24th November – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 24th November, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
- The notorious “Scattered LAPSUS$ Hunters” group claimed responsibility for a supply-chain attack involving the Salesforce-integrated platform Gainsight. The group stated that data from 300 organizations was compromised, including Verizon, GitLab and Atlassian. Salesforce has confirmed unusual activity related to Gainsight integrations and has revoked all active access tokens as a precaution, emphasizing that there is no vulnerability in Salesforce’s core platform.
- Eurofiber France SAS, the French unit of Dutch telecommunications provider Eurofiber Group N.V., was the victim of a data breach. The attack resulted in unauthorized access to its French ticket management system and exfiltration of customer information from its cloud division and regional sub-brands. A threat actor “ByteToBreach” claimed responsibility for the attack.
- Italian IT provider Almaviva has confirmed a cyberattack, with stolen data including information from Ferrovie dello Stato Italiane, Italy’s national railway operator. Nearly 2.3 TB of sensitive files were leaked, including passenger passport data, employee records across FS subsidiaries, defense-related contracts, and financial documents. Almaviva says critical services remain operational.
- South Korean battery giant LG Energy Solution has experienced a ransomware attack at a single overseas facility, which the company says has been restored, with headquarters unaffected. The Akira gang claimed to have stolen 1.7 terabytes of data.
Check Point Threat Emulation and Harmony Endpoint provide protection against this threat (Ransomware.Wins.Akira.ta.*; Ransomware.Wins.Akira; Trojan.Win.Akira)
- Microsoft’s Azure cloud was hit by a massive 15.72 Tbps distributed denial-of-service (DDoS) attack (3.64 billion packets per second) against a public IP address in Australia, sourced from over 500,000 IPs. The high-rate UDP flood is attributed to the Aisuru Turbo Mirai-class IoT botnet, which abuses compromised home routers, cameras, and other internet-connected devices.
Check Point Threat Emulation and Harmony Endpoint provide protection against this threat (Trojan.Wins.Mirai)
- French social security service provider Pajemploi has suffered a data breach that resulted in the theft of personal data linked to up to 1.2 million private employers using its childcare services. Exposed information reportedly includes full names, places of birth, postal addresses, Social Security numbers, Pajemploi and accreditation numbers, and banking institution names.
- AIPAC, a US political advocacy organization, has disclosed a data breach tied to an external third-party system, with a notification filed with the Maine attorney general on November 14th. Unauthorized access occurred between October 2024 and February 2025, impacting 810 individuals and exposing personal identifiers. No threat actor has claimed responsibility.
VULNERABILITIES AND PATCHES
- Fortinet warned of CVE-2025-58034, a FortiWeb command injection flaw actively exploited in the wild. The bug lets authenticated attackers run unauthorized code via crafted requests, with updates available for multiple 7.x and 8.x releases.
Check Point IPS provides protection against this threat (Fortinet FortiWeb Command Injection (CVE-2025-58034))
- Google fixed CVE-2025-13223, a high-severity type confusion flaw in Chrome’s V8 engine. The bug is being actively exploited to run malicious code via crafted web pages. Google has issued fixes in Chrome 142.0.7444.175 and later.
- Researchers warn of active exploitation and a public proof of concept of CVE-2025-11001, a 7-Zip Windows vulnerability that lets attackers run code by abusing ZIP symbolic link handling. The flaw carries a CVSS 7.0 score and was fixed in 7-Zip version 25.00.
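The 7-Zip item above concerns symbolic links inside ZIP archives. As an added defensive illustration (this is not code from the report, from 7-Zip, or from the vulnerability research, and it does not reproduce the specific CVE-2025-11001 condition), the script below audits an archive before extraction and reports every symlink entry together with whether its target resolves outside the extraction root. The sample archive is constructed in memory for the demonstration; the escape heuristic (absolute targets, drive letters, or a normalized path beginning with "..") is a general archive-handling check, not a statement about how the 7-Zip flaw works.

```python
import io
import posixpath
import re
import stat
import zipfile


def _symlink_info(name: str) -> zipfile.ZipInfo:
    """ZipInfo for a Unix-style symlink entry (mode bits live in external_attr)."""
    info = zipfile.ZipInfo(name)
    info.create_system = 3  # 3 = Unix, so readers interpret the high 16 bits as st_mode
    info.external_attr = (stat.S_IFLNK | 0o777) << 16
    return info


def build_sample_archive() -> bytes:
    """Constructed test archive (not a real sample): one regular file, one symlink
    that stays inside the tree, and one whose target climbs out of the root."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        zf.writestr(_symlink_info("docs/link_ok"), "readme.txt")
        zf.writestr(_symlink_info("docs/link_bad"), "..\\..\\..\\Users\\Public\\startup")
    return buf.getvalue()


ABSOLUTE_RE = re.compile(r"^([A-Za-z]:|/)")


def audit_symlinks(data: bytes):
    """Return [(entry_name, target, escapes_root)] for every symlink entry.

    escapes_root is True when the link target is absolute, carries a drive
    letter, or normalizes to a path outside the extraction directory.
    """
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16
            if not stat.S_ISLNK(mode):
                continue
            # For a symlink entry the member's content is the link target.
            target = zf.read(info).decode("utf-8", "replace").replace("\\", "/")
            resolved = posixpath.normpath(
                posixpath.join(posixpath.dirname(info.filename), target)
            )
            escapes = bool(ABSOLUTE_RE.match(target)) or resolved.startswith("..")
            results.append((info.filename, target, escapes))
    return results


def has_escaping_symlink(data: bytes) -> bool:
    """Convenience check: True if any symlink entry would leave the root."""
    return any(esc for _, _, esc in audit_symlinks(data))


if __name__ == "__main__":
    for name, target, esc in audit_symlinks(build_sample_archive()):
        print(f"{'ESCAPES' if esc else 'ok     '} {name} -> {target}")
```

Running it against the constructed archive flags docs/link_bad and passes docs/link_ok; an extraction pipeline would refuse (or extract with symlinks stripped) any archive for which has_escaping_symlink returns True, regardless of which extractor ultimately handles it.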
THREAT INTELLIGENCE REPORTS
- Check Point Research uncovered a surge in fraudulent Black Friday domains and brand impersonation. Roughly 1 in 11 new Black Friday domains are malicious, and 1 in 25 domains referencing Amazon, AliExpress, or Alibaba pose active threats, with fake storefronts stealing credentials and payment data. Recent examples also mimic HOKA and AliExpress.
- Check Point researchers detailed a Europe-wide scam in which criminal networks use generative AI to impersonate health regulators and sell fake GLP-1 weight-loss products. The criminals clone logos and endorsements from official health services, then localize persuasive ads to exploit drug shortages and public trust.
- Akamai discovered a RAT that disguises its C2 traffic as LLM chat completions API requests, sending Base64- and XOR-encoded payloads without standard headers. The malware steals data from remote access tools and browsers and deploys a .NET proxy toolkit with persistence.
- Researchers analyzed a Howling Scorpius campaign that used fake CAPTCHA prompts to install SectopRAT on a global data storage and infrastructure company, enabling remote control and lateral movement. Over 42 days, the attackers stole nearly 1 TB of data, deleted cloud backups, and deployed Akira ransomware across three networks, halting operations.
- Google analyzed a nearly three-year APT24 cyber-espionage campaign centered on the BadAudio C++ downloader, which uses AES-encrypted C2 traffic, cookie-embedded host profiling, and control-flow flattening to deploy payloads such as Cobalt Strike Beacon in memory. The research details how APT24 shifted from strategic web compromises to large-scale supply-chain and spear-phishing operations that weaponize FingerprintJS-based browser fingerprinting, DLL search-order hijacking, and repeatedly re-compromised Taiwanese marketing infrastructure to deliver BadAudio across more than 1,000 domains.
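The Akamai item above describes a RAT whose C2 traffic imitates LLM chat-completions API requests while sending Base64- and XOR-encoded payloads without the headers a real client would carry. As an added detection sketch (not code from the report or from Akamai's analysis), the script below runs a few heuristics over constructed egress-proxy records: a request to a chat-completions path is flagged when it lacks the Authorization and Content-Type headers a genuine API client sends, or when its body is not a chat-completions JSON object but instead a bare Base64 blob. The header expectations and the sample records are assumptions made for the illustration; the XOR key 0x5A used to build the "malicious" sample is arbitrary.

```python
import base64
import json
import re

# Constructed sample egress-proxy records (not real traffic from the report).
SAMPLE_REQUESTS = [
    {   # benign: a normal chat-completions call with auth, JSON body, model + messages
        "id": 1,
        "path": "/v1/chat/completions",
        "headers": {"Authorization": "Bearer sk-example", "Content-Type": "application/json"},
        "body": json.dumps({"model": "gpt-4o", "messages": [{"role": "user", "content": "hi"}]}),
    },
    {   # suspicious: same path, but no auth/content-type and an opaque Base64(XOR) body
        "id": 2,
        "path": "/v1/chat/completions",
        "headers": {},
        "body": base64.b64encode(bytes(b ^ 0x5A for b in b"beacon:host=WS01;user=bob")).decode(),
    },
    {   # unrelated endpoint: out of scope for this rule
        "id": 3,
        "path": "/api/update",
        "headers": {"Content-Type": "application/json"},
        "body": "{}",
    },
]

CHAT_PATH = re.compile(r"/v\d+/chat/completions$")
# Assumption: a legitimate API client always sends these two headers.
EXPECTED_HEADERS = ("authorization", "content-type")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def looks_like_chat_request(body: str) -> bool:
    """True if the body is a JSON object carrying the model and messages keys."""
    try:
        obj = json.loads(body)
    except ValueError:
        return False
    return isinstance(obj, dict) and "model" in obj and "messages" in obj


def findings(req: dict) -> list:
    """Reasons this request looks like disguised C2; empty list means nothing seen."""
    if not CHAT_PATH.search(req["path"]):
        return []
    reasons = []
    present = {k.lower() for k in req["headers"]}
    missing = [h for h in EXPECTED_HEADERS if h not in present]
    if missing:
        reasons.append("missing headers: " + ", ".join(missing))
    body = req["body"].strip()
    if not looks_like_chat_request(body):
        reasons.append("body is not a chat-completions JSON object")
        if B64_RE.match(body) and len(body) % 4 == 0:
            reasons.append("body is a bare Base64 blob")
    return reasons


def flag_requests(requests: list) -> dict:
    """Map request id -> reasons for every request with at least one finding."""
    out = {}
    for req in requests:
        reasons = findings(req)
        if reasons:
            out[req["id"]] = reasons
    return out


if __name__ == "__main__":
    for rid, reasons in flag_requests(SAMPLE_REQUESTS).items():
        print(f"request {rid}: " + "; ".join(reasons))
```

Only record 2 is flagged, for all three reasons. In production the same logic would sit on proxy or WAF logs, with the expected-header list tuned to the API clients actually in use, since a missing Authorization header on a path that should require one is a cheap, high-signal indicator on its own.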
The post 24th November – Threat Intelligence Report appeared first on Check Point Research.