EvilBit Threat Digest - The Long November: Patch Tuesday, Zero-Days, and Attackers’ Creativity
A roundup of November’s critical patches, active exploits, APT campaigns, supply chain attacks, and evolving phishing threats.
Well, it was Patch Tuesday. And like clockwork, the sky opened and rained down a torrential downpour of CVEs, zero-day exploits, and general chaos. Microsoft led the parade with an actively exploited kernel bug, but not to be outdone, we saw attackers abusing antivirus features to get SYSTEM, weaponizing "Find My Phone" features to wipe devices, and a whole new ransomware-as-a-service crew targeting everything from Windows to VMware. It’s a week that reminds you why we can’t have nice things.
My husband, UncleSp1d3r, surveyed the week’s carnage, took a long sip of his soda, and muttered, “Just another Tuesday in paradise.” He then went back to reverse-engineering a malicious NuGet package designed to sabotage industrial control systems, because that’s his idea of a good time. He keeps mumbling, "it's elegant in its subtlety." He’s not wrong on either topic, though. The sheer breadth of the week’s events is a testament to attackers' relentless creativity. Let's get into it.
Patch Now or Weep Later: A Multi-Vendor Patch-a-Palooza
It was a heavy one. If your patch management teams look tired, buy them a beer. They’ve earned it.
Microsoft's Zero-Day Leads the Charge: The main event was, of course, Microsoft’s November Patch Tuesday release, which addressed 68 vulnerabilities. The headliner is CVE-2025-62215, a Windows Kernel Elevation of Privilege (EoP) vulnerability that is confirmed to be exploited in the wild. It’s a classic local privilege escalation bug, the kind attackers love to use after getting a foothold to take over a system entirely.
But the fun didn't stop there. The release also includes multiple critical RCEs, including one in the GDI+ graphics component (CVE-2025-60724) that could be triggered with a malicious file, and another in Microsoft Office (CVE-2025-62199) that uses the Preview Pane as a vector. That’s right, just looking at the wrong email could ruin your day. Patching this month is not optional.
SAP and Adobe Join the Party: Not to be left out, SAP dropped fixes for multiple critical vulnerabilities, led by CVE-2025-42890, a CVSS 10.0 bug in SQL Anywhere Monitor caused by hardcoded credentials. It doesn't get much easier than that for an attacker. Meanwhile, Adobe addressed 29 vulnerabilities across its Creative Cloud applications, many of which could lead to arbitrary code execution.
Actively Exploited & Critical Flaws
Beyond the scheduled patches, several other vulnerabilities are making waves.
- Gladinet Triofox Gets Hit: Google and Mandiant reported that CVE-2025-12480, a critical authentication bypass in Gladinet's Triofox file sharing product, is being actively exploited. Attackers are abusing a Host header injection to create admin accounts and then using the product's own antivirus integration to execute code as SYSTEM. It’s a beautifully constructed chain of failure. Patches are available.
- Samsung Zero-Click RCE in the Wild: CISA has added CVE-2025-21042 to its Known Exploited Vulnerabilities catalog. This is a nasty zero-click Remote Code Execution flaw in Samsung's image processing library that can be triggered by a malicious DNG image, for instance, sent over WhatsApp. The vulnerability has been used to deploy the LANDFALL spyware. If you have a fleet of Samsung phones, getting the April 2025 (and later) security updates applied is paramount.
- runc Container Escape: For those of you living in the world of containers, three new vulnerabilities in runC (CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881) can be chained to allow a container to escape and gain root on the host. Patched versions are available and should be deployed across your Kubernetes and Docker estates immediately.
Malware, APTs, and Living Off Your Land
The attackers have been busy refining their tools and techniques.
Lazarus Group Targets Aerospace & Defense: The Lazarus Group is at it again, this time with a spearphishing campaign targeting aerospace and defense firms. They're using weaponized Word documents with lures themed around Airbus and others to drop a new variant of their "Comebacker" backdoor. The C2 traffic is AES-encrypted over HTTPS to domains like office-theme[.]com. Block macros, hunt for the IOCs, and be wary of any unsolicited documents.
Gootloader's Evasive Maneuvers: The operators of the Gootloader initial access malware have returned with some clever new tricks. As detailed by Huntress, they're using compromised WordPress sites and SEO poisoning to deliver malformed ZIP files. These archives appear to contain benign files to sandboxes and analysis tools, but present a malicious JavaScript file to the user in Windows Explorer. It's a slick bit of tradecraft to bypass automated defenses. We've talked a bit about this in previous editions, but it just seems to keep coming around, and this time there are new details on the indicators and timeline.
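The whole trick relies on two ZIP parsers seeing different contents, so one defensive triage check is to parse the archive both ways and flag any disagreement. The script below is an added example written for this digest, not Huntress's tooling, and it does not reproduce the exact malformation they describe; it walks the local file headers front to back, reads the trailing central directory, and compares the two lists, using a constructed pair of glued-together archives as its sample input.

```python
import io
import struct
import zipfile

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"

def local_header_names(data: bytes) -> list:
    """Names found by walking local file headers front to back, as a naive extractor does."""
    names, pos = [], 0
    while (pos := data.find(LOCAL_SIG, pos)) >= 0:
        # ver, flags, method, time, date, crc32, csize, usize, name len, extra len
        _, _, _, _, _, _, csize, _, nlen, xlen = struct.unpack_from("<HHHHHIIIHH", data, pos + 4)
        names.append(data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace"))
        pos += 30 + nlen + xlen + csize  # skip this entry's payload
    return names

def central_directory_names(data: bytes) -> list:
    """Names listed by the central directory, which most archive tools trust."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        return []
    # EOCD: disk, cd disk, entries here, entries total, cd size, cd offset, comment len
    _, _, _, total, cd_size, _, _ = struct.unpack_from("<HHHHIIH", data, eocd + 4)
    pos, names = eocd - cd_size, []  # the directory sits right before the EOCD record
    for _ in range(total):
        if data[pos:pos + 4] != CENTRAL_SIG:
            break
        f = struct.unpack_from("<HHHHHHIIIHHHHHII", data, pos + 4)
        nlen, xlen, clen = f[9], f[10], f[11]  # name, extra, comment lengths
        names.append(data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace"))
        pos += 46 + nlen + xlen + clen
    return names

def archive_views_disagree(data: bytes) -> bool:
    """True when the two parses list different files; worth a closer look."""
    return sorted(local_header_names(data)) != sorted(central_directory_names(data))

def build_zip(entries: dict) -> bytes:
    """Helper to build constructed sample archives in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed samples: a normal archive, and two archives glued together so the
# trailing central directory no longer mentions the first archive's file.
CLEAN_ZIP = build_zip({"README.txt": "hello"})
GLUED_ZIP = build_zip({"README.txt": "hello"}) + build_zip({"invoice.js": "// constructed, inert"})
```

A mismatch is a triage signal, not a verdict: legitimate self-extracting or appended archives can trip it too, so route hits to a human or a second parser rather than auto-blocking.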
KONNI Weaponizes "Find My Device": In a brilliant example of abusing trusted systems, the North Korean APT group KONNI is using compromised Google accounts to access the "Find My Device" feature and remotely wipe their targets' Android phones. It's a perfect anti-forensics and disruption tool that requires no exploit, just stolen credentials. It’s a good time to ensure your critical accounts have phishing-resistant MFA.
The Supply Chain and Other Assorted Horrors
Finally, a few stories to keep you up at night.
- Leaky AI Secrets: Research from Wiz found that ~65% of the top 50 AI companies had exposed verified API keys and other secrets on GitHub, often in personal developer repos or old forks. These keys granted access to private models and training data.
- Malicious NuGet Packages: Researchers at Socket uncovered a malicious NuGet campaign targeting Industrial Control Systems. Nine packages, downloaded thousands of times, contained time-delayed payloads designed to silently sabotage database and PLC operations.
- Phishing-as-a-Service Evolves: A new Phishing-as-a-Service kit called "Quantum Route Redirect" is using over 1,000 domains and sophisticated cloaking to steal Microsoft 365 credentials at scale, routing security scanners to benign sites while serving phishing pages to real users.
It's a lot to take in. The takeaway is that the fundamentals have never been more critical. Patch your systems—all of them. Monitor your logs. Scrutinize your supply chain. And for goodness sake, use multi-factor authentication. The basics won't stop everything, but they’ll give you a fighting chance.
Stay safe out there. You’ll need it.
— KryptoKat & UncleSp1d3r