Cyber Security Headlines – November 26, 2025

Podcast: Cyber Security Headlines
Host: Sarah Lane (CISO Series)
Main Theme:
A rapid-fire update on today’s top cybersecurity threats and incidents, highlighting major warnings, novel attack vectors, and emerging threats across the globe, with a particular spotlight on state-sponsored actors, evolving malware, and real-world consequences of cyber risk.

Key Discussion Points & Insights

1. CISA Warns of App Break-Ins

Summary:
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns that both state-backed actors and cyber mercenaries are targeting high-value users of Signal and WhatsApp.
Techniques Highlighted:
- Spoofed apps
- Phishing attacks
- Malicious QR codes
- Zero-click exploits
Recent Campaigns:
- Russian-aligned groups exploiting Signal’s “linked device” feature.
- WhatsApp zero-click exploit deployed on Samsung phones.
- Spyware impersonating popular apps.
Quote:

"CISA says state backed hackers and cyber mercenaries are breaking into Signal and WhatsApp accounts using spoofed apps, phishing, malicious QR codes, and zero-click exploits to hijack devices belonging to high value users..."
(Sarah Lane, 00:15)

2. StealC V2 Spreads Through Blender Files

Summary:
Morphisec researchers link Russian threat actors to the spread of the StealC v2 infostealer via weaponized Blender files distributed on 3D model sites like CGTrader.
Attack Mechanism:
- Malicious Python embedded in Blender files triggers on autorun, then uses PowerShell to install StealC and a Python stealer.
Capabilities of New Variant:
- Data theft from over 23 browsers, 100+ crypto wallet extensions, 15 wallet apps, messaging, and VPN clients.
- Effective antivirus evasion.
Quote:

"The files contain embedded Python that executes when Blender's autorun feature is enabled, pulling down a PowerShell loader that installs Steelsea and a secondary Python stealer."
(Sarah Lane, 01:06)

3. Russian Cybersecurity Entrepreneur Arrested for Treason

Summary:
Timur Killeen, founder of a Russian cybersecurity firm, arrested for treason after publicly criticizing "Max"—the state-backed messaging app soon to be default on all Russian smartphones.
Reason for Arrest:
- Criticized Max’s poor security, claimed it ignored major vulnerabilities.
- Opposed legislation to criminalize disclosure of security flaws.
Quote:

"Killeen said Max was insecure, ignoring major vulnerabilities and proposed an anti cyber fraud law that would criminalize disclosing security flaws."
(Sarah Lane, 01:46)

4. Hash Jackattack Targets AI Browsers

Summary:
New Hash Jack technique exploits AI assistant features in web browsers.
Technical Details:
- Malicious instructions are hidden after a hash (#) in URLs—normally invisible to servers but read by browser-based AI tools.
- Targets Copilot (Edge), Gemini (Chrome), Perplexity’s Comment.
Threats Posed:
- Data exfiltration, phishing, spreading misinformation, or delivering dangerous guidance.
Vendor Response:
- Google called the issue "low severity."
- Microsoft and Perplexity since released fixes.
Quote:

"AI browser assistants... read these hidden fragments... letting attackers turn trusted sites into vectors for data exfiltration, phishing, misinformation or harmful guidance."
(Sarah Lane, 02:22)

5. Millions Stolen in Fraud Schemes

Summary:
The FBI reports over $262 million lost in account takeover fraud in 2025 alone.
Attack Vectors:
- Impersonation of banks and payment platforms via text, email, phone calls, spoofed links, and SEO “poisoned” ads.
- Holiday-themed scam domains targeting shoppers.
Statistics:
- Over 5,100 complaints since January.
Quote:

"Attackers impersonate banks and payment platforms through texts, emails, calls, spoofed links and SEO poisoned ads, tricking victims into handing over credentials before draining accounts..."
(Sarah Lane, 03:24)

6. Russian Hackers Target Ukrainian “Sister City” US Firm

Summary:
Russian group RomCom targeted a U.S. engineering firm with connections to a Ukrainian municipality as part of “cyber sister city” collaboration.
Incident Details:
- Attack identified by Arctic Wolf in September.
- The targeted firm has not been publicly named.

