Security Signals (12/30/25-01/13/26)

Welcome to your biweekly digest of curated cybersecurity intelligence.

Every two weeks, we bring you expert insights and handpicked articles covering the latest threats, threat actor activity, vulnerabilities, incident trends, and defensive strategies. Whether you’re on the front lines or shaping your organization’s security posture, Security Signals delivers the information you need to stay informed and ready.

For more articles, check out our #onpatrol4malware blog.

Turn Insights Into Action with Free Threat Intel

Security Signals gives you the insights and our Risk Indicators OSINT feeds help you apply them.

This Edition’s Articles

These early January 2026 cyber threat reports showcase how attackers are actively abusing trusted software, exposed infrastructure, and popular platforms to reach victims at scale. This roundup highlights GoBruteforcer server attacks, UAT-7290 telecom targeting, fake WinRAR installers delivering malware, malicious Chrome extensions abusing AI tools, and ongoing MacSync stealer campaigns impacting macOS users.

APT36: Multi-Stage LNK Malware Campaign Targeting Indian Government Entities

Source: CYFIRMA
(Published: 30 December 2025)
CYFIRMA has identified a targeted malware campaign attributed to APT36 (Transparent Tribe), a Pakistan-aligned threat actor actively engaged in cyber espionage operations against Indian governmental, academic, and strategic entities. Read more.


From Victim to Vector: How Infostealers Turn Legitimate Businesses into Malware Hosts

Source: InfoStealers
(Published: 30 December 2025)
This entry in the Hudson Rock database means that a computer – likely belonging to a developer or admin at jrqsistemas.com – was infected by an Infostealer. Read more.


2 Security Experts Plead Guilty In BlackCat Ransomware Case

Source: The Cyber Express
(Published: 30 December 2025)
Ryan Goldberg, 40, of Georgia, and Kevin Martin, 36, of Texas, were indicted in the BlackCat ransomware case in October. Read more.


Knownsec Data Breach: A Trove of Espionage Tradecraft with an Insider Narrative

Source: Resecurity
(Published: 31 December 2025)
The Knownsec leak is a pivotal incident of 2025 because it exposed the inner workings of a major state-linked Chinese cybersecurity firm, revealed espionage tools and global targets, internal documentation, and evidence of ongoing cyber operations targeting other countries. Read more.


VVS Discord Stealer Using Pyarmor for Obfuscation and Detection Evasion

Source: Unit 42 (Palo Alto Networks)
(Published: 2 January 2026)
This article details our technical analysis of VVS stealer, also styled VVS $tealer, including its distributors’ use of obfuscation and detection evasion. Read more.


Resurgence of Scattered Lapsus$ Hunters

Source: CYFIRMA
(Published: 3 January 2026)
Recent monitoring of underground forums and Telegram communities has identified the resurgence of the Scattered Lapsus$ collective. Read more.


D-Link DSL/DIR/DNS Command Injection via DNS Configuration Endpoint

Source: VulnCheck
(Published: 5 January 2026)
Severity: critical. Read more.


NordVPN Denies Breach After Hacker Leaks Data

Source: SecurityWeek
(Published: 6 January 2026)
The VPN company has conducted an investigation after a threat actor claimed to have hacked its systems. Read more.


Phishing actors exploit complex routing and misconfigurations to spoof domains

Source: Microsoft Security Blog
(Published: 6 January 2026)
Any third-party connectors – such as a spam filtering service, security solution, or archiving service – must be configured properly or spoof detections cannot be calculated correctly, allowing phishing emails such as the examples below to be delivered. Read more.


The Great VM Escape: ESXi Exploitation in the Wild

Source: Huntress
(Published: 7 January 2026)
In December 2025, Huntress observed an intrusion leading to the deployment of VMware ESXi exploits. Read more.


Malicious NPM Packages Deliver NodeCordRAT

Source: Zscaler ThreatLabz
(Published: 7 January 2026)
Zscaler ThreatLabz regularly monitors the `npm` database for suspicious packages. Read more.


Researchers rush to warn defenders of max-severity defect in n8n

Source: CyberScoop
(Published: 7 January 2026)
Roughly 100,000 servers running the automated workflow platform for AI and other enterprise tools are potentially exposed to exploitation. Read more.


Chrome Extensions Impersonate AI Tools to Steal ChatGPT & DeepSeek Chats

Source: SOCRadar
(Published: 7 January 2026)
A recently uncovered malware campaign involving Chrome extensions demonstrates how seemingly legitimate AI-focused add-ons can be abused to quietly collect sensitive user data at scale. Read more.


Inside GoBruteforcer: AI-Generated Server Defaults, Weak Passwords, and Crypto-Focused Campaigns

Source: Check Point Research
(Published: 7 January 2026)
GoBruteforcer is a botnet that turns compromised Linux servers into scanning and password brute-force nodes. Read more.


UAT-7290 targets high value telecommunications infrastructure in South Asia

Source: Cisco Talos
(Published: 8 January 2026)
Cisco Talos is disclosing a sophisticated threat actor we track as UAT-7290, who has been active since at least 2022. Read more.


Fake WinRAR downloads hide malware behind a real installer

Source: Malwarebytes
(Published: 8 January 2026)
A member of our web research team pointed me to a fake WinRAR installer that was linked from various Chinese websites. Read more.


Maduro Arrest Used as a Lure to Deliver Backdoor

Source: Darktrace
(Published: 9 January 2026)
Darktrace researchers observed threat actors exploiting reports of Venezuelan President Maduro’s arrest to deliver backdoor malware. Read more.


MacSync stealer is using a notarized app to bypass Mac defenses

Source: Moonlock
(Published: 9 January 2026)
MacSync, the new macOS stealer in town, is back with new tricks. Read more.


Boto-Cor-de-Rosa campaign reveals Astaroth WhatsApp-based worm activity in Brazil

Source: Acronis Threat Research Unit
(Published: 8 January 2026)
In a newly identified campaign, internally referred to as Boto Cor-de-Rosa, our researchers discovered that Astaroth now exploits WhatsApp Web as part of its propagation strategy. Read more.


Under Medusa’s Gaze: How Darktrace Uncovers RMM Abuse in Ransomware Campaigns

Source: Darktrace
(Published: 8 January 2026)
Medusa ransomware increasingly exploits remote monitoring and management (RMM) tools for persistence, lateral movement, and data exfiltration. Read more.


Reborn in Rust: Muddy Water Evolves Tooling with RustyWater Implant

Source: CloudSEK
(Published: 8 January 2026)
CloudSEK’s TRIAD recently identified a spear-phishing campaign attributed to the Muddy Water APT group targeting multiple sectors across the Middle East, including diplomatic, maritime, financial, and telecom entities. Read more.


North Korean Kimsuky Actors Leverage Malicious QR Codes in Spearphishing Campaigns Targeting U.S. Entities

Source: FBI IC3 (FLASH)
(Published: 8 January 2026)
The Federal Bureau of Investigation (FBI) is releasing this FLASH to alert NGOs, think tanks, academia, and other foreign policy experts with a nexus to North Korea of evolving tactics employed by the North Korean state-sponsored cyber threat group Kimsuky and to provide mitigation recommendations. Read more.


Iran Implements Nationwide Military Jamming to Cripple Starlink and Enforce Digital Blackout

Source: Reclaim The Net
(Published: 12 January 2026)
Iran’s government has expanded its control over digital communication, deploying military jamming systems that have largely disabled Starlink satellite access. Read more.


Stealthy malware masking its activity, deploying infostealer

Source: Kaspersky
(Published: 12 January 2026)
Our experts have detected a new wave of malicious emails targeting Russian private-sector organizations. Read more.


Hunting Lazarus: Inside the Contagious Interview C2 Infrastructure

Source: Red Asgard
(Published: 12 January 2026)
We found North Korean malware in a client’s Upwork project. Read more.


Unmasking the DPRK Remote Worker Problem

Source: Silent Push
(Published: 12 January 2026)
For decades, the “insider threat” was synonymous with the disgruntled staffer or the negligent contractor. Read more.


Want more articles? Check out the previous edition of Security Signals here. 


Take advantage of our free data evaluation.


