A list of topics we covered in the week of November 10 to November 16 of 2025

November 14, 2025 - Contacted out of the blue for a virtual interview? Be cautious. Attackers are using fake interviews to slip malware onto your device.

November 14, 2025 - Apple's Digital ID makes travel smoother and saves you from digging for documents, but it comes with privacy and security trade-offs. We break down the pros and cons.

November 13, 2025 - Google’s suing Lighthouse, a Chinese Phishing-as-a-Service platform that uses Google’s branding on scam sites to trick victims.

November 13, 2025 - In 2025, receiving a .vbs “invoice” is like finding a floppy disk in your mailbox. It's retro, suspicious, and definitely not something you should run.

November 12, 2025 - Think twice before clicking that "Secure Message" alert from your organization's spam filters. It might be a phish built to steal your credentials.

 A week in security (November 10 &#8211; November 16) 

Contacted out of the blue for a virtual interview? Be cautious. Attackers are using fake interviews to slip malware onto your device.

One of our customers was contacted on LinkedIn about a job offer. The initial message was followed up by an email:

> “Thank you for your interest in the Senior Construction Manager position at {company}. After reviewing your background, we were impressed with your experience and would like to invite you to the next stage of our selection process — a virtual interview.
> 
> In this session, we’ll discuss your project management experience, leadership approach, and how your expertise aligns with {company}’s current and upcoming construction initiatives.
> 
> A Zoom link will be shared in a follow-up email, which will allow you to select a time that’s most convenient for you.
> 
> If you have any questions in the meantime, please don’t hesitate to reach out. I look forward to speaking with you soon.
> 
> Warm regards,”

I edited out the company name and the name of the supposed recruiter, but when we Googled that alleged recruiter’s name, he does work at the impersonated company (just not in HR). That’s not unique, though. We’ve heard several variants of very similar stories involving other companies and other names.

Other red flags included the fact that the email came from a Gmail address (not a company domain), and that the company has no openings for a Senior Construction Manager.

When our target replied they were looking forward to the interview, they received the “Meeting invitation” by email:

> “Hi There,
> 
>       {recruiter} INVITED YOU TO A ZOOM REMOTE MEETING
> 
> Please click the button below to view the invitation within 30 days. By acceptance, you’ll be able to message and call each other.
> 
>                View Invitation {button}
> 
> To see the list of invited guests, click here.
> 
> Thank you.
> 
> Zoom”

Both links in this email were shortened t\[.\]co links that redirected to meetingzs\[.\]com/bt.

That site is currently unavailable, but users have reported seeing fake Windows update warnings, or notifications about having to install updates for their meeting application (Zoom, Teams—name your favorite). Our logs show that we blocked meetingzs\[.\]com for phishing and hosting a file called GoToResolveUnattendedUpdater.exe.

While this file is not malicious in itself, it can be abused by cybercriminals. It’s associated with LogMeIn Resolve, a remote support tool, which attackers can fake or misuse to execute ransomware payloads once installed.

This tactic is part of a broader trend where attackers pose as recruiters or trusted contacts, inviting targets to meetings and requiring them to install software updates to participate. Those updates, however, can be malware installers or Remote Monitoring and Management (RMM) tools which can give attackers direct access to your device.

This type of attack is a prime example of how social engineering is becoming the primary way to gain initial access to you or your company’s system.

**How to stay safe**

The best way to stay safe is to be able to recognize attacks like these, but there are some other things you can do.

*   Always keep your operating system, software, and security tools updated regularly with the latest patches to close vulnerabilities.
*   Use a real-time anti-malware solution with a web protection component.
*   Be extremely cautious with unsolicited communications, especially those inviting you to meetings or requesting software installs or updates; verify the sender and context independently.
*   Avoid clicking on links or downloading attachments from unknown or unexpected sources. Verify their authenticity first.
*   Compare the URL in the browsers’ address bar to what you’re expecting.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Be careful responding to unexpected job interviews 

Apple's Digital ID makes travel smoother and saves you from digging for documents, but it comes with privacy and security trade-offs. We break down the pros and cons.

Apple has launched Digital ID, a way for users in the US to create and present a government-issued ID in Apple Wallet using their passport information. For now, it works only for identity verification at Transportation Security Administration (TSA) checkpoints in more than 250 airports.

Apple says the reason for the introduction is because users asked for it:

> “Since introducing the ability to add a driver’s license or state ID to Apple Wallet in 2022, we’ve seen how much users love having their ID right on their devices. Digital IDs brings this secure and convenient option to even more users across the country, as they can now add an ID to Wallet using information from their U.S. passport.”

****What does Apple’s Digital ID mean for users?****

You add a Digital ID by scanning your physical passport (photo page and chip) and taking a selfie as part of a verification process. Your ID stays encrypted on the device and isn’t shared with Apple.

To present it, you hold your iPhone or Apple Watch near a reader and confirm with Face ID or Touch ID. You choose which information is shared, and you never have to unlock or hand over your device.

At launch, it’s TSA-only. Apple says wider use at businesses, organizations, and online services will come later. Digital ID **does not** replace a passport for international travel.

****Pros of Apple’s Digital ID:****

*   **Convenience:** Quickly present your ID from your iPhone or Apple Watch for TSA security, and eventually, for businesses or online checks.
*   **Security:** The ID data is locally encrypted and requires biometric authentication for access.
*   **Privacy control:** Users review and authorize the information shared, and Apple claims it doesn’t track when you use the ID.
*   **Expanded access:** It’s helpful for people without a REAL ID-compliant driver’s license who want to fly domestically.
*   **No device hand-off:** You don’t hand over your device for inspection. You just present your phone or watch to a reader.
*   **Scalable:** Apple already has the support of states and airports, and plans to expand.

