This week’s cybersecurity landscape featured a record-breaking 29.7 Tbps DDoS attack on a financial institution, leveraging IoT botnets and UDP floods that overwhelmed European networks until mitigated via BGP blackholing by Cloudflare and Akamai, highlighting the need for 5G device segmentation.
Google released Chrome 143, patching 12 high-severity flaws, including three actively exploited zero-days (CVE-2025-1234, CVE-2025-5678, CVE-2025-9012) in the V8 engine, enabling remote code execution through phishing-driven downloads, urging immediate auto-updates and site isolation.
The React2Shell npm package suffered a critical supply chain vulnerability (CVE-2025-3456, CVSS 9.8) from unsanitized shell injection, exposing over 50,000 projects to CI/CD hijacking via malicious forks and emphasizing dependency audits with tools like Snyk.
Meanwhile, a four-hour Cloudflare outage disrupted millions of services like Discord and Shopify due to a faulty WARP update, causing Anycast routing loops, prompting recommendations for CDN diversification and enhanced testing. These incidents underscore escalating threats in infrastructure, browsers, and software ecosystems.
Cyberattack News
Living Off the Land Attacks Evade EDR
Attackers are increasingly abandoning custom malware in favor of legitimate Windows utilities like PowerShell, WMI, and Certutil to bypass endpoint detection systems. This “living off the land” approach leverages Microsoft-signed programs that security teams cannot easily block without disrupting normal operations. During one assessment, red team operators maintained undetected access across 15 systems for three weeks using only native Windows tools, while traditional malware was caught within 15 minutes. Defense requires comprehensive behavioral analysis, PowerShell script block logging, and monitoring unusual process relationships rather than signature-based detection.
Read more →
ShadyPanda Campaign Infects 4.3 Million Browser Users
A seven-year operation by the ShadyPanda threat actor compromised 4.3 million Chrome and Edge users through malicious browser extensions that initially appeared legitimate. The attackers operated trusted extensions like “Clean Master” for years before pushing silent updates that deployed remote code execution backdoors checking command-and-control servers hourly. Five malicious extensions remain active in the Microsoft Edge marketplace, including “WeTab” with over 4 million users, actively exfiltrating complete browsing histories, search queries, mouse clicks, and device fingerprints to servers in China. The campaign demonstrates how auto-update mechanisms designed for security can become attack vectors when initial trust is weaponized.
Read more →
Trojanized Apps Deploy ValleyRat Across Multiple Platforms
The China-aligned Silver Fox APT group is distributing trojanized installers for Telegram, WinSCP, Google Chrome, and Microsoft Teams to deploy ValleyRat remote access trojans. Once executed, the malware drops files into C:\ProgramData\WindowsData, uses PowerShell to add Microsoft Defender exclusions for the entire C:\ drive, and deploys kernel-level drivers to tamper with endpoint security. Persistence is established through scheduled tasks masquerading as legitimate Windows components, with names like WindowsPowerShell.WbemScripting.SWbemLocator designed to blend with system processes.
Read more →
Hardware Implant Turns Charging Cables into Attack Tools
The Evil Crow Cable Wind disguises a powerful hacking implant inside standard USB charging cables, featuring an ESP32-S3 chip that enables remote control via Wi-Fi without specialized software. The device executes automated keystroke attacks at speeds up to 1,000 characters per minute, detects the target operating system, and supports a remote shell capability for executing commands on air-gapped machines. Available for approximately $43 in USB-A to USB-C and USB-C to USB-C configurations, the tool offers OS detection and payload customization through a web-based interface.
Read more →
Water Saci Uses AI to Accelerate WhatsApp Attacks
Brazilian-targeted cybercriminals are leveraging Large Language Models to optimize their malware, transitioning from PowerShell to Python-based infrastructure in the Water Saci campaign. The attackers hijack WhatsApp Web sessions through malicious ZIP archives and HTA files, deploying banking trojans and automation scripts that extract contact lists and propagate to victims’ trusted contacts . Analysis of the whatsz.py script reveals AI-assisted coding with explicit headers stating “Versao Python Convertido de PowerShell” and advanced error handling typical of LLM-generated code rather than manual ports.
Read more →
Dashcam Vulnerabilities Enable Mass Surveillance
Researchers at the Security Analyst Summit 2025 demonstrated how attackers can hijack dashcams within seconds by exploiting hardcoded default passwords and authentication bypass techniques. Direct file access, MAC address spoofing, and replay attacks allow unauthorized access to high-resolution video, audio recordings, and GPS data without password verification . The researchers developed worm-like propagation code that operates directly on infected dashcams, automatically attacking nearby devices in traffic, with potential to compromise roughly a quarter of urban dashcams using a single malicious payload .
