@www.microsoft.com
Microsoft and CrowdStrike have announced a new strategic collaboration aimed at bringing clarity to the often-confusing landscape of cyber threat actor naming. The partnership seeks to align their respective threat actor taxonomies to help security professionals connect insights faster and more efficiently. By mapping threat actor aliases and aligning adversary attribution across platforms, the collaboration aims to minimize confusion caused by different naming systems used across the industry. In cybersecurity, every second counts, and the goal is to reduce the wasted time defenders spend deciphering which hacking group is being referenced, allowing them to focus on stopping attacks.
The core of this collaboration is a shared mapping system, described as a "Rosetta Stone" for cyber threat intelligence, that links adversary identifiers across vendor ecosystems without mandating a single naming standard. According to the joint statement, the alliance will help the industry better correlate threat actor aliases and will grow in the future to include other organizations that also practice the art of attribution. Microsoft has updated its threat actor reference guide with a list of common hacking groups tracked by both CrowdStrike and Redmond, all mapped using each company's naming system. While they will not switch to a single threat actor taxonomy, Microsoft and CrowdStrike analysts have already linked more than 80 overlapping threat groups.

Industry experts have largely lauded the partnership, recognizing the long-standing issue of inconsistent threat actor naming. Kip Boyle, vCISO at Cyber Risk Opportunities LLC, noted that this has been a problem for years, adding that as ransomware gangs blur into state-backed actors, knowing who you're up against matters more than ever. The move is not about creating one universal naming system, but rather a decoder ring to translate between naming conventions. Google's Mandiant team and Palo Alto Networks' Unit 42 are expected to join the project soon, potentially bringing even more clarity to the threat landscape.
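The "decoder ring" described above is, in practice, a graph of "vendor A's name = vendor B's name" links that an analyst needs to query in any direction, including through a third vendor's alias. The following is an added illustration, not code from Microsoft, CrowdStrike or the joint reference guide: it merges such links with union-find so that two vendor names resolve to the same cluster whenever they are connected by any chain of published aliases, and then uses the resolver to group alerts from different vendors. Only the APT27 / Silk Typhoon pairing is taken from this page (attributing the "APT27" label to Mandiant is an assumption); every other vendor name, actor name and alert is constructed for the example.

```python
"""Cross-vendor threat-actor alias resolution with union-find.

Added example, not the project's own code.  Alias links below are
constructed for illustration except the APT27 / Silk Typhoon pair,
which this page states; the vendor "Mandiant" for APT27 is assumed.
"""
from collections import defaultdict

# Each entry says: (vendorA, nameA) and (vendorB, nameB) are the same actor.
ALIAS_LINKS = [
    (("Microsoft", "Silk Typhoon"), ("Mandiant", "APT27")),          # from the page
    (("Microsoft", "Example Tempest"), ("CrowdStrike", "EXAMPLE SPIDER")),  # constructed
    (("CrowdStrike", "EXAMPLE SPIDER"), ("VendorC", "Group-1234")),         # constructed
]


class AliasResolver:
    """Union-find over (vendor, name) nodes; lookups are case/space-insensitive."""

    def __init__(self, links):
        self._parent = {}   # normalised key -> parent key
        self._display = {}  # normalised key -> (vendor, name) as first seen
        for a, b in links:
            self._union(a, b)

    @staticmethod
    def _key(node):
        vendor, name = node
        return (vendor.strip().lower(), " ".join(name.split()).lower())

    def canonical(self, node):
        """Return the cluster root for a (vendor, name) pair, registering it if new."""
        key = self._key(node)
        if key not in self._parent:
            self._parent[key] = key
            self._display[key] = (node[0].strip(), " ".join(node[1].split()))
        while self._parent[key] != key:
            self._parent[key] = self._parent[self._parent[key]]  # path halving
            key = self._parent[key]
        return key

    def _union(self, a, b):
        ra, rb = self.canonical(a), self.canonical(b)
        if ra != rb:
            self._parent[ra] = rb

    def same_actor(self, a, b):
        """True when both aliases sit in the same cluster (directly or transitively)."""
        return self.canonical(a) == self.canonical(b)

    def aliases(self, node):
        """All known (vendor, name) aliases for the actor behind `node`."""
        root = self.canonical(node)
        return sorted(self._display[k] for k in list(self._parent) if self.canonical(k) == root)

    def name_for(self, node, vendor):
        """Translate an alias into `vendor`'s name for the same actor, or None."""
        want = vendor.strip().lower()
        for v, n in self.aliases(node):
            if v.lower() == want:
                return n
        return None


def correlate(resolver, alerts):
    """Group alert ids whose vendor-specific actor labels resolve to one cluster."""
    clusters = defaultdict(list)
    for alert_id, vendor, actor in alerts:
        clusters[resolver.canonical((vendor, actor))].append(alert_id)
    return {root: sorted(ids) for root, ids in clusters.items()}


# Constructed alerts: two vendors, two actors, four different labels.
SAMPLE_ALERTS = [
    ("A-1", "Microsoft", "Silk Typhoon"),
    ("A-2", "Mandiant", "APT27"),
    ("A-3", "CrowdStrike", "EXAMPLE SPIDER"),
    ("A-4", "VendorC", "Group-1234"),
]

if __name__ == "__main__":
    r = AliasResolver(ALIAS_LINKS)
    print(r.aliases(("VendorC", "Group-1234")))
    print(correlate(r, SAMPLE_ALERTS))
```

Because links are merged transitively, a name that CrowdStrike maps to VendorC still resolves against Microsoft's label even though no direct Microsoft/VendorC pairing was ever published; that is the property that lets a "Rosetta Stone" grow as more vendors join without every pair of vendors having to publish a mapping to each other.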
@cyble.com
The ransomware landscape is experiencing significant shifts in April 2025, with groups like Qilin taking center stage. Despite a general decline in ransomware attacks from 564 in March to 450 in April, the lowest level since November 2024, Qilin has surged to the top of the ransomware rankings. This rise is attributed to the realignment of cybercriminal groups within the chaotic Ransomware-as-a-Service (RaaS) ecosystem. Qilin is reportedly leveraging sophisticated tools and techniques, contributing to its increased success in recent months.
Qilin's success is partly due to the adoption of advanced tactics, techniques, and procedures (TTPs). Threat actors associated with Qilin have been observed utilizing malware such as SmokeLoader, along with a previously undocumented .NET compiled loader called NETXLOADER, in campaigns dating back to November 2024. NETXLOADER is a highly obfuscated loader designed to deploy additional malicious payloads and bypass traditional detection mechanisms, making it difficult to analyze. This loader plays a critical role in Qilin's stealthy malware delivery method. The surge in activity is reflected in the doubling of disclosures on Qilin's data leak site since February 2025, making it the top ransomware group in April.

The emergence of new actors like DragonForce is reshaping the threat landscape. The group is built for the gig economy: its features include a 20% revenue share, white-label ransomware kits, and pre-built infrastructure. DragonForce quickly moved to absorb affiliates following the April 2025 disappearance of RansomHub, pitching itself as an agile alternative to collapsed legacy operators.

A historic surge in ransomware activity is occurring. A total of 2,289 publicly named ransomware victims were reported in Q1 alone, a 126% year-over-year increase and an all-time high. 74 distinct ransomware groups are now operating concurrently, highlighting an explosion of new actors and affiliate-driven threats.
@itpro.com
Cybersecurity firm Resecurity successfully infiltrated the BlackLock ransomware gang's network by exploiting a local file inclusion vulnerability on their data leak site (DLS). This vulnerability, a misconfiguration in the site, allowed Resecurity to access the gang's network infrastructure, configuration files, and even account credentials. By gaining access, Resecurity could observe the gang's operations, identify potential victims, and alert both the victims and authorities, providing valuable insights into the gang's modus operandi.
Resecurity's actions have provided law enforcement with crucial information about BlackLock, also known as El Dorado, which had successfully attacked at least 46 organizations worldwide. The compromised DLS revealed that the gang was actively recruiting affiliates to spread the ransomware further. By uncovering the gang's methods and infrastructure, Resecurity has potentially disrupted BlackLock's operations and protected numerous organizations from falling victim to its attacks.
Microsoft Threat@Microsoft Security Blog
References: Microsoft Security Blog, Schneier on Security
The U.S. Department of Justice has indicted 12 Chinese individuals for over a decade of global hacking intrusions, including a breach of the U.S. Treasury last year. The individuals include eight staffers for the contractor i-Soon, two officials at China’s Ministry of Public Security, and two other alleged hackers belonging to the APT27 group, also known as Silk Typhoon. The group is accused of targeting U.S. state and federal agencies, foreign ministries across Asia, Chinese dissidents, and U.S.-based media outlets critical of the Chinese government.
Microsoft Threat Intelligence has detected a new variant of XCSSET, a macOS malware that targets Xcode projects, the first new variant observed since 2022. This variant features enhanced obfuscation, updated persistence mechanisms, and new infection strategies. It steals and exfiltrates files and system/user information, including digital wallet data and notes. The malware's modular approach and encoded payloads make detection and removal challenging, and even allow it to remain fileless.