2025-12-12 AI创业新闻

ThreatsDay Bulletin: Spyware Alerts, Mirai Strikes, Docker Leaks, ValleyRAT Rootkit — and 20 More Stories

This week’s cyber stories show how fast the online world can turn risky. Hackers are sneaking malware into movie downloads, browser add-ons, and even software updates people trust. Tech giants and governments are racing to plug new holes while arguing over privacy and control. And researchers keep uncovering just how much of our digital life is still wide open.

The new Threatsday Bulletin brings it all together—big hacks, quiet exploits, bold arrests, and smart discoveries that explain where cyber threats are headed next. It’s your quick, plain-spoken look at the week’s biggest security moves before they become tomorrow’s headlines. Maritime IoT under siege Mirai-Based Broadside Botnet Exploits TBK DVR Flaw A new Mirai botnet variant dubbed Broadside has been exploiting a critical-severity vulnerability in TBK DVR ( CVE-2024-3721 ) in attacks targeting the maritime logistics sector. “Unlike previous Mirai variants, Broadside employs a custom C2 protocol, a unique ‘Magic Header; signature, and an advanced ‘Judge, Jury, and Executioner’ module for exclusivity,” Cydome said .

“Technically, it diverges from standard Mirai by utilizing Netlink kernel sockets for stealthy, event-driven process monitoring (replacing noisy filesystem polling), and employing payload polymorphism to evade static defenses.” Specifically, it tries to maintain exclusive control over the host by terminating other processes that match specific path patterns, fail internal checks, or have already been classified as hostile. Broadside extends beyond denial-of-service attacks, as it attempts to harvest system credential files (/etc/passwd and /etc/shadow) with an aim to establish a strategic foothold into compromised devices. Mirai is a formidable botnet that has spawned several variants since its source code was leaked in 2016. LLM flaws persist indefinitely NCSC Says Prompt Injections Might Never Go Away The U.K.

National Cyber Security Centre said prompt injections – which refer to flaws in generative artificial intelligence (GenAI) applications that allow them to parse malicious instructions to generate content that’s otherwise not possible – “will never be properly mitigated” and that it’s important to raise awareness about the class of vulnerability, as well as designing systems that “constrain the actions of the system, rather than just attempting to prevent malicious content reaching the LLM.” VaaS crackdown nets 193 arrests Europol Arrests 193 in Connection with VaaS Crackdown Europol’s Operational Taskforce (OTF) GRIMM has arrested 193 individuals and disrupted criminal networks that have fueled the growth of violence-as-a-service (VaaS). The task force was launched in April 2025 to combat the threat, which involves recruiting young, inexperienced perpetrators to commit violent acts. “These individuals are groomed or coerced into committing a range of violent crimes, from acts of intimidation and torture to murder,” Europol said . Many of the criminals involved in the schemes are alleged to be members of The Com, a loosely-knit collective comprising primarily English speakers who are involved in cyber attacks, SIM swaps, extortion, and physical violence.

Hack tools seized in Poland Poland Arrests 3 Ukrainians for Alleged Attempt to Sabotage IT Systems Polish law enforcement arrested three Ukrainian nationals for allegedly attempting to damage IT systems in the country using specialized hacking equipment after their vehicle was stopped and inspected. They have been charged with fraud, computer fraud, and acquiring computer equipment and software adapted to commit crimes, including damage to computer data of particular importance to the country’s defense. “Officers thoroughly searched the vehicle’s interior. They found suspicious items that could even be used to interfere with the country’s strategic IT systems, breaking into IT and telecommunications networks,” authorities said .

“During the investigation, officers seized a spy device detector, advanced Flipper hacking equipment, antennas, laptops, a large number of SIM cards, routers, portable hard drives, and cameras.” The three men, of ages between 39 and 43, claimed to be computer scientists and “were visibly nervous,” but did not give reasons as to why they were carrying such tools in the first place, and pretended not to understand what was being said to them, officials said. Teen data thief caught Spain Nabs Teen Hacker for Allegedly Stealing 64M Records The National Police in Spain have arrested a suspected 19-year-old hacker in Barcelona, for allegedly stealing and attempting to sell 64 million records obtained from breaches at nine companies. The defendant is said to have used six online accounts and five pseudonyms to advertise and sell the stolen databases. The teen faces charges related to involvement in cybercrime, unauthorized access, and disclosure of private data, and privacy violations.

“The cybercriminal accessed nine different companies where he obtained millions of private personal records that he later sold online,” authorities alleged . In a related development, Ukrainian police officials announced the arrest of a 22-year-old cybercriminal who used a custom malware he independently created to automatically hack user accounts on social networks and other platforms. The compromised accounts were then sold on hacker forums. Most of the victims were based in the U.S.

and various European countries. The Bukovyn resident is also accused of administering a bot farm with more than 5,000 profiles in various social networks in order to implement various shadow schemes and transactions. Millions lost via fake banking apps Russia Dismantles NFC-Relay Operation Russian police said they have dismantled a criminal enterprise that stole millions from bank customers in the country using malware built on NFCGate , a legitimate open-source tool increasingly exploited by cybercriminals worldwide. To that end, three suspects have been arrested for distributing NFC-capable malware through WhatsApp and Telegram, disguising it as software from legitimate banks.

Victims were first approached via phone and persuaded to install a fraudulent banking app. During the fake “authorization” process, they were guided to hold their bank card to the back of their smartphone and enter their PIN — a step that enabled the attackers to harvest card credentials and withdraw funds from ATMs anywhere in the country without the cardholder’s involvement. Preliminary losses exceed 200 million rubles (about $2.6 million). Botnets exploit React flaw React2Shell Comes Under Extensive Exploitation The recently disclosed React security flaw ( React2Shell , aka CVE-2025-55182) has come under widespread exploitation, including targeting smart home devices, according to Bitdefender .

These include smart plugs, smartphones, NAS devices, surveillance systems, routers, development boards, and smart TVs. These attacks have been found to deliver Mirai and RondoDox botnet payloads. Significant probing activity has been detected from Poland, the U.S., the Netherlands, Ireland, France, Hong Kong, Singapore, China, and Panama. This indicates “broad global participation in opportunistic exploitation,” the company said.

Threat intelligence firm GreyNoise said it observed 362 unique IP addresses across ~80 countries attempting exploitation as of December 8, 2025. “Observed payloads fall into distinct groups: miners, dual-platform botnets, OPSEC-masked VPN actors, and recon-only clusters,” it added. Linux malware evades detection New GhostPenguin Linux Backdoor Spotted Cybersecurity researchers have discovered a previously undocumented Linux backdoor named GhostPenguin. A multi-thread backdoor written in C++, it can collect system information, including IP address, gateway, OS version, hostname, and username, and send it to a command-and-control (C&C) server during a registration phase.

“It then receives and executes commands from the C&C server. Supported commands allow the malware to provide a remote shell via ‘/bin/sh,’ and perform various file and directory operations, including creating, deleting, renaming, reading, and writing files, modifying file timestamps, and searching for files by extension,” Trend Micro said . “All C&C communication occurs over UDP port 53.” The discovery comes as Elastic detailed a new syscall hooking technique called FlipSwitch that has been devised in the aftermath of fundamental changes introduced to the Linux kernel 6.9 to allow malware to hide its presence on infected hosts. “Traditional rootkit techniques relied on direct syscall table manipulation, but modern kernels have moved to a switch-statement based dispatch mechanism,” security researcher Remco Sprooten said .

“Instead of modifying the syscall table, it locates and patches specific call instructions inside the kernel’s dispatch function. This approach allows for precise and reliable hooking, and all changes are fully reverted when the module is unloaded.” Crypto laundering plea deal California Resident Pleads Guilty to Laundering $263M in Stolen Crypto Heist Evan Tangeman, a 22-year-old California resident, pleaded guilty to RICO conspiracy charges after being accused of buying homes and laundering $3.5 million on behalf of a criminal gang that stole cryptocurrency through social engineering schemes. “The enterprise began no later than October 2023 and continued through at least May 2025. It grew from friendships developed on online gaming platforms and consisted of individuals based in California, Connecticut, New York, Florida, and abroad,” the Justice Department (DoJ) said .

“Tangeman was a money launderer for the group that also included database hackers, organizers, target identifiers, callers, and residential burglars targeting hardware virtual currency wallets.” Members of the group were previously charged with stealing more than $263 million worth of cryptocurrency from a victim in Washington, D.C. Spyware warnings go global Apple and Google Send New Spyware Alerts Apple and Google have sent a new round of spyware notifications to users in nearly 80 countries, according to a report from Reuters. There are currently no details about what kind of spyware the victims were targeted with. Neither company provided information on the number of users targeted or who they thought was behind the surveillance efforts.

