Cyber Attack Trends 2025 🚀. AI Threat Landscape Expands 🤖

Hello, here is your daily Cybersecurity & AI Threat Intelligence brief for January 31, 2026.

Today's headlines

• Ransomware incidents hit a record high in 2025, according to Check Point's annual report.
• Five publicly available tools are repeatedly leveraged in global cyber incidents.
• Iran-linked RedKitten campaign intensifies targeting of human‑rights NGOs.
• Agentic tool‑chain attacks pose new risks to AI‑driven systems.
• The “Turkish Rat” Adwind phishing operation shows sophisticated evasion techniques.
• A critical vulnerability dubbed “Next WannaCry” could affect millions of devices.

1️⃣ Ransomware Surge Sets New Record

Key Points:

• Global ransomware incidents rose by 27% in 2025.
• Attackers increasingly exploit supply‑chain weaknesses.
• Average ransom demand reached $750,000 per incident.
• Emerging ransomware-as-a-service platforms lowered entry barriers.

Description:

Check Point's 2026 Cyber Security Report documents a significant increase in ransomware activity during 2025, highlighting a 27% rise in incidents worldwide and a shift toward targeting supply‑chain partners. The report notes that ransomware‑as‑a‑service models have lowered the technical threshold for new actors, leading to a broader threat landscape.

Why It Matters:

Understanding the scale and tactics of the ransomware surge helps organizations prioritize patch management, backup strategies, and supply‑chain security, reducing the likelihood of costly disruptions and data loss.

2️⃣ Publicly Available Tools Fuel Global Attacks

Key Points:

• Five tools identified as frequently used in recent incidents.
• Tools span credential dumping, remote access, and data exfiltration.
• Both state actors and cybercriminals leverage the same utilities.
• Availability of these tools challenges attribution efforts.

Description:

The CISA advisory highlights five publicly available tools that have been employed across sectors such as health, finance, government, and defense. These utilities, originally released for legitimate purposes, are repurposed by a diverse set of threat actors, complicating defensive measures and attribution.

Why It Matters:

Awareness of commonly abused tools enables security teams to implement specific detection signatures and harden vulnerable endpoints, mitigating the risk of widespread compromise.

 3️⃣ RedKitten Targets Human‑Rights NGOs

Key Points:

• Iran‑linked group uses spear‑phishing emails with malicious macros.
• Campaign focused on NGOs, activists, and journalists.
• Malware exfiltrates communications and location data.
• Attribution to RedKitten reinforced by infrastructure reuse.

Description:

A new campaign attributed to the Iran‑linked RedKitten group has been observed targeting human‑rights NGOs and individual activists. The attackers distribute weaponized Office documents that, once opened, install a custom backdoor capable of stealing emails, documents, and geolocation data.

Why It Matters:

The campaign underscores the heightened risk to civil‑society organizations, emphasizing the need for robust email security, user training, and endpoint monitoring to protect sensitive advocacy work.

 4️⃣ Agentic Tool‑Chain Attacks Threaten AI Systems

Key Points:

• AI agents can be hijacked through malicious tool‑chain components.
• Attacks manipulate schema enforcement and boundary verification.
• Detection relies on reasoning telemetry and anomaly tracking.
• Guidance includes strict baseline definitions and continuous monitoring.

Description:

CrowdStrike’s research outlines a new class of attacks that target the tool‑chains used by autonomous AI agents. By compromising components such as schema validators or boundary checkers, adversaries can steer AI behavior toward unauthorized actions, making traditional security controls insufficient.

Why It Matters:

As organizations integrate generative AI agents into critical workflows, understanding and mitigating tool‑chain vulnerabilities is essential to prevent data leakage, privilege escalation, and operational disruption.

 5️⃣ Turkish Rat (Adwind) Phishing Campaign Evolves

Key Points:

• Adwind leverages AI‑generated lure content to evade filters.
• Campaign targets finance and energy sectors across Europe.
• New obfuscation techniques bypass sandbox analysis.
• Indicators of compromise updated in ThreatCloud.

Description:

Check Point identifies a sophisticated evolution of the Turkish Rat (Adwind) phishing campaign, now employing AI‑generated content to increase credibility. The operation attacks financial and energy organizations in Europe, using advanced obfuscation to avoid detection by traditional sandbox environments.

Why It Matters:

The campaign demonstrates how threat actors are integrating AI to enhance social engineering, highlighting the need for dynamic email defenses and threat‑intel integration.

 6️⃣ “Next WannaCry” Vulnerability Discovered

Key Points:

• Critical flaw in SMB protocol allows remote code execution.
• Exploit chain can spread laterally without user interaction.
• Patch released for supported Windows versions; older systems remain at risk.
• Emergency advisories issued by multiple national CERTs.

Description:

Researchers from Check Point have uncovered a high‑severity vulnerability in the SMB protocol, dubbed the “Next WannaCry.” The flaw enables unauthenticated remote code execution and rapid lateral movement, reminiscent of the 2017 ransomware outbreak. Patches are now available for supported Windows releases.

Why It Matters:

Prompt patch deployment and network segmentation are critical to prevent a potential widescale ransomware campaign that could exploit this vulnerability across enterprise environments.

Stay vigilant and keep your defenses updated.