Latest Cybersecurity News Summary
Ransomware Activity:
- Akira: Announced attacks on BOLD Furniture, a US furniture manufacturer, and MOBI Technologies, a consumer electronics brand. The group threatens to leak financial data, project details, and employee information.
- Thegentlemen: Claimed responsibility for attacks on United Enterprise Fund, a NY-based financial services firm, and two separate entities in the Chinese semiconductor industry.
- Devman: Posted two new victims, demanding ransoms of $300k and $210k respectively, and claiming to have exfiltrated 120GB and 145GB of data.
- Qilin: Added three new victims to its leak site: Maresa Logística, SES Société Energies Services, and FREEDL GROUP s.r.l.
- Nightspire: Targeted Lotus Powergear Pvt. Ltd, an Indian company.
- Alphalocker: Listed Bangkok Eagle Wings Co., Ltd. from Thailand as a victim.
- Brotherhood: Published a post indicating a new victim will be announced by November 20th.
Cyber Threats:
- Dragon Breath APT: A threat actor group is using a new loader called RONINGLOADER to disable security tools and deploy the Gh0st RAT trojan. The campaign primarily targets Chinese-speaking users with trojanized installers for legitimate software.
- ClickFix Malware: Threat actors are abusing the decades-old “finger” protocol to retrieve and execute remote commands on compromised Windows systems, marking a resurgence of an outdated network tool for malicious purposes.
Security Developments:
- Android Memory Safety: Google reported that its adoption of the Rust programming language in Android has led to a significant decrease in memory safety vulnerabilities, which now account for less than 20% of total vulnerabilities for the first time.
Observations and Further Recommendations
- Ransomware remains a significant threat with multiple active groups targeting a wide array of industries globally, including manufacturing, finance, technology, and logistics. The tactics vary, with some groups (like Devman) openly stating ransom demands, while others (like Akira) focus on the value of the stolen data.
- Threat actors continue to innovate and repurpose old technologies. The use of the “finger” protocol is a reminder that even obscure or legacy protocols can be weaponized.
- Organizations should prioritize robust security hygiene, including regular patching, network monitoring, and maintaining offline backups. The success of memory-safe languages like Rust in reducing vulnerabilities highlights the importance of secure-by-design principles in software development.
News Details
- Dragon Breath Uses RONINGLOADER to Disable Security Tools and Deploy Gh0st RAT: The threat actor known as Dragon Breath has been observed using a multi-stage loader codenamed RONINGLOADER to deliver a modified variant of a remote access trojan called Gh0st RAT. The campaign, which is primarily aimed at Chinese-speaking users, employs trojanized NSIS installers masquerading as legitimate software such as Google Chrome and Microsoft Teams, according to Elastic Security Labs.
- Rust Adoption Drives Android Memory Safety Bugs Below 20% for First Time: Google has disclosed that the company’s continued adoption of the Rust programming language in Android has resulted in the number of memory safety vulnerabilities falling below 20% of total vulnerabilities for the first time. “We adopted Rust for its security and are seeing a 1000x reduction in memory safety vulnerability density compared to Android’s C and C++ code. But the biggest surprise was…”
- Google to flag Android apps with excessive battery use on the Play Store: Google will start taking action on Android apps in the official Google Play store that have high background activity and cause excessive battery draining. […]
- Microsoft: Windows 10 KB5068781 ESU update may fail with 0x800f0922 errors: Microsoft has confirmed it is investigating a bug causing the Windows 10 KB5068781 extended security update to fail to install with 0x800f0922 errors on devices with corporate licensing. […]
- Decades-old ‘Finger’ protocol abused in ClickFix malware attacks: The decades-old “finger” command is making a comeback, with threat actors using the protocol to retrieve remote commands to execute on Windows devices. […]
- Jeff Bezos will be co-CEO of AI startup Project Prometheus: Jeff Bezos is getting a new job. He’ll reportedly become co-CEO of Project Prometheus, a new startup that he’s partly funding. The company’s exact plans are still unknown, but its focus is on AI that could improve manufacturing in fields including computing, automobiles, and aerospace.
- Europe banned new gas cars after 2035 — now it’s reconsidering: Mercedes-Benz CEO Ola Källenius is the eternal optimist, and for good reason. He has long pushed the European Union to roll back its lofty goal of phasing out new internal combustion engine cars, arguing that weakening the rules was a return to pragmatism and not capitulation to opponents of Europe’s green agenda.
- Sky Sports killed off its female-focused Halo brand after just three days: Girls like pink and peach, right? That Sky Sports felt the need to launch a TikTok channel specifically marketed towards women and billed as its “lil sis” was questionable enough. But once people got a taste of the content on Halo, it was clear the company had absolutely no idea what it was doing.
