00:00:00 - 00:00:03
[MUSIC PLAYING]
00:00:03 - 00:00:07
Welcome to The Deep Dive.
00:00:07 - 00:00:09
Today, we have a very clear mission.
00:00:09 - 00:00:12
We're doing a rapid extraction of the critical intelligence
00:00:12 - 00:00:14
from the BYER-Nichols Threat brief,
00:00:14 - 00:00:16
for the first half of November 2025.
00:00:16 - 00:00:17
Right.
00:00:17 - 00:00:18
It's a snapshot of the cyber battlefield
00:00:18 - 00:00:20
as it is right now.
00:00:20 - 00:00:22
And our goal is to make sure you walk away
00:00:22 - 00:00:25
with the most important strategic nuggets.
00:00:25 - 00:00:28
And that urgency really starts with two developments
00:00:28 - 00:00:30
the brief flags immediately.
00:00:30 - 00:00:32
First, we have discovery.
00:00:32 - 00:00:33
And this is the key part.
00:00:33 - 00:00:38
The active exploitation of zero-click vulnerabilities
00:00:38 - 00:00:39
on Samsung mobile devices.
00:00:39 - 00:00:40
Zero-click.
00:00:40 - 00:00:42
That's always the maximum severity issue.
00:00:42 - 00:00:44
If the user doesn't have to do anything, it's a nightmare.
00:00:44 - 00:00:47
It is the ultimate nightmare scenario.
00:00:47 - 00:00:49
And the second thing is just about the economics of all this.
00:00:49 - 00:00:52
Established ransomware groups, like Akira,
00:00:52 - 00:00:56
are now believed to have earned over $244 million.
00:00:56 - 00:00:57
That number is just staggering.
00:00:57 - 00:00:59
And the whole economy is evolving.
00:00:59 - 00:01:01
You have newcomers like Kuzu, who are just focusing on data
00:01:01 - 00:01:02
theft.
00:01:02 - 00:01:04
They don't even bother with encryption anymore.
00:01:04 - 00:01:07
A quarter of a billion dollars from just one group.
00:01:07 - 00:01:10
That really frames the stakes.
00:01:10 - 00:01:11
OK, let's unpack this.
00:01:11 - 00:01:13
And let's start where the brief does,
00:01:13 - 00:01:16
with the threats that require you to do absolutely nothing.
00:01:16 - 00:01:20
The zero-click threat is frankly terrifying.
00:01:20 - 00:01:25
We're talking about a specific flaw, CVE-2025-21042,
00:01:25 - 00:01:27
in Samsung devices.
00:01:27 - 00:01:29
And it's not theoretical.
00:01:29 - 00:01:32
It's being used right now by a new spyware called Landfall.
00:01:32 - 00:01:34
And the delivery mechanism is so important here.
00:01:34 - 00:01:36
It isn't a phishing link or some sketchy text message.
00:01:36 - 00:01:37
Exactly.
00:01:37 - 00:01:41
Landfall comes in through malicious DNG image files.
00:01:41 - 00:01:43
DNG is a raw image format, a digital negative.
00:01:43 - 00:01:46
So your phone's gallery app just processes it
00:01:46 - 00:01:48
in the background to create a thumbnail?
00:01:48 - 00:01:48
Precisely.
00:01:48 - 00:01:50
You never even have to open the file.
00:01:50 - 00:01:52
The moment your phone processes that image, the exploit
00:01:52 - 00:01:53
fires.
00:01:53 - 00:01:56
It is a seamless zero-click win for the attacker.
00:01:56 - 00:01:58
That is the very definition of insidious.
00:01:58 - 00:02:00
And this is where the brief gets really interesting,
00:02:00 - 00:02:01
because it's not just about the exploit.
00:02:01 - 00:02:04
It's about how attackers are using AI, large language
00:02:04 - 00:02:05
models to get smarter.
00:02:05 - 00:02:08
It's a quantum leap in evasion.
00:02:08 - 00:02:12
We're seeing AI baked right into the malware's core.
00:02:12 - 00:02:14
Take PromptFlux, for example.
00:02:14 - 00:02:16
This thing uses Google's Gemini chatbot--
00:02:16 - 00:02:17
To do what?
00:02:17 - 00:02:21
To continuously rewrite its own code signature.
00:02:21 - 00:02:21
Wait, hold on.
00:02:21 - 00:02:25
You're saying the malware is asking an AI
00:02:25 - 00:02:27
to give it a new disguise every few minutes?
00:02:27 - 00:02:29
Essentially, yes.
00:02:29 - 00:02:31
It's advanced polymorphism.
