Financial cyberthreats in 2025 and the outlook for 2026

Securelist · Olga Altukhova · Oleg Kupreev · Polina Tretyak

April 8, 2026, 06:00

In 2025, the financial cyberthreat landscape continued to evolve. While traditional PC banking malware declined in relative prevalence, this shift was offset by the rapid growth of credential theft by infostealers. Attackers increasingly relied on aggregation and reuse of stolen data, rather than developing entirely new malware capabilities.

To describe the financial threat landscape in 2025, we analyzed anonymized data on malicious activities detected on the devices of Kaspersky security product users and consensually provided to us through the Kaspersky Security Network (KSN), along with publicly available data and data on the dark web.

We analyzed the data for

  • financial phishing,
  • banking malware,
  • infostealers and the dark web.

Key findings

Phishing

Phishing activity in 2025 shifted toward e-commerce (14.17%) and digital services (16.15%), with attackers increasingly tailoring campaigns to regional trends and user behavior, making social engineering more targeted despite reduced focus on traditional banking lures.

Banking malware

Financial PC malware declined in prevalence but remained a persistent threat, with established families continuing to operate, while attackers increasingly prioritized credential access and indirect fraud over deploying complex banking Trojans. By contrast, mobile banking malware continued to grow, as we described in detail in our mobile malware report.

Infostealers and the dark web

Infostealers became a central driver of financial cybercrime, fueling a growing dark web economy where stolen credentials, payment data, and full identity profiles are traded at scale, enabling widespread and destructive fraud operations.

Financial phishing

In 2025, online fraudsters continued to lure users to phishing and scam pages that mimicked the websites of popular brands and financial organizations. Attackers leveraged increasingly convincing social engineering techniques and brand impersonation to exploit user trust. Rather than relying solely on volume, campaigns showed greater targeting and contextual adaptation, reflecting a maturation of phishing operations.

The distribution of top phishing categories in 2025 shows a clear shift toward digital platforms that aggregate multiple user activities, with web services (16.15%), online games (14.58%), and online stores (14.17%) leading globally. Compared to 2024, the rise of online games and the decline of social networks and banks indicate that attackers are increasingly targeting environments where users are more likely to take a risk or engage impulsively. Categories such as instant messaging apps and global internet portals remain significant phishing targets, reflecting their role as communication and access hubs that can be exploited for credential harvesting.

TOP 10 categories of organizations mimicked by phishing and scam pages that were blocked on home users’ devices, 2025 (download)

Regional patterns further reinforce the adaptive nature of phishing campaigns, showing that attackers closely align category targeting with local digital habits. For example, online stores dominate heavily in the Middle East.

TOP 10 categories of organizations mimicked by phishing and scam pages that were blocked on home users’ devices in the Middle East, 2025 (download)

Online games and instant messaging platforms feature more prominently in the CIS, suggesting a focus on younger or highly connected user bases.

TOP 10 categories of organizations mimicked by phishing and scam pages that were blocked on home users’ devices in the CIS, 2025 (download)

APAC shows almost equal shares of online games and banks, which points to a combined approach targeting different user groups.

TOP 10 categories of organizations mimicked by phishing and scam pages that were blocked on home users’ devices in APAC, 2025 (download)

In Africa, a stronger emphasis on banks reflects the continued importance of traditional financial services. Most likely, this is due to the lower security level of the financial institutions in the region.

TOP 10 categories of organizations mimicked by phishing and scam pages that were blocked on home users’ devices in Africa, 2025 (download)

In LATAM, meanwhile, the appearance of delivery companies in the top categories indicates that attackers are exploiting the growth of e-commerce logistics.

TOP 10 categories of organizations mimicked by phishing and scam pages that were blocked on home users’ devices in Latin America, 2025 (download)

Europe presents a more balanced distribution across categories, pointing to diversified attack strategies.

TOP 10 categories of organizations mimicked by phishing and scam pages that were blocked on home users’ devices in Europe, 2025 (download)

Attackers actively localize their tactics to maximize relevance and effectiveness.

The distribution of financial phishing pages by category in 2025 reveals strong regional asymmetries that reflect both user behavior and attacker prioritization.

Globally, online stores dominated (48.45%), followed by banks (26.05%) and payment systems (25.50%). The decline in bank phishing may suggest that these services are becoming increasingly difficult to successfully impersonate, so fraudsters are turning to easier ways to access users’ finances.

However, this balance shifts significantly at the regional level.

In the Middle East, phishing is overwhelmingly concentrated on e-commerce (85.8%), indicating a heavy reliance on online retail lures, whereas in Africa, bank-related phishing leads (53.75%), which may indicate that user account security there is still insufficient. LATAM shows a more balanced distribution but with a higher share of online store targeting (46.30%), while APAC and Europe display a more even spread across all three categories, pointing to diversified attack strategies. These variations suggest that attackers are not operating uniformly but are instead adapting campaigns to regional digital habits, payment ecosystems, and trust patterns – maximizing effectiveness by aligning phishing content with the most commonly used financial services in each market.

Distribution of financial phishing pages by category and region, 2025 (download)

Online shopping scams

The distribution of organizations mimicked by phishing and scam pages in 2025 highlights a clear shift toward globally recognized digital service and e-commerce brands, with attackers prioritizing platforms that have large, active user bases and frequent payment interactions.

Netflix (28.42%) solidified its ranking as the most impersonated brand, followed by Apple (20.55%), Spotify (18.09%), and Amazon (17.85%). This reflects a move away from traditional retail-only targets toward subscription-based and ecosystem-driven services.

TOP 10 online shopping brands mimicked by phishing and scam pages, 2025 (download)

Regionally, this trend varies: Netflix dominates heavily in the Middle East, Apple leads in APAC, while Spotify ranks first across Europe, LATAM, and Africa. Although most of the top platforms are highly popular across different regions, this suggests that attackers tailor brand impersonation to regional popularity and user engagement.

Payment system phishing

Phishing campaigns are impersonating multiple payment ecosystems to maximize coverage. While PayPal was the most mimicked in 2024 with 37.53%, its share dropped to 14.10% in 2025. Mastercard, on the contrary, attracted cybercriminals’ attention, its share increasing from 30.54% to 33.45%, while Visa accounted for a significant 20.06% (last year, it wasn’t in the TOP 5), reinforcing the growing focus on widely used banking card networks. The continued presence of American Express (3.87%) and the increasing number of pages mimicking PayPay (11.72%) further highlight attacker experimentation and regional adaptation.

TOP 5 payment systems mimicked by phishing and scam pages, 2025 (download)

Financial malware

In 2025, the decline in users affected by financial PC malware continued. On the one hand, people continue to rely on mobile devices to manage their finances. On the other hand, some of the most prominent malware families that were initially designed as bankers had not used this functionality for years, so we excluded them from these statistics.

Changes in the number of unique users attacked by banking malware, by month, 2023–2025 (download)

Windows systems remained the primary platform targeted by attackers with financial malware. According to the Kaspersky Security Bulletin, overall detections included 1,338,357 banking Trojan attacks globally from November 2024 to October 2025, though this number is also declining due to the increasing focus on mobile vectors. Desktop threats continued to be distributed via traditional delivery methods such as malicious emails, compromised websites, and droppers.

In 2025, Brazilian-origin families such as Grandoreiro (part of the Tetrade group) stood out for their constant activity and global reach. Despite a major law enforcement disruption in early 2024, Grandoreiro remained active in 2025, re-emerging with updated variants and continuing to operate. Other notable actors included Coyote and emerging families like Maverick, which abused WhatsApp for distribution while maintaining fileless techniques and overlaps with established Brazilian banking malware to steal credentials and enable fraudulent transactions on desktop banking platforms. Besides traditional bankers, other Brazilian malware families are worth mentioning: those that specifically target relatively new but highly popular regional payment systems. One of the most prominent of these is the GoPix Trojan, which focuses on users of the Brazilian Pix payment system. It is also capable of targeting the local Boleto payment method and of stealing cryptocurrency.

There was also a surge in incidents in 2025 in which fraudsters targeted organizations through electronic document management (EDM) systems, for example by substituting invoice details to trick victims into transferring funds. The Pure Trojan was most frequently encountered in such attacks. Attackers typically distribute it through targeted emails, using abbreviations of document names, software titles, or other accounting-related keywords in the headers of attached files. Globally in the corporate segment, Pure was detected 896,633 times over 2025, with over 64 thousand users attacked.

Contrary to PC banking malware, mobile banker attacks grew by 1.5 times in 2025 compared to the previous reporting period, which is consistent with their growth in 2024. They also saw a sharp surge in the number of unique installation packages. More statistics and trends on mobile banking malware can be found in our yearly mobile threat report.

Complementing traditional financial malware, infostealers played a significant role in enabling financial crime both on PCs and mobile devices by harvesting credentials, cookies, and autofill data from browsers and applications, which attackers then used for account takeovers or direct banking fraud. Kaspersky analyses pointed to a surge in infostealer detections (up by 59% globally on PCs), fueling credential-based attacks.

Financial cyberthreats on the dark web

The Kaspersky Digital Footprint Intelligence (DFI) team closely monitors infostealer activity on both PC and mobile devices to analyze emerging trends and assess the evolving tactics of cybercriminals.

Fraudsters especially target financial data such as payment cards, cryptocurrency wallets, login credentials and cookies for banking services, as well as documents stored on the victim’s device. The stolen data is collected in log files and shared on dark web resources, where it is bought, sold, or distributed freely and then used for financial fraud.

With access to financial data, fraudsters can gain control of users’ bank accounts and payment cards, and withdraw funds. Compromised accounts and cards are also frequently used in subsequent activities, turning the victims into intermediaries in a fraud scheme.

Compromised accounts

Kaspersky DFI found that in 2025, over one million online banking accounts (these are not Kaspersky product users) served by the world’s 100 largest banks fell victim to infostealers: their credentials were being freely shared on the dark web.

The countries with the highest median number of compromised accounts per bank were India, Spain, and Brazil.

The chart below shows the median number of compromised accounts per bank for the TOP 10 countries.

TOP 10 countries with the highest compromised account median (download)

Compromised payment cards

Seventy-four percent of payment cards that were compromised by infostealer malware, published on dark web resources and identified by the Digital Footprint Intelligence team in 2025, remained valid as of March 2026. This means that attackers could still use the cards that had been stolen months or even years prior.

It should be noted that the number of bank accounts and payment cards known to have been compromised by infostealers in 2025 will continue to rise, because fraudsters do not publish the log files immediately after the compromise but only after a delay of months or even years.

Data breaches

Regardless of the industry in which the target company operates, data breaches often expose users’ financial data, including payment card information, bank account details, transaction histories and other financial information. As a consequence, the compromised databases are sold and distributed on underground resources.

It should be noted that the threat is not limited to the exposure of financial information alone. Various identity documents and even seemingly public data, such as names, phone numbers and email addresses, can become a risk when they are published on the dark web. Such data attracts fraudsters’ attention and can be used in social engineering attacks to gain access to the user’s financial assets.

An example of a post offering a database

Sale of bank accounts and payment cards

The dark web often features services provided by stores that specialize in selling bank accounts and payment cards. Fraudsters typically obtain data for sale from a variety of sources, including infostealer logs and leaked databases, which are first repackaged and then combined.

Examples of a post (top) and a site (bottom) offering payment cards

Often, sellers offer complete victim profiles, referred to by fraudsters as “fullz”. These include not only bank accounts or payment cards but also identification documents, dates of birth, residential addresses, and other personal details. A full‑information package is usually more expensive than a payment card or a bank account alone.

Examples of a post (top) and a site (bottom) offering bank accounts

Compiled databases

Fraudsters exploit various sources, including previously leaked databases, to compile new, thematic ones. Finance- and, in particular, cryptocurrency-related databases, are among the most popular. Compilations aimed at specific user groups, such as the elderly or wealthy people, are also of interest to cybercriminals.

Usually, thematic databases contain personal information about users, such as names, phone numbers, and email addresses. Fraudsters can use this data to launch social engineering attacks.

An example of a message offering compiled databases

Creation of phishing websites

Phishing websites have become a powerful tool for the financial enrichment of fraudsters. Cybercriminals create fraudulent sites that masquerade as legitimate resources of companies operating in various industries. Gambling and retail sites remain among the most popular targets.

In order to obtain personal and financial information from unsuspecting users, adversaries seek out ways to create such phishing websites. Ready-made layouts and website copies are sold on the dark web and advertised as profitable tools. Moreover, fraudsters offer phishing website creation services.

Examples of posts offering creation of phishing websites

Conclusion

The decline of traditional PC banking malware is not an indicator of reduced risk; rather, it highlights a redistribution of attacker effort toward more efficient methods targeting mobile devices, credential theft, and social engineering. Infostealers, in particular, are a force multiplier, enabling widespread compromise at scale.

Looking ahead to 2026, the financial threat landscape is expected to become even more data-driven and automated. Organizations must adapt by focusing on identity protection, real-time monitoring, and cross-channel threat intelligence, while users must remain vigilant against increasingly sophisticated and personalized attack techniques.

12 Months of Fighting Cybercrime & Defending Enterprises | The SentinelLABS 2025 Review

January 6, 2026, 13:00

Over the past twelve months, SentinelLABS research revealed how threat actors have changed their operational approach in ways previously unseen. Among our many research publications during 2025, we exposed North Korean threat actors monitoring the same cyber threat intelligence platforms defenders use to share indicators of compromise, and revealed how a single cryptocurrency phishing operation deployed over 38,000 malicious subdomains across trusted free-tier platforms.

2025 also saw artificial intelligence transition from theoretical threat to practical reality, though not in the revolutionary ways many predicted. Instead, AI emerged as a force multiplier, with threat actors weaponizing large language models to scale attacks, generate convincing social engineering content, and automate previously manual processes.

These discoveries, and others we will explore in this review, exemplify how adversaries have fundamentally changed their operational calculus, treating legitimate infrastructure—from Telegram to free-tier publishing platforms to commercial AI APIs—as essential criminal resources and actively surveilling the defender community’s intelligence-sharing mechanisms.

Throughout 2025, SentinelLABS tracked, identified, and disclosed information on these and other critical issues to help organizations and defenders stay ahead of threats to their business operations.

All our research and threat intelligence posts can be found on the SentinelLABS home page, but for a recap of the year’s main cybersecurity events, take a scroll through the main highlights below.

Key Trends from SentinelLABS Research in 2025

  • AI Weaponization Across the Threat Spectrum: Artificial intelligence matured from a theoretical threat to an operational accelerator, used to automate existing capabilities from runtime code generation (MalTerminal) to CAPTCHA bypassing (AkiraBot), lowering barriers for both sophisticated and commodity attacks.
  • Threat Actors Monitoring Defensive Intelligence: North Korean operators (Contagious Interview) began actively monitoring platforms like Validin and VirusTotal to detect their own infrastructure exposure in near real-time.
  • Industrial-Scale Cryptocurrency & Credentials Theft: Highly organized, business-like criminal operations such as FreeDrain and PXA Stealer prove that cryptocurrency and credential theft at scale has evolved into a professional sector with sophisticated infrastructure and monetization pipelines.
  • Exploitation of Legitimate Platforms: Threat actors have increasingly leveraged trusted infrastructure for malicious purposes: Telegram for C2 and data monetization, free-tier publishing platforms for phishing campaigns, and cloud services for hosting and evasion.
  • China’s Hidden Offensive Capabilities: Research into Hafnium-linked companies and firms that provide Censorship as a Service to government customers reveals deep integration between China’s private cybersecurity sector and state offensive operations.
  • Developments in Social Engineering: Through ClickFix techniques, fake CAPTCHA pages, and increasingly convincing fake job offers, threat actors have found new ways to exploit user psychology to deliver malware.

January

SentinelLABS researchers uncovered how HellCat and Morpheus ransomware operations were essentially two distinct brands deploying identical ransomware payloads, illustrating the commoditization and rebranding practices within the RaaS ecosystem. This discovery highlighted how affiliates could rebrand the same underlying malware to create the appearance of distinct threat groups, complicating attribution efforts.

Our research into a returning phishing campaign revealed the targeting of high-profile accounts on X (formerly Twitter) to promote cryptocurrency scams. The attacks demonstrated the persistent value of compromising social media accounts with large followings for financially motivated threat actors seeking to reach broad audiences with investment fraud schemes.

Key Takeaway: Understanding how common code is sourced and shared across ransomware groups can inform detection efforts and improve threat intelligence on their operations.

February

In early February, SentinelLABS reported on further variants of the FlexibleFerret DPRK malware family, continuing the Contagious Interview campaign that had been active since November 2023. The research uncovered new infection vectors and samples while also documenting persistent attempts to compromise developers through fake GitHub issues promoting malicious installer scripts.

Later in the month, analysis of leaked data from TopSec, a Beijing-based cybersecurity firm, revealed how China’s private sector provides Censorship as a Service to enforce government content monitoring. The leaked work logs showed TopSec delivering bespoke monitoring services to a state-owned enterprise precisely when a corruption investigation was announced, offering rare insight into public-private coordination for managing sensitive events and controlling public opinion in China.

February concluded with discovery of a new Ghostwriter campaign targeting both the Ukrainian government and, for the first time, Belarusian opposition groups. The long-running threat activity cluster deployed weaponized Excel documents with lures crafted to appeal to government officials and opposition activists, marking an expansion of the campaign’s targeting scope.

Key Takeaway: The TopSec leak reveals how China’s private cybersecurity sector directly enables state surveillance and censorship operations, highlighting the interconnected nature of commercial security firms and government offensive capabilities.

March

March was marked by several significant ransomware developments. Mid-month, SentinelLABS reported on Dragon RaaS, a pro-Russian hacktivist group attempting to build on the reputation of “The Five Families” cybercrime ecosystem. The group’s emergence reflected the continued fragmentation and rebranding within ransomware operations.

The month also saw publication of research on ReaderUpdate, a macOS malware loader that had been largely dormant since 2023. New samples showed the threat actors had expanded the loader’s capabilities by adding Go to its existing arsenal of Crystal, Nim, and Rust variants, creating a “melting pot” of macOS malware designed to evade detection through diverse implementation languages.

Key Takeaway: ReaderUpdate’s use of multiple programming languages (Crystal, Nim, Rust, Go) presents unique challenges for detection and analysis, necessitating detection strategies that focus on behavior and artifacts rather than language-specific signatures.

April

April brought the discovery of AkiraBot, an AI-powered Python framework using OpenAI to generate custom spam messages targeting website contact forms and chat widgets.

Since September 2024, the bot had targeted more than 400,000 websites and successfully spammed at least 80,000 sites promoting dubious SEO services. The framework’s sophistication, including multiple CAPTCHA bypass mechanisms and network detection evasion techniques, illustrated how AI lowers barriers for scaled attacks even when the underlying criminal objective remains straightforward.

Later in the month, SentinelLABS published research on what it takes to defend a top-tier cybersecurity company from today’s adversaries. Drawing on SentinelOne’s own experiences as a target of advanced persistent threats, the research provided insight into the resources and capabilities required to protect organizations that themselves represent high-value targets for nation-state actors seeking to compromise security vendors.

Key Takeaway: AI-generated content in AkiraBot bypasses traditional spam filters by creating unique messages for each target, exposing the challenges AI poses to traditional website spam defenses.

May

May opened with our reporting on DragonForce, a ransomware gang that had completed its transformation from a pro-Palestine hacktivist operation to a profit-driven extortion enterprise. The group introduced a “white-label” branding service in early 2025, allowing affiliates to rebrand DragonForce ransomware as different strains for additional fees, marking a new level of commercialization within the RaaS ecosystem.

Shortly afterward, SentinelLABS and Validin unveiled FreeDrain at PIVOTcon. Our collaboration exposed an industrial-scale cryptocurrency phishing operation using SEO manipulation and over 38,000 distinct subdomains across free publishing platforms. The investigation began with a victim who lost approximately $500,000 worth of Bitcoin and expanded to reveal a professional criminal enterprise operating during standard business hours from the UTC+05:30 timezone, systematically stealing digital assets through multilayered redirection techniques.

Anti-Ransomware Day 2025 marked the sobering milestone of ten years of Ransomware-as-a-Service, now a billion-dollar criminal industry. SentinelLABS’ retrospective examined how RaaS operations had evolved from early experiments into sophisticated criminal enterprises with mature business models, customer service, and ongoing innovation.

A busy month for our researchers concluded with documentation of ClickFix techniques embedding fraudulent CAPTCHA images on compromised websites. We shared original findings from SentinelOne investigations, including infection chains and technical artifacts not previously reported.

Key Takeaway: FreeDrain’s abuse of thousands of subdomains on trusted free-tier platforms demonstrates that without stronger default safeguards, identity verification, or proper abuse response infrastructure, free publishing platforms will continue to be abused, undermining user trust and inflicting real-world financial harm.

June

SentinelLABS expanded on its earlier research on adversaries targeting top-tier organizations, detailing a China-nexus threat actor’s reconnaissance operation against SentinelOne itself that had occurred in October 2024 and extended into 2025. The research highlighted adversaries’ persistent focus on compromising cybersecurity vendors and high-value targets.

Also in June, we reported on Katz Stealer, an emerging Malware-as-a-Service platform targeting credentials and crypto assets. Advertised on BreachForums in April 2025, Katz Stealer followed the established RaaS business model, offering services to affiliates for upfront fees and demonstrating the continued commercialization of information stealer operations.

We reported on two separate Mac-focused campaigns in June, attributed respectively to Chinese and North Korean threat actors. Our researchers found evidence of macOS.ZuRu’s re-emergence with a modified Khepri C2 framework concealed inside a trojanized version of the legitimate Termius SSH client. We also detailed intrusions attributed to DPRK activity and the macOS NimDoor malware family: a Nim-based backdoor specifically designed to target Web3 and crypto platforms. The research extended understanding of North Korean threat actors’ evolving macOS malware playbook and their persistent focus on the cryptocurrency sector.

Key Takeaway: DPRK’s exploration of lesser-known languages in order to introduce analysis complexity requires security engineers to invest equal effort in understanding the affordances such languages offer threat actors.

July

One of the year’s most significant zero-day disclosures was revealed when Microsoft confirmed active exploitation of SharePoint ToolShell (CVE-2025-53770) on July 19th, two days after SentinelOne first observed ToolShell exploitation. SentinelLABS researchers subsequently documented targeted exploitation against high-value organizations in technology consulting, manufacturing, critical infrastructure, and professional services.

The vulnerability enabled unauthenticated remote code execution through crafted POST requests, with attacks occurring before public disclosure spurred mass exploitation. Further research found multiple state-aligned threat actors beginning reconnaissance and early-stage exploitation activities.

Later in July, following Department of Justice indictments of two hackers working for China’s Ministry of State Security, SentinelLABS identified more than ten patents for highly intrusive forensics and data collection technologies registered by companies linked to the Hafnium (Silk Typhoon) threat actor group.

The patents revealed previously unreported offensive capabilities including encrypted endpoint data acquisition, mobile forensics, and network traffic collection, exposing the sophisticated technical infrastructure supporting China’s APT operations and highlighting critical gaps in traditional campaign-focused attribution.

Key Takeaway: Campaign-focused attribution misses the full picture. Understanding the companies behind attacks and their documented capabilities, not just observed behavior, is essential for comprehensive threat intelligence.

August

In early August, SentinelLABS and Beazley Security exposed the PXA Stealer campaign, a Python-based operation that had infected more than 4,000 unique victims across 62 countries. The stolen data included over 200,000 passwords, hundreds of credit card records, and more than 4 million browser cookies, and was monetized through a Vietnamese-speaking cybercriminal ecosystem using Telegram APIs. The campaign demonstrated increasingly advanced tradecraft with nuanced anti-analysis techniques, non-malicious decoy content, and hardened command-and-control infrastructure.

This month, SentinelLABS also exposed widespread smart contract scams, where actors advertised crypto trading bots concealing malicious contracts designed to drain user wallets. Promoted through fake YouTube channels and AI-generated videos, the scams demonstrated how threat actors leverage social media and emerging technologies to lend legitimacy to financial fraud schemes.

Key Takeaway: Stealer campaigns have become increasingly automated and supply-chain integrated. PXA Stealer exemplifies a growing trend in which legitimate infrastructure is weaponized at scale.

September

SentinelLABS, in collaboration with Validin, exposed how North Korean threat actors behind the Contagious Interview campaign were actively monitoring cyber threat intelligence platforms to detect infrastructure exposure.

The research revealed coordinated teams using Slack for real-time collaboration and rapidly deploying replacement infrastructure when services took down their assets. Between January and March 2025 alone, our efforts identified more than 230 victims, predominantly cryptocurrency professionals, with the actual number likely significantly higher.

Later in September, SentinelLABS published groundbreaking research on hunting for LLM-enabled malware. Facing the challenge that malware offloading functionality to AI could generate unique code at runtime and evade traditional detection, our researchers developed novel methodologies based on embedded API key detection and specific prompt structure patterns.

This approach successfully identified previously unknown samples including MalTerminal, potentially the earliest known example of LLM-enabled malware. Despite initial concerns about detection challenges, the research showed how defenders could reliably hunt for and detect these emerging threats.

Key Takeaway: LLM-enabled malware is still in a nascent stage, giving defenders an opportunity to learn from attackers’ mistakes and adjust their approaches accordingly.

October

In late October, following intelligence shared by the Digital Security Lab of Ukraine, SentinelLABS investigated PhantomCaptcha, a coordinated single-day spearphishing operation launched on October 8th targeting organizations critical to Ukraine’s war relief efforts.

The threat actors used emails impersonating the Ukrainian President’s Office carrying weaponized PDFs, luring victims into executing malware via a ‘ClickFix’-style fake Cloudflare captcha page. The final payload was a multi-stage WebSocket RAT, hosted on Russian-owned infrastructure, with an array of offensive features including arbitrary remote command execution, data exfiltration, and the potential deployment of additional malware.

The campaign reflects a highly capable adversary with extensive operational planning, compartmentalized infrastructure, and deliberate exposure control. The six-month period between initial infrastructure registration and attack execution, followed by the swift takedown of user-facing domains while maintaining backend command-and-control, indicates an operator well-versed in both offensive tradecraft and defensive detection evasion.

Key Takeaway: User awareness training on “ClickFix”-style social engineering techniques can help prevent attacks using this infection vector. PowerShell logging provides visibility into commands using hidden window styles, execution policy bypasses, or attempts to disable command history logging, while network security teams can monitor for WebSocket connections to recently-registered or suspicious domains.
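The two log-side signals in this takeaway (PowerShell invocations with hidden window styles, execution-policy bypasses or disabled history logging, and WebSocket connections to recently registered domains) can be checked with a few lines of detection logic. The following is an added example, not SentinelLABS code: the PowerShell event lines and the connection records are constructed, and the regular expressions are assumptions about how these options appear on a command line.

```python
"""Detection logic for the two log-side signals named in the PhantomCaptcha
takeaway. Added example, not SentinelLABS code: the PowerShell log lines and
the WebSocket connection records below are constructed, and the regexes are
assumptions about how these options appear on a command line."""
import re
from datetime import date

# PowerShell accepts abbreviated parameter names, so each pattern covers the
# long form and the usual short forms (-w/-WindowStyle, -ep/-ExecutionPolicy).
CHECKS = [
    ("hidden_window",
     re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)),
    ("execution_policy_bypass",
     re.compile(r"(?:-ex(?:ecutionpolicy)?|-ep)\s+(?:bypass|unrestricted)",
                re.IGNORECASE)),
    ("history_logging_disabled",
     re.compile(r"Set-PSReadLineOption\s+-HistorySaveStyle\s+SaveNothing"
                r"|Remove-Module\s+PSReadLine", re.IGNORECASE)),
]


def analyse_command(cmd: str) -> list:
    """Names of every check a single PowerShell command line trips, in CHECKS order."""
    return [name for name, rx in CHECKS if rx.search(cmd)]


def scan_log(lines) -> list:
    """Return (line_no, line, reasons) for each line that trips at least one check.
    Lines are assumed to look like '<timestamp> <event id> <script text>', as a
    SIEM might export 4104 script-block events; only the text matters here."""
    findings = []
    for n, line in enumerate(lines, start=1):
        reasons = analyse_command(line)
        if reasons:
            findings.append((n, line.strip(), reasons))
    return findings


def young_websocket_domains(connections, registrations, today, max_age_days=30):
    """Hosts contacted over ws/wss whose registration date is newer than
    max_age_days, or unknown. connections: (host, scheme) pairs;
    registrations: host -> registration date from WHOIS/RDAP enrichment."""
    flagged = []
    for host, scheme in connections:
        if scheme not in ("ws", "wss"):
            continue
        registered = registrations.get(host)
        if registered is None or (today - registered).days <= max_age_days:
            flagged.append(host)
    return flagged


# Constructed sample data (not real telemetry); <payload omitted> stands in
# for whatever the command body was, which these checks do not look at.
SAMPLE_LOG = [
    "2025-10-08T09:14:02Z 4104 powershell.exe -w hidden -ep bypass -c <payload omitted>",
    "2025-10-08T09:14:05Z 4104 Set-PSReadLineOption -HistorySaveStyle SaveNothing",
    "2025-10-08T09:20:11Z 4104 Get-ChildItem C:\\Users\\alice\\Documents",
    "2025-10-08T09:21:30Z 4104 powershell.exe -NoProfile -Command Get-Process",
]
SAMPLE_CONNECTIONS = [
    ("updates.example.com", "wss"),      # long-lived domain
    ("cdn-verify.example.net", "wss"),   # registered days before the activity
    ("intranet.example.org", "https"),   # not a WebSocket, ignored
]
SAMPLE_REGISTRATIONS = {
    "updates.example.com": date(2015, 3, 1),
    "cdn-verify.example.net": date(2025, 9, 20),
}


def sample_flagged_domains() -> list:
    """Run the domain-age check over the constructed sample as of 2025-10-08."""
    return young_websocket_domains(SAMPLE_CONNECTIONS, SAMPLE_REGISTRATIONS,
                                   date(2025, 10, 8))


if __name__ == "__main__":
    for n, line, reasons in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(reasons)}")
    print("young WebSocket domains:", sample_flagged_domains())
```

The command-line checks are deliberately narrow so they can run on every 4104 event without a flood of false positives; the domain-age check depends on having registration dates enriched into the connection log, and `max_age_days` should be tuned to the environment, since PhantomCaptcha's infrastructure was registered months in advance.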

November

As part of our efforts to empower the community at large through research and adversary exposure, SentinelLABS also develops and releases open source tooling. In November, we released a Synapse Rapid Power Up for Validin to improve campaign discovery at scale. Our research showed how modern intelligence platforms could accelerate identification of threat campaigns through infrastructure correlation and automated discovery techniques.

Using the LaundryBear and FreeDrain campaigns as case studies, we explored how the sentinelone-validin power-up leverages Validin’s multi-source enrichment and HTTP fingerprinting to reveal wider campaign infrastructure within Synapse from just a handful of indicators.

The tool makes it easier to follow how infrastructure changes over time, trace shared resources across campaigns, and connect what might first appear as isolated indicators. With this richer context available directly in Synapse, analysts can move from collection to understanding with greater speed and confidence in their conclusions.

Key Takeaway: Modern adversaries rotate domains and replicate infrastructure templates, which can limit the value of isolated indicators. Analysts need time-aware, cross-source analysis to identify shared traits and connect related assets.

December

Early in December, SentinelLABS released its forward-looking “Cybersecurity 2026” forecast, examining the year ahead in AI, adversaries, and global change. The analysis drew on trends observed throughout 2025 to project how the threat landscape would continue evolving.

This month we also traced how two hackers progressed from Cisco Academy students to orchestrating Salt Typhoon attacks, providing rare insight into how technical education can be perverted toward malicious ends and highlighting the danger of threat actors emerging from legitimate training programs.

December also saw reporting on CyberVolk’s return with VolkLocker. The pro-Russian hacktivist collective continued its pattern of reusing, tweaking, and rebranding leaked ransomware source code.

The year concluded with comprehensive research on how large language models impact ransomware operations. The analysis found that while LLMs are being adopted by crimeware actors, they serve as operational accelerators rather than revolutionary tools, streamlining reconnaissance, improving phishing, and speeding up attack stages without fundamentally changing ransomware methodology.

Key Takeaway: With today’s LLMs, the risk is not superintelligent malware but industrialized extortion, requiring defenders to adapt to faster operational tempo rather than novel capabilities.

Conclusion

2025 saw the cybersecurity landscape defined not by revolutionary changes but by the acceleration of existing threats. AI has emerged not as a game-changer but as a force multiplier, amplifying attacks across the spectrum.

Meanwhile, cybercriminals operate industrial-scale operations with professional infrastructure, business hours, and customer service models much like legitimate enterprises, and nation-state actors monitor the same intelligence platforms defenders use, turning the information security community’s own tools into reconnaissance resources.

Our research over the last 12 months has also found an adversary landscape in which attribution has become increasingly complex, and the line between hacktivist and profit-motivated operations continues to blur. From the 38,000 phishing subdomains of FreeDrain to the coordinated teams behind Contagious Interview monitoring threat intelligence platforms, threat actors have shown both adaptability and operational maturity.

SentinelLABS’ discoveries throughout 2025 underscore the critical need for a collaborative, intelligence-driven approach to cybersecurity. As we move into 2026, defenders will find themselves in an environment where trust models require reevaluation, adversaries demonstrate sophisticated awareness of defensive operations, and the weaponization of legitimate services demands new detection paradigms.


LLMs & Ransomware | An Operational Accelerator, Not a Revolution

Executive Summary

  • SentinelLABS assesses that LLMs are accelerating the ransomware lifecycle, not fundamentally transforming it.
  • We observe measurable gains in speed, volume, and multilingual reach across reconnaissance, phishing, tooling assistance, data triage, and negotiation, but no step-change in novel tactics or techniques driven purely by AI at scale.
  • Self-hosted, open-source Ollama models will likely be the go-to for top tier actors looking to avoid provider guardrails.
  • Defenders should prepare for adversaries making incremental but rapid efficiency gains.

Overview

SentinelLABS has been researching how large language models (LLMs) impact cybersecurity for both defenders and adversaries. As part of our ongoing efforts in this area and our well-established research and tracking of crimeware actors, we have been closely following the adoption of LLM technology among ransomware operators. We have observed that there appear to be three structural shifts unfolding in parallel.

First, the barriers to entry continue to fall for those intent on cybercrime. LLMs allow low- to mid-skill actors to assemble functional tooling and ransomware-as-a-service (RaaS) infrastructure by decomposing malicious tasks into seemingly benign prompts that are able to slip past provider guardrails.

Second, the ransomware ecosystem is splintering. The era of mega-brand cartels (LockBit, Conti, REvil) has faded under sustained law enforcement pressure and sanctions. In their place, we see a proliferation of small, short-lived crews—Termite, Punisher, The Gentlemen, Obscura—operating under the radar, alongside a surge in mimicry and false claims, such as fake Babuk2 and confused ShinyHunters branding.

Third, the line between APT and crimeware is blurring. State-aligned actors are moonlighting as ransomware affiliates or using extortion for operational cover, while culturally-motivated groups like “The Com” are buying into affiliate ecosystems, adding noise and complicating attribution as we saw with groups such as DragonForce, Qilin, and previously BlackCat/ALPHV.

While these three structural shifts were to a certain extent in play prior to the widespread availability of LLMs, we observe that all three are accelerating simultaneously. To understand the mechanics, we examined how LLMs are being integrated into day-to-day ransomware operations.

We note that the threat intelligence community’s understanding of exactly how threat actors integrate LLMs into attacks is severely limited. The primary sources that furnish information on these attacks are the intelligence teams of LLM providers via periodic reports and, more rarely, victims of intrusions who find artifacts of LLM use.

As a result, it is easy to overinterpret a small number of cases as indicative of a revolutionary change in adversary tradecraft. We assess that such conclusions exceed the available evidence. We find instead that while the use of LLMs by adversaries is certainly an important trend, in ways we detail throughout this report, this reflects operational acceleration rather than a fundamental transformation in attacker capabilities.

How AI Is Changing Ransomware Operations Today

Direct Substitutions from Enterprise Workflows

The most immediate impact comes from ransomware operators adopting the same LLM workflows that legitimate enterprises use every day, only repurposed for crime. In the same way that marketers use LLMs to write copy, threat actors use them to draft phishing emails and localized content, such as ransom notes written in the same language as the victim company. Enterprises take advantage of LLMs to refine large amounts of data for sales operations, while threat actors use the same workflow to identify lucrative targets from dumps of leaked data, or to decide how to extort a specific victim based on the value of the data they steal.

This data triage capability is particularly amplified across language barriers. A Russian-speaking operator might not recognize that a file named “Fatura” (Turkish for “Invoice”) or “Rechnung” (German) contains financially sensitive information. LLMs eliminate this blind spot.

With LLMs, attackers can instruct a model to “Find all documents related to financial debt or trade secrets” in Arabic, Hindi, Spanish, or Japanese. Research shows LLMs significantly outperform traditional tools in identifying sensitive data in non-English languages.

The pattern holds across other enterprise workflows as well. In each case, the effect is the same: competent crews become faster and can operate across more tech stacks, languages, and geographies, while new entrants reach functional capability sooner. Importantly, what we are not seeing is any fundamentally new category of attack or novel capability.

Local Models to Evade Guardrails

Actors are increasingly breaking down malicious tasks into “non-malicious,” seemingly benign fragments. Often, actors spread requests across multiple sessions or prompt multiple models, then stitch code together offline. This approach dilutes potential suspicion from LLM providers by decentralizing malicious activity.

There is a clear and increasing trend of actor interest in using open models for nefarious purposes. Local, fine-tuned, open-source Ollama models offer more control, minimize provider telemetry and have fewer guardrails than commoditized LLMs. Early proof-of-concept (PoC) LLM-enabled ransomware tools like PromptLock may be clunky, but the direction is clear: once optimized, local and self-hosted models will be the default for higher-end crews.

Cisco Talos and others have flagged criminals gravitating toward uncensored models, which offer fewer safeguards than frontier labs and typically omit security controls like prompt classification, account telemetry, and other abuse-monitoring mechanisms in addition to being trained on more harmful content.

As adoption of these open-source models accelerates and as they are fine-tuned specifically for offensive use cases, defenders will find it increasingly challenging to identify and disrupt abuse originating from models that are customized for or directly operated by adversaries.

Documented Use of AI in Offensive Operations

Automated Attacks via Claude Code

Some recent campaigns illustrate our observations of how LLMs are actively being used and how they may be incorporated to accelerate attacker tradecraft.

In August 2025, Anthropic’s Threat Intelligence team reported on a threat actor using Claude Code to perform a highly autonomous extortion campaign. This actor automated not only the technical and reconnaissance aspects of the intrusion but also instructed Claude Code to evaluate what data to exfiltrate, the ideal monetary ransom amount, and to curate the ransom note demands to maximize impact and coax the victims into paying.

The actor’s prompt apparently guided Claude to accept commands in Russian and instructed the LLM to maintain communications in this language. While Anthropic does not state the final language used for creating ransom notes, SentinelLABS assesses that the subsequent prompts likely generated ransom notes and customer communications in English, as ransomware actors typically avoid targeting organizations within the Commonwealth of Independent States (CIS).

This campaign presents an impressive degree of LLM-enabled automation that furthers actors’ offensive security, data analysis, and linguistic capabilities. While each step alone could be achieved by typical, well-resourced ransomware groups, the Claude Code-enabled automation flow required far fewer human resources.

Malware Embedding Calls to LLM APIs

SentinelLABS’ research on LLM-enabled threats brought MalTerminal to light, a PoC tool that stitches together multiple capabilities, including ransomware and a reverse shell, through prompting a commercial LLM to generate the code.

Relics in MalTerminal strongly suggested that this tool was developed by a security researcher or company; however, the capabilities were a very early iteration of how threat actors will incorporate malicious prompting into tools to further their attacks.

This tool bypassed safety filters to deliver a ransomware payload, proving that ransomware-focused actors can overcome provider guardrails not only for earlier attack stages like reconnaissance and lateral movement but also for the impact phase of a ransomware attack.

Abusing Victims’ Locally Hosted LLMs

In August 2025, Google Threat Intelligence researchers identified examples of stealer malware dubbed QUIETVAULT, which weaponizes locally installed AI command-line tools to enhance data exfiltration capabilities. The JavaScript-based stealer searches for and leverages LLMs on macOS and Linux hosts by embedding a malicious prompt, instructing them to recursively search for wallet-related files and sensitive configuration data across the victim’s filesystem.

Figure: QUIETVAULT leverages locally-hosted LLMs for enhanced credentials and wallet discovery

The prompt directs the local LLM to search common user directories like $HOME, ~/.config, and ~/.local/share, while avoiding system paths that would trigger errors or require elevated privileges. In addition, it instructs the LLM to identify files matching patterns associated with various cryptowallets including MetaMask, Electrum, Ledger, Trezor, Exodus, Trust Wallet, Phantom, and Solflare.

This approach demonstrates how threat actors are adapting to the proliferation of AI tools on victim workstations. By leveraging the AI’s natural language understanding and file system reasoning capabilities, the malware is able to conduct more intelligent reconnaissance than traditional pattern-matching algorithms.

Once sensitive files are discovered through AI-assisted enumeration, QUIETVAULT proceeds with traditional stealer functions. It Base64-encodes the stolen data and attempts to exfiltrate it via newly created GitHub repositories using local credentials.
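The September hunting approach (embedded API keys and specific prompt-structure patterns) and the QUIETVAULT prompt described above call for the same triage logic: score a file for the traits that only LLM-enabled code carries. The following is an added example, not SentinelLABS or Google tooling. The key formats it matches are assumptions, the indicator names are mine, and all three sample scripts are constructed stand-ins rather than real samples.

```python
"""Triage scripts for the two traits SentinelLABS hunted on (embedded LLM API
keys and recognisable prompt structures) and for the kind of filesystem
prompt QUIETVAULT carries. Added example, not SentinelLABS or Google code:
the key formats are assumed, and every sample below is constructed."""
import re

# Assumed key formats: the common 'sk-' prefixed provider secret and any
# api_key = "..." style assignment.
API_KEY_PATTERNS = {
    "sk_prefixed_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}"),
    "api_key_assignment": re.compile(
        r"api[_-]?key\s*[:=]\s*['\"][A-Za-z0-9_\-]{16,}['\"]", re.IGNORECASE),
}

# Prompt-structure indicators: chat-API message objects, role-setting
# openers, an instruction to search user directories, and the wallet names
# the QUIETVAULT prompt targets.
PROMPT_PATTERNS = {
    "chat_message_object": re.compile(
        r"['\"]role['\"]\s*:\s*['\"](?:system|user)['\"]", re.IGNORECASE),
    "role_setting_opener": re.compile(r"\bYou are an? [A-Za-z ]{3,40}\b"),
    "fs_search_instruction": re.compile(
        r"\b(?:search|find|locate)\b[^\n]{0,120}?(?:\$HOME|~/\.config|~/\.local/share)",
        re.IGNORECASE),
    "wallet_target_list": re.compile(
        r"\b(?:MetaMask|Electrum|Ledger|Trezor|Exodus|Phantom|Solflare)\b"),
}


def classify(text: str) -> dict:
    """Score one file's contents. 'suspect' needs a key plus a prompt signal,
    or two independent prompt signals, so a lone 'You are a' sentence in a
    README does not fire."""
    keys = [n for n, rx in API_KEY_PATTERNS.items() if rx.search(text)]
    prompts = [n for n, rx in PROMPT_PATTERNS.items() if rx.search(text)]
    verdict = "suspect" if (keys and prompts) or len(prompts) >= 2 else "clean"
    return {"api_keys": keys, "prompt_indicators": prompts, "verdict": verdict}


def triage(files: dict) -> dict:
    """Run classify over {name: contents} and keep only the suspect entries."""
    return {name: r for name, r in ((n, classify(t)) for n, t in files.items())
            if r["verdict"] == "suspect"}


# Constructed samples; none is real malware.
BENIGN = '''
import os
for root, dirs, files in os.walk(os.path.expanduser("~")):
    total = len(files)
'''

EMBEDDED_KEY = '''
API_KEY = "sk-''' + "A" * 28 + '''"
messages = [{"role": "system", "content": "You are a coding assistant."}]
'''

LOCAL_PROMPT = '''
const prompt = "Search $HOME, ~/.config and ~/.local/share for MetaMask or "
             + "Electrum wallet files and list their paths";
'''

if __name__ == "__main__":
    for name, result in triage({"benign.py": BENIGN, "keyed.py": EMBEDDED_KEY,
                                "local.js": LOCAL_PROMPT}).items():
        print(name, result)
```

The two-signal rule is what keeps this usable as a hunt over a large corpus: a key alone is a leaked secret, a prompt alone may be a legitimate AI tool, but a script that carries both, or that both addresses a model and tells it which user directories and wallet names to look for, is worth an analyst's time.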

LLM-Enabled Exploit Development

There has been significant discourse surrounding LLM-enabled exploit development and how AI will accelerate the vulnerability-disclosure-to-exploit-development lifecycle. As of this writing, credible reports of LLM-developed one-day exploits have been scarce and difficult to verify, though it is very likely that LLMs can help actors rapidly prototype pieces of exploit code and support actors in stitching pieces of code together, plausibly resulting in a viable, weaponized version.

However, it is worth noting that LLM-enabled exploit development can be a double-edged sword: the December 2025 React2Shell vulnerability raised alarm when a PoC exploit circulated shortly after the vendor disclosed the flaw. Credible researchers soon found that the exploit was not only non-viable but had been generated by an LLM. Defenders should expect an increased churn and fatigue cycle based on the rapid proliferation of LLM-enabled exploits, many of which are likely to be more hallucination than weapon.

LLM-Assisted Social Engineering

Actor misuse of LLM provider brands to further social engineering campaigns remains a tried and true technique. A campaign in December 2025 used a combination of chat-style LLM conversation sharing features and search engine optimization (SEO) poisoning to direct users to LLM-written tutorials that delivered the macOS Amos Stealer to the victim’s system.

Because the actors used prompt engineering techniques to insert attacker-controlled infrastructure into the chat conversation along with typical macOS software installation steps, these conversations were hosted on the LLM provider’s websites and their URLs were listed as sponsored search engine results under the legitimate LLM provider domain, for example https://<llm_provider_name>[.]com.

These SEO-boosted results contain conversations which instruct the user to install the stealer under the guise of AI-powered software or routine operating system maintenance tasks. While Amos Stealer is not overtly linked to a ransomware group, it is well documented that infostealers play a crucial role in the initial access broker (IAB) ecosystem, which feeds operations for small and large ransomware groups alike. While genuine incidents of macOS ransomware are virtually unknown, credentials stolen from Macs can be sold to enable extortion or access to corporate environments containing systems with a higher predisposition to ransomware.

Additionally, operations supporting ransomware and extortion have begun to offer AI-driven communication features to facilitate attacker-to-victim communications. In mid-2025, Global Group RaaS started advertising their “AI-Assisted Chat”. This feature claims to analyze data from victim companies, including revenue and historical public behavior, and then tailors the communication around that analysis.

Figure: Global RaaS offering AI-Assisted Chat

While Global RaaS does not restrict itself to specific sectors, to date its attacks have disproportionately affected Healthcare, Construction, and Manufacturing.

What we observe is a pattern of LLMs accelerating execution, enabling automation through prompts and vibe-coding, streamlining repetitive tasks, and translating spoken language on the fly.

What’s Next for LLMs and Ransomware?

SentinelLABS is tracking several specific LLM-related patterns that we assess will become increasingly significant over the next 12–24 months.

  • Actors already chunk malicious code into benign prompts across multiple models or sessions, then assemble offline to dodge guardrails. This workflow will become commoditized as tutorials and tooling proliferate, ultimately maturing into “prompt smuggling as a service”: automated harnesses that route requests across multiple providers when one model refuses, then stitch the outputs together for the attacker.
  • Early proof-of-concept LLM-enabled malware–including ransomware–will be optimized and take increasing advantage of local models, becoming stealthier, more controllable, and less visible to defenders and researchers.
  • We expect to see ransomware operators deploy templated negotiation agents: tone-controlled, multilingual, and integrated into RaaS panels.
  • Ransomware brand spoofing (fake Babuk2, ShinyHunters confusion) and false claims will increase and complicate attribution. Threat actors’ ability to generate content at scale along with plausible-sounding narratives via LLMs will negatively impact defenders’ ability to stem the blast radius of attacks.
  • LLM use is also transforming the underlying infrastructure that drives extortive attacks. This includes tools and platforms for applying pressure to victims, such as automated, AI-augmented calling platforms. While peripheral to the tooling used to conduct ransom and extortion attacks, these supporting tools serve to accelerate the efforts of threat actors. Similar shifts are occurring with AI-augmented spamming tools used for payload distribution, like “SpamGPT”, “BruteForceAI”, and “AIO Callcenter”: tools used by initial access brokers, who serve a key service in the ransomware ecosystem.

Conclusion

The widespread availability of large language models is accelerating the three structural shifts we identified: falling barriers to entry, ecosystem splintering, and the convergence of APT and crimeware operations.

These advances make competent ransomware crews faster and extend their reach across languages and geographies, while allowing novices to ramp up operational capabilities by decomposing complex tasks into manageable steps that models will readily assist with. Malicious actors take this approach both out of technical necessity and to hide their intent. As top tier threat actors migrate to self-hosted, uncensored models, defenders will lose the visibility and leverage that provider guardrails currently offer.

With today’s LLMs, the risk is not superintelligent malware but industrialized extortion with smarter target selection, tailored demands, and cross-platform tradecraft that complicates response. Defenders will need to adapt to a faster and noisier threat landscape, where operational tempo, not novel capabilities, defines the challenge.


Shai Hulud 2.0, now with a wiper flavor

3 de Dezembro de 2025, 17:10

In September, a new breed of malware distributed via compromised Node Package Manager (npm) packages made headlines. It was dubbed “Shai-Hulud”, and we published an in-depth analysis of it in another post. Recently, a new version was discovered.

Shai Hulud 2.0 is a type of two-stage worm-like malware that spreads by compromising npm tokens to republish trusted packages with a malicious payload. More than 800 npm packages have been infected by this version of the worm.

According to our telemetry, the victims of this campaign include individuals and organizations worldwide, with most infections observed in Russia, India, Vietnam, Brazil, China, Türkiye, and France.

Technical analysis

When a developer installs an infected npm package, the setup_bun.js script runs during the preinstall stage, as specified in the modified package.json file.

Bootstrap script

The initial-stage script setup_bun.js is left intentionally unobfuscated and well documented to masquerade as a harmless tool for installing the legitimate Bun JavaScript runtime. It checks common installation paths for Bun and, if the runtime is missing, installs it from an official source in a platform-specific manner. This seemingly routine behavior conceals its true purpose: preparing the execution environment for later stages of the malware.


The installed Bun runtime then executes the second-stage payload, bun_environment.js, a 10MB malware script obfuscated with an obfuscate.io-like tool. This script is responsible for the main malicious activity.

Stealing credentials

Shai Hulud 2.0 is built to harvest secrets from various environments. Upon execution, it immediately searches several sources for sensitive data, such as:

  • GitHub secrets: the malware searches environment variables and the GitHub CLI configuration for values starting with ghp_ or gho_. It also creates a malicious workflow yml in victim repositories, which is then used to obtain GitHub Actions secrets.
  • Cloud credentials: the malware searches for cloud credentials across AWS, Azure, and Google Cloud by querying cloud instance metadata services and using official SDKs to enumerate credentials from environment variables and local configuration files.
  • Local files: it downloads and runs the TruffleHog tool to aggressively scan the entire filesystem for credentials.

Then all the exfiltrated data is sent through the established communication channel, which we describe in more detail in the next section.

Data exfiltration through GitHub

To exfiltrate the stolen data, the malware sets up a communication channel via a public GitHub repository. For this purpose, it uses the victim’s GitHub access token if found in environment variables and the GitHub CLI configuration.


After that, the malware creates a repository with a randomly generated 18-character name and a marker in its description. This repository then serves as a data storage to which all stolen credentials and system information are uploaded.

If the token is not found, the script attempts to obtain a previously stolen token from another victim by searching through GitHub repositories for those containing the text “Sha1-Hulud: The Second Coming.” in the description.

Worm spreading across packages

For subsequent self-replication via embedding into npm packages, the script scans .npmrc configuration files in the home directory and the current directory in an attempt to find an npm registry authorization token.

If this is successful, it validates the token by sending a probe request to the npm /-/whoami API endpoint, after which the script retrieves a list of up to 100 packages maintained by the victim.

For each package, it injects the malicious files setup_bun.js and bun_environment.js via bundleAssets and updates the package configuration by setting setup_bun.js as a pre-installation script and incrementing the package version. The modified package is then published to the npm registry.
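The infection chain described in this analysis (a preinstall hook in package.json, the setup_bun.js bootstrap, the oversized obfuscated bun_environment.js, and the ghp_/gho_ and .npmrc tokens the worm harvests) gives a developer or CI pipeline a concrete checklist to audit an unpacked package against before installing it. The following is an added example, not Kaspersky tooling: the size and line-length thresholds are assumptions, the sample package it builds is a constructed stand-in with benign stub files, and the token values are placeholders.

```python
"""Audit an unpacked npm package for the Shai Hulud 2.0 traits described
above: an install-time lifecycle hook, the two known file names, an
oversized single-line (obfuscated) script, and the tokens the worm harvests.
Added example, not Kaspersky tooling; thresholds and the sample package are
assumptions, and the token values are placeholders."""
import json
import os
import pathlib
import tempfile

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")
KNOWN_FILENAMES = {"setup_bun.js", "bun_environment.js"}
BIG_SCRIPT_BYTES = 1_000_000   # assumed threshold; the real payload is ~10MB
LONG_LINE_CHARS = 5_000        # assumed: hand-written JS rarely has such lines


def audit_package(pkg_dir) -> list:
    """Return human-readable findings for one unpacked package directory."""
    pkg_dir = pathlib.Path(pkg_dir)
    findings = []
    manifest = json.loads((pkg_dir / "package.json").read_text())
    # Any install-time hook deserves a look; Shai Hulud 2.0 uses preinstall.
    for hook in LIFECYCLE_HOOKS:
        cmd = manifest.get("scripts", {}).get(hook)
        if cmd:
            findings.append(f"{hook} hook runs: {cmd}")
    for js in sorted(pkg_dir.rglob("*.js")):
        if js.name in KNOWN_FILENAMES:
            findings.append(f"known Shai Hulud 2.0 filename: {js.name}")
        size = js.stat().st_size
        if size >= BIG_SCRIPT_BYTES:
            findings.append(f"oversized script: {js.name} ({size} bytes)")
        longest = max((len(l) for l in js.read_text(errors="replace").splitlines()),
                      default=0)
        if longest >= LONG_LINE_CHARS:
            findings.append(f"obfuscated-looking script: {js.name} ({longest}-char line)")
    return findings


def github_tokens_in_env(environ) -> list:
    """Names of environment variables holding ghp_/gho_ tokens, the first
    place the worm looks; values are never returned or printed."""
    return sorted(k for k, v in environ.items() if str(v).startswith(("ghp_", "gho_")))


def npmrc_has_auth_token(path) -> bool:
    """True when an .npmrc carries a registry _authToken the worm could reuse
    to republish the victim's packages."""
    p = pathlib.Path(path)
    return p.exists() and "_authToken" in p.read_text()


def build_sample_package() -> str:
    """Construct a throwaway directory shaped like an infected package
    (benign stub files, placeholder token) and return its path."""
    d = pathlib.Path(tempfile.mkdtemp(prefix="npm-audit-"))
    (d / "package.json").write_text(json.dumps({
        "name": "example-lib", "version": "1.2.4",
        "scripts": {"preinstall": "node setup_bun.js"},
    }))
    (d / "setup_bun.js").write_text("// constructed stub, does nothing\n")
    (d / "bun_environment.js").write_text("var _=" + "x" * 1_100_000 + ";\n")
    (d / "index.js").write_text("module.exports = {};\n")
    (d / ".npmrc").write_text("//registry.npmjs.org/:_authToken=PLACEHOLDER_TOKEN\n")
    return str(d)


if __name__ == "__main__":
    pkg = build_sample_package()
    for f in audit_package(pkg):
        print("-", f)
    print("npmrc token present:", npmrc_has_auth_token(os.path.join(pkg, ".npmrc")))
    print("env vars holding GitHub tokens:", github_tokens_in_env(os.environ))
```

Run `audit_package` over the extracted tarball of a dependency (or over every directory under node_modules) before the lifecycle scripts get a chance to execute, for example with installs run under `--ignore-scripts`; the token checks are a self-assessment of what this worm would have been able to steal and spread with from the current host.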

Destructive responses to failure

If the malware fails to obtain a valid npm token and is also unable to get a valid GitHub token, making data exfiltration impossible, it triggers a destructive payload that wipes user files, primarily those in the home directory.


Our solutions detect the family described here as HEUR:Worm.Script.Shulud.gen.


Since September of this year, Kaspersky has blocked over 1700 Shai Hulud 2.0 attacks on user machines. Of these, 18.5% affected users in Russia, 10.7% occurred in India, and 9.7% in Brazil.

Figure: TOP 10 countries and territories affected by Shai Hulud 2.0 attacks

We continue tracking this malicious activity and provide up-to-date information to our customers via the Kaspersky Open Source Software Threats Data Feed. The feed includes all packages affected by Shai-Hulud, as well as information on other open-source components that exhibit malicious behaviour, contain backdoors, or include undeclared capabilities.
