Impact (MEDIUM)
Kimwolf Botnet's 2026 Rampage: A Wake-Up Call for IoT Security
In late 2025, the Kimwolf botnet emerged as a significant cybersecurity threat, infecting over 2 million Android devices worldwide, primarily targeting off-brand smart TVs and set-top boxes. Exploiting vulnerabilities in residential proxy networks and exposed Android Debug Bridge (ADB) services, Kimwolf transformed these devices into nodes for large-scale distributed denial-of-service (DDoS) attacks. Notably, in November 2025, the botnet launched a record-setting DDoS attack peaking at 31.4 terabits per second, underscoring its unprecedented scale and impact. ([thehackernews.com](https://thehackernews.com/2026/02/aisurukimwolf-botnet-launches-record.html?utm_source=openai)) The rapid proliferation and sophistication of Kimwolf highlight the escalating threat posed by botnets leveraging IoT devices. This incident underscores the urgent need for enhanced security measures in consumer electronics and the importance of proactive defense strategies to mitigate the risks associated with large-scale botnet attacks.

1 hour ago

Impact (CRITICAL)
Cisco Catalyst SD-WAN Authentication Bypass Vulnerability Exploited Since 2023
In February 2026, Cisco disclosed a critical authentication bypass vulnerability (CVE-2026-20127) in its Catalyst SD-WAN Controller and Manager, rated with a CVSS score of 10.0. This flaw allows unauthenticated, remote attackers to gain high-privilege access by exploiting a malfunctioning peering authentication mechanism. The threat actor group UAT-8616 has been actively exploiting this vulnerability since at least 2023, enabling them to manipulate SD-WAN fabric configurations via the NETCONF protocol. The exploitation involves downgrading the SD-WAN system to a vulnerable version, achieving root access, and restoring the original firmware to evade detection. ([cisco.com](https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-sdwan-rpa-EHchtZk.html?utm_source=openai)) The urgency of this issue is underscored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) adding CVE-2026-20127 to its Known Exploited Vulnerabilities catalog, mandating immediate remediation by federal agencies. This incident highlights the persistent threat posed by sophisticated actors targeting critical infrastructure components, emphasizing the need for organizations to promptly apply patches, monitor for unauthorized access, and implement robust network segmentation to mitigate potential impacts. ([cisco.com](https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-sdwan-rpa-EHchtZk.html?utm_source=openai))

3 hours ago

Impact (HIGH)
AI-Powered Fake ID Operation Dismantled: Ukrainian Operator Pleads Guilty
In February 2026, Ukrainian national Yurii Nazarenko pleaded guilty to operating OnlyFake, an AI-driven website that generated and sold over 10,000 counterfeit identification documents globally. The platform allowed users to create realistic digital versions of passports, driver's licenses, and Social Security cards, which were primarily used to bypass Know Your Customer (KYC) verification processes at financial institutions and cryptocurrency exchanges. Nazarenko was extradited from Romania in September 2025, agreed to forfeit $1.2 million, and faces a maximum sentence of 15 years in prison, with sentencing scheduled for June 26, 2026. This case underscores the growing misuse of artificial intelligence in facilitating sophisticated cybercrimes, particularly in identity fraud. The incident highlights the urgent need for enhanced security measures and regulatory frameworks to address AI-powered threats in the digital landscape.

20 hours ago

Impact (CRITICAL)
Understanding the RESURGE Malware: A 2025 Cybersecurity Threat
In early 2025, the Cybersecurity and Infrastructure Security Agency (CISA) identified a sophisticated malware variant named RESURGE, which exploited the critical vulnerability CVE-2025-0282 in Ivanti Connect Secure appliances. This vulnerability allowed unauthenticated remote code execution, enabling attackers to deploy RESURGE to establish persistent access, create web shells, harvest credentials, and escalate privileges. The malware's advanced evasion techniques, including network-level stealth and boot-level persistence, posed significant challenges for detection and remediation. The emergence of RESURGE underscores a growing trend of advanced persistent threats targeting critical infrastructure through zero-day vulnerabilities. Organizations must prioritize timely patching, implement robust monitoring systems, and adopt a zero-trust security model to mitigate such sophisticated attacks.

