2025-12-31 AI创业新闻

CSA Issues Alert on Critical SmarterMail Bug Allowing Remote Code Execution

The Cyber Security Agency of Singapore (CSA) has issued a bulletin warning of a maximum-severity security flaw in SmarterTools SmarterMail email software that could be exploited to achieve remote code execution. The vulnerability, tracked as CVE-2025-52691 , carries a CVSS score of 10.0. It relates to a case of arbitrary file upload that could enable code execution without requiring any authentication. “Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution,” CSA said.

Vulnerabilities of this kind allow the upload of dangerous file types that are automatically processed within an application’s environment. This could pave the way for code execution if the uploaded file is interpreted and executed as code, as is the case with PHP files. In a hypothetical attack scenario, a bad actor could weaponize this vulnerability to place malicious binaries or web shells that could be executed with the same privileges as the SmarterMail service. SmarterMail is an alternative to enterprise collaboration solutions like Microsoft Exchange, offering features like secure email, shared calendars, and instant messaging.

According to information listed on the website , it’s used by web hosting providers like ASPnix Web Hosting, Hostek, and simplehosting.ch. CVE-2025-52691 impacts SmarterMail versions Build 9406 and earlier. It has been addressed in Build 9413 , which was released on October 9, 2025. CSA credited Chua Meng Han from the Centre for Strategic Infocomm Technologies (CSIT) for discovering and reporting the vulnerability.

While the advisory makes no mention of the flaw being exploited in the wild, users are advised to update to the latest version (Build 9483, released on December 18, 2025) for optimal protection. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Silver Fox Targets Indian Users With Tax-Themed Emails Delivering ValleyRAT Malware

The threat actor known as Silver Fox has turned its focus to India, using income tax-themed lures in phishing campaigns to distribute a modular remote access trojan called ValleyRAT (aka Winos 4.0). “This sophisticated attack leverages a complex kill chain involving DLL hijacking and the modular Valley RAT to ensure persistence,” CloudSEK researchers Prajwal Awasthi and Koushik Pal said in an analysis published last week. Also tracked as SwimSnake, The Great Thief of Valley (or Valley Thief), UTG-Q-1000, and Void Arachne, Silver Fox is the name assigned to an aggressive cybercrime group from China that has been active since 2022. It has a track record of orchestrating a variety of campaigns whose motives range from espionage and intelligence collection to financial gain, cryptocurrency mining, and operational disruption, making it one of the few hacking crews with a multi-pronged approach to their intrusion activity.

Primarily focused on Chinese-speaking individuals and organisations, Silver Fox’s victimology has broadened to include organizations operating in the public, financial, medical, and technology sectors. Attacks mounted by the group have leveraged search engine optimization (SEO) poisoning and phishing to deliver variants of Gh0st RAT such as ValleyRAT , Gh0stCringe , and HoldingHands RAT (aka Gh0stBins). In the infection chain documented by CloudSEK, phishing emails containing decoy PDFs purported to be from India’s Income Tax Department are used to deploy ValleyRAT. Specifically, opening the PDF attachment takes the recipient to the “ggwk[.]cc” domain, from where a ZIP file (“tax affairs.zip”) is downloaded.

Present within the archive is a Nullsoft Scriptable Install system (NSIS) installer of the same name (“tax affairs.exe”), which, in turn, leverages a legitimate executable associated with Thunder (“thunder.exe”), a download manager for Windows developed by Xunlei, and a rogue DLL (“libexpat.dll”) that’s sideloaded by the binary. The DLL, for its part, disables the Windows Update service and serves as a conduit for a Donut loader, but not before performing various anti-analysis and anti-sandbox checks to ensure that the malware can run unimpeded on the compromised host. The lander then injects the final ValleyRAT payload into a hollowed “explorer.exe” process. ValleyRAT is designed to communicate with an external server and await further commands.

It implements a plugin-oriented architecture to extend its functionality in an ad hoc manner, thereby allowing its operators to deploy specialized capabilities to facilitate keylogging, credential harvesting, and defense evasion. “Registry-resident plugins and delayed beaconing allow the RAT to survive reboots while remaining low-noise,” CloudSEK said. “On-demand module delivery enables targeted credential harvesting and surveillance tailored to victim role and value.” The disclosure comes as NCC Group said it identified an exposed link management panel (“ssl3[.]space”) used by Silver Fox to track download activity related to malicious installers for popular applications, including Microsoft Teams, to deploy ValleyRAT. The service hosts information related to - Web pages hosting backdoor installer applications The number of clicks a download button on a phishing site receives per day Cumulative number of clicks a download button has received since launch The bogus sites created by Silver Fox have been found to impersonate CloudChat, FlyVPN, Microsoft Teams, OpenVPN, QieQie, Santiao, Signal, Sigua, Snipaste, Sogou, Telegram, ToDesk, WPS Office, and Youdao, among others.

An analysis of the origin IP addresses that have clicked on the download links has revealed that at least 217 clicks originated from China, followed by the U.S. (39), Hong Kong (29), Taiwan (11), and Australia (7). “Silver Fox leveraged SEO poisoning to distribute backdoor installers of at least 20 widely used applications, including communication tools, VPNs, and productivity apps,” researchers Dillon Ashmore and Asher Glue said . “These primarily target Chinese-speaking individuals and organisations in China, with infections dating back to July 2025 and additional victims across Asia-Pacific, Europe, and North America.” Distributed via these sites is a ZIP archive that contains an NSIS-based installer that’s responsible for configuring Microsoft Defender Antivirus exclusions, establishing persistence using scheduled tasks, and then reaching out to a remote server to fetch the ValleyRAT payload.

The findings coincide with a recent report from ReliaQuest, which attributed the hacking group to a false flag operation mimicking a Russian threat actor in attacks targeting organizations in China using Teams-related lure sites in an attempt to complicate attribution efforts. “Data from this panel shows hundreds of clicks from mainland China and victims across Asia-Pacific, Europe, and North America, validating the campaign’s scope and strategic targeting of Chinese-speaking users,” NCC Group said. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

How to Integrate AI into Modern SOC Workflows

Artificial intelligence (AI) is making its way into security operations quickly, but many practitioners are still struggling to turn early experimentation into consistent operational value. This is because SOCs are adopting AI without an intentional approach to operational integration. Some teams treat it as a shortcut for broken processes. Others attempt to apply machine learning to problems that are not well defined.

Findings from our 2025 SANS SOC Survey reinforce that disconnect. A significant portion of organizations are already experimenting with AI, yet 40 percent of SOCs use AI or ML tools without making them a defined part of operations, and 42 percent rely on AI/ML tools “out of the box” with no customization at all. The result is a familiar pattern. AI is present inside the SOC but not operationalized.

Analysts use it informally, often with mixed reliability, while leadership has not yet established a consistent model for where AI belongs, how its output should be validated, or which workflows are mature enough to benefit from augmentation. AI can realistically improve SOC capability, maturity, process repeatability, as well as staff capacity and satisfaction. It only works when teams narrow the scope of the problem, validate their logic, and treat the output with the same rigor they expect from any engineering effort. The opportunity isn’t in creating new categories of work, but in refining the ones that already exist and enabling testing, development, and experimentation for expansion of existing capabilities.

When AI is applied to a specific, well-bounded task and paired with a clear review process, its impact becomes both more predictable and more useful. Here are five areas where AI can provide reliable support for your SOC. 1. Detection Engineering Detection engineering is fundamentally about building a high-quality alert that can be placed into a SIEM, an MDR pipeline, or another operational system.

To be viable, the logic needs to be developed, tested, refined, and operationalized with a level of confidence that leaves little room for ambiguity. This is where AI tends to be ineffectively applied. Unless it’s the targeted outcome, don’t assume AI will fix deficiencies in DevSecOps or resolve issues in the alerting pipeline. AI can be useful when applied to a well-defined problem that can support ongoing operational validation and tuning.

One clear example from the SANS SEC595: Applied Data Science and AI/ML for Cybersecurity course is a machine learning exercise that examines the first eight bytes of a packet’s stream to determine whether traffic reconstructs as DNS. If the reconstruction does not match anything previously seen for DNS, the system raises a high-fidelity alert. The value comes from the precision of the task and the quality of the training process, not from broad automation. The anticipated implementation is to inspect all flows on UDP/53 (and TCP/53) and assess the reconstruction loss from a machine learning tuned autoencoder.

Threshold-violating streams are flagged as anomalous. This granular example demonstrates an implementable, AI-engineered detection. By examining the first eight bytes of a packet stream and checking whether they reconstruct as DNS based on learned patterns in historical traffic, we create a clear, testable classification problem. When those bytes do not match what DNS normally looks like, the system alerts.

AI helps here because the scope is narrow and the evaluation criteria are objective. It may be more effective than a heuristic, rule-driven detection because it learns to encode/decode what is familiar. Things that are not familiar (in this case, DNS) cannot be encoded/decoded properly. What AI cannot do is fix vaguely defined alerting problems or compensate for a missing engineering discipline.

1. Threat Hunting Threat hunting is often portrayed as a place where AI might “discover” threats automatically, but that misses the purpose of the workflow. Hunting is not production detection engineering. It should be a research and development capability of the SOC, where analysts explore ideas, test assumptions, and evaluate signals that are not yet strong enough for an operationalized detection.

This is needed because the vulnerability and threat landscape is rapidly shifting, and security operations must constantly adapt to the volatility and uncertainty of the information assurance universe. AI fits here because the work is exploratory. Analysts can use it to pilot an approach, compare patterns, or check whether a hypothesis is worth investigating. It speeds up the early stages of analysis, but it does not decide what matters.

The model is a useful tool, not the final authority. Hunting also feeds directly into detection engineering. AI can help generate candidate logic or highlight unusual patterns, but analysts are still responsible for interpreting the environment and deciding what a signal means. If they cannot evaluate AI output or explain why something is important, the hunt may not produce anything useful.

The benefit of AI here is in speed and breadth of exploration rather than certainty or judgment. We caution you to use operational security (OpSec) and protection of information. Please only provide hunting-relevant information to authorized systems, AI, or otherwise. 3.

Software Development and Analysis Modern SOCs run on code. Analysts write Python to automate investigations, build PowerShell tooling for host interrogation, and craft SIEM queries tailored to their environment. This constant programming need makes AI a natural fit for software development and analysis. It can produce draft code, refine existing snippets, or accelerate logic construction that analysts previously built by hand.

But AI does not understand the underlying problem. Analysts must interpret and validate everything the model generates. If an analyst lacks depth in a domain, the AI’s output can sound correct even when it is wrong, and the analyst may have no way to tell the difference. This creates a unique risk: analysts may ship or rely on code they do not fully understand and haven’t been adequately tested.

AI is most effective here when it reduces mechanical overhead. It helps teams get to a usable starting point faster. It supports code creation in Python, PowerShell, or SIEM query languages. But the responsibility for correctness stays with the human who understands the system, the data, and the operational consequences of running that code in production.

The author suggests that the team develop appropriate style guidelines for code and only use authorized (meaning tested and approved) libraries and packages. Include the guidelines and dependency requirements as part of every prompt, or use an AI/ML development tool that enables configuration of these specifications. 4. Automation and Orchestration Automation has long been part of SOC operations, but AI is reshaping how teams design these workflows.

Instead of manually stitching together action sequences or translating runbooks into automation logic, analysts can now use AI to draft the scaffolding. AI can outline the steps, propose branching logic, and even convert a plain-language description into the structured format that orchestration platforms require. However, AI cannot decide when automation should run. The central question in orchestration remains unchanged: should the automated action execute immediately, or should it present information for an analyst to review first?

