Threat Research | Weekly Recap [30 Nov 2025]

Cybersecurity Threat Research ‘Weekly’ Recap: The report highlights a broad wave of risk from supply-chain and developer-ecosystem abuse—including npm worm campaigns like Shai-Hulud 2.0, OtterCookie, and PyPI domain-takeover vectors—alongside ongoing nation-state operations from Lazarus, Kimsuky, Gamaredon, Tomiris, and related actors. It also covers infostealers, loaders, vulnerabilities (CVE-2025-61882, CVE-2025-64446), breaches, and e-commerce fraud, with defensive guidance on threat intelligence integration, automated security validation, phishing simulations, and AI risk mitigation.
#ShaiHulud #OtterCookie #Kimsuky #Lazarus #Gamaredon #Tomiris #WaterGamayun #BerserkBear #ShinySp1d3r #Gainsight

Supply‑chain & developer ecosystem

  • Self‑propagating npm worm that backdoors packages, steals CI/cloud secrets, creates persistent GitHub runners and can wipe files; widespread multi‑wave impact across popular scopes. Shai‑Hulud 2.0 — Datadog
  • Parallel reporting on massive npm waves: analysis of additional infected packages, propagation vectors (setup_bun.js / bun_environment.js) and large‑scale repo exfiltration. Shai‑Hulud — TrendMicro
  • North Korean npm campaign injecting 197+ malicious packages that load OtterCookie payloads and target developer wallets/credentials via typosquats and GitHub staging. Contagious Interview / OtterCookie — Socket.dev
  • Legacy PyPI bootstrap/build scripts fetch from abandoned python-distribute[.]org, creating a domain‑takeover supply‑chain vector in popular packages (e.g., tornado, pypiserver). PyPI bootstrap domain‑takeover risk — ReversingLabs

Nation‑state & APT operations

  • Lazarus deploys new C++ in‑memory RAT ScoringMathTea (reflective DLL plugins, API hashing, TEA/XTEA‑CBC C2) targeting UAV contractors. ScoringMathTea — PolySwarm
  • Kimsuky and Lazarus coordinating campaigns: academic spearphishing + zero‑day exploitation, shared C2 and bespoke backdoors to exfiltrate intelligence and crypto. Kimsuky–Lazarus coordination — CN‑SEC
  • Evidence of infrastructure overlap between Russia‑aligned Gamaredon and North Korea’s Lazarus, suggesting cross‑actor operational synergy. Gamaredon–Lazarus link — GEN
  • Tomiris phishing campaigns against foreign ministries/IGOs using reverse shells, AdaptixC2/Havoc, public services (Discord/Telegram) as C2 and stealthy proxies. Tomiris tools & techniques — Kaspersky SecureList
  • Water Gamayun multi‑stage intrusion abusing compromised BELAY site, double‑extension RAR, MSC EvilTwin (CVE‑2025‑26633) exploit via mmc.exe and nested PowerShell stages to deploy ItunesC. Water Gamayun reconstruction — Zscaler
  • APT36 delivered a Python‑based ELF RAT to BOSS Linux via weaponized .desktop shortcuts, establishing systemd user persistence and cross‑platform espionage. APT36 Python ELF RAT — CYFIRMA
  • APT24 (PRC‑nexus) used obfuscated BADAUDIO downloader, supply‑chain abuse and strategic web compromises to deliver AES‑encrypted payloads and Cobalt Strike. APT24 multi‑vector campaign — Google Cloud
  • Russia‑linked COLDRIVER retooled NOROBOT/YESROBOT into MAYBEROBOT, with DNS/WHOIS artifact hunting revealing early warnings and extra malicious IPs. MAYBEROBOT — CircleID
  • Long‑running espionage group Berserk Bear (FSB‑linked) continues stealthy intrusions against critical infrastructure, reusing admin tools and implants like Havex. Berserk Bear profile — SOCRadar
  • LABScon25 analysis: Chinese commercial cyber ranges and private firms (i‑SOON, IntegrityTech, Sichuan Silence) contribute to offensive capability development. LABScon25 — SentinelOne

Infostealers, loaders & novel lures

  • GhostCall (macOS via malicious Zoom updates) and GhostHire (GitHub recruitment test malware) exfiltrate wallets, keychains, API keys and notes; DNS/WHOIS analysis found typosquatting clusters and many infected client IPs. GhostCall / GhostHire — CircleID
  • macOS infostealer DigitStealer targets Apple Silicon (M2+) using unsigned DMGs, AppleScript/JXA, Ledger Live redirection and Launch Agent persistence. JTL DigitStealer — Jamf
  • Xillen Stealer v5 (Python) expands to harvest browser credentials from 100+ browsers, 70+ crypto wallets, cloud/container configs, TOTP/biometrics and adds P2P C2 and polymorphism. Xillen Stealer v5 — Darktrace
  • Malicious Chrome extension Crypto Copilot injects hidden SOL fees into Raydium swaps, siphoning funds to a hardcoded attacker wallet while obfuscating behavior. Crypto Copilot — Socket.dev
  • Fake adult sites show a full‑screen fake Windows Update (ClickFix/JackFix) to trick users into running commands; multistage mshta→PowerShell chain delivers stealers like Rhadamanthys and Vidar. ClickFix / JackFix campaign — Acronis TRU
  • “Operation Hanoi Thief” used fake resumes and trusted Windows binaries to sideload LOTUSHARVEST, stealing browser credentials from Vietnamese recruitment/IT targets. LOTUSHARVEST / Operation Hanoi Thief — SEQRITE
  • StealC V2 campaign weaponized Blender .blend files to run embedded Python → PowerShell chains, using Pyramid C2 and hidden LNK persistence to target Blender users. StealC via .blend files — Morphisec
  • RelayNFC Android malware in Brazil relays NFC APDU commands over WebSockets to complete contactless payments; uses Hermes bytecode to hinder analysis and experiments with HCE. RelayNFC — Cyble
  • Malicious ZIP with a lure executable SecurityKey.exe displays a PDF password then loads shellcode (PEB walking, API hashing) to fetch further payloads. SecurityKey / Rare Earth lure — dmpdump
  • .NET steganographic loader that extracts image‑embedded stagers to deliver Lokibot, demonstrating stego‑based staging and credential theft techniques. Lokibot stego loader — Splunk

