Researchers recently identified threat actor campaigns leveraging QEMU, a free open-source virtual machine (VM) emulator, to evade endpoint security solutions. Since QEMU acts as a VM within the target environment, endpoint detection tools cannot scan inside the emulator or detect any malicious files or payloads QEMU contains. Although threat actors have been utilizing QEMU maliciously since 2020, recent activity is attributed to the Payouts King ransomware group and a cluster of threat actors believed to be initial access brokers who have also been exploiting the CitrixBleed2 vulnerability CVE-2025-5777.

What’s Notable and Unique

• Payouts King has been observed deploying QEMU since November and uses the VM to create a reverse SSH backdoor to evade detection and install various tools, including Rclone, Chisel, and BusyBox.

• In a separate campaign, threat actors are exploiting CVE-2025-5777, a Citrix NetScaler vulnerability that allows attackers to bypass authentication. Once they’ve gained initial access, the threat actors use QEMU to deploy tools inside the VM, which are then used to steal credentials, identify Kerberos usernames, perform Active Directory reconnaissance, and set up FTP servers for staging or data exfiltration.

Analyst Comments

Threat actors continue to focus their efforts on defense evasion, often leveraging legitimate, easily accessible tools such as QEMU. The continued use of QEMU by multiple threat actors highlights the effectiveness of these tactics and the difficulty in detecting and defending against them. To counter this campaign, organizations should proactively monitor for unauthorized QEMU installations, abnormal scheduled tasks, and port forwarding rules. 

 Sources

• QEMU abused to evade detection and enable ransomware delivery

Microsoft warns that threat actors are increasingly abusing Microsoft Teams and relying on legitimate tools to gain access and conduct lateral movement within enterprise networks. The threat actors impersonate IT or helpdesk staff to contact employees via cross-tenant chats and trick them into granting remote access for data theft. Microsoft has observed multiple intrusions with a similar attack chain that utilized commercial remote management software, like Quick Assist and the Rclone utility, to transfer files to an external cloud storage service. This tactic, notably associated with Black Basta and Cactus ransomware operations in late 2024 and early 2025, appears to have resurfaced, with similar activity more recently observed in intrusions linked to the Akira and Payouts King ransomware groups.

What’s Notable and Unique

• Initial access is achieved by leveraging external collaboration features in Microsoft Teams to allow impersonation of internal support personnel, tricking users into bypassing security warnings. This reflects abuse of legitimate functionality rather than exploitation of a Microsoft Teams vulnerability.

  
  

• Following initial access, attackers conduct rapid reconnaissance using Command Prompt and PowerShell to assess privileges, domain membership, and opportunities for lateral movement. Persistence is maintained through Windows Registry modifications, after which attackers leveraged WinRM for lateral movement, targeting domain-joined systems and high-value assets, including domain controllers.

  
  

• Malicious payloads were staged in user-writable directories and executed through DLL side-loading via trusted, signed applications, enabling covert code execution while blending with legitimate activity. Additional remote management tools were also deployed to support broader access, while Rclone or similar utilities were used to stage and exfiltrate sensitive data to external cloud storage. 

Analyst Comments

This activity highlights how modern threat actors can leverage trusted collaboration workflows, remote management tools, and stealthy exfiltration techniques to conduct intrusions through a combination of social engineering and misuse of legitimate functionality. Effective defense depends on layered mitigations that combine identity controls, restricted remote administration, endpoint hardening, network protections, and user awareness measures to disrupt attacker activity at multiple stages of the intrusion lifecycle. To mitigate the risk of this and similar campaigns, users should treat external Teams contacts as untrusted by default, and administrators should restrict or closely monitor remote assistance tools while limiting WinRM usage to controlled systems. 

Sources

• Cross‑tenant helpdesk impersonation to data exfiltration: A human-operated intrusion playbook

• Microsoft: Teams increasingly abused in helpdesk impersonation attacks

• Payouts King Takes Aim at the Ransomware Throne

“Whaling” has taken on a new meaning with a highly targeted phishing campaign active from November 2025 through March 2026, aimed exclusively at senior executives from more than 20 industries. The campaign, dubbed VENOM, is a phishing-as-a-service (PhaaS) platform that combines advanced evasion capabilities with immediate persistence of targeted executives. The initial phish impersonates an internal SharePoint document notification and uses embedded QR codes to convince victims to shift to unmanaged mobile devices to bypass corporate security controls. VENOM aims to establish persistence immediately by either registering a new MFA device or retaining long-lived refresh tokens, allowing threat actors to maintain access even after password resets or other base-level remediation efforts. 

