
ConnectWise

12/15/2025 | 10 Minute Read

Monthly Threat Brief: November 2025


    Welcome to the November 2025 edition of the ConnectWise Cyber Research Unit™ (CRU) Monthly Threat Brief. This report provides a comprehensive look at the most significant cybersecurity developments impacting the IT services and SMB landscape. We break down the month’s top stories, critical vulnerabilities, and prevalent malware families to help you stay informed and prepared in an evolving threat environment. We have also begun adding descriptions of all the new detection signatures added to the ConnectWise SIEM™.

    Top story for November 2025

    Invisible Developer-Extension Malware Threatens OpenVSX Supply Chains

    Recent research highlights two sophisticated campaigns, GlassWorm and SleepyDuck, that exploit developer toolchains as high-value attack vectors. GlassWorm infiltrates Visual Studio Code extensions via the Open VSX registry, hiding malicious payloads using invisible Unicode characters that evade human review and diff tools. Once installed, it harvests developer credentials and propagates through auto-updating extensions, leveraging resilient C2 channels such as the Solana blockchain and Google Calendar events. SleepyDuck, on the other hand, weaponizes a Solidity-related extension, embedding a remote access trojan that activates when .sol files are opened. By using Ethereum smart contracts to dynamically resolve C2 addresses, this campaign demonstrates how attackers are innovating to maintain persistence and evade takedowns.

    These attacks underscore a critical shift: developer workstations and extension marketplaces are now prime real estate for adversaries. For managed service providers (MSPs) managing client environments, a single compromised extension can cascade into source code repositories, build pipelines, and production systems, amplifying supply-chain risk across multiple clients. The silent nature of these threats, with hidden code and automatic updates, means detection often lags behind compromise. MSPs must expand their security posture beyond traditional endpoints to include developer tooling, extension governance, and supply-chain monitoring. Treating developer ecosystems as high-risk zones is no longer optional; it’s essential for safeguarding client estates.
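    One defensive check that follows from the GlassWorm story is a review-time scan of extension source for invisible Unicode code points. The script below is an added example, not ConnectWise, Open VSX or GlassWorm code; the sample JavaScript is constructed, and the Tags-block-to-ASCII decoding is one assumed smuggling scheme rather than a claim about GlassWorm's exact encoding.

```python
"""Scan extension source for invisible Unicode code points that hide code from
human review and diff tools, as the GlassWorm campaign does. Added example; not
ConnectWise, Open VSX or GlassWorm code. The sample source below is constructed."""
import unicodedata
from typing import List, Tuple

Finding = Tuple[int, int, int, str]  # (line, column, code point, Unicode name)

def is_invisible(cp: int) -> bool:
    """True for code points that render as nothing in most editors and diffs."""
    if 0xE0000 <= cp <= 0xE007F:                            # Unicode Tags block
        return True
    if 0xFE00 <= cp <= 0xFE0F or 0xE0100 <= cp <= 0xE01EF:  # variation selectors
        return True
    # Cf (format) covers zero-width space/joiner, word joiner, BOM, bidi controls
    # and the soft hyphen; all of them are worth a human look in source code.
    return unicodedata.category(chr(cp)) == "Cf"

def scan_source(text: str) -> List[Finding]:
    """Return every invisible code point with its 1-based line and column.
    A byte-order mark as the very first character is tolerated."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            cp = ord(ch)
            if lineno == 1 and col == 1 and cp == 0xFEFF:
                continue
            if is_invisible(cp):
                findings.append((lineno, col, cp, unicodedata.name(ch, "UNASSIGNED")))
    return findings

def decode_tag_block(text: str) -> str:
    """Assumed smuggling scheme: Tags-block characters U+E0020..U+E007E carry
    ASCII 0x20..0x7E. Returns the hidden ASCII so a reviewer can inspect it."""
    return "".join(chr(ord(ch) - 0xE0000) for ch in text if 0xE0020 <= ord(ch) <= 0xE007E)

# Constructed sample: a reviewer sees two harmless lines, but the second line also
# carries "eval(x)" encoded in Tags-block characters after a zero-width space.
HIDDEN = "".join(chr(0xE0000 + ord(c)) for c in "eval(x)")
SAMPLE_JS = "const x = 1;\nfunction f() { return x; }" + "\u200b" + HIDDEN + "\n"

if __name__ == "__main__":
    for line, col, cp, name in scan_source(SAMPLE_JS):
        print(f"line {line} col {col}: U+{cp:04X} {name}")
    print("hidden payload:", decode_tag_block(SAMPLE_JS))
```

    Run it over an extension's unpacked source tree before approving it; any finding outside a string literal that the author cannot explain is grounds to reject the extension.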

    Top threats in November 2025

    The Diamond Model

    This section leverages the Diamond Model of Intrusion Analysis to structure the examination of recent malware activity, providing a clear analytical framework that links adversary, capabilities, infrastructure, and victimology. By applying the Diamond Model, we can better contextualize malicious behavior, identify patterns across campaigns, and highlight the relationships between threat actors, tools, and targeted entities.

    KongTuke

    KongTuke is a sophisticated traffic-distribution system (TDS) first publicly observed around May 2024. Its core modus operandi involves injecting malicious JavaScript into otherwise legitimate websites, typically compromised WordPress sites, causing visitors to be redirected to fake “CAPTCHA” or verification pages. Historically, KongTuke has served as a gateway delivery mechanism rather than standalone malware, often acting as the first-stage distributor that loads other malware families, such as loaders or RATs.

    In the second half of 2025, KongTuke’s activity surged again, and it has been the most prevalent threat the CRU has observed in the past few months. One particularly alarming development is the use of a stealthier social-engineering variation called FileFix, an evolution of the older “ClickFix” technique, in which victims are tricked into pasting commands into the File Explorer address bar rather than the Run dialog, making detection harder. Through this, attackers have distributed a newly observed PHP-based variant of the remote access trojan Interlock RAT, a successor to (or variant of) the older NodeSnake RAT, starting around June 2025. Once deployed, the RAT performs reconnaissance on the infected host, collecting system information and enumerating services, drives, and network context.

    Aliases

    • LandUpdate808, TAG-124

    Infrastructure

    Recent IOCs


    Victimology

    • Recently targeted business sectors: Non-profit, education, accountants, transportation, engineering

    Capabilities

    MITRE ATT&CK Techniques

    Tactic   Technique ID   Technique Name
    Initial Access   T1189   Drive-by Compromise
    Execution   T1059.007   Command and Scripting Interpreter: JavaScript
    Execution   T1203   Exploitation for Client Execution
    Execution   T1204.004   User Execution: Malicious Copy and Paste
    Execution   T1106   Native API
    Defense Evasion   T1564.003   Hide Artifacts: Hidden Window
    Defense Evasion   T1202   Indirect Command Execution
    Defense Evasion   T1112   Modify Registry
    Defense Evasion   T1027   Obfuscated Files or Information
    Discovery   T1082   System Information Discovery
    Discovery   T1018   Remote System Discovery
    Discovery   T1518   Software Discovery

    Akira

    Akira first emerged in March 2023 as a ransomware-as-a-service (RaaS) operation. It quickly gained prominence by deploying a “double extortion” model, exfiltrating sensitive data from victims before encrypting files. The group’s targets have spanned a broad range of sectors globally, including automotive, energy, IT services, manufacturing, and education. Files encrypted by Akira typically receive the extension “.akira”, and ransom notes such as “akira_readme.txt” are dropped in affected directories on both Windows and Linux systems.

    In 2025, Akira’s activity has evolved and intensified. A joint advisory by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and other international partners was issued in November 2025, highlighting new variants of Akira, expanded targeting, and updated observed techniques. One of the key recent trends is a sharp rise in attacks exploiting vulnerable SSL VPN infrastructure, particularly devices from SonicWall. In many cases, threat actors gained access through compromised credentials or possibly zero-day flaws in VPN appliances. Once inside, they moved laterally, exfiltrated data, and encrypted systems in a shockingly short timeframe, sometimes within an hour. Additionally, the group remains a dominant ransomware actor, and security firms continue to list it among the most active and dangerous ransomware threats.

    Aliases

    • Akira, Megazord, Redbike

    Infrastructure

    Recent IOCs

    Related IP Address(es)
    66.165.243[.]39
    104.238.220[.]216

    Victimology

    • Recently targeted business sectors: Advertising, MSPs, agriculture, publishing

    Capabilities

    MITRE ATT&CK Techniques

    Tactic   Technique ID   Technique Name
    Initial Access   T1078   Valid Accounts
    Initial Access   T1190   Exploit Public-Facing Application
    Initial Access   T1133   External Remote Services
    Initial Access   T1566.001   Phishing: Spearphishing Attachment
    Initial Access   T1566.002   Phishing: Spearphishing Link
    Credential Access   T1003   OS Credential Dumping
    Credential Access   T1003.001   OS Credential Dumping: LSASS Memory
    Discovery   T1016   System Network Configuration Discovery
    Discovery   T1082   System Information Discovery
    Discovery   T1482   Domain Trust Discovery
    Discovery   T1057   Process Discovery
    Discovery   T1069.001   Permission Groups Discovery: Local Groups
    Discovery   T1069.002   Permission Groups Discovery: Domain Groups
    Discovery   T1018   Remote System Discovery
    Persistence   T1136.002   Create Account: Domain Account
    Defense Evasion   T1562.001   Impair Defenses: Disable or Modify Tools
    Command and Control   T1219   Remote Access Software
    Command and Control   T1090   Proxy
    Collection   T1560.001   Archive Collected Data: Archive via Utility
    Exfiltration   T1048   Exfiltration Over Alternative Protocol
    Exfiltration   T1537   Transfer Data to Cloud Account
    Exfiltration   T1567.002   Exfiltration Over Web Service: Exfiltration to Cloud Storage
    Impact   T1486   Data Encrypted for Impact
    Impact   T1490   Inhibit System Recovery
    Impact   T1657   Financial Theft

    ClearFake

    ClearFake is a malicious JavaScript framework first identified in July 2023. It works by compromising legitimate websites, often sites built with CMS platforms such as WordPress, and injecting malicious JavaScript into pages. When an unsuspecting user visits one of these compromised sites, ClearFake displays fake browser-update or error messages, such as “you need to update your browser” or “cannot display page,” via overlays or iframes.

    Through social engineering, the user is tricked into downloading a supposed “update” or update fix that is in fact malware: a loader that then brings down other malicious payloads, mainly information stealers. Over time, ClearFake has evolved: by mid-2024, it began using a technique dubbed ClickFix, in which victims are instructed to copy and paste malicious PowerShell commands into their terminal to continue the infection.

    In 2025, ClearFake remains a significant threat, and its operators have upgraded their tactics further. The latest variants incorporate Web3/blockchain capabilities: instead of hosting payloads on traditional servers, ClearFake now often retrieves malicious code from smart contracts on blockchains, notably the BNB Smart Chain. The “lures” shown to victims have also shifted: many campaigns now present fake CAPTCHA or Cloudflare-style human verification challenges to trick users into unwittingly executing the payload. Through this mechanism, 2025 saw thousands of websites, reportedly over 9,300, compromised and used to deliver malware, including information stealers such as Lumma Stealer and Vidar Stealer, to victims. Security analysts warn that this evolution, combining blockchain obfuscation, social engineering, and multi-platform targeting (Windows and macOS), makes ClearFake especially dangerous and harder to defend against.

    Aliases

    • clearfake

    Infrastructure

    Recent IOCs


    Victimology

    • Recently targeted business sectors: Healthcare, lawyers, non-profits, education

    Capabilities

    MITRE ATT&CK Techniques

    Tactic   Technique ID   Technique Name
    Initial Access   T1189   Drive-by Compromise
    Command and Control   T1102   Web Service
    Execution   T1059.001   Command and Scripting Interpreter: PowerShell
    Defense Evasion   T1027.010   Obfuscated Files or Information: Command Obfuscation
    Execution   T1059.007   Command and Scripting Interpreter: JavaScript
    Resource Development   T1584   Compromise Infrastructure
    Defense Evasion   T1027   Obfuscated Files or Information
    Command and Control   T1132.001   Data Encoding: Standard Encoding
    Defense Evasion   T1036   Masquerading
    Defense Evasion   T1140   Deobfuscate/Decode Files or Information
    Exfiltration   T1041   Exfiltration Over C2 Channel
    Command and Control   T1071.001   Application Layer Protocol: Web Protocols
    Command and Control   T1105   Ingress Tool Transfer
    Defense Evasion   T1574.001   Hijack Execution Flow: DLL
    Defense Evasion   T1218.005   System Binary Proxy Execution: Mshta

    New detections

    The following is a list of new detection signatures added to the ConnectWise SIEM in November 2025.

    [CRU][Windows] Obfuscated attempt to download JavaScript file

    Detects a file download attempt where obfuscated commands have been used to download malicious JavaScript files. This activity is suspicious and should immediately be investigated. False positives may occur for encoding errors or other legitimate applications.

    [Meraki] Configuration settings changed

    This detection identifies configuration changes made to Cisco Meraki devices. Configuration changes can indicate authorized administrative activity, but unauthorized or unexpected changes may represent insider threats, compromised administrative credentials, or persistence mechanisms established by an attacker.

    [EA][CRU][Windows] PowerShell script obfuscation via array

    Obfuscation can cause detections to miss malicious activity, but some obfuscation techniques can themselves be detected. One method of attempting to evade detection is to list the characters of a script in an array and then join them.
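    The array-then-join pattern this signature targets can be spotted in process-creation command lines with the logic below. This is an added detection example, not the ConnectWise SIEM signature; the log lines are constructed, and the regular expressions and thresholds are assumptions chosen for illustration.

```python
"""Flag PowerShell command lines that assemble a script from an array of single
characters or char codes and then join them, and rebuild the joined string for
the analyst. Added detection example; not the ConnectWise SIEM signature.
The process-creation log lines below are constructed."""
import re
from typing import List, Optional, Tuple

# Five or more quoted single characters separated by commas: 'W','r','i','t','e'
CHAR_ARRAY = re.compile(r"""(?:(['"])(.)\1\s*,\s*){4,}(['"])(.)\3""")
# Five or more 2-3 digit integers separated by commas: 87,114,105,116,101
CODE_ARRAY = re.compile(r"(?:\b\d{2,3}\b\s*,\s*){4,}\b\d{2,3}\b")
# The join step: -join operator, [string]::Join(), or a [char[]] cast
JOIN = re.compile(r"-join\b|\[string\]::join\(|\[char\[\]\]", re.IGNORECASE)

def decode_array(cmdline: str) -> Optional[str]:
    """Rebuild the string the array would join into; None if no array found."""
    m = CHAR_ARRAY.search(cmdline)
    if m:
        return "".join(re.findall(r"""['"](.)['"]""", m.group(0)))
    m = CODE_ARRAY.search(cmdline)
    if m:
        return "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(0)))
    return None

def is_array_obfuscated(cmdline: str) -> bool:
    """Require both pieces: a literal character array AND a join step.
    A bare number list (ports, sizes) without a join is not flagged."""
    return bool(JOIN.search(cmdline)) and decode_array(cmdline) is not None

def triage(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (command line, decoded fragment) for each flagged event."""
    return [(line, decode_array(line) or "") for line in log_lines if is_array_obfuscated(line)]

# Constructed CommandLine values; the first two join to a harmless "Write-Host".
SAMPLE_LOGS = [
    r'''powershell.exe -nop -w hidden -c "$s=('W','r','i','t','e','-','H','o','s','t') -join ''; & $s hi"''',
    r'''powershell.exe -c "& ([string]::Join('', [char[]](87,114,105,116,101,45,72,111,115,116))) hi"''',
    r'''powershell.exe -c "(Get-ChildItem C:\logs).Name -join ','"''',
    r'''powershell.exe -c "$ports = 80,443,445,135,139; Test-NetConnection -Port $ports[0]"''',
]

if __name__ == "__main__":
    for cmd, decoded in triage(SAMPLE_LOGS):
        print(f"FLAGGED: joins to {decoded!r}\n  {cmd}")
```

    Expect some noise from scripts that legitimately build strings from code-point lists; the decoded fragment tells the analyst quickly whether the joined text is a cmdlet name or an innocuous value.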

    [EA][CRU][Windows] Reverse SSH Tunnel

    SSH tunneling has legitimate uses, such as securing connections or allowing them to bypass certain restrictions, but it also allows attackers to get around firewall rules and obscure connections. Any surrounding activity should be investigated.

    [CRU][Windows] ZoomInfo Email InfoStealer Process Activity

    Detects process execution events seen from “ZoomInfoContactContributor.exe” or derivative processes. This product scrapes email information to be shared externally for lookup by anyone outside your organization who also uses the software. Data scraped includes email headers, address books, signatures, contacts, subject lines, V2 signatures, phone numbers, locations, and bounce codes. We recommend investigating this activity and removing this software.

    [CRU][Windows] ZoomInfo Email InfoStealer File Activity

    Detects file creation or DLL load events from processes associated with “ZoomInfo” or “ZoomInfoLite.” This product scrapes email information to be shared externally for lookup by anyone outside your organization who also uses the software. Data scraped includes email headers, address books, signatures, contacts, subject lines, V2 signatures, phone numbers, locations, and bounce codes. We recommend removing this software.

    [EA][CRU][Windows][LOLBAS] Suspicious fsutil execution

    Fsutil is a living-off-the-land binary (LOLBIN) used for legitimate file system operations. Attackers have been observed abusing fsutil in order to erase file data and query/manipulate USN journals to cover their tracks, in addition to a vulnerability discovered allowing arbitrary execution of a binary in the current working directory via the command “fsutil trace decode.”

    [CRU][Windows] Browser Extension Loaded via Command Line while Disabling Other Extensions

    Detects likely loading of a malicious extension observed in recent cryptomining attacks. Command line parameters that trigger this alert indicate the malicious extension is loaded, while also disabling all other extensions to ensure that they don’t interfere with its execution. We recommend investigating this activity.
