Daily Brief

2025-11-13 11:30:25 thehackernews VULNERABILITIES Accelerating Cyber Defense: The Shift to Machine-Speed Security
Recent reports indicate that 50-61% of new vulnerabilities are exploited within 48 hours of disclosure, challenging traditional defense timelines. Threat actors have automated their response, using AI to rapidly assess and exploit new vulnerabilities, outpacing manual defensive efforts. The traditional quarterly or monthly patching cycles are inadequate, as attackers weaponize vulnerabilities long before organizations can deploy fixes. Automation and orchestration are essential for reducing exposure windows, allowing security teams to respond at machine speed. Organizations must transition from manual patching to automated, policy-driven remediation to maintain operational safety and competitiveness. Security teams are encouraged to adopt accelerated defense strategies, combining automation and controlled rollback to ensure agility and resilience. The future of cybersecurity will depend on the ability to execute rapid, informed actions, as the slowest responder risks immediate compromise.
2025-11-13 11:24:46 thehackernews CYBERCRIME Global Operation Endgame Targets Major Malware Networks and Arrests Key Suspect
Europol and Eurojust led a coordinated operation dismantling Rhadamanthys Stealer, Venom RAT, and the Elysium botnet, disrupting significant cybercrime infrastructures. The operation, conducted from November 10 to 13, 2025, resulted in the takedown of over 1,025 servers and seizure of 20 domains. Authorities arrested the primary suspect behind Venom RAT in Greece, marking a significant breakthrough in the fight against cybercrime. The dismantled networks affected hundreds of thousands of computers, with millions of credentials stolen, many victims unaware of their compromised systems. The Rhadamanthys malware was found to have advanced capabilities, including device and browser fingerprinting, enhancing its stealth. The suspect associated with Rhadamanthys had access to 100,000 cryptocurrency wallets, potentially involving millions of euros in stolen funds. Law enforcement agencies from nine countries, including the U.S., Germany, and Australia, collaborated in this extensive international effort.
2025-11-13 11:15:37 theregister CYBERCRIME Synnovis Concludes Investigation into Qilin Ransomware Attack Impacting NHS
Synnovis completed an 18-month forensic review of a ransomware attack by the Qilin gang that disrupted pathology services across London in 2024. The attack led to the cancellation of thousands of medical appointments and operations, severely impacting NHS service delivery. Security firm CaseMatrix estimated that data for over 900,000 NHS patients was leaked, though Synnovis has not confirmed this figure. The breach contributed to a patient's death, marking a rare instance where a ransomware attack has been linked to a fatality. Synnovis used specialized platforms to reconstruct compromised data, which was unstructured and fragmented, complicating the investigation. No ransom was paid, as Synnovis and NHS trusts opted against funding cybercriminal activities, despite the Qilin gang's double-extortion tactics. Synnovis is notifying affected NHS organizations, with patient notifications expected to take additional time due to the complexity of the breach. The Qilin group, believed to be of Russian origin, targets entities linked to political elites, employing data exfiltration and encryption in attacks.
2025-11-13 11:01:18 bleepingcomputer CYBERCRIME Operation Endgame Dismantles Major Malware Networks Across Europe
Law enforcement from nine countries dismantled over 1,000 servers linked to Rhadamanthys, VenomRAT, and Elysium malware as part of Operation Endgame. Coordinated by Europol and Eurojust, the operation involved private partners like CrowdStrike and Proofpoint, enhancing international collaboration against cybercrime. Searches in Germany, Greece, and the Netherlands led to the seizure of 20 domains and the arrest of a key suspect in Greece associated with VenomRAT. The dismantled infrastructure included hundreds of thousands of infected systems, with millions of stolen credentials and over 100,000 compromised crypto wallets. Europol advises using resources like politie.nl/checkyourhack and haveibeenpwned.com to verify potential infections from these malware operations. The operation follows previous disruptions targeting ransomware and other malware infrastructures, demonstrating ongoing efforts to combat global cyber threats. The Rhadamanthys developer indicated suspicion of German law enforcement involvement due to activity logs showing German IP addresses before server access was lost.
2025-11-13 10:16:06 thehackernews DATA BREACH Chinese Security Vendor Knownsec Suffers Major Data Breach
A data breach at Knownsec resulted in the exposure of over 12,000 classified documents, revealing sensitive information about Chinese state cyber capabilities. Leaked documents include data on cyber weapons, internal tools, and global target lists, highlighting potential national security implications. The breach also exposed RATs capable of compromising multiple operating systems, including Linux, Windows, and macOS. Sensitive data such as 95GB of immigration records from India and 3TB of call records from South Korea were also leaked. The breach raises concerns about the security practices of vendors handling sensitive government contracts and data. The incident underscores the importance of robust security measures and regular audits for organizations managing critical and classified information.
2025-11-13 10:08:52 bleepingcomputer VULNERABILITIES CISA Urges Urgent Patching of Exploited WatchGuard Firewall Flaw
CISA has issued a warning to government agencies about a critical vulnerability in WatchGuard Firebox firewalls, urging immediate patching to prevent remote code execution attacks. The vulnerability, CVE-2025-9242, affects Fireware OS 11.x, 12.x, and 2025.1, and has been added to the Known Exploited Vulnerabilities catalog. Federal agencies have been given a deadline of December 3 to secure their systems, following the Binding Operational Directive 22-01. WatchGuard released patches on September 17; however, the flaw was only recognized as actively exploited on October 21. Shadowserver reports a decrease in vulnerable Firebox appliances from 75,000 to 54,000 globally, with most located in Europe and North America. Although the directive targets federal agencies, all organizations are advised to prioritize patching due to the attractiveness of firewalls to threat actors. The Akira ransomware gang has been exploiting similar vulnerabilities, highlighting the persistent threat to firewall security.
2025-11-13 07:24:10 thehackernews VULNERABILITIES CISA Warns of Critical WatchGuard Fireware Vulnerability Affecting Thousands
CISA added a critical vulnerability in WatchGuard Fireware to its Known Exploited Vulnerabilities catalog due to active exploitation, affecting over 54,000 Firebox devices globally. The flaw, identified as CVE-2025-9242 with a CVSS score of 9.3, involves an out-of-bounds write in the OS iked process, allowing unauthenticated remote code execution. A missing length check during the IKE handshake process is the root cause, making the vulnerable code accessible before authentication, as noted by security researcher McCaulay Hudson. More than 18,500 vulnerable devices are located in the U.S., with significant numbers also in Italy, the U.K., Germany, and Canada, according to Shadowserver Foundation data. Federal Civilian Executive Branch agencies are urged to implement WatchGuard's patches by December 3, 2025, to mitigate potential risks. The vulnerability's inclusion in CISA's catalog coincides with the addition of other critical flaws, such as a Windows kernel issue and a Gladinet Triofox access control vulnerability. This development serves as a reminder of the importance of timely patch management to prevent exploitation of known security flaws.
2025-11-13 05:02:13 thehackernews MALWARE Over 46,000 Fake npm Packages Unleashed in Spam Attack
A large-scale spam campaign has flooded the npm registry with over 46,000 fake packages since early 2024, targeting the software supply chain ecosystem. The campaign, dubbed "IndonesianFoods," uses a worm-like propagation mechanism and distinctive naming patterns, including Indonesian names and food terms. These packages masquerade as Next.js projects, remaining dormant until manually executed by users, thus evading automated detection systems. The attack leverages a self-replicating network of dependencies, straining registry bandwidth and creating supply chain risks for developers. The campaign's monetization strategy involves abusing the Tea protocol to earn tokens by artificially inflating impact scores. GitHub has removed the malicious packages and is committed to evolving detection methods to prevent similar threats. This incident underscores the need for enhanced security measures in package registries to address automation and scale threats.
2025-11-12 21:49:43 theregister CYBERCRIME Google Sues Chinese Scammers Over Massive Lighthouse Phishing Operation
Google has initiated legal action against 25 China-based individuals linked to the Lighthouse phishing scheme, which has reportedly stolen over 115 million credit card numbers in the US. Lighthouse offers a "phishing for dummies" kit, providing criminals with tools to create fraudulent websites mimicking over 400 legitimate entities, including Google services. The operation has generated over 200,000 fake websites in just 20 days, targeting more than one million victims across 121 countries, causing significant financial losses. Google's lawsuit, citing the RICO Act and other legal frameworks, aims to dismantle the Lighthouse operation and recover damages from the cybercriminals involved. Despite the legal efforts, the 25 defendants are unlikely to face a US court due to their location in China, where extradition is rare and local prosecution is improbable. Google is collaborating with US lawmakers to support legislation that tackles foreign cybercrime, endorsing bipartisan bills to enhance law enforcement capabilities and prevent scams. The proposed legislation includes measures to trace cryptocurrency transactions, block foreign robocalls, and sanction international scam operators, aiming to bolster national cybersecurity defenses.
2025-11-12 21:39:29 bleepingcomputer CYBERCRIME Google Sues to Dismantle Chinese Phishing-as-a-Service Platform
Google has initiated legal action against "Lighthouse," a phishing-as-a-service platform, aiming to dismantle its infrastructure used for global smishing attacks. The platform has been linked to over 1 million victims across 120 countries, stealing up to 115 million payment cards in the U.S. alone. Lighthouse provides phishing templates and infrastructure, enabling cybercriminals to impersonate services like USPS and E-ZPass in text message scams. Google's lawsuit cites federal racketeering and fraud statutes, including the Racketeer Influenced and Corrupt Organizations Act and the Computer Fraud and Abuse Act. Researchers have associated Lighthouse with the Chinese threat actor "Wang Duo Yu," who sells smishing kits via Telegram, facilitating toll scam operations in multiple U.S. states. Google is enhancing its AI capabilities to detect scam messages and is supporting U.S. policy initiatives to protect consumers from foreign-based cybercrime. The company is also expanding public education efforts and improving user account recovery processes to combat phishing threats.