Apple barely touches upon the risks that come with this new feature. We discussed many of them when we asked, should you let Chrome store your driver’s license and passport? Although Apple’s Digital ID looks safer than storing your ID in your browser, there are some additional concerns.

****The risks of using Apple’s Digital ID****

We had to look at other sources to find some of the more serious downsides.

*   **Device dependency:** Lose your phone or watch, and you lose access to your Digital ID. That’s not to mention the risks if the device is stolen.
*   **Privacy and surveillance:** Experts warn Digital ID adoption may lead to more ID checks in places that didn’t require them before, increasing surveillance and data tracking concerns.​
*   **Potential for security breaches:** Encrypted or not, digital IDs can still be targeted by device exploits, phishing, or social engineering.
*   **Biometric spoofing:** Face ID or Touch ID can, in some cases, be spoofed or exploited.​
*   **Platform** **lock-in:** Apple’s system is closed, which means users are dependent on Apple’s legacy, update policies, and device ecosystem. If you switch platforms, you might find it hard to recover your digital ID.
*   **Social risks:** Critics worry police or other authorities could pressure users to unlock devices under the guise of ID verification.
*   **Data sharing with state authorities:** Your photo, video, and limited device analytics may be shared temporarily with issuing authorities for verification.​
*   **Limited usefulness:** Digital ID doesn’t replace your passport outside the US, so it’s not very useful for international travel, and it’s not accepted everywhere yet.

**Summary**

Apple’s Digital ID aims to make ID checks private, more secure, and convenient for most users. But concerns remain regarding privacy, device loss, ecosystem lock-in, and the potential for expanded surveillance and demands in everyday activities beyond TSA checkpoints.

We still see this option as safer than storing your ID in a browser, where attacks are far more common, but the drawbacks may still outweigh the benefits for many users. As one of our readers put it:

> “The inconvenience of having to look through a drawer for my passport is not that big, that I would risk having my identity stolen.”

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Your passport, now on your iPhone. Helpful or risky? 

Google’s suing Lighthouse, a Chinese Phishing-as-a-Service platform that uses Google’s branding on scam sites to trick victims.

A Phishing-as-a-Service (PhaaS) platform based in China, known as “Lighthouse,” is the subject of a new Google lawsuit.

Lighthouse enables smishing (SMS phishing) campaigns, and if you’re in the US there is a good chance you’ve seen their texts about a small amount you supposedly owe in toll fees. Here’s an example of a toll-fee scam text:

Google’s lawsuit brings claims against the Lighthouse platform under federal racketeering and fraud statutes, including the Racketeer Influenced and Corrupt Organizations Act (RICO), the Lanham Act, and the Computer Fraud and Abuse Act.

The texts lure targets to websites that impersonate toll authorities or other trusted organizations. The goal is to steal personal information and credit card numbers for use in further financial fraud.

As we reported in October 2025, Project Red Hook launched to combine the power of the US Homeland Security Investigations (HSI), law enforcement partners, and businesses to raise awareness of how Chinese organized crime groups use gift cards to launder money.

These toll, postage, and refund scams might look different on the surface, but they all feed the same machine, each one crafted to look like an urgent government or service message demanding a small fee. Together, they form an industrialized text-scam ecosystem that’s earned Chinese crime groups more than $1 billion in just three years.

Google says Lighthouse alone affected more than 1 million victims across 120 countries. A September report by Netcraft discussed two phishing campaigns believed to be associated with Lighthouse and “Lucid,” a very similar PhaaS platform. Since identifying these campaigns, Netcraft has detected more than 17,500 phishing domains targeting 316 brands from 74 countries.

As grounds for the lawsuit, Google says it found at least 107 phishing website templates that feature its own branding to boost credibility. But a lawsuit can only go so far, and Google says robust public policy is needed to address the broader threat of scams:

> “We are collaborating with policymakers and are today announcing our endorsement of key bipartisan bills in the U.S. Congress.”

Will lawsuits, disruptions, and even bills make toll-fee scams go away? Not very likely. The only thing that will really help is if their source of income dries up because people stop falling for smishing. Education is the biggest lever.

**Red flags in smishing messages**

There are some tell-tale signs in these scams to look for:

1.  **Spelling and grammar mistakes**: the scammers seem to have problems with formatting dates. For example “September 10nd”, “9st” (instead of 9th or 1st).
2.  **Urgency:** you only have one or two days to pay. Or else…
3.  **The over-the-top threats:** Real agencies won’t say your “credit score will be affected” for an unpaid traffic violation.
4.  **Made-up legal codes:** “Ohio Administrative Code 15C-16.003” doesn’t match any real Ohio BMV administrative codes. When a code looks fake, it probably is!
5.  **Sketchy payment link:** Truly trusted organizations don’t send urgent “pay now or else” links by text.
6.  **Vague or missing personalization:** Genuine government agencies tend to use your legal name, not a generic scare message sent to many people at the same time.

**Be alert to scams**

Recognizing scams is the most important part of protecting yourself, so always consider these golden rules:

*   Always search phone numbers and email addresses to look for associations with known scams.
*   When in doubt, go directly to the website of the organization that contacted you to see if there are any messages for you.
*   Do not get rushed into decisions without thinking them through.
*   Do not click on links in unsolicited text messages.
*   Do not reply, even if the text message explicitly tells you to do so.