00:02:31 - 00:02:33
So if your detection tools are looking for a specific file
00:02:33 - 00:02:36
hash or a string of code, PromptFlux just
00:02:36 - 00:02:37
makes that obsolete instantly.
00:02:37 - 00:02:39
It's a perpetually moving target.
00:02:39 - 00:02:42
And the LLMs are also making the attack itself more
00:02:42 - 00:02:44
efficient, not just harder to catch.
00:02:44 - 00:02:44
Exactly.
00:02:44 - 00:02:46
That's what we see with PromptSteal.
00:02:46 - 00:02:48
This one uses language models from places like Hugging
00:02:48 - 00:02:51
Face to generate short, tailored Windows commands
00:02:51 - 00:02:51
on the fly.
00:02:51 - 00:02:53
So it automates the reconnaissance.
00:02:53 - 00:02:54
It does.
00:02:54 - 00:02:55
It cuts down the time the attacker needs
00:02:55 - 00:02:57
to spend manually scripting things.
00:02:57 - 00:03:00
But the third one, SesameOp, might be the most chilling.
00:03:00 - 00:03:03
Because it uses a commercial API for its communication.
00:03:03 - 00:03:05
That's the critical insight.
00:03:05 - 00:03:06
It's a backdoor.
00:03:06 - 00:03:08
And its command and control channel isn't some shady IP
00:03:08 - 00:03:09
address you can just block.
00:03:09 - 00:03:12
It's the actual OpenAI Assistants API.
00:03:12 - 00:03:14
So the malicious traffic is hidden inside what
00:03:14 - 00:03:18
looks like perfectly normal, legitimate, encrypted API
00:03:18 - 00:03:19
calls to OpenAI.
00:03:19 - 00:03:20
You got it.
00:03:21 - 00:03:23
We're going to have to circle back to what that implies
00:03:23 - 00:03:23
for defense later.
00:03:23 - 00:03:25
We absolutely must.
00:03:25 - 00:03:28
And before we move on, we have to mention the supply chain.
00:03:28 - 00:03:30
The brief highlights a big attack
00:03:30 - 00:03:31
on the Open VSX marketplace.
00:03:31 - 00:03:33
For Visual Studio Code extensions,
00:03:33 - 00:03:35
that's a massive surface.
00:03:35 - 00:03:37
Millions of developers use those.
00:03:37 - 00:03:38
A huge surface.
00:03:38 - 00:03:41
They found two strains, GlassWorm and SleepyDuck,
00:03:41 - 00:03:44
spreading through extensions to steal credentials.
00:03:44 - 00:03:48
It was so bad, Open VSX had to rotate all of its access tokens.
00:03:48 - 00:03:51
It just shows that the tools you trust every day
00:03:51 - 00:03:52
are now part of the perimeter.
00:03:52 - 00:03:55
OK, let's shift from the tech to the economy of the crime.
00:03:55 - 00:04:00
That $244 million figure for Akira is just... so who's
00:04:00 - 00:04:02
on top of the ransomware leaderboard right now?
00:04:02 - 00:04:04
Well, the ecosystem is always competitive,
00:04:04 - 00:04:06
but Qilin is holding the top spot.
00:04:06 - 00:04:10
They account for about 14.24% of victims in this period.
00:04:10 - 00:04:13
Akira is right behind them at 11.34%.
00:04:13 - 00:04:15
And what about that newcomer you mentioned, Kazoo?
00:04:15 - 00:04:16
They're the interesting one.
00:04:16 - 00:04:20
Kazoo is the disruptor in third place with 10.17%.
00:04:20 - 00:04:22
And they represent that trend.
00:04:22 - 00:04:24
They skip encryption entirely.
00:04:24 - 00:04:25
Just data theft and extortion.
00:04:25 - 00:04:26
Right.
00:04:26 - 00:04:27
It simplifies their whole operation,
00:04:27 - 00:04:29
makes them faster, more scalable.
00:04:29 - 00:04:33
And Inc Ransom and Cl0p are still very active right below them.
00:04:33 - 00:04:35
So who are they hitting?
00:04:35 - 00:04:38
You hear these numbers, and you assume it's giant corporations.
00:04:38 - 00:04:40
But the brief tells a very different story.
00:04:40 - 00:04:41
It really does.
00:04:41 - 00:04:43
The data is so consistent here.
00:04:43 - 00:04:47
Small businesses, organizations with 500 or fewer employees,
00:04:47 - 00:04:49
are the primary target.
00:04:49 - 00:04:49
By how much?
00:04:49 - 00:04:54
A staggering 70.03% of all victims.
00:04:54 - 00:04:56
The story just doesn't change.
