Cyber OSINT Overview, Nov 3 - Nov 9, 2025 #

This brief consolidates key updates from 80+ sources, including government organizations, cybersecurity vendors, threat intelligence teams, security research labs, and blogs from cybersecurity communities and professionals. It highlights the most significant threats, vulnerabilities, and developments from the past week to keep you informed.

Most Discussed Topics #

• The integration and weaponization of Artificial Intelligence in cybersecurity is a dominant theme, with new reports detailing both offensive and defensive applications. Threat actors are now deploying AI-enabled malware like PROMPTFLUX and PROMPTSTEAL, which use LLMs at runtime to generate malicious code and evade detection. Concurrently, defenders are moving towards an “Agentic SOC” model, using AI for threat hunting, analysis, and response automation. This dual-use evolution is also creating new attack surfaces, with vulnerabilities being discovered in AI platforms like ChatGPT and threat actors using AI to enhance social engineering campaigns.

• Vulnerabilities in foundational open-source software and core infrastructure components continue to be a major focus, impacting a vast ecosystem of products. Numerous advisories highlighted critical flaws in the Linux Kernel, leading to risks such as denial of service, privilege escalation, and remote code execution. Similarly, multiple vulnerabilities were reported in the widely used cURL library, potentially causing information disclosure and security bypasses. Containerization technologies were also affected, with several high-severity vulnerabilities discovered in the runC container runtime that could allow for container escape and host compromise.

• Security concerns related to Industrial Control Systems (ICS) and Operational Technology (OT) are prominent, with numerous advisories from CISA detailing vulnerabilities in widely used equipment. Flaws were identified in products from vendors such as Advantech, ABB, Radiometrics, and Fuji Electric. These vulnerabilities could allow for remote code execution, unauthorized access via hardcoded credentials, and data manipulation. The risks highlighted include disruption of airport operations through weather system manipulation and unauthorized control of industrial controllers, emphasizing the need for robust security in critical infrastructure.

• Software supply chain security remains a critical area of focus, with attacks targeting developers and CI/CD pipelines through various vectors. Malicious npm packages were discovered delivering the Vidar infostealer by executing postinstall scripts, masquerading as legitimate SDKs. A critical remote code execution vulnerability (CVE-2025-11953) was also found in the widely-used React Native CLI package. Additionally, research highlighted the risk of AI assistants hallucinating non-existent software packages, which could lead to “slopsquatting” attacks if an adversary registers the package with malicious code.

Critical Vulnerabilities #

• Multiple vulnerabilities in Cisco products are being actively exploited, posing significant risks of remote code execution and denial of service. Critical flaws in Cisco Unified Contact Center Express (CVE-2025-20354 and CVE-2025-20358) allow unauthenticated attackers to upload arbitrary files and execute commands with root permissions. Additionally, a new attack variant targets Cisco Secure Firewall ASA and FTD devices by chaining vulnerabilities CVE-2025-20333 and CVE-2025-20362, which can cause an unexpected reload and lead to a DoS condition on unpatched systems.

• A zero-day vulnerability in Samsung’s Android image processing library (CVE-2025-21042) was exploited in the wild for months to deliver the ‘LANDFALL’ commercial spyware. The attack, possibly a zero-click exploit, used malicious DNG image files sent via WhatsApp to compromise Samsung Galaxy devices. Once installed, the spyware enabled comprehensive surveillance, including microphone recording, location tracking, and exfiltration of photos, contacts, and call logs. The campaign primarily targeted individuals in the Middle East and highlights an emerging attack vector in mobile device image processing libraries.

• CISA has added two actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, indicating an immediate risk to organizations. The first, CVE-2025-48703, is an unauthenticated remote code execution flaw in CWP (Control Web Panel) that allows attackers to inject shell commands. The second, CVE-2025-11371, is a vulnerability in Gladinet CentreStack and Triofox that permits external parties to access files and directories. Federal agencies are required to remediate these vulnerabilities, and all organizations are strongly urged to prioritize patching.

• Multiple vulnerabilities have been discovered in OpenAI’s ChatGPT, posing significant risks for data exfiltration and prompt injection. Tenable Research identified seven flaws, including some in the latest GPT-5 model, that could allow attackers to steal private user data from chat history and memories, bypass safety mechanisms, and achieve persistence. Separately, Microsoft detailed a side-channel attack named ‘Whisper Leak,’ which enables attackers to infer the topics of encrypted AI chat sessions by analyzing network traffic patterns like packet size and timing.

