Campaigns observed in October and November 2025, tracked under the temporary intrusion set SHADOW-VOID-042, targeted several high-value sectors, including energy, defense, pharmaceuticals, and cybersecurity, according to Trend Micro.
Cybersecurity researchers have documented the return of CyberVolk, a pro-Russia hacktivist persona that has evolved into a Ransomware-as-a-Service (RaaS) provider following a period of dormancy in early 2025.
Cybersecurity researchers have documented the emergence of four sophisticated phishing kits, BlackForce, GhostFrame, InboxPrime AI, and Spiderman, designed to facilitate large-scale credential theft and bypass modern security perimeters.
Notepad++ recently addressed a security weakness in its update tool (WinGUp) after receiving word of several incidents wherein the updater was manipulated to download and run malicious executables instead of legitimate updates.
MITRE has shared this year's top 25 list of the most dangerous software weaknesses behind over 39,000 security vulnerabilities disclosed between June 2024 and June 2025.
Cybersecurity researchers have unveiled details of NANOREMOTE, a newly observed, full-featured Windows backdoor written in C++ without obfuscation that utilizes the Google Drive API for C2.
Cybersecurity researchers have unveiled details of NANOREMOTE, a newly observed, full-featured Windows backdoor written in C++ without obfuscation that utilizes the Google Drive API for C2.
Wiz Threat Research has identified and publicly disclosed a critical zero-day vulnerability, CVE-2025-8110 (CVSS: 8.7), actively being exploited in-the-wild against Gogs, a popular self-hosted Git service.
U.S. agencies warned critical infrastructure organizations this week of attacks launched by multiple Russian groups backed financially by the country's government.
Researchers at Push Security have uncovered details of a new browser-native phishing technique, dubbed “ConsentFix” that steals Oauth authorization codes by tricking users into copying and pasting a URL from a legitimate Microsoft login flow into an attack-controlled phishing page.
Operation FrostBeacon is a targeted, financially motivated cybercrime campaign identified by Seqrite Labs, focusing on B2B enterprises within the Russian Federation, specifically targeting finance and legal departments in sectors like logistics and industrial production.
The highly sophisticated threat activity, JS#SMUGGLER, is a multi-stage web-based malware campaign engineered for stealth and the delivery of NetSupport RAT. The chain begins with Stage 1, a heavily obfuscated JavaScript loader injected via silent redirects, which uses advanced obfuscation, device-aware branching, and local storage for first-visit tracking before fetching the next stage from rotating C2 domains.
The financially motivated threat activity cluster, tracked as CL-CRI-1036, centers on a new, multi-platform ransomware family named 01flip. This ransomware is notable for being entirely written in the modern Rust programming language, allowing for seamless cross-compilation targeting both Windows and Linux operating systems.
Fortinet has issued security updates to address two critical vulnerabilities, CVE-2025-59718 (FortiOS, FortiProxy, FortiSwitchManager) and CVE-2025-59719 (FortiWeb), that could allow threat actors to bypass FortiCloud SSO authentication.
As part of the Microsoft December Patch Tuesday, the vendor addressed 57 flaws, including three zero-days. Of the 57 flaws addressed, there were 28 Elevation of Privilege Vulnerabilities, 19 Remote Code Execution Vulnerabilities, 4 Information Disclosure Vulnerabilities, 3 Denial of Service Vulnerabilities, and 2 Spoofing Vulnerabilities.
Cisco Talos tracked new TTPs from a financially motivated threat actor that were utilized to deploy DeadLock ransomware on Windows machines. The key initial access technique involves a BYOVD attack using the legitimate but vulnerable Baidu Antivirus driver (disguised as DriverGay.sys) to exploit CVE-2024-51324.
Storm-0249 has evolved from relying on mass phishing to executing highly targeted, sophisticated post-exploitation tactics to facilitate ransomware attacks. This financially motivated actor now prioritizes stealth and persistence by weaponizing trusted enterprise components.
Insikt Group has rebranded the technically sophisticated threat actor TAG-150 as GrayBravo, confirming its operation of a Malware-as-a-Service (MaaS) ecosystem centered around the custom malware families CastleLoader, CastleBot, and the newly discovered CastleRAT (a remote access trojan with C and Python variants).
In April 2025, a China-linked threat group launched a campaign targeting Japanese shipping and transportation companies, using several variants of the PlugX remote access trojan (RAT).
North Korean state-sponsored actors have begun leveraging the critical React2Shell flaw (CVE-2025-55182) to deploy a new, highly sophisticated Linux malware called EtherRAT.
CrowdStrike researchers have identified a critical, high-level threat from the China-nexus adversary WARP PANDA, who is actively engaged in long-term, covert intelligence-collection operations primarily targeting VMware vCenter/ESXi and Microsoft Azure/365 environments at U.S.-based legal, technology, and manufacturing entities.
Shanya is packer-as-a-service that has been promoted on underground forums since late 2024. Under this model, cybercriminals can pay to have their malware re-packed and encrypted to avoid detection.
A campaign has been observed targeting publicly exposed security devices, namely Palo Alto Networks GlobalProtect portals and SonicWall SonicOS API endpoints, starting on December 2nd. According to GreyNoise, this large-scale reconnaissance originated from over 7,000 distinct IP addresses within the infrastructure of German hosting provider 3xK GmbH (AS200373).
