infosecurity-magazine James Coker
Deputy Editor, Infosecurity Magazine 29 Aug 2025
Recorded Future highlighted the vast capabilities of state actors to rapidly weaponize newly disclosed vulnerabilities for geopolitical purposes
The majority (53%) of attributed vulnerability exploits in the first half 2025 were conducted by state-sponsored actors for strategic, geopolitical purposes, according to a new report by Recorded Future’s Insikt Group.
The researchers said the findings demonstrate the growing ability of well-resourced state-sponsored groups to weaponize flaws rapidly following disclosure. Geopolitical purposes, such as espionage and surveillance, are the key motives for these threat actors.
“The significant state-sponsored involvement also implies that these threats are not just random or opportunistic but often targeted and persistent campaigns aiming at specific sectors or high-value systems,” they noted.
The majority of state-sponsored campaigns were conducted by Chinese state-sponsored actors. These groups primarily targeted edge infrastructure and enterprise solutions, a tactic that has continued since 2024.
Read now: Chinese Tech Firms Linked to Salt Typhoon Espionage Campaigns
The suspected China-linked group UNC5221 exploited the highest number of vulnerabilities in H1 2025. It demonstrated a preference for Ivanti products, including Endpoint Manager Mobile, Connect Secure and Policy Secure.
Financially motivated groups accounted for the remaining 47% of vulnerability exploits – 27% were made up of those actors involved in theft and fraud but not linked to ransomware and 20% attributed to ransomware and extortion groups.
The researchers predicted that the exploitation of edge security appliances, remote access tools and other gateway-layer software will remain a top priority for both state-sponsored and financially-motivated groups.
“The strategic value of these systems – acting as intermediaries for encrypted traffic and privileged access – makes them high-reward targets,” they noted.
Microsoft was the most targeted vendor, with the tech giant’s products accounting for 17% of exploitations.
Most Vulnerability Exploits Required No Authentication
Insikt Group’s H1 2025 Malware and Vulnerability Trends report, published on August 28, found that the total number of disclosed common vulnerabilities and exposures (CVEs) grew 16% year-over-year.
Attackers exploited 161 distinct vulnerabilities in the six-month period, up from 136 in H1 2024.
Of the 161 flaws, 69% required no authentication to exploit, while 48% could be exploited remotely over a network.
“This heavy tilt toward unauthenticated, remote exploits means that attacks can be launched directly from the internet against vulnerable hosts, with no credentials or insider access needed,” the researchers commented.
Additionally, 30% of the exploited CVEs enabled remote code execution (RCE), which often grants an attacker full control over the target system.
ClickFix Becomes a Favored Initial Access Technique
The report observed that ransomware actors adopted new initial access techniques in H1 2025.
This included a significant increase in ClickFix social engineering attacks. ClickFix involves the use of a fake error or verification message to manipulate victims into copying and pasting a malicious script and then running it.
The tactic preys on users’ desire to fix problems themselves rather than alerting their IT team or anyone else. Therefore, it is effective at bypassing security protections as the victim infects themselves.
The Interlock gang was observed using ClickFix in campaigns in January and February 2025.
The group has also leveraged FileFix in later attacks. This tactic is an evolution on ClickFix, where users are tricked into pasting a malicious file path into a Windows File Explorer’s address bar rather than using a dialog box.
Inskit group assess that the success of ClickFix means this method will remain a favored initial access technique through the rest of 2025 unless widespread mitigations reduce its effectiveness.
Post-compromise, ransomware groups have increased their use of endpoint detection and response (EDR) evasion via bring-your-own-installer (BYOI) techniques, and custom payloads using just-in-time (JIT) hooking and memory injection to bypass detection.
bleepingcomputer.com - Cybersecurity firm Profero cracked the encryption of the DarkBit ransomware gang's encryptors, allowing them to recover a victim's files for free without paying a ransom.
This occurred in 2023 during an incident response handled by Profero experts, who were brought in to investigate a ransomware attack on one of their clients, which had encrypted multiple VMware ESXi servers.
The timing of the cyberattack suggests that it was in retaliation for the 2023 drone strikes in Iran that targeted an ammunition factory belonging to the Iranian Defence Ministry.
In the ransomware attack, the threat actors claimed to be from DarkBit, who previously posed as pro-Iranian hacktivists, targeting educational institutes in Israel. The attackers included anti-Israel statements in their ransom notes, demanding ransom payments of 80 Bitcoin.
