FAIR INTEL Weekly RASE Report 12-15-2025
- FAIR INTEL
December 15, 2025

Executive Summary
Resilience, Attack Surface, and Exposure (RASE)
Taken together, the corpus describes a threat environment in which organizations consistently experience low resilience, an expanding attack surface, and elevated exposure due to systemic weaknesses across software, identity, supply chain, endpoints, and human workflows. Multiple cases demonstrate how attackers exploit known software flaws and insecure development practices, poor secrets hygiene and repository misuse, and unsafe automation and robotics ecosystems to gain initial access or scale compromise. Others show how public-facing and operational technology systems are increasingly targeted when visibility and segmentation are weak, while small or resource-constrained public-sector entities suffer outsized operational impact from ransomware and data loss. These technical and environmental weaknesses are repeatedly compounded by identity-centric failures, including credential theft and account abuse leading to downstream data exposure and fraud, as well as third-party and analytics-driven supply-chain exposure that turns trusted vendors into attack accelerants.
Across the corpus, attackers consistently bypass traditional perimeter defenses by exploiting trusted execution paths and user behavior, including social engineering delivered via consumer platforms, abuse of legitimate remote-management tooling to establish persistence, and long-lived malware frameworks designed for stealth and endurance. Collectively, these cases reinforce that risk is not driven by isolated “advanced” exploits but by repeatable failure modes: weak authentication and authorization, unsafe input and file handling, unmanaged identities and secrets, insufficient monitoring at trust boundaries, and inadequate governance of third parties, endpoints, and emerging technologies. This assessment represents only a sample of all collected information and is, therefore, biased toward the materials provided for this report; as such, all estimates and calculations must be taken with a grain of salt. Nevertheless, the synthesis meaningfully expands the conversation around resilience, attack surface, and exposure by showing how diverse incidents converge on the same underlying risk drivers, and why aligning technical controls and detection with governance frameworks such as NIST SP 800-53 is essential to measurably reducing loss frequency and magnitude rather than reacting to incidents in isolation.
Governance, Strategy, and Operational Implications
Leadership should interpret the combined intelligence as a clear signal that routine control gaps—particularly identity and session abuse, weak credential hygiene, ungoverned remote access, exploitable application and OT interfaces, and insufficient logging—are the primary drivers that turn a broad attack surface into real exposure. Resilience, therefore, depends less on acquiring additional tools and more on enforceable governance, verification, and alignment to how attackers actually operate. Strategically, this requires prioritizing investments that reduce credential-centric compromise and blast radius, including tightening privileged and third-party access, treating SaaS, analytics platforms, and public code as part of the enterprise boundary, and modeling ransomware with data exfiltration and regulated-PII loss as standard business risks rather than exceptional events.
Operational readiness should focus on areas where failure is repeatedly observed: survivable backups and recovery for ransomware, strong segmentation of PII, OT, and identity-critical systems, and monitoring that can reliably reconstruct identity activity, SaaS data access, administrative actions, endpoint execution, and data egress. Tactically, security teams should concentrate on rapid remediation of known-exploited weaknesses, strengthening identity governance through phishing-resistant MFA, least privilege, and disciplined account lifecycles, and deploying endpoint and application detections that reflect real attacker workflows such as script chains, remote-tool abuse, web-shells, and anomalous bulk data access. For SOC and vulnerability management, the emphasis should be on instrumenting trust boundaries, correlating identity to data access, enforcing SLA-based remediation for high-exposure systems, and validating fixes through telemetry and testing rather than checklist compliance. Finally, policy and oversight must explicitly govern these cross-cutting risks—secrets in code, remote tooling, SaaS data exports, backup isolation, and auditable authorization decisions—using measurable evidence so leadership can assess true control effectiveness rather than assumed protection.
Prioritized Recommendations
Improve Resilience
Make ransomware recovery a board-level capability: immutable/offline backups, separate storage, and routine restore testing (CP-9, CP-4).
Define and drill “contain > eradicate > restore” playbooks for ransomware, SaaS compromise, and identity takeover (IR-4, IR-3, IR-5).
Reduce blast radius with hard segmentation for PII systems, identity infrastructure, and OT/ICS zones; pre-stage isolation actions (SC-7, AC-4).
Reduce Attack Surface
Shrink exposed pathways: remove or tightly govern remote admin tooling and third-party access; enforce secure remote access patterns (AC-17, AC-2).
Treat public code and CI/CD as production: secret scanning, key rotation, least-privilege tokens, and guardrails for publishing artifacts (IA-5, AC-6).
Harden internet-facing apps/APIs and OT/HMI interfaces by prioritizing known-exploited and high-leverage weakness classes (SI-2, RA-5).
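The "treat public code and CI/CD as production" recommendation above turns on one concrete control: scanning commits for credentials before they reach a public repository. The block below is an added example written for this report, not tooling from FAIR INTEL or from any project named in the corpus. It assumes a pre-commit style check that runs over file contents and combines two detection strategies: fixed-format rules (an AWS-style access key ID prefix and a PEM private-key header) and a generic keyword-plus-entropy rule that catches long random-looking values assigned to names like `api_key` or `token`. All file contents and key values are constructed placeholders, not real credentials.

```python
import math
import re
from collections import Counter

# Fixed-format rules. Group 1, where present, is the candidate secret value.
PATTERN_RULES = [
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
]
# Generic rule: a secret-ish variable name assigned a quoted literal of 20+ chars.
GENERIC_ASSIGNMENT = re.compile(
    r"""(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*["']([^"'\s]{20,})["']""")
ENTROPY_THRESHOLD = 3.0       # bits per character; random hex/base64 values sit near 4 to 6
ALLOW_MARKER = "secret-scan:allow"   # hypothetical inline marker for reviewed false positives

# Constructed sample repository contents (not real files or credentials).
SAMPLE_FILES = {
    "config/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIATESTTESTTESTTEST"\n'       # constructed: AKIA + 16 chars
        'api_key = "0f1e2d3c4b5a69788796a5b4c3d2e1f0"\n'     # constructed 32-hex-char value
        'password = "CHANGEME"\n'                            # placeholder, too short to match
        'token = os.environ["API_TOKEN"]\n'                  # the correct pattern: read from env
    ),
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed...\n",
    "docs/README.md": (
        'api_key = "0f1e2d3c4b5a69788796a5b4c3d2e1f0"  # secret-scan:allow (documentation)\n'
    ),
}


def shannon_entropy(value):
    """Shannon entropy in bits per character; 0.0 for a single repeated character."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path, text):
    """Return a list of findings for one file's contents, one dict per matched rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:          # reviewed exception; skip the whole line
            continue
        for name, pattern in PATTERN_RULES:
            if pattern.search(line):
                findings.append({"path": path, "line": lineno, "rule": name})
        match = GENERIC_ASSIGNMENT.search(line)
        if match:
            entropy = shannon_entropy(match.group(2))
            if entropy >= ENTROPY_THRESHOLD:
                findings.append({"path": path, "line": lineno,
                                 "rule": "high_entropy_assignment",
                                 "entropy": round(entropy, 2)})
    return findings


def scan_files(files):
    """Scan a mapping of path -> contents; a non-empty result should block the commit."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(finding)
```

The entropy rule is what catches secrets that have no recognisable prefix; the allow marker exists because documentation and test fixtures will trip it, and a scanner that cannot be tuned gets disabled. The placeholder `"CHANGEME"` passes because it is shorter than the 20-character floor, and the `os.environ` line passes because the value is not a quoted literal at all, which is the pattern to steer developers toward.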
Reduce Exposure
Tighten identity governance to reduce valid-account abuse: strong MFA, session controls, privileged access restrictions, and service-account constraints (IA-2, IA-5, AC-6, AC-2).
Instrument “trust boundaries” end-to-end: correlate identity events to data access/exports, admin actions, and egress to make compromise provable (SI-4, AU-6, CA-7).
Put explicit controls around SaaS/analytics data exports and regulated data handling (monitoring, approvals, and auditability) (AU-2, AU-6, AC-6).
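The "instrument trust boundaries" and SaaS-export recommendations above describe a correlation that is simple to state and rarely implemented: join the identity event that opened a session to the data-access event that session performed. The block below is an added example written for this report, not detection content from FAIR INTEL or from any vendor in the corpus. It assumes a merged JSON-lines feed of IdP login events and SaaS export events (a constructed schema), and flags a bulk export as high severity when the preceding login came from a country not previously seen for that account or without MFA, or when no login can be found for the export at all (the unattributed service-account case). The sample events are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of merged IdP + SaaS audit events (JSON lines); not real telemetry.
SAMPLE_LOG = """
{"ts": "2025-12-10T08:00:00Z", "type": "login",  "user": "alice", "country": "US", "mfa": true}
{"ts": "2025-12-10T08:05:00Z", "type": "export", "user": "alice", "records": 120, "dataset": "tickets"}
{"ts": "2025-12-11T02:10:00Z", "type": "login",  "user": "alice", "country": "RO", "mfa": false}
{"ts": "2025-12-11T02:14:00Z", "type": "export", "user": "alice", "records": 250000, "dataset": "customers_pii"}
{"ts": "2025-12-11T09:00:00Z", "type": "login",  "user": "bob",   "country": "US", "mfa": true}
{"ts": "2025-12-11T09:30:00Z", "type": "export", "user": "bob",   "records": 40, "dataset": "invoices"}
{"ts": "2025-12-11T10:00:00Z", "type": "login",  "user": "carol", "country": "US", "mfa": true}
{"ts": "2025-12-11T10:20:00Z", "type": "export", "user": "carol", "records": 500000, "dataset": "customers_pii"}
{"ts": "2025-12-11T14:00:00Z", "type": "export", "user": "svc-analytics", "records": 900000, "dataset": "events"}
"""

BULK_THRESHOLD = 10_000        # records per export; in practice tuned per dataset
WINDOW = timedelta(hours=1)    # how far back to look for the login that owns the export


def parse_events(text):
    """Parse JSON-lines audit text into dicts with a datetime 'ts', ordered by time."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, bulk_threshold=BULK_THRESHOLD, window=WINDOW):
    """Return one finding per bulk export, enriched with the risk flags of its login."""
    seen_countries = defaultdict(set)   # user -> countries from earlier logins (baseline)
    last_login = {}                     # user -> (login event, risk flags for that login)
    findings = []
    for event in events:
        user = event["user"]
        if event["type"] == "login":
            flags = []
            # A country is "new" only once a baseline exists; the first login seeds it.
            if seen_countries[user] and event["country"] not in seen_countries[user]:
                flags.append("new_country")
            if not event.get("mfa", False):
                flags.append("no_mfa")
            seen_countries[user].add(event["country"])
            last_login[user] = (event, flags)
        elif event["type"] == "export" and event["records"] >= bulk_threshold:
            login = last_login.get(user)
            if login is None or event["ts"] - login[0]["ts"] > window:
                flags, severity = ["no_correlated_login"], "high"
            elif login[1]:
                flags, severity = login[1], "high"
            else:
                flags, severity = [], "medium"   # bulk export from a clean session: review
            findings.append({"user": user, "dataset": event["dataset"],
                             "records": event["records"], "severity": severity,
                             "flags": flags, "ts": event["ts"].isoformat()})
    return findings


if __name__ == "__main__":
    for finding in correlate(parse_events(SAMPLE_LOG)):
        print(finding)
```

The point of the medium-severity branch is that a large export from an unremarkable session is still worth a ticket; the identity join only decides how urgently. The unattributed case matters for the same reason the report calls out service-account constraints: an export with no session behind it is either an API token in use or a logging gap, and both need an owner.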
Most Common Theme
Identity, access, and privilege control are the most dominant themes across the recommendations. This indicates that the combined corpus consistently identifies valid access abuse—not exotic exploits—as the primary mechanism converting attack surface into loss, and positions identity governance as the highest-leverage investment for improving resilience, reducing attack surface, and limiting exposure simultaneously. While monitoring, detection, and recovery are close contenders for the second most common theme (44-56%)
Evidentiary Basis for Recommendations
The recommendations in this report are grounded in a structured synthesis of all available intelligence, using observed patterns in resilience gaps, attack-surface expansion, and organizational exposure to identify where controls, processes, and architectures consistently fail under real-world threat conditions. By examining threat behavior, targeting tendencies, exploitation methods, and the systemic factors that enable successful intrusions, the analysis reveals the underlying drivers that shape risk and operational impact. This evidence base ensures that each recommendation is not merely prescriptive but directly aligned with demonstrated weaknesses and recurring adversary opportunities, translating raw intelligence into actionable guidance to strengthen organizational resilience, reduce the attack surface, and limit potential exposure.
RASE Signature
Resilience (R): 2 / 5
Driven by repeated patterns where encryption + disruption succeeds operationally, and recovery hinges on backup survivability, restore confidence, and rehearsed response (CP-9/CP-4/CP-10 and IR-4 maturity gaps are the difference between “incident” and “business interruption”).
Attack Surface (A): 4 / 5
Driven by broad, heterogeneous entry points: exposed OT/HMI interfaces, credential/secret leakage via public repos, remote tooling/third-party pathways, and multi-tenant SaaS/analytics as part of the enterprise boundary (high number of reachable and abusable interfaces).
Exposure (E): 4 / 5
Driven by control failures that convert access into loss: identity/session abuse enabling privileged actions, bulk access/exports of sensitive data, stealthy persistence, and incomplete logging that delays detection/containment (monitoring and identity-to-data correlation are not consistently enforceable).
RASE Analysis — Detailed Findings
Resilience
Across the corpus, resilience is repeatedly degraded by (1) attacker persistence that survives “one-and-done” cleanup, (2) incident response friction caused by incomplete or siloed telemetry across identity, SaaS, endpoints, and OT environments, and (3) recovery inhibitors where ransomware or destructive actions reach backups and core administrative systems. Several documents demonstrate long-dwell or repeatable footholds, including malware and web-based persistence mechanisms designed to evade routine remediation, while others show rapid-impact ransomware events where restore capability and decision authority become the limiting factor. The cumulative effect is that organizations may detect that an incident occurred but still struggle to prove scope, fully evict access, and restore operations in a timely manner—especially when compromise paths cross identity systems, third-party access, SaaS export functions, endpoint execution chains, and exposed OT/HMI interfaces.
Most impacted NIST controls
IR-4 — Incident Handling
SI-4 — System Monitoring
CP-9 — System Backup
CP-10 — System Recovery and Reconstitution
AU-6 — Audit Review, Analysis, and Reporting
IR-5 — Incident Monitoring
IR-8 — Incident Response Plan
CM-7 — Least Functionality
Attack Surface
The attack surface expands in consistent and observable ways across all documents. Internet-facing application and API weaknesses—often aligned to high-leverage CWE classes—combine with exposed OT/HMI web interfaces, scalable discovery and automation techniques, and identity-based access paths that allow valid-account abuse and stealthy remote control. Public code repositories, CI/CD pipelines, SaaS platforms, analytics services, and remote management tooling all function as de facto production infrastructure and are treated as such by attackers. This results in high contact frequency through continuous probing, a wide diversity of entry vectors, and a growing number of reachable and exploitable conditions when remediation and access governance are not enforced.
Most impacted NIST controls
RA-5 — Vulnerability Monitoring and Scanning
SI-2 — Flaw Remediation
AC-2 — Account Management
IA-2 — Identification and Authentication
IA-5 — Authenticator Management
AC-17 — Remote Access
SC-7 — Boundary Protection
AC-6 — Least Privilege
SI-10 — Information Input Validation
Exposure
Exposure is driven by the convergence of operational disruption and data compromise once attackers operate inside trusted layers of the environment. Multiple documents show that when identity systems, administrative portals, virtualization platforms, SaaS export mechanisms, or endpoint execution paths are abused, loss is rarely contained to a single asset. Instead, organizations face cascading impacts, including prolonged service outages, theft of regulated or customer data, regulatory reporting obligations, legal and remediation costs, and reputational damage. In OT-related scenarios, exposure also includes integrity and availability impacts to monitoring and control functions, with downstream compliance and recovery implications. Across the corpus, the same weaknesses that enable initial access also amplify loss magnitude once compromise occurs.
Most impacted NIST controls
AC-2 — Account Management
AC-6 — Least Privilege
AU-2 — Event Logging
AU-6 — Audit Review, Analysis, and Reporting
SC-7 — Boundary Protection
SI-4 — System Monitoring
IR-6 — Incident Reporting
SC-28 — Protection of Information at Rest
Top Control Frequencies
| NIST Control | Frequency |
| --- | --- |
| AC-2 — Account Management | 2 |
| AC-6 — Least Privilege | 2 |
| AU-6 — Audit Review, Analysis, and Reporting | 2 |
| SC-7 — Boundary Protection | 2 |
| SI-4 — System Monitoring | 2 |
Unified Threat Synthesis
Across the corpus, the combined intelligence describes multiple, distinct adversary sets—but with a consistent operational pattern: attackers win by abusing trust boundaries (identity, admin planes, third parties, “routine” tooling, and web-facing interfaces) rather than relying on exotic exploits. At the high end, a PRC-aligned intrusion set uses BRICKSTORM to persist in VMware vSphere/vCenter and Windows environments with stealthy C2 (including DNS-over-HTTPS and WebSockets) and control-plane targeting that can survive typical cleanup; at the state-espionage tier, an Iran-aligned campaign (MuddyWater) leans on spearphishing-driven remote tooling/RMM delivery and staged capability deployment; at the financially motivated tier, ransomware and data-theft outcomes recur (including double-extortion patterns) and criminal ecosystems target end users via multi-stage banking-trojan delivery over WhatsApp; and at the “ambient exposure” tier, scalable automation (public repo secret discovery, SaaS analytics compromise, bulk portal/database access) turns small hygiene gaps into repeatable access. This creates a single cohesive risk picture: the most reliable path to impact is valid access (or valid-looking access) plus high-leverage data movement, followed by either persistence (espionage) or disruption/extortion (crime).
Threat Actors and Capabilities
| Threat Profile | Observed Capabilities (Normalized) |
| --- | --- |
| State-sponsored, virtualization-focused intrusion | Stealthy persistence within virtualization and identity control planes; masquerading as legitimate processes (T1036); abuse of valid credentials instead of exploit-heavy access (T1078); credential dumping from directory services (T1003.003); lateral movement via remote services such as RDP (T1021.001); command-and-control over application-layer and covert transport channels designed to blend with normal traffic, including web/DNS-like patterns (T1071.001). |
| State-aligned espionage via spearphishing and remote tooling | Initial access through spearphishing links (T1566.002); deliberate acquisition and staging of infrastructure and malware (T1583, T1608, T1587.001); extensive use of scripting and command execution, particularly PowerShell (T1059.001); abuse of remote access mechanisms and tunneling to maintain durable, low-noise access and enable long-term collection. |
| Financially motivated ransomware and extortion | Rapid progression from access to impact; encryption of systems and data to disrupt operations (T1486); deliberate inhibition of recovery by targeting backup and restore mechanisms (T1490); focus on organizational pressure points where downtime, governance constraints, or limited recovery capability amplify leverage. |
| Financial fraud and banking-trojan ecosystems | Socially engineered delivery leading to user execution (T1204, T1204.002); multi-stage malware chains; stealth execution through process injection or process hollowing (T1055.012); resilient and diversified command-and-control using web protocols and alternative channels such as email/IMAP-like traffic (T1071.001, T1071.004); emphasis on credential theft, session hijacking, and direct financial fraud. |
Victimology and Targeting Patterns
Targeting clusters into four “who gets hit and why” lanes. First, public sector and IT service ecosystems are at risk from virtualization-plane compromises, because vCenter/ESXi and identity infrastructure (AD/ADFS-like key material) concentrate control over many downstream workloads—raising the blast radius when compromised. Second, government, engineering, utilities, transportation, and similar critical-infrastructure-adjacent verticals appear in the espionage lane where spearphishing plus remote tooling provides durable access for collection. Third, local governments and small municipalities recur as ransomware-impacted entities where operational disruption dominates, and recovery capacity becomes the constraint (T1486/T1490 themes). Fourth, consumer/financial users in Brazil sit in a fraud lane where WhatsApp trust relationships enable initial access at scale, and downstream harm is direct (credential theft, fraud, and account takeover) rather than just enterprise downtime.
Core TTPs
Across the corpus, the most frequent TTPs favor stealth, credibility, and data movement rather than noisy exploitation. Once access is obtained, attackers consistently prioritize collection and exfiltration of data over command-and-control channels (T1041), commonly using application-layer protocols that blend with normal traffic (T1071.001). Persistence and lateral reach are maintained through masquerading (T1036), abuse of valid accounts (T1078), and routine command and scripting activity (T1059), supported by discovery (T1083), tool transfer (T1105), and collection from local systems or repositories (T1530, T1213). Initial access varies but frequently includes exploitation of public-facing applications (T1190) or user-driven execution following client-side exploitation or social engineering (T1203, T1204). In several scenarios, these same access paths culminate in disruptive impact through data encryption (T1486) and deliberate inhibition of recovery (T1490), reinforcing that quiet access and controlled data movement are the dominant behaviors, with destruction applied selectively.
Infrastructure, Tooling, Malware, and Reuse Patterns
Infrastructure and tooling across the documents reflect a blend of purpose-built malware and extensive abuse of legitimate systems. High-end intrusion activity relies on persistent backdoors embedded in control-plane environments, using boot or logon persistence (T1037), execution-flow manipulation (T1574.007), credential dumping (T1003.003), and remote services for lateral movement (T1021.001). Espionage campaigns favor modular tooling and staged infrastructure (T1583, T1608, T1587.001), orchestrated through scripting environments such as PowerShell (T1059.001), enabling flexible, low-noise operations. Financially motivated campaigns emphasize layered delivery and execution, including process injection or hollowing (T1055.012), with resilient command-and-control that mixes web protocols and alternative channels like email or IMAP-style communication (T1071.001, T1071.004). Across all scenarios, automation plays a critical role: large-scale discovery of exposed credentials (T1552.001) and harvesting of publicly available victim information (T1593, T1593.003) frequently provide access without the need for sophisticated exploits, reinforcing that scale and reuse are as important as malware sophistication.
Cross-Document Similarities, Patterns, and Contradictions
The strongest cross-document similarity is how often “legitimate” access paths are the real exploit: valid accounts (T1078), session/credential reuse, admin portals, SaaS exports, public repo keys, and remote tooling. Where exploitation exists (e.g., T1190/T1203), it usually serves as an entry point into identity and data-plane abuse—not as the whole story. Another repeating pattern is that detection and response fail when telemetry is incomplete across boundaries: identity-to-data linkages, SaaS auditability, endpoint execution chains, OT/edge visibility, and control-plane logging all show up as friction points that allow dwell time or complicate scope. A meaningful “contradiction” (really, a segmentation) is endgame variability: some cases are optimized for long-term espionage persistence (BRICKSTORM/MuddyWater), others for fast monetization (ransomware, banking trojans), and others for opportunistic access resale/abuse (public secrets, bulk portal extraction). The implication is that the same control gaps can support multiple adversary business models, so the organization’s risk response should be organized around trust-boundary outcomes (who can authenticate, what they can reach, what they can export, and how quickly you can prove it), not around a single threat label.
Notable Similar and Adjacent Threat Actors
Two “similar threats” are notable enough to track alongside the corpus because they align tightly to the same virtualization/control-plane + stealth access + pre-positioning pattern:
Hypothesis A:
The BRICKSTORM-like activity could be meaningfully similar (tradecraft-aligned) to UNC3886. Evidence consistent with the corpus: UNC3886 is publicly reported as a China-nexus group targeting VMware vCenter/ESXi and virtualized environments—matching the corpus’s control-plane emphasis and virtualization-layer attack value.
Counterevidence: attribution and malware families differ; similarity is primarily operational style and target layer, not proof of the same actor.
Hypothesis B:
The virtualization pre-positioning concept is meaningfully similar to Volt Typhoon-style tradecraft. Evidence consistent with the corpus: Volt Typhoon is documented as PRC state-sponsored activity emphasizing stealth, credential access, discovery, and “living off the land” behaviors in critical infrastructure contexts, which is congruent with the corpus’ trust-boundary and persistence themes (even if the specific malware differs).
Counterevidence: Volt Typhoon reporting often emphasizes LOTL and network device/edge presence more than vCenter-specific malware; again, similarity is in approach and objectives, not in identical TTP sets.
FAIR Variable Seeds (Non-Quantified)
Threat Event Frequency (TEF) Drivers
TEF is driven by repeated, scalable, and diverse threat activity across the corpus: state-aligned operators sustaining long-dwell access in high-value infrastructure layers; financially motivated actors repeatedly executing ransomware-plus-exfiltration against organizations with regulated data and operational dependencies; and high-volume, automation-enabled targeting that broadens the reachable victim pool (e.g., mass scanning of public code, scripted propagation via consumer messaging platforms, and repeated probing of exposed web/OT interfaces). The corpus also shows multiple “threat lanes” operating in parallel—espionage, extortion, credential abuse, and banking fraud—so an organization’s TEF is strongly shaped by how often it presents any of the prerequisite conditions (internet-exposed services, reusable credentials/tokens, unmanaged endpoints, and high-value data workflows).
Contact Frequency (CF) Drivers
CF increases when attackers can repeatedly “touch” the environment through always-on entry and interaction paths: exposed application and API surfaces; exposed OT/HMI web interfaces; remote access and administrative tooling; SaaS and analytics platforms treated as production data planes; and public repositories/CI pipelines that are continuously discoverable. The corpus indicates CF is further amplified by automation (enumeration/scanning at scale, scripted propagation, and repeatable exploitation patterns) and by ubiquitous user-facing channels (messaging-based delivery and trusted-contact forwarding) that can generate frequent, low-friction contact attempts outside traditional email gateways.
Vulnerability Drivers
Vulnerability (in the FAIR sense) rises when threat capability meets exploitable conditions that recur across the documents: (1) identity weaknesses enabling valid-account abuse (credential theft/reuse, weak MFA/session controls, over-privileged accounts, and insufficient account lifecycle governance); (2) exploitable software and configuration weakness classes concentrated in common CWE patterns (input validation, authN/authZ flaws, insecure deserialization, unsafe file handling, and memory/resource failures) that tend to reappear in internet-facing apps and services; (3) exposed operational technology interfaces and fragile segmentation between IT/OT/identity tiers; (4) token/secret exposure via public code and build pipelines; and (5) user-execution chains that bypass vulnerability patching by relying on script hosts, living-off-the-land execution, and staged loaders. In combination, these conditions reduce the “difficulty” of causing loss once contact occurs.
Control Strength (CS) Degraders
Across the corpus, control strength is degraded less by the absence of tools and more by gaps in enforceability and verification: incomplete or siloed logging across identity/SaaS/endpoints/OT; monitoring that cannot reconstruct kill chains end-to-end; weak governance over remote administration and third-party access; insufficient restrictions on high-risk scripting and user-execution pathways; and inconsistent secrets management across developer workflows. CS is also weakened by recovery inhibitors (backup reachability and restore uncertainty), by poor segmentation that allows lateral movement into identity and high-value data planes, and by detection logic that is not tuned to “trust-boundary” abuse (identity-to-data actions, bulk export behavior, and stealthy persistence in administrative layers). Relevant NIST SP 800-53 control families repeatedly implicated across these degraders include AC (access control), IA (authentication), AU (logging/audit), SI (monitoring/malicious code/flaw remediation), IR (incident handling), and CP (backup/recovery).
Primary and Secondary Loss Magnitude (LM) Seeds
Primary loss magnitude is seeded by operational disruption and direct response burden: ransomware-driven outage and restoration effort; incident response labor and external forensics; emergency containment actions (account resets, isolation of systems, suspension of data exports, and rebuild of affected endpoints); and business interruption where core administrative systems, identity infrastructure, virtualization control planes, or OT monitoring/control functions are impaired. The corpus also supports primary loss through fraud outcomes in banking-session hijack scenarios, where direct financial theft and rapid customer remediation can become material drivers of loss.
Secondary Loss Magnitude (SLM) Seeds
Secondary loss magnitude is seeded by downstream obligations and knock-on effects: regulatory reporting and oversight actions following exposure of regulated or customer PII; potential civil claims, penalties, or contractual impacts; reputational harm and brand repair; customer/member harm (identity theft risk, fraud support costs, credit monitoring, and call-center burden); and cascading risk when compromise in one layer (identity, SaaS analytics/export, or admin platforms) enables follow-on misuse (phishing against exposed populations, repeated account abuse, or re-compromise due to persistent footholds). The corpus indicates secondary loss is especially sensitive to whether unauthorized access is provable (scope certainty), how widely data was distributed/exfiltrated, and whether recovery gaps prolong outage timelines.
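The FAIR seeds above are deliberately non-quantified, so the report does not say how they combine. The block below is an added example written for this report, not a FAIR INTEL model or figures from the corpus, and it goes beyond the section by showing the standard FAIR structure the seeds feed: Threat Event Frequency as Contact Frequency times Probability of Action, Vulnerability as the chance that Threat Capability exceeds Control Strength, Loss Event Frequency as the product, and Loss Magnitude as primary loss plus a probability-weighted secondary loss, run as a Monte Carlo over one year. Every range in `SEEDS` is a constructed placeholder chosen only to make the code run; a real assessment would calibrate them from the drivers the section describes.

```python
import random
import statistics

# Constructed placeholder ranges (min, most likely, max). These are NOT figures from the report.
SEEDS = {
    "contact_frequency": (20, 60, 200),            # contacts/year: scanning, phishing, repo discovery
    "probability_of_action": (0.05, 0.15, 0.30),   # share of contacts that become attempts
    "threat_capability": (0.40, 0.65, 0.90),       # actor skill, as a percentile
    "control_strength": (0.30, 0.50, 0.75),        # share of attempts the controls resist
    "primary_loss": (50_000, 250_000, 1_200_000),  # response + disruption per event (currency units)
    "secondary_probability": (0.20, 0.50, 0.80),   # chance an event triggers secondary loss
    "secondary_loss": (0, 150_000, 2_000_000),     # fines, claims, customer harm per event
}


def draw(rng, triple):
    """Sample a (min, most likely, max) triple as a triangular distribution."""
    low, mode, high = triple
    return rng.triangular(low, high, mode)


def poisson(rng, rate):
    """Count Poisson-process arrivals in one unit of time via exponential inter-arrivals."""
    elapsed, count = 0.0, 0
    while True:
        elapsed += rng.expovariate(rate)
        if elapsed > 1.0:
            return count
        count += 1


def simulate_year(rng, seeds=SEEDS):
    """One simulated year: returns (loss events, total loss)."""
    tef = draw(rng, seeds["contact_frequency"]) * draw(rng, seeds["probability_of_action"])
    loss_events, total_loss = 0, 0.0
    for _ in range(poisson(rng, tef)):
        # FAIR vulnerability: the attempt becomes a loss event when capability beats control strength.
        if draw(rng, seeds["threat_capability"]) > draw(rng, seeds["control_strength"]):
            loss_events += 1
            loss = draw(rng, seeds["primary_loss"])
            if rng.random() < draw(rng, seeds["secondary_probability"]):
                loss += draw(rng, seeds["secondary_loss"])
            total_loss += loss
    return loss_events, total_loss


def run(iterations=10_000, seed=7, seeds=SEEDS):
    """Monte Carlo summary: annualized loss expectancy and its distribution."""
    rng = random.Random(seed)
    years = [simulate_year(rng, seeds) for _ in range(iterations)]
    losses = sorted(total for _, total in years)
    return {
        "mean_loss_events": statistics.mean(events for events, _ in years),
        "p_any_loss_event": sum(1 for events, _ in years if events) / iterations,
        "ale_mean": statistics.mean(losses),
        "loss_p50": losses[iterations // 2],
        "loss_p90": losses[int(0.9 * iterations)],
    }


if __name__ == "__main__":
    for key, value in run().items():
        print(f"{key}: {value:,.2f}")
```

Two design choices matter for using this with the section's drivers. Attempts are drawn from a Poisson process rather than rounding TEF, so the rare high-frequency year the CF drivers warn about is represented; and vulnerability is decided per attempt by comparing a capability draw against a control-strength draw, which is where the "control strength degraders" enter the model: widen or lower the `control_strength` range and the loss-event count moves, without any change to the threat side.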
Consolidated List of Artifacts
Software Weaknesses, Vulnerabilities, and Exploitation
2025 CWE Top 25 Most Dangerous Software Weaknesses
2025 CWE Top 25 Key Insights
2025 CWE Top 25 Methodology
CISA Alert: 2025 CWE Top 25 Most Dangerous Software Weaknesses
CVE-2025-48572
CVE-2025-48633
CISA Adds One Known Exploited Vulnerability to Catalog (Nov 28, 2025)
CISA Adds Two Known Exploited Vulnerabilities to Catalog (Dec 2, 2025)
CISA Adds One Known Exploited Vulnerability to Catalog (Dec 3, 2025)
Common Weakness Enumeration (CWE) Reference Pages
CWE-20 Improper Input Validation
CWE-22 Improper Limitation of a Pathname to a Restricted Directory
CWE-23 Relative Path Traversal
CWE-24 Path Traversal: ‘..’ Injection
CWE-25 Path Traversal
CWE-77 Command Injection
CWE-78 OS Command Injection
CWE-79 Cross-Site Scripting
CWE-89 SQL Injection
CWE-94 Code Injection
CWE-96 Improper Neutralization of Directives in Dynamically Evaluated Code
CWE-120 Classic Buffer Overflow
CWE-121 Stack-Based Buffer Overflow
CWE-122 Heap-Based Buffer Overflow
CWE-125 Out-of-Bounds Read
CWE-129 Improper Validation of Array Index
CWE-269 Improper Privilege Management
CWE-284 Improper Access Control
CWE-285 Improper Authorization
CWE-287 Improper Authentication
CWE-306 Missing Authentication for Critical Function
CWE-307 Improper Restriction of Excessive Authentication Attempts
CWE-352 Cross-Site Request Forgery
CWE-416 Use After Free
CWE-434 Unrestricted Upload of File with Dangerous Type
CWE-476 NULL Pointer Dereference
Threat Actors and Campaigns (MITRE ATT&CK)
APT41
HAFNIUM
Lazarus Group
MuddyWater
Ransomware and Cybercrime Operations
Everest Ransomware Group
AA23-158A: CL0P Ransomware Gang Exploits MOVEit Vulnerability
Malware, Espionage, and Advanced Tooling
BRICKSTORM Backdoor – Malware Analysis Report
PRC State-Sponsored Actors Use BRICKSTORM Malware Across Public Sector and IT
Malware Analysis Report: BRICKSTORM Backdoor (PDF)
Mobile Malware and Social Engineering Campaigns
Unraveling Water Saci’s New Multi-Format, AI-Enhanced Attacks via WhatsApp
Critical Infrastructure and ICS Exposure
ScadaBR Vulnerability Advisory
Data Breaches, Third-Party Risk, and Analytics Platforms
OpenAI Data Potentially Exposed After Analytics Firm Breach
Mixpanel Security Incident Response Statement
Running Aces Casino Data Breach Reporting
Running Aces Regulatory Filing (Attorney General)
MITRE ATT&CK Techniques Referenced
T1190 Exploit Public-Facing Application
T1505.003 Web Shell
T1567 Exfiltration to Cloud Storage
T1041 Exfiltration Over C2 Channel
Governance, Risk, and Control Frameworks
NIST SP 800-53 Revision 5 – Security and Privacy Controls for Information Systems and Organizations