Kaspersky: Undetected Cyberattacks Lasted Up to Four Years in 2025 Compromise Assessments, Claude Code Captured Confidential Files
- Longest Dwell Time: A four-year-old NSABuffMiner cryptomining infection ran undetected on three domain controllers via the 2017 EternalBlue (MS17-010) exploit.
- Detection Gap Confirmed: Research says 60% of security incidents were missed by tools in 2025, with only 20% caught manually.
- AI Tool Flagged: The Claude Code command-line assistant captured filesystem snapshots containing confidential Excel files on a macOS workstation.
Kaspersky’s 2025 Compromise Assessment analysis covers real-world engagements across the META, APAC, and CIS regions, with government (29%), education (19%), and financial (17%) organizations most affected. Kaspersky confirms that 30.8% of cyberattack activity and 52% of high-severity compromises went undetected for more than 90 days.
The oldest case involved NSABuffMiner, a crypto-mining malware family exploiting the 2017 EternalBlue (MS17-010) vulnerability, which ran undetected on three domain controllers for nearly four years before its discovery in May 2025.
Why Undetected Threats Escalate in Severity
Kaspersky found that 60% of incidents were missed entirely because existing security tools failed to generate high-confidence alerts, while only 20% were caught through manual analyst review.
Organizations without continuous monitoring saw medium- or high-severity incidents in 86% of cases; those without threat hunting saw 84%.
The implied correlation would be that limited visibility appears to increase the proportion of incidents that evolve into high-severity compromises.
Claude Code AI Coding Assistant Silently Snapshotting Confidential Files
Separately, one engagement uncovered a macOS workstation running the Claude Code (Anthropic) command-line assistant as a VS Code extension, which had automatically captured filesystem snapshots containing full paths to confidential internal Excel workbooks.
How to Close the Detection Gap
Kaspersky recommends organizations run a detection engine health check within 30 days of any assessment, establish a Tier 1 team to validate low-confidence alerts, and maintain 24/7 monitoring paired with threat hunting.
It also urges updated vulnerability management, security awareness training addressing personal-device credential leaks, and clear policies governing generative AI tools that may expose confidential data.
A recent Pentera Labs analysis revealed that Claude Desktop could be hijacked to enable remote code execution. An Ask the Experts interview published last month explained how Microsoft Copilot Studio Creator permissions can expand the blast radius of prompt injection attacks. In late May, 3,800 internal GitHub repositories were lost due to a malicious Nx Console VS Code extension.









