EvilBit Threat Digest - Patches, Leaks, and AI Sneaks: The Week That Kept on Giving

Weekly cybersecurity digest: vendor patches and exploits, major data leaks, evolving malware and autonomous AI-orchestrated espionage, and ransomware fragmentation.

Well, operators, KryptoKat here with Sp1d3r in the shadows. It's been a whirlwind since our last digest--Patch Tuesday aftershocks are still rattling, zero-days are dropping like autumn leaves, and we've got everything from state-sponsored AI espionage to leaks that make you rethink "secure" cloud storage. UncleSp1d3r and I spent the week sifting through the noise, and the vibe? Attackers are leaning hard into automation, hybrid toolchains, and the classics like path traversal. But hey, at least the ransomware scene is fragmenting… right? Let's break it down without the hype.

Patch Tuesday Aftermath and Fresh Vendor Fixes

Patch Tuesday's November haul was a beast, but the follow-on advisories kept the party going. Microsoft Edge got an emergency Chromium sync (AV25-755), plugging holes in versions before 142.0.3595.80--prioritize it if your fleet's browsing is exposed, as RCE risks stack up fast. Splunk followed suit with AV25-754, addressing open redirects (CVE-2025-20378), command bypasses (CVE-2025-20379), and jackson-core updates (CVE-2025-52999) in Enterprise and Cloud; no in-the-wild exploits yet, but disable Splunk Web if you can't patch immediately.

Cisco kept the ball rolling with AV25-759 for Catalyst Center, and HPE quietly dropped AV25-756 for a stale TLB issue in AMD EPYC processors on SimpliVity gear. But the real fire? Samsung's mobile advisory (AV25-757) fixing CVE-2025-21042, an OOB write in their image codec that's already in spyware chains--zero-click RCE, folks. And Fortinet confirmed the worst: their FortiWeb path traversal (CVE-2025-64446) has been exploited for over a month, silently patched in October, and is now officially in CISA KEV with in-the-wild admin-account creation. We've seen this evolve from honeypot blips to full RCE chains; if your WAF is exposed, assume compromise and rotate everything.

UncleSp1d3r: FortiWeb's CVE-2025-64446 is red-team gold--unauth path traversal via crafted headers lets you impersonate admins, create backdoors, and pivot. The underlying vuln is in fwbcgi path handling; chain it with a Host header injection for silent access. Public PoCs are floating, so test your sims against it. Blue side: disable HTTP on WAN interfaces and audit for fwbcgi POSTs--it's low-hanging fruit for persistence.

KryptoKat: For defenders, the pattern's clear: management-plane exposure equals pain. Segment these services, enforce least-priv, and layer on behavioral rules--unexpected admin adds or config diffs should light up your alerts. Patches are out; no excuses.
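To make the "audit for fwbcgi POSTs" and traversal-hunting advice concrete, here is an added example (not code from the digest, Fortinet, or any vendor) that runs over access-log lines and flags two things for review: request paths that still contain a `..` segment after repeated percent-decoding (so single- and double-encoded variants are caught), and POST requests to any path containing a management-CGI marker. The log format, IP addresses, and sample lines are constructed; the only page-derived detail is the `fwbcgi` path substring.

```python
"""Flag path-traversal attempts and POSTs to management CGI paths in access logs.

Added example, not part of the digest or of any vendor's product. The log format
and sample lines are constructed; 'fwbcgi' comes from the digest's own advice to
audit for POSTs to that CGI, everything else is an assumption for illustration.
"""
import re
from urllib.parse import unquote

# Combined-log-style line: client, timestamp, method, path, status (constructed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

SAMPLE_LOGS = [  # constructed sample lines, not real traffic
    '198.51.100.7 - - [15/Nov/2025:10:01:02 +0000] "GET /static/logo.png HTTP/1.1" 200 512',
    '198.51.100.7 - - [15/Nov/2025:10:01:09 +0000] "GET /api/v2/../../etc/passwd HTTP/1.1" 404 0',
    '203.0.113.5 - - [15/Nov/2025:10:02:11 +0000] "GET /img/%2e%2e%2f%2e%2e%2fetc/hosts HTTP/1.1" 403 0',
    '203.0.113.5 - - [15/Nov/2025:10:02:40 +0000] "GET /img/%252e%252e%252fconfig HTTP/1.1" 403 0',
    '203.0.113.5 - - [15/Nov/2025:10:03:01 +0000] "POST /cgi-bin/fwbcgi HTTP/1.1" 200 88',
    '192.0.2.9 - - [15/Nov/2025:10:03:30 +0000] "GET /docs/index.html HTTP/1.1" 200 2048',
]


def normalize_path(raw, max_rounds=3):
    """Percent-decode repeatedly (defeats double encoding) and unify separators."""
    path = raw
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace('\\', '/')


def has_traversal(path):
    """True if any path segment is '..' once the path is normalized."""
    return any(seg == '..' for seg in normalize_path(path).split('/'))


def analyze(lines, mgmt_markers=('fwbcgi',)):
    """Return (client_ip, finding_type, normalized_path) tuples worth a second look."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these too
        path = normalize_path(m['path'])
        if has_traversal(m['path']):
            findings.append((m['ip'], 'path_traversal', path))
        if m['method'] == 'POST' and any(mk in path.lower() for mk in mgmt_markers):
            findings.append((m['ip'], 'mgmt_cgi_post', path))
    return findings


if __name__ == '__main__':
    for ip, kind, path in analyze(SAMPLE_LOGS):
        print(f'{kind:15} {ip:15} {path}')
```

The decode loop matters: a WAF or reverse proxy that decodes once will see `%252e%252e` as harmless text, while the backend that decodes a second time sees `..`. Running the same normalization in the detection logic keeps your alerting aligned with what the vulnerable component actually interprets.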

Breaches: State Leaks, Oracle Heists, and the Checkout.com Standoff

The big leak this week? A Chinese tech firm, Knownsec (also known as Chuangyu), had its GitHub repo dumped with alleged state-linked tools: RATs, Android spyware, malicious hardware implants, and stolen datasets from 20+ countries (95GB Indian immigration records, 3TB Korean telco data). It's a veritable APT toolkit expo, complete with operational logs and TTPs like remote access software and credential dumping from browsers. China denied involvement, but the dump's already pulled; if you're reverse-engineering state malware, this is your new sample set.

Washington Post joined the Oracle victim club, confirming ~9,720 employees/contractors had PII/financial data leaked via a Cl0p zero-day in Oracle E-Business Suite. It's part of their broader Graceful Spider campaign; no ransomware, just data theft and extortion. Patch EBS yesterday, rotate creds, and hunt for anomalous DB exports--Cl0p's toolchain is persistent once in. Meanwhile, Checkout.com refused ShinyHunters' ransom demands after a third-party cloud bucket breach, opting instead to donate the equivalent to cyber research. The leak? Historical merchant docs, no live transaction data. Kudos for the no-pay stance, but it's your nudge to audit legacy storage.

UncleSp1d3r: Knownsec's leak is operator candy--RATs with Android hooks and hardware implants? Study the C2 patterns; they're built for low-noise exfil. Red-team it: embed similar credential dumps in your sims.

KryptoKat: For blue teams, these leaks spotlight supply-chain hygiene--rotate secrets on shared infra, enforce MFA, and monitor for credential reuse. Cl0p's EBS play? WAF those servlets and log everything.

Malware and Tools: Akira Evolves, AI Espionage Goes Autonomous

CISA and partners refreshed their Akira advisory (AA24-109A), spotlighting the v2 encryptor that's faster and inhibits recovery--think edge-device hardening, offline backups, and phishing-resistant MFA. They've hit 700+ victims since March 2025, raking in $244M; new TTPs include exploiting SonicWall and Nutanix AHV for VM disk encryption. Hunt for impaired defenses (AV tampering) and anomalous RDP/SSH.

Anthropic dropped a bombshell: they disrupted the first reported large-scale AI-orchestrated espionage campaign, attributed to Chinese state actors (GTG-1002). Using Claude Code as an agentic backbone, attackers automated ~90% of tasks--recon, vuln scanning, exploit dev, credential dumping, and exfil--across ~30 targets. It's jailbreak + prompt engineering to chain tools like nmap and sqlmap; they even faked user interaction to bypass platform safeties. Anthropic banned the accounts and shared TTPs; this is the future, folks.

On the tooling front, SilentButDeadly is a new Windows EDR/AV blocker using WFP ALE filters to nuke network comms for processes like SentinelAgent.exe and MsMpEng.exe--self-cleaning, too. NPMScan launched as a browser-based scanner for malicious packages, catching obfuscation, postinstall malware, and dodgy maintainers. And NPM itself got hit with a token-farming campaign flooding 150K+ junk packages; self-replicating and aimed at tea.xyz rewards--OpenSSF slapped MAL-IDs on them.
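The categories NPMScan is described as catching (install-time hooks, obfuscation, thin maintainer metadata) map onto simple manifest heuristics. The following is an added example of such heuristics, not NPMScan's code or the registry's; the regexes, severity levels, and sample manifests are constructed for illustration and would need tuning against real packages.

```python
"""Heuristic scan of an npm package manifest and its sources for install-time
hooks and obfuscation markers. Added example, not NPMScan's code; heuristics,
severity labels and sample manifests are constructed for illustration.
"""
import json
import re

# Lifecycle scripts npm runs during install; any of them deserves review.
INSTALL_HOOKS = ('preinstall', 'install', 'postinstall', 'prepare')

# Install-script content that downloads or evaluates code raises severity.
SUSPICIOUS_SCRIPT = re.compile(
    r'(curl|wget|powershell|Invoke-WebRequest|bash\s+-c|node\s+-e|eval\b|base64)', re.I)

# Long base64-alphabet runs or long \xNN escape runs in source files.
LONG_LITERAL = re.compile(r'[A-Za-z0-9+/=]{80,}|(?:\\x[0-9a-f]{2}){12,}', re.I)
DYNAMIC_EVAL = re.compile(r'\beval\s*\(|new\s+Function\s*\(')


def scan_manifest(manifest_text, sources=None):
    """Return (severity, description) findings for a package.json and its sources."""
    pkg = json.loads(manifest_text)
    findings = []
    scripts = pkg.get('scripts', {})
    for hook in INSTALL_HOOKS:
        if hook in scripts:
            cmd = scripts[hook]
            sev = 'high' if SUSPICIOUS_SCRIPT.search(cmd) else 'medium'
            findings.append((sev, f'{hook} hook: {cmd}'))
    for fname, src in (sources or {}).items():
        if LONG_LITERAL.search(src):
            findings.append(('medium', f'{fname}: long encoded literal'))
        if DYNAMIC_EVAL.search(src):
            findings.append(('medium', f'{fname}: dynamic code evaluation'))
    if not pkg.get('repository') and not pkg.get('homepage'):
        findings.append(('low', 'no repository or homepage metadata'))
    return findings


# Constructed manifests; names are invented and match no real package.
CLEAN_MANIFEST = json.dumps({
    "name": "example-pad", "version": "1.0.0",
    "repository": "https://example.invalid/example-pad",
    "scripts": {"test": "node test.js"},
})
SUSPECT_MANIFEST = json.dumps({
    "name": "example-helperz", "version": "0.0.1",
    "scripts": {"postinstall": "node -e \"require('./setup.js')\""},
})
SUSPECT_SOURCES = {
    "setup.js": "const p = eval(Buffer.from('" + "QUJD" * 30 + "', 'base64').toString());",
}


if __name__ == '__main__':
    for sev, msg in scan_manifest(SUSPECT_MANIFEST, SUSPECT_SOURCES):
        print(f'[{sev}] {msg}')
```

Run this in CI against the lockfile's resolved packages rather than only the top-level manifest, since the install hook that matters is usually several dependency levels down.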

UncleSp1d3r: Akira's Nutanix AHV pivot is slick--exploiting SonicWall for access, then encrypting VM disks via GoAnywhere chains. For red teams: emulate the v2 encryptor with recovery inhibition; it's encrypted SMB shares plus immutable snapshots. The Anthropic disruption? Agentic AI is here--jailbreak Claude to automate recon chains, but watch for API rate limits. SilentButDeadly's WFP play is red-gold: block EDR C2 without killing processes; extend it for selective tunneling.

KryptoKat: Akira defenses: layer MFA, segment edge/VM management, and test offline restores. For AI espionage, monitor LLM API traffic for jailbreak patterns and high-volume queries; enforce allow-lists on agent tools. SilentButDeadly? Alert on WFP changes (Event ID 5441/5157) and unexpected service disables.
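A blocker that uses WFP to cut an endpoint agent off from its cloud leaves a trace: Security-log Event ID 5157 (WFP blocked a connection) with the agent's own binary in the Application field. The following is an added example, not code from the digest or from any EDR vendor, that reads such events and raises a host-level alert when a known security-agent process is the one being blocked. The event records are a simplified, constructed rendering of the 5157 fields (the real event is XML with these names under EventData); the process names are the two the digest mentions, and hosts and addresses are made up.

```python
"""Detect WFP block events (Security log Event ID 5157) whose blocked program is an
endpoint-security agent. Added example, not from the digest or any vendor. Event
records are a simplified, constructed rendering of the real 5157 fields; process
names come from the digest, hosts and addresses are invented.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Agent binaries named in the digest; extend with your own stack's process names.
SECURITY_AGENTS = {'sentinelagent.exe', 'msmpeng.exe'}

# Constructed events. Real 5157 'Application' values use the NT device-path form shown.
SAMPLE_EVENTS = [
    {'EventID': 5157, 'Computer': 'WS-042',
     'Application': r'\device\harddiskvolume3\program files\sentinelone\sentinel agent\sentinelagent.exe',
     'Direction': 'Outbound', 'DestAddress': '203.0.113.20', 'DestPort': '443'},
    {'EventID': 5157, 'Computer': 'WS-042',
     'Application': r'\device\harddiskvolume3\programdata\microsoft\windows defender\platform\4.18\msmpeng.exe',
     'Direction': 'Outbound', 'DestAddress': '203.0.113.21', 'DestPort': '443'},
    {'EventID': 5157, 'Computer': 'WS-042',
     'Application': r'\device\harddiskvolume3\windows\system32\svchost.exe',
     'Direction': 'Inbound', 'DestAddress': '192.0.2.3', 'DestPort': '445'},
    {'EventID': 5156, 'Computer': 'WS-077',  # 5156 = permitted, not a block
     'Application': r'\device\harddiskvolume3\program files\sentinelone\sentinel agent\sentinelagent.exe',
     'Direction': 'Outbound', 'DestAddress': '203.0.113.20', 'DestPort': '443'},
]


def agent_blocks(events):
    """Return 5157 events where the blocked program's basename is a known agent."""
    hits = []
    for ev in events:
        if ev.get('EventID') != 5157:
            continue
        exe = PureWindowsPath(ev['Application']).name.lower()
        if exe in SECURITY_AGENTS:
            hits.append({'host': ev['Computer'], 'process': exe,
                         'direction': ev['Direction'],
                         'dest': f"{ev['DestAddress']}:{ev['DestPort']}"})
    return hits


def hosts_with_blinded_agents(events, threshold=1):
    """Hosts where at least `threshold` distinct agents were blocked.

    One blocked agent may be a misconfigured firewall rule; two or more distinct
    agents blocked on the same host looks like deliberate EDR blinding.
    """
    per_host = defaultdict(set)
    for hit in agent_blocks(events):
        per_host[hit['host']].add(hit['process'])
    return {host: sorted(procs) for host, procs in per_host.items() if len(procs) >= threshold}


if __name__ == '__main__':
    for host, procs in hosts_with_blinded_agents(SAMPLE_EVENTS, threshold=2).items():
        print(f'ALERT {host}: WFP blocking security agents {procs}')
```

Note the baseline problem: 5157 is only logged when "Filtering Platform Connection" failure auditing is enabled, so confirm the policy is on before you trust the absence of alerts. Pair this with an alert on the agent's heartbeat going silent at the console, since an attacker who also suppresses the audit log leaves only that gap.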

Ransomware Fragmentation and a Russian Hacker Nabbed

Check Point's Q3 report shows ransomware fracturing into 85 groups/85 leak sites claiming 1,592 victims--up from prior quarters, with LockBit 5.0 rebirthing amid the chaos. It's a rough ecosystem for affiliates, but that means more opportunistic plays; track the leak sites for your org's name.

In wins, a suspected Russian hacker (possibly GRU-linked) was detained in Thailand on US charges; extradition pending. FBI seized laptops, phones, and wallets--could disrupt some ops if it's the real deal.

UncleSp1d3r: LockBit's return means fresh lockers; emulate their TTPs for sims--fast encryption plus multi-group leaks.

KryptoKat: Fragmentation = volatility; focus on fundamentals: backups, segmentation, rapid patching.

Closing Thoughts: Edges Are Burning, But So Are We

UncleSp1d3r: This week's toolkit--AI agents, WFP blockers, path traversals--keeps the game fun. Test those Nutanix pivots; they're the new edge.

KryptoKat: Patches save lives; isolation saves patches. Rotate, segment, log--rinse, repeat. Stay witty and one step ahead.

Kat & Sp1d3r note: Next up, a deep dive on Akira's Nutanix tricks. Watch the feed.