{"id":17015,"date":"2025-11-26T09:52:56","date_gmt":"2025-11-26T09:52:56","guid":{"rendered":"\/cybersecurity-blog\/?p=17015"},"modified":"2025-11-26T10:32:49","modified_gmt":"2025-11-26T10:32:49","slug":"major-cyber-attacks-november-2025","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/major-cyber-attacks-november-2025\/","title":{"rendered":"Major Cyber Attacks in November 2025: XWorm,\u00a0JSGuLdr\u00a0Loader, Phoenix Backdoor, Mobile Threats, and More\u00a0"},"content":{"rendered":"\n<p>Stealers, loaders, and targeted campaigns dominated November\u2019s activity.&nbsp;<a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-november-2025&amp;utm_term=261125&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>&nbsp;analysts examined cases ranging from PNG-based in-memory loading used to deploy&nbsp;XWorm&nbsp;to&nbsp;JSGuLdr, a three-stage JavaScript-to-PowerShell loader pushing&nbsp;PhantomStealer.&nbsp;<\/p>\n\n\n\n<p>Alongside these public cases, three Threat Intelligence Reports detailed new activity across Windows, Linux, and Android, including loader-enabled hijackers, Tor-based cryptotrojan communication, Linux ransomware in Go, MaaS stealers, and a WhatsApp-propagating campaign with geofencing controls.&nbsp;<\/p>\n\n\n\n<p>Each case was\u00a0analyzed\u00a0inside\u00a0<a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-november-2025&amp;utm_term=261125&amp;utm_content=linksandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN\u2019s Interactive Sandbox<\/a>, revealing execution flows, persistence mechanisms, and\u00a0behavioral\u00a0indicators that help teams tune detections and trace related activity.\u00a0<\/p>\n\n\n\n<p>Let\u2019s break down how these attacks unfolded, where they hit, and what security teams can take away to strengthen their 
defenses before the next wave arrives.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. XWorm: PNG Files Used as Containers for an In-Memory Loader&nbsp;<\/h2>\n\n\n\n<p><a href=\"https:\/\/x.com\/anyrun_app\/status\/1986072813984240018\" target=\"_blank\" rel=\"noreferrer noopener\">Post on X<\/a>&nbsp;<\/p>\n\n\n\n<p>ANY.RUN analysts&nbsp;observed&nbsp;a new wave of&nbsp;XWorm&nbsp;infections in November, delivered through phishing pages and emails that distribute a JavaScript dropper named&nbsp;<strong>PurchaseOrder_25005092.js<\/strong>. While it appears&nbsp;benign at first glance, the&nbsp;script unpacks a full multi-stage chain designed to bypass quick checks, hide payloads inside PNG files, and execute a .NET assembly directly in memory.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">How the attack begins&nbsp;<\/h3>\n\n\n\n<p>The campaign begins with a phishing lure&nbsp;<strong>(T1566.001)<\/strong>&nbsp;delivering a heavily obfuscated JavaScript installer&nbsp;<strong>(T1027)<\/strong>. Once executed, the script checks whether the required components exist on the system and writes the missing files to&nbsp;<strong>C:\\Users\\PUBLIC<\/strong>&nbsp;using Base64-encoded and AES-encrypted data&nbsp;<strong>(T1027.013)<\/strong>. 
