VerSprite Weekly Threat Intelligence #47
Date Range: 29 December 2025 – 02 January 2026
Issue: 47th Edition
Reported Period Victimology

Security Triumphs of the Week
This week highlighted critical insider threats and the importance of robust security responses. Coinbase addressed a data breach involving rogue overseas agents, leading to arrests and a $20M extortion countermeasure, while collaborating with authorities to charge a $16M social engineering scammer. Separately, two ex-cybersecurity professionals pleaded guilty to ransomware attacks, extorting $1.2M from a medical firm, underscoring risks posed by malicious insiders. Both cases emphasize the need for stringent oversight and swift legal action to mitigate evolving threats.
Indian Cops Cuff Ex-Coinbase Rep Over Selling Customer Info to Crims
A former Coinbase customer service agent in Hyderabad, India, was arrested for allegedly selling user data to criminals, as disclosed by CEO Brian Armstrong. The breach, initially reported in May 2024, involved rogue overseas support agents leaking nearly 70,000 customer records, including sensitive personal and financial data, though no 2FA or wallet access was compromised. Criminals used the stolen information to impersonate Coinbase employees, defraud users, and attempt a $20M extortion, which the company countered by offering a reward for attacker arrests. Critics blamed Coinbase’s outsourcing of customer service to India for enabling the breach. Separately, Coinbase collaborated with authorities to charge a Brooklyn man accused of stealing $16M via social engineering scams impersonating the platform. The incidents highlight ongoing security and customer service challenges at the exchange.
Read full article: Theregister
US Cybersecurity Professionals Plead Guilty to Blackcat Ransomware Attacks
Two former cybersecurity professionals, Ryan Clifford Goldberg and Kevin Tyler Martin, pleaded guilty to conducting ransomware attacks as affiliates of the ALPHV/BlackCat group. They successfully extorted $1.2 million from a medical device company in 2023 and attempted additional attacks on pharmaceutical, medical, engineering, and manufacturing firms. Both leveraged their cybersecurity expertise to deploy ransomware, encrypt data, and demand cryptocurrency payments. Charged with conspiracy, extortion, and computer damage, they face up to 20 years in prison. Sentencing is scheduled for March 12, 2026. The case underscores insider threats within the cybersecurity industry.
Read full article: Techradar
Security Setbacks of the Week
This week’s security setbacks underscore escalating third-party risks and ransomware threats. Major breaches at Coupang, ESA, and multiple banks via suppliers like Marquis Software highlight systemic vulnerabilities in external partnerships, while ALPHV-linked ransomware actors and insiders at Ubisoft exploited privileged access for financial gain. Crypto-sector hacks, including Trust Wallet and Coinbase breaches, coincided with regulatory actions against AI-driven scams. Geopolitical threats emerged as China-linked APTs and pro-Russian groups targeted critical infrastructure. Recurring themes of inadequate vendor oversight, delayed breach disclosures, and exploitable insider weaknesses emphasize persistent gaps in global cybersecurity accountability.
Coupang to Pay Almost $1.2 Billion in Compensation for Data Breach
Coupang, a South Korean e-commerce giant, faced one of the country’s largest cyberattacks, exposing data of 33.7 million customers in November 2025. The breach included names, emails, phone numbers, addresses, and order details. As compensation, Coupang offered $35 vouchers usable only on its platform, drawing criticism for minimizing costs and prioritizing marketing over genuine restitution. Lawmakers and consumer groups condemned the move as inadequate and exploitative, accusing the company of turning a crisis into a business opportunity. Police launched an investigation, raiding Coupang’s offices to determine the breach’s cause and scope. The incident highlights ongoing concerns over corporate accountability in data protection.
Read full article: Techradar
European Space Agency Hit Again as Cybercrims Claim 200 GB Data Up for Sale
The European Space Agency (ESA) reported a security breach impacting external servers used for unclassified engineering and scientific collaboration, claiming limited impact. Cybercriminals, however, advertised 200 GB of stolen data for sale, including source code, credentials, SQL files, and private Bitbucket repositories, allegedly accessed from ESA-linked servers over a week starting December 18. ESA initiated forensic analysis and secured affected devices but provided no further details. This follows prior incidents, including a 2023 online store attack and breaches in 2015 and 2011, where external systems were compromised. The agency maintains that core networks remain unaffected despite recurring breaches.
Read full article: Theregister
Cryptohack Roundup: $7M Trust Wallet Hack
The article details major cybersecurity incidents in the crypto sector, including a $7 million hack of Trust Wallet’s Chrome extension via a malicious update and leaked API key, prompting user reimbursements. Indian authorities arrested a former Coinbase support agent linked to a data breach exposing 69,500 customers. The U.S. SEC sued entities over a $14 million social media scam using AI-generated tips and fake platforms. Polymarket attributed account breaches to a third-party login service vulnerability. Flow blockchain faced backlash for a rollback after a $3.9 million exploit, while Grubhub investigated a Bitcoin scam via compromised emails. Former Alameda CEO Caroline Ellison’s early release was also noted.
Read full article: Bankinfosec
More Banks Issue Breach Notifications Over Supplier Breach
Multiple banks have issued breach notifications following a ransomware attack targeting their third-party supplier, Marquis Software Solutions. The August 14 incident compromised sensitive customer data, including names, Social Security numbers, financial account details, and dates of birth, stored by Marquis for over 700 financial institutions. Affected banks like Artisans’ Bank and VeraBank notified tens of thousands of customers, with total exposed individuals exceeding 1.4 million. The attack exploited a SonicWall firewall vulnerability, potentially linked to Akira ransomware affiliates. Marquis confirmed the breach was limited to its environment but has not attributed it to a specific group or disclosed ransom payments. Notifications were delayed as forensic reviews and customer identification processes extended into December. The breach underscores risks posed by third-party vendor vulnerabilities in the financial sector.
Read full article: Bankinfosec
Cybersecurity Pros Admit to Moonlighting as Ransomware Scum
Cybersecurity professionals Ryan Goldberg and Kevin Martin pleaded guilty to conducting ransomware attacks from May to November 2023, targeting five organizations, including a medical device firm that paid $1.2 million. The trio, leveraging their infosec expertise, collaborated with the ALPHV BlackCat ransomware gang, sharing 20% of ransoms. Only one victim paid, with proceeds split and laundered. The DOJ condemned their misuse of skills to commit crimes they were trained to prevent. Sentencing in March could bring 20-year prison terms. ALPHV, linked to the 2024 Change Healthcare attack, remains notorious, with gangs often rebranding post-law enforcement actions.
Read full article: Theregister
The Insider Crisis: How Bribed Outsourced Staff Sold Out Ubisoft’s Crown Jewels
A cybersecurity report revealed that Ubisoft faced insider threats involving bribed outsourced staff in India and South Africa, enabling hackers to infiltrate internal systems. Attackers accessed collaboration tools and project-tracking systems, exfiltrating 900 GB of data, primarily targeting Rainbow Six Siege’s source code and in-game assets. Exploiting a MongoDB vulnerability, hackers manipulated accounts but did not leak player data. Low compensation for outsourced roles made employees susceptible to bribes, echoing prior incidents like Coinbase’s breach. Experts highlight structural risks in multinational outsourcing, emphasizing the need for stricter access controls and auditing to mitigate insider threats. Ubisoft continues investigating the breach.
Read full article: Securityonline
The New Emerging Threats
Emerging threats in 2025 showcase escalating sophistication across multiple fronts, with cyber-espionage groups like HoneyMyte deploying kernel-mode rootkits for stealthy network hijacking and macOS campaigns like GlassWorm abusing developer tools to steal credentials. Malware trends highlight cross-platform expansion via Rust/Go-based payloads, while AI-driven social engineering leverages voice cloning and automated phishing to erode digital trust. Supply-chain compromises persist, from malicious VSCode extensions to trojanized Cardano installers abusing legitimate tools like LogMeIn. Concurrently, browser-based threats like Zoom Stealer exploit extensions for corporate espionage, and critical vulnerabilities (e.g., React2Shell) mirror past crises. These trends underscore a shift toward multi-vector, psychologically manipulative attacks demanding advanced detection and proactive defense.
New “Eternl Desktop” Phishing Lure Drops LogMeIn to Hijack Cardano Wallets
A sophisticated phishing campaign targets Cardano users via fake “Eternl Desktop” app announcements. Attackers distribute emails mimicking legitimate ecosystem initiatives, promoting a trojanized installer that silently deploys LogMeIn Resolve, a legitimate RMM tool, to hijack systems. This grants attackers persistent remote control, enabling potential credential theft or wallet manipulation. The campaign leverages trusted software to evade detection, signaling supply-chain abuse tactics. Researchers rate the threat as critical, urging users to verify updates through official channels only. High-conviction Cardano stakeholders are advised to treat unsolicited emails with extreme caution.
Read full article: Securityonline
5 Threats That Defined Security in 2025
The article outlines five major cybersecurity threats in 2025: Chinese APT Salt Typhoon intensified espionage against telecoms and the US National Guard. CISA faced budget cuts and layoffs under Trump’s administration, reducing support for state/local cybersecurity. React2Shell, a critical vulnerability (CVSS 10) in React, triggered rapid exploitation, mirroring Log4Shell’s impact. Self-propagating malware Shai-Hulud poisoned open-source dependencies, exploiting automation tools. Supply-chain attacks targeted Salesforce integrations via stolen OAuth tokens, impacting major firms. Despite challenges, ransomware payments declined, and international law enforcement disrupted cybercrime operations.
Read full article: Darkreading
The Ghost in the Kernel: How HoneyMyte Weaponized a Rootkit to Hijack Asian Governments
The cyber-espionage group HoneyMyte (aka Mustang Panda) has escalated attacks on Southeast and East Asian governments using a kernel-mode rootkit to hijack networks. Targeting Myanmar and Thailand, the group deployed a malicious driver (ProjectConfiguration.sys) signed with a stolen certificate to bypass security checks. The rootkit manipulates system driver load order, disables Microsoft Defender, and injects the ToneShell backdoor via a kernel-mode loader, a first for the group. Malicious traffic is masked using fake TLS headers to mimic legitimate web activity. This stealthy, memory-based approach evades traditional detection, requiring advanced memory forensics for analysis. The campaign underscores HoneyMyte’s focus on persistent, high-value espionage.
Read full article: Securityonline
New GlassWorm malware wave targets Macs with trojanized crypto wallets
A fourth wave of the GlassWorm malware campaign is targeting macOS developers through malicious VSCode/OpenVSX extensions, delivering trojanized crypto wallet apps. This iteration uses AES-256-CBC–encrypted payloads in JavaScript, delays execution to evade detection, and employs AppleScript and LaunchAgents for persistence. The malware steals credentials (GitHub, npm), Keychain passwords, and crypto wallet data, while attempting to replace legitimate hardware wallet apps like Ledger Live with malicious versions, though this function currently fails. Over 33,000 installs of the malicious extensions were reported, though numbers may be inflated. Researchers warn the threat remains active, urging users to remove suspicious extensions, reset credentials, and check for infections.
Read full article: Bleepingcomputer
Malware in 2025 spread far beyond Windows PCs
The article highlights a significant shift in malware trends in 2025, with attacks increasingly targeting Android, macOS, and cross-platform systems. Android faces advanced banking Trojans like Herodotus, which mimic human behavior, and overlay attacks stealing credentials. macOS is impacted by campaigns like ClickFix, tricking users into executing malicious commands to deploy infostealers. Malware developers leverage Rust and Go to create cross-platform threats affecting IoT and mobile devices, while Malware-as-a-Service models expand accessibility. Social engineering remains critical, exploiting human behavior via scams, fake apps, and financial-focused attacks like RATs and cryptocurrency theft. These trends signal a broader focus beyond Windows, combining technical sophistication and psychological manipulation, likely intensifying in 2026.
Read full article: Malwarebytes
How AI made scams more convincing in 2025
In 2025, AI significantly enhanced cybercrime by enabling more convincing social engineering scams. Voice cloning advanced, with scammers impersonating senior officials and family members to deceive victims, such as a Florida woman defrauded via cloned audio. AI agents autonomously crafted personalized phishing lures using stolen or public data, while combining social media information with breaches fueled romance and holiday scams. Attackers exploited AI platforms like Claude to automate malware campaigns and bypass safeguards via prompt injection tactics. These developments eroded trust in digital communication, emphasizing the need for robust identity verification as AI-generated content becomes indistinguishable from reality.
Read full article: Malwarebytes
Zoom Stealer browser extensions harvest corporate meeting intelligence
A malicious campaign dubbed Zoom Stealer uses 18 browser extensions to harvest corporate meeting data from 2.2 million Chrome, Firefox, and Edge users. Attributed to China-linked threat actor DarkSpectre, the campaign targets 28 video-conferencing platforms, stealing meeting URLs, IDs, passwords, participant details, and metadata for espionage or social engineering. DarkSpectre, linked to prior campaigns like GhostPoster and ShadyPanda, employs functional extensions (e.g., Chrome Audio Capture) to exfiltrate data via WebSocket in real time. Despite reports, some malicious extensions remain on the Chrome Web Store. Researchers urge users to minimize extensions and review permissions to mitigate risks of impersonation or data exploitation.
Read full article: Bleepingcomputer
Vulnerability Spotlight: Critical Exposures Unveiled
Critical vulnerabilities across databases, telecom infrastructure, and decentralized platforms exposed systemic risks, with APT groups and ransomware actors exploiting unpatched systems (MongoDB, Ivanti EPMM) and insecure configurations (KT femtocells). High-impact attacks leveraged zero-days, stolen credentials, and weaponized flaws like React2Shell, enabling data theft, cryptomining, and financial fraud. Decentralized governance weaknesses led to a $3.9M crypto heist, while services like ErrTraffic automated malware delivery via social engineering. Global sectors face escalating threats from state-aligned and criminal actors, underscoring urgent patching, credential management, and IoT isolation to mitigate cross-industry exploitation.
75,000 MongoDBs Exposed as Attackers Exploit ‘MongoBleed’
A critical MongoDB vulnerability dubbed “MongoBleed” (CVE-2025-14847) is being actively exploited, exposing 75,000 databases globally. The flaw, present in versions since 2017, allows attackers to leak memory data via zlib compression, compromising credentials, API keys, and sensitive information. Over 74,800 exposed instances remain unpatched, with China, the U.S., Germany, and France most affected. MongoDB released patches for recent versions, but older releases (pre-4.4) lack fixes. Ransomware groups are leveraging public proof-of-concept exploits, prompting urgent patching advisories from agencies like CISA. Mitigations include disabling zlib compression and securing internet-facing servers.
Read full article: Bankinfosec
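The two mitigations named above (turn off zlib wire compression, stop exposing the server) can be checked mechanically. The script below is an added example, not code from the digest or from MongoDB; it audits the option tree mongod reports under "parsed" from its getCmdLineOpts command (the same shape as mongod.conf), and the two sample trees are constructed.

```python
# Added example (not from the VerSprite digest or MongoDB): audit a mongod
# option tree against the MongoBleed mitigations the article names.
# Input mirrors the "parsed" section of getCmdLineOpts / mongod.conf.
from typing import Any

# Assumed default when net.compression.compressors is unset (MongoDB 4.2+).
DEFAULT_COMPRESSORS = "snappy,zstd,zlib"


def enabled_compressors(parsed: dict[str, Any]) -> list[str]:
    """Return the wire compressors mongod would negotiate with clients."""
    raw = parsed.get("net", {}).get("compression", {}).get("compressors", DEFAULT_COMPRESSORS)
    names = [c.strip() for c in str(raw).split(",") if c.strip()]
    return [] if names == ["disabled"] else names


def listens_on_all_interfaces(parsed: dict[str, Any]) -> bool:
    """True when net.bindIpAll is set or net.bindIp contains a wildcard address."""
    net = parsed.get("net", {})
    if net.get("bindIpAll"):
        return True
    bind = str(net.get("bindIp", "localhost"))
    return any(a.strip() in ("0.0.0.0", "::") for a in bind.split(","))


def version_tuple(version: str) -> tuple[int, ...]:
    """'4.2.3' -> (4, 2, 3); ignores suffixes such as '-rc0'."""
    core = version.split("-")[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())


def audit_mongobleed(parsed: dict[str, Any], version: str) -> list[tuple[str, str]]:
    """Return (finding_code, advice) pairs; an empty list means nothing to flag."""
    findings: list[tuple[str, str]] = []
    if "zlib" in enabled_compressors(parsed):
        findings.append(("ZLIB_ENABLED",
                         "zlib wire compression is the MongoBleed leak path; set "
                         "net.compression.compressors to snappy,zstd (or disabled)"))
    if listens_on_all_interfaces(parsed):
        findings.append(("ALL_INTERFACES",
                         "mongod accepts connections on every interface; bind to "
                         "internal addresses and keep the port behind a firewall"))
    if parsed.get("security", {}).get("authorization") != "enabled":
        findings.append(("AUTH_DISABLED",
                         "security.authorization is not 'enabled'; leaked memory is "
                         "worse when anyone can also log in"))
    if version_tuple(version) < (4, 4):
        findings.append(("PRE_4_4",
                         "release line before 4.4 has no vendor fix per the article; "
                         "the compression and exposure mitigations are the only option"))
    return findings


# Constructed sample: an exposed legacy deployment with defaults left in place
# (compressors unset, so the assumed default including zlib applies).
WEAK = {"net": {"bindIpAll": True},
        "storage": {"dbPath": "/var/lib/mongodb"}}

# Constructed sample: the same deployment after applying the mitigations.
HARDENED = {"net": {"bindIp": "127.0.0.1,10.20.0.7",
                    "compression": {"compressors": "snappy,zstd"}},
            "security": {"authorization": "enabled"}}

if __name__ == "__main__":
    for label, cfg, ver in (("weak", WEAK, "4.2.3"), ("hardened", HARDENED, "7.0")):
        print(f"[{label}] mongod {ver}")
        for code, advice in audit_mongobleed(cfg, ver) or [("OK", "no findings")]:
            print(f"  {code}: {advice}")
```

On a live server, feed the function the value of `db.adminCommand({getCmdLineOpts: 1}).parsed` together with the version from `db.version()`.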
Sunken Ships: Will Orgs Learn From Ivanti EPMM Attacks?
The article discusses the 2025 Ivanti EPMM zero-day attacks, where threat actors exploited vulnerabilities (CVE-2025-4427 and CVE-2025-4428) in the mobile device management platform to gain control over enterprise devices, enabling data exfiltration and espionage. Affecting sectors like healthcare, government, and finance, attackers leveraged unencrypted credentials and legitimate platform features to deploy reverse shells, access cloud services, and intercept communications. EclecticIQ attributed the campaign to a China-nexus APT group, citing infrastructure and tooling patterns. The incident underscores risks in internet-facing systems and poor credential management, urging organizations to prioritize threat modeling, monitor administrative actions, and reduce patching delays to mitigate future zero-day threats.
Read full article: Darkreading
Korean telco failed at femtocell security, exposed customers to snooping and fraud
South Korean telecom KT exposed customers to fraud and surveillance due to insecure femtocells, which lacked root passwords, stored keys in plaintext, and used a single long-expiring certificate for authentication. Attackers cloned these devices to intercept communications, steal subscriber data, and facilitate a $169,000 micropayment scam. Vulnerable femtocells allowed automatic connections, enabling SMS interception and call monitoring. KT’s lack of fleet management tools exacerbated risks. Police linked the attacks to a criminal gang, arresting 13 suspects, and suspect ties to prior breaches involving BPFDoor malware. South Korea mandated penalty-free contract cancellations for affected customers amid broader national cybersecurity concerns.
Read full article: Theregister
Hackers drain $3.9M from Unleash Protocol after multisig hijack
Unleash Protocol suffered a $3.9 million cryptocurrency theft after attackers hijacked its multisig governance system, gaining administrative control to execute an unauthorized contract upgrade. This allowed unauthorized withdrawals of wrapped IP (WIP), USDC, WETH, and other assets. The stolen funds were routed through third-party bridges and laundered via Tornado Cash, a sanctioned crypto-mixing service. The breach bypassed the platform’s governance protocols, enabling asset drainage outside approved procedures. Unleash Protocol has paused operations, initiated an investigation, and advised users to avoid interacting with its contracts until resolved. The incident underscores vulnerabilities in decentralized governance and multisig security.
Read full article: Bleepingcomputer
RondoDox botnet exploits React2Shell flaw to breach Next.js servers
The RondoDox botnet is actively exploiting the critical React2Shell vulnerability (CVE-2025-55182) to compromise Next.js servers via unauthenticated remote code execution. Since early December 2025, the botnet has deployed cryptominers, Mirai variants, and botnet loaders while eliminating competing malware. Over 94,000 internet-exposed assets remain vulnerable to React2Shell, which has also been weaponized by North Korean hackers for EtherRAT malware. RondoDox’s 2025 operations evolved from reconnaissance to large-scale IoT exploitation, targeting routers and conducting hourly attack waves. CloudSEK advises patching Next.js Server Actions, isolating IoT devices, and monitoring suspicious processes to mitigate risks.
Read full article: Bleepingcomputer
New ErrTraffic service enables ClickFix attacks via fake browser glitches
A new cybercrime service named ErrTraffic automates ClickFix attacks by generating fake browser or system glitches on compromised websites, tricking users into downloading malware or executing malicious commands. Sold for $800 on hacking forums, the tool uses geolocation and OS fingerprinting to target victims, delivering payloads like Lumma/Vidar stealers (Windows), Cerberus (Android), and macOS/Linux malware. The platform modifies website content to display errors (e.g., corrupted text, fake Chrome updates), prompting victims to follow harmful “fixes.” Campaigns exclude CIS countries, hinting at developer origins. Hudson Rock researchers note its 60% conversion rates and integration into credential theft cycles, with stolen data often sold on darknet markets.
Read full article: Bleepingcomputer
In-Depth Expert CTI Analysis
Recent cyber incidents underscore escalating insider threats and third-party risks, exemplified by breaches at Coinbase and Ubisoft involving bribed outsourced staff. Ransomware groups like ALPHV/BlackCat leveraged insider expertise, while attacks on Coupang, ESA, and Marquis Software exposed systemic vulnerabilities in vendor ecosystems. AI-driven social engineering, cross-platform malware, and zero-day exploits (e.g., React2Shell, MongoBleed) highlight evolving attack sophistication. Law enforcement disrupted operations like GlassWorm and RondoDox, but budget cuts and unpatched systems persist as challenges. Corporate responses, such as Coupang’s inadequate compensation, reveal gaps in accountability amid growing regulatory scrutiny.
Proactive Defense and Strategic Foresight
Proactive defense demands rigorous third-party risk management, exemplified by breaches at Coinbase, Coupang, and Marquis Software, where outsourced access and vendor vulnerabilities enabled large-scale data theft. Strategic foresight requires anticipating evolving tactics like AI-driven social engineering, kernel-mode rootkits (HoneyMyte), and cross-platform malware, necessitating investments in behavioral analytics and memory forensics. Insider threats, from rogue employees (Ubisoft) to compromised cybersecurity professionals (ALPHV affiliates), highlight the need for stringent access controls and continuous monitoring. The exploitation of unpatched vulnerabilities (MongoDB, React2Shell) underscores the urgency of zero-day mitigation strategies. Organizations must prioritize threat modeling, secure development practices, and international collaboration to disrupt ransomware ecosystems and espionage campaigns, transforming reactive postures into resilient, adaptive frameworks.
Evolving Ransomware and Malware Tactics
Ransomware and malware tactics are rapidly evolving, with threat actors leveraging insider expertise, zero-day exploits, and AI-enhanced social engineering. Recent incidents highlight ransomware affiliates like ALPHV/BlackCat recruiting cybersecurity professionals to optimize attacks, while groups such as Clop exploit Oracle vulnerabilities for data extortion. Cross-platform malware campaigns (e.g., GlassWorm targeting macOS via VSCode) and kernel-mode rootkits (HoneyMyte) demonstrate technical sophistication, evading detection through memory-based persistence and encrypted payloads. Supply chain risks persist, as seen in third-party breaches at Marquis Software and Ubisoft, where underpaid outsourced staff were bribed for access. Malware-as-a-Service models and tools like ErrTraffic automate attacks, blending fake system errors with credential theft. Proactive patching, stricter vendor audits, and behavioral analytics are critical to counter these adaptive threats.
State-Sponsored and Organized Cybercrime Convergence
The convergence of state-sponsored cyber operations and organized cybercrime is accelerating, with nation-state actors increasingly leveraging criminal infrastructure, malware-as-a-service, and monetization techniques for deniability and self-funding, while cybercriminal groups adopt nation-state tradecraft for stealth and scale. China-linked actors such as HoneyMyte (Mustang Panda) and DarkSpectre blur espionage and cybercrime through kernel-mode rootkits, malicious browser extensions, and update hijacking, while operating via credential theft and data resale ecosystems. In parallel, North Korean–aligned actors and ransomware groups exploit zero-day vulnerabilities (React2Shell, Ivanti EPMM, Oracle) and crypto platforms to finance strategic objectives. The abuse of legitimate RMM tools, AI-driven phishing services like ErrTraffic, and ransomware affiliate models further obscures attribution. Law enforcement actions against ALPHV/BlackCat affiliates and insider-enabled breaches at Coinbase and Ubisoft reveal progress but also highlight how outsourcing and supply-chain trust are increasingly weaponized, eroding traditional distinctions between criminal and state-sponsored threats and necessitating coordinated intelligence-sharing and unified defensive strategies.
Operational and Tactical Implications
Operational Implications: Recent incidents reinforce third-party and supply-chain ecosystems as primary attack surfaces, with breaches at Marquis Software, Coupang, ESA, and Ubisoft exposing how outsourced access, delayed disclosures, and vendor trust are exploited for scale and persistence. Ransomware groups continue expanding beyond endpoints into hypervisors, VPNs, and cloud control planes, while browser-based and extension-delivered malware (Zoom Stealer, GlassWorm) bypass traditional perimeter defenses. State-aligned actors favor stealth through kernel-mode implants, signed drivers, and memory-resident malware, while AI-enabled phishing and fake update lures compress attack timelines to machine speed. Persistent patch latency for critical flaws (MongoBleed, React2Shell, Ivanti) enables rapid mass exploitation, signaling growing gaps across identity, cloud, and edge visibility.
Tactical Implications: Organizations require stricter governance over third-party integrations, OAuth tokens, and software dependencies to curb supply-chain risk. Zero-trust enforcement, hardened privileges, and continuous access validation are essential as attackers pivot to hypervisors, VPN appliances, and administrative tooling. Detecting fileless and kernel-level threats demands behavioral EDR, memory telemetry, and kernel monitoring. Browser-centric attacks necessitate advanced anti-phishing controls, browser isolation, and hardware-backed credentials. AI-automated attacks and cryptojacking waves further require anomaly-driven identity monitoring, adversarial-aware AI controls, and cloud/GPU usage baselining to maintain tactical resilience.
Forward-Looking Recommendations
- Enhance third-party vendor risk management with mandatory audits, strict access controls, and real-time monitoring to mitigate supply-chain vulnerabilities.
- Implement zero-trust architectures and behavioral analytics to detect insider threats, particularly in outsourced or low-wage roles susceptible to bribery.
- Prioritize patching for critical vulnerabilities (e.g., React2Shell, MongoBleed) and enforce multi-factor authentication to reduce exploit risks.
- Adopt AI-driven threat detection to counter evolving social engineering, AI-generated scams, and memory-resident malware like HoneyMyte’s rootkits.
- Strengthen developer ecosystems against malicious extensions and dependency poisoning via code-signing verification and sandboxed environments.
- Mandate cybersecurity training for employees and customers to recognize phishing, fake updates, and social engineering tactics.
- Advocate for regulatory frameworks enforcing transparent breach disclosures and penalties for inadequate corporate accountability in data protection.