Svoboda Cybersecurity Brief November 11, 2025

Samsung Zero-Day Exploited to Deploy LandFall Spyware

A critical Samsung vulnerability (CVE-2025-21042) in libimagecodec.quram.so was exploited as a zero-day to deploy LandFall spyware via malicious DNG images sent over WhatsApp. The spyware harvests sensitive data, including call logs, SMS, photos, and microphone recordings. Targeted devices include the Samsung Galaxy S22 through S24, Z Fold 4, and Z Flip 4.
Impact: Remote code execution and extensive data theft.
Mitigation: Patch Samsung devices with April 2025 updates.
Source: BleepingComputer

Yanluowang Initial Access Broker Pleads Guilty

Russian national Aleksei Volkov (“chubaka.kor”) admitted to breaching 7 U.S. companies and selling access to Yanluowang ransomware affiliates. Victims included a bank, a telecom provider, and an engineering firm, with ransoms reaching $15M. Volkov faces up to 53 years in prison and $9.1M restitution.
Source: BleepingComputer

Quantum Route Redirect PhaaS Targets Microsoft 365 Credentials

A phishing automation platform (QRR) uses 1,000 domains to evade detection, with DocuSign- and payment-themed lures. It filters bots from real users and reports campaign statistics through a dashboard. 76% of attacks target U.S. users.
Impact: Credential theft leading to account compromise.
Mitigation: Implement URL filtering and monitor for anomalous logins.
Source: BleepingComputer

expr-eval JavaScript Library Vulnerable to RCE (CVE-2025-12735)

A critical flaw in the expr-eval library (800K+ weekly downloads) allows remote code execution via malicious input. The fork expr-eval-fork v3.0.0 includes fixes.
Impact: Arbitrary code execution in applications using the library.
Mitigation: Migrate to expr-eval-fork v3.0.0 or apply pull requests for the original library.
Source: BleepingComputer

Triofox Flaw Exploited to Install Remote Access Tools

UNC6485 exploited CVE-2025-12480 (auth bypass) in Triofox to upload malicious scripts via the antivirus feature, deploying Zoho Assist/AnyDesk. The attackers then escalated privileges to Domain Admins.
Impact: Full network compromise.
Mitigation: Update to Triofox v16.7.10368.56560, audit admin accounts.
Source: TheHackerNews

Konni APT Abuses Google Find Hub for Remote Wipes

North Korean hackers used stolen Google credentials to remotely wipe Android devices via Find Hub. Attacks combined Lilith RAT on Windows and EndRAT for data exfiltration.
Impact: Data destruction and persistent access.
Mitigation: Enable MFA, monitor Google account activity.
Source: TheHackerNews
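Both the QRR item above and this Konni item end with the same mitigation: watch sign-in activity for anomalies. The following is an added example written for this brief, not a vendor product or any Microsoft 365 / Google API. It runs two common detections over a constructed authentication log (format assumed: `timestamp user country result`): a first successful sign-in from a country never seen for that user, and "impossible travel" (two successes from different countries closer together than an assumed 60-minute floor). The logic is generic and applies to any identity provider's sign-in export once mapped to that shape.

```python
"""Added example: flag anomalous sign-ins from a constructed authentication log.

Illustrative code, not a vendor product or IdP API. The log format and the
MIN_TRAVEL_MINUTES floor are assumptions made for this example.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

MIN_TRAVEL_MINUTES = 60  # assumption: no legitimate country hop faster than this

# Constructed sample log: "ISO-timestamp user country result"
SAMPLE_LOG = """\
2025-11-03T08:02:11Z alice US success
2025-11-04T08:05:40Z alice US success
2025-11-05T07:58:03Z alice US success
2025-11-03T09:10:00Z bob DE success
2025-11-04T09:12:30Z bob DE success
2025-11-10T10:00:00Z alice US success
2025-11-10T10:25:00Z alice NG success
2025-11-10T14:00:00Z bob DE failure
2025-11-10T14:01:00Z bob DE success
2025-11-10T23:30:00Z bob BR success
"""

# Successful events before this instant train the per-user baseline.
BASELINE_UNTIL = datetime(2025, 11, 6)

Event = Tuple[datetime, str, str, str]


def parse_log(text: str) -> List[Event]:
    """Parse the constructed format into (timestamp, user, country, result), oldest first."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, country, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, country, result))
    events.sort(key=lambda e: e[0])
    return events


def detect_anomalies(events: List[Event], baseline_until: datetime) -> List[str]:
    """Return human-readable alerts for post-baseline successes."""
    known: Dict[str, Set[str]] = {}                 # user -> countries seen during baseline
    last_success: Dict[str, Tuple[datetime, str]] = {}
    alerts: List[str] = []
    for ts, user, country, result in events:
        if result != "success":
            continue  # failures feed brute-force rules, not these two
        if ts < baseline_until:
            known.setdefault(user, set()).add(country)
            last_success[user] = (ts, country)
            continue
        seen = known.setdefault(user, set())
        if country not in seen:
            # Not auto-learned: a real pipeline adds the country only after analyst confirmation,
            # otherwise the attacker's location silently becomes part of the baseline.
            alerts.append(f"{ts.isoformat()} {user}: first sign-in from {country} (baseline {sorted(seen)})")
        prev = last_success.get(user)
        if prev and prev[1] != country and ts - prev[0] < timedelta(minutes=MIN_TRAVEL_MINUTES):
            minutes = int((ts - prev[0]).total_seconds() // 60)
            alerts.append(f"{ts.isoformat()} {user}: impossible travel {prev[1]} -> {country} in {minutes} min")
        last_success[user] = (ts, country)
    return alerts


def run_sample() -> List[str]:
    """Run both detections over the constructed log."""
    return detect_anomalies(parse_log(SAMPLE_LOG), BASELINE_UNTIL)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample, alice's sign-in from NG raises both rules (new country, 25 minutes after a US success), while bob's BR sign-in raises only the new-country rule because it comes hours after his last DE success; bob's failed attempt is ignored by design.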

GlassWorm Malware Resurfaces in VS Code Extensions

Three new infected extensions (ai-driven-dev, adhamu.history-in-sublime-merge, yasuyuky.transient-emacs) were found in Open VSX, stealing GitHub/NPM credentials and crypto wallet data. Attackers used Solana blockchain for C2 updates.
Impact: Credential theft and supply chain compromise.
Mitigation: Audit installed extensions, revoke exposed tokens.
Source: TheHackerNews

Cl0p Ransomware Lists 29 Oracle EBS Victims

FIN11/Cl0p leaked data from Harvard, Envoy Air, and Schneider Electric after exploiting Oracle EBS vulnerabilities (likely CVE-2025-61882/CVE-2025-61884).
Impact: Sensitive data exposure.
Mitigation: Apply Oracle EBS patches, monitor for SSRF.
Source: SecurityWeek

Runc Container Escape Vulnerabilities Patched

Three flaws (CVE-2025-31133, CVE-2025-52565, CVE-2025-52881) in Runc allow escaping containers to host root access. Exploitation requires a malicious container image.
Impact: Host compromise in Kubernetes/Docker environments.
Mitigation: Update Runc, restrict untrusted container deployments.
Source: SecurityWeek

Forbes AI 50 Companies Leak Secrets on GitHub

65% of Forbes AI 50 firms exposed API keys, tokens, and credentials on GitHub, including Google API, Hugging Face, and ElevenLabs. Wiz found leaks in commit histories and forks.
Impact: Unauthorized access to private models/data.
Mitigation: Mandate GitHub secret scanning, establish disclosure channels.
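The mitigation above is secret scanning over commit content. As an added example written for this brief (not Wiz's tooling or GitHub's secret-scanning service), the following scans a unified diff and reports credentials introduced on added lines. The token formats are assumptions based on commonly documented prefixes: Google API keys as `AIza` plus 35 URL-safe characters, Hugging Face tokens as `hf_` plus a long alphanumeric string, GitHub personal access tokens as `ghp_` plus 36 characters; anything else is caught by a generic "secret-named assignment with a high-entropy value" rule, which is what keeps the `YOUR_API_KEY_HERE` placeholder from producing noise. The diff is constructed.

```python
"""Added example: scan git-diff text for leaked credential patterns.

Illustrative code written for this brief. Token formats are assumptions (see
SECRET_PATTERNS); the sample diff and all values in it are constructed.
"""
import math
import re
from typing import List, Tuple

# Assumed token formats, keyed by finding type.
SECRET_PATTERNS = {
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_\-]{35}"),
    "huggingface_token": re.compile(r"hf_[A-Za-z0-9]{30,}"),
    "github_pat": re.compile(r"ghp_[A-Za-z0-9]{36}"),
}

# Fallback: a secret-looking variable assigned a quoted value of 16+ token characters.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(api[_-]?key|secret|token|password)\s*[=:]\s*['\"]([A-Za-z0-9_\-/+=]{16,})['\"]"
)

# Constructed unified diff: one real-looking secret removed, several added.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,4 +1,6 @@
 import os
-HF_TOKEN = os.environ["HF_TOKEN"]
+HF_TOKEN = "hf_ConstructedSampleTokenNotRealXYZ0123"
+GOOGLE_KEY = "AIzaSyExampleExampleExampleExample12345"
+OPENAI_API_KEY = "YOUR_API_KEY_HERE"
+DB_PASSWORD = "p9Xq2mLr7vTb4Kw1ZsHy"
 DEBUG = False
"""


def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking keys score above 4, English-like text around 3."""
    if not s:
        return 0.0
    counts: dict = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_diff(diff_text: str, entropy_threshold: float = 3.5) -> List[Tuple[int, str, str]]:
    """Return (line_no, finding_type, matched_value) for secrets on added lines.

    Only '+' lines are inspected, because those are what the commit introduces;
    the '+++ b/...' file header is skipped. Line numbers count lines of the diff text.
    """
    findings: List[Tuple[int, str, str]] = []
    for line_no, line in enumerate(diff_text.splitlines(), start=1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        body = line[1:]
        matched_specific = False
        for name, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(body):
                findings.append((line_no, name, m.group(0)))
                matched_specific = True
        if matched_specific:
            continue
        m = GENERIC_ASSIGNMENT.search(body)
        # Entropy gate: placeholders such as YOUR_API_KEY_HERE match the regex but score low.
        if m and shannon_entropy(m.group(2)) >= entropy_threshold:
            findings.append((line_no, "high_entropy_" + m.group(1).lower(), m.group(2)))
    return findings


if __name__ == "__main__":
    for line_no, kind, value in scan_diff(SAMPLE_DIFF):
        print(f"line {line_no}: {kind}: {value}")
```

Run as a pre-receive hook or over `git log -p` output, this flags the Hugging Face token, the Google key and the high-entropy password while staying silent on the placeholder and on the removed line. Rotating any flagged value is the remediation; deleting it from history is not enough, since the brief notes the leaks surfaced in commit histories and forks.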
Source: SecurityWeek
