Good morning. This is your security briefing for Saturday, November 15, 2025, covering six critical developments in the threat landscape. All attribution is by the article authors, and all article analysis is automated.
Ricardo Ruiz documented SAMDump, a Windows credential theft tool that automates extraction of the SAM and SYSTEM registry hives through the Volume Shadow Copy Service API rather than the vssadmin command. The tool, which requires administrator privileges to run, offers multiple exfiltration methods and XOR obfuscation of the extracted files, both intended to evade detection mechanisms that monitor vssadmin usage.
Knownsec 404 Team's GhostX R&D division developed an offensive security platform for military and public security use that integrates automated Wi-Fi attack capabilities. The platform automates attack chains against WEP, WPA2, and WPA3 networks, including WEP cracking, Karma attacks, and KRACK exploits, exposed through CLI commands with JSON reporting.
Researchers at keowu documented Ryūjin, a custom binary-to-binary obfuscator for Windows PE x64 binaries that implements code virtualization, anti-debugging, and IAT protection. The article covers both how the obfuscator was built and how its protected binaries can be fully deobfuscated, giving defenders insight into advanced evasion techniques.
Amazon Web Services reported that Amazon Inspector detected over 150,000 malicious packages in the npm registry linked to a token farming campaign that exploits tea.xyz's cryptocurrency reward system. This is one of the largest package flooding incidents in open-source registry history and creates significant supply chain risk for anyone resolving dependencies from the registry.
IIJ Security Diary reported that UNC5174, a threat actor with potential ties to China's Ministry of State Security, deployed the Windows variant of the SNOWLIGHT malware against Japanese organizations in October 2025. SNOWLIGHT functions as a shellcode loader that delivers VShell, a Go-based remote access trojan that communicates with its C2 server over WebSocket.
Tencent researchers presented methods for using large language models to assist in the automated discovery of driver vulnerabilities of the kind abused in Bring Your Own Vulnerable Driver (BYOVD) attacks. The research focuses on applying AI and machine learning to improve automated vulnerability discovery in driver-based attack vectors that grant kernel-level access.