Welcome to your biweekly digest of curated cybersecurity intelligence.

Every two weeks, we bring you expert insights and handpicked articles covering the latest threats, threat actor activity, vulnerabilities, incident trends, and defensive strategies. Whether you’re on the front lines or shaping your organization’s security posture, Security Signals delivers the information you need to stay informed and ready.

For more articles, check out our #onpatrol4malware blog.

Turn Insights Into Action with Free Threat Intel

Security Signals gives you the insights, and our Risk Indicators OSINT feeds help you apply them.

This Edition’s Articles

The latest November 2025 cyber threat reports reveal a surge in high-impact activity across the global threat landscape, from major ransomware developments like LockBit 5.0 and VanHelsing to new espionage operations linked to Lazarus, APT42, and multiple Iran-aligned groups. This roundup also covers expanding phishing campaigns, advanced Android and Windows malware families, supply-chain intrusions, and the growing use of AI tools in both attack and defense. 

Dissecting the Infection Chain: Technical Analysis of the Kimsuky JavaScript Dropper

Source: Pulsedive Threat Research
(Published: 5 November 2025)
This blog analyzes a Kimsuky JavaScript dropper sample, detailing how it retrieves additional stages and the network traffic observed across the full infection chain. Read more.


Update on Attacks by Threat Group APT-C-60

Source: JPCERT/CC Eyes
(Published: 5 November 2025)
JPCERT/CC provides an update on recent attacks linked to APT-C-60, summarizing new intrusion methods, infrastructure, and targeting patterns observed in Japan and abroad. Read more.


Herodotus: a banking trojan that exposes the limits of an antivirus

Source: Pradeo
(Published: 6 November 2025)
Pradeo describes Herodotus, a new Android banking trojan offered as Malware as a Service that masquerades as a legitimate app, gains sensitive permissions, and performs fraudulent banking operations on behalf of victims. Read more.


Phishing Campaigns “I Paid Twice” Targeting Booking.com Hotels and Customers

Source: Sekoia.io
(Published: 6 November 2025)
Sekoia.io analysts detail a phishing campaign abusing compromised Booking.com accounts and messaging apps to trick hotel staff and guests, ultimately delivering malware and running banking fraud schemes. Read more.


Slot Gacor: The Rise of Online Casino Spam

Source: Sucuri Security
(Published: 7 November 2025)
Sucuri explains how online casino spam has become one of the most prevalent SEO spam threats, with attackers hacking websites to inject hidden backlinks that promote gambling portals. Read more.


Threat actor usage of AI tools

Source: Google Threat Intelligence Group
(Published: 7 November 2025)
Google Threat Intelligence Group examines how threat actors are adopting AI tools across the attack lifecycle, from crafting phishing content to supporting malware development and operational workflows. Read more.


Distribution of Backdoor Malware with Legitimate Signature, Disguised as Steam Cleanup Tool

Source: AhnLab ASEC
(Published: 10 November 2025)
ASEC reports multiple cases of malware posing as the SteamCleaner utility, installing a malicious Node.js script that periodically contacts C2 servers to execute commands on infected systems. Read more.


New Phishing Campaign Exploits Meta Business Suite to Target SMBs Across the U.S. and Beyond

Source: Check Point Software
(Published: 10 November 2025)
Check Point Harmony Email Security researchers uncover a large-scale phishing campaign abusing Meta Business Suite and facebookmail.com to send convincing notifications that steal credentials from small and mid-sized businesses. Read more.


Analysis of Encryption Structure of Yurei Ransomware Go-based Builder

Source: AhnLab ASEC
(Published: 11 November 2025)
ASEC analyzes the Go-based Yurei ransomware builder, detailing its ChaCha20-Poly1305 file encryption, ECIES key protection, and targeting of organizations across several industries in Sri Lanka and Nigeria. Read more.


Amazon discovers APT exploiting Cisco and Citrix zero-days

Source: AWS Security Blog
(Published: 12 November 2025)
Amazon threat intelligence teams describe an advanced actor exploiting zero-day vulnerabilities in Cisco Identity Services Engine and Citrix systems, deploying custom web shells and targeting critical identity infrastructure. Read more.


Contagious Interview Actors Now Utilize JSON Storage Services for Malware Delivery

Source: NVISO Labs
(Published: 13 November 2025)
NVISO reports that the Contagious Interview campaign now abuses legitimate JSON storage services to host obfuscated payloads delivered through trojanized code projects used in fake job interviews. Read more.