Security Signals (12/02/25-12/16/25)


This Edition’s Articles

Mid-December 2025 cyber threat reports highlight how rapidly evolving threats are colliding with geopolitics, cloud infrastructure, and everyday consumer tech. This roundup spans everything from React2Shell mass exploitation to new Android banking malware, Mirai botnets at sea, and fresh ransomware tooling targeting ESXi and EDR.

Investigating an AiTM Phishing Campaign Targeting M365 and Okta

Source: Datadog Security Labs
(Published: 10 December 2025)
Datadog researchers detail an adversary-in-the-middle phishing campaign designed to bypass MFA protections for Microsoft 365 and Okta users. Read more.


Share ChatGPT Chat ClickFix: macOS AMOS Infostealer

Source: Kaspersky
(Published: 9 December 2025)
Kaspersky researchers describe a macOS infostealer campaign abusing fake ChatGPT sharing prompts to trick users into executing malicious commands. Read more.


Detecting Mythic C2 in Network Traffic

Source: Kaspersky Securelist
(Published: 11 December 2025)
This research outlines techniques for identifying Mythic command-and-control traffic using network-level indicators and behavioral patterns. Read more.


IT, Geopolitics, and Cyber Risk: How Global Tensions Shape the Attack Surface

Source: Rapid7
(Published: 11 December 2025)
Rapid7 examines how geopolitical instability influences cyber operations, threat actor targeting, and organizational risk exposure. Read more.


CyberVolk Returns: Flawed VolkLocker Brings New Features With Growing Pains

Source: SentinelOne
(Published: 10 December 2025)
SentinelOne analyzes the reemergence of CyberVolk ransomware, highlighting technical flaws alongside newly added capabilities. Read more.


Cato CTRL: Deep Dive Into New JSCeal Infostealer Campaign

Source: Cato Networks
(Published: 11 December 2025)
Cato Networks investigates a new JSCeal infostealer campaign leveraging obfuscated JavaScript to harvest credentials at scale. Read more.


What Happens to Stolen Data After Phishing Attacks?

Source: Kaspersky Securelist
(Published: 12 December 2025)
This article examines how stolen credentials and personal data are monetized, resold, and reused following phishing attacks. Read more.


The Infostealer to APT Pipeline: How Lazarus Hijacked a Yemen Disinformation Network

Source: Infostealers.com
(Published: 12 December 2025)
Researchers describe how the Lazarus Group leveraged infostealer infrastructure to compromise and repurpose a Yemen-based disinformation network. Read more.


Hamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic Entities With New AshTag Malware Suite

Source: Unit 42 (Palo Alto Networks)
(Published: 11 December 2025)
Unit 42 researchers detail how Hamas-affiliated threat actor Ashen Lepus is using a new AshTag malware suite to target Middle Eastern diplomatic entities. Read more.


Apple fixes two zero-day flaws exploited in ‘sophisticated’ attacks

Source: BleepingComputer
(Published: 12 December 2025)
Apple has released emergency updates to patch two zero-day vulnerabilities that were exploited in an extremely sophisticated attack targeting specific individuals. Read more.


Operation MoneyMount-ISO – Deploying Phantom Stealer via ISO-Mounted Executables

Source: Seqrite
(Published: 12 December 2025)
At Seqrite Labs, we continuously monitor global cyber threat activity. Read more.


Threats Behind the Mask of Gentlemen Ransomware

Source: ASEC
(Published: 11 December 2025)
ASEC researchers analyze threats hidden behind the so-called Gentlemen ransomware, including its infection vector, encryption behavior, and tactics for evading detection. Read more.


Evolution of Composite Cyber Threats: 2025 Analysis and 2026 Key Response Strategies

Source: Medium (@nshcthreatrecon)
(Published: 15 December 2025)
This long-form analysis explores how composite cyber threats evolved in 2025 and outlines key response strategies defenders should prioritize in 2026. Read more.


Free Micropatches for Windows Remote Access Connection Manager DoS

Source: 0patch
(Published: 11 December 2025)
0patch ships free micropatches for a Windows Remote Access Connection Manager zero-day that attackers can abuse to gain Local System privileges on vulnerable hosts. Read more.


Microsoft Teams to Introduce External Domains Anomalies Report for Enhanced Security

Source: Cybersecurity News
(Published: 11 December 2025)
Microsoft is adding an External Domains Anomalies report to Teams so administrators can spot unusual communication patterns with outside tenants and clamp down on risky connections. Read more.


New DroidLock Malware Locks Android Devices and Demands a Ransom

Source: Cybersecurity News
(Published: 11 December 2025)
Researchers warn that the DroidLock Android malware is being pushed via phishing sites, locking victims’ phones for ransom while also enabling attackers to take remote control. Read more.


Notepad++ Vulnerability Let Attackers Hijack Network Traffic to Install Malware via Updates

Source: Cybersecurity News
(Published: 11 December 2025)
A vulnerability in Notepad++ update traffic could allow threat actors to intercept requests on the network and deliver malicious payloads disguised as legitimate software updates. Read more.


Threat actors exploit React2Shell CVE-2025-55182

Source: Google Cloud Threat Intelligence
(Published: 12 December 2025)
Google Threat Intelligence details how multiple actors quickly weaponized the React2Shell (CVE-2025-55182) remote code execution flaw in React Server Components to gain initial access to internet-facing services. Read more.


How NoName057(16) Uses DDoSia to Attack NATO Targets

Source: Picus Security
(Published: 14 December 2025)
Picus analyzes how the pro-Russian hacktivist group NoName057(16) leverages its DDoSia platform to coordinate politically motivated DDoS attacks against NATO-aligned governments and organizations. Read more.


Frogblight threatens you with a court case: a new Android banker targets Turkish users

Source: Securelist
(Published: 15 December 2025)
Kaspersky describes Frogblight, an Android banking trojan distributed via smishing and fake government court case portals that steals banking credentials and can remotely control infected devices. Read more.


DDoS Threat Intelligence: Belgium, 15 Dec 2025

Source: SOCRadar
(Published: 15 December 2025)
SOCRadar details a DDoSia campaign by the pro-Russian group NoName057(16) that generated thousands of DDoS attacks focusing on Belgium as well as Ukraine and other European targets between 8 and 14 December 2025. Read more.


Cyberattack on the Sun

Source: Cato Networks
(Published: 15 December 2025)
Cato Networks examines how insecure legacy protocols in solar power infrastructure could let attackers manipulate inverters at scale and cause widespread power disruption. Read more.


TR SantaStealer Is Coming to Town: A New, Ambitious Infostealer Advertised on Underground Forums

Source: Rapid7
(Published: 15 December 2025)
Rapid7 profiles SantaStealer, a new information-stealing malware-as-a-service offering on underground forums that targets browser, cryptocurrency wallet, and application credentials. Read more.


Phishing Kits: An Interactive Deep Dive

Source: Flare
(Published: 15 December 2025)
Flare takes an interactive look at modern phishing kits, showing how they bundle cloned login pages, evasion features, and automation to let low-skill actors harvest credentials at scale. Read more.


GhostPairing Attacks: from phone number to full access in WhatsApp

Source: Gen Digital
(Published: 15 December 2025)
Gen researchers describe GhostPairing, a WhatsApp account takeover technique in which attackers trick victims into pairing an attacker-controlled device without ever stealing their password. Read more.


16TB of MongoDB Database Exposes 4.3 Billion Lead Gen Records

Source: Hackread
(Published: 15 December 2025)
Hackread reports on an unsecured 16TB MongoDB instance left open online that exposed over 4.3 billion professional lead generation records containing extensive personal and business data. Read more.


BreachForums Reemerges, Admin Apologizes for Honeypot Confusion, Claims the Attack the French Govt Announced Impacting Over 16M Individuals

Source: TechNadu
(Published: 15 December 2025)
TechNadu covers BreachForums administrators resurfacing to deny being a law enforcement honeypot while claiming responsibility for a French government data breach affecting more than 16 million people. Read more.


Kimsuky Distributing Malicious Mobile App via QR Code

Source: Enki White Hat
(Published: 16 December 2025)
Enki’s White Hat team analyzes new DOCSWAP APK variants delivered via QR code phishing sites and attributes the campaign to the DPRK-aligned threat actor Kimsuky. Read more.


Inside Ink Dragon: Revealing the Relay Network and Inner Workings of a Stealthy Offensive Operation

Source: Check Point Research
(Published: 16 December 2025)
Check Point Research exposes the Chinese espionage actor Ink Dragon, showing how it turns compromised IIS servers into a ShadowPad-based relay mesh spanning government and telecom victims worldwide. Read more.


