Cybersecurity News Weekly Newsletter – Windows, Chrome, and Apple 0-days, Kali Linux 2025.4, and MITRE Top 25

As 2025 nears its close, the cybersecurity landscape shows no signs of slowing down. This week’s developments highlight how rapidly the threat environment continues to evolve with major zero-day vulnerabilities targeting Windows, Chrome, and Apple devices, each actively exploited in the wild.

These high-risk flaws underline the continued importance of swift patching, layered defense, and continuous threat monitoring across enterprise ecosystems.

Meanwhile, offensive security professionals received a major update as Kali Linux 2025.4 rolled out with new tools, kernel upgrades, and enhanced cloud integration, reinforcing its position as a cornerstone for penetration testing and digital forensics in both research and operational security settings.

On the defensive front, MITRE released its annual Top 25 Most Dangerous Software Weaknesses of 2025, spotlighting recurring coding errors that adversaries frequently weaponize. From inadequate input validation to risky resource management, the list serves as a vital reminder that secure coding is still the first line of defense against complex exploitation techniques and chained attack vectors.

Across the board, this week reflects a convergence of aggressive exploitation activity and heightened community response. Organizations are urged to prioritize visibility, validate software supply chains, and stay aligned with evolving security frameworks. Whether patching systems affected by 0-days, assessing exposure through MITRE’s latest findings, or adopting the latest features of Kali Linux, the takeaway is clear — cyber resilience depends on agility, awareness, and readiness.

Stay ahead of the threat curve with this week’s highlights, advisories, and actionable updates across infrastructure, endpoint, and application security domains.

​Threats

Malicious Go UUID Packages Target Developers

A long-running supply chain attack abused typo‑squatted Go packages github.com/bpoorman/uuid and github.com/bpoorman/uid to impersonate Google’s and pborman’s UUID libraries while silently exfiltrating sensitive data passed into a backdoored Valid helper function. Collected data is encrypted and uploaded to dpaste.com using a hardcoded API token, and the malicious packages have been available since 2021, highlighting the need for strict dependency verification in Go projects and regular audits of go.mod imports.

​Read more: https://cybersecuritynews.com/malicious-go-packages-as-googles-uuid-library/

VS Code & AI IDE Extensions as Backdoors

Researchers showed how attackers can publish malicious extensions to Visual Studio Code and AI IDEs like Cursor with minimal friction, exemplified by a typo‑squatted “Piithon-linter” that passed marketplace checks. Once installed, such extensions can auto‑execute on IDE launch, evade AV/EDR via environment checks, exfiltrate environment variables (secrets, tokens), and deploy Merlin C2 agents across Windows, macOS, and Linux.​

Read more: https://cybersecuritynews.com/hackers-compromising-developers-with-malicious-vs-code/

Anatsa Banking Trojan Hidden in Google Play Document Reader

An Android app called “Document Reader – File Manager” on Google Play, with over 50,000 installs, was found to act as a dropper for the Anatsa (TeaBot) banking trojan. The app fetches the payload from a remote server, uses emulator‑evasion and obfuscation techniques, abuses accessibility permissions, and overlays fake banking interfaces to steal credentials and enable fraudulent transactions against hundreds of financial institutions worldwide.

Read more: https://cybersecuritynews.com/malicious-document-reader-app-google-play/

GhostPenguin: Zero‑Detection Linux Backdoor

A previously unknown Linux backdoor dubbed GhostPenguin evaded all engines on VirusTotal for months while providing attackers with remote shell access and full file‑system operations over encrypted UDP. The malware uses RC5 encryption with a dynamically assigned session ID over UDP port 53, employs multi‑stage communication, heartbeat‑based C2, and supports around 40 commands, illustrating how bespoke, low‑noise backdoors can slip past conventional detection.

Read more: https://cybersecuritynews.com/ghostpenguin-backdoor-with-zero-detection/

Ransomware Surge Against Hyper‑V & ESXi

Recent reporting highlights a sharp rise in ransomware campaigns explicitly targeting Microsoft Hyper‑V and VMware ESXi environments, often to maximize impact by encrypting virtual machine images at scale. Threat actors increasingly abuse misconfigurations, flat network access, weak admin credentials, and inadequate segmentation around hypervisors to gain control of virtualization layers and disrupt entire fleets of workloads in a single operation.

