Hyper-V Malware, Malicious AI Bots, RDP Exploits, WhatsApp Lockdown and Extra

Cyber threats did not decelerate final week—and attackers are getting smarter. We’re seeing malware hidden in digital machines, side-channel leaks exposing AI chats, and spyware and adware quietly focusing on Android units within the wild.

However that is simply the floor. From sleeper logic bombs to a recent alliance between main menace teams, this week’s roundup highlights a transparent shift: cybercrime is evolving quick, and the traces between technical stealth and strategic coordination are blurring.

It is value your time. Each story right here is about actual dangers that your staff must find out about proper now. Learn the entire recap.

⚡ Menace of the Week

Curly COMrades Abuses Hyper-V to Disguise Malware in Linux VMs — Curly COMrades, a menace actor supporting Russia’s geopolitical pursuits, has been noticed abusing Microsoft’s Hyper-V hypervisor in compromised Home windows machines to create a hidden Alpine Linux-based digital machine and deploy malicious payloads. This technique permits the malware to run utterly outdoors the host working system’s visibility, successfully bypassing endpoint safety instruments. The marketing campaign, noticed in July 2025, concerned the deployment of CurlyShell and CurlyCat. The victims weren’t publicly recognized. The menace actors are mentioned to have configured the digital machine to make use of the Default Swap community adaptor in Hyper-V to make sure that the VM’s site visitors travels by way of the host’s community stack utilizing Hyper-V’s inner Community Tackle Translation (NAT) service, inflicting all malicious outbound communication to seem to originate from the official host machine’s IP tackle. Additional investigation has revealed that the attackers first used the Home windows Deployment Picture Servicing and Administration (DISM) command-line software to allow the Hyper-V hypervisor, whereas disabling its graphical administration interface, Hyper-V Supervisor. The group then downloaded a RAR archive masquerading as an MP4 video file and extracted its contents. The archive contained two VHDX and VMCX information equivalent to a pre-built Alpine Linux VM. Lastly, the menace actors used the Import-VM and Begin-VM PowerShell cmdlets to import the digital machine into Hyper-V and launch it with the identify WSL, a deception tactic meant to present the impression that the Home windows Subsystem for Linux was employed. “The sophistication demonstrated by Curly COMrades confirms a key pattern: as EDR/XDR options develop into commodity instruments, menace actors are getting higher at bypassing them by way of tooling or methods like VM isolation,” Bitdefender mentioned. The findings paint an image of a menace actor that makes use of subtle strategies to take care of long-term entry in goal networks, whereas leaving a minimal forensic footprint.

