In this week’s newsletter, Amy recounts her journey from Halloween festivities to unraveling the story of the 2022 Viasat satellite hack, with plenty of cybersecurity surprises along the way.

Thursday, November 13, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

A year ago, fresh off a layoff, I never would have guessed I’d be spending Halloween weekend bouncing between conversations about space policy, satellite hacking, and wedding plans. That’s exactly what happened when my space analyst friend came to stay with us for a few days. Between coffee runs, getting sneak peeks of his upcoming book, and painting on skull makeup for a party, we found ourselves deep in discussions about putting data centers in space and, inevitably, the world of satellite cybersecurity. 

Somewhere within all of that, I realized I was on deck for the newsletter intro soon, and I did what any cyber newbie would do: I asked the nearest expert if there had ever been a well-known cyberattack on satellites. My friend didn’t even blink before answering, “KA-SAT.”

Some light research and a few Webex messages later, I was speaking with our own Joe Marshall — who, lucky for me, might be the only person at Cisco who’s been to satellite hacking training.

Joe walked me through how on Feb. 24, 2022, just hours before Russia’s invasion of Ukraine, a cyber attack targeted Viasat’s KA-SAT satellite network. The attackers exploited a vulnerability in a VPN appliance, gaining access to the network’s management systems. They then deployed a wiper malware called AcidRain, which was designed to erase data on modems and routers across Europe.

Satellite communications were disrupted for thousands of users in Ukraine, but surprisingly, beyond Ukraine’s borders, approximately 5,800 Enercon wind turbines in Germany lost connectivity for remote monitoring and control. 

One surprise from the conversation was the overlap between the AcidRain wiper and VPNFilter, which you may remember from Joe’s September newsletter. AcidRain may be VPNFilter’s successor. Take a look:

Figure 1. Section headers strings tables for VPNFilter (left) and AcidRain (right). Credit: SentinelOne.

Identical, hinting at a shared compiler and other technical links, as SentinelOne's blog details.

What followed this summary was a LOT of questions on my part. What _was_ the VPN vulnerability? How did the wiper work, exactly? What are the pros and cons of replacing vs. fixing the modems, and what about the logistics of the winning decision? Ultimately, while the AcidRain attack was destructive, it was, in the context of what else was happening to Ukraine’s infrastructure, a blip.

As a newcomer to both cybersecurity and Talos, I keep discovering that there are always gaps in the story. I didn’t get all my questions answered because companies guard details, official statements leave out key information, and sometimes, even years later, we’re still piecing things together. Being okay with that is a tall order for people who scour logs looking for a needle in a stack of needles. But when attacks are raining down, customers aren’t asking you to send a flawless analysis. They want to know what you'redoing to keep them safe. 

So, as I write this, still with more questions than answers about AcidRain and the KA-SAT attacks, I’m learning to find peace in knowing that curiosity is the foundation for future expertise. Keep acquiring knowledge, asking questions (both basic and complex), and being okay with some uncertainty.

**The one big thing **

Cisco Talos published a new blog today on the Kraken ransomware group. Linked to HelloKitty, they double-extort organizations globally with cross-platform attacks and use advanced techniques like encryption benchmarking and anti-analysis. Kraken has also launched a new underground forum to strengthen ties within the cybercrime community. 

**Why do I care? **

Kraken’s advanced, cross-platform techniques — including encryption benchmarking and evasion methods — raise the threat level for organizations of all sizes, and may inspire similar advancements in future ransomware. Plus, their new secure underground forum may accelerate collaboration between threat actors, making robust, layered defenses and intelligence sharing among defenders even more critical. 

**So now what? **

Prioritize patching known vulnerabilities (especially SMB), strengthen credential management, and implement comprehensive endpoint, network, and access security solutions. Continuous monitoring, incident response planning, and user awareness training are crucial to detect and contain threats early. 

**Top security headlines of the week **

**SAP fixes serious security issues - here's how to stay safe**   
A patch is now publicly available, and while SAP’s users were previously notified, the researchers are once again urging everyone to apply it as soon as possible since the risk is only going to get bigger going forward. (TechRadar) 

**Phishing tool uses smart redirects to bypass detection**   
A new phishing tool targeting Microsoft 365 users called Quantum Route Redirect simplifies what was once a technically complex campaign flow, as well as offers a uniquely evasive redirect feature that can bypass even robust email protections. (Dark Reading) 

**Cisco finds open-weight AI models easy to exploit in long chats**   
The report, titled Death by a Thousand Prompts: Open Model Vulnerability Analysis, analyzed eight leading open-weight language models and found that multi-turn attacks, where an attacker engages the model across multiple conversational steps, were up to ten times more effective than one-shot attempts. (HackRead) 

**Nearly 30 alleged victims of Oracle EBS hack named on Cl0p ransomware site**   
The Cl0p website lists major organizations such as Logitech, The Washington Post, Cox Enterprises, Pan American Silver, LKQ Corporation, and Copeland. (SecurityWeek) 

**Kimsuky APT takes over South Korean Androids, abuses KakaoTalk**   
One of North Korea's formidable advanced persistent threat (APT) groups is targeting Android users in South Korea with a remote reset attack that exploits a feature in Google aimed at helping users find their devices. (Dark Reading) 

**Can’t get enough Talos? **

**The TTP: How Talos built an AI model into one of the internet's most abused layers**  
Hazel talks with Talos researcher David Rodriguez about how adversaries use DNS tunneling to sneak data out of networks, why it’s so difficult to spot in real time, and how Talos built an AI model to detect it without breaking anything important (like the internet).

