CVE-2025-12480: Triofox Zero-Day Exploited to Deploy Remote Access Tools via Antivirus Feature Misuse
Executive Summary: A critical security vulnerability in the Triofox enterprise file-sharing and remote access platform, developed by Gladinet, is being actively exploited by sophisticated threat actors. Attackers are leveraging an authentication bypass flaw (CVE-2025-12480, CVSS 9.1) to gain unauthorized administrative access to Triofox servers. By abusing the platform's antivirus configuration feature, adversaries are able to execute arbitrary code with SYSTEM privileges,
Nov 11 · 5 min read


Critical RCE Vulnerability (CVE-2025-12735) in JavaScript Library expr-eval and expr-eval-fork – Risk and Remediation Guide
Executive Summary: A critical remote code execution (RCE) vulnerability, tracked as CVE-2025-12735, has been identified in the popular JavaScript library expr-eval and its actively maintained fork, expr-eval-fork. This vulnerability enables attackers to execute arbitrary code on affected systems by supplying malicious input to the library's evaluate() function. The flaw is rated as critical with a CVSS score of 9.8, reflecting its ease of exploitation and the potential fo
Nov 11 · 5 min read


Landfall Android Spyware Exploits CVE-2025-21042 Zero-Day to Target Samsung Galaxy Devices via WhatsApp
Executive Summary: A highly sophisticated Android spyware campaign, identified as LANDFALL, has been uncovered targeting users of Samsung Galaxy devices. This operation leveraged a critical zero-day vulnerability, CVE-2025-21042, within the Samsung image processing library, specifically libimagecodec.quram.so. The attack vector involved the delivery of malicious DNG (Digital Negative) image files, often transmitted via WhatsApp, which exploited the vulnerability in a zer
Nov 9 · 5 min read


GlassWorm Malware Resurfaces: 3 Malicious VSCode Extensions Discovered on OpenVSX Supply Chain
Executive Summary: The GlassWorm malware campaign has re-emerged on the OpenVSX registry, targeting the Visual Studio Code (VSCode) ecosystem with three newly identified malicious extensions. These extensions, which have collectively been downloaded over 10,000 times, employ advanced obfuscation techniques—specifically, invisible Unicode characters—to evade both static and manual code analysis. The malware leverages the Solana blockchain for payload delivery and command-an
Nov 9 · 4 min read


Malicious NuGet Packages Plant Time-Delayed Logic Bombs Targeting .NET Database and ICS Systems
Executive Summary: A new and highly sophisticated supply chain attack has been identified in the .NET ecosystem, leveraging malicious NuGet packages laced with hidden logic bombs set to detonate years after installation. These packages, published under the user shanhai666 between 2023 and 2024, target both database operations and industrial control systems (ICS) by embedding time-delayed sabotage mechanisms. The attack employs advanced techniques such as C# extension method
Nov 9 · 5 min read


Samsung Galaxy Zero-Day (CVE-2025-21042) Exploited to Deploy LANDFALL Android Spyware via WhatsApp DNG Images
Executive Summary: A critical zero-day vulnerability in Samsung Galaxy mobile devices, tracked as CVE-2025-21042, has been actively exploited in the wild to deploy the advanced LANDFALL Android spyware. This campaign, uncovered by Palo Alto Networks Unit 42 and corroborated by multiple threat intelligence sources, leverages a flaw in the libimagecodec.quram.so image processing library. Attackers weaponized specially crafted DNG image files, often delivered via WhatsApp,
Nov 9 · 5 min read


Congressional Budget Office (CBO) Cisco ASA Firewall Breach: Cyberattack Details, Impact, and Security Measures Implemented
Executive Summary: The Congressional Budget Office (CBO), a critical U.S. government agency responsible for providing nonpartisan budget and economic analysis to Congress, confirmed on November 6, 2025, that it had experienced a cybersecurity breach. The incident, which is under active investigation, potentially exposed sensitive government data to malicious actors. While the CBO has not officially attributed the breach to any specific threat actor, multiple independent sourc
Nov 9 · 7 min read


Cisco ASA and FTD Firewall Vulnerabilities: Active Exploitation of CVE-2025-20333 and CVE-2025-20362 Enables DoS Attacks and Full Device Compromise
Executive Summary: Recent intelligence confirms that critical vulnerabilities in Cisco firewall products, specifically Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD), are being actively exploited in the wild. The vulnerabilities, tracked as CVE-2024-20353, CVE-2024-20359, and more recently CVE-2024-20362, enable remote attackers to bypass authentication and execute arbitrary code, leading to full device compromise. Notably, these flaws a
Nov 9 · 5 min read


Evolving ClickFix Attacks Targeting macOS: Social Engineering, Multi-Platform Payloads, and Credential Theft
Executive Summary: ClickFix attacks represent a significant and rapidly evolving threat vector targeting macOS users, leveraging advanced social engineering and multi-platform payload delivery. These attacks utilize deceptive verification pages, dynamic OS detection, and psychological manipulation to coerce users into executing malicious terminal commands. The primary objective is credential theft, data exfiltration, and the deployment of sophisticated malware such as Atomic
Nov 9 · 4 min read


Trojanized ESET AV Remover Installers Spread Kalambur Backdoor in Targeted Phishing Attacks on Ukrainian Systems
Executive Summary: A sophisticated cyber-espionage campaign has been identified targeting Ukrainian organizations through the use of trojanized ESET installers, which surreptitiously deploy the Kalambur backdoor. This operation, attributed to a Russia-aligned threat cluster known as InedibleOchotense, leverages highly convincing phishing lures that impersonate the reputable Slovak cybersecurity vendor ESET. The attackers utilize a combination of spear-phishing emails and i
Nov 9 · 5 min read