What’s Notable and Unique

•  This campaign is unique in its targeted nature of the PhaaS platform rather than broad, sweeping attempts. The threat actors behind VENOM create convincing phishing emails that impersonate SharePoint activity using the victim’s own domain, company name, and even fabricated email threads. These convincing social engineering tactics, combined with the specific targeting of executives, make this an effective capability for cybercriminals.

•  VENOM operates as a closed-access system, with full adversarial support, but has no public visibility on the dark web or from security researchers. The service likely operates on an invite-only basis, unlike most PhaaS platforms, which typically seek to have as many paying customers as possible. This, among other items such as the sophisticated evasion techniques, indicates a higher degree of sophistication than most other PhaaS offerings.

• Either through MFA enrollment or Microsoft Device Code abuse, the threat actor forces the victim to aid them in establishing persistence early in the attack lifecycle. These tactics result in either valid tokens or an additional MFA login method controlled by the threat actor, meaning typical password resets alone are not effective against this technique. Administrators would be required to explicitly revoke sessions and token grants to mitigate the threat actors’ persistence.

Analyst Comments

Oftentimes, MFA is viewed as a one-stop shop to cybersecurity, but tactics such as this show how threat actors can bypass MFA, or worse, use it to establish persistence. Ultimately, this campaign highlights how modern attacks increasingly abuse legitimate authentication workflows rather than attempting to defeat them outright. Defenses that rely solely on MFA without other security posturing, such as continuous session monitoring, token revocation, and identity logging, can leave organizations vulnerable. As attackers shift toward token theft and device trust abuse, incident response and identity security strategies must evolve accordingly.

Sources

• Meet VENOM: The PhaaS Platform That Neutralizes MFA

Multiple ransomware operations have recently been observed leveraging the Bring Your Own Vulnerable Driver (BYOVD) technique to disable endpoint security controls prior to ransomware deployment. Notably, the Qilin ransomware group commonly leverages a malicious msimg32.dll file loaded via DLL side-loading, along with vulnerable drivers including rwdrv.sys and hlpdrv.sys, to gain kernel-level access and disable security processes. Similarly, Warlock ransomware has been observed exploiting the vulnerable NSecKrnl.sys driver to bypass security controls. The use of BYOVD has also been observed across ransomware campaigns associated with Akira, INC, Medusa, and other threat actors. 

What’s Notable and Unique 

• The Qilin ransomware group employs a sophisticated multi-stage infection chain, leveraging DLL side-loading (msimg32.dll) to execute malicious payloads directly in memory and evade traditional file-based detection. In DLL side-loading, a threat actor tricks a program into loading a malicious dynamic link library. The malware escalates privileges and uses signed but vulnerable drivers (rwdrv.sys and hlpdrv.sys) to bypass security controls, access system memory, and systematically disable endpoint defenses by terminating security processes and disabling monitoring callbacks at the kernel level. 

• Akira ransomware operators have also exploited the rwdrv.sys and hlpdrv.sys drivers. Additionally, Arete has observed threat actors leveraging multiple other drivers, including the vulnerable TrueSight.sys, to bypass security controls. 

• Meanwhile, Warlock ransomware operators disguised malicious activity by renaming rclone.exe to TrendSecurity.exe to appear legitimate. The file functioned as a loader, exploiting the vulnerable NSecKrnl.sys driver to disable security processes, while Group Policy Objects (GPOs) were leveraged to systematically disable security controls across the environment. 

Analyst Comments 

The BYOVD technique, employed by multiple known ransomware operators, reflects a broader shift toward pre-encryption defense evasion, including suppression of Windows telemetry, removal of monitoring callbacks, and abuse of legitimately signed but vulnerable drivers. This technique enables threat actors to evade detection, maintain persistence for extended periods, and maximize the operational impact of ransomware deployment across compromised environments. Organizations should implement strict driver control policies, such as Microsoft’s Vulnerable Driver Blocklist and application control mechanisms. Additionally, enforcing least privilege access, enabling multi-factor authentication (MFA), maintaining up-to-date patching, and continuously monitoring for anomalous driver and kernel-level activity can further reduce the risk of such attacks. 