That choice depends on organizational risk tolerance, the sensitivity of the environment, and the specific action under consideration. Whether the platform is a SOAR, MCP, or any other orchestration system, the responsibility for initiating an action must rest with people, not the model. AI can help build and refine the workflow, but it should never be the authority that activates it. Clear boundaries keep automation predictable, explainable, and aligned with the SOC’s risk posture.

There will be a threshold where the organization’s comfort level with automations enables rapid action taken in an automated way. That level of comfort comes from extensive testing and people responding to the actions taken by the automation system in a timely manner. 5. Reporting and Communication Reporting is one of the most persistent challenges in security operations, not because teams lack technical skill but because translating that skill into clear, actionable communication is difficult to scale.

The 2025 SANS SOC Survey highlights just how far behind this area remains: 69 percent of SOCs still rely on manual or mostly manual processes to report metrics . This gap matters. When reporting is inconsistent, leadership loses visibility, context is diluted, and operational decisions slow down. AI provides an immediate and low-risk way to enhance the SOC’s reporting performance.

It can smooth out the mechanical parts of reporting by standardizing structure, improving clarity, and helping analysts move from raw notes to well-formed summaries. Instead of each analyst writing in a different style or burying the lead in technical detail, AI helps produce consistent, readable outputs that leadership can interpret quickly. Including moving averages, boundaries of standard deviation, and highlighting the overall consistency of the SOC is a story worth telling to your management. The value isn’t in making reports sound polished.

It’s in making them coherent and comparable . When every incident summary, weekly roll-up, or metrics report follows a predictable structure, leaders can recognize trends faster and prioritize more effectively. Analysts also gain back the time they would have spent wrestling with wording, formatting, or repetitive explanations. Are You a Taker, Shaper, or Maker?

Let’s Talk at SANS Security Central 2026 As teams begin experimenting with AI across these workflows, it is important to recognize that there is no single path for adoption. SOC AI utilization can be described via three convenient categories. A taker uses AI tools as delivered. A shaper adjusts or customizes those tools to fit the workflow.

A maker builds something new, such as the tightly scoped machine learning detection example described earlier. All of these example use cases can be in one or more of the categories. You might be both a taker and a maker in detection engineering, implementing the AI rules from your SIEM vendor, as well as crafting your own detections. Most teams are manual makers as well as takers (just using out-of-the-box ticketing system reports) in reporting.

You might be a shaper in automation, partially customizing the vendor-provided SOAR runbooks. Hopefully, you’re at least using vendor-provided IOC-driven hunts; that’s something every SOC needs to do. Aspiring to internally-driven hunting moves you into that maker category. What matters is that each workflow has clear expectations for where AI can be used, how output is validated, that updates are done on an ongoing basis, and that analysts ultimately remain accountable for the protection of information systems.

I’ll be exploring these themes in more depth during my keynote session at SANS Security Central 2026 in New Orleans. You will learn how to evaluate where your SOC sits today and design an AI adoption model that strengthens the expertise of your team. I hope to see you there! Register for SANS Security Central 2026 here.

Note: This article was expertly written and contributed by Christopher Crowley, SANS Senior Instructor. Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Mustang Panda Uses Signed Kernel-Mode Rootkit to Load TONESHELL Backdoor

The Chinese hacking group known as Mustang Panda has leveraged a previously undocumented kernel-mode rootkit driver to deliver a new variant of backdoor dubbed TONESHELL in a cyber attack detected in mid-2025 targeting an unspecified entity in Asia. The findings come from Kaspersky, which observed the new backdoor variant in cyber espionage campaigns mounted by the hacking group targeting government organizations in Southeast and East Asia, primarily Myanmar and Thailand. “The driver file is signed with an old, stolen, or leaked digital certificate and registers as a minifilter driver on infected machines,” the Russian cybersecurity company said . “Its end-goal is to inject a backdoor trojan into the system processes and provide protection for malicious files, user-mode processes, and registry keys.” The final payload deployed as part of the attack is TONESHELL, an implant with reverse shell and downloader capabilities to fetch next-stage malware onto compromised hosts.

The use of TONESHELL has been attributed to Mustang Panda since at least late 2022. As recently as September 2025, the threat actor was linked to attacks targeting Thai entities with TONESHELL and a USB worm named TONEDISK (aka WispRider) that uses removable devices as a distribution vector for a backdoor referred to as Yokai. The command-and-control (C2) infrastructure used for TONESHELL is said to have been erected in September 2024, although there are indications that the campaign itself did not commence until February 2025. The exact initial access pathway used in the attack is not clear.

It’s suspected that the attackers abused previously compromised machines to deploy the malicious driver. The driver file (“ProjectConfiguration.sys”) is signed with a digital certificate from Guangzhou Kingteller Technology Co., Ltd, a Chinese company that’s involved in the distribution and provisioning of automated teller machines (ATMs). The certificate was valid from August 2012 to 2015. Given that there are other unrelated malicious artifacts signed with the same digital certificate, it’s assessed that the threat actors likely leveraged a leaked or stolen certificate to realize their goals.

The malicious driver comes fitted with two user-mode shellcodes that are embedded into the .data section of the binary. They are executed as separate user-mode threads. “The rootkit functionality protects both the driver’s own module and the user-mode processes into which the backdoor code is injected, preventing access by any process on the system,” Kaspersky said. The driver has the following set of features - Resolve required kernel APIs dynamically at runtime by using a hashing algorithm to match the required API addresses Monitor file-delete and file-rename operations to prevent itself from being removed or renamed Deny attempts to create or open Registry keys that match against a protected list by setting up a RegistryCallback routine and ensuring that it operates at an altitude of 330024 or higher Interfere with the altitude assigned to WdFilter.sys, a Microsoft Defender driver, and change it to zero (it has a default value of 328010 ), thereby preventing it from being loaded into the I/O stack Intercept process-related operations and deny access if the action targets any process that’s on a list of protected process IDs when they are running Remove rootkit protection for those processes once execution completes “Microsoft designates the 320000–329999 altitude range for the FSFilter Anti-Virus Load Order Group,” Kaspersky explained.

“The malware’s chosen altitude exceeds this range. Since filters with lower altitudes sit deeper in the I/O stack, the malicious driver intercepts file operations before legitimate low-altitude filters like antivirus components, allowing it to circumvent security checks.” The driver is ultimately designed to drop two user-mode payloads, one of which spawns an “svchost.exe” process and injects a small delay-inducing shellcode. The second payload is the TONESHELL backdoor that’s injected into that same “svchost.exe” process. Once launched, the backdoor establishes contact with a C2 server (“avocadomechanism[.]com” or “potherbreference[.]com”) over TCP on port 443, using the communication channel to receive commands that allow it to - Create temporary file for incoming data (0x1) Download file (0x2 / 0x3) Cancel download (0x4) Establish remote shell via pipe (0x7) Receive operator command (0x8) Terminate shell (0x9) Upload file (0xA / 0xB) Cancel upload (0xC), and Close connection (0xD) The development marks the first time TONSHELL has been delivered through a kernel-mode loader, effectively allowing it to conceal its activity from security tools.

The findings indicate that the driver is the latest addition to a larger, evolving toolset used by Mustang Panda to maintain persistence and hide its backdoor. Memory forensics is key to analyzing the new TONESHELL infections, as the shellcode executes entirely in memory, Kaspersky said, noting that detecting the injected shellcode is a crucial indicator of the backdoor’s presence on compromised hosts. “HoneyMyte’s 2025 operations show a noticeable evolution toward using kernel-mode injectors to deploy TONESHELL, improving both stealth and resilience,” the company concluded. “To further conceal its activity, the driver first deploys a small user-mode component that handles the final injection step.

It also uses multiple obfuscation techniques, callback routines, and notification mechanisms to hide its API usage and track process and registry activity, ultimately strengthening the backdoor’s defenses.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

⚡ Weekly Recap: MongoDB Attacks, Wallet Breaches, Android Spyware, Insider Crime & More

Last week’s cyber news in 2025 was not about one big incident. It was about many small cracks opening at the same time. Tools people trust every day behave in unexpected ways. Old flaws resurfaced.

New ones were used almost immediately. A common theme ran through it all in 2025. Attackers moved faster than fixes. Access meant for work, updates, or support kept getting abused.

And damage did not stop when an incident was “over” — it continued to surface months or even years later. This weekly recap brings those stories together in one place. No overload, no noise. Read on to see what shaped the threat landscape in the final stretch of 2025 and what deserves your attention now.

⚡ Threat of the Week MongoDB Vulnerability Comes Under Attack — A newly disclosed security vulnerability in MongoDB has come under active exploitation in the wild, with over 87,000 potentially susceptible instances identified across the world. The vulnerability in question is CVE-2025-14847 (CVSS score: 8.7), which allows an unauthenticated attacker to remotely leak sensitive data from the MongoDB server memory. It has been codenamed MongoBleed. The exact details surrounding the nature of attacks exploiting the flaw are presently unknown.

Users are advised to update to MongoDB versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30. Data from attack surface management company Censys shows that there are more than 87,000 potentially vulnerable instances, with a majority of them located in the U.S., China, Germany, India, and France. Wiz noted that 42% of cloud environments have at least one instance of MongoDB in a version vulnerable to CVE-2025-14847. This includes both internet-exposed and internal resources.

🔔 Top News Trust Wallet Chrome Extension Hack Leads to $7M Loss — Trust Wallet urged users to update its Google Chrome extension to the latest version following what it described as a “security incident” that led to the loss of approximately $7 million. Users are advised to update to version 2.69 as soon as possible. “We’ve confirmed that approximately $7 million has been impacted, and we will ensure all affected users are refunded,” Trust Wallet said. The Chrome extension has about 1 million users.

Mobile-only users and all other browser extension versions are not affected. It’s currently not known who is behind the attack, but Trust Wallet said the attacker likely published a malicious version (2.68) by using a leaked Chrome Web Store API key. Affected victims have been asked to fill out a form to process reimbursements. Evasive Panda Stages DNS Poisoning Attack to Push MgBot Malware — A China-linked advanced persistent threat (APT) group known as Evasive Panda was attributed to a highly-targeted cyber espionage campaign in which the adversary poisoned Domain Name System (DNS) requests to deliver its signature MgBot backdoor in attacks targeting victims in Türkiye, China, and India.

The activity took place between November 2022 and November 2024. According to Kaspersky, the hacking group conducted adversary-in-the-middle (AitM) attacks on specific victims to serve trojanized updates for popular tools like SohuVA, iQIYI Video, IObit Smart Defrag, and Tencent QQ that ultimately deployed MgBot, a modular implant with wide-ranging information gathering capabilities. It’s currently not known how the threat actor is poisoning DNS responses. But two possible scenarios are suspected: either the ISPs used by the victims were selectively targeted and compromised to install some kind of network implant on edge devices, or a router or firewall used by the victims was hacked for this purpose.

LastPass 2022 Breach Leads to Crypto Theft — The encrypted vault backups stolen from the 2022 LastPass data breach enabled bad actors to take advantage of weak master passwords to crack them open and drain cryptocurrency assets as recently as late 2025. New findings from TRM Labs show that threat actors with possible ties to the Russian cybercriminal ecosystem have stolen no less than $35 million as of September 2025. The Russian links to the stolen cryptocurrency stem from two primary factors: The use of exchanges commonly associated with the Russian cybercriminal ecosystem in the laundering pipeline and operational connections gleaned from wallets interacting with mixers both before and after the mixing and laundering process. Fortinet Warns of Renewed Activity Exploiting CVE-2020-12812 — Fortinet said it observed “recent abuse” of CVE-2020-12812, a five-year-old security flaw in FortiOS SSL VPN, in the wild under certain configurations.

