Before we begin today's briefing, we have a critical security alert. CVE-2025-58034, a command injection in Fortinet FortiWeb, has been added to the CISA Known Exploited Vulnerabilities catalog.
Good morning. This is your security briefing for Tuesday, November 18, 2025, covering five critical developments in the threat landscape. All attribution is by the article authors, and all article analysis is automated.
0x0d4y Malware Research reports that North Korea's Lazarus APT Group deployed the ScoringMathTea RAT in their 'Gotta Fly' campaign, targeting UAV technology companies. The malware employs reflective DLL injection, API hashing, and TEA/XTEA-encrypted communications to steal intellectual property and potentially disrupt defense supply chains.
Binding Hook reveals that China has fundamentally shifted its cyber attribution counter-strategy from outright denial to producing sophisticated disinformation. Since 2021, Beijing has claimed that attributed threat groups like Volt Typhoon are Western fabrications, expanding these narratives beyond Western countries to Africa, Southeast Asia, and Latin America.
Mandiant's analysis of UNC1549 details an Iran-nexus threat group targeting aerospace, aviation, and defense industries through sophisticated phishing and supplier relationship exploitation. The group focuses on credential theft and intellectual property collection, compromising less secure third-party partners to pivot into high-security organizations.
JPCERT/CC has released YAMAGoya, an open-source threat hunting tool combining Event Tracing for Windows (ETW) monitoring with memory scanning using Sigma and YARA rules. The tool is designed to detect fileless malware and obfuscated threats, supporting both GUI and CLI operation with SIEM integration capabilities.
S2W Inc. has identified HeadCalls, a new Android malware family targeting Korean mobile users through voice phishing campaigns impersonating public and financial institutions. The malware abuses Android Accessibility Services to automatically grant permissions and force call forwarding, redirecting communications with banks and investigative agencies to attackers for financial fraud.