7. Cyberattack Disrupts Emergency Alert Systems

Summary:
OnSolve Code Red, emergency alert platform, was attacked, impacting notifications for U.S. government, police, and fire agencies.
Impact:
- Data breach of names, emails, phone numbers, and passwords.
- Inc Ransomware gang claimed responsibility, leaking clear text passwords and attempting to sell stolen data.
- Crisis24 forced to restore from March backup, causing loss of recent accounts.
Quote:

"The attack forced Crisis24 to rebuild the system from a backup from March, leaving some accounts missing."
(Sarah Lane, 04:38)

8. Akira Ransomware Exploits SonicWall in M&A Deals

Summary:
Ransomware affiliates exploited legacy SonicWall SSL VPNs inherited through mergers and acquisitions to launch attacks on acquiring firms.
Attack Details:
- Gained initial access via acquired devices.
- Sought legacy credentials, vulnerable hosts, predictable server names.
- Average 9.3 hours to domain controller lateral movement; under 1 hour to ransomware deployment.
Quote:

"Attackers gained access to the acquiring firm's networks via inherited devices, then searched for privileged legacy credentials, unprotected hosts, and predictable server names."
(Sarah Lane, 05:22)

Notable Quotes & Memorable Moments

App Hijacking:

"Zero-click exploits to hijack devices belonging to high-value users across the US, Europe and the Middle East."
(Sarah Lane, 00:17)
StealC Reach:

"Newest variant can steal data from more than 23 browsers, more than 100 crypto wallet extensions, 15 wallet apps, and multiple messaging and VPN clients."
(Sarah Lane, 01:18)
Ransomware Lateral Movement:

"Once inside, lateral movement to domain controllers took an average of 9.3 hours, and ransomware deployment averaged under one hour."
(Sarah Lane, 05:39)

Timestamps for Key Segments

App hijacking warning: 00:06 – 01:06
StealC V2 via Blender files: 01:06 – 01:46
Russian entrepreneur arrested: 01:46 – 02:03
Hash Jackattacks (AI browser AI): 02:03 – 02:56
Fraud schemes ($262M stolen): 03:24 – 03:58
Russian hackers’ cross-border targeting: 03:58 – 04:17
Emergency alert platform attack: 04:17 – 05:00
Akira ransomware in M&A: 05:00 – 05:53

Conclusion

This episode of Cyber Security Headlines delivers urgent insights into evolving attack techniques, from malicious Blender files to AI browser manipulations and ransomware eruptions in M&A. The discussion paints a picture of rapid attacker innovation and significant geopolitical and real-world impacts. A must-listen (or read) for security leaders and practitioners keen to track emerging cyber risk trends.

Cyber Security Headlines – November 26, 2025

Key Discussion Points & Insights

1. CISA Warns of App Break-Ins

Summary:
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns that both state-backed actors and cyber mercenaries are targeting high-value users of Signal and WhatsApp.
Techniques Highlighted:
- Spoofed apps
- Phishing attacks
- Malicious QR codes
- Zero-click exploits
Recent Campaigns:
- Russian-aligned groups exploiting Signal’s “linked device” feature.
- WhatsApp zero-click exploit deployed on Samsung phones.
- Spyware impersonating popular apps.
Quote:

"CISA says state backed hackers and cyber mercenaries are breaking into Signal and WhatsApp accounts using spoofed apps, phishing, malicious QR codes, and zero-click exploits to hijack devices belonging to high value users..."
(Sarah Lane, 00:15)

2. StealC V2 Spreads Through Blender Files

Summary:
Morphisec researchers link Russian threat actors to the spread of the StealC v2 infostealer via weaponized Blender files distributed on 3D model sites like CGTrader.
Attack Mechanism:
- Malicious Python embedded in Blender files triggers on autorun, then uses PowerShell to install StealC and a Python stealer.
Capabilities of New Variant:
- Data theft from over 23 browsers, 100+ crypto wallet extensions, 15 wallet apps, messaging, and VPN clients.
- Effective antivirus evasion.
Quote:

"The files contain embedded Python that executes when Blender's autorun feature is enabled, pulling down a PowerShell loader that installs Steelsea and a secondary Python stealer."
(Sarah Lane, 01:06)

3. Russian Cybersecurity Entrepreneur Arrested for Treason

Summary:
Timur Killeen, founder of a Russian cybersecurity firm, arrested for treason after publicly criticizing "Max"—the state-backed messaging app soon to be default on all Russian smartphones.
Reason for Arrest:
- Criticized Max’s poor security, claimed it ignored major vulnerabilities.
- Opposed legislation to criminalize disclosure of security flaws.
Quote:

"Killeen said Max was insecure, ignoring major vulnerabilities and proposed an anti cyber fraud law that would criminalize disclosing security flaws."
(Sarah Lane, 01:46)

4. Hash Jackattack Targets AI Browsers

Summary:
New Hash Jack technique exploits AI assistant features in web browsers.
Technical Details:
- Malicious instructions are hidden after a hash (#) in URLs—normally invisible to servers but read by browser-based AI tools.
- Targets Copilot (Edge), Gemini (Chrome), Perplexity’s Comment.
Threats Posed:
- Data exfiltration, phishing, spreading misinformation, or delivering dangerous guidance.
Vendor Response:
- Google called the issue "low severity."
- Microsoft and Perplexity since released fixes.
Quote:

