News Week: November 17th to November 23rd, 2025

November 24, 2025

Pennsylvania Attorney General Confirms Major Data Exposure After August Attack

In November 2025, the Pennsylvania Office of the Attorney General officially acknowledged that an August breach led to the theft of sensitive personal and medical information. The intrusion, later claimed by the INC Ransom group, an active RaaS (ransomware-as-a-service) operation, resulted in files containing names, Social Security details, and health-related data being accessed without permission. The office confirmed it refused to pay the ransom after systems were encrypted, leaving key digital services offline, including email, websites, and internal phone lines. Independent security researchers suggested that vulnerable Citrix NetScaler systems, linked to the Citrix Bleed 2 (CVE-2025-5777) exploit, may have provided the entry point for attackers. INC Ransom later stated it had removed over 5TB of information and even hinted at access to federal networks. The incident marks the third known ransomware breach involving Pennsylvania government organizations.

Azure Withstands Record-Scale DDoS Surge Driven by Aisuru Botnet

Microsoft has confirmed that Azure recently endured a massive DDoS assault peaking at 15.72 Tbps, sourced from roughly half a million IP addresses controlled by the Aisuru botnet. The attack consisted of extremely high-volume UDP floods directed at a public IP in Australia, hitting nearly 3.64 billion packets per second and representing one of the largest DDoS events Azure has faced to date. Aisuru, a Turbo Mirai-derived IoT botnet, is known for exploiting vulnerable consumer hardware such as routers, cameras, and Realtek-based devices to amplify its traffic. Cloudflare and Qi’anxin have also linked Aisuru to other historic DDoS attacks throughout 2025, including incidents exceeding 11 Tbps and even surpassing 22 Tbps. Researchers believe the botnet grew rapidly after attackers compromised a firmware server and pushed malware to thousands of devices. The scale and frequency of these DDoS attacks highlight escalating pressure on cloud platforms and global internet infrastructure.

Google Issues Emergency Patch for New Chrome Zero-Day Under Active Exploitation

Google has rolled out an urgent security update after confirming that CVE-2025-13223, a newly discovered Chrome zero-day, is being actively exploited in real-world attacks. The flaw stems from a type-confusion issue in the V8 JavaScript engine and was reported by Google’s Threat Analysis Group, which often uncovers zero-day activity linked to government-sponsored hacking and spyware operations. The fix is now available in Chrome versions 142.0.7444.175/.176 across Windows, Mac, and Linux, with automatic rollout progressing over the coming weeks. Users can manually verify they are protected by navigating to Help → About Google Chrome and relaunching the browser after updating. While Google confirmed exploitation, technical details remain restricted until most users apply the patch. This marks the seventh Chrome zero-day resolved in 2025, following multiple emergency updates throughout March, May, July, and September, reinforcing how frequently attackers are leveraging zero-day chains against high-value targets.

ShinySp1d3r: New RaaS Platform Built by ShinyHunters Emerges

A new ransomware-as-a-service (RaaS) operation known as ShinySp1d3r is taking shape, developed by actors linked with ShinyHunters and Scattered Spider. Unlike prior campaigns in which these groups relied on third-party encryptors such as ALPHV/BlackCat, Qilin, RansomHub, or DragonForce, ShinySp1d3r is being built entirely in-house, signaling a shift toward fully controlled extortion operations. Early samples uploaded to VirusTotal reveal a feature-rich Windows encryptor capable of process killing, shadow copy deletion, free-space wiping, network propagation via SCM, WMI, or GPO, and anti-analysis behaviors. Encrypted files carry unique extensions and metadata-packed headers marked SPDR→ENDS. Each impacted system receives a ransom note with negotiation details and a placeholder Tor leak portal. ShinyHunters plans versions for Linux, ESXi, and even a high-speed “lightning” build. Although healthcare entities are reportedly off-limits, history suggests RaaS rules are often ignored once affiliates join.

US, UK & Australia Sanction Russian Bulletproof Hosting Providers Linked to Ransomware

The United States, United Kingdom, and Australia have jointly issued sanctions targeting Russian bulletproof hosting (BPH) services long associated with ransomware groups and wider cybercrime activity. Central to the action is Media Land, a provider known for leasing infrastructure to LockBit, BlackSuit, Play, and other ransomware operations, alongside three connected firms: Media Land Technology, Data Center Kirishi, and ML Cloud. Authorities say these BPH networks enabled phishing campaigns, malware deployment, command-and-control operations, DDoS attacks, and illicit content hosting while ignoring takedown requests. Sanctions also extend to executives Aleksandr Volosovik (aka Yalishanda), Kirill Zatolokin, and Yulia Pankova, as well as Aeza Group LLC, Hypercore Ltd, and affiliated Serbian and Uzbek support companies. Five Eyes cybersecurity agencies published guidance urging ISPs to track malicious resources, monitor traffic, and enforce stronger identity verification. Assets in the US, UK, and Australia are now frozen, and associated parties face secondary penalties.

Sneaky2FA PhaaS Evolves with New Browser-in-the-Browser Techniques

The Sneaky2FA phishing-as-a-service (PhaaS) platform has expanded its capabilities by integrating a browser-in-the-browser (BitB) attack method, adding a highly convincing new layer to Microsoft 365 credential theft. Previously known for SVG-based and attacker-in-the-middle (AitM) session interception, the PhaaS kit now generates a pop-up that visually imitates a real Microsoft login window, including OS-specific styling, spoofed URL bars, and OAuth-like interface elements. When victims click “Sign in with Microsoft,” the BitB overlay loads the existing AitM phishing pipeline, enabling attackers to harvest logins and session tokens even when multi-factor authentication is active. Sneaky2FA’s PhaaS approach mirrors other services like Tycoon2FA and Mamba2FA, but now includes obfuscated HTML, conditional content delivery, and defensive evasion designed to bypass scanners. The update reflects a broader shift in PhaaS tooling, where BitB acts as a deception layer rather than the core mechanism—further blurring the line between red-team tooling and live cybercrime.

Scattered Spider Members Plead Not Guilty in TfL Cyberattack Case

Two alleged members of the Scattered Spider cybercrime collective—19-year-old Thalha Jubair and 18-year-old Owen Flowers—have pleaded not guilty to charges linked to the August 2024 breach of Transport for London (TfL). The intrusion caused major operational disruption, halted refund processing, and was later confirmed to have exposed customer data including names, addresses, and contact details. Both suspects were arrested by the UK’s National Crime Agency and City of London Police, accused of offenses involving fraud, computer misuse, and actions that risked severe harm to public welfare. Court filings connect Flowers to additional healthcare network intrusion attempts in the United States, while Jubair is separately charged with withholding passwords seized in March 2025 and faces U.S. indictments tied to widespread extortion campaigns. Authorities estimate victims paid over $115 million in related ransom demands, and Scattered Spider remains under investigation for attacks on critical infrastructure and major retailers.

Conclusion

The charges against alleged Scattered Spider members highlight the growing impact of youth-driven cybercrime and the severe damage these intrusions inflict on public services and private organizations. With millions in losses, exposed data, and cross-border prosecutions, the case reinforces how critical strong cyber resilience and rapid response mechanisms are for organizations of all sizes.

As experts in ransomware recovery and cybersecurity, we offer comprehensive support through Ransomware Recovery Services, effective Ransomware Negotiation Services, and a proactive Incident Response Retainer. If you need fast assistance recovering encrypted systems, negotiating with threat actors, or strengthening your defensive readiness, reach out today for immediate support.