Major Incidents or Breaches

  • Salesforce reported unauthorized data access via Gainsight-linked OAuth activity; Salesforce revoked the associated refresh tokens and is investigating possible theft of customer data.
  • Italy’s national railway operator, FS Italiane Group, suffered a data breach after its IT services provider, Almaviva, was compromised. A threat actor claims to have stolen 2.3TB of data.
  • CTM360 exposed a global WhatsApp hijacking campaign (“HackOnChat”) leveraging deceptive authentication portals and impersonation pages to compromise accounts.
  • Over 50,000 Asus routers were compromised in “Operation WrtHug,” attributed to a Chinese threat actor exploiting known vulnerabilities in discontinued devices.
  • A vulnerability, now patched, previously allowed scraping of up to 3.5 billion WhatsApp accounts.
  • Researchers reported that some budget Samsung phones were shipped with unremovable spyware (“AppCloud”) in certain regions.
  • A TV streaming piracy platform, Photocall, with 26 million annual users, was shut down following an investigation by ACE and DAZN.

Newly Discovered Vulnerabilities

  • A high-severity SonicOS SSLVPN vulnerability in SonicWall firewalls can allow attackers to crash devices. SonicWall has urged immediate patching.
  • D-Link disclosed three remote command execution vulnerabilities affecting all models and hardware revisions of the now end-of-life DIR-878 router.
  • A two-year-old, unpatched security flaw in the Ray open-source AI framework is being actively exploited by the ShadowRay 2.0 botnet to compromise clusters with NVIDIA GPUs.
  • A recent 7-Zip vulnerability is being exploited in the wild, with proof-of-concept code available for remote code execution.
  • Oracle patched CVE-2025-61757 in Oracle Identity Manager, a vulnerability allowing attackers to escalate privileges.
  • Researchers highlighted ongoing malicious scanning against Palo Alto Networks GlobalProtect VPN portals, with 2.3 million scan sessions detected since 14 November 2025.

Notable Threat Actor Activity

  • The Tsundere botnet, active since mid-2025, is expanding and targeting Windows users. It abuses Node.js and the Ethereum blockchain for command and control, spreading via MSI installers, PowerShell scripts, and game-related lures.
  • A Chinese APT group (“PlushDaemon”) is infecting routers to hijack software updates, primarily targeting Chinese organizations.
  • China-linked APT24 has been using the previously undocumented “BadAudio” malware in a three-year espionage campaign, recently adopting more sophisticated attack methods.
  • Russian bulletproof hosting providers Media Land and Hypercore, along with their leadership, were sanctioned by the US and allies for facilitating cybercriminal activities.
  • A Russian hacking suspect wanted by the FBI was arrested in Thailand following an FBI tip-off.
  • The “Eternidade” WhatsApp Trojan is self-propagating in Brazil, combining infostealer, banking malware, and worm capabilities, specifically targeting Brazilian Portuguese speakers.

Trends, Tools, or Tactics of Interest

  • Ransomware attacks surged globally in October 2025, with over 700 organizations affected, according to Cyfirma.
  • Mobile phishing attacks are projected to increase fourfold during the holiday season as attackers exploit seasonal shopping behaviors.
  • The Sturnus Android banking trojan, currently in development, targets users in Europe and is capable of capturing messages from encrypted apps (Signal, WhatsApp, Telegram) and hijacking devices for financial fraud.
  • The dark web job market remains active, with over 2,000 job-related posts observed between January 2023 and June 2025, indicating ongoing professionalization among cybercriminals.
  • The “Matrix Push” C2 tool is being used to hijack browser notifications for phishing purposes.
  • OSINT (open-source intelligence) remains a critical tool for both attackers and defenders in identifying exposures within an organization's digital footprint.
  • Heisenberg Dependency Health Check, a new GitHub Action, provides automated supply chain risk assessment by flagging risky dependencies in pull requests.
  • Cisco and other vendors are highlighting the increasing risks posed by aging network infrastructure, especially in the context of generative AI-driven attacks.
  • Budget Samsung phones in certain regions are shipped with pre-installed, unremovable spyware, raising concerns over supply chain and device security.

Regulatory or Policy Developments

  • The US and allied governments imposed sanctions on Russian bulletproof hosting service providers Media Land and Hypercore for their roles in supporting cybercriminal activities.
  • The founders of the Samourai cryptocurrency mixer were sentenced to prison for laundering over $237 million.
  • Windows 10 end-of-support is driving organizations to migrate to Windows 11, with security implications for unsupported systems.
  • Mozilla formally ended its partnership with Onerep, an identity protection service previously offered via Firefox.