Cyber Threat Intelligence Digest: Week 48

3rd December 2025 - Threat Reports
  • Vulnerabilities
  • Potential Threats
  • General News
  • Threat Actor Weekly Graph
  • Global Trends Powered by Recorded Future
  • Prominent Information Security Events
  • Remediation Actions

Executive Summary -
Highlights of Cyber Threat Intelligence Digest

Vulnerabilities

Apache Patches Stack Exhaustion Vulnerability CVE-2025-59789 Affecting Apache bRPC - On 30 November 2025, Apache released a patch for CVE-2025-59789, a critical vulnerability affecting Apache bRPC versions prior to 1.15.0. The flaw, corrected in version 1.15.0, stems from uncontrolled recursion within the json2pb JSON parser. An attacker could trigger this behaviour by submitting excessively nested JSON structures, overwhelming the call stack.

Exploitation of this vulnerability leads to a stack overflow and a subsequent server crash. Although the issue is severe, there have been no reports of active exploitation so far. Organisations using affected versions are advised to upgrade promptly to ensure service stability and reduce exposure to potential attacks.
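The bRPC flaw is an instance of a general parser weakness: a recursive JSON parser whose depth is controlled by the attacker's input. The added example below is not Apache bRPC code (bRPC is C++; this is Python) and shows the defensive pattern a service owner can apply in front of any recursive parser: measure nesting depth with an iterative scan that uses no stack, reject over-nested documents against a fixed limit, and only then hand the text to the real parser. The limit of 64 and the sample inputs are constructed for illustration.

```python
"""Depth-bounded JSON acceptance check (added example; not bRPC's json2pb)."""
import json

MAX_DEPTH = 64  # assumed service limit; pick one that fits your schemas


def json_nesting_depth(text: str) -> int:
    """Return the deepest [] / {} nesting in `text`, scanning iteratively.

    Brackets inside JSON strings are skipped (with backslash escapes honoured),
    so quoted values cannot inflate the count.  O(n) time, O(1) stack: the
    check itself cannot be pushed into stack exhaustion by deep input.
    """
    depth = max_depth = 0
    in_string = False
    escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > max_depth:
                max_depth = depth
        elif ch in "]}":
            depth -= 1
    return max_depth


def accepts(text: str, max_depth: int = MAX_DEPTH) -> bool:
    """True when the document is within the nesting budget."""
    return json_nesting_depth(text) <= max_depth


def parse_bounded(text: str, max_depth: int = MAX_DEPTH):
    """Reject over-nested input before any recursive parser sees it."""
    depth = json_nesting_depth(text)
    if depth > max_depth:
        raise ValueError(f"JSON nesting depth {depth} exceeds limit {max_depth}")
    return json.loads(text)


if __name__ == "__main__":
    normal = '{"user": {"roles": ["admin", "dev"]}, "note": "[not a bracket]"}'
    hostile = "[" * 100_000 + "]" * 100_000  # constructed over-nested payload
    print("normal depth:", json_nesting_depth(normal), "accepted:", accepts(normal))
    print("hostile depth:", json_nesting_depth(hostile), "accepted:", accepts(hostile))
    print(parse_bounded(normal))
```

The guard runs before parsing, so the cost of a hostile document is one linear pass rather than a crash; the same idea applies to XML, YAML and protobuf-from-JSON converters, where the limit is usually exposed as a parser option.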

IBM Patches Privilege Escalation Vulnerability CVE-2024-45675 Affecting IBM Informix Dynamic Server - On 26 November 2025, IBM issued a patch for a privilege escalation vulnerability identified as CVE-2024-45675, which affects IBM Informix Dynamic Server version 14.10. If exploited, the flaw could enable an attacker to access the Informix Server with administrator privileges without the need for a password. At the time of writing, there have been no reports of this vulnerability being actively exploited.

To mitigate the risk of exploitation, Insikt Group advises upgrading IBM Informix Dynamic Server to version 14.10.xC11W1. Organisations using affected versions should apply the update promptly to ensure system security and maintain operational integrity.

Google Addresses 107 Vulnerabilities, Including Actively Exploited Flaws CVE-2025-48633 and CVE-2025-48572, in December Android Security Bulletin - On 1 December 2025, Google released its Android Security Bulletin addressing 107 vulnerabilities, including high‑severity zero-day flaws CVE‑2025‑48633 and CVE‑2025‑48572 affecting Android 13 through 16. CVE‑2025‑48633 is an information disclosure vulnerability, while CVE‑2025‑48572 allows elevation of privileges. Google indicated these flaws may be subject to limited, targeted exploitation but has not provided further technical details.

The bulletin also patched CVE‑2025‑48631, a critical denial-of-service vulnerability in the Android Framework. At the time of writing, no active exploitation of these vulnerabilities has been reported.

Potential Threats

New GrokPy Malware Uses Grok Large Language Model (LLM) to Bypass CAPTCHA - On 27 November 2025, abuse.ch reported the discovery of GrokPy, a new malware family distributed via the Amadey downloader. GrokPy collects system information such as screen resolution, public IP, geolocation, RAM usage, and CPU details, and can attempt privilege escalation by running as an administrator or registering scheduled tasks. It also uses the Chrome Developer Protocol on Google Chrome or Microsoft Edge to control browser activity and capture desktop screenshots, extracting text from images via Optical Character Recognition (OCR).

The malware automates CAPTCHA solving by sending images to a Grok Large Language Model hosted on its command-and-control server, allowing it to bypass verification challenges. GrokPy can also create Discord accounts with valid email and password patterns, report new authentication tokens back to its botnet C2, and maintain continuous communication over port 8008 throughout the infection lifecycle.

Threat Actors Use Calendly-Themed Phishing Lures to Target Google and Facebook Accounts - Push Security reported on 2 December 2025 that a long‑running phishing campaign has targeted Google Workspace and Facebook Business advertising accounts. The threat actor impersonates Calendly and major brands such as LVMH, LEGO, Uber, Mastercard, Disney and Unilever to gain access to digital advertising systems. The operation uses job‑themed lures, multi‑stage messaging to evade email scanners, and more than 31 unique URLs developed over two years, indicating sustained evolution of its tooling and infrastructure.

Researchers observed three variants. The first targets Google Workspace users with staged recruiter‑themed emails leading to a fake Calendly page, a CAPTCHA and an AiTM site that restricts access by domain. The second variant focuses on Facebook Business accounts with numerous reused templates, many now inactive. The third merges both approaches through a Browser‑in‑the‑Browser pop‑up that imitates Google or Facebook login windows and employs anti‑analysis techniques to block VPNs, proxies, developer tools and automated crawlers.

Scattered Lapsus$ Hunters-Linked Campaign Targets Zendesk Support Personnel and Users via Spoofed Domains and Fraudulent Ticket Submissions - On 26 November 2025, ReliaQuest reported that the threat collective Scattered Lapsus$ Hunters (SLSH) likely launched a campaign targeting Zendesk users and support staff via spoofed domains and fake ticket submissions. Over six months, more than 40 phishing domains mimicking Zendesk, such as znedesk[.]com and vpn‑zendesk[.]com, were identified, hosting fraudulent single sign-on portals designed to capture credentials. The domains shared technical indicators, including NiceNic registration, US and UK registrant details, and Cloudflare‑obscured nameservers. Fraudulent tickets were also likely submitted to legitimate Zendesk portals to compromise support teams with remote access trojans and other malware.

ReliaQuest noted that the campaign’s formatting, registry characteristics, and deceptive SSO portals resembled infrastructure seen in the August 2025 Salesforce campaign. They also referenced the September 2025 Discord breach attributed to SLSH, suggesting a broader pattern of activity. Telegram posts associated with SLSH indicate multiple ongoing campaigns through 2026, supporting a connection to the Zendesk targeting.

General News

UK-Based ISP Brsk Reportedly Suffers Data Breach Affecting Customer Information; Unconfirmed Dark Web Claim Alleges Data Theft - On 27 November 2026, ISPReview reported that UK-based internet service provider Brsk (brsk.co.uk) suffered a data breach after an unknown actor accessed a system used for processing new broadband installations. The incident exposed sensitive personal information belonging to an undisclosed number of customers, including names, email addresses, phone numbers, and physical addresses. Brsk removed the data from the affected system, implemented additional security measures, and notified relevant authorities in line with legal and regulatory requirements.

Earlier, on 17 November 2025, a threat actor using the alias “fuckoverflow” posted on DarkForums claiming to have obtained a Brsk customer database containing 230,105 records. Brsk has not publicly commented on this claim. Insikt Group will provide updates as further information becomes available.

Public GitLab repositories exposed more than 17,000 secrets - A security engineer recently scanned all 5.6 million public repositories on GitLab Cloud and discovered more than 17,000 exposed secrets — including API keys, passwords, and tokens — across some 2,800 unique domains. Using the open‑source tool TruffleHog and a custom Python script via GitLab’s public API, the researcher ran automated scans in an AWS Lambda setup that completed in just over 24 hours at a cost of around $770. The density of exposed secrets was roughly 35 % higher per repository than in a previous scan of Bitbucket repositories, and some of the exposed credentials — including Google Cloud Platform credentials, MongoDB keys, Telegram bot tokens and OpenAI keys — dated as far back as 2009.

While many affected organisations responded by revoking the exposed secrets, a portion remain publicly available on GitLab. The findings underscore a persistent and widespread security risk: embedding sensitive credentials directly in publicly accessible code repositories. In many cases, the leak arises from committed code history that developers may overlook or forget.
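The point about committed history is the one that a scan of only the current tree misses. The added example below is not the researcher's script or TruffleHog; it is a small Python scanner over a constructed, in-memory git history that shows why the history matters: a token committed once and later replaced with an environment lookup is still recoverable from the earlier commit. The detection rules, sample values and commit contents are all constructed for illustration and are not real credentials.

```python
"""Secret scan across commit history (added example; not TruffleHog)."""
import re
from dataclasses import dataclass

# Illustrative rules constructed for this example.  Real scanners ship many
# more detectors and verify candidate secrets against the issuing service.
RULES = {
    "telegram-bot-token": re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}\b"),
    "openai-style-key": re.compile(r"\bsk-[A-Za-z0-9]{20,}\b"),
    "mongodb-uri-with-password": re.compile(
        r"mongodb(?:\+srv)?://[^:/\s]+:[^@\s]+@[^\s\"']+"),
    "gcp-service-account-key": re.compile(
        r'"private_key"\s*:\s*"-----BEGIN (?:RSA )?PRIVATE KEY-----'),
    "generic-credential-assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|password)\b\s*[=:]\s*['\"][^'\"]{12,}['\"]"),
}


@dataclass(frozen=True)
class Finding:
    commit: str
    path: str
    rule: str
    redacted: str   # only a prefix is kept; never log the full secret
    in_head: bool   # still in the current tree, or only recoverable from history


# Constructed sample values (not real credentials).
FAKE_TG_TOKEN = "123456789:" + "AA" + "Fake" * 8 + "1"   # 9 digits, colon, 35 chars
FAKE_MONGO_URI = "mongodb+srv://app:Sup3rS3cret@cluster0.example.net/prod"

# Constructed history, newest commit first: (sha, {path: file content at that commit}).
# Both secrets were "removed" in c3 but remain in c2 (and c1) forever.
HISTORY = [
    ("c3", {"config.py": 'TOKEN = os.environ["TELEGRAM_TOKEN"]\n',
            "settings.yml": 'db: "${MONGO_URI}"\n'}),
    ("c2", {"config.py": f'TOKEN = "{FAKE_TG_TOKEN}"\n',
            "settings.yml": f'db: "{FAKE_MONGO_URI}"\n'}),
    ("c1", {"settings.yml": f'db: "{FAKE_MONGO_URI}"\n'}),
]


def scan_history(history):
    """Run every rule over every file at every commit, newest first."""
    _head_sha, head_tree = history[0]
    head_blob = "\n".join(head_tree.values())
    findings = []
    for sha, tree in history:
        for path, content in tree.items():
            for rule, pattern in RULES.items():
                for m in pattern.finditer(content):
                    secret = m.group(0)
                    findings.append(Finding(sha, path, rule,
                                            secret[:6] + "...", secret in head_blob))
    return findings


def history_only(findings):
    """Findings a HEAD-only scan would miss: the secret is gone from the current tree."""
    return [f for f in findings if not f.in_head]


if __name__ == "__main__":
    for f in scan_history(HISTORY):
        print(f)
    print("recoverable only from history:", len(history_only(scan_history(HISTORY))))
```

A finding with `in_head=False` is exactly the case the paragraph describes: the fix in the working tree does nothing for the credential, which must be revoked and rotated rather than merely deleted.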

ShadyPanda browser extensions amass 4.3M installs in malicious campaign - A long‑running malware operation dubbed ShadyPanda has infected over 4.3 million users via browser extensions on Google Chrome and Microsoft Edge. What began as seemingly legitimate wallpaper or productivity add‑ons submitted as far back as 2018 eventually morphed into spyware. Researchers at Koi Security found 145 malicious extensions (20 for Chrome, 125 for Edge), many of which were quietly updated around 2024 to include harmful functionality. These included remote‑code‑execution (RCE) capabilities: every hour the extensions checked in with a command‑and‑control server to pull and execute arbitrary JavaScript with full browser privileges.

Once malicious, the extensions began exfiltrating sensitive data — browsing history, search terms, visited URLs, cookies, click coordinates, keystrokes, browser fingerprints and more — to servers located in China. Some of the most widely installed add‑ons — such as WeTab 新标签页 (with about 3 million installs) and Clean Master — remain available via the Edge add‑ons store, even though versions were removed from Chrome’s Web Store. Users are strongly advised to remove any suspicious extensions immediately and reset their passwords across all accounts.

Threat Actor Weekly Graph

Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.

Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.

Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.

Both intent and opportunity are scored out of 100 and are responsible for scoring the group's severity. These updates can be seen below.

Severity bands: Limited, Basic, Moderate, High. Values are shown as previous → current; NEW marks a group added to the landscape this week.

Threat Actor                 Severity          Opportunity    Intent
Black Shantrac Ransomware    NEW → Basic       NEW → 40       NEW → 30
XHJACK                       NEW → Basic       NEW → 25       NEW → 30
World Leaks Ransomware       Basic → Basic     30 → 49        49 → 49
Scattered LAPSUS$ Hunters    Basic → Basic     25 → 40        49 → 49
8Base Ransomware Group       Basic → Basic     35 → 25        49 → 49

Global Trends Powered by Recorded Future

Within each category, we have provided the current top five globally trending items. Each item is linked to how actively trending it is and is marked with a small symbol.

The spikes in references are calculated over 60 days and are normalised to ensure they aren't disproportionate when compared to bigger entities that will naturally have more baseline mentions.

- Spike – This indicates a large increase in reporting volume and a high diversity in the event descriptions.
- Rise – This indicates a small increase in reporting volume with little diversity in the descriptions.

Attackers                  Methods                               Vulnerabilities    Targets
Beregini                   Sinobi                                CVE-2025-48633     Coupang
MuddyWater                 Browser Reconnaissance Exfiltration   CVE-2025-48572     Ukrainian Navy
Killnet                    Devman Ransomware                     CVE-2025-8088      France Travail
Everest Ransomware Group   Remote Code Execution                 CVE-2025-6440      Smart Tube
INC RANSOM                 Akira Ransomware                      CVE-2021-26829     ASUS

Prominent Information Security Events

New GrokPy Malware Uses Grok Large Language Model (LLM) to Bypass CAPTCHA

Source: Insikt Group | Validated Intelligence Event

IOC: IP - 46[.]62[.]224[.]205, 46[.]62[.]225[.]51, and 46[.]62[.]205[.]38

IOC: URL - hxxp://46[.]62[.]225[.]5/ask

On 27 November 2025, abuse.ch reported the discovery of GrokPy, a newly identified malware family delivered via the Amadey downloader. GrokPy is designed to collect extensive system information, including screen resolution, public IP address, geolocation, RAM usage and CPU details. It can also attempt privilege escalation by running with administrator permissions or establishing persistence through scheduled tasks.

The malware uses the Chrome Developer Protocol on Google Chrome or Microsoft Edge to control browser behaviour, capture desktop screenshots and extract text from those images using Optical Character Recognition. GrokPy further enhances its automation by sending CAPTCHA images to a Grok Large Language Model hosted on its command-and-control server, enabling CAPTCHA bypass. It is also capable of automatically creating Discord accounts using syntactically valid email and password formats and exfiltrating newly generated authentication tokens to its C2 infrastructure.

Throughout the infection lifecycle, GrokPy maintains communication with its command-and-control server over port 8008. abuse.ch additionally shared three associated C2 IP addresses: 46[.]62[.]225[.]51, 46[.]62[.]224[.]205 and 46[.]62[.]205[.]38.

Scattered Lapsus$ Hunters-Linked Campaign Targets Zendesk Support Personnel and Users via Spoofed Domains and Fraudulent Ticket Submissions

Source: Insikt Group | Validated Intelligence Event

IOC: Domain - znedesk[.]com

On 26 November 2025, ReliaQuest reported that the threat collective Scattered Lapsus$ Hunters (SLSH) had likely launched a campaign targeting Zendesk users and support staff through spoofed domains and fraudulent ticket submissions. Over six months, more than 40 phishing domains mimicking Zendesk, including znedesk[.]com and vpn-zendesk[.]com, were identified, hosting fake single sign-on portals designed to capture user credentials. These domains shared technical indicators such as NiceNic registration, US and UK registrant details, and Cloudflare‑obscured nameservers. Fraudulent tickets were also likely submitted to legitimate Zendesk portals to compromise support teams with remote access trojans and other malware.

ReliaQuest noted that the campaign’s formatting, registry characteristics, and deceptive SSO portals resembled infrastructure observed in the August 2025 Salesforce campaign. The September 2025 Discord breach, attributed to SLSH, was also cited as contextual evidence suggesting a broader campaign pattern.

Telegram posts associated with SLSH further referenced multiple ongoing campaigns through 2026, supporting a potential connection to the Zendesk targeting. These observations indicate that SLSH may be conducting coordinated operations across multiple platforms, continuing a trend of persistent, multi-service phishing activity.
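Both events above ship indicators a defender can act on: the GrokPy C2 addresses and port 8008, and the spoofed Zendesk domains. The added example below is not from abuse.ch, ReliaQuest or Insikt Group; it is a Python triage routine that refangs the published IOCs, runs them over a handful of constructed firewall and proxy log lines (RFC 5737 addresses and `.example` hosts stand in for benign traffic), and adds a lookalike-domain heuristic so that Zendesk typosquats not yet on the IOC list are still surfaced. The log format, the edit-distance threshold and the brand list are assumptions for the example.

```python
"""IOC matching and lookalike-domain triage (added example, constructed logs)."""
import re

# IOCs as published in the digest (defanged); refanged only in memory.
C2_IPS_DEFANGED = ["46[.]62[.]224[.]205", "46[.]62[.]225[.]51", "46[.]62[.]205[.]38"]
C2_PORT = 8008
PHISH_DOMAINS_DEFANGED = ["znedesk[.]com", "vpn-zendesk[.]com"]
PROTECTED_BRANDS = ["zendesk"]          # assumed brand list for the lookalike check
MAX_EDIT_DISTANCE = 2                   # assumed threshold


def refang(ioc: str) -> str:
    return ioc.replace("[.]", ".").replace("hxxp", "http")


C2_IPS = {refang(x) for x in C2_IPS_DEFANGED}
PHISH_DOMAINS = {refang(x) for x in PHISH_DOMAINS_DEFANGED}

# Constructed sample log lines; key=value firewall events and proxy URL events.
LOGS = [
    "2025-12-01T10:02:11Z fw01 action=allow src=10.0.5.23 dst=46.62.224.205 dport=8008 proto=tcp",
    "2025-12-01T10:02:40Z fw01 action=allow src=10.0.5.23 dst=198.51.100.20 dport=443 proto=tcp",
    "2025-12-01T10:03:05Z proxy01 user=jdoe url=https://znedesk.com/sso/login status=200",
    "2025-12-01T10:04:19Z proxy01 user=asmith url=https://support.zendesk.com/agent status=200",
    "2025-12-01T10:04:50Z proxy01 user=jdoe url=https://zendesk-sso.example/login status=200",
    "2025-12-01T10:05:00Z fw01 action=allow src=10.0.7.9 dst=203.0.113.8 dport=8008 proto=tcp",
    "2025-12-01T10:05:30Z proxy01 user=bwong url=https://zemdesk.example/login status=200",
]

FW_RE = re.compile(r"dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)")
URL_RE = re.compile(r"url=https?://(?P<host>[^/\s:]+)")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small inputs, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(host: str):
    """Flag hosts that borrow or misspell a protected brand outside its own domain."""
    labels = host.lower().split(".")
    if len(labels) < 2:
        return None
    registrable = labels[-2]
    for brand in PROTECTED_BRANDS:
        if registrable == brand:
            return None                      # the brand's own domain or a subdomain of it
        for label in labels[:-1]:
            if brand in label:
                return "brand-in-label"
            if levenshtein(label, brand) <= MAX_EDIT_DISTANCE:
                return "edit-distance"
    return None


def classify(line: str):
    m = FW_RE.search(line)
    if m:
        if m["dst"] in C2_IPS:
            return "c2-ip"
        if int(m["dport"]) == C2_PORT:
            return "port-8008-only"          # weak signal on its own; confirm before acting
        return None
    m = URL_RE.search(line)
    if m:
        host = m["host"].lower()
        if host in PHISH_DOMAINS:
            return "ioc-domain"
        if lookalike_reason(host):
            return "lookalike-domain"
    return None


def triage(lines):
    """Return (line index, verdict) for every line that matched something."""
    return [(i, v) for i, line in enumerate(lines) if (v := classify(line))]


if __name__ == "__main__":
    for idx, verdict in triage(LOGS):
        print(f"{verdict:18} {LOGS[idx]}")
```

The verdicts are deliberately tiered: an exact C2 address or published domain is a hit, a bare destination port 8008 is only a lead, and a lookalike domain is a candidate for review, since edit-distance heuristics will occasionally flag unrelated short labels.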

Remediation Actions

Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable:

  • CVE-2025-59789: This vulnerability can be remediated by updating Apache bRPC to version 1.15.0.
  • CVE-2024-45675: We recommend upgrading IBM Informix Dynamic Server to version 14.10.xC11W1.
  • CVE-2025-48633 / CVE-2025-48572: These vulnerabilities can be addressed by updating affected Android devices to the latest available version carrying the December 2025 Android Security Bulletin fixes.

If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.