F5 Threat Report - January 14th, 2026
Knownsec Leak Reveals China's Industrialized Cyber-Espionage Ecosystem A significant data leak from the Chinese company Knownsec in November 2025 exposed its true nature as a state-aligned cyber contractor deeply integrated into China's national security, intelligence, and military objectives, rather than a conventional cybersecurity vendor. Knownsec's internal documents reveal a sophisticated, industrialized cyber-espionage ecosystem, including tools like ZoomEye for global internet-wide scanning and the Critical Infrastructure Target Library (TargetDB) which maps millions of foreign IPs, domains, and organizations by strategic value across 26 regions, with a strong focus on Taiwan, Japan, South Korea, and India. The company also maintains a massive `"o_data_*"` data lake of global breach data for identity correlation and deanonymization, enabling targeted social engineering. Its offensive toolkit comprises GhostX for browser exploitation, routing manipulation, and credential theft; Un-Mail for covert email account takeover and exfiltration across major global providers; and Passive Radar for reconstructing internal network topologies from PCAP data. Knownsec's organizational structure, including the 404 Security Lab and Military Products Division, mirrors a defense integrator, with primary clients being Public Security Bureaus, defense research institutes, and state-owned enterprises like State Grid and China Mobile, indicating a vertically integrated espionage stack for reconnaissance, exploitation, collection, and persistence in support of both domestic surveillance and foreign intelligence operations. Severity: Critical Sources https://dti.domaintools.com/the-knownsec-leak-yet-another-leak-of-chinas-contractor-driven-cyber-espionage-ecosystem/ https://www.hendryadrian.com/the-knownsec-leak-yet-another-leak-of-chinas-contractor-driven-cyber-espionage-ecosystem-domaintools-investigations-dti/ Threat Details and IOCs Malware: GhostX, GhostX Framework, GhostX RAT, Un-Mail CVEs: CVE-2012-0158, CVE-2015-1641, CVE-2017-0199, CVE-2017-11882, CVE-2018-0171, CVE-2018-13379, CVE-2019-19781, CVE-2019-3396, CVE-2020-10189, CVE-2021-26855, CVE-2021-27065, CVE-2021-44207, CVE-2021-44228 Technologies: Check Point Security Gateway, Fortinet FortiGate, Google Gmail, Microsoft Outlook, Microsoft Windows, Sophos Firewall, Yahoo Mail Threat Actors: 404Lab, APT31, APT41, MUSTANGPANDA Attacker Countries: China Attacker IPs: 103.21.60.3, 210.242.194.198, 219.80.43.14, 220.130.186.202, 220.130.186.203, 61.65.236.240 Attacker Emails: anyh@knownsec.com, chenc6@knownsec.com, chenh4@xm.knownsec.com, chenjz@xm.knownsec.com, chenrl@xm.knownsec.com, evp@knownsec.com, hey5@knownsec.com, liuj13@knownsec.com, liwc@xm.knownsec.com, mas@knownsec.com, niexy2@knownsec.com, raosh@knownsec.com, suig@knownsec.com, wangcp2@knownsec.com, wangl8@xm.knownsec.com, wangll@xm.knownsec.com, xuc2@knownsec.com, yangwh2@knownsec.com, zhanghj@knownsec.com, zouxy2@knownsec.com Attacker Domains: creategroup.cn, ittc.sh.cn, knownsec.com, knownsec.com.hk, rusnod.ru, seebug.org, telderi.ru, www.knownsec.com.hk, xm.knownsec.com, zoomeye.aigithub.com Attacker URLs: github.com/Knownsec404team, http://creategroup.cn, https://github.com/zoomeye-ai, https://www.knownsec.com.hk, https://www.knownsec.com.hk/, https://www.linkedin.com/company/上海国际技贸联合有限公司, http://www.ittc.sh.cn, www.linkedin.com/company/knownsec-hong-kong/, zhuanlan.zhihu.com/p/21881117943, zoomeye.aigithub.com/zoomeye-ai Victim Industries: Automotive, Cloud Infrastructure, Defense, Education, Energy, Financial Services, Government, Healthcare, Industrials, Multimedia, Retail, Social Media, Technology Hardware, Telecommunications, Transportation Victim Countries: Brazil, China, India, Japan, Russia, South Africa, South Korea, Taiwan, United States, Vietnam Mitigation Advice Add the IP addresses listed in Appendix A (210.242.194.198, 219.80.43.14, 220.130.186.202, 220.130.186.203, 103.21.60.3, 61.65.236.240) to the firewall blocklist. Immediately audit and apply all available security patches to internet-facing Fortinet devices. Immediately audit and apply all available security patches to internet-facing Sophos devices. Immediately audit and apply all available security patches to internet-facing Check Point devices. Audit all network routers and firewalls for any recently created or unauthorized administrator-level accounts. Review internal and external DNS server configurations and forwarders to ensure they point only to authorized and expected IP addresses. Add all specific email addresses and the domains @knownsec.com and @xm.knownsec.com listed in the article to the email gateway's blocklist. Compliance Best Practices Prioritize and enforce the rollout of phishing-resistant multi-factor authentication (MFA) across all externally accessible services, including VPN, email, and cloud applications. Develop and implement a network segmentation strategy to isolate critical servers from user workstations and restrict east-west traffic based on the principle of least privilege. Deploy and tune an Endpoint Detection and Response (EDR) solution to create detection rules for suspicious browser process behavior, command-line execution patterns, and attempts to extract credentials from memory. Implement a Web Application Firewall (WAF) to protect all public-facing web applications and portals against common attacks like Cross-Site Scripting (XSS). Implement a network detection and response (NDR) tool to establish baseline traffic patterns and create alerts for anomalous activity, such as large outbound data transfers over FTP or SSH from non-standard servers. Establish a recurring security awareness training program that educates employees on identifying and reporting sophisticated phishing attacks that may leverage their personal or professional information found in data breaches. OWASP CRS Flaw Lets Encoded Attacks Slip Past WAFs A critical vulnerability, identified as CVE-2026-21876 with a CVSS score of 9.3, has been discovered in the OWASP Core Rule Set (CRS), allowing encoded Cross-Site Scripting (XSS) attacks to bypass Web Application Firewalls (WAFs). This flaw affects CRS versions 3.3.x through 3.3.7 and 4.0.0 through 4.21.0, specifically impacting rule 922110 in Apache ModSecurity, ModSecurity v3, and Coraza environments. The bypass occurs because rule 922110, designed to detect dangerous character encodings like UTF-7 in multipart form requests, only validates the final segment of such requests. Attackers can exploit this by embedding a malicious UTF-7 encoded JavaScript payload in an earlier part of a multipart request, followed by benign UTF-8 content in the final segment, thereby evading WAF detection. To mitigate this risk, immediate upgrades to CRS version 4.22.0 or 3.3.8 are essential, alongside verifying WAF configurations, restricting accepted character encodings to UTF-8, implementing custom WAF rules for mixed charset declarations, strengthening application-layer defenses with robust input validation and Content Security Policy headers, and enhancing monitoring and incident response capabilities. This incident underscores the necessity for continuous validation and updating of security controls, moving away from "set-and-forget" approaches towards principles of continuous verification. Severity: Critical Sources https://cyberpress.org/owasp-crs-vulnerability/ https://gbhackers.com/owasp-crs-vulnerability/ https://www.esecurityplanet.com/threats/owasp-crs-flaw-lets-encoded-attacks-slip-past-wafs/ https://www.thehackerwire.com/owasp-crs-bypass-multipart-request-charset-validation-flaw-cve-2026-21876/ Threat Details and IOCs Malware: Archer RAT, RUSTRIC, RustyWater CVEs: CVE-2026-21876 Technologies: ModSecurity, OWASP Coraza, OWASP Core Rule Set Victim Industries: E-commerce, Financial Services, Government, Healthcare, Technology Hardware Mitigation Advice Identify all Web Application Firewall (WAF) instances using OWASP Core Rule Set (CRS) and upgrade them to a patched version, either 4.22.0 or 3.3.8, to fix the vulnerability. Analyze WAF and web server logs for evidence of exploitation, specifically looking for multipart form requests that contain non-standard character encodings like UTF-7 or have mixed charsets across different parts. Configure all public-facing web servers, such as Apache or Nginx, to only accept UTF-8 character encoding and explicitly reject requests with other encodings, especially UTF-7 and UTF-16. If patching the OWASP Core Rule Set cannot be done immediately, create a custom WAF rule to inspect all parts of a multipart request for dangerous character encodings, not just the final part. Compliance Best Practices Establish a secure coding program to enforce strict, server-side input validation on all user-supplied data across all web applications to prevent XSS attacks at the source. Mandate the use of context-aware output encoding libraries and practices in all web application development to neutralize any malicious scripts before they are sent to the user's browser. Develop and deploy a restrictive Content Security Policy (CSP) across all web applications to limit the impact of potential XSS vulnerabilities by controlling script execution sources. Improve security monitoring capabilities by creating specific alerts for anomalous HTTP traffic patterns, such as multipart requests with unusual or mixed character set declarations, to detect novel bypass techniques. Schedule and conduct regular incident response tabletop exercises that simulate a WAF bypass and subsequent web application compromise to test and improve your team's detection and response procedures. CVE-2026-21858 aka Ni8mare: Critical Unauthenticated Remote Code Execution Vulnerability in n8n Platform A critical unauthenticated remote code execution vulnerability, tracked as CVE-2026-21858 and dubbed Ni8mare, has been identified in the n8n AI workflow automation platform, carrying a maximum CVSS score of 10.0. This flaw, affecting all n8n versions up to and including 1.65.0, stems from a weakness in the platform's webhook request parsing and file handling logic. Specifically, when a crafted HTTP request is sent to a Forms Webhook node with a deliberately misstated "Content-Type" header (other than `multipart/form-data`), the `parseBody()` function can be exploited to overwrite the `req.body.files` variable with attacker-controlled data. This allows an attacker to specify arbitrary file paths on the local system, leading to the `copyBinaryFile()` function copying these specified local files into persistent storage without verifying their origin. Exploitation of Ni8mare can grant unauthenticated attackers full control over exposed n8n instances, potentially leading to sensitive data exposure, workflow manipulation, and credential compromise. With over 26,500 internet-accessible n8n hosts reported globally, the potential attack surface is substantial. The vulnerability was reported on November 9, 2025, and addressed in version 1.121.0, released on November 18, 2025; users are strongly advised to upgrade immediately, and temporary mitigations include restricting or disabling publicly accessible webhook and form endpoints. Severity: Critical Sources https://arcticwolf.com/resources/blog/cve-2026-21858/ https://buaq.net/go-386499.html https://buaq.net/go-386542.html https://buaq.net/go-387142.html https://cyberpress.org/ni8mare-vulnerability/ https://cyberscoop.com/n8n-critical-vulnerability-massive-risk/ https://horizon3.ai/attack-research/attack-blogs/the-ni8mare-test-n8n-rce-under-the-microscope-cve-2026-21858/ https://infosecwriteups.com/critical-n8n-security-vulnerability-cve-2026-21858-demands-immediate-action-c4bd95b5d93c?source=rss----7b722bfd1b8d---4 https://orca.security/resources/blog/cve-2026-21858-n8n-rce-vulnerability/ https://securityonline.info/public-exploit-released-critical-n8n-flaw-cve-2026-21858-exposes-100k-servers/ https://socprime.com/blog/cve-2026-21858-vulnerability/ https://socradar.io/blog/ni8mare-flaw-n8n-cve-2026-21858/ https://sploitus.com/exploit?id=329E5BE3-360F-5C2E-8422-B4D96C9C6E68 https://thecyberexpress.com/cve-2026-21858-n8n-webhook-vulnerability/ https://thehackernews.com/2026/01/critical-n8n-vulnerability-cvss-100.html https://www.bleepingcomputer.com/news/security/max-severity-ni8mare-flaw-lets-hackers-hijack-n8n-servers/ https://www.cyberkendra.com/2026/01/how-100000-automation-servers-became.html https://www.hendryadrian.com/max-severity-ni8mare-flaw-lets-hackers-hijack-n8n-servers/ https://www.infosecurity-magazine.com/news/maximum-severity-ni8mare-bug/ https://www.securityweek.com/critical-vulnerability-exposes-n8n-instances-to-takeover-attacks/ https://www.techzine.eu/news/security/137741/ni8mare-vulnerability-affects-n8n-platform-with-a-score-of-10-0/ https://www.thehackerwire.com/n8n-unauth-file-read-via-workflow-execution/ https://www.theregister.com/2026/01/08/n8n_rce_bug/ Threat Details and IOCs CVEs: CVE-2025-68613, CVE-2025-68668, CVE-2026-21858, CVE-2026-21877 Technologies: Docker, Linux, n8n, OpenAI, SQLite Attacker Countries: Bangladesh, Myanmar Victim Industries: Advertising Services, Airlines & Aviation, Artificial Intelligence, Construction, Customer Service, E-commerce, Education, Financial Services, Food and Beverage Services, Food & Beverage, Healthcare, Hospitals and Health Care, Human Resources, Information Technology, IT Services, Legal Services, Logistics, Manufacturing, Marketing & Advertising, Media and Entertainment, Professional Services, Real Estate, Retail, Sales & Marketing, Software, Software as a Service (SaaS), Supply Chain, Technology Hardware, Telecommunications, Transportation Equipment Manufacturing, Venture Capital & Private Equity Victim Countries: Australia, Brazil, Canada, Denmark, Finland, France, Germany, Iceland, India, Israel, Italy, Netherlands, Norway, Singapore, Spain, Sweden, Ukraine, United Arab Emirates, United Kingdom, United States, Vietnam Mitigation Advice Immediately upgrade all n8n instances to version 1.121.0 or later to patch the CVE-2026-21858 vulnerability. Immediately scan the network and review software inventories to identify all instances of the n8n platform in use within the organization. If you cannot immediately upgrade n8n, restrict access to or disable all publicly accessible webhook and form endpoints to prevent unauthenticated exploitation. Hunt for exploitation attempts by reviewing web server and application logs for requests to n8n webhook endpoints where the 'Content-Type' header is not 'multipart/form-data' but the request body contains file path definitions. Compliance Best Practices Develop and enforce a policy to place internal services like n8n behind a VPN or other authenticated access controls, and formally review all requests for public internet exposure. Implement network segmentation to isolate servers running workflow automation platforms like n8n from other critical internal network segments, limiting the potential impact of a successful compromise. Deploy or configure a Web Application Firewall (WAF) to inspect and block anomalous HTTP requests to web applications, including rules that detect mismatched 'Content-Type' headers and body content. Review and strengthen the vulnerability management program to ensure timely identification, prioritization, and patching of critical vulnerabilities in all third-party software, with specific focus on internet-facing applications. Trend Micro Apex Central RCE Flaw Scores 9.8 CVSS in On-Prem Windows Versions Trend Micro has issued security updates for multiple vulnerabilities affecting on-premise versions of Apex Central for Windows, specifically those below Build 7190. The most severe, CVE-2025-69258, is a Remote Code Execution (RCE) flaw with a CVSS score of 9.8. This LoadLibraryEX vulnerability enables an unauthenticated remote attacker to load a controlled DLL into the MsgReceiver.exe component by sending a specific message (0x0a8d, `"SC_INSTALL_HANDLER_REQUEST"),` resulting in code execution with SYSTEM privileges. Two additional Denial-of-Service (DoS) vulnerabilities, CVE-2025-69259 and CVE-2025-69260, both rated 7.5 CVSS, were also patched. These DoS flaws, stemming from a message unchecked NULL return value and a message out-of-bounds read, respectively, can be exploited by an unauthenticated remote attacker sending a specially crafted message (0x1b5b, `"SC_CMD_CGI_LOG_REQUEST")` to the MsgReceiver.exe process on TCP port 20001. Tenable is credited with discovering and reporting these vulnerabilities in August 2025. Organizations are advised to apply the necessary security updates and to review remote access to critical systems, ensuring that security policies and perimeter defenses are current. Severity: Critical Sources https://buaq.net/go-386777.html https://cyberpress.org/trend-micro-apex-central-vulnerabilities-enable-remote-code-execution-attacks/ https://cyberveille.esante.gouv.fr/alertes/trendmicro-cve-2025-69258-2026-01-09 https://gbhackers.com/trend-micro-apex-central-flaw/ https://securityonline.info/public-exploit-released-critical-trend-micro-flaw-grants-system-access/ https://thehackernews.com/2026/01/trend-micro-apex-central-rce-flaw.html https://www.esecurityplanet.com/threats/trend-micro-apex-central-flaws-enable-remote-code-execution/ https://www.helpnetsecurity.com/2026/01/08/trend-micro-apex-central-cve-2025-69258-rce-poc/ https://www.techzine.eu/news/security/137798/trend-micro-closes-critical-vulnerabilities-in-apex-central/ https://www.thehackerwire.com/trend-micro-apex-central-rce-via-loadlibraryex/ Threat Details and IOCs CVEs: CVE-2022-26871, CVE-2025-69258, CVE-2025-69259, CVE-2025-69260 Technologies: Microsoft Windows, Trend Micro Apex Central Victim Industries: Automotive, Cloud Infrastructure, Education, Energy, Financial Services, Government, Healthcare, Information Technology, Manufacturing, Oil & Gas, Retail Victim Countries: France, Japan, United States Mitigation Advice Identify all on-premise Trend Micro Apex Central for Windows instances and immediately apply the security updates to upgrade them to Build 7190 or a later version. Implement a firewall rule to block all inbound traffic to TCP port 20001 on Trend Micro Apex Central servers from untrusted networks and allow access only from required endpoints and management stations. On Trend Micro Apex Central servers, use endpoint security tools to monitor the `MsgReceiver.exe` process for the loading of unusual or unsigned DLLs and for spawning unexpected child processes. Scan network traffic logs for connection attempts to TCP port 20001 on Apex Central servers, investigating any connections from unexpected or external IP addresses. Compliance Best Practices Establish and enforce a formal patch management policy that defines specific timelines for applying security updates based on their severity, ensuring critical vulnerabilities are addressed within 72 hours. Implement network segmentation to create a secure management zone for critical infrastructure servers, including Trend Micro Apex Central, restricting all inbound and outbound traffic to only what is explicitly authorized. Develop and maintain a comprehensive software asset inventory that includes application names, versions, and owners, enabling rapid identification of systems vulnerable to newly disclosed threats. Conduct quarterly reviews of firewall rules and access control lists for critical servers to ensure they adhere to the principle of least privilege and that all access is documented and approved. ZDI-26-034 / CVE-2026-0768: 0-Day Code Injection RCE Vulnerability in Langflow A critical code injection remote code execution vulnerability, identified as ZDI-26-034 and CVE-2026-0768, affects installations of Langflow. This flaw, assigned a CVSS score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), allows unauthenticated remote attackers to execute arbitrary code. The vulnerability stems from insufficient validation of a user-supplied string within the `code` parameter provided to the `validate` endpoint, which is subsequently used to execute Python code. Successful exploitation grants an attacker the ability to execute code in the context of root. The vulnerability was reported on July 18, 2025, and publicly disclosed as a 0-day on January 9, 2026. The only salient mitigation strategy is to restrict interaction with the product. This vulnerability was discovered by Peter Girnus, William Gamazo Sanchez, and Alfredo Oliveira. Severity: High Sources https://www.zerodayinitiative.com/advisories/ZDI-26-034/ Threat Details and IOCs CVEs: CVE-2026-0768 Technologies: Langflow, Linux Victim Industries: Customer Service, Financial Services, Human Resources, Logistics, Manufacturing, Marketing & Advertising, Sales & Marketing Mitigation Advice Immediately conduct an inventory of all assets to identify any running instances of the Langflow application. Configure perimeter firewalls to deny all inbound internet traffic to any identified Langflow instances. Hunt for compromise by searching web server and application logs for requests to the '/validate' endpoint, particularly any requests containing a 'code' parameter. If Langflow must remain accessible, configure a Web Application Firewall (WAF) to block any HTTP requests targeting the '/validate' URI path. Compliance Best Practices Enforce the principle of least privilege by reconfiguring all production and development services, including Langflow, to run using dedicated, unprivileged service accounts instead of as the 'root' user. Implement a comprehensive software asset management program to maintain a real-time inventory of all applications deployed in the environment. Adopt a network segmentation strategy that isolates internal-facing tools and development environments from the public internet, requiring VPN access for remote users. Incorporate CVE-2026-0768 into the vulnerability management watchlist and ensure the official patch from the Langflow vendor is applied to all affected systems as soon as it is released. Stay updated on emerging threats: sign up for the F5 Threat Report to receive the Weekly Threat Report in your inbox.F5 Threat Report - January 7th, 2026
Transparent Tribe Launches New RAT Attacks Against Indian Government and Academia Transparent Tribe (APT36) has initiated new cyber espionage campaigns against Indian governmental, academic, and strategic entities. One campaign utilizes spear-phishing emails containing ZIP archives with weaponized Windows shortcut (LNK) files, disguised as PDFs, which execute a remote HTML Application (HTA) script via `mshta.exe`. This HTA loads a RAT payload (`iinneldc.dll`) directly into memory, adapting its persistence method based on the victim's installed antivirus software (Kaspersky, Quick Heal, Avast, AVG, or Avira), and provides comprehensive remote control, file management, and data exfiltration capabilities. A second APT36 campaign employs a malicious shortcut (`NCERT-Whatsapp-Advisory.pdf.lnk`) to deliver a .NET-based loader through an MSI installer retrieved from `aeroclubofindia.co[.]in`, establishing registry persistence and communicating with `dns.wmiprovider[.]com` via HTTP GET endpoints that use reversed characters for evasion. Concurrently, the Patchwork group (Maha Grass) has targeted Pakistan's defense sector with a Python-based backdoor, distributed via phishing emails containing MSBuild project files. This backdoor leverages `msbuild.exe` for execution, downloads a Python interpreter, and maintains persistence through scheduled tasks, communicating with command-and-control (C2) servers such as `nexnxky[.]info`. Patchwork is also associated with the newly identified StreamSpy trojan, distributed via ZIP archives from `firebasescloudemail[.]com`, which employs WebSocket and HTTP for C2 communication (`www.mydropboxbackup[.]com`, `www.virtualworldsapinner[.]com`), establishes persistence through various Windows mechanisms, and supports extensive remote control and data collection, with its digital signature correlating with the DoNot Team's ShadowAgent, indicating potential resource sharing. Severity: Critical Sources https://buaq.net/go-385045.html https://cyberpress.org/apt36-cyber-attack/ https://securityonline.info/apt-36-uses-fake-whatsapp-fraud-advisory-to-hack-government-systems/ https://thehackernews.com/2026/01/transparent-tribe-launches-new-rat.html https://www.hendryadrian.com/apt36-lnk-based-malware-campaign-leveraging-msi-payload-delivery/ https://www.hendryadrian.com/apt36-multi-stage-lnk-malware-campaign-targeting-indian-government-entities/ Threat Details and IOCs Malware: CapraRAT, Crimson, Crimson RAT, CrimsonRAT, DeskRAT, ElizaRAT, MSIL/Crimson, ObliqueRAT, RemCom, RemoteCommandExecution, SEACRIT, SEASTAR, ShadowAgent, Spyder, Spyder Patchwork, StreamSpy, WarHawk CVEs: CVE-2025-9491 Technologies: Avast, AVG, Avira, Kaspersky, Microsoft MSBuild, Microsoft PowerShell, Microsoft Windows, Quick Heal Threat Actors: APT36, DoNotTeam, DroppingElephant, Mahagra, Patchwork, QuiltedTiger, RazorTiger, Sidewinder, TransparentTribe, ViceroyTiger Attacker Countries: India, Pakistan Attacker IPs: 2.56.10.86 Attacker Domains: aeroclubofindia.co.in, brityservice.info, dns.wmiprovider.com, drjagrutichavan.com, firebasescloudemail.com, innlive.in, nexnxky.info, soptr.info, upxvion.info, wmiprovider.com, www.mydropboxbackup.com, www.virtualworldsapinner.com Attacker URLs: https://aeroclubofindia.co.in/css/NCERT-Whatsapp-Advisory/winc, https://drjagrutichavan.com/assetl/hp/pk5//ico/wd.ico, https://innlive.in/assets/public/01/jlp/jip.hta, hxxps://brityservice.info/ZxStpliGBsfdutMawer/sIOklbgrTYULKcsdGBZxsfetmw Attacker Hashes: 06fb22c743fcc949998e280bd5deaf8f80d616b371576b5e11fd5b1d3b23a5f2, 1c335be51fc637b50d41533f3bef2251, 30fda797535a0f367ea2809426760020, 4dd9e2085297515825416415413eae1c9632392cb159ac70e459d0ebeb2dd49d, 580d6401775cd9dbd029893a97d0523315b7ccf70feaa9383bd1a67bf2016ab6, 6baf7121594b84177eec4420875908cf, aa5fe3b75d16022198f4c89d1cc6dff07bd654a3c34933a0764a9d100b4e6ca2, bbcbce9a08d971a4bbcd9a0af3576f1e0aa0dad1b3cf281c139b7a8dd8147605, c1f3dea00caec58c9e0f990366ff40ae59e93f666f92e1c218c03478bf3abe17, ceb715db684199958aa5e6c05dc5c7f0, e23ad0cc6633674103b725288fcc1fcb5995ba348bd760096d6d8ac0d019723c, f78fd7e4d92743ef6026de98291e8dee, fc43f4c618bce57461df5752a8d3bedf243eacfdd3e648ea8b1310083764fd92 Victim Industries: Aerospace, Civil Society, Defense, Education, Government, Military Victim Countries: India, Pakistan Mitigation Advice Add the following domains to your network blocklist via firewall, DNS sinkhole, or web proxy: aeroclubofindia.co[.]in, dns.wmiprovider[.]com, firebasescloudemail[.]com, www.mydropboxbackup[.]com, www.virtualworldsapinner[.]com. Block all inbound and outbound traffic to and from the IP address 2.56.10[.]86 at the network firewall. Configure your email security gateway to block or quarantine all incoming emails with .lnk file attachments, including those within ZIP archives. Configure your email gateway and web proxy to block the download and execution of HTML Application (.hta) files. Using your EDR or endpoint management tool, scan all Windows systems for the existence of the directories 'C:\Users\Public\core\' and 'C:\ProgramData\PcDirvs\'. Using your EDR or endpoint management tool, hunt for the following file names across all systems: 'iinneldc.dll', 'nikmights.msi', 'PcDirvs.exe', 'PcDirvs.hta', 'Annexure.exe'. Audit the Windows Startup folders for all users on all endpoints for any recently created or suspicious .LNK files. Review scheduled tasks on all endpoints for entries with suspicious names or actions, particularly those executing scripts or binaries from unusual locations. Scan endpoint registry hives, specifically common autorun locations (e.g., Run, RunOnce), for entries configured to launch 'PcDirvs.exe'. In your network traffic logs or SIEM, search for outbound HTTP GET requests where the URI path ends with '/retsiger', '/taebtraeh', '/dnammoc_teg', or '/dnammocmvitna'. Compliance Best Practices Implement an application control policy, such as Windows Defender Application Control (WDAC) or AppLocker, to block or restrict the execution of mshta.exe. Implement an application control policy, such as Windows Defender Application Control (WDAC) or AppLocker, to block or restrict the execution of msbuild.exe, especially when initiated by non-developer users or from non-standard directories. Use Group Policy (GPO) to enforce a corporate-wide setting that requires Windows Explorer to always show file extensions for known file types. Enable PowerShell Script Block Logging and Module Logging via Group Policy and forward these logs to your SIEM for monitoring and analysis. Develop and deploy a detection rule in your EDR or SIEM to alert on suspicious process chains, such as an email client or browser spawning cmd.exe or mshta.exe to download or execute a remote script. Develop and deploy a detection rule in your SIEM or network monitoring tool to alert on new or unusual WebSocket connections to external IP addresses, especially to non-categorized or newly registered domains. Implement a continuous security awareness training program that includes phishing simulations focused on lures with attachments, especially those disguised as documents or contained within archives. Configure your email security gateway to perform deep content inspection on archive files (e.g., .zip, .rar) and block any archives that contain executable or script files such as .exe, .lnk, .hta, or .vbs. NoName057(16) DDoS Attack Disrupts La Poste and La Banque Postale Online Services French postal and banking services, La Poste and La Banque Postale, experienced significant disruptions on January 1, 2026, when a cyberattack rendered their websites and mobile applications largely inaccessible. This incident followed a previous denial-of-service (DDoS) attack from December 22-26, 2025, which had also affected parcel tracking services. The pro-Russian hacker group NoName057(16), known for targeting countries supporting Ukraine, claimed responsibility for both disruptions. While the attacks caused downtime and limited digital access, no customer data was compromised, as DDoS attacks primarily aim to overload servers. Despite the digital outages, essential postal services and banking transactions remained available at physical locations, and online payments with SMS authentication, card payments, and ATM withdrawals continued to function. The Paris prosecutor's office has launched an investigation, delegating the case to the General Directorate for Internal Security (DGSI) and the national cyber unit, as both organizations' teams are actively working to restore full digital access. This event is part of a broader trend of recent cyber incidents affecting French public institutions, including a breach of the Interior Ministry on December 17, 2025, and the French Football Federation in November 2025. Severity: High Sources https://hackread.com/ukraine-woman-us-custody-russia-noname057-hackers/ https://thecyberexpress.com/la-poste-la-banque-postale-cyberattack-2026/ https://www.cisa.gov/news-events/alerts/2025/12/09/opportunistic-pro-russia-hacktivists-attack-us-and-global-critical-infrastructure Threat Details and IOCs Malware: DDoSia, Dosia, Go-Stresser Threat Actors: APT44, CARR, Center16, CyberArmyOfRussiaReborn, NoName057(16), NoName05716, PeoplesCyberArmy, Sandworm, ZPentest Attacker Countries: Russia Attacker Domains: xss.is Victim Industries: Agriculture, Critical Manufacturing, Defense, Defense Industrial Base, Energy, Financial Services, Government, Postal and Courier Services, Telecommunications, Transportation, Utilities, Water & Wastewater Victim Countries: Czech Republic, Denmark, France, Germany, Lithuania, Poland, Spain, Sweden, Ukraine, United States Mitigation Advice Implement or tighten rate-limiting rules on web servers, load balancers, and API gateways to cap the number of requests from individual IP addresses. Configure your Web Application Firewall (WAF) to block or challenge traffic originating from geographic regions associated with the NoName057(16) group and other high-risk areas. Compliance Best Practices Procure and implement a cloud-based, always-on DDoS mitigation service to protect all internet-facing services and infrastructure. Develop and formalize a Denial-of-Service Incident Response Plan that includes technical containment procedures, internal and external communication templates, and defined roles for the response team. Design and deploy public-facing applications using auto-scaling groups and load balancers across multiple geographic regions or availability zones to build resilience and distribute traffic loads effectively. Establish a threat intelligence program to monitor hacktivist groups like NoName057(16), track their TTPs, and proactively adjust security controls based on their evolving campaigns and targets. Critical GNU Wget2 Vulnerability Allows Remote Attackers to Overwrite Sensitive Files A high-severity security flaw, tracked as CVE-2025-69194, has been identified in GNU Wget2, a widely used command-line tool for web file downloads. This vulnerability, rated "Important" with a CVSS score of 8.8 out of 10, is an Arbitrary File Write (Path Traversal) issue stemming from Wget2's improper handling of Metalink documents. Specifically, the application fails to correctly verify file paths listed in these documents, enabling remote attackers to craft malicious Metalink files using path traversal sequences (like `../`) to overwrite sensitive files anywhere on a victim's system. The consequences are severe, potentially leading to data loss, system crashes, execution of malicious code, or security bypasses by modifying critical system files, user documents, or configuration settings. Although exploitation requires user interaction with a malicious Metalink file, the significant potential for damage necessitates immediate action. Users are strongly advised to update GNU Wget2 to the latest version and to avoid processing Metalink files from untrusted or unknown sources until the software is patched. Severity: Critical Sources