Welcome to this week’s edition of the Cybersecurity News Weekly Newsletter, where we dissect the latest threats shaking the digital landscape. As cyber risks evolve faster than ever, staying ahead means understanding the exploits that could target your devices, networks, and data.

This roundup spotlights zero-day vulnerabilities in Android and Cisco systems, critical flaws in Microsoft Teams, the rise of HackedGPT as a weaponized AI tool, and a major leak from OpenAI’s Whisper transcription service. These stories underscore the urgent need for proactive defenses in an era of sophisticated attacks.

Kicking off with mobile security, a newly disclosed zero-day in Android’s kernel has left millions of devices exposed to remote code execution. Google has rushed a patch, but unupdated devices remain at high risk especially in enterprise environments relying on BYOD policies. Exploited in the wild by state-sponsored actors, this vulnerability has prompted emergency advisories, reminding us why timely firmware updates are non-negotiable for infrastructure security.

Shifting to collaboration tools, Microsoft Teams harbors multiple high-severity vulnerabilities, including a privilege escalation bug that lets authenticated users access sensitive admin functions. These flaws, detailed in Microsoft’s October Patch Tuesday, could facilitate lateral movement in hybrid work setups, where Teams serves as a gateway to corporate resources. Organizations should prioritize patching to mitigate phishing and insider threats amplified by these weaknesses.

In the AI realm, HackedGPT emerges as a chilling development: a modified version of ChatGPT fine-tuned for malicious purposes, capable of generating phishing emails, malware code, and even social engineering scripts.

Researchers warn that this “jailbroken” AI democratizes cybercrime, lowering barriers for novice attackers. Complementing this, a massive data leak from OpenAI’s Whisper API has exposed over 1.5 million audio files, including sensitive conversations from healthcare and finance sectors.

The breach, attributed to misconfigured cloud storage, highlights the privacy pitfalls of AI-driven transcription tools and the cascading risks when voice data falls into the wrong hands.

These incidents reveal a common thread: the intersection of legacy systems, rapid tech adoption, and human oversight fueling exploits. As we dive deeper into each story with expert analysis, patch recommendations, and threat mitigation strategies, remember that vigilance starts with awareness. Stay secure, and let’s unpack the details ahead.

Threats

Hackers Deliver SSH-Tor Backdoor Via Weaponized Military Documents

In October 2025, Cyble researchers uncovered a state-sponsored cyber espionage campaign using weaponized Belarusian military documents to deploy an advanced SSH-Tor backdoor aimed at defense sector personnel, particularly those in unmanned aerial vehicle operations. The malware combines OpenSSH for Windows with a customized Tor hidden service using obfs4 obfuscation, enabling anonymous access to SSH, RDP, SFTP, and SMB protocols on infected systems. The multi-stage infection involves nested ZIP archives and LNK files with anti-analysis checks, such as verifying LNK file counts and process numbers, to evade sandboxes while establishing persistence via scheduled tasks. Attribution points to moderate confidence in UAC-0125/Sandworm (APT44), a Russian-linked group, with tactics echoing the December 2024 Army+ campaign.​ Read more

Conti Ransomware Member Extradited to the US

Oleksii Oleksiyovych Lytvynenko, a 43-year-old Ukrainian national, was extradited from Ireland to the US to face charges for his role in the Conti ransomware conspiracy between 2020 and June 2022. The operation hacked networks, encrypted data, and demanded cryptocurrency ransoms, affecting over 1,000 victims across 47 US states and 31 countries, generating at least $150 million by January 2022. Conti was the top ransomware variant targeting critical infrastructure in 2021, with Lytvynenko allegedly managing stolen data and ransom notes, including extorting over $500,000 in Tennessee. Arrested in July 2023 by Irish police at US request, he faces up to 25 years if convicted for conspiracy to commit computer and wire fraud. This case reflects ongoing US efforts to dismantle global ransomware networks, with over 180 convictions since 2020.​ Read more

Phishing Attack That Abuses Cloudflare Services

A Russian-speaking threat actor is abusing Cloudflare’s Pages and Workers services to host phishing pages disguised as DMCA takedown notices, tricking victims into downloading malicious files. The campaign directs users to malicious .lnk files via the “search-ms” protocol, which execute PowerShell scripts downloading ZIP archives containing Python-based payloads connected to Pyramid C2 servers for remote control. Over 20 domains have been identified, many reusing file names but altering contents, hosted on networks like Railnet LLC with exposed directories facilitating payload staging. This technique leverages legitimate Cloudflare domains like pages.dev and workers.dev for credibility, enabling widespread distribution through social engineering.​ Read more

