Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

First published May 8th 2025 Updated Sept 16th 2025 Editor’s Note: This blog builds on our recent analysis of the DragonForce ransomware cartel, which claimed responsibility for a wave of UK retail attacks in April–May 2025. While DragonForce took credit for the extortion and data leak phase, growing evidence suggests that another group—Scattered Spider—may have played a foundational role in enabling those attacks.

On September 15, 2025, reports surfaced that the widely used npm package @ctrl/tinycolor had been compromised by malware as part of a broader supply chain attack affecting over 40 packages initially, with the number rising to more than 180 according to Aikido’s blog. Upon further investigation, the first malicious package that was identified as compromised in this campaign was rxnt-authentication, which was updated on September 14, 2025, at 17:58:50 UTC.

On September 11, a message appeared on BreachForumshn that seemed to mark the end of an era.

Ransomware is evolving ‒ not fading. Despite a decline in attack detections based on WatchGuard Firebox telemetry, data from extortion sites and media reporting tells a different story: ransomware activity is actually on the rise, both quarter-over-quarter and year-over-year. The number of active ransomware groups is also increasing, as is the average ransom demand. In fact, the typical payout jumped from $400,000 in 2023 to $2 million in 2024 ‒ a staggering 500% spike.

AI-powered social engineering attacks are significantly more successful than traditional attacks, according to a new report from cyber risk management firm Resilience. The researchers state, “Social engineering attacks fueled 88% of material losses, with AI-powered phishing achieving a 54% success rate compared to just 12% for traditional attempts.” AI allows attackers to easily craft sophisticated phishing emails, as well as voice and video deepfakes.

Fileless malware continues to evade modern defenses due to its stealthy nature and reliance on legitimate system tools for execution. This approach bypasses traditional disk-based detection by operating in memory, making these threats harder to detect, analyze, and eradicate. A recent incident culminated in the deployment of AsyncRAT, a powerful Remote Access Trojan (RAT), through a multi-stage fileless loader. In this blog, we share some of the key takeaways from this investigation.

AI is unlocking new ways to work across industries. Nearly four in five CEOs are implementing or likely to implement generative AI to speed up innovation across their companies, and workers at every level are using GenAI to improve or expand their processes. Unfortunately, they aren’t the only ones embracing the power of AI. WormGPT was one of the best-known early examples of an AI that could create convincing social engineering attacks and build malware.

Just because ransomware attacks have decreased doesn’t mean that the risk has disappeared. Indeed, it remains one of the most disruptive threats to any organisation. Headlines can convey a false sense of relief: Ransomware attacks are down 15%, according to Verizon's latest DBIR report. But for those of us who work in cybersecurity, we know that this doesn't tell the whole story, especially when the real issue isn't how often an attack occurs, but what happens when it does.