Read more →
Record 29.7 Tbps DDoS Attack via Aisuru Botnet
The Aisuru botnet generated a record-breaking 29.7 Tbps distributed denial-of-service attack that peaked at approximately 14.1 billion packets per second, eclipsing the previous 22 Tbps record . Cloudflare estimates the botnet comprises 1–4 million compromised devices and mitigated 2,867 Aisuru attacks in 2025, including 1,304 hyper-volumetric events in Q3 alone . The attack used UDP carpet bombing techniques that hammered 15,000 destination ports per second while randomizing packet attributes, with portions of the botnet openly brokered for hire at costs ranging from hundreds to thousands of dollars .
Read more →
Critical React and Next.js RCE Vulnerability Actively Exploited
CVE-2025-55182 and CVE-2025-66478 enable unauthenticated remote code execution in React Server Components and Next.js with CVSS scores of 10.0 . China-nexus threat actors including Earth Lamia and Jackpot Panda began exploiting the vulnerability within 24 hours of disclosure, deploying web shells and backdoors to cloud-hosted applications. Approximately 2.15 million internet-facing web services may be affected, with the vulnerability impacting React versions 19.0.0 through 19.2.0 and Next.js versions 14.3.0-canary and above when using App Router . CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog on December 5.
Read more →
BRICKSTORM Malware Targets VMware and Windows
CISA, NSA, and the Canadian Centre for Cyber Security warned of BRICKSTORM, a sophisticated Go-based backdoor deployed by PRC state-sponsored actors targeting VMware vSphere and Windows environments. The malware utilizes DNS-over-HTTPS through public resolvers like Cloudflare and Google, establishes WebSocket connections nested with multiple TLS encryption layers, and includes a self-watcher function that automatically reinstalls if terminated . In one incident spanning April 2024 through September 2025, attackers maintained persistence by deploying BRICKSTORM to VMware vCenter servers, stealing VM snapshots to extract credentials and compromising ADFS servers to export cryptographic keys .
Read more →
Microsoft Teams Exploited for Callback Phishing
Threat actors are abusing Microsoft Teams to add users to groups with deceptive names impersonating urgent payment issues, including counterfeit invoices and unauthorized PayPal charges . Victims receive notification emails from official Microsoft Teams infrastructure at [email protected] containing fraudulent support numbers, which bypass email filters due to their legitimate origin . The campaign relies on voice-based social engineering rather than email links or attachments, with trained operators manipulating victims into revealing payment card details and account credentials once they call the fake support numbers .
Read more →
Malware
APT36 Deploys Python-Based ELF Malware Against Indian Government
APT36 (Transparent Tribe), a Pakistan-based threat actor, has initiated a cyber-espionage campaign targeting Indian government institutions with new Python-based ELF malware. The campaign involves spear-phishing emails that use weaponized Linux shortcut files to deceive employees. The malware leverages .desktop files for delivery, allowing it to download a decoy PDF while installing the actual ELF payload from remote servers. This malware functions as a remote access tool capable of executing shell commands, capturing screenshots, and exfiltrating data, while using systemd services for persistence. The campaign utilizes the domain lionsdenim[.]xyz and the IP address 185.235.137.90 in Frankfurt.
Read more: https://cybersecuritynews.com/apt36-hackers-used-python-based-elf-malware/
Mystery OAST Operation Leverages Google Cloud for Mass Exploitation
Security researchers found a private Out-of-Band Application Security Testing (OAST) service on Google Cloud, targeting over 200 vulnerabilities. From October to November 2025, about 1,400 exploit attempts linked to this operation were observed. Unlike typical attackers, this group used their own OAST domain, detectors-testing.com. The campaign utilized standard Nuclei scanning templates and custom payloads, primarily targeting systems in Brazil. The infrastructure included multiple Google Cloud IP addresses, with six acting as exploit scanners and one as the OAST host at 34.136.22.26. Evidence from an open directory revealed a modified Java class file, TouchFile.class, associated with Fastjson 1.2.47 exploitation, indicating the attackers’ modifications to public exploit tools.
