CyberSecurity news

FlagThis - #threatintel

@www.microsoft.com //

Microsoft and CrowdStrike Align Threat Actor Naming - Microsoft and CrowdStrike are teaming up to harmonize threat actor naming conventions to reduce confusion and enhance consistency in identifying and tracking cyber threat actors.
References: bsky.app , BetaNews , BleepingComputer ...
Microsoft and CrowdStrike have announced a new strategic collaboration aimed at bringing clarity to the often-confusing landscape of cyber threat actor naming. The partnership seeks to align their respective threat actor taxonomies to help security professionals connect insights faster and more efficiently. By mapping threat actor aliases and aligning adversary attribution across platforms, the collaboration aims to minimize confusion caused by different naming systems used across the industry. In cybersecurity, every second counts, and the goal is to reduce the wasted time defenders spend deciphering which hacking group is being referenced, allowing them to focus on stopping attacks.

The core of this collaboration is a shared mapping system, described as a "Rosetta Stone" for cyber threat intelligence, that links adversary identifiers across vendor ecosystems without mandating a single naming standard. According to the joint statement, the alliance will help the industry better correlate threat actor aliases, and will grow in the future to include other organizations that also practice the art of attribution. Microsoft has updated its threat actor reference guide with a list of common hacking groups tracked by both CrowdStrike and Redmond, all mapped using each company's naming systems. While they will not switch to a single threat actor taxonomy, Microsoft and CrowdStrike analysts have already linked more than 80 overlapping threat groups.

Industry experts have largely lauded the partnership, recognizing the long-standing issue of inconsistent threat actor naming. Kip Boyle, vCISO, Cyber Risk Opportunities LLC noted that this has been a problem for years, adding that as ransomware gangs blur into state-backed actors, knowing who you're up against matters more than ever. The move is not about creating one universal naming system, but rather a decoder ring to translate between naming conventions. Google's Mandiant team and Palo Alto Networks' Unit 42 are expected to join the project soon, potentially bringing even more clarity to the threat landscape.

Recommended read:
References :
  • bsky.app: While they will not switch to a single threat actor taxonomy, Microsoft and CrowdStrike analysts have already linked more than 80 overlapping threat groups.
  • BetaNews: In cybersecurity, every second counts. But when the same hacking group goes by half a dozen different names depending on which company you ask, defenders are left wasting time instead of stopping attacks.
  • @VMblog: CrowdStrike and Microsoft announced a collaboration to bring clarity and coordination to how cyber threat actors are identified and tracked across...
  • BleepingComputer: Microsoft and CrowdStrike announced today that they've partnered to connect the aliases used for specific threat groups without actually using a single naming standard.
  • SecureWorld News: CrowdStrike and Microsoft Join Forces on Naming Threat Actors
  • www.cybersecuritydive.com: Microsoft, CrowdStrike, other cyber firms collaborate on threat actor taxonomy
  • Source: Microsoft and CrowdStrike are teaming up to create alignment across our individual threat actor taxonomies to help security professionals connect insights faster. The post appeared first on .
  • MSSP feed for Latest: Microsoft and CrowdStrike Align on Threat Actor Mapping to Support Faster, Unified Defense
  • Catalin Cimpanu: Microsoft and CrowdStrike are teaming up to create alignment across our individual threat actor taxonomies
  • betanews.com: In cybersecurity, every second counts. But when the same hacking group goes by half a dozen different names depending on which company you ask, defenders are left wasting time instead of stopping attacks. Now, Microsoft and CrowdStrike are teaming up to clean up the mess they helped create. The two companies just announced a joint effort to map their threat actor naming systems to each other.
  • www.crowdstrike.com: CrowdStrike and Microsoft Unite to Deconflict Cyber Threat Attribution
  • www.microsoft.com: Announcing a new strategic collaboration to bring clarity to threat actor naming
  • www.scworld.com: Microsoft, CrowdStrike pitch giving threat groups the same name
  • www.cxoinsightme.com: CrowdStrike and Microsoft collaborate to harmonise cyber threat attribution
@cyble.com //

Ransomware Attacks Shift: Qilin Emerges from Chaos - The ransomware landscape is constantly shifting, with groups like Qilin, Akira, and Play leading attacks, and new groups like Silent Team and Gunra emerging.
The ransomware landscape is experiencing significant shifts in April 2025, with groups like Qilin taking center stage. Despite a general decline in ransomware attacks from 564 in March to 450 in April, the lowest level since November 2024, Qilin has surged to the top of the ransomware rankings. This rise is attributed to the realignment of cybercriminal groups within the chaotic Ransomware-as-a-Service (RaaS) ecosystem. Qilin is reportedly leveraging sophisticated tools and techniques, contributing to their increased success in recent months.

