Help Net Security’s November 28 roundup highlighted two releases we should operationalize in IR: Action1’s Intune-integrated third-party patching with risk-based prioritization, and Synack’s agentic AI “Sara Pentest.” Used together, they tighten mean time to remediate across Windows/macOS/Linux and turn pentest output into triage signals you can act on during containment and eradication (Help Net Security, Nov 28, 2025).

Intrusion Flow

Unpatched third-party applications remain one of the most common footholds; CISA’s KEV catalog is the authoritative list of CVEs actively exploited in the wild and should drive emergency patching during an incident (CISA KEV overview). Typical flow we see:

Holiday IR Playbook: Web Skimming and Credential-Stuffing at Retail Scale

Retailers see elevated risk during Black Friday and Cyber Monday, with advisories emphasizing exposure management (fix misconfigurations, enforce MFA, patch web apps and infrastructure) and pre-staging detections for web skimming and credential-stuffing to shorten time-to-containment. (cybersecasia.net)

Intrusion Flow

• Client-side web skimming (Magecart-style)

  • Initial access: exploit public-facing apps/CMS, stolen admin creds, or supply-chain injection to place malicious JavaScript. (trustwave.com)
  • Data capture: injected script hooks payment/checkout DOM, validates card data (e.g., Luhn), and encodes exfil (often Base64). (trustwave.com)
  • Exfiltration: outbound beacons via XHR/WebSocket/IMG requests, sometimes disguised as analytics or image loads. (akamai.com)
  • Server-side variants: malware persists in templates/filesystems or databases; data is staged and periodically exfiltrated to reduce noise. (sansec.io)

• Credential-stuffing → ATO (account takeover)

CERT-FR issued a bulletin on November 27, 2025 describing an active supply-chain campaign against npm packages that began on November 23, 2025, has affected 700+ packages, executes via a preinstall script to harvest secrets, self-propagate, and in some cases destroy user data; they advise hunting for bun_environment.js, auditing installed versions, temporarily freezing updates, and rotating exposed secrets. (cert.ssi.gouv.fr)

Intrusion Flow

• Initial execution (developer laptop or CI): Compromised npm package versions add a package.json preinstall that runs setup_bun.js, which installs or locates the Bun runtime and launches a large payload bun_environment.js. (wiz.io)
• Credential theft and exfiltration: The payload enumerates environment variables and config files and invokes TruffleHog to capture credentials, then exfiltrates to attacker-created GitHub repositories often labeled with Shai-Hulud-themed descriptions; cross-victim exfiltration has been observed. (cert.ssi.gouv.fr)
• Persistence and remote control: The malware registers a self-hosted runner named “SHA1HULUD” and drops a .github/workflows/discussion.yaml workflow so that creating a GitHub Discussion executes arbitrary commands on the victim’s self-hosted runner; a formatter_*.yml workflow is used to collect GitHub Actions secrets into actionsSecrets.json. (wiz.io)
• Self-replication: Stolen npm tokens and GitHub access allow the actor to publish trojanized versions of additional packages under compromised maintainers, driving rapid worm-like spread across ecosystems. (wiz.io)
• Destructive fallback: Analyses report a “dead man’s switch” that may delete user data (e.g., the home directory) when the malware cannot exfiltrate or persist; CERT-FR also warns about possible user-data deletion. (about.gitlab.com)

Key Artifacts to Pull

• Project and dependency state:
  • package.json, package-lock.json, yarn.lock, pnpm-lock.yaml (to diff against clean versions announced by vendors such as Postman and PostHog). (blog.postman.com)
• On-disk indicators:
  • setup_bun.js and bun_environment.js in package tarballs or node_modules; auxiliary files cloud.json, contents.json, environment.json, truffleSecrets.json. (wiz.io)
  • Suspicious GitHub workflows: .github/workflows/discussion.yaml and formatter_*.yml. (wiz.io)
• GitHub infrastructure state:
  • Presence of self-hosted runners named “SHA1HULUD.” Use the GitHub REST API to list runners at org/repo scope during triage. (wiz.io)
• Package manager caches and global install context:
  • npm cache directory (default on POSIX: ~/.npm with _cacache) for corroborating when/what versions were fetched. (docs.npmjs.com)