CastleRAT malware detection with Splunk and MITRE ATT&CK

Source: Splunk
(Published: 5 December 2025)
Splunk Threat Research shows how defenders can detect CastleRAT infections by mapping the malware’s behaviors to MITRE ATT&CK techniques and translating them into Splunk detections. Read more.


Hypervisor defenses against ransomware targeting ESXi

Source: Huntress
(Published: 8 December 2025)
Hypervisors are the backbone of modern virtualized environments, but when ransomware targets ESXi hosts the blast radius can quickly extend across an entire organization. Read more.


White Lynx uses CAPTCHA macros

Source: Unit 42 (Palo Alto Networks)
(Published: 8 December 2025)
This Unit 42 timely threat intel note documents a White Lynx phishing campaign that uses a CAPTCHA-themed Word macro to deliver malware and harvest victim credentials. Read more.


React2Shell exploitation escalates into mass attacks

Source: The Hacker News
(Published: 10 December 2025)
The Hacker News reports that a critical ReactPHP vulnerability dubbed React2Shell, tracked as CVE-2025-55182, is now being widely exploited to deploy web shells on vulnerable servers. Read more.


Windows PowerShell 0-day vulnerability allows attackers to execute malicious code

Source: Cybersecurity News
(Published: 10 December 2025)
Security researchers warn that a newly disclosed Windows PowerShell 0-day vulnerability could allow attackers to execute arbitrary code on Windows systems if it is abused by threat actors. Read more.


Fortinet FortiGate under active attack

Source: The Hacker News
(Published: 11 December 2025)
A critical flaw in Fortinet FortiOS and FortiProxy is being actively exploited, allowing attackers to bypass authentication on FortiGate devices and gain full control of vulnerable appliances. Read more.


NANOREMOTE, cousin of FINALDRAFT

Source: Elastic Security Labs
(Published: 11 December 2025)
In October 2025, Elastic Security Labs discovered a newly observed Windows backdoor in telemetry that they call NanoRemote, which closely resembles the FINALDRAFT implant. Read more.


Shanya emerges as top EDR-killing tool for ransomware gangs

Source: Techworm
(Published: 11 December 2025)
Techworm profiles Shanya, a new EDR-killing utility aggressively marketed to ransomware gangs for disabling security tools before encryption begins. Read more.


Intellexa leaks: Predator spyware operations exposed

Source: Amnesty International Security Lab
(Published: 11 December 2025)
Amnesty International’s Security Lab analyzes a large leak of Intellexa documents that exposes how the Predator spyware platform has been sold and deployed around the world. Read more.


Cracking ValleyRAT: from builder secrets to kernel rootkits

Source: Check Point Research
(Published: 12 December 2025)
Throughout 2025, Check Point Research tracked the evolution of ValleyRAT, following the malware from leaked builder tools to sophisticated kernel-level rootkits used in the wild. Read more.


Technical analysis of the BlackForce phishing kit

Source: Zscaler
(Published: 12 December 2025)
Zscaler ThreatLabz provides a technical deep dive into the BlackForce phishing-as-a-service kit, which automates Microsoft 365 credential theft using reverse proxy techniques and extensive anti-analysis features. Read more.


China-Nexus Cyber Threat Groups Rapidly Exploit React2Shell Vulnerability (CVE-2025-55182)

Source: AWS Security Blog
(Published: 4 December 2025)
Within hours of the React2Shell CVE-2025-55182 disclosure, Amazon threat intelligence teams observed multiple China-nexus actors attempting to exploit vulnerable Next.js applications at scale. Read more.


Advent of Configuration Extraction – Part 2: Unwrapping QuasarRAT’s Configuration

Source: Sekoia.io
(Published: 8 December 2025)
This second installment of the Advent of Configuration Extraction series shows how analysts can unpack QuasarRAT samples and extract their encrypted configuration from the .NET binary. Read more.


BYOVD Loader Deploys DeadLock Ransomware

Source: Talos Intelligence
(Published: 9 December 2025)
Cisco Talos details a new bring-your-own-vulnerable-driver (BYOVD) loader used to disable security products and deploy DeadLock ransomware in targeted attacks. Read more.


Cydome Identifies Broadside, a New Mirai Botnet Variant Targeting Maritime IoT

Source: Cydome
(Published: 3 December 2025)
Cydome researchers uncover Broadside, a Mirai-based botnet variant that abuses weakly secured maritime IoT devices to build a DDoS-capable fleet. Read more.


Malicious VSCode Extension Launches Multi-Stage Attack Chain with Anivia Loader and OctoRAT

Source: Hunt.io
(Published: 3 December 2025)
Hunt.io describes a malicious Visual Studio Code extension that delivers a multi-stage attack chain, ultimately deploying the Anivia loader and OctoRAT for persistent remote control. Read more.


SMS Phishers Pivot to Points, Taxes, Fake Retailers

Source: Krebs on Security
(Published: 4 December 2025)
Brian Krebs reports that China-based SMS phishing crews now sell phishing kits for mass-creating fake e-commerce sites that funnel victims’ card data into mobile wallets, alongside lures about tax refunds and rewards points. Read more.


OSINT Kitten: The Headquarters for Hacktivist Operations Against Israel

Source: Medium
(Published: 5 December 2025)
This investigation profiles OSINT Kitten as a coordination hub for hacktivist campaigns targeting Israel, outlining how propaganda, leaks, and operational chatter intersect on the platform. Read more.


Inside Shanya: A Packer-as-a-Service Fueling Modern Attacks

Source: Sophos News
(Published: 6 December 2025)
Sophos examines Shanya, a packer-as-a-service offering that ransomware groups increasingly use to obfuscate payloads, evade analysis, and extend the lifespan of their campaigns. Read more.


Nothing to Steal? Let’s Wipe. We Are Analyzing the Shai Hulud 2.0 npm Worm

Source: Securelist (Kaspersky)
(Published: 9 December 2025)
Kaspersky researchers dissect Shai Hulud 2.0, a destructive npm worm that abuses developer tooling and supply chain trust to spread and wipe systems instead of stealing data. Read more.


Cato CTRL: Weaponizing Claude Skills with MedusaLocker

Source: Cato Networks
(Published: 10 December 2025)
Cato Networks describes how red-teamers simulated an attack in which MedusaLocker operators combine LLM-powered automation with C2 infrastructure to accelerate discovery, lateral movement, and impact. Read more.


New eBPF Filters for Symbiote and BPFdoor Malware

Source: Fortinet
(Published: 9 December 2025)
Fortinet introduces new eBPF-based detection filters that help defenders identify and hunt for stealthy Linux threats such as Symbiote and BPFdoor in production environments. Read more.


UDPGangster Campaigns Target Multiple Countries

Source: Fortinet
(Published: 4 December 2025)
FortiGuard Labs reveals UDPGangster, a UDP-based backdoor linked to MuddyWater that is being used in campaigns against organizations across several Middle Eastern and neighboring states. Read more.


Investigating Indonesia’s Gambling Ecosystem: Indicators of National-Level Cyber Operations

Source: Malanta
(Published: 3 December 2025)
Malanta’s research team maps Indonesia’s online gambling infrastructure and highlights technical and behavioral indicators that could signal involvement by state-linked operators. Read more.


Deceptive Layoff-Themed HR Email Distributes Remcos RAT Malware

Source: Seqrite
(Published: 9 December 2025)
Seqrite analyzes phishing emails masquerading as layoff notifications that deliver a weaponized attachment used to install the Remcos remote access trojan. Read more.


Operation DupeHike: UNG0902 Targets Russian Employees with DupeRunner and AdaptixC2

Source: Seqrite
(Published: 3 December 2025)
This report documents Operation DupeHike, where the UNG0902 group uses phishing lures and custom malware families DupeRunner and AdaptixC2 to target employees in Russia. Read more.


Africa in the Crosshairs: Covert Influence, Cyber Operations, and the New Geopolitics

Source: Silobreaker
(Published: 9 December 2025)
Silobreaker explores how non-Western powers use information operations, cyber activity, and local partnerships to shape narratives and political outcomes across Africa. Read more.