https://cyberpress.org/critical-gnu-wget2-vulnerability-allows-remote-attackers-to-overwrite-sensitive-files/ https://gbhackers.com/gnu-wget2-vulnerability/ https://securityonline.info/critical-wget2-flaws-expose-users-to-arbitrary-file-overwrites-and-memory-crashes/ Threat Details and IOCs Malware: Careto, GlassWorm, Shai-Hulud, Shai-Hulud 2.0, Shai-Hulud 3.0, The Golden Path, The Mask CVEs: CVE-2025-69194, CVE-2025-69195 Technologies: GNU Wget2, Linux, Microsoft Windows Mitigation Advice Scan all Linux, UNIX, and Windows endpoints and servers to identify all installed instances of GNU Wget2 and their current versions. Patch all identified installations of GNU Wget2 to the latest stable version that addresses CVE-2025-69194. Implement a detection rule in your SIEM or EDR to alert on Wget2 process executions where command-line arguments contain path traversal sequences such as "../". Issue an immediate advisory to all employees, especially developers and system administrators, instructing them not to use Wget2 to process Metalink files from untrusted sources. Compliance Best Practices Establish or enhance a software asset management (SAM) program to maintain a continuously updated inventory of all software and libraries on all company assets. Review and enforce the principle of least privilege for user and service accounts, ensuring that automated tools and scripts do not run with administrative rights unless absolutely necessary. Deploy and tune a File Integrity Monitoring (FIM) solution on critical servers to detect and alert on unauthorized changes to sensitive system files, configurations, and startup scripts. Update the security awareness training program to include modules on the risks of processing untrusted data and configuration files, using this Wget2 vulnerability as a practical example. Careto Hacker Group Resurfaces After a Decade, Unleashing New Attack Techniques Careto, also known as "The Mask," has re-emerged after a decade-long disappearance, employing sophisticated new attack methods that demonstrate the group’s continued evolution and technical prowess. This resurgence was unveiled by Kaspersky researchers during the 34th Virus Bulletin International Conference in October, marking the first significant discovery of Careto activity since early 2014. Severity: High Sources https://gbhackers.com/careto-hacker-group/ Threat Details and IOCs Malware: Careto, The Mask, Ugly Face Technologies: Apple macOS, Linux, MDaemon Technologies MDaemon Email Server, Microsoft 365, Microsoft Windows, Sophos Intercept X Threat Actors: Careto, TheMask Victim Industries: Energy, Financial Services, Government, Research & Development Mitigation Advice Ingest the Indicators of Compromise (IOCs) for the Careto threat actor from the Kaspersky research paper into your SIEM, EDR, and firewall blocklists. Create and enable detection rules in your SIEM to alert on anomalous or high-volume data uploads to public cloud storage services like OneDrive and Google Drive, particularly from servers or endpoints that do not typically perform such actions. Use a vulnerability scanner to identify all Microsoft Office installations vulnerable to CVE-2010-3333 and deploy the patches associated with Microsoft Security Bulletin MS10-087. Scan your network to identify all Windows systems vulnerable to the RDP vulnerability CVE-2012-0002 and deploy the patches from Microsoft Security Bulletin MS12-020. Configure your perimeter firewall to block all inbound traffic on TCP port 3389 (RDP) from the internet. Audit systems running MDaemon email server software for unauthorized configuration changes or suspicious scheduled tasks. Compliance Best Practices Implement a continuous security awareness training program that includes regular phishing simulations to train users to identify and report suspicious emails. Develop and implement a Data Loss Prevention (DLP) policy and deploy a Cloud Access Security Broker (CASB) to control and monitor data transfers to all cloud services, blocking unsanctioned platforms. Implement application control using a tool like AppLocker or a third-party solution to enforce a policy that only allows approved applications and scripts to execute on endpoints and servers. Enforce the use of Network Level Authentication (NLA) for all internal and external RDP connections via Group Policy. Ensure an Endpoint Detection and Response (EDR) solution with behavioral analysis capabilities is deployed and properly configured on all company endpoints, including Windows, macOS, and Linux systems. Configure Microsoft Office File Block settings via Group Policy to prevent users from opening RTF files that originate from the internet. New GlassWorm Malware Wave Targets Macs with Trojanized Crypto Wallets A fourth wave of the "GlassWorm" campaign is actively targeting macOS developers through malicious VSCode/OpenVSX extensions, delivering trojanized versions of crypto wallet applications. This latest iteration, identified by Koi Security, exclusively targets macOS systems, utilizing AppleScript for execution and LaunchAgents for persistence, a shift from previous Windows-focused attacks. The malware, embedded as an AES-256-CBC-encrypted payload within compiled JavaScript in extensions like `studio-velte-distributor.pro-svelte-extension`, `cudra-production.vsce-prettier-pro`, and `Puccin-development.full-access-catppuccin-pro-extension`, executes after a 15-minute delay. Its capabilities include stealing GitHub, npm, and OpenVSX account credentials, Keychain passwords, and data from over 50 browser crypto extensions and various desktop wallets. Notably, it attempts to replace legitimate hardware wallet applications such as Ledger Live and Trezor Suite with trojanized versions, though this functionality is currently failing due to empty payloads. The campaign maintains its Solana blockchain-based command-and-control (C2) mechanism. Developers who have installed these extensions are advised to remove them immediately, reset GitHub account passwords, revoke NPM tokens, and check their systems for signs of infection or consider a full reinstallation. Severity: Critical Sources https://gbhackers.com/glassworm-malware-2/ https://www.bleepingcomputer.com/news/security/new-glassworm-malware-wave-targets-macs-with-trojanized-crypto-wallets/ https://www.securitylab.ru/news/567691.php Threat Details and IOCs Malware: GlassWorm, js.glassworm, Trojan:JS/GlassWorm.A!MTB, ZOMBI CVEs: CVE-2025-6705 Technologies: Apple macOS, Eclipse Foundation Open VSX Registry, GitHub, Ledger Live, Microsoft Visual Studio, Microsoft Visual Studio Code Marketplace, npm, Open VSX Registry, Trezor Suite Threat Actors: GlassWorm Attacker Countries: Russia Attacker IPs: 140.82.52.31, 217.69.11.60, 217.69.3.218, 45.32.150.251, 45.32.151.157 Attacker Emails: uhjdclolkdn@gmail.com Attacker URLs: 140.82.52.31:80/wall, 45.32.150.251/p2p, http://217.69.3.218/get_arhive_npm/, http://217.69.3.218/qQD%2FJoi3WCWSk8ggGHiTdg%3D%3D, https://calendar.app.google/M2ZCvM8ULL56PD1d6 Victim Industries: Financial Services, Government, Manufacturing, Software, Technology Hardware Victim Countries: Finland, France, Germany, Netherlands, Sweden, United Kingdom, United States Mitigation Advice Scan all developer macOS systems for the presence of the malicious VSCode/OpenVSX extensions 'studio-velte-distributor.pro-svelte-extension', 'cudra-production.vsce-prettier-pro', and 'Puccin-development.full-access-catppuccin-pro-extension' and remove them immediately if found. Inspect the `~/Library/LaunchAgents` and `/Library/LaunchAgents` directories on all developer macOS endpoints for any recently created or suspicious files to detect the GlassWorm malware's persistence mechanism. Require all developers, particularly those using macOS, to immediately reset their GitHub passwords and revoke all active NPM access tokens. Instruct developers who use Ledger Live or Trezor Suite on macOS to verify the integrity of the application files or reinstall them directly from the official vendor websites to ensure they have not been replaced by a malicious version. Compliance Best Practices Develop and implement a corporate policy for Visual Studio Code that restricts extension installation to a pre-approved allow-list of vetted and trusted extensions from verified publishers. Configure Endpoint Detection and Response (EDR) solutions to monitor and alert on suspicious or anomalous AppleScript execution on macOS developer endpoints. Implement a recurring security awareness training program for developers focused on the risks of software supply chain attacks, including how to vet third-party IDE extensions and identify suspicious packages. Enhance SIEM and EDR monitoring to baseline normal LaunchAgent activity on macOS systems and create high-fidelity alerts for the creation of new or modified LaunchAgents by non-standard processes. Review and strengthen network egress filtering policies to restrict or monitor outbound traffic from developer workstations to unusual ports and destinations, including those associated with cryptocurrency blockchains. Stay updated on emerging threats: sign up for the F5 Threat Report to receive the Weekly Threat Report in your inbox.F5 Threat Report - December 31st, 2025
Fortinet Warns of 5-Year-Old FortiOS 2FA Bypass Still Exploited in Attacks Fortinet has issued a warning regarding the continued active exploitation of CVE-2020-12812, a critical FortiOS vulnerability dating back five years. This improper authentication flaw, found in FortiGate SSL VPN, enables threat actors to bypass two-factor authentication (2FA) by manipulating the case of a username. The vulnerability arises from inconsistent case-sensitive matching between local and remote authentication when 2FA is enabled for local users linked to a remote authentication method like LDAP. Fortinet released patches in July 2020 with FortiOS versions 6.4.1, 6.2.4, and 6.0.10, and advised disabling username-case-sensitivity as a workaround. Despite these measures, the flaw is still being exploited, particularly against firewalls with LDAP enabled, under specific conditions where local user entries requiring 2FA are linked to LDAP and belong to an LDAP group configured on the FortiGate. Both the FBI and CISA have previously highlighted the exploitation of CVE-2020-12812 by state-backed hackers and ransomware groups, with CISA adding it to its catalog of known exploited vulnerabilities in November 2021, mandating federal agencies to secure their systems. Severity: Critical Sources https://cyberpress.org/hackers-abuse-3-year-old-fortigate-flaw/ https://gbhackers.com/unpatched-fortigate-security-flaw/ https://meterpreter.org/how-a-capital-letter-bypasses-fortinet-2fa/ https://securityonline.info/hackers-revive-2020-fortigate-flaw-to-bypass-2fa/ https://thehackernews.com/2025/12/fortinet-warns-of-active-exploitation.html https://www.bleepingcomputer.com/news/security/fortinet-warns-of-5-year-old-fortios-2fa-bypass-still-exploited-in-attacks/ https://www.securityweek.com/fortinet-warns-of-new-attacks-exploiting-old-vulnerability/ https://www.techzine.eu/news/security/137548/attackers-exploit-five-year-old-fortinet-vulnerability/ Threat Details and IOCs Malware: Hive, HiveLeaks, Mac.c, MacSync, MacSync Stealer CVEs: CVE-2020-12812 Technologies: Fortinet FortiGate, Fortinet FortiOS, Microsoft Active Directory Threat Actors: APT3, APT35, CharmingKitten, CobaltIllusion, CobaltMirage, COBALT MIRAGE, Hive, ImperialKitten, PHOSPHOROUS, Play Attacker Countries: Iran Victim Industries: Commercial Facilities, Education, Energy, Financial Services, Government, Healthcare, Information Technology, Manufacturing, Technology Hardware, Telecommunications, Transportation Victim Countries: Australia, Canada, France, Germany, Italy, Spain, United Kingdom, United States Mitigation Advice Patch all vulnerable FortiGate firewalls to FortiOS version 6.4.1, 6.2.4, 6.0.10, or a more recent version to remediate CVE-2020-12812. If immediate patching is not feasible, disable username case sensitivity on vulnerable FortiGate firewalls as a temporary workaround to prevent exploitation. Review FortiGate authentication configurations and immediately remove any secondary LDAP groups that are not explicitly required for business operations. Compliance Best Practices Establish a comprehensive vulnerability management program that includes asset inventory, regular scanning, risk-based prioritization, and defined Service Level Agreements (SLAs) for patching internet-facing systems. Develop and enforce security configuration baselines for all network devices, including FortiGate firewalls. Implement a regular, automated audit process to detect and remediate deviations from these approved baselines. Conduct a strategic review of the remote access authentication architecture to identify and simplify complex integrations, such as those between FortiGate local users and remote LDAP directories, in favor of more robust and less error-prone solutions. “Headphone Jacking”: Critical Flaws in Airoha Bluetooth SoCs Hijack Phones via Earbuds A new report from ERNW Enno Rey Netzwerke GmbH details "Headphone Jacking," a series of critical vulnerabilities (CVE-2025-20700, CVE-2025-20701, CVE-2025-20702) found in Airoha Bluetooth Systems on a Chip (SoCs) widely used in popular True Wireless Stereo (TWS) earbuds and headphones from brands like Sony (e.g., WH-1000XM5, WF-1000XM5), JBL (e.g., Live Buds 3), Marshall (e.g., Major V), and Beyerdynamic (e.g., Amiron 300). These flaws stem from an unauthenticated, exposed proprietary diagnostic protocol called RACE, accessible over Bluetooth Classic and BLE, which allows attackers within range to connect to headphones, read/write memory, eavesdrop via the microphone, and spy on media. By chaining these vulnerabilities, attackers can perform "Headphone Jacking," stealing the Bluetooth Link Key from the headphone's flash memory to impersonate the trusted device and hijack the connected smartphone, enabling actions such as triggering voice assistants, sending text messages, or silently accepting calls and receiving audio streams. While some manufacturers are releasing patches, the fragmented Bluetooth market leaves many devices vulnerable, prompting recommendations for immediate firmware updates or, for high-risk individuals, the use of wired headphones. Severity: Critical Sources https://cyberpress.org/new-bluetooth-headphone-vulnerabilities/ https://securityonline.info/headphone-jacking-critical-flaws-in-popular-earbuds-let-hackers-hijack-your-phone/ Threat Details and IOCs CVEs: CVE-2025-20700, CVE-2025-20701, CVE-2025-20702 Technologies: Airoha Bluetooth SoC, Apple iOS, beyerdynamic, Bose, Google Android, Jabra, JBL, Marshall Victim Industries: Consumer Electronics, Semiconductors Victim Countries: Denmark, Germany, Japan, Sweden, Taiwan, United States Mitigation Advice Compile an inventory of all Bluetooth headphones used by employees, cross-referencing the list with the models mentioned in the article (e.g., Sony WH-1000XM5, JBL Live Buds 3) to identify potentially vulnerable Airoha-based devices. Instruct users with identified vulnerable headphone models to immediately check for and apply the latest firmware updates provided by the manufacturer via their respective mobile applications. Issue a security advisory to all employees, with specific guidance for high-risk individuals such as executives and finance personnel, recommending they use wired headphones until their Bluetooth devices are confirmed to be patched. Use the 'RACE Toolkit' released by ERNW to actively scan and verify the vulnerability status of corporate-issued or high-risk employee headphones. Compliance Best Practices Develop and implement a corporate policy governing the use of personal and corporate-issued peripheral devices, including Bluetooth headphones, specifying approved models and minimum security requirements. Establish a formal process for tracking and managing firmware updates for all approved IoT and peripheral devices, including headphones, to ensure they are patched in a timely manner. Update the security awareness training program to include modules on the risks associated with Bluetooth peripherals, teaching users how to update device firmware and recognize signs of compromise. Investigate and deploy Mobile Device Management (MDM) policies to restrict or control Bluetooth pairing on corporate smartphones, allowing connections only to approved and managed peripherals. LangChain Serialization Flaw (CVE-2025-68664) Enables Secret Extraction, Code Execution A critical serialization vulnerability, identified as CVE-2025-68664 (CVSS 9.3) for Python and CVE-2025-68665 (CVSS 8.6) for JavaScript, has been discovered in the LangChain ecosystem, affecting `langchain-core` and LangChain.js packages. Reported by Yarden Porat on December 4, 2025, and internally dubbed "LangGrinch," the flaw stems from improper handling of the internal `lc` key during serialization and deserialization by the `dumps()` and `dumpd()` functions. This allows user-controlled data containing the `lc` key to be misinterpreted as legitimate internal LangChain objects, leading to various impacts including secret extraction from environment variables (when `secrets_from_env` is enabled), arbitrary object creation, instantiation of classes from trusted namespaces, and potential arbitrary code execution via Jinja2 templates. A significant attack vector involves prompt injection through LLM response fields such as `metadata`, ``additional_kwargs`,` or ``response_metadata`.