EU greenlights Meta’s ad model E.U. Approves Meta’s Tweaked Pay-or-Consent Ad Model The European Commission has given its stamp of approval to a Meta proposal to give Instagram and Facebook users an option to share less personal data and see fewer personalized ads. The new option goes into effect in January 2026. “Meta will give users the effective choice between consenting to share all their data and seeing fully personalized advertising, and opting to share less personal data for an experience with more limited personalized advertising,” the Commission said .

The move comes after the social media giant was fined €200 million in April 2025 (then $227 million) for violating the bloc’s Digital Markets Act (DMA) over the binary choice it gives E.U. users to either pay to access ad-free versions of the platforms or agree to being tracked in exchange for targeted ads. In a post last week, Austrian non-profit None of Your Business (noyb) published a survey that said “when there’s a ‘pay,’ a ‘consent,’ and an ‘advertising, but no tracking’ option, […] 7 out of 10 people then choose the ‘advertising, but no tracking’ option.” Mass alert for Lumma victims New Zealand Notifies Citizens Infected by Lumma Stealer New Zealand’s National Cyber Security Centre (NCSC) said it’s notifying around 26,000 users who have been infected with Lumma Stealer , in what it described as the first large-scale public outreach. “The malicious software is designed to steal sensitive information, like email addresses and passwords, from devices typically for the purposes of fraud or identity theft,” it said .

“The use of Lumma Stealer and other similar malware by cyber criminals is an ongoing international issue.” Update closes hijack flaw Notepad++ Releases Update to Address Exploited Critical Flaw Notepad++ has released version 8.8.9 to fix a critical flaw in the open-source text and source code editor for Windows. This bug, according to security researcher Kevin Beaumont, was being abused by threat actors in China to hijack traffic from WinGUp (the Notepad++ updater), redirect it to malicious servers, and then trick people into downloading malware. “Verify certificate and signature on downloaded update installer,” reads the release notes for version 8.8.9. “The review of the reports led to the identification of a weakness in the way the updater validates the integrity and authenticity of the downloaded update file,” Notepad++ maintainers said .

“In case an attacker is able to intercept the network traffic between the updater client and the Notepad++ update infrastructure, this weakness can be leveraged by an attacker to prompt the updater to download and execute an unwanted binary (instead of the legitimate Notepad++ update binary).” Telegram tightens cyber controls Telegram Increases Crackdown on Cybercrime A new report from Kaspersky examining more than 800 blocked Telegram channels that existed between 2021 and 2024 has revealed that the “median lifespan of a shadow Telegram channel increased from five months in 2021-2022 to nine months in 2023-2024” The messaging app also appears to be increasingly blocking cybercrime-focused channels since October 2024, prompting threat actors to migrate to other platforms. UK targets info warfare actors U.K. Sanctions Russian and Chinese Firms Over Information Warfare The U.K. has imposed new sanctions against several Russian and Chinese organizations accused of undermining the West through cyber attacks and influence operations.

The actions target two Chinese entities, I-Soon and the Integrity Technology Group (aka Flax Typhoon), as well as a Telegram channel Ryber and its co-owner, Mikhail Zvinchuk, an organization called Pravfond that’s believed to be a front for the GRU, and the Centre for Geopolitical Expertise, a Moscow-based think tank founded by Aleksandr Dugin. “I-Soon and Integrity Tech are examples of the threat posed by the cyber industry in China, which includes information security companies, data brokers (that collect and sell personal data), and ‘hackers for hire,’” the U.K. government said. “Some of these companies provide cyber services to the Chinese intelligence services.” Millions still using Log4Shell Log4Shell Downloaded Nearly 40M Times This Year A new analysis from Sonatype has revealed that about 13% of all Log4j downloads in 2025 are susceptible to Log4Shell.

“In 2025 alone, there were nearly 300 million total Log4j downloads,” the supply chain security company said . “Of those, about 13% – roughly 40 million downloads — were still vulnerable versions. Given that safe alternatives have been available for nearly four years, every one of those vulnerable downloads represents risk that could have been avoided.” China, the United States, India, Japan, Brazil, Germany, the United Kingdom, Canada, South Korea, and France accounted for a huge chunk of the vulnerable downloads. India weighs constant tracking India Mulls Proposal for Phone-Location Surveillance The Indian government is reportedly reviewing a telecom industry proposal to force smartphone firms to enable satellite location tracking that is always activated for better surveillance, with no option for users to disable it, Reuters revealed .

The idea is to get precise locations when legal requests are made to telecom firms during investigations, the news agency added. The move has been opposed by Apple, Google, and Samsung. Amnesty International has called the plan “deeply concerning.” GlobalProtect scans spike Scans for Palo Alto Networks GlobalProtect Portals Surge Again A “concentrated spike” comprising more than 7,000 IP addresses has been observed attempting to log into Palo Alto Networks GlobalProtect portals. The activity, which originated from infrastructure operated by 3xK GmbH, was observed on December 2, 2025.

GreyNoise said the December wave shares three identical client fingerprints with a prior wave observed between late September and mid-October. The threat intelligence firm said it also recorded a surge in scanning against SonicWall SonicOS API endpoints a day later. Both the attack waves have been attributed to the same threat actor. OpenAI warns of AI misuse OpenAI Warns of Cybersecurity Risks from AI Models Artificial intelligence (AI) company OpenAI said there is a need for strengthening resilience as cyber capabilities in AI models advance rapidly, posing dual-use risks.

To that end, the firm said it’s investing in safeguards to help ensure these capabilities mainly benefit defensive uses and limit their use for malicious purposes. This includes: (1) Training the model to refuse or safely respond to harmful requests, (2) Maintaining system-wide monitoring across products that use frontier models to detect malicious cyber activity, and (3) End-to-end red teaming. “As these capabilities advance, OpenAI is investing in strengthening our models for defensive cybersecurity tasks and creating tools that enable defenders to more easily perform workflows such as auditing code and patching vulnerabilities,” the company said . “Our goal is for our models and products to bring significant advantages for defenders, who are often outnumbered and under-resourced.” Android malware fakes ransomware DroidLock Locks Android Devices with a Ransomware-Like Overlay Spanish Android users have become the target of a new malware called DroidLock that propagates via dropper apps hosted on phishing websites.

“It has the ability to lock device screens with a ransomware-like overlay and illegally acquire app lock credentials, leading to a total takeover of the compromised device,” Zimperium said . “It employs deceptive system update screens to trick victims and can stream and remotely control devices via VNC. The malware also exploits device administrator privileges to lock or erase data, capture the victim’s image with the front camera, and silence the device.” In all, it supports 15 distinct commands. While the malware does not actually have the ability to encrypt files, it displays a scary overlay that instructs victims to contact a Proton email address within 24 hours or risk getting their files destroyed.

Like other Android malware of its kind, it leverages accessibility services to carry out its malicious activities, including changing the device lock screen PIN or password, effectively locking users out. It also serves traditional WebView overlays atop targeting apps to capture credentials. Google tightens HTTPS validation New Security Requirements for HTTPS Certificate Issuers Google has announced that the Chrome Root Program and the CA/Browser Forum have taken steps to sunset 11 legacy methods for Domain Control Validation, a security-critical process designed to ensure certificates are only issued to the legitimate domain operator. “By retiring these outdated practices, which rely on weaker verification signals like physical mail, phone calls, or emails, we are closing potential loopholes for attackers and pushing the ecosystem toward automated, cryptographically verifiable security,” the company said .

The deprecation is expected to be carried out in phases and completed by March 2028. Torrent hides Agent Tesla Fake Leonardo DiCaprio Movie Torrent Drops Agent Tesla Cybersecurity researchers have warned of a new campaign that uses a fake torrent for the Leonardo DiCaprio starrer One Battle After Another as a launchpad for a complex infection chain that drops Agent Tesla malware. “Instead of the expected video file, users unknowingly download a compilation of PowerShell scripts and image archives that build into a memory-resident command-and-control (C2) agent, also known as a trojan (RAT – Remote Access Trojan) under the name of Agent Tesla,” Bitdefender said . “This type of malware is designed with a single purpose: to provide attackers with unfettered access to the victim’s Windows computer.” The attack is part of a growing trend of embedding malware in bogus multimedia files.

