Cyber Threat Intelligence 21 November 2025
Financial Sector
- October 2025 Security Issues In Korean And Global Financial Sector
"This report comprehensively covers actual cyber threats and security issues relevant to the finance industry in Korea and around the world. The article includes an analysis of the malware and phishing cases distributed to the financial sector. It also provides a list of the top 10 malware targeting the financial sector and statistics on the industries of the leaked Korean accounts on Telegram. A case of phishing emails distributed to the financial sector is also covered in detail."
https://asec.ahnlab.com/en/91174/
Industrial Sector
- Automated Logic WebCTRL Premium Server
"Successful exploitation of these vulnerabilities could allow a remote attacker to deceive a legitimate user into running malicious scripts or redirecting them to malicious websites."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-324-01
- Festo MSE6-C2M/D2M/E2M
"Successful exploitation of this vulnerability could lead to a complete loss of confidentiality, integrity, and availability."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-324-04
- Emerson Appleton UPSMON-PRO
"Successful exploitation of this vulnerability could allow remote attackers to execute arbitrary code on affected installations of Appleton UPSMON-PRO."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-324-06
- ICAM365 CCTV Camera Multiple Models
"Successful exploitation of these vulnerabilities could result in unauthorized exposure of camera video streams and camera configuration data."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-324-02
- Opto 22 GRV-EPIC And Groov RIO
"Successful exploitation of this vulnerability could result in the execution of arbitrary shell commands with root privileges."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-324-03
- Festo Didactic Products
"Successful exploitation of this vulnerability could allow the creation or overwriting of arbitrary files in the engineering system."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-324-05
Vulnerabilities
- SolarWinds Patches Three Critical Serv-U Vulnerabilities
"SolarWinds this week announced patches for three critical vulnerabilities found in its Serv-U enterprise file transfer solution. One of the flaws, tracked as CVE-2025-40549, has been described as a path restriction bypass issue that can be exploited by a threat actor with administrator privileges to execute arbitrary code on a directory. The vendor pointed out that on Windows systems the vulnerability has a ‘medium severity’ rating due to “differences in how paths and home directories are handled”."
https://www.securityweek.com/solarwinds-patches-three-critical-serv-u-vulnerabilities/
- New SonicWall SonicOS Flaw Allows Hackers To Crash Firewalls
"American cybersecurity company SonicWall urged customers today to patch a high-severity SonicOS SSLVPN security flaw that can allow attackers to crash vulnerable firewalls. Tracked as CVE-2025-40601, this denial-of-service vulnerability is caused by a stack-based buffer overflow impacting Gen8 and Gen7 (hardware and virtual) firewalls. ‘A Stack-based buffer overflow vulnerability in the SonicOS SSLVPN service allows a remote unauthenticated attacker to cause Denial of Service (DoS), which could cause an impacted firewall to crash,’ SonicWall said."
https://www.bleepingcomputer.com/news/security/new-sonicwall-sonicos-flaw-allows-hackers-to-crash-firewalls/
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0016
- D-Link Warns Of New RCE Flaws In End-Of-Life DIR-878 Routers
"D-Link is warning of three remotely exploitable command execution vulnerabilities that affect all models and hardware revisions of its DIR-878 router, which has reached end-of-service but is still available in several markets. Technical details and proof-of-concept (PoC) exploit code demonstrating the vulnerabilities have been published by a researcher using the name Yangyifan. Typically used in homes and small offices, the DIR-878 was hailed as a high-performance dual-band wireless router when it launched in 2017."
https://www.bleepingcomputer.com/news/security/d-link-warns-of-new-rce-flaws-in-end-of-life-dir-878-routers/
https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10475
- CVE-2025-50165: Critical Flaw In Windows Graphics Component
"In May 2025, Zscaler ThreatLabz discovered CVE-2025-50165, a critical remote code execution (RCE) vulnerability with a CVSS score of 9.8 that impacts the Windows Graphics Component. The vulnerability lies within windowscodecs.dll, and any application that uses this library as a dependency is vulnerable to compromise, such as a Microsoft Office document. For example, attackers can exploit the vulnerability by creating a malicious JPEG image and inserting it into any file that leverages windowscodecs.dll. If a user opens that file, their system can be compromised by an attacker who can go on to perform RCE and take over the victim’s system."
