Sarina

About Sarina Gandy

So far Sarina Gandy has created 124 blog entries.

BIG-IP Integrity Vulnerability Threat Report

CVE-2025-58424

I. Introduction

Application Delivery Controllers (ADCs) are essential to modern networks because they optimize, secure, and manage client-server traffic. F5’s BIG-IP, a critical Application Delivery Controller used across enterprises and government networks, plays a key role in traffic management, SSL/TLS termination, and application delivery. [1]

On October 15, 2025, CVE-2025-58424 was discovered, describing a vulnerability affecting F5’s BIG-IP systems where undisclosed traffic can cause data corruption and unauthorized data modification in protocols that lack message integrity protection. The vulnerability currently affects several versions and configurations of BIG-IP products [2] and has been linked to the BRICKSTORM malware, which is used by state-sponsored actors. Although rated Medium (CVSS v3.1 score 4.5) by the National Vulnerability Database (NVD) [6], the potential for exploitation across critical infrastructure makes immediate patching a priority.

There are no public reports of active in-the-wild exploitation as of October 28, 2025. However, the vulnerability is part of a broader set of F5 BIG-IP vulnerabilities disclosed amid a nation-state breach of F5’s internal networks (detected on August 9, 2025) [6], in which source code and undisclosed vulnerability details were stolen. This raises concerns about potential zero-day exploits by the threat actor.

Following the public disclosure, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an Emergency Directive (ED 26-01) for federal agencies. [8] The directive required agencies to apply F5 patches, inventory F5 products, and restrict management interface access. CISA warned that the breach presents an “imminent threat” to federal networks.

This advisory provides a consolidated overview of what CVE-2025-58424 is, what it targets, the affected BIG-IP modules, the associated MITRE ATT&CK techniques, and the recommended mitigations. It is intended to help readers understand the technical scope and the protections needed to maintain data integrity and network resilience.

II. Target

CVE-2025-58424 affects the BIG-IP data plane, which is responsible for nearly all runtime network traffic processing, including load-balanced traffic handled by the Traffic Management Microkernel (TMM). As a result, any organization running affected F5 BIG-IP products or services that rely on TMM is potentially vulnerable to CVE-2025-58424. These products and services sit at the network edge and handle large volumes of client-server traffic, which makes successful exploitation extremely dangerous across a wide range of industries [4], including:

  • Enterprise & Cloud Service Providers
  • Financial Services
  • Government & Public Sectors
  • Healthcare
  • Telecommunications
  • Retail & E-commerce

Affected BIG-IP Modules:

The following table lists the BIG-IP modules affected by CVE-2025-58424, as identified in Recorded Future [6], a leading cyber-threat intelligence and vulnerability tracking platform, along with their corresponding function category:

III. Tactics and Techniques

The following table maps out MITRE ATT&CK Techniques Associated with CVE-2025-58424:

Table 2. MITRE ATT&CK Techniques Associated with CVE-2025-58424

IV. Adversary Tools and Services

Although a specific threat actor has not been linked to the F5 breach, public reporting from Google Cloud Mandiant (Google Cloud’s threat intelligence unit, which conducts research on advanced persistent threat (APT) activity and state-sponsored cyber activity) suggests that this vulnerability may be the work of UNC5221, a Chinese threat actor that targets network and edge devices [7]. Attackers using CVE-2025-58424 resemble UNC5221, which has conducted previous campaigns; however, this does not prove that they are the same actor. It only indicates that comparable techniques and similar tools are deployed, which are crucial to monitor in case the same malware or infrastructure recurs in the future.

The primary malware family linked to this vulnerability is BRICKSTORM, a backdoor that allows attackers to gain sustained remote access and command over compromised systems. Due to its cross-platform capabilities, BRICKSTORM can be used on Windows, Linux, and BSD (Berkeley Software Distribution), which enables attackers to infiltrate a variety of network environments [7]. In past campaigns, UNC5221 has been observed maintaining persistence for more than a year (roughly 393 days), showing that the group prioritizes data collection and staying hidden over big attacks that quickly lose access [7].

To stay hidden, this group uses cloud services like Cloudflare Workers and Heroku as part of their command-and-control (C2) blueprint to perform cloud-fronting. Cloud-fronting is a technique that makes malicious traffic appear to come from reliable businesses. Additionally, they employ DNS-over-HTTPS (DoH), which encrypts network communication to make it difficult for defenders to identify anomalies. After entering the system, this group advances into virtualized environments such as VMware, vCenter, and ESXi, which are frequently found in data centers [7]. This allows them to increase their level of control and remain undetected, even if one machine is isolated or patched.

Recorded Future also discovered that CVE-2025-58424 appears in legitimate penetration testing tools like Tenable Nessus plugin #270590, as well as other tools like the DDoS Toolkit and generic Backdoor malware [6]. This demonstrates that both attackers and defenders are actively using this vulnerability: Adversaries are looking for unpatched targets, and defenders are using it for testing and securing systems.

Altogether, these results demonstrate that CVE-2025-58424 lies in a hybrid threat space that can be exploited by both independent and state-sponsored threat actors. Despite the lack of confirmation regarding who is responsible for F5’s BIG-IP modules, the similarity in tactics and techniques points to a larger campaign approach that emphasizes data manipulation, stealth, and continuous persistence.

V. Indicators of Compromise (IOCs) and Detection Indicators

There are currently no verified Indicators of Compromise (IOCs) available for CVE-2025-58424 as of this advisory. Because they are a possible early warning sign of exploitation, security teams should watch for anomalies in outgoing connections to cloud-hosted command-and-control (C2) services and in encrypted DNS traffic.

The following table rounds up observable behaviors and network patterns connected to the exploitation activity linked to CVE-2025-58424. Until confirmed IOCs are released, these indicators serve to assist analysts in searching for related activity:

Table 3. Detection and Monitoring Indicators for CVE-2025-58424

VI. Recommendations

CVE-2025-58424 allows attackers to infiltrate and modify data within active TCP sessions that use protocols lacking encryption or message integrity protection, such as those without TLS. The issue stems from predictable identifiers in the Traffic Management Microkernel (TMM), a core F5 Networks component, which can be leveraged to inject malicious data into the data plane. To mitigate these threats, organizations should take the following actions:

  1. Upgrade BIG-IP

F5 has released patched versions for affected modules. Organizations using affected models should upgrade to patched versions (15.1.10.8+, 16.1.6+, or 17.5.0+) for optimum security and performance.

For additional guidance:

Navigate to F5’s official website to learn more about common issues and best practices when upgrading BIG-IP systems: https://my.f5.com/manage/s/article/K000157079

  2. Turn on the TCP Injection Protection Setting

Administrators can enable the ‘tm.tcpstopblindinjection’ database variable via the Traffic Management Shell (TMSH) to add an extra layer of protection and serve as temporary mitigation until the patch is applied.

a. Log in to the TMOS Shell (tmsh) with the following command from the Advanced Shell (bash):

tmsh

b. Enter the following command to enable the ‘tm.tcpstopblindinjection’ database variable:

modify /sys db tm.tcpstopblindinjection value enable

c. Verify the change with the following command:

list /sys db tm.tcpstopblindinjection
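The two recommendations above can be combined into a fleet check. The following is an added example, not code from F5 or from the original advisory: it compares each device's version with the fixed release of its own major branch (a plain "newer than 15.1.10.8" test would wrongly pass 16.1.0) and reads the captured output of the verify command from step c. The hostnames, the inventory format, and the exact shape of the tmsh output are assumptions.

```python
import re

# Minimum fixed release per major branch, as listed in step 1 above.
# Assumption: each listed version is the floor for its own major branch only.
FIXED_BY_BRANCH = {15: (15, 1, 10, 8), 16: (16, 1, 6), 17: (17, 5, 0)}

# Assumed shape of the `list /sys db tm.tcpstopblindinjection` output:
#   sys db tm.tcpstopblindinjection {
#       value "enable"
#   }
DB_VALUE_RE = re.compile(
    r'sys\s+db\s+tm\.tcpstopblindinjection\s*\{\s*value\s+"?(\w+)"?\s*\}'
)


def parse_version(text):
    """Turn '16.1.5.1' into (16, 1, 5, 1)."""
    return tuple(int(part) for part in text.strip().split("."))


def patch_status(version_text):
    """Compare a version with the fixed release of the same major branch."""
    version = parse_version(version_text)
    fixed = FIXED_BY_BRANCH.get(version[0])
    if fixed is None:
        return "unlisted-branch"  # the advisory gives no fixed version for it
    width = max(len(version), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return "patched" if pad(version) >= pad(fixed) else "needs-upgrade"


def injection_protection_enabled(tmsh_output):
    """True only if the db variable is present and set to 'enable'."""
    match = DB_VALUE_RE.search(tmsh_output)
    return bool(match) and match.group(1).lower() == "enable"


def audit(inventory):
    """Return {hostname: recommended action} for a list of device records."""
    actions = {}
    for device in inventory:
        status = patch_status(device["version"])
        mitigated = injection_protection_enabled(device["db_output"])
        if status == "patched":
            actions[device["host"]] = "ok"
        elif status == "unlisted-branch":
            actions[device["host"]] = "check vendor advisory for this branch"
        elif mitigated:
            actions[device["host"]] = "upgrade (temporary mitigation is on)"
        else:
            actions[device["host"]] = "enable tm.tcpstopblindinjection, then upgrade"
    return actions


def _db(value):
    """Build constructed tmsh output for the sample inventory."""
    return 'sys db tm.tcpstopblindinjection {\n    value "%s"\n}' % value


# Constructed inventory: hostnames, versions and captured output are made up.
SAMPLE_INVENTORY = [
    {"host": "adc-edge-01", "version": "17.5.1", "db_output": _db("disable")},
    {"host": "adc-edge-02", "version": "16.1.0", "db_output": _db("disable")},
    {"host": "adc-dmz-01", "version": "15.1.10.7", "db_output": _db("enable")},
    {"host": "adc-lab-01", "version": "14.1.5.6", "db_output": _db("enable")},
]

if __name__ == "__main__":
    for host, action in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {action}")
```
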

To limit exposure, it is recommended to restrict management and self-IP access to trusted networks and enforce TLS across all traffic in addition to patching systems.

Security analysts should maintain increased monitoring of network traffic and logs for unusual TCP behavior, injection attempts, or sequence number anomalies while systems are in the process of being patched. The CVSS score is rated moderate, but the potential for unauthorized data manipulation within live network segments makes this a serious threat that requires immediate attention and remediation.

Table 3. Summary of Affected Products & Fixed Versions

Note: Refer to Table 1 in Section II (Targets) for a complete list of affected BIG-IP modules.

VII. References

[1] F5 Networks. (2025, October). Security Advisory K000156572: BIG-IP Software Vulnerabilities Quarterly Notification | MyF5. https://my.f5.com/manage/s/article/K000156572

[2] National Vulnerability Database (NVD). (2025, October 15). CVE-2025-58424: F5 BIG-IP Traffic Management Microkernel Data Corruption Vulnerability | National Institute of Standards and Technology (NIST). https://nvd.nist.gov/vuln/detail/CVE-2025-58424

[3] F5 Networks. (2025, October 15). Security Advisory K000151297: BIG-IP System Software Security Update for CVE-2025-58424 | MyF5. https://my.f5.com/manage/s/article/K000151297

[4] F5 Networks. (2025, October). Security Advisory K44525501: CVE-2025-58424 BIG-IP Data Plane Vulnerability Overview | MyF5. https://my.f5.com/manage/s/article/K44525501

[5] F5 Networks. (2025, October). Security Advisory K000157079: Upgrading BIG-IP Systems – Best Practices and Mitigation Guidance | MyF5. https://my.f5.com/manage/s/article/K000157079

[6] Recorded Future Insikt Group. (2025, October 23). Vulnerability Enrichment: CVE-2025-58424. Recorded Future. https://app.recordedfuture.com/portal/analyst-note/doc:_b2QRX

[7] Yoder, S., Wolfram, J., Pearson, A., Bienstock, D., Madeley, J., Murchie, J., Slaybaugh, B., Lin, M., Carstairs, G., & Larsen, A. (2025, September 24). Another BRICKSTORM: Stealthy backdoor enabling espionage into tech and legal sectors. Google Cloud Blog. https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign

[8] Lakshmanan, R. (2025, October 15). F5 breach exposes BIG-IP source code — Nation-state hackers behind massive intrusion. The Hacker News. https://thehackernews.com/2025/10/f5-breach-exposes-big-ip-source-code.html

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Taylor Alvarez, Isaiah Johnson, Eduarda Koop, and Waratchaya Luangphairin (June)

BIG-IP Integrity Vulnerability Threat Report 2025-11-05T10:40:05-05:00

Arnie Bellini – The Visionary Behind CyberBay

Arnie Bellini, best known as the former CEO and co-founder of ConnectWise, helped shape Tampa Bay’s technology landscape. Today, he’s leading a new movement – turning Tampa Bay into CyberBay, the next cybersecurity hub of the United States.

In this premiere episode of The CyberBay Podcast, co-host and Tampa Bay Business Journal reporter Anjelica Rubin sits down with Arnie to trace his journey from early tech entrepreneur to thought leader, philanthropist, and investor.

Arnie reflects on the Bellini family’s deep roots in Tampa Bay, the trials and triumphs of building ConnectWise at the dawn of the tech revolution, and the philosophies that have guided his career and life. Together, he and Anjelica unpack the vision behind the CyberBay movement and his mission to defend the digital borders of the U.S.

Arnie Bellini – The Visionary Behind CyberBay 2025-11-03T14:48:21-05:00

Protecting Against Elder Fraud and Scams – Portuguese

This resource presents practical steps to help protect people aged 60+ and their family members, friends, and caregivers against cyber fraud. People aged 60+ are increasingly targeted by digital criminals who exploit trust, unfamiliarity with technology, and financial vulnerability. From phishing scams (fake messages that try to trick a person in order to steal information) to tech support fraud and identity theft, these attacks often result in significant emotional and financial harm.

In this guide, find information on the most common scams that target people aged 60+, best practices for keeping personal data protected, and where and how to report cyber fraud. Share this guide with your community!

Guide created by the Cyber Florida Security Operations Center.
Contributing Security Analysts: Lara Radovanovic, Zahid Rahman, Waratchaya Luangphairin
Translated by: Dra. Michelle Angelo-Rocha, Lara Radovanovic, Waratchaya Luangphairin, Zahid Rahman
Protecting Against Elder Fraud and Scams – Portuguese 2025-10-08T10:42:53-04:00

Protecting Against Elder Fraud and Scams – Arabic

This resource offers practical steps for protecting against “cyber elder fraud.” Scammers exploit trust, unfamiliarity with technology, and financial vulnerability. From phishing messages to fake tech support to identity theft, the result can be financial loss and psychological harm.

Here you will find the most common tactics, best practices for protecting information, and how and where to report.

Guide created by the Cyber Florida Security Operations Center.
Contributing Security Analysts: Lara Radovanovic, Zahid Rahman, Waratchaya Luangphairin
Translated by Zahid Rahman, Waratchaya Luangphairin, Sanae Elmachhour
Protecting Against Elder Fraud and Scams – Arabic 2025-10-08T10:35:38-04:00

Protecting Against Elder Fraud and Scams – Spanish

This resource presents practical steps to help protect people over 60 and their family members, friends, and caregivers against cyber fraud. People over 60 are increasingly a target for digital criminals who exploit trust, unfamiliarity with technology, and financial vulnerability. From phishing scams (fake messages that try to trick a person in order to steal information) to tech support fraud and identity theft, these attacks often result in significant emotional and financial harm.

In this guide, you will find information on the most common scams that affect people over 60, best practices for keeping personal data protected, and where and how to report cyber fraud. Share this guide with your community!

Guide created by the Cyber Florida Security Operations Center.
Contributing Security Analysts: Lara Radovanovic, Zahid Rahman, Waratchaya Luangphairin
Translated by: Lara Radovanovic, Waratchaya Luangphairin, Zahid Rahman, Dr. Michelle Angelo-Rocha
Protecting Against Elder Fraud and Scams – Spanish 2025-10-08T10:43:28-04:00

Protecting Against Elder Fraud and Scams: A Cybersecurity Guide

This resource offers practical steps to help protect older adults and those who support them against cyber elder fraud. Older adults are increasingly targeted by cybercriminals who exploit trust, unfamiliarity with technology, and financial vulnerability. From phishing scams to tech support fraud and identity theft, these attacks often result in significant emotional and financial harm.

Read through for information on common elder scams, best practices for keeping personal information protected, and where and how to report a cyber elder fraud.

Guide created by the Cyber Florida Security Operations Center. Contributing Security Analysts: Lara Radovanovic, Zahid Rahman, Waratchaya Luangphairin

Protecting Against Elder Fraud and Scams: A Cybersecurity Guide 2025-09-18T12:02:35-04:00

Scattered Spider Threat Report

I. Introduction

Scattered Spider is a large and loosely affiliated cybercrime group also referred to as UNC3944 or Octo Tempest. This group is made up of teens and young adults who primarily target companies in the U.S. and U.K. for financial gain (CISA, 2025).

Their attacks are heavily reliant on social engineering. Common tactics include bombarding employees with repeated MFA prompts (“push bombing”), hijacking phone numbers through SIM-swap attacks, and impersonating IT help desk staff to steal credentials. Once inside, they use “everyday” administrative tools and legitimate remote access applications to move quietly through networks, steal sensitive data, and in many cases deploy ransomware such as DragonForce [1, 2]. Scattered Spider is a serious concern because they adapt quickly, move across multiple industries, and combine human manipulation with technical persistence. [2, 7]

In today’s fast-paced technological and cybersecurity environment, staying ahead of the game is critical, and members of Scattered Spider understand this well. They take advantage of the newest technologies, quickly identifying vulnerable areas and exploiting them for attack. For this reason, they have gained a reputation as one of the most dangerous threat groups active today.

This report will outline who they target, the tactics they use, indicators of compromise, and how different roles can defend against them.

II. Target

Scattered Spider’s targets span multiple industries, with the most recent being retail, insurance, and aviation. These incidents have impacted many countries worldwide, with the U.S. and U.K. hit most heavily. The group goes after large companies by exploiting help desks and compromising third-party vendors such as customer support platforms, IT contractors, or cloud services. The following examples highlight major attacks between April and July 2025.

  • April 2025
    • Marks and Spencer (Retail, U.K.) – Struck by a ransomware attack that disrupted operations, cut into sales, and exposed customer and employee data. Attackers gained access through social engineering that targeted IT help desks, a tactic characteristic of Scattered Spider [3].
    • Co-op (Retail, U.K.) – Experienced ransomware attacks causing data loss and service outages, negatively affecting company revenue and stock. Investigators revealed that access was granted through the impersonation of support staff and later passed to a ransomware-as-a-service (RaaS) operator, methods closely matching Scattered Spider’s standard techniques [4].
  • May 2025
    • Victoria’s Secret (Retail, U.S.) – Forced to shut down their website and in-store services following a security breach that was part of a wider campaign targeting retail [5].
    • Adidas (Retail, Germany, global) – Confirmed theft of company and customer contact information through a third-party customer service provider [6].
  • June 2025
    • AFLAC (Insurance, U.S.) – Confirmed a data breach with Scattered Spider’s use of social engineering suspected for initial access.
    • Philadelphia Indemnity Insurance (Insurance, U.S.) – Suffered a data breach linked to Scattered Spider’s use of Multi-Factor-Authentication (MFA) fatigue attacks.
    • WestJet (Aviation, Canada) – Data centers breached along with their Microsoft Cloud environment. Scattered Spider gained their initial access through password reset on an employee account and using MFA to gain further access.
    • Hawaiian Airlines (Aviation, U.S.) – Believed to have also been attacked by Scattered Spider, although investigations are ongoing and show similarities in tactics to other airline attacks.
  • July 2025
    • Qantas (Aviation, Australia) – Suffered a significant data breach through a third-party customer service platform affecting nearly 6 million customers. Members of Scattered Spider are believed to be responsible, having targeted an IT call center.
    • Azpiral (Loyalty Program Provider, U.K.) – Loyalty program provider for Co-op UK, disclosed a cyberattack extending impact beyond the retail company itself [7].

III. Tactics and Techniques

Scattered Spider incorporates a wide range of Tactics, Techniques, and Procedures (TTPs) to get what they want. They consistently rely on social engineering, most commonly impersonation of IT or Helpdesk personnel to deceive employees into revealing credentials, approving MFA prompts, or granting remote access.

The following list shows their tactics and techniques, along with the corresponding MITRE ATT&CK technique IDs.

IV. Adversary Tools and Services

Scattered Spider relies on social engineering and trusted IT tools rather than custom malware. This helps them stay undiscovered in corporate environments [4].

Based on the recently published reports by CISA (2025) and CrowdStrike (2025), they use the following tools and services to maintain their persistence in the compromised systems:

  1. Remote Access Tools: AnyDesk, TeamViewer, Teleport.sh, and ScreenConnect provide persistent remote connectivity by tunneling over the internet [1].
  2. Cloudflare Tunnels: Cloudflare’s trycloudflare creates encrypted tunnels that bypass company firewalls and VPNs without raising suspicion [9].
  3. Communication Platforms: Slack, Microsoft Teams, and even SMS platforms are exploited for social engineering, impersonating IT staff and targeting privileged users [9].
  4. Cloud Storage and Databases: Mega.nz, Amazon S3, and Snowflake are misused for large-scale data exfiltration. Thousands of rapid queries are used to pull out huge amounts of data in a very short time [9].
  5. Living off the Land Tools: PsExec, PowerShell, and Remote Desktop Protocol (RDP) allow for stealthy command execution, credential theft, and lateral movement disguised as routine IT activity [9, 10].
  6. Malware and Ransomware (less common): AveMaria/WarZone (RAT), Raccoon and Vidar (stealers), and ALPHV/BlackCat or DragonForce (ransomware) are deployed occasionally for persistence, theft, and extortion [1, 12].

V. Indicators of Compromise (IOCs)

Scattered Spider is known for blending in with legitimate user activity, which makes spotting them challenging. To stay ahead of them, defenders should look for subtle anomalies that give away their presence rather than just the tools themselves [11]. These clues, when pieced together, can help identify an attack even before major damage is done.

1. Impersonation Domains: Fake login/helpdesk sites. These domains typically impersonate corporate login or IT helpdesk pages, making them appear trustworthy to targets.

  • In the past they have used: [1]
    • targetsname-sso[.]com,
    • targetsname-servicedesk[.]com,
    • targetsname-okta[.]com,
    • targetsname-helpdesk[.]com,
    • oktalogin-targetcompany[.]com

2. Remote Access Abuse: Unexpected installation of remote access tools like AnyDesk, TeamViewer, Teleport.sh, and ScreenConnect (mentioned above) or unusual connections to unknown domains.

3. Tunneling Traffic: Repeated connections to trycloudflare domains that bypass VPN/firewalls.

4. Abnormal Data Exfiltration Patterns: Bursts of SQL queries executed against databases, large uploads to Mega.nz or Amazon S3 buckets outside of normal workflow [8], or high-volume outbound traffic from accounts or servers that don’t usually transfer large datasets.

5. Credential and Privilege Abuse: Repeated failed login attempts followed by successful access from new or foreign IPs, unexpected privilege escalations or password resets, and MFA bypass attempts via helpdesk calls (vishing) or SIM swaps [13].
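Indicators 1 and 3 above lend themselves to a simple DNS-log hunt. The following is an added example, not part of the original report: it flags lookups whose labels combine the organization's name with one of the lure keywords from the listed domain patterns, and source hosts that repeatedly resolve trycloudflare hostnames. The log format, the organization name `examplecorp`, the repeat threshold, and all sample lines are constructed assumptions.

```python
import re
from collections import Counter

# Keywords taken from the impersonation patterns listed under indicator 1.
LURE_KEYWORDS = {"sso", "servicedesk", "okta", "helpdesk", "oktalogin"}
TUNNEL_SUFFIX = ".trycloudflare.com"
TUNNEL_REPEAT_THRESHOLD = 3  # assumption: tune to the environment

# Assumed log line format: <timestamp> <source-ip> query <type> <name>
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+query\s+\S+\s+(?P<name>\S+)$")


def refang(domain):
    """Normalize a possibly defanged name (example[.]com) to lowercase."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")


def is_impersonation(domain, org_names, own_domains):
    """True if any label pairs an org name with a lure keyword, split on '-'."""
    name = refang(domain)
    if any(name == own or name.endswith("." + own) for own in own_domains):
        return False  # the organization's real domains are never flagged
    for label in name.split(".")[:-1]:  # every label except the TLD
        tokens = set(label.split("-"))
        if tokens & set(org_names) and tokens & LURE_KEYWORDS:
            return True
    return False


def is_tunnel(domain):
    """True for hostnames under the trycloudflare tunnel domain."""
    return refang(domain).endswith(TUNNEL_SUFFIX)


def scan_dns_log(lines, org_names, own_domains):
    """Return impersonation hits and hosts with repeated tunnel lookups."""
    impersonation = []
    tunnel_hits = Counter()
    for line in lines:
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # skip lines that do not fit the assumed format
        src, name = match["src"], match["name"]
        if is_impersonation(name, org_names, own_domains):
            impersonation.append((src, refang(name)))
        elif is_tunnel(name):
            tunnel_hits[src] += 1
    repeated = {src: n for src, n in tunnel_hits.items()
                if n >= TUNNEL_REPEAT_THRESHOLD}
    return {"impersonation": impersonation, "repeated_tunnels": repeated}


# Constructed sample log; names use the reserved .example TLD where possible.
SAMPLE_LOG = [
    "2025-09-01T02:14:07Z 10.0.4.21 query A examplecorp-helpdesk.example",
    "2025-09-01T02:14:09Z 10.0.4.21 query A sso.examplecorp.example",
    "2025-09-01T02:15:30Z 10.0.7.5 query A oktalogin-examplecorp.example",
    "2025-09-01T02:16:01Z 10.0.2.2 query A okta.example",
    "2025-09-01T03:00:00Z 10.0.9.12 query A quiet-river-1234.trycloudflare.com",
    "2025-09-01T03:05:00Z 10.0.9.12 query A quiet-river-1234.trycloudflare.com",
    "2025-09-01T03:10:00Z 10.0.9.12 query A quiet-river-1234.trycloudflare.com",
    "2025-09-01T03:11:00Z 10.0.3.3 query A one-off-5678.trycloudflare.com",
]

if __name__ == "__main__":
    findings = scan_dns_log(SAMPLE_LOG, {"examplecorp"}, {"examplecorp.example"})
    for src, name in findings["impersonation"]:
        print(f"impersonation lookup from {src}: {name}")
    for src, count in findings["repeated_tunnels"].items():
        print(f"{src} resolved tunnel hostnames {count} times")
```
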

VI. Recommendations

Scattered Spider has impacted a wide range of individuals within targeted organizations by exploiting both human behavior and weaknesses in cloud identity systems. Their tactics allow them to compromise accounts across all levels of a company. Because their attacks touch so many different roles, a one-size-fits-all approach to mitigation would be insufficient.

This report breaks down mitigation strategies by role group, focusing on the four most frequently targeted groups: IT Support and Help Desk Personnel, Identity & Access Administrators, Executives & High-Privilege Users, and Standard Users across the Organization. Each section highlights who these groups are, how they are attacked, and what can be done to reduce the exposure to the attack, boosting resilience to a group whose playbook is to exfiltrate victims’ data and extort them for financial gain.

1. IT Support & Help Desk Personnel: Front-liners responsible for password resets, multi-factor authentication setup/resets, as well as employee account recovery. Scattered Spider targets this group the most, frequently impersonating employees and calling IT support and help desk personnel after hours (a time when not many people are around to verify legitimacy) to request an “authentication reset” and gain remote access to that employee’s device.

How to Defend:

    • Be trained in detecting social engineering, especially during after-hours or peak times when there are multiple requests in short windows.
    • Create a process for out-of-band authorization so that, if someone calls saying they have lost their password and phone, staff can differentiate between a legitimate employee and a threat actor, like Scattered Spider, calling in to gain initial access.
    • Log and audit all reset/MFA enrollment and reset requests.
    • Block unauthorized Remote Monitoring and Management tools.
    • Use fallback verification channels, such as alternate phone numbers, to confirm identity.

2. Identity & Access Management Administrators: Control who can log into systems and what they can access. IAM Administrators manage passwords, multi-factor authentication, cloud access, and application permissions. They essentially hold the keys to everything. If an attacker compromises an IAM account, they can access multiple systems, escalate privileges to gain even more control, disable protections like MFA, remain hidden longer, exfiltrate sensitive data, or launch larger attacks.

How to Defend:

  • Have strong conditional access policies. Conditional access policies let you restrict logins to known IPs, managed devices, and geofenced locations, as well as set token lifetimes short enough that even a stolen token will not work [14].
  • Use stronger multi-factor authentication for admins, such as hardware-based tokens or NFC connections. Hardware tokens are highly resistant to phishing and are not reliant on mobile devices [15].
  • Implement passkeys for employee authentication. Passkeys are cryptographic keys stored directly on a specific device and cannot be linked or synced to other devices [16].
  • Don’t let admin access be “always on.” Give admin access only when necessary, not all the time. (This is also called “just-in-time” access.)
  • Implement allow-listing: block known applications used by Scattered Spider and allow only specific internal tools used within the company [17].
  • Watch for suspicious activity. Flag whenever someone logs in from a new device or location, or if a login token gets reused.
  • Clean up unused integrations. Disconnect old logins and apps that are no longer used, as they are an easy way to get in.

3. Executives & High-Privilege Users: Individuals with access to extremely valuable data, such as sensitive financial, legal, or insurance information. They are the prime targets for extortion and leveraging attacks due to having broader system privileges across the organization.

Why they are targeted: They offer high-value access with minimal friction. Executives often have direct access to confidential documents; their accounts typically have higher internal trust and, if compromised, could be used to trick others within the organization. Executive accounts are also often over-permissioned and interwoven in multiple high-risk systems, so one compromise can rapidly spread laterally.

How to Defend:

  • Be phishing savvy.
  • Use hardware-based multi-factor authentication to prevent SIM-swaps and push bombing, a method used to overwhelm a user with repeated multi-factor authentication push notifications in hopes that the user will eventually approve out of annoyance.

4. Standard Users Across the Organization: Everybody else using email, SaaS (Software-As-A-Service, software solutions delivered over the internet on a subscription basis) apps, and cloud tools.

How they are targeted: Phishing, smishing, and multi-factor authentication attacks

How to Defend:

  • Partake in ongoing training with phishing and smishing simulations and report suspicious MFA prompts.
  • Use strong passwords, including no reuse, no hints, and use of password managers.
  • Disable email-based one-time passwords, as these can be leveraged to gain onward authentication.
  • Enable account lockouts after failed login attempts to limit brute-force access.
  • Block unauthorized software, especially remote access or monitoring tools.
  • Update devices and software regularly.
  • Be cautious when uploading or sharing files in cloud platforms like SharePoint, Slack, or email.

VII. References

[1] Scattered spider: Cisa. Cybersecurity and Infrastructure Security Agency CISA. (2025, July 31). https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a

[2] Scattered spider. Scattered Spider, Roasted 0ktapus, Octo Tempest, Storm-0875, Group G1015 | MITRE ATT&CK®. (2024, April 4). https://attack.mitre.org/versions/v17/groups/G1015/

[3] Tidy, J. (2025, May 21). M&S and co-op hacks: Scattered spider is focus of police investigation. BBC News. https://www.bbc.com/news/articles/ckgnndrgxv3

[4] Poston, H. (2022, March 21). £300m gone: How scattered spider hit the UK’s biggest retailers. Hack The Box. https://www.hackthebox.com/blog/scattered-spider-insurance-retail-attacks

[5] Silberstein, N. (2025, June 13). Update: May cyber attack expected to cost victoria’s secret $20 million. Retail TouchPoints. https://www.retailtouchpoints.com/topics/security/data-security/victorias-secret-latest-hit-in-growing-swath-of-retail-cyber-attacks

[6] Beek, K. (2025, May 27). Adidas falls victim to third-party Data Breach. https://www.darkreading.com/vulnerabilities-threats/adidas-victim-third-party-data-breach

[7] Scattered spider targets tech companies for help-desk exploitation. ReliaQuest. (2025, June 23). https://reliaquest.com/blog/scattered-spider-cyber-attacks-using-phishing-social-engineering-2025/

[8] Fadilpašić, S. (2025, July 30). FBI, CISA warn of more scattered spider attacks to come. TechRadar. https://www.techradar.com/pro/security/fbi-cisa-warn-of-more-scattered-spider-attacks-to-come

[9] Scattered spider escalates attacks across industries. CrowdStrike. (n.d.). https://www.crowdstrike.com/en-us/blog/crowdstrike-services-observes-scattered-spider-escalate-attacks/

[10] Yasir, S. (2025, July 7). Inside the scattered Spider Attack: How a UK retail giant was breached and what it means for… Medium. https://medium.com/@shaheeryasirofficial/inside-the-scattered-spider-attack-how-a-uk-retail-giant-was-breached-and-what-it-means-for-e3e94a7ce5bf

[11] Richardson, J. (2025, July 29). Scattered spider: The looming shadow over U.S. cybersecurity. Medium. https://medium.com/@the-prototype/scattered-spider-the-looming-shadow-over-u-s-cybersecurity-e8ce141185a5

[12] Tahir. (2025, May 2). Unmasking the scattered Spider Threat actor. Medium. https://medium.com/@tahirbalarabe2/%EF%B8%8Funmasking-the-scattered-spider-threat-actor-6435c2439ed7

[13] Doyle, A., & Langley, M. (2025, June 9). Scattered spider: A web of social engineering – threat actors. Daily Security Review. https://dailysecurityreview.com/resources/threat-actors-resources/scattered-spider-a-web-of-social-engineering/

[14] Shastri, V. (2025, January 15). What is conditional access?. CrowdStrike. https://www.crowdstrike.com/en-us/cybersecurity-101/identity-protection/conditional-access/

[15] Horn, P. (2025, July 11). Passkeys vs Hardware Tokens: Phishing-resistant MFA. Accutive Security – The IAM + Crypto Products and Services Company. https://accutivesecurity.com/guide-to-passkeys-and-hardware-security-tokens-yubikeys/

[16] Passkeys: Passwordless authentication. FIDO Alliance. (2025, July 24). https://fidoalliance.org/passkeys/

[17] What is allowlisting?: Broadcom. Broadcom Inc. (n.d.). https://www.broadcom.com/topics/allowlisting

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Waratchaya Luangphairin (June), Taylor Alvarez, Lara Radovanovic, Sneha Lama

To learn more about Cyber Florida visit: www.cyberflorida.org

Scattered Spider Threat Report (2025-09-12T13:13:50-04:00)

The Making of A Defender | A Documentary Premiere

You’re invited to the world premiere!

Cyber Florida and the University of South Florida are proud to invite you to the premiere of The Making of a Defender, a documentary film.

Event Details

🗓️ Wednesday, September 24
⏰ 6:00pm
📍 USF Oval Theater

This yearlong story follows USF’s cybersecurity competition team—the CyberHerd—from upstart challengers to national prominence. Tampa has always loved an underdog and a champion (ChampaBay, anyone?), and the CyberHerd embodies both.

More than a competition story, The Making of a Defender shows how solving the nation’s cybersecurity challenges is becoming a pillar of the Tampa Bay community and beyond. As CyberBay grows, this story becomes one of its cornerstones.

The Making of A Defender | A Documentary Premiere (2025-09-25T09:43:39-04:00)

Cell Phone Privacy and Unwanted Access Informational Guide

In today’s digital world, mobile phones are more than just phones. They are our personal secretaries. They manage our schedules, store our health and insurance information, act as our bank and workstations, and encapsulate our entire social lives through apps, photos, videos, and voice messages.

This informational report discusses cell phone privacy and how to prevent unwanted access, or in other words, when “a person gains logical or physical access without permission to a network system, application, data, or other resources.” With real-world examples, reputable statistics, and a step-by-step guide for both iOS and Android devices, this report serves to help mobile users of all levels stay informed and in control.

Guide created by the Cyber Florida Security Operations Center. Contributing Security Analysts: Waratchaya Luangphairin, Lara Radovanovic, Zahid Rahman

Cell Phone Privacy and Unwanted Access Informational Guide (2025-08-20T13:52:20-04:00)

Deepfake Cyber Threats: Understanding the Risks of AI-Powered Fraud and Scams

I. Targeted Entities

Deepfake technologies pose a threat to a wide range of entities, including but not limited to:

  • Individuals / General Public
  • Politicians and Political Processes
  • Celebrities and Public Figures
  • Organizations and Corporations:
    • Senior Executives
    • Financial Sector
  • Government Officials and Agencies

II. Introduction and Key Threat Details

Introduction

Synthetic media generated by Artificial Intelligence (AI), commonly known as deepfakes, are rapidly multiplying and increasing in sophistication. We are currently witnessing a significant surge in deepfake incidents; for instance, there was a 257% rise in recorded incidents from 2023 to 2024, and the first quarter of 2025 alone surpassed the total incidents of the previous year.

The potential impacts are severe and varied. These include substantial financial losses for organizations and individuals, as seen by the $25 million fraud at Arup, where executives were impersonated via deepfake video. Deepfakes are key in disinformation campaigns that erode public trust and can influence political outcomes, such as through fake calls targeting voters. Furthermore, the technology is used to create non-consensual explicit content and enhance the effectiveness of social engineering attacks.

As outlined in Section I, targets span from the general public and public figures to corporations (particularly in finance) and government entities. Addressing this emerging threat requires a multi-layered strategy. Organizations must implement robust cybersecurity policies, conduct continuous employee awareness training, deploy technical safeguards, and enforce strict verification protocols. Also, individuals need to develop media literacy, enhance personal data security, and be skeptical of certain online information. Official bodies, such as the FBI, are increasingly issuing warnings and guidance, indicating a move towards more collaborative defense.

Key Threat Details

Threat Type: The threat involves the malicious use of deepfakes, which are AI-generated synthetic media (audio, video, or images) carefully crafted to impersonate real individuals or fabricate events that never occurred. The primary technology empowering deepfakes is Generative Adversarial Networks (GANs). A GAN consists of two neural networks: a 'generator' that creates the fake content and a 'discriminator' that attempts to distinguish the fake content from authentic examples. Through an iterative, adversarial training process, the generator becomes progressively better at creating realistic fakes that can deceive the discriminator, and ultimately, human perception. This technology is leveraged by increasingly accessible software, with tools like Iperov's DeepFaceLab and FaceSwap, and services like Voice.ai, Mur.ai, and Elevenlabs.io for voice cloning.

Targets

  • Individuals (General Public): Targeted for fraud, non-consensual explicit content, and harassment.
  • Politicians and Political Processes: Disinformation campaigns, impersonation to influence elections, and reputational attacks.
  • Celebrities and Public Figures: Often targeted for non-consensual explicit content, endorsement scams, and reputational damage.
  • Organizations and Corporations:
    • Senior Executives (CEOs, CFOs): Impersonated in financial fraud schemes.
    • Financial Sector: Targeted for large-scale fraud, market manipulation through disinformation, and undermining customer trust.
  • Government Officials and Agencies: Impersonated to obtain sensitive information, spread disinformation, or authorize fraudulent actions.

Impact

If successful, deepfake attacks can lead to:

  • Financial Fraud: Significant monetary losses through impersonation of executives or trusted parties to authorize fraudulent transactions (vishing).
  • Disinformation and Political Destabilization: Manipulation of public opinion, interference in elections, incitement of social unrest, and damage to democratic processes.
  • Reputational Harm: Severe damage to personal or corporate reputations through the creation and dissemination of non-consensual explicit material, defamatory statements, or fabricated incriminating evidence.
  • Social Engineering and Data Breaches: Gaining unauthorized access to sensitive systems or information by impersonating trusted individuals and deceiving employees.
  • Erosion of Trust: Diminished public trust in authentic media, institutions, and digital communication ("liar's dividend").
  • Operational Disruption: Business operations can be disrupted by disinformation campaigns or internal fraud incidents.

Contextual Info

Deepfake technology is accessible to a wide spectrum of malicious actors. This includes individual fraudsters, online harassers, organized criminal enterprises focused on financial gain, and potentially state-sponsored groups deploying deepfakes for complex disinformation campaigns and political interference.

Related Campaigns/Past Activity

The versatility of deepfakes is seen through various high-profile incidents:

  • The $25 million financial fraud at Arup, where attackers used deepfake video and audio to impersonate senior executives in a conference call, compelling an employee to make unauthorized transfers.
  • AI-generated calls impersonating U.S. President Joe Biden, which urged voters in New Hampshire not to participate in the primary election, representing a direct attempt at election interference.
  • The widespread creation and distribution of non-consensual explicit deepfake images of public figures like Taylor Swift, highlighting the potential for severe personal and reputational harm.

MITRE ATT&CK TTPs

T1566 Phishing: Deepfakes, especially audio (voice clones), are used in vishing (voice phishing) campaigns, aligning with sub-techniques like T1566.003 Spearphishing Voice.

T1591.002 Create/Modify Content: Deepfakes inherently involve creating or modifying content to deceive, related to broader information operations or influence campaigns.

IV. Recommendations

For Organizations

Policies:

  • Develop and enforce robust cybersecurity policies that address the risks of deepfake attacks. Integrate deepfake scenarios into incident response plans and conduct regular practice incidents.
  • Establish clear guidelines on the acceptable use of AI and synthetic media tools within the organization.

Awareness/Training:

  • Implement continuous security awareness training for all employees, leadership, and relevant third parties. Training should cover deepfake identification, the psychological tactics used by attackers (e.g., urgency, authority bias), and established reporting procedures.

Technical Safeguards:

  • Enforce strong Multi-Factor Authentication (MFA) across all systems and users, prioritizing stronger methods for critical access points.
  • Deploy AI-powered detection tools for high-risk communication channels (e.g., video conferencing, customer service calls).
  • Adopt a Zero Trust security architecture, assuming no user or device is inherently trustworthy without continuous verification.
  • Monitor for Virtual Camera Software in Logs: For live deepfake attacks, attackers may use virtual camera software like Open Broadcaster Software (OBS) to feed the manipulated video into the meeting application. If logging is enabled for platforms like Zoom or Microsoft Teams, security teams can review logs for camera device names. The presence of uncommon camera names like 'OBS Virtual Camera' can be a strong indicator of a deepfake attempt, since this software is not typically used by employees for standard meetings.
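
One way to run the camera-name review described above, as an added example that is not part of the original advisory. The JSON-lines schema, the sample records, the per-user baseline and the generic "virtual" keyword are constructed assumptions, not the log format of Zoom or Microsoft Teams; only the name 'OBS Virtual Camera' comes from the advisory.

```python
import json

# Constructed sample records. The schema (ts, user, meeting_id, camera) is
# hypothetical and is not the export format of Zoom or Microsoft Teams.
SAMPLE_LOG = """\
{"ts": "2025-06-02T14:00:03Z", "user": "a.chen", "meeting_id": "m-1001", "camera": "Integrated Webcam"}
{"ts": "2025-06-02T14:00:09Z", "user": "r.patel", "meeting_id": "m-1001", "camera": "FaceTime HD Camera"}
{"ts": "2025-06-03T09:30:41Z", "user": "r.patel", "meeting_id": "m-1002", "camera": "OBS Virtual Camera"}
this line is truncated {"ts": "2025-06-03T09:31
{"ts": "2025-06-03T09:32:10Z", "user": "a.chen", "meeting_id": "m-1002", "camera": "  obs VIRTUAL  camera "}
{"ts": "2025-06-04T11:15:00Z", "user": "j.ortiz", "meeting_id": "m-1003", "camera": "Logitech BRIO"}
{"ts": "2025-06-04T11:15:20Z", "user": "a.chen", "meeting_id": "m-1003", "camera": "Logitech BRIO"}
{"ts": "2025-06-05T08:00:00Z", "user": "a.chen", "meeting_id": "m-1004", "camera": "Logitech BRIO"}
"""

# Cameras each user has been seen with before (constructed baseline).
SAMPLE_BASELINE = {"a.chen": ["Integrated Webcam"], "r.patel": ["FaceTime HD Camera"]}

# "OBS Virtual Camera" is the name the advisory gives; the generic "virtual"
# keyword is an added assumption to catch similarly named devices.
WATCHLIST = {"obs virtual camera"}
KEYWORDS = ("virtual",)

def normalize(name):
    """Lower-case and collapse whitespace so cosmetic variations still match."""
    return " ".join(str(name).lower().split())

def parse_records(log_text):
    """Yield well-formed records; skip malformed or incomplete lines."""
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and {"user", "meeting_id", "camera"} <= rec.keys():
            yield rec

def find_suspicious_cameras(log_text, baseline=None):
    """Return findings for watchlisted/virtual cameras and per-user new devices."""
    known = {u: {normalize(c) for c in cams} for u, cams in (baseline or {}).items()}
    findings = []
    for rec in parse_records(log_text):
        user, cam = str(rec["user"]), normalize(rec["camera"])
        virtual = cam in WATCHLIST or any(k in cam for k in KEYWORDS)
        reasons = ["watchlist"] if cam in WATCHLIST else ["keyword"] if virtual else []
        if user in known and cam not in known[user]:
            reasons.append("new_device")
        if not virtual:
            # Learn physical devices so they alert once; never learn virtual ones.
            known.setdefault(user, set()).add(cam)
        if reasons:
            findings.append({"user": user, "meeting_id": rec["meeting_id"],
                             "camera": cam, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_cameras(SAMPLE_LOG, SAMPLE_BASELINE):
        print(finding)
```

A finding that carries both "watchlist" and "new_device" for a user who normally joins with a physical camera is the case the advisory describes; a "new_device" finding on its own usually just means new hardware.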

Verification and Controls:

  • Implement strict verification (e.g., phone call authentication) for any unusual or high-value requests, specifically those involving financial transfers, changes to payment details, or disclosure of sensitive information over digital channels.
    • Implement "master passcodes" or challenge questions for authenticating identities during sensitive communications.
    • Enforce dual approvals for significant decisions/transactions.

Preventative Measures:

  • Minimize the public availability of audiovisual material of executives/employees to limit training data for attackers.
  • Assess organizational susceptibility to deepfake attacks, identifying vulnerable processes and personnel.

For Individuals

Increase Media Literacy and Critical Thinking:

  • Approach online content with healthy skepticism. Question the authenticity of unexpected, sensational, or emotionally manipulative videos, audio messages, or images.
  • Always consider the source of information. Verify claims through multiple reputable sources before accepting them as true.

Recognize Potential Red Flags:

  • Be aware of common visual indicators such as unnatural eye movements, mismatched lighting, a face that flickers when an object passes in front of it, or an unwillingness from the person to show their side profile. For audio, listen for robotic cadence, unnatural pitch, or lack of emotional inflection. [17] However, understand that sophisticated deepfakes may not exhibit obvious flaws.

Protect Personal Data:

  • Review and tighten privacy settings on all social media accounts to limit public access to personal images, videos, and information.
  • Be mindful of the amount of personal audiovisual data shared online.

Verify and Report:

  • If you receive a suspicious or urgent request, even if it appears to be from a known contact, verify it through a separate, trusted communication channel (e.g., call a known phone number).
  • Report suspected deepfakes immediately to the platform where they are hosted. If the deepfake is being used for malicious purposes (e.g., fraud, harassment, defamation, non-consensual explicit content), report it to law enforcement agencies.

VII. References

Works cited

[1] Deepfake statistics 2025: how frequently are celebrities targeted?, accessed June 7, 2025, https://surfshark.com/research/study/deepfake-statistics

[2] Cybercrime: Lessons learned from a $25m deepfake attack | World …, accessed June 7, 2025, https://www.weforum.org/stories/2025/02/deepfake-ai-cybercrime-arup/

[3] Understanding the Hidden Costs of Deepfake Fraud in Finance – Reality Defender, accessed June 7, 2025, https://www.realitydefender.com/insights/understanding-the-hidden-costs-of-deepfake-fraud-in-finance

[4] Top 5 Cases of AI Deepfake Fraud From 2024 Exposed | Blog – Incode, accessed June 7, 2025, https://incode.com/blog/top-5-cases-of-ai-deepfake-fraud-from-2024-exposed/

[5] Gauging the AI Threat to Free and Fair Elections | Brennan Center for Justice, accessed June 7, 2025, https://www.brennancenter.org/our-work/analysis-opinion/gauging-ai-threat-free-and-fair-elections

[6] FBI warns of fake texts, deepfake calls impersonating senior U.S. …, accessed June 7, 2025, https://cyberscoop.com/fbi-warns-of-ai-deepfake-phishing-impersonating-government-officials/

[7] Top 10 Terrifying Deepfake Examples – Arya.ai, accessed June 7, 2025, https://arya.ai/blog/top-deepfake-incidents

[8] Deepfake threats to companies – KPMG International, accessed June 7, 2025, https://kpmg.com/xx/en/our-insights/risk-and-regulation/deepfake-threats.html

[9] Cybercrime Trends: Social Engineering via Deepfakes | Lumi Cybersecurity, accessed June 7, 2025, https://www.lumicyber.com/blog/cybercrime-trends-social-engineering-via-deepfakes/

[10] Investigation finds social media companies help enable explicit deepfakes with ads for AI tools – CBS News, accessed June 7, 2025, https://www.cbsnews.com/video/investigation-finds-social-media-companies-help-enable-explicit-deepfakes-with-ads-for-ai-tools/

[11] How to Mitigate Deepfake Threats: A Security Awareness Guide – TitanHQ, accessed June 7, 2025, https://www.titanhq.com/security-awareness-training/guide-mitigate-deepfakes/

[12] Deepfake Defense: Your Shield Against Digital Deceit | McAfee AI Hub, accessed June 7, 2025, https://www.mcafee.com/ai/news/deepfake-defense-your-8-step-shield-against-digital-deceit/

[13] FBI Warns of Deepfake Messages Impersonating Senior Officials …, accessed June 7, 2025, https://www.securityweek.com/fbi-warns-of-deepfake-messages-impersonating-senior-officials/

[14] FBI Alert of Malicious Campaign Impersonating U.S. Officials Points to the Urgent Need for Identity Verification – BlackCloak | Protect Your Digital Life™, accessed June 7, 2025, https://blackcloak.io/fbi-alert-of-malicious-campaign-impersonating-u-s-officials-points-to-the-urgent-need-for-identity-verification/

[15] AI's Role in Deepfake Countermeasures and Detection Essentials from Tonex, Inc. | NICCS, accessed June 7, 2025, https://niccs.cisa.gov/training/catalog/tonex/ais-role-deepfake-countermeasures-and-detection-essentials

[16] What is a Deepfake Attack? | CrowdStrike, accessed June 7, 2025, https://www.crowdstrike.com/en-us/cybersecurity-101/social-engineering/deepfake-attack/

[17] Determine Credibility (Evaluating): Deepfakes – Milner Library Guides, accessed June 7, 2025, https://guides.library.illinoisstate.edu/evaluating/deepfakes

[18] Understanding the Impact of Deepfake Technology – HP.com, accessed June 7, 2025, https://www.hp.com/hk-en/shop/tech-takes/post/understanding-impact-deepfake-technology

[19] Deepfakes: Definition, Types & Key Examples – SentinelOne, accessed June 7, 2025, https://www.sentinelone.com/cybersecurity-101/cybersecurity/deepfakes/

[20] en.wikipedia.org, accessed June 7, 2025, https://en.wikipedia.org/wiki/Deepfake#:~:text=While%20the%20act%20of%20creating,generative%20adversarial%20networks%20(GANs).

[21] What are deepfakes? – Malwarebytes, accessed June 7, 2025, https://www.malwarebytes.com/cybersecurity/basics/deepfakes

[22] Complete Guide to Generative Adversarial Network (GAN) – Carmatec, accessed June 7, 2025, https://www.carmatec.com/blog/complete-guide-to-generative-adversarial-network-gan/

[23] How to Get Started with GANs: A Step-by-Step Tutorial – Draw My Text – Text-to-Image AI Generator, accessed June 7, 2025, https://drawmytext.com/how-to-get-started-with-gans-a-step-by-step-tutorial/

[24] Detection of AI Deepfake and Fraud in Online Payments Using GAN-Based Models – arXiv, accessed June 7, 2025, https://arxiv.org/pdf/2501.07033

[25] What is a GAN? – Generative Adversarial Networks Explained – AWS, accessed June 7, 2025, https://aws.amazon.com/what-is/gan/

[26] Overview of GAN Structure | Machine Learning – Google for Developers, accessed June 7, 2025, https://developers.google.com/machine-learning/gan/gan_structure

[27] Unlocking the Power of GAN Architecture Diagram: A Comprehensive Guide for Developers, accessed June 7, 2025, https://www.byteplus.com/en/topic/110690

[28] We Looked at 78 Election Deepfakes. Political Misinformation Is Not an AI Problem., accessed June 7, 2025, https://knightcolumbia.org/blog/we-looked-at-78-election-deepfakes-political-misinformation-is-not-an-ai-problem

[29] What is a deepfake? – Internet Matters, accessed June 7, 2025, https://www.internetmatters.org/resources/what-is-a-deepfake/

[30] Don't Be Fooled: 5 Strategies to Defeat Deepfake Fraud – Facia.ai, accessed June 7, 2025, https://facia.ai/blog/dont-be-fooled-5-strategies-to-defeat-deepfake-fraud/

[31] Top 10 AI Deepfake Detection Tools to Combat Digital Deception in 2025 – SOCRadar, accessed June 7, 2025, https://socradar.io/top-10-ai-deepfake-detection-tools-2025/

[32] How to Spot Deepfakes – Fake News – Dr. Martin Luther King, Jr. Library at San José State University Library, accessed June 7, 2025, https://library.sjsu.edu/fake-news/deepfakes

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Derek Kravetsky

Deepfake Cyber Threats: Understanding the Risks of AI-Powered Fraud and Scams (2025-07-02T09:38:08-04:00)