IT threat evolution in Q3 2025. Mobile statistics
IT threat evolution in Q3 2025. Non-mobile statistics

Quarterly figures

In Q3 2025:

• Kaspersky solutions blocked more than 389 million attacks that originated with various online resources.
• Web Anti-Virus responded to 52 million unique links.
• File Anti-Virus blocked more than 21 million malicious and potentially unwanted objects.
• 2,200 new ransomware variants were detected.
• Nearly 85,000 users experienced ransomware attacks.
• 15% of all ransomware victims whose data was published on threat actors’ data leak sites (DLSs) were victims of Qilin.
• More than 254,000 users were targeted by miners.

Ransomware

Quarterly trends and highlights

Law enforcement success

The UK’s National Crime Agency (NCA) arrested the first suspect in connection with a ransomware attack that caused disruptions at numerous European airports in September 2025. Details of the arrest have not been published as the investigation remains ongoing. According to security researcher Kevin Beaumont, the attack employed the HardBit ransomware, which he described as primitive and lacking its own data leak site.

The U.S. Department of Justice filed charges against the administrator of the LockerGoga, MegaCortex and Nefilim ransomware gangs. His attacks caused millions of dollars in damage, putting him on wanted lists for both the FBI and the European Union.

U.S. authorities seized over $2.8 million in cryptocurrency, $70,000 in cash, and a luxury vehicle from a suspect allegedly involved in distributing the Zeppelin ransomware. The criminal scheme involved data theft, file encryption, and extortion, with numerous organizations worldwide falling victim.

A coordinated international operation conducted by the FBI, Homeland Security Investigations (HSI), the U.S. Internal Revenue Service (IRS), and law enforcement agencies from several other countries successfully dismantled the infrastructure of the BlackSuit ransomware. The operation resulted in the seizure of four servers, nine domains, and $1.09 million in cryptocurrency. The objective of the operation was to destabilize the malware ecosystem and protect critical U.S. infrastructure.

Vulnerabilities and attacks

SSL VPN attacks on SonicWall

Since late July, researchers have recorded a rise in attacks by the Akira threat actor targeting SonicWall firewalls supporting SSL VPN. SonicWall has linked these incidents to the already-patched vulnerability CVE-2024-40766, which allows unauthorized users to gain access to system resources. Attackers exploited the vulnerability to steal credentials, subsequently using them to access devices, even those that had been patched. Furthermore, the attackers were able to bypass multi-factor authentication enabled on the devices. SonicWall urges customers to reset all passwords and update their SonicOS firmware.

Scattered Spider uses social engineering to breach VMware ESXi

The Scattered Spider (UNC3944) group is attacking VMware virtual environments. The attackers contact IT support posing as company employees and request to reset their Active Directory password. Once access to vCenter is obtained, the threat actors enable SSH on the ESXi servers, extract the NTDS.dit database, and, in the final phase of the attack, deploy ransomware to encrypt all virtual machines.

Exploitation of a Microsoft SharePoint vulnerability

In late July, researchers uncovered attacks on SharePoint servers that exploited the ToolShell vulnerability chain. In the course of investigating this campaign, which affected over 140 organizations globally, researchers discovered the 4L4MD4R ransomware based on Mauri870 code. The malware is written in Go and packed using the UPX compressor. It demands a ransom of 0.005 BTC.

The application of AI in ransomware development

A UK-based threat actor used Claude to create and launch a ransomware-as-a-service (RaaS) platform. The AI was responsible for writing the code, which included advanced features such as anti-EDR techniques, encryption using ChaCha20 and RSA algorithms, shadow copy deletion, and network file encryption.

Anthropic noted that the attacker was almost entirely dependent on Claude, as they lacked the necessary technical knowledge to provide technical support to their own clients. The threat actor sold the completed malware kits on the dark web for $400–$1,200.

Researchers also discovered a new ransomware strain, dubbed PromptLock, that utilizes an LLM directly during attacks. The malware is written in Go. It uses hardcoded prompts to dynamically generate Lua scripts for data theft and encryption across Windows, macOS and Linux systems. For encryption, it employs the SPECK-128 algorithm, which is rarely used by ransomware groups.

Subsequently, scientists from the NYU Tandon School of Engineering traced back the likely origins of PromptLock to their own educational project, Ransomware 3.0, which they detailed in a prior publication.