Example triage commands (read-only where possible):

Wireshark 4.6.1 and 4.4.11 shipped on November 19, 2025 with fixes for two dissector crash issues; installers for Windows and macOS plus source are available now (Wireshark news). The patched issues are BPv7 (Bundle Protocol v7) and Kafka dissectors that could crash when parsing crafted traffic or trace files (wnpa-sec-2025-05, wnpa-sec-2025-06). Wireshark notes discovery during internal testing and no known in-the-wild exploitation, but a crash during triage still means lost analyst time and potentially missed signal (BPv7 advisory, Kafka advisory). The 4.6.1 release is also the first maintenance for the 4.6 branch (4.6.1 release notes).

Exterro has introduced FTK Imager Pro as a paid add-on to the longstanding free FTK Imager, bringing BitLocker decryption during imaging and iOS logical/advanced logical collection while keeping the free edition available; the Pro and Free editions share the same download with license-gated features, and the Pro subscription is currently listed at $499 USD. Android acquisition is “on the roadmap,” according to Exterro’s public remarks on a recorded interview. (Forensic Focus transcript, Nov 24, 2025; Exterro FTK Imager Pro store page).

YARA-X 1.10.0 adds a new subcommand that can automatically apply suggested fixes for certain compiler warnings. The command is invoked as yr fix warnings, and one common transformation replaces ambiguous 0 of (...) conditions with explicit none of (...). The tool edits your rule files in place, so use version control or work on copies first. (github.com)

Overview

YARA-X is a Rust rewrite of YARA with a modern CLI named yr. It targets high compatibility with existing rules while improving performance, safety, and developer ergonomics. (github.com)

On November 5, 2025, GitHub disabled creation of classic npm tokens and tightened controls on granular tokens; write-capable granular tokens now enforce 2FA by default and are limited to a maximum 90-day lifetime, with a seven-day default for new write tokens. GitHub also indicated that local publishing sessions would shift to two-hour tokens, and initially targeted November 19 for revoking all remaining classic tokens. Validate the current cutoff in your environment-GitHub’s community channel noted a possible shift to December 9 to coincide with CLI improvements-then proceed as if long-lived classic credentials are dead and rotation is mandatory. (GitHub Changelog, Nov 5, GitHub Changelog, Sep 29, GitHub Community discussion, Nov 13). (github.blog)

Trend Micro’s latest research reconstructs an end-to-end “scam assembly line” where threat actors chain large language model (LLM) lure generation, synthetic voice/video, and low-code automation (n8n) to spin up convincing phishing and merchandise scams at scale with minimal effort. The demo highlights modular pipelines that can swap prompts, assets, and delivery channels while hiding behind disposable infrastructure and cloud services (Trend Micro, Nov 18, 2025).

