Cyber Security Weekly Briefing, 20-26 December
Prince of Persia reappears with new malicious activity
The Iranian APT group Infy, also known as Prince of Persia, has reappeared with new malicious activity after nearly five years of apparent inactivity, according to a technical analysis by SafeBreach.
Active since at least 2004, the group has recently run a covert campaign against high-value targets in the Middle East, Europe, India and Canada, using updated versions of the Foudre downloader and the Tonnerre implant to profile victims and exfiltrate data.
The campaign shows an evolution in its attack chains: macros have been replaced by executables embedded in documents, and the C2 infrastructure has been hardened with a domain generation algorithm (DGA) and an RSA signature-based validation mechanism, so that the implant only accepts responses from servers that can present a valid operator signature.
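The signed-C2-over-DGA pattern described above, as an added example that is neither SafeBreach's code nor Foudre's actual algorithm: the date-seeded DGA, its salt, the `.example` TLD, the key size and the beacon format are all assumptions chosen for illustration. It shows why sinkholing a DGA domain is not enough to take over or study such an implant: the implant only accepts a response whose RSA signature verifies under the operator public key embedded in it, and because the responding domain is bound into the signed data, a genuine beacon captured on one domain cannot be replayed from another.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"time"
)

// dgaSalt is an assumed hard-coded constant shared by implant and operator;
// the real Foudre DGA and its inputs are not described in the briefing.
const dgaSalt = "briefing-example-salt"

// candidateDomains derives n candidate C2 domains for a given day. Operator
// and implant run the same function, so no fixed domain has to be embedded.
func candidateDomains(day time.Time, n int) []string {
	const alphabet = "abcdefghijklmnopqrstuvwxyz"
	seed := sha256.Sum256([]byte(day.UTC().Format("2006-01-02") + dgaSalt))
	out := make([]string, 0, n)
	for i := 0; i < n; i++ {
		h := sha256.Sum256(append(seed[:], byte(i)))
		name := make([]byte, 12)
		for j := range name {
			name[j] = alphabet[int(h[j])%len(alphabet)]
		}
		out = append(out, string(name)+".example") // ".example" is a placeholder TLD
	}
	return out
}

// Beacon is the response a candidate domain returns to the implant.
type Beacon struct {
	Domain    string // domain that answered; bound into the signature
	Payload   []byte // e.g. next-stage URL or tasking
	Signature []byte // RSA PKCS#1 v1.5 over SHA-256(domain || "|" || payload)
}

func beaconDigest(domain string, payload []byte) []byte {
	d := sha256.Sum256(append([]byte(domain+"|"), payload...))
	return d[:]
}

// newKey generates a throwaway 2048-bit RSA key (operator or sinkhole).
func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// signBeacon is the operator side: only the holder of the private key can
// produce a beacon the implant will accept.
func signBeacon(priv *rsa.PrivateKey, domain string, payload []byte) (Beacon, error) {
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, beaconDigest(domain, payload))
	if err != nil {
		return Beacon{}, err
	}
	return Beacon{Domain: domain, Payload: payload, Signature: sig}, nil
}

// verifyBeacon is the implant side: the embedded public key decides whether a
// responder is the real C2. A sinkhole that registers a DGA domain cannot forge
// this, and a captured beacon replayed from another domain fails as well.
func verifyBeacon(pub *rsa.PublicKey, b Beacon) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, beaconDigest(b.Domain, b.Payload), b.Signature) == nil
}

// selectC2 walks the day's candidates in order and accepts the first one whose
// beacon verifies. resolve stands in for the DNS lookup plus HTTP fetch.
func selectC2(pub *rsa.PublicKey, candidates []string, resolve func(string) (Beacon, bool)) (string, bool) {
	for _, d := range candidates {
		if b, ok := resolve(d); ok && b.Domain == d && verifyBeacon(pub, b) {
			return d, true
		}
	}
	return "", false
}

func main() {
	day := time.Date(2025, 12, 22, 0, 0, 0, 0, time.UTC)
	cands := candidateDomains(day, 4)

	operator := newKey() // public half is what the implant would embed
	sinkhole := newKey() // a defender's key; the implant never trusts it

	genuine, _ := signBeacon(operator, cands[2], []byte("https://stage2.example/"))
	forged, _ := signBeacon(sinkhole, cands[0], []byte("https://stage2.example/"))

	// Constructed responses: the sinkhole answers on the first candidate, the
	// operator on the third, the other candidates do not resolve.
	resolve := func(d string) (Beacon, bool) {
		switch d {
		case cands[0]:
			return forged, true
		case cands[2]:
			return genuine, true
		}
		return Beacon{}, false
	}
	chosen, ok := selectC2(&operator.PublicKey, cands, resolve)
	fmt.Println("candidates:", cands)
	fmt.Println("accepted C2:", chosen, ok)
}
```

The defensive consequence is the one SafeBreach-style analyses usually draw from this design: registering the DGA domains yields telemetry on infected hosts, but recovering the operator's private key or patching the embedded public key out of the binary is what it takes to actually task the implant.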
Strategic alliance between Qilin, DragonForce and LockBit in the ransomware ecosystem
In September 2025, DragonForce announced an alleged alliance with Qilin and LockBit on a Russian-language underground forum, against a backdrop of intense law enforcement pressure and fragmentation of the ransomware ecosystem.
According to Yarix, the announcement came after international operations dismantled major groups such as Hive, AlphV/BlackCat and, in particular, LockBit, which was disrupted by Operation Cronos in February 2024. Analysis of ransomware claims in 2025 shows a 61% year-on-year increase globally, but with activity less concentrated among the main players.
Following the announcement, Qilin significantly increased its activity, taking first place with 13.07% of the year's claims, while DragonForce grew moderately. LockBit, by contrast, has remained inactive since June 2025, despite announcing a 5.0 version, and has had its request to restore its account on underground forums rejected.
DIG AI: consolidation of an illicit LLM in cybercrime
Resecurity has identified the emergence of DIG AI, an uncensored language model (a so-called dark LLM) operating on the Tor network and geared towards criminal activity. First detected on 29 September, its use increased significantly during the fourth quarter of 2025, especially over the holiday period.
Unlike legitimate platforms, DIG AI has no ethical safeguards and allows anonymous access without registration. According to Resecurity's HUNTER team, the tool facilitates the automation of malicious campaigns and lowers the barrier to entry into cybercrime. Its capabilities include generating malicious code, fraudulent content and highly dangerous illegal material.
Although it has limitations in computationally intensive tasks, its output is operationally usable. DIG AI is part of the growth of so-called "Not Good AI", mentions of which in criminal forums increased by more than 200% between 2024 and 2025.
Operation PCPcat compromises thousands of Next.js servers and steals credentials en masse
Operation PCPcat is a large-scale credential theft campaign that has compromised more than 59,000 Next.js servers worldwide, exploiting the critical vulnerabilities CVE-2025-29927 and CVE-2025-66478 to achieve remote code execution.
Through mass scanning and prototype pollution attacks, the attackers inject payloads that systematically extract sensitive data such as .env files, SSH keys, cloud credentials and development tokens.
The C2 infrastructure, hosted in Singapore, exposes its operational metrics without authentication, revealing a success rate of 64.6%, between 300,000 and 590,000 stolen credentials, and the potential to add up to 41,000 servers per day. Operators of exposed Next.js deployments should treat any .env secrets, SSH keys and cloud tokens present on the host as compromised and rotate them after patching, since patching alone does not revoke what has already been exfiltrated.
Italy fines Apple €98 million over consent management in App Tracking Transparency
Italy's Competition and Market Authority (AGCM) has fined Apple €98 million for abusing its dominant position in the mobile app distribution market through its App Tracking Transparency (ATT) feature, introduced in 2021.
The regulator found that the ATT rules require third-party developers to ask users for consent twice for tracking and personalised advertising, while Apple's own apps do not show this prompt, creating an unfair competitive advantage that may harm third parties.
This newsletter is one of the deliverables of our Operational and Strategic Intelligence service.