Welcome to this week’s version of the Cybersecurity Information Weekly E-newsletter, the place we dissect the most recent threats shaking the digital panorama. As cyber dangers evolve sooner than ever, staying forward means understanding the exploits that would goal your units, networks, and information.
This roundup spotlights zero-day vulnerabilities in Android and Cisco methods, crucial flaws in Microsoft Groups, the rise of HackedGPT as a weaponized AI software, and a serious leak from OpenAI’s Whisper transcription service. These tales underscore the pressing want for proactive defenses in an period of refined assaults.
Kicking off with cell safety, a newly disclosed zero-day in Android’s kernel has left thousands and thousands of units uncovered to distant code execution. Google has rushed a patch, however unupdated units stay at excessive danger particularly in enterprise environments counting on BYOD insurance policies. Exploited within the wild by state-sponsored actors, this vulnerability has prompted emergency advisories, reminding us why well timed firmware updates are non-negotiable for infrastructure safety.
Shifting to collaboration instruments, Microsoft Groups harbors a number of high-severity vulnerabilities, together with a privilege escalation bug that lets authenticated customers entry delicate admin capabilities. These flaws, detailed in Microsoft’s October Patch Tuesday, might facilitate lateral motion in hybrid work setups, the place Groups serves as a gateway to company assets. Organizations ought to prioritize patching to mitigate phishing and insider threats amplified by these weaknesses.
Within the AI realm, HackedGPT emerges as a chilling improvement: a modified model of ChatGPT fine-tuned for malicious functions, able to producing phishing emails, malware code, and even social engineering scripts.
Researchers warn that this “jailbroken” AI democratizes cybercrime, reducing obstacles for novice attackers. Complementing this, an enormous information leak from OpenAI’s Whisper API has uncovered over 1.5 million audio recordsdata, together with delicate conversations from healthcare and finance sectors.
The breach, attributed to misconfigured cloud storage, highlights the privateness pitfalls of AI-driven transcription instruments and the cascading dangers when voice information falls into the improper palms.
These incidents reveal a typical thread: the intersection of legacy methods, speedy tech adoption, and human oversight fueling exploits. As we dive deeper into every story with professional evaluation, patch suggestions, and menace mitigation methods, do not forget that vigilance begins with consciousness. Keep safe, and let’s unpack the small print forward.
Threats
Hackers Ship SSH-Tor Backdoor Through Weaponized Army Paperwork
In October 2025, Cyble researchers uncovered a state-sponsored cyber espionage marketing campaign utilizing weaponized Belarusian navy paperwork to deploy a complicated SSH-Tor backdoor aimed toward protection sector personnel, significantly these in unmanned aerial automobile operations. The malware combines OpenSSH for Home windows with a personalized Tor hidden service utilizing obfs4 obfuscation, enabling nameless entry to SSH, RDP, SFTP, and SMB protocols on contaminated methods. The multi-stage an infection includes nested ZIP archives and LNK recordsdata with anti-analysis checks, reminiscent of verifying LNK file counts and course of numbers, to evade sandboxes whereas establishing persistence by way of scheduled duties. Attribution factors to reasonable confidence in UAC-0125/Sandworm (APT44), a Russian-linked group, with techniques echoing the December 2024 Military+ marketing campaign. Learn extra
Oleksii Oleksiyovych Lytvynenko, a 43-year-old Ukrainian nationwide, was extradited from Eire to the US to face fees for his position within the Conti ransomware conspiracy between 2020 and June 2022. The operation hacked networks, encrypted information, and demanded cryptocurrency ransoms, affecting over 1,000 victims throughout 47 US states and 31 international locations, producing a minimum of $150 million by January 2022. Conti was the highest ransomware variant focusing on crucial infrastructure in 2021, with Lytvynenko allegedly managing stolen information and ransom notes, together with extorting over $500,000 in Tennessee. Arrested in July 2023 by Irish police at US request, he faces as much as 25 years if convicted for conspiracy to commit pc and wire fraud. This case displays ongoing US efforts to dismantle world ransomware networks, with over 180 convictions since 2020. Learn extra