Arsenal Analysis of a Nation-State Actor: An In-Depth Look at Lazarus ScoringMathTea

Source: 0x0d4y Malware Research
(Published: 13 November 2025)
This post builds on prior ESET research into Operation Dream Magic to analyze the Lazarus ScoringMathTea toolset, focusing on its capabilities, infrastructure, and links to earlier campaigns. Read more.


Curly COMrades: Evasion and Persistence via Hidden Hyper-V Virtual Machines

Source: Bitdefender
(Published: 4 November 2025)
The investigation revealed that the attackers relied on a combination of custom malware and stealth techniques to establish and maintain persistence within the victim environment. Read more.


Cloudflare Scrubs Aisuru Botnet from Top Domains List

Source: KrebsOnSecurity
(Published: 5 November 2025)
For the past week, domains associated with the massive Aisuru botnet have repeatedly usurped Amazon, Apple, Google and Microsoft in Cloudflare’s public ranking of the most frequently requested websites. Read more.


New Kimsuky Malware ‘EndClient RAT’: First Technical Report and IOCs

Source: 0x0v1
(Published: 5 November 2025)
The MSI bundle, after installing the banking software and displaying the bogus VBS script mentioned above, starts by creating a BAT script which copies the AutoIt3.exe binary and the Au3 script which is heavily obfuscated. Read more.


LockBit 5.0 Analysis: Technical Deep Dive into the RaaS Giant’s Latest Upgrade

Source: Flashpoint
(Published: 6 November 2025)
LockBit 5.0, introduced in late September 2025, is the latest evolution of this dominant ransomware-as-a-service group, bringing new anti-analysis features and more flexible encryption options. Read more.


MUT-4831: Trojanized npm packages deliver Vidar infostealer malware

Source: Datadog Security Labs
(Published: 6 November 2025)
In two bursts, over the periods of October 21-22 and 26, the researchers observed a total of 23 releases of 17 distinct packages containing these and similar indicators. Read more.


Critical Cisco UCCX flaw lets hackers run commands as root

Source: BleepingComputer
(Published: 6 November 2025)
A critical security flaw in Cisco’s Unified Contact Center Express platform allows attackers to run commands as root on vulnerable systems. Read more.


LANDFALL: New Commercial-Grade Android Spyware in Exploit Chain Targeting Samsung Devices

Source: Unit 42 by Palo Alto Networks
(Published: 7 November 2025)
Unit 42 researchers have identified a new commercial-grade Android spyware family dubbed LANDFALL that is delivered through an exploit chain targeting Samsung devices. Read more.


DarkComet Spyware Resurfaces Disguised as Fake Bitcoin Wallet

Source: HackRead
(Published: 12 November 2025)
Old DarkComet RAT spyware is back, hiding inside fake Bitcoin wallets and trading apps to steal credentials via keylogging. Read more.


Malicious Chrome Extension Exfiltrates Seed Phrases, Enabling Crypto Theft

Source: Socket
(Published: 12 November 2025)
A malicious Chrome extension posing as an Ethereum wallet steals seed phrases by encoding them into Sui transactions, enabling full wallet takeover. Read more.


The COM: Anatomy of an English-Speaking Cybercriminal Ecosystem and the Origins of Scattered Lapsus Hunters

Source: CloudSEK
(Published: 12 November 2025)
Over the past decade, the English-speaking cybercriminal ecosystem commonly referred to as “The COM” has undergone a profound transformation. Read more.


Critical FortiWeb flaw under attack, allowing complete compromise

Source: Security Affairs
(Published: 14 November 2025)
A Fortinet FortiWeb auth-bypass flaw is being actively exploited, allowing attackers to hijack admin accounts and fully compromise devices. Read more.


Iranian Hackers Launch ‘SpearSpecter’ Spy Operation on Defense and Government Targets

Source: The Hacker News
(Published: 14 November 2025)
The Iranian state-sponsored threat actor known as APT42 has been observed targeting government and defense organizations with a new espionage campaign codenamed SpearSpecter. Read more.


DDoSia Targets Denmark: A Clear Look at the Threat

Source: SOCRadar
(Published: 17 November 2025)
Between November 4 and November 13, 2025, Denmark was included in a focused campaign by pro-Russian hacktivist groups. Read more.


IndonesianFoods Spam Campaign: What Security Teams Need To Know

Source: SOCRadar
(Published: 17 November 2025)
A large-scale campaign known as IndonesianFoods has recently gained attention for its unusual impact on the npm ecosystem. Read more.


