2026-01-02 AI创业新闻
ThreatsDay Bulletin: GhostAd Drain, macOS Attacks, Proxy Botnets, Cloud Exploits, and 12+ Stories
The first ThreatsDay Bulletin of 2026 lands on a day that already feels symbolic — new year, new breaches, new tricks. If the past twelve months taught defenders anything, it’s that threat actors don’t pause for holidays or resolutions. They just evolve faster. This week’s round-up shows how subtle shifts in behavior, from code tweaks to job scams, are rewriting what “cybercrime” looks like in practice.
Across the landscape, big players are being tested, familiar threats are mutating, and smaller stories are quietly signaling bigger patterns ahead. The trend isn’t about one big breach anymore; it’s about many small openings that attackers exploit with precision. The pace of exploitation, deception, and persistence hasn’t slowed; it’s only become more calculated. Each update in this edition highlights how the line between normal operations and compromise is getting thinner by the week.
Here’s a sharp look at what’s moving beneath the surface of the cybersecurity world as 2026 begins. KMSAuto malware scam busted Lithuanian National Extradited to S. Korea for Allegedly Distributing Malware A Lithuanian national has been arrested for his alleged involvement in infecting 2.8 million systems with clipboard-stealing malware disguised as the KMSAuto tool for illegally activating Windows and Office software. The 29-year-old man has been extradited from Georgia to South Korea.
“From April 2020 to January 2023, the hacker distributed 2.8 million copies worldwide of malware disguised as an illegal Windows license activation program (KMSAuto),” South Korean authorities said . “Through this malware, the hacker stole virtual assets worth approximately KRW 1.7 billion ($1.2 million) in 8,400 transactions from users of 3,100 virtual asset addresses.” The suspect is alleged to have used KMSAuto as a lure to trick victims into downloading a malicious executable that functioned as a clipper malware. Holiday ColdFusion exploit spree Coordinated Campaign Targets Adobe ColdFusion A new “coordinated exploitation” campaign has been observed targeting Adobe ColdFusion servers over the Christmas 2025 holiday period. “The attack appears to be a single threat actor operating from Japan-based infrastructure (CTG Server Limited),” GreyNoise said .
“This source was responsible for ~98% of attack traffic, systematically exploiting 10+ ColdFusion CVEs from 2023-2024.” The activity originated from 8 unique IP addresses and leveraged over 10 different CVEs (CVE-2023-26359, CVE-2023-38205, CVE-2023-44353, CVE-2023-38203, CVE-2023-38204, CVE-2023-29298, CVE-2023-29300, CVE-2023-26347, CVE-2024-20767, and CVE-2023-44352) to target the U.S., Spain, India, Canada, Chile, Germany, Pakistan, Cambodia, Ecuador, and France. Some of the payloads deployed following the exploitation enable direct code execution, credential harvesting (by accessing “/etc/passwd”), and JNDI lookups. Android tablets backdoored Kaspersky Discovers New Keenadu Pre-Installed Malware Kaspersky said it discovered pre-installed malware on certain models of tablets running Android. The malware has been codenamed Keenadu.
“It’s a backdoor in libandroid_runtime.so,” the Russian cybersecurity company said . While the company has yet to provide additional details, backdoors of this kind can allow remote access for data exfiltration, command execution, and other forms of post-exploitation. AI jailbreak hub shut down r/ChatGPTjailbreak Subreddit Banned Reddit has taken the step of banning r/ChatGPTJailbreak, a community of over 229,000 users dedicated to finding workarounds and jailbreaks for safety filters and guardrails erected by developers of large language models (LLMs). Reddit said the “community was banned for violating Rule 8 ,” which refers to any effort that could break the site or interfere with its normal use.
“Do not interrupt the serving of Reddit, introduce malicious code onto Reddit, make it difficult for anyone else to use Reddit due to your actions, block sponsored headlines, create programs that violate any of our other API rules, or assist anyone in misusing Reddit in any way,” the rule states . The move follows a WIRED report about how some chatbot users were sharing instructions on generating non-consensual deepfakes using photos of fully clothed women. Following the ban, the community has resurfaced at chatgptjailbreak.tech on a federated alternative called Lemmy. While the subreddit sprang forth as a red teaming hub for discussing AI jailbreaks, it goes without saying that content shared on the forum had the potential to trigger indirect prompt injections, given that the data (along with everything else posed on the platform) powers Reddit Answers, and serves as a real-time dataset for other models that leverage retrieval-augmented generation (RAG) techniques to incorporate new information.
The development comes as prompt injections and jailbreaks continue to plague artificial intelligence (AI) systems, with actors, both good and bad, continuously exploring ways to circumvent protections put in place to prevent misuse. Indeed, a new study from Italy’s Icaro Lab, Sapienza University of Rome, and Sant’Anna School of Advanced Studies found that adversarial poetic prompts have a higher attack-success rate (ASR) against LLMs and cause them to skirt contemporary safety mechanisms designed to block production of explicit or harmful content like child sex abuse material, hate speech, and instructions on how to make chemical and nuclear weapons. “When prompts with identical task intent were presented in poetic rather than prose form, the Attack Success Rate (ASR) increased from 8.08% to 43.07%, on average – a fivefold increase,” researchers said. Macs join GlassWorm hitlist GlassWorm Shows Up Again, This Time Targeting Macs The supply chain campaign known as GlassWorm has resurfaced a fourth time with three suspicious extensions on the Open VSX marketplace that are designed to exclusively target macOS users.
These extensions attracted 50,000 downloads. The primary objective of these extensions is to target over 50 browser extension wallets and steal funds. The names of the extensions are: studio-velte-distributor.pro-svelte-extension, cudra-production.vsce-prettier-pro, and Puccin-development.full-access-catppuccin-pro-extension. Conspicuously absent are the invisible Unicode techniques and the Rust binaries.
“This time, the payload is wrapped in AES-256-CBC encryption and embedded in compiled JavaScript – but the core mechanism remains the same: fetch the current C2 endpoint from Solana, execute what it returns,” Koi said . “What’s new is the target: code designed to replace hardware wallet applications with trojanized versions.” As of December 29, 2025, the C2 server endpoints for the trojanized wallets are returning empty files, suggesting that the campaign is still under development. The targeting of Macs is intentional, as the devices are prevalent in cryptocurrency, Web3, and startup environments. The shift is complemented by the use of AppleScript for stealth execution instead of PowerShell and LaunchAgents for persistence.
The malware, besides waiting for 15 minutes before activating its malicious behavior, is designed to facilitate the theft of iCloud Keychain database and developer credentials, such as GitHub tokens, npm tokens, and the contents of the ~/.ssh directory. Regulators misled by cleanup tactic Meta Drafted “Playbook” to Stall Efforts to Tackle Scammers With Meta attracting scrutiny for allowing scammers to advertise through its platform, a new report from Reuters found that the company attempted to fend off pressure from regulators to crack down on the threat by make scam ads and problematic content “not findable” when authorities search for them through its Ad Library , at the same time it launched an “enforcement blitz” to reduce the volume of offending ads. “To perform better on that test, Meta staffers found a way to manage what they called the ‘prevalence perception’ of scam ads returned by Ad Library searches, the documents show. First, they identified the top keywords and celebrity names that Japanese Ad Library users employed to find the fraudulent ads.
Then they ran identical searches repeatedly, deleting ads that appeared fraudulent from the library and Meta’s platforms,” Reuters reported . “The tactic successfully removed some fraudulent advertising of the sort that regulators would want to weed out. But it also served to make the search results that Meta believed regulators were viewing appear cleaner than they otherwise would have.” The search result cleanup effort was so successful that Japanese regulators did not enforce rules that would have otherwise required it to verify the identity of all its advertisers. The tactic was then added to its “general global playbook” to avoid regulatory scrutiny in other markets, including the U.S., Europe, India, Australia, Brazil, and Thailand, according to leaked internal documents.
Meta has pushed back against the claims, stating the cleaning effort also helps to remove the ads from its systems as well. Smart contract upgrade exploited Unleash Protocol Loses $3.9M in Crypto Following Hack The decentralized intellectual property platform Unleash Protocol said it “detected unauthorized activity” involving its smart contracts that led to the withdrawal and transfer of user funds worth approximately $3.9 million, per blockchain security company PeckShield . “Our initial investigation indicates that an externally owned address gained administrative control via Unleash’s multisig governance and carried out an unauthorized contract upgrade,” it said . “This upgrade enabled asset withdrawals that were not approved by the Unleash team and occurred outside our intended governance and operational procedures.” Once they were withdrawn, the assets were bridged using third-party infrastructure and transferred to external addresses.
The incident originated within Unleash Protocol’s governance and permission framework, the company added. The stolen funds have been deposited into the Tornado Cash cryptocurrency mixing service in the form of 1,337.1 ETH. Users are advised to refrain from interacting with Unleash Protocol contracts until further notice. FTC fines Disney over COPPA Disney to Pay $10M to Settle Children Privacy Violations in the U.S.
The U.S. Justice Department (DoJ) said Disney has agreed to pay a $10 million civil penalty as part of a settlement to resolve Federal Trade Commission (FTC) allegations that the entertainment giant violated children’s privacy laws in connection with its YouTube video content. The FTC had argued that Disney failed to correctly designate YouTube video content as directed toward children, allowing the company to serve targeted ads on the platform and unlawfully collect their information without parental notice and consent. The order also bars Disney from operating on YouTube in a manner that violates child privacy laws in the U.S.
and requires it to create a program that will ensure it properly complies with COPPA on YouTube going forward. Fake glitch scam toolkit exposed New ErrTraffic Service Enables ClickFix Attacks via Fake Browser Glitches A new cybercrime tool called ErrTraffic allows threat actors to automate ClickFix attacks by generating fake glitches on compromised websites to induce a false sense of urgency and deceive users into following malicious instructions. Hudson Rock, which detailed the toolkit, said the “comprehensive software suite industrializes the deployment of ClickFix lures.” The service, advertised by a threat actor named “LenAI,” is a cross-platform threat capable of targeting Windows, macOS, Linux, and Android to deliver tailored payloads. The ErrTraffic control panel is a self-hosted PHP application that incorporates hard-coded exclusions for Commonwealth of Independent States (CIS) countries.
Once set up, an attacker can connect the panel to compromised websites via a single line of HTML injection. This allows them to serve information stealers and Android banking trojans via ClickFix-style instructions that claim to fix the issue by installing a browser update, downloading a system font, or pasting something in the command prompt. Magecart evolves into ID theft New Magecart Campaign Discovered Source Defense Research has flagged a new global Magecart campaign that hijacks checkout and account creation flows. The activity leverages modular, localized payloads targeting services like Stripe, Mollie, PagSeguro, OnePay, and PayPal.
It “uses fake payment forms, phishing iframes, and silent skimming, plus anti-forensics tricks (hidden inputs, Luhn-valid junk cards).” The activity is also designed to steal credentials and personal information, enabling account takeovers and long-term persistence via rogue admin access. “This is Magecart evolving into [a] full identity compromise,” it said . Deniable cyber activism detailed How Hacktivist Proxies Offer Plausible Deniability Hacktivist proxy operations refer to activities in which ideologically aligned, non-state cyber groups conduct disruptive operations that align with state geopolitical interests without requiring formal sponsorship, command-and-control, or direct tasking. These activities primarily rely on public claims, volunteer participation, and low-complexity techniques to impose psychological, political, and operational costs on adversaries while allowing the benefiting state to enjoy plausible deniability.
