CVE-2025-11953: Critical OS Command Injection Vulnerability in React Native Community CLI’s Metro Development Server Allows Remote Code Execution
Executive Summary A critical OS command injection vulnerability, tracked as CVE-2025-11953 with a CVSS score of 9.8, has been identified in the React Native Community CLI’s Metro Development Server. This vulnerability exposes developer environments to unauthenticated remote code execution attacks. The flaw is present in all versions of the Metro Development Server prior to the security patch and is especially severe on Windows platforms, though macOS and Linux are also
Nov 5, 5 min read


Nikkei Slack Data Breach Exposes Personal Information of 17,000 Employees and Partners: Incident Analysis and Mitigation Strategies
Executive Summary On November 4, 2025, Nikkei Inc., a leading Japanese media conglomerate, publicly disclosed a data breach impacting over 17,000 employees and business partners. The breach was traced to unauthorized access to the company’s Slack messaging platform, following the compromise of an employee’s computer by malware. Attackers used stolen authentication credentials to access Slack accounts, resulting in the exposure of names, email addresses, and chat histories f
Nov 5, 5 min read


Operation SkyCloak: Tor-Enabled OpenSSH for Windows Backdoor Targets Defense and Military Sectors in Eastern Europe
Executive Summary Operation SkyCloak is an advanced, ongoing cyber-espionage campaign targeting defense and military sectors, with a primary focus on organizations in Eastern Europe, notably Belarus and Russia. The operation employs highly targeted phishing emails containing military-themed lure documents to deliver a persistent, Tor-enabled OpenSSH backdoor. This backdoor leverages a legitimate, signed OpenSSH for Windows binary, combined with a custom Tor hidden service
Nov 5, 5 min read


SesameOp Malware Exploits OpenAI API for C2 in Microsoft Visual Studio Attacks
Executive Summary In July 2025, Microsoft’s Detection and Response Team (DART) identified a highly sophisticated malware campaign leveraging the SesameOp backdoor, which uniquely abuses the OpenAI Assistants API as a covert command-and-control (C2) channel. This innovative TTP (Tactics, Techniques, and Procedures) enables threat actors to blend malicious C2 traffic with legitimate API usage, effectively bypassing traditional network security controls and evading detection.
Nov 5, 5 min read


Microsoft Uncovers SesameOp Malware: OpenAI Assistants API Abused for Stealthy Command-and-Control Operations
Executive Summary Publication Date: November 3, 2025 Microsoft’s Detection and Response Team (DART) has uncovered a sophisticated backdoor, named SesameOp, which leverages the OpenAI Assistants API as a covert command-and-control (C2) channel. This innovative approach allows attackers to blend malicious activity with legitimate API communications, significantly complicating detection and mitigation efforts. This report provides a comprehensive analysis of the technical mec
Nov 4, 5 min read


Cargo Freight Cyber Heists: Hackers Exploit ScreenConnect and SimpleHelp RMM Tools to Hijack Logistics Shipments
Executive Summary A new wave of cyberattacks is targeting the global logistics and freight sector, with threat actors weaponizing legitimate Remote Monitoring and Management (RMM) tools to hijack cargo freight operations. These attacks, first observed in mid-2025 and tracked by leading cybersecurity vendors such as Proofpoint and reported by TheHackerNews and BleepingComputer, exploit both unpatched vulnerabilities and the trusted status of RMM software to gain persisten
Nov 4, 5 min read


DigitalMint and Sygnia Cybersecurity Insiders Indicted for ALPHV/BlackCat Ransomware Attacks on Critical U.S. Sectors
Executive Summary Between May 2023 and April 2025, three former employees of leading cybersecurity incident response firms—DigitalMint and Sygnia Cybersecurity Services—were indicted by U.S. prosecutors for orchestrating a series of high-impact ransomware attacks as affiliates of the ALPHV/BlackCat ransomware group. The defendants, including Kevin Tyler Martin and Ryan Clifford Goldberg, exploited their insider knowledge and access to conduct unauthorized intrusions, exfi
Nov 4, 6 min read


HttpTroy Backdoor Targets Windows Systems via Fake VPN Invoice in Kimsuky Cyberattack on South Korea
Executive Summary A newly identified backdoor, HttpTroy, has been observed in a sophisticated, targeted cyberattack campaign against South Korean organizations. This campaign, attributed to the North Korean advanced persistent threat group Kimsuky, leverages a spear-phishing email masquerading as a legitimate VPN invoice to deliver a multi-stage malware payload. The infection chain culminates in the deployment of the HttpTroy backdoor, which provides attackers with compreh
Nov 4, 5 min read


Jabber Zeus Banking Trojan: Ukrainian Developer Extradited to US for Major Windows-Based Cybercrime Operation
Executive Summary Publication Date: November 2025 In October 2025, Ukrainian national Yuriy Igorevich Rybtsov, known by the alias "MrICQ," was extradited from Italy to the United States to face charges stemming from his role as a developer for the infamous Jabber Zeus cybercrime group. This group, active since at least 2009, is responsible for orchestrating a series of highly sophisticated cyberattacks that leveraged custom variants of the ZeuS banking trojan to steal tens
Nov 4, 5 min read


Comprehensive Analysis of the $128 Million Balancer V2 DeFi Exploit: Attack Vectors, Impact, and Mitigation Steps
Executive Summary On November 3, 2025, the Balancer decentralized finance (DeFi) protocol suffered a critical security breach resulting in the theft of over $128 million in digital assets from its V2 pools. The attack exploited vulnerabilities in the protocol’s smart contract logic, specifically targeting precision rounding errors and invariant manipulation within the Balancer V2 vaults. The incident affected deployments across multiple blockchains, including Ethereum, Ba
Nov 4, 6 min read


