Attackers planted web shells on websites and abused exposed applications during the last quarter of the year.
In a recent report, Cisco Talos, the threat intelligence and research arm of Cisco Systems, has shed light on several key trends in threat group activities, focusing on the use of web shells, remote access tools, and initial access methods in ransomware cases and web application attacks.
## Web Shells and Remote Access Tools
The report reveals a surge in the use of web shells and remote access tools, particularly in ransomware cases. Notably, a Python-based variant of the GolangGhost RAT, named PylangGhost, has been identified as a tool used by a North Korean-aligned threat actor known as Famous Chollima. This RAT, which primarily targets Windows systems, is used to infiltrate systems related to cryptocurrency and blockchain technologies.
Another notable campaign, Operation Celestial Force, employs GravityRAT, an Android-based malware, and a Windows-based malware loader called HeavyLift. This campaign, which has been active since at least 2018, targets Indian entities.
## Initial Access Methods
Threat actors are increasingly using phishing as an initial access vector, as seen in the Blind Eagle group's activities. This group uses phishing emails to deliver malicious payloads, targeting organizations across Latin America, particularly in Colombia.
The report also highlights the exploitation of vulnerabilities, such as CVE-2025-32713, CVE-2025-32714, and CVE-2025-47962, which are considered more likely to be exploited. However, these specific vulnerabilities are related to privilege elevation and are not directly tied to web shell or ransomware attacks.
## Ransomware and Web Application Attacks
While specific trends involving web shells in ransomware cases are not detailed, the report shows a major shift in the means of initial access, with public-facing applications becoming a significant point of entry. This marks a shift from prior quarters where initial access primarily came from valid accounts.
Web application attacks often involve exploiting vulnerabilities or using phishing to gain initial access, but specific trends involving web shells are not highlighted in the recent reports from Cisco Talos. The focus has been more on RATs and phishing campaigns.
In one case, an organization reported 13 million login attempts against known accounts in a 24-hour period, a volume that suggests the attacks were automated. More broadly, the Cisco Talos report documents several important changes in the tactics and tools used by threat groups.
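As an added illustration of the reasoning above (not code from the Talos report), this Python snippet flags a source whose failure volume against many distinct known accounts inside a short window points to scripted activity rather than a human mistyping a password; the log format, addresses and thresholds are constructed assumptions.

```python
"""Flag automated credential attacks against known accounts from auth logs.

Added example, not from the Cisco Talos report. Assumes a constructed log
format: "<ISO timestamp> <src_ip> <username> <OK|FAIL>".
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample lines: one source cycles through many accounts in seconds,
# while a human user fails once and then signs in successfully.
SAMPLE_LOG = """\
2025-06-01T10:00:00 203.0.113.7 alice FAIL
2025-06-01T10:00:01 203.0.113.7 bob FAIL
2025-06-01T10:00:01 203.0.113.7 carol FAIL
2025-06-01T10:00:02 203.0.113.7 dave FAIL
2025-06-01T10:00:02 203.0.113.7 erin FAIL
2025-06-01T10:00:03 203.0.113.7 frank FAIL
2025-06-01T10:05:00 198.51.100.4 alice FAIL
2025-06-01T10:05:20 198.51.100.4 alice OK
"""

def parse(lines):
    """Split each log line into (timestamp, source_ip, username, result)."""
    events = []
    for line in lines.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def flag_automated(lines, min_failures=5, max_window_s=60, min_accounts=3):
    """Return {ip: summary} for sources whose failures look scripted:
    many failures against many distinct accounts within a short window."""
    per_ip = defaultdict(list)
    for ts, ip, user, result in parse(lines):
        if result == "FAIL":
            per_ip[ip].append((ts, user))
    flagged = {}
    for ip, fails in per_ip.items():
        fails.sort()
        span = (fails[-1][0] - fails[0][0]).total_seconds()
        accounts = {user for _, user in fails}
        if (len(fails) >= min_failures and len(accounts) >= min_accounts
                and span <= max_window_s):
            flagged[ip] = {"failures": len(fails), "accounts": len(accounts),
                           "rate_per_min": round(len(fails) / max(span, 1) * 60, 1)}
    return flagged
```

Tuning the thresholds to a site's normal failure rate keeps the single-retry human user from being flagged while the many-account burst still stands out.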
The report by Cisco Talos serves as a valuable resource for organizations to understand the current cyber threat landscape and take the necessary measures to protect their systems and data. By staying informed about the latest trends and tactics used by threat actors, organizations can better prepare themselves against potential cyber attacks.
The report by Cisco Talos reveals an upward trend in the use of web shells and remote access tools, particularly in ransomware cases, such as the Python-based PylangGhost RAT. It also underlines the growing significance of public-facing applications as a point of entry for ransomware and web application attacks, a shift from prior quarters in which initial access primarily came from valid accounts.