Anomali Cyber Watch: ShadowPad Backdoor, Password Strength Analysis, HashJack, FlexibleFerret, and More
ShadowPad Operators Exploit Recently Patched WSUS RCE to Achieve SYSTEM-Level Access
(published: November 28, 2025)
Researchers report that a recently patched remote code execution flaw in Microsoft Windows Server Update Services (CVE-2025-59287) is being actively exploited to deploy the ShadowPad backdoor. Threat actors are targeting unpatched WSUS servers, using the vulnerability to obtain SYSTEM-level access. After gaining control, the attackers execute PowerCat to establish an interactive shell and retrieve additional components using certutil and curl before deploying ShadowPad through DLL sideloading, pairing the legitimate ETDCtrlHelper.exe with a malicious DLL. The backdoor creates persistence under service-like names and initiates command-and-control communication. The attack chain and tooling align with patterns previously associated with ShadowPad-linked intrusion activity.
Analyst Comment: This activity highlights how a single missed patch on a high-privilege service can hand attackers complete control of a network. WSUS sits at the center of Windows administration, so exploiting this flaw gives intruders SYSTEM-level access and the ability to deploy a mature backdoor like ShadowPad with very little resistance. The techniques observed here also provide defenders with clear detection points, including unexpected PowerCat usage, certutil or curl fetching external files, and suspicious DLL pairings beside trusted executables. The most important takeaway is that this intrusion chain is fully preventable: the vulnerability is already patched, and unprotected WSUS servers are the only viable targets. Organizations should verify patch status immediately, lock down access to update infrastructure, and review logs for any remote shell activity or signs of sideloaded DLLs.
MITRE ATT&CK: T1190 - Exploit Public-Facing Application | T1059.003 - Command and Scripting Interpreter: Windows Command Shell | T1059.005 - Command and Scripting Interpreter: Visual Basic | T1574.002 - Hijack Execution Flow: Dll Side-Loading | T1105 - Ingress Tool Transfer | T1543.003 - Create or Modify System Process: Windows Service | T1219 - Remote Access Software | T1071.001 - Application Layer Protocol: Web Protocols
Password Strength Analysis Through Social Network Data Exposure
(published: November 28, 2025)
A new research paper demonstrates that publicly available personal data meaningfully weakens user-created passwords. By reconstructing personal details from social media activity, the researchers show that attackers can dramatically narrow their guessing space, even when passwords appear syntactically strong. Traditional strength meters fail to detect this weakness because they cannot evaluate the underlying semantic links between the user and their chosen password. The authors also show that LLM-generated passwords consistently outperform human-created ones, largely because they avoid personal bias. The study concludes that the real issue is not complexity rules but the overlap between a user’s digital footprint and their password choices. The work highlights that educating people about oversharing is important for overall security, while stronger technical controls such as generators, password managers, and semantic-aware filtering offer more dependable support for reducing predictable password patterns.
Analyst Comment: The key value for defenders is understanding where policy can and cannot help. You cannot realistically prevent staff from using personal themes in passwords, because most personal details sit outside the company’s visibility. What you can do is treat online footprint exposure as part of the attack surface and communicate why oversharing fuels attacker workflows far beyond passwords alone. This improves cooperation with stronger controls. The technical fix is clear: remove human bias by enforcing password generators, password managers, and checks that block any password tied to corporate or user-known attributes. Education builds understanding, but controls provide protection.
HashJack: First Known URL-Fragment Indirect Prompt Injection Targets AI Browsers
(published: November 25, 2025)
Researchers detailed a new attack method called HashJack, the first documented indirect prompt injection delivered through URL fragments. Attackers add hidden instructions after the “#” in a legitimate link, allowing AI-powered browser assistants to read and act on those instructions even though the website itself is safe. When a user opens the link, the AI assistant ingests the full URL, interprets the fragment as part of the user’s intent, and can be manipulated to redirect the user, fabricate “security advice,” or surface attacker-controlled content. This turns trusted domains into delivery vehicles without any compromise of the site or its infrastructure. Because the entire attack occurs on the client side, server logs, web filters, and traditional URL-inspection controls provide no visibility or protection. Major browser vendors have begun deploying mitigations, but AI-browsing features remain an exposed and fast-moving attack surface.