Earlier this May, a lure for Mission: Impossible – The Final Reckoning was used to spread Lumma Stealer. Leaked secrets flood Docker Hub Over 10K Docker Hub images Leak Secrets A new study from Flare has found that more than 10,000 Docker Hub container images are exposing credentials to production systems, CI/CD databases, or large language model (LLM) keys. “42% of exposed images contained five or more secrets each, meaning a single container could unlock an entire cloud environment, CI/CD pipeline, and database,” the company said . “AI LLM model keys were the most frequently leaked credentials, with almost 4,000 exposed, revealing how fast AI adoption has outpaced security controls.” The exposure represents severe risks, as it enables full access to cloud environments, Git repositories, CI/CD systems, payment integrations, and other core infrastructure components.

VS Code trojans disguised as PNGs 19 VS Code Extensions Contain Trojan Posing as PNG As many as 19 Microsoft Visual Studio Code (VS Code) extensions have been identified on the official Marketplace, with most of them embedding a malicious file that masquerades as a PNG image. The campaign, active since February 2025, was discovered last week. “The malicious files abused a legitimate npm package [path-is-absolute] to avoid detection and crafted an archive containing malicious binaries that posed as an image: A file with a PNG extension,” ReversingLabs researcher Petar Kirhmajer said . “For this latest campaign, the threat actor modified it by adding a few malicious files.

However, it’s important to note that these changes to the package are only available when it is installed locally through the 19 malicious extensions, and they are not actually part of the package hosted on npm.” The net effect is that the weaponized package is used to launch the attack as soon as one of the malicious extensions is used and VS Code is launched. The main purpose of the malicious code is to decode what appears to be a PNG file (“banner.png”), but, in reality, is an archive containing two binaries that are executed using the “cmstp.exe” living-off-the-land binary (LOLBin) by means of a JavaScript dropper. “One of these binaries is responsible for closing the LOLBin by emulating a key press, while the other binary is a more complicated Rust trojan,” ReversingLabs said. The extensions have since been removed by Microsoft from the Marketplace.

ValleyRAT builder dissected ValleyRAT’s Modular System Analyzed Check Point Research said it was able to reverse engineer the ValleyRAT (aka Winos or Winos4.0) backdoor and its plugins by examining a publicly leaked builder and its development structure. “The analysis reveals the advanced skills of the developers behind ValleyRAT, demonstrating deep knowledge of Windows kernel and user-mode internals, and consistent coding patterns suggesting a small, specialized team,” the cybersecurity company said . “The ‘Driver Plugin’ contains an embedded kernel-mode rootkit that, in some cases, retains valid signatures and remains loadable on fully updated Windows 11 systems, bypassing built-in protection features.” Specifically, the plugin facilitates stealthy driver installation, user-mode shellcode injection via APCs, and forceful deletion of AV/EDR drivers. The rootkit is based on the publicly available open-source project Hidden.

One of the other plugins is a login module that is designed to load additional components from an external server. ValleyRAT is attributed to a Chinese cybercrime group known as Silver Fox . Approximately 6,000 ValleyRAT-related samples have been detected in the wild between November 2024 and November 2025, in addition to 30 distinct variants of the ValleyRAT builder and 12 variants of the rootkit driver. AI chat guides spread stealers Shared ChatGPT and Grok Guides Distribute Infotealers In a new campaign , threat actors are abusing the ability to share chats on OpenAI ChatGPT and Grok to surface them in search results, either via malvertising or search engine optimization (SEO) poisoning, to trick users into installing stealers like AMOS Stealer when searching for “sound not working on macOS,” “clear disk space on macOS,” or ChatGPT Atlas on search engines like Google.

The chat sessions are shared under the guise of troubleshooting or installation guides and include ClickFix-style instructions to launch the terminal and paste a command to address issues faced by the user. “Attackers are systematically weaponizing multiple AI platforms with SEO poisoning, and that it is not isolated to a single AI platform, page, or query, ensuring victims encounter poisoned instructions regardless of which tool they trust,” Huntress said . “Instead, multiple AI-style conversations are being surfaced organically through standard search terms, each pointing victims toward the same multi-stage macOS stealer.” The development comes as platforms like itch.io and Patreon are being used by threat actors to distribute Lumma Stealer. “Newly created Itch.io accounts spam comments in different legitimate games, with templated text messages that show Patreon links to supposed game updates,” G DATA said .

These links direct to ZIP archives containing a malicious executable that’s compiled with nexe and runs a six-levels of anti-analysis checks before dropping the stealer malware. Cybersecurity isn’t just a tech issue anymore—it’s part of daily life. The same tools that make work and communication easier are the ones attackers now use to slip in unnoticed. Every alert, patch, or policy shift connects to a bigger story about how fragile digital trust has become.

As threats keep evolving, staying aware is the only real defense. The Threatsday Bulletin exists for that reason—to cut through the noise and show what actually matters in cybersecurity right now. Read on for this week’s full rundown of breaches, discoveries, and decisions shaping the digital world. Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

NANOREMOTE Malware Uses Google Drive API for Hidden Control on Windows Systems

Cybersecurity researchers have disclosed details of a new fully-featured Windows backdoor called NANOREMOTE that uses the Google Drive API for command-and-control (C2) purposes. According to a report from Elastic Security Labs, the malware shares code similarities with another implant codenamed FINALDRAFT (aka Squidoor) that employs Microsoft Graph API for C2. FINALDRAFT is attributed to a threat cluster known as REF7707 (aka CL-STA-0049, Earth Alux, and Jewelbug). “One of the malware’s primary features is centered around shipping data back and forth from the victim endpoint using the Google Drive API,” Daniel Stepanic, principal security researcher at Elastic Security Labs, said.

“This feature ends up providing a channel for data theft and payload staging that is difficult for detection. The malware includes a task management system used for file transfer capabilities that include queuing download/upload tasks, pausing/resuming file transfers, canceling file transfers, and generating refresh tokens.” REF7707 is believed to be a suspected Chinese activity cluster that has targeted governments, defense, telecommunication, education, and aviation sectors in Southeast Asia and South America as far back as March 2023, per Palo Alto Networks Unit 42. In October 2025, Broadcom-owned Symantec attributed the hacking group to a five-month-long intrusion targeting a Russian IT service provider. The exact initial access vector used to deliver NANOREMOTE is currently not known.

However, the observed attack chain includes a loader named WMLOADER that mimics a Bitdefender’s crash handling component (“BDReinit.exe”) and decrypts shellcode responsible for launching the backdoor. Written in C++, NANOREMOTE is equipped to perform reconnaissance, execute files and commands, and transfer files to and from victim environments using the Google Drive API. It’s also preconfigured to communicate with a hard-coded, non-routable IP address over HTTP to process requests sent by the operator and send the response back. “These requests occur over HTTP where the JSON data is submitted through POST requests that are Zlib compressed and encrypted with AES-CBC using a 16-byte key (558bec83ec40535657833d7440001c00),” Elastic said.

“The URI for all requests use /api/client with User-Agent (NanoRemote/1.0).” Its primary functionality is realized through a set of 22 command handlers that allow it to collect host information, carry out file and directory operations, run portable executable (PE) files already present on disk, clear cache, download/upload files to Google Drive, pause/resume/cancel data transfers, and terminate itself. Elastic said it identified an artifact (“ wmsetup.log “) uploaded to VirusTotal from the Philippines on October 3, 2025, that’s capable of being decrypted by WMLOADER with the same 16-byte key to reveal a FINALDRAFT implant, indicating that the two malware families are likely the work of the same threat actor. It’s unclear as to why the same hard-coded key is being used across both of them. “Our hypothesis is that WMLOADER uses the same hard-coded key due to being part of the same build/development process that allows it to work with various payloads,” Stepanic said.

“This appears to be another strong signal suggesting a shared codebase and development environment between FINALDRAFT and NANOREMOTE.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

The Impact of Robotic Process Automation (RPA) on Identity and Access Management

As enterprises refine their strategies for handling Non-Human Identities (NHIs), Robotic Process Automation (RPA) has become a powerful tool for streamlining operations and enhancing security. However, since RPA bots have varying levels of access to sensitive information, enterprises must be prepared to mitigate a variety of challenges. In large organizations, bots are starting to outnumber human employees, and without proper identity lifecycle management, these bots increase security risks. RPA impacts Identity and Access Management (IAM) by managing bot identities, enforcing least-privilege access and ensuring auditability across all accounts.