AI-Automated Threat Hunting Brings GhostPenguin Out of the Shadows

Source: Trend Micro
(Published: 8 December 2025)
Trend Micro introduces GhostPenguin, a previously undocumented Linux backdoor discovered through AI-assisted threat hunting and low-detection telemetry analysis. Read more.


Dangerous Invitations: Russian Threat Actor Spoofs European Security Events in Targeted Phishing Attacks

Source: Volexity
(Published: 4 December 2025)
Volexity details a campaign in which a Russian threat actor sends spoofed invitations to high-profile European security conferences to deliver malware to selected targets. Read more.


Attackers Actively Exploiting Critical Vulnerability in King Addons for Elementor Plugin

Source: Wordfence
(Published: 2 December 2025)
Wordfence warns that a critical privilege escalation flaw in the King Addons for Elementor plugin is under active exploitation, enabling unauthenticated attackers to gain admin access. Read more.


Technical Analysis of Matanbuchus 3.0

Source: Zscaler
(Published: 2 December 2025)
Zscaler ThreatLabz provides a deep technical dive into Matanbuchus 3.0, a C++ downloader malware-as-a-service that now plays a growing role in ransomware operations. Read more.



Security Signals (11/18/25-12/02/25)


This Edition’s Articles

November to December 2025 cyber threat reports bring together a fast-moving mix of supply chain compromises, ransomware evolutions, APT operations, and cloud-targeted attacks. This roundup highlights how actors are abusing npm ecosystems, targeting SSO and identity platforms, and weaponizing IoT and banking malware, giving your team timely context to tune detections and prioritize defenses.

Autumn Dragon: China-nexus APT Group Targets South East Asia

Source: CyberArmor
(Published: 18 November 2025)
Since early 2025, China’s involvement in the Indo-Pacific has been more prolific, from escalating maritime tensions, to acting as peacebroker for Myanmar’s military junta, and more recently, espionage activities targeting joint exercises that Philippine naval forces have been conducting together with the US, Australia, Canada and New Zealand. Read more.


Cloudflare outage on November 18, 2025

Source: Cloudflare
(Published: 18 November 2025)
On November 18, 2025, Cloudflare experienced an outage that affected a portion of traffic on its network. Read more.


Fortinet warns of new FortiWeb zero-day exploited in attacks

Source: BleepingComputer
(Published: 18 November 2025)
Today, Fortinet released security updates to patch a new FortiWeb zero-day vulnerability that threat actors are actively exploiting in attacks. Read more.


Breaking Down S3 Ransomware: Variants, Attack Paths and Trend Vision One™ Defenses

Source: Trend Research
(Published: 18 November 2025)
Ransomware is shifting from traditional systems to cloud environments, redefining its impact on cloud-native data. Read more.


Masked in Memory: A Hidden .PYC Fragment Utilises cvtres.exe to Communicate With C&C

Source: K7 Labs
(Published: 19 November 2025)
During a routine analysis at K7 Labs, we encountered a Python-based malware sample that uses multi-stage obfuscation. Read more.


The Cloudflare Outage May Be a Security Roadmap

Source: Krebs on Security
(Published: 19 November 2025)
An intermittent outage at Cloudflare on Tuesday briefly knocked many of the Internet’s top destinations offline. Read more.


Cooking up trouble: How TamperedChef uses signed apps to deliver stealthy payloads

Source: Acronis Threat Research Unit
(Published: 19 November 2025)
Acronis Threat Research Unit (TRU) observed a global malvertising / SEO campaign, tracked as “TamperedChef.” Read more.


Meet ShinySp1d3r: New Ransomware-as-a-Service created by ShinyHunters

Source: BleepingComputer
(Published: 19 November 2025)
An in-development build of the upcoming ShinySp1d3r ransomware-as-a-service platform has surfaced, offering a preview of the upcoming extortion operation. Read more.


PlushDaemon compromises network devices for adversary-in-the-middle attacks

Source: ESET WeLiveSecurity
(Published: 19 November 2025)
ESET researchers provide insights into how PlushDaemon performs adversary-in-the-middle attacks using a previously undocumented network implant called EdgeStepper. Read more.


Beyond the Watering Hole: APT24’s Pivot to Multi-Vector Attacks

Source: Google Cloud
(Published: 20 November 2025)
Google Threat Intelligence Group (GTIG) is tracking a long-running and adaptive cyber espionage campaign by APT24, a People’s Republic of China (PRC)-nexus threat actor. Read more.


ToddyCat: your hidden email assistant. Part 1

Source: Securelist (Kaspersky)
(Published: 21 November 2025)
Email remains the main means of business correspondence at organizations. Read more.


China’s APT31 linked to hacks on Russian tech firms

Source: The Record
(Published: 21 November 2025)
The China-linked hacking group known as APT31 infiltrated Russia’s technology sector for years and quietly exfiltrated data from companies involved in government contracting and systems integration, according to a new report. Read more.


Brazilian Campaign: Spreading the Malware via WhatsApp

Source: K7 Labs
(Published: 21 November 2025)
K7 Labs learned from a tweet of a large-scale phishing campaign against Brazilian users. The malware spreads via WhatsApp Web from the victim’s machine to their contacts using an open-source WhatsApp automation script from GitHub, and also loads a banking trojan into memory. Read more.


The Korean Leaks – Analyzing the Hybrid Geopolitical Campaign Targeting South Korean Financial Services With Qilin RaaS

Source: Bitdefender
(Published: 24 November 2025)
The “Korean Leaks” campaign showcases a sophisticated supply chain attack against South Korea’s financial sector. Read more.


Weekly DDoSIA Threat Intelligence: Sweden

Source: SOCRadar
(Published: 24 November 2025)
NoName057(16), a pro-Russian hacktivist group, conducted coordinated DDoS attacks on Swedish organizations between November 10 and 16, 2025, as part of its ongoing campaign against countries supporting Ukraine. Read more.


South-east Asia increasingly targeted as cybercrime groups launch global attacks: report

Source: The Business Times
(Published: 25 November 2025)
South-east Asia is increasingly being targeted by cybercriminals leveraging the region’s rapid digitalization and expanding attack surface to launch global campaigns. Read more.


Defending Against Sha1-Hulud: The Second Coming

Source: SentinelOne
(Published: 25 November 2025)
A new wave of compromised NPM packages is leading to wide-scale supply chain attacks. Read more.


Inside the GitHub Infrastructure Powering North Korea’s Contagious Interview npm Attacks

Source: Socket
(Published: 26 November 2025)
The Socket Threat Research Team continues to track North Korea’s Contagious Interview operation as it systematically infiltrates the npm ecosystem. Read more.


Is Zendesk Scattered Lapsus$ Hunters’ Latest Campaign Target?

Source: ReliaQuest
(Published: 26 November 2025)
ReliaQuest has uncovered indications of a potential new campaign from the notorious threat collective “Scattered Lapsus$ Hunters,” this time targeting users of the customer support software Zendesk. Read more.


Xillen Stealer Updates to Version 5 to Evade AI Detection

Source: Darktrace
(Published: 26 November 2025)
Darktrace has observed a new version of the Xillen Stealer malware, designed to exfiltrate sensitive data including credentials, financial information, and cryptowallet keys. Read more.


Deepseek May Intentionally Produce Malicious Code Due to Chinese Political Bias, Research Shows

Source: Foundation for Defense of Democracies (FDD)
(Published: 26 November 2025)
A Chinese AI model may be intentionally generating harmful code due to political biases embedded in its training data, according to new research. Read more.


Albiriox RAT: Mobile Malware Targeting Global Finance and Crypto Wallets

Source: Cleafy Labs
(Published: 26 November 2025)
Cleafy Labs identified a new Android Remote Access Trojan (RAT) dubbed Albiriox, which targets global banking and crypto wallet applications. Read more.


Inside Valkyrie Stealer: Capabilities, Evasion Techniques, and Operator Profile

Source: DExpose
(Published: 26 November 2025)
The DExpose research team analyzed a new info-stealing malware known as Valkyrie, uncovering its core capabilities and operator tradecraft. Read more.


Shai-Hulud 2.0 Exposes Over 33,000 Unique Secrets [Updated Nov, 27]

Source: GitGuardian
(Published: 27 November 2025)
In this report, we detail how the Shai-Hulud 2.0 supply chain attack exposed tens of thousands of unique secrets across hundreds of affected projects. Read more.