• ‘Whisper Leak’ That Identifies AI Chat Matters in Encrypted Site visitors — Microsoft has disclosed particulars of a novel side-channel assault focusing on distant language fashions that might allow a passive adversary with capabilities to watch community site visitors to glean particulars about mannequin dialog subjects regardless of encryption protections. “Cyber attackers able to watch the encrypted site visitors (for instance, a nation-state actor on the web service supplier layer, somebody on the native community, or somebody linked to the identical Wi-Fi router) might use this cyber assault to deduce if the person’s immediate is on a particular subject,” the corporate mentioned. The assault has been codenamed Whisper Leak. In a proof-of-concept (PoC) check, researchers discovered that it is attainable to glean dialog subjects from Alibaba, DeepSeek, Mistral, Microsoft, OpenAI, and xAI fashions with successful fee of over 98%. In response, OpenAI, Mistral, Microsoft, and xAI have deployed mitigations to counter the chance.
• Samsung Cell Flaw Exploited as Zero-Day to Deploy LANDFALL Android Spyware and adware — A now-patched safety flaw in Samsung Galaxy Android units was exploited as a zero-day to ship a “commercial-grade” Android spyware and adware dubbed LANDFALL in precision assaults in Iraq, Iran, Turkey, and Morocco. The exercise concerned the exploitation of CVE-2025-21042 (CVSS rating: 8.8), an out-of-bounds write flaw within the “libimagecodec.quram.so” element that might enable distant attackers to execute arbitrary code, in accordance with Palo Alto Networks Unit 42. The problem was addressed by Samsung in April 2025. LANDFALL, as soon as put in and executed, acts as a complete spy software, able to harvesting delicate knowledge, together with microphone recording, location, pictures, contacts, SMS, information, and name logs. Whereas Unit 42 mentioned the exploit chain might have concerned the usage of a zero-click method to set off the exploitation of CVE-2025-21042 with out requiring any person interplay, there are presently no indications that it has occurred or that there exists an unknown safety difficulty in WhatsApp to help this speculation. The Android spyware and adware is particularly designed to focus on Samsung’s Galaxy S22, S23, and S24 collection units, together with Z Fold 4 and Z Flip 4. There aren’t any conclusive clues but on who’s concerned, neither is it clear how many individuals had been focused or exploited.
• Hidden Logic Bombs in Malicious NuGet Packages Go Off Years After Deployment — A set of 9 malicious NuGet packages has been recognized as able to dropping time-delayed payloads to sabotage database operations and corrupt industrial management programs. The packages had been revealed in 2023 and 2024 by a person named “shanhai666” and are designed to run malicious code after particular set off dates in August 2027 and November 2028, except for one library, which claims to increase the performance of one other official NuGet package deal referred to as Sharp7. Sharp7Extend, because it’s referred to as, is about to activate its malicious logic instantly following set up and continues till June 6, 2028, when the termination mechanism stops by itself.
• Flaws in Microsoft Groups Expose Customers to Impersonation Dangers — A set of 4 now-patched safety vulnerabilities in Microsoft Groups might have uncovered customers to critical impersonation and social engineering assaults. The vulnerabilities “allowed attackers to control conversations, impersonate colleagues, and exploit notifications,” in accordance with Examine Level. These shortcomings make it attainable to change message content material with out leaving the “Edited” label and sender id and modify incoming notifications to alter the obvious sender of the message, thereby permitting an attacker to trick victims into opening malicious messages by making them seem as if they’re coming from a trusted supply, together with high-profile C-suite executives. The issues additionally granted the power to alter the show names in personal chat conversations by modifying the dialog subject, in addition to arbitrarily modify show names utilized in name notifications and in the course of the name, allowing an attacker to forge caller identities within the course of. The problems have since been addressed by Microsoft.
• Three Excessive-Profile Teams Come Collectively — Scattered LAPSUS$ Hunters (SLH), a merger shaped between Scattered Spider, LAPSUS$, and ShinyHunters, has cycled by way of at least 16 Telegram channels since August 8, 2025. The group, which has marketed an extortion-as-a-service providing and can be testing “Sh1nySp1d3r” ransomware, has now been recognized not simply as a fluid collaboration however as a coordinated alliance mixing the operational ways of the three high-profile prison clusters beneath a shared banner for extortion, recruitment, and viewers management. The brand new group is intentionally bringing collectively the reputational capital related to the manufacturers to create a potent, unified menace id. The hassle is being seen as the primary cohesive alliance inside The Com, a historically loose-knit community, leveraging the merger as a power multiplier for financially motivated assaults.

‎️‍🔥 Trending CVEs

Hackers transfer quick. They usually exploit new vulnerabilities inside hours, turning a single missed patch into a significant breach. One unpatched CVE will be all it takes for a full compromise. Under are this week’s most crucial vulnerabilities gaining consideration throughout the business. Assessment them, prioritize your fixes, and shut the hole earlier than attackers take benefit.

This week’s checklist consists of — CVE-2025-20354, CVE-2025-20358 (Cisco Unified CCX), CVE-2025-20343 (Cisco Id Companies Engine), CVE-2025-62626 (AMD), CVE-2025-5397 (Noo JobMonster theme), CVE-2025-48593, CVE-2025-48581 (Android), CVE-2025-11749 (AI Engine plugin), CVE-2025-12501 (GameMaker IDE), CVE-2025-23358 (NVIDIA App for Home windows), CVE-2025-64458, CVE-2025-64459 (Django), CVE-2025-12058 (Keras AI), CVE-2025-12779 (Amazon WorkSpaces consumer for Linux), CVE-2025-12735 (JavaScript expr-eval), CVE-2025-62847, CVE-2025-62848, CVE-2025-62849 (QNAP QTS and QuTS hero), CVE-2024-12886, CVE-2025-51471, CVE-2025-48889 (Ollama), CVE-2025-34299 (Monsta FTP), CVE-2025-31133, CVE-2025-52565, CVE-2025-52881 (RunC), CVE-2025-55315 (ASP.NET Core Kestrel server), CVE-2025-64439 (langgraph-checkpoint), CVE-2025-37735 (Elastic Defend on Home windows), and seven vulnerabilities in django-allauth.

