Microsoft Patch Tuesday for November 2025 — Snort rules and prominent vulnerabilities

Microsoft has released its monthly security update for November 2025, which includes 63 vulnerabilities affecting a range of products, including 5 that Microsoft marked as “critical.” Current intelligence shows that one of the important vulnerabilities, CVE-2025-62215, has already been detected in the wild. 

Of the five “critical” entries, three are remote code execution (RCE) vulnerabilities, in GDI+, Microsoft Office, and Visual Studio; one is an elevation of privilege vulnerability in the DirectX Graphics Kernel; and one is an information disclosure vulnerability in Nuance PowerScribe 360.

In the following sections we give a concise overview of the critical and important entries that are most relevant to defenders. The full catalogue of all reported issues can be found on Microsoft’s official update page.

Exploited in the Wild 

One “important” vulnerability was confirmed to have been exploited in the wild. 

CVE-2025-62215 is a Windows Kernel elevation of privilege vulnerability, given a CVSS 3.1 score of 7.8, where a race condition in the Windows Kernel allows an authorized attacker to elevate privileges locally. Microsoft assessed that the attack complexity is “low”.

Critical Vulnerabilities 

None of the critical vulnerabilities was labelled “exploitation more likely”; all five are rated “exploitation less likely”. Each of the five is described below.

CVE-2025-60724 is an RCE vulnerability in GDI+, given a CVSS 3.1 score of 9.8, where a heap-based buffer overflow in the Microsoft Graphics Component allows an unauthorized attacker to execute code over a network. The vulnerability can be triggered by convincing a victim to download and open a document that contains a specially crafted metafile. In the worst-case scenario, an attacker could trigger this vulnerability on web services by uploading documents containing a specially crafted metafile, without user interaction. The attacker doesn’t require any privileges on the systems hosting the web services. Successful exploitation could cause RCE or information disclosure on web services that parse documents containing a specially crafted metafile, without the involvement of a victim user. Microsoft assessed that the attack complexity is “low”, and that exploitation is “less likely”.

CVE-2025-30398 is a Nuance PowerScribe 360 information disclosure vulnerability, given a CVSS 3.1 score of 8.1, where missing authorization in Nuance PowerScribe allows an unauthorized attacker to disclose information over a network. An unauthenticated attacker could exploit this vulnerability by making an API call to a specific endpoint. The attacker could then use the data to gain access to sensitive information (including PII data) on the server. Microsoft assessed that the attack complexity is “low”, and that exploitation is “less likely”.

CVE-2025-62199 is an RCE vulnerability in Microsoft Office applications, given a CVSS 3.1 score of 7.8, where a use-after-free flaw in Microsoft Office allows an unauthenticated attacker to execute code locally on a vulnerable workstation. To exploit this vulnerability, an attacker must send the user a malicious file and convince them to open it. Microsoft assessed that the attack complexity is “low”, and that exploitation is “less likely”.

CVE-2025-60716 is a DirectX Graphics Kernel elevation of privilege vulnerability, given a CVSS 3.1 score of 7, where a use-after-free flaw in Windows DirectX allows an authorized attacker to elevate privileges locally. Successful exploitation of this vulnerability requires an attacker to win a race condition. Microsoft assessed that the attack complexity is “high”, and that exploitation is “less likely”.

CVE-2025-62214 is an RCE vulnerability in Visual Studio, given a CVSS 3.1 score of 6.7, where AI command injection in Visual Studio allows an authorized attacker to execute code locally. Exploitation is not trivial for this vulnerability, as it requires multiple steps: prompt injection, Copilot Agent interaction, and triggering a build. Microsoft assessed that the attack complexity is “high”, and that exploitation is “less likely”.

Important Vulnerabilities 

Talos would also like to highlight the following “important” vulnerabilities, as Microsoft has determined that their exploitation is “more likely”:

  • CVE-2025-59512 – Customer Experience Improvement Program (CEIP) Elevation of Privilege Vulnerability
  • CVE-2025-60705 – Windows CSC Service Elevation of Privilege Vulnerability
  • CVE-2025-60719 – Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
  • CVE-2025-62217 – Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
  • CVE-2025-62213 – Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.   

In response to these vulnerability disclosures, Talos is releasing a new Snort ruleset that detects attempts to exploit some of them. Please note that additional rules may be released at a future date, and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Ruleset customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 65496-65501, 65507-65510. There are also these Snort 3 rules: 301343-301345, 301347, 301348.  

What is the Pixnapping vulnerability, and how to protect your Android smartphone? | Kaspersky official blog

Android constantly tightens app restrictions to prevent scammers from using malicious software to steal money, passwords, and users’ private secrets. However, a new vulnerability dubbed Pixnapping bypasses every protective layer and allows an attacker to imperceptibly read image pixels from the screen — essentially taking a screenshot. A malicious app with zero permissions can see passwords, bank account balances, one-time codes, and anything else the owner views on the screen. Fortunately, Pixnapping is currently a purely research-based project and is not yet being actively exploited by threat actors. The hope is that Google will thoroughly patch the vulnerability before the attack code is integrated into real-world malware. As of now, the Pixnapping vulnerability (CVE-2025-48561) likely affects all modern Android smartphones, including those running the latest Android versions.

Why screenshots, media projection and screen reading are dangerous

As demonstrated by the SparkCat OCR stealer we discovered, threat actors have already mastered image processing. If an image on a smartphone contains a valuable piece of information, the malware can detect it, perform optical character recognition directly on the phone, and then exfiltrate the extracted data to the attacker’s server. SparkCat is particularly noteworthy because it managed to infiltrate official app marketplaces including the App Store. It would not be difficult for a malicious Pixnapping-enabled app to replicate this trick, especially given that the attack requires zero special permissions. An app that appears to offer a legitimate, useful feature could simultaneously and silently send one-time multi-factor authentication codes, cryptowallet passwords, and any other information to scammers.

Another popular tactic used by malicious actors is to view the required data as it’s shown, in real-time. For this social engineering approach, the victim is contacted via a messaging app and, under various pretexts, convinced to enable screen sharing.

Anatomy of the Pixnapping attack

The researchers were able to screenshot content from other apps by combining previously known methods of stealing pixels from browsers and from ARM phone graphics processing units (GPUs). The attacking app silently overlays translucent windows atop the target information and then measures how the video system combines the pixels of these layered windows into a final image.

As far back as 2013, researchers described an attack that allowed one website to load another within part of its own window (via an iframe) and, by performing legitimate operations of image layering and transformation, infer exactly what was drawn or written on the other site. While modern browsers have mitigated that specific attack, a group of U.S. researchers have now figured out how to apply the same core principle to Android.

The malicious app first sends a system call to the target app. In Android, this is known as an intent. Intents typically enable not only simple app launching but also things like immediately opening a browser to a specific URL or a messaging app to a specific contact’s chat. The attacking app sends an intent designed to force the target app to draw the sensitive information onto the screen. Special hidden launch flags are used. The attacking app then sends a launch intent to itself. This specific combination of actions allows the victim app to not appear on the screen at all, yet it still renders the information sought by the attacker in its window, in the background.

In the second stage of the attack, the malicious app overlays the hidden window of the victim app with a series of translucent windows, each of which covers and blurs the content beneath it. This complex arrangement remains invisible to the user, but Android dutifully calculates how this combination of windows should look if the user were to bring it to the foreground.

The attacking app can only directly read the pixels from its own translucent windows; the final combined image, which incorporates the victim app’s screen content, is not directly accessible to the attacker. To bypass this restriction, the researchers employ two ingenious tricks. The specific pixel to be stolen is isolated from its surroundings by overlaying the victim app with a mostly opaque window that has a single transparent point precisely over the target pixel. A magnifying layer is then placed on top of this combination, consisting of a window with heavy blurring enabled.

How the Pixnapping vulnerability works

To decipher the resulting mush and determine the value of the pixel at the very bottom, the researchers leveraged another known vulnerability, GPU.zip (this may look like a file link, but it actually leads to a research paper site). This vulnerability is based on the fact that all modern smartphones compress the data of any images being sent from the CPU to the GPU. This compression is lossless (like a ZIP file), but the speed of packing and unpacking changes depending on the information being transmitted. GPU.zip permits an attacker to measure the time it takes to compress the information. By timing these operations, the attacker can infer what data is being transferred. With the help of GPU.zip, the isolated, blurred, and magnified single pixel from the victim app’s window can be successfully read by the attacking app.

Stealing something meaningful requires repeating the entire pixel-stealing process hundreds of times, as it needs to be applied to each point separately. However, this is entirely feasible within a short time frame. In a video demonstration of the attack, a six-digit code from Google Authenticator was successfully extracted in just 22 seconds, while it was still valid.

How Android protects screen confidentiality

Google engineers have nearly two decades of experience combating various privacy attacks, which has resulted in a layered defense built against illegal capture of screenshots and videos. A complete list of these measures would span several pages, so we only list some key protections:

  • The FLAG_SECURE window flag prevents the operating system from taking screenshots of content.
  • Access to media projection tools (capturing screen content as a media stream) requires explicit user confirmation and can only be performed by an app that is visible and active.
  • Tight restrictions are placed on access to administrative services like AccessibilityService and the ability to draw app elements over other apps.
  • One-time passwords and other secret data are hidden automatically if media projection is detected.
  • Android restricts apps from accessing other apps’ data. Additionally, apps cannot request a full list of all installed apps on the smartphone.

Unfortunately, Pixnapping bypasses all these existing restrictions and requires absolutely no special permissions. The attacking app only needs two fundamental capabilities: to draw within its own windows and to send system calls (intents) to other apps. These are basic building blocks of Android functionality, so they are very difficult to restrict.

Which devices are affected by Pixnapping, and how to defend oneself

The attack’s viability was confirmed on Android versions 13–16 across Google Pixel devices from generations 6–9, as well as Samsung Galaxy S25. The researchers believe the attack will be functional on other Android devices as well, as all the mechanisms used are standard. However, there may be nuances related to the implementation of the second phase of the attack (the pixel magnification technique).

Google released a patch in September after being notified of the attack in February. Unfortunately, the chosen method for fixing the vulnerability proved to be insufficiently reliable, and the researchers quickly devised a way to bypass the patch. A new attempt to eliminate the vulnerability is planned for Google’s December update release. As for GPU.zip, there are no plans to issue a patch for this specific data leakage channel. At least, no smartphone GPU manufacturer has announced plans to that effect since the flaw became public knowledge in 2024.

User capabilities to defend against Pixnapping are limited. We recommend the following measures:

  • Promptly update to the latest version of Android with all current security patches.
  • Avoid installing apps from unofficial sources, and exercise caution with apps from official stores if they are too new, have low download counts, or are poorly rated.
  • Ensure a full-fledged security system is used on your phone, such as Kaspersky for Android.

What is FileFix — a ClickFix variation? | Kaspersky official blog

We recently covered the ClickFix technique. Now, malicious actors have begun deploying a new twist on it, which was dubbed “FileFix” by researchers. The core principle remains the same: using social engineering tactics to trick the victim into unwittingly executing malicious code on their own device. The difference between ClickFix and FileFix is essentially where the command is executed.

With ClickFix, attackers convince the victim to open the Windows Run dialog box and paste a malicious command into it. With FileFix, however, they manipulate the victim into pasting a command into the Windows File Explorer address bar. From a user perspective, this action doesn’t appear unusual — the File Explorer window is a familiar element, making its use less likely to be perceived as dangerous. Consequently, users unfamiliar with this particular ploy are significantly more prone to falling for the FileFix trick.

How attackers manipulate the victim into executing their code

Similar to ClickFix, a FileFix attack begins when a user is directed — most often via a phishing email — to a page that mimics the website of some legitimate online service. The fake site displays an error message preventing access to the service’s normal functionality. To resolve the issue, the user is told they need to perform a series of steps for an “environment check” or “diagnostic” process.

To do this, the user is told they need to run a specific file that, according to the attackers, is either already on the victim’s computer or has just been downloaded. All the user needs to do is copy the path to the local file and paste it into the Windows File Explorer address bar. Indeed, the field from which the user is instructed to copy the string shows the path to the file — which is why the attack is named “FileFix”. The user is then instructed to open File Explorer, press [CTRL] + [L] to focus on the address bar, paste the “file path” via [CTRL] + [V], and press [ENTER].

Here’s the trick: the visible file path is only the last few dozen characters of a much longer command. Preceding the file path is a string of spaces, and before that is the actual malicious payload the attackers intend to execute. The spaces are crucial for ensuring the user doesn’t see anything suspicious after pasting the command. Because the full string is significantly longer than the address bar’s visible area, only the benign file path remains in view. The true contents are only revealed if the information is pasted into a text file instead of the File Explorer window. For instance, in a Bleeping Computer article based on research by Expel, the actual command was found to launch a PowerShell script via conhost.exe.

Example of a hidden malicious command: the user believes they’re pasting a file path, but the command actually contains a PowerShell script.
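As an added illustration (not code from the Kaspersky post), here is a Python check that a clipboard monitor or a mail/web filter could apply to a string a page asks the user to paste into the Explorer address bar: it splits the string into its hidden prefix, the padding run and the visible tail, and reports why it looks like a FileFix lure. The sample string (with a harmless Write-Output standing in for the payload), the program-name list and the MIN_PADDING threshold are constructed for this example.

```python
import re

# Runs of spaces at least this long are treated as padding meant to push the
# real command out of the address bar's visible area (assumed threshold).
MIN_PADDING = 16

# Program names that have no place in a file path typed into Explorer; the
# post notes that the real command launched PowerShell via conhost.exe.
HOST_OR_INTERPRETER = re.compile(r"(?i)\b(conhost|powershell|pwsh|cmd)(\.exe)?\b")

# A plausible local Windows path: drive letter or UNC prefix, no line breaks.
WINDOWS_PATH = re.compile(r"^(?:[A-Za-z]:\\|\\\\)[^\r\n]*$")


def inspect_pasted_string(text: str) -> dict:
    """Split a pasted string into hidden prefix, padding and visible tail,
    and list the reasons it resembles a FileFix lure."""
    text = text.rstrip("\r\n")
    padding = re.search(r" {%d,}" % MIN_PADDING, text)
    if padding:
        hidden = text[: padding.start()].strip()
        visible = text[padding.end() :].strip()
        pad_len = padding.end() - padding.start()
    else:
        hidden, visible, pad_len = "", text.strip(), 0

    reasons = []
    if hidden and pad_len >= MIN_PADDING:
        reasons.append("text hidden before a long run of spaces")
    if HOST_OR_INTERPRETER.search(hidden):
        reasons.append("command host or interpreter precedes the visible path")
    if hidden and WINDOWS_PATH.match(visible):
        reasons.append("benign-looking file path is only the tail of the string")

    return {
        "hidden_prefix": hidden,
        "visible_tail": visible,
        "padding": pad_len,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


# Constructed sample lure: an inert Write-Output stands in for the payload,
# followed by 120 spaces and the file path the victim actually sees.
LURE = (
    'conhost.exe powershell -Command "Write-Output demo"'
    + " " * 120
    + r"C:\Users\Public\Downloads\report.pdf"
)

# Constructed benign paste: a bare local path, nothing hidden in front of it.
BENIGN = r"C:\Users\Public\Downloads\report.pdf"

if __name__ == "__main__":
    for sample in (LURE, BENIGN):
        verdict = inspect_pasted_string(sample)
        print(verdict["suspicious"], verdict["reasons"])
```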

What happens after the malicious script is run

A PowerShell script executed by a legitimate user can cause trouble in a multitude of ways. Everything depends on corporate security policies, the specific user’s privileges, and the presence of security solutions on the victim’s computer. In the case mentioned previously, the attack utilized a technique named “cache smuggling”. The same fake website that implemented the FileFix trick saved a file in JPEG format into the browser’s cache, but the file actually contained an archive with malware. The malicious script then extracted this malware and executed it on the victim’s computer. This method allows the final malicious payload to be delivered to the computer without overt file downloads or suspicious network requests, making it particularly stealthy.

How to defend your company against ClickFix and FileFix attacks

In our post about the ClickFix attack technique, we suggested that the simplest defense was to block the [Win] + [R] key combination on work devices. It’s extremely rare for a typical office employee to genuinely need to open the Run dialog box. In the case of FileFix, the situation is a bit more complex: copying a command into the address bar is perfectly normal user behavior.

Blocking the [CTRL] + [L] shortcut is generally undesirable for two reasons. First, this combination is frequently used in various applications for diverse, legitimate purposes. Second, it wouldn’t fully help, as users can still access the File Explorer address bar by simply clicking it with the mouse. Attackers often provide detailed instructions for users if the keyboard shortcut fails.

Therefore, for a truly effective defense against ClickFix, FileFix, and similar schemes, we recommend first and foremost deploying a reliable security solution on all employee work devices that can detect and block the execution of dangerous code in time.

Second, we advise regularly raising employee awareness about modern cyberthreats — particularly the social engineering methods employed in ClickFix and FileFix scenarios. The Kaspersky Automated Security Awareness Platform can help automate employee training.

The who, where, and how of APT attacks in Q2 2025–Q3 2025

ESET Chief Security Evangelist Tony Anscombe highlights some of the key findings from the latest issue of the ESET APT Activity Report

In memoriam: David Harley

Former colleagues and friends remember the cybersecurity researcher, author, and mentor whose work bridged the human and technical sides of security

How scammers use email for blackmail and extortion | Kaspersky official blog

“We’ve hacked your computer! Send money to the specified account, or all your photos will be posted online”. You or someone you know has probably encountered an email with this kind of alarming message.

We’re here to offer some reassurance: nearly every blackmail email we’ve ever seen has been a run-of-the-mill scam. Such messages, often using identical text, are sent out to a massive number of recipients. The threats described in them typically have absolutely no basis in reality. The attackers send these emails out in a “spray and pray” fashion to leaked email addresses, simply hoping that at least a few recipients will find the threats convincing enough to pay the “ransom”.

This article covers which types of spam emails are currently prevalent in various countries, and explains how to defend yourself against email blackmailers.

Classic scams: hacks, sextortion, and “your money or your life”

Classic scam emails may vary in their content, but their essence always remains the same: the blackmailer plays the role of a noble villain, allowing the victim to walk away unharmed if they transfer money (usually cryptocurrency). To make the threat more believable, attackers sometimes include some of the victim’s personal data in the email, such as their full name, tax ID, phone number, or even their physical address. This doesn’t mean you’ve actually been hacked — more often than not, this information is sourced from leaked databases widely available on the dark web.

The most popular theme among email blackmailers is a “hack” where they claim to have gained full access to your devices and data. Within this theme, there are three common scenarios:

  1. The attacker is concise and gets straight to the point: they state the exact amount of money you need to transfer to prevent your private information from becoming public.
  2. Detailed and dramatic emails: these elaborate spam emails contain a wealth of detail about the malware the attacker allegedly used to infect the recipient’s device, and the types of data they’ve accessed. This usually includes everything at once: the PC itself, the mouse, the webcam, and the keyboard. Sometimes, the scammers even graciously advise you to change your passwords regularly and avoid clicking on unknown links in the future to prevent unpleasant situations. On this point we actually agree with their recommendations.
  3. The specific details of the “hacker attack” and the attacker’s demands are omitted from the email body. Instead, the recipient is prompted to find this information by clicking a link to a website. Scammers use this tactic to bypass email spam filters.

Blackmailers also don’t shy away from the topic of adult content. Typically, they simply intimidate the victim with threats that everyone will find out what kind of explicit content they’ve allegedly been viewing. Some attackers go further — they claim to have gained access to the person’s webcam and recorded intimate activity while simultaneously screen-recording their PC. The price of their silence starts at several hundred dollars in cryptocurrency. Crucially, these blackmailers intentionally try to isolate the victim by telling them not to report the email to law enforcement or loved ones, and claiming that doing so will immediately trigger the threats. By the way, safe and private viewing of adult content is a challenge unto itself, but we’ve covered that in Watching porn safely: a guide for grown-ups.

A scammer threatens to publish a victim’s intimate videos and demands cryptocurrency

Perhaps the most extreme form of email blackmail involves death threats. Naturally, such an email would make anyone uneasy, and many people become genuinely worried for their own safety. The noble hitman, however, is always willing to spare the victim’s life if they can “outbid the one who ordered the hit”.

“You have 72 hours left to live.” The blackmailer suggests not involving the police and simply paying off “the one who ordered the hit” instead

You’ve been served: law enforcement impersonation scams in Europe

Besides legends of “noble hackers” and “hitmen” who immediately offer a way out for a hefty fee, there are longer, more elaborate scams.

In these attacks, scammers pose as law enforcement officers. They don’t ask for money right away, as that would arouse suspicion. Instead, the victim receives a “summons” accusing them of committing a serious, often highly delicate crime. This typically involves allegations of distributing pornography (including child pornography), of pedophilia, human trafficking, or even indecent exposure. The “evidence” isn’t pulled out of thin air, but supposedly taken directly from the victim’s computer, to which the “special services” have gained “remote access”.

Spam blackmail targeting users in France

The document is designed to instill absolute terror: it includes a threat of arrest and a large fine, a signature with a seal, an official address, and names of high-ranking prosecutors. The scammers demand that the victim promptly makes contact via the email address provided in the message to offer an explanation — then, perhaps, the charges will be dropped. If the victim fails to respond, they’re threatened with arrest, registration on a list of sex offenders, and having their “file” passed to the media.

When the terrified victim contacts the attackers, the scammers then offer to “pay a fine” for an “out-of-court settlement of the criminal case” — a case that, of course, doesn’t exist.

Scammers once again accuse victims of viewing child pornography

These types of emails are sent under the guise of coming from major law enforcement organizations like Europol. They’re most frequently addressed to residents of France, Spain, the Czech Republic, Portugal, and other European countries. They also share a curious feature: typically, the subject line and the body of the email are quite brief, with the entire fraudulent case being laid out in attached documents. Reminder: we can’t stress this enough — never open email attachments if you don’t know or trust the sender! And to ensure that malicious and phishing emails don’t even reach your inbox, use a reliable protective solution.

Authority scams in CIS countries

The “law enforcement theme” is also prevalent in CIS (former-Soviet-Union) countries. In 2025, scammers circulated “Summons for Criminal Investigation” alleging the initiation of a criminal case. This was supposedly issued by the Russian Ministry of Internal Affairs in collaboration with such fantastic units as “Russian Interpol” and the “Bureau of Investigation Against Organized Crime”.

According to the fictional narrative, a certain “National Center for the Analysis of Child Pornography and Exhibitionism Images” had seized computers somewhere and determined that the recipient’s IP address was used to “access inappropriate and pornographic websites”. Of course, a quick online search will reveal that none of the organizations mentioned in that email have ever officially existed in Russia.

Scam campaign targeting users in Russia: the “Director of the Police Criminal Investigation Department” will, for added persuasiveness, write in ALL CAPS, and sign their name with an English transliteration

In another similar email, the recipient, at the behest of the head of the “Russian Federal Bureau of Investigation (FBI)”, supposedly became a person of interest to a certain “International Criminal Police Organization — Interpol of the Federal Police of Russia”. (We should clarify that no law enforcement agencies with even remotely similar names have ever existed in Russia.) In the email, the attackers refer to a “Cybercrime Act in accordance with the Crimes Act of 1900 (sic!) from 245RU(2)” — laws so secret that apparently no legal expert knows they exist. Moreover, the message, sent from a generic Gmail address, is supposedly from the Minister of Internal Affairs himself. However, in the attached summons, he is referred to as the “Commissioner of the Federal Police of the Russian Federation” — likely a clumsy translation from English.

The scam email from the non-existent “Russian Federal Bureau of Investigation” is signed by none other than the Minister of Internal Affairs

Similar scam emails also reach residents of Belarus, arriving in both Russian and Belarusian. The victims are supposedly being pursued by multiple agencies simultaneously: the Ministry of Internal Affairs and Ministry of Foreign Affairs of Belarus, the Militsiya of the Republic of Belarus, and a certain “Main Directorate for Combating Cybercrime of the Minsk City Internal Affairs Directorate for Interpol in Belarus”. One might assume that the email recipient is the country’s most wanted villain, being hunted by the “cyberpolice” itself.

In the summons, the blackmailers cite non-existent laws, and threaten to add the victim to a fictitious “National Register of Underage (sic!) Sexual Offenders” — a clear machine translation failure — and, of course, request an urgent reply to the email.

An email from the non-existent cyberpolice of Belarus

In another campaign, attackers sent emails in the name of the real State Security Committee of Belarus. However, they referenced a fake law and contacted the accused at the behest of the President of Europol — never mind that Europol doesn’t have a President, and the name of the real executive director is completely different.

Another scam campaign in Belarusian

In addition to sex crimes, citizens of Belarus are also accused of “repeated use of necrotic (sic!) and psychotropic drugs”. In these emails, the attackers claim to be from the DEA — the U.S. Drug Enforcement Administration. Why a U.S. federal agency would be interested in Belarusian citizens remains a mystery.

Yet another scam campaign in Belarusian: the scammers failed to realize that the law enforcement body in Belarus is called the “militsya” (militia) rather than “politsya” (police)

Identifying scam emails

As you can see from the examples above, the majority of these scam emails appear highly implausible — and yet they still find victims. That said, with scammers increasingly adopting AI tools, it’s reasonable to expect a significant improvement in both the text quality and design of these fraudulent campaigns. Let’s highlight several indicators that will help you recognize even the most skillfully crafted fakes.

  • Personal data. It makes a scam email look formal and believable, but even if the email features your address, tax ID, phone number, or passport details, that doesn’t mean the threat is legitimate. In all likelihood, your information was simply sourced from leaked databases and exploited by the scammers. The opposite is also true: impersonal greetings like “Dear Sir/Madam” or “Dear Customer” are undoubtedly also a red flag.
  • The sender’s address is registered on a free email service.
  • A request to open an attached file, or follow a link to “find out the details”.
  • Manipulation, threats, calls for urgent action, and demands not to tell anyone about the email. Attackers deliberately use these psychological tricks to throw you off balance and deprive you of external support.
  • Typos and grammatical errors. If you suspect the email is a very poor word-for-word translation from another language, you’re probably right. However, a well-written email is no reason to let your guard down: while scammers are often not the most skilled linguists, they sometimes create exceptionally high-quality spam campaigns.
  • Character substitution to bypass spam filters. Attackers mix alphabets, use characters with diacritics such as “Ƙ” instead of “K”, and sometimes simply insert chunks of incoherent text or “noise up” the body with random characters. The text remains readable but often looks odd.
An example of scammers attempting to bypass spam filters by substituting characters and adding meaningless blocks of text
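A defender-side check for the substitution trick described in the list above, as an added example that is not from the original post: it flags words that mix Unicode scripts or hide a non-ASCII letter (such as “Ƙ” for “K”) among ASCII ones. The sample lines are constructed.

```python
"""Heuristic detector for alphabet-mixing and look-alike letters in mail text.
Added example, not code from the original post."""
import unicodedata
from typing import List, Tuple


def script_of(char: str) -> str:
    """Name the script of a letter from its Unicode name, e.g. 'LATIN', 'CYRILLIC'."""
    return unicodedata.name(char, "UNKNOWN").split()[0]


def suspicious_tokens(text: str) -> List[Tuple[str, str]]:
    """Return (token, reason) pairs for words that look like filter-evasion tricks.

    Two signals are checked per whitespace-separated token:
      * letters from more than one script in one word (e.g. a Cyrillic 'a'
        inside an otherwise Latin word);
      * a word that is mostly ASCII but contains a non-ASCII letter such as
        'Ƙ' standing in for 'K'.
    Whole words in a non-Latin script (normal for non-English mail) and
    all-ASCII words are not flagged.  This is a signal for a spam filter or
    an analyst to weigh, not a verdict: loanwords like 'café' also trip the
    second rule."""
    findings: List[Tuple[str, str]] = []
    for token in text.split():
        letters = [c for c in token if c.isalpha()]
        if not letters:
            continue
        scripts = {script_of(c) for c in letters}
        non_ascii = [c for c in letters if ord(c) > 127]
        if len(scripts) > 1:
            findings.append((token, "mixed scripts: " + ", ".join(sorted(scripts))))
        elif non_ascii and len(non_ascii) < len(letters):
            findings.append((token, "non-ASCII letter(s) in ASCII word: " + "".join(non_ascii)))
    return findings


def noise_ratio(text: str) -> float:
    """Share of tokens flagged; a crude score for how 'noised up' a body is."""
    tokens = text.split()
    if not tokens:
        return 0.0
    return len(suspicious_tokens(text)) / len(tokens)


# Constructed sample lines, not taken from any real campaign.
SAMPLE_LEGIT = "Your invoice for October is attached to this message."
# 'S\u0435curity' and 'p\u0430ypal' contain Cyrillic letters that look Latin.
SAMPLE_SPOOFED = "Ƙaspersky S\u0435curity alert: verify your p\u0430ypal account now"

if __name__ == "__main__":
    for line in (SAMPLE_LEGIT, SAMPLE_SPOOFED):
        print(round(noise_ratio(line), 2), suspicious_tokens(line))
```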

How to protect yourself from email blackmail

  • Don’t panic. Scammers deliberately use fear, create a sense of urgency, and rely on your trust in authority. Their goal is for you to believe their fabricated story, but they have no real leverage. If you’re being rushed, threatened, or given ultimatums, make a conscious effort to slow down and avoid making impulsive decisions.
  • Install a reliable security solution that will promptly alert you about suspicious emails, malicious files, or links.
  • Pay attention to the details. If you receive an email supposedly from a government or law enforcement agency, first examine the sender’s email address. If there’s a reply-to address, compare it with the sender’s. Use search engines to check if the organizations mentioned in the email actually exist, and who manages them. Look up the laws they cite. Pay close attention to signatures and titles — in short, do a full fact-check. Finally, ask yourself if you’re really important enough for, say, the Minister of Internal Affairs to be writing to you personally.
  • Use only verified communication channels. Remember that government agencies will never blackmail or threaten you in official correspondence. If you’re still unsure whether the email is real or fake, find the official contact information of the organization mentioned in it, and reach out through an alternative, verified channel — for instance, by phone. Don’t click links or call phone numbers (especially mobile numbers) provided in the email you received — always verify contacts online.
  • If you receive an email with a death threat, don’t engage with the scammer, and contact the police immediately. The vast majority of these scare tactics are blatant blackmail, which is a criminal offense in most countries. The key is to remain calm.

Kaspersky official blog – ​Read More

Remember, remember the fifth of November

Welcome to this week’s edition of the Threat Source newsletter. 

Ever heard the phrase in this week’s title? 

For our non-British readers, here’s the quick version: Every year on November 5, people across the U.K. gather for bonfires, sparklers, fireworks, and attempting to literally handle a hot potato. I used to love these outings as a kid, but now, as a pet owner, I tend to stay in and try to calm the poor, scared creature during the fireworks.

Anyway, Bonfire Night is all about marking the evening when the Houses of Parliament didn’t get blown to pieces with gunpowder. 

The Gunpowder Plot was the work of a group of conspirators who planned to assassinate King James I by detonating explosives beneath the House of Lords during the State Opening of Parliament on Tuesday, Nov. 5, 1605. They rented a vault in the cellars below the building, packed it with 36 barrels of gunpowder, and designated a fellow named Guy Fawkes to light the fuse. 

Unbeknownst to the conspirators, an anonymous warning (the “Monteagle Letter”) was sent to one nobleman (who was due to attend the State Opening of Parliament), suggesting he come up with some sort of excuse to miss it: 

“My lord, out of the love I bear to some of your friends, I have a care of your preservation. I would advise you, as you tender your life, to devise some excuse to shift your attendance at this Parliament; for God and man hath concurred to punish the wickedness of this time. 

…for though there be no appearance of any stir, yet I say they shall receive a terrible blow this Parliament; and yet they shall not see who hurts them.” 

The warning was taken seriously: the message was passed up the chain to Robert Cecil, the King’s chief minister, and the authorities ordered a search. Sir Thomas Knyvet, a Justice of the Peace, led a team to check the cellars beneath the House of Lords. There they found Fawkes guarding the barrels, carrying a lantern and some slow matches. He was arrested on the spot. 

Several of Fawkes’ co-conspirators were killed while fleeing; the rest were captured, tried, and condemned. Fawkes himself was sentenced to be hanged, drawn, and quartered — though he died instantly after leaping from the scaffold and breaking his neck. 

To this day, November 5th events across the UK include the burning of an effigy of Guy Fawkes in the middle of the bonfire. It’s always struck me as a very odd national tradition. But then again, we are a country of strange customs… such as when we chase a wheel of cheese down a near-vertical hill. 

Centuries later, Fawkes’ face was stylised into a white mask with a sly grin for the graphic novel V for Vendetta. The mask became shorthand for protest and, eventually, for hacktivism. The man who didn’t light the fuse became the symbol for people trying to spark something. And that, Alanis, is ironic. 

For the Gunpowder Plot, it was the act of someone doing the Jacobean equivalent of “better check that out,” based on some received threat intelligence. It’s a similar gut impulse that still saves many a day in modern cybersecurity settings: the analyst who follows a hunch, the responder who looks twice at a legitimate tool behaving oddly… 

By the way, if you haven’t yet, do check out our latest Cisco Talos Incident Response report. It’s such a helpful tool for analysts whose days revolve around spotting suspicious behaviour.  

For example, this quarter we saw an internal phishing campaign that was launched from compromised O365 accounts, where attackers “modified the email-management rules to hide the sent phishing emails and any replies.” As Craig pointed out in the most recent episode of The Talos Threat Perspective, he often asks his customers, “Can you effectively identify malicious inbox rules across your environment — not just for a single user’s mailbox, and not just for the last 90 days?” 

So yes, while I think it’s still a bit odd that “Remember, remember the fifth of November” commemorates a disaster that never happened, most analysts I know would drink to that.

The one big thing 

Two Tool Talks in a row? Christmas came early. 

With the latest article, Cisco Talos’ Martin Lee explores how to empower autonomous AI agents with cybersecurity know-how, enabling them to make informed decisions about internet safety, such as evaluating the trustworthiness of domains. He demonstrates a proof-of-concept using LangChain and OpenAI, connected to the Cisco Umbrella API, so that AI agents can access real-time threat intelligence and make smarter security choices. 

Why do I care? 

As AI agents become more autonomous and interact with the internet on your behalf, their ability to distinguish safe from unsafe sites directly impacts your digital security. Equipping AI with real-time threat intelligence means fewer mistakes and better protection for your data and devices in an evolving threat landscape. 

So now what? 

If you work with or develop AI systems, consider incorporating real-time threat intelligence APIs like Cisco Umbrella to enhance your agents’ decision-making. As this technology evolves, staying informed and adapting these best practices will help ensure both your users and AI agents make safer choices online.

Top security headlines of the week 

CISA: High-severity Linux flaw now exploited by ransomware gangs 
Potential impact includes system takeover once root access is gained (allowing attackers to disable defenses, modify files, or install malware), lateral movement through the network, and data theft. (Bleeping Computer)

Phone location data of top EU officials for sale, report finds 
Journalists in Europe found it was “easy” to spy on top European Union officials using commercially obtained location histories sold by data brokers, despite the continent having some of the strongest data protection laws in the world. (TechCrunch)

Poland hit by another major cyberattack 
Polish authorities are investigating a large-scale cyberattack that compromised personal data belonging to clients of SuperGrosz, an online loan platform, Deputy Prime Minister and Minister for Digital Affairs Krzysztof Gawkowski confirmed. (Polskie Radio)

Conduent admits its data breach may have affected around 10 million people 
The breach lasted nearly three months. Conduent is a major government contractor and works with more than 600 government entities globally, including those on state, local, and federal levels, and a majority of Fortune 100 companies. (Tech Radar)

The password for the Louvre’s video surveillance system was “Louvre”
Experts have been raising concerns about the museum’s security for more than a decade. In 2014, the museum’s video surveillance server password was “LOUVRE,” while a software program provided by the company Thales was secured with a password “THALES.” (Cybernews)

Can’t get enough Talos? 

Tales from the Frontlines 
On Wednesday, Nov. 12, hear Talos IR share candid stories of critical incidents last quarter, how we handled them, and what they mean for your organization. Registration is required. 

Harnessing threat intel in Hybrid Mesh Firewall 
Join us on Thursday, Nov. 13 to learn how Talos combines expert human research with advanced AI/ML to detect and stop emerging threats. 

Dynamic binary instrumentation (DBI) with DynamoRIO 
This blog introduces DBI and guides you through building your own DBI tool with the open-source DynamoRIO framework on Windows 11.

Upcoming events where you can find Talos 

  • DeepSec IDSC (Nov. 18 – 21) Vienna, Austria 
  • AVAR (Dec. 3 – 5) Kuala Lumpur, Malaysia

Most prevalent malware files from Talos telemetry over the past week 

Cisco Talos Blog – ​Read More

How enterprise efficiency grows with Kaspersky SD-WAN

The implementation of Software-Defined Wide Area Networks (SD-WANs) boosts enterprise operational efficiency, saves money, and enhances security. These impacts are so significant that they’re sometimes visible on a national scale. According to The Transformative Impact of SD-WAN on Society and Global Development article from the International Journal for Multidisciplinary Research, the technology’s implementation can result in a 1.38% increase in GDP for developing countries. At the company level, the effects are even more pronounced. For example, in modern, deeply digitized industrial manufacturing, it can reduce unplanned downtime by 25%.

Furthermore, SD-WAN implementation projects not only offer a fast return on investment, but also continue to deliver additional benefits and increased efficiency as the solution receives updates, and new versions are released. To demonstrate this, we present the new Kaspersky SD-WAN 2.5 and its most compelling features.

Optimized traffic rerouting algorithms

This is a classic SD-WAN feature, and one of the technology’s primary competitive advantages. Traffic routing depends on the nature and location of the business application, but it also considers current priorities and network conditions: in some cases, reliability is paramount; in others, speed or low latency is key. The new version of Kaspersky SD-WAN improves the algorithm, and factors in detailed data about traffic loss on every possible path. This ensures the stable operation of critical services across geographically distributed networks — for example, by reducing issues with large-scale, nationwide video conferences. Crucially, this increase in reliability is accompanied by a reduced workload on network engineers and support staff, as the route adaptation process is fully automated.

Conditional DNS forwarding

This feature optimizes the speed of domain name resolution, and helps maintain security policies for different types of applications. For example, requests related to MS Office cloud infrastructure will be forwarded directly from the local office to Microsoft’s CDN, while internal network server names will be resolved through the corporate DNS server. This approach significantly improves the speed of establishing connections, and eliminates the need for manual configuration of routers in every office. Instead, a single, unified policy is sufficient for the entire network.

Scheduled CPE configuration changes

Any large-scale network reconfiguration increases the risk of interruptions and outages — even if brief. To ensure such an event doesn’t disrupt critical business processes, any policy change within Kaspersky SD-WAN can be scheduled for a specific time. Want to change the router settings in a hundred offices simultaneously? Schedule the change for 02:00 local time or Saturday morning. This eliminates the need for regional IT staff to be physically present during the deployment.

Simplified BGP and OSPF debugging

Analysis of BGP routing can now be done entirely through the orchestrator’s graphical interface. Did a routing loop suddenly appear somewhere between the Milan and Paris offices? Instead of logging into the equipment in each office and all intermediary nodes via SSH, you can now identify and resolve the issue through a single interface — significantly reducing downtime.

Easy CPE replacement

If the network equipment in an office needs to be replaced, you can now preserve all existing settings when swapping it out. The technician in the office simply plugs in the new CPE unit, and the Kaspersky SD-WAN orchestrator automatically restores all policies and tunnels on it. This offers several immediate benefits: it significantly reduces downtime; the replacement can be performed by a technician without deep expert knowledge of network protocols; and it substantially reduces the probability of additional failures caused by manual configuration errors.

LTE diagnostics

While often the fastest and most cost-effective corporate communication channel to deploy, LTE comes with a drawback: instability. Both cellular coverage and operational speed can fluctuate frequently, requiring network engineers to take action — such as relocating the CPE to an area with better reception. Now, you can make these decisions with diagnostic data collected directly within the orchestrator. It displays the service parameters of connected LTE devices, including the signal strength level.

Handling power failures

For companies with the most stringent requirements for fault tolerance and recovery time, specialized CPE variants equipped with a small built-in power source are available by special order. In the event of a power failure, the CPE will be able to send detailed data about the failure type to the orchestrator. This gives administrators time to investigate the cause so they can resolve the issue much faster.

 

These are just some of the innovations in Kaspersky SD-WAN. Others include the ability to configure security policies for connections to the CPE console port, and support for large-scale networks with 2000+ CPEs and load balancing across multiple orchestrators. To learn more about how all these new features increase the value of SD-WAN for your organization, our experts are available to provide a personalized demo. The solution is available in select regions.

Kaspersky official blog – ​Read More

Do robots dream of secure networking? Teaching cybersecurity to AI systems

  • This blog explores how to equip autonomous AI agents with cybersecurity knowledge, enabling them to make informed decisions about internet safety, such as identifying trustworthy links and websites.
  • It demonstrates a proof of concept using LangChain and OpenAI, integrated with the Cisco Umbrella API, to provide AI agents with real-time threat intelligence for evaluating domain dispositions.
  • By learning to assess the safety of domains, AI agents can develop better cyber hygiene, making more intelligent decisions rather than simply being restricted by security gateways, which is crucial for the next generation of autonomous AI systems.

In the late 1960s, the science fiction author Philip K. Dick wrote “Do Androids Dream of Electric Sheep,” which, among other themes, explored the traits that distinguish humans from autonomous robots. As advances in generative AI allow us to create autonomous agents that are able to reason and act on humans’ behalf, we must consider the human traits and knowledge that we must equip agentic AI with to allow them to act autonomously, reasonably, and safely. 

One skill we need to impart to our AI agents is the ability to stay safe when navigating the internet. If agentic AI systems interact with websites and APIs in the same way as a human internet user, they need to be aware that not all websites or public APIs are trustworthy, nor is user-supplied input. Therefore, we must empower our AI agents with the ability to make appropriate cyber hygiene decisions. In an agentic world, it is for the autonomous agent to decide if it is safe and appropriate to “click the link.” 

The threat landscape is constantly shifting, so there are no hard and fast rules that we can teach AI systems about what is a safe link and what is not. AI agents must verify the disposition of links in real time to determine if something is malicious. 

There are many emerging approaches to building AI workflow systems that can integrate multiple sources of information to allow an AI agent to come to a decision about an appropriate course of action. In this blog, I show how it is possible to use one of these frameworks, LangChain, with OpenAI to enable an AI agent to access real-time threat intelligence via the Cisco Umbrella API. 

Prerequisites 

To implement this example you will need API keys for Cisco Umbrella and a paid OpenAI account. 

  1. Obtain a new API key from an OpenAI account with available credit. The key will not work if you have a free, unfunded account. 
  2. Obtain a Cisco Umbrella API Key and Secret by following these steps. Be sure to check the “Investigate” box for the Key Scope. 
  3. Save your keys as shell environment variables named “OPENAI_API_KEY”, “UMBRELLA_KEY” and “UMBRELLA_SECRET” (e.g., export UMBRELLA_KEY="nnnnnnnnnnnnnnnnnn").

Code 

Follow along with the full sample code, which can be found in Talos’ GitHub repository.

First, we need to describe the tool to the AI agent.

Then we include the newly described tool in the list of available tools.

Next, we create the large language model (LLM) instance that we will use. This example uses GPT-3.5-Turbo from OpenAI, but other LLM models are supported.

Now, let’s give instructions to the LLM, describing what the LLM should do using natural language structured in a Question, Thought, Action, Observation format. 

Create the agent and the executor instance that we will interact with.

As part of querying the Umbrella API, we must obtain a session token to pass to the Umbrella API with our request. This is obtained from an authentication call using our API key and secret.

Next, let’s define the tool that we have described to the AI system. It accepts input text as a parameter and checks for the presence of any domains. If any are found, the disposition of each one is checked.

The key functionality within the above code is “getDomainDisposition”, which passes the domain to the Umbrella API to retrieve the disposition and categorization information about the domain.
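The tool body described in the steps above, written out as an added example that is not the Talos repository code: domain extraction from the input text, the Umbrella token exchange and categorization lookup, and the observation text the agent reasons over. The Umbrella endpoint URLs, the status codes and the field names are assumptions taken from Umbrella’s public API documentation, and `lookup` is injectable so the logic can run offline against constructed records.

```python
"""Core of a domain-disposition tool for an AI agent (added example, not the
Talos repository code)."""
import base64
import json
import re
import urllib.request
from typing import Callable, Dict, List

# Assumed Umbrella API v2 endpoints (from Umbrella's public API docs, not from
# the blog post); confirm against current documentation before relying on them.
TOKEN_URL = "https://api.umbrella.com/auth/v2/token"
CATEGORIZATION_URL = ("https://api.umbrella.com/investigate/v2/domains/"
                      "categorization/{domain}?showLabels")

# Hostname-like tokens: one or more labels followed by an alphabetic TLD.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)

# Umbrella status codes (assumed): 1 = benign, -1 = malicious, 0 = unknown.
STATUS_TEXT = {1: "positive", -1: "negative", 0: "unknown"}


def extract_domains(text: str) -> List[str]:
    """Return unique candidate domains from free text, lowercased, in order seen."""
    found: List[str] = []
    for match in DOMAIN_RE.finditer(text):
        domain = match.group(1).lower()
        if domain not in found:
            found.append(domain)
    return found


def get_umbrella_token(key: str, secret: str, opener=urllib.request.urlopen) -> str:
    """Exchange the API key/secret for a bearer token (client-credentials grant)."""
    creds = base64.b64encode(f"{key}:{secret}".encode()).decode()
    req = urllib.request.Request(
        TOKEN_URL, data=b"grant_type=client_credentials", method="POST",
        headers={"Authorization": f"Basic {creds}",
                 "Content-Type": "application/x-www-form-urlencoded"})
    with opener(req) as resp:
        return json.load(resp)["access_token"]


def get_domain_disposition(domain: str, token: str,
                           opener=urllib.request.urlopen) -> Dict:
    """Fetch the status and category labels for one domain from Investigate."""
    req = urllib.request.Request(CATEGORIZATION_URL.format(domain=domain),
                                 headers={"Authorization": f"Bearer {token}"})
    with opener(req) as resp:
        body = json.load(resp)
    # The response is keyed by the queried domain; treat a missing entry as unknown.
    return body.get(domain, {"status": 0})


def describe_domain(domain: str, info: Dict) -> str:
    """Turn one disposition record into the observation text the agent reasons over."""
    status = STATUS_TEXT.get(info.get("status", 0), "unknown")
    article = "an" if status[0] in "aeiou" else "a"
    text = f"The domain {domain} has {article} {status} disposition."
    categories = (list(info.get("security_categories", []))
                  + list(info.get("content_categories", [])))
    if categories:
        text += f" The domain {domain} is classified as: {', '.join(categories)}."
    return text


def assess_text(text: str, lookup: Callable[[str], Dict]) -> str:
    """Tool body: find domains in the input and report each one's disposition.

    `lookup` is any callable returning an Umbrella-style record, so the logic
    runs offline against constructed data or online via get_domain_disposition.
    """
    domains = extract_domains(text)
    if not domains:
        return ("No URLs found. Since no internet domains were found in the user "
                "input, I have no information to assess the safety of any websites.")
    parts = ["This contains a URL."]
    for domain in domains:
        parts.append(f"Considering {domain}. " + describe_domain(domain, lookup(domain)))
    parts.append("Known malicious domains are never safe, domains with positive "
                 "disposition are usually safe. A domain with an unknown "
                 "disposition might be safe if it is categorized.")
    return " ".join(parts)


if __name__ == "__main__":
    import os
    token = get_umbrella_token(os.environ["UMBRELLA_KEY"], os.environ["UMBRELLA_SECRET"])
    print(assess_text("Is www.cisco.com safe to browse?",
                      lambda d: get_domain_disposition(d, token)))
```

The returned observation string is what the ReAct prompt hands back to the LLM; the agent’s final verdict is still the model’s own, so log this text alongside the answer when reviewing the agent’s decisions.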

We can now pass input text to “agent_executor” to discover the agent’s opinion.

This gives the response:

Agent Response: www.cisco.com is safe to browse.

Reassuringly, the agent reports that “cisco.com” is safe to connect to. If necessary, we can output the domain disposition report to see the logic by which the system arrives at this conclusion:

This contains a URL. Considering www.cisco.com. The domain www.cisco.com has a positive disposition. The domain www.cisco.com is classified as: Computers and Internet, Software/Technology. Known malicious domains are never safe, domains with positive disposition are usually safe. A domain with an unknown disposition might be safe if it is categorized.

Let’s try a different domain which is known to be malicious.

“Agent Response: do not connect”

When provided with a known malicious domain, the system identifies that the domain has a negative disposition and concludes that this is not a domain which is safe for connection. 

Now let’s try input text with two domains.

“Agent Response: www.umbrella.com is safe to connect to. test.example.com has an unknown disposition, so it is uncertain if it is safe to connect to.”

The system is able to provide separate advice for each domain when supplied with input containing a domain with a positive disposition and one with an unknown disposition. 

Finally, let’s see what happens when we pose an unrelated question without any domains.

“Agent Response: no opinion” 

Examining the logic shows that the system made the correct decision not to attempt to answer the question. 

No URLs found. Since no internet domains were found in the user input, I have no information to assess the safety of any websites.

Discussion 

This is very much proof-of-concept code, but it does show how we can integrate APIs offering real-time authoritative facts, such as the security disposition of domains from Umbrella, into the decision making process of AI agents. 

There are other approaches that we can use to arrive at the same result. We could put the AI agent behind a web security gateway or require the agent to use Umbrella DNS, which would enforce the restriction not to connect to malicious sites. However, to do so removes the ability for the AI agent to learn how to make sense of potentially conflicting information and to make good decisions. 

The current generation of LLM-based generative AI systems is only the beginning of the forthcoming advances in autonomous agentic AI. As part of building this next generation of AI systems, we need to ensure that they not only make good decisions, but understand cyber hygiene and have access to real-time threat intelligence on which to base their decision-making. 

Cisco Talos Blog – ​Read More

ANY.RUN Wins Trailblazing Threat Intelligence at the 2025 Top InfoSec Innovators Awards

Big news from the ANY.RUN team: we’ve just been named the 2025 “Trailblazing Threat Intelligence” winner at the Top InfoSec Innovators Awards! 

This recognition means a lot to us because it celebrates what we care about most: helping analysts, SOC teams, and researchers access live, actionable threat intelligence that makes a real difference in investigations every day. 

A Milestone That Reflects Our Mission 

The Top InfoSec Innovator Awards celebrate cybersecurity companies that shape the future of the industry with new ideas and bold technology. Now in its 13th year, the program is known worldwide for spotlighting organizations that truly move the field forward. 

Winning the Trailblazing Threat Intelligence award reinforces what drives us, transforming how teams investigate and respond to cyber threats through a connected, behavioral approach to intelligence. 

TI Lookup with 40+ parameters, used to discover relevant intel from real-world threat investigations  

For our users, this award reflects the impact they experience every day: 

  • Connected intelligence, powered by 15,000+ company data sources worldwide: ANY.RUN’s ecosystem gathers insights from thousands of live environments, helping teams detect threats that traditional feeds often miss. 
  • 24× more IOCs per incident for wider visibility: Live data from global attacks ensures comprehensive coverage of new malware and phishing campaigns, giving analysts the full picture behind each alert. 
  • 99% unique IOCs to cut noise and workload: In-depth behavioral intelligence filters out duplicates and low-value data, reducing Tier 1/Tier 2 investigation time and supporting faster, more confident decisions. 
  • 21 minutes faster MTTR per case: Real-time context for IOCs, IOAs, and IOBs provides the insight analysts need to prioritize critical alerts and accelerate incident resolution. 

Experience the award-winning TI solutions trusted by 15,000+ organizations

Connecting People and Data Through Innovative Threat Intelligence 

We earned this recognition because innovation at ANY.RUN is built around real analyst needs. Instead of scattering data across multiple tools, we created an ecosystem where threat intelligence is connected, interactive, and human-centered. 

Our Threat Intelligence Lookup and Threat Intelligence Feeds bridge live malware behavior with verified indicators, giving teams instant context they can trust. Whether it’s uncovering hidden links between campaigns or enriching detections automatically, these solutions help analysts see more, decide faster, and collaborate better. 

TI Feeds gather fresh threat data and enrich your system with it for expanded threat coverage 

That’s what this award stands for: innovation that connects people and data to make threat intelligence more practical, powerful, and ready for what’s next. 

Looking Ahead: Building the Future of Threat Intelligence 

This recognition fuels our drive to keep innovating. 
In the coming months, we’re expanding our Threat Intelligence products with even deeper enrichment, new integrations for SIEM and SOAR platforms, and broader OS coverage. 

But most importantly, we’ll keep growing together with our community: the analysts, researchers, and security teams who make ANY.RUN what it is today. Every sample executed, every IOC shared, every insight contributed helps make global defense stronger. 

So, this win is yours as much as it is ours. 🏆 

See Why the Industry Calls It Trailblazing 

Experience threat intelligence that helps analysts act 21 minutes faster per case and uncover 24× more IOCs per incident. 

With behavior-driven data and real-world context, ANY.RUN turns every investigation into clear, actionable insight. 

Book a live demo and see how connected intelligence can sharpen your team’s response. 

About ANY.RUN 

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, makes advanced investigation fast, visual, and accessible. 
The service processes millions of analysis sessions and is trusted by 15,000+ organizations and over 500,000 cybersecurity professionals worldwide.

Teams using ANY.RUN report tangible gains: up to 3× higher SOC efficiency, 90% faster detection of unknown threats, and a 60% reduction in false positives thanks to real-time interactivity and behavior-based analysis. 

Explore ANY.RUN’s capabilities with a 14-day trial 

ANY.RUN’s Cybersecurity Blog – ​Read More