Insights, news, education and announcements from PolySwarm | SSL VPN

Akira Reloaded

Oct 7, 2025 1:04:01 PM / by The Hivemind posted in Threat Bulletin, Data Exfiltration, credential theft, SonicWall VPN, Ransomware Campaign, Akira Ransomware, CVE-2024-40766, SSL VPN

Verticals Targeted: Real Estate, Insurance, Energy, Manufacturing, Legal Services, Healthcare, Construction, Retail, Agriculture, Finance, Business Services, Transportation, Software, Hospitality, Government, Telecommunications
Regions Targeted: US, Europe, South America, Australia, Canada, India, Africa

Executive Summary

A surge in Akira ransomware attacks since July 2025 exploits SonicWall VPNs via CVE-2024-40766, enabling rapid credential-based intrusions with dwell times as short as 55 minutes. Threat actors leverage stolen credentials, bypass MFA, and deploy tools such as Impacket and WinRAR for lateral movement and data exfiltration, targeting organizations across various sectors.

Read More

BRICKSTORM Targets U.S. Tech and Legal Sectors with Stealthy Espionage

Oct 3, 2025 3:29:53 PM / by The Hivemind posted in Threat Bulletin, Evolving Threat, credential theft, SonicWall VPN, Ransomware Campaign, Akira Ransomware, CVE-2024-40766, SSL VPN, multi-factor authentication

Verticals Targeted: Legal Services, Software, Business Services, Technology
Regions Targeted: US
Related Families: BRICKSTEAL, SLAYSTYLE

Executive Summary

The BRICKSTORM backdoor, attributed to the suspected China-nexus threat cluster UNC5221, has been actively targeting U.S. organizations in the legal, SaaS, BPO, and technology sectors since March 2025, enabling prolonged espionage with an average dwell time of 393 days. This sophisticated malware leverages zero-day exploits and stealthy techniques to maintain persistent access, evade detection, and steal sensitive data, posing significant risks to critical infrastructure.

Read More