https://www.zscaler.com/blogs/security-research/cve-2025-50165-critical-flaw-windows-graphics-component
Malware
- Analysis Of ShadowPad Attack Exploiting WSUS Remote Code Execution Vulnerability (CVE-2025-59287)
"AhnLab SEcurity intelligence Center (ASEC) has identified an attack where the remote code execution vulnerability in Microsoft Windows Server Update Services (WSUS), tracked as CVE-2025-59287, was exploited to distribute the ShadowPad malware. ShadowPad is a backdoor malware used by numerous Chinese APT groups. First discovered in 2017, its developers have continuously updated its modules. According to a report by SentinelOne, ShadowPad is privately sold to Chinese state-backed APT groups. This report analyzes the initial intrusion process exploiting the vulnerability, the operational mechanism of ShadowPad, and recommended countermeasures."
https://asec.ahnlab.com/en/91166/
- NKNShell Malware Distributed Via VPN Website
"AhnLab SEcurity intelligence Center (ASEC) has confirmed that malware has been uploaded to the website of a South Korean VPN provider. Based on the distribution method and characteristics of the malware used, this attack appears to be the work of the same threat actor who has been targeting South Korean VPN providers since 2023. In previous cases, the attacker ultimately installed backdoors such as SparkRAT, MeshAgent, and Sliver to control the infected systems. In the latest incident, MeshAgent with similar PDB paths was again observed, along with a newly identified backdoor named NKNShell. NKNShell is notable for using NKN and MQTT protocols for communication with its C&C server."
https://asec.ahnlab.com/en/91139/
- Phishing Emails Impersonating A Popular OTT Service
"AhnLab Security Intelligence Center (ASEC) has recently discovered a phishing campaign distributing emails that impersonate a well-known OTT streaming service. The emails claim there is an issue with the user’s subscription payment and urge recipients to verify the problem. To make the message appear legitimate, the email includes a hyperlink labeled “Update Now” designed to trick users into clicking."
https://asec.ahnlab.com/en/91127/
- Sturnus: Mobile Banking Malware Bypassing WhatsApp, Telegram And Signal Encryption
"MTI Security researchers have identified Sturnus, a privately operated Android banking trojan. This malware supports a broad range of fraud-related capabilities, including full device takeover. A key differentiator is its ability to bypass encrypted messaging. By capturing content directly from the device screen after decryption, Sturnus can monitor communications via WhatsApp, Telegram, and Signal."
https://www.threatfabric.com/blogs/sturnus-banking-trojan-bypassing-whatsapp-telegram-and-signal
https://www.bleepingcomputer.com/news/security/multi-threat-android-malware-sturnus-steals-signal-whatsapp-messages/
https://thehackernews.com/2025/11/new-sturnus-android-trojan-quietly.html
https://therecord.media/new-android-malware-captures-private-messages
https://www.securityweek.com/new-sturnus-banking-trojan-targets-whatsapp-telegram-signal-messages/
https://securityaffairs.com/184878/cyber-crime/sturnus-new-android-banking-trojan-targets-whatsapp-telegram-and-signal.html
- Blockchain And Node.js Abused By Tsundere: An Emerging Botnet
"Tsundere is a new botnet, discovered by our Kaspersky GReAT around mid-2025. We have correlated this threat with previous reports from October 2024 that reveal code similarities, as well as the use of the same C2 retrieval method and wallet. In that instance, the threat actor created malicious Node.js packages and used the Node Package Manager (npm) to deliver the payload. The packages were named similarly to popular packages, employing a technique known as typosquatting. The threat actor targeted libraries such as Puppeteer, Bignum.js, and various cryptocurrency packages, resulting in 287 identified malware packages. This supply chain attack affected Windows, Linux, and macOS users, but it was short-lived, as the packages were removed and the threat actor abandoned this infection method after being detected."
