
Daily Security Briefing #079
- DjediTech
- Security , Newsletter
- November 20, 2025
APT24 multi-vector espionage, surge in Black Friday scams, Tsundere botnet spreads with game lures…
Executive Summary
Recent developments highlight persistent threats from state-linked espionage groups and rapidly evolving botnets that spread through software supply chains and social engineering. The long-running APT24 campaign has shifted to multi-vector attacks built around a new malware downloader, BadAudio. Meanwhile, cybercriminals are capitalizing on seasonal shopping with a surge in fraudulent Black Friday-themed domains that impersonate major brands to harvest credentials. The Tsundere botnet is actively expanding, using game-related lures and Ethereum-based command-and-control to target multiple operating systems. Critical vulnerabilities and malware campaigns also continue to threaten AI infrastructure and everyday applications.
Top Articles
Beyond the Watering Hole: APT24’s Pivot to Multi-Vector Attacks
Google’s threat intelligence team reports that the China-linked espionage group APT24 has evolved its tactics from widespread website compromises to sophisticated multi-vector attacks. Central to their operations is BadAudio, a heavily obfuscated malware downloader used for persistent network access. This adaptive campaign has persisted for three years, recently intensifying with more complex attack methods to infiltrate targets.
BleepingComputer | Google Cloud
Scam USPS and E-Z Pass Texts and Websites
Google filed a legal complaint exposing a Chinese cybercriminal group selling “phishing for dummies” kits designed to enable large-scale phishing campaigns. These kits facilitate impersonation of government agencies and trusted brands, deceiving victims into submitting passwords and payment data. The sophisticated schemes demonstrate how criminal groups lower the barrier to entry for phishing operators globally.
Schneier on Security
The Black Friday Cyber Crime Economy: Surge in Fraudulent Domains and eCommerce Scams
Check Point Research reports that roughly 9% of recently registered Black Friday-themed domains are malicious, with high rates of brand impersonation targeting Amazon, AliExpress, and Alibaba. Attackers build convincing fake storefronts to steal credentials and payment card data, timing the campaigns to the holiday shopping surge to maximize returns. Some campaigns also mimic popular product lines rather than the retailer itself to widen their reach.
Check Point
Mozilla Says It’s Finally Done With Two-Faced Onerep
Mozilla has officially ended its controversial partnership with Onerep, the identity protection service it had bundled with Firefox. Onerep's founder was found to operate numerous people-search services, the very kind of data-broker business the product claims to protect users from. After continuing to promote the service for 16 months, Mozilla has cut ties, acknowledging the reputational risk of Onerep's conflicting business interests.
KrebsOnSecurity
TamperedChef Campaign Exploits Everyday Apps to Deploy Malware and Enable Remote Access
Acronis Threat Research Unit uncovered TamperedChef, a global malvertising campaign that disguises malware as legitimate everyday applications. The operation combines social engineering, search-engine poisoning, and forged digital certificates to trick users into installing backdoors, giving attackers persistent remote access to and control of infected systems worldwide.
GBHackers
Tsundere Botnet Targets Windows, Linux & macOS via Node.js Packages
The Russian-speaking threat actor "koneko" has launched Tsundere, a new botnet that infects Windows, Linux, and macOS devices through typosquatted Node.js packages. The campaign reuses techniques from a similar October 2024 supply chain attack: developers pull the malicious packages in as dependencies, and the packages then execute arbitrary code on whichever platform they are installed on.
GBHackers
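As an added example (not code from the original article, the GBHackers write-up, or the Tsundere research), the script below audits a resolved npm dependency tree for the two signals this kind of campaign relies on: package names within a short edit distance of a well-known package, and install-time lifecycle scripts, which are the mechanism by which an npm package runs arbitrary code on a developer's machine during `npm install`. The allow-list of known packages, the sample tree, and every package name and command in it are constructed for the example and are not real Tsundere indicators.

```javascript
// Added example: audit a dependency tree for typosquat lookalikes and install-time scripts.
// Not from the original article; package names, commands and the allow-list are constructed.

// Allow-list of well-known package names. In a real audit this would be the project's
// approved dependency list or a top-N download list (constructed sample here).
const KNOWN_PACKAGES = ["express", "lodash", "axios", "react", "chalk", "commander", "dotenv", "moment"];

// Lifecycle scripts npm runs automatically for dependencies installed from the registry.
// (`prepare` is not run for registry installs, so it is deliberately excluded.)
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Optimal-string-alignment (restricted Damerau-Levenshtein) distance: insertions,
// deletions, substitutions and adjacent transpositions each cost 1. Typosquats are
// usually within distance 1 or 2 of the name they imitate.
function editDistance(a, b) {
  const rows = a.length + 1, cols = b.length + 1;
  const d = Array.from({ length: rows }, () => new Array(cols).fill(0));
  for (let i = 0; i < rows; i++) d[i][0] = i;
  for (let j = 0; j < cols; j++) d[0][j] = j;
  for (let i = 1; i < rows; i++) {
    for (let j = 1; j < cols; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // adjacent transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Audit one package manifest. Returns a list of findings (possibly empty).
function auditPackage(name, manifest, known = KNOWN_PACKAGES, maxDistance = 2) {
  const findings = [];
  if (!known.includes(name)) {
    for (const target of known) {
      const distance = editDistance(name, target);
      if (distance > 0 && distance <= maxDistance) {
        findings.push({ type: "lookalike", target, distance });
      }
    }
  }
  const scripts = (manifest && manifest.scripts) || {};
  for (const hook of INSTALL_HOOKS) {
    if (hook in scripts) {
      findings.push({ type: "install-script", hook, command: scripts[hook] });
    }
  }
  return findings;
}

// Audit a whole tree: an object mapping package name -> its package.json contents,
// as collected from node_modules/*/package.json after a lockfile-only install.
function auditTree(tree, known = KNOWN_PACKAGES) {
  const report = {};
  for (const [name, manifest] of Object.entries(tree)) {
    const findings = auditPackage(name, manifest, known);
    if (findings.length > 0) report[name] = findings;
  }
  return report;
}

// Packages that are both a lookalike and run code at install time: triage these first.
function highRisk(report) {
  return Object.entries(report)
    .filter(([, f]) => f.some((x) => x.type === "lookalike") && f.some((x) => x.type === "install-script"))
    .map(([name]) => name);
}

// Constructed sample tree: two genuine packages, a typosquat with a postinstall hook,
// a lookalike with no scripts, and a scoped package whose `prepare` script is not an
// install-time hook for registry dependencies and so is not flagged.
const SAMPLE_TREE = {
  express: { version: "4.19.2", scripts: {} },
  lodash: { version: "4.17.21" },
  expresss: { version: "1.0.0", scripts: { postinstall: "node ./setup.js" } },
  lodahs: { version: "0.0.1" },
  "@acme/internal-tool": { version: "2.1.0", scripts: { prepare: "node build.js" } },
};

const REPORT = auditTree(SAMPLE_TREE);
console.log(JSON.stringify(REPORT, null, 2));
console.log("high risk:", highRisk(REPORT));
```

Two operational notes: `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) stops lifecycle hooks from running at all, which removes the install-time execution vector this check flags; and the edit-distance heuristic only catches names close to something on the allow-list, so a pinned lockfile reviewed on change remains the primary control.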
OpenAI Releases GPT-5.1-Codex-Max That Independently Performs Coding Tasks
OpenAI introduces GPT-5.1-Codex-Max, an advanced AI model capable of autonomously handling complex programming tasks throughout the development lifecycle. Enhanced reasoning, token efficiency, and expanded context windows mark significant improvements in AI-assisted software engineering, signaling a new era for coding automation.
CyberPress
Milvus Proxy Vulnerability Lets Attackers Forge Headers and Bypass Authorization Checks
A critical flaw (CVE-2025-64513) in Milvus Proxy, widely used in generative AI workloads, allows attackers to forge HTTP headers and bypass authorization entirely. This vulnerability grants full administrative access without valid credentials, posing serious risks to AI infrastructure reliant on the open-source vector database.
CyberPress
ShadowRay 2.0 Exploits Unpatched Ray Flaw to Build Self-Spreading GPU Cryptomining Botnet
Oligo Security reports that attackers continue exploiting a two-year-old vulnerability in the Ray AI framework to infect NVIDIA GPU clusters. The ShadowRay 2.0 botnet self-propagates by leveraging this unpatched flaw, converting AI compute clusters into cryptocurrency miners, extending an ongoing threat trend from prior campaigns.
The Hacker News
Tsundere Botnet Expands Using Game Lures and Ethereum-Based C2 on Windows
Researchers warn that the Tsundere botnet now targets Windows users with game-related lures. Its command-and-control infrastructure relies on the Ethereum blockchain to obscure how the bot locates its operators, and the implant executes arbitrary JavaScript on compromised devices, improving both stealth and persistence.
The Hacker News
AI Transparency: This newsletter uses AI to curate, rank, and summarize cybersecurity content from leading industry blogs. All articles link directly to original authors. Executive summaries are AI-generated based on article content. I curate the sources and deliver the digest—the original authors deserve the credit for their excellent work.