**The 2026 Snort Calendar is now available**   
Snorty will pose as a new mythical creature each month. To get your copy, fill out our short survey. Calendars will begin shipping in December 2025. U.S. shipping only, available while supplies last. 

**Talos Takes: How attackers use your own tools against you**   
From a wave of Toolshell events, to a rise in post-exploitation phishing, and the misuse of legitimate tools like Velociraptor, this quarter’s cases all point to a theme: attackers are getting very good at living off what’s already in your environment.

**Do robots dream of secure networking?**   
This blog demonstrates a proof of concept using LangChain and OpenAI, integrated with Cisco Umbrella API, to provide AI agents with real-time threat intelligence for evaluating domain dispositions.

**Upcoming events where you can find Talos **

*   DeepSec IDSC (Nov. 18 – 21) Vienna, Austria 
*   AVAR (Dec. 3 – 5) Kuala Lumpur, Malaysia 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**    
MD5: 2915b3f8b703eb744fc54c81f4a9c67f    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
Example Filename: e74d9994a37b2b4c693a76a580c3e8fe\_1\_Exe.exe    
Detection Name: Win.Worm.Coinminer::1201 

**SHA256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610**    
MD5: 85bbddc502f7b10871621fd460243fbc    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610    
Example Filename: 85bbddc502f7b10871621fd460243fbc.exe    
Detection Name: W32.41F14D86BC-100.SBX.TG 

**SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974**    
MD5: aac3165ece2959f39ff98334618d10d9    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974    
Example Filename: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974.exe    
Detection Name: W32.Injector:Gen.21ie.1201 

**SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**    
MD5: 7bdbd180c081fa63ca94f9c22c457376    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
Example Filename: e74d9994a37b2b4c693a76a580c3e8fe\_3\_Exe.exe    
Detection Name: Win.Dropper.Miner::95.sbx.tg 

**SHA256: d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a**    
MD5: 1f7e01a3355b52cbc92c908a61abf643    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a    
Example Filename: cleanup.bat    
Detection Name: W32.D933EC4AAF-90.SBX.TG 

**SHA256: c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe**    
MD5: bf9672ec85283fdf002d83662f0b08b7   
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe    
Example Filename: f\_003b6c.html    
Detection Name: W32.C0AD494457-95.SBX.TG

Viasat and the terrible, horrible, no good, very bad day

A fast-spreading threat, known as the screen-sharing scam, is using a simple feature on WhatsApp to steal money…

A fast-spreading threat, known as the screen-sharing scam, is using a simple feature on WhatsApp to steal money and personal data, according to an analysis from the research firm ESET (published on November 5, 2025).

This scam, which takes advantage of the screen-sharing tool available since 2023, has already led to massive losses worldwide, including a case in Hong Kong where a victim lost approximately US$700,000.

(Source: Facebook)

****The Screen-Sharing Scam****

According to ESET, the scam starts with an unexpected video call from an unfamiliar number. The caller pretends to be a trusted figure, like a bank employee or a support agent from Meta, the company that owns WhatsApp.

They create a huge sense of panic, claiming your account is compromised or that there’s a fraudulent charge on your credit card. They then ask you to share your screen, or even install remote apps like AnyDesk or TeamViewer, claiming they need to ‘fix’ the issue.

As is evident, the main trick is psychological, exploiting three key elements: trust, urgency, and control. “The goal is to build trust or create panic so that you act impulsively; the scam relies less on technical wizardry and more on psychological manipulation,” ESET’s report reads.

Additionally, victims are pressured into believing there is an immediate issue that requires their attention, and in that panic, they grant the scammer full access to their phone’s screen. With that access, the scammer can easily see and steal passwords, banking details, and the crucial one-time passwords (OTPs) that pop up.

A victim discussing the scam on Reddit and how their mother was one of the victims

****Meta Fights Back****

It is worth noting that Meta is actively fighting this threat. Meta is strengthening WhatsApp’s defences with new AI-powered safety tools. The most significant update is a real-time warning system that pops up an alert when you try to share your screen during a video call with a number that is not saved in your contacts. This feature is designed to make users pause and reconsider before exposing sensitive information.

Image source: Meta

The company is also addressing the global scale of the problem with action taken against around eight million scam\-linked accounts and removal of over 21,000 fake pages that were impersonating customer service representatives across various countries, including Myanmar, Cambodia, Laos, the UAE, and the Philippines.

****Your Best Defence****

Experts warn that to stay safe online, you should never share your screen, passwords, or verification codes with strangers, no matter how convincing they sound. Always verify suspicious claims directly with banks or relatives through a separate, trusted channel. Also, enabling Two-Step Verification in your WhatsApp settings greatly helps protect your account.

Scammers Abuse WhatsApp Screen Sharing to Steal OTPs and Funds

Google is suing more than two dozen unnamed individuals allegedly involved in peddling a popular China-based mobile phishing service that helps scammers impersonate hundreds of trusted brands, blast out text message lures, and convert phished payment card data into mobile wallets from Apple and Google.

**Google** is suing more than two dozen unnamed individuals allegedly involved in peddling a popular China-based mobile phishing service that helps scammers impersonate hundreds of trusted brands, blast out text message lures, and convert phished payment card data into mobile wallets from Apple and Google.

In a lawsuit filed in the Southern District of New York on November 12, Google sued to unmask and disrupt 25 “John Doe” defendants allegedly linked to the sale of **Lighthouse**, a sophisticated phishing kit that makes it simple for even novices to steal payment card data from mobile users. Google said Lighthouse has harmed more than a million victims across 120 countries.

A component of the Chinese phishing kit Lighthouse made to target customers of The Toll Roads, which refers to several state routes through Orange County, Calif.

