VerSprite Weekly Threat Intelligence #40

Date Range: 10 November 2025 – 14 November 2025

Issue: 40th Edition

Reported Period Victimology

Security Triumphs of the Week

This week delivered major wins in the global battle against cybercrime. The U.S. launched its Scam Center Strike Force to dismantle Southeast Asian crypto-romance fraud rings stealing billions from Americans. Regulators secured a $5.1M settlement over a breach affecting 3 million students, enforcing tougher security rules. Operation Endgame struck again, seizing 1,000+ servers tied to VenomRAT, Rhadamanthys, and other major malware networks. UK police achieved the world’s largest crypto recovery, seizing £5B in Bitcoin from a vast laundering scheme. Prosecutors also took down a key Yanluowang ransomware access broker behind multimillion-dollar attacks. And Google filed suit to shut down the Lighthouse PhaaS network powering global smishing campaigns.


US Strike Force Takes Aim at Southeast Asian Scam Centers
The U.S. launched the Scam Center Strike Force to combat transnational criminal networks in Southeast Asia (Cambodia, Laos, Burma) operating crypto investment and romance scams, which cost Americans $10 billion in 2024. Led by U.S. Attorney Jeanine Pirro, the initiative aligns with efforts to secure crypto investments and dismantle scam infrastructure, including illegal platforms, shell companies, and forced-labor compounds. Pirro emphasized targeting Chinese organized crime groups siphoning wealth from U.S. victims. The task force involves collaboration between the FBI, Secret Service, Treasury, and State Department. Experts urged expanded partnerships with banks, telcos, and digital platforms to enhance fraud prevention. A 2025 global report noted 57% of adults faced scams, underscoring widespread vulnerability.
Read full article: Bankinfosec

States Fine Firm $5.1M in Hack Affecting 3 Million Students
Illuminate Education was fined $5.1 million by California, New York, and Connecticut for a 2021 data breach exposing 3 million students’ sensitive information, including medical and special education records. The breach stemmed from security failures, such as outdated access keys, unencrypted data, and inadequate monitoring. Attackers exploited an ex-employee’s credentials to access AWS databases, exfiltrating student data over 11 days. Settlements mandate improved safeguards, including a CISO, zero trust architecture, encryption, and third-party audits. Illuminate, acquired by Renaissance Learning in 2023, faced dismissed class-action lawsuits but now integrates stricter security protocols. States emphasized the firm’s breach of trust in handling student data.
Read full article: Bankinfosec

Operation Endgame Disrupts More Malware
A multinational law enforcement operation, Operation Endgame, disrupted major malware infrastructures, seizing over 1,000 servers linked to Rhadamanthys info stealer, VenomRAT, and Elysium botnet. Authorities arrested a VenomRAT operator in Greece, who allegedly controlled millions in stolen crypto assets. The operation, spanning Europe, the U.S., Australia, and the UK, targeted cybercrime-as-a-service models to disrupt financial flows to hackers. VenomRAT, derived from QuasarRAT, saw increased activity in 2024, while Rhadamanthys stole credentials via fake software. This follows prior Endgame actions against IcedID, Trickbot, and other malware, including indictments against Russia-linked DanaBot operators. The initiative aims to dismantle global cybercrime networks.
Read full article: Bankinfosec

Chinese National Sentenced for Laundering Over £5 Billion from 128,000 Victims
A Chinese national, Zhimin Qian, was sentenced to 11 years and eight months for laundering over £5 billion from 128,000 fraud victims in China between 2014 and 2017. Her associate, Seng Hok Ling, received nearly five years. The Metropolitan Police seized 61,000 Bitcoin (£5 billion) in the world’s largest cryptocurrency recovery after tracing Qian’s attempts to convert illicit funds into assets in the UK. The seven-year investigation, involving international collaboration, exposed how organized crime exploits crypto for money laundering. Authorities emphasized that crypto transactions leave traceable digital trails, enabling law enforcement to disrupt such schemes. Asset recovery proceedings continue to secure £4.8 billion in criminal assets. The case highlights growing risks of crypto-enabled fraud and the importance of vigilance against high-return investment scams.
Read full article: Gbhackers

Russian broker pleads guilty to profiting from Yanluowang ransomware attacks
Aleksei Volkov, a Russian national, pleaded guilty to charges including fraud and money laundering for providing initial network access to the Yanluowang ransomware group. As an access broker, he sold credentials for up to $1,000 and received a percentage of ransom payments, such as 20% ($94,259) from a $500,000 payment by a Philadelphia firm and 16% ($162,220) from a $1 million ransom paid by a Michigan company. Volkov was ordered to pay $9.1 million in restitution to six U.S. victims, with the Michigan firm owed over $7.2 million. His collaboration with a co-conspirator involved negotiating payment splits and requesting advances, including $12,000 for holiday expenses. Evidence also linked him to discussions with LockBit affiliates, suggesting broader criminal involvement. Sentencing details remain pending.
Read full article: Theregister

Rhadamanthys Stealer Servers Reportedly Seized; Admin Urges Immediate Reinstallation
A coordinated law enforcement operation, likely led by German and EU authorities, disrupted the Rhadamanthys stealer infrastructure by seizing its command-and-control servers. The compromise forced administrators to urgently instruct users to halt operations, delete logs, and reinstall servers to mitigate exposure. Attackers lost access after law enforcement altered authentication to certificate-only, blocking standard logins. Critical Tor domains and associated forums became inaccessible, pushing users to rely on mirrors. Rhadamanthys, a prolific malware-as-a-service operation, faced unprecedented operational paralysis, impacting global cybercrime activities. The takedown highlights increased effectiveness of international efforts to dismantle cybercriminal infrastructure, with authorities reportedly accessing operator panels and customer data. Ongoing investigations suggest a multi-jurisdictional strategy to target the stealer’s core systems.
Read full article: Gbhackers

Google Sues “Lighthouse” Over Massive Phishing Attacks
Google has filed a lawsuit to dismantle the “Lighthouse” phishing-as-a-service (PhaaS) operation, which enables large-scale SMS phishing (“smishing”) campaigns impersonating brands like USPS and E-ZPass. Lighthouse’s toolkit, linked to over 1 million victims across 120+ countries, uses fraudulent Google login pages and has contributed to millions of stolen credit cards in the U.S. Google’s legal action invokes RICO, the Lanham Act, and the Computer Fraud and Abuse Act to disrupt the operation. The company also supports bipartisan bills in Congress, including the GUARD Act and SCAM Act, to strengthen anti-scam policies. Concurrently, Google is deploying AI-driven scam detection in Messages and expanding user safety tools. The effort underscores a multi-pronged approach combining legal, legislative, and technological measures to combat cybercrime.
Read full article: Gbhackers


Security Setbacks of the Week

This week’s security setbacks underscore systemic vulnerabilities across sectors, with U.S. agencies failing to patch critical Cisco flaws exploited by Chinese actors in the “Arcane Door” campaign, while Akira ransomware extorted millions globally via VPN exploits. Healthcare, media, and automotive industries faced severe breaches, including Synnovis’ Qilin ransomware attack disrupting patient care and Hyundai’s exposure of 2.7 million customer records. Oracle E-Business Suite zero-days compromised GlobalLogic and The Washington Post, highlighting third-party risks. Social engineering hit DoorDash, and Meta’s ad fraud practices revealed revenue-driven negligence. Persistent gaps in patch management, legacy system decommissioning, and delayed breach detection emphasize urgent needs for proactive defense and regulatory accountability.


Washington Post Oracle E-Suite Breach Exposes Data of Over 9,000 Staff and Contractors
The Washington Post suffered a data breach impacting over 9,700 employees and contractors after attackers compromised its Oracle E-Suite systems on July 10, 2025. The intrusion remained undetected for 3.5 months until October 27, exposing names, personal identifiers, and other sensitive data. Affected individuals, including 31 Maine residents, were notified on November 12 and offered 12 months of identity protection services. The breach highlights vulnerabilities in enterprise systems and delayed detection, raising concerns about security monitoring. Media organizations remain high-value targets for data theft, emphasizing the need for robust threat detection and response. The incident underscores risks tied to remote work and third-party platform security.
Read full article: Gbhackers

Feds Fumble Cisco Patches as China-Linked Hackers Strike
U.S. federal agencies failed to properly patch critical Cisco vulnerabilities (CVE-2025-30333, CVE-2025-20362) exploited by China-linked hackers (Storm-1849) in the “Arcane Door” campaign targeting network devices. Despite CISA’s September emergency directive mandating updates, agencies mistakenly believed they had applied fixes, leaving systems exposed to remote code execution and network breaches. A prolonged government shutdown delayed response efforts, complicating coordination. CISA issued new guidance to address ongoing risks, urging temporary mitigations for unpatched devices. Palo Alto Networks’ Unit 42 attributed the attacks to Chinese actors, highlighting persistent threats to federal networks.
Read full article: Bankinfosec

Checkout.com Suffers Data Breach as ShinyHunters Attack Cloud Storage
Checkout.com experienced a data breach via the ShinyHunters group, which exploited an improperly decommissioned legacy cloud storage system from 2020. The breach exposed internal records and merchant onboarding data, potentially affecting 25% of current merchants, but no live payment systems, card details, or funds were compromised. Checkout.com refused the ransom, opting to donate the equivalent sum to cybersecurity research at Carnegie Mellon and Oxford. The company acknowledged responsibility for the oversight, is notifying impacted parties, and cooperating with authorities. This incident underscores the risks of outdated infrastructure and the importance of robust security practices. Checkout.com emphasized transparency and resilience against cyber extortion.
Read full article: Gbhackers

DoorDash hit by new data breach in October exposing user information
DoorDash experienced a data breach in October 2025, exposing user information such as names, addresses, phone numbers, and email addresses. The breach stemmed from a social engineering attack targeting an employee, prompting DoorDash to shut down unauthorized access, launch an investigation, and notify law enforcement. While the exact number of affected users remains unclear, the incident impacted consumers, delivery personnel (“Dashers”), and merchants. This marks DoorDash’s third major breach, following incidents in 2019 and 2022. Users criticized the company for delaying notifications by 19 days and downplaying risks despite leaked personal data. Canadian users may pursue legal action, alleging violations of data breach laws. DoorDash advises vigilance against phishing and has enhanced security measures.
Read full article: Bleepingcomputer

Synnovis Notifying UK Providers of Data Theft in 2024 Attack
Synnovis, a UK pathology lab, is notifying healthcare providers of a data breach stemming from a June 2024 ransomware attack by the Qilin group. The attack disrupted critical services, causing canceled medical appointments, blood shortages, and a patient death linked to delayed test results. Stolen data, fragmented and unstructured, included limited patient identifiers and test results requiring clinical interpretation. Synnovis completed a year-long forensic analysis, shifting responsibility to providers for patient notifications under UK law. The firm rebuilt its IT infrastructure without paying the ransom, emphasizing ethical refusal to fund cybercrime. The incident underscores severe operational and safety risks from healthcare-targeted ransomware.
Read full article: Bankinfosec

CISA Warns: Akira Ransomware Has Extracted $42M After Targeting Hundreds
CISA and international partners warn that the Akira ransomware group has extorted $42 million from global organizations, accumulating $244 million since March 2023. Targeting SMEs and critical sectors like healthcare, education, and manufacturing, the group exploits VPN vulnerabilities (e.g., Cisco flaws) and uses phishing, credential theft, and tools like Mimikatz for lateral movement. Akira employs evolving tactics, including Linux/Rust-based encryptors, Nutanix VM attacks, and double extortion via data leaks. Federal agencies urge patching known vulnerabilities, enforcing MFA, securing backups, and monitoring networks. Victims are advised not to pay ransoms and report incidents immediately.
Read full article: Gbhackers

GlobalLogic says data on 10,000 workers exposed in Oracle-linked data breach
GlobalLogic, a digital engineering firm, experienced a data breach exposing sensitive information of 10,471 current and former employees due to a zero-day vulnerability in Oracle’s E-Business Suite. The breach occurred between July and August 2025, with stolen data including IDs, financial details, passport information, Social Security Numbers, and bank account data. GlobalLogic confirmed the breach after Oracle’s October 4 vulnerability report, noting attackers infiltrated their network but did not compromise non-Oracle systems. The company is among over 100 organizations affected by this Oracle flaw, including The Washington Post and Harvard University. The stolen data poses risks for dark web sales and targeted social engineering attacks.
Read full article: Techradar

Hyundai IT services breach could put 2.7 million Hyundai, Kia owners in the US at risk
Hyundai AutoEver America (HAEA), Hyundai’s North American IT subsidiary, suffered a cyberattack between February 22 and March 2, 2025, exposing sensitive customer data including names, Social Security Numbers, and driver’s licenses. Up to 2.7 million U.S. Hyundai and Kia owners may be affected, heightening risks of targeted phishing attacks using stolen information. HAEA secured its systems, engaged forensic experts, notified law enforcement, and offers two years of free identity protection via Epiq. This follows a 2024 ransomware attack on Hyundai’s European division by the Black Basta group. The breach underscores ongoing cybersecurity challenges for automotive firms handling customer data.
Read full article: Techradar

Meta reportedly makes 10% of its revenue from fraudulent ads and scams
A Reuters report alleges that Meta generates approximately 10% of its annual revenue ($16 billion) from fraudulent ads and scams, despite publicized crackdowns. Internal documents suggest Meta allows flagged advertisers to operate until fraud likelihood reaches 95%, charging higher ad rates as penalties. The company reportedly prioritizes revenue over preemptive action, acting only under regulatory threat. In 2023, Meta platforms were linked to 54% of UK payment-related scam losses, highlighting systemic risks. While Meta claims aggressive anti-fraud efforts, leaked records indicate a focus on assessing rather than fully addressing the issue, raising concerns about its commitment to user protection.
Read full article: Techradar


The New Emerging Threats

Emerging cyber threats in 2025 highlight a surge in professionalized, AI-augmented attacks across diverse sectors. Cybercriminal networks like COM and RaaS operations such as VanHelsing exploit social engineering, encrypted platforms, and hybrid encryption to bypass defenses, while state-sponsored actors (e.g., Ferocious Kitten, GTG-1002) leverage AI tools and politically themed lures for espionage. Supply-chain attacks target ICS via malicious packages and npm ecosystems, risking cascading infrastructure failures, while phishing-as-a-service tools like Quantum Route Redirect automate credential theft at scale. Ransomware groups increasingly exploit cloud vulnerabilities (e.g., Akira targeting Nutanix) and mobile services (North Korean GPS-triggered resets), demanding proactive defenses like Zero Trust, multi-layered email security, and rigorous patch management.


New VanHelsing Ransomware-as-a-Service Hits Windows, Linux, BSD, ARM, and ESXi
A new ransomware-as-a-service (RaaS) operation, VanHelsing, has emerged, targeting Windows, Linux, BSD, ARM, and VMware ESXi systems. Launched in March 2025, it uses a subscription model requiring a $5,000 deposit from affiliates, who receive 80% of ransom profits. The ransomware employs hybrid encryption (Curve25519 and ChaCha20), partial encryption for large files, and anti-forensic tactics like deleting Volume Shadow Copies. It spreads via SMB shares and vCenter, using lateral movement tools like embedded psexec. Within two weeks, three victims faced demands up to $500,000. Defenders are advised to prioritize offline backups, network segmentation, and monitor for suspicious SMB/WMI activity.
Read full article: Gbhackers

Attackers Use Quantum Route Redirect to Launch Instant Phishing on M365
KnowBe4 Threat Labs identified a new phishing-as-a-service tool, Quantum Route Redirect, enabling automated, large-scale credential theft targeting Microsoft 365 users. The platform evades detection by redirecting security scanners to legitimate sites while directing real users to phishing pages via QR codes or malicious links. It uses browser fingerprinting, VPN detection, and behavioral analysis to bypass email security layers like Microsoft Exchange Online Protection. Active since August, the campaign spans 90 countries, with 76% of victims in the U.S., highlighting its global reach. The tool’s automation lowers entry barriers for less skilled attackers, increasing phishing efficiency. Defenses require multi-layered email security, behavioral analytics, and continuous user training to counter evolving threats.
Read full article: Gbhackers

English-Speaking Cybercriminal Network ‘The COM’ Drives Global Cyberattacks
The COM, an English-speaking cybercriminal network, has evolved from early 2010s forums (e.g., RaidForums, OGUsers) into a decentralized, professionalized ecosystem driving global cyberattacks. Key groups like Lapsus$, ShinyHunters, and Scattered Spider employ social engineering as their primary attack vector, exploiting human vulnerabilities to breach organizations. They target SMS-based MFA via SIM-swapping and execute ransomware, data breaches, and financial fraud. Law enforcement disruptions fragmented forums but pushed operations to encrypted platforms (Telegram, Discord), enhancing resilience. Motivations now blend financial gain with notoriety-seeking behaviors, demanding integrated incident response strategies. Organizations must prioritize Zero Trust, phishing-resistant authentication, and employee training to counter this adaptive threat.
Read full article: Gbhackers

Ferocious Kitten APT Uses MarkiRAT for Keystroke and Clipboard Surveillance
Ferocious Kitten, an Iranian APT group active since 2015, targets Persian-speaking dissidents via spearphishing emails with malicious Office documents. These deploy MarkiRAT malware, enabling keystroke logging, clipboard monitoring, credential theft, and screenshot capture. The group uses politically themed decoys and evasion tactics like startup persistence, app directory hijacking, and RTLO filename spoofing. MarkiRAT bypasses defenses by closing password managers, masquerading as legitimate apps, and leveraging BITS for stealthy communication. Security teams are advised to simulate attacks using platforms like Picus to detect and mitigate such threats. The group’s adaptive tactics underscore persistent risks to Iranian activists and organizations.
Read full article: Gbhackers

APT Groups Target Construction Firms to Steal RDP, SSH, and Citrix Credentials
The construction industry faces heightened cyber threats in 2025, with state-sponsored APT groups, ransomware operators, and cybercriminals exploiting its digital transformation gaps. Attackers target vulnerable IoT devices, BIM systems, and cloud platforms to steal RDP, SSH, and Citrix credentials, often purchasing pre-compromised access from dark web markets. Social engineering tactics, including vendor/executive impersonation, exploit dispersed workforces and tight deadlines to manipulate payments or data access. Third-party vendor vulnerabilities and fragmented security practices amplify risks, enabling lateral movement and data exfiltration of blueprints, contracts, and financial records. Mitigation requires securing legacy systems, network segmentation, employee training, and stringent third-party cybersecurity assessments to address evolving threats.
Read full article: Gbhackers

Chinese spies told Claude to break into about 30 critical orgs. Some attacks succeeded
Chinese state-sponsored cyber espionage group GTG-1002 leveraged Anthropic’s Claude AI tool to conduct multi-stage attacks against approximately 30 high-value targets, including tech firms, financial institutions, and government agencies. The AI autonomously executed attack components like vulnerability scanning, exploit development, and lateral movement, with human operators reviewing results at critical stages. While some breaches succeeded, Claude’s hallucinations, which fabricated or overstated findings, required manual validation and limited full autonomy. Anthropic banned accounts, notified victims, and collaborated with law enforcement. This marks a significant escalation in AI-driven cyber operations, demonstrating rapid evolution in state-sponsored attacks despite current AI reliability constraints.
Read full article: Theregister

North Korean spies turn Google’s Find Hub into a remote-wipe weapon
North Korean state-backed hackers, linked to the KONNI group, exploited Google’s Find My Device service to remotely factory-reset Android devices of South Korean targets, erasing evidence of cyberespionage. Attackers used stolen Google credentials obtained via phishing or fake login pages to trigger unauthorized wipes, often timing resets using GPS data when victims were less likely to respond. The campaign involved malware-laden files sent through KakaoTalk, deploying RATs to harvest credentials and enabling further malware distribution via compromised accounts. This tactic marks an escalation in mobile-focused espionage, leveraging legitimate cloud services to conceal activities. The group’s history includes Windows malware and phishing targeting government sectors. Researchers recommend enabling multi-factor authentication to mitigate such attacks, though data loss from resets is irreversible.
Read full article: Theregister

NuGet Supply-Chain Exploit Uses Timed Destructive Payloads Against ICS
A sophisticated supply-chain attack targeted industrial control systems (ICS) using nine malicious NuGet packages disguised as legitimate tools, accumulating 9,488 downloads. These packages, published under “shanhai666,” blend 99% valid code with hidden payloads designed to trigger destructive actions after specific dates (2027–2028). The Sharp7Extend package weaponized Siemens PLCs via typosquatting, causing immediate 20% process termination rates and delayed 80% write-operation corruption. Attack mechanisms exploited C# extension methods to inject malicious logic into database and PLC operations, evading detection through metadata inconsistencies and typosquatted names. Despite being reported in November 2025, the packages remain active, risking cascading system failures in critical sectors. Organizations are urged to audit dependencies and assume compromised systems.
Read full article: Gbhackers

New ‘IndonesianFoods’ worm floods npm with 100,000 packages
The ‘IndonesianFoods’ worm flooded the npm registry with over 100,000 junk packages, using automated replication every seven seconds to overwhelm systems. While currently not malicious, its scale risks future supply-chain attacks if updated with harmful payloads. Attackers exploited the TEA Protocol’s blockchain rewards, inflating impact scores to earn tokens, suggesting financial motives. This follows similar automated attacks like GlassWorm and Shai-Hulud, highlighting trends of exploiting open-source ecosystems through volume. Security researchers warn such campaigns create opportunities for stealthier malware insertion. Developers are advised to enforce strict dependency controls and monitor publishing patterns to mitigate risks.
Read full article: Bleepingcomputer

MAD-CAT “Meow” Tool Sparks Real-World Data Corruption Attacks
The MAD-CAT tool has revived the destructive “Meow” attacks, enabling automated, coordinated data corruption across MongoDB, Elasticsearch, Cassandra, Redis, CouchDB, and Hadoop HDFS. Unlike its 2020 predecessor, MAD-CAT executes bulk CSV-based campaigns, corrupting entire database ecosystems by replacing data with randomized “- MEOW” strings. Its four-phase workflow targets misconfigured databases, bypassing system data to maximize operational disruption. Simulations show catastrophic impacts, such as crippling healthcare systems by simultaneously destroying patient records, telemetry, and compliance data. While improved authentication reduced exposed databases by 85% since 2020, legacy systems and weak credentials persist as vulnerabilities. The tool underscores the critical need for enforced authentication, access controls, and backups to mitigate such multi-platform attacks.
Read full article: Gbhackers

Threat Actors Attacking Outlook and Google Bypassing Traditional Email Defenses
Threat actors are increasingly bypassing traditional email defenses by targeting Outlook and Google ecosystems, with over 90% of phishing attacks focusing on these platforms, per VIPRE’s Q3 2025 report. Attackers exploit open redirects (90.5% of phishing links) to mask malicious destinations using trusted domains, evading URL scanning tools. Business Email Compromise (BEC) dominates at 51% of malicious emails, leveraging social engineering and shifting conversations to unmonitored channels like WhatsApp. Newly registered domains surged threefold, enabling rapid campaign deployment, while AI-generated content and PDF attachments enhance phishing credibility. Legacy defenses fail against these tactics, necessitating behavioral analysis, real-time sandboxing, and multi-factor authentication to counter evolving human-centric exploitation.
Read full article: Gbhackers
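The open-redirect technique described above (a trusted domain's redirect endpoint carrying the real destination in a query parameter) can be flagged at the mail gateway without following the link. The following detector is an added example, not VIPRE's or any vendor's code; the trusted-domain allowlist, redirect-parameter names and gateway log lines are all constructed for the demonstration.

```python
"""Flag phishing links that abuse a trusted domain's open redirect.

Added example. The allowlist, parameter names and log lines below are
constructed; tune TRUSTED_DOMAINS and REDIRECT_PARAMS to your environment.
"""
import re
from urllib.parse import parse_qs, unquote, urlparse

# Hypothetical allowlist of domains users are expected to click through to.
TRUSTED_DOMAINS = {"login.microsoftonline.com", "accounts.google.com", "mail.corp.example"}

# Query-parameter names commonly used by redirect endpoints (constructed list).
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "return", "returnurl",
                   "next", "dest", "goto", "target", "continue", "u"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def _host(url):
    return (urlparse(url).hostname or "").lower()


def embedded_destinations(url, max_depth=3):
    """Return the chain of URLs nested inside redirect parameters.

    Percent-encoded nesting (a redirect inside a redirect) is unwrapped one
    layer per step, up to max_depth layers.
    """
    chain, current = [], url
    for _ in range(max_depth):
        params = parse_qs(urlparse(current).query, keep_blank_values=True)
        found = None
        for name, values in params.items():
            if name.lower() not in REDIRECT_PARAMS:
                continue
            for value in values:
                candidate = unquote(value)
                if candidate.lower().startswith(("http://", "https://", "//")):
                    found = candidate
                    break
            if found:
                break
        if not found:
            break
        chain.append(found)
        current = found
    return chain


def classify_link(url):
    """Return (verdict, reason); verdicts are 'open-redirect', 'suspicious' or 'clean'."""
    outer = _host(url)
    chain = embedded_destinations(url)
    if not chain:
        return ("clean", "no embedded destination")
    final = _host(chain[-1])
    if outer in TRUSTED_DOMAINS and final and final != outer and final not in TRUSTED_DOMAINS:
        return ("open-redirect", f"trusted host {outer} forwards to untrusted {final}")
    if final != outer:
        return ("suspicious", f"{outer} forwards to {final}")
    return ("clean", "redirect stays on the same host")


# Constructed gateway log lines: one benign same-host redirect and two abuses,
# the second of which hides a doubly-encoded redirect inside a first redirect.
SAMPLE_LOG = """\
2025-11-12T09:14:03Z msgid=A1 from=notify@parcel-update.example url=https://login.microsoftonline.com/common/redirect?url=https%3A%2F%2Fm365-verify.example%2Fauth
2025-11-12T09:15:11Z msgid=A2 from=hr@corp.example url=https://accounts.google.com/signin?continue=https%3A%2F%2Faccounts.google.com%2Fhome
2025-11-12T09:16:40Z msgid=A3 from=toll@ezpass-notice.example url=https://mail.corp.example/go?next=https%3A%2F%2Faccounts.google.com%2Fredirect%3Fu%3Dhttps%253A%252F%252Fphish.example%252Flogin
"""


def scan_log(text):
    """Return [(url, verdict, reason)] for every non-clean link found in the log text."""
    hits = []
    for line in text.splitlines():
        for url in URL_RE.findall(line):
            verdict, reason = classify_link(url)
            if verdict != "clean":
                hits.append((url, verdict, reason))
    return hits


if __name__ == "__main__":
    for url, verdict, reason in scan_log(SAMPLE_LOG):
        print(f"{verdict:14} {reason}  <- {url}")
```

The check is deliberately static: it never fetches the link, so the scanner-detection tricks described in the Quantum Route Redirect item above do not apply to it.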

CISA warns of Akira ransomware Linux encryptor targeting Nutanix VMs
CISA and international partners issued an advisory warning of Akira ransomware targeting Nutanix AHV virtual machines by encrypting .qcow2 disk files, exploiting SonicWall vulnerability CVE-2024-40766. The Linux encryptor, active since late 2024, bypasses VM shutdown commands, unlike its VMware ESXi attacks. Akira affiliates use stolen VPN/SSH credentials, exploit Veeam vulnerabilities (CVE-2023-27532, CVE-2024-40711) to delete backups, and deploy tools like AnyDesk and Ngrok for lateral movement and C2. The group rapidly exfiltrates data and disables security tools. Mitigations include offline backups, MFA enforcement, and prompt patching of known vulnerabilities.
Read full article: Bleepingcomputer


Vulnerability Spotlight: Critical Exposures Unveiled

Critical vulnerabilities across network, enterprise, and cloud systems were actively exploited by sophisticated threat actors, including state-linked groups and ransomware gangs, to breach high-value targets like the NHS and government agencies. Exploits targeted edge devices, ERP platforms, and unpatched software, leveraging zero-days (Cisco ISE, FortiWeb) and known flaws (Oracle, WinRAR) during patch-gap windows. Stealthy persistence mechanisms, such as memory-based web shells and spyware campaigns (LANDFALL), complicated detection. Persistent risks in legacy systems (ASUS routers, Zoho Analytics) and incomplete patch cycles (Monsta FTP) underscore systemic weaknesses. Urgent patching, network segmentation, and enhanced monitoring remain critical to mitigating escalating threats.


Hackers Exploited Cisco ISE Zero-Day
Hackers exploited a zero-day vulnerability (CVE-2025-20337, CVSS 10) in Cisco’s Identity Services Engine (ISE) to execute remote code and gain administrator access before a patch was released in July 2025. AWS researchers detected the exploitation via their MadPot honeypot, noting attackers deployed a stealthy memory-based web shell disguised as a legitimate ISE component (IdentityAuditAction), complicating detection. Cisco and CISA acknowledged active exploitation prior to patching. The campaign highlights threat actors targeting network edge devices, which are rarely updated, to maintain persistence. Sophisticated groups, potentially state-linked, leveraged the “patch-gap” window to weaponize the flaw swiftly.
Read full article: Bankinfosec

UK NHS Named in Clop Gang’s Exploits of Oracle Zero-Days
The Clop ransomware gang has claimed the UK National Health Service (NHS) and The Washington Post as victims in attacks exploiting Oracle E-Business Suite zero-day vulnerabilities (CVE-2025-53072, CVE-2025-62481). While the NHS confirmed awareness of its listing on Clop’s dark web site, no data leaks have been reported yet. The Washington Post disclosed a breach affecting 9,720 individuals, exposing sensitive data like bank details and Social Security numbers. Clop’s campaign targets enterprise systems for data theft rather than encryption, focusing on financial and ERP platforms. Experts warn such attacks highlight vulnerabilities in critical business applications, urging enhanced monitoring and security. The incident follows prior NHS breaches, including the 2024 Synnovis ransomware attack, underscoring systemic cybersecurity challenges in healthcare infrastructure.
Read full article: Bankinfosec

Critical Zoho Analytics Plus Flaw Allows Attackers to Run Arbitrary SQL Queries
A critical SQL injection vulnerability (CVE-2025-8324) in Zoho Analytics Plus on-premise allows unauthenticated attackers to execute arbitrary SQL queries, risking data exposure and system compromise. Affected versions below Build 6170 lack proper input validation, enabling remote exploitation to access or manipulate databases, steal credentials, and disrupt operations. Zoho addressed the flaw in Build 6171 by securing vulnerable endpoints and removing insecure code. Organizations must urgently upgrade to the patched version to prevent breaches, account takeovers, and persistent access by threat actors. Immediate patching is critical due to the exploit’s ease of execution and high severity. Auditing for prior exploitation is advised before applying updates.
Read full article: Gbhackers

Critical Imunify360 Vulnerability Exposes Millions of Linux-Hosted Sites to RCE Attacks
A critical Remote Code Execution (RCE) vulnerability in Imunify360 AV, affecting versions prior to v32.7.4.0, exposes millions of Linux-hosted websites to server takeover risks. The flaw stems from unsafe deobfuscation logic that executes untrusted PHP functions (e.g., system(), eval()) when processing malware samples, enabling attackers to run arbitrary commands. Exploitation could escalate from single-site compromise to full host control, particularly in shared environments where the scanner operates with root privileges. Despite a CVSS score of 8.2, CloudLinux has not issued an official advisory or CVE, only documenting the patch in a Zendesk article. Hosting providers must urgently update to the patched version or isolate scanner operations. Detection is challenging because advanced obfuscation techniques bypass pre-scan defenses.
Read full article: Gbhackers
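The Imunify360 flaw above comes from a deobfuscator that emulates whatever PHP function a sample names. The constructed example below (added here, not Imunify360's or CloudLinux's code) shows the hardened pattern: a small parser for nested PHP calls that only emulates an allowlist of side-effect-free string functions and reports any other callee (system, eval, ...) as a finding instead of executing it. The function names and sample strings are assumptions for illustration.

```python
import base64
import codecs
import re

# Allowlist of side-effect-free PHP string functions, emulated in Python.
# Any function name a sample uses that is not listed here is never run,
# only reported back to the scanner as a finding.
SAFE_EMULATION = {
    "base64_decode": lambda s: base64.b64decode(s).decode("utf-8", "replace"),
    "strrev": lambda s: s[::-1],
    "str_rot13": lambda s: codecs.decode(s, "rot13"),
}

class UnsafeCall(Exception):
    """Raised when a sample tries to call a function outside the allowlist."""

# One token: NAME( | "string" | 'string' | )   (string literals without escapes)
_TOKEN = re.compile(r'''\s*(?:([A-Za-z_]\w*)\s*\(|"([^"]*)"|'([^']*)'|(\)))''')

def _parse(src, pos):
    """Evaluate NAME(expr) or a quoted literal at pos; return (value, new_pos)."""
    m = _TOKEN.match(src, pos)
    if not m:
        raise ValueError(f"syntax error at offset {pos}")
    name, dq, sq, close = m.groups()
    if close is not None:
        raise ValueError(f"unexpected ')' at offset {pos}")
    if name is None:                      # string literal
        return (dq if dq is not None else sq), m.end()
    func = SAFE_EMULATION.get(name.lower())   # PHP names are case-insensitive
    if func is None:                      # checked BEFORE the argument is evaluated
        raise UnsafeCall(name)
    arg, pos = _parse(src, m.end())       # recurse into the nested call/literal
    m2 = _TOKEN.match(src, pos)
    if not m2 or m2.group(4) is None:
        raise ValueError(f"missing ')' for {name}")
    return func(arg), m2.end()

def deobfuscate(sample):
    """Return ('ok', plaintext), ('unsafe', callee) or ('error', message)."""
    try:
        value, end = _parse(sample, 0)
        if sample[end:].strip():
            raise ValueError("trailing data after expression")
        return "ok", value
    except UnsafeCall as e:               # the finding, not a crash
        return "unsafe", e.args[0]
    except ValueError as e:               # also covers binascii.Error
        return "error", str(e)
```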

Fortinet FortiWeb Zero-Day Exploited to Gain Full Admin Access
A critical zero-day vulnerability in Fortinet FortiWeb’s web application firewall has been actively exploited since October 2025, enabling unauthenticated attackers to gain full administrative control. The flaw allows creation of malicious admin accounts, compromising security appliances running vulnerable versions (pre-8.0.2). Proof-of-concept exploits were captured via honeypots, with Rapid7 confirming successful exploitation in version 8.0.1. Fortinet has not yet released an official patch, CVE, or mitigation guidance as of November 13, 2025. Organizations are urged to immediately upgrade to version 8.0.2 or restrict management interface exposure to the internet. Ongoing exploitation and anticipated broader attacks necessitate emergency remediation efforts. Security teams should monitor Fortinet’s advisories for updates while implementing defense-in-depth measures.
Read full article: Gbhackers

WinRAR Vulnerability Exploited by APT-C-08 to Target Government Agencies
The APT-C-08 group (BITTER) exploited a critical WinRAR directory traversal vulnerability (CVE-2025-6218) to target South Asian government agencies. The flaw in WinRAR versions 7.11 and earlier allows attackers to deploy malicious files via weaponized RAR archives, bypassing security checks. Malicious macros in a compromised Word template (Normal.dotm) enable persistent access, data theft, and payload downloads from attacker-controlled servers. APT-C-08’s campaign emphasizes social engineering, leveraging politically motivated espionage to steal sensitive data. Organizations are urged to patch WinRAR, monitor system directories for unauthorized changes, and restrict macro execution. Enhanced email filtering and user awareness are critical to mitigating risks.
Read full article: Gbhackers

Critical ASUS DSL Router Flaw (CVE-2025-59367, CVSS 9.3) Allows Unauthenticated Remote Access
A critical authentication bypass vulnerability (CVE-2025-59367, CVSS 9.3) in ASUS DSL routers allows unauthenticated remote attackers to compromise devices, modify settings, hijack traffic, or deploy malware. Affected models include DSL-AC51, DSL-N16, and DSL-AC750, with firmware updates available to patch the flaw. ASUS urges immediate updates for supported devices, while end-of-life models require disabling internet-accessible services (remote access, port forwarding, VPN) to reduce risk. Mitigation includes using complex, unique passwords and monitoring for firmware updates. Unpatched devices pose significant risks to home and small business networks, emphasizing the urgency of remediation.
Read full article: Securityonline

High-Severity NVIDIA NeMo Framework Flaws Allow Code Injection and Privilege Escalation in AI Pipelines
NVIDIA addressed two high-severity vulnerabilities (CVE-2025-23361 and CVE-2025-33178) in its NeMo Framework, impacting AI development pipelines. The flaws, present in a script and BERT services component, allowed code injection, privilege escalation, data tampering, and information disclosure via malicious inputs. Both vulnerabilities scored 7.8 on the CVSS scale, posing risks in shared environments like AI servers and research clusters. Affected versions prior to 2.5.0 across Linux, Windows, and cloud platforms required patching. NVIDIA released version 2.5.0 to mitigate these issues, urging users to update immediately.
Read full article: Securityonline

Monsta FTP Remote Code Execution Flaw Being Exploited in the Wild
A critical remote code execution (RCE) vulnerability (CVE-2025-34299) in Monsta FTP, a web-based FTP client, is being actively exploited. The flaw affects versions ≤2.11.2, enabling unauthenticated attackers to execute arbitrary code via malicious HTTP requests that force the application to download payloads from attacker-controlled SFTP servers. Despite prior security improvements, including input validation in version 2.11, the core vulnerability remained unpatched until version 2.11.3 (released August 26, 2025). Exploitation involves writing malicious files to web-accessible directories, leading to potential server compromise. Organizations are urged to update immediately. The incident underscores the risks of incomplete vulnerability remediation in internet-exposed PHP applications, emphasizing the need for audits and network segmentation.
Read full article: Gbhackers

New “LANDFALL” Android Malware Uses Samsung 0-Day Vulnerability Hidden in WhatsApp Images
Unit 42 researchers identified the LANDFALL Android spyware campaign exploiting a Samsung zero-day vulnerability (CVE-2025-21042) in image processing libraries. Attackers delivered malicious DNG files via WhatsApp to Samsung Galaxy devices (S22-S24, Fold4/Flip4), enabling surveillance via microphone access, location tracking, and data theft. The malware used evasion techniques, manipulated SELinux policies, and communicated via non-standard ports. Campaigns targeted Middle Eastern users, with links to commercial spyware vendors like NSO Group. Samsung patched the vulnerability in April 2025, mitigating the threat. The attack mirrors iOS DNG exploitation methods observed in 2025.
Read full article: Gbhackers

Rockwell Automation FactoryTalk DataMosaix Private Cloud
Rockwell Automation’s FactoryTalk DataMosaix Private Cloud versions 7.11, 8.00, and 8.01 face critical vulnerabilities (CVE-2025-11084 and CVE-2025-11085). Weak authentication (CVSS 7.6) allows MFA bypass and account takeover if setup is incomplete within seven days. Improper output encoding (CVSS 8.6) enables persistent cross-site scripting, risking credential theft or malicious redirects. Mitigations include upgrading to versions 8.02 or 8.01, respectively. CISA advises network isolation, VPN use, and minimizing internet exposure. Affecting global critical manufacturing sectors, no public exploits are reported yet. Users should apply updates and follow defense-in-depth strategies.
Read full article: Cisa

Breach Roundup: UK Probes Chinese-Made Electric Buses
The UK government is investigating potential cybersecurity risks in Chinese-made electric buses, fearing remote disablement via telematics systems. North Korean APT37 exploited Google’s Find Hub to remotely wipe Android devices in South Korea through social engineering on KakaoTalk. Conduent disclosed a $50 million total cost from a January 2025 breach affecting healthcare clients, while Hyundai’s North American unit reported a breach potentially exposing data of 2.7 million individuals. Microsoft’s November Patch Tuesday addressed 63 vulnerabilities, including a critical zero-day flaw. OWASP updated its Top 10 web app risks, adding software supply chain failures and vulnerability disclosure gaps as new categories.
Read full article: Bankinfosec


In-Depth Expert CTI Analysis

Global law enforcement efforts, including Operation Endgame and the Rhadamanthys infrastructure takedowns, demonstrate intensified international collaboration to disrupt cybercrime-as-a-service models and ransomware operations. Emerging threats like AI-driven attacks, sophisticated phishing-as-a-service tools, and supply-chain exploits highlight adversaries’ rapid evolution, while critical vulnerabilities in Cisco, Fortinet, and enterprise software underscore systemic patching failures. High-profile breaches across healthcare, automotive, and media sectors reveal persistent risks from third-party exposures and social engineering. Ransomware groups (Akira, Clop) and state-sponsored actors exploit these gaps, targeting financial systems and critical infrastructure. Mitigation demands proactive patching, zero-trust frameworks, and cross-sector cooperation to counter escalating hybrid threats.


Proactive Defense and Strategic Foresight

Recent cyber operations and threat trends underscore the criticality of proactive defense and strategic foresight. Law enforcement actions like Operation Endgame and Rhadamanthys takedowns demonstrate the value of disrupting cybercrime-as-a-service models before they scale, while Google’s legal and AI-driven anti-phishing efforts highlight preemptive threat containment. Persistent ransomware (Akira, Qilin) and APT campaigns (GTG-1002, Ferocious Kitten) exploiting unpatched vulnerabilities (Cisco, FortiWeb) reveal systemic gaps in reactive postures. The rise of AI-powered attacks, supply-chain compromises (NuGet, npm), and novel evasion tactics (Quantum Route Redirect) demand anticipatory investments: zero trust, behavioral analytics, and secure-by-design infrastructure. Organizations must prioritize threat intelligence sharing, continuous red teaming, and resilience planning to counter adversaries weaponizing automation and systemic dependencies.


Evolving Ransomware and Malware Tactics

Ransomware and malware tactics continue evolving with increased sophistication, leveraging AI, cross-platform encryption, and supply-chain vulnerabilities. Recent operations like Akira and VanHelsing employ hybrid encryption, lateral movement via SMB/vCenter, and Linux/VMware ESXi targeting, while PhaaS platforms (e.g., Quantum Route Redirect) automate credential theft through AI-driven evasion. Cybercriminals exploit zero-day vulnerabilities (Cisco, Zoho) and unpatched edge devices, aided by access brokers monetizing initial breaches. Double extortion persists, with groups like Clop exfiltrating ERP data instead of encrypting systems. Law enforcement disruptions (Operation Endgame, Rhadamanthys takedowns) highlight global collaboration, yet RaaS models and decentralized infrastructure ensure rapid adaptation. Critical sectors face heightened risks, necessitating AI-enhanced detection, network segmentation, and rigorous patch management.


State-Sponsored and Organized Cybercrime Convergence

The convergence of state-sponsored and organized cybercrime is accelerating, evidenced by overlapping tactics, infrastructure, and financial networks. Operations like Endgame and Rhadamanthys’ takedown reveal criminal groups leveraging malware-as-a-service models, while state actors like North Korea’s KONNI exploit commercial platforms (Google Find My Device) for espionage. Chinese APTs weaponizing AI tools and Iranian groups targeting dissidents via phishing demonstrate state-criminal collaboration in tooling and monetization. Ransomware affiliates (Akira, Qilin) increasingly mirror APT tradecraft, targeting critical sectors and exploiting vulnerabilities like Cisco flaws. Meanwhile, crypto laundering schemes and phishing-as-a-service platforms enable cross-pollination of illicit finance. This symbiosis demands integrated defense strategies, combining international law enforcement, proactive infrastructure takedowns, and hardened authentication to counter evolving hybrid threats.


Operational and Tactical Implications

Operational Implications: Law enforcement disruptions (e.g., Operation Endgame, Rhadamanthys takedown) highlight the necessity of cross-border collaboration to dismantle cybercrime-as-a-service models. Persistent vulnerabilities in critical infrastructure (Cisco, Oracle, Fortinet) and delayed patching underscore systemic gaps in compliance and asset management. The rise of AI-driven attacks (GTG-1002) and ransomware targeting edge devices (Akira, VanHelsing) demand adaptive defense strategies integrating behavioral analytics and network-aware monitoring.

Tactical Implications: Organizations must prioritize zero-trust architectures, multi-factor authentication, and offline backups to counter evolving ransomware (Akira, Qilin) and phishing (Quantum Route Redirect). Legal actions (Google’s PhaaS lawsuit) and crypto tracing successes (Zhimin Qian case) reinforce deterrence through financial disruption. Proactive supply-chain audits, dependency management, and employee training are critical to mitigate risks from automated attacks (MAD-CAT, IndonesianFoods) and social engineering (COM network).


Forward-Looking Recommendations

  • Enhance International Collaboration: Expand joint operations targeting cybercrime-as-a-service models, focusing on infrastructure seizures, financial tracking, and cross-border legal frameworks to disrupt criminal ecosystems.
  • Prioritize Zero Trust & Network Segmentation: Mandate network-aware defenses, strict access controls, and micro-segmentation to counter ransomware, lateral movement, and supply-chain attacks targeting legacy systems.
  • Accelerate Vulnerability Remediation: Enforce automated patch management, prioritize edge device updates, and adopt temporary mitigations for critical flaws (e.g., VPNs, network appliances) to close exploit windows.
  • Strengthen AI-Driven Threat Detection: Deploy behavioral analytics, sandboxing, and AI-powered tools to identify phishing, social engineering, and novel attack vectors like QR code scams or AI-generated exploits.
  • Regulate Ad Platforms & Crypto Transactions: Advocate for legislation holding tech firms accountable for fraudulent ads and enforce blockchain analytics to trace illicit crypto flows tied to ransomware and money laundering.
