Daily Brief

The Curly COMrades threat group has been identified using Windows Hyper-V to deploy a concealed Linux virtual machine, bypassing traditional endpoint detection and response (EDR) systems. Bitdefender's report reveals that the group uses a lightweight Alpine Linux VM to host custom malware, including CurlyShell and CurlCat, for executing reverse shell operations and data transfers. This activity targets systems primarily in Georgia and Moldova, with indications of alignment with Russian interests, and has been ongoing since late 2023. Tools used by the group include RuRat for remote access, Mimikatz for credential theft, and MucorAgent, a modular .NET implant, indicating a sophisticated attack strategy. Collaboration with Georgia CERT unveiled further tools and methods, showing attempts to maintain long-term access by exploiting Hyper-V on Windows 10 hosts. The malware operates as a headless daemon, communicating with a command-and-control server via HTTP requests, allowing encrypted command execution. The use of diverse proxy and tunneling tools, such as Resocks and Ligolo-ng, highlights the group's adaptability and commitment to maintaining a robust reverse proxy capability.

SonicWall confirmed state-sponsored actors accessed firewall configuration backup files in a September breach, affecting less than 5% of its cloud backup service customers. The breach involved unauthorized API calls to a specific cloud environment, with no impact on SonicWall's products, firmware, or other systems. Google-owned Mandiant was engaged to investigate the breach, leading to the implementation of recommended security enhancements for SonicWall's network and cloud infrastructure. SonicWall has introduced an Online Analysis Tool and Credentials Reset Tool to assist customers in identifying affected services and securing their credentials. The company emphasizes its commitment to bolstering security for SMBs and distributed environments, as nation-state threats increasingly target edge security providers. Customers are advised to log in to MySonicWall.com to verify their devices and reset credentials for any impacted services.

The Gootloader malware operation has resumed after a 7-month hiatus, utilizing SEO poisoning to promote fake websites that distribute malicious documents. Gootloader employs JavaScript-based loaders to trick users into downloading harmful documents, often disguised as legal templates or agreements. Recent campaigns use innovative techniques to evade detection, including special web fonts that obscure real filenames and keywords from automated tools. Malformed ZIP archives are crafted to extract malicious JavaScript files when opened with specific tools, complicating detection efforts. The Supper SOCKS5 backdoor is deployed in these attacks, enabling remote access and facilitating rapid network compromise by ransomware affiliates like Vanilla Tempest. Security researchers have actively disrupted Gootloader operations by filing abuse reports, but the threat persists with new tactics. Organizations are advised to exercise caution when downloading legal documents online and to verify the credibility of websites offering such resources.

Hyundai AutoEver America reported a data breach affecting its IT environment, exposing sensitive personal information such as Social Security Numbers and driver's licenses. The breach was discovered on March 1, 2025, but investigations revealed unauthorized access began on February 22, 2025. Hyundai AutoEver America provides IT solutions for Hyundai and Kia, impacting systems used in 2.7 million cars and involving 5,000 employees. External cybersecurity experts were engaged to investigate the breach's scope, confirm containment, and identify affected data, with law enforcement also involved. The breach's impact on employees versus customers remains unclear, with the total number of affected individuals yet to be disclosed. No ransomware group has claimed responsibility, and the identity of the attackers remains unknown. Hyundai has faced multiple cybersecurity incidents recently, raising concerns about ongoing vulnerabilities within its systems.

CISA has issued a warning about a critical remote command execution vulnerability in CentOS Web Panel, now added to the Known Exploited Vulnerabilities catalog. The flaw, identified as CVE-2025-48703, allows remote attackers to execute arbitrary commands if they know a valid username on a CWP instance. This vulnerability affects all versions of CWP prior to 0.9.8.1204, impacting web hosting providers and system administrators using the panel. A detailed analysis by security researcher Maxime Rinaudo revealed the flaw stems from improper input handling in the file-manager ‘changePerm’ endpoint. Federal entities are required to apply security updates or cease using the product by November 25, in accordance with CISA's BOD 22-01 guidance. CISA's advisory serves as a reminder for organizations to monitor and prioritize addressing vulnerabilities listed in the KEV catalog. The vulnerability was patched in CWP version 0.9.8.1205, released on June 18, following the researcher's report in May.