“The model follows a consistent activation sequence: geopolitical trigger events such as sanctions, military assistance announcements, or diplomatic escalations are followed by rapid narrative mobilization in hacktivist communication channels, volunteer coordination, targeted disruptive activity (primarily DDoS attacks, defacement, and symbolic intrusions), and public amplification of claimed impact,” CYFIRMA said . “Activity typically de-escalates once signalling objectives are achieved, distinguishing these operations from sustained cybercrime or espionage campaigns.” The development comes as cyber operations have become an integral component to pursuing strategic geopolitical objectives. Under the Hacktivist Proxy Operations model, ideologically aligned cyber groups function as deniable instruments of pressure without direct control from the state. This allows hacktivist groups to apply disruptive force or shape narratives in a manner that gives the state a strategic advantage without assuming explicit responsibility.
OceanLotus adapts to Xinchuang OceanLotus Targets China’s Xinchuang Initiative In 2022, the Chinese government ramped up a major initiative called Xinchuang that aims for technological self-reliance by replacing foreign hardware and software with domestic alternatives in key sectors like government and finance, with an aim to build an independent IT ecosystem and mitigate geopolitical risks. According to a new report from QiAnXin, the OceanLotus group has been targeting such domestic information innovation platforms and Windows systems using phishing lures containing desktop files, PDF documents, and Java Archive (JAR) files to download next-stage payloads. As of mid-2025, the threat actor was observed exploiting CVE-2023-52076 (CVSS score: 8.5), a remote code execution flaw impacting the Atril document viewer, to launch a desktop file that ultimately executes a Python downloader. “The ELF Trojan released by the OceanLotus group on indigenous innovation platforms has slight differences from traditional Linux ELF files,” QiAnXin said.
“This indigenous innovation Trojan achieves a precise compatibility attack by zeroing out the three bytes following the ELF file Magic Number (used to identify bitness, endianness, and version). This results in traditional Linux systems refusing to execute the file due to format errors, while the indigenous innovation platform can parse and run it normally. This carefully designed detail fully demonstrates OceanLotus’s in-depth understanding of the underlying operation mechanism of domestic indigenous innovation systems.” Also deployed by OceanLotus is a passive backdoor targeting IoT devices such as routers. AWS key deletion delay risk Exploiting AWS IAM Eventual Consistency for Persistence Researchers have found that AWS IAM eventual consistency creates a 4-second window that attackers can exploit, allowing them to leverage deleted AWS access keys.
“The cause is eventual consistency in AWS Identity and Access Management and, if improperly handled, can be exploited by attackers to have access in your AWS environment, even after defenders believe credentials are revoked,” OFFENSAI said . “The distributed nature of AWS infrastructure means that credential validation, caching layers, and edge services may create brief windows where revoked access keys remain temporarily valid. In short, the attacker can use a deleted set of access keys to create a new one, achieving persistence this way.” To mitigate any potential security risks, AWS customers are advised to avoid long-term IAM access keys and instead use temporary credentials or leverage IAM roles and federation for programmatic access to AWS services. New global proxy botnet uncovered New IPCola Proxy Network Emerges A new proxy network called IPCola (“ipcola[.]com”) has claimed to offer more than 1.6 million unique IP addresses comprising IoT, desktop, and mobile devices from over 100 countries for sale.
A majority of the infected devices are located in India, Brazil, Mexico, and the U.S. “IPCola is a non-KYC proxy provider, allowing anyone to sign up on the platform, deposit crypto, and […] start using the proxies without restriction,” Synthient said . “Like most platforms, IPCola allows users to purchase residential, datacenter, and ISP proxies, each with its own drawbacks and advantages.” Further infrastructure analysis has revealed that the service is powered by GaGaNode , a decentralized bandwidth monetization service that enables users and publishers to earn cryptocurrency for their bandwidth or monetize other people’s bandwidth. Users either have an option to run the standalone GaGaNode application or integrate into their apps a software development kit (SDK) that implements the proxy functionality.
More significantly, the SDK facilitates remote code execution (RCE) on any device running the SDK, representing a major escalation of the threat. It’s believed that a Chinese company named NuoChen is behind IPCola and its Chinese-only version, InstaIP. Hidden ad fraud drains devices GhostAd and SkyWalk Adware Targets Android, iOS A large-scale Android adware campaign has been observed silently draining resources and interfering with normal phone use through persistent background activity. The campaign, dubbed GhostAd, leverages a network of at least 15 Android applications on Google Play masquerading as harmless utility and emoji-editing tools.
These apps were cumulatively downloaded millions of times, with one of the apps reaching the #2 spot in Google Play’s “Top Free Tools” category. The names of some of the apps are Vivid Clean and GenMoji Studio. All these apps have since been removed from Google Play. “Behind their cheerful icons, these apps created a persistent background advertising engine – one that kept running even after users closed or rebooted their devices, quietly consuming battery and mobile data,” Check Point said .
Besides enabling persistent execution via a foreground service, the malware uses a JobScheduler to trigger ad-loading tasks every time it’s terminated. The attacks appear to be concentrated around the Philippines, Pakistan, and Malaysia. “GhostAd integrates multiple legitimate advertising software development kits (SDKs), including Pangle, Vungle, MBridge, AppLovin, and BIGO, but uses them in a way that violates fair-use policies,” the company said. “Instead of waiting for user interaction, the apps continuously load, queue, and refresh ads in the background, using Kotlin coroutines to sustain the cycle.
This design quietly generates ad impressions and revenue, all while draining device resources.” In a related development, DoubleVerify revealed details of a fraud scheme codenamed SkyWalk that uses innocent-seeming iOS gaming apps to charge advertisers for phony ad impressions. The operation uses a set of iOS games that serve ads inside invisible browser windows using the UniSkyWalking iOS mobile framework. “But when a user opens one, the app also secretly launches hidden websites on the user’s iOS device,” DoubleVerify said . “As the user plays ‘Sushi Party’ or ‘Bicycle Race’ in the app, the hidden sites run in the background, undetected, serving ads no one sees.
Impressions are reported. Advertisers get billed. Not a single ad is viewed by a human.” Amazon thwarts DPRK job infiltration Amazon Blocks N. Korea IT Worker Scheme Hackers affiliated with North Korea (aka DPRK) stole more than $2 billion worth of cryptocurrency in 2025, a significant increase from the roughly $1.3 billion recorded in 2024.
This includes the record-breaking $1.5 billion Bybit heist in February 2025. Despite the overall jump in stolen cryptocurrency in 2025, the actual frequency of attacks conducted by North Korean hackers has declined. This drop in operational tempo in the wake of the Bybit hack is likely an attempt to focus on laundering the stolen cryptocurrency. At the same time, Pyongyang’s crypto theft operations are increasingly relying on its IT workers to land jobs at cryptocurrency exchanges, custodians, and Web3 companies.
While North Korea’s effort to infiltrate Western companies with fake IT workers is well-known, 2025 may have been the first time the IT army has shifted from securing positions to posing as recruiters for crypto and other types of Web3 businesses. As part of these efforts, the threat actors run fake technical assessments that grant them unauthorized access to developer machines and ultimately steal credentials and source code, giving them remote access to target networks. The pervasive threat posed by the IT worker threat was exemplified recently by Amazon, which stopped more than 1,800 suspected North Korea operatives from joining its workforce since April 2024. “We’ve detected 27% more DPRK-affiliated applications quarter over quarter this year,” the tech giant’s chief security officer, Stephen Schmidt, said last month.
In one case, Amazon said it caught an IT worker by identifying an “infinitesimal delay in the typed commands.” The IT worker was hired by an Amazon contractor and was subsequently ousted from their systems within days. “For years, the regime has weaponized crypto theft as a revenue engine for weapons proliferation, sanctions evasion, and destabilizing activity,” TRM Labs said . “What the last three years make unmistakably clear is that North Korea is the most sophisticated, financially motivated cyber operator in the crypto theft ecosystem.” The year starts with no pause, just new tricks and quieter attacks. Hackers are getting smarter, not louder.
Each story here connects to a bigger shift: less noise, more precision. 2026 is already testing how alert we really are. The threats that matter now don’t shout. They blend in — until they don’t.
Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
RondoDox Botnet Exploits Critical React2Shell Flaw to Hijack IoT Devices and Web Servers
Cybersecurity researchers have disclosed details of a persistent nine-month-long campaign that has targeted Internet of Things (IoT) devices and web applications to enroll them into a botnet known as RondoDox. As of December 2025, the activity has been observed leveraging the recently disclosed React2Shell (CVE-2025-55182, CVSS score: 10.0) flaw as an initial access vector, CloudSEK said in an analysis. React2Shell is the name assigned to a critical security vulnerability in React Server Components (RSC) and Next.js that could allow unauthenticated attackers to achieve remote code execution on susceptible devices. According to statistics from the Shadowserver Foundation, there are about 90,300 instances that remain susceptible to the vulnerability as of December 31, 2025, out of which 68,400 instances are located in the U.S., followed by Germany (4,300), France (2,800), and India (1,500).
RondoDox, which emerged in early 2025, has broadened its scale by adding new N-day security vulnerabilities to its arsenal, including CVE-2023-1389 and CVE-2025-24893 . It’s worth noting that the abuse of React2Shell to spread the botnet was previously highlighted by Darktrace , Kaspersky , and VulnCheck . The RondoDox botnet campaign is assessed to have gone through three distinct phases prior to the exploitation of CVE-2025-55182 - March - April 2025 - Initial reconnaissance and manual vulnerability scanning April - June 2025 - Daily mass vulnerability probing of web applications like WordPress, Drupal, and Struts2, and IoT devices like Wavlink routers July - early December 2025 - Hourly automated deployment on a large-scale In the attacks detected in December 2025, the threat actors are said to have initiated scans to identify vulnerable Next.js servers, followed by attempts to drop cryptocurrency miners (“/nuts/poop”), a botnet loader and health checker (“/nuts/bolts”), and a Mirai botnet variant (“/nuts/x86”) on infected devices. “/nuts/bolts” is designed to terminate competing malware and coin miners before downloading the main bot binary from its command-and-control (C2) server.
One variant of the tool has been found to remove known botnets, Docker-based payloads, artifacts left from prior campaigns, and associated cron jobs, while also setting up persistence using “/etc/crontab.” “It continuously scans /proc to enumerate running executables and kills non-whitelisted processes every ~45 seconds, effectively preventing reinfection by rival actors,” CloudSEK said. To mitigate the risk posed by this threat, organizations are advised to update Next.js to a patched version as soon as possible, segment all IoT devices into dedicated VLANs, deploy Web Application Firewalls (WAFs), monitor for suspicious process execution, and block known C2 infrastructure. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
How To Browse Faster and Get More Done Using Adapt Browser
As web browsers evolve into all-purpose platforms, performance and productivity often suffer. Feature overload, excessive background processes, and fragmented workflows can slow down browsing sessions and introduce unnecessary friction, especially for users who rely on the browser as a primary work environment. This article explores how adopting a lightweight, task-focused browser, like Adapt Browser , can help users browse faster, reduce distractions, and complete everyday tasks more efficiently, without relying on heavy extensions or complex configurations. The Productivity Problem With Modern Browsing For many professionals, the browser functions as a central hub for research, communication, content consumption, and operational work.