• A critical unauthenticated remote code execution vulnerability (CVE-2025-59287, CVSS 9.8) in Microsoft’s Windows Server Update Services (WSUS) is being actively exploited. The flaw is due to unsafe deserialization of untrusted data and allows attackers to execute arbitrary code with system privileges. Given that WSUS is a core component for patch management in enterprise networks, a compromise can provide a foothold for widespread network compromise. CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating immediate action for federal agencies.

• Multiple high-severity vulnerabilities have been discovered in runC, the underlying container runtime for Docker, Kubernetes, and other platforms, which could allow for container escape. The flaws (CVE-2025-31133, CVE-2025-52565, CVE-2025-52881) involve incorrect handling of masked paths and bind-mounts. A malicious or compromised container could exploit these issues to gain write access to the host filesystem, leading to remote code execution on the host, persistence, or denial-of-service attacks across a cluster. Users are urged to patch runC and update node images immediately.

• Multiple vulnerabilities have been patched in Apple products including iOS, iPadOS, macOS, tvOS, watchOS, and Safari, with the most severe allowing for arbitrary code execution. The flaws could be exploited by processing maliciously crafted web content, media files, or other inputs, potentially leading to memory corruption or unexpected system termination. Other issues could allow an app to bypass privacy preferences, break out of its sandbox, or access protected user data. While none are reported as actively exploited, users are urged to apply the updates immediately to mitigate risks.

Major Incidents #

• The DeFi platform Balancer V2 suffered a massive exploit resulting in the loss of $128.64 million across six different blockchain networks. The attack, which took place in under 30 minutes, leveraged a sophisticated exploit targeting a rounding error vulnerability in the platform’s ComposableStablePool contracts. Attackers were able to manipulate arithmetic precision loss during pool invariant calculations through a series of carefully crafted batchSwap operations, allowing them to artificially suppress token prices and drain liquidity.

• SonicWall confirmed that a nation-state actor was responsible for a security breach of its MySonicWall customer portal in September. The attackers gained access to the cloud backup service and stole firewall configuration files for every customer using the service. While SonicWall stated the attack was contained and did not impact its products or source code, the stolen configuration files contain sensitive data such as firewall rules and encrypted credentials, posing a significant risk to affected customers.

• The U.S. Congressional Budget Office (CBO) confirmed it was breached by a “complex foreign actor,” leading to an ongoing investigation. The incident may have exposed messages and chats between Congressional offices and CBO staffers. The agency has taken immediate containment actions and implemented new security controls. This attack follows a pattern of nation-state actors targeting U.S. federal agencies involved in finance and policy, including recent breaches at the Treasury Department and the Office of the Comptroller of the Currency (OCC).

• Japanese media giant Nikkei Inc. disclosed a data breach resulting from a malware infection on an employee’s computer. The attackers used stolen credentials to gain unauthorized access to Nikkei’s internal Slack workspace. The incident exposed the names, email addresses, and chat histories of 17,368 individuals, including employees and business partners. The company has reset passwords and reported the incident to Japan’s Personal Information Protection Commission.

• The University of Pennsylvania confirmed a data breach after an attacker used social engineering to compromise a single sign-on account. The unauthorized access affected systems related to development and alumni activities, resulting in data theft. The attacker also sent an offensive mass email to the university community from official addresses, falsely claiming a more extensive breach of student data. The university has since secured the systems and is investigating the extent of the data theft.

• A successful ransomware attack against Jaguar Land Rover (JLR) was significant enough to negatively impact the UK’s overall GDP growth, according to the Bank of England. The incident highlights the systemic economic risk posed by major cyberattacks on critical manufacturing and supply chain entities. While specific details of the attack were not provided, the acknowledgment from a central bank underscores the macroeconomic consequences that can result from a single corporate breach.

