November 24, 2025 Cyber Threat Intelligence Briefing
This week’s briefing covers:
00:00 – Intro
00:36 [VULNERABILITY] Second FortiWeb Zero-Day Vulnerability Patched
An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands.
02:26 [MALWARE] EVALUSION ClickFix Campaign Deploys Amatera Stealer and NetSupport RAT
A fresh wave of attacks is leveraging the ClickFix technique to spread malware. The campaign, dubbed EVALUSION, has been observed delivering two major threats: Amatera Stealer and NetSupport RAT.
05:33 [MALWARE] LUMMASTEALER Resurgence and Updates
Reports show an uptick in LUMMASTEALER activity in the past month. This follows a period of lower activity from the actor behind the malware, after Microsoft-led takedown actions were carried out in May 2025.
07:48 UNC1549 targets aerospace, aviation, and defense industries
Mandiant published a write-up of a campaign orchestrated by UNC1549 targeting the aerospace, aviation, and defense industries. The threat actor used a hybrid approach of exploiting trusted connections and spear-phishing campaigns targeting IT staff and administrators with job opportunity lures.
09:11 [RANSOMWARE] ShinySp1d3r RaaS Emerges with Advanced Features
ShinySp1d3r is the name of an emerging Ransomware-as-a-Service platform currently in development, created by threat actors associated with the ShinyHunters and Scattered Spider extortion groups. This platform is notable because the creators, who traditionally deployed encryptors from other gangs, are now building their own encryptor from scratch. The RaaS operation will be led by ShinyHunters but operate under the Scattered LAPSUS$ Hunters brand.
Dive deeper:
Kroll’s Monthly Threat Intelligence Spotlight Report: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports/cti-spotlight-trends-report
Kroll’s Q4 2024 Cyber Threat Landscape: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports/q4-2024-threat-landscape-report-phishing
Kroll’s 2025 Cyber Threat Landscape Report: Cybercrime in the Crypto Era: https://www.kroll.com/Reports/Cyber/Threat-Intelligence-Reports/Threat-Landscape-Report-Lens-on-Crypto
Playlist of Kroll's Weekly Cyber Threat Intelligence Briefings: https://www.youtube.com/playlist
Kroll Cyber Blog: https://www.kroll.com/en/insights/cyber
Kroll Cyber Threat Intelligence: https://www.kroll.com/en/services/cyber/threat-intelligence-services
Kroll Threat Intelligence Reports: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports
Kroll Responder MDR: https://www.kroll.com/en/services/cyber/kroll-responder