TangleCrypt: a sophisticated but buggy malware packer

Source: WithSecure Labs
(Published: 27 November 2025)
Just like most malware packers, TangleCrypt’s main objective is to hide the actual payload and make it look like a benign file. Read more.


Inside Morte Loader: How Loader as a Service Builds Modern Botnets

Source: SOCRadar
(Published: 27 November 2025)
Morte is a Loader as a Service (LaaS) that turns vulnerable SOHO routers, IoT devices and web applications into a flexible botnet platform. Read more.


APT36’s Python-based ELF Malware Targeting Indian Government Entities

Source: Cyfirma
(Published: 27 November 2025)
CYFIRMA researchers observed APT36 deploying a new Python-based ELF malware variant against Indian government agencies. Read more.


Palo Alto Scanning Surges to a 90-Day High

Source: GreyNoise
(Published: 27 November 2025)
GreyNoise observed a dramatic spike in scanning activity targeting Palo Alto Networks devices, reaching the highest level in 90 days. Read more.


FlexibleFerret Malware Continues to Adapt

Source: Jamf
(Published: 27 November 2025)
Jamf Threat Labs is tracking FlexibleFerret, a multi-stage malware family targeting macOS users with evolving techniques. Read more.


Morphisec Thwarts Russian-linked Stealc v2 Campaign Targeting Blender Users via Malicious .blend Files

Source: Morphisec
(Published: 27 November 2025)
Morphisec detected and blocked an attack campaign leveraging weaponized Blender .blend files to distribute Stealc v2, a Russian-linked infostealer. Read more.


The Pain in the Mist: Navigating Operation DreamJob’s Arsenal

Source: Orange Cyberdefense
(Published: 27 November 2025)
Orange Cyberdefense researchers shed light on new tooling, infrastructure and phishing techniques attributed to the North Korea-nexus Operation DreamJob. Read more.


Scattered Lapsus$ Hunters Step Up Sales of FortiOS Access on DarkForums, With a Focus on Latin America

Source: Devel Group
(Published: 28 November 2025)
On DarkForums, a seller identified as “miyako”, flagged by the community as part of the ecosystem close to Scattered Lapsus$ Hunters, has been consistently posting compromised access to organizations breached through FortiOS flaws. Read more.


Tomiris wreaks Havoc: New tools and techniques of the APT group

Source: Securelist (Kaspersky)
(Published: 28 November 2025)
While tracking the activities of the Tomiris threat actor, we identified new malicious operations that began in early 2025. Read more.


Thousands of sensitive secrets published on JSONFormatter and CodeBeautify

Source: Security Affairs
(Published: 28 November 2025)
Users of JSONFormatter and CodeBeautify leaked thousands of sensitive secrets, including credentials and private keys, watchTowr warns. Read more.


Critical Flaw in Oracle Identity Manager Under Exploitation

Source: Dark Reading
(Published: 28 November 2025)
Attackers are exploiting a critical privilege escalation vulnerability in Oracle Identity Manager, prompting urgent patching recommendations. Read more.


Inside ShadyPanda: A 7-Year Malware Campaign That Infected 4 Million Browsers

Source: Koi Labs
(Published: 28 November 2025)
Koi Labs uncovered a massive multi-year surveillance and credential harvesting operation known as ShadyPanda, affecting more than 4 million browser installations worldwide. Read more.


THOR vs. Silver Fox: Uncovering and Defeating a Sophisticated ValleyRAT Campaign

Source: Nextron Systems
(Published: 28 November 2025)
Nextron Systems researchers analyzed a new ValleyRAT campaign attributed to the Silver Fox threat actor, uncovering and mitigating the threat with THOR’s YARA rules and behavioral analytics. Read more.


Candiru/DevilsTongue Spyware: Tracking the Global Operations

Source: Recorded Future
(Published: 29 November 2025)
Recorded Future’s Insikt Group analyzed ongoing DevilsTongue spyware activity attributed to the Israeli vendor Candiru. Read more.


DNS Uncovers Infrastructure Used in SSO Attacks

Source: Infoblox
(Published: 1 December 2025)
We recently received a tip from a customer that their institution was under recurring attacks that targeted their student single sign-on (SSO) portal. Read more.


EDR-Freeze: The User-Mode Attack That Puts Security Into a Coma

Source: Picus Security
(Published: 1 December 2025)
EDR-Freeze is a user-mode attack technique that abuses the dependency of endpoint detection and response solutions on user-mode telemetry to blind security monitoring. Read more.


Google Addresses 107 Android Vulnerabilities, Including Two Zero-Days

Source: CyberScoop
(Published: 1 December 2025)
Google disclosed two actively exploited zero-day vulnerabilities Monday, which it addressed among a total of 107 defects in the company’s monthly security update for Android devices. Read more.


Shai-Hulud 2.0 Aftermath: Ongoing Supply Chain Attack

Source: Wiz
(Published: 1 December 2025)
Wiz researchers are tracking an ongoing supply chain attack involving Shai-Hulud 2.0 that continues to impact organizations through compromised npm packages and cloud workloads. Read more.


Microsoft Chat With Anyone: Understanding the Phishing Risk

Source: Ontinue
(Published: 1 December 2025)
Attackers are abusing Microsoft’s Chat With Anyone feature to socially engineer victims into credential theft and phishing attacks. Read more.


Water Saci: Stealthy Banking Malware Leveraging AI and Obfuscation

Source: Trend Micro
(Published: 2 December 2025)
Through AI-driven code analysis and large-scale telemetry, Trend Micro researchers uncovered Water Saci, a stealthy banking malware family that targets financial institutions with sophisticated evasion techniques. Read more.


Insider Threat Detection: Key Warning Signs Your Organization Cannot Ignore

Source: Nisos
(Published: 2 December 2025)
Insider activity rarely appears malicious in the beginning. Read more.


ShadowV2 casts a shadow over IoT devices

Source: Fortinet
(Published: 2 December 2025)
Fortinet researchers are tracking ShadowV2, an IoT-focused malware that expands on the capabilities of its predecessor with stealthier persistence mechanisms. Read more.


Want more articles? Check out the previous edition of Security Signals here. 

Take advantage of our free data evaluation.

Security Signals (11/04/25-11/18/25)

This Edition’s Articles

The latest November 2025 cyber threat reports reveal a surge in high-impact activity across the global threat landscape, from major ransomware developments like LockBit 5.0 and VanHelsing to new espionage operations linked to Lazarus, APT42, and multiple Iran-aligned groups. This roundup also covers expanding phishing campaigns, advanced Android and Windows malware families, supply-chain intrusions, and the growing use of AI tools in both attack and defense. 

Dissecting the Infection Chain: Technical Analysis of the Kimsuky JavaScript Dropper

Source: Pulsedive Threat Research
(Published: 5 November 2025)
This blog analyzes a Kimsuky JavaScript dropper sample, detailing how it retrieves additional stages and the network traffic observed across the full infection chain. Read more.


Update on Attacks by Threat Group APT-C-60

Source: JPCERT/CC Eyes
(Published: 5 November 2025)
JPCERT/CC provides an update on recent attacks linked to APT-C-60, summarizing new intrusion methods, infrastructure, and targeting patterns observed in Japan and abroad. Read more.


Herodotus: a banking trojan that exposes the limits of an antivirus

Source: Pradeo
(Published: 6 November 2025)
Pradeo describes Herodotus, a new Android banking trojan offered as Malware as a Service that masquerades as a legitimate app, gains sensitive permissions, and performs fraudulent banking operations on behalf of victims. Read more.


Phishing Campaigns “I Paid Twice” Targeting Booking.com Hotels and Customers

Source: Sekoia.io
(Published: 6 November 2025)
Sekoia.io analysts detail a phishing campaign abusing compromised Booking.com accounts and messaging apps to trick hotel staff and guests, ultimately delivering malware and running banking fraud schemes. Read more.


Slot Gacor: The Rise of Online Casino Spam

Source: Sucuri Security
(Published: 7 November 2025)
Sucuri explains how online casino spam has become one of the most prevalent SEO spam threats, with attackers hacking websites to inject hidden backlinks that promote gambling portals. Read more.


Threat actor usage of AI tools

Source: Google Threat Intelligence Group
(Published: 7 November 2025)
Google Threat Intelligence Group examines how threat actors are adopting AI tools across the attack lifecycle, from crafting phishing content to supporting malware development and operational workflows. Read more.