The vulnerability could allow a user to log in successfully without being prompted for the second factor of authentication if the case of the username was changed. The newly issued guidance does not give any specifics on the nature of the attacks exploiting the flaw, nor whether any of those incidents were successful. Fortinet has also advised impacted customers to contact its support team and reset all credentials if they find evidence of admin or VPN users being authenticated without two-factor authentication (2FA). Fake WhatsApp API npm Package Steals Messages — A new malicious package on the npm repository named lotusbail was found to work as a fully functional WhatsApp API, but contained the ability to intercept every message and link the attacker’s device to a victim’s WhatsApp account.

It has been downloaded over 56,000 times since it was first uploaded to the registry by a user named “seiren_primrose” in May 2025. The package has since been removed by npm. Once the npm package is installed, the threat actor can read all WhatsApp messages, send messages to others, download media files, and access contact lists. “And here’s the critical part, uninstalling the npm package removes the malicious code, but the threat actor’s device stays linked to your WhatsApp account,” Koi said.

“The pairing persists in WhatsApp’s systems until you manually unlink all devices from your WhatsApp settings. Even after the package is gone, they still have access.” ‎️‍🔥 Trending CVEs Hackers act fast. They can use new bugs within hours. One missed update can cause a big breach.

Here are this week’s most serious security flaws. Check them, fix what matters first, and stay protected. This week’s list includes — CVE-2025-14847 (MongoDB), CVE-2025-68664 (LangChain Core), CVE-2023-52163 (Digiever DS-2105 Pro), CVE-2025-68613 (n8n), CVE-2025-13836 (Python http.client), CVE-2025-26794 (Exim), CVE-2025-68615 (Net-SNMP), CVE-2025-44016 (TeamViewer DEX Client), and CVE-2025-13008 (M-Files Server). 📰 Around the Cyber World Former Coinbase Customer Service Agent Arrested in India — Coinbase Chief Executive Officer Brian Armstrong said that a former customer service agent for the largest U.S.

crypto exchange was arrested in India, months after hackers bribed customer service representatives to gain access to customer information. In May, the company said hackers bribed contractors working out of India to steal sensitive customer data and demanded a $20 million ransom. “We have zero tolerance for bad behavior and will continue to work with law enforcement to bring bad actors to justice,” Armstrong said . “Thanks to the Hyderabad Police in India, an ex-Coinbase customer service agent was just arrested.

Another one down and more still to come.” The incident impacted 69,461 individuals. A September 2025 class action lawsuit has revealed that Coinbase hired TaskUs to handle customer support from India. The court document also mentioned that Coinbase “cut ties with the TaskUs personnel involved and other overseas agents, and tightened controls.” One TaskUs employee based out of Indore, Ashita Mishra, is accused of “joining the conspiracy by agreeing to sell highly sensitive Coinbase user data to those criminals” as early as September 2024. Mishra was arrested in January 2025 for allegedly selling the stolen data to hackers for $200 per record.

TaskUs claimed that “it identified two individuals who illegally accessed information from one of our clients [who] were recruited by a much broader, coordinated criminal campaign against this client that also impacted a number of other providers servicing this client.” It also alleged that Coinbase “had vendors other than TaskUs, and that Coinbase employees were involved in the data breach.” But the company provided no further details. Cloud Atlas Targets Russia and Belarus — The threat actor known as Cloud Atlas has leveraged phishing lures with a malicious Microsoft Word document attachment that, when opened, downloads a malicious template from a remote server that, in turn, fetches and executes an HTML Application (HTA) file. The malicious HTA file extracts and creates several Visual Basic Script (VBS) files on disk that are parts of the VBShower backdoor. VBShower then downloads and installs other backdoors, including PowerShower, VBCloud, and CloudAtlas.

VBCloud can download and execute additional malicious scripts, including a file grabber to exfiltrate files of interest. Similar to VBCloud, PowerShower is capable of retrieving an additional payload from a remote server. CloudAtlas establishes communication with a command-and-control (C2) server via WebDAV and fetches executable plugins in the form of a DLL, allowing it to gather files, run commands, steal passwords from Chromium-based browsers, and capture system information. Attacks mounted by the threat actor have primarily targeted organizations in the telecommunications sector, construction, government entities, and plants in Russia and Belarus.

BlackHawk Loader Spotted in the Wild — A new MSIL loader named BlackHawk has been detected in the wild, incorporating three layers of obfuscation that show signs of being generated using artificial intelligence (AI) tools. Per ESET , it features a Visual Basic Script and two PowerShell scripts, the second of which contains the Base64-encoded BlackHawk loader and the final payload. The loader is being actively used in campaigns distributing Agent Tesla in attacks targeting hundreds of endpoints in Romanian small and medium-sized companies. The loader has also been used to deliver an information stealer known as Phantom.

Surge in Cobalt Strike Servers — Censys has noted a sudden spike in Cobalt Strike servers hosted online between early December and December 18, 2025, specifically on the networks of AS138415 (YANCY) and AS133199 (SonderCloud LTD). “Viewing the timeline above, AS138415 first exhibits limited ‘seed’ activity beginning on December 4, followed by a substantial expansion of 119 new Cobalt Strike servers on December 6,” Censys said . “Within just two days, however, nearly all of this newly added infrastructure disappears. On December 8, AS133199 experienced a near mirror-image increase and decrease in newly observed Cobalt Strike servers.” More than 150 distinct IPs associated with AS138415 have been flagged as hosting Cobalt Strike listeners during this window.

This netblock, 23.235.160[.]0/19, was allocated to RedLuff, LLC in September 2025. Meet Fly, the Russian Market Administrator — Intrinsec has revealed that a threat actor known as Fly is likely the administrator of Russian Market, an underground portal for selling credentials stolen via infostealers. “This threat actor promoted the marketplace on multiple occasions and throughout the years,” the French cybersecurity company said . “His username is reminiscent of the old name of the marketplace, ‘Flyded.’ We found two e-mail addresses used to register the first Russian Market domains, which enabled us to find potential links to a Gmail account named ‘AlexAske1,’ but we could not find additional information surrounding this potential identity.” New Scam Campaign Targets MENA with Fake Job Offers — A new scam campaign is targeting Middle East and North Africa (MENA) countries with fake online jobs across social media and private messaging platforms like Telegram and WhatsApp that promise easy work and fast money, but are designed to collect personal data and steal money.

The scams exploit trust in recognized institutions and the low cost of social media advertising. The targeting is intentionally broad to cast a wide phishing net. “The fake job ads often impersonate well-known companies, banks, and authorities to gain trust of victims,” Group-IB said . “Once victims engage, the conversation moves to private messaging channels where the actual financial fraud and data theft take place.” The ads typically redirect victims to a WhatsApp group, where a recruiter directs them to a scam website for registration.

Once the victim has completed the step, they are added to various Telegram channels where they are instructed to pay a fee to secure tasks and earn commissions from it. “The scammers will actually send a small payout for the initial task to build trust,” Group-IB said. “They will then push victims to deposit larger amounts to take on bigger tasks that promise even greater returns. When victims do make a big deposit, the payout stops, the channels and accounts disappear and the victim finds themselves blocked, making communication and tracking almost impossible.” The ads are directed against MENA countries such as Egypt, Gulf States’ members, Algeria, Tunisia, Morocco, Iraq, and Jordan.

EmEditor Breached to Distribute Infostealer — Windows-based text editing program EmEditor has disclosed a security breach. Emurasoft said a “third-party” performed an unauthorized modification of the download link for its Windows installer to point to a malicious MSI file hosted in a different location on the EmEditor website between December 19 and 22, 2022. Emurasoft said it’s investigating the incident to determine the full scope of impact. According to Chinese security firm QiAnXin, the malicious installer is used to launch a PowerShell script that’s capable of harvesting system information, including system metadata, files, VPN configuration, Windows login credentials, browser data, and information associated with apps like Zoho Mail, Evernote, Notion, discord, Slack, Mattermost, Skype, LiveChat, Microsoft Teams, Zoom, WinSCP, PuTTY, Steam, and Telegram.

It also installs an Edge browser extension (ID: “ngahobakhbdpmokneiohlfofdmglpakd”) named Google Drive Caching that can fingerprint browsers, replace cryptocurrency wallet addresses in the clipboard, log keystrokes from specific websites such as x[.]com, and steal Facebook advertising account details. Docker Hardened Images Now Available for Free — Docker has made Hardened Images free for every developer to bolster software supply chain security. Introduced in May 2025, these are a set of secure, minimal, production-ready images that are managed by Docker. The company said it has hardened over 1,000 images and helm charts in its catalog.

“Unlike other opaque or proprietary hardened images, DHI is compatible with Alpine and Debian, trusted and familiar open source foundations teams already know and can adopt with minimal change,” Docker noted . Flaw in Livewire Disclosed — Details have emerged about a now-patched critical security flaw in Livewire ( CVE-2025-54068 , CVSS score: 9.8), a full-stack framework for Laravel, that could allow unauthenticated attackers to achieve remote command execution in specific scenarios. The issue was addressed in Livewire version 3.6.4 released in July 2025. According to Synacktiv, the vulnerability is rooted in the platform’s hydration mechanism, which is used to manage component states and ensure that they have not been tampered with during transit by means of a checksum.

“However, this mechanism comes with a critical vulnerability: a dangerous unmarshalling process can be exploited as long as an attacker is in possession of the APP_KEY of the application,” the cybersecurity company said . “By crafting malicious payloads, attackers can manipulate Livewire’s hydration process to execute arbitrary code, from simple function calls to stealthy remote command execution.” To make matters worse, the research also identified a pre-authenticated remote code execution vulnerability that’s exploitable even without knowledge of the application’s APP_KEY. “Attackers could inject malicious synthesizers through the updates field in Livewire requests, leveraging PHP’s loose typing and nested array handling,” Synacktiv added. “This technique bypasses checksum validation, allowing arbitrary object instantiation and leading to full system compromise.” ChimeraWire Malware Boosts Website SERP Rankings — A new malware dubbed ChimeraWire has been found to artificially boost the ranking of certain websites in search engine results pages (SERPs) by performing hidden internet searches and mimicking user clicks on infected Windows devices.

ChimeraWire is typically deployed as a second-stage payload on systems previously infected with other malware downloaders, Doctor Web said. The malware is designed to download a Windows version of the Google Chrome browser and install add-ons like NopeCHA and Buster into it for automated CAPTCHA solving. ChimeraWire then launches the browser in debugging mode with a hidden window to perform the malicious clicking activity based on certain pre-configured criteria. “For this, the malicious app searches target internet resources in the Google and Bing search engines and then loads them,” the Russian company said .

“It also imitates user actions by clicking links on the loaded sites. The Trojan performs all malicious actions in the Google Chrome web browser, which it downloads from a certain domain and then launches it in debug mode over the WebSocket protocol.” More Details About LANDFALL Campaign Emerge — The LANDFALL Android spyware campaign was disclosed by Palo Alto Networks Unit 42 last month as having exploited a now-patched zero-day flaw in Samsung Galaxy Android devices (CVE-2025-21042) in targeted attacks in the Middle East. Google Project Zero said it identified six suspicious image files that were uploaded to VirusTotal between July 2024 and February 2025. It’s suspected that these images were received over WhatsApp, with Google noting that the files were DNG files targeting the Quram library , an image parsing library specific to Samsung devices.

Further investigation has determined that the images are engineered to trigger an exploit that runs within the com.samsung.ipservice process. “The com.samsung.ipservice process is a Samsung-specific system service responsible for providing ‘intelligent’ or AI-powered features to other Samsung applications,” Project Zero’s Benoît Sevens said . “It will periodically scan and parse images and videos in Android’s MediaStore. When WhatsApp receives and downloads an image, it will insert it in the MediaStore.