Microsoft Uncovers SesameOp Malware: OpenAI Assistants API Abused for Stealthy Command-and-Control Operations
Executive Summary: Publication Date: November 3, 2025. Microsoft's Detection and Response Team (DART) has uncovered a sophisticated backdoor, named SesameOp, which leverages the OpenAI Assistants API as a covert command-and-control (C2) channel. This innovative approach allows attackers to blend malicious activity with legitimate API communications, significantly complicating detection and mitigation efforts. This report provides a comprehensive analysis of the technical mec
Nov 4 · 5 min read


Cargo Freight Cyber Heists: Hackers Exploit ScreenConnect and SimpleHelp RMM Tools to Hijack Logistics Shipments
Executive Summary: A new wave of cyberattacks is targeting the global logistics and freight sector, with threat actors weaponizing legitimate Remote Monitoring and Management (RMM) tools to hijack cargo freight operations. These attacks, first observed in mid-2025 and tracked by leading cybersecurity vendors such as Proofpoint and reported by TheHackerNews and BleepingComputer, exploit both unpatched vulnerabilities and the trusted status of RMM software to gain persisten
Nov 4 · 5 min read


DigitalMint and Sygnia Cybersecurity Insiders Indicted for ALPHV/BlackCat Ransomware Attacks on Critical U.S. Sectors
Executive Summary: Between May 2023 and April 2025, three former employees of leading cybersecurity incident response firms—DigitalMint and Sygnia Cybersecurity Services—were indicted by U.S. prosecutors for orchestrating a series of high-impact ransomware attacks as affiliates of the ALPHV/BlackCat ransomware group. The defendants, including Kevin Tyler Martin and Ryan Clifford Goldberg, exploited their insider knowledge and access to conduct unauthorized intrusions, exfi
Nov 4 · 6 min read


HttpTroy Backdoor Targets Windows Systems via Fake VPN Invoice in Kimsuky Cyberattack on South Korea
Executive Summary: A newly identified backdoor, HttpTroy, has been observed in a sophisticated, targeted cyberattack campaign against South Korean organizations. This campaign, attributed to the North Korean advanced persistent threat group Kimsuky, leverages a spear-phishing email masquerading as a legitimate VPN invoice to deliver a multi-stage malware payload. The infection chain culminates in the deployment of the HttpTroy backdoor, which provides attackers with compreh
Nov 4 · 5 min read


Jabber Zeus Banking Trojan: Ukrainian Developer Extradited to US for Major Windows-Based Cybercrime Operation
Executive Summary: Publication Date: November 2025. In October 2025, Ukrainian national Yuriy Igorevich Rybtsov, known by the alias "MrICQ," was extradited from Italy to the United States to face charges stemming from his role as a developer for the infamous Jabber Zeus cybercrime group. This group, active since at least 2009, is responsible for orchestrating a series of highly sophisticated cyberattacks that leveraged custom variants of the ZeuS banking trojan to steal tens
Nov 4 · 5 min read


Comprehensive Analysis of the $128 Million Balancer V2 DeFi Exploit: Attack Vectors, Impact, and Mitigation Steps
Executive Summary: On November 3, 2025, the Balancer decentralized finance (DeFi) protocol suffered a critical security breach resulting in the theft of over $128 million in digital assets from its V2 pools. The attack exploited vulnerabilities in the protocol's smart contract logic, specifically targeting precision rounding errors and invariant manipulation within the Balancer V2 vaults. The incident affected deployments across multiple blockchains, including Ethereum, Ba
Nov 4 · 6 min read


Remote Monitoring and Management (RMM) Tools Exploited in Logistics and Freight Cyberattacks – Rescana Threat Intelligence Report
Executive Summary: Cybercriminals are increasingly exploiting legitimate Remote Monitoring and Management (RMM) tools to infiltrate logistics and freight networks, resulting in a surge of sophisticated attacks targeting the global supply chain. Since mid-2025, threat actors have orchestrated highly organized campaigns, often in collaboration with traditional organized crime groups, to gain unauthorized access to trucking carriers, freight brokers, and logistics companies. By
Nov 4 · 5 min read


Crocodilus Android Malware Targets Spain and Turkey: Mutes Alerts and Drains $2.8M in Crypto Wallets
Executive Summary: A new Android malware family, dubbed Crocodilus, has been observed in the wild targeting users in Spain and Turkey, with confirmed infections exceeding 1,200 devices and over $2.8 million in cryptocurrency assets stolen within two weeks. Crocodilus leverages advanced abuse of Android accessibility services to perform device takeover, mute system alerts, and harvest sensitive credentials, including crypto wallet seed phrases. The malware is distributed via t
Nov 4 · 3 min read


Fake Solidity VSCode Extension on Open VSX Used to Backdoor Blockchain Developers and Steal Cryptocurrency
Executive Summary: A highly sophisticated supply-chain attack has been identified targeting blockchain and smart contract developers through a counterfeit Solidity extension distributed on the Open VSX marketplace. This malicious extension, camouflaged as a legitimate development tool, was engineered to compromise developer environments, resulting in the confirmed theft of at least $500,000 in cryptocurrency. The campaign demonstrates advanced threat actor tradecraft, levera
Nov 4 · 4 min read


GlassWorm Supply-Chain Attack on Open VSX Registry: Technical Analysis and Mitigation of Malicious Extension Incident
Executive Summary: The Open VSX registry, an open-source alternative to the Microsoft Visual Studio Marketplace for VS Code-compatible extensions, experienced a significant supply-chain security incident in 2025. Privileged access tokens were inadvertently leaked by developers in public repositories, enabling threat actors to publish malicious extensions to the Open VSX registry. The attack, identified as the GlassWorm campaign, leveraged these tokens to distribute malwar
Nov 4 · 5 min read