` Patches have been released, with `langchain-core` fixed in versions 1.2.5 and 0.3.81, `@langchain/core` in 1.1.8 and 0.3.80, and `langchain` in 1.2.3 and 0.3.37. These updates introduce an `allowed_objects` parameter for explicit class control during deserialization, disable Jinja2 templates by default, and turn off automatic loading of secrets from the environment. Users are strongly advised to update immediately to mitigate these risks, which underscore how classic deserialization vulnerabilities persist in AI-driven systems where model output must still be treated as untrusted input. Severity: Critical Sources https://cyata.ai/blog/langgrinch-langchain-core-cve-2025-68664/ https://gbhackers.com/critical-langchain-vulnerability/ https://securityonline.info/the-lc-leak-critical-9-3-severity-langchain-flaw-turns-prompt-injections-into-secret-theft/ https://socradar.io/blog/cve-2025-68664-langchain-flaw-secret-extraction/ https://sploitus.com/exploit?id=EEF971FE-5365-544C-A6DE-F7C32033DE93 https://thehackernews.com/2025/12/critical-langchain-core-vulnerability.html https://www.securitylab.ru/news/567625.php Threat Details and IOCs CVEs: CVE-2023-36188, CVE-2024-27302, CVE-2025-68613, CVE-2025-68664, CVE-2025-68665 Technologies: Jinja2, LangChain Core, LangChainGo, Microsoft TypeScript, n8n, Node.js, Python Victim Industries: E-commerce, Financial Services, Food Delivery, Government, Healthcare, IT Services, Legal Services, Logistics, Manufacturing, Professional Services, Recruitment, Retail, Software, Software as a Service (SaaS), Sports and Entertainment, Technology Hardware, Telecommunications Mitigation Advice Update all Python applications using the `langchain-core` package to version 1.2.5 or newer, or to version 0.3.81 or newer, to mitigate CVE-2025-68664. Update all JavaScript/TypeScript applications using the `@langchain/core` package to version 1.1.8 or newer (or 0.3.80 or newer) and the `langchain` package to version 1.2.3 or newer (or 0.3.37 or newer) to mitigate CVE-2025-68665. Perform an immediate scan of all code repositories and deployed applications to identify all instances of the vulnerable `langchain-core`, `@langchain/core`, and `langchain` packages and their versions. In all applications using LangChain, immediately review configurations and explicitly set the `secrets_from_env` (Python) and `secretsFromEnv` (JavaScript) parameters to `false` to prevent unauthorized access to environment variables. Compliance Best Practices Implement a secure development policy that mandates treating all output from Large Language Models (LLMs) as untrusted external input, requiring strict validation and sanitization before it is processed by sensitive functions like deserializers. Refactor all applications that use LangChain's deserialization functions (`load()`, `loads()`) to use the `allowed_objects` parameter, creating a strict allowlist of only the specific classes required for the application to function. Review and re-architect applications using AI/ML frameworks to operate under the Principle of Least Privilege, ensuring their execution environments are isolated and have access to the minimum set of secrets and permissions necessary for their function. Establish a secure baseline configuration standard for all AI/ML frameworks that disables high-risk features, such as remote code execution via templating engines, by default. Require a formal security review and exception process to enable them. Trust Wallet Confirms Extension Hack Led to $7 Million Crypto Theft On December 24, a compromised update to the Trust Wallet Chrome extension, specifically version 2.68.0, resulted in the theft of $7 million in cryptocurrency, with users reporting their wallets drained shortly after interacting with the extension. Security researchers identified malicious code within the 2.68.0 update, which exfiltrated sensitive wallet data, including seed phrases, to an external server hosted at `api.metrics-trustwallet[.]com`, a domain registered just days prior to the incident. Trust Wallet confirmed the security breach, advising affected users to immediately disable version 2.68.0 and update to the secure version 2.69; mobile-only users and other browser extension versions were not impacted. Binance founder Changpeng "CZ" Zhao stated that Trust Wallet would cover the losses. Simultaneously, a phishing campaign emerged, utilizing domains such as `fix-trustwallet[.]com` to impersonate Trust Wallet and solicit users' recovery seed phrases under the pretense of a "vulnerability fix." Users whose wallets may have been compromised are urged to transfer any remaining funds to a new wallet secured with a fresh seed phrase. Severity: Critical Sources https://buaq.net/go-383910.html https://coinedition.com/trust-wallet-confirms-extension-v2-68-security-issue-after-wallet-drains/ https://cyberinsider.com/trust-wallet-suffers-supply-chain-compromise-millions-in-crypto-stolen/ https://cyberpress.org/trust-wallet-chrome-plugin-under-attack/ https://financefeeds.com/trust-wallet-opens-claims-process-after-7m-chrome-extension-hack/ https://financefeeds.com/trust-wallet-reimburse-users-20m-hack-cz-confirms/ https://gbhackers.com/hackers-compromise-trust-wallet-chrome-extension/ https://malwaretips.com/threads/trustwallet-chrome-extension-hacked-%E2%80%93-users-reporting-millions-in-losses.138907/ https://securityonline.info/the-christmas-drain-how-a-backdoor-in-trust-wallet-v2-68-stole-7m/ https://slowmist.medium.com/christmas-heist-analysis-of-trust-wallet-browser-extension-hack-bdb35c3cc6dd?source=rss-4ceeedda40e8------2 https://thehackernews.com/2025/12/trust-wallet-chrome-extension-bug.html https://www.bleepingcomputer.com/news/security/trust-wallet-chrome-extension-hack-tied-to-millions-in-losses/ https://www.bleepingcomputer.com/news/security/trust-wallet-confirms-extension-hack-led-to-7-million-crypto-theft/ https://www.cryptoninjas.net/news/7m-lost-in-trust-wallet-browser-hack-cz-confirms-full-compensation-as-extension-flaw-exposed/ https://www.tronweekly.com/trust-wallet-pledges-to-cover-7m-lost-in/ https://www.tronweekly.com/trust-wallet-to-cover-7m-lost-on-hack/ Threat Details and IOCs Malware: Mac.c, MacSync, MacSync Stealer CVEs: CVE-2023-31290 Technologies: Brave Browser, Google Chrome, Google Chrome Web Store, Microsoft Edge, Opera, Trust Wallet Attacker Countries: North Korea, United Kingdom Attacker Domains: api.metrics-trustwallet.com, fix-trustwallet.com, metrics-trustwallet.com Attacker URLs: https://api.metrics-trustwallet.com, hxxp://api.metrics-trustwallet.com Victim Industries: Blockchain, Financials, Financial Services, Financial Technology, Information Technology, Software, Technology Hardware Victim Countries: Hong Kong, Russia, Singapore, United States, Vietnam Mitigation Advice Add the domains `api.metrics-trustwallet[.]com` and `fix-trustwallet[.]com` to the network firewall's blocklist. Configure the corporate DNS filtering service to block resolution of the domains `api.metrics-trustwallet[.]com` and `fix-trustwallet[.]com`. Use the endpoint management tool to scan all corporate devices for the presence of the Trust Wallet Chrome extension, specifically version 2.68.0, and report any findings to the security team for remediation. Send a company-wide security bulletin warning employees about the Trust Wallet supply chain attack and its associated phishing campaign. Instruct users to never enter credentials or recovery phrases in response to unsolicited prompts and to report suspicious browser behavior. Compliance Best Practices Develop and implement a corporate policy to only allow approved browser extensions on company devices, enforcing this policy via browser management tools like Group Policy or an MDM solution. Establish a formal supply chain risk management process to vet the security posture of all third-party software vendors and applications, including browser extensions, before they are approved for use in our environment. Incorporate modules on the risks of browser extensions and supply chain attacks into the recurring security awareness training program, reinforcing lessons with periodic phishing simulations. Design and implement a network egress filtering policy on the perimeter firewall to deny outbound traffic by default, only allowing connections to known-good, categorized, and business-required destinations. React2Shell Explained (CVE-2025-55182): From Vulnerability Discovery to Exploitation A critical remote code execution (RCE) vulnerability, identified as CVE-2025-55182 and dubbed React2Shell, exists within the React Server Components (RSC) architecture, allowing unauthenticated attackers to execute arbitrary code on vulnerable servers via a single crafted HTTP request. This flaw exploits weaknesses in the React Flight protocol's deserialization process, specifically by manipulating prototype chains and injecting malicious code during server-side rendering. The exploit chain leverages JavaScript's prototype traversal `(`__proto__:constructor`),` the thenable behavior, the `@` syntax for raw chunk objects, forced execution of `initializeModelChunk()`, context confusion through the `_response` object, and blob resolution to trigger the `Function()` constructor with attacker-controlled code. Affected software includes React versions 19.0.0 through 19.2.0, Next.js applications utilizing the App Router (versions 16.0.0-16.0.6, 15.x, and early 16.x releases), and associated serialization libraries like `react-server-dom-webpack`, `react-server-dom-parcel`, and `react-server-dom-turbopack` prior to vendor patches. Due to the widespread adoption of React and Next.js, this vulnerability presents a significant risk, bypassing traditional security defenses. Immediate mitigation requires upgrading to React 19.2.1+ and Next.js 16.0.7+, regenerating all secrets and credentials, implementing WAF/API Gateway rules to detect suspicious React Flight chunk structures or references to `__proto__` or `prototype`, hardening RSC/Next.js deployments with minimal privileges and isolation, and actively hunting for indicators of compromise such as unexpected `.then()` behavior or shell command execution from Node.js processes. Severity: Critical Sources https://arcticwolf.com/resources/blog/cve-2025-55182/ https://arcticwolf.com/resources/blog-uk/cve-2025-55182-critical-remote-code-execution-vulnerability-found-in-react-server-components/ https://arstechnica.com/security/2025/12/admins-and-defenders-gird-themselves-against-maximum-severity-server-vulnerability/ https://blog.checkpoint.com/securing-the-cloud/what-is-react2shell-cve-2025-55182-in-plain-english-and-why-check-point-cloudguard-waf-customers-carried-on-with-their-day/ https://blog.cloudflare.com/5-december-2025-outage/ https://blog.cloudflare.com/react2shell-rsc-vulnerabilities-exploitation-threat-brief/ https://blog.jakesaunders.dev/my-server-started-mining-monero-this-morning/ https://blog.qualys.com/product-tech/2025/12/10/react2shell-decoding-cve-2025-55182-the-silent-threat-in-react-server-components https://blog.securelayer7.net/cve-2025-55182/ https://bluefire-redteam.com/critical-react-next-js-vulnerability/ https://buaq.net/go-379373.html https://buaq.net/go-379393.html https://buaq.net/go-379471.html https://buaq.net/go-379472.html https://buaq.net/go-379487.html https://buaq.net/go-379621.html https://buaq.net/go-379669.html https://buaq.net/go-379678.html https://buaq.net/go-379693.html https://buaq.net/go-379725.html https://buaq.net/go-379832.html https://buaq.net/go-379834.html https://buaq.net/go-379997.html https://buaq.net/go-380062.html https://buaq.net/go-380063.html https://buaq.net/go-380074.html https://buaq.net/go-380124.html https://buaq.net/go-380126.html https://buaq.net/go-380241.html https://buaq.net/go-380275.html https://buaq.net/go-380329.html https://buaq.net/go-381014.html https://buaq.net/go-381261.html https://buaq.net/go-381582.html https://buaq.net/go-382312.html https://buaq.net/go-382608.html https://buaq.net/go-382617.html https://cloud.google.com/blog/products/identity-security/responding-to-cve-2025-55182/ https://cloud.google.com/blog/topics/threat-intelligence/threat-actors-exploit-react2shell-cve-2025-55182/ https://coinedition.com/cloudflare-outage-exposes-centralized-internet-risks-for-crypto-platforms/ https://csirt.divd.nl/cases/DIVD-2025-00042/ https://cxsecurity.com/issue/WLB-2025120005 https://cxsecurity.com/issue/WLB-2025120006 https://cxsecurity.com/issue/WLB-2025120023 https://cyberinsider.com/chinese-hackers-rapidly-exploit-critical-react2shell-flaw/ https://cyberinsider.com/react2shell-exploitation-explodes-as-botnets-now-join-the-fray/ https://cyberinsider.com/react2shell-flaw-threatens-rce-in-39-of-all-cloud-environments/ https://cyberpress.org/2-15m-next-js-sites-found-vulnerable/ https://cyberpress.org/burp-suite-act2shell-vulnerabilities/ https://cyberpress.org/fake-mparivahan-e-challan-apps/ https://cyberpress.org/new-scanner-tool-for-detecting/ https://cyberpress.org/openai-gpt-5-2-codex-vulnerability-detection/ https://cyberpress.org/react2shell-etherrat-deployment/ https://cyberpress.org/react2shell-exploitation-campaign/ https://cyberpress.org/react2shell-vulnerability/ https://cyberpress.org/react2shell-vulnerability-2/ https://cyberpress.org/react2shell-vulnerability-3/ https://cyberpress.org/react2shell-vulnerability-4/ https://cyberpress.org/react4shell-flaw/ https://cyberpress.org/react-and-next-js-vulnerabilities/ https://cyberpress.org/react-server-components-flaw/ https://cyberscoop.com/attackers-exploit-react-server-vulnerability/ https://cyberscoop.com/react2shell-vulnerability-fallout-spreads/ https://cyberscoop.com/react-server-vulnerability-critical-severity-security-update/ https://cybersrcc.com/2025/12/10/critical-security-advisory-on-cve-2025-66478-and-its-active-exploitation-risks/ https://cyberveille.esante.gouv.fr/alertes/react-cve-2025-55182-2025-12-04 https://doublepulsar.com/cybersecurity-industry-overreacts-to-react-vulnerability-starts-panic-burns-own-house-down-again-e85c10ad1607?source=rss----8343faddf0ec---4 https://financefeeds.com/hackers-exploit-javascript-library-to-deploy/ https://gbhackers.com/2-15m-next-js-web-services-exposed-online-active-attacks-reported/ https://gbhackers.com/644k-websites-at-risk-due-to-critical-react-server-components-flaw/ https://gbhackers.com/burp-suite-upgrades-scanner-for-critical-react2shell-flaws/ https://gbhackers.com/cisa-adds-critical-react2shell-vulnerability-to-kev-catalog/ https://gbhackers.com/critical-react2shell-rce-flaw/ https://gbhackers.com/new-scanner-released-to-detect-exposed-reactjs-and-next-js-rsc-endpoints/ https://gbhackers.com/next-js-releases-scanner-react2shell-vulnerability/ https://gbhackers.com/openais-gpt-5-2-codex-boosts-agentic-coding/ https://gbhackers.com/react2shell-rce-vulnerability/ https://gbhackers.com/react2shell-vulnerability/ https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp https://gridinsoft.com/blogs/react2shell-cve-2025-55182-rce/ https://gridinsoft.com/blogs/react2shell-exploitation-china-apt/ https://hackread.com/north-korean-hackers-etherrat-malware-react2shell/ https://horizon3.ai/attack-research/vulnerabilities/cve-2025-55182/ https://industrialcyber.co/threats-attacks/amazon-warns-of-ongoing-exploitation-attempts-by-chinese-hackers-on-react2shell-vulnerability/ https://infosecwriteups.com/from-recon-to-rce-hunting-react2shell-cve-2025-55182-for-bug-bounties-4e3a3ed79876?source=rss----7b722bfd1b8d---4 https://isc.sans.edu/diary/32572 https://isc.sans.edu/diary/rss/32572 https://jfrog.com/blog/2025-55182-and-2025-66478-react2shell-all-you-need-to-know/ https://lab.wallarm.com/update-on-react-server-components-rce-vulnerability-cve-2025-55182-cve-2025-66478/ https://lab.wallarm.com/wallarm-blocks-exploitation-remote-code-execution-vulnerability-react-server-components/ https://malwaretips.com/threads/etherrat-dprk-uses-novel-ethereum-implant-in-react2shell-attacks.138645/ https://malwaretips.com/threads/multiple-threat-actors-exploit-react2shell-cve-2025-55182-according-to-google.138719/ https://malwaretips.com/threads/react2shell-technical-deep-dive-in-the-wild-exploitation-of-cve-2025-55182.138631/ https://meterpreter.org/beyond-the-shell-critical-react2shell-exploit-hits-japan-to-deploy-stealthy-zndoor-rat/ https://meterpreter.org/china-apts-exploiting-react-server-rce-cve-2025-55182-hours-after-disclosure/ https://meterpreter.org/cloudflare-outage-caused-by-frantic-patching-of-critical-react2shell-cve-2025-55182-flaw/ https://meterpreter.org/react2shell-exploit-botnets-target-150k-devices-daily-with-node-js-flaw/ https://news.sophos.com/en-us/2025/12/11/react2shell-flaw-cve-2025-55182-exploited-for-remote-code-execution/ https://nextjs.org/blog/CVE-2025-66478 https://nsfocusglobal.com/react-next-js-remote-code-execution-vulnerability-cve-2025-55182-cve-2025-66478-notice/ https://orca.security/resources/blog/cve-2025-55182-react-nextjs-rce/ https://osintteam.blog/cve-2025-55182-a-pre-authentication-remote-code-execution-in-next-js-complete-guide-e39a35fa3156?source=rss----2983bc435765---4 https://osintteam.blog/react2shell-analysis-domain-level-detection-of-rsc-exposure-11db354612df?source=rss----2983bc435765---4 https://osintteam.blog/react2shell-cve-2025-55182-under-active-attack-analysis-of-global-threat-activity-against-rsc-68eb16c893cc?source=rss----2983bc435765---4 https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components https://rhisac.org/threat-intelligence/react-nextjs-vuln/ https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-react-flight-TYw32Ddb?vs_f=Cisco%20Security%20Advisory%26vs_cat=Security%20Intelligence%26vs_type=RSS%26vs_p=Remote%20Code%20Execution%20Vulnerability%20in%20React%20and%20Next.js%20Frameworks:%20December%202025%26vs_k=1 https://securelist.com/cve-2025-55182-exploitation/118331/ https://securityboulevard.com/2025/12/attackers-worldwide-are-zeroing-in-on-react2shell-vulnerability/ https://securityboulevard.com/2025/12/cloudflare-forces-widespread-outage-to-mitigate-exploitation-of-maximum-severity-vulnerability-in-react2shell/ https://securityboulevard.com/2025/12/dangerous-rce-flaw-in-react-next-js-threatens-cloud-environments-apps/ https://securityboulevard.com/2025/12/exploitation-efforts-against-critical-react2shell-flaw-accelerate/ https://securityboulevard.com/2025/12/google-finds-five-china-nexus-groups-exploiting-react2shell-flaw/ https://securityboulevard.com/2025/12/react-fixes-two-new-rsc-flaws-as-security-teams-deal-with-react2shell/ https://securitylabs.datadoghq.com/articles/cve-2025-55182-react2shell-remote-code-execution-react-server-components/ https://securityonline.info/catastrophic-react-flaw-cve-2025-55182-cvss-10-0-allows-unauthenticated-rce-on-next-js-and-server-components/ https://securityonline.info/critical-react2shell-vulnerability-cve-2025-55182-analysis-surge-in-attacks-targeting-rsc-enabled-services-worldwide/ https://securityonline.info/maximum-severity-alert-critical-rce-flaw-hits-next-js-cve-2025-66478-cvss-10-0/ https://securityonline.info/nexusroute-uncovered-android-rat-impersonates-indian-e-challan-via-github-for-upi-fraud-surveillance/ https://securityonline.info/operation-pcpcat-60000-next-js-servers-hijacked-in-just-48-hours/ https://securityonline.info/react2shell-crisis-critical-vulnerability-triggers-global-cyberattacks-by-state-sponsored-groups/ https://securityonline.info/react2shell-max-score-rce-cvss-10-0-triggers-widespread-exploitation-by-espionage-groups-miners/ https://securityonline.info/react2shell-storm-china-nexus-groups-weaponize-critical-react-flaw-hours-after-disclosure/ https://socprime.com/blog/react2shell-vulnerability-exploitation/ https://socradar.io/blog/react2shell-rce-flaw-react-nextjs/ https://testbnull.medium.com/and-then-and-then-and-then-give-me-the-react2-shell-3c4b60ebaef9?source=rss-6ac51190917c------2 https://thecyberexpress.com/pcpcat-react-servers-nextjs-breach/ https://thecyberexpress.com/react2shell-flaw-exploited-by-chinese-groups/ https://thehackernews.com/2025/12/chinese-hackers-have-started-exploiting.html https://thehackernews.com/2025/12/critical-react2shell-flaw-added-to-cisa.html https://thehackernews.com/2025/12/critical-rsc-bugs-in-react-and-nextjs.html https://thehackernews.com/2025/12/react2shell-exploitation-delivers.html https://thehackernews.com/2025/12/react2shell-exploitation-escalates-into.html https://threatprotect.qualys.com/2025/12/04/react-server-components-rsc-remote-code-execution-vulnerabilities/ https://www.attackiq.com/2025/12/18/cve-2025-55182/ https://www.bitdefender.com/en-us/blog/businessinsights/advisory-react2shell-critical-unauthenticated-rce-in-react-cve-2025-55182 https://www.bleepingcomputer.com/news/security/cloudflare-blames-todays-outage-on-emergency-react2shell-patch/ https://www.bleepingcomputer.com/news/security/critical-react2shell-flaw-exploited-in-ransomware-attacks/ https://www.bleepingcomputer.com/news/security/north-korean-hackers-exploit-react2shell-flaw-in-etherrat-malware-attacks/ https://www.bleepingcomputer.com/news/security/react2shell-critical-flaw-actively-exploited-in-china-linked-attacks/ https://www.bleepingcomputer.com/news/security/react2shell-flaw-exploited-to-breach-30-orgs-77k-ip-addresses-vulnerable/ https://www.catonetworks.com/blog/cato-ctrl-react2shell-vulnerability-targeting-react-server-components/ https://www.computerweekly.com/news/366635992/Cloudflare-fixes-second-outage-in-a-month https://www.computerweekly.com/news/366636015/Cyber-teams-on-alert-as-React2Shell-exploitation-spreads https://www.cybereason.com/blog/cve-2025-55182-rce-vulnerability https://www.cyberkendra.com/2025/12/critical-react2shell-vulnerability.html https://www.cyberkendra.com/2025/12/react2shell-exploited-cisa-issues.html https://www.cyberkendra.com/2025/12/react-patches-two-new-flaws-following.html https://www.darkreading.com/threat-intelligence/react2shell-exploits-flood-internet-attacks-continue https://www.darkreading.com/vulnerabilities-threats/exploitation-activity-ramps-react2shell https://www.esecurityplanet.com/threats/over-600k-sites-exposed-to-critical-react-server-components-flaw/ https://www.esecurityplanet.com/threats/react2shell-rce-flaws-put-react-and-next-js-apps-at-severe-risk/ https://www.greynoise.io/blog/cve-2025-55182-react2shell-opportunistic-exploitation-in-the-wild-what-the-greynoise-observation-grid-is-seeing-so-far https://www.greynoise.io/blog/react2shell-payload-analysis https://www.hackthebox.com/blog/react2shell-cve-2025-55182-threat-spotlight https://www.helpnetsecurity.com/2025/12/04/react-node-js-vulnerability-cve-2025-55182/ https://www.hendryadrian.com/chinese-hackers-exploiting-react2shell-bug-impacting-countless-websites-amazon-researchers-say/ https://www.hendryadrian.com/cloudflare-blames-todays-outage-on-emergency-react2shell-patch/ https://www.hendryadrian.com/cloudflare-outage-caused-by-react2shell-mitigations/ https://www.hendryadrian.com/critical-react2shell-flaw-actively-exploited-in-china-linked-attacks/ https://www.hendryadrian.com/critical-react-next-js-flaw-lets-hackers-execute-code-on-servers/ https://www.hendryadrian.com/critical-vulnerabilities-in-react-server-components-and-next-js/ https://www.hendryadrian.com/cve-2025-55182-react2shell-analysis-proof-of-concept-chaos-and-in-the-wild-exploitation/ https://www.hendryadrian.com/cve-2025-55182-react2shell-remote-code-execution-in-react-server-components-and-next-js-datadog-security-labs/ https://www.hendryadrian.com/detecting-next-js-cve-2025-66478-rce-vulnerability-with-wazuh/ https://www.hendryadrian.com/detecting-react2shell-the-maximum-severity-rce-vulnerability-affecting-react-server-components-and-next-js-sysdig/ https://www.hendryadrian.com/federal-agencies-now-only-have-one-more-day-to-patch-react2shell-bug/ https://www.hendryadrian.com/peerblight-linux-backdoor-exploits-react2shell-cve-2025-55182/ https://www.hendryadrian.com/react2shell-technical-deep-dive-in-the-wild-exploitation-of-cve-2025-55182/ https://www.hendryadrian.com/zero-day-to-zero-hour-react2shell-cve-2025-55182-becomes-one-of-the-most-rapidly-weaponized-rsc-vulnerability/ https://www.hkcert.org/security-bulletin/react-remote-code-execution-vulnerability_20251204 https://www.infosecurity-magazine.com/news/react2shell-exploit-campaigns/ https://www.infosecurity-magazine.com/news/react2shell-under-active/ https://www.infosecurity-magazine.com/news/reactjs-hit-by-react2shell/ https://www.kaspersky.com/blog/react4shell-vulnerability-cve-2025-55182/54915/ https://www.recordedfuture.com/blog/critical-react2shell-vulnerability https://www.recordedfuture.com/blog/the-bug-that-wont-die https://www.resecurity.com/blog/article/react2shell-explained-cve-2025-55182-from-vulnerability-discovery-to-exploitation https://www.resecurity.com/blog/article/synthetic-data-a-new-frontier-for-cyber-deception-and-honeypots https://www.securitylab.ru/news/566820.php https://www.securitylab.ru/news/566886.php https://www.securitylab.ru/news/567053.php https://www.securityweek.com/chinese-hackers-exploiting-react2shell-vulnerability/ https://www.securityweek.com/exploitation-of-react2shell-surges/ https://www.securityweek.com/google-sees-5-chinese-groups-exploiting-react2shell-for-malware-delivery/ https://www.securityweek.com/react2shell-attacks-linked-to-north-korean-hackers/ https://www.securityweek.com/react2shell-in-the-wild-exploitation-expected-for-critical-react-vulnerability/ https://www.securityweek.com/wide-range-of-malware-delivered-in-react2shell-attacks/ https://www.sentinelone.com/blog/protecting-against-critical-react2shell-rce-exposure/ https://www.sysdig.com/blog/detecting-react2shell https://www.sysdig.com/blog/etherrat-dissected-how-a-react2shell-implant-delivers-5-payloads-through-blockchain-c2 https://www.techradar.com/pro/security/maximum-severity-react2shell-flaw-exploited-by-north-korean-hackers-in-malware-attacks https://www.techtarget.com/searchsecurity/news/366636017/News-brief-RCE-flaws-persist-as-top-cybersecurity-threat https://www.techzine.eu/blogs/security/137062/is-react2shell-the-new-log4shell/ https://www.techzine.eu/news/security/137010/meta-warns-of-critical-vulnerability-in-react-server-components/ https://www.techzine.eu/news/security/137035/react2shell-exploited-hours-after-discovery/ https://www.techzine.eu/news/security/137273/three-new-vulnerabilities-discovered-in-react-server-components/ https://www.tenable.com/blog/react2shell-cve-2025-55182-react-server-components-rce https://www.thehackerwire.com/critical-security-flaw-found-in-react-server-components/ https://www.theregister.com/2025/12/03/exploitation_is_imminent_react_vulnerability/ https://www.theregister.com/2025/12/05/aws_beijing_react_bug/ https://www.theregister.com/2025/12/05/react2shell_pocs_exploitation/ https://www.theregister.com/2025/12/12/new_react_secretleak_bugs/ https://www.theregister.com/2025/12/12/vulnerable_react_instances_unpatched/ https://www.theregister.com/2025/12/18/react2shell_exploitation_spreads_as_microsoft/ https://www.trendmicro.com/en_us/research/25/l/critical-react-server-components-vulnerability.html https://www.upguard.com/blog/understanding-and-mitigating-cve-2025-55182-react2shell https://www.uptycs.com/blog/critical-rce-vulnerability-react-server-components-nextjs https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182 https://www.wiz.io/blog/nextjs-cve-2025-55182-react2shell-deep-dive https://www.zscaler.com/blogs/security-research/react2shell-remote-code-execution-vulnerability-cve-2025-55182 Threat Details and IOCs Malware: Agenda, AIRASHI, Aisuru, Akira, Akira_v2, Albiriox, AMOS, ANGRYREBEL, Angryrebel.Linux, ANGRYREBEL.LINUX, Atomic macOS Stealer, Atomic Stealer, Auto-color, Auto-Color, Backdoor.Linux.BPFDOOR, Backdoor.Linux.GHOSTPENGUIN.A, Backdoor.PHP.GODZILLA.B, Backdoor.Solaris.BPFDOOR.ZAJE, BADCALL, Bashlite, Beacon, BEACON, BeaverTail, BlackWidow, BPFDoor, Brickstorm, BrickStorm, BRICKSTORM, Broadside, CatDDoS, Chaos, CinaRAT, Cobalt Strike, Cobalt Strike Beacon, Compood, COMPOOD, CowTunnel, CplRAT, DarkWisp, DDoS.Linux.KAIJI.A, EncryptHub, EncryptHub Stealer, EtherRAT, FARGO, Fast Reverse Proxy, Fickle Stealer, FRP, Gafgyt, GhostPenguin, GhostWebShell, GobRAT, Godzilla, Godzilla Webshell, GO Simple Tunnel, GOST, H2Miner, Hisonic, HISONIC, IceNova, Jackpot, Java/Webshell.AX, JustForFun, Kaiji, Kaiji_Pro, Kinsing, KSwapDoor, Lamia Loader, LamiaLoader, Latrodectus, LizardStresser, Lizkebab, Lotus, Mallox, Mario, Mario ESXi, Masuta, MedusaLocker, Megazord, MetaRAT, Minocat, MINOCAT, Miori, Mirai, MuddyViper, NexusRoute, Nezha, Nezha agent, Nezha Agent, Noodle RAT, NoodleRAT, NoodlerRat, Nood RAT, NosyDoor, NosyStealer, NSPPS, NTPClient, Okiru, OMG, Omni, PCPcat, PeerBlight, PlugX, Predator, PULSEPACK, PwnRig, Qbot, Qilin, Quasar RAT, QuasarRAT, RansomHouse, Rhadamanthys, Rondo, RondoDox, RondoWorm, Satori, Sha1-Hulud, ShadowPad, Shai-Hulud, SilentPrism, Sliver, Snowlight, SnowLight, SNOWLIGHT, Supershell, TargetCompany, ToolShell, Torlus, Unidentified 111, Vshell, VShell, VSHELL, Weaxor, White Rabbit, Wicked, Win64.Coinminer.Xmrig, XMRig, xRAT, XShade, Yggdrasil, ZinFoq, ZnDoor CVEs: CVE-2015-4852, CVE-2021-4034, CVE-2025-1338, CVE-2025-29927, CVE-2025-31324, CVE-2025-55182, CVE-2025-55183, CVE-2025-55184, CVE-2025-61757, CVE-2025-66478, CVE-2025-67779 Technologies: Akamai App & API Protector, Alibaba Cloud, Amazon AWS WAF, Amazon Elastic Compute Cloud (EC2), Amazon Lambda, Amazon Web Services, Amazon Web Services Fargate, AppArmor, busboy, Cloudflare, Dify, DigitalOcean App Platform, Docker, Electron, Expo, Express.js, F5 NGINX, Flask, Git, GitHub, Google Android, Google App Engine, Google Chrome, Google Cloud Armor, Google Cloud Platform, Google Cloud Run, Google Firebase, Google Kubernetes Engine, Koa, Kubernetes, Linux, LobeChat, Meta React Server Components, Microsoft Azure, Microsoft Edge, Microsoft Windows, Node.js, NUUO Camera, Oracle Fusion Middleware, Parcel, Parcel RSC plugin, PHP, PM2, PostgreSQL, Python, PyYAML, React, React Router, RedwoodJS, SAP NetWeaver, SELinux, Shopify React Router, TRENDnet, Vercel, Vercel Next.js, Vercel Turbopack, Vite, Vite plugin-rsc, Waku, Webpack Threat Actors: Angryrebel, APT22, APT29, APT32, APT41, Beavertail, BronzeSnowdrop, CL-STA-1015, CLSTA1015, CozyBear, DeceptiveDevelopment, DecisiveArchitect, DemonicAgents, DEV-0322, DicingTaurus, DragnetPanda, EarthBluecrow, EarthLamia, EarthLumia, ExoticLily, FamousChollima, GoldenFactory, GymkhanaStudio, HiddenOrbit, HoundstoothTyphoon, Jackpot Panda, JackpotPanda, Lamia, Lazarus, LazarusGroup, M00nlight, MUSTANGPANDA, NexusRoute, NickelTapestry, OceanLotus, PCP, PCPcat, PoisonCarp, RedMenschen, RedMenshen, RondoDoX, ShadyPanda, Shathak, Storm-1877, Suckfly, TA551, TunnelBuilders, Unc5174, UNC5267, UNC5342, UNC5454, UNC6586, UNC6588, UNC6595, UNC6600, UNC6603, VimImpersonators, WageMole Attacker Countries: Armenia, Azerbaijan, Belarus, Brazil, Bulgaria, China, Egypt, France, Georgia, Germany, Hong Kong, India, Indonesia, Iran, Ireland, Japan, Kazakhstan, Kyrgyzstan, Laos, Netherlands, North Korea, Panama, Poland, Russia, Singapore, Taiwan, Tajikistan, United States, Uzbekistan Attacker IPs: 102.41.112.148, 103.135.101.15, 104.168.9.49, 104.238.61.32, 107.174.123.91, 115.42.60.223, 128.199.143.161, 140.99.223.178, 143.198.92.82, 146.88.129.138, 149.28.25.254, 154.26.190.6, 154.61.77.105, 154.61.80.242, 154.89.152.240, 156.193.212.244, 156.234.209.103, 16.16.83.161, 162.215.170.26, 169.254.169.254, 171.252.32.135, 172.237.55.180, 172.245.79.16, 173.249.8.102, 176.117.107.154, 177.84.130.195, 183.6.80.214, 185.126.82.162, 185.229.32.220, 185.247.224.41, 185.253.118.70, 192.238.202.17, 193.143.1.153, 193.24.123.68, 193.34.213.150, 194.38.11.3, 194.69.203.32, 196.251.100.191, 196.251.66.201, 200.4.115.1, 206.237.3.150, 207.148.79.178, 209.141.49.251, 212.237.120.249, 212.69.85.41, 216.158.232.43, 216.238.68.169, 217.60.248.193, 23.132.164.54, 23.19.231.97, 23.226.71.197, 23.226.71.200, 23.226.71.209, 23.228.188.126, 23.235.188.3, 2.56.176.35, 31.56.27.76, 31.56.27.97, 31.57.46.28, 37.27.217.205, 38.162.112.141, 38.165.44.205, 38.47.103.117, 38.85.206.203, 39.97.229.220, 40.113.172.145, 41.231.37.153, 43.156.70.172, 45.129.56.148, 45.13.227.97, 45.134.174.235, 45.153.34.41, 45.157.233.80, 45.194.22.139, 45.221.113.96, 45.221.114.250, 45.32.126.137, 45.32.158.54, 45.76.155.14, 45.77.33.136, 46.36.37.85, 47.84.57.207, 47.84.79.46, 47.84.82.8, 47.98.194.60, 48.216.241.15, 49.51.230.175, 5.161.227.224, 51.81.104.115, 51.91.77.94, 52.252.226.141, 54.178.19.122, 59.7.217.245, 65.49.233.42, 67.215.246.10, 67.217.57.240, 68.142.129.4, 68.178.168.171, 72.62.67.33, 78.153.140.16, 80.210.220.54, 80.64.16.241, 8.134.195.179, 82.163.22.139, 82.221.103.244, 8.222.213.56, 87.98.162.88, 89.144.31.18, 91.215.85.42, 92.246.87.48, 95.169.180.135 Attacker Emails: gymkhanastudiodev@gmail.com, gymkhana.studio@gmail.com, support@c3pool.com Attacker Domains: 2f7ac6.ceye.io, 