August 26, 2025 Cyber Threat Intelligence Briefing

This week’s briefing covers:

00:00 – Intro

00:43 [MALWARE] PIPEMAGIC Backdoor
Microsoft has released an in-depth technical analysis of PIPEMAGIC, a sophisticated, modular backdoor framework actively used by ransomware groups such as PLAY to deploy their payloads.

03:22 [CAMPAIGN] Russian Hacktivists Target Polish Power Plant a Second Time
A Polish hydropower plant has been targeted by Russian hacktivists for a second time this year. The power plant, located in Tczew, near Gdańsk, was previously targeted in May when the plant was offline. A video has now been released showing the group targeting the same facility for a second time, this time disrupting its control systems and turbines during operation.

04:19 [MALWARE] New RAT Targeting Financial Institutions
A new malware campaign is targeting financial institutions, particularly trading and brokerage firms, using a previously unknown remote access trojan (RAT) called GODRAT. The attacks deliver malicious screensaver (.SCR) files disguised as financial documents via Skype messages and use steganography to hide shellcode inside image files; that shellcode then downloads the malware from a C2 server.

06:59 [MALWARE] Linux EDR-bypassing post-exploitation framework RINGREAPER
Over a year after the XZ Utils backdoor (CVE-2024-3094) was disclosed in March 2024, Binarly researchers identified 35 Docker Hub images still containing the malicious code. The set includes 12 base Debian images and 23 derivative builds, creating transitive infection risks across container environments.

09:29 [RANSOMWARE] KTA492 (Warlock) Ransomware
KTA492, also known as WARLOCK, is a ransomware group that emerged in June 2025 on the Russian-language platform RAMP. The group quickly began claiming victims, over 16 in the first two days after its launch, half of which were Eastern European government agencies. The group is suspected of having ties to the ransomware group BLACKBASTA, and since June 2025 KTA492 has expanded its operations to targets across the globe.

Dive deeper:

Kroll’s Monthly Threat Intelligence Spotlight Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/cti-spotlight-trends-report

Kroll’s Q3 2024 Threat Landscape Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/q3-2023-threat-landscape-report-social-engineering

Playlist of Kroll's Weekly Cyber Threat Intelligence Briefings: Cyber Threat Intelligence Briefings

Kroll Cyber Blog: https://www.kroll.com/en/insights/publications/cyber

Kroll Cyber Threat Intelligence: https://www.kroll.com/en/services/cyber-risk/managed-security/threat-intelligence-services

Kroll Threat Intelligence Reports: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports

Kroll Responder MDR: https://www.kroll.com/en/services/cyber-risk/managed-security/kroll-responder

#krollcyber #threatintelligence #cyberthreats