New TruffleNet BEC Campaign Leverages AWS SES

FortiGuard Labs identified the TruffleNet campaign abusing stolen AWS credentials to exploit Simple Email Service (SES) for large-scale Business Email Compromise (BEC) attacks, primarily targeting the oil and gas sector. The infrastructure spans over 800 hosts across 57 networks, using TruffleHog for credential validation and Portainer for management, with initial API calls like GetCallerIdentity and GetSendQuota to confirm access. Attackers create email identities with stolen DKIM keys from compromised WordPress sites, impersonating vendors like ZoomInfo to send fraudulent $50,000 ACH invoices to typosquatted domains.[From fetch content] The tiered setup includes US-based providers like WS Telecom and Hivelocity, with open ports repurposed for operations, and FortiCNAPP detected anomalies through behavioral indicators. Read more

Threat Actors Leverage RMM Tools for Attacks

Threat actors are increasingly using legitimate Remote Monitoring and Management (RMM) tools as first-stage payloads in email campaigns for data collection, financial theft, lateral movement, and ransomware deployment. This trend aligns with a decline in traditional loaders and botnets, as RMMs provide robust remote features with inherent legitimacy, evading detection in enterprise environments. Examples include Hunters International using AnyDesk and ScreenConnect for persistent access in a UK manufacturing attack, maintaining tools for over a month before ransomware execution. Multiple commercial and open-source RMMs have been exploited for initial access and exfiltration, blurring the lines between admin activity and malicious intent.​ Read more

RondoDox Botnet Updates Arsenal with Expanded Exploits

The RondoDox botnet has evolved to v2, expanding from two exploits targeting DVRs to over 75 vectors across IoT and enterprise devices, a 650% increase first noted in September 2024. Detected on October 30, 2025, via honeypots from IP 124.198.131.83, it exploits CVEs like Shellshock (CVE-2014-6271), Dasan GPON (CVE-2018-10561), and recent ones in TBK DVRs (CVE-2024-3721). This shift bridges IoT opportunism to enterprise targeting, analyzed by Beelzebub’s AI deception platform capturing the full attack chain. FortiGuard Labs and Trend Micro have tracked its growth, emphasizing vulnerabilities spanning a decade of CVEs in routers and applications.​ Read more

XLoader Malware Analyzed Using ChatGPT

Researchers used ChatGPT to accelerate reverse engineering of XLoader, a FormBook successor evolving since 2020, decrypting over 100 functions and breaking modified RC4 schemes in hours rather than days. The AI workflow exported IDA Pro data for static analysis, extracting runtime values like encryption keys and C2 data via live debuggers, deobfuscating API calls hidden by custom hashing. XLoader employs runtime decryption and multi-layer encryption with hidden keys, regularly updating to counter analysis, making AI-assisted dissection a game-changer for malware teams.​ Read more

Threat Actors May Abuse VS Code Extensions

North Korean-linked actors are uploading rogue Visual Studio Code (VS Code) extensions to Microsoft’s marketplace, impersonating popular tools like Prettier to enable supply chain attacks on developers. Extensions run with full user privileges without sandboxing, allowing arbitrary code execution, file manipulation, and data theft once installed. Attackers exploit the marketplace’s lack of unique name enforcement and bypass verification badges, with a PoC fake Prettier extension installed over 1,000 times before removal. Users should verify sources, reviews, and download counts to mitigate risks from this developer-targeted vector.​ Read more

Cyberattack

WSUS Port Scanning Surge

Cybersecurity researchers have observed a sharp increase in scans targeting TCP ports 8530 and 8531 associated with Windows Server Update Services (WSUS) infrastructure. This activity links to CVE-2025-59287, a critical vulnerability enabling remote code execution without authentication, allowing attackers to run arbitrary scripts on vulnerable servers. Threat actors follow a reconnaissance-to-exploitation pattern, and experts recommend auditing exposed WSUS instances for compromise, applying patches, and segmenting networks to mitigate risks.​ The flaw affects multiple WSUS versions with a CVSS score of 9.8, urging immediate isolation and forensic analysis for internet-facing systems.​ Read more

Malvertising with PuTTY and Teams

A persistent malvertising campaign is distributing OysterLoader malware via fake ads for legitimate tools like PuTTY and Microsoft Teams on Bing search results. Linked to the Rhysida ransomware group, this operation uses code-signing certificates and obfuscation to evade detection, with over 40 certificates burned since June 2025. Attackers impersonate popular software to deliver initial access payloads, enabling ransomware deployment in corporate networks.​

