24th November – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 24th November, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

The notorious “Scattered LAPSUS$ Hunters” group claimed responsibility for a supply-chain attack involving the Salesforce-integrated platform Gainsight. The group stated that data from 300 organizations was compromised, including Verizon, GitLab and Atlassian. […]

The post 24th November – Threat Intelligence Report appeared first on Check Point Research.
AI Analysis
Technical Summary
This threat intelligence report details multiple concurrent cyber threats and breaches observed during the week of 24th November 2025. The most prominent incident is a supply-chain attack by the “Scattered LAPSUS$ Hunters” group targeting Gainsight, a Salesforce-integrated platform, resulting in data compromise from approximately 300 organizations, including high-profile companies such as Verizon, GitLab, and Atlassian. Salesforce itself confirmed unusual activity related to Gainsight integrations and revoked all active access tokens, stating that no vulnerability in the core Salesforce platform was involved.

In Europe, Eurofiber France SAS experienced unauthorized access to its ticket management system, leading to customer data exfiltration, while Italian IT provider Almaviva suffered a cyberattack leaking 2.3 TB of sensitive files, including passenger passport data and defense contracts, though critical services remain operational. LG Energy Solution faced a ransomware attack at an overseas facility, with data theft claimed by the Akira gang. Microsoft Azure was targeted by a record 15.72 Tbps DDoS attack sourced from a Mirai-class IoT botnet, demonstrating the scale of current volumetric threats.

The report also highlights actively exploited vulnerabilities such as the Fortinet FortiWeb command injection (CVE-2025-58034), which allows authenticated remote code execution, and a high-severity Chrome V8 engine type confusion flaw (CVE-2025-13223) that enables code execution via crafted web pages. Additionally, phishing campaigns and fraudulent domains surged around Black Friday, with 1 in 11 new domains being malicious, and AI-driven scams impersonated European health regulators to sell fake products. Advanced persistent threats like APT24 continue to leverage techniques including encrypted C2 traffic and browser fingerprinting for large-scale espionage.
Overall, the report underscores a complex threat environment combining supply-chain compromises, ransomware, DDoS, data breaches, and social engineering attacks targeting European and global organizations.
Potential Impact
European organizations face significant risks from these threats due to their reliance on cloud platforms like Salesforce and Gainsight, telecommunications infrastructure, and critical national services such as railways. The Gainsight supply-chain attack compromises sensitive corporate data, potentially exposing intellectual property, customer information, and internal communications. The Eurofiber France breach threatens the confidentiality of customer data in the telecommunications sector, which is critical for secure communications. Almaviva’s breach impacts Italy’s national railway operator, potentially affecting passenger privacy and operational security. The ransomware attack on LG Energy Solution’s overseas facility highlights risks to manufacturing and energy sectors, with potential operational disruptions and data loss. The massive DDoS attack on Microsoft Azure demonstrates vulnerabilities in cloud service availability, which could affect European businesses relying on Azure-hosted services. The active exploitation of Fortinet and Chrome vulnerabilities increases the attack surface for European enterprises using these products, risking unauthorized code execution and system compromise. The surge in phishing and AI-driven scams exploiting European health regulator identities threatens public trust and could lead to financial fraud and data theft. Collectively, these threats could result in data breaches, operational downtime, financial losses, regulatory penalties under GDPR, and reputational damage for European organizations.
Mitigation Recommendations
European organizations should implement a multi-layered defense strategy tailored to these specific threats. For the Gainsight supply-chain attack, immediate revocation and rotation of integration tokens and credentials related to Gainsight and Salesforce integrations are critical, alongside enhanced monitoring of API usage and anomalous access patterns. Telecom providers like Eurofiber France must audit and harden access controls on ticketing and cloud systems, employing network segmentation and strict identity and access management (IAM) policies. Italian organizations, especially in critical infrastructure sectors like railways, should conduct comprehensive forensic analysis, enforce strict data access policies, and enhance endpoint detection and response (EDR) capabilities to detect lateral movement and ransomware deployment. To mitigate ransomware risks exemplified by the Akira gang, organizations should maintain offline backups, apply timely patches, and deploy advanced endpoint protection solutions with behavioral detection. Defenses against large-scale DDoS attacks require collaboration with cloud providers and ISPs to implement traffic filtering, rate limiting, and use of scrubbing services. Organizations must promptly patch known vulnerabilities such as Fortinet CVE-2025-58034 and Chrome CVE-2025-13223, and employ intrusion prevention systems (IPS) that can detect exploitation attempts. To combat phishing and AI-driven scams, organizations should enhance email filtering, conduct user awareness training focused on social engineering, and verify third-party communications through multiple channels. Finally, continuous threat intelligence sharing and incident response preparedness are essential to rapidly identify and contain emerging threats.
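The first two Gainsight recommendations above (revoke and rotate integration tokens, then watch API usage for anomalies) can be turned into a small triage script. The code below is an added example, not Check Point's or Salesforce's own tooling; the record layout, the connected-app name, the revocation cutoff and the daily call counts are all constructed assumptions, since the report gives no log format.

```python
"""Triage helpers for an integration-token revocation and API-volume review (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from statistics import mean, pstdev

UTC = timezone.utc


@dataclass(frozen=True)
class TokenRecord:
    """One OAuth/integration token as an admin export might list it (assumed layout)."""
    app_name: str
    token_id: str
    issued_at: datetime
    revoked: bool


def tokens_to_revoke(records, app_names, cutoff):
    """Return ids of still-active tokens for the named connected apps issued before the cutoff.

    After a provider-side mass revocation, anything that still shows as active for the
    affected integration and predates the cutoff is a leftover that must be revoked by hand.
    """
    wanted = {name.lower() for name in app_names}
    return sorted(r.token_id for r in records
                  if r.app_name.lower() in wanted and not r.revoked and r.issued_at < cutoff)


def anomalous_api_days(daily_counts, baseline_days=7, z=3.0):
    """Flag days whose API call volume exceeds a rolling baseline mean + z * stdev.

    daily_counts is a list of (day, count) tuples in chronological order. The stdev is
    floored at 1.0 so a perfectly flat baseline does not produce a zero threshold.
    """
    flagged = []
    for i in range(baseline_days, len(daily_counts)):
        day, count = daily_counts[i]
        base = [c for _, c in daily_counts[i - baseline_days:i]]
        if count > mean(base) + z * max(pstdev(base), 1.0):
            flagged.append(day)
    return flagged


# Constructed sample data: cutoff is the assumed time of the provider-wide revocation.
CUTOFF = datetime(2025, 11, 21, tzinfo=UTC)
TOKENS = [
    TokenRecord("Gainsight", "tok-001", datetime(2025, 11, 10, tzinfo=UTC), revoked=False),
    TokenRecord("Gainsight", "tok-002", datetime(2025, 11, 22, tzinfo=UTC), revoked=True),
    TokenRecord("Slack", "tok-004", datetime(2025, 11, 12, tzinfo=UTC), revoked=False),
    TokenRecord("gainsight", "tok-005", datetime(2025, 11, 20, tzinfo=UTC), revoked=False),
]
DAILY_CALLS = [("2025-11-10", 1000), ("2025-11-11", 1100), ("2025-11-12", 950),
               ("2025-11-13", 1050), ("2025-11-14", 1000), ("2025-11-15", 980),
               ("2025-11-16", 1020), ("2025-11-17", 1010), ("2025-11-18", 9800),
               ("2025-11-19", 990)]
```

Running `tokens_to_revoke(TOKENS, ["Gainsight"], CUTOFF)` lists the two leftover active tokens, and `anomalous_api_days(DAILY_CALLS)` flags the single day whose call volume is roughly ten times the baseline.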
Affected Countries
France, Italy, Germany, United Kingdom, Netherlands, Belgium, Spain
Technical Details
- Article Source: https://research.checkpoint.com/2025/24th-november-threat-intelligence-report/ (fetched 2025-11-24T10:53:21.783Z, 1005 words)
Threat ID: 69243921296ff79352ebfa49
Added to database: 11/24/2025, 10:53:21 AM
Last enriched: 11/24/2025, 10:53:38 AM
Last updated: 11/25/2025, 9:25:16 AM