Phishing Assault That Abuses Cloudflare Providers
A Russian-speaking menace actor is abusing Cloudflare’s Pages and Employees providers to host phishing pages disguised as DMCA takedown notices, tricking victims into downloading malicious recordsdata. The marketing campaign directs customers to malicious .lnk recordsdata by way of the “search-ms” protocol, which execute PowerShell scripts downloading ZIP archives containing Python-based payloads related to Pyramid C2 servers for distant management. Over 20 domains have been recognized, many reusing file names however altering contents, hosted on networks like Railnet LLC with uncovered directories facilitating payload staging. This system leverages professional Cloudflare domains like pages.dev and staff.dev for credibility, enabling widespread distribution by means of social engineering. Learn extra
New TruffleNet BEC Marketing campaign Leverages AWS SES
FortiGuard Labs recognized the TruffleNet marketing campaign abusing stolen AWS credentials to use Easy E-mail Service (SES) for large-scale Enterprise E-mail Compromise (BEC) assaults, primarily focusing on the oil and fuel sector. The infrastructure spans over 800 hosts throughout 57 networks, utilizing TruffleHog for credential validation and Portainer for administration, with preliminary API calls like GetCallerIdentity and GetSendQuota to verify entry. Attackers create e-mail identities with stolen DKIM keys from compromised WordPress websites, impersonating distributors like ZoomInfo to ship fraudulent $50,000 ACH invoices to typosquatted domains.[From fetch content] The tiered setup contains US-based suppliers like WS Telecom and Hivelocity, with open ports repurposed for operations, and FortiCNAPP detected anomalies by means of behavioral indicators. Learn extra
Risk Actors Leverage RMM Instruments for Assaults
Risk actors are more and more utilizing professional Distant Monitoring and Administration (RMM) instruments as first-stage payloads in e-mail campaigns for information assortment, monetary theft, lateral motion, and ransomware deployment. This pattern aligns with a decline in conventional loaders and botnets, as RMMs present strong distant options with inherent legitimacy, evading detection in enterprise environments. Examples embrace Hunters Worldwide utilizing AnyDesk and ScreenConnect for persistent entry in a UK manufacturing assault, sustaining instruments for over a month earlier than ransomware execution. A number of business and open-source RMMs have been exploited for preliminary entry and exfiltration, blurring the strains between admin exercise and malicious intent. Learn extra
RondoDox Botnet Updates Arsenal with Expanded Exploits
The RondoDox botnet has advanced to v2, increasing from two exploits focusing on DVRs to over 75 vectors throughout IoT and enterprise units, a 650% enhance first famous in September 2024. Detected on October 30, 2025, by way of honeypots from IP 124.198.131.83, it exploits CVEs like Shellshock (CVE-2014-6271), Dasan GPON (CVE-2018-10561), and up to date ones in TBK DVRs (CVE-2024-3721). This shift bridges IoT opportunism to enterprise focusing on, analyzed by Beelzebub’s AI deception platform capturing the complete assault chain. FortiGuard Labs and Development Micro have tracked its development, emphasizing vulnerabilities spanning a decade of CVEs in routers and purposes. Learn extra
XLoader Malware Analyzed Utilizing ChatGPT
Researchers used ChatGPT to speed up reverse engineering of XLoader, a FormBook successor evolving since 2020, decrypting over 100 capabilities and breaking modified RC4 schemes in hours fairly than days. The AI workflow exported IDA Professional information for static evaluation, extracting runtime values like encryption keys and C2 information by way of reside debuggers, deobfuscating API calls hidden by customized hashing. XLoader employs runtime decryption and multi-layer encryption with hidden keys, often updating to counter evaluation, making AI-assisted dissection a game-changer for malware groups. Learn extra
