Good morning. This is your security briefing for Thursday, November 27, 2025, covering 12 articles across security tools, attack techniques, malware operations, data breaches, and nation-state activity. All attribution is by the article authors, and all article analysis is automated.
Amazon Security reports on their Autonomous Threat Analysis system, an AI-powered security platform that uses red-team and blue-team agents to proactively simulate adversary techniques. The system, which grew out of an August 2024 hackathon, automatically validates detection coverage and generates improved security rules, and it achieved perfect precision and recall in the case studies reported.
Bluraven presents a detection method for identifying Cobalt Strike HTTP beacons by exploiting the tool's predictable use of single GET and POST URIs for command and control. The technique analyzes web proxy logs to find internal hosts communicating with low-prevalence domains using only one or two unique URIs, providing coverage against commonly used cracked versions employed by ransomware affiliates and nation-state actors.
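The heuristic summarised above reduces to a small aggregation over proxy logs: per internal host and destination domain, count distinct URIs and requests, and compare the domain's prevalence across the fleet. The following Python is an added example written for this briefing, not code from the Bluraven article; the log format, the sample lines, the domain names and the thresholds (at most two URIs, at most two internal hosts per domain, at least three requests) are all constructed assumptions, and a real deployment would also allow-list known CDNs and update services before triage.

```python
"""
Hunt for Cobalt Strike-style HTTP beacons in web proxy logs.

Heuristic: a default HTTP beacon uses one GET URI (check-in) and one POST
URI (task results) against its team server, so an internal host that
repeatedly contacts a domain few other hosts visit, using only one or two
distinct URIs, deserves a closer look. Thresholds are assumptions, not
values from the original article.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample proxy log (not from any real environment).
# Format per line: src_ip method host path
SAMPLE_LOG = """\
10.0.0.5 GET updates-cdn.example.com /api/v1/check
10.0.0.5 POST updates-cdn.example.com /api/v1/submit
10.0.0.5 GET updates-cdn.example.com /api/v1/check
10.0.0.5 GET www.example-news.org /index.html
10.0.0.5 GET www.example-news.org /world/story-1
10.0.0.5 GET www.example-news.org /world/story-2
10.0.0.7 GET www.example-news.org /index.html
10.0.0.9 GET www.example-news.org /index.html
10.0.0.5 GET shared-cdn.example.net /app.js
10.0.0.7 GET shared-cdn.example.net /app.js
10.0.0.9 GET shared-cdn.example.net /app.js
10.0.0.11 GET shared-cdn.example.net /app.js
10.0.0.7 GET onetime.example.org /
"""

Record = Tuple[str, str, str, str]  # (src, method, host, path)


@dataclass(frozen=True)
class Finding:
    src: str
    host: str
    uris: Tuple[str, ...]
    methods: Tuple[str, ...]
    requests: int
    prevalence: int  # number of distinct internal hosts that contacted this domain


def parse_proxy_log(text: str) -> List[Record]:
    """Parse the whitespace-separated sample format; malformed lines are skipped."""
    records: List[Record] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            continue
        src, method, host, path = parts
        records.append((src, method.upper(), host.lower(), path))
    return records


def find_low_uri_beacons(records: List[Record], max_uris: int = 2,
                         max_prevalence: int = 2, min_requests: int = 3) -> List[Finding]:
    """Flag (host, domain) pairs with few URIs, low domain prevalence and repeated contact."""
    hosts_per_domain: Dict[str, Set[str]] = defaultdict(set)
    paths: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    methods: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    counts: Dict[Tuple[str, str], int] = defaultdict(int)

    for src, method, host, path in records:
        hosts_per_domain[host].add(src)
        key = (src, host)
        paths[key].add(path)
        methods[key].add(method)
        counts[key] += 1

    findings: List[Finding] = []
    for (src, host), uri_set in paths.items():
        prevalence = len(hosts_per_domain[host])
        if (len(uri_set) <= max_uris
                and prevalence <= max_prevalence
                and counts[(src, host)] >= min_requests):
            findings.append(Finding(src, host, tuple(sorted(uri_set)),
                                    tuple(sorted(methods[(src, host)])),
                                    counts[(src, host)], prevalence))
    # Rarest domains first, then the chattiest pairs.
    findings.sort(key=lambda f: (f.prevalence, -f.requests, f.src, f.host))
    return findings


def hunt(text: str = SAMPLE_LOG, **thresholds) -> List[Finding]:
    return find_low_uri_beacons(parse_proxy_log(text), **thresholds)


if __name__ == "__main__":
    for f in hunt():
        print(f"{f.src} -> {f.host}: {f.requests} requests, uris={f.uris}, "
              f"methods={f.methods}, prevalence={f.prevalence}")
```

In the constructed sample only 10.0.0.5 talking to updates-cdn.example.com survives all three gates; the news site is visited by too many hosts with too many URIs, the shared CDN has one URI but high prevalence, and the one-off request to onetime.example.org fails the repeat-contact gate unless min_requests is lowered. Tuning those three thresholds against a baseline of your own proxy data is the real work.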
FFRI Security and researcher Koh Nakagawa have released Custom Mach-O Image Loader, an open-source project featuring a modified dynamic linker for loading unsigned Mach-O files from memory on macOS systems. The tool demonstrates in-memory loading techniques relevant for understanding binary execution and defense evasion methods.
CodeXTF2 has released a proof-of-concept template for developing custom Command and Control channels for Cobalt Strike using Import Address Table hooks applied via reflective loader. This technique hooks Windows APIs to intercept callback data, providing an alternative to Cobalt Strike's ExternalC2 interface for stealthy communications.
Security researcher Hitesh Duseja reports on a revival of the Pass-The-Cert attack technique from 2020, which enables lateral movement across Entra ID-joined devices. The attack allows adversaries to impersonate users by obtaining and leveraging Peer-to-Peer certificates to move laterally within compromised environments.
VulnCheck identified an attacker operating a private out-of-band application security testing service on Google Cloud infrastructure to conduct targeted exploit operations, primarily focused on Brazil with additional activity in Serbia and Turkey. The operation involved approximately 1,400 exploit attempts across 200 CVEs using custom Fastjson payloads, with Google Cloud infrastructure allowing malicious traffic to blend with legitimate communication.
Huntress reports on a ClickFix malware campaign using steganography to hide malicious payloads within images, delivered through fake software update pages and consent verification lures. The malware uses multi-stage URL chains to deliver payloads that can lead to system compromise, data theft, and secondary infections by disguising itself as legitimate Windows updates.
DeceptIQ provides field notes on the evolution of command and control evasion techniques, including BOFs, shellcode, and sleep obfuscation, while more advanced methods like RISC-V VM remain underutilized. Traditional signature-based and runtime behavior EDR systems face increasing challenges as evasion techniques themselves become detectable signatures, creating a continuous adversarial evolution cycle.
The U.S. Attorney's Office for the Southern District of Texas reports that former IT contractor Maxwell Schultz hacked his ex-employer's network after termination by impersonating another contractor to obtain credentials. He executed a PowerShell script that reset approximately 2,500 passwords, locking thousands of employees out of their systems and causing over $862,000 in damages.
Reuters reports that Polish authorities arrested a Russian citizen in Krakow on suspicion of hacking IT systems and gaining unauthorized access to databases of multiple Polish companies. The incident is part of broader Russian cyber threats against Poland and European nations amid the ongoing war in Ukraine.
The National Institute for Defense Studies has published the China Security Report analyzing China's strategic and military trends and their impact on international security. The report focuses on China's growing military and economic power and implications for Japan and East Asian countries.
Analysis of North Korea's Contagious Interview operation reveals a systematic campaign targeting developers through malicious npm packages that deliver the OtterCookie infostealer and remote access trojan. The attackers use fake job interviews to trick developers, particularly in the blockchain and Web3 sectors, into installing typosquatted packages that execute second-stage payloads from GitHub and Vercel infrastructure, stealing credentials and cryptocurrency wallets and establishing remote access. That concludes today's briefing.