"AI browser assistants... read these hidden fragments... letting attackers turn trusted sites into vectors for data exfiltration, phishing, misinformation or harmful guidance."
(Sarah Lane, 02:22)

5. Millions Stolen in Fraud Schemes

Summary:
The FBI reports over $262 million lost in account takeover fraud in 2025 alone.
Attack Vectors:
- Impersonation of banks and payment platforms via text, email, phone calls, spoofed links, and SEO “poisoned” ads.
- Holiday-themed scam domains targeting shoppers.
Statistics:
- Over 5,100 complaints since January.
Quote:

"Attackers impersonate banks and payment platforms through texts, emails, calls, spoofed links and SEO poisoned ads, tricking victims into handing over credentials before draining accounts..."
(Sarah Lane, 03:24)

6. Russian Hackers Target Ukrainian “Sister City” US Firm

Summary:
Russian group RomCom targeted a U.S. engineering firm with connections to a Ukrainian municipality as part of “cyber sister city” collaboration.
Incident Details:
- Attack identified by Arctic Wolf in September.
- The targeted firm has not been publicly named.

7. Cyberattack Disrupts Emergency Alert Systems

Summary:
OnSolve Code Red, emergency alert platform, was attacked, impacting notifications for U.S. government, police, and fire agencies.
Impact:
- Data breach of names, emails, phone numbers, and passwords.
- Inc Ransomware gang claimed responsibility, leaking clear text passwords and attempting to sell stolen data.
- Crisis24 forced to restore from March backup, causing loss of recent accounts.
Quote:

"The attack forced Crisis24 to rebuild the system from a backup from March, leaving some accounts missing."
(Sarah Lane, 04:38)

8. Akira Ransomware Exploits SonicWall in M&A Deals

Summary:
Ransomware affiliates exploited legacy SonicWall SSL VPNs inherited through mergers and acquisitions to launch attacks on acquiring firms.
Attack Details:
- Gained initial access via acquired devices.
- Sought legacy credentials, vulnerable hosts, predictable server names.
- Average 9.3 hours to domain controller lateral movement; under 1 hour to ransomware deployment.
Quote:

"Attackers gained access to the acquiring firm's networks via inherited devices, then searched for privileged legacy credentials, unprotected hosts, and predictable server names."
(Sarah Lane, 05:22)

Notable Quotes & Memorable Moments

App Hijacking:

"Zero-click exploits to hijack devices belonging to high-value users across the US, Europe and the Middle East."
(Sarah Lane, 00:17)
StealC Reach:

"Newest variant can steal data from more than 23 browsers, more than 100 crypto wallet extensions, 15 wallet apps, and multiple messaging and VPN clients."
(Sarah Lane, 01:18)
Ransomware Lateral Movement:

"Once inside, lateral movement to domain controllers took an average of 9.3 hours, and ransomware deployment averaged under one hour."
(Sarah Lane, 05:39)

Timestamps for Key Segments

App hijacking warning: 00:06 – 01:06
StealC V2 via Blender files: 01:06 – 01:46
Russian entrepreneur arrested: 01:46 – 02:03
Hash Jackattacks (AI browser AI): 02:03 – 02:56
Fraud schemes ($262M stolen): 03:24 – 03:58
Russian hackers’ cross-border targeting: 03:58 – 04:17
Emergency alert platform attack: 04:17 – 05:00
Akira ransomware in M&A: 05:00 – 05:53

wavePod

CISA warns of app break-ins, StealC V2 spread through blender files, Russian entrepreneur arrested for treason

Powered by Wave AI

Summary

Cyber Security Headlines – November 26, 2025

Key Discussion Points & Insights

1. CISA Warns of App Break-Ins

2. StealC V2 Spreads Through Blender Files

3. Russian Cybersecurity Entrepreneur Arrested for Treason

4. Hash Jackattack Targets AI Browsers

5. Millions Stolen in Fraud Schemes

6. Russian Hackers Target Ukrainian “Sister City” US Firm

7. Cyberattack Disrupts Emergency Alert Systems

8. Akira Ransomware Exploits SonicWall in M&A Deals

Notable Quotes & Memorable Moments

Timestamps for Key Segments

Conclusion

Summary

Cyber Security Headlines – November 26, 2025

Key Discussion Points & Insights

1. CISA Warns of App Break-Ins

2. StealC V2 Spreads Through Blender Files

3. Russian Cybersecurity Entrepreneur Arrested for Treason

4. Hash Jackattack Targets AI Browsers

5. Millions Stolen in Fraud Schemes

6. Russian Hackers Target Ukrainian “Sister City” US Firm

7. Cyberattack Disrupts Emergency Alert Systems

8. Akira Ransomware Exploits SonicWall in M&A Deals

Notable Quotes & Memorable Moments

Timestamps for Key Segments

Conclusion