Welcome to your biweekly digest of curated cybersecurity intelligence.
Every two weeks, we bring you expert insights and handpicked articles covering the latest threats, threat actor activity, vulnerabilities, incident trends, and defensive strategies. Whether you’re on the front lines or shaping your organization’s security posture, Security Signals delivers the information you need to stay informed and ready.
For more articles, check out our #onpatrol4malware blog.
Turn Insights Into Action with Free Threat Intel
Security Signals gives you the insights, and our Risk Indicators OSINT feeds help you apply them.
This Edition’s Articles
Autumn Dragon: China-nexus APT Group Targets South East Asia
Source: CyberArmor
(Published: 18 November 2025)
Since early 2025, China’s involvement in the Indo-Pacific has become more pronounced, from escalating maritime tensions to acting as peace broker for Myanmar’s military junta and, more recently, espionage against the joint exercises that the Philippine naval forces have been conducting with the US, Australia, Canada and New Zealand. Read more.
Cloudflare outage on November 18, 2025
Source: Cloudflare
(Published: 18 November 2025)
On November 18, 2025, Cloudflare experienced an outage that affected a portion of traffic on its network. Read more.
Fortinet warns of new FortiWeb zero-day exploited in attacks
Source: BleepingComputer
(Published: 18 November 2025)
Today, Fortinet released security updates to patch a new FortiWeb zero-day vulnerability that threat actors are actively exploiting in attacks. Read more.
Breaking Down S3 Ransomware: Variants, Attack Paths and Trend Vision One™ Defenses
Source: Trend Research
(Published: 18 November 2025)
Ransomware is shifting from traditional systems to cloud environments, redefining its impact on cloud-native data. Read more.
Masked in Memory: A Hidden .PYC Fragment Utilises cvtres.exe to Communicate With C&C
Source: K7 Labs
(Published: 19 November 2025)
During a routine analysis at K7 Labs, we encountered a Python-based malware sample that uses multi-stage obfuscation. Read more.
The Cloudflare Outage May Be a Security Roadmap
Source: Krebs on Security
(Published: 19 November 2025)
An intermittent outage at Cloudflare on Tuesday briefly knocked many of the Internet’s top destinations offline. Read more.
Cooking up trouble: How TamperedChef uses signed apps to deliver stealthy payloads
Source: Acronis Threat Research Unit
(Published: 19 November 2025)
Acronis Threat Research Unit (TRU) observed a global malvertising / SEO campaign, tracked as “TamperedChef.” Read more.
Meet ShinySp1d3r: New Ransomware-as-a-Service created by ShinyHunters
Source: BleepingComputer
(Published: 19 November 2025)
An in-development build of the upcoming ShinySp1d3r ransomware-as-a-service platform has surfaced, offering a preview of the upcoming extortion operation. Read more.
PlushDaemon compromises network devices for adversary-in-the-middle attacks
Source: ESET WeLiveSecurity
(Published: 19 November 2025)
ESET researchers provide insights into how PlushDaemon performs adversary-in-the-middle attacks using a previously undocumented network implant called EdgeStepper. Read more.
Beyond the Watering Hole: APT24’s Pivot to Multi-Vector Attacks
Source: Google Cloud
(Published: 20 November 2025)
Google Threat Intelligence Group (GTIG) is tracking a long-running and adaptive cyber espionage campaign by APT24, a People’s Republic of China (PRC)-nexus threat actor. Read more.
ToddyCat: your hidden email assistant. Part 1
Source: Securelist (Kaspersky)
(Published: 21 November 2025)
Email remains the main means of business correspondence at organizations. Read more.
China’s APT31 linked to hacks on Russian tech firms
Source: The Record
(Published: 21 November 2025)
The China-linked hacking group known as APT31 infiltrated Russia’s technology sector for years and quietly exfiltrated data from companies involved in government contracting and systems integration, according to a new report. Read more.
Brazilian Campaign: Spreading the Malware via WhatsApp
Source: K7 Labs
(Published: 21 November 2025)
K7 Labs learned from a tweet of a massive phishing campaign against Brazil that spreads malware via WhatsApp Web from the victim’s machine to their contacts, using an open-source WhatsApp automation script from GitHub, and also loads a banking trojan into memory. Read more.
The Korean Leaks – Analyzing the Hybrid Geopolitical Campaign Targeting South Korean Financial Services With Qilin RaaS
Source: Bitdefender
(Published: 24 November 2025)
TL;DR: The “Korean Leaks” campaign showcases a sophisticated supply chain attack against South Korea’s financial sector. Read more.