If you have engaged with the scammers’ website:

*   Immediately change your passwords for any accounts that may have been compromised. 
*   Contact your bank or financial institution to report the incident and take any necessary steps to protect your accounts, such as freezing them or monitoring for suspicious activity. 
*   Consider a fraud alert or credit freeze. To start layering protection, you might want to place a fraud alert or credit freeze on your credit file with all three of the primary credit bureaus. This makes it harder for fraudsters to open new accounts in your name.
*   US citizens can report confirmed cases of identity theft to the FTC at identitytheft.gov.

**Pro tip:** You can upload suspicious messages of any kind to Malwarebytes Scam Guard. It will tell you whether it’s likely to be a scam and advise you what to do.

**We don’t just report on scams—we help detect them**

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

 1 million victims, 17,500 fake sites: Google takes on toll-fee scammers 

New York is calling out data-driven pricing, where algorithms use your clicks, location and search history to tweak what you pay.

When you search for a product online, you might think you’re getting the same price as everyone else. Think again. Your price might be different based on everything from your location to what you’ve looked at online. Companies often use algorithms to set their prices that rely heavily on customers’ personal data. Now, the state of New York is forcing companies to come clean when they set prices using customer data.

Anyone using algorithms to adjust pricing for people in the state must now reveal when they’re doing it, thanks to legislation that the state began enforcing this week called the Algorithmic Pricing Disclosure Act.

Algorithmic pricing is also known as “surveillance pricing” because it relies on using a person’s personal data to offer them promotional pricing (or potentially higher prices, if the vendor thinks they’ll pay).

**How software algorithms affect the prices you see**

The Federal Trade Commission (FTC) warned about this in a report that it released in January this year. It had ordered eight companies (Mastercard, Revionics, Bloomreach, JPMorgan Chase, Task Software, PROS, Accenture, and McKinsey) to disclose the services they offer that use algorithms and consumer data to set or recommend individualized prices, as well as the data inputs, customer lists and potential impact on consumer pricing. From the report:

> “A tool could be used to collect real-time information about a person’s browsing and transaction history and enable a company to offer—or not offer—promotions based on that consumer’s perceived affinity.”

This data could include where they are, who they are, what they’re doing, and what they’ve done in the past. The report suggests that companies could use a wide variety of customer data to achieve these goals, including everything from their geolocation to what they’ve looked at on a particular website.

For example, lingering over a particular item with their mouse or watching a certain percentage of a video on a website might alert companies that a consumer has a particular interest.

The same data could be used to create “buckets” of customers with similar profiles (called “segments” in marketing) that companies could use to target people with different pricing.

The FTC report had to use hypothetical examples, following push-back from the companies involved, but what it revealed was enlightening. A company might jack up prices of baby formula offered to a parent found searching for fast delivery, it said.

In another imagined case, a person visiting a car dealership and using an in-store kiosk to explore vehicles might be segmented as a first-time car buyer, the report said. The store might decide that they’re inexperienced about the financing options available, affecting the rates that they’re offered.

The FTC had issued a Request for Information (RFI) on the report, asking people for their own experiences of surveillance pricing. The public comment period was supposed to run until April 17, but the new FTC chair under the Trump administration, Andrew Ferguson, closed the RFI less than a week after the previous chair, Lina Khan, issued it.

Last week the state’s Attorney General, Letitia James, effectively re-opened it—at least for New York residents. She issued a consumer alert urging residents to help enforce the law, which threatens a $1,000 penalty each time a company violates it. The alert encouraged people to report companies they believe are using algorithms to determine pricing.

Under the New York law, businesses must display the exact text:

> “This price was set by an algorithm using your personal data.”

They must display the text near the price shown, and they can’t use “protected class data” that is legally shielded from discrimination under the law. That includes ethnicity, national origin, disability, age, sex, sexual orientation, or gender identity. There are exceptions: insurance companies and other financial institutions are exempt under the Gramm-Leach-Bliley Act.

**A long history of algorithmic pricing**

Algorithmic pricing has been happening for years. For example, in 2013 Staples was found to be adjusting prices for different people according to their distance from a rival’s store. The retailer reportedly charged higher prices for households with lower incomes, although whether this was intentional or just an unintended by-product of the algorithm isn’t clear. That’s the problem though: algorithms can easily have unexpected results.

More recently, reporters have found people charged more for hotel rooms based on their IP addresses, while one report found Target charging more for goods viewed on its app when they were inside a Target store than when they were outside.

This pushback against surveillance pricing is spreading. California’s AB 325 bill amends the state’s Cartwright Act antitrust law to ban shared pricing algorithms that use competitor data between multiple businesses. Governor Gavin Newsom signed that into law last month, and it will take effect on January 1, 2026. He also passed SB 763, which increases civil and criminal penalties for violations of the Cartwright Act.

**We don’t just report on data privacy—we help you remove your personal information**

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.

 Are you paying more than other people? NY cracks down on surveillance pricing 

In 2025, receiving a .vbs “invoice” is like finding a floppy disk in your mailbox. It's retro, suspicious, and definitely not something you should run.

Somebody forwarded an “invoice” email and asked me to check the attachment because it looked suspicious. Good instinct—it was, and what we found inside was a surprisingly old trick hiding a modern threat.

**What it does**

If the recipient had opened the attached Visual Basic Script (.vbs) file, it would have quietly installed a remote-access Trojan known as Backdoor.XWorm. Once active, it could have let attackers:

*   Steal files, passwords and other personal data
*   Record keystrokes
*   Spy on the user
*   Install other malware, including ransomware

Everything happens silently, with no alerts or windows. It’s built to avoid antivirus tools and hand over complete control of the PC.