Lighthouse is one of several prolific phishing-as-a-service operations known as the “**Smishing Triad**,” and collectively they are responsible for sending millions of text messages that spoof the U.S. Postal Service to supposedly collect some outstanding delivery fee, or that pretend to be a local toll road operator warning of a delinquent toll fee. More recently, Lighthouse has been used to spoof e-commerce websites, financial institutions and brokerage firms.

Regardless of the text message lure used or brand used, the basic scam remains the same: After the visitor enters their payment information, the phishing site will automatically attempt to enroll the card as a mobile wallet from Apple or Google. The phishing site then tells the visitor that their bank is going to verify the transaction by sending a one-time code that needs to be entered into the payment page before the transaction can be completed.

If the recipient provides that one-time code, the scammers can link the victim’s card data to a mobile wallet on a device that they control. Researchers say the fraudsters usually load several stolen wallets onto each mobile device, and wait 7-10 days after that enrollment before selling the phones or using them for fraud.

Google called the scale of the Lighthouse phishing attacks “staggering.” A May 2025 report from **Silent Push** found the domains used by the Smishing Triad are rotated frequently, with approximately 25,000 phishing domains active during any 8-day period.

Google’s lawsuit alleges the purveyors of Lighthouse violated the company’s trademarks by including Google’s logos on countless phishing websites. The complaint says Lighthouse offers over 600 templates for phishing websites of more than 400 entities, and that Google’s logos were featured on at least a quarter of those templates.

Google is also pursuing Lighthouse under the Racketeer Influenced and Corrupt Organizations (RICO) Act, saying the Lighthouse phishing enterprise encompasses several connected threat actor groups that work together to design and implement complex criminal schemes targeting the general public.

According to Google, those threat actor teams include a “**developer group**” that supplies the phishing software and templates; a “**data broker group**” that provides a list of targets; a “**spammer group**” that provides the tools to send fraudulent text messages in volume; a “**theft group**,” in charge of monetizing the phished information; and an “**administrative group**,” which runs their Telegram support channels and discussion groups designed to facilitate collaboration and recruit new members.

“While different members of the Enterprise may play different roles in the Schemes, they all collaborate to execute phishing attacks that rely on the Lighthouse software,” Google’s complaint alleges. “None of the Enterprise’s Schemes can generate revenue without collaboration and cooperation among the members of the Enterprise. All of the threat actor groups are connected to one another through historical and current business ties, including through their use of Lighthouse and the online community supporting its use, which exists on both YouTube and Telegram channels.”

Silent Push’s May report observed that the Smishing Triad boasts it has “300+ front desk staff worldwide” involved in Lighthouse, staff that is mainly used to support various aspects of the group’s fraud and cash-out schemes.

An image shared by an SMS phishing group shows a panel of mobile phones responsible for mass-sending phishing messages. These panels require a live operator because the one-time codes being shared by phishing victims must be used quickly as they generally expire within a few minutes.

Google alleges that in addition to blasting out text messages spoofing known brands, Lighthouse makes it easy for customers to mass-create fake e-commerce websites that are advertised using Google Ads accounts (and paid for with stolen credit cards). These phony merchants collect payment card information at checkout, and then prompt the customer to expect and share a one-time code sent from their financial institution.

Once again, that one-time code is being sent by the bank because the fake e-commerce site has just attempted to enroll the victim’s payment card data in a mobile wallet. By the time a victim understands they will likely never receive the item they just purchased from the fake e-commerce shop, the scammers have already run through hundreds of dollars in fraudulent charges, often at high-end electronics stores or jewelers.

**Ford Merrill** works in security research at SecAlliance, a CSIS Security Group company, and he’s been tracking Chinese SMS phishing groups for several years. Merrill said many Lighthouse customers are now using the phishing kit to erect fake e-commerce websites that are advertised on Google and Meta platforms.

“You find this shop by searching for a particular product online or whatever, and you think you’re getting a good deal,” Merrill said. “But of course you never receive the product, and they will phish that one-time code at checkout.”

Merrill said some of the phishing templates include payment buttons for services like **PayPal**, and that victims who choose to pay through PayPal can also see their PayPal accounts hijacked.

A fake e-commerce site from the Smishing Triad spoofing PayPal on a mobile device.

“The main advantage of the fake e-commerce site is that it doesn’t require them to send out message lures,” Merrill said, noting that the fake vendor sites have more staying power than traditional phishing sites because it takes far longer for them to be flagged for fraud.

Merrill said Google’s legal action may temporarily disrupt the Lighthouse operators, and could make it easier for U.S. federal authorities to bring criminal charges against the group. But he said the Chinese mobile phishing market is so lucrative right now that it’s difficult to imagine a popular phishing service voluntarily turning out the lights.

Merrill said Google’s lawsuit also can help lay the groundwork for future disruptive actions against Lighthouse and other phishing-as-a-service entities that are operating almost entirely on Chinese networks. According to Silent Push, a majority of the phishing sites created with these kits are sitting at two Chinese hosting companies: **Tencent** (AS132203) and **Alibaba** (AS45102).

“Once Google has a default judgment against the Lighthouse guys in court, theoretically they could use that to go to Alibaba and Tencent and say, ‘These guys have been found guilty, here are their domains and IP addresses, we want you to shut these down or we’ll include you in the case.'”

If Google can bring that kind of legal pressure consistently over time, Merrill said, they might succeed in increasing costs for the phishers and more frequently disrupting their operations.