Sources 

• Qilin EDR killer infection chain

• Web Shells, Tunnels, and Ransomware: Dissecting a Warlock Attack 

The threat landscape in March had a much more even distribution of threat groups than has been observed since the first half of 2025. Although Akira, Qilin, Play, and INC remained among the most active groups, Arete observed 21 unique ransomware and extortion groups in March, compared to only 15 in February. Akira and Qilin’s activity also declined from the previous month; in February, the two groups were responsible for almost half of all ransomware incidents, but in March they only comprised a little more than a quarter of all activity. Arete also observed activity from several emerging groups in the past month, including BravoX, NightSpire, Payouts King, and Securotrop.

 Figure 1. Activity from the top 5 threat groups in March 2026

Analysts at Arete identified several trends behind the threat actors perpetrating cybercrime activities:

• In March, threat actors actively exploited FortiGate Next-Generation Firewall appliances as initial access vectors to compromise enterprise networks. The activity involves the exploitation of recently disclosed security vulnerabilities, including CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858, or weak credentials, allowing attackers to gain administrative access, extract configuration files, and obtain service account credentials. Arete also observed Fortinet device exploitation involving various threat groups, with the Qilin ransomware group notably leveraging Fortinet device exploits.

  
  

• Phishing campaigns leveraging OAuth redirection and a resurgence of Microsoft Teams–based social engineering were also observed in March. In one campaign, attackers sent emails disguised as Microsoft Teams recordings or Microsoft 365 alerts, redirecting victims through legitimate OAuth endpoints to attacker-controlled pages hosting malicious ZIP payloads. A separate campaign has been ongoing since last year, in which attackers flood users’ inboxes with spam and impersonate IT support personnel to trick victims into initiating remote support sessions via tools like Quick Assist.

  
  

• Arete recently released its 2025 Annual Crimeware Report. Leveraging data and intelligence collected during ransomware and extortion incident response engagements, this report highlights notable trends and shifts in the threat landscape throughout 2025, including Akira’s unusually high activity levels in the second half of 2025, evolving social engineering techniques, and trends in ransom demands and impacted industries.

Sources

• Arete Internal

Harness Arete’s unique data and expertise on extortion and ransomware to inform your response to the evolving threat landscape.

A recent security report indicates that threat actors are actively exploiting FortiGate Next-Generation Firewall (NGFW) appliances as initial access vectors to compromise enterprise networks. The activity leverages recently disclosed vulnerabilities or weak credentials to gain unauthorized access and extract configuration files, which often contain sensitive information, including service account credentials and detailed network topology data. 

Analysis of these incidents shows significant variation in attacker dwell time, ranging from immediate lateral movement to delays of up to two months post-compromise. Since these appliances often integrate with authentication systems such as Active Directory and Lightweight Directory Access Protocol (LDAP), their compromise can grant attackers extensive access, substantially increasing the risk of widespread network intrusion and data exposure. 

What’s Notable and Unique 

• The activity involves the exploitation of recently disclosed security vulnerabilities, including CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858, or weak credentials, allowing attackers to gain administrative access, extract configuration files, and obtain service account credentials and network topology information. 

  
  

• In one observed incident, attackers created a FortiGate admin account with unrestricted firewall rules and maintained access over time, consistent with initial access broker activity. After a couple of months, threat actors extracted and decrypted LDAP credentials to compromise Active Directory. 

• In another case, attackers moved from FortiGate access to deploying remote access tools, including Pulseway and MeshAgent, while also utilizing cloud infrastructure such as Google Cloud Storage and Amazon Web Services (AWS). 

Analyst Comments 

Arete has identified multiple instances of Fortinet device exploitation for initial access, involving various threat actors, with the Qilin ransomware group notably leveraging Fortinet device exploits. Given their integration with systems like Active Directory, NGFW appliances remain high-value targets for both state-aligned and financially motivated actors. In parallel, Arete has observed recent dark web activity involving leaked FortiGate VPN access, further highlighting the expanding risk landscape. This aligns with the recent reporting from Amazon Threat Intelligence, which identified large-scale compromises of FortiGate devices driven by exposed management ports and weak authentication, rather than vulnerability exploitation. Overall, these developments underscore the increasing focus on network edge devices as entry points, reinforcing the need for organizations to strengthen authentication, restrict external exposure, and address fundamental security gaps to mitigate the risk of widespread compromise. 