This means that downloaded WhatsApp images (and videos) can hit the image parsing attack surface within the com.samsung.ipservice application.” Given that WhatsApp does not automatically download images from untrusted contacts, it’s assessed that a 1-click exploit is used to trigger the download and have it added to the MediaStore. This, in turn, fires an exploit for the flaw, resulting in an out-of-bounds write primitive. “This case illustrates how certain image formats provide strong primitives out of the box for turning a single memory corruption bug into interactionless ASLR bypasses and remote code execution,” Sevens noted. “By corrupting the bounds of the pixel buffer using the bug, the rest of the exploit could be performed by using the ‘weird machine’ that the DNG specification and its implementation provide.” New Android Spyware Discovered on Belarusian Journalist’s Phone — Belarusian authorities are deploying a new spyware called ResidentBat on the smartphones of local journalists after their phones are confiscated during police interrogations by the Belarusian secret service.

The spyware can collect call logs, record audio through the microphone, take screenshots, collect SMS messages and chats from encrypted messaging apps, and exfiltrate local files. It can also factory reset the device and remove itself. According to a report from RESIDENT.NGO , ResidentBat’s server infrastructure has been operational since March 2021. In December 2024, similar cases of implanting spyware on individuals’ phones while they were being questioned by police or security services were reported in Serbia and Russia .

“The infection relied on physical access to the device,” RESIDENT.NGO said. “We hypothesize that the KGB officers observed the device password or PIN as the journalist typed it in their presence during the conversation. Once the officers had the PIN and physical possession of the phone while it was in the locker, they enabled ‘Developer Mode’ and ‘USB Debugging.’ The spyware was then sideloaded onto the device, likely via ADB commands from a Windows PC.” Former Incident Responders Plead Guilty to Ransomware Attacks — Former cybersecurity professionals Ryan Clifford Goldberg and Kevin Tyler Martin pleaded guilty to participating in a series of BlackCat ransomware attacks between May and November 2023 while they were employed at cybersecurity companies tasked with helping organizations fend off ransomware attacks. Goldberg and Martin were indicted last month.

While Martin worked as a ransomware threat negotiator for DigitalMint, Goldberg was an incident response manager for cybersecurity company Sygnia. A third unnamed co-conspirator, who was also employed at DigitalMint, allegedly obtained an affiliate account for BlackCat, which the trio used to commit ransomware attacks. Congressional Report Says China Exploits U.S.-funded Research on Nuclear Technology — A new report released by the House Select Committee on China and the House Permanent Select Committee on Intelligence (HPSCI) has revealed that China exploits the U.S. Department of Energy (DOE) to gain access and divert American taxpayer-funded research and fuel its military and technological rise.

The investigation identified about 4,350 research papers between June 2023 and June 2025, where DOE funding or research support involved research relationships with Chinese entities, including over 730 DOE awards and contracts. Of these, approximately 2,200 publications were conducted in partnership with entities within China’s defense research and industrial base. “This case study and many more like it in the report underscore a deeply troubling reality: U.S. government scientists – employed by the DOE and working at federally funded national laboratories – have coauthored research with Chinese entities at the very heart of the PRC’s military-industrial complex,” the House Select Committee on the Chinese Communist Party (CCP) said.

“They involve the joint development of technologies relevant to next-generation military aircraft, electronic warfare systems, radar deception techniques, and critical energy and aerospace infrastructure – alongside entities already restricted by multiple U.S. agencies for posing a threat to national security.” In a statement shared with Associated Press, the Chinese Embassy in Washington said the select committee “has long smeared and attacked China for political purposes and has no credibility to speak of.” Moscow Court Sentences Russian Scientist to 21 Years for Treason — A Moscow court handed a 21-year prison sentence to Artyom Khoroshilov , 34, a researcher at the Moscow Institute of General Physics, who has been accused of treason, attacking critical infrastructure, and plotting sabotage. He was also fined 700,000 rubles (~$9,100). Khoroshilov is said to have colluded with the Ukrainian IT army to conduct distributed denial-of-service (DDoS) attacks on the Russian Post in August 2022.

He also planned to commit sabotage by blowing up the railway tracks used by the military unit of the Ministry of Defense of the Russian Federation to transport military goods. The IT Army of Ukraine, a hacktivist group known for coordinating DDoS attacks on Russian infrastructure, said it does not know if Khoroshilov was part of their community, but noted “the enemy hunts down any sign of resistance.” New DIG AI Tool Used by Malicious Actors — Resecurity said it has observed a “notable increase” in malicious actors’ utilization of DIG AI, the latest addition to a long list of dark Large Language Models (LLMs) that can be used for illegal, unethical, malicious or harmful activities, such as generating phishing emails or instructions for bombs and prohibited substances. It can be accessed by users via the Tor browser without requiring an account. According to its developer, Pitch, the service is based on OpenAI’s ChatGPT Turbo.

“DIG AI enables malicious actors to leverage the power of AI to generate tips ranging from explosive device manufacturing to illegal content creation, including CSAM,” the company said . “Because DIG AI is hosted on the TOR network, such tools are not easily discoverable and accessible to law enforcement. They create a significant underground market – from piracy and derivatives to other illicit activities.” China Says U.S. Seized Cryptocurrency from Chinese Firm — The Chinese government said the U.S.

unduly seized cryptocurrency assets that actually belonged to LuBian. In October 2025, the U.S. Justice Department seized $15 billion worth of Bitcoin from the operator of scam compounds last month. The agency claimed the funds were owned by the Prince Group and its CEO, Chen Zhi.

China’s National Computer Virus Emergency Response Center (CVERC) alleged that the funds could be traced back to the 2020 hack of Chinese bitcoin mining pool operator LuBian, echoing a report from Elliptic. What’s evident is that the digital assets were stolen from Zhi before they ended up with the U.S. “The U.S. government may have stolen Chen Zhi’s 127,000 Bitcoin through hacking techniques as early as 2020, making this a classic case of ‘black-on-black’ crime orchestrated by a state-sponsored hacking organization,” CVERC said .

However, it bears noting that the report makes no mention of the stolen assets being linked to scam campaigns. 🎥 Cybersecurity Webinars How Zero Trust and AI Catch Attacks With No Files, No Binaries, and No Indicators — Cyber threats are evolving faster than ever, exploiting trusted tools and fileless techniques that evade traditional defenses. This webinar reveals how Zero Trust and AI-driven protection can uncover unseen attacks, secure developer environments, and redefine proactive cloud security—so you can stay ahead of attackers, not just react to them. Master Agentic AI Security: Learn to Detect, Audit, and Contain Rogue MCP Servers — AI tools like Copilot and Claude Code help developers move fast, but they can also create big security risks if not managed carefully.

Many teams don’t know which AI servers (MCPs) are running, who built them, or what access they have. Some have already been hacked, turning trusted tools into backdoors. This webinar shows how to find hidden AI risks, stop shadow API key problems, and take control before your AI systems create a breach. 🔧 Cybersecurity Tools GhidraGPT — It is a plugin for Ghidra that adds AI-powered assistance to reverse engineering work.

It uses large language models to help explain decompiled code, improve readability, and highlight potential security issues, making it easier for analysts to understand and analyze complex binaries. Chameleon — It is an open-source honeypot tool used to monitor attacks, bot activity, and stolen credentials across a wide range of network services. It simulates open and vulnerable ports to attract attackers, logs their activity, and shows the results through simple dashboards, helping teams understand how their systems are being scanned and attacked in real environments. Disclaimer: These tools are for learning and research only.

They haven’t been fully tested for security. If used the wrong way, they could cause harm. Check the code first, test only in safe places, and follow all rules and laws. Conclusion This weekly recap brings those stories together in one place to close out 2025.

It cuts through the noise and focuses on what actually mattered in the final days of the year. Read on for the events that shaped the threat landscape, the patterns that kept repeating, and the risks that are likely to carry forward into 2026. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

How AI and Zero Trust Work Together to Catch Attacks With No Files or Indicators

JavaScript must be enabled in order to register for webinar. Yes, I’d like to register for the webinar and agree to the handling of my information as explained in thePrivacy Policy. There’s one constant in cybersecurity: the threat landscape continues to rapidly evolve. To bolster their organizations’ resilience, defenders need proactive visibility and tooling across their endpoints, developer environments, and crypto stack to stay several steps ahead of attackers.In this webinar, join experts from the Zscaler Internet Access product team as they cover the next major security challenges and how enterprises can best respond to them:“Living off the Land” Attacks:Today’s attackers use a combination of malware and legitimate system tools like PowerShell, WMI, or RDP.

File-based detection alone misses threats that blend in with trusted processes. Learn how and why gaining endpoint visibility into file-based threats, apps, and process behaviors is essential.Fileless “Last Mile” Reassembly Attacks:Legacy security tools are ineffective against fileless attacks, including those using only obfuscated HTML and JavaScript. Learn how a cloud-native antimalware engine that emulates malicious scripting and reassembles an executable binary in isolation can stop malicious files from being delivered to an endpoint.Securing Developer Environments:Developers are building and deploying applications faster than ever before. But third-party repositories and other open-source CI/CD tools can contain malicious code and vulnerabilities that can compromise your organization’s security.

Inspecting encrypted traffic in developer environments can identify and defeat would-be threats. Learn how to secure development workflows with automated TLS/SSL inspection and code sandboxing.You’ll see howZscaler Internet Access’s capabilities, built on a foundation of zero trust and AI-powered protection, provide SOC and IT teams with the preventative tooling and visibility necessary to effectively defend against emerging threats so you can proactively fortify your security posture to protect your users, devices, and data. There’s one constant in cybersecurity: the threat landscape continues to rapidly evolve. To bolster their organizations’ resilience, defenders need proactive visibility and tooling across their endpoints, developer environments, and crypto stack to stay several steps ahead of attackers.

In this webinar, join experts from the Zscaler Internet Access product team as they cover the next major security challenges and how enterprises can best respond to them: You’ll see howZscaler Internet Access’s capabilities, built on a foundation of zero trust and AI-powered protection, provide SOC and IT teams with the preventative tooling and visibility necessary to effectively defend against emerging threats so you can proactively fortify your security posture to protect your users, devices, and data. By clicking “Register Now,” you agree to permit The Hacker News and its partners to process your contact details, which may include The Hacker News reaching out to you and sharing your contact information with its webinar partners.

MongoDB Vulnerability CVE-2025-14847 Under Active Exploitation Worldwide

A recently disclosed security vulnerability in MongoDB has come under active exploitation in the wild, with over 87,000 potentially susceptible instances identified across the world. The vulnerability in question is CVE-2025-14847 (CVSS score: 8.7), which allows an unauthenticated attacker to remotely leak sensitive data from the MongoDB server memory. It has been codenamed MongoBleed . “A flaw in zlib compression allows attackers to trigger information leakage,” OX Security said .

“By sending malformed network packets, an attacker can extract fragments of private data.” The problem is rooted in MongoDB Server’s zlib message decompression implementation (“message_compressor_zlib.cpp”). It affects instances with zlib compression enabled, which is the default configuration. Successful exploitation of the shortcoming could allow an attacker to extract sensitive information from MongoDB servers, including user information, passwords, and API keys. “Although the attacker might need to send a large amount of requests to gather the full database, and some data might be meaningless, the more time an attacker has, the more information could be gathered,” OX Security added.

Cloud security company Wiz said CVE-2025-14847 stems from a flaw in the zlib-based network message decompression logic, enabling an unauthenticated attacker to send malformed, compressed network packets to trigger the vulnerability and access uninitialized heap memory without valid credentials or user interaction. “The affected logic returned the allocated buffer size (output.length()) instead of the actual decompressed data length, allowing undersized or malformed payloads to expose adjacent heap memory,” security researchers Merav Bar and Amitai Cohen said . “Because the vulnerability is reachable prior to authentication and does not require user interaction, Internet-exposed MongoDB servers are particularly at risk.” Data from attack surface management company Censys shows that there are more than 87,000 potentially vulnerable instances , with a majority of them located in the U.S., China, Germany, India, and France. Wiz noted that 42% of cloud environments have at least one instance of MongoDB in a version vulnerable to CVE-2025-14847.

