CISA issues an urgent directive for all organizations to patch Cisco ASA and Firepower devices against CVE-2025-20362 and CVE-2025-20333, exploited in the ArcaneDoor campaign. Verify the correct version now!

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a strong warning regarding critical vulnerabilities in Cisco’s Adaptive Security Appliances (ASA) and Firepower devices, which are essential for network security. These systems are, reportedly, being actively targeted by attackers.

****The Two Big Problems****

Two specific flaws, tracked as CVE-2025-20362 and CVE-2025-20333, are the main concern. CVE-2025-20362 allows an attacker to bypass the login requirement and access a restricted area of the device. This then enables the second, more dangerous flaw (CVE-2025-20333), which allows the attacker to run their own malicious code as the ‘root’ user, possibly leading to complete control of the affected device.

Reportedly, these two vulnerabilities are being collectively used by attackers in a campaign called ArcaneDoor to gain full control of the affected systems. Cisco first fixed these problems in September, but the threat from these active exploits continues, posing a risk to data and systems everywhere.

****The Patching Problem****

CISA’s Emergency Directive 25-03 (issued September 25) required immediate fixes. However, many organisations, including federal agencies, mistakenly believed they had updated their devices, with CISA finding that systems marked as ‘patched’ were actually still running vulnerable software.

The biggest issue CISA found is that simply updating wasn’t enough; organisations needed the correct minimum software version. For instance, Cisco ASA Release 9.12 requires version 9.12.4.72, and Release 9.14 requires 9.14.4.28, often accessible via a Special Release Download. CISA stresses that all Cisco ASA and Firepower devices must be updated immediately.

Organisations must update all Cisco ASA and Firepower devices, not just the ones facing the public internet. If devices were updated after September 26, 2025, or are still running vulnerable versions, CISA recommends additional steps to check for and remove any remaining threats.

****New Attacks Emerge****

Adding to the worries, Cisco also warned of a new variant of the attack, which can cause unpatched Cisco devices to suddenly stop working and restart (a denial of service or DoS condition). This new attack was noticed on November 5, 2025, highlighting the urgent need for all customers to immediately install the fixes released by Cisco.

****Expert perspectives****

Gunter Ollmann, CTO at Cobalt, shared exclusively with Hackread.com that the nature of these flaws, which target devices on the edge of a network, is particularly attractive to attackers because they allow the hackers to bypass many inner network defences. Ollmann notes that:

“The challenge is that organisations still struggle to validate their exposure in real-world terms, even when patches exist. Offensive testing helps reveal whether the environment behaves as expected after updates and whether an attacker could still traverse overlooked paths. Mature programs treat patching as the starting point, not the finish line, and use adversarial validation to catch residual gaps before threat actors do.”

Wade Ellery, Chief Evangelist at Radiant Logic, also speaking exclusively to Hackread.com, explains that once attackers breach devices like firewalls, their next goal is usually stealing user login information, and perimeter flaws that quickly lead to risks within user identity systems.

“The limitation is that many organisations still operate with fragmented identity data, making it hard to detect suspicious changes that follow network intrusions. Strengthening identity observability provides the context needed to spot anomalies early and contain lateral movement before privileges accumulate. Agencies that unify and observe identity data will be better positioned to absorb these infrastructure-level shocks and maintain Zero Trust resilience,” Ellery stated.

CISA Warns of Active Attacks on Cisco ASA and Firepower Flaws

Anthropic, the developer behind Claude AI, says a Chinese state sponsored group used its model to automate most of a cyber espionage operation against about 30 companies with Claude handling up to 90% of the technical work.

The world of cybersecurity is changing fast, and a recent report from Anthropic, the company behind the AI model Claude, has revealed a problematic new chapter in cyberattacks. Suspected Chinese state-sponsored operators, reportedly, successfully used Anthropic’s AI coding tool, Claude Code, to target around 30 organisations globally, including major tech companies, financial institutions, chemical manufacturers, and government agencies.

****A New Level of Automation****

This campaign, detected starting in mid-September and investigated over the following ten days, is significant because it is the first documented case of a foreign government using Artificial Intelligence (AI) to fully automate a cyber operation. Previously, similar incidents, like one involving Russian military hackers targeting Ukrainian entities with AI-generated malware, PROMPTSTEAL, still required human operators to guide the model step-by-step.

