On this month’s SANS Threat Analysis Rundown, we covered top cyber threat news, including the persistent threat of ransomware, the continued exploitation of old vulnerabilities by threat actors, and the evolving use of artificial intelligence (AI) by both adversaries and defenders. As always, beyond the threats themselves, we discussed how analysts and defenders can significantly improve their security posture by focusing on common intrusion methods, prioritizing patching, and using simple, effective mitigations.
Read on for key insights from our discussion, including links to more information, and check out the video for the full conversation.
Annual Reports Overview
Since it’s February, annual report season is here! Annual cybersecurity reports are a treasure trove of insights for defenders. These reports, often the result of months of detailed analysis by security researchers, offer a broad view of the most prevalent threats over the past year and how different organizations experienced the cyber threat landscape.
While no single report provides a complete picture, comparing multiple reports helps defenders identify patterns and common attack techniques across different industries. I encourage analysts to look for these commonalities across reports and use them to prioritize their focus. Many reports highlight the same foundational threats, such as PowerShell abuse, stolen credentials, and perimeter-facing vulnerabilities, and these are often the easiest for defenders to detect and mitigate because the telemetry and controls for them already exist in most environments.
I walked through two major reports:
1. Dragos 2025 OT Cybersecurity Report
This report detailed threats to industrial control systems (ICS) and operational technology (OT), revealing an 87% increase in cyber intrusions targeting industrial organizations compared to 2023. I highlighted that even organizations outside of industrial sectors should pay attention to OT threats, as many attacks begin in IT environments before pivoting into OT networks.
2. ThreatDown 2025 State of Malware Report
This report focused heavily on human-operated ransomware and the growing use of AI-enhanced tools by attackers. It revealed that ransomware payments reached record highs in 2024, with one payment topping $75 million—a statistic I recommended sharing with leadership to help justify security investments.
The key takeaway is that even if an organization can't address every vulnerability or threat, focusing on the attack techniques that recur across multiple reports can drastically improve defenses. Spend a couple of hours reading these reports, identify a few key improvements you can make based on what threat actors are actually doing, and your organization will be stronger for it.
Ransomware Trends
Ransomware remains one of the most damaging threats facing organizations in 2025, and I shared insights into recent ransomware campaigns. One of the most notable ransomware events was the leak of internal chats from the Black Basta ransomware group, offering a rare glimpse into the business models, priorities, and vulnerabilities exploited by ransomware operators.
Analysis of these leaks showed that ransomware gangs continue to target old vulnerabilities, some dating back to 2017, because they are still widely unpatched. The practical implication for defenders is that patch prioritization should weight known-exploited, internet-facing vulnerabilities far more heavily than a CVE's age or its raw severity score.
I also discussed Anubis, a relatively new ransomware group that emerged in late 2024 and will be a group to watch in 2025.
Malware Developments
I discussed several malware campaigns that gained recent traction, including fake browser update campaigns that have become increasingly prevalent over the past months. Adversaries often compromise legitimate websites or use malicious ads to display highly convincing pages that urge users to download a browser update. Once the victim clicks the download button, they receive a JavaScript file rather than an installer; when the user opens it, Windows hands it to the Windows Script Host (WScript.exe), which executes it and starts the infection chain, sometimes resulting in follow-on threats like ransomware.
I recommend a simple but powerful mitigation: change the default handler for .js and .jse files from WScript.exe to Notepad through Group Policy or endpoint management tools. Double-clicking a downloaded script then displays its contents instead of executing it, which blocks this delivery method outright while still letting users (and analysts) review the script if needed. Two caveats: this only affects scripts opened through the file association, so anything that explicitly invokes wscript.exe or cscript.exe still runs, and JavaScript inside web pages is unaffected because browsers never use the file association.
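As an added example (not from the original post or the livestream), the following PowerShell applies that handler change on a single machine so you can test it before pushing the same registry values through Group Policy Preferences. It assumes the default Windows mapping of .js to the JSFile ProgID and .jse to JSEFile, and it writes to HKLM:\SOFTWARE\Classes, which backs HKEY_CLASSES_ROOT, so it must be run elevated.

```powershell
# Added example: re-point the .js/.jse file handlers at Notepad instead of WScript.exe.
# Assumption: the stock Windows ProgIDs (JSFile, JSEFile) are still in use for these extensions.
#Requires -RunAsAdministrator

$Notepad = Join-Path $env:SystemRoot 'System32\notepad.exe'

# Map each extension to its expected ProgID so we can verify the association first.
$Targets = @{ '.js' = 'JSFile'; '.jse' = 'JSEFile' }

foreach ($ext in $Targets.Keys) {
    $progId   = $Targets[$ext]
    $extKey   = "HKLM:\SOFTWARE\Classes\$ext"
    $actualId = (Get-ItemProperty -Path $extKey -ErrorAction SilentlyContinue).'(default)'

    # If an installer has re-associated the extension, warn rather than silently changing the wrong class.
    if ($actualId -and $actualId -ne $progId) {
        Write-Warning "$ext currently maps to '$actualId', not '$progId'; adjust the ProgID before applying."
        continue
    }

    $cmdKey = "HKLM:\SOFTWARE\Classes\$progId\Shell\Open\Command"
    if (-not (Test-Path $cmdKey)) { New-Item -Path $cmdKey -Force | Out-Null }

    $before = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
    # Notepad receives the script path; "%1" is the file that was double-clicked.
    Set-ItemProperty -Path $cmdKey -Name '(default)' -Value "`"$Notepad`" `"%1`""
    $after  = (Get-ItemProperty -Path $cmdKey).'(default)'

    Write-Output "$progId`: '$before' -> '$after'"
}

# A per-user "Open with" choice overrides the machine-wide class, so flag any that exist.
foreach ($ext in $Targets.Keys) {
    $userChoice = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$ext\UserChoice"
    if (Test-Path $userChoice) {
        $chosen = (Get-ItemProperty -Path $userChoice).ProgId
        Write-Warning "Current user has a UserChoice override for $ext ($chosen); it takes precedence over HKLM."
    }
}
```

After running it, drop a harmless test file such as `test.js` containing `WScript.Echo("hello")` on the desktop and double-click it: Notepad should open showing the source, and no dialog should appear. Deploy the same two `Shell\Open\Command` values via Computer Configuration > Preferences > Windows Settings > Registry in a GPO to apply it fleet-wide.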
We also discussed GitVenom, a campaign in which adversaries created convincing GitHub repositories to deliver malware. Developers, who frequently pull code from GitHub for their work, are prime targets. One particularly deceptive trick used by the GitVenom actors is artificially inflating the number of commits on a malicious repository so it looks like a well-maintained, active project, luring developers into downloading malicious scripts or libraries. The lesson for anyone consuming third-party code is that popularity signals such as commit counts and stars are cheap to fake and should not substitute for reading what a repository actually does before running it. I noted that an interesting point in the researchers’ blog was their assessment that adversaries may have used AI to create the repositories, a challenging assessment to make.
On the macOS side, the standout malware family was Poseidon Stealer, which overtook Atomic Stealer as the most prevalent information stealer targeting macOS devices. Poseidon Stealer accounted for approximately 70% of all macOS stealer detections in 2024.
State-Sponsored Groups
State-sponsored groups continue to target critical infrastructure, telecommunications, and government sectors globally. Though we often think of these groups as “advanced,” many of these groups are exploiting old vulnerabilities and using common intrusion techniques like PowerShell scripts, stolen credentials, and remote management tools. We discussed recent campaigns from:
- Seashell Blizzard (Microsoft) – A Russian-affiliated group conducting multi-year global access operations.
- Salt Typhoon (Cisco Talos) – A Chinese espionage group targeting network infrastructure and telecom providers.
We also discussed UAC-0287 (reported by CERT-UA), a financially motivated cybercrime group targeting Ukrainian organizations; although it is not state-sponsored, it is a good reminder that threat reporting from other countries can offer valuable insights, especially if you support users in different parts of the world.
Your Next Steps in Threat Intelligence
I recommended the new SANS CTI Cheat Sheet, which I coauthored with Rebekah Brown, as a reference for many of the topics discussed in the livestream.
I also encourage everyone to check out upcoming SANS Summits, including the Ransomware Summit 2025 and the AI Cybersecurity Summit 2025.
If you missed this month’s livestream, be sure to check out next month's for more actionable threat intelligence!