Although Akira was once again the most active ransomware group in January, the threat landscape was more evenly distributed than it was throughout most of 2025. In December 2025, the three most active threat groups accounted for 57% of all ransomware and extortion activity; in January, the top three accounted for just 34%. Akira’s dominance also decreased to levels more consistent with early 2025, as the group was responsible for almost a third of all attacks in December but just 17% in January. 

The number of unique ransomware and extortion groups observed in January increased slightly, to 17, up from 14 in December. It is too early to assess whether this trend will be the new normal for 2026. It is also worth noting that overall activity in January was lower than in previous months, consistent with what Arete typically observes at the beginning of a new year.

Figure 1. Activity from all threat groups in January 2026

Throughout the month of January, analysts at Arete identified several distinct trends behind the threat actors perpetrating cybercrime activities: 

• In January, Arete observed the reemergence of the LockBit Ransomware-as-a-Service (RaaS) group, which deployed an updated “LockBit 5.0” variant of its ransomware. LockBit first announced the 5.0 version on the RAMP dark web forum in early September 2025, coinciding with the group’s six-year anniversary. The latest LockBit 5.0 variant has both Windows and Linux versions, with notable improvements, including anti-analysis features and unique 16-character extensions added to each encrypted file. However, it remains to be seen whether LockBit will return to consistent activity levels in 2026.

• The ClickFix social engineering technique, which leverages fake error dialog boxes to deceive users into manually executing malicious PowerShell commands, continued to evolve in unique ways in January. One campaign reported in January involved fake Blue Screen of Death (BSOD) messages manipulating users into pasting attacker-controlled code. During the month, researchers also documented a separate campaign, dubbed “CrashFix,” that uses a malicious Chrome browser extension-based attack vector. It crashes the web browser, displays a message stating the browser had "stopped abnormally," and then prompts the victim to click a button that executes malicious commands.

• Also in January, Fortinet confirmed that a new critical authentication vulnerability affecting its FortiGate devices is being actively exploited. The vulnerability, tracked as CVE-2026-24858, allows attackers with a FortiCloud account to log in to devices registered to other account owners due to an authentication bypass flaw in devices using FortiCloud single sign-on (SSO). This recent activity follows the exploitation of two other Fortinet SSO authentication flaws, CVE-2025-59718 and CVE-2025-59719, which were disclosed in December 2025.

Source

Arete Internal

Fortinet recently confirmed that its FortiGate devices are affected by a new critical authentication vulnerability that is being actively exploited. The vulnerability, tracked as CVE-2026-24858, allows attackers with a FortiCloud account to log in to devices registered to other account owners due to an authentication bypass flaw in devices using FortiCloud single sign-on (SSO). CISA added the vulnerability to its Known Exploited Vulnerabilities catalogue and gave federal agencies just three days to patch, which requires users to upgrade all devices running FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb to fixed versions. This recent activity follows the exploitation of two other SSO authentication flaws, CVE-2025-59718 and CVE-2025-59719, which were disclosed last month.

What’s Notable and Unique

• There are strong indications that much of the recent exploitation activity was automated, with attackers moving from initial access to account creation within seconds.

• As observed in December 2025, the attackers’ primary target appears to be firewall configuration files, which contain a trove of information that can be leveraged in future operations.

• The threat actors in this campaign favor innocuous, IT-themed email and account names, with malicious login activity originating from cloud-init@mail[.]io and cloud-noc@mail[.]io, while account names such as ‘secadmin’, ‘itadmin’, ‘audit’, and others are created for persistence and subsequent activity.

Analyst Comments

This is an active campaign, and the investigation into these attacks is ongoing. Organizations relying on FortiGate devices should remain extremely vigilant, even after following patching guidance. With threat actors circumventing authentication, it’s crucial to monitor for and alert on anomalous behavior within your environment, such as the unauthorized creation of admin accounts, the creation or modification of access policies, logins outside normal working hours, and anything that deviates from your security baseline.

Sources

• Administrative FortiCloud SSO authentication bypass

• Multiple Fortinet Products’ FortiCloud SSO Login Authentication Bypass

• Arctic Wolf Observes Malicious Configuration Changes On Fortinet FortiGate Devices via SSO Accounts

• Arctic Wolf Observes Malicious SSO Logins on FortiGate Devices Following Disclosure of CVE-2025-59718 and CVE-2025-59719

Cyber Campfire delivers data-driven insights from Arete’s Threat Intelligence Team. In this episode, we discuss cyber threat trends, statistics, and emerging threat actors from December 2025. Tune in for an in-depth look at the evolving threat landscape and actionable insights for global organizations and security partners.

Recent research reveals two distinct but similar malicious Chrome browser extension campaigns that demonstrate how threat actors are increasingly abusing trusted browser extension ecosystems to gain initial access, steal sessions, and compromise enterprise environments.

