By the CyberWire staff
Top stories.
- Anthropic describes an AI-assisted Chinese espionage campaign.
- Patch Tuesday notes.
- Google files lawsuit against alleged China-based phishing operation.
- Europol operation disrupts malware infrastructure.
- Synnovis begins notifying healthcare providers of data breach following June 2024 ransomware attack.
- Lumma Stealer rebounds after doxxing campaign.
Anthropic describes an AI-assisted Chinese espionage campaign.
Anthropic has published a report on a Chinese cyberespionage campaign that abused the company's Claude AI tool to automate operations in every stage of the attack. The campaign targeted around thirty organizations—including large tech companies, financial institutions, chemical manufacturing companies, and government agencies—and succeeded in "a small number of cases." The attackers managed to jailbreak Claude by telling it that they were employees of a cybersecurity company and were using the tool for defensive purposes. Anthropic calls this "the first documented case of a large-scale cyberattack executed without substantial human intervention."
Anthropic explains, "The architecture incorporated Claude’s technical capabilities as an execution engine within a larger automated system, where the AI performed specific technical actions based on the human operators’ instructions while the orchestration logic maintained attack state, managed phase transitions, and aggregated results across multiple sessions. This approach allowed the threat actor to achieve operational scale typically associated with nation-state campaigns while maintaining minimal direct involvement, as the framework autonomously progressed through reconnaissance, initial access, persistence, and data exfiltration phases by sequencing Claude’s responses and adapting subsequent requests based on discovered information."
Outside researchers have questioned the significance of Anthropic's findings, however, noting that the attackers relied heavily on common open-source tools and that white-hat hackers have been unable to replicate similar levels of success. Dan Tentler, executive founder of Phobos Group, told Ars Technica, "I continue to refuse to believe that attackers are somehow able to get these models to jump through hoops that nobody else can." Anthropic itself observed that Claude frequently hallucinated during the campaign: "This AI hallucination in offensive security contexts presented challenges for the actor's operational effectiveness, requiring careful validation of all claimed results. This remains an obstacle to fully autonomous cyberattacks."
Control what runs in your environment. Reduce your attack surface.
ThreatLocker helps organizations reduce risk by allowing trusted applications to run while limiting their access to only the resources they need. It’s a straightforward, default deny approach that gives you more control and visibility—without slowing down operations. Explore how ThreatLocker can help simplify your security strategy.
Patch Tuesday notes.
November's Patch Tuesday saw more than 60 fixes from Microsoft, including an actively exploited zero-day (CVE-2025-62215) affecting the Windows kernel. The vulnerability can allow a local attacker to escalate privileges. Microsoft also patched a critical remote code execution bug (CVE-2025-60724) in the Windows GDI+ graphics library with a CVSS score of 9.8. The flaw can be exploited by uploading a maliciously crafted image file.
Infosecurity Magazine notes that this update cycle is the first since Windows 10 reached its end-of-life. Individuals or organizations that are still using Windows 10 can enroll in Microsoft's Extended Security Updates (ESU) to continue receiving patches. Users can enroll in ESU for free if they register their PCs, or they can pay a one-time fee of $30.
Ivanti, Zoom, and Adobe also issued patches yesterday, SecurityWeek reports. Ivanti patched two flaws (CVE-2025-9713 and CVE-2025-11622) that were disclosed last month, while Zoom fixed three high-severity privilege escalation bugs. Adobe issued fixes for 29 flaws across InDesign, InCopy, Photoshop, Illustrator, Pass, Substance 3D Stager, and Format Plugins.
SecurityWeek also has a round-up of patches from ICS vendors, including Siemens, Schneider Electric, Rockwell Automation, and Aveva.
Webinar: Unlocking More AI Use Cases with Tokenization.
What if you could nearly double your AI model's accuracy, while keeping sensitive data secure? Join this free webinar from Capital One Software and PwC to learn how tokenization helps unlock AI potential.
Google files lawsuit against alleged China-based phishing operation.
Google has filed a lawsuit against an organization based in China that allegedly runs a phishing-as-a-service operation, NPR reports. The organization, dubbed "Lighthouse," is accused of providing a phishing kit that spoofs hundreds of organizations, and has been used to create more than 32,000 phishing sites.
The lawsuit likely won't result in anyone being brought to trial, but Google's general counsel, Halimah DeLaine Prado, told NPR that the goal of the suit is deterrence. DeLaine Prado said, "It allows us a legal basis on which to go to other platforms and services and ask for their assistance in taking down different components of this particular illegal infrastructure. Even if we can't get to the individuals, the idea is to deter the overall infrastructure in some cases."
Europol operation disrupts malware infrastructure.
Law enforcement agencies have disrupted infrastructure used by the Rhadamanthys infostealer, the VenomRAT Trojan, and the Elysium botnet. Authorities also arrested the administrator of VenomRAT in Greece earlier this month. Europol said in a press release, "The dismantled malware infrastructure consisted of hundreds of thousands of infected computers containing several million stolen credentials. Many of the victims were not aware of the infection of their systems. The main suspect behind the infostealer had access to over 100,000 crypto wallets belonging to these victims, potentially worth millions of euros."
Learn how SAP is achieving 3-6x faster workflows with an AI-powered SOC.
Join SAP’s CISO for a conversation on how SAP is modernizing its SOAR workflows and building an AI SOC capability. They’ll cover:
- The challenges that led them to reimagine SOAR
- Their evolution to AI-driven workflows
- Their roadmap to an AI SOC
- Advice for your organization on building an AI SOC that scales
Synnovis begins notifying healthcare providers of data breach following June 2024 ransomware attack.
UK pathology laboratory services provider Synnovis is informing healthcare providers of a data breach following a ransomware attack the company sustained in June 2024, BleepingComputer reports. The affected providers will notify impacted individuals directly.
The HIPAA Journal reported in June of last year that the Qilin ransomware group had posted the alleged stolen data to its leak site, and that the data appeared to affect up to 300 million patients. Synnovis says the length of the investigation was due to the fragmented nature of the data.
Lumma Stealer rebounds after doxxing campaign.
Trend Micro warns of an increase in Lumma Stealer malware activity after an initial decline following the alleged doxxing of the malware operation's core members last month. The researchers note that a "key development in this resurgence is the implementation of browser fingerprinting techniques by the malware, representing a significant evolution in its C&C infrastructure while maintaining core communication protocols consistent with previous versions."
Build an AI-driven SOC at scale: Lessons from Reddit.
Hear from Reddit’s security team on December 3rd as they reveal how they’re building an AI SOC that scales. Learn how to combine AI and deterministic workflows for smarter security, and get a live walkthrough and advice on building and deploying your own AI SOC.