The staged components are later used during the PowerShell-driven decryption and in-memory execution stages.&nbsp;<\/p>\n\n\n\n<p>The three staged files are:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Kile.cmd:&nbsp;<\/strong>A&nbsp;heavily obfuscated batch script filled with variable noise, percent-encoding, and fragmented Base64&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Vile.png:&nbsp;<\/strong>Not an image but a Base64-encoded and AES-encrypted payload&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Mands.png<\/strong>: Another encrypted data blob used during the second stage&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Attackers deliberately use the \u201c.png\u201d extension (<strong>T1036.008<\/strong>) to make the files look harmless and evade quick manual reviews.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"1024\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image-1024x1024.jpg\" alt=\"\" class=\"wp-image-17023\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image-1024x1024.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image-300x300.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image-150x150.jpg 150w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image-768x768.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image-1536x1536.jpg 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image-70x70.jpg 70w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image-370x370.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image-270x270.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image-740x740.jpg 740w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image.jpg 1800w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>XWorm execution chain revealed with its 4&nbsp;main&nbsp;steps&nbsp;<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">In-memory execution chain&nbsp;<\/h3>\n\n\n\n<p>After writing the staged components to&nbsp;<strong>C:\\Users\\PUBLIC<\/strong>, the JavaScript dropper reconstructs readable commands from its fragments and launches a PowerShell payload&nbsp;<strong>(T1059)<\/strong>. This PowerShell script operates as a two-stage AES-CBC loader.&nbsp;<\/p>\n\n\n\n<p><strong>Stage 1: Command runner<\/strong>&nbsp;<\/p>\n\n\n\n<p>Reads C:\\Users\\PUBLIC\\Mands.png as Base64&nbsp;\u2192&nbsp;AES-decrypt&nbsp;\u2192&nbsp;yields Base64-encoded commands. Each command is decoded and executed via Invoke-Expression, enabling the script to run attacker-controlled instructions without a traditional executable.&nbsp;<\/p>\n\n\n\n<p><strong>Stage 2:&nbsp;In-memory assembly load<\/strong>&nbsp;<\/p>\n\n\n\n<p>Reads C:\\Users\\PUBLIC\\Vile.png as Base64&nbsp;\u2192&nbsp;AES-decrypt&nbsp;\u2192&nbsp;raw bytes. The loader then&nbsp;attempts&nbsp;to execute the resulting .NET assembly directly from memory&nbsp;<strong>(T1620)<\/strong>.&nbsp;<\/p>\n\n\n\n<p>This creates an in-memory loader that launches XWorm without dropping a traditional executable. 
A successful compromise enables credential theft, remote control, and lateral movement across corporate environments.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/bec21e02-8fb5-4a18-b43c-131e02e21041\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-november-2025&amp;utm_term=261125&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">See the full execution inside ANY.RUN<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"569\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image-14-1024x569.png\" alt=\"\" class=\"wp-image-17026\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image-14-1024x569.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image-14-300x167.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image-14-768x427.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image-14-1536x853.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image-14-2048x1138.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image-14-370x206.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image-14-270x150.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image-14-740x411.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>XWorm exposed inside ANY.RUN sandbox<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Enrich this case using Threat Intelligence Lookup&nbsp;<\/h3>\n\n\n\n<p>Below are ready-to-use&nbsp;<a 
href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-november-2025&amp;utm_term=261125&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a>&nbsp;queries for finding similar campaigns:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>PowerShell&nbsp;with .Replace() obfuscation:&nbsp;<a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-november-2025&amp;utm_term=261125&amp;utm_content=linktotilookup#{%22query%22:%22imagePath:%5C%22%5C%5C%5C%5Cpowershell.exe$%5C%22%20AND%20commandLine:%5C%22.Replace(%5C%22%22,%22dateRange%22:60}\" target=\"_blank\" rel=\"noreferrer noopener\">imagePath:&#8221;\\\\powershell.exe$&#8221; AND&nbsp;commandLine:&#8221;.Replace(&#8220;<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>PowerShell invoking IEX:&nbsp;<a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-november-2025&amp;utm_term=261125&amp;utm_content=linktotilookup#{%22query%22:%22imagePath:%5C%22%5C%5C%5C%5Cpowershell.exe$%5C%22%20AND%20commandLine:%5C%22iex%5C%22%22,%22dateRange%22:60}\" target=\"_blank\" rel=\"noreferrer noopener\">imagePath:&#8221;\\\\powershell.exe$&#8221; AND&nbsp;commandLine:&#8221;iex&#8221;<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>JavaScript droppers writing to Public\\Libraries:&nbsp;<a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-november-2025&amp;utm_term=261125&amp;utm_content=linktotilookup#{%22query%22:%22filePath:%5C%22^C:%5C%5C%5C%5CUsers%5C%5C%5C%5CPublic%5C%5C%5C%5CLibraries%5C%5C%5C%5C*.js$%5C%22%22,%22dateRange%22:60}\" target=\"_blank\" rel=\"noreferrer 
filePath">
noopener\">filePath:&#8221;^C:\\\\Users\\\\Public\\\\Libraries\\\\*.js$&#8221;<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">2. 