“If you take all of these Chinese phishing kit developers, I have to believe it’s tens of thousands of Chinese-speaking people involved,” he said. “The Lighthouse guys will probably burn down their Telegram channels and disappear for a while. They might call it something else or redevelop their service entirely. But I don’t believe for a minute they’re going to close up shop and leave forever.”

Google Sues to Disrupt Chinese SMS Phishing Triad

CVE 2025 42887 vulnerability, rated 9.9, allows code injection through Solution Manager giving attackers full SAP control urgent patch needed to block system takeover.

Cybersecurity researchers are issuing an alert regarding a major security vulnerability discovered in SAP systems. This vulnerability, rated an extremely high 9.9 out of 10 in severity, could potentially let cyber attackers take complete control over a company’s SAP network and all the sensitive data it holds.

The discovery came from the SecurityBridge Threat Research Labs, a specialised team dedicated to identifying weaknesses in SAP security. As we know it, SAP software is the crucial backbone for countless businesses worldwide, handling critical functions like finance and logistics. This means any major security vulnerability presents a massive, immediate risk.

****Code Injection Threat Explained****

The most severe problem found by the SecurityBridge team is known as Note 3668705 (CVE-2025-42887), which affects SAP Solution Manager. This specific component is a powerful tool used to manage other SAP systems.

The issue is a Code Injection vulnerability, meaning an attacker can misuse a remote feature to sneak in malicious programming code. Once the code is successfully injected, it results in a total system compromise.

Joris van de Vis, the Director of Security Research at SecurityBridge, emphasised the severe nature of the threat in the blog post shared with Hackread.com. He noted that this flaw is “particularly dangerous because it allows to injection of code from a low-privileged user, which leads to a full SAP compromise and all data contained in the SAP system.”

****Patching Must Be Immediate****

This critical vulnerability was part of 25 new and updated SAP Security Notes released on the company’s November Patch Day, November 11, 2025. This month’s fixes included four notes in the highest-priority HotNews category.

SAP’s patch release included a second max-severity flaw (CVE-2025-42890, a perfect 10.0/10) related to hardcoded login details in the SQL Anywhere Monitor tool. Another HotNews fix (Note 3647332) was an update for an issue in SAP SRM. There were also two patches in the important High-Priority category, including one (Note 3633049) for a memory flaw in SAP CommonCryptoLib, used for encryption tasks.

A public fix (patch) has been released for CVE-2025-42887. While this solves the problem, the release of the patch also gives cybercriminals the information they need to try and copy the attack, which could speed up exploit development. Therefore, all organisations using SAP are strongly advised to install this patch immediately.

Furthermore, even older software is seeing updates: four fixes were released for the SAP Business Connector, a tool many integration specialists may remember. The SecurityBridge team also found two other issues addressed in the November patches: a Medium priority vulnerability (Note 3643337) and a Low priority one (Note 3634053).

The firm gave its own customers an advanced warning about these discoveries on October 30, 2025, advising them to update their security protections before the public disclosure.

SAP Pushes Emergency Patch for 9.9 Rated CVE-2025-42887 After Full Takeover Risk

Think twice before clicking that "Secure Message" alert from your organization's spam filters. It might be a phish built to steal your credentials.

Cybercriminals are spoofing “email delivery” notifications to look like they came from spam filters inside your own organization. The goal is to lure you to a phishing site that steals login credentials—credentials that could unlock your email, cloud storage or other personal accounts.

The email claims that, due to an upgrade in the Secure Message system, some pending messages didn’t make it to your inbox and are ready to be moved there now.

> “Email Delivery Reports: Incoming Pending Messages
> 
> We have recently upgraded our Secure Message system, and there are pending messages that have not been delivered to your Inbox.
> 
> Failure Delivery Messages
> 
> Email Delivery Reports For  info@seychellesapartment.com
> 
>    Status :                         Subject:                      Date:            Time:
> 
> {A couple of message titles that are very generic and common as not to raise any suspicion}
> 
> Move To Inbox (button)
> 
> Note     : The messages will be delivered within 1-2 hours after you receive a confirmation Mail Notice. If this message lands in your spam folder, please move it to your inbox folder
> 
> Mail Encrypted by {spoofed domain} © All Rights Reserved. | If you do not wish to receive this message    Unsubscribe. (link)”

Both the “Move to Inbox” button and the unsubscribe link abuse a cbssports\[.\]com redirect to reach the real phishing site located on the domain mdbgo\[.\]io, which was blocked by Malwarebytes.

Researchers at Unit42 warned about this type of phishing campaign, so we decided to take a closer look.

The links pass the spoofed email address as a base64-encoded string to the phishing site. Going to that site, we were served this fake login screen with the target’s domain already filled in—making it look personalized and legitimate:

Contrary to Unit42’s findings, we found that this version of the attack is more sophisticated and likely evolving quickly. The phishing site’s code is heavily obfuscated, and credentials are harvested through a websocket.

A websocket keeps an open channel between your browser and the website’s server—like a phone call that never hangs up. This lets the browser and server send messages instantly back and forth, in both directions, without needing to reload the page. Cybercriminals love using websockets because they receive your details the instant you type them into a phishing site, and can even send prompts for additional information, such as two-factor authentication (2FA) codes.

This means that if you enter your email and password on such a site, attackers could instantly take control of your email, access cloud-stored files, reset other passwords, and impersonate you across services.

**How to stay safe from phishing emails**

In phishing attempts like these, two simple rules can save you from lots of trouble.

*   Don’t open unsolicited attachments
*   Always check the website address in the browser before signing in. Make sure it matches the site you expect to be on.