https://securelist.com/tsundere-node-js-botnet-uses-ethereum-blockchain/117979/
https://thehackernews.com/2025/11/tsundere-botnet-expands-using-game.html
- CTM360 Exposes A Global WhatsApp Hijacking Campaign: HackOnChat
"CTM360 has identified a rapidly expanding WhatsApp account-hacking campaign targeting users worldwide via a network of deceptive authentication portals and impersonation pages. The campaign, internally dubbed HackOnChat, abuses WhatsApp's familiar web interface, using social engineering tactics to trick users into compromising their accounts."
https://thehackernews.com/2025/11/ctm360-exposes-global-whatsapp.html
https://www.ctm360.com/reports/hackonchat-unmasking-the-whatsapp-hacking-scam
- Cooking Up Trouble: How TamperedChef Uses Signed Apps To Deliver Stealthy Payloads
"Recently, TRU observed a global campaign targeting organizations across various sectors. The attackers distribute seemingly legitimate software featuring full functionality and valid code signing to trick end users into executing them. These fake applications imitate commonly used software such as browsers, PDF editors, manual readers and even games, adding another layer of authenticity that makes it harder for users to detect their malicious intent. Additionally, trojans disguised as these familiar programs are more likely to earn users’ trust, since they mimic tools widely used for everyday tasks."
https://www.acronis.com/en/tru/posts/cooking-up-trouble-how-tamperedchef-uses-signed-apps-to-deliver-stealthy-payloads/
https://thehackernews.com/2025/11/tamperedchef-malware-spreads-via-fake.html
- Palo Alto Scanning Surges 40X In 24 Hours, Marking 90-Day High
"GreyNoise has identified a significant escalation in malicious activity targeting Palo Alto Networks GlobalProtect portals. Beginning on 14 November 2025, activity rapidly intensified, culminating in a 40x surge within 24 hours, marking a new 90-day high. GreyNoise has also identified strong connections between this spike and prior related campaigns. We assess with high confidence that these campaigns are at least partially driven by the same threat actor(s), supported by:"
https://www.greynoise.io/blog/palo-alto-scanning-surges-90-day-high
https://www.bleepingcomputer.com/news/security/globalprotect-vpn-portals-probed-with-23-million-scan-sessions/
https://www.theregister.com/2025/11/20/palo_alto_traffic_flood/
- Analysis Report On AI-Based Obfuscated Malicious Apps Using Compromised Legitimate Websites As C2 Servers
"Malware impersonating a famous Korean delivery service has been continuously distributed, and the threat actor behind it is utilizing various techniques to evade anti-virus (AV) detection. In particular, obfuscation and packing techniques are being used, and many malware strains leveraging these techniques have been discovered."
https://asec.ahnlab.com/en/91176/
- 'Matrix Push' C2 Tool Hijacks Browser Notifications
"Cybercriminals have a new, user-friendly tool for turning your browser alerts into a vector for phishing attacks. ‘Matrix Push’ is slick, it's pretty, and it's about as easy to use as any commercial software you can think of. Unfortunately, it's a command-and-control (C2) framework for infecting people with malware through their browsers. A new report from BlackFog describes how, from an interface colored like a retro terminal, hackers can design notifications that get pushed to victims from their legitimate browsers, but in fact point to malicious websites."
https://www.darkreading.com/threat-intelligence/matrix-push-c2-tool-hijacks-browser-notifications-phishing
- UNC2891: ATM Threats Never Die
"Group-IB’s latest research reveals how UNC2891 is rewriting the playbook of financial cybercrime. This secretive cybercrime group has been targeting banks in Southeast Asia for years, blurring the line between digital theft and physical intrusion."
