Anomali Cyber Watch: New Chrome Zero-Day, Sneaky 2FA Phishing Kit, DigitStealer, APT24 "BadAudio" Malware, and More


Chrome Zero-Day Exploited Through Malicious Websites
(published: November 18, 2025)
A high-severity zero-day vulnerability in Google Chrome, tracked as CVE-2025-13223, is being actively exploited through malicious websites. The flaw is a type-confusion bug in Chrome’s V8 JavaScript engine that allows attackers to trigger heap corruption and execute arbitrary code after a user loads a crafted page. No additional interaction is required. Google confirmed exploitation and released fixed builds in Chrome 142.0.7444.175 for Windows and Linux and 142.0.7444.176 for macOS. All earlier versions remain vulnerable. Security vendors report that threat actors are already using drive-by techniques to lure victims to exploit pages, with technical details withheld until a larger portion of users have updated.
Analyst Comment: Chrome hitting its seventh exploited zero-day this year should be a wake-up call. It isn’t bad luck; it’s the natural outcome of being the most widely used browser on the planet. High usage creates high incentive, and attackers follow that incentive relentlessly. This is why patch management matters just as much at home as it does in the office. Your personal laptop, your phone, your family’s devices and your workstations all sit on the same internet and face the same exploitation chains. Treat browser updates as non-negotiable, verify that auto-update is actually enabled and remind the people around you to do the same. Expect more Chrome zero-days and assume attackers will move quickly.
MITRE ATT&CK: T1189 - Drive-By Compromise | T1203 - Exploitation for Client Execution
Sneaky 2FA Phishing Kit Adds Browser-in-the-Browser Pop-ups to Steal Microsoft Credentials
(published: November 18, 2025)
A Phishing-as-a-Service toolkit known as Sneaky 2FA has been upgraded to include a “Browser-in-the-Browser” (BitB) technique that allows attackers to display fake browser windows within a user’s actual browser to mimic legitimate login flows. The lure often begins with a seemingly benign document link requiring a “Sign in with Microsoft” click; once clicked, the BitB pop-up presents a convincing Microsoft login screen (complete with a spoofed address bar) and captures both credentials and active session tokens. In addition to this UI spoofing, the kit employs bot-protection checks, conditional loading (to select high-value targets), rapid domain rotation, and code obfuscation to evade detection.
Analyst Comment: What makes this upgrade significant is how it changes the defender’s problem space. BitB collapses the visual trust boundary by placing a counterfeit Microsoft login window inside the user’s real browser, which removes the cues people rely on and pushes the burden onto identity telemetry instead of human judgment. Conditional loading prevents analysts from ever seeing the real payload, bot checks block scanning tools, developer-tool restrictions hinder inspection, and rapid domain rotation limits detection time. For defenders, the most actionable step may be to monitor for anomalies in session creation rather than focusing solely on login events. If a new session appears without a corresponding legitimate sign-in, that is often the only early signal you will get that a BitB-style phish succeeded.
MITRE ATT&CK: T1566.002 - Phishing: Spearphishing Link | T1056.002 - Input Capture: GUI Input Capture | T1556.002 - Modify Authentication Process: Password Filter DLL | T1185 - Man in the Browser | T1027 - Obfuscated Files or Information | T1202 - Indirect Command Execution | T1036 - Masquerading | T1608.006 - Stage Capabilities: SEO Poisoning | T1497.003 - Virtualization/Sandbox Evasion: Time Based Evasion
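The analyst comment above suggests watching session creation rather than only sign-in events. The following is an added example (not code from Anomali or from any identity provider) of that correlation: it joins session-issuance records to the nearest preceding MFA-satisfied sign-in for the same user and flags sessions with no such sign-in. It also flags sessions whose source IP differs from the sign-in's, which goes a step beyond the comment and is the more useful check when a phishing kit replays a token captured from a user who did genuinely sign in. The pipe-delimited event format, the five-minute window, and all user names and addresses are constructed for illustration.

```python
"""Flag sessions that appear without a matching interactive sign-in.

Added example, not from the Anomali digest. The event schema is constructed
and matches no vendor's real log format: 'signin' records stand in for an
identity provider's sign-in log, 'session' records for its session/token
telemetry. Fields: kind|iso-timestamp|user|ip|session_id|mfa(0/1).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: a session token should be issued within this window after the
# interactive sign-in that produced it. Tune to the provider's real behaviour.
WINDOW = timedelta(minutes=5)


@dataclass(frozen=True)
class Event:
    kind: str            # "signin" or "session"
    ts: datetime
    user: str
    ip: str
    session_id: str = ""  # empty for sign-in records
    mfa: bool = False     # True if the sign-in satisfied MFA


def parse_events(lines):
    """Parse the constructed pipe-delimited records into Event objects."""
    events = []
    for line in lines:
        kind, ts, user, ip, sid, mfa = line.strip().split("|")
        events.append(Event(kind, datetime.fromisoformat(ts), user, ip, sid, mfa == "1"))
    return events


def orphan_sessions(events, window=WINDOW):
    """Return (session_id, reason) for each session that either has no
    MFA-satisfied sign-in for the same user inside the preceding window, or
    whose IP matches none of the sign-ins found in that window."""
    signins = [e for e in events if e.kind == "signin"]
    sessions = sorted((e for e in events if e.kind == "session"), key=lambda e: e.ts)
    flagged = []
    for s in sessions:
        candidates = [
            si for si in signins
            if si.user == s.user and si.mfa and s.ts - window <= si.ts <= s.ts
        ]
        if not candidates:
            flagged.append((s.session_id, "no preceding sign-in"))
        elif not any(si.ip == s.ip for si in candidates):
            flagged.append((s.session_id, "sign-in IP differs from session IP"))
    return flagged


# Constructed sample telemetry (documentation-range IPs, fictional users).
SAMPLE_LOG = [
    "signin|2025-11-18T09:00:00|alice|203.0.113.10||1",
    "session|2025-11-18T09:00:05|alice|203.0.113.10|S1|0",   # normal: sign-in then session
    "session|2025-11-18T10:15:00|bob|198.51.100.7|S2|0",     # no sign-in at all
    "signin|2025-11-18T11:00:00|carol|203.0.113.22||1",
    "session|2025-11-18T11:02:00|carol|192.0.2.99|S3|0",     # token used from another address
    "signin|2025-11-18T12:00:00|dave|203.0.113.5||1",
    "session|2025-11-18T12:30:00|dave|203.0.113.5|S4|0",     # sign-in too old for the window
]

if __name__ == "__main__":
    for sid, reason in orphan_sessions(parse_events(SAMPLE_LOG)):
        print(f"{sid}: {reason}")
```

Run against real telemetry, the sign-in side should be restricted to successful interactive sign-ins so that failed or non-interactive events cannot satisfy the join; the window and the IP comparison will both need tuning for roaming users and corporate NAT.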
DigitStealer macOS Infostealer Emerges
(published: November 13, 2025)
A newly reported macOS infostealer, dubbed DigitStealer, was analyzed by Jamf Threat Labs and is notable for its stealthy design and targeted data-exfiltration capabilities. Distribution begins with a malicious disk image (DMG) masquerading as a legitimate macOS utility ("DynamicLake.dmg"), relying on user interaction to bypass Gatekeeper. The malware uses AppleScript/JXA automation, extensive environment checks, and evasion techniques to access browser cookies, keychains, wallet data and other sensitive artifacts. Initial samples were undetected on VirusTotal, indicating either sophisticated evasion techniques or a relatively new threat variant. This activity aligns with broader industry trends of increasing macOS-infostealer activity where credential theft, browser data harvesting, and crypto-wallet compromise are central objectives.
Analyst Comment: DigitStealer stands out due to several characteristics that challenge common assumptions about macOS threats. The fact that it achieved zero initial AV detections demonstrates advanced evasion capabilities. The threat's use of JXA is particularly significant, as this approach gives the stealer native access to Safari, Chrome, Finder, System Events and even the Keychain without relying on suspicious binaries or obvious persistence mechanisms. According to Jamf researchers, detection capabilities often focus on unsigned apps or kernel-level tampering rather than trusted automation frameworks being used maliciously. The malware's use of hardware-specific checks (targeting only Apple Silicon M2 or newer systems) and its multi-stage, in-memory execution represent an evolution in sophistication. As Jamf notes, behavioral detection paired with static detection is essential to catch these threats, as many payloads execute entirely in memory with minimal disk footprint.
MITRE ATT&CK: T1204.002 - User Execution: Malicious File | T1204.004 - User Execution: Malicious Copy and Paste | T1059.006 - Command and Scripting Interpreter: Python | T1555.001 - Credentials from Password Stores: Keychain | T1005 - Data from Local System | T1041 - Exfiltration Over C2 Channel
Stolen VPN Credentials Drive Nearly Half of Ransomware Intrusions
(published: November 19, 2025)
According to a recent report from Beazley Security, compromised VPN credentials were the initial access vector in approximately 48% of ransomware incidents during the third quarter of 2025. The findings highlight that attackers frequently exploited valid credentials, via credential stuffing or reuse, against remote access infrastructure such as VPN appliances. Major ransomware operators like Akira and Qilin dominated the landscape, leveraging exposed VPN and RDP services to move into target networks. Analysts emphasise that multi-factor authentication (MFA), strong account monitoring, and rapid patching of remote-access appliances (such as VPNs and SSL gateways) are critical mitigation steps.
Analyst Comment: Nearly half of intrusions start with nothing more than stolen VPN or RDP credentials, which should make every defender pause and take stock. If attackers are winning this consistently with such simple access paths, it’s a clear sign to reassess how exposed your remote access really is. Take this as an opportunity to review identity hygiene, check for legacy VPN paths, and make sure MFA is truly enforced rather than assumed. This isn’t about chasing cutting edge threats; it’s about closing the doors that keep being left open.
MITRE ATT&CK: T1078 - Valid Accounts | T1110.004 - Brute Force: Credential Stuffing | T1133 - External Remote Services
China-Linked APT24 Deploys “BadAudio” Malware in Multi-Vector Espionage
(published: November 20, 2025)
Since late 2022, the threat actor APT24 has leveraged a previously undocumented loader dubbed BadAudio as part of a persistent espionage campaign against primarily Windows systems. The campaign evolved from watering-hole attacks on more than 20 public websites (injecting malicious JavaScript) to repeated supply-chain compromises of a Taiwan-based digital-marketing firm, impacting over 1,000 downstream domains. BadAudio is delivered via DLL sideloading and hijacking search-order paths, uses control-flow flattening for obfuscation, collects host info (hostname, username, architecture), encrypts it with a hard-coded AES key, and contacts a C2 server where further payloads (including a Cobalt Strike Beacon in one case) are fetched and executed in memory. The actor also abused legitimate cloud-storage services for malware delivery and used tracking pixels in spear-phishing lures.
Analyst Comment: This is not just a new loader but a reminder that watering-hole compromises, third-party script injections, DLL sideloading, and cloud-hosted payload delivery can all sit inside the same operation without raising obvious noise. When one actor comfortably crosses that many boundaries, it is a good moment to pause and check whether your own visibility matches the reality of the threat surface. Look closely at how you handle DLL search-order integrity, how well you track changes in third-party web code, and whether outbound traffic to cloud storage aligns with normal user behavior.
MITRE ATT&CK: T1189 - Drive-By Compromise | T1566.001 - Phishing: Spearphishing Attachment | T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking | T1140 - Deobfuscate/Decode Files or Information | T1041 - Exfiltration Over C2 Channel
Target Region: Asia
Target Country: Taiwan, Province of China
Source Country: China
Source Region: Asia
Critical SonicWall SonicOS SSLVPN Flaw Allows Remote Firewall Crashes
(published: November 20, 2025)
A newly disclosed vulnerability in SonicWall’s SonicOS SSLVPN service (CVE-2025-40601) enables unauthenticated attackers to trigger a stack-based buffer overflow that can crash affected firewalls. The issue impacts Gen7 and Gen8 devices when SSLVPN is enabled. While there is no public proof-of-concept and no confirmed exploitation, the flaw is low-complexity, remotely triggered, and affects a widely deployed class of perimeter appliances. SonicWall has issued fixed firmware (Gen7: 7.3.1-7013+, Gen8: 8.0.3-8011+). Administrators unable to patch immediately are advised to disable SSLVPN or restrict access to trusted hosts only.
Analyst Comment: This is a timely reminder to treat network appliances with the same urgency as endpoint patching. If you run SonicWall, validate your firmware version, check whether SSLVPN is publicly exposed, and restrict access while patching. If you do not run SonicWall, still treat this as a cue to audit all remote-access surfaces and ensure patch cycles for edge devices are fast, tracked, and enforced.
MITRE ATT&CK: T1190 - Exploit Public-Facing Application | T1499 - Endpoint Denial of Service
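Both the Chrome item and the SonicWall item above come down to the same check: is the build you are running at or above the fixed version? The following is an added example (not code from Anomali, Google or SonicWall) that parses both version formats and triages a small inventory. The fixed versions are the ones quoted in the two items; the dotted Chrome format and the "x.y.z-NNNN" SonicOS format follow the vendors' public release naming, and everything else, including the inventory records, the "Gen7"/"Gen8" platform keys and the SSLVPN on/off column, is constructed for illustration.

```python
"""Compare reported Chrome and SonicOS builds against the fixed versions.

Added example, not from the Anomali digest or either vendor. FIXED holds the
fixed builds quoted in the digest for CVE-2025-13223 (Chrome) and
CVE-2025-40601 (SonicOS). Inventory lines are constructed.
"""
import re

FIXED = {
    ("chrome", "windows"): "142.0.7444.175",
    ("chrome", "linux"): "142.0.7444.175",
    ("chrome", "macos"): "142.0.7444.176",
    ("sonicos", "gen7"): "7.3.1-7013",
    ("sonicos", "gen8"): "8.0.3-8011",
}

# Leading run of dot- or dash-separated integers; any trailing non-numeric
# suffix a vendor appends after the build number is ignored.
_NUMERIC_PREFIX = re.compile(r"^\d+(?:[.\-]\d+)*")


def parse_version(text):
    """Turn '142.0.7444.175' or '7.3.1-7013' into a comparable tuple of ints.
    For SonicOS the build number after '-' becomes the last component, so
    major.minor.patch is compared first and the build breaks ties."""
    m = _NUMERIC_PREFIX.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in re.split(r"[.\-]", m.group(0)))


def needs_patch(product, platform, version):
    """True if the reported version is older than the fixed build."""
    fixed = FIXED[(product.lower(), platform.lower())]
    return parse_version(version) < parse_version(fixed)


def triage_inventory(lines):
    """Classify constructed 'product, platform, version[, sslvpn]' records.
    An unpatched SonicOS device with SSLVPN off is reported as not exposed,
    mirroring the interim mitigation in the advisory; it still needs the patch."""
    report = {}
    for line in lines:
        fields = [f.strip() for f in line.split(",")]
        product, platform, version = fields[:3]
        sslvpn_on = (fields[3].lower() == "on") if len(fields) > 3 else None
        if not needs_patch(product, platform, version):
            status = "patched"
        elif product.lower() == "sonicos" and sslvpn_on is False:
            status = "unpatched, not exposed (SSLVPN off)"
        else:
            status = "unpatched, exposed"
        report[f"{product}/{platform}/{version}"] = status
    return report


# Constructed inventory, e.g. exported from an asset register.
SAMPLE_INVENTORY = [
    "Chrome, windows, 142.0.7444.150",
    "Chrome, macOS, 142.0.7444.176",
    "Chrome, linux, 141.0.7390.122",
    "SonicOS, Gen7, 7.2.0-7015, off",
    "SonicOS, Gen8, 8.0.3-8011, on",
    "SonicOS, Gen7, 7.3.0-7010, on",
]

if __name__ == "__main__":
    for asset, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{asset}: {status}")
```

The tuple comparison deliberately orders on major.minor.patch before the SonicOS build number, because build numbers alone are not guaranteed to increase across release trains.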
Microsoft Azure Mitigates Record-Breaking 15.72 Tbps DDoS Attack
(published: November 18, 2025)
On October 24, 2025, Microsoft’s Azure DDoS Protection service automatically detected and mitigated a multivector distributed denial-of-service (DDoS) attack that peaked at approximately 15.72 terabits per second (Tbps) and nearly 3.64 billion packets per second (pps). The assault was launched from over 500,000 source IP addresses across multiple regions and targeted a single public IP address in Australia. The responsible botnet, identified as AISURU, is a Turbo-Mirai-class Internet of Things (IoT) botnet comprising compromised home routers, cameras, and DVRs, and is reported to have participated in other record-level volumetric attacks. The attack utilised high-rate UDP floods with minimal source spoofing and randomized source ports, aiding in traceability and enforcement. Microsoft warns that the increasing baseline for volumetric DDoS attacks is driven by faster residential internet speeds and proliferation of powerful IoT devices.
Analyst Comment: The Azure incident is another datapoint in a year where DDoS activity remains consistently higher than in previous years, and the frequency of large, high-intensity bursts continues to rise. The useful takeaway for defenders is not the specific target or provider, but what attacks of this scale tell us about readiness. Multi-terabit floods now materialize in seconds, leaving no time for manual intervention or improvised response. This is a good moment for organizations to pressure-test their own exposure: do you know how your external footprint behaves under sudden saturation, whether critical services degrade gracefully, and whether your current safeguards are sized for this level of traffic? Asking those questions now, before an incident, matters.
MITRE ATT&CK: T1584.005 - Compromise Infrastructure: Botnet | T1498 - Network Denial of Service | T1498.001 - Network Denial of Service: Direct Network Flood
Target Industry: Technology
New “ShinySp1d3r” Ransomware-as-a-Service Emerges From ShinyHunters
(published: November 19, 2025)
A new ransomware-as-a-service (RaaS) platform called ShinySp1d3r has surfaced, developed by the threat group ShinyHunters. Unlike prior operations that used existing ransomware codebases, this build is reportedly developed in-house and includes advanced features such as hooking the EtwEventWrite Windows API to evade logging and forcibly terminating processes holding file handles to facilitate encryption. The group is connected to the broader cyber-crime ecosystem that includes Scattered Spider and LAPSUS$, forming an alliance observed on underground Telegram channels. While ShinySp1d3r is still in development, early samples show support for Windows environments and hints of future targeting of VMware ESXi hypervisors.
Analyst Comment: What makes ShinySp1d3r worth paying attention to isn’t just that a new ransomware family has appeared. It’s that it comes from a crew already known for high-impact intrusion techniques long before they ever touched encryption. ShinyHunters and their close affiliates have a track record of social engineering, SIM swapping, MFA fatigue abuse, insider recruitment, and cloud admin compromise. If they carry those behaviours into this new ransomware phase, defenders should expect attack chains built around access theft rather than flashy malware. That combination of established entry tactics and a purpose-built encryptor means this group is moving into a far more capable tier. The value here is in recognising the shift early and making sure your organisation can spot and disrupt the access-driven stages long before any payload becomes a problem.
MITRE ATT&CK: T1562.002 - Impair Defenses: Disable Windows Event Logging | T1489 - Service Stop | T1486 - Data Encrypted For Impact | T1078 - Valid Accounts | T1621 - Multi-Factor Authentication Request Generation
Critical Oracle Identity Manager RCE Under Active Exploitation
(published: November 21, 2025)
CISA has added CVE-2025-61757 to the Known Exploited Vulnerabilities catalog after confirmation that attackers are abusing a flaw in Oracle Identity Manager. The vulnerability allows unauthenticated users to bypass access controls by appending patterns such as ?WSDL or ;.wadl to service endpoints, exposing an internal Groovy script compilation interface. By abusing Java annotation processors, an attacker can execute arbitrary code on affected systems. Impacted versions include OIM 12.2.1.4.0 and 14.1.2.1.0. The issue was patched in Oracle's October 2025 Critical Patch Update. Because OIM is widely deployed across large enterprises and public-sector environments, successful exploitation offers attackers a direct path into identity infrastructure, including access workflows, credential governance, and privileged account provisioning.
Analyst Comment: The reason this vulnerability deserves priority attention is simple. OIM sits at the center of identity operations, and a pre-authentication RCE on that tier gives an attacker influence over the entire lifecycle of user access. Defenders can use this intelligence in three clear ways. First, confirm patch status for all OIM instances without delay. Second, review web logs for unusual access patterns tied to the bypass methods, especially traffic hitting WSDL and WADL variations or the Groovy script status endpoint. Third, validate the integrity of entitlements, new accounts, and workflow changes, since identity-layer tampering can persist long after initial exploitation.
MITRE ATT&CK: T1190 - Exploit Public-Facing Application | T1059 - Command and Scripting Interpreter
Target Industry: Enterprise
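The second step in the analyst comment above is a web-log review for the bypass suffixes. The following is an added example (not code from Anomali or Oracle) that scans Common Log Format access-log lines for the two suffixes the item names, "?WSDL" and ";.wadl", and tallies hits per source address together with the response status, so that unauthenticated requests answered with 200 stand out from those that were rejected. The log lines and the "/iam/svc/..." paths in them are constructed and are not documented OIM routes; the digest does not give the path of the Groovy script status endpoint, so that is left as an empty set for the analyst to populate from the vendor advisory.

```python
"""Scan access logs for the CVE-2025-61757 bypass suffixes named in the digest.

Added example, not from the Anomali digest or from Oracle. Input is Common
Log Format; the sample lines and their paths are constructed.
"""
import re
from collections import Counter

# Common Log Format: ip ident user [timestamp] "METHOD path PROTO" status size
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# The two suffixes the digest describes being appended to service endpoints.
# Case-insensitive so that mixed-case variants are not missed.
BYPASS_SUFFIX = re.compile(r"(\?wsdl\b|;\.wadl)", re.IGNORECASE)

# Placeholder: the digest mentions a Groovy script status endpoint but does
# not give its path. Fill in from the Oracle advisory before use.
EXTRA_SUSPICIOUS_PATHS = set()


def parse_clf(line):
    """Return a dict of CLF fields, or None for lines that do not parse."""
    m = CLF.match(line.strip())
    return m.groupdict() if m else None


def is_suspicious(path):
    """True if the request path carries a bypass suffix or an extra watched path."""
    if BYPASS_SUFFIX.search(path):
        return True
    bare = path.split("?", 1)[0].split(";", 1)[0]
    return bare in EXTRA_SUSPICIOUS_PATHS


def find_bypass_attempts(lines):
    """Return one record per matching request: source IP, path and HTTP status."""
    hits = []
    for line in lines:
        rec = parse_clf(line)
        if rec and is_suspicious(rec["path"]):
            hits.append({"ip": rec["ip"], "path": rec["path"], "status": int(rec["status"])})
    return hits


def summarize_by_source(hits):
    """Count matching requests per source IP, and per IP those answered 2xx."""
    total = Counter(h["ip"] for h in hits)
    succeeded = Counter(h["ip"] for h in hits if 200 <= h["status"] < 300)
    return {ip: {"requests": n, "answered_2xx": succeeded[ip]} for ip, n in total.items()}


# Constructed sample (documentation-range IPs, made-up service paths).
SAMPLE_LOG = [
    '203.0.113.9 - - [21/Nov/2025:10:02:11 +0000] "GET /iam/svc/UserService?WSDL HTTP/1.1" 200 5120',
    '203.0.113.9 - - [21/Nov/2025:10:02:12 +0000] "POST /iam/svc/UserService;.wadl HTTP/1.1" 200 812',
    '203.0.113.9 - - [21/Nov/2025:10:02:13 +0000] "GET /iam/svc/Other;.wadl?x=1 HTTP/1.1" 403 77',
    '198.51.100.4 - - [21/Nov/2025:10:05:40 +0000] "GET /iam/svc/UserService HTTP/1.1" 401 0',
    '198.51.100.4 - - [21/Nov/2025:10:05:41 +0000] "GET /static/app.js HTTP/1.1" 200 3344',
    "this line is not CLF and is skipped",
]

if __name__ == "__main__":
    for ip, counts in summarize_by_source(find_bypass_attempts(SAMPLE_LOG)).items():
        print(f"{ip}: {counts['requests']} matching requests, {counts['answered_2xx']} answered 2xx")
```

WSDL requests are normal for legitimate SOAP clients, so baseline the per-source counts against known integrations before treating a single match as an indicator; the combination of an unknown source, the ";.wadl" form and a 2xx response on an instance that has not yet received the October 2025 CPU is what merits escalation.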
ToddyCat APT Expands Toolset to Steal Corporate Outlook Data
(published: November 24, 2025)
Researchers have identified a new phase in ToddyCat’s operations focused on extracting corporate email data directly from endpoints. The group is deploying an updated PowerShell-based variant of TomBerBil that collects browser cookies, saved credentials and OAuth tokens used for Outlook and other enterprise services. Two additional tools, TCSectorCopy and XstReader, enable the actor to copy locked Outlook OST files and parse mailbox contents once removed from the host. This approach allows ToddyCat to access mailboxes from outside the victim network without maintaining a foothold on internal infrastructure. The shift follows earlier Exchange-level exploitation and demonstrates a move toward identity and token abuse rather than server compromise.
Analyst Comment: This campaign highlights that defenders cannot rely on perimeter-focused controls when attackers are harvesting the keys stored in user browsers. The most effective response is to strengthen identity protections by reducing token lifetimes, enforcing conditional access and closely monitoring unusual token use. Pairing identity telemetry with endpoint alerts will help detect when credentials or tokens are abused externally. OST file access anomalies and PowerShell-based credential scraping should be added to detection priorities. The goal is to ensure that even if a workstation leaks tokens, the attacker gains little value before controls cut the session short.
MITRE ATT&CK: T1059.001 - Command and Scripting Interpreter: PowerShell | T1053.005 - Scheduled Task/Job: Scheduled Task | T1021.002 - Remote Services: SMB/Windows Admin Shares | T1555 - Credentials from Password Stores | T1555.003 - Credentials from Password Stores: Credentials from Web Browsers | T1528 - Steal Application Access Token | T1114.001 - Email Collection: Local Email Collection | T1550.001 - Use Alternate Authentication Material: Application Access Token | T1048 - Exfiltration Over Alternative Protocol