Analyst Comment: The critical point for defenders is that HashJack requires nothing more than a user clicking a legitimate link with a malicious fragment appended. From there, the AI assistant does the attacker’s work by obediently executing hidden instructions the user never sees. This can result in convincing phishing prompts, silent redirections, or false “insights” that appear to come from a trusted site. The browser shows a real domain, the content looks normal, and yet the AI assistant becomes an interpreter for attacker-supplied commands. This changes the threat model entirely: AI helpers are no longer passive UI features but active processing layers that can be steered through URL metadata. Any environment allowing AI-augmented browsing should treat these assistants as high-risk until vendors fully isolate or sanitize what they ingest from URLs.
MITRE ATT&CK: T1566 - Phishing | T1204.001 - User Execution: Malicious Link | T1659 - Content Injection | T1598 - Phishing For Information
Critical FlexibleFerret macOS Malware Update
(published: November 25, 2025)
A newly refined macOS malware chain dubbed FlexibleFerret, part of the long-running “Contagious Interview” operation, has been observed exploiting fake job-interview lures to infect victims. Attackers typically pose as recruiters, leading candidates to bogus platforms that then direct them to run a curl command in Terminal under the guise of a “software update.” The malware proceeds via a multi-stage shell script that delivers a Go-based backdoor (named “CDrivers”), implants persistence via a LaunchAgent, and displays decoy Chrome-style permission and password prompts to harvest credentials. Once installed, FlexibleFerret allows remote attackers to collect system details, execute commands, upload/download files, and extract browser data, effectively converting the device into a long-term foothold.
Analyst Comment: FlexibleFerret’s real strength is not technical sophistication, but the way it weaponizes trust. The entire chain depends on convincing a victim to run a Terminal command as part of a fake recruitment process, which neatly sidesteps macOS hardening rather than defeating it. Defenders should focus on the execution pathway: block or alert on curl-initiated script downloads, unexpected LaunchAgents, and newly signed or recently revoked developer certificates. Just as importantly, organizations should educate staff and applicants that legitimate recruiters never require shell commands or “verification tools.” The main insight here is that macOS compromise increasingly comes from manipulating user behavior rather than exploiting software flaws, and FlexibleFerret is a textbook example of how attackers turn trust into code execution.
MITRE ATT&CK: T1566.002 - Phishing: Spearphishing Link | T1204.001 - User Execution: Malicious Link | T1059.004 - Command and Scripting Interpreter: Unix Shell | T1106 - Native Api | T1543.001 - Create or Modify System Process: Launch Agent | T1548.004 - Abuse Elevation Control Mechanism: Elevated Execution With Prompt | T1056.002 - Input Capture: Gui Input Capture | T1082 - System Information Discovery | T1083 - File And Directory Discovery | T1005 - Data From Local System | T1071.001 - Application Layer Protocol: Web Protocols | T1041 - Exfiltration Over C2 Channel
Shai-Hulud 2.0 Supply-Chain Malware Escalates to Cloud and CI/CD Compromise
(published: November 27, 2025)
Shai-Hulud 2.0 marks a significant escalation in npm-based supply-chain attacks by shifting from simple package tampering to direct compromise of cloud and developer systems. The malware steals AWS, GCP, Azure, GitHub, and npm credentials during package installation and immediately uses them to backdoor additional packages, causing a self-propagating “worm-like” spread across the ecosystem. Researchers report that hundreds of packages and tens of thousands of repositories were affected. The campaign’s most critical development is its ability to breach CI/CD pipelines and cloud environments through stolen secrets embedded in build systems, turning trusted developer workflows into entry points for further compromise.
Analyst Comment: The key point to understand is that Shai-Hulud 2.0 is no longer just tampering with packages; it turns the entire development pipeline into an access vector. A single install can leak cloud keys or developer tokens, and those stolen credentials are then used to corrupt more packages and pivot into cloud environments. The strongest defense is removing long-lived secrets from build systems, isolating CI/CD runners, and enforcing strict publishing controls on npm and GitHub accounts. If your build process treats dependencies as inherently trusted, this campaign shows why that assumption is dangerous.
