Cyber threats did not decelerate final week—and attackers are getting smarter. We’re seeing malware hidden in digital machines, side-channel leaks exposing AI chats, and adware quietly concentrating on Android units within the wild.
However that is simply the floor. From sleeper logic bombs to a contemporary alliance between main risk teams, this week’s roundup highlights a transparent shift: cybercrime is evolving quick, and the strains between technical stealth and strategic coordination are blurring.
It is value your time. Each story right here is about actual dangers that your staff must find out about proper now. Learn the entire recap.
⚡ Menace of the Week
Curly COMrades Abuses Hyper-V to Conceal Malware in Linux VMs — Curly COMrades, a risk actor supporting Russia’s geopolitical pursuits, has been noticed abusing Microsoft’s Hyper-V hypervisor in compromised Home windows machines to create a hidden Alpine Linux-based digital machine and deploy malicious payloads. This methodology permits the malware to run utterly exterior the host working system’s visibility, successfully bypassing endpoint security instruments. The marketing campaign, noticed in July 2025, concerned the deployment of CurlyShell and CurlyCat. The victims weren’t publicly recognized. The risk actors are mentioned to have configured the digital machine to make use of the Default Swap community adaptor in Hyper-V to make sure that the VM’s site visitors travels by means of the host’s community stack utilizing Hyper-V’s inside Community Tackle Translation (NAT) service, inflicting all malicious outbound communication to look to originate from the respectable host machine’s IP deal with. Additional investigation has revealed that the attackers first used the Home windows Deployment Picture Servicing and Administration (DISM) command-line instrument to allow the Hyper-V hypervisor, whereas disabling its graphical administration interface, Hyper-V Supervisor. The group then downloaded a RAR archive masquerading as an MP4 video file and extracted its contents. The archive contained two VHDX and VMCX recordsdata akin to a pre-built Alpine Linux VM. Lastly, the risk actors used the Import-VM and Begin-VM PowerShell cmdlets to import the digital machine into Hyper-V and launch it with the title WSL, a deception tactic meant to provide the impression that the Home windows Subsystem for Linux was employed. “The sophistication demonstrated by Curly COMrades confirms a key development: as EDR/XDR options turn out to be commodity instruments, risk actors are getting higher at bypassing them by means of tooling or methods like VM isolation,” Bitdefender mentioned. The findings paint an image of a risk actor that makes use of refined strategies to take care of long-term entry in goal networks, whereas leaving a minimal forensic footprint.
🔔 High Information
- ‘Whisper Leak’ That Identifies AI Chat Subjects in Encrypted Visitors — Microsoft has disclosed particulars of a novel side-channel assault concentrating on distant language fashions that would allow a passive adversary with capabilities to look at community site visitors to glean particulars about mannequin dialog matters regardless of encryption protections. “Cyber attackers ready to look at the encrypted site visitors (for instance, a nation-state actor on the web service supplier layer, somebody on the native community, or somebody linked to the identical Wi-Fi router) may use this cyber assault to deduce if the person’s immediate is on a particular subject,” the corporate mentioned. The assault has been codenamed Whisper Leak. In a proof-of-concept (PoC) take a look at, researchers discovered that it is potential to glean dialog matters from Alibaba, DeepSeek, Mistral, Microsoft, OpenAI, and xAI fashions with a hit charge of over 98%. In response, OpenAI, Mistral, Microsoft, and xAI have deployed mitigations to counter the chance.
- Samsung Cell Flaw Exploited as Zero-Day to Deploy LANDFALL Android Adware — A now-patched security flaw in Samsung Galaxy Android units was exploited as a zero-day to ship a “commercial-grade” Android adware dubbed LANDFALL in precision assaults in Iraq, Iran, Turkey, and Morocco. The exercise concerned the exploitation of CVE-2025-21042 (CVSS rating: 8.8), an out-of-bounds write flaw within the “libimagecodec.quram.so” element that would permit distant attackers to execute arbitrary code, in line with Palo Alto Networks Unit 42. The problem was addressed by Samsung in April 2025. LANDFALL, as soon as put in and executed, acts as a complete spy instrument, able to harvesting delicate knowledge, together with microphone recording, location, images, contacts, SMS, recordsdata, and name logs. Whereas Unit 42 mentioned the exploit chain might have concerned the usage of a zero-click method to set off the exploitation of CVE-2025-21042 with out requiring any person interplay, there are presently no indications that it has occurred or that there exists an unknown security challenge in WhatsApp to assist this speculation. The Android adware is particularly designed to focus on Samsung’s Galaxy S22, S23, and S24 sequence units, together with Z Fold 4 and Z Flip 4. There are not any conclusive clues but on who’s concerned, neither is it clear how many individuals had been focused or exploited.
