Threat Intelligence RoundUp: November

December 01, 2025

Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. U.S. Prosecutors Indict Cybersecurity Insiders Accused of BlackCat Ransomware Attacks – The Hacker News

On November 03, three former employees of the cybersecurity companies DigitalMint and Sygnia were indicted in district court for “allegedly hacking the networks of five U.S. companies with BlackCat (aka ALPHV) ransomware between May and November 2023 and extorting them.” The individuals, Kevin Tyler Martin of Roanoke, Texas, and Ryan Clifford Goldberg of Watkinsville, Georgia, and an unnamed accomplice are facing multiple charges, including interference with interstate commerce by extortion and intentional damage to protected computers. During the aforementioned time period, BlackCat gained access to victims’ networks, stole data, deployed malware, and demanded cryptocurrency in exchange for decryption keys and a promise not to leak the stolen data. Read full article.

2. Active Exploits Hit Dassault and XWiki — CISA Confirms Critical Flaws Under Attack – The Hacker News

On October 28, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) listed three new vulnerabilities affecting Dassault Systèmes DELMIA Apriso and XWiki. The vulnerabilities CVE-2025-6204, CVE-2025-6205, and CVE-2025-24893 allow threat actors to execute arbitrary code and gain access to the applications. Both CVE-2025-6204 and CVE-2025-6205 affect versions of DELMIA Apriso dating back to 2020. Chaining these two vulnerabilities allows an attacker to create accounts with elevated privileges and deposit executable files into a web-served directory, resulting in complete compromise of the application. CVE-2025-24893 has been exploited against XWiki since March through a two-stage attack chain that delivers a cryptocurrency miner. Article here.

On October 31, the University of Pennsylvania announced that its information systems for development and alumni activities had been compromised. Using an employee’s PennKey SSO account, the threat actor was able to gain access to “the university’s Salesforce instance, Qlik analytics platform, SAP business intelligence system, and SharePoint files.” This access provided the threat actors with 1.71 GB of internal documents as well as 1.2 million records of donor information. The hackers claim the attack was not politically motivated, but posted on hacking forums that they targeted the university due to its “alleged DEI practices, admissions policies, and love of nepobabies.” Read more here.

Following a seven-year investigation by the Met’s Economic Crime team, a 47-year-old woman, Zhimin Qian (also known as Yadi Zhang), was found guilty of a large-scale fraud campaign that defrauded over 128,000 victims in China between 2014 and 2017. Qian earned the name “Bitcoin Queen” in China after promoting the currency as “digital gold”. After her scheme was uncovered in 2017, she converted the proceeds into Bitcoin and fled to the United Kingdom, where, with the help of an associate named Jian Wen, she attempted to launder the cryptocurrency through property purchases. Qian was arrested in 2024, when law enforcement seized assets worth $14.4 million, as well as cryptocurrency wallets, encrypted devices, cash, and gold. Read here.

5. Malicious NuGet packages drop disruptive ‘time bombs’ – The Bleeping Computer

NuGet, an open source package manager and software distribution system, identified several sabotaged payloads scheduled to activate in 2027 and 2028. The packages target three major database providers used in .NET applications, with the most dangerous targeting Sharp7Extend. Using a probabilistic trigger, the malicious code may or may not fire in August 2027 and November 2028. According to Socket researchers, the packages contain 99% legitimate code in an attempt to create a “false sense of security”. Learn more.

6. APT37 hackers abuse Google Find Hub in Android data-wiping attacks – Bleeping Computer

North Korean hackers, APT37, have been discovered abusing Google’s Find Hub tool to target South Koreans. Victims are approached through KakaoTalk messenger, a popular instant messaging app. Spear-phishing messages sent through KakaoTalk impersonate South Korea’s National Tax Service, the police, and other agencies to deceive recipients into interacting. If someone opens the attached MSI file (or a ZIP that contains it), the program runs two hidden scripts: one that installs the malicious code and one that pops up a fake “language pack error” to fool the user. Meanwhile, the malware grabs the victim’s Google and Naver login details, signs into their email accounts, changes security settings, and deletes traces of the break-in. Read full article.

7. Iranian Hackers Use DEEPROOT and TWOSTROKE Malware in Aerospace and Defense Attacks – The Hacker News

Iranian threat actors, known for espionage-driven attacks, have been observed deploying the backdoors TWOSTROKE and DEEPROOT against Middle East industries. Mandiant attributes the activity to UNC1549 (aka Nimbus Manticore and Subtle Snail). According to Google, these infection chains blend phishing campaigns aimed at stealing credentials with malware delivery operations that exploit trusted relationships with third-party vendors. Although the primary targets maintain strong security defenses, some third-party partners remain vulnerable, creating a ‘weak link’ that groups like UNC1549 can exploit. Read full article.

8. Meet ShinySp1d3r: New Ransomware-as-a-Service created by ShinyHunters – Bleeping Computer

The threat actor group Scattered Lapsus$ Hunters has announced the development of a Ransomware-as-a-Service (RaaS) platform named ShinySp1d3r. The group announced on its Telegram channel that the ransomware is in development and will be led by ShinyHunters but operated under the “Scattered Lapsus$ Hunters” brand. Samples of the ransomware have been uploaded to VirusTotal and show a mix of common features and new features developed by the group. The encrypted files will contain “information on what happened to a victim’s files, how to negotiate the ransom, and a TOX address for communications”. Learn more.


Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

Copyright © 2026 DarkOwl, LLC All rights reserved.