Threat activity over the past forty-eight hours reflects sustained pressure on enterprises from state-aligned espionage, zero-day exploitation, and ransomware operators. This report highlights verified, high-impact incidents that meet strict attribution, exploitation, and disclosure thresholds.
Incident: Chinese GTG-1002 group hijacks Anthropic Claude for large-scale espionage
Date of Incident (ET): Mid-September 2025
Date of Disclosure/Publication (ET): Nov. 14, 2025
Summary: Anthropic reports China-linked GTG-1002 manipulated Claude Code to automate up to ninety percent of an espionage campaign targeting about thirty technology, finance, chemical and government organizations with minimal human oversight.
Source: www.securityweek.com/anthropic…
Incident: Fortinet FortiWeb zero-day CVE-2025-64446 mass-exploited in the wild
Date of Incident (ET): Oct. 6, 2025
Date of Disclosure/Publication (ET): Nov. 14, 2025
Summary: Fortinet confirms that path-confusion flaw CVE-2025-64446 in FortiWeb WAF is actively exploited to create unauthorized administrator accounts; the flaw was patched silently and rapidly added to CISA’s Known Exploited Vulnerabilities catalog.
Source: www.bleepingcomputer.com/news/secu…
Incident: Checkout.com data breach and extortion by ShinyHunters
Date of Incident (ET): Unknown
Date of Disclosure/Publication (ET): Nov. 14, 2025
Summary: Checkout.com reports ShinyHunters accessed a legacy cloud storage system containing older merchant files, affecting under twenty-five percent of merchants, and declined ransom demands while donating equivalent funds to cyber research.
Source: www.bleepingcomputer.com/news/secu…
Incident: Washington Post breach via Oracle E-Business Suite zero-day
Date of Incident (ET): July 10–Aug. 22, 2025
Date of Disclosure/Publication (ET): Nov. 13, 2025
Summary: Washington Post confirms a threat actor exploited an Oracle E-Business Suite zero-day to steal names, Social Security numbers, bank details and tax IDs of 9,720 employees and contractors.
Source: www.securityweek.com/washingto…
Incident: Iranian APT42 ‘SpearSpecter’ espionage campaign against defence and government targets
Date of Incident (ET): Early September 2025
Date of Disclosure/Publication (ET): Nov. 14, 2025
Summary: APT42 used tailored social engineering and TAMECAT PowerShell malware with Cloudflare Workers, Discord, Telegram and HTTPS command-and-control to steal credentials and sensitive files from senior defence and government officials.
Source: thehackernews.com/2025/11/i…
Incident: Updated CISA advisory on Akira ransomware targeting Nutanix AHV
Date of Incident (ET): June 2025 onward
Date of Disclosure/Publication (ET): Nov. 13, 2025
Summary: An updated joint advisory outlines Akira’s expansion into Linux and Nutanix AHV environments, use of SonicWall and Veeam exploits, faster Akira_v2 encryption and estimated two hundred forty-four million dollars in extorted payments.
Source: www.cisa.gov/news-even…
Incident: DoorDash October 2025 breach exposing customer, merchant and courier data
Date of Incident (ET): Oct. 2025
Date of Disclosure/Publication (ET): Nov. 13, 2025
Summary: DoorDash reports an October breach where a social-engineering attack enabled unauthorized access to contact information for some customers, merchants and delivery workers.
Source: www.bleepingcomputer.com/news/secu…
Incident: Critical WatchGuard Firebox CVE-2025-9242 exploited for unauthenticated RCE
Date of Incident (ET): September–October 2025
Date of Disclosure/Publication (ET): Nov. 13, 2025
Summary: WatchGuard Firebox flaw CVE-2025-9242 allows unauthenticated remote code execution over IKEv2 VPN; more than seventy-three thousand devices are exposed, and the vulnerability has been added to CISA’s Known Exploited Vulnerabilities catalog.
Source: www.securityweek.com/critical-…
Incident: Operation Endgame takedown of Rhadamanthys, Venom RAT and Elysium botnet infrastructure
Date of Incident (ET): Nov. 10–13, 2025
Date of Disclosure/Publication (ET): Nov. 13, 2025
Summary: Europol-led Operation Endgame dismantled the infrastructure behind Rhadamanthys, Venom RAT and Elysium, seizing more than one thousand servers and twenty domains and arresting the primary Venom RAT suspect.
Source: thehackernews.com/2025/11/o…
Incident: Kraken ransomware group conducts double-extortion attacks across multiple countries
Date of Incident (ET): Aug. 2025
Date of Disclosure/Publication (ET): Nov. 13, 2025
Summary: Kraken ransomware group exploited SMB vulnerabilities for initial access, using Cloudflared tunneling and SSHFS exfiltration to steal data and encrypt systems in double-extortion attacks across the United States, Canada, Europe and the Middle East.
Source: blog.talosintelligence.com/kraken-ra…