Sources 

FortiGate Edge Intrusions | Stolen Service Accounts Lead to Rogue Workstations and Deep AD Compromise

Security researchers discovered two critical vulnerabilities in Anthropic's agentic AI coding tool, Claude Code. The vulnerabilities, tracked as CVE-2025-59536 and CVE-2026-21852, allowed attackers to achieve remote code execution and to compromise a victim's API credentials. The vulnerabilities exploit maliciously crafted repository configurations to circumvent control mechanisms. It should be noted that Anthropic worked closely with the security researchers throughout the process, and the bugs were patched before the research was published. 

What’s Notable and Unique 

• The configuration files .claude/settings.json and .mcp.json were repurposed to execute malicious commands. Because the configurations could be applied immediately upon starting Claude Code, the commands ran before the user could deny permissions via a dialogue prompt, or they bypassed the authentication prompt altogether. 

  
  

• .claude/settings.json also defines the endpoint for all Claude Code API communications. By replacing the default localhost URL with a URL they own, an attacker could redirect traffic to infrastructure they control. Critically, the authentication traffic generated upon starting Claude Code included the user's full Anthropic API key in plain text and was sent before the user could interact with the trust dialogue. 

  
  

• Restrictive permissions on sensitive files could be bypassed by simply prompting Claude Code to create a copy of the file's contents, which did not inherit the original file's permissions. A threat actor using a stolen API key could gain complete read and write access to all files within a workspace. 

Analyst Comments 

The vulnerabilities and attack paths detailed in the research illustrate the double-edged nature of AI tools. The speed, scale, and convenience characteristics that make AI tools attractive to developer teams also benefit threat actors who use them for nefarious purposes. Defenders should expect adversaries to continue seeking ways to exploit configurations and orchestration logic to increase the impact of their attacks. Organizations planning to implement AI development tools should prioritize AI supply-chain hygiene and CI/CD hardening practices. 

Sources 

• Caught in the Hook: RCE and API Token Exfiltration Through Claude Code Project Files | CVE-2025-59536 | CVE-2026-21852

After a slight lull in January, Akira and Qilin returned to dominating ransomware activity in February, collectively accounting for almost half of all engagements that month. The rest of the threat landscape remained relatively diverse, with a mix of persistent threats like INC and PLAY, older groups like Cl0p and LockBit, and newer groups like BravoX and Payouts King. Given current trends, the first quarter of 2026 will likely remain relatively predictable, with the top groups from the second half of 2025 continuing to operate at fairly consistent levels month to month.

Figure 1. Activity from the top 5 threat groups in February 2026

Throughout the month of February, analysts at Arete identified several trends behind the threat actors perpetrating cybercrime activities: 

• In February, Arete observed Qilin actively targeting WatchGuard Firebox devices, especially those vulnerable to CVE-2025-14733, to gain initial access to victim environments. CVE-2025-14733 is a critical vulnerability in WatchGuard Fireware OS that allows a remote, unauthenticated threat actor to execute arbitrary code. In addition to upgrading WatchGuard devices to the latest Firebox OS version, which patches the bug, administrators are urged to rotate all shared secrets on affected devices that may have been compromised and may be used in future campaigns.

  
  

• Reports from February suggest that threat actors are increasingly exploring AI-enabled tools and services to scale malicious activities, demonstrating how generative AI is being integrated into both espionage and financially motivated threat operations. The Google Threat Intelligence Group indicated that state-backed threat actors are leveraging Google’s Gemini AI as a force multiplier to support all stages of the cyberattack lifecycle, from reconnaissance to post-compromise operations. Separate reporting from Amazon Threat Intelligence identified a threat actor leveraging commercially available generative AI services to conduct a large-scale campaign against FortiGate firewalls, gaining access through weak or reused credentials protected only by single-factor authentication.

  
  

• The Interlock ransomware group recently introduced a custom process-termination utility called “Hotta Killer,” designed to disable endpoint detection and response solutions during active intrusions. This tool exploits a zero-day vulnerability (CVE-2025-61155) in a gaming anti-cheat driver, marking a significant adaptation in the group’s operations against security tools like FortiEDR. Arete is actively monitoring this activity, which highlights the growing trend of Bring Your Own Vulnerable Driver (BYOVD) attacks, in which threat actors exploit legitimate, signed drivers to bypass and disable endpoint security controls.

Sources

• Arete Internal