JSGuLdr: Multi-Stage Loader Delivering&nbsp;PhantomStealer&nbsp;<\/h2>\n\n\n\n<p><a href=\"https:\/\/x.com\/anyrun_app\/status\/1991490202221613064\" target=\"_blank\" rel=\"noreferrer noopener\">Post on X<\/a>&nbsp;<\/p>\n\n\n\n<p>In November, ANY.RUN analysts&nbsp;identified&nbsp;<strong>JSGuLdr<\/strong>, a multi-stage loader that moves from JScript to PowerShell and&nbsp;ultimately deploys&nbsp;<a href=\"https:\/\/any.run\/cybersecurity-blog\/phantomloader-and-ssload-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>PhantomStealer<\/strong><\/a>. The chain relies on obfuscation, COM-based execution, cloud-hosted payloads, and in-memory loading, allowing the final payload to run with limited on-disk exposure.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"538\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image2-12-1024x538.png\" alt=\"\" class=\"wp-image-17027\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image2-12-1024x538.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image2-12-300x158.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image2-12-768x403.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image2-12-1536x806.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image2-12-2048x1075.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image2-12-370x194.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image2-12-270x142.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image2-12-740x389.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>JSGuLdr execution chain with the final delivery of 
PhantomStealer<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Stage 1:&nbsp;JScript Execution and COM-Based PowerShell Launch&nbsp;<\/h3>\n\n\n\n<p>The first stage is an obfuscated JScript file signed with a fake Authenticode certificate to appear trustworthy&nbsp;<strong>(T1027, T1553.006)<\/strong>. It generates an encrypted PowerShell string and writes it to&nbsp;<strong>%APPDATA%\\Registreri62<\/strong>, forming the second-stage component.&nbsp;<\/p>\n\n\n\n<p>Execution then shifts to&nbsp;<strong>Shell.Application<\/strong>&nbsp;and Explorer COM interaction, which launches&nbsp;<strong>powershell.exe<\/strong>&nbsp;under&nbsp;<strong>explorer.exe<\/strong>, masking the activity as normal user behavior&nbsp;<strong>(T1559.001, T1218)<\/strong>.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Stage 2:&nbsp;PowerShell Loader, Cloud Retrieval, and In-Memory Execution&nbsp;<\/h3>\n\n\n\n<p>The PowerShell code decodes the contents of&nbsp;<strong>Registreri62<\/strong>, reconstructs hidden commands, and downloads an encrypted payload from&nbsp;<strong>Google Drive<\/strong>&nbsp;using a&nbsp;WebClient&nbsp;request&nbsp;<strong>(T1105)<\/strong>.&nbsp;This payload is stored as&nbsp;<strong>%APPDATA%\\Autorise131.Tel<\/strong>, used as the on-disk container for the next stage&nbsp;<strong>(T1074.001)<\/strong>.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Stage 3: In-Memory Loading and&nbsp;PhantomStealer&nbsp;Injection&nbsp;<\/h3>\n\n\n\n<p>PowerShell decrypts&nbsp;<strong>Autorise131.Tel<\/strong>, extracts raw bytes, and loads the resulting .NET assembly directly in memory&nbsp;<strong>(T1620)<\/strong>.&nbsp;The final payload,&nbsp;<strong>PhantomStealer<\/strong>, is then injected into&nbsp;<strong>msiexec.exe<\/strong>, allowing it to run under a trusted Windows process and steal data without creating a conventional executable on disk&nbsp;<strong>(T1055, T1218.007)<\/strong>.&nbsp;<\/p>\n\n\n\n<p><strong>Execution 
chain<\/strong>: wscript.exe \u2192 explorer.exe \u2192 explorer.exe (COM) \u2192 powershell.exe \u2192 msiexec.exe&nbsp;<\/p>\n\n\n\n<p>Review the complete execution chain and&nbsp;behavioral&nbsp;indicators in the&nbsp;<a href=\"https:\/\/app.any.run\/tasks\/7b295f6f-5f16-4a44-a02b-5d59fd4b1e8f\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-november-2025&amp;utm_term=261125&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>JSGuLdr&nbsp;analysis session<\/strong><\/a><strong>.&nbsp;<\/strong>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"568\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image3-large-1-1024x568.jpeg\" alt=\"\" class=\"wp-image-17028\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image3-large-1-1024x568.jpeg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image3-large-1-300x166.jpeg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image3-large-1-768x426.jpeg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image3-large-1-370x205.jpeg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image3-large-1-270x150.jpeg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image3-large-1-740x410.jpeg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image3-large-1.jpeg 1280w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>ANY.RUN sandbox reveals full execution chain of JSGuLdr<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Track similar activity with TI Lookup&nbsp;<\/h3>\n\n\n\n<p>Use the following&nbsp;<a 