The most prolific groups

This section highlights the most prolific ransomware gangs by number of victims added to each group’s DLS. As in the previous quarter, Qilin leads by this metric. Its share grew by 1.89 percentage points (p.p.) to reach 14.96%. The Clop ransomware showed reduced activity, while the share of Akira (10.02%) slightly increased. The INC Ransom group, active since 2023, rose to third place with 8.15%.

Number of each group’s victims according to its DLS as a percentage of all groups’ victims published on all the DLSs under review during the reporting period (download)

Number of new variants

In the third quarter, Kaspersky solutions detected four new families and 2,259 new ransomware modifications, nearly one-third more than in Q2 2025 and slightly more than in Q3 2024.

Number of new ransomware modifications, Q3 2024 — Q3 2025 (download)

Number of users attacked by ransomware Trojans

During the reporting period, our solutions protected 84,903 unique users from ransomware. Ransomware activity was highest in July, while August proved to be the quietest month.

Number of unique users attacked by ransomware Trojans, Q3 2025 (download)

Attack geography

TOP 10 countries attacked by ransomware Trojans

In the third quarter, Israel had the highest share (1.42%) of attacked users. Most of the ransomware in that country was detected in August via behavioral analysis.

* Excluded are countries and territories with relatively few (under 50,000) Kaspersky users.
** Unique users whose computers were attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country/territory.

TOP 10 most common families of ransomware Trojans

* Unique Kaspersky users attacked by the specific ransomware Trojan family as a percentage of all unique users attacked by this type of threat.

Miners

Number of new variants

In Q3 2025, Kaspersky solutions detected 2,863 new modifications of miners.

Number of new miner modifications, Q3 2025 (download)

Number of users attacked by miners

During the third quarter, we detected attacks using miner programs on the computers of 254,414 unique Kaspersky users worldwide.

Number of unique users attacked by miners, Q3 2025 (download)

Attack geography

TOP 10 countries and territories attacked by miners

* Excluded are countries and territories with relatively few (under 50,000) Kaspersky users.
** Unique users whose computers were attacked by miners as a percentage of all unique users of Kaspersky products in the country/territory.

Attacks on macOS

In April, researchers at Iru (formerly Kandji) reported the discovery of a new spyware family, PasivRobber. We observed the development of this family throughout the third quarter. Its new modifications introduced additional executable modules that were absent in previous versions. Furthermore, the attackers began employing obfuscation techniques in an attempt to hinder sample detection.

In July, we reported on a cryptostealer distributed through fake extensions for the Cursor AI development environment, which is based on Visual Studio Code. At that time, the malicious JavaScript (JS) script downloaded a payload in the form of the ScreenConnect remote access utility. This utility was then used to download cryptocurrency-stealing VBS scripts onto the victim’s device. Later, researcher Michael Bocanegra reported on new fake VS Code extensions that also executed malicious JS code. This time, the code downloaded a malicious macOS payload: a Rust-based loader. This loader then delivered a backdoor to the victim’s device, presumably also aimed at cryptocurrency theft. The backdoor supported the loading of additional modules to collect data about the victim’s machine. The Rust downloader was analyzed in detail by researchers at Iru.

In September, researchers at Jamf reported the discovery of a previously unknown version of the modular backdoor ChillyHell, first described in 2023. Notably, the Trojan’s executable files were signed with a valid developer certificate at the time of discovery.

The new sample had been available on Dropbox since 2021. In addition to its backdoor functionality, it also contains a module responsible for bruteforcing passwords of existing system users.

By the end of the third quarter, researchers at Microsoft reported new versions of the XCSSET spyware, which targets developers and spreads through infected Xcode projects. These new versions incorporated additional modules for data theft and system persistence.

TOP 20 threats to macOS

Unique users* who encountered this malware as a percentage of all attacked users of Kaspersky security solutions for macOS (download)

* Data for the previous quarter may differ slightly from previously published data due to some verdicts being retrospectively revised.

The PasivRobber spyware continues to increase its activity, with its modifications occupying the top spots in the list of the most widespread macOS malware varieties. Other highly active threats include Amos Trojans, which steal passwords and cryptocurrency wallet data, and various adware. The Backdoor.OSX.Agent.l family, which took thirteenth place, represents a variation on the well-known open-source malware, Mettle.

Geography of threats to macOS

TOP 10 countries and territories by share of attacked users

IoT threat statistics

This section presents statistics on attacks targeting Kaspersky IoT honeypots. The geographic data on attack sources is based on the IP addresses of attacking devices.