Continue reading to learn more about RPA, its challenges with IAM and best practices organizations should follow to secure RPA within IAM. What is Robotic Process Automation (RPA)? Robotic Process Automation (RPA) uses bots to automate repetitive tasks that are traditionally performed by human users. In the context of IAM, RPA plays an essential role in streamlining the user lifecycle, including provisioning, deprovisioning and secure access to credentials.

These RPA bots act as NHIs and require governance just as human users do for authentication, access controls and privileged session monitoring. As RPA adoption grows, IAM systems must consistently manage both human identities and NHIs within a unified security framework. Here are the key benefits of RPA: Improved efficiency and speed: RPA automates time-consuming, repetitive tasks like provisioning and deprovisioning, enabling IT teams to focus on higher-priority tasks. Better accuracy: RPA minimizes human error and reduces the risk of misconfigurations by following pre-defined scripts.

Bots also automate credential handling and eliminate common issues like password reuse. Enhanced security: RPA strengthens IAM by triggering immediate deprovisioning once an employee leaves an organization. Automated bots can also detect and respond to behavioral anomalies in real time, limiting the impact of unauthorized access. Stronger compliance: RPA supports regulatory compliance mandates by automatically logging every bot action and enforcing access policies.

Combined with zero-trust security principles, RPA enables continuous verification of all identities — human or machine. Challenges RPA introduces into IAM As organizations scale their use of RPA, several challenges emerge that can weaken the efficiency of existing IAM strategies, including bot management, larger attack surfaces and integration difficulties. Managing bots RPA bots are taking on more critical tasks across enterprises, and managing their identities and access becomes a top priority. Unlike human users, bots work silently in the background but still require authentication and authorization.

Without appropriate identity governance, improperly monitored bots can create security gaps within an organization’s IAM. A common problem is how bots store credentials, often embedding hardcoded passwords or API keys in scripts or configuration files. Increased attack surface Each RPA bot has a new NHI, and each NHI introduces a potential attack vector for cybercriminals to exploit. Without strictly enforcing the Principle of Least Privilege (PoLP), bots may be overprovisioned with access that exceeds their needs for repetitive tasks.

If compromised, bots can be used to move laterally within a network or exfiltrate sensitive data. Securing bots’ privileged access and managing their credentials with Just-in-Time (JIT) access is crucial to maintaining zero-trust security. Integration difficulties Many legacy IAM systems were not built with modern RPA integrations in mind, making it challenging for enterprises to enforce consistent access policies across both human users and NHIs. Integration gaps can result in unmanaged credentials, insufficient audit trails and inconsistent enforcement of access controls.

Without alignment between RPA and IAM, organizations risk having less visibility and inconsistencies across automated processes. Best practices for securing RPA within IAM Securing RPA within IAM requires more than just granting bots access; organizations must treat automated processes with the same attention to detail as they do for human users. Here are some best practices to ensure RPA deployments remain secure and aligned with zero-trust security principles. 1.

Prioritize bot identities Treating RPA bots as first-class identities is crucial to maintaining strong IAM. Since bots interact with core systems and often operate with elevated privileges, it’s important to ensure each bot has only the minimum level of access required for its specific task. Each bot should be assigned an identity with its own unique credentials so they are never shared or reused across other bots or services. This approach to bot management allows security teams to grant or revoke access without disrupting broader workflows and to better track each bot’s activities.

1. Use a secrets manager RPA bots typically interact with critical systems and APIs, relying on credentials or SSH keys to function. Storing these secrets in plaintext configuration files or scripts makes them easy targets for cybercriminals and difficult to securely rotate. A dedicated secrets management tool like Keeper® ensures that all credentials are encrypted and centrally managed in a zero-knowledge vault.

Secrets can be retrieved at runtime, so they never reside in memory or on a device. 3. Implement PAM Bots that perform repetitive, administrative tasks often require privileged access, making Privileged Access Management (PAM) essential. PAM solutions should enforce JIT access, ensuring bots receive privileged access only when needed and for a limited time.

With session monitoring and recording to maintain transparency and detect unusual bot activity, implementing PAM eliminates standing access and helps prevent privilege escalation. 4. Strengthen authentication with MFA Human users managing RPA bots must be required to authenticate using Multi-Factor Authentication (MFA). Since MFA is not practical for bot accounts themselves, having an extra layer of protection for the users managing them helps prevent unauthorized access to critical systems, sensitive data and privileged credentials.

In addition, organizations should adopt Zero-Trust Network Access (ZTNA) principles by continuously verifying bot identities and context, not only at login but throughout each privileged session. Secure the future of automation with IAM Automation continues to transform how enterprises operate, largely driven by the rise of NHIs like RPA bots. To keep up with this technological evolution, organizations must adjust their IAM strategies to accommodate and secure both human users and automated bots. KeeperPAM® helps enterprises close potential security gaps, such as credential theft and privilege misuse, by providing a unified platform for managing credentials, enforcing PoLP, monitoring privileged sessions and managing the full identity lifecycle of every identity — human or not.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

WIRTE Leverages AshenLoader Sideloading to Install the AshTag Espionage Backdoor

An advanced persistent threat (APT) known as WIRTE has been attributed to attacks targeting government and diplomatic entities across the Middle East with a previously undocumented malware suite dubbed AshTag since 2020 . Palo Alto Networks Unit 42 is tracking the activity cluster under the name Ashen Lepus . Artifacts uploaded to the VirusTotal platform show that the threat actor has trained its sights on Oman and Morocco, indicating an expansion in operational scope beyond the Palestinian Authority, Jordan, Iraq, Saudi Arabia, and Egypt. The company told The Hacker News said it has observed “scores of unique lures” disseminated across the Middle East, indicating a “persistent and wide-reaching campaign” confined to government and diplomatic entities in the region.

More than a dozen entities are estimated to have been targeted, although it’s suspected that the real number could be higher. “Ashen Lepus remained persistently active throughout the Israel-Hamas conflict, distinguishing it from other affiliated groups whose activities decreased over the same period,” the cybersecurity company said in a report shared with The Hacker News. “Ashen Lepus continued with its campaign even after the October 2025 Gaza ceasefire, deploying newly developed malware variants and engaging in hands-on activity within victim environments.” WIRTE, which overlaps with an Arabic-speaking, politically motivated cluster known as Gaza Cyber Gang (aka Blackstem, Extreme Jackal, Molerats, or TA402), is assessed to be active since at least 2018. According to a report from Cybereason, both Molerats and APT-C-23 (aka Arid Viper , Desert Varnish, or Renegade Jackal) are two main sub-groups of the Hamas cyberwarfare division.

It’s primarily driven by espionage and intelligence collection, targeting government entities in the Middle East to meet its strategic objectives. “Specifically, the connection between WIRTE (Ashen Lepus) to the broader Gaza Cyber Gang is primarily evidenced by code overlaps and similarities,” Unit 42 researchers said. “This suggests that while they operate independently, the tools were developed by close entities and they likely share development resources. We have also seen overlap in other groups’ victimology.” In a report published in November 2024, Check Point attributed the hacking crew to destructive attacks exclusively aimed at Israeli entities to infect them with a custom wiper malware referred to as SameCoin, highlighting their ability to adapt and carry out both espionage and sabotage.

The long-running, elusive campaign detailed by Unit 42, going all the way back to 2018, has been found to leverage phishing emails with lures related to geopolitical affairs in the region. A recent increase in lures related to Turkey – e.g., “Partnership agreement between Morocco and Turkey” or “Draft resolutions concerning the State of Palestine” – suggests that entities in the country may be a new area of focus. The attack chains commence with a harmless PDF decoy that tricks recipients into downloading a RAR archive from a file-sharing service. Opening the archive triggers a chain of events that results in the deployment of AshTag.

This involves using a renamed benign binary to sideload a malicious DLL dubbed AshenLoader that, in addition to opening a decoy PDF file to keep up the ruse, contacts an external server to drop two more components, a legitimate executable and a DLL payload called AshenStager (aka stagerx64) that’s again sideloaded to launch the malware suite in memory to minimize forensic artifacts. AshTag is a modular .NET backdoor that’s designed to facilitate persistence and remote command execution, while masquerading as a legitimate VisualServer utility to fly under the radar. Internally, its features are realized by means of an AshenOrchestrator to enable communications and to run additional payloads in memory. These payloads serve different purposes - Persistence and process management Update and removal Screen capture File explorer and management System fingerprinting In one case, Unit 42 said it observed the threat actor accessing a compromised machine to conduct hands-on data theft by staging documents of interest in the C:\Users\Public folder.

