Nov 24, 2025Ravie LakshmananCybersecurity / Hacking Information
This week noticed numerous new cyber bother. Hackers hit Fortinet and Chrome with new 0-day bugs. Additionally they broke into provide chains and SaaS instruments. Many hid inside trusted apps, browser alerts, and software program updates.
Huge companies like Microsoft, Salesforce, and Google needed to react quick — stopping DDoS assaults, blocking unhealthy hyperlinks, and fixing reside flaws. Stories additionally confirmed how briskly pretend information, AI dangers, and assaults on builders are rising.
This is what mattered most in safety this week.
⚡ Menace of the Week
Fortinet Warns of One other Silently Patched and Actively Exploited FortiWeb Flaw — Fortinet has warned {that a} new safety flaw in FortiWeb has been exploited within the wild. The medium-severity vulnerability, tracked as CVE-2025-58034, carries a CVSS rating of 6.7 out of a most of 10.0. It has been addressed in model 8.0.2. “An Improper Neutralization of Particular Parts utilized in an OS Command (‘OS Command Injection’) vulnerability [CWE-78] in FortiWeb might enable an authenticated attacker to execute unauthorized code on the underlying system by way of crafted HTTP requests or CLI instructions,” the corporate stated. The event got here days after Fortinet confirmed that it silently patched one other important FortiWeb vulnerability (CVE-2025-64446, CVSS rating: 9.1) in model 8.0.2. Though the corporate has not clarified if the exploitation exercise is linked, Orange Cyberdefense stated it noticed “a number of exploitation campaigns” chaining CVE-2025-58034 with CVE-2025-64446 to facilitate authentication bypass and command injection. Fortinet’s dealing with of the problem has are available in for heavy criticism. It is doable that the corporate was conscious however selected to not disclose them to keep away from alerting different menace actors to their existence till a majority of its clients had utilized the patch. However what’s troublesome to clarify at this stage is why Fortinet opted to reveal the failings 4 days aside.
🔔 Prime Information
Google Patches New Actively Exploited Chrome 0-Day — Google launched safety updates for its Chrome browser to deal with two safety flaws, together with one which has come beneath energetic exploitation within the wild. The vulnerability in query is CVE-2025-13223 (CVSS rating: 8.8), a sort confusion vulnerability within the V8 JavaScript and WebAssembly engine that may very well be exploited to attain arbitrary code execution or program crashes. Clément Lecigne of Google’s Menace Evaluation Group (TAG) has been credited with discovering and reporting the flaw on November 12, 2025. Google has not shared any particulars on who’s behind the assaults, who might have been focused, or the size of such efforts. Nevertheless, the tech large acknowledged that an “exploit for CVE-2025-13223 exists within the wild.” With the most recent replace, Google has addressed seven zero-day flaws in Chrome which were both actively exploited or demonstrated as a proof-of-concept (PoC) for the reason that begin of the yr.
Matrix Push C2 Makes use of Browser Extensions to Take Customers to Phishing Pages — Unhealthy actors are leveraging browser notifications as a vector for phishing assaults to distribute malicious hyperlinks via a brand new command-and-control (C2) platform referred to as Matrix Push C2. In these assaults, potential targets are tricked into permitting browser notifications by social engineering on malicious or legitimate-but-compromised web sites. As soon as a person agrees to obtain notifications from the positioning, the attackers make the most of the net push notification mechanism constructed into the net browser to ship alerts that appear like they’ve been despatched by the working system or the browser itself. The service is obtainable for about $150 for one month, $405 for 3 months, $765 for six months, and $1,500 for a full yr. The truth that the instrument is platform-agnostic means it may very well be favoured by menace actors trying to conduct credential theft, cost fraud, and cryptocurrency scams. Countering such dangers requires browser distributors to implement stronger abuse protections, reminiscent of utilizing a repute system to flag sketchy websites and routinely revoking notification permissions for suspicious websites.
PlushDaemon APT Makes use of EdgeStepper to Hijack Software program Updates — The menace actor often called PlushDaemon has been noticed utilizing a beforehand undocumented Go-based community backdoor codenamed EdgeStepper to facilitate adversary-in-the-middle (AitM) assaults. EdgeStepper is positioned between a sufferer and the community edge, monitoring requests for sure in style Chinese language software program merchandise, such because the Sogou Pinyin Technique enter editor, the Baidu Netdisk cloud service, multipurpose prompt messenger Tencent QQ, and the free workplace suite WPS Workplace. If one such software program replace request is discovered EdgeStepper will redirect it to PlushDaemon’s infrastructure, ensuing within the obtain of a trojanized replace. The assaults result in the deployment of SlowStepper.