href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-november-2025&amp;utm_term=261125&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a>&nbsp;query to&nbsp;identify&nbsp;related&nbsp;JSGuLdr&nbsp;activity, pivot from shared IOCs, and uncover&nbsp;additional&nbsp;loader variants across recent submissions.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-november-2025&amp;utm_term=261125&amp;utm_content=linktotilookup#{%22query%22:%22commandLine:%5C%22windowssystem32%5C%22%20and%20imagePath:%5C%22explorer.exe%5C%22%22,%22dateRange%22:60}\" target=\"_blank\" rel=\"noreferrer noopener\">commandLine:&#8221;windowssystem32&#8243; and imagePath:&#8221;explorer.exe&#8221;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"569\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image4-10-1024x569.png\" alt=\"\" class=\"wp-image-17029\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image4-10-1024x569.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image4-10-300x167.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image4-10-768x427.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image4-10-1536x853.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image4-10-2048x1138.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image4-10-370x206.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image4-10-270x150.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image4-10-740x411.png 
740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>ANY.RUN sandbox analyses related&nbsp;to JSGuLdr&nbsp;activity<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Gathered IOCs:&nbsp;<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>URL:<\/strong>&nbsp;hxxps:\/\/drive[.]google[.]com\/uc?export=download&amp;id=1gUB_fKBej5Va_l3ZSEXk_7r5Q4EeJuwd&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Files<\/strong>: %APPDATA%\\Registreri62, %APPDATA%\\Autorise131[.]Tel&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>CMD<\/strong>: powershell.exe &#8220;$Citize=$env:appdata+&#8217;\\Registreri62&#8242;;$Guazuma=gc&nbsp;$Citize;$Aristape=$Guazuma[4460..4462] -join &#8221;&#8221;&nbsp;<\/li>\n<\/ul>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\nCatch attacks early with <span class=\"highlight\">instant IOC enrichment<\/span>  in TI Lookup<br>Power your proactive defense with data from 15K SOCs\u00a0\n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=major-cyber-attacks-november-2025&#038;utm_term=261125&#038;utm_content=linktoregistration\" target=\"_blank\" rel=\"noopener\">\nStart Investigation\u00a0\n<\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: 
#ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<h2 class=\"wp-block-heading\">Threat Intelligence Report&nbsp;1:&nbsp;PDFChampions,&nbsp;Efimer, and BTMOB&nbsp;<\/h2>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/reports\/11-20-threat-brief-pdfchampions-efimer-btmob\" target=\"_blank\" rel=\"noreferrer noopener\">Full analysis in TI Report<\/a>&nbsp;&nbsp;<\/p>\n\n\n\n<p>This Threat Brief provides a focused breakdown of three active threats, including how each sample behaves in the sandbox, its persistence and execution patterns, and the key detection points analysts can rely on. The report includes details about process activity, file system changes, network&nbsp;behavior, and extracted indicators, along with TI Lookup queries tailored to each malware family;&nbsp;PDFChampions\u2019 mutex-based signature,&nbsp;Efimer\u2019s&nbsp;Tor-based curl command, and BTMOB\u2019s Android configuration file.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"587\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image5-7-1024x587.png\" alt=\"\" class=\"wp-image-17031\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image5-7-1024x587.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image5-7-300x172.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image5-7-768x441.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image5-7-1536x881.png 1536w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image5-7-2048x1175.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image5-7-370x212.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image5-7-270x155.