
Cyber Threat Weekly – #102

Derek Krein
6 min read

The week of November 3rd through November 9th, roughly 363 cyber news articles were reviewed. A moderate amount of cyber threat trends and adversarial behavior news to share.  Been thinkin about how it feels like we are going in circles.

After 25 years in cybersecurity, it seems we have the same problems today that we had 20 years ago.  The common tactic appears to be: buy more tech.  Large disparate tool stacks, technical debt, lack of inventory / not enough knowledge of our environments, and misconfigurations all lead to massive visibility gaps.  Updated tech is important, no doubt, but an attacker's view of our environments and consistent tool validation can help us prioritize defenses.

Let’s start with code repository (npm, PyPI, etc.) attack stories.  Early-stage AI malware observed.  ClickFix social engineering tactic continues to evolve.  Researchers continue to showcase how easily large language models can be manipulated.

A good write up on addressing agentic AI risks.  Gootloader is back after 7 months.  Russian nation-backed actors abuse Windows Hyper-V.  More indirect prompt injection, this time with vulnerable Claude Desktop extensions. 

Awareness in the AI attack surface, OpenAI Assistants API backdoored.  Cybercriminals fueling cargo theft stealing real goods.  Five software bugs found by Google’s AI ‘Big Sleep’.  An interesting observation on crypto mining.

Anthropic’s File API can be abused for exfiltration.


Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!

Known exploited software flaws are one of the top 4 initial access vectors and have increased sharply in recent months.  We continue to share n-day vulnerabilities being actively exploited.  Priority #1, start with the CISA / VulnCheck known exploited vulnerability (KEV) catalogs.  If it’s in the catalog, it should be patched.

A close #2 priority is flaws with weaponized proof of concept (PoC) code available.  Exploit chances are higher with weaponized PoC code available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for actively exploited and weaponized PoC code available vulnerabilities.

You should consider what is exposed to the Internet.  Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices and services exposed to the Internet.
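One way to put the priority ordering above into practice, as an added example (my code, not the newsletter's or CISA's): a small Python triage that matches a scanner inventory against a snapshot of the KEV feed, applies the 48-hour emergency window to KEV and weaponized-PoC findings, and puts Internet-exposed assets first within each tier. The KEV entries and the inventory are constructed samples in the shape of CISA's JSON feed; the 30-day routine window and the inventory flags are assumptions.

```python
"""Rank vulnerability findings the way the newsletter's patching process describes."""
from datetime import date, timedelta

# Constructed sample shaped like the CISA KEV JSON feed's "vulnerabilities" entries.
# The CVE ids are the two from this newsletter; dateAdded/dueDate are placeholders.
SAMPLE_KEV = {
    "vulnerabilities": [
        {"cveID": "CVE-2025-48703", "vendorProject": "CWP", "product": "Control Web Panel",
         "dateAdded": "2025-11-04", "dueDate": "2025-11-25", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-11371", "vendorProject": "Gladinet", "product": "CentreStack",
         "dateAdded": "2025-11-04", "dueDate": "2025-11-25", "knownRansomwareCampaignUse": "Unknown"},
    ]
}

# Constructed scanner inventory (assumed shape). CVE-0000-* ids are placeholders;
# the two flags are the inputs the process above cares about.
SAMPLE_INVENTORY = [
    {"host": "cwp-01", "cve": "CVE-2025-48703", "weaponized_poc": True, "internet_exposed": True},
    {"host": "files-02", "cve": "CVE-2025-11371", "weaponized_poc": False, "internet_exposed": True},
    {"host": "build-07", "cve": "CVE-0000-0001", "weaponized_poc": True, "internet_exposed": False},
    {"host": "intranet-03", "cve": "CVE-0000-0002", "weaponized_poc": False, "internet_exposed": False},
]

EMERGENCY_WINDOW = timedelta(hours=48)  # the 24-to-48-hour process from the text
STANDARD_WINDOW = timedelta(days=30)    # assumed routine patch cycle for everything else


def kev_ids(kev_feed):
    """Set of CVE ids currently listed in the KEV catalog snapshot."""
    return {v["cveID"] for v in kev_feed["vulnerabilities"]}


def triage(inventory, kev_feed, today):
    """Return (priority, host, cve, due_date) rows, most urgent first.

    Priority 1 = in KEV, 2 = weaponized PoC available, 3 = everything else.
    Tiers 1 and 2 get the emergency window; Internet-exposed hosts sort first within a tier.
    """
    in_kev = kev_ids(kev_feed)
    exposure = {f["host"]: f["internet_exposed"] for f in inventory}
    ranked = []
    for f in inventory:
        prio = 1 if f["cve"] in in_kev else 2 if f["weaponized_poc"] else 3
        due = today + (EMERGENCY_WINDOW if prio < 3 else STANDARD_WINDOW)
        ranked.append((prio, f["host"], f["cve"], due))
    ranked.sort(key=lambda r: (r[0], not exposure[r[1]], r[1]))
    return ranked


if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY, SAMPLE_KEV, date(2025, 11, 10)):
        print(row)
```

Swap SAMPLE_KEV for the parsed live feed and SAMPLE_INVENTORY for your scanner export; the ordering logic stays the same.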


CISA Known Exploited Vulnerabilities – November 3rd to November 9th:

CVE-2025-48703 – CWP Control Web Panel OS Command Injection Vulnerability:
Allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known.

CVE-2025-11371 – Gladinet CentreStack and Triofox Files or Directories Accessible to External Parties Vulnerability:
Allows unintended disclosure of system files.


Attack Stories Affecting Code Repositories

Right out the gate, GlassWorm malware returns to OpenVSX and Visual Studio Code marketplaces.  Time bombs found in malicious NuGet packages.  NPM packages deliver Vidar infostealer.

https://www.bleepingcomputer.com/news/security/glassworm-malware-returns-on-openvsx-with-3-new-vscode-extensions/

https://www.bleepingcomputer.com/news/security/malicious-nuget-packages-drop-disruptive-time-bombs/

https://socket.dev/blog/9-malicious-nuget-packages-deliver-time-delayed-destructive-payloads

https://securitylabs.datadoghq.com/articles/mut-4831-trojanized-npm-packages-vidar/

https://www.csoonline.com/article/4081492/modern-supply-chain-attacks-and-their-real-world-impact.html


Early-Stage AI Malware Detected in the Wild

A sign of what’s to come.  Researchers dig into five malware samples, three of which were observed in the wild.  Threat actors are experimenting with ‘Just-in-Time’ AI during execution and using AI to augment the full attack lifecycle.  We’ve seen similar abuse reports from Anthropic and now from Google about Gemini.

https://thecyberexpress.com/ai-malware-detected-in-cyberattacks/

https://cloud.google.com/blog/topics/threat-intelligence/threat-actor-usage-of-ai-tools

https://services.google.com/fh/files/misc/advances-in-threat-actor-usage-of-ai-tools-en.pdf


Hot and Evolving ClickFix Social Engineering Tactic

The ClickFix tactic started targeting macOS a few months ago, and threat actors are getting better at it.  Threat actors are creating convincing ClickFix pages that look like an updated Cloudflare service, including a video to walk you through the check.  The pages even detect your browser and provide the proper instructions.

https://www.securityweek.com/clickfix-attacks-against-macos-users-evolving/

https://pushsecurity.com/blog/the-most-advanced-clickfix-yet/


Manipulating Large Language Models (LLMs) – ChatGPT

Researchers use indirect prompt injections to get the model to do their bidding.  Seven different concepts were tested and proven to work.  As LLMs get more ingrained into our day-to-day, these types of attacks will become the go-to for attackers.  To be fair, all LLMs are susceptible to indirect prompt injections.

https://www.securityweek.com/researchers-hack-chatgpt-memories-and-web-search-features/

https://www.tenable.com/blog/hackedgpt-novel-ai-vulnerabilities-open-the-door-for-private-data-leakage


Agentic AI and Thoughts Around Governance

We are constantly talking about and even deploying AI in our environments.  As we move towards deploying autonomous AI agents, governance will become a key factor.  While this article isn’t about threat actor behavior or possible attack vectors, it’s a good reminder of how to build agentic AI that allows for innovation while protecting the organization.

https://www.securityweek.com/follow-pragmatic-interventions-to-keep-agentic-ai-in-check/


After Seven Months, Gootloader is back

This threat group uses search engine ads or SEO poisoning to promote fake websites, using thousands of unique keywords to drive traffic to 100 websites with legal themes.  The goal: get victims to download a ZIP archive with a JScript (.JS) file that is the initial payload.

https://www.bleepingcomputer.com/news/security/gootloader-malware-is-back-with-new-tricks-after-7-month-break/

https://gootloader.wordpress.com/2025/11/05/gootloader-is-back-back-again/


Windows Hyper-V Abused by Russian Threat Actors

Curly COMrades hide in plain sight via Linux-based virtual machines deployed within Hyper-V.  The goal, persistence, malware delivery, and defense evasion.  Your EDR has no visibility within a VM running on the system.  Network traffic is needed for visibility into the communication traffic from the VM.  Legit technology continues to be abused for attacker gain.

https://www.csoonline.com/article/4085272/russian-apt-abuses-windows-hyper-v-for-persistence-and-malware-execution.html

https://www.bitdefender.com/en-gb/blog/businessinsights/curly-comrades-evasion-persistence-hidden-hyper-v-virtual-machines


Indirect Prompt Injection via Claude Desktop Extensions

MCP, as of this writing, is less than a year old.  The MCP industry is immature and moving fast; verify your MCP servers when obtaining them from repositories.  The good news: these bugs are fixed.

https://www.infosecurity-magazine.com/news/claude-desktop-extensions-prompt/

https://www.koi.ai/blog/promptjacking-the-critical-rce-in-claude-desktop-that-turn-questions-into-exploits


AI Attack Surface Awareness, OpenAI Assistants API Abused

As a fan of AI and the benefits not just promised but being seen when properly deployed, it’s critical we understand the AI attack surface.  A backdoor malware took advantage of OpenAI’s Assistants API for command-and-control traffic.  Blending with legitimate traffic is the norm for nation states and criminals. 

https://www.darkreading.com/cyberattacks-data-breaches/sesameop-backdoor-openai-api-covert-c2

https://www.microsoft.com/en-us/security/blog/2025/11/03/sesameop-novel-backdoor-uses-openai-assistants-api-for-command-and-control/


Cargo Theft Powered by Cybercriminals

With digital transformation comes those who take advantage.  In this case, cybercriminals use remote access tools to take over communications and direct shipments to organized crime groups for intercept.  The use of standard cybercriminal activity to facilitate these crimes is interesting.  With ransomware profits dwindling, cybercriminals will look for other ways to use their skills for profit.

https://www.securityweek.com/transportation-companies-hacked-to-steal-cargo/

https://www.proofpoint.com/us/blog/threat-insight/remote-access-real-cargo-cybercriminals-targeting-trucking-and-logistics


Five New Bugs in Apple’s Safari WebKit Found by Google’s AI ‘Big Sleep’

The ‘Big Sleep’ AI was launched to help find software bugs.  Apple credited the AI for finding five bugs in its WebKit.  It’s good to see AI can help us with software bug discovery, and new agents such as CodeMender and Aardvark can find and fix bugs.

https://thehackernews.com/2025/11/googles-ai-big-sleep-finds-5-new.html


Cryptomining Economics, PHP Scanning, and Scaled Operations

Researchers visualize scanning of exposed web servers with PHP / PHP frameworks and a large cryptomining capable attack surface.  PHP is ubiquitous, low visibility, and high-value for crypto mining criminals.  With the anticipated rise in Bitcoin prices, criminals are ramping up.

https://www.greynoise.io/blog/php-cryptomining-campaign


Another Example of Indirect Prompt Injection, Claude APIs

All large language models are susceptible to indirect prompt injection; it’s one of the biggest risks.  In this case, researchers share how Claude’s network access can be abused to perform data exfiltration of chat conversations.

https://www.securityweek.com/claude-ai-apis-can-be-abused-for-data-exfiltration/

https://embracethered.com/blog/posts/2025/claude-abusing-network-access-and-anthropic-api-for-data-exfiltration/

