
Daily Security Briefing #071
- DjediTech
- Security, Newsletter
- November 12, 2025
Payroll Pirates’ malvertising spree, Windows authentication coercion surge, Google sues Chinese phishing platform…
Executive Summary
Today’s cybersecurity landscape reveals a rising tide of sophisticated, automated attacks targeting critical systems and end users alike. Financially motivated cybercriminals continue to leverage malvertising for widespread payroll theft, exemplified by the Payroll Pirates operation. Meanwhile, novel exploitation techniques like Windows authentication coercion attack core OS protocols to harvest credentials effortlessly. Law enforcement and tech firms are fighting back with coordinated takedowns and lawsuits, including Google’s legal action against a massive China-based phishing-as-a-service platform. Additionally, zero-day vulnerabilities in identity and access infrastructure have been actively exploited by advanced threat actors, raising alarm about the security of enterprise networks.
Top Articles
Payroll Pirates: One Network, Hundreds of Targets
A financially motivated threat group named Payroll Pirates has been conducting a large-scale malvertising campaign since mid-2023, targeting over 200 payroll systems, credit unions, and trading platforms across the United States. This coordinated effort has evolved significantly in tactics and geography, emphasizing the persistent risks to financial infrastructure from indirect attack vectors like advertising networks.
Check Point
Authentication Coercion: How Windows Machines Are Tricked into Leaking Credentials
Security researchers have uncovered a growing attack method known as authentication coercion that abuses Windows Remote Procedure Call (RPC) features to force computers into sending their credentials to attacker-controlled systems. These attacks bypass the need for user interaction or system vulnerabilities, exploiting legitimate Windows authentication processes to compromise credentials silently and efficiently.
GBHackers | CyberPress
Google sues to dismantle Chinese phishing platform behind US toll scams
Google initiated legal action against the operators of “Lighthouse,” a China-based phishing-as-a-service platform responsible for global SMS phishing attacks impersonating entities like USPS and E-ZPass. This platform has ensnared over 1 million victims in 120 countries, illustrating a large-scale, commercially operated cybercriminal enterprise targeting credit card and personal information.
BleepingComputer | TheHackerNews
Amazon Uncovers Attacks Exploiting Cisco ISE and Citrix NetScaler as Zero-Day Flaws
Amazon security teams identified attacks exploiting zero-day vulnerabilities in Cisco Identity Services Engine (ISE) and Citrix NetScaler ADC to deploy custom malware. These critical flaws have attracted advanced persistent threats focused on identity and network access control infrastructure, underscoring the sensitivity and attractiveness of these systems to attackers.
TheHackerNews | DarkReading
Extending Zero Trust to AI Agents: “Never Trust, Always Verify” Goes Autonomous
With AI agents increasingly acting autonomously, traditional Zero Trust security models require adaptation. The article explores how the core principle of “never trust, always verify” must evolve to accommodate AI’s scope of access and decision-making autonomy through scoped permissions, continuous monitoring, and human oversight.
BleepingComputer
On Hacking Back
Former Department of Justice attorney John Carlin discusses the complexities of “hack back” operations—proactive cyber counterattacks designed to disrupt or gather intelligence on attackers. He highlights current legal frameworks permitting certain defensive measures but warns about risks and limitations inherent to offensive cyber responses.
Schneier
Servers Behind Rhadamanthys Stealer May Have Been Seized, Admin Calls for Reinstalls
Reports indicate that law enforcement may have disrupted the infrastructure behind the Rhadamanthys information stealer, as its onion domains and control panels have gone offline. Cybercrime analysts suggest coordinated international efforts led to this seizure, prompting the malware’s administrators to urge its users to reinstall.
CyberPress
This newsletter highlights the continued evolution of cyber threats exploiting both traditional and novel vectors, emphasizing the need for adaptive security strategies and international cooperation.
AI Transparency: This newsletter uses AI to curate, rank, and summarize cybersecurity content from leading industry blogs. All articles link directly to original authors. Executive summaries are AI-generated based on article content. I curate the sources and deliver the digest—the original authors deserve the credit for their excellent work.