5axzi7.dnslog.cn, anywherehost.site, api.hellknight.xyz, api.qtss.cc, auto.c3pool.org, aws.orgserv.dnsnet.cloud.anondns.net, ax29g9q123.anondns.net, bafybeic6wxbl5h5adfuuh5r7n5vdbjwiy4w7zw42yb3tclutq6lscyefcm.ipfs.dweb.link, c3pool.com, conclusion-ideas-cover-customise.trycloudflare.com, cxsecurity.com, dashboard.checkstauts.site, dht.transmissionbt.com, donaldjtrmp.anondns.net, eth.drpc.org, ethereum-rpc.publicnode.com, eth.llamarpc.com, eth-mainnet.public.blastapi.io, eth.merkle.io, evil.com, f003.backblazeb2.com, gfxnick.emerald.usbx.me, ghostbin.axel.org, gist.github.com, gist.githubusercontent.com, github.com, grabify.link, help.093214.xyz, hybird-accesskey-staging-saas.s3.dualstack.ap-northeast-1.amazonaws.com, inerna1.site, ip.inovanet.pt, keep.camdvr.org, kisandost.online, krebsec.anondns.net, labubu.anondns.net, mail.wrufff.de, mainnet.gateway.tenderly.co, meomeoli.mooo.com, metadata.google.internal, mparivahan1.github.io, newratte.linkpc.net, nodejs.org, overcome-pmc-conferencing-books.trycloudflare.com, packetstormsecurity.com, pool.hashvault.pro, pool.supportxmr.com, proxy1.ip2worlds.vip, raw.githubusercontent.com, react2shell.com, reactcdn.windowserrorapis.com, repositorylinux.xyz, res.qiqigece.top, router.bittorrent.com, router.utorrent.com, rpc.flashbots.net, rpc.mevblocker.io, rpc.payload.de, rtochallan0283837.store, rtochallan09363737.store, rtochallan0963736.store, rtochallan1023456789.store, rtochallan1234567890.space, rtochallan1239542138464.shop, rtochallan5464643779878.online, rtochallan54648481854648.shop, rtochallan55354587558888.store, rtochallan6272526.store, rtochallan6392860193.store, rtochallan7337376.online, rtochallan78658857846758855.space, rtochallan8081458623124.shop, rtochallan8373737.store, rtochallan8373763635.online, rtochallan83937383839282.shop, rtochallan908102.store, rtochallan9087654532.store, rtochallan92727263.store, rtochallan9651382255.shop, sapo.shk0x.net, sup001.oss-cn-hongkong.aliyuncs.com, superminecraft.net.br, t.cnzzs.co, tr.earn.top, usbx.me, vip.kof97.lol, vps-zap812595-1.zap-srv.com, webhook.site, www.asc3t1c-nu11secur1ty.com, www.exploit-db.com, www.patreon.com, xpertclient.net, xss.pro, xwpoogfunv.zaza.eu.org Attacker URLs: 140.99.223.178/32736, 45.134.174.235/2.sh, 45.134.174.235/?h=45.134.174.235&p=80&t=tcp&a=l64&stage=true, 45.134.174.235/solra, auto.c3pool.org:443, bafybeic6wxbl5h5adfuuh5r7n5vdbjwiy4w7zw42yb3tclutq6lscyefcm.ipfs.dweb.link, git@github.com:acheong08/CVE-2025-55182-poc.git, git@github.com:klassiker/CVE-2025-55182.git, git@github.com:msanft/CVE-2025-55182.git, grabify.link/SEFKGU, hsxp://115.42.60.223:61236/slt, http://104.238.61.32:8080/zold, http://154.61.77.105:8082/, http://154.89.152.240/check.sh, http://156.234.209.103:20912/get.sh, http://156.234.209.103:63938/nrCrQ, http://162.215.170.26:3000/sex.sh, http://169.254.169.254/latest/meta-data/iam/security-credentials/, http://172.237.55.180/c, http://173.249.8.102, http://176.117.107.154/bot, http://177.84.130.195/sex.sh, http://177.84.130.195/sex.sh.2, http://185.229.32.220:21642/2lt4de8wgl54wtjgo8/winds, http://193.24.123.68:3001/gfdsgsdfhfsd_ghsfdgsfdgsdfg.sh, http://193.34.213.150/nuts/bolts, http://193.34.213.150/nuts/x86, http://193.34.213.150/x86, http://200.4.115.1/promocionao.php, http://216.158.232.43:12000/sex.sh, http://23.132.164.54/bot, http://23.19.231.97:36169/222, http://23.19.231.97:44719/222, http://23.19.231.97:47023/222, http://23.228.188.126/rondo.aqu.sh, http://23.235.188.3:652/qMqSb, http://23.235.188.3:REDACTED, http://31.56.27.76/n2/x86, http://31.57.46.28/test.sh, http://40.113.172.145/EdgeConsulting/frontend/sex.sh, http://41.231.37.153/rondo.aqu.sh, http://45.32.158.54/5e51aff54626ef7f/x86_64, http://45.76.155.14/vim, http://46.36.37.85:12000/sex.sh, http://47.84.82.8/index, http://47.84.82.8/upload, http://48.216.241.15/newsite/sex.sh.2, http://51.81.104.115/nuts/poop, http://67.217.57.240:5656/domains, http://67.217.57.240:5656/health, http://67.217.57.240:5656/result, http://67.217.57.240:5656/stats, http://67.217.57.240:666/files/proxy.sh, http://67.217.57.240:666/files/react.py, http://78.153.140.16/re.sh, http://8.222.213.56/index, http://89.144.31.18/nuts/bolts, http://89.144.31.18/nuts/x86, http://91.215.85.42:3000, http://91.215.85.42:3000/crypto/keys, http://anywherehost.site/xb/runner.zip, http://anywherehost.site/xb/systemd-devd.$(uname-m), http://anywherehost.site/xms/k1.sh?grep, http://anywherehost.site/xms/kill2.sh, http://anywherehost.site/xms/su, http://anywherehost.site/xms/t1.ps1, http://api.qtss.cc:443/en/about?source=redhat&id=v1.0, http://api.qtss.cc:443/en/about?source=redhat&id=v1.1, http://api.qtss.cc:443/en/about?source=redhat&id=v1.21136868377216160297393798828125, http://ax29g9q123.anondns.net, http://gfxnick.emerald.usbx.me/bot, http://help.093214.xyz:9731/fn32.sh, http://inerna1.site/xb/runner.zip, http://inerna1.site/xb/systemd-devd.x86_64, http://inerna1.site/xms/k1.sh, http://inerna1.site/xms/t1.ps1, http://ip.inovanet.pt/systemprofile.zip, http://keep.camdvr.org:8000/BREAKABLE_PARABLE10, http://keep.camdvr.org:8000/BREAKABLE_PARABLE5, http://keep.camdvr.org:8000/d5.sh, http://metadata.google.internal/computeMetadata/v1/, https://api.qtss.cc:443/en/about?source=redhat&id=v1.2, https://c3pool.com, https://cxsecurity.com/, https://eth.drpc.org, https://ethereum-rpc.publicnode.com, https://eth.llamarpc.com, https://eth-mainnet.public.blastapi.io, https://eth.merkle.io, https://f003.backblazeb2.com/file/mova12/98201-1-8/bot, https://gist.github.com/HerringtonDarkholme/87f14efca45f7d38740be9f53849a89f, https://gist.github.com/maple3142/48bc9393f45e068cf8c90ab865c0f5f3, https://gist.githubusercontent.com/demonic-agents/39e943f4de855e2aef12f34324cbf150/raw/e767e1cef1c3538689ba4df9c6f7f29a6afba1a/setup_c3pool_miner.sh, https://github.com/assetnote/react2shell-scanner, https://github.com/ChaIIan-94, https://github.com/explore-delhi, https://github.com/hackersatyamrastogi/react2shell-ultimate/, https://github.com/l4rm4nd/CVE-2025-55182, https://github.com/lachlan2k/React2Shell-CVE-2025-55182-original-poc, https://github.com/Legus-Yeung/CVE-2025-55182-exploit/, https://github.com/levi-gundert/NextRce_RSC_Exploit, https://github.com/msanft/CVE-2025-55182, https://github.com/nu11secur1ty/CVE-nu11secur1ty/blob/main/2025/flask-3.0.0-RCE/PoC.py, https://github.com/pavan202006/NextGen-mParivahan, https://github.com/pyroxenites/Nextjs_RCE_Exploit_Tool/, https://github.com/xmrig/xmrig/releases/latest, https://github.com/yunaranyancat/CVE-2025-55182-NSE/blob/main/CVE-2025-55182.nse, https://github.com/zack0x01/CVE-2025-55182-advanced-scanner-, https://grabify.link/SEFKGU, https://grabify.link/SEFKGU?dry87932wydes/fdsgdsfdsjfkl, https://mainnet.gateway.tenderly.co, https://mparivahan1.github.io/chk1/, https://nodejs.org/dist/v20.10.0/node-v20.10.0-linux-x64.tar.gz, https://nodejs.org/dist/v20.10.0/node-v20.10.0-linux-x64.tar.xz, https://packetstormsecurity.com/, https://raw.githubusercontent.com/C3Pool/xmrig_setup/master/setup_c3pool_miner.bat, https://raw.githubusercontent.com/C3Pool/xmrig_setup/master/setup_c3pool_miner.sh, https://raw.githubusercontent.com/C3Pool/xmrig_setup/master/xmrig.tar.gz, https://raw.githubusercontent.com/laolierzi-commits/phpbd/refs/heads/main/rjs/filemanager-standalone.js, https://raw.githubusercontent.com/nezhahq/scripts/main/agent/install.sh, https://react2shell.com/, https://repositorylinux.xyz/cron.sh, https://repositorylinux.xyz/script_kill.ps1, https://rpc.flashbots.net/fast, https://rpc.mevblocker.io, https://rpc.payload.de, https://sup001.oss-cn-hongkong.aliyuncs.com/123/python1.sh, https://t.me/Persy_PCP, https://t.me/teampcp, https://tr.earn.top/Log.php?id=, http://superminecraft.net.br:3000/sex.sh, https://webhook.site/63575795-ee27-4b29-a15d-e977e7dc8361, https://www.asc3t1c-nu11secur1ty.com/, https://www.exploit-db.com/, https://www.patreon.com/posts/flask-3-1-2-rce-145264728, https://www.patreon.com/posts/ultimate-for-cve-146576050, hxxp://103.135.101.15/wocaosinm.sh, hxxp://104.238.61.32:8080/zold, hxxp://115.42.60.223:61236/slt, hxxp://146.88.129.138:5511/443nb64, hxxp://154.89.152.240/check.sh, hxxp://156.234.209.103:20912/get.sh, hxxp://156.234.209.103:20913/get.sh, hxxp://162.215.170.26:3000/sex.sh, hxxp://172.237.55.180/b, hxxp://172.237.55.180/c, hxxp://176.117.107.154/bot, hxxp://185.229.32.220:21642/2lt4de8wgl54wtjgo8/winds, hxxp://193.24.123.68:3001/gfdsgsdfhfsd_ghsfdgsfdgsdfg.sh, hxxp://193.34.213.150/nuts/bolts, hxxp://193.34.213.150/nuts.sh, hxxp://193.34.213.150/nuts/x86, hxxp://194.38.11.3:1790/b.sh, hxxp://194.69.203.32:81/hiddenbink/colonna.arc, hxxp://194.69.203.32:81/hiddenbink/colonna.i686, hxxp://194.69.203.32:81/hiddenbink/react.sh, hxxp://196.251.100.191/no_killer/Exodus.arm4, hxxp://196.251.100.191/no_killer/Exodus.x86, hxxp://196.251.100.191/no_killer/Exodus.x86_64, hxxp://196.251.100.191/update.sh, hxxp://207.148.79.178:6608/sys.sh, hxxp://216.158.232.43:12000/sex.sh, hxxp://23.132.164.54/bot, hxxp://31.56.27.76/n2/x86, hxxp://31.56.27.97/scripts/4thepool_miner.sh, hxxp://38.165.44.205/1, hxxp://38.165.44.205/k, hxxp://38.165.44.205/s, hxxp://39.97.229.220:8006/httd, hxxp://41.231.37.153/rondo.aqu.sh, hxxp://41.231.37.153/rondo.arc700, hxxp://41.231.37.153/rondo.armeb, hxxp://41.231.37.153/rondo.armebhf, hxxp://41.231.37.153/rondo.armv4l, hxxp://41.231.37.153/rondo.armv5l, hxxp://41.231.37.153/rondo.armv6l, hxxp://41.231.37.153/rondo.armv7l, hxxp://41.231.37.153/rondo.i486, hxxp://41.231.37.153/rondo.i586, hxxp://41.231.37.153/rondo.i686, hxxp://41.231.37.153/rondo.m68k, hxxp://41.231.37.153/rondo.mips, hxxp://41.231.37.153/rondo.mipsel, hxxp://41.231.37.153/rondo.powerpc, hxxp://41.231.37.153/rondo.powerpc-440fp, hxxp://41.231.37.153/rondo.sh4, hxxp://41.231.37.153/rondo.sparc, hxxp://41.231.37.153/rondo.x86_64, hxxp://45.32.158.54/5e51aff54626ef7f/x86_64, hxxp://45.76.155.14/vim, hxxp://46.36.37.85:12000/sex.sh, hxxp://47.84.57.207/index, hxxp://47.84.82.8/index, hxxp://47.84.82.8/upload, hxxp://51.81.104.115/nuts/bolts, hxxp://51.81.104.115/nuts/x86, hxxp://51.91.77.94:13339/termite/51.91.77.94:13337, hxxp://59.7.217.245:7070/app2, hxxp://59.7.217.245:7070/c.sh, hxxp://68.142.129.4:8277/download/c.sh, hxxp://8.222.213.56/index, hxxp://89.144.31.18/nuts/bolts, hxxp://89.144.31.18/nuts/x86, hxxp://95.169.180.135:8443/pamssod, hxxp://anywherehost.site/xb/runner.zip, hxxp://anywherehost.site/xb/systemd-devd.$(uname-m), hxxp://anywherehost.site/xms/k1.sh, hxxp://anywherehost.site/xms/k1.sh?grep, hxxp://anywherehost.site/xms/kill2.sh, hxxp://anywherehost.site/xms/su, hxxp://anywherehost.site/xms/t1.ps1, hxxp://ax29g9q123.anondns.net, hxxp://donaldjtrmp.anondns.net:1488/labubu, hxxp://gfxnick.emerald.usbx.me/bot, hxxp://help.093214.xyz:9731/FF22, hxxp://help.093214.xyz:9731/fn32.sh, hxxp://inerna1.site/xb/runner.zip, hxxp://inerna1.site/xb/systemd-devd.x86_64, hxxp://inerna1.site/xms/k1.sh, hxxp://inerna1.site/xms/t1.ps1, hxxp://ip.inovanet.pt/systemprofile.zip, hxxp://keep.camdvr.org:8000/BREAKABLE_PARABLE10, hxxp://keep.camdvr.org:8000/BREAKABLE_PARABLE5, hxxp://keep.camdvr.org:8000/d5.sh, hxxp://krebsec.anondns.net:2316/dong, hxxp://labubu.anondns.net:1488/dong, hxxp://meomeoli.mooo.com:8820/CLoadPXP/lix.exe?pass=PXPa9682775lckbitXPRopGIXPIL, hxxp://res.qiqigece.top/nginx1, hxxps://216.238.68.169/ReactOS, hxxps://72.62.67.33/meshagents?id=w%40Exooh1EQmSgfpvXk%24Kctk3F4RFhqP5EYgH2mHXjcZDuo3H61xfEs%24OKLnWsj6D&installflags=0&meshinstall=6, hxxps://api.hellknight.xyz/js, hxxps://api.qtss.cc:443/en/about?source=redhat&id=v1.0, hxxps://api.qtss.cc:443/en/about?source=redhat&id=v1.1, hxxps://api.qtss.cc:443/en/about?source=redhat&id=v1.2, hxxps://conclusion-ideas-cover-customise.trycloudflare.com, hxxps://ghostbin.axel.org/paste/evwgo/raw, hxxps://gist.githubusercontent.com/demonic-agents/39e943f4de855e2aef12f34324cbf150/raw/e767e1cef1c35738689ba4df9c6f7f29a6afba1a/setup_c3pool_miner.sh, hxxps://hybird-accesskey-staging-saas.s3.dualstack.ap-northeast-1.amazonaws.com/agent, hxxps://overcome-pmc-conferencing-books.trycloudflare.com/p.png, hxxps://raw.githubusercontent.com/C3Pool/xmrig_setup/master/setup_c3pool_miner.sh, hxxps://sup001.oss-cn-hongkong.aliyuncs.com/123/python1.sh, hxxps://tr.earn.top/Log.php?id=SHA1, hxxp://superminecraft.net.br:3000/sex.sh, hxxp://vps-zap812595-1.zap-srv.com:3000/sex.sh, hxxp://xpertclient.net:3000/sex.sh, hybird-accesskey-staging-saas.s3.dualstack.ap-northeast-1.amazonaws.com/agent, reactcdn.windowserrorapis.com:443/?h=reactcdn.windowserrorapis.com&p=443&t=tcp&a=l64&stage=true, tcp://vip.kof97.lol:443 Attacker Hashes: 011a62df99e52c8b73e259284ab1db47, 025f5e04e54497242749ec480310fd7e, 025f5e04e54497242749ec480310fd7e3ba4d5e0cf0557f03ee5a97a2de56511, 02d43e18172ed9a1be8edc44781228ba, 0450fe19cfb91660e9874c0ce7a121e0, 05f4407eb2e413c3babdc3054e6db032cadc51b2, 0972859984decfaf9487f9a2c2c7f5d2b03560a0, 0bc65a55a84d1b2e2a320d2b011186a14f9074d6d28ff9120cb24fcc03c3f696, 0f0f9c339fcc267ec3d560c7168c56f607232cbeb158cb02a0818720a54e72ce, 13675cca4674a8f9a8fabe4f9df4ae0ae9ef11986dd1dcc6a896912c7d527274, 1663d98c259001f1b03f82d0c5bee7cfd3c7623ccb83759c994f9ab845939665, 18c68a982f91f665effe769f663c51cb0567ea2bfc7fab6a1a40d4fe50fc382b, 1a3e7b4ee2b2858dbac2d73dd1c52b1ea1d69c6ebb24cc434d1e15e43325b74e, 1cdd9b0434eb5b06173c7516f99a832dc4614ac10dda171c8eed3272a5e63d20, 1ce4b6a89d2daa0cab820711d8424a7676ef5ff2, 1e31dc074a4ea7f400cb969ea80e8855b5e7486660aab415da17591bc284ac5b, 1e54a769e692a69d74f598e0b1fdb2949f242de3, 1f3f0695c7ec63723b2b8e9d50b1838df304821fcb22c7902db1f8248a812035, 20e1465fd07f0d4e19c299fb0d9af8e5ec1b21d2, 264e1a820b8b3bbd13325955f06aff2678c69935, 267b27460704e41e27d6f2591066388f, 2937c58115c131ae84a1b2a7226c666f6a27ef88, 2b0dc27f035ba1417990a21dafb361e083e4ed94a75a1c49dc45690ecf463de4, 2ca913556efd6c45109fd8358edb18d22a10fb6a36c1ab7b2df7594cd5b0adbc, 2cd41569e8698403340412936b653200005c59f2ff3d39d203f433adb2687e7f, 2ebed29e70f57da0c4f36a9401a7bbd36e6ddd257e0920aa4083240afa3a6457, 33641bfbbdd5a9cd2320c61f65fe446a2226d8a48e3bd3c29e8f916f0592575f, 34551bca762be99d732c0ced6ad8b0a2f7b11ad7, 3854862bb3ee623f95d91fa15b504e2bbc30e23f1a15ad7b18aedb127998c79c, 3a7b89429f768fdd799ca40052205dd4, 3ba4d5e0cf0557f03ee5a97a2de56511, 3ba7c58df9b6d21c04eaa822738291b60c65b7c8, 3efbaca4b784bc49455565d443232c72, 470ce679589e1c3518c3ed2b818516f27ccad089, 4745703f395282a0687def2c7dcf82ed1683f3128bef1686bd74c966273ce1c5, 4a74676bd00250d9b905b95c75c067369e3911cdf3141f947de517f58fc9f85c, 4a759cbc219bcb3a1f8380a959307b39873fb36a9afd0d57ba0736ad7a02763b, 4cbdd019cfa474f20f4274310a1477e03e34af7c62d15096fe0df0d3d5668a4d, 4ec926d579c8540e4eb8e4eff3d0fc9060410ce5218293ddebd9ddb36e76b7e6, 4ff096fbea443778fec6f960bf2b9c84da121e6d63e189aebaaa6397d9aac948, 533585eb6a8a4aad2ad09bbf272eb45b, 55ae00bc8482afd085fd128965b108cca4adb5a3a8a0ee2957d76f33edd5a864, 5a6fdcb5cf815ce065ee585a210c19d1c9efb45c293476554bf1516cc12a1bab, 5bde055523d3b5b10f002c5d881bed882e60fa47393dff41d155cab8b72fc5f4, 5d368356bd49c4b8e3c423c10ba777ff52a4f32a, 622f904bb82c8118da2966a957526a2b, 622f904bb82c8118da2966a957526a2ba51a5c1e7d2bc3f7b2e3489f92a55d46, 62e9a01307bcf85cdaeecafd6efb5be72a622c43a10f06d6d6d3b566b072228d, 65d840b059e01f273d0a169562b3b368051cfb003e301cc2e4f6a7d1907c224a, 661d3721adaa35a30728739defddbc72b841c3d06aca0abd4d5e0aad73947fb1, 6957c6d7f21f698d5ce6734dc00aeddc317d5875c3fd16b8b4a54259e02c46c5, 6e43e26fa62dfa89fe8b016dc831a9ec44507af9, 73000ab2f68ecf2764af133d1b7b9f0312d5885a75bf4b7e51cd7b906b36e2d4, 732226c0966fe29116b147e893c35ce7df1c8f1a, 776850a1e6d6915e9bf35aa83554616129acd94e3a3f6673bd6ddaec530f4273, 791f123b3aaff1b92873bd4b7a969387, 7c2d9c6ae9c811c62e67a6279fec0b68047a031eae674d3d5f9279a4ec7e8a25, 7c8010d9ab6dfdc7a99aba7075a793260acbf2b8, 7d25a97be42b357adcc6d7f56ab01111378a3190134aa788b1f04336eb924b53, 7e90c174829bd4e01e86779d596710ad161dbc0e02a219d6227f244bf271d2e5, 7f05bad031d22c2bb4352bf0b6b9ee2ca064a4c0e11a317e6fedc694de37737a, 7fe3826fc7b90e20c9fe76a7891eff350d73b6b3, 858874057e3df990ccd7958a38936545938630410bde0c0c4b116f92733b1ddb, 876923709213333099b8c728dde9f5d86acfd0f3702a963bae6a9dde35ba8e13, 88af4a140ec63a15edc17888a08a76b2, 895f8dff9cd26424b691a401c92fa7745e693275c38caf6a6aff277eadf2a70b, 8fee14142577734282aa1f53ea2e5cddaf4a588de40e7b179b13855330077b96, 91152e6ffe0474b06bb52f41ab3f3545ac360e64, 92064e210b23cf5b94585d3722bf53373d54fb4114dca25c34e010d0c010edf3, 9c931f7f7d511108263b0a75f7b9fcbbf9fd67ebcc7cd2e5dcd1266b75053624, 9e9514533a347d7c6bc830369c7528e07af5c93e0bf7c1cd86df717c849a1331, a26c70f34d35f78f0b95bf402d513f69e196720576d9115dba0efdb4c57deb81, a455731133c00fdd2a141bdfba4def34ae58195126f762cdf951056b0ef161d4, a51a5c1e7d2bc3f7b2e3489f92a55d46, a605a70d031577c83c093803d11ec7c1e29d2ad530f8e95d9a729c3818c7050d, aaca45131c5a5a95d384431e415474f7ca7f4b8e296fc4ef46ecb07218434e1b, aba3e587430fae0877a2e0fb07866427a092dc4eccb0db17715d62b7a7c0c992, ac2182dfbf56d58b4d63cde3ad6e7a52fed54e52959e4c82d6fc999f20f8d693, ac7027f30514d0c00d9e8b379b5ad8150c9827c827dc7ee54d906fc2585b6bf6, b38ec4c803a2d84277d9c598bfa5434fb8561ddad0ec38da6f9b8ece8104d787, b568582240509227ff7e79b6dc73c933dcc3fae674e9244441066928b1ea0560, b5acbcaccc0cfa54500f2bbb0745d4b5c50d903636f120fc870082335954bec8, b63860cefa128a4aa5d476f300ac45fd5d3c56b2746f7e72a0d27909046e5e0f, bc31561c44a36e1305692d0af673bc5406f4a5bb2c3f2ffdb613c09b4e80fa9f, be86823d73a01266b096dab1628cfa2e4ca77265, bf602b11d99e815e26c88a3a47eb63997d43db8b8c60db06d6fbddf386fd8c4a, bf9d7224e709b4ac90a498418af20d3a, c2867570f3bbb71102373a94c7153239599478af84b9c81f2a0368de36f14a7c, c38c21120d8c17688f9aeb2af5bdafb6b75e1d2673b025b720e50232f888808a, c3924fc5a90b6120c811eb716a25c168c72db0ba, c50db4734195579e83834b2a84758ceae13a61420568eb596224ff8e48ea415a, c6381ebf8f0349b8d47c5e623bbcef6b, c67e8aa881317cb32d7c36b2e3c0c5cfa21bf5e3, c6c7e7dd85c0578dd7cb24b012a665a9d5210cce8ff735635a45605c3af1f6ad, d033d0e44b4f4be7ca3b8d063ea95699d1c894896ef912bf52c2296bc73f8838, d17e958bf9b079c7ca98f54324e6c2f31e9c1d4c7945e8bc190895c08c762655, d3c897e571426804c65daae3ed939eab4126c3aa3fa8531de5e8f0b66629fe8a, d3e7b234cf76286c425d987818da3304, d60461b721c0ef7cfe5899f76672e4970d629bb51bb904a053987e0a0c48ee0f, d6e97c9783f0907f1ee9415736816e272a9df060, d704541cde64a3eef5c4f80d0d7f96dc96bae8083804c930111024b274557b16, d71779df5e4126c389e7702f975049bd17cb597ebcf03c6b110b59630d8f3b4d, d9313f949af339ed9fafb12374600e66b870961eeb9b2b0d4a3172fd1aa34ed0, da33bda52e9360606102693d68316f4ec1be673e, ddbbd528c3d0bcdd39617676c85dde33, df3f20a961d29eed46636783b71589c183675510737c984a11f78932b177b540, e2d7c8491436411474cef5d3b51116ddecfee68bab1e15081752a54772559879, e82057e481a2d07b177d9d94463a7441, ebdb85704b2e7ced3673b12c6f3687bc0177a7b1b3caef110213cc93a75da837, f1ee866f6f03ff815009ff8fd7b70b902bc59b037ac54b6cae9b8e07beb854f7, f347eb0a59df167acddb245f022a518a6d15e37614af0bbc2adf317e10c4068b, f6083acf5fde12d17fb5b3098242e92a48cbf122, f88ce150345787dd1bcfbc301350033404e32273c9a140f22da80810e3a3f6ea, fb3a6bdf98d5010350c04b2712c2c8357e079dec2d2a848d0dc2def2bafcc984, fc9e53675e315edeea2292069c3fbc91337c972c936ca0f535da01760814b125 