• Threat actor landscape: what every CISO must know to stay ahead

    From TechnologyDaily@1337:1/100 to All on Fri Dec 19 11:15:08 2025
    Threat actor landscape: what every CISO must know to stay ahead

    Date:
    Fri, 19 Dec 2025 10:58:07 +0000

    Description:
    Organizations should build their cybersecurity programs around their adversaries, not assumptions.

    FULL STORY ======================================================================

    Now in 2H 2025, the cybersecurity landscape is not just active; it's industry-specialized and precision-targeted. Sophisticated threat actors no longer take a spray-and-pray approach.

    Instead, they study your sector, exploit your business model, and even train their malware to mimic your workflows.

    To outpace attackers, CISOs must understand who is targeting their industry, how they're doing it, and why, and then convert that knowledge into action through a robust threat intelligence program (TIP).

    Without threat intelligence, your defenses are based on guesswork. Threat actors know your industry, your environment, and your users. Your defenses should know them too.

    The Essential Threat Intelligence Program (TIP)

    A mature threat intelligence capability isn't just about collecting feeds; it's about translating threat data into actionable defenses. With a modern program, you can:

    - Identify threat actors and tactics, techniques, and procedures (TTPs) targeting your industry with high fidelity.

    - Use frameworks like MITRE ATT&CK to reduce risk.

    - Enhance detection and response via security information and event management (SIEM), security orchestration, automation, and response (SOAR), and endpoint detection and response (EDR).

    - Customize awareness training to real attack scenarios.

    - Provide executive-ready reports that inform decisions.

    To unlock the value of threat intelligence, integrate it into your security fabric. For example:

    Detection engineering - Map TTPs to MITRE ATT&CK, build detections, and enrich SIEM/extended detection and response (XDR) with relevant actor indicators of compromise (IoCs).

    Automated response (SOAR) - Tag alerts by actor and sector and trigger playbooks aligned to threat profiles.

    Vulnerability management - Prioritize patches tied to active threats.

    Security awareness - Simulate actor-based phishing (e.g., QR-phishing from TA577) and train teams against deepfake voice attacks.
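    The detection engineering, SOAR and vulnerability management integrations above share one mechanism: a registry of actor profiles keyed by sector and ATT&CK technique that other tools query. The following is an added example, not code from the article or any vendor; the actor profiles, alerts, vulnerability list and playbook names are constructed sample data, and the technique-to-actor mappings are illustrative rather than an authoritative profile of any actor.

```python
"""Tiny threat-intelligence enrichment layer of the kind the article
describes: tag alerts by actor and sector, select a SOAR playbook, and
order patching by ties to techniques active against our sector.
Constructed sample data; technique IDs are ATT&CK IDs used illustratively."""

# Constructed actor profiles: actor -> (sectors targeted, ATT&CK technique IDs).
# T1566 Phishing, T1021.001 RDP, T1047 WMI, T1569.002 Service Execution
# (PsExec-style), T1528 Steal Application Access Token (OAuth tokens).
ACTOR_PROFILES = {
    "Scattered Spider": ({"healthcare", "retail"}, {"T1566", "T1021.001", "T1047"}),
    "TA577": ({"financial"}, {"T1566"}),
    "Volt Typhoon": ({"manufacturing", "energy"}, {"T1047", "T1569.002"}),
    "APT29": ({"technology"}, {"T1528"}),
}

# Constructed mapping from observed technique to the SOAR playbook to trigger.
PLAYBOOKS = {
    "T1566": "phishing-triage",
    "T1021.001": "contain-lateral-movement",
    "T1047": "contain-lateral-movement",
    "T1569.002": "contain-lateral-movement",
    "T1528": "revoke-oauth-tokens",
}


def active_techniques(org_sector):
    """Union of techniques used by every actor profiled against our sector."""
    active = set()
    for sectors, ttps in ACTOR_PROFILES.values():
        if org_sector in sectors:
            active |= ttps
    return active


def enrich_alert(alert, org_sector):
    """Tag an alert with actors whose profile matches both the observed
    technique and our sector, and attach the playbook for that technique."""
    technique = alert["technique"]
    actors = sorted(actor for actor, (sectors, ttps) in ACTOR_PROFILES.items()
                    if technique in ttps and org_sector in sectors)
    return {**alert, "actors": actors,
            "playbook": PLAYBOOKS.get(technique, "default-triage")}


def prioritize_vulns(vulns, org_sector):
    """Patch first what active actors in our sector actually use, then by CVSS.
    Each vuln is a dict with the ATT&CK technique its exploitation enables."""
    active = active_techniques(org_sector)
    return sorted(vulns, key=lambda v: (v["technique"] not in active, -v["cvss"]))


if __name__ == "__main__":
    print(enrich_alert({"id": "A1", "technique": "T1021.001"}, "healthcare"))
```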

    CISOs should include threat intelligence updates to the board and executive team in their program's regularly scheduled updates.

    They should include industry threat trends and peer incidents, actor motives and evolving techniques, and risk outcomes and funding needs.

    These insights frame cybersecurity as strategic and business-aligned, not just reactive.

    Threat actors by industry

    Each industry faces specialized threats. Here is a summary of some of the top threat actors, techniques, and trends by sector.

    Threat actors in healthcare

    Threat actors include Scattered Spider (UNC3944), BlackBasta, RansomHub, and NoEscape. TTPs comprise SIM-swapping to bypass multi-factor authentication (MFA), compromise of cloud and SaaS-based platforms, lateral movement via Remote Desktop Protocol (RDP) and unmanaged endpoints, and abuse of third-party vendor access.

    Actors impacting healthcare are (1) using social engineering like fake job offers to impersonate insiders or vendors; (2) bypassing MFA via help desk
    and recovery process abuse; and (3) leveraging advanced lateral movement,
    such as Living Off the Land Binaries (LOLBins), Windows Management Instrumentation (WMI), and PsExec, to persist across segmented networks.

    The FBI has warned that Scattered Spider actors are targeting healthcare help desk software and bypassing two-factor authentication (2FA) via support call impersonation. Lifewire reports MFA bypass is becoming a common entry point across ransomware campaigns in healthcare.

    Threat actors in financial services

    Actors include APT38 (Lazarus), TA577, and Storm-1811. TTPs comprise deepfake-enabled voice fraud, QR-phishing targeting mobile banking apps, deployment of rogue investment and payment apps, and abuse of third-party payment processors.

    In financial services, threat actors are (1) using deepfake voice scams to authorize fraudulent transfers; (2) launching QR-code phishing to steal financial credentials; and (3) spreading fake apps to harvest data and deploy malware exploiting gaps in training, mobile security, and vendor risk.

    The FBI has recently highlighted the rise of deepfake voice fraud schemes, resulting in multi-million-dollar wire fraud losses at financial
    institutions.

    Cybersecurity firms report a surge in QR-code phishing campaigns impersonating major banks, leading to credential compromise and account takeovers. Industry alerts have noted the emergence of rogue mobile apps masquerading as legitimate fintech tools, which increases exposure to credential theft and mobile malware infections.

    Threat actors in manufacturing & OT

    Threat actors here include Volt Typhoon, Sandworm, LockBit 3.0, and Muddled Libra (Scattered Spider). TTPs comprise living-off-the-land techniques using WMI and PsExec, credential harvesting, industrial control systems (ICS) protocol manipulation, and exploitation of legacy and OT-specific protocols.

    In this vertical, Volt Typhoon targets hybrid information technology (IT)/operational technology (OT) environments, exploiting weak segmentation and identity controls to maintain long-term access and enable future disruption. Multiple government agencies confirm that Volt Typhoon has been pre-positioning on IT networks to pivot into OT for potential sabotage (CISA Advisory).

    Analysts report Volt Typhoon maintained covert access to a small U.S. utility's OT network for nearly a year, demonstrating sophisticated persistence and stealth. Sandworm's continued targeting of industrial control systems highlights the increasing risk to manufacturing and critical infrastructure sectors.

    Threat actors in retail & eCommerce

    Actors here include Magecart Group 6, Storm-0539 (aka ATLAS LION), and LAPSUS$. TTPs comprise checkout hijacking via browser plugins and JS skimmers, account takeover through credential or session theft, and insider-assisted attacks for direct system access.

    Retail threat actors are exploiting compromised employee credentials and phishing campaigns, often via QR and SMS, to inject payment card skimmers, hijack checkout flows, and create fraudulent gift cards.

    Increasingly, these operations combine AI-powered phishing and insider recruitment tactics to bypass MFA, stealthily compromise POS systems, and harvest customer payment data over prolonged periods. Magecart skimmers steal payment cards from eCommerce sites and are driving a resurgence of JS-based checkout compromise.

    Microsoft observes Storm-0539 spear phishing and smishing campaigns targeting gift card workflows at U.S. retailers, enabling MFA bypass via AI-aided phishing pages (Microsoft). CISA alerts and case studies reveal that LAPSUS$ is recruiting insiders and abusing valid accounts for non-ransom data extortion across retail entities (CISA).

    Threat actors in technology & SaaS

    Actors here include Midnight Blizzard (APT29), UNC5537, and UNC3886. TTPs comprise OAuth token exfiltration, CI/CD supply chain poisoning (e.g., GitHub Actions), and DLL sideloading.

    Technology & SaaS APTs are targeting cloud-native pipelines, exploiting OAuth tokens and continuous integration (CI)/continuous delivery/deployment (CD) workflows, while using dynamic link library (DLL) sideloading for stealthy persistence and escalation.

    APT29 continues to leverage OAuth token theft for deep infiltration of cloud services and SaaS environments (Microsoft). Recent supply chain attacks have focused on GitHub Actions workflows, poisoning build pipelines to insert backdoors (CISA Alert). UNC5537 and UNC3886 have been observed using DLL sideloading to bypass application whitelisting and execute malware under the guise of legitimate software (CrowdStrike).

    Threat actors in energy & critical infrastructure

    Actors include Volt Typhoon, ChamelGang, Xenotime, and DarkTortilla. TTPs comprise firmware implants, watering-hole attacks on vendor portals, and field engineer credential theft.

    Threat actors targeting critical infrastructure use firmware implants, vendor watering-hole attacks, and stolen field engineer credentials, exploiting supply chain and identity weaknesses. Volt Typhoon continues to leverage OAuth token theft for deep infiltration of cloud services and SaaS environments (CISA).

    Xenotime is noted for deploying malware targeting industrial control systems, leveraging stolen credentials from field personnel to escalate access (Dragos).

    Final Word: Don't Just Secure, Counter the Adversary

    Without threat intelligence, your defenses are guesses. Threat actors know your industry, your software, and your systems. Your defenses should know them too, and you should be communicating this information to your board or executive team.

    Organizations should build their cybersecurity programs around their adversaries, not assumptions. Threat actors are hyper-focused by industry, so building a centralized threat intelligence engine that feeds detection, response, and training is critical.

    Finally, teams should use news-backed intelligence for reporting urgency, and conduct quarterly executive briefings.

    ======================================================================
    Link to news story: https://www.techradar.com/pro/threat-actor-landscape-what-every-ciso-must-know-to-stay-ahead


    --- Mystic BBS v1.12 A49 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)