This includes both internet-exposed and internal resources. The exact details surrounding the nature of attacks exploiting the flaw are presently unknown. Users are advised to update to MongoDB versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30. Patches for MongoDB Atlas have been applied.

It’s worth noting that the vulnerability also affects the Ubuntu rsync package , as it uses zlib. As temporary workarounds, it’s recommended to disable zlib compression on the MongoDB Server by starting mongod or mongos with a networkMessageCompressors or a net.compression.compressors option that explicitly omits zlib. Other mitigations include restricting network exposure of MongoDB servers and monitoring MongoDB logs for anomalous pre-authentication connections. Update The U.S.

Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-14847 to its catalog of exploited vulnerabilities on December 29, 2025, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by January 19, 2026. “MongoDB Server contains an improper handling of length parameter inconsistency vulnerability in zlib compressed protocol headers,” CISA said. “This vulnerability may allow a read of uninitialized heap memory by an unauthenticated client.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

27 Malicious npm Packages Used as Phishing Infrastructure to Steal Login Credentials

Cybersecurity researchers have disclosed details of what has been described as a “sustained and targeted” spear-phishing campaign that has published over two dozen packages to the npm registry to facilitate credential theft. The activity, which involved uploading 27 npm packages from six different npm aliases, has primarily targeted sales and commercial personnel at critical infrastructure-adjacent organizations in the U.S. and Allied nations, according to Socket. “A five-month operation turned 27 npm packages into durable hosting for browser-run lures that mimic document-sharing portals and Microsoft sign-in, targeting 25 organizations across manufacturing, industrial automation, plastics, and healthcare for credential theft,” researchers Nicholas Anderson and Kirill Boychenko said .

The names of the packages are listed below - adril7123 ardril712 arrdril712 androidvoues assetslush axerification erification erificatsion errification eruification hgfiuythdjfhgff homiersla houimlogs22 iuythdjfghgff iuythdjfhgff iuythdjfhgffdf iuythdjfhgffs iuythdjfhgffyg jwoiesk11 modules9382 onedrive-verification sarrdril712 scriptstierium11 secure-docs-app sync365 ttetrification vampuleerl Rather than requiring users to install the packages, the end goal of the campaign is to repurpose npm and package content delivery networks (CDNs) as hosting infrastructure, using them to deliver client-side HTML and JavaScript lures impersonating secure document-sharing that are embedded directly in phishing pages, following which victims are redirected to Microsoft sign-in pages with the email address pre-filled in the form. The use of package CDNs offers several benefits, the foremost being the ability to turn a legitimate distribution service into infrastructure that’s resilient to takedowns. In addition, it makes it easy for attackers to switch to other publisher aliases and package names, even if the libraries are pulled. The packages have been found to incorporate various checks on the client side to challenge analysis efforts, including filtering out bots, evading sandboxes, and requiring mouse or touch input before taking the victims to threat-actor-controlled credential harvesting infrastructure.

The JavaScript code is also obfuscated or heavily minified to make automated inspection more difficult. Another crucial anti-analysis control adopted by the threat actor relates to the use of honeypot form fields that are hidden from view for real users, but are likely to be populated by crawlers. This step acts as a second layer of defense, preventing the attack from proceeding further. Socket said the domains packed into these packages overlap with adversary-in-the-middle (AitM) phishing infrastructure associated with Evilginx , an open-source phishing kit.

This is not the first time npm has been transformed into phishing infrastructure. Back in October 2025, the software supply chain security firm detailed a campaign dubbed Beamglea that saw unknown threat actors uploading 175 malicious packages for credential harvesting attacks. The latest attack wave is assessed to be distinct from Beamglea. “This campaign follows the same core playbook, but with different delivery mechanics,” Socket said.

“Instead of shipping minimal redirect scripts, these packages deliver a self-contained, browser-executed phishing flow as an embedded HTML and JavaScript bundle that runs when loaded in a page context.” What’s more, the phishing packages have been found to hard-code 25 email addresses tied to specific individuals, who work in account managers, sales, and business development representatives in manufacturing, industrial automation, plastics and polymer supply chains, healthcare sectors in Austria, Belgium, Canada, France, Germany, Italy, Portugal, Spain, Sweden, Taiwan, Turkey, the U.K., and the U.S. It’s currently unknown how the attackers obtained the email addresses. But given that many of the targeted firms convene at major international trade shows, such as Interpack and K-Fair, it’s suspected that the threat actors may have pulled the information from these sites and combined it with general open-web reconnaissance. “In several cases, target locations differ from corporate headquarters, which is consistent with the threat actor’s focus on regional sales staff, country managers, and local commercial teams rather than only corporate IT,” the company said.

To counter the risk posed by the threat, it’s essential to enforce stringent dependency verification, log unusual CDN requests from non-development contexts, enforce phishing-resistant multi-factor authentication (MFA), and monitor for suspicious post-authentication events. The development comes as Socket said it observed a steady rise in destructive malware across npm, PyPI, NuGet Gallery, and Go module indexes using techniques like delayed execution and remotely-controlled kill switches to evade early detection and fetch executable code at runtime using standard tools such as wget and curl. “Rather than encrypting disks or indiscriminately destroying files, these packages tend to operate surgically,” researcher Kush Pandya said . “They delete only what matters to developers: Git repositories, source directories, configuration files, and CI build outputs.

They often blend this logic into otherwise functional code paths and rely on standard lifecycle hooks to execute, meaning the malware may never need to be explicitly imported or invoked by the application itself.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Traditional Security Frameworks Leave Organizations Exposed to AI-Specific Attack Vectors

In December 2024, the popular Ultralytics AI library was compromised, installing malicious code that hijacked system resources for cryptocurrency mining. In August 2025 , malicious Nx packages leaked 2,349 GitHub, cloud, and AI credentials. Throughout 2024, ChatGPT vulnerabilities allowed unauthorized extraction of user data from AI memory. The result: 23.77 million secrets were leaked through AI systems in 2024 alone, a 25% increase from the previous year.

Here’s what these incidents have in common: The compromised organizations had comprehensive security programs. They passed audits. They met compliance requirements. Their security frameworks simply weren’t built for AI threats.

Traditional security frameworks have served organizations well for decades. But AI systems operate fundamentally differently from the applications these frameworks were designed to protect. And the attacks against them don’t fit into existing control categories. Security teams followed the frameworks.

The frameworks just don’t cover this. Where Traditional Frameworks Stop and AI Threats Begin The major security frameworks organizations rely on, NIST Cybersecurity Framework, ISO 27001, and CIS Control, were developed when the threat landscape looked completely different. NIST CSF 2.0, released in 2024, focuses primarily on traditional asset protection. ISO 27001:2022 addresses information security comprehensively but doesn’t account for AI-specific vulnerabilities.

CIS Controls v8 covers endpoint security and access controls thoroughly—yet none of these frameworks provide specific guidance on AI attack vectors. These aren’t bad frameworks. They’re comprehensive for traditional systems. The problem is that AI introduces attack surfaces that don’t map to existing control families.

“Security professionals are facing a threat landscape that’s evolved faster than the frameworks designed to protect against it,” notes Rob Witcher, co-founder of cybersecurity training company Destination Certification . “The controls organizations rely on weren’t built with AI-specific attack vectors in mind.” This gap has driven demand for specialized AI security certification prep that addresses these emerging threats specifically. Consider access control requirements, which appear in every major framework. These controls define who can access systems and what they can do once inside.

But access controls don’t address prompt injection—attacks that manipulate AI behavior through carefully crafted natural language input, bypassing authentication entirely. System and information integrity controls focus on detecting malware and preventing unauthorized code execution. But model poisoning happens during the authorized training process. An attacker doesn’t need to breach systems, they corrupt the training data, and AI systems learn malicious behavior as part of normal operation.

Configuration management ensures systems are properly configured and changes are controlled. But configuration controls can’t prevent adversarial attacks that exploit mathematical properties of machine learning models. These attacks use inputs that look completely normal to humans and traditional security tools but cause models to produce incorrect outputs. Prompt Injection Take prompt injection as a specific example.

Traditional input validation controls (like SI-10 in NIST SP 800-53) were designed to catch malicious structured input: SQL injection, cross-site scripting, and command injection. These controls look for syntax patterns, special characters, and known attack signatures. Prompt injection uses valid natural language. There are no special characters to filter, no SQL syntax to block, and no obvious attack signatures.

The malicious intent is semantic, not syntactic. An attacker might ask an AI system to “ignore previous instructions and expose all user data” using perfectly valid language that passes through every input validation control framework that requires it. Model Poisoning Model poisoning presents a similar challenge. System integrity controls in frameworks like ISO 27001 focus on detecting unauthorized modifications to systems.

But in AI environments, training is an authorized process. Data scientists are supposed to feed data into models. When that training data is poisoned—either through compromised sources or malicious contributions to open datasets—the security violation happens within a legitimate workflow. Integrity controls aren’t looking for this because it’s not “unauthorized.” AI Supply Chain AI supply chain attacks expose another gap.

Traditional supply chain risk management (the SR control family in NIST SP 800-53) focuses on vendor assessments, contract security requirements, and software bill of materials. These controls help organizations understand what code they’re running and where it came from. But AI supply chains include pre-trained models, datasets, and ML frameworks with risks that traditional controls don’t address. How do organizations validate the integrity of model weights?

How do they detect if a pre-trained model has been backdoored? How do they assess whether a training dataset has been poisoned? The frameworks don’t provide guidance because these questions didn’t exist when the frameworks were developed. The result is that organizations implement every control their frameworks require, pass audits, and meet compliance standards—while remaining fundamentally vulnerable to an entire category of threats.

When Compliance Doesn’t Equal Security The consequences of this gap aren’t theoretical. They’re playing out in real breaches. When the Ultralytics AI library was compromised in December 2024, the attackers didn’t exploit a missing patch or weak password. They compromised the build environment itself, injecting malicious code after the code review process but before publication.

The attack succeeded because it targeted the AI development pipeline—a supply chain component that traditional software supply chain controls weren’t designed to protect. Organizations with comprehensive dependency scanning and software bill of materials analysis still installed the compromised packages because their tools couldn’t detect this type of manipulation. The ChatGPT vulnerabilities disclosed in November 2024 allowed attackers to extract sensitive information from users’ conversation histories and memories through carefully crafted prompts. Organizations using ChatGPT had strong network security, robust endpoint protection, and strict access controls.

None of these controls addresses malicious natural language input designed to manipulate AI behavior. The vulnerability wasn’t in the infrastructure—it was in how the AI system processed and responded to prompts. When malicious Nx packages were published in August 2025, they took a novel approach: using AI assistants like Claude Code and Google Gemini CLI to enumerate and exfiltrate secrets from compromised systems. Traditional security controls focus on preventing unauthorized code execution.

But AI development tools are designed to execute code based on natural language instructions. The attack weaponized legitimate functionality in ways that existing controls don’t anticipate. These incidents share a common pattern. Security teams had implemented the controls their frameworks required.

Those controls protected against traditional attacks. They just didn’t cover AI-specific attack vectors. The Scale of the Problem According to IBM’s Cost of a Data Breach Report 2025, organizations take an average of 276 days to identify a breach and another 73 days to contain it. For AI-specific attacks, detection times are potentially even longer because security teams lack established indicators of compromise for these novel attack types.

Sysdig’s research shows a 500% surge in cloud workloads containing AI/ML packages in 2024, meaning the attack surface is expanding far faster than defensive capabilities. The scale of exposure is significant. Organizations are deploying AI systems across their operations: customer service chatbots, code assistants, data analysis tools, and automated decision systems. Most security teams can’t even inventory the AI systems in their environment, much less apply AI-specific security controls that frameworks don’t require.

