VerSprite Weekly Threat Intelligence #42
Date Range: 24 November 2025 – 28 November 2025
Issue: 42nd Edition
Reported Period Victimology

Security Triumphs of the Week
A significant security triumph emerged as a massive leak exposed Iran’s state-backed cyber-terror unit, Department 40, revealing its operational structure, leadership under Abbas Rahrovi, and direct coordination between cyber-espionage and physical assassination plots. The unit’s tactics, including real-time surveillance via the “Kashef” platform and social engineering by the “Sister’s Team,” targeted Israeli, Saudi, and UAE entities, with infrastructure and front companies now publicly identified. This disclosure critically undermines Iran’s plausible deniability, exposing its integration of cyber operations with kinetic attacks and elevating global awareness of its state-sponsored threat ecosystem.
UNMASKED: Massive Leak Exposes Iran’s ‘Department 40’ Cyber-Terror Unit
A massive leak exposed Iran’s Department 40, a cyber-terror unit under the IRGC, revealing direct ties between state-sponsored hacking and physical assassination plots. The unit, led by Abbas Rahrovi, employs 60+ operatives across cyber and kinetic teams, including the “Sister’s Team” for social engineering. Their operations involve breaching airlines, hotels, and government databases to create real-time surveillance via the “Kashef” platform, enabling targeted attacks like the failed 2022 Istanbul plot. Targets include Israeli diplomats, Saudi officials, UAE police systems, and international organizations. The leak exposes identities, front companies, and infrastructure, undermining Iran’s deniability and highlighting its state-backed cyber-terrorism apparatus.
Read full article: Securityonline
Security Setbacks of the Week
The past week saw a surge in ransomware and state-aligned cyberattacks targeting critical infrastructure, financial sectors, and third-party vendors. North Korean actors collaborated with Qilin ransomware in destabilizing South Korea’s financial markets, while INC Ransom disrupted US emergency services via OnSolve’s legacy systems. Supply chain vulnerabilities were exploited in attacks on London councils, Korean MSPs, and third-party vendors like Mixpanel and FBCS, exposing sensitive data. Legacy IT systems, including unpatched SonicWall VPNs and inherited assets, enabled rapid ransomware deployment by groups like Akira. High-profile breaches at Harvard, UPBIT, and Iberia underscored persistent risks from phishing, crypto theft, and misconfigured cloud services, with recovery costs and operational disruptions mounting globally.
Emergency alert systems across the US were disrupted following OnSolve CodeRED cyberattack
OnSolve’s legacy CodeRED emergency alert system suffered a cyberattack by the INC Ransom group, disrupting critical services used by US government agencies, law enforcement, and emergency responders. The breach forced parent company Crisis24 to rebuild systems using outdated backups, resulting in permanent loss of recent user accounts and data. Sensitive information, including names, addresses, passwords, and contact details, was compromised, prompting warnings for users to reset reused credentials. Douglas County Sheriff’s Office and 911 Board terminated their CodeRED contracts over citizen privacy concerns. INC Ransom leaked screenshots of stolen customer data, though no confirmed public release occurred. The FBI was notified, and OnSolve accelerated migration to a new platform post-attack.
Read full article: Techradar
The “Korean Leaks” Siege: Qilin & North Korea Cripple Financial Sector via MSP Hack
A sophisticated cyber campaign dubbed “Korean Leaks” targeted South Korea’s financial sector in September 2025, involving collaboration between the Qilin ransomware group and North Korean state-linked actors (Moonstone Sleet). The attackers exploited a Managed Service Provider (MSP) to breach multiple financial firms simultaneously, marking a shift toward politically charged ransomware operations. Unlike typical financially motivated attacks, this campaign used propaganda and threats to destabilize South Korea’s financial markets. The operation combined Qilin’s RaaS infrastructure with state-aligned tactics, enabling deniability for North Korea while generating revenue. Over 25 financial sector victims were claimed, highlighting the growing risk of supply chain attacks via third-party vendors.
Read full article: Securityonline
Crypto Crisis: UPBIT Hacked for $369 Million in Solana-Based Tokens
South Korea’s largest cryptocurrency exchange, UPBIT, experienced a $369 million hack involving Solana-based tokens, leading to suspended withdrawals. The breach occurred on November 27, 2025, with assets drained from a hot wallet, likely due to a security vulnerability. UPBIT transferred remaining funds to cold storage and collaborated with authorities to freeze $12 million in stolen assets. The exchange pledged to cover all losses with its capital, ensuring no user financial impact. Investigations continue into the attack’s origin, suspected to involve prolonged infrastructure infiltration. Withdrawals will resume post-audit, restoring customer access to funds.
Read full article: Securityonline
Akira’s SonicWall Hacks Are Taking Down Large Enterprises
The Akira ransomware group is exploiting SonicWall SSL VPN vulnerabilities, particularly CVE-2024-40766, to target large enterprises that inherited these devices through mergers and acquisitions. These devices, common in smaller firms, often remain misconfigured or unpatched post-acquisition, allowing attackers to leverage legacy admin credentials for rapid network compromise. ReliaQuest found Akira attackers progress from initial access to ransomware deployment in under 10 hours, sometimes as quickly as five. Inherited IT assets, including unmonitored credentials, pose significant risks, with attackers exploiting unpatched or end-of-life firewalls. Mitigation includes patching, credential rotation, MFA, and restricting remote access. SonicWall recommends firmware updates and access control hardening to counter brute-force attacks.
Read full article: Bankinfosec
Multiple London Councils Responding to Cyberattack
Several London councils, including Westminster, Kensington and Chelsea, and Hammersmith and Fulham, are responding to a cyberattack disrupting phone services and potentially compromising sensitive data. The shared IT systems among the boroughs may have facilitated the attack, suspected to involve a supply chain compromise. Experts highlight risks of data misuse for phishing or fraud, given councils’ reliance on legacy systems with poor patching. The UK National Cyber Security Centre is assisting investigations. This follows recent high-profile breaches in the UK, prompting government action via the new Cyber Security and Resilience Bill mandating incident response and system patching.
Read full article: Bankinfosec
Asahi confirms cyberattack leaked data on 1.5 million customers
Asahi Group confirmed a ransomware attack by the Qilin group, compromising data of approximately 1.5 million customers who contacted its customer service centers. The breach, detected on September 29, involved unauthorized access via company equipment, leading to stolen personal information like names, addresses, phone numbers, and emails. An additional 300,000 individuals, including employees and external contacts, may also be affected. Qilin claimed responsibility, listing Asahi on its dark web leak site, though no data misuse has been confirmed. The attack primarily impacted systems in Japan, with no evidence of data publication online. Qilin has been active recently, targeting other major firms like IGT and Nissan Creative Box.
Read full article: Techradar
Cox Enterprises hit by Oracle data breach – but it won’t name who carried out the attack
Cox Enterprises suffered a data breach via a zero-day vulnerability in Oracle E-Business Suite, exposing data of 9,479 individuals. The Cl0p ransomware group claimed responsibility, publishing stolen files in late October 2025. The breach occurred in August but was detected in late September, prompting Cox to apply Oracle’s security fix, involve cybersecurity experts, and notify law enforcement. Affected individuals are offered 24 months of free credit monitoring and identity theft protection. Cl0p has previously targeted other high-profile organizations through Oracle vulnerabilities, including Logitech and the Washington Post. Cox confirmed the breach in a filing with the Maine Attorney General’s Office but did not publicly name the attackers.
Read full article: Techradar
Harvard University reveals data breach hitting alumni and donors
Harvard University disclosed a data breach affecting alumni, donors, faculty, staff, and some students, caused by a voice phishing attack. Exposed data included email addresses, phone numbers, addresses, event attendance, donation records, and biographical details, but no financial information or passwords. The breach occurred via compromised Alumni Affairs and Development systems, with attackers leveraging phone-based social engineering. Harvard has secured systems, alerted affected individuals, and is collaborating with law enforcement and cybersecurity experts. The incident highlights risks of phishing campaigns exploiting personal data for fraud. This follows similar breaches at Princeton and the University of Pennsylvania, underscoring heightened targeting of academic institutions.
Read full article: Techradar
Iberia tells customers it was hit by a major security breach
Iberia Airlines disclosed a third-party data breach exposing customer names, emails, and loyalty card IDs, though passwords and financial data remain secure. A dark web post claims 77 GB of internal technical files, including aircraft and maintenance data, were stolen, potentially indicating a separate attack. Iberia activated security protocols, notified law enforcement, and now requires email confirmation for account changes. Investigations are ongoing, with no confirmed misuse of stolen data yet. Customers are advised to monitor for suspicious communications. The discrepancy between Iberia’s breach details and the dark web ad’s claims remains unresolved.
Read full article: Techradar
OpenAI API Users Exposed in Mixpanel Security Breach
A security breach at third-party analytics provider Mixpanel exposed OpenAI API user data, though OpenAI confirmed its systems were not compromised. The incident, detected by Mixpanel on November 9, 2025, involved unauthorized access to metadata such as names, emails, location, device details, and organizational IDs. Sensitive data like passwords, API keys, or payment information remained secure. OpenAI terminated its partnership with Mixpanel and initiated broader vendor security reviews. Exposed data raises risks of targeted phishing or social engineering attacks against API users. OpenAI is notifying affected organizations and advises vigilance against suspicious communications and enabling multi-factor authentication.
Read full article: Securityonline
Scottish council still rebuilding systems two years after ransomware attack
A Scottish council, Comhairle nan Eilean Siar, continues rebuilding systems two years after a November 2023 ransomware attack, with housing benefits, council tax, and non-domestic rates systems still unrestored. Auditors highlighted gaps in cybersecurity defenses, including incomplete implementation of key recommendations like staff training tests and incident response plan validation. The attack exposed weaknesses in IT infrastructure, governance, and backups, exacerbated by staffing shortages and lapsed cybersecurity training. Recovery efforts cost £950,000, with indirect impacts like increased workloads and delayed services. While the council’s response was praised, auditors urged urgent testing of updated continuity plans and collaboration to bolster resilience. Staff faced significant pressure, manually restoring data and managing backlogs, with long-term operational challenges expected.
Read full article: Theregister
Zendesk users targeted by Scattered Lapsus$ Hunters hackers and fake support sites
Scattered Lapsus$ Hunters (SLH) group is targeting Zendesk users via typosquatted domains and fake support tickets to steal credentials and deploy malware. Over 40 spoofed domains mimicking Zendesk were registered through NiceNic, using stolen registrant data and Cloudflare-masked servers. Attackers submit fraudulent tickets to trick support staff into installing RATs or disclosing credentials, often via urgent administrative requests. The campaign mirrors tactics used in prior Salesforce breaches. SLH denied involvement in a recent Discord Zendesk compromise, claiming responsibility for an Okta breach instead. Researchers link the activity to ongoing threats against help-desk systems.
Read full article: Theregister
Comcast to pay $1.5M fine for vendor breach affecting 270K customers
Comcast agreed to a $1.5 million FCC fine following a 2024 data breach at a former vendor, FBCS, exposing personal data of 273,703 customers. The breach occurred in February 2024 but was disclosed to Comcast in July after FBCS initially denied customer impact. Attackers stole sensitive information, including Social Security numbers and account details. The FCC settlement mandates enhanced vendor oversight, risk assessments, and compliance reporting. Comcast denied responsibility, asserting FBCS violated contractual security obligations. The vendor, which later declared bankruptcy, expanded the breach’s scope to 4.2 million individuals by July 2024.
Read full article: Bleepingcomputer
The New Emerging Threats
Emerging threats highlight escalating risks from state-sponsored spyware, supply chain attacks, and AI-powered tools. Commercial spyware campaigns exploit messaging apps via zero-click exploits, while North Korean actors target macOS users with social engineering. Supply chain breaches (e.g., Gainsight, npm) and IoT botnets like ShadowV2 underscore vulnerabilities in third-party ecosystems. Malicious LLMs (WormGPT) and “Promptware” lower barriers for ransomware and phishing, blending AI abuse with legacy tactics. Concurrently, credential-stealing worms (Shai-Hulud) and fake game cracks demonstrate persistent threats to developers and consumers, demanding enhanced monitoring, patching, and zero-trust frameworks.
Spyware Abuse of Signal and WhatsApp Targeting US Officials
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned of commercial spyware campaigns targeting high-ranking government, military, and political officials via messaging apps like Signal and WhatsApp. Threat actors use phishing, malicious QR codes, zero-click exploits, and fake app impersonation to compromise devices and access sensitive communications. Recent incidents include Russian-aligned groups exploiting Signal’s “linked devices” feature and Android spyware masquerading as Signal in the UAE. The advisory highlights risks to civil society and at-risk individuals globally, noting a rise in sophisticated social engineering tactics. This follows a U.S. court’s permanent ban on NSO Group from targeting WhatsApp, amid broader efforts to curb spyware abuse.
Read full article: Bankinfosec
This devious botnet tried a trial run during the recent AWS outage – so when will it be back?
A new Mirai-based botnet named ShadowV2 emerged briefly during the recent AWS outage, targeting IoT devices via vulnerabilities in vendors like D-Link, TP-Link, and others. Active for roughly 15 hours, it infected routers, NAS devices, and DVRs across 20+ countries, suggesting a test run for future attacks. Researchers warn it could evolve to launch large-scale DDoS attacks, similar to Mirai’s legacy. ShadowV2, now cloud-native, expanded beyond AWS EC2 instances to target sectors like retail, government, and telecom. Its activity coincided with Azure’s record DDoS attack by Aisuru, another Mirai offshoot. The botnet’s current scale remains unclear, but its brief appearance hints at potential resurgence.
Read full article: Techradar
New macOS malware chain could cause a major security headache – here’s what we know
North Korean state-sponsored actors are targeting macOS users through a campaign called Contagious Interview, using fake job ads and LinkedIn profiles to lure victims, primarily software developers. The attackers employ “ClickFix” tactics, tricking users into executing malicious curl commands in Terminal under the guise of resolving fake camera issues. This installs the FlexibleFerret backdoor, enabling credential theft, file exfiltration, and remote system control. The malware connects to a command server to execute further payloads, including harvesting Chrome data and system information. Security firm Jamf warns organizations to treat unsolicited interview requests and Terminal-based fixes as high-risk indicators. Users are advised to report such incidents rather than comply with suspicious instructions.
Read full article: Techradar
Ransomware hackers attack SMBs being acquired to try and gain access to multiple companies
Akira ransomware actors are exploiting vulnerabilities in acquired companies’ unpatched SonicWall SSL VPN appliances during mergers and acquisitions, enabling lateral movement and encryption. ReliaQuest’s analysis of June-October 2025 attacks found compromised inherited assets as the primary entry point. A critical buffer overflow flaw (CVE-2025-40601, severity 7.5/10) in SonicWall Gen7/Gen8 firewalls, patched recently, was frequently abused. Despite patches and MFA, attackers infiltrated VPNs, raising uncertainty if acquisitions were targeted or opportunistic. SMBs are urged to patch vulnerable devices and audit inherited networks post-acquisition to mitigate risks.
Read full article: Techradar
Silent Threat: How Malicious Calendars & ‘Promptware’ Target 4M+ Devices Daily
A new report reveals malicious calendar subscriptions and emerging “Promptware” threats targeting over 4 million iOS/macOS devices daily. Attackers exploit expired domains to push spam, phishing links, or malicious commands via calendar syncs, leveraging inherent trust in system notifications. Once subscribed, devices persistently poll attacker-controlled domains, enabling silent payload delivery. The “Promptware” risk involves embedding hidden prompts (e.g., AI jailbreak commands) in calendar events, which AI assistants like Gemini might execute when summarizing schedules, potentially triggering unauthorized actions (e.g., data deletion). Users often remain unaware of these subscriptions, complicating detection. This highlights evolving threats blending social engineering, legacy vulnerabilities, and AI integration risks.
Read full article: Securityonline
Hidden Theft: ‘Crypto Copilot’ Chrome Extension Drains Solana Wallets on X
A malicious Chrome extension named “Crypto Copilot,” discovered by Socket’s Threat Research Team, targets Solana users by stealthily draining funds during transactions. Marketed as a tool to execute instant trades via X, the extension injects hidden transfer instructions into swap transactions, siphoning 0.0013 SOL or 0.05% of the trade to an attacker-controlled wallet. The theft leverages Solana’s atomic transactions, executing the drain alongside legitimate swaps without user awareness. Obfuscated code and a misspelled backend domain (crypto-coplilot-dashboard[.]vercel[.]app) conceal the malicious activity. Despite the findings, the extension remains available on the Chrome Web Store, prompting a takedown request to Google.
Read full article: Securityonline
Fragging Your Data: Fake ‘Battlefield 6’ Cracks & Trainers Spread Infostealers
Threat actors are exploiting the popularity of Battlefield 6 by distributing fake game cracks and cheat tools containing malware. Bitdefender Labs identified three primary variants: a fake trainer stealing crypto wallets and Discord tokens, a sophisticated “crack” targeting developer credentials while evading detection in Russian/CIS regions, and a persistent backdoor disguised as an ISO image. These campaigns use spoofed warez group names (e.g., InsaneRamZes, RUNE) to appear legitimate. The malware employs evasion tactics like sandbox detection and traffic masking via Google domains. Users are urged to avoid pirated software, assume compromise if infected, and reset passwords while scanning systems.
Read full article: Securityonline
GitLab discovers widespread NPM supply chain attack
GitLab identified a widespread NPM supply chain attack involving malicious packages targeting developers. The attack exploited automated dependency workflows to infiltrate projects, potentially compromising systems via typosquatting and dependency confusion tactics. GitLab’s security team detected suspicious activity in public NPM repositories, linking it to automated account creation and package uploads. The campaign aimed to steal sensitive data, including credentials and environment variables. Users are urged to audit dependencies, enable multi-factor authentication, and monitor for unusual package activity. This incident underscores persistent risks in open-source ecosystems and the need for robust supply chain safeguards.
Read full article: Hackernews
Malicious LLMs empower inexperienced hackers with advanced tools
Malicious large language models (LLMs) like WormGPT 4 and KawaiiGPT are enabling cybercriminals to generate advanced attack tools, lowering the barrier for inexperienced hackers. WormGPT 4 produces functional ransomware scripts, encrypting files via AES-256 and creating realistic ransom notes, while KawaiiGPT automates phishing emails and lateral movement using Python. Both models, accessible via subscriptions or free setups, streamline complex attacks like data exfiltration and credential harvesting. Palo Alto Networks Unit42 researchers confirmed these LLMs are actively used in real-world threats, with active communities on Telegram sharing tactics. These tools eliminate traditional phishing red flags and allow scalable, sophisticated attacks with minimal effort, shifting cybercrime dynamics.
Read full article: Bleepingcomputer
Shai-Hulud worm returns, belches secrets to 25K GitHub repos
The Shai-Hulud worm, a self-propagating npm malware, resurfaced, compromising AWS, GCP, Azure, and GitHub credentials from over 25,000 developers within three days. It spreads via trojanized npm packages, stealing secrets and publishing them to victims’ GitHub repositories. This second wave, active since November 21, executes malicious code during the pre-install phase, increasing exposure risks in build environments. GitHub struggles to contain the rapid spread despite deleting compromised repos. Affected organizations must rotate credentials, audit dependencies, and monitor for suspicious activity. npm and GitHub have tightened security, deprecating legacy tokens and enforcing FIDO-based 2FA to mitigate future supply-chain attacks.
Read full article: Theregister
Vulnerability Spotlight: Critical Exposures Unveiled
Critical vulnerabilities across major platforms and protocols dominated the threat landscape, with state-aligned APTs exploiting zero-days like Windows MMC’s MSC EvilTwin (CVE-2025-26633) and WSUS flaws (CVE-2025-59287) to deploy advanced backdoors. Legacy systems remained prime targets, as evidenced by NTLMv2 hash theft campaigns and the unpatched Twonky Server flaws enabling full media server takeovers. High-impact library vulnerabilities in Angular (CSRF bypass) and node-forge (signature validation flaws) exposed millions of applications to session hijacking and data tampering. Novel attack vectors emerged, including AI browser prompt injection via HashJack and WhatsApp metadata harvesting through contact-discovery exploits. Persistent supply chain risks and delayed patching amplified threats, underscoring the urgency of network segmentation, credential rotation, and prioritized updates.
WhatsApp security flaw lets experts scrape 3.5 billion user numbers – here’s what we know, and how to stay safe
A University of Vienna study revealed a critical WhatsApp security flaw allowing attackers to scrape metadata from 3.5 billion active accounts globally. Researchers exploited a contact-discovery vulnerability, using automated tools to validate phone numbers and collect public data (profile photos, statuses) and encryption keys, with millions reused across accounts. The method bypassed rate limits, enabling mass data harvesting, including in regions where WhatsApp is banned. Meta addressed the flaw via enhanced anti-scraping measures and rate limits, asserting messages remained secure. Users are advised to limit public profile data, avoid unofficial clients, enable two-factor authentication, and update apps promptly.
Read full article: Techradar
Zero-Day Warning: Unpatched Twonky Server Flaws Expose Media to Total Takeover
A critical zero-day vulnerability in Twonky Server (v8.5.2) exposes media servers to full takeover via two unpatched flaws. CVE-2025-13315 allows unauthenticated attackers to bypass API authentication and leak admin credentials, while CVE-2025-13316 enables decryption of passwords using hardcoded keys. Rapid7 confirmed exploitation grants attackers full control of media files. Vendor Lynx Technology ceased communication, stating a patch is impossible, leaving ~850 exposed instances unprotected. Users are urged to isolate Twonky Server from untrusted networks, restrict IP access, and treat stored credentials as compromised. No official mitigation exists, emphasizing immediate network segmentation.
Read full article: Securityonline
Zombie Protocol: How NTLM Flaws Like CVE-2024-43451 Are Haunting 2025
The article details ongoing security risks posed by the outdated NTLM authentication protocol in 2025, particularly through vulnerabilities like CVE-2024-43451. This flaw allows attackers to steal NTLMv2 hashes via malicious .url files with minimal user interaction. Threat actors such as BlindEagle and Head Mare exploit these weaknesses in campaigns targeting government, manufacturing, and education sectors, deploying malware like Remcos RAT and PhantomCore. Kaspersky’s report highlights additional vulnerabilities, including CVE-2025-33073, enabling SYSTEM-level privilege escalation via NTLM reflection attacks. Despite Microsoft’s efforts to phase out NTLM, its persistence in legacy systems remains a critical attack vector. Experts urge organizations to transition to Kerberos, enforce SMB signing, and audit NTLM usage to mitigate risks.
Read full article: Securityonline
Angular Alert: Protocol-Relative URLs Leak XSRF Tokens (CVE-2025-66035)
A high-severity Angular vulnerability (CVE-2025-66035) exposes applications to CSRF attacks due to mishandling protocol-relative URLs (e.g., //attacker.com). Angular’s HTTP Client incorrectly treats such URLs as same-origin, attaching XSRF tokens to requests sent to external domains. Attackers exploiting this flaw can steal tokens and forge authenticated requests, compromising user sessions. Patched versions (v21.0.1, v20.3.14, v19.2.16) address the issue. Unpatched applications must avoid protocol-relative URLs, using relative paths or absolute HTTPS URLs instead. Immediate updates are critical to maintain CSRF protections.
Read full article: Securityonline
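To make the mechanism concrete, the following is an added illustration (not Angular’s code, and not from the article): a naive same-origin test that treats a protocol-relative URL such as //attacker.example as a relative path and therefore attaches the XSRF token, beside a hardened test that resolves the URL against the page origin first. The page origin and token value are constructed sample values.

```javascript
// Constructed sample origin of the application serving the page.
const PAGE_ORIGIN = 'https://app.example.test';

// Naive check: anything that does not start with "http://" or "https://" is
// assumed to be a relative, same-origin path. A protocol-relative URL such as
// "//attacker.example/collect" passes this test even though the browser will
// send the request to attacker.example.
function isSameOriginNaive(url) {
  const lower = url.toLowerCase();
  return !(lower.startsWith('http://') || lower.startsWith('https://'));
}

// Hardened check: resolve the request URL against the page origin with the
// WHATWG URL parser and compare the resulting origin. A protocol-relative URL
// inherits only the scheme and keeps its own host, so its origin differs from
// the page's and the token is withheld. Backslash variants ("\\attacker.example")
// are normalised to slashes by the parser and rejected the same way.
function isSameOriginStrict(url, pageOrigin = PAGE_ORIGIN) {
  let resolved;
  try {
    resolved = new URL(url, pageOrigin);
  } catch {
    return false; // unparseable input: never attach the token
  }
  return resolved.origin === new URL(pageOrigin).origin;
}

// Simulated interceptor step: decide which headers accompany an outgoing
// request, given the same-origin policy in use.
function buildHeaders(url, xsrfToken, sameOriginCheck) {
  const headers = {};
  if (sameOriginCheck(url)) {
    headers['X-XSRF-TOKEN'] = xsrfToken;
  }
  return headers;
}

// Stand-alone demonstration with a constructed token value.
const SAMPLE_TOKEN = 'constructed-xsrf-token';
for (const url of ['/api/transfer', '//attacker.example/collect', 'https://attacker.example/x']) {
  console.log(url,
    'naive ->', Object.keys(buildHeaders(url, SAMPLE_TOKEN, isSameOriginNaive)),
    'strict ->', Object.keys(buildHeaders(url, SAMPLE_TOKEN, isSameOriginStrict)));
}
```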
Windows Server flaw targeted by hackers to spread malware – here’s what we know
Chinese state-sponsored hackers are exploiting CVE-2025-59287, a critical Windows Server Update Services (WSUS) vulnerability, to deploy ShadowPad malware. This flaw allows unauthenticated remote code execution (RCE) with SYSTEM privileges, enabling attackers to pivot across networks. AhnLab observed attackers using PowerCat and tools like certutil/curl to gain system shells and install ShadowPad, a PlugX successor backdoor. Targets likely include government, defense, telecom, and critical infrastructure sectors. Microsoft issued an out-of-band patch after PoC exploits emerged. The vulnerability’s severity (9.8/10) stems from its low-complexity exploitation and high-impact system-level access. Organizations are urged to apply updates to mitigate risks.
Read full article: Techradar
Popular JavaScript library can be hacked to allow attackers into user accounts
A critical vulnerability (CVE-2025-12816) in the widely used JavaScript cryptography library “node-forge” allows attackers to bypass signature and certificate validation by exploiting flawed ASN.1 data parsing. This high-severity flaw (8.6/10 CVSS) risks authentication bypass, data tampering, and misuse of certificate functions, impacting millions of applications. Maintainers released version 1.3.2 to address the issue, urging immediate updates. The library, with 26 million weekly npm downloads, is integral to Node.js web apps, amplifying potential consequences. Palo Alto Networks researchers discovered the flaw, which was responsibly disclosed. Developers are advised to prioritize updating cryptographic dependencies to mitigate risks.
Read full article: Techradar
HashJack attack shows AI browsers can be fooled with a simple ‘#’
A new “HashJack” attack exploits AI browser vulnerabilities by hiding malicious prompts in URL fragments (after the “#” symbol), bypassing traditional security defenses. Attackers append harmful instructions to legitimate URLs, which AI assistants like Microsoft Copilot, Google Gemini, and Perplexity Comet process, enabling data theft, phishing, or misinformation. Since fragments aren’t transmitted to servers, network-based protections fail to detect them. Cato Networks demonstrated risks like data exfiltration and misleading outputs, noting fixes by Microsoft and Perplexity, while Google deemed it low severity. The attack underscores the need for layered defenses, including client-side monitoring and AI governance, as AI browsers mainstream, expanding threats beyond traditional attack vectors.
Read full article: Techradar
Breach Roundup: Recently Patched Oracle Flaw Under Attack
A critical Oracle Identity Manager vulnerability (CVE-2025-61757), patched in October, is under active exploitation, enabling remote code execution. The “Shai-Hulud 2.0” npm supply chain attack compromised 621 packages, leaking 14,000+ credentials and threatening data destruction. The FBI warned of $262M losses from bank account takeover fraud via spoofed support channels. Comcast was fined $1.5M for a vendor breach exposing 237,000 subscribers’ data. Fluent Bit resolved five high-risk vulnerabilities impacting cloud log processing. Iberia Airlines faced a supplier breach, while ransomware group Everest claimed broader access. Campbell’s fired its CISO following leaked offensive remarks and a lawsuit alleging workplace misconduct.
Read full article: Bankinfosec
In-Depth Expert CTI Analysis
State-sponsored cyber-terrorism and ransomware operations escalated globally, with Iran’s Department 40 exposed for coordinating cyber-kinetic assassination plots, while North Korean actors collaborated with ransomware groups to destabilize South Korea’s financial sector. Critical vulnerabilities in widely used systems—SonicWall VPNs, Oracle software, and third-party vendors—were exploited by groups like Akira and Cl0p, highlighting risks from unpatched legacy infrastructure and supply chain compromises. High-profile breaches at UPBIT, Harvard, and Asahi underscored threats to financial, academic, and corporate sectors, exacerbated by AI-enabled attacks and malicious LLMs lowering entry barriers for cybercriminals. Espionage campaigns targeted macOS users and government officials via spyware, while IoT botnets and npm supply-chain attacks signaled expanding attack surfaces. Persistent gaps in cybersecurity governance, vendor oversight, and incident response emphasized the urgent need for patching, credential hygiene, and cross-sector resilience.
Proactive Defense and Strategic Foresight
Proactive defense demands rigorous patch management, credential rotation, and third-party risk mitigation, as seen in Akira’s exploitation of inherited SonicWall VPNs and Gainsight’s supply chain breach. Strategic foresight must anticipate hybrid threats like North Korea’s ransomware-propaganda fusion in “Korean Leaks” and AI-driven crime via WormGPT, requiring cross-sector intelligence sharing and AI governance frameworks. Legacy system modernization is critical, evidenced by NTLM protocol abuses and prolonged Scottish council recovery, while emerging risks like “Promptware” calendar attacks and IoT botnets (ShadowV2) necessitate adaptive monitoring. Organizations must prioritize zero-trust principles, enforce MFA, and validate incident response plans to counter state-aligned actors and evolving ransomware tactics.
Evolving Ransomware and Malware Tactics
Ransomware and malware operations grew more coordinated and disruptive this week, with criminal groups increasingly partnering with state-aligned actors. Qilin’s collaboration with North Korean operatives highlighted how financial extortion campaigns now intersect with geopolitical objectives. Attackers continued exploiting inherited IT assets, third-party vendors, and unpatched vulnerabilities, particularly SonicWall SSL VPN flaws, to achieve rapid network compromise. AI-powered malware development and large-scale supply chain intrusions through Salesforce-integrated platforms and npm ecosystems intensified overall risk. Zero-day exploitation in critical software such as Oracle E-Business Suite and Twonky Server further expanded attack surfaces across global enterprises. Meanwhile, social engineering campaigns evolved through advanced phishing lures, fake support ticket workflows, and malicious calendar subscription attacks. Collectively, these trends underscore the urgent need for accelerated patching, MFA enforcement, legacy system audits, and stronger vendor security governance.
State-Sponsored and Organized Cybercrime Convergence
The convergence of state-sponsored and organized cybercrime is accelerating, driven by shared infrastructure, hybrid tactics, and mutual benefit. Iranian cyber-terror units (e.g., Department 40) and North Korean collaborations with ransomware groups (Qilin/Moonstone Sleet) exemplify state actors adopting criminal tools for deniable operations, while cybercriminals leverage state-aligned tactics for profit. Attacks like “Korean Leaks” and Akira’s exploitation of inherited IT assets reveal blurred lines: ransomware campaigns now destabilize markets, and state hackers monetize intrusions. Supply chain compromises (e.g., Gainsight, MSPs) and AI-enhanced tools (WormGPT, KawaiiGPT) further enable scalable, low-effort attacks. This symbiosis erodes traditional attribution boundaries, amplifies global risks, and demands coordinated defense against both geopolitical and profit-driven threats.
Operational and Tactical Implications
Operational Implications: State-sponsored cyber-kinetic operations (Iran’s Department 40) and ransomware alliances (Qilin-Moonstone Sleet) demand cross-sector threat intelligence sharing and integrated cyber-physical defense protocols. Third-party risks (Mixpanel, Gainsight) and inherited vulnerabilities (SonicWall SSL VPN) necessitate rigorous vendor audits, M&A cybersecurity due diligence, and accelerated legacy system modernization. Critical infrastructure disruptions (OnSolve, London councils) highlight the urgency of resilient backup systems and contingency planning for essential services.
Tactical Implications: Rapid exploitation of zero-days (Cl0p, CVE-2025-26633) and AI-driven attacks (WormGPT, Promptware) require proactive patching, AI input validation, and behavioral detection. Social engineering (Contagious Interview, voice phishing) and supply chain compromises (npm, Salesforce) mandate enhanced user training, MFA enforcement, and OAuth token monitoring. Ransomware’s shift to hybrid financial-political motives (Korean Leaks) and IoT botnets (ShadowV2) call for segmented networks, credential rotation, and real-time DDoS mitigation. Persistent NTLM/North Korean macOS threats underscore protocol modernization and endpoint hardening.
Forward-Looking Recommendations
- Prioritize patching legacy systems and enforcing strict credential management post-M&A to mitigate risks from inherited vulnerabilities in devices like SonicWall VPNs.
- Adopt zero-trust principles for third-party vendors, including rigorous supply chain audits and real-time monitoring of OAuth tokens and API integrations.
- Transition from outdated protocols (NTLM) to modern alternatives (Kerberos) and enforce SMB signing to block authentication-based attacks.
- Implement AI-specific defenses, including client-side monitoring for prompt injection attacks and restrictions on AI tool usage in sensitive workflows.
- Enhance ransomware resilience via segmented backups, rapid incident response plans, and collaboration with law enforcement on infrastructure takedowns.
- Mandate multi-factor authentication and certificate validation updates for critical libraries (e.g., node-forge) to prevent cryptographic bypasses.
- Develop counter-espionage strategies against state-aligned threats, including deception technologies and hardened network segmentation for high-value assets.
- Accelerate migration from unsupported software (Twonky Server) and establish proactive lifecycle management for IoT/OT devices.
- Expand cybersecurity training to address emerging social engineering vectors like calendar-based threats and AI-generated phishing campaigns.
- Strengthen international frameworks for combating commercial spyware through export controls and coordinated vulnerability disclosure programs.
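As an added example supporting the NTLM-to-Kerberos and SMB signing recommendation above (not part of the VerSprite digest), the following PowerShell script inventories which accounts and source hosts still authenticate with NTLM and reports whether SMB signing is already required. It assumes an elevated session on a domain-joined Windows 10/Server 2016 or later host with read access to the Security event log; the 7-day window is an arbitrary choice.

```powershell
# Added example (not from the VerSprite digest): inventory NTLM use and SMB signing
# state before enforcing Kerberos-only authentication. Assumes an elevated PowerShell
# session on a domain-joined Windows host; the lookback window is a constructed choice.

# 1. Report whether SMB signing is required on the server and client side of this host.
$server = Get-SmbServerConfiguration
$client = Get-SmbClientConfiguration
[pscustomobject]@{
    ServerRequireSigning = $server.RequireSecuritySignature
    ClientRequireSigning = $client.RequireSecuritySignature
} | Format-List

# 2. Parse successful logons (Event ID 4624) from the last 7 days and extract the
#    authentication package, logon type, account and source address from the event XML.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                       -ErrorAction SilentlyContinue
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }
    [pscustomobject]@{
        AuthPackage = $data['AuthenticationPackageName']
        LogonType   = $data['LogonType']
        Account     = $data['TargetUserName']
        Source      = $data['IpAddress']
    }
}

# 3. Share of logons per package: a large NTLM share means legacy clients or services
#    will break if NTLM is disabled, so they must be migrated first.
$rows | Group-Object AuthPackage | Select-Object Name, Count | Sort-Object Count -Descending

# 4. NTLM network logons (type 3) grouped by account and source, the list to work through
#    host by host when migrating to Kerberos.
$rows | Where-Object { $_.AuthPackage -eq 'NTLM' -and $_.LogonType -eq '3' } |
    Group-Object Account, Source | Select-Object Name, Count | Sort-Object Count -Descending

# 5. Enforcement step, left commented out: run only after the NTLM inventory above is clean,
#    since requiring signing breaks clients that cannot sign.
# Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
# Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
```

Run the audit on domain controllers as well as member servers, since NTLM logons for network resources are logged on the host that was authenticated to, not on the client.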