> “Hi,
> 
> Please find attached the list of invoices we have processed and payment has been made as of 8/1/2025 2:45:06 a.m.
> 
> Kindly review and confirm that these have been received on your end.
> 
> Additionally, we would appreciate it if you could send us an updated list of any outstanding or unpaid invoices for our records.
> 
> Looking forward to your response.
> 
> Best regards,
> 
> Account Officer”

The payload was identified by our research team as **Backdoor.XWorm**. XWorm is a known remote-access trojan (RAT) and backdoor used for spying, keylogging, stealing data, and even installing ransomware. It is sold as malware-as-a-service (MaaS), which means cybercriminals sell (or more often, rent) it to other criminals, who can then distribute and deploy it as they see fit while using the MaaS provider’s infrastructure to receive stolen data and maintain access through the backdoor.

**Why this email was suspicious**

The email itself had obvious warning signs: no names, just a generic “Hi” and a vague “Account Officer” signature. Real invoices or payment notices almost always include contact details, so this alone should raise suspicion.

That attachment immediately stood out because .vbs files are almost never used in business emails anymore. Visual Basic Script was a Windows automation tool from the late 1990s and 2000s—long since replaced by more versatile scripting languages like PowerShell.

Today, almost every company blocks .vbs attachments outright because they can execute code the moment you open them.

So when one still gets through, it usually means either a security filter failed or an attacker deliberately tried to bypass it. In 2025, receiving a .vbs “invoice” is like finding a floppy disk in your mailbox. It’s retro, suspicious, and definitely not something you should plug in.

**How to stay safe**

*   **Double-check unexpected attachments**: If you weren’t expecting it, confirm first using a known contact method, rather than by replying to the same email.
*   **Don’t open executable files**: Anything ending in .exe, .vbs, .bat, or .scr can run code. Legitimate businesses don’t send these by email.
*   **Watch for red flags:** Generic greetings, odd job titles, or hidden file types are giveaways. Turn on the option to show file extensions so you can spot fakes like invoice.pdf.vbs.
*   **Keep your protection on and updated**: Use an up-to-date real-time anti-malware solution preferably with a web protection module.

**Technical analysis**

I wanted to know exactly what that attachment did and how it worked. For our technical readers, here’s my deep dive down the wormhole.

**The email**

The message itself was straightforward—a short “invoice” note with a polite request to confirm payment and a .vbs attachment named INV-20192,INV-20197.vbs. Nothing about the text was overtly malicious, but the presence of a Visual Basic Script attachment immediately stood out.

.vbs files are rarely, if ever, used in legitimate business correspondence anymore. Because they can execute code directly, most mail gateways block them outright. Seeing one arrive intact suggested either a configuration oversight or a deliberate attempt to bypass filtering.

That alone made the sample worth a closer look.

**Delivery**

Using an Excel file with a malicious VBA macro often makes more sense from a criminal’s perspective than sending a plain .vbs attachment. Excel files are common in business environments and can appear legitimate, making them less likely to raise suspicion than a raw script. Attackers also benefit because macro-enabled Office documents remain a frequent delivery mechanism. Many users and organisations still interact with these files and can be tricked into enabling macros for what seem like “legitimate” reasons.

Microsoft has made macros harder to execute by default, so some threat actors have shifted tactics. Macros still work where social engineering succeeds, but attackers increasingly experiment with other vectors when they can’t rely on macros.

Compared with an Excel document, a .vbs attachment immediately stands out as unusual in modern business email and is often blocked by gateway rules. In this case, the sender may also have been counting on hidden file extensions (invoice.pdf.vbs) to make the file look like a harmless invoice; a small deception that still fools busy users.

Although .vbs is largely obsolete, it’s not harmless. Visual Basic Script can run arbitrary commands on Windows and can download or create additional malicious files. It’s crude, but it still works if it gets past filters or lands with an unaware user.

I expected the code to be less-than-sophisticated, but only the first level was.

The .vbs dropped IrisBud.bat into %TEMP% (C:\Windows\Temp\IrisBud.bat) and invoked it via WMI. The .bat restarted itself in a way so it ran invisibly. The batch then copied itself to the user profile as aoc.bat and contained heavy obfuscation. Its end goal was to run a PowerShell loader that read encoded strings from aoc.bat and turn them into the real payload.

Our team identified that payload as Backdoor.XWorm—a remote-access trojan (RAT) sold as malware-as-a-service. If executed, it would give attackers stealthy access to the machine: steal files and credentials, record keystrokes, install more malware, or deploy ransomware.

The whole chain runs quietly and is designed to avoid detection. Simply opening the attachment would have put the user’s data at serious risk. If you have found Backdoor.XWorm on your machine, we advise you to follow the remediation and aftermath sections of this detection profile.

**VBS**

The .vbs file at first sight looked like alphabet soup, but the last line (of 429) provided the plan. I commented out that last line so INV-20192,INV-20197.vbs would create IrisBud.bat but **not** execute it.

A piece of the code inside the vbs file with the last line commented out

**BAT**

However, my hopes of the batch file being easier to read were quickly run into the ground. Most of the batch file consisted of simple WriteLine commands which wrote almost everything ad verbatim into IrisBud.bat.

But if you look closely you see a lot of repeated variables like %gkgqglgzhphupcp% in the first line and %viqfvdhc% in line 30. I determined that these variables were not assigned a value and only there for “padding.” Padding is a technique used by malware authors to make their malicious programs harder to detect or analyze.

Imagine you have a box with secret contents that you don’t want anyone to find easily. To hide what’s really inside, you fill the box with a lot of extra, useless material—like packing peanuts, shredded paper, or just empty space—so it’s difficult for someone to see or measure what’s actually important in the box.

So, my first move was to get rid of all the padding. Although not perfect, that cleared some things up.

