F5 Threat Report - December 24th, 2025
CISA Warns ASUS Live Update Backdoor Is Still Exploitable, Seven Years On
The Cybersecurity and Infrastructure Security Agency (CISA) has added a vulnerability in ASUS Live Update, tracked as CVE-2025-59374 with a CVSS score of 9.3, to its Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation. This utility, preinstalled on ASUS devices to deliver firmware and software updates, was compromised in a sophisticated 2018 supply chain attack attributed to Chinese state-sponsored actors, which inserted a backdoor into the updater. Although the attack targeted a small, specific group of approximately 600 devices selected by hashed MAC addresses, millions of users may have downloaded the backdoored utility. ASUS Live Update is no longer supported but still delivers updates, so the legacy software remains a persistent risk on affected devices. Users are urged to update ASUS Live Update to version 3.6.8 or later, either through the utility itself or by manually downloading the latest version for their specific device model from the official ASUS website, and, given the history of supply chain abuse, to avoid third-party download sources.
Severity: Critical
Sources
- https://gbhackers.com/actively-exploited-asus-vulnerability-added-to-cisas-kev-list/
- https://thehackernews.com/2025/12/cisa-flags-critical-asus-live-update.html
- https://www.malwarebytes.com/blog/news/2025/12/cisa-warns-asus-live-update-backdoor-is-still-exploitable-seven-years-on
- https://www.securityweek.com/cisa-warns-of-exploited-flaw-in-asus-update-tool/
Threat Details and IOCs
| Malware: | Backdoor:Win32/Shadowpad.AA!MSR, PassCV, ShadowHammer, ShadowPad, Trojan.Win32.Agentb.jqco, Winnti |
| CVEs: | CVE-2025-59374 |
| Technologies: | ASUS, Microsoft Windows |
| Threat Actors: | APT41, Barium, BrassTyphoon, WickedPanda, Winnti |
| Attacker Countries: | China |
| Attacker IPs: | 141.105.71.116 |
| Attacker Domains: | asushotfix.com, liveupdate01.asus.com |
| Attacker URLs: | hxxp://liveupdate01.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER365.zip |
| Victim Industries: | Gaming, Government, Healthcare, Pharmaceuticals, Sports and Entertainment, Technology Hardware, Telecommunications |
| Victim Countries: | South Korea, Taiwan, United States |
Mitigation Advice
- Use asset inventory systems to generate a report of all ASUS-manufactured devices operating within the environment.
- Uninstall the ASUS Live Update utility from all identified corporate ASUS devices.
- Add the domain 'asushotfix[.]com' to network firewall and web proxy blocklists.
- Run a full endpoint scan with your EDR or antivirus solution to detect infections related to the 'ShadowHammer' campaign, ensuring signatures are updated to detect 'HEUR:Trojan.Win32.ShadowHammer.gen'.
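Two of the steps above (inventorying ASUS devices that still carry ASUS Live Update, and watching for traffic to the ShadowHammer infrastructure) can be run against exported data. The script below is an added example, not code from the F5 report or from ASUS; the inventory columns, proxy log format and host names are constructed assumptions, while the minimum version (3.6.8), the blocklisted domain and the trojanized download URL come from the report. It treats liveupdate01.asus.com as ASUS's legitimate update host and only flags the specific path the report lists.

```python
"""Added example (not from the F5 report): triage an exported ASUS fleet inventory
for ASUS Live Update installs, and scan proxy logs for the report's indicators."""
import csv
import io
import re

MIN_SAFE_VERSION = (3, 6, 8)            # advisory: "update to version 3.6.8 or later"
BLOCK_DOMAINS = {"asushotfix.com"}      # domain the mitigation advice says to blocklist
# Exact download path the report lists as the ShadowHammer payload. The host is
# ASUS's legitimate update server, so only this path is treated as an indicator.
KNOWN_BAD_URLS = {("liveupdate01.asus.com",
                   "/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER365.zip")}

def parse_version(text):
    """'3.6.8' -> (3, 6, 8); None when the field is empty or not dotted digits."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)*)\s*", text or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def needs_update(version_text):
    """True when ASUS Live Update is below 3.6.8, or the version is unknown."""
    v = parse_version(version_text)
    if v is None:
        return True                      # unknown version: treat as outdated
    v = v + (0,) * max(0, 3 - len(v))    # treat '3.6' as 3.6.0
    return v[:3] < MIN_SAFE_VERSION

def triage_inventory(csv_text):
    """Return (hostname, version, outdated) for every ASUS device that still
    carries ASUS Live Update, sorted by hostname. Per the advice above all of
    them are removal candidates; the flag shows which are also below 3.6.8."""
    found = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        if "ASUS" in r["manufacturer"].upper() and r["app_name"] == "ASUS Live Update":
            found.append((r["hostname"], r["app_version"], needs_update(r["app_version"])))
    return sorted(found)

def find_indicator_hits(log_lines):
    """Scan proxy lines ('<ts> <host> <method> <domain> <path>', a constructed
    format) for the blocklisted domain and the known trojanized download URL."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 5:
            continue                     # skip malformed lines rather than crash
        _ts, host, _method, domain, path = parts
        domain = domain.lower()
        if domain in BLOCK_DOMAINS or any(domain.endswith("." + d) for d in BLOCK_DOMAINS):
            hits.append((host, domain, "blocklisted domain"))
        elif (domain, path) in KNOWN_BAD_URLS:
            hits.append((host, domain, "known trojanized download"))
    return hits

# Constructed sample data (not real hosts or exports).
SAMPLE_INVENTORY = """hostname,manufacturer,app_name,app_version
NB-043,ASUSTeK COMPUTER INC.,ASUS Live Update,3.6.8
LAPTOP-17,ASUSTeK COMPUTER INC.,ASUS Live Update,3.4.4
NB-042,ASUSTeK COMPUTER INC.,ASUS Live Update,3.6.7
WS-009,Dell Inc.,Example Update Tool,5.1.0
NB-044,ASUSTeK COMPUTER INC.,Example Vendor Tool,1.0
"""
SAMPLE_PROXY_LOG = [
    "2025-12-20T10:01:02Z LAPTOP-17 GET asushotfix.com /update/manifest.xml",
    "2025-12-20T10:02:11Z NB-043 GET liveupdate01.asus.com /pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER365.zip",
    "2025-12-20T10:03:45Z NB-042 GET liveupdate01.asus.com /pub/ASUS/nb/Apps_for_Win8/LiveUpdate/example_other_file.zip",
    "garbage line",
]

if __name__ == "__main__":
    for host, ver, outdated in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host}: ASUS Live Update {ver} {'OUTDATED' if outdated else 'current'} (remove or update)")
    for host, domain, why in find_indicator_hits(SAMPLE_PROXY_LOG):
        print(f"{host}: contacted {domain} ({why})")
```

The version comparison is deliberately conservative: an empty or unparseable version field is reported as outdated, because an asset-inventory gap is exactly where an unpatched legacy updater hides.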
Compliance Best Practices
- Develop and implement a software lifecycle management policy to audit, track, and remove end-of-life and unsupported applications from all corporate systems on a recurring basis.
- Establish a supply chain risk management program to formally assess the security posture of software vendors and validate the integrity of third-party software updates before enterprise-wide deployment.
- Deploy an application control solution, such as Windows AppLocker or a similar tool, to enforce an allowlist of approved software and block the execution of unauthorized or non-essential utilities.
- Configure perimeter firewalls to enforce a default-deny egress filtering policy, allowing outbound connections only for explicitly approved services, protocols, and destinations required for business operations.
UK Government Confirms Foreign Office Cyber Attack
The UK government confirmed a cyber attack on the Foreign, Commonwealth and Development Office (FCDO) in October, stating there was a low risk of personal data compromise, though Trade Minister Chris Bryant indicated the perpetrator was unclear despite reports attributing it to the China-based Storm 1849 group. This group was previously linked to exploiting zero-day vulnerabilities in Cisco Adaptive Security Appliance (ASA) equipment, known as the "ArcaneDoor" campaign, which led to a National Cyber Security Centre (NCSC) warning in September about the risks of end-of-life Cisco systems. The FCDO breach reportedly involved access to confidential data and documents, potentially including visa details, and has fueled criticism regarding a national digital ID scheme and the government's "One Login" system. The year 2025 was marked by numerous high-profile cyber attacks, including ransomware incidents affecting Jaguar Land Rover (which impacted the UK economy), Co-op, Marks & Spencer, Oxford City Council, Harrods, multiple airports, Glasgow City Council, Adidas, and Peter Green Chilled, in addition to attacks on four London councils, with Westminster confirming data exfiltration.
Severity: Critical
Sources
Threat Details and IOCs
| Malware: | AquaPurge, AquaShell, AquaTunnel, Line Dancer, Line Runner, LINE VIPER, RayInitiator, ReverseSSH |
| CVEs: | CVE-2024-20353, CVE-2024-20359, CVE-2025-20333, CVE-2025-20362, CVE-2025-20363, CVE-2025-20393 |
| Technologies: | Cisco Adaptive Security Appliance, Cisco AsyncOS, Cisco Firepower Threat Defense Software |
| Threat Actors: | STORM1849, Uat4356, UAT9686 |
| Attacker Countries: | China |
| Victim Industries: | Automotive, Defense, Financial Services, Government, Healthcare, Logistics, Public Sector, Retail, Telecommunications, Transportation |
| Victim Countries: | Belgium, Germany, United Kingdom |
Mitigation Advice
- Apply the latest security patches to all Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices to mitigate the vulnerabilities associated with the ArcaneDoor campaign.
- Review logs and system configurations on all Cisco ASA devices for indicators of compromise related to the ArcaneDoor campaign, such as unexpected reboots, unauthorized configuration changes, or suspicious credential activity.
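The log review above is easier to repeat if the three indicator classes (unexpected reboots, configuration changes, suspicious credential activity) are pulled out of ASA syslog automatically. The script below is an added example, not code from the F5 report or from Cisco; the sample lines and host names are constructed, and the message IDs and formats follow Cisco's ASA syslog reference as I recall them, so verify them against that reference before relying on the mapping.

```python
"""Added example (not from the F5 report): pull ArcaneDoor-style review points
out of Cisco ASA syslog lines: reboots, executed commands, failed-login bursts,
and a successful login from a source that had just been failing."""
import re
from collections import defaultdict

# message id -> category. Assumed mapping; check against Cisco's syslog reference.
WATCHED = {
    "199002": "reboot",         # "Startup completed. Beginning operation."
    "111008": "config_change",  # "User 'x' executed the 'cmd' command."
    "111010": "config_change",  # "User 'x', running 'app' from IP 'ip', executed 'cmd'"
    "605004": "auth_fail",      # "Login denied from ip/port to intf:ip/svc for user "x""
    "113015": "auth_fail",      # "AAA user authentication Rejected : ... : user = x"
    "605005": "auth_ok",        # "Login permitted from ip/port ... for user "x""
}
# Constructed line layout: "<Mon> <dd> <yyyy> <hh:mm:ss> <host> : %ASA-<sev>-<id>: <text>"
LINE_RE = re.compile(r"^(?:\S+\s+){4}(\S+)\s*:\s*%ASA-\d-(\d{6}):\s*(.*)$")
USER_RE = re.compile(r"[Uu]ser (?:'([^']+)'|\"([^\"]+)\"|= ([^\s:]+))")
SRC_RE = re.compile(r"from (?:IP ')?(\d{1,3}(?:\.\d{1,3}){3})")
CMD_RE = re.compile(r"executed (?:the )?'([^']+)'")

def _first(match):
    """First non-empty capture group of a regex match, or None."""
    return next((g for g in match.groups() if g), None) if match else None

def review_asa_log(lines, fail_threshold=3):
    """Return reboots, non-read-only command executions, sources with at least
    fail_threshold failed logins, and successful logins from a source that had
    already failed earlier in the same log."""
    out = {"reboots": [], "config_changes": [], "failed_logins": defaultdict(int),
           "logins_after_failures": []}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(2) not in WATCHED:
            continue
        host, msg_id, text = m.groups()
        category = WATCHED[msg_id]
        user = _first(USER_RE.search(text))
        src = _first(SRC_RE.search(text))
        if category == "reboot":
            out["reboots"].append(host)
        elif category == "config_change":
            cmd = _first(CMD_RE.search(text)) or ""
            if cmd.startswith("show"):
                continue                # read-only command, not a configuration change
            out["config_changes"].append((host, user, src, cmd))
        elif category == "auth_fail":
            out["failed_logins"][src] += 1
        elif category == "auth_ok" and out["failed_logins"].get(src):
            out["logins_after_failures"].append((host, user, src))
    out["failed_logins"] = {s: n for s, n in out["failed_logins"].items() if n >= fail_threshold}
    return out

# Constructed sample log (documentation IP ranges, fictional hosts).
SAMPLE_ASA_LOG = [
    'Dec 20 2025 03:12:01 fw-edge-1 : %ASA-6-605004: Login denied from 203.0.113.9/51222 to outside:198.51.100.1/443 for user "admin"',
    'Dec 20 2025 03:12:03 fw-edge-1 : %ASA-6-605004: Login denied from 203.0.113.9/51223 to outside:198.51.100.1/443 for user "admin"',
    'Dec 20 2025 03:12:05 fw-edge-1 : %ASA-6-605004: Login denied from 203.0.113.9/51224 to outside:198.51.100.1/443 for user "cisco"',
    'Dec 20 2025 03:12:40 fw-edge-1 : %ASA-6-605005: Login permitted from 203.0.113.9/51230 to outside:198.51.100.1/443 for user "admin"',
    "Dec 20 2025 03:13:10 fw-edge-1 : %ASA-5-111010: User 'admin', running 'CLI' from IP '203.0.113.9', executed 'copy running-config tftp:'",
    "Dec 20 2025 03:13:55 fw-edge-1 : %ASA-5-111008: User 'admin' executed the 'ssh 203.0.113.0 255.255.255.0 outside' command.",
    "Dec 20 2025 03:20:00 fw-edge-1 : %ASA-6-199002: Startup completed. Beginning operation.",
    "Dec 20 2025 08:00:00 fw-edge-2 : %ASA-5-111008: User 'netops' executed the 'show running-config' command.",
    "Dec 20 2025 08:00:01 fw-edge-2 : %ASA-6-302013: Built outbound TCP connection 12345 for outside:192.0.2.7/443 (192.0.2.7/443) to inside:10.0.0.5/51000 (10.0.0.5/51000)",
]

if __name__ == "__main__":
    for key, value in review_asa_log(SAMPLE_ASA_LOG).items():
        print(f"{key}: {value}")
```

The useful output is the correlation rather than any single message: a burst of denied logins, a permitted login from the same source, a configuration export and a management-access change, then a reboot on the same appliance within minutes. Each line alone is routine; the sequence is what the review is looking for.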
Compliance Best Practices
- Create an inventory of all network perimeter devices and prioritize the replacement of any Cisco Adaptive Security Appliance (ASA) models that are at or near their end-of-life (EoL) date.
- Establish and enforce a formal hardware and software lifecycle management policy that mandates the replacement of any network or security appliance before it reaches its end-of-support date.
- Implement network segmentation to create security zones that isolate critical servers and data from user workstations and other less-sensitive areas, thereby limiting an attacker's lateral movement capabilities.
CVE-2025-68260: First Rust Vulnerability in Linux Kernel's Android Binder Driver
A vulnerability, designated CVE-2025-68260, has been identified and fixed in the Linux kernel, marking the first CVE formally assigned to Rust code in the mainline kernel. This issue, reported by Greg Kroah-Hartman, affects the Android Binder driver, which was rewritten in Rust. The core of the bug is an unsafe operation within the Rust-based Binder implementation where an element is removed from a linked list while another thread concurrently manipulates the same `prev/next` pointers. Specifically, the `Node::release` function's logic involved moving elements to a temporary stack-based list before releasing a lock, creating a race condition if another thread performed an unsafe removal on the original list. This could lead to memory corruption, ultimately causing kernel crashes, exemplified by "Unable to handle kernel paging request" errors in the `rust_binder` module. The vulnerability was introduced in Linux 6.18 (commit `eafedbc7c050c44744fbdf80b7513`) and resolved in 6.18.1 (commit `3428831264096d32f830a7fcfc7885dd263e511a`) and 6.19-rc1 (commit `3e0ae02ba831da2b707905f4e602e43f8507b8cc`), with the fix involving a rewrite of `Node::release` to extract elements directly from the original list. Upgrading to a current stable kernel release is strongly recommended as a mitigation.
Severity: Critical
Sources
- https://cyberpress.org/linux-kernel-rust-component-hit-by-vulnerability/
- https://gbhackers.com/new-linux-kernel-rust-vulnerability/
- https://securityonline.info/rusts-first-breach-cve-2025-68260-marks-the-first-rust-vulnerability-in-the-linux-kernel/
- https://www.cyberkendra.com/2025/12/first-rust-vulnerability-in-linux.html
- https://www.phoronix.com/news/First-Linux-Rust-CVE
Threat Details and IOCs
| Malware: | Akira, Akira_v2, Aqua, AquaShell, Cl0p, Clop, CryptoMix, Megazord |
| CVEs: | CVE-2025-68260 |
| Technologies: | Google Android, Linux |
| Attacker Hashes: | 3428831264096d32f830a7fcfc7885dd263e511a, 3e0ae02ba831da2b707905f4e602e43f8507b8cc |
| Victim Industries: | Consumer Electronics, Information Technology, Manufacturing, Retail, Technology Hardware, Telecommunications, Transportation |
| Victim Countries: | United States |
Mitigation Advice
- Execute the command 'uname -r' on all Linux hosts to create an inventory of running kernel versions and identify all systems running version 6.18.
- For all systems identified with the vulnerable kernel version 6.18, schedule and apply an upgrade to a patched stable version (6.18.1 or newer) and reboot the system to activate the new kernel.
Compliance Best Practices
- Implement a formal patch management policy that mandates the review, testing, and deployment of operating system security updates on a defined, recurring schedule (e.g., monthly).
- Audit the kernel configuration of production Linux servers to identify and disable non-essential kernel modules, creating a hardened baseline configuration that reduces the overall attack surface.
- Configure system logging and monitoring tools to collect kernel logs from all Linux hosts and create high-priority alerts for messages containing terms like 'kernel panic', 'Oops', or 'Unable to handle kernel paging request'.
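The `uname -r` inventory step in the mitigation advice and the kernel-log alerting item just above can both be scripted. The block below is an added example, not code from the F5 report or from the kernel project; host names and log lines are constructed. The version logic encodes only what the report states (introduced in 6.18, fixed in 6.18.1 and 6.19-rc1), and it treats 6.18 release candidates as affected; distribution kernels that backport the fix without changing the version string would need a vendor-specific check instead.

```python
"""Added example (not from the F5 report): classify fleet `uname -r` output for
CVE-2025-68260 exposure and match kernel log lines against the alert terms
named in the compliance advice."""
import re

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")
ALERT_TERMS = ("Unable to handle kernel paging request", "kernel panic", "Oops")

def parse_kernel_version(uname_r):
    """'6.18.0-1-amd64' -> (6, 18, 0, None); '6.19.0-rc1' -> (6, 19, 0, 1);
    None when the string does not start with a dotted version."""
    m = VERSION_RE.match(uname_r.strip())
    if not m:
        return None
    major, minor, patch, rc = m.groups()
    return int(major), int(minor), int(patch or 0), (int(rc) if rc else None)

def cve_2025_68260_status(uname_r):
    """'affected', 'fixed', 'not_affected' or 'unknown' for one uname -r string."""
    v = parse_kernel_version(uname_r)
    if v is None:
        return "unknown"
    major, minor, patch, _rc = v
    if (major, minor) < (6, 18):
        return "not_affected"       # the Rust Binder driver first shipped in 6.18
    if (major, minor) == (6, 18):
        return "affected" if patch == 0 else "fixed"   # fixed in 6.18.1; 6.18-rc treated as affected
    return "fixed"                  # 6.19-rc1 and later carry the fix

def fleet_report(uname_by_host):
    """Group hosts by status so the 'affected' list can go straight to scheduling."""
    report = {"affected": [], "fixed": [], "not_affected": [], "unknown": []}
    for host, uname_r in uname_by_host.items():
        report[cve_2025_68260_status(uname_r)].append(host)
    return {k: sorted(v) for k, v in report.items()}

def kernel_log_alerts(lines):
    """Return (term, line) for each line containing an alert term. 'Oops' is
    matched as a whole word so it does not fire on ordinary message text."""
    hits = []
    for line in lines:
        for term in ALERT_TERMS:
            pattern = r"\bOops\b" if term == "Oops" else re.escape(term)
            if re.search(pattern, line, re.IGNORECASE):
                hits.append((term, line))
                break
    return hits

# Constructed sample data (fictional hosts; log lines modelled on dmesg output).
SAMPLE_UNAME = {
    "db-01": "6.18.0-1-amd64",
    "web-02": "6.18.1-arch1-1",
    "build-03": "6.19.0-rc1",
    "legacy-04": "6.12.30-generic",
    "iot-05": "unknown",
}
SAMPLE_DMESG = [
    "[   12.001000] usb 1-1: new high-speed USB device number 2 using xhci_hcd",
    "[ 1234.567890] Unable to handle kernel paging request at virtual address 0000000000000010",
    "[ 1234.568012] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP",
    "[ 1234.568300] Modules linked in: rust_binder example_module",
    "[ 1234.570000] loop: module loaded",
]

if __name__ == "__main__":
    print(fleet_report(SAMPLE_UNAME))
    for term, line in kernel_log_alerts(SAMPLE_DMESG):
        print(f"ALERT [{term}]: {line}")
```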
APT35 Leak Unveils Spreadsheets Containing Domain, Payment, and Server Information
A recent data leak, dubbed Episode 4, has exposed the operational infrastructure of the Iran-linked threat actor APT35 (Charming Kitten), revealing a bureaucratic and meticulously managed cyber apparatus rather than a loose hacker collective. The leaked files, including `0-SERVICE-Service.csv`, `0-SERVICE-payment BTC.csv`, and `1-NET-Sheet1.csv`, detail the group's procurement, funding, and administration processes. `0-SERVICE-Service.csv` contains over 170 rows linking domains to registrars such as EDIS Global, NameSilo, and ImprezaHost, along with more than 50 ProtonMail aliases and 80 email-password pairs, complete with pricing and renewal information. `0-SERVICE-payment BTC.csv` documents 55 Bitcoin transactions, averaging $56 (0.0019 BTC) each, processed via Cryptomus between October 2023 and December 2024, with small, recurring transfers designed to evade regulatory scrutiny. Finally, `1-NET-Sheet1.csv` lists network ranges and IP allocations, including blocks under AS203391 and AS21340, across European hosting providers, with several traced to active VPS rentals. These records also link APT35's procurement network to the Moses Staff hacktivist group, with the domain "moses" appearing in the service ledger and shared ProtonMail accounts, indicating administrative support for Moses Staff's operations. The leak highlights the "economic engine" behind Iranian cyber operations, demonstrating how long-term intrusion campaigns are sustained through spreadsheet-managed budgets and micro-crypto payments.
Severity: High
Sources
Threat Details and IOCs
| Malware: | DCrSrv, DCSrv, PyDCrypt, StrifeWater, StrifeWater RAT |
| CVEs: | CVE-2012-1823, CVE-2018-13379, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-31207, CVE-2021-34473, CVE-2021-34523, CVE-2021-44228, CVE-2022-30190, CVE-2024-1709 |
| Technologies: | Ivanti Connect Secure, Microsoft 365, Microsoft Exchange Server, Microsoft Windows |
| Threat Actors: | AbrahamsAx, APT35, CharmingKitten, MosesStaff |
| Attacker Countries: | Iran |
| Attacker IPs: | 109.125.132.66, 109.230.93.128, 109.230.93.128/29, 1.235.222.140, 128.199.237.132, 185.103.130.16, 185.103.130.16/30, 185.212.193.240, 185.212.193.240/29, 195.191.44.73, 212.12.178.178, 212.175.168.58, 83.96.77.227 |
| Attacker Emails: | 3cx@protonmail.com, abrahamsax@protonmail.com, ali.rezaei@protonmail.com, amir.hossein@protonmail.com, bashiriansul@proton.me, bbmovement@protonmail.com, bbmovement@protonmail.com, b.laws32@proton.me, bulgaria@protonmail.com, carlos.patel@protonmail.com, clark.norman@protonmail.com, clarknorman@protonmail.com, clark.norman@proton.me, cou.nic@protonmail.com, cybersonix@protonmail.com, cybersonix@protonmail.com, edgar.evseev@protonmail.com, edgarevseev@protonmail.com, edgar.evseev@proton.me, fatemeh.hashemi@protonmail.com, gdavies007@proton.me, hossein.alizadeh@protonmail.com, jhjbmuugtfftdd@proton.me, john.porter857@protonmail.com, julius.yermolayev@protonmail.com, juliusyermolayev@protonmail.com, julius.yermolayev@proton.me, kanplus@protonmail.com, karaj@protonmail.com, kashef@protonmail.com, leviscross@protonmail.com, levis.cross@proton.me, lolita259@proton.me, mahabosman@protonmail.com, maja.bosman@protonmail.com, maja.bosman@proton.me, maryam.safari@protonmail.com, mehdi.karimi@protonmail.com, mekhaeel.kalashnikova@protonmail.com, mekhaeelkalashnikova@protonmail.com, mekhaeel.kalashnikova@proton.me, mekhaeelkalashnikova@proton.me, meriyalee@protonmail.com, meriyalee@protonmail.com, misvps@protonmail.com, mlw.services.313@protonmail.com, molden5@protonmail.com, mosesstaff.io@protonmail.com, mosesstaff@protonmail.com, nansi.morad@protonmail.com, narges.moradi@protonmail.com, reza.mohammadi@protonmail.com, rona_yanga@proton.me, sanjilankopylova@proton.me, sara.ahmadi@protonmail.com, secnetdc@protonmail.com, serversamane@protonmail.com, sheldon.bayer@protonmail.com, sheldonbayer@protonmail.com, sheldon.bayer@proton.me, shirley7070@proton.me, shirley.bishop@protonmail.com, shirleybishop@protonmail.com, shirley.bishop@proton.me, sskmt@protonmail.com, tecret@protonmail.com, termite@protonmail.com, timothyefimov@protonmail.com, vpn@protonmail.com, zahra.ebrahimi@protonmail.com |
| Attacker Domains: | bbmovements.com, cavinet.org, dreamy-jobs.com, israel-talent.com, israel-talent.xyz, kanplus.org, misvps.io, modernizmir.net, moses-staff.io, moses-staff.se, moses-staff.to, secnetdc.com, sskmt.com, tecret.com, termite.nu, wazayif-halima.org |
| Attacker URLs: | http://dreamy-jobs.com |
| Victim Industries: | Aerospace, Defense, Education, Energy, Financial Services, Government, Information Technology, Legal Services, Manufacturing, Multimedia, Transportation & Logistics, Utilities |
| Victim Countries: | Afghanistan, Bulgaria, Chile, Cyprus, Germany, India, Israel, Italy, Jordan, Kuwait, Netherlands, Russia, Saudi Arabia, South Korea, Turkey, United Arab Emirates, United Kingdom, United States |
Mitigation Advice
- Block all inbound and outbound traffic to and from IP ranges associated with Autonomous System Numbers AS203391 and AS21340 at the network firewall.
- Conduct an emergency scan for and prioritize patching of vulnerabilities known to be exploited by APT35, including ProxyShell (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) and Log4Shell (CVE-2021-44228).
- Configure email security gateways to block or quarantine emails originating from ProtonMail domains to mitigate phishing attempts from this threat actor.
- Obtain the list of 80 leaked email-password pairs from threat intelligence providers and immediately search all authentication logs and systems for any matches, forcing password resets and investigating any accounts found.
- Use EDR or other system scanning tools to perform a targeted search across all endpoints and file shares for the filenames `0-SERVICE-Service.csv`, `0-SERVICE-payment BTC.csv`, and `1-NET-Sheet1.csv`.
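The IP ranges and domains in the table above can be matched against firewall and DNS logs directly. The script below is an added example, not code from the F5 report; the log format and sample lines are constructed, and the indicator lists are copied from the report's table (the bare 109.230.93.128 entry is folded into its /29). Blocking at the AS203391 and AS21340 level, as the first mitigation item recommends, needs the current prefix list for those ASNs from BGP or RIR data, which is outside what this example has; it uses only the prefixes the report names.

```python
"""Added example (not from the F5 report): match key=value firewall and DNS log
lines against the APT35 IP ranges and domains listed in the report."""
import ipaddress

# Indicators from the report's table. Single hosts become /32 networks.
ATTACKER_IPS = [
    "109.125.132.66", "109.230.93.128/29", "1.235.222.140", "128.199.237.132",
    "185.103.130.16/30", "185.212.193.240/29", "195.191.44.73", "212.12.178.178",
    "212.175.168.58", "83.96.77.227",
]
ATTACKER_DOMAINS = {
    "bbmovements.com", "cavinet.org", "dreamy-jobs.com", "israel-talent.com",
    "israel-talent.xyz", "kanplus.org", "misvps.io", "modernizmir.net",
    "moses-staff.io", "moses-staff.se", "moses-staff.to", "secnetdc.com",
    "sskmt.com", "tecret.com", "termite.nu", "wazayif-halima.org",
}
NETWORKS = [ipaddress.ip_network(entry, strict=False) for entry in ATTACKER_IPS]

def match_ip(ip_text):
    """Return the indicator network containing ip_text, or None."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None                      # empty or malformed field
    for net in NETWORKS:
        if ip in net:
            return str(net)
    return None

def match_domain(name):
    """Return the indicator domain that name equals or is a subdomain of, or None."""
    name = name.lower().rstrip(".")
    for d in ATTACKER_DOMAINS:
        if name == d or name.endswith("." + d):
            return d
    return None

def scan_log(lines):
    """Scan lines of the constructed form '<ts> <sensor> <action> k=v k=v ...'.
    Returns (line_no, field, value, indicator) for every src/dst/qname hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        for key in ("src", "dst"):
            net = match_ip(fields.get(key, ""))
            if net:
                hits.append((n, key, fields[key], net))
        if "qname" in fields:
            d = match_domain(fields["qname"])
            if d:
                hits.append((n, "qname", fields["qname"], d))
    return hits

# Constructed sample log (internal hosts use RFC 1918 and documentation ranges).
SAMPLE_LOG = [
    "2025-12-21T09:00:01Z fw1 allow src=10.0.4.22 dst=109.230.93.130 dport=443",
    "2025-12-21T09:00:02Z dns1 query src=10.0.4.22 qname=login.israel-talent.com",
    "2025-12-21T09:00:03Z fw1 allow src=10.0.4.23 dst=203.0.113.5 dport=443",
    "2025-12-21T09:00:04Z fw1 deny src=185.212.193.245 dst=198.51.100.10 dport=22",
    "2025-12-21T09:00:05Z dns1 query src=10.0.4.30 qname=example.com",
]

if __name__ == "__main__":
    for n, field, value, indicator in scan_log(SAMPLE_LOG):
        print(f"line {n}: {field}={value} matches {indicator}")
```

Matching on networks rather than literal strings is what makes the /29 and /30 entries useful: 109.230.93.130 is never written in the report, but it sits inside 109.230.93.128/29 and is caught. The first two sample lines also show the pattern worth escalating, a DNS lookup for an indicator domain from the same internal host that then connects to an indicator range.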
Compliance Best Practices
- Implement a continuous security awareness training program that includes phishing simulations based on APT35's known TTPs, such as credential harvesting from fake login pages.
- Develop a phased rollout plan to enforce phishing-resistant Multi-Factor Authentication (MFA), such as FIDO2 security keys, for all user accounts, prioritizing externally-facing services and privileged access.
- Implement a strict network egress filtering policy that denies outbound traffic by default and only allows connections required for business operations through an explicit approval process.
- Establish a formal vendor risk management program to assess and monitor the security posture of third-party service providers, including domain registrars and hosting companies.
NuGet Malware Mimic: .NET Integration Library Steals Crypto Wallets and OAuth Tokens
ReversingLabs researchers have identified a sophisticated malware campaign targeting the .NET developer ecosystem through the NuGet package manager, active since July 2025. This campaign involves 14 malicious packages designed to mimic legitimate cryptocurrency libraries, employing social engineering tactics like homoglyph attacks (e.g., "Netherеum.All" impersonating "Nethereum"), version bumping, and artificially inflated download counts. The packages are categorized into three groups: "Wallet Stealers" (e.g., Netherеum.All, SolnetPlus) exfiltrate private keys, seed phrases, and Wallet Import Format (WIF) keys via a `Shuffle` function to a dynamically generated URL like solananetworkinstance[.]info; "Funds Redirectors" (e.g., Coinbase.Net.Api) inject a `MapAddress` function into `SendMoneyAsync` to silently overwrite destination addresses for transactions exceeding $100; and "OAuth Credential Theft" packages (e.g., GoogleAds.API) exfiltrate Google Ads OAuth Client IDs, secrets, and developer tokens, enabling fraudulent ad spending. Despite NuGet's mandatory two-factor authentication, attackers bypassed defenses through social engineering, with packages published by authors such as AngelDev, DamienMcdougal, and jackfreemancodes. Developers are advised to scrutinize package publish dates and author histories rather than relying solely on download metrics.
Severity: Critical
Sources
- https://cyberpress.org/malicious-nuget-package/
- https://gbhackers.com/nuget-malware/
- https://hackread.com/nuget-malicious-packages-steal-crypto-ad-data/
- https://securityonline.info/poisoned-dependencies-how-nethereum-all-and-10m-fake-downloads-looted-net-crypto-developers/
- https://www.reversinglabs.com/blog/nuget-malware-crypto-oauth-tokens
Threat Details and IOCs
| Malware: | GachiLoader, NBitcoin.Unified, Nethereum.All, Netherеum.All, Phantom Stealer, SolnetAll, Stealerium |
| Technologies: | Coinbase Wallet, Google Ads, Google Ads API, Microsoft .NET Framework, Microsoft NuGet, NBitcoin, Nethereum, NuGet, Solana, Solnet |
| Attacker IPs: | 176.113.82.163 |
| Attacker Domains: | solananetworkinstance.info |
| Attacker URLs: | hxxps://solananetworkinstance.info/api/gads |
| Attacker Hashes: | 03ff8f5352e42dbb0f2e60ae9bc36b27c35860b3, 05a29102d2769834b87cf8505cf64fb910625d1e, 08aeac51c5af03a3dd769d339fb8a4b08729a4de, 0907e15fceae4ac81383ea576a44b71ed1a9643a, 09618bc8f2dde467890403b5ad71ab8349dd7339, 0a70ea53f4ade70ce2616522ffb601ee1778c0ea, 0ad97d12add68d0e998d40d69c9e4b189f4a9588, 0b267bc5cbba9a96b3c7ecf56222776fccf8d13e, 0efe44b572d3fd481cb16a47dd3b7516c104d4d2, 10094b31992f597142dff3a01b16874459ca9d4b, 10206b3d71e972a415c26d8275080a2b1d91554d, 10e6d3c4bc327409b7f2af76be4153dbe470e0af, 1128c17ebe42617d75277987b384a6a15f1d7000, 11c46b9a5235b24370dec636e0bc2f8d8cfbc0ba, 130b16b10b1e6a5e235097630f9b8fa2251fb7ce, 14a567ef4b0c4cc480056d951dcca6d3648c5a73, 157c0f2d09621c37d638fcc42d9c6bc7107f018f, 16553a6418a4035c5a3c5b66482fad3189039beb, 169539b741d054a01e91707d8ac0008474785b58, 174716911ef4bec98a2defd165a27eb4752e61ad, 182de4f79db336e706391ef7a3431a5a4cbfde77, 1876c5cc5cb5d8c10aab3d4b479e1561f3fd5e6a, 18df861bbf1b00ce4046dce4d952be5bf6f3f825, 19774417312a7204716176d86101a53e1ec7de83, 1a8549071a86de50bb78f51ed3e5ebfcd4c3942b, 1a9493f509371d9dc1056958337d7b74798f5661, 1a986ac0865ee9c34227b049d3959e3de14a6509, 1c0d4ecd29ea197b41cd65409b89d9b8620812fe, 1c9bd2aed6739155d256981990cfa814ce0f77b6, 1cde8da0dd07326657eba749806541b767d93aac, 1cf71a5de91d7a90673b389a15cffdfb3915682d, 1f6dbf2a29e85ee6b31d57004125d42b73e079b5, 20c146f2205a96925b14f18059aca1ff38d5dcb8, 232a17f920a526ea6ef57b854589f97faeb53994, 232f619a8444cd8b484ece901accb45a6be2df1e, 29c4f29a2c6d7929eba10301f6d861a5591cbe56, 2a32919bffc04b3c4c124b8383f5eedad457c4d5, 2ce05bc2380a97fca39f84c54fc14f8c9a26545a, 2d1007c76962cac395abb38a20216b7b02feae4a, 310cdb353ba2dda94989f65b20de4f67e0cff93a, 316a9b6cd308d2de74cf3bfcf51e75919b71e8ea, 32876e3127fbbd329ba10ff2e2844aa8d5205b29, 32ea26acb233b573b3e4f1b874f9768d11751e38, 345a8837b87936cedf37f62e4a2014481a4e0d24, 34da48fa43e4325ed448f47bd4570079b320dd22, 36276d55f741825d42eff099d4f79b9c1b19a5a6, 3654ff5509d494b29f418b042c7c8a02fe46a127, 
37b17099788e0b5b3f7b5c4a9175c271f43bc1f2, 3841005cd1aacc0ae8f8f5907d38daefd1582b20, 385b8a72dbd18dae1b8e4e310fcdbb38ed288307, 3c094cd90d2f83b1c4e3f0a391ef0871d2ffaf95, 3da74f705246b95e07c5d459488e5f48befe10f7, 3e29b26f141cfb7532b6cfb277f32c7191b4b915, 3f98fb94b3268e9c6e2c6cad120d762bd2c136bb, 3fe9db489407533718e6246c4a56994561326da7, 40cd8703d940c4f3fe880c7292a6b92a099a7f5e, 456eecf8311491a242c0984918936d422185a881, 457136952da8784d6c4cede431d816d99b60c327, 461a9192674bdf2c29fa586cdb7c2cd733d66663, 4697e60cc77722eb3e7567899fb4a6d56db2487d, 476411c66c27227574a51466d44a05d14c5cf647, 47fa246f312ae447fa3849a33644fbdc91c1b3c5, 4a43f89ce32f3c4c7dedfbd782c2cb4d3834478c, 4d21fbe0c099b9e21db89fef5d167ba6593265ec, 4e38e286139bdb93d9760279171634745e1f531d, 4eb148d83d9a3f5c1187a9d8d5a0e85459fa9c87, 5149d3e9eda7ae65116d7e0780294191c153de5c, 51c5304ac9cb69505bc6182d05b0aa18356d01c7, 52620426caf465180318147db633f2ce26efe35d, 528adc0d2e7a6e1357aa3676a69bc43648f99776, 52b078c85b5a76d8f97feb3701d9d6ff0de4e284, 52fd4d3a3e1f62fdffb94d5745bb0a543a3ff780, 53997fafbe623aa5bda1ea56db224c8d8827d860, 53d099e308b65232f2a878730ce01af9b85ea08c, 5469b29c9848b785d9f993973f0fc59dff993dcd, 5558c729ce1d1b0a9b7d9567bfc825686d4d13cc, 56da8268211cd9b3806e8ad4a3d9f6b017773872, 575dc8c4e7fb9deb3826f546c442c0c96364a0d7, 57ec7112931de3ce7ba4502e1fa5299ad148085d, 5853de4cfbbbf9313d0c07ed5f54d00acc57cec8, 5882be86bda0108432d74f8b00364ef57bf7864f, 58e42f6d7762505f5ef7d70caee8fe4fb3e6939f, 59ccbc15564036c46447e510b040e9f0b3d65fe4, 5cefe3a11a27572136c1363f963b7d3205c47915, 5d337ae9885c310d02512e4fbdd80d4012410c4b, 5dd1ed264cede60268515aaa4fedb4bb7c39e1f0, 5f52ae106239e4f38ba278f575216736a3541ae0, 5fc1b9d3d1bfc8033cd22e59dc3b0e1084c2abb1, 5fcaa9633c79ee0fe0b92d1a50e0c855a7a339ac, 60a10913c7209c169c08cc95415501228ed6c190, 61b9de7fcc3e50533afbe6684bfadc8a7a3116e4, 62d0408d04580c9269f18efc5f6ef77b138d6c07, 667422e49dd772521d98afdb5e3d1b28932ef92e, 67b720c373f2f419c1a9dfa9076623676d0d9e9a, 
6911ebd9335115c217ad996c66d3cf283b03503d, 6933371ae2bf4cf4fa5af8fb22b8d7a5afdf1334, 6a46ddaa83ca62ba5051741b9c7d3ca0821b7592, 6a482d405135104991292e75b1c1483463a3fc64, 6aa4a534ced10e137992ff514fbdccc590032899, 6ab4ea8808fbeca07b627d93b4623ed7a8c855f1, 6b01128dd88845de610cbcc95b61930cefab5fdd, 6e6416fe7df1febc384301d1e57d6d6d0fe419a5, 70fd70c3b07899c472724e08af492c07fba02f4f, 716142789814a181bd0b207e36255c0eacae3918, 71f5b45a7ea86737fd83e7af3edc549244e1143a, 73b20663a3e8605c09c11842809d78cce829eb0e, 73dcf1d461b0d2b3ebeee56c61458475e2c22575, 74083896f0c74c87b8e951880b40b98edd0829ab, 746620fd7a2e95935afbe299ded82fd88c108ca7, 746cfd19100f7c33e3c459d68fa98849bfb4774c, 78aee77335e800a51d7bce8cfd8d7da272e32750, 7a0304bbde9782b6a903c67b0ebc4684aff21692, 7a39bf8e572fce19a18909f3d022b231e0e14eb7, 7add61312ddd21f524c253a67ae2d85be4f99d19, 7b5b190ca5778fa1d3116734c0cbc1ccdb883817, 7ce96efdf37c1b98b7f801363dd4c639a46663a2, 7dcf458ce124b1ef88ab456c052a5989c213818a, 7e01e044c480c7e3647be88da1b8741e3304a561, 7e55a5e24829ab196ff26f6d8ee40d2c9ff45343, 82f96da4cf96d076848e7358f6dd24c089bbf5e2, 83bf02af6b681182a274c0d60e35b5bf3cdcfefa, 86819f74f2c0c97a69266cb0a17c63bb31b9651a, 86b1d3712644631b1b363e74a393816646232816, 87c22069e002f28cd5ae615c8d603b8e4c67a817, 87c46a3997de4c5c8b51bab0e3b5021726237fac, 8a2ac011763b06aaf566d23892391e563bda7c36, 8b1a06de6635be56009d8eec236bdad18734f9ab, 8b264896adeca78c1bd653c288321800a16e1f95, 8b53f692a1bbc0be65cfc161f0cf90c6be3c698e, 8c69d88224b6b7a1e3069ad44e07dcf6c1fc9696, 8e88e49530b464e5d22a03b57cd47b03d5af30d9, 8ea2556c2e0b3a36acbaf6397977cd9888ebc222, 8f812048e7471867c2322481a3c4ebdcbe9fb8d6, 8fe92eb9e875a51629dd48660cf6d3fbbf28df01, 901151376b9c44b8d25dfa55d9e35a6862bcd808, 90a3fba12c7c394b5b6e60d68f5fc0dea8a1994f, 90d272a5e53d9d128e826216742ab7e149055e72, 916a5f26c3ae694620dd69c3d9c807907982aaf4, 916ad2a01cef76047ef622e7701f79c671710202, 92bc8caa5a736faaa9a576763cd8fa04ce627702, 953491446afeb169c0247c3afe9df83ff1c3c860, 
96342bf9937286e863fb794ed3a74dd18e8dfc07, 971715a2a50fd2ec54a50f2679fc4cbca2306fc0, 9812aac1de9c57b006cb3355ec3cc1d879c8e3b6, 9891b0fae7769adbe3fb986748d5dc84202169cc, 991ba17dc340c3a33dded6199ee2529a06b41674, 994a072c85febd71f65ca470b0fbf6fafce64b38, 99a80f47cf5439877088c23b061331ddac8f346f, 99b88373d48273c2a2d2e9ac4b4680f19312f3aa, 9a020d9727e3ef215c5aba35e68ec420ce892d78, 9a084686fb5dd62aefd59a9c8bddb07e8eb6fbe9, 9a18401c7d8aff223c5b0cd7d4ee6a989afdbf63, 9bef50f330c4f6bbd62897b320847418688afe10, 9d3d7573979e22fb11da05db3ec004b18aae08d5, 9fe95bc153e64854c8c3c11ff406f8df1db5b00c, a02ed8ef30323f3cdd54df42d564a035ab52317e, a16281e36ac1376268f90f8c9656dcafb02f418b, a301153605eee5a2ffb80728d9c8d4d122026e76, a3a8e75f7b6c66373a38820296f1837026988734, a3e7690e1af94641351aab1e2203674dcd5c768a, a3f3b9ce5e89ccb36de9566d4f12b0c495554a18, a4c70c1803b9a81f88c967b738c36830c8555a66, a5e35d3b9ef6766bac1d66103788c5595d47953c, a6a0452dded3a963fa403fc5ade9a89acf92bb74, a845202d5040185974d1a986eb42380d4c1662f6, aa23a65caddade19ade5c99122dff8a5bd5ec513, aa7f08a8def57c9adfa04174d0730139303fb9a1, ab0eb4dbc78441868951a03d0cc639ec8eaf2e8d, ab6557c3b350facfef4abbd351365368e38017c5, ac1bf32b2ebe1cb70622fa3fdc65a066001e16e4, ad14acc3862e0ef5a096d6f744358131a8be0fae, ad5869daa3a63889f953158f84e0f1a99de2c516, ad77ae6f47d60a5218d5fcab7fcd0fc7ddfc5d44, ae33843dfe79475f3f58374a16eec7b175392d3b, ae908e3dab4a228b03b2e32156ace35e7bad79ce, b146df7b3b0b162e2d5e4aa9cdffce21c854b541, b179f7979143d2ce07f3837099fd2940506d4f12, b1f3ad0a7e4b8173baf9866d39807ceab0fa4ffe, b269c1d6c4e2aea61ee7d8358e2f1a2408adf7df, b314482e6346be36a4fae3a965dc4d21be5af020, b42b7fb966498104e726eb675065a7590d765aa8, b730bd077801f57a7e827ea00ec7fd964dfbaf7b, b7fa31a6da1c95e599ce3078404b3efa4668a6bb, b84bb9c557f5fa4168b09d93119b074d40df2d6b, b9702d3ca9894f2cab51de43901b7f4c4a658eab, ba79071ba7628916b4ced6ccb93d7fba82272f9a, bae1bf585ed8abd948f7b2a0f337da4d1a31b5e5, bcf22c449c1dadef96bc6042bcc18d20b4db2965, 
bd2d6aa6ed5f3e394ea651693b6b9c28058ab370, be8590abce6219aa6581df3d9411ecbbaa73e692, c1f03e0e76ddce47826572a91865a946fdf01204, c53b91501151fa4bb820456b5ea1253cffb5070a, c6249d3c4ea9dfbef0156c4dcf3999b0274ef270, c70c8fec3387e5f32a798c0f697ce72df45b2b0c, c71993c4c1e92a88059d1a278e29968af3aa84b2, c789b6cc93f298cf7cce2975b53a970c9c5ee3bf, c9d40e5f7effe57a16e6dfaef8aace617c82bd31, caefe957befb93e0d20e9d1b4a114c574321be89, cceca9475b29b0afe273fe1e00332e7d3ec52552, cdb2b23a7cfe9b8776e757d67f094bbfebc02de3, cdcfd4f8dfd5b815eed2b328899d1e55d8d6582d, ce8060e2401ca49e9445122f57b467c07b8e4686, ce9d108c0d0bf5a75c965b4cb04cb38b786108d4, cf7c56e73b9dd670b500ae5d50f6d37a633794d1, cfce69a52a25fd4924892dc1a1838bb196c1e3e8, cfd72a92e2ddec0954dd43df5c06fe702673e606, d11e9df40727d3ae453309c681654f07701a44e1, d14d888744c49f7a7e67e5abc0955ccec2fc31b0, d3af0cd42892e7075c31be4fd08271640c91ab90, d53651fdc3a0c3cf42b83b3d20327be3b810aff0, d8447113afb073a363aebaeea377b3d0a151f65c, d933d97e6725132ac717da4d21e3043d6406c8a8, d9357152d648bcd9f83c4bd66e22187437f19d3a, d93fc7c8b82719f0538ee33102fba689e562187e, d9998997d0186467de88c41308df1351d64825d1, dac0bfc8b9983ff1bff649d1648c8f9e30c8cb68, dad2d61356bd57d7212e81d1f1b47f5153300e07, dad97925ad91943de87879b00ec45be1ab6c29da, dc4a4579cf784be3bba98a1ab2dd08d0c00a4cb1, dd6c262538f5452a0dd343ce05eff7d0b463bbdf, dee343519ad4a9b6c8a7be36b2c9c95a17a3a347, e0b041f5ce0e4458782734dba455cc7c22927cbf, e0fe2ab98dfad287feb9b08adfcf7ea6632e7c76, e1627ed04f36c396f8d3a80ba2211429934b1e49, e1d399818a2960b83184934e9c2f431e53fb88bc, e43ad112bda98d4bd8c8c247cb37110d6e56a7a1, e7f7b50b8eb4d52d60e33b2753c969518db223ae, e8bb49debb66c90f3c82e1e2102b423889eb4560, ec381ffa97255fe6fe32f3e1c4cca0876b1c17c8, ec49820ad8ac06a60300ac77a0d0d444f2e07269, ed3525c36d61601a36e6f5908f1103ed397f111e, ed4ff3cc664afea95b072af39b750e8bf6e4d7dc, edbabb8d170d795ed9b7452e4f895e3d658f1868, ef5f6cf6c7869ee6f2cb46430e0e9e9dc0a60376, efa8335bad0bf75a130f61f7944d86ab253cba42, 
f0ccc91433b7e6b6d47d9813cf6d9d86a9a28baf, f12a2492385d382c11133c37265e4c3082f3b018, f15759160ee919a9f41c6adc7f68937fe8fa879f, f1936d99858a7facd6ee922073479a606844522b, f235cb9abde5e88fa647f4b41370c84e56ce3099, f39470c88f34fb639d291b59db595b1ab19a2900, f3a028991baf032ddcb62f03276f030875675e13, f48be90c73ddb5a0e273d4012ae20350495314ab, f7fa8e5b4cebb4f83b3a15b8bc72251094785eee, f80239f9376dfe08c35756910caadd49eaeae300, f81607d4db058c20c5441f8a11b56c5190feae89, f92a7fa4650d13b86693f32631ef4b6108f00125, f9e34ab400bac027b10d1262966e66fbdea7751b, fc6587c6b75c5a0ca4cf9ebd6ee1c01ac13ebb6b, fd9de8e9ea59d972e9f0e63a6c3acbca03a7e5cb, fe057c5e80b78a81f0f579b39a9cb11d78fd90a2, fe977e8a2a03396d1a057a30cb02db88811573f5, ff9a074df4c5f96c728aab29e3710fc31183694b |
| Victim Industries: | Advertising Services, Financial Services, Information Technology, Software, Technology Hardware |
Mitigation Advice
- Block the domain `solananetworkinstance[.]info` at the network perimeter firewall and in DNS filtering services.
- Scan all developer workstations and CI/CD build servers to detect the presence of the malicious NuGet packages: `Netherеum.All`, `SolnetPlus`, `Coinbase.Net.Api`, and `GoogleAds.API`.
- Create a detection rule in your SIEM to generate a high-priority alert for any network traffic to or from the domain `solananetworkinstance[.]info`.
- Instruct all .NET developers to immediately review their projects' dependencies for any packages published by the authors `AngelDev`, `DamienMcdougal`, or `jackfreemancodes`.
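The dependency review in the last two items above can be automated for SDK-style .NET projects, and the homoglyph trick the report describes ("Netherеum.All" with a Cyrillic е) is easy to catch mechanically once you look for it. The script below is an added example, not code from the F5 report or from ReversingLabs; the project file, the feed author mapping, the confusables table and the trusted-project allowlist are constructed assumptions, while the package names and author handles come from the report. Old-style csproj files use an XML namespace and would need the namespace-qualified tag.

```python
"""Added example (not from the F5 report): review PackageReference entries in a
.csproj for the malicious packages named in the report, for non-ASCII characters
in package ids, and for ids that collapse to a trusted name once look-alike
letters are folded."""
import unicodedata
import xml.etree.ElementTree as ET

# Package ids and author handles named in the report. \u0435 is CYRILLIC SMALL LETTER IE.
KNOWN_MALICIOUS_IDS = {"Nether\u0435um.All", "SolnetPlus", "Coinbase.Net.Api",
                       "GoogleAds.API", "NBitcoin.Unified", "SolnetAll"}
SUSPICIOUS_AUTHORS = {"AngelDev", "DamienMcdougal", "jackfreemancodes"}
# Constructed subset of Cyrillic letters that render like Latin ones.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j"}
# Constructed allowlist of legitimate projects the report says were impersonated.
TRUSTED_PROJECTS = {"Nethereum", "NBitcoin", "Solnet", "Newtonsoft"}

def skeleton(pkg_id):
    """Fold compatibility forms and listed look-alikes so impostors compare equal."""
    folded = unicodedata.normalize("NFKC", pkg_id)
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)

def review_packages(csproj_xml, feed_authors=None):
    """Return {package_id: [reasons]} for every PackageReference worth a look.
    feed_authors maps package id -> publishing author as read from the feed."""
    feed_authors = feed_authors or {}
    root = ET.fromstring(csproj_xml)
    findings = {}
    for ref in root.iter("PackageReference"):
        pkg = ref.get("Include")
        if not pkg:
            continue
        reasons = []
        if pkg in KNOWN_MALICIOUS_IDS:
            reasons.append("listed as malicious in the report")
        for ch in (c for c in pkg if ord(c) > 127):
            reasons.append(f"non-ASCII character U+{ord(ch):04X} ({unicodedata.name(ch, '?')}) in package id")
        folded = skeleton(pkg)
        project = folded.split(".")[0]
        if folded != pkg and project in TRUSTED_PROJECTS:
            reasons.append(f"looks like {project} after confusable folding")
        author = feed_authors.get(pkg)
        if author in SUSPICIOUS_AUTHORS:
            reasons.append(f"published by flagged author {author}")
        if reasons:
            findings[pkg] = reasons
    return findings

# Constructed sample project and feed metadata.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="Nether\u0435um.All" Version="5.0.1" />
    <PackageReference Include="Coinbase.Net.Api" Version="1.2.0" />
    <PackageReference Include="Solnet.Rpc" Version="6.1.0" />
  </ItemGroup>
</Project>
"""
SAMPLE_FEED_AUTHORS = {"Coinbase.Net.Api": "jackfreemancodes",
                       "Newtonsoft.Json": "example-maintainer",
                       "Solnet.Rpc": "example-maintainer"}

if __name__ == "__main__":
    for pkg, reasons in review_packages(SAMPLE_CSPROJ, SAMPLE_FEED_AUTHORS).items():
        print(pkg.encode("unicode_escape").decode(), "->", "; ".join(reasons))
```

The non-ASCII check is the one to keep even if the other lists go stale: NuGet package ids from reputable projects are ASCII, so any id that is not deserves a manual look regardless of whether it matches a known-bad name. Printing the id with `unicode_escape` makes the Cyrillic letter visible in a terminal, where it would otherwise be indistinguishable from the Latin one.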
Compliance Best Practices
- Establish a formal policy for vetting and approving third-party libraries, requiring developers to check package age, author history, and source code repository activity before use.
- Integrate a Software Composition Analysis (SCA) tool into the CI/CD pipeline to automatically scan dependencies for known vulnerabilities, malicious code patterns, and suspicious package attributes.
- Implement a private internal artifact repository (e.g., private NuGet feed) to host only company-vetted and approved third-party packages.
- Develop and mandate recurring security awareness training for developers that specifically covers software supply chain risks, including how to spot typosquatting, homoglyph attacks, and manipulated package metrics.
- Enforce the use of a centralized secrets management vault for all credentials and API tokens, and restrict CI/CD pipeline access to only the specific secrets required for a given build job.
Stay updated on emerging threats: sign up for the F5 Threat Report to receive the Weekly Threat Report in your inbox.