Risk Actors Might Abuse VS Code Extensions
North Korean-linked actors are importing rogue Visible Studio Code (VS Code) extensions to Microsoft’s market, impersonating standard instruments like Prettier to allow provide chain assaults on builders. Extensions run with full person privileges with out sandboxing, permitting arbitrary code execution, file manipulation, and information theft as soon as put in. Attackers exploit {the marketplace}’s lack of distinctive identify enforcement and bypass verification badges, with a PoC pretend Prettier extension put in over 1,000 instances earlier than removing. Customers ought to confirm sources, evaluations, and obtain counts to mitigate dangers from this developer-targeted vector. Learn extra
Cyberattack
WSUS Port Scanning Surge
Cybersecurity researchers have noticed a pointy enhance in scans focusing on TCP ports 8530 and 8531 related to Home windows Server Replace Providers (WSUS) infrastructure. This exercise hyperlinks to CVE-2025-59287, a crucial vulnerability enabling distant code execution with out authentication, permitting attackers to run arbitrary scripts on susceptible servers. Risk actors comply with a reconnaissance-to-exploitation sample, and consultants suggest auditing uncovered WSUS cases for compromise, making use of patches, and segmenting networks to mitigate dangers. The flaw impacts a number of WSUS variations with a CVSS rating of 9.8, urging fast isolation and forensic evaluation for internet-facing methods. Learn extra
Malvertising with PuTTY and Groups
A persistent malvertising marketing campaign is distributing OysterLoader malware by way of pretend adverts for professional instruments like PuTTY and Microsoft Groups on Bing search outcomes. Linked to the Rhysida ransomware group, this operation makes use of code-signing certificates and obfuscation to evade detection, with over 40 certificates burned since June 2025. Attackers impersonate standard software program to ship preliminary entry payloads, enabling ransomware deployment in company networks.
Rhysida’s techniques have escalated, together with exploitation of Microsoft’s Trusted Signing service, prompting revocations of greater than 200 certificates whereas operations proceed. Learn extra
XWiki Eval Injection Flaw
The XWiki Platform suffers from CVE-2025-24893, a crucial eval injection vulnerability in its SolrSearch function that permits unauthenticated distant code execution. Added to CISA’s Recognized Exploited Vulnerabilities catalog on October 30, 2025, the flaw allows attackers to craft requests for arbitrary code runs, compromising wiki installations utilized in training, authorities, and company settings. Impacts embrace information theft, malware deployment, and community pivoting, with affected variations beneath 15.10.11, 16.4.1, and 16.5.0RC1.
Mitigations contain patching to mounted releases or modifying the SolrSearchMacros file to implement safe content material sorts; CISA mandates fast motion per BOD 22-01. Learn extra
Curly COMrades Assault Improvements
The Curly COMrades menace actor group employs novel methods utilizing professional Home windows instruments for persistent entry and evasion in focused operations. This superior persistent menace leverages system-native parts to create backdoors and preserve footholds, posing dangers to enterprise environments. Their methodology focuses on COM object manipulation for stealthy persistence, highlighting the hazards of living-off-the-land techniques. Organizations ought to monitor for anomalous Home windows API calls and implement behavioral detection to counter such evasive behaviors. Learn extra
PROMPTFLUX AI-Enhanced Malware
Google Risk Intelligence has disclosed PROMPTFLUX, an experimental VBScript-based malware household that integrates Google’s Gemini API for real-time code obfuscation and evasion. Appearing as a dropper disguised as installers, it queries the “gemini-1.5-flash-latest” mannequin to generate antivirus-bypassing scripts, marking the primary “just-in-time” AI use in malware. Superior options embrace hourly self-mutation and lateral motion to drives, although presently in testing phases. Google disabled associated API keys, and defenses emphasize monitoring for uncommon API visitors and proscribing mannequin entry in enterprise settings. Learn extra