What’s Notable and Unique

• In mid-January 2026, cybersecurity researchers uncovered a coordinated cluster of five malicious Chrome extensions masquerading as enterprise productivity or access management tools for popular Human Resource and Enterprise Resource Planning platforms such as Workday, NetSuite, and SAP SuccessFactors.

• Although published under different names, the extensions shared identical infrastructure, code patterns, and attack logic, indicating a single, well-organized operation. These extensions enabled session hijacking and full account takeover by abusing browser-level access.

• In January, researchers also documented a separate campaign, dubbed “CrashFix,” which uses a different but equally effective browser extension-based attack vector. In this case, a malicious Chrome extension named NexShield impersonated the legitimate uBlock Origin Lite ad blocker and was distributed through malicious ads that redirected users to the official Chrome Web Store where they would be prompted to download the malicious version.

• The technique mentioned above is yet another evolution of the ClickFix style social engineering that emerged in 2025, in which users are tricked into executing malicious commands themselves. In CrashFix attacks, following the instructions led to the execution of PowerShell commands that downloaded and installed ModeloRAT, a previously undocumented Python based remote access trojan.

Analyst Comments

Browser extensions are being weaponized as highly trusted initial access vectors, with attackers blending technical abuse (cookie theft, resource exhaustion) with social engineering (productivity branding, fake repair prompts). Together, these two recent findings demonstrate that malicious Chrome extensions pose a risk as a primary entry point for enterprise compromise, making browser extension governance, monitoring, and user education a critical defensive priority. Organizations should monitor for hidden PowerShell processes that are accessing browser cache folders and limit the use of PowerShell to privileged administrators. Organizations should also continue to promote and update their security awareness training, educating employees on newer social engineering techniques such as ClickFix.

Sources

• 5 Malicious Chrome Extensions Enable Session Hijacking in Enterprise HR and ERP Systems

• Dissecting CrashFix: KongTuke’s New Toy

The once-prolific LockBit group appears to have reemerged, recently deploying an updated “LockBit 5.0” variant of its ransomware. Although the Ransomware-as-a-Service (RaaS) group has been trying to reestablish its brand since international law enforcement disrupted the group’s infrastructure in early 2024, this latest effort appears to be a return to form.

LockBit first announced the 5.0 version on the RAMP dark web forum in early September 2025, coinciding with the group’s six-year anniversary. In early December 2025, the group posted an announcement on its old data leak site (DLS) with a link to its new Christmas-themed LockBit 5.0 DLS. Since then, the group has already posted over 100 alleged victims to the new DLS.

Figure 1. LockBit’s new “5.0” DLS (Source: Arete)

A Long History of LockBit Variants

According to researchers, the 5.0 variant has numerous code overlaps with the LockBit 4.0 variant and appears to be the latest in a series of evolving ransomware versions observed since the group first emerged in September 2019.

• In June 2021, LockBit released version 2.0, also known as LockBit Red, followed by a Linux version released in October 2021 that could be deployed on Linux and VMware ESXi systems.

• In March 2022, the group released version 3.0, which was also known as LockBit Black. The builder for this LockBit 3.0 variant was subsequently leaked by a disgruntled affiliate in June 2023. Since then, this leaked builder has been used by a number of unaffiliated threat actors, even after law enforcement’s disruption of the LockBit RaaS in 2024.

• Following the leak of the LockBit Black builder, the group released a LockBit Green version in January 2023, followed by a macOS version in April 2023.

• In February 2024, international law enforcement disrupted LockBit’s operations, seizing the group’s DLS along with numerous websites and servers used by LockBit administrators. In May 2024, international law enforcement revealed that Russian national Dmitry Yuryevich Khoroshev, who went by the alias LockBitSupp, was the developer and administrator of the LockBit RaaS. Khoroshev was sanctioned by the US Department of the Treasury’s Office of Foreign Assets Control (OFAC), the UK’s Foreign Commonwealth & Development Office (FCDO), and the Australian Department of Foreign Affairs.

• In December 2024, LockBit announced the release of LockBit 4.0, with the new version becoming available to affiliates in February 2025. However, the group remained quiet for most of 2025, and Arete never observed any incidents involving the 4.0 version during the year.

The latest LockBit 5.0 variant has both Windows and Linux versions, with notable improvements, including anti-analysis features and unique 16-character extensions added to each encrypted file. Ransom notes for the 5.0 version direct victims to Tor chat panels, similar to those the group used before law enforcement’s disruptions.
 

Analyst Comments

Despite the number of victims initially posted to the new DLS, it remains to be seen whether LockBit will return to consistent activity levels in 2026. With the group continuing to operate under the LockBit brand, the sanctions against Khoroshev should inhibit victims contemplating payment for LockBit 5.0 decryption keys, creating a substantial barrier to the group reclaiming its place as one of the top RaaS organizations. If the group becomes an increasingly active threat in 2026, the OFAC sanction implications make it exceedingly important for organizations to have adequate data protection and security practices in place to be able to recover from potential encryption and extortion attacks without payment.