Read more: https://cybersecuritynews.com/ransomware-targeting-hyper-v-and-vmware-esxi-surges/

AI Conversations Weaponized to Deliver AMOS

Threat actors are abusing legitimate ChatGPT and Grok conversation links, which rank highly in search results, to lure macOS users into running malicious Terminal commands that install Atomic macOS Stealer (AMOS). The attack uses base64‑encoded payloads, leverages dscl and sudo -S to validate and reuse user credentials, and sets up persistence via LaunchDaemons, exploiting user trust in AI platforms rather than exploiting OS vulnerabilities.

Read more: https://cybersecuritynews.com/chatgpt-and-grok-conversations-weaponized/

Lifecycle of Data Stolen in Phishing Attacks

New research traces how credentials harvested via phishing move through a multi‑stage underground economy, from initial collection on fake pages to distribution via email, Telegram bots, or phishing‑as‑a‑service panels like BulletProofLink and Caffeine. Stolen data is aggregated, traded, and repeatedly reused for account takeover, fraud, and follow‑on intrusions, meaning even “old” phished credentials can continue to pose long‑term risk if not properly revoked and monitored.

Read more: https://cybersecuritynews.com/what-happens-to-data-stolen-in-a-phishing-attack/

Cyberattack

React2Shell RCE Actively Exploited in the Wild (CVE-2025-55182)

A critical unsafe deserialization flaw in the React Server Components Flight protocol, dubbed “React2Shell” (CVE-2025-55182), is under active exploitation across React and Next.js deployments. Attackers are using automated Mirai-style botnet kits, PowerShell “cheap math” probes for RCE validation, and encoded download‑and‑execute stagers that bypass AMSI by flipping AmsiUtils.amsiInitFailed to true.​
Defenders should urgently patch affected React/Next.js stacks, block known campaign IPs where possible, and monitor for repeated PowerShell arithmetic execution and AMSI-bypass indicators on Windows endpoints.​

Read more: https://cybersecuritynews.com/react2shell-rce-vulnerability/

OceanLotus Targets China’s Xinchuang Ecosystem via Supply Chain Attacks

OceanLotus (APT32) is conducting a focused surveillance campaign against China’s “Xinchuang” IT stack, abusing domestic hardware/software supply chains once considered resilient to foreign espionage. The group uses spear‑phishing with malicious .desktop files, WPS PDF lures, and JAR archives, then chains brute‑forcing of internal security servers with suspected zero‑days to push malicious update scripts.​
An N‑day bug in Atril (CVE-2023-52076) is weaponized via crafted EPUBs to achieve path traversal and arbitrary file write, dropping an autostart .desktop loader and encrypted payload that decrypts to a Python downloader on login.​

Read more: https://cybersecuritynews.com/oceanlotus-hacker-group-targeting-xinchuang-it-ecosystems/

Spiderman Phishing Kit Supercharges European Banking Fraud

A new “Spiderman” phishing framework is enabling low‑skill threat actors to build pixel‑perfect clones of dozens of European banking and crypto portals through a point‑and‑click interface. The kit centralizes support for major banks, adds real‑time session control, and includes dedicated modules to capture 2FA codes such as PhotoTAN and OTPs while operators watch sessions live.​
Spiderman further evades takedowns using granular geo/device filtering and anti‑analysis rules and extends fraud into crypto by harvesting wallet seed phrases for platforms like Ledger, MetaMask, and Exodus.​

Read more: https://cybersecuritynews.com/spiderman-phishing-kit-bank-login/

ChatGPT-Themed Lures Deliver AMOS InfoStealer to macOS

A new macOS campaign abuses sponsored Google Ads and fake ChatGPT “support” sessions to deliver AMOS InfoStealer under the guise of terminal troubleshooting commands. Victims looking to fix sound issues are funneled into a convincing chat flow that instructs them to run a single terminal line which silently downloads and executes a remote script to install AMOS and set up persistence.​
Once deployed, AMOS harvests browser data, credentials, cookies, and other secrets from Mac endpoints, enabling account takeover and lateral movement against both consumer and enterprise environments.​

Read more: https://cybersecuritynews.com/threat-actors-leverage-chatgpt/

Cisco‑Trained Chinese Hackers Turn Tools Against Cisco Devices

Two Chinese operators, Yuyang and Qiu Daibing, formerly standout Cisco Network Academy participants, have been identified as key figures behind the Salt Typhoon campaign targeting Cisco infrastructure worldwide. Leveraging deep familiarity with Cisco IOS and ASA firewalls, the operation compromised over 80 telecom providers, intercepting unencrypted communications involving US presidential candidates, staffers, and policy experts.