Emerging Threats #

• A novel commercial-grade Android spyware named LANDFALL has been identified targeting Samsung Galaxy devices in the Middle East. The spyware was delivered by exploiting a zero-day vulnerability (CVE-2025-21042) in Samsung’s image processing library. Attackers sent malicious DNG image files via WhatsApp, possibly enabling a zero-click infection that grants full surveillance capabilities, including microphone access, location tracking, and data exfiltration. The campaign has been active since mid-2024 and shows tactical overlaps with private-sector offensive actor (PSOA) operations.

• Google’s Threat Intelligence Group (GTIG) has identified the first instances of malware using Large Language Models (LLMs) during execution in active operations. Malware families such as PROMPTFLUX and PROMPTSTEAL dynamically generate malicious scripts and obfuscate their own code at runtime. This marks a shift from using AI for productivity to deploying novel, adaptive malware that creates malicious functions on demand, representing a significant evolution in threat capabilities. Researchers at SentinelOne also detailed hunting techniques for this new class of threat, which they term “LLM-enabled malware.”

• The North Korean threat group Kimsuky has been observed using a new multi-stage infection chain initiated by a JavaScript dropper. The initial dropper is unobfuscated and serves to download additional payloads from adversary-controlled infrastructure. This activity is part of the group’s ongoing espionage operations, which primarily target government entities and subject matter experts. Researchers analyzed the dropper and its associated network traffic to detail the infection process.

• Cephalus, a new financially motivated ransomware group, is gaining initial access by exploiting stolen Remote Desktop Protocol (RDP) credentials for accounts that do not have multi-factor authentication (MFA) enabled. The group uses customized, Go-based ransomware that disables security tools like Windows Defender and deletes volume shadow copies to prevent recovery. To pressure victims, Cephalus proves data exfiltration by providing links to stolen data in their ransom notes.

• The Gootloader malware has resurfaced with updated obfuscation and persistence techniques. Recent infections show the threat actor using custom WOFF2 web fonts with glyph substitution to hide malicious filenames and moving from scheduled tasks to the Startup folder for persistence. Post-infection, access is often transferred to the Vanilla Tempest group, which has been observed compromising domain controllers within hours of initial access to deploy ransomware such as Rhysida and BlackCat.

• China-linked threat actors are maintaining a focus on U.S. organizations involved in policy-making, demonstrating a persistent interest in espionage. In a recent campaign, attackers compromised a U.S. non-profit for several weeks, using tactics like DLL sideloading with a legitimate Vipre Antivirus executable (vetysafe.exe). The TTPs observed in the attack have been previously associated with various Chinese APT groups, including Kelp (Salt Typhoon), Space Pirates, and subgroups of APT41, indicating a shared or overlapping operational playbook.

• Malicious actors are increasingly targeting software supply chains by publishing trojanized packages to public repositories like npm. A recent campaign involved 17 npm packages masquerading as SDKs, which contained downloader malware executed via postinstall scripts. This malware ultimately deployed the Vidar infostealer on Windows systems. This marks the first known public disclosure of Vidar being distributed through npm, highlighting the continued abuse of package managers as an initial access vector.

Regulatory and Policy Updates #

• CISA has added two new actively exploited vulnerabilities, CVE-2025-48703 and CVE-2025-11371, to its Known Exploited Vulnerabilities (KEV) Catalog. The first vulnerability is a command injection flaw in CWP Control Web Panel, while the second affects Gladinet CentreStack and Triofox, allowing unauthorized access to files. In accordance with Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to remediate these vulnerabilities by the specified deadlines to protect against active threats.

• The U.S. government is increasing its strategic focus on technology competition with China, particularly in telecommunications and emerging tech sectors. Congressional leaders are pressing for a comprehensive strategy on 6G to avoid repeating past mistakes with 5G, which allowed Chinese firms like Huawei to gain significant global influence. In parallel, House GOP leaders are calling for the Commerce Department to investigate and potentially restrict Chinese-made products in over a dozen industries, including AI and industrial control systems, citing national security risks.

• The Pentagon has released a revised model to enhance its cyber force capabilities, focusing on talent recruitment, training, and operational readiness. The plan includes the creation of three new organizations: a Cyber Innovation Warfare Center, an Advanced Cyber Training and Education Center, and a new structure for tactical-level support. However, the implementation timeline is protracted, with some initiatives not expected to be fully operational until the early 2030s, which may intensify calls from Congress and experts for the creation of a separate U.S. Cyber Force.

