

Critical Privilege Escalation Vulnerabilities in Ivanti Endpoint Manager and Zoom Workplace VDI Client for Windows: Technical Analysis and Remediation Guide
Executive Summary This advisory report provides a comprehensive technical analysis of recent high-severity vulnerabilities patched by Ivanti and Zoom. The vulnerabilities affect Ivanti Endpoint Manager and the Zoom Workplace VDI Client for Windows, both of which are widely deployed in enterprise environments. The most critical issues allow authenticated local attackers to escalate privileges, write arbitrary files, and potentially compromise entire systems. While there is
Nov 12 · 5 min read


APT37 Exploits Google Find Hub to Wipe Android Devices in Targeted South Korean Attacks
Executive Summary Recent threat intelligence has uncovered a sophisticated campaign orchestrated by the North Korean state-sponsored group APT37 (also known as ScarCruft), in which adversaries are abusing the legitimate Google Find Hub (formerly known as Find My Device) service to remotely wipe Android devices. This attack chain leverages advanced social engineering, credential theft, and the exploitation of cloud-based device management features to achieve destructive ou
Nov 11 · 5 min read


GlassWorm Malware Infects Visual Studio Code Extensions: Open VSX and GitHub Supply Chain Attack Analysis
Executive Summary The resurgence of GlassWorm marks a significant escalation in the threat landscape for software supply chains, particularly those leveraging the Open VSX Registry and GitHub as distribution and collaboration platforms. GlassWorm is a highly sophisticated, self-propagating malware campaign that exploits the trust inherent in the Visual Studio Code (VS Code) extension ecosystem. By leveraging advanced obfuscation techniques, blockchain-based command and c
Nov 11 · 4 min read


LANDFALL Android Spyware Exploiting CVE-2025-21042 Zero-Day to Target Samsung Galaxy Devices
Executive Summary A sophisticated Android spyware campaign leveraging the newly discovered LANDFALL malware has been identified targeting users of Samsung Galaxy devices. This campaign exploits a critical zero-day vulnerability, CVE-2025-21042, in the Samsung image processing library, libimagecodec.quram.so, enabling remote code execution via malicious DNG (Digital Negative) image files. The attack vector is primarily through WhatsApp, where threat actors deliver weapon
Nov 11 · 5 min read


GlassWorm Malware Infects Thousands via Malicious Visual Studio Code Extensions: Supply Chain Attack Report
Executive Summary A critical supply chain attack, identified as GlassWorm, has been uncovered within the Visual Studio Code (VS Code) extension ecosystem. This campaign leverages malicious extensions to infiltrate developer environments, exfiltrate sensitive credentials, and propagate itself in a worm-like fashion. The attack is characterized by advanced obfuscation techniques, including the use of invisible Unicode characters, and a resilient blockchain-based command and c
Nov 11 · 4 min read


CVE-2025-12480: Triofox Zero-Day Exploited to Deploy Remote Access Tools via Antivirus Feature Misuse
Executive Summary A critical security vulnerability in the Triofox enterprise file-sharing and remote access platform, developed by Gladinet, is being actively exploited by sophisticated threat actors. Attackers are leveraging an authentication bypass flaw (CVE-2025-12480, CVSS 9.1) to gain unauthorized administrative access to Triofox servers. By abusing the platform’s antivirus configuration feature, adversaries are able to execute arbitrary code with SYSTEM privileges,
Nov 11 · 5 min read


Critical RCE Vulnerability (CVE-2025-12735) in JavaScript Library expr-eval and expr-eval-fork – Risk and Remediation Guide
Executive Summary A critical remote code execution (RCE) vulnerability, tracked as CVE-2025-12735, has been identified in the popular JavaScript library expr-eval and its actively maintained fork, expr-eval-fork. This vulnerability enables attackers to execute arbitrary code on affected systems by supplying malicious input to the library’s evaluate() function. The flaw is rated as critical with a CVSS score of 9.8, reflecting its ease of exploitation and the potential fo
Nov 11 · 5 min read


Microsoft Exposes Whisper Leak Side-Channel Attack: Topic Inference Vulnerability in Encrypted LLM Chat Traffic
Executive Summary Publication Date: November 7, 2025 Microsoft has uncovered a novel side-channel attack, dubbed Whisper Leak, that enables adversaries to infer the topics of AI chatbot conversations—even when the traffic is encrypted with TLS. This attack leverages observable patterns in packet sizes and timings during streaming responses from large language models (LLMs) to classify the subject of user prompts. The vulnerability is systemic, affecting a wide range of L
Nov 9 · 4 min read


Landfall Android Spyware Exploits CVE-2025-21042 Zero-Day to Target Samsung Galaxy Devices via WhatsApp
Executive Summary A highly sophisticated Android spyware campaign, identified as LANDFALL, has been uncovered targeting users of Samsung Galaxy devices. This operation leveraged a critical zero-day vulnerability, CVE-2025-21042, within the Samsung image processing library, specifically libimagecodec.quram.so. The attack vector involved the delivery of malicious DNG (Digital Negative) image files, often transmitted via WhatsApp, which exploited the vulnerability in a zer
Nov 9 · 5 min read


GlassWorm Malware Resurfaces: 3 Malicious VSCode Extensions Discovered on OpenVSX Supply Chain
Executive Summary The GlassWorm malware campaign has re-emerged on the OpenVSX registry, targeting the Visual Studio Code (VSCode) ecosystem with three newly identified malicious extensions. These extensions, which have collectively been downloaded over 10,000 times, employ advanced obfuscation techniques—specifically, invisible Unicode characters—to evade both static and manual code analysis. The malware leverages the Solana blockchain for payload delivery and command-an
Nov 9 · 4 min read


