Weekly Summary Cyberattacks November 20-26
FlexibleFerret Malware Continues to Strike
A new wave of activity linked to FlexibleFerret, a DPRK-aligned macOS malware family previously exposed in early 2025 and tied to the Contagious Interview operation, was identified. The latest attacks continue to rely on recruitment-themed social engineering, using fake hiring assessments to coerce victims into executing Terminal commands that deploy the malware. FlexibleFerret remains active and evolving, with attackers refining fake recruitment flows to bypass Gatekeeper, socially engineer macOS users, and prompt them to execute attacker-supplied commands under the guise of professional hiring assessments.
Security Flaws in DeepSeek-Generated Code Linked to Political Triggers
Researchers have disclosed that DeepSeek-R1, a high-quality large language model (LLM) from the China-based AI startup DeepSeek, exhibits a surprising and potentially dangerous pattern. Independent testing of the DeepSeek-R1 671B model showed that it could produce code of quality comparable to that of other market-leading LLMs of the time. This new research contrasts with previous public research, which largely focused on traditional jailbreaks. Given that a majority of developers use AI coding assistants, this issue represents a high-impact security concern.
Panda Smash Attacks: APT31 Today
Researchers have revealed that the China-linked hacking group known as APT31 infiltrated Russia's technology sector for years and quietly exfiltrated data from companies. APT31 is a cyber espionage group that focuses primarily on industrial espionage and intellectual property theft. According to the report, the campaign, which ran into the current year, was meticulously planned and allowed the intruders to remain undetected. In the period from 2024 to 2025, the Russian IT sector, especially companies working as contractors and integrators for government agencies, faced a series of targeted computer attacks.
Global WhatsApp Hijacking Campaign: HackOnChat
CTM360 has exposed a large-scale and rapidly expanding global campaign designed to hijack WhatsApp accounts through sophisticated phishing schemes that impersonate official WhatsApp interfaces and exploit user trust in the platform. Internally named HackOnChat, the operation relies on thousands of fraudulent URLs hosted across inexpensive and lightly regulated top-level domains (including .cc, .net, .icu, and .top) and deployed via platforms such as Vercel, WIX, GitHub, and Netlify, enabling attackers to generate new pages at scale. Over 9,000 phishing URLs and more than 450 recorded incidents in the past 45 days have been attributed to this activity, with a marked concentration of victims in the Middle East and Asia.
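The traits described above (brand impersonation in the hostname, cheap top-level domains, and free hosting platforms) lend themselves to a simple triage heuristic that a SOC can run over URLs pulled from mail gateways or proxy logs. The following is an added illustration written for this summary, not code from CTM360 or from the report; the sample URLs are constructed for the example and are not indicators from the campaign, and the token lists and score thresholds are assumptions to be tuned locally.

```python
from urllib.parse import urlparse

# Constructed sample URLs for illustration only; none are real indicators.
SAMPLE_URLS = [
    "https://whatsapp.com/",
    "https://web.whatsapp.com/",
    "https://whatsapp-verify-login.top/",
    "https://wa-account-secure.icu/verify",
    "https://whatsapp-security-check.vercel.app/",
    "https://example.org/",
]

# Domains the brand actually uses (assumption: whatsapp.com and whatsapp.net).
LEGIT_DOMAINS = {"whatsapp.com", "whatsapp.net"}
# Cheap, lightly regulated TLDs named in the summary.
SUSPECT_TLDS = {"cc", "net", "icu", "top"}
# Free hosting suffixes corresponding to the platforms named in the summary.
FREE_HOSTING_SUFFIXES = ("vercel.app", "netlify.app", "github.io", "wixsite.com")
# Brand tokens that suggest impersonation when they appear in a non-brand hostname.
BRAND_TOKENS = ("whatsapp", "wa-", "-wa")
# Path keywords common in credential and session hijacking lures (heuristic).
LURE_PATH_WORDS = ("verify", "login", "secure", "account")


def is_legit_host(hostname: str) -> bool:
    """True when the hostname is one of the brand's own domains or a subdomain."""
    return any(hostname == d or hostname.endswith("." + d) for d in LEGIT_DOMAINS)


def classify(url: str) -> dict:
    """Score a URL for WhatsApp impersonation and return verdict, score and reasons."""
    parsed = urlparse(url)
    hostname = (parsed.hostname or "").lower()
    path = (parsed.path or "").lower()
    reasons = []

    if is_legit_host(hostname):
        return {"url": url, "verdict": "legitimate", "score": 0, "reasons": []}

    score = 0
    if any(tok in hostname for tok in BRAND_TOKENS):
        score += 2
        reasons.append("brand token in non-brand hostname")
    tld = hostname.rsplit(".", 1)[-1] if "." in hostname else ""
    if tld in SUSPECT_TLDS:
        score += 1
        reasons.append(f"suspect TLD .{tld}")
    if hostname.endswith(FREE_HOSTING_SUFFIXES):
        score += 1
        reasons.append("hosted on free deployment platform")
    if any(word in path for word in LURE_PATH_WORDS):
        score += 1
        reasons.append("lure keyword in path")

    # Thresholds are assumptions; tune against local false-positive rates.
    if score >= 3:
        verdict = "likely_phish"
    elif score >= 1:
        verdict = "review"
    else:
        verdict = "benign"
    return {"url": url, "verdict": verdict, "score": score, "reasons": reasons}


def triage(urls) -> list:
    """Classify a batch of URLs, most suspicious first."""
    return sorted((classify(u) for u in urls), key=lambda r: -r["score"])


if __name__ == "__main__":
    for result in triage(SAMPLE_URLS):
        print(f'{result["verdict"]:<12} {result["score"]}  {result["url"]}  {result["reasons"]}')
```

The heuristic deliberately whitelists the brand's own domains before scoring, so that `whatsapp.net` is not penalised for its `.net` TLD; everything else is scored on the traits the report calls out, and the `review` tier exists so that a single weak signal (for example only a cheap TLD) lands in an analyst queue rather than being auto-blocked.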
ShadowRay 2.0: Attackers Turn AI Against Itself in Global Campaign that Hijacks AI Into Self-Propagating Botnet
Cybersecurity researchers have uncovered an active, global hacking campaign known as ShadowRay 2.0, in which attackers weaponize AI systems to compromise and hijack exposed Ray clusters, transforming them into a self-propagating botnet. The campaign exploits CVE-2023-48022, a disputed remote code execution flaw in Ray’s Jobs API that remains unfixed because maintainers consider it a design feature intended for trusted environments. Since users routinely deploy Ray clusters with public exposure and no authentication, attackers continue to exploit the same weakness first observed in 2023 and again in March 2024. Attackers leverage Ray's legitimate distributed orchestration capabilities for reconnaissance, lateral movement, persistence, and autonomous propagation.