
Daily Security Briefing #083
- DjediTech
- Security, Newsletter
- November 24, 2025
Android adware campaign, Python backdoor attacks on defense sector, NVIDIA robotics vulnerability
Executive Summary
Today’s cybersecurity briefing highlights a range of evolving threats from mobile devices to critical infrastructure. A widespread Android adware campaign continues to impact millions by covertly draining device resources. Meanwhile, an advanced persistent threat group connected to India has launched sophisticated cyber-espionage attacks against Pakistan’s defense sector using Python-based backdoors delivered via MSBuild droppers. Cloud and robotics platforms also face growing risks with new vulnerabilities discovered in Fluent Bit and NVIDIA’s Isaac-GROOT platform, underscoring the expanding attack surface across technology stacks. Supply chain risks remain prominent with a renewed npm attack wave targeting thousands of repositories.
Top Articles
IACR Nullifies Election Because of Lost Decryption Key
The International Association of Cryptologic Research was forced to nullify its 2025 trustee election after a key trustee lost his decryption key, preventing secure vote decryption. The election committee, composed of independent trustees each holding parts of the cryptographic key, could not recover the missing piece in time, illustrating risks in key management practices even within prominent cryptography organizations.
Schneier on Security
GhostAd: Hidden Google Play Adware Drains Devices and Disrupts Millions of Users
Check Point researchers uncovered the extensive GhostAd adware campaign targeting Android devices via apps on Google Play disguised as utilities and emoji editors. These apps run persistent background advertising engines that drain battery and bandwidth while disrupting normal phone usage—even after users close them. This campaign reflects increasing sophistication in mobile adware evasion tactics.
Check Point
Is Your Android TV Streaming Box Part of a Botnet?
Warnings have emerged around Superbox media streaming devices sold by major retailers which, for a one-time fee, offer access to thousands of pay-per-view and streaming services. However, these boxes deploy intrusive software that forces users’ home networks to relay traffic for other parties, essentially enslaving them as nodes in a botnet. Users should exercise caution before purchasing these devices.
Krebs on Security
Elite Cyber Veterans Launch Blast Security with $10M to Turn Cloud Detection into Prevention
A new cybersecurity startup, Blast Security, has emerged from stealth in Tel Aviv with $10 million in funding. Founded by veterans of Solebit and elite Israeli IDF units, the company is pioneering a Preemptive Cloud Defense Platform aimed at replacing reactive detection models with continuous threat prevention in cloud environments.
GB Hackers
Elephant Group Launches Defense Sector Attacks Using MSBuild-Delivered Python Backdoor
The Indian-aligned advanced persistent threat group Dropping Elephant has initiated a cyber espionage campaign targeting Pakistan’s defense sector. Utilizing spear-phishing emails and MSBuild droppers, the group deploys a custom Python-based backdoor hidden within living-off-the-land binaries to achieve stealthy, persistent access to critical military networks. This campaign signals an evolution in threat actor tactics in the region.
GB Hackers | CyberPress
NVIDIA’s Isaac-GROOT Robotics Platform Vulnerability Lets Attackers Inject Malicious Code
Two critical vulnerabilities in NVIDIA’s Isaac-GROOT robotics platform—used for robotic manipulation and automation—have been patched. The flaws permitted authenticated local attackers to inject malicious code by exploiting improper code generation controls within Python components, raising concerns about the security of advanced robotics systems deployed in industrial and research settings.
CyberPress
New Fluent Bit Flaws Expose Cloud to RCE and Stealthy Infrastructure Intrusions
Researchers have disclosed five new vulnerabilities affecting Fluent Bit, the open-source telemetry agent widely used in cloud environments. The flaws allow attackers to bypass authentication, execute remote code, traverse paths, cause denial of service, and manipulate telemetry tags. The vulnerabilities can be chained for stealthy takeovers of cloud infrastructures, highlighting ongoing risks in telemetry software components.
The Hacker News
ClickFix Attack Uses Fake Windows Update Screen to Push Malware
A new variant of the “ClickFix” attack tricks users into running malware by displaying a highly convincing fake Windows Update animation in a full-screen browser window. The malicious payload is concealed within images, complicating detection. This social engineering approach emphasizes the continued effectiveness of UX deception in malware distribution.
BleepingComputer
Second Sha1-Hulud Wave Affects 25,000+ Repositories via npm Preinstall Credential Theft
A second wave of Sha1-Hulud supply chain attacks targets the npm registry with credential theft via preinstall scripts, compromising over 25,000 repositories. Multiple security firms have confirmed that hundreds of trojanized npm packages were uploaded to the public registry, threatening vast portions of the JavaScript ecosystem and developers worldwide.
The Hacker News
24th November – Threat Intelligence Report
The latest Check Point Threat Intelligence Bulletin highlights a major supply chain attack by the “Scattered LAPSUS$ Hunters” group, involving the Salesforce-integrated platform Gainsight. Data from 300 organizations, including Verizon, GitLab, and Atlassian, was compromised. The report details emerging tactics and breach patterns from recent campaigns affecting a diverse range of sectors.
Check Point Research
AI Transparency: This newsletter uses AI to curate, rank, and summarize cybersecurity content from leading industry blogs. All articles link directly to original authors. Executive summaries are AI-generated based on article content. I curate the sources and deliver the digest—the original authors deserve the credit for their excellent work.