Pulsedive Threat Intelligence

Wishing our community the best in the remaining days of 2025, and an amazing 2026 to come. Happy New Year!

What To Know: Ink Dragon - Suspected China-linked espionage group focused on intelligence collection - Known for targeted attacks and custom malware, converting compromised environments to launch new attacks - Frequently targets government, telecom, and public sector Threat page: https://lnkd.in/eGDkz3FN Credit to recent reporting from the Check Point Software research team: https://lnkd.in/gNXACYB3

Here's a breakdown of additions to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities Catalog in 2025 by vendor. - 236 vulnerabilities added to KEV year to date (as of 12/14/25) - Microsoft led with 39 - 23 vulnerabilities have been used in ransomware campaigns More info on this and more threat landscape activities from 2025 here: https://lnkd.in/e3w_4_sY

This Week in Curated Intelligence Bytes&Borscht — Your reporting should act as a yardstick — https://lnkd.in/ePxK55ZQ Mei Danowski — The Many Arms of the MSS — https://lnkd.in/gj6DUT2i Thomas Roccia — Experimenting with Gemini Gems for CTI — https://lnkd.in/e8-DcirN SttyK — Why Not Start With Your Purpose? — https://lnkd.in/euKJzAVV Eli W. — The Indictment is the IOC: Using Legal Records to Hunt DPRK Remote Workers — https://lnkd.in/eiViHzrf Grace C. — 2025 in Review — https://lnkd.in/e3w_4_sY Andy G. — Making Cloudflare Workers Work for Red Teams — https://blog.zsec.uk/capd/ Ollie Whitehouse — CTO at NCSC Weekly Summary — https://lnkd.in/egtT5ZXj

⚠️ PSA: Incident Responders from the Curated Intelligence community have encountered a new CLOP extortion campaign targeting Internet-facing CentreStack file servers. From recent port scan data, there appears to be at least 200+ unique IPs running the “CentreStack - Login” HTTP Title, making them potential targets of CLOP who is exploiting an unknown CVE (n-day or zero-day) in these systems. This is yet another similar data extortion campaign by this adversary. CLOP is well-known for targeting file transfer servers such as Oracle EBS, Cleo FTP, MOVEit, CrushFTP, SolarWinds Serv-U, PaperCut, GoAnywhere, among others. Resources: https://lnkd.in/enEA9jSZ

A lot happened in 2025 - some surprising, some expected. In 2024 we predicted increased adoption Gen AI by threat actors for social engineering lures and malicious tooling. In 2025, we saw that threat actors have integrated AI into malware and used prompt engineering to bypass AI safety controls. Notably, Anthropic reported on the first AI-orchestrated cyber espionage campaign. See below for the breakdown by task & AI v. human activity. For more details about this and what else happened in the threat landscape over the last 12 months, check out our Year in Review blog: https://lnkd.in/e3w_4_sY

Shoutout to the Cisco Talos team, Jessica (Bair) Oppenheimer, & all the hard work to make the Cisco Live Melbourne SOC happen. It's been years since our integration was added - grateful for the continued collaboration with the team for our end clients and community. Glad to provide threat intel enrichment & data to help secure the show! Read more: https://lnkd.in/eUNB3scJ

Exploitation attempts for #React2Shell (CVE-2025-55182) have been widespread over the last week. Three resources that outline exploitation are: https://lnkd.in/gEFra979 https://lnkd.in/g-GgwrtE https://lnkd.in/gYZbu6Ap Recommendation: Deploy patches as soon as possible

Pulsedive links related threats together in our platform. Here's an example: RONINGLOADER (https://lnkd.in/ebYtZkru) is used by Dragon Breath APT (https://lnkd.in/eMumMr4X) to deploy Gh0st RAT (https://lnkd.in/ebTTcGJw)

LAST CALL Less than a day left on our deal: 30% off a year of Pro. This is our biggest sale of the year for Pro, which comes with an upgraded API, Feed, and additional benefits. Monthly and annual plans both apply for first-time customers. Redeem: https://lnkd.in/eNPrtHik Details: https://lnkd.in/ecrfn_xu