Matrix Push C2 is a browser-native, fileless command-and-control platform that actors are using to deliver malware and conduct phishing attacks. According to BlackFrog, Matrix Push C2 abuses the web push notification system (a legitimate browser feature) as a command-and-control (C2) channel.
Last month, Microsoft addressed a critical deserialization flaw in Windows Server Update Services (WSUS) that could enable actors to achieve remote code execution with system privileges.
New research from Gen Digital indicates a rare and potentially significant overlap between two major state-sponsored threat actors: Russia-aligned Gamaredon and North Korea's Lazarus Group.
Researchers have discovered a critical Directory Traversal Remote Code Execution (RCE) vulnerability (tracked as CVE-2025-11001) affecting older versions of the popular, free file-compressing tool, 7-Zip, specifically on Windows systems.
On November 24, 2025, a second wave of the Shai-Hulud npm supply-chain campaign, branded by the attacker as “Sha1-Hulud: The Second Coming”, began pushing malicious updates to hundreds of npm packages.
A surge in scanning activity was identified by GreyNoise targeting Palo Alto Networks GlobalProtect portals, with attack traffic increasing by 40 times within 24 hours on November 14, 2025, marking a new 90-day high.
SonicWall has issued patches for a high-severity SonicOS SSLVPN vulnerability CVE-2025-40601 affecting Gen7 and Gen8 firewalls, both hardware and virtual. The flaw is a stack-based buffer overflow in the SSLVPN service that allows a remote, unauthenticated attacker to trigger a denial-of-service condition and crash the firewall.
Google Threat Intelligence Group is tracking a persistent, three-year PRC-nexus espionage campaign attributed to APT24, centered around a custom, heavily obfuscated downloader known as BADAUDIO.
A persistent, highly active threat actor, known for initially leveraging the ScreenConnect RMM software, has modified its tactics. The group is now infecting victim systems with multiple RMM tools, including LogMeIn Resolve, Naverisk, SimpleHelp, PDQ, and Atera, often installing them sequentially and long after the initial breach is successful.
Salesforce issued an alert on November 20, warning that it had identified unusual activity involving Gainsight-published applications connected to Salesforce. This prompted Salesforce to revoke access to all Gainsight applications and temporarily removed them from its AppExchange.
The TamperedChef campaign, tracked by Acronis in their recent blog post, is a global malvertising and SEO operation that distributes malicious installers disguised as common applications.
Push researchers identified a new evolution in the Sneaky2FA Phishing-as-a-Service kit: the integration of Browser-in-the-Browser phishing capabilities. Sneaky2FA, already known for its MFA-bypass features and Telegram-based distribution, now deploys phishing pages that simulate legitimate pop-up authentication windows containing embedded reverse-proxy login forms.
A new wave of ransomware attacks has been observed targeting cloud-native environments, specifically Amazon Simple Storage Service (S3) buckets, to extort victims.
Amazon Threat Intelligence has identified a clear rise in cyber-enabled kinetic targeting, where nation-state groups use cyber intrusions to directly support physical military operations.
There was no major breach of the Salesforce platform itself, but rather a series of attacks in 2025 where attackers gained access to third-party applications integrated with Salesforce, such as Salesloft Drift}, to steal data from many companies, including Gainsight's Salesforce environment.
CISA, in collaboration with the U.S. National Security Agency, U.S. Department of Defense Cyber Crime Center, U.S. Federal Bureau of Investigation, and international partners, have released the guide Bulletproof Defense: Mitigating Risks from Bulletproof Hosting Providers to help internet service providers (ISPs) and network defenders mitigate cybercriminal activity enabled by bulletproof hosting (BPH) providers.
According to Unit 42, a global data storage and infrastructure company suffered a 42-day destructive ransomware attack orchestrated by the Howling Scorpius group (Akira ransomware).
Sarcoma is a financially motivated ransomware group that emerged in late 2024, quickly launching aggressive, global double-extortion campaigns. Operating under a selective RaaS model with limited, trusted partners, the group employs techniques such as leveraging reported zero-day exploits to steal sensitive data before deploying encryption.
ShinySp1d3r is an emerging ransomware-as-a-service platform being developed by threat actors linked to ShinyHunters, Scattered Spider, and Lapsus$. These groups, which in the past have relied on other ransomware groups' encryptors, are now building their own ransomware strain, according to an announcement on Telegram.
Operation WrtHug is a large-scale, ongoing compromise of ASUS WRT routers, uncovered by SecurityScorecard's STRIKE team. The campaign affects thousands of devices globally, with the heaviest concentration in Taiwan, followed by Southeast Asia, Russia, central Europe, and the United States.
ESET researchers uncovered how the China-aligned PlushDaemon threat actor conducts adversary-in-the-middle attacks by hijacking legitimate software update traffic using a previously undocumented network implant called EdgeStepper.
Fortinet has issued security updates to address a newly disclosed FortiWeb zero-day vulnerability (tracked as CVE-2025-58034) that is currently being actively exploited by threat actors.
Fraudsters are actively exploiting WhatsApp's screen-sharing feature to trick users into giving them real-time access to sensitive information. The scam typically initiates with a video call from an unknown number.