In Q3 2025, there was a slight increase in the share of devices attacking Kaspersky honeypots via the SSH protocol.

Distribution of attacked services by number of unique IP addresses of attacking devices (download)

Conversely, the share of attacks using the SSH protocol slightly decreased.

Distribution of attackers’ sessions in Kaspersky honeypots (download)

TOP 10 threats delivered to IoT devices

Share of each threat delivered to an infected device as a result of a successful attack, out of the total number of threats delivered (download)

In the third quarter, the shares of the NyaDrop and Mirai.b botnets significantly decreased in the overall volume of IoT threats. Conversely, the activity of several other members of the Mirai family, as well as the Gafgyt botnet, increased. As is typical, various Mirai variants occupy the majority of the list of the most widespread malware strains.

Attacks on IoT honeypots

Germany and the United States continue to lead in the distribution of attacks via the SSH protocol. The share of attacks originating from Panama and Iran also saw a slight increase.

The largest number of attacks via the Telnet protocol were carried out from China, as is typically the case. Devices located in India reduced their activity, whereas the share of attacks from Indonesia increased.

Attacks via web resources

The statistics in this section are based on detection verdicts by Web Anti-Virus, which protects users when suspicious objects are downloaded from malicious or infected web pages. These malicious pages are purposefully created by cybercriminals. Websites that host user-generated content, such as message boards, as well as compromised legitimate sites, can become infected.

TOP 10 countries that served as sources of web-based attacks

This section gives the geographical distribution of sources of online attacks (such as web pages redirecting to exploits, sites hosting exploits and other malware, and botnet C2 centers) blocked by Kaspersky products. One or more web-based attacks could originate from each unique host.

To determine the geographic source of web attacks, we matched the domain name with the real IP address where the domain is hosted, then identified the geographic location of that IP address (GeoIP).

In the third quarter of 2025, Kaspersky solutions blocked 389,755,481 attacks from internet resources worldwide. Web Anti-Virus was triggered by 51,886,619 unique URLs.

Web-based attacks by country, Q3 2025 (download)

Countries and territories where users faced the greatest risk of online infection

To assess the risk of malware infection via the internet for users’ computers in different countries and territories, we calculated the share of Kaspersky users in each location on whose computers Web Anti-Virus was triggered during the reporting period. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.

This ranked list includes only attacks by malicious objects classified as Malware. Our calculations leave out Web Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.

* Excluded are countries and territories with relatively few (under 10,000) Kaspersky users.
** Unique users targeted by web-based Malware attacks as a percentage of all unique users of Kaspersky products in the country/territory.
On average, over the course of the quarter, 4.88% of devices globally were subjected to at least one web-based Malware attack.

Local threats

Statistics on local infections of user computers are an important indicator. They include objects that penetrated the target computer by infecting files or removable media, or initially made their way onto the computer in non-open form. Examples of the latter are programs in complex installers and encrypted files.

Data in this section is based on analyzing statistics produced by anti-virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media: flash drives, camera memory cards, phones, and external drives. The statistics are based on detection verdicts from the on-access scan (OAS) and on-demand scan (ODS) modules of File Anti-Virus.

In the third quarter of 2025, our File Anti-Virus recorded 21,356,075 malicious and potentially unwanted objects.

Countries and territories where users faced the highest risk of local infection

For each country and territory, we calculated the percentage of Kaspersky users on whose computers File Anti-Virus was triggered during the reporting period. This statistic reflects the level of personal computer infection in different countries and territories around the world.

Note that this ranked list includes only attacks by malicious objects classified as Malware. Our calculations leave out File Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.

* Excluded are countries and territories with relatively few (under 10,000) Kaspersky users.
** Unique users on whose computers local Malware threats were blocked, as a percentage of all unique users of Kaspersky products in the country/territory.
On average worldwide, local Malware threats were detected at least once on 12.36% of computers during the third quarter.

securelist.com/malware-report-…

The increasing dominance of lithium cells in the market place leave our trusty NiMH cells in a rough spot. Sure, you can still get a chargers for the AAs in your life, but it’s old tech and not particularly stylish. That’s where [Maximilian Kern] comes in, whose SPINC project was recently featured in IEEE Spectrum— so you know it has to be good.

With the high-resolution LED, the styling of this device reminds us a little bit of the Pi-Mac-Nano— and anything that makes you think of a classic Macintosh gets automatic style points. There’s something reminiscent of an ammunition clip in the way batteries are fed into the top and let out the bottom of the machine.

