SecurityWeek’s cybersecurity news roundup provides a concise compilation of noteworthy stories that might have slipped under the radar.
We provide a valuable summary of stories that may not warrant an entire article, but are nonetheless important for a comprehensive understanding of the cybersecurity landscape.
Each week, we curate and present a collection of noteworthy developments, ranging from the latest vulnerability discoveries and emerging attack techniques to significant policy changes and industry reports.
Here are this week’s stories:
Suspected Scattered Spider members plead not guilty to TfL attack
Thalha Jubair and Owen Flowers, the two suspected Scattered Spider members arrested earlier this year in the UK, have pleaded not guilty to the charges accusing them of launching a disruptive cyberattack against Transport for London (TfL). Jubair has also been charged in the US, where he has been accused of hacking into networks, stealing and encrypting victims’ data, and extorting them.
HashJack attack targets AI browsers
Researchers at Cato Networks have disclosed HashJack, a new indirect prompt injection attack targeting AI browser assistants. HashJack involves malicious prompts being hidden after the ‘#’ symbol in legitimate URLs. AI browser assistants in Comet, Edge, and Chrome execute the commands when they process the URL, potentially leading to phishing, data exfiltration, malware delivery, and misinformation. Impacted browser vendors have been notified and, except for Google (which classified it as a low-severity issue), they have released patches.
Leak reveals inner workings of Iranian APT Charming Kitten
Internal documents belonging to the Iranian threat group Charming Kitten (APT35) were leaked last month on GitHub, revealing the actor’s inner workings. An analysis conducted by DomainTools showed that the hackers operate as a “regimented, quota-driven cyber operations unit operating inside a bureaucratic military chain of command”. Members are assigned to specific tasks, and supervisors file monthly performance reports that include information such as phishing success rate, exploitation metrics, completed tasks, and hours worked.
Scattered Lapsus$ Hunters member Rey identified as teen from Jordan
Cybersecurity blogger Brian Krebs claims to have uncovered the real identity of ‘Rey’, a key member of the Scattered Lapsus$ Hunters cybercrime group. Krebs says Rey is 16-year-old Saif Al-Din Khader from Amman, Jordan. The teen reportedly admitted that he is Rey and claimed he is trying to retire from Scattered Lapsus$ Hunters while also collaborating with law enforcement in Europe, but Krebs was unable to verify those claims.
TP-Link sues Netgear over false China link claims
TP-Link has filed a lawsuit against Netgear in Delaware, accusing it of defamatory claims as part of a smear campaign falsely claiming that TP-Link has ties to the Chinese government. Underlining that it is incorporated and headquartered in California, TP-Link claims that Netgear’s campaign is creating an unfair advantage in the marketplace and that the false assertions violate federal and state laws.
Comcast agrees to $1.5 million fine over vendor data breach
Telecommunications provider Comcast has agreed (PDF) to pay a $1.5 million fine to settle an FCC investigation into a data breach at one of its third-party services providers. The incident occurred in February 2024 and involved debt collection agency Financial Business and Consumer Solutions (FBCS). Roughly 238,000 Comcast customers were impacted.
High-severity Firefox vulnerability
Aisle has published technical details on CVE-2025-13016, a high-severity vulnerability in Firefox’s WebAssembly engine that could lead to remote code execution. The vulnerable code was added to the browser in April 2025 alongside its own regression test, but remained unnoticed until October. It was patched in Firefox 145. “The vulnerable code passed code review, included a test specifically designed to exercise the same code path, and shipped in multiple Firefox releases,” Aisle notes.
Gainsight says only a handful of customers affected by Salesforce attack
The investigation into the attack that disrupted Gainsight-Salesforce integrations last week continues, but Gainsight continues to downplay the impact from the incident. After the company said last week that only three organizations were impacted by the data breach, its CEO said on Tuesday that only “a handful of customers” had their data compromised. Google, on the other hand, told the media that roughly 200 Salesforce instances might have been affected.
ShadowV2 IoT botnet active during AWS outage
ShadowV2, a Mirai-based botnet ensnaring vulnerable IoT devices, mainly routers, was seen active at the end of October, during a massive AWS outage that affected organizations in multiple countries worldwide. “So far, the malware appears to have only been active during the time of the large-scale AWS outage. We believe this activity was likely a test run conducted in preparation for future attacks,” Fortinet says. In September, Darktrace revealed that ShadowV2 was targeting Docker daemons running on internet-accessible AWS cloud instances.
Bloody Wolf APT expands operations across Central Asia
The Bloody Wolf APT is impersonating government agencies, mainly ministries of justice, in fresh attacks against entities in a broader set of countries in Central Asia, Group-IB reports. Relying on spear-phishing, the hacking group was seen deploying the STRRAT malware and the legitimate remote administration tool NetSupport. Historically, it has been targeting entities in Kazakhstan and Russia, but recently expanded to Kyrgyzstan and Uzbekistan.
Related: In Other News: ATM Jackpotting, WhatsApp-NSO Lawsuit Continues, CISA Hiring
Related: In Other News: Deepwatch Layoffs, macOS Vulnerability, Amazon AI Bug Bounty