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image5-7-740x425.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>TI report revealing&nbsp;PDFChampions,&nbsp;Efimer, and BTMOB<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p><strong>PDFChampions&nbsp;(Windows)&nbsp;<\/strong><\/p>\n\n\n\n<p>A browser hijacker distributed via malvertising that also acts as a loader. It changes the default search engine,&nbsp;terminates&nbsp;competing browsers, and can download and run&nbsp;additional&nbsp;payloads directly in memory.<\/p>\n\n\n\n<p><strong>Detection&nbsp;note:<\/strong>&nbsp;identify&nbsp;activity via the mutex&nbsp;<strong>\u201cChampion.\u201d<\/strong><\/p>\n\n\n\n<p><strong>TI Lookup:<\/strong>&nbsp;<a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-november-2025&amp;utm_term=261125&amp;utm_content=linktotilookup#%7B%2522query%2522:%2522syncObjectName:%255C%2522Champion%255C%2522%2522,%2522dateRange%2522:60%7D\" target=\"_blank\" rel=\"noreferrer noopener\">syncObjectName:&#8221;Champion&#8221;<\/a>&nbsp;<\/p>\n\n\n\n<p><strong>Efimer&nbsp;(Windows)&nbsp;<\/strong><\/p>\n\n\n\n<p>A cryptocurrency-focused trojan spread through phishing and compromised WordPress sites. 
It&nbsp;steals wallets and credentials&nbsp;and uses&nbsp;<strong>curl.exe<\/strong>&nbsp;to reach a Tor-hidden C2 endpoint (.onion\/route.php).&nbsp;<br><strong>Detection&nbsp;note:<\/strong>&nbsp;monitor curl connections to .onion\/route.php.&nbsp;<br><strong>TI Lookup:<\/strong>&nbsp;<a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-november-2025&amp;utm_term=261125&amp;utm_content=linktotilookup#%7B%2522query%2522:%2522commandLine:%255C%2522curl.exe*.onion\/route.php%255C%2522%2522,%2522dateRange%2522:60%7D\" target=\"_blank\" rel=\"noreferrer noopener\">commandLine:&#8221;curl.exe*.onion\/route.php&#8221;<\/a>&nbsp;<\/p>\n\n\n\n<p><strong>BTMOB RAT (Android)&nbsp;<\/strong><\/p>\n\n\n\n<p>An Android RAT sold as&nbsp;MaaS. It abuses Accessibility Services for full device control, records screen and audio, and targets financial apps. Distributed through phishing APKs.<\/p>\n\n\n\n<p><strong>Detection&nbsp;note:<\/strong>&nbsp;presence of&nbsp;<strong>BTConfig.xml<\/strong>&nbsp;in the app\u2019s shared preferences.<\/p>\n\n\n\n<p><strong>TI Lookup:<\/strong>&nbsp;<a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-november-2025&amp;utm_term=261125&amp;utm_content=linktotilookup#%7B%2522query%2522:%2522filePath:%255C%2522\/data\/data\/*\/shared_prefs\/BTConfig.xml%255C%2522%2522,%2522dateRange%2522:60%7D\" target=\"_blank\" rel=\"noreferrer noopener\">filePath:&#8221;\/data\/data\/*\/shared_prefs\/BTConfig.xml&#8221;<\/a>&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Threat Intelligence Report 2:&nbsp;Monkey, Phoenix, and NonEuclid&nbsp;<\/h2>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/reports\/11-14-threat-brief-monkey-phoenix-noneuclid\" target=\"_blank\" rel=\"noreferrer noopener\">Full analysis in TI Report<\/a>&nbsp;<\/p>\n\n\n\n<p>This month\u2019s Threat Brief 
examines three threats in detail, with execution-flow screenshots, detection indicators, persistence artifacts, and public-sample telemetry. The report also provides ready-to-use TI Lookup queries and IOCs so teams can expand visibility and identify similar cases in their environments.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"592\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image6-5-1024x592.png\" alt=\"\" class=\"wp-image-17033\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image6-5-1024x592.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image6-5-300x174.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image6-5-768x444.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image6-5-1536x889.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image6-5-2048x1185.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image6-5-370x214.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image6-5-270x156.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image6-5-740x428.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>TI report revealing&nbsp;Monkey, Phoenix, and NonEuclid<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p><strong>Monkey (Linux)&nbsp;<\/strong><\/p>\n\n\n\n<p>Monkey is a Go-based x64 ELF ransomware that disables security controls,&nbsp;establishes&nbsp;persistence through&nbsp;<strong>cron<\/strong>,&nbsp;<strong>rc.local<\/strong>, and&nbsp;<strong>systemd<\/strong>, collects system information, and encrypts files with a&nbsp;<strong>.monkeyRansomware<\/strong>&nbsp;extension. 
