Cyber Security Report - December 2025
- danielmiddlemass0
- Jan 20
Research by OSINT Monitoring Team, NTT Security Japan K.K
Original report in Japanese: Cyber Security Report December 2025 | Security Knowledge | NTT Security Japan K.K. (サイバーセキュリティレポート 2025年12月 | セキュリティナレッジ | NTTセキュリティ・ジャパン株式会社)
Page Summary
This report highlights and summarizes three topics considered particularly important among the various information security‑related events and incidents that occurred during December 2025, as well as developments in the surrounding environment. The key points of each chapter are as follows:
Chapter 1 "Multiple Extortion Ransomware Attacks: Activity Overview for 2025"
The number of posts about victim organizations on exposure sites operated by ransomware groups has increased year by year; in 2025, 8,199 posts were confirmed, an increase of about 50% from the previous year.
Due to law-enforcement crackdowns and intensified competition between groups, the power structure is changing: active ransomware groups are being replaced and new groups are emerging.
Since the restructuring of ransomware groups is expected to keep the momentum of ransomware attacks high, it is important for companies not only to strengthen security but also to prepare for the event of a breach.
Chapter 2 "Portugal Revises the Law to Permit Ethical Hacking"
In December 2025, Portugal amended its Cybercrime Law to add a new article, Article 8-A, which regulates cybersecurity actions in the public interest.
This amendment aims to strengthen the cyber defense foundation by legalizing responsible vulnerability research by security researchers and ethical hackers under certain conditions.
As cyberattacks grow more sophisticated, creating an environment where security researchers can operate without legal uncertainty is becoming a topic of interest for future discussion in Japan as well.
Chapter 3 "North Korea's IT Workers' Infiltration Operations"
Famous Chollima, a subgroup of the North Korean hacker group Lazarus, uses the identities of others to infiltrate companies in the United States and other countries as IT workers to carry out their missions of corporate espionage and financing of sanctioned North Korea.
While Chollima is recruiting people to interview on their behalf, security researchers actually contacted Chollima recruiters and conducted a sting operation to observe their infiltration process from the inside, uncovering the full story of the North Korean operatives disguised as IT workers.
Once remote interviews are accepted as standard practice, schemes like those planned by Famous Chollima are not easy to prevent. This case exposes a blind spot in remote work operations; it could be prevented or deterred by having applicants come to the company for interviews in person, and by requiring them to work on site regularly (or irregularly) after hiring.
Multiple Extortion Ransomware Attacks: Activity Overview for 2025
1.1. Outline
Our OSINT monitoring team monitors posts on exposure sites operated by extortion ransomware groups on a daily basis. Based on the results of this monitoring, we summarize the activities and trends of these groups in 2025.
1.2. Increase in ransomware attacks
An extortion ransomware group is a criminal group that uses ransomware to encrypt and steal files on the target organization's network, demands a ransom in exchange for the decryption key, and threatens to publish (expose) the stolen files on a site operated by the group if the ransom is not paid by the deadline. While many exposure sites exist on the dark web, some ransomware groups use sites and social media that anyone can access.
The total number of posts about victim organizations on exposure sites has increased year by year, and in 2025, 8,199 posts were confirmed, an increase of about 50% from the previous year (Figure 1).
In terms of monthly totals, every month of 2025 exceeded the same month of the previous year, and more than 500 posts per month has become the norm (Figure 2). Investigative agencies around the world have cooperated to disrupt active ransomware groups such as ALPHV and LockBit.[1] [2]
Despite these efforts, ransomware activity continues to escalate rather than decline.


1.3. Ransomware group
Replacement of active ransomware groups
Half of the top 10 groups by annual posts in 2025 were new to the top 10 compared with 2024. Groups such as LockBit - affected by law‑enforcement action - and Hunters International, which announced its disbandment, dropped out of the top tier.

On the other hand, "Qilin", which attracted attention in Japan due to the attack on Asahi Group Holdings, has become more active, and its number of posts is the highest of any group. In addition, "Akira" posted about three times as many posts as the previous year, ranking second.
These groups offer RaaS (Ransomware as a Service) with high profit sharing and generous technical support to attract more "affiliates", the actors who actually carry out the ransomware attacks.[3] Their activity appears to have accelerated as they attempt to poach affiliates from groups weakened by operational pauses.
Third-ranked Cl0p has achieved results by concentrating on exploiting zero-day vulnerabilities over short periods rather than attacking continuously. In early 2025, the group launched an attack campaign exploiting CVE-2024-50623 in Cleo's file transfer software, and in November it exploited CVE-2025-61882 in Oracle E-Business Suite, an integrated ERP package.[4] These characteristics differ from those of other groups, and its recruitment of affiliates appears to be limited.[5]
Restructuring of ransomware groups
Active consolidation and rebranding of groups is another feature of 2025. "RansomHub" had been active since the second half of 2024 but suddenly went on hiatus in late March 2025; it appears to have been forcibly absorbed by another group, "DragonForce".[6] In addition, "Hunters International" announced on its exposure site in July that it would dissolve and provide free decryption tools, but in fact launched a new group called "World Leaks", which is still active.[7] Behind these moves lie not only the intensifying power struggle between ransomware groups but also the intention to evade pursuit by law-enforcement agencies.
In addition, the number of new ransomware groups entering the market is increasing, with 66 new groups observed in 2025. As the know-how for platforms and other technologies required to provide RaaS spreads and the barriers to entry into the ransomware business fall, this proliferation of rival groups is likely to continue.
The ransom payment rate is also declining,[8] which appears to be driving the restructuring of ransomware groups. To increase revenue, a group must attract many affiliates and increase the number of attacks. However, raising a group's profile and brand power invites attention from the authorities, so groups appear to have shifted to differentiating themselves even at a small scale, gathering affiliates, and concentrating attacks within a short period.
These small, short-lived groups have no reputation to protect, so they may not provide the decryption key even if the ransom is paid, or may never have had a working means of decryption in the first place. This can lower the recovery rate of encrypted data. There are also concerns that the proliferation of groups will intensify competition and lead to attacks on critical infrastructure such as nuclear power plants, which many groups have tacitly avoided so far.[9]
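The figures in this chapter (annual totals, year-over-year change, months above the prior year, top-10 turnover, and the count of new entrants) all come from the same kind of aggregation over exposure-site post records. The Python below is an added example of that analysis, not the OSINT monitoring team's own tooling; its records and group names ("GroupA" to "GroupE") are constructed placeholders, and the analysis is general rather than limited to the 2024/2025 comparison in the text.

```python
"""Trend analysis over exposure-site victim posts (added example, constructed data)."""
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

# One record per victim post observed on a group's exposure site: (year, month, group).
# Constructed sample; "GroupA".."GroupE" are placeholders, not real ransomware groups.
Post = Tuple[int, int, str]
SAMPLE_POSTS: List[Post] = [
    (2024, 1, "GroupA"), (2024, 1, "GroupB"),
    (2024, 2, "GroupA"), (2024, 2, "GroupC"),
    (2024, 3, "GroupA"), (2024, 3, "GroupB"),
    (2025, 1, "GroupA"), (2025, 1, "GroupD"), (2025, 1, "GroupD"),
    (2025, 2, "GroupA"), (2025, 2, "GroupB"), (2025, 2, "GroupE"),
    (2025, 3, "GroupA"), (2025, 3, "GroupD"), (2025, 3, "GroupE"),
]


def yearly_totals(posts: List[Post]) -> Counter:
    """Total victim posts per year."""
    return Counter(year for year, _, _ in posts)


def yoy_change(posts: List[Post], year: int) -> Optional[float]:
    """Percentage change in annual volume versus the previous year (None without a baseline)."""
    totals = yearly_totals(posts)
    prev = totals.get(year - 1, 0)
    if prev == 0:
        return None
    return round((totals.get(year, 0) - prev) * 100.0 / prev, 1)


def monthly_counts(posts: List[Post], year: int) -> Counter:
    """Victim posts per month for one year (month number -> count)."""
    return Counter(month for y, month, _ in posts if y == year)


def months_exceeding_prior_year(posts: List[Post], year: int) -> List[int]:
    """Months in which the count exceeded the same month of the previous year."""
    cur, prev = monthly_counts(posts, year), monthly_counts(posts, year - 1)
    return [m for m in range(1, 13) if cur.get(m, 0) > prev.get(m, 0)]


def top_groups(posts: List[Post], year: int, n: int = 10) -> List[str]:
    """Groups ranked by annual post count (ties broken by name for a stable order)."""
    per_group = Counter(group for y, _, group in posts if y == year)
    ranked = sorted(per_group.items(), key=lambda kv: (-kv[1], kv[0]))
    return [group for group, _ in ranked[:n]]


def top_n_turnover(posts: List[Post], prev_year: int, year: int, n: int = 10) -> Set[str]:
    """Groups in this year's top n that were absent from the previous year's top n."""
    return set(top_groups(posts, year, n)) - set(top_groups(posts, prev_year, n))


def new_groups(posts: List[Post], year: int) -> Set[str]:
    """Groups whose first observed post falls in the given year (new entrants)."""
    first_seen: Dict[str, int] = {}
    for y, _, group in sorted(posts):
        first_seen.setdefault(group, y)
    return {group for group, y in first_seen.items() if y == year}


def summarize(posts: List[Post], year: int, n: int = 10) -> dict:
    """Collect the headline figures the report discusses for one year."""
    return {
        "total": yearly_totals(posts).get(year, 0),
        "yoy_change_pct": yoy_change(posts, year),
        "months_above_prior_year": months_exceeding_prior_year(posts, year),
        "top_groups": top_groups(posts, year, n),
        "top_n_newcomers": sorted(top_n_turnover(posts, year - 1, year, n)),
        "new_groups": sorted(new_groups(posts, year)),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_POSTS, 2025, n=3).items():
        print(f"{key}: {value}")
```

Two details matter when this is run on real monitoring data: a group that rebrands (as RansomHub and Hunters International did) shows up as a "new" entrant unless the records carry an alias mapping, and a takedown shows up as a drop-out of the top n, so turnover alone does not distinguish law-enforcement pressure from rebranding.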
1.4. Summary
In 2025, major and well-known companies in Japan, such as Asahi Group Holdings and ASKUL, fell victim to ransomware attacks, and the risk of prolonged business shutdowns became apparent.[10] [11] The restructuring of ransomware groups continues, and the momentum of ransomware attacks is expected to remain high as competition between groups increases. It is therefore important for companies to strengthen security, including across their supply chains, and to prepare for breaches by verifying that business continuity plans actually work.
References
[1] Source: U.S. Department of Justice - Justice Department Disrupts Prolific ALPHV/Blackcat Ransomware Variant https://www.justice.gov/archives/opa/pr/justice-department-disrupts-prolific-alphvblackcat-ransomware-variant
[2] Source: National Crime Agency - The NCA announces the disruption of LockBit with Operation Cronos https://www.nationalcrimeagency.gov.uk/the-nca-announces-the-disruption-of-lockbit-with-operation-cronos
[3] Source: Analyst1 - Qilin - Threat Actor Profile
[4] Source: Vectra AI - Cl0p Is Back, Exploiting Supply Chains Again.
[5] Source: Barracuda Networks Blog - Cl0p ransomware: The skeezy invader that bites while you sleep https://blog.barracuda.com/2025/05/16/cl0p-ransomware--the-skeezy-invader-that-bites-while-you-sleep
[6] Source: SOPHOS - DragonForce targets rivals in a play for dominance
[7] Source: The Record from Recorded Future News - Hunters International ransomware group claims to be shutting down
[8] Source: Coveware - Insider Threats Loom while Ransom Payment Rates Plummet https://www.coveware.com/blog/2025/10/24/insider-threats-loom-while-ransom-payment-rates-plummet
[9] Source: ReliaQuest - Ransomware and Cyber Extortion in Q3 2025
[10] Source: Asahi Group Holdings - Investigation Results on Information Leakage by Cyber Attacks and Future Responses https://www.asahigroup-holdings.com/newsroom/detail/20251127-0104.html
[11] Source: ASKUL Co., Ltd. - Service Recovery Status (System Failure Related to Ransomware Attack, 15th Report) (IR Pocket)
Portugal Revises the Law to Permit Ethical Hacking
2.1. Outline
On December 4, 2025, Portugal amended its Cybercrime Law to include a new article, Article 8-A, which regulates cybersecurity actions in the public interest (expected to come into force 120 days from this date). The amendment aims to strengthen national cyber defense by legalizing responsible vulnerability research by security researchers and ethical hackers (hackers who investigate vulnerabilities for the purpose of strengthening defenses) under certain conditions.

2.2. About Article 8-A
Overview and application conditions [13]
Article 8-A is a provision entitled "Acts in the public interest that are not punishable in cybersecurity". It exempts from criminal liability actions that were previously illegal, such as unauthorized access or interception of communications, when they are performed as part of an independent vulnerability investigation without prior consent, provided that all of the following conditions are met:[12]
Limitation of purpose: The sole purpose is to identify vulnerabilities and improve cybersecurity.
Prohibition of economic benefits: Not seeking or receiving any financial benefits beyond the usual professional remuneration.
Notification obligation: Any vulnerabilities discovered must be reported immediately to the system owner or administrator, the holder of the personal data obtained, and the Portuguese National Cybersecurity Center (CNCS).
Minimum principle: When conducting vulnerability research, limit the scope to what is necessary to detect vulnerabilities. You must not interrupt the service, modify or delete data, or cause damage.
Protection of personal information: In accordance with the GDPR and related laws and regulations, do not illegally obtain, use, or disclose personal data.
Data confidentiality and deletion: Data obtained during vulnerability research must be kept confidential and deleted within 10 days after the vulnerability is fixed.
Prohibited Methods [13]
If you use the following methods, Article 8-A will not apply and you will be held criminally responsible.
DoS and DDoS attacks
Social Engineering
Phishing and similar activities
Stealing passwords and sensitive information
Intentional deletion or alteration of data
Intentional damage to the system
Installing and distributing malware
2.3. Comparison of international trends
As with Portugal's Article 8-A, there are also moves to legally protect vulnerability investigations in the public interest in other countries.
Trends in the United States [14] [15]
In May 2022, the U.S. Department of Justice revised its charging policy under the Computer Fraud and Abuse Act (CFAA). It established a new exception under which good-faith security research that contributes to improving the security of a system by discovering, reporting, or fixing vulnerabilities (without intent to exploit or to profit unfairly) will not be prosecuted. This has promoted responsible vulnerability disclosure and created an environment in which security researchers can operate without fear of legal risk. However, the policy is not a free pass for everyone who claims to be conducting security research: for example, discovering a vulnerability in a device and then blackmailing its owner is not legitimate. Prosecutors are also required to consult the Computer Crime and Intellectual Property Section of the Criminal Division on the application of this policy when considering charges for CFAA violations.
Trends in the UK [16]
The UK government is currently seeking to amend the Computer Misuse Act (CMA), enacted in 1990, which has been criticized for exposing security researchers to the risk of prosecution and imposing unnecessary restrictions on them.
On December 3, 2025, Security Secretary Dan Jarvis announced a policy to legally protect security researchers who discover and share vulnerabilities by introducing "statutory defense."
Trends in Japan [17]
In Japan, the Coordinated Vulnerability Disclosure (CVD) Guidelines operated by the Information Technology Promotion Agency (IPA) and JPCERT/CC have established a mechanism for the discoverer of the vulnerability and the developers of equipment and software containing the vulnerability to coordinate, fix and publish the problem. The aim is to take measures before vulnerabilities can be exploited and minimize the impact on users. However, this guideline is voluntary and does not guarantee legal immunity. Vulnerability research can still violate unauthorized access laws, and there is no legal framework in place to protect security researchers and responsible vulnerability disclosure.
2.4. Summary
Historically, the technical methods used by attackers and security researchers can look similar, and the law did not clearly differentiate between them, meaning that research in the public interest could be interpreted as illegal. Portugal's Article 8-A provides legal support for responsible disclosure and emphasizes the public interest. The United States updated its policy several years ago, and the United Kingdom is actively reviewing its law. As cyber threats grow more sophisticated, establishing an environment in which researchers can work without undue legal risk is an important consideration for Japan as well.
References
[12] Source: Infosecurity Magazine - Portugal Revises Cybercrime Law to Protect Security Researchers https://www.infosecurity-magazine.com/news/portugal-cybercrime-law-security/
[13] Source: Presidência do Conselho de Ministros "Decreto-Lei n.º 125/2025, de 4 de dezembro" (Diário da República)
[14] Source: U.S. Department of Justice "Department of Justice Announces New Policy for Charging Cases under the Computer Fraud and Abuse Act"
[15] Source: U.S. Department of Justice, 9-48.000 - COMPUTER FRAUD AND ABUSE ACT https://www.justice.gov/archives/opa/press-release/file/1507126/dl?inline
[16] Source: Computer Weekly - UK government pledges to rewrite Computer Misuse Act https://www.computerweekly.com/news/366635624/UK-government-pledges-to-rewrite-Computer-Misuse-Act
[17] Source: Information Technology Promotion Agency (IPA) - Information Security Early Warning Partnership Guidelines
North Korea's IT Workers' Infiltration Operations
3.1. Outline
As part of its cyber operations, the Famous Chollima subgroup of the North Korean hacker group Lazarus uses the identities of others to infiltrate companies in the United States and other countries as IT workers. The operatives, who are sent as remote workers after fake interviews, are responsible for corporate espionage and financing of sanctioned North Korea. Security researchers conducted a decoy investigation into Famous Chollima's activities, revealing notable tradecraft.[18]

3.2. What is the hacker group 'Famous Chollima'?
There are several hacker groups in North Korea that are believed to be state-directed. One of the most famous is Lazarus, which has been known in recent years for large-scale cyberattacks targeting the cryptocurrency industry. One of the subgroups belonging to Lazarus is Famous Chollima. The group's name was given by Western security officials, but "Chollima" originally refers to the "thousand-mile horse" (a horse that runs a thousand miles in a day) in North Korean mythology, and is also known as a slogan used in the past to promote the country's rapid development, apt for a group known for swift, sophisticated operations.[20] [21]
Famous Chollima (hereinafter abbreviated as "Chollima") works for foreign companies as IT workers (freelance developers, outsourced engineers, etc.) to infiltrate related systems and engage in espionage activities, and transfer salaries (foreign currency) obtained from the companies to the North Korean government. Confirmed targets include financial, cryptocurrency, and healthcare organizations,[22] including several Fortune 500 companies.[23]
3.3. Approach to Recruitment Interviews
Chollima uses two approaches to apply for jobs at foreign companies and pass online interviews. In both cases, the weapon is not advanced malware but a combination of social engineering and AI technology that exploits gaps in people's trust and judgment.
Self-applied roles[24]
They impersonate real people using stolen or leaked passports and driver's licenses, or create fictional characters using AI-generated photos to create fake IDs, resumes, and profiles to be introduced on LinkedIn, a business social networking site. Then, by using AI-generated deepfakes and synthetic voices, they also fake their physical characteristics and go through job interviews. With the expansion of remote work and the evolution of AI technology, it is difficult for companies to notice these crafts.
When using external collaborators[25]
They recruit non‑North Korean IT workers - offering payment - to lend their identities and attend interviews. Recruitment is conducted at scale via spam messages on GitHub and solicitations on Telegram. Collaborators provide personal information and attend interviews, receiving compensation based on their participation.
3.4. Decoy investigation by security researchers[26]
Chollima Recruitment
Mauro Eldritch of Birmingham Cyber Arms, a cyber threat intelligence company, discovered that several people (accounts) on GitHub were looking for people to attend interviews on their behalf for .NET, Java, C#, Python, JavaScript, Ruby, Go, blockchain, and so on. The recruitment messages stated that applicants did not need to be familiar with technical fields, that they would be given support to provide accurate answers during interviews, that "[Chollima's] team of experienced developers" would do the actual work once hired, and that applicants would be paid about $3,000 per month.

Messages stated that the sender had reviewed the recipient's GitHub and LinkedIn profiles, wanted to offer an opportunity, and asked the recipient to attend an interview on their behalf. They claimed another developer could take over the work after hiring, while the collaborator would still get paid (left). The sender's GitHub account showed many other developers receiving similar messages (right).
Eldritch believed that this was a recruitment by North Korean agents for the "use of external collaborators" described above. Then, together with Heiner García of the other threat intelligence company "NorthScan" (both hereinafter referred to as "researchers"), they decided to actually contact Chollima recruiters and conduct an undercover investigation to observe their infiltration process from the inside to uncover the full story of the North Korean operatives disguised as IT workers.
Researchers contact Chollima and start investigation
Previously, Chollima had abused GitHub's features to send large numbers of comments (messages) inviting recipients to attend proxy interviews. Since these were public, the researchers set their sights on one of the recipients, "Jones", who lives in the United States, and created a new account with the same name that closely resembled his profile.
Posing as Jones, they continued the conversation via web meetings and Telegram. To avoid revealing themselves, the researchers disabled cameras, which raised recruiter suspicion. Nonetheless, the researchers asked precise questions to elicit details, including instructions and the intended use of spoofed IDs.
After these exchanges, the recruiter requested constant access to the machine so that he could work remotely from his "Jones" PC. He also stated that in order to apply for a job interview with the target company, he would need an ID, name, residence credentials, and address. As for the compensation to be paid, it was 20% of the salary if "Jones" was interviewed with the full support of the recruiter, and 10% if the recruiter was interviewed using "Jones' personal information and PC."

Monitoring the recruiter’s actions
At the recruiter’s request to “prepare a PC that can be accessed at all times,” the researchers—with help from ANY.RUN—provisioned a sandbox (a secure virtual environment) and used residential proxies so the device appeared to be in the U.S. Believing he had access to a real American engineer’s PC, the recruiter began operating on it; the researchers monitored all activity.
To limit harm and buy time for observation, the researchers induced benign system and network errors so the recruiter had to focus on troubleshooting rather than malicious tasks.
Tools used
At one point in the study, the recruiter logged into his Google account on the decoy investigation PC and enabled the sync function, which gave the researchers a lot of information, including the content of the emails the recruiter received and the tactics of the group. For example, the group actively utilized AI tools, some of which included automatically filling out job applications and providing real-time answers to applicants during interviews.
Presence of multiple teams
This recruiter belongs to a team within Chollima, and some of his colleagues work under his direction. According to the report, there are several other teams. When the researcher told the recruiter (to put pressure on him) that he had also been scouted by a (fictional) character from another team and offered a higher salary, the recruiter described the fictional character in foul language and asked the researcher to "ignore him and only work with him from now on." In some cases, multiple operatives were arranged to attend job interviews for the same role at the same target company on the same day, suggesting that there may be no coordination between different teams, the report said.
End of investigation
At one point, through deliberate manipulation by the researchers, the recruiter suddenly lost Internet access. When he complained about the frequent PC glitches, the researchers disabled the proxy and re-enabled the Internet connection. When the recruiter then looked up the PC's location online, it showed not the United States, as he had believed, but Germany (via VPN). This is where the investigation ended: the researchers did not respond to the recruiter's doubts and crashed the PC.

When Chollima recruiters notice the situation, they impatiently ask the researcher: "You're located in Germany, aren't you?" "I want you to tell me the truth. You're using a VPN."
3.5. Summary
This investigation offers a rare inside view of North Korea’s IT‑worker infiltration tactics, revealing attacker behavior, psychology, tools, and organizational structure. Chollima’s primary weapon is not sophisticated malware but social engineering, exploiting human factors that technical controls alone cannot fully prevent.
Organizations should thoroughly verify résumés and work histories, remain alert to anomalous behavior during interviews, and recognize that when a legitimate applicant agrees to front for someone else, detection becomes difficult, especially in remote‑only processes. Risks can be reduced by in‑person interviews and regular (or ad‑hoc) on‑site work requirements. Strengthening Zero Trust, particularly least‑privilege access and continuous monitoring, can also limit damage from insider abuse.
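The summary's recommendation of continuous monitoring can be made concrete with the signals this investigation surfaced: a device that is remotely controlled around the clock (the recruiter asked for constant access to the "Jones" PC), sign-ins that arrive through VPN or proxy egress, and a device whose apparent location does not match the declared one. The Python below is an added example of that detection logic, not the researchers' or ANY.RUN's tooling. The log lines, field names, user names, and the list of remote-access tool names are all constructed assumptions for this example.

```python
"""Flag remote-onboarding anomalies in constructed endpoint and identity logs (added example)."""
import json
from collections import defaultdict
from typing import Dict, List

# Constructed sample telemetry, one JSON event per line. The field names (ts, user, event,
# src_country, vpn_or_proxy, process) are an assumption for this example, not a real schema.
SAMPLE_LOGS = """
{"ts": "2025-12-01T09:00:00Z", "user": "asmith", "event": "login", "src_country": "US", "vpn_or_proxy": false}
{"ts": "2025-12-01T09:02:11Z", "user": "jdoe", "event": "login", "src_country": "US", "vpn_or_proxy": false}
{"ts": "2025-12-01T09:10:45Z", "user": "jdoe", "event": "process_start", "process": "AnyDesk.exe"}
{"ts": "2025-12-01T17:00:00Z", "user": "asmith", "event": "process_start", "process": "Code.exe"}
{"ts": "2025-12-01T22:30:02Z", "user": "jdoe", "event": "login", "src_country": "US", "vpn_or_proxy": true}
{"ts": "2025-12-02T03:15:00Z", "user": "jdoe", "event": "login", "src_country": "DE", "vpn_or_proxy": false}
"""

# Country each new hire declared to HR as their work location (constructed).
DECLARED_LOCATION = {"jdoe": "US", "asmith": "US"}

# Unattended remote-control tools whose appearance on a brand-new hire's device deserves review.
# Illustrative list (assumption); tune it to the tools your organization actually sanctions.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe"}


def parse_logs(text: str) -> List[dict]:
    """Parse newline-delimited JSON events and order them by timestamp (ISO 8601 sorts lexically)."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def detect_anomalies(events: List[dict], declared: Dict[str, str]) -> Dict[str, List[str]]:
    """Return, per user, the signals suggesting the device is not where (or with whom) it should be.

    Signals:
      remote_access_tool:<name>   unattended remote-control software started on the device
      vpn_or_proxy_login          sign-in from an address flagged as VPN or proxy egress
      location_mismatch:<cc>      sign-in country differs from the declared work location
      multiple_login_countries    sign-ins from more than one country in the window
    """
    findings: Dict[str, List[str]] = defaultdict(list)
    countries: Dict[str, set] = defaultdict(set)
    for event in events:
        user = event["user"]
        if event["event"] == "process_start":
            name = event.get("process", "")
            if name.lower() in REMOTE_ACCESS_TOOLS:
                findings[user].append(f"remote_access_tool:{name}")
        elif event["event"] == "login":
            country = event.get("src_country", "??")
            countries[user].add(country)
            if event.get("vpn_or_proxy"):
                findings[user].append("vpn_or_proxy_login")
            expected = declared.get(user)
            if expected and country != expected:
                findings[user].append(f"location_mismatch:{country}")
    for user, seen in countries.items():
        if len(seen) > 1:
            findings[user].append("multiple_login_countries:" + ",".join(sorted(seen)))
    return dict(findings)


def users_to_review(findings: Dict[str, List[str]], threshold: int = 2) -> List[str]:
    """Users with at least `threshold` distinct signals, queued for human identity re-verification."""
    return sorted(user for user, signals in findings.items() if len(set(signals)) >= threshold)


if __name__ == "__main__":
    results = detect_anomalies(parse_logs(SAMPLE_LOGS), DECLARED_LOCATION)
    for user, signals in results.items():
        print(user, signals)
    print("review:", users_to_review(results))
```

No single signal is conclusive (a legitimate employee may travel or use a personal VPN), which is why the example only escalates users that accumulate several distinct signals; the escalation step should be a human re-verification of identity, consistent with the in-person and least-privilege measures recommended above. Residential proxies, as used in the investigation, defeat the country check by design, so the remote-access-tool signal on a freshly issued device is the more robust of the four.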
References
[18] Source: ANY.RUN - Smile, You're on Camera: A Live Stream from Inside Lazarus Group's IT Workers Scheme
[19] Source: ANY.RUN - Smile, You're on Camera: A Live Stream from Inside Lazarus Group's IT Workers Scheme
[20] Source: innovaTopia - CrowdStrike Warning: Chinese Hackers Increase Attacks in Latin America by 150% — Geopolitical Strategies for 5G Infrastructure
[21] Source: Mainichi Shimbun - Kim Jong-un named rocket 'Maxima' prestige likened to a legendary horse https://mainichi.jp/articles/20230602/k00/00m/030/021000c
[22] Source: ANY.RUN - Smile, You're on Camera: A Live Stream from Inside Lazarus Group's IT Workers Scheme
[23] Source: BleepingComputer - North Korea lures engineers to rent identities in fake IT worker scheme https://www.bleepingcomputer.com/news/security/north-korea-lures-engineers-to-rent-identities-in-fake-it-worker-scheme/
[24] Source: ZDNET Japan - North Korean IT Technicians Use AI to Falsely Identify Themselves at Employment - Security Companies Explain
[25] Source: ANY.RUN - Smile, You're on Camera: A Live Stream from Inside Lazarus Group's IT Workers Scheme
[26] Source: ANY.RUN - Smile, You're on Camera: A Live Stream from Inside Lazarus Group's IT Workers Scheme
[27] Source: ANY.RUN - Smile, You're on Camera: A Live Stream from Inside Lazarus Group's IT Workers Scheme
[28] Source: ANY.RUN - Lazarus #6: Asks to connect 24 7 and set a password for anydesk (YouTube) https://www.youtube.com/watch?v=PXsV7YpZvzk
[29] Source: ANY.RUN - Smile, You're on Camera: A Live Stream from Inside Lazarus Group's IT Workers Scheme
Disclaimer
Please note that while we do our best to ensure that the content of this article is accurate, we do not guarantee the content and do not compensate for any damages or losses incurred as a result of the use of this article. If you have any inquiries such as typographical errors, content errors, or other points in the article, please contact us at the following address.
Inquiries
NTT Security Japan Corporation
Professional Services OSINT Monitoring Team