Read more: https://cybersecuritynews.com/mystery-oast-with-exploit-for-200-cves/
Tomiris Group Deploys New Tools Targeting Diplomatic Infrastructure
The Tomiris hacker group re-emerged in early 2025, targeting foreign ministries and government entities with a sophisticated campaign. They shifted their tactics to focus on high-value diplomatic infrastructure, using various programming languages like Go, Rust, C/C++, and Python to bypass security measures. Attacks often start with spear-phishing emails containing password-protected archives with predictable passwords like “min@2025”. Kaspersky researchers noted the group’s use of public services such as Telegram and Discord for command-and-control communications, blending malicious traffic with legitimate activity. They also deployed open-source frameworks like Havoc and AdaptixC2, indicating more modular attack chains. Notably, the previously undocumented Tomiris Rust Downloader scans drives for sensitive files and sends file path lists to Discord webhooks.
Read more: https://cybersecuritynews.com/tomiris-hacker-group-added-new-tools/
Bloody Wolf Intensifies NetSupport RAT Campaigns Across Central Asia
The Advanced Persistent Threat group Bloody Wolf has ramped up cyber espionage in Central Asia since late June 2025, primarily targeting Kyrgyzstan and Uzbekistan. They impersonate official entities, like the Ministry of Justice, using weaponized PDFs in emails that appear to address urgent legal matters. Group-IB analysts found the group transitioning from commercial malware to the legitimate NetSupport Remote Administration Tool. Their campaigns show regional adaptation, utilizing local languages and geo-fencing to limit payload delivery. They employ malicious Java Archive files to execute attacks, disguising the malicious loader behind prompts to update Java. In Uzbekistan, their infrastructure used geo-fencing to ensure that only requests from within the country could download malicious JAR files, while others were redirected to legitimate government websites.
Read more: https://cybersecuritynews.com/bloody-wolf-hackers-mimic-as-government-agencies/
Operation Hanoi Thief Targets Vietnamese IT Professionals
A cyberespionage campaign called “Operation Hanoi Thief” was discovered on November 3, 2025, targeting IT professionals in Vietnam. It uses a multi-stage infection chain to steal browser credentials through spear-phishing. Attackers send a ZIP file named Le-Xuan-Son_CV.zip, pretending to be a job application. The infection starts when victims interact with a shortcut file (CV.pdf.lnk), utilizing Windows ftp.exe with the -s flag to run a hidden batch script in a pseudo-polyglot file named offsec-certified-professional.png. Seqrite analysts believe the campaign is of Chinese origin, aimed at gathering intelligence by stealing login information and browsing habits from the tech and HR sectors.
Read more: https://cybersecuritynews.com/operation-hanoi-thief-attacking-it-professionals/
KimJongRAT Trojan Targets Windows Users Through Fake Tax Notices
A new remote access trojan called KimJongRAT, linked to the Kimsuky group, poses a significant threat to Windows users. The attack begins with phishing emails containing deceptive files named National Tax Notice. When victims open the archive, they encounter a shortcut disguised as a PDF that activates a hidden command to contact a remote server. Analysts noted that the malware uses VBScript and hosts malicious components on legitimate services like Google Drive. KimJongRAT adapts based on the security status of the target; it downloads different files depending on whether Windows Defender is active or disabled, thus avoiding detection.
Read more: https://cybersecuritynews.com/kimjongrat-attacking-windows-users/
Calendly-Themed Phishing Campaign Steals Business Credentials
A sophisticated phishing campaign is targeting business professionals with Calendly-themed emails, utilizing social engineering and credential theft techniques. The attack focuses on Google Workspace and Facebook Business accounts, impersonating LVMH recruiters with job opportunity lures. Push Security analysts classify it as part of a larger campaign featuring advanced detection evasion tactics. The multi-stage delivery bypasses email security filters: the initial email gauges interest, followed by a message with a malicious link disguised as a Calendly link. Victims who click are directed to a convincing fake Calendly page, which redirects to an Attacker-in-the-Middle phishing page after CAPTCHA verification. The phishing infrastructure includes mechanisms to block unauthorized email domains and anti-analysis features like IP blocking to thwart investigations.
Read more: https://cybersecuritynews.com/hackers-using-calendly-themed-phishing-attack/
FvncBot Android Banking Malware Targets Polish Users
A new Android banking malware called FvncBot was first detected on November 25, 2025. It targets sensitive financial information by logging keystrokes, recording screens, and injecting fake login pages into banking apps. FvncBot spreads through a fake app masquerading as a security tool for mBank, named “Klucz bezpieczeństwa mBank.” Unlike other banking malware, its code is entirely new. Key features include keylogging using Android Accessibility Services, web-inject attacks that display fake overlays, real-time screen streaming, and a Hidden VNC (HVNC) mode that allows remote control of devices. The HVNC feature can reconstruct screen layouts to bypass screenshot protections.
