🛡️ InfoSec Blue Team Briefing

Wednesday, November 26, 2025

🎧 Audio Briefing

Good morning. This is your security briefing for Tuesday, November 25, 2025, covering nine critical security developments. All attribution is by the article authors, and all article analysis is automated.

The Cybersecurity and Infrastructure Security Agency reports that cyber threat actors are deploying commercial spyware to compromise mobile messaging applications through phishing, malicious QR codes, and zero-click exploits. The campaign targets high-value individuals including government, military, and political officials across the United States, Middle East, and Europe, granting unauthorized access to messaging apps and enabling complete device compromise.

The Acronis Threat Research Unit has identified TamperedChef, a global malvertising operation distributing malicious installers disguised as legitimate applications signed with valid digital certificates. The campaign primarily targets U.S. users in healthcare, construction, and manufacturing sectors, deploying obfuscated JavaScript backdoors for remote access and credential theft.

Morphisec reports that Russian-linked threat actors are distributing the StealC V2 infostealer through malicious .blend files on 3D asset-sharing platforms targeting Blender users. The malware exploits Blender's Auto Run Python Scripts feature and steals credentials from over 23 browsers, 100 extensions, cryptocurrency wallets, and messaging applications.

A major leak analyzed by Nariman Gharib has exposed Department 40, an IRGC cyber unit also known as APT35 and Charming Kitten. The leaked documents reveal personnel, organizational structure, and operational methods of this Iranian nation-state group that builds intelligence infrastructure enabling assassination operations.

Federal Communications Commission Commissioner Anna Gomez has released a dissenting statement regarding Salt Typhoon, described as the worst telecommunications hack in U.S. history. The highly coordinated nation-state attack breached American telecommunications infrastructure and affected targets including the President, exploiting vulnerabilities that were not addressed by existing cybersecurity requirements.

Kaspersky Lab reports that the ToddyCat APT group has evolved its techniques to steal business correspondence, deploying new tools including a PowerShell variant of TomBerBil and methods to steal Microsoft 365 access tokens. The group targets organizations relying on email for business operations, extracting cookies, passwords, and Outlook OST files to enable unauthorized access to sensitive business emails and cloud services.

Bitsight has identified attackers exploiting calendar subscription features to deliver malicious content to approximately 4 million devices, primarily Apple iOS and macOS systems. The attack technique leverages webcal requests and Base64-encoded URIs to automatically sync malicious calendar events containing phishing links and malware.

White Knight Labs details techniques attackers use to discreetly load malicious or vulnerable drivers into Windows systems while bypassing EDR detection. Methods include using unsigned drivers, exploiting vulnerable legitimate drivers through Bring Your Own Vulnerable Driver attacks, and modifying PE file structures to gain kernel-level privileges.

Finally, research from arianvp shows that macOS Tahoe introduces native support for Secure Enclave-backed SSH keys through hardware-isolated key storage and biometric authentication. The implementation uses Apple's Secure Enclave hardware security module to prevent key extraction and requires TouchID for authentication. That concludes today's briefing.

📰 Articles Covered