
Message in the malware.
CISA warns of spyware targeting messaging apps. CodeRED, this is not a test. Infostealer campaign spreads via malicious Blender files. Shai-Hulud’s second coming. Real estate finance firm SitusAMC investigates breach. Dartmouth College discloses Oracle EBS breach. Dave Bittner is joined by Tim Starks, Senior reporter from CyberScoop, to discuss the Trump administration’s upcoming cyber strategy. And ’tis the season for deals — and digital deception.
Today is Tuesday, November 25th, 2025. I’m Maria Varmazis, host of N2K’s T-Minus Space Daily podcast in for Dave Bittner. And this is your CyberWire Intel Briefing.
CISA warns of spyware targeting messaging apps.
The US Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory yesterday warning of "multiple cyber threat actors actively leveraging commercial spyware to target users of mobile messaging applications." The spyware is delivered via phishing, zero-click exploits, and app impersonation. CISA notes that "[w]hile current targeting remains opportunistic, evidence suggests these cyber actors focus on high-value individuals, such as current and former high-ranking government, military, and political officials, as well as civil society organizations (CSOs) and individuals across the United States, the Middle East, and Europe."
CodeRED, this is not a test.
A sophisticated cyberattack on the CodeRED emergency notification system – managed by OnSolve – has forced its nationwide decommissioning and migration to a new platform due to service-disabling infrastructure compromise.
The breach exposed thousands of users’ names, phone numbers, email addresses, and passwords previously used to register for alerts — although no payment card or financial data was stored. Localities across Missouri and Colorado, among others, remain unable to send targeted voice, text or email alerts for water-main breaks, severe weather and other emergencies, leaving public-safety communications vulnerable.
Municipal officials are urging all affected users to change reused passwords immediately, while emergency-management agencies scramble to deploy alternative alerting channels and prepare communities for a protracted system-recovery timeline.
Infostealer campaign spreads via malicious Blender files.
Morphisec has published a report on a Russia-linked malware operation targeting users of the free 3D modeling suite Blender with malicious .blend files. The threat actor distributes the files on popular marketplaces for 3D models, such as CGTrader. The files are designed to install the StealC V2 infostealer. The attack chain moves from a weaponized .blend file to a loader, a PowerShell stage, ZIP archives, and a Python environment, ultimately deploying StealC V2, which targets 23+ browsers, 15+ crypto wallets, and messaging and VPN clients, and includes a UAC bypass.
Shai-Hulud’s second coming.
The supply-chain malware campaign dubbed “Shai-Hulud – Second Coming” has resurfaced in the npm ecosystem, using malicious packages with a two-stage loader (setup_bun.js → bun_environment.js) that can propagate across 100 packages per execution and wipe a compromised developer’s home directory if authentication fails. The threat now leverages randomly named GitHub repos to reduce detection, abuses credential-accessed packages in CI pipelines, and has prompted security firms to rapidly add affected versions to their malicious-package databases, Checkmarx reports. Developers and organizations are urged to temporarily block access to public npm registries, review npm token permissions, and configure endpoint protections to flag the loader filenames and malicious behaviour.
Real estate finance firm SitusAMC investigates breach.
Real estate finance technology vendor SitusAMC has confirmed that it discovered a breach on November 12th that resulted in the theft of client information, The Register reports. The company said in a statement, "Corporate data associated with certain of our clients’ relationships with SitusAMC, such as accounting records and legal agreements, has been impacted. Certain data relating to some of our clients’ customers may also have been impacted. The scope, nature, and extent of such impact remain under investigation by the Company and its third-party advisors."
The New York Times cites sources as saying the company has notified JPMorgan Chase, Citi, and Morgan Stanley that their client data may have been affected. The FBI is investigating the breach.
Dartmouth College discloses Oracle EBS breach.
Dartmouth College has disclosed that it was among the victims of a wave of zero-day attacks targeting Oracle E-Business Suite (EBS) instances, BleepingComputer reports. The university hasn't disclosed the total number of impacted individuals, but said in a breach notification with the Maine Attorney General's Office that just under 1,500 Maine residents were affected. The breach occurred in August 2025, and involved names and Social Security numbers. The Clop ransomware gang has posted the alleged stolen data to its leak site.
Other confirmed victims of Clop's Oracle EBS campaign include Logitech, Harvard University, the Washington Post, Envoy Air, and Mazda. John Hultquist, Chief Analyst at Google's Threat Intelligence Group, told BleepingComputer that dozens of additional organizations were likely breached.
Coming up after the break, we have Dave Bittner sitting down with Tim Starks, Senior reporter from CyberScoop, to discuss the Trump administration’s upcoming cyber strategy. And ’tis the season for deals — and digital deception.
Dave Bittner recently sat down with Tim Starks, Senior reporter from CyberScoop, to discuss the Trump administration’s upcoming cyber strategy. Here’s their conversation.
That was Tim Starks, Senior reporter from CyberScoop, discussing the Trump administration’s upcoming cyber strategy. If you enjoyed this conversation, and want to hear more from Tim on Trump, check out his story in the show notes.
’Tis the season for deals — and digital deception.
Well, if you thought the holiday season was only stressful for shoppers, think again—turns out cybercriminals are also making their lists and checking them twice. According to the latest Semperis Ransomware Risk Report, attackers love striking when we’re distracted. Weekends, holidays, mergers, acquisitions—basically any time your SOC is running on half power. With 78% of companies slashing SOC staffing during off-hours, attackers basically get the run of the house.
And while organizations are distracted, shoppers aren’t doing much better. PreCrime Labs says threat actors are rolling out holiday-themed phishing domains like they’re wrapping paper — more than 1,700 suspicious sites popped up before December even started, with Halloween and Black Friday scams spiking triple digits. Fake luxury stores, crypto “seasonal tokens,” travel deals to zombie festivals — if it sounds festive, someone’s weaponizing it.
And if you’re bargain-hunting on your phone, there’s one more stocking stuffer: privacy risk. An analysis of top Black Friday apps found they request an average of 29 permissions — eight of them considered dangerous — and dozens weren’t exactly truthful in their privacy policies. Some apps said they don’t access your location while… absolutely accessing your location.
So whether you’re in the boardroom or the checkout line, remember: holidays may slow us down, but they speed cybercriminals up. Stay merry — just stay alert too.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.