Other important tips to stay safe from phishing in general:

*   **Verify the sender.** Always check if the sender’s email address matches what you would expect it to be. It’s not always conclusive, but it can help you spot some attempts.
*   **Double-check requests** through another channel if you receive an attachment or a link you weren’t expecting.
*   **Use up-to-date security software**, preferably with a web protection component.
*   **Keep your device and all its software updated.**
*   **Use multi-factor authentication** (MFA) for every account you can.
*   **Use a password manager.** Password managers will not auto-fill a password to a fake site, even if it looks like the real deal to you.

If you already entered credentials on a page you don’t trust, change your passwords immediately.

**Pro tip:** The free Malwarebytes Browser Guard extension would have stopped this attack as well:

**Indicators of Compromise (IOCs)**

*   several subdomains of mdbgo\[.\]io
*   xxx-three-theta.vercel\[.\]app
*   client1.inftrimool\[.\]xyz
*   psee\[.\]io
*   veluntra-technology-productivity-boost-cold-pine-8f29.ellenplum9.workers\[.\]dev
*   lotusbridge.ru\[.\]com
*   shain-log4rtf.surge\[.\]sh

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Phishing emails disguised as spam filter alerts are stealing logins 

Microsoft on Tuesday released patches for 63 new security vulnerabilities identified in its software, including one that has come under active exploitation in the wild.
Of the 63 flaws, four are rated Critical and 59 are rated Important in severity. Twenty-nine of these vulnerabilities are related to privilege escalation, followed by 16 remote code execution, 11 information disclosure, three

Vulnerability / Patch Tuesday

Microsoft on Tuesday released patches for 63 new security vulnerabilities identified in its software, including one that has come under active exploitation in the wild.

Of the 63 flaws, four are rated Critical and 59 are rated Important in severity. Twenty-nine of these vulnerabilities are related to privilege escalation, followed by 16 remote code execution, 11 information disclosure, three denial-of-service (DoS), two security feature bypass, and two spoofing bugs.

The patches are in addition to the 27 vulnerabilities the Windows maker addressed in its Chromium-based Edge browser since the release of October 2025's Patch Tuesday update.

The zero-day vulnerability that has been listed as exploited in Tuesday's update is CVE-2025-62215 (CVSS score: 7.0), a privilege escalation flaw in Windows Kernel. The Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) have been credited with discovering and reporting the issue.

"Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Kernel allows an authorized attacker to elevate privileges locally," the company said in an advisory.

That said, successful exploitation hinges on an attacker who has already gained a foothold on a system to win a race condition. Once this criterion is satisfied, it could permit the attacker to obtain SYSTEM privileges.

"An attacker with low-privilege local access can run a specially crafted application that repeatedly attempts to trigger this race condition," Ben McCarthy, lead cybersecurity engineer at Immersive, said.

"The goal is to get multiple threads to interact with a shared kernel resource in an unsynchronized way, confusing the kernel's memory management and causing it to free the same memory block twice. This successful 'double free' corrupts the kernel heap, allowing the attacker to overwrite memory and hijack the system's execution flow."

It's currently not known how this vulnerability is being exploited and by whom, but it's assessed to be used as part of a post-exploitation activity to escalate their privileges after obtaining initial access through some other means, such as social engineering, phishing, or exploitation of another vulnerability, Satnam Narang, senior staff research engineer at Tenable, said.

"When chained with other bugs this kernel race is critical: an RCE or sandbox escape can supply the local code execution needed to turn a remote attack into a SYSTEM takeover, and an initial low‑privilege foothold can be escalated to dump credentials and move laterally," Mike Walters, president and co-founder of Action1, said in a statement.

Also patched as part of the updates are two heap-based buffer overflow flaws in Microsoft's Graphics Component (CVE-2025-60724, CVSS score: 9.8) and Windows Subsystem for Linux GUI (CVE-2025-62220, CVSS score: 8.8) that could result in remote code execution.

Another vulnerability of note is a high-severity privilege escalation flaw in Windows Kerberos (CVE-2025-60704, CVSS score: 7.5) that takes advantage of a missing cryptographic step to gain administrator privileges. The vulnerability has been codenamed CheckSum by Silverfort.

"The attacker must inject themselves into the logical network path between the target and the resource requested by the victim to read or modify network communications," Microsoft said. "An unauthorized attacker must wait for a user to initiate a connection."

Silverfort researchers Eliran Partush and Dor Segal, who discovered the shortcoming, described it as a Kerberos constrained delegation vulnerability that allows an attacker to impersonate arbitrary users and gain control over an entire domain by means of an adversary-in-the-middle (AitM) attack.

An attacker who is able to successfully exploit the flaw could escalate privileges and move laterally to other machines in an organization. More concerning, threat actors could also gain the ability to impersonate any user in the company, allowing them to gain unfettered access or become a domain administrator.

"Any organization using Active Directory, with the Kerberos delegation capability turned on, is impacted," Silverfort said. "Because Kerberos delegation is a feature within Active Directory, an attacker requires initial access to an environment with compromised credentials."

