🛡️ InfoSec Blue Team Briefing

Thursday, November 27, 2025

🎧 Audio Briefing

Good morning. This is your security briefing for Wednesday, November 26, 2025, covering 9 articles analyzed overnight. All attribution is by the article authors, and all article analysis is automated.

Communications Security Establishment Canada has issued a joint statement warning that Canadian critical infrastructure sectors including power, water, health, finance, and transportation are experiencing increased malicious cyber activity. State-sponsored actors are pre-positioning for potential service disruptions during crises, while non-state cybercriminals target infrastructure for financial gain and geopolitical motives.

SlowMist reports that the DPRK systematically violates UN sanctions through state-sponsored cyber operations, stealing an estimated 1.19 billion dollars in 2024 and 1.65 billion dollars in the first nine months of 2025, primarily through cryptocurrency theft. These operations target exchanges, defense industrial base entities, and government institutions using malware, supply chain intrusions, and social engineering.

NSHC ThreatRecon Team has analyzed multi-stage attacks by SectorA01, also known as Lazarus Group, that use Tsunami malware disguised as cryptocurrency trading applications. The attack chain progresses through several stages, including an NSIS installer, JavaScript frameworks, and Python-based malware, and primarily targets the cryptocurrency industry.

Jamf Threat Labs has identified FlexibleFerret, a macOS backdoor linked to DPRK-aligned operators, distributed through fake job recruitment websites in the Contagious Interview campaign. Victims are socially engineered into executing Terminal commands that download multi-stage payloads, establishing a Golang-based backdoor capable of credential theft and command execution.

The Canadian Centre for Cyber Security has assessed cyber threats targeting Canada's water and wastewater systems from financially motivated cybercriminals and state-sponsored actors. Primary attacks focus on Operational Technology networks including SCADA and IIoT devices, with state actors aiming to cause societal chaos while cybercriminals seek financial gain through ransomware.

Arctic Wolf Networks reports that Russian-aligned threat group RomCom used the SocGholish malware delivery framework to deploy Mythic Agent loader against a U.S. civil engineering firm with Ukraine connections. This marks the first observed case of RomCom payloads distributed via SocGholish, highlighting the group's targeting of entities with even minor connections to Ukraine.

AhnLab Security Intelligence Center has identified the UNC5174 threat actor group deploying a Discord bot-based backdoor that uses the Discord API for command-and-control communication. The malware achieves a very low detection rate of 1 out of 64 engines on VirusTotal and enables persistent system control through traffic that appears legitimate.

Consumer Reports has launched KeyDrop, a cybersecurity research project that scans the internet for publicly exposed API keys and reports them to service providers. As of September 2025, KeyDrop had identified 4,700 instances of exposed OpenAI keys, which create significant risks including financial losses through cryptomining and data theft from cloud environments.

InfoSec.pub reports on a sophisticated phishing campaign targeting job seekers that uses compromised email accounts to send fake job offers impersonating recruiters from well-known companies. The attackers employ credential harvesting sites and deliver malware through malicious attachments, using social engineering tactics and URL shortening services to evade detection. That concludes this briefing.

📰 Articles Covered