MITRE ATT&CK: T1195.001 - Supply Chain Compromise: Compromise Software Dependencies And Development Tools | T1059.004 - Command and Scripting Interpreter: Unix Shell | T1552 - Unsecured Credentials | T1567.002 - Exfiltration Over Web Service: Exfiltration To Cloud Storage | T1526 - Cloud Service Discovery | T1538 - Cloud Service Dashboard | T1580 - Cloud Infrastructure Discovery
Target Industry: Technology
ClickFix Campaign Uses Fake System Screens and Image-Based Payloads to Deliver Infostealers
(published: November 25, 2025)
A new wave of the ClickFix campaign is using highly polished fake system pages, including Windows Update screens, CAPTCHA checks, and security-verification prompts, to trick users into running attacker-supplied commands. Once executed, the command retrieves a PNG image containing embedded shellcode that is decoded directly in memory, leading to the installation of infostealers such as LummaC2 and Rhadamanthys. Recent public analysis shows that the operators are iterating rapidly, refining their lure designs and adding guided on-screen instructions to increase user compliance. The combination of convincing visuals, clipboard-driven execution, and image-steganography allows the campaign to evade traditional signature-based defenses and rely heavily on social engineering rather than software exploits.
Analyst Comment: The enduring success of ClickFix rests on a simple truth: the user, not the system, is the entry point. The operators have turned infection into a guided experience, using familiar-looking update and verification screens to convince victims to paste commands without hesitation. Their ongoing A/B-style refinement shows a clear intent to reduce friction and boost compliance, making the campaign feel more like a polished onboarding flow than a malware delivery chain. The core insight for defenders is that there is no exploit to patch; the tactic works because users trust what looks legitimate. Raising awareness around any webpage that asks for command execution, and tightening monitoring around browser-to-shell behaviors, is likely to be more effective than relying on signatures alone.
MITRE ATT&CK: T1566.002 - Phishing: Spearphishing Link | T1204.001 - User Execution: Malicious Link | T1204.002 - User Execution: Malicious File | T1059 - Command And Scripting Interpreter | T1620 - Reflective Code Loading | T1027 - Obfuscated Files Or Information | T1140 - Deobfuscate/Decode Files Or Information | T1555 - Credentials From Password Stores | T1005 - Data From Local System | T1041 - Exfiltration Over C2 Channel
UK Outlines Key Provisions Planned for the Cyber Security and Resilience Bill
(published: November 28, 2025)
The UK government has released a detailed clarification of the measures it intends to include in the upcoming Cyber Security and Resilience Bill, expanding on earlier policy signals by setting out the specific regulatory powers and obligations that may apply once the legislation is passed. The update outlines planned mandatory cybersecurity standards for essential digital services, enhanced regulator authority to conduct security audits, compulsory incident reporting requirements, and strengthened oversight of managed service providers. It also highlights the government’s intention to introduce board-level accountability and clearer security expectations for suppliers. Although the Bill remains at an early stage in Parliament, this announcement provides the most concrete description to date of how the government plans to enforce national cyber resilience requirements.
Analyst Comment: This update matters because it clarifies what “tighter scrutiny” is expected to look like if the Bill becomes law. The government has now described the obligations organizations should prepare for, and the effects will reach beyond UK-based companies. Any supplier, partner, or service provider supporting UK organizations will likely be drawn into similar assurance expectations as regulators push for clearer visibility across the supply chain. In practice, organizations should expect more explicit contractual requirements and a greater need to demonstrate the maturity of their controls, reporting processes, and supplier oversight. If these changes apply to your environment, the most effective step now is to assess whether internal governance and third-party arrangements could withstand formal inspection once the Bill progresses. Preparing early will reduce operational pressure later in the legislative process.
Scattered LAPSUS$ Hunters Target Zendesk Users
(published: November 28, 2025)
The cybercriminal collective Scattered LAPSUS$ Hunters (SLH) is suspected of expanding its campaign to target users of Zendesk, a cloud-based customer support platform that companies use to manage help-desk tickets, authenticate support agents, and communicate with customers. Because Zendesk often integrates with corporate SSO and handles sensitive service interactions, it presents a valuable entry point for attackers. Researchers identified more than 40 typosquatted or impersonating domains mimicking real Zendesk environments. Some host fake SSO pages to steal credentials, while others are used to submit fraudulent support tickets to legitimate portals with the aim of delivering malware, including remote-access tools, to help-desk or support staff.
Analyst Comment: The key insight here is that SLH is not exploiting technical flaws in Zendesk but the trust baked into support operations. By cloning SSO portals and injecting malicious tickets, they are trying to compromise organizations through the very workflows meant to help customers. Defenders should treat platforms like Zendesk and similar SaaS support tools as part of the core attack surface, not peripheral tooling. A practical step is to deploy proactive domain monitoring and DNS filtering to detect and block typosquatted domains before they can be weaponized. Prefer phishing-resistant MFA such as security keys for Zendesk admin and support accounts, avoid SMS-only codes where possible, and enable IP allowlisting and tighter session controls where feasible. Finally, heighten inspection of support tickets that request urgent system changes or credential resets, since these are likely pretexts for delivering malware or harvesting credentials.