**Software Patches from Other Vendors**

In addition to Microsoft, security updates have also been released by other vendors over the past several weeks to rectify several vulnerabilities, including —

*   Adobe
*   Amazon Web Services
*   AMD
*   Apple
*   ASUS
*   Atlassian
*   AutomationDirect
*   Bitdefender
*   Broadcom (including VMware)
*   Cisco
*   Citrix
*   ConnectWise
*   D-Link
*   Dell
*   Devolutions
*   Drupal
*   Elastic
*   F5
*   Fortinet
*   GitLab
*   Google Android
*   Google Chrome
*   Google Cloud
*   Grafana
*   Hitachi Energy
*   HP
*   HP Enterprise (including Aruba Networking and Juniper Networks)
*   IBM
*   Intel
*   Ivanti
*   Jenkins
*   Lenovo
*   Linux distributions AlmaLinux, Alpine Linux, Amazon Linux, Arch Linux, Debian, Gentoo, Oracle Linux, Mageia, Red Hat, Rocky Linux, SUSE, and Ubuntu
*   MediaTek
*   Mitsubishi Electric
*   MongoDB
*   Moxa
*   Mozilla Firefox and Firefox ESR
*   NVIDIA
*   Oracle
*   Palo Alto Networks
*   QNAP
*   Qualcomm
*   Rockwell Automation
*   Ruckus Wireless
*   Samba
*   Samsung
*   SAP
*   Schneider Electric
*   Siemens
*   SolarWinds
*   SonicWall
*   Splunk
*   Spring Framework
*   Supermicro
*   Synology
*   TP-Link
*   WatchGuard, and
*   Zoom

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Microsoft Fixes 63 Security Flaws, Including a Windows Kernel Zero-Day Under Active Attack

Threat hunters have uncovered similarities between a banking malware called Coyote and a newly disclosed malicious program dubbed Maverick that has been propagated via WhatsApp.
According to a report from CyberProof, both malware strains are written in .NET, target Brazilian users and banks, and feature identical functionality to decrypt, targeting banking URLs and monitor banking applications.

Threat hunters have uncovered similarities between a banking malware called Coyote and a newly disclosed malicious program dubbed Maverick that has been propagated via WhatsApp.

According to a report from CyberProof, both malware strains are written in .NET, target Brazilian users and banks, and feature identical functionality to decrypt, targeting banking URLs and monitor banking applications. More importantly, both include the ability to spread through WhatsApp Web.

Maverick was first documented by Trend Micro early last month, attributing it to a threat actor dubbed **Water Saci**. The campaign involves two components: A self-propagating malware referred to as SORVEPOTEL that's spread via the desktop web version of WhatsApp and is used to deliver a ZIP archive containing the Maverick payload.

The malware is designed to monitor active browser window tabs for URLs that match a hard-coded list of financial institutions in Latin America. Should the URLs match, it establishes contact with a remote server to fetch follow-on commands to gather system information and serve phishing pages to steal credentials.

Cybersecurity firm Sophos, in a subsequent report, was the first to raise the possibility of whether the activity could be related to prior reported campaigns that disseminated Coyote targeting users in Brazil and if Maverick is an evolution of Coyote. Another analysis from Kaspersky found that Maverick did contain many code overlaps with Coyote, but noted it's treating it as a completely new threat targeting Brazil en masse.

The latest findings from CyberProof show that the ZIP file contains a Windows shortcut (LNK) that, when launched by the user, runs cmd.exe or PowerShell to connect to an external server ("zapgrande\[.\]com") to download the first-stage payload. The PowerShell script is capable of launching intermediate tools designed to disable Microsoft Defender Antivirus and UAC, as well as retrieve a .NET loader.

The loader, for its part, features anti-analysis techniques to check for the presence of reverse engineering tools and self-terminate if found. The loader then proceeds to download the main modules of the attack: SORVEPOTEL and Maverick. It's worth mentioning here that Maverick is only installed after ensuring that the victim is located in Brazil by checking the time zone, language, region, and date and time format of the infected host.

CyberProof said it also found evidence of the malware being used to single out hotels in Brazil, indicating a possible expansion of targeting.

The disclosure comes as Trend Micro detailed Water Saci's new attack chain that employs an email-based command-and-control (C2) infrastructure, relies on multi-vector persistence for resilience, and incorporates several advanced checks to evade detection, enhance operational stealth, and restrict execution to only Portuguese-language systems.

"The new attack chain also features a sophisticated remote command-and-control system that allows threat actors real-time management, including pausing, resuming, and monitoring the malware's campaign, effectively converting infected machines into a botnet tool for coordinated, dynamic operations across multiple endpoints," the cybersecurity company said in a report published late last month.

New Water Saci attack chain observed

The infection sequence eschews .NET binaries in favor of Visual Basic Script (VB Script) and PowerShell to hijack WhatsApp browser sessions and spread the ZIP file via the messaging app. Similar to the previous attack chain, the WhatsApp Web hijack is performed by downloading ChromeDriver and Selenium for browser automation.

The attack is triggered when a user downloads and extracts the ZIP archive, which includes an obfuscated VBS downloader ("Orcamento.vbs" aka SORVEPOTEL), which, in turn, issues a PowerShell command to download and execute a PowerShell script ("tadeu.ps1") directly in memory.

This PowerShell script is used to take control of the victim's WhatsApp Web session and distribute the malicious ZIP files to all contacts associated with their account, while also displaying a deceptive banner named "WhatsApp Automation v6.0" to conceal its malicious intent. Furthermore, the script contacts a C2 server to fetch message templates and exfiltrate contact lists.

"After terminating any existing Chrome processes and clearing old sessions to ensure clean operation, the malware copies the victim's legitimate Chrome profile data to its temporary workspace," Trend Micro said. "This data includes cookies, authentication tokens, and the saved browser session."

Water Saci campaign timeline

"This technique allows the malware to bypass WhatsApp Web's authentication entirely, gaining immediate access to the victim's WhatsApp account without triggering security alerts or requiring QR code scanning."

The malware, the cybersecurity company added, also implements a sophisticated remote control mechanism that allows the adversary to pause, resume, and monitor the WhatsApp propagation in real-time, effectively turning it into malware capable of controlling the compromised hosts like a bot.