Intrusion Flow

• Lure generation and refinement
  • Actors use LLMs to draft spear-phishing or promo copy and iteratively “jailbreak” guardrails through multi-turn prompt patterns, improving persuasion and filter evasion (Microsoft Security on Crescendo jailbreaks; OpenAI/Microsoft disruption of state-linked misuse).
• Synthetic assets
  • Deepfake voice and avatar video are used to front fake product ads, support calls, or romance/investment pitches, with measurable rise in AI-voice fraud calls reported in 2024-2025 (Hiya Q4 2024 call threat report release; FTC consumer alert and challenge outcomes on voice-clone detection/watermarking).
• Automation pipeline (orchestrator)
  • Low-code platforms like n8n can chain text, image, TTS, and video services into agentic workflows that batch-produce lures and publish them across email, web, and social channels (Trend Micro lab pipeline).
• Delivery and infrastructure
  • Distribution leans on clusters of newly registered or short-lived domains and lookalikes; domain age and deceptive links remain top phishing indicators in enterprise telemetry (Cloudflare phishing report). Short-lived domains are common-Spamhaus observed ~89% of studied phishing domains active for <48 hours, reflecting a churn model that evades daily snapshots and takedown latency (Spamhaus passive DNS research; DarkDNS paper on visibility gaps for transient domains). Some campaigns also rent fast-flux and bulletproof hosting to rotate IPs and extend uptime (Bitsight fast-flux investigation).
• Monetization and follow-through
  • Voice-cloned robocalls and impersonation continue despite new U.S. prohibitions on AI-voice robocalls under the TCPA, raising both criminal and regulatory exposure for operators and facilitators (AP coverage of FCC ruling).

Key Artifacts to Pull

• Email and messaging
  • Full RFC822 source with Received chain, DKIM/DMARC/SPF results, display-name vs. header anomalies, and any URL shorteners or tracking parameters aligned to the same infrastructure cluster (Cloudflare phishing indicators include domain age and deceptive links).
• Web infrastructure
  • Server and CDN logs for landing pages; TLS cert details; hosting ASNs; shared analytics IDs; favicon/screenshot hashes for kit clustering; newly registered domain (NRD) metadata and WHOIS; passive DNS pivoting across A/AAAA/CNAME/NS records to reveal rotating IP sets and lookalikes (Spamhaus: short duty cycle on phishing domains; DarkDNS transient-domain visibility; Bitsight fast-flux characteristics).
• Synthetic media
  • Original audio/video files when available; obtain transcoding logs from comms platforms; evaluate for liveness/clone indicators per emerging techniques (e.g., real-time clone detection and watermarked provenance described in FTC challenge winners) (FTC consumer alert).
• Automation backends (self-hosted n8n or similar)
  • If your environment runs n8n, collect workflow JSON, execution logs, credentials vault exports, environment variables, and API audit logs. The public REST API exposes workflow administration; disable if unused and scope API keys tightly (n8n API docs; disable public API guidance).
  • Validate patch levels against recent n8n CVEs that could aid takeover or phishing distribution, such as open-redirect in login (<1.98.0), DoS via binary-data endpoint (<1.99.0), stored XSS in LangChain Chat Trigger (<1.107.0), symlink traversal in file node (<1.106.0), and RCE via Git node pre-commit (<1.113.0) (NVD CVE-2025-49592; CVE-2025-49595; CVE-2025-58177; CVE-2025-57749; CVE-2025-62726).

Detection Notes

• Cluster the infrastructure, not the copy
  • Prioritize hunts for NRDs and lookalikes seen in email and web logs within their first 72 hours; many phishing domains die in under two days, so velocity detection matters (Spamhaus 48-hour activity finding).
• Example Splunk: clicks to NRDs (domain age < 7 days) from mail links

  index=proxy OR index=web (http_status=200 OR http_status=302)
  | eval host=coalesce(cs_host, dest_host, uri_host)
  | lookup whois_domains domain as host OUTPUT domain_age_days
  | where domain_age_days <= 7
  | stats count dc(src_ip) dc(user) values(referer) by host
  | sort - count
  

• Example pDNS pivot: fast-flux / low-TTL clusters

  -- Pseudo-SQL over PDNS
  SELECT qname, count(DISTINCT rrdata) AS ips, min(ttl) AS min_ttl,
         count(DISTINCT resolver) AS resolvers
  FROM pdns WHERE first_seen > now() - interval '48 hours'
  GROUP BY qname HAVING ips >= 10 OR min_ttl <= 120 ORDER BY ips DESC;
  

  Use ASN and nameserver co-occurrence to fingerprint rotating hosting and kit reuse (Bitsight fast-flux traits).
• Voice/phone fraud signals
  • Blend call intelligence with IT telemetry (voice events + subsequent login attempts or payment flows); vendors observed rising deepfake call losses in late 2024 (Hiya report summary). U.S. enforcement has made AI-voice robocalls illegal, aiding attribution and disruption (AP on FCC action).
• Model/agent risk in your stack
  • Treat AI assistants as part of the attack surface; indirect prompt injection remains a practical vector against summarizers and mail triage tools (Mozilla 0Din finding on Gemini Workspace summarizer manipulation; CISA multi-nation guidance for using AI securely).

