
3rd November – Threat Intelligence Report

Medium
Vulnerability
Published: Mon Nov 03 2025 (11/03/2025, 09:53:13 UTC)
Source: Check Point Research

Description

For the latest discoveries in cyber research for the week of 3rd November, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

The Everest ransomware group has claimed responsibility for a series of attacks impacting AT&T, Dublin Airport, and Air Arabia. The ransomware gang exfiltrated sensitive data including 576,000 AT&T applicant records, 1.5 million […]

The post 3rd November – Threat Intelligence Report appeared first on Check Point Research.

AI-Powered Analysis

Last updated: 11/03/2025, 09:58:35 UTC

Technical Analysis

This threat intelligence report outlines a series of coordinated and opportunistic cyberattacks by multiple ransomware groups and nation-state actors exploiting both known and zero-day vulnerabilities. The Everest ransomware group has claimed responsibility for attacks on major entities including AT&T, Dublin Airport, Air Arabia, and Sweden’s Svenska kraftnät, exfiltrating hundreds of thousands to millions of sensitive records such as applicant data, passenger files, employee records, and internal operational data. These attacks demonstrate the group’s capability to target critical infrastructure and large enterprises across sectors.

Simultaneously, the Cl0p ransomware group exploited a zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite to breach Pan American Silver Corp, Schneider Electric, and Cox Enterprises, with data already leaked and ransom demands ongoing. The Akira ransomware gang targeted Apache OpenOffice systems, exfiltrating sensitive employee and financial data, though end-user installations remain unaffected. Nation-state actors compromised Ribbon Communications, accessing files of government agencies and telecom providers, indicating espionage or strategic intelligence gathering. Other breaches include Dentsu’s US subsidiary Merkle and a politically sensitive data leak involving US House Democratic applicants.

Critical vulnerabilities such as CVE-2025-59287 in Microsoft Windows Server Update Services are actively exploited to harvest Active Directory and network data, while Google Chrome’s V8 engine vulnerabilities (CVE-2025-12036 and CVE-2025-12428) exposed billions of users to remote code execution risks prior to patching. Emerging threats include CSRF and remote code execution flaws in AI browsers like OpenAI’s Atlas and zero-click exploits (Shadow Escape) in AI assistants, enabling data exfiltration that bypasses traditional security controls.

Additional campaigns include hacktivist DDoS attacks by Hezi Rash targeting Germany and other countries, and a China-affiliated UNC6384 campaign targeting European diplomatic and government entities via spear-phishing and malware deployment. The report underscores the evolving threat landscape combining ransomware, zero-day exploitation, nation-state espionage, and AI-targeted attacks.

Potential Impact

European organizations face significant risks from these threats due to direct targeting of critical infrastructure (e.g., Dublin Airport, Svenska kraftnät), multinational corporations with European operations, and widespread use of vulnerable software platforms such as Oracle E-Business Suite, Microsoft Windows Server Update Services, and Google Chrome. The exfiltration of sensitive personal, operational, and strategic data can lead to severe confidentiality breaches, reputational damage, regulatory penalties under GDPR, and operational disruptions. Ransomware attacks threaten availability by encrypting critical systems and demanding payment, potentially impacting public services and essential infrastructure. Nation-state espionage campaigns targeting government and diplomatic entities risk compromising national security and sensitive policy information. The exploitation of zero-day vulnerabilities and advanced persistent threats complicates detection and response, increasing the likelihood of prolonged intrusions. AI assistant and browser vulnerabilities introduce novel attack vectors that may affect a broad user base, including corporate environments relying on AI tools. The combined effect is a heightened threat environment requiring urgent and sophisticated defensive measures to protect European digital assets and maintain operational resilience.

Mitigation Recommendations

European organizations should prioritize the following measures:

- Immediately patch all known critical vulnerabilities, especially CVE-2025-61882 in Oracle E-Business Suite, CVE-2025-59287 in Microsoft WSUS, and the recent Chrome V8 engine patches.
- Deploy advanced intrusion detection and prevention systems (IPS) with signatures updated to detect Everest, Cl0p, and Akira ransomware activities, as well as known malware like PlugX.
- Implement network segmentation and least privilege access to limit lateral movement, particularly in critical infrastructure and sensitive environments.
- Enhance monitoring of Active Directory and network configurations for anomalous activity indicative of exploitation attempts.
- Conduct targeted phishing awareness and spear-phishing simulations to reduce the success rate of social engineering attacks, especially in government and diplomatic sectors.
- Employ AI security solutions capable of detecting malicious instructions embedded in AI assistant interactions and documents.
- Establish robust incident response plans, including data backup and recovery strategies tested against ransomware scenarios.
- Collaborate with national cybersecurity centers and share threat intelligence to stay ahead of evolving tactics.
- For organizations using Salesforce Marketing Cloud or similar platforms, audit and secure mailing list platforms to prevent abuse.
- Finally, consider threat hunting focused on indicators related to the Hezi Rash and UNC6384 campaigns, particularly in countries with a history of being targeted.


Technical Details

Article Source: https://research.checkpoint.com/2025/3rd-november-threat-intelligence-report/ (fetched 2025-11-03T09:58:16.635Z, 986 words)

Threat ID: 69087cb87dae335bea0b08dd

Added to database: 11/3/2025, 9:58:16 AM

Last enriched: 11/3/2025, 9:58:35 AM

Last updated: 11/3/2025, 3:04:36 PM