These files are said to have been downloaded from a victim’s email inbox, their end goal being the theft of diplomacy-related documents. The documents were then exfiltrated to an attacker-controlled server using the Rclone utility. It’s assessed that data theft has likely occurred across the broader victim population, particularly in environments where advanced detection capabilities are absent. “Ashen Lepus remains a persistent espionage actor, demonstrating a clear intent to continue its operations throughout the recent regional conflict – unlike other affiliated threat groups, whose activity significantly decreased,” the company concluded.

“The threat actors’ activities throughout the last two years in particular highlight their commitment to constant intelligence collection.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Unpatched Gogs Zero-Day Exploited Across 700+ Instances Amid Active Attacks

A high-severity unpatched security vulnerability in Gogs has come under active exploitation, with more than 700 compromised instances accessible over the internet, according to new findings from Wiz. The flaw, tracked as CVE-2025-8110 (CVSS score: 8.7), is a case of file overwrite in the file update API of the Go-based self-hosted Git service. A fix for the issue is said to be currently in the works. The company said it accidentally discovered the zero-day flaw in July 2025 while investigating a malware infection on a customer’s machine.

“Improper symbolic link handling in the PutContents API in Gogs allows local execution of code,” according to a description of the vulnerability in CVE.org. The cloud security company said CVE-2025-8110 is a bypass for a previously patched remote code execution flaw ( CVE-2024-55947 , CVSS score: 8.7) that allows an attacker to write a file to an arbitrary path on the server and gain SSH access to the server. CVE-2024-55947 was addressed by the painters in December 2024. Wiz said the fix put in place by Gogs to resolve CVE-2024-55947 could be circumvented by taking advantage of the fact that Git (and therefore, Gogs) allows symbolic links to be used in git repositories, and those symlinks can point to files or directories outside the repository.

Additionally, the Gogs API allows file modification outside of the regular Git protocol. As a result, this failure to account for symlinks could be exploited by an attacker to achieve arbitrary code execution through a four-step process - Create a standard git repository Commit a single symbolic link pointing to a sensitive target Use the PutContents API to write data to the symlink, causing the system to follow the link and overwrite the target file outside the repository Overwrite “.git/config” (specifically the sshCommand) to execute arbitrary commands As for the malware deployed in the activity, it’s assessed to be a payload based on Supershell , an open-source command-and-control (C2) framework often used by Chinese hacking groups that can establish a reverse SSH shell to an attacker-controlled server (“119.45.176[.]196”). Wiz said that the attackers behind the exploitation of CVE-2025-8110 left behind the created repositories (e.g., “IV79VAew / Km4zoh4s”) on the customer’s cloud workload when they could have taken steps to delete or mark them as private following the infection. This carelessness points to a “smash-and-grab” style campaign, it added.

In all, there are about 1,400 exposed Gogs instances, out of which more than 700 have exhibited signs of compromise, particularly the presence of 8-character random owner/repository names. All the identified repositories were created around July 10, 2025. “This suggests that a single actor, or perhaps a group of actors all using the same tooling, are responsible for all infections,” researchers Gili Tikochinski and Yaara Shriki said. Given that the vulnerability does not have a fix, it’s essential that users disable open-registration, limit exposure to the internet, and scan instances for repositories with random 8-character names.

The disclosure comes as Wiz also warned that threat actors are targeting leaked GitHub Personal Access Tokens (PAT) as high-value entry points to obtain initial access to victim cloud environments and even leverage them for cross-cloud lateral movement from GitHub to Cloud Service Provider (CSP) control plane. The issue at hand is that a threat actor with basic read permissions via a PAT can use GitHub’s API code search to discover secret names embedded directly in a workflow’s YAML code. To complicate matters further, if the exploited PAT has write permissions, attackers can execute malicious code and remove traces of their malicious activity. “Attackers leveraged compromised PATs to discover GitHub Action Secrets names in the codebase, and used them in newly created malicious workflows to execute code and obtain CSP secrets,” researcher Shira Ayal said .

“Threat actors have also been observed exfiltrating secrets to a webhook endpoint they control, completely bypassing Action logs.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Chrome Targeted by Active In-the-Wild Exploit Tied to Undisclosed High-Severity Flaw

Google on Wednesday shipped security updates for its Chrome browser to address three security flaws, including one it said has come under active exploitation in the wild. The vulnerability, rated high in severity, is being tracked under the Chromium issue tracker ID “ 466192044 .” Unlike other disclosures, Google has opted to keep information about the CVE identifier, the affected component, and the nature of the flaw under wraps. However, a GitHub commit for the Chromium bug ID has revealed that the issue resides in Google’s open-source Almost Native Graphics Layer Engine ( ANGLE ) library, with the commit message stating “Metal: Don’t use pixelsDepthPitch to size buffers. pixelsDepthPitch is based on GL_UNPACK_IMAGE_HEIGHT, which can be smaller than the image height.” This indicates the problem is likely a buffer overflow vulnerability in ANGLE’s Metal renderer triggered by improper buffer sizing, which could lead to memory corruption, program crashes, or arbitrary code execution.

“Google is aware that an exploit for 466192044 exists in the wild,” the company noted , adding that more details are “under coordination.” Naturally, the tech giant has also not disclosed any specifics on the identity of the threat actor behind the attacks, who may have been targeted, or the scale of such efforts. This is typically done so as to ensure that a majority of the users have applied the fixes and to prevent other bad actors from reverse engineering the patch and developing their own exploits. With the latest update, Google has addressed eight zero-day flaws in Chrome that have been either actively exploited or demonstrated as a proof-of-concept (PoC) since the start of the year. The list includes CVE-2025-2783, CVE-2025-4664, CVE-2025-5419, CVE-2025-6554, CVE-2025-6558, CVE-2025-10585, and CVE-2025-13223.

Also addressed by Google are two other medium-severity vulnerabilities - CVE-2025-14372 - Use-after-free in Password Manager CVE-2025-14373 - Inappropriate implementation in Toolbar To safeguard against potential threats, it’s advised to update their Chrome browser to versions 143.0.7499.109/.110 for Windows and Apple macOS, and 143.0.7499.109 for Linux. To make sure the latest updates are installed, users can navigate to More > Help > About Google Chrome and select Relaunch. Users of other Chromium-based browsers, such as Microsoft Edge, Brave, Opera, and Vivaldi, are also advised to apply the fixes as and when they become available. Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Active Attacks Exploit Gladinet’s Hard-Coded Keys for Unauthorized Access and Code Execution

Huntress is warning of a new actively exploited vulnerability in Gladinet’s CentreStack and Triofox products stemming from the use of hard-coded cryptographic keys that have affected nine organizations so far. “Threat actors can potentially abuse this as a way to access the web.config file, opening the door for deserialization and remote code execution,” security researcher Bryan Masters said . The use of hard-coded cryptographic keys could allow threat actors to decrypt or forge access tickets, enabling them to access sensitive files like web.config that can be exploited to achieve ViewState deserialization and remote code execution, the cybersecurity company added. The vulnerability has not been assigned a CVE identifier.

At its core, the issue is rooted in a function named “GenerateSecKey()” present in “GladCtrl64.dll” that’s used to generate the cryptographic keys necessary to encrypt access tickets containing authorization data (i.e., Username and Password) and enable access to the file system as a user, assuming the credentials are valid. Because the GenerateSecKey() function returns the same 100-byte text strings and these strings are used to derive the cryptographic keys, the keys never change and can be weaponized to decrypt any ticket generated by the server or even encrypt one of the attacker’s choosing. This, in turn, opens the door to a scenario where it can be exploited to access files containing valuable data, such as the web.config file, and obtain the machine key required to perform remote code execution via ViewState deserialization. The attacks, according to Huntress, take the form of specially crafted URL requests to the “/storage/filesvr.dn” endpoint, such as below - /storage/filesvr.dn t=vghpI7EToZUDIZDdprSubL3mTZ2:aCLI:8Zra5AOPvX4TEEXlZiueqNysfRx7Dsd3P5l6eiYyDiG8Lvm0o41m:ZDplEYEsO5ksZajiXcsumkDyUgpV5VLxL%7C372varAu The attack efforts have been found to leave the Username and Password fields blank, causing the application to fall back to the IIS Application Pool Identity.

