GroupQilin (RaaS, cybercriminal); Warlock aka Water Manaul (cybercriminal)TypeRansomware with BYOVD EDR KillerMalwaremsimg32.dll (DLL sideload loader); rwdrv.sys (kernel memory driver); hlpdrv.sys (EDR killer driver); NSecKrnl.sys (Warlock BYOVD driver); Qilin ransomware; LockBit-derived Warlock payload (.x2anylock)Score🔴 9.5 Critical. Two active RaaS groups have deployed kernel-level tooling
Threat Group Reynolds Ransomware Group Threat Type Ransomware with integrated Bring Your Own Vulnerable Driver exploitation Exploited Vulnerabilities CVE-2025-68947 abuse of the NsecSoft NSecKrnl driver authorisation model Malware Used Reynolds Ransomware with embedded NSecKrnl.sys kernel driver Threat Score 🔴 9.1/10 High risk Last Threat Observation 11 February 2026
Threat Group – LockBit operators Threat Type – Ransomware as a Service Exploited Vulnerabilities – Exposed remote access services, unpatched internet facing infrastructure, valid credential reuse, weak virtualisation hardening Malware Used – LockBit 5.0 Windows Linux and ESXi variants Threat Score – 7.5 🔴 High – Cross platform impact with ESXi targeting, rapid encryption, and
Threat Group: ScarCruft / APT37 / Reaper / Red Eyes Threat Type: Advanced Persistent Threat (APT), Remote‑Access Trojan (RAT), Espionage and Ransomware Exploited Vulnerabilities: CVE‑2017‑8291 (Encapsulated PostScript vulnerability in Hangul Word Processor), CVE‑2024‑38178 (Internet Explorer mode of Microsoft Edge), vulnerabilities in Hancom Office; exploitation of Windows LNK files,
Threat Group: Suspected China linked Earth Baxia affiliate or imitator Threat Type: Ransomware Exploited Vulnerabilities: None confirmed. Suspected spear phishing and DLL sideloading Malware Used: Ransom.Win64.CHARON.THGBCBE Threat Score: 🔴 High (7.5/10) – Advanced persistent threat style capabilities, targeted operations, destructive behaviours, and potential state alignment Last Threat