[Maximilian] thought of the, ah, less-detail-oriented amongst us with this one, as the dedicated charging IC he chose (why reinvent the wheel?) is connected to an H-bridge to allow the charger to be agnostic as to orientation. That’s a nice touch. An internal servo grabs each battery in turn to stick into the charging circuit, and deposits it into the bottom of the device once it is charged. The LCD screen lets you monitor the status of the battery as it charges, while doubling as a handy desk clock (that’s where the RP2040 comes in). It is, of course, powered by USB-C-PD as all things are these days. Fast-charging upto 1A is enabled, but you might want to go slower to keep your cells lasting as long as possible. Firmware, gerbers and STLs are available on GitHub under a GPL-3.0 license– so if you’re still using NiCads or want to bring this design into the glorious lithium future, you can consider yourself welcome to.

We recently featured a AA rundown, and for now, it looks like NiMH is still the best bang for your buck, which means this project will remain relevant for a few years yet. Of course, we didn’t expect the IEEE to steer us wrong.

Thanks to [George Graves] for the tip.

hackaday.com/2025/11/19/charge…

You’ve probably seen the inflatable frogs, the dance parties, the naked bike ride. Maybe you’ve also seen the darker images: a federal officer aiming a weapon at protesters, or federal agents hurling tear gas and flash bangs into peaceful demonstrations at a Portland, Oregon, immigration facility.

Local journalists have been attacked for bringing images like these to the world. They’re being tear-gassed and shot with crowd-control munitions by federal agents simply for doing their jobs.

Photojournalist John Rudoff is among them. He’s been covering these protests since June, photographing both peaceful marches and violent responses from federal officers that often follow.

On Oct. 11, while documenting a protest, Rudoff was struck by a stinger grenade, even though he was clearly identifiable as press. He was bruised, but not deterred.

“If you cover protests, you’re going to have discomfort and hazard. Period. That’s just the way it is,” Rudoff told us. “They shoot 20-year-old girls, and they shoot 70-year-old men, and they shoot people in wheelchairs, and they shoot blind people,” he added, referring to federal agents using crowd-control munitions. “The word impunity seems to be coined for them.”

Despite the danger, Rudoff refuses to stop documenting. “The entire media ecosystem has been covered with the administration’s rantings about the war-ravaged hellscape of Portland, and the city is burning down, and ICE officers are being attacked, and on and on and on,” he said. “I feel some obligation to try and counter this frankly preposterous narrative that the city’s burning down. It isn’t.”

Independent journalist Kevin Foster, who has also been covering the Portland protests, shares that sense of duty and outrage. “It’s clear the Trump administration wants to paint Portland as a war zone to seize more control, but it’s a lot harder to do that when I’m showing you all the dancing inflatable frogs,” he told us. “At the end of the day, someone needs to be there to document abuses of power.”

Foster has felt the danger up close while reporting from protests. “I’ve seen other press members shot with pepper balls, I’ve had flash bangs go off at my feet, and tear gas canisters explode above my head,” he said. But he continues to work to keep the public informed, reporting on federal agents’ heavy use of force and escalatory tactics at the protests.

For Foster, the concerns go beyond federal agents at protests. “Right-wing influencers and agitators have reportedly doxxed people,” Foster said. “With the state of the presidency and the history of authoritarianism, I do sometimes worry about persecution as well, especially given that a lot of my coverage subverts the narrative produced by right-wing media.”

The incident in Portland that got the most attention involved Katie Daviscourt, a reporter for the conservative news site The Post Millennial. She reported being hit in the face by someone swinging a flagpole at a protest, blackening her eye. Police let the suspect go, prompting feigned outrage from the White House.

Holding federal agents accountable

Violence against the press, from any direction, is an attack on the First Amendment itself, especially when enabled by law enforcement. Unfortunately, those purportedly appalled by the Daviscourt incident have not shown similar concern over federal law enforcement attacks on journalists who don’t further their preferred political narratives.

Since the Portland protests began in June, for instance, photojournalist Mason Lake has been struck by crowd-control munitions twice, pepper-sprayed, and had a rifle aimed at him. Yet federal officials haven’t condemned these attacks, or the attack on Rudoff.

“It’s very disconcerting to see how free press has been trampled,” Lake told the U.S. Press Freedom Tracker, a project of Freedom of the Press Foundation (FPF). “The best we can do is push back and make sure the truth isn’t run over.”

