A
From the CISO series, it's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Wednesday, November 26, 2025. I'm Sarah Lane.

CISA warns of app break-ins
CISA says state-backed hackers and cyber mercenaries are breaking into Signal and WhatsApp accounts using spoofed apps, phishing, malicious QR codes and zero-click exploits to hijack devices belonging to high-value users across the US, Europe and the Middle East. Recent campaigns include Russia-aligned crews abusing Signal's linked-device feature and a WhatsApp zero-click exploit on Samsung phones, along with spyware that impersonates popular apps.

StealC V2 spread through Blender files
Morphisec researchers say that Russian threat actors are spreading the StealC V2 infostealer through weaponized Blender files uploaded to 3D model sites like CGTrader. The files contain embedded Python that executes when Blender's autorun feature is enabled, pulling down a PowerShell loader that installs StealC and a secondary Python stealer. The newest variant can steal data from more than 23 browsers, more than 100 crypto wallet extensions, 15 wallet apps, and multiple messaging and VPN clients, and many samples evade antivirus detection.

Russia arrests cybersecurity entrepreneur for treason
Russian cybersecurity founder Timur Killeen has been arrested on treason charges, with Russian outlets reporting he may have drawn government attention after publicly attacking Max, the state-backed messaging app set to ship pre-installed on all Russian smartphones next year. Killeen said Max was insecure, ignoring major vulnerabilities, and proposed an anti-cyber-fraud law that would criminalize disclosing security flaws.

HashJack attack fools AI browsers
Cato Networks says that a new indirect prompt injection method called HashJack hides malicious instructions after a hash or pound sign in legitimate URLs. AI browser assistants like Copilot in Edge, Gemini in Chrome and Perplexity's Comet read these hidden fragments even though they never leave the client, letting attackers turn trusted sites into vectors for data exfiltration, phishing, misinformation or harmful guidance. Google categorized the issue as low severity and intended behavior. Microsoft and Perplexity applied fixes.

Huge thanks to our sponsor KnowBe4. Cybersecurity isn't just a tech problem, it's a human one. That is why KnowBe4's Human Risk Management platform allows you to measure, quantify and actually reduce human risk across your organization with AI-powered risk scoring, automated coaching and reporting. HRM helps you surface your highest-risk users and reduce the risk of data breaches and cyber attacks proactively. Ready to move from awareness to action? Request a demo of HRM today at KnowBe4.

Millions stolen in fraud schemes
The FBI says that cyber criminals have stolen more than $262 million through account takeover fraud this year, with over 5,100 complaints since January. Attackers impersonate banks and payment platforms through texts, emails, calls, spoofed links and SEO-poisoned ads, tricking victims into handing over credentials before draining accounts and moving those funds to crypto wallets. Scams also use holiday-themed domains designed to trap online shoppers.

Russian hackers target Ukrainian sister city US firm
US cybersecurity firm Arctic Wolf says Russian attackers targeted a US engineering firm this fall because it had worked with a municipality linked to a Ukrainian cyber sister city. The attack was identified back in September. Arctic Wolf declined to name the US firm, but said the attack was carried out by the Russia-aligned group RomCom, known for hitting organizations supporting Ukraine.

Cyber attack disrupts emergency alert systems
The OnSolve CodeRED emergency alert platform suffered a cyber attack that disrupted notifications for U.S. state and local governments, police and fire agencies. Crisis24, which operates CodeRED, confirmed that data on names, emails, phone numbers and passwords was stolen. The INC ransomware gang claimed responsibility, posting screenshots of clear-text passwords and offering the data for sale. The attack forced Crisis24 to rebuild the system from a backup from March, leaving some accounts missing.

Corporate takeovers meet SonicWall firewalls
ReliaQuest reports that Akira ransomware affiliates exploited compromised SonicWall SSL VPN appliances in companies acquired through mergers and acquisitions. Attackers gained access to the acquiring firm's networks via inherited devices, then searched for privileged legacy credentials, unprotected hosts, and predictable server names. Once inside, lateral movement to domain controllers took an average of 9.3 hours, and ransomware deployment averaged under one hour.

Remember to subscribe to the CISO Series on YouTube. We've been publishing new shorts every weekday, having some fun with some of the biggest news stories of the week. Even if you're not hearing about the news there for the first time, it's a great way to easily share a story with your network. Check them out and let us know what you think of the format. And if you have thoughts on the news from today or about our show in general, be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. I'm Sarah Lane reporting for the CISO Series. Thank you so much for listening. Talk to you tomorrow.
A
Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Podcast: Cyber Security Headlines
Host: Sarah Lane (CISO Series)
Main Theme:
A rapid-fire update on today’s top cybersecurity threats and incidents, highlighting major warnings, novel attack vectors, and emerging threats across the globe, with a particular spotlight on state-sponsored actors, evolving malware, and real-world consequences of cyber risk.
"CISA says state backed hackers and cyber mercenaries are breaking into Signal and WhatsApp accounts using spoofed apps, phishing, malicious QR codes, and zero-click exploits to hijack devices belonging to high value users..."
(Sarah Lane, 00:15)
"The files contain embedded Python that executes when Blender's autorun feature is enabled, pulling down a PowerShell loader that installs StealC and a secondary Python stealer."
(Sarah Lane, 01:06)
"Killeen said Max was insecure, ignoring major vulnerabilities, and proposed an anti-cyber-fraud law that would criminalize disclosing security flaws."
(Sarah Lane, 01:46)
"AI browser assistants... read these hidden fragments... letting attackers turn trusted sites into vectors for data exfiltration, phishing, misinformation or harmful guidance."
(Sarah Lane, 02:22)
"Attackers impersonate banks and payment platforms through texts, emails, calls, spoofed links and SEO poisoned ads, tricking victims into handing over credentials before draining accounts..."
(Sarah Lane, 03:24)
"The attack forced Crisis24 to rebuild the system from a backup from March, leaving some accounts missing."
(Sarah Lane, 04:38)
"Attackers gained access to the acquiring firm's networks via inherited devices, then searched for privileged legacy credentials, unprotected hosts, and predictable server names."
(Sarah Lane, 05:22)
"Zero-click exploits to hijack devices belonging to high-value users across the US, Europe and the Middle East."
(Sarah Lane, 00:17)
"Newest variant can steal data from more than 23 browsers, more than 100 crypto wallet extensions, 15 wallet apps, and multiple messaging and VPN clients."
(Sarah Lane, 01:18)
"Once inside, lateral movement to domain controllers took an average of 9.3 hours, and ransomware deployment averaged under one hour."
(Sarah Lane, 05:39)
This episode of Cyber Security Headlines delivers urgent insights into evolving attack techniques, from malicious Blender files to AI browser manipulations and ransomware intrusions following M&A activity. The discussion paints a picture of rapid attacker innovation and significant geopolitical and real-world impacts. A must-listen (or read) for security leaders and practitioners keen to track emerging cyber risk trends.