NGate NFC Relay Assaults
NGate malware targets Android customers in Poland by way of phishing, enabling unauthorized ATM money withdrawals by means of NFC information relay with out bodily card theft. Distributed as pretend banking apps, it captures card particulars and PINs throughout “verification” faucets, relaying them to attacker units at ATMs by way of a C2 server. The an infection makes use of encrypted configurations and Host Card Emulation to imitate professional cost providers, evading normal safety checks. Customers ought to confirm apps from official sources and make contact with banks immediately for suspicious calls; technical evaluation reveals cleartext TCP exfiltration of delicate information. Learn extra
Vulnerabilities
Cisco ASA/FTD RCE Exploitation
Cisco studies energetic exploitation of CVE-2025-20333, a crucial buffer overflow in Safe Firewall ASA and FTD software program’s VPN internet server, permitting authenticated attackers root-level code execution. Disclosed September 25, 2025, with CVSS 9.9, it impacts configurations enabling AnyConnect IKEv2 or SSL VPN, resulting in information exfiltration or DoS by way of gadget reloads. No workarounds exist, requiring upgrades to patched variations like ASA 9.18.4.19. Directors should audit VPN setups and allow multi-factor authentication to restrict publicity in perimeter defenses. Learn extra
Home windows Graphics RCE Vulnerabilities
A number of vulnerabilities in Microsoft’s Graphics Gadget Interface (GDI) enable distant attackers to execute arbitrary code or steal information by means of malformed Enhanced Metafile (EMF) codecs. Found by way of fuzzing by Examine Level, these points have an effect on Home windows 10/11 and Workplace apps, with exploits attainable by way of rigged paperwork or pictures with out person interplay. Patched in 2025 updates like KB5058411, they spotlight dangers in legacy graphics processing, rated as much as Crucial (CVSS 9.8). Learn extra
WSUS Patch Breaks Hotpatching
Microsoft’s October 2025 replace for CVE-2025-59287, a crucial WSUS RCE flaw, disrupted hotpatching on some Home windows Server 2025 methods by pushing to enrolled units prematurely. Affected servers now require reboots for updates till a January 2026 baseline realigns them, whereas untouched methods obtain layered fixes with out interruption. This incident stresses challenges in zero-downtime patching for enterprise environments reliant on WSUS. Learn extra
Apple Patches Crucial iOS Flaws
Apple’s iOS 26.1 and iPadOS 26.1 updates repair over 50 vulnerabilities throughout WebKit, Kernel, and Accessibility, stopping privateness breaches, app crashes, and sandbox escapes on iPhone 11+ and suitable iPads. Key fixes embrace permissions points permitting app detection (CVE-2025-43442) and malicious screenshotting (CVE-2025-43455), plus WebKit use-after-free bugs enabling code execution. Reported by researchers from ByteDance and Google, these patches improve defenses towards focused malware and internet exploits. Learn extra
Android Zero-Click on RCE Bug
Google’s November 2025 bulletin discloses CVE-2025-48593, a crucial zero-click RCE in Android’s System element, permitting distant code execution by way of community packets or malicious apps on AOSP variations 13-16. No person interplay is required, risking full gadget compromise together with information theft or botnet inclusion. A companion high-severity EoP flaw (CVE-2025-48581) additional elevates dangers; customers ought to apply the 2025-11-01 patch stage instantly. Learn extra
Microsoft Groups Characteristic Exposes Dangers
Microsoft Groups’ “Chat with Anybody” function, permitting exterior e-mail chats with out validation, enlarges phishing vectors by enabling spoofed communications from attackers posing as contacts. This replace, rolled out in late 2025, bypasses conventional safeguards, doubtlessly resulting in credential theft or malware supply in hybrid work settings. With over 320 million customers, organizations should implement strict exterior chat insurance policies and monitor for anomalous invitations to mitigate social engineering threats. Learn extra
CWP OS Command Injection Exploited