- Hidden Logic Bombs in Malicious NuGet Packages Go Off Years After Deployment — A set of 9 malicious NuGet packages has been recognized as able to dropping time-delayed payloads to sabotage database operations and corrupt industrial management methods. The packages had been revealed in 2023 and 2024 by a person named “shanhai666” and are designed to run malicious code after particular set off dates in August 2027 and November 2028, except one library, which claims to increase the performance of one other respectable NuGet bundle known as Sharp7. Sharp7Extend, because it’s known as, is ready to activate its malicious logic instantly following set up and continues till June 6, 2028, when the termination mechanism stops by itself.
- Flaws in Microsoft Groups Expose Customers to Impersonation Dangers — A set of 4 now-patched security vulnerabilities in Microsoft Groups may have uncovered customers to critical impersonation and social engineering assaults. The vulnerabilities “allowed attackers to control conversations, impersonate colleagues, and exploit notifications,” in line with Test Level. These shortcomings make it potential to change message content material with out leaving the “Edited” label and sender identification and modify incoming notifications to alter the obvious sender of the message, thereby permitting an attacker to trick victims into opening malicious messages by making them seem as if they’re coming from a trusted supply, together with high-profile C-suite executives. The failings additionally granted the power to alter the show names in non-public chat conversations by modifying the dialog subject, in addition to arbitrarily modify show names utilized in name notifications and throughout the name, allowing an attacker to forge caller identities within the course of. The problems have since been addressed by Microsoft.
- Three Excessive-Profile Teams Come Collectively — Scattered LAPSUS$ Hunters (SLH), a merger shaped between Scattered Spider, LAPSUS$, and ShinyHunters, has cycled by means of a minimum of 16 Telegram channels since August 8, 2025. The group, which has marketed an extortion-as-a-service providing and can also be testing “Sh1nySp1d3r” ransomware, has now been recognized not simply as a fluid collaboration however as a coordinated alliance mixing the operational techniques of the three high-profile legal clusters beneath a shared banner for extortion, recruitment, and viewers management. The brand new group is intentionally bringing collectively the reputational capital related to the manufacturers to create a potent, unified risk identification. The hassle is being seen as the primary cohesive alliance inside The Com, a historically loose-knit community, leveraging the merger as a pressure multiplier for financially motivated assaults.
️🔥 Trending CVEs
Hackers transfer quick. They typically exploit new vulnerabilities inside hours, turning a single missed patch into a serious breach. One unpatched CVE will be all it takes for a full compromise. Under are this week’s most crucial vulnerabilities gaining consideration throughout the trade. Evaluation them, prioritize your fixes, and shut the hole earlier than attackers take benefit.
This week’s checklist contains — CVE-2025-20354, CVE-2025-20358 (Cisco Unified CCX), CVE-2025-20343 (Cisco Identification Providers Engine), CVE-2025-62626 (AMD), CVE-2025-5397 (Noo JobMonster theme), CVE-2025-48593, CVE-2025-48581 (Android), CVE-2025-11749 (AI Engine plugin), CVE-2025-12501 (GameMaker IDE), CVE-2025-23358 (NVIDIA App for Home windows), CVE-2025-64458, CVE-2025-64459 (Django), CVE-2025-12058 (Keras AI), CVE-2025-12779 (Amazon WorkSpaces shopper for Linux), CVE-2025-12735 (JavaScript expr-eval), CVE-2025-62847, CVE-2025-62848, CVE-2025-62849 (QNAP QTS and QuTS hero), CVE-2024-12886, CVE-2025-51471, CVE-2025-48889 (Ollama), CVE-2025-34299 (Monsta FTP), CVE-2025-31133, CVE-2025-52565, CVE-2025-52881 (RunC), CVE-2025-55315 (ASP.NET Core Kestrel server), CVE-2025-64439 (langgraph-checkpoint), CVE-2025-37735 (Elastic Defend on Home windows), and 7 vulnerabilities in django-allauth.