Remote Monitoring and Management (RMM) Tools Exploited in Logistics and Freight Cyberattacks – Rescana Threat Intelligence Report
Executive Summary Cybercriminals are increasingly exploiting legitimate Remote Monitoring and Management (RMM) tools to infiltrate logistics and freight networks, resulting in a surge of sophisticated attacks targeting the global supply chain. Since mid-2025, threat actors have orchestrated highly organized campaigns, often in collaboration with traditional organized crime groups, to gain unauthorized access to trucking carriers, freight brokers, and logistics companies. By
Nov 4, 5 min read


Crocodilus Android Malware Targets Spain and Turkey: Mutes Alerts and Drains $2.8M in Crypto Wallets
Executive Summary A new Android malware family, dubbed Crocodilus, has been observed in the wild targeting users in Spain and Turkey, with confirmed infections exceeding 1,200 devices and over $2.8 million in cryptocurrency assets stolen within two weeks. Crocodilus leverages advanced abuse of Android accessibility services to perform device takeover, mute system alerts, and harvest sensitive credentials, including crypto wallet seed phrases. The malware is distributed via t
Nov 4, 3 min read


Fake Solidity VSCode Extension on Open VSX Used to Backdoor Blockchain Developers and Steal Cryptocurrency
Executive Summary A highly sophisticated supply-chain attack has been identified targeting blockchain and smart contract developers through a counterfeit Solidity extension distributed on the Open VSX marketplace. This malicious extension, camouflaged as a legitimate development tool, was engineered to compromise developer environments, resulting in the confirmed theft of at least $500,000 in cryptocurrency. The campaign demonstrates advanced threat actor tradecraft, levera
Nov 4, 4 min read


GlassWorm Supply-Chain Attack on Open VSX Registry: Technical Analysis and Mitigation of Malicious Extension Incident
Executive Summary The Open VSX registry, an open-source alternative to the Microsoft Visual Studio Marketplace for VS Code-compatible extensions, experienced a significant supply-chain security incident in 2025. Privileged access tokens were inadvertently leaked by developers in public repositories, enabling threat actors to publish malicious extensions to the Open VSX registry. The attack, identified as the GlassWorm campaign, leveraged these tokens to distribute malwar
Nov 4, 5 min read


University of Pennsylvania PennKey SSO Breach Exposes 1.2 Million Donor Records in Major Data Leak
Executive Summary On October 30, 2025, a threat actor gained unauthorized access to the University of Pennsylvania’s (Penn) internal systems by compromising an employee’s PennKey Single Sign-On (SSO) account. This breach enabled the attacker to access multiple critical platforms, including Salesforce Marketing Cloud, Qlik, SAP, and SharePoint, resulting in the exfiltration of sensitive data belonging to approximately 1.2 million donors, alumni, and students. The compro
Nov 4, 6 min read


University of Pennsylvania ‘We Got Hacked’ Email Incident: Abuse of connect.upenn.edu on Salesforce Marketing Cloud
Executive Summary On October 31, 2025, the University of Pennsylvania experienced a coordinated campaign in which offensive emails with the subject "We got hacked (Action Required)" were sent to students, alumni, and faculty from various university email addresses, including those associated with the Graduate School of Education. The emails claimed that university data had been stolen and threatened to leak sensitive information, while also containing highly offensive languag
Nov 2, 6 min read


Nation-State Supply Chain Attack: Ribbon Communications IT Network Breach Exposes Telecom Sector Vulnerabilities
Executive Summary Ribbon Communications, a major U.S. telecommunications and networking provider, experienced a prolonged network breach attributed to a nation-state actor. The intrusion began as early as December 2024 and was detected in September 2025, with public disclosure following on October 23, 2025 (TechCrunch, BleepingComputer, GovInfoSecurity). The attackers accessed Ribbon’s IT network for nearly a year, compromising files belonging to several customers store
Nov 2, 6 min read


China-Linked Tick Group Exploits Lanscope Endpoint Manager Zero-Day (CVE-2025-61932) in Targeted Attacks
Executive Summary A critical zero-day vulnerability in Motex Lanscope Endpoint Manager (tracked as CVE-2025-61932) has been exploited in the wild by a sophisticated China-linked threat actor known as Tick (also referred to as Bronze Butler, Daserf, REDBALDKNIGHT, Stalker Panda, Stalker Taurus, and Swirl Typhoon). This vulnerability enables remote, unauthenticated attackers to execute arbitrary commands with SYSTEM privileges on vulnerable on-premise installations of
Nov 2, 4 min read


Airstalk Malware Exploits VMware Workspace ONE UEM APIs in Sophisticated Nation-State Supply Chain Attack
Executive Summary A newly identified malware family, Airstalk, has emerged as a significant threat in the cybersecurity landscape, representing a sophisticated supply chain attack attributed to a suspected nation-state actor. Airstalk leverages the trusted AirWatch (now VMware Workspace ONE UEM) MDM API as a covert command-and-control (C2) channel, enabling attackers to exfiltrate sensitive browser data and screenshots from compromised endpoints. The malware is distributed
Nov 2, 4 min read


Meduza Stealer Malware: Russian Authorities Arrest Suspected Operators After Astrakhan Government Data Breach
Executive Summary Russian law enforcement authorities have arrested three individuals in Moscow and the surrounding region, suspected to be the primary developers and operators of the Meduza Stealer malware. This action follows a significant breach in May 2025, where the group used Meduza Stealer to exfiltrate confidential data from a government institution in Astrakhan, Russia. The malware, which has been active since mid-2023, is a sophisticated information stealer distri
Nov 2, 6 min read