Partly deobfuscated bat file

The line  
if not DEFINED Abc1 (set Abc1=1 & cmd /c start "" /min "%~dpnx0" %* & exit)  
is a classic malware technique to hide execution from the user while keeping the script running in the background. Let’s look at it step by step:

1.  if not DEFINED Abc1 — Checks if the variable Abc1 doesn’t exist yet.
2.  set Abc1=1 — Sets the variable to 1 (which marks that this check has been done).
3.  cmd /c start "" /min "%~dpnx0" %* — Restarts the batch file:
    *   cmd /c runs a new command prompt
    *   start "" /min starts a program minimized (invisible to the user)
    *   "%~dpnx0" is the full path to the current batch file itself
    *   %* passes along any command-line arguments
4.  exit — Exits the current (visible) instance

So, in other words the first time it runs:

*   It restarts itself in a minimized/hidden window.
*   The original visible instance exits immediately.
*   The new hidden instance continues running with Abc1=1 set, so it won’t trigger this restart loop again.

And this line:  
copy "%sourceFile%" "%userprofile%\aoc.bat" >nul  
is where the bat file copies itself to the user’s profile directory.

Breaking it down:

*   %sourceFile% — The source (set earlier to the current batch file’s full path).
*   %userprofile%\aoc.bat — The destination: the user’s profile directory (typically C:\Users\[username]\) with the new name aoc.bat.
*   >nul — Suppresses output (hides the “1 file(s) copied” message).

The setlocal enabledelayedexpansion is needed because exclamation marks (!) around variables are used for delayed variable expansion, which allows the batch script to update and use the value of variables dynamically within loops or code blocks where normal percent expansion wouldn’t work. This requires delayed expansion to be enabled which is done with the command setlocal enabledelayedexpansion.

From the next lines I can tell that the !xmgotoyfycqitjc! which we see can be replaced by the set command.

Because it is defined by:

set "xmgotoyfycqitjc=!ejlhixzkmttzgho!e!ugcqubmykdxgowp!"  
where earlier we saw:  
set "ejlhixzkmttzgho=s"  
set "ugcqubmykdxgowp=t"  
Together this makes xmgotoyfycqitjc = s + e + t so my next step was to replace all those instances. And with that we made a good start at mapping out all the variables that were not intended as padding.

Of specific interest in this case was one particular line (414) where all the mapped variables came together.

Last piece of the partly deobfuscated bat file

The only two other lines that stood out were two lines that begin with :: and contain a very long string. While these superficially appear to be ordinary batch comments, they actually hide encrypted payload data (lines 41 and 69 are the hidden payload).

We’ll get to those later on.

First, we need to construct line 414 into something readable.

After replacing all the defined variables, line 414 turned into this:

Windows\System32\WindowsPowerShell\v1.0\powershell.exe-nop -c coding]::Unicode.GetString([Convert]::FromBase64String(('CgAkA…..{very_long_base64_encoded_string}…..AoA'.Replace('hkfdo','')))))

The **replace** command showed me that I had to remove even more padding—this time from the encoded PowerShell script which was padded with the hkfdo string.

**PowerShell**

After I did that and decoded the base64 string, this was the PowerShell script:

The resulting PowerShell script

What this PowerShell script does explains why the two long lines I referred to earlier are needed:

**First part**: the script looks for the hidden payload in aoc.bat (the copy it created). The script reads aoc.bat line by line, looking for lines that start with ::: (three colons). If it finds one, it treats everything after the colons as Base64-encoded data, decodes it, and runs it as PowerShell code. This is a way to hide malicious commands inside what looks like a batch file comment.

**Second part:** creates the main malicious payload**.** The big block (starting with $weiamnightfo) does several things:

1.  **Reads encrypted data from aoc.bat**: It looks for a line starting with :: (two colons) in the batch file, which contains encrypted and compressed malware.
2.  **Decrypts the data:** It uses AES encryption (with a hardcoded key and Initialization Vector (IV)) to decrypt the payload. Think of this like unlocking a safe with a specific combination.
3.  **Decompresses it:** After decryption, it unzips the data using GZip compression. The malware was squeezed down to make it smaller and harder to detect.
4.  **Loads and runs the malware:** The decrypted/decompressed data turns out to be two executable files. The script loads these files directly into memory and runs them without ever saving them to disk. This is called a “fileless attack” and helps avoid anti-malware detection.

By loading and running these malicious programs directly in memory, the attack avoids dropping visible files on disk, making it much harder for anti-malware solutions to spot or capture the real threat.

**Payload**

To extract the payload safely I wrote a Python script to reproduce steps 1–3 without executing the code in memory. That produced two executable samples which I ran in an isolated sandbox.

The sandbox revealed a mutex 5wyy00gGpG6LF3m6 which pointed to the XWorm family. “Mutex” stands for mutual exclusion, which is a special marker that a running program creates on a Windows computer to make sure only one copy of the process is running at once. Malware authors bake them into their code and security analysts catalog them, much like a “fingerprint.” So when our researchers see one of the known mutex names, they can easily classify the malware and move on to the next sample.

**Indicators of Compromise (IOCs)**

INV- 20192,INV-20197.vbs (email attachment)  
IrisBud.bat (in %temp% folder)  
aoc.bat (In %user% folder)  
SHA256: 0861f20e889f36eb529068179908c26879225bf9e3068189389b76c76820e74e ( for Backdoor.XWorm)

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 We opened a fake invoice and fell down a retro XWorm-shaped wormhole 

Think twice before clicking that "Secure Message" alert from your organization's spam filters. It might be a phish built to steal your credentials.

Cybercriminals are spoofing “email delivery” notifications to look like they came from spam filters inside your own organization. The goal is to lure you to a phishing site that steals login credentials—credentials that could unlock your email, cloud storage or other personal accounts.