Salesforce Warns of Unauthorized Knowledge Entry by way of Gainsight-Linked Apps — Salesforce alerted clients of “uncommon exercise” associated to Gainsight-published functions related to the platform. The cloud providers agency stated it has taken the step of revoking all energetic entry and refresh tokens related to Gainsight-published functions related to Salesforce. It has additionally quickly eliminated these functions from the AppExchange as its investigation continues. Gainsight stated the Gainsight app has been quickly pulled from the HubSpot Market and Zendesk connector entry has been revoked as a precautionary measure. The marketing campaign has been attributed by Google to ShinyHunters, with the group assessed to have stolen information from greater than 200 doubtlessly affected Salesforce cases. Cybersecurity firm CrowdStrike additionally stated it terminated a “suspicious insider” final month for allegedly passing insider info to Scattered LAPSUS$ Hunters. A member of the extortionist crew instructed The Register they obtained entry to Gainsight following the Salesloft Drift hack earlier this yr. The incident as soon as once more underscores the safety threat posed by the SaaS integration provide chain, the place breaching a single vendor acts as a gateway into dozens of downstream environments.
Microsoft Mitigates Report 15.72 Tbps DDoS Assault — Microsoft disclosed that it routinely detected and neutralized a distributed denial-of-service (DDoS) assault concentrating on a single endpoint in Australia that measured 15.72 terabits per second (Tbps) and practically 3.64 billion packets per second (pps). The tech large stated it was the most important DDoS assault ever noticed within the cloud, and that it originated from a TurboMirai-class Web of Issues (IoT) botnet often called AISURU. It is at present not recognized who was focused by the assault. Based on information from QiAnXin XLab, the AISURU botnet is powered by practically 300,000 contaminated units, most of that are routers, safety cameras, and DVR methods. It has been attributed to a few of the greatest DDoS assaults recorded up to now. In a report printed final month, NETSCOUT categorized the DDoS-for-hire botnet as working with a restricted clientele. QiAnXin XLab instructed The Hacker Information {that a} botnet named Kimwolf is probably going linked to the group behind AISURU, including one among Kimwolf’s C2 domains not too long ago surpassed Google in Cloudflare’s listing of high 100 domains, particularly, 14emeliaterracewestroxburyma02132[.]su.
️🔥 Trending CVEs
Hackers act quick. They will use new bugs inside hours. One missed replace could cause a giant breach. Listed below are this week’s most critical safety flaws. Verify them, repair what issues first, and keep protected.
This week’s listing contains — CVE-2025-9501 (W3 Whole Cache plugin), CVE-2025-62765 (Lynx+ Gateway), CVE-2025-36251, CVE-2025-36250 (IBM AIX), CVE-2025-60672, CVE-2025-60673, CVE-2025-60674, CVE-2025-60676 (D-Hyperlink DIR-878 routers), CVE-2025-40547, CVE-2025-40548, CVE-2025-40549 (SolarWinds Serv-U), CVE-2025-40601 (SonicWall SonicOS), CVE-2025-50165 (Home windows Graphics), CVE-2025-9316, CVE-2025-11700 (N-able N-central), CVE-2025-13315, CVE-2025-13316 (Twonky Server), CVE-2024-24481, CVE-2025-13207 (Tenda N300 sequence and Tenda 4G03 Professional), CVE-2025-13051 (ASUSTOR), CVE-2025-49752 (Azure Bastion), CVE-2024-48949, CVE-2024-48948 (elliptic), and a TLS verification bypass vulnerability in GoSign Desktop (no CVE).
📰 Across the Cyber World
Malicious VS Code Extension Taken Down — A malicious Visible Studio Code extension was discovered making an attempt to capitalize on the respectable “Prettier” model to reap delicate information. The extension, named “publishingsofficial.prettier-vscode-plus,” was printed to the Microsoft Extension Market on November 21, 2025. The extension, as soon as put in, launches a batch script that is liable for operating a Visible Fundamental Script file designed to execute a stealer malware. “The payload system inserted into the malicious extension seems designed to evade frequent anti-malware and static scanning techniques,” Checkmarx stated. “It is a multi-stage assault that ends with deploying and operating what seems to be a variant of the Anivia Stealer malware; this malware acquires and exfiltrates credentials, metadata, and personal info like WhatsApp chats from Home windows machines.” The extension has since been taken down.