Malicious NuGet Packages Plant Time-Delayed Logic Bombs Targeting .NET Database and ICS Systems
Executive Summary A new and highly sophisticated supply chain attack has been identified in the .NET ecosystem, leveraging malicious NuGet packages laced with hidden logic bombs set to detonate years after installation. These packages, published under the user shanhai666 between 2023 and 2024, target both database operations and industrial control systems (ICS) by embedding time-delayed sabotage mechanisms. The attack employs advanced techniques such as C# extension method
Nov 9 · 5 min read


Samsung Galaxy Zero-Day (CVE-2025-21042) Exploited to Deploy LANDFALL Android Spyware via WhatsApp DNG Images
Executive Summary A critical zero-day vulnerability in Samsung Galaxy mobile devices, tracked as CVE-2025-21042, has been actively exploited in the wild to deploy the advanced LANDFALL Android spyware. This campaign, uncovered by Palo Alto Networks Unit 42 and corroborated by multiple threat intelligence sources, leverages a flaw in the libimagecodec.quram.so image processing library. Attackers weaponized specially crafted DNG image files, often delivered via WhatsApp,
Nov 9 · 5 min read


Congressional Budget Office (CBO) Cisco ASA Firewall Breach: Cyberattack Details, Impact, and Security Measures Implemented
Executive Summary The Congressional Budget Office (CBO), a critical U.S. government agency responsible for providing nonpartisan budget and economic analysis to Congress, confirmed on November 6, 2025, that it had experienced a cybersecurity breach. The incident, which is under active investigation, potentially exposed sensitive government data to malicious actors. While the CBO has not officially attributed the breach to any specific threat actor, multiple independent sourc
Nov 9 · 7 min read


Cisco ASA and FTD Firewall Vulnerabilities: Active Exploitation of CVE-2025-20333 and CVE-2025-20362 Enables DoS Attacks and Full Device Compromise
Executive Summary Recent intelligence confirms that critical vulnerabilities in Cisco firewall products, specifically Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD), are being actively exploited in the wild. The vulnerabilities, tracked as CVE-2024-20353, CVE-2024-20359, and more recently CVE-2024-20362, enable remote attackers to bypass authentication and execute arbitrary code, leading to full device compromise. Notably, these flaws a
Nov 9 · 5 min read


Evolving ClickFix Attacks Targeting macOS: Social Engineering, Multi-Platform Payloads, and Credential Theft
Executive Summary ClickFix attacks represent a significant and rapidly evolving threat vector targeting macOS users, leveraging advanced social engineering and multi-platform payload delivery. These attacks utilize deceptive verification pages, dynamic OS detection, and psychological manipulation to coerce users into executing malicious terminal commands. The primary objective is credential theft, data exfiltration, and the deployment of sophisticated malware such as Atomic
Nov 9 · 4 min read


Trojanized ESET AV Remover Installers Spread Kalambur Backdoor in Targeted Phishing Attacks on Ukrainian Systems
Executive Summary A sophisticated cyber-espionage campaign has been identified targeting Ukrainian organizations through the use of trojanized ESET installers, which surreptitiously deploy the Kalambur backdoor. This operation, attributed to a Russia-aligned threat cluster known as InedibleOchotense, leverages highly convincing phishing lures that impersonate the reputable Slovak cybersecurity vendor ESET. The attackers utilize a combination of spear-phishing emails and i
Nov 9 · 5 min read


Hyundai AutoEver America Data Breach Exposes Sensitive Personal Information in 2025
Executive Summary Between February 22 and March 2, 2025, Hyundai AutoEver America, LLC, a key automotive IT provider for Hyundai and Kia affiliates, experienced a data breach involving unauthorized access to its IT environment. The breach was discovered on March 1, 2025, and public notification was issued on November 4–5, 2025, in accordance with regulatory requirements. The incident resulted in the exposure of sensitive personal information, including names, Social Securi
Nov 6 · 6 min read


Eurojust-Led Operation Disrupts €600 Million Cryptocurrency Investment Fraud Network Exploiting Fake Platforms Across Europe
Executive Summary On November 4, 2025, Eurojust announced the arrest of nine individuals suspected of operating a sophisticated cryptocurrency fraud and money laundering network that defrauded victims of over €600 million. The coordinated law enforcement operation, conducted across Cyprus, Spain, and Germany, targeted a transnational group that created dozens of fake cryptocurrency investment websites. These sites lured victims through social engineering tactics such as soci
Nov 5 · 5 min read


Kimsuky Deploys HTTPTroy Backdoor to Target Windows Systems in South Korea via VPN Invoice Phishing Campaign
Executive Summary A newly identified and highly sophisticated cyber-espionage campaign has been attributed to the North Korean advanced persistent threat group Kimsuky. This operation leverages a novel backdoor, HTTPTroy, to target South Korean users through a meticulously crafted spear-phishing campaign. The attack chain employs advanced social engineering, multi-stage payload delivery, and state-of-the-art obfuscation and anti-analysis techniques. The primary objective is
Nov 5 · 4 min read


Apache OpenOffice Disputes Akira Ransomware Data Breach Claims: No Evidence Found of Compromise
Executive Summary On October 30, 2025, the Akira ransomware gang publicly claimed to have breached the Apache OpenOffice project, alleging the theft of 23GB of sensitive corporate data, including employee and financial information. The Apache Software Foundation (ASF), which oversees Apache OpenOffice, has categorically disputed these claims, stating that the project does not possess the types of data described by the attackers and that no evidence of compromise has been f
Nov 5 · 5 min read