What’s more, the timestamp field in the access ticket, which refers to the creation time of the ticket, is set to 9999, effectively creating a ticket that never expires, allowing the threat actors to reuse the URL indefinitely and download the server configuration. As of December 10, as many as nine organizations have been affected by the newly disclosed flaw. These organizations belong to a wide range of sectors, such as healthcare and technology. The attacks originate from the IP address 147.124.216[.]205 and attempt to chain together a previously disclosed flaw in the same applications ( CVE-2025-11371 ) with the new exploit to access the machine key from the web.config file.

“Once the attacker was able to obtain the keys, they performed a viewstate deserialization attack and then attempted to retrieve the output of the execution, which failed,” Huntress said. In light of active exploitation, organizations that are using CentreStack and Triofox should update to the latest version, 16.12.10420.56791, released on December 8, 2025. Additionally, it’s advised to scan logs for the presence of the string “vghpI7EToZUDIZDdprSubL3mTZ2,” which is the encrypted representation of the web.config file path. In the event indicators or compromise (IoCs) are detected, it’s imperative that the machine key is rotated by following the steps below - On Centrestack server, go to Centrestack installation folder C:\Program Files (x86)\Gladinet Cloud Enterprise\root Make a backup of web.config Open IIS Manager Navigate to Sites -> Default Web Site In the ASP.NET section, double click Machine Key Click ‘Generate Keys’ on the right pane Click Apply to save it to root\web.config Restart IIS after repeating the same step for all worker nodes The development makes it the third vulnerability in CentreStack and Triofox that has come under active exploitation in the wild since the start of the year, after CVE-2025-30406 and CVE-2025-11371 .

Huntress told The Hacker News that it’s possible the activity is the work of a single threat actor. “We can’t say for certain it’s the same threat actor, but there’s strong circumstantial evidence,” Anna Pham, senior hunt and response analyst at Huntress, said. “The threat actor is chaining all three Gladinet vulnerabilities in a single, orchestrated attack flow and attempts to use CVE-2025-11371 for output exfiltration after achieving RCE. That’s a pre-built workflow suggesting familiarity with these exploits from prior use.

At minimum, whoever this is has deep knowledge of Gladinet’s vulnerability history.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

React2Shell Exploitation Delivers Crypto Miners and New Malware Across Multiple Sectors

React2Shell continues to witness heavy exploitation, with threat actors leveraging the maximum-severity security flaw in React Server Components (RSC) to deliver cryptocurrency miners and an array of previously undocumented malware families, according to new findings from Huntress. This includes a Linux backdoor called PeerBlight, a reverse proxy tunnel named CowTunnel, and a Go-based post-exploitation implant referred to as ZinFoq. The cybersecurity company said it has observed attackers targeting numerous organizations via CVE-2025-55182, a critical security vulnerability in RSC that allows unauthenticated remote code execution. As of December 8, 2025, these efforts have been aimed at a wide range of sectors, but prominently the construction and entertainment industries.

The first recorded exploitation attempt on a Windows endpoint by Huntress dates back to December 4, 2025, when an unknown threat actor exploited a vulnerable instance of Next.js to drop a shell script, followed by commands to drop a cryptocurrency miner and a Linux backdoor. In two other cases, attackers were observed launching discovery commands and attempting to download several payloads from a command-and-control (C2) server. Some of the notable intrusions also singled out Linux hosts to drop the XMRig cryptocurrency miner, not to mention leveraged a publicly available GitHub tool to identify vulnerable Next.js instances before commencing the attack. “Based on the consistent pattern observed across multiple endpoints, including identical vulnerability probes, shell code tests, and C2 infrastructure, we assess that the threat actor is likely leveraging automated exploitation tooling,” Huntress researchers said.

“This is further supported by the attempts to deploy Linux-specific payloads on Windows endpoints, indicating the automation does not differentiate between target operating systems.” A brief description of some of the payloads downloaded in these attacks is as follows - sex.sh , a bash script that retrieves XMRig 6.24.0 directly from GitHub PeerBlight , a Linux backdoor that shares some code overlaps with two malware families RotaJakiro and Pink that came to light in 2021, installs a systemd service to ensure persistence, and masquerades as a “ ksoftirqd “ daemon process to evade detection CowTunnel , a reverse proxy that initiates an outbound connection to attacker-controlled Fast Reverse Proxy (FRP) servers, effectively bypassing firewalls that are configured to only monitor inbound connections ZinFoq , a Linux ELF binary that implements a post-exploitation framework with interactive shell, file operations, network pivoting, and timestomping capabilities d5.sh , a dropper script responsible for deploying the Sliver C2 framework fn22.sh , a “d5.sh” variant with an added self-update mechanism to fetch a new version of the malware and restart it wocaosinm.sh , a variant of the Kaiji DDoS malware that incorporates remote administration, persistence, and evasion capabilities PeerBlight supports capabilities to establish communications with a hard-coded C2 server (“185.247.224[.]41:8443”), allowing it to upload/download/delete files, spawn a reverse shell, modify file permissions, run arbitrary binaries, and update itself. The backdoor also makes use of a domain generation algorithm (DGA) and BitTorrent Distributed Hash Table (DHT) network as fallback C2 mechanisms. “Upon joining the DHT network, the backdoor registers itself with a node ID beginning with the hardcoded prefix LOLlolLOL,” the researchers explained. “This 9-byte prefix serves as an identifier for the botnet, with the remaining 11 bytes of the 20-byte DHT node ID randomized.” “When the backdoor receives DHT responses containing node lists, it scans for other nodes whose IDs start with LOLlolLOL.

When it finds a matching node, it knows this is either another infected machine or an attacker-controlled node that can provide C2 configuration.” Huntress said it identified over 60 unique nodes with the LOLlolLOL prefix, adding that multiple conditions have to be met in order for an infected bot to share its C2 configuration with another node: a valid client version, configuration availability on the responding bot’s side, and the correct transaction ID. Even when all the necessary conditions are satisfied, the bots are designed such that they only share the configuration about one-third of the time based on a random check, possibly in a bid to reduce network noise and avoid detection. ZinFoq, in a similar manner, beacons out to its C2 server and is equipped to parse incoming instructions to run commands using using “/bin/bash,” enumerate directories, read or delete files, download more payloads from a specified URL, exfiltrate files and system information, start/stop SOCKS5 proxy, enable/disable TCP port forwarding, alter file access and modification times, and establish a reverse pseudo terminal (PTY) shell connection. ZinFoq also takes steps to clear bash history and disguises itself as one of 44 legitimate Linux system services (e.g., “/sbin/audispd,” “/usr/sbin/ModemManager,” “/usr/libexec/colord,” or “/usr/sbin/cron -f”) to conceal its presence.

Organizations relying on react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack are advised to update immediately, given the “potential ease of exploitation and the severity of the vulnerability,” Huntress said. The development comes as the Shadowserver Foundation said it detected over 165,000 IP addresses and 644,000 domains with vulnerable code as of December 8, 2025, after “scan targeting improvements.” More than 99,200 instances are located in the U.S., followed by Germany (14,100), France (6,400), and India (4,500). Update In an update shared on December 10, 2025, Palo Alto Networks Unit 42 said it identified activity that likely overlaps with the Contagious Interview campaign to deliver EtherRAT . Also observed are two other known malware families tracked as BPFDoor and Auto-Color .

More than 50 organizations across a wide range of sectors, including financial services, business services, higher education, high-tech, government, management consulting, media, legal services, telecommunications, and retail, have been impacted. The U.S., Asia, South America, and the Middle East are among the most affected regions. The findings demonstrate a steady rise in malicious activity from a widening pool of attackers seeking to abuse React2Shell, with more than 15 distinct clusters engaging in intrusion activity ranging from opportunistic cryptominers to sophisticated backdoors and post-exploitation frameworks, per Wiz. “This is a patch-now situation, because exploitation is happening simultaneously across the entire threat landscape,” Christiaan Beek, senior director of threat intelligence and analytics at Rapid7, said.