MITRE ATT&CK: T1566 - Phishing | T1078 - Valid Accounts | T1195 - Supply Chain Compromise | T1213 - Data From Information Repositories | T1567 - Exfiltration Over Web Service
Target Industry: Technology , Commercial
CISA Warns of Active Spyware Campaigns Targeting Signal and WhatsApp Users
(published: November 25, 2025)
CISA has issued an alert describing active campaigns in which multiple threat actors, including state-sponsored groups, are deploying commercial spyware and remote access trojans to compromise users of messaging applications such as Signal and WhatsApp. The campaigns use malicious installers, spoofed updates, zero-click exploits, and abuse of legitimate features like QR-based device linking to gain unauthorized access. Once installed, the spyware provides persistent surveillance capabilities that can capture messages, files, device activity, and account data. CISA reports that the primary targets include government officials, military personnel, political dissidents, journalists, and civil society members across the United States, Europe, and the Middle East. The agency has released detailed mobile security recommendations advising users to restrict sideloading, review device permissions, validate QR codes, and monitor for unexpected linking prompts.
Analyst Comment: Although the campaigns center on government, military, and civil-society figures, CISA makes clear the targeting is also opportunistic, meaning anyone who can be persuaded to install a fake update, sideload an app, or scan a malicious QR code is at risk. The attackers are not breaking encryption; they are bypassing it by compromising the device before Signal or WhatsApp ever protect the data. The strongest defense is treating any request to scan a QR code for account linking, install app updates outside official stores, or grant unexpected permissions as hostile until proven otherwise. Users should consult CISA's Mobile Communications Best Practice Guidance, disable Android's 'Install from Unknown Sources' setting, keep all apps and OS versions current, and periodically review linked devices in app settings to detect unauthorized pairings.
MITRE ATT&CK: T1204 - User Execution | T1203 - Exploitation For Client Execution | T1412 - Capture Sms Messages | T1547 - Boot Or Logon Autostart Execution | T1620 - Reflective Code Loading | T1517 - Access Notifications | T1592 - Gather Victim Host Information | T1105 - Ingress Tool Transfer | T1071 - Application Layer Protocol | T1041 - Exfiltration Over C2 Channel
Target Region: Americas
Target Country: United states
CrowdStrike Insider Leaks Internal Screenshots to Hacker Group
(published: November 21, 2025)
CrowdStrike confirmed that a “suspicious insider” shared screenshots of internal systems with a hacking collective known as Scattered Lapsus$ Hunters, who later published them on Telegram. The images showed internal dashboards, including an Okta Single-Sign-On portal, Falcon platform navigation elements, and links to internal resources, but no customer data or backend access. CrowdStrike says the activity was limited to screenshots and that no systems were breached. ShinyHunters claimed they paid the insider twenty-five thousand dollars for the images and attempted to purchase internal CrowdStrike reports on investigations into ShinyHunters and Scattered Spider, which they did not receive. CrowdStrike stated the insider had already been separated from the company, and the incident has been escalated to law enforcement.
Analyst Comment: ShinyHunters openly told reporters they offered the insider twenty-five thousand dollars for access to CrowdStrike’s network and even tried to buy internal reports about their own activity. That is the real warning. Threat groups are no longer relying solely on technical intrusion; they are actively recruiting, bribing, and financially incentivizing employees on the inside. What many organizations underestimate is just how common these recruitment attempts have become. Groups like Medusa, LockBit affiliates, and various extortion crews routinely approach staff across tech, media, finance, and healthcare, often offering sums that can easily tempt someone under pressure. If someone at a mature security company can be targeted, the same pressure exists in every environment. The takeaway for you is straightforward: insider risk is now an access-as-a-service economy, and ignoring it gives adversaries the easiest possible path in. Strengthen privilege controls, tighten behavioral monitoring, and create an environment where unusual activity is noticed quickly.
MITRE ATT&CK: T1113 - Screen Capture | T1078 - Valid Accounts
Target Industry: Technology
Target Region: Northern-america
Target Country: United states
Discover More About Anomali
Get the latest news about cybersecurity, threat intelligence, and Anomali's Security and IT Operations platform.
Propel your mission with amplified visibility, analytics, and AI.
Learn how Anomali can help you cost-effectively improve your security posture.
