Insights.
By OctopusCRX
OctopusCRX Cyber Briefing: 05/11/2025
Qilin’s Hybrid Ransomware Tactics Signal Escalating Risk for Industrial OT and ESXi Environments
New reporting on the Qilin (aka Agenda) ransomware operation highlights a sharp uptick in activity through 2025 and a shift toward hybrid tradecraft: Linux payloads, bring-your-own-vulnerable-driver (BYOVD) techniques, and explicit focus on VMware ESXi. Analysts tracked 40+ victims per month across 2025 (peaking near 100 leak-site postings in June), with outsized impact in North America. For manufacturers running mixed Windows/Linux estates and virtualized plants, the combination raises the likelihood of line stoppage and widespread VM outages during an incident.
Making Cyber Security a Board Responsibility
Hostile cyber activity in the UK is growing more intense, frequent and sophisticated. This is causing significant financial and social harm to UK businesses and citizens. There is a direct and active threat to our economic and national security which requires an urgent collective response.
OctopusCRX Cyber Briefing: 18/10/2025
F5 Confirms Nation‑State Breach, CISA Issues Emergency Patch Mandate.
Cybersecurity firm F5 Networks recently disclosed that it was the target of a nation‑state intrusion. According to F5, unauthorized access was detected in certain internal systems, and sensitive assets including source code may have been stolen.
OctopusCRX Cyber Briefing: September 8–21, 2025
In our latest bi-weekly briefing, we review the cybersecurity incidents that shaped the period from September 8–21, 2025. This reporting window saw ransomware campaigns against healthcare providers in multiple countries, a large-scale supply chain compromise in the NPM ecosystem, active zero-day exploitation requiring emergency patching, and disruptions at major European airports caused by a vendor system outage.
Cyber Threat Intelligence Bi-Weekly Report: March 10–14, 2025
This past week has been a stark reminder that cybercriminals are evolving faster than most organisations can adapt. The trends we’ve tracked indicate a significant shift in attacker methodologies, particularly in how they gain access, maintain persistence, and extort victims.
Why Your Biggest Vulnerability is Being Human
Cybercriminals no longer need to write complex malware or exploit software vulnerabilities to breach an organisation. They have found an easier, faster, and more effective way in—by targeting people. Social engineering has evolved from generic phishing emails to sophisticated, AI-driven deception tactics that can manipulate even the most security-conscious employees.
Breakout Times Are Faster Than Ever
Cybercriminals are moving at speeds that most organisations are not equipped to handle. Last year, the average breakout time—the time it takes for an attacker to move laterally within a compromised network—dropped to 48 minutes. In the fastest observed case, it took just 51 seconds. That means by the time a security alert is triggered, the attacker could have already escalated privileges, exfiltrated data, and established persistence.
The New Cybercrime Arms Race
Artificial intelligence is not just a tool for businesses looking to optimize workflows and automate processes. It has also become a weapon for cybercriminals who are using AI to scale their attacks, evade detection, and manipulate targets with unprecedented precision. The organisations that fail to recognize this shift will be left defenseless against an adversary that is getting smarter, faster, and more efficient.
The Age of the Enterprising Cybercriminal
Cybercrime is no longer a niche problem or a side hustle for opportunistic hackers. It is a multi-billion-dollar industry with structured operations, specialized roles, and global reach. Criminal organisations have evolved into enterprise-grade operations, complete with research and development teams, strategic partnerships, and aggressive expansion plans. The modern cybercriminal doesn’t just hack into systems; they build scalable business models designed for efficiency, automation, and maximum return on investment.