Vulnerabilities & exploitation

  • Complex pre‑auth exploit chain against Oracle E‑Business Suite (12.2.3–12.2.14) leading to RCE via SSRF, CRLF, XSLT remote stylesheet execution — CVE‑2025‑61882. Oracle EBS pre‑auth RCE — WatchTowr Labs
  • FortiWeb auth bypass chain via path traversal + Base64 HTTP_CGIINFO header allows full admin impersonation and persistent admin account creation — CVE‑2025‑64446. FortiWeb auth bypass — WatchTowr Labs
  • Four Microsoft Teams flaws let guests/insiders impersonate executives, edit messages silently, manipulate notifications and forge caller identities (one tracked as CVE‑2024‑38197). Microsoft Teams impersonation — Check Point Research
  • NTLM abuse remains a vector in 2024–2025 with multiple flaws weaponized for hash leaks, relay/reflection and post‑exploit payloads; recommendations: disable/limit NTLM, enable signing/EPA and monitor NTLM traffic. NTLM abuse & ongoing exploitation — SecureList

Breaches, extortion & dark‑web commerce

  • SaaS integration incident: suspicious API activity involving Gainsight + Salesforce led to revoked tokens and links to UNC6040, SmokeLoader and Vidar — underscores risk from trusted integrations. Salesforce–Gainsight incident — Recorded Future
  • Dark‑web broker ByteToBreach sells corporate datasets/access; claimed theft of ~10k GLPI password hashes from Eurofiber using rented VPS SQL extraction. ByteToBreach profile — SOCRadar
  • Resurgent LAPSUS$ Hunters (SLSH) activity: claims of Gainsight data theft, recruitment of insiders, leak teasers and a new RaaS called ShinySp1d3r. ShinySp1d3r / SLSH — Unit42
  • Monthly roundup of November 2025: multi‑stage loaders, stealers, PNG in‑memory loaders and JScript→PowerShell chains across Windows, Linux and Android with IoCs for SOCs. Major cyber attacks — ANY.RUN

E‑commerce fraud & seasonal scams

  • CloudSEK found >2,000 holiday‑themed fake storefronts (Amazon typosquats, .shop clusters) reusing templates and CDN assets to harvest billing/payment details and enable mass financial theft. Holiday fake stores — CloudSEK
  • Fortinet analysis: 2025 holiday season sees surge in malicious e‑commerce domains, stealer logs, and exploitation of Magento/Oracle EBS/WooCommerce — automated attacker services scale credential abuse and payment skimming. Holiday‑season threats — Fortinet

Defensive guidance, AI risks & tooling

  • CERT‑AGID report: AI agents that execute OS commands are risky primarily due to connector code and interfaces; recommends secure SDKs, rigorous testing and security‑by‑design to maintain human control. AI agents & security — CERT‑AGID
  • HashJack: indirect prompt injection via URL fragments against AI browser assistants (Comet, Copilot for Edge, Gemini for Chrome) enabling exfiltration, phishing and harmful instructions; mitigations include CASB/NGAM/IPS. HashJack prompt injection — Cato CTRL
  • Advocate integrating threat intelligence with vulnerability management to prioritize remediation by real‑world attacker activity and asset criticality (Recorded Future integrations with Tenable/Qualys/ServiceNow). TI + VM integration — Recorded Future
  • Automated Security Validation (ASV) and adversarial exposure validation (BAS/APT) help validate exploitability and control effectiveness, reducing MTTR and remediation backlog. ASV guide — Picus Security
  • Operational advice: run phishing simulations with clear signals (HTML comments, visible WHOIS, pre‑notify CERTs, security.txt) to avoid misclassification and prevent simulation IoCs entering incident blacklists. Phishing simulation suggestions — CERT‑AGID
  • Design awareness programs as short, repeated units rather than one‑off lectures to correct misconceptions and reduce email‑based incidents. Awareness training misconceptions — G DATA
  • Product update: Validin improved domain/IP summaries, refreshed Projects UI and YARA‑X workflow enhancements (YARA‑X exiting beta Dec 1). Validin product update — Validin

Threat Research | Weekly Recap – hendryadrian.com