Distribution of Backdoor Malware with Legitimate Signature, Disguised as Steam Cleanup Tool

Source: AhnLab ASEC
(Published: 10 November 2025)
ASEC reports multiple cases of malware posing as the SteamCleaner utility, installing a malicious Node.js script that periodically contacts C2 servers to execute commands on infected systems. Read more.


New Phishing Campaign Exploits Meta Business Suite to Target SMBs Across the U.S. and Beyond

Source: Check Point Software
(Published: 10 November 2025)
Check Point Harmony Email Security researchers uncover a large-scale phishing campaign abusing Meta Business Suite and facebookmail.com to send convincing notifications that steal credentials from small and mid-sized businesses. Read more.


Analysis of Encryption Structure of Yurei Ransomware Go-based Builder

Source: AhnLab ASEC
(Published: 11 November 2025)
ASEC analyzes the Go-based Yurei ransomware builder, detailing its ChaCha20-Poly1305 file encryption, ECIES key protection, and targeting of organizations across several industries in Sri Lanka and Nigeria. Read more.


Amazon discovers APT exploiting Cisco and Citrix zero-days

Source: AWS Security Blog
(Published: 12 November 2025)
Amazon threat intelligence teams describe an advanced actor exploiting zero-day vulnerabilities in Cisco Identity Services Engine and Citrix systems, deploying custom web shells and targeting critical identity infrastructure. Read more.


Contagious Interview Actors Now Utilize JSON Storage Services for Malware Delivery

Source: NVISO Labs
(Published: 13 November 2025)
NVISO reports that the Contagious Interview campaign now abuses legitimate JSON storage services to host obfuscated payloads delivered through trojanized code projects used in fake job interviews. Read more.


Arsenal Analysis of a Nation-State Actor: An In-Depth Look at Lazarus ScoringMathTea

Source: 0x0d4y Malware Research
(Published: 13 November 2025)
This post builds on prior ESET research into Operation Dream Magic to analyze the Lazarus ScoringMathTea toolset, focusing on its capabilities, infrastructure, and links to earlier campaigns. Read more.


Curly COMrades: Evasion and Persistence via Hidden Hyper-V Virtual Machines

Source: Bitdefender
(Published: 4 November 2025)
The investigation revealed that the attackers relied on a combination of custom malware and stealth techniques to establish and maintain persistence within the victim environment. Read more.


Cloudflare Scrubs Aisuru Botnet from Top Domains List

Source: KrebsOnSecurity
(Published: 5 November 2025)
For the past week, domains associated with the massive Aisuru botnet have repeatedly usurped Amazon, Apple, Google and Microsoft in Cloudflare’s public ranking of the most frequently requested websites. Read more.


New Kimsuky Malware ‘EndClient RAT’: First Technical Report and IOCs

Source: 0x0v1
(Published: 5 November 2025)
The MSI bundle, after installing the banking software and displaying the bogus VBS script mentioned above, starts by creating a BAT script which copies the AutoIt3.exe binary and the Au3 script which is heavily obfuscated. Read more.


LockBit 5.0 Analysis: Technical Deep Dive into the RaaS Giant’s Latest Upgrade

Source: Flashpoint
(Published: 6 November 2025)
LockBit 5.0, introduced in late September 2025, is the latest evolution of this dominant ransomware-as-a-service group, bringing new anti-analysis features and more flexible encryption options. Read more.


MUT-4831: Trojanized npm packages deliver Vidar infostealer malware

Source: Datadog Security Labs
(Published: 6 November 2025)
In two bursts, over October 21-22 and October 26, the researchers observed a total of 23 releases of 17 distinct packages carrying the Vidar-delivery indicators and similar ones. Read more.


Critical Cisco UCCX flaw lets hackers run commands as root

Source: BleepingComputer
(Published: 6 November 2025)
A critical security flaw in Cisco’s Unified Contact Center Express platform allows attackers to run commands as root on vulnerable systems. Read more.


LANDFALL: New Commercial-Grade Android Spyware in Exploit Chain Targeting Samsung Devices

Source: Unit 42 by Palo Alto Networks
(Published: 7 November 2025)
Unit 42 researchers have identified a new commercial-grade Android spyware family dubbed LANDFALL that is delivered through an exploit chain targeting Samsung devices. Read more.


DarkComet Spyware Resurfaces Disguised as Fake Bitcoin Wallet

Source: HackRead
(Published: 12 November 2025)
Old DarkComet RAT spyware is back, hiding inside fake Bitcoin wallets and trading apps to steal credentials via keylogging. Read more.


Malicious Chrome Extension Exfiltrates Seed Phrases, Enabling Crypto Theft

Source: Socket
(Published: 12 November 2025)
A malicious Chrome extension posing as an Ethereum wallet steals seed phrases by encoding them into Sui transactions, enabling full wallet takeover. Read more.


The COM: Anatomy of an English-Speaking Cybercriminal Ecosystem and the Origins of Scattered Lapsus Hunters

Source: CloudSEK
(Published: 12 November 2025)
Over the past decade, the English-speaking cybercriminal ecosystem commonly referred to as “The COM” has undergone a profound transformation. Read more.


Critical FortiWeb flaw under attack, allowing complete compromise

Source: Security Affairs
(Published: 14 November 2025)
A Fortinet FortiWeb auth-bypass flaw is being actively exploited, allowing attackers to hijack admin accounts and fully compromise devices. Read more.


Iranian Hackers Launch ‘SpearSpecter’ Spy Operation on Defense and Government Targets

Source: The Hacker News
(Published: 14 November 2025)
The Iranian state-sponsored threat actor known as APT42 has been observed targeting government and defense organizations with a new espionage campaign codenamed SpearSpecter. Read more.


DDoSia Targets Denmark: A Clear Look at the Threat

Source: SOCRadar
(Published: 17 November 2025)
Between November 4 and November 13, 2025, Denmark was included in a focused campaign by pro-Russian hacktivist groups. Read more.


IndonesianFoods Spam Campaign: What Security Teams Need To Know

Source: SOCRadar
(Published: 17 November 2025)
A large-scale campaign known as IndonesianFoods has recently gained attention for its unusual impact on the npm ecosystem. Read more.


Tracking a Dragon: Investigating a DragonForce-affiliated ransomware attack with Darktrace

Source: Darktrace
(Published: 5 November 2025)
Darktrace investigates a DragonForce-affiliated ransomware attack targeting the manufacturing sector, tracing the intrusion from initial access through to ransomware deployment. Read more.


Gootloader Threat Detection: WOFF2 Obfuscation and Evasion Tactics

Source: Huntress
(Published: 5 November 2025)
Gootloader is a sophisticated JavaScript-based malware loader that threat actors commonly use to gain initial access. Read more.


GlassWorm Returns: New Wave Strikes as We Expose Attacker Infrastructure

Source: Koi Security
(Published: 6 November 2025)
Almost three weeks ago, we disclosed GlassWorm, the first self-propagating worm targeting VS Code extensions using invisible Unicode characters, and now we are seeing a new wave of infections linked to the same attacker infrastructure. Read more.


Lazarus Group targets Aerospace and Defense with new Comebacker variant

Source: Enki
(Published: 7 November 2025)
Enki researchers detail a new Comebacker malware variant deployed by the Lazarus Group against aerospace and defense organizations, expanding the threat actor’s long-running espionage toolkit. Read more.


Maverick and Coyote: Analyzing the link between two evolving Brazilian banking trojans

Source: CyberProof
(Published: 10 November 2025)
The CyberProof SOC Team has observed overlapping infrastructure and tooling connecting the Brazilian banking trojans Maverick and Coyote, suggesting a shared developer or tightly coordinated operators. Read more.


Dissecting ValleyRAT: From loader to RAT execution in targeted campaigns

Source: Picus Security
(Published: 11 November 2025)
Picus researchers analyze ValleyRAT’s loader, staging chain, and command-and-control behavior observed in recent targeted attacks against organizations in East Asia. Read more.


Initial Access Brokers (IAB) in 2025: From dark web listings to supply chain ransomware events

Source: Darknet.org.uk
(Published: 12 November 2025)
Initial Access Brokers are specialist cybercriminals who sell or rent compromised footholds in corporate networks, enabling ransomware gangs and other actors to launch disruptive attacks with minimal effort. Read more.


