13th October – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 13th October, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Qilin ransomware group has claimed responsibility for targeting Asahi, Japan’s largest brewing company, that had been hacked on September 29th. The attack resulted in the exfiltration of over 9,300 files totaling 27GB […] The post 13th October – Threat Intelligence Report appeared first on Check Point Research .
AI Analysis
Technical Summary
The October 13th, 2025 Threat Intelligence Report from Check Point Research covers several concurrent threats affecting organizations worldwide.

Ransomware: the Qilin group claimed responsibility for the attack on Asahi, Japan’s largest brewing company, which was compromised on September 29th. Over 9,300 files (27GB) of financial and operational data were exfiltrated and production was disrupted, the now-standard pattern of pairing data theft with operational sabotage to increase extortion leverage.

Botnet: the RondoDox campaign exploits 56 vulnerabilities, mostly remote code execution and command injection flaws (for example CVE-2023-1389, CVE-2024-3721 and CVE-2024-12856), against more than 30 device types including DVRs, NVRs, CCTV systems and web servers. It mixes recent and legacy bugs, including ones in end-of-life devices that will never be patched, in an “exploit shotgun” approach that fires every exploit at every target to maximize infections and the size of the controlled network.

Zero-days: Oracle E-Business Suite CVE-2025-61882 is an unauthenticated RCE in the BI Publisher Integration component; it is being exploited by Cl0p and other extortion groups to steal data from internet-exposed instances. Redis CVE-2025-49844 is a critical use-after-free in the Lua scripting engine that lets an authenticated client escape the Lua sandbox and execute code on the host. Because many internet-exposed Redis servers run without authentication, the “authenticated” prerequisite is often no barrier at all, which makes the bug attractive to botnets and ransomware operators.

Cloud: the Crimson Collective group targets AWS environments by harvesting exposed long-term credentials, escalating privileges (creating new IAM users and granting them administrative policies), resetting database passwords to reach the data, and then running extortion campaigns from inside the compromised accounts.
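The AWS activity described above leaves a recognisable trail in CloudTrail. The following hunting script is an added example written for this page, not code from Check Point Research or from any vendor product: it replays CloudTrail records in time order and correlates CreateUser, AttachUserPolicy (AdministratorAccess) and ModifyDBInstance (master password reset) per IAM user name. The sample records are constructed, the one-hour correlation window is an arbitrary choice, and the assumption that CloudTrail keeps the masterUserPassword key (with a redacted value) is noted in the code.

```python
"""Hunt CloudTrail for the privilege-escalation chain described above:
a new IAM user is created, AdministratorAccess is attached to it, and the
new identity resets an RDS master password."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"


@dataclass
class Finding:
    severity: str
    event_time: str
    actor: str
    source_ip: str
    detail: str


def _ts(s: str) -> datetime:
    # CloudTrail eventTime is ISO-8601 UTC with a trailing Z.
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _actor(event: dict) -> str:
    ident = event.get("userIdentity") or {}
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def analyze(events: list[dict], window: timedelta = timedelta(hours=1)) -> list[Finding]:
    """Replay events in time order and correlate them per IAM user name."""
    findings: list[Finding] = []
    created: dict[str, datetime] = {}  # user name -> when CreateUser was seen
    for e in sorted(events, key=lambda ev: ev["eventTime"]):
        name, rp = e["eventName"], e.get("requestParameters") or {}
        actor, ip, when = _actor(e), e.get("sourceIPAddress", "?"), _ts(e["eventTime"])

        if name == "CreateUser" and "userName" in rp:
            created[rp["userName"]] = when

        elif name == "AttachUserPolicy" and rp.get("policyArn") == ADMIN_POLICY:
            target = rp.get("userName", "?")
            if target in created and when - created[target] <= window:
                age = int((when - created[target]).total_seconds())
                findings.append(Finding("high", e["eventTime"], actor, ip,
                    f"AdministratorAccess attached to {target} {age}s after it was created"))
            else:
                findings.append(Finding("medium", e["eventTime"], actor, ip,
                    f"AdministratorAccess attached to existing user {target}"))

        elif name == "ModifyDBInstance" and "masterUserPassword" in rp:
            # Assumption: CloudTrail redacts the new password but keeps the key,
            # so the key's presence is the signal that the master password changed.
            severity = "high" if actor in created else "medium"
            findings.append(Finding(severity, e["eventTime"], actor, ip,
                f"RDS master password reset on {rp.get('dBInstanceIdentifier', '?')}"))
    return findings


# Constructed sample records (not real telemetry); only the fields the
# detection reads are populated, using CloudTrail's field names.
SAMPLE_EVENTS = [
    {"eventTime": "2025-10-08T09:12:03Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"},
     "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2025-10-08T09:12:40Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"},
     "requestParameters": {"userName": "svc-backup", "policyArn": ADMIN_POLICY}},
    {"eventTime": "2025-10-08T09:30:15Z", "eventSource": "rds.amazonaws.com",
     "eventName": "ModifyDBInstance", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "svc-backup"},
     "requestParameters": {"dBInstanceIdentifier": "prod-orders",
                           "masterUserPassword": "****", "applyImmediately": True}},
    # Benign: a routine read-only grant by an administrator, not flagged.
    {"eventTime": "2025-10-08T10:02:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "admin-jane"},
     "requestParameters": {"userName": "analyst",
                           "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.event_time} {f.actor}@{f.source_ip}: {f.detail}")
```

Run against the sample, the script raises two high-severity findings: the admin grant 37 seconds after user creation, and the RDS password reset performed by that same new user. Feeding real CloudTrail is a matter of loading the Records array from the S3 log objects; in production the source IP should also be compared with the creator's usual locations, since the legitimate key was used from an unfamiliar address in the campaign the report describes.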
Additional items include data breaches at Avnet and DraftKings, the resurgence of the XWorm RAT with new ransomware and data-theft plugins, and the ClayRat Android spyware campaign aimed at Russian users. The report also records a surge in ransomware activity alongside growing data-exposure risk from enterprise use of GenAI tools: 1 in 54 GenAI prompts was rated a high data-exposure risk. Check Point IPS and Threat Emulation provide protection against many of these threats. Taken together, the week combines ransomware, botnets, cloud intrusions and zero-day exploitation, and no single control addresses all of them; layered defenses are required.
Potential Impact
European organizations face significant risk from this multifaceted threat landscape. Exploitation of the zero-day vulnerabilities in widely deployed software such as Oracle E-Business Suite and Redis can lead to unauthenticated remote code execution, data theft and full host compromise, threatening the confidentiality, integrity and availability of sensitive business data. The RondoDox botnet’s targeting of IoT and network devices common in European industrial and commercial environments can disrupt operations and give attackers footholds for lateral movement. Cloud environments, particularly AWS, are exposed to credential theft and privilege escalation that can end in data breaches and extortion. Ransomware groups combining data exfiltration with extortion raise the likelihood of operational disruption and financial loss, and the exposure of sensitive data through enterprise GenAI tools further complicates data protection. Manufacturing, finance, public administration and cloud service providers across Europe are the sectors most exposed, with potential consequences including operational downtime, reputational damage, regulatory penalties under GDPR and substantial financial losses.
Mitigation Recommendations
European organizations should prioritize patching Oracle E-Business Suite for CVE-2025-61882 and Redis for CVE-2025-49844. Internet-exposed EBS instances should be treated as targeted until patched and reviewed for signs of compromise, since exploitation preceded public disclosure. Redis should not be reachable from the internet at all; where exposure cannot be removed immediately, require authentication and, until the fix is applied, use ACLs to deny Lua scripting (the @scripting category, which covers EVAL and EVALSHA) to every user that does not need it, because the bug is only reachable by a client that can run scripts. Build a complete inventory of IoT and network devices and segment them from core systems to shrink the surface RondoDox exploits; isolate or replace legacy and end-of-life devices that will never receive a patch. Strengthen cloud security posture management to find and revoke exposed AWS credentials, enforce least-privilege IAM policies, and alert on anomalous activity such as unexpected IAM user creation, attachment of administrative policies and database password resets. Deploy endpoint detection and response (EDR) capable of recognizing ransomware and RAT behaviour, including XWorm and Qilin tooling. Put controls and monitoring around GenAI tool usage so that sensitive data is not pasted into prompts. Run threat hunting and penetration testing focused on these threats, maintain incident response plans that cover ransomware and cloud-account compromise, work with threat intelligence providers to keep indicators of compromise current, and enforce multi-factor authentication (MFA) on all critical systems and cloud platforms to blunt credential-based attacks.
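The Redis advice above reduces to three checks on the server configuration: is it listening on the network, can clients connect without a password, and can the connecting user run Lua or FUNCTION commands. The audit below is an added example written for this page, not a tool from Redis or Check Point. It parses inline redis.conf directives and ACL user rules (an external aclfile is not read, an assumption stated in the code), shows a weak configuration next to a hardened one, and deliberately treats a lone "-eval" as insufficient because EVALSHA and FCALL would remain reachable. Both configurations are constructed.

```python
"""Audit a redis.conf for the conditions that turn CVE-2025-49844 into an
unauthenticated remote compromise: the server listens on the network, clients
need no password, and the connecting user may run Lua/FUNCTION commands."""
import shlex

WILDCARD_BINDS = {"0.0.0.0", "*", "::", "::*"}
SCRIPT_CMDS = {"eval", "evalsha", "eval_ro", "evalsha_ro", "fcall", "fcall_ro", "function"}


def parse_directives(conf_text: str) -> list[tuple[str, list[str]]]:
    """Return (directive, args) pairs, skipping blank and comment lines."""
    out = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        out.append((parts[0].lower(), parts[1:]))
    return out


def scripting_allowed(rules: list[str], allowed: bool) -> bool:
    """Replay ACL command rules in order. Simplification (assumption): only
    category-level rules close the hole; a lone '-eval' is ignored because
    EVALSHA and FCALL would still be reachable."""
    for rule in rules:
        r = rule.lower()
        if r in ("allcommands", "+@all", "+@scripting"):
            allowed = True
        elif r in ("nocommands", "-@all", "-@scripting"):
            allowed = False
        elif r.startswith("+") and r[1:].split("|")[0] in SCRIPT_CMDS:
            allowed = True
    return allowed


def audit_redis(conf_text: str) -> list[str]:
    """Return human-readable findings; an empty list means none of the three
    exposure conditions was found in the inline configuration."""
    findings = []
    directives = parse_directives(conf_text)
    last = {k: v for k, v in directives if k != "user"}  # last occurrence wins
    users: dict[str, list[str]] = {}                      # inline 'user' lines only;
    for k, v in directives:                               # an aclfile is not parsed here
        if k == "user" and v:
            users.setdefault(v[0], []).extend(v[1:])

    binds = last.get("bind", [])
    if not binds or any(a.lstrip("-") in WILDCARD_BINDS for a in binds):
        findings.append("bind: server listens on all interfaces (no bind directive or a wildcard address)")
    if (last.get("protected-mode") or ["yes"])[0].lower() == "no":
        findings.append("protected-mode no: remote clients are accepted even without a password")

    requirepass = bool((last.get("requirepass") or [""])[0])
    # The default user starts as 'on nopass ~* &* +@all'; requirepass supplies its
    # password unless an explicit 'user default' line takes over.
    for name, rules in {"default": [], **users}.items():
        is_default = name == "default"
        enabled = is_default
        nopass = is_default and not (requirepass and "default" not in users)
        for rule in rules:
            r = rule.lower()
            if r == "on":
                enabled = True
            elif r == "off":
                enabled = False
            elif r == "nopass":
                nopass = True
            elif r == "resetpass" or r[0] in "#>":   # setting a password clears nopass
                nopass = False
        if not enabled:
            continue
        if nopass:
            findings.append(f"user {name}: enabled with nopass, any client can authenticate")
        if scripting_allowed(rules, allowed=is_default):
            findings.append(f"user {name}: may run EVAL/EVALSHA/FCALL, add -@scripting until patched")
    return findings


# Constructed example configurations (not from any real deployment).
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
# requirepass is commented out, so the default user stays 'nopass'
"""

HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
port 6379
user default off
user app on >CorrectHorseBatteryStaple ~app:* &* +@all -@scripting
user ops on >AnotherLongRandomSecret ~* &* +@all -@scripting -@dangerous
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis(conf) or ["no findings"])
```

The weak configuration produces four findings (wildcard bind, protected mode off, passwordless default user, scripting allowed to that user); the hardened one produces none. Denying @scripting is a stop-gap for users that do not need Lua, not a replacement for the patch, and any application user that legitimately runs scripts still needs the fixed Redis release.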
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden
Technical Details
Article Source: https://research.checkpoint.com/2025/13th-october-threat-intelligence-report/ (fetched 2025-10-13T08:56:57Z, 1020 words)