Boost your cyber resilience.
Talk to an expert about BarracudaONE and Managed XDR
Live insights
This chart is based on detection data from Barracuda’s Advanced Threat Protection (ATP) platform
Cybersecurity Threats Targeting Businesses
Barracuda Research delivers actionable insights from trillions of IT events, AI-powered threat detection and real-world security incidents. Our advanced threat intelligence empowers IT security professionals with the knowledge to identify emerging threats, recognize the warning signs and implement effective protection strategies for their businesses.
35%
Rise in Infostealer attacks
July 2025
56%
Rise in threats targeting Linux servers
July 2025
Latest email threat tactics
EvilProxy launches new attacks spoofing employment platform and M365 warnings
The EvilProxy phishing kit has launched new waves of attacks. One spoofs the trusted Upwork employment platform to send fake payment notifications, sending targets through several links and an “I’m not a robot’ verification page before they arrive at a fake login screen designed to steal their Microsoft login credentials.
Another set of attacks feature fake Microsoft 365 login alerts. The alert messages have consistent body copy but three different subject lines — enabling attacks to continue after security tools have spotted and blocked one of the subject lines.
Action to take: Always verify unexpected or unusual payment or security notifications and check with the sender. The use of verification pages can be a trick to reassure victims and make it harder for security tools to detect the scam. Every additional link or attachment takes victims further away from protection so ensure employees are alert to this.
Toxic calendar invites in emails
The Sneaky 2FA phishing kit has been using toxic calendar invites to steal credentials. The invites are compatible with Google Calendar and Microsoft Outlook and contain phishing links that look like legitimate events. When recipients open the invite, they are redirected to a phishing page on the trusted Monday platform via a CAPTCHA verification.
Action to take: Be wary of unexpected meeting invites, especially from unknown senders or with no context. Verify with the sender if needed. The use of calendar invites in phishing attacks is increasing as ICS files bypass some security controls.
Phishing kits abuse ShareFile for attacks
These attacks use ShareFile to host fake login forms and send URLs to potential victims. Tycoon 2FA and Mamba 2FA are prominent users of this tactic, implementing advanced evasion techniques such as proxy servers, switching phishing links and HTML attachments to bypass detection.
Action to take: Be wary of unexpected emails, on unusual topics or from unfamiliar senders. Any emails from ShareFile, especially if your organization doesn’t use this service, should be scrutinized. Verify the message with the sender. Always check the legitimacy of Microsoft or Google login pages before entering credentials.
Latest threats targeting organizations
A rise in attacks targeting bugs in FortiGate Firewall VPN services
The FortiGate vulnerabilities enable attackers to use unsecured VPN tunnels to bypass authentication and gain full administrative privileges and initial access. Attacks can lead to data breaches, reputational damage and ransomware attacks.
Action to take: Ensure systems are updated with the latest patches and enforce multifactor authentication (MFA) for VPN access. Implement geo-fencing or conditional access policies and install comprehensive, layered defenses with extended visibility.
A rise in attempted data exfiltration
Attackers are increasingly stealing data instead of or as well as encrypting it. The unauthorized removal of data is often carried out under the radar such as by compressing the data, hiding content in text, audio or image files (steganography), using private channels (tunnelling), or moving data quietly and slowly so it looks like ordinary traffic. Data exfiltration can lead to the loss of valuable intellectual property, financial impacts, reputational damage, and regulatory fines.
Action to take: Limit who can access sensitive data, monitor data transfers, educate employees on phishing, segment your network, and implement zero-trust security measures.
A rise in the detection of ‘packed’ malware
Packed malware is malicious code that has been compressed or encrypted to evade detection. Packed malware is often used in ransomware attacks to conceal the final encryption payload until execution. A remote workforce and cloud assets can increase vulnerable access points.
Action to take: Implement advanced endpoint protection, install the latest security patches, use MFA for VPN access to prevent unauthorized access, continuously check for and correct cloud service misconfigurations, and use network segmentation to limit access to sensitive areas.
New threat advisory: Critical CrushFTP vulnerability
CrushFTP, a multi-platform file transfer system, carries a critical vulnerability allowing attackers to bypass authentication and gain unauthorized access. This vulnerability can lead to data manipulation, exfiltration, and service disruption. Threat actors have exploited this in the wild.
Action to take: Update CrushFTP to the latest patched version. Verify and strengthen passwords, user permissions and limit server access rights.
New threat advisory: Critical Next.js vulnerability
Next.js, a popular framework for building fast web applications, has a newly reported critical vulnerability. This bug allows attackers to bypass some authorization checks and gain access to restricted areas without proper permissions. The access enables attackers to manipulate data, change configurations, or compromise the application.
Action to take: Update Next.js and all its dependencies to the latest version and implement robust access and authentication controls.
Real world incidents and trends
XDR contains two nearly identical attacks leveraging ScreenConnect
Barracuda’s Managed XDR team recently helped two companies mitigate incidents where attackers had managed to compromise computers and install rogue ScreenConnect remote management software.
Both organizations spotted odd behavior on computers. One found open tax software that had not been opened by the employee using the computer. The other spotted unusual mouse movements. Both companies had rogue deployments of ScreenConnect that had been installed surreptitiously disguised as Social Security files. In one company there were signs of possible data exfiltration linked to a convoluted series of malicious downloads. In the other there was evidence of malicious scripts and persistence techniques. SOC analysts were able to help both companies contain and neutralize the incidents.
Python-armed ransomware gang reemerges to face a wall of XDR defenses
Barracuda’s Managed XDR team recently contained a ransomware attack where the attackers compromised several machines and an administrator account before the company installed XDR. By the time the attackers returned for the main attack, a suite of Barracuda Managed XDR solutions was in place, monitoring and containing the threat.
The attackers created scheduled tasks, moved laterally, and infected additional machines with a Python-based payload. Despite these efforts, Barracuda’s XDR solutions isolated the infected machines, detected the C2 communications, and shared firewall logs revealing exfiltration attempts.
Why scheduled tasks can be a security red flag
Ransomware attackers often use scheduled tasks to automate different stages of the attack, maximizing the impact of the attack while reducing the chances of detection. Attackers create scheduled tasks for several reasons, including:
- To release the ransomware payload at a specific time
- To maintain access to the network, for example by scheduling tasks to rerun malware at intervals, even if it is detected and removed
- To help with stealthy data exfiltration, for example by collecting and removing information at intervals
- To turn off antivirus software, firewall protections or system recovery tools, making it harder for the security team to remediate or recover from the incident
- To distribute ransomware to connected devices across the network
- To delete traces of attack activity after encryption, making it harder for security teams to investigate how the attack unfolded
Resource Library
Barracuda provides a wide range of cyberthreat and cybersecurity insights, tools and support to help organizations and security researchers better understand the rapidly evolving threat landscape and how to manage risk.