However, common challenges persist: High CPU and memory usage caused by background services Excessive tab proliferation leading to loss of context Frequent switching between browser tabs and external applications Reliance on extensions that negatively impact performance and stability These issues are not always caused by the websites themselves, but by how browsers manage processes, interfaces, and workflows. This emphasizes the importance of using a fast, lightweight browser. Some fast browsing options include Adapt Browser, Opera, Edge, and Vivaldi. Step 1: Prioritize Performance by Reducing Browser Overhead One of the most effective ways to improve browsing speed is to minimize the browser’s baseline resource consumption.
Lightweight browsers take a different architectural approach by reducing background activity and avoiding unnecessary services that run regardless of user intent. This can result in: Faster page load times Improved responsiveness when switching tabs or windows Lower memory usage on systems running multiple applications By focusing on essential functionality rather than feature parity, Adapt Browser, a performance-oriented browser, can remain responsive even during extended work sessions. Step 2: Centralize Web-Based Workflows A major source of inefficiency in browsing comes from constantly switching between tabs, windows, and desktop applications. Centralizing commonly used web tools within the browser interface helps streamline daily workflows.
This approach allows users to: Access frequently used web applications without opening new tabs Maintain visibility into active tools while browsing or researching Reduce time spent navigating between disconnected contexts Adapt Browser achieves this by keeping work-critical tools accessible in one place, so that users can maintain momentum and reduce cognitive load. Step 3: Reduce Distractions Through Interface Simplicity Interface design plays a significant role in user focus. Excessive UI elements, notifications, and visual clutter can interrupt attention and slow task completion. A streamlined browser interface emphasizes: Clean layouts with minimal visual noise Clear separation between content and controls Reduced interruption during focused work Adapt Browser supports this design philosophy for sustained attention, particularly for tasks such as reading, writing, and analysis.
Step 4: Improve Task Management With Smarter Window Usage Opening multiple tabs is often a workaround for limited visibility. Instead of relying on dozens of tabs, modern browsers can optimize how content is displayed and managed. Effective strategies include: Viewing related content side-by-side without opening additional tabs Keeping search results visible while exploring linked pages Reducing duplicate browsing actions By improving how windows and views are handled, users can stay organized while maintaining browsing speed. Adapt Browser offers this exact functionality, empowering users to adapt the browser to fit their workflow.
Applying These Principles With Adapt Browser Adapt Browser follows a lightweight design philosophy centered on performance and task efficiency. Rather than attempting to replicate feature-heavy browser ecosystems, it focuses on optimizing core browsing behavior and integrated workflows. Key characteristics include: A lightweight architecture designed to reduce CPU and memory usage Integrated access to commonly used web applications and tools Interface elements designed to reduce distraction and tab clutter Adapt is built as a non-Chromium browser , allowing greater control over resource usage and core browser behavior compared to browsers that rely on Chromium-based architectures. It is also AppEsteem certified , indicating that the browser meets established security and transparency standards for consumer software.
This approach supports users who want faster browsing and a more focused work experience without complex setup or customization. Additional technical details and updates can be found in Adapt Browser’s official website. Browsing faster and getting more done is not solely about internet speed, it is largely influenced by how the browser manages resources, workflows, and user attention. By reducing overhead, simplifying interfaces, and centralizing essential tools, a lightweight browser can significantly improve productivity.
As web-based work continues to expand, browser design choices play an increasingly important role in daily efficiency. Adopting a task-focused browsing approach can help users spend less time navigating and more time completing meaningful work. Found this article interesting? This article is a contributed piece from one of our valued partners.
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Trust Wallet Chrome Extension Hack Drains $8.5M via Shai-Hulud Supply Chain Attack
Trust Wallet on Tuesday revealed that the second iteration of the Shai-Hulud (aka Sha1-Hulud) supply chain outbreak in November 2025 was likely responsible for the hack of its Google Chrome extension, ultimately resulting in the theft of approximately $8.5 million in assets. “Our Developer GitHub secrets were exposed in the attack, which gave the attacker access to our browser extension source code and the Chrome Web Store (CWS) API key,” the company said in a post-mortem published Tuesday. “The attacker obtained full CWS API access via the leaked key, allowing builds to be uploaded directly without Trust Wallet’s standard release process, which requires internal approval/manual review.” Subsequently, the attacker is said to have registered the domain “metrics-trustwallet[.]com” and pushed a trojanized version of the extension with a backdoor that’s capable of harvesting users’ wallet mnemonic phrases to the sub-domain “api.metrics-trustwallet[.]com.” Cybersecurity company Koi said the malicious code triggers on every unlock and not just during seed phrase import, causing sensitive data to be exfiltrated regardless of whether victims used a password or biometrics, and whether the wallet extension had been used for months or just opened once after it was updated to version 2.68. “The code loops through every wallet in the user’s account, not just the active one.
If you had multiple wallets configured, all of them were compromised,” researchers Oren Yomtov and Yuval Ronen said . “Seed phrases are stuffed into a field called errorMessage inside what looks like standard unlock telemetry. A casual code review sees an analytics event tracking unlock success with some error metadata.” The domain “metrics-trustwallet[.]com,” for its part, resolves to “138.124.70.40,” which is hosted on Stark Industries Solutions, a bulletproof hosting service provider that was incorporated in the U.K. in February 2022, just two weeks prior to Russia’s full-scale invasion of Ukraine.
It has a history of enabling Russian state-sponsored cyber operations, as well as other cybercriminal activity . Interestingly, Koi’s analysis also found that querying the server directly returned the response “ He who controls the spice controls the universe ,” a Dune reference that echoes similar references observed in the Shai-Hulud npm incident. “The Last-Modified header reveals the infrastructure was staged by December 8 – over two weeks before the malicious update was pushed on December 24,” it added. “This wasn’t opportunistic.
It was planned.” The disclosure comes days after Trust Wallet urged about one million users of its Chrome extension to update to version 2.69 after a malicious update (version 2.68) was pushed by unknown threat actors on December 24, 2025, to the browser’s extension marketplace. The security incident ultimately led to $8.5 million in cryptocurrency assets being drained from 2,520 wallet addresses to no less than 17 wallet addresses controlled by the attacker. The first wallet-draining activity was publicly reported a day after the malicious update. Trust Wallet has since initiated a reimbursement claim process for impacted victims.
The company noted that reviews of submitted claims are ongoing and are being handled on a case-by-case basis. It also stressed that processing times may vary with each case due to the need to distinguish between victims and bad actors, and further protect against fraud. To prevent such breaches from occurring again, Trust Wallet said it has implemented additional monitoring capabilities and controls related to its release processes. “Sha1-Hulud was an industry-wide software supply chain attack that affected companies across multiple sectors, including but not limited to crypto,” the company said.
“It involved malicious code being introduced and distributed through commonly-used developer tooling. This allowed attackers to gain access through trusted software dependencies rather than directly targeting individual organizations.” Trust Wallet’s disclosure coincides with the emergence of Shai-Hulud 3.0 with increased obfuscation and reliability improvements, while still remaining laser-focused on stealing secrets from developer machines. “The primary difference lies in string obfuscation, error handling, and Windows compatibility, all aimed at increasing campaign longevity rather than introducing novel exploitation techniques,” Upwind researchers Guy Gilad and Moshe Hassan said . Found this article interesting?
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
DarkSpectre Browser Extension Campaigns Exposed After Impacting 8.8 Million Users Worldwide
The threat actor behind two malicious browser extension campaigns, ShadyPanda and GhostPoster , has been attributed to a third attack campaign codenamed DarkSpectre that has impacted 2.2 million users of Google Chrome, Microsoft Edge, and Mozilla Firefox. The activity is assessed to be the work of a Chinese threat actor that Koi Security is tracking under the moniker DarkSpectre . In all, the campaigns have collectively affected over 8.8 million users spanning a period of more than seven years. ShadyPanda was first unmasked by the cybersecurity company earlier this month as targeting all three browser users to facilitate data theft, search query hijacking, and affiliate fraud.
It has been found to affect 5.6 million users, including 1.3 newly identified victims stemming from over 100 extensions flagged as connected to the same cluster. This also includes an Edge add-on named “New Tab - Customized Dashboard” that features a logic bomb that waits for three days prior to triggering its malicious behavior. The time-delayed activation is an attempt to give the impression that it’s legitimate during the review period and get it approved. Nine of these extensions are currently active, with an additional 85 “dormant sleepers” that are benign and meant to attract a user base before they are weaponized via malicious updates.
Koi said the updates were introduced after more than five years in some cases. The second campaign, GhostPoster, is mostly focused on Firefox users, targeting them with seemingly harmless utilities and VPN tools to serve malicious JavaScript code designed to hijack affiliate links, inject tracking code, and commit click and ad fraud. Further investigation into the activity has unearthed more browser add-ons, including a Google Translate (developer “charliesmithbons”) extension for Opera with nearly one million installs. The most recent discovery, The Zoom Stealer, is the third such campaign from DarkSpectre, employing a set of 18 extensions across Chrome, Edge, and Firefox for facilitating corporate intelligence by collecting online meeting-related data like meeting URLs with embedded passwords, meeting IDs, topics, descriptions, scheduled times, and registration status.
The list of identified extensions and their corresponding IDs is below - Google Chrome - Chrome Audio Capture (kfokdmfpdnokpmpbjhjbcabgligoelgp) ZED: Zoom Easy Downloader (pdadlkbckhinonakkfkdaadceojbekep) X (Twitter) Video Downloader (akmdionenlnfcipmdhbhcnkighafmdha) Google Meet Auto Admit (pabkjoplheapcclldpknfpcepheldbga) Zoom.us Always Show “Join From Web” (aedgpiecagcpmehhelbibfbgpfiafdkm) Timer for Google Meet (dpdgjbnanmmlikideilnpfjjdbmneanf) CVR: Chrome Video Recorder (kabbfhmcaaodobkfbnnehopcghicgffo) GoToWebinar & GoToMeeting Download Recordings (cphibdhgbdoekmkkcbbaoogedpfibeme) Meet auto admit (ceofheakaalaecnecdkdanhejojkpeai) Google Meet Tweak (Emojis, Text, Cam Effects) (dakebdbeofhmlnmjlmhjdmmjmfohiicn) Mute All on Meet (adjoknoacleghaejlggocbakidkoifle) Google Meet Push-To-Talk (pgpidfocdapogajplhjofamgeboonmmj) Photo Downloader for Facebook, Instagram, + (ifklcpoenaammhnoddgedlapnodfcjpn) Zoomcoder Extension (ebhomdageggjbmomenipfbhcjamfkmbl) Auto-join for Google Meet (ajfokipknlmjhcioemgnofkpmdnbaldi) Microsoft Edge - Edge Audio Capture (mhjdjckeljinofckdibjiojbdpapoecj) Mozilla Firefox - Twiter X Video Downloader ({7536027f-96fb-4762-9e02-fdfaedd3bfb5}, published by “invaliddejavu”) x-video-downloader (xtwitterdownloader@benimaddonum.com, published by “invaliddejavu”) As is evident by the names of the extensions, a majority of them are engineered to mimic tools for enterprise-oriented videoconferencing applications like Google Meet, Zoom, and GoTo Webinar to exfiltrate meeting links, credentials, and participant lists over a WebSocket connection in real-time. It’s also capable of harvesting details about webinar speakers and hosts, such as names, titles, bios, profile photos, and company affiliations, along with logos, promotional graphics, and session metadata, every time a user visits a webinar registration page via the browser with one of the extensions installed. These add-ons have been found to request access to more than 28 video conferencing platforms, including Cisco WebEx, Google Meet, GoTo Webinar, Microsoft Teams, and Zoom, among others, regardless of whether they required access to them in the first place. “This isn’t consumer fraud - this is corporate espionage infrastructure,” researchers Tuval Admoni and Gal Hachamov said.