It also drops a ransom note and changes the system wallpaper.<\/p>\n\n\n\n<p><strong>Detection&nbsp;note:<\/strong>&nbsp;creation of&nbsp;<strong>\/etc\/systemd\/system\/monkey.service<\/strong>.<\/p>\n\n\n\n<p><strong>Lookup:<\/strong>&nbsp;<a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-november-2025&amp;utm_term=261125&amp;utm_content=linktotilookup#%7B%2522query%2522:%2522filePath:%255C%2522\/etc\/systemd\/system\/monkey.service%255C%2522%2522,%2522dateRange%2522:60%7D\" target=\"_blank\" rel=\"noreferrer noopener\">filePath:&#8221;\/etc\/systemd\/system\/monkey.service&#8221;<\/a>&nbsp;<\/p>\n\n\n\n<p><strong>Phoenix (Windows)&nbsp;<\/strong><\/p>\n\n\n\n<p>Phoenix is a Windows backdoor delivered as a second-stage payload in targeted email campaigns. It creates a mutex, copies itself for persistence, gathers system information, and communicates with its C2 via&nbsp;<strong>WinHTTP<\/strong>. The malware also uses process injection during execution.<\/p>\n\n\n\n<p><strong>Detection&nbsp;note:<\/strong>&nbsp;dropped binary&nbsp;<strong>sysProcUpdate.exe<\/strong>&nbsp;used for injection.<\/p>\n\n\n\n<p><strong>Lookup:<\/strong>&nbsp;<a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-november-2025&amp;utm_term=261125&amp;utm_content=linktotilookup#%7B%2522query%2522:%2522registryValue:%255C%2522sysProcUpdate.exe%255C%2522%2522,%2522dateRange%2522:60%7D\" target=\"_blank\" rel=\"noreferrer noopener\">registryValue:&#8221;sysProcUpdate.exe&#8221;<\/a>&nbsp;<\/p>\n\n\n\n<p><strong>NonEuclid (Windows)&nbsp;<\/strong><\/p>\n\n\n\n<p>NonEuclid is a C# RAT with persistence, AMSI and Defender bypass, anti-VM checks, UAC bypass, and optional AES-based file encryption using the&nbsp;<strong>.NonEuclid<\/strong>&nbsp;extension. 
