VerSprite Weekly Threat Intelligence #45
Date Range: 15 December 2025 – 19 December 2025
Issue: 45th Edition
Reported Period Victimology

Security Triumphs of the Week
This week highlighted coordinated efforts to disrupt cybercrime: the FBI dismantled the E-Note crypto laundering platform, targeting middlemen facilitating ransomware payments, while Amazon thwarted North Korean job scams diverting funds to weapons programs. French authorities arrested suspects in separate cases involving a Ministry of the Interior breach and a malware-infected ferry, underscoring threats from state-linked actors and hacktivists. The FTC mandated Nomad repay $37.5 million for security failures enabling a $186 million hack, emphasizing accountability. Collectively, these actions reflect intensified global focus on choking financial networks, countering fraud, and addressing vulnerabilities exploited by criminals and nation-states.
FBI Dismantles Alleged $70M Crypto Laundering Operation
The FBI, alongside international and domestic agencies, dismantled the E-Note crypto laundering platform, seizing its infrastructure and charging Russian national Mykhalio Chudnovets. E-Note allegedly laundered over $70 million for cybercriminals, including ransomware groups, by converting illicit crypto into untraceable assets between 2017 and its takedown. The operation lacked anti-money laundering controls, enabling criminals to cash out proceeds from attacks on healthcare and critical infrastructure. Chudnovets faces up to 20 years if convicted but remains at large. This action reflects a broader strategy to disrupt cybercrime’s financial networks by targeting middlemen like mixers and exchanges. Authorities aim to increase operational costs for criminals by choking off money-laundering channels.
Read full article: Theregister
Amazon Blocked 1,800 Suspected North Korean Scammers Seeking Jobs
Amazon blocked over 1,800 suspected North Korean job applicants since April 2024, citing a 27% quarterly rise in DPRK-linked fraud attempts. Scammers use AI-generated resumes, deepfakes in interviews, and stolen identities to secure remote tech roles, diverting wages to fund North Korea’s weapons programs. They also exploit insider access to steal sensitive data and extort companies. A new BeaverTail malware variant with advanced evasion tactics targets multiple OS platforms, linked to North Korean hacking groups. Amazon employs AI screening and human verification but faces challenges as fraudsters hijack real accounts and use US-based “laptop farms” to mask locations. Recommendations include verifying identities, monitoring anomalies, and checking for resume inconsistencies.
Read full article: Theregister
France Arrests Suspect Tied to Cyberattack on Interior Ministry
French authorities arrested a 22-year-old suspect linked to a cyberattack on the Ministry of the Interior, which occurred in early December 2025. The individual, previously convicted for similar crimes, faces charges of unauthorized access to state data systems as part of an organized group. The breach compromised internal email servers and potentially exposed documents, though data theft remains unconfirmed. A BreachForums admin claimed responsibility, alleging retaliation for the 2025 arrests of five forum members and threatening to leak stolen police records on 16 million people. French officials have not verified these claims but tightened security protocols post-attack. Investigations by OFAC are ongoing, with further updates expected after the suspect’s custody period.
Read full article: Bleepingcomputer
France Arrests Latvian for Installing Malware on Italian Ferry
French authorities arrested a Latvian crew member of the Italian ferry “Fantastic” for allegedly installing malware to remotely control the vessel, suspecting foreign interference. A Bulgarian suspect was released without charges. The malware, detected by the ship’s operator Grandi Navi Veloci (GNV) while docked in Sète, was neutralized without operational impact. France’s counterespionage agency DGSI is investigating potential state-backed involvement, with Interior Minister Laurent Nuñez hinting at Russia’s history of sabotage. Separately, a 22-year-old was arrested for breaching the Interior Ministry’s email servers, facing up to 10 years in prison. Both cases highlight escalating cybersecurity threats.
Read full article: Bleepingcomputer
Blockchain Company Nomad to Repay Users Under FTC Deal After $186M Cyberattack
The FTC proposed a settlement requiring blockchain firm Nomad (Illusory Systems) to repay users $37.5 million following a 2022 cyberattack that stole $186 million. The breach exploited a vulnerability introduced via an inadequately tested code update, with customers losing around $100 million after partial recoveries. Nomad allegedly misled users about its “security-first” claims, failing to implement secure coding, vulnerability management, and incident response protocols. The settlement mandates Nomad to refund affected users within a year, establish a comprehensive security program, and undergo third-party audits. The company also launched a bounty program post-attack, offering immunity and 10% rewards for returning stolen funds. Nomad agreed to the terms, pending final FTC approval, and faces bans on security misrepresentations.
Read full article: Theregister
Security Setbacks of the Week
Critical infrastructure faced heightened cyber-physical threats as Venezuela’s PDVSA blamed U.S.-linked ransomware for disrupting oil operations amid escalating sanctions tensions, while Russian GRU-aligned actors exploited edge device misconfigurations to target Western energy sectors. Healthcare remained a prime ransomware focus, with Rhysida breaching MedStar Health and Sunflower Medical Group, exposing sensitive patient data and triggering lawsuits over inadequate safeguards. Third-party supply-chain vulnerabilities persisted, impacting 700Credit, the University of Sydney, and NHS supplier DXS International, alongside Clop’s exploitation of Gladinet servers. Geopolitical and criminal motives converged, exemplified by JLR’s costly payroll breach and Texas’ lawsuit against TV manufacturers over covert surveillance. Emerging threats included a critical Mintlify XSS flaw enabling cross-domain attacks, underscoring risks in shared infrastructure.
Medical Group Will Pay $1.2M to Settle Data Theft Lawsuit
Sunflower Medical Group agreed to a $1.2 million settlement following a ransomware attack by the Rhysida gang, compromising data of 255,734 individuals. The breach exposed sensitive information, including Social Security numbers, driver’s licenses, and insurance details. Victims can claim up to $5,000 for losses or a $10 payment, while plaintiff attorneys seek half the settlement for fees. Sunflower committed to enhancing cybersecurity measures, as required by the settlement. Rhysida continues to list the group as a victim, claiming theft of 3TB of data. The breach, occurring in December 2024, was reported in March 2025. A final settlement approval hearing is scheduled for March 6.
Read full article: Bankinfosec
Amazon Says Russian Hackers Behind Major Cyber Campaign to Target Western Energy Sector
Russian state-sponsored hackers linked to GRU have targeted Western energy sectors since 2021 by exploiting misconfigured edge devices, VPNs, and network appliances to infiltrate critical infrastructure. Amazon’s report highlights groups like Curly COMrades, which use Linux VMs on Windows systems and Hyper-V features for stealthy malware deployment. Attackers prioritize misconfigurations over zero-days to minimize detection, focusing on AWS-hosted virtual appliances. Amazon urges organizations to audit edge devices, check credential reuse, and monitor admin-portal access. The campaign underscores persistent threats to energy infrastructure, requiring enhanced edge security and threat-hunting measures ahead of 2026.
Read full article: Techradar
Venezuelan Oil Giant PDVSA Hit by Cyberattack Amid US Conflict
Venezuelan state-owned oil company PDVSA reported a cyberattack, suspected to be ransomware, disrupting systems and oil shipments, with internal memos indicating forced contingency measures. The Venezuelan government accused the U.S. of orchestrating the attack, linking it to escalating tensions over oil sanctions and a recent U.S. seizure of a Venezuelan oil tanker. PDVSA claims operations remain unaffected, but sources cite internal disruptions, including halted cargo deliveries and IT shutdowns. The U.S. has deployed warships near Venezuela and imposed a blockade on oil tankers, intensifying geopolitical conflict. PDVSA condemned the attack as part of U.S. efforts to undermine Venezuela’s energy sovereignty. The incident highlights ongoing cyber-physical threats in global energy sectors amid political strife.
Read full article: Techradar
MedStar Health Notifying Patients of Data Theft Breach
MedStar Health, a major Maryland-based healthcare provider, is notifying patients of a data breach involving the theft of 3.7 terabytes of sensitive information by the Rhysida ransomware gang. The breach occurred from September 12-16, 2025, compromising patient data such as Social Security numbers, diagnoses, medications, and treatment details. MedStar initiated an investigation, secured systems, and offered identity monitoring services. Rhysida leaked the data on its dark website, demanding 25 bitcoin, and faces a consolidated class-action lawsuit alleging negligence in safeguarding patient information. The gang has targeted multiple healthcare entities, including recent settlements with Sunflower Medical Group and Bayhealth Medical Center. This incident marks MedStar’s second major ransomware attack since 2016.
Read full article: Bankinfosec
Youth Sports, NCAA Insurance Claims Potentially Hacked
A Maine-based third-party administrator, National Accident Health General Agency (NAHGA), suffered a data breach in April 2025, potentially exposing the medical and personal data of 181,160 individuals. The breach involved claims data from youth sports, NCAA programs, daycare centers, and other organizations, compromising Social Security numbers, health insurance details, and medical treatment information. NAHGA detected unusual network activity on April 10, with unauthorized access occurring between April 8-11. Lawsuits allege inadequate security practices led to the theft of sensitive data, prompting class-action litigation seeking damages and improved safeguards. The incident follows a larger 2025 breach at Episource, affecting 5.4 million individuals. NAHGA has not yet appeared on HHS’s public breach tracker but faces scrutiny over its response.
Read full article: Bankinfosec
SoundCloud, Pornhub, and 700Credit All Reported Data Breaches, but the Similarities End There
The article discusses three distinct data breaches involving 700Credit, SoundCloud, and Pornhub, highlighting varying impacts and causes. 700Credit suffered a third-party API supply-chain attack exposing sensitive PII (names, SSNs) of 5.6 million users, posing high identity theft risks. SoundCloud experienced unauthorized access to an internal dashboard, leaking emails and public data of 20% of its user base, deemed low-risk. Pornhub faced a disputed breach via third-party analytics provider Mixpanel, exposing Premium users’ activity records (e.g., viewing habits, emails), creating blackmail potential. Each breach underscores differing threats: 700Credit’s identity theft risks, Pornhub’s reputational harm, and SoundCloud’s minimal exposure.
Read full article: Malwarebytes
University of Sydney Suffers a Data Breach Exposing Student and Staff Info
The University of Sydney experienced a data breach after hackers accessed an online coding repository containing historical personal data of over 27,000 students, staff, and alumni. Compromised information includes names, birthdates, addresses, phone numbers, and employment details. The breach, detected and contained last week, impacted current and former staff (22,500) and students/alumni (5,000). The university notified authorities, initiated personalized alerts, and established a support service. While stolen data was downloaded, there is no evidence of public exposure or misuse. This follows a 2023 third-party breach affecting international applicants. Affected individuals are advised to enhance account security and monitor for phishing attempts.
Read full article: Bleepingcomputer
JLR: Payroll Data Stolen in Cybercrime That Shook The UK Economy
A cyberattack on Jaguar Land Rover (JLR) in August compromised sensitive payroll data of current and former employees, including bank details, tax codes, and benefits information. The breach, attributed to the Scattered Lapsus Hunters group, halted production for over a month, costing JLR £1.5 billion in lost sales and £196 million in breach-related expenses. The incident impacted the UK economy, contributing to a GDP contraction and estimated systemic losses up to £2.1 billion. JLR notified affected individuals and regulators but has not confirmed hackers’ claims of stolen customer data. Employees were warned to monitor for fraud and phishing. The attack underscores vulnerabilities in corporate cybersecurity, particularly for firms outsourcing critical IT functions.
Read full article: Theregister
NHS Tech Supplier Probes Cyberattack on Internal Systems
DXS International, an NHS technology supplier, experienced a cyberattack targeting its office servers early Sunday, prompting an investigation involving third-party forensics and NHS England. The incident was contained swiftly, with minimal disruption to frontline clinical services. DXS notified regulators, including the Information Commissioner’s Office, and law enforcement. While the company’s ExpertCare solution, used by 2,000 GPs managing 17 million patients, remained operational, the full scope of the breach is under review. NHS England stated no patient services were impacted, though DXS did not disclose the total number of affected NHS customers. The attack highlights ongoing cybersecurity risks facing healthcare supply chains.
Read full article: Theregister
Clop Ransomware Targets Gladinet CentreStack in Data Theft Attacks
The Clop ransomware group is actively targeting internet-exposed Gladinet CentreStack file servers in a data theft campaign, exploiting an unknown vulnerability (potentially a zero-day or unpatched flaw). Gladinet CentreStack, used globally for secure file sharing without VPNs, has faced prior attacks prompting security updates. Clop has a history of breaching file-transfer systems like Accellion, GoAnywhere, and MOVEit, with recent attacks leveraging an Oracle EBS zero-day (CVE-2025-61882). Over 200 CentreStack servers are potentially vulnerable, with stolen data leaked on Clop’s dark web site. The U.S. State Department offers a $10M reward for information linking Clop to foreign governments. Gladinet has not yet commented on the ongoing incidents.
Read full article: Bleepingcomputer
Texas is Suing All of the Big TV Makers for Spying On What You Watch
Texas is suing major TV manufacturers Sony, Samsung, LG, Hisense, and TCL for allegedly spying on users’ viewing habits via Automatic Content Recognition (ACR) technology. The lawsuit claims these companies secretly collect data on watched content including streaming, connected devices, and security cameras without clear consent, using it for targeted advertising. Texas Attorney General Ken Paxton accuses the firms of deceptive practices, citing hidden disclosures and frequent data capture, such as screenshots every 500 milliseconds. The suit highlights concerns over Chinese-based Hisense and TCL potentially enabling foreign surveillance. It seeks penalties and an injunction against unauthorized data collection, invoking Texas’ Deceptive Trade Practices Act. This follows Vizio’s 2017 $2.2 million settlement over similar ACR-related violations.
Read full article: Hackernews
We Pwned X, Vercel, Cursor, and Discord Through a Supply-Chain Attack
A 16-year-old researcher and collaborators discovered a critical cross-site scripting (XSS) vulnerability in Mintlify, an AI documentation platform used by major companies like Discord, X, Vercel, and Cursor. The flaw allowed injecting malicious scripts via SVG files through a misconfigured endpoint, enabling credential theft across customer domains via a single link. Exploiting Mintlify’s supply-chain role, attackers could compromise high-profile targets by hijacking shared infrastructure. Discord temporarily shut down its documentation, reverting to an older platform, while Mintlify patched the issue collaboratively. The team received ~$11,000 in bounties, highlighting risks of third-party dependencies in critical systems.
Read full article: Hackernews
The New Emerging Threats
Emerging cyber threats increasingly exploit trusted platforms and advanced evasion tactics, with malvertising campaigns like AtomicOS targeting macOS users via poisoned AI content and Google ads, while YouTube’s Ghost Network distributes GachiLoader through hijacked accounts. RansomHouse’s upgraded Mario ransomware employs dual-key encryption to hinder decryption, and Phantom Stealer v3.5 leverages obfuscated XML files to mimic Adobe installers. Decentralized crime models, task scams, and law enforcement impersonation tactics highlight attackers’ diversification, alongside supply chain attacks like Tea Protocol token farming and malicious Firefox extensions. These trends underscore adversaries’ growing sophistication in exploiting trust, evading detection, and monetizing stolen data, necessitating proactive defense strategies and user vigilance.
New MacOS Malware Exploits Trusted AI and Search Tools
A new macOS malware campaign dubbed AtomicOS (AMOS) uses malvertising and poisoned AI-generated content to distribute infostealers. Attackers created fake ChatGPT and Grok conversations offering fraudulent “free disk space” guides, instructing users to run malicious Terminal commands. These conversations were promoted via Google ads, appearing atop search results for related queries. The malware steals sensitive data, passwords, and crypto wallet info. The campaign exploits trust in Google, ChatGPT, and Grok to enhance credibility, mimicking legitimate troubleshooting. This method mirrors the ClickFix technique but targets users actively seeking solutions to real issues, increasing infection risks. Researchers confirmed the attacks’ effectiveness in real-world cases.
Read full article: Techradar
Task Scams are Tricking Thousands, Costing Jobseekers Millions
A surge in “task scams” or “gamified job scams” targeting job seekers has led to over $6.8 million in losses in 2025, marking a 485% annual increase. Scammers lure victims with simple online tasks (e.g., liking videos) and small cryptocurrency payouts to build trust, then escalate demands for larger deposits to unlock earnings. Withdrawals are blocked, and victims are pressured to keep investing, resulting in significant financial harm. These scams exploit the challenging job market, with 7.5 million Americans unemployed. Experts warn that legitimate employers never require payments for earnings access. CNC Intelligence highlights communication via platforms like WhatsApp or Telegram and overly generous terms as red flags.
Read full article: Techradar
YouTube Ghost Network: The New GachiLoader Malware Hiding in Your Favorite Video Links
A new malware campaign dubbed “YouTube Ghost Network” is exploiting hijacked YouTube accounts to distribute GachiLoader, a Node.js-based malware loader. Attackers upload videos promoting cracked software or game cheats, embedding links to malicious files hosted externally. GachiLoader employs heavy obfuscation and deploys Kidkadi, a component using a novel Portable Executable injection technique to evade detection by abusing Vectored Exception Handling. This facilitates the delivery of Rhadamanthys, a credential-stealing infostealer. Check Point Research highlights the campaign’s sophistication, leveraging trust in YouTube to target users seeking pirated tools. Users are advised to avoid suspicious downloads, while platforms and security teams work to mitigate the threat.
Read full article: Securityonline
Phantom v3.5 Alert: New Info-Stealer Disguised as Adobe Update Uses SMTP to Loot Digital Lives
A new variant of the Phantom info-stealer (v3.5) is distributing malware disguised as a fake Adobe 11.7.7 installer via obfuscated XML files. The malware uses embedded JavaScript to trigger PowerShell commands, downloading payloads from malicious domains to harvest sensitive data, including browser credentials, crypto wallets, and system information. Unlike typical stealers, Phantom v3.5 exfiltrates stolen data via SMTP, with base64-encoded credentials hardcoded into its configuration. The campaign underscores risks of unverified software downloads, as attackers exploit legitimate-looking files to bypass user suspicion. Users are urged to verify update sources and avoid non-standard installer formats like XML scripts.
Read full article: Securityonline
Mario’s Deadly Upgrade: RansomHouse Unveils Dual-Key Encryption to Defeat Backups and Recovery
RansomHouse, operated by the Jolly Scorpius group, has upgraded its “Mario” ransomware with a dual-key encryption system and dynamic chunk processing to hinder decryption and analysis. The new multi-layered approach replaces simpler methods, encrypting files in variable-sized chunks to complicate reverse engineering. The dual-key mechanism requires both keys for decryption, rendering backups and recovery tools ineffective. The group, linked to 123 victims since 2021, targets critical sectors via double extortion (data theft and encryption). This evolution highlights ransomware actors’ increasing investment in advanced techniques to bypass security controls, urging defenders to adopt adaptive strategies against evolving threats.
Read full article: Securityonline
Darkweb Powers Decentralized Financial Crimes
The article discusses the rise of decentralized financial crimes facilitated by darkweb tools and ransomware-as-a-service (RaaS) models, targeting financial institutions. Ryan Cole of Searchlight Cyber highlights how attackers leverage decentralized operations, resembling franchises, to evade takedowns: disrupting one group doesn’t halt others. Initial access brokers exploit third-party vendors’ weak defenses, using anonymity and darkweb resources to amplify ransomware threats. Cole emphasizes proactive defense strategies, urging organizations to simulate attacks to identify vulnerabilities before criminals do. The darkweb’s role in credential sales and supply chain gaps further exacerbates breach risks. Effective mitigation hinges on speed: discovering and patching vulnerabilities faster than attackers can exploit them.
Read full article: Bankinfosec
Hackers Posing as Law Enforcement are Tricking Big Tech to Get Access to Private Data
Cybercriminals are impersonating law enforcement to fraudulently obtain private user data from major tech companies like Apple and Google. Tactics include typosquatted email domains mimicking police agencies and Business Email Compromise (BEC) attacks to hijack official accounts. Tech firms, legally obligated to share data with law enforcement under specific conditions, are targeted via forged emergency requests or investigations. These scams exploit corporate compliance processes to steal personal information for identity theft and fraud. Companies now rely on verified data-request portals to mitigate risks, though BEC attacks remain effective due to their perceived legitimacy. The trend highlights vulnerabilities in handling sensitive law enforcement data exchanges.
Read full article: Techradar
Pig Butchering is the Next “Humanitarian Global Crisis” (Lock and Code S06E25)
The article discusses “pig butchering,” a devastating online investment scam where fraudsters build emotional connections with victims via social platforms before luring them into fake cryptocurrency investments. Scammers use fabricated websites to display false returns, convincing victims to invest life savings, which are stolen outright. With over $6.5 billion stolen globally in 2024, the scam’s scale and human toll are likened to a humanitarian crisis. Experts criticize platforms like Meta for inadequate prevention and highlight their ties to transnational crime networks. The podcast features Erin West, who underscores the scam’s societal impact beyond financial loss, emphasizing urgent global intervention.
Read full article: Malwarebytes
VPN Betrayal: Popular “Free” Extensions Caught Siphoning 8 Million Users’ Private AI Chats
A popular free VPN browser extension, Urban VPN Proxy, along with related extensions, was found harvesting 8 million users’ private AI chat data from platforms like ChatGPT, Claude, and Gemini. The extensions hijacked browser APIs to steal full chat transcripts, including personal details, and shared them with marketing firms for targeted ads. Collected data included user prompts, AI responses, session metadata, and identifiers. Disabling VPN or ad-blocking features did not stop data collection; uninstalling the extensions was the only remedy. Some extensions were removed from Chrome and Edge stores, with affected users seeing automatic uninstalls. This breach highlights risks of free VPN tools exploiting browser extensions for covert data exfiltration.
Read full article: Securityonline
The Ghosts of WhatsApp: How GhostPairing Hijacks Accounts
A new WhatsApp account takeover campaign dubbed GhostPairing tricks users into linking attackers’ devices via phishing. Attackers send messages with fake Facebook login pages, prompting victims to enter their phone numbers, then exploit WhatsApp’s device-pairing flow by sending QR codes or numeric codes. The latter method is stealthier, as victims unknowingly approve the attacker’s device. Once linked, attackers gain full access to messages, media, and contacts, enabling impersonation, scam propagation, and data theft. To mitigate risks, enable two-step verification, avoid unsolicited links, and monitor linked devices. If compromised, revoke unauthorized devices and alert contacts immediately.
Read full article: Malwarebytes
SantaStealer Stuffs Credentials, Crypto Wallets Into a Brand New Bag
A new infostealer named SantaStealer, advertised on Telegram as a rebranded version of Blueline Stealer, targets credentials, sensitive documents, and cryptocurrency wallets. Marketed by Russian-speaking operators for $175–$300 monthly, it claims undetectability but currently lacks robust anti-analysis features, making samples easy to analyze. The malware uses in-memory execution to evade detection and exfiltrates data via unencrypted HTTP. Rapid7 researchers note its operators avoid targeting Russian-speaking victims, suggesting their origin. Despite its shortcomings, SantaStealer poses risks as an initial access tool for ransomware groups. Defenders are advised to monitor for IoCs and avoid suspicious links or commands.
Read full article: Theregister
Crypto Theft in 2025 Concentrated in Fewer, Larger Breaches
In 2025, cryptocurrency theft surged to over $3.4 billion, driven by fewer but larger breaches, notably North Korean state-linked attacks. The Bybit hack alone accounted for $1.5 billion, highlighting a trend where sophisticated actors target centralized services for high-value exploits. Chainalysis data reveals that the top three breaches constituted 69% of losses, emphasizing the disproportionate impact of access-driven compromises. While DeFi protocols saw reduced theft despite increased capital inflows, individual wallet breaches rose, though losses per victim declined. North Korean hackers relied on specialized laundering networks, favoring Chinese services and cross-chain tools. Improved detection and response in DeFi mitigated some attacks, but centralized platforms remain prime targets due to their high returns.
Read full article: Bankinfosec
CEO Spills the Tea About Massive Token Farming Campaigns
The Tea Protocol, aimed at rewarding open source developers, faced large-scale token farming attacks during its testnet phase, with attackers flooding npm registries with over 15,000 spam packages in 2024 and 150,000+ malicious packages in 2025 to exploit rewards. These campaigns highlighted vulnerabilities in software supply chains, mirroring tactics used by groups like North Korea’s Lazarus. Tea’s founders, including Homebrew creator Max Howell, are redesigning the protocol for its 2026 mainnet launch, adding ownership checks, Sybil attack monitoring, and integration with PKGW to verify code quality and penalize spam. Future plans include automated bug bounties and SBOMs to help enterprises secure dependencies, with banking firms already piloting bounty programs. The goal is to sustainably reward developers while deterring fraud.
Read full article: Theregister
Firefox Security Warning – Multiple Browser Addons Found to be Riddled With Malware, So Be On Your Guard
Koi Security identified 17 malicious Firefox browser extensions, collectively named “GhostPoster,” which were downloaded over 50,000 times. These add-ons contained backdoors, injected tracking code, hijacked affiliate links, stripped security headers, and enabled ad fraud. Some extensions hid malicious JavaScript in PNG files to fetch payloads from remote servers. The malware also bypassed CAPTCHAs and injected self-destructing iframes for click fraud. Mozilla removed the extensions and updated detection systems to block similar threats. Users are urged to uninstall affected add-ons and secure accounts, as attackers could escalate to credential theft or phishing.
Read full article: Techradar
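The GhostPoster item above mentions extensions that tucked JavaScript into PNG files. The check below is an added example written for this digest, not Koi Security's or Mozilla's tooling: it walks a PNG's chunk structure, looks for script-like text in tEXt/zTXt/iTXt metadata chunks and in any bytes appended after the IEND chunk, and verifies chunk CRCs. The sample images it scans are constructed in the block itself; the marker list and thresholds are assumptions a reviewer would tune for their own extension corpus.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Assumed heuristic: strings that rarely belong in image metadata but
# usually appear when a script is smuggled inside a PNG.
SCRIPT_MARKERS = re.compile(
    rb"(?:<script|eval\(|fetch\(|XMLHttpRequest|document\.write)", re.IGNORECASE
)


def iter_png_chunks(data: bytes):
    """Yield (type, payload, crc_ok, end_offset) per chunk; stop at IEND or truncation."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(payload) < length or len(crc_bytes) < 4:
            break  # truncated chunk
        crc_ok = (zlib.crc32(ctype + payload) & 0xFFFFFFFF) == struct.unpack(">I", crc_bytes)[0]
        chunk_end = pos + 12 + length
        yield ctype, payload, crc_ok, chunk_end
        pos = chunk_end
        if ctype == b"IEND":
            break


def scan_png(data: bytes) -> dict:
    """Return {'suspicious': bool, 'findings': [...]} for a PNG byte string."""
    findings = []
    end = None
    for ctype, payload, crc_ok, chunk_end in iter_png_chunks(data):
        name = ctype.decode("latin-1")
        if not crc_ok:
            findings.append(f"bad CRC on {name} chunk")
        if ctype in (b"tEXt", b"zTXt", b"iTXt"):
            text = payload
            if ctype == b"zTXt":
                # zTXt layout: keyword, NUL, 1-byte compression method, zlib stream
                null = payload.find(b"\x00")
                try:
                    text = zlib.decompress(payload[null + 2:])
                except zlib.error:
                    findings.append("undecompressable zTXt chunk")
            if SCRIPT_MARKERS.search(text):
                findings.append(f"script-like content in {name} chunk")
        if ctype == b"IEND":
            end = chunk_end
    if end is None:
        findings.append("no IEND chunk")
    elif end < len(data):
        trailing = data[end:]
        findings.append(f"{len(trailing)} bytes after IEND")
        if SCRIPT_MARKERS.search(trailing):
            findings.append("script-like content after IEND")
    return {"suspicious": bool(findings), "findings": findings}


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_png(extra_chunks=(), trailing: bytes = b"") -> bytes:
    """Construct a minimal 1x1 grayscale PNG (sample input, not a real extension asset)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
    for ctype, payload in extra_chunks:
        png += _chunk(ctype, payload)
    return png + _chunk(b"IEND", b"") + trailing


if __name__ == "__main__":
    sample = build_png(extra_chunks=[(b"tEXt", b"Comment\x00fetch('https://example.invalid/p')")])
    print(scan_png(sample))
```

The CRC check matters as much as the text search: an attacker who appends a payload after IEND leaves every chunk intact, so the trailing-bytes finding is the signal, whereas a payload spliced into an existing chunk without recomputing the CRC shows up as a CRC mismatch. Benign metadata such as an Author tEXt chunk produces no finding.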
Vulnerability Spotlight: Critical Exposures Unveiled
Critical vulnerabilities across network appliances, cloud platforms, and firmware components dominated this week’s threat landscape, with multiple zero-days actively exploited by advanced threat actors. State-linked groups targeted Cisco Secure Email Gateways and SonicWall SMA devices for persistent access, while SAML authentication bypass flaws in Fortinet products exposed enterprise networks to SSO compromise. High-risk flaws in Kubernetes, FreeBSD, and Apache Log4j highlighted systemic risks in credential caching, IPv6 handling, and TLS validation, requiring immediate patching. Cross-platform vulnerabilities in visualization tools (Kibana) and webmail systems (Roundcube) demonstrated persistent risks in input sanitization, enabling data exfiltration and session hijacking. Urgent firmware updates and credential rotation remain critical as attackers exploit memory corruption, UEFI weaknesses, and VPN flaws to bypass security controls.
Visualizations Weaponized: New Kibana Flaw Allows XSS Attacks via Vega Charts
A high-severity XSS vulnerability (CVE-2025-68385, CVSS 7.2) in Kibana’s Vega visualization tool allows authenticated attackers to inject malicious scripts via crafted charts. Exploiting improper input sanitization, attackers could hijack sessions, execute unauthorized actions, or exfiltrate data when victims view compromised dashboards. The flaw impacts Kibana versions 7.x, 8.0.0–8.19.8, 9.0.0–9.1.8, and 9.2.0–9.2.2. Elastic released patched versions (8.19.9, 9.1.9, 9.2.3) and advises immediate upgrades, particularly for 7.x users. The issue highlights risks in visualization tool flexibility and underscores the need for prompt patch deployment to mitigate privilege escalation threats.
Read full article: Securityonline
Another Bad Week for SonicWall as SMA 1000 Zero-Day Under Active Exploit
SonicWall disclosed an actively exploited zero-day vulnerability (CVE-2025-40602) in its SMA 1000 series appliances, enabling privilege escalation and remote code execution when chained with a previously patched flaw (CVE-2025-23006). The vendor urged immediate updates and restricted console access to trusted networks. This follows a September breach where state-backed actors compromised SonicWall’s MySonicWall cloud backup service, exposing all customer firewall configurations, contradicting initial claims of limited impact. Hundreds of exposed SMA 1000 devices remain online, heightening risks if unpatched. SonicWall continues addressing infrastructure vulnerabilities amid persistent targeting by advanced threat actors.
Read full article: Theregister
WatchGuard Under Siege: Critical CVSS 9.3 Zero-Day Exploited in the Wild to Hijack Corporate Firewalls
A critical zero-day vulnerability (CVE-2025-14733, CVSS 9.3) in WatchGuard Firebox appliances allows unauthenticated attackers to execute arbitrary code via an out-of-bounds write flaw in the IKEv2 VPN daemon (iked). Exploits target Mobile User and Branch Office VPN configurations, persisting even if dynamic VPNs are removed but static tunnels remain. Active attacks involve crafted packets to hijack firewalls, with IoAs including abnormal certificate payloads and specific malicious IPs. WatchGuard released patches (Fireware OS 2025.1.4, 12.11.6, 12.5.15) and advises rotating stored secrets (pre-shared keys, certificates) post-patch due to potential prior compromise.
Read full article: Securityonline
Log4j’s Security Blind Spot: New TLS Flaw Lets Attackers Intercept Sensitive Logs Despite Encryption
A new vulnerability (CVE-2025-68161) in Apache Log4j’s Socket Appender component allows attackers to intercept encrypted log data via man-in-the-middle (MitM) attacks. Affecting versions 2.0-beta9 through 2.25.2, the flaw disables TLS hostname verification even when enabled, permitting attackers with a valid CA-issued certificate to redirect or capture sensitive logs. Exploiting this requires network interception and presenting a trusted certificate, risking exposure of debugging data, user activities, or system errors. Apache resolved the issue in Log4j Core 2.25.3, urging immediate upgrades. Unpatched users can mitigate risks by restricting trusted certificates to specific log servers.
Read full article: Securityonline
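What hostname verification adds on top of chain validation, and what a log-shipping client can do about it until the 2.25.3 upgrade lands, as an added Python example (not code from the advisory or from Log4j). The collector name logs.internal.example, the pinned fingerprint, and the dict-shaped certificates are all constructed for this illustration; a real client would take the same decisions from the parsed X.509 certificate.

```python
"""Added example, not code from the advisory or from Log4j: what hostname
verification adds to certificate-chain validation, and how a log-shipping
client can be restricted to one collector.

Assumptions (constructed for this example): the collector is named
logs.internal.example, and certificates are modelled as plain dicts rather
than parsed X.509 objects.
"""
import hashlib
import ssl
from typing import Optional

# Constructed sample certificates. Both would pass chain validation if issued
# by a CA present in the trust store; only the first names the collector.
COLLECTOR_CERT = {
    "san_dns": ["logs.internal.example", "*.internal.example"],
    "der": b"constructed-der-bytes-for-collector",
}
OTHER_VALID_CERT = {
    "san_dns": ["mail.other.example"],
    "der": b"constructed-der-bytes-for-another-host",
}


def _name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, and a '*' may only stand
    for the entire left-most label, never for part of one or for several."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, host: str) -> bool:
    """True only if the expected host appears in the SAN dNSName list."""
    return any(_name_matches(name, host) for name in cert["san_dns"])


def fingerprint_sha256(cert: dict) -> str:
    return hashlib.sha256(cert["der"]).hexdigest()


def collector_accepted(cert: dict, expected_host: str, pinned_sha256: str) -> bool:
    """Client-side decision: the presented certificate must name the collector
    and carry the pinned fingerprint. A certificate for any other name, even
    one chained to a trusted CA, is refused; the name check is what the
    vulnerable appender silently skipped."""
    return hostname_matches(cert, expected_host) and fingerprint_sha256(cert) == pinned_sha256


def hardened_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Client context with chain validation and hostname checks both enforced.
    Pointing ca_bundle at a file holding only the collector's issuing CA
    narrows what can be trusted at all (the advisory's interim mitigation)."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx
```

The wildcard rule is deliberately strict (whole left-most label only, at least two labels after it), which rejects the edge cases where permissive matchers have historically gone wrong. Fingerprint pinning is an extra layer beyond the advisory's trust-store restriction: it survives even if the narrowed CA issues a second certificate for a different name.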
Kubernetes Alert: Headlamp Flaw (CVE-2025-14269) Lets Unauthenticated Users Hijack Helm Clusters
A high-severity vulnerability (CVE-2025-14269, CVSS 8.8) in Kubernetes’ Headlamp UI allows unauthenticated attackers to hijack Helm clusters via insecure credential caching. The flaw affects in-cluster Headlamp installations (v0.38.0 and earlier) with Helm enabled, enabling attackers to reuse cached admin credentials after legitimate Helm use. Exploitation permits unauthorized Helm operations like deploying, modifying, or deleting releases. Patched in v0.39.0, administrators should upgrade immediately. Mitigations include restricting public exposure via ingress and monitoring Helm-related endpoint access logs. Specific configurations (in-cluster setup, Helm enabled, prior admin Helm access) are required for exploitation.
Read full article: Securityonline
FreeBSD Network Alert: Malicious IPv6 Packets Can Trigger Remote Code Execution via resolvconf (CVE-2025-14558)
A critical vulnerability (CVE-2025-14558) in FreeBSD’s IPv6 handling allows remote code execution via malicious router advertisements. The flaw stems from improper input validation in the rtsol/rtsold daemons, which pass untrusted network data (like domain search lists) to resolvconf, a shell script vulnerable to command injection. Attackers on the same network can craft packets with embedded shell commands, executing them with system privileges. Exploitation is limited to local network segments, as router advertisements are not routable. Systems using default IPv6 configurations are at risk. FreeBSD users must apply patches or disable vulnerable components to mitigate the threat.
Read full article: Securityonline
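The safe handling the advisory implies, as an added Python example (not FreeBSD code and not the rtsold or resolvconf implementation): decode the Router Advertisement's DNSSL option in its RFC 8106 wire format and accept only labels that are valid hostname syntax, so a search-list entry carrying shell metacharacters never reaches a script. The packets are constructed in the file; the option layout (type 31, length in 8-octet units, reserved, lifetime, DNS-wire-format names, zero padding) is the public format, and the policy wrapper name is this example's own.

```python
"""Added example, not FreeBSD code: decoding the DNSSL (DNS Search List)
option of an IPv6 Router Advertisement (RFC 8106) and validating every label
against hostname grammar before the values go anywhere near a shell.
All packets below are constructed in this file; nothing is read from the
network.
"""
import re
import struct

DNSSL_TYPE = 31            # ND option type for DNS Search List (RFC 8106)
MAX_NAME_LEN = 253
# RFC 1035 label: letters, digits and hyphen, no leading/trailing hyphen, <= 63 octets.
LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


class InvalidDnssl(ValueError):
    """Raised for any option that is malformed or carries a non-hostname label."""


def build_dnssl(domains, lifetime=1800):
    """Encode a DNSSL option. Used only to construct sample input; it deliberately
    does not validate, so it can produce the kind of packet the parser must reject."""
    body = b""
    for domain in domains:
        for label in domain.split("."):
            raw = label.encode()
            body += struct.pack("B", len(raw)) + raw
        body += b"\x00"                       # root label terminates each name
    body += b"\x00" * (-len(body) % 8)        # pad to a multiple of 8 octets
    return struct.pack("!BBHI", DNSSL_TYPE, (8 + len(body)) // 8, 0, lifetime) + body


def parse_dnssl(option: bytes):
    """Return (lifetime, [domain, ...]) for a well-formed option, else raise."""
    if len(option) < 8 or len(option) % 8:
        raise InvalidDnssl("option length is not a non-zero multiple of 8")
    otype, olen, _reserved, lifetime = struct.unpack("!BBHI", option[:8])
    if otype != DNSSL_TYPE or olen * 8 != len(option):
        raise InvalidDnssl("type or length field does not match the data")
    data, pos, domains = option[8:], 0, []
    while pos < len(data):
        labels = []
        while True:
            if pos >= len(data):
                raise InvalidDnssl("name runs past the end of the option")
            n = data[pos]
            pos += 1
            if n == 0:
                break
            if n & 0xC0:
                raise InvalidDnssl("compression pointers are not allowed in DNSSL")
            raw = data[pos:pos + n]
            pos += n
            if len(raw) != n:
                raise InvalidDnssl("truncated label")
            try:
                label = raw.decode("ascii")
            except UnicodeDecodeError:
                raise InvalidDnssl("non-ASCII label") from None
            # This is the check that keeps ';', '$', '`', quotes and spaces out.
            if not LABEL_RE.fullmatch(label):
                raise InvalidDnssl(f"label is not valid hostname syntax: {label!r}")
            labels.append(label)
        if not labels:
            # A lone root label is padding; only zero bytes may follow it.
            if any(data[pos:]):
                raise InvalidDnssl("non-zero bytes after padding")
            break
        name = ".".join(labels)
        if len(name) > MAX_NAME_LEN:
            raise InvalidDnssl("domain name too long")
        domains.append(name)
    if not domains:
        raise InvalidDnssl("empty search list")
    return lifetime, domains


def accept_search_list(option: bytes):
    """Policy wrapper: the validated list, or None if the RA option must be dropped."""
    try:
        return parse_dnssl(option)[1]
    except InvalidDnssl:
        return None


# Constructed samples: a legitimate search list and one whose label contains a
# shell metacharacter, which a hostname-aware parser refuses before hand-off.
GOOD_OPTION = build_dnssl(["corp.example", "lab.corp.example"])
INJECTED_OPTION = build_dnssl(["bad;name.example"])
```

Validating at the parser, rather than quoting later, is the durable fix: whatever consumes the list afterwards (a shell script, a config writer, a logger) receives only strings that cannot carry syntax for any of them, and the same allowlist also rejects the non-ASCII and oversized names that pure quoting would let through.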
Fortinet Products Hit by Further Security Flaws – Giving Hackers Access to Systems and More
Two critical SAML signature validation flaws (CVE-2025-59718/59719) in Fortinet products allow attackers to bypass SSO authentication, enabling unauthorized access. Affected products include FortiOS, FortiProxy, FortiSwitchManager, and FortiWeb, with severity scores of 9.8/10. Exploitation began December 12, with attackers extracting configuration files to expose network layouts, firewall settings, and hashed passwords. Fortinet advises immediate upgrades to patched versions (e.g., FortiOS 7.6.4+, FortiProxy 7.6.4+) and disabling FortiCloud login. Vulnerable versions span multiple releases, requiring urgent action to mitigate risks of active in-the-wild attacks.
Read full article: Techradar
Attacks Pummeling Cisco AsyncOS 0-Day Since Late November
Suspected Chinese state-linked threat actors have exploited a critical Cisco AsyncOS zero-day (CVE-2025-20393) since late November, targeting vulnerable Secure Email Gateway and Web Manager appliances with exposed Spam Quarantine features. The flaw allows root-level command execution, enabling attackers to deploy persistent backdoors like AquaShell, tunneling tools, and log-clearing utilities. Cisco confirmed ongoing attacks but provided no fix timeline, urging customers to follow mitigation steps. The U.S. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog. Cisco Talos attributes the campaign with moderate confidence to Chinese APT group UAT-9686, highlighting the use of custom malware for sustained access.
Read full article: Theregister
Roundcube Alert: High-Severity SVG XSS and CSS Sanitizer Flaws Threaten Webmail Privacy
Roundcube Webmail addressed two high-severity vulnerabilities (CVSS 7.2) threatening user privacy. The first flaw (CVE-2025-68461) enables XSS attacks via malicious SVG images containing embedded JavaScript, triggering execution upon viewing. This could lead to session hijacking or phishing. The second issue (CVE-2025-68460) involves CSS sanitizer bypasses, allowing attackers to infer or leak sensitive data from the webmail interface. Both vulnerabilities affect Roundcube 1.6 and 1.5 LTS branches. Patches have been released, urging administrators to update immediately to mitigate risks of script execution and information exfiltration via crafted emails.
Read full article: Securityonline
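The defensive counterpart to the SVG issue, as an added Python example (not Roundcube's sanitizer or any of its code): an allowlist-based SVG cleaner that drops script-bearing elements, event-handler attributes and javascript: or data: references while keeping ordinary drawing elements and internal #fragment references such as gradient fills. The sample image is constructed to exercise each rule; the element allowlist is this example's own choice and is intentionally narrower than what a full renderer supports.

```python
"""Added example, not Roundcube code: a small allowlist sanitizer for SVG
attachments that removes executable content (script and foreignObject
elements, event-handler attributes, javascript:/data: references) while
keeping ordinary drawing elements and internal #fragment references.
The sample SVG is constructed here to exercise each rule. For production
use, parse untrusted XML with entity-expansion limits (e.g. defusedxml).
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Enough to render plain vector artwork. Anything not listed (script,
# foreignObject, image, use, style, unknown tags) is dropped with its subtree.
ALLOWED_TAGS = {
    "svg", "g", "defs", "title", "desc", "a", "path", "rect", "circle",
    "ellipse", "line", "polyline", "polygon", "text", "tspan",
    "linearGradient", "radialGradient", "stop", "clipPath",
}
DANGEROUS_VALUE = re.compile(r"javascript:|data:|expression\(|@import")


def _local(qname: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return qname.rsplit("}", 1)[-1]


def _attr_allowed(name: str, value: str) -> bool:
    local = _local(name).lower()
    if local.startswith("on"):                     # onload, onmouseover, ...
        return False
    if local == "href" and not value.strip().startswith("#"):
        return False                               # only internal references
    # Collapse whitespace/control characters before matching so that
    # obfuscated forms such as "java\tscript:" are caught too.
    compact = re.sub(r"[\s\x00-\x1f]", "", value).lower()
    return DANGEROUS_VALUE.search(compact) is None


def _clean(element: ET.Element) -> None:
    for child in list(element):
        if _local(child.tag) not in ALLOWED_TAGS:
            element.remove(child)                  # subtree goes with it
        else:
            _clean(child)
    for name in list(element.attrib):
        if not _attr_allowed(name, element.attrib[name]):
            del element.attrib[name]


def sanitize_svg(svg_text: str) -> str:
    """Parse, prune and re-serialise an SVG document."""
    root = ET.fromstring(svg_text)
    if root.tag != f"{{{SVG_NS}}}svg":
        raise ValueError("root element is not an SVG <svg>")
    _clean(root)
    return ET.tostring(root, encoding="unicode")


# Constructed sample: a legitimate gradient fill plus four separate ways of
# smuggling script into an image, each of which the sanitizer must strip.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 100 100"
     onload="console.log('unsafe')">
  <defs><linearGradient id="grad"><stop offset="0" stop-color="red"/></linearGradient></defs>
  <script>console.log('unsafe')</script>
  <rect width="50" height="50" fill="url(#grad)" onmouseover="console.log('unsafe')"/>
  <a xlink:href="java&#9;script:console.log('unsafe')"><circle r="10"/></a>
  <foreignObject><div xmlns="http://www.w3.org/1999/xhtml">unsafe</div></foreignObject>
</svg>"""
```

An allowlist, not a blocklist, is the point: new SVG features or vendor-prefixed attributes are rejected by default instead of slipping past a list of known-bad names, and serving the result with a restrictive Content-Security-Policy still belongs alongside it as defence in depth.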
Early-Boot Attack: UEFI Flaw in ASRock, ASUS, & MSI Boards Lets Hackers Bypass OS Security via PCIe
A critical UEFI firmware vulnerability (CVE-2025-14304 and others) affects ASRock, ASUS, MSI, and Gigabyte motherboards, enabling attackers with physical access to bypass OS security via PCIe devices. The flaw stems from improper IOMMU initialization during early boot, leaving DMA protections inactive despite firmware claims. This allows malicious PCIe hardware to read or modify system memory before OS security loads, facilitating pre-boot code injection or data theft. The issue impacts environments where physical device access is possible, requiring urgent firmware updates to mitigate. CERT/CC advises treating firmware patches with high priority, especially in high-risk settings. Vendors are releasing updates, but timelines vary, necessitating continuous monitoring for advisories.
Read full article: Securityonline
In-Depth Expert CTI Analysis
Recent cyber operations highlight intensified efforts against state-aligned threats, including the FBI’s E-Note crypto takedown and Amazon’s blocking of North Korean job fraud linked to weapons funding. Ransomware persists in healthcare, with Rhysida attacks on MedStar and Sunflower, while Russian GRU actors target Western energy via misconfigured devices. Critical vulnerabilities in Log4j, Kubernetes, and Fortinet products underscore patch urgency, alongside Chinese APTs exploiting Cisco zero-days. Financial crimes escalate through crypto theft ($3.4B in 2025), task scams, and “pig butchering,” exploiting decentralized tools. State-backed hackers and evolving malware (AtomicOS, GachiLoader) emphasize the need for proactive defense and international collaboration to disrupt cybercriminal ecosystems.
Proactive Defense and Strategic Foresight
Proactive defense demands continuous threat intelligence integration, as seen in Amazon’s AI-driven fraud detection and FBI’s E-Note takedown, disrupting cybercrime’s financial backbone. Strategic foresight requires anticipating adversarial evolution: North Korean AI-driven job scams, Clop’s zero-day exploitation, and RansomHouse’s encryption upgrades highlight adaptive tactics. Energy sector targeting via edge devices and state-backed UEFI firmware exploits underscore infrastructure hardening needs. Organizations must prioritize third-party risk management (e.g., DXS, NAHGA breaches) and preemptive patching (Log4j, Kubernetes flaws). Collaboration across sectors, leveraging threat hunting and red teaming, is critical to counter decentralized crime networks and mitigate cascading impacts in healthcare, finance, and critical infrastructure.
Evolving Ransomware and Malware Tactics
Ransomware and malware tactics are rapidly evolving, leveraging AI-driven social engineering, advanced evasion techniques, and supply-chain vulnerabilities. Recent campaigns like AtomicOS use poisoned AI-generated content and malvertising, while Clop exploits zero-days in file-sharing systems. RansomHouse’s upgraded “Mario” ransomware employs dual-key encryption and dynamic chunking to hinder decryption. State-backed actors target critical infrastructure via misconfigured edge devices, as seen in GRU-linked energy sector attacks. Financial networks remain key targets, with crypto laundering platforms like E-Note facilitating ransomware payouts. Healthcare faces relentless double extortion, exemplified by Rhysida’s breaches. Mitigation requires patching vulnerabilities, securing third-party dependencies, and disrupting financial flows through coordinated law enforcement actions.
State-Sponsored and Organized Cybercrime Convergence
The convergence of state-sponsored and organized cybercrime is intensifying, evidenced by ransomware groups leveraging crypto laundering platforms (E-Note) to fund geopolitical agendas, as seen in North Korea’s AI-driven job scams targeting Amazon. State actors exploit criminal tactics for plausible deniability, such as Russian GRU-linked energy sector intrusions via misconfigured devices, while criminal enterprises adopt nation-state tools, like RansomHouse’s upgraded encryption. Geopolitical tensions further blur lines, with Venezuela attributing PDVSA’s disruption to U.S. sanctions. This symbiosis erodes traditional threat boundaries, demanding coordinated financial, technical, and diplomatic countermeasures to address hybrid adversaries.
Operational and Tactical Implications
The operational landscape reflects heightened targeting of financial intermediaries, critical infrastructure, and third-party vendors by state and criminal actors, necessitating robust edge device audits, AI-enhanced fraud detection, and cross-sector collaboration. Tactically, adversaries exploit misconfigurations, supply-chain vulnerabilities, and social engineering, requiring organizations to prioritize secure coding, multi-factor authentication, and real-time threat hunting. Law enforcement’s focus on disrupting money laundering and ransomware infrastructure underscores the need for proactive intelligence sharing and hardened incident response protocols to mitigate cascading operational risks.
Forward-Looking Recommendations
- Enhance Financial Disruption: Prioritize cross-agency collaboration to dismantle crypto laundering networks, targeting mixers and exchanges to increase cybercriminal operational costs.
- Secure Critical Infrastructure: Mandate audits of edge devices, VPNs, and network appliances in energy and transport sectors, enforcing strict configuration and credential management.
- Strengthen Identity Verification: Deploy AI-driven anomaly detection and multi-factor authentication to counter AI-generated fraud in hiring and third-party access.
- Proactive Threat Hunting: Simulate ransomware and supply-chain attacks to identify vulnerabilities, focusing on misconfigured cloud services and legacy systems.
- Accelerate Patch Management: Prioritize updates for high-risk vulnerabilities (e.g., Log4j, Kubernetes, UEFI firmware) and enforce third-party vendor security compliance.
- Combat Social Engineering: Launch public awareness campaigns on task scams, pig butchering schemes, and phishing tactics, emphasizing verified communication channels.
- Regulate Data Collection: Enforce transparency for IoT and connected devices, requiring explicit consent for data harvesting and banning deceptive practices like covert ACR tracking.