A new ransomware threat named “The Gentlemen” has emerged in the cybersecurity landscape, demonstrating advanced attack capabilities and a well-structured operational model.
First appearing around July 2025, this group quickly established itself as a serious threat, listing 48 victims on its dark web leak site between September and October 2025.
The ransomware operates as a Ransomware-as-a-Service platform, allowing affiliates to deploy attacks while the core operators maintain control over the infrastructure and negotiation processes.
The Gentlemen employs a dual-extortion strategy that combines file encryption with data theft. This approach not only locks victims out of their systems but also creates additional pressure by threatening to release stolen information on dark web leak sites unless ransom demands are met.
‘The Gentlemen’ DLS is Online (Source – Cybereason)
Before launching their own RaaS platform, the operators experimented with various affiliate models from other prominent ransomware groups, which helped them refine their methods and develop a more sophisticated operation.
Cybereason security researchers identified that the ransomware targets Windows, Linux, and ESXi platforms with specialized encryption tools.
The malware uses XChaCha20 and Curve25519 encryption algorithms to secure files, making recovery without the decryption key extremely difficult.
Recent updates introduced automatic self-restart and run-on-boot functionality, enhancing persistence on compromised systems.
Network Propagation and Lateral Movement Capabilities
The ransomware spreads across networks using Windows Management Instrumentation and PowerShell remoting techniques. When executed, the malware requires a password argument to begin its encryption routine.
It supports multiple operational modes, including system-level encryption under SYSTEM privileges and network share encryption through mapped drives and UNC paths.
The malware disables Windows Defender by executing PowerShell commands that turn off real-time protection and add directories and processes to exclusion lists.
‘The Gentlemen’ ransomware is written using ‘vibecoding’ techniques (Source – Cybereason)
It also enables network discovery and adds the corresponding firewall rules, making lateral movement across corporate networks easier.
The ransomware targets critical services and processes, including database engines like MSSQL and MySQL, backup utilities such as Veeam, and virtualization services like VMware.
To evade detection and complicate forensic investigations, the malware deletes Windows event logs, RDP connection logs, Windows Defender support files, and Prefetch data.
This anti-forensics approach significantly hinders incident response efforts and makes timeline reconstruction more challenging for security teams investigating the attack.
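The defence-evasion behaviours described above (real-time protection switched off, exclusions added, event logs cleared) all surface in PowerShell script block logging when it is enabled. The following is an added example, not code from Cybereason's report or from the ransomware, showing how a responder might triage script block text for those behaviours; the sample script blocks are constructed for illustration, and the cmdlet and log-format assumptions (Set-MpPreference, Add-MpPreference, wevtutil) are mine, not the article's.

```python
import re
from dataclasses import dataclass

# Constructed sample PowerShell script block texts (the kind recorded as Event ID 4104
# when script block logging is on). Illustrative lines only, not telemetry from any
# real incident.
SAMPLE_SCRIPT_BLOCKS = [
    "Get-ChildItem C:\\Users\\alice\\Documents",
    "Set-MpPreference -DisableRealtimeMonitoring $true",
    "Add-MpPreference -ExclusionPath 'C:\\ProgramData\\tmp' -ExclusionProcess 'svc.exe'",
    "wevtutil cl Security; wevtutil cl System",
    "Get-MpPreference | Select-Object ExclusionPath",
]


@dataclass
class Finding:
    line_no: int      # 1-based index into the scanned list
    technique: str    # which behaviour from the article the line resembles
    matched: str      # the text that triggered the match


# One pattern per behaviour the article attributes to the ransomware: real-time
# protection turned off, exclusions added, event logs cleared.
PATTERNS = {
    "defender_realtime_disabled": re.compile(
        r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$true", re.IGNORECASE),
    "defender_exclusion_added": re.compile(
        r"Add-MpPreference\b.*-Exclusion(?:Path|Process|Extension)\b", re.IGNORECASE),
    "event_log_cleared": re.compile(
        r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.IGNORECASE),
}


def scan_script_blocks(blocks):
    """Return a Finding for every (line, technique) pair that matches."""
    findings = []
    for line_no, text in enumerate(blocks, start=1):
        for technique, pattern in PATTERNS.items():
            match = pattern.search(text)
            if match:
                findings.append(Finding(line_no, technique, match.group(0)))
    return findings


def techniques_seen(blocks):
    """Set of technique names observed; a quick triage verdict for a host."""
    return {f.technique for f in scan_script_blocks(blocks)}


if __name__ == "__main__":
    for f in scan_script_blocks(SAMPLE_SCRIPT_BLOCKS):
        print(f"line {f.line_no}: {f.technique}: {f.matched}")
```

Read-only queries such as Get-MpPreference are deliberately left unmatched so the check stays quiet during normal administration; seeing all three techniques from one host in a short window is the signal worth paging on.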
A China-aligned threat group known as PlushDaemon has been weaponizing a sophisticated attack method to infiltrate networks across multiple regions since 2018.
The group’s primary strategy involves intercepting legitimate software updates by deploying a specialized tool called EdgeStepper, which acts as a bridge between users’ computers and malicious servers.
This technique allows hackers to inject malware directly into what users believe are authentic update installations from trusted software vendors.
PlushDaemon’s campaign has targeted individuals and organizations in the United States, Taiwan, China, Hong Kong, New Zealand, and Cambodia.
The group employs multiple attack vectors, including exploitation of software vulnerabilities, weak network device credentials, and sophisticated supply-chain compromises.
First stages of the attack (Source – Welivesecurity)
During a 2023 investigation, researchers uncovered the group’s involvement in a major supply-chain attack affecting a South Korean VPN service, demonstrating their capability to operate at scale.
ESET security analysts identified and examined the EdgeStepper malware after discovering an ELF binary file on VirusTotal that contained infrastructure details linked to PlushDaemon operations.
The researchers found that the tool, internally codenamed dns_cheat_v2 by its developers, represents a critical component in the group’s attack infrastructure.
The analysis revealed how this network implant functions to intercept and redirect DNS queries, essentially hijacking the normal update process users expect from legitimate software.
Final stage of the update hijacking (Source – Welivesecurity)
The attack demonstrates a multi-stage infection process designed to evade traditional security defenses.
Once attackers compromise a network device such as a router through vulnerability exploitation or weak credentials, EdgeStepper begins its operation by intercepting DNS traffic.
When a user attempts to update software like Sogou Pinyin or similar Chinese applications, the malware redirects the connection to an attacker-controlled server.
This hijacking node then instructs the legitimate software to download a malicious DLL file instead of the genuine update.
DNS Interception and Traffic Redirection Mechanism
The technical foundation of EdgeStepper’s effectiveness lies in its elegant yet dangerous approach to network manipulation.
EdgeStepper workflow (Source – Welivesecurity)
Written in Go programming language using the GoFrame framework and compiled for MIPS32 processors, the malware begins operation by reading an encrypted configuration file named bioset.conf.
The decryption uses AES-CBC with a default key and initialization vector derived from the string “I Love Go Frame”, which is part of the GoFrame library’s standard implementation.
Once decrypted, the configuration reveals two critical parameters: toPort specifies the listening port, while host identifies the domain name of the malicious DNS node.
EdgeStepper then initializes two core systems called Distributor and Ruler. The Distributor component resolves the IP address of the malicious DNS node and coordinates the traffic flow, while the Ruler system issues iptables commands to redirect all UDP traffic on port 53 to EdgeStepper’s designated port.
The malware accomplishes this redirection using the command: `iptables -t nat -I PREROUTING -p udp --dport 53 -j REDIRECT --to-port [value_from_toPort]`.
This command essentially forces all DNS requests from devices on the network to pass through EdgeStepper before reaching legitimate DNS servers, creating a complete man-in-the-middle position that allows perfect interception and modification of update instructions sent to software applications.
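A compromised router that has been given a rule like the one above is easy to spot from the NAT table itself: any PREROUTING rule that sends port-53 traffic somewhere other than the resolver is a hijack candidate. The following is an added example, not part of ESET's analysis, that parses `iptables -t nat -S PREROUTING` output and flags such rules; the sample rule set is constructed, and the live-audit helper assumes root and an iptables binary on the device being checked.

```python
import shlex
import subprocess

# Constructed sample of `iptables -t nat -S PREROUTING` output; not captured from a
# real device. The third line has the shape the article describes.
SAMPLE_NAT_RULES = """\
-P PREROUTING ACCEPT
-A PREROUTING -i br0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.0.2.10:8080
-A PREROUTING -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A PREROUTING -p udp -m udp --dport 123 -j ACCEPT
"""


def parse_rule(line):
    """Reduce one `-A` rule line to the options that matter for this check."""
    tokens = shlex.split(line)
    rule = {"raw": line, "proto": None, "dport": None, "target": None, "to_port": None}
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "-p":
            rule["proto"] = nxt
        elif tok == "--dport":
            rule["dport"] = nxt
        elif tok == "-j":
            rule["target"] = nxt
        elif tok in ("--to-port", "--to-ports"):   # iptables prints --to-ports
            rule["to_port"] = nxt
    return rule


def find_dns_redirects(rules_text):
    """Return PREROUTING rules that divert port-53 traffic via REDIRECT or DNAT."""
    hits = []
    for line in rules_text.splitlines():
        if not line.startswith("-A "):
            continue
        rule = parse_rule(line)
        if rule["dport"] == "53" and rule["target"] in ("REDIRECT", "DNAT"):
            hits.append(rule)
    return hits


def audit_live_nat_table():
    """Run the same check against this host's NAT table (assumes root + iptables)."""
    out = subprocess.run(
        ["iptables", "-t", "nat", "-S", "PREROUTING"],
        capture_output=True, text=True, check=True,
    ).stdout
    return find_dns_redirects(out)


if __name__ == "__main__":
    for r in find_dns_redirects(SAMPLE_NAT_RULES):
        print(f"DNS hijack candidate: {r['raw']} (diverted to port {r['to_port']})")
```

A hit is a candidate, not a verdict: a deliberately configured local resolver that intercepts DNS produces the same rule, so the next step is to confirm who listens on the redirect port and where that listener forwards queries.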
A sophisticated cyber campaign known as Operation WrtHug has hijacked tens of thousands of ASUS WRT routers globally, turning them into potential espionage tools for suspected China-linked hackers.
SecurityScorecard’s STRIKE team, in collaboration with ASUS, revealed the operation on November 18, 2025, highlighting how attackers exploited outdated firmware to build a stealthy network infrastructure.
This breach underscores the rising threat to end-of-life consumer devices, with infections concentrated in Taiwan and spreading to the U.S., Russia, and Southeast Asia.
Researchers first detected Operation WrtHug through a suspicious self-signed TLS certificate shared across compromised devices, featuring an unusually long 100-year expiration date from April 2022.
Malicious SSL certificate
This certificate, with SHA1 thumbprint 1894a6800dff523894eba7f31cea8d05d51032b4, appeared on 99% of affected ASUS AiCloud services, a feature meant for remote home network access but now exploited as an entry point.
Router Login
The campaign targets exclusively ASUS WRT models, many of which are end-of-life and unpatched, allowing attackers to inject commands and gain root privileges without altering the device’s outward appearance.
The operation’s scale is alarming, with estimates of 50,000 unique IP addresses involved over the past six months, based on proprietary scans and tools like Driftnet.
Heatmap
Unlike random botnets, WrtHug shows a deliberate geographic focus, infecting 30-50% of devices in Taiwan, a pattern that aligns with geopolitical tensions. Smaller clusters hit South Korea, Japan, Hong Kong, central Europe, and the U.S., but mainland China remains largely untouched, aside from Hong Kong.
Exploited Vulnerabilities
Attackers chained six known flaws in ASUS firmware to propagate the malware, focusing on N-day exploits in AiCloud and OS injection vectors, SecurityScorecard told CybersecurityNews.
These vulnerabilities, all patched by ASUS, primarily affect outdated routers running lighttpd or Apache web servers.
The table below details the key CVEs, their impacts, and prerequisites:

| CVE ID | Affected Products | Impact | Exploit Prerequisites | CVSS Score |
|---|---|---|---|---|
| CVE-2023-41345 | ASUS WRT routers | OS command injection | Authenticated access, token module flaw | 8.8 |
| CVE-2023-41346 | ASUS WRT routers | OS command injection | Authenticated access, token module flaw | 8.8 |
| CVE-2023-41347 | ASUS WRT routers | OS command injection | Authenticated access, token module flaw | 8.8 |
| CVE-2023-41348 | ASUS WRT routers | OS command injection | Authenticated access, token module flaw | 8.8 |
| CVE-2024-12912 | ASUS WRT routers | Arbitrary command execution | Remote access via AiCloud | 7.2 |
| CVE-2025-2492 | ASUS WRT routers | Unauthorized function execution | Improper authentication control | 9.2 |
These flaws link to CVE-2023-39780, a command injection bug tied to the earlier AyySSHush campaign, suggesting possible actor overlap. Seven IPs show dual compromise, hinting at coordinated efforts.
STRIKE assesses with low-to-moderate confidence that China-nexus actors drive WrtHug, mirroring tactics seen in operational relay box (ORB) networks like LapDogs and PolarEdge. The focus on Taiwan and router persistence via SSH backdoors points to espionage infrastructure building.
This fits a trend of state-sponsored router hijacks, evolving from brute-force to multi-stage infections.
Targeted models include RT-AC1200HP, GT-AC5300, and DSL-AC68U, often in homes or small offices. While post-exploitation details remain unclear, the setup enables proxying C2 traffic and data exfiltration.
Indicators of Compromise
Monitoring for these IOCs can help detect infections:
ASUS urges firmware updates and disabling unused features like AiCloud on supported devices. For EoL models, replacement is recommended, alongside network segmentation and TLS certificate monitoring.
Organizations should scan for the IOC certificate and apply CISA’s known exploited catalog patches.
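Two of the indicators above are cheap to check from the outside: the certificate's SHA1 thumbprint and its absurd 100-year validity. The following is an added example, not SecurityScorecard's tooling, showing how to score a router's TLS certificate against both; the only value taken from the article is the thumbprint, while the certificate fields and DER bytes below are constructed stand-ins for what `ssl.get_server_certificate` and your X.509 parser would return, and the 398-day threshold is my assumption based on the CA/Browser Forum limit for public leaf certificates.

```python
import hashlib
import ssl

# Thumbprint reported for the WrtHug certificate (taken from the article above).
WRTHUG_SHA1 = "1894a6800dff523894eba7f31cea8d05d51032b4"

# Constructed stand-in for a certificate's DER bytes; not a real certificate.
CONSTRUCTED_DER = b"constructed-der-bytes-not-a-real-certificate"

# Constructed stand-in for the dict shape SSLSocket.getpeercert() returns, with
# the 100-year lifetime from April 2022 that the article describes.
CONSTRUCTED_CERT = {
    "subject": ((("commonName", "router.example"),),),
    "issuer": ((("commonName", "router.example"),),),
    "notBefore": "Apr 15 00:00:00 2022 GMT",
    "notAfter": "Apr 15 00:00:00 2122 GMT",
}

# Assumption: publicly trusted leaf certificates are capped at 398 days, so anything
# far beyond that on an internet-facing device deserves a look.
MAX_REASONABLE_DAYS = 398


def sha1_thumbprint(der_bytes):
    """SHA1 over the DER encoding is what scanners and browsers call the thumbprint."""
    return hashlib.sha1(der_bytes).hexdigest()


def validity_days(cert):
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return (end - start) // 86400


def is_self_signed(cert):
    return cert.get("subject") == cert.get("issuer")


def assess_certificate(cert, der_bytes, watchlist=(WRTHUG_SHA1,)):
    """Return the thumbprint, lifetime in days, and a list of findings."""
    findings = []
    thumb = sha1_thumbprint(der_bytes)
    if thumb in {t.lower() for t in watchlist}:
        findings.append("thumbprint_on_watchlist")
    days = validity_days(cert)
    if days > MAX_REASONABLE_DAYS:
        findings.append(f"validity_{days}_days")
    if is_self_signed(cert):
        findings.append("self_signed")
    return {"sha1": thumb, "validity_days": days, "findings": findings}


def fetch_der(host, port=443):
    """Pull the live certificate from a device and return its DER bytes."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


if __name__ == "__main__":
    print(assess_certificate(CONSTRUCTED_CERT, CONSTRUCTED_DER))
```

Run against a real device, `fetch_der` supplies the bytes for the thumbprint; the subject, issuer and validity fields come from whatever X.509 parser you already use, since `getpeercert()` only decodes certificates that pass verification and a self-signed router certificate will not.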
As router attacks escalate in 2025, this incident highlights the need for vigilant SOHO security to thwart nation-state probing. SecurityScorecard calls for industry collaboration to counter such calculated threats.
Cybersecurity researchers have disclosed details of a new campaign that leverages a combination of social engineering and WhatsApp hijacking to distribute a Delphi-based banking trojan named Eternidade Stealer as part of attacks targeting users in Brazil.
“It uses Internet Message Access Protocol (IMAP) to dynamically retrieve command-and-control (C2) addresses, allowing the threat actor to
A new wave of cyberattacks has emerged using the Tuoni Command and Control (C2) framework, a sophisticated tool that allows threat actors to deploy malicious payloads directly into system memory.
This technique helps attackers avoid detection by traditional security solutions that rely on scanning files stored on disk.
The Tuoni framework has gained attention in the cybersecurity community for its modular design and ability to support multiple attack scenarios without leaving significant traces on compromised systems.
The attack typically begins with phishing emails or compromised websites that deliver the initial payload. Once executed, the malware establishes a connection to the attacker’s C2 server and waits for further instructions.
What makes Tuoni particularly dangerous is its use of in-memory execution, meaning the malicious code runs entirely within the computer’s RAM without writing files to the hard drive.
This approach significantly reduces the chances of detection by antivirus software and endpoint protection tools.
Morphisec security researchers identified the threat during routine monitoring of suspicious network activities. Their analysis revealed that attackers were using Tuoni to deliver secondary payloads including credential stealers, ransomware, and remote access trojans.
The framework supports various communication protocols and can blend its traffic with legitimate network activity, making it challenging for security teams to identify compromised machines.
Technical Analysis of Tuoni’s In-Memory Execution
The Tuoni framework employs several advanced techniques to maintain stealth while operating on infected systems. At its core, the malware uses process injection to insert its code into legitimate Windows processes such as svchost.exe or explorer.exe.
Invoke-DataBlock function (Source – Morphisec)
This is achieved through API calls like VirtualAllocEx and WriteProcessMemory, which allocate memory space within the target process and write the malicious payload into that space.
The framework also encrypts its network communications, using AES-256 to protect data transmitted between the infected host and the C2 server.
This prevents network monitoring tools from inspecting the content of commands and stolen data. Organizations should implement memory scanning capabilities and monitor for unusual process behaviors to detect Tuoni infections effectively.
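The VirtualAllocEx and WriteProcessMemory calls described above require the injecting process to open the target with specific access rights, which is exactly what a Sysmon ProcessAccess (Event ID 10) record captures in its GrantedAccess mask. The following is an added example, not Morphisec's detection logic, that looks for unexpected processes opening svchost.exe or explorer.exe with the rights those calls need; the event records are constructed, and the allow-list of expected source processes is my assumption, not something the article states.

```python
import ntpath
import re

# Windows process access rights relevant to the injection primitives named above.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020

# VirtualAllocEx needs VM_OPERATION; WriteProcessMemory needs VM_WRITE and VM_OPERATION.
INJECTION_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Targets the article names, plus (assumption) system components that legitimately
# open them with broad rights and would otherwise drown the signal.
INJECTION_TARGETS = {"svchost.exe", "explorer.exe"}
EXPECTED_SOURCES = {"csrss.exe", "lsass.exe", "services.exe", "wininit.exe", "msmpeng.exe"}

# Constructed Sysmon Event ID 10 (ProcessAccess) records flattened to key=value text;
# not real telemetry.
SAMPLE_EVENTS = [
    "SourceImage=C:\\Windows\\System32\\csrss.exe TargetImage=C:\\Windows\\explorer.exe GrantedAccess=0x1FFFFF",
    "SourceImage=C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe TargetImage=C:\\Windows\\System32\\svchost.exe GrantedAccess=0x143A",
    "SourceImage=C:\\Windows\\System32\\taskmgr.exe TargetImage=C:\\Windows\\System32\\svchost.exe GrantedAccess=0x1000",
    "SourceImage=C:\\Program Files\\Windows Defender\\MsMpEng.exe TargetImage=C:\\Windows\\explorer.exe GrantedAccess=0x1FFFFF",
]


def parse_event(line):
    """Split on ' Key=' boundaries so paths containing spaces survive."""
    fields = {}
    for part in re.split(r"\s(?=\w+=)", line):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def flag_injection_candidates(events):
    """Return opens of an injection target with write+operation rights by an unexpected source."""
    hits = []
    for line in events:
        ev = parse_event(line)
        source = ntpath.basename(ev["SourceImage"]).lower()
        target = ntpath.basename(ev["TargetImage"]).lower()
        access = int(ev["GrantedAccess"], 16)
        if (target in INJECTION_TARGETS
                and (access & INJECTION_MASK) == INJECTION_MASK
                and source not in EXPECTED_SOURCES):
            hits.append({
                "source": source,
                "target": target,
                "access": hex(access),
                # CREATE_THREAD on top of write rights is the classic remote-thread pattern.
                "create_thread": bool(access & PROCESS_CREATE_THREAD),
            })
    return hits


if __name__ == "__main__":
    for hit in flag_injection_candidates(SAMPLE_EVENTS):
        print(hit)
```

Task Manager's query-only open (0x1000) and the two allow-listed system processes are dropped; only the temp-directory binary that opened svchost.exe with write, operation and create-thread rights remains, which is the pattern worth pairing with a memory scan of that target.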
Palo Alto, California, November 19th, 2025, CyberNewsWire
SquareX released critical research exposing a hidden API in Comet that allows extensions in the AI Browser to execute local commands and gain full control over users’ devices.
The research reveals that Comet has implemented an MCP API (chrome.perplexity.mcp.addStdioServer) that allows its embedded extensions to execute arbitrary local commands on users’ devices, capabilities that traditional browsers explicitly prohibit.
Concerningly, there is limited official documentation on the MCP API.
Existing documentation only covers the intent of the feature, without disclosing that Comet’s embedded extensions have persistent access to the API and the ability to launch local apps arbitrarily without user permission, creating a massive breach of user trust and transparency.
“For decades, browser vendors have adhered to strict security controls that prevent browsers, and especially extensions, from directly controlling the underlying device,” explains Kabilan Sakthivel, Researcher at SquareX.
“Traditional browsers require native messaging APIs with explicit registry entries and user consent for any local system access. In their ambition to make the browser more powerful, Comet has bypassed all of these safeguards with a hidden API that most users don’t even know exists. This erosion of user trust fundamentally reverses the clock on decades of browser security principles established by vendors like Chrome, Safari, and Firefox.”
Currently, the API is found in the Agentic extension, and it can be triggered by the perplexity.ai page, creating a covert channel for Comet to access local data and launch arbitrary commands/apps without any user control.
While there is no evidence that Perplexity is currently misusing the MCP API, the question is not if but when Perplexity will be compromised.
A single XSS vulnerability, a successful phishing attack against a Perplexity employee, or an insider threat would instantly grant attackers unprecedented control via the browser over every Comet user’s device.
This creates catastrophic third-party risk where users have resigned their device security to Perplexity’s security posture, with no easy way to assess or mitigate the risk.
In SquareX’s attack demo, the research team used extension stomping to disguise a malicious extension as the embedded Analytics Extension by spoofing its extension ID.
Once sideloaded, the malicious Analytics Extension injects a script into the perplexity.ai page, which in turn invokes the Agentic Extension which finally uses the MCP to execute WannaCry on the victim’s device.
While the demonstration leveraged extension stomping, other techniques such as XSS or MitM network attacks that exploit the perplexity.ai page or the embedded extensions can also lead to the same result.
More worryingly, as both extensions are critical to Comet’s agentic functionality, Perplexity has hidden them from the Comet extension dashboard, preventing users from disabling them even if they are compromised.
These embedded extensions become a “hidden IT” that neither security teams nor users have any visibility over. Furthermore, due to the lack of documentation, there is no way to know whether or when Comet might expand access to other “trusted” sites.
While other AI Browsers also have embedded extensions, we have only found the MCP API in Comet for now. We have disclosed the attack to Perplexity, but have not heard a response.
Similar to the OS and search engine, owning the platform where the majority of modern work occurs has always been the grand ambition for many tech companies. With AI, there is now the opportunity to make browsers more powerful than ever before.
Yet, in the race to win the next browser war, many AI Browser companies are shipping features so quickly that it has come at the cost of proper documentation and security measures.
The MCP API exploits serve as an early warning to the third-party risks that poor implementation of AI Browsers can expose users to.
“The early implementation of device control APIs in AI browsers is extremely dangerous,” Vivek Ramachandran, Founder of SquareX emphasizes.
“We’re essentially seeing browser vendors grant themselves, and potentially third parties, the kind of system-level access that would require explicit user consent and security review in any traditional browser. Users deserve to know when software has this level of control over their devices.”
Without demand for accountability from users and the security community, other AI browsers will race to implement similar, or more invasive, capabilities to remain competitive.
SquareX is calling on AI browser vendors to mandate disclosure for all APIs, undergo third-party security audits, and provide users with controls to disable embedded extensions. This isn’t just about one API in one browser.
If the industry doesn’t establish boundaries now, we’re setting a precedent where AI browsers can bypass decades of security principles under the banner of innovation.
For more information, users can refer to the technical blog.
About SquareX
SquareX’s browser extension turns any browser on any device into an enterprise-grade secure browser, including AI Browsers.
SquareX’s industry-first Browser Detection and Response (BDR) solution empowers organizations to proactively defend against browser-native threats including rogue AI agents, Last Mile Reassembly Attacks, malicious extensions and identity attacks.
Unlike dedicated enterprise browsers, SquareX seamlessly integrates with users’ existing consumer browsers, delivering security without compromising user experience. Users can find out more about SquareX’s research-led innovation at www.sqrx.com.
Microsoft has launched an investigation into a widespread issue affecting Microsoft Copilot in Microsoft 365, where users are experiencing significant limitations when performing actions on files.
The technology giant confirmed the incident via official Microsoft 365 Status channels, assigning the tracking identifier CP1188020 for administrative reference.
Official Microsoft 365 Status channels
The Issue and Impact
The reported problem prevents users from executing any operations on files directly within the Microsoft Copilot interface.
This includes activities such as uploading, downloading, editing, sharing, or otherwise manipulating documents and files that users need to work with through the Copilot application.
The disruption has affected multiple users across the Microsoft 365 ecosystem, suggesting a potentially significant infrastructure or application-level issue.
The inability to process files through Copilot directly impacts productivity workflows that rely on the AI assistant to analyze documents, extract information, or perform collaborative file management tasks.
Organizations leveraging Copilot for document intelligence and file processing have reported workflow interruptions, forcing teams to seek alternative methods for file handling.
Microsoft’s incident management team has officially acknowledged the situation through the Microsoft 365 Status communication channel, confirming that technical teams are actively investigating the root cause.
Additional technical details and real-time updates on the investigation progress are available in the Microsoft 365 admin center under the incident ticket CP1188020.
The admin center serves as the central location where Microsoft 365 administrators can monitor incident status, view available mitigation steps, and receive estimated resolution timelines.
Organizations should check this resource regularly for the latest updates on the investigation findings and any recommended workarounds.
Currently, users experiencing issues with file operations in Microsoft Copilot should be aware that Microsoft’s engineering teams are working to identify the underlying cause and implement a resolution.
During this investigation period, users may need to temporarily use alternative methods for file processing tasks or defer non-critical operations until service restoration.
The incident highlights the importance of having backup workflows and contingency plans for critical file management operations that depend on cloud-based AI services.
Organizations should ensure their teams are aware of alternative methods for completing essential file-related tasks.
Microsoft typically provides hourly updates during active service investigations, with communications shared through the admin center and the Microsoft 365 Status page.
Administrators and end-users are encouraged to monitor these official channels for resolution announcements and any subsequent guidance once the issue is resolved.
The company’s track record demonstrates a commitment to rapid incident resolution, and users can expect continued transparency regarding investigation progress and remediation efforts.
A global data storage and infrastructure company fell victim to a severe ransomware attack orchestrated by Howling Scorpius, the group responsible for distributing Akira ransomware.
The incident began with what appeared to be a routine security check on a compromised car dealership website. An employee clicked on what seemed like a standard verification prompt to prove they were human.
This single interaction triggered a 42-day compromise that exposed critical vulnerabilities in the company’s security infrastructure and demonstrated how social engineering continues to bypass even enterprise-grade defenses.
The attack leveraged ClickFix, a sophisticated social engineering tactic that disguises malware delivery as legitimate security checks.
When the unsuspecting employee interacted with the fake CAPTCHA, they unknowingly downloaded SectopRAT malware, a .NET-based remote access Trojan (RAT). This malware gave Howling Scorpius their initial foothold into the organization’s network.
Palo Alto Networks security analysts identified that SectopRAT operates in stealth mode, allowing attackers to remotely control infected systems, monitor user activity, steal sensitive data, and execute commands without detection.
The attackers established a command-and-control backdoor on a server and immediately began mapping the virtual infrastructure to plan their next moves.
Infection mechanism
The infection mechanism demonstrated the attackers’ technical sophistication. Over the subsequent 42 days, Howling Scorpius compromised multiple privileged accounts, including domain administrators.
They moved laterally through the network using Remote Desktop Protocol (RDP), Secure Shell (SSH), and Server Message Block (SMB) protocols.
The group accessed domain controllers, staged massive data archives using WinRAR across multiple file shares, and pivoted from one business unit domain into the corporate environment and eventually cloud resources.
Before deploying the Akira ransomware payload, the attackers deleted backup storage containers and exfiltrated nearly one terabyte of data using FileZillaPortable.
They then deployed Akira ransomware across servers in three separate networks, causing virtual machines to go offline and halting operations entirely. The attackers demanded ransom payment.
The incident revealed a critical security gap: while the organization had deployed two enterprise-grade endpoint detection and response (EDR) solutions that logged all malicious activities, these tools generated very few alerts.
Security logs contained complete records of every suspicious connection and lateral movement, but the lack of proper alerting left critical evidence hidden in plain sight.
Palo Alto Networks Unit 42 responded by conducting a comprehensive investigation, reconstructing the complete attack path and negotiating the ransom demand down by approximately 68 percent.