📰 Across the Cyber World
- RDP Accounts Breached to Drop Cephalus Ransomware — A brand new Go-based ransomware known as Cephalus has been breaching organizations by stealing credentials by means of Distant Desktop Protocol (RDP) accounts that should not have multi-factor authentication (MFA) enabled since mid-June 2025. It is presently not recognized if it operates beneath a ransomware-as-a-service (RaaS). “Upon execution, it disables Home windows Defender’s real-time safety, deletes VSS backups, and stops key companies corresponding to Veeam and MSSQL to extend its encryption success charge and reduce the probabilities of restoration,” AhnLab mentioned. “Cephalus makes use of a single AES-CTR key for encryption, and this secret is managed to reduce publicity on the disk and in reminiscence. Lastly, the AES secret is encrypted utilizing an embedded RSA public key, guaranteeing that solely risk actors with the corresponding RSA non-public key can decrypt the important thing. It disrupts dynamic evaluation by producing a pretend AES key.”
- WhatsApp to Roll Out Enhanced Protections for Excessive-Threat Accounts — Customers beneath the next danger of being focused by hacking makes an attempt will quickly have the choice to allow an additional set of security options on WhatsApp, in line with a beta model of the app analyzed by WABetaInfo. Much like Apple’s Lockdown Mode, the characteristic blocks media and attachments from unknown senders, provides calling and messaging restrictions, and permits different settings, together with silencing unknown callers, limiting computerized group invitations to recognized contacts, disabling hyperlink previews, notifying customers about encryption code adjustments, activating two-step verification, and limiting the visibility of non-public info for unknown contacts.
- Aurologic Gives Internet hosting for Sanctioned Entities — German internet hosting supplier aurologic GmbH has emerged as a “central nexus throughout the world malicious infrastructure ecosystem” offering upstream transit and knowledge heart companies to a big focus of high-risk internet hosting networks, together with the Doppelgänger disinformation community and the not too long ago sanctioned Aeza Group, together with Metaspinner web GmbH (AsyncRAT, njRAT, Quasar RAT), Femo IT Options Restricted (CastleLoader and different malware), World-Data System IT Company (Cobalt Strike, Sliver, Quasar RAT, Remcos RAT, and different malware), and Railnet. The corporate was established in October 2023. “Regardless of its core concentrate on respectable community and knowledge heart operations, Aurologic has emerged as a hub for a few of the most abusive and high-risk networks working throughout the world internet hosting ecosystem,” Recorded Future mentioned.
- Australia Sanctions North Korean Menace Actors — The Australian Authorities has imposed monetary sanctions and journey bans on 4 entities and one particular person — Park Jin Hyok, Kimsuky, Lazarus Group, Andariel, and Chosun Expo — for participating in cybercrime to assist and fund North Korea’s illegal weapons of mass destruction and ballistic missile applications. “The dimensions of North Korea’s involvement in malicious cyber-enabled actions, together with cryptocurrency theft, fraudulent IT work and espionage, is deeply regarding,” the International Affairs ministry mentioned.
- U.Ok. Takes Motion on Spoofed Cell Numbers — U.Ok. cellular carriers will improve their networks to “remove the power for international name centres to spoof U.Ok. numbers.” The businesses will mark when calls come from overseas to stop scammers from impersonating U.Ok. cellphone numbers. The businesses will even roll out “superior name tracing expertise” to permit legislation enforcement the instruments to trace down scammers working throughout the nation and dismantle their operations. “It’ll make it tougher than ever for criminals to trick individuals by means of rip-off calls, utilizing cutting-edge expertise to show fraudsters and convey them to justice,” the U.Ok. authorities mentioned.
- Safety Flaw in Superior Installer — A vulnerability has been disclosed in Superior Installer (model 22.7), a framework for constructing Home windows installers. The bug can allow risk actors to hijack app replace mechanisms and run malicious exterior code if replace packages will not be digitally signed. By default, and in widespread observe, they don’t seem to be digitally signed, Cyderes mentioned. Based on its web site, Superior Installer is utilized by builders and system directors in additional than 60 international locations “to bundle or repackage all the things from small shareware merchandise, inside functions, and gadget drivers, to huge mission-critical methods.” The security danger poses a serious provide chain danger as a result of reputation of Superior Installer, opening the door for Convey Your Personal Updates (BYOU), enabling attackers to hijack trusted updaters to execute arbitrary code, whereas bypassing security controls. “These assaults are particularly harmful as a result of they exploit belief and scale: a single poisoned replace from a extensively used instrument (for instance, an installer or construct instrument like Superior Installer) can silently distribute signed, trusted malware to numerous world firms, inflicting broad knowledge theft, operational outages, regulatory penalties, and extreme reputational harm throughout many sectors,” security researcher Reegun Jayapaul mentioned.
