
August’s top threat actors: Ransomware, espionage and infostealers
Throughout the year we’ve observed ransomware attacks, data exfiltration and stealthy state-sponsored espionage. These are some of the most significant threats that surged in August 2025.
Qilin ransomware group (aka “Agenda”)
Qilin is a ransomware-as-a-service (RaaS) operation that we profiled in July. This Eastern European threat actor has become one of the world’s most active and damaging ransomware groups. First observed as “Agenda” in mid-2022, it was fully rebranded as Qilin by September 2022. The group works with affiliates who deploy its ransomware in victim networks; in return, the Qilin administrators maintain the data leak sites and manage the negotiations, payments, and profit-sharing arrangements. According to FalconFeeds threat intelligence, Qilin’s 2025 activity peaked in June and claimed 93 victims during the month of August. Comparitech’s August research differs slightly, attributing only 86 attacks to the group.
The Qilin ransomware payload can encrypt both Windows and Linux/VMware ESXi systems, which allows Qilin to target a wide range of enterprise assets. During execution, it deletes backups/shadow copies, encrypts the targeted files and renames encrypted files with an extension like .qilin. The ransomware exfiltrates sensitive data before encryption, and the group threatens to publish it if ransom demands aren’t met.
Qilin is continuing to attack high-value sectors like healthcare, automotive and manufacturing. Their RaaS system and attack tools are evolving, and the group has momentum going into September.
Key defenses against Qilin-style attacks:
- Segment IT and OT networks to isolate industrial control systems from internet-facing assets. Consider using the Purdue Model as a guide.
- Monitor for unusual data exfiltration patterns and large outbound transfers—Qilin often steals data before encryption.
- Disable PowerShell and scripting tools when possible. Ensure that system utilities and tools that are in use are visible and tightly controlled.
- Use honeypots and other defense tactics to detect lateral movement and ransomware staging activities.
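The exfiltration monitoring recommended above can be reduced to a simple per-host baseline check. The following is an added example (not Barracuda code, and not Qilin's tooling) that assumes flow telemetry has already been summarised into daily outbound byte counts per host; the three workstations and their volumes are constructed, with `ws-03` showing the sudden pre-encryption data staging pattern the text describes.

```python
"""Flag hosts whose outbound volume jumps far above their own baseline.

Added example: assumes flow records already summarised per host per day
as (host, day, bytes_out) tuples. Host names and volumes are constructed.
"""
from collections import defaultdict
from statistics import mean

# Constructed sample: 7 days of outbound bytes for three workstations.
# ws-03 jumps 40x on day 7, the kind of bulk transfer that precedes
# encryption in a double-extortion intrusion.
SAMPLE_FLOWS = [
    ("ws-01", d, 120_000_000 + (d * 3_000_000)) for d in range(1, 8)
] + [
    ("ws-02", d, 80_000_000) for d in range(1, 8)
] + [
    ("ws-03", d, 100_000_000 if d < 7 else 4_000_000_000) for d in range(1, 8)
]


def baseline_per_host(flows):
    """Group daily outbound byte counts by host, ordered by day."""
    per_host = defaultdict(list)
    for host, _day, nbytes in sorted(flows, key=lambda f: (f[0], f[1])):
        per_host[host].append(nbytes)
    return per_host


def detect_exfil(flows, ratio=5.0, min_bytes=1_000_000_000):
    """Return alerts for hosts whose latest day exceeds BOTH an absolute
    floor and `ratio` times the mean of the preceding days.

    Requiring both conditions keeps a small, noisy host from alerting and
    keeps a busy but stable host (a backup server, say) quiet as well.
    """
    alerts = []
    for host, series in baseline_per_host(flows).items():
        if len(series) < 3:
            continue  # not enough history to build a baseline
        history, latest = series[:-1], series[-1]
        base = mean(history)
        if latest >= min_bytes and latest >= ratio * base:
            alerts.append({
                "host": host,
                "latest_bytes": latest,
                "baseline_bytes": round(base),
                "ratio": round(latest / base, 1),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_exfil(SAMPLE_FLOWS):
        print(alert)
```

In production the baseline window would be longer and the floor tuned per network segment; the point of the two-condition test is that a single ratio or a single byte threshold each produces false positives the other suppresses.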
Akira ransomware group
The Akira RaaS group is one of the most active ransomware operations over its lifespan, consistently ranking in the top 3-5 threat actors for the number of victims. What sets Akira apart is the combination of its high operational tempo – attacking hundreds of organizations within a short span – and its steep ransom demands in the tens or even hundreds of millions of dollars (U.S.). Akira’s brand is recognized by its retro-styled leak site and the “.akira” file extension left on encrypted files.
Akira attacks often begin by exploiting known vulnerabilities in VPNs or other public-facing applications, especially if multi-factor authentication (MFA) is not enforced. Akira also uses phishing emails with malicious attachments or links to deploy malware loaders in victim networks. Once inside a network, Akira follows a typical attack chain for double extortion. Unlike some criminal groups, Akira makes no exceptions for medical institutions, government agencies or school districts. The group claimed 60 victims in August.
Akira was a significant threat to managed service providers in August, and continues to improve its attack tools and methods. The group remains significant going into September because of its use of exploits and the opportunities created by unpatched and outdated systems. Akira held roughly 19% of the ‘ransomware market share’ in the second quarter of 2025.
Key defenses against Akira-style attacks:
- Patch and monitor all VPN appliances, especially those brands and models known to be exploited by Akira.
- Use hardware-backed multifactor authentication like FIDO keys when possible. This is especially important for privileged and remote access logins.
- Prevent driver tampering by enabling memory integrity on supported systems to block bring-your-own-vulnerable-driver (BYOVD) techniques.
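Both Qilin and Akira leave a recognisable extension on encrypted files (`.qilin` and `.akira` above), and the honeypot tactic in the Qilin section applies to both. The following is an added example (not Barracuda code) of a detector that watches file-rename telemetry for a burst of those extensions from one process, and for any write to a planted decoy ("canary") file. The event tuples, decoy paths and the process name `svchost_upd.exe` are constructed for the demonstration.

```python
"""Detect a burst of renames to ransomware extensions, or a canary write.

Added example: assumes file-event telemetry normalised to
(timestamp_seconds, host, process_image, new_path). Decoy paths and
process names below are constructed.
"""
from collections import defaultdict, deque

RANSOM_EXTENSIONS = {".qilin", ".akira"}

# Decoy files planted where no legitimate process should ever write.
CANARY_PATHS = {
    r"\\fs01\shared\_archive\2019_invoices.xlsx",
    r"\\fs01\shared\_archive\payroll_old.docx",
}

# Constructed events: (time, host, process, new_path)
SAMPLE_EVENTS = [
    (100.0, "ws-07", "winword.exe", r"\\fs01\shared\report.docx"),
    (101.0, "ws-07", "explorer.exe", r"\\fs01\shared\notes.txt"),
    (200.0, "ws-11", "svchost_upd.exe", r"\\fs01\shared\q1.xlsx.qilin"),
    (200.3, "ws-11", "svchost_upd.exe", r"\\fs01\shared\q2.xlsx.qilin"),
    (200.6, "ws-11", "svchost_upd.exe", r"\\fs01\shared\_archive\2019_invoices.xlsx.qilin"),
    (200.9, "ws-11", "svchost_upd.exe", r"\\fs01\shared\q3.xlsx.qilin"),
    (201.2, "ws-11", "svchost_upd.exe", r"\\fs01\shared\q4.xlsx.qilin"),
    (500.0, "ws-02", "test.exe", r"\\fs01\shared\sample.akira"),
]


def ransom_extension(path):
    """Return the matching ransomware extension, or None."""
    lower = path.lower()
    for ext in RANSOM_EXTENSIONS:
        if lower.endswith(ext):
            return ext
    return None


def canary_touched(path):
    """True if the new path is one of the decoy files (with any suffix appended)."""
    lower = path.lower()
    return any(lower.startswith(c.lower()) for c in CANARY_PATHS)


def detect_encryption_burst(events, window=5.0, threshold=3):
    """Alert when one host/process renames >= `threshold` files to a
    ransomware extension within `window` seconds, or touches a canary.

    A burst alert fires once per (host, process); canary alerts fire on
    every hit because each one is unambiguous.
    """
    recent = defaultdict(deque)  # (host, process) -> timestamps inside window
    alerts, fired = [], set()
    for ts, host, proc, path in sorted(events):
        ext = ransom_extension(path)
        if ext is None:
            continue
        key = (host, proc)
        if canary_touched(path):
            alerts.append({"host": host, "process": proc, "reason": "canary", "ext": ext})
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop events that fell out of the sliding window
        if len(q) >= threshold and key not in fired:
            fired.add(key)
            alerts.append({"host": host, "process": proc, "reason": "burst",
                           "ext": ext, "count": len(q)})
    return alerts


if __name__ == "__main__":
    for alert in detect_encryption_burst(SAMPLE_EVENTS):
        print(alert)
```

The sliding window is what separates an encryption run from a single stray file; the decoy check is a cheap second signal that does not depend on any threshold.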
Lazarus Group
The Lazarus Group, also referred to as APT38, Hidden Cobra, and other aliases, is believed to operate within the government of the Democratic People’s Republic of Korea (DPRK), commonly referred to as North Korea. The group is known for the Sony Pictures hack in 2014 and the WannaCry ransomware campaign in 2017. Over more than a decade, Lazarus has targeted banking systems, government networks and cryptocurrency exchanges worldwide, using advanced malware and social engineering tactics for both financial gain and political objectives. The group has stolen more money via cyberattacks than any other threat actor in history, thanks in part to the billions stolen from the Bybit exchange and the Bangladesh Bank.
In August 2025, Lazarus Group debuted PyLangGhost, a Python-based remote access trojan (RAT) that attackers use in fake job interviews or business calls. The malware presents deceptive error messages that trick victims into running scripts and malicious code. When successful, these attacks grant remote access privileges to the attackers. PyLangGhost malware includes modules for reconnaissance, file operations and several other steps in the attack chain. This new malware is another demonstration of Lazarus Group’s technical sophistication and agility.
Lazarus has pivoted to stealthy software supply chain and open-source poisoning attacks. Their targets include developers, CI/CD pipelines, and cryptocurrency firms.
Key defenses against Lazarus Group attacks:
- Use software composition analysis (SCA) and lockfile monitoring to detect tampered open-source dependencies.
- Enforce signed commits and artifact provenance in CI/CD workflows to reduce dependency hijack risk.
- Implement developer-specific endpoint protection that flags unauthorized toolchains, credential theft attempts and code exfiltration.
- Monitor for beaconing from dev/test environments, as Lazarus frequently uses infected dev tools as stealthy persistence points.
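The lockfile monitoring recommended above amounts to diffing the lockfile against a known-good snapshot and ranking the kinds of change that matter. The following is an added example (not Barracuda's or npm's code) that assumes the npm `package-lock.json` layout with `lockfileVersion` 2 or 3, where `packages` is keyed by `node_modules/...` path and each entry carries `version`, `resolved` and `integrity`. Both lockfiles, the package names and the hash values are constructed.

```python
"""Audit a package-lock.json against a known-good baseline.

Added example: assumes npm lockfileVersion 2/3 layout. The two lockfiles,
package names, hosts and integrity strings below are constructed.
"""
import json
from urllib.parse import urlparse

TRUSTED_REGISTRY_HOSTS = {"registry.npmjs.org"}

BASELINE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "version": "1.0.0"},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-BASELINEAAAA"},
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
            "integrity": "sha512-BASELINEBBBB"},
    },
})

# Constructed "current" lockfile carrying three suspicious edits:
#  - lodash: same version, different integrity (tarball swapped)
#  - left-pad: resolved URL now points at an untrusted host
#  - helper-utils: new dependency that no manifest change introduced
CURRENT_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "version": "1.0.0"},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://mirror.example.invalid/left-pad-1.3.0.tgz",
            "integrity": "sha512-BASELINEAAAA"},
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
            "integrity": "sha512-TAMPEREDCCCC"},
        "node_modules/helper-utils": {
            "version": "0.0.1",
            "resolved": "https://registry.npmjs.org/helper-utils/-/helper-utils-0.0.1.tgz",
            "integrity": "sha512-NEWPKGDDDD"},
    },
})


def _packages(lock_text):
    """Return dependency entries, skipping the root ("") project entry."""
    data = json.loads(lock_text)
    return {k: v for k, v in data.get("packages", {}).items() if k}


def audit_lockfile(baseline_text, current_text):
    """Return (severity, package, message) findings for the current lockfile."""
    base, cur = _packages(baseline_text), _packages(current_text)
    findings = []
    for name, entry in cur.items():
        host = urlparse(entry.get("resolved", "")).hostname
        if host and host not in TRUSTED_REGISTRY_HOSTS:
            findings.append(("high", name, f"resolved from untrusted host {host}"))
        if name not in base:
            findings.append(("medium", name, "new dependency not in baseline"))
            continue
        old = base[name]
        same_version = old.get("version") == entry.get("version")
        if same_version and old.get("integrity") != entry.get("integrity"):
            # Same version but different tarball hash: the strongest hijack signal.
            findings.append(("high", name, "integrity changed with no version change"))
        elif not same_version:
            findings.append(("low", name,
                             f"version {old.get('version')} -> {entry.get('version')}"))
    for name in base:
        if name not in cur:
            findings.append(("low", name, "dependency removed"))
    return findings


if __name__ == "__main__":
    for finding in audit_lockfile(BASELINE_LOCK, CURRENT_LOCK):
        print(*finding)
```

Run as a CI step, a non-empty list of `high` findings is a reason to fail the build rather than merely warn: a version bump is ordinary churn, but a changed hash on an unchanged version or a tarball served from a host outside the registry is not.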
Lumma and RedLine stealers
Our last two threats are combined because they are so similar. Lumma and RedLine are by far the most active infostealer families in 2025. Infostealer malware is designed to infiltrate a system, identify and collect sensitive information on the system and transmit that data to a server controlled by an attacker. This makes them the ideal tool for initial access brokers (IABs) to steal and sell credentials to ransomware groups and other threat actors.
According to Hudson Rock infostealer intelligence, the August infostealer infection count is over 289,000. This is a 13% increase over the previous month. Other research shows that roughly one-third of all ransomware victims have discovered at least one infostealer infection within 16 weeks before the attack.
Most infostealers are linked to ransomware groups and cybercriminal ecosystems, but some nation-state actors have recently added infostealers to their arsenal. Hudson Rock research has discovered “a global wave of compromised Ministry of Foreign Affairs (MOFA) email accounts” linked to infostealers and stolen credentials.
The research detailed these victims and the impact of the attacks:
- Saudi Arabia (mofa.gov.sa): Credentials tied to the Kingdom’s MFA, vulnerable to misuse in Middle Eastern diplomacy.
- South Korea (mail.mofa.go.kr): Infections hitting Seoul’s foreign affairs systems, risking exposure of Indo-Pacific negotiations.
- United Arab Emirates (mofa.gov.ae): Breaches at Abu Dhabi’s MFA, a key player in Gulf diplomacy.
- Qatar (mofa.gov.qa): Compromised accounts in Doha, critical for mediating conflicts like Gaza.
- Others: Detections span MFAs in Europe, Asia, Africa, and the Americas, showing a widespread threat.
With these nation-state groups adopting these techniques, infostealers are being elevated from a common initial access attack to a geopolitical weapon.
Key defenses against infostealers like Lumma and RedLine:
- Enforce browser isolation for high-risk users or those who handle the most sensitive data. This will prevent cookie / session theft.
- Block access to known stealer C2 infrastructure and to domains ending in .top, .xyz and .ru. These TLDs are used by both families, though Lumma leans more on .xyz than RedLine does, and RedLine also uses .shop and .club. They are popular because they are inexpensive and registration checks are usually lax.
- Disable credential autofill and storage in browsers and enforce password manager use with strong multifactor authentication (MFA) policies.
- Deploy behavioral detection for unusual file access patterns like “login data” and “web data.”
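The behavioral detection recommended above is essentially: which process opened the browser's credential stores, and was it the browser? The following is an added example (not Barracuda code) that assumes file-read telemetry normalised to (host, process image, path). It uses the `Login Data` and `Web Data` names from the text plus `Cookies` and `Local State`, the Chromium profile files that hold session cookies and the encrypted key for the stores; the allow-list of browser binaries is a starting point, and the hosts, user names and the process `update_check.exe` are constructed.

```python
"""Flag non-browser processes reading browser credential and cookie stores.

Added example: assumes file-read telemetry as (host, process_image, path).
Events, hosts and the process name update_check.exe are constructed.
"""
import ntpath  # parse Windows paths regardless of the platform this runs on

# Chromium profile files that infostealers read; lower-cased for matching.
STEALER_TARGETS = {"login data", "web data", "cookies", "local state"}
# Browser binaries expected to open these stores (extend per environment).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe"}

SAMPLE_READS = [
    ("ws-21", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("ws-21", r"C:\Users\alice\AppData\Local\Temp\update_check.exe",
     r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("ws-21", r"C:\Users\alice\AppData\Local\Temp\update_check.exe",
     r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Web Data"),
    ("ws-21", r"C:\Users\alice\AppData\Local\Temp\update_check.exe",
     r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"),
    ("ws-22", r"C:\Windows\System32\notepad.exe", r"C:\Users\bob\Documents\todo.txt"),
    ("ws-22", r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     r"C:\Users\bob\AppData\Local\Microsoft\Edge\User Data\Default\Web Data"),
]


def is_credential_store(path):
    """True if the file name is one of the stores infostealers harvest."""
    return ntpath.basename(path).lower() in STEALER_TARGETS


def detect_store_access(reads):
    """Group store reads by (host, process) and score by distinct stores touched.

    A process that reads several stores in one session is rated higher than
    one that touches a single file, which can be a backup or sync agent.
    """
    hits = {}
    for host, image, path in reads:
        if not is_credential_store(path):
            continue
        if ntpath.basename(image).lower() in BROWSER_IMAGES:
            continue  # the browser reading its own profile is expected
        hits.setdefault((host, image), set()).add(ntpath.basename(path).lower())
    alerts = []
    for (host, image), stores in hits.items():
        alerts.append({
            "host": host,
            "process": image,
            "stores": sorted(stores),
            "severity": "high" if len(stores) >= 2 else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_store_access(SAMPLE_READS):
        print(alert)
```

Pairing this with the browser-isolation and autofill-disabling controls above reduces what a stealer can collect even when the read goes undetected; the detector then covers the residual case of a user who still has a browser-stored password.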
Barracuda can help
Let us help you maximize your protection and cyber resilience with the BarracudaONE AI-powered cybersecurity platform. The platform protects your email, data, applications, and networks, and is strengthened by a 24/7 managed XDR service, unifying your security defenses and providing deep, intelligent threat detection and response. Manage your organization’s security posture with confidence, leveraging advanced protection, real-time analytics and proactive response capabilities. Robust reporting tools provide clear, actionable insights, helping you monitor risks, measure ROI and demonstrate operational impact. Don’t miss the opportunity to get a demo of the platform from our cybersecurity experts.