CISA warns of CVE-2025-48703, an unauthenticated OS command injection in Management Net Panel’s file supervisor, permitting arbitrary command execution with only a legitimate non-root username. Added to KEV catalog on November 4, 2025, it’s actively exploited by way of shell metacharacters within the t_total parameter, categorized as CWE-78. Federal businesses should patch by November 25 or discontinue use; admins ought to audit logs for suspicious requests. Learn extra
HackedGPT Vulnerabilities in ChatGPT
Tenable uncovered seven flaws in GPT-4o and GPT-5, together with zero-click immediate injections by way of SearchGPT that allow information exfiltration from person recollections with out interplay. Assaults disguise malicious directions in web sites or markdown, bypassing security mechanisms like url_safe for persistent leaks throughout periods. OpenAI patched some by way of TRAs, however inherent LLM dangers persist; customers ought to restrict delicate information sharing in AI instruments. Learn extra
Chrome Emergency Replace
Google’s Chrome 142 replace patches 5 flaws, together with high-severity out-of-bounds writes in WebGPU (CVE-2025-12725) and V8 implementation points enabling RCE by way of malicious internet content material. Affecting Home windows, macOS, and Linux, these might compromise methods throughout routine looking; Omnibox bugs help phishing. Apply by way of “About Chrome” instantly, as particulars are restricted to curb exploits. Learn extra
Home windows
New BOF Device Targets Microsoft Groups Cookies
A specialised Beacon Object File (BOF) from Tier Zero Safety exploits Microsoft Groups’ cookie encryption to extract authentication tokens with out alerting customers. The software injects into the ms-teams.exe course of, duplicates file handles to the locked Cookies SQLite database, and decrypts values utilizing the person’s DPAPI grasp key, enabling attackers to impersonate customers and entry chats, emails, and Microsoft Graph API information. This stealthy strategy adapts browser exploitation methods, bypassing file-locking mechanisms and highlighting gaps in Groups’ safety in comparison with hardened Chromium browsers. Organizations ought to monitor for course of injections and implement least-privilege execution to counter this menace.
Learn extra:
Home windows 11 Replace Causes Process Supervisor Glitch
Microsoft’s KB5067036 non-compulsory replace for Home windows 11 variations 24H2 and 25H2 leads to Process Supervisor remaining energetic within the background after closure, consuming pointless assets. This identified concern impacts the utility’s termination habits and contains enhancements to AI options like Copilot Plus, alongside a non-removable servicing stack replace KB5067035. Customers can take away the cumulative replace by way of DISM, however Microsoft advises ready for a repair in future releases. The issue underscores the significance of testing non-compulsory updates earlier than deployment in enterprise environments.
Learn extra:
BitLocker Restoration Immediate After Home windows Updates
Microsoft warns that safety updates from October 14, 2025, could set off BitLocker restoration screens on Intel-based Home windows 11 (25H2/24H2) and Home windows 10 (22H2) methods supporting Related Standby. The glitch requires a one-time restoration key entry upon restart however doesn’t compromise information integrity. Affected variations embrace KB5066835 for Home windows 11 and KB5066791 for Home windows 10, with no influence on server editions. Mitigation includes making use of Recognized Challenge Rollbacks by way of Microsoft Help or making certain restoration keys are accessible.
Learn extra:
Cloud Recordsdata Driver Vulnerability Allows Escalation
CVE-2025-55680 within the Home windows Cloud Recordsdata Mini Filter Driver (cldsync.sys) permits native privilege escalation by means of a TOCTOU race situation in file path validation. Attackers exploit this by modifying kernel reminiscence paths to create symbolic hyperlinks, injecting malicious DLLs into system processes like rasman for full SYSTEM entry. The flaw, rated 7.8 CVSS, impacts placeholder file operations and builds on prior Microsoft patches. Instant patching is beneficial, as any authenticated person can obtain kernel-level compromise.
