Daily Cyber Briefing

Digital Pirates, AI Backdoors, and the Critical Android RCE

Mike Housch Season 1 Episode 43

Today, we expose a sophisticated campaign where hackers use Remote Monitoring and Management tools to hijack physical cargo, leading to billions in losses, and analyze the dangerous new trend of malware like SesameOp abusing trusted AI APIs for stealthy command-and-control operations. Plus, we cover the major patches released by both Apple and Google, including a critical Android Remote Code Execution flaw that requires zero user interaction.

Welcome back to Cyber Scoops & Digital Shenanigans, the podcast diving into the deepest, darkest corners of the digital world. I’m your host, Mike Housch, and it is Tuesday, November 4th, 2025, and folks, we have a packed slate of news today showing how cybercrime is blurring the lines between the digital realm and physical world, alongside brand new tactics exploiting trust in modern collaboration and AI tools. Let’s jump right in.

Our first major scoop concerns the global supply chain, specifically the surface transportation industry. Threat actors are engaging in elaborate attack chains to breach freight brokers and trucking carriers, ultimately to steal physical cargo shipments. This isn't just about financial data theft; this is digitized cargo theft, a problem the National Insurance Crime Bureau (NICB) estimates costs the U.S. economy $35 billion annually.

Proofpoint researchers tracked this activity, noting nearly two dozen campaigns since August, though infrastructure has been active since at least January 2025. The process is disturbingly familiar, starting with social engineering. Hackers use a compromised load board account—that’s the marketplace used for booking truck loads—to post a fake load. When a carrier inquires, they respond with emails containing malicious URLs.

The payload is crucial: legitimate Remote Monitoring and Management, or RMM, tools. We’re talking about tools like ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N-able, and LogMeIn Resolve. Once installed, these RMMs grant the attacker full remote control, reconnaissance, and credential harvesting capabilities. The threat actor can then control the compromised machine, modify bookings, block dispatcher notifications, and book loads under the victim carrier’s identity. One victim carrier reported that the hacker deleted every booking email and blocked notifications after tricking a dispatcher into installing the RMM tool.

This suggests a high degree of insider knowledge about routes, timing, and high-value cargo types, enabling the criminals to select the most profitable shipments to steal, ranging from food and beverages to electronics. Proofpoint assesses with high confidence that these threat actors are working directly with organized crime groups to hijack the freight. It’s a chilling reminder that your digital security posture now directly impacts your physical inventory.

Now, let’s pivot from physical theft to the next great frontier for cybercriminals: hacking trust. Two major reports this week highlight how attackers are turning trusted, cloud-hosted tools into their command-and-control infrastructure and vectors for executive fraud.

First, Microsoft detailed a previously unseen backdoor they named SesameOp. What makes SesameOp insidious is its use of the OpenAI Assistants API as a command-and-control channel. This technique allows the malware to relay instructions between the infected system and the attackers by blending its network chatter with legitimate AI traffic destined for api.openai.com.

For defenders, this is messy. Seeing a connection to OpenAI’s API typically screams "business as usual," not "compromise". The malware is designed for stealth and long-term persistence, using sophisticated techniques like payload compression, layered encryption, and .NET AppDomainManager injection. Microsoft identified an API key used in this attack and notified OpenAI, who subsequently disabled the key and associated account. This incident demonstrates that if a service is cloud-hosted and trusted, it is now "fair game" for threat actors.

On a similar note, cybersecurity firm Check Point has revealed four serious, now-patched vulnerabilities in Microsoft Teams, one of the world's most widely used collaboration tools. These flaws could have fundamentally broken the digital trust users place in the platform.

By chaining these vulnerabilities together, attackers could achieve devastating results. They could impersonate senior executives, silently overwrite existing chat content without the tell-tale "Edited" label, spoof alerts to appear from trusted colleagues, and even forge caller identities in audio or video calls. Check Point’s chief technologist noted that threat actors don't need to break in anymore; they just need to bend trust. The implications are significant, allowing for plausible setups for financial fraud, credential theft, or malware delivery. Microsoft patched these issues throughout 2024, completing the final fix for the caller identity flaw at the end of October 2025.

Let's shift gears and talk about patching. It was a busy start to November 2025 for mobile security, with critical updates released for both Android and Apple devices.

Starting with Android: Google announced a fresh set of security updates that resolve two vulnerabilities in the platform’s System component. The most severe of these is a critical security vulnerability, tracked as CVE-2025-48593. This flaw could lead to remote code execution (RCE) with no additional execution privileges needed, and crucially, user interaction is not needed for exploitation. This critical issue affects Android versions 13, 14, 15, and 16.

The November 2025 fixes also mark a procedural shift, as they come with a single security patch level, the 2025-11-01 patch level. Historically, updates were split into two security patch levels. The second flaw resolved this month, CVE-2025-48581, affects devices running Android 16 and is a local escalation of privilege flaw that could allow an attacker to block security updates delivered through Mainline module installations. If you have an Android device, ensure you have the 2025-11-01 security patch level installed.

Meanwhile, Apple also rolled out extensive updates. iOS 26.1 and iPadOS 26.1 were released, patching 56 security defects. macOS Tahoe 26.1 was also released, patching 105 security defects. A major focus was the WebKit browser engine, with 19 flaws addressed in the iOS/iPadOS updates. Successful exploitation of these WebKit flaws could allow websites to exfiltrate data cross-origin, cause memory corruption, or allow applications to monitor keystrokes.

It’s worth noting a fascinating detail here: many of these WebKit bugs were reported by Google’s Big Sleep AI agent. This highlights the increasing role of AI tools in vulnerability discovery. Apple also rolled out updates for macOS Sequoia, macOS Sonoma, tvOS, watchOS, visionOS, and Xcode. Neither Apple nor Google has reported that these specific flaws are currently being exploited in the wild.

So, what are the key takeaways for security leaders, the CISOs out there listening?

First, the cargo theft attacks underscore the need for rigorous control over legitimate RMM tools. If attackers are using tools like ScreenConnect, you must restrict installation of unapproved RMM software and monitor your network activity closely. Blocking .EXE and .MSI file attachments at the email gateway is also a crucial defense.

Second, the SesameOp and Teams exploits remind us that we must secure what people believe, not just what systems process. Organizations relying on trust-based communication tools must adopt layered defenses, including anomaly detection and employee verification protocols to guard against internal manipulation and spoofing. The convergence of chat, workflows, and AI assistants means that trust is becoming easier to exploit.
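To make the first two takeaways concrete, here is an added example (not code from the podcast, Proofpoint, or Microsoft) that runs three allowlist checks over a few constructed telemetry events: an RMM product outside the approved set, a non-browser process reaching api.openai.com, and an .EXE/.MSI email attachment. The allowlists, executable names and log format are assumptions for illustration; a real deployment would key on vendor signer or hash data rather than name substrings.

```python
import json

# Assumed allowlists (placeholders for this example, not from the briefing).
APPROVED_RMM = {"screenconnect"}                    # the one RMM product this org sanctions
APPROVED_AI_CLIENTS = {"chrome.exe", "msedge.exe"}  # processes allowed to talk to OpenAI
BLOCKED_ATTACHMENT_EXT = (".exe", ".msi")

# Product names from the briefing, matched as case-insensitive substrings of the
# process image path. Heuristic only: vendors ship several differently named binaries.
RMM_KEYWORDS = ["screenconnect", "simplehelp", "pdq", "fleetdeck", "n-able", "logmein"]


def rmm_product(image):
    """Return the RMM keyword found in an image path, or None."""
    name = image.lower()
    return next((k for k in RMM_KEYWORDS if k in name), None)


def check_event(ev):
    """Return (rule, detail) when an event violates a control, else None."""
    kind = ev.get("type")
    if kind == "process":
        product = rmm_product(ev.get("image", ""))
        if product and product not in APPROVED_RMM:
            return ("unapproved_rmm", f"{ev['image']} on {ev['host']}")
    elif kind == "network":
        proc = ev.get("image", "").lower()
        if ev.get("dst_host", "").lower() == "api.openai.com" and proc not in APPROVED_AI_CLIENTS:
            return ("unexpected_openai_client", f"{proc} on {ev['host']}")
    elif kind == "email":
        bad = [a for a in ev.get("attachments", []) if a.lower().endswith(BLOCKED_ATTACHMENT_EXT)]
        if bad:
            return ("blocked_attachment", f"{', '.join(bad)} from {ev['sender']}")
    return None


def triage(jsonl):
    """Run check_event over JSON-lines telemetry and collect the hits in order."""
    hits = []
    for line in jsonl.splitlines():
        if line.strip():
            hit = check_event(json.loads(line))
            if hit:
                hits.append(hit)
    return hits


# Constructed telemetry: a sanctioned ScreenConnect service, a SimpleHelp binary in a
# dispatcher's Downloads folder, an odd process and a browser reaching OpenAI, one lure email.
SAMPLE_LOG = """\
{"type":"process","host":"dispatch01","image":"C:\\\\Program Files\\\\ScreenConnect Client\\\\ScreenConnect.ClientService.exe"}
{"type":"process","host":"dispatch02","image":"C:\\\\Users\\\\jdoe\\\\Downloads\\\\SimpleHelp-Remote-Access.exe"}
{"type":"network","host":"wrk07","image":"svchost_helper.exe","dst_host":"api.openai.com"}
{"type":"network","host":"wrk07","image":"chrome.exe","dst_host":"api.openai.com"}
{"type":"email","sender":"loads@example-broker.invalid","attachments":["rate_confirmation.pdf","load_4412_details.msi"]}
"""

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"[{rule}] {detail}")
```

The approved ScreenConnect service and the browser's OpenAI connection produce no alert, which is the point: the controls flag deviation from an explicit allowlist, not the tools or the API themselves.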

Finally, don't forget the fundamentals: Patch, patch, patch. Critical RCEs on Android and numerous vulnerabilities across the Apple ecosystem demonstrate that device hygiene remains paramount.

That wraps up this week’s dose of Cyber Scoops & Digital Shenanigans. We’ll catch you next time for more news from the front lines. Stay safe out there!