Tracking a Dragon: Investigating a DragonForce-affiliated ransomware attack with Darktrace

Source: Darktrace
(Published: 5 November 2025)
Darktrace investigates a DragonForce-affiliated ransomware attack targeting the manufacturing sector, tracing the intrusion from initial access through to ransomware deployment. Read more.


Gootloader Threat Detection: WOFF2 Obfuscation and Evasion Tactics

Source: Huntress
(Published: 5 November 2025)
Gootloader is a sophisticated JavaScript-based malware loader that threat actors commonly use to gain initial access. Read more.


GlassWorm Returns: New Wave Strikes as We Expose Attacker Infrastructure

Source: Koi Security
(Published: 6 November 2025)
Almost three weeks ago, we disclosed GlassWorm, the first self-propagating worm targeting VS Code extensions using invisible Unicode characters, and now we are seeing a new wave of infections linked to the same attacker infrastructure. Read more.


Lazarus Group targets Aerospace and Defense with new Comebacker variant

Source: Enki
(Published: 7 November 2025)
Enki researchers detail a new Comebacker malware variant deployed by the Lazarus Group against aerospace and defense organizations, expanding the threat actor’s long-running espionage toolkit. Read more.


Maverick and Coyote: Analyzing the link between two evolving Brazilian banking trojans

Source: CyberProof
(Published: 10 November 2025)
The CyberProof SOC Team has observed overlapping infrastructure and tooling connecting the Brazilian banking trojans Maverick and Coyote, suggesting a shared developer or tightly coordinated operators. Read more.


Dissecting ValleyRAT: From loader to RAT execution in targeted campaigns

Source: Picus Security
(Published: 11 November 2025)
Picus researchers analyze ValleyRAT’s loader, staging chain, and command-and-control behavior observed in recent targeted attacks against organizations in East Asia. Read more.


Initial Access Brokers (IAB) in 2025: From dark web listings to supply chain ransomware events

Source: Darknet.org.uk
(Published: 12 November 2025)
Initial Access Brokers are specialist cybercriminals who sell or rent compromised footholds in corporate networks, enabling ransomware gangs and other actors to launch disruptive attacks with minimal effort. Read more.


Thousands of domains target hotel guests in massive phishing campaign

Source: Netcraft
(Published: 12 November 2025)
Netcraft has identified thousands of lookalike domains impersonating hotel brands and booking platforms to lure guests into phishing pages that steal credentials and payment information. Read more.


DigitStealer: a JXA-based infostealer that leaves little footprint

Source: Jamf
(Published: 13 November 2025)
Jamf Threat Labs dissects the new DigitStealer malware, a sophisticated macOS infostealer that uses advanced hardware checks and multi-stage attacks to evade detection and steal sensitive data. Read more.


Uncovering a Multi-Stage Phishing Kit Targeting Italy’s Infrastructure

Source: Group-IB
(Published: 13 November 2025)
Group-IB researchers uncovered a professional phishing framework that mimics trusted brands with remarkable precision, using layered evasion, CAPTCHA filtering, and Telegram-based data exfiltration to harvest credentials and bypass automated detection. Read more.


Unmasking Vo1d: Inside Darktrace’s botnet detection

Source: Darktrace
(Published: 14 November 2025)
Earlier this year, Darktrace investigated the Vo1d malware campaign, tracing its activity from DGA-based DNS beaconing to major cloud infrastructure and ultimately to its C2 server communications. Read more.


Pig Butchering Scams: Cybercrime Threat Intelligence

Source: Cyfirma
(Published: 15 November 2025)
Pig butchering scams, also known as romance or cryptocurrency investment scams, are long-term social engineering schemes in which attackers build trust before defrauding victims of large sums of money. Read more.


RONINGLOADER: DragonBreath’s new path to PPL abuse

Source: Elastic Security Labs
(Published: 15 November 2025)
This campaign primarily targets Chinese-speaking users and demonstrates a clear evolution in adaptability compared to earlier DragonBreath-related campaigns documented in 2022-2023. Read more.


100,000 WordPress Sites Affected by Privilege Escalation Vulnerability in AI Engine WordPress Plugin

Source: Wordfence
(Published: 4 November 2025)
On October 4th, 2025, we received a submission for a Sensitive Information Exposure vulnerability in AI Engine, a WordPress plugin with more than 100,000 active installations. Read more.


