29th September – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 29th September, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES: Stellantis, the automotive giant that owns Citroën, FIAT, Jeep, Chrysler, and Peugeot, has suffered a data breach that exposed North American customer contact information after attackers accessed a third-party […] The post 29th September – Threat Intelligence Report appeared first on Check Point Research.
AI Analysis
Technical Summary
The 29th September 2025 Threat Intelligence Report from Check Point Research summarises the week's notable breaches, vulnerabilities and campaigns, several of which bear directly on European organizations. Stellantis, the automotive group that owns Citroën, FIAT, Jeep, Chrysler and Peugeot, disclosed a breach of North American customer contact data after attackers compromised a third-party platform integrated with its Salesforce environment; the ShinyHunters group claimed to have taken more than 18 million Salesforce records. Volvo Group North America confirmed that its third-party HR software provider, Miljödata, had suffered a ransomware attack that exposed employee personal data including Social Security numbers; the DataCarry group claimed the attack and leaked the stolen data. In the UK, the nursery chain Kido was hit by the Radiant ransomware group, which stole data on roughly 8,000 children and staff and threatened to publish it unless a ransom was paid; UK authorities are investigating. On the vulnerability side, SolarWinds Web Help Desk received a fix for CVE-2025-26399, an unauthenticated remote code execution flaw caused by unsafe deserialization in its AjaxProxy component. It is a patch bypass of CVE-2024-28988, which was itself a bypass of CVE-2024-28986, a flaw exploited in the wild, so this code path has a history of incomplete fixes and deserves verification rather than trust in the version number alone. Cisco patched three flaws in ASA and FTD software: CVE-2025-20333, an authenticated remote code execution bug in the VPN web server; CVE-2025-20362, an unauthenticated access-control bypass that exposes restricted URL endpoints and can be chained with CVE-2025-20333 for unauthenticated code execution; and CVE-2025-20363, a further unauthenticated remote code execution flaw. Cisco reported the first two as exploited zero-days. Finally, CVE-2025-10184 in OnePlus OxygenOS lets any installed app read SMS and MMS content without holding the READ_SMS permission and without user interaction, enabling silent exfiltration of one-time codes and therefore bypass of SMS-based multi-factor authentication.
The report also profiles Nimbus Manticore, an Iranian state-aligned actor targeting European defence and telecommunications organizations with spear-phishing that leads to fake HR or careers portals, DLL side-loading into legitimate signed executables, and heavily obfuscated malware carrying valid code-signing certificates, a combination built for evasion and long-term persistence. Separately, more than 4,300 domains imitating FIFA World Cup 2026 branding were registered, mostly through GoDaddy and Namecheap, to run fake ticket, streaming and merchandise scams aimed at fans and at organizations connected to the event. The LockBit ransomware family continues to evolve, with variants for Windows, Linux and VMware ESXi that use obfuscation, reflective DLL loading and anti-forensic measures, and that refuse to run on systems with Russian locale settings. Taken together, the week combines ransomware, espionage, supply-chain compromise and social engineering, with direct implications for European organizations across several sectors.
Potential Impact
European organizations face several distinct risks from the threats in the report. The Stellantis and Volvo Group North America incidents both began at a third-party provider integrated with a core business system, the pattern of supply-chain and service-provider exposure that European companies share. The ransomware attack on the Kido nursery chain shows how an attack on a sensitive sector such as childcare translates into severe reputational damage, regulatory scrutiny and operational disruption within Europe. Nation-state campaigns by actors such as Nimbus Manticore pose espionage and intellectual-property theft risks to European defence and telecom sectors, with potential consequences for national security and critical infrastructure. The SolarWinds Web Help Desk and Cisco ASA/FTD flaws threaten the confidentiality, integrity and availability of European IT environments, all the more so because the Cisco flaws were exploited before fixes were available and the SolarWinds flaw is the third fix for the same bug. The OnePlus OxygenOS vulnerability undermines SMS-based MFA, still a common control in Europe, and so can enable unauthorized access to accounts that rely on it. The fraudulent FIFA World Cup 2026 domains enable phishing and payment fraud against European consumers and the organizations involved in the event. LockBit's cross-platform variants threaten European enterprises running both physical hosts and VMware ESXi virtualization, raising the risk of data loss and prolonged downtime. Collectively, these threats can result in data breaches, financial losses, regulatory penalties under GDPR, erosion of customer trust, and disruption of critical services across Europe.
Mitigation Recommendations
European organizations should respond with layered controls matched to these specific threats. Third parties first: inventory every supplier and SaaS integration that holds personal data or has API access to core systems such as Salesforce or HR platforms, enforce contractual security requirements, and scope integration credentials and connected apps to the minimum objects and record volumes they need; continuously monitor third-party access and data flows and alert on bulk exports or logins from unexpected sources, since the Stellantis and Volvo incidents both started at a provider rather than at the victim. Patch with priority: apply the SolarWinds Web Help Desk and Cisco ASA/FTD fixes immediately, use automated deployment and vulnerability scanning to find stragglers, keep Web Help Desk off the public internet, and, because the Cisco flaws were exploited before patches existed, follow Cisco's published guidance for assessing whether a device was already compromised before treating it as clean. For mobile fleets, and OnePlus devices in particular, use MDM to allow-list applications and block installation of untrusted apps, but also treat SMS one-time codes as exposed on affected handsets and move those users to app-based or FIDO2/passkey authenticators. Strengthen endpoint detection for DLL side-loading (for example, system-library names loaded from user-writable directories beside an unexpected host binary) and for the persistence and obfuscation techniques described for Nimbus Manticore. Harden email security and run targeted awareness training against spear-phishing and fake HR portals, especially in the defence and telecom sectors. Feed DNS filtering and domain-reputation services with lookalike-domain detection so that FIFA World Cup 2026 scam domains are blocked before users reach them. Maintain ransomware resilience through offline, regularly tested backups, network segmentation that includes the management interfaces of ESXi hosts, and incident-response playbooks rehearsed for ransomware, given LockBit's cross-platform variants. Finally, meet GDPR obligations by notifying the supervisory authority within 72 hours of becoming aware of a personal data breach and by communicating transparently with affected individuals and regulators.
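The recommendation above to block fraudulent World Cup domains depends on being able to spot them before a reputation feed catches up. The following triage script is an added example, not the report's or Check Point's code. It takes a feed of newly observed domains (certificate-transparency logs, passive DNS or a registrar zone feed are all assumed sources; the list below is constructed and uses the reserved .example TLD) and scores each name for brand impersonation: brand tokens found verbatim, recovered after undoing common homoglyph swaps, or within one edit, plus scam context words such as "tickets" or "stream". The token lists, thresholds and the single allow-list entry fifa.com are this example's choices, and the registrable-domain split is deliberately naive.

```python
"""Lookalike-domain triage for FIFA World Cup 2026 scam registrations.

Added example, not the report's or Check Point's code. Each domain from an
assumed feed is scored for brand impersonation; thresholds, word lists and
the allow-list are example choices, and the sample feed is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

ALLOWLIST = {"fifa.com"}  # assumed legitimate; load from your own verified inventory
BRAND_TOKENS = ("fifa", "worldcup", "wc2026")
CONTEXT_WORDS = ("ticket", "stream", "merch", "jersey", "official", "shop", "giveaway")
HOMOGLYPHS = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
THRESHOLD = 3  # one confident brand hit is enough; a fuzzy hit needs context


@dataclass
class Verdict:
    domain: str
    score: int
    reasons: list[str] = field(default_factory=list)


def registrable(domain: str) -> str:
    """Everything left of the last label. Naive: co.uk-style suffixes keep 'co'."""
    return "-".join(domain.lower().strip(".").split(".")[:-1])


def normalise(s: str, deglyph: bool = False) -> str:
    """Lowercase, optionally undo homoglyph tricks, then drop separators so
    'world-cup' and 'worldcup' compare equal."""
    s = s.lower()
    if deglyph:
        s = s.replace("rn", "m").replace("vv", "w")
        s = "".join(HOMOGLYPHS.get(ch, ch) for ch in s)
    return re.sub(r"[^a-z0-9]", "", s)


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def near(token: str, s: str) -> bool:
    """True if some substring of s is within one edit of token."""
    n = len(token)
    for w in (n - 1, n, n + 1):
        for i in range(max(1, len(s) - w + 1)):
            if levenshtein(token, s[i:i + w]) <= 1:
                return True
    return False


def assess(domain: str) -> Verdict | None:
    domain = domain.lower()
    if domain in ALLOWLIST:
        return None
    raw = normalise(registrable(domain))
    dg = normalise(registrable(domain), deglyph=True)
    v = Verdict(domain, 0)
    for tok in BRAND_TOKENS:
        tok_dg = normalise(tok, deglyph=True)  # compare like with like after deglyphing
        if tok in raw:
            v.reasons.append(f"brand token '{tok}'"); v.score += 3
        elif tok_dg in dg:
            v.reasons.append(f"brand token '{tok}' hidden by homoglyphs"); v.score += 3
        elif near(tok_dg, dg):
            v.reasons.append(f"near match to '{tok}'"); v.score += 1
    if "2026" in raw:
        v.reasons.append("tournament year"); v.score += 1
    for word in CONTEXT_WORDS:
        if word in dg:
            v.reasons.append(f"scam context word '{word}'"); v.score += 1
    return v if v.score >= THRESHOLD else None


def triage(domains: list[str]) -> list[Verdict]:
    return [x for x in map(assess, domains) if x]


# Constructed feed: four impersonations, one allow-listed name, and two names
# that merely resemble the brand and must not be flagged.
SAMPLE_FEED = [
    "fifa.com",
    "fifa-worldcup2026-tickets.example",
    "f1fa-tickets.example",
    "worldcup2026stream.example",
    "wc-2026-jerseys.example",
    "fifty-shades-store.example",
    "cupcake-world.example",
]

if __name__ == "__main__":
    for v in triage(SAMPLE_FEED):
        print(f"[{v.score}] {v.domain}: {', '.join(v.reasons)}")
```

The "fifty-shades-store.example" entry is the case that matters: "fift" is one edit from "fifa", so a bare edit-distance rule would flag it, but with no year or scam context it stays below the threshold. Punycode (xn--) labels should be decoded with the idna codec before normalising; that step is omitted here for brevity. Output from such a script belongs in the block list of the DNS filter or proxy, with the reasons kept for analyst review.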
Affected Countries
United Kingdom, France, Germany, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Czech Republic
Technical Details
- Article Source: https://research.checkpoint.com/2025/29th-september-threat-intelligence-report/ (fetched 2025-10-07, 992 words)