Thousands of domains target hotel guests in massive phishing campaign

Source: Netcraft
(Published: 12 November 2025)
Netcraft has identified thousands of lookalike domains impersonating hotel brands and booking platforms to lure guests into phishing pages that steal credentials and payment information. Read more.


DigitStealer: a JXA-based infostealer that leaves little footprint

Source: Jamf
(Published: 13 November 2025)
Jamf Threat Labs dissects the new DigitStealer malware, a sophisticated macOS infostealer that uses advanced hardware checks and multi-stage attacks to evade detection and steal sensitive data. Read more.


Uncovering a Multi-Stage Phishing Kit Targeting Italy’s Infrastructure

Source: Group-IB
(Published: 13 November 2025)
Group-IB researchers uncovered a professional phishing framework that mimics trusted brands with remarkable precision, using layered evasion, CAPTCHA filtering, and Telegram-based data exfiltration to harvest credentials and bypass automated detection. Read more.


Unmasking Vo1d: Inside Darktrace’s botnet detection

Source: Darktrace
(Published: 14 November 2025)
Earlier this year, Darktrace investigated the Vo1d malware campaign, tracing its activity from DGA-based DNS beaconing to major cloud infrastructure and ultimately to its C2 server communications. Read more.


Pig Butchering Scams: Cybercrime Threat Intelligence

Source: Cyfirma
(Published: 15 November 2025)
Pig butchering scams, also known as romance or cryptocurrency investment scams, are long-term social engineering schemes in which attackers build trust before defrauding victims of large sums of money. Read more.


RONINGLOADER: DragonBreath’s new path to PPL abuse

Source: Elastic Security Labs
(Published: 15 November 2025)
This campaign primarily targets Chinese-speaking users and demonstrates a clear evolution in adaptability compared to earlier DragonBreath-related campaigns documented in 2022-2023. Read more.


100,000 WordPress Sites Affected by Privilege Escalation Vulnerability in AI Engine WordPress Plugin

Source: Wordfence
(Published: 4 November 2025)
On October 4th, 2025, we received a submission for a Sensitive Information Exposure vulnerability in AI Engine, a WordPress plugin with more than 100,000 active installations. Read more.


Crossed wires: a case study of Iranian espionage and attribution

Source: Proofpoint
(Published: 5 November 2025)
This analysis examines a newly identified threat actor dubbed UNK_SmudgedSerpent that targeted academics and foreign policy experts between June and August 2025. Read more.


Private data at risk due to seven ChatGPT vulnerabilities

Source: Tenable
(Published: 5 November 2025)
Tenable Research has identified seven vulnerabilities in ChatGPT that could enable an attacker to exfiltrate private information from users’ memories and chat history. Read more.


UNC6384’s 2025 PlugX Campaign Explained

Source: Picus Security
(Published: 6 November 2025)
In March 2025, UNC6384 ran a targeted espionage campaign against diplomatic and related organizations, employing a multi-stage, highly evasive delivery chain that culminated in the in-memory deployment of the SOGU.SEC/PlugX backdoor. Read more.


Fantasy Hub: Another Russian Based RAT as M-a-a-S

Source: Zimperium
(Published: 6 November 2025)
zLabs identified “Fantasy Hub,” an Android Remote Access Trojan sold on Russian-language channels under a Malware-as-a-Service (MaaS) subscription. Read more.


The Cat’s Out of the Bag: A ‘Meow Attack’ Data Corruption Campaign Simulation via MAD-CAT

Source: Trustwave SpiderLabs
(Published: 7 November 2025)
In 2024, I published Feline Hackers Among Us? (A Deep Dive and Simulation of the Meow Attack), which explored the notorious Meow attack campaign that had plagued unsecured databases since 2020. Read more.


Multi-Platform VanHelsing Ransomware (RaaS) Analysis

Source: Picus Security
(Published: 8 November 2025)
A new and rapidly expanding ransomware operation, dubbed VanHelsing, has emerged on the cybercrime scene. Read more.


Ferocious Kitten APT Exposed: Inside the Iran-Focused Espionage Campaign

Source: Picus Security
(Published: 10 November 2025)
Ferocious Kitten is a covert cyber-espionage actor active since at least 2015 that has focused on Persian-speaking targets inside Iran, using politically themed decoy documents to trick dissidents, activists, and other individuals into opening weaponized files. Read more.


GreenCharlie APT: Iran’s PowerShell-Based Cyber Espionage Campaigns

Source: Picus Security
(Published: 11 November 2025)
GreenCharlie is an Iran-based advanced persistent threat (APT) group known for its active cyber-espionage and phishing operations. Read more.


MalKamak APT’s ShellClient RAT: Inside Operation GhostShell

Source: Picus Security
(Published: 11 November 2025)
MalKamak group has been active since at least 2018 and was observed in a targeted espionage campaign that peaked in July 2021, focusing primarily on the aerospace and telecommunications sectors in the Middle East, with additional victims in the U.S., Russia, and Europe. Read more.


NGate: NFC Relay Malware Enabling ATM Withdrawals Without Physical Cards

Source: Zimperium
(Published: 12 November 2025)
CERT Polska has recently uncovered a sophisticated Android malware family dubbed NGate, designed to perform NFC relay attacks targeting Polish bank customers. Read more.


Operation Endgame Quakes Rhadamanthys

Source: Proofpoint
(Published: 13 November 2025)
Rhadamanthys malware has evolved significantly over time, reflecting ongoing advancements in cybercriminal techniques. Read more.


Increase in Lumma Stealer Activity Coincides with Use of Adaptive Browser Fingerprinting Tactics

Source: Trend Micro
(Published: 13 November 2025)
In this blog entry, Trend Research analyses the layered command-and-control approaches that Lumma Stealer uses to maintain its ongoing operations while enhancing collection of victim-environment data. Read more.


NotDoor Insights: A Closer Look at Outlook Macros and More

Source: Splunk
(Published: 14 November 2025)
This blog helps security analysts, blue teamers, and Splunk customers identify NotDoor, and similar malware, by enabling the community to discover related TTPs used by threat actors and adversaries. Read more.


Hide Me Again: The Updated Multi-Payload .NET Steganography Loader That Includes Lokibot

Source: Splunk
(Published: 14 November 2025)
In this blog, the Splunk Threat Research Team presents an analysis of the updated steganographic loader, including one of its payloads: the Lokibot malware. Read more.

Want more articles beyond these November 2025 cyber threat reports? Check out the previous edition of Security Signals here. 


Security Signals (10/07/25-10/21/25)

This Edition’s Articles

In these late October 2025 cyber threat reports, global research teams uncovered an active mix of espionage, phishing, and data-theft operations. Highlights this period include North Korea’s EtherHiding and Contagious Interview campaigns, new exploits such as the Oracle EBS zero-day, COLDRIVER and Lazarus-linked attacks, and mobile threats like Pixnapping targeting Android users. Together, these findings reveal how rapidly evolving malware, cloud intrusions, and supply-chain compromises continue to test defenders’ visibility and response.

An Insider Look At The IRGC-linked APT35 Operations: Ep1 & Ep2

Source: CloudSEK
(Published: 7 October 2025)
CloudSEK’s TRIAD team analyzed the available evidence and reconstructed recent APT35 operations across two episodes of our series. Read more.


Attacker says they breached Huawei, source code sold online

Source: Cybernews
(Published: 7 October 2025)
A hacker claims to have stolen Huawei’s internal source code and sold it on an underground cybercriminal forum. Read more.


Oops! It’s a kernel stack use-after-free: Exploiting NVIDIA’s GPU Linux drivers

Source: Quarkslab
(Published: 14 October 2025)
This article details two bugs in NVIDIA’s GPU kernel driver vmalloc handling that can be chained to gain code execution in kernel context. Read more.


BombShell: The Signed Backdoor Hiding in Plain Sight on Framework Devices

Source: Eclypsium
(Published: 14 October 2025)
UEFI shell vulnerabilities allow attackers to bypass Secure Boot. Read more.


DPRK Adopts EtherHiding: Nation-State Malware Hiding on Blockchains

Source: Google Cloud Blog
(Published: 16 October 2025)
Google Threat Intelligence Group (GTIG) has observed a new malware delivery technique, EtherHiding, appearing in DPRK-linked activity. Read more.