“Our telemetry shows a surge in attacks, from low-skill opportunistic abuse, like Mirai bot deployments and coin-miners, to nation-state actors adapting this into their attack stack. We’re also seeing indicators linking this vulnerability exploitation to tooling previously used by ransomware groups.” VulnCheck has described the ongoing React2Shell exploitation as “likely to have a long tail,” urging organizations to factor in proof-of-concept (PoC) variants and possible payload modifications when designing detection strategies. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

.NET SOAPwn Flaw Opens Door for File Writes and Remote Code Execution via Rogue WSDL

New research has uncovered exploitation primitives in the .NET Framework that could be leveraged against enterprise-grade applications to achieve remote code execution. WatchTowr Labs, which has codenamed the “invalid cast vulnerability” SOAPwn , said the issue impacts Barracuda Service Center RMM, Ivanti Endpoint Manager (EPM), and Umbraco 8. But the number of affected vendors is likely to be longer given the widespread use of .NET. The findings were presented today by watchTowr security researcher Piotr Bazydlo at the Black Hat Europe security conference, which is being held in London.

SOAPwn essentially allows attackers to abuse Web Services Description Language (WSDL) imports and HTTP client proxies to execute arbitrary code in products built on the foundations of .NET due to errors in the way they handle Simple Object Access Protocol ( SOAP ) messages. “It is usually abusable through SOAP clients, especially if they are dynamically created from the attacker-controlled WSDL,” Bazydlo said. As a result, .NET Framework HTTP client proxies can be manipulated into using file system handlers and achieve arbitrary file write by passing as URL something like “file://" into a SOAP client proxy, ultimately leading to code execution. To make matters worse, it can be used to overwrite existing files since the attacker controls the full write path.

In a hypothetical attack scenario, a threat actor could leverage this behavior to supply a Universal Naming Convention ( UNC ) path (e.g., “file://attacker.server/poc/poc”) and cause the SOAP request to be written to an SMB share under their control. This, in turn, can allow an attacker to capture the NTLM challenge and crack it. That’s not all. The research also found that a more powerful exploitation vector can be weaponized in applications that generate HTTP client proxies from WSDL files using the ServiceDescriptionImporter class by taking advantage of the fact that it does not validate the URL used by the generated HTTP client proxy.

In this technique, an attacker can provide a URL that points to a WSDL file they control to vulnerable applications, and obtain remote code execution by dropping a fully functional ASPX web shell or additional payloads like CSHTML web shells or PowerShell scripts. Following responsible disclosure in March 2024 and July 2025, Microsoft has opted not to fix the vulnerability, stating the issue stems from either an application issue or behavior, and that “users should not consume untrusted input that can generate and run code.” The findings illustrate how expected behavior in a popular framework can become a potential exploit path that leads to NTLM relaying or arbitrary file writes. The issue has since been addressed in Barracuda Service Center RMM version 2025.1.1 ( CVE-2025-34392 , CVSS score: 9.8) and Ivanti EPM version 2024 SU4 SR1 ( CVE-2025-13659 , CVSS score: 8.8). The vulnerability in Umbraco 8 persists as it reached end-of-life (EoL) on February 24, 2025.

“It is possible to make SOAP proxies write SOAP requests into files rather than sending them over HTTP,” Bazydlo said. “In many cases, this leads to remote code execution through webshell uploads or PowerShell script uploads. The exact impact depends on the application using the proxy classes.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Three PCIe Encryption Weaknesses Expose PCIe 5.0+ Systems to Faulty Data Handling

Three security vulnerabilities have been disclosed in the Peripheral Component Interconnect Express (PCIe) Integrity and Data Encryption ( IDE ) protocol specification that could expose a local attacker to serious risks. The flaws impact PCIe Base Specification Revision 5.0 and onwards in the protocol mechanism introduced by the IDE Engineering Change Notice (ECN), according to the PCI Special Interest Group ( PCI-SIG ). “This could potentially result in security exposure, including but not limited to, one or more of the following with the affected PCIe component(s), depending on the implementation: (i) information disclosure, (ii) escalation of privilege, or (iii) denial of service,” the consortium noted . PCIe is a widely used high-speed standard to connect hardware peripherals and components, including graphics cards, sound cards, Wi-Fi and Ethernet adapters, and storage devices, inside computers and servers.

Introduced in PCIe 6.0, PCIe IDE is designed to secure data transfers through encryption and integrity protections. The three IDE vulnerabilities , discovered by Intel employees Arie Aharon, Makaram Raghunandan, Scott Constable, and Shalini Sharma, are listed below - CVE-2025-9612 (Forbidden IDE Reordering) – A missing integrity check on a receiving port may allow re-ordering of PCIe traffic, leading the receiver to process stale data. CVE-2025-9613 (Completion Timeout Redirection) – Incomplete flushing of a completion timeout may allow a receiver to accept incorrect data when an attacker injects a packet with a matching tag. CVE-2025-9614 (Delayed Posted Redirection) – Incomplete flushing or re-keying of an IDE stream may result in the receiver consuming stale, incorrect data packets.

PCI-SIG said that successful exploitation of the aforementioned vulnerabilities could undermine the confidentiality, integrity, and security objectives of IDE. However, the attacks hinge on obtaining physical or low-level access to the targeted computer’s PCIe IDE interface, making them low-severity bugs (CVSS v3.1 score: 3.0/CVSS v4 score: 1.8). “All three vulnerabilities potentially expose systems implementing IDE and Trusted Domain Interface Security Protocol (TDISP) to an adversary that can breach isolation between trusted execution environments,” it said. In an advisory released Tuesday, the CERT Coordination Center (CERT/CC) urged manufacturers to follow the updated PCIe 6.0 standard and apply the Erratum #1 guidance to their IDE implementations.

Intel and AMD have published their own alerts, stating the issues impact the following products - Intel Xeon 6 Processors with P-cores Intel Xeon 6700P-B/6500P-B series SoC with P-Cores. AMD EPYC 9005 Series Processors AMD EPYC Embedded 9005 Series Processors “End users should apply firmware updates provided by their system or component suppliers, especially in environments that rely on IDE to protect sensitive data,” CERT/CC said. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Warning: WinRAR Vulnerability CVE-2025-6218 Under Active Attack by Multiple Threat Groups

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a security flaw impacting the WinRAR file archiver and compression utility to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2025-6218 (CVSS score: 7.8), is a path traversal bug that could enable code execution. However, for exploitation to succeed, it requires a prospective target to visit a malicious page or open a malicious file.

“RARLAB WinRAR contains a path traversal vulnerability allowing an attacker to execute code in the context of the current user,” CISA said in an alert. The vulnerability was patched by RARLAB with WinRAR 7.12 in June 2025. It only affects Windows-based builds. Versions of the tool for other platforms, including Unix and Android, are not affected.

“This flaw could be exploited to place files in sensitive locations — such as the Windows Startup folder — potentially leading to unintended code execution on the next system login,” RARLAB noted at the time. The development comes in the wake of multiple reports from BI.ZONE, Foresiet, SecPod, and Synaptic Security that the vulnerability has been exploited by three different threat actors tracked as GOFFEE (aka Paper Werewolf), Bitter (aka APT-C-08 or Manlinghua), and Gamaredon. In an analysis published in August 2025, the Russian cybersecurity vendor said there are indications that GOFFEE may be exploited CVE-2025-6218 along with CVE-2025-8088 (CVSS score: 8.8), another path traversal flaw in WinRAR, in attacks targeting organizations in the country in July 2025 via phishing emails. It has since emerged that the South Asia-focused Bitter APT has also weaponized the vulnerability to facilitate persistence on the compromised host and ultimately drop a C# trojan by means of a lightweight downloader.

The attack leverages a RAR archive (“Provision of Information for Sectoral for AJK.rar”) that contains a benign Word document and a malicious macro template. “The malicious archive drops a file named Normal.dotm into Microsoft Word’s global template path,” Foresiet said last month. “Normal.dotm is a global template that loads every time Word is opened. By replacing the legitimate file, the attacker ensures their malicious macro code executes automatically, providing a persistent backdoor that bypasses standard email macro blocking for documents received after the initial compromise.” The C# trojan is designed to contact an external server (“johnfashionaccess[.]com”) for command-and-control (C2) and enable keylogging, screenshot capture, remote desktop protocol (RDP) credential harvesting, and file exfiltration.

It’s assessed that the RAR archives are propagated via spear-phishing attacks. Last but not least, CVE-2025-6218 has also been exploited by a Russian hacking group known as Gamaredon in phishing campaigns targeting Ukrainian military, governmental, political, and administrative entities to infect them with a malware referred to as Pteranodon . The activity was first observed in November 2025. “This is not an opportunistic campaign,” a security researcher who goes by the name Robin said .

