
Meet Scattered Spider: The Group Currently Scattering UK Retail Organizations

First published May 8th 2025. Updated Sept 16th 2025.

Editor’s Note: This blog builds on our recent analysis of the DragonForce ransomware cartel, which claimed responsibility for a wave of UK retail attacks in April–May 2025. While DragonForce took credit for the extortion and data leak phase, growing evidence suggests that another group—Scattered Spider—may have played a foundational role in enabling those attacks.

The Great NPM Heist - September 2025

On September 8, 2025, the JavaScript ecosystem experienced what is now considered the largest supply chain attack in npm history. A sophisticated phishing campaign led to the compromise of a trusted maintainer’s account, resulting in the injection of cryptocurrency-stealing malware into 18+ foundational npm packages. These packages collectively accounted for over 2 billion weekly downloads, affecting millions of applications globally—from personal projects to enterprise-grade systems.

The Alarming Surge in Leaked Credentials: Protecting Your Business in 2025

One of the most pressing cyber threats businesses face today is the rampant rise in leaked credentials. Data from Cyberint, a Check Point company, reveals a staggering 160% increase in leaked credentials so far in 2025 compared to 2024. This isn’t just a statistic; it’s a direct threat to your organization’s security.

The Downfall of XSS Forum

On July 23rd, the notorious Russian-language hacking forum XSS.is was seized by French law enforcement agencies. Interestingly, just a few hours before the takedown, researchers at Cyberint, now a Check Point Company, were informed by “Loki,” a well-known moderator on BreachForums, that one of XSS’s admins had allegedly been arrested by the French. This follows a series of actions by French authorities, who have arrested BreachForums admins over the past few months.

Cloak Ransomware: Who's Behind the Cloak?

Emerging between late 2022 and the beginning of 2023, Cloak Ransomware is a new ransomware group. Despite its activities, the origins and organizational structure of the group remain unknown. According to data from the group’s DLS (data leak site), Cloak has accessed 23 databases of small-medium businesses, selling 21 of them so far. Out of these, 21 victims paid the ransom and had their data deleted, 1 declined and 1 is still in negotiations, indicating a high payment rate of 91-96%.

Qilin Ransomware: Get the 2025 Lowdown

Qilin operates as an affiliate program for Ransomware-as-a-Service, employing a Rust-based ransomware to target victims. Qilin ransomware attacks are often tailored for each victim to maximize their impact, utilizing tactics like altering filename extensions of encrypted files and terminating specific processes and services.

Mapping Attacks by TEAM FEARLESS

TEAM FEARLESS is a hacktivist group active in various cyber operations. Their activities are motivated by political and ideological beliefs, primarily in support of Palestine, and they have notably targeted organizations and government entities associated with Israel. The group primarily conducts Distributed Denial of Service (DDoS) attacks and has claimed responsibility for disrupting services of various organizations.

Introducing the Risk Dashboard: Cyberint's Answer to the Challenge of Measuring & Mitigating Cyber Risk

Cyber security is now a major focus for organizations of all sizes and across all industries. Despite the increased attention on cyber—and corresponding boost in budgets—many organizations still struggle to effectively measure and report on their cyber program. This challenge has broader implications, as justifying your budget and headcount is much more difficult if you can’t clearly show results and success to the board.