Daily Briefing for 11.26.25

Top stories.

• Russian threat actor targets US civil engineering firm.
• FBI says $262 million has been stolen in account takeover scams this year.
• HashJack attack tricks AI browser assistants.
• London councils disrupted by cyberattacks.

Russian threat actor targets US civil engineering firm.

The Russia-aligned threat actor "RomCom" used the SocGolish to breach a US-based civil engineering company that had done work for Ukraine, according to researchers at Arctic Wolf. While SocGolish is operated by a criminal malware-as-a-service group, Arctic Wolf "assesses with a medium-to-high confidence level that Russia’s GRU unit 29155 is utilizing SocGholish to target victims."

The researchers note, "This SocGholish activity demonstrates the ongoing exploitation of compromised legitimate websites as a malware delivery framework, turning routine web browsing into a potential vector for ransomware access. Even a single interaction with a malicious fake update prompt can provide threat actors with an entry point that may escalate into full network compromise, data theft, and ransomware deployment, posing a significant risk to organizations globally."

FBI says $262 million has been stolen in account takeover scams this year.

The US Federal Bureau of Investigation (FBI) has issued an advisory on account takeover (ATO) fraud schemes, noting that these attacks have caused $262 million in losses since January 2025. The attackers use well-known social engineering techniques to impersonate financial institutions and trick users into granting access to their accounts. The crooks are targeting banks, payrolls, and health savings accounts.

The Bureau notes, "In some instances, cyber criminals impersonating financial institutions reported to the account owner that their information was used to make fraudulent purchases, including firearms. The cyber criminal convinces the account owner to provide information to a second cyber criminal impersonating law enforcement, who then convinces the account owner to provide account information."

HashJack attack tricks AI browser assistants.

Cato Networks has published a report on an indirect prompt injection technique affecting several AI browser assistants, including Perplexity's Comet, Copilot for Edge, and Gemini for Chrome. The technique, which Cato calls "HashJack," uses the pound or hash sign (#) to place malicious prompts after legitimate URLs. The researchers explain, "When an AI browser loads a page and the user interacts with the AI assistant, these hidden prompts are fed directly into large language models (LLMs). In agentic AI browsers like Comet, the attack can escalate further, with the AI assistant automatically sending user data to threat actor-controlled endpoints."

Perplexity and Microsoft have since implemented mitigations against this technique, while Google acknowledged the issue and gave Cato permission to publicly disclose the flaw. The issue is still unresolved in the Chrome browser.

London councils disrupted by cyberattacks.

The BBC reports that at least three London councils were hit by disruptive cyberattacks over the past few days. The Royal Borough of Kensington & Chelsea (RBKC) and Westminster City Council sustained an attack that affected shared IT systems and took down phone services, while Hammersmith & Fulham Council said it was working to recover from a "serious cyber security incident." The Hammersmith & Fulham attack appears to be connected to the incident affecting RBKC and Westminster City. A memo from the Hammersmith & Fulham Council instructed staff not to click on any Outlook or Teams links from RBKC and Westminster City colleagues until further notice. The BBC says the Met Police is investigating the incidents.