Greetings to this week’s installment of the Cybersecurity News Weekly Newsletter, where we analyze the most recent dangers disrupting the digital realm. As cyber threats progress more swiftly than ever, staying informed entails comprehending the vulnerabilities that might affect your devices, networks, and data.
This summary highlights zero-day weaknesses in Android and Cisco systems, significant flaws in Microsoft Teams, the emergence of HackedGPT as a weaponized AI asset, and a substantial data breach from OpenAI’s Whisper transcription service. These narratives emphasize the pressing requirement for proactive measures in an age of complex attacks.
Beginning with mobile security, a recently uncovered zero-day in Android’s kernel has left countless devices vulnerable to remote code execution. Google has quickly issued a fix, but unpatched devices remain at high risk, particularly in corporate environments that rely on BYOD policies. Exploited in the wild by state-sponsored actors, this vulnerability has prompted urgent advisories, a reminder of why timely firmware updates are essential for infrastructure protection.
Transitioning to collaboration platforms, Microsoft Teams contains multiple high-risk vulnerabilities, including a privilege escalation flaw that allows authenticated users to access sensitive administrator functions. These issues, outlined in Microsoft’s September Patch Tuesday, could enable lateral movement in hybrid work configurations, where Teams acts as a gateway to organizational resources. Organizations should prioritize patching to reduce phishing and insider threats magnified by these vulnerabilities.
In the realm of AI, HackedGPT surfaces as a concerning advancement: a modified iteration of ChatGPT fine-tuned for malicious intents, capable of creating phishing emails, malware scripts, and even social engineering texts.
Experts caution that this “jailbroken” AI makes cybercrime more accessible, lowering barriers for inexperienced attackers. Moreover, a significant data breach from OpenAI’s Whisper API has uncovered over 1.5 million audio files, including confidential exchanges from the healthcare and financial sectors.
The breach, linked to improperly configured cloud storage, underscores the privacy pitfalls inherent in AI-driven transcription tools and the cascading hazards when voice data lands in malicious hands.
These occurrences reveal a shared theme: the intersection of legacy systems, swift technology adoption, and human error fostering exploits. As we delve deeper into each story with professional insights, patch suggestions, and threat mitigation tactics, keep in mind that vigilance begins with awareness. Stay safe, and let’s explore the details below.
Threats
Hackers Deliver SSH-Tor Backdoor Via Weaponized Military Documents
In October 2025, Cyble analysts revealed a state-sponsored cyber espionage campaign using weaponized Belarusian military documents to deploy an advanced SSH-Tor backdoor targeting defense sector personnel, particularly those involved in unmanned aerial vehicle operations. The malware bundles OpenSSH for Windows with a tailored Tor hidden service using obfs4 obfuscation, giving the operators anonymous access to SSH, RDP, SFTP, and SMB on compromised systems. The multi-stage infection chain uses nested ZIP files and LNK files with anti-analysis checks, such as counting LNK files and running processes, to evade sandboxes, and maintains persistence through scheduled tasks. Attribution points, with moderate confidence, to UAC-0125/Sandworm (APT44), a Russia-linked group, with methods mirroring the December 2024 Army+ campaign.
Ukrainian National Extradited Over Conti Ransomware
Oleksii Oleksiyovych Lytvynenko, a 43-year-old Ukrainian citizen, was extradited from Ireland to the United States to face accusations for his involvement in the Conti ransomware conspiracy from 2020 to June 2022. The operation breached networks, encrypted data, and sought cryptocurrency ransoms, impacting over 1,000 victims across 47 US states and 31 nations, earning at least $150 million by January 2022. Conti was the leading ransomware variant targeting key infrastructure in 2021, with Lytvynenko allegedly overseeing stolen data and ransom notices, including extorting over $500,000 in Tennessee. Arrested in July 2023 by Irish authorities at US request, he faces up to 25 years if found guilty of conspiracy to perpetrate computer and wire fraud. This case highlights ongoing US efforts to dismantle global ransomware networks, with over 180 convictions since 2020.
Phishing Attack That Abuses Cloudflare Services
A Russian-speaking threat actor is exploiting Cloudflare’s Pages and Workers services to host phishing sites masquerading as DMCA takedown notices, misleading victims into downloading harmful files. The campaign directs users to malicious .lnk documents via the “search-ms” protocol, which execute PowerShell scripts that download ZIP archives containing Python-based payloads linked to Pyramid C2 servers for remote management. Over 20 domains have been identified, many reusing file names but altering contents, hosted on networks like Railnet LLC with exposed directories supporting payload staging. This method utilizes legitimate Cloudflare domains like pages.dev and workers.dev for credibility, enabling widespread dissemination through social engineering.
New TruffleNet BEC Campaign Leverages AWS SES
FortiGuard Labs detected the TruffleNet campaign exploiting stolen AWS credentials to abuse Simple Email Service (SES) for large-scale Business Email Compromise (BEC) campaigns, mainly targeting the oil and gas industry. The infrastructure encompasses over 800 hosts across 57 networks, employing TruffleHog for credential validation and Portainer for management, with initial API calls like GetCallerIdentity and GetSendQuota to verify access. Attackers fabricate email identities with pilfered DKIM keys from compromised WordPress sites, impersonating vendors like ZoomInfo to dispatch fraudulent $50,000 ACH invoices to typosquatted domains. The tiered setup includes US-based providers like WS Telecom and Hivelocity, with open ports repurposed for operations, and FortiCNAPP detected anomalies through behavioral indicators.
Threat Actors Leverage RMM Tools for Attacks
Threat actors are increasingly utilizing legitimate Remote Monitoring and Management (RMM) tools as initial-stage payloads in email campaigns for information gathering, financial fraud, lateral movement, and ransomware deployment. This pattern corresponds with a reduction in conventional loaders and botnets, as RMMs offer strong remote functionality with built-in legitimacy, successfully evading detection in corporate settings. Instances include Hunters International utilizing AnyDesk and ScreenConnect for ongoing access in a UK manufacturing breach, keeping the tools active for over a month prior to ransomware execution. Numerous commercial and open-source RMMs have been misused for initial infiltration and data exfiltration, blurring the distinction between administrative operations and malicious intent.
RondoDox Botnet Enhances Arsenal with Broadened Exploits
The RondoDox botnet has transitioned to version 2, growing from two exploits aimed at DVRs to more than 75 vectors spanning IoT and corporate devices, representing a 650% increase since it was first observed in September 2024. Identified on October 30, 2025, through honeypots from IP 124.198.131.83, it exploits CVEs such as Shellshock (CVE-2014-6271), Dasan GPON (CVE-2018-10561), and recent vulnerabilities in TBK DVRs (CVE-2024-3721). This transition connects IoT opportunism to corporate targeting, analyzed by Beelzebub’s AI deception platform, which captured the complete attack sequence. FortiGuard Labs and Trend Micro have monitored its expansion, emphasizing vulnerabilities across a decade of CVEs related to routers and applications.
XLoader Malware Evaluated Utilising ChatGPT
Investigators employed ChatGPT to expedite reverse engineering of XLoader, a successor to FormBook that has advanced since 2020, decrypting over 100 functions and breaking modified RC4 algorithms in hours as opposed to days. The AI process exported IDA Pro data for static examination, extracting runtime elements like encryption keys and C2 data via real-time debuggers, deobfuscating API calls concealed by custom hashing. XLoader utilizes runtime decryption and multi-layer encryption with concealed keys, frequently updating to resist analysis, making AI-assisted dissection a transformative advantage for malware teams.
Malicious Actors Might Exploit VS Code Extensions
Actors linked to North Korea are uploading malicious Visual Studio Code (VS Code) extensions to Microsoft’s marketplace, mimicking popular tools such as Prettier to facilitate supply chain assaults on developers. Extensions execute with full user permissions without sandboxing, permitting arbitrary code execution, file alteration, and data theft once installed. Attackers take advantage of the marketplace’s absence of unique name enforcement and bypass validation badges, with a proof of concept fake Prettier extension installed over 1,000 times before its deletion. Users ought to validate sources, reviews, and download statistics to minimize threats from this developer-focused vector.
Cyberattack
WSUS Port Scanning Surge
Cybersecurity analysts have noted a significant surge in scans targeting TCP ports 8530 and 8531 linked to Windows Server Update Services (WSUS) infrastructure. This activity is associated with CVE-2025-59287, a critical flaw permitting remote code execution without authentication, allowing attackers to execute arbitrary scripts on vulnerable servers. Malicious actors adopt a reconnaissance-to-exploitation approach, and specialists advise reviewing exposed WSUS instances for breaches, applying updates, and segmenting networks to mitigate hazards. This vulnerability impacts multiple WSUS versions with a CVSS score of 9.8, necessitating immediate isolation and forensic investigation for internet-facing systems.
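The reconnaissance phase described above leaves a recognisable footprint: one source touching TCP 8530/8531 on many different hosts, whereas a legitimate WSUS client talks to one update server. The script below is an added example (not from the article or any vendor) that flags such sweeps in firewall logs; the key=value log format and the IP addresses are constructed for illustration, and `min_targets` is an assumed threshold to tune for your environment.

```python
"""Flag sources sweeping the WSUS ports (TCP 8530/8531) across many hosts.

Added example for this newsletter item; the log format below is constructed
for illustration and is not any particular firewall's native format.
"""
import re
from collections import defaultdict

WSUS_PORTS = {8530, 8531}

# Key=value style firewall records (constructed sample format).
_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Return the key=value fields of one log line as a dict."""
    return dict(_FIELD.findall(line))


def find_wsus_sweeps(lines, min_targets: int = 5) -> dict:
    """Return {src_ip: sorted distinct dst_ips} for every source that touched
    a WSUS port on at least `min_targets` distinct hosts.

    A legitimate WSUS client reaches one (or a few) update servers, so one
    source hitting 8530/8531 on many hosts looks like port-scan reconnaissance.
    """
    targets = defaultdict(set)
    for line in lines:
        f = parse_line(line)
        try:
            dport = int(f.get("dport", -1))
        except ValueError:
            continue  # malformed record, skip it
        if f.get("proto") != "tcp" or dport not in WSUS_PORTS:
            continue
        if "src" in f and "dst" in f:
            targets[f["src"]].add(f["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


def _rec(src, dst, dport, proto="tcp", action="deny"):
    """Build one constructed log record."""
    return (f"2025-11-03T10:00:01Z fw01 action={action} src={src} "
            f"dst={dst} proto={proto} dport={dport}")


# Constructed sample: one scanner sweeping six hosts, one normal WSUS client,
# some unrelated HTTPS traffic and a UDP record that must be ignored.
SAMPLE_LOG = (
    [_rec("198.51.100.7", f"10.0.0.{i}", 8530) for i in range(1, 7)]
    + [_rec("198.51.100.7", "10.0.0.3", 8531)]
    + [_rec("10.0.5.20", "10.0.0.10", 8530, action="allow")] * 3
    + [_rec("203.0.113.9", f"10.0.0.{i}", 443) for i in range(1, 9)]
    + [_rec("203.0.113.9", "10.0.0.2", 8530, proto="udp")]
)

if __name__ == "__main__":
    for src, dsts in find_wsus_sweeps(SAMPLE_LOG).items():
        print(f"possible WSUS sweep from {src}: {len(dsts)} hosts -> {dsts}")
```

Denied and allowed records are counted alike on purpose: a scan that is blocked at the perimeter is still the early warning that an exposed WSUS instance is being looked for, and the sources it reports are the ones to correlate with the CVE-2025-59287 patch status of the targeted hosts.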
Malvertising Featuring PuTTY and Teams
A continuous malvertising initiative is spreading OysterLoader malware through fake advertisements for legitimate applications such as PuTTY and Microsoft Teams on Bing search results. Associated with the Rhysida ransomware faction, this operation utilizes code-signing certificates and obfuscation to avoid detection, with over 40 certificates compromised since June 2025. Attackers disguise themselves as popular software to deliver initial access payloads, enabling ransomware activation within corporate networks.
Rhysida’s strategies have intensified, incorporating the exploitation of Microsoft’s Trusted Signing service, prompting the revocation of over 200 certificates while operations carry on.
XWiki Eval Injection Vulnerability
The XWiki Platform is afflicted by CVE-2025-24893, a serious eval injection weakness in its SolrSearch functionality that enables unauthenticated remote code execution. Added to CISA’s Known Exploited Vulnerabilities list on October 30, 2025, this flaw allows attackers to craft requests that execute arbitrary code, endangering wiki installations used in educational, governmental, and corporate environments. Consequences include data exfiltration, malware deployment, and network pivoting, affecting versions below 15.10.11, 16.4.1, and 16.5.0RC1.
Mitigation strategies involve applying patches to fixed releases or adjusting the SolrSearchMacros file to enforce secure content types; CISA mandates immediate action per BOD 22-01.
Curly COMrades Attack Innovations
The Curly COMrades threat actor group utilizes innovative techniques employing legitimate Windows tools for persistent access and evasion in targeted operations. This advanced persistent threat harnesses system-native components to establish backdoors and sustain footholds, posing risks to corporate environments. Their methodology emphasizes COM object manipulation for covert persistence, underscoring the hazards of living-off-the-land tactics. Organizations should keep an eye on unusual Windows API calls and implement behavioral detection to counter such evasive actions.
PROMPTFLUX AI-Enhanced Malware
Google Threat Intelligence has revealed PROMPTFLUX, a prototype VBScript-based malware family that integrates Google’s Gemini API for real-time code obfuscation and evasion. Functioning as a dropper disguised as installers, it queries the “gemini-1.5-flash-latest” model to generate scripts that bypass antivirus, representing the first instance of “just-in-time” AI application in malware. Advanced features include hourly self-mutation and lateral movement to drives, although currently still in testing phases. Google has disabled related API keys, and security measures stress monitoring unusual API traffic and limiting model access within corporate contexts.
NGate NFC Relay Attacks
NGate malware targets Android users in Poland through phishing, enabling unauthorized ATM cash withdrawals via NFC data relay without physical card theft. Distributed as counterfeit banking applications, it captures card information and PINs during “verification” taps, relaying them to attacker devices at ATMs via a C2 server. The infection utilizes encrypted configurations and Host Card Emulation to replicate legitimate payment services, avoiding standard security checks. Users should confirm applications from official sources and reach out to banks directly for suspicious calls; technical analysis indicates cleartext TCP exfiltration of sensitive information.
Vulnerabilities
Cisco ASA/FTD RCE Exploitation
Cisco reports active exploitation of CVE-2025-20333, a severe buffer overflow in the VPN web server of Secure Firewall ASA and FTD software, allowing authenticated attackers to execute code as root. Disclosed on September 25, 2025, with a CVSS score of 9.9, it affects configurations with AnyConnect IKEv2 or SSL VPN enabled, and can result in data exfiltration or DoS through device restarts. No workarounds are available, necessitating upgrades to fixed versions like ASA 9.18.4.19. Administrators should evaluate VPN configurations and enable multifactor authentication to reduce exposure in perimeter defenses.
Windows Graphics RCE Vulnerabilities
Numerous vulnerabilities in Microsoft’s Graphics Device Interface (GDI) allow remote attackers to run arbitrary code or extract data via malformed Enhanced Metafile (EMF) formats. Identified through fuzzing by Check Point, these problems affect Windows 10/11 and Office applications, with exploits feasible via manipulated documents or images without user involvement. Corrected in 2025 updates like KB5058411, they underscore dangers in outdated graphics processing, rated up to Critical (CVSS 9.8).
WSUS Patch Breaks Hotpatching
Microsoft’s October 2025 update for CVE-2025-59287, a serious WSUS RCE vulnerability, disrupted hotpatching on certain Windows Server 2025 systems by prematurely pushing to enrolled devices. Affected servers now necessitate reboots for updates until a January 2026 baseline reestablishes them, while unimpacted systems receive layered fixes seamlessly. This incident emphasizes the challenges of zero-downtime patching for enterprise settings relying on WSUS.
Apple Patches Critical iOS Flaws
Apple’s iOS 26.1 and iPadOS 26.1 updates rectify over 50 vulnerabilities across WebKit, Kernel, and Accessibility, thwarting privacy violations, app failures, and sandbox breaches on iPhone 11+ and compatible iPads. Major fixes address permissions issues permitting app detection (CVE-2025-43442) and malicious screenshotting (CVE-2025-43455), in addition to WebKit use-after-free defects enabling code execution. Reported by researchers from ByteDance and Google, these patches strengthen defenses against targeted malware and web exploits.
Android Zero-Click RCE Bug
Google’s November 2025 bulletin reveals CVE-2025-48593, a critical zero-click RCE in Android’s System component, permitting remote code execution through network packets or nefarious applications on AOSP versions 13-16. No user interaction is required, posing a risk of total device compromise, including data theft or botnet inclusion. An accompanying high-severity EoP vulnerability (CVE-2025-48581) further heightens concerns; users should apply the 2025-11-01 patch level without delay.
Microsoft Teams Feature Exposes Risks
Microsoft Teams’ “Chat with Anyone” function, permitting external email chats without validation, amplifies phishing avenues by enabling spoofed communications from attackers masquerading as contacts. This update, introduced in late 2025, circumvents traditional defenses, potentially resulting in credential theft or malware dissemination in hybrid working environments. With over 320 million users, organizations must enforce stringent external chat policies and monitor for unusual invitations to reduce social engineering vulnerabilities.
CWP OS Command Injection Exploited
CISA alerts to CVE-2025-48703, an OS command injection in Control Web Panel’s file manager, permitting arbitrary command execution with only a valid non-root username. Added to the KEV catalog on November 4, 2025, it is actively exploited via shell metacharacters in the t_total parameter, classified as CWE-78. Federal agencies must implement patches by November 25 or cease usage; administrators should scrutinize logs for dubious requests.
HackedGPT Vulnerabilities in ChatGPT
Tenable identified seven vulnerabilities in GPT-4o and GPT-5, including zero-click prompt injections via SearchGPT that facilitate data exfiltration from user memories without engagement. Attacks conceal malicious commands in websites or markdown, circumventing safety measures like url_safe for ongoing leaks across sessions. OpenAI has resolved a few through TRAs, but fundamental LLM risks remain; users should restrict sensitive data sharing in AI applications.
Chrome Emergency Update
Google’s Chrome 142 update resolves five vulnerabilities, including high-severity out-of-bounds writes in WebGPU (CVE-2025-12725) and V8 implementation flaws permitting RCE through harmful web content. Impacting Windows, macOS, and Linux, these could jeopardize systems during standard browsing; Omnibox errors facilitate phishing. Implement via “About Chrome” promptly, as details are limited to prevent exploitation.
Windows
New BOF Tool Targets Microsoft Teams Cookies
A specialized Beacon Object File (BOF) from Tier Zero Security exploits Microsoft Teams’ cookie encryption to retrieve authentication tokens without notifying users. The tool injects into the ms-teams.exe process, replicates file handles to the locked Cookies SQLite database, and decrypts values using the user’s DPAPI master key, permitting attackers to impersonate users and access chats, emails, and Microsoft Graph API data. This covert method adapts browser exploitation techniques, bypassing file-locking systems and revealing weaknesses in Teams’ security compared to fortified Chromium browsers. Organizations should track for process injections and enforce least-privilege execution to mitigate this risk.
Read more: https://cybersecuritynews.com/bof-tool-exploits-microsoft-teams/
Windows 11 Update Causes Task Manager Glitch
Microsoft’s KB5067036 optional update for Windows 11 versions 24H2 and 25H2 results in Task Manager remaining active in the background post-closure, consuming unnecessary resources. This recognized issue influences the utility’s termination behavior and includes enhancements to AI functionalities like Copilot Plus, alongside a non-removable servicing stack update KB5067035. Users can uninstall the cumulative update via DISM, but Microsoft recommends awaiting a solution in forthcoming releases. The dilemma underscores the necessity of testing optional updates prior to deployment in enterprise environments.
Read more: https://cybersecuritynews.com/windows-11-update-task-manager/
BitLocker Recovery Prompt After Windows Updates
Microsoft alerts that security updates from October 14, 2025, may cause BitLocker recovery screens on Intel-based Windows 11 (25H2/24H2) and Windows 10 (22H2) systems supporting Connected Standby. The glitch necessitates a one-time recovery key input upon restart but does not endanger data integrity. Affected versions include KB5066835 for Windows 11 and KB5066791 for Windows 10, with no impact on server variants. Mitigation entails implementing Known Issue Rollbacks via Microsoft Support or confirming the availability of recovery keys.
Read more: https://cybersecuritynews.com/windows-systems-bitlocker-recovery/
Cloud Files Driver Weakness Facilitates Escalation
CVE-2025-55680 in the Windows Cloud Files Mini Filter Driver (cldsync.sys) enables local privilege escalation through a TOCTOU race condition during file path validation. Attackers exploit this by altering kernel memory paths to establish symbolic links, injecting harmful DLLs into system processes like rasman for complete SYSTEM access. The vulnerability, rated 7.8 CVSS, impacts placeholder file operations and builds on previous Microsoft patches. Immediate patching is advised, as any authenticated user can attain kernel-level compromise.
Read more: https://cybersecuritynews.com/windows-cloud-files-vulnerability-exploited/
Teams “Chat with Anyone” Functionality Poses Phishing Risks
Microsoft Teams’ new capability, set to release in November 2025, permits users to initiate chats with external email addresses without necessitating a Teams account, allowing guest joins. This default configuration broadens phishing risks by permitting spoofed invitations to distribute malware or capture credentials within the platform. Dangers encompass data leaks and compliance concerns under GDPR, as interactions circumvent email filtering systems. Administrators can disable it through PowerShell by adjusting UseB2BInvitesToAddExternalUsers to false and enforcing MFA.
Read more: https://cybersecuritynews.com/microsoft-teams-chat-with-anyone-feature/
Active Directory Locations for Privilege Escalation
Hackers with write privileges on Active Directory sites can associate harmful Group Policy Objects (GPOs) to escalate privileges across domains, including forest roots. Permissions such as GenericAll or WriteGPLink enable the injection of commands that add attacker accounts to administrative groups on connected systems. This method circumvents SID filtering via forest-wide replication, allowing swift lateral movement. Organizations should scrutinize site permissions and monitor GPO alterations to avert domain compromise.
Read more: https://cybersecuritynews.com/active-directory-sites-escalate-privileges/
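Site objects live under CN=Sites in the Configuration partition, which every domain controller in the forest replicates; that is why a GPO linked at a site reaches machines in every domain, as the item above notes. The audit below is an added example (not from the article) that parses the real AD gPLink attribute, whose value is a concatenation of "[LDAP://<GPO DN>;<options>]" entries where option bit 0 marks a disabled link and bit 1 an enforced one, and reports active links to GPOs that are not on an allow-list. The sample gPLink string and both GPO GUIDs are constructed; on a live forest you would read the attribute from each site object (for example with LDAP) and feed the strings to `unexpected_links`.

```python
"""Audit gPLink values on AD site objects for unexpected GPO links.

Added example. gPLink is the real attribute that stores GPO links on
domains, OUs and sites; the sample value and GUIDs below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One link entry: [LDAP://<DN of the GPO>;<options>]
_LINK = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)
_GUID = re.compile(r"CN=\{([0-9A-F-]+)\}", re.IGNORECASE)


@dataclass(frozen=True)
class GpoLink:
    dn: str        # distinguished name of the linked GPO
    guid: str      # GPO GUID, upper-cased, without braces
    disabled: bool  # options bit 0: link present but disabled
    enforced: bool  # options bit 1: enforced (cannot be blocked below)


def parse_gplink(value: str | None) -> list[GpoLink]:
    """Split a gPLink attribute value into its individual links, in order."""
    links = []
    for dn, opts in _LINK.findall(value or ""):
        flags = int(opts)
        m = _GUID.search(dn)
        links.append(GpoLink(
            dn=dn,
            guid=m.group(1).upper() if m else "",
            disabled=bool(flags & 1),
            enforced=bool(flags & 2),
        ))
    return links


def unexpected_links(value: str | None, allowed_guids: set[str]) -> list[GpoLink]:
    """Return active (not disabled) links whose GPO is not on the allow-list.

    Disabled links are skipped because they do not apply, but a reviewer may
    still want to know who added them; extend as needed.
    """
    allowed = {g.upper() for g in allowed_guids}
    return [l for l in parse_gplink(value)
            if not l.disabled and l.guid not in allowed]


# Constructed sample: a site with the approved baseline GPO linked normally
# and an unknown GPO linked with the enforced flag (options = 2).
BASELINE_GUID = "11111111-2222-4333-8444-555555555555"   # constructed
UNKNOWN_GUID = "AAAAAAAA-BBBB-4CCC-8DDD-EEEEEEEEEEEE"    # constructed
SAMPLE_SITE_GPLINK = (
    f"[LDAP://CN={{{BASELINE_GUID}}},CN=Policies,CN=System,DC=corp,DC=example;0]"
    f"[LDAP://CN={{{UNKNOWN_GUID}}},CN=Policies,CN=System,DC=corp,DC=example;2]"
)

if __name__ == "__main__":
    for link in unexpected_links(SAMPLE_SITE_GPLINK, {BASELINE_GUID}):
        flag = " (ENFORCED)" if link.enforced else ""
        print(f"unexpected GPO link on site: {link.guid}{flag} -> {link.dn}")
```

Running this against every site object on a schedule, and diffing the result against the previous run, turns the "monitor GPO alterations" advice into a concrete control; pair it with a review of who holds WriteGPLink or GenericAll on CN=Sites, since those are the rights the item above describes as sufficient to add such a link.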
Other Updates
Dark Web Credential Breaches
Proton introduced the Data Breach Observatory initiative, uncovering over 300 million stolen credentials circulating within dark web cybercrime markets, presenting notable risks to businesses and individuals. Small enterprises face specific dangers, with four out of five experiencing recent breaches that can exceed one million dollars per incident, often remaining unreported due to delays in detection. The observatory tracks underground forums in real-time, identifying ten significant 2025 breaches across sectors, including Qantas Airways (11.8 million records with names, birthdates, addresses, phone numbers, and emails) and Free in France (19 million records including IBANs). Other significant occurrences involve Allianz Life in Germany (1 million records with social security numbers), SkilloVilla in India (33 million records of contact details), and numerous U.S. and European companies exposing passwords, usernames, and bank information.
Microsoft Entra Credential Protection
Microsoft will bolster security in its Authenticator app by automatically identifying and removing Microsoft Entra credentials on jailbroken iOS devices and rooted Android devices starting February 2026. This action addresses vulnerabilities where modified devices evade security measures, enabling credential theft and unauthorized access to organizational assets. The feature deploys automatically without IT setup, applying solely to enterprise credentials while exempting personal or third-party accounts. Organizations are recommended to inform users beforehand, suggesting device upgrades or the elimination of modifications to prevent authentication issues.
HydraPWK Penetration Testing OS Update
The HydraPWK project’s Apes-T1 snapshot updates its Debian-based penetration testing Linux distribution by substituting Elasticsearch with open-source OpenSearch to address licensing conflicts and enhance industrial security tools. This semi-rolling release improves network forensics via Arkime and introduces OpenSearch Dashboards for observability, along with UI enhancements such as improved terminal color schemes for better error visibility. Compared to Kali Linux, HydraPWK provides a lightweight, low-latency alternative with PREEMPT_RT kernel support for hardware like UAVs and ECUs, highlighting plug-and-play efficiency for focused ethical hacking without Kali’s broader overhead.
OneDrive DLL Sideloading Exploit
Threat actors leverage OneDrive.exe through DLL sideloading by placing a harmful version.dll in the application’s directory, deceiving it into loading malicious code in lieu of the authentic library during startup. The method utilizes DLL proxying to redirect calls to the genuine system library while executing payloads discreetly, preserving normal application functionality to evade detection. Advanced hooking through Vectored Exception Handling and PAGE_GUARD flags intercepts API calls like CreateWindowExW without inline modifications, permitting persistent control and spawning of concealed processes. Defenses include application whitelisting, DLL loading oversight, and signature validation to counter such attacks on trusted Microsoft processes.
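The sideloading described above works because, for DLLs not protected by the KnownDLLs list, the loader searches the application's own directory before System32, so a file named version.dll next to OneDrive.exe wins. A cheap defensive check is therefore to look for DLLs in an application directory whose names collide with system DLLs. The script below is an added example (not OneDrive's or any vendor's code); the `SYSTEM_DLLS` allow-list is an assumption for illustration, as is the throw-away directory the `demo` function builds, and on a real host you would populate the list from %SystemRoot%\System32 and follow up by checking the Authenticode signature of anything it reports.

```python
"""Find DLLs in an application directory that shadow system DLLs.

Added example illustrating a check for the sideloading pattern above.
SYSTEM_DLLS is an assumed, illustrative list; the demo directory is constructed.
"""
import hashlib
import tempfile
from pathlib import Path

# Assumed allow-list of DLL names that should only ever load from System32.
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "cryptbase.dll", "userenv.dll"}


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_shadowing_dlls(app_dir, system_dlls=SYSTEM_DLLS):
    """Return [(filename, sha256)] for every DLL in app_dir whose name matches
    a system DLL. Such a file is loaded instead of the real one, so each hit
    deserves a signature check and a look at who wrote it and when."""
    findings = []
    for p in sorted(Path(app_dir).iterdir()):
        if p.is_file() and p.suffix.lower() == ".dll" \
                and p.name.lower() in system_dlls:
            findings.append((p.name, sha256_of(p)))
    return findings


def demo():
    """Build a constructed application directory containing the app's own DLL
    and a rogue version.dll, then run the check on it."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "OneDrive.exe").write_bytes(b"MZ-stub")      # placeholder, not a real PE
        Path(d, "AppHelper.dll").write_bytes(b"MZ-stub")     # constructed app-owned DLL
        Path(d, "version.dll").write_bytes(b"MZ-rogue")      # shadows System32\version.dll
        return find_shadowing_dlls(d)


if __name__ == "__main__":
    for name, digest in demo():
        print(f"shadowing DLL found: {name} sha256={digest}")
```

The hash is included so the finding can be compared against the vendor's known-good file list or a threat-intelligence lookup; a version.dll that hashes differently from the System32 copy and carries no valid Microsoft signature is the artefact this item warns about.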