According to Anthropic’s detailed analysis , in this new approach, Claude acted as an autonomous agent to execute the attack. This means the model took multiple steps and actions with very little human direction.

Anthropic further stated the AI carried out an astonishing 80% to 90% of the total tactical work on its own, whereas human involvement was mainly limited to strategic decisions, like authorising the attack to move from the initial research phase to active theft.

As Jacob Klein, Anthropic’s head of threat intelligence, noted, the AI made “thousands of requests per second,” achieving an attack speed simply impossible for human hackers to match.

****How Claude Was Tricked****

Further probing revealed the attackers had to jailbreak Claude, basically tricking the AI into bypassing its built-in safety rules. They did this by presenting the malicious tasks as routine, defensive cybersecurity work for a made-up, legitimate company. By breaking the larger attack into smaller, less suspicious steps, the hackers managed to avoid setting off the AI’s security alarms.

Once it was tricked, Claude worked on its own to examine target systems, look for valuable databases, and even write its own unique code for the break-in. It then stole usernames and passwords (credentials) to get access to sensitive data. The AI even created detailed reports afterwards, listing the credentials it used and the systems it had breached.

The lifecycle of the cyberattack (source: Anthropic)

****The Impact and the Future****

While the campaign targeted dozens of organisations, around four of the intrusions were successful, leading to the theft of sensitive information. While Claude wasn’t perfect, as researchers found it sometimes made up false login details, the overall autonomy and speed achieved are a fundamental change to cybercrime as we know it.

“The threat actor—whom we assess with high confidence was a Chinese state-sponsored group—manipulated our Claude Code tool into attempting infiltration into roughly thirty global targets and succeeded in a small number of cases,” Anthropic confirmed.

Anthropic has since banned the accounts and shared its findings with authorities, but warns that this AI-driven attack method will increase. This signals a new reality; security teams must now use AI for defence, such as faster threat detection, to combat the emerging threat.

Chinese State Hackers Jailbroke Claude AI Code for Automated Breaches

A massive data leak reportedly at Chinese firm Knownsec (Chuangyu) exposed 12,000 files detailing state-backed 'cyber weapons' and spying on over 20 countries. See the details, including 95GB of stolen Indian immigration data.

A major data leak recently hit the Chinese security firm Knownsec (aka Chuangyu), where over 12,000 secret files briefly appeared on GitHub around November 2, 2025. It gave experts a rare look into China’s government-backed hacking tools and operations. The files were taken down quickly, though some evidence suggests the actual data theft may have happened as early as 2023.

****Key Details****

Knownsec is a huge player in China’s cybersecurity network, having received a major investment from Tencent in 2015, and it works closely with government offices. The stolen files seem to confirm how deeply a private company can be mixed up in national cyber programs, including helping build “cyber weapons” and keeping a list of international targets.

As the Chinese news outlet, Mrxn, reported, the leak is truly unprecedented because it points directly to spying and data collection on over 20 countries and regions globally. This list includes places like Japan, Vietnam, India, Indonesia, Nigeria, and the United Kingdom. Furthermore, there’s a spreadsheet that claims to detail attacks on 80 foreign organisations, mainly critical infrastructure like telecommunications companies.

****Stolen Data and Hacking Tools****

The amount of data reportedly stolen is overwhelming. This includes an enormous 95GB of immigration records from India and 3TB of call logs taken from the South Korean phone company LG U Plus. We also saw mentions of 459GB of transport data from Taiwan in the breach documents

Details, including one shared on X (formerly Twitter) by International Cyber Digest, highlighted the details of the hacking tools. These include Remote Access Trojans (RATs), which you can think of as hidden programs that let hackers secretly control computers or devices remotely.

The files also reveal special hacking tools for Android phones that sneakily pull out message histories from apps like Telegram and other well-known Chinese chat apps. It is worth noting that the documents even mention a seemingly harmless, malicious power bank designed to secretly upload data from a victim’s device while pretending to charge it.

Leaked Data Sample Files (Source: Mrxn)

****Official Response and Security Lessons****

When questioned about the leak, the Chinese government, through its Foreign Ministry spokesperson, officially denied having any knowledge of a breach at Knownsec. The spokesperson repeated that China is firmly against and fights all kinds of cyberattacks. However, the statement did not go so far as to deny that state-associated companies get involved in cyber intelligence work.

