NCSA Webboard

    Cyber Threat Intelligence 25 November 2025

    Posted by NCSA_THAICERT

      Healthcare Sector

      • The Privacy Tension Driving The Medical Data Shift Nobody Wants To Talk About
        "Most people assume their medical data sits in quiet storage, protected by familiar rules. That belief gives a sense of safety, but new research argues that the world around healthcare data has changed faster than the policies meant to guide it. As a result, the system is stuck, and the cost of that stagnation is rising for patients, researchers, and innovators. The paper, written by experts from major U.S. medical institutions, examines how healthcare’s privacy-centric approach limits progress at a moment when data could unlock better tools, lower costs, and broader access to care. The authors argue that privacy remains important, but current frameworks fall behind the ways data is produced, used, and misused in digital environments."
        https://www.helpnetsecurity.com/2025/11/24/medical-data-stewardship-privacy/
        https://arxiv.org/pdf/2511.15829

      New Tooling

      • Cnspec: Open-Source, Cloud-Native Security And Policy Project
        "cnspec is an open source tool that helps when you are trying to keep a sprawling setup of clouds, containers, APIs and endpoints under control. It checks security and compliance across all of it, which makes it easier to see what needs attention. At its core, cnspec looks for vulnerabilities and misconfigurations across public and private cloud environments, Kubernetes clusters, containers, container registries, servers, endpoints, SaaS products, infrastructure as code and APIs. It uses a policy-as-code engine built on a security data fabric, which allows you to codify checks and run them at scale."
        https://www.helpnetsecurity.com/2025/11/24/cnspec-open-source-cloud-native-security-policy-project/
        https://github.com/mondoohq/cnspec

      Vulnerabilities

      • Critical Vulnerabilities In FluentBit Expose Cloud Environments To Remote Takeover
        "A new chain of 5 critical vulnerabilities within Fluent Bit allows attackers to compromise cloud infrastructure. Fluent Bit, an open-source tool for collecting, processing, and forwarding logs, is the quiet messenger of modern computing. It is embedded in billions of containers and deployed more than 15 billion times, with over 4 million pulls in the past week alone. It runs everywhere: AI labs, banks, car manufacturers, all the major cloud providers such as AWS, Google Cloud, and Microsoft Azure, and more."
        https://www.oligo.security/blog/critical-vulnerabilities-in-fluent-bit-expose-cloud-environments-to-remote-takeover
        https://thehackernews.com/2025/11/new-fluent-bit-flaws-expose-cloud-to.html
        https://www.infosecurity-magazine.com/news/flaws-expose-risks-fluent-bit/
        https://www.theregister.com/2025/11/24/fluent_bit_cves/

