Threat Intelligence Executive Report – Volume 2025, Number 4 – Sophos News


The Counter Threat Unit™ (CTU) research team analyzes security threats to help organizations protect their systems. Based on observations in May and June, CTU™ researchers identified the following noteworthy issues and changes in the global threat landscape:

  • Threat group naming alignment poses challenges
  • Iran threatens retaliation against U.S.
  • Law enforcement uses mockery as a tactic

Threat group naming alignment poses challenges

Reconciling different threat group naming conventions is an ambitious task. Secureworks’ comprehensive and dynamic Rosetta stone for threat group names has been public since 2020.

Threat group naming is designed to help security professionals quickly understand and identify specific attack patterns and connect past activity to current incidents. This information provides insight into threat actors’ capabilities and intent, and can inform response decisions, assist with attribution, and lead to more accurate risk modeling. It can provide actionable guidance about the types and scope of a threat and how an attack may have happened.

The existence of multiple naming conventions for threat groups is not just because vendors want to impose their own branding on threat intelligence. It is also the result of naming being based on individual vendor observations, which may differ. It is possible to map threat group names if two vendors observe the same activity, but it is not always that straightforward.

At the beginning of June, Microsoft and CrowdStrike announced an alignment of their threat group naming conventions. This type of mapping is beneficial to the security community. In 2020, Secureworks began publishing threat group profiles, incorporating a continuously updated ‘Rosetta stone’ to map the threat groups to names used by other vendors. CTU researchers are currently involved in aligning Secureworks threat group names with Sophos threat activity cluster numbers.

Maintaining one-to-one mappings is challenging and requires ongoing monitoring and recalibration to ensure accuracy. Threat groups may work together or change their tactics, techniques, and procedures (TTPs) and objectives, and vendor apertures may change. Nonetheless, Microsoft and CrowdStrike’s announcements both imply that the initiative is the start of an attempt to establish a broader alignment.

Achieving this alignment while protecting proprietary telemetry and intellectual property will likely be difficult, but analyst-led deconfliction is necessary. It is unclear which other vendors will be included in this effort: Microsoft mentions Google/Mandiant and Palo Alto Networks Unit 42 in its announcement, but CrowdStrike does not. Microsoft’s preliminary list includes a wider range of vendor threat group names, including some from Secureworks.
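As an added illustration (not code from Secureworks, Sophos, or the report), the Python sketch below shows how a Rosetta-stone style alias index can be queried and, more usefully, audited for the mappings that are not one-to-one, which is the recalibration problem the section describes. All vendor names, aliases, and group names are constructed placeholders.

```python
from collections import defaultdict

# Constructed alias records: (vendor, vendor_name, secureworks_name).
# Placeholders only; none of these are real mappings from the report.
ROSETTA = [
    ("VendorA", "ALPHA-1", "GROUP ONE"),
    ("VendorB", "Beta Spider", "GROUP ONE"),
    ("VendorA", "ALPHA-2", "GROUP TWO"),
    ("VendorB", "Beta Spider", "GROUP TWO"),   # VendorB's aperture merges two groups
    ("VendorC", "Cluster 1234", "GROUP THREE"),
]


def build_index(records):
    """Index each group by its per-vendor aliases, and each vendor alias by group."""
    by_group = defaultdict(lambda: defaultdict(set))
    by_alias = defaultdict(set)
    for vendor, alias, group in records:
        by_group[group][vendor].add(alias)
        by_alias[(vendor, alias)].add(group)
    return by_group, by_alias


def resolve(records, vendor, alias):
    """Return the set of group names a vendor alias maps to (may be more than one)."""
    _, by_alias = build_index(records)
    return by_alias.get((vendor, alias), set())


def aliases_for(records, group):
    """Return {vendor: sorted aliases} for one group name."""
    by_group, _ = build_index(records)
    return {v: sorted(a) for v, a in by_group.get(group, {}).items()}


def non_one_to_one(records):
    """List every mapping that is not one-to-one so an analyst can deconflict it."""
    by_group, by_alias = build_index(records)
    issues = []
    for (vendor, alias), groups in by_alias.items():
        if len(groups) > 1:  # one vendor name covers several groups
            issues.append(f"{vendor}:{alias} covers {len(groups)} groups: {sorted(groups)}")
    for group, vendors in by_group.items():
        for vendor, aliases in vendors.items():
            if len(aliases) > 1:  # one group split across several vendor names
                issues.append(f"{group} has {len(aliases)} {vendor} names: {sorted(aliases)}")
    return issues
```

Running `non_one_to_one(ROSETTA)` flags only the VendorB alias that spans two groups; that list is the queue an analyst would work through when the vendors' apertures diverge.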

What You Should Do Next

Refer to Secureworks threat group profiles while reading threat intelligence for a broader understanding of individual threat groups’ tasking and TTPs.

Iran threatens retaliation against U.S.

American support of Israel’s attacks on Iran may increase the risk of more attacks by Iranian threat actors on U.S. interests.

Just over a week after Israel commenced its military attacks on Iranian nuclear and military facilities in June 2025, the U.S. conducted a set of targeted air strikes against Iran’s nuclear program. Although the U.S. attacks were of limited duration and Iran responded with missiles targeting a U.S. base in Qatar, the Iranian government has since declared that it intends to retaliate further against U.S. interests.

Israel’s attacks, and its assassination of prominent Iranian military leaders and scientists, marked an escalation in a decades-long series of hostilities. This conflict has included years of proxy warfare in which Iran has provided weapons and training to groups attacking Israel, such as Hezbollah, the Houthis, and Hamas. There have also been ongoing cyber hostilities between the two countries. The U.S. has periodically been another target of Iranian cyberattacks and influence operations.

It is unclear what form this threatened retaliation could take, or if and when it would be carried out. For example, after the January 2020 U.S. drone strike that killed the general of Iran’s Islamic Revolutionary Guard Corps (IRGC) Quds Force, Iran threatened retaliation and launched missile strikes against U.S. bases in Iraq. However, it did not conduct notable offensive cyber or kinetic operations against entities in the West as some had feared.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and partner agencies published a fact sheet describing possible types of Iranian cyber retaliation. Iranian and pro-Iran threat actors have been associated with defacement, wiper, ransomware, and distributed denial of service (DDoS) attacks. The publication specifically notes the risk to Defense Industrial Base (DIB) companies, especially those with links to Israel. The elevated risk also likely affects organizations in the Middle East perceived by Iran as supporting U.S. and Israeli interests. The fact sheet mentions a previous campaign by pro-Iran hacktivists targeting facilities in the U.S. and other countries that used Israeli-made operational technology such as programmable logic controllers (PLCs). Iran increasingly uses false hacktivist personas, such as Cyber Av3ngers, to disguise government involvement in these destructive attacks.

Organizations that could be a target of Iranian reprisals should maintain a heightened sense of vigilance and should ensure that appropriate cyber defenses are in place. This advice applies equally to U.S. organizations and entities in the Middle East that Iran may consider as supportive of U.S. and Israeli interests.

What You Should Do Next

Review CISA publications about Iran and the threat that it poses.

Law enforcement uses mockery as a tactic

Adding ridicule to arrests and takedowns seems to be a surprisingly effective way of dealing with cybercriminals.

Global law enforcement continued targeting cybercrime operations, but as in the past, not all actions had a lasting impact. For example, Microsoft and the U.S. Department of Justice conducted coordinated actions in late May 2025 that led to the seizure and takedown of over 2,300 domains associated with LummaC2, one of the most prevalent infostealer operations. However, LummaC2 recovered quickly. CTU sandboxes continued to collect LummaC2 samples through June, and command and control (C2) servers responded as normal. CTU researchers also observed LummaC2 being delivered as a second-stage payload in June by Smoke Loader, itself the survivor of a law enforcement takedown in May 2024. Furthermore, the number of LummaC2 logs for sale on underground forums continued to rise during May and June 2025.

Arrests and convictions impact individual threat actors but do not always deter cybercriminal activity. In May, Iranian national Sina Gholinejad pleaded guilty in the U.S. to conducting RobbinHood ransomware attacks from 2019 to 2024 and faces up to 30 years in prison. In late June, French police arrested four alleged operators of the BreachForums cybercrime forum, which followed the February arrest of the individual behind the prolific BreachForums persona known as IntelBroker. However, BreachForums resumed operations under new ownership.

Arrests are not always possible. The U.S. regularly indicts both cybercriminal and state-sponsored threat actors who reside in countries where U.S. law enforcement has no influence. For example, a 36-year-old Russian named Vitaly Nikolaevich Kovalev was linked by German law enforcement in May to the Conti and TrickBot operations. He had been indicted in the U.S. in 2012 on charges of bank fraud but remains at large in Russia.

Ridiculing threat actors and undermining trust have proven effective. A key goal of Operation Cronos, which targeted the previously highly successful LockBit ransomware operation, was damaging the reputation of LockBit administrator Dmitry Khoroshev. He lives in Russia and therefore cannot be arrested by U.S. authorities. Law enforcement’s mockery led to significantly fewer affiliates, to the point that Khoroshev had to reduce the cost of becoming an affiliate and abandon affiliate vetting. CTU researchers have also observed threat actors displaying contempt for Khoroshev on underground forums.

Despite LockBit victim numbers plummeting from hundreds to single digits a month, the overall number of ransomware attacks by all groups has continued to climb. While even short-term disruptions will frustrate any group’s operations and result in fewer victims, organizations must continue to protect themselves against ransomware and other financially motivated attacks.

What You Should Do Next

Ensure you can detect common infostealers such as LummaC2, as they are frequently a precursor to ransomware attacks.

Conclusion

Organizations’ awareness of the threat landscape is essential for defending against cyber threats. Whether the threats originate from cybercriminals or state-sponsored threat actors, timely and accurate threat intelligence from a range of sources is necessary for accurately assessing the risk posed to your organization. Meaningful attribution adds value to help defenders respond appropriately and effectively.