Security experts warn that basic antivirus and firewalls are often not enough anymore. Companies need a stronger, layered defence, which means combining standard protection with constant checking of their networks.

Photo by Engin Akyurt on Unsplash

Chinese Tech Firm Leak Reportedly Exposes State Linked Hacking

Internet-facing assets like domains, servers, or networked device endpoints are where attackers look first, probing their target’s infrastructure…

Internet-facing assets like domains, servers, or networked device endpoints are where attackers look first, probing their target’s infrastructure to determine if there is a viable way in. External attack surface management (EASM) is how security teams stay ahead of such vulnerabilities, which is why it’s become so critical for shoring up defences.

However, many security teams only rely on Microsoft Defender for EASM, which might not be enough. We regularly see some of the most security-mature organisations suffer breaches, indicating that there are some gaps in how EASM is being implemented across industries.

****How EASM Blind Spots Become Entry Points****

With powerful, widely available scanners like Shodan, Censys, or custom-built scanners, attackers are always probing the internet to identify any exposed assets. Something as simple as an open port or misconfigured server can signal to them that a service is active and potentially exploitable.

In more targeted attacks, a malicious actor might even correlate data from multiple sources to map the target’s entire external footprint. This may include exposed admin panels coupled with leaked secrets on GitHub, or open APIs with weak or missing authentication.

Because our digital footprints are so extensive nowadays, there is a real challenge in maintaining visibility and control across all assets. Even the most powerful companies are struggling. In the spring of 2025, Oracle, a leading provider of cloud infrastructure services, suffered a breach that exposed millions of customer records.

The cause was a single unmanaged subdomain, which attackers used to gain initial access and identify other security gaps before moving laterally.

****The Most Common EASM Blind Spots****

Regardless of how much emphasis is placed on EASM, exposures still can and do happen. There are simply too many dynamics at work. Perhaps the most obvious one is the rise of remote work policies, which significantly accelerated the spread of shadow IT.

Employees now often use their own devices for work, which includes any applications or services installed that the company’s IT team has no idea about. Without integration into the EASM inventory, such assets are a major blind spot for defenders and a huge opportunity for attackers.

Old infrastructure is another blind spot. Old servers, domains, or staging environments regularly outlive their purpose. Even though they’re not in use, they remain online and unpatched. Without security updates or proper configuration management, these are the easiest targets.

Because businesses are so interconnected, third-party risk is another gap. Organisations have very little control over how their partners secure and manage their infrastructure, outside of any initial due diligence, before starting the relationship.

With so many possible exposures, relying on a single tool to identify them adds to the risk. Most companies only use Defender, which is a great tool, but it also gives false confidence that all internet-facing assets are accounted for.

****Does AI Close or Create More Blind Spots?****

A big topic around EASM and cybersecurity in general is the impact of artificial intelligence and how it aids attackers and defenders.

On the offensive side, AI has made it slightly easier for attackers to automate reconnaissance by generating exploit scripts or analysing vast amounts of publicly available data. The main advantage adversaries get is speed, which is crucial when a missing a patch install by a day can turn into a security incident.

For defenders, the benefits are equally significant. Modern EASM platforms leverage AI to improve asset discovery, correlate data across the environment, and prioritise findings based on asset criticality and exploitability.

So it’s a double-edged sword, and it’s unlikely that AI will create any meaningful advantage for either side, as both parties are constantly adapting.

****Hardening Your External Attack Surface Management****

If you’re already implementing EASM, a few small tweaks can have a huge impact in reducing external exposure.

The frequency of scanning is very important. Adversaries don’t scan your infrastructure just once per quarter, and neither should you. Scanning should be continuous, with automated discovery across domains, endpoints, IPs, and cloud instances. Any old or unused infrastructure that is discovered should be removed.

To improve the breadth of scanning, consider implementing an additional EASM layer on top of Defender. It’s important to incorporate validation and remediation capabilities, particularly surrounding unmanaged SaaS applications, external cloud providers, and third-party relationships.

Once your EASM stack is in order, it’s best to integrate it with your SIEM, SOAR, DRPS and ticketing workflows. This way, security teams can easily analyse external exposure findings and implement any necessary fixes, prioritised by risk levels.