The campaign also abused lawful‑intercept (CALEA) infrastructure for large‑scale intelligence collection, raising hard questions about the geopolitical risks of vendor training programs in adversarial markets.​

Read more: https://cybersecuritynews.com/chinese-hackers-attacking-cisco-devices/

ValleyRAT Builder Leak Fuels Stealthy Windows 11 Rootkit Campaigns

ValleyRAT (aka Winos/Winos4.0) has evolved into a modular backdoor with an embedded kernel‑mode rootkit that can retain valid signatures and load on fully patched Windows 11 systems. Following the public leak of its builder, detections have surged, with roughly 85% of samples observed in the last six months and increasing use by diverse threat actors.
The malware chains first‑stage beaconing modules with a driver plugin that stealthily installs a signed rootkit, injects user‑mode shellcode, and forcibly removes AV/EDR drivers from vendors like Qihoo 360, Huorong, Tencent, and Kingsoft to create a blind spot.

Read more: https://cybersecuritynews.com/valleyrat-malware-uses-stealthy-driver-install/

CyberVolk’s VolkLocker Hits Linux and Windows with RaaS Model

Pro‑Russia group CyberVolk has resurfaced with VolkLocker, a cross‑platform ransomware‑as‑a‑service written in Go that targets both Linux and Windows environments. Despite rushed development and leftover test artifacts, the platform combines Telegram‑based automation with robust encryption, giving affiliate operators an easy path to broad infrastructure compromise.
VolkLocker uses a registry‑based “ms-settings” UAC bypass for stealthy privilege escalation, then performs extensive environment checks to avoid sandboxes and focus on production systems, while encouraging affiliates to apply UPX packing for additional evasion.

Read more: https://cybersecuritynews.com/cybervolk-hackers-group-with-new-volklocker-payloads/

Vulnerability

WatchGuard Firebox: 10 flaws enabling code execution

WatchGuard Firebox appliances received fixes for ten vulnerabilities, including multiple out-of-bounds write bugs in the CLI and certificate daemon that let authenticated admins gain arbitrary code execution, a high-severity XPath injection exposing configuration data, and several stored XSS bugs in third‑party integrations. Patches are available in Fireware OS 2025.1.3, 12.11.5, and 12.5.14, and organizations with exposed management interfaces or legacy IPSec setups are urged to update immediately.​

Read more: https://cybersecuritynews.com/watchguard-firebox-vulnerabilities/

Fortinet SSO bypass across FortiOS, FortiWeb, and FortiProxy

Fortinet disclosed a critical improper cryptographic signature verification issue in FortiCloud SSO handling that allows unauthenticated attackers to forge SAML messages and gain admin access when FortiCloud login is enabled (often auto‑enabled during registration). A broad range of FortiOS, FortiProxy, FortiWeb, and FortiSwitchManager releases require urgent upgrades, with disabling FortiCloud SSO offered as an interim workaround for environments that cannot patch immediately.

Read more: https://cybersecuritynews.com/critical-fortinet-vulnerability/

FortiSandbox OS command injection

A separate FortiSandbox issue allows attackers to exploit an OS command injection flaw to run arbitrary commands on affected appliances, threatening both sandbox integrity and adjacent monitored networks. Fortinet has issued fixed firmware versions and recommends immediate upgrades for any internet‑exposed or shared multi‑tenant sandbox deployments.

Read more: https://cybersecuritynews.com/fortisandbox-os-command-injection-vulnerability/

AWS IAM eventual consistency is abused for stealthy persistence

Research from OFFENSAI shows how IAM’s 3–4 second consistency delay lets attackers keep or reestablish access even after defenders delete compromised access keys or apply deny policies, because stale state remains usable briefly across regions. Recommended mitigations include enforcing account‑level SCPs via AWS Organizations, favoring short‑lived STS and role‑based access over long‑term keys, and updating incident‑response playbooks to explicitly account for propagation delays.​

Read more: https://cybersecuritynews.com/aws-iam-eventual-consistency-exploited/

“ConsentFix” attack hijacks Microsoft accounts via OAuth consent abuse

A new “ConsentFix” technique manipulates OAuth consent flows and existing app grants to silently escalate access to Microsoft accounts, allowing attackers to persist without traditional credential theft. Organizations should review enterprise app consents, enforce admin‑only consent for high‑risk scopes, and tighten conditional access and app governance policies.