20 hours ago

Impact (LOW)
Europol's Project Compass Dismantles The Com Cybercriminal Network
In January 2025, Europol initiated 'Project Compass,' a collaborative effort involving law enforcement agencies from 28 countries, including the United States, to dismantle 'The Com,' a decentralized cybercriminal network notorious for targeting minors through cyberattacks, extortion, and exploitation. Over the course of a year, this operation led to the arrest of 30 individuals and the identification of 179 suspects associated with The Com. Authorities also identified 62 victims, directly safeguarding four of them from further harm. The Com's activities encompassed a range of cybercrimes, including ransomware attacks on prominent organizations and the coercion of minors into producing explicit content. ([cyberscoop.com](https://cyberscoop.com/project-compass-the-com-europol/?utm_source=openai)) The significance of this operation lies in its demonstration of the effectiveness of international cooperation in combating complex cybercriminal networks. The Com's exploitation of digital platforms to recruit and victimize young individuals underscores the urgent need for enhanced cybersecurity measures and public awareness to protect vulnerable populations from such threats. ([infosecurity-magazine.com](https://www.infosecurity-magazine.com/news/project-compass-com-arrests/?utm_source=openai))

20 hours ago

Impact (HIGH)
APT37's Ruby Jumper Campaign: A New Threat to Air-Gapped Networks
In December 2025, the North Korean state-sponsored group APT37, also known as ScarCruft, launched the 'Ruby Jumper' campaign targeting air-gapped networks. The attack began with victims opening malicious Windows shortcut (LNK) files, which executed PowerShell scripts to deploy a series of malware tools: RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, and FOOTWINE. These tools facilitated initial infection, established command-and-control via Zoho WorkDrive, and enabled lateral movement through removable media, ultimately compromising isolated systems. The campaign underscores the evolving tactics of APT37 in breaching highly secure environments. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/apt37-hackers-use-new-malware-to-breach-air-gapped-networks/?utm_source=openai)) This incident highlights a significant advancement in cyber-espionage techniques, demonstrating the capability to infiltrate air-gapped systems. Organizations with critical infrastructure should reassess their security protocols to mitigate such sophisticated threats.

20 hours ago

Impact (HIGH)
Malicious Go Module Exploits Open-Source Ecosystem to Steal Credentials and Deploy Backdoor
In February 2026, cybersecurity researchers uncovered a malicious Go module named 'github.com/xinfeisoft/crypto' that impersonated the legitimate 'golang.org/x/crypto' library. This module was designed to harvest passwords entered via terminal prompts and deploy a Linux backdoor known as Rekoobe. Upon execution, the module exfiltrated captured credentials to a remote server and executed a shell script that installed the backdoor, granting attackers persistent access to compromised systems. The campaign exploited GitHub's infrastructure to host and distribute the malicious code, highlighting the risks associated with supply chain attacks in open-source ecosystems. This incident underscores the growing trend of supply chain attacks targeting developers and the open-source community. By leveraging trusted platforms and repositories, attackers can distribute malicious code to a wide audience, emphasizing the need for enhanced vigilance and security measures in software development and distribution processes.

20 hours ago

Impact (MEDIUM)
Trojanized Gaming Tools Deploy Java-Based RAT via Browsers and Chat Platforms
In February 2026, threat actors distributed trojanized gaming utilities via browsers and chat platforms, deploying a Java-based Remote Access Trojan (RAT). The attack utilized a malicious downloader to stage a portable Java runtime and execute a JAR file named jd-gui.jar, employing PowerShell and living-off-the-land binaries like cmstp.exe for stealthy execution. The malware established persistence through scheduled tasks and startup scripts, connecting to an external server for command-and-control communications, enabling data exfiltration and deployment of additional payloads. ([thehackernews.com](https://thehackernews.com/2026/02/trojanized-gaming-tools-spread-java.html?utm_source=openai)) This incident underscores the evolving tactics of cybercriminals, highlighting the increasing use of legitimate tools for malicious purposes and the targeting of gaming communities. Organizations must remain vigilant against such sophisticated attack vectors to protect sensitive data and maintain operational integrity.

