🛡️ InfoSec Blue Team Briefing

Sunday, November 30, 2025

🎧 Audio Briefing

Download MP3

Good morning. This is your security briefing for Saturday, November 29, 2025, covering 15 articles across malware threats, critical vulnerabilities, security tools, attack techniques, APT activity, threat research, and industry news. All attribution is by the article authors. All article analysis is automated.

Qi'anxin Threat Intelligence Center has exposed SetcodeRat, a Telegram-based trojan targeting Chinese-speaking regions that intercepts and modifies cryptocurrency wallet addresses while providing extensive remote control capabilities. The malware uses multi-stage execution with encrypted payloads and DLL sideloading, enabling keylogging, screenshot capture, file manipulation, and browser credential theft.

Nozomi Networks disclosed CVE-2025-11243, a critical vulnerability in Shelly Pro 4PM smart home devices that allows attackers to crash the device and lock users out of their smart home systems. The flaw stems from unbounded memory allocation in the Frozen library's json_scanf function, exploitable through a specially crafted message.

Researchers from Mississippi State University and The University of Alabama introduce IRSDA, an agent-orchestrated framework for autonomous and policy-compliant enterprise cyber defense. The framework integrates Self-Adaptive Autonomic Computing Systems with the MAPE-K loop to address limitations of traditional static rule-based intrusion detection systems.

A team of researchers has introduced GREBE, an object-driven kernel fuzzing technique that extends Syzkaller to uncover the full exploitation potential of Linux kernel bugs. Testing on 60 real-world bugs demonstrated GREBE's ability to identify higher exploitation potential, including converting seemingly unexploitable bugs into exploitable ones.

A technical tutorial from iximiuz demonstrates implementing an eBPF/XDP program for kernel-level rate limiting of network traffic to mitigate DoS attacks. The solution uses an LRU hash map to track per-client timestamps and packet counts, and provides high-performance packet filtering at the network interface level, before packets reach the kernel networking stack.
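As an added example that is not code from the iximiuz tutorial: a user-space C model of the per-source check an XDP rate limiter runs on every packet, with a small fixed-size array standing in for the BPF LRU hash map. Map size, window length and per-window limit are assumed values chosen to keep the eviction behaviour visible.

```c
/* User-space model of an XDP per-client rate limiter (added example).
 * In the kernel the same state lives in a BPF_MAP_TYPE_LRU_HASH keyed by
 * source IPv4; here a tiny array with LRU eviction stands in for that map. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAP_ENTRIES     4               /* assumed: tiny so eviction shows */
#define WINDOW_NS       1000000000ULL   /* assumed: 1 second window */
#define MAX_PER_WINDOW  3               /* assumed: packets per source/window */

enum verdict { VERDICT_PASS = 0, VERDICT_DROP = 1 };  /* XDP_PASS / XDP_DROP */

struct client_state {
    uint32_t saddr;         /* source IPv4 (host order); 0 marks an empty slot */
    uint64_t window_start;  /* ns timestamp when the current window began */
    uint32_t count;         /* packets seen in the current window */
    uint64_t last_used;     /* ns timestamp of last lookup, for LRU eviction */
};

static struct client_state lru_map[MAP_ENTRIES];

/* Find the slot for saddr, or claim an empty/least-recently-used one. */
static struct client_state *lookup_or_insert(uint32_t saddr, uint64_t now_ns) {
    struct client_state *victim = &lru_map[0];
    for (int i = 0; i < MAP_ENTRIES; i++) {
        if (lru_map[i].saddr == saddr) return &lru_map[i];
        if (lru_map[i].saddr == 0) { victim = &lru_map[i]; break; }
        if (lru_map[i].last_used < victim->last_used) victim = &lru_map[i];
    }
    memset(victim, 0, sizeof *victim);   /* evicted client starts fresh */
    victim->saddr = saddr;
    victim->window_start = now_ns;
    return victim;
}

/* Verdict for one packet from saddr observed at now_ns (fixed window). */
enum verdict rate_limit_packet(uint32_t saddr, uint64_t now_ns) {
    struct client_state *st = lookup_or_insert(saddr, now_ns);
    st->last_used = now_ns;
    if (now_ns - st->window_start >= WINDOW_NS) {  /* window expired */
        st->window_start = now_ns;
        st->count = 0;
    }
    if (st->count >= MAX_PER_WINDOW) return VERDICT_DROP;
    st->count++;
    return VERDICT_PASS;
}

void rate_limit_reset(void) { memset(lru_map, 0, sizeof lru_map); }
```

The LRU property is the caveat to keep in mind: when the map is full, the least recently seen client is evicted, so an undersized map lets a source that was being dropped re-enter with a fresh counter.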

Adepts of 0xCC have demonstrated a pure VBA implementation of the Kerberoasting attack technique that queries Active Directory for Service Principal Names and requests Kerberos tickets for offline password cracking. Organizations using Active Directory with configured SPNs are vulnerable if service accounts have weak passwords.

Researchers have published code reproducing the SETUP attack on RSA key generation, originally proposed by Young and Yung in 1996. The attack embeds a hidden trapdoor in RSA key pairs that appear normal but enable the attacker to later recover the victim's private key using their own secret key.

Gibson has released csrest and csbot, automation tools for Cobalt Strike operations that enable red teamers to execute complex post-exploitation workflows through YAML-driven configurations. The tools automate credential harvesting, privilege escalation, and other offensive operations through the Cobalt Strike REST API.

Wiz details three OAuth abuse techniques targeting Azure and Entra ID environments: Device Code Phishing to bypass MFA, Resource Owner Password Credentials flows for credential stuffing, and device registration for persistence using Primary Refresh Tokens. The article provides detection methods using Entra ID sign-in logs by analyzing key JWT fields.

Krebs on Security has unmasked Rey, identified as the technical operator and public persona of the cybercriminal group Scattered LAPSUS$ Hunters. The revelation provides attribution details about the group's operational structure and key personnel behind multiple high-profile attacks against technology companies.

According to infosec.pub, APT-C-35, also known as Brain Worm, has conducted recent trojan attack campaigns specifically targeting Pakistan. This represents continued nation-state threat activity by this advanced persistent threat group using new trojan malware variants.

Kaspersky Lab reports that the Tomiris APT group launched the Tomiris 2025 campaign targeting government and intergovernmental organizations in Russian-speaking regions and Central Asian countries. The group deploys multi-language malware modules and leverages open-source frameworks like Havoc and AdaptixC2 for remote access and long-term persistence.

ANSSI has released an analysis of mobile phone threats since 2015, documenting attacks by state-sponsored actors conducting espionage and surveillance, as well as cybercriminals pursuing financial theft. The report details exploitation of vulnerabilities across mobile networks, operating systems, and applications.

A security researcher has demonstrated a complete methodology for intercepting, decrypting, and spoofing Globalstar satellite uplink communications, according to a report on the Weixin Official Accounts Platform. The research presents a full technical reproduction of attacking the satellite communication provider's signal chain.

Arista Networks published a security advisory regarding vulnerabilities in the Arista Edge Threat Management NG Firewall product. Details of specific vulnerabilities and their impact are pending further disclosure.

📰 Articles Covered