“The Zoom Stealer represents something more targeted: systematic collection of corporate meeting intelligence. Users got what was advertised. The extensions earned trust and positive reviews. Meanwhile, surveillance ran silently in the background.” The cybersecurity company said the gathered information could be used to fuel corporate espionage by selling the data to other bad actors, and enable social engineering and large-scale impersonation operations.
The Chinese links to the operation are based on several clues: consistent use of command-and-control (C2) servers hosted on Alibaba Cloud, Internet Content Provider (ICP) registrations linked to Chinese provinces like Hubei, code artifacts containing Chinese-language strings and comments, and fraud schemes specifically aimed at Chinese e-commerce platforms such as JD.com and Taobao. “DarkSpectre likely has more infrastructure in place right now – extensions that look completely legitimate because they are legitimate, for now,” Koi said. “They’re still in the trust-building phase, accumulating users, earning badges, waiting.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
How AI and Zero Trust Work Together to Catch Attacks With No Files or Indicators
JavaScript must be enabled in order to register for webinar. Yes, I’d like to register for the webinar and agree to the handling of my information as explained in thePrivacy Policy. There’s one constant in cybersecurity: the threat landscape continues to rapidly evolve. To bolster their organizations’ resilience, defenders need proactive visibility and tooling across their endpoints, developer environments, and crypto stack to stay several steps ahead of attackers.In this webinar, join experts from the Zscaler Internet Access product team as they cover the next major security challenges and how enterprises can best respond to them:“Living off the Land” Attacks:Today’s attackers use a combination of malware and legitimate system tools like PowerShell, WMI, or RDP.
File-based detection alone misses threats that blend in with trusted processes. Learn how and why gaining endpoint visibility into file-based threats, apps, and process behaviors is essential.Fileless “Last Mile” Reassembly Attacks:Legacy security tools are ineffective against fileless attacks, including those using only obfuscated HTML and JavaScript. Learn how a cloud-native antimalware engine that emulates malicious scripting and reassembles an executable binary in isolation can stop malicious files from being delivered to an endpoint.Securing Developer Environments:Developers are building and deploying applications faster than ever before. But third-party repositories and other open-source CI/CD tools can contain malicious code and vulnerabilities that can compromise your organization’s security.
Inspecting encrypted traffic in developer environments can identify and defeat would-be threats. Learn how to secure development workflows with automated TLS/SSL inspection and code sandboxing.You’ll see howZscaler Internet Access’s capabilities, built on a foundation of zero trust and AI-powered protection, provide SOC and IT teams with the preventative tooling and visibility necessary to effectively defend against emerging threats so you can proactively fortify your security posture to protect your users, devices, and data. There’s one constant in cybersecurity: the threat landscape continues to rapidly evolve. To bolster their organizations’ resilience, defenders need proactive visibility and tooling across their endpoints, developer environments, and crypto stack to stay several steps ahead of attackers.
In this webinar, join experts from the Zscaler Internet Access product team as they cover the next major security challenges and how enterprises can best respond to them: You’ll see howZscaler Internet Access’s capabilities, built on a foundation of zero trust and AI-powered protection, provide SOC and IT teams with the preventative tooling and visibility necessary to effectively defend against emerging threats so you can proactively fortify your security posture to protect your users, devices, and data. By clicking “Register Now,” you agree to permit The Hacker News and its partners to process your contact details, which may include The Hacker News reaching out to you and sharing your contact information with its webinar partners.
Critical CVSS 9.8 Flaw Found in IBM API Connect Authentication System
IBM has disclosed details of a critical security flaw in API Connect that could allow attackers to gain remote access to the application. The vulnerability, tracked as CVE-2025-13915 , is rated 9.8 out of a maximum of 10.0 on the CVSS scoring system. It has been described as an authentication bypass flaw. “IBM API Connect could allow a remote attacker to bypass authentication mechanisms and gain unauthorized access to the application,” the tech giant said in a bulletin.
The shortcoming affects the following versions of IBM API Connect -
10.0.8.0 through 10.0.8.5
10.0.11.0
Customers are advised to
follow the steps
outlined below -
Download the fix from Fix Central
Extract the files: Readme.md and ibm-apiconnect-
Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Researchers Spot Modified Shai-Hulud Worm Testing Payload on npm Registry
Cybersecurity researchers have disclosed details of what appears to be a new strain of Shai Hulud on the npm registry with slight modifications from the previous wave observed last month. The npm package that embeds the novel Shai Hulud strain is “ @vietmoney/react-big-calendar ,” which was uploaded to npm back in March 2021 by a user named “hoquocdat.” It was updated for the first time on December 28, 2025, to version 0.26.2. The package has been downloaded 698 times since its initial publication. The latest version has been downloaded 197 times.
Aikido, which spotted the package, said it has not spotted any major spread or infections following the release of the package. “This suggests we may have caught the attackers testing their payload,” security researcher Charlie Eriksen said . “The differences in the code suggests that this was obfuscated again from the original source, not modified in place. This makes it highly unlikely to be a copy-cat, but was made by somebody who had access to the original source code for the worm.” The Shai-Hulud attack first came to light in September 2025, when trojanized npm packages were found stealing sensitive data like API keys, cloud credentials, and npm and GitHub tokens, and exfiltrating them to GitHub repositories using the pilfered tokens.
In the second wave spotted in November 2025, the repositories contained the description “Sha1-Hulud: The Second Coming.” But the most important aspect of the campaign is its ability to weaponize the npm tokens to fetch 100 other most-downloaded packages associated with the developer, introduce the same malicious changes, and push them to npm, thereby expanding the scale of the supply chain compromise in a worm-like manner. The new strain comes with noticeable changes - The initial file is now called “bun_installer.js” and the main payload is referred to as “environment_source.js” The GitHub repositories to which the secrets are leaked feature the description “Goldox-T3chs: Only Happy Girl.” The names of files that contain the secrets are: 3nvir0nm3nt.json, cl0vd.json, c9nt3nts.json, pigS3cr3ts.json, and actionsSecrets.json The removal of “dead man switch” that resulted in the execution of a wiper if no GitHub or npm tokens were found to abuse for data exfiltration and self-replication Other important modifications include better error handling when TruffleHog’s credential scanner times out, improved operating system-based package publishing, and tweaks to the order in which data is collected and saved. Fake Jackson JSON Maven Package Drops Cobalt Strike Beacon The development comes as the supply chain security company said it identified a malicious package (“org.fasterxml.jackson.core/jackson-databind”) on Maven Central that poses as a legitimate Jackson JSON library extension (“com.fasterxml.jackson.core”), but incorporates a multi-stage attack chain that delivers platform-specific executables. The package has since been taken down.
Present within the Java Archive (JAR) file is heavily obfuscated code that kicks into action once an unsuspecting developer adds the malicious dependency to their “pom.xml” file. “When the Spring Boot application starts, Spring scans for @Configuration classes and finds JacksonSpringAutoConfiguration,” Eriksen said . “The @ConditionalOnClass({ApplicationRunner.class}) check passes (ApplicationRunner is always present in Spring Boot), so Spring registers the class as a bean. The malware’s ApplicationRunner is invoked automatically after the application context loads.
No explicit calls required.” The malware then looks for a file named “.idea.pid” in the working directory. The choice of the file name is intentional and is designed to blend in with IntelliJ IDEA project files. Should such a file exist, it’s a signal to the malware that an instance of itself is already running, causing it to silently exit. In the next step, the malware proceeds to check the operating system and contact an external server (“m.fasterxml[.]org:51211”) to fetch an encrypted response containing URLs to a payload to be downloaded based on the operating system.
The payload is a Cobalt Strike beacon , a legitimate adversary simulation tool that can be abused for post-exploitation and command-and-control. On Windows, it’s configured to download and execute a file called “svchosts.exe” from “103.127.243[.]82:8000,” while a payload referred to as “update” is downloaded from the same server for Apple macOS systems. Further analysis has revealed that the typosquatted domain fasterxml[.]org was registered via GoDaddy on December 17, 2025, merely a week before the malicious Maven package was detected. “This attack exploited a specific blind spot: TLD-style prefix swaps in Java’s reverse-domain namespace convention,” Eriksen said.
“The legitimate Jackson library uses com.fasterxml.jackson.core, while the malicious package used org.fasterxml.jackson.core.” The problem, Aikido said, stems from Maven Central’s inability to detect copycat packages that employ similar prefixes as their legitimate counterparts to deceive developers into downloading them. It’s recommending that the package repository maintainers consider flagging such packages for review, and maintain a list of high-value namespaces and subject any package published under similar-looking namespaces to additional verification to ensure they are legitimate. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
U.S. Treasury Lifts Sanctions on Three Individuals Linked to Intellexa and Predator Spyware
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) on Tuesday removed three individuals linked to the Intellexa Consortium, the holding company behind a commercial spyware known as Predator , from the specially designated nationals list. The names of the individuals are as follows - Merom Harpaz Andrea Nicola Constantino Hermes Gambazzi Sara Aleksandra Fayssal Hamou Hamou was sanctioned by OFAC in March 2024, and Harpaz and Gambazzi were targeted in September 2024 in connection with developing, operating, and distributing Predator. The Treasury’s press release does not give any reason as to why they were removed from the list.
However, in a statement shared with Reuters, it said the removal “was done as part of the normal administrative process in response to a petition request for reconsideration.” The department added that the individuals had “demonstrated measures to separate themselves from the Intellexa Consortium.” Harpaz is said to be working as a manager of Intellexa S.A., while Gambazzi was identified as the owner of Thalestris Limited and Intellexa Limited. Thalestris, Treasury Department said, held the distribution rights to the spyware, and processed transactions on behalf of other entities within the Intellexa Consortium. It’s also the parent company to Intellexa S.A. Hamou was listed by the Treasury as one of the key enablers of the Intellexa Consortium, working as a corporate off-shoring specialist in charge of providing managerial services, including renting office space in Greece on behalf of Intellexa S.A.
It’s not known if these individuals are still holding the same positions. At that time, the agency said the proliferation of commercial spyware presents a growing security risk to the U.S. and its citizens. It called for the need to establish guardrails to ensure the responsible development and use of these technologies while balancing human rights and civil liberties of individuals.