Google received clearance from the Department of Justice for its $32 billion acquisition of cloud security firm Wiz, marking its largest acquisition to date. The acquisition aims to integrate Wiz's unified cloud security platform into Google Cloud, enhancing security offerings with comprehensive multicloud visibility. Wiz's platform connects via API to customer environments, providing full-stack inventory and threat intelligence to assess risks across interconnected cloud services. The DOJ's antitrust investigation concluded without objections, but the deal still requires approval from other global regulators, including the UK, EU, and Japan. Google and Wiz emphasize that the acquisition will expand access to multicloud security solutions, offering businesses and governments more protection options. This acquisition follows a previous failed attempt by Google in 2024, where Wiz initially rejected a $23 billion offer, opting instead to pursue an IPO. The deal's progress reflects ongoing regulatory scrutiny of major tech acquisitions, highlighting the importance of compliance with international antitrust standards.

SonicWall's September breach involved state-sponsored actors accessing firewall configuration backup files, confirmed by Mandiant's investigation. The breach did not compromise SonicWall products, firmware, systems, tools, source code, or customer networks. Attackers used an API call to access cloud backup files, potentially exposing sensitive information such as access credentials and tokens. SonicWall advised customers to reset credentials and passwords for various network components to mitigate potential risks. The breach was isolated to a specific cloud environment, affecting all customers using SonicWall's cloud backup service. The incident was unrelated to attacks by the Akira ransomware group targeting SonicWall VPN accounts in late September. Huntress reported increased malicious activity targeting SonicWall SSLVPN accounts, but found no link to the September breach.

Major UK mobile carriers have agreed to upgrade networks to prevent phone number spoofing, aiming to eliminate this scam tactic within a year under the new Telecoms Charter. The initiative involves collaboration between law enforcement, government agencies, and top mobile networks, including BT EE, Virgin Media O2, and Vodafone Three. Advanced call tracing technology will be implemented to help police track and dismantle scam operations, enhancing the ability to combat fraud. Carriers will boost data sharing with police and improve support for scam victims, reducing response times to two weeks and setting clear fraud assistance goals. Virgin Media O2 and Vodafone Three report significant ongoing efforts, blocking billions of scam texts and millions of fraudulent calls monthly using AI technologies. The initiative responds to widespread caller ID usage, with 96% of users checking IDs and many blocking unknown international numbers, which scammers exploit by spoofing local numbers. The UK government aims to make the country the hardest place for scammers to operate, with fraud currently accounting for 50% of all crime in the UK.

The University of Pennsylvania confirmed a data breach involving internal systems related to development and alumni activities, accessed through compromised credentials from a social engineering attack. The breach allowed unauthorized access to systems including Salesforce, Qlik, SAP, and SharePoint, resulting in the theft of 1.71 GB of internal documents and 1.2 million donor records. Attackers sent an offensive mass email to 700,000 recipients using the university's Salesforce Marketing Cloud account after their access was revoked. The university has engaged the FBI and CrowdStrike to investigate the incident and is implementing enhanced security measures and employee training to prevent future breaches. The attackers have not yet leaked the stolen data but threatened potential disclosure, citing criticism of the university's policies and practices. Penn is advising students and alumni to remain vigilant against potential phishing or social engineering attempts following the breach. The institution plans to notify affected individuals once the investigation concludes, ensuring transparency and accountability in its response efforts.

Google's Threat Intelligence Group discovered PROMPTFLUX, a VB Script malware leveraging Gemini AI to alter its code for enhanced obfuscation and detection evasion. The malware queries the Gemini API using a hard-coded key to receive specific VB Script modifications, enabling just-in-time self-modification. PROMPTFLUX saves new code versions to the Windows Startup folder for persistence and attempts to spread via removable drives and network shares. The malware is currently in development, lacking capabilities to directly compromise networks or devices, but indicates a financially motivated actor's involvement. Google's findings suggest adversaries are increasingly using AI to create adaptable tools, enhancing their operational speed and effectiveness. The report also notes other instances of AI misuse by state-sponsored actors for reconnaissance, phishing, and data exfiltration activities. The trend of AI integration into cyber operations is expected to grow, making AI-driven attacks more prevalent and sophisticated.