https://www.group-ib.com/landing/unc2891/
https://www.infosecurity-magazine.com/news/unc2891-money-mule-network-atm/
- Beyond The Watering Hole: APT24's Pivot To Multi-Vector Attacks
"Google Threat Intelligence Group (GTIG) is tracking a long-running and adaptive cyber espionage campaign by APT24, a People's Republic of China (PRC)-nexus threat actor. Spanning three years, APT24 has been deploying BADAUDIO, a highly obfuscated first-stage downloader used to establish persistent access to victim networks. While earlier operations relied on broad strategic web compromises to compromise legitimate websites, APT24 has recently pivoted to using more sophisticated vectors targeting organizations in Taiwan. This includes the repeated compromise of a regional digital marketing firm to execute supply chain attacks and the use of targeted phishing campaigns."
https://cloud.google.com/blog/topics/threat-intelligence/apt24-pivot-to-multi-vector-attacks
https://www.bleepingcomputer.com/news/security/google-exposes-badaudio-malware-used-in-apt24-espionage-campaigns/
- Unwanted Gifts: Major Campaign Lures Targets With Fake Party Invites
"A highly active threat actor that specializes in using the ScreenConnect remote management and monitoring (RMM) software in its attacks has changed tactics and is now infecting its victims with multiple RMM tools, including LogMeIn Resolve and Naverisk. In many cases, the attackers install additional RMM tools on infected computers long after the initial compromise occurs. The motivation behind this new tactic remains unclear, although it appears that the attackers are attempting to increase their dwell time on networks in order to maximise their return on successful attacks."
https://www.security.com/threat-intelligence/rmm-logmein-attacks
- Nation-State Actor’s Arsenal: An In-Depth Look At Lazarus’ ScoringMathTea
"In October 2025, the ESET Research Team published an excellent article about the identification of a new instance of the Operation DreamJob cyberespionage campaign, conducted by the Lazarus APT Group, aligned with the North Korean government. This instance was identified by ESET as Gotta Fly, as it was determined that Lazarus was directing cyberattacks with an espionage focus to steal know-how related to the production of Unmanned Aerial Vehicles from companies that are providing such technology to Ukraine. In the same article, the ESET Research Team provided information on the identification of two kill chains, both of which implement ScoringMathTea. Below, you can see an image taken from the ESET post, showing the identified execution chains."
https://0x0d4y.blog/arsenal-analysis-of-a-nation-state-actor-an-in-depth-look-at-lazarus-scoringmathtea/
Breaches/Hacks/Leaks
- Hacker Claims To Steal 2.3TB Data From Italian Rail Group, Almaviva
"Data from Italy's national railway operator, the FS Italiane Group, has been exposed after a threat actor breached the organization's IT services provider, Almaviva. The hacker claims to have stolen 2.3 terabytes of data and leaked it on a dark web forum. According to the threat actor's description, the leak includes confidential documents and sensitive company information."
https://www.bleepingcomputer.com/news/security/hacker-claims-to-steal-23tb-data-from-italian-rail-group-almavia/
- Salesforce Investigates Customer Data Theft Via Gainsight Breach
"Salesforce says it revoked refresh tokens linked to Gainsight-published applications while investigating a new wave of data theft attacks targeting customers. The cloud-based software company noted that this doesn't stem from a vulnerability in its customer relationship management (CRM) platform since all evidence points to the malicious activity being related to the app's external connection to Salesforce."
https://www.bleepingcomputer.com/news/security/salesforce-investigates-customer-data-theft-via-gainsight-breach/
https://therecord.media/salesforce-cuts-off-access-to-third-party-unusual-activity
https://www.bankinfosecurity.com/shinyhunters-hack-salesforce-instances-via-gainsight-apps-a-30087
https://cyberscoop.com/salesforce-gainsight-customers-breach/
https://www.theregister.com/2025/11/20/salesforce_gainsight_breach/
https://www.helpnetsecurity.com/2025/11/20/salesforce-investigates-new-incident-echoing-salesloft-drift-compromise/
- Everest Ransomware Says It Breached Brazilian Energy Giant Petrobras
"Everest ransomware group has listed two separate entries on its dark web leak site, both targeting Petrobras, a Brazilian majority state-owned multinational corporation giant in the petroleum industry headquartered in Rio de Janeiro. Both listings were published on November 14, 2025. The first listing points to an alleged data breach involving both Petrobras and a partner firm, SAExploration. According to the group, it managed to steal a database that contains over 176 gigabytes of seismic navigation data. More than half of that, over 90 gigabytes, is said to belong directly to Petrobras."