“Any hasty decisions to remove sanctions from individuals involved in attacking U.S. persons and interests risk signaling to bad actors that this behavior may come with little consequences as long as you pay enough [money] for fancy lobbyists,” said Natalia Krapiva, senior tech legal counsel at Access Now. The development comes merely weeks after an Amnesty International report revealed that a human rights lawyer from Pakistan’s Balochistan province was targeted by a Predator attack attempt via a WhatsApp message. Active since at least 2019, Predator is designed for stealth, leaving little to no traces of compromise, while harvesting sensitive data from infected devices.
It’s typically delivered via 1-click or zero-click attack vectors. Similar to NSO Group’s Pegasus, the tool is officially marketed for counterterrorism and law enforcement use. But investigations have revealed a broader pattern of its deployment against civil society figures, including journalists, activists, and politicians. A Recorded Future analysis of Intellexa’s corporate web published this month found continued use of Predator despite increased public reporting and international measures.
“Several key trends are shaping the spyware ecosystem, including growing balkanization as companies split along geopolitical lines, with some sanctioned entities seeking renewed legitimacy through acquisitions while others shift toward regions with weaker oversight,” the Mastercard-owned company said. “Furthermore, rising competition and secrecy surrounding high-value exploit technologies are heightening risks of corruption, insider leaks, and attacks on spyware vendors themselves.” (The story was updated after publication to include additional information from Reuters.) Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
CSA Issues Alert on Critical SmarterMail Bug Allowing Remote Code Execution
The Cyber Security Agency of Singapore (CSA) has issued a bulletin warning of a maximum-severity security flaw in SmarterTools SmarterMail email software that could be exploited to achieve remote code execution. The vulnerability, tracked as CVE-2025-52691 , carries a CVSS score of 10.0. It relates to a case of arbitrary file upload that could enable code execution without requiring any authentication. “Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution,” CSA said.
Vulnerabilities of this kind allow the upload of dangerous file types that are automatically processed within an application’s environment. This could pave the way for code execution if the uploaded file is interpreted and executed as code, as is the case with PHP files. In a hypothetical attack scenario, a bad actor could weaponize this vulnerability to place malicious binaries or web shells that could be executed with the same privileges as the SmarterMail service. SmarterMail is an alternative to enterprise collaboration solutions like Microsoft Exchange, offering features like secure email, shared calendars, and instant messaging.
According to information listed on the website , it’s used by web hosting providers like ASPnix Web Hosting, Hostek, and simplehosting.ch. CVE-2025-52691 impacts SmarterMail versions Build 9406 and earlier. It has been addressed in Build 9413 , which was released on October 9, 2025. CSA credited Chua Meng Han from the Centre for Strategic Infocomm Technologies (CSIT) for discovering and reporting the vulnerability.
While the advisory makes no mention of the flaw being exploited in the wild, users are advised to update to the latest version (Build 9483, released on December 18, 2025) for optimal protection. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Silver Fox Targets Indian Users With Tax-Themed Emails Delivering ValleyRAT Malware
The threat actor known as Silver Fox has turned its focus to India, using income tax-themed lures in phishing campaigns to distribute a modular remote access trojan called ValleyRAT (aka Winos 4.0). “This sophisticated attack leverages a complex kill chain involving DLL hijacking and the modular Valley RAT to ensure persistence,” CloudSEK researchers Prajwal Awasthi and Koushik Pal said in an analysis published last week. Also tracked as SwimSnake, The Great Thief of Valley (or Valley Thief), UTG-Q-1000, and Void Arachne, Silver Fox is the name assigned to an aggressive cybercrime group from China that has been active since 2022. It has a track record of orchestrating a variety of campaigns whose motives range from espionage and intelligence collection to financial gain, cryptocurrency mining, and operational disruption, making it one of the few hacking crews with a multi-pronged approach to their intrusion activity.
Primarily focused on Chinese-speaking individuals and organisations, Silver Fox’s victimology has broadened to include organizations operating in the public, financial, medical, and technology sectors. Attacks mounted by the group have leveraged search engine optimization (SEO) poisoning and phishing to deliver variants of Gh0st RAT such as ValleyRAT , Gh0stCringe , and HoldingHands RAT (aka Gh0stBins). In the infection chain documented by CloudSEK, phishing emails containing decoy PDFs purported to be from India’s Income Tax Department are used to deploy ValleyRAT. Specifically, opening the PDF attachment takes the recipient to the “ggwk[.]cc” domain, from where a ZIP file (“tax affairs.zip”) is downloaded.
Present within the archive is a Nullsoft Scriptable Install system (NSIS) installer of the same name (“tax affairs.exe”), which, in turn, leverages a legitimate executable associated with Thunder (“thunder.exe”), a download manager for Windows developed by Xunlei, and a rogue DLL (“libexpat.dll”) that’s sideloaded by the binary. The DLL, for its part, disables the Windows Update service and serves as a conduit for a Donut loader, but not before performing various anti-analysis and anti-sandbox checks to ensure that the malware can run unimpeded on the compromised host. The lander then injects the final ValleyRAT payload into a hollowed “explorer.exe” process. ValleyRAT is designed to communicate with an external server and await further commands.
It implements a plugin-oriented architecture to extend its functionality in an ad hoc manner, thereby allowing its operators to deploy specialized capabilities to facilitate keylogging, credential harvesting, and defense evasion. “Registry-resident plugins and delayed beaconing allow the RAT to survive reboots while remaining low-noise,” CloudSEK said. “On-demand module delivery enables targeted credential harvesting and surveillance tailored to victim role and value.” The disclosure comes as NCC Group said it identified an exposed link management panel (“ssl3[.]space”) used by Silver Fox to track download activity related to malicious installers for popular applications, including Microsoft Teams, to deploy ValleyRAT. The service hosts information related to - Web pages hosting backdoor installer applications The number of clicks a download button on a phishing site receives per day Cumulative number of clicks a download button has received since launch The bogus sites created by Silver Fox have been found to impersonate CloudChat, FlyVPN, Microsoft Teams, OpenVPN, QieQie, Santiao, Signal, Sigua, Snipaste, Sogou, Telegram, ToDesk, WPS Office, and Youdao, among others.
An analysis of the origin IP addresses that have clicked on the download links has revealed that at least 217 clicks originated from China, followed by the U.S. (39), Hong Kong (29), Taiwan (11), and Australia (7). “Silver Fox leveraged SEO poisoning to distribute backdoor installers of at least 20 widely used applications, including communication tools, VPNs, and productivity apps,” researchers Dillon Ashmore and Asher Glue said . “These primarily target Chinese-speaking individuals and organisations in China, with infections dating back to July 2025 and additional victims across Asia-Pacific, Europe, and North America.” Distributed via these sites is a ZIP archive that contains an NSIS-based installer that’s responsible for configuring Microsoft Defender Antivirus exclusions, establishing persistence using scheduled tasks, and then reaching out to a remote server to fetch the ValleyRAT payload.
The findings coincide with a recent report from ReliaQuest, which attributed the hacking group to a false flag operation mimicking a Russian threat actor in attacks targeting organizations in China using Teams-related lure sites in an attempt to complicate attribution efforts. “Data from this panel shows hundreds of clicks from mainland China and victims across Asia-Pacific, Europe, and North America, validating the campaign’s scope and strategic targeting of Chinese-speaking users,” NCC Group said. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
How to Integrate AI into Modern SOC Workflows
Artificial intelligence (AI) is making its way into security operations quickly, but many practitioners are still struggling to turn early experimentation into consistent operational value. This is because SOCs are adopting AI without an intentional approach to operational integration. Some teams treat it as a shortcut for broken processes. Others attempt to apply machine learning to problems that are not well defined.
Findings from our 2025 SANS SOC Survey reinforce that disconnect. A significant portion of organizations are already experimenting with AI, yet 40 percent of SOCs use AI or ML tools without making them a defined part of operations, and 42 percent rely on AI/ML tools “out of the box” with no customization at all. The result is a familiar pattern. AI is present inside the SOC but not operationalized.
Analysts use it informally, often with mixed reliability, while leadership has not yet established a consistent model for where AI belongs, how its output should be validated, or which workflows are mature enough to benefit from augmentation. AI can realistically improve SOC capability, maturity, process repeatability, as well as staff capacity and satisfaction. It only works when teams narrow the scope of the problem, validate their logic, and treat the output with the same rigor they expect from any engineering effort. The opportunity isn’t in creating new categories of work, but in refining the ones that already exist and enabling testing, development, and experimentation for expansion of existing capabilities.
When AI is applied to a specific, well-bounded task and paired with a clear review process, its impact becomes both more predictable and more useful. Here are five areas where AI can provide reliable support for your SOC. 1. Detection Engineering Detection engineering is fundamentally about building a high-quality alert that can be placed into a SIEM, an MDR pipeline, or another operational system.
To be viable, the logic needs to be developed, tested, refined, and operationalized with a level of confidence that leaves little room for ambiguity. This is where AI tends to be ineffectively applied. Unless it’s the targeted outcome, don’t assume AI will fix deficiencies in DevSecOps or resolve issues in the alerting pipeline. AI can be useful when applied to a well-defined problem that can support ongoing operational validation and tuning.
One clear example from the SANS SEC595: Applied Data Science and AI/ML for Cybersecurity course is a machine learning exercise that examines the first eight bytes of a packet’s stream to determine whether traffic reconstructs as DNS. If the reconstruction does not match anything previously seen for DNS, the system raises a high-fidelity alert. The value comes from the precision of the task and the quality of the training process, not from broad automation. The anticipated implementation is to inspect all flows on UDP/53 (and TCP/53) and assess the reconstruction loss from a machine learning tuned autoencoder.
Threshold-violating streams are flagged as anomalous. This granular example demonstrates an implementable, AI-engineered detection. By examining the first eight bytes of a packet stream and checking whether they reconstruct as DNS based on learned patterns in historical traffic, we create a clear, testable classification problem. When those bytes do not match what DNS normally looks like, the system alerts.
AI helps here because the scope is narrow and the evaluation criteria are objective. It may be more effective than a heuristic, rule-driven detection because it learns to encode/decode what is familiar. Things that are not familiar (in this case, DNS) cannot be encoded/decoded properly. What AI cannot do is fix vaguely defined alerting problems or compensate for a missing engineering discipline.
- Threat Hunting Threat hunting is often portrayed as a place where AI might “discover” threats automatically, but that misses the purpose of the workflow. Hunting is not production detection engineering. It should be a research and development capability of the SOC, where analysts explore ideas, test assumptions, and evaluate signals that are not yet strong enough for an operationalized detection.
This is needed because the vulnerability and threat landscape is rapidly shifting, and security operations must constantly adapt to the volatility and uncertainty of the information assurance universe. AI fits here because the work is exploratory. Analysts can use it to pilot an approach, compare patterns, or check whether a hypothesis is worth investigating. It speeds up the early stages of analysis, but it does not decide what matters.
The model is a useful tool, not the final authority. Hunting also feeds directly into detection engineering. AI can help generate candidate logic or highlight unusual patterns, but analysts are still responsible for interpreting the environment and deciding what a signal means. If they cannot evaluate AI output or explain why something is important, the hunt may not produce anything useful.