Sold as a crimeware kit, it combines remote control features with ransomware capabilities and uses obfuscated strings and NTSTATUS codes that can be detected via a dedicated YARA rule.&nbsp;<br><strong>Detection note:<\/strong>&nbsp;YARA detection based on obfuscated Unicode strings and NTSTATUS markers.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Threat Intelligence Report 3: Valkyrie,&nbsp;Sfuzuan, and&nbsp;Sorvepotel&nbsp;<\/h2>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/reports\/11-05-threat-brief-valkyrie-sfuzuan-sorvepotel\" target=\"_blank\" rel=\"noreferrer noopener\">Full analysis in TI Report<\/a>&nbsp;<\/p>\n\n\n\n<p>This Threat Brief examines three Windows-based threats with different infection vectors and persistence patterns. The report includes sandbox screenshots, process activity, on-disk artifacts, and TI Lookup queries for tracking related&nbsp;behavior&nbsp;across public submissions.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"592\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image7-3-1024x592.png\" alt=\"\" class=\"wp-image-17035\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image7-3-1024x592.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image7-3-300x173.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image7-3-768x444.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image7-3-1536x888.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image7-3-2048x1184.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image7-3-370x214.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image7-3-270x156.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/11\/image7-3-740x428.png 
740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>TI report revealing&nbsp;Valkyrie,&nbsp;Sfuzuan, and&nbsp;Sorvepotel<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p><strong>Valkyrie (Windows)&nbsp;<\/strong><\/p>\n\n\n\n<p>Valkyrie is a credential-stealing&nbsp;MaaS&nbsp;platform linked to&nbsp;Prysmax. It collects browser and system data, stores temporary output in&nbsp;<strong>Valkyrie.zip<\/strong>&nbsp;under the Temp directory, and exfiltrates the archive to a remote C2. Detection is possible through the Temp-path signature or a dedicated YARA rule included in the report.<\/p>\n\n\n\n<p><strong>TI Lookup:<\/strong>&nbsp;<a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-november-2025&amp;utm_term=261125&amp;utm_content=linktotilookup#%7B%2522query%2522:%2522filePath:%255C%2522C:%255C%255C%255C%255CUsers%255C%255C%255C%255Cadmin%255C%255C%255C%255CAppData%255C%255C%255C%255CLocal%255C%255C%255C%255CTemp%255C%255C%255C%255CValkyrie.zip%255C%2522%2522,%2522dateRange%2522:60%7D\" target=\"_blank\" rel=\"noreferrer noopener\">filePath:&#8221;C:\\\\Users\\\\admin\\\\AppData\\\\Local\\\\Temp\\\\Valkyrie.zip&#8221;<\/a>&nbsp;<\/p>\n\n\n\n<p><strong>Sfuzuan&nbsp;(Windows)&nbsp;<\/strong><\/p>\n\n\n\n<p>Sfuzuan&nbsp;is a backdoor distributed through multiple, unrelated sources. It bypasses system protections to gain access, gathers system and location details, and connects to a set of rotating command-and-control domains. 
The malware drops a distinctive TXT file that serves as a reliable detection point.<\/p>\n\n\n\n<p><strong>TI Lookup:<\/strong>&nbsp;<a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-november-2025&amp;utm_term=261125&amp;utm_content=linktotilookup#%7B%2522query%2522:%2522filePath:%255C%2522C:%255C%255C%255C%255CWindows%255C%255C%255C%255C864ac8%255C%2522%2522,%2522dateRange%2522:60%7D\" target=\"_blank\" rel=\"noreferrer noopener\">filePath:&#8221;C:\\\\Windows\\\\864ac8&#8221;<\/a>&nbsp;<\/p>\n\n\n\n<p><strong>Sorvepotel&nbsp;(Windows)&nbsp;<\/strong><\/p>\n\n\n\n<p>Sorvepotel&nbsp;is a self-propagating campaign spread through WhatsApp messages&nbsp;containing&nbsp;malicious ZIP archives. After launch, it uses PowerShell and VBS scripts for execution and persistence, creates scheduled tasks, and automatically sends the same archive to all WhatsApp Web contacts. The campaign targets Portugal and Brazil using geofencing based on IP and system language.<\/p>\n\n\n\n<p><strong>TI Lookup:<\/strong>&nbsp;<a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-november-2025&amp;utm_term=261125&amp;utm_content=linktotilookup#%7B%2522query%2522:%2522filePath:%255C%2522Orcamento-2025*%255C%2522%2522,%2522dateRange%2522:60%7D\" target=\"_blank\" rel=\"noreferrer noopener\">filePath:&#8221;Orcamento-2025*&#8221;<\/a>&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Empower Your SOC with Real-Time&nbsp;Behavioral&nbsp;Insights&nbsp;<\/h2>\n\n\n\n<p>Multi-stage loaders,&nbsp;encrypted payload containers, and region-aware campaigns are getting harder to catch with static filtering alone. 
