November 3, 2025

News roundup November 3, 2025

San Mateo, CA, November 3, 2025 — Stories, events, and developments that impacted the cybersecurity landscape last week, including emerging threats, policy changes, and industry responses.

Hackers use fake LinkedIn invites to steal Microsoft logins

Hackers are using LinkedIn direct messages to target finance executives with phishing attacks disguised as invitations to join an investment board, as part of a campaign to steal Microsoft credentials. Push Security reports that the messages pose as exclusive offers to join the “Common Wealth” investment fund, “a bold new venture capital fund launching an Investment Fund in South America.” However, clicking the embedded link triggers a redirect chain through Google and attacker-controlled domains before leading to a fake “LinkedIn Cloud Share” page hosted on Firebase. Victims are then prompted to “View with Microsoft,” which opens a counterfeit Microsoft login portal protected by CAPTCHA to evade security scans. Push found the page captures both credentials and session cookies using adversary-in-the-middle techniques. The firm warns that phishing is increasingly shifting away from email, with 34% of recent attempts occurring on platforms like LinkedIn. Read more.

Chrome 154 to make HTTPS the default

Google announced that, starting with Chrome 154 in October 2026, the browser will default to secure HTTPS connections under a new “Always Use Secure Connections” setting. The feature, rolling out first to Enhanced Safe Browsing users in April 2026, will make Chrome attempt every site visit over HTTPS and prompt users before loading any page that lacks encryption. Google says the shift reflects its goal to make secure browsing the global standard, citing that 95–99% of Chrome traffic now uses HTTPS. However, the Chrome team warned that “[Even] a few percentage points of insecure traffic is a lot of navigations… Attackers only need one insecure connection […] to compromise a user.” Internal and private network addresses will be exempt from alerts. Read more.

Ex-L3Harris manager sold U.S. cyber tools to Russia

Peter Williams, former general manager of L3Harris’s cyber division Trenchant, has pleaded guilty to stealing and selling U.S. national security software to a Russian broker known for purchasing “cyber tools.” According to the Department of Justice, Williams sold the software under contracts promising millions in cryptocurrency in return. “The material, stolen over a three-year period from the U.S. defense contractor where he worked, was comprised of national-security focused software that included at least eight sensitive and protected cyber-exploit components,” said the DOJ. Williams, an Australian citizen based in Washington, D.C., faces up to 20 years in prison for two counts of trade secret theft, with sentencing set for January 2026. Authorities estimate Trenchant’s losses exceed $35 million. Read more.

AI browsers can be tricked by fake web data

Security researchers are warning that AI browser agents such as ChatGPT, Atlas and Perplexity AI are vulnerable to manipulation through hidden web data, allowing bad actors to alter the information these systems collect and trust. AI security firm SPLX demonstrated how a website could detect an AI crawler and serve it different, phony content while still displaying standard pages to human users. CyberScoop describes how scammers and criminals could “use the technique to launch smear campaigns about individuals or organizations, knowing that browser agents searching for those same names or terms would find the manipulated information.” New research by the British Standards Institution found that only 17.5% of U.S. businesses have AI governance frameworks in place, suggesting the country is “sleepwalking” into an AI oversight crisis even as they continue to adopt the technology. Read more.

Google denies reports of Gmail password leak

Google has dismissed reports that 183 million Gmail passwords were exposed in a recent data leak, clarifying that the claims stem “from a misunderstanding of infostealer databases” rather than a new breach. The confusion began when Have I Been Pwned (HIBP) added 183 million new email addresses to its records after receiving 3.5 terabytes of stolen credentials from stealer logs and credential stuffing activity across the web. While Gmail accounts appear within that dataset, Google emphasized that the information doesn’t represent a single Gmail-specific breach. HIBP creator Troy Hunt echoed that view, explaining that the data reflects ongoing leaks from multiple sources rather than a single large attack. Users are reminded to enable two-step verification for added protection. Read more.

