Daily Digest

Qilin Ransomware Strikes Globally: Asahi and South Korean Financial Sector Hit in Major Campaigns

Qilin Ransomware Strikes Globally: Asahi and South Korean Financial Sector Hit in Major Campaigns

November 29, 2025
9 articles (9 new)
27 min read

Summary

This cybersecurity brief for November 29, 2025, covers a series of high-impact attacks led by the Qilin ransomware group, including a massive data breach at Japanese beverage giant Asahi affecting nearly 2 million individuals and a sophisticated supply-chain attack that compromised 28 South Korean financial firms. Additional major events include espionage campaigns by APT groups Bloody Wolf and APT36, data breaches at Under Armour and DoorDash, and a cloud misconfiguration incident at Oracle. The period was marked by significant ransomware activity, nation-state espionage, and supply chain vulnerabilities.

Filter by Category

New Articles (9)

Asahi Confirms Qilin Ransomware Breach Exposed Data of Nearly 2 Million

HIGH

Japanese Beverage Giant Asahi Confirms Qilin Ransomware Attack Exposed Data of 1.9 Million Individuals

Japanese beverage giant Asahi Group Holdings has confirmed a September 2025 ransomware attack by the Qilin group resulted in a massive data breach affecting 1.914 million individuals. The breach exposed the personal information of customers, employees, and business contacts, leading to significant operational disruptions, including production halts and product shortages. The attackers gained initial access through compromised network equipment and moved laterally to deploy ransomware across Asahi's domestic data centers. While no financial data was stolen, the exposed PII includes names, addresses, phone numbers, and dates of birth.

November 29, 2025
6 min read
ransomwareqilindata breachjapanmanufacturing +1 more
Asahi Confirms Qilin Ransomware Breach Exposed Data of Nearly 2 Million
Ransomware
Data Breach
Cyberattack

Qilin's "Korean Leaks" Hits 28 Financial Firms via MSP Supply Chain Attack

CRITICAL

Qilin Ransomware's "Korean Leaks" Campaign Compromises 28 South Korean Financial Firms via MSP Breach

The Qilin ransomware group has executed a devastating supply-chain attack, dubbed "Korean Leaks," by breaching GJTec, a South Korean managed service provider (MSP). This single point of failure allowed the attackers to compromise at least 28 of the MSP's downstream financial services clients. The campaign, which ran in waves from September to October 2025, resulted in the exfiltration of over 2TB of data. Researchers from Bitdefender have noted potential links to the North Korean state-affiliated group Moonstone Sleet, suggesting a hybrid operation blending financial extortion with geopolitical motives.

November 29, 2025
6 min read
supply chain attackqilinransomwaresouth koreamsp +2 more
Qilin's "Korean Leaks" Hits 28 Financial Firms via MSP Supply Chain Attack
Supply Chain Attack
Ransomware
Threat Actor

TryHackMe Apologizes for All-Male Panel After Community Backlash

INFORMATIONAL

TryHackMe Faces Backlash and Apologizes for Lack of Female Representation in "Advent of Cyber" Event

Cybersecurity training platform TryHackMe issued a public apology on November 28, 2025, after announcing an all-male list of 18 industry helpers for its popular "Advent of Cyber" event. The omission sparked significant backlash from the cybersecurity community regarding the lack of gender diversity and representation. The company acknowledged the mistake was unintentional, stating several female creators had been invited but were unavailable. TryHackMe is now actively working with community members to recruit and onboard women to the panel before the event's launch.

November 29, 2025
3 min read
diversityinclusioncybersecurity communitytryhackmetraining
TryHackMe Apologizes for All-Male Panel After Community Backlash
Other

Pakistan-linked APT36 Targets Indian Government with New Linux Malware

HIGH

APT36 (Transparent Tribe) Deploys New Python-Based ELF Malware in Espionage Campaign Against Indian Government

The Pakistan-based threat group APT36, also known as Transparent Tribe, is conducting an active cyber-espionage campaign against Indian government entities. A CYFIRMA report published on November 29, 2025, details the group's use of a new Python-based malware compiled for Linux systems (ELF format). This development signifies an expansion of APT36's toolkit to target non-Windows environments within sensitive Indian government and strategic sector networks, continuing the group's long-standing focus on intelligence gathering against India.