The benefit of AI here is in speed and breadth of exploration rather than certainty or judgment. We caution you to use operational security (OpSec) and protection of information. Please only provide hunting-relevant information to authorized systems, AI, or otherwise. 3.
Software Development and Analysis Modern SOCs run on code. Analysts write Python to automate investigations, build PowerShell tooling for host interrogation, and craft SIEM queries tailored to their environment. This constant programming need makes AI a natural fit for software development and analysis. It can produce draft code, refine existing snippets, or accelerate logic construction that analysts previously built by hand.
But AI does not understand the underlying problem. Analysts must interpret and validate everything the model generates. If an analyst lacks depth in a domain, the AI’s output can sound correct even when it is wrong, and the analyst may have no way to tell the difference. This creates a unique risk: analysts may ship or rely on code they do not fully understand and haven’t been adequately tested.
AI is most effective here when it reduces mechanical overhead. It helps teams get to a usable starting point faster. It supports code creation in Python, PowerShell, or SIEM query languages. But the responsibility for correctness stays with the human who understands the system, the data, and the operational consequences of running that code in production.
The author suggests that the team develop appropriate style guidelines for code and only use authorized (meaning tested and approved) libraries and packages. Include the guidelines and dependency requirements as part of every prompt, or use an AI/ML development tool that enables configuration of these specifications. 4. Automation and Orchestration Automation has long been part of SOC operations, but AI is reshaping how teams design these workflows.
Instead of manually stitching together action sequences or translating runbooks into automation logic, analysts can now use AI to draft the scaffolding. AI can outline the steps, propose branching logic, and even convert a plain-language description into the structured format that orchestration platforms require. However, AI cannot decide when automation should run. The central question in orchestration remains unchanged: should the automated action execute immediately, or should it present information for an analyst to review first?
That choice depends on organizational risk tolerance, the sensitivity of the environment, and the specific action under consideration. Whether the platform is a SOAR, MCP, or any other orchestration system, the responsibility for initiating an action must rest with people, not the model. AI can help build and refine the workflow, but it should never be the authority that activates it. Clear boundaries keep automation predictable, explainable, and aligned with the SOC’s risk posture.
There will be a threshold where the organization’s comfort level with automations enables rapid action taken in an automated way. That level of comfort comes from extensive testing and people responding to the actions taken by the automation system in a timely manner. 5. Reporting and Communication Reporting is one of the most persistent challenges in security operations, not because teams lack technical skill but because translating that skill into clear, actionable communication is difficult to scale.
The 2025 SANS SOC Survey highlights just how far behind this area remains: 69 percent of SOCs still rely on manual or mostly manual processes to report metrics . This gap matters. When reporting is inconsistent, leadership loses visibility, context is diluted, and operational decisions slow down. AI provides an immediate and low-risk way to enhance the SOC’s reporting performance.
It can smooth out the mechanical parts of reporting by standardizing structure, improving clarity, and helping analysts move from raw notes to well-formed summaries. Instead of each analyst writing in a different style or burying the lead in technical detail, AI helps produce consistent, readable outputs that leadership can interpret quickly. Including moving averages, boundaries of standard deviation, and highlighting the overall consistency of the SOC is a story worth telling to your management. The value isn’t in making reports sound polished.
It’s in making them coherent and comparable . When every incident summary, weekly roll-up, or metrics report follows a predictable structure, leaders can recognize trends faster and prioritize more effectively. Analysts also gain back the time they would have spent wrestling with wording, formatting, or repetitive explanations. Are You a Taker, Shaper, or Maker?
Let’s Talk at SANS Security Central 2026 As teams begin experimenting with AI across these workflows, it is important to recognize that there is no single path for adoption. SOC AI utilization can be described via three convenient categories. A taker uses AI tools as delivered. A shaper adjusts or customizes those tools to fit the workflow.
A maker builds something new, such as the tightly scoped machine learning detection example described earlier. All of these example use cases can be in one or more of the categories. You might be both a taker and a maker in detection engineering, implementing the AI rules from your SIEM vendor, as well as crafting your own detections. Most teams are manual makers as well as takers (just using out-of-the-box ticketing system reports) in reporting.
You might be a shaper in automation, partially customizing the vendor-provided SOAR runbooks. Hopefully, you’re at least using vendor-provided IOC-driven hunts; that’s something every SOC needs to do. Aspiring to internally-driven hunting moves you into that maker category. What matters is that each workflow has clear expectations for where AI can be used, how output is validated, that updates are done on an ongoing basis, and that analysts ultimately remain accountable for the protection of information systems.
I’ll be exploring these themes in more depth during my keynote session at SANS Security Central 2026 in New Orleans. You will learn how to evaluate where your SOC sits today and design an AI adoption model that strengthens the expertise of your team. I hope to see you there! Register for SANS Security Central 2026 here.
Note: This article was expertly written and contributed by Christopher Crowley, SANS Senior Instructor. Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Mustang Panda Uses Signed Kernel-Mode Rootkit to Load TONESHELL Backdoor
The Chinese hacking group known as Mustang Panda has leveraged a previously undocumented kernel-mode rootkit driver to deliver a new variant of backdoor dubbed TONESHELL in a cyber attack detected in mid-2025 targeting an unspecified entity in Asia. The findings come from Kaspersky, which observed the new backdoor variant in cyber espionage campaigns mounted by the hacking group targeting government organizations in Southeast and East Asia, primarily Myanmar and Thailand. “The driver file is signed with an old, stolen, or leaked digital certificate and registers as a minifilter driver on infected machines,” the Russian cybersecurity company said . “Its end-goal is to inject a backdoor trojan into the system processes and provide protection for malicious files, user-mode processes, and registry keys.” The final payload deployed as part of the attack is TONESHELL, an implant with reverse shell and downloader capabilities to fetch next-stage malware onto compromised hosts.
The use of TONESHELL has been attributed to Mustang Panda since at least late 2022. As recently as September 2025, the threat actor was linked to attacks targeting Thai entities with TONESHELL and a USB worm named TONEDISK (aka WispRider) that uses removable devices as a distribution vector for a backdoor referred to as Yokai. The command-and-control (C2) infrastructure used for TONESHELL is said to have been erected in September 2024, although there are indications that the campaign itself did not commence until February 2025. The exact initial access pathway used in the attack is not clear.
It’s suspected that the attackers abused previously compromised machines to deploy the malicious driver. The driver file (“ProjectConfiguration.sys”) is signed with a digital certificate from Guangzhou Kingteller Technology Co., Ltd, a Chinese company that’s involved in the distribution and provisioning of automated teller machines (ATMs). The certificate was valid from August 2012 to 2015. Given that there are other unrelated malicious artifacts signed with the same digital certificate, it’s assessed that the threat actors likely leveraged a leaked or stolen certificate to realize their goals.
The malicious driver comes fitted with two user-mode shellcodes that are embedded into the .data section of the binary. They are executed as separate user-mode threads. “The rootkit functionality protects both the driver’s own module and the user-mode processes into which the backdoor code is injected, preventing access by any process on the system,” Kaspersky said. The driver has the following set of features - Resolve required kernel APIs dynamically at runtime by using a hashing algorithm to match the required API addresses Monitor file-delete and file-rename operations to prevent itself from being removed or renamed Deny attempts to create or open Registry keys that match against a protected list by setting up a RegistryCallback routine and ensuring that it operates at an altitude of 330024 or higher Interfere with the altitude assigned to WdFilter.sys, a Microsoft Defender driver, and change it to zero (it has a default value of 328010 ), thereby preventing it from being loaded into the I/O stack Intercept process-related operations and deny access if the action targets any process that’s on a list of protected process IDs when they are running Remove rootkit protection for those processes once execution completes “Microsoft designates the 320000–329999 altitude range for the FSFilter Anti-Virus Load Order Group,” Kaspersky explained.
“The malware’s chosen altitude exceeds this range. Since filters with lower altitudes sit deeper in the I/O stack, the malicious driver intercepts file operations before legitimate low-altitude filters like antivirus components, allowing it to circumvent security checks.” The driver is ultimately designed to drop two user-mode payloads, one of which spawns an “svchost.exe” process and injects a small delay-inducing shellcode. The second payload is the TONESHELL backdoor that’s injected into that same “svchost.exe” process. Once launched, the backdoor establishes contact with a C2 server (“avocadomechanism[.]com” or “potherbreference[.]com”) over TCP on port 443, using the communication channel to receive commands that allow it to - Create temporary file for incoming data (0x1) Download file (0x2 / 0x3) Cancel download (0x4) Establish remote shell via pipe (0x7) Receive operator command (0x8) Terminate shell (0x9) Upload file (0xA / 0xB) Cancel upload (0xC), and Close connection (0xD) The development marks the first time TONSHELL has been delivered through a kernel-mode loader, effectively allowing it to conceal its activity from security tools.
The findings indicate that the driver is the latest addition to a larger, evolving toolset used by Mustang Panda to maintain persistence and hide its backdoor. Memory forensics is key to analyzing the new TONESHELL infections, as the shellcode executes entirely in memory, Kaspersky said, noting that detecting the injected shellcode is a crucial indicator of the backdoor’s presence on compromised hosts. “HoneyMyte’s 2025 operations show a noticeable evolution toward using kernel-mode injectors to deploy TONESHELL, improving both stealth and resilience,” the company concluded. “To further conceal its activity, the driver first deploys a small user-mode component that handles the final injection step.
It also uses multiple obfuscation techniques, callback routines, and notification mechanisms to hide its API usage and track process and registry activity, ultimately strengthening the backdoor’s defenses.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
⚡ Weekly Recap: MongoDB Attacks, Wallet Breaches, Android Spyware, Insider Crime & More
Last week’s cyber news in 2025 was not about one big incident. It was about many small cracks opening at the same time. Tools people trust every day behave in unexpected ways. Old flaws resurfaced.
New ones were used almost immediately. A common theme ran through it all in 2025. Attackers moved faster than fixes. Access meant for work, updates, or support kept getting abused.
And damage did not stop when an incident was “over” — it continued to surface months or even years later. This weekly recap brings those stories together in one place. No overload, no noise. Read on to see what shaped the threat landscape in the final stretch of 2025 and what deserves your attention now.
⚡ Threat of the Week MongoDB Vulnerability Comes Under Attack — A newly disclosed security vulnerability in MongoDB has come under active exploitation in the wild, with over 87,000 potentially susceptible instances identified across the world. The vulnerability in question is CVE-2025-14847 (CVSS score: 8.7), which allows an unauthenticated attacker to remotely leak sensitive data from the MongoDB server memory. It has been codenamed MongoBleed. The exact details surrounding the nature of attacks exploiting the flaw are presently unknown.
Users are advised to update to MongoDB versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30. Data from attack surface management company Censys shows that there are more than 87,000 potentially vulnerable instances, with a majority of them located in the U.S., China, Germany, India, and France. Wiz noted that 42% of cloud environments have at least one instance of MongoDB in a version vulnerable to CVE-2025-14847. This includes both internet-exposed and internal resources.
