Kaspersky: Undetected Cyberattacks Lasted Up to Four Years in 2025 Compromise Assessments, Claude Code Captured Confidential Files

Published
Written by:
Lore Apostol
Lore Apostol
Cybersecurity Writer
Key Takeaways
  • Longest Dwell Time: A four-year-old NSABuffMiner cryptomining infection ran undetected on three domain controllers via the 2017 EternalBlue (MS17-010) exploit.
  • Detection Gap Confirmed: Research says 60% of security incidents were missed by tools in 2025, with only 20% caught manually.
  • AI Tool Flagged: The Claude Code command-line assistant captured filesystem snapshots containing confidential Excel files on a macOS workstation.

Kaspersky’s 2025 Compromise Assessment analysis covers real-world engagements across the META, APAC, and CIS regions, with government (29%), education (19%), and financial (17%) organizations most affected. Kaspersky confirms that 30.8% of cyberattack activity and 52% of high-severity compromises went undetected for more than 90 days. 

The oldest case involved NSABuffMiner, a crypto-mining malware family exploiting the 2017 EternalBlue (MS17-010) vulnerability, which ran undetected on three domain controllers for nearly four years before its discovery in May 2025.

Why Undetected Threats Escalate in Severity

Kaspersky found that 60% of incidents were missed entirely because existing security tools failed to generate high-confidence alerts, while only 20% were caught through manual analyst review. 

Incident severity breakdown | Source: Kaspersky
Incident severity breakdown | Source: Kaspersky

Organizations without continuous monitoring saw medium- or high-severity incidents in 86% of cases; those without threat hunting saw 84%. 

Insufficient detection fidelity is a significant contributing factor to high-severity incidents | Source: Kaspersky
Insufficient detection fidelity is a significant contributing factor to high-severity incidents | Source: Kaspersky

The implied correlation would be that limited visibility appears to increase the proportion of incidents that evolve into high-severity compromises.

Claude Code AI Coding Assistant Silently Snapshotting Confidential Files

Separately, one engagement uncovered a macOS workstation running the Claude Code (Anthropic) command-line assistant as a VS Code extension, which had automatically captured filesystem snapshots containing full paths to confidential internal Excel workbooks.

Claude Code captured confidential Excel files | Source: Kaspersky
Claude Code captured confidential Excel files | Source: Kaspersky

How to Close the Detection Gap

Kaspersky recommends organizations run a detection engine health check within 30 days of any assessment, establish a Tier 1 team to validate low-confidence alerts, and maintain 24/7 monitoring paired with threat hunting. 

It also urges updated vulnerability management, security awareness training addressing personal-device credential leaks, and clear policies governing generative AI tools that may expose confidential data.

A recent Pentera Labs analysis revealed that Claude Desktop could be hijacked to enable remote code execution. An Ask the Experts interview published last month explained how Microsoft Copilot Studio Creator permissions can expand the blast radius of prompt injection attacks. In late May, 3,800 internal GitHub repositories were lost due to a malicious Nx Console VS Code extension.


For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: