Daily Brief
Total articles found: 11546
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-11-20 22:15:59 | bleepingcomputer | NATION STATE ACTIVITY | Google Uncovers APT24's Use of BadAudio Malware in Espionage | Google Threat Intelligence Group (GTIG) exposed APT24's use of the BadAudio malware in a three-year campaign targeting Windows systems through sophisticated attack methods. The malware was delivered via spearphishing, supply-chain compromises, and watering hole attacks; the compromise of a digital marketing firm in Taiwan impacted over 1,000 domains. APT24 utilized malicious JavaScript injected into legitimate websites and libraries, employing techniques like DLL search order hijacking and control flow flattening to evade detection. BadAudio collects and encrypts system details, sends them to a command-and-control server, and can execute further payloads in memory, including the Cobalt Strike Beacon. Despite its long-term use, BadAudio remained largely undetected, with only two of eight samples flagged as malicious by more than 25 antivirus engines. Google notes APT24's shift towards stealthier tactics, demonstrating its persistent and adaptive capabilities in espionage activities. The campaign's evolution reveals the importance of robust cybersecurity measures and continuous monitoring to detect and mitigate advanced persistent threats. |
| 2025-11-20 20:37:49 | theregister | DATA BREACH | Salesforce Experiences Another Data Breach Linked to ShinyHunters | Salesforce disclosed a breach involving Gainsight-published applications, potentially compromising customer data through unauthorized access. The breach was linked to third-party app connections rather than Salesforce platform vulnerabilities. The incident is attributed to ShinyHunters, a group previously involved in similar breaches, including an attack on SalesLoft's Drift application that exploited OAuth tokens for unauthorized access. In response, Salesforce revoked all active and refresh tokens for Gainsight applications and temporarily removed them from the AppExchange to mitigate further unauthorized access. Google's Mandiant incident response team is collaborating with Salesforce to alert affected organizations and recommend auditing SaaS environments for potential vulnerabilities. Organizations are advised to review third-party applications connected to Salesforce, revoke tokens for unused or suspicious apps, and rotate credentials upon detecting unusual activity. The breach underscores the importance of robust security practices in managing third-party application connections to prevent unauthorized data access. |
| 2025-11-20 19:19:51 | theregister | MALWARE | Researchers Explore LLMs' Potential in Generating Malicious Code | Netskope Threat Labs investigated whether large language models (LLMs) like GPT-3.5-Turbo and GPT-4 could generate operationally reliable malware, finding current capabilities insufficient for autonomous attacks. Researchers managed to trick LLMs into creating Python scripts for malicious purposes, but these scripts proved unreliable in practical deployment scenarios. Tests revealed moderate success in virtualized environments, with a 50-60% reliability rate, but significant failures in AWS environments, indicating limitations in current LLM-generated code. Preliminary tests with GPT-5 showed improved code quality, achieving a 90% success rate in AWS VDI environments, though bypassing its advanced guardrails remains challenging. Despite advances, LLMs still require human intervention for effective cyber operations, as demonstrated by recent attempts by Chinese cyber spies using AI tools. Google disclosed criminals' experimental use of Gemini for developing self-rewriting malware, yet these efforts remain theoretical without current capability to compromise networks. Continuous monitoring of LLM advancements is crucial for network defenders to preemptively address potential threats as AI capabilities evolve. |
| 2025-11-20 19:05:10 | bleepingcomputer | DATA BREACH | Hacker Claims Massive Data Theft from Italian Rail Group Almaviva | A threat actor breached Almaviva, an IT services provider for FS Italiane Group, stealing 2.3TB of data and leaking it on a dark web forum. The compromised data reportedly includes sensitive documents, technical documentation, HR archives, and accounting data, impacting FS Italiane Group's operations. FS Italiane Group, a state-owned railway operator, manages critical infrastructure and transport services, with annual revenues exceeding $18 billion. Almaviva confirmed the breach, stating that security monitoring identified and isolated the attack, and initiated counter-response procedures to protect critical services. Authorities, including the police and the national cybersecurity agency, have been informed, and an investigation is underway with government assistance. The breach's full impact remains uncertain, particularly regarding passenger information and the potential effect on other clients. Almaviva has committed to providing transparent updates as the investigation progresses, highlighting the importance of robust incident response protocols. |
| 2025-11-20 17:27:44 | thehackernews | MALWARE | ShadowRay 2.0 Transforms Ray Clusters into Self-Spreading Cryptomining Botnet | Oligo Security reports ongoing exploitation of a critical flaw in the Ray AI framework, leading to the creation of a self-replicating cryptomining botnet that uses NVIDIA GPUs. The attack exploits CVE-2023-48022, a severe vulnerability with a CVSS score of 9.8, leveraging Ray's unauthenticated Job Submission API to hijack computing resources. ShadowRay 2.0 uses GitLab and GitHub for malware distribution, with cybercriminals adapting quickly to takedown efforts by creating new accounts to continue operations. The campaign employs advanced tactics to avoid detection, such as disguising processes and limiting CPU usage, while eliminating rival miners to maximize gains. Anyscale, Ray's developer, has released tools like the "Ray Open Ports Checker" to help secure clusters, alongside recommendations for firewall configurations and dashboard access controls. The botnet's capabilities extend beyond cryptojacking, with compromised clusters potentially used for DDoS attacks against rival mining infrastructure, adding a new monetization avenue. More than 230,500 Ray servers are exposed to the internet, highlighting a significant attack surface due to improper network configurations and a lack of authentication measures. |
| 2025-11-20 17:12:31 | bleepingcomputer | VULNERABILITIES | Significant Surge in Scans Targeting Palo Alto GlobalProtect VPN Portals | Malicious scanning of Palo Alto Networks GlobalProtect VPN portals surged 40-fold within 24 hours, marking the highest activity in 90 days, as reported by GreyNoise. The activity spike began on November 14, 2025, and aligns with previous campaigns, suggesting a coordinated effort using recurring TCP/JA4t fingerprints and ASNs. GreyNoise identified 2.3 million scan sessions targeting the `*/global-protect/login.esp` URI, with login attempts focused on the United States, Mexico, and Pakistan. The primary ASN involved is AS200373 (3xK Tech GmbH), with most IP addresses geolocated in Germany and Canada, indicating a geographically diverse attack base. Historical data suggests that such scanning spikes often precede the disclosure of new vulnerabilities, with a strong correlation noted for Palo Alto Networks' products. Previous incidents in 2025 included exploitation of vulnerabilities CVE-2025-0108, CVE-2025-0111, and CVE-2024-9474, highlighting ongoing security challenges for Palo Alto Networks. Organizations are advised to actively monitor and block these attempts, treating them as malicious probes rather than disregarding them as failed exploit attempts. |
| 2025-11-20 17:05:30 | thehackernews | MALWARE | Tsundere Botnet Targets Windows Users with Game-Themed Lures | The Tsundere botnet is actively expanding, targeting Windows users by executing arbitrary JavaScript code from a command-and-control server, according to Kaspersky's recent analysis. The botnet employs game-themed lures, such as Valorant and Counter-Strike 2, to entice users searching for pirated versions, potentially increasing its reach among gaming communities. Attackers utilize a legitimate Remote Monitoring and Management tool to download malicious MSI installer files, which install Node.js and execute botnet payloads. The malware ensures persistence by using the pm2 package to write to the registry, allowing it to restart upon system login and maintain activity on infected systems. The Tsundere botnet leverages the Ethereum blockchain to dynamically update its WebSocket C2 server addresses, enhancing its resilience and adaptability. Analysis reveals the botnet's infrastructure includes a control panel for managing botnets, facilitating the creation of new artifacts, and even hosting a marketplace for botnet transactions. Evidence suggests Russian-speaking origins, with the source code containing Russian language and restrictions on targeting Russia and CIS countries, indicating possible geopolitical motivations. The presence of the 123 Stealer on the same server, offered on a subscription basis, suggests a broader malicious ecosystem supporting various cybercriminal activities. |
| 2025-11-20 16:50:15 | theregister | CYBERCRIME | Ex-Contractor's Sabotage Causes Major Disruption and Financial Loss | An Ohio IT contractor, Maxwell Schultz, pleaded guilty to sabotaging his former employer's network, causing $862,000 in damages after his termination. Schultz accessed the company's systems by impersonating another contractor, resetting 2,500 passwords, and locking out thousands of employees and contractors. The incident disrupted operations significantly, impacting employee productivity and customer service, and necessitating costly remediation efforts. Schultz employed a PowerShell script to execute the attack and attempted to cover his tracks by deleting system logs and clearing PowerShell events. The attack occurred on May 14, 2021, and Schultz faces up to ten years in prison and a $250,000 fine, with sentencing scheduled for January 30, 2026. Insider threats remain a persistent challenge for organizations, with similar cases reported across various sectors, highlighting the need for robust insider threat management. The company affected, reportedly Houston-based Waste Management, exemplifies the ongoing risks posed by malicious insiders in today's digital landscape. |
| 2025-11-20 16:50:14 | bleepingcomputer | DATA BREACH | Salesforce Investigates Data Theft Linked to Gainsight Breach | Salesforce is investigating a data breach involving Gainsight-published applications, which may have enabled unauthorized access to certain customers' Salesforce data. The breach does not originate from Salesforce's CRM platform but is linked to external connections via Gainsight applications. In response, Salesforce revoked all active access and refresh tokens associated with Gainsight applications and temporarily removed them from the AppExchange. Impacted customers have been notified, and Salesforce has advised them to contact the Salesforce Help team for further assistance. The incident is reminiscent of the 2025 Salesloft breach, where the Scattered Lapsus$ Hunters group accessed sensitive data from Salesforce instances. ShinyHunters claims to have accessed 285 Salesforce instances through secrets stolen in the Salesloft breach, affecting numerous high-profile companies. Gainsight confirmed the breach involved stolen OAuth tokens, compromising business contact details and support case contents. The ongoing investigation aims to prevent further unauthorized access and ensure the security of Salesforce's customer data. |
| 2025-11-20 16:07:25 | theregister | MISCELLANEOUS | TP-Link Files Lawsuit Against Netgear Over Alleged Smear Campaign | TP-Link has initiated legal proceedings against Netgear, alleging a smear campaign that falsely linked TP-Link to Chinese government infiltration, damaging its reputation in the U.S. market. The lawsuit, filed in Delaware, claims Netgear violated a previous agreement by spreading misleading information about TP-Link, affecting its business operations and market perception. TP-Link seeks damages for commercial disparagement, defamation, and breach of contract, citing a $135 million settlement with Netgear in 2024 as part of the violated agreement. The complaint includes exhibits from Netgear's earnings calls, where TP-Link alleges false statements were made regarding its security posture and ties to Chinese state-sponsored cyber activities. TP-Link asserts its U.S. incorporation and operations, emphasizing its California headquarters and local workforce, countering claims of being a national security risk. Netgear has responded to the lawsuit, declaring the allegations unfounded and stating its intention to address the claims through legal channels. The case draws attention to competitive tensions in the networking industry and the impact of national security concerns on corporate reputations. |
| 2025-11-20 15:59:40 | bleepingcomputer | VULNERABILITIES | SonicWall Urges Patching of Critical SonicOS SSLVPN Vulnerability | SonicWall has identified a critical vulnerability, CVE-2025-40601, in its SonicOS SSLVPN service, which could allow remote attackers to crash Gen8 and Gen7 firewalls. The vulnerability is a stack-based buffer overflow that could lead to a denial-of-service (DoS) condition, though no active exploitation has been reported. SonicWall's Gen6 firewalls and certain SSL VPN products are not affected by this vulnerability, reducing the potential impact on some users. The company recommends immediate patching, or disabling the SSLVPN service to mitigate risk for those unable to deploy updates promptly. Additional vulnerabilities, CVE-2025-40604 and CVE-2025-40605, have been patched in SonicWall's Email Security appliances, addressing risks of arbitrary code execution and unauthorized data access. Recent incidents include a state-sponsored breach exposing firewall configurations and a firmware update to counteract OVERSTEP rootkit malware in SMA 100 devices. SonicWall's proactive advisories and patches aim to strengthen defenses against potential exploitation and enhance overall network security. |
| 2025-11-20 15:39:04 | bleepingcomputer | VULNERABILITIES | D-Link DIR-878 Routers Expose Users to Remote Command Execution Risks | D-Link has issued a warning about three remote command execution vulnerabilities in its DIR-878 routers, which have reached end-of-life status. Despite the device's discontinuation in 2021, it remains available in several markets, with prices ranging from $75 to $122. Technical details and proof-of-concept exploit code for these vulnerabilities have been released by a researcher, raising potential security concerns. D-Link advises replacing the DIR-878 with a supported product, as no security updates will be provided for this model. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has rated these vulnerabilities with a medium-severity score. Publicly available exploits often attract threat actors, including botnet operators, who may integrate these vulnerabilities into their attack strategies. The RondoDox botnet, known for using numerous flaws, and the Aisuru botnet, which recently launched a significant DDoS attack, exemplify the potential risks. |
| 2025-11-20 15:24:04 | bleepingcomputer | VULNERABILITIES | Windows 11 Migration Offers Strategic Opportunity for Enhanced Security | With Windows 10 support ending in October 2025, businesses face critical decisions regarding operating system upgrades and security implications. Windows 11 migration presents a chance to evaluate and improve overall cybersecurity posture, addressing potential vulnerabilities in legacy systems. Microsoft offers Extended Security Updates for Windows 10 until October 2026, but managing these can be complex and costly for businesses. Unpatched vulnerabilities remain a significant threat vector, particularly for managed service providers, emphasizing the need for timely OS upgrades. Transitioning to Linux or other alternatives is impractical for most businesses due to complexity and potential security challenges. Organizations are encouraged to use the migration to Windows 11 as a catalyst for comprehensive data backup and disaster recovery planning. The Acronis Threat Research Unit identifies unpatched systems as a leading risk, urging proactive measures during OS transitions. |
| 2025-11-20 14:49:04 | theregister | DATA BREACH | PowerSchool Data Breach Exposes Millions Due to Oversight Failures | The PowerSchool breach in December 2024 exposed personal data of approximately 3.86 million Ontarians and over 700,000 Albertans, affecting students and staff across multiple school boards. Privacy commissioners from Ontario and Alberta identified inadequate contractual, security, and oversight measures by school boards as significant contributors to the breach's impact. Attackers exploited compromised credentials to access PowerSchool's systems, subsequently exfiltrating entire student and educator database tables, causing widespread data exposure. PowerSchool had previously paid a ransom, believing the data was deleted, but extortionists later targeted individual school districts, indicating the data was not erased. Reports criticized school boards for failing to implement mandatory privacy clauses, proper vendor oversight, and multi-factor authentication, amplifying the breach's severity. The breach underscores the critical need for coordinated sector-wide efforts to enhance contract negotiations, oversight, and compliance with privacy laws among educational institutions. The incident serves as a cautionary tale about the risks of dependency on third-party platforms without adequate responsibility and control measures in place. |
| 2025-11-20 13:39:22 | bleepingcomputer | CYBERCRIME | Major TV Piracy Service Shuttered After Joint Investigation | Photocall, a TV piracy platform with 26 million annual visits, was shut down following a probe by the Alliance for Creativity and Entertainment (ACE) and DAZN. The service provided unauthorized access to 1,127 TV channels from 60 countries, including popular sports content like MotoGP and Formula 1. Spain accounted for nearly 30% of Photocall's traffic, with significant user bases in Mexico, Germany, Italy, and the United States. Photocall operators agreed to cease operations and transferred all domains to ACE, redirecting them to ACE's Watch Legally website. The shutdown is part of a broader Europol-coordinated effort targeting digital piracy, linking $55 million in cryptocurrency to illegal streaming activities. ACE, comprising over 50 media firms, collaborates with global law enforcement to dismantle illegal streaming networks, impacting services like Rare Breed TV and Streameast. These actions reflect ongoing efforts to protect intellectual property and reduce financial losses in the entertainment industry. |