According to a researcher named Rakesh Krishnan on X, LockBit 5.0 has accidently exposed some of their internal infrastructure. Specifically, the IP address 205[.]185[.]116[.]233 and the domain karma0[.]xyz are being used to host the ransomware group's latest data leak website.
Within hours of the React2Shell flaw (CVE-2025-55182) becoming public, China-linked threat actors began exploiting this pre-authentication Remote Code Execution (RCE) vulnerability. The flaw exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 across packages like react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack.
CastleRAT is a remote access trojan (RAT) that was first identified in March 2025. Two different variants of CastleRAT have been observed to date: one written in Python and another that is a C compiled version.
A command injection flaw in Array Networks AG Series gateways has been under exploitation since August 2025, according to a new advisory from JPCERT/CC. The flaw, which has yet to be assigned a CVE number, resides in the DesktopDirect function of the Array AG series, a feature that provides remote desktop access.
The Intellexa Leaks, a new joint investigation published by Inside Story, Haaretz, and the WAV Research Collective, with technical analysis from Amnesty International's Security Lab, has exposed the persistent global threat posed by the mercenary Predator spyware and its maker, Intellexa, despite the company and its executives being subjected to U.S. sanctions.
The GOLD BLADE threat group has undergone a significant strategic evolution, shifting from a primary focus on cyberespionage to operating as a hybrid operation that successfully blends data theft with selective ransomware deployment.
More details on the BRICKSTORM campaign emerge, as Chinese nexus adversaries were seen leveraging Managed Service Provider (MSP) credentials for initial access. The attackers' strategy focused on high-value, centralized management platforms, specifically VMware vCenter servers and Active Directory Federation Services (ADFS), in both Windows and VMware ESXi environments.
Microsoft has mitigated a high-severity Windows LNK vulnerability, CVE-2025-9491, which has been widely exploited as a zero-day by multiple state-sponsored groups (including Mustang Panda) and MaaS platforms, according to research from Trend Micro.
Barracuda's threat analysts first spotted the GhostFrame phishing kit in September 2025, and by December, the team had identified over a million attacks utilizing this novel and stealthy Phishing-as-a-Service (PhaaS) framework.
CyberProof Threat Hunters recently reviewed an MDR team alert that detailed a highly targeted and effective social engineering attack utilizing the Microsoft Teams "Chat with Anyone" feature for initial access.
Evilginx, an attacker-in-the-middle phishing toolkit, is increasingly being leveraged by actors to steal session cookies and bypass multi-factor authentication.
A long-running and increasingly sophisticated phishing operation is targeting Google Workspace and Facebook Business accounts, specifically those tied to business ad management. The campaign begins with highly tailored, multi-stage job-recruitment lures impersonating brands like LVMH, LEGO, Mastercard, and Uber, using Calendly-themed links to avoid email scanners.
Koi researchers uncovered a long-running threat actor known as ShadyPanda, responsible for a seven-year browser extension operation impacting 4.3 million Chrome and Edge users.
The ongoing GlassWorm supply chain attack, which began in mid-October 2025, resurfaced in late November with new packages that successfully infiltrated both the Microsoft VS Marketplace and Open VSX, introducing 24 malicious extensions, doubling the total extension count from when it was initially discovered.
GreyNoise Labs has released a free tool, GreyNoise IP Check, that allows users to quickly determine whether their IP address has been involved in malicious scanning operations, such as those associated with botnets and residential proxy networks.
The cybercriminal alliance known as Scattered LAPSUS$ Hunters (SLSH) has rapidly intensified its activity following a brief hiatus, marked by the creation of a new Telegram channel and several significant events since mid-November 2025.
Security researchers have conducted an extensive investigation led by Mauro Eldritch on the North Korean state-sponsored Lazarus subgroup, Famous Chollima (WageMole), which often targets and recruits legitimate IT professionals to conduct cyberespionage and funnel illicit wages.
Trend Micro researchers have found that the ValleyRAT campaign is a growing threat that is escalating in both aggressiveness and sophistication, demonstrated by a notable spike in detections observed in their telemetry at the end of October.
Cyble Research & Intelligence Labs (CRIL) has identified an active Linux-targeting campaign, dubbed V3G4, that signifies the ongoing, financially-motivated evolution of Mirai-lineage threats by coupling DDoS capabilities with covert monetization.
Research emerging from China indicates a concentrated and strategic effort to develop countermeasures against Low Earth Orbit (LEO) satellite internet constellations, particularly SpaceX's Starlink, which Beijing views as a major national security threat.
Matanbuchus is a C++ downloader malware that has been active since 2020, evolving through multiple versions to enhance its capabilities. The latest, version 3.0, was identified in July 2025 and introduces significant improvements such as the integration of Protocol Buffers for network communication, making its communication more efficient and harder to detect.
TangleCrypt is a previously undocumented Windows malware packer, designed to hide malicious payloads inside what appear to be benign executable files. TangleCrypt stores the original payload within PE resources, while the rest of the file is mostly the loader code itself.
Canada issued a warning this week on escalating cyber threats to critical infrastructure, specifically, sectors like energy, water, healthcare, financial services, and transportation. In their advisory, they note that both nation-state actors and cybercriminal groups are poised to create significant service outages, economic losses, and could endanger public health and safety.
Researchers from Socket linked a series of fake job interviews and test assignments targeting developers to a state-sponsored North Korean threat actor.