Good morning. This is your security briefing for Sunday, November 30, 2025, covering 15 articles analyzed from yesterday's threat intelligence. All attribution is by the article authors, and all article analysis is automated.
ClearSky Cyber Security reports a new wiper malware named GamaWiper targeting Ukraine. The VBS-based attack exploits a vulnerable version of WinRAR (CVE-2025-80880) and represents another destructive cyberattack against Ukrainian infrastructure.
Researcher meeswicky1100 has published an investigation unmasking DredSoftLabs as a North Korean front company. This work represents ongoing efforts to identify and expose DPRK-affiliated organizations engaged in cyber operations.
SIMKRA analyzed China-linked threat actors who exploited multiple Ivanti Connect Secure VPN vulnerabilities in early 2024. The attackers deployed custom malware including PHANTOMNET and TONERJAM, performed lateral movement to Active Directory and VMware vCenter servers, and ultimately obtained Domain Admin credentials through AD CS attacks.
The Nextron Threat Research Team discovered a malicious VS Code extension masquerading as Material Icon Theme containing Rust-based implants. These implants target Windows and macOS developer environments and use an innovative command and control mechanism through Solana blockchain wallets with Google Calendar events as fallback.
Isaac Dunham examines the Risk-Based Alerting methodology for Microsoft Sentinel and Defender XDR. The article demonstrates how security teams can reduce alert fatigue by implementing dynamic risk scoring based on user account types and event characteristics, while noting its limitations for time-sensitive threats such as ransomware.
Ru Campbell provides a security guide outlining ten critical considerations for Microsoft 365 environments. The guide covers attack vectors including token theft, business email compromise, and data exfiltration, with defensive recommendations using Microsoft's security stack.
Nick Powers has released RelayInformer, a toolset using Python and BOF utilities to identify Extended Protection for Authentication enforcement levels on NTLM relay targets. The tool enables penetration testers to assess which targets have weak or missing EPA protections.
Intrinsec and Paul Saladin detail a lateral movement technique that abuses Group Policy Objects in Active Directory environments. Attackers create malicious GPOs with configurations like firewall rules, then use tools like SharpGPO to apply them to target computers through SYSVOL manipulation.
Darktrace observed a surge in sophisticated phishing attacks during Black Friday targeting consumers through brand impersonation of major retailers and luxury brands. Attackers used newly registered domains, domain generation algorithms, and redirect chains to bypass security filters for credential harvesting and malware delivery.
A codex-7 article demonstrates building custom Command and Control channels by hooking WinInet to tunnel malicious traffic over the ICMP protocol. The technique uses encoded ICMP packets to communicate with a Python broker script while evading standard HTTP monitoring.
Jonathan Bar Or describes command line spoofing techniques on Windows designed to evade EDR systems through PEB modification. Two methods are detailed: basic spoofing that overwrites command line buffers, and advanced spoofing that attempts buffer reallocation but causes process crashes.
SaadAhla has released an Anti-Sandbox GitHub repository containing techniques to detect and evade sandbox environments, specifically targeting AnyRun. The repository provides methods including VM detection through registry keys, timing-based attacks, and API hooking for penetration testers.
Ivan Spiridonov describes Living Off the Land techniques where attackers leverage legitimate Windows utilities like PowerShell, WMI, and certutil for post-exploitation. These techniques enable reconnaissance, credential harvesting, and lateral movement while evading signature-based security tools.
Rasta Mouse analyzes the Crystal Palace obfuscation tool, identifying detectable artifacts in its core mechanisms. The research focuses on the resolve_hook intrinsic used for IAT hooking and call stack spoofing, providing defenders with methods to identify Crystal Palace-protected payloads through assembly-level indicators.
Adan disclosed a phishing vulnerability in the AWS CLI's aws login remote command that abuses the OAuth 2.0 Authorization Code Flow. Attackers can trick developers into visiting malicious websites that generate legitimate AWS login URLs, then capture the verification codes to steal credentials and gain unauthorized access. This concludes today's briefing.