Weekly Summary Cyberattacks November 06-12
New KomeX Android RAT Hits Hacker Forums with Tiered Subscriptions
A new Android Remote Access Trojan (RAT) known as KomeX RAT has surfaced on underground hacking forums, where it is being sold by the threat actor Gendirector. The malware is based on the previously documented BTMOB codebase. It is marketed through a tiered subscription model: $500 for a one-month license, $1,200 for a lifetime license, and $3,000 for full source code access. KomeX RAT features an extensive set of malicious capabilities that grant attackers full control over compromised Android devices. The malware can automatically grant itself all required permissions and bypass Google Play Protect, thereby evading one of Android's primary security defenses. Its surveillance functions include live screen streaming at up to 60 frames per second, camera and microphone capture, SMS read/send/delete, geolocation tracking with integrated map visualization, and a forced chat function that allows direct interaction between attacker and victim.
Danabot Malware Reemerges with Version 669 After Operation Endgame
The notorious Danabot banking malware has resurfaced with the release of version 669, marking its return nearly six months after the Operation Endgame law enforcement takedown that occurred in May 2025. This comeback demonstrates that the cybercriminal operators behind Danabot have successfully regrouped and rebuilt their command-and-control (C2) infrastructure, effectively restoring the malware's operations despite international disruption efforts. Researchers observed that the new Danabot 669 variant incorporates an updated, diversified C2 network, featuring both traditional IP-based servers and Tor-based hidden service domains to enhance persistence and anonymity. In addition, the malware uses backconnect C2 servers, enabling remote control and maintaining continuous access to infected systems through reverse shell connections. The updated version maintains cryptocurrency theft as its primary objective.
GTIG Warns of Growing Adoption of Self-Modifying AI Malware by Threat Actors
Google's Threat Intelligence Group (GTIG) reports a major shift in threat actor behavior: adversaries are no longer using artificial intelligence solely for productivity or tooling assistance, but are now deploying AI-enabled malware that dynamically modifies itself during execution. GTIG's latest assessment shows that state-sponsored groups from North Korea, Iran, and China, as well as financially motivated cybercriminals, are integrating generative AI into every phase of the attack lifecycle, including reconnaissance, malware development, execution, command-and-control, and exfiltration.
HackedGPT: Novel AI Vulnerabilities Open the Door for Private Data Leakage
Seven newly discovered vulnerabilities and attack techniques affecting OpenAI's ChatGPT, including the latest GPT-5 model, were disclosed under the name HackedGPT. The flaws enable indirect prompt injection, exfiltration of private user data from persistent memory and chat history, bypasses of safety mechanisms, and long-term persistence across conversations. The report highlights that adversaries can weaponize trusted websites, cached browsing results, Bing-indexed links, and even one-click URLs to trigger malicious behavior without the user being aware of it.
Infection URLs Used in Regional Phishing Campaigns
A detailed analysis was released of phishing campaigns that bypassed secure e-mail gateways (SEGs) and delivered malware through embedded "infection URLs" across the top five non-English languages used in global phishing operations: Spanish, Thai, German, Chinese, and Portuguese. The findings are based on data collected over two years from more than 35 million trained employees worldwide, and show that infection URLs remain a primary initial access vector and are increasingly hosted on, or relayed through, legitimate cloud services. Across all languages studied, legitimate services were abused more frequently than compromised or malicious domains, except in Chinese- and Portuguese-language campaigns, where attacker-controlled or compromised infrastructure dominated.
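The distinction the report draws, between infection URLs that abuse a legitimate cloud service and those that point at attacker-controlled or compromised infrastructure, is a useful triage axis for an analyst reviewing URLs pulled from phishing mail that got past the SEG. The following is an added example, not code from the report or its authors: it parses a list of constructed sample URLs, normalizes the host (lower-case, punycode decoded), and sorts each into a category, following open-redirect parameters on legitimate services to the real landing page. The service allow-list, redirect parameter names and sample URLs are assumptions for illustration, not the report's data.

```python
"""Triage phishing 'infection URLs': legitimate-service abuse vs attacker-owned hosts.

Added example. LEGIT_SERVICES, REDIRECT_PARAMS and SAMPLE_URLS are constructed
for illustration and are not taken from the report.
"""
import ipaddress
from collections import Counter
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Assumed allow-list of registrable domains for cloud services commonly abused
# to host or relay payloads (constructed; extend from your own telemetry).
LEGIT_SERVICES = {
    "sharepoint.com", "onedrive.live.com", "dropbox.com", "drive.google.com",
    "docs.google.com", "box.com", "amazonaws.com", "blob.core.windows.net",
}

# Query parameters that typically carry an open-redirect target (assumed names).
REDIRECT_PARAMS = ("url", "redirect", "redirect_uri", "next", "target", "u")


def normalize_host(host: str) -> str:
    """Lower-case, strip trailing dot, decode punycode so IDN lookalikes are visible."""
    host = host.lower().rstrip(".")
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:  # already Unicode, or not valid punycode: keep as-is
        return host


def matches_service(host: str) -> bool:
    """True if host equals, or is a subdomain of, an allow-listed service domain."""
    return any(host == s or host.endswith("." + s) for s in LEGIT_SERVICES)


def extract_redirect(url: str) -> Optional[str]:
    """Return an absolute URL carried in a known redirect parameter, if present."""
    qs = parse_qs(urlsplit(url).query)  # parse_qs already percent-decodes values
    for name in REDIRECT_PARAMS:
        for value in qs.get(name, []):
            if value.startswith(("http://", "https://")):
                return value
    return None


def classify(url: str, depth: int = 0) -> dict:
    """Classify one URL; follows up to three nested redirect parameters."""
    host = normalize_host(urlsplit(url).hostname or "")
    result = {"url": url, "host": host, "final": url}
    if not host:
        result["category"] = "no-host"
        return result
    try:
        ipaddress.ip_address(host)
        result["category"] = "ip-literal"  # raw IP: never a legitimate service
        return result
    except ValueError:
        pass
    if not host.isascii():
        # Legitimate IDNs exist in the languages studied, so flag rather than block.
        result["category"] = "idn-host-review"
        return result
    if matches_service(host):
        inner = extract_redirect(url)
        if inner and depth < 3:
            inner_result = classify(inner, depth + 1)
            result["category"] = "legit-service-redirect"
            result["final"] = inner_result["final"]
            result["final_category"] = inner_result["category"]
        else:
            result["category"] = "legit-service-hosted"
        return result
    result["category"] = "attacker-or-compromised-domain"
    return result


def summarize(urls) -> dict:
    """Count top-level categories, the split the report compares per language."""
    return dict(Counter(classify(u)["category"] for u in urls))


# Constructed sample infection URLs (example.* and TEST-NET addresses only).
SAMPLE_URLS = [
    "https://contoso-my.sharepoint.com/:b:/g/personal/user/abc123",
    "https://drive.google.com/uc?export=download&id=1AbC",
    "https://www.dropbox.com/l/scl/redirect?u=https%3A%2F%2Fdownloads.example.net%2FInvoice.zip",
    "http://203.0.113.45/factura.exe",
    "https://\u0430pple.com/login",  # Cyrillic 'а' lookalike host
    "https://secure-update.example.org/Rechnung.pdf.exe",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = classify(u)
        print(f'{r["category"]:32} {r["host"]:28} -> {r["final"]}')
    print(summarize(SAMPLE_URLS))
```

The redirect-following step matters in practice: a URL whose host is a well-known file-sharing service will pass many reputation checks, while the `u=` or `redirect=` parameter is what actually lands the victim on the payload host. When you apply this to real mail, feed the categories back per campaign language to reproduce the comparison the report makes.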