The ClickFix social engineering technique has gained significant popularity across the threat landscape since it emerged in 2025. It leverages fake error dialog boxes to deceive users into manually executing malicious PowerShell commands. This technique is commonly delivered through compromised websites, malicious documents, HTML attachments, or phishing URLs, and has been associated with a wide range of malware families, including AsyncRAT, DarkGate, NetSupport, and Lumma Stealer.

More recently, threat researchers have identified a clever evolution of this technique targeting the hospitality sector. This campaign combines ClickFix lures with fake CAPTCHA prompts and counterfeit Blue Screen of Death (BSOD) messages to manipulate users into pasting attacker-controlled code. This approach enables defense evasion and ultimately results in the deployment of the Russian-linked DCRat malware.

Figure 1. Example of a fake BSOD used to trick victims (Source: Securonix)

What’s Notable and Unique

• This latest campaign leverages phishing emails impersonating Booking.com, using Euro-denominated reservation cancellation charges to create urgency and direct victims to fraudulent websites.

• These websites use fake CAPTCHA challenges and counterfeit BSOD messages as social engineering lures, targeting hospitality organizations, particularly European entities, during the peak holiday season.

• This social engineering technique ultimately deceives users into executing malicious code that abuses MSBuild.exe to deploy a Russian-linked DCRat payload, enabling persistent remote access, process hollowing, keylogging, and secondary payload delivery.

Analyst Comments

ClickFix social engineering techniques continue to evolve, with earlier-identified variants like FileFix using sophisticated methods that trick users into copying malicious scripts, which are then executed through Windows File Explorer. The latest campaign now employs fake BSOD prompts to deceive victims and deploy DCRat malware, underscoring the importance of vigilance against emerging social engineering threats. To defend against these attacks, organizations should provide ongoing employee training to recognize and respond to social engineering techniques, ensure software is downloaded only from trusted sources, and restrict PowerShell usage to privileged administrators.

Sources

• Analyzing PHALT#BLYX: How Fake BSODs and Trusted Build Tools Are Used to Construct a Malware Infection

• Think before you Click(Fix): Analyzing the ClickFix social engineering technique

Consistent with the second half of 2025, Akira continues to dominate the ransomware landscape. In December, the group was responsible for over a third of all ransomware and extortion engagements observed by Arete. Akira was also responsible for 10% more ransomware attacks than second and third most active groups, Qilin and INC Ransom, combined. Collectively, the top three most active threat groups in December comprised about 57% of all activity Arete observed during the month. 

Figure 1. Activity from the top 3 threat groups in December 2025

Throughout the month of December, analysts at Arete identified several distinct trends behind the threat actors perpetrating cybercrime activities: 

• In addition to Akira, Qilin, and INC, there has recently been an uptick in engagements attributed to RansomHouse, a group that Arete had not observed since early 2024. Reporting from December 2025 indicated that the group updated its encryption code to make it more efficient, which could partly explain the increase in RansomHouse engagements observed in November and December.

  
  

• In early December, a maximum-severity flaw was reported in the widely used JavaScript library React that allows unauthenticated remote attackers to execute malicious code on vulnerable instances. The vulnerability, tracked as CVE-2025-55182, also known as React2Shell, was assigned a maximum CVSS severity rating of 10.0, with an estimated 39% of cloud environments affected at the time the vulnerability was disclosed. Organizations should prioritize immediate patching to address the React2Shell (CVE-2025-55182) vulnerability and ensure all internet-facing applications are updated to the vendor-recommended versions.

  
  

• In late December 2025, a high-severity, pre-authentication memory vulnerability was disclosed that affects MongoDB versions 3.6 and later. Referred to as MongoBleed (CVE-2025-14847), the vulnerability enables unauthenticated attackers to send malformed network messages, thereby leaking uninitialized server memory that contains sensitive data, such as credentials, tokens, and API keys. While the flaw does not allow for remote code execution and no ransomware campaigns have been confirmed, researchers have linked it to real-world abuse, including a suspected Ubisoft Rainbow Six Siege backend compromise. Data leaked from these incidents could enable follow-on attacks, including ransomware. Organizations with publicly exposed MongoDB servers affected by the vulnerability should immediately patch to the latest version.

Sources

• Arete Internal

Apple released patches for two zero-day vulnerabilities affecting WebKit, the browser engine that powers Safari on macOS, iOS, and iPadOS, and is used by all browsers on iPhone and iPad devices. The vulnerabilities, tracked as CVE-2025-14174 and CVE-2025-43529, can both be exploited with maliciously crafted web content, leading to arbitrary code execution. According to Apple, the vulnerabilities were already exploited in what it describes as “…an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26.” Apple urges its users to upgrade to the latest version of its OS, which implements a fix for the bugs.

