SparTech Software CyberPulse – Your quick strike cyber update for November 24, 2025 4:05 PM

Mass Router Hijacking Campaign Targets 50,000+ ASUS Devices

In November 2025, researchers uncovered a global campaign dubbed “Operation WrtHug” that hijacked more than 50,000 ASUS routers running outdated firmware. The infections were concentrated in Southeast Asia, North America, and parts of Europe, and they threaten both home users and enterprises that still rely on end-of-life hardware.

Tactics and Scope of Operation WrtHug

The WrtHug operators exploited firmware vulnerabilities in older ASUS router models that no longer receive security updates. By combining unchanged default credentials with unpatched critical flaws, they gained persistent remote access and enrolled each compromised device in a large distributed botnet.

Technical Breakdown

The attackers ran automated scanners across IP address ranges looking for router web administration interfaces exposed to the internet. Once a candidate was found, brute-force and credential-stuffing attempts against the login page, or exploitation of a known firmware flaw, yielded access and allowed customized malware to be installed. The deployed payloads provided:

  • Remote code execution on the router's firmware
  • Peer-to-peer communication between infected routers
  • Redirection of network traffic, enabling man-in-the-middle attacks and command-and-control (C2) communication
  • Persistence across reboots and, according to the report, firmware reset events

Potential Impact and Mitigation

A botnet of this size and geographic spread gives the operators the capacity for coordinated DDoS attacks, distributed proxying to anonymize other intrusions, and interception of user traffic. The incident underscores the risk of keeping unsupported or unpatched network devices in service, and the need for continuous monitoring, prompt firmware updates, network segmentation, and replacement of end-of-life hardware. At a minimum, administrators should confirm that WAN-side remote administration is disabled and that the factory login credentials have been changed, since those two conditions are what the scanners described above look for.
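The following is an added example, not code from the article or from any ASUS or WrtHug tooling. It shows the defender's version of the credential check the campaign relied on: probe a router's admin login with a short list of factory credentials to confirm your own device rejects them. It assumes the admin interface uses HTTP Basic authentication; the credential list, the mock router, and its loopback port are constructed for the demo and are not real ASUS behaviour.

```python
"""Added example: audit a router admin login for factory credentials.

Only run probe_basic_auth() against devices you own or are authorised to
test. The mock router below is a constructed stand-in for a device whose
admin interface still accepts a default password.
"""
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed list of factory credential pairs; real campaigns use far longer lists.
DEFAULT_CREDS = [
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "1234"),
    ("root", "root"),
]


def probe_basic_auth(base_url, creds, timeout=3):
    """Return the first (user, password) pair the admin page accepts, else None.

    Assumes HTTP Basic auth on the root page; 401/403 means 'rejected',
    any other HTTP error is re-raised so the caller sees it.
    """
    for user, pw in creds:
        token = base64.b64encode(f"{user}:{pw}".encode()).decode()
        req = Request(base_url + "/", headers={"Authorization": "Basic " + token})
        try:
            with urlopen(req, timeout=timeout) as resp:
                if resp.status == 200:
                    return (user, pw)
        except HTTPError as err:
            if err.code in (401, 403):
                continue
            raise
    return None


class _MockRouter(BaseHTTPRequestHandler):
    """Constructed mock of an admin interface that still has admin:1234 set."""

    ACCEPTED = "Basic " + base64.b64encode(b"admin:1234").decode()

    def do_GET(self):
        if self.headers.get("Authorization") == self.ACCEPTED:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"<html>Router administration</html>")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="router"')
            self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_mock_router():
    """Start the mock on a random loopback port and return its base URL."""
    srv = HTTPServer(("127.0.0.1", 0), _MockRouter)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_address[1]}"


def audit_demo():
    """Probe the constructed mock; returns the accepted pair, here ('admin', '1234')."""
    return probe_basic_auth(start_mock_router(), DEFAULT_CREDS)


if __name__ == "__main__":
    hit = audit_demo()
    print("factory credentials accepted:" if hit else "no default credentials accepted", hit)
```

Point probe_basic_auth() at a real device's LAN-side admin URL with the device owner's consent; a non-None result means the router would fall to the first stage of a WrtHug-style scan regardless of any firmware flaw.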

Critical Vulnerability in 7-Zip Archiving Software Raises Global Security Concerns

In late November 2025, security researchers and national authorities warned of a critical remote code execution (RCE) vulnerability in 7-Zip, the widely used open-source file archiver. Because 7-Zip is a staple tool for compression and decompression on enterprise, government, and home computers, the flaw puts a very large installed base at risk.

Technical Details of the Exploit

The vulnerability lies in the handling of specially crafted archive files. An attacker can build a malicious archive that, when opened or extracted, executes arbitrary code with the privileges of the user running 7-Zip: no privilege escalation is involved, but everything that user can reach is exposed. Testing showed the flaw is reachable through both the graphical interface and the command-line tool, so scripted and server-side extraction is affected as well as interactive use.

Attack Vectors and Exploitation Scenarios

  • Phishing campaigns distributing booby-trapped files via email or messaging platforms
  • Embedding malicious archives in downloadable software bundles
  • Automated file-processing pipelines (mail gateways, upload handlers, build systems) that unpack untrusted archives without any user interaction, where a single malicious upload is enough

Mitigation Strategy

Security agencies have urged organizations to update 7-Zip immediately, or to temporarily remove it from critical systems where updating is not possible. Administrators should hunt for exploitation indicators, scan inbound archives for suspicious entries before extraction, and run archiving utilities with the least privilege feasible, since the payload executes as whatever user opens the file.
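The following is an added example, not code from the article or from the 7-Zip project. The article does not give the flaw's internals, so this is a generic pre-extraction scanner for ZIP archives: it flags the entry types that crafted archives commonly rely on (path traversal, absolute paths, and symbolic-link entries) before any extractor touches them. The two sample archives are constructed in memory, and the entry names in them are illustrative.

```python
"""Added example: scan a ZIP archive for suspicious entries before extraction.

This is a generic check for archive-handling abuse, not a signature for
the specific 7-Zip vulnerability discussed in the article.
"""
import io
import stat
import zipfile


def entry_findings(info):
    """Return the reasons a ZipInfo entry is suspicious (empty list if clean)."""
    reasons = []
    name = info.filename.replace("\\", "/")
    # Absolute POSIX path or a Windows drive-letter path.
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        reasons.append("absolute path")
    # Any '..' component can escape the extraction directory.
    if ".." in name.split("/"):
        reasons.append("path traversal")
    # Unix mode bits live in the high 16 bits of external_attr; a symlink
    # entry can redirect later writes outside the extraction directory.
    if stat.S_ISLNK(info.external_attr >> 16):
        reasons.append("symbolic link")
    return reasons


def scan_zip(data):
    """Scan raw ZIP bytes; returns {entry_name: [reasons]} for suspicious entries only."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = entry_findings(info)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample(malicious):
    """Constructed sample archive: clean, or with traversal and symlink entries added."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        if malicious:
            # Hypothetical traversal entry aimed at a writable public folder.
            zf.writestr("../../Users/Public/evil.exe", "MZ...")
            # Symlink entry: mode bits mark it as a link, the body is the target.
            link = zipfile.ZipInfo("link_to_startup")
            link.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(link, "../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup")
    return buf.getvalue()


if __name__ == "__main__":
    print("clean archive:", scan_zip(build_sample(False)))
    print("crafted archive:", scan_zip(build_sample(True)))
```

Run scan_zip() on the raw bytes of any archive arriving through mail or upload and quarantine anything with findings; the same three checks translate directly to 7z, tar, and RAR listings if you parse those formats with their respective libraries.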

New Android Trojan “Sturnus” Defeats End-to-End Encryption Protections

November 2025 also saw the discovery of Sturnus, a sophisticated Android trojan that captures messages from major secure messaging applications despite their end-to-end encryption. It does not break the cryptography; it reads message content on the compromised device, where the content necessarily exists in plaintext. Its design shows a higher level of technical complexity than most previously observed Android malware campaigns.

Capabilities and Infection Mechanism

Sturnus spreads via malicious APK files that mimic legitimate applications. Once the user grants it accessibility permission, the trojan reads message content from the screen as it is typed (before encryption) and as it is displayed (after decryption), nullifying the protection that app-level cryptography provides against interception in transit.

Technical Methods

  • Abuse of Android’s Accessibility Service API to surveil app user interfaces in real time
  • Keylogging and exfiltration of chat messages, contact lists, and authentication tokens
  • Dynamic code loading and the use of side-loaded payloads to evade static security analysis

Risk Implications

The Sturnus campaign demonstrates the limits of app-level end-to-end encryption once the endpoint itself is compromised. Threat intelligence experts recommend user awareness training, avoiding installation of apps from untrusted sources, and regular auditing of which apps hold accessibility permissions, since that single permission is what gives this family its reach.
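The following is an added example, not code from the article or from any vendor tool. It performs the accessibility-permission audit recommended above: the list of enabled accessibility services is read from the device and every service outside an allowlist is reported. It assumes the value comes from `adb shell settings get secure enabled_accessibility_services`, which returns a colon-separated list of `package/service` names (or `null` when none are enabled); the allowlist and the sample setting value below are constructed, and the flagged package name is hypothetical.

```python
"""Added example: flag unexpected Android accessibility services.

Sturnus-style trojans need the accessibility permission to read other
apps' screens, so an enabled service you did not install is a red flag.
"""
import subprocess

# Constructed allowlist: packages whose accessibility services you expect.
ALLOWLIST = {"com.google.android.marvin.talkback"}


def parse_services(setting_value):
    """Split the raw setting value into 'package/service' entries."""
    value = setting_value.strip()
    if not value or value == "null":
        return []
    return [entry for entry in value.split(":") if entry]


def audit(setting_value, allowlist=ALLOWLIST):
    """Return (package, service) for each enabled service not in the allowlist."""
    flagged = []
    for entry in parse_services(setting_value):
        package, _, service = entry.partition("/")
        if package not in allowlist:
            flagged.append((package, service))
    return flagged


def read_from_device(allowlist=ALLOWLIST):
    """Pull the setting over adb from the attached device and audit it."""
    result = subprocess.run(
        ["adb", "shell", "settings", "get", "secure", "enabled_accessibility_services"],
        capture_output=True, text=True, check=True,
    )
    return audit(result.stdout, allowlist)


# Constructed sample: a trusted screen reader plus a hypothetical unknown service.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.android.update.helper/.CoreService"
)

if __name__ == "__main__":
    for package, service in audit(SAMPLE_SETTING):
        print(f"unexpected accessibility service: {package} ({service})")
```

On a real device, follow a hit with `adb shell pm path <package>` and `pm dump` to see where the APK came from; a service whose package was side-loaded rather than installed from a store matches the infection path described above.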

DoorDash Breach Exposes Customer and Merchant Data in Multi-Nation Attack

DoorDash, a leading food delivery platform, disclosed in November 2025 that an attacker had gained unauthorized access to its systems and exposed data belonging to millions of customers, delivery contractors, and partner merchants. The exposure spanned the United States, Canada, Australia, and New Zealand, and marks the company's third major incident since 2019.

Breach Dynamics and Root Cause

On October 25, 2025, a DoorDash employee fell for a social engineering scam that harvested valid credentials, which the attacker then used to reach internal systems. DoorDash security revoked the access, engaged an external forensics firm, and began breach notifications on November 13.

Exposed Data and Severity

  • Customer, delivery worker, and merchant names
  • Email addresses and phone numbers
  • Home and business physical addresses

According to internal and independent investigators, payment data, Social Security numbers, driver’s license information, and government-issued IDs were not compromised. DoorDash’s prior significant breaches occurred in 2019 and 2022, elevating ongoing scrutiny of its security posture.

Regulatory and Security Implications

The breach heightened regulatory attention to customer data management and prompted renewed advocacy for multi-factor authentication, advanced phishing-resistant controls, and more robust incident response standards for large digital service providers.

Cl0p Ransomware Gang Launches Oracle E-Business Suite Campaign Targeting Dozens of Institutions

In November 2025, the Cl0p ransomware group publicized attacks targeting Oracle E-Business Suite (EBS) customers, naming nearly 30 high-profile organizations across journalism, academia, manufacturing, and enterprise sectors. Notable victims included The Washington Post, Logitech, Harvard University, Cox Enterprises, and Pan American Silver.

Vulnerability Exploited: CVE-2025-61882

Attackers exploited CVE-2025-61882, an unauthenticated remote code execution flaw affecting Oracle EBS versions 12.2.3 through 12.2.14. Because it is reachable over the network without credentials, a single request chain gives full control of the application host, which Cl0p used for mass data exfiltration.

Scope of the Incident

Based on victim notifications and Cl0p's own disclosures, nearly 10,000 Oracle EBS customers worldwide may have had data exposed. Technical reporting describes an exploitation chain in which the initial RCE was followed by deployment of offensive security tooling for lateral movement and rapid extraction of sensitive business data ahead of the ransomware and extortion phase.

Response Recommendations

  • Immediate patching of affected Oracle EBS installations
  • Comprehensive review of cross-domain trust relationships and service account permissions
  • Rapid deployment of incident response playbooks and ransomware-specific mitigations

Insider Threats: Cybersecurity Professionals Indicted for Ransomware Attacks While Employed by Security Firms

An indictment unsealed in November 2025 revealed that three cybersecurity professionals, employed as incident response specialists and ransomware negotiators, ran their own ransomware campaigns against at least five victim organizations, including medical device manufacturers and pharmaceutical firms.

Case Details and Modus Operandi

According to the Department of Justice, the accused (including an incident response manager at Sygnia and a negotiator at DigitalMint) abused the trust and access that came with their roles to deploy ransomware for personal gain. In the documented cases they played both sides: acting as trusted advisors to victims while negotiating ransoms for attacks they had launched themselves.

Legal and Security Ramifications

These indictments highlight the profound risk of insider threats within security organizations and present new challenges for vetting and monitoring high-trust personnel. The incidents are expected to drive reforms in background checks, role-based access controls, and continuous auditing of personnel involved in sensitive cyber incident management.
