This advisory provides an overview of phishing email trends observed in November 2025, highlighting the tactics, techniques, and procedures (TTPs) employed by threat actors.

The Kimwolf botnet has emerged as a significant threat, hijacking 1.8 million Android-based devices, including TVs, set-top boxes, and tablets, to conduct large-scale DDoS attacks. This botnet is linked to the AISURU botnet.

Ink Dragon, a sophisticated Chinese threat actor, has been leveraging a custom ShadowPad IIS Listener module to transform compromised servers into distributed relay nodes.

A new spyware, dubbed ResidentBat, has been discovered on a Belarusian journalist's phone. This spyware targets Android devices and can access call logs, SMS, encrypted app messages, microphone recordings, locally stored files, and screen captures.

The Richmond Behavioral Health Authority in Virginia experienced a data breach, affecting 113,232 individuals. The compromised data includes names, SSNs, passport numbers, financial account information, and protected health information.

A critical vulnerability has been patched in SonicWall's Secure Mobile Access (SMA) 1000 appliances. This vulnerability, when combined with CVE-2025-23006, allows attackers to achieve unauthenticated remote code execution with root privileges.

CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, indicating active exploitation. These vulnerabilities pose significant risks to federal enterprises and require immediate attention.

A critical vulnerability in ASUS Live Update, identified as CVE-2025-59374 with a CVSS score of 9.3, has been actively exploited. This flaw, resulting from a supply chain compromise, allows attackers to perform unintended actions on affected devices.

Multiple bugs have been identified in Apple products, with the most severe potentially allowing for arbitrary code execution. Apple is aware of reports that CVE-2025-43529 and CVE-2025-14174 may have been exploited in sophisticated attacks.

A sophisticated cryptocurrency mining campaign has been identified targeting AWS customers. The attackers leverage compromised IAM credentials to deploy crypto miners, using advanced persistence techniques to evade detection and maintain operations.