Anomali Cyber Watch: OWASP Top Ten Updates, AI Voice Scams, DanaBot Malware, Lumma Stealer, and More


OWASP Elevates Software Supply Chain Failures in Its 2025 Top 10 Revision
(published: November 13, 2025)
OWASP’s Top 10:2025 introduces a major shift by placing Software Supply Chain Failures in the third position, reflecting the increasing impact of upstream compromise. The category covers risks created when organizations adopt components without security assurances, visibility, or integrity verification. OWASP highlights failures such as malicious dependency substitution, tampered build pipelines, dependency confusion, and unvalidated third-party packages. This shift follows OWASP’s analysis of more than 220,000 CVEs and the growing frequency of ecosystem-level attacks targeting package registries and build systems. The update signals that modern application risk is shaped as much by the software ecosystem surrounding an application as by the application itself.
Analyst Comment: Defenders should view this update as a cue to revisit the wider OWASP Top 10, not just the supply chain category. The rise of Security Misconfiguration to the second position and the reshaping of Broken Access Control highlight areas where real incidents continue to originate. Reviewing these shifts helps teams understand where attacker success is clustering and where existing controls may be too shallow.
ClickFix Campaign Targets Hotels and Their Customers
(published: November 10, 2025)
Recent investigations reveal a global phishing scheme leveraging the social-engineering tactic known as “ClickFix” to compromise hotel systems and then exploit guest data. Attackers begin by sending spear-phishing emails to hotel administrators, often impersonating booking platforms such as Booking.com, with links that redirect through malicious domains. On arrival, the victim is prompted to execute a PowerShell command that deploys an infostealer and the remote access Trojan PureRAT (also known as zgRAT) via DLL sideloading. Compromised systems are then used to extract credentials for booking-platform accounts or reservation data, sold via cybercrime forums, and weaponized in secondary attacks against hotel guests through WhatsApp or email messages asking them to reconfirm payment details, effectively a “pay-twice” fraud model.
Analyst Comment: Telemetry from ESET and others shows ClickFix use exploding through 2025, growing by more than 500 percent and now ranking among the top social-engineering vectors. Every new case reinforces the same uncomfortable truth: attackers keep using ClickFix because it keeps working. It shifts the phish from a fake form or attachment into a simple prompt asking the user to “fix” something, then shepherds them through a browser flow that ultimately convinces them to run a PowerShell command. That single action hands the operator everything they need to drop malware, steal credentials, and pivot into high-value systems. The pattern is predictable, which means defenders have an opportunity. Treat ClickFix as a rising-priority threat, train staff to recognize the tell-tale “click to fix” pretext, and harden policies around script execution. Awareness and execution controls are the easiest wins here. This vector is scaling because the human response to “something is broken” is predictable. Break that pattern, and you may break the attack.
MITRE ATT&CK: T1566.002 - Phishing: Spearphishing Link | T1204.004 - User Execution: Malicious Copy and Paste | T1059.001 - Command and Scripting Interpreter: PowerShell | T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1056.001 - Input Capture: Keylogging | T1041 - Exfiltration Over C2 Channel
Target Industry: Hospitality and leisure, Commercial
The Call You Hope Never Comes: AI Voice Scams Are Targeting the People We Care About Most
(published: November 11, 2025)
Cybercriminals are weaponizing AI voice-cloning and publicly available personal data to impersonate family members and pressure older adults into urgent money transfers. The FBI reports that victims over 60 lost nearly $4.9 billion in 2024, a steep rise driven largely by highly personalized social-engineering scams. Attackers gather relatives’ names, locations, and relationships from data-broker sites, then generate convincing audio that sounds like a distressed grandchild or loved one. Traditional cybersecurity controls rarely detect this type of fraud because the attack pathway is entirely human. Effective defenses rely on out-of-band verification, reducing data exposure on search-aggregation sites, and widening digital-literacy efforts so families understand how easily trust can be manipulated.
Analyst Comment: This type of fraud hits close to home because it bypasses every firewall and lands straight in a loved one’s emotions. Many older adults do not know that a few seconds of audio online is enough to recreate a convincing voice, and without that awareness they have no chance of spotting the trap. If we want to protect our families, we have to treat cybersecurity as a shared responsibility rather than a technical niche. Talking openly about these scams, checking in with relatives, and teaching simple verification habits can make the difference between panic and pause. A more cyber-aware society starts with conversations around the kitchen table, long before an attacker tries to sound like someone we love.
MITRE ATT&CK: T1589 - Gather Victim Identity Information | T1593 - Search Open Websites/Domains | T1656 - Impersonation
UK Tables Cyber Security and Resilience Bill for Parliamentary Debate
(published: November 12, 2025)
The UK has introduced the Cyber Security and Resilience (Network and Information Systems) Bill to Parliament, marking the start of a legislative process rather than the activation of new rules. The proposal aligns the UK more closely with the EU’s NIS2 directive, which came into force nearly two years ago, though several EU states have yet to fully adopt it. The Bill seeks to tighten oversight of critical infrastructure and the service providers supporting it, expand mandatory incident reporting to 24 hours, and increase regulatory powers and potential penalties of up to £17 million or 4% of global turnover. The urgency behind the legislation reflects a series of damaging incidents, including the Synnovis ransomware breach and a state-sponsored compromise of Ministry of Defence staff data. Government figures estimate the average cost of a significant cyberattack at more than £190,000, amounting to £14.7 billion annually across the UK economy. NCSC leadership urged all organizations to take immediate steps to strengthen resilience while the Bill progresses through Parliament.
Analyst Comment: This update is a useful heads-up that the rules around cyber resilience in the UK are likely to broaden in the future. The Bill is still in debate, but it points to shifts in how incidents are reported, how services are assured and how providers are expected to support their customers. If you operate in the UK, it’s worth taking a moment to check whether your current processes would meet stricter timelines or tighter service obligations. If you’re based outside the UK but work with UK clients, remember that these changes often surface through contracts and supply-chain expectations long before they become formal requirements.
DanaBot Malware Resurfaces With Version 669 After Earlier Takedown
(published: November 12, 2025)
DanaBot has returned to active Windows targeting after a six-month lull triggered by Operation Endgame. The new strain, version 669, appears tied to the same operator and replaces the older 443 build. Researchers report a rebuilt command-and-control architecture that mixes standard IP and domain servers with Tor-based infrastructure, improving resilience and complicating tracking. The malware continues to operate as a modular platform capable of credential theft, browser and email data harvesting, cryptocurrency wallet targeting and acting as a loader for secondary payloads. Delivery remains centered on malicious emails and trojanized files. The rapid re-establishment of infrastructure and tooling suggests an effort to restore DanaBot’s place in the broader criminal MaaS ecosystem.
Analyst Comment: The value here is the reminder that a takedown is so often only a pause, not protection. DanaBot’s return means defenders should ensure they are not relying on outdated assumptions about what is active in the wild. Updating detection logic, refreshing network and email filtering rules and reviewing telemetry for loader-style activity will help surface this variant early. Because DanaBot is often the first step in a larger intrusion chain, catching it quickly prevents whatever secondary payload the operator intended to deliver.
MITRE ATT&CK: T1566 - Phishing | T1608 - Stage Capabilities | T1204 - User Execution | T1547 - Boot or Logon Autostart Execution | T1555 - Credentials from Password Stores | T1539 - Steal Web Session Cookie | T1056 - Input Capture | T1027 - Obfuscated Files or Information | T1041 - Exfiltration Over C2 Channel | T1499 - Endpoint Denial of Service
Target Region: Asia
Target Country: Australia
Quantum Route Redirect Phishing Platform Streamlines Global Credential-Harvesting Campaigns
(published: November 13, 2025)
Quantum Route Redirect is a phishing platform that enables low-skill operators to run large-scale credential-theft campaigns with almost no technical overhead. First observed in August, it provides ready-made lures, hosting infrastructure and automated traffic filtering across roughly 1,000 domains. Campaigns commonly impersonate DocuSign, Microsoft 365 login pages, SharePoint file shares, payroll notifications, voicemail alerts and QR-code-based prompts. The platform identifies security scanners and automated crawlers and redirects them to benign sites, while real users are sent to credential-harvesting pages. This smart-routing approach allows many campaigns to bypass Microsoft 365 and secure email gateway inspections. Researchers have observed activity in approximately 90 countries, with the United States accounting for most of the victim traffic.
Analyst Comment: The key value for defenders is recognising how QRR shifts the balance between email filtering and identity protection. If a kit can reliably disguise itself during automated inspection, then even mature environments should expect more phishing messages to reach users. The defensive focus needs to move toward controls that still hold up after a click, including strong authentication, fast investigation of unusual login attempts and user reporting workflows that close the gap between exposure and containment. Understanding QRR’s model helps teams adapt before similar platforms become commonplace.
MITRE ATT&CK: T1566 - Phishing | T1078 - Valid Accounts | T1562 - Impair Defenses
Target Region: Americas
Lumma Stealer Adopts Browser Fingerprinting
(published: November 13, 2025)
A recent report on Lumma Stealer (also tracked as “Water Kurita”) reveals a marked resurgence in its activity, beginning the week of 20 Oct 2025, despite a prior disruption following the doxxing of its operators. The malware now supplements its traditional command and control traffic with a dedicated browser-fingerprinting endpoint (/api/set_agent), collecting system, network, hardware and browser metadata through JavaScript execution and stealthy HTTP GET and POST requests. The fingerprinting logic runs alongside older exfiltration flows, indicating an additive rather than replacement tactic. Background research confirms that Lumma operates as a malware-as-a-service platform with multiple affiliates and ongoing infrastructure instability, including outdated or degraded C2 domains.
Analyst Comment: The key shift here is that Lumma is no longer just harvesting whatever it can reach; it is actively profiling victim environments before taking action. That makes its activity quieter and more deliberate, which means defenders relying on large exfiltration events will struggle to catch it early. The initial metadata collection offers a valuable detection window if teams monitor for subtle outbound requests and build signatures around endpoints like /api/set_agent. This change also reflects a broader trend in criminal tooling where environment awareness becomes the foundation for more tailored follow-on activity, making early visibility the most effective defensive advantage.
MITRE ATT&CK: T1204.002 - User Execution: Malicious File | T1059.001 - Command and Scripting Interpreter: PowerShell | T1055.003 - Process Injection: Thread Execution Hijacking | T1217 - Browser Bookmark Discovery | T1119 - Automated Collection | T1071.001 - Application Layer Protocol: Web Protocols | T1041 - Exfiltration Over C2 Channel
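As an added example that is not part of the Anomali report, the following Python detection applies the analyst's suggestion to signature on the /api/set_agent endpoint: it parses constructed web-proxy log lines (the hostnames, IP addresses and allowlist are assumed, not indicators from the report) and raises confidence when one source issues both a GET and a POST to that path on the same host.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample web-proxy log lines for illustration (not from the Lumma report).
# Field order: timestamp source_ip method url status bytes
SAMPLE_LOG = """\
2025-10-21T09:14:02Z 10.0.5.23 GET http://cdn.lookalike.test/api/set_agent?id=7f3a 200 512
2025-10-21T09:14:03Z 10.0.5.23 POST http://cdn.lookalike.test/api/set_agent 200 2048
2025-10-21T09:15:10Z 10.0.5.40 GET https://www.example.com/index.html 200 10240
2025-10-21T09:16:44Z 10.0.5.23 POST http://cdn.lookalike.test/api/ 200 4096
2025-10-21T09:20:00Z 10.0.7.9 GET http://intranet.corp.test/api/set_agent 404 120
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)
# The fingerprinting endpoint path named in the report.
FINGERPRINT_PATH = "/api/set_agent"
# Hypothetical allowlist of internal hosts that legitimately serve a path of the same name.
ALLOWLIST_HOSTS = {"intranet.corp.test"}


def parse_line(line):
    """Return a dict of log fields, or None if the line does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_fingerprint_beacons(log_text, allowlist=ALLOWLIST_HOSTS):
    """Group requests to the fingerprinting path by source host.

    Confidence is 'high' when a source issues both a GET and a POST to the
    endpoint on the same host (the GET/POST pair described in the report),
    otherwise 'medium'.
    """
    per_src = defaultdict(lambda: {"hosts": set(), "methods": set(), "pairs": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        u = urlparse(rec["url"])
        if u.path != FINGERPRINT_PATH or u.hostname in allowlist:
            continue
        entry = per_src[rec["src"]]
        entry["hosts"].add(u.hostname)
        entry["methods"].add(rec["method"])
        entry["pairs"].add((u.hostname, rec["method"]))
    findings = {}
    for src, e in per_src.items():
        paired = any((h, "GET") in e["pairs"] and (h, "POST") in e["pairs"] for h in e["hosts"])
        findings[src] = {
            "hosts": sorted(e["hosts"]),
            "methods": sorted(e["methods"]),
            "confidence": "high" if paired else "medium",
        }
    return findings


if __name__ == "__main__":
    for src, f in find_fingerprint_beacons(SAMPLE_LOG).items():
        print(f"{src}: {f['confidence']} -> {', '.join(f['hosts'])} via {'/'.join(f['methods'])}")
```

The allowlist matters in practice: a generic path like /api/set_agent can collide with legitimate internal applications, so tune it against known-good hosts before alerting.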
Massive Fake npm-Package Flood Hits JavaScript Package Ecosystem
(published: November 13, 2025)
A sprawling and coordinated spam campaign has inundated the npm registry with tens of thousands of bogus packages under a campaign dubbed the “IndonesianFoods” worm. Researchers from Endor Labs and others report estimates ranging from 40,000 to 67,000 packages uploaded since early 2024, many following a naming pattern that pairs an Indonesian personal name with a food term. The fake packages masquerade as legitimate Next.js projects and embed a dormant JavaScript file (e.g., auto.js) that does not execute upon installation but, if manually triggered, will repeatedly publish new packages, thereby amplifying the ecosystem noise. Motives appear to include gaming dev-reward systems (e.g., TEA token harvesting) rather than immediate data theft, though the built infrastructure could be leveraged later for malicious supply-chain insertion.
Analyst Comment: While the packages are not currently delivering malware, they already function as latent footholds inside the ecosystem. If even one of these fake modules ends up in a developer’s dependency chain, it may quietly drag in many more without visibility or review. That kind of hidden sprawl is what turns a nuisance into an operational risk. The real concern is not what these packages are doing today, but what the threat actor can do once they have this footprint established. A single malicious version update could rapidly propagate through CI pipelines and production applications. Organizations should tighten dependency hygiene, alert on newly created low-reputation packages, and monitor for version changes in packages tied to this campaign. The earlier defenders take this seriously, the smaller the blast radius becomes.
MITRE ATT&CK: T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools | T1059.004 - Command and Scripting Interpreter: Unix Shell | T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1552.001 - Unsecured Credentials: Credentials In Files | T1014 - Rootkit
Target Industry: Technology
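As an added example (not code from the report, Endor Labs or npm), the following Python lockfile audit applies the analyst's advice to flag newly created low-reputation packages and recent version changes, together with the integrity-verification point from the OWASP item above. The lockfile, the registry snapshot and the package names (including the hypothetical rendang-budi-utils, constructed to resemble the name pattern) are all made up; in practice the snapshot would come from the registry's packument for each dependency.

```python
from datetime import datetime, timedelta, timezone

# Constructed package-lock.json content (lockfileVersion 3 layout), not a real project's lockfile.
LOCKFILE = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "0.1.0"},
        "node_modules/next": {"version": "14.2.3",
                              "resolved": "https://registry.npmjs.org/next/-/next-14.2.3.tgz",
                              "integrity": "sha512-CONSTRUCTED_PLACEHOLDER"},
        "node_modules/rendang-budi-utils": {"version": "1.0.3",  # constructed name; no integrity field
                                            "resolved": "https://registry.npmjs.org/rendang-budi-utils/-/rendang-budi-utils-1.0.3.tgz"},
        "node_modules/internal-widget": {"version": "2.0.0",
                                         "resolved": "https://npm.corp.test/internal-widget-2.0.0.tgz",
                                         "integrity": "sha512-CONSTRUCTED_PLACEHOLDER"},
    },
}

# Constructed registry snapshot keyed by package name, mimicking the packument fields
# (dist-tags, time, maintainers) the npm registry returns for GET /<name>.
REGISTRY = {
    "next": {"dist-tags": {"latest": "14.2.3"},
             "time": {"created": "2016-10-25T00:00:00Z", "14.2.3": "2024-04-16T00:00:00Z"},
             "maintainers": [{"name": "maint-a"}, {"name": "maint-b"}]},
    "rendang-budi-utils": {"dist-tags": {"latest": "1.0.9"},
                           "time": {"created": "2025-11-01T08:00:00Z",
                                    "1.0.3": "2025-11-03T08:00:00Z", "1.0.9": "2025-11-12T22:00:00Z"},
                           "maintainers": [{"name": "maint-c"}]},
}

AUDIT_TIME = datetime(2025, 11, 13, tzinfo=timezone.utc)  # assumed audit time


def _ts(s):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def audit_lockfile(lockfile, registry, now=AUDIT_TIME, young_days=30, recent_days=7):
    """Return (package, finding) pairs for every dependency in the lockfile."""
    findings = []
    for path, meta in lockfile["packages"].items():
        if "node_modules/" not in path:
            continue  # the "" entry is the project itself
        name = path.rsplit("node_modules/", 1)[1]  # handles nested node_modules paths
        if "integrity" not in meta:
            findings.append((name, "missing-integrity"))  # nothing pins the tarball contents
        pkg = registry.get(name)
        if pkg is None:
            findings.append((name, "no-registry-data"))  # private registry or unknown package
            continue
        if now - _ts(pkg["time"]["created"]) <= timedelta(days=young_days):
            findings.append((name, "newly-created"))
            if len(pkg.get("maintainers", [])) <= 1:
                findings.append((name, "single-maintainer"))
        latest = pkg["dist-tags"]["latest"]
        if latest != meta["version"] and now - _ts(pkg["time"][latest]) <= timedelta(days=recent_days):
            findings.append((name, "recent-version-change"))  # a fresh release is waiting to be pulled in
    return findings


if __name__ == "__main__":
    for name, code in audit_lockfile(LOCKFILE, REGISTRY):
        print(f"{name}: {code}")
```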
Kraken Ransomware Benchmarks Systems for Optimal Encryption Choice
(published: November 13, 2025)
The ransomware family known as Kraken has been observed conducting performance benchmarks on victim machines, including Windows, Linux and VMware ESXi systems, to determine whether it should carry out full or partial encryption of data. The attack chain typically begins with exploitation of internet-exposed SMB services for initial access, followed by credential theft, remote access via RDP, and deployment of tools such as Cloudflared (for reverse tunnels) and SSHFS (for data exfiltration). During the final stage the malware deletes shadow copies and recycle-bin contents, then runs modules to encrypt local drives, network shares, SQL databases or virtual disks (depending on the target environment). The benchmark routine creates a temporary file, encrypts it, measures throughput, and uses the results to decide on an encryption mode, enabling the adversary to maximise damage while reducing detection risk.
Analyst Comment: If you expose SMB or RDP, if credentials are reused, if your environment allows ad-hoc tunneling tools like Cloudflared, you are already in Kraken’s blast radius. They move through weak perimeter services, collect valid credentials, open hidden tunnels, and then pivot across Windows, Linux and ESXi without needing anything sophisticated. That is why this matters for you. It means the earliest, easiest points of failure are the ones Kraken uses every time. If you do not harden remote access, enforce MFA, restrict tunneling utilities and segment your virtual infrastructure, you are giving them the exact path they expect.
MITRE ATT&CK: T1210 - Exploitation of Remote Services | T1133 - External Remote Services | T1021.001 - Remote Services: Remote Desktop Protocol | T1021.004 - Remote Services: SSH | T1048 - Exfiltration Over Alternative Protocol | T1041 - Exfiltration Over C2 Channel | T1059 - Command and Scripting Interpreter | T1497.001 - Virtualization/Sandbox Evasion: System Checks | T1486 - Data Encrypted for Impact | T1531 - Account Access Removal
Akira RaaS Targets Virtualization Layers
(published: November 14, 2025)
Akira ransomware affiliates have shifted their focus toward virtualization infrastructure, with CISA confirming incidents where operators encrypted Nutanix AHV VM disk files after gaining access through exploited VPN appliances, SonicWall CVE-2024-40766, and weaknesses in backup platforms such as Veeam. This marks a clear expansion beyond prior targeting of VMware and Hyper-V. The group continues to rely on credential abuse, exposed remote-access services and legitimate tools including AnyDesk for lateral movement and persistence. Akira’s operations span critical infrastructure sectors including manufacturing, healthcare, finance, education and IT. With more than US$240 million in ransom proceeds, the group remains well resourced and consistently updates its intrusion methods, placing hypervisors, backup servers and remote-access gateways at heightened risk.
Analyst Comment: The important shift to understand is that Akira is no longer treating virtual environments as secondary targets. By going after Nutanix AHV directly, the group is aiming at the systems that underpin entire workloads. When a hypervisor falls, dozens of dependent services can go down with it. This should push defenders to elevate monitoring, patching and hardening around VPNs, backup infrastructure and virtual platforms, not just endpoints. Hypervisors are now part of the frontline, and ignoring them creates an easy path for high-impact ransomware events.
MITRE ATT&CK: T1078 - Valid Accounts | T1133 - External Remote Services | T1190 - Exploit Public-Facing Application | T1566.001 - Phishing: Spearphishing Attachment | T1566.002 - Phishing: Spearphishing Link | T1059.001 - Command and Scripting Interpreter: PowerShell | T1059.003 - Command and Scripting Interpreter: Windows Command Shell | T1059.005 - Command and Scripting Interpreter: Visual Basic | T1569.002 - System Services: Service Execution | T1098 - Account Manipulation | T1136.001 - Create Account: Local Account | T1136.002 - Create Account: Domain Account | T1068 - Exploitation for Privilege Escalation | T1027 - Obfuscated Files or Information | T1027.015 - Obfuscated Files or Information: Compression | T1036 - Masquerading | T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification | T1562.001 - Impair Defenses: Disable or Modify Tools | T1562.004 - Impair Defenses: Disable or Modify System Firewall | T1604 - Proxy Through Victim | T1003 - OS Credential Dumping | T1003.001 - OS Credential Dumping: LSASS Memory | T1003.002 - OS Credential Dumping: Security Account Manager | T1003.003 - OS Credential Dumping: NTDS | T1110 - Brute Force | T1110.003 - Brute Force: Password Spraying | T1555 - Credentials from Password Stores | T1555.003 - Credentials from Password Stores: Credentials from Web Browsers | T1555.004 - Credentials from Password Stores: Windows Credential Manager | T1016 - System Network Configuration Discovery | T1018 - Remote System Discovery | T1046 - Network Service Scanning | T1057 - Process Discovery | T1069.001 - Permission Groups Discovery: Local Groups | T1069.002 - Permission Groups Discovery: Domain Groups | T1082 - System Information Discovery | T1087.002 - Account Discovery: Domain Account | T1482 - Domain Trust Discovery | T1021 - Remote Services | T1021.001 - Remote Services: Remote Desktop Protocol | T1021.004 - Remote Services: SSH | T1550.002 - Use Alternate Authentication Material: Pass the Hash | T1560.001 - Archive Collected Data: Archive via Utility | T1090 - Proxy | T1105 - Ingress Tool Transfer | T1219 - Remote Access Software | T1572 - Protocol Tunneling | T1048 - Exfiltration Over Alternative Protocol | T1537 - Transfer Data to Cloud Account | T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage | T1486 - Data Encrypted for Impact | T1490 - Inhibit System Recovery | T1657 - Financial Theft
Target Industry: Manufacturing, Healthcare, Financial services, Education, Technology, Infrastructure