Chinese and Russian APT activity tracked, multiple breach disclosures, ShadowV2 observed and malicious npm packages identified
APT: updates on China- and Russia-linked adversaries
Security researchers have uncovered Operation WrtHug, a campaign that in recent months has targeted SOHO devices worldwide by exploiting n-day vulnerabilities in the AiCloud service to obtain elevated privileges on end-of-life ASUS WRT routers. The operation impacts thousands of devices—primarily in Taiwan, the United States and Russia, and to a lesser extent in Southeast Asia and Europe. The attackers, likely based in China, exploit six different flaws in ASUS WRT AC and AX series routers for initial access: CVE-2023-41345, CVE-2023-41346, CVE-2023-41347, CVE-2023-41348, CVE-2024-12912 and CVE-2025-2492. The latter, the only one rated critical, can be triggered via specially crafted requests on routers with AiCloud enabled. Also attributed to China, a cyber-espionage campaign conducted by APT31 has been observed targeting the Russian IT sector. Initial access traces back to late-2022 compromises and 2024 phishing waves using fake messages delivering archives containing LNK files that execute decoy documents and CloudyLoader to deploy Cobalt Strike. In addition, two variants of ClickFix were observed in which adversaries hide malicious code within PNG pixel data. The first variant aims to load a reflective .NET assembly named Stego Loader; the second features frequently changing variables and hosting URLs, delivering final payloads such as Lumma Stealer and Rhadamanthys. Furthermore, ToddyCat APT was seen adopting a new PowerShell variant of the TomBerBil malware family, designed to extract cookies and saved browser credentials. The updated version executes on domain controllers with elevated privileges and accesses browser files via SMB shared resources. Besides Chrome and Edge, it now also supports Firefox. 
On the Russian side, researchers analyzed a multi-stage attack attributed to EncryptHub (aka Water Gamayun and LARVA-208), in which a seemingly innocuous web search led to sophisticated exploitation of the MSC EvilTwin CVE-2025-26633 vulnerability, ultimately delivering hidden PowerShell payloads, a loader and an unidentified final malware. Also linked to Moscow, an unsuccessful targeted attack was identified against a U.S. civil-engineering company by the Cuba Team (RomCom) group through SocGholish (FakeUpdate) infrastructure operated by DEV-0856, acting as an Initial Access Broker. The attack followed the classic SocGholish chain, compromising legitimate websites via malicious JavaScript injections presenting fake software updates to deliver the Mythic agent.
Data breaches: victims worldwide
Everest Team claimed responsibility for compromising Iberia, the Spanish airline. In recent days, the company began notifying customers of a security incident involving unauthorized access at one of its external providers, exposing full names, e-mail addresses and Iberia Club loyalty card identifiers. The adversary claims to have exfiltrated 596 GB of data, including 430 GB of .eml files containing over 5 million records, with information reportedly including names, contact details, birthdates, travel and booking details, partially masked credit-card data and marketing profiles. Meanwhile, Salesforce reported detecting unusual activity involving Gainsight-published applications, installed and managed directly by customers, which may have enabled unauthorized access to Salesforce data via the app connection. The company stated that it notified affected customers directly and reiterated that no vulnerabilities in the Salesforce platform have been identified. The activity appears solely related to the external connection used by Gainsight apps. U.S. cybersecurity firm CrowdStrike identified and terminated an employee who shared internal system screenshots with the collective known as Scattered Lapsus$ Hunters, while confirming that no systems were compromised and customer data remained protected. Harvard University disclosed that IT systems used by the Office of Alumni Affairs and Development were breached by unauthorized actors following a vishing attack. Additionally, U.S. firm SitusAMC reported that on 12 November 2025 it detected an incident that resulted in the compromise of certain data stored in its systems, including corporate documentation related to relationships with specific clients, such as accounting records and legal agreements, which may also include information pertaining to those clients’ end customers. INC RANSOM Team claimed responsibility for the attack on the OnSolve CodeRED platform, which disrupted emergency-notification systems used by U.S. state and local governments, police departments and fire agencies. The adversary claims to have compromised OnSolve’s systems on 1 November 2025 and encrypted files on 10 November, which were later offered for sale after ransom payment was not made. Cox Enterprises, Mazda, Canon and Dartmouth College—following TA505’s claims—confirmed they were affected by the large-scale extortion campaign targeting Oracle E-Business Suite (EBS) users via exploitation of CVE-2025-61882. On Wednesday 26 November, OpenAI announced that Mixpanel, a third-party analytics provider used for frontend analytics on its API product interface, suffered a cyberattack on 9 November 2025. The provider identified unauthorized access to part of its systems and the export of a dataset containing limited customer-identifiable information and analytics data. The incident did not involve unauthorized access to OpenAI’s infrastructure, remained confined to Mixpanel’s systems, and did not affect users of ChatGPT or other products. Finally, Milano Ristorazione S.p.A., a company owned by the Municipality of Milan, stated that it suffered a malware attack on 24 November 2025, which also affected its communication channels with customers.
Malware: Mirai variant and infected npm packages observed
At the end of October 2025, during a global AWS outage, researchers detected the spread of ShadowV2, an evolved variant of Mirai designed to compromise IoT devices. Malicious activity peaked during the AWS blackout, likely as preparatory testing for future operations. Attackers exploited vulnerabilities in devices from multiple vendors, including DD-WRT (CVE-2009-2765), D-Link (CVE-2020-25506, CVE-2022-37055, CVE-2024-10914, CVE-2024-10915), DigiEver (CVE-2023-52163), TBK (CVE-2024-3721) and TP-Link Archer routers (CVE-2024-53375), distributing the malware via downloader scripts hosted on specific IP addresses. The impact was global, hitting 28 countries, including Italy. The threat’s offensive capabilities include multilayer DDoS attacks such as multiple UDP flood variants, TCP SYN flood, TCP ACK and ACK STOMP, as well as HTTP flood, all remotely controlled via the C2 server. Also this week, hundreds of trojanized versions of well-known npm packages such as Zapier, ENS Domains, PostHog and Postman were observed as part of a new Shai-Hulud supply-chain campaign. Malicious packages were added to npm over the weekend to steal secrets from developers and CI/CD systems. The campaign introduces a new variant executing malicious code during the pre-installation phase, significantly increasing potential exposure across build and runtime environments. As with the Shai-Hulud attack first uncovered in September 2025, the latest activity publishes the stolen secrets on GitHub—this time under the repository description “Sha1-Hulud: The Second Coming.”
Weekly Threats is Telsy’s weekly update on the latest developments regarding cyberattacks and threat actors worldwide, produced by our Threat Intelligence & Response team.
The team is made up of security analysts and researchers with both technical and investigative expertise, as well as recognized international experience.
Through continuous monitoring of cyber threats and geopolitical events, it produces and provides organizations with valuable information to anticipate attacks and understand their impact, while ensuring a reliable partner in the event of a cyber incident.
Discover more about our Cyber Threat Intelligence solution.
