Cyber Web Spider Blog – News

Hyper-V Malware, Malicious AI Bots, RDP Exploits, WhatsApp Lockdown and More

Posted on November 10, 2025 by CWS

Cyber threats did not slow down last week, and attackers are getting smarter. We are seeing malware hidden inside virtual machines, side-channel leaks that expose AI chat topics, and spyware quietly targeting Android devices in the wild.
But that is just the surface. From sleeper logic bombs to a fresh alliance between major threat groups, this week's roundup highlights a clear shift: cybercrime is evolving fast, and the lines between technical stealth and strategic coordination are blurring.
It is worth your time. Every story here is about real risks your team needs to know about right now. Read the full recap.
⚡ Threat of the Week
Curly COMrades Abuses Hyper-V to Hide Malware in Linux VMs — Curly COMrades, a threat actor aligned with Russia's geopolitical interests, has been observed abusing Microsoft's Hyper-V hypervisor on compromised Windows machines to create a hidden Alpine Linux-based virtual machine and deploy malicious payloads inside it. Because the implants run inside the guest, they execute entirely outside the host operating system's visibility, sidestepping endpoint security tools that only inspect host processes. The campaign, observed in July 2025, involved the deployment of CurlyShell and CurlyCat. The victims were not publicly identified.

The threat actors configured the VM to use the Default Switch network adapter in Hyper-V, so the guest's traffic passes through the host's network stack via Hyper-V's internal Network Address Translation (NAT) service; all malicious outbound communication therefore appears to originate from the legitimate host machine's IP address.

Further investigation revealed the chain of events. The attackers first used the Windows Deployment Image Servicing and Management (DISM) command-line tool to enable the Hyper-V hypervisor while disabling its graphical management interface, Hyper-V Manager. The group then downloaded a RAR archive masquerading as an MP4 video file and extracted its contents. The archive contained two files, a VHDX and a VMCX, corresponding to a pre-built Alpine Linux VM. Finally, the threat actors used the Import-VM and Start-VM PowerShell cmdlets to import the virtual machine into Hyper-V and launch it under the name WSL, a deception meant to give the impression that the Windows Subsystem for Linux was in use. "The sophistication demonstrated by Curly COMrades confirms a key trend: as EDR/XDR solutions become commodity tools, threat actors are getting better at bypassing them through tooling or techniques like VM isolation," Bitdefender said.
The findings paint a picture of a threat actor that uses sophisticated methods to maintain long-term access to target networks while leaving a minimal forensic footprint.
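The steps above leave host-side artifacts that a defender can check even though the implant itself is invisible from the host. The following is an added hunting script written for this page; it is not Bitdefender's tooling. It runs elevated on a Windows host, uses the standard Hyper-V optional-feature names and Hyper-V PowerShell cmdlets, and flags the combination reported above: hypervisor enabled with Hyper-V Manager absent, a VM named to look like WSL, Default Switch (host NAT) networking, and VM files outside the default Hyper-V folders. The folder regex and the 512 MB memory heuristic are my own assumptions, not published indicators.

```powershell
# Added example: a hunt for the Hyper-V tradecraft reported above, written for this page;
# it is not Bitdefender's tooling. Run in an elevated PowerShell on the Windows host.
# Feature names are the standard Windows optional-feature identifiers for Hyper-V.

function Get-HyperVFeatureState {
    $names = 'Microsoft-Hyper-V-Hypervisor',
             'Microsoft-Hyper-V-Services',
             'Microsoft-Hyper-V-Management-PowerShell',
             'Microsoft-Hyper-V-Management-Clients'      # the Hyper-V Manager GUI
    foreach ($n in $names) {
        $f = Get-WindowsOptionalFeature -Online -FeatureName $n -ErrorAction SilentlyContinue
        $state = if ($f) { [string]$f.State } else { 'NotFound' }
        [pscustomobject]@{ Feature = $n; State = $state }
    }
}

function Find-SuspiciousHyperVVM {
    $features = Get-HyperVFeatureState
    $hvOn   = ($features | Where-Object Feature -eq 'Microsoft-Hyper-V-Hypervisor').State -eq 'Enabled'
    $guiOff = ($features | Where-Object Feature -eq 'Microsoft-Hyper-V-Management-Clients').State -ne 'Enabled'
    # Hypervisor on, Hyper-V Manager off is exactly the DISM configuration described above.
    if ($hvOn -and $guiOff) {
        Write-Warning 'Hyper-V hypervisor is enabled but Hyper-V Manager is not installed'
    }
    if (-not (Get-Command Get-VM -ErrorAction SilentlyContinue)) {
        Write-Warning 'Hyper-V PowerShell module unavailable; inspect C:\ProgramData\Microsoft\Windows\Hyper-V by hand'
        return
    }
    # Default locations for VM configs and disks (assumption); anything elsewhere deserves a look.
    $knownRoots = '^[A-Z]:\\(ProgramData\\Microsoft\\Windows\\Hyper-V|Users\\Public\\Documents\\Hyper-V)'

    foreach ($vm in Get-VM) {
        $findings = [System.Collections.Generic.List[string]]::new()
        # WSL 2 runs in a utility VM that Hyper-V does not list, so a registered VM
        # called "WSL" is a masquerade, not the real Windows Subsystem for Linux.
        if ($vm.Name -match '^wsl') { $findings.Add('name imitates WSL') }
        # Default Switch = NAT through the host stack: guest traffic leaves with the host IP.
        $switches = @(Get-VMNetworkAdapter -VMName $vm.Name | ForEach-Object { $_.SwitchName })
        if ($switches -contains 'Default Switch') { $findings.Add('attached to Default Switch (host NAT)') }
        if ($vm.ConfigurationLocation -notmatch $knownRoots) { $findings.Add("config at $($vm.ConfigurationLocation)") }
        foreach ($disk in Get-VMHardDiskDrive -VMName $vm.Name) {
            if ($disk.Path -notmatch $knownRoots) { $findings.Add("disk at $($disk.Path)") }
        }
        # A small Linux appliance looks like this; a heuristic, not an indicator.
        if ($vm.MemoryStartup -le 512MB) { $findings.Add('very small memory footprint') }

        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                VM       = $vm.Name
                State    = [string]$vm.State
                Created  = $vm.CreationTime
                Findings = ($findings -join '; ')
            }
        }
    }
}

Find-SuspiciousHyperVVM | Format-List
```

Treat a hit as a lead, not a verdict: correlate the VM's CreationTime with the Microsoft-Windows-Hyper-V-VMMS Admin event log for the import, and look for a RAR archive with a .mp4 name and the extracted VHDX/VMCX pair in user-writable paths around the same time.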

🔔 Top News

'Whisper Leak' Identifies AI Chat Topics in Encrypted Traffic — Microsoft has disclosed details of a novel side-channel attack targeting remote language models that could let a passive adversary able to observe network traffic infer the topic of a conversation despite encryption. "Cyber attackers in a position to observe the encrypted traffic (for example, a nation-state actor at the internet service provider layer, someone on the local network, or someone connected to the same Wi-Fi router) could use this cyber attack to infer if the user's prompt is on a specific topic," the company said. The attack has been codenamed Whisper Leak. The signal is the size and timing of the packets that carry a streamed response: TLS hides their content but not those characteristics, which is why the mitigations center on padding. In a proof-of-concept (PoC) test, researchers found it possible to glean conversation topics from Alibaba, DeepSeek, Mistral, Microsoft, OpenAI, and xAI models with a success rate of over 98%. In response, OpenAI, Mistral, Microsoft, and xAI have deployed mitigations to counter the risk.
Samsung Mobile Flaw Exploited as Zero-Day to Deploy LANDFALL Android Spyware — A now-patched security flaw in Samsung Galaxy Android devices was exploited as a zero-day to deliver a "commercial-grade" Android spyware dubbed LANDFALL in precision attacks in Iraq, Iran, Turkey, and Morocco. The activity involved the exploitation of CVE-2025-21042 (CVSS score: 8.8), an out-of-bounds write flaw in the "libimagecodec.quram.so" component that could allow remote attackers to execute arbitrary code, according to Palo Alto Networks Unit 42. Samsung addressed the issue in April 2025. Once installed and executed, LANDFALL acts as a comprehensive spy tool capable of harvesting sensitive data, including microphone recordings, location, photos, contacts, SMS, files, and call logs. While Unit 42 said the exploit chain may have involved a zero-click approach over WhatsApp that triggers CVE-2025-21042 without any user interaction, there are currently no indications that this occurred or that an unknown security issue exists in WhatsApp to support the hypothesis. The spyware is specifically designed to target Samsung's Galaxy S22, S23, and S24 series devices, as well as the Z Fold 4 and Z Flip 4. There are no conclusive clues yet as to who is behind it, nor is it clear how many people were targeted or compromised.
Hidden Logic Bombs in Malicious NuGet Packages Go Off Years After Deployment — A set of nine malicious NuGet packages has been identified as capable of dropping time-delayed payloads that sabotage database operations and corrupt industrial control systems. The packages were published in 2023 and 2024 by a user named "shanhai666" and are designed to run malicious code after specific trigger dates in August 2027 and November 2028, except for one library that claims to extend the functionality of another legitimate NuGet package called Sharp7. That package, Sharp7Extend, activates its malicious logic immediately after installation and keeps running until June 6, 2028, when a built-in termination mechanism shuts it off. A trigger date years in the future is aimed squarely at install-time scanning and sandbox detonation, which never see the malicious branch execute; source review of dependencies and pinning to audited versions are the controls that still work.
Flaws in Microsoft Teams Expose Users to Impersonation Risks — A set of four now-patched security vulnerabilities in Microsoft Teams could have exposed users to serious impersonation and social engineering attacks. The vulnerabilities "allowed attackers to manipulate conversations, impersonate colleagues, and exploit notifications," according to Check Point. These shortcomings made it possible to alter message content without leaving the "Edited" label, to spoof the sender identity, and to modify incoming notifications to change the apparent sender of a message, allowing an attacker to trick victims into opening malicious messages by making them appear to come from a trusted source, including C-suite executives. The flaws also allowed changing the display names in private chat conversations by modifying the conversation topic, as well as arbitrarily modifying the display names used in call notifications and during a call, letting an attacker forge caller identities. Microsoft has since addressed the issues.
Three High-Profile Groups Come Together — Scattered LAPSUS$ Hunters (SLH), a merger formed between Scattered Spider, LAPSUS$, and ShinyHunters, has cycled through at least 16 Telegram channels since August 8, 2025. The group, which has advertised an extortion-as-a-service offering and is also testing "Sh1nySp1d3r" ransomware, is now assessed to be not just a fluid collaboration but a coordinated alliance blending the operational tactics of the three high-profile criminal clusters under a shared banner for extortion, recruitment, and audience control. The new group is deliberately pooling the reputational capital of the three brands to create a potent, unified threat identity. The effort is seen as the first cohesive alliance within The Com, a traditionally loose-knit network, with the merger serving as a force multiplier for financially motivated attacks.

🔥 Trending CVEs
Hackers move fast. They often exploit new vulnerabilities within hours, turning a single missed patch into a major breach. One unpatched CVE can be all it takes for a full compromise. Below are this week's most critical vulnerabilities gaining attention across the industry. Review them, prioritize your fixes, and close the gap before attackers take advantage.
This week's list includes — CVE-2025-20354, CVE-2025-20358 (Cisco Unified CCX), CVE-2025-20343 (Cisco Identity Services Engine), CVE-2025-62626 (AMD), CVE-2025-5397 (Noo JobMonster theme), CVE-2025-48593, CVE-2025-48581 (Android), CVE-2025-11749 (AI Engine plugin), CVE-2025-12501 (GameMaker IDE), CVE-2025-23358 (NVIDIA App for Windows), CVE-2025-64458, CVE-2025-64459 (Django), CVE-2025-12058 (Keras AI), CVE-2025-12779 (Amazon WorkSpaces client for Linux), CVE-2025-12735 (JavaScript expr-eval), CVE-2025-62847, CVE-2025-62848, CVE-2025-62849 (QNAP QTS and QuTS hero), CVE-2024-12886, CVE-2025-51471, CVE-2025-48889 (Ollama), CVE-2025-34299 (Monsta FTP), CVE-2025-31133, CVE-2025-52565, CVE-2025-52881 (runc), CVE-2025-55315 (ASP.NET Core Kestrel server), CVE-2025-64439 (langgraph-checkpoint), CVE-2025-37735 (Elastic Defend on Windows), and 7 vulnerabilities in django-allauth.

📰 Around the Cyber World

RDP Accounts Breached to Drop Cephalus Ransomware — A new Go-based ransomware called Cephalus has been breaching organizations since mid-June 2025 by stealing credentials for Remote Desktop Protocol (RDP) accounts that do not have multi-factor authentication (MFA) enabled. It is currently not known whether it operates as a ransomware-as-a-service (RaaS). "Upon execution, it disables Windows Defender's real-time protection, deletes VSS backups, and stops key services such as Veeam and MSSQL to increase its encryption success rate and reduce the chances of recovery," AhnLab said. "Cephalus uses a single AES-CTR key for encryption, and this key is managed to minimize exposure on disk and in memory. Finally, the AES key is encrypted using an embedded RSA public key, ensuring that only threat actors with the corresponding RSA private key can decrypt the key. It disrupts dynamic analysis by generating a fake AES key."
WhatsApp to Roll Out Enhanced Protections for High-Risk Accounts — Users at higher risk of being targeted by hacking attempts will soon have the option to enable an extra set of security features on WhatsApp, according to a beta version of the app analyzed by WABetaInfo. Similar to Apple's Lockdown Mode, the feature blocks media and attachments from unknown senders, adds calling and messaging restrictions, and enables other settings, including silencing unknown callers, restricting automatic group invitations to known contacts, disabling link previews, notifying users about security (encryption) code changes, activating two-step verification, and limiting the visibility of personal information to unknown contacts.
Aurologic Provides Hosting for Sanctioned Entities — German hosting provider aurologic GmbH has emerged as a "central nexus within the global malicious infrastructure ecosystem," providing upstream transit and data center services to a large concentration of high-risk hosting networks, including the Doppelgänger disinformation network and the recently sanctioned Aeza Group, as well as Metaspinner net GmbH (AsyncRAT, njRAT, Quasar RAT), Femo IT Solutions Limited (CastleLoader and other malware), Global-Data System IT Corporation (Cobalt Strike, Sliver, Quasar RAT, Remcos RAT, and other malware), and Railnet. The company was established in October 2023. "Despite its core focus on legitimate network and data center operations, Aurologic has emerged as a hub for some of the most abusive and high-risk networks operating within the global hosting ecosystem," Recorded Future said.
Australia Sanctions North Korean Threat Actors — The Australian Government has imposed financial sanctions and travel bans on four entities and one individual — Park Jin Hyok, Kimsuky, Lazarus Group, Andariel, and Chosun Expo — for engaging in cybercrime to support and fund North Korea's unlawful weapons of mass destruction and ballistic missile programs. "The scale of North Korea's involvement in malicious cyber-enabled activities, including cryptocurrency theft, fraudulent IT work and espionage, is deeply concerning," the Foreign Affairs ministry said.
U.K. Takes Action on Spoofed Mobile Numbers — U.K. mobile carriers will upgrade their networks to "eliminate the ability for foreign call centres to spoof U.K. numbers." The companies will flag calls that originate abroad to prevent scammers from impersonating U.K. phone numbers. They will also roll out "advanced call tracing technology" to give law enforcement the tools to track down scammers operating within the country and dismantle their operations. "It will make it harder than ever for criminals to trick people through scam calls, using cutting-edge technology to expose fraudsters and bring them to justice," the U.K. government said.
Security Flaw in Advanced Installer — A vulnerability has been disclosed in Advanced Installer (version 22.7), a framework for building Windows installers. The bug can let threat actors hijack an application's update mechanism and run malicious external code if update packages are not digitally signed. By default, and in common practice, they are not, Cyderes said. The practical fix for anyone shipping an Advanced Installer-based updater is to sign the update packages so the updater can reject a tampered or redirected download. According to its website, Advanced Installer is used by developers and system administrators in more than 60 countries "to package or repackage everything from small shareware products, internal applications, and system drivers, to large mission-critical systems." Given Advanced Installer's popularity, the issue poses a significant supply chain risk, opening the door to Bring Your Own Updates (BYOU) attacks in which attackers hijack trusted updaters to execute arbitrary code while bypassing security controls. "These attacks are especially dangerous because they exploit trust and scale: a single poisoned update from a widely used tool (for example, an installer or build tool like Advanced Installer) can silently distribute signed, trusted malware to countless global companies, causing broad data theft, operational outages, regulatory penalties, and severe reputational damage across many sectors," security researcher Reegun Jayapaul said.
Jailbreak Detection in Authenticator App — Microsoft said it will introduce jailbreak/root detection for Microsoft Entra credentials in the Authenticator app starting February 2026. "This update strengthens security by preventing Microsoft Entra credentials from operating on jailbroken or rooted devices. All existing credentials on such devices will be wiped to protect your organization," it said. The change applies to both Android and iOS devices.
Bad Actors Exploit Flaws in RMM Software — Threat actors have been found exploiting known security vulnerabilities in the SimpleHelp Remote Monitoring and Management (RMM) platform (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728) to gain downstream access into customer environments and deploy Medusa and DragonForce ransomware. "By compromising third-party RMM servers running as SYSTEM, attackers achieved full control over victim networks, deploying discovery tools, disabling defences, exfiltrating data via RClone and Restic, and finally encrypting systems," Zensec said.
Cambodia Raids Scam Compounds in Bavet City — Cambodian authorities raided two cyber scam compounds in the city of Bavet on November 4, 2025, taking more than 650 suspects, mostly foreign nationals, into custody. One compound specialized in impersonating government authorities to threaten victims, while the second site ran fake high-profit investment schemes, forged banking platforms, romance scams, and fake marathon registrations, and used AI deepfake videos and images to forge identities.
Samourai Wallet Co-Founder Sentenced to 5 Years in Prison — Keonne Rodriguez, the co-founder and CEO of cryptocurrency mixing service Samourai Wallet, was sentenced to five years in prison. Authorities shut down the Samourai Wallet website in April 2024. The service was used to launder more than $237 million in cryptocurrency linked to hacks, online fraud, and drug trafficking. Samourai Wallet CTO William Lonergan Hill is expected to be sentenced later this month. Both individuals pleaded guilty to money laundering charges in August.
Russian Man Pleads Guilty for Yanluowang Attacks — A 25-year-old Russian national, Aleksei Olegovich Volkov, has pleaded guilty to hacking U.S. companies and selling access to ransomware groups. Volkov operated online under the handle chubaka.kor and worked as an initial access broker (IAB) for the Yanluowang ransomware operation, exploiting security flaws between July 2021 and November 2022. As many as seven U.S. businesses were attacked during that period, of which an engineering firm and a bank paid a combined $1.5 million in ransoms. Volkov was arrested on January 18, 2024, in Rome and was later extradited to the U.S. to face charges.
Malicious AI Bots Impersonate Legitimate Agents — Threat actors have been found developing and deploying bots that impersonate legitimate AI agents from providers like Google, OpenAI, Grok, and Anthropic. "Malicious actors can exploit updated bot policies by spoofing AI agent identities to bypass detection systems, potentially executing large-scale account takeover (ATO) and financial fraud attacks," Radware said. "Attackers need only spoof ChatGPT's user agent and use residential proxies or IP spoofing techniques to be classified as a 'good AI bot' with POST permissions."
Fake Installers Mimic Productivity Tools in Ongoing Campaigns — Information stealer campaigns are leveraging malicious installers that impersonate legitimate productivity tools, likely created using EvilAI, to distribute backdoor malware known as TamperedChef/BaoLoader. "The backdoor is also capable of extracting DPAPI secrets and provides full command-and-control functionality, including arbitrary command execution, file upload and download, and data exfiltration," CyberProof said. "In most observed cases, the malware proceeds with the deployment of second-stage binaries and establishes additional persistence mechanisms, such as ASEP registry run keys and .LNK startup files."
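The Cephalus and SimpleHelp items above describe the same hands-on-keyboard stage: shadow copies deleted, Defender real-time protection switched off, backup and database services stopped, and data pushed out with RClone or Restic. All of it shows up as process creation on the victim host. The following is an added hunting script written for this page, not AhnLab's, Zensec's or the article's code. It assumes Security event 4688 with command-line logging is enabled (Audit Process Creation plus the "Include command line in process creation events" policy); the indicator regexes are my reading of the reported behaviour, not a vendor rule set, and the sample command lines are constructed so the matcher can be exercised offline.

```powershell
# Added example, not from AhnLab, Zensec or the article. Hunts Security event 4688
# (process creation; needs "Audit Process Creation" plus command-line logging) for the
# commands both campaigns above rely on. Indicator patterns are my own, not vendor rules.

$Indicators = @(
    @{ Name = 'Shadow copy deletion';      Pattern = 'vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|wbadmin(\.exe)?\s+delete' }
    @{ Name = 'Defender real-time off';    Pattern = 'Set-MpPreference\s+.*-DisableRealtimeMonitoring\s+\$?true' }
    @{ Name = 'Backup/DB service stopped'; Pattern = '(net(\.exe)?\s+stop|sc(\.exe)?\s+stop|Stop-Service).*(veeam|mssql|sql)' }
    @{ Name = 'Exfil tooling';             Pattern = '\b(rclone|restic)(\.exe)?\s+(copy|sync|move|backup|init)\b' }
)

function Test-CommandLineIndicator {
    param([Parameter(Mandatory)][string]$CommandLine)
    foreach ($i in $Indicators) {
        if ($CommandLine -imatch $i.Pattern) { return $i.Name }
    }
    return $null
}

function Get-ProcessCreationHits {
    param([int]$Hours = 24, [string]$ComputerName = $env:COMPUTERNAME)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Parse the rendered message rather than relying on property ordinals,
            # which differ between Windows versions.
            $cmd  = if ($_.Message -match 'Process Command Line:\s*(.+)') { $Matches[1].Trim() } else { '' }
            $user = if ($_.Message -match 'Account Name:\s*(\S+)') { $Matches[1] } else { '' }
            $hit  = Test-CommandLineIndicator -CommandLine $cmd
            if ($hit) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Host        = $ComputerName
                    User        = $user
                    Indicator   = $hit
                    CommandLine = $cmd
                }
            }
        }
}

# Constructed sample command lines (not from any incident) to exercise the matcher offline:
$sample = @(
    'vssadmin.exe delete shadows /all /quiet',
    'powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true',
    'net stop VeeamBackupSvc /y',
    'rclone.exe copy C:\Finance remote:bucket --transfers 8',
    'notepad.exe C:\Users\alice\notes.txt'
)
$sample | ForEach-Object { [pscustomobject]@{ Command = $_; Indicator = (Test-CommandLineIndicator $_) } }

# Live query on this host, last 24 hours:
Get-ProcessCreationHits | Format-Table -AutoSize
```

The last sample line returns no indicator; the first four each map to one. In a real deployment this belongs in the SIEM rather than a scheduled script, and a single RMM server account spawning these commands across many endpoints is the SimpleHelp pattern Zensec describes.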
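The attack Radware describes works because a User-Agent string is free to set. The defensible check is the source address: vendors publish the IP ranges their crawlers and agents use, and a request that claims to be GPTBot from an address outside those ranges should get ordinary-client treatment, not bot privileges. The following is an added example for this page, not Radware's code. The CIDR table is a constructed placeholder using RFC 5737 documentation ranges; in production load the ranges each vendor publishes and refresh them on a schedule.

```powershell
# Added example for this page, not Radware's code: verify a claimed AI-bot identity by
# source IP rather than trusting the User-Agent header. The CIDR table is a constructed
# placeholder (RFC 5737 documentation ranges); replace it with each vendor's published ranges.

$BotAllowlist = @{
    'GPTBot'       = @('203.0.113.0/24')
    'ChatGPT-User' = @('203.0.113.0/24')
    'Googlebot'    = @('198.51.100.0/24')
    'ClaudeBot'    = @('192.0.2.0/24')
}

function ConvertTo-IPv4UInt32 {
    param([string]$IPAddress)
    $b = ([System.Net.IPAddress]::Parse($IPAddress)).GetAddressBytes()
    if ($b.Length -ne 4) { throw "IPv4 only: $IPAddress" }
    # Arithmetic instead of shifts keeps the value unsigned in Windows PowerShell and PowerShell 7 alike.
    return [uint32]($b[0] * 16777216 + $b[1] * 65536 + $b[2] * 256 + $b[3])
}

function Test-IPv4InCidr {
    param([string]$IPAddress, [string]$Cidr)
    $network, $prefix = $Cidr -split '/'
    $prefix = [int]$prefix
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $prefix))   # /24 -> 0xFFFFFF00
    $ip  = ConvertTo-IPv4UInt32 $IPAddress
    $net = ConvertTo-IPv4UInt32 $network
    return (($ip -band $mask) -eq ($net -band $mask))
}

function Test-BotClaim {
    param([string]$UserAgent, [string]$SourceIP)
    # Which vendor agent does the UA claim to be? Unknown UAs are ordinary clients.
    $claimed = @($BotAllowlist.Keys | Where-Object { $UserAgent -like "*$_*" })
    if ($claimed.Count -eq 0) { return 'client' }
    $name = $claimed[0]
    $inRange = @($BotAllowlist[$name] | Where-Object { Test-IPv4InCidr -IPAddress $SourceIP -Cidr $_ })
    if ($inRange.Count -gt 0) { return "verified:$name" }
    # UA says vendor bot, IP says residential proxy or anything else: deny bot privileges.
    return "spoofed:$name"
}

# Constructed requests; the second is the residential-proxy case from the report above.
$requests = @(
    @{ UA = 'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko); compatible; GPTBot/1.2; +https://openai.com/gptbot'; IP = '203.0.113.7' }
    @{ UA = 'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko); compatible; GPTBot/1.2; +https://openai.com/gptbot'; IP = '198.51.100.9' }
    @{ UA = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/130.0'; IP = '198.51.100.9' }
)
foreach ($r in $requests) {
    [pscustomobject]@{ SourceIP = $r.IP; Verdict = (Test-BotClaim -UserAgent $r.UA -SourceIP $r.IP) }
}
```

The three constructed requests yield verified:GPTBot, spoofed:GPTBot and client. The policy decision that matters is what "spoofed" triggers: a request wearing a vendor bot's name from an unverified address should lose any bot exemption (POST permission, rate-limit bypass, CAPTCHA skip) and be challenged like any other client, not simply logged.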

🎥 Cybersecurity Webinars

Learn How Top Experts Secure Multi-Cloud Workloads Without Slowing Innovation — Join this expert-led session to learn how to protect your cloud workloads without slowing innovation. You will discover simple, proven ways to control identities, meet global compliance rules, and reduce risk across multi-cloud environments. Whether you work in tech, finance, or operations, you will leave with clear, practical steps to strengthen security and keep your business agile, compliant, and ready for what comes next.
Guardrails, Not Guesswork: How Mature IT Teams Secure Their Patch Pipelines — Join this session to learn how to patch faster without losing security. You will see real examples of how community repositories like Chocolatey and Winget can expose your network if not managed safely, and get clear, practical guardrails to avoid it. Gene Moody, Field CTO at Action1, will show you exactly when to trust community repos, when to go vendor-direct, and how to balance speed with safety so your patching stays fast, reliable, and secure.
Discover How Leading Enterprises Are Cutting Exposure Time in Half with DASR — Join this live session to discover how Dynamic Attack Surface Reduction (DASR) helps you cut through endless vulnerability lists and actually stop attacks before they happen. You will see how smart automation and context-driven decisions can shrink your attack surface, close hidden entry points, and free your team from alert fatigue. Walk away with a clear plan to reduce exposures faster, strengthen defenses, and stay one step ahead of attackers, without adding extra work.

🔧 Cybersecurity Tools

FuzzForge is an open-source tool that helps security engineers and researchers automate application and offensive security testing using AI and fuzzing. It lets you run vulnerability scans, manage workflows, and use AI agents to analyze code, find bugs, and test for weaknesses across different platforms. It is built to make cloud and AppSec testing faster, smarter, and easier to scale for individuals and teams.
Butler is a tool that scans all repositories in a GitHub organization to find and review workflows, actions, secrets, and third-party dependencies. It helps security teams understand what runs in their GitHub environment and produces easy-to-read HTML and CSV reports for audits, compliance checks, and workflow management.
Find-WSUS is a PowerShell tool that helps security teams and system admins find every WSUS server defined in Group Policy. It checks both normal policy settings and Group Policy Preferences that do not show up in standard reports. This matters because a compromised WSUS server can push fake updates and take control of every domain computer. Using Find-WSUS ensures you know exactly where your update servers are configured, before attackers do.
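Before running a full inventory tool, two quick checks answer most of the question Find-WSUS is built for: where does this host actually get its updates, and does any GPO set a WSUS server through Group Policy Preferences, which a normal policy report misses. The following is an added example written for this page, not the Find-WSUS tool itself. It reads the documented Windows Update policy registry keys and assumes a standard domain SYSVOL layout for the GPO store.

```powershell
# Added example for this page (not the Find-WSUS tool): a minimal check of where this host
# gets updates and whether the GPO store carries WSUS settings in Group Policy Preferences.
# Registry paths are the documented Windows Update policy locations; the SYSVOL path assumes
# a standard domain layout.

function Get-LocalWsusPolicy {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $base      -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$base\AU" -ErrorAction SilentlyContinue
    $risks = [System.Collections.Generic.List[string]]::new()
    if ($au.UseWUServer -eq 1 -and -not $wu.WUServer) { $risks.Add('UseWUServer=1 but WUServer is empty') }
    # Plain-HTTP WSUS lets an on-path attacker rewrite update metadata; HTTPS is the fix.
    if ($wu.WUServer -and $wu.WUServer -notmatch '^https://') { $risks.Add("WSUS over HTTP: $($wu.WUServer)") }
    [pscustomobject]@{
        UseWUServer    = ($au.UseWUServer -eq 1)
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        Risks          = ($risks -join '; ')
    }
}

function Find-WsusInGroupPolicyPreferences {
    param([string]$Domain = $env:USERDNSDOMAIN)
    # GPP registry items live in Registry.xml under each GPO's Machine\Preferences\Registry
    # folder; they never appear in an ADMX-based policy report, the blind spot Find-WSUS targets.
    Get-ChildItem -Path "\\$Domain\SYSVOL\$Domain\Policies" -Recurse -Filter 'Registry.xml' -ErrorAction SilentlyContinue |
        Select-String -Pattern 'WUServer' -SimpleMatch |
        ForEach-Object { [pscustomobject]@{ File = $_.Path; Line = $_.Line.Trim() } }
}

Get-LocalWsusPolicy
Find-WsusInGroupPolicyPreferences
```

Any WUServer value over http:// is the finding to act on first, since the hijack the tool description warns about is easiest when the client will accept unsigned metadata from whoever answers on that path.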

Disclaimer: These tools are for educational and research use only. They have not been fully security-tested and may pose risks if used incorrectly. Review the code before trying them, test only in safe environments, and follow all ethical, legal, and organizational rules.

🔒 Tip of the Week
Stop Sensitive Data From Reaching AI Chats — Many teams use AI chat tools to get things done faster, like writing scripts, fixing bugs, or shortening reports. But everything typed into these systems leaves your company network and may be stored, logged, or reused. If that data includes credentials, internal code, or client information, it becomes an easy leak point.
Attackers and insiders can retrieve this data later, or models might accidentally expose it in future outputs. One careless prompt can expose far more than expected.
✅ Add a security layer before the AI. Use OpenGuardrails or similar open-source frameworks to scan and block sensitive text before it is sent to the model. These tools integrate directly into your apps or internal chat systems.
✅ Pair it with DLP monitoring. Tools like MyDLP or OpenDLP can watch outbound data for patterns like passwords, API keys, or client identifiers.
✅ Create prompt policies. Define what employees can and cannot share with AI systems. Treat prompts like data leaving your network.
Do not trust AI companies to keep your secrets safe. Add guardrails to your workflow and control what leaves your domain. You do not want sensitive data to end up training someone else's model.
Conclusion
Just reading headlines will not cut it. These attacks show what is coming next: more hidden, more focused, and harder to spot.
Whether you work in security or just want to stay in the loop, this update breaks it down fast. Clear, useful, no extra noise. Take a few minutes and get caught up before the next big threat lands.
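What the "security layer before the AI" in the tip actually does is simple to show. The following is an added example written for this page, not code from OpenGuardrails, MyDLP or OpenDLP: a pre-send filter that either redacts secrets from a prompt or blocks it outright. Known formats (AWS access key IDs, PEM private keys, GitHub tokens, JWTs, password and connection-string assignments) are caught by pattern, and anything opaque the patterns miss is caught by a character-entropy check on long words, with a lower threshold for hex strings since hex caps out at 4 bits per character. The patterns and thresholds are illustrative; the sample prompt is constructed, and the AWS key in it is the documentation example key, not a live credential.

```powershell
# Added example for this page, not OpenGuardrails, MyDLP or OpenDLP code: a pre-send filter
# that redacts secrets from a prompt (or blocks it) before it reaches an AI endpoint.
# Patterns and thresholds are illustrative; the sample prompt is constructed and the AWS key
# is AWS's documentation example key, not a live credential.

$SecretPatterns = @(
    @{ Name = 'AWS access key';      Pattern = '\bAKIA[0-9A-Z]{16}\b' }
    @{ Name = 'Private key block';   Pattern = '-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----' }
    @{ Name = 'GitHub token';        Pattern = '\bgh[pousr]_[A-Za-z0-9]{36,}\b' }
    @{ Name = 'JWT';                 Pattern = '\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b' }
    @{ Name = 'Password assignment'; Pattern = '(?i)\b(passw(or)?d|pwd|secret|api[_-]?key)\s*[:=]\s*["'']?\S{6,}' }
    @{ Name = 'Connection string';   Pattern = '(?i)(Server|Data Source)=[^;]+;.*?(Password|Pwd)=[^;\s]+' }
)

function Get-ShannonEntropy {
    param([string]$Text)
    if ([string]::IsNullOrEmpty($Text)) { return 0.0 }
    $counts = @{}
    foreach ($ch in $Text.ToCharArray()) { $counts[$ch] = 1 + [int]$counts[$ch] }
    $h = 0.0
    foreach ($n in $counts.Values) {
        $p = $n / $Text.Length
        $h -= $p * [math]::Log($p, 2)
    }
    return $h
}

function Protect-Prompt {
    param(
        [Parameter(Mandatory)][string]$Prompt,
        [double]$EntropyThreshold    = 4.3,   # random base64 of 24+ chars scores above this
        [double]$HexEntropyThreshold = 3.0,   # hex tops out at 4.0, so use a lower bar
        [switch]$BlockInsteadOfRedact
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    $clean = $Prompt
    foreach ($p in $SecretPatterns) {
        $rx = [regex]$p.Pattern
        if ($rx.IsMatch($clean)) {
            $findings.Add($p.Name)
            $clean = $rx.Replace($clean, "[REDACTED:$($p.Name)]")
        }
    }
    # Catch-all for opaque tokens no regex knows: long words with high character entropy.
    # Splitting on a captured whitespace group keeps the separators so the text rejoins intact.
    $rebuilt = foreach ($word in ($clean -split '(\s+)')) {
        $bar = if ($word -match '^[0-9a-fA-F]+$') { $HexEntropyThreshold } else { $EntropyThreshold }
        if ($word.Length -ge 24 -and (Get-ShannonEntropy $word) -ge $bar) {
            $findings.Add('High-entropy token'); '[REDACTED:token]'
        } else { $word }
    }
    $clean   = -join $rebuilt
    $blocked = $BlockInsteadOfRedact -and $findings.Count -gt 0
    $output  = if ($blocked) { $null } else { $clean }
    [pscustomobject]@{
        Allowed  = -not $blocked
        Findings = (($findings | Select-Object -Unique) -join ', ')
        Prompt   = $output
    }
}

# Constructed sample prompt; the AKIA value is AWS's documentation example key.
$sample = @'
Can you fix my deploy script? It runs:
aws configure set aws_access_key_id AKIAIOSFODNN7EXAMPLE
psql "host=db.internal user=app password=Tr0ub4dor&3xyz"
and then uploads with token 9f8e7d6c5b4a39281706f5e4d3c2b1a0ffee
'@
Protect-Prompt -Prompt $sample | Format-List
Protect-Prompt -Prompt $sample -BlockInsteadOfRedact | Format-List
```

On the sample, the first call returns the prompt with the access key, the password assignment and the hex token replaced by placeholders; the second returns Allowed = False and no prompt. Redaction is the friendlier default for a developer asking for help with a script, since the question still gets through; blocking is the right mode for a channel that should never carry credentials at all. Tune the entropy thresholds against your own traffic, because long URLs and some identifiers sit close to the base64 bar.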

Source: The Hacker News. Tags: Bots, Exploits, Hyper-V, Lockdown, Malicious, Malware, RDP, WhatsApp
