TRENDING TOPICS DEC 09, 2025

Update: Ransomware Actors Target Hypervisors at Scale

Ransomware operations are increasingly shifting their focus to the hypervisor layer, where a single point of control can affect dozens of virtual machines simultaneously. Huntress data shows a steep rise in attacks throughout 2025, with hypervisor-level encryption incidents climbing from a small fraction early in the year to a significant portion by year's end, primarily driven by the Akira group. Adversaries are exploiting weak segmentation, mismanaged credentials, and gaps in monitoring to maneuver into the vCenter, ESXi, and Hyper-V management planes, where traditional endpoint defenses provide limited coverage. Many intrusions require no custom malware at all; attackers often rely on built-in tools to encrypt virtual volumes, reducing noise and accelerating operations. Vulnerabilities that grant elevated control, including flaws tied to automatic AD group privilege inheritance, have made it easier for threat actors to seize administrative access and deploy mass encryption within seconds. Protecting this layer requires the same rigor applied to mission-critical infrastructure, beginning with strict identity practices and properly isolated management networks that prevent lateral movement. Organizations should rely on dedicated local accounts, enforce MFA across all management interfaces, and route administrative sessions through monitored jump hosts to ensure accountability. Hardening actions that limit the execution of code to trusted components and disable unnecessary services reduce attackers' ability to run tools on the host. A resilient recovery posture remains essential, with immutable backups, detached authentication for backup systems, and frequent validation of full VM restorations to ensure business continuity. Continuous monitoring for configuration drift, suspicious log events, and unexpected management access further improves detection and response. Controls such as reinforced segmentation, strong identity controls, and validated disaster recovery capabilities can help reduce the risk of large-scale disruption.
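The two identity controls above (dedicated local accounts, administrative sessions only via monitored jump hosts) can be audited from management-plane authentication logs. The following is an added example, not Huntress's tooling: the log format, host names, and jump-host subnet are all constructed for illustration.

```python
"""Flag hypervisor management-plane logins that bypass the jump-host and
local-account controls. Added example over constructed data."""
import ipaddress
import re
from dataclasses import dataclass

# Assumed policy: successful admin logins to vCenter/ESXi/Hyper-V hosts must come
# from the monitored jump-host subnet and use dedicated local accounts.
JUMP_HOST_NET = ipaddress.ip_network("10.20.30.0/28")                 # hypothetical
MANAGEMENT_HOSTS = {"esxi-01", "esxi-02", "vcenter-01", "hyperv-01"}  # hypothetical

# Constructed log format (not any product's real format):
#   <host> auth: user=<account> src=<ip> result=<success|failure>
LINE_RE = re.compile(
    r"^(?P<host>\S+) auth: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$"
)

@dataclass
class Finding:
    host: str
    user: str
    src: str
    reason: str

def audit_line(line: str) -> list:
    m = LINE_RE.match(line.strip())
    if not m or m["host"] not in MANAGEMENT_HOSTS or m["result"] != "success":
        return []
    findings = []
    # Domain accounts appear as DOMAIN\user or user@domain in the constructed data;
    # a local account has neither marker.
    if "\\" in m["user"] or "@" in m["user"]:
        findings.append(Finding(m["host"], m["user"], m["src"],
                                "domain account used on management plane"))
    if ipaddress.ip_address(m["src"]) not in JUMP_HOST_NET:
        findings.append(Finding(m["host"], m["user"], m["src"],
                                "login from outside the jump-host network"))
    return findings

def audit(lines) -> list:
    return [f for line in lines for f in audit_line(line)]

SAMPLE_LOG = [  # constructed sample lines
    "esxi-01 auth: user=esxadmin src=10.20.30.5 result=success",
    "esxi-01 auth: user=CORP\\svc-backup src=10.20.30.5 result=success",
    "vcenter-01 auth: user=vcadmin src=192.168.50.77 result=success",
    "hyperv-01 auth: user=CORP\\jdoe src=192.168.50.77 result=failure",
    "fileserver-01 auth: user=CORP\\jdoe src=192.168.50.77 result=success",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.host}: {f.user} from {f.src}: {f.reason}")
```

Failed logins are deliberately ignored here so the check reports policy bypasses rather than brute-force noise; a separate threshold rule would cover the failures.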

Vishing Campaign Abuses Microsoft Tools to Deliver Fileless Malware

A newly observed vishing campaign is combining impersonation, remote assistance abuse, and advanced fileless execution to compromise targets with multi-stage .NET malware. The attack begins when threat actors spoof the identities of IT personnel in Microsoft Teams, prompting victims to trust unexpected support calls. Once contact is made, the attacker walks the user through launching Windows Quick Assist, which appears to grant remote access for legitimate troubleshooting. Within minutes, the victim is redirected to a malicious webpage hosted on the attacker's infrastructure, transitioning the operation from social engineering to technical delivery. This redirection triggers the download of a trojanized executable presented as a system update, establishing the foundation for a stealthy, memory-resident infection chain. The deployed component functions as a .NET Core wrapper that contains an embedded loader designed to avoid traditional disk-based indicators. This loader retrieves keys from a remote command server, separating decryption material from payload delivery, thereby complicating defenders' efforts. The final stage involves fetching an encrypted payload, decrypting it through layered AES-CBC and XOR routines, then loading the resulting assembly directly into memory through .NET reflection. This approach enables full fileless execution, bypassing antivirus tools that depend on file scanning, persistence monitoring, or static signatures. The malware inherits the user's privileges, expanding its operational freedom while staying hidden from endpoint defenses. Organizations should strengthen verification procedures for internal IT communications, limit or tightly monitor remote assistance capabilities, and educate employees to treat unexpected support requests as potential threats. They should also deploy security platforms capable of inspecting .NET runtime behavior, monitoring memory injection patterns, and detecting anomalous Quick Assist usage, thereby improving the likelihood of identifying this type of fileless intrusion before it escalates.
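One concrete form of "detecting anomalous Quick Assist usage" is to correlate a Quick Assist session with an executable launched shortly afterwards from a user-writable path in the same session, which is the delivery pattern described above. This is an added example over constructed process telemetry, not the reporting vendor's detection; the binary name `quickassist.exe`, the path markers, and the session field are assumptions to adapt to the telemetry in use.

```python
"""Correlate Quick Assist sessions with executables launched from user-writable
paths shortly afterwards. Added example over constructed events."""
from datetime import datetime, timedelta
from typing import NamedTuple

class ProcEvent(NamedTuple):
    ts: datetime
    session: str      # interactive logon session identifier (assumed field)
    image: str        # full path of the started process
    parent: str       # parent image path

# Assumed: Quick Assist's binary name, and the user-writable locations where a
# browser-delivered "update" would typically land.
QUICK_ASSIST = "quickassist.exe"
WRITABLE_MARKERS = ("\\downloads\\", "\\temp\\", "\\appdata\\local\\")
WINDOW = timedelta(minutes=30)

def is_quick_assist(ev: ProcEvent) -> bool:
    return ev.image.lower().rsplit("\\", 1)[-1] == QUICK_ASSIST

def from_writable_path(ev: ProcEvent) -> bool:
    img = ev.image.lower()
    return img.endswith(".exe") and any(mk in img for mk in WRITABLE_MARKERS)

def correlate(events) -> list:
    """Return (quick_assist_event, suspicious_event) pairs from the same session
    where the suspicious launch happened within WINDOW after Quick Assist started."""
    events = sorted(events, key=lambda e: e.ts)
    hits = []
    for i, qa in enumerate(events):
        if not is_quick_assist(qa):
            continue
        for ev in events[i + 1:]:
            if ev.ts - qa.ts > WINDOW:
                break                      # events are sorted, so nothing later fits
            if ev.session == qa.session and from_writable_path(ev):
                hits.append((qa, ev))
    return hits

T0 = datetime(2025, 12, 9, 10, 0)   # constructed timeline
SAMPLE_EVENTS = [  # constructed telemetry, not from a real incident
    ProcEvent(T0, "S-2", r"C:\Windows\System32\quickassist.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(T0 + timedelta(minutes=4), "S-2", r"C:\Program Files\Browser\browser.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(T0 + timedelta(minutes=7), "S-2", r"C:\Users\alice\Downloads\SystemUpdate.exe", r"C:\Program Files\Browser\browser.exe"),
    ProcEvent(T0 + timedelta(minutes=9), "S-3", r"C:\Users\bob\Downloads\setup.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(T0 + timedelta(hours=2), "S-2", r"C:\Users\alice\AppData\Local\Temp\tool.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for qa, ev in correlate(SAMPLE_EVENTS):
        minutes = (ev.ts - qa.ts).seconds // 60
        print(f"session {ev.session}: {ev.image} started {minutes} min after Quick Assist")
```

The session match is what keeps a legitimate help-desk session on one host from lighting up an unrelated download elsewhere; the parent-process field is carried so a second rule can require a browser parent if the base rule proves too noisy.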

AI-Driven Threat Hunting Exposes GhostPenguin Linux Backdoor

GhostPenguin is a newly uncovered Linux backdoor that remained undetected for months, demonstrating how advanced threat actors design implants that blend quiet operation, robust remote control, and strong command delivery mechanisms. Trend Micro's AI-driven hunting pipeline identified the sample after profiling thousands of Linux binaries from VirusTotal and isolating those with no detection history, allowing analysts to pinpoint a multi-threaded C++ backdoor built from the ground up. GhostPenguin communicates via an RC5-encrypted UDP channel on port 53 and performs a structured handshake to obtain a session identifier, enabling encrypted registration, heartbeat signaling, and reliable task execution. Once active, the malware gathers detailed system information and then awaits commands that support remote shell access and extensive file and directory manipulation, including creating, deleting, moving, and modifying system artifacts. This discovery highlights how traditional defenses miss novel Linux malware families when actors avoid code reuse, minimize network signatures, and rely on controlled multi-stage communication flows. Trend Micro's research also shows that AI-supported threat hunting is becoming essential for uncovering stealthy malware that persists quietly within enterprise Linux environments. By building a structured artifact database and applying automated decompilation pipelines, analysts were able to classify behaviors, map capabilities, and generate custom YARA and hunting rules that brought GhostPenguin out of obscurity. The workflow relied on extracting strings, API calls, communication patterns, and behavioral markers from thousands of samples, enabling AI agents to score suspicious files, escalate high-confidence candidates, and generate technical analysis reports aligned with real-world attack behaviors. The research underscores the need for defenders to adopt intelligence-led practices that go beyond signature matching, combining AI automation, rich contextual analysis, and long-term behavioral profiling to surface hidden threats. Organizations should strengthen Linux visibility, deploy behavioral monitoring that can detect encrypted UDP communications and remote shell spawning, and incorporate AI-based hunting tools to stay ahead of rapidly evolving backdoors engineered to evade conventional detection.
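An RC5-encrypted channel on UDP/53 hides among DNS traffic only as long as nobody checks whether the packets are actually shaped like DNS. The check below is an added example of that idea, written for this summary and not taken from Trend Micro's research or rules: it parses only the DNS header and question section, so an opaque encrypted payload fails while ordinary queries pass. All packets are constructed inline, and the heuristic is a general non-DNS-on-53 detector rather than a GhostPenguin signature.

```python
"""Flag UDP payloads on port 53 that are not shaped like DNS messages.
Added example over constructed packets."""
import struct

def _skip_name(buf: bytes, pos: int):
    """Walk a DNS name; return the offset after it, or None if malformed."""
    total = 0
    while pos < len(buf):
        n = buf[pos]
        if n == 0:
            return pos + 1
        if n & 0xC0 == 0xC0:            # compression pointer terminates the name
            return pos + 2 if pos + 2 <= len(buf) else None
        if n & 0xC0:                    # 01/10 label types are not in use
            return None
        total += n + 1
        if total > 255:
            return None
        pos += 1 + n
    return None                         # ran off the end without a terminator

def looks_like_dns(payload: bytes) -> bool:
    """Heuristic: header fields and question section are plausible for DNS."""
    if len(payload) < 12:
        return False
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    opcode = (flags >> 11) & 0xF
    if opcode > 2 or qd > 4 or an + ns + ar > 64:   # wild counts: not real traffic
        return False
    pos = 12
    for _ in range(qd):
        pos = _skip_name(payload, pos)
        if pos is None or pos + 4 > len(payload):
            return False
        _qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
        if qclass not in (1, 3, 4, 255):            # IN, CH, HS, ANY
            return False
        pos += 4
    return True

def find_non_dns_udp53(flows) -> list:
    """flows: iterable of (src, dst, dport, payload) for UDP packets."""
    return [(src, dst) for src, dst, dport, payload in flows
            if dport == 53 and not looks_like_dns(payload)]

def build_query(name: str) -> bytes:
    """Minimal valid A query, used only to construct benign sample traffic."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

SAMPLE_FLOWS = [  # constructed packets; the opaque bytes stand in for an encrypted payload
    ("10.0.0.5", "10.0.0.53", 53, build_query("example.com")),
    ("10.0.0.7", "203.0.113.9", 53, bytes(range(0x80, 0xA0))),
    ("10.0.0.7", "203.0.113.9", 53, b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6 + b"\x9c\x44\xa7"),
    ("10.0.0.8", "10.0.0.53", 123, b"\x1b" + b"\x00" * 47),   # NTP, not on port 53
]
```

Because only the question section is parsed, EDNS and response records do not trip the check; the remaining false positives are hosts that legitimately run a non-DNS service on UDP/53, which is itself worth an allowlist entry rather than silence.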

Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.