****Final Thoughts****

The effectiveness of your security program depends on what you can see, but even more so on what you can’t. EASM has become one of the most valuable tools for uncovering exposures before attackers do. But it’s not a silver bullet. Blind spots will always exist where visibility, context, or ownership breaks down.

How Adversaries Exploit the Blind Spots in Your EASM Strategy

A fast-spreading threat, known as the screen-sharing scam, is using a simple feature on WhatsApp to steal money…

A fast-spreading threat, known as the screen-sharing scam, is using a simple feature on WhatsApp to steal money and personal data, according to an analysis from the research firm ESET (published on November 5, 2025).

This scam, which takes advantage of the screen-sharing tool available since 2023, has already led to massive losses worldwide, including a case in Hong Kong where a victim lost approximately US$700,000.

(Source: Facebook)

****The Screen-Sharing Scam****

According to ESET, the scam starts with an unexpected video call from an unfamiliar number. The caller pretends to be a trusted figure, like a bank employee or a support agent from Meta, the company that owns WhatsApp.

They create a huge sense of panic, claiming your account is compromised or that there’s a fraudulent charge on your credit card. They then ask you to share your screen, or even install remote apps like AnyDesk or TeamViewer, claiming they need to ‘fix’ the issue.

As is evident, the main trick is psychological, exploiting three key elements: trust, urgency, and control. “The goal is to build trust or create panic so that you act impulsively; the scam relies less on technical wizardry and more on psychological manipulation,” ESET’s report reads.

Additionally, victims are pressured into believing there is an immediate issue that requires their attention, and in that panic, they grant the scammer full access to their phone’s screen. With that access, the scammer can easily see and steal passwords, banking details, and the crucial one-time passwords (OTPs) that pop up.

A victim discussing the scam on Reddit and how their mother was one of the victims

****Meta Fights Back****

It is worth noting that Meta is actively fighting this threat. Meta is strengthening WhatsApp’s defences with new AI-powered safety tools. The most significant update is a real-time warning system that pops up an alert when you try to share your screen during a video call with a number that is not saved in your contacts. This feature is designed to make users pause and reconsider before exposing sensitive information.

Image source: Meta

The company is also addressing the global scale of the problem with action taken against around eight million scam\-linked accounts and removal of over 21,000 fake pages that were impersonating customer service representatives across various countries, including Myanmar, Cambodia, Laos, the UAE, and the Philippines.

****Your Best Defence****

Experts warn that to stay safe online, you should never share your screen, passwords, or verification codes with strangers, no matter how convincing they sound. Always verify suspicious claims directly with banks or relatives through a separate, trusted channel. Also, enabling Two-Step Verification in your WhatsApp settings greatly helps protect your account.

Scammers Abuse WhatsApp Screen Sharing to Steal OTPs and Funds

Europol-led Operation Endgame seizes 1,025 servers and arrests a key suspect in Greece, disrupting three major global malware and hacking tools, including Rhadamanthys, VenomRAT and Elysium botnet.

In a massive global operation called Operation Endgame, police forces have taken down the core systems of three major online crime groups, including the Rhadamanthys infostealer, the VenomRAT remote control tool, and the Elysium botnet.

The operation took place between November 10 and 13, 2025, and was managed from Europol’s main office in The Hague, Netherlands. The operation was also supported by Eurojust, the European Union’s judicial cooperation agency.

****Key Arrests and Network Takedown****

This joint action involved law enforcement and legal teams from 11 nations, including Australia, Belgium, Canada, Denmark, France, Germany, Greece, Lithuania, the Netherlands, the United Kingdom, and the United States.

Authorities also had support from more than 30 organisations, including cybersecurity firms like Proofpoint, CrowdStrike, and Bitdefender, which led to the seizure of 11 malicious domains and the shutdown of over 1,025 servers used by cyber criminals to run malware globally.

Seizure notice (Screenshot: Europol)

Additionally, authorities conducted 11 searches across locations in Germany, Greece, and the Netherlands, and arrested a key suspect linked to the VenomRAT operation in Greece on November 3, 2025.

According to Europol’s press release, further probing revealed the astounding scale of the crime. The systems that were taken down had infected hundreds of thousands of computers, resulting in several million stolen login details.

