November's Top Cyber Attacks: XWorm, JSGuLdr, Mobile Threats, and Multi-Stage Campaigns Surge Worldwide

DUBAI, DUBAI, UNITED ARAB EMIRATES, December 1, 2025 /EINPresswire.com/ -- Cyberattacks continued to intensify in November as attackers relied on multi-stage loaders, in-memory execution, and cross-platform payloads. ANY.RUN reports a noticeable rise in loader-driven intrusions, encrypted payload containers, and campaigns targeting Windows, Linux, and Android environments.

The November 2025 Threat Analysis shows how modern attacks blend JavaScript, PowerShell, Linux services, and mobile components to move quietly through enterprise networks, often without leaving traditional executables behind.

๐๐๐†-๐๐š๐ฌ๐ž๐ ๐ˆ๐ง-๐Œ๐ž๐ฆ๐จ๐ซ๐ฒ ๐‹๐จ๐š๐๐ข๐ง๐ : ๐—๐–๐จ๐ซ๐ฆ ๐’๐ญ๐ž๐š๐ฅ๐ž๐ซ ๐‘๐ž๐ญ๐ฎ๐ซ๐ง๐ฌ

A new XWorm wave used phishing pages to deliver an obfuscated JavaScript dropper that hid AES-encrypted payloads inside PNG files. By loading the .NET assembly directly in memory, the malware avoided on-disk artifacts and enabled credential theft and remote access attempts inside corporate environments.

๐‰๐’๐†๐ฎ๐‹๐๐ซ: ๐Œ๐ฎ๐ฅ๐ญ๐ข-๐’๐ญ๐š๐ ๐ž ๐‹๐จ๐š๐๐ž๐ซ ๐ƒ๐ž๐ฅ๐ข๐ฏ๐ž๐ซ๐ข๐ง๐  ๐๐ก๐š๐ง๐ญ๐จ๐ฆ๐’๐ญ๐ž๐š๐ฅ๐ž๐ซ

ANY.RUN analysts identified JSGuLdr, a multi-stage loader that begins with obfuscated JScript and uses COM to launch PowerShell under explorer.exe, making the activity appear routine. PowerShell then downloads and decrypts a payload from Google Drive and executes it, leading to PhantomStealer being injected into msiexec.exe. This approach enables quiet data theft inside corporate environments with almost no on-disk traces.

For deeper visibility into these threats, including live analyses, key indicators, and detection guidance, explore the ANY.RUN blog.

๐Ž๐ญ๐ก๐ž๐ซ ๐“๐ก๐ซ๐ž๐š๐ญ๐ฌ ๐ˆ๐ฆ๐ฉ๐š๐œ๐ญ๐ข๐ง๐  ๐‚๐จ๐ฆ๐ฉ๐š๐ง๐ข๐ž๐ฌ

ยท ๐—ฅ๐—ผ๐—ป๐—ถ๐—ป๐—ด๐—Ÿ๐—ผ๐—ฎ๐—ฑ๐—ฒ๐—ฟ, ๐—›๐—ผ๐—น๐—ฑ๐—ถ๐—ป๐—ด๐—›๐—ฎ๐—ป๐—ฑ๐˜€, ๐—ฆ๐—ป๐—ผ๐˜„๐—น๐—ถ๐—ด๐—ต๐˜: Cross-platform loader and RAT chain enabling access to both corporate endpoints and Linux servers.

ยท ๐—ฃ๐——๐—™๐—–๐—ต๐—ฎ๐—บ๐—ฝ๐—ถ๐—ผ๐—ป๐˜€, ๐—˜๐—ณ๐—ถ๐—บ๐—ฒ๐—ฟ, ๐—•๐—ง๐— ๐—ข๐—•: Browser hijacking, Tor-based credential theft, and Android trojans targeting employee devices and corporate accounts.

ยท ๐— ๐—ผ๐—ป๐—ธ๐—ฒ๐˜†, ๐—ฃ๐—ต๐—ผ๐—ฒ๐—ป๐—ถ๐˜…, ๐—ก๐—ผ๐—ป๐—˜๐˜‚๐—ฐ๐—น๐—ถ๐—ฑ: Linux ransomware, targeted Windows backdoors, and hybrid RATโ€“ransomware used for deeper intrusion into enterprise environments.

ยท ๐•๐š๐ฅ๐ค๐ฒ๐ซ๐ข๐ž, ๐’๐Ÿ๐ฎ๐ณ๐ฎ๐š๐ง, ๐’๐จ๐ซ๐ฏ๐ž๐ฉ๐จ๐ญ๐ž๐ฅ: Credential theft, adaptable backdoors, and WhatsApp-based malware spreading through trusted communication channels.

๐€๐›๐จ๐ฎ๐ญ ๐€๐๐˜.๐‘๐”๐

ANY.RUN is a leading provider of interactive malware analysis and threat intelligence solutions used by 15,000 organizations and over 500,000 analysts worldwide. The service combines a live Interactive Sandbox, TI Lookup for instant IOC enrichment, and continuously updated Threat Intelligence Feeds to help security teams investigate faster, improve detection logic, and respond to emerging threats with confidence.

The ANY.RUN team
ANYRUN FZCO
+1 657-366-5050

This press release can be viewed online at: https://www.einpresswire.com/article/871569177/