As for how it actually distributes the ZIP archive, the PowerShell code iterates through every harvested contact and checks for a pause command prior to sending personalized messages by substituting variables in the message template with time-based greetings and contact names.

Another significant aspect of SORVEPOTEL is that it leverages IMAP connections to terra.com\[.\]br email accounts using hardcoded email credentials to connect to the email account and retrieve commands rather than using a traditional HTTP-based communication. Some of these accounts have been secured using multi-factor authentication (MFA) to prevent unauthorized access.

This added security layer is said to have introduced operational delays since each login requires the threat actor to manually enter a one-time authentication code to access the inbox and save the C2 server URL used to send the commands. The backdoor then periodically polls the C2 server for fetching the instruction. The list of supported commands is as follows -

*   INFO, to collect detailed system information
*   CMD, to run a command via cmd.exe and export the results of the execution to a temporary file
*   POWERSHELL, to run a PowerShell command
*   SCREENSHOT, to take screenshots
*   TASKLIST, to enumerate all running processes
*   KILL, to terminate a specific process
*   LIST\_FILES, to enumerate files/folders
*   DOWNLOAD\_FILE, to download files from infected system
*   UPLOAD\_FILE, to upload files to infected system
*   DELETE, to delete specific files/folders
*   RENAME, to rename files/folders
*   COPY, to copy files/folders
*   MOVE, to move files/folders
*   FILE\_INFO, to get detailed metadata about a file
*   SEARCH, to recursively search for files matching specified patterns
*   CREATE\_FOLDER, to create folders
*   REBOOT, to initiate a system restart with 30-second delay
*   SHUTDOWN, to initiate a system shutdown with 30-second delay
*   UPDATE, to download and install an updated version of itself
*   CHECK\_EMAIL, to check the attacker-controlled email for new C2 URLs

The widespread nature of the campaign is driven by the popularity of WhatsApp in Brazil, which has over 148 million active users, making it the second largest market in the world after India.

"The infection methods and ongoing tactical evolution, along with the region-focused targeting, indicate that Water Saci is likely linked to Coyote, and both campaigns operate within the same Brazilian cybercriminal ecosystem," Trend Micro said, describing the attackers as aggressive in "quantity and quality."

"Linking the Water Saci campaign to Coyote reveals a bigger picture that exhibits a significant shift in the banking trojan's propagation methods. Threat actors have transitioned from relying on traditional payloads to exploiting legitimate browser profiles and messaging platforms for stealthy, scalable attacks."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks

A critical vulnerability that affects Samsung mobile devices was exploited in the wild to distribute LANDFALL spyware.

A critical vulnerability has put Samsung mobile device owners at risk of sophisticated cyberattacks. On November 10, 2025, the US Cybersecurity and Infrastructure Security Agency (CISA) added a vulnerability, tracked as CVE-2025-21042, to its Known Exploited Vulnerabilities (KEV) catalog. The KEV catalog lists vulnerabilities that are known to be exploited in the wild and sets patch deadlines for Federal Civilian Executive Branch (FCEB) agencies.

So, for many cybersecurity professionals, CISA adding this vulnerability to the list signals both urgency and confirmation of active, real-world exploitation.

CVE-2025-21042 was reportedly exploited as a remote code execution (RCE) zero-day to deploy LANDFALL spyware on Galaxy devices in the Middle East. But once that happens, other criminals tend to quickly follow with similar attacks.

The flaw itself is an out-of-bounds write vulnerability in Samsung’s image processing library. These vulnerabilities let attackers overwrite memory beyond what is intended, often leading to memory corruption, unauthorized code execution, and, as in this case, device takeover. CVE-2025-21042 allows remote attackers to execute arbitrary code—potentially gaining complete control over the victim’s phone—without user interaction. No clicks required. No warning given.

Samsung patched this issue in April 2025, but CISA’s recent warning highlights that exploits have been active in the wild for months, with attackers outpacing defenders in some cases. The stakes are high: data theft, surveillance, and compromised mobile devices being used as footholds for broader enterprise attacks.​

The exploitation playbook is as clever as it is dangerous. According to research from Unit 42, criminals (likely private-sector offensive actors operating out of the Middle East) weaponized the vulnerability to deliver LANDFALL spyware through malformed Digital Negative (DNG) image files sent via WhatsApp. DNG is an open and lossless RAW image format developed by Adobe and used by digital photographers to store uncompressed sensor data.

The attack chain works like this:

*   The victim receives a booby-trapped DNG photo file.
*   The file, armed with ZIP archive payloads and tailored exploit code, triggers the vulnerability in Samsung’s image codec library.
*   This is a “zero-click” attack: the user doesn’t have to tap, open, or execute anything. Just processing the image is enough to compromise the device.

It’s important to know that Samsung addressed another image-library flaw, CVE-2025-21043, in September 2025, showing a growing trend: image processing flaws are becoming a favorite entry point for both espionage and cybercrime.

**What should users and businesses do?**

Our advice to stay safe from this type of attack is simple:

*   **Patch immediately.** If you haven’t updated your Samsung device since April, do so. FCEB organizations have until December 1, 2025, to comply with CISA’s operational directive.
*   **Be wary of unsolicited messages and files**, especially images received over messaging apps.
*   **Download apps only from trusted sources** and avoid sideloading files.
*   **Use up-to-date real-time anti-malware solution** for your devices.

Zero-days targeting mobile devices are becoming frighteningly common, but the risk can be lowered with urgent patching, awareness, and solid security controls. As LANDFALL shows, the most dangerous attacks today are often the quietest—no user action required and no obvious signs until it’s too late.