📰 Across the Cyber World

• RDP Accounts Breached to Drop Cephalus Ransomware — A brand new Go-based ransomware referred to as Cephalus has been breaching organizations by stealing credentials by way of Distant Desktop Protocol (RDP) accounts that shouldn’t have multi-factor authentication (MFA) enabled since mid-June 2025. It is presently not recognized if it operates beneath a ransomware-as-a-service (RaaS). “Upon execution, it disables Home windows Defender’s real-time safety, deletes VSS backups, and stops key providers equivalent to Veeam and MSSQL to extend its encryption success fee and reduce the probabilities of restoration,” AhnLab mentioned. “Cephalus makes use of a single AES-CTR key for encryption, and this secret is managed to attenuate publicity on the disk and in reminiscence. Lastly, the AES secret is encrypted utilizing an embedded RSA public key, guaranteeing that solely menace actors with the corresponding RSA personal key can decrypt the important thing. It disrupts dynamic evaluation by producing a pretend AES key.”
• WhatsApp to Roll Out Enhanced Protections for Excessive-Threat Accounts — Customers beneath a better threat of being focused by hacking makes an attempt will quickly have the choice to allow an additional set of safety features on WhatsApp, in accordance with a beta model of the app analyzed by WABetaInfo. Much like Apple’s Lockdown Mode, the characteristic blocks media and attachments from unknown senders, provides calling and messaging restrictions, and allows different settings, together with silencing unknown callers, limiting automated group invitations to recognized contacts, disabling hyperlink previews, notifying customers about encryption code adjustments, activating two-step verification, and limiting the visibility of non-public info for unknown contacts.
• Aurologic Offers Internet hosting for Sanctioned Entities — German internet hosting supplier aurologic GmbH has emerged as a “central nexus throughout the international malicious infrastructure ecosystem” offering upstream transit and knowledge middle providers to a big focus of high-risk internet hosting networks, together with the Doppelgänger disinformation community and the not too long ago sanctioned Aeza Group, together with Metaspinner internet GmbH (AsyncRAT, njRAT, Quasar RAT), Femo IT Options Restricted (CastleLoader and different malware), World-Information System IT Company (Cobalt Strike, Sliver, Quasar RAT, Remcos RAT, and different malware), and Railnet. The corporate was established in October 2023. “Regardless of its core give attention to official community and knowledge middle operations, Aurologic has emerged as a hub for a few of the most abusive and high-risk networks working throughout the international internet hosting ecosystem,” Recorded Future mentioned.
• Australia Sanctions North Korean Menace Actors — The Australian Authorities has imposed monetary sanctions and journey bans on 4 entities and one particular person — Park Jin Hyok, Kimsuky, Lazarus Group, Andariel, and Chosun Expo — for partaking in cybercrime to help and fund North Korea’s illegal weapons of mass destruction and ballistic missile applications. “The size of North Korea’s involvement in malicious cyber-enabled actions, together with cryptocurrency theft, fraudulent IT work and espionage, is deeply regarding,” the International Affairs ministry mentioned.
• U.Ok. Takes Motion on Spoofed Cell Numbers — U.Ok. cell carriers will improve their networks to “get rid of the power for international name centres to spoof U.Ok. numbers.” The businesses will mark when calls come from overseas to stop scammers from impersonating U.Ok. cellphone numbers. The businesses may also roll out “superior name tracing expertise” to permit regulation enforcement the instruments to trace down scammers working throughout the nation and dismantle their operations. “It would make it more durable than ever for criminals to trick folks by way of rip-off calls, utilizing cutting-edge expertise to reveal fraudsters and convey them to justice,” the U.Ok. authorities mentioned.
• Safety Flaw in Superior Installer — A vulnerability has been disclosed in Superior Installer (model 22.7), a framework for constructing Home windows installers. The bug can allow menace actors to hijack app replace mechanisms and run malicious exterior code if replace packages are usually not digitally signed. By default, and in frequent observe, they aren’t digitally signed, Cyderes mentioned. In line with its web site, Superior Installer is utilized by builders and system directors in additional than 60 international locations “to package deal or repackage all the pieces from small shareware merchandise, inner purposes, and gadget drivers, to large mission-critical programs.” The safety threat poses a significant provide chain threat because of the reputation of Superior Installer, opening the door for Carry Your Personal Updates (BYOU), enabling attackers to hijack trusted updaters to execute arbitrary code, whereas bypassing safety controls. “These assaults are particularly harmful as a result of they exploit belief and scale: a single poisoned replace from a broadly used software (for instance, an installer or construct software like Superior Installer) can silently distribute signed, trusted malware to numerous international firms, inflicting broad knowledge theft, operational outages, regulatory penalties, and extreme reputational injury throughout many sectors,” safety researcher Reegun Jayapaul mentioned.
