End-of-Day report
Timeframe: Friday 28-11-2025 18:00 - Monday 01-12-2025 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler
News
Arkanix Stealer: Newly discovered short term profit malware
Recently, we stumbled upon a new stealer named Arkanix. This stealer possibly belongs to the short-lived category of stealers which aim for short-term quick financial gains.
https://feeds.feedblitz.com/~/930747470/0/gdatasecurityblog-en~Arkanix-Stealer-Newly-discovered-short-term-profit-malware
Up to 16 years old: tens of thousands of valid credentials leaked on GitLab
A researcher scanned all public GitLab repositories for credentials. He found more than 17,000, but received only a rather meagre reward.
https://www.golem.de/news/bis-zu-16-jahre-alt-zehntausende-gueltige-zugangsdaten-bei-gitlab-entdeckt-2512-202779.html
North Korean Hackers Deploy 197 npm Packages to Spread Updated OtterCookie Malware
The North Korean threat actors behind the Contagious Interview campaign have continued to flood the npm registry with 197 more malicious packages since last month.
https://thehackernews.com/2025/11/north-korean-hackers-deploy-197-npm.html
New Albiriox MaaS Malware Targets 400+ Apps for On-Device Fraud and Screen Control
A new Android malware named Albiriox has been advertised under a malware-as-a-service (MaaS) model to offer a "full spectrum" of features to facilitate on-device fraud (ODF), screen manipulation, and real-time interaction with infected devices.
https://thehackernews.com/2025/12/new-albiriox-maas-malware-targets-400.html
Google and Apple ordered to stop fake government TXTs
Singapore's government last week told Google and Apple to prevent fake government messages.
https://go.theregister.com/feed/www.theregister.com/2025/12/01/asia_tech_news_roundup/
The WIRED Guide to Digital Opsec for Teens
Practicing good "operations security" is essential to staying safe online. Here's a complete guide for teenagers (and anyone else) who want to button up their digital lives.
https://www.wired.com/story/digital-opsec-for-teens/
how i found a europa.eu compromise (thanks to cricket)
While looking for a way to stream the India vs Pakistan cricket match on 14th September 2025, I stumbled across a suspicious search result on a europa.eu dev subdomain. It was being abused for blackhat SEO and redirecting users to scam streaming sites. I traced similar behavior across other high-profile domains, reported the issue to CERT-EU via email (after some Twitter help) and the problem was later confirmed as fixed on 6th November 2025. This post walks through how I found it, how I reported it and what we can learn from it.
https://blog.himanshuanand.com/2025/11/how-i-found-a-europa.eu-compromise-thanks-to-cricket/
South Korea: data on two thirds of the population siphoned from online retailer
An employee who no longer works at Coupang is alleged to have siphoned data on the entire customer base of South Korea's largest online retailer.
https://www.heise.de/news/Suedkorea-Bei-Onlinehaendler-Daten-zu-zwei-Dritteln-der-Bevoelkerung-abgegriffen-11097841.html
Webinar: Using smartphones, tablets & co. securely
How can I protect my personal data on my smartphone, tablet & co.? How do I recognise viruses and Trojans on my device - and what do I do then? In this webinar we show you the most important security settings - from permissions and privacy to screen-time limits.
https://www.watchlist-internet.at/news/webinar-smartphone-tablet-co-sicher-nutzen-6/
Football shirts at bargain prices? These fake shops only score own goals
Footballers, beware! Fake shops offering cheap jerseys are currently everywhere.
https://www.watchlist-internet.at/news/fussballtrikots-zum-schnaeppchenpreis-bei-diesen-fake-shops-gibt-es-nur-eigentore/
Awareness for web security: the OWASP Top Ten 2025
The first release candidate of the new OWASP Top Ten reveals the biggest security risks in web development - from configuration to software supply chain.
https://heise.de/-11098119
India Enforces Mandatory SIM-Binding for Messaging Apps Under New DoT Rules
India's Department of Telecommunications (DoT) has introduced a shift in the way messaging platforms operate in the country, mandating the adoption of SIM-binding as a core security requirement. Under the Telecommunication Cybersecurity Amendment Rules, 2025, all major messaging services, including Telegram, and regional platforms such as Arattai, must ensure that their applications remain continuously linked to an active SIM card on the user's device.
https://thecyberexpress.com/sim-binding-dot-rule/
Vulnerabilities
VU#633103: Insufficient Session Cookie Invalidation in nopCommerce ASP.NET Core eCommerce Platform
nopCommerce, an ecommerce platform, fails to invalidate session cookies upon user logout or session termination, enabling attackers who have captured a cookie to use it to gain access to the application. Versions 4.70 and later, with the exception of 4.80.3, fix the vulnerability tracked as CVE-2025-11699. Users on version 4.80.3, or on any version of nopCommerce prior to 4.70, should update to the latest version, 4.90.3, as soon as possible.
https://kb.cert.org/vuls/id/633103
CISA Adds Actively Exploited XSS Bug CVE-2021-26829 in OpenPLC ScadaBR to KEV
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog to include a security flaw impacting OpenPLC ScadaBR, citing evidence of active exploitation.
https://thehackernews.com/2025/11/cisa-adds-actively-exploited-xss-bug.html
Security updates for Monday
Security updates have been issued by AlmaLinux (bind9.18, cups, gimp, ipa, kernel, libssh, mingw-expat, openssl, pcs, sssd, tigervnc, and valkey), Debian (gnome-shell-extension-gsconnect, mistral-dashboard, pagure, python-mistralclient, pytorch, qtbase-opensource-src, sogo, tryton-server, and unbound), Fedora (cef, drupal7, glib2, linux-firmware, migrate, pack, pgadmin4, rnp, and unbound), Slackware (libxslt), SUSE (cpp-httplib, curl, glib2, grub2, kernel, libcoap-devel, libcryptopp, libwireshark19, postgresql15, and postgresql17), and Ubuntu (edk2).
https://lwn.net/Articles/1048817/
Security update: crafted XML files can bring GeoServer down
If attackers successfully exploit vulnerabilities in GeoServer, they can, among other things, execute malicious code. The developers have now fixed the security problems in current versions.
https://heise.de/-11097923
Microsoft Entra ID blocks external third-party scripts
A small addendum from last week that may affect administrators in enterprise environments. Microsoft wants to improve the security of Microsoft Entra ID authentication. To that end, external script injections are to be blocked, as a developer explained in a post on the Microsoft Entra blog.
https://www.borncity.com/blog/2025/12/01/microsoft-entra-id-blockt-externe-fremd-scripte/