00:04:56 - 00:04:59
They don't have the big security teams, the resources,
00:04:59 - 00:05:01
to fight these organized criminal groups.
00:05:01 - 00:05:02
And what about the sectors?
00:05:02 - 00:05:05
Are we seeing any shifts in who's getting hit the hardest?
00:05:05 - 00:05:05
We are.
00:05:05 - 00:05:08
Manufacturing is still number one at about 20%.
00:05:08 - 00:05:11
But the fascinating change is the technology sector.
00:05:11 - 00:05:13
It jumped from fifth place all the way up to second.
00:05:13 - 00:05:15
Yeah, now at 11.34%.
00:05:15 - 00:05:20
It shows attackers are realizing the value of IP and data from tech companies
00:05:20 - 00:05:21
themselves.
00:05:21 - 00:05:24
Financial services and construction got nudged down a bit.
00:05:24 - 00:05:28
And geographically, I assume the US is still the main target?
00:05:28 - 00:05:31
By a huge margin, almost 48%.
00:05:31 - 00:05:34
But the key thing to note is the global expansion.
00:05:34 - 00:05:37
We saw new entries on the list this time, Mexico, the UK, Austria.
00:05:37 - 00:05:41
It confirms this is a multinational, easily-exported criminal business model.
00:05:41 - 00:05:46
That focus on tech and the global spread really underlines the organization here.
00:05:46 - 00:05:50
Okay, let's pivot from profit-driven crime to state-level threats.
00:05:50 - 00:05:55
The brief highlights a few trending adversaries, and the common thread seems to be nation-state
00:05:55 - 00:05:56
alignment.
00:05:56 - 00:06:02
And when the motive shifts from profit to sabotage, the threat profile changes completely.
00:06:02 - 00:06:05
The brief calls out Sandworm as the most concerning adversary in this space.
00:06:05 - 00:06:08
And that's because they specialize in destructive attacks, wipers.
00:06:08 - 00:06:09
Exactly.
00:06:09 - 00:06:13
And targeting critical infrastructure, especially in Ukraine, their goal isn't money.
00:06:13 - 00:06:16
It's operational disruption, pure damage.
00:06:16 - 00:06:20
And the evasion tactics these state-sponsored groups use are getting really esoteric.
00:06:20 - 00:06:23
Tell us about the Russian-aligned group, Curly Comrades.
00:06:23 - 00:06:25
They're using virtualization.
00:06:25 - 00:06:28
This is an extremely sophisticated technique.
00:06:28 - 00:06:34
They use Microsoft's Hyper-V to run a whole Linux virtual machine inside the victim's
00:06:34 - 00:06:35
Windows machine.
00:06:36 - 00:06:37
Why go to all that trouble?
00:06:37 - 00:06:39
It's an elaborate hiding trick.
00:06:39 - 00:06:44
It's designed specifically to beat endpoint detection and response tools, EDR.
00:06:44 - 00:06:47
Because the EDR is watching the main Windows operating system?
00:06:47 - 00:06:48
Right.
00:06:48 - 00:06:50
But it's not looking deep inside the VM that's running within it.
00:06:50 - 00:06:55
The attackers are basically partitioning their activity away from where the security tools
00:06:55 - 00:06:56
are looking.
00:06:56 - 00:07:00
So the EDR just sees Hyper-V running, which is a legitimate process, but it misses the
00:07:00 - 00:07:02
actual malware running inside that virtual bubble.
00:07:02 - 00:07:03
Precisely.
00:07:03 - 00:07:05
Hiding in plain sight.
00:07:05 - 00:07:12
We're also, of course, tracking other major groups like APT37, TIC and UAC-0099, all
00:07:12 - 00:07:14
using advanced espionage tools.
00:07:14 - 00:07:18
So if the attackers are that sophisticated, what are the basic flaws they're using to
00:07:18 - 00:07:19
get in?
00:07:19 - 00:07:21
What are the actual front doors they're walking through?
00:07:21 - 00:07:27
The common thread for all the actively exploited CVEs in the brief is pretty clear.
00:07:27 - 00:07:33
They're flaws that allow for unauthenticated remote code execution, RCE, or privilege escalation.
00:07:33 - 00:07:36
Meaning they get full control without needing a password.
00:07:36 - 00:07:37
It's the keys to the kingdom.
00:07:37 - 00:07:38
The highest payoff you can get.
00:07:38 - 00:07:41
And the list of vulnerable products is all over the place.
00:07:41 - 00:07:44
It's hitting everything from the network edge to the core OS.
00:07:44 - 00:07:45
It is.