Response Guidance

• Triage fast, contain faster
  • Quarantine endpoints that interacted with suspected NRDs/lookalikes; block and sinkhole the domain cluster and any shared IPs/NS immediately to beat the 48-hour churn (Spamhaus short-lived domain analysis).
• Eradicate pipeline footholds
  • If n8n (or similar) is present internally, rotate API keys, disable the public API where unused, and patch to remediate recent CVEs; export workflow JSON for IR timelines and disable active lures (n8n API; disable public API; NVD/GitLab advisories).
• Takedown and legal levers
  • Submit abuse to registrars/hosts with evidence of brand impersonation, fast-flux indicators, and victim impact. For AI-voice robocalls, cite the FCC prohibition when engaging telecom partners and state AGs to expedite blocks and civil actions (AP on FCC ban).
• Harden controls for the next wave
  • Enforce NRD/“confusable” domain blocks or holds at the gateway; several providers support lookalike and scam categories to preempt clicks (Cloudflare brand impersonation defenses; Cloudflare Gateway “Scam” category).
  • Sandbox or disable AI auto-summarization on untrusted content; adopt allow-lists and content provenance where available (CISA secure AI use).
  • Train helpdesk/finance to challenge-response on voice instructions; FTC guidance highlights real-time liveness/clone detection and watermarking concepts that can be integrated into call flows (FTC consumer alert).

Takeaways

• Hunt infrastructure clusters: NRDs, lookalikes, and fast-flux indicators are your highest-leverage pivots in the first 48 hours (Spamhaus; Bitsight).
• Treat low-code orchestrators as Tier-1 assets: lock down n8n APIs, rotate credentials, and patch recent CVEs before they become distribution points (n8n docs; NVD/GitLab).
• Don’t trust “smart” summarizers by default: indirect prompt injection against AI assistants is practical; sandbox or disable on untrusted mail/web (Gemini finding via 0Din; CISA).
• Use telecom and legal levers early for voice-clone fraud; the policy environment now supports faster blocking of AI-voice robocalls (AP on FCC rule).

SANS ISC documented a fresh KongTuke lure on November 18, 2025 that uses a fake CAPTCHA page and a ClickFix-style clipboard injection to run a PowerShell one-liner, which pulls a ZIP containing a malicious Python script and a bundled Windows Python runtime. Post-infection artifacts land under AppData\Roaming\DATA with persistence via a Scheduled Task; IOCs include multiple paths on 64.111.92[.]212:6655 and later HTTPS to telegra.ph, which itself is legitimate infrastructure often abused as an intermediary. See the primary diary for details and hashes (SANS ISC).

Fortinet has acknowledged active exploitation of a FortiWeb GUI path traversal that lets an unauthenticated attacker reach a CGI endpoint and impersonate users, including admins, to run privileged actions such as creating new administrator accounts (CVE-2025-64446) (Fortinet PSIRT FG-IR-25-910; NVD entry). SANS ISC’s Stormcast on November 17, 2025 highlighted widespread scanning and recommended treating exposed, unpatched appliances as compromised until proven otherwise (SANS Stormcast 2025-11-17). In parallel, ClickFix lures are leveraging Windows finger.exe to fetch follow-on commands over the legacy Finger protocol, making egress on TCP/79 a simple detection point (SANS ISC diary; BleepingComputer).