WEEKLY TOP TEN: November 17, 2025, 16:00 GMT

Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top 10 stories were selected from the 40+ we tracked during the week as the most significant, ranked from highest risk downward and drawing on multiple sources where available:

- Quantum Route Redirect Phishing Kit
A new phishing automation platform called Quantum Route Redirect (QRR) is targeting Microsoft 365 accounts globally. The kit uses multi-stage redirects to distinguish bots from humans, sending scanners to benign pages while steering real users to credential-harvesting login clones. Researchers report campaigns across more than 90 countries, using realistic lures such as DocuSign notifications and payment alerts hosted on roughly a thousand parked or compromised domains. Because QRR relies on redirect logic rather than exploiting software bugs, defenses need URL behavior analysis that follows the full redirect chain, phishing-resistant MFA, and closer monitoring of anomalous sign-ins in Microsoft 365 tenants.

- CPU Spike Exposes RansomHub Attack
A large enterprise using Varonis tooling narrowly avoided encryption by the RansomHub ransomware gang after a suspicious CPU spike on a server triggered an investigation. Analysts discovered a staged intrusion: a malicious "browser update" JavaScript payload, multi-layer encrypted Python malware configured as a SOCKS proxy, broad Active Directory enumeration, and credential harvesting. Within hours, the attackers obtained domain admin privileges and began exfiltrating data with AzCopy before being contained. The case study highlights how behavioral alerts on atypical CPU and data-access patterns can surface advanced ransomware operations early enough to prevent file encryption and downtime.

- CVE-2025-34299 Enables Full Server Takeover
A critical flaw in the Monsta FTP web-based file manager, tracked as CVE-2025-34299, allows remote attackers to fully compromise servers without authentication. The bug combines path traversal with remote code execution, letting an attacker upload and run arbitrary PHP on web servers running Monsta FTP and potentially exposing hosted applications and data. Thousands of publicly reachable Monsta FTP installations were found online, significantly widening the attack surface. Admins running Monsta FTP are urged to patch or restrict access immediately and to review logs for suspicious activity around file upload and execution paths.

- Infostealer Infrastructure Disrupted
Law enforcement and security researchers have disrupted infrastructure associated with the Rhadamanthys infostealer, hitting the criminal ecosystem that rents this stealer-as-a-service. Customers of the operation, which previously targeted corporate and consumer systems worldwide, suddenly lost access to their command-and-control servers and data panels. The takedown follows the broader Operation Endgame effort against multiple malware families. For organizations previously victimized, logs show that Rhadamanthys focused heavily on browser and crypto-wallet credentials. The disruption provides temporary relief but also raises the expectation that remaining operators will rebuild on new infrastructure using similar techniques.

- ArcaneDoor Campaign Exploits CVE-2025-20362/20333
Cisco customers running ASA firewalls and Firepower appliances are under active attack via two chained vulnerabilities, CVE-2025-20362 and CVE-2025-20333, now the focus of CISA Emergency Directive 25-03. The first bug allows login bypass on ASA/Firepower devices; the second enables code execution as root. Together they are used in the ArcaneDoor campaign to take full control of edge firewalls. Many organizations incorrectly assumed their devices were patched, but CISA found systems still running vulnerable versions. The article calls for verifying the exact fixed builds, rotating secrets on affected appliances, and checking for signs of the crash-and-reboot denial-of-service attempts noted in recent telemetry.

- Self-Replicating Worm Floods Packages
The npm JavaScript ecosystem is being abused by a self-replicating worm campaign that has pushed tens of thousands of malicious packages into the registry. Researchers at SourceCodeRed and JFrog, who call the malware IndonesianFoods and Big Red, traced between 40,000 and 80,000 automatically generated packages tied to compromised npm accounts. The worm reuses victims' npm credentials to publish new junk projects every few seconds, polluting search results and creating supply-chain risk if developers accidentally install them. While the code is currently spammy rather than overtly data-stealing, the same infrastructure could easily be repurposed to ship real malware in the future.

- Google Lawsuit Disrupts $1B Operation
Google reports that its lawsuit against the operators of the Lighthouse phishing-as-a-service kit has disrupted the platform, which was used by a China-based group known as Smishing Triad. Lighthouse provided turnkey SMS phishing campaigns impersonating brands such as USPS and E-ZPass to harvest payment card data and credentials. Google estimates that Lighthouse helped steal data tied to between 12.7 million and 115 million US payment cards and targeted over one million users across 120 countries. After the lawsuit, the criminals told customers their cloud servers were blocked, suggesting a takedown of core infrastructure. The move shows legal pressure working as a tool alongside technical countermeasures.

- Ethereum Wallet Seed Theft
Users of the Google Chrome extension "Safery", marketed as an Ethereum wallet helper, are being warned that the add-on is actually designed to steal seed phrases for Ethereum wallets. Researchers found Safery intercepting and exfiltrating recovery phrases entered by users, embedding them in stealthy blockchain transactions and covert exfiltration channels rather than obvious HTTP calls. The campaign appears aimed at draining non-custodial wallets managed through the browser. The article urges immediate removal of Safery from browsers, treating any seed phrase ever entered on a device where it was installed as compromised, and migrating funds to fresh wallets generated on uncompromised systems.

- Oracle E-Business Suite Hack Impacts 10,000
The Washington Post has notified nearly 10,000 current and former employees after a compromise of systems tied to Oracle E-Business Suite that the Cl0p ransomware gang claims to have exploited. The attackers reportedly abused an Oracle EBS vulnerability to access HR-related data, including names and Social Security numbers, then posted almost 30 alleged victim organizations to their leak site. The article notes that the Washington Post is working with law enforcement, offering identity protection services, and hardening its Oracle implementations. It also underscores the lingering exposure from long-lived ERP platforms that often run with extensive privileges deep inside enterprise networks.

- AV Feature Abused for Remote Access
File-sharing vendor Gladinet is dealing with active exploitation of a critical vulnerability in its Triofox secure file sharing and remote access product. The flaw, tracked as CVE-2025-12480, is tied to a built-in antivirus integration feature that attackers are abusing to deploy remote access tools on customer infrastructure. Threat actors can pivot from Triofox servers into internal networks, gaining persistent access for data theft and lateral movement. The article explains that exploitation began within weeks of the vendor's patch release and warns that unpatched Triofox deployments remain attractive footholds in hybrid environments.