https://hackread.com/everest-ransomware-brazil-petrobras-breach/
General News
- Crypto Mixer Founders Sent To Prison For Laundering Over $237 Million
"The founders of the Samourai Wallet (Samourai) cryptocurrency mixing service have been sent to prison for helping criminals launder over $237 million. Samourai CEO Keonne Rodriguez was sentenced to five years in prison on November 6th, while the cryptomixer's Chief Technology Officer William Lonergan Hill received a four-year sentence on November 19th. Both men were also sentenced to three years of supervised release and must pay $250,000 fines. The two defendants were arrested in April 2024 and charged by the prosecutors with conspiracy to operate an unlicensed money-transmitting business (with a maximum sentence of 5 years) and money laundering (which carries a maximum sentence of 20 years)."
https://www.bleepingcomputer.com/news/security/samourai-cryptomixer-founders-sent-to-prison-for-laundering-over-237-million/
https://therecord.media/samourai-wallet-crypto-mixer-founders-sentenced
- The Confidence Trap Holding Security Back
"Security leaders often feel prepared for a major cyber incident, but performance data shows a different reality. Teams continue to miss key steps during practice scenarios, and the gap between confidence and capability keeps growing. Findings from Immersive’s Cyber Workforce Benchmark Report show the habits that hold readiness back and the areas security leaders must address to make progress."
https://www.helpnetsecurity.com/2025/11/20/immersive-cyber-readiness-gap-report/
- Gartner: 40% Of Firms To Be Hit By Shadow AI Security Incidents
"By 2030, more than 40% of global organizations will suffer security and compliance incidents due to the use of unauthorized AI tools, Gartner has predicted. The analyst said a survey of cybersecurity leaders earlier this year revealed that 69% have evidence or suspect that employees are using public generative AI (GenAI) at work. It warned that such tools can increase the risk of IP loss, data exposure and other security and compliance issues. These should be well understood by now. As far back as 2023, Samsung was forced to ban the use of GenAI internally after staff shared source code and meeting notes with ChatGPT."
https://www.infosecurity-magazine.com/news/gartner-40-firms-hit-shadow-ai/
- Inside The Dark Web Job Market
"In 2022, we published our research examining how IT specialists look for work on the dark web. Since then, the job market has shifted, along with the expectations and requirements placed on professionals. However, recruitment and headhunting on the dark web remain active. So, what does this job market look like today? This report examines how employment and recruitment function on the dark web, drawing on 2,225 job-related posts collected from shadow forums between January 2023 and June 2025. Our analysis shows that the dark web continues to serve as a parallel labor market with its own norms, recruitment practices and salary expectations, while also reflecting broader global economic shifts."
https://securelist.com/dark-web-job-market-2023-2025/118057/
- October 2025 Threat Trend Report On Ransomware
"This report provides the number of affected systems identified and statistics related to DLS-based ransomware, as well as major ransomware issues in and out of Korea in October 2025. The following is a summary of the report. The statistics on the number of ransomware samples and affected systems use the detection names set by AhnLab. The statistics on the number of affected companies by ransomware group are based on the information published on DLS (Dedicated Leak Sites, which are PR sites or pages for ransomware) and collected by ATIP at the time."
https://asec.ahnlab.com/en/91178/
- October 2025 APT Attack Trends Report (South Korea)
"AhnLab is monitoring Advanced Persistent Threat (APT) attacks in South Korea by utilizing their own infrastructure. This report covers the classification, statistics, and features of APT attacks in South Korea that were identified in October 2025."
