerts, and investigate incidents early on. As a result, analysts gain actionable insights, uncover hidden threats, and improve overall cybersecurity posture. 

Start a 2-week ANY.RUN trial → 

The post Malware Trends Q4 2025: Inside ANY.RUN’s Latest Threat Landscape Report  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More