20 hours ago

Impact (HIGH)
ScarCruft's 'Ruby Jumper' Campaign: A New Era in Air-Gapped Network Breaches
In December 2025, the North Korean state-sponsored group ScarCruft (APT37) launched the 'Ruby Jumper' campaign, deploying sophisticated malware to infiltrate air-gapped networks. The attack began with malicious LNK files that, when executed, initiated a multi-stage infection chain. This chain utilized Zoho WorkDrive for command-and-control communications and leveraged removable media to bridge air-gapped systems, enabling data exfiltration and command execution. The campaign introduced new malware tools, including RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, and FOOTWINE, each designed to facilitate various stages of the attack, from initial compromise to surveillance and data theft. ([thehackernews.com](https://thehackernews.com/2026/02/scarcruft-uses-zoho-workdrive-and-usb.html?utm_source=openai)) This incident underscores the evolving tactics of nation-state actors in targeting isolated networks, highlighting the need for enhanced security measures to protect sensitive environments. The use of legitimate cloud services for C2 communications and the exploitation of removable media to breach air-gapped systems represent significant advancements in cyber-espionage techniques, posing increased risks to critical infrastructure and sensitive data repositories. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/apt37-hackers-use-new-malware-to-breach-air-gapped-networks/?utm_source=openai))

20 hours ago

Impact (HIGH)
DoJ Seizes $61 Million in Tether Linked to Pig Butchering Crypto Scams
In February 2026, the U.S. Department of Justice (DoJ) seized over $61 million in Tether (USDT) linked to 'pig butchering' cryptocurrency scams. These schemes involved fraudsters building trust with victims through fake romantic relationships, then persuading them to invest in fraudulent cryptocurrency platforms that displayed fabricated high returns. When victims attempted to withdraw funds, they were met with demands for additional fees, leading to further financial loss. The seized funds were traced to cryptocurrency addresses used to launder proceeds from these scams. ([justice.gov](https://www.justice.gov/usao-ednc/pr/us-attorneys-office-ednc-announces-seizure-61-million-dollars-worth-cryptocurrency?utm_source=openai)) This incident underscores the growing prevalence of sophisticated social engineering tactics in financial fraud, particularly within the cryptocurrency sector. It highlights the need for increased vigilance and regulatory measures to protect individuals from such deceptive practices.

20 hours ago

Impact (HIGH)
Sangoma FreePBX 2025 INJ3CTOR3 Web Shell Attacks
In December 2025, over 900 Sangoma FreePBX instances were compromised through the exploitation of CVE-2025-64328, a high-severity command injection vulnerability. This flaw allowed authenticated users to execute arbitrary shell commands, leading to the deployment of the EncystPHP web shell by the threat actor group INJ3CTOR3. The attacks resulted in unauthorized remote access and control over affected VoIP infrastructures, with significant concentrations of compromised systems in the U.S., Brazil, Canada, Germany, and France. ([thehackernews.com](https://thehackernews.com/2026/02/900-sangoma-freepbx-instances.html?utm_source=openai)) The incident underscores the critical importance of timely patch management and restricting administrative access to prevent exploitation of known vulnerabilities. Organizations are urged to update their FreePBX deployments to the latest version and implement stringent access controls to mitigate similar threats. ([securityweek.com](https://www.securityweek.com/900-sangoma-freepbx-instances-infected-with-web-shells/?utm_source=openai))

20 hours ago

Impact (CRITICAL)
Marquis 2025 Ransomware Attack via SonicWall Breach
In August 2025, Marquis Software Solutions, a Texas-based fintech firm serving over 700 banks and credit unions, experienced a ransomware attack. The breach was traced back to unauthorized access through its SonicWall firewall, leading to the exposure of sensitive data, including names, addresses, Social Security numbers, and financial account information of over 400,000 individuals associated with 74 financial institutions. The attackers exploited a known but unpatched vulnerability in SonicWall’s firewall software (CVE-2024-40766), allowing them to infiltrate Marquis's network and deploy ransomware. This incident underscores the critical importance of timely patch management and the potential risks associated with third-party service providers. ([techradar.com](https://www.techradar.com/pro/security/over-70-us-banks-and-credit-unions-affected-by-marquis-ransomware-breach-heres-what-we-know?utm_source=openai)) The Marquis breach highlights the escalating trend of cyberattacks targeting supply chain vulnerabilities, emphasizing the need for organizations to scrutinize the security postures of their vendors. Additionally, it serves as a stark reminder of the consequences of delayed patching, as threat actors increasingly exploit known vulnerabilities to gain unauthorized access to sensitive data.

1 day ago