Read more: https://cybersecuritynews.com/consentfix-attack-hijack-microsoft-accounts/

SAP December Patch Day: 3 critical code‑execution paths

SAP’s December Security Patch Day delivered 14 notes, including three critical issues such as a 9.9‑rated code injection in SAP Solution Manager and critical flaws in Commerce Cloud (Tomcat) and jConnect deserialization that can enable remote code execution and systemic compromise. Additional high and medium notes span Web Dispatcher, NetWeaver, Business Objects, SAPUI5, and Enterprise Search, with SAP urging rapid patching via the Support Portal and non‑production testing first.​
Read more: https://cybersecuritynews.com/sap-security-patch-day-december/

Microsoft Patch Tuesday: 56 CVEs, 3 zero‑days

Microsoft’s final 2025 Patch Tuesday fixes 56 vulnerabilities across Windows, Office, Exchange, Azure components, and developer tooling, including three zero‑days: two command‑injection RCEs in PowerShell and GitHub Copilot for JetBrains, and an actively exploited elevation‑of‑privilege bug in the Windows Cloud Files Mini Filter Driver. With 19 RCEs and 28 EoP issues, defenders should prioritize zero‑days and “more likely” exploits, especially on internet‑facing services and high‑value endpoints heading into the holiday period.

Read more: https://cybersecuritynews.com/microsoft-december-2025-patch-tuesday/

Chromium ANGLE zero‑day added to CISA KEV

CISA added CVE‑2025‑14174, an out‑of‑bounds memory access bug in Chromium’s ANGLE graphics layer, to its Known Exploited Vulnerabilities catalog after in‑the‑wild abuse for remote code execution via malicious HTML content. Organizations must move Chrome to at least 131.0.6778.201, Edge to 131.0.3139.95, and ensure rapid updates across all Chromium‑based browsers before CISA’s early‑January mitigation deadline.
Read more: https://cybersecuritynews.com/chromium-0-day-vulnerability-exploited/

Google Chrome 0‑day targeting mainstream users

A separate Chrome 0‑day has been patched after active exploitation, allowing attackers to compromise users through crafted web content and potentially deploy spyware or ransomware. Enterprises should enforce browser auto‑update policies, monitor crash and anomaly telemetry, and validate that high‑risk user groups (admins, developers, execs) are on fixed builds.

Read more: https://cybersecuritynews.com/chrome-0-day-vulnerability-2/

Apple zero‑days exploited in the wild

Apple shipped emergency fixes for multiple zero‑days across iOS, iPadOS, macOS, and Safari that attackers were already leveraging for code execution and potential spyware deployment. Admins should prioritize mobile device management enforcement of the latest releases, especially for high‑risk travelers and BYOD fleets.

Read more: https://cybersecuritynews.com/apple-0-day-vulnerabilities-exploited-2/

GeminiJack: Zero‑click data exfiltration via Gemini Enterprise

The “GeminiJack” issue in Google Gemini Enterprise (and earlier Vertex AI Search) exploited prompt‑injection in shared Docs, Calendar events, and emails to trick Gemini’s RAG pipeline into querying sensitive Workspace data and exfiltrating results via hidden image requests, all without user interaction. Google has separated services and hardened instruction handling, but the case underscores the need to restrict AI data sources, monitor RAG behavior, and treat AI assistants as privileged data processors in threat models.

Read more: https://cybersecuritynews.com/gemini-zero-click-vulnerability/

SoapWn.NET vulnerabilities in SOAP testing tooling

Vulnerabilities disclosed in SoapWn.NET, a .NET SOAP testing framework, can be abused to run arbitrary code or manipulate test configurations when opening crafted project files or responses. Development and QA teams should patch to the latest release, avoid loading untrusted test artifacts, and consider sandboxing tooling used to inspect attacker‑controlled inputs.

Read more: https://cybersecuritynews.com/soapwn-net-vulnerabilities/

Notepad++ vulnerability exploited for lure delivery

Threat actors are exploiting a Notepad++ flaw to deliver malicious payloads, using weaponized plugins or crafted files to execute code on developer and IT endpoints. Updating to fixed builds and restricting plugin sources are essential, along with treating developer utilities as high‑risk targets in endpoint protection policies.