November 29, 2025
5 min read
apt36transparent tribecyberespionageindiapakistan +2 more
Pakistan-linked APT36 Targets Indian Government with New Linux Malware
Threat Actor
Cyberattack
Malware

North Korea's Cybercrime is Statecraft, Report Warns

INFORMATIONAL

New Report Analyzes North Korea's Use of Cybercrime as a Tool of Statecraft Following UN Panel Dissolution

A strategic intelligence report published by CYFIRMA on November 28, 2025, analyzes North Korea's increasing reliance on cybercrime as a core instrument of its statecraft. The report's release is timely, following Russia's 2024 veto that disbanded the UN Panel of Experts responsible for monitoring North Korean sanctions evasion. The analysis details how state-sponsored groups like the Lazarus Group conduct large-scale cyber operations, including cryptocurrency heists and ransomware attacks, to generate revenue that directly funds the nation's weapons programs and sustains the regime.

November 29, 2025
4 min read
north koreadprklazarus groupcybercrimestate-sponsored +2 more
North Korea's Cybercrime is Statecraft, Report Warns
Threat Intelligence
Threat Actor
Policy and Compliance

Under Armour Investigates Ransomware Attack, Data Theft Claims

HIGH

Under Armour Investigating Ransomware Attack After Threat Actors Claim Theft of Data on "Millions"

Athletic apparel giant Under Armour is investigating a ransomware attack that has impacted its internal corporate systems. According to a report from November 28, 2025, an unidentified ransomware group has claimed responsibility and alleges it has exfiltrated a large volume of data, including personal records for "millions of individuals." Under Armour has acknowledged the unauthorized access and launched a forensic investigation to determine the scope of the breach and verify the attackers' claims. The incident has caused internal disruptions and poses a significant data privacy risk.

November 29, 2025
5 min read
ransomwaredata breachunder armourretaildouble extortion
Under Armour Investigates Ransomware Attack, Data Theft Claims
Ransomware
Data Breach
Cyberattack

DoorDash Discloses Another Breach via Third-Party Vendor

MEDIUM

DoorDash Confirms Data Breach Stemming from Compromised Third-Party Service Provider

Food delivery service DoorDash disclosed another data breach on November 27, 2025, resulting from a compromise at an unnamed third-party service provider. The incident, reported on November 28, exposed information belonging to both customers and delivery drivers. This breach marks the latest in a series of security incidents for DoorDash involving its supply chain, highlighting persistent vulnerabilities in its network of external vendors and raising concerns about the security of its platform.

November 29, 2025
5 min read
data breachsupply chain attackdoordashthird party riskapi security
DoorDash Discloses Another Breach via Third-Party Vendor
Data Breach
Supply Chain Attack
Cloud Security

Oracle Cloud Misconfiguration Exposes Customer Data

MEDIUM

Oracle Reports Data Breach Caused by Misconfigured Cloud Resources

Oracle has reported a data breach stemming from misconfigured resources within its own Oracle Cloud Infrastructure (OCI). The incident, first noted on November 13 and analyzed in a report on November 28, 2025, allowed external, unauthorized access to a portion of its cloud environment where customer data was stored. While the full scope and specific customers affected have not been detailed, the breach highlights the significant security challenges of managing large-scale cloud environments, demonstrating that even major cloud providers are susceptible to internal configuration errors.

November 29, 2025
4 min read
cloud securitydata breachoracleocimisconfiguration +1 more
Oracle Cloud Misconfiguration Exposes Customer Data
Cloud Security
Data Breach
Vulnerability

MaaS Provider TAG-150 Distributes Modular Loader and RAT

MEDIUM

Malware-as-a-Service Group TAG-150 Identified Operating Modular Loader and RAT Campaign

A Malware-as-a-Service (MaaS) provider, tracked as TAG-150, has been identified operating a campaign active since at least March 2025. According to a threat intelligence report from November 29, 2025, the group is distributing a modular loader that delivers a Remote Access Trojan (RAT). The operation is focused on information theft and leverages user interaction and living-off-the-land techniques to compromise systems. The campaign highlights the ongoing threat from the MaaS ecosystem, which provides cybercriminals with ready-made tools to conduct attacks.

November 29, 2025
4 min read
maasmalware-as-a-serviceratloadertag-150 +1 more
MaaS Provider TAG-150 Distributes Modular Loader and RAT
Malware
Threat Actor

📢 Share This Publication

Help others stay informed about cybersecurity threats