This past week in cybersecurity highlighted a pervasive trend: threats are becoming more sophisticated, leveraging trusted tools like AI, VPNs, and app stores to bypass traditional defenses. Criminals are establishing robust, business-like operations for espionage, financial gain, and malware distribution, often by subverting the very services organizations depend on. Many of these exploits were not due to bugs but rather ingenious uses of existing features, demonstrating the increasing need for vigilant monitoring and proactive security measures against cleverly disguised threats.
The week’s cybersecurity landscape was marked by the silent exploitation of a critical Fortinet vulnerability, underscoring the urgency of patching even after a fix has been deployed. This vulnerability, tracked as CVE-2025-64446, combines path traversal and authentication bypass flaws within FortiWeb Web Application Firewall (WAF), allowing attackers to create malicious administrative accounts. The Cybersecurity and Infrastructure Security Agency (CISA) has added this highly critical flaw (CVSS score: 9.1) to its Known Exploited Vulnerabilities catalog, mandating remediation for Federal Civilian Executive Branch agencies by November 21, 2025.
⚡ Threat of the Week
The discovery and subsequent exploitation of CVE-2025-64446 in Fortinet’s FortiWeb WAF served as a stark reminder of the ongoing risks associated with unaddressed or silently exploited vulnerabilities. Threat actors have been actively leveraging this combined flaw, which allows for path traversal and authentication bypass, to establish unauthorized administrative access since early October 2025. This exploitation highlights a critical gap in security where patched vulnerabilities can still pose a significant threat if deployed systems are not consistently monitored and updated.
🔔 Top News and Key Developments
Law enforcement agencies, led by Europol and Eurojust, successfully disrupted malware operations through “Operation Endgame.” This operation led to the dismantling of the Rhadamanthys Stealer, Venom RAT, and the Elysium botnet, with arrests made and significant server and domain infrastructure seized. Indicative of the scale of these operations, Europol reported that the compromised infrastructure contained millions of stolen credentials, with many victims unaware of their systems’ infection.
Google has initiated legal action against 25 unnamed Chinese hackers responsible for the Lighthouse Phishing-as-a-Service (PhaaS) platform. Lighthouse is accused of targeting over one million users globally through large-scale smishing campaigns, impersonating various entities such as banks and delivery services to illicitly acquire personal and financial information. Google emphasized its commitment to ongoing vigilance and proactive measures within the evolving cybercrime ecosystem.
A new tactic by the North Korea-affiliated Konni group was identified, involving the exploitation of Google’s Find Hub service to remotely wipe Android devices. According to Google, this was not an exploitation of a software flaw but rather a consequence of compromised user credentials. The company urged users to implement multi-factor authentication to prevent such credential theft.
The npm open-source registry has been flooded with over 150,000 malicious packages designed to exploit the Tea Protocol for token farming. Amazon highlighted that this campaign creates a self-replicating system through circular dependencies, artificially inflating package metrics to gain financial benefits and potentially inspiring similar exploits in other reward-based systems.
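A registry operator or a consumer vetting a dependency tree can surface the circular-dependency pattern described above by looking for strongly connected clusters in the dependency graph. The sketch below is an added example, not code from Amazon's report or from npm; the manifests and package names are constructed, and `dependency_cycles` is a hypothetical helper name.

```python
# Added example. SAMPLE_MANIFESTS is constructed data, not real registry entries.
SAMPLE_MANIFESTS = {
    "tea-a": {"dependencies": {"tea-b": "1.0.0"}},
    "tea-b": {"dependencies": {"tea-c": "1.0.0"}},
    "tea-c": {"dependencies": {"tea-a": "1.0.0"}},
    "left-util": {"dependencies": {"tea-a": "1.0.0"}},
    "self-ref": {"dependencies": {"self-ref": "1.0.0"}},
    "solo": {},
}


def dependency_cycles(manifests):
    """Return sorted clusters of packages that form dependency cycles
    (iterative Tarjan SCC; dependencies outside `manifests` are ignored)."""
    graph = {n: sorted(d for d in m.get("dependencies", {}) if d in manifests)
             for n, m in manifests.items()}
    index, low, stack, on_stack, clusters = {}, {}, [], set(), []

    def enter(node):
        index[node] = low[node] = len(index)
        stack.append(node)
        on_stack.add(node)
        return (node, iter(graph[node]))

    for root in sorted(graph):
        if root in index:
            continue
        work = [enter(root)]
        while work:
            node, deps = work[-1]
            # Next edge that matters: an unvisited package or one still on the stack.
            child = next((d for d in deps if d not in index or d in on_stack), None)
            if child is not None and child not in index:
                work.append(enter(child))                    # tree edge: descend
            elif child is not None:
                low[node] = min(low[node], index[child])     # back edge into the stack
            else:
                work.pop()
                if work:
                    low[work[-1][0]] = min(low[work[-1][0]], low[node])
                if low[node] == index[node]:                 # node roots a component
                    scc = []
                    while not scc or scc[-1] != node:
                        member = stack.pop()
                        on_stack.discard(member)
                        scc.append(member)
                    if len(scc) > 1 or node in graph[node]:
                        clusters.append(sorted(scc))
    return sorted(clusters)
```

A package such as `left-util` that merely depends on a cycle is not reported; only the members of the cycle are.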
Anthropic reported that a Chinese state-sponsored hacking group leveraged its Claude AI tool for espionage campaigns, automating much of the attack process. The attackers bypassed safeguards by claiming to conduct security audits. While Anthropic disrupted the activity by banning accounts, some cybersecurity experts have expressed skepticism due to a lack of concrete indicators of compromise in the initial report, suggesting the techniques used were not entirely novel.
🔥 Trending CVEs and Vulnerabilities
The ongoing threat landscape necessitates immediate attention to newly identified vulnerabilities. This week’s trending CVEs highlight active areas of concern across various software and hardware platforms. Organizations must prioritize patching efforts for vulnerable systems, including Fortinet FortiWeb, Zoom, Devolutions Server, WatchGuard Firebox, SAP products, Synology BeeStation OS, Ivanti Endpoint Manager, Lite XL, Wolfram Cloud, Dell Data Lakehouse, Apache OpenOffice, Visual Studio Code extensions, Kibana, Palo Alto Networks PAN-OS, GitLab CE/EE, ASUS DSL series, Apple Compressor, NVIDIA NeMo Framework, Cisco Catalyst Center, and pgAdmin4. Swift remediation is crucial to prevent potential exploitation by threat actors who are actively scanning for and exploiting these weaknesses.
📰 Around the Cyber World
Researchers have found a method to leak the system prompt of OpenAI’s Sora 2 video generation model by transcribing its audio output. While text-based outputs have limitations, generating speech at accelerated speeds allows for the reconstruction of a more complete system prompt, highlighting how multimodal AI capabilities can open new avenues for sensitive data exfiltration.
A critical Server-Side Request Forgery (SSRF) vulnerability in OpenAI’s Custom GPT Actions feature has been patched. This flaw allowed malicious configurations to trick ChatGPT’s servers into making unauthorized requests to internal services, such as Azure’s metadata service, potentially exposing sensitive secrets. The incident underscores the significant impact of minor validation gaps in complex frameworks.
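The validation gap in this class of bug is usually a missing check on where a user-configured URL actually leads. As an added example (not OpenAI's fix and not code from the original report), the sketch below vets configured action URLs before any server-side fetch, rejecting anything that resolves to a non-public address such as the 169.254.169.254 metadata endpoint; the hostnames, the DNS table and the function names are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed DNS answers so the example runs offline; hostnames are hypothetical.
SAMPLE_DNS = {
    "api.partner.example": ["93.184.216.34"],
    "metadata.attacker.example": ["169.254.169.254"],   # name pointing at the metadata IP
    "mixed.attacker.example": ["93.184.216.34", "10.0.0.5"],
}


def sample_resolver(host):
    """Stand-in for DNS resolution, backed by SAMPLE_DNS."""
    if host not in SAMPLE_DNS:
        raise socket.gaierror(f"no such host: {host}")
    return SAMPLE_DNS[host]


def destination_allowed(url, resolve=sample_resolver):
    """Return True only if every address the URL can reach is publicly routable."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    try:
        addresses = [ipaddress.ip_address(parts.hostname)]   # literal IP in the URL
    except ValueError:
        try:
            addresses = [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
        except (OSError, ValueError):
            return False
    for ip in addresses:
        mapped = getattr(ip, "ipv4_mapped", None)   # unwrap ::ffff:a.b.c.d
        if not (mapped or ip).is_global:
            return False
    return bool(addresses)


def rejected_actions(action_urls, resolve=sample_resolver):
    """Return the configured URLs that must not be fetched server-side."""
    return [u for u in action_urls if not destination_allowed(u, resolve)]
```

The fetcher should connect to the address that was vetted rather than resolving the name a second time, and the same check has to be repeated on every redirect target.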
Trend Micro has warned that threat actors are increasingly using Large Language Models (LLMs) to assist in malware development, potentially complicating attribution efforts. When these actors draw inspiration from detailed security analyses, it poses challenges for threat hunters and requires security publications to consider the potential for LLM-driven exploitation of their findings.
U.S. agencies have issued an updated alert on the Akira ransomware operation, noting its continued targeting of Nutanix AHV virtual machines and its aggregation of substantial ransomware proceeds. Akira has expanded its tactics, including the exploitation of edge devices and the use of legitimate remote access tools for privilege escalation and data theft.
The Kraken ransomware group, reportedly emerging from the defunct HelloKitty gang, has demonstrated a new strategy of performance benchmarking victim machines before encryption. This ransomware variant exploits SMB vulnerabilities for initial access and utilizes tools like Cloudflared for persistence, with a focus on optimizing encryption speed to potentially evade detection. Kraken also announced the launch of a new underground forum, “The Last Haven Board.”
A remote code execution vulnerability has been disclosed in the AI-BOLIT malware scanning component of Imunify360, a widely used Linux server security solution. The flaw, which affects versions prior to 32.7.4.0, could allow attackers to execute arbitrary commands by exploiting the deobfuscation logic to call dangerous PHP functions, leading to a full compromise of the hosting environment.
The FBI has alerted the public to a new financial fraud scheme targeting Chinese speakers in the U.S. This operation impersonates health insurance providers and Chinese law enforcement officials, using spoofed calls and fraudulent invoices to coerce victims into paying large sums for non-existent claims or “bail” under threat of extradition or foreign prosecution.
Ingress NGINX, a popular Kubernetes ingress controller, is slated for retirement in March 2026. Challenges in maintenance and the discovery of serious security vulnerabilities, such as the ability to inject arbitrary NGINX configurations, have led to this decision. Researchers previously identified flaws that could allow for complete takeover of Kubernetes clusters.
The U.S. government has established a new task force, the Scam Center Strike Force, to combat scam compound operations in Southeast Asia, particularly in Myanmar, Cambodia, and Laos, which are allegedly overseen by Chinese transnational criminal rings. The initiative aims to disrupt and prosecute those involved, building on seizures of over $401.6 million in cryptocurrency and sanctions against entities facilitating these operations.
Meta is preparing to integrate third-party messaging apps into WhatsApp in Europe in the coming months, in compliance with the Digital Markets Act. The company stated its commitment to maintaining end-to-end encryption (E2EE) and other privacy guarantees, requiring third-party apps to adhere to the same E2EE standards.
Researchers have developed “EchoGram,” a novel attack technique that circumvents common AI defense mechanisms, including text-based classification and “LLM-as-a-judge” systems. This exploit uses specific token sequences to manipulate defensive models into misclassifying malicious prompts as safe or triggering false alarms, affecting major AI models such as GPT-4, Gemini, and Claude.
Activity associated with Lumma Stealer has seen a resurgence following a period of decline. A new version of the infostealer now includes system fingerprinting capabilities to enhance evasion and targeting, transmitting system, network, hardware, and browser data to its command-and-control server. It also employs process injection techniques to execute within legitimate browser processes.
Fake cryptocurrency applications, disguised as Bitcoin wallets, mining software, or trading tools, are being distributed as compressed RAR archives. Upon installation, these applications deploy the DarkComet RAT, a remote access trojan known for its extensive surveillance and control functionalities, including keystroke logging, file theft, webcam surveillance, and remote desktop control.
Threat actors are leveraging legitimate remote access tools by disguising them as popular software like Telegram, ChatGPT, and file compression utilities. These disguised applications are distributed via convincing websites and, upon installation, also deploy a Delphi-based RAT called PatoRAT, which facilitates remote control and information theft.
French authorities have fully lifted the travel ban and dropped regular police check-in requirements for Telegram CEO Pavel Durov. Durov was previously detained in connection with an investigation into the alleged misuse of the Telegram platform for criminal activities, including fraud, drug trafficking, and illegal content distribution.
A new “ClickFix” campaign is distributing information-stealing malware to both Windows and macOS users. This campaign lures individuals searching for “cracked” or pirated software, directing them to compromised Google services from which they are led to secondary landing pages. On Windows, the campaign deploys ACR Stealer, while on macOS, it distributes Odyssey Stealer.
Cyderes has identified a “Bring Your Own Updates” (BYOU) vulnerability in Fiery Driver Updater v1.0.0.16, building on a similar flaw found in Advanced Installer. The updater embeds credentials that could be exploited to retrieve or modify update binaries, presenting a significant supply chain risk. Furthermore, it can execute local, untrusted binaries without proper validation.
India has officially issued the rules under its Digital Personal Data Protection (DPDP) Act, aiming to establish a clear, citizen-focused framework for digital personal data. The rules provide a phased compliance timeline, outline data breach notification protocols, enhance protections for children’s data, and require Data Fiduciaries to display clear contact information and obtain transparent consent.
A new macOS stealer named DigitStealer has been observed using advanced hardware checks and multi-stage attack vectors to evade detection and exfiltrate sensitive data. The malware is distributed via malicious disk image (DMG) files that download a dropper, which then performs checks to circumvent defenses before fetching additional components for data harvesting and persistence.
A component linked to a botnet named PolarEdge, identified as RPX_Client, has been uncovered. This component is designed to onboard compromised IoT and edge devices into a proxy pool for designated command-and-control (C2) nodes, offering proxy services and enabling remote command execution. The botnet has amassed over 25,000 devices, suggesting its potential use for large-scale operations.
🎥 Cybersecurity Webinars and Training
Organizations can learn how to secure multi-cloud workloads without impeding innovation in an upcoming expert-led session focused on identity controls, compliance, and risk reduction. Another webinar will delve into securing patch pipelines, offering practical insights into managing community repositories like Chocolatey and Winget safely to balance speed with security.
🔧 Cybersecurity Tools for Analysis
FlowViz is an open-source React application that generates interactive attack flow diagrams using the MITRE ATT&CK framework by processing cyber articles. OWASP Noir is an open-source tool for whitebox testing that scans source code to identify API and web endpoints across multiple programming languages. The tool named Below is a Linux system monitor that provides detailed performance data, supports live viewing, recording, and replaying of system activity, and offers integration with Prometheus and Grafana.
Disclaimer: These tools are intended for educational and research purposes only. Users should review the code, test in safe environments, and adhere to all ethical and legal guidelines before deployment.
🔒 Tip of the Week: Enhancing Mobile Security with Firewalls
Most mobile applications communicate with the internet in the background, potentially leaking data or exposing users to privacy risks and attacks. Unlike desktop environments, mobile operating systems offer limited built-in firewall capabilities. For Android users, tools like NetGuard and PersonalDNSfilter can provide app-level network control without requiring root access. These applications function as local VPNs, allowing users to block or allow internet access for specific apps and filter unwanted network traffic. iPhone users have fewer options for deep firewall control due to platform restrictions, but can enhance privacy by frequently reviewing app permissions, disabling background refresh, and utilizing reputable VPN services.
Conclusion
The cybersecurity threats highlighted this week were characterized by their subtlety rather than overt disruption, demonstrating a strategic shift towards stealthy and sophisticated attacks. The ongoing evolution of cyber threats, utilizing everything from compromised IoT devices to advanced AI capabilities, necessitates a continuous focus on vigilance, trust verification, and thorough security checks. Organizations and individuals must remain adaptable and informed to navigate this complex and ever-changing threat landscape effectively.