****Device models targeted by LANDFALL:****

Galaxy S23 Series

Galaxy S24 Series

Galaxy Z Fold4

Galaxy S22

Galaxy Z Flip4

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Patch now: Samsung zero-day lets attackers take over your phone 

Intel, the leading computer chip maker, has filed a lawsuit seeking at least $250,000 in damages from a…

Intel, the leading computer chip maker, has filed a lawsuit seeking at least $250,000 in damages from a former software engineer, Jinfeng Luo, who is accused of stealing a huge amount of confidential company data before disappearing.

This incident comes as Intel faces massive job cuts. The company, as we know it, has laid off around 35,500 employees over the last couple of years as it tries to fix its money troubles.

Luo, who had worked at Intel since 2014, was notified on July 7, 2024, that his job was ending at the end of that month. According to court filings reported by media outlets, just days before his last day, Luo allegedly copied about 18,000 files onto a Network-Attached Storage (NAS) device. A NAS is basically a special hard drive connected to a network, making it possible to store and share data.

These files were not just any documents; some were even marked as “Intel Top Secret,” which means they contained the company’s most sensitive information. However, while Luo was notified of his termination amid these layoffs, the lawsuit itself does not state the specific reason why his job was ended.

Further probing revealed that Luo first tried to copy the files to an external drive a week before his departure, but Intel’s security systems blocked that attempt. He reportedly succeeded in the transfer a few days later, before spending the rest of his time downloading as much information as he could.

Intel detected the unusual transfers and has since spent over three months trying to contact Luo through phone calls, emails, and even letters. However, with the former employee still untraceable and not responding to any of the claims, Intel was forced to file the lawsuit in a Washington federal court.

The company is seeking the return of its property and is also demanding that the court order Luo to hand over his personal electronic devices for inspection. The case is officially titled Intel Corporation v. Luo, with Case Number 2:2025cv02159.

It is worth noting that this is not Intel’s first clash with a former employee stealing data. In a recent, separate case, another former engineer named Varun Gupta was sentenced to two years of probation and had to pay a $34,000 fine for taking proprietary information. That data was later used while he worked for Microsoft, which, the court found, actually gave the rival company an advantage in negotiations with Intel.

Intel’s lawsuit against Luo seeks the return of all the confidential data and the large sum of money for damages, as the company fights to protect its business secrets.

1.  German army’s sensitive data found on a laptop bought from eBay
2.  Ex-employee stole secrets of Israeli spyware firm for dark web deals
3.  Indian Ex-Employee Jailed for Wiping 180 Virtual Servers in Singapore
4.  Employee infects US govt network with malware after visiting 9k porn sites
5.  Sensitive Data of 130K+ US Navy Sailors Stolen Due to One Hacked Laptop

Intel Sues Ex-Engineer for Stealing 18,000 ‘Top Secret’ Files

Unit 42 discovered LANDFALL, commercial-grade Android spyware, which used a hidden image vulnerability (CVE-2025-21042) to remotely spy on Samsung Galaxy users via WhatsApp. Update your phone now.

Security researchers from Palo Alto Networks’ Unit 42 have discovered a dangerous new commercial-grade spyware called LANDFALL that secretly targeted Samsung Galaxy smartphones for months.

This sophisticated campaign relied on a hidden flaw to turn everyday image files sent over apps like WhatsApp into a tool for comprehensive surveillance. As detailed in Unit 42’s technical blog post, the foundation of this attack was a previously unknown zero-day vulnerability in a special Samsung software library (libimagecodec.quram.so) that handles image processing.

This vulnerability, tracked as CVE-2025-21042, allowed attackers to sneak the LANDFALL spyware onto a device without the user doing anything, not even clicking on a link. This is called a zero-click exploit, which is among the most dangerous attacks as it requires no user action and offers no viable defence.

For your information, CVE-2025-21042 was an ‘out-of-bounds write’ in the Samsung library and rated CVSS 9.8 (Critical). The issue basically means the spyware tricked the phone into writing malicious data outside its designated memory box.

Attackers delivered the spyware hidden inside specially created, malformed DNG (Digital Negative) image files. These images, with filenames suggesting they were sent via WhatsApp (e.g., WhatsApp Image… or WA0000.jpg), were used to exploit the Samsung vulnerability. Unit 42 confirmed they found no unknown flaws in WhatsApp itself.

Unit 42’s investigation further revealed that the LANDFALL operation was active in mid-2024, months before Samsung released a fix for the problem in April 2025. Researchers noted that a similar vulnerability (CVE-2025-21043) was patched in September 2024, showing this method of attack is part of a broader trend.

****A Powerful Spy Tool****

Once installed on a Samsung Galaxy device (including models like the S22, S23, S24, Z Flip4, and Z Fold4), LANDFALL acts as a full-featured digital spy. Its capabilities include everything from data exfiltration (stealing recorded calls, photos, contacts, and browsing history) and device fingerprinting (capturing critical identifiers like IMEI) to advanced persistence and evasion features. It can burrow deep into the system by manipulating security layers (like SELinux) and hide from security apps for long-term surveillance.

Timeline for recent exploit activity and LANDFALL spyware flowchart (Source: Palo Alto Networks)

The research suggests this was a targeted effort, not a widespread infection, with evidence pointing to activities in the Middle East, including possible victims in Iraq, Iran, Turkey, and Morocco. While no group is officially blamed, Unit 42 observed that the digital patterns and infrastructure share similarities with those of a known surveillance group called Stealth Falcon.

Current Samsung Galaxy users who have kept their devices updated are protected, as the critical flaw was fixed back in April 2025. However, the discovery of LANDFALL itself shows how advanced threats can operate for a long time, completely hidden from the average person.

Tag

#sap