
February 2025

Threat Intelligence Report

  • The Bitsight Investigative Platform detected attacks against 793 organizations in February 2025, in comparison with 573 in January.
  • The group Clop was responsible for the highest number of ransomware attacks this month, returning to the top spot as it continues to leak data from victims of the Cleo attacks.
  • Funksec dropped out of the top five groups this month, after a burst of activity during the previous two months.
  • Bitsight's victimology statistics aggregate all of Funksec’s attack types, which include data breaches, ransomware attacks, and website defacement.
[Figure: Top targeted countries, February 2025]

[Figure: Top ransomware groups, February 2025]

The listed groups above accounted for 67% of all ransomware attacks among the top 10 operations in February 2025. The other five groups in the top 10 were Cactus (8%), Medusa (7%), Lynx (7%), Funksec (6%), and Fog (5%).
 
[Figure: Top targeted industries, February 2025]

‘Typhoon’ Season: U.S. Treasury Department Sanctions China-Linked Threat Groups:

After a major cyber attack on the U.S. Treasury Department, U.S. authorities announced sanctions targeting multiple China-linked threat groups, including Silk Typhoon and Salt Typhoon. Although the vulnerabilities exploited in the Treasury intrusion have since been patched, Bitsight detected stolen credentials for the affected vendor being advertised on a popular dark web forum.

Dark Web ‘DeepSeek’: Threat Actors Jailbreak AI Juggernaut, Steal User Data:

As upstart AI platform DeepSeek continues to grab headlines, cybercriminals are jailbreaking the model, bypassing the guardrails intended to prevent abuse of the tool. Bitsight also observed a threat actor advertising stolen data from DeepSeek users; the platform was separately hit by disruptive cyber attacks that forced it to suspend new registrations.

‘Black Basta’ Exposed: Massive Leak Reveals Ransomware Gang’s Tactics:

The ‘Black Basta’ ransomware group was targeted by an ideologically driven actor who leaked hundreds of thousands of the gang’s internal messages. The discussions exposed details about both the group’s members and its operations, including its preference for compromising VPNs and its recent pivot to social engineering.

[Figure: Black Hat Pro Tools forum]

Black Hat Pro Tools is an English-language forum on the deep web that became active in 2025.

As its name implies, it is focused on general black hat activity, serving as a platform for discussion, tool sharing, and strategies for malicious operations.

The forum’s administrators also maintain an X/Twitter account that has over 35,000 followers. The feed is used to promote goods and services available on the forum.

Top 3 Vulnerabilities in February

The Dynamic Vulnerability Exploit (DVE) Module score reflects the probability of a vulnerability being exploited by malicious actors over the next 90 days.

CVE-2025-0411

The current DVE score is 9.77. This is a Mark-of-the-Web (MotW) bypass in 7-Zip: when extracting files from a crafted archive that carries the MotW, affected versions of 7-Zip do not propagate the mark to the extracted files, so Windows protections such as SmartScreen and Office Protected View are not applied to them. Exploitation requires user interaction (the target must open the malicious archive and run the extracted content), after which the attacker can execute arbitrary code in the context of the current user. The issue is fixed in 7-Zip 24.09; 7-Zip has no auto-update mechanism, so installed versions should be checked and upgraded manually.

CVSS: 7

DVE: 9.77
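To make concrete what this bypass defeats, the following added example (written for this report; it is not Bitsight's, 7-Zip's or the advisory's code) parses the Zone.Identifier alternate data stream that stores the Mark-of-the-Web on NTFS and flags extracted files that lost the mark although the downloaded archive carried it, which is exactly the condition CVE-2025-0411 produces. The stream contents, file names and URLs are constructed samples; the `read_motw` helper only does a live read on Windows and returns None elsewhere.

```python
"""Inspect Mark-of-the-Web (MotW) on files extracted from a downloaded archive.

On NTFS, MotW is an alternate data stream named "Zone.Identifier" holding an
INI-style [ZoneTransfer] section. ZoneId=3 (Internet) is what makes Windows
apply SmartScreen and Office Protected View. Example code written for this
report; the paths and stream contents below are constructed, not captured.
"""
import os
from dataclasses import dataclass
from typing import Dict, List, Optional

# URL security zone identifiers used by Windows.
ZONE_NAMES = {0: "LocalMachine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}


@dataclass
class ZoneTransfer:
    zone_id: int
    referrer_url: Optional[str] = None
    host_url: Optional[str] = None

    @property
    def from_untrusted_zone(self) -> bool:
        # Internet (3) and Restricted (4) are the zones that trigger MotW protections.
        return self.zone_id >= 3

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, "Unknown")


def parse_zone_identifier(text: str) -> Optional[ZoneTransfer]:
    """Parse the body of a Zone.Identifier stream; None if it carries no ZoneId."""
    section = None
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "zonetransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip().lower()] = value.strip()
    if "zoneid" not in fields or not fields["zoneid"].isdigit():
        return None
    return ZoneTransfer(int(fields["zoneid"]), fields.get("referrerurl"), fields.get("hosturl"))


def read_motw(path: str) -> Optional[ZoneTransfer]:
    """Read a file's Zone.Identifier stream on Windows/NTFS; None if absent or unsupported."""
    if os.name != "nt":
        return None
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


def motw_gap(archive: Optional[ZoneTransfer],
             extracted: Dict[str, Optional[ZoneTransfer]]) -> List[str]:
    """Names of extracted files that lack MotW although the archive carried it.

    A non-empty result is the condition CVE-2025-0411 produces: an archive tagged
    ZoneId=3 whose extracted payload has no Zone.Identifier stream at all.
    """
    if archive is None or not archive.from_untrusted_zone:
        return []
    return sorted(name for name, m in extracted.items()
                  if m is None or not m.from_untrusted_zone)


def audit_extraction(archive_path: str, extracted_paths: List[str]) -> List[str]:
    """Live check on a Windows host: compare the archive's MotW with its extracted files."""
    return motw_gap(read_motw(archive_path), {p: read_motw(p) for p in extracted_paths})


# Constructed sample streams (hypothetical URLs); not taken from a real incident.
SAMPLE_ARCHIVE_STREAM = (
    "[ZoneTransfer]\r\nZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/\r\n"
    "HostUrl=https://example.invalid/invoice.7z\r\n"
)
SAMPLE_EXTRACTED = {
    "invoice.pdf.exe": None,  # stream missing: MotW was not propagated
    "readme.txt": "[ZoneTransfer]\r\nZoneId=3\r\n",  # propagated correctly
}


def demo() -> List[str]:
    archive = parse_zone_identifier(SAMPLE_ARCHIVE_STREAM)
    extracted = {name: (parse_zone_identifier(s) if s else None)
                 for name, s in SAMPLE_EXTRACTED.items()}
    return motw_gap(archive, extracted)


if __name__ == "__main__":
    print("Files that lost MotW:", demo())
```

On a patched 7-Zip (24.09 or later) `audit_extraction` should return an empty list for an Internet-zone archive; a non-empty result on a Windows host means the extractor in use is still dropping the mark.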

CVE-2025-24200

The current DVE score is 9.33. This authorization issue allows an attacker with physical access to disable USB Restricted Mode on a locked device. Apple reported that it may have been exploited in an extremely sophisticated attack against specific targeted individuals. The issue was addressed with improved state management and is fixed in iPadOS 17.7.5, iOS 18.3.1 and iPadOS 18.3.1.

CVSS: 6.1

DVE: 9.33

CVE-2025-0108

The current DVE score is 9.74. This authentication bypass in Palo Alto Networks PAN-OS allows an unauthenticated attacker with network access to the management web interface to bypass the authentication that interface normally requires and invoke certain PHP scripts. Beyond patching, the management interface should be reachable only from trusted internal IP addresses, which is the standard Palo Alto Networks hardening guidance and limits exposure to this and similar bugs.

CVSS: 9.1

DVE: 9.74


An Analysis of the Top Mentioned Malware in February

In February 2025, Babuk 2.0 (aka Babuk Locker) had the highest number of mentions in the underground sources collected by the Bitsight Investigative Portal.

The Babuk 2.0 operation presents itself as a relaunch of the original Babuk ransomware strain (aka Babyk/Vasa Locker), which emerged at the beginning of 2021 and was responsible for multiple attacks on companies and governmental entities.

Babuk’s operators are recruiting affiliates on BreachForums and DarkForums using the motto “Earn Big, Live Bigger,” in addition to leaking data to advertise the ransomware-as-a-service (RaaS) platform.

Babuk maintains several Telegram channels for support and correspondence, in addition to communicating via Tox.


Spotlight on a Threat Actor

A threat actor named ExploitWhispers was responsible for leaking a trove of data from the Black Basta ransomware group discussed above, dumping the content on the mega.nz file-sharing platform before eventually moving it to a dedicated Telegram channel that is monitored by Bitsight.

ExploitWhispers expressed a desire to punish the group for attacking Russian organizations, activity that is an aberration among RaaS groups, which usually avoid targeting entities in CIS countries.

The leak allegedly includes chat logs with critical intelligence related to this group’s tactics, techniques, and procedures (TTPs), including phishing templates, cryptocurrency addresses, stolen credentials, and strategies for pressuring victims into paying ransoms.

The group messages were exchanged between administrators and affiliates and contain key victimology indicators. The leaked data also revealed the group’s pursuit of insider access and VPN exploits, which it actively sought and used to infiltrate victims’ systems. While the group appeared to focus on utilities, supply chain firms, and finance organizations, it also excluded (whitelisted) specific victims that other gangs had already compromised.


APTs During the Month of February

During the first week of February 2025, a politically motivated threat group called TalibLeaks (aka Taliban Leaks) posted documents from 21 Afghan ministries and government agencies on the group’s dedicated leak site (DLS).

The campaign appears designed to harm the Taliban, whom the U.S. classified as Specially Designated Global Terrorists (SDGTs) under Executive Order 13224. According to TalibLeaks, the content on the DLS contains classified information and documents from the Taliban-controlled Ministries of Finance, Justice, Foreign Affairs, Information and Culture, Telecommunications, and Mining.

In response, the Taliban Ministry of Communications and Information Technology denied that its data center was breached, claiming instead that the leaked documents were obtained from “individual computers” with poor security hygiene. While downplaying the extent of the potential breach, the Taliban’s public statements did not appear to deny the authenticity of the content; instead, they dismissed the leaked material as stale, publicly accessible data.