      Malware

      • RadzaRat: New Android Trojan Disguised As File Manager Emerges With Zero Detection Rate
        "The Android malware-as-a-service (MaaS) ecosystem continues to evolve with increasingly sophisticated threats designed to evade security measures while maintaining operational simplicity for would-be attackers. The emergence of RadzaRat, an Android remote access trojan (RAT) recently discovered by Certo’s researchers, exemplifies this troubling trend. What makes this threat particularly concerning is not just its capabilities, but its complete absence from security vendor detection lists and its brazen distribution through legitimate code hosting platforms."
        https://www.certosoftware.com/insights/radzarat-new-android-trojan-disguised-as-file-manager-emerges-with-zero-detection-rate/
        https://hackread.com/radzarat-spyware-hijack-android-devices/
      • Malicious Blender Model Files Deliver StealC Infostealing Malware
        "A Russian-linked campaign delivers the StealC V2 information stealer malware through malicious Blender files uploaded to 3D model marketplaces like CGTrader. Blender is a powerful open-source 3D creation suite that can execute Python scripts for automation, custom user interface panels, add-ons, rendering processes, rigging tools, and pipeline integration. If the Auto Run feature is enabled, when a user opens a character rig, a Python script can automatically load the facial controls and custom UI panels with the required buttons and sliders."
        https://www.bleepingcomputer.com/news/security/malicious-blender-model-files-deliver-stealc-infostealing-malware/
        https://www.infosecurity-magazine.com/news/russian-malware-blender-3d-files/
      • ClickFix Gets Creative: Malware Buried In Images
        "This analysis details a multi-stage malware execution chain, originating from a ClickFix lure, that leads to the delivery of infostealing malware, including LummaC2 and Rhadamanthys. A notable discovery during analysis was the campaign's use of steganography to conceal the final malware stages within an image. Rather than simply appending malicious data to a file, the malicious code is encoded directly within the pixel data of PNG images, relying on specific colour channels to reconstruct and decrypt the payload in memory."
        https://www.huntress.com/blog/clickfix-malware-buried-in-images
        https://www.bleepingcomputer.com/news/security/clickfix-attack-uses-fake-windows-update-screen-to-push-malware/
        https://www.theregister.com/2025/11/24/clickfix_attack_infostealers_images/
      • Shai Hulud Launches Second Supply-Chain Attack: Zapier, ENS, AsyncAPI, PostHog, Postman Compromised
        "It's another Monday morning, sitting down at the computer. And I see a stack of alerts from the last hour of packages showing signs of malware in our triage queue. Having not yet finished my first cup of coffee, I see Shai Hulud indicators. Yikes, surely that's a false positive? Nope, welcome to Monday, Shai Hulud struck again. Strap in. The timing is notable, given npm’s recent announcement that it will revoke classic tokens on December 9 after the wave of supply-chain attacks. With many users still not migrated to trusted publishing, the attacker seized the moment for one more hit before npm’s deadline."
        https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains
        https://thehackernews.com/2025/11/second-sha1-hulud-wave-affects-25000.html
        https://www.bleepingcomputer.com/news/security/shai-hulud-malware-infects-500-npm-packages-leaks-secrets-on-github/
        https://www.darkreading.com/application-security/infamous-shai-hulud-worm-resurfaces-from-depths
        https://hackread.com/shai-hulud-npm-worm-supply-chain-attack/
        https://www.theregister.com/2025/11/24/shai_hulud_npm_worm/
        https://cyberscoop.com/supply-chain-attack-shai-hulud-npm/
      • GhostAd: Hidden Google Play Adware Drains Devices And Disrupts Millions Of Users
        "Check Point researchers uncover a large-scale Android adware campaign that silently drains resources and disrupts normal phone use through persistent background activity. During an internal threat-hunting investigation, Check Point Harmony Mobile Detection Team identified a network of Android applications on Google Play masquerading as harmless utility and emoji-editing tools. Behind their cheerful icons, these apps created a persistent background advertising engine – one that kept running even after users closed or rebooted their devices, quietly consuming battery and mobile data."
        https://blog.checkpoint.com/research/ghostad-hidden-google-play-adware-drains-devices-and-disrupts-millions-of-users/
      • Checkmarx Zero Takes Down Malicious “Prettier” Alternative Found In VSCode Marketplace
        "Checkmarx Zero’s ongoing monitoring of the Visual Studio Code Marketplace has identified a critical Brandjacking style attack in the form of a malicious VSCode extension. Name: prettier-vscode-plus (full identifier: publishingsofficial.prettier-vscode-plus) Publisher Account: publishingsofficial Release Date: 2025-11-21 11:34:12 UTC We identified and reported this extension quickly, and it was removed within 4 hours after its publication, thanks to the efforts of Daniel Miranda and Raphael Silva on the Checkmarx Zero team and coordination with the VSCode Marketplace security team. We detected only 6 downloads and 3 installs before removal."
        https://checkmarx.com/zero-post/checkmarx-zero-takes-down-malicious-prettier-alternative-found-in-vscode-marketplace/
        https://hackread.com/prettier-extension-vscode-marketplace-anivia-stealer/

