Crossed Wires: A Case Study of Iranian Espionage and Attribution
Proofpoint researchers analyzed an espionage campaign originating from Iran that began with a benign email discussing domestic unrest. The campaign’s tactics overlapped with several Iranian-linked groups, including TA455, TA453, and TA450. Due to the lack of a definitive connection to any specific group, Proofpoint designated the activity as a new temporary cluster, UNK_SmudgedSerpent. The case highlights the complexity of attribution among state-aligned threat actors.
Source: Proofpoint

Industry Attacks Surge, Mobile Malware Spreads: The ThreatLabz 2025 Mobile, IoT & OT Report
Zscaler’s ThreatLabz 2025 report reveals a surge in attacks across mobile, IoT, and OT environments, reflecting their growing interconnection in business infrastructure. Android malware activity increased by 67% year-over-year, with 239 malicious apps downloaded over 42 million times. The Energy, Transportation, and Healthcare sectors saw attack spikes of 387%, 382%, and 224% respectively, driven by advanced spyware and trojans.
Source: Zscaler

LANDFALL: New Commercial-Grade Android Spyware in Exploit Chain Targeting Samsung Devices
Palo Alto Networks’ Unit 42 uncovered a new Android spyware family named LANDFALL, exploiting zero-day CVE-2025-21042 in Samsung’s image processing library. The spyware was delivered through malicious DNG image files sent via WhatsApp and was actively exploited in the wild before Samsung issued a patch in April 2025. The attack chain resembles previous Apple and WhatsApp exploits, indicating a broader pattern in cross-platform spyware distribution.
Source: Unit 42 (Palo Alto Networks)

November 2025 Patch Tuesday Forecast: Windows Exchange Server EOL?
HelpNetSecurity’s Patch Tuesday forecast highlights Microsoft’s record number of fixes for October 2025, addressing 250 CVEs across Windows 10 and 11. With end-of-life support ending for several enterprise editions and older Office and Exchange Server versions, Microsoft urges organizations to migrate to supported platforms. The final update for Windows 11 23H2 Professional arrives next week, while Education and Enterprise editions will be supported until November 2026.
Source: HelpNetSecurity

Tracking a Dragon: Investigating a DragonForce-affiliated Ransomware Attack with Darktrace
Darktrace investigated a ransomware attack linked to DragonForce affiliates targeting the manufacturing sector. The attackers used credential brute-forcing, data exfiltration, and file encryption. Analysis of Windows Registry artifacts revealed manipulation of scheduled tasks and WMI security settings, indicating persistence techniques. The findings demonstrate the sophistication of DragonForce-linked ransomware operations.
Source: Darktrace

ClickFix Malware Attacks Evolve With Multi-OS Support, Video Tutorials
The ClickFix malware campaign has advanced with new features including multi-OS support, embedded video tutorials guiding victims through infection, and system auto-detection for tailored payload execution. Previously, attackers relied on written instructions to trick users into executing malicious code, but now they use convincing videos to enhance credibility. The goal remains to deploy information stealers and other malware through deceptive social-engineering tactics.
Source: BleepingComputer

Critical Cisco UCCX Flaw Lets Attackers Run Commands as Root
Cisco patched a critical flaw (CVE-2025-20354) in its Unified Contact Center Express (UCCX) platform that could allow unauthenticated attackers to execute commands with root privileges. The vulnerability, located in the Java RMI process, was reported by security researcher Jahmel Harris. Cisco also addressed a separate flaw in its CCX Editor application that could allow attackers to bypass authentication and execute arbitrary scripts remotely with administrative rights.
Source: BleepingComputer

SonicWall Confirms State-Sponsored Hackers Behind September Cloud Backup Breach
SonicWall confirmed that state-sponsored actors were responsible for the September breach that exposed firewall configuration backup files. The attackers accessed the backups via an API call from a specific cloud environment. While the company emphasized that the incident was unrelated to Akira ransomware attacks, it did not name the nation behind the activity. The breach affected less than 5% of SonicWall customers using the cloud backup service.
Source: TheHackerNews