Read more: https://cybersecuritynews.com/notepad-vulnerability-exploited/

Other News

Porsche Cars Immobilized by Satellite Security Glitch

Hundreds of Porsche owners in Russia found their internal combustion models suddenly undrivable after a malfunction in the factory-installed alarm and telematics stack blocked satellite connectivity and engine start. The issue affects multiple ICE lines—from sports models to SUVs—and requires towing to authorized centers, where technicians manually reset immobilized alarm units without a definitive permanent fix yet. With no reported impact on hybrids or EVs and growing speculation around firmware bugs, supply chain tampering, or even remote kill-switch logic, the incident underscores how tightly vehicle safety now depends on opaque backend ecosystems and OTA logic.​

Read more: https://cybersecuritynews.com/porsche-cars-immobilized/

“Careless Whisper”: Silent Delivery Receipts Expose WhatsApp & Signal Activity

Researchers detailed a critical privacy weakness dubbed “Careless Whisper” that lets attackers probe WhatsApp and Signal users using only a phone number and stealth delivery receipts. By sending invisible reactions, invalid deletions, or timed-out edits, adversaries can measure round-trip delays from each device to infer screen state, usage patterns, and multi-device presence with sub-second granularity—without triggering notifications or needing prior conversations. High-rate probing, including oversized reactions that generate sustained traffic, can also inflate data usage and drain batteries, while the lack of effective rate limiting or receipt filtering for unknown contacts leaves billions of users exposed until platforms redesign their messaging metadata flows.​

Read more: https://cybersecuritynews.com/hackers-leverage-delivery-receipts/

Microsoft Copilot Disruption Hits UK Users

A significant outage in Microsoft Copilot affected users across the UK and parts of Europe, leaving many unable to authenticate to Copilot endpoints or experiencing severely degraded AI features across Edge and Microsoft 365 experiences. The disruption, tracked under a cloud incident ID, blocked or slowed AI-assisted workflows such as content drafting, data summarization, and in-app copilots, demonstrating how quickly productivity pipelines stall when centralized AI inference services fail. For security and IT leaders, the event reinforces the need for contingency planning around AI dependencies, including fallbacks for critical business processes and explicit incident playbooks for SaaS-level AI outages.​

Read more: https://cybersecuritynews.com/microsoft-copilot-disruption-in-the-uk/

Google Pushes New Gemini-Powered AI Features in Chrome

Google announced a sweeping AI upgrade for Chrome that embeds Gemini-powered capabilities directly into the browser, including in-page assistance, summarization, and smarter security protections. On the security front, enhanced Safe Browsing logic uses on-device AI to better flag scam pages and fake alerts, while new privacy models aim to reduce tracking and unwanted notification prompts at scale. At the same time, deeper AI integration increases Chrome’s attack surface, requiring defenders to watch for abuse of AI-driven content generation, prompt injection scenarios, and potential misconfigurations in new security and privacy controls.​

Read more: https://cybersecuritynews.com/google-new-ai-features/

GitHub Outage Disrupts Developers with “No Server Available” Errors

GitHub users around the world reported intermittent outages, seeing unicorn error pages and “No server is currently available to service your request” while attempting to access repositories, perform Git operations, or log in. The disruption, tied to increased backend request failures impacting core services and automation pipelines, caused delays for both open-source projects and enterprise CI/CD workflows that depend on GitHub Actions and webhooks. While initial indicators point to infrastructure and capacity issues rather than a cyberattack, the incident again highlights how central code-hosting platforms have become to vulnerability management, incident response, and daily development.​

Read more: https://cybersecuritynews.com/github-down/

MITRE’s 2025 CWE Top 25: Memory Safety & Authorization Flaws Dominate

MITRE published the 2025 CWE Top 25 Most Dangerous Software Weaknesses, analyzing tens of thousands of CVEs to identify the most frequently exploited root causes. Cross-site scripting and SQL injection remain near the top of the list, but the ranking also shows a surge in authorization weaknesses such as missing authorization and incorrect access control, along with persistent memory errors like out-of-bounds writes, use-after-free, and classic buffer overflows. For defenders and engineering leaders, the list offers a practical roadmap for secure-by-design initiatives, suggesting a stronger emphasis on memory-safe languages, robust input validation, and systematic authorization checks in cloud and microservices architectures.​

Read more: https://cybersecuritynews.com/mitre-releases-top-25-most-dangerous-software/

Kali Linux 2025.4: New Tools, Wayland, and NetHunter Enhancements

The Kali Linux team released version 2025.4, the final rolling update of the year, bringing kernel 6.16, refreshed GNOME, KDE, and Xfce environments, and a fully Wayland-focused desktop experience—even in virtual machines. Offensive tooling receives a boost with several new packages, while NetHunter gains tighter integration with Wifipumpkin3 to support advanced wireless attacks such as Evil Twin setups, captive portal phishing, and traffic interception from mobile devices. For penetration testers, the release improves day-to-day usability and broadens assessment coverage, making it a timely upgrade ahead of 2026 engagement cycles.​

Read more: https://cybersecuritynews.com/kali-linux-2025-4/