Key Takeaways
Just months after being disrupted during Operation Cronos, the notorious LockBit ransomware group has reemerged — and it hasn’t wasted time. Check Point Research has confirmed that LockBit is back in operation and already extorting new victims.
Throughout September 2025, Check Point Research identified a dozen organizations targeted by the revived operation, with half of them infected by the newly released LockBit 5.0 variant and the rest by LockBit Black. The attacks span Western Europe, the Americas, and Asia, affecting both Windows and Linux systems, a clear sign that LockBit’s infrastructure and affiliate network are once again active.
A Rapid and Confident Comeback
At the beginning of September, LockBit officially announced its return on underground forums, unveiling LockBit 5.0 and calling for new affiliates to join. This latest version, internally codenamed “ChuongDong,” marks a significant evolution of the group’s encryptor family.
The newly observed LockBit 5.0 attacks span a broad range of targets — about 80% on Windows systems, and around 20% on ESXi and Linux environments. The quick reappearance of multiple active victims demonstrates that LockBit’s Ransomware-as-a-Service (RaaS) model has successfully reactivated its affiliate base.
From Disruption to Reorganization
Until its takedown in early 2024, LockBit was the most dominant RaaS operation globally, responsible for 20–30% of all data-leak site victim postings. Following Operation Cronos, several arrests and data seizures disrupted the group’s infrastructure. Competing ransomware programs, such as RansomHub and Qilin, briefly tried to absorb its affiliates.
However, LockBit’s administrator, LockBitSupp, evaded capture and continued to hint at a comeback on dark web forums. In May 2025, he posted defiantly on the RAMP forum: “We always rise up after being hacked.” By August, LockBitSupp reappeared again, claiming the group was “getting back to work,” a statement that quickly proved true.
A Divided Underground
While LockBit regained traction on RAMP, other major forums like XSS continued to ban RaaS advertising. In early September, LockBitSupp attempted to be reinstated on XSS, even prompting a community vote, which ultimately failed.
Implications: A Familiar Threat Returns
LockBit’s reemergence underscores the group’s resilience and sophistication. Despite high-profile law enforcement actions and public setbacks, the group has once again managed to restore its operations, recruit affiliates, and resume extortion.
With its mature RaaS model, cross-platform reach, and proven reputation among cyber criminals, LockBit’s return represents a renewed threat to organizations across all sectors. September’s wave of infections likely marks only the beginning of a larger campaign — and October’s postings may confirm the group’s full operational recovery.
| Brave brave.com
Authors
Shivan Kaul Sahib
Artem Chaikin
AI browsers remain vulnerable to prompt injection attacks via screenshots and hidden content, allowing attackers to exploit users' authenticated sessions.
This is the second post in a series about security and privacy challenges in agentic browsers. This vulnerability research was conducted by Artem Chaikin (Senior Mobile Security Engineer), and was written by Artem and Shivan Kaul Sahib (VP, Privacy and Security).
Building on our previous disclosure of the Perplexity Comet vulnerability, we’ve continued our security research across the agentic browser landscape. What we’ve found confirms our initial concerns: indirect prompt injection is not an isolated issue, but a systemic challenge facing the entire category of AI-powered browsers. This post examines additional attack vectors we’ve identified and tested across different implementations.
On request, we are withholding one additional vulnerability found in another browser for now. We plan on providing more details next week.
As we’ve written before, AI-powered browsers that can take actions on your behalf are powerful yet extremely risky. If you’re signed into sensitive accounts like your bank or your email provider in your browser, simply summarizing a Reddit post could result in an attacker being able to steal money or your private data.
As always, we responsibly reported these issues to the various companies listed below so the vulnerabilities could be addressed. As we’ve previously said, a safer Web is good for everyone. The thoughtful commentary and debate about secure agentic AI that was raised by our previous blog post in this series motivated our decision to continue researching and publicizing our findings.
Prompt injection via screenshots in Perplexity Comet
Perplexity’s Comet assistant lets users take screenshots on websites and ask questions about those images. These screenshots can be used as yet another way to inject prompts that bypass traditional text-based input sanitization. Malicious instructions embedded as nearly-invisible text within the image are processed as commands rather than (untrusted) content.
How the attack works:
Setup: An attacker embeds malicious instructions in Web content that are hard to see for humans. In our attack, we were able to hide prompt injection instructions in images using a faint light blue text on a yellow background. This means that the malicious instructions are effectively hidden from the user.
Trigger: User-initiated screenshot capture of a page containing camouflaged malicious text.
Injection: Text recognition extracts text that’s imperceptible to human users (possibly via OCR though we can’t tell for sure since the Comet browser is not open-source). This extracted text is then passed to the LLM without distinguishing it from the user’s query.
Exploit: The injected commands instruct the AI to use its browser tools maliciously.