The email claims that, due to an upgrade in the Secure Message system, some pending messages didn’t make it to your inbox and are ready to be moved there now.

> “Email Delivery Reports: Incoming Pending Messages
> 
> We have recently upgraded our Secure Message system, and there are pending messages that have not been delivered to your Inbox.
> 
> Failure Delivery Messages
> 
> Email Delivery Reports For  info@seychellesapartment.com
> 
>    Status :                         Subject:                      Date:            Time:
> 
> {A couple of message titles that are very generic and common as not to raise any suspicion}
> 
> Move To Inbox (button)
> 
> Note     : The messages will be delivered within 1-2 hours after you receive a confirmation Mail Notice. If this message lands in your spam folder, please move it to your inbox folder
> 
> Mail Encrypted by {spoofed domain} © All Rights Reserved. | If you do not wish to receive this message    Unsubscribe. (link)”

Both the “Move to Inbox” button and the unsubscribe link abuse a cbssports\[.\]com redirect to reach the real phishing site located on the domain mdbgo\[.\]io, which was blocked by Malwarebytes.

Researchers at Unit42 warned about this type of phishing campaign, so we decided to take a closer look.

The links pass the spoofed email address as a base64-encoded string to the phishing site. Going to that site, we were served this fake login screen with the target’s domain already filled in—making it look personalized and legitimate:

Contrary to Unit42’s findings, we found that this version of the attack is more sophisticated and likely evolving quickly. The phishing site’s code is heavily obfuscated, and credentials are harvested through a websocket.

A websocket keeps an open channel between your browser and the website’s server—like a phone call that never hangs up. This lets the browser and server send messages instantly back and forth, in both directions, without needing to reload the page. Cybercriminals love using websockets because they receive your details the instant you type them into a phishing site, and can even send prompts for additional information, such as two-factor authentication (2FA) codes.

This means that if you enter your email and password on such a site, attackers could instantly take control of your email, access cloud-stored files, reset other passwords, and impersonate you across services.

**How to stay safe from phishing emails**

In phishing attempts like these, two simple rules can save you from lots of trouble.

*   Don’t open unsolicited attachments
*   Always check the website address in the browser before signing in. Make sure it matches the site you expect to be on.

Other important tips to stay safe from phishing in general:

*   **Verify the sender.** Always check if the sender’s email address matches what you would expect it to be. It’s not always conclusive, but it can help you spot some attempts.
*   **Double-check requests** through another channel if you receive an attachment or a link you weren’t expecting.
*   **Use up-to-date security software**, preferably with a web protection component.
*   **Keep your device and all its software updated.**
*   **Use multi-factor authentication** (MFA) for every account you can.
*   **Use a password manager.** Password managers will not auto-fill a password to a fake site, even if it looks like the real deal to you.

If you already entered credentials on a page you don’t trust, change your passwords immediately.

**Pro tip:** The free Malwarebytes Browser Guard extension would have stopped this attack as well:

**Indicators of Compromise (IOCs)**

*   several subdomains of mdbgo\[.\]io
*   xxx-three-theta.vercel\[.\]app
*   client1.inftrimool\[.\]xyz
*   psee\[.\]io
*   veluntra-technology-productivity-boost-cold-pine-8f29.ellenplum9.workers\[.\]dev
*   lotusbridge.ru\[.\]com
*   shain-log4rtf.surge\[.\]sh

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Phishing emails disguised as spam filter alerts are stealing logins 

This month’s Windows update closes several major security holes, including one that’s already being used by attackers. Make sure your PC is up to date.

These updates fix serious security issues — including one that attackers are already exploiting to take control of Windows systems. By chaining it with other attacks, they can gain full admin access, install malware, steal data, or make deeper changes you wouldn’t normally be able to undo. Run Windows Update today, restart your PC, and check you’re up to date.

**What’s been fixed**

Microsoft releases important security updates on the second Tuesday of every month—known as “Patch Tuesday.” This month’s patches fix critical flaws in Windows 10, Windows 11, Windows Server, Office, and related services.

Particularly noteworthy are some critical Remote Code Execution (RCE) bugs in Microsoft Graphics and Office that can allow attackers to run malicious code just by convincing someone to open a booby-trapped file or document.

A “zero-day” is a software flaw that attackers are already exploiting before a fix is available. The name comes from the fact that defenders have _zero days_ to protect themselves—attackers can strike before patches are released. In this month’s update, Microsoft fixed one such vulnerability: CVE-2025-62215, a Windows Kernel Elevation of Privilege (EoP) flaw.

It lets an attacker who already has local access to a device gain higher, admin-level permissions by exploiting what’s known as a “race condition.” A race condition vulnerability happens when different programs or processes try to use the same resource at the same time without proper coordination. During that brief window of confusion, attackers can slip through and exploit the system.

Attackers need to combine this vulnerability with other attack methods. Once they’ve compromised a system, they use this vulnerability to escalate privileges and gain admin-level rights.

Another critical vulnerability worth noting is CVE-2025-60724, which comes with a CVSS score of 9.8 out of 10. It’s a heap-based buffer overflow in the GDI+ Microsoft Graphics Component, which allows an unauthorized attacker to run malicious code over a network.

A buffer overflow happens when software writes more data to memory than it can handle, potentially overwriting other areas and injecting malicious code. In the case of CVE-2025-60724, Microsoft warns that attackers could exploit the flaw by convincing a victim to download and open a document that contains a specially crafted metafile. In more advanced attacks, the same vulnerability could be triggered remotely by uploading a malicious file to a vulnerable web service.