Qilin's success is partly due to the adoption of advanced tactics, techniques, and procedures (TTPs). Threat actors associated with Qilin have been observed utilizing malware such as SmokeLoader, along with a previously undocumented .NET compiled loader called NETXLOADER, in campaigns dating back to November 2024. NETXLOADER is a highly obfuscated loader designed to deploy additional malicious payloads and bypass traditional detection mechanisms, making it difficult to analyze. This loader plays a critical role in Qilin's stealthy malware delivery method. The surge in activity is reflected in the doubling of disclosures on Qilin's data leak site since February 2025, making it the top ransomware group in April.

The emergence of new actors like DragonForce is reshaping the threat landscape. The group is built for the gig economy. Its features include a 20% revenue share, white-label ransomware kits, pre-built infrastructure. DragonForce quickly moved to absorb affiliates following the April 2025 disappearance of RansomHub, pitching itself as an agile alternative to collapsed legacy operators. A historic surge in ransomware activity is occurring. A total of 2,289 publicly named ransomware victims were reported in just Q1 a 126% year-over-year increase, setting an all-time high. 74 distinct ransomware groups are now operating concurrently, highlighting an explosion of new actors and affiliate-driven threats.

Recommended read:
References :
  • cyble.com: Ransomware Attacks April 2025: Qilin Emerges from Chaos
  • cyble.com: Global ransomware attacks in April 2025 declined to 450 from 564 in – the lowest level since November 2024 – as major changes among the leading Ransomware-as-a-Service (RaaS) groups caused many affiliates to align with new groups.
  • The Hacker News: Qilin Ransomware Ranked Highest in April 2025 with Over 45 Data Leak Disclosures
  • www.redpacketsecurity.com: [QILIN] – Ransomware Victim: www[.]hcsheriff[.]gov
@itpro.com //

Resecurity Infiltrates BlackLock Ransomware Gang Network - Resecurity infiltrated the BlackLock ransomware gang's network by exploiting a local file inclusion vulnerability, gathering intelligence and alerting potential victims and law enforcement about their operations.
Cybersecurity firm Resecurity successfully infiltrated the BlackLock ransomware gang's network by exploiting a local file inclusion vulnerability on their data leak site (DLS). This vulnerability, a misconfiguration in the site, allowed Resecurity to access the gang's network infrastructure, configuration files, and even account credentials. By gaining access, Resecurity could observe the gang's operations, identify potential victims, and alert both the victims and authorities, providing valuable insights into the gang's modus operandi.

Resecurity's actions have provided law enforcement with crucial information about BlackLock, also known as El Dorado, which had successfully attacked at least 46 organizations worldwide. The compromised DLS revealed that the gang was actively recruiting affiliates to spread the ransomware further. By uncovering the gang's methods and infrastructure, Resecurity has potentially disrupted BlackLock's operations and protected numerous organizations from falling victim to their attacks.

Recommended read:
References :
  • PCMag UK security: Cybersecurity Firm Hacks Ransomware Group, Alerts Potential Victims
  • www.itpro.com: Security researchers hack BlackLock ransomware gang in push back against rising threat actor
  • securityaffairs.com: BlackLock Ransomware Targeted by Cybersecurity Firm
  • The Hacker News: BlackLock Ransomware Exposed After Researchers Exploit Leak Site Vulnerability
  • thehackernews.com: In what's an instance of hacking the hackers, threat hunters have managed to infiltrate the online infrastructure associated with a ransomware group called BlackLock, uncovering crucial information about their modus operandi in the process.
  • securityaffairs.com: In what's an instance of hacking the hackers, threat hunters have managed to infiltrate the online infrastructure associated with a ransomware group called BlackLock, uncovering crucial information about their modus operandi in the process.
  • www.cybersecurity-insiders.com: For the first time, a team of security researchers has successfully infiltrated the network of a ransomware operation
Microsoft Threat@Microsoft Security Blog //

Global Cyber Intrusions and New Malware Threats - The cluster focuses on cyber security incidents, including the indictment of Chinese hackers, the discovery of new XCSSET malware targeting Xcode projects, and a phishing campaign impersonating Booking .com.
The U.S. Department of Justice has indicted 12 Chinese individuals for over a decade of global hacking intrusions, including a breach of the U.S. Treasury last year. The individuals include eight staffers for the contractor i-Soon, two officials at China’s Ministry of Public Security, and two other alleged hackers belonging to the APT27 group, also known as Silk Typhoon. The group is accused of targeting U.S. state and federal agencies, foreign ministries across Asia, Chinese dissidents, and U.S.-based media outlets critical of the Chinese government.

Microsoft Threat Intelligence has detected a new variant of XCSSET, a macOS malware targeting Xcode projects, since 2022. This variant features enhanced obfuscation, updated persistence mechanisms, and new infection strategies. It steals and exfiltrates files and system/user information, including digital wallet data and notes. The malware's modular approach and encoded payloads make detection and removal challenging, even allowing it to remain fileless.

Recommended read:
References :

Posts

Blogs

Research Tools