$200 malware kit offers full remote control

Atroposia, a new malware-as-a-service platform, offers a modular remote-access trojan for $200 per month that provides attackers with persistent access, stealthy remote desktop control, file system management, credential and crypto wallet theft, clipboard capture, DNS hijacking, and local vulnerability scanning. Discovered by Varonis researchers, the RAT communicates over encrypted channels, can bypass Windows User Account Control to elevate privileges, and includes an HRDP connect module that spawns hidden desktop sessions. Its grabber and stealer components compress and exfiltrate targeted files and credentials, while the vulnerability auditor helps attackers prioritize exploits in corporate environments. Varonis warns that the plug-and-play toolkit significantly lowers the skill barrier, enabling amateur cybercriminals to launch sophisticated attacks. Read more.

Scam victims face record mental health toll

Identity fraud and scams are inflicting severe and rising psychological harm on victims, according to the Identity Theft Resource Center’s (ITRC) 2025 Consumer Impact Report. Surveying over a thousand consumers, the U.S. nonprofit found that one in four victims of identity crime had seriously considered self-harm, a 20-point increase from last year. Among self-identified victims, that number rose to 68%, though it fell to 14% among those who sought ITRC’s help. The report also found that repeat victimization is on the rise, with nearly one-third targeted twice and a quarter three times in the past year. Financial losses have also climbed, with over 20% of victims losing more than $100,000 and 10% losing more than $1 million. ITRC CEO Eva Velasquez called the findings “a call for action for policymakers, financial institutions, technology companies and consumers. The people being harmed are real. Their pain is real. For them, we should respond with humanity and urgency and confront the crisis head-on.” Read more.

Cyberattacks on U.S. agencies surge during shutdown

Cyberattacks against federal employees have nearly doubled since the U.S. government shutdown began on October 1, leaving vital agencies paused and tens of thousands of workers furloughed. With national cybersecurity capacity weakened, researchers at Media Trust warn that the federal government is facing more than 555 million cyberattacks this month, an 85% increase over September. CEO Chris Olson notes that these aren’t routine phishing campaigns but targeted digital attacks exploiting financially anxious employees through deceptive ads and credential-harvesting scams. The Department of Veterans Affairs and the Department of Justice are currently the most targeted agencies, as both rely heavily on “essential” staff still reporting to work without pay. Experts warn that the most serious consequences may surface later, when compromised accounts and devices are reconnected to government systems. Read more.

Hackers exploiting WordPress plugin flaws again

Wordfence warns that threat actors are exploiting three critical 2024 CVEs in two WordPress plugins, GutenKit and Hunk Companion, which have about 40,000 and 8,000 active installations. “These vulnerabilities make it possible for unauthenticated threat actors to install and activate arbitrary plugins, which can be leveraged to achieve remote code execution [RCE],” it warned in an update late last week. Wordfence discovered the bugs through its bug bounty program on September 25 and October 3, 2024, and says it has blocked almost 8.8 million exploitation attempts since the campaign resurfaced on October 8. The exploited CVEs are CVE-2024-9234, CVE-2024-9707, and CVE-2024-11972, each rated 9.8. Administrators should update plugins, audit sites for unauthorized installs, and block listed indicators. Also, review server logs, rotate credentials, and harden plugin permissions immediately to reduce exposure. Read more.

BreachForums returns to the open web

BreachForums, the infamous cybercrime marketplace, has returned after finding a new home on the clearnet. The site, long home to stolen data and hacking tools, disappeared earlier this year after law enforcement crackdowns and internal friction. Its administrator, koko, announced the relaunch, claiming restored backups and “enhanced anonymity” features and saying “we’ve learned from the mistakes.” Users can again access sections for ransomware, credentials, and zero-day exploits, though the forum’s former escrow system was reportedly hacked, resulting in major losses. Koko says a new, encrypted, multi-signature escrow is in development. While the clearnet move aims to attract broader participation, experts warn it also makes monitoring easier. “It’s too clean, too quick,” one anonymous poster cautioned, suspicious that the site could be a honeypot used by law enforcement. Read more.

About NetworkTigers

NetworkTigers is the leader in the secondary market for Grade A, seller-refurbished networking equipment. Founded in January 1996 as Andover Consulting Group, which built and re-architected data centers for Fortune 500 firms, NetworkTigers provides consulting and network equipment to global governmental agencies, Fortune 2000, and healthcare companies. www.networktigers.com.

Ben Walker
Ben Walker is a freelance research-based technical writer. He has worked as a content QA analyst for AT&T and Pernod Ricard.