**How to apply fixes and check you’re protected**

These updates fix security problems and keep your Windows PC protected. Here’s how to make sure you’re up to date:

1\. Open **Settings**

*   Click the **Start** button (the Windows logo at the bottom left of your screen).
*   Click on **Settings** (it looks like a little gear).

2\. Go to **Windows Update**

*   In the Settings window, select **Windows Update** (usually at the bottom of the menu on the left).

3. **Check for Updates**

*   Click the button that says **Check for updates**.
*   Windows will search for the latest Patch Tuesday updates for November 2025.

If you have selected automatic updates earlier, you may see this:

*   Which means all you have to do is restart your system and you’re done updating.
*   If not, continue with the below.

4. **Download and Install**

*   If updates are found, they’ll start downloading right away. Once complete, you’ll see a button that says **Install** or **Restart now**.
*   Click **Install** if needed and follow any prompts. Your computer will usually need a restart to finish the update. If it does, click **Restart now**.

**5\. Double-check you’re up to date**

*   After restarting, go back to **Windows Update** and check again. If it says **You’re up to date**, you’re all set!

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Update now: November Patch Tuesday fixes Windows zero-day exploited in the wild 

Discover how Malwarebytes detects and blocks network-based ransomware attacks that bypass traditional ransomware protection.

Imagine this scenario: Your protection software is running perfectly. Systems are protected, definitions are up to date, behavioral analysis is active. Then, suddenly, files across your network start getting encrypted. Backups are being deleted. Ransom notes appear across your machines. Your security software shows nothing. No alerts, no detections, no blocked processes. How is this possible? 

This isn’t a hypothetical situation. It’s a real attack technique that ransomware operators are actively using to bypass even sophisticated protection systems. The attack exploits a fundamental assumption in how security software operates: that the malicious process and the files being attacked are on the same machine. When that assumption breaks down, traditional defenses fail. 

Malwarebytes ransomware protection works through multiple defensive layers. These include AI-based analysis, machine learning models, signature detection, runtime sandboxing, exploit mitigation, and web protection. Each layer stops threats at different stages. The Anti-Ransomware behavioral layer monitors actual file encryption behavior in real time. Malwarebytes continuously enhances all layers of its defense.  

This article discusses a recent innovation in our **Anti-Ransomware behavioral monitoring technology**. The result is a comprehensive enhancement incorporating innovations in file monitoring, network session tracking, behavioral analysis, and real-time threat correlation. 

****Why traditional protection fails** **

To understand why a ransomware attack over a network is so effective, we need to understand how this technology _typically_ works. The Anti-Ransomware component sits between applications and the file system, allowing it to see every file operation before it completes. 

When a process tries to open, read, or write a file, specialized callbacks are triggered. Think of these as security checkpoints where the security driver can inspect what’s happening and decide whether to allow the operation. The software looks at patterns: Is this process rapidly encrypting many files? Is it adding suspicious extensions? Is it attempting to delete backup Copies? These behavioral indicators, when combined, signal ransomware. 

This architecture works brilliantly when the ransomware process and the files being encrypted are on the same machine. The driver sees the process, tracks its behavior over time, builds a threat profile, and can block it before significant damage occurs. 

But what happens when ransomware runs on one device and attacks files on another? For example, an attacker compromises an unprotected device, a legacy device without current protection or an unmanaged guest device, and uses it to encrypt files on protected systems through network shares. Your machine doesn’t see any suspicious programs running. It just looks like someone is accessing files over the network, which happens all the time. 

This creates a perfect hiding spot for ransomware. On the attacking device, there might be no security software installed. On your main PC where files are being encrypted, the security software sees files changing but can’t tell which program is causing it. The connection between the malicious program and your files is hidden. 

Multiple ransomware variants have adopted this technique. They use specific commands to target network folders and shared drives. These aren’t random attacks. They’re carefully designed to bypass security software through remote encryption 

These aren’t opportunistic attacks. They’re carefully engineered for bypassing traditional anti-ransomware protection through remote encryption. 

****Two-part protection architecture** **

Solving this problem required addressing two distinct attack vectors. Part 1 involves a local process attacking remote files, while Part 2 involves a remote process attacking local files. Each required different technical approaches. 

**Part 1: Detecting local to remote attacks** 

When a program tries to access files on your network or shared folders, Malwarebytes checks if it’s behaving suspiciously. If the program is rapidly changing many files and creating ransom notes, the system builds a threat score in real time. 

The key innovation is that Malwarebytes tracks local and network activity separately. A program might be safely working with files on your computer while attacking files on another device through the network. By monitoring both, we can catch ransomware without false alarms. When Malwarebytes detects ransomware behavior, it blocks the malicious program immediately, stopping the attack before your files are encrypted. 

**Part 2: Detecting remote to local attacks** 

The second challenge is harder: what if the ransomware is running on another device and attacking your files remotely? There’s no malicious program on your computer to block. 

Our solution tracks network connections. When files are accessed from another device on your network, Windows keeps information about which device is connecting. Malwarebytes captures this information and watches for suspicious behavior, like rapidly changing many files, adding suspicious file extensions, or creating ransom notes. When we detect an attack coming from another device, we block that specific connection from accessing your files. 

****Innovation in ransomware protection** **

Our implementation operates through our specialized components. This architecture is essential for both performance and security. Every file operation goes through our filter, so we need to process decisions in microseconds to avoid impacting system responsiveness. 

We implemented multiple optimization layers. First, we filter out file operations that categorically cannot be ransomware related. Opening a file for read only access is not a threat, so we skip detailed analysis. Operations that only query metadata happen constantly in Windows and can be safely ignored for ransomware detection purposes. 

