Barracuda Identifies Increase In ‘Infostealer’ Attacks and Threats Targeting Linux Servers
Barracuda Networks SOC Threat Radar – July 2025
Posted: Wednesday, Jul 23

Over the last month, Barracuda Managed XDR’s security solutions, threat intelligence and SOC analysts identified developments that organisations should be aware of, including:

  • A 35% rise in infostealer detections
  • A 56% rise in threats targeting Linux servers
  • A 13% rise in suspicious logins for AWS consoles

A 35% rise in infostealer attacks

What’s behind this?

SOC threat analysts and XDR Endpoint Security have detected a notable increase in infostealer malware targeting organisations. Infostealers are a diverse and widespread threat: in a recent operation, Interpol took down around 20,000 IP addresses that were found to be linked to 69 infostealer variants.

What is the risk?

Infostealers play a central role in credential theft, session (cookie) hijacking, cyber espionage and data exfiltration. They are also used as components of larger botnets, giving attackers control of infected machines and a steady supply of harvested data.

Infostealers are delivered through common attack vectors, including:

  1. Phishing emails encouraging users to click on links or download attachments that install and execute the malware.
  2. Malicious websites where the infostealer is downloaded automatically to unwary visitors (known as ‘drive-by’ downloads).
  3. Software exploits targeting unpatched bugs in applications or operating systems to install infostealers without user consent.
  4. Bundled software, where the infostealer is wrapped with other software such as cracked or pirated applications.

What should I look out for?

Infostealers are built to run quietly and finish quickly, so the clearest signs usually appear downstream, in account activity rather than on the infected machine. Signs that suggest your organisation could be the victim of an infostealer attack include:

  • Sudden or unusual changes in account behaviour, such as unauthorised logins or transactions, including logins that succeed without a fresh password or MFA prompt because a stolen session cookie was replayed.
  • A spike in calls to the Help Desk reporting lost credentials or account lockouts.
  • A slowdown in system performance as malware consumes computing power. This is less typical of a lightweight stealer on its own, but common where it arrives bundled with other malware.
  • The unexpected appearance of pop-ups or ads, which could indicate the presence of malware on the system.

Action to take

  • The best defence against infostealer malware is a robust endpoint security solution such as Barracuda Managed XDR Endpoint Security that can detect and block malware in real time.
  • Enforce the use of multifactor authentication (MFA) to make it harder for attackers to breach accounts even if credentials are compromised. MFA does not help once a session cookie has been stolen, so when an infostealer is found on a device, also revoke that user's active sessions and rotate every credential the stealer could have read.
  • Implement security awareness training for employees on the latest phishing tactics and safe browsing.
  • Implement advanced email security to detect and block phishing attempts before they reach users.
  • Keep systems and software updated with the latest security patches.
  • Prevent employees from downloading and installing pirated versions of applications on their work devices.

A 56% rise in threats targeting Linux servers

What’s behind this?

SOC analysts and XDR Server Security saw a jump in the number of detections for attacks against Linux servers. Linux is not immune: recent industry reports suggest that around 3,300 new vulnerabilities affecting Linux systems have been disclosed in 2025, that attacks have risen by 130% over the past 12 months, and that two new critical vulnerabilities were announced in June 2025.

What is the risk?

Many organisations rely on Linux for their servers, cloud infrastructure and IoT devices. That large footprint, much of it internet-facing and not always patched promptly, makes Linux hosts attractive targets for attacks such as:

  • Malware, including ransomware, rootkits and backdoors, that gives attackers complete control of the infected system and persistent access: to exfiltrate data, to install additional malicious payloads, or simply to return at any time.
  • Distributed denial of service (DDoS) attacks that try to overwhelm Linux servers with traffic, leading to operational downtime and disruption.
  • The exploitation of unpatched bugs in Linux software or services that lets attackers gain unauthorised access and escalate their privileges.
  • The hijacking of server computing power to mine cryptocurrency (cryptojacking) without the owner's consent, leading to degraded performance and higher operating costs.

What should I look out for?

The signs that suggest your organisation could have a compromised Linux system include:

  • Unusual spikes in inbound traffic, which may indicate a DDoS attack, or unexpected outbound connections to unfamiliar IP addresses, which may indicate command-and-control traffic or data exfiltration from a host that is already compromised.
  • Sudden changes in account behaviour, such as bursts of failed login attempts (especially a burst followed by a success) or logins at unusual times, as these can indicate brute-force access.
  • A slowdown in system performance as the malware consumes computing power.
  • Unexpected changes to configuration or other critical system files; a file-integrity baseline is what makes these visible.
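The brute-force indicators above (bursts of failed logins, a success that follows them, logins at odd hours) can be checked directly against sshd's own log. The Python below is an added example written for this page, not Barracuda's or OpenSSH's code: it parses a constructed /var/log/auth.log excerpt and emits alerts. The thresholds (5 failures within 60 seconds), the 07:00 to 19:00 business-hours window and the log year are assumptions for the example.

```python
"""Flag SSH brute-force activity in sshd auth.log lines.

Added example, not Barracuda's code. Thresholds, business hours and the
log year are assumptions marked below; the log lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed /var/log/auth.log excerpt (not real data); addresses come from
# the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jul 21 02:14:01 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.45 port 50122 ssh2
Jul 21 02:14:03 web01 sshd[2212]: Failed password for invalid user oracle from 203.0.113.45 port 50124 ssh2
Jul 21 02:14:05 web01 sshd[2214]: Failed password for root from 203.0.113.45 port 50126 ssh2
Jul 21 02:14:08 web01 sshd[2216]: Failed password for deploy from 203.0.113.45 port 50128 ssh2
Jul 21 02:14:11 web01 sshd[2218]: Failed password for deploy from 203.0.113.45 port 50130 ssh2
Jul 21 02:14:40 web01 sshd[2290]: Accepted password for deploy from 203.0.113.45 port 50190 ssh2
Jul 21 09:02:11 web01 sshd[3011]: Accepted publickey for deploy from 198.51.100.7 port 41022 ssh2
Jul 21 09:30:45 web01 sshd[3050]: Failed password for alice from 198.51.100.7 port 41100 ssh2
Jul 21 09:30:52 web01 sshd[3052]: Accepted password for alice from 198.51.100.7 port 41102 ssh2
Jul 21 09:31:00 web01 CRON[3060]: pam_unix(cron:session): session opened for user root
"""

# Matches the "Failed <method> for [invalid user] <user> from <ip>" and
# "Accepted <method> for <user> from <ip>" lines sshd writes; anything else is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Tunable values (assumed for this example, not taken from the article).
FAIL_THRESHOLD = 5             # this many failures from one IP ...
WINDOW_SECONDS = 60            # ... within this window => brute force
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 local; successes outside are flagged
LOG_YEAR = 2025                # syslog timestamps carry no year; assumed here


def parse_line(line):
    """Return a dict for sshd Failed/Accepted lines, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return ev


def analyse(log_text):
    """Walk the log once and return (severity, kind, ip, user) alerts in order."""
    alerts = []
    recent_failures = defaultdict(deque)  # ip -> timestamps of failures still in window
    brute_forcers = set()                 # ips that crossed FAIL_THRESHOLD
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip, t = ev["ip"], ev["time"]
        q = recent_failures[ip]
        while q and (t - q[0]).total_seconds() > WINDOW_SECONDS:  # slide the window
            q.popleft()
        if ev["result"] == "Failed":
            q.append(t)
            if len(q) == FAIL_THRESHOLD:  # fire once per crossing, not per extra failure
                brute_forcers.add(ip)
                alerts.append(("medium", "brute_force", ip, ev["user"]))
            continue
        # Accepted: a success from an IP still inside its failure window is the
        # case that matters most, because the guessing probably worked.
        if ip in brute_forcers and q:
            alerts.append(("high", "success_after_brute_force", ip, ev["user"]))
        if t.hour not in BUSINESS_HOURS:
            alerts.append(("low", "off_hours_login", ip, ev["user"]))
    return alerts


if __name__ == "__main__":
    for severity, kind, ip, user in analyse(SAMPLE_LOG):
        print(f"{severity:6} {kind:28} {ip:15} {user}")
```

On the sample, the 203.0.113.45 session produces a medium brute-force alert at the fifth failure, then a high-severity alert when the same address logs in as deploy half a minute later, plus a low-severity off-hours note; alice's single typo followed by a success in office hours produces nothing. In production the same logic runs over journald or a SIEM export rather than a string, and the window and threshold are tuned to the host's normal failure rate.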

Action to take

  • Keep systems, including operating systems, and software updated with the latest security patches.
  • Implement firewalls to restrict access to critical services and monitor incoming and outgoing traffic for suspicious activity.
  • Enforce strong password and authentication policies and, for SSH (the cryptographic protocol used for secure remote login), prefer key-based authentication and disable password logins so brute-force attempts have nothing to guess.
  • Implement a robust backup and recovery plan to limit the operational impact and quickly restore services following an incident.
  • Deploy an extended detection and response (XDR) solution, ideally covering endpoints, servers and networks, whose intrusion detection (IDS) monitors activity and alerts administrators to potential threats in real time.
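The SSH advice above comes down to a handful of sshd_config directives, and the usual trap is that sshd honours the first occurrence of a directive, so a `PasswordAuthentication no` appended to a file that already says `yes` changes nothing. The Python below is an added example, not from the article or the OpenSSH project: it applies that first-match rule, skips Match blocks, fills in sshd's documented defaults for directives that are absent, and audits a constructed weak config next to its hardened form. The wanted values and the MaxAuthTries cap of 3 are this example's hardening choices.

```python
"""Audit an sshd_config text for settings that make brute-force easier.

Added example, not Barracuda's code. The defaults below are those documented
in sshd_config(5); the wanted values are this example's hardening choices.
"""
import re

# directive (lower-case) -> (acceptable values, value sshd assumes when absent)
POLICY = {
    "passwordauthentication":       ({"no"},                      "yes"),
    "pubkeyauthentication":         ({"yes"},                     "yes"),
    "permitrootlogin":              ({"no", "prohibit-password"}, "prohibit-password"),
    "kbdinteractiveauthentication": ({"no"},                      "yes"),
    "permitemptypasswords":         ({"no"},                      "no"),
}
MAX_AUTH_TRIES = 3  # assumed cap for this example; sshd's default is 6


def effective_settings(config_text):
    """Return {directive: value} the way sshd resolves it: comments dropped,
    the FIRST occurrence of a directive wins, and everything after a Match
    line is ignored because it applies only to the matched users/hosts."""
    settings = {}
    in_match = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(\w+)[\s=]+(.*)$", line)  # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        settings.setdefault(key, value)  # first-match semantics
    return settings


def audit(config_text):
    """Return a list of human-readable findings; an empty list means compliant."""
    s = effective_settings(config_text)
    findings = []
    for key, (wanted, default) in POLICY.items():
        actual = s.get(key, default).lower()
        if actual not in wanted:
            origin = "set" if key in s else "defaulted"
            findings.append(f"{key} is {actual} ({origin}); want one of {sorted(wanted)}")
    tries = int(s.get("maxauthtries", "6"))
    if tries > MAX_AUTH_TRIES:
        findings.append(f"maxauthtries is {tries}; want <= {MAX_AUTH_TRIES}")
    return findings


# Constructed configs: the weak one beside its hardened form.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# PubkeyAuthentication is left at its default (yes), which is fine
MaxAuthTries 10
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
# The duplicate below is inert: sshd keeps the first value it saw ("no").
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or 'no findings'}")
```

The weak file yields four findings, two of them for directives the file never mentions (KbdInteractiveAuthentication defaults to yes, which still allows password-style prompts, and the raised MaxAuthTries). The hardened file passes even though a stray `PasswordAuthentication yes` sits at the bottom, which is exactly why an audit should model first-match rather than grep for the last occurrence. To confirm what a running daemon actually resolved, `sshd -T` prints the effective configuration.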

A 13% rise in suspicious logins for AWS consoles

What’s behind this?

SOC analysts and XDR Cloud Security have detected an increase in unauthorised and potentially malicious attempts to access the Amazon Web Services (AWS) Management Console.

What is the risk?

Although the increase in detections is relatively small, AWS users should understand how console accounts are attacked and what a successful breach leads to:

  • Brute-force attacks and credential theft (including console credentials harvested by infostealers) that give attackers unauthorised access to AWS accounts, leading to potential data breaches or service disruption.
  • Phishing attacks that use social engineering to trick users into sharing their AWS credentials so the attackers can then log in as legitimate users.
  • Account takeover once access has been achieved. This can be highly damaging, enabling attackers to manipulate resources, steal sensitive data or launch further attacks from the compromised account.

What should I look out for?

The signs that suggest your organisation could be a target of an AWS login attack include:

  • Logins or attempted logins from locations or IP addresses that are unusual for that account; this is a clear red flag for an unauthorised access attempt.
  • A high number of failed login attempts, as this may indicate a brute-force attack.
  • Other account anomalies, such as sudden changes in resource use or configuration changes nobody owns up to, can also mean an account has been compromised. All of these surface in CloudTrail (console sign-ins as ConsoleLogin events), so make sure it is enabled for every region and actually reviewed.
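All three indicators above are visible in CloudTrail's ConsoleLogin events, which record the source IP, whether the attempt succeeded and whether MFA was used. The Python below is an added example, not Barracuda's or AWS's code: it reads a constructed batch of records in the `{"Records": [...]}` shape CloudTrail delivers to S3, keeps the ConsoleLogin events, and flags failure bursts per IP, successes from addresses outside a per-user baseline, successes without MFA, and a success that follows a failure burst. The baseline addresses, the failure threshold of 3 and the sample events are constructed for the example.

```python
"""Triage AWS CloudTrail ConsoleLogin events for suspicious console access.

Added example, not Barracuda's or AWS's code. Field names follow CloudTrail's
ConsoleLogin event format; the baseline, threshold and events are constructed.
"""
import json
from collections import Counter

# Assumed baseline of known-good source addresses per IAM user (for instance
# office egress or VPN ranges). Anything else is "unusual for that account".
KNOWN_IPS = {
    "alice": {"198.51.100.7"},
    "bob": {"198.51.100.7", "198.51.100.8"},
}
FAILURE_THRESHOLD = 3  # failed console logins from one IP before calling it brute force


def parse_events(cloudtrail_json):
    """Load a CloudTrail log file body and keep only console sign-in events."""
    records = json.loads(cloudtrail_json)["Records"]
    return [r for r in records if r.get("eventName") == "ConsoleLogin"]


def triage(events):
    """Return (kind, user, ip) findings in the order the events were seen."""
    findings = []
    failures_by_ip = Counter()
    for ev in events:
        ident = ev.get("userIdentity", {})
        user = ident.get("userName", ident.get("type", "unknown"))
        ip = ev["sourceIPAddress"]
        outcome = ev.get("responseElements", {}).get("ConsoleLogin")
        if outcome == "Failure":
            failures_by_ip[ip] += 1
            if failures_by_ip[ip] == FAILURE_THRESHOLD:  # fire once per IP
                findings.append(("brute_force", user, ip))
            continue
        if outcome != "Success":
            continue
        if ip not in KNOWN_IPS.get(user, set()):  # no baseline => always unusual
            findings.append(("unusual_source", user, ip))
        if ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            findings.append(("no_mfa", user, ip))
        if failures_by_ip[ip] >= FAILURE_THRESHOLD:  # the guessing paid off
            findings.append(("success_after_failures", user, ip))
    return findings


def _login(user, ip, outcome, mfa, when):
    """Build a constructed ConsoleLogin record with the fields CloudTrail emits."""
    rec = {
        "eventName": "ConsoleLogin", "eventTime": when, "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "userName": user},
        "responseElements": {"ConsoleLogin": outcome},
        "additionalEventData": {"MFAUsed": mfa, "LoginTo": "https://console.aws.amazon.com/"},
    }
    if outcome == "Failure":
        rec["errorMessage"] = "Failed authentication"
    return rec


# Constructed sample batch (not real data); 203.0.113.x is a documentation range.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    _login("alice", "198.51.100.7", "Success", "Yes", "2025-07-21T07:58:02Z"),
    _login("bob", "203.0.113.9", "Failure", "No", "2025-07-21T22:10:01Z"),
    _login("bob", "203.0.113.9", "Failure", "No", "2025-07-21T22:10:09Z"),
    _login("bob", "203.0.113.9", "Failure", "No", "2025-07-21T22:10:17Z"),
    _login("bob", "203.0.113.9", "Success", "No", "2025-07-21T22:10:31Z"),
    {"eventName": "AssumeRole", "eventTime": "2025-07-21T22:11:00Z",
     "sourceIPAddress": "203.0.113.9", "userIdentity": {"type": "AssumedRole"}},
    _login("alice", "203.0.113.77", "Success", "Yes", "2025-07-22T03:40:12Z"),
]})

if __name__ == "__main__":
    for kind, user, ip in triage(parse_events(SAMPLE_CLOUDTRAIL)):
        print(f"{kind:24} {user:8} {ip}")
```

On the sample, bob's three failures from 203.0.113.9 produce a brute-force finding and his subsequent success from the same address produces three more (unusual source, no MFA, success after failures), which together describe a password-only account that was guessed; alice's login from an unknown address with MFA is a single unusual-source finding worth a quick confirmation with her. The AssumeRole record is dropped by `parse_events`, and a user with no baseline entry is treated as unusual on every success rather than silently trusted.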

Action to take

  • Enforce the use of strong passwords and multifactor authentication (MFA), including on the root account, to make it harder for attackers to breach accounts even if credentials are compromised.
  • Implement security awareness training for employees on the latest phishing tactics and safe browsing.
  • Continuously check for and correct misconfigurations in cloud service settings.
  • Apply least-privilege IAM permissions and network segmentation so that a compromised account or host cannot reach sensitive resources beyond what its role requires.
  • Deploy an XDR cloud security solution that will check regularly for unusual login activity and flag any suspicious events.