🛡️ InfoSec Blue Team Briefing

Friday, November 21, 2025

Good morning. This is your security briefing for Thursday, November 20, 2025, covering 15 articles analyzed across attack techniques, nation-state operations, and critical vulnerabilities. All attribution is by the article authors, and all article analysis is automated.

Chollima Group researchers documented a Man-in-the-Middle attack technique targeting Microsoft Teams that uses a reverse proxy to intercept and modify traffic. The attack method enables credential theft, MFA bypass, and malicious content injection against organizations using MS Teams.

Security researchers at infosec.pub disclosed 'Pixnapping,' a novel attack technique that exploits vulnerabilities in Android browser image rendering to execute malicious code embedded in PNG files. The attack enables cross-site scripting, allowing attackers to steal cookies, hijack sessions, and bypass Content Security Policy protections.

AhnLab Security Intelligence Center reports that APT actors exploited CVE-2025-59287, a remote code execution vulnerability in Microsoft WSUS, to deploy ShadowPad backdoor malware with system privileges. Organizations with exposed WSUS servers should apply Microsoft patches immediately while monitoring for suspicious PowerShell and command-line activity.

Google Cloud reports that APT24, a China-linked threat actor, has conducted a three-year cyber espionage campaign targeting organizations in Taiwan using BADAUDIO malware for persistent access. The group has evolved from broad web compromises to sophisticated multi-vector attacks including supply chain compromise through a digital marketing firm.

CyberArmor documented Autumn Dragon, a China-nexus APT group conducting sustained espionage campaigns against government, media, and news sectors across Southeast Asia, including Laos, Cambodia, Singapore, the Philippines, and Indonesia. The threat actors employed DLL sideloading techniques to compromise targets of interest.

Orange Cyberdefense reports that Operation DreamJob targeted an Asian subsidiary of a European manufacturing organization in August 2025 using WhatsApp-based social engineering with job lures. The attackers deployed BURNBOOK malware via DLL sideloading and conducted hands-on-keyboard activities for at least six hours using compromised WordPress sites for command and control infrastructure.

Amazon Web Services reports that Iranian nation-state actors Imperial Kitten and MuddyWater are conducting cyber-enabled kinetic targeting operations that bridge digital and physical warfare. These operations use multi-layered infrastructure including compromised CCTV and maritime systems to provide real-time intelligence for physical attacks on shipping vessels and critical infrastructure.

Atlantic Council's report analyzes nation-state cyber threats and the weaponization of cyberspace targeting critical infrastructure, governments, and democratic processes. The report emphasizes sophisticated cyberattacks, disinformation campaigns, and geopolitical tensions as key security challenges requiring proactive defense strategies and international cooperation.

FalconForce reports that Microsoft Defender for Endpoint introduced a Custom Collection feature allowing organizations to define custom rules for collecting telemetry data beyond standard capabilities. FalconForce released TelemetryCollectionManager, a toolkit for managing collection rules via YAML files and the Defender API.

Microsoft announced a preview feature for Defender for Endpoint that enables custom telemetry collection beyond default settings. Organizations can define rule-based filters to capture specific endpoint events and route them to Microsoft Sentinel workspaces for enhanced threat hunting and security monitoring.

A comprehensive technical analysis published by MDPI examines BlackCat ransomware, a Ransomware-as-a-Service operation that emerged in November 2021. The ransomware is notable for using the Rust programming language for cross-platform compatibility and for employing double-extortion tactics, exfiltrating data before encryption.

Kaspersky Lab discovered the Tsundere botnet in mid-2025, which uses Node.js and abuses Ethereum smart contracts to store command-and-control server addresses. The botnet spreads via MSI installers disguised as legitimate software and features a marketplace that allows malicious actors to register, create bots, and offer services.

SpecterOps disclosed a vulnerability in System Center Configuration Manager that could allow attackers to compromise the entire SCCM hierarchy through its integration with Entra ID. The vulnerability was addressed in patch KB35360093 and affects organizations using SCCM with Entra ID integration.

Project Zero disclosed an Elevation of Privilege vulnerability, CVE-2025-60718, in Windows Administrator Protection's RAiLaunchAdminProcess function. The vulnerability allows low-privileged processes to exploit improper application name validation to gain administrator privileges through DLL planting attacks.

Salesforce detected unusual activity involving Gainsight-published applications that may have enabled unauthorized access to customer Salesforce data through the app's external connection. Salesforce revoked all active tokens for Gainsight applications and temporarily removed them from AppExchange, noting the issue originated from the Gainsight application connection, not from vulnerabilities in the Salesforce platform itself.

📰 Articles Covered