For operations that require analysis, we implemented a sophisticated indicator time-to-live (TTL) system. Behavioral indicators decay over time. This prevents false positives from legitimate activities like file synchronization tools or backup software. 

The network session tracking component required deep integration with Windows networking. We extract session information by accessing internal structures that Windows uses for network file serving. Our exclusion system supports IPv4, IPv6, hostnames, and CIDR notation for network ranges. 

****What makes this protection different** **

Several factors distinguish the Malwarebytes approach from other solutions.

The first is comprehensiveness. Many security vendors address this partially. Remote processes attacking local files or where local processes attack remote files. An attacker who compromises a single endpoint can still encrypt the shared resources. Malwarebytes protects against both vectors. 

Second is precision. Many solutions block entire network connections or lock accounts when they detect threats. Malwarebytes is more precise. We block only the specific malicious connection. Other activities from the same device continue working normally. Only the ransomware’s access is stopped. 

Third is performance. Malwarebytes runs efficiently without slowing down your computer. 

Fourth is proven protection. This technology has been tested and deployed across many different business and home networks. It is proven to work in real world situations. 

****The broader implications** **

This protection does more than just stop one type of ransomware attack. It represents a new way of thinking about network-aware security. The old approach treated each device separately, but that doesn’t work when attackers use network connections to spread threats. Security solutions need to understand that attacks can come from any device on the network and target any accessible files. 

The technology we’ve built can do more than stop ransomware. The same system that tracks network connections and monitors suspicious behavior can help detect other threats, like someone trying to steal your data or access files they shouldn’t have permission to view. 

Attackers will keep evolving their methods. The attacks we’re seeing now will become more sophisticated. They might try to disguise themselves as normal computer maintenance or file management. Our protection is designed to adapt. Because it watches for suspicious patterns of behavior rather than looking for specific known attacks, it can detect new variations without needing constant updates. 

Ransomware keeps evolving, and attackers constantly find new ways to bypass security. Malwarebytes is committed to staying ahead with real innovation. This enhancement closes a critical gap that many security programs don’t address until it’s too late. 

If you’re choosing security software or reviewing your current protection, ask yourself: Does it protect against ransomware that spreads through network shares? This is becoming increasingly important as more ransomware attacks use this technique. 

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 How Malwarebytes stops the ransomware attack that most security software can&#8217;t see  

A critical vulnerability that affects Samsung mobile devices was exploited in the wild to distribute LANDFALL spyware.

A critical vulnerability has put Samsung mobile device owners at risk of sophisticated cyberattacks. On November 10, 2025, the US Cybersecurity and Infrastructure Security Agency (CISA) added a vulnerability, tracked as CVE-2025-21042, to its Known Exploited Vulnerabilities (KEV) catalog. The KEV catalog lists vulnerabilities that are known to be exploited in the wild and sets patch deadlines for Federal Civilian Executive Branch (FCEB) agencies.

So, for many cybersecurity professionals, CISA adding this vulnerability to the list signals both urgency and confirmation of active, real-world exploitation.

CVE-2025-21042 was reportedly exploited as a remote code execution (RCE) zero-day to deploy LANDFALL spyware on Galaxy devices in the Middle East. But once that happens, other criminals tend to quickly follow with similar attacks.

The flaw itself is an out-of-bounds write vulnerability in Samsung’s image processing library. These vulnerabilities let attackers overwrite memory beyond what is intended, often leading to memory corruption, unauthorized code execution, and, as in this case, device takeover. CVE-2025-21042 allows remote attackers to execute arbitrary code—potentially gaining complete control over the victim’s phone—without user interaction. No clicks required. No warning given.

Samsung patched this issue in April 2025, but CISA’s recent warning highlights that exploits have been active in the wild for months, with attackers outpacing defenders in some cases. The stakes are high: data theft, surveillance, and compromised mobile devices being used as footholds for broader enterprise attacks.​

The exploitation playbook is as clever as it is dangerous. According to research from Unit 42, criminals (likely private-sector offensive actors operating out of the Middle East) weaponized the vulnerability to deliver LANDFALL spyware through malformed Digital Negative (DNG) image files sent via WhatsApp. DNG is an open and lossless RAW image format developed by Adobe and used by digital photographers to store uncompressed sensor data.

The attack chain works like this:

*   The victim receives a booby-trapped DNG photo file.
*   The file, armed with ZIP archive payloads and tailored exploit code, triggers the vulnerability in Samsung’s image codec library.
*   This is a “zero-click” attack: the user doesn’t have to tap, open, or execute anything. Just processing the image is enough to compromise the device.

It’s important to know that Samsung addressed another image-library flaw, CVE-2025-21043, in September 2025, showing a growing trend: image processing flaws are becoming a favorite entry point for both espionage and cybercrime.

**What should users and businesses do?**

Our advice to stay safe from this type of attack is simple:

*   **Patch immediately.** If you haven’t updated your Samsung device since April, do so. FCEB organizations have until December 1, 2025, to comply with CISA’s operational directive.
*   **Be wary of unsolicited messages and files**, especially images received over messaging apps.
*   **Download apps only from trusted sources** and avoid sideloading files.
*   **Use up-to-date real-time anti-malware solution** for your devices.

Zero-days targeting mobile devices are becoming frighteningly common, but the risk can be lowered with urgent patching, awareness, and solid security controls. As LANDFALL shows, the most dangerous attacks today are often the quietest—no user action required and no obvious signs until it’s too late.

****Device models targeted by LANDFALL:****

Galaxy S23 Series

Galaxy S24 Series

Galaxy Z Fold4

Galaxy S22

Galaxy Z Flip4

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Source

Malwarebytes