Daily Cyber News – November 4th, 2025
This is today’s cyber news for November 4th, 2025. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber dot news.
U S prosecutors announced charges against several security professionals accused of helping the BlackCat ransomware group carry out attacks. Investigators say the defendants shared tools, advised on how to dodge network controls, and split proceeds with the criminals. The case ties chat logs, cryptocurrency wallets, and operational artifacts to intrusions at hospitals and manufacturers. Authorities say arrests have been made and the investigation is ongoing.
Conduent confirmed a January breach that exposed personal data for more than ten million people connected to public sector and healthcare services. The company says the incident involved a third party system and included names, contact information, and some identifiers. Notifications are underway as forensics continue to narrow which programs and states were affected. The firm reports regulators have been informed and remediation steps are in progress.
Researchers detailed an espionage campaign they call Operation SkyCloak that prioritizes stealth and persistence in sensitive networks. The operators use scripted PowerShell, P O W E R S H E L L, and covert Secure Shell, S S H, tunnels to quietly maintain access and move data. Initial footholds are followed by staged scripts that hide among normal administrator activity. The investigation indicates the focus is defense and government targets, and containment actions are underway.
Attackers siphoned roughly one hundred twenty million dollars from Balancer related decentralized finance pools in a fast moving heist. The theft spanned multiple tokens and chains and routed some funds through mixers to hide the trail. Project teams urged liquidity providers to withdraw from affected pools and published addresses linked to the exploit. Exchanges and investigators began freezing assets while tracing transactions in real time.
A malicious Solidity extension for Visual Studio Code compatible editors on the Open V S X registry planted a backdoor dubbed SleepyDuck. The package posed as a popular toolchain, gathered environment details and credentials, and then waited for commands from attacker servers. Thousands of downloads occurred before the listing was removed, and mirrors may still carry copies. Advisories recommend removing the extension and rotating developer secrets while cleanup continues.
Google pushed a stable Chrome update addressing two high severity bugs in the V8 engine. The flaws could be triggered by crafted web pages, enabling code execution against users who have not yet updated. Rollouts have begun across desktop platforms and enterprise channels, and organizations are urged to verify the new build number on managed devices. Administrators report automatic updates are progressing, with manual installs available for lagging fleets.
A sprawling “Ghost Network” on YouTube used more than three thousand tutorial style videos to funnel viewers to information stealing malware. Operators dressed up cracked software guides and optimizer tips, then redirected clicks to booby trapped downloads hosted off platform. The scheme ran for months before a coordinated takedown removed channels and blocked many of the links that sustained the campaign. Some domains quickly reappeared, indicating the operation is trying to regenerate reach.
Proton said it uncovered roughly three hundred million stolen credentials circulating on criminal markets and forums. The trove blends logs from multiple malware families with data from older breaches, including email and service logins paired with device fingerprints, raising the odds of account takeover against popular services. Notifications went to major platforms and users were urged to enable multi factor authentication, M F A, and reset reused passwords. Investigators noted recent timestamps in some logs, suggesting active compromise windows.
Researchers warned that hundreds of Android apps misused near field communication, N F C, features to read or relay payment card data. Several families masqueraded as wallet helpers and utilities while requesting broad device permissions and phoning home to attacker servers. Removals began in official stores, but sideload sites continued to host risky variants that can skim details during taps. Payment networks issued general guidance and urged users to stick to trusted apps.
A refreshed BankBot mobile trojan spread through look alike apps that imitate local banks and delivery services in Indonesia. Once installed, it overlays login screens, intercepts one time passcodes, and siphons contact lists to fuel new waves of messages. Distribution relied on smishing links and third party app stores, which helped the campaign bypass official protections. Financial institutions reported account drain cases and warned customers to avoid unofficial downloads.
Researchers reported a spyware toolkit named Dante appearing in new phishing campaigns worldwide. The tool provides remote control, file search, and screenshot capture while using staged updates to avoid attention. Targets included journalists, dissidents, and business leaders across several regions, with some binaries signed to look legitimate. Investigations continue as providers block infrastructure and victims receive remediation guidance.
Analysts in Korea observed the Kimsuky group sending spear phishing emails that masqueraded as a virtual private network, V P N, invoice. The lure installed a lightweight backdoor called HttpTroy that gathered host details, listed files, and executed commands. Traffic blended into normal web patterns, helping the actors persist inside telecommunications and research networks. Authorities and response teams are sharing indicators and urging stricter mail filtering.
Investigators documented real time deepfakes used by North Korean operatives to pass remote job interviews for crypto roles. The actors matched resumes to stolen profiles and used face mapped avatars with voice cloning to gain access. Some startups and outsourced development shops reported access to repositories and cloud dashboards before anomalies raised suspicion. Companies are adding identity checks and hardware backed keys to onboarding.
A long pursued developer linked to the Jabber Zeus banking malware was extradited to the United States. Authorities connected the individual to code and infrastructure used to siphon credentials and wire funds. The case merges earlier warrants and includes evidence collected with partner agencies overseas. Court proceedings are expected, and financial sector teams are refreshing legacy indicators.
New research compared how attackers exploit the device code flow in sign in systems from Microsoft and Google. Differences in prompts, rate limits, and detection hooks change the friction attackers feel and what defenders can see. In the wild, phishing kits automate the flow and exchange codes for tokens within seconds. Vendors issued guidance while organizations tune conditional access and monitoring for rapid token issuance.
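The device code abuse above has a telltale shape: the phishing kit requests the code from its own server, the victim authenticates from somewhere else, and the kit redeems the token seconds later. The following is an added example of that detection logic written for this brief; it is not code from the researchers or from either vendor. The sign-in records are constructed and vendor neutral, so the field names (event kind, code_id, ip) are assumptions; map them onto whatever your identity provider actually logs.

```python
"""Flag device-code-flow sign-ins that match the phishing-kit pattern.

Added example for this newsletter, not vendor code. The telemetry schema below
is an assumption: three events per flow, correlated by code_id.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class SignInEvent:
    ts: datetime            # when the identity provider recorded the step
    kind: str               # "device_code_requested" | "user_authenticated" | "token_issued"
    code_id: str            # correlates the steps of one device-code flow
    ip: str                 # source address of this step
    user: Optional[str] = None


T0 = datetime(2025, 11, 4, 9, 0, 0)

# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # Flow A: the kit asks for a code from its server, relays it to the victim, who
    # signs in from home; the kit polls and receives the token 20 s after it started.
    SignInEvent(T0, "device_code_requested", "dc-a1", "203.0.113.10"),
    SignInEvent(T0 + timedelta(seconds=14), "user_authenticated", "dc-a1", "198.51.100.7", "pat@example.com"),
    SignInEvent(T0 + timedelta(seconds=20), "token_issued", "dc-a1", "203.0.113.10", "pat@example.com"),
    # Flow B: an engineer logs a CLI in from one workstation; 75 s end to end.
    SignInEvent(T0 + timedelta(minutes=5), "device_code_requested", "dc-b2", "192.0.2.44"),
    SignInEvent(T0 + timedelta(minutes=6, seconds=10), "user_authenticated", "dc-b2", "192.0.2.44", "sam@example.com"),
    SignInEvent(T0 + timedelta(minutes=6, seconds=15), "token_issued", "dc-b2", "192.0.2.44", "sam@example.com"),
    # Flow C: a code that was requested but never redeemed; nothing to flag.
    SignInEvent(T0 + timedelta(minutes=9), "device_code_requested", "dc-c3", "192.0.2.45"),
]


def group_flows(events):
    """Collect the steps of each flow: {code_id: {kind: event}}."""
    flows = {}
    for e in events:
        flows.setdefault(e.code_id, {})[e.kind] = e
    return flows


def flag_suspicious_device_code_flows(events, max_seconds=30):
    """Return {code_id: [reasons]} for completed flows that look kit-driven."""
    findings = {}
    for code_id, steps in group_flows(events).items():
        req = steps.get("device_code_requested")
        auth = steps.get("user_authenticated")
        tok = steps.get("token_issued")
        if not (req and auth and tok):
            continue  # incomplete flow: no token was ever issued
        reasons = []
        # Strong signal: in a legitimate CLI login the machine that requested the
        # code is the machine the human authenticates from. A kit breaks that link.
        if req.ip != auth.ip:
            reasons.append(f"code requested from {req.ip} but authenticated from {auth.ip}")
        if tok.ip != auth.ip:
            reasons.append(f"token redeemed from {tok.ip}, not the authenticating address {auth.ip}")
        # Weaker signal: request-to-token in seconds is what automated relaying looks
        # like; on its own it is noisy, so treat it as corroboration.
        elapsed = (tok.ts - req.ts).total_seconds()
        if elapsed <= max_seconds:
            reasons.append(f"code requested and token issued within {elapsed:.0f}s")
        if reasons:
            findings[code_id] = reasons
    return findings


if __name__ == "__main__":
    for code_id, reasons in flag_suspicious_device_code_flows(SAMPLE_EVENTS).items():
        print(code_id, "->", "; ".join(reasons))
```

Running it flags only flow A, with the address mismatch on both the request and the redemption plus the twenty second completion. The timing threshold is deliberately a secondary signal: a real user who has the CLI open can finish in under thirty seconds too, so alert on the address mismatch and use the elapsed time to rank, not to decide.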
Researchers found phishers hosting convincing login pages on Cloudflare Pages and Zendesk subdomains. Victims landed on look alike portals for webmail and software as a service, then entered credentials that were relayed in real time. Some kits proxied sessions to capture multi factor prompts and cookie tokens for reuse. Cleanup is ongoing as teams tighten allowlists and block newly seen subdomains.
Multiple case reports describe the same post compromise playbook after a cloud account takeover. Attackers enumerate tenant directories and inbox rules, then stage business email compromise by impersonating finance staff. The activity uses built in features, including hidden forwarding and mailbox searches for invoices, to avoid obvious alerts. Remediation emphasizes token rotation, rule cleanup, and verified callbacks for payment changes.
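The rule cleanup step above is easy to do badly, because the malicious rules are built to look boring. The following is an added example of an inbox rule audit written for this brief; it is not code from any of the case reports or from a mail vendor. The rule records are constructed and the field names (forward_to, move_to, subject_contains) are assumptions standing in for whatever your platform's export produces.

```python
"""Audit exported inbox rules for the BEC staging pattern: external forwarding,
hidden destination folders, blank names, and finance keyword filters.

Added example for this newsletter; the record layout is an assumption.
"""

INTERNAL_DOMAINS = {"example.com"}
# Folders attackers use to park forwarded or stolen mail where nobody looks.
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                "junk email", "deleted items", "archive"}
FINANCE_TERMS = {"invoice", "payment", "wire", "remittance", "ach", "bank"}

# Constructed rule export (not real data).
SAMPLE_RULES = [
    {"mailbox": "cfo@example.com", "name": "..", "enabled": True,
     "conditions": {"subject_contains": ["invoice", "wire"]},
     "actions": {"forward_to": ["ap-review@outlook-mail.example.net"],
                 "move_to": "RSS Feeds", "mark_read": True}},
    {"mailbox": "cfo@example.com", "name": "Newsletters", "enabled": True,
     "conditions": {"from_contains": ["news@vendor.example.com"]},
     "actions": {"move_to": "Newsletters"}},
    {"mailbox": "ap@example.com", "name": "Backup to assistant", "enabled": True,
     "conditions": {}, "actions": {"forward_to": ["assistant@example.com"]}},
    {"mailbox": "ap@example.com", "name": "Old", "enabled": False,
     "conditions": {"subject_contains": ["payment"]}, "actions": {"delete": True}},
]


def _domain(address):
    return address.rsplit("@", 1)[-1].strip().lower()


def audit_inbox_rule(rule, internal_domains=INTERNAL_DOMAINS):
    """Return a list of reasons this rule deserves a human look (empty if none)."""
    reasons = []
    if not rule.get("enabled", True):
        return reasons  # a disabled rule does nothing; review it in a separate pass
    actions = rule.get("actions", {})
    conditions = rule.get("conditions", {})

    # Forwarding or redirecting outside the organisation is the core of the playbook.
    targets = actions.get("forward_to", []) + actions.get("redirect_to", [])
    external = [t for t in targets if _domain(t) not in internal_domains]
    if external:
        reasons.append("forwards to external address(es): " + ", ".join(external))

    # Attackers name rules ".", "..", "-" or leave them blank so they blend in.
    name = rule.get("name", "").strip()
    if len(name) <= 2 or set(name) <= set(".-_ "):
        reasons.append("rule name is blank or just punctuation")

    destination = actions.get("move_to")
    if destination and destination.strip().lower() in HIDE_FOLDERS:
        reasons.append(f"moves matching mail to a rarely viewed folder: {destination}")
    if actions.get("delete"):
        reasons.append("deletes matching mail")

    # A finance keyword filter combined with hiding or forwarding is invoice hunting.
    terms = conditions.get("subject_contains", []) + conditions.get("body_contains", [])
    hits = [t for t in terms if t.lower() in FINANCE_TERMS]
    if hits and (external or destination or actions.get("delete")):
        reasons.append("filters finance keywords and hides or forwards the result: " + ", ".join(hits))
    return reasons


def audit_mailboxes(rules):
    """Map (mailbox, rule name) to reasons for every rule that trips a check."""
    findings = {}
    for rule in rules:
        reasons = audit_inbox_rule(rule)
        if reasons:
            findings[(rule["mailbox"], rule.get("name", ""))] = reasons
    return findings


if __name__ == "__main__":
    for (mailbox, name), reasons in audit_mailboxes(SAMPLE_RULES).items():
        print(f"{mailbox} rule {name!r}:")
        for r in reasons:
            print("  -", r)
```

Only the CFO's two-dot rule trips the checks, and it trips all four, which is the usual picture: one rule that filters on invoice terms, forwards externally, files the copy under RSS Feeds and marks it read. Run the audit before rotating tokens as well as after, since the attacker's rules survive a password reset.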
Follow up reporting on Operation SkyCloak shows expanded persistence with scheduled tasks and covert Secure Shell, S S H, tunnels. Operators drop obfuscated PowerShell, P O W E R S H E L L, scripts that blend with administrator activity and mask lateral movement. The focus remains defense and government networks where help desk patterns can hide long lived access. Organizations are enabling tighter script logging and blocking unsanctioned clients.
As infrastructure takedowns began, the SkyCloak operators rotated to fresh command and control domains. New certificates and hostnames mimicked software update sites, and some implants attempted domain fronting to slip past simple filters. Telemetry linked registrar accounts and reused contact details despite the pivots. Providers are adding behavioral detections while threat intel distributes new indicators.
Analysts suspect a SkyCloak loader is piggybacking on commercial remote management tools via plugin folders. The method installs lightweight launchers under legitimate service names, granting persistence that looks like routine support work. Targets include defense contractors and government suppliers that rely on outsourced information technology. Vendors issued guidance on plugin integrity checks as customers audit service accounts.
That’s the BareMetalCyber Daily Brief for November 4th, 2025. For more, visit BareMetalCyber dot com. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber news dot com. We’re back tomorrow.