2025-11-12 21:05:40 bleepingcomputer CYBERCRIME Google Files Lawsuit Against Chinese Phishing Platform "Lighthouse"
Google has initiated legal action to dismantle the "Lighthouse" phishing-as-a-service platform, which has facilitated global SMS phishing scams targeting over 1 million victims across 120 countries. The platform exploited brands like USPS and E-ZPass to steal credit card information, affecting millions of users and compromising up to 115 million payment cards in the U.S. alone. Google's lawsuit leverages federal racketeering and fraud statutes, including the Racketeer Influenced and Corrupt Organizations Act, to target Lighthouse's infrastructure. Lighthouse offered phishing templates and infrastructure to cybercriminals, enabling them to impersonate well-known services and bypass spam filters via iMessage and RCS. Cisco Talos linked Lighthouse to the Chinese threat actor "Wang Duo Yu," who marketed the platform through Telegram, with subscription prices ranging from $88 per week to $1,588 per year. Google's response includes enhancing AI capabilities to detect scams, improving Google Messages security, and supporting U.S. policy initiatives to combat foreign-based cybercrime. The case underscores the growing threat of phishing-as-a-service platforms and the need for robust legal and technical measures to protect consumers globally.
2025-11-12 18:24:23 bleepingcomputer VULNERABILITIES Windows 11 Enhances Security with Third-Party Passkey Management
Microsoft has introduced native support for third-party passkey managers in Windows 11, enhancing passwordless authentication with the November 2025 security update. Initial support includes 1Password and Bitwarden, allowing users to manage passkeys more flexibly and securely across platforms. The new passkey system utilizes FIDO2/WebAuthn standards, offering improved security through private-public key cryptography and reducing phishing attack risks. Users can now choose between Microsoft Password Manager, 1Password, or Bitwarden for storing private keys, with authentication facilitated via Windows Hello. This development is part of Microsoft's broader strategy to promote passwordless authentication, aiming to increase convenience and security for users. Bitwarden's integration is currently in beta, suggesting potential functional limitations until further testing and refinement are completed. The initiative reflects a significant step towards eliminating traditional passwords, aligning with industry trends for enhanced digital security.
2025-11-12 17:19:53 theregister VULNERABILITIES Zero-Day Exploits in Citrix and Cisco Lead to Custom Malware Deployment
Advanced attackers exploited zero-day vulnerabilities in Citrix and Cisco systems to deploy custom malware, as detected by Amazon's MadPot honeypot. The Citrix vulnerability, CVE-2025-5777, involves an out-of-bounds read flaw in NetScaler Gateway, enabling remote memory content leaks. Cisco's vulnerability, CVE-2025-20337, allows remote code execution with root privileges due to flawed deserialization logic in Cisco Identity Services Engine. Amazon identified a custom backdoor designed for Cisco ISE environments, featuring advanced evasion techniques and minimal forensic traces. The malware's sophisticated design suggests a threat actor with deep knowledge of Cisco ISE and Java applications, indicating significant resources and capabilities. Despite the critical nature of these vulnerabilities, both Cisco and Citrix have yet to comment on the exploitation incidents. Organizations are urged to apply patches immediately to mitigate risks associated with these high-severity vulnerabilities.
2025-11-12 16:43:04 bleepingcomputer MALWARE DanaBot Malware Resurfaces with New Version After Disruption
DanaBot, a banking trojan, has re-emerged with a new version after a six-month hiatus following law enforcement disruption. The latest variant, version 669, utilizes Tor domains and “backconnect” nodes for command-and-control infrastructure. Zscaler ThreatLabz identified cryptocurrency addresses linked to DanaBot for receiving stolen funds in multiple cryptocurrencies. Initially disclosed by Proofpoint, DanaBot has evolved into a modular information stealer targeting credentials and cryptocurrency wallets. Despite Operation Endgame's success in degrading DanaBot's operations, the malware's infrastructure has been rebuilt. DanaBot infections typically occur through malicious emails, SEO poisoning, and malvertising, sometimes leading to ransomware. Organizations are advised to update blocklists with new indicators of compromise and enhance security tools to mitigate DanaBot threats.
2025-11-12 15:50:51 thehackernews CYBERCRIME Google Takes Legal Action Against China-Based Phishing Platform Lighthouse
Google has initiated a lawsuit in the U.S. against Chinese hackers operating the Lighthouse Phishing-as-a-Service platform, responsible for defrauding over 1 million users globally. Lighthouse exploits trusted brands like E-ZPass and USPS through large-scale SMS phishing, stealing financial information via deceptive links. The platform has generated over $1 billion illegally in three years, leveraging Google's trademarks to create fraudulent websites. Google's legal strategy involves dismantling Lighthouse's infrastructure using the RICO Act, Lanham Act, and Computer Fraud and Abuse Act. Lighthouse, part of a broader Chinese cybercrime network, has been linked to over 17,500 phishing domains targeting 316 brands across 74 countries. Phishing templates from Lighthouse are sold on a subscription basis, with prices ranging from $88 to $1,588. Chinese smishing syndicates have potentially compromised millions of payment cards in the U.S., with new tools developed to exploit stolen data. The ongoing threat from platforms like Lighthouse underscores the need for robust defenses against evolving phishing tactics and cybercrime networks.