      Breaches/Hacks/Leaks

      • 146,000 Impacted By Delta Dental Of Virginia Data Breach
        "Dental services provider Delta Dental of Virginia (DDVA) is notifying roughly 146,000 people that their personal and health information was compromised in a data breach this year. In the notification letter to the impacted individuals, a copy of which was submitted to the Maine Attorney General’s Office, the organization describes the incident as the compromise of an email account. Between March 21 and April 23, it says, a threat actor accessed and may have exfiltrated emails and attachments containing patient data from the impacted email account."
        https://www.securityweek.com/146000-impacted-by-delta-dental-of-virginia-data-breach/
        https://securityaffairs.com/185019/data-breach/delta-dental-of-virginia-data-breach-impacts-145918-customers.html
        https://www.bankinfosecurity.com/email-hacks-continue-to-plague-healthcare-sector-a-30116
      • Real-Estate Finance Services Giant SitusAMC Breach Exposes Client Data
        "SitusAMC, a company that provides back-end services for top banks and lenders, disclosed on Saturday a data breach it had discovered earlier this month that impacted customer data. As a real-estate (commercial and residential) financing firm, SitusAMC handles back-office operations in areas like mortgage origination, servicing, and compliance for banks and investors. The company generates around $1 billion in annual revenue from 1,500 clients, some of whom are banking giants like Citi, Morgan Stanley, and JPMorgan Chase."
        https://www.bleepingcomputer.com/news/security/real-estate-finance-services-giant-situsamc-breach-exposes-client-data/
        https://www.bankinfosecurity.com/major-us-banks-gauge-their-exposure-to-situsamc-breach-a-30114
        https://www.theregister.com/2025/11/24/situsamc_breach/
      • Harvard University Discloses Data Breach Affecting Alumni, Donors
        "Harvard University disclosed over the weekend that its Alumni Affairs and Development systems were compromised in a voice phishing attack, exposing the personal information of students, alumni, donors, staff, and faculty members. The exposed data includes email addresses, telephone numbers, home and business addresses, event attendance records, donation details, and "biographical information pertaining to University fundraising and alumni engagement activities.""
        https://www.bleepingcomputer.com/news/security/harvard-university-discloses-data-breach-affecting-alumni-donors/
        https://securityaffairs.com/185034/security/harvard-reports-vishing-breach-exposing-alumni-and-donor-contact-data.html
      • Mazda Says No Data Leakage Or Operational Impact From Oracle Hack
        "Mazda has confirmed being targeted in the recent Oracle E-Business Suite (EBS) hacking campaign. However, the carmaker told SecurityWeek that the incident did not impact system operations or production. In addition, the company said “no data leakage has been confirmed”. A Mazda Motor Europe representative clarified that “traces of an attack” were detected, but its “defensive measures were effective, preventing any system impact or data leakage”. The company said it continues to monitor its systems."
        https://www.securityweek.com/mazda-says-no-data-leakage-or-operational-impact-from-oracle-hack/
      • Hackers Knock Out Systems At Moscow-Run Postal Operator In Occupied Ukraine
        "A Russian state-owned postal operator in occupied eastern Ukraine said Monday its systems were disrupted by “external interference” after a pro-Ukraine hacktivist group claimed it had wiped thousands of the company’s devices. Donbas Post, which operates in the Russian-controlled parts of Donetsk and Luhansk, said the incident affected its corporate network, web platform and email systems. The company had restricted access to several services to contain the breach and was working to restore operations."
        https://therecord.media/hackers-knock-out-systems-russia-operated-post-ukraine