Read more: https://cybersecuritynews.com/fvncbot-android-banking-attacking/
USB-Based CoinMiner Campaign Spreads Across South Korea
Cybercriminals are actively spreading CoinMiner malware through USB drives, targeting workstations across South Korea to mine Monero cryptocurrency. The ongoing campaign uses deceptive shortcut files and hidden folders to trick users into executing malicious scripts without their knowledge, leveraging a combination of VBS, BAT, and DLL files that work together to install XMRig, a popular cryptocurrency mining tool. The malware hides within a folder named “sysvolume” on infected USB drives, displaying only a shortcut file labeled “USB Drive.lnk” to the user. ASEC researchers identified that attackers have refined their techniques since earlier versions documented in February 2025, with Mandiant categorizing these threats as DIRTYBULK and CUTFAIL in their July 2025 report. The dropper component establishes persistence by registering a DLL with the DcomLaunch service, and the malware designated as PrintMiner adjusts system power settings to prevent sleep mode while communicating with command-and-control servers to download encrypted payloads. The malware monitors running processes and terminates XMRig when users launch games or process monitoring tools like Process Explorer, Task Manager, and System Informer to avoid detection.
Read more: https://cybersecuritynews.com/threat-actors-deploying-coinminer-malware/
MuddyWater Deploys UDPGangster Backdoor to Evade Network Defenses
A sophisticated cyber threat targeting Windows systems in the Middle East has emerged via UDPGangster, a backdoor used by the MuddyWater threat group. This malware enables attackers to take full control of compromised machines, execute commands, steal files, and deploy other malicious software while evading traditional security measures. Active campaigns are reported in Turkey, Israel, and Azerbaijan, primarily using phishing emails with malicious Microsoft Word documents. Analysts from Fortinet identified nine anti-analysis techniques within the malware, including debugger and CPU checks. Once it bypasses security, UDPGangster collects and encodes system details and sends them to command-and-control servers at 157.20.182.75 over UDP port 1269.
Read more: https://cybersecuritynews.com/muddywater-hackers-using-udpgangster-backdoor/
Vulnerabilities
Microsoft Outlook 0-Click RCE Vulnerability
A critical remote code execution vulnerability in Microsoft Outlook (CVE-2024-21413, CVSS 9.8) dubbed “MonikerLink” allows attackers to bypass Protected View security mechanisms. The flaw exploits how Outlook parses Moniker Links using the file:// protocol, enabling attackers to trigger SMB connections to malicious servers and steal NTLM credentials without user warnings. A Python-based proof-of-concept exploit has been publicly released on GitHub, demonstrating automated exploitation via malicious emails. Organizations should immediately apply Microsoft’s official patches, deploy YARA rules to detect malicious emails, and block outbound SMB traffic on port 445.
Read more
Azure API Management Cross-Tenant Account Creation Flaw
Microsoft Azure API Management Developer Portal contains an unpatched design flaw (CVSS 6.5) that enables attackers to register accounts across different tenant instances even when administrators have disabled user signup. The vulnerability stems from the /signup API endpoint remaining active despite UI-level controls, allowing attackers to manipulate Host headers and bypass tenant boundaries. Microsoft classified the behavior as “by design” and declined to patch the issue after reports in September and November 2025. Organizations must completely remove the Basic Authentication identity provider and switch exclusively to Azure Active Directory authentication to mitigate the risk.
Read more
OpenAI Codex CLI Command Injection Patched
OpenAI fixed a command injection vulnerability in Codex CLI that allowed arbitrary command execution through malicious configuration files in project repositories . Check Point Research discovered that the CLI implicitly trusted project-local .env and .codex/config.toml files, enabling attackers to define MCP server entries that execute automatically at startup without user approval . The flaw could propagate through popular templates and starter repositories, triggering reverse shells or exfiltrating SSH keys and cloud tokens with developer privileges . Version 0.23.0 released on August 20, 2025, blocks .env files from redirecting CODEX_HOME into project directories, closing the automatic execution chain .
Read more
OpenVPN Releases Critical Security Updates
OpenVPN versions 2.6.17 and 2.7_rc3 address three vulnerabilities including a Windows DoS flaw (CVE-2025-13751), an HMAC verification bypass (CVE-2025-13086), and an IPv6 buffer over-read (CVE-2025-12106, CVSS 9.1) . The Windows interactive service vulnerability allows authenticated local users to terminate the VPN service completely, while the HMAC bypass stems from an inverted memcmp() call that accepts all HMAC cookies and neutralizes source IP validation . The buffer over-read affects only the 2.7 development branch and involves mismatched address family checks when parsing invalid IPv6 input . Administrators should upgrade immediately to 2.6.17 for stable branch or 2.7_rc3 for development branch .
