DJBSEC's CyberNews 2025-11-27
1. U.S. House Committee Demands Anthropic Testify on Chinese Espionage Campaign
The House Homeland Security Committee has requested that Anthropic’s CEO testify about alleged Chinese cyber-espionage campaigns abusing AI models. Lawmakers are concerned that adversaries may be exploiting LLMs to accelerate phishing, malware development, and reconnaissance. Officials say AI vendors must address how their systems are safeguarded against hostile nation-state use. The hearing is expected to focus on oversight, transparency, and national-security implications.
2. Shai-Hulud v2 Spreads from NPM to Python and Ruby Ecosystems
The new Shai-Hulud v2 supply-chain attack campaign has expanded beyond NPM, now targeting Python and Ruby package ecosystems. Attackers are publishing malicious packages that exfiltrate credentials, SSH keys, cloud tokens, and browser data. This marks a significant escalation in cross-ecosystem supply-chain attacks. Developers are urged to verify publisher authenticity and enable scanning tools for dependency security.
3. Microsoft Teams Guest Chat Flaw Allows Malware Delivery
A flaw in Microsoft Teams’ guest chat functionality is being abused to deliver malware through seemingly trusted internal channels. Attackers compromise external accounts, then send malicious attachments or links that appear to originate from legitimate organizational collaborators. The issue bypasses some internal security policies due to how Teams handles guest permissions. Microsoft has issued guidance while preparing a full patch.
4. Qilin Ransomware Hits South Korean MSP, Impacting Hundreds of Clients
The Qilin ransomware group compromised a major South Korean managed service provider, resulting in widespread outages across downstream customers. Attackers infiltrated the MSP’s internal management system and deployed ransomware through automated client tools. The incident shows the growing threat of supply-chain ransomware attacks targeting service providers. Authorities are investigating, and impacted organizations face long recovery windows.
5. FIDO2 Keys Prompt for PIN After Latest Windows Update
Following a recent Windows update, users of FIDO2 security keys may be unexpectedly prompted to enter their PIN during sign-ins. Microsoft confirmed this is a side effect of updated security requirements enforcing stronger key-usage validation. While not a vulnerability, the change affects authentication workflows in enterprise environments. Microsoft is reviewing user feedback and may adjust the behavior in future patches.
6. Akira Ransomware Exploits SonicWall VPN Vulnerability
The Akira ransomware gang is exploiting a recently disclosed SonicWall VPN vulnerability to gain initial access to corporate networks. Once inside, the group deploys double-extortion tactics—stealing data before encrypting systems. Security researchers warn that unpatched SonicWall appliances are being mass-scanned and targeted. Urgent patching and MFA enforcement are recommended.
7. Fake IC3 Website Used to Steal Victim Information
Threat actors created a convincing clone of the FBI’s IC3 crime-reporting website, tricking users into submitting personal data. Victims believed they were reporting cybercrimes, but their information was harvested for follow-up scams and identity theft. The fake site used professional branding and HTTPS certificates to appear legitimate. Users are urged to verify domains before submitting sensitive data.
8. Microsoft Secures Entra ID Sign-Ins Against Script Injection Attacks
Microsoft announced new protections for Entra ID to defend against external script-injection attempts targeting web-based authentication flows. Attackers previously manipulated embedded scripts to hijack login sessions or steal tokens. The updated controls harden the identity platform and reduce the ability for malicious code to tamper with the sign-in pipeline. Organizations should ensure app integrations follow Microsoft’s security best practices.
9. ToddyCat APT Now Targets Outlook Archives & Microsoft 365 Tokens
The ToddyCat APT group has evolved its toolkit to extract local Outlook archives, browser-stored credentials, and Microsoft 365 authentication tokens. Researchers say the group is improving persistence and exfiltration methods to target diplomatic and government networks. Their updated malware families now include enhanced stealth and data-theft modules. Organizations should increase monitoring of email clients and cloud-token activity.
10. New Indirect Shellcode Executor Evades AV & EDR Systems
A newly observed malware tool uses indirect shellcode execution to bypass antivirus and EDR solutions. Instead of injecting code directly into memory, it routes payload execution through legitimate system processes, reducing detectable anomalies. This approach is gaining popularity among advanced threat actors. Security teams are advised to deploy behavioral monitoring and memory-integrity controls.
11. Tor Adopts Galois-Based Onion Encryption Algorithm
The Tor Project has fully adopted its new Galois onion-encryption standard, improving both performance and resistance to traffic analysis. The algorithm modernizes Tor’s cryptographic stack and is optimized for long-term resilience against state-level adversaries. Early tests show reduced latency and stronger relay-to-relay confidentiality. Users should upgrade Tor clients to benefit from the change.
12. Iran Leveraging Cyber Operations to Support Kinetic Strikes
U.S. intelligence agencies warn that Iran is increasingly pairing cyber intrusion campaigns with real-world kinetic operations. Analysts say cyber teams gather targeting data—such as GPS, cameras, and email intelligence—to support military decision-making. This fusion of cyber and physical warfare expands Iran’s operational reach. The report urges critical-infrastructure operators to treat cyber threats as potential precursors to physical harm.
13. Cobalt Strike 4.12 Released with Security Hardening & New Controls
Cobalt Strike released version 4.12, adding new obfuscation controls, enhanced operator logging, and tighter safeguards to prevent unauthorized use. The update also adjusts how beacons communicate to reduce signature-based detection. Despite these improvements, defenders remain concerned that older pirated versions continue circulating among ransomware groups. Legitimate users are encouraged to upgrade to maintain security and compliance.