Victim Industries: Aerospace, Artificial Intelligence, Automotive, Business Services, Cloud Infrastructure, Computer and Electronic Product Manufacturing, Construction, Consulting Services, Consumer Electronics, Consumer Packaged Goods, Critical Manufacturing, Cryptocurrency, Defense, E-commerce, Education, Energy, Financial, Financial and Insurance, Financials, Financial Services, Food & Beverage, Gambling & Gaming, Gaming, Government, Healthcare, Hospitality, Human Resources, Industrials, Information Technology, Internet & Cloud Services, Internet of Things (IoT), Internet Service Providers, IT Services, Legal and Professional Services, Legal Services, Logistics, Managed Security Service Provider (MSSP), Management Consulting, Manufacturing, Marketing & Advertising, Media and Entertainment, Multimedia, Online Gambling, Professional Services, Public Administration, Public Sector, Publishing, Real Estate, Retail, Social Media, Software, Sports and Entertainment, Supply Chain, Technology Hardware, Telecommunications, Transportation, Transportation & Logistics, Travel, Universities, Web Hosting Victim Countries: Afghanistan, Antigua and Barbuda, Argentina, Australia, Austria, Bahamas, Bahrain, Barbados, Belgium, Belize, Bolivia, Brazil, Brunei, Bulgaria, Cambodia, Canada, Chile, China, Colombia, Costa Rica, Croatia, Cuba, Cyprus, Czech Republic, Denmark, Dominica, Dominican Republic, Ecuador, Egypt, El Salvador, Estonia, Finland, France, Germany, Greece, Grenada, Guatemala, Guyana, Haiti, Honduras, Hong Kong, Hungary, India, Indonesia, Iran, Iraq, Ireland, Israel, Italy, Jamaica, Japan, Jordan, Kazakhstan, Kuwait, Kyrgyzstan, Laos, Latvia, Lebanon, Lithuania, Luxembourg, Malaysia, Malta, Mexico, Mongolia, Myanmar, Nepal, Netherlands, New Zealand, Nicaragua, Nigeria, North Korea, Oman, Pakistan, Palestine, Panama, Paraguay, Peru, Philippines, Poland, Portugal, Qatar, Romania, Russia, Rwanda, Saint Kitts and Nevis, Saint Lucia, Saint Vincent and the Grenadines, Saudi Arabia, Singapore, Slovakia, Slovenia, South Africa, South Korea, Spain, Suriname, Sweden, Switzerland, Syria, Taiwan, Thailand, Timor-Leste, Trinidad and Tobago, Turkey, United Arab Emirates, United Kingdom, United States, Uruguay, Venezuela, Vietnam, Yemen Mitigation Advice Upgrade all applications using React Server Components to React version 19.2.1 or later. Upgrade all Next.js applications that use the App Router to version 16.0.7 or later. Immediately rotate all API keys used by applications running vulnerable versions of React or Next.js. Immediately rotate all database credentials used by applications running vulnerable versions of React or Next.js. Immediately rotate all cloud infrastructure access tokens (e.g., AWS IAM roles, GCP service accounts, Azure Managed Identities) associated with environments running vulnerable applications. Implement WAF rules to block or alert on HTTP POST requests to React Server Component endpoints that contain `__proto__` or `prototype` keywords in the request body. Actively hunt for indicators of compromise by searching application and server logs for suspicious POST requests to RSC endpoints or evidence of shell command execution originating from Node.js processes. Compliance Best Practices Review and reconfigure service accounts for applications using React Server Components to ensure they operate under the principle of least privilege, with minimal necessary OS and cloud permissions. Implement network segmentation policies to strictly control traffic between application servers, databases, and internal services, preventing lateral movement from a compromised web server. Modify the deployment process for web applications to use read-only file systems or immutable container images, preventing attackers from persisting malware on the server. Establish a secure coding program to audit all application components that perform data deserialization, ensuring they strictly validate and sanitize all client-provided input before processing. Integrate an automated dependency scanning tool, such as Snyk or Dependabot, into the CI/CD pipeline to continuously monitor for and alert on newly discovered vulnerabilities in third-party libraries. Stay updated on emerging threats: sign up for the F5 Threat Report to receive the Weekly Threat Report in your inbox.F5 Threat Report - December 24th, 2025
CISA Warns ASUS Live Update Backdoor Is Still Exploitable, Seven Years On The Cybersecurity and Infrastructure Security Agency (CISA) has added a vulnerability in ASUS Live Update, tracked as CVE-2025-59374 with a CVSS score of 9.3, to its catalog of Known Exploited Vulnerabilities (KEV), indicating active exploitation. This utility, preinstalled on ASUS devices for firmware and software updates, was previously compromised in a sophisticated 2018 supply chain attack attributed to Chinese state-sponsored actors, which inserted a backdoor. Although the attack initially targeted a small, specific group of approximately 600 devices based on hashed MAC addresses, millions may have downloaded the backdoored utility. While support for ASUS Live Update has been discontinued, it continues to provide updates, making the legacy software a persistent risk for unintended actions on affected devices. Users are urged to update ASUS Live Update to version 3.6.8 or later, either through the utility itself or by manually downloading the latest version from the official ASUS website for their specific device model, to mitigate known security issues and avoid third-party sources due to the history of supply chain abuse. Severity: Critical Sources https://gbhackers.com/actively-exploited-asus-vulnerability-added-to-cisas-kev-list/ https://thehackernews.com/2025/12/cisa-flags-critical-asus-live-update.html https://www.malwarebytes.com/blog/news/2025/12/cisa-warns-asus-live-update-backdoor-is-still-exploitable-seven-years-on https://www.securityweek.com/cisa-warns-of-exploited-flaw-in-asus-update-tool/ Threat Details and IOCs Malware: Backdoor:Win32/Shadowpad.AA!MSR, PassCV, ShadowHammer, ShadowPad, Trojan.Win32.Agentb.jqco, Winnti CVEs: CVE-2025-59374 Technologies: ASUS, Microsoft Windows Threat Actors: APT41, Barium, BrassTyphoon, WickedPanda, Winnti Attacker Countries: China Attacker IPs: 141.105.71.116 Attacker Domains: asushotfix.com, liveupdate01.asus.com Attacker URLs: hxxp://liveupdate01.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER365.zip Victim Industries: Gaming, Government, Healthcare, Pharmaceuticals, Sports and Entertainment, Technology Hardware, Telecommunications Victim Countries: South Korea, Taiwan, United States Mitigation Advice Use asset inventory systems to generate a report of all ASUS-manufactured devices operating within the environment. Uninstall the ASUS Live Update utility from all identified corporate ASUS devices. Add the domain 'asushotfix[.]com' to network firewall and web proxy blocklists. Run a full endpoint scan with your EDR or antivirus solution to detect infections related to the 'ShadowHammer' campaign, ensuring signatures are updated to detect 'HEUR:Trojan.Win32.ShadowHammer.gen'. Compliance Best Practices Develop and implement a software lifecycle management policy to audit, track, and remove end-of-life and unsupported applications from all corporate systems on a recurring basis. Establish a supply chain risk management program to formally assess the security posture of software vendors and validate the integrity of third-party software updates before enterprise-wide deployment. Deploy an application control solution, such as Windows AppLocker or a similar tool, to enforce an allowlist of approved software and block the execution of unauthorized or non-essential utilities. Configure perimeter firewalls to enforce a default-deny egress filtering policy, allowing outbound connections only for explicitly approved services, protocols, and destinations required for business operations. UK Government Confirms Foreign Office Cyber Attack The UK government confirmed a cyber attack on the Foreign, Commonwealth and Development Office (FCDO) in October, stating there was a low risk of personal data compromise, though Trade Minister Chris Bryant indicated the perpetrator was unclear despite reports attributing it to the China-based Storm 1849 group. This group was previously linked to exploiting zero-day vulnerabilities in Cisco Adaptive Security Appliance (ASA) equipment, known as the "ArcaneDoor" campaign, which led to a National Cyber Security Centre (NCSC) warning in September about the risks of end-of-life Cisco systems. The FCDO breach reportedly involved access to confidential data and documents, potentially including visa details, and has fueled criticism regarding a national digital ID scheme and the government's "One Login" system. The year 2025 was marked by numerous high-profile cyber attacks, including ransomware incidents affecting Jaguar Land Rover (which impacted the UK economy), Co-op, Marks & Spencer, Oxford City Council, Harrods, multiple airports, Glasgow City Council, Adidas, and Peter Green Chilled, in addition to attacks on four London councils, with Westminster confirming data exfiltration. Severity: Critical Sources https://www.computerweekly.com/news/366636539/UK-government-confirms-Foreign-Office-cyber-attack https://www.hendryadrian.com/uk-confirms-foreign-office-hacked-says-low-risk-of-impact-to-individuals/ Threat Details and IOCs Malware: AquaPurge, AquaShell, AquaTunnel, Line Dancer, Line Runner, LINE VIPER, RayInitiator, ReverseSSH CVEs: CVE-2024-20353, CVE-2024-20359, CVE-2025-20333, CVE-2025-20362, CVE-2025-20363, CVE-2025-20393 Technologies: Cisco Adaptive Security Appliance, Cisco AsyncOS, Cisco Firepower Threat Defense Software Threat Actors: STORM1849, Uat4356, UAT9686 Attacker Countries: China Victim Industries: Automotive, Defense, Financial Services, Government, Healthcare, Logistics, Public Sector, Retail, Telecommunications, Transportation Victim Countries: Belgium, Germany, United Kingdom Mitigation Advice Apply the latest security patches to all Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices to mitigate the vulnerabilities associated with the ArcaneDoor campaign. Review logs and system configurations on all Cisco ASA devices for indicators of compromise related to the ArcaneDoor campaign, such as unexpected reboots, unauthorized configuration changes, or suspicious credential activity. Compliance Best Practices Create an inventory of all network perimeter devices and prioritize the replacement of any Cisco Adaptive Security Appliance (ASA) models that are at or near their end-of-life (EoL) date. Establish and enforce a formal hardware and software lifecycle management policy that mandates the replacement of any network or security appliance before it reaches its end-of-support date. Implement network segmentation to create security zones that isolate critical servers and data from user workstations and other less-sensitive areas, thereby limiting an attacker's lateral movement capabilities. CVE-2025-68260: First Rust Vulnerability in Linux Kernel's Android Binder Driver A vulnerability, designated CVE-2025-68260, has been identified and fixed in the Linux kernel, marking the first CVE formally assigned to Rust code in the mainline kernel. This issue, reported by Greg Kroah-Hartman, affects the Android Binder driver, which was rewritten in Rust. The core of the bug is an unsafe operation within the Rust-based Binder implementation where an element is removed from a linked list while another thread concurrently manipulates the same `prev/next` pointers. Specifically, the `Node::release` function's logic involved moving elements to a temporary stack-based list before releasing a lock, creating a race condition if another thread performed an unsafe removal on the original list. This could lead to memory corruption, ultimately causing kernel crashes, exemplified by "Unable to handle kernel paging request" errors in the `rust_binder` module. The vulnerability was introduced in Linux 6.18 (commit `eafedbc7c050c44744fbdf80b7513`) and resolved in 6.18.1 (commit `3428831264096d32f830a7fcfc7885dd263e511a`) and 6.19-rc1 (commit `3e0ae02ba831da2b707905f4e602e43f8507b8cc`), with the fix involving a rewrite of `Node::release` to extract elements directly from the original list. Upgrading to a current stable kernel release is strongly recommended as a mitigation. Severity: Critical Sources https://cyberpress.org/linux-kernel-rust-component-hit-by-vulnerability/ https://gbhackers.com/new-linux-kernel-rust-vulnerability/ https://securityonline.info/rusts-first-breach-cve-2025-68260-marks-the-first-rust-vulnerability-in-the-linux-kernel/ https://www.cyberkendra.com/2025/12/first-rust-vulnerability-in-linux.html https://www.phoronix.com/news/First-Linux-Rust-CVE Threat Details and IOCs Malware: Akira, Akira_v2, Aqua, AquaShell, Cl0p, Clop, CryptoMix, Megazord CVEs: CVE-2025-68260 Technologies: Google Android, Linux Attacker Hashes: 3428831264096d32f830a7fcfc7885dd263e511a, 3e0ae02ba831da2b707905f4e602e43f8507b8cc Victim Industries: Consumer Electronics, Information Technology, Manufacturing, Retail, Technology Hardware, Telecommunications, Transportation Victim Countries: United States Mitigation Advice Execute the command 'uname -r' on all Linux hosts to create an inventory of running kernel versions and identify all systems running version 6.18. For all systems identified with the vulnerable kernel version 6.18, schedule and apply an upgrade to a patched stable version (6.18.1 or newer) and reboot the system to activate the new kernel. Compliance Best Practices Implement a formal patch management policy that mandates the review, testing, and deployment of operating system security updates on a defined, recurring schedule (e.g., monthly). Audit the kernel configuration of production Linux servers to identify and disable non-essential kernel modules, creating a hardened baseline configuration that reduces the overall attack surface. Configure system logging and monitoring tools to collect kernel logs from all Linux hosts and create high-priority alerts for messages containing terms like 'kernel panic', 'Oops', or 'Unable to handle kernel paging request'. APT35 Leak Unveils Spreadsheets Containing Domain, Payment, and Server Information A recent data leak, dubbed Episode 4, has exposed the operational infrastructure of the Iran-linked threat actor APT35 (Charming Kitten), revealing a bureaucratic and meticulously managed cyber apparatus rather than a loose hacker collective. The leaked files, including `0-SERVICE-Service.csv`, `0-SERVICE-payment BTC.csv`, and `1-NET-Sheet1.csv`, detail the group's procurement, funding, and administration processes. `0-SERVICE-Service.csv` contains over 170 rows linking domains, registrars like EDIS Global, NameSilo, and ImprezaHost, along with more than 50 ProtonMail aliases and 80 email-password pairs, complete with pricing and renewal information. `0-SERVICE-payment BTC.csv` documents 55 Bitcoin transactions, averaging $56 (0.0019 BTC) each, processed via Cryptomus between October 2023 and December 2024, with small, recurring transfers designed to evade regulatory scrutiny. Finally, `1-NET-Sheet1.csv` lists network ranges and IP allocations, including blocks under AS203391 and AS21340, across European hosting providers, with several traced to active VPS rentals. These records also link APT35's procurement network to the Moses Staff hacktivist group, with the domain "moses" appearing in the service ledger and shared ProtonMail accounts, indicating administrative support for Moses Staff's operations. This leak highlights the "economic engine" behind Iranian cyber operations, demonstrating how long-term intrusion campaigns are sustained through spreadsheet-managed budgets and micro-crypto payments. Severity: High Sources https://cyberpress.org/apt35-leak/ https://dti.domaintools.com/the-apt35-dump-episode-4-leaking-the-backstage-pass-to-an-iranian-intelligence-operation/ https://gbhackers.com/apt35-leak/ https://www.securitylab.ru/news/567373.php