100s of English-Language Web sites Hyperlink to Professional-Kremlin Propaganda — A brand new research from the Institute for Strategic Dialogue (ISD) has revealed that a whole bunch of English-language web sites between July 2024 and July 2025, together with information shops, fact-checkers, and tutorial establishments, are linking to articles from a pro-Kremlin community named Pravda that is flooding the web with disinformation. “Roughly 900 websites from throughout the political spectrum, starting from main information shops to fringe blogs, have linked to Pravda community articles over the noticed year-long interval,” ISD stated. “A reviewed pattern of greater than 300 English-language websites included U.S. nationwide and native information shops, distinguished sources of political commentary, in addition to fact-checking and tutorial establishments.” It is assessed that the Pravda community makes use of a high-volume technique to affect massive language fashions (LLMs) like of ChatGPT and Gemini and seed them with pro-Russia narratives, a course of known as LLM grooming. The community has been energetic since 2014, churning out greater than 6 million articles.
Anthropic Finds Reward Hacking Results in Extra Misalignment — A brand new research from synthetic intelligence (AI) firm Anthropic revealed that giant language fashions (LLMs) educated to “reward hack” by dishonest on coding duties exhibit much more misaligned habits, together with sabotaging AI security analysis. “After they be taught to cheat on software program programming duties, they go on to show different, much more misaligned behaviors as an unintended consequence,” the corporate stated. “These embody regarding behaviors like alignment faking and sabotage of AI security analysis.”
Microsoft to Embrace Sysmon into Home windows 11 — Microsoft stated it is going to add Sysmon, a third-party app from the Sysinternals package deal, into future variations of Home windows 11 to assist with safety log evaluation. “Subsequent yr, Home windows updates for Home windows 11 and Home windows Server 2025 will carry Sysmon performance natively to Home windows,” the tech large stated. “Sysmon performance means that you can use customized configuration recordsdata to filter captured occasions. These occasions are written to the Home windows occasion log, enabling a variety of use circumstances, together with by safety functions.”
Extra Than 150 Remcos RAT Servers Discovered — Assault floor administration platform Censys stated it constantly tracked over 150 energetic Remcos RAT command-and-control (C2) servers between October 14 and November 14, 2025. “Most servers listened on port 2404, generally related to Remcos, with further use of ports 5000, 5060, 5061, 8268, and 8808, exhibiting deployment flexibility,” the corporate stated. “A subset of hosts uncovered Server Message Block (SMB) and Distant Desktop Protocol (RDP), suggesting some operators additionally use native Home windows providers for administration. Internet hosting concentrated in the US, the Netherlands, and Germany, with smaller clusters in France, the UK, Turkey, and Vietnam.”
PyPI to Require E-mail Verification for TOTP Logins — The Python Package deal Index (PyPI) portal will now require email-based verification for all Time-based One-Time Password (TOTP) logins coming from new developer units. “Customers who’ve enabled WebAuthn (safety keys) or passkeys for 2FA is not going to see any modifications, as these strategies are inherently phishing-resistant,” PyPI stated. “They cryptographically bind the authentication to the precise web site (origin), which means an attacker can not trick you into authenticating on a pretend web site, not like TOTP codes, which will be phished.”
Blockade Spider’s Cross-Area Assaults Detailed — A financially motivated menace actor often called Blockade Spider has been attributed to utilizing cross-domain methods in its ransomware campaigns since at the least April 2024. The e-crime group makes use of Embargo ransomware and information theft to monetize their operations. “They achieve entry by unmanaged methods, dump credentials, and transfer laterally to virtualized infrastructure to remotely encrypt recordsdata with Embargo ransomware,” CrowdStrike stated. “They’ve additionally demonstrated the flexibility to focus on cloud environments.” In a single case beforehand flagged by the corporate, the menace actor added compromised customers to a “No MFA” Energetic Listing group, circumvented safety controls, and deployed ransomware whereas evading conventional detection methods.
JSGuLdr Loader Delivers Phantom Stealer — A brand new multi-stage JavaScript-to-PowerShell loader has been put to make use of in cyber assaults, delivering an info stealer referred to as Phantom Stealer. “A JavaScript file triggers PowerShell by an Explorer COM name, pulls the second stage from %APPDATApercentRegistreri62, then makes use of Web.WebClient to fetch an encrypted payload from Google Drive into %APPDATApercentAutorise131[.]Tel,” ANY.RUN stated. “The payload is decoded in reminiscence and loaded, with PhantomStealer injected into msiexec.exe.” The assault combines obfuscation and fileless in-memory loading methods to sidestep detection. As a result of the ultimate payload runs solely in reminiscence inside a trusted course of, it permits menace actors to stealthily transfer throughout the community and steal information.