🔔 Top News Trust Wallet Chrome Extension Hack Leads to $7M Loss — Trust Wallet urged users to update its Google Chrome extension to the latest version following what it described as a “security incident” that led to the loss of approximately $7 million. Users are advised to update to version 2.69 as soon as possible. “We’ve confirmed that approximately $7 million has been impacted, and we will ensure all affected users are refunded,” Trust Wallet said. The Chrome extension has about 1 million users.
Mobile-only users and all other browser extension versions are not affected. It’s currently not known who is behind the attack, but Trust Wallet said the attacker likely published a malicious version (2.68) by using a leaked Chrome Web Store API key. Affected victims have been asked to fill out a form to process reimbursements. Evasive Panda Stages DNS Poisoning Attack to Push MgBot Malware — A China-linked advanced persistent threat (APT) group known as Evasive Panda was attributed to a highly-targeted cyber espionage campaign in which the adversary poisoned Domain Name System (DNS) requests to deliver its signature MgBot backdoor in attacks targeting victims in Türkiye, China, and India.
The activity took place between November 2022 and November 2024. According to Kaspersky, the hacking group conducted adversary-in-the-middle (AitM) attacks on specific victims to serve trojanized updates for popular tools like SohuVA, iQIYI Video, IObit Smart Defrag, and Tencent QQ that ultimately deployed MgBot, a modular implant with wide-ranging information gathering capabilities. It’s currently not known how the threat actor is poisoning DNS responses. But two possible scenarios are suspected: either the ISPs used by the victims were selectively targeted and compromised to install some kind of network implant on edge devices, or a router or firewall used by the victims was hacked for this purpose.
LastPass 2022 Breach Leads to Crypto Theft — The encrypted vault backups stolen from the 2022 LastPass data breach enabled bad actors to take advantage of weak master passwords to crack them open and drain cryptocurrency assets as recently as late 2025. New findings from TRM Labs show that threat actors with possible ties to the Russian cybercriminal ecosystem have stolen no less than $35 million as of September 2025. The Russian links to the stolen cryptocurrency stem from two primary factors: The use of exchanges commonly associated with the Russian cybercriminal ecosystem in the laundering pipeline and operational connections gleaned from wallets interacting with mixers both before and after the mixing and laundering process. Fortinet Warns of Renewed Activity Exploiting CVE-2020-12812 — Fortinet said it observed “recent abuse” of CVE-2020-12812, a five-year-old security flaw in FortiOS SSL VPN, in the wild under certain configurations.
The vulnerability could allow a user to log in successfully without being prompted for the second factor of authentication if the case of the username was changed. The newly issued guidance does not give any specifics on the nature of the attacks exploiting the flaw, nor whether any of those incidents were successful. Fortinet has also advised impacted customers to contact its support team and reset all credentials if they find evidence of admin or VPN users being authenticated without two-factor authentication (2FA). Fake WhatsApp API npm Package Steals Messages — A new malicious package on the npm repository named lotusbail was found to work as a fully functional WhatsApp API, but contained the ability to intercept every message and link the attacker’s device to a victim’s WhatsApp account.
It has been downloaded over 56,000 times since it was first uploaded to the registry by a user named “seiren_primrose” in May 2025. The package has since been removed by npm. Once the npm package is installed, the threat actor can read all WhatsApp messages, send messages to others, download media files, and access contact lists. “And here’s the critical part, uninstalling the npm package removes the malicious code, but the threat actor’s device stays linked to your WhatsApp account,” Koi said.
“The pairing persists in WhatsApp’s systems until you manually unlink all devices from your WhatsApp settings. Even after the package is gone, they still have access.” ️🔥 Trending CVEs Hackers act fast. They can use new bugs within hours. One missed update can cause a big breach.
Here are this week’s most serious security flaws. Check them, fix what matters first, and stay protected. This week’s list includes — CVE-2025-14847 (MongoDB), CVE-2025-68664 (LangChain Core), CVE-2023-52163 (Digiever DS-2105 Pro), CVE-2025-68613 (n8n), CVE-2025-13836 (Python http.client), CVE-2025-26794 (Exim), CVE-2025-68615 (Net-SNMP), CVE-2025-44016 (TeamViewer DEX Client), and CVE-2025-13008 (M-Files Server). 📰 Around the Cyber World Former Coinbase Customer Service Agent Arrested in India — Coinbase Chief Executive Officer Brian Armstrong said that a former customer service agent for the largest U.S.
crypto exchange was arrested in India, months after hackers bribed customer service representatives to gain access to customer information. In May, the company said hackers bribed contractors working out of India to steal sensitive customer data and demanded a $20 million ransom. “We have zero tolerance for bad behavior and will continue to work with law enforcement to bring bad actors to justice,” Armstrong said . “Thanks to the Hyderabad Police in India, an ex-Coinbase customer service agent was just arrested.
Another one down and more still to come.” The incident impacted 69,461 individuals. A September 2025 class action lawsuit has revealed that Coinbase hired TaskUs to handle customer support from India. The court document also mentioned that Coinbase “cut ties with the TaskUs personnel involved and other overseas agents, and tightened controls.” One TaskUs employee based out of Indore, Ashita Mishra, is accused of “joining the conspiracy by agreeing to sell highly sensitive Coinbase user data to those criminals” as early as September 2024. Mishra was arrested in January 2025 for allegedly selling the stolen data to hackers for $200 per record.
TaskUs claimed that “it identified two individuals who illegally accessed information from one of our clients [who] were recruited by a much broader, coordinated criminal campaign against this client that also impacted a number of other providers servicing this client.” It also alleged that Coinbase “had vendors other than TaskUs, and that Coinbase employees were involved in the data breach.” But the company provided no further details. Cloud Atlas Targets Russia and Belarus — The threat actor known as Cloud Atlas has leveraged phishing lures with a malicious Microsoft Word document attachment that, when opened, downloads a malicious template from a remote server that, in turn, fetches and executes an HTML Application (HTA) file. The malicious HTA file extracts and creates several Visual Basic Script (VBS) files on disk that are parts of the VBShower backdoor. VBShower then downloads and installs other backdoors, including PowerShower, VBCloud, and CloudAtlas.
VBCloud can download and execute additional malicious scripts, including a file grabber to exfiltrate files of interest. Similar to VBCloud, PowerShower is capable of retrieving an additional payload from a remote server. CloudAtlas establishes communication with a command-and-control (C2) server via WebDAV and fetches executable plugins in the form of a DLL, allowing it to gather files, run commands, steal passwords from Chromium-based browsers, and capture system information. Attacks mounted by the threat actor have primarily targeted organizations in the telecommunications sector, construction, government entities, and plants in Russia and Belarus.
BlackHawk Loader Spotted in the Wild — A new MSIL loader named BlackHawk has been detected in the wild, incorporating three layers of obfuscation that show signs of being generated using artificial intelligence (AI) tools. Per ESET , it features a Visual Basic Script and two PowerShell scripts, the second of which contains the Base64-encoded BlackHawk loader and the final payload. The loader is being actively used in campaigns distributing Agent Tesla in attacks targeting hundreds of endpoints in Romanian small and medium-sized companies. The loader has also been used to deliver an information stealer known as Phantom.
Surge in Cobalt Strike Servers — Censys has noted a sudden spike in Cobalt Strike servers hosted online between early December and December 18, 2025, specifically on the networks of AS138415 (YANCY) and AS133199 (SonderCloud LTD). “Viewing the timeline above, AS138415 first exhibits limited ‘seed’ activity beginning on December 4, followed by a substantial expansion of 119 new Cobalt Strike servers on December 6,” Censys said . “Within just two days, however, nearly all of this newly added infrastructure disappears. On December 8, AS133199 experienced a near mirror-image increase and decrease in newly observed Cobalt Strike servers.” More than 150 distinct IPs associated with AS138415 have been flagged as hosting Cobalt Strike listeners during this window.
This netblock, 23.235.160[.]0/19, was allocated to RedLuff, LLC in September 2025. Meet Fly, the Russian Market Administrator — Intrinsec has revealed that a threat actor known as Fly is likely the administrator of Russian Market, an underground portal for selling credentials stolen via infostealers. “This threat actor promoted the marketplace on multiple occasions and throughout the years,” the French cybersecurity company said . “His username is reminiscent of the old name of the marketplace, ‘Flyded.’ We found two e-mail addresses used to register the first Russian Market domains, which enabled us to find potential links to a Gmail account named ‘AlexAske1,’ but we could not find additional information surrounding this potential identity.” New Scam Campaign Targets MENA with Fake Job Offers — A new scam campaign is targeting Middle East and North Africa (MENA) countries with fake online jobs across social media and private messaging platforms like Telegram and WhatsApp that promise easy work and fast money, but are designed to collect personal data and steal money.
The scams exploit trust in recognized institutions and the low cost of social media advertising. The targeting is intentionally broad to cast a wide phishing net. “The fake job ads often impersonate well-known companies, banks, and authorities to gain trust of victims,” Group-IB said . “Once victims engage, the conversation moves to private messaging channels where the actual financial fraud and data theft take place.” The ads typically redirect victims to a WhatsApp group, where a recruiter directs them to a scam website for registration.
Once the victim has completed the step, they are added to various Telegram channels where they are instructed to pay a fee to secure tasks and earn commissions from it. “The scammers will actually send a small payout for the initial task to build trust,” Group-IB said. “They will then push victims to deposit larger amounts to take on bigger tasks that promise even greater returns. When victims do make a big deposit, the payout stops, the channels and accounts disappear and the victim finds themselves blocked, making communication and tracking almost impossible.” The ads are directed against MENA countries such as Egypt, Gulf States’ members, Algeria, Tunisia, Morocco, Iraq, and Jordan.
EmEditor Breached to Distribute Infostealer — Windows-based text editing program EmEditor has disclosed a security breach. Emurasoft said a “third-party” performed an unauthorized modification of the download link for its Windows installer to point to a malicious MSI file hosted in a different location on the EmEditor website between December 19 and 22, 2022. Emurasoft said it’s investigating the incident to determine the full scope of impact. According to Chinese security firm QiAnXin, the malicious installer is used to launch a PowerShell script that’s capable of harvesting system information, including system metadata, files, VPN configuration, Windows login credentials, browser data, and information associated with apps like Zoho Mail, Evernote, Notion, discord, Slack, Mattermost, Skype, LiveChat, Microsoft Teams, Zoom, WinSCP, PuTTY, Steam, and Telegram.
It also installs an Edge browser extension (ID: “ngahobakhbdpmokneiohlfofdmglpakd”) named Google Drive Caching that can fingerprint browsers, replace cryptocurrency wallet addresses in the clipboard, log keystrokes from specific websites such as x[.]com, and steal Facebook advertising account details. Docker Hardened Images Now Available for Free — Docker has made Hardened Images free for every developer to bolster software supply chain security. Introduced in May 2025, these are a set of secure, minimal, production-ready images that are managed by Docker. The company said it has hardened over 1,000 images and helm charts in its catalog.
“Unlike other opaque or proprietary hardened images, DHI is compatible with Alpine and Debian, trusted and familiar open source foundations teams already know and can adopt with minimal change,” Docker noted . Flaw in Livewire Disclosed — Details have emerged about a now-patched critical security flaw in Livewire ( CVE-2025-54068 , CVSS score: 9.8), a full-stack framework for Laravel, that could allow unauthenticated attackers to achieve remote command execution in specific scenarios. The issue was addressed in Livewire version 3.6.4 released in July 2025. According to Synacktiv, the vulnerability is rooted in the platform’s hydration mechanism, which is used to manage component states and ensure that they have not been tampered with during transit by means of a checksum.