Weekly DDoSIA Threat Intelligence: Sweden
Source: SOCRadar
(Published: 24 November 2025)
NoName057(16), a pro-Russian hacktivist group, conducted coordinated DDoS attacks on Swedish organizations between November 10 and 16, 2025, as part of its ongoing campaign against countries supporting Ukraine. Read more.
South-east Asia increasingly targeted as cybercrime groups launch global attacks: report
Source: The Business Times
(Published: 25 November 2025)
South-east Asia is increasingly being targeted by cybercriminals leveraging the region’s rapid digitalization and expanding attack surface to launch global campaigns. Read more.
Defending Against Sha1-Hulud: The Second Coming
Source: SentinelOne
(Published: 25 November 2025)
A new wave of compromised NPM packages is leading to wide-scale supply chain attacks. Read more.
Inside the GitHub Infrastructure Powering North Korea’s Contagious Interview npm Attacks
Source: Socket
(Published: 26 November 2025)
The Socket Threat Research Team continues to track North Korea’s Contagious Interview operation as it systematically infiltrates the npm ecosystem. Read more.
Is Zendesk Scattered Lapsus$ Hunters’ Latest Campaign Target?
Source: ReliaQuest
(Published: 26 November 2025)
ReliaQuest has uncovered indications of a potential new campaign from the notorious threat collective “Scattered Lapsus$ Hunters,” this time targeting users of the customer support software Zendesk. Read more.
Xillen Stealer Updates to Version 5 to Evade AI Detection
Source: Darktrace
(Published: 26 November 2025)
Darktrace has observed a new version of the Xillen Stealer malware, designed to exfiltrate sensitive data including credentials, financial information, and cryptowallet keys. Read more.
Deepseek May Intentionally Produce Malicious Code Due to Chinese Political Bias, Research Shows
Source: Foundation for Defense of Democracies (FDD)
(Published: 26 November 2025)
A Chinese AI model may be intentionally generating harmful code due to political biases embedded in its training data, according to new research. Read more.
Albiriox RAT: Mobile Malware Targeting Global Finance and Crypto Wallets
Source: Cleafy Labs
(Published: 26 November 2025)
Cleafy Labs identified a new Android Remote Access Trojan (RAT) dubbed Albiriox, which targets global banking and crypto wallet applications. Read more.
Inside Valkyrie Stealer: Capabilities, Evasion Techniques, and Operator Profile
Source: DExpose
(Published: 26 November 2025)
The DExpose research team analyzed a new info-stealing malware known as Valkyrie, uncovering its core capabilities and operator tradecraft. Read more.
Shai-Hulud 2.0 Exposes Over 33,000 Unique Secrets [Updated Nov 27]
Source: GitGuardian
(Published: 27 November 2025)
In this report, we detail how the Shai-Hulud 2.0 supply chain attack exposed tens of thousands of unique secrets across hundreds of affected projects. Read more.
TangleCrypt: a sophisticated but buggy malware packer
Source: WithSecure Labs
(Published: 27 November 2025)
Just like most malware packers, TangleCrypt’s main objective is to hide the actual payload and make it look like a benign file. Read more.
Inside Morte Loader: How Loader as a Service Builds Modern Botnets
Source: SOCRadar
(Published: 27 November 2025)
Morte is a Loader as a Service (LaaS) that turns vulnerable SOHO routers, IoT devices and web applications into a flexible botnet platform. Read more.
APT36’s Python-based ELF Malware Targeting Indian Government Entities
Source: Cyfirma
(Published: 27 November 2025)
CYFIRMA researchers observed APT36 deploying a new Python-based ELF malware variant against Indian government agencies. Read more.
Palo Alto Scanning Surges to a 90-Day High
Source: GreyNoise
(Published: 27 November 2025)
GreyNoise observed a dramatic spike in scanning activity targeting Palo Alto Networks devices, reaching the highest level in 90 days. Read more.
FlexibleFerret Malware Continues to Adapt
Source: Jamf
(Published: 27 November 2025)
Jamf Threat Labs is tracking FlexibleFerret, a multi-stage malware family targeting macOS users with evolving techniques. Read more.
Morphisec Thwarts Russian-linked Stealc v2 Campaign Targeting Blender Users via Malicious .blend Files
Source: Morphisec
(Published: 27 November 2025)
Morphisec detected and blocked an attack campaign leveraging weaponized Blender .blend files to distribute Stealc v2, a Russian-linked infostealer. Read more.