• Jailbreak Detection in Authenticator App — Microsoft mentioned it is going to introduce Jailbreak/Root detection for Microsoft Entra credentials within the Authenticator app beginning February 2026. “This replace strengthens safety by stopping Microsoft Entra credentials from performing on jail-broken or rooted units. All present credentials on such units will likely be wiped to guard your group,” it mentioned. The change applies to each Android and iOS units.
• Unhealthy Actors Exploit Flaws in RMM Software program — Menace actors have been discovered exploiting recognized safety vulnerabilities within the SimpleHelp Distant Monitoring and Administration (RMM) platform (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728) to realize downstream entry into buyer environments and deploy Medusa and DragonForce ransomware. “By compromising third-party RMM servers working as SYSTEM, attackers achieved full management over sufferer networks, deploying discovery instruments, disabling defences, exfiltrating knowledge through RClone and Restic, and eventually encrypting programs,” Zensec mentioned.
• Cambodia Raids Rip-off Compounds in Bavet city — The Cambodian authorities raided two cyber rip-off compounds within the metropolis of Bavet on November 4, 2025, taking greater than 650 suspects, largely international nationals, into custody. One rip-off compound specialised in impersonating authorities authorities to threaten victims, whereas the second web site ran pretend high-profit funding schemes, solid banking platforms, romance scams, pretend marathon registrations, and the usage of AI deepfake movies and pictures to forge identities.
• Samourai Pockets Co-Founder Sentenced to five Years in Jail — Keonne Rodriguez, the co-founder and CEO of cryptocurrency mixing service Samourai Pockets, was sentenced to 5 years in jail. Authorities shut down the Samourai Pockets web site in April 2024. The service was used to launder greater than $237 million in cryptocurrency linked to hacks, on-line fraud, and drug trafficking. Samourai Pockets CTO William Lonergan Hill is predicted to be sentenced later this month. Each people pleaded responsible to cash laundering expenses again in August.
• Russian Man Pleads Responsible for Yanluowang Assaults — A 25-year-old Russian nationwide, Aleksei Olegovich Volkov, has pleaded responsible to hacking U.S. firms and promoting entry to ransomware teams. Volkov went on-line beneath the hacker identify of chubaka.kor, and labored as an preliminary entry dealer (IAB) for the Yanluowang ransomware by exploiting safety flaws between July 2021 and November 2022. As many as seven U.S. companies had been attacked throughout that interval, out of which an engineering agency and a financial institution paid a mixed $1.5 million in ransoms. Volkov was arrested on January 18, 2024, in Rome and was later extradited to the U.S. to face expenses.
• Malicious AI Bots Impersonate Legit Brokers — Menace actors have been discovered to develop and deploy bots that impersonate official AI brokers from suppliers like Google, OpenAI, Grok, and Anthropic. “Malicious actors can exploit up to date bot insurance policies by spoofing AI agent identities to bypass detection programs, probably executing large-scale account takeover (ATO) and monetary fraud assaults,” Radware mentioned. “Attackers want solely spoof ChatGPT’s person agent and use residential proxies or IP spoofing methods to be categorised as a “good AI bot” with POST permissions.”
• Faux Installers Mimic Productiveness Instruments in Ongoing Campaigns — Data stealer campaigns are leveraging malicious installers impersonating official productiveness instruments with backdoor functionality, that are doubtless created utilizing EvilAI to distribute malware generally known as TamperedChef/BaoLoader. “The backdoor can be able to extracting DPAPI secrets and techniques and supplies full command-and-control performance, together with arbitrary command execution, file add and obtain, and knowledge exfiltration,” CyberProof mentioned. “In most noticed instances, the malware proceeds with the deployment of second-stage binaries and establishes extra persistence mechanisms, equivalent to ASEP registry run keys and .LNK startup information.”