AMD is addressing a high-severity vulnerability, CVE-2025-62626, affecting cryptographic security in Zen 5 Ryzen and Epyc CPUs, potentially compromising data encryption. The flaw involves the RDSEED function, which may return zero instead of random numbers, weakening cryptographic keys and allowing potential data decryption. Exploiting this vulnerability requires local privileges, indicating attackers would need significant system access to leverage the flaw. AMD has released patches for Epyc 9005 series chips, with additional updates for other affected processors expected by January. Users can mitigate risks by using the unaffected 64-bit RDSEED version or disabling the function in system configurations. The issue was initially identified by Gregory Price, a Linux kernel engineer at Meta, and communicated via the Linux kernel mailing list. AMD's proactive patching efforts aim to maintain trust and security for users relying on their processor architectures.

Google's Threat Intelligence Group identified a shift towards AI-driven malware, with adversaries using large language models for dynamic malware execution and adaptation. The PromptFlux malware dropper and PromptSteal data miner exemplify this trend, utilizing AI for script generation and obfuscation to evade detection. PromptFlux uses Google's LLM Gemini to periodically update its code, aiming to create a constantly evolving "metamorphic script" for antivirus evasion. Google has disabled PromptFlux's access to the Gemini API and removed associated assets, although attribution to a specific threat actor remains unclear. Other AI-powered threats include FruitShell, a PowerShell reverse shell, and QuietVault, a JavaScript credential stealer targeting GitHub/NPM tokens. AI-powered cybercrime tools are gaining traction on underground forums, lowering the technical barrier for sophisticated attacks and offering multifunctional capabilities. Google emphasizes the need for responsible AI development with robust safety measures to prevent misuse and bolster security against AI-enhanced threats.

Organizations face challenges in maintaining real-time cybersecurity due to rapid changes and manual update lags, leading to potential vulnerabilities. Common security gaps include undocumented cloud instances, interrupted vulnerability scans, overwhelming threat intelligence, and endpoint coverage gaps. Point solutions often increase complexity, as analysts manage multiple tools and data formats, leading to inefficiencies and alert fatigue. Outpost24 introduces CompassDRP, combining External Attack Surface Management (EASM) with Digital Risk Protection (DRP) to provide a comprehensive view of digital risk. EASM offers visibility into internet-facing assets, while DRP monitors for leaked credentials and sensitive data exposures across various web layers. The integrated solution allows security teams to prioritize fixes based on real-world threat potential, reducing risk efficiently. By consolidating EASM and DRP, organizations can transition from reactive measures to proactive risk management, enhancing overall cybersecurity posture.

Google Threat Intelligence Group reports nation-state actors leveraging Gemini AI to develop innovative malware and data processing agents for espionage and cyber operations. APT42, linked to Iran's IRGC, experimented with AI to convert natural language requests into SQL queries, analyzing personal data for insights on asset ownership and behavior. New malware, PromptFlux, utilizes large language models (LLMs) to generate malicious scripts dynamically, enhancing obfuscation and evasion capabilities against traditional detection tools. While PromptFlux is not yet operational, its development indicates a shift towards AI-driven malware, with potential future impacts on network security. APT28, associated with Russia's GRU, deployed PromptSteal malware in Ukraine, using LLMs for real-time command generation, marking a novel application in live cyber operations. Google's intervention has disabled accounts linked to these AI-driven malware activities, mitigating immediate threats while highlighting the evolving landscape of AI in cyber warfare. The report underscores the need for enhanced defenses against AI-enabled threats, as adversaries continue to innovate and integrate AI into cyber strategies.

Cybersecurity researchers have discovered seven vulnerabilities in OpenAI's ChatGPT models, GPT-4o and GPT-5, which could be exploited to extract personal data from users. These vulnerabilities enable indirect prompt injection attacks, allowing attackers to manipulate large language models into performing unintended actions. Some vulnerabilities have been addressed by OpenAI, but systemic fixes for prompt injection issues remain elusive, posing ongoing risks. The research highlights the expanded attack surface when AI chatbots interact with external tools, increasing opportunities for threat actors. Studies suggest that training AI models on "junk data" can lead to degradation, while poisoning attacks on training data are more feasible than previously assumed. The findings emphasize the need for robust safety mechanisms to prevent prompt injection and mitigate potential damage. Concerns arise over market-driven optimization of AI models, which may compromise safety for competitive advantage, risking deceptive practices.