From Tabletop to Turnkey: Building Cyber Resilience in Financial Services
The financial sector is now required to conduct cyber resilience exercises due to global regulatory mandates such as DORA in the EU and CPS230 in Australia. These tabletop exercises, once optional, have become an operational necessity. The complexity of compliance lies in cross-functional collaboration, combining technical and non-technical teams to meet resilience standards and strengthen organizational preparedness.
Source: TheHackerNews

Nevada Ransomware Attack Started Months Before It Was Discovered, Per Report
An after-action report revealed that Nevada’s August ransomware attack began as early as May 2025, when a state employee unknowingly downloaded malicious software. The incident disrupted critical services including licensing, employment checks, and payroll operations. Recovery efforts cost the state at least $1.5 million, though officials confirmed no ransom was paid. The attack underscores the growing threat of ransomware to state-level infrastructure.
Source: SecurityWeek

Beating XLoader at Speed: Generative AI as a Force Multiplier for Reverse Engineering
Check Point Research highlights how generative AI is revolutionizing malware analysis, enabling researchers to rapidly decode and understand complex malware like XLoader. Traditionally, XLoader’s multiple encryption layers, obfuscation, and fake C2 domains made it one of the hardest malware families to reverse-engineer. With generative AI, analysts can now identify algorithms, generate decryption tools, and uncover indicators of compromise in hours rather than days, significantly improving response speed.
Source: Check Point Research

Exploiting Microsoft Teams: Impersonation and Spoofing Vulnerabilities Exposed
New research from Check Point reveals that Microsoft Teams contained vulnerabilities allowing attackers to impersonate executives, manipulate messages, and spoof notifications. The flaws could be exploited by malicious insiders or external guest users, fundamentally compromising trust in corporate communications. Attackers could appear as high-level executives or alter message histories without detection, exposing major risks for organizations that rely heavily on Teams for collaboration and decision-making.
Source: Check Point Research

GTIG AI Threat Tracker: Advances in Threat Actor Usage of AI Tools
Google’s Threat Intelligence Group (GTIG) reports that adversaries have moved beyond using AI for efficiency — they are now deploying AI-enabled malware capable of adapting in real time. The “AI Threat Tracker” update shows both state-backed and cybercriminal groups integrating machine learning into attacks, enhancing evasion and persistence. The findings reflect an operational shift toward dynamic, self-modifying AI-driven threats across the attack lifecycle.
Source: Google Cloud

Software Supply Chain Attacks Surge to Record High in October 2025
According to Cyble, software supply chain attacks reached record levels in October 2025 — up 30% from the previous peak in April. Threat actors claimed 41 attacks during the month, doubling the average monthly activity from early 2024. The surge is linked to zero-day exploits and increased targeting of SaaS and IT service providers. Cyble warns that elevated activity levels indicate sustained long-term risk, with AI-powered phishing and cloud threats further fueling the trend.
Source: Cyble

South Africa Launches Pilot for Secure Data Exchange Among Government Agencies
South Africa has launched “MzansiXchange,” a pilot initiative enabling secure data exchange between government departments. Led by the National Treasury, the system aims to eliminate data silos and improve public-sector efficiency by allowing real-time collaboration and informed decision-making. Rather than centralizing information, MzansiXchange acts as a secure bridge between authorized entities, promoting interoperability and transparency in governance.
Source: Cyble

Preparing for Threats to Come: Cybersecurity Forecast 2026
Google Cloud released its Cybersecurity Forecast 2026 report, providing insight into key security challenges expected in the coming year. The report highlights a major shift as adversaries fully embrace AI to accelerate and scale their operations. Another focus area is the rise of prompt injection attacks — manipulations of AI models to execute hidden malicious commands. The forecasts are based on real-world data and frontline intelligence from Google Cloud experts, analysts, and researchers.
Source: Google Cloud

U.S. Prosecutors Indict Cybersecurity Insiders Accused of BlackCat Ransomware Attacks
Federal prosecutors have charged three U.S. nationals — Ryan Clifford Goldberg, Kevin Tyler Martin, and an unnamed co-conspirator — for deploying BlackCat ransomware against five U.S. companies between May and November 2023. The defendants, who worked as incident response and ransomware negotiators, allegedly abused their positions to conduct extortion attacks targeting companies in healthcare, pharmaceuticals, and engineering. They are accused of stealing and encrypting data, demanding cryptocurrency ransoms, and publishing stolen information online.
Source: TheHackerNews