Rhysida’s tactics have escalated, including exploitation of Microsoft’s Trusted Signing service, prompting revocations of more than 200 certificates while operations continue.​ Read more

XWiki Eval Injection Flaw

The XWiki Platform suffers from CVE-2025-24893, a critical eval injection vulnerability in its SolrSearch feature that allows unauthenticated remote code execution. Added to CISA’s Known Exploited Vulnerabilities catalog on October 30, 2025, the flaw enables attackers to craft requests for arbitrary code runs, compromising wiki installations used in education, government, and corporate settings. Impacts include data theft, malware deployment, and network pivoting, with affected versions below 15.10.11, 16.4.1, and 16.5.0RC1.​

Mitigations involve patching to fixed releases or modifying the SolrSearchMacros file to enforce secure content types; CISA mandates immediate action per BOD 22-01.​ Read more

Curly COMrades Attack Innovations

The Curly COMrades threat actor group employs novel techniques using legitimate Windows tools for persistent access and evasion in targeted operations. This advanced persistent threat leverages system-native components to create backdoors and maintain footholds, posing risks to enterprise environments. Their methodology focuses on COM object manipulation for stealthy persistence, highlighting the dangers of living-off-the-land tactics.​ Organizations should monitor for anomalous Windows API calls and implement behavioral detection to counter such evasive behaviors.​ Read more

PROMPTFLUX AI-Enhanced Malware

Google Threat Intelligence has disclosed PROMPTFLUX, an experimental VBScript-based malware family that integrates Google’s Gemini API for real-time code obfuscation and evasion. Acting as a dropper disguised as installers, it queries the “gemini-1.5-flash-latest” model to generate antivirus-bypassing scripts, marking the first “just-in-time” AI use in malware. Advanced features include hourly self-mutation and lateral movement to drives, though currently in testing phases.​ Google disabled related API keys, and defenses emphasize monitoring for unusual API traffic and restricting model access in enterprise settings.​ Read more

NGate NFC Relay Attacks

NGate malware targets Android users in Poland via phishing, enabling unauthorized ATM cash withdrawals through NFC data relay without physical card theft. Distributed as fake banking apps, it captures card details and PINs during “verification” taps, relaying them to attacker devices at ATMs via a C2 server. The infection uses encrypted configurations and Host Card Emulation to mimic legitimate payment services, evading standard security checks.​ Users should verify apps from official sources and contact banks directly for suspicious calls; technical analysis reveals cleartext TCP exfiltration of sensitive data.​ Read more

Vulnerabilities

Cisco ASA/FTD RCE Exploitation

Cisco reports active exploitation of CVE-2025-20333, a critical buffer overflow in Secure Firewall ASA and FTD software’s VPN web server, allowing authenticated attackers root-level code execution. Disclosed September 25, 2025, with CVSS 9.9, it affects configurations enabling AnyConnect IKEv2 or SSL VPN, leading to data exfiltration or DoS via device reloads. No workarounds exist, requiring upgrades to patched versions like ASA 9.18.4.19.​ Administrators must audit VPN setups and enable multi-factor authentication to limit exposure in perimeter defenses.​ Read more

Windows Graphics RCE Vulnerabilities

Multiple vulnerabilities in Microsoft’s Graphics Device Interface (GDI) allow remote attackers to execute arbitrary code or steal data through malformed Enhanced Metafile (EMF) formats. Discovered via fuzzing by Check Point, these issues affect Windows 10/11 and Office apps, with exploits possible via rigged documents or images without user interaction. Patched in 2025 updates like KB5058411, they highlight risks in legacy graphics processing, rated up to Critical (CVSS 9.8).​ Read more

WSUS Patch Breaks Hotpatching

Microsoft’s October 2025 update for CVE-2025-59287, a critical WSUS RCE flaw, disrupted hotpatching on some Windows Server 2025 systems by pushing to enrolled devices prematurely. Affected servers now require reboots for updates until a January 2026 baseline realigns them, while untouched systems receive layered fixes without interruption. This incident stresses challenges in zero-downtime patching for enterprise environments reliant on WSUS.​ Read more

Apple Patches Critical iOS Flaws

Apple’s iOS 26.1 and iPadOS 26.1 updates fix over 50 vulnerabilities across WebKit, Kernel, and Accessibility, preventing privacy breaches, app crashes, and sandbox escapes on iPhone 11+ and compatible iPads. Key fixes include permissions issues allowing app detection (CVE-2025-43442) and malicious screenshotting (CVE-2025-43455), plus WebKit use-after-free bugs enabling code execution. Reported by researchers from ByteDance and Google, these patches enhance defenses against targeted malware and web exploits. Read more