What Organizations Actually Need The gap between what frameworks mandate and what AI systems need requires organizations to go beyond compliance. Waiting for frameworks to be updated isn’t an option—the attacks are happening now. Organizations need new technical capabilities. Prompt validation and monitoring must detect malicious semantic content in natural language, not just structured input patterns.

Model integrity verification needs to validate model weights and detect poisoning, which current system integrity controls don’t address. Adversarial robustness testing requires red teaming focused specifically on AI attack vectors, not just traditional penetration testing. Traditional data loss prevention focuses on detecting structured data: credit card numbers, social security numbers, and API keys. AI systems require semantic DLP capabilities that can identify sensitive information embedded in unstructured conversations.

When an employee asks an AI assistant, “summarize this document,” and pastes in confidential business plans, traditional DLP tools miss it because there’s no obvious data pattern to detect. AI supply chain security demands capabilities that go beyond vendor assessments and dependency scanning. Organizations need methods for validating pre-trained models, verifying dataset integrity, and detecting backdoored weights. The SR control family in NIST SP 800-53 doesn’t provide specific guidance here because these components didn’t exist in traditional software supply chains.

The bigger challenge is knowledge. Security teams need to understand these threats, but traditional certifications don’t cover AI attack vectors. The skills that made security professionals excellent at securing networks, applications, and data are still valuable—they’re just not sufficient for AI systems. This isn’t about replacing security expertise; it’s about extending it to cover new attack surfaces.

The Knowledge and Regulatory Challenge Organizations that address this knowledge gap will have significant advantages. Understanding how AI systems fail differently than traditional applications, implementing AI-specific security controls, and building capabilities to detect and respond to AI threats—these aren’t optional anymore. Regulatory pressure is mounting. The EU AI Act , which took effect in 2025, imposes penalties up to €35 million or 7% of global revenue for serious violations.

NIST’s AI Risk Management Framework provides guidance, but it’s not yet integrated into the primary security frameworks that drive organizational security programs. Organizations waiting for frameworks to catch up will find themselves responding to breaches instead of preventing them. Practical steps matter more than waiting for perfect guidance. Organizations should start with an AI-specific risk assessment separate from traditional security assessments.

Inventorying the AI systems actually running in the environment reveals blind spots for most organizations. Implementing AI-specific security controls even though frameworks don’t require them yet, is critical. Building AI security expertise within existing security teams rather than treating it as an entirely separate function makes the transition more manageable. Updating incident response plans to include AI-specific scenarios is essential because current playbooks won’t work when investigating prompt injection or model poisoning.

The Proactive Window Is Closing Traditional security frameworks aren’t wrong—they’re incomplete. The controls they mandate don’t cover AI-specific attack vectors, which is why organizations that fully met NIST CSF, ISO 27001, and CIS Controls requirements were still breached in 2024 and 2025. Compliance hasn’t equaled protection. Security teams need to close this gap now rather than wait for frameworks to catch up.

That means implementing AI-specific controls before breaches force action, building specialized knowledge within security teams to defend AI systems effectively, and pushing for updated industry standards that address these threats comprehensively. The threat landscape has fundamentally changed. Security approaches need to change with it, not because current frameworks are inadequate for what they were designed to protect, but because the systems being protected have evolved beyond what those frameworks anticipated. Organizations that treat AI security as an extension of their existing programs, rather than waiting for frameworks to tell them exactly what to do, will be the ones that defend successfully.

Those who wait will be reading breach reports instead of writing security success stories. Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

New MongoDB Flaw Lets Unauthenticated Attackers Read Uninitialized Memory

A high-severity security flaw has been disclosed in MongoDB that could allow unauthenticated users to read uninitialized heap memory. The vulnerability, tracked as CVE-2025-14847 (CVSS score: 8.7), has been described as a case of improper handling of length parameter inconsistency , which arises when a program fails to appropriately tackle scenarios where a length field is inconsistent with the actual length of the associated data. “Mismatched length fields in zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client,” according to a description of the flaw in CVE.org. The flaw impacts the following versions of the database - MongoDB 8.2.0 through 8.2.3 MongoDB 8.0.0 through 8.0.16 MongoDB 7.0.0 through 7.0.26 MongoDB 6.0.0 through 6.0.26 MongoDB 5.0.0 through 5.0.31 MongoDB 4.4.0 through 4.4.29 All MongoDB Server v4.2 versions All MongoDB Server v4.0 versions All MongoDB Server v3.6 versions The issue has been addressed in MongoDB versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30.

“An client-side exploit of the Server’s zlib implementation can return uninitialized heap memory without authenticating to the server,” MongoDB said . “We strongly recommend upgrading to a fixed version as soon as possible.” If immediate update is not an option, it’s recommended to disable zlib compression on the MongoDB Server by starting mongod or mongos with a networkMessageCompressors or a net.compression.compressors option that explicitly omits zlib. The other compressor options supported by MongoDB are snappy and zstd. “CVE-2025-14847 allows a remote, unauthenticated attacker to trigger a condition in which the MongoDB server may return uninitialized memory from its heap,” OP Innovate said .

“This could result in the disclosure of sensitive in-memory data, including internal state information, pointers, or other data that may assist an attacker in further exploitation.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Trust Wallet Chrome Extension Breach Caused $7 Million Crypto Loss via Malicious Code

Trust Wallet is urging users to update its Google Chrome extension to the latest version following what it described as a “security incident” that led to the loss of approximately $7 million. The issue, the multi‑chain, non‑custodial cryptocurrency wallet service said, impacts version 2.68. The extension has about one million users, according to the Chrome Web Store listing. Users are advised to update to version 2.69 as soon as possible.

“We’ve confirmed that approximately $7 million has been impacted and we will ensure all affected users are refunded,” Trust Wallet said in a post on X. “Supporting affected users is our top priority, and we are actively finalizing the process to refund the impacted users.” Trust Wallet is also urging users to refrain from interacting with any messages that do not come from its official channels. Mobile-only users and all other browser extension versions are not affected. According to details shared by SlowMist, version 2.68 introduced malicious code that’s designed to iterate through all wallets stored in the extension and trigger a mnemonic phrase request for each wallet.

“The encrypted mnemonic is then decrypted using the password or passkeyPassword entered during wallet unlock,” the blockchain security firm said . “Once decrypted, the mnemonic phrase is sent to the attacker’s server api.metrics-trustwallet[.]com.” The domain “metrics-trustwallet[.]com” was registered on December 8, 2025, with the first request to “api.metrics-trustwallet[.]com” commencing on December 21, 2025. Further analysis has revealed that the attacker has leveraged an open‑source full‑chain analytics library named posthog-js to harvest wallet user information. The digital assets drained so far include about $3 million in Bitcoin, $431 in Solana, and more than $3 million in Ethereum.

The stolen funds have been moved through centralized exchanges and cross-chain bridges for laundering and swapping. According to an update shared by blockchain investigator ZachXBT, the incident has claimed hundreds of victims. “While ~$2.8 million of the stolen funds remain in the hacker’s wallets (Bitcoin/ EVM/ Solana), the bulk – >$4M in cryptos – has been sent to CEXs [centralized exchanges]: ~$3.3 million to ChangeNOW, ~$340,000 to FixedFloat, and ~$447,000 to KuCoin,” PeckShield said . “This backdoor incident originated from malicious source code modification within the internal Trust Wallet extension codebase (analytics logic), rather than an injected compromised third‑party dependency (e.g., malicious npm package),” SlowMist said.

“The attacker directly tampered with the application’s own code, then leveraged the legitimate PostHog analytics library as the data‑exfiltration channel, redirecting analytic traffic to an attacker‑controlled server.” The company said there is a possibility that it’s the work of a nation-state actor, adding the attackers may have gained control of Trust Wallet‑related developer devices or obtained deployment permissions prior to December 8, 2025. Changpeng Zhao, a co-founder of crypto exchange Binance, which owns the utility, hinted that the exploit was “most likely” carried out by an insider, although no further evidence was provided to support the theory. Update Trust Wallet, in a follow-up update, has urged affected users to complete a form on their support desk at “trustwallet-support.freshdesk[.]com” to start the compensation process. Victims have been asked to provide their contact email address, country of residence, compromised wallet address(es), the address to which the funds were drained to, and the corresponding transaction hashes.

“We are seeing scams via Telegram ads, fake ‘compensation’ forms, impersonated support accounts, and DMs,” the company cautioned. “Always verify links, never share your recovery phrase, and use official Trust Wallet channels only.” Eowyn Chen, Trust Wallet’s CEO, said an investigation into the incident is underway, reiterating that the issue impacts only Chrome browser extension version 2.68 users who logged in and before December 26, 2025, 11 a.m. UTC. “The malicious extension v2.68 was NOT released through our internal manual process,” Chen said.

“Our current findings suggest it was most likely published externally through the Chrome Web Store API key, bypassing our standard release checks.” “The hacker used a leaked Chrome Web Store API key to submit the malicious extension version v2.68. This successfully passed the Chrome Web Store’s review and was released on December 24, 2025, at 12:32 p.m. UTC.” Following the discovery of the breach, Chen said the company has taken the step of suspending the malicious domain, expiring all release APIs, and processing reimbursement for affected victims. Trust Wallet has since revealed that it has identified 2,596 wallet addresses that were affected as a result of the malicious extension update.

“From this group, we’ve received around 5,000 claims which indicates a significant number of false or duplicate submissions attempting to access victims’ reimbursements,” Chen said . “Because of this, accurate verification of wallet ownership is critical to ensure funds are returned to the right people.” (The story was updated after publication to reflect the latest developments.) Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

China-Linked Evasive Panda Ran DNS Poisoning Campaign to Deliver MgBot Malware

A China-linked advanced persistent threat (APT) group has been attributed to a highly-targeted cyber espionage campaign in which the adversary poisoned Domain Name System (DNS) requests to deliver its signature MgBot backdoor in attacks targeting victims in Türkiye, China, and India. The activity, Kaspersky said, was observed between November 2022 and November 2024. It has been linked to a hacking group called Evasive Panda , which is tracked as Bronze Highland, Daggerfly, and StormBamboo. It’s assessed to be active since at least 2012.

“The group mainly performed adversary-in-the-middle (AitM) attacks on specific victims,” Kaspersky researcher Fatih Şensoy said in a deep-dive analysis. “These included techniques such as dropping loaders into specific locations and storing encrypted parts of the malware on attacker-controlled servers, which were resolved as a response to specific website DNS requests.” This is not the first time Evasive Panda’s DNS poisoning capabilities have come to the fore. As far back as April 2023, ESET noted that the threat actor may have either carried out a supply chain compromise or an AitM attack to serve trojanized versions of legitimate applications like Tencent QQ in an attack targeting an international non-governmental organization (NGO) in Mainland China. In August 2024, a report from Volexity revealed how the threat actor compromised an unnamed internet service provider (ISP) by means of a DNS poisoning attack to push malicious software updates to targets of interest.

Evasive Panda is also one of the many China-aligned threat activity clusters that have relied on AitM poisoning for malware distribution. In an analysis last month, ESET said it’s tracking 10 active groups from China that have leveraged the technique for initial access or lateral movement, including LuoYu, BlackTech, TheWizards APT, Blackwood, PlushDaemon, and FontGoblin. In the attacks documented by Kaspersky, the threat actor has been found to make use of lures that masquerade as updates for third-party software, such as SohuVA, a video streaming service from the Chinese internet company Sohu. The malicious update is delivered from the domain “p2p.hd.sohu.com[.]cn,” likely indicating a DNS poisoning attack.