- You need to listen to the searing noise pop album Forever in Your Heart: The cover goes as hard as the album does. There’s something irresistible about music that sounds as if it’s coming apart at the seams. The Black Dresses are masters of barely contained chaos. All of their records feel as if they’re in danger of collapsing into pure noise at any moment.
- Stereogum soldiers on in the era of streaming and AI: If you’re an indie rock fan of a certain age, the name Stereogum will probably conjure strong feelings. The site was launched “January 1st, 2002, on a whim,” founder Scott Lapatine told The Verge. Originally, this early staple of the music blog era was focused almost entirely on music discovery and posting MP3s.
- The best gifts for dads that have everything (but deserve more): What do you get the man who says he has everything? It’s a tough question – and one you have a limited amount of time to answer, given the holidays are nearly upon us. You could try dropping subtle hints or asking friends and family for suggestions, but they might save their best ideas for themselves.
- How LimeWire ended the Napster music revolution: Quick: tell me how old you are by telling me which app you used to download free music. Was it Napster? Kazaa? Usenet? Gnutella? WinMX? Morpheus? The Pirate Bay? Were you, I don’t know, sending your friends songs on AIM or BBM? The possibilities are endless.
- The Asus Falcata is an ambitious split ergo gaming keyboard that falls short: Each half is compact, and they fit together for easy travel. Hall effect gaming keyboards aren’t uncommon. But Asus’ ROG Falcata is the only one that’s also a split ergonomic keyboard, aimed at alleviating wrist, hand, or arm pain.
- How soapy micro dramas became Hollywood’s next big bet: This is The Stepback, a weekly newsletter breaking down one essential story from the tech world. For more on Hollywood trends and streaming culture, follow Charles Pulliam-Moore. The Stepback arrives in our subscribers’ inboxes at 8AM ET.
- Tim Cook could step down as Apple CEO next year: According to the Financial Times, Tim Cook could step down as Apple CEO as early as next year. And the board has started to seriously work out a succession plan. FT says that John Ternus, Apple’s senior vice-president of hardware engineering, is considered the frontrunner for the position.
- 🏴☠️ Thegentlemen has just published a new victim : A–*.com: 🇨🇳 Semiconductor industry
- 🏴☠️ Devman has just published a new victim : ftr.com.*: Ransom: 300k 120gb
- *🏴☠️ Devman has just published a new victim : clinic.com.*: Ransom: 210k 145gb
- 🏴☠️ Akira has just published a new victim : BOLD Furniture: BOLD Furniture manufactures distinctive, highly functional and adaptable standard and custom furniture and fixtures for all kinds of work environments. We are going to upload company data soon. You will find financial data (audit, invoices), project details, personal financial details of employees, accounting files.
- 🏴☠️ Akira has just published a new victim : MOBI Technologies: MOBI Technologies Inc. is a consumer health and home electronics brand committed to elevating the consumer experience around digital living and wellness monitoring for all ages. We are going to upload company data soon. You will find financial data (audit, payment details, invoices), personal financial details of employees, accounting files.
- 🏴☠️ Brotherhood has just published a new victim : Announcement till 20/11: [AI generated] N/A
- 🏴☠️ Thegentlemen has just published a new victim : .com: 🇨🇳 Semiconductor industry
- 🏴☠️ Nightspire has just published a new victim : Lotus Powergear Pvt. Ltd, India: Lotus Powergear Pvt. Ltd, India
- 🏴☠️ Thegentlemen has just published a new victim : United Enterprise Fund: https://www.zoominfo.com/c/united-enterprise-fund-lp/104726614 www.unitedenterprisefund.com United Enterprise Fund is a New York-based financial services firm that delivers personalized investment management and advisory solutions.
- 🏴☠️ Qilin has just published a new victim : Maresa Logística: N/A
- 🏴☠️ Alphalocker has just published a new victim : www.bew.co.th: Bangkok Eagle Wings Co.,Ltd. 67/14 Mu 5 Chuamsamphan Rd. Kokfad. Nongchok. Bangkok 10530. Thailand. Stamping process Welding and assembly process Machining process Painting process
- 🏴☠️ Qilin has just published a new victim : SES Société Energies Services: N/A
- 🏴☠️ Qilin has just published a new victim : FREEDL GROUP s.r.l.: N/A
- Microsoft Patch Tuesday, November 2025 Edition: Microsoft this week pushed security updates to fix more than 60 vulnerabilities in its Windows operating systems and supported software, including at least one zero-day bug that is already being exploited.