Logitech confirmed they suffered a data breach back in July 2025, linked to the CL0P ransomware group. On November 14th, the company filed a form 8-K with the U.S. Securities and Exchange Commission, confirming that data was stolen in a breach.
Researchers at Mandiant have published the advanced tactics, techniques, and procedures and custom tooling employed by UNC1549, an Iran-nexus threat group, observed in targeted espionage campaigns against the aerospace, aviation, and defense sectors from late 2023 through 2025.
Cloudflare is addressing a significant global outage that has caused widespread 500 “internal server error” messages across websites and online services that rely on its infrastructure.
The cyber threat landscape is shifting significantly due to the integration of autonomous Agentic AI by malicious actors. A prime example is the recent AI-orchestrated cyber espionage campaign involving a China-aligned group that manipulated Anthropic's Claude Code tool.
CVE-2025-24893 is a critical remote code execution flaw impacting XWiki, an open-source Wiki platform. XWiki includes a macro called SolrSearch that facilitates full-text search through the embedded Solr engine.
Microsoft disclosed that its Azure infrastructure was recently targeted by a massive 15.72 Tbps DDoS attack attributed to the Aisuru botnet, a Turbo-Mirai–class IoT botnet known for record-setting attack volumes.
BlackBerry researchers uncovered a sophisticated, highly targeted espionage campaign against the Pakistan Navy, active from mid-2023 through at least September 2024. The intrusion began with a convincingly forged PDF designed to mimic an internal IT memo about integrating Axigen Thunderbird email services.
Threat actors are reviving the decades-old finger command as part of new ClickFix-style social-engineering attacks on Windows systems. Originally designed to look up information about remote users over TCP port 79, the finger protocol is now being abused as a lightweight remote command-delivery mechanism.
The US Department of Justice (DoJ) announced that five individuals have pleaded guilty to helping North Korean hackers gain remote IT work in the US. The conspirators provided personal, false or stolen identities as well as hosted laptops provided by the victim organizations to make it appear as if the North Koreans were employed domestically.
According to AhnLab Security intelligence center (ASEC), actors are abusing Remote Monitoring and Management (RMM) tools like LogMeIn Resolve and PDQ Connect to distribute malware. These attacks involve setting up websites that impersonate downloads for legitimate software such as Notepad++, 7-Zip, or WinRAR.
State-sponsored threat actors, assessed with high confidence to be Chinese state-sponsored, successfully employed the advanced Anthropic AI, specifically, manipulating the Claude Code tool, to execute their espionage objectives in a campaign observed in mid-September 2025.
SpearSpecter is an ongoing, highly targeted espionage campaign attributed with high confidence to Iranian state-aligned operators working on behalf of the IRGC Intelligence Organization and overlapping with APT42 / Mint Sandstorm / Educated Manticore / CharmingCypress.
A rapidly evolving phishing campaign is impersonating internal “spam filter” or “secure message” alerts to trick users into handing over their credentials.
CISA released a joint cybersecurity advisory this week which focuses on the Akira operator's latest tactics, techniques, and procedures (TTPs). Most concerningly, is the speed at which Akira has been exfiltrating data from victims, just two hours from initial access.
Cybersecurity researcher Paul McCarty recently uncovered a massive, financially motivated spam campaign targeting the npm registry with tens of thousands of fake packages since early 2024.
Cybersecurity researcher Paul McCarty recently uncovered a massive, financially motivated spam campaign targeting the npm registry with tens of thousands of fake packages since early 2024.
Lumma Stealer (tracked by Trend Micro as Water Kurita) has re-emerged after a temporary decline caused by the doxxing of its alleged operators.
Kraken is a Russian-speaking ransomware group that emerged in early 2025 from the remnants of the HelloKitty cartel, adopting the same double-extortion model and even reusing HelloKitty's ransom note filename.
Operation Endgame is a joint international law enforcement effort to take down major cybercriminal infrastructures.
Check Point Research released their Q3 ransomware report. Their findings found that the overall volume of attacks have normalized, but the landscape as a whole is experiencing “fragmentation and decentralization”.
Email security researchers at Check Point identified an ostensibly new phishing campaign that distributed over 40,000 malicious emails to more than 5,000 customers across the U.S., Europe, Canada, and Australia, likely targeting industries reliant on Facebook advertising (e.g., automotive, finance, hospitality).
A recent campaign linked to North Korean threat actors is abusing Google's Find Hub to track and remotely wipe the Android devices of targeted South Koreans. The operation, attributed to the KONNI activity cluster, which overlaps with APT37 (ScarCruft) and Kimsuky (Emerald Sleet), relies on credential theft rather than exploiting any Google or Android vulnerabilities.
Marking as Medium, only because a patch for this vulnerability was released back in June. There are many exploits for this available now, so organizations who haven't patched, should consider this a critical situation.
As part of the Microsoft November Patch Tuesday, the vendor issued security updates to address 63 flaws, including one actively exploited zero-day. Of the 63 flaws addressed, there were 29 Elevation of Privilege Vulnerabilities, 2 Security Feature Bypass Vulnerabilities, 16 Remote Code Execution Vulnerabilities, 11 Information Disclosure Vulnerabilities, 3 Denial of Service Vulnerabilities, and 2 Spoofing Vulnerabilities.