
Threat Intelligence Executive Report – Volume 2025, Number 4

This issue of the Counter Threat Unit’s high-level bimonthly report discusses noteworthy updates in the threat landscape during May and June 2025.

The Counter Threat Unit (CTU) research team analyzes security threats to help organizations protect their systems. Based on observations in May and June, CTU researchers identified the following noteworthy issues and changes in the global threat landscape:

  • Threat group naming alignment poses challenges
  • Iran threatens retaliation against U.S.
  • Law enforcement uses mockery as a tactic

Threat group naming alignment poses challenges

Reconciling different threat group naming conventions is an ambitious task. Secureworks’ comprehensive and dynamic Rosetta stone for threat group names has been public since 2020.

Threat group naming is designed to help security professionals quickly understand and identify specific attack patterns and connect past activity to current incidents. This information provides insight into threat actors’ capabilities and intent, and can inform response decisions, assist with attribution, and lead to more accurate risk modeling. It can provide actionable guidance about the types and scope of a threat and how an attack may have happened.

The existence of multiple naming conventions for threat groups is not just a matter of vendors imposing their own branding on threat intelligence. Names are also based on each vendor’s own observations, and those observations differ. Mapping names is straightforward when two vendors observe the same activity, but that is frequently not the case: one vendor may see only part of what another vendor tracks as a single group, or may group activity that another vendor splits across two names.

At the beginning of June, Microsoft and CrowdStrike announced an alignment of their threat group naming conventions. This type of mapping is beneficial to the security community. In 2020, Secureworks began publishing threat group profiles, incorporating a continuously updated ‘Rosetta stone’ to map the threat groups to names used by other vendors. CTU researchers are currently involved in aligning Secureworks threat group names with Sophos threat activity cluster numbers.

Maintaining one-to-one mappings is challenging and requires ongoing monitoring and recalibration to ensure accuracy. Threat groups may work together or change their tactics, techniques, and procedures (TTPs) and objectives, and vendor apertures (the telemetry each vendor can see) may change, so a mapping that was correct when published can drift. Nonetheless, Microsoft and CrowdStrike’s announcements both imply that the initiative is the start of an attempt to establish a broader alignment.

Achieving this alignment while protecting proprietary telemetry and intellectual property will likely be difficult, but analyst-led deconfliction is necessary. It is unclear which other vendors will be included in this effort: Microsoft mentions Google/Mandiant and Palo Alto Networks Unit 42 in its announcement, but CrowdStrike does not. Microsoft’s preliminary list includes a wider range of vendor threat group names, including some from Secureworks.
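The following is an added example, not Secureworks code and not its Rosetta stone, that models why vendor names rarely map one-to-one. Each vendor’s cluster is treated as the set of activity it has observed; comparing the sets classifies a pairing as equivalent, subset, superset, or partial overlap, and re-running after new telemetry shows why mappings need recalibration. The vendor names, cluster labels, and observation IDs are constructed placeholders, not real threat groups or real telemetry.

```python
"""Added example: threat-group name reconciliation as set comparison.

Vendor names, cluster labels and observation IDs are constructed
placeholders. Nothing here is real telemetry or a real mapping.
"""
from itertools import combinations

# Constructed data: each vendor labels clusters of activity it has observed.
# Observation IDs stand in for whatever the vendor actually saw (intrusions,
# samples, infrastructure). Different apertures yield different subsets.
VENDOR_CLUSTERS = {
    "VendorA": {
        "A-GROUP-1": {"obs-01", "obs-02", "obs-03", "obs-04"},
        "A-GROUP-2": {"obs-10", "obs-11"},
    },
    "VendorB": {
        "B-CLUSTER-7": {"obs-01", "obs-02"},            # part of A-GROUP-1
        "B-CLUSTER-8": {"obs-03", "obs-04", "obs-05"},  # straddles A-GROUP-1
        "B-CLUSTER-9": {"obs-10", "obs-11"},            # clean 1:1 with A-GROUP-2
    },
}


def relationship(a: set, b: set) -> str:
    """Classify how two clusters relate by the activity they cover."""
    if a == b:
        return "equivalent"
    if a < b:
        return "subset"
    if a > b:
        return "superset"
    if a & b:
        return "partial-overlap"
    return "disjoint"


def build_rosetta(vendor_clusters: dict) -> dict:
    """Compare every cluster of each vendor pair.

    Returns {(vendorA, nameA, vendorB, nameB): relationship} for pairs that
    share at least one observation; disjoint pairs are omitted.
    """
    rosetta = {}
    for (va, ca), (vb, cb) in combinations(vendor_clusters.items(), 2):
        for name_a, obs_a in ca.items():
            for name_b, obs_b in cb.items():
                rel = relationship(obs_a, obs_b)
                if rel != "disjoint":
                    rosetta[(va, name_a, vb, name_b)] = rel
    return rosetta


def one_to_one_aliases(rosetta: dict) -> list:
    """Only 'equivalent' pairs are safe to publish as plain aliases."""
    return sorted(k for k, rel in rosetta.items() if rel == "equivalent")


def needs_analyst_review(rosetta: dict) -> list:
    """Subset/superset/partial pairs silently merge or split activity if
    collapsed to an alias, so they need an analyst note instead."""
    return sorted(k for k, rel in rosetta.items() if rel != "equivalent")


def add_observations(vendor_clusters: dict, vendor: str, cluster: str, new_obs) -> dict:
    """Fold new telemetry into one cluster (on a copy) and rebuild the table.

    A mapping that was correct last period may change once a vendor's
    aperture widens; this is the recalibration step the text describes.
    """
    updated = {v: {c: set(o) for c, o in cs.items()} for v, cs in vendor_clusters.items()}
    updated[vendor][cluster] |= set(new_obs)
    return build_rosetta(updated)


if __name__ == "__main__":
    table = build_rosetta(VENDOR_CLUSTERS)
    for key, rel in sorted(table.items()):
        print(f"{key[0]}:{key[1]:<11} vs {key[2]}:{key[3]:<11} -> {rel}")
    print("safe aliases:", one_to_one_aliases(table))
    print("review needed:", needs_analyst_review(table))
    # VendorB later attributes two more intrusions to B-CLUSTER-7.
    later = add_observations(VENDOR_CLUSTERS, "VendorB", "B-CLUSTER-7", ["obs-03", "obs-04"])
    print("after recalibration:", later[("VendorA", "A-GROUP-1", "VendorB", "B-CLUSTER-7")])
```

Only the equivalent pairing is a safe alias; the superset and partial-overlap pairings are exactly the cases where a flat alias table would mislead a reader into treating two vendors' reports as describing the same actor.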

What You Should Do Next

Refer to Secureworks threat group profiles while reading threat intelligence for a broader understanding of individual threat groups’ tasking and TTPs.

Law enforcement uses mockery as a tactic

Adding ridicule to arrests and takedowns seems to be a surprisingly effective way of dealing with cybercriminals.

Global law enforcement continued targeting cybercrime operations, but as in the past, not all actions had a lasting impact. For example, Microsoft and the U.S. Department of Justice conducted coordinated actions in late May 2025 that led to the seizure and takedown of over 2,300 domains associated with LummaC2, one of the most prevalent infostealer operations. However, LummaC2 recovered quickly. CTU sandboxes continued to collect LummaC2 samples through June, and its command and control (C2) servers responded normally. CTU researchers also observed LummaC2 being delivered as a second-stage payload in June by Smoke Loader, itself the survivor of a law enforcement takedown in May 2024. Furthermore, the number of LummaC2 logs for sale on underground forums continued to rise during May and June 2025.

Arrests and convictions impact individual threat actors but do not always deter cybercriminal activity. In May, Iranian national Sina Gholinejad pleaded guilty in the U.S. to conducting RobbinHood ransomware attacks from 2019 to 2024 and faces up to 30 years in prison. In late June, French police arrested four alleged operators of the BreachForums cybercrime forum, which followed the February arrest of the individual behind the prolific BreachForums persona known as IntelBroker. However, BreachForums resumed operations under new ownership.

Arrests are not always possible. The U.S. regularly indicts both cybercriminal and state-sponsored threat actors who reside in countries where U.S. law enforcement has no influence. For example, a 36-year-old Russian named Vitaly Nikolaevich Kovalev was linked by German law enforcement in May to the Conti and TrickBot operations. He had been indicted in the U.S. in 2012 on charges of bank fraud but remains at large in Russia.

Ridiculing threat actors and undermining trust have proven effective. A key goal of Operation Cronos, which targeted the previously highly successful LockBit ransomware operation, was damaging the reputation of LockBit administrator Dmitry Khoroshev. He lives in Russia and therefore cannot be arrested by U.S. authorities. Law enforcement’s mockery led to significantly fewer affiliates, to the point that Khoroshev had to reduce the cost of becoming an affiliate and abandon affiliate vetting. CTU researchers have also observed threat actors displaying contempt for Khoroshev on underground forums.

Despite LockBit victim numbers plummeting from hundreds to single digits a month, the overall number of ransomware attacks by all groups has continued to climb. While even short-term disruptions will frustrate any group’s operations and result in fewer victims, organizations must continue to protect themselves against ransomware and other financially motivated attacks.

What You Should Do Next

Ensure you can detect common infostealers such as LummaC2, as they are frequently a precursor to ransomware attacks.

Conclusion

Organizations’ awareness of the threat landscape is essential for defending against cyber threats. Whether the threats originate from cybercriminals or state-sponsored threat actors, timely and accurate threat intelligence from a range of sources is necessary for accurately assessing the risk posed to your organization. Meaningful attribution adds value to help defenders respond appropriately and effectively.

Secureworks Counter Threat Unit Research Team. (2025, August 20). Threat Intelligence Executive Report – Volume 2025, Number 4. Sophos News. https://news.sophos.com/en-us/2025/08/20/threat-intelligence-executive-report-volume-2025-number-4/
