Full Report
Explore the latest tactics, techniques, and procedures (TTPs) our incident response (IR) experts are actively facing with the TTP Briefing Q4 2025, a report built on frontline threat intelligence from our global incident response investigations, enriched by noteworthy detections from our SOC.
# Analysis Summary
This summary collects the information extracted from the TTP Briefing Q4 2025, focusing on malware, tools, techniques, and their associated TTPs.
---
# Tool/Technique: Remote Access Tools (RATs) (General Category)
## Overview
Remote Access Tools (RATs) are being leveraged by threat actors after being downloaded via increasingly sophisticated SEO poisoning campaigns. The deployment of RATs is sharply increasing, shifting from opportunistic use to systematic deployment for persistence, credential access, and internal reconnaissance following initial access.
## Technical Details
- Type: Malware family (General Category)
- Platform: Implied Windows/Enterprise workstations (as they are downloaded and used for privilege escalation and reconnaissance)
- Capabilities: Privilege escalation, persistence, credential access, internal reconnaissance, asset discovery, lateral movement.
- First Seen: Not specified, but usage surged significantly in Q4 2025.
## MITRE ATT&CK Mapping
(Derived from the usage description: privilege escalation, persistence, reconnaissance)
- TA0004 - Privilege Escalation
- T1218 - System Binary Proxy Execution (implied by the use of legitimate-looking tools)
- TA0003 - Persistence
- T1543.003 - Create or Modify System Process: Windows Service (common RAT persistence method)
- TA0008 - Lateral Movement
- TA0006 - Credential Access
## Functionality
### Core Capabilities
- Enabling broader asset discovery across the compromised network.
- Facilitating lateral movement to expand attacker footholds.
### Advanced Features
- Systematically deployed for persistence and credential access, indicating mature operational use rather than simple opportunistic exploitation.
## Indicators of Compromise
- File Hashes: Not provided in context.
- File Names: No specific names given; the report describes the tools only as "legitimate-looking" Remote Access Tools.
- Registry Keys: Not provided in context.
- Network Indicators: RAT command-and-control (C2) addresses are not detailed; the report implies network activity associated with internal reconnaissance.
- Behavioral Indicators: Installation of software disguised as legitimate IT tools; sudden increase in internal reconnaissance activity; confirmed use for privilege escalation.
## Associated Threat Actors
- Threat Actors utilizing SEO Poisoning and leveraging Initial Access Brokers (IABs). (Specific named groups not mentioned in context).
## Detection Methods
- Signature-based detection: Likely less effective as threat actors use "legitimate-looking" tools.
- Behavioral detection: Crucial for detecting the systematic deployment and subsequent reconnaissance/lateral movement associated with RATs.
- YARA rules if available: Not provided in context.
## Mitigation Strategies
- Strengthening vetting processes for software downloads, treating non-sanctioned IT tools with high suspicion.
- Monitoring for anomalous privilege escalation behaviors.
- Endpoint Detection and Response (EDR) solutions tuned to detect RAT behaviors rather than relying solely on file signatures.
## Related Tools/Techniques
- Initial Access Brokers (IABs) (as they sell the initial access which often leads to RAT deployment).
- SEO Poisoning (as the delivery mechanism).
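The behavioral detection and EDR tuning points above can be illustrated with a small check for the T1543.003 persistence pattern: a newly installed Windows service whose binary lives in a user-writable location such as a Downloads folder, which is where an SEO-poisoned download would land. This is an added example, not code from the report; the event records are constructed and modelled on Windows System log Event ID 7045, and the field names and the list of user-writable roots are assumptions.

```python
import re

# Windows paths where an installed service binary should not normally live:
# user profiles, temp directories and other user-writable locations (assumed list).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\|windows\\temp\\|temp\\|programdata\\)", re.IGNORECASE)
# Leading quoted path, or the first whitespace-free token, of an ImagePath value.
EXE_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')

# Constructed records modelled on Event ID 7045 ("A service was installed in
# the system"); not taken from the report.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "VendorUpdate",
     "ImagePath": r'"C:\Program Files\VendorUpdater\updater.exe" /svc'},
    {"EventID": 7045, "ServiceName": "ITSupportAgent",
     "ImagePath": r"C:\Users\jdoe\Downloads\ITSupportTool\agent.exe -service"},
    {"EventID": 7045, "ServiceName": "RemoteHelper",
     "ImagePath": r"C:\ProgramData\rh\rh.exe"},
    {"EventID": 4624, "ServiceName": "", "ImagePath": ""},  # unrelated logon event
]


def service_binary(image_path):
    """Return the executable path from a 7045 ImagePath (quoted or bare)."""
    m = EXE_RE.match(image_path or "")
    if not m:
        return ""
    return m.group(1) or m.group(2)


def suspicious_service_installs(events):
    """Flag service installs whose binary lives in a user-writable location."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7045:
            continue
        exe = service_binary(ev.get("ImagePath", ""))
        if USER_WRITABLE.match(exe):
            hits.append({"service": ev["ServiceName"], "binary": exe})
    return hits


if __name__ == "__main__":
    for hit in suspicious_service_installs(SAMPLE_EVENTS):
        print(f"ALERT service={hit['service']} binary={hit['binary']}")
```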
---
# Tool/Technique: Calendar Phishing
## Overview
An evolving phishing tactic where attackers send victims a **calendar invite** containing a malicious login prompt within the event description, designed to bypass traditional email security filters.
## Technical Details
- Type: Technique (Delivery via email/calendar service)
- Platform: End-user email clients supporting calendar invitations (e.g., Outlook, Google Calendar)
- Capabilities: Credential capture against user-trusted calendar applications.
- First Seen: Observed as a new trend in Q4 2025.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1566.001 - Phishing: Spearphishing Attachment (the calendar invite functions as the delivery mechanism)
- T1566.003 - Phishing: Spearphishing via Service (the invite is delivered through the calendar service rather than as a conventional email body)
## Functionality
### Core Capabilities
- Delivering malicious content (login prompts) or phishing links hidden within the description field of a calendar event.
- Utilizing the perceived trustworthiness and system integration of calendar notifications to lure victims.
### Advanced Features
- Effectiveness in bypassing standard email gateway filters, which typically inspect the email body and attachments rather than calendar object descriptions and metadata.
## Indicators of Compromise
- File Hashes: Not applicable (link/description based).
- File Names: Not applicable.
- Registry Keys: Not applicable.
- Network Indicators: Malicious login URLs embedded in calendar event descriptions.
- Behavioral Indicators: Users clicking unfamiliar login prompts embedded in seemingly legitimate calendar events.
## Associated Threat Actors
- Threat actors specializing in evolving phishing tactics to bypass email security controls.
## Detection Methods
- Signature-based detection: Limited effectiveness against novel URLs/descriptions.
- Behavioral detection: Monitoring for user interaction with embedded login prompts within calendar applications.
- YARA rules if available: Not applicable.
## Mitigation Strategies
- User training focused specifically on suspicious calendar invitations, urging verification of event senders and external links *before* interacting, even if the event appears natively in the calendar.
- Configuration restrictions on accepting external calendar invitations or displaying high-risk links within event bodies.
## Related Tools/Techniques
- Business Email Compromise (BEC) (as calendar phishing can be used to stage BEC attacks).
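Because the malicious login link sits in the calendar event description rather than the email body, a filter has to inspect the iCalendar payload itself. The following added example (not from the report) parses a constructed invite, unfolds RFC 5545 continuation lines so a URL split across a fold is still recovered, and flags external organizers and any URL whose host is outside an assumed allowlist of trusted domains.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
ALLOWED_DOMAINS = {"example.com"}  # assumed organisation allowlist

# Constructed iCalendar invite (not from the report). The DESCRIPTION is folded
# across two lines per RFC 5545, so the URL only appears after unfolding.
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR", "METHOD:REQUEST", "BEGIN:VEVENT",
    "UID:20251103T0900-1@mail.invalid",
    "ORGANIZER;CN=IT Helpdesk:mailto:helpdesk@mail.invalid",
    "SUMMARY:Mandatory account verification",
    "DESCRIPTION:Your session expired. Sign in again here:\\n https://login.exam",
    " ple-com.invalid/auth to keep calendar access.",
    'X-ALT-DESC;FMTTYPE=text/html:<a href="https://login.example-com.invalid/auth">Sign in</a>',
    "END:VEVENT", "END:VCALENDAR",
])


def unfold(ics):
    """Join RFC 5545 continuation lines (line break followed by space or tab)."""
    return re.sub(r"\r?\n[ \t]", "", ics).splitlines()


def parse_event(ics):
    """Return {property name: unescaped value}; property parameters are dropped."""
    props = {}
    for line in unfold(ics):
        if ":" not in line:
            continue
        head, value = line.split(":", 1)
        name = head.split(";", 1)[0].upper()
        # RFC 5545 text escapes: \n, \N, \, \; and \\
        props[name] = re.sub(r"\\([\\;,nN])",
                             lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)
    return props


def is_allowed(host, allowed):
    return any(host == d or host.endswith("." + d) for d in allowed)


def assess_invite(ics, allowed=ALLOWED_DOMAINS):
    """Flag an external organizer and off-allowlist URLs in the event text fields."""
    ev = parse_event(ics)
    organizer = ev.get("ORGANIZER", "").removeprefix("mailto:").lower()
    text = "\n".join(ev.get(k, "") for k in ("DESCRIPTION", "X-ALT-DESC", "URL"))
    urls = list(dict.fromkeys(URL_RE.findall(text)))  # dedupe, keep order
    bad = [u for u in urls if not is_allowed(urlsplit(u).hostname or "", allowed)]
    return {"organizer": organizer, "urls": urls, "suspicious_urls": bad,
            "external_organizer": not is_allowed(organizer.rsplit("@", 1)[-1], allowed)}
```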
---
# Tool/Technique: Exploitation of Edge Device Vulnerabilities
## Overview
The exploitation of vulnerable edge devices (such as VPNs and RDP gateways) remains a high-priority intrusion vector, accounting for 18% of initial access methods observed in Q4 2025.
## Technical Details
- Type: Technique (Vulnerability Exploitation)
- Platform: Network Edge Devices (VPN Concentrators, RDP Gateways)
- Capabilities: Gaining an initial foothold without any user interaction (pre-authentication exploitation of the exposed service).
- First Seen: Ongoing trend throughout 2025.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1190 - Exploit Public-Facing Application
## Functionality
### Core Capabilities
- Direct exploitation of known vulnerabilities (CVEs) in perimeter products such as Fortinet FortiOS, SonicWall SonicOS, and Oracle products.
- Establishing initial persistent access via compromised VPN or RDP services.
### Advanced Features
- Leveraging a high volume of known, unpatched vulnerabilities across specific vendor products.
## Indicators of Compromise
- File Hashes: Not applicable (exploitation often precedes any file delivery).
- File Names: Not applicable.
- Registry Keys: Not applicable.
- Network Indicators: High volumes of abnormal connection attempts or successful authentications (using system accounts or newly created attacker accounts) against VPN/RDP endpoints.
- Behavioral Indicators: Anomalous process creation or execution originating from network service accounts following exploitation.
## Associated Threat Actors
- Ransomware groups and various intrusion teams exploiting known vulnerabilities for initial entry.
## Detection Methods
- Signature-based detection: Not detailed; the report's guidance is to apply vendor-published patches immediately.
- Behavioral detection: Monitoring edge systems for unusual command execution post-connection or suspicious service restarts.
- YARA rules if available: Not applicable.
## Mitigation Strategies
- Aggressive patching strategy, prioritizing CVEs affecting edge devices (especially the Fortinet and SonicWall products listed below).
- Enforcing Multi-Factor Authentication (MFA) on edge-device logins wherever possible, noting that MFA bypass remains a significant concern.
- Network segmentation enforcement to limit lateral movement post-exploitation of these devices.
## Related Tools/Techniques
- MFA Bypass (as even protected edge devices are targeted).
## Most Commonly Observed CVEs (Q4 2025)
The following CVEs were frequently observed as successful initial intrusion vectors:
- **CVE-2025-24472:** FortiOS Authentication Bypass
- **CVE-2025-61882:** Oracle (specific product unclear)
- **CVE-2025-40601, CVE-2024-53705, CVE-2024-53704, CVE-2024-40762:** SonicWall SonicOS SSL-VPN vulnerabilities
- **CVE-2024-55591, CVE-2024-21762:** Fortinet FortiOS vulnerabilities
- **CVE-2023-399280 onward:** Various SonicWall SonicOS buffer overflows
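The network and behavioral indicators given for this vector (abnormal authentication volume against VPN/RDP endpoints, and successful logins by system accounts or newly created accounts) can be checked directly against gateway authentication logs. This added example is not from the report: the log format is a constructed, vendor-neutral one, and the baseline user set, the service-account list and the failure threshold are assumptions a team would replace with its own.

```python
import re
from collections import Counter

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<gw>\S+) auth: user=(?P<user>\S+) "
                     r"src=(?P<src>\S+) result=(?P<result>\w+)$")

# Assumed: accounts that normally use the VPN (e.g. a 30-day baseline), and
# service accounts that should never authenticate interactively to it.
BASELINE_USERS = {"alice", "bob", "carol"}
SERVICE_ACCOUNTS = {"svc_backup", "svc_scan"}

# Constructed, vendor-neutral VPN gateway authentication log (not from the report).
SAMPLE_LOG = "\n".join(
    ["2025-11-03T01:12:07Z vpn-gw1 auth: user=alice src=203.0.113.10 result=success",
     "2025-11-03T01:12:09Z vpn-gw1 auth: user=bob src=203.0.113.11 result=success"]
    + [f"2025-11-03T02:40:{s:02d}Z vpn-gw1 auth: user=admin src=198.51.100.7 result=failure"
       for s in range(1, 9)]
    + ["2025-11-03T02:40:30Z vpn-gw1 auth: user=svc_backup src=198.51.100.7 result=success",
       "2025-11-03T03:05:12Z vpn-gw1 auth: user=helpdesk2 src=198.51.100.7 result=success"])


def parse_log(text):
    """Parse matching lines into dicts; lines in another format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def vpn_auth_alerts(text, baseline=BASELINE_USERS,
                    service_accounts=SERVICE_ACCOUNTS, fail_threshold=5):
    """Return (kind, subject, detail) tuples for the three indicators."""
    events = parse_log(text)
    alerts = []
    # Burst of failures from one source (no time window here, for brevity).
    fails = Counter(e["src"] for e in events if e["result"] == "failure")
    for src, n in fails.items():
        if n >= fail_threshold:
            alerts.append(("auth_burst", src, f"{n} failures"))
    for e in events:
        if e["result"] != "success":
            continue
        if e["user"] in service_accounts:
            alerts.append(("service_account_vpn", e["user"], e["src"]))
        elif e["user"] not in baseline:
            alerts.append(("new_account_success", e["user"], e["src"]))
    return alerts


if __name__ == "__main__":
    for kind, subject, detail in vpn_auth_alerts(SAMPLE_LOG):
        print(f"ALERT {kind}: {subject} ({detail})")
```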