      General News

      • What Happens When Vulnerability Scores Fall Apart?
        "Security leaders depend on vulnerability data to guide decisions, but the system supplying that data is struggling. An analysis from Sonatype shows that core vulnerability indexes no longer deliver the consistency or speed needed for the current software environment. The CVE program still serves as the industry’s naming backbone, and the NVD remains a primary source for severity ratings. These tools were built for an era of slower release cycles. They have not kept up with continuous deployment, heavy dependency use, and automated development workflows."
        https://www.helpnetsecurity.com/2025/11/24/sonatype-vulnerability-scoring-gaps-report/
      • Email Blind Spots Are Back To Bite Security Teams
        "The threat landscape is forcing CISOs to rethink what they consider normal. The latest Cybersecurity Report 2026 by Hornetsecurity, based on analysis of more than 70 billion emails and broad threat telemetry, shows attackers adopting automation, AI driven social engineering, and new evasion techniques at scale. Email remains the primary entry point for compromise. Malware in email increased by more than 130% year over year. Scams rose by more than 30% and phishing increased by more than 20%. These categories continue to drive most of the operational impact that organizations experience, including account compromise and business disruption."
        https://www.helpnetsecurity.com/2025/11/24/hornetsecurity-email-attack-tactics-report/
      • The Slow Rise Of SBOMs Meets The Rapid Advance Of AI
        "Open-source components power nearly all modern software, but they’re often buried deep in massive codebases—hiding severe vulnerabilities. For years, software bills of materials (SBOMs) have been the security community’s key tool to shine a light on these hidden risks. Yet, despite government advancements in the US and Europe, SBOM adoption in the private sector remains sluggish. Now, some experts warn that the rapid rise of AI-assisted coding could soon eclipse the push to make software supply chains more transparent."
        https://cyberscoop.com/sbom-adoption-challenges-ai-coding-transparency/
      • Quantum Encryption Is Pushing Satellite Hardware To Its Limits
        "In this Help Net Security interview, Colonel Ludovic Monnerat, Commander Space Command, Swiss Armed Forces, discusses how securing space assets is advancing in response to emerging quantum threats. He explains why satellite systems must move beyond traditional cryptography to remain protected. Monnerat also describes how future communication architectures will need to integrate quantum-safe methods without disrupting operations."
        https://www.helpnetsecurity.com/2025/11/24/ludovic-monnerat-swiss-armed-forces-securing-satellite-architecture/
      • AI Attack Agents Are Accelerators, Not Autonomous Weapons: The Anthropic Attack
        "Anthropic recently published a report that sparked a lively debate about what AI agents can actually do during a cyberattack. The study shows an AI system, trained specifically for offensive tasks, handling 80–90% of the tactical workload in simulated operations. At first glance, this sounds like a giant leap toward autonomous cyber weapons, but the real story is more nuanced, and far less dramatic. Anthropic’s agent excelled at one thing: speed. It generated scripts in seconds, tested known exploits with no fatigue, scanned configurations at scale, and built basic infrastructure faster than any analyst could. These tasks normally take hours or days, and the AI completed them almost instantly. It automated the “grunt work” that fills so much of an attacker’s time."
        https://securityaffairs.com/184943/security/ai-attack-agents-are-accelerators-not-autonomous-weapons-the-anthropic-attack.html
      • Spyware Allows Cyber Threat Actors To Target Users Of Messaging Applications
        "CISA is aware of multiple cyber threat actors actively leveraging commercial spyware to target users of mobile messaging applications (apps). These cyber actors use sophisticated targeting and social engineering techniques to deliver spyware and gain unauthorized access to a victim’s messaging app, facilitating the deployment of additional malicious payloads that can further compromise the victim’s mobile device."
        https://www.cisa.gov/news-events/alerts/2025/11/24/spyware-allows-cyber-threat-actors-target-users-messaging-applications
        https://cyberscoop.com/cisa-alert-draws-attention-to-spywares-targeting-of-messaging-apps/
      • New Research Finds That Claude Breaks Bad If You Teach It To Cheat
        "According to Anthropic, its large language model Claude is designed to be a “harmless” and helpful assistant. But new research released by the company Nov. 21 shows that when Claude is taught to cheat in one area, it becomes broadly malicious and untrustworthy in other areas. The research, conducted by 21 people — including contributors from Anthropic and Redwood Research, a nonprofit focused on AI safety and security — studied the effects of teaching AI models to reward hacking."
        https://cyberscoop.com/anthropic-claude-breaks-bad-jailbreak-reward-hacking-study/
        https://assets.anthropic.com/m/74342f2c96095771/original/Natural-emergent-misalignment-from-reward-hacking-paper.pdf
      • To Buy Or Not To Buy: How Cybercriminals Capitalize On Black Friday
        "The global e‑commerce market is accelerating faster than ever before, driven by expanding online retail, and rising consumer adoption worldwide. According to McKinsey Global Institute, global e‑commerce is projected to grow by 7–9% annually through 2040. At Kaspersky, we track how this surge in online shopping activity is mirrored by cyber threats. In 2025, we observed attacks which targeted not only e‑commerce platform users but online shoppers in general, including those using digital marketplaces, payment services and apps for everyday purchases."
        https://securelist.com/black-friday-threat-report-2025/118083/

      Reference
      Electronic Transactions Development Agency (ETDA)