Apple Updates App Retailer Developer Pointers — Apple up to date its developer tips to require each app to reveal if it collects and shares person information with AI corporations, in addition to ask customers for permissions. “You need to clearly disclose the place private information might be shared with third events, together with with third-party AI, and acquire specific permission earlier than doing so,” the corporate’s rule 5.1.2(i) now states. The modifications went into impact on November 13, 2025.
Malware Marketing campaign Targets Microsoft IIS servers to Deploy BadIIS Malware — A malware marketing campaign dubbed WEBJACK has been noticed compromising Microsoft IIS servers to deploy malicious IIS modules belonging to the BadIIS malware household. “The hijacked servers are being abused for search engine marketing poisoning and fraud, redirecting customers to on line casino, playing, or betting web sites,” WithSecure stated. “The menace actor has compromised high-profile targets, together with authorities establishments, universities, tech companies, and plenty of different organizations, abusing their area repute to serve fraudulent content material by search engine outcomes pages (SERPs).” The preliminary entry vector used within the assaults will not be recognized, though earlier BadIIS intrusions have leveraged susceptible net functions, stolen administrator credentials, and bought entry from initial-access brokers. The instruments and operational traits noticed level to a robust Chinese language nexus, a sample evidenced by the invention of comparable clusters in latest months, reminiscent of GhostRedirector, Operation Rewrite, UAT-8099, and TOLLBOOTH.
Phishing Scheme Targets WhatsApp Accounts — Tons of of victims throughout the Center East, Asia, and past have been ensnared in a brand new rip-off that leverages cloned login portals, low-cost domains, and WhatsApp’s personal “Linked Units” and one-time password workflows to hijack WhatsApp accounts. “Menace actors behind this marketing campaign create fraudulent web sites that intently imitate respectable WhatsApp interfaces, utilizing urgency-driven techniques to trick customers into compromising their accounts,” CTM360 stated. The marketing campaign has been codenamed HackOnChat. Over 9,000 phishing URLs have been uncovered up to now, with the websites hosted on domains registered with low-cost or much less regulated top-level domains reminiscent of .cc, .internet, .icu, and .high. Within the final 45 days, greater than 450 incidents have been recorded. “The attackers depend on two major methods: Session Hijacking, the place the WhatsApp-linked system characteristic is exploited to hijack WhatsApp net classes, and the Account Takeover, which includes tricking victims into revealing their authentication key to grab full possession of their accounts,” the corporate added. “Malicious hyperlinks are utilizing templates of pretend security-alert verification, misleading WhatsApp Internet imitation pages, and spoofed group invitation messages, all designed to lure customers into these traps and allow the hacking course of.”
Spike in Palo Alto Networks GlobalProtect Scanning — Menace intelligence agency GreyNoise has warned of one other wave of scanning exercise concentrating on Palo Alto Networks GlobalProtect portals. “Starting on 14 November 2025, exercise quickly intensified, culminating in a 40x surge inside 24 hours, marking a brand new 90-day excessive,” the corporate stated. Between November 14 and 19, 2.3 million classes hitting the */global-protect/login.esp URI have been noticed. It is assessed that these assaults are the work of the identical menace actor primarily based on the recurring TCP/JA4t signatures and overlapping infrastructure.
JustAskJacky is the Most Prevalent Menace in October 2025 — A malware household often called JustAskJacky emerged as essentially the most pervasive menace in October 2025, adopted by KongTuke, Rhadamanthys, NetSupport RAT, and TamperedChef, in keeping with information from Crimson Canary. JustAskJacky, which emerged earlier this yr, is a “household of malicious NodeJS functions that masquerade as a useful AI or utility instrument whereas conducting reconnaissance and executing arbitrary instructions in reminiscence within the background.”
NSO Group Seeks to Overturn WhatsApp Case — Final month, a U.S. court docket ordered Israeli business adware vendor NSO Group to cease concentrating on WhatsApp. In response, the corporate has filed an attraction to overturn the ruling, arguing that the corporate will “undergo irreparable, doubtlessly existential accidents” and be compelled it out of enterprise. “And the injunction prohibits NSO from partaking in solely lawful conduct to develop, license, and promote merchandise utilized in approved authorities investigations — a prohibition that will devastate NSO’s enterprise and will nicely power it out of enterprise solely,” the movement reads.
