Information Security News | AI Aggregator

SonicWall blames state-sponsored hackers for September security breach
Date: 2025-11-05 | Source: Security Affairs
SonicWall attributed its September security breach to state-sponsored hackers, revealing that firewall configuration files were exposed. Initially claiming under 5% of customers were affected, SonicWall later confirmed that all firewalls using its MySonicWall cloud backup service had their preference files accessed. These files contained encrypted credentials and configurations. SonicWall is notifying affected users, urging password resets, and has implemented fixes based on Mandiant's investigation, which found no impact on SonicWall products or customer networks.
2025-11-06 | The Hacker News: SonicWall Confirms State-Sponsored Hackers Behind September Cloud Backup Breach
SonicWall has confirmed that state-sponsored hackers were responsible for the September breach that exposed firewall configuration backup files. The unauthorized access was limited to a specific cloud environment via an API call and affected less than 5% of customers. SonicWall engaged Mandiant for investigation and implemented recommended security measures. Customers are advised to check MySonicWall.com for device status and reset credentials for affected services. Tools for analysis and credential resetting have been released.
2025-11-06 | TechRadar: SonicWall blames state hackers for damaging data breach
SonicWall reported a data breach attributed to state-sponsored actors, affecting all its global customers, approximately 500,000. The breach, which occurred in September 2025, involved unauthorized access to cloud backup files via an API, but did not compromise products or firmware. SonicWall has engaged Mandiant for remediation and network hardening. Attackers could potentially exploit stolen credentials and network configurations, posing risks for targeted attacks.
2025-11-06 | The Register: SonicWall fingers state-backed cyber crew for September firewall breach
SonicWall has attributed a September breach to a state-sponsored group, which accessed firewall configuration backups via an API call to its cloud backup service. Initially claiming fewer than 5% of customers were affected, SonicWall later confirmed all users of the MySonicWall backup feature were impacted. The incident did not compromise SonicWall's products or customer networks. The company is working with Mandiant on remediation and enhancing security practices amid rising threats to edge-security providers.
2025-11-06 | Help Net Security: SonicWall cloud backup hack was the work of a state actor
A state-sponsored threat actor was responsible for the SonicWall cloud backup service hack, as confirmed by Mandiant's investigation. The breach involved unauthorized access to cloud backup files via an API call, detected in early September 2025. SonicWall stated that no internal systems or customer networks were impacted. However, compromised backup files could aid attackers in exploiting related firewalls. Customers are advised to restrict access, reset passwords, and update security credentials.
2025-11-06 | Cybersecurity Dive: SonicWall says state-linked actor behind attacks against cloud backup service
SonicWall reported that a state-sponsored threat actor targeted its MySonicWall cloud backup service, affecting all customers despite initial claims of limited impact. No SonicWall products or firmware were compromised, and there was no disruption to systems or networks. CEO Bob VanKirk outlined governance changes and emphasized transparency and accountability. The company is offering support to customers affected by the attack and has implemented secure design practices to enhance product safety.
2025-11-06 | Cyberscoop: SonicWall pins attack on customer portal to undisclosed nation-state
SonicWall reported that a state-sponsored threat actor conducted a brute-force attack on its customer portal, exposing firewall configuration files of all users of its cloud backup service. Mandiant's investigation confirmed the attack but did not specify the nation or group responsible. SonicWall stated that while no other systems were affected, sensitive data was compromised. The company is implementing Mandiant's security recommendations following the incident, which was detected in September.
Japanese media giant Nikkei reports Slack breach exposing employee and partner records
Date: 2025-11-05 | Source: Recorded Future
Japanese media giant Nikkei reported a breach of its internal Slack system, exposing data of over 17,300 individuals, including employees and partners. The breach, discovered in September, resulted from malware on an employee's computer that compromised login credentials. Nikkei voluntarily informed Japan's data protection authorities despite the data not being classified as personal information. The company aims to enhance personal information management to prevent future incidents. This follows a previous ransomware attack in 2022.
2025-11-05 | Hack Read: Hackers Steal Personal Data and 17K Slack Messages in Nikkei Data Breach
Nikkei Inc. confirmed a data breach affecting over 17,000 individuals, discovered in September after unusual logins to employee Slack accounts. The breach originated from malware on an employee's PC, leading to stolen login credentials. Exposed data includes names, email addresses, and chat histories. Nikkei implemented password resets and informed Japan's Personal Information Protection Commission. No journalistic source information was compromised. The incident highlights challenges in detecting unauthorized actions by legitimate users.
2025-11-06 | The Register: Malware-pwned laptop gifts cybercriminals Nikkei's Slack
Japanese media company Nikkei experienced a data breach after malware infected an employee's laptop, allowing attackers to access its internal Slack workspace. Personal details of 17,368 individuals, including names and email addresses, were exposed. Nikkei reported the incident to Japan's Personal Information Protection Commission. The company has reset passwords and plans to enhance personal information management. No evidence of the stolen data being online has been found, but the breach highlights vulnerabilities in collaboration platforms.
2025-11-06 | CSO Online: Nikkei data leaked via an employee's Slack account
Unauthorized parties gained access to the Slack platform of Nikkei, a major media group, potentially exposing data of more than 17,000 employees and business partners. The affected information may include names, email addresses, and chat histories. Access was obtained through malware that infected an employee's computer and compromised their Slack credentials. No leak of information relating to journalistic sources has been confirmed.
2025-11-06 | CSO Online: Nikkei’s Slack breach leaks sensitive data from more than 17,000 users
Japanese media company Nikkei confirmed a security breach of its Slack accounts, potentially leaking sensitive information from over 17,000 users. The breach occurred due to an employee's personal computer being infected with a virus, which compromised Slack authentication credentials. Identified in September, countermeasures like password changes were implemented. Leaked data includes names, email addresses, and chat histories of 17,368 individuals. Nikkei reported the incident to Japan’s Personal Information Protection Commission.
Researchers Find ChatGPT Vulnerabilities That Let Attackers Trick AI Into Leaking Data
Date: 2025-11-05 | Source: The Hacker News
Cybersecurity researchers identified seven vulnerabilities in OpenAI's ChatGPT models (GPT-4o and GPT-5) that could allow attackers to extract personal data from users. These include indirect prompt injection via trusted sites, zero-click injection in search contexts, and memory injection techniques. OpenAI has addressed some vulnerabilities. The findings highlight the risks of exposing AI systems to external tools, emphasizing the need for robust safety mechanisms to mitigate prompt injection threats.
2025-11-05 | Cyber Security News: HackedGPT – 7 New Vulnerabilities in GPT-4o and GPT-5 Enable 0-Click Attacks
Seven critical vulnerabilities in OpenAI's ChatGPT, affecting GPT-4o and GPT-5, enable zero-click attacks that can exfiltrate user data. These flaws involve indirect prompt injections, allowing attackers to manipulate AI responses without user interaction. Key vulnerabilities include zero-click injections via indexed websites, one-click injections through crafted URLs, and persistent memory injections. Tenable disclosed these issues to OpenAI, which has issued fixes, but risks remain, highlighting the need for enhanced AI security measures.
2025-11-06 | Hack Read: New ChatGPT Vulnerabilities Let Hackers Steal Data, Hijack Memory
A report from Tenable Research identified seven vulnerabilities in OpenAI's ChatGPT, including GPT-5, that could allow hackers to steal user data and gain persistent control. Key threats include prompt injection, particularly indirect prompt injection, where harmful instructions are hidden in external sources. Techniques like safety bypass and memory injection were also detailed. OpenAI is aware and working on fixes, but the vulnerabilities underscore significant risks for all companies using generative AI.
2025-11-06 | TechRadar: Researchers claim ChatGPT has a whole host of worrying security flaws - here's what they found
Tenable identified seven security vulnerabilities in OpenAI's ChatGPT-4o, collectively termed "HackedGPT." These include indirect prompt injection, 0-click injection, and safety mechanism bypasses, allowing attackers to insert hidden commands and steal data. OpenAI has addressed some issues in GPT-5, but several vulnerabilities remain, posing risks to users. Tenable urges AI vendors to strengthen defenses against prompt injection attacks, highlighting the potential for AI systems to be exploited as attack tools.
Cloud CISO Perspectives: Recent advances in how threat actors use AI tools
Date: 2025-11-05 | Source: Google Cloud
Threat actors are increasingly using social engineering to bypass AI safeguards, as seen with Google’s Gemini model. They posed as cybersecurity researchers to extract sensitive information. Google has disabled associated assets and improved its AI protections. Additionally, a maturing cybercrime marketplace for AI tools has emerged, facilitating phishing and malware development. State-sponsored actors from North Korea, Iran, and China are leveraging AI throughout the attack lifecycle. Google is committed to responsible AI development and enhancing security measures.
2025-11-05 | Google Cloud: GTIG AI Threat Tracker: Advances in Threat Actor Usage of AI Tools
Google Threat Intelligence Group (GTIG) reports a significant shift in threat actor behavior, with adversaries now deploying AI-enabled malware that can alter its behavior during execution. This update, following a January 2025 analysis, highlights the integration of AI by government-backed actors and cyber criminals throughout the attack lifecycle. Google emphasizes its commitment to responsible AI development and proactive measures to disrupt malicious activities, including disabling harmful projects and enhancing security models.
2025-11-05 | Recorded Future: New malware uses AI to adapt during attacks, report finds
State-backed hackers are deploying AI-driven malware for the first time, enabling dynamic script generation to evade detection. Google researchers reported two types: PROMPTFLUX, an experimental dropper that rewrites its own code, and PROMPTSTEAL, used by APT28 against Ukrainian targets, which generates commands via large language models. While still in testing, these developments indicate a shift towards more autonomous malware, with a growing marketplace for AI tools aimed at enhancing cybercriminal activities.
2025-11-05 | The Hacker News: Google Uncovers PROMPTFLUX Malware That Uses Gemini AI to Rewrite Its Code Hourly
Google has identified a new malware, PROMPTFLUX, which utilizes its Gemini AI model to autonomously rewrite its VBScript code for evasion purposes. This malware can modify itself in real-time, saving obfuscated versions to the Windows Startup folder for persistence. Currently in development, it lacks the capability to compromise systems. Google also noted that various threat actors, including state-sponsored groups, are leveraging AI for malicious activities, enhancing their operational efficiency and attack strategies.
2025-11-05 | Cybersecurity Dive: AI-based malware makes attacks stealthier and more adaptive
Cyber threat actors are increasingly using AI to develop adaptive malware, complicating detection and defense. Google identified five new malware families—FRUITSHELL, PROMPTFLUX, PROMPTSTEAL, PROMPTLOCK, and QUIETVAULT—capable of real-time code modification and dynamic script generation. Notably, PROMPTSTEAL was linked to APT28, utilizing a large language model for reconnaissance. Google emphasizes the need for advanced detection tools to counter these evolving threats, as traditional methods may no longer suffice.
2025-11-05 | Help Net Security: Google uncovers malware using LLMs to operate and evade detection
Google's report reveals the emergence of AI-powered malware, including PromptLock and QuietVault, which utilize large language models (LLMs) to evade detection and enhance operational capabilities. Notable examples include PromptSteal, used by Russian APT28, and FruitShell, designed to bypass LLM-based security. Threat actors are increasingly leveraging AI for various attack stages, with underground marketplaces offering illicit AI tools. Google has strengthened protections against misuse, as adversaries adapt generative AI to improve their tactics.
2025-11-05 | Tomsguide: Google issues security warning for millions — AI-powered malware is here
Google's Threat Intelligence Group warns of AI-infused malware, specifically "just-in-time" AI tools like PromptFlux and PromptSteal, which utilize large language models (LLMs) for deployment. PromptFlux, an experimental VBScript dropper, generates obfuscated scripts to evade detection and spreads via removable drives. Google has disabled its access to Gemini and noted that various threat groups are abusing AI for phishing and crypto theft. Recommendations include limiting AI access to sensitive accounts and keeping software updated.
2025-11-05 | Ars Technica: 5 AI-developed malware families analyzed by Google fail to work and are easily detected
On Wednesday, Google analyzed five AI-generated malware samples: PromptLock, FruitShell, PromptFlux, PromptSteal, and QuietVault. The findings indicated that these samples were easily detectable and lacked advanced capabilities, such as persistence and lateral movement. PromptLock, noted as potentially the first AI-powered ransomware, demonstrated clear limitations and had no operational impact. Experts concluded that generative AI has not significantly advanced malware development, with traditional methods remaining more effective.
2025-11-06 | CSO Online: Google researchers detect first operational use of LLMs in active malware campaigns
Google researchers have identified PROMPTSTEAL, the first operational malware utilizing large language models (LLMs), linked to Russian government-backed actors. This data miner employs the Hugging Face API to generate commands dynamically instead of using hard-coded ones. It masquerades as an image generation program, guiding users through prompts while secretly querying the Qwen2.5-Coder-32B-Instruct model to execute malicious commands. This development marks a significant advancement toward more autonomous malware.
2025-11-06 | Cyber Security News: Google Warns of New PROMPTFLUX Malware Using Gemini API to Rewrite Its Own Source Code
Google's Threat Intelligence Group (GTIG) reported on PROMPTFLUX, a new malware leveraging the Gemini AI API to rewrite its own code. This VBScript-based dropper masquerades as benign installers and uses a "Thinking Robot" module to generate evasion scripts. Although still in testing, it can mutate its source code hourly and attempts lateral spread. GTIG warns of rising AI-assisted threats, urging organizations to monitor API abuses and adopt behavioral detection methods.
2025-11-06 | DIGIT: Google Finds First Evidence of AI-Enabled Malware in the Wild
Google's Threat Intelligence Group reports the emergence of AI-enabled malware, marking a significant shift in cyber threats. New malware families, such as PromptSteal and PromptFlux, utilize AI to generate malicious scripts and dynamically alter their behavior. PromptSteal, linked to the Russian Fancy Bear group, harvests system info using Hugging Face’s API. PromptFlux employs dynamic obfuscation and self-replication techniques but is not yet active in campaigns. Google has disabled associated assets to mitigate risks.
2025-11-06 | Infosecurity Magazine: AI-Enabled Malware Now Actively Deployed, Says Google
Google's Threat Intelligence Group reported the emergence of AI-powered malware, specifically PromptFlux and PromptSteal, which utilize large language models (LLMs) to generate malicious scripts and evade detection. PromptFlux, a VBScript dropper, regenerates its code via the Google Gemini API, while PromptSteal, a Python data miner, uses LLMs to execute commands for data collection. The report warns of a rapidly maturing AI malware market, with implications for detection strategies and the evolving tactics of threat actors.
2025-11-06 | CSO Online: AI malware is no longer just a theory
Cybercriminals are increasingly leveraging AI in their malware campaigns, as highlighted by the Google Threat Intelligence Group (GTIG). They are using Large Language Models (LLMs) to generate malicious scripts and obfuscate malware. The report indicates a new phase of AI misuse, with tools that dynamically alter malware behavior during execution. Researchers warn that these activities are on the rise and that AI models are also vulnerable to social engineering attacks, similar to human targets.
2025-11-06 | TechRadar: Google warns criminals are building and selling illicit AI tools - and the market is growing
Google's Threat Intelligence Group reports a troubling trend where criminals are developing and selling illicit AI tools, particularly using Large Language Models (LLMs) for malware. Notably, the 'Just-in-Time' AI malware, PROMPTFLUX, utilizes Gemini's API for dynamic obfuscation techniques to evade detection. The underground market for these tools is growing, lowering the skill barrier for cybercriminals. Links to state-sponsored actors from Iran and China are noted, with objectives including data exfiltration and reconnaissance.
2025-11-06 | Security Affairs: Google sounds alarm on self-modifying AI malware
Google's Threat Intelligence Group warns of a new generation of AI-powered malware that can mutate and adapt during execution, enhancing evasion and persistence. Notable examples include PROMPTFLUX, a VBScript dropper that uses the Google Gemini API for obfuscation, and PROMPTSTEAL, a data miner that queries an LLM for commands to collect system data. The report highlights a shift towards AI-integrated cyberattacks, with state-sponsored actors also leveraging generative AI tools for various malicious activities.
18 arrested in €300 million global credit card fraud scheme
Date: 2025-11-05 | Source: Help Net Security
A coordinated international operation led by Eurojust resulted in the arrest of 18 individuals involved in a €300 million credit card fraud scheme affecting millions across 193 countries. The suspects operated fake online subscription services and used stolen credit card data to authorize payments, keeping charges below €50 to evade detection. Four payment service providers were implicated in laundering proceeds. The investigation involved authorities from Luxembourg, Germany, and the U.S., uncovering a network of shell companies and illicit business infrastructure.
2025-11-05 | Recorded Future: Europe police bust global fraud ring that used German payment firms to launder millions
European law enforcement dismantled a credit card fraud and money-laundering network exploiting four German payment service providers, processing illicit transactions worth hundreds of millions from 2016 to 2021. Over 60 searches and 18 arrests occurred across multiple countries, with 4.3 million stolen credit card data used for 19 million fake subscriptions. Six individuals allegedly aided the criminals for fees. The investigation, ongoing since late 2020, involves charges of organized computer fraud and money laundering.
2025-11-05 | Infosecurity Magazine: Operation Chargeback Uncovers €300m Fraud Scheme in 193 Countries
Operation "Chargeback" resulted in coordinated law enforcement actions against three international fraud and money laundering networks, exploiting stolen credit card data from over 4.3 million cardholders across 193 countries. On November 4, 2025, more than 60 searches and 18 arrests were made, with damages exceeding €300m. The networks created 19 million fake subscription payments, using shell companies and low-value charges to evade detection. The operation involved cooperation from multiple countries and targeted payment service providers.
2025-11-06 | Cyber Security News: Authorities Dismantled Major Credit Card Fraud Operation Impacting 4.3 Million Cardholders
International law enforcement dismantled a major credit card fraud operation, codenamed “Chargeback,” affecting over 4.3 million cardholders across 193 countries, with damages exceeding EUR 300 million. On November 4, 2025, authorities executed 60 house searches and made 18 arrests, led by Germany’s Cybercrime Department. The networks created 19 million fake subscriptions using stolen credit card info, disguising charges to evade detection. Assets worth over EUR 35 million were secured, and suspects included payment service executives and crime-as-a-service providers.
2025-11-07 | Risky.Biz: Risky Bulletin: Europol arrests payment service executives for role in credit card fraud ring
Europol and Eurojust have dismantled a major credit card fraud network, arresting 18 suspects involved in defrauding users of over €300 million since 2016. The group used stolen credit card data to create accounts for fake subscriptions to dating, pornography, and streaming services. They targeted 4.3 million cardholders across 193 countries. Five arrested were executives at payment service providers who facilitated the fraud for fees. The operation is one of the largest ever uncovered.
CISA Adds Gladinet and CWP Flaws to KEV Catalog Amid Active Exploitation Evidence
Date: 2025-11-05 | Source: The Hacker News
CISA added two vulnerabilities to its KEV catalog: CVE-2025-11371 (CVSS 7.5) in Gladinet CentreStack and Triofox, allowing unintended file disclosure, and CVE-2025-48703 (CVSS 9.0) in Control Web Panel, enabling unauthenticated remote code execution. Federal agencies must apply fixes by November 25, 2025. Additionally, critical vulnerabilities in WordPress plugins were reported, including CVE-2025-11533, CVE-2025-5397, and CVE-2025-11833, all with CVSS scores of 9.8, necessitating immediate updates and security audits.
2025-11-05 | Security Affairs: U.S. CISA adds Gladinet CentreStack and CWP Control Web Panel flaws to its Known Exploited Vulnerabilities catalog
U.S. CISA has added vulnerabilities CVE-2025-11371 and CVE-2025-48703 to its Known Exploited Vulnerabilities catalog. CVE-2025-11371, affecting Gladinet CentreStack and Triofox, allows unauthorized access to system files and is actively exploited. A workaround is available. CVE-2025-48703, an OS command injection flaw in CWP Control Web Panel, permits remote command execution. Federal agencies must address these vulnerabilities by November 25, 2025, as per BOD 22-01.
2025-11-05 | Cyber Security News: CISA Warns of Control Web Panel OS Command Injection Vulnerability Exploited in Attacks
CISA has issued a critical warning about CVE-2025-48703, an OS command injection vulnerability in Control Web Panel (CWP). This flaw allows unauthenticated attackers to execute arbitrary commands with minimal prerequisites. CISA added it to its Known Exploited Vulnerabilities catalog on November 4, 2025, with a mitigation deadline of November 25, 2025. Organizations are advised to apply patches, ensure compliance with BOD 22-01, or discontinue use if patches are insufficient. Immediate audits and monitoring are recommended.
2025-11-05 | Help Net Security: Critical Control Web Panel vulnerability is actively exploited (CVE-2025-48703)
CVE-2025-48703 is a critical OS Command Injection vulnerability in Control Web Panel (CWP) that allows unauthenticated remote code execution. Exploitation requires knowledge of a valid non-root username. CWP versions before 0.9.8.1205 are affected. Users are advised to upgrade, restrict access to port 2083, and monitor for signs of compromise. Over 220,000 CWP instances are internet-facing, with active exploit development noted since June 2025.
2025-11-06 | Cyber Security News: CISA Warns of Gladinet CentreStack and Triofox Files Vulnerability Exploited in Attacks
CISA has issued a critical warning about a vulnerability (CVE-2025-11371) in Gladinet CentreStack and Triofox platforms, allowing unauthorized access to sensitive files. Exploitation attempts have been confirmed, posing risks of data exposure and potential follow-up attacks. Organizations are urged to apply patches, implement security controls, or discontinue use by the remediation deadline of November 25, 2025. Recommended actions include reviewing access logs and enhancing network security measures.
Russian spies pack custom malware into hidden VMs on Windows machines
Date: 2025-11-04 | Source: The Register
Russian group Curly COMrades is exploiting Microsoft's Hyper-V to create hidden Alpine Linux VMs on compromised Windows machines, allowing them to bypass endpoint security. This campaign, uncovered by Bitdefender and Georgian CERT, began in July and involves custom malware, CurlyShell and CurlCat, for remote access and traffic obfuscation. Attackers disable Hyper-V management, ensuring malicious traffic appears legitimate. Recommendations include a multi-layered security strategy to counteract such sophisticated evasion techniques.
2025-11-05 | TechRadar: Russian hackers hit Windows machines via Linux VMs with new custom malware
Russian hackers known as Curly COMrades have targeted Georgian and Moldovan institutions using custom malware, CurlyShell and CurlCat, hidden within Alpine Linux VMs on Windows hosts. This tactic, which began in July 2025, allows them to bypass traditional EDR by tunneling traffic through the host's IP. The attackers executed remote commands to enable Hyper-V and deployed PowerShell scripts for remote access. Their operations align with Russian geopolitical interests, although no direct links to known APT groups were established.
2025-11-05 | Recorded Future: Russia-linked 'Curly COMrades' turn to malicious virtual machines for digital spy campaigns
Researchers from Bitdefender reported on a cyber-espionage campaign attributed to the Russia-linked group Curly COMrades, active since July 2024. The group uses malicious virtual machines, specifically exploiting Hyper-V, to maintain covert access to networks. They installed a lightweight Alpine Linux VM containing custom malware tools, CurlyShell and CurlCat, to steal data. The campaign targets critical organizations in Georgia and Moldova, aligning with Russian geopolitical interests.
2025-11-05 | Cyber Security News: Curly COMrades Hacker Group Using New Tools to Create Hidden Remote Access on Compromised Windows 10
A hacker group named Curly COMrades has exploited Windows 10's Hyper-V virtualization to gain covert access to networks since July 2025. They deploy a minimal Alpine Linux VM to host malware, including CurlyShell and CurlCat, while evading detection. The attackers disable Hyper-V management interfaces and use deceptive file placements to initiate their operations. Persistence is maintained through scheduled tasks, and malicious traffic is routed to appear legitimate, complicating detection and attribution efforts.
2025-11-05 | CSO Online: Russian APT abuses Windows Hyper-V for persistence and malware execution
A Russian APT group, Curly COMrades, is exploiting Windows Hyper-V to maintain persistent access on compromised Windows 10 systems. They deploy lightweight, Alpine Linux-based virtual machines to conceal their malware tools, including a custom reverse shell named CurlyShell and a reverse proxy called CurlCat. This method allows them to operate covertly while utilizing Hyper-V's capabilities, which is available in Windows 10 and 11 Pro and Enterprise editions.
2025-11-06 | The Hacker News: Hackers Weaponize Windows Hyper-V to Hide Linux VM and Evade EDR Detection
The threat actor Curly COMrades exploits Windows Hyper-V to deploy a hidden Alpine Linux VM, enabling custom malware execution while evading EDR detection. This environment hosts CurlyShell and CurlCat for reverse shell and proxy capabilities. Active since late 2023, their toolkit includes RuRat, Mimikatz, and MucorAgent. By isolating malware in a VM, they bypass traditional detections. Communication with the C2 server is achieved via HTTP requests, allowing encrypted command execution.
2025-11-06 | Security Affairs: Alleged Russia-linked Curly COMrades exploit Windows Hyper-V to evade EDRs
Curly COMrades, a Russia-linked threat group, exploits Windows Hyper-V to conceal Linux VMs and evade EDR detection. They deploy custom malware, CurlyShell and CurlCat, within hidden Alpine Linux VMs, maintaining covert access and using tunneling tools. Active since late 2023, they employ techniques like PowerShell exploitation and Kerberos ticket manipulation. Recommendations include monitoring LSASS access, enhancing EDR/XDR capabilities, and implementing multilayered security to counteract their sophisticated tactics.
Treasury sanctions 8 for laundering North Korea earnings from cybercrime, IT worker scheme
Date: 2025-11-04 | Source: Recorded Future
The U.S. Treasury sanctioned eight individuals and two companies for laundering money linked to North Korea's cybercrime and IT worker fraud schemes. Key targets include Korea Mangyongdae Computer Technology Company and Ryujong Credit Bank. The sanctions address the laundering of approximately $5.3 million in cryptocurrency, with ties to a ransomware attack on a U.S. entity. North Korean cybercriminals have stolen over $3 billion in the past three years, significantly funding the regime's weapons program.
2025-11-04 | Cyberscoop: North Korean companies, people sanctioned for money laundering from cybercrime, IT worker schemes
The U.S. Treasury Department sanctioned eight individuals and two companies linked to North Korean cybercrime and money laundering, which have reportedly generated over $3 billion in stolen cryptocurrency. Key figures include bankers Jang Kuk Chol and Ho Jong Son, and the Korea Mangyongdae Computer Technology Company. These actions support North Korea's nuclear program and violate UN Security Council resolutions. The sanctions aim to disrupt funding for these activities, which pose global security threats.
2025-11-05 | The Hacker News: U.S. Sanctions 10 North Korean Entities for Laundering $12.7M in Crypto and IT Fraud
The U.S. Treasury sanctioned ten North Korean entities for laundering $12.7 million in cryptocurrency linked to cybercrime and IT fraud. Key figures include Jang Kuk Chol and Ho Jong Son, associated with First Credit Bank, and U Yong Su, president of Korea Mangyongdae Computer Technology Company (KMCTC). The sanctions target those facilitating North Korea's illicit revenue streams, which fund its nuclear program. North Korean cyber actors have stolen over $3 billion in digital assets in recent years.
2025-11-05 | Security Affairs: U.S. sanctioned North Korea bankers for laundering funds linked to cyberattacks and weapons program
The U.S. Treasury Department sanctioned two North Korean banks and eight individuals for laundering funds linked to cybercrime supporting the country's nuclear weapons program. North Korean cyber actors have stolen over $3 billion in digital assets in three years through advanced malware and social engineering. Sanctioned entities include Ryujong Credit Bank and Korea Mangyongdae Computer Technology Company. All assets of sanctioned individuals in the U.S. are frozen, and U.S. persons are barred from transactions with them.
Critical React Native CLI Flaw Exposed Millions of Developers to Remote Attacks
Date: 2025-11-04 | Source: The Hacker News
A critical security flaw in the "@react-native-community/cli" npm package, tracked as CVE-2025-11953, has been patched. This vulnerability, with a CVSS score of 9.8, allowed remote unauthenticated attackers to execute arbitrary OS commands via the Metro development server's "/open-url" endpoint. Affected versions range from 4.8.0 to 20.0.0-alpha.2, with the patch released in version 20.0.0. Developers are urged to implement comprehensive security scanning to mitigate risks from third-party code.
2025-11-05 | TechRadar: Millions of developers could be open to attack after critical flaw exploited - here's what we know
CVE-2025-11953 is a critical OS command injection vulnerability affecting the React Native CLI package versions 4.8.0 to 20.0.0-alpha.2, with a severity score of 9.8/10. It allows unauthenticated attackers to execute arbitrary commands via the Metro server. The vulnerability has not been confirmed as exploited in the wild. Users are advised to update to version 20.0.0 or restrict server exposure to mitigate risks. The issue highlights the importance of security scanning in the software supply chain.
2025-11-05 | Hack Read: Severe React Native Flaw Exposes Developer Systems to Remote Attacks
A critical vulnerability, tracked as CVE-2025-11953, has been discovered in the @react-native-community/cli package, affecting versions 4.8.0 to 20.0.0-alpha.2. This flaw allows remote code execution (RCE) on developer machines due to improper configuration of the Metro development server. Developers are urged to update to version 20.0.0 or higher. A temporary workaround is to bind the server to the local machine using the flag `--host 127.0.0.1`. The CVSS score for this vulnerability is 9.8.
2025-11-06 | CSO Online: Flaw in React Native CLI opens dev servers to attacks
A critical remote-code execution (RCE) vulnerability in the @react-native-community/cli allows attackers to execute arbitrary OS commands via the Metro development server. By default, the server binds to all network interfaces (0.0.0.0), exposing machines to external threats when launched with standard commands like npm start. JFrog researchers highlight the severity of this issue for React Native developers, noting that while exploitation is clear on Windows, risks on macOS/Linux require further investigation.
Microsoft Teams Bugs Let Attackers Impersonate Colleagues and Edit Messages Unnoticed
Date: 2025-11-04 | Source: The Hacker News
Cybersecurity researchers revealed four vulnerabilities in Microsoft Teams that allow attackers to impersonate colleagues and manipulate messages without detection. Disclosed in March 2024, Microsoft addressed some issues in August 2024 under CVE-2024-38197, with further patches in September 2024 and October 2025. These flaws enable attackers to alter message content and sender identities, posing risks of social engineering attacks. Microsoft emphasized the need for organizations to secure digital trust in collaboration tools.
2025-11-04 | The Register: Invasion of the message body snatchers! Teams flaw allowed crims to impersonate the boss
Microsoft Teams had serious vulnerabilities allowing attackers to impersonate executives, rewrite chat history, and fake notifications or calls. Check Point identified four flaws, including silent message overwrites and caller ID forgery. Microsoft confirmed these issues, tracked one as CVE-2024-38197, and issued patches from March 2024 to October 2025. The vulnerabilities could enable financial fraud and misinformation, highlighting the need for enhanced security measures in collaboration tools.
2025-11-04 | Cybersecurity Dive: Researchers warn of flaws that allow manipulation of Microsoft Teams messages
Critical vulnerabilities in Microsoft Teams allow attackers to manipulate messages, spoof notifications, and impersonate users, as reported by Check Point Research. Four specific attack types were identified: editing messages without an "edited" label, altering notification senders, changing display names in chats, and modifying caller identities in calls. Microsoft tracked one vulnerability as CVE-2024-38197 and issued fixes last month, addressing issues with audio and video messages.
2025-11-05 | Hack Read: Microsoft Teams Flaws Allowed Attackers to Fake Identities, Rewrite Chats
Microsoft Teams had critical vulnerabilities allowing attackers to impersonate users, alter chat histories, and spoof notifications. Check Point Research revealed that messages could be edited without an "Edited" tag, and notifications could appear as if sent by trusted individuals. Attackers could also modify display names in chats and calls. Microsoft addressed these issues, tracked as CVE-2024-38197, with patches released from March 2024 to October 2025. Users received updates automatically, but collaboration tools remain high-risk targets.
2025-11-05 | TechRadar: Microsoft Teams really could be bad for your (security) health - hackers spoof bosses, send fake messages, and more
Multiple vulnerabilities in Microsoft Teams allowed attackers to edit messages, spoof notifications, and alter caller identities, facilitating phishing and social engineering attacks. Check Point Research reported that these flaws could lead to data theft and wire fraud. Microsoft addressed these issues under CVE-2024-38197, with fixes rolled out by October 2025, requiring no user action. The manipulation of trust mechanisms in Teams poses significant risks to user security and collaboration integrity.
European authorities dismantle €600 million crypto scam network
Date: 2025-11-04 | Source: Help Net Security
European authorities dismantled a €600 million cryptocurrency scam network, arresting nine suspects on 27 and 29 October. The operation, led by Eurojust, involved investigators from France, Belgium, Cyprus, Spain, and Germany. Authorities seized €800,000 in bank accounts, €415,000 in cryptocurrencies, and €300,000 in cash. The suspects created fake investment platforms, luring victims through social media and fake endorsements, ultimately laundering the stolen funds using blockchain technology.
2025-11-04 | Infosecurity Magazine: French Police Seize €1.6m Amid Crypto Scam Network Crackdown
On November 4, French authorities announced the arrest of nine individuals linked to an international cryptocurrency investment scam and money laundering network. The operation, conducted from October 27 to 30, involved police from France, Belgium, and Cyprus, resulting in the seizure of €1.6m in assets. The investigation, initiated in 2023, uncovered that the scammers targeted hundreds of victims, laundering at least $700m through fake investment platforms. The suspects face significant prison time and fines.
2025-11-04 | The Hacker News: European Authorities Dismantle €600 Million Crypto Fraud Network in Global Sweep
Europol and Eurojust arrested nine individuals linked to a €600 million cryptocurrency fraud network during a coordinated operation from October 27-29 across Cyprus, Spain, and Germany. Authorities seized €800,000 in bank accounts, €415,000 in cryptocurrencies, and €300,000 in cash. The network created fake investment platforms and used social media and cold calling to recruit victims. The investigation began after victims reported losses, highlighting the growing sophistication of crypto-related crimes.
2025-11-04 | Recorded Future: 9 arrested in Europe in operation against fake platforms for crypto investments
Nine individuals were arrested in Europe for their roles in a cryptocurrency investment scam network that defrauded victims of nearly $700 million. The operation, conducted in late October, involved creating fake investment platforms that promised high returns but ultimately stole funds. Victims were targeted through social media, cold calls, and fake testimonials. Arrests occurred in Cyprus, Spain, and Germany, with law enforcement seizing €1.5 million in cash and cryptocurrency, along with luxury watches valued at €100,000.
2025-11-05 | Security Affairs: Nine arrested in €600M crypto laundering bust across Europe
Nine individuals were arrested in a Eurojust-led operation across Cyprus, Spain, and Germany for laundering €600 million from a crypto fraud scheme. The group operated fake investment sites, attracting victims via social media and false endorsements. Authorities seized €800,000 in bank funds, €415,000 in cryptocurrency, and €300,000 in cash during raids. The coordinated actions occurred on October 27 and 29, 2025, with involvement from investigators in multiple European countries.
Google’s AI ‘Big Sleep’ Finds 5 New Vulnerabilities in Apple’s Safari WebKit
Date: 2025-11-04 | Source: The Hacker News
Google's AI agent, Big Sleep, discovered five vulnerabilities in Apple's Safari WebKit, including CVE-2025-43429 (buffer overflow), CVE-2025-43430 (unspecified), CVE-2025-43431 & CVE-2025-43433 (memory corruption), and CVE-2025-43434 (use-after-free). Apple released patches on Monday as part of iOS 26.1, iPadOS 26.1, macOS Tahoe 26.1, tvOS 26.1, watchOS 26.1, and Safari 26.1. Keeping devices updated is recommended for optimal protection.
2025-11-04 | Security Affairs: Google Big Sleep found five vulnerabilities in Safari
Google's AI agent, Big Sleep, identified five WebKit vulnerabilities in Safari that could lead to crashes or memory corruption. The flaws include CVE-2025-43434 (use-after-free), CVE-2025-43429 (buffer overflow), CVE-2025-43430 (unspecified bug), and CVEs 2025-43431 & 43433 (memory corruption). None have been exploited in the wild. Apple has released updates to fix these issues, enhancing state management and memory handling. Additionally, Google addressed CVE-2025-9132 in Chrome 139.
2025-11-04 | TechRadar: Apple reveals a host of iOS and iPadOS security flaws needing urgent attention - so patch now
Apple's iOS 26.1 and iPadOS 26.1 address around 50 vulnerabilities, including critical flaws like CVE-2025-43442, which allowed apps to identify installed applications, increasing phishing risks. CVE-2025-43455 enabled malicious apps to take screenshots of sensitive data. Additionally, CVEs 2025-43447 and 2025-43462 could lead to system termination or kernel memory corruption. Users are urged to apply the updates promptly across various Apple devices to mitigate these risks.
2025-11-04 | Cyberscoop: Apple addresses more than 100 vulnerabilities in security updates for iPhones, Macs and iPads
Apple addressed 105 vulnerabilities in MacOS 26.1 and 56 in iOS/iPadOS 26.1, including flaws in core services affecting iPhones, Macs, and iPads. No active exploitation was reported. The Cybersecurity and Infrastructure Security Agency added eight Apple defects to its exploited vulnerabilities catalog. Notably, seven WebKit defects could lead to unexpected crashes from malicious web content. Apple also patched 21 defects in Safari 26.1, 43 in visionOS 26.1, 32 in watchOS 26.1, and two in Xcode 26.1.
2025-11-05 | Malwarebytes Labs: Apple patches 50 security flaws—update now
Apple has released updates addressing nearly 50 security flaws across iPhones, iPads, Macs, Apple Watches, Apple TVs, Safari, and Xcode. Notable vulnerabilities include CVE-2025-43442, which could allow apps to identify installed applications, and CVE-2025-43455, enabling malicious apps to capture sensitive screenshots. Users are urged to update their devices promptly to safeguard personal information. Instructions for updating various Apple devices are provided.
2025-11-05 | CNET: Tired of Manually Downloading Security Updates? This iOS 26.1 Setting Can Do It Automatically
Apple released iOS 26.1, introducing a feature called Security Improvements that allows automatic installation of small security updates to enhance device protection. This feature is designed to patch vulnerabilities quickly, similar to the Rapid Security Responses introduced in 2023. Users can enable this setting by navigating to Settings > Privacy & Security > Background Security Improvements and toggling on Automatic Install. Compatibility issues may temporarily remove these updates, but they can be enhanced in future updates.
Microsoft Detects "SesameOp" Backdoor Using OpenAI's API as a Stealth Command Channel
Date: 2025-11-04 | Source: The Hacker News
Microsoft has identified a backdoor named SesameOp that utilizes OpenAI's API for command-and-control communications. Discovered in July 2025, the malware maintains persistence in compromised environments, leveraging internal web shells and compromised Microsoft Visual Studio utilities. The infection chain includes a loader ("Netapi64.dll") and a .NET backdoor ("OpenAIAgent.Netapi64"). Microsoft reported the findings to OpenAI, which disabled the associated API key. The attack indicates a trend of using legitimate tools for malicious activities.
2025-11-04 | CSO Online: New backdoor ‘SesameOp’ abuses OpenAI Assistants API for stealthy C2 operations
A new backdoor named SesameOp has been discovered, exploiting the OpenAI Assistants API for command and control (C2) operations. Researchers at Microsoft reported that this campaign was active for months, utilizing obfuscated .NET libraries injected into compromised Visual Studio utilities. The threat actor employs this unconventional method to stealthily communicate and orchestrate malicious activities within the affected environment.
2025-11-04 | The Register: OpenAI API moonlights as malware HQ in Microsoft’s latest discovery
Hackers are exploiting OpenAI's Assistants API to control malware through a backdoor named "SesameOp," discovered by Microsoft. This backdoor uses ".NET AppDomainManager injection" to communicate with infected systems, blending malicious traffic with legitimate AI usage to evade detection. The malware employs payload compression and encryption, complicating detection efforts. Microsoft has shared its findings with OpenAI, which disabled a compromised API key. The Assistants API is set for deprecation in August 2026.
2025-11-04 | Infosecurity Magazine: OpenAI Assistants API Exploited in 'SesameOp' Backdoor
Threat actors are exploiting the OpenAI Assistants API to deploy a backdoor named 'SesameOp,' discovered by Microsoft DART in July 2025. This backdoor uses a DLL, Netapi64.dll, for stealthy command-and-control communications, allowing remote management of compromised devices. The report, published on November 3, details sophisticated evasion techniques, including payload compression and layered encryption. Microsoft recommends specific mitigations to counter the SesameOp threat, which is expected to persist until the API's deprecation in August 2026.
2025-11-04 | TechRadar: Microsoft warns a key OpenAI API is being exploited to launch cyberattacks
Microsoft has identified a new malware, SesameOp, which exploits OpenAI's Assistants API for command-and-control operations. Discovered in July 2025, it allows attackers persistent access and data exfiltration through encrypted API traffic. Microsoft clarifies that this is not a vulnerability in OpenAI but an abuse of the API's capabilities. Recommendations include auditing firewall logs, enabling tamper protection, and configuring endpoint detection to mitigate risks associated with SesameOp.
2025-11-04 | Security Affairs: SesameOp: New backdoor exploits OpenAI API for covert C2
Microsoft discovered a new backdoor, SesameOp, exploiting the OpenAI Assistants API for covert command-and-control (C2) in compromised systems. Detected in July 2025, it uses .NET AppDomainManager injections within Visual Studio utilities for persistence. The backdoor consists of a heavily obfuscated loader (Netapi64.dll) and a .NET component (OpenAIAgent.Netapi64), enabling stealthy communication and command execution via the OpenAI API. Microsoft and OpenAI have disabled the malicious API key following the investigation.
2025-11-04 | Hack Read: SesameOp Backdoor Abused OpenAI Assistants API for Remote Access
Cybersecurity researchers have discovered a backdoor named SesameOp that misuses the OpenAI Assistants API for remote access, allowing attackers to communicate covertly after compromising systems. The malware employs a .NET-based component and maintains persistence by managing custom "Assistants" for encoded messages. Microsoft, in collaboration with OpenAI, has disabled the attacker's API key. Organizations are advised to audit logs, enforce strict controls, and monitor unexpected connections to api.openai.com.
DOJ accuses US ransomware negotiators of launching their own ransomware attacks
Date: 2025-11-03 | Source: TechCrunch
U.S. prosecutors indicted Kevin Tyler Martin and an unnamed employee from DigitalMint, along with Ryan Clifford Goldberg from Sygnia, for conducting their own ransomware attacks while negotiating ransom payments for victims. They are accused of hacking at least five U.S. companies and deploying ransomware from the ALPHV/BlackCat group, receiving over $1.2 million from one victim. DigitalMint and Sygnia are cooperating with the investigation, with both companies confirming the individuals' roles.
2025-11-03 | Cyberscoop: Prosecutors allege incident response pros used ALPHV/BlackCat to commit string of ransomware attacks
Federal prosecutors allege that cybersecurity professionals Ryan Clifford Goldberg and Kevin Tyler Martin, along with an unnamed co-conspirator, used ALPHV/BlackCat ransomware to extort five U.S. businesses from May 2023 to April 2025. They successfully extorted $1.3 million from a Florida medical company. Both were indicted on October 2 for conspiracy and extortion. Goldberg was arrested on September 22 after attempting to flee to Europe, while Martin was arrested on October 14. Each faces up to 50 years in prison.
2025-11-03 | The Register: Ransomware negotiator, pay thyself!
Ryan Clifford Goldberg and Kevin Tyler Martin, both cybersecurity professionals, were indicted for conducting ransomware attacks against multiple U.S. companies between May and November 2023. They allegedly deployed ALPHV/BlackCat ransomware, demanding tens of millions in extortion payments. One victim, a Florida medical device firm, paid approximately $1.27 million in virtual currency. The indictment states that the attacks did not involve client data from their employers, DigitalMint and Sygnia Cybersecurity Services.
2025-11-04 | The Hacker News: U.S. Prosecutors Indict Cybersecurity Insiders Accused of BlackCat Ransomware Attacks
Federal prosecutors have indicted Ryan Clifford Goldberg, Kevin Tyler Martin, and an unnamed co-conspirator for using BlackCat ransomware to attack five U.S. companies between May and November 2023. The victims include a medical device firm, a pharmaceutical company, a doctor's office, an engineering company, and a drone manufacturer. Ransom demands ranged from $300,000 to $10 million. Goldberg allegedly confessed to the FBI, while both he and Martin face charges that could lead to 50 years in prison.
2025-11-04 | Help Net Security: Former ransomware negotiators allegedly targeted US firms with ALPHV/BlackCat ransomware
Ryan Clifford Goldberg and Kevin Tyler Martin have been indicted in Florida for allegedly conspiring to deploy the ALPHV/BlackCat ransomware against multiple US firms, extorting nearly $1.3 million from one victim. The indictment details their partnership with the ransomware group from May 2023 to April 2025, targeting at least five organizations, including a Tampa medical device manufacturer that paid approximately $1.27 million in cryptocurrency. Law enforcement has since seized ALPHV/BlackCat leak sites.
2025-11-04 | CSO Online: Cybersecurity experts charged with running BlackCat ransomware operation
Three cybersecurity professionals have been charged with running the BlackCat ransomware operation, deploying ALPHV malware against at least five US enterprises from May to November 2023. The indictment, filed on October 2 in the US District Court for the Southern District of Florida, names Ryan Clifford Goldberg and Kevin Tyler Martin, while a third conspirator remains unnamed. The document does not disclose the names of the affected organizations.
2025-11-04 | TechRadar: Cybersecurity experts accused of carrying out their own attacks using dangerous ransomware
Three men, including former cybersecurity professionals, have been indicted for deploying ALPHV ransomware against multiple US firms, demanding cryptocurrency ransoms. Victims included a medical device company, a pharmaceutical firm, and others, with one company paying $1.2 million. Charges include conspiracy to interfere with interstate commerce by extortion, carrying up to 20 years in prison. Goldberg confessed and attempted to flee; Martin has pleaded not guilty.
2025-11-05 | Risky.Biz: Risky Bulletin: US indicts two rogue cybersecurity employees for ransomware attacks
The US Department of Justice has indicted Kevin Tyler Martin and Ryan Clifford Goldberg, former employees of cybersecurity firms, for hacking US companies and deploying ransomware. They allegedly extorted millions, including a $10 million ransom from a medical device company. The group used AlphV (BlackCat) ransomware, and their activities reportedly continued until April 2025. Authorities seized AlphV servers in December 2023, aiding in the investigation. Martin and Goldberg are currently detained.
2025-11-05 | Security Affairs: Former cybersecurity firm experts attempted to extort five U.S. companies in 2023 using BlackCat ransomware attacks
U.S. prosecutors charged Ryan Clifford Goldberg and Kevin Tyler Martin for extorting five U.S. companies using BlackCat ransomware between May and November 2023. Ransom demands included $10 million from a medical device firm (which paid $1.27 million), $5 million from a California doctor's office, and others. Goldberg, a former incident response manager, admitted to laundering $1.2 million in cryptocurrency. Both face charges that could result in up to 50 years in prison.
2025-11-05 | Security Affairs: Former cybersecurity employees attempted to extort five U.S. companies in 2023 using BlackCat ransomware attacks
U.S. prosecutors charged Ryan Clifford Goldberg and Kevin Tyler Martin for extorting five U.S. companies using BlackCat ransomware between May and November 2023. The attacks targeted a medical device company, a pharmaceutical firm, a doctor's office, an engineering company, and a drone manufacturer, with ransom demands totaling approximately $16.3 million. Only the medical device firm paid, about $1.27 million. Goldberg admitted to laundering the ransom, while both face charges that could result in 50 years in prison.
"We have terrible security practices" - University of Pennsylvania hackers say they've stolen over a million records in major cyberattack
Date: 2025-11-03 | Source: TechRadar
Cybercriminals have claimed responsibility for a cyberattack on the University of Pennsylvania, stealing data on 1.2 million individuals, including PII and financial information. Access was gained through a compromised SSO account, allowing entry to various university systems. Data exfiltration occurred around October 30-31, 2023. Following the breach, attackers sent an offensive email to 700,000 recipients using Salesforce Marketing Cloud, targeting wealthy donors without intending to demand ransom.
2025-11-04 | Security Magazine: 1.2M Individuals’ Data Stolen In University Hacking
On Oct. 31, the University of Pennsylvania experienced a cyber incident where mass emails were sent from compromised accounts, criticizing the institution. The alleged threat actor claimed access to an employee's PennKey SSO account, allowing entry to various systems and exfiltration of data for approximately 1.2 million individuals, including names, dates of birth, phone numbers, addresses, donation history, estimated net worth, and demographic information. An archive of 1.7 GB containing this data has been published.
2025-11-04 | NY Times: Penn Data Breach Involves Decades of Student and Alumni Information
The University of Pennsylvania reported a data breach affecting 1.2 million lines of data, including information on donors, alumni, students, internal memos, and banking details. Some data dates back decades. The breach appears politically motivated, with the hacker sending vulgar emails to the university community. This incident follows similar breaches at New York University and Columbia University. The breach was initially reported by The Daily Pennsylvanian and various technology sites.
2025-11-05 | TechCrunch: University of Pennsylvania confirms hacker stole data during cyberattack
The University of Pennsylvania confirmed a data breach where a hacker stole information related to alumni and development activities. The breach was discovered on October 31, attributed to a social engineering attack. Hackers sent fraudulent emails from official addresses, claiming to have accessed sensitive documents, including donor information and personally identifiable information. The university will notify affected individuals but has not disclosed the number of impacted persons or specific data accessed.
2025-11-06 | TechRadar: University of Pennsylvania confirms recent cyberattack led to major data theft
Hackers accessed the University of Pennsylvania's systems using stolen SSO credentials, compromising data on approximately 1.2 million individuals, including students, alumni, and donors. The breach exploited weak MFA enforcement among senior staff through social engineering. Stolen information includes names, birth dates, addresses, phone numbers, estimated net worth, and demographic details. An offensive email was sent to 700,000 recipients post-attack, prompting the university to confirm the breach and initiate an investigation.
Cybercriminals Exploit Remote Monitoring Tools to Infiltrate Logistics and Freight Networks
Date: 2025-11-03 | Source: The Hacker News
Cybercriminals are targeting trucking and logistics firms using remote monitoring and management (RMM) software to steal cargo, particularly food and beverages. Active since June 2025, these attackers collaborate with organized crime, employing tactics like hijacking email conversations and sending spear-phishing emails with malicious URLs. The URLs lead to legitimate RMM tools, allowing attackers to gain remote access, conduct reconnaissance, and harvest credentials. This method helps them evade detection by security solutions.
2025-11-03 | Infosecurity Magazine: Hackers Help Organized Crime Groups in Cargo Freight Heists, Researchers Find
Cybercriminals are aiding organized crime in cargo freight theft, targeting trucking and logistics firms in North America. Proofpoint's November 3 report reveals that since at least June 2025, hackers have employed social engineering tactics, including compromised load boards and email hijacking, to gain access. They use RMM tools like ScreenConnect and LogMeIn Resolve for control and deploy credential harvesting tools. This indicates a strategy to compromise accounts and expand access within targeted systems.
2025-11-03 | Cybersecurity Dive: Cybercrime groups team with organized crime in massive cargo theft campaigns
Financially motivated cyber gangs are collaborating with organized crime to steal cargo using remote monitoring tools like ScreenConnect and SimpleHelp. Active since June 2025, they conduct reconnaissance and harvest credentials from trucking carriers and freight brokers. A separate campaign from 2024 to March 2025 involved malware like DanaBot targeting transportation companies. Cargo theft losses reached $34 billion annually, with a 27% increase in 2024. U.S. authorities are focusing on combating this growing threat.
2025-11-03 | The Register: Cybercrooks team up with organized crime to steal pricey cargo
Cybercriminals are collaborating with organized crime groups to execute cargo thefts, targeting US logistics companies using remote monitoring and management (RMM) tools. Attacks begin at broker load boards, where criminals post fake loads to lure unsuspecting haulers. Once access is gained, they intercept communications to redirect shipments to their control, leading to significant supply chain disruptions and losses. In Q3 2025, cargo thefts totaled $111.88 million, with an average stolen shipment value of $336,787.
2025-11-03 | Recorded Future: Cargo theft gets a boost from hackers using remote monitoring tools
Cybercriminals are increasingly targeting trucking and logistics firms using remote monitoring tools to hijack cargo. A report by Proofpoint reveals a 27% rise in cargo theft in the U.S. in 2024, with losses estimated at $35 billion annually. Hackers infiltrate load boards to advertise fraudulent loads and use malicious emails to install monitoring tools. Recommendations include restricting such tool installations and enhancing network detections. Legislative efforts are underway to address the growing issue of cargo theft.
2025-11-04 | Security Affairs: Crooks exploit RMM software to hijack trucking firms and steal cargo
Cybercriminals are exploiting remote monitoring and management (RMM) software to hijack cargo from trucking and logistics firms, collaborating with organized crime since June 2025. They infiltrate companies, post fake freight listings, and use phishing tactics to install RMM tools, gaining full system access. This has led to significant cargo theft, with losses projected to rise 22% in 2025. Proofpoint reports nearly two dozen campaigns targeting these entities, emphasizing the growing threat to supply chains and financial stability.
2025-11-04 | Help Net Security: Cybercriminals exploit RMM tools to steal real-world cargo
Cybercriminals are targeting logistics and trucking companies by tricking them into installing remote monitoring and management (RMM) tools, according to Proofpoint researchers. Since at least June 2025, attackers have used fraudulent freight listings and malicious emails to compromise companies. Once installed, RMM tools give attackers full control, enabling them to hijack freight shipments. Recommendations include restricting RMM software to approved tools, enhancing network detection, and training employees to recognize suspicious files and activities.
2025-11-04 | TechRadar: Hackers are teaming up with organized crime gangs to steal cargo right from supply chains
Hackers are collaborating with organized crime gangs to steal cargo from supply chains. They initiate phishing attacks on logistics companies to gain access and redirect shipments. Using remote monitoring tools, they impersonate firms and manipulate truck drivers, leading to theft at fraudulent pickup points. This sophisticated approach targets freight brokers and trucking companies, posing risks to drivers. Cargo theft costs approximately $34 billion annually, with digitization increasing vulnerabilities in supply chains.
2025-11-05 | CSO Online: How crooks use IT to enable cargo theft
Crooks compromise broker load boards to facilitate cargo theft by posting fake load offers or intercepting email conversations between carriers and firms. They send infected attachments to install remote access malware, allowing them to bid on real loads. One company reported being compromised when a fake broker sent a malicious setup link, leading to email access and deletion of bookings. Although they attempted to steal loads, the firm alerted drivers in time. Another company later experienced a similar attack.
2025-11-06 | Malwarebytes Labs: Hackers commit highway robbery, stealing cargo and goods
Cybercriminals are targeting trucking and logistics companies, impersonating brands to divert cargo shipments to unauthorized locations. This has led to significant supply chain disruptions and financial losses, particularly affecting food and beverage products. Attack methods include fake load boards that install Remote Monitoring and Management (RMM) software, compromised email accounts, and phishing emails. Recommendations include using security products to monitor RMM tool installations and adhering to security best practices.
OpenAI releases ‘Aardvark’ security and patching model
Date: 2025-10-31 | Source: Cyberscoop
OpenAI has released Aardvark, a new AI model for automating bug hunting and patching, currently in an invite-only beta. It scans source code for vulnerabilities, assesses severity, and proposes patches, using LLM-powered reasoning instead of traditional methods. Aardvark has identified 92% of known vulnerabilities in test repositories and has received 10 CVE entries. OpenAI aims to enhance security without hindering innovation, while also updating its vulnerability disclosure process to emphasize ecosystem security.
OpenAI releases ‘Aardvark’ security and patching model
2025-10-31 | CSO Online: OpenAI launches Aardvark to detect and patch hidden bugs in code
OpenAI has launched Aardvark, an autonomous agent powered by GPT-5, designed to detect and patch hidden bugs in code. Announced on Thursday and currently in private beta, Aardvark mimics human security researchers by analyzing code semantics and behavior rather than just flagging suspicious code. This AI-driven approach represents a significant advancement in software security, aiming to enhance vulnerability analysis and remediation processes.
2025-10-31 | The Hacker News: OpenAI Unveils Aardvark: GPT-5 Agent That Finds and Fixes Code Flaws Automatically
OpenAI has launched Aardvark, an autonomous agent powered by GPT-5, designed to identify and patch security vulnerabilities in code. Currently in private beta, Aardvark analyzes source code repositories, assesses vulnerabilities, and proposes targeted patches. It has already identified at least 10 CVEs in open-source projects. Aardvark aims to enhance security without hindering development, functioning alongside similar tools like Google’s CodeMender for continuous code analysis and patch generation.
2025-11-02 | Cyber Security News: OpenAI’s New Aardvark GPT-5 Agent that Detects and Fixes Vulnerabilities Automatically
OpenAI announced Aardvark, an AI agent utilizing GPT-5, designed to automatically detect and fix software vulnerabilities. Launched on October 29, 2025, Aardvark analyzes code repositories, identifies vulnerabilities in real-time, and validates them in a sandboxed environment. It has demonstrated a 92% detection rate for known flaws and has led to ten CVEs in open-source applications. Aardvark integrates with development tools, promoting proactive security while maintaining workflow efficiency. Private beta invitations are currently available.
2025-11-03 | CSO Online: OpenAI's Aardvark is meant to detect and fix errors in code
OpenAI has introduced Aardvark, an autonomous agent based on GPT-5 designed to scan, understand, and patch code like a human security researcher. Unlike traditional scanners that mechanically flag suspicious code, Aardvark analyzes the semantics and behavior of code using LLM-based reasoning. By integrating directly into the development pipeline, it aims to transform security from a post-development issue into a continuous protective measure that evolves with the software.
2025-11-03 | TechRadar: OpenAI wants your next security researcher to be a bot - new Aardvark tool finds and fixes software flaws automatically
OpenAI has launched Aardvark, an autonomous AI tool designed for scalable vulnerability detection and patching in software. Currently in private beta, Aardvark mimics human researchers by reading code, running tests, and proposing security fixes. In benchmark tests, it achieved a 92% success rate on known vulnerable repositories. OpenAI has been using Aardvark internally and with alpha partners, identifying significant vulnerabilities to enhance its security posture.
Risky Bulletin: Russia arrests Meduza Stealer group
Date: 2025-10-30 | Source: Risky.Biz
Russian authorities arrested three individuals linked to the Meduza infostealer, which targeted at least one government network in Astrakhan. The arrests occurred in the Moscow area, with the suspects facing up to five years in prison if convicted. Meduza, launched in June 2023, was marketed through a Malware-as-a-Service model on Telegram and was involved in multiple attacks against Russian organizations. Prior to the arrests, the group's Telegram channel disappeared, indicating potential exit scam concerns.
Risky Bulletin: Russia arrests Meduza Stealer group
2025-10-31 | Recorded Future: Three suspected developers of Meduza Stealer malware arrested in Russia
Russian police arrested three suspected developers of the Meduza Stealer malware, which is designed to steal login credentials and sensitive information. The arrests occurred in Moscow, with authorities seizing computers and other equipment. The malware has been linked to cyberattacks in Russia and Ukraine, including a campaign using a fake Telegram bot. This crackdown reflects a shift in Russia's approach to domestic cybercrime, moving from tolerance to active management of the hacking ecosystem.
2025-10-31 | The Register: Russia finally bites the cybercrooks it raised, arresting suspected Meduza infostealer devs
Russia's Interior Ministry arrested three suspects linked to the Meduza infostealer, a malware capable of stealing extensive data, including credentials and cryptocurrency information. The arrests occurred in Moscow, with devices and evidence seized. Meduza targets popular password managers and over 100 cryptocurrency wallets. The Ministry cited a recent attack in Astrakhan as related to the case. Analysts suggest a shift in Russia's approach to cybercrime, moving from tolerance to active management, influenced by political factors.
2025-10-31 | Hack Read: Russia Arrests Meduza Stealer Developers After Government Hack
On October 30, 2025, Russian law enforcement arrested three individuals in Moscow for developing and selling the Meduza Stealer, a C++-based Malware-as-a-Service operation active since mid-2023. The malware could steal sensitive data from over 100 browsers and wallets. The investigation was triggered by a breach of a Russian government organization. Police seized equipment during the raids, and the suspects face up to five years in prison. This marks a shift in Russia's approach to local cybercriminals.
CISA, NSA offer guidance to better protect Microsoft Exchange Servers
Date: 2025-10-30 | Source: Cyberscoop
Cybersecurity agencies, including CISA and NSA, released guidance to enhance defenses for on-premises Microsoft Exchange Servers, following an emergency directive for CVE-2025-53786. The recommendations include restricting administrative access, implementing multi-factor authentication, enforcing strict TLS configurations, and adopting zero-trust principles. Regular patching and migrating from end-of-life servers are emphasized to mitigate risks. Microsoft Exchange has been heavily targeted, appearing multiple times in CISA's exploited vulnerabilities catalog.
CISA, NSA offer guidance to better protect Microsoft Exchange Servers
2025-10-30 | Cybersecurity Dive: CISA, NSA unveil best-practices guide to address ongoing Exchange Server risks
CISA and NSA released a best-practices guide to mitigate security risks associated with on-premises Microsoft Exchange Servers, particularly those that are misconfigured or have reached end-of-life. This follows a warning about a high-severity vulnerability that could allow attackers to gain control of systems. The guide builds on CISA's emergency directive related to this vulnerability, with contributions from international partners including Australia and Canada.
2025-10-31 | The Hacker News: CISA and NSA Issue Urgent Guidance to Secure WSUS and Microsoft Exchange Servers
CISA and NSA issued guidance to secure Microsoft Exchange Servers against exploitation, emphasizing administrative access restrictions, multi-factor authentication, and zero trust principles. Organizations are urged to decommission end-of-life servers and maintain security updates. Additionally, CISA updated its alert on CVE-2025-59287, a WSUS vulnerability linked to remote code execution, advising organizations to apply security updates and monitor for suspicious activity. Exploitation has been detected across various sectors, highlighting urgent security needs.
2025-10-31 | Help Net Security: CISA and partners take action as Microsoft Exchange security risks mount
CISA and NSA have issued security best practices for organizations using on-premises Microsoft Exchange Server, highlighting risks as Microsoft ends support for Exchange 2016 and 2019. With 92% of Germany's 33,000 servers still vulnerable, CISA advises migrating to Exchange Server Subscription Edition or alternative solutions. Recommendations include restricting administrative access, implementing multifactor authentication, and isolating servers. CISA also suggests considering cloud-based email services for better security management.
2025-10-31 | CSO Online: Cyber agencies produce ‘long overdue’ best practices for securing Microsoft Exchange Server
Cyber agencies from the US, Australia, and Canada have released security best practices for Microsoft Exchange Server, addressing vulnerabilities in outdated installations. Germany's Office for Information Security reports that 90% of Exchange servers there are outdated. Additionally, Microsoft highlighted a high-severity vulnerability (CVE-2025-53786) affecting hybrid environments, allowing privilege escalation for threat actors with admin access. This advisory follows an earlier hot fix issued in April.
2025-11-03 | Infosecurity Magazine: CISA and NSA Outline Best Practices to Secure Exchange Servers
A new cybersecurity blueprint from CISA and NSA provides best practices for securing Microsoft Exchange Server environments. It emphasizes restricting admin access, enabling multi-factor authentication (MFA), enhancing encryption, and adopting zero-trust principles. The guidance highlights the importance of migrating from unsupported versions and maintaining software baselines. CISA officials stress ongoing collaboration to mitigate threats, urging organizations to adopt these practices to safeguard critical communication systems.
Diplomatic entities in Belgium and Hungary hacked in China-linked spy campaign
Date: 2025-10-30 | Source: Recorded Future
Hungarian and Belgian diplomatic entities were targeted in a cyber-espionage campaign attributed to the Chinese group UNC6384, discovered by Arctic Wolf Labs. The attacks, occurring in September and October, involved spearphishing emails related to EU and NATO events, leading to the deployment of PlugX malware exploiting a Windows vulnerability disclosed in March 2025. This campaign highlights a tactical evolution in espionage methods, enabling long-term access to sensitive information and monitoring of diplomatic activities.
Diplomatic entities in Belgium and Hungary hacked in China-linked spy campaign
2025-10-30 | The Register: Suspected Chinese snoops weaponize unpatched Windows flaw to spy on European diplomats
Cyber spies linked to China exploited an unpatched Windows shortcut vulnerability (CVE-2025-9491) to target European diplomats, aiming to steal defense and national security information. The campaign, attributed to UNC6384, involved phishing emails with weaponized LNK files that executed PlugX malware. Targeted countries included Belgium, Hungary, Italy, and the Netherlands during September and October 2025. The attack utilized DLL sideloading techniques to bypass security measures, leveraging a legitimate but expired Canon utility.
2025-10-31 | Infosecurity Magazine: Chinese-Linked Hackers Exploit Windows Flaw to Spy on Belgian and Hungarian Diplomats
Chinese-linked hackers, attributed to UNC6384 (Mustang Panda), targeted European diplomats in Hungary and Belgium through a cyber espionage campaign observed in September and October 2025. Exploiting the ZDI-CAN-25373 Windows vulnerability, attackers used spear phishing emails themed around diplomatic conferences to deliver malicious LNK files. This led to the deployment of the PlugX RAT, executing commands via PowerShell and extracting a malicious executable from a tar archive, while displaying decoy PDF documents.
2025-10-31 | The Hacker News: China-Linked Hackers Exploit Windows Shortcut Flaw to Target European Diplomats
A China-affiliated threat actor, UNC6384, has targeted European diplomats and government entities from September to October 2025 by exploiting an unpatched Windows shortcut vulnerability (CVE-2025-9491, CVSS 7.0). The attack involves spear-phishing emails leading to malicious LNK files that deploy PlugX malware via DLL side-loading. The malware offers extensive remote access capabilities and has shown signs of active development, with delivery mechanisms evolving to minimize forensic footprints.
2025-10-31 | Help Net Security: Unpatched Windows vulnerability continues to be exploited by APTs (CVE-2025-9491)
A Windows vulnerability (CVE-2025-9491, ZDI-CAN-25373) has been exploited by state-sponsored actors since 2017, targeting European diplomatic entities and Serbian aviation departments. During September and October 2025, UNC6384 used spearphishing emails to deliver malicious LNK files that execute PowerShell commands, leading to PlugX RAT deployment. Microsoft acknowledged the vulnerability but deemed it not critical for servicing, despite existing detections in Microsoft Defender. A fix is uncertain.
2025-10-31 | Ars Technica: Two Windows vulnerabilities, one a 0-day, are under active exploitation
Two Windows vulnerabilities are under active exploitation: a zero-day known since 2017 (ZDI-CAN-25373, now CVE-2025-9491) and a critical flaw Microsoft failed to patch. Trend Micro reported that 11 APT groups exploited the zero-day to deploy payloads in nearly 60 countries. Arctic Wolf noted a China-aligned group, UNC6384, using CVE-2025-9491 against European nations, deploying the PlugX remote access trojan while concealing the malware in an encrypted binary file.
2025-10-31 | CSO Online: Chinese hackers target Western diplomats using hard-to-patch Windows shortcut flaw
Chinese hackers, identified as UNC6384, have targeted European diplomats from Hungary, Belgium, Serbia, Italy, and The Netherlands using a longstanding Windows shortcut vulnerability. This campaign, uncovered by Arctic Wolf, involved spear phishing emails sent during September and October. Although the group appears newly categorized, it has been active since at least 2017 and previously targeted diplomats in Asia earlier in 2025.
2025-11-01 | Security Affairs: China-linked UNC6384 exploits Windows zero-day to spy on European diplomats
A China-linked APT group, UNC6384, is exploiting a Windows zero-day vulnerability (ZDI-CAN-25373) to conduct cyber espionage against European diplomats, particularly in Hungary and Belgium. The campaign, active since September 2025, utilizes phishing emails with malicious LNK files to deploy the PlugX RAT through DLL side-loading of legitimate Canon utilities. The attack chain involves multiple stages, including obfuscated PowerShell scripts and encrypted payloads, posing significant national security risks.
2025-11-03 | TechRadar: Chinese hackers target European diplomats with Windows zero-day flaw
Chinese hackers, identified as Mustang Panda (UNC6384), exploited the Windows zero-day vulnerability CVE-2025-9491 to target European diplomats through phishing emails containing malicious .LNK files. This flaw allows the deployment of the PlugX Remote Access Trojan (RAT), enabling persistent access and data exfiltration. The campaign has been linked to espionage efforts dating back to 2017, affecting diplomats in Hungary, Belgium, Serbia, Italy, and the Netherlands. The vulnerability has a severity score of 7.8/10.
Telco provider used by US government and others hit by nation-state hackers
Date: 2025-10-30 | Source: TechRadar
Ribbon Communications experienced a cyberattack, likely by a nation-state actor, targeting corporate files. The incident, discovered in early September 2025, involved unauthorized access to four older customer files from laptops. Affected clients, including smaller customers, have been notified. The company stated that the impact is non-material, and ongoing investigations are being conducted with third-party cybersecurity experts. Initial access may have occurred as early as December 2024.
Telco provider used by US government and others hit by nation-state hackers
2025-10-30 | Hack Read: Year-Long Nation-State Hack Hits US Telecom Ribbon Communications
Ribbon Communications, a US telecom firm, reported a year-long security breach by nation-state hackers, discovered in September 2025. The initial compromise likely occurred in December 2024. While no material information was accessed, four older customer files were compromised. The company is collaborating with federal law enforcement for investigation. This incident highlights the increasing trend of nation-state espionage targeting telecom firms, emphasizing the need for improved security measures in critical infrastructure.
2025-10-31 | Security Affairs: Suspected Chinese actors compromise U.S. Telecom firm Ribbon Communications
A suspected Chinese nation-state actor compromised U.S. telecom firm Ribbon Communications, with the intrusion likely dating back to December 2024 and discovered in September 2025. The attackers accessed customer files on two laptops, but no material information appears to have been exfiltrated. Ribbon initiated its incident response plan and is working with third-party cybersecurity experts. The incident has not materially affected the company's finances, though additional costs are anticipated.
2025-10-31 | TechCrunch: Government hackers breached telecom giant Ribbon for months before getting caught
U.S. telecommunications company Ribbon confirmed that government-backed hackers accessed its network for nearly a year, starting in December 2024. The breach was disclosed in a 10-Q filing with the SEC. Ribbon reported that several customer files on two laptops were accessed, but it remains unclear if personally identifiable information was exfiltrated. Three customers were affected, though not named. Ribbon has notified law enforcement and believes the hackers are no longer in its network.
Ukrainian National Extradited from Ireland in Connection with Conti Ransomware
Date: 2025-10-30 | Source: US Department of Justice
Oleksii Oleksiyovych Lytvynenko, a 43-year-old Ukrainian, was extradited from Ireland to Tennessee, facing charges for conspiracy to deploy Conti ransomware from 2020 to June 2022. He allegedly extorted over $500,000 in cryptocurrency from victims and was involved in attacks affecting over 1,000 entities globally. Lytvynenko faces up to 25 years in prison if convicted. The case is part of ongoing efforts by U.S. authorities to combat ransomware threats.
Ukrainian National Extradited from Ireland in Connection with Conti Ransomware
2025-10-31 | Hack Read: Ukrainian Conti Ransomware Suspect Extradited to US from Ireland
A Ukrainian national, Oleksii Oleksiyovych Lytvynenko, has been extradited from Ireland to the US to face charges related to the Conti ransomware group. Lytvynenko allegedly helped spread Conti ransomware globally from 2020 to 2022, impacting over a thousand victims and generating approximately $150 million in ransom. He faces charges of conspiracy to commit computer and wire fraud, with potential penalties of five and twenty years, respectively. His arrest is part of ongoing efforts to combat ransomware operations.
2025-10-31 | Recorded Future: Alleged Conti ransomware gang affiliate appears in Tennessee court after Ireland extradition
A Ukrainian national, Oleksii Oleksiyovych Lytvynenko, was extradited from Ireland to the U.S. and appeared in court on charges related to his role in the Conti ransomware gang. Indicted in 2023, he faces up to 25 years in prison for conspiracy to commit computer fraud and wire fraud. Lytvynenko allegedly extorted around $500,000 from victims in Tennessee and was involved in a scheme that extorted approximately $150 million globally. He was arrested in July 2023 and has been linked to multiple cybercrimes.
2025-10-31 | Cyberscoop: Ukrainian allegedly involved in Conti ransomware attacks faces up to 25 years in jail
Oleksii Lytvynenko, a 43-year-old Ukrainian, pleaded not guilty to cybercrime charges related to his involvement in the Conti ransomware group, facing up to 25 years in prison. Arrested in Ireland in July 2023, he was extradited to the U.S. where he remains in custody. Lytvynenko and his co-conspirators allegedly attacked over 1,000 victims globally, extorting more than $150 million. He is charged with computer fraud and wire fraud conspiracy, with evidence linking him to ongoing cyberattacks at the time of his arrest.
2025-11-02 | Security Affairs: Ukrainian extradited to US over Conti ransomware involvement
Ukrainian Oleksii Lytvynenko was extradited from Ireland to the US for his alleged role in Conti ransomware attacks, which extorted over $500K from US victims. He faces charges for deploying ransomware from 2020 to June 2022, managing stolen data, and participating in a conspiracy that defrauded victims globally of approximately $150 million. If convicted, he faces up to 25 years in prison. The case highlights US-Ireland cooperation in combating ransomware.
2025-11-03 | Infosecurity Magazine: Conti Suspect in Court After Extradition From Ireland
A Ukrainian man, Oleksii Oleksiyovych Lytvynenko, was extradited from Ireland and charged in the US with conspiracy to deploy the Conti ransomware. He allegedly extorted over $500,000 in cryptocurrency from victims between 2020 and July 2022. Conti has targeted over 1,000 corporate victims globally, causing losses of at least $150 million. Lytvynenko faces up to 25 years in prison if convicted. His arrest highlights international cooperation in combating cybercrime.
Russian Hackers Exploit Adaptix Pentesting Tool in Ransomware Attacks
Date: 2025-10-30 | Source: Hack Read
Russian-linked ransomware groups are exploiting the Adaptix penetration testing tool to deliver malware globally. Silent Push researchers discovered this while tracking the CountLoader malware, which was used in phishing campaigns posing as Ukrainian police emails. Adaptix, originally designed for legitimate security testing, is now favored by cybercriminals for its cross-platform capabilities. The misuse of such tools underscores the need for vigilance in monitoring open-source utilities. Silent Push's findings include indicators of compromise and technical insights.
Russian Hackers Exploit Adaptix Pentesting Tool in Ransomware Attacks
2025-10-30 | Infosecurity Magazine: Threat Actors Utilize AdaptixC2 for Malicious Payload Delivery
A surge in the use of AdaptixC2, an adversarial emulation framework, by cybercriminals for ransomware operations has been observed. Initially designed for penetration testing, it is now linked to CountLoader malware. The Akira ransomware group, which has breached over 250 organizations, is noted for using AdaptixC2. Silent Push researchers identified a developer, “RalfHacker,” associated with Russian-language promotion of the tool. Key indicators for detection include unusual network traffic and Golang-based communications.
2025-10-30 | Recorded Future: Open-source AdaptixC2 hacking tool has fans in Russian cybercrime underground
Researchers from Silent Push reported that the open-source hacking tool AdaptixC2 is being exploited by Russian cybercriminals in ransomware campaigns globally. Initially designed for penetration testing, it has been linked to the delivery of malicious payloads, including CountLoader malware. The tool's developer, known as "RalfHacker," promotes it on Telegram, raising concerns about its use in cybercrime. Silent Push first noted its abuse in August 2025, highlighting the risks of open-source tools in the criminal ecosystem.
2025-10-30 | The Hacker News: Russian Ransomware Gangs Weaponize Open-Source AdaptixC2 for Advanced Attacks
Russian ransomware gangs are increasingly using the open-source command-and-control framework AdaptixC2 for advanced attacks. Initially released in August 2024 by a user named "RalfHacker," AdaptixC2 features encrypted communications and remote terminal capabilities. It has been adopted by groups linked to Fog and Akira ransomware operations. Cybersecurity firm Silent Push raised concerns about RalfHacker's ties to Russian cybercriminals, noting their marketing activities on Telegram and the framework's malicious use.
Proton Claims 300 Million Records Compromised So Far This Year
Date: 2025-10-30 | Source: Infosecurity Magazine
Proton's new Data Breach Observatory reports over 300 million compromised records linked to 794 breaches in 2023, with small to medium-sized businesses (SMBs) being heavily targeted. Retail and wholesale sectors faced 25% of breaches, followed by technology (15%) and media (11%). Commonly stolen data includes email addresses (100%), names (90%), and passwords (49%). The service aims to raise awareness and provide early alerts to organizations about breaches, helping mitigate potential impacts.
Proton Claims 300 Million Records Compromised So Far This Year
2025-10-30 | TechRadar: SMBs most at risk of data breaches - billions of records compromised so far, here's how to stay safe
Proton's research reveals that 71% of data breaches in 2025 target firms with under 250 employees, with nearly 800 verified breaches exposing over 300 million records. Retail and wholesale sectors are most affected, comprising over 25% of incidents. Commonly compromised data includes email addresses (100%), names (90%), and phone numbers (72%), with passwords in 49% of breaches. The primary risk is identity theft. Continuous monitoring of accounts and using tools like Have I Been Pwned is recommended for protection.
2025-10-30 | The Register: Proton trains new service to expose corporate infosec cover-ups
Proton launched its Data Breach Observatory to expose unreported cyberattacks, aiming to enhance transparency in data breaches. The service will initially cover 2025 incidents, revealing 300 million records across 794 attacks, focusing on breaches affecting individual organizations. Notably, 49% of cases involved leaked passwords, and 34% contained sensitive government or healthcare data. Proton collaborates with Constella Intelligence to validate data from the dark web, ensuring responsible disclosure and aiding small to medium businesses in improving their security.
2025-10-31 | DIGIT: Dark Web Flooded With 300 Million Leaked Records in 2025
In 2025, over 300 million private records were leaked across 794 breaches, according to Proton's Data Breach Observatory. Major incidents included Qantas Airlines (11.8 million records) and SkilloVilla (33 million records). Nearly half of breaches contained passwords, while 34% included sensitive data. Retail was the hardest hit sector (25.3% of breaches), with small and medium-sized businesses targeted in 70.5% of cases. Proton emphasizes the importance of dark web monitoring to detect breaches.
Hacktivists breach Canada’s critical infrastructure, cyber Agency warns
Date: 2025-10-29 | Source: Security Affairs
Hacktivists have breached Canada's critical infrastructure, tampering with industrial controls at a water treatment facility, an oil and gas firm, and an agricultural facility, risking public safety. The Canadian Centre for Cyber Security issued an alert detailing incidents involving manipulated water pressure, false alarms in oil and gas operations, and unsafe conditions in grain silos. Recommendations include securing internet-accessible ICS devices, implementing VPNs, and conducting regular vulnerability management and tabletop exercises.
Hacktivists breach Canada’s critical infrastructure, cyber Agency warns
2025-10-30 | The Register: Cyberpunks mess with Canada's water, energy, and farm systems
Hacktivists have compromised Canadian critical infrastructure, manipulating industrial control systems (ICS) in municipal water facilities, oil and gas companies, and farm silos, potentially creating unsafe conditions. The Canadian Centre for Cyber Security and the RCMP issued a joint alert, emphasizing that these opportunistic intrusions exploit vulnerable ICS devices. Operators are urged to secure systems with VPNs and multi-factor authentication. Consequences so far include false alarms and service degradation, but risks of severe impacts remain.
2025-10-30 | Recorded Future: Hacktivists tampered with Canadian industrial systems, cyber agency warns
Canada's cyber authorities warn of increasing hacktivist attacks on industrial control systems (ICS), disrupting operations at utilities and small businesses. Recent incidents include altering water pressure at a utility, tampering with an oil and gas tank gauge, and changing conditions in a grain-drying silo. The Canadian Centre for Cyber Security highlights the risks posed by exposed ICS components and notes a global rise in similar activities, including claims by groups like CARR and CyberAv3ngers.
2025-10-30 | Cybersecurity Dive: Canadian authorities warn of hacktivists targeting exposed ICS devices
Canadian authorities warned that hacktivist groups have breached critical infrastructure, including water, energy, and agricultural sites, by manipulating exposed industrial control systems (ICS). Attacks involved tampering with pressure valves, automated tank gauges, and exploiting environmental controls. The Canadian Centre for Cyber Security advised securing ICS behind VPNs with multifactor authentication and urged security teams to inventory devices and conduct regular testing. Specific companies and locations were not disclosed.
2025-10-31 | TechRadar: Canadian government claims hacktivists are attacking water and energy facilities
The Canadian government has issued a security alert regarding hacktivist attacks on Industrial Control Systems (ICS), affecting water, oil, and agricultural infrastructure. Incidents include tampering with water pressure valves, manipulating an Automated Tank Gauge, and altering conditions in a grain drying silo. The report highlights vulnerabilities due to unclear roles and recommends implementing VPNs, two-factor authentication, threat detection, and regular penetration testing to secure ICS environments.
2025-11-03 | CSO Online: Hacktivists increasingly target industrial control systems, Canada Cyber Centre warns
Hacktivists are increasingly targeting industrial control systems (ICS), according to a warning from the Canadian Centre for Cyber Security. The alert highlights real-world attacks affecting a water facility, an oil and gas company, and a farm. One incident involved hackers accessing a water utility's control system and altering water pressure values, disrupting service. The Centre urges CISOs to secure internet-accessible ICS devices to prevent exploitation by threat groups seeking media attention and to protect Canada’s reputation.
This security hole can crash billions of Chromium browsers, and Google hasn't patched it yet
Date: 2025-10-29 | Source: The Register
A critical unpatched vulnerability in Chromium's Blink rendering engine allows attackers to crash Chromium-based browsers, affecting billions of users. Discovered by researcher Jose Pino, the exploit, named Brash, can cause denial-of-service conditions by saturating the main thread with rapid document.title updates. Tested on 11 browsers, it crashes most within 15 to 60 seconds. Pino disclosed the flaw to the Chromium team on August 28 but received no response. Affected browsers include Chrome, Edge, and Brave.
2025-10-30 | CSO Online: Chromium flaw crashes Chrome, Edge, Atlas: Researcher publishes exploit after Google’s silence
A vulnerability in Chromium's rendering engine can crash Chrome, Microsoft Edge, and seven other browsers if exploited. Security researcher Jose Pino published proof-of-concept code on October 29 after Google did not respond to his report submitted on August 28. This flaw potentially affects over three billion users, exploiting a design weakness in Blink, leading to browser crashes and system instability. The incident raises concerns about Google's vulnerability response process.
2025-10-30 | The Hacker News: New "Brash" Exploit Crashes Chromium Browsers Instantly with a Single Malicious URL
A severe vulnerability, codenamed "Brash," has been disclosed in Chromium's Blink rendering engine, allowing attackers to crash Chromium-based browsers by exploiting an architectural flaw in DOM operations. The attack can execute millions of document.title updates per second, leading to browser unresponsiveness. It can be triggered at specific times, functioning like a logic bomb. Affected browsers include Google Chrome, Microsoft Edge, and others, while Firefox and Safari are unaffected. Google has been contacted for a fix.
2025-10-30 | Security Affairs: Brash exploit can cause any Chromium browser to collapse in 15-60 seconds
A critical vulnerability named "Brash" in Chromium's Blink engine allows attackers to crash any Chromium-based browser within 15-60 seconds using a single malicious URL. The exploit floods browsers with rapid DOM updates, causing severe CPU spikes and system slowdowns. It affects over 3 billion users globally, impacting browsers like Chrome, Edge, and Opera. Firefox and Safari are immune. The flaw highlights a lack of rate limiting in the document.title API, posing significant risks to automated systems and economic stability.
What Happened With The Microsoft Azure Outage?
Date: 2025-10-29 | Source: DIGIT
Microsoft Azure is experiencing a widespread outage affecting services like Microsoft 365, Xbox, and NatWest, disrupting operations globally. The issue began around 4 PM due to Azure Front Door problems linked to DNS errors, which hindered service accessibility. Microsoft attributed the outage to an inadvertent configuration change and is rolling back to a functioning backup. The disruption has impacted various sectors, including banking and retail, with voting at the Scottish Parliament suspended due to the outage.
2025-10-29 | Times Now: Microsoft Azure Down: Server Outage Impacts Multiple Services Including 365, Teams, Store, Entra
On Wednesday, Microsoft Azure experienced a significant outage affecting over 11,500 users globally, disrupting services like Microsoft 365, Teams, Word, and Excel. Downdetector reported more than 20,000 complaints. Microsoft identified a recent configuration change in Azure as the likely cause and is implementing multiple remediation strategies, including halting the rollout of the change and rerouting traffic to restore services. The Azure status page indicated no active events during the outage.
2025-10-29 | Wired: The Microsoft Azure Outage Shows the Harsh Reality of Cloud Failures
Microsoft Azure experienced significant outages on Wednesday due to an inadvertent configuration change affecting its cloud services, including 365, Xbox, and Minecraft. The issues began around noon ET, coinciding with Microsoft's earnings announcement. Recovery efforts involved rolling back to a stable configuration, with full mitigation expected by 7:20 pm ET. This incident follows a recent outage at Amazon Web Services, highlighting vulnerabilities in cloud infrastructure and the risks of dependency on major providers.
2025-10-29 | Hack Read: Microsoft Outage Hits Azure, 365, Xbox, Minecraft and More
On October 29, 2025, Microsoft experienced a significant outage affecting Azure, Microsoft 365, Xbox, and Minecraft due to a misconfiguration in its cloud network. This caused DNS resolution failures and connectivity issues, impacting enterprise and consumer services. Affected organizations included Alaska Airlines and Vodafone. Microsoft has initiated a rollback to a stable configuration and reports some recovery, though full restoration may take hours. Users are advised to check official status pages for updates.
2025-10-30 | Times Now: Microsoft Outage: Why Azure, 365, Outlook And Other Services Went Down For Hours Worldwide
On October 29-30, 2023, Microsoft experienced a significant outage affecting Azure, Outlook, and Microsoft 365 due to a configuration error in Azure Front Door, lasting nearly eight hours. This caused widespread login issues and slow responses across services like Azure Active Directory B2C and Azure SQL Database. A software flaw allowed the faulty configuration to bypass safety checks. Microsoft is implementing new safeguards, including automated rollback systems and stricter monitoring, to prevent future incidents.
More than 10 million impacted by breach of government contractor Conduent
Date: 2025-10-29 | Source: Recorded Future
A cybersecurity incident at government contractor Conduent exposed the information of over 10 million individuals from October 21 to January 13. Affected states include Texas (400,000), Washington (76,000), South Carolina (48,000), New Hampshire (10,000), and Maine (378). The SafePay ransomware gang claimed responsibility, stealing 8.5 TB of data. Conduent reported spending $2 million on incident response and confirmed that the exfiltrated data has not been publicly released. Federal law enforcement is involved.
2025-10-30 | Malwarebytes Labs: Ransomware gang claims Conduent breach: what you should watch for next [updated]
On January 13, 2025, Conduent reported a data breach affecting over 400,000 individuals, primarily in Texas, with unauthorized access from October 21, 2024. The ransomware group SafePay claimed responsibility, exfiltrating 8.5 terabytes of data, including Social Security numbers and medical information. Conduent is notifying affected individuals and emphasizes the importance of cybersecurity. Victims are advised to change passwords, enable two-factor authentication, and be vigilant against phishing attempts.
2025-10-30 | TechRadar: Conduent admits its data breach may have affected around 10 million people
Conduent reported a data breach affecting approximately 10 million individuals, with sensitive health and identity information compromised. The attack, attributed to the SafePay ransomware group, occurred from October 21, 2024, to January 13, 2025. Affected states include Texas (400,000 individuals), Washington (76,000), South Carolina (48,000), and New Hampshire (10,000). Conduent has restored its systems and notified law enforcement. The attackers claimed to have stolen 8.5 TB of data.
2025-10-31 | Infosecurity Magazine: Conduent Data Breach Impacts Over 10.5 Million Individuals
A data breach at Conduent Business Services has impacted over 10.5 million individuals, with customer notices sent in October 2025. The breach, discovered on January 13, 2025, involved unauthorized access from October 21, 2024, for nearly three months. Affected data may include names, Social Security numbers, and medical information. The SafePay ransomware gang claimed responsibility, asserting they stole 8.5TB of data. This incident is ranked as the eighth largest healthcare data breach by the HIPAA Journal.
2025-11-03 | Security Affairs: Conduent January 2025 breach impacts 10M+ people
In January 2025, Conduent experienced a cyberattack that exposed personal data of over 10.5 million individuals, including names, addresses, Social Security numbers, and health information. The breach occurred between October 21, 2024, and January 13, 2025, causing service disruptions in multiple US states. Conduent has since restored operations, notified affected individuals, and is offering free identity protection. Recommendations include monitoring credit and placing fraud alerts.
EY exposes 4TB+ SQL database to open internet for who knows how long
Date: 2025-10-29 | Source: The Register
A 4TB SQL Server backup file belonging to EY was found exposed on the internet due to a cloud bucket misconfiguration, leaking sensitive data including API keys and user credentials. The unencrypted BAK file was accessible for an unknown duration. Neo Security highlighted the ease of such exposures with modern cloud tools, emphasizing the need for caution. EY's incident response was deemed professional and effective, leading to remediation within a week.
2025-10-30 | TechRadar: EY reportedly leaked a massive 4TB database online - exposing company secrets online for all to see
Ernst & Young (EY) exposed a 4TB SQL backup online, containing sensitive credentials and application secrets. Neo Security alerted EY, suspecting that threat actors may have accessed the data. EY's response was praised as "Textbook perfect," though it took a week to fully remediate the issue. The exposed backup could have led to significant breaches, as it contained critical information like API keys and user credentials.
2025-10-31 | Security Affairs: EY Exposes 4TB SQL Server Backup Publicly on Microsoft Azure
A 4TB SQL Server backup file from Ernst & Young (EY) was found publicly accessible on Microsoft Azure, discovered by Neo Security during a routine scan. The unencrypted backup likely contained sensitive data. After identifying the file's ownership through merger documents and DNS lookups, Neo Security responsibly disclosed the exposure to EY, which confirmed no client data was affected. The incident underscores the need for continuous cloud visibility and leak detection tools to prevent such exposures.
2025-11-02 | Cyber Security News: Cybersecurity News Weekly Newsletter – EY Data Leak, Bind 9, Chrome Vulnerability, and Aardvark ChatGPT Agent
EY Data Leak: A 4TB SQL Server backup file from Ernst & Young was found publicly accessible on Microsoft Azure, containing database dumps and embedded credentials. Discovered by Neo Security, the unencrypted file was linked to an acquired Italian entity. EY quickly remediated the issue, confirming no client data was impacted. This incident highlights the importance of continuous cloud asset mapping to prevent unauthorized access.
Npm Malware Uses Invisible Dependencies to Infect Dozens of Packages
Date: 2025-10-29 | Source: Infosecurity Magazine
An npm credential harvesting campaign, identified as PhantomRaven, has been active since August 2025, infecting 126 packages with 20,000 downloads. Researchers from Koi Security reported on October 29 that at least 80 infected packages remained active. The malware uses Remote Dynamic Dependencies to hide malicious code in externally hosted packages, bypassing npm's security scans. This technique allows attackers to serve tailored payloads, evading detection while targeting specific victims.
2025-10-29 | Ars Technica: NPM flooded with malicious packages downloaded more than 86,000 times
Attackers have exploited a vulnerability in the NPM code repository, introducing over 126 malicious packages, collectively downloaded more than 86,000 times since August. The campaign, tracked as PhantomRaven, takes advantage of NPM's Remote Dynamic Dependencies (RDD), allowing packages to pull unvetted code from untrusted domains. This method circumvents traditional security measures, as these dependencies are not visible to developers or static analysis tools, posing significant security risks.
2025-10-30 | The Hacker News: PhantomRaven Malware Found in 126 npm Packages Stealing GitHub Tokens From Devs
Cybersecurity researchers from Koi Security have identified the PhantomRaven malware campaign, which has compromised 126 npm packages since August 2025, stealing GitHub tokens and CI/CD secrets. The malicious packages, which have over 86,000 installs, hide harmful code in dependencies fetched from an attacker-controlled URL, bypassing security scanners. The malware collects sensitive information from developers' environments and exfiltrates it to a remote server, exploiting slopsquatting and lifecycle scripts for stealth.
2025-10-30 | The Register: Invisible npm malware pulls a disappearing act – then nicks your tokens
A supply chain attack named PhantomRaven has compromised the npm registry with 126 malicious packages that steal credentials and tokens during installation. Active since August 2025, these packages initially appear benign, using a technique called Remote Dynamic Dependencies (RDD) to fetch malicious code from remote servers post-installation. Over 86,000 downloads occurred before exposure, with stolen data including npm tokens and cloud credentials. The attack highlights vulnerabilities in software supply chain defenses.
2025-10-31 | CSO Online: Malicious packages in npm evade dependency detection through invisible URL links: Report
Threat actors are using invisible links in npm packages to bypass detection in software supply chain attacks. Researchers from Koi Security reported that since August, 126 packages in Microsoft's npm repository have been contaminated, with over 86,000 installs. The malicious packages do not contain detectable code; instead, they link to a URL that retrieves harmful code upon installation by developers. The campaign is ongoing, highlighting the evolving tactics in open source vulnerabilities.
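An added example (not Koi Security's tooling or npm's own code) showing how a defender can surface the kind of dependency the reports above describe: it scans a package.json for specifiers that resolve to a URL, git host or local path instead of the registry, and lists any lifecycle script that runs automatically at install time. The sample package.json and the host names in it are constructed for this example.

```python
"""Flag npm dependency specifiers that are fetched from outside the registry.

npm accepts an http(s) tarball URL, a git URL, a hosted-git shorthand or a
local path in place of a semver range. Such dependencies are resolved at
install time and never appear in the registry listing a scanner inspects,
which is what makes them "invisible". This script walks every dependency
field and reports those specifiers, plus install-time lifecycle scripts.
"""
import json
import re
from urllib.parse import urlparse

DEP_FIELDS = ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies")
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")  # run on `npm install`
GIT_PREFIXES = ("git+", "git:", "ssh:")
HOSTED_SHORTHAND = re.compile(r"^(github|gitlab|bitbucket|gist):", re.I)
BARE_GITHUB = re.compile(r"^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(#\S*)?$")  # owner/repo[#ref]


def classify(spec):
    """Return None for a registry specifier, otherwise a short reason it is not one."""
    s = str(spec).strip()
    low = s.lower()
    if low.startswith(("http://", "https://")):
        return "tarball fetched from %s" % urlparse(s).hostname
    if low.startswith(GIT_PREFIXES):
        return "git URL"
    if HOSTED_SHORTHAND.match(s):
        return "hosted git shorthand"
    if low.startswith("file:"):
        return "local path"
    if BARE_GITHUB.match(s):
        return "bare GitHub shorthand (owner/repo)"
    return None  # semver range, dist-tag or npm: alias, all served by the registry


def find_remote_dependencies(pkg):
    """Collect every dependency whose specifier bypasses the registry."""
    findings = []
    for field in DEP_FIELDS:
        for name, spec in (pkg.get(field) or {}).items():
            reason = classify(spec)
            if reason:
                findings.append({"field": field, "name": name, "spec": spec, "reason": reason})
    return findings


def find_install_hooks(pkg):
    """Lifecycle scripts that execute without user interaction during install."""
    scripts = pkg.get("scripts") or {}
    return {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}


def scan_package_json(text):
    """Parse a package.json document and return both kinds of findings."""
    pkg = json.loads(text)
    return {
        "name": pkg.get("name"),
        "remote_dependencies": find_remote_dependencies(pkg),
        "install_hooks": find_install_hooks(pkg),
    }


# Constructed sample manifest; the package names and hosts are invented.
SAMPLE_PACKAGE_JSON = """{
  "name": "demo-app",
  "version": "1.0.0",
  "dependencies": {
    "express": "^4.18.2",
    "string-helper-lib": "http://packages.example.invalid/string-helper-lib.tgz",
    "ui-widgets": "github:exampleorg/ui-widgets#main",
    "lodash-alias": "npm:lodash@^4.17.21"
  },
  "devDependencies": {
    "local-tooling": "file:../tooling",
    "eslint": "~8.57.0"
  },
  "scripts": {
    "preinstall": "node scripts/setup.js",
    "test": "jest"
  }
}"""

if __name__ == "__main__":
    report = scan_package_json(SAMPLE_PACKAGE_JSON)
    for f in report["remote_dependencies"]:
        print("[%s] %s -> %s  (%s)" % (f["field"], f["name"], f["spec"], f["reason"]))
    for hook, cmd in report["install_hooks"].items():
        print("install-time script %s: %s" % (hook, cmd))
```

Running it against a real project's package.json (and its lock file, which records the resolved URL for each package) gives an inventory of the dependencies a registry-only scan would miss.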
Former General Manager for U.S. Defense Contractor Pleads Guilty to Selling Stolen Trade Secrets to Russian Broker
Date: 2025-10-29 | Source: US Department of Justice
Peter Williams, 39, pleaded guilty to selling stolen trade secrets from a U.S. defense contractor to a Russian cyber-tools broker. The stolen materials included eight sensitive cyber-exploit components intended for U.S. government use, causing over $35 million in losses. Williams used his access to the contractor's secure network from 2022 to 2025, selling the secrets for cryptocurrency. Each count carries a maximum of 10 years in prison. The case was investigated by the FBI and prosecuted by U.S. Attorneys in D.C.
2025-10-29 | Wired: Ex-L3Harris Cyber Boss Pleads Guilty to Selling Trade Secrets to Russian Firm
Peter Williams, a former executive at L3Harris Trenchant, pleaded guilty to selling trade secrets worth at least $1.3 million to a Russian buyer. He faces 87 to 108 months in prison and $300,000 in fines. Williams, who worked at Trenchant for less than a year, was accused of stealing seven trade secrets from two unnamed companies between April 2022 and June 2025. He will be sentenced early next year and is currently under house arrest with electronic monitoring.
2025-10-29 | TechCrunch: Former L3Harris Trenchant boss pleads guilty to selling zero-day exploits to Russian broker
Peter Williams, former general manager at L3Harris's Trenchant division, pleaded guilty to selling zero-day exploits to a Russian broker, causing over $35 million in losses. The stolen material included eight sensitive cyber-exploit components intended for U.S. government use. Williams, who faces up to 20 years in prison, received $1.3 million for the sale. He is currently under house arrest, with sentencing scheduled for January 2026. The case highlights significant national security risks associated with insider threats.
2025-10-29 | Cyberscoop: Ex-L3Harris exec pleads guilty to selling zero-day exploits to Russian broker
Peter Williams, a former L3Harris executive, pleaded guilty to two counts of theft of trade secrets for selling eight zero-day exploits to a Russian broker, identified as Operation Zero. The exploits, intended for U.S. government use, were sold for millions in cryptocurrency. The Justice Department estimates the theft caused $35 million in losses. Williams faces a potential sentence of 87 to 108 months in prison, with sentencing scheduled for January.
2025-10-29 | Recorded Future: Former Trenchant exec pleads guilty to selling cyber exploits to Russian broker
Peter Williams, a former executive at L3Harris, pleaded guilty to selling spyware exploits to a Russian broker, which advertises itself as a reseller of cyber exploits. He stole trade secrets over three years (2022-2025), including eight sensitive cyber-exploit components meant for U.S. government use. Each of the two counts carries a maximum of 10 years in prison. His actions cost L3Harris $35 million and potentially armed foreign cyber actors with sophisticated exploits.
2025-10-30 | Risky.Biz: Peter Williams, Ex-ASD, Pleads Guilty to Selling Eight Exploits to Russia
Peter Williams, former general manager of L3Harris Trenchant, pleaded guilty to selling eight cyber-exploit components to Russian broker Operation Zero, netting $1.3 million over three years. Williams, previously with Australia's ASD, was in charge of a leak investigation at Trenchant when he fired a researcher allegedly involved in leaking Google Chrome exploits. The incident raises concerns about exploit leaks from commercial vendors and the need for robust personnel security in the private sector.
2025-10-30 | Infosecurity Magazine: Defense Contractor Boss Pleads Guilty to Selling Zero-Day Exploits to Russia
Peter Williams, former general manager at L3Harris cyber-division Trenchant, pleaded guilty to selling zero-day exploits to a Russian cyber broker. He stole at least eight cyber-exploit components, receiving millions in cryptocurrency. The Justice Department views this as a national security threat, given the broker's ties to the Kremlin. Williams faces up to 20 years in prison and a fine of up to $250,000. The case highlights concerns over the trade in commercial spyware and zero-day exploits.
2025-10-30 | Security Affairs: Ex-Defense contractor exec pleads guilty to selling cyber exploits to Russia
Former US defense contractor executive Peter Williams pled guilty to stealing and selling U.S. defense trade secrets, including sensitive cyber exploits, to a Russian broker. Over three years, he sold components valued at $35 million, aiding Russian cyber actors. Williams, associated with Trenchant (L3Harris), faces up to 10 years in prison per charge. The FBI is seeking forfeiture of his assets, including $1.3 million in cryptocurrency. The investigation was led by the FBI Baltimore Field Office.
New Android malware mimics human typing to evade detection, steal money
Date: 2025-10-28 | Source: Recorded Future
Researchers have identified a new Android banking malware named Herodotus, developed by a hacker known as K1R0. It mimics human typing to evade detection while stealing money from banking apps. Active campaigns have been observed in Italy and Brazil, where it disguises itself as legitimate apps. Herodotus uses fake overlays and intercepts SMS for one-time passcodes. Its human-like behavior complicates fraud detection, necessitating enhanced security measures for banks and payment providers.
2025-10-28 | The Hacker News: New Android Trojan 'Herodotus' Outsmarts Anti-Fraud Systems by Typing Like a Human
A new Android banking trojan named Herodotus has been identified, targeting users in Italy and Brazil for device takeover attacks. First advertised on September 7, 2025, it mimics human behavior to evade anti-fraud systems. Herodotus uses accessibility services to conduct credential theft and can intercept SMS 2FA codes. It introduces random delays in text input to avoid detection. The malware is distributed via dropper apps posing as Google Chrome and is under active development, expanding its targeting to financial organizations globally.
2025-10-29 | Security Affairs: Herodotus Android malware mimics human typing to evade detection
Herodotus is a new Android banking Trojan identified by Threat Fabric, which mimics human typing with random delays to evade detection. It allows operators to take over devices, bypassing behavioral biometrics. Active campaigns have been observed in Italy and Brazil, using SMiShing for distribution. The malware employs overlays to capture credentials and supports full device takeover. It operates via the MQTT protocol and is marketed as malware-as-a-service. Herodotus is in active development, indicating a growing threat landscape.
2025-10-29 | TechRadar: Talk about geriatric - This devious Android malware escapes detection by typing like an old person
Herodotus is a new Android malware that evades detection by mimicking human typing patterns, generating random delays between inputs. Discovered by Threat Fabric, it spreads via SMS phishing, installing silently by bypassing permissions. Currently offered as malware-as-a-service, it has already infected users in Italy and Brazil. Researchers recommend Android users download apps only from reputable sources, activate Play Protect, and revoke risky permissions for new apps.
Panic as breached details of 183m accounts, including Gmail, emerge
Date: 2025-10-28 | Source: The Age
A recent data breach involving 183 million accounts has caused concern, though not all are Gmail accounts. The data, totaling 2.6 terabytes, includes credentials from malware logs and credential stuffing lists. Analysis shows 92% of a sample had been previously exposed. Users are advised to check their emails on Have I Been Pwned, change passwords if compromised, and enable multi-factor authentication. The breach highlights the importance of unique, strong passwords and the use of passkeys for enhanced security.
2025-10-28 | The Register: Google says reports of a Gmail breach have been greatly exaggerated
Google has dismissed reports of a massive Gmail breach affecting over 183 million accounts as false. The confusion arose from the addition of old, recycled credentials to the Have I Been Pwned service, which reflects years of infostealer activity rather than a new compromise. Google emphasized that its defenses are robust and that it actively monitors for stolen credentials, advising users to enable two-step verification and update passwords as necessary.
2025-10-28 | Times Now: Google Reassures Users After Gmail Breach Reports, Denies Data Leak And Urges Users To Stay Secure
Google has denied reports of a significant Gmail security breach, clarifying that claims of leaked passwords are based on old data from past credential thefts, not a new incident. The confusion arose from a 3.5-terabyte database containing 183 million email credentials, reported by cybersecurity researcher Troy Hunt. Google reassured users of Gmail's security and recommended practices such as checking for past breaches, changing passwords regularly, and enabling two-step verification for enhanced protection.
2025-10-28 | TechRadar: No, Gmail has not suffered a massive 183 million passwords breach - but you should still look after your data
Gmail has denied claims of a massive breach affecting 183 million passwords, stating that the figure is derived from previously compromised credentials. Google emphasized that its defenses remain strong and that the reports stem from misunderstandings of infostealer databases. Troy Hunt, creator of HaveIBeenPwned, noted that 91% of the credentials were previously known, but 16.4 million were new, potentially exposing users. Users are advised to monitor accounts for suspicious activity and consider identity theft protection.
2025-10-29 | Malwarebytes Labs: Gmail breach panic? It’s a misunderstanding, not a hack
A misunderstanding of a security researcher's comments led to false reports of a major Gmail breach, prompting Google to clarify that no breach occurred. The confusion arose from the circulation of old Gmail credentials on the dark web, stemming from various past data breaches. Cybercriminals often trade these outdated credentials, which can cause unnecessary panic. Users are advised to check for breaches, change passwords, and enable multi-factor authentication for security.