Threat Briefing: November 7, 2025


Threat Intel Update


Recent events highlight the growing scale of cyber threats and the speed at which attacker tactics evolve. In one alarming case, trusted incident responders were charged with deploying ALPHV/BlackCat ransomware against the kinds of companies they were hired to protect, a reminder that insider risk extends to the security team itself. At the same time, the merger of several established threat groups into the so-called Scattered LAPSUS$ Hunters signals a shift toward a more organized, brand-driven model of data extortion.

North Korea continues to place IT workers overseas to evade sanctions and fund its weapons programs, while Cisco has warned that zero-day flaws in its ASA and FTD firewalls remain under active exploitation and is urging customers to patch immediately. Meanwhile, Europol's takedown of large credit card fraud networks underscores the global reach and growing sophistication of financial cybercrime.


Cybersecurity News

  • Incident Responders Charged with Orchestrating Ransomware Attacks on U.S. Companies – Federal prosecutors have accused three cybersecurity incident response professionals of using the ALPHV/BlackCat ransomware to attack five U.S. businesses between May 2023 and April 2025. The group allegedly extorted $1.3 million from a Florida medical firm but failed to obtain payments from the other victims. One suspect fled to Europe before being apprehended, while another remains in pretrial detention; the two detained defendants face charges carrying potential sentences of up to 50 years in prison. The case is a reminder that responders are routinely granted broad, trusted access to victim environments, and that this access should be scoped, logged, and revoked with the same rigor applied to any other privileged account. CyberScoop
  • Cybercriminal Groups Unite Under New Banner – Scattered Spider, LAPSUS$, and ShinyHunters have merged to form Scattered LAPSUS$ Hunters (SLH), operating on Telegram since August 2025. Using an “extortion-as-a-service” model, SLH pools resources and branding for coordinated data extortion. The group’s organized structure blurs the line between hacktivism and profit-driven crime, and it has hinted at developing a new ransomware strain, Sh1nySp1d3r, to rival LockBit and DragonForce. The Hacker News
  • North Korea Exploits Overseas IT Workers to Fund WMD Programs – The U.S. Treasury has sanctioned North Korean entities and front companies that place IT workers abroad to support the regime’s weapons programs. Earning up to $300K annually, these workers often use stolen identities and fake personas while working from China, Russia, and elsewhere, and have at times gained privileged access to virtual-currency firms and major employers. The sanctions target both the facilitators of these operations and their financial backers. Employers should treat remote-hire identity verification and anomalous contractor access as part of their insider-threat program, not just an HR concern. The Record
  • Cisco Warns September 2025 Firewall Zero-Days Remain Under Active Exploitation – Cisco has reported that two ASA and FTD firewall vulnerabilities disclosed in September, CVE‑2025‑20333 (remote code execution) and CVE‑2025‑20362 (unauthenticated access to restricted URL endpoints), continue to be exploited as zero-days, with the two flaws chained to reach code execution without valid credentials. Observed attacks involve the malware families RayInitiator and LINE VIPER, and successful exploits may trigger unexpected device reloads, causing Denial of Service (DoS); an unexplained reload on an internet-facing ASA or FTD should therefore be investigated as a possible exploitation attempt rather than dismissed as a stability issue. Cisco urges immediate patching and has also released fixes for critical vulnerabilities in its Unified CCX and ISE products. The Hacker News
  • Operation Chargeback: €300M Credit Card Fraud Rings Busted – International authorities have dismantled three credit card fraud networks responsible for €300 million in losses, affecting over 4.3 million cardholders across 193 countries. The coordinated Operation Chargeback, involving Germany, the U.S., Canada, Singapore, and multiple EU nations, led to 18 arrests and €35 million in seized assets. The networks used complicit German payment service providers and shell companies to bill cardholders for roughly 19 million fake subscriptions of about €50 each, small enough that many charges went unnoticed. Bleeping Computer


About the Author

CampusGuard Threat Intel Team