Europol noted that many victims were not even aware their systems were compromised. The main suspect behind the Rhadamanthys infostealer had access to over 100,000 cryptocurrency wallets, possibly worth millions of euros.

Operation Endgame video shared by authorities

****The Fight Continues****

This Operation Endgame, as we know it, is part of a bigger, ongoing effort. Hackread.com has followed this fight from the start, reporting on past actions against other hacking tools. This includes the massive May 2024 takedown that hit dropper tools like Smokeloader, IcedID, and Bumblebee, and the disruption of the DanaBot network in May 2025.

Back in April 2025, authorities arrested criminal customers who paid to use the now-defunct Smokeloader service. This shows that authorities are not just going after the big criminals, but also the people who pay to use their services.

If you are worried that your computer might be infected, police urge you to use free tools like politie.nl/checkyourhack to check your status.

Operation Endgame Hits Rhadamanthys, VenomRAT, Elysium Malware, seize 1025 servers

CVE 2025 42887 vulnerability, rated 9.9, allows code injection through Solution Manager giving attackers full SAP control urgent patch needed to block system takeover.

Cybersecurity researchers are issuing an alert regarding a major security vulnerability discovered in SAP systems. This vulnerability, rated an extremely high 9.9 out of 10 in severity, could potentially let cyber attackers take complete control over a company’s SAP network and all the sensitive data it holds.

The discovery came from the SecurityBridge Threat Research Labs, a specialised team dedicated to identifying weaknesses in SAP security. As we know it, SAP software is the crucial backbone for countless businesses worldwide, handling critical functions like finance and logistics. This means any major security vulnerability presents a massive, immediate risk.

****Code Injection Threat Explained****

The most severe problem found by the SecurityBridge team is known as Note 3668705 (CVE-2025-42887), which affects SAP Solution Manager. This specific component is a powerful tool used to manage other SAP systems.

The issue is a Code Injection vulnerability, meaning an attacker can misuse a remote feature to sneak in malicious programming code. Once the code is successfully injected, it results in a total system compromise.

Joris van de Vis, the Director of Security Research at SecurityBridge, emphasised the severe nature of the threat in the blog post shared with Hackread.com. He noted that this flaw is “particularly dangerous because it allows to injection of code from a low-privileged user, which leads to a full SAP compromise and all data contained in the SAP system.”

****Patching Must Be Immediate****

This critical vulnerability was part of 25 new and updated SAP Security Notes released on the company’s November Patch Day, November 11, 2025. This month’s fixes included four notes in the highest-priority HotNews category.

SAP’s patch release included a second max-severity flaw (CVE-2025-42890, a perfect 10.0/10) related to hardcoded login details in the SQL Anywhere Monitor tool. Another HotNews fix (Note 3647332) was an update for an issue in SAP SRM. There were also two patches in the important High-Priority category, including one (Note 3633049) for a memory flaw in SAP CommonCryptoLib, used for encryption tasks.

A public fix (patch) has been released for CVE-2025-42887. While this solves the problem, the release of the patch also gives cybercriminals the information they need to try and copy the attack, which could speed up exploit development. Therefore, all organisations using SAP are strongly advised to install this patch immediately.

Furthermore, even older software is seeing updates: four fixes were released for the SAP Business Connector, a tool many integration specialists may remember. The SecurityBridge team also found two other issues addressed in the November patches: a Medium priority vulnerability (Note 3643337) and a Low priority one (Note 3634053).

The firm gave its own customers an advanced warning about these discoveries on October 30, 2025, advising them to update their security protections before the public disclosure.

SAP Pushes Emergency Patch for 9.9 Rated CVE-2025-42887 After Full Takeover Risk

Q3 showed sharp growth in malware activity as Lumma AgentTesla and Xworm drove access and data theft forcing SOC teams toward quicker behavior checks

_Disclosure: This article was provided by ANY.RUN. The information and analysis presented are based on their research and findings._

The third quarter of 2025 saw a concerning evolution in the malware landscape. The latest ANY.RUN Malware Trends quarterly report confirms a clear pattern: threat actors are prioritising fast monetisation and initial access operations.

The number of threats investigated in ANY.RUN’s Sandbox grew by 21.6% since Q2, compared to 9.8% growth between Q1 and Q2.