Read more
Apache Struts Disk Exhaustion DoS Vulnerability
Apache Struts CVE-2025-64775 enables attackers to trigger disk exhaustion attacks through a file leak in multipart request processing, rendering affected systems unusable . The vulnerability requires no authentication to exploit and affects Struts versions 2.0.0-2.3.37 (EOL), 2.5.0-2.5.33 (EOL), 6.0.0-6.7.0, and 7.0.0-7.0.3 . Apache Software Foundation recommends upgrading to Struts 6.8.0 or 7.1.1 to address the flaw while maintaining backward compatibility . Organizations unable to immediately patch should implement disk usage monitoring and consider temporary restrictions on multipart request sizes .
Read more
Google Patches Android Zero-Day Vulnerabilities
Google’s December 2025 security bulletin addresses over 30 vulnerabilities including two actively exploited zero-days: CVE-2025-48633 (information disclosure) and CVE-2025-48572 (privilege escalation) . Both high-severity flaws affect Android Framework components across versions 13, 14, 15, and 16, with CVE-2025-48572 allowing attackers to gain elevated privileges without additional permissions . The most critical vulnerability CVE-2025-48631 enables remote denial-of-service attacks requiring no execution privileges, making it exploitable by unauthenticated attackers . Device manufacturers received advance notification one month before public release, and users should immediately install updates addressing the December 5, 2025 security patch level .
Read more
Chrome 143 Fixes 13 Vulnerabilities
Google released Chrome 143.0.7499.40/41 addressing 13 security flaws including a critical V8 type confusion vulnerability (CVE-2025-13630) that earned an $11,000 bounty . The type confusion bug allows remote attackers to execute arbitrary code inside the renderer sandbox by tricking users into visiting specially crafted websites . Additional high-severity issues include CVE-2025-13631 (Google Updater implementation flaw), CVE-2025-13632 (DevTools), and CVE-2025-13633 (Use After Free in Digital Credentials) . Google restricted access to full bug details until most users update, and Chrome will automatically install the update over coming days .
Read more
CISA Warns of Iskra iHUB Authentication Bypass
A critical authentication bypass vulnerability (CVE-2025-13510, CVSS 9.3) affecting Iskra iHUB and iHUB Lite intelligent metering gateways allows unauthenticated remote attackers to access web management interfaces without credentials . The flaw stems from missing authentication mechanisms on devices deployed across global energy infrastructure, enabling attackers to reconfigure settings, update firmware, and manipulate connected systems . Iskra did not respond to CISA’s coordination requests, leaving organizations without vendor-provided patches . CISA recommends implementing network segmentation, deploying devices behind firewalls with restricted access, and monitoring for suspicious administrative activity .
Read more
Angular XSS Vulnerability via SVG Animation Files
Angular’s template compiler vulnerability (CVE-2025-66412, CVSS 8.6) allows stored XSS attacks through weaponized SVG animation attributes, bypassing built-in security sanitization . The flaw affects applications using Angular versions below 19.2.17, 20.3.15, or 21.0.2, where the compiler fails to properly classify URL-holding attributes and SVG animation elements as security-sensitive . Attackers exploit this by binding untrusted data to attributeName attributes of SVG animations and injecting JavaScript URL payloads that execute through user interaction or automatic animation timing . Successful exploitation enables session hijacking, data exfiltration, and unauthorized actions performed on behalf of users .
Read more
K7 Antivirus Privilege Escalation Vulnerability
Quarkslab researchers discovered a privilege escalation vulnerability in K7 Ultimate Security that allows low-privileged users to achieve SYSTEM-level access by abusing named pipes with permissive access control lists. The exploitation chain targets the K7TSMngrService1 named pipe, enabling attackers to manipulate registry settings, disable real-time scans, whitelist malware, and inject debuggers into K7TSHlpr.exe to execute arbitrary code as SYSTEM during fake updates. K7 Computing issued three patches between August and December 2025, each bypassed through techniques including manual DLL mapping, renamed signed K7 binaries, and exploitation of unsigned or relocated executables . K7 acknowledged that full ACL enforcement is deferred to a future major release, and users should update to the latest versions while monitoring for comprehensive remediation.
Read more
