December 2025 ATS Monthly Digest: Emerging Threats, Top Actors, and Top ATT&CK Techniques

  • January 5, 2026

sinaC

Greetings Securonix Connect Members,

We are pleased to share the December 2025 Autonomous Threat Sweeper (ATS) Monthly Digest.

During December, ATS tracked 141 emerging threats identified in the wild and performed corresponding sweeps across customer environments to assess potential exposure and validate detection coverage. This monthly digest provides insight into the evolving threat landscape, highlighting key trends, active threat actors, and commonly observed MITRE ATT&CK techniques.


Emerging Threat Trends

Several recurring themes were observed throughout the month’s activity:

  • Exploitation of public-facing applications remained one of the most common initial access vectors.

  • React2Shell / CVE-2025-55182 was exploited by multiple threat actors, often for persistence or cryptomining payloads.

  • Software supply chain abuse continued, including malicious packages and compromised developer extensions.

  • Credential theft and phishing campaigns persisted as precursors to lateral movement and data exfiltration.

  • Ransomware operations showed ongoing refinement in privilege escalation and dual extortion methods.

Most items this month were assessed as High severity, followed by Medium-High and Medium.


Top 5 MITRE ATT&CK Techniques (December 2025)

  1. Exploit Public-Facing Application (T1190) - Initial Access

  2. Phishing: Spearphishing Attachment (T1566.001) - Initial Access

  3. Command and Scripting Interpreter: PowerShell (T1059.001) - Execution

  4. OS Credential Dumping: LSASS Memory (T1003.001) - Credential Access

  5. Data Encrypted for Impact (T1486) - Impact


Top 5 Threat Actors (December 2025)

  1. PRC State-Sponsored (China) - activity consistent with Volt Typhoon-related operations.

  2. Pro-Russia Hacktivist Collectives - including KillNet, NoName057(16), CARR, and Z-Pentest.

  3. Qilin Ransomware (Agenda) - ransomware-as-a-service campaigns expanding in scope and targeting.

  4. Clop Ransomware Gang (Cl0p/FIN11) - continued activity linked to data theft and extortion.

  5. Lazarus Group (APT38) - financially motivated operations associated with DPRK.


Workbook Overview (Attachment)

The attached Excel file contains three tabs for deeper review:

  • ATS - Emerging Threats: All 141 threats identified in the wild, with summaries, sources, and contextual details.

  • Top 5 Threat Actors: Profiles and observed activity summaries for the leading threat actors.

  • Top 5 MITRE ATT&CK Techniques: Techniques most frequently seen across the month’s activity, mapped to ATT&CK tactics.

This digest is designed to help teams understand current threat activity and maintain awareness of the coverage ATS provides through continuous sweeping and enrichment.