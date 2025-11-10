Cyber threats didn't slow down last week—and attackers are getting smarter. We're seeing malware hidden in virtual machines, side-channel leaks exposing AI chats, and spyware quietly targeting Android devices in the wild.

But that's just the surface. From sleeper logic bombs to a fresh alliance between major threat groups, this week's roundup highlights a clear shift: cybercrime is evolving fast, and the lines between technical stealth and strategic coordination are blurring.

It's worth your time. Every story here is about real risks that your team needs to know about right now. Read the whole recap.

⚡ Threat of the Week

Curly COMrades Abuses Hyper-V to Hide Malware in Linux VMs — Curly COMrades, a threat actor supporting Russia's geopolitical interests, has been observed abusing Microsoft's Hyper-V hypervisor in compromised Windows machines to create a hidden Alpine Linux-based virtual machine and deploy malicious payloads. This method allows the malware to run completely outside the host operating system's visibility, effectively bypassing endpoint security tools. The campaign, observed in July 2025, involved the deployment of CurlyShell and CurlyCat. The victims were not publicly identified. The threat actors are said to have configured the virtual machine to use the Default Switch network adaptor in Hyper-V to ensure that the VM's traffic travels through the host's network stack using Hyper-V's internal Network Address Translation (NAT) service, causing all malicious outbound communication to appear to originate from the legitimate host machine's IP address. Further investigation has revealed that the attackers first used the Windows Deployment Image Servicing and Management (DISM) command-line tool to enable the Hyper-V hypervisor, while disabling its graphical management interface, Hyper-V Manager. The group then downloaded a RAR archive masquerading as an MP4 video file and extracted its contents. The archive contained two VHDX and VMCX files corresponding to a pre-built Alpine Linux VM. Lastly, the threat actors used the Import-VM and Start-VM PowerShell cmdlets to import the virtual machine into Hyper-V and launch it with the name WSL, a deception tactic meant to give the impression that the Windows Subsystem for Linux was employed. "The sophistication demonstrated by Curly COMrades confirms a key trend: as EDR/XDR solutions become commodity tools, threat actors are getting better at bypassing them through tooling or techniques like VM isolation," Bitdefender said. The findings paint a picture of a threat actor that uses sophisticated methods to maintain long-term access in target networks, while leaving a minimal forensic footprint.

🔔 Top News

'Whisper Leak' That Identifies AI Chat Topics in Encrypted Traffic — Microsoft has disclosed details of a novel side-channel attack targeting remote language models that could enable a passive adversary with capabilities to observe network traffic to glean details about model conversation topics despite encryption protections. "Cyber attackers in a position to observe the encrypted traffic (for example, a nation-state actor at the internet service provider layer, someone on the local network, or someone connected to the same Wi-Fi router) could use this cyber attack to infer if the user's prompt is on a specific topic," the company said. The attack has been codenamed Whisper Leak. In a proof-of-concept (PoC) test, researchers found that it's possible to glean conversation topics from Alibaba, DeepSeek, Mistral, Microsoft, OpenAI, and xAI models with a success rate of over 98%. In response, OpenAI, Mistral, Microsoft, and xAI have deployed mitigations to counter the risk.

‎️‍🔥 Trending CVEs

Hackers move fast. They often exploit new vulnerabilities within hours, turning a single missed patch into a major breach. One unpatched CVE can be all it takes for a full compromise. Below are this week's most critical vulnerabilities gaining attention across the industry. Review them, prioritize your fixes, and close the gap before attackers take advantage.

This week's list includes — CVE-2025-20354, CVE-2025-20358 (Cisco Unified CCX), CVE-2025-20343 (Cisco Identity Services Engine), CVE-2025-62626 (AMD), CVE-2025-5397 (Noo JobMonster theme), CVE-2025-48593, CVE-2025-48581 (Android), CVE-2025-11749 (AI Engine plugin), CVE-2025-12501 (GameMaker IDE), CVE-2025-23358 (NVIDIA App for Windows), CVE-2025-64458, CVE-2025-64459 (Django), CVE-2025-12058 (Keras AI), CVE-2025-12779 (Amazon WorkSpaces client for Linux), CVE-2025-12735 (JavaScript expr-eval), CVE-2025-62847, CVE-2025-62848, CVE-2025-62849 (QNAP QTS and QuTS hero), CVE-2024-12886, CVE-2025-51471, CVE-2025-48889 (Ollama), CVE-2025-34299 (Monsta FTP), CVE-2025-31133, CVE-2025-52565, CVE-2025-52881 (RunC), CVE-2025-55315 (ASP.NET Core Kestrel server), CVE-2025-64439 (langgraph-checkpoint), CVE-2025-37735 (Elastic Defend on Windows), and seven vulnerabilities in django-allauth.

📰 Around the Cyber World

🔧 Cybersecurity Tools

FuzzForge is an open-source tool that helps security engineers and researchers automate application and offensive security testing using AI and fuzzing. It lets you run vulnerability scans, manage workflows, and use AI agents to analyze code, find bugs, and test for weaknesses across different platforms. It's built to make cloud and AppSec testing faster, smarter, and easier to scale for individuals and teams.

Butler is a tool that scans all repositories in a GitHub organization to find and review workflows, actions, secrets, and third-party dependencies. It helps security teams understand what runs in their GitHub environment and produces easy-to-read HTML and CSV reports for audits, compliance checks, and workflow management.

Find-WSUS is a PowerShell tool that helps security teams and system admins find every WSUS server defined in Group Policy. It checks both normal policy settings and hidden Group Policy Preferences that don't show up in standard reports. This matters because a compromised WSUS server can push fake updates and take control of all domain computers. Using Find-WSUS ensures you know exactly where your update servers are configured—before attackers do.

🔒 Tip of the Week

Stop Sensitive Data From Reaching AI Chats — Many teams use AI chat tools to get things done faster, like writing scripts, fixing bugs, or making reports shorter. But everything typed into these systems leaves your company network and may be stored, logged, or reused. If that data includes credentials, internal code, or client information, it becomes an easy leak point.

Attackers and insiders can retrieve this data later, or models could accidentally expose it in future outputs. One careless prompt can expose a lot more than expected.

✅ Add a security layer before the AI. Use OpenGuardrails or similar open-source frameworks to scan and block sensitive text before it's sent to the model. These tools integrate directly into your apps or internal chat systems.

✅ Pair it with DLP monitoring. Tools like MyDLP or OpenDLP can watch outbound data for patterns like passwords, API keys, or client identifiers.

✅ Create prompt policies. Define what employees can and can't share with AI systems. Treat prompts like data, leaving your network.

Don't trust AI companies to keep your secrets safe. Add guardrails to your workflow and keep an eye on what leaves your space. You don't want sensitive data to end up training someone else's model.

Conclusion

Just reading headlines won't cut it. These attacks show what's coming next—more hidden, more focused, and harder to spot.

Whether you work in security or just want to stay in the loop, this update breaks it down fast. Clear, useful, no extra noise. Take a few minutes and get caught up before the next big threat lands.