🎥 Cybersecurity Webinars

• Study How Prime Consultants Safe Multi-Cloud Workloads With out Slowing Innovation — Be part of this expert-led session to learn to defend your cloud workloads with out slowing innovation. You will uncover easy, confirmed methods to regulate identities, meet international compliance guidelines, and cut back threat throughout multi-cloud environments. Whether or not you’re employed in tech, finance, or operations, you will depart with clear, sensible steps to strengthen safety and hold what you are promoting agile, compliant, and prepared for what’s subsequent.
• Guardrails, Not Guesswork: How Mature IT Groups Safe Their Patch Pipelines — Be part of this session to learn to patch sooner with out dropping safety. You will see actual examples of how group repositories like Chocolatey and Winget can expose your community if not managed safely — and get clear, sensible guardrails to keep away from it. Gene Moody, Discipline CTO at Action1, will present you precisely when to belief group repos, when to go vendor-direct, and tips on how to stability pace with security so your patching stays quick, dependable, and safe.
• Uncover How Main Enterprises Are Slicing Publicity Time in Half with DASR — Be part of this stay session to find how Dynamic Assault Floor Discount (DASR) helps you chop by way of limitless vulnerability lists and truly cease assaults earlier than they occur. You will see how good automation and context-driven choices can shrink your assault floor, shut hidden entry factors, and free your staff from alert fatigue. Stroll away with a transparent plan to scale back exposures sooner, strengthen defenses, and keep one step forward of hackers—with out including further work.

🔧 Cybersecurity Instruments

• FuzzForge is an open-source software that helps safety engineers and researchers automate software and offensive safety testing utilizing AI and fuzzing. It enables you to run vulnerability scans, handle workflows, and use AI brokers to investigate code, discover bugs, and check for weaknesses throughout totally different platforms. It is constructed to make cloud and AppSec testing sooner, smarter, and simpler to scale for people and groups.
• Butler is a software that scans all repositories in a GitHub group to search out and evaluate workflows, actions, secrets and techniques, and third-party dependencies. It helps safety groups perceive what runs of their GitHub atmosphere and produces easy-to-read HTML and CSV studies for audits, compliance checks, and workflow administration.
• Discover-WSUS is a PowerShell software that helps safety groups and system admins discover each WSUS server outlined in Group Coverage. It checks each regular coverage settings and hidden Group Coverage Preferences that do not present up in customary studies. This issues as a result of a compromised WSUS server can push pretend updates and take management of all area computer systems. Utilizing Discover-WSUS ensures you recognize precisely the place your replace servers are configured—earlier than attackers do.

Disclaimer: These instruments are for academic and analysis use solely. They have not been absolutely security-tested and will pose dangers if used incorrectly. Assessment the code earlier than attempting them, check solely in secure environments, and comply with all moral, authorized, and organizational guidelines.

🔒 Tip of the Week

Cease Delicate Information From Reaching AI Chats — Many groups use AI chat instruments to get issues finished sooner, like writing scripts, fixing bugs, or making studies shorter. However all the pieces typed into these programs leaves your organization community and could also be saved, logged, or reused. If that knowledge consists of credentials, inner code, or consumer info, it turns into a simple leak level.

Attackers and insiders can retrieve this knowledge later, or fashions might by chance expose it in future outputs. One careless immediate can expose much more than anticipated.

✅ Add a safety layer earlier than the AI. Use OpenGuardrails or comparable open-source frameworks to scan and block delicate textual content earlier than it is despatched to the mannequin. These instruments combine straight into your apps or inner chat programs.

✅ Pair it with DLP monitoring. Instruments like MyDLP or OpenDLP can watch outbound knowledge for patterns like passwords, API keys, or consumer identifiers.

✅ Create immediate insurance policies. Outline what staff can and may’t share with AI programs. Deal with prompts like knowledge, leaving your community.

Do not belief AI firms to maintain your secrets and techniques secure. Add guardrails to your workflow and regulate what leaves your area. You don’t need delicate knowledge to finish up coaching another person’s mannequin.

Conclusion

Simply studying headlines will not minimize it. These assaults present what’s coming subsequent—extra hidden, extra centered, and more durable to identify.

Whether or not you’re employed in safety or simply wish to keep within the loop, this replace breaks it down quick. Clear, helpful, no further noise. Take a couple of minutes and get caught up earlier than the following large menace lands.