Frequently Asked Questions

Product Information & Cyberattack Insights

What is Cymulate and how does it help organizations defend against cyberattacks?

Cymulate is a cybersecurity platform that empowers organizations to continuously assess and validate their security posture. By simulating real-world threats and providing actionable insights, Cymulate helps organizations identify vulnerabilities, optimize defenses, and stay ahead of emerging cyber threats. Learn more.

How can Cymulate help test defenses against the latest malware and cyberattacks?

Cymulate's Immediate Threats assessment allows organizations to test and verify their exposure to the latest malware attacks. The platform provides indicators of compromise (IOCs) and actionable mitigation suggestions if vulnerabilities are found. Learn more about IOCs on the Cymulate Platform.

What types of cyberattacks were prominent in February 2022?

February 2022 saw major cyberattacks including the Nvidia breach by Lapsus$, state-sponsored attacks from China, Russia (Shuckworm), Iran (APT35, MuddyWater), and North Korea (Lazarus Group), as well as ransomware attacks on critical infrastructure in Poland and Western Europe by groups like ALPHV/BlackCat.

How did the Lapsus$ group impact Nvidia in February 2022?

The Lapsus$ ransomware gang infiltrated Nvidia's network, causing outages in email systems and developer tools for two days. They stole one terabyte of data, including source code and information related to Nvidia RTX GPUs.

What techniques did state-sponsored threat actors use in February 2022 cyberattacks?

State-sponsored threat actors used advanced techniques such as stealthy backdoors, spear-phishing, lateral movement, PowerShell and Visual Basic scripting, living-off-the-land binaries (LoLBins), and multi-stage malware to infiltrate and persist within target networks.

How did the ALPHV/BlackCat ransomware group disrupt critical infrastructure in Europe?

The ALPHV/BlackCat ransomware group attacked the German petrol distributor Oiltanking and major oil terminals in Antwerp and Rotterdam, disrupting oil supply chains in Western Europe.

What is lateral movement in cyberattacks and how is it used?

Lateral movement refers to the techniques attackers use to move through a network after initial compromise, often to escalate privileges or access sensitive data. Groups like Shuckworm and Lazarus used lateral movement in their campaigns. Learn more in Cymulate's glossary.

How does Cymulate Exposure Validation help with advanced security testing?

Cymulate Exposure Validation makes advanced security testing fast and easy by providing a unified platform for building custom attack chains and simulating real-world threats. This helps organizations identify and remediate vulnerabilities efficiently. Learn more.

What are the motives behind state-sponsored cyberattacks?

State-sponsored cyberattacks are typically motivated by espionage, intellectual property theft, or disrupting operations of targeted organizations or countries.

How can organizations stay informed about the latest cyber threats and research?

Organizations can stay updated by following Cymulate's blog for the latest threats and research, accessing the newsroom for media mentions, and joining events and webinars. Read the blog | Newsroom | Events & Webinars

Where can I find best practices for preventing data breaches?

Cymulate provides guidance on preventing data breaches through layered defenses, including MFA, endpoint protection, employee training, and continuous validation. Read the blog post.

How does Cymulate help organizations respond to ransomware attacks?

Cymulate enables organizations to simulate ransomware attacks, assess their defenses, and receive actionable recommendations for mitigation, helping to reduce the risk and impact of ransomware incidents.

What is the Cymulate Resource Hub and what can I find there?

The Cymulate Resource Hub is a central location for insights, thought leadership, and product information, including whitepapers, reports, blogs, and webinars. Visit the Resource Hub.

How does Cymulate support detection engineering and SIEM optimization?

Cymulate provides tools to build, tune, and test SIEM, EDR, and XDR solutions, improving mean time to detect and respond to threats. The platform offers AI-powered SIEM rule mapping and continuous validation. Learn more.

What is the role of Cymulate in exposure management and CTEM?

Cymulate enables organizations to integrate validation into exposure prioritization and mobilization, supporting Continuous Threat Exposure Management (CTEM) programs through collaboration across teams. Learn more.

How can I get a personalized demo of Cymulate?

You can book a personalized demo of Cymulate to see the platform in action and understand how it can address your organization's specific security needs. Book a Demo.

Where can I find Cymulate's glossary of cybersecurity terms?

Cymulate offers an expanding glossary of cybersecurity terms, acronyms, and jargon to help users stay informed. Visit the glossary.

How does Cymulate help organizations address lateral movement attacks?

Cymulate provides resources and simulations to help organizations detect and prevent lateral movement attacks. For example, the blog post 'Stopping Attackers in Their Tracks' discusses common lateral movement techniques and prevention strategies. Read the blog post.

What is the significance of Cymulate being named a Customers' Choice in Gartner Peer Insights?

Cymulate being named a Customers' Choice in the 2025 Gartner Peer Insights™ reflects high customer satisfaction and recognition for its effectiveness in exposure management and security validation. Read more.

Where can I find case studies about Cymulate's impact on organizations?

You can explore Cymulate's case studies to see how organizations across industries have improved their security posture and resilience. View case studies.

Features & Capabilities

What are the key features of Cymulate's platform?

Cymulate offers continuous threat validation, unified exposure management, attack path discovery, automated mitigation, AI-powered optimization, complete kill chain coverage, ease of use, and an extensive threat library with over 100,000 attack actions updated daily. Learn more.

Does Cymulate integrate with other security technologies?

Yes, Cymulate integrates with a wide range of security technologies, including Akamai Guardicore, AWS GuardDuty, BlackBerry Cylance OPTICS, Carbon Black EDR, Check Point CloudGuard, Cisco Secure Endpoint, CrowdStrike Falcon, Wiz, SentinelOne, and more. See the full list of integrations.

How easy is Cymulate to implement and use?

Cymulate is designed for quick and easy implementation, operating in agentless mode with no need for additional hardware or complex configurations. Customers can start running simulations almost immediately, and the platform is praised for its intuitive, user-friendly interface. Schedule a demo.

What feedback have customers given about Cymulate's ease of use?

Customers consistently praise Cymulate for its ease of use, intuitive dashboard, and accessible support. Testimonials highlight the platform's user-friendly design and the immediate value it provides in identifying security gaps. Read customer quotes.

What security and compliance certifications does Cymulate hold?

Cymulate holds several key certifications, including SOC2 Type II, ISO 27001:2013, ISO 27701, ISO 27017, and CSA STAR Level 1, demonstrating adherence to industry-leading security and compliance standards. Learn more.

How does Cymulate ensure data security and privacy?

Cymulate ensures data security through encryption in transit (TLS 1.2+) and at rest (AES-256), secure AWS-hosted data centers, a robust disaster recovery plan, and compliance with GDPR. The platform also features 2FA, RBAC, and IP address restrictions. More details.

What is Cymulate's approach to application and HR security?

Cymulate follows a strict Secure Development Lifecycle (SDLC), conducts continuous vulnerability scanning, annual third-party penetration tests, and provides ongoing security awareness training and phishing tests for employees.

How does Cymulate support GDPR compliance?

Cymulate incorporates data protection by design, has a dedicated privacy and security team including a Data Protection Officer (DPO) and Chief Information Security Officer (CISO), and complies with GDPR requirements. Learn more.

What is Cymulate's pricing model?

Cymulate operates on a subscription-based pricing model tailored to each organization's needs. Pricing depends on the chosen package, number of assets, and scenarios selected. For a detailed quote, schedule a demo.

How does Cymulate compare to other security validation platforms?

Cymulate stands out with its unified platform combining Breach and Attack Simulation (BAS), Continuous Automated Red Teaming (CART), and Exposure Analytics. It offers continuous validation, AI-powered optimization, and an extensive threat library, with proven results such as a 52% reduction in critical exposures and 81% reduction in cyber risk for customers. See comparisons.

What are the measurable benefits of using Cymulate?

Organizations using Cymulate have reported up to a 52% reduction in critical exposures, a 60% increase in team efficiency, and an 81% reduction in cyber risk within four months. The platform also enables faster threat validation and cost savings by consolidating tools. See case studies.

Who can benefit from using Cymulate?

Cymulate is designed for CISOs, security leaders, SecOps teams, red teams, and vulnerability management teams in organizations of all sizes and industries, including finance, healthcare, retail, media, transportation, and manufacturing. Learn more.

What pain points does Cymulate address for different security roles?

Cymulate addresses communication barriers and unclear risk prioritization for CISOs, resource constraints for SecOps teams, inadequate threat simulation for red teams, and operational inefficiencies for vulnerability management teams. Solutions are tailored for each role. See role-based solutions.

What are some real-world examples of Cymulate's impact?

Hertz Israel reduced cyber risk by 81% in four months, a sustainable energy company scaled penetration testing cost-effectively, and Nemours Children's Health improved detection in hybrid environments using Cymulate. Read more case studies.

What is Cymulate's mission and vision?

Cymulate's mission is to transform cybersecurity practices by enabling organizations to proactively validate defenses, identify vulnerabilities, and optimize their security posture. The vision is to foster a collaborative environment for lasting improvements in cybersecurity. About Us.

Where can I watch Cymulate's video on supply chain attacks?

You can watch the video 'npm Under Siege: Worms, Toolchains and the Next Evolution of Supply Chain Attacks' on YouTube.


Cymulate’s February 2022 Cyberattacks Wrap-up

By: Cymulate

Last Updated: December 9, 2025


In February, several large enterprises were hit by cyberattacks, including US chipmaker Nvidia Corp. The malicious network intrusion caused outages in Nvidia's email systems and developer tools for two days.  

The threat actor behind the attack was the South American hacker group Lapsus$, which also stole one terabyte of data from the compromised network, including source code and information related to Nvidia RTX GPUs. Lapsus$ is a ransomware gang recently linked to an attack on Portugal’s largest TV channel.

State-Sponsored Cyberattacks: China, Russia, Iran, and North Korea

China-Linked Threat Actors Target Government Networks

China-linked threat actors targeted government computers at multiple foreign agencies using a stealthy backdoor program to retain a presence on sensitive networks and exfiltrate data while remaining undetected.

Russia’s Shuckworm Escalates Cyber-Espionage in Ukraine

The Russia-sponsored Shuckworm group (aka Gamaredon and Armageddon) conducted cyber-espionage attacks against targets in Ukraine pre-invasion. Shuckworm specializes in cyber-espionage campaigns, mainly against entities in Ukraine. Shuckworm is known to use phishing emails to distribute Remote Manipulator System (RMS), UltraVNC, and customized malware Pterodo/Pteranodon to steal credentials and move laterally on compromised networks.  

Iran’s APT35 Deploys New PowerLess Backdoor in Attacks

Iran-sponsored APT35 (aka Phosphorus and Charming Kitten) was also active during February. APT35 attacked medical research organizations in the US and Israel in late 2020 and academic researchers from the US, France, and the Middle East in 2019. The threat actors have now added a new PowerShell backdoor to remain undetected. Dubbed PowerLess Backdoor, it runs its PowerShell code inside a .NET context rather than spawning the PowerShell process. The new toolset includes modular and multi-staged malware in addition to a range of open-source tools, including cryptography libraries. The threat actors also used an IP address as a C2 that was linked to the Memento ransomware.

MuddyWater Targets Turkish Government in Phishing Campaign

Another Iran-sponsored group, MuddyWater (aka Mercury and Static Kitten), is an APT group that frequently conducts campaigns against high-value targets in the US, EU, and Asia. In February, MuddyWater targeted Turkish government entities, including the Scientific & Technological Research Council of Turkey (Tubitak), with a spear-phishing attack.  

The motives behind the attacks are normally threefold: espionage, IP theft, or disrupting operations.

The attack followed a familiar pattern: 

  1. The users received a spoofed email with malicious PDFs and Microsoft Office documents (maldocs).  
  2. These PDF files showed an error message asking to click on the embedded link to get  
  3. Once the victims clicked on the embedded links, a decoy document was displayed to the victims while malicious Excel documents (XLS maldocs) and executables were executed from a remote location.
  4. A directory was created in the user's home folder for storing the PowerShell and Visual Basic scripts. 
  5. The malware then executed a series of scripts using PowerShell and Visual Basic scripting combined with living-off-the-land binaries (LoLBins). 
  6. The initial contact with hosting servers was obtained via HTTP. 
  7. After the initial infection, the scripts downloaded additional payloads. 
  8. A registry key was added for persistence. 
  9. DNS was used to contact the command and control (C2). 

North Korea’s Lazarus Group Mimics Lockheed Martin in Spear-Phishing Campaign

The North-Korean Lazarus Group also started using LoLBins in its campaigns. In February, it launched a spear-phishing campaign targeting the defense sector. Posing as the Lockheed Martin Corporation, the email enticed users with job openings.  

  1. The email contained two phishing documents (Lockheed_Martin_JobOpportunities.docx and Salary_Lockheed_Martin_job_opportunities_confidential.doc).
  2. Once clicked, the macro loaded WMVCORE.DLL, a legitimate Windows DLL for Windows Media.
  3. The macro checked for a document variable before entering its main functionality block to prevent it from being executed again.
  4. Next, the shellcode, which was embedded as a base64-encoded string array inside the macro, was decoded using CryptStringToBinaryW or UuidFromStringA.
  5. These functions decoded the embedded payload and wrote it to an executable heap.
  6. The decoded shellcode retrieved the address and memory permissions of the WMIsAvailableOffline function to overwrite.
  7. The KernelCallbackTable pointer was retrieved from the PEB structure of the current process via NtQueryInformationProcess to achieve a callback to the shellcode.
  8. The _fnDWORD pointer was patched to point to WMIsAvailableOffline.
  9. The shellcode was executed upon a graphical WinWord call.
  10. The macro established a document variable to prevent the execution of the shellcode during subsequent runs.
  11. The macro also retrieved and displayed a decoy document.
  12. The shellcode created a new staging folder C:\WMAuthorization, wrote a VBS file (WMVxEncd.vbs) to it, and created a corresponding scheduled task to run the VBS file every 20 minutes.
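Both chains above end in the same kind of host-level observables: a script host launched from an Office process or from a folder under the user's profile, a persistence entry (a Run key for MuddyWater, a 20-minute scheduled task running a VBS file for Lazarus), and a script host talking to the C2 over DNS. The detection logic below is an added example (not Cymulate's code and not taken from the original reports) that maps Sysmon-style events to these stages and alerts when a host accumulates more than one stage. The events, hostnames, paths, domain and timestamps are constructed for the example; the `C:\WMAuthorization` folder and `WMVxEncd.vbs` name come from the Lazarus write-up above.

```python
"""Stage-based detection for the MuddyWater- and Lazarus-style chains described
above. Events are constructed Sysmon-style records (added example, not real
telemetry): type "process" ~ Event ID 1, "file" ~ 11, "registry" ~ 13, "dns" ~ 22."""
import json
import re
from collections import defaultdict

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
RUN_KEYS = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
USER_HOME = re.compile(r"C:\\Users\\[^\\]+\\", re.IGNORECASE)
SCRIPT_EXT = re.compile(r"\.(ps1|vbs|js|hta)\b", re.IGNORECASE)
# schtasks /create ... /sc minute /mo <n>: a short repeat interval is the signal
MINUTE_TASK = re.compile(r"/sc\s+minute\s+/mo\s+(\d+)", re.IGNORECASE)

# Constructed sample log (JSON lines). WS-01 mimics the MuddyWater steps,
# WS-02 the Lazarus steps, WS-03 is benign administrative activity.
SAMPLE_LOG = r"""
{"ts": "2022-02-10T10:00:01Z", "host": "WS-01", "type": "process", "image": "C:\\Windows\\System32\\wscript.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\EXCEL.EXE", "cmdline": "wscript.exe C:\\Users\\alice\\ab47\\a.vbs"}
{"ts": "2022-02-10T10:00:05Z", "host": "WS-01", "type": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\System32\\wscript.exe", "cmdline": "powershell.exe -ep bypass -File C:\\Users\\alice\\ab47\\b.ps1"}
{"ts": "2022-02-10T10:00:09Z", "host": "WS-01", "type": "registry", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "value": "wscript.exe C:\\Users\\alice\\ab47\\a.vbs"}
{"ts": "2022-02-10T10:00:12Z", "host": "WS-01", "type": "dns", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "query": "c2-example.test"}
{"ts": "2022-02-10T10:05:00Z", "host": "WS-02", "type": "file", "image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "path": "C:\\WMAuthorization\\WMVxEncd.vbs"}
{"ts": "2022-02-10T10:05:02Z", "host": "WS-02", "type": "process", "image": "C:\\Windows\\System32\\schtasks.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "cmdline": "schtasks.exe /create /sc minute /mo 20 /tn WMAuthorization /tr \"wscript.exe C:\\WMAuthorization\\WMVxEncd.vbs\""}
{"ts": "2022-02-10T10:07:00Z", "host": "WS-03", "type": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "powershell.exe -File \"C:\\Program Files\\Vendor\\maint.ps1\""}
{"ts": "2022-02-10T10:07:03Z", "host": "WS-03", "type": "registry", "image": "C:\\Program Files\\Vendor\\setup.exe", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Agent", "value": "C:\\Program Files\\Vendor\\agent.exe"}
{"ts": "2022-02-10T10:07:10Z", "host": "WS-03", "type": "process", "image": "C:\\Windows\\System32\\schtasks.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "schtasks.exe /create /sc daily /tn Backup /tr \"powershell.exe -File C:\\Scripts\\backup.ps1\""}
{"ts": "2022-02-10T10:07:15Z", "host": "WS-03", "type": "dns", "image": "C:\\Program Files\\Google\\Chrome\\chrome.exe", "query": "www.example.com"}
"""


def load_events(text):
    """Parse JSON lines into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def stage_for(ev):
    """Map one event to a chain stage name, or None if it matches nothing."""
    kind = ev["type"]
    img = basename(ev.get("image", ""))
    if kind == "process":
        parent = basename(ev.get("parent_image", ""))
        cmd = ev.get("cmdline", "")
        if parent in OFFICE_APPS and img in SCRIPT_HOSTS:
            return "office_spawns_script_host"          # maldoc runs a script
        if img in SCRIPT_HOSTS and SCRIPT_EXT.search(cmd) and USER_HOME.search(cmd):
            return "script_from_user_home"              # MuddyWater steps 4-5
        if img == "schtasks.exe" and "/create" in cmd.lower():
            m = MINUTE_TASK.search(cmd)
            if m and int(m.group(1)) <= 30 and SCRIPT_EXT.search(cmd):
                return "frequent_task_runs_script"      # Lazarus step 12
    elif kind == "registry":
        if RUN_KEYS.search(ev["key"]) and SCRIPT_EXT.search(ev["value"]):
            return "run_key_points_to_script"           # MuddyWater step 8
    elif kind == "file":
        if img in OFFICE_APPS and SCRIPT_EXT.search(ev["path"]):
            return "office_writes_script"               # Lazarus step 12
    elif kind == "dns":
        if img in SCRIPT_HOSTS:
            return "script_host_dns"                    # MuddyWater step 9
    return None


def correlate(events, min_stages=2):
    """Group stage hits per host; hosts with >= min_stages distinct stages are alerts.
    Returns {host: [stages in order of first sighting]}."""
    hits = defaultdict(dict)  # host -> stage -> first timestamp
    for ev in events:
        stage = stage_for(ev)
        if stage and stage not in hits[ev["host"]]:
            hits[ev["host"]][stage] = ev["ts"]
    return {host: sorted(stages, key=stages.get)
            for host, stages in hits.items() if len(stages) >= min_stages}


if __name__ == "__main__":
    for host, stages in correlate(load_events(SAMPLE_LOG)).items():
        print(f"ALERT {host}: {' -> '.join(stages)}")
```

The single-event rules are deliberately loose (a script host resolving DNS or an Office process spawning `wscript.exe` will fire on some legitimate macros), which is why the alert is raised on the accumulation of stages per host rather than on any one rule; the benign host WS-03 trips none of them and is never reported.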

Critical Infrastructure Under Attack: Poland and Western Europe

Ransomware Attacks on Polish Power Utility and Government Systems

In addition to the cyberattacks against the websites of Ukraine’s defense ministry, army, and the interfaces of the country’s two largest banks, threat actors also attacked Polish targets. The website of the Polish national clearing system and servers dedicated to the government email network were attacked, as well as the IT networks of Poland's main power utility PGE SA. The Polish power utility was not the only critical infrastructure that suffered ransomware attacks in February.

ALPHV/BlackCat Ransomware Disrupts Oil Supply Chain

The German petrol distributor Oiltanking was also the victim of a ransomware attack conducted by a new ransomware group dubbed ALPHV/BlackCat. Major oil terminals in Antwerp and Rotterdam, two of Western Europe's biggest ports, were also attacked. 

How to Test Your Defenses Against Emerging Threats

To find out if your organization is protected against the latest malware attacks, run Cymulate’s Immediate Threats assessment. This allows you to test and verify by yourself if your organization is exposed to these attacks. It also offers suggestions for mitigations in case it turns out that your organization is indeed vulnerable. Also, IOCs are available at the Cymulate Platform! 

Cymulate Exposure Validation makes advanced security testing fast and easy. When it comes to building custom attack chains, it's all right in front of you in one place.
Mike Humbert, Cybersecurity Engineer
DARLING INGREDIENTS INC.