Today’s roundup
FinCEN data shows $4.5B in ransomware payments, record spike in 2023
Researchers track dozens of organizations affected by React2Shell compromises tied to China’s MSS
Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data
Ransomware gangs turn to Shanya EXE packer to hide EDR killers
STAC6565 Targets Canada in 80% of Attacks as Gold Blade Deploys QWCrypt Ransomware
Apache Issues Max-Severity Tika CVE After Patch Miss
Marquis Software Breach Affects Over 780,000 Nationwide
Google Adds Layered Defenses to Chrome to Block Indirect Prompt Injection Threats
Gartner Calls For Pause on AI Browser Use
FBI: Crooks manipulate online photos to fuel virtual kidnapping ransoms
Summary
The Financial Crimes Enforcement Network (FinCEN) reports that tracked ransomware payments have exceeded $4.5 billion, with 2023 a record year at $1.1 billion across 1,512 incidents. From January 2022 to February 2025, 4,194 ransomware incidents and over $2.1 billion in payments were reported, with ALPHV/BlackCat and Akira among the most prominent variants. Most individual payments were under $250,000; 97% were made in Bitcoin and were primarily laundered through unhosted cryptocurrency wallets.
Researchers are tracking over 30 organizations affected by compromises linked to the React2Shell vulnerability (CVE-2025-55182). The exploitation activity, which escalated quickly after public disclosure, is attributed to threat actors connected to China's Ministry of State Security (MSS). The ongoing attacks show that this critical remote code execution flaw is still being actively exploited, so unpatched deployments remain exposed.
Cybersecurity researchers have discovered two new malicious extensions in Microsoft's Visual Studio Code Marketplace, alongside malicious Go, npm, and Rust packages that steal developer data. The extensions, masquerading as a premium dark theme and an AI-powered coding assistant, infect developers' machines with information-stealing malware capable of taking screenshots, stealing credentials, and hijacking browser sessions.
Ransomware groups are increasingly using a packer-as-a-service (PaaS) platform named Shanya to evade Endpoint Detection and Response (EDR) solutions. The packer wraps EDR-killer executables so that they are harder for defenses to detect, improving the odds that the subsequent ransomware deployment succeeds.
A threat activity cluster identified as STAC6565, also tracked as Gold Blade, is specifically targeting Canadian organizations. Investigations by Sophos reveal almost 40 intrusions between February 2024 and August 2025, with roughly 80% of them directed at Canadian entities and with Gold Blade deploying QWCrypt ransomware in its attacks.
The Apache Software Foundation has issued an updated advisory for a maximum-severity vulnerability in its Tika framework, revealing that an earlier fix did not fully address the flaw. This oversight has led to a new CVE and underscores a critical remote code execution risk.
A data breach at Marquis Software Solutions, traced to a vulnerability in the company's firewall, has compromised the personal information of over 780,000 individuals across the United States.
Google Chrome is implementing new layered security defenses to protect upcoming agentic AI browsing features powered by Gemini. These measures aim to counter indirect prompt injection threats that can arise from exposure to untrusted web content and potentially lead to user harm.
Gartner has advised organizations to block current AI browsers due to significant security concerns. The research firm's recommendation highlights potential risks associated with these new browsing tools, urging a cautious approach until security measures mature.
The FBI has warned the public about a new virtual kidnapping scam where criminals manipulate publicly available online photos to create fake "proof-of-life" images. Scammers use these altered images to demand immediate ransom payments, often threatening violence against the alleged victim.
Cyber Groups

| Group | Aliases |
|---|---|
| Akira | GOLD SAHARA, PUNK SPIDER, Howling Scorpius |