End-of-Day report
Timeframe: Wednesday 19-11-2025 18:00 - Thursday 20-11-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
News
Critics scoff after Microsoft warns AI feature can infect machines and pilfer data
Integration of Copilot Actions into Windows is off by default, but for how long?
https://arstechnica.com/security/2025/11/critics-scoff-after-microsoft-warns-ai-feature-can-infect-machines-and-pilfer-data/
Salesforce investigates customer data theft via Gainsight breach
Salesforce says it revoked refresh tokens linked to Gainsight-published applications while investigating a new wave of data theft attacks targeting customers.
https://www.bleepingcomputer.com/news/security/salesforce-investigates-customer-data-theft-via-gainsight-breach/
Security vulnerability being exploited: attackers target 7-Zip users
Older versions of the 7-Zip archiver have a dangerous code-execution flaw that is now being exploited. Users should take action.
https://www.golem.de/news/sicherheitsluecke-wird-ausgenutzt-angreifer-attackieren-7-zip-nutzer-2511-202390.html
Fake software updates: cyber spies distribute malware via manipulated DNS traffic
An APT group selectively redirects DNS traffic from compromised routers in order to push fake software updates containing a backdoor onto users.
https://www.golem.de/news/dns-traffic-umgeleitet-cyberspione-verbreiten-malware-ueber-manipulierte-updates-2511-202397.html
Banking Trojan: new Android malware reads encrypted chats
Whether Signal, Telegram or WhatsApp, no chat can hide from the Sturnus Trojan. Victims do not notice the data theft.
https://www.golem.de/news/banking-trojaner-neue-android-malware-liest-verschluesselte-chats-mit-2511-202408.html
Blockchain and Node.js abused by Tsundere: an emerging botnet
Kaspersky GReAT experts discovered a new campaign featuring the Tsundere botnet. Node.js-based bots abuse web3 smart contracts and are spread via MSI installers and PowerShell scripts.
https://securelist.com/tsundere-node-js-botnet-uses-ethereum-blockchain/117979/
Inside the dark web job market
This report examines how employment and recruitment function on the dark web, based on over 2,000 job-related posts collected from shadow forums between January 2023 and June 2025.
https://securelist.com/dark-web-job-market-2023-2025/118057/
SpiderLabs IDs New Banking Trojan Distributed Through WhatsApp
Trustwave SpiderLabs researchers have recently identified a banking Trojan we dubbed Eternidade Stealer, which is distributed through WhatsApp hijacking and social engineering lures. In this blog post, we will break down the techniques used in the campaign and highlight the new tools employed by the threat group.
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/spiderlabs-ids-new-banking-trojan-distributed-through-whatsapp/
Iran-Linked Hackers Mapped Ship AIS Data Days Before Real-World Missile Strike Attempt
Threat actors with ties to Iran engaged in cyber warfare as part of efforts to facilitate and enhance physical, real-world attacks, a trend that Amazon has called cyber-enabled kinetic targeting. The development is a sign that the lines between state-sponsored cyber attacks and kinetic warfare are increasingly blurring, necessitating the need for a new category of warfare, the tech giants ..
https://thehackernews.com/2025/11/iran-linked-hackers-mapped-ship-ais.html
Too good to be true? Beware of fraudulent loan offers!
No proof of income required? Interest rates far below the usual level? Maximum flexibility? Criminals lure their victims into the trap with unrealistic loan promises. They push them to transfer all kinds of taxes, fees, etc., but a payout never happens.
https://www.watchlist-internet.at/news/betruegerische-kredit-angebote/
NSO seeks to overturn WhatsApp case, saying it is "catastrophic" for the spyware maker
In a court filing ahead of the ruling, NSO told the judge that blocking it from targeting WhatsApp infrastructure to implant its spyware could "put NSO's entire enterprise at risk" and "force NSO out of business."
https://therecord.media/nso-seeks-to-overturn-whatsapp-case
Reoccurring Use of Highly Suspicious PDF Editors to Infiltrate Environments
The activities observed are the following: - File is downloaded from conmateapp[.]com or trm[.]conmateapp[.]com (OSINT suggests that these are downloaded through ads but this has not ..
https://www.truesec.com/hub/blog/reoccurring-use-of-highly-suspicious-pdf-editors-to-infiltrate-environments
FortiWeb CVE-2025-64446: What We're Seeing in the Wild
GreyNoise has begun seeing active exploitation of CVE-2025-64446, the critical path-traversal flaw that lets an unauthenticated actor run administrative commands on Fortinet FortiWeb appliances.
https://www.greynoise.io/blog/fortiweb-cve-2025-64446
Palo Alto Scanning Surges 40X in 24 Hours, Marking 90-Day High
GreyNoise has identified a significant escalation in malicious activity targeting Palo Alto Networks GlobalProtect portals. Beginning on 14 November 2025, activity rapidly intensified, culminating in a 40x surge within 24 hours, marking a new 90-day high.
https://www.greynoise.io/blog/palo-alto-scanning-surges-90-day-high