00:07:45 - 00:07:46
It's a huge attack surface.
00:07:46 - 00:07:50
We're seeing exploits against enterprise software like Gladinet Triofox.
00:07:50 - 00:07:52
There are two severe RCEs there.
00:07:52 - 00:07:57
CVE-2025-12480 and CVE-2025-11371.
00:07:57 - 00:07:59
Fortinet's FortiWeb is also getting hit hard.
00:07:59 - 00:08:00
And then you have the perimeter devices.
00:08:01 - 00:08:05
Firebox, ASUS DSL routers, all being actively exploited.
00:08:05 - 00:08:07
And of course, they're still going after the core.
00:08:07 - 00:08:13
The Microsoft Windows kernel itself, with vulnerabilities like CVE-2025-62215. It's a
00:08:13 - 00:08:14
full-stack problem.
00:08:14 - 00:08:16
Okay, so let's try to bring all these threads together.
00:08:16 - 00:08:21
We've got AI malware, nation-state sabotage, huge financial crime.
00:08:21 - 00:08:24
What does this all mean when we pull the lens back and look at the bigger picture?
00:08:24 - 00:08:27
Well, the top news items in the brief really provide that context.
00:08:27 - 00:08:31
You see these geopolitical tensions playing out directly.
00:08:31 - 00:08:36
The US Congressional Budget Office was hit by a suspected foreign cyber attack.
00:08:36 - 00:08:41
SonicWall is now publicly blaming state-sponsored hackers for a breach back in September.
00:08:41 - 00:08:43
And there's direct government action too.
00:08:43 - 00:08:44
Absolutely.
00:08:44 - 00:08:49
The US is putting sanctions on North Korean bankers who are tied directly to cybercrime and
00:08:49 - 00:08:51
those IT worker fraud schemes.
00:08:51 - 00:08:55
It shows that states are using this stuff as a tool of national power.
00:08:55 - 00:08:59
And the sheer amount of money we talked about at the top that's constantly making headlines,
00:08:59 - 00:09:02
gives context to a group like Akira's success.
00:09:02 - 00:09:03
It's a relentless cycle of crime.
00:09:03 - 00:09:10
You know, the Bitcoin queen was just sentenced to 11 years for a $7.3 billion scam.
00:09:10 - 00:09:13
Over $120 million was stolen from the Balancer DeFi protocol.
00:09:13 - 00:09:15
And law enforcement is trying to keep up.
00:09:15 - 00:09:16
They are.
00:09:16 - 00:09:21
We saw arrests in Europe for a 600 million euro crypto fraud ring.
00:09:21 - 00:09:26
And the US just announced a new strike force aimed specifically at Chinese crypto scammers.
00:09:26 - 00:09:30
The financial incentive is just astronomical and it fuels everything we've been talking about.
00:09:30 - 00:09:33
This has been an incredibly dense period.
00:09:33 - 00:09:35
So let's synthesize this.
00:09:35 - 00:09:39
What is the single main point you think our listeners should take away from all this?
00:09:39 - 00:09:43
The key takeaway is really about acceleration and convergence.
00:09:43 - 00:09:48
The threat landscape is moving so fast toward these highly evasive low-noise techniques.
00:09:48 - 00:09:52
The zero clicks, the AI malware, the stealth VMs.
00:09:52 - 00:09:53
Exactly.
00:09:53 - 00:10:00
And that acceleration is being driven by nation-state motives for sabotage and espionage.
00:10:00 - 00:10:02
But, and this is the convergence part...
00:10:02 - 00:10:07
The bulk of the economic damage, that 70%, is still landing squarely on small businesses.
00:10:07 - 00:10:10
Which brings us right back to that point about the SesameOp backdoor.
00:10:10 - 00:10:15
If malware is now using legitimate commercial APIs from Google and OpenAI to hide its command
00:10:15 - 00:10:19
and control traffic, we have to completely rethink our defenses.
00:10:20 - 00:10:23
So here's the question for you to mull over as you integrate this intelligence.
00:10:23 - 00:10:27
How long until our detection strategies have to shift from just blocking known bad traffic
00:10:27 - 00:10:32
to critically analyzing the intent behind what looks like perfectly benign API calls?
00:10:32 - 00:10:34
That is the new defensive frontier.
00:10:34 - 00:10:38
Until the next deep dive, stay safe.
00:10:38 - 00:10:41
Reach out to us at jbuyer.com for comments and questions.
00:10:41 - 00:10:44
Follow us at buyer company on social media.
00:10:44 - 00:10:46
And if you'd be so kind, please rate and review us in your podcast app.
00:10:46 - 00:10:48
[Music]