Crossed wires: a case study of Iranian espionage and attribution

Source: Proofpoint
(Published: 5 November 2025)
This analysis examines a newly identified threat actor dubbed UNK_SmudgedSerpent that targeted academics and foreign policy experts between June and August 2025. Read more.


Private data at risk due to seven ChatGPT vulnerabilities

Source: Tenable
(Published: 5 November 2025)
Tenable Research has identified seven vulnerabilities in ChatGPT that could enable an attacker to exfiltrate private information from users’ memories and chat history. Read more.


UNC6384’s 2025 PlugX Campaign Explained

Source: Picus Security
(Published: 6 November 2025)
In March 2025, UNC6384 ran a targeted espionage campaign against diplomatic and related organizations, employing a multi-stage, highly evasive delivery chain that culminated in the in-memory deployment of the SOGU.SEC/PlugX backdoor. Read more.


Fantasy Hub: Another Russian Based RAT as M-a-a-S

Source: Zimperium
(Published: 6 November 2025)
zLabs identified “Fantasy Hub,” an Android Remote Access Trojan sold on Russian-language channels under a Malware-as-a-Service (MaaS) subscription. Read more.


The Cat’s Out of the Bag: A ‘Meow Attack’ Data Corruption Campaign Simulation via MAD-CAT

Source: Trustwave SpiderLabs
(Published: 7 November 2025)
In 2024, I published Feline Hackers Among Us? (A Deep Dive and Simulation of the Meow Attack), which explored the notorious Meow attack campaign that had plagued unsecured databases since 2020. Read more.


Multi-Platform VanHelsing Ransomware (RaaS) Analysis

Source: Picus Security
(Published: 8 November 2025)
A new and rapidly expanding ransomware operation, dubbed VanHelsing, has emerged on the cybercrime scene. Read more.


Ferocious Kitten APT Exposed: Inside the Iran-Focused Espionage Campaign

Source: Picus Security
(Published: 10 November 2025)
Ferocious Kitten is a covert cyber-espionage actor active since at least 2015 that has focused on Persian-speaking targets inside Iran, using politically themed decoy documents to trick dissidents, activists, and other individuals into opening weaponized files. Read more.


GreenCharlie APT: Iran’s PowerShell-Based Cyber Espionage Campaigns

Source: Picus Security
(Published: 11 November 2025)
GreenCharlie is an Iran-based advanced persistent threat (APT) group known for its active cyber-espionage and phishing operations. Read more.


MalKamak APT’s ShellClient RAT: Inside Operation GhostShell

Source: Picus Security
(Published: 11 November 2025)
MalKamak group has been active since at least 2018 and was observed in a targeted espionage campaign that peaked in July 2021, focusing primarily on the aerospace and telecommunications sectors in the Middle East, with additional victims in the U.S., Russia, and Europe. Read more.


NGate: NFC Relay Malware Enabling ATM Withdrawals Without Physical Cards

Source: Zimperium
(Published: 12 November 2025)
CERT Polska has recently uncovered a sophisticated Android malware family dubbed NGate, designed to perform NFC relay attacks targeting Polish bank customers. Read more.


Operation Endgame Quakes Rhadamanthys

Source: Proofpoint
(Published: 13 November 2025)
Rhadamanthys malware has evolved significantly over time, reflecting ongoing advancements in cybercriminal techniques. Read more.


Increase in Lumma Stealer Activity Coincides with Use of Adaptive Browser Fingerprinting Tactics

Source: Trend Micro
(Published: 13 November 2025)
In this blog entry, Trend Research analyses the layered command-and-control approaches that Lumma Stealer uses to maintain its ongoing operations while enhancing collection of victim-environment data. Read more.


NotDoor Insights: A Closer Look at Outlook Macros and More

Source: Splunk
(Published: 14 November 2025)
This blog helps security analysts, blue teamers, and Splunk customers identify NotDoor, and similar malware, by enabling the community to discover related TTPs used by threat actors and adversaries. Read more.


Hide Me Again: The Updated Multi-Payload .NET Steganography Loader That Includes Lokibot

Source: Splunk
(Published: 14 November 2025)
In this blog, the Splunk Threat Research Team presents an analysis of the updated steganographic loader, including one of its payloads: the Lokibot malware. Read more.

Want more articles beyond these November 2025 cyber threat reports? Check out the previous edition of Security Signals here. 


Take advantage of our free data evaluation.