“There is a possibility that the attackers used a DNS poisoning attack to alter the DNS response of p2p.hd.sohu.com[.]cn to an attacker-controlled server’s IP address, while the genuine update module of the SohuVA application tries to update its binaries located in appdata\roaming\shapp\7.0.18.0\package,” Şensoy explained. The Russian cybersecurity vendor said it also identified other campaigns in which Evasive Panda utilized a fake updater for Baidu’s iQIYI Video, as well as IObit Smart Defrag and Tencent QQ. The attack paves the way for the deployment of an initial loader that’s responsible for launching shellcode that, in turn, fetches an encrypted second-stage shellcode in the form of a PNG image file, again by means of DNS poisoning from the legitimate website dictionary[.]com. Evasive Panda is said to have manipulated the IP address associated with dictionary[.]com, causing victim systems to resolve the website to an attacker-controlled IP address based on their geographical location and internet service provider.

It’s currently not known how the threat actor is poisoning DNS responses. But two possible scenarios are suspected: either the ISPs used by the victims were selectively targeted and compromised to install some kind of a network implant on edge devices, or a router or firewall used by the victims was hacked for this purpose. The HTTP request to obtain the second-stage shellcode also contains the current Windows version number. This is likely an attempt on the part of the attackers to target specific operating system versions and adapt their strategy based on the operating system used.

It’s worth noting that Evasive Panda has previously leveraged watering hole attacks to distribute an Apple macOS malware codenamed MACMA . The exact nature of the second-stage malware is unclear, but Kaspersky’s analysis shows that the first-stage shellcode decrypts and runs the retrieved payload. It’s assessed that the attackers generate a unique encrypted second shellcode file for each victim as a way to bypass detection. A crucial aspect of the operations is the use of a secondary loader (“libpython2.4.dll”) that relies on a renamed, older version of “python.exe” to be sideloaded.

Once launched, it downloads and decrypts the next-stage malware by reading the contents of a file named “C:\ProgramData\Microsoft\eHome\perf.dat.” This file contains the decrypted payload downloaded from the previous step. “It appears that the attacker used a complex process to obtain this stage from a resource, where it was initially XOR-encrypted,” Kaspersky said. “The attacker then decrypted this stage with XOR and subsequently encrypted and saved it to perf.dat using a custom hybrid of Microsoft’s Data Protection Application Programming Interface (DPAPI) and the RC5 algorithm.” The use of a custom encryption algorithm is seen as an attempt to complicate analysis by ensuring that the encrypted data can only be decoded on the specific system where the encryption was initially performed and block any efforts to intercept and analyze the malicious payload. The decrypted code is an MgBot variant that’s injected by the secondary loader into a legitimate “svchost.exe” process.

A modular implant, MgBot, is capable of harvesting files, logging keystrokes, gathering clipboard data, recording audio streams, and stealing credentials from web browsers. This enables the malware to maintain a stealthy presence in compromised systems for long periods of time. “The Evasive Panda threat actor has once again showcased its advanced capabilities, evading security measures with new techniques and tools while maintaining long-term persistence in targeted systems,” Kaspersky said. Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Critical LangChain Core Vulnerability Exposes Secrets via Serialization Injection

A critical security flaw has been disclosed in LangChain Core that could be exploited by an attacker to steal sensitive secrets and even influence large language model (LLM) responses through prompt injection. LangChain Core (i.e., langchain-core ) is a core Python package that’s part of the LangChain ecosystem, providing the core interfaces and model-agnostic abstractions for building applications powered by LLMs. The vulnerability, tracked as CVE-2025-68664, carries a CVSS score of 9.3 out of 10.0. Security researcher Yarden Porat has been credited with reporting the vulnerability on December 4, 2025.

It has been codenamed LangGrinch . “A serialization injection vulnerability exists in LangChain’s dumps() and dumpd() functions,” the project maintainers said in an advisory. “The functions do not escape dictionaries with ‘lc’ keys when serializing free-form dictionaries.” “The ‘lc’ key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data.” According to Cyata researcher Porat, the crux of the problem has to do with the two functions failing to escape user-controlled dictionaries containing “lc” keys.

The “lc” marker represents LangChain objects in the framework’s internal serialization format. “So once an attacker is able to make a LangChain orchestration loop serialize and later deserialize content including an ‘lc’ key, they would instantiate an unsafe arbitrary object, potentially triggering many attacker-friendly paths,” Porat said . This could have various outcomes, including secret extraction from environment variables when deserialization is performed with “secrets_from_env=True” (previously set by default), instantiating classes within pre-approved trusted namespaces, such as langchain_core, langchain, and langchain_community, and potentially even leading to arbitrary code execution via Jinja2 templates. What’s more, the escaping bug enables the injection of LangChain object structures through user-controlled fields like metadata, additional_kwargs, or response_metadata via prompt injection.

The patch released by LangChain introduces new restrictive defaults in load() and loads() by means of an allowlist parameter “allowed_objects” that allows users to specify which classes can be serialized/deserialized. In addition, Jinja2 templates are blocked by default, and the “secrets_from_env” option is now set to “False” to disable automatic secret loading from the environment. The following versions of langchain-core are affected by CVE-2025-68664 -

= 1.0.0, < 1.2.5 (Fixed in 1.2.5) < 0.3.81 (Fixed in 0.3.81) It’s worth noting that there exists a similar serialization injection flaw in LangChain.js that also stems from not properly escaping objects with “lc” keys, thereby enabling secret extraction and prompt injection. This vulnerability has been assigned the CVE identifier CVE-2025-68665 (CVSS score: 8.6).

It impacts the following npm packages - @langchain/core >= 1.0.0, < 1.1.8 (Fixed in 1.1.8) @langchain/core < 0.3.80 (Fixed in 0.3.80) langchain >= 1.0.0, < 1.2.3 (Fixed in 1.2.3) langchain < 0.3.37 (Fixed in 0.3.37) In light of the criticality of the vulnerability, users are advised to update to a patched version as soon as possible for optimal protection. “The most common attack vector is through LLM response fields like additional_kwargs or response_metadata, which can be controlled via prompt injection and then serialized/deserialized in streaming operations,” Porat said. “This is exactly the kind of ‘AI meets classic security’ intersection where organizations get caught off guard. LLM output is an untrusted input.” Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

ThreatsDay Bulletin: Stealth Loaders, AI Chatbot Flaws AI Exploits, Docker Hack, and 15 More Stories

It’s getting harder to tell where normal tech ends and malicious intent begins. Attackers are no longer just breaking in — they’re blending in, hijacking everyday tools, trusted apps, and even AI assistants. What used to feel like clear-cut “hacker stories” now looks more like a mirror of the systems we all use. This week’s findings show a pattern: precision, patience, and persuasion.

The newest campaigns don’t shout for attention — they whisper through familiar interfaces, fake updates, and polished code. The danger isn’t just in what’s being exploited, but in how ordinary it all looks. ThreatsDay pulls these threads together — from corporate networks to consumer tech — revealing how quiet manipulation and automation are reshaping the threat landscape. It’s a reminder that the future of cybersecurity won’t hinge on bigger walls, but on sharper awareness.

Open-source tool exploited Abuse of Nezha for Post-Exploitation Bad actors are leveraging an open-source monitoring tool named Nezha to gain remote access to compromised hosts. Its ability to allow administrators to view system health, execute commands, transfer files, and open interactive terminal sessions also makes it an attractive choice for threat actors. In one incident investigated by Ontinue, the tool was deployed as a post-exploitation remote access tool by means of a bash script, while pointing to a remote dashboard hosted on Alibaba Cloud infrastructure located in Japan. “The weaponization of Nezha reflects an emerging modern attack strategy where threat actors systematically abuse legitimate software to achieve persistence and lateral movement while evading signature-based defenses,” said Mayuresh Dani, security research manager at Qualys.

The abuse of Nezha is part of broader efforts where attackers leverage legitimate tools to evade signature detection, blend with normal activity, and reduce development effort. Facial scans for SIMs South Korea to Require Face Scans to Buy a SIM South Korea will begin requiring people to submit to facial recognition when signing up for a new mobile phone number in a bid to tackle scams and identity theft, according to the Ministry of Science and ICT. “By comparing the photo on an identification card with the holder’s actual face on a real-time basis, we can fully prevent the activation of phones registered under a false name using stolen or fabricated IDs,” the ministry said . The new policy, which applies to SK Telecom, Korea Telecom, and LG Uplus, and other mobile virtual network operators, takes effect on March 23 after a pilot following a trial that began this week .

The science ministry has emphasized that no data will be stored as part of the new policy. “We are well aware that the public is concerned due to a series of hacking incidents at local mobile carriers,” the ministry said. “Contrary to concerns raised by some, no personal information is stored or saved, and it is immediately erased once identification is verified.” Android NFC threat spike NFC-Abusing Android Malware Surges in H2 2025 Data from ESET has revealed that detections of NFC-abusing Android malware grew by 87% between H1 and H2 2025. This increase has been coupled with the growing sophistication of NFC-based malware, such as the harvesting of victims’ contacts, disabling of biometric verification, and bringing together NFC attacks with remote access trojan (RAT) features and Automated Transfer System (ATS) capabilities.

In these campaigns, malicious apps distributing malware such as PhantomCard prompt victims to hold their payment card near the phone and enter their PIN for authentication. In the process, the captured information is relayed to the attackers. “Recent innovations in the NFC sphere demonstrate that threat actors no longer rely solely on relay attacks: they are blending NFC exploitation with advanced capabilities such as remote access and automated transfers,” ESET said . “The efficiency of the scams is further fueled by advanced social engineering and technologies that can bypass biometric verification.” Fake PoCs spread malware Fake PoCs Lead to WebRAT Threat actors are now targeting inexperienced professionals and students in the information security field with fake proof-of-concept (PoC) exploits for security flaws such as CVE-2025-59295, CVE-2025-10294, and CVE-2025-59230 to trick them into installing WebRAT using a ZIP archive hosted in the repositories.

“To build trust, they carefully prepared the repositories, incorporating detailed vulnerability information into the descriptions,” Kaspersky said . The repositories include detailed sections with overviews of the vulnerability, system impact, install guides, usage steps, and even mitigation advice. The consistency of the format of a professional PoC write-up suggests the descriptions are machine-generated to avoid detection. Present within the ZIP file is an executable named “rasmanesc.exe,” that’s capable of escalating privileges, disabling Microsoft Defender, and fetching WebRAT from an external server.

Webrat is a backdoor that allows attackers to control the infected system, as well as steal data from cryptocurrency wallets, Telegram, Discord, and Steam accounts. It can also perform spyware functions such as screen recording, surveillance via a webcam and microphone, and keylogging. WebRAT is sold by NyashTeam , which also advertises DCRat. GuLoader surge observed GuLoader Campaigns Spiked in Late 2025 Campaigns distributing GuLoader (aka CloudEyE) scaled a new high between September and November 2025, according to ESET , with the highest detection peak recorded in Poland on September 18.

“CloudEyE is multistage malware; the downloader is the initial stage and spreads via PowerShell scripts, JavaScript files, and NSIS executables,” the company said. “These then download the next stage, which contains the crypter component with the intended final payload packed within. All CloudEyE stages are heavily obfuscated, meaning that they are deliberately difficult to detect and analyze, with their contents being compressed, encrypted, encoded, or otherwise obscured.” Chatbot flaws exposed Flaws in Eurostar AI Chatbot Multiple vulnerabilities have been disclosed in Eurostar’s public artificial intelligence (AI) chatbot that could allow guardrail bypass by taking advantage of the fact that the frontend relays the entire chat history to the API while running checks only on the latest message to ensure it’s safe. This opens the door to a scenario where an attacker could tamper with earlier messages, which, when fed into the model’s API, causes it to return unintended responses via a prompt injection.