In other cities, like Chicago, Illinois, and Los Angeles, California, federal court orders protect journalists from such assaults. But Portland currently has no such order. Legal precedent from 2020 protests in Portland recognized reporters’ First Amendment right to cover protests and shielded them from dispersal orders. But it has done little to rein in federal agents today.

“They have to be sued, and they have to be enjoined, and they have to be criminally prosecuted until they stop doing it,” suggested Rudoff.

Until that happens, however, journalists must keep speaking up, not just about what they see, but also for being attacked for witnessing it. “Most attacks on journalists aren’t reported,” explained Rudoff. But, he added, “I don’t know a single journalist out there who hasn’t been shot or hit or knocked over or tear-gassed or pepper-sprayed. It’s everybody.”

Foster put it even more bluntly: “Many Americans seem to have this impression that brutalizing protesters and targeting the press only happens in other countries. If that notion hasn’t shattered for you yet, wait until your ears are ringing from flash bangs and you’re enveloped in a cloud of tear gas so thick you can’t see 15 feet.”

This isn’t some distant dictatorship. It’s the city of Portland. And the First Amendment is under siege.

freedom.press/issues/journalis…

noblogo.org/transit/perche-non…

Transit

2025-11-18 15:39:36

Perché non posso scrivere di tutto (anche se mi sta a cuore.)

(181)

Spesso sui social capita che, se parli sempre e solo di una certa causa (per esempio la #Palestina) qualcuno ti accusi di non interessarti ad altri drammi, come quelli che succedono in #Sudan o in altri luoghi del mondo.Questa è una questione che merita un po’ di chiarezza, perché il punto vero è un altro: nessuno di noi è un’agenzia di stampa, e non parlare di una cosa non significa affatto fregarsene. La verità è che tutti noi abbiamo dei limiti: di tempo, di energie, ma anche di capacità emotiva.

Non possiamo essere costantemente presenti su ogni emergenza, su ogni ingiustizia, su ogni tragedia che si presenta nel mondo. E, sinceramente, provarci significherebbe anche rischiare di annullare noi stessi, perdendo quella sensibilità che ci spinge a interessarci davvero di alcune questioni.

La partecipazione emotiva è inevitabilmente selettiva: ci sentiamo più vicini e coinvolti in certe storie perché le conosciamo meglio, le capiamo, o semplicemente perché in quel momento sentiamo di poter fare qualcosa di più concreto.

Non è una questione di indifferenza verso le altre cause, ma una scelta, consapevole o meno, di dove concentrare le nostre forze, anche per proteggere la nostra salute mentale. E poi, diciamolo: sui #socialmedia la pressione è fortissima. Se non ti vedi parlare di tutto, c’è chi pensa che non ti importi. Ma questa è una falsa aspettativa.

La responsabilità di dare voce a ogni singola emergenza non spetta a noi singoli individui, ma a un sistema di informazione ben più complesso.Noi partecipiamo con ciò che possiamo, con quello che sappiamo, con quello che ci muove davvero.

Quando vedi qualcuno che si concentra spesso su una sola causa, non darla per scontata: può significare un impegno profondo, non una mancanza di interesse per il resto. E chi ti conosce sa che dietro quel silenzio ci sono comunque solidarietà, preoccupazione e rispetto. Non serve parlare di tutto per esserci davvero.

In fondo, la vera indifferenza è un’altra cosa: è non provarci nemmeno, è non farsi toccare da niente, è voltare le spalle senza nemmeno chiedersi come si potrebbe fare la differenza. La partecipazione selettiva, invece, è umana, corretta e spesso necessaria. Insomma, non siamo agenzie di stampa, ma persone. E va bene così.

#Blog #SocialMedia #Opinioni #EmpatiaSelettiva #PartecipazioneEmotiva

Mastodon: @alda7069@mastodon.unoTelegram: t.me/transitblogFriendica: @danmatt@poliverso.orgBlue Sky: bsky.app/profile/mattiolidanie…Bio Site (tutto in un posto solo, diamine): bio.site/danielemattioli

Gli scritti sono tutelati da “Creative Commons” (qui)

Tutte le opinioni qui riportate sono da considerarsi personali. Per eventuali problemi riscontrati con i testi, si prega di scrivere a: corubomatt@gmail.com

Transit

Il blog di Alessandra Corubolo & Daniele Mattioli. On line -in varie forme- dal 2005.

^Telegram