infosecurity-magazine James Coker
Deputy Editor, Infosecurity Magazine 29 Aug 2025

Recorded Future highlighted the vast capabilities of state actors to rapidly weaponize newly disclosed vulnerabilities for geopolitical purposes

The majority (53%) of attributed vulnerability exploits in the first half 2025 were conducted by state-sponsored actors for strategic, geopolitical purposes, according to a new report by Recorded Future’s Insikt Group.

The researchers said the findings demonstrate the growing ability of well-resourced state-sponsored groups to weaponize flaws rapidly following disclosure. Geopolitical purposes, such as espionage and surveillance, are the key motives for these threat actors.

“The significant state-sponsored involvement also implies that these threats are not just random or opportunistic but often targeted and persistent campaigns aiming at specific sectors or high-value systems,” they noted.

The majority of state-sponsored campaigns were conducted by Chinese state-sponsored actors. These groups primarily targeted edge infrastructure and enterprise solutions, a tactic that has continued since 2024.

Read now: Chinese Tech Firms Linked to Salt Typhoon Espionage Campaigns

The suspected China-linked group UNC5221 exploited the highest number of vulnerabilities in H1 2025. It demonstrated a preference for Ivanti products, including Endpoint Manager Mobile, Connect Secure and Policy Secure.

Financially motivated groups accounted for the remaining 47% of vulnerability exploits – 27% were made up of those actors involved in theft and fraud but not linked to ransomware and 20% attributed to ransomware and extortion groups.

The researchers predicted that the exploitation of edge security appliances, remote access tools and other gateway-layer software will remain a top priority for both state-sponsored and financially-motivated groups.

“The strategic value of these systems – acting as intermediaries for encrypted traffic and privileged access – makes them high-reward targets,” they noted.

Microsoft was the most targeted vendor, with the tech giant’s products accounting for 17% of exploitations.

Most Vulnerability Exploits Required No Authentication
Insikt Group’s H1 2025 Malware and Vulnerability Trends report, published on August 28, found that the total number of disclosed common vulnerabilities and exposures (CVEs) grew 16% year-over-year.

Attackers exploited 161 distinct vulnerabilities in the six-month period, up from 136 in H1 2024.

Of the 161 flaws, 69% required no authentication to exploit, while 48% could be exploited remotely over a network.

“This heavy tilt toward unauthenticated, remote exploits means that attacks can be launched directly from the internet against vulnerable hosts, with no credentials or insider access needed,” the researchers commented.

Additionally, 30% of the exploited CVEs enabled remote code execution (RCE), which often grants an attacker full control over the target system.

ClickFix Becomes a Favored Initial Access Technique
The report observed that ransomware actors adopted new initial access techniques in H1 2025.

This included a significant increase in ClickFix social engineering attacks. ClickFix involves the use of a fake error or verification message to manipulate victims into copying and pasting a malicious script and then running it.

The tactic preys on users’ desire to fix problems themselves rather than alerting their IT team or anyone else. Therefore, it is effective at bypassing security protections as the victim infects themselves.

The Interlock gang was observed using ClickFix in campaigns in January and February 2025.

The group has also leveraged FileFix in later attacks. This tactic is an evolution on ClickFix, where users are tricked into pasting a malicious file path into a Windows File Explorer’s address bar rather than using a dialog box.

Inskit group assess that the success of ClickFix means this method will remain a favored initial access technique through the rest of 2025 unless widespread mitigations reduce its effectiveness.

Post-compromise, ransomware groups have increased their use of endpoint detection and response (EDR) evasion via bring-your-own-installer (BYOI) techniques, and custom payloads using just-in-time (JIT) hooking and memory injection to bypass detection.

techcrunch.com 2025/08/21 - The two self-described hacktivists said they had access to the North Korean spy’s computer for around four months before deciding what they had found should be made public.

Earlier this year, two hackers broke into a computer and soon realized the significance of what this machine was. As it turned out, they had landed on the computer of a hacker who allegedly works for the North Korean government.

The two hackers decided to keep digging and found evidence that they say linked the hacker to cyberespionage operations carried out by North Korea, exploits and hacking tools, and infrastructure used in those operations.

Saber, one of the hackers involved, told TechCrunch that they had access to the North Korean government worker’s computer for around four months, but as soon as they understood what data they got access to, they realized they eventually had to leak it and expose what they had discovered.

“These nation-state hackers are hacking for all the wrong reasons. I hope more of them will get exposed; they deserve to be,” said Saber, who spoke to TechCrunch after he and cyb0rg published an article in the legendary hacking e-zine Phrack, disclosing details of their findings.

There are countless cybersecurity companies and researchers who closely track anything the North Korean government and its many hacking groups are up to, which includes espionage operations, as well as increasingly large crypto heists and wide-ranging operations where North Koreans pose as remote IT workers to fund the regime’s nuclear weapons program.

In this case, Saber and cyb0rg went one step further and actually hacked the hackers, an operation that can give more, or at least different, insights into how these government-backed groups work, as well as “what they are doing on a daily basis and so on,” as Saber put it.

The hackers want to be known only by their handles, Saber and cyb0rg, because they may face retaliation from the North Korean government, and possibly others. Saber said that they consider themselves hacktivists, and he name-dropped legendary hacktivist Phineas Fisher, responsible for hacking spyware makers FinFisher and Hacking Team, as an inspiration.