Malicious verdicts increased by 18%. The sandbox extracted 32.8% more IOCs than in Q2, respectively enriching threat data available via Threat Intelligence Lookup and TI Feeds.

****The Three Top Threats SOC Teams Must Watch****

Three malware families dominate the threat landscape due to their ability to quickly monetise stolen data and establish remote control:

**Malware Family**

**Q3 Sandbox detections**

**Type**

**Primary Objective**

Lumma

9,664

Stealer

Remote access, payload delivery, and file manipulation

AgentTesla

5,337

Stealer/RAT

Keylogging, clipboard/email creds, data exfiltration.

Xworm

5,085

RAT

Remote access, payload delivery, file manipulation

Top malware families by ANY.RUN’s Sandbox detections in Q3

Analysts must adapt by reducing triage time, switching from signature-based detection to behaviour-based detection, and enriching indicators with real-time threat context.

****1\. Lumma Stealer – Credential Monetisation at Scale****

Lumma Stealer is currently the most active and prevalent malware family observed in the report. It specialises in stealing sensitive data from endpoints, focusing on browser-stored credentials, cryptocurrency wallets, form autofill data, saved credit cards, and session cookies. Lumma is particularly aggressive in industries such as finance and commerce in Europe and North America, where the stolen data has the highest monetary value.

For organisations, a single Lumma infection can result in corporate account compromise, lateral movement through SaaS access, and asset theft without triggering traditional ransomware alarms.

Lumma’s operators consistently update their infrastructure, rotating malicious domains and other C2 inventory. Threat Intelligence Lookup allows analysts to extract IOCs from the most recent sandbox sessions where Lumma samples were detonated and fuel detection and response systems. threatName:”Lumma” and domainName:””

Recently detected Lumma domains found via TI Lookup

****Where ANY.RUN’s Threat Intelligence Lookup Fits In****

TI Lookup is a real-time threat investigation platform that enriches indicators with context, not just reputation scores. It aggregates fresh IOCs, IOAs, and behaviour patterns (IOBs) directly from malware detonations performed in ANY.RUN’s Interactive Sandbox, powered by data contributed by more than 15,000 enterprise SOCs and security teams across multiple industries.

This gives analysts access to threat intelligence captured from real attacks happening right now, not stale feeds or public blocklists.

Besides the context, it enables analysts to reduce triage time, raise detection accuracy, and retain confidence in their decisions. For business, the key objectives gained are analyst efficiency and better judgment, faster MTTR, and measurable ROI.

In short, TI Lookup turns threat intelligence into operational efficiency: less time spent investigating means more time preventing breaches.

****2\. AgentTesla – activity doubled quarter-over-quarter****

AgentTesla is a widely distributed credential stealer and remote access tool (RAT) with a multilayered set of functions, including keylogging, clipboard monitoring, credential extraction from browsers and email clients, and exfiltration via SMTP or HTTP.

The malware has recently seen a sharp increase in activity, doubling quarter-to-quarter. It is particularly common in industries with large numbers of external communications, transportation, logistics, and education. Its operational simplicity and low barrier to entry make it popular among less sophisticated cybercriminal groups.

Use Threat Intelligence Lookup to instantly check network artefacts and spot AgentTesla in your network.

domainName:”mail.funworld.co.id”

Domain proven to be associated with AgentTesla campaigns via TI Lookup

Explore the linked sandbox sessions to observe AgentTesla’s attack chain and behaviour patterns:

View analysis

AgentTesla detonation in ANY.RUN’s Sandbox

****3\. Xworm (RAT) – modular, covert, highly scalable****

Xworm is a flexible, modular remote access Trojan, is often used as the first foothold in an intrusion, where it serves as a launcher for other malware, including stealers and ransomware. After execution, Xworm enables remote command execution, file manipulation, keylogging, surveillance, and exfiltration. It supports multiple communication channels, including C2 tunnelling through legitimate cloud services, which complicates detection.

Xworm infections are especially dangerous for organisations because the malware acts as a bridge to full compromise. The malware actively targets manufacturing, tourism, and healthcare: industries where business disruption can have immediate operational consequences.