• The European Commission is moving to address antitrust concerns regarding SAP’s software licensing and maintenance practices. Following an investigation into potentially anti-competitive behavior in the on-premises ERP support market, SAP is expected to submit formal concessions. The investigation focuses on practices that may restrict customers from using rival support providers, such as bundling support services and charging prohibitive fees for returning to SAP support. The outcome is particularly significant for customers managing the transition from legacy SAP systems.

Security Operations #

• The UK’s National Cyber Security Centre (NCSC) is retiring its public Web Check and Mail Check services, signaling a shift towards reliance on commercial solutions. The agency advises that the capabilities offered by these free tools are now widely available in commercial External Attack Surface Management (EASM) products. This move encourages organizations to adopt more comprehensive, commercially supported tools for monitoring and securing their internet-facing assets.

• VirusTotal has launched its ‘#MonthOfVTSearch’ initiative for November, offering all enterprise customers uncapped manual searches through its web interface without consuming API quota. This move is designed to encourage threat hunting and exploration of the platform’s advanced search capabilities. Daily search query examples will be shared on social media to help users sharpen their threat analysis skills and uncover new insights from VirusTotal’s extensive dataset.

• The MITRE ATT&CK framework has been updated to enhance its coverage of modern threat landscapes, including new intelligence on attacks targeting cloud and development environments. The latest version incorporates specific tactics and techniques related to Kubernetes, continuous integration/continuous delivery (CI/CD) pipelines, and cloud databases. This expansion provides defenders with a more comprehensive knowledge base for modeling threats and improving detection and response strategies in these increasingly targeted areas.

• The OWASP Foundation has released its updated Top 10 list for 2025, outlining the most critical security risks to web applications. This widely recognized standard serves as a key resource for developers and security professionals to prioritize their efforts in mitigating common vulnerabilities. The latest list reflects changes in the threat landscape, including risks associated with modern application architectures and development practices. Organizations are encouraged to review the new list to align their security testing and remediation strategies accordingly.

• Google’s 2026 Cybersecurity Forecast predicts a major shift in security operations, with AI agents becoming integral to the Security Operations Center (SOC). This “Agentic SOC” model will see analysts directing AI to handle routine tasks like data correlation and incident summarization, freeing them to focus on high-level strategy and validation. This evolution will necessitate new approaches to identity and access management for AI agents to ensure they operate under the principle of least privilege, transforming the roles of security analysts and the architecture of defensive tools.

Wins #

• Aleksei Olegovich Volkov, a 25-year-old Russian national, pleaded guilty in a U.S. court for his role as an initial access broker for the Yanluowang ransomware group. Operating from Russia between 2021 and 2022, Volkov targeted at least seven U.S. businesses by exploiting vulnerabilities and selling network access to co-conspirators. He faces a maximum penalty of up to 53 years in prison and is required to pay nearly $9.2 million in restitution to the victims.

• In a significant international law enforcement operation, nine individuals have been arrested across Europe in connection with a €600 million cryptocurrency laundering scheme. The coordinated bust highlights a major success in combating large-scale financial cybercrime. The arrests disrupt a substantial network responsible for laundering illicit funds, demonstrating increased collaboration among European authorities to tackle complex cross-border criminal activities involving digital assets.

• Malwarebytes demonstrated strong performance in mobile security by achieving a 100% detection rate in the AV-Comparatives Stalkerware Test 2025. The test evaluated 13 leading Android security applications against 17 different stalkerware-type apps. Malwarebytes was the only product to detect all tested samples, showcasing its effectiveness in identifying and protecting users from covert surveillance software. This result highlights the company’s commitment as a founding member of the Coalition Against Stalkerware.

• A federal judge has concluded the legal proceedings against Paige Thompson, the hacker responsible for the 2019 Capital One data breach that affected over 100 million people. After an appeals court vacated her initial sentence, the judge reimposed a sentence of time served plus five years of supervised release. While prosecutors argued for a prison term, the judge cited Thompson’s mental health, acceptance of responsibility, and compliance during supervision as factors, bringing a definitive end to this high-profile case.

Disclaimer #

The summaries in this brief are generated autonomously by a LLM based on provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.

The brief is created in collaboration with BlackStork and is based on a free template.

Reach out if you have questions or suggestions.