Israel's National Cyber Command linked DarkBit attacks to the Iranian state-sponsored APT hacking group known as MuddyWater, who have a history of conducting cyberespionage attacks.
In the case investigated by Profero, the attackers did not engage in ransom payment negotiations, but instead appeared to be more interested in causing operational disruption.
Instead, the attackers launched an influence campaign to maximize reputational damage to the victim, which is a tactic associated with nation-state actors posing as hacktivists.
Decrypting DarkBit
At the time of the attack, no decryptor existed for DarkBit ransomware, so Profero researchers decided to analyze the malware for potential weaknesses.
DarkBit uses a unique AES-128-CBC key and Initialization Vector (IV) generated at runtime for each file, encrypted with RSA-2048, and appended to the locked file.
Profero found that the key generation method used by DarkBit is low entropy. When combined with the encryption timestamp, which can be inferred from file modification times, the total keyspace is reduced to a few billion possibilities.
Moreover, they found that Virtual Machine Disk (VMDK) files on ESXi servers have known header bytes, so they only had to brute force the first 16 bytes to see if the header matched, instead of the entire file.
Profero built a tool to try all possible seeds, generate candidate key/IV pairs, and check against VMDK headers, which they ran in a high-performance computing environment, recovering valid decryption keys.
In parallel, the researchers discovered that much of the VMDK file content hadn't been impacted by DarkBit's intermittent encryption, as those files are sparse and many encrypted chunks fall onto empty space.
This allowed them to retrieve significant amounts of valuable data without having to decrypt it by brute-forcing keys.
"As we began to work on speeding up our brute force, one of our engineers/team members? had an interesting idea," explained Profero.
"VMDK files are sparse, which means they are mostly empty, and therefore, the chunks encrypted by the ransomware in each file are also mostly empty. Statistically, most files contained within the VMDK filesystems won't be encrypted, and most files inside these file systems were anyways not relevant to us/our task/our investigation."
"So, we realized we could walk the file system to extract what was left of the internal VMDK filesystems... and it worked! Most of the files we needed could simply be recovered without decryption."
Despite their hacktivist front, CyberAv3ngers is a rare state-sponsored hacker group bent on putting industrial infrastructure at risk—and has already caused global disruption.
The intermittent cyberwar between Israel and Iran, stretching back to Israel's role in the creation and deployment of the Stuxnet malware that sabotaged Iran's nuclear weapons program, has been perhaps the longest-running conflict in the era of state-sponsored hacking. But since Hamas' October 7 attack and Israel's retaliatory invasion of Gaza, a new player in that conflict threatens not just digital infrastructure in Israel but also critical systems in the US and around the world.
The group known as CyberAv3ngers has, in the last year and a half, proven to be the Iranian government's most active hackers focused on industrial control systems. Its targets include water, wastewater, oil and gas, and many other types of critical infrastructure. Despite being operated by members of Iran's Revolutionary Guard Corps, according to US officials who have offered a $10 million bounty for information leading to their arrest, the group initially took on the mantle of a “hacktivist” campaign.
Salt Typhoon, a state-sponsored actor linked to the People’s Republic of China, has breached at least nine U.S.-based telecommunications companies with the intent to target high profile government and political figures. Tenable Research examines the tactics, techniques and procedures of this threat actor.
The national Dutch police (Politie) says that a state actor was likely behind the data breach it detected last week.
Apple's warnings in late October that Indian journalists and opposition figures may have been targeted by state-sponsored attacks prompted a forceful Behind closed doors, senior officials from Modi's administration demanded that Apple soften the political impact of the state-sponsored warnings, according to Washington Post.
Understanding the complex threat landscape facing businesses today from state-sponsored cyber attacks is crucial to effective cyber defense.
Russian state-sponsored hackers posed as technical support staff on Microsoft Teams to compromise dozens of global organizations, including government agencies.
For March 2023 Patch Tuesday Microsoft has fixed 2 vulnerabilities actively exploited in the wild (CVE-2023-23397, CVE-2023-24880).
Best Practices • Apply patches as soon as possible • Disable unnecessary ports and protocols • Replace end-of-life infrastructure • Implement a centralized patch management system
InvisiMole has been collaborating with the Gamaredon APT for years.