Ohio Contractor Pleads Responsible to Hacking Former Employer — Maxwell Schultz, a 35-year-old man from Ohio, pleaded responsible to fees associated to hacking into the community of his former employer. The incident occurred in 2021, after the unnamed firm terminated Schultz’s employment in its IT division. Based on the U.S. Justice Division, Schultz accessed the corporate’s community by impersonating one other contractor to acquire login credentials. “He ran a PowerShell script that reset roughly 2,500 passwords, locking 1000’s of staff and contractors out of their computer systems nationwide,” the division stated. “Schultz additionally searched for methods to delete logs, PowerShell window occasions and cleared a number of system logs.” The incident brought about the corporate $862,000 in losses. Schultz admitted that he carried out the assault as a result of “he was upset about being fired.” He faces as much as 10 years in federal jail and a doable $250,000 most superb.
Safety Flaws in Cline Bot AI — Safety vulnerabilities have been found in an open-source AI coding assistant referred to as Cline that might expose them to immediate injection and malicious code execution when opening specifically crafted supply code repositories. The problems have been addressed in Cline v3.35.0. “System prompts are usually not innocent configuration textual content. They form agent habits, affect privilege boundaries, and considerably improve attacker leverage when uncovered verbatim,” Mindgard researcher Aaron Portnoy stated. “Treating prompts as non-sensitive overlooks the fact that fashionable brokers mix language, instruments, and code execution right into a single operational floor. Securing AI brokers like Cline requires recognizing that prompts, instrument wiring, and agent logic are tightly related, and every should be dealt with as a part of the safety boundary.”
🎥 Cybersecurity Webinars
Guardrails for Chaos: The best way to Patch Quick With out Opening the Door to Attackers — Group instruments like Chocolatey and Winget assist groups patch software program quick. However they will additionally cover dangers — outdated code, lacking checks, and unsafe updates. Gene Moody from Action1 exhibits tips on how to use these instruments safely, with clear steps to maintain pace and safety in stability.
Meet WormGPT, FraudGPT, and SpamGPT — the Darkish Facet of AI You Must See — AI instruments are actually serving to criminals ship pretend emails. Names like WormGPT, FraudGPT, and SpamGPT can write or ship these messages quick. They make emails that look actual and might idiot folks and filters. Many safety instruments cannot sustain. Leaders have to see how these assaults work and discover ways to cease them earlier than passwords get stolen.
Misconfigurations, Misuse, and Missed Warnings: The New Cloud Safety Equation — Hackers are discovering new methods to interrupt into cloud methods. Some use weak identification settings in AWS. Others cover unhealthy AI fashions by copying actual ones. Some take too many permissions in Kubernetes. The Cortex Cloud staff will present how their instruments can spot these issues early and assist cease assaults earlier than they occur.
🔧 Cybersecurity Instruments
YAMAGoya — A brand new free instrument from JPCERT/CC. It helps discover unusual or unsafe actions on Home windows in actual time. It watches recordsdata, applications, and community strikes, and checks reminiscence for hidden threats. It makes use of Sigma and YARA guidelines made by the safety neighborhood. You’ll be able to run it with a window or from the command line. It additionally saves alerts to Home windows logs so different instruments can learn them.
Metis — A free instrument made by Arm’s Product Safety Group. It makes use of AI to examine code for safety issues. It helps discover small bugs that standard instruments miss. It really works with C, C++, Python, Rust, and TypeScript. You’ll be able to run it in your pc or add it to your construct system.
Disclaimer: These instruments are for studying and analysis solely. They have not been totally examined for safety. If used the fallacious manner, they might trigger hurt. Verify the code first, check solely in protected locations, and comply with all guidelines and legal guidelines.
Conclusion
Every week proves that the cyber menace panorama by no means stands nonetheless. From patched vulnerabilities to sprawling botnets and creative new assault strategies, defenders are locked in a relentless race to remain forward. Even small lapses — a missed replace or a weak integration — can create main openings for attackers.
Staying forward calls for consideration to element, classes from each breach, and fast motion when alerts seem. Because the boundary between software program and safety continues to blur, consciousness stays our strongest line of protection.
Keep tuned for subsequent week’s RECAP, the place we observe the threats, patches, and patterns shaping the digital world.