Android Zero-Click RCE Bug

Google’s November 2025 bulletin discloses CVE-2025-48593, a critical zero-click RCE in Android’s System component, allowing remote code execution via network packets or malicious apps on AOSP versions 13-16. No user interaction is needed, risking full device compromise including data theft or botnet inclusion. A companion high-severity EoP flaw (CVE-2025-48581) further elevates risks; users should apply the 2025-11-01 patch level immediately.​ Read more

Microsoft Teams Feature Exposes Risks

Microsoft Teams’ “Chat with Anyone” feature, allowing external email chats without validation, enlarges phishing vectors by enabling spoofed communications from attackers posing as contacts. This update, rolled out in late 2025, bypasses traditional safeguards, potentially leading to credential theft or malware delivery in hybrid work settings. With over 320 million users, organizations must enforce strict external chat policies and monitor for anomalous invites to mitigate social engineering threats.​ Read more

CWP OS Command Injection Exploited

CISA warns of CVE-2025-48703, an unauthenticated OS command injection in Control Web Panel’s file manager, allowing arbitrary command execution with just a valid non-root username. Added to KEV catalog on November 4, 2025, it’s actively exploited via shell metacharacters in the t_total parameter, classified as CWE-78. Federal agencies must patch by November 25 or discontinue use; admins should audit logs for suspicious requests.​ Read more

HackedGPT Vulnerabilities in ChatGPT

Tenable uncovered seven flaws in GPT-4o and GPT-5, including zero-click prompt injections via SearchGPT that enable data exfiltration from user memories without interaction. Attacks hide malicious instructions in websites or markdown, bypassing safety mechanisms like url_safe for persistent leaks across sessions. OpenAI patched some via TRAs, but inherent LLM risks persist; users should limit sensitive data sharing in AI tools.​ Read more

Chrome Emergency Update

Google’s Chrome 142 update patches five flaws, including high-severity out-of-bounds writes in WebGPU (CVE-2025-12725) and V8 implementation issues enabling RCE via malicious web content. Affecting Windows, macOS, and Linux, these could compromise systems during routine browsing; Omnibox bugs aid phishing. Apply via “About Chrome” immediately, as details are restricted to curb exploits.​ Read more

Windows

New BOF Tool Targets Microsoft Teams Cookies

A specialized Beacon Object File (BOF) from Tier Zero Security exploits Microsoft Teams’ cookie encryption to extract authentication tokens without alerting users. The tool injects into the ms-teams.exe process, duplicates file handles to the locked Cookies SQLite database, and decrypts values using the user’s DPAPI master key, enabling attackers to impersonate users and access chats, emails, and Microsoft Graph API data. This stealthy approach adapts browser exploitation techniques, bypassing file-locking mechanisms and highlighting gaps in Teams’ security compared to hardened Chromium browsers. Organizations should monitor for process injections and enforce least-privilege execution to counter this threat.​

Read more: https://cybersecuritynews.com/bof-tool-exploits-microsoft-teams/cybersecuritynews​

Windows 11 Update Causes Task Manager Glitch

Microsoft’s KB5067036 optional update for Windows 11 versions 24H2 and 25H2 results in Task Manager remaining active in the background after closure, consuming unnecessary resources. This known issue affects the utility’s termination behavior and includes improvements to AI features like Copilot Plus, alongside a non-removable servicing stack update KB5067035. Users can remove the cumulative update via DISM, but Microsoft advises waiting for a fix in future releases. The problem underscores the importance of testing optional updates before deployment in enterprise environments.​

Read more: https://cybersecuritynews.com/windows-11-update-task-manager/cybersecuritynews​

BitLocker Recovery Prompt After Windows Updates

Microsoft warns that security updates from October 14, 2025, may trigger BitLocker recovery screens on Intel-based Windows 11 (25H2/24H2) and Windows 10 (22H2) systems supporting Connected Standby. The glitch requires a one-time recovery key entry upon restart but does not compromise data integrity. Affected versions include KB5066835 for Windows 11 and KB5066791 for Windows 10, with no impact on server editions. Mitigation involves applying Known Issue Rollbacks via Microsoft Support or ensuring recovery keys are accessible.​

Read more: https://cybersecuritynews.com/windows-systems-bitlocker-recovery/cybersecuritynews​

