Microsoft has released its November 2025 Patch Tuesday updates, addressing more than 60 security vulnerabilities across its product lineup, including an actively exploited zero-day. The zero-day, tracked as CVE-2025-62215, is a Windows kernel elevation of privilege vulnerability caused by a race condition in the OS kernel. It has been exploited in the wild to gain SYSTEM-level privileges on affected Windows devices.
A critical-severity vulnerability (CVE-2025-9242) in WatchGuard Firebox firewalls has been actively exploited, according to the US CISA. The flaw, an out-of-bounds write in the Fireware OS iked process, allows unauthenticated remote code execution. It affects IKEv2-based mobile user VPNs and branch office VPNs configured with dynamic gateway peers.
Amazon’s threat intelligence division has uncovered a sophisticated campaign in which an advanced threat actor exploited a high-risk vulnerability in NetScaler ADC and Gateway (CVE-2025-5777, aka “Citrix Bleed 2”) and CVE-2025-20337 in Cisco Identity Services Engine (ISE) to deploy stealthy custom malware. Both vulnerabilities were used together in advanced persistent threat (APT) operations before Citrix and Cisco issued their initial advisories. Attackers leveraged the Cisco flaw to gain pre-authentication administrative access and installed a custom web shell called “IdentityAuditAction,” masquerading as a legitimate ISE component.
Threat actors are exploiting a vulnerability in Gladinet’s Triofox file-sharing and remote access platform, chaining it with abuse of the built-in anti-virus feature to achieve code execution. The flaw, tracked as CVE-2025-12480, allows an attacker to bypass authentication and gain access to configuration pages, enabling uploads and execution of arbitrary payloads. Mandiant said it observed a threat cluster tracked as UNC6485 weaponizing the vulnerability as early as August 24, 2025, nearly a month after Gladinet released fixes in Triofox version 16.7.10368.56560.
A now-patched security flaw in Samsung Galaxy devices was exploited as a zero-day to deliver Android spyware dubbed ‘Landfall’ in targeted attacks across the Middle East. The campaign exploited CVE-2025-21042, an out-of-bounds write vulnerability in the libimagecodec.quram.so component that can allow remote code execution. Samsung fixed the issue in April 2025 after Palo Alto Networks' Unit 42 found evidence the bug had been used in the wild.
A Fortinet FortiWeb path traversal vulnerability, likely a variant of CVE-2022-40684, is being actively exploited to create new administrative users on exposed devices without authentication. The flaw is fixed in FortiWeb 8.0.2. Administrators are urged to update immediately and check for unauthorized access.
North Korean hackers are abusing Google’s Find Hub tool (formerly known as “Find My Device”) to track the GPS locations of South Korean targets and remotely reset their smartphones to factory settings. Using stolen Google credentials, the hackers log into victims’ accounts to access Find Hub, where they can query GPS data and issue remote wipe commands.
Anthropic says it detected a sophisticated cyberespionage campaign by a Chinese state-sponsored group that exploited its AI coding assistant Claude Code. The attackers developed an autonomous framework capable of compromising targets with minimal human involvement, targeting around 30 critical organizations and successfully breaching a few of them. The list of targeted entities included tech firms, financial institutions, chemical manufacturers, and government agencies. The threat actor manipulated Claude Code by “jailbreaking” it to bypass safeguards.
A new type of side-channel attack can allow adversaries to infer conversations with large language models (LLMs), even when protected by strong encryption such as Transport Layer Security (TLS). The attack, dubbed “Whisper Leak,” exploits subtle metadata patterns in network traffic to deduce a user’s discussion topics.
Point Wild’s Lat61 Threat Intelligence Team has spotted a new variant of the DarkComet remote access tool (RAT), which was originally developed back in 2008 but later discontinued by its creator. The new version is disguised as a Bitcoin-related application and, once installed, silently activates the full DarkComet arsenal. The spyware has a wide range of capabilities, including keystroke logging, file theft, webcam surveillance and remote desktop control.
Cisco’s Talos team looks into Kraken, a Russian-speaking offshoot of the former HelloKitty ransomware cartel. Kraken is a cross-platform ransomware with specialized encryptors for Windows, Linux, and VMware ESXi, and it uniquely benchmarks victim machines prior to encryption, a capability seldom seen in ransomware. In an observed case, the attackers gained initial access by exploiting SMB flaws, maintained persistence with Cloudflared, and exfiltrated data using SSHFS before encrypting systems.
US government agencies have issued an updated advisory warning that the Akira ransomware operation is now targeting Nutanix AHV virtual machines. The ransomware has expanded its capabilities to encrypt AHV VM disk files. The advisory provides new indicators of compromise and details on observed tactics, based on FBI investigations and third-party reports as recent as November 2025.
Darktrace published a deep dive into the Vo1d malware campaign, tracing its activity from DGA-based DNS beaconing to major cloud infrastructure and ultimately to its C2 server communications.
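The Vo1d write-up above starts from DGA-style DNS beaconing, which defenders usually triage from query logs before any C2 infrastructure is known. The following is an added example, not part of the Darktrace report or its detection logic: a simple heuristic scorer (label length, Shannon entropy, digit ratio, consonant runs) run over a constructed DNS query log in a hypothetical "timestamp client qname" format, reporting which clients are querying many algorithm-looking domains.

```python
"""Heuristic DGA triage over DNS query logs (added example; constructed data, not Vo1d IoCs)."""
import math
import re
from collections import Counter

# Constructed sample log lines in a hypothetical "timestamp client qname" format.
SAMPLE_DNS_LOG = """\
2025-11-10T08:01:02Z 10.0.0.7 www.example.com
2025-11-10T08:01:05Z 10.0.0.7 updates.microsoft.com
2025-11-10T08:01:09Z 10.0.0.9 xk3p9qz7lwhd2v.com
2025-11-10T08:01:12Z 10.0.0.9 q8m2n7ztk5bvxrj.net
2025-11-10T08:01:15Z 10.0.0.9 a1b2c3d4e5f6g7h8.org
2025-11-10T08:01:20Z 10.0.0.7 mail.google.com
"""


def shannon_entropy(s):
    """Bits of entropy per character of the string (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def second_level_label(qname):
    """Return the label left of the public suffix, e.g. 'example' for 'www.example.com'."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def longest_consonant_run(label):
    """Length of the longest run of consonants; random labels tend to have long runs."""
    runs = re.findall(r"[bcdfghjklmnpqrstvwxyz]+", label)
    return max((len(r) for r in runs), default=0)


def dga_score(qname):
    """Score 0-4: one point per heuristic that fires on the second-level label.
    Thresholds are illustrative assumptions, not tuned values."""
    label = second_level_label(qname)
    score = 0
    if len(label) >= 12:
        score += 1
    if shannon_entropy(label) >= 3.5:
        score += 1
    if sum(ch.isdigit() for ch in label) / max(len(label), 1) >= 0.2:
        score += 1
    if longest_consonant_run(label) >= 4:
        score += 1
    return score


def parse_dns_log(text):
    """Parse the constructed log format into (timestamp, client, qname) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        records.append((ts, client, qname))
    return records


def flag_suspicious(text, threshold=2):
    """Return (client, qname, score) for every query scoring at or above the threshold."""
    return [
        (client, qname, dga_score(qname))
        for _, client, qname in parse_dns_log(text)
        if dga_score(qname) >= threshold
    ]


def clients_with_bursts(text, threshold=2):
    """Count flagged queries per client; a client with many hits is the beaconing candidate."""
    return dict(Counter(client for client, _, _ in flag_suspicious(text, threshold)))


if __name__ == "__main__":
    for client, qname, score in flag_suspicious(SAMPLE_DNS_LOG):
        print(f"{client} {qname} score={score}")
    print(clients_with_bursts(SAMPLE_DNS_LOG))
```

Treat the score as a triage signal rather than a verdict: CDN and cloud hostnames also carry high-entropy labels, which is why the per-client burst count matters more than any single domain, and why an investigation like the one above follows the resolved addresses onward to the hosting infrastructure and C2 traffic.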
Socket’s Threat Research Team has spotted a malicious Chrome extension called ‘Safery: Ethereum Wallet,’ which contains a backdoor that steals users’ seed phrases. It encodes the phrases into Sui addresses and initiates microtransactions from a Sui wallet controlled by the threat actor.
Six months after law enforcement disrupted DanaBot, a new version of the malware has resurfaced. Researchers at Zscaler ThreatLabz said that the new variant uses Tor-based command-and-control domains and “backconnect” nodes. The malware operators are also actively using cryptocurrency addresses in BTC, ETH, LTC, and TRX to receive stolen funds.
A Russian-speaking cybercriminal group has launched a large-scale phishing campaign aimed at travelers and hotel guests, registering more than 4,300 domains since the start of 2025, according to new research from Netcraft. The attackers appear to be targeting individuals who have upcoming travel plans, using fraudulent websites to steal payment and personal information.
A CloudSEK report examines the English-speaking cybercriminal ecosystem known as “The COM,” which over the past decade evolved from trading rare social media usernames into a sophisticated, service-driven underground economy responsible for major global cyberattacks, with notorious groups such as Lapsus$ and ShinyHunters playing key roles. Today, The COM fuels a wide range of high-impact cybercrimes, including large data breaches, extortion, SIM-swapping, ransomware, cryptocurrency theft, and financial fraud, affecting corporations, governments, critical infrastructure, and individual investors.
In the latest phase of Operation Endgame, Europol and law enforcement from 11 countries dismantled a major cybercrime network distributing malware such as Rhadamanthys, VenomRAT, and the Elysium botnet. The operation led to one arrest in Greece and 11 searches across Europe, resulting in the takedown of over 1,025 servers and the seizure of 20 domains globally.
A 35-year-old Russian national, Denis Obrezko, described as a “world-class hacker,” was detained in Thailand at the request of the United States on charges related to cyberattacks. He is accused of hacking security systems and attacking government institutions in the US and Europe. Obrezko is suspected of involvement with the Russia-linked hacker group “Void Blizzard,” which has targeted government, defense, transportation, media, NGO, and healthcare sectors across the US, Europe, and Ukraine. The group drew major attention in September 2024 after stealing sensitive data on about 63,000 Dutch police officers. Obrezko was detained on November 6 in a joint operation with the FBI, and Thai police seized several electronic devices from his hotel room for forensic analysis.
A Russian national accused of helping orchestrate multiple ransomware attacks against US companies is expected to plead guilty later this month, according to unsealed federal court documents. Aleksey Olegovich Volkov, 25, was arrested in Rome in 2023 and extradited to the United States earlier this year. Prosecutors say Volkov acted as an initial access broker for the Yanluowang ransomware group, breaking into company networks and selling that access to other hackers.
Former university student Matthew D. Lane, 20, was sentenced to four years in prison, three years of supervised release, a $25,000 fine, and more than $14 million in restitution for hacking two US companies and attempting to extort them. Lane had pleaded guilty in 2024 to cyber extortion, unauthorized computer access, and identity theft. In the first scheme, Lane and others tried to extort $200,000 from a telecommunications company by threatening to leak stolen customer data. In the second, Lane used stolen credentials to access a software and cloud storage provider serving schools and stole sensitive data on over 60 million students and 10 million teachers, demanding a $2.85 million Bitcoin ransom to prevent a global leak.
Google says the Lighthouse phishing-as-a-service platform linked to the China-based cybercrime group Smishing Triad has been disrupted after the company filed a lawsuit against the gang. Active since at least 2023, Smishing Triad runs large-scale SMS phishing campaigns impersonating banks, delivery companies, healthcare providers, and other services. According to Google, Lighthouse helped the group send fraudulent messages and build phishing sites used to steal logins and financial data, impacting more than a million users in over 120 countries.
Zhimin Qian, aka “Crypto Queen,” was sentenced to 11 years and eight months in prison for possessing and transferring criminal property in the form of cryptocurrency. Her associate, Seng Hok Ling, also 47, received a four-year and 11-month sentence for transferring criminal cryptocurrency. Qian had run a major fraud in China from 2014 to 2017, defrauding over 128,000 people and converting the proceeds into cash, jewellery and Bitcoin before fleeing to the UK under a false identity. A 2018 investigation led to the recovery of more than 61,000 Bitcoin, worth about £5 billion, the largest confirmed crypto seizure in the world to date.
She Zhijiang, a Chinese-born businessman accused by both China and the United States of running one of Southeast Asia’s largest scam compounds, has been extradited from Thailand to China. Arrested in Bangkok in 2022, She Zhijiang is alleged to have controlled Yatai New City in Shwe Kokko, Myanmar, a hub for internet fraud, casinos, drug trafficking, and prostitution. Authorities say the compound lured and trafficked people from around the world to work as online scammers. China issued an arrest warrant in 2021 for money laundering and illegal gambling operations.
Relatedly, the United States imposed financial sanctions on five individuals and three entities, located in Burma and Thailand, for their involvement in forced labor compounds that carry out cyberscam operations. Additionally, US authorities are establishing a strike force to target cyber scam compounds across Southeast Asia that have stolen billions from Americans over the last five years.
Authorities in France and Italy arrested five suspects allegedly linked to a global network of car-theft technology developers. The group had been producing reprogrammed speakers and other devices that could unlock vehicles by bypassing security systems, selling them worldwide for EUR 3,000 to EUR 50,000. Investigators uncovered a manufacturing site in Italy with advanced equipment, while searches in France led to multiple arrests and the seizure of six vehicles, over EUR 100,000 in cash, luxury goods, and theft devices valued at around EUR 1 million.
