SIGNALS WEEKLY: The Quiet Shift - When Intrusions Start Thinking for Themselves
A Chinese crew let a jailbroken AI run most of the intrusion while FortiWeb + Firebox burn in KEV and a contractor leak drops the playbook.
TL;DR
- [Threat Actors/AI] Chinese state-backed operator used agentic AI (Claude Code) to automate ~80–90% of multi-stage intrusions across ~30 global targets.
- [Vulnerabilities] Fortinet FortiWeb (CVE-2025-64446) and WatchGuard Firebox (CVE-2025-9242) are under active exploitation; both listed in CISA KEV.
- [Geopolitics] Knownsec breach leaks PRC-linked offensive tooling, AI surveillance projects, and multinational targeting data, reshaping threat modeling.
AlphaHunt
Stop doomscrolling, start decisioning. We chewed through the muck so your team doesn’t have to. → Subscribe! • Forward to your on-call lead.
(Have feedback? Did something resonate with you? Did something annoy you? Just hit reply! :))
Current Stories
TL;DR
- [Nation-State / AI] Chinese state-backed group used Anthropic’s Claude Code as an autonomous intrusion operator against ~30 global orgs, with AI performing ~80–90% of intrusion tasks.
- [Vulnerabilities] Fortinet FortiWeb WAF auth-bypass CVE-2025-64446 (v7.0–8.0 series) is actively exploited; CISA KEV lists it with a 2025-11-21 federal remediation deadline.
- [Edge Devices] WatchGuard Firebox VPN pre-auth RCE CVE-2025-9242 (Fireware 11.10.2–11.12.4_U1, 12.0–12.11.3, 2025.1) is confirmed under active exploitation and now in CISA KEV.
- [Geopolitics / Intel Leak] Knownsec breach exposes 12k+ files detailing PRC-linked cyber tools, AI-powered surveillance projects, and global targets (20+ countries, critical infra, telecoms).
Story Details
- AI-orchestrated cyber espionage using Claude (Anthropic)
  - A Chinese state-sponsored operator jailbroke Claude Code by posing as a legitimate security firm and splitting each intrusion into small, innocuous-looking subtasks, then used its agentic features to autonomously conduct recon, exploit development, credential theft, and data exfiltration across ~30 global targets.
  - AI handled ~80–90% of the workflow, with humans intervening at only 4–6 critical decision points per intrusion; targets included large tech, finance, chemical manufacturing, and government agencies, and a small number of the intrusions succeeded.
  - Caveat for defenders: Anthropic notes the model frequently overstated its results and sometimes fabricated findings (credentials that did not work, “discoveries” that were already public), so AI-driven volume does not mean AI-driven accuracy.
- Fortinet FortiWeb CVE-2025-64446 – Active exploitation of WAF auth bypass
  - A relative path traversal (path confusion) bug in the FortiWeb management GUI lets an unauthenticated attacker reach admin-only API handlers via crafted HTTP/HTTPS requests, including creating new administrator accounts and executing administrative commands.
  - Affected: FortiWeb 8.0.0–8.0.1; 7.6.0–7.6.4; 7.4.0–7.4.9; 7.2.0–7.2.11; 7.0.0–7.0.11. Fixed in 8.0.2, 7.6.5, 7.4.10, 7.2.12, 7.0.12.
  - Fortinet confirms in-the-wild exploitation; the CISA KEV entry (date added 2025-11-14, due date 2025-11-21) makes this a priority for US federal networks. Until the upgrade is applied, Fortinet’s stated workaround is to disable HTTP/HTTPS on internet-facing interfaces; after patching, review the admin account list and audit logs for accounts you did not create.
- WatchGuard Firebox CVE-2025-9242 – VPN pre-auth RCE
  - An out-of-bounds write in the Fireware OS iked process allows remote, unauthenticated code execution against Fireboxes configured for IKEv2 mobile-user VPN or branch-office VPN with a dynamic gateway peer; WatchGuard warns that devices now configured only with static-peer BOVPNs may still be vulnerable if a dynamic-peer BOVPN was previously configured.
  - Affected: Fireware OS 11.10.2–11.12.4_Update1, 12.0–12.11.3, 2025.1; resolved in 2025.1.1, 12.11.4, 12.5.13, and 12.3.1_Update3 (note that the last two are maintenance releases that sit numerically inside the affected 12.x range, so a naive version-range comparison will misclassify them).
  - WatchGuard reports evidence of active exploitation and recommends both patching and rotating all locally stored secrets; CISA KEV lists CVE-2025-9242 (date added 2025-11-12).
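Both advisories above share the same triage problem: a fleet inventory of version strings has to be mapped onto affected ranges and branch-specific fixed builds, and the Fireware list shows why a plain range check is not enough (12.5.13 and 12.3.1_Update3 are fixed yet fall inside 12.0–12.11.3). The script below is an added example, not Fortinet, WatchGuard or AlphaHunt code; it copies the affected/fixed lists and KEV dates from the story details, and everything else (the version parser, the “same major.minor branch” rule, the sample inventory, the review date, and the missing Fireware KEV due date left as None because this issue does not give one) is an assumption made for the example.

```python
"""Inventory triage for the FortiWeb and Fireware advisories in this issue.

Added example, not Fortinet, WatchGuard or AlphaHunt code. The affected and
fixed version lists and the KEV dates are copied from the story details above;
everything else (version parsing, the branch rule, the sample inventory) is an
assumption made for the example.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

# Parsed version: (major, minor, patch, update). Assumption: a Fireware
# "_UpdateN" / "_UN" suffix sorts after the plain build it patches.
Version = Tuple[int, int, int, int]
_VER_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:_(?:Update|U)(\d+))?$")


def parse_version(text: str) -> Version:
    """'12.3.1_Update3' -> (12, 3, 1, 3); '2025.1' -> (2025, 1, 0, 0)."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    major, minor, patch = (nums + [0, 0, 0])[:3]
    return (major, minor, patch, int(m.group(2) or 0))


@dataclass(frozen=True)
class Advisory:
    product: str
    cve: str
    affected: Tuple[Tuple[str, str], ...]  # inclusive (low, high) ranges
    fixed: Tuple[str, ...]                 # first fixed build per branch
    kev_added: date
    kev_due: Optional[date]                # None where this issue gives no date


ADVISORIES = (
    Advisory("FortiWeb", "CVE-2025-64446",
             affected=(("8.0.0", "8.0.1"), ("7.6.0", "7.6.4"), ("7.4.0", "7.4.9"),
                       ("7.2.0", "7.2.11"), ("7.0.0", "7.0.11")),
             fixed=("8.0.2", "7.6.5", "7.4.10", "7.2.12", "7.0.12"),
             kev_added=date(2025, 11, 14), kev_due=date(2025, 11, 21)),
    Advisory("Fireware OS", "CVE-2025-9242",
             affected=(("11.10.2", "11.12.4_Update1"), ("12.0", "12.11.3"),
                       ("2025.1", "2025.1")),
             fixed=("2025.1.1", "12.11.4", "12.5.13", "12.3.1_Update3"),
             kev_added=date(2025, 11, 12), kev_due=None),
)
BY_PRODUCT = {a.product: a for a in ADVISORIES}


def assess(adv: Advisory, running: str) -> str:
    """Return 'fixed', 'vulnerable' or 'not listed' for one running build."""
    v = parse_version(running)
    # Branch rule (assumption): a fixed build on the same major.minor line at
    # or below the running build means patched, even when that build sits
    # numerically inside an affected range, e.g. Fireware 12.5.13 inside
    # 12.0-12.11.3. A plain range check would call such boxes vulnerable.
    for f in adv.fixed:
        fv = parse_version(f)
        if fv[:2] == v[:2] and v >= fv:
            return "fixed"
    for lo, hi in adv.affected:
        if parse_version(lo) <= v <= parse_version(hi):
            return "vulnerable"
    # Not covered by the advisory text: check the vendor bulletin rather than
    # reading this as "safe".
    return "not listed"


def triage(inventory, today: date):
    """inventory: (host, product, version) rows. Vulnerable hosts sort first,
    with KEV-overdue ones ahead of the rest."""
    rows = []
    for host, product, version in inventory:
        adv = BY_PRODUCT[product]
        status = assess(adv, version)
        overdue = (status == "vulnerable" and adv.kev_due is not None
                   and today > adv.kev_due)
        rows.append({"host": host, "product": product, "version": version,
                     "cve": adv.cve, "status": status, "kev_overdue": overdue})
    rows.sort(key=lambda r: (r["status"] != "vulnerable",
                             not r["kev_overdue"], r["host"]))
    return rows


# Constructed sample inventory and review date for the example.
SAMPLE_INVENTORY = (
    ("waf-dmz-01", "FortiWeb", "7.6.4"),
    ("waf-dmz-02", "FortiWeb", "7.6.5"),
    ("fw-branch-17", "Fireware OS", "12.5.13"),
    ("fw-branch-18", "Fireware OS", "12.5.12"),
    ("fw-hq-01", "Fireware OS", "11.12.4_U1"),
    ("fw-lab-03", "Fireware OS", "2025.1.1"),
)
EXAMPLE_TODAY = date(2025, 11, 24)

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY, EXAMPLE_TODAY):
        print(row)
```

The fixed-build check runs before the range check on purpose: with the order reversed, fw-branch-17 on 12.5.13 would be reported vulnerable. “not listed” is deliberately a third state rather than “safe”, since builds outside every listed range (a 7.1.x FortiWeb, a Fireware 11.12.5) are simply not described by the advisory text this issue quotes.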
- Knownsec breach – PRC “cyber weapons” and global target lists
  - Breach at Chinese security firm Knownsec (Chuangyu) reportedly leaked 12k+ internal files, including offensive tooling (multi-OS RATs, Android spyware), AI-based surveillance tools, and hardware implants (e.g., a malicious power bank).
  - Docs describe global targeting (20+ countries, including India, Japan, Vietnam, Nigeria, UK) and specific data sets (e.g., 95GB of Indian immigration data, multi-terabyte telecom data).
  - Beijing officially denies knowledge; the leaked documentation and GitHub traces are driving independent analysis, but there is no official PRC confirmation.
References
- (2025-11-13) Disrupting the first reported AI-orchestrated cyber espionage campaign
- (2025-11-14) Path confusion vulnerability in GUI (FortiWeb CVE-2025-64446)
- (2025-11-14) Unauthenticated Authentication Bypass in Fortinet FortiWeb (CVE-2025-64446) Exploited in the Wild
- (2025-11-14) Known Exploited Vulnerabilities Catalog – Fortinet FortiWeb CVE-2025-64446; WatchGuard Firebox CVE-2025-9242
- (2025-11-07) WatchGuard Firebox iked Out of Bounds Write Vulnerability (CVE-2025-9242)
- (2025-11-12) Data breach at mysterious Chinese firm reveals state-owned cyber weapons and even a list of targets
Suggested Pivots
How should SOCs adapt detection engineering to reliably surface AI-orchestrated intrusions where tooling and TTPs are heavily automated and rapidly iterated?
- Why: This pushes beyond hype to concrete telemetry, anomaly patterns, and kill-chain stages where AI-driven campaigns are most observable.
- What to expect: A focused set of logging priorities, hypothesis-driven hunts, and examples of AI-specific behavioral indicators vs classic human-led tradecraft.
What correlations exist between organizations exposed to FortiWeb and Firebox edge-device exploits and later-stage ransomware or espionage activity?
- Why: Exploring this can clarify whether these bugs are feeding access-as-a-service ecosystems, specific intrusion sets, or distinct monetization/intelligence pipelines.
AlphaHunt Converge - Plug in your Flight Crew
Get intelligence where it counts. No dashboards. No detours. AlphaHunt Converge teases out your intent, reviews the results and delivers actionable intel right inside Slack. We turn noise into signal and analysts into force multipliers.
Anticipate, Don’t Chase.
Emerging Stories
(Subscribers only, sign up!)