The Pain in the Mist: Navigating Operation DreamJob’s Arsenal
Source: Orange Cyberdefense
(Published: 27 November 2025)
Orange Cyberdefense researchers shed light on new tooling, infrastructure and phishing techniques attributed to the North Korea-nexus Operation DreamJob. Read more.
Scattered Lapsus$ Hunters Intensify the Sale of FortiOS Access on DarkForums, With a Focus on Latin America
Source: Devel Group
(Published: 28 November 2025)
On DarkForums, a seller identified as “miyako”, flagged by the community as part of the ecosystem close to Scattered Lapsus$ Hunters, has been consistently publishing compromised access to organizations breached through FortiOS flaws. Read more.
Tomiris wreaks Havoc: New tools and techniques of the APT group
Source: Securelist (Kaspersky)
(Published: 28 November 2025)
While tracking the activities of the Tomiris threat actor, we identified new malicious operations that began in early 2025. Read more.
Thousands of sensitive secrets published on JSONFormatter and CodeBeautify
Source: Security Affairs
(Published: 28 November 2025)
Users of JSONFormatter and CodeBeautify leaked thousands of sensitive secrets, including credentials and private keys, WatchTowr warns. Read more.
Critical Flaw in Oracle Identity Manager Under Exploitation
Source: Dark Reading
(Published: 28 November 2025)
Attackers are exploiting a critical privilege escalation vulnerability in Oracle Identity Manager, prompting urgent patching recommendations. Read more.
Inside ShadyPanda: A 7-Year Malware Campaign That Infected 4 Million Browsers
Source: Koi Labs
(Published: 28 November 2025)
Koi Labs uncovered a massive multi-year surveillance and credential harvesting operation known as ShadyPanda, affecting more than 4 million browser installations worldwide. Read more.
THOR vs. Silver Fox: Uncovering and Defeating a Sophisticated ValleyRAT Campaign
Source: Nextron Systems
(Published: 28 November 2025)
Nextron Systems researchers analyzed a new ValleyRAT campaign named “Silver Fox,” uncovering and mitigating the threat using THOR YARA and behavioral analytics. Read more.
Candiru/DevilsTongue Spyware: Tracking the Global Operations
Source: Recorded Future
(Published: 29 November 2025)
Recorded Future’s Insikt Group analyzed ongoing DevilsTongue spyware activity attributed to the Israeli vendor Candiru. Read more.
DNS Uncovers Infrastructure Used in SSO Attacks
Source: Infoblox
(Published: 1 December 2025)
We recently received a tip from a customer that their institution was under recurring attacks that targeted their student single sign-on (SSO) portal. Read more.
EDR-Freeze: The User-Mode Attack That Puts Security Into a Coma
Source: Picus Security
(Published: 1 December 2025)
EDR-Freeze is a user-mode attack technique that abuses the dependency of endpoint detection and response solutions on user-mode telemetry to blind security monitoring. Read more.
Google Addresses 107 Android Vulnerabilities, Including Two Zero-Days
Source: CyberScoop
(Published: 1 December 2025)
Google disclosed two actively exploited zero-day vulnerabilities Monday, which it addressed among a total of 107 defects in the company’s monthly security update for Android devices. Read more.
Shai-Hulud 2.0 Aftermath: Ongoing Supply Chain Attack
Source: Wiz
(Published: 1 December 2025)
Wiz researchers are tracking an ongoing supply chain attack involving Shai-Hulud 2.0 that continues to impact organizations through compromised npm packages and cloud workloads. Read more.
Microsoft Chat With Anyone: Understanding the Phishing Risk
Source: Ontinue
(Published: 1 December 2025)
Attackers are abusing Microsoft’s Chat With Anyone features to socially engineer victims into credential theft and phishing attacks. Read more.
Water Saci: Stealthy Banking Malware Leveraging AI and Obfuscation
Source: Trend Micro
(Published: 2 December 2025)
Through AI-driven code analysis and large-scale telemetry, Trend Micro researchers uncovered Water Saci, a stealthy banking malware family that targets financial institutions with sophisticated evasion techniques. Read more.
Insider Threat Detection: Key Warning Signs Your Organization Cannot Ignore
Source: Nisos
(Published: 2 December 2025)
Insider activity rarely appears malicious in the beginning. Read more.
ShadowV2 casts a shadow over IoT devices
Source: Fortinet
(Published: 2 December 2025)
Fortinet researchers are tracking ShadowV2, an IoT-focused malware that expands on the capabilities of its predecessor with stealthier persistence mechanisms. Read more.
Want more articles? Check out the previous edition of Security Signals here.