Cyber Security Weekly Briefing, 15-21 November
Kraken: Continuation of HelloKitty with adaptive encryption and double extortion
Kraken ransomware, the operational successor to HelloKitty, incorporates an unusual benchmarking mechanism that evaluates the performance of each machine and selects between total or partial encryption to maximize speed without generating alerts. Intrusions begin by exploiting SMB vulnerabilities in exposed assets, followed by credential theft and access via RDP with persistent tunnels using Cloudflared and exfiltration via SSHFS.
The malware deletes backups, stops services, and deploys specific modules to encrypt SQL databases, shared resources, local drives, and Hyper-V environments. The Linux/ESXi variant forces VMs to shut down in order to encrypt their disks. Upon completion, it executes a wiper ("bye_bye.sh") that removes traces of the operation.
Affected files are given the .zpsc extension and a "readme_you_ws_hacked.txt" note is generated, with observed demands of up to $1 million. The group has victims worldwide and also operates its own forum, "The Last Haven Board," for criminal exchange.
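As an added defender-side example (not code from the briefing or from any of the reports it summarises), the following Python snippet turns the Kraken artefacts named above (the .zpsc extension, the "readme_you_ws_hacked.txt" note and the "bye_bye.sh" wiper) into a small file-event detector. The event tuples, host names, thresholds and window size are constructed assumptions for the demonstration; in practice they would come from EDR or Sysmon file-create telemetry and be tuned per environment.

```python
from collections import defaultdict

# Hypothetical file-creation events: (host, timestamp_seconds, action, path).
# Constructed for this example; not real telemetry.
SAMPLE_EVENTS = (
    [("ws01", 100 + i, "create", f"C:\\Users\\alice\\Documents\\report{i}.xlsx.zpsc") for i in range(25)]
    + [("ws01", 126, "create", "C:\\Users\\alice\\Documents\\readme_you_ws_hacked.txt")]
    + [("ws02", 400 + i * 30, "create", f"C:\\Users\\bob\\old{i}.docx.zpsc") for i in range(3)]
    + [("esx01", 900, "create", "/tmp/bye_bye.sh")]
    + [("ws03", 950, "create", "C:\\Users\\carol\\notes.txt")]
)

# Indicators taken from the briefing text.
RANSOM_EXT = ".zpsc"
RANSOM_NOTE = "readme_you_ws_hacked.txt"
WIPER_SCRIPT = "bye_bye.sh"

# Assumed tuning values: a burst of this many .zpsc files within the window
# is treated as mass encryption rather than an isolated rename.
BURST_THRESHOLD = 20
WINDOW_SECONDS = 60


def _basename(path: str) -> str:
    """Return the lower-cased final path component for Windows or POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze(events):
    """Return a list of (host, alert_kind, detail) tuples derived from file events."""
    alerts = []
    ext_times = defaultdict(list)  # host -> timestamps of .zpsc file creations

    for host, ts, action, path in events:
        if action != "create":
            continue
        name = _basename(path)
        if name == RANSOM_NOTE:
            alerts.append((host, "ransom_note", path))
        elif name == WIPER_SCRIPT:
            alerts.append((host, "wiper_script", path))
        elif name.endswith(RANSOM_EXT):
            ext_times[host].append(ts)

    for host, times in ext_times.items():
        times.sort()
        start = 0
        burst = False
        # Sliding window: count .zpsc creations within WINDOW_SECONDS of each other.
        for end in range(len(times)):
            while times[end] - times[start] > WINDOW_SECONDS:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                burst = True
                alerts.append((host, "mass_encryption",
                               f"{end - start + 1} {RANSOM_EXT} files within {WINDOW_SECONDS}s"))
                break
        if not burst:
            # Below the burst threshold, but the extension alone is still worth a low-severity alert,
            # since partial encryption keeps the file count low by design.
            alerts.append((host, "ransom_extension", f"{len(times)} {RANSOM_EXT} files"))

    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

The rate-based "mass_encryption" rule is the one Kraken's benchmarking step is designed to stay under: partial encryption touches fewer bytes per file and may spread work out, so the low-severity "ransom_extension" and note-file rules are kept as independent signals rather than relying on volume alone.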
Automated cyberespionage operation through Claude Code abuse
Anthropic attributes to the Chinese group GTG-1002 a cyberespionage campaign that reportedly automated between 80% and 90% of its operations using the Claude Code model, although the security community questions the veracity of the report due to the absence of IoCs and technical details.
The company describes it as the first documented case of large-scale intrusions executed almost autonomously by an AI system. The actor employed jailbreaking techniques to make Claude operate as an intrusion agent, integrating it with pentesting tools and an MCP-based infrastructure for scanning, exploitation, and post-exploitation with minimal human oversight.
The attack spanned six phases, from selecting high-value targets to data mining and establishing persistence, with human intervention only in critical decisions. Claude generated payloads, assessed vulnerabilities, navigated internal networks and classified sensitive information, although it produced errors and fabricated results.
Anthropic claims to have blocked accounts, tightened detection controls, and shared intelligence to improve AI-assisted intrusion identification.
UNC1549: expansion of TTPs aimed at espionage in the aerospace and defense sectors
Since 2023, UNC1549 has intensified its intrusion campaigns against aerospace, aviation, and defense organizations using a dual initial access model: highly targeted spearphishing and third-party compromise with legitimate credentials.
According to Mandiant, the group exploits Citrix, VMware, and Azure Virtual Desktop services to gain access through vendors and execute VDI breakouts. Following the intrusion, it employs internal phishing to capture privileged credentials and deploy custom backdoors such as MINIBIKE, TWOSTROKE, or DEEPROOT. UNC1549 uses DLL search order hijacking to execute CRASHPAD, DCSYNCER.SLICK, and other post-exploitation modules. For privilege escalation, it performs DCSync attacks, domain controller account resets, RBCD abuse, Kerberoasting, and exploitation of vulnerable AD CS templates.
Lateral movement relies on RDP, PowerShell Remoting, SCCM, and legitimate tools, while C2 relies on reverse SSH tunnels, Azure Web Apps, and redundant access points. The objectives focus on the exfiltration of technical documentation, IP, and emails, as well as the use of victims to pivot to new entities.
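The DCSync technique attributed to UNC1549 above leaves a well-known audit trail: directory replication requests are logged on domain controllers as Windows Security event 4662 whose Properties field carries the DS-Replication-Get-Changes extended-right GUIDs. The following Python snippet is an added example of that detection, not code from the Mandiant report or the briefing. The event dictionaries, host and account names and the allow-list of domain controller computer accounts are constructed assumptions; the two GUIDs are the standard Active Directory extended-rights identifiers.

```python
# Extended-rights GUIDs that a DCSync (replication) request exercises.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# Assumed allow-list: computer accounts of legitimate domain controllers,
# which replicate with each other as a matter of course.
KNOWN_DC_ACCOUNTS = {"dc01$", "dc02$"}

# Constructed sample of parsed Security events (only the fields the rule needs).
SAMPLE_EVENTS = [
    {"EventID": 4662, "Computer": "dc01.corp.example", "SubjectUserName": "DC02$",
     "SubjectDomainName": "CORP", "AccessMask": "0x100",
     "Properties": f"{{{DS_REPLICATION_GET_CHANGES}}} {{{DS_REPLICATION_GET_CHANGES_ALL}}}"},
    {"EventID": 4662, "Computer": "dc01.corp.example", "SubjectUserName": "svc_backup",
     "SubjectDomainName": "CORP", "AccessMask": "0x100",
     "Properties": f"{{{DS_REPLICATION_GET_CHANGES}}} {{{DS_REPLICATION_GET_CHANGES_ALL}}}"},
    {"EventID": 4662, "Computer": "dc01.corp.example", "SubjectUserName": "jdoe",
     "SubjectDomainName": "CORP", "AccessMask": "0x100",
     "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"},  # unrelated object access
    {"EventID": 4624, "Computer": "dc01.corp.example", "SubjectUserName": "jdoe",
     "SubjectDomainName": "CORP", "AccessMask": "", "Properties": ""},
]


def is_replication_request(event) -> bool:
    """True when a 4662 event requests either replication extended right."""
    if event.get("EventID") != 4662:
        return False
    props = event.get("Properties", "").lower()
    return any(guid in props for guid in REPLICATION_GUIDS)


def detect_dcsync(events, dc_accounts=KNOWN_DC_ACCOUNTS):
    """Return replication requests made by accounts that are not known domain controllers."""
    findings = []
    for event in events:
        if not is_replication_request(event):
            continue
        subject = event.get("SubjectUserName", "").lower()
        if subject in dc_accounts:
            continue  # DC-to-DC replication is expected
        findings.append({
            "host": event.get("Computer"),
            "account": f"{event.get('SubjectDomainName')}\\{event.get('SubjectUserName')}",
            "rights": sorted(g for g in REPLICATION_GUIDS if g in event.get("Properties", "").lower()),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_dcsync(SAMPLE_EVENTS):
        print(finding)
```

The allow-list is the part that needs maintenance: any legitimate non-DC identity that replicates (for example a directory synchronisation service account) must be added explicitly, and a newly added entry should itself be reviewed, since granting replication rights to a user account is exactly what a DCSync-capable attacker arranges.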
Vulnerabilities in legacy railway systems and ERTMS/ETCS
Researchers at TechFrontiers demonstrated that railway signalling systems, both legacy and modern ERTMS/ETCS, can be manipulated with inexpensive hardware and basic knowledge. In Spain, the old ASFA system, based on analogue beacons without security measures, can be fooled by fake beacons made from household materials or by manipulating real beacons to cause emergency braking or send erroneous commands.
The team reproduced the inductive coupling mechanism using recycled cans, copper and a cheap signal generator, managing to replicate valid signals for a real train. They also warned that these risks extend to similar systems in other countries. Although modern ERTMS/ETCS systems are digital and more complex, they also have potential vulnerabilities related to spoofing, jamming, and replay attacks, the details of which will be revealed at Black Hat Europe 2025.
Researchers warn of the urgency of modernising signalling, despite the political and economic cost, to protect railway safety.
Amazon warns of campaigns combining cyber espionage and military attacks
Amazon Threat Intelligence warns of a new trend in which state actors integrate cyber operations with kinetic attacks, in a model they call cyber-enabled kinetic targeting. Thanks to Amazon's global visibility — cloud telemetry, MadPot honeypots, customer data and collaboration with agencies — campaigns have been identified where cyber espionage directly fuels physical attacks.
- In one case, Imperial Kitten (IRGC) compromised AIS systems and ship cameras between 2021 and 2024, culminating in a Houthi missile targeting a ship that had been previously tracked through cyber operations.
- In the second case, MuddyWater accessed CCTV cameras in Jerusalem in June 2025, using the images to adjust their targeting.
These actors use VPNs, their own servers, compromised enterprise systems, and real-time streaming to support military action. Amazon proposes a new concept for these campaigns, which go beyond the traditional framework of hybrid warfare.