ThreatsDay Bulletin - AI Malware, Voice Bot Flaws, Crypto Laundering, IoT Attacks — and 20 More Stories

The ShadowV2 botnet, based on Mirai, has resurfaced, targeting IoT devices across industries. Fortinet assesses that a recent campaign coinciding with an AWS outage in late October 2025 was likely a test run for future attacks. The botnet exploits vulnerabilities such as CVE-2009-2765, CVE-2020-25506, CVE-2022-37055, CVE-2024-10914, CVE-2024-10915, CVE-2023-52163, CVE-2024-3721, and CVE-2024-53375 to recruit devices for DDoS attacks. A successful exploit leads to the execution of a downloader script that delivers the ShadowV2 malware.

The threat landscape extends beyond ShadowV2, with another Mirai-based botnet, RondoDox, also weaponizing over a dozen exploits to target IoT devices. F5 notes that attackers are motivated to target vulnerable IoT devices and take over previously infected devices to expand their botnets.

The Tor project is implementing a major upgrade, Counter Galois Onion (CGO), replacing the current relay encryption method. This upgrade aims to increase the cost of active attacks like tagging and traffic interception and prevent tampering with encrypted traffic. CGO will also add forward secrecy to bolster the network’s resilience.

Phishing attacks are on the rise, with Kaspersky identifying nearly 6.4 million attacks targeting online shoppers, payment systems, and banks in the first ten months of 2025. Almost half of these attacks, 48.2%, targeted online shoppers. Additionally, over 2 million phishing attacks were related to online gaming, and over 146,000 Black Friday-themed spam messages were blocked in early November.

A new toolset called QuietEnvelope, targeting OpenFind MailGates email protection systems, has been discovered. ESET details how the toolset deploys passive backdoors as a loadable kernel module (LKM), an Apache module, and injected shellcode, providing remote access to compromised servers. The LKM backdoor monitors TCP traffic on port 6400, while the Apache module expects commands in the OpenfindMaster HTTP header. The injected shellcode can retrieve files and execute commands. Debug strings written in simplified Chinese suggest a potential state-sponsored origin.
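Two of the indicators above are concrete enough to check for: an HTTP request carrying an OpenfindMaster header, and TCP traffic to port 6400 on a mail gateway. The following Python is an added example written for this bulletin, not ESET's tooling or anything from OpenFind; the raw HTTP requests and the flow-log format it parses are constructed for the example, and the gateway host list is a placeholder.

```python
"""Added example: flag two QuietEnvelope indicators named in the bulletin.

1. An HTTP request whose header block contains an OpenfindMaster header
   (the Apache module backdoor reads its commands from that header).
2. A TCP flow to port 6400 on a mail gateway host (the LKM backdoor
   monitors traffic on that port).

The HTTP requests and the flow-log format below are constructed for
this example; adapt the regex to whatever your flow/firewall export emits.
"""
import re
from typing import Iterable

HEADER_NAME = "openfindmaster"   # HTTP header names are case-insensitive
BACKDOOR_PORT = 6400


def find_openfindmaster_requests(raw_requests: Iterable[str]) -> list[dict]:
    """Return the requests whose header block carries an OpenfindMaster header.

    Each element of raw_requests is one HTTP request as text: request line,
    then headers, then an empty line and optional body (CRLF or LF endings).
    Only the header block is inspected; the body is ignored.
    """
    hits = []
    for req in raw_requests:
        head = re.split(r"\r?\n\r?\n", req, maxsplit=1)[0]
        lines = head.splitlines()
        if not lines:
            continue
        for line in lines[1:]:                       # skip the request line
            name, sep, _value = line.partition(":")
            if sep and name.strip().lower() == HEADER_NAME:
                hits.append({"request_line": lines[0].strip(),
                             "header": line.strip()})
                break
    return hits


# Constructed flow-log line shape: "... src=A.B.C.D:port dst=E.F.G.H:port proto=TCP"
FLOW_RE = re.compile(
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)\s+proto=(?P<proto>\w+)"
)


def find_port6400_flows(flow_lines: Iterable[str], gateway_hosts: set[str]) -> list[dict]:
    """Return TCP flows whose destination is a known mail gateway on port 6400."""
    hits = []
    for line in flow_lines:
        m = FLOW_RE.search(line)
        if not m:
            continue                                # not a flow record we understand
        if (m["proto"].upper() == "TCP"
                and int(m["dport"]) == BACKDOOR_PORT
                and m["dst"] in gateway_hosts):
            hits.append({"src": m["src"], "dst": m["dst"], "raw": line.strip()})
    return hits


# --- constructed sample data -------------------------------------------------
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1\r\nHost: mail.example.invalid\r\nUser-Agent: curl/8.0\r\n\r\n",
    # header name in mixed case still matches, because HTTP headers are case-insensitive
    "POST /webmail HTTP/1.1\r\nHost: mail.example.invalid\r\nOpenfindMaster: <opaque>\r\n\r\nbody",
    # header name only appears in the body, so this must NOT match
    "POST /upload HTTP/1.1\r\nHost: mail.example.invalid\r\n\r\nOpenfindMaster: not-a-header",
]

GATEWAY_HOSTS = {"192.0.2.10"}                    # placeholder: your mail gateways

SAMPLE_FLOWS = [
    "2025-11-20T10:00:01Z fw1 src=198.51.100.7:51234 dst=192.0.2.10:6400 proto=TCP",
    "2025-11-20T10:00:02Z fw1 src=198.51.100.7:51235 dst=192.0.2.10:25 proto=TCP",
    "2025-11-20T10:00:03Z fw1 src=198.51.100.8:40000 dst=192.0.2.55:6400 proto=TCP",  # not a gateway
]

if __name__ == "__main__":
    for h in find_openfindmaster_requests(SAMPLE_REQUESTS):
        print("suspicious header:", h)
    for f in find_port6400_flows(SAMPLE_FLOWS, GATEWAY_HOSTS):
        print("suspicious flow:", f)
```

Because the LKM component is described as passively monitoring port 6400 rather than binding a socket, a host-level listening-port check may show nothing; flow or firewall telemetry at the network boundary is the more reliable place to look for that indicator. Unsolicited connections to port 6400 on a mail gateway that has no legitimate service there warrant investigation regardless of the exact malware involved.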

The U.K.’s National Crime Agency (NCA) uncovered a cryptocurrency laundering network tied to Russian sanctions evasion. The companies Smart and TGR laundered money from cybercrime, drugs, and firearms smuggling, creating clean cryptocurrency for Russian use.

Microsoft has updated Defender for Office 365 to remove malicious calendar entries created by Outlook from email invites, extending remediation actions beyond inboxes to calendars.

To read the complete article see: The Hacker News.

This post is licensed under CC BY 4.0 by the author.