“However, this mechanism comes with a critical vulnerability: a dangerous unmarshalling process can be exploited as long as an attacker is in possession of the APP_KEY of the application,” the cybersecurity company said . “By crafting malicious payloads, attackers can manipulate Livewire’s hydration process to execute arbitrary code, from simple function calls to stealthy remote command execution.” To make matters worse, the research also identified a pre-authenticated remote code execution vulnerability that’s exploitable even without knowledge of the application’s APP_KEY. “Attackers could inject malicious synthesizers through the updates field in Livewire requests, leveraging PHP’s loose typing and nested array handling,” Synacktiv added. “This technique bypasses checksum validation, allowing arbitrary object instantiation and leading to full system compromise.” ChimeraWire Malware Boosts Website SERP Rankings — A new malware dubbed ChimeraWire has been found to artificially boost the ranking of certain websites in search engine results pages (SERPs) by performing hidden internet searches and mimicking user clicks on infected Windows devices.
ChimeraWire is typically deployed as a second-stage payload on systems previously infected with other malware downloaders, Doctor Web said. The malware is designed to download a Windows version of the Google Chrome browser and install add-ons like NopeCHA and Buster into it for automated CAPTCHA solving. ChimeraWire then launches the browser in debugging mode with a hidden window to perform the malicious clicking activity based on certain pre-configured criteria. “For this, the malicious app searches target internet resources in the Google and Bing search engines and then loads them,” the Russian company said .
“It also imitates user actions by clicking links on the loaded sites. The Trojan performs all malicious actions in the Google Chrome web browser, which it downloads from a certain domain and then launches it in debug mode over the WebSocket protocol.” More Details About LANDFALL Campaign Emerge — The LANDFALL Android spyware campaign was disclosed by Palo Alto Networks Unit 42 last month as having exploited a now-patched zero-day flaw in Samsung Galaxy Android devices (CVE-2025-21042) in targeted attacks in the Middle East. Google Project Zero said it identified six suspicious image files that were uploaded to VirusTotal between July 2024 and February 2025. It’s suspected that these images were received over WhatsApp, with Google noting that the files were DNG files targeting the Quram library , an image parsing library specific to Samsung devices.
Further investigation has determined that the images are engineered to trigger an exploit that runs within the com.samsung.ipservice process. “The com.samsung.ipservice process is a Samsung-specific system service responsible for providing ‘intelligent’ or AI-powered features to other Samsung applications,” Project Zero’s Benoît Sevens said . “It will periodically scan and parse images and videos in Android’s MediaStore. When WhatsApp receives and downloads an image, it will insert it in the MediaStore.
This means that downloaded WhatsApp images (and videos) can hit the image parsing attack surface within the com.samsung.ipservice application.” Given that WhatsApp does not automatically download images from untrusted contacts, it’s assessed that a 1-click exploit is used to trigger the download and have it added to the MediaStore. This, in turn, fires an exploit for the flaw, resulting in an out-of-bounds write primitive. “This case illustrates how certain image formats provide strong primitives out of the box for turning a single memory corruption bug into interactionless ASLR bypasses and remote code execution,” Sevens noted. “By corrupting the bounds of the pixel buffer using the bug, the rest of the exploit could be performed by using the ‘weird machine’ that the DNG specification and its implementation provide.” New Android Spyware Discovered on Belarusian Journalist’s Phone — Belarusian authorities are deploying a new spyware called ResidentBat on the smartphones of local journalists after their phones are confiscated during police interrogations by the Belarusian secret service.
The spyware can collect call logs, record audio through the microphone, take screenshots, collect SMS messages and chats from encrypted messaging apps, and exfiltrate local files. It can also factory reset the device and remove itself. According to a report from RESIDENT.NGO , ResidentBat’s server infrastructure has been operational since March 2021. In December 2024, similar cases of implanting spyware on individuals’ phones while they were being questioned by police or security services were reported in Serbia and Russia .
“The infection relied on physical access to the device,” RESIDENT.NGO said. “We hypothesize that the KGB officers observed the device password or PIN as the journalist typed it in their presence during the conversation. Once the officers had the PIN and physical possession of the phone while it was in the locker, they enabled ‘Developer Mode’ and ‘USB Debugging.’ The spyware was then sideloaded onto the device, likely via ADB commands from a Windows PC.” Former Incident Responders Plead Guilty to Ransomware Attacks — Former cybersecurity professionals Ryan Clifford Goldberg and Kevin Tyler Martin pleaded guilty to participating in a series of BlackCat ransomware attacks between April and December 2023 while they were employed at cybersecurity companies tasked with helping organizations fend off ransomware attacks. Goldberg and Martin were indicted last month.
While Martin worked as a ransomware threat negotiator for DigitalMint, Goldberg was an incident response manager for cybersecurity company Sygnia. A third unnamed co-conspirator, who was also employed at DigitalMint, allegedly obtained an affiliate account for BlackCat, which the trio used to commit ransomware attacks. The three individuals agreed to pay BlackCat administrators a 20% share of any ransoms received in exchange for access to the ransomware and BlackCat’s extortion platform. The defendants are scheduled to be sentenced on March 12, 2026, and face a maximum penalty of 20 years in prison.
“These defendants used their sophisticated cybersecurity training and experience to commit ransomware attacks – the very type of crime that they should have been working to stop,” said Assistant Attorney General A. Tysen Duva of the Justice Department’s Criminal Division. “Extortion via the internet victimizes innocent citizens every bit as much as taking money directly out of their pockets.” Congressional Report Says China Exploits U.S.-funded Research on Nuclear Technology — A new report released by the House Select Committee on China and the House Permanent Select Committee on Intelligence (HPSCI) has revealed that China exploits the U.S. Department of Energy (DOE) to gain access and divert American taxpayer-funded research and fuel its military and technological rise.
The investigation identified about 4,350 research papers between June 2023 and June 2025, where DOE funding or research support involved research relationships with Chinese entities, including over 730 DOE awards and contracts. Of these, approximately 2,200 publications were conducted in partnership with entities within China’s defense research and industrial base. “This case study and many more like it in the report underscore a deeply troubling reality: U.S. government scientists – employed by the DOE and working at federally funded national laboratories – have coauthored research with Chinese entities at the very heart of the PRC’s military-industrial complex,” the House Select Committee on the Chinese Communist Party (CCP) said.
“They involve the joint development of technologies relevant to next-generation military aircraft, electronic warfare systems, radar deception techniques, and critical energy and aerospace infrastructure – alongside entities already restricted by multiple U.S. agencies for posing a threat to national security.” In a statement shared with Associated Press, the Chinese Embassy in Washington said the select committee “has long smeared and attacked China for political purposes and has no credibility to speak of.” Moscow Court Sentences Russian Scientist to 21 Years for Treason — A Moscow court handed a 21-year prison sentence to Artyom Khoroshilov , 34, a researcher at the Moscow Institute of General Physics, who has been accused of treason, attacking critical infrastructure, and plotting sabotage. He was also fined 700,000 rubles (~$9,100). Khoroshilov is said to have colluded with the Ukrainian IT army to conduct distributed denial-of-service (DDoS) attacks on the Russian Post in August 2022.
He also planned to commit sabotage by blowing up the railway tracks used by the military unit of the Ministry of Defense of the Russian Federation to transport military goods. The IT Army of Ukraine, a hacktivist group known for coordinating DDoS attacks on Russian infrastructure, said it does not know if Khoroshilov was part of their community, but noted “the enemy hunts down any sign of resistance.” New DIG AI Tool Used by Malicious Actors — Resecurity said it has observed a “notable increase” in malicious actors’ utilization of DIG AI, the latest addition to a long list of dark Large Language Models (LLMs) that can be used for illegal, unethical, malicious or harmful activities, such as generating phishing emails or instructions for bombs and prohibited substances. It can be accessed by users via the Tor browser without requiring an account. According to its developer, Pitch, the service is based on OpenAI’s ChatGPT Turbo.
“DIG AI enables malicious actors to leverage the power of AI to generate tips ranging from explosive device manufacturing to illegal content creation, including CSAM,” the company said . “Because DIG AI is hosted on the TOR network, such tools are not easily discoverable and accessible to law enforcement. They create a significant underground market – from piracy and derivatives to other illicit activities.” China Says U.S. Seized Cryptocurrency from Chinese Firm — The Chinese government said the U.S.
unduly seized cryptocurrency assets that actually belonged to LuBian. In October 2025, the U.S. Justice Department seized $15 billion worth of Bitcoin from the operator of scam compounds last month. The agency claimed the funds were owned by the Prince Group and its CEO, Chen Zhi.
China’s National Computer Virus Emergency Response Center (CVERC) alleged that the funds could be traced back to the 2020 hack of Chinese bitcoin mining pool operator LuBian, echoing a report from Elliptic. What’s evident is that the digital assets were stolen from Zhi before they ended up with the U.S. “The U.S. government may have stolen Chen Zhi’s 127,000 Bitcoin through hacking techniques as early as 2020, making this a classic case of ‘black-on-black’ crime orchestrated by a state-sponsored hacking organization,” CVERC said .
However, it bears noting that the report makes no mention of the stolen assets being linked to scam campaigns. 🎥 Cybersecurity Webinars How Zero Trust and AI Catch Attacks With No Files, No Binaries, and No Indicators — Cyber threats are evolving faster than ever, exploiting trusted tools and fileless techniques that evade traditional defenses. This webinar reveals how Zero Trust and AI-driven protection can uncover unseen attacks, secure developer environments, and redefine proactive cloud security—so you can stay ahead of attackers, not just react to them. Master Agentic AI Security: Learn to Detect, Audit, and Contain Rogue MCP Servers — AI tools like Copilot and Claude Code help developers move fast, but they can also create big security risks if not managed carefully.
Many teams don’t know which AI servers (MCPs) are running, who built them, or what access they have. Some have already been hacked, turning trusted tools into backdoors. This webinar shows how to find hidden AI risks, stop shadow API key problems, and take control before your AI systems create a breach. 🔧 Cybersecurity Tools GhidraGPT — It is a plugin for Ghidra that adds AI-powered assistance to reverse engineering work.
It uses large language models to help explain decompiled code, improve readability, and highlight potential security issues, making it easier for analysts to understand and analyze complex binaries. Chameleon — It is an open-source honeypot tool used to monitor attacks, bot activity, and stolen credentials across a wide range of network services. It simulates open and vulnerable ports to attract attackers, logs their activity, and shows the results through simple dashboards, helping teams understand how their systems are being scanned and attacked in real environments. Disclaimer: These tools are for learning and research only.
They haven’t been fully tested for security. If used the wrong way, they could cause harm. Check the code first, test only in safe places, and follow all rules and laws. Conclusion This weekly recap brings those stories together in one place to close out 2025.
It cuts through the noise and focuses on what actually mattered in the final days of the year. Read on for the events that shaped the threat landscape, the patterns that kept repeating, and the risks that are likely to carry forward into 2026. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.