Cloud Files Driver Vulnerability Enables Escalation

CVE-2025-55680 in the Windows Cloud Files Mini Filter Driver (cldsync.sys) allows local privilege escalation through a TOCTOU race condition in file path validation. Attackers exploit this by modifying kernel memory paths to create symbolic links, injecting malicious DLLs into system processes like rasman for full SYSTEM access. The flaw, rated 7.8 CVSS, affects placeholder file operations and builds on prior Microsoft patches. Immediate patching is recommended, as any authenticated user can achieve kernel-level compromise.​

Read more: https://cybersecuritynews.com/windows-cloud-files-vulnerability-exploited/cybersecuritynews​

Teams “Chat with Anyone” Feature Risks Phishing

Microsoft Teams’ new feature, rolling out in November 2025, lets users start chats with external email addresses without requiring a Teams account, enabling guest joins. This default setting expands phishing opportunities by allowing spoofed invites to deliver malware or harvest credentials within the platform. Risks include data leaks and compliance issues under GDPR, as interactions bypass email filters. Admins can disable it via PowerShell by setting UseB2BInvitesToAddExternalUsers to false and enforcing MFA.

Read more: https://cybersecuritynews.com/microsoft-teams-chat-with-anyone-feature/

Active Directory Sites for Privilege Escalation

Attackers with write permissions on Active Directory sites can link malicious Group Policy Objects (GPOs) to escalate privileges across domains, including forest roots. Permissions like GenericAll or WriteGPLink allow injecting commands that add attacker accounts to admin groups on connected systems. This technique bypasses SID filtering via forest-wide replication, enabling rapid lateral movement. Organizations should audit site permissions and monitor GPO changes to prevent domain compromise.

Read more: https://cybersecuritynews.com/active-directory-sites-escalate-privileges/

Other News

Dark Web Credential Exposures

Proton launched the Data Breach Observatory initiative, revealing over 300 million stolen credentials circulating on dark web cybercrime markets, posing significant risks to businesses and individuals. Small businesses face particular threats, with four out of five experiencing recent breaches that can cost over one million dollars per incident, often going unreported due to delays in detection. The observatory monitors underground forums in real time, identifying ten major 2025 breaches across industries, including Qantas Airways (11.8 million records with names, birth dates, addresses, phone numbers, and emails) and Free in France (19 million records including IBANs). Other notable incidents involve Allianz Life in Germany (1 million records with social security numbers), SkilloVilla in India (33 million records of contact information), and several U.S. and European firms exposing passwords, usernames, and banking details.​ Read more​

Microsoft Entra Credential Security

Microsoft will enhance security in its Authenticator app by automatically detecting and deleting Microsoft Entra credentials on jailbroken iOS devices and rooted Android devices starting February 2026. This measure addresses vulnerabilities where modified devices bypass security controls, enabling credential theft and unauthorized access to organizational resources. The feature deploys automatically without IT configuration, applying only to enterprise credentials while sparing personal or third-party accounts. Organizations are advised to notify users in advance, recommending device upgrades or removal of modifications to avoid authentication disruptions.​ Read more​

HydraPWK Penetration Testing OS Update

The HydraPWK project’s Apes-T1 snapshot updates its Debian-based penetration testing Linux distribution by replacing Elasticsearch with open-source OpenSearch to resolve licensing issues and improve industrial security tools. This semi-rolling release enhances network forensics via Arkime and adds OpenSearch Dashboards for observability, alongside UI fixes like improved terminal colorschemes for better error visibility. Compared to Kali Linux, HydraPWK offers a lightweight, low-latency alternative with PREEMPT_RT kernel support for hardware like UAVs and ECUs, emphasizing plug-and-play efficiency for targeted ethical hacking without Kali’s broader overhead.​ Read more​

OneDrive DLL Sideloading Attack

Threat actors exploit OneDrive.exe via DLL sideloading by placing a malicious version.dll in the application’s directory, tricking it into loading harmful code instead of the legitimate library during startup. The technique uses DLL proxying to forward calls to the real system library while executing payloads stealthily, maintaining normal app functionality to evade detection. Advanced hooking via Vectored Exception Handling and PAGE_GUARD flags intercepts API calls like CreateWindowExW without inline modifications, allowing persistent control and spawning of hidden processes. Defenses include application whitelisting, DLL loading monitoring, and signature validation to counter these attacks on trusted Microsoft processes.​ Read more​

The post Cybersecurity News Weekly Newsletter – Android and Cisco 0-Day, Teams Flaws, HackedGPT, and Whisper Leak appeared first on Cyber Security News.