The App Looked Legit. The Fraud Was Even Better.
Group-IB reports that a financially motivated actor it tracks as GoldFactory used smishing/vishing/phishing and government-service impersonation to push malicious APKs and trojan droppers that install modified banking apps across parts of APAC, enabling remote control, data theft, and fraud by bypassing app security controls.
Dec 16, 2025 · 17 min read


Your Dream Job, Sponsored by PureRAT
A malware campaign attributed to PureRAT targets job seekers via email lures using archived “HR documents” that drop a Foxit Reader–branded executable for DLL side-loading, then runs batch/Python staging (including base64-downloaded loader), sets persistence via an autorun registry entry, and steals browser data while communicating with attacker infrastructure.
Dec 16, 2025 · 15 min read


The Case of the Vanishing Attachment and the Stolen Login
In 2025, the Russia-nexus Calisto intrusion set used spearphishing, trusted-contact impersonation, and redirector-based credential harvesting (including AiTM-style tactics) to target NGOs and other entities linked to Ukraine support, including Reporters Without Borders.
Dec 15, 2025 · 13 min read


Nice Extension You’ve Got There… Shame If It Updated
A long-running malicious browser-extension ecosystem (“ShadyPanda”) that used trusted marketplace distribution and silent updates to enable large-scale surveillance (URLs, searches, clicks, fingerprints) and, in some cases, hourly remote code execution via downloaded JavaScript, affecting millions of Chrome and Edge users.
Dec 15, 2025 · 17 min read


TL;DR — MITRE Top 25 CWE for 2025: It’s Not Zero-Days, It’s Your Auth, Inputs, and Uploads... Again
An examination of the MITRE Top 25 CWE for 2025.
Dec 12, 2025 · 27 min read


BRICKSTORM: Because Your Hypervisor Needed a Midlife Crisis
PRC state-sponsored cyber actors are deploying the BRICKSTORM backdoor to maintain long-term, stealthy access to VMware vSphere and related Windows infrastructure in government and IT organizations, enabling persistent control, lateral movement, and data exfiltration.
Dec 9, 2025 · 18 min read


When Your WhatsApp Group Chat Turns Into a Banking Trojan Support Group
The Water Saci campaign in Brazil uses layered, multi-format malware delivered via socially engineered WhatsApp messages, with AI-assisted scripting, to propagate a banking trojan that targets Brazilian banking and cryptocurrency users while evading traditional endpoint defenses.
Dec 9, 2025 · 18 min read


When Your Endpoint Says “New Remote Tool Installed” and You Didn’t Hire Anyone
Iran-aligned MuddyWater is running a focused cyberespionage campaign against Israeli and Egyptian organizations, deploying new custom tools such as the Fooder loader, MuddyViper backdoor, credential stealers, and reverse tunnels to improve stealth, persistence, and credential theft against government and critical infrastructure networks.
Dec 9, 2025 · 22 min read


When Your Phone Decides It Likes the Hacker More Than You
Albiriox is a newly emerged Android RAT sold as a malware-as-a-service that uses social-engineering droppers, accessibility-driven VNC remote control, and overlay attacks to enable Russian-speaking threat actors to perform on-device banking and crypto fraud against users of hundreds of financial apps worldwide.
Dec 9, 2025 · 17 min read


When Your Toaster Joins a Botnet: ShadowV2’s World Tour
Open-source reporting indicates that a Mirai-based botnet variant named ShadowV2 is exploiting known vulnerabilities in widely deployed IoT devices across multiple countries and industries to build a DDoS-capable botnet, with recent activity during a global AWS outage assessed as a likely test run for future attacks.
Dec 3, 2025 · 18 min read


How to Lose Crypto and Alienate Developers: A Guide by OtterCookie
Open-source reporting indicates that North Korean state-sponsored operators are running the “Contagious Interview” campaign, using malicious npm packages, GitHub, and Vercel infrastructure, and the OtterCookie malware family to compromise blockchain and Web3 developers, exfiltrate credentials and wallet data, and remotely control infected systems for digital asset theft and espionage.
Dec 3, 2025 · 21 min read


The Ministry of Just Kidding: How Bloody Wolf Turns PDFs into Remote Control
“Bloody Wolf” is actively expanding spear-phishing campaigns across Central Asia by impersonating Ministries of Justice and using custom JAR loaders to deploy the legitimate NetSupport RAT for persistent remote access and low-profile operations.
Dec 2, 2025 · 16 min read


Driver’s Ed for Criminals: How Ransomware Learns to Run Over Your Defenses
Open-source reporting indicates that threat actors deploying Qilin ransomware are using a previously undocumented Windows malware packer, TangleCrypt, to hide and launch the STONESTOP EDR-killer with the ABYSSWORKER driver, using multi-layered encoding and flexible injection techniques but with implementation flaws that can cause crashes and reduce reliability.
Dec 2, 2025 · 19 min read


Secrets, Spice, and Sudden Deletion: Shai-Hulud’s Destructive Turn
November 30th, 2025. Synopsis: The analysis shows that Shai-Hulud 2.0 is a highly capable supply-chain threat that compromises CI/CD workflows, developer accounts, and cloud secret stores to harvest credentials, weaponize npm packages, and propagate automatically across dependent systems, creating a scalable and repeating compromise pattern. This understanding shapes strategic decisions by requiring stronger governance over software-supply-chain risk, dependency management, and
Nov 30, 2025 · 24 min read


TA569’s Fake Update Pop-Up: Now Featuring a Cameo by Russian Intelligence
Arctic Wolf Labs reports that RomCom, a Russian-aligned threat group, was observed delivering its Mythic Agent loader through the SocGholish framework for the first time, targeting a U.S. engineering firm with ties to Ukraine.
Nov 26, 2025 · 18 min read


Ferrets
Fake LinkedIn jobs trick Mac users into downloading Flexible Ferret malware
Nov 26, 2025 · 15 min read