Hackers Exploit Critical Auth Bypass Flaw in JobMonster WordPress Theme
Threat actors are actively exploiting CVE-2025-5397, a critical authentication bypass flaw in the JobMonster WordPress theme, to hijack administrator accounts. The flaw, with a CVSS score of 9.8, stems from improper identity verification in the check_login() function. Wordfence detected multiple exploit attempts across client websites. JobMonster, a popular job board theme used by recruitment platforms, remains vulnerable in all versions up to 4.8.1.
Source: BleepingComputer

Fake Solidity VSCode Extension on Open VSX Backdoors Developers
A fake Solidity VSCode extension named “juan-bianco.solidity-vlang” uploaded to the Open VSX registry has been found distributing a remote access trojan dubbed SleepyDuck. Initially harmless, the extension gained malicious capabilities after an update and has since been downloaded more than 53,000 times. The malware uses an Ethereum smart contract as a covert command channel, allowing attackers to control infected developer systems.
Source: BleepingComputer

Apple Patches 19 WebKit Vulnerabilities
Apple released iOS 26.1 and macOS updates addressing over 100 security flaws, including 19 affecting the WebKit engine. Successful exploitation could allow attackers to steal cross-origin data, cause crashes, or monitor user keystrokes. Notably, many of these vulnerabilities were identified by Google’s “Big Sleep” AI agent, which autonomously finds exploitable bugs before threat actors can weaponize them.
Source: SecurityWeek

North Korean Hackers Caught on Video Using AI Filters in Fake Job Interviews
North Korean state-sponsored hackers from the Famous Chollima APT group are using real-time AI deepfakes to impersonate software engineers during job interviews with cryptocurrency and Web3 companies. They steal legitimate identities and resumes, using AI-powered facial filters to disguise their faces and secure employment under false pretenses. The campaign aims to infiltrate Western firms for espionage and financial gain, with multiple infiltration attempts observed by Quetzal Team analysts targeting senior software engineering roles.
Source: HackRead

The Week in Vulnerabilities: Cyble Urges Apache, Microsoft Fixes
Cyble researchers tracked 1,128 vulnerabilities over the past week, 138 of which already have public Proof-of-Concept exploits, increasing the risk of real-world attacks. Sixty-seven flaws were rated critical under CVSS v3.1 and 22 under CVSS v4.0. Among them, CVE-2025-55754 affects Apache Tomcat and could allow indirect administrative command execution via console manipulation, posing a serious risk to system integrity if administrators are deceived into executing malicious commands.
Source: Cyble

Remote Access, Real Cargo: Cybercriminals Targeting Trucking and Logistics
Proofpoint identified a cybercriminal campaign targeting logistics and trucking companies using remote monitoring and management (RMM) tools to hijack cargo shipments. Attackers collaborate with organized crime to gain network access and bid on legitimate freight jobs, then steal the physical goods. The stolen items, ranging from electronics to beverages, are sold online or shipped overseas, causing millions in damages and major disruptions to supply chains.
Source: Proofpoint

Operation SkyCloak: Tor Campaign Targets Military of Russia & Belarus
SEQRITE Labs uncovered a Tor-based campaign targeting the military of Russia and Belarus, including the Russian Airborne Forces and Belarusian Special Forces. The infection chain exposes local services via Tor using obfs4 bridges for anonymous communication. Attackers used multi-stage PowerShell scripts, military-themed decoys, and hidden SSH services to maintain persistence. Similar regional campaigns, such as HollowQuill and CargoTalon, were also observed throughout 2025, focusing on aerospace and defense sectors.
Source: Seqrite

Leak Site Ransomware Victims Spike 13% in a Year
European ransomware victims increased by 13% between September 2024 and August 2025, with the UK being the most affected, according to CrowdStrike’s European Threat Landscape Report. The total number of leaked victims reached 1,380, with Germany, Italy, France, and Spain following closely behind. The most targeted sectors include manufacturing, technology, and professional services, reflecting a sustained trend of financially motivated attacks across Europe.
Source: Infosecurity Magazine