
F5 Threat Report - December 3rd, 2025

Hundreds of Abandoned iCalendar Sync Domains Put Nearly 4 Million Devices at Risk

A study has found that more than 390 abandoned or hijacked iCalendar sync domains still receive daily synchronization requests from nearly 4 million iOS and macOS devices. When a user subscribes to an external calendar, the device keeps fetching updates as .ics files from the subscribed URL for as long as the subscription exists, so an attacker who registers the expired domain can serve malicious .ics files whose events, links, phishing URLs and prompts to install unwanted applications appear as legitimate entries in the user's calendar. Apple's calendar sync daemon identifies itself with user-agent strings such as `dataaccessd/1.0` and polls continuously. Further investigation tied the hijacked servers to JavaScript payloads that trick users into granting browser push-notification permission or subscribing to spam calendars, overlapping with large-scale notification-scam campaigns and with infrastructure previously compromised by the Balada Injector malware. Most of this activity relies on social engineering, but some campaigns have delivered weaponized .ics files that exploit software flaws, notably CVE-2025-27915, a stored cross-site scripting bug in the Zimbra Classic Web Client triggered by a crafted .ics attachment, which allows JavaScript execution without user interaction. Security researchers warn that calendar-based threats are an overlooked attack vector and recommend that organizations review active calendar subscriptions, enforce whitelist-based firewall rules for calendar sync traffic, and add calendar security to employee awareness training to reduce exposure to large-scale phishing, malware delivery and data harvesting.
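As an added example, not code from the report or from the study it summarizes, the following Python script parses an .ics feed the way a mail gateway or an analyst would: it unfolds RFC 5545 continuation lines, pulls every URL out of the link-bearing properties of each VEVENT, and flags links whose host is not on an allowlist as well as webcal:// links that would plant a further subscription. The feed and the allowlist are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Hosts a calendar feed is allowed to link to (assumption for this example).
ALLOWED_HOSTS = {"calendar.example.com", "www.example.com"}

# Properties that commonly carry links; X-ALT-DESC holds HTML descriptions.
LINK_PROPERTIES = ("URL", "DESCRIPTION", "LOCATION", "SUMMARY", "X-ALT-DESC", "ATTACH")
URL_RE = re.compile(r"(?:https?|webcal)://[^\s<>\"']+", re.IGNORECASE)

# Constructed feed: a scare-style event whose DESCRIPTION spans a folded line
# (CRLF followed by one space, RFC 5545 section 3.1) and whose URL property
# would plant another subscription if the user taps it.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "PRODID:-//constructed sample//EN\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:evt-1@feed.invalid\r\n"
    "SUMMARY:Your iPhone was hacked\r\n"
    "DESCRIPTION:Open https://login.example.com/verify to fix it now\r\n"
    "  and confirm at https://calendar.example.com/ok\r\n"
    "URL:webcal://feed.invalid/?webcal=abc123\r\n"
    "END:VEVENT\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:evt-2@feed.invalid\r\n"
    "SUMMARY:Team sync\r\n"
    "LOCATION:https://www.example.com/room/4\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)


def unfold(text):
    """Join folded lines: a line break followed by one space or tab is a continuation."""
    return re.sub(r"\r?\n[ \t]", "", text)


def iter_events(text):
    """Yield one {property_name: value} dict per VEVENT; parameters after ';' are dropped."""
    event = None
    for line in unfold(text).splitlines():
        if not line:
            continue
        name, _, value = line.partition(":")
        name = name.split(";", 1)[0].upper()
        if name == "BEGIN" and value.upper() == "VEVENT":
            event = {}
        elif name == "END" and value.upper() == "VEVENT" and event is not None:
            yield event
            event = None
        elif event is not None:
            # Repeated properties (e.g. several ATTACH lines) are concatenated.
            event[name] = event.get(name, "") + " " + value


def triage_ics(text, allowed_hosts=ALLOWED_HOSTS):
    """Return one finding per suspicious URL: {uid, property, url, reasons}."""
    findings = []
    for event in iter_events(text):
        for prop in LINK_PROPERTIES:
            for url in URL_RE.findall(event.get(prop, "")):
                parsed = urlparse(url)
                host = (parsed.hostname or "").lower()
                reasons = []
                if parsed.scheme.lower() == "webcal":
                    reasons.append("webcal subscription link")
                if host not in allowed_hosts:
                    reasons.append("host not on allowlist")
                if reasons:
                    findings.append({
                        "uid": event.get("UID", "").strip(),
                        "property": prop,
                        "url": url,
                        "reasons": reasons,
                    })
    return findings


if __name__ == "__main__":
    for f in triage_ics(SAMPLE_ICS):
        print(f"{f['uid']:<22} {f['property']:<12} {f['url']}  <- {', '.join(f['reasons'])}")
```

The unfolding step matters: a folded DESCRIPTION hides the second half of a URL from a naive line-by-line grep, which is exactly where a phishing link tends to land. Escaped text (`\,` `\;` `\n`) is left as-is here; a production scanner should unescape before matching.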

Severity: Critical

Sources

Threat Details and IOCs

Malware:Balada Injector
CVEs:CVE-2025-27915
Technologies:Apple iOS, Apple macOS, Zimbra Collaboration
Threat Actors:APT28, UNC1151
Attacker IPs:193.29.58.37
Attacker Emails:spam_to_junk@proton.me
Attacker Domains:0.allowandgo.com, 0.blueandbesthome.com, 0.mo12.biz, 1downloadss0ftware.xyz, bestresulttostart.com, ffrk.net, linetoslice.com, linetowaystrue.com, mo17.biz, mos3.biz, perfectlinestarter.com, readytocheckline.com, recordsbluemountain.com, taskscompletedlists.com, topwebsites1d.com
Attacker URLs:http://mos3.biz/?webcal=me2tanrymi5gi3bpgu4tmna&u=230c9837-23ee-4208-8df0-1fa854490c90&l=24&t=1620652575&g=3&al=ar&sub1=&sub2=&sub3=&sub4=b0690ftho9zwh124, https://mo17.biz/?p=gy3ggyrzgm5gi3bpgy2dsny, https://mo17.biz/?webcal=me2tanrymi5gi3bpgu4tmna&u=230c9837-23ee-4208-8df0-1fa854490c90&l=24&t=1620652575&g=3&al=ar&sub1=&sub2=&sub3=&sub4=b0690ftho9zwh124, hxxps://ffrk.net/apache2_config_default_51_2_1
Attacker Hashes:e05c546f30212173ba878c31bbd8b93216cab1e847676b7bae870719f37dd7a5
Victim Industries:Government, Technology Hardware
Victim Countries:Brazil, China

Mitigation Advice

  • Instruct all users to immediately review their calendar subscriptions on all corporate and BYOD Apple devices (iOS and macOS) and remove any unrecognized or unnecessary subscriptions.
  • Configure network monitoring to alert on outbound requests from Apple devices that carry both the user-agent 'dataaccessd/1.0' and an 'Accept: text/calendar' header and are destined for uncategorized or non-approved domains. Both headers sit inside TLS, so this rule only works on forward-proxy logs or TLS-inspected traffic; where that is unavailable, alert instead on DNS queries or TLS SNI values from managed Apple devices that match the attacker domains listed above.
  • If your organization uses the Zimbra Collaboration Suite, immediately apply the vendor-supplied patches to mitigate the actively exploited cross-site scripting vulnerability, CVE-2025-27915.
  • Send an immediate security bulletin to all employees warning them about the risks of unsolicited calendar events and browser push notification prompts. Instruct them to decline all unexpected requests to 'Allow' notifications and to avoid clicking links in suspicious calendar entries.

Compliance Best Practices

  • Develop and implement a network firewall policy that whitelists approved domains for iCalendar synchronization and blocks all other outbound requests matching the 'dataaccessd/1.0' user-agent.
  • Update the corporate security awareness training program to include a dedicated module on the risks of calendar subscriptions, phishing via calendar events, and social engineering tactics used in browser push notification scams.
  • Develop and deploy a Mobile Device Management (MDM) configuration profile to restrict or disable the ability for users to add arbitrary calendar subscriptions on corporate-managed iOS and macOS devices.
  • Configure the email security gateway to specifically inspect incoming `.ics` file attachments for malicious links and embedded scripts, and consider implementing content disarm and reconstruction (CDR) for these files.
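As an added example (not code from the report), the Python detector below implements the alerting rule from the Mitigation Advice above and the domain allowlist from the Compliance Best Practices above over a constructed newline-delimited JSON proxy export: it flags any calendar sync (user-agent `dataaccessd/<version>` with `Accept: text/calendar`) to a host outside the sync allowlist, and any request at all whose registrable domain is on this report's attacker-domain list. The log records, the allowlist and the field names are assumptions for the example; real proxy exports will name the fields differently.

```python
import json

# Calendar endpoints managed Apple devices are expected to sync with
# (assumption for this example; populate from your own MDM inventory).
CALENDAR_ALLOWLIST = {"caldav.icloud.com", "calendar.google.com", "outlook.office365.com"}

# Subset of the attacker domains listed in this report's Threat Details.
IOC_DOMAINS = {"mo17.biz", "mos3.biz", "ffrk.net", "linetoslice.com"}

# Constructed proxy export, one JSON object per request (not real telemetry).
SAMPLE_LOG = """\
{"ts":"2025-12-01T08:00:01Z","src":"10.0.4.21","host":"caldav.icloud.com","method":"PROPFIND","user_agent":"dataaccessd/1.0","accept":"text/calendar"}
{"ts":"2025-12-01T08:00:05Z","src":"10.0.4.21","host":"mo17.biz","method":"GET","user_agent":"dataaccessd/1.0","accept":"text/calendar"}
{"ts":"2025-12-01T08:00:09Z","src":"10.0.4.37","host":"cal.unknown-feed.net","method":"GET","user_agent":"dataaccessd/1.0","accept":"text/calendar"}
{"ts":"2025-12-01T08:00:12Z","src":"10.0.4.37","host":"mos3.biz","method":"GET","user_agent":"Mozilla/5.0 (Macintosh)","accept":"text/html"}
{"ts":"2025-12-01T08:00:15Z","src":"10.0.4.50","host":"www.example.com","method":"GET","user_agent":"Mozilla/5.0 (iPhone)","accept":"text/html"}
"""


def registrable_domain(host):
    """Crude eTLD+1: the last two labels. Fine for .biz/.net; use a Public Suffix List library for ccTLDs."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_calendar_sync(rec):
    """Apple's calendar sync daemon identifies itself as dataaccessd/<version> and asks for text/calendar."""
    ua = rec.get("user_agent", "")
    return ua.startswith("dataaccessd/") and "text/calendar" in rec.get("accept", "")


def classify(rec, allowlist=CALENDAR_ALLOWLIST, iocs=IOC_DOMAINS):
    """Return (severity, reason) for one request, or None if it is benign under these rules."""
    host = rec.get("host", "").lower()
    if registrable_domain(host) in iocs:
        return ("high", f"destination {host} is a listed calendar-spam domain")
    if is_calendar_sync(rec) and host not in allowlist:
        return ("medium", f"calendar sync to non-allowlisted host {host}")
    return None


def detect(log_text):
    """Run the rules over newline-delimited JSON and return alert dicts in log order."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        verdict = classify(rec)
        if verdict:
            severity, reason = verdict
            alerts.append({"ts": rec["ts"], "src": rec["src"], "host": rec["host"],
                           "severity": severity, "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['ts']} {a['severity']:<6} {a['src']:<12} {a['reason']}")
```

The same CALENDAR_ALLOWLIST is what the firewall policy enforces; running the detector first shows which legitimate feeds your users actually rely on before the policy flips to default-deny for `dataaccessd` traffic. The IOC rule deliberately ignores the user-agent, since the same domains also serve the notification-scam pages to ordinary browsers.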

Microsoft Teams Guest Chat Flaw Could Let Hackers Deliver Malware

A critical weakness in Microsoft Teams guest chat lets attackers bypass Defender for Office 365 protections through an architectural gap in cross-tenant collaboration. When a user accepts a guest invitation into an external Teams tenant, that user's chats are governed by the hosting tenant's security policies, and an attacker who owns a low-cost Microsoft 365 tenant without Defender for Office 365 can simply leave those protections off. The November 2025 rollout tracked as Microsoft 365 Message Center item MC1182004, which enables chats with anyone by email address by default, makes the attack practical: the attacker invites targets into the unprotected tenant and delivers phishing links or malware that the victim's own tenant never inspects. To mitigate, organizations should restrict B2B guest invitations to trusted domains in Microsoft Entra ID, configure granular cross-tenant access policies, limit external Teams communication to specific domains through the Teams Admin Center, and consider turning the MC1182004 capability off with the PowerShell command `Set-CsTeamsMessagingPolicy -UseB2BInvitesToAddExternalUsers $false`. The underlying point is that security protections follow the resource tenant, not the user's home tenant, a distinction organizations must account for in their collaboration policies.

Severity: Critical

Sources

Threat Details and IOCs

Technologies:Microsoft 365, Microsoft Entra ID, Microsoft Teams
Victim Industries:Critical Manufacturing, Financial, Government

Mitigation Advice

  • In Microsoft Entra ID, go to 'External Identities' -> 'External collaboration settings' and, under 'Collaboration restrictions', select 'Allow invitations only to the specified domains (most restrictive)'. Populate the list with currently known and trusted partner domains.
  • In the Microsoft Teams Admin Center, under 'Users' -> 'External access', set the policy for Teams and Skype for Business users in external organizations to 'Allow only specific external domains' and add the domains of trusted business partners.
  • Connect to Microsoft Teams with PowerShell (Connect-MicrosoftTeams) and run 'Set-CsTeamsMessagingPolicy -Identity Global -UseB2BInvitesToAddExternalUsers $false' to stop users starting chats with external people by email address alone. Repeat for any custom messaging policies, since a policy assigned to a user overrides Global.
  • In Microsoft Entra ID, under 'External Identities' -> 'Cross-tenant access settings', set the default settings to block inbound and outbound B2B collaboration and B2B direct connect for both users and applications, then add organizational settings that allow only vetted partner tenants; without those per-organization exceptions the default block also cuts off legitimate collaboration. For this particular flaw, the outbound B2B collaboration setting is the one that controls whether your users can accept guest invitations into other tenants.

Compliance Best Practices

  • Develop and implement a formal policy and process for vetting, approving, and periodically reviewing external organizations for Teams collaboration. Use this process to manage the allowlists in Entra ID's cross-tenant access settings and the Teams Admin Center.
  • Develop and deploy a recurring security awareness training module that specifically educates users on the risks of accepting Microsoft Teams guest invitations from unknown organizations. The training should explain that security protections do not carry over and should instruct users on how to verify and report suspicious invitations.

DPRK-Linked Kimsuky and Lazarus Coordinate Espionage and Financial Theft via CVE-2024-38193

Kimsuky and Lazarus, both under DPRK control, run a coordinated campaign that pairs Kimsuky's targeted espionage with Lazarus's financial theft. Kimsuky opens with academic-themed spearphishing carrying malicious HWP (Hangul Word Processor) and MSC (Microsoft Management Console snap-in) attachments to harvest credentials and reconnaissance data, then deploys backdoors such as FPSpy and the KLogEXE keylogger. Lazarus follows with CVE-2024-38193, a Windows AFD.sys (Ancillary Function Driver for WinSock) elevation-of-privilege flaw that was exploited as a zero-day before its August 2024 patch, to gain SYSTEM privileges, and with malicious Node.js/npm packages to deliver the InvisibleFerret backdoor used for cryptocurrency wallet theft. The groups share C2 infrastructure, intelligence and tooling, and evade detection with encrypted or HTTP-mimicking C2 traffic, multi-layer packing, the FudModule rootkit (used to disable security tooling), domain rotation and anti-EDR capabilities. The collaboration has produced rapid exfiltration of sensitive documents and significant cryptocurrency thefts, including a single $32 million incident and more than $120 million cumulatively since 2024. The campaign maps to MITRE ATT&CK techniques including Phishing (T1566), Input Capture (T1056), Exploitation for Privilege Escalation (T1068), Command and Scripting Interpreter (T1059), Ingress Tool Transfer (T1105), Boot or Logon Autostart Execution (T1547), Obfuscated Files or Information (T1027), Application Layer Protocol (T1071), Exfiltration Over C2 Channel (T1041), Valid Accounts (T1078) and Domain Policy Modification (T1484). The indicators quoted in the source summary, FPSpy (MD5: a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6), InvisibleFerret (MD5: f6e5d4c3b2a1f0e9d8c7b6a5f4e3d2c1) and a shared C2 address given as 192.168.xxx.xxx, read as placeholder values (sequential hex and a private address range) rather than real indicators; the hashes, IPs and domains under Threat Details below are the operational ones. The academic lure domain academic-symposium[.]info and the exploitation of CVE-2024-38193 remain the campaign's distinguishing markers.

Severity: Critical

Sources

Threat Details and IOCs

Malware:Agenda, AkdoorTea, AlphaSeed, AppleJeus, AppleSeed, ATMDtrack, BabyShark, BeaverTail, Dtrack, FPSpy, FudModule, InfoKey, InvisibleFerret, JamBog, Kaiten, KGH_SPY, KLogEXE, MoonPeak, OtterCookie, Play, Playcrypt, Qilin, RokRAT, TrollAgent, Troll Stealer, Tropidoor, Tsunami, TsunamiKit, XenoRAT, XORIndex
CVEs:CVE-2017-0199, CVE-2018-13379, CVE-2019-0708, CVE-2020-12812, CVE-2022-42475, CVE-2023-27532, CVE-2023-27997, CVE-2024-21762, CVE-2024-27198, CVE-2024-38193, CVE-2024-55591
Technologies:Apple macOS, Atlassian Bitbucket, BtcTurk, Bybit, DMM Bitcoin, ESTsoft ALZIP, Exclusible, GitHub, GitLab, Google Chrome, Hancom Hangul Word Processor, JSONsilo, Keeper, LinkedIn, Linux, MetaMask, Microsoft .NET Framework, Microsoft Windows, Munchables, Node.js, npm, npoint.io, OnyxDAO, Pastebin, Phantom, Python, Radiant Capital, TronLink, WazirX
Threat Actors:Agenda, AlluringPisces, Andariel, APT37, APT38, APT43, APT45, Beavertail, BlackBanshee, Bluenoroff, CitrineSleet, CL-STA-0240, CryptoCore, DeceptiveDevelopment, DEV#POPPER, EmeraldSleet, FamousChollima, GleamingPisces, GwisinGang, InvisibleFerret, JadeSleet, Kimsuky, Lazarus, LazarusGroup, MoonstoneSleet, OnyxSleet, OtterCookie, Qilin, SapphireSleet, SilentChollima, SparklingPisces, StardustChollima, Temp.Hermit, TenaciousPungsan, Thallium, TraderTraitor, UNC4899, UNC5342, VelvetChollima, VoidDokkaebi, WageMole
Attacker Countries:North Korea, Russia
Attacker IPs:104.200.67.96, 107.189.25.109, 144.172.100.142, 144.172.103.97, 144.172.95.226, 144.172.97.7, 146.70.253.10, 146.70.253.107, 147.124.197.138, 147.124.197.149, 147.124.212.146, 147.124.212.89, 147.124.214.129, 147.124.214.131, 147.124.214.237, 165.140.86.227, 167.88.36.13, 172.86.84.38, 172.86.98.240, 173.211.106.101, 185.153.182.241, 185.235.241.208, 216.126.229.166, 216.189.150.185, 23.106.253.194, 23.106.253.215, 23.106.253.221, 23.106.253.242, 23.106.70.154, 23.227.202.242, 23.227.202.244, 23.254.164.156, 38.92.47.151, 38.92.47.85, 38.92.47.91, 45.128.52.14, 45.137.213.30, 45.43.11.201, 45.61.133.110, 45.61.150.30, 45.61.150.31, 45.61.151.71, 45.76.160.53, 5.253.43.122, 66.235.168.232, 66.235.175.109, 67.203.7.163, 67.203.7.171, 69.62.86.78, 72.61.9.45, 86.104.74.51, 88.218.0.78, 94.131.97.195, 95.164.17.24
Attacker Emails:ahmadbahai07@gmail.com, drgru854@gmail.com, jackhill2765@gmail.com, jack.murray.tf7@gmail.com, magalhaesbruno236@gmail.com, reichenausteve@gmail.com, stromdev712418@gmail.com, trungtrinh0818@gmail.com
Attacker Domains:advisorflux.com, api.jsonsilo.com, api.npoint.io, app.lenvny.com, assureeval.com, bitbucket.org, bloxholder.com, carrerlilla.com, cloudflariz.com, cookiemanager.ne.kr, effertz-carroll.com, evangelia.edu, freeconference.io, ftpserver0909.com, generated.photos, github.com, gitlab.com, ipcheck.cloud, jsonkeeper.com, jsonsilo.com, kupaywallet.com, lenvny.com, load.samework.o-r.kr, mirotalk.io, mirotalk.net, n34kr3z26f3jzp4ckmwuv5ipqyatumdxhgjgsmucc65jac56khdy5zqd.onion, naverbox.pe.kr, nidiogln.ne.kr, npoint.io, pastebin.com, railway.app, regioncheck.net, thispersondoesntexist.com, unioncrypto.vip, wud.wuaze.com, www.jsonkeeper.com
Attacker URLs:http://147.124.214.129:1244, http://173.211.106.101:1245, https://app.lenvny.com/cam-v-abc123.fix, hxxp://146.70.253.107:1224/client/99/81, hxxp://146.70.253.107:1224/pdown, hxxp://23.254.164.156/introduction-video, hxxp://n34kr3z26f3jzp4ckmwuv5ipqyatumdxhgjgsmucc65jac56khdy5zqd.onion, hxxps://api.jsonsilo.com/public/0048f102-336f-45dd-aef6-3641158a4c5d, hxxps://api.jsonsilo.com/public/942acd98-8c8c-47d8-8648-0456b740ef8b, hxxps://api.npoint.io/03f98fa639fa37675526, hxxps://api.npoint.io/148984729e1384cbe212, hxxps://api.npoint.io/2169940221e8b67d2312, hxxps://api.npoint.io/336c17cbc9abf234d423, hxxps://api.npoint.io/38acf86b6eb42b51b9c2, hxxps://api.npoint.io/62755a9b33836b5a6c28, hxxps://api.npoint.io/832d58932fcfb3065bc7, hxxps://api.npoint.io/8df659fd009b5af90d35, hxxps://api.npoint.io/a1dbf5a9d5d0636edf76, hxxps://api.npoint.io/cb0f9d0d03f50a5e1ebe, hxxps://api.npoint.io/e6a6bfb97a294115677d, hxxps://api.npoint.io/f4be0f7713a6fcdaac8b, hxxps://api.npoint.io/f6dd89c1dd59234873cb, hxxps://github.com/0x3ca54/arena-world, hxxps://github.com/adammajoros250-creator/123456ddd, hxxps://github.com/adammajoros250-creator/alex111, hxxps://github.com/adammajoros250-creator/Apexora-test, hxxps://github.com/adammajoros250-creator/bot111, hxxps://github.com/adammajoros250-creator/corex-arc-fork, hxxps://github.com/adammajoros250-creator/demotest, hxxps://github.com/carlotalentengine-sketch, hxxps://github.com/edwardtam919/staking-platform-main, hxxps://github.com/harrypotter060327-netizen/David-test, hxxps://github.com/harrypotter060327-netizen/eeeee, hxxps://github.com/harrypotter060327-netizen/Harry-Potter, hxxps://github.com/harrypotter060327-netizen/Test_Estoken, hxxps://github.com/harrypotter060327-netizen/TEST_LORD, hxxps://github.com/harrypotter060327-netizen/test_project, hxxps://github.com/InfiniGods-Tech/rei, hxxps://github.com/meta-stake/RaceStake, hxxps://github.com/meta-stake/RealEstateVC, hxxps://github.com/parth5805/iGuru-Task, hxxps://github.com/TommyMinion/DeFi-Market, hxxps://gitlab.com/goldencity-group/goldencity-demo, hxxps://gitlab.com/real-world-assest-tokenization/goldencity, hxxps://gitlab.com/technicalmanager-group/real-esate, hxxps://jsonkeeper.com/b/4NAKK, hxxps://jsonkeeper.com/b/6OCFY, hxxps://jsonkeeper.com/b/86H03, hxxps://jsonkeeper.com/b/8RLOV, hxxps://jsonkeeper.com/b/BADWN, hxxps://jsonkeeper.com/b/E4YPZ, hxxps://jsonkeeper.com/b/FM8D6, hxxps://jsonkeeper.com/b/GCGEX, hxxps://jsonkeeper.com/b/GNOX4, hxxps://jsonkeeper.com/b/IARGW, hxxps://jsonkeeper.com/b/IXHS4, hxxps://jsonkeeper.com/b/JV43N, hxxps://pastebin.com/u/AmendMinds7934, hxxps://pastebin.com/u/AmendMinds7934_LoverTumor2853, hxxps://pastebin.com/u/AmendMinds7934LoverTumor2853, hxxps://pastebin.com/u/NotingRobe2871, hxxps://pastebin.com/u/NotingRobe2871_FranzStill8494, hxxps://pastebin.com/u/NotingRobe2871FranzStill8494, hxxps://pastebin.com/u/ShadowGates1462, hxxps://pastebin.com/u/ShadowGates1462_PastPhys9067, hxxps://pastebin.com/u/ShadowGates1462PastPhys9067, hxxps://www.jsonkeeper.com/b/JNGUQ, hxxps://www.jsonkeeper.com/b/O2QKK, hxxps://www.jsonkeeper.com/b/RZATI, hxxps://www.jsonkeeper.com/b/T7Q4V, hxxps://www.jsonkeeper.com/b/VBFK7
Attacker Hashes:3aed5502118eb9b8c9f8a779d4b09e11, 5e2186e65f84726e8c8284d48db66805fc7e02ce43a73a7ac6bf5a5fff3a35e2, 84d25292717671610c936bca7f0626f5, 94ef379e332f3a120ab16154a7ee7a00, 9d9a25482e7e40e8e27fdb5a1d87a1c12839226c85d00c6605036bd1f4235b21, b29ddcc9affdd56a520f23a61b670134
Victim Industries:Construction, Cryptocurrency, Defense Industrial Base, Education, Financial Services, Financial Technology, Government, Healthcare, Information Technology, Insurance, Market Research, Real Estate, Software, Technology Hardware
Victim Countries:Argentina, Brazil, Cambodia, Canada, China, Colombia, Costa Rica, Egypt, Equatorial Guinea, France, Germany, Guinea, India, Indonesia, Japan, Kenya, Laos, Mexico, Netherlands, Nigeria, Pakistan, Philippines, Portugal, Russia, Serbia, South Korea, Tanzania, Turkey, United Arab Emirates, United Kingdom, United States, Vietnam

Mitigation Advice

  • Immediately apply the Windows security update for CVE-2024-38193 (released in the August 2024 Patch Tuesday cycle) to all affected systems.
  • Block the domain 'academic-symposium[.]info' at the web proxy, DNS firewall, and email gateway.
  • Add the file hashes listed under Threat Details above to your Endpoint Detection and Response (EDR) and antivirus blocklists. The FPSpy (a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6) and InvisibleFerret (f6e5d4c3b2a1f0e9d8c7b6a5f4e3d2c1) MD5 values quoted in the summary are sequential-hex placeholders rather than verified sample hashes; obtain real hashes for those families from your threat intelligence provider before blocking on them.
  • Configure email security gateways to block or quarantine inbound emails carrying HWP (Hangul Word Processor) and MSC (Microsoft Management Console snap-in) attachments. MSC files are executable content that opens in mmc.exe and have no legitimate reason to arrive by email from outside the organization.
  • Run threat-hunting queries in your SIEM and EDR for suspicious process behaviour, such as the Hangul Word Processor spawning 'winlogon.exe' (or any child process) or a non-browser process reading cryptocurrency wallet storage paths such as '%APPDATA%\MetaMask'.
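As an added example (not code from the report), the Python hunt below runs the queries described in this list over a constructed set of EDR process and file events: a Hangul Word Processor process spawning a child, a process bearing a Windows system binary name outside C:\Windows, mmc.exe opening an .msc from a user-writable directory (which is how an MSC attachment executes), a non-browser process reading cryptocurrency wallet storage, and an image whose MD5 matches a hash listed in the Threat Details above. The Hancom executable names, the wallet path markers and the events themselves are assumptions or constructed data.

```python
import ntpath

# MD5 hashes listed in this report's Threat Details.
IOC_MD5 = {
    "3aed5502118eb9b8c9f8a779d4b09e11",
    "84d25292717671610c936bca7f0626f5",
    "94ef379e332f3a120ab16154a7ee7a00",
    "b29ddcc9affdd56a520f23a61b670134",
}
# Hancom Office / Hangul Word Processor binaries (assumed names for this example).
HWP_IMAGES = {"hwp.exe", "hwpviewer.exe", "hword.exe"}
# Processes that legitimately touch wallet storage (browsers hosting the extensions).
WALLET_OK = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}
WALLET_MARKERS = ("\\metamask", "\\phantom", "\\tronlink")
# Binaries that only belong under C:\Windows; a copy elsewhere is masquerading.
SYSTEM_NAMES = {"winlogon.exe", "svchost.exe", "lsass.exe"}
USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\appdata\\", "\\public\\")

# Constructed EDR events (not real telemetry): process creations and file reads.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS-07", "parent": r"C:\Program Files\Hnc\Office\Hwp.exe",
     "image": r"C:\Users\kim\AppData\Local\Temp\winlogon.exe", "md5": "d41d8cd98f00b204e9800998ecf8427e"},
    {"type": "process", "host": "WS-07", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mmc.exe",
     "cmdline": r'mmc.exe "C:\Users\kim\Downloads\Symposium_Invite.msc"'},
    {"type": "file", "host": "DEV-12", "image": r"C:\Program Files\nodejs\node.exe",
     "path": r"C:\Users\dev\AppData\Roaming\MetaMask\vault.json"},
    {"type": "file", "host": "DEV-12", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\dev\AppData\Roaming\MetaMask\vault.json"},
    {"type": "process", "host": "DEV-12", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\dev\Downloads\update.exe", "md5": "3aed5502118eb9b8c9f8a779d4b09e11"},
    {"type": "process", "host": "WS-07", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "md5": "0" * 32},
]


def basename(path):
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def hunt(events):
    """Return (rule_name, event) pairs in event order; one event may trip several rules."""
    hits = []
    for ev in events:
        image = basename(ev.get("image", ""))
        if ev["type"] == "process":
            parent = basename(ev.get("parent", ""))
            cmd = ev.get("cmdline", "").lower()
            if parent in HWP_IMAGES:
                hits.append(("hwp_spawn", ev))
            if image in SYSTEM_NAMES and not ev["image"].lower().startswith("c:\\windows\\"):
                hits.append(("system_name_outside_windows", ev))
            if image == "mmc.exe" and ".msc" in cmd and any(d in cmd for d in USER_WRITABLE):
                hits.append(("msc_from_user_dir", ev))
            if ev.get("md5", "").lower() in IOC_MD5:
                hits.append(("ioc_hash", ev))
        elif ev["type"] == "file":
            path = ev.get("path", "").lower()
            if any(m in path for m in WALLET_MARKERS) and image not in WALLET_OK:
                hits.append(("wallet_access", ev))
    return hits


if __name__ == "__main__":
    for rule, ev in hunt(SAMPLE_EVENTS):
        print(f"{ev['host']:<7} {rule:<28} {ev.get('image')}")
```

The wallet rule keys on the parent-process identity rather than the path alone because the browser that hosts the extension reads the same files constantly; everything else that touches them is worth a look. Translate each rule into your EDR's query language one-for-one.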

Compliance Best Practices

  • Develop and implement a mandatory, recurring security awareness training program that focuses on identifying spearphishing emails and the risks of handling unsolicited attachments or links.
  • Implement application control policies, such as AppLocker, to restrict the execution of unauthorized scripts and executables, particularly in developer environments.
  • Establish a secure software development lifecycle (SDLC) policy that includes vetting all third-party libraries, such as those from npm, for known vulnerabilities or malicious code before they are approved for use.
  • Implement regular auditing and alerting for any modifications to Group Policy Objects (GPOs) to quickly detect unauthorized changes used for lateral movement.
  • Implement network segmentation to isolate critical assets, such as domain controllers and servers handling financial data, from the general user network.
  • Deploy a network security solution capable of TLS inspection to decrypt and analyze outbound web traffic for signs of command-and-control (C2) activity.
  • Establish and enforce a corporate policy that requires all company-managed cryptocurrency assets to be stored in hardware wallets and prohibits the use of software wallets on networked endpoints.

ShadowV2 Botnet Exploits AWS Outage to Infect IoT Devices in 28 Countries

ShadowV2, a Mirai-based botnet, surfaced during the widespread AWS outage in October 2025 and infected IoT devices across 28 countries and multiple sectors, including technology, retail, government and education. The activity, possibly a "test run" for later attacks, exploited known vulnerabilities in devices from DD-WRT (CVE-2009-2765), D-Link (CVE-2020-25506, CVE-2022-37055, CVE-2024-10914, CVE-2024-10915), DigiEver (CVE-2023-52163), TBK (CVE-2024-3721) and TP-Link (CVE-2024-53375). Infection began with a `binary.sh` downloader that fetched "shadow"-prefixed malware binaries from 81[.]88[.]18[.]108; the bot carries an XOR-encoded configuration that it decodes to reach its command-and-control server for DDoS tasking, and it prints the string "ShadowV2 Build v1.0.0 IoT version." ShadowV2's observed activity was confined to the outage window, but its emergence underscores how exposed IoT devices remain, a point driven home by the subsequent 15.72 Tbps DDoS attack on Azure by the Aisuru botnet, which Microsoft successfully mitigated.
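As an added example that is neither the botnet's code nor the report's, the Python below recovers a single-byte XOR key from a configuration blob by crib-dragging the version string the report quotes, then splits the decoded string table. The sample blob is constructed here and encoded with 0xDEADBEEF, the key Mirai's table.c uses (its four sequential byte XORs collapse to a single byte, 0x22); that ShadowV2 uses the same key is an assumption, and the NUL-separated table layout is a simplification of Mirai's length-prefixed entries.

```python
# String the report quotes from the binary; a known plaintext this long pins the key.
KNOWN_PLAINTEXT = b"ShadowV2 Build v1.0.0 IoT version"


def xor_with_byte(data, key):
    """XOR every byte of data with one key byte (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def mirai_table_key(k1, k2, k3, k4):
    """Mirai's table.c XORs each byte with four key bytes in turn; that collapses to one byte."""
    return k1 ^ k2 ^ k3 ^ k4


def recover_single_byte_key(blob, crib):
    """Try all 256 keys and return the one under which the crib appears, or None."""
    for key in range(256):
        if crib in xor_with_byte(blob, key):
            return key
    return None


def decode_config(blob, key):
    """Decode a NUL-separated string table (simplified; real Mirai stores length-prefixed entries)."""
    return [s.decode("ascii", "replace") for s in xor_with_byte(blob, key).split(b"\x00") if s]


# Constructed sample config: version banner, C2 host from this report's IOCs, and two
# typical Mirai table strings, encoded with the canonical key (assumption, see above).
_SAMPLE_ENTRIES = [
    KNOWN_PLAINTEXT,
    b"silverpath.shadowstresser.info",
    b"/bin/busybox",
    b"POST /cdn-cgi/ HTTP/1.1",
]
SAMPLE_KEY = mirai_table_key(0xDE, 0xAD, 0xBE, 0xEF)
SAMPLE_BLOB = xor_with_byte(b"\x00".join(_SAMPLE_ENTRIES) + b"\x00", SAMPLE_KEY)


if __name__ == "__main__":
    key = recover_single_byte_key(SAMPLE_BLOB, KNOWN_PLAINTEXT)
    print(f"recovered key: 0x{key:02x}")
    for entry in decode_config(SAMPLE_BLOB, key):
        print("  ", entry)
```

On a real sample the blob is the `.rodata` (or `.data`) table the unpacked binary references before its `toggle_obf`-style routine; carve it, run the recovery with the banner as the crib, and the C2 host and port strings fall out. A repeating multi-byte key needs the crib aligned to each key position, which this single-byte search does not attempt.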

Severity: Critical

Sources

Threat Details and IOCs

Malware:Airashi, Aisuru, Bash0day, BASHLITE, boatnet, Gafgyt, Gayfemboy, Hakai, Katana, LizardStresser, Lizkebab, LZRD, Miori, Mirai, Okiru, Pandora, Qbot, Satori, ShadowV2, SpeakUp, Torlus, TurboMirai, Yowai
CVEs:CVE-2009-2765, CVE-2020-25506, CVE-2022-37055, CVE-2023-52163, CVE-2024-10914, CVE-2024-10915, CVE-2024-3721, CVE-2024-53375
Technologies:Amazon Web Services, DD-WRT, Digiever, Digiever Network Video Recorders, D-Link, D-Link GO-RT-AC750, D-Link ShareCenter, Linux, TBK, TBK DVRs, TP-Link, TP-Link Archer
Threat Actors:LZRD
Attacker IPs:198.199.72.27, 23.97.62.139, 81.88.18.108
Attacker Domains:silverpath.shadowstresser.info
Attacker Hashes:0408d57c5ded5c79bf1c5b15dfde95547e17b81214dfc84538edcdbef4e61ffe, 22aa3c64c700f44b46f4b70ef79879d449cc42da9d1fe7bad66b3259b8b30518, 24ad77ed7fa9079c21357639b04a526ccc4767d2beddbd03074f3b2ef5db1b69, 499a9490102cc55e94f6a9c304eea86bbe968cff36b9ac4a8b7ff866b224739f, 5b5daeaa4a7e89f4a0422083968d44fdfe80e9a32f25a90bf023bca5b88d1e30, 6f1a5f394c57724a0f1ea517ae0f87f4724898154686e7bf64c6738f0c0fb7b6, 7dfbf8cea45380cf936ffdac18c15ad91996d61add606684b0c30625c471ce6a, 80ee2bf90545c0d539a45aa4817d0342ff6e79833e788094793b95f2221a3834, bb326e55eb712b6856ee7741357292789d1800d3c5a6be4f80e0cb1320f4df74, c0ac4e89e48e854b5ddbaef6b524e94cc86a76be0a7a8538bd3f8ea090d17fc2, c62f8130ef0b47172bc5ec3634b9d5d18dbb93f5b7e82265052b30d7e573eef3, cb42ae74216d81e87ae0fd51faf939b43655fe0be6740ac72414aeb4cf1fecf2, dfaf34b7879d1a6edd46d33e9b3ef07d51121026b8d883fdf8aced630eda2f83
Victim Industries:Education, Government, Hospitality, Information Technology, Managed Service Providers, Manufacturing, Retail, Technology Hardware, Telecommunications
Victim Countries:Australia, Austria, Belgium, Bolivia, Brazil, Canada, Chile, China, Croatia, Czech Republic, Egypt, France, Greece, Italy, Japan, Kazakhstan, Mexico, Morocco, Netherlands, Philippines, Russia, Saudi Arabia, South Africa, Taiwan, Thailand, Turkey, United Kingdom, United States

Mitigation Advice

  • Add the IP address 81.88.18.108 to the network firewall blocklist to prevent connections to and from the ShadowV2 malware delivery server.
  • Use your SIEM or EDR solution to search for executions of a script named 'binary.sh' and the presence of any files with the prefix 'shadow' on all endpoints.
  • Scan the network to identify all devices running DD-WRT firmware and immediately update any vulnerable instances to a version that patches CVE-2009-2765.
  • Scan the network to identify all D-Link devices vulnerable to CVE-2020-25506, CVE-2022-37055, CVE-2024-10914, or CVE-2024-10915. Apply vendor patches where available or isolate and plan for the replacement of end-of-life devices.
  • Scan the network to identify TBK DVRs vulnerable to CVE-2024-3721. Since no patch is available, isolate these devices from the network immediately and prioritize their replacement.
  • Scan the network to identify all TP-Link routers vulnerable to CVE-2024-53375 and apply the necessary firmware updates immediately.

Compliance Best Practices

  • Design and implement a separate network segment (VLAN) for all IoT devices to isolate them from critical business systems and user networks.
  • Develop and enforce an IoT security policy that defines standards for the procurement, deployment, configuration, and lifecycle management of all connected devices.
  • Establish a formal vulnerability management program that includes regular, automated scanning of all network assets, including IoT devices, to proactively identify and remediate vulnerabilities.
  • Implement a default-deny egress filtering policy on the network firewall, allowing outbound connections only for specifically approved protocols, ports, and destinations required for business operations.
  • Implement a Cloud Security Posture Management (CSPM) tool to continuously monitor AWS environments for misconfigurations and security risks in EC2 instances and other services.

ASUS Warns of Critical Auth Bypass Flaw (CVE-2025-59366) in AiCloud Routers

ASUS has released new firmware addressing nine security vulnerabilities, among them CVE-2025-59366, a critical authentication bypass affecting routers with AiCloud enabled. The flaw, which ASUS attributes to an unintended side effect of Samba functionality, lets a remote attacker chain a path traversal with an OS command injection to invoke specific functions without authorization; it requires low attack complexity and no user interaction. Users should update to the latest firmware in the 3.0.0.4_386, 3.0.0.4_388 and 3.0.0.6_102 series. For end-of-life models that will not receive updates, the mitigation is to disable every internet-accessible service (remote access from WAN, port forwarding, DDNS, VPN server, DMZ, port triggering and FTP), cut off remote access to devices running the vulnerable AiCloud software, and use strong passwords for router administration and wireless networks. This follows CVE-2025-2492, a previous critical authentication bypass patched in April 2025 that was exploited in "Operation WrtHug" to compromise thousands of ASUS WRT routers worldwide.
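The report does not show the AiCloud code, so the Python below is an added, generic illustration of the two weakness classes ASUS says were chained, path traversal (CWE-22) and OS command injection (CWE-78), and not ASUS's implementation: a weak handler that concatenates a caller-supplied path into a shell string sits beside a hardened version that canonicalises the path, confines it to the share root and builds an argv list so no shell ever parses it. SHARE_ROOT and the use of `ls` are assumptions for the example.

```python
import os
import shlex

# Directory a file-share handler is allowed to serve from (assumption for this example).
SHARE_ROOT = "/srv/share"


def vulnerable_build_command(user_path):
    """Illustrative weak pattern (NOT ASUS code): concatenation into a shell command line.

    Two defects in one string: '..' segments walk out of SHARE_ROOT (CWE-22), and any
    shell metacharacter in user_path is interpreted if this string reaches sh -c (CWE-78).
    """
    target = SHARE_ROOT + "/" + user_path
    return "ls -l " + target


def resolve_within_share(user_path, root=SHARE_ROOT):
    """Canonicalise user_path under root and refuse anything that resolves outside it."""
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    root = os.path.realpath(root)
    # lstrip('/') so an absolute path is treated as relative to root; os.path.join would
    # otherwise discard root entirely when the second argument is absolute.
    candidate = os.path.realpath(os.path.join(root, user_path.lstrip("/")))
    # commonpath, not startswith: '/srv/share2/x' starts with '/srv/share' but is outside it.
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"path escapes share root: {user_path!r}")
    return candidate


def safe_argv(user_path):
    """Build an argv list for exec-style invocation; with no shell there is nothing to inject into.

    '--' stops a path beginning with '-' from being read as an option.
    """
    return ["ls", "-l", "--", resolve_within_share(user_path)]


def render_for_log(argv):
    """If the command must be shown or logged as one string, quote it; never run this string."""
    return shlex.join(argv)


if __name__ == "__main__":
    hostile = "../../etc/passwd; id"
    print("weak  :", vulnerable_build_command(hostile))
    try:
        safe_argv(hostile)
    except PermissionError as exc:
        print("safe  :", exc)
    print("argv  :", render_for_log(safe_argv("photos/a; id")))
```

realpath resolves symlinks before the containment check, so a symlink planted inside the share that points at /etc is rejected as well; a check on the textual path alone would miss it. Run the resulting argv with subprocess.run(argv) (no shell=True), or the equivalent execve in C.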

Severity: Critical

Sources

Threat Details and IOCs

Malware:PoisonPlug, RingReaper, ShadowPad
CVEs:CVE-2023-41345, CVE-2023-41348, CVE-2024-12912, CVE-2025-12003, CVE-2025-2492, CVE-2025-59365, CVE-2025-59366, CVE-2025-59368, CVE-2025-59369, CVE-2025-59370, CVE-2025-59371, CVE-2025-59372, CVE-2025-59373
Technologies:ASUS, ASUS ASUSWRT, ASUS Router, ASUSWRT, Linux, Microsoft Windows, Samba
Threat Actors:AyySSHush
Attacker Countries:China
Victim Industries:Consumer Electronics, Hospitality, Retail, Technology Hardware
Victim Countries:Austria, Brunei, Cambodia, Croatia, Czech Republic, Germany, Hungary, Indonesia, Laos, Liechtenstein, Malaysia, Myanmar, Philippines, Poland, Russia, Singapore, Slovakia, Slovenia, Switzerland, Taiwan, Thailand, Timor-Leste, United States, Vietnam

Mitigation Advice

  • Identify all ASUS routers on the network and update their firmware to the latest version to patch CVE-2025-59366 and other listed vulnerabilities.
  • For any ASUS routers that cannot be immediately patched or do not require the AiCloud feature, disable AiCloud to remove the primary attack vector for CVE-2025-59366.
  • On unpatchable or end-of-life ASUS routers, disable all remote administration access from the WAN.
  • On unpatchable or end-of-life ASUS routers, disable the built-in VPN server functionality to reduce the external attack surface.
  • Review and disable all non-essential port forwarding, DMZ, and port triggering rules on ASUS routers that cannot be updated.
  • On unpatchable or end-of-life ASUS routers, disable the built-in FTP server to prevent potential exploitation.

Compliance Best Practices

  • Establish and enforce a hardware lifecycle management policy to ensure network devices like routers are replaced before they reach end-of-life and no longer receive security patches.
  • Implement a network security policy that requires all non-essential services on internet-facing devices to be disabled by default.
  • Enforce a strong password policy for all network device administrative accounts, requiring unique, complex passwords and periodic audits for compliance.
  • Develop a formal vulnerability management program that includes regular, automated scanning of all network perimeter devices to identify outdated firmware, open ports, and insecure configurations.


Published Dec 01, 2025
Version 1.0