ToddyCat APT Evolving, Harvard Breach Reported, SitusAMC Vendor Breach – Cybersecurity News [November 24, 2025]

by DuoCircle

Cyber incidents this week included ToddyCat deploying new tools to steal email data, Harvard reporting a breach affecting its alumni community, and a vendor compromise at SitusAMC exposing corporate records tied to major banks. Also this week, Asahi confirmed data theft affecting two million individuals, and OpenAI disclosed limited exposure of user information linked to a breach at its analytics provider Mixpanel. Here are this week’s top headlines.


ToddyCat APT Adopts New Techniques to Steal Corporate Email Data

The threat actor ToddyCat has been spotted using fresh techniques to steal corporate email data and authentication tokens. The group is deploying a custom C++ tool named TCSectorCopy, which copies Outlook OST files directly from the disk. By reading the underlying disk sectors sequentially rather than opening the file through the filesystem, the tool bypasses file locks and reaches the mailbox data even while Outlook is running. Active since 2020, the group is also using a new PowerShell variant of its TomBerBil malware to harvest browser history, cookies, and login credentials over SMB. This tool is specifically built to capture the browser’s encryption keys as well, allowing the stolen data to be decrypted offline.

On top of that, ToddyCat is aggressively pursuing cloud access tokens. The group has been using tools like SharpTokenFinder to hunt for plaintext Microsoft 365 OAuth tokens in process memory. When security controls get in the way, it switches to ProcDump to dump the email client’s process and extract the authentication material from the dump. This group is actively refining its methods to remain undetected inside compromised networks for as long as possible while it siphons off sensitive corporate data.
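As an added example (not from the article, and not code from ToddyCat or any vendor), the following Python pass over Sysmon-style events shows how a defender might flag the two behaviours described above: raw sector reads of the disk by a process outside an expected allowlist, and memory dumping of the mail client. The field names follow Sysmon’s RawAccessRead (ID 9), ProcessCreate (ID 1) and ProcessAccess (ID 10) events; the allowlist and the sample events are constructed assumptions.

```python
import re

# Sysmon Event IDs: 9 = RawAccessRead (\\.\ device opened for reading),
# 1 = ProcessCreate, 10 = ProcessAccess.
RAW_ACCESS_READ, PROCESS_CREATE, PROCESS_ACCESS = 9, 1, 10

# Processes expected to open the raw disk; assumed allowlist, tune per environment.
RAW_READ_ALLOWLIST = {r"c:\windows\system32\vssvc.exe"}
MAIL_CLIENT = "outlook.exe"
PROCESS_VM_READ = 0x10  # access right a memory dump needs

def find_alerts(events):
    """Return (rule, detail) tuples for events matching the behaviours above."""
    alerts = []
    for ev in events:
        eid = ev["EventID"]
        if eid == RAW_ACCESS_READ:
            image = ev.get("Image", "").lower()
            # Sector-level disk reads from an unexpected process (locked-file copying)
            if image not in RAW_READ_ALLOWLIST:
                alerts.append(("raw_disk_read", f"{image} read {ev.get('Device', '?')}"))
        elif eid == PROCESS_CREATE:
            cmd = ev.get("CommandLine", "").lower()
            # ProcDump launched with the mail client as its target
            if re.search(r"procdump(64)?\.exe", cmd) and MAIL_CLIENT in cmd:
                alerts.append(("mail_client_dump", cmd))
        elif eid == PROCESS_ACCESS:
            source = ev.get("SourceImage", "").lower()
            target = ev.get("TargetImage", "").lower()
            granted = int(ev.get("GrantedAccess", "0x0"), 16)
            # Any process reading the mail client's memory (token harvesting)
            if target.endswith(MAIL_CLIENT) and granted & PROCESS_VM_READ:
                alerts.append(("mail_client_memory_read", f"{source} -> {target}"))
    return alerts

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 9, "Image": r"C:\Windows\System32\vssvc.exe",
     "Device": r"\Device\HarddiskVolume2"},
    {"EventID": 9, "Image": r"C:\Users\Public\copytool.exe",
     "Device": r"\Device\HarddiskVolume2"},
    {"EventID": 1, "Image": r"C:\Temp\procdump64.exe",
     "CommandLine": r"procdump64.exe outlook.exe C:\Temp\o.dmp"},
    {"EventID": 10, "SourceImage": r"C:\Temp\reader.exe", "GrantedAccess": "0x1010",
     "TargetImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
]
if __name__ == "__main__":
    for rule, detail in find_alerts(SAMPLE_EVENTS):
        print(rule, detail)
```

The allowlist is the part that needs local tuning: backup agents and disk utilities legitimately open raw volumes, so start from observed baseline telemetry rather than an empty set.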


Harvard University Reports Data Breach Affecting Alumni and Community Members

Harvard University has confirmed a data breach exposing the personal information of alumni, donors, students, parents, and staff. The unauthorized access was detected last week within the Alumni Affairs and Development systems. The university says it immediately blocked the intrusion, is working with cybersecurity experts and law enforcement to investigate the incident, and has observed no further suspicious activity. The breach started with a phone phishing (vishing) attack, mirroring a similar security issue reported by another major institution earlier this month.

The compromised data is mainly related to fundraising and engagement, meaning it includes addresses, contact details, donation records, and event participation info. Fortunately, Harvard stated that these systems don’t typically store any highly sensitive data like Social Security numbers, passwords, or financial account details. The notifications began going out on November 22 to those affected, a group that ranges from alumni and their partners to university employees, though the full scale of the breach isn’t known yet.


Vendor Breach at SitusAMC Exposes Corporate Data From Leading Banks

SitusAMC, a major provider of real estate lending and investment solutions, has disclosed a data breach that exposed corporate data from several large financial institutions. The intrusion happened last week when an attacker gained access to the company’s systems. According to a public notice, the information accessed may include accounting records, legal agreements, and some details connected to clients’ customers. The company brought in law enforcement and outside security teams right away and has since reset credentials, shut down remote access tools, and updated its firewall rules. The good news is that no encryption malware was used, and all of its services are still up and running.


The FBI is also involved in the response effort. FBI Director Kash Patel confirmed to The New York Times that the bureau is working with affected organizations to figure out the full extent of the breach. However, no operational impact on banking services has been found so far. SitusAMC has not said which clients were affected, but reports indicate that several large financial institutions were notified. Experts say the breach is another reminder that attacks aimed at quietly stealing data are becoming more common, and that banks need closer oversight of the vendors handling their information.


Ransomware Hit on Asahi Leads to Data Theft Affecting Two Million People

Asahi has confirmed that the ransomware attack in late September resulted in the theft of personal information for roughly two million people. The company reported the breach right away, but system recovery is still ongoing and services are being restored gradually. The Qilin ransomware group took credit for the breach, listing Asahi on its leak site and claiming to have taken 27 gigabytes of data. The attackers accessed a wide range of sensitive details, including names, addresses, and phone numbers for over 1.5 million people who had contacted customer support. They also took data on 114,000 people who had received congratulatory or condolence messages, along with details for roughly 107,000 employees and nearly 168,000 of their family members.

The attackers apparently compromised network equipment first before moving into the data centre to deploy ransomware across servers and staff devices. Asahi said it will only restore systems once they are confirmed to be secure and is putting additional safeguards in place to prevent future incidents. Although the stolen data has not yet appeared online, experts note that groups like Qilin often leak information when ransoms go unpaid. Recovery can be slow in complex manufacturing environments, so customers are advised to watch for further updates.


OpenAI Confirms Exposure of User Information After Mixpanel Breach

OpenAI has reached out to some customers after their information was likely exposed during a security incident at Mixpanel, the analytics provider for its platform. Mixpanel flagged a smishing (SMS phishing) attack on November 8, though it reported that only a small number of accounts were affected. Mixpanel responded by securing accounts and resetting passwords to lock out the intruders. OpenAI confirmed that its own internal systems were untouched, meaning ChatGPT conversations, API keys, passwords, and payment info remain safe. However, the attackers did access an analytics dataset containing names, email addresses, device details, and approximate locations.

Because this data could be used for phishing or social engineering, the company is urging users to stay alert. OpenAI has taken Mixpanel out of its production environment as a precaution and is reviewing the exposed information with the vendor to determine the full impact. Affected organisations are being contacted directly, and OpenAI says it is monitoring closely for any misuse.