Other identified issues included the ability to modify message IDs to potentially lead to cross-user compromise and inject HTML code stemming from the lack of input validation. “An attacker could exfiltrate prompts, steer answers, and run scripts in the chat window,” Pen Test Partners said. “The core lesson is that old web and API weaknesses still apply even when an LLM is in the loop.” Some of these vulnerabilities have since been fixed, but not before a confusing disclosure process that saw the penetrating testing firm somehow being accused of blackmail by Eurostar’s head of security on LinkedIn after asking, “Maybe a simple acknowledgement of the original email report would have helped?” Critical flaws uncovered Several Flaws in Databases Discovered A hacking competition conducted by Wiz, zeroday.cloud, led to the discovery of 11 critical zero-day exploits affecting foundational open-source components used in critical cloud infrastructure, including container runtimes, AI infrastructure such as vLLM and Ollama, and databases like Redis, PostgreSQL, and MariaDB. The most severe of the flaws has been uncovered in Linux.

“The vulnerability allows for a Container Escape, often enabling attackers to break out of an isolated cloud service, dedicated to one specific user, and spread to the underlying infrastructure that manages all users,” Wiz said . “This breaks the core promise of cloud computing: the guarantee that different customers running on the same hardware remain separate and inaccessible to one another. This further reinforces that containers shouldn’t be the sole security barrier in multi-tenant environments.” Loader targets industries New Campaign Targets Manufacturing and Government Orgs Manufacturing and government organizations in Italy, Finland, and Saudi Arabia are the target of a new phishing campaign that uses a commodity loader to deliver a wide range of malware, such as PureLogs, XWorm, Katz Stealer , DCRat, and Remcos RAT. “This campaign utilizes advanced tradecraft, employing a diverse array of infection vectors including weaponized Office documents (exploiting CVE-2017-11882 ), malicious SVG files, and ZIP archives containing LNK shortcuts,” Cyble said .

“Despite the variety of delivery methods, all vectors leverage a unified commodity loader.” The use of the loader to distribute a variety of malware indicates that the loader is likely shared or sold across different threat actor groups. A notable aspect of the campaign is the use of steganographic techniques to host image files on legitimate delivery platforms, thereby allowing the malicious code to slip past file-based detection systems by masquerading as benign traffic. The commodity loader is assessed to be Caminho based on similar campaigns detailed by Nextron Systems and Zscaler . Teams gets safer defaults Microsoft Bolsters Teams Security Microsoft has announced that Teams will automatically enable messaging safety features by default, including weaponizable file type protection, malicious URL protection, and reporting incorrect detections.

The change will roll out starting January 12, 2026, to tenants that have not previously modified messaging safety settings and are still using the default configuration. “We’re improving messaging security in Microsoft Teams by enabling key safety protections by default,” Microsoft said in a Microsoft 365 message center update. “This update helps safeguard users from malicious content and provides options to report incorrect detections.” In addition, the Windows maker said security administrators will be able to block external users in Microsoft Teams via the Tenant Allow/Block List in the Microsoft Defender portal. The feature is expected to roll out in early January 2026 and be completed by mid-January.

“This centralized approach enhances security and compliance by enabling organizations to control external user access across Microsoft 365 services,” the company said . AI assistant hijack risk Docker Patches Prompt Injection in Ask Gordon Docker has patched a vulnerability in Ask Gordon , its AI assistant embedded in Docker Desktop and the Docker CLI. The flaw, discovered by Pillar Security in the beta version, is a case of prompt injection that enables attackers to hijack the assistant and exfiltrate sensitive data by poisoning Docker Hub repository metadata with malicious instructions. An attacker could have created a malicious Docker Hub repository that contained crafted instructions for the AI to exfiltrate sensitive data when unsuspecting developers ask the chatbot to describe the repository.

“By exploiting Gordon’s inherent trust in Docker Hub content, threat actors can embed instructions that trigger automatic tool execution – fetching additional payloads from attacker-controlled servers, all without user consent or awareness,” security researcher Eilon Cohen said . The issue was addressed in version 4.50.0 released on November 6, 2025. Firewall bypass threat IoT Devices Facing Silent Takeover Researchers have demonstrated how to breach Internet of Things (IoT) devices through firewalls, without the need for any kind of software vulnerability. “We present a new attack technique that allows attackers anywhere in the world to impersonate target intranet devices, hijack cloud communication channels, spoof the cloud, and bypass companion app authentication, and ultimately achieve Remote Code Execution (RCE) with root privileges,” researchers Jincheng Wang and Nik Xe said .

“Our research exposes flaws in existing cloud-device authentication mechanisms, and a widespread absence of proper channel verification mechanisms.” Faster BitLocker encryption Microsoft Announces Hardware-Accelerated BitLocker in Windows 11 Microsoft said it’s rolling out hardware-accelerated BitLocker in Windows 11 to balance robust security with minimal performance impact. “Starting with the September 2025 Windows update for Windows 11 24H2 and the release of Windows 11 25H2, in addition to existing support for UFS (Universal Flash Storage) Inline Crypto Engine technology, BitLocker will take advantage of upcoming system on chip (SoC) and central processing unit (CPU) capabilities to achieve better performance and security for current and future NVMe drives,” the company said . As part of this effort, BitLocker will hardware wrap BitLocker bulk encryption keys and offload bulk cryptographic operations from the main CPU to a dedicated crypto engine. “When enabling BitLocker, supported devices with NVMe drives, along with one of the new crypto offload capable SoCs, will use hardware-accelerated BitLocker with the XTS-AES-256 algorithm by default,” the tech giant added.

Israel-targeted phishing Israeli Entities Targeted by UNG0801 Information Technology (IT), Managed Service Providers (MSPs), human resources, and software development companies in Israel have become the target of a threat cluster likely originating from Western Asia that has used phishing lures written in Hebrew and designed to resemble routine internal communications to infect their systems with a Python- and Rust-based implants tracked as PYTRIC and RUSTRIC. The activity has been tracked by Seqrite Labs under the monikers UNG0801 and Operation IconCat. “A recurring pattern across the observed campaigns is the actor’s heavy reliance on antivirus icon spoofing,” the company said . “Branding from well-known security vendors, most notably SentinelOne and Check Point, is abused to create a false sense of legitimacy.” The PDF attachment in the email messages instructs recipients to download a security scanner by clicking on a Dropbox link that delivers the malware.

PYTRIC is equipped to scan the file system and perform a system-wide wipe. Attack chains distribute RUSTRIC leverage Microsoft Word documents with a malicious macro, which then extracts and launches the malware. Besides enumerating the antivirus programs installed on the infected host, it gathers basic system information and contacts an external server. EDR killer tool sold NtKiller Advertised on Cybercrime Forums A threat actor known as AlphaGhoul is promoting a tool called NtKiller that they claim can stealthily terminate antivirus and security solutions, such as Microsoft Defender, ESET, Kaspersky, Bitdefender, and Trend Micro.

The core functionality, per Outpost24 , is available for $500, with a rootkit add-on and a UAC Bypass add-on costing $300 each. The disclosure comes weeks after a security researcher, who goes by the name Zero Salarium, demonstrated how Endpoint Detection and Response (EDR) programs can be undermined on Windows by exploiting the Bind Filter driver (“bindflt.sys”). In recent months, the security community has also identified ways to bypass web application firewalls (WAFs) by abusing ASP.NET’s parameter pollution, subvert EDRs using an in-memory Portable Executable (PE) loader, and even manipulate Microsoft Defender Antivirus to sideload DLLs and delete executable files to prevent the service from running by exploiting its update mechanism to hijack its execution folder. AI exploits blockchain AI Agents Find $4.6M in Blockchain Smart Contract Exploits AI company Anthropic said Claude Opus 4.5, Claude Sonnet 4.5, and GPT-5 developed exploits in blockchain smart contracts that would have allowed the theft of $4.6 million worth of digital assets.

“Both agents uncovered two novel zero-day vulnerabilities and produced exploits worth $3,694, with GPT-5 doing so at an API cost of $3,476,” Anthropic’s Frontier Red Team said . “This demonstrates as a proof-of-concept that profitable, real-world autonomous exploitation is technically feasible, a finding that underscores the need for proactive adoption of AI for defense.” North Korea’s new lure ScarCruft Behind New Operation Artemis Campaign The North Korean threat actor known as ScarCruft has been linked to a new campaign dubbed Artemis that involves the adversary posing as a writer for Korean TV programs to reach out to targets for casting or interview arrangements. “A short self-introduction and legitimate-looking instructions are used to build trust,” Genians said . “The attacker distributes a malicious HWP file disguised as a pre-interview questionnaire or event guide document.” The end goal of these attacks is to trigger the sideloading of a rogue DLL that ultimately delivers RokRAT, which uses Yandex Cloud for command-and-control (C2).

The campaign gets its name from the fact that one of the identified HWP documents has its Last Saved By field set to the value “Artemis.” AI-fueled disinfo surge CopyCop Scales AI-Driven Influence Ops The Russian influence operation CopyCop (aka Storm-1516) is using AI tools to scale its efforts to a global reach, quietly deploying more than 300 inauthentic websites disguised as local news outlets, political parties, and even fact-checking organizations targeting audiences across North America, Europe, and other regions, including Armenia, Moldova, and parts of Africa. The primary objective is to further Russia’s geopolitical goals and erode Western support for Ukraine. “What sets CopyCop apart from earlier influence operations is its large-scale use of artificial intelligence,” Recorded Future said . “The network relies on self-hosted LLMs, specifically uncensored versions of a popular open-source model, to generate and rewrite content at scale.

Thousands of fake news stories and ‘investigations’ are produced and published daily, blending factual fragments with deliberate falsehoods to create the illusion of credible journalism.” RomCom-themed phishing SHADOW-VOID-042 Behind Trend Micro-Themed Phishing Campaign A threat cluster dubbed SHADOW-VOID-042 has been linked to a November 2025 spear-phishing campaign featuring a Trend Micro-themed social engineering lure to trick victims in the defense, energy, chemical, cybersecurity (including Trend and a subsidiary), and ICT sectors with messages instructing them to install a fake update for alleged security issues in Trend Micro Apex One. The activity, Trend Micro said, shares overlaps with prior campaigns attributed to RomCom (aka Void Rabisu), a threat actor with both financial and espionage motivations that aligned with Russian interests. However, in the absence of a definitive connection, the latter attack waves are being tracked under a separate temporary intrusion set. What’s more, the November 2025 campaign shares tactical and infrastructure overlaps with another campaign in October 2025, which used alleged harassment complaints and research participation as social engineering lures.

“The campaign utilized a multi-stage approach, tailoring every stage to the specific target machine and delivering intermediate payloads to a select number of targets,” Trend Micro said . The URLs embedded in the emails redirect victims to a fake landing page impersonating Cloudflare, while, in the background, attempts are made to exploit a now-patched Google Chrome security flaw (CVE-2018-6065) using a JavaScript file. In the event exploitation fails, they are taken to a decoy site named TDMSec, impersonating Trend Micro. The JavaScript file also contains shellcode responsible for gathering system information and contacting an external server to fetch a second-stage payload, which acts as a loader for an encrypted component that then proceeds to contact a server to obtain an unspecified next-stage malware.

While Void Rabisu has exploited zero-days in the past, the new findings raise the possibility that it could be undergoing several changes. The stories this week aren’t just about new attacks — they’re a snapshot of how the digital world is maturing under pressure. Every exploit, fake lure, or AI twist is a sign of systems being tested in real time. The takeaway isn’t panic; it’s awareness.

The more we understand how these tactics evolve, the less power they hold. Cybersecurity now sits at the crossroads of trust and automation. As AI learns to defend, it’s also learning how to deceive. That tension will define the next chapter — and how ready we are to face it depends on what we choose to notice today.

Stay curious, stay skeptical, and read between the lines. The biggest threats often hide in what feels most routine — and that’s exactly where the next breakthrough in defense will begin. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.