Whether these threats unfold across PowerShell chains, COM-triggered executions, Linux services, or Android components, attackers move quickly, and manual triage&nbsp;can\u2019t&nbsp;keep up.&nbsp;<a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-november-2025&amp;utm_term=261125&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>&nbsp;gives SOC teams the&nbsp;behavioral&nbsp;visibility they need to respond at the speed of modern attacks.&nbsp;<\/p>\n\n\n\n<p>Here\u2019s how teams stay ahead:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Surface hidden execution paths&nbsp;immediately:<\/strong>&nbsp;Detonate loaders, encrypted payloads, and cloud-hosted components inside a live VM and watch each stage (JavaScript, PowerShell, .NET, Linux services, or APK&nbsp;behavior) as it unfolds.&nbsp;<\/li>\n<li><strong>Shorten investigation time:<\/strong>&nbsp;Automated unpacking, network tracing, and live indicators turn multi-stage chains into readable timelines, reducing time spent reversing obfuscated scripts or in-memory loaders.&nbsp;<\/li>\n<li><strong>Catch stealthy techniques earlier:<\/strong>&nbsp;From fileless PowerShell commands to COM-based execution and WhatsApp-triggered propagation, behavioral cues expose activity that traditional tools overlook.&nbsp;<\/li>\n<li><strong>Strengthen detections with instant enrichment:<\/strong>&nbsp;Use Threat Intelligence Lookup to pivot from a single IOC (file path, mutex, command line, or domain) to related submissions and shared TTPs across hundreds of cases.&nbsp;<\/li>\n<li><strong>Feed continuous intelligence into your stack:<\/strong>&nbsp;Integrate&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-feeds\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-november-2025&amp;utm_term=261125&amp;utm_content=linktotifeeds\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Feeds<\/a>&nbsp;with your SIEM, SOAR, or XDR to keep detections updated as new loader variants, stealer kits, and region-specific campaigns&nbsp;emerge.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>For SOC teams, MSSPs, and threat researchers,&nbsp;<a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-november-2025&amp;utm_term=261125&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>&nbsp;provides the depth and real-time visibility needed to investigate faster,&nbsp;validate&nbsp;threats quickly, and turn emerging&nbsp;behaviors&nbsp;into reliable detection logic.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/demo\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-november-2025&amp;utm_term=261125&amp;utm_content=linktodemo\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Explore ANY.RUN with a 14-day trial \u2192<\/strong><\/a>\u00a0<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN&nbsp;<\/h2>\n\n\n\n<p><a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-november-2025&amp;utm_term=261125&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>&nbsp;supports more than 15,000 organizations worldwide across finance, healthcare, telecom, retail, and technology, helping security teams investigate threats with clarity and confidence.&nbsp;<\/p>\n\n\n\n<p>Built for speed and deep visibility, the\u00a0solution\u00a0combines\u00a0<a 
href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-november-2025&amp;utm_term=261125&amp;utm_content=linksandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">interactive malware analysis<\/a>\u00a0with live threat intelligence, allowing SOC analysts to\u00a0observe\u00a0real execution\u00a0behavior, extract indicators, and understand attacker techniques in seconds.\u00a0<\/p>\n\n\n\n<p>By integrating&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-november-2025&amp;utm_term=261125&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN\u2019s Threat Intelligence<\/a>&nbsp;suite into existing security workflows, teams can accelerate investigations, reduce uncertainty during incidents, and strengthen resilience against fast-evolving malware families and multi-stage attack chains.&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Stealers, loaders, and targeted campaigns dominated November\u2019s activity.&nbsp;ANY.RUN&nbsp;analysts examined cases ranging from PNG-based in-memory loading used to deploy&nbsp;XWorm&nbsp;to&nbsp;JSGuLdr, a three-stage JavaScript-to-PowerShell loader pushing&nbsp;PhantomStealer.&nbsp; Alongside these public cases, three Threat Intelligence Reports detailed new activity across Windows, Linux, and Android, including loader-enabled hijackers, Tor-based cryptotrojan communication, Linux ransomware in Go, MaaS stealers, and a WhatsApp-propagating campaign 
[&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":17018,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[57,10,34],"class_list":["post-17015","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-cybersecurity","tag-malware-analysis"],"acf":[]}