Learn extra:
Groups “Chat with Anybody” Characteristic Dangers Phishing
Microsoft Groups’ new function, rolling out in November 2025, lets customers begin chats with exterior e-mail addresses with out requiring a Groups account, enabling visitor joins. This default setting expands phishing alternatives by permitting spoofed invitations to ship malware or harvest credentials inside the platform. Dangers embrace information leaks and compliance points beneath GDPR, as interactions bypass e-mail filters. Admins can disable it by way of PowerShell by setting UseB2BInvitesToAddExternalUsers to false and imposing MFA.
Learn extra:
Energetic Listing Websites for Privilege Escalation
Attackers with write permissions on Energetic Listing websites can hyperlink malicious Group Coverage Objects (GPOs) to escalate privileges throughout domains, together with forest roots. Permissions like GenericAll or WriteGPLink enable injecting instructions that add attacker accounts to admin teams on related methods. This system bypasses SID filtering by way of forest-wide replication, enabling speedy lateral motion. Organizations ought to audit web site permissions and monitor GPO adjustments to forestall area compromise.
Learn extra:
Different Information
Darkish Net Credential Exposures
Proton launched the Knowledge Breach Observatory initiative, revealing over 300 million stolen credentials circulating on darkish internet cybercrime markets, posing vital dangers to companies and people. Small companies face explicit threats, with 4 out of 5 experiencing current breaches that may price over a million {dollars} per incident, usually going unreported on account of delays in detection. The observatory screens underground boards in actual time, figuring out ten main 2025 breaches throughout industries, together with Qantas Airways (11.8 million data with names, delivery dates, addresses, telephone numbers, and emails) and Free in France (19 million data together with IBANs). Different notable incidents contain Allianz Life in Germany (1 million data with social safety numbers), SkilloVilla in India (33 million data of contact data), and a number of other U.S. and European companies exposing passwords, usernames, and banking particulars. Learn extra
Microsoft Entra Credential Safety
Microsoft will improve safety in its Authenticator app by robotically detecting and deleting Microsoft Entra credentials on jailbroken iOS units and rooted Android units beginning February 2026. This measure addresses vulnerabilities the place modified units bypass safety controls, enabling credential theft and unauthorized entry to organizational assets. The function deploys robotically with out IT configuration, making use of solely to enterprise credentials whereas sparing private or third-party accounts. Organizations are suggested to inform customers prematurely, recommending gadget upgrades or removing of modifications to keep away from authentication disruptions. Learn extra
HydraPWK Penetration Testing OS Replace
The HydraPWK challenge’s Apes-T1 snapshot updates its Debian-based penetration testing Linux distribution by changing Elasticsearch with open-source OpenSearch to resolve licensing points and enhance industrial safety instruments. This semi-rolling launch enhances community forensics by way of Arkime and provides OpenSearch Dashboards for observability, alongside UI fixes like improved terminal colorschemes for higher error visibility. In comparison with Kali Linux, HydraPWK presents a light-weight, low-latency different with PREEMPT_RT kernel help for {hardware} like UAVs and ECUs, emphasizing plug-and-play effectivity for focused moral hacking with out Kali’s broader overhead. Learn extra
OneDrive DLL Sideloading Assault
Risk actors exploit OneDrive.exe by way of DLL sideloading by putting a malicious model.dll within the utility’s listing, tricking it into loading dangerous code as an alternative of the professional library throughout startup. The approach makes use of DLL proxying to ahead calls to the actual system library whereas executing payloads stealthily, sustaining regular app performance to evade detection. Superior hooking by way of Vectored Exception Dealing with and PAGE_GUARD flags intercepts API calls like CreateWindowExW with out inline modifications, permitting persistent management and spawning of hidden processes. Defenses embrace utility whitelisting, DLL loading monitoring, and signature validation to counter these assaults on trusted Microsoft processes. Learn extra