At the same time, the hackers also understand that what they did is illegal, but they thought it was nonetheless important to publicize it.

“Keeping it for us wouldn’t have been really helpful,” said Saber. “By leaking it all to the public, hopefully we can give researchers some more ways to detect them.”

“Hopefully this will also lead to many of their current victims being discovered and so to [the North Korean hackers] losing access,” he said.

“Illegal or not, this action has brought concrete artifacts to the community; this is more important,” said cyb0rg in a message sent through Saber.

Saber said they are convinced that while the hacker — who they call “Kim” — works for North Korea’s regime, they may actually be Chinese and work for both governments, based on their findings that Kim did not work during holidays in China, suggesting that the hacker may be based there.

Also, according to Saber, at times Kim translated some Korean documents into simplified Chinese using Google Translate.

Saber said that he never tried to contact Kim. “I don’t think he would even listen; all he does is empower his leaders, the same leaders who enslave his own people,” he said. “I’d probably tell him to use his knowledge in a way that helps people, not hurt them. But he lives in constant propaganda and likely since birth so this is all meaningless to him.” He’s referring to the strict information vacuum that North Koreans live in, as they are largely cut off from the outside world.

Saber declined to disclose how he and cyb0rg got access to Kim’s computer, given that the two believe they can use the same techniques to “obtain more access to some other of their systems the same way.”

During their operation, Saber and cyb0rg found evidence of active hacks carried out by Kim, against South Korean and Taiwanese companies, which they say they contacted and alerted.

North Korean hackers have a history of targeting people who work in the cybersecurity industry as well. That’s why Saber said he is aware of that risk, but “not really worried.”

“Not much can be done about this, definitely being more careful though :),” said Saber.

kyivindependent.com - The cyberattack allegedly destroyed large volumes of data and installed custom software designed to further damage the company's information systems.

Cyber specialists from Ukraine's military intelligence agency (HUR) carried out a large-scale cyberattack against the network infrastructure of Russian energy giant Gazprom, causing significant disruptions, a HUR source told the Kyiv Independent on July 18.

The Kyiv Independent could not independently verify these claims. Gazprom and Russian authorities have not publicly commented on the reported incident.

The alleged operation took place on July 17 and targeted systems used by Gazprom and its subsidiaries, which Ukraine's intelligence claims are directly involved in supporting Russia's war effort.

Gazprom is Russia's state-owned energy company, one of the world's largest gas producers and exporters.

The cyberattack allegedly destroyed large volumes of data and installed custom software designed to further damage the company's information systems.

"The degradation of Russian information systems to the technological Middle Ages continues," the source within the HUR told the Kyiv Independent.

"We congratulate Russian 'cyber specialists' on this new achievement and recommend they gradually replace their mice and keyboards with hammers and pincers."

People playing Blizzard's RTS have spent the last year complaining about hackers doing terrible shit

FEBRUARY 21st was a typical day, recalls Ben Zhou, the boss of ByBit, a Dubai-based cryptocurrency exchange. Before going to bed, he approved a fund transfer between the firm’s accounts, a “typical manoeuvre” performed while servicing more than 60m users around the world. Half an hour later he got a phone call. “Ben, there’s an issue,” his chief financial officer said, voice shaking. “We might be hacked…all of the Ethereum is gone.”

The National Assembly, Ecuador's unicameral legislature, says it was able to "identify and counteract" attempts by malicious hackers to breach sensitive systems.

Four alleged European hackers have been arrested in Phuket for deploying ransomware on the networks of 17 Swiss firms. The suspects are accused of causing significant damage and stealing $16 million in Bitcoins from 1,000 global victims.

Italian probe reveals “gigantic and alarming market of confidential data,” prosecutors say.

Quattro le persone ai domiciliari e due sotto misura interdettiva. Tra loro appartenenti o ex delle forze dell'ordine e hacker

Hackers, fraudsters, and drug dealers are all leaving the platform in one way or another. Some are worried that Telegram may start providing user data to the authorities.

Both men committed major financial crimes—and had powerful friends.

A Disney employee downloaded what they thought was a safe add-on for video game BeamNG.drive, but it was anything but.

The agency found no evidence that hackers exfiltrated information but noted the intrusion “may have resulted in the potential unauthorized access” to security plans, vulnerability assessments and user accounts within a national system to protect the chemicals sector.

Les entreprises de transport investissent massivement dans la sécurité contre les cyberattaques, notamment les CFF, ciblés par des hackers russes.

Cyber Army of Russia Reborn, a group with ties to the Kremlin’s Sandworm unit, is crossing lines even that notorious cyberwarfare unit wouldn’t dare to.

Within hours of opposition leader Alexey Navalny’s death in February in a Russian prison, a group of anti-Kremlin hackers went looking for revenge.

The thwarted XZ Utils supply chain attack was years in the making. Now, clues suggest nation-state hackers were behind the persona that inserted the malicious code.

Russian hackers attacked several popular Ukrainian media outlets over the weekend, posting fake news related to the war.

G7 is drafting a workaround to use frozen assets to rebuild Ukraine.

One of the hacking campaigns used exploits developed by Variston, a Barcelona-based startup. Sources say the spyware maker is losing staff.