https://asec.ahnlab.com/en/91177/
- Stepping Up Our Role In Vulnerability Management: ENISA Becomes CVE Root
"The European Union Agency for Cybersecurity (ENISA) is now a Common Vulnerabilities and Exposures (CVE) Program-Root, thus becoming a central point of contact within the CVE program for national/EU authorities, EU CSIRTs network members, and cooperative partners falling under ENISA’s mandate. As a Common Vulnerability and Exposure (CVE) Numbering Authority (CNA), ENISA is authorised to assign CVE Identifiers (CVE IDs) and to publish CVE Records for vulnerabilities discovered by or reported to EU CSIRTs, in line with their dedicated coordinator roles since January 2024. As Root CNA, ENISA is now expanding its role within the CVE program."
https://www.enisa.europa.eu/news/stepping-up-our-role-in-vulnerability-management-enisa-becomes-cve-root
https://www.bankinfosecurity.com/enisa-now-cve-program-root-a-30086
- The Black Friday Cyber Crime Economy: Surge In Fraudulent Domains And eCommerce Scams
"Seasonal shopping periods regularly trigger domain registration spikes, and criminal actors capitalize on the opportunity to camouflage fraudulent infrastructure. October saw 158 new Black Friday related domains, a staggering 93 percent increase over the 2025 monthly average. Early November intensified that growth, with more than 330 new related domains appearing in only the first 10 days. This pace aligns with historical behavior. In 2024, Black Friday domain registration grew 188 percent between October and November. Based on current trends, hundreds of additional domains are likely to appear before month’s end."
https://blog.checkpoint.com/research/the-black-friday-cyber-crime-economy-surge-in-fraudulent-domains-and-ecommerce-scams/
- Same Old Security Problems: Cyber Training Still Fails Miserably
"It's a story we've all heard before, yet somehow, we keep living it. Despite years of cybersecurity awareness campaigns, training sessions, and technological advances, the same fundamental security challenges continue to plague organizations worldwide. This past October, during Cybersecurity Awareness Month 2025, three seasoned cybersecurity journalists, from Dark Reading, Tech Target Search Security, and Cybersecurity Dive, came together to examine a frustrating reality: We're still fighting the same battles we were fighting decades ago. Their candid discussion in this month's ‘Reporters Notebook’ reveals why password hygiene remains poor and phishing attacks keep working, even as we pour resources into awareness programs that seem to miss the mark."
https://www.darkreading.com/cybersecurity-operations/security-problems-cyber-training-fails-miserably
- Supply Chain Breaches Impact Almost All Firms Globally, BlueVoyant Reveals
"An overwhelming majority of organizations (97%) have been negatively impacted by a supply chain breach, according to a new survey by BlueVoyant. This is a significant increase from 2024, when 81% of respondents to the same annual survey from the third-party risk management (TPRM) provider said they suffered from such an incident."
https://www.infosecurity-magazine.com/news/supply-chain-breaches-impact/
- The Future Of Malware Is LLM-Powered
"Large language models (LLMs) have rapidly transformed industries, becoming invaluable tools for automation, coding assistance, and research. However, their widespread adoption raises several critical cybersecurity questions. Is it feasible to create agentic malware composed solely of LLM prompts and minimal code, thereby eliminating the need to hardcode detectable instructions? How effective are LLMs at generating polymorphic threats that can autonomously analyze and execute evasive actions on a victim’s machine in real time? How close are we to seeing this next generation of truly autonomous, LLM-driven malware emerge?"
https://www.netskope.com/blog/the-future-of-malware-is-llm-powered
https://www.theregister.com/2025/11/20/llmgenerated_malware_improving/
- UK Drug Funds Flowed Into Bank Tied To Russian Spy Services, Military
"Investigators at the U.K.’s National Crime Agency say cash generated by Britain’s local drug trade was funnelled through a bank connected to the Kremlin’s intelligence services and sanctioned defense sector, expanding the known scope of a vast Russian money laundering network uncovered last year. The agency said on Friday that ‘Operation Destabilise’ investigators identified a growing number of entities linked to the two major laundering networks — SMART and TGR — including a spy ring imprisoned in Britain back in May."
https://therecord.media/uk-drug-funds-flowed-into-bank-tied-to-russia
Reference
Electronic Transactions Development Agency (ETDA)