The global campaign marks the second series of multiple actively exploited zero-day vulnerabilities in Cisco edge technology since last spring. The similarities don’t end there.

Additionally, the U.S. Treasury sanctioned the Russian zero-day brokerage that Peter Williams sold the exploits to.

The average time from intrusion to network movement in 2025 was 29 minutes, a 65% increase in speed from the year prior.

Google researchers said Chinese attackers have been exploiting a zero-day since mid-2024, and they’ve moved on to a more advanced version of Brickstorm malware called Grimbolt.

Shadowserver scans have identified 86 compromised instances, and researchers warn multiple threat groups are involved.

Limited attacks occurred prior to Ivanti’s disclosure, followed by mass exploitation by multiple threat groups. More than 1,400 potentially vulnerable instances remain exposed.

The Ivy League school said it was one of almost 100 organizations hit by the simultaneous attacks in August.

The vendors disclosed and patched the defects last summer, but not before advanced attackers exploited the vulnerabilities to likely gain prolonged access for espionage, according to Amazon.

The digital engineering services firm said human resources data on nearly 10,500 current and former employees was exposed.

Peter Williams entered into several contracts with the Russian broker, exchanging the trade secrets for millions of dollars in cryptocurrency.