Xworm samples added and analysed by sandbox users from Colombia

****To sum up:****

*   Lumma steals access.
*   AgentTesla steals communications.
*   Xworm turns those stolen credentials into full control of the environment.

****Conclusion****

As Q4 2025 unfolds, Lumma Stealer, AgentTesla, and Xworm RAT will continue to evolve, adopting new evasion techniques and targeting mechanisms to bypass traditional defences.

For SOC analysts, the challenge isn’t just detecting these threats: it’s responding fast enough to minimise impact. The difference between a contained incident and a major breach often comes down to how quickly you can identify what you’re dealing with and implement the right countermeasures.

ANY.RUN’s Threat Intelligence Lookup bridges this critical gap, transforming unknown indicators into actionable intelligence within seconds. By combining comprehensive threat data with interactive analysis capabilities, it empowers your team to move from reactive detection to proactive defence.

The threat landscape will only grow more complex. Ensure your SOC has the intelligence infrastructure to stay one step ahead.

Stop paying for data without context – get visibility that drives decisions.  
Choose your plan for intel sourced from 15K+ real SOCs

Top 3 Malware Families in Q4: How to Keep Your SOC Ready

New York, New York, 13th November 2025, CyberNewsWire

**New York, New York, November 13th, 2025, CyberNewsWire**

BreachLock, a global leader in offensive security, just announced a powerful new integration with Vanta, the leading AI-powered trust management platform, enabling organizations to push security validation evidence directly into compliance workflows with a single click. 

This integration bridges the gap between continuous security testing and compliance by allowing mutual customers to connect the BreachLock Unified Platform to their Vanta environment. Users can automatically send security evidence from the BreachLock Unified Platform, including penetration testing reports, adversarial exposure validation (AEV) results, attack surface management (ASM) results, and more, into the appropriate Vanta control folders, eliminating manual uploads and user errors while significantly reducing audit preparation time. 

> Commenting on the addition of this integration, BreachLock Founder & CEO expressed, “Our clients shouldn’t have to waste time manually transferring evidence between BreachLock and Vanta,” adding, “This integration ensures that our mutual customers’ security findings are always audit-ready and aligned with frameworks like SOC 2 and ISO 27001 within their Vanta environments, effortlessly.” 

> “At Vanta, our mission is to support companies regardless of their tech stack,” said Chris Morris, Staff Product Manager at Vanta. “We’re excited for BreachLock’s integration and to support our mutual customers!” 

The BreachLock Unified Platform supports modern Continuous Threat Exposure Management (CTEM) programs by unifying all CTEM-aligned tools and solutions modern security teams need, including both autonomous and human-led Penetration Testing as a Service (PTaaS), Adversarial Exposure Validation (AEV) for autonomous red teaming, and Attack Surface Management (ASM). This unified approach enables organizations to continuously discover, validate, and remediate exposures across their entire internal and external environments, including web, API, network, mobile, cloud assets, and more. 

With the new BreachLock x Vanta integration, organizations can maintain always-current compliance evidence across all attack surfaces, supporting continuous security and compliance alignment. 

**Key Benefits of the Integration Include** 

*   One-click evidence transfers from BreachLock to Vanta. 
*   Automatic alignment with SOC 2, ISO 27001, and other controls. 
*   Reduced manual effort and fewer errors during audit preparation. 
*   Continuous compliance support through CTEM and automated testing. 

Setting up the integration is simple; users connect to Vanta directly from the BreachLock Platform and authorize BreachLock within Vanta, following a quick step-by-step setup process outlined in a recent blog post on the integration. 

This collaboration between BreachLock and Vanta marks a significant step forward in unifying offensive security and compliance workflows, helping organizations stay not only secure but audit-ready year-round. 

**About BreachLock**

BreachLock is a global leader in offensive security, delivering scalable and continuous security testing. Trusted by global enterprises, BreachLock provides human-led and AI-powered Attack Surface Management, Penetration Testing as a Service (PTaaS), Red Teaming, and Adversarial Exposure Validation (AEV) solutions that help security teams stay ahead of adversaries. 

With a mission to make proactive security the new standard, BreachLock is shaping the future of cybersecurity through automation, data-driven intelligence, and expert-driven execution.

**Contact**

**Senior Marketing Executive**  
**Megan Charrois**  
**BreachLock**  
**\[email protected\]**

Source

HackRead