“It is a structured, military-oriented espionage and sabotage operation consistent with, and likely coordinated by, Russian state intelligence.” It’s worth noting that the adversary has also extensively abused CVE-2025-8088, using it to deliver malicious Visual Basic Script malware and even deploy a new wiper codenamed GamaWiper. “This marks the first observed instance of Gamaredon conducting destructive operations rather than its traditional espionage activities,” ClearSky said in a November 30, 2025, post on X. In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary fixes by December 30, 2025, to secure their networks. Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Webinar: How Attackers Exploit Cloud Misconfigurations Across AWS, AI Models, and Kubernetes

Cloud security is changing. Attackers are no longer just breaking down the door; they are finding unlocked windows in your configurations, your identities, and your code. Standard security tools often miss these threats because they look like normal activity. To stop them, you need to see exactly how these attacks happen in the real world.

Next week, the Cortex Cloud team at Palo Alto Networks is hosting a technical deep dive to walk you through three recent investigations and exactly how to defend against them. Secure your spot for the live session ➜ What Experts Will Cover This isn’t a high-level overview. We are looking at specific, technical findings from the field. In this session, our experts will break down three distinct attack vectors that are bypassing traditional security right now: AWS Identity Misconfigurations: We will show how attackers abuse simple setup errors in AWS identities to gain initial access without stealing a single password.

Hiding in AI Models: You will see how adversaries mask malicious files in production by mimicking the naming structures of your legitimate AI models. Risky Kubernetes Permissions: We will examine “overprivileged entities”—containers that have too much power—and how attackers exploit them to take over infrastructure. We won’t just talk about the problems; we will show you the mechanics of the attacks. Register now to see the full breakdown of these threats.

Why This Matters for Your Team The core issue with these threats is the visibility gap. Often, the Cloud team builds the environment, and the SOC (Security Operations Center) monitors it, but neither side sees the full picture. In this webinar, we will demonstrate how Code-to-Cloud detection fixes this. We will show you how to use runtime intelligence and audit logs to spot these threats early.

The Takeaway By the end of this session, you will have actionable insights on how to: Audit your cloud logs for “invisible” intruders. Clean up risky permissions in Kubernetes. Apply AI-aware controls to protect your development pipeline. Don’t wait until you find these vulnerabilities in a breach report.

Join us next week and get the knowledge you need to close the gaps. Register for the Webinar ➜ Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Microsoft Issues Security Fixes for 56 Flaws, Including Active Exploit and Two Zero-Days

Microsoft closed out 2025 with patches for 56 security flaws in various products across the Windows platform, including one vulnerability that has been actively exploited in the wild. Of the 56 flaws, three are rated Critical, and 53 are rated Important in severity. Two other defects are listed as publicly known at the time of the release. These include 29 privilege escalation, 18 remote code execution, four information disclosure, three denial-of-service, and two spoofing vulnerabilities.

In total, Microsoft has addressed a total of 1,275 CVEs in 2025, according to data compiled by Fortra. Tenable’s Satnam Narang said 2025 also marks the second consecutive year where the Windows maker has patched over 1,000 CVEs. It’s the third time it has done so since Patch Tuesday’s inception. The update is in addition to 17 shortcomings the tech giant patched in its Chromium-based Edge browser since the release of the November 2025 Patch Tuesday update .

This also consists of a spoofing vulnerability in Edge for iOS ( CVE-2025-62223 , CVSS score: 4.3). The vulnerability that has come under active exploitation is CVE-2025-62221 (CVSS score: 7.8), a use-after-free in Windows Cloud Files Mini Filter Driver that could allow an authorized attacker to elevate privileges locally and obtain SYSTEM permissions. “File system filter drivers, aka minifilters, attach to the system software stack, and intercept requests targeted at a file system, and extend or replace the functionality provided by the original target,” Adam Barnett, lead software engineer at Rapid7, said in a statement. “Typical use cases include data encryption, automated backup, on-the-fly compression, and cloud storage.” “The Cloud Files minifilter is used by OneDrive, Google Drive, iCloud, and others, although as a core Windows component, it would still be present on a system where none of those apps were installed.” It’s currently not known how the vulnerability is being abused in the wild and in what context, but successful exploitation requires an attacker to obtain access to a susceptible system through some other means.

Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) have been credited with discovering and reporting the flaw. According to Mike Walters, president and co-founder of Action1, a threat actor could gain low-privileged access through methods like phishing, web browser exploits, or another known remote code execution flaw, and then chain it with CVE-2025-62221 to seize control of the host. Armed with this access, the attacker could deploy kernel components or abuse signed drivers to evade defenses and maintain persistence, and can be weaponized to achieve a domain-wide compromise when coupled with credential theft scenarios. The exploitation of CVE-2025-62221 has prompted the U.S.

Cybersecurity and Infrastructure Security Agency (CISA) to add it to the Known Exploited Vulnerabilities ( KEV ) catalog, mandating Federal Civilian Executive Branch (FCEB) agencies to apply the patch by December 30, 2025. The remaining two zero-days are listed below - CVE-2025-54100 (CVSS score: 7.8) - A command injection vulnerability in Windows PowerShell that allows an unauthorized attacker to execute code locally CVE-2025-64671 (CVSS score: 8.4) - A command injection vulnerability in GitHub Copilot for JetBrains that allows an unauthorized attacker to execute code locally “This is a command injection flaw in how Windows PowerShell processes web content,” Action1’s Alex Vovk said about CVE-2025-54100. “It lets an unauthenticated attacker execute arbitrary code in the security context of a user who runs a crafted PowerShell command, such as Invoke-WebRequest.” “The threat becomes significant when this vulnerability is combined with common attack patterns. For example, an attacker can use social engineering to persuade a user or admin to run a PowerShell snippet using Invoke-WebRequest, allowing a remote server to return crafted content that triggers the parsing flaw and leads to code execution and implant deployment.” It’s worth noting that CVE-2025-64671 comes in the wake of a broader set of security vulnerabilities collectively named IDEsaster that was recently disclosed by security researcher Ari Marzouk.

The issues arise as a result of adding agentic capabilities to an integrated development environment (IDE), exposing new security risks in the process. These attacks leverage prompt injections against the artificial intelligence (AI) agents embedded into IDEs and combine them with the base IDE layer to result in information disclosure or command execution. “This uses an ‘old’ attack chain of using a vulnerable tool, so not exactly part of the IDEsaster novel attack chain,” Marzouk, who is credited with discovering and reporting the flaw, told The Hacker News. “Specifically, a vulnerable ‘execute command’ tool where you can bypass the user-configured allow list.” Marzouk also said multiple IDEs were found vulnerable to the same attack, including Kiro.dev, Cursor ( CVE-2025-54131 ), JetBrains Junie ( CVE-2025-59458 ), Gemini CLI, Windsurf, and Roo Code ( CVE-2025-54377 , CVE-2025-57771 , and CVE-2025-65946 ).

Furthermore, GitHub Copilot for Visual Studio Code has been found to be susceptible to the vulnerability, although, in this case, Microsoft assigned it a “Medium” severity rating with no CVE. “The vulnerability states that it’s possible to gain code execution on affected hosts by tricking the LLM into running commands that bypass the guardrails and appending instructions in the user’s ‘auto-approve’ settings,” Kev Breen, senior director of cyber threat research at Immersive, said. “This can be achieved through ‘Cross Prompt Injection,’ which is where the prompt is modified not by the user but by the LLM agents as they craft their own prompts based on the content of files or data retrieved from a Model Context Protocol (MCP) server that has risen in popularity with agent-based LLMs.” Software Patches from Other Vendors In addition to Microsoft, security updates have also been released by other vendors over the past several weeks to rectify multiple vulnerabilities, including — Adobe Amazon Web Services AMD Arm ASUS Atlassian Bosch Broadcom (including VMware) Canon Cisco Citrix CODESYS Dell Devolutions Django Drupal F5 Fortinet Fortra GitLab Google Android and Pixel Google Chrome Google Cloud Google Pixel Watch Hitachi Energy HP HP Enterprise (including Aruba Networking and Juniper Networks) IBM Imagination Technologies Intel Ivanti Lenovo Linux distributions AlmaLinux , Alpine Linux , Amazon Linux , Arch Linux , Debian , Gentoo , Oracle Linux , Mageia , Red Hat , Rocky Linux , SUSE , and Ubuntu MediaTek Mitsubishi Electric MongoDB Moxa Mozilla Firefox and Firefox ESR NVIDIA OPPO Progress Software Qualcomm React Rockwell Automation Samsung SAP Schneider Electric Siemens SolarWinds Splunk Synology TP-Link WatchGuard Zoom , and Zyxel Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.