What’s Notable and Unique

• Apple’s patch releases coincided with a somewhat vague Google advisory, which, at the time, did not have an assigned CVE. The vulnerability described in Google’s release has since been identified as CVE-2025-14174 and affects Chrome’s graphics engine, ANGLE, on Mac devices.

• Technical details concerning the vulnerabilities and the attacks observed by Apple remain scarce, likely due to Apple and Google wanting to provide enough time for users to patch their devices before widespread exploitation occurs.

• This is the second zero-day Apple has reported this year related to WebKit. In March, CVE-2025-24201 was released, which describes an out-of-bounds write flaw that can allow an attacker to break out of the Web Content sandbox. This vulnerability was also exploited in what Apple described as an “extremely sophisticated” attack.

Analyst Comments

There are conflicting reports as to whether the vulnerabilities were first discovered by Apple’s Security Engineering and Architecture (SEAR) team or Google’s Threat Analysis Group (TAG), but it is clear that the two organizations have been working together to address the issues. This level of collaboration between Apple and Google is rare and speaks to the severity of the flaws and the potential threat to targeted individuals. Given Apple’s language about the attacks and the involvement of Google’s TAG, which generally focuses its efforts on state-sponsored actors, it has been widely speculated that the activity was perpetrated as part of a well-resourced espionage campaign. Regardless of the adversaries behind the attacks reported by Apple, users should follow patching guidance as soon as possible.

Sources

• About the security content of iOS 18.7.3 and iPadOS 18.7.3

• Stable Channel Update for Desktop

• Apple fixes two zero-day flaws exploited in ‘sophisticated’ attacks

• Apple Patches More Zero-Days Used in ‘Sophisticated’ Attack

A maximum-severity flaw in the widely used JavaScript library React, as well as several React-based frameworks, including Next.js, allows unauthenticated remote attackers to execute malicious code on vulnerable instances. The vulnerability, tracked as CVE-2025-55182, also known as React2Shell, has been assigned a maximum CVSS severity rating of 10.0, with an estimated 39% of cloud environments affected.

Within hours of disclosure, multiple threat actors, including state-sponsored groups, were observed exploiting the flaw, with researchers confirming that over 30 organizations across multiple sectors have already been compromised.

What’s Notable and Unique

• This vulnerability originates from insecure deserialization, where attacker-controlled inputs are processed without adequate validation. Since the flaw is unauthenticated, exploitation becomes significantly easier for threat actors. During deserialization, object properties are implicitly expanded, enabling prototype pollution that can alter application behavior and, when aligned with specific React Server Components execution paths, escalate to remote code execution (RCE).

• Active exploitation of the React2Shell (CVE-2025-55182) vulnerability has already been observed from China state-nexus groups Earth Lamia and Jackpot Panda, as well as suspected North Korean actors who are attacking unpatched React Server Components using automated scans and PoC exploits.

• Subsequent activity includes EtherRAT and EtherHiding-based payload delivery linked to Democratic People’s Republic of Korea (DPRK) actor UNC5342, BPFDoor attributed to Red Menshen, the newly identified Auto-color PAM backdoor, and Cobalt Strike, demonstrating the broad use of React2Shell as an initial access vector.

• The issue affects versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 of the react-server-dom-parcel, react-server-dom-webpack, and react-server-dom-turbopack packages, which are embedded in frameworks such as Next.js (≥14.3.0-canary.77, ≥15, ≥16) and other tools including Vite, Parcel, React Router, RedwoodSDK, and Waku.

Analyst Comments

Organizations should prioritize immediate patching to address the React2Shell (CVE-2025-55182) vulnerability and ensure all internet-facing applications are updated to the vendor-recommended versions. In the interim, it is advisable to restrict access to Server Function/Flight endpoints and monitor for any unusual Node.js activity or anomalous React Server Components request patterns due to confirmed exploitation attempts.

At Arete, we are actively monitoring all endpoints for suspicious activity related to this vulnerability and will take prompt action to contain and mitigate any threats. Our security monitoring and response capabilities are fully maintained to ensure timely detection and protection against emerging risks.

Sources

• Exploitation of Critical Vulnerability in React Server Components (Updated December 12)
  Clock Icon 16 min read

• China-nexus cyber threat groups rapidly exploit React2Shell vulnerability (CVE-2025-55182)

• ‘Exploitation is imminent’ as 39 percent of cloud environs have max-severity React hole

• Responding to CVE-2025-55182: Secure your React and Next.js workloads

• Protect against React RSC CVE-2025-55182 with Azure Web Application Firewall (WAF)