- Jailbreak Detection in Authenticator App — Microsoft mentioned it would introduce Jailbreak/Root detection for Microsoft Entra credentials within the Authenticator app beginning February 2026. “This replace strengthens security by stopping Microsoft Entra credentials from performing on jail-broken or rooted units. All present credentials on such units can be wiped to guard your group,” it mentioned. The change applies to each Android and iOS units.
- Dangerous Actors Exploit Flaws in RMM Software program — Menace actors have been discovered exploiting recognized security vulnerabilities within the SimpleHelp Distant Monitoring and Administration (RMM) platform (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728) to realize downstream entry into buyer environments and deploy Medusa and DragonForce ransomware. “By compromising third-party RMM servers operating as SYSTEM, attackers achieved full management over sufferer networks, deploying discovery instruments, disabling defences, exfiltrating knowledge through RClone and Restic, and at last encrypting methods,” Zensec mentioned.
- Cambodia Raids Rip-off Compounds in Bavet city — The Cambodian authorities raided two cyber rip-off compounds within the metropolis of Bavet on November 4, 2025, taking greater than 650 suspects, largely international nationals, into custody. One rip-off compound specialised in impersonating authorities authorities to threaten victims, whereas the second website ran pretend high-profit funding schemes, cast banking platforms, romance scams, pretend marathon registrations, and the usage of AI deepfake movies and pictures to forge identities.
- Samourai Pockets Co-Founder Sentenced to five Years in Jail — Keonne Rodriguez, the co-founder and CEO of cryptocurrency mixing service Samourai Pockets, was sentenced to 5 years in jail. Authorities shut down the Samourai Pockets web site in April 2024. The service was used to launder greater than $237 million in cryptocurrency linked to hacks, on-line fraud, and drug trafficking. Samourai Pockets CTO William Lonergan Hill is predicted to be sentenced later this month. Each people pleaded responsible to cash laundering prices again in August.
- Russian Man Pleads Responsible for Yanluowang Attacks — A 25-year-old Russian nationwide, Aleksei Olegovich Volkov, has pleaded responsible to hacking U.S. firms and promoting entry to ransomware teams. Volkov went on-line beneath the hacker title of chubaka.kor, and labored as an preliminary entry dealer (IAB) for the Yanluowang ransomware by exploiting security flaws between July 2021 and November 2022. As many as seven U.S. companies had been attacked throughout that interval, out of which an engineering agency and a financial institution paid a mixed $1.5 million in ransoms. Volkov was arrested on January 18, 2024, in Rome and was later extradited to the U.S. to face prices.
- Malicious AI Bots Impersonate Professional Brokers — Menace actors have been discovered to develop and deploy bots that impersonate respectable AI brokers from suppliers like Google, OpenAI, Grok, and Anthropic. “Malicious actors can exploit up to date bot insurance policies by spoofing AI agent identities to bypass detection methods, probably executing large-scale account takeover (ATO) and monetary fraud assaults,” Radware mentioned. “Attackers want solely spoof ChatGPT’s person agent and use residential proxies or IP spoofing methods to be categorised as a “good AI bot” with POST permissions.”
- Faux Installers Mimic Productiveness Instruments in Ongoing Campaigns — Data stealer campaigns are leveraging malicious installers impersonating respectable productiveness instruments with backdoor functionality, that are doubtless created utilizing EvilAI to distribute malware often called TamperedChef/BaoLoader. “The backdoor can also be able to extracting DPAPI secrets and techniques and gives full command-and-control performance, together with arbitrary command execution, file add and obtain, and knowledge exfiltration,” CyberProof mentioned. “In most noticed circumstances, the malware proceeds with the deployment of second-stage binaries and establishes extra persistence mechanisms, corresponding to ASEP registry run keys and .LNK startup recordsdata.”
