Cyber Briefing: 2025.11.12
WhatsApp malware hits Brazil, GootLoader returns, npm hits GitHub, £5.5B crypto scam, Hamburg hack, GlobalLogic breach, Google AI privacy, China threat, UK Cyber Bill.
👉 What’s trending in cybersecurity today?
Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
🚨 Cyber Alerts
1. WhatsApp Malware Hits Brazil Banks
Threat hunters have identified significant similarities between the banking malware Coyote and the recently discovered malicious program Maverick, which is spreading through WhatsApp, suggesting a possible evolutionary link between the two. Both strains, written in .NET and targeting Brazilian users and banks, share identical core functionality for decrypting, monitoring banking applications, and spreading via WhatsApp Web.
2. GootLoader Returns With Font Trick
The GootLoader malware has re-emerged, observed in recent infections that quickly led to hands-on keyboard intrusions and domain controller compromise, demonstrating significant evolution in its evasion tactics. Its latest version uses custom web fonts to obfuscate filenames and modifies its ZIP payload to appear as a harmless text file in automated analysis tools while still deploying its intended JavaScript backdoor, Supper, to victims.
3. Npm Package Targets GitHub Repos
Cybersecurity researchers found a malicious npm package, “@acitons/artifact”, using typosquatting against the legitimate GitHub package “@actions/artifact”. Its goal was to target GitHub-owned repositories by executing malware during a build, exfiltrating tokens, and using them to publish further malicious artifacts as GitHub.
For more alerts, click here!
💥 Cyber Incidents
4. Fraudster Jailed In £5.5Bn Bitcoin Scam
Zhimin Qian was sentenced to 11 years and eight months for masterminding a £4.3 billion Ponzi scheme that defrauded 128,000 victims in China, fleeing in 2017 and leading to the UK’s largest cryptocurrency seizure (over 61,000 Bitcoin, currently valued around £5 billion). She was apprehended in York in April 2024 after police tracked a dormant Bitcoin wallet that had become active, following a six-year international manhunt.
5. Hamburg Miniature Museum Hit By Hack
Miniatur Wunderland, the popular model railway museum in Hamburg, has alerted visitors to a major cyberattack that potentially compromised the credit card data of hundreds of thousands of customers. The museum believes its online ticket shop was breached between June 6th and October 29th,
6. GlobalLogic Confirms Data Breach
GlobalLogic, a digital engineering company owned by Hitachi, disclosed that personal data belonging to over 10,000 current and former employees was exposed in a mass-exploitation campaign targeting Oracle E-Business Suite (EBS) and attributed to the Clop ransomware group. The breach, which involved sensitive information like Social Security numbers and bank account details, makes GlobalLogic the latest high-profile victim in a growing roster that also includes The Washington Post and Allianz UK.
For more incidents click here!
📢 Cyber News
7. Google Launches Private AI Compute
Google introduced Private AI Compute, a new privacy technology that allows its powerful Gemini cloud AI models to process user queries securely. This system ensures personal data remains completely private to the user and is inaccessible to Google or anyone else, essentially offering the speed of cloud computing with the privacy of on-device processing.
8. Australia Warned Of China Sabotage
Australia’s spy chief, Mike Burgess of the Australian Security Intelligence Organisation (Asio), has warned that Chinese government and military-linked hackers are actively targeting the nation’s vital infrastructure—including water, energy, and transport—raising the risk of “high-impact sabotage.” He cautioned that “unprecedented levels of espionage” signal a growing, devastating threat of cyber-enabled disruption within the next five years.
9. UK Unveils Cyber Security Bill
The UK government introduced the Cyber Security and Resilience Bill to Parliament, aiming to strengthen national cyber defenses by reforming the existing Network and Information Systems (NIS) Regulations 2018. This legislation is designed to bolster the security of essential sectors like healthcare, energy, and water, as well as digital services, in response to a marked increase in major cyberattacks targeting critical infrastructure.
For more news, click here!
📈 Cyber Stocks
On Wednesday, 12th November, cybersecurity stocks traded mostly higher as optimism returned to the broader technology sector. Investors appeared encouraged by strong enterprise spending trends, growing demand for AI-enhanced threat protection, and continued geopolitical cyber risks driving investment in network defense. Despite mild volatility in some identity-focused names, the sector maintained upward momentum, reflecting confidence in cybersecurity’s critical role in digital infrastructure resilience.
CrowdStrike closed slightly higher, buoyed by sustained enterprise investment in endpoint and AI-driven security as global cyber-threat activity remains elevated.
Zscaler ended modestly up, supported by the ongoing shift toward zero-trust cloud architectures and positive analyst sentiment on its growth trajectory.
Palo Alto Networks finished largely unchanged, as investors balanced optimism around its unified platform strategy with short-term concerns over acquisition integration.
Okta settled lower, weighed down by competitive pressures in identity management despite expanding adoption across regulated industries.
Fortinet closed marginally higher, aided by geopolitical tensions and continued enterprise demand for network and perimeter defense solutions.
💡 Cyber Tip
🦠 GootLoader Returns Using a Font Trick to Hide Malware
GootLoader has reappeared, spreading malicious ZIP files from compromised WordPress sites. Its latest campaign uses custom web fonts (WOFF2) to disguise malicious filenames and bypass detection. The ZIP payloads appear as harmless text files in automated scans but actually deliver a JavaScript backdoor called Supper (also known as SocksShell or ZAPCAT). Attackers use it to gain remote control and move laterally across networks.
🔐 What You Should Do
Keep all WordPress installations, themes, and plugins updated and remove unused components.
Block suspicious download links and scan systems for signs of the Supper backdoor.
Watch for unusual JavaScript files, new admin accounts, or unexpected WinRM activity.
Maintain offline backups and test restoration procedures regularly.
⚠️ Why This Matters
GootLoader’s new evasion techniques using custom fonts and ZIP tricks help attackers slip past detection tools and quickly compromise networks. Regular patching, proactive scans, and strict access control are essential to defend against this evolving threat.
📚 Cyber Book
Fighting Phishing by Roger A. Grimes
That concludes today’s briefing. You can check the top headlines here!
Copyright © 2025 CyberMaterial. All Rights Reserved.
Follow CyberMaterial on:
Substack, LinkedIn, Twitter, Reddit, Instagram, Facebook, YouTube, and Medium.