BeaverTail and OtterCookie evolve with a new Javascript module

Source: Cisco Talos Blog
(Published: 16 October 2025)
Cisco Talos has uncovered a new attack linked to Famous Chollima, a threat group aligned with North Korea (DPRK). Read more.


Odyssey Stealer and AMOS Campaign Targets macOS Developers Through Fake Tools

Source: Hunt
(Published: 16 October 2025)
In recent months, our threat hunting team has observed a surge in macOS-targeted campaigns employing new social engineering tactics and persistent infrastructure. Read more.


New Group on the Block: UNC5142 Leverages EtherHiding to Distribute Malware

Source: Google Cloud Blog
(Published: 16 October 2025)
Since late 2023, UNC5142 has leveraged EtherHiding infrastructure to deliver malicious payloads and obfuscate attribution. Read more.


Joint Intel Strike – DeepCode × AMLBot Trace “1688shuju,” a Darknet Seller of Verified Exchange Numbers

Source: AMLBot
(Published: 17 October 2025)
On 22 August 2025, the DeepCode intelligence team identified a darknet marketplace listing by the actor “1688shuju” offering large batches of verified phone numbers tied to major cryptocurrency exchanges. Read more.


Email Bombs Exploit Lax Authentication in Zendesk

Source: Krebs on Security
(Published: 17 October 2025)
Cybercriminals are abusing a widespread lack of authentication in the customer service platform Zendesk to flood targeted email inboxes with menacing messages that come from hundreds of Zendesk corporate customers simultaneously. Read more.


Tykit Analysis: New Phishing Kit Stealing Hundreds of Microsoft Accounts in Finance

Source: ANY.RUN
(Published: 21 October 2025)
Not long ago we reported a spike in phishing attacks that use an SVG file as the delivery vector. Read more.


To Be (A Robot) or Not to Be: New Malware Attributed to Russia State-Sponsored COLDRIVER

Source: Google Cloud Blog
(Published: 21 October 2025)
COLDRIVER, a Russian state-sponsored threat group known for targeting high-profile individuals in NGOs, policy advisors, and dissidents, swiftly shifted operations after the May 2025 public disclosure of its LOSTKEYS malware. Read more.


Red Hat data breach escalates as ShinyHunters joins extortion

Source: BleepingComputer
(Published: 6 October 2025)
Enterprise software giant Red Hat is now being extorted by the ShinyHunters gang, with samples of stolen customer engagement reports (CERs) leaked on their data leak site. Read more.


OpenAI has disrupted (more) Chinese accounts using ChatGPT to create social media surveillance tools

Source: Engadget
(Published: 7 October 2025)
OpenAI published a new threat report and banned additional China-linked accounts that used ChatGPT to design social media surveillance tools. Read more.


Maverick: Android banking trojan distributing via WhatsApp

Source: Securelist
(Published: 8 October 2025)
A malware campaign was recently detected distributing various versions of the Android banking trojan called ‘Maverick’ via WhatsApp. Read more.


Phishing campaign leveraging the npm ecosystem

Source: Snyk
(Published: 9 October 2025)
We have uncovered a large-scale phishing campaign abusing the npm ecosystem to deliver malware to developers through typosquatted packages and malicious maintainers. Read more.


Harvard University hit in Oracle EBS cyberattack, 1.3 TB of data leaked by Cl0p group

Source: Security Affairs
(Published: 10 October 2025)
Harvard University was hit in a cyberattack exploiting a zero-day in Oracle E-Business Suite (EBS), with the Cl0p ransomware gang leaking 1.3 TB of data. Read more.


PhantomVAI Loader Delivers a Range of Infostealers

Source: Unit 42 (Palo Alto Networks)
(Published: 15 October 2025)
Unit 42 researchers have been tracking phishing campaigns that use PhantomVAI Loader to deliver information-stealing malware through a multi-stage, evasive infection chain. Read more.


Pro-Hamas hackers breach B.C. and U.S. airport display systems

Source: Juno News
(Published: 15 October 2025)
A pro-Hamas Islamist group has taken credit for a series of cyberattacks at two B.C. airports and others in the U.S. Read more.


PassiveNeuron: campaign with APT implants and Cobalt Strike

Source: Securelist
(Published: 17 October 2025)
The PassiveNeuron (also known as ‘Evernight’) cyber espionage campaign relies on a broad arsenal of tools, including clusters of implants, Cobalt Strike, and modern living-off-the-land strategies. Read more.


SIMCartel operation: Europol takes down SIM box ring linked to 3,200 scams

Source: Security Affairs
(Published: 18 October 2025)
Europol has taken down a multi-country SIM boxing ring dubbed ‘SIMCartel,’ dismantling infrastructure linked to more than 3,200 scams. Read more.


F5 breach exposes 262,000 BIG-IP systems worldwide

Source: Security Affairs
(Published: 19 October 2025)
Security firm F5 disclosed a breach exposing telemetry data from 262,000 BIG-IP systems worldwide after attackers accessed a support platform. Read more.


Russian Lynk group leaks sensitive UK MoD files, including info on eight military bases

Source: Security Affairs
(Published: 20 October 2025)
The Russian hacktivist group Lynk leaked sensitive UK Ministry of Defence files, including details on eight military bases. Read more.


Salty Much: Darktrace’s view on a recent Salt Typhoon intrusion

Source: Darktrace
(Published: 20 October 2025)
Salt Typhoon, a China-linked cyber espionage group, has been observed targeting global infrastructure using stealthy techniques such as DLL sideloading and zero-day exploits. Read more.


Disrupting threats targeting Microsoft Teams

Source: Microsoft Security Blog
(Published: 7 October 2025)
The extensive collaboration features and global adoption of Microsoft Teams make it a high-value target for both cybercriminals and state-sponsored actors. Read more.


Crimson Collective: A New Threat Group Observed Operating in the Cloud

Source: Rapid7 Labs
(Published: 7 October 2025)
Over the past few weeks, Rapid7 has observed increased activity of a new threat group attacking AWS cloud environments with the goal of data exfiltration and subsequent extortion. Read more.


Pixel-stealing “Pixnapping” attack targets Android devices

Source: Malwarebytes
(Published: 14 October 2025)
Researchers at US universities have demonstrated how a malicious Android app can trick the system into leaking pixel data. Read more.


Retro Phishing: Basic Auth URLs Make a Comeback in Japan

Source: Netcraft
(Published: 15 October 2025)
Netcraft recently uncovered a suspicious URL targeting GMO Aozora Bank, a Japanese financial institution. Read more.


Inside the attack chain: Threat activity targeting Azure Blob Storage

Source: Microsoft Security Blog
(Published: 20 October 2025)
Azure Blob Storage is a high-value target for threat actors due to its critical role in storing and managing massive amounts of unstructured data at scale. Read more.


North Korea’s Contagious Interview Campaign Escalates: 338 Malicious npm Packages, 50,000 Downloads

Source: Socket
(Published: 10 October 2025)
The Contagious Interview operation continues to weaponize the npm registry with a repeatable playbook. Read more.


Espionage Exposed: Inside a North Korean Remote Worker Network

Source: KELA
(Published: 10 October 2025)
Thousands of North Korean IT workers are hiding in plain sight, blending into the global freelance economy, building your apps, or even designing your infrastructure. Read more.


Microsoft revamps Internet Explorer Mode in Edge after August attacks

Source: Security Affairs
(Published: 13 October 2025)
Microsoft has revamped the Internet Explorer (IE) mode in the Edge browser to fix an issue that threat actors exploited for attacks in August 2025. Read more.


TigerJack’s Extensions Continue to Rob Developers Blind Across Different Marketplaces

Source: Koi
(Published: 13 October 2025)
Meet TigerJack – a threat actor we’ve been tracking since early 2025, who has systematically infiltrated developer marketplaces with at least 11 malicious VS Code extensions across multiple publisher accounts. Read more.


Oracle silently fixes zero-day exploit leaked by ShinyHunters

Source: BleepingComputer
(Published: 14 October 2025)
Oracle has silently fixed an Oracle E-Business Suite vulnerability (CVE-2025-61884) that was actively exploited to breach servers, with a proof-of-concept exploit publicly leaked by the ShinyHunters extortion group. Read more.