🎥 Cybersecurity Webinars
- Be taught How High Consultants Safe Multi-Cloud Workloads With out Slowing Innovation — Be part of this expert-led session to learn to shield your cloud workloads with out slowing innovation. You may uncover easy, confirmed methods to manage identities, meet world compliance guidelines, and scale back danger throughout multi-cloud environments. Whether or not you’re employed in tech, finance, or operations, you will go away with clear, sensible steps to strengthen security and hold your small business agile, compliant, and prepared for what’s subsequent.
- Guardrails, Not Guesswork: How Mature IT Groups Safe Their Patch Pipelines — Be part of this session to learn to patch sooner with out shedding security. You may see actual examples of how group repositories like Chocolatey and Winget can expose your community if not managed safely — and get clear, sensible guardrails to keep away from it. Gene Moody, Discipline CTO at Action1, will present you precisely when to belief group repos, when to go vendor-direct, and stability pace with security so your patching stays quick, dependable, and safe.
- Uncover How Main Enterprises Are Slicing Publicity Time in Half with DASR — Be part of this stay session to find how Dynamic Attack Floor Discount (DASR) helps you narrow by means of countless vulnerability lists and really cease assaults earlier than they occur. You may see how good automation and context-driven choices can shrink your assault floor, shut hidden entry factors, and free your staff from alert fatigue. Stroll away with a transparent plan to cut back exposures sooner, strengthen defenses, and keep one step forward of hackers—with out including additional work.
🔧 Cybersecurity Instruments
- FuzzForge is an open-source instrument that helps security engineers and researchers automate utility and offensive security testing utilizing AI and fuzzing. It allows you to run vulnerability scans, handle workflows, and use AI brokers to investigate code, discover bugs, and take a look at for weaknesses throughout completely different platforms. It is constructed to make cloud and AppSec testing sooner, smarter, and simpler to scale for people and groups.
- Butler is a instrument that scans all repositories in a GitHub group to seek out and evaluate workflows, actions, secrets and techniques, and third-party dependencies. It helps security groups perceive what runs of their GitHub atmosphere and produces easy-to-read HTML and CSV experiences for audits, compliance checks, and workflow administration.
- Discover-WSUS is a PowerShell instrument that helps security groups and system admins discover each WSUS server outlined in Group Coverage. It checks each regular coverage settings and hidden Group Coverage Preferences that do not present up in customary experiences. This issues as a result of a compromised WSUS server can push pretend updates and take management of all area computer systems. Utilizing Discover-WSUS ensures you realize precisely the place your replace servers are configured—earlier than attackers do.
Disclaimer: These instruments are for academic and analysis use solely. They have not been absolutely security-tested and will pose dangers if used incorrectly. Evaluation the code earlier than making an attempt them, take a look at solely in secure environments, and comply with all moral, authorized, and organizational guidelines.
🔒 Tip of the Week
Cease Delicate Data From Reaching AI Chats — Many groups use AI chat instruments to get issues completed sooner, like writing scripts, fixing bugs, or making experiences shorter. However all the things typed into these methods leaves your organization community and could also be saved, logged, or reused. If that knowledge contains credentials, inside code, or shopper info, it turns into a straightforward leak level.
Attackers and insiders can retrieve this knowledge later, or fashions may by accident expose it in future outputs. One careless immediate can expose much more than anticipated.
✅ Add a security layer earlier than the AI. Use OpenGuardrails or related open-source frameworks to scan and block delicate textual content earlier than it is despatched to the mannequin. These instruments combine straight into your apps or inside chat methods.
✅ Pair it with DLP monitoring. Instruments like MyDLP or OpenDLP can watch outbound knowledge for patterns like passwords, API keys, or shopper identifiers.
✅ Create immediate insurance policies. Outline what workers can and might’t share with AI methods. Deal with prompts like knowledge, leaving your community.
Do not belief AI firms to maintain your secrets and techniques secure. Add guardrails to your workflow and control what leaves your area. You do not need delicate knowledge to finish up coaching another person’s mannequin.
Conclusion
Simply studying headlines will not lower it. These assaults present what’s coming subsequent—extra hidden, extra centered, and tougher to identify.
Whether or not you’re employed in security or simply wish to keep within the loop, this replace breaks it down quick. Clear, helpful, no additional noise. Take a couple of minutes and get caught up earlier than the subsequent large risk lands.
