November 2025: Cyber Security Highlights

Posted on December 8, 2025

Attackers are increasingly leveraging AI platforms and massive-scale attack infrastructure to gain an edge. This November saw Anthropic disclose a suspected nation-state campaign that used Claude Code to autonomously scan, exploit and exfiltrate data from major global organisations, alongside a record-breaking 15.72 Tbps DDoS attack against Microsoft Azure services.

The month also reinforced persistent human and geopolitical risks, including an attempted insider data exfiltration at CrowdStrike, a major Nvidia chip smuggling operation bound for China, Europol-led takedowns targeting large-scale pirated IPTV streaming services, and continued success of phone-based social engineering attacks impacting Ivy League universities such as Harvard.

Techniques

Claude AI Platform Used for Sophisticated Cyber Espionage

Anthropic, maker of the Claude AI platform, has publicly revealed that in September 2025 it identified a suspected nation-state threat actor using its tooling to run a sophisticated espionage campaign against approximately 30 large global organisations. Targets spanned the technology, financial, chemical manufacturing and government sectors. Anthropic released its report publicly to raise awareness of how quickly these attacks are advancing.

The attack used Claude Code, a command-line (CLI) tool intended to let developers automate programming tasks. Claude Code can drive AI agents that take autonomous actions, chain tasks together and make decisions with minimal human intervention. In this case the attacker built an attack framework around Claude that could autonomously attack specified targets, and jailbroke the model by telling it that it was working for a legitimate cybersecurity firm carrying out authorised security testing, while breaking the operation into small tasks that each looked innocuous in isolation. This tricked the system into operating against real-world targets. Claude then autonomously scanned the target infrastructure to identify vulnerabilities, which it attempted to exploit using code it had researched and written itself. In the final stage, Claude ran these exploits to harvest credentials, create backdoors and exfiltrate data back to the human operator.

Anthropic reported that 80-90% of the campaign was performed autonomously by the AI, with only four to six decision points per campaign requiring human input. Notably, the report also says Claude hallucinated at times, fabricating system data or reporting credentials that did not actually work, so its output still needed a human to check it. AI substantially lowers the barrier to entry for sophisticated cyberattacks, allowing less experienced attackers to run advanced targeted operations. Organisations should keep following good security practice: monitor for threats at the network perimeter, scan regularly for vulnerabilities, and patch all systems promptly.

Azure Services Hit by 15.72 Tbps DDoS Attack from 500,000 IP Addresses

Microsoft has confirmed that its Azure services were hit by a 15.72 terabit per second (Tbps) DDoS (Distributed Denial of Service) attack launched from over 500,000 source IP addresses in early November. Microsoft attributed the attack to the Aisuru botnet, the same botnet behind the largest DDoS attack on record, which Cloudflare reported peaking at 22.2 Tbps in September 2025 against gaming providers and Cloudflare-protected services.

Aisuru is a Mirai-class botnet made up predominantly of residential networking and IoT equipment. It grew by a further 100,000 devices after the botnet operators compromised a TotoLink router firmware update server and pushed malicious firmware to TotoLink equipment. The attack was a UDP flood aimed at a single Microsoft public IP address in Australia. The traffic used random source ports with minimal source-address spoofing, which Microsoft noted actually simplified tracing the traffic back to the originating networks and working with upstream providers on enforcement. Large botnets have grown steadily as cheap IoT appliances and connected toys make their way into homes, and as more households obtain high-speed fibre connections capable of pushing large volumes of traffic. Thanks to Microsoft's DDoS protection capabilities and network routing measures, the attack was mitigated without an outage for customer workloads.
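The traffic profile described above (one destination IP, hundreds of thousands of distinct sources, almost entirely UDP, randomised source ports) is exactly the shape a flow-level detector keys on. The Python below is an added example and is not code from the original post, from Microsoft or from Cloudflare: it summarises flow records per destination and flags the destination that looks like a many-source UDP flood. The flow-record format, the thresholds and the sample traffic are all constructed for illustration.

```python
"""Detect a many-source UDP flood in flow records.

Added example, not code from the original post or from Microsoft or
Cloudflare. The flow-record format is a simplified stand-in for
NetFlow/IPFIX, the traffic is synthetic and the thresholds are
illustrative.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
import math
import random


@dataclass(frozen=True)
class Flow:
    """One flow record: who sent what to whom (constructed format)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int


def port_entropy(ports):
    """Shannon entropy in bits of the source-port distribution.

    Random 16-bit source ports give a high value (close to log2 of the
    number of flows); a single fixed port gives 0. Empty input gives 0.
    """
    if not ports:
        return 0.0
    n = len(ports)
    return -sum(c / n * math.log2(c / n) for c in Counter(ports).values())


def summarise(flows):
    """Group flows by destination IP and compute per-destination features."""
    by_dst = defaultdict(list)
    for f in flows:
        by_dst[f.dst_ip].append(f)
    summary = {}
    for dst, fl in by_dst.items():
        udp = [f for f in fl if f.proto == "UDP"]
        summary[dst] = {
            "packets": sum(f.packets for f in fl),
            "distinct_sources": len({f.src_ip for f in fl}),
            "udp_share": len(udp) / len(fl),
            "src_port_entropy": port_entropy([f.src_port for f in udp]),
        }
    return summary


def flag_udp_floods(flows, min_sources=1000, min_udp_share=0.9, min_entropy=8.0):
    """Return destination IPs whose inbound traffic has the shape described
    in the text: very many distinct sources, almost all UDP, randomised
    source ports. Thresholds are assumptions and would be tuned per network."""
    summary = summarise(flows)
    return sorted(
        dst for dst, s in summary.items()
        if s["distinct_sources"] >= min_sources
        and s["udp_share"] >= min_udp_share
        and s["src_port_entropy"] >= min_entropy
    )


def constructed_sample(bots=3000, seed=7):
    """Synthetic traffic for the demo: `bots` distinct source addresses
    flooding one victim IP over UDP from random high ports, plus ordinary
    HTTPS traffic from 40 clients to a second IP. Addresses are
    placeholders from documentation/private ranges, not real hosts."""
    rng = random.Random(seed)
    victim, web = "203.0.113.10", "203.0.113.20"
    flows = []
    for i in range(bots):
        src = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        flows.append(Flow(src, rng.randint(1024, 65535), victim,
                          rng.randint(1, 65535), "UDP", rng.randint(50, 500)))
    for i in range(200):
        src = f"192.0.2.{i % 40}"
        flows.append(Flow(src, rng.randint(32768, 60999), web, 443, "TCP",
                          rng.randint(5, 40)))
    return flows


if __name__ == "__main__":
    sample = constructed_sample()
    for dst, s in summarise(sample).items():
        print(dst, s)
    print("flagged:", flag_udp_floods(sample))
```

The source-port entropy feature is the interesting one: a flood from unspoofed hosts using random ports shows both a very large number of distinct source IPs and near-maximal port entropy, which is what makes per-source traceback and upstream enforcement feasible in the way Microsoft described. A real deployment would read NetFlow, IPFIX or sFlow exports in time windows and add rate features (packets and bits per second) rather than working from a static list.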

With the continued rapid escalation of DDoS attacks against public cloud infrastructure, attacks hitting major providers such as Microsoft and Amazon will keep growing in size. As organisations adopt cloud infrastructure as the new standard, global reliance on these providers to manage, secure and operate resilient systems increases. A race is developing between botnet operators and cloud providers, with ever larger attacks being met by more sophisticated defence mechanisms.

These attacks are a timely reminder for organisations using public cloud services or infrastructure to have adequate business continuity planning (BCP) in place that sets out how core business processes will be carried out during a cloud outage. More disruption and unanticipated outages are likely as these botnets continue to grow.

Happenings

[US] CrowdStrike Catches Insider Exfiltrating Information

CrowdStrike has confirmed that in November 2025 it identified and investigated an insider who took screenshots of sensitive internal information in return for cash payments. The screenshots, shared via the encrypted messaging application Telegram, are suspected to have gone to members of the ShinyHunters, Scattered Spider and Lapsus$ hacking groups; ShinyHunters claimed to have paid the insider USD 25,000 for the information and for remote access to CrowdStrike's network.

The screenshots reportedly included SSO (Single Sign-On) authentication cookies, which could have allowed the attackers to access CrowdStrike's internal systems, a very serious issue for a company that develops and distributes a widely used cybersecurity defence tool. However, by the time the attackers received the cookies, CrowdStrike had already detected the exfiltration and disabled the insider's account, and no customer information was compromised.

Even within security-focused organisations that build products to thwart cyber-attacks, employees can be bought by malicious actors and turn rogue. Thanks to well-configured internal security monitoring, CrowdStrike was able to stop what could have been a devastating attack on its business.

[US] US Authorities Uncover Nvidia Chip Smuggling Operation Bound for China

US authorities allege that four individuals operating under the guise of a real estate company conspired to send advanced Nvidia chips to China in an effort to circumvent US export controls on Nvidia GPUs. Prosecutors allege the group shipped 400 Nvidia A100 GPUs, and that a further attempt to export 50 of Nvidia's latest H200 chips and 10 HP supercomputers containing H100 GPUs was intercepted before reaching Asia. The group is reported to have been paid USD 3.9 million by two undisclosed Chinese companies to falsify the shipping documents, including the consignment details and declared value, before shipping the hardware.

Shipments were routed via Thailand and Malaysia before arriving in China. Southeast Asia has become a hotspot for chip smuggling and a region that both Nvidia and the US government are watching closely. The US Department of Commerce is currently considering restrictions on chip exports to Thailand and Malaysia as a way to curb further smuggling.

Text messages uncovered during the investigation suggest the chips may have been destined for the Chinese government, which cannot legally obtain the latest Nvidia semiconductors to advance its AI, military and surveillance capabilities. The four defendants face a raft of charges for violating export control laws that could carry up to 20 years in prison, showing how seriously the US takes slowing China's progress in the AI race.

[EU] Europol Takes Down IPTV Pirated Streaming Services

Illegal IPTV (Internet Protocol Television) services have gained significant traction in recent years as a cheap way to access TV channels and live sport from around the world without paying for separate subscriptions to each service or event. IPTV services often offer 1,000+ HD channels that users can access over the web for a small subscription fee.

Europol recently used OSINT (Open-Source Intelligence) gathering and cryptocurrency payment tracing to shut down Photocall, a platform that provided 1,127 pirated channels to 26 million annual users. The investigation uncovered approximately $100 million NZD in cryptocurrency transactions linked to the service, showing how many users are willing to pay for access to the content hosted on IPTV platforms. A settlement was reached with Photocall's operators, the details of which remain undisclosed, and the domain has been handed over to the Alliance for Creativity and Entertainment (ACE), an organisation formed by more than 50 major TV networks and film studios.

This latest takedown follows a trend of law enforcement and the private sector targeting these streaming services as they grow in popularity: Calcio, a sports streaming site with 123 million annual visitors, was taken down in September, along with Streameast, which boasted 1.6 billion annual visits. Unfortunately for law enforcement the problem is far from solved, as new providers appear overnight to fill the gap left by those whose domains are seized.

[US] Harvard the Latest Ivy League University to Fall Victim to a Social Engineering Attack

Following the data breaches at Princeton and the University of Pennsylvania in early November 2025, Harvard has confirmed a new breach in its environment. The university believes that information relating to alumni (of which it has approximately 400,000 worldwide), donors, parents of current and former students, and some current students has been leaked. Attackers are believed to have used a phone-based phishing attack to socially engineer their way into Harvard systems; Princeton and the University of Pennsylvania have also confirmed that their late-2025 compromises resulted from phishing and social engineering. The exposed data includes names, addresses, phone numbers, donation details and event attendance records. While this is not the most sensitive information the university holds on its students and alumni, it puts those affected at risk of follow-on phishing and fraud, and has caused reputational damage to these revered institutions.

The attack comes at a bad time for Harvard, which is still investigating another breach from mid-October 2025, when the infamous Cl0p ransomware gang added Harvard to its extortion site, claiming to hold sensitive data stolen from the institution that would be released if its ransom demands were not met. Cl0p claims to have exploited a recently discovered zero-day vulnerability in Oracle E-Business Suite, which is widely used around the world, and further breaches are likely to come to light in the coming weeks. While security experts may sound like a broken record on phishing, it remains one of the most successful mechanisms in an attacker's arsenal for breaching organisations. Organisations should continue running regular phishing exercises and social engineering tests against staff from all areas of the business, and educate them on how to recognise and respond to these threats. Giving staff the confidence to challenge or verify suspicious requests can make all the difference in protecting an organisation.