PostHole
Compose
Login
IR Trends Q4 2025: Exploitation remains dominant, phishing campaign targets Native American tribal organizations
A drop in exploitation and ransomware, but a spike in phishing and credential abuse, show why timely patching and robust MFA matter more than ever.
IR Trends Q4 2025: Exploitation remains dominant, phishing campaign targets Native American tribal organizations
Thursday, January 29, 2026 06:00
Threat actors predominately exploited public-facing applications for the second quarter in a row, with this tactic appearing in nearly 40 percent of Cisco Talos Incident Response (Talos IR) engagements — a notable decrease from over 60 percent last quarter, when engagements involving ToolShell surged. This quarter included exploitation of Oracle E-Business Suite (EBS) and React2Shell, as well as the deployment of malware implants previously associated with advanced persistent threat (APT) groups.
Phishing was the second-most common tactic for initial access, and this quarter included a campaign specifically targeting Native American tribal organizations for credential harvesting. Once the adversaries compromised a legitimate account, they leverage it to send out further internal phishes and gain more credentials.
Ransomware incidents made up only approximately 13 percent of engagements this quarter, a decrease from 20 percent last quarter and a steep drop from nearly 50 percent in Q1 and Q2. Talos IR did not respond to any previously unseen ransomware variants. Qilin continues to be a dominant player in these engagements, a continuation from the previous few quarters.
Watch this video discussion on the biggest trends from this quarter's report
Continued exploitation campaigns show the importance of timely patching
As mentioned above, threat actors exploited public-facing applications for initial access in nearly 40 percent of engagements this quarter. While there was no dominant exploitation campaign as there was last quarter with ToolShell, Talos IR did observe activity targeting Oracle EBS (CVE-2025-61882) as well as React Server Components, Next.js, and related frameworks (CVE-2025-55182 aka React2Shell). In both cases, exploitation activity occurred around the time the vulnerability became public, demonstrating actors’ speed in capitalizing on these opportunities as well as the inherent risks of internet-facing enterprise applications and default deployments embedded in widely used frameworks.
Talos IR responded to an organization that had an internet-facing server vulnerable to CVE-2025-61882. Exploitation began very shortly after the vulnerability was made public and was likely related to a large-scale campaign aiming to extort executives. After exploiting the vulnerability, the threat actors deployed multi-stage web shells related to the SAGE* infection chain.
In another incident, we observed a threat actor successfully exploit the React2Shell vulnerability to compromise the victim organization, gain shell access to the web server, and download and install XMRig Monero cryptomining malware. Cryptocurrency mining is one of the many types of operations we expect to see as threat actors race to quickly capitalize on unpatched systems. Public reporting on React2Shell exploitation also revealed targeting by state-sponsored groups, ransomware affiliates, and more, highlighting the diverse array of threat actors who look to leverage new exploits and the importance of timely patching and other mitigations, such as robust segmentation.
Exploitation activity this quarter also involved implants previously tied to APT groups. In one incident, Talos IR observed activity consistent with the BadCandy implant targeting Cisco IOS XE. The threat actors leveraged this implant to create an unauthorized account, though the activity appeared to be automated with no interactive access or additional malicious activity observed outside the router.
In an incident in which exploitation of the organization’s Cisco Secure Management Appliance (SMA) was suspected, the adversaries deployed AquaShell, a lightweight Python backdoor capable of receiving encoded commands through unauthenticated HTTP POST requests and executing them in the system shell, a backdoor which Talos has connected to UAT-9686. Similar to the incident described above, there was no follow-on activity observed. In both incidents, Talos IR commended the customers for their quick responses, which likely helped mitigate any further damage.
Phishing campaigns target Native American tribal organizations for potential credential harvesting operation
Phishing was the second-most common means of initial access this quarter, and Talos IR responded to a phishing campaign that appeared to target Native American tribal organizations.
In one incident affecting a tribal organization, Talos IR observed adversaries use compromised email accounts, alongside a legitimate but compromised web domain, to distribute lures themed around sexual harassment training. Although initial waves were unsuccessful, once the adversaries compromised an account, they used it to propagate further phishing internally and externally. In the latter phases of this campaign, the adversary leveraged a web shell directory hosted on a legitimate third-party domain to distribute phishing content and facilitate broader targeting. We suspect that the attacker gained a foothold within the victim environment due to lack of multi-factor authentication (MFA), and while no lateral movement beyond email account abuse could be confirmed, the exposure of additional accounts within the victim's environment and external recipients indicates the potential for a wider impact.
In a second related incident affecting another tribal organization, Talos IR observed the victim receive a wave of external phishing emails, with one user targeted with numerous Outlook Web Access (OWA) login attempts, resulting in subsequent MFA prompts, one of which was approved. Afterwards, the compromised user’s account was used to issue a flood of follow-on phishing emails. After the customer removed the compromised account, the campaign continued, leveraging an external email address that was spoofed to resemble the disabled account.
Beyond similar victimology, there were overlaps in the indicators of compromise for these incidents, suggesting they may have originated from the same campaign. Both incidents also highlight a trend observed last quarter of compromised accounts being used to distribute further phishing attacks. Talos IR urges tribal organizations to be especially vigilant of this threat, scrutinizing all emails and MFA pushes.
Ransomware trends
Ransomware and pre-ransomware incidents made up just 13 percent of engagements this quarter, a decline from 20 percent last quarter, and a sharp drop from 50 percent in Q1 and Q2. Qilin ransomware, which we responded to for the first time in Q2, remains dominant and was observed in the majority of ransomware incidents, confirming our predictions in Q2 and Q3 that the group would continue to hold a heavy presence. We also responded to DragonForce ransomware, a variant we had not observed in Talos IR engagements for over a year.
[...]