End-of-Day report
Timeframe: Thursday 27-11-2025 18:00 - Friday 28-11-2025 18:00
Handler: Felician Fuchs
Co-Handler: Michael Schlagenhaufer
News
Malicious LLMs empower inexperienced hackers with advanced tools
Unrestricted large language models (LLMs) like WormGPT 4 and KawaiiGPT are improving their capabilities to generate malicious code, delivering functional scripts for ransomware encryptors and lateral movement.
https://www.bleepingcomputer.com/news/security/malicious-llms-empower-inexperienced-hackers-with-advanced-tools/
GreyNoise launches free scanner to check if you're part of a botnet
GreyNoise Labs has launched a free tool called GreyNoise IP Check that lets users check if their IP address has been observed in malicious scanning operations, like botnet and residential proxy networks.
https://www.bleepingcomputer.com/news/security/greynoise-launches-free-scanner-to-check-if-youre-part-of-a-botnet/
On Github for weeks: virus scanners fail to detect public Android trojan
A new Android trojan called Radzarat has been circulating on Github for weeks. So far only very few virus scanners flag it as a threat.
https://www.golem.de/news/auf-github-verfuegbar-virenscanner-erkennen-oeffentlichen-android-trojaner-nicht-2511-202715.html
Tomiris wreaks Havoc: New tools and techniques of the APT group
Kaspersky discloses new tools and techniques discovered in 2025 Tomiris activities: multi-language reverse shells, Havoc and AdaptixC2 open-source frameworks, communications via Discord and Telegram.
https://securelist.com/tomiris-new-tools/118143/
Prompt Injection Through Poetry
In a new paper, "Adversarial Poetry as a Universal Single-Turn Jailbreak Mechanism in Large Language Models," researchers found that turning LLM prompts into poetry resulted in jailbreaking the models.
https://www.schneier.com/blog/archives/2025/11/prompt-injection-through-poetry.html
MS Teams Guest Access Can Remove Defender Protection When Users Join External Tenants
Cybersecurity researchers have shed light on a cross-tenant blind spot that allows attackers to bypass Microsoft Defender for Office 365 protections via the guest access feature in Teams.
https://thehackernews.com/2025/11/ms-teams-guest-access-can-remove.html
The Anatomy of a Bulletproof Hoster: A Data-Driven Reconstruction of Media Land
This post uses the leaked internal database of Media Land, a sanctioned bulletproof hosting provider, to reconstruct how its platform organised customers, subscriptions, virtual machines, and IP address space across billing, compute, and network layers.
https://disclosing.observer/2025/11/24/bulletproof-hoster-anatomy-data-driven-reconstruction.html
How CVSS v4.0 works: characterizing and scoring vulnerabilities
This blog explains why vulnerability scoring matters, how CVSS works, and what's new in version 4.0.
https://www.malwarebytes.com/blog/news/2025/11/how-cvss-v4-0-works-characterizing-and-scoring-vulnerabilities
Warning, scam! Fake BMF tax refund emails in circulation
Anyone who currently has an email in their inbox in which the Federal Ministry of Finance (BMF) promises a tax refund should be careful. Criminals are currently sending such emails to induce you to disclose data and transfer money.
https://www.watchlist-internet.at/news/achtung-falle-gefaelschte-bmf-rueckerstattung-mails-im-umlauf/
3 OAuth TTPs Seen This Month - and How to Detect Them with Entra ID Logs
How OAuth tokens, JWT fields and Entra sign-in logs reveal attacker behavior, and how to turn those signals into reliable detections.
https://www.wiz.io/blog/recent-oauth-attacks-detection-strategies
Vulnerabilities
Installer of INZONE Hub may insecurely load Dynamic Link Libraries
The installer of INZONE Hub provided by Sony Corporation may insecurely load Dynamic Link Libraries.
https://jvn.jp/en/jp/JVN28247549/
Security updates for Friday
Security updates have been issued by Debian (krita and tryton-server), Oracle (bind9.18, ipa, kernel, libssh, redis, redis:7, sqlite, sssd, and vim), Slackware (cups), SUSE (containerd, cups, curl, dovecot24, git-bug, gitea-tea, glib2, grub2, himmelblau, java-25-openjdk, kernel, libmicrohttpd, libvirt, pnpm, powerpc-utils, python311, python313, redis, rnp, runc, sssd, tomcat11, unbound, and xwayland), and Ubuntu (cups, libxml2, openvpn, and webkit2gtk).
https://lwn.net/Articles/1048596/