Concise Cyber


November 17 Threat Report: CryoWire Ransomware and APT41 Campaigns Analyzed

Check Point Research has published its Threat Intelligence Report for November 17th, identifying a new ransomware family and a significant campaign by an established state-sponsored actor. The findings highlight persistent threats to the financial and telecommunications sectors through sophisticated attack vectors.

New CryoWire Ransomware Targets Financial Institutions

The report provides a detailed analysis of a previously unknown ransomware variant named CryoWire. This malware is actively targeting financial organizations across North America and Western Europe. The initial infection vector is a widespread phishing campaign that uses emails containing malicious Microsoft Excel attachments. Once a user enables macros, the CryoWire payload is executed.

CryoWire exfiltrates data before encrypting files. The threat actor, tracked as UNC4815, steals sensitive internal documents and then deploys AES-256 encryption across the victim’s network. The report confirms that the ransom note demands payment in Monero to a specific wallet address.

APT41 Exploits VPN Vulnerabilities in New Campaign

The intelligence report also documents a resurgence of activity from the state-sponsored group APT41. The group’s latest campaign is focused on telecommunications providers in Southeast Asia. Attackers are gaining initial access by exploiting a critical remote code execution vulnerability, designated CVE-2025-28111, in a popular enterprise VPN appliance.

Following exploitation, APT41 deploys Cobalt Strike beacons for command and control and uses custom backdoors to maintain persistence within the compromised networks. The objective of the campaign, as detailed in the report, is espionage and the theft of sensitive subscriber data and network infrastructure information.

Source: https://research.checkpoint.com/2025/17th-november-threat-intelligence-report/