Threat Details and IOCs Malware: DCrSrv, DCSrv, PyDCrypt, StrifeWater, StrifeWater RAT CVEs: CVE-2012-1823, CVE-2018-13379, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-31207, CVE-2021-34473, CVE-2021-34523, CVE-2021-44228, CVE-2022-30190, CVE-2024-1709 Technologies: Ivanti Connect Secure, Microsoft 365, Microsoft Exchange Server, Microsoft Windows Threat Actors: AbrahamsAx, APT35, CharmingKitten, MosesStaff Attacker Countries: Iran Attacker IPs: 109.125.132.66, 109.230.93.128, 109.230.93.128/29, 1.235.222.140, 128.199.237.132, 185.103.130.16, 185.103.130.16/30, 185.212.193.240, 185.212.193.240/29, 195.191.44.73, 212.12.178.178, 212.175.168.58, 83.96.77.227 Attacker Emails: 3cx@protonmail.com, abrahamsax@protonmail.com, ali.rezaei@protonmail.com, amir.hossein@protonmail.com, bashiriansul@proton.me, bbmovement@protonmail.com, bbmovement@protonmail.com, b.laws32@proton.me, bulgaria@protonmail.com, carlos.patel@protonmail.com, clark.norman@protonmail.com, clarknorman@protonmail.com, clark.norman@proton.me, cou.nic@protonmail.com, cybersonix@protonmail.com, cybersonix@protonmail.com, edgar.evseev@protonmail.com, edgarevseev@protonmail.com, edgar.evseev@proton.me, fatemeh.hashemi@protonmail.com, gdavies007@proton.me, hossein.alizadeh@protonmail.com, jhjbmuugtfftdd@proton.me, john.porter857@protonmail.com, julius.yermolayev@protonmail.com, juliusyermolayev@protonmail.com, julius.yermolayev@proton.me, kanplus@protonmail.com, karaj@protonmail.com, kashef@protonmail.com, leviscross@protonmail.com, levis.cross@proton.me, lolita259@proton.me, mahabosman@protonmail.com, maja.bosman@protonmail.com, maja.bosman@proton.me, maryam.safari@protonmail.com, mehdi.karimi@protonmail.com, mekhaeel.kalashnikova@protonmail.com, mekhaeelkalashnikova@protonmail.com, mekhaeel.kalashnikova@proton.me, mekhaeelkalashnikova@proton.me, meriyalee@protonmail.com, meriyalee@protonmail.com, misvps@protonmail.com, mlw.services.313@protonmail.com, molden5@protonmail.com, mosesstaff.io@protonmail.com, mosesstaff@protonmail.com, nansi.morad@protonmail.com, narges.moradi@protonmail.com, reza.mohammadi@protonmail.com, rona_yanga@proton.me, sanjilankopylova@proton.me, sara.ahmadi@protonmail.com, secnetdc@protonmail.com, serversamane@protonmail.com, sheldon.bayer@protonmail.com, sheldonbayer@protonmail.com, sheldon.bayer@proton.me, shirley7070@proton.me, shirley.bishop@protonmail.com, shirleybishop@protonmail.com, shirley.bishop@proton.me, sskmt@protonmail.com, tecret@protonmail.com, termite@protonmail.com, timothyefimov@protonmail.com, vpn@protonmail.com, zahra.ebrahimi@protonmail.com Attacker Domains: bbmovements.com, cavinet.org, dreamy-jobs.com, israel-talent.com, israel-talent.xyz, kanplus.org, misvps.io, modernizmir.net, moses-staff.io, moses-staff.se, moses-staff.to, secnetdc.com, sskmt.com, tecret.com, termite.nu, wazayif-halima.org Attacker URLs: http://dreamy-jobs.com Victim Industries: Aerospace, Defense, Education, Energy, Financial Services, Government, Information Technology, Legal Services, Manufacturing, Multimedia, Transportation & Logistics, Utilities Victim Countries: Afghanistan, Bulgaria, Chile, Cyprus, Germany, India, Israel, Italy, Jordan, Kuwait, Netherlands, Russia, Saudi Arabia, South Korea, Turkey, United Arab Emirates, United Kingdom, United States Mitigation Advice Block all inbound and outbound traffic to and from IP ranges associated with Autonomous System Numbers AS203391 and AS21340 at the network firewall. Conduct an emergency scan for and prioritize patching of vulnerabilities known to be exploited by APT35, including ProxyShell (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) and Log4Shell (CVE-2021-44228). Configure email security gateways to block or quarantine emails originating from ProtonMail domains to mitigate phishing attempts from this threat actor. Obtain the list of 80 leaked email-password pairs from threat intelligence providers and immediately search all authentication logs and systems for any matches, forcing password resets and investigating any accounts found. Use EDR or other system scanning tools to perform a targeted search across all endpoints and file shares for the filenames `0-SERVICE-Service.csv`, `0-SERVICE-payment BTC.csv`, and `1-NET-Sheet1.csv`. Compliance Best Practices Implement a continuous security awareness training program that includes phishing simulations based on APT35's known TTPs, such as credential harvesting from fake login pages. Develop a phased rollout plan to enforce phishing-resistant Multi-Factor Authentication (MFA), such as FIDO2 security keys, for all user accounts, prioritizing externally-facing services and privileged access. Implement a strict network egress filtering policy that denies outbound traffic by default and only allows connections required for business operations through an explicit approval process. Establish a formal vendor risk management program to assess and monitor the security posture of third-party service providers, including domain registrars and hosting companies. NuGet Malware Mimic: .NET Integration Library Steals Crypto Wallets and OAuth Tokens ReversingLabs researchers have identified a sophisticated malware campaign targeting the .NET developer ecosystem through the NuGet package manager, active since July 2025. This campaign involves 14 malicious packages designed to mimic legitimate cryptocurrency libraries, employing social engineering tactics like homoglyph attacks (e.g., "Netherеum.All" impersonating "Nethereum"), version bumping, and artificially inflated download counts. The packages are categorized into three groups: "Wallet Stealers" (e.g., Netherеum.All, SolnetPlus) exfiltrate private keys, seed phrases, and Wallet Import Format (WIF) keys via a `Shuffle` function to a dynamically generated URL like solananetworkinstance[.]info; "Funds Redirectors" (e.g., Coinbase.Net.Api) inject a `MapAddress` function into `SendMoneyAsync` to silently overwrite destination addresses for transactions exceeding $100; and "OAuth Credential Theft" packages (e.g., GoogleAds.API) exfiltrate Google Ads OAuth Client IDs, secrets, and developer tokens, enabling fraudulent ad spending. Despite NuGet's mandatory two-factor authentication, attackers bypassed defenses through social engineering, with packages published by authors such as AngelDev, DamienMcdougal, and jackfreemancodes. Developers are advised to scrutinize package publish dates and author histories rather than relying solely on download metrics. Severity: Critical Sources https://cyberpress.org/malicious-nuget-package/ https://gbhackers.com/nuget-malware/ https://hackread.com/nuget-malicious-packages-steal-crypto-ad-data/ https://securityonline.info/poisoned-dependencies-how-nethereum-all-and-10m-fake-downloads-looted-net-crypto-developers/ https://www.reversinglabs.com/blog/nuget-malware-crypto-oauth-tokens Threat Details and IOCs Malware: GachiLoader, NBitcoin.Unified, Nethereum.All, Netherеum.All, Phantom Stealer, SolnetAll, Stealerium Technologies: Coinbase Wallet, Google Ads, Google Ads API, Microsoft .NET Framework, Microsoft NuGet, NBitcoin, Nethereum, NuGet, Solana, Solnet Attacker IPs: 176.113.82.163 Attacker Domains: solananetworkinstance.info Attacker URLs: hxxps://solananetworkinstance.info/api/gads Attacker Hashes: 03ff8f5352e42dbb0f2e60ae9bc36b27c35860b3, 05a29102d2769834b87cf8505cf64fb910625d1e, 08aeac51c5af03a3dd769d339fb8a4b08729a4de, 0907e15fceae4ac81383ea576a44b71ed1a9643a, 09618bc8f2dde467890403b5ad71ab8349dd7339, 0a70ea53f4ade70ce2616522ffb601ee1778c0ea, 0ad97d12add68d0e998d40d69c9e4b189f4a9588, 0b267bc5cbba9a96b3c7ecf56222776fccf8d13e, 0efe44b572d3fd481cb16a47dd3b7516c104d4d2, 10094b31992f597142dff3a01b16874459ca9d4b, 10206b3d71e972a415c26d8275080a2b1d91554d, 10e6d3c4bc327409b7f2af76be4153dbe470e0af, 1128c17ebe42617d75277987b384a6a15f1d7000, 11c46b9a5235b24370dec636e0bc2f8d8cfbc0ba, 130b16b10b1e6a5e235097630f9b8fa2251fb7ce, 14a567ef4b0c4cc480056d951dcca6d3648c5a73, 157c0f2d09621c37d638fcc42d9c6bc7107f018f, 16553a6418a4035c5a3c5b66482fad3189039beb, 169539b741d054a01e91707d8ac0008474785b58, 174716911ef4bec98a2defd165a27eb4752e61ad, 182de4f79db336e706391ef7a3431a5a4cbfde77, 1876c5cc5cb5d8c10aab3d4b479e1561f3fd5e6a, 18df861bbf1b00ce4046dce4d952be5bf6f3f825, 19774417312a7204716176d86101a53e1ec7de83, 1a8549071a86de50bb78f51ed3e5ebfcd4c3942b, 1a9493f509371d9dc1056958337d7b74798f5661, 1a986ac0865ee9c34227b049d3959e3de14a6509, 1c0d4ecd29ea197b41cd65409b89d9b8620812fe, 1c9bd2aed6739155d256981990cfa814ce0f77b6, 1cde8da0dd07326657eba749806541b767d93aac, 1cf71a5de91d7a90673b389a15cffdfb3915682d, 1f6dbf2a29e85ee6b31d57004125d42b73e079b5, 20c146f2205a96925b14f18059aca1ff38d5dcb8, 232a17f920a526ea6ef57b854589f97faeb53994, 232f619a8444cd8b484ece901accb45a6be2df1e, 29c4f29a2c6d7929eba10301f6d861a5591cbe56, 2a32919bffc04b3c4c124b8383f5eedad457c4d5, 2ce05bc2380a97fca39f84c54fc14f8c9a26545a, 2d1007c76962cac395abb38a20216b7b02feae4a, 310cdb353ba2dda94989f65b20de4f67e0cff93a, 316a9b6cd308d2de74cf3bfcf51e75919b71e8ea, 32876e3127fbbd329ba10ff2e2844aa8d5205b29, 32ea26acb233b573b3e4f1b874f9768d11751e38, 345a8837b87936cedf37f62e4a2014481a4e0d24, 34da48fa43e4325ed448f47bd4570079b320dd22, 36276d55f741825d42eff099d4f79b9c1b19a5a6, 3654ff5509d494b29f418b042c7c8a02fe46a127, 37b17099788e0b5b3f7b5c4a9175c271f43bc1f2, 3841005cd1aacc0ae8f8f5907d38daefd1582b20, 385b8a72dbd18dae1b8e4e310fcdbb38ed288307, 3c094cd90d2f83b1c4e3f0a391ef0871d2ffaf95, 3da74f705246b95e07c5d459488e5f48befe10f7, 3e29b26f141cfb7532b6cfb277f32c7191b4b915, 3f98fb94b3268e9c6e2c6cad120d762bd2c136bb, 3fe9db489407533718e6246c4a56994561326da7, 40cd8703d940c4f3fe880c7292a6b92a099a7f5e, 456eecf8311491a242c0984918936d422185a881, 457136952da8784d6c4cede431d816d99b60c327, 461a9192674bdf2c29fa586cdb7c2cd733d66663, 4697e60cc77722eb3e7567899fb4a6d56db2487d, 476411c66c27227574a51466d44a05d14c5cf647, 47fa246f312ae447fa3849a33644fbdc91c1b3c5, 4a43f89ce32f3c4c7dedfbd782c2cb4d3834478c, 4d21fbe0c099b9e21db89fef5d167ba6593265ec, 4e38e286139bdb93d9760279171634745e1f531d, 4eb148d83d9a3f5c1187a9d8d5a0e85459fa9c87, 5149d3e9eda7ae65116d7e0780294191c153de5c, 51c5304ac9cb69505bc6182d05b0aa18356d01c7, 52620426caf465180318147db633f2ce26efe35d, 528adc0d2e7a6e1357aa3676a69bc43648f99776, 52b078c85b5a76d8f97feb3701d9d6ff0de4e284, 52fd4d3a3e1f62fdffb94d5745bb0a543a3ff780, 53997fafbe623aa5bda1ea56db224c8d8827d860, 53d099e308b65232f2a878730ce01af9b85ea08c, 5469b29c9848b785d9f993973f0fc59dff993dcd, 5558c729ce1d1b0a9b7d9567bfc825686d4d13cc, 56da8268211cd9b3806e8ad4a3d9f6b017773872, 575dc8c4e7fb9deb3826f546c442c0c96364a0d7, 57ec7112931de3ce7ba4502e1fa5299ad148085d, 5853de4cfbbbf9313d0c07ed5f54d00acc57cec8, 5882be86bda0108432d74f8b00364ef57bf7864f, 58e42f6d7762505f5ef7d70caee8fe4fb3e6939f, 59ccbc15564036c46447e510b040e9f0b3d65fe4, 5cefe3a11a27572136c1363f963b7d3205c47915, 5d337ae9885c310d02512e4fbdd80d4012410c4b, 5dd1ed264cede60268515aaa4fedb4bb7c39e1f0, 5f52ae106239e4f38ba278f575216736a3541ae0, 5fc1b9d3d1bfc8033cd22e59dc3b0e1084c2abb1, 5fcaa9633c79ee0fe0b92d1a50e0c855a7a339ac, 60a10913c7209c169c08cc95415501228ed6c190, 61b9de7fcc3e50533afbe6684bfadc8a7a3116e4, 62d0408d04580c9269f18efc5f6ef77b138d6c07, 667422e49dd772521d98afdb5e3d1b28932ef92e, 67b720c373f2f419c1a9dfa9076623676d0d9e9a, 6911ebd9335115c217ad996c66d3cf283b03503d, 6933371ae2bf4cf4fa5af8fb22b8d7a5afdf1334, 6a46ddaa83ca62ba5051741b9c7d3ca0821b7592, 6a482d405135104991292e75b1c1483463a3fc64, 6aa4a534ced10e137992ff514fbdccc590032899, 6ab4ea8808fbeca07b627d93b4623ed7a8c855f1, 6b01128dd88845de610cbcc95b61930cefab5fdd, 6e6416fe7df1febc384301d1e57d6d6d0fe419a5, 70fd70c3b07899c472724e08af492c07fba02f4f, 716142789814a181bd0b207e36255c0eacae3918, 71f5b45a7ea86737fd83e7af3edc549244e1143a, 73b20663a3e8605c09c11842809d78cce829eb0e, 73dcf1d461b0d2b3ebeee56c61458475e2c22575, 74083896f0c74c87b8e951880b40b98edd0829ab, 746620fd7a2e95935afbe299ded82fd88c108ca7, 746cfd19100f7c33e3c459d68fa98849bfb4774c, 78aee77335e800a51d7bce8cfd8d7da272e32750, 7a0304bbde9782b6a903c67b0ebc4684aff21692, 7a39bf8e572fce19a18909f3d022b231e0e14eb7, 7add61312ddd21f524c253a67ae2d85be4f99d19, 7b5b190ca5778fa1d3116734c0cbc1ccdb883817, 7ce96efdf37c1b98b7f801363dd4c639a46663a2, 7dcf458ce124b1ef88ab456c052a5989c213818a, 7e01e044c480c7e3647be88da1b8741e3304a561, 7e55a5e24829ab196ff26f6d8ee40d2c9ff45343, 82f96da4cf96d076848e7358f6dd24c089bbf5e2, 83bf02af6b681182a274c0d60e35b5bf3cdcfefa, 86819f74f2c0c97a69266cb0a17c63bb31b9651a, 86b1d3712644631b1b363e74a393816646232816, 87c22069e002f28cd5ae615c8d603b8e4c67a817, 87c46a3997de4c5c8b51bab0e3b5021726237fac, 8a2ac011763b06aaf566d23892391e563bda7c36, 8b1a06de6635be56009d8eec236bdad18734f9ab, 8b264896adeca78c1bd653c288321800a16e1f95, 8b53f692a1bbc0be65cfc161f0cf90c6be3c698e, 8c69d88224b6b7a1e3069ad44e07dcf6c1fc9696, 8e88e49530b464e5d22a03b57cd47b03d5af30d9, 8ea2556c2e0b3a36acbaf6397977cd9888ebc222, 8f812048e7471867c2322481a3c4ebdcbe9fb8d6, 8fe92eb9e875a51629dd48660cf6d3fbbf28df01, 901151376b9c44b8d25dfa55d9e35a6862bcd808, 90a3fba12c7c394b5b6e60d68f5fc0dea8a1994f, 90d272a5e53d9d128e826216742ab7e149055e72, 916a5f26c3ae694620dd69c3d9c807907982aaf4, 916ad2a01cef76047ef622e7701f79c671710202, 92bc8caa5a736faaa9a576763cd8fa04ce627702, 953491446afeb169c0247c3afe9df83ff1c3c860, 96342bf9937286e863fb794ed3a74dd18e8dfc07, 971715a2a50fd2ec54a50f2679fc4cbca2306fc0, 9812aac1de9c57b006cb3355ec3cc1d879c8e3b6, 9891b0fae7769adbe3fb986748d5dc84202169cc, 991ba17dc340c3a33dded6199ee2529a06b41674, 994a072c85febd71f65ca470b0fbf6fafce64b38, 99a80f47cf5439877088c23b061331ddac8f346f, 99b88373d48273c2a2d2e9ac4b4680f19312f3aa, 9a020d9727e3ef215c5aba35e68ec420ce892d78, 9a084686fb5dd62aefd59a9c8bddb07e8eb6fbe9, 9a18401c7d8aff223c5b0cd7d4ee6a989afdbf63, 9bef50f330c4f6bbd62897b320847418688afe10, 9d3d7573979e22fb11da05db3ec004b18aae08d5, 9fe95bc153e64854c8c3c11ff406f8df1db5b00c, a02ed8ef30323f3cdd54df42d564a035ab52317e, a16281e36ac1376268f90f8c9656dcafb02f418b, a301153605eee5a2ffb80728d9c8d4d122026e76, a3a8e75f7b6c66373a38820296f1837026988734, a3e7690e1af94641351aab1e2203674dcd5c768a, a3f3b9ce5e89ccb36de9566d4f12b0c495554a18, a4c70c1803b9a81f88c967b738c36830c8555a66, a5e35d3b9ef6766bac1d66103788c5595d47953c, a6a0452dded3a963fa403fc5ade9a89acf92bb74, a845202d5040185974d1a986eb42380d4c1662f6, aa23a65caddade19ade5c99122dff8a5bd5ec513, aa7f08a8def57c9adfa04174d0730139303fb9a1, ab0eb4dbc78441868951a03d0cc639ec8eaf2e8d, ab6557c3b350facfef4abbd351365368e38017c5, ac1bf32b2ebe1cb70622fa3fdc65a066001e16e4, ad14acc3862e0ef5a096d6f744358131a8be0fae, ad5869daa3a63889f953158f84e0f1a99de2c516, ad77ae6f47d60a5218d5fcab7fcd0fc7ddfc5d44, ae33843dfe79475f3f58374a16eec7b175392d3b, ae908e3dab4a228b03b2e32156ace35e7bad79ce, b146df7b3b0b162e2d5e4aa9cdffce21c854b541, b179f7979143d2ce07f3837099fd2940506d4f12, b1f3ad0a7e4b8173baf9866d39807ceab0fa4ffe, b269c1d6c4e2aea61ee7d8358e2f1a2408adf7df, b314482e6346be36a4fae3a965dc4d21be5af020, b42b7fb966498104e726eb675065a7590d765aa8, b730bd077801f57a7e827ea00ec7fd964dfbaf7b, b7fa31a6da1c95e599ce3078404b3efa4668a6bb, b84bb9c557f5fa4168b09d93119b074d40df2d6b, b9702d3ca9894f2cab51de43901b7f4c4a658eab, ba79071ba7628916b4ced6ccb93d7fba82272f9a, bae1bf585ed8abd948f7b2a0f337da4d1a31b5e5, bcf22c449c1dadef96bc6042bcc18d20b4db2965, bd2d6aa6ed5f3e394ea651693b6b9c28058ab370, be8590abce6219aa6581df3d9411ecbbaa73e692, c1f03e0e76ddce47826572a91865a946fdf01204, c53b91501151fa4bb820456b5ea1253cffb5070a, c6249d3c4ea9dfbef0156c4dcf3999b0274ef270, c70c8fec3387e5f32a798c0f697ce72df45b2b0c, c71993c4c1e92a88059d1a278e29968af3aa84b2, c789b6cc93f298cf7cce2975b53a970c9c5ee3bf, c9d40e5f7effe57a16e6dfaef8aace617c82bd31, caefe957befb93e0d20e9d1b4a114c574321be89, cceca9475b29b0afe273fe1e00332e7d3ec52552, cdb2b23a7cfe9b8776e757d67f094bbfebc02de3, cdcfd4f8dfd5b815eed2b328899d1e55d8d6582d, ce8060e2401ca49e9445122f57b467c07b8e4686, ce9d108c0d0bf5a75c965b4cb04cb38b786108d4, cf7c56e73b9dd670b500ae5d50f6d37a633794d1, cfce69a52a25fd4924892dc1a1838bb196c1e3e8, cfd72a92e2ddec0954dd43df5c06fe702673e606, d11e9df40727d3ae453309c681654f07701a44e1, d14d888744c49f7a7e67e5abc0955ccec2fc31b0, d3af0cd42892e7075c31be4fd08271640c91ab90, d53651fdc3a0c3cf42b83b3d20327be3b810aff0, d8447113afb073a363aebaeea377b3d0a151f65c, d933d97e6725132ac717da4d21e3043d6406c8a8, d9357152d648bcd9f83c4bd66e22187437f19d3a, d93fc7c8b82719f0538ee33102fba689e562187e, d9998997d0186467de88c41308df1351d64825d1, dac0bfc8b9983ff1bff649d1648c8f9e30c8cb68, dad2d61356bd57d7212e81d1f1b47f5153300e07, dad97925ad91943de87879b00ec45be1ab6c29da, dc4a4579cf784be3bba98a1ab2dd08d0c00a4cb1, dd6c262538f5452a0dd343ce05eff7d0b463bbdf, dee343519ad4a9b6c8a7be36b2c9c95a17a3a347, e0b041f5ce0e4458782734dba455cc7c22927cbf, e0fe2ab98dfad287feb9b08adfcf7ea6632e7c76, e1627ed04f36c396f8d3a80ba2211429934b1e49, e1d399818a2960b83184934e9c2f431e53fb88bc, e43ad112bda98d4bd8c8c247cb37110d6e56a7a1, e7f7b50b8eb4d52d60e33b2753c969518db223ae, e8bb49debb66c90f3c82e1e2102b423889eb4560, ec381ffa97255fe6fe32f3e1c4cca0876b1c17c8, ec49820ad8ac06a60300ac77a0d0d444f2e07269, ed3525c36d61601a36e6f5908f1103ed397f111e, ed4ff3cc664afea95b072af39b750e8bf6e4d7dc, edbabb8d170d795ed9b7452e4f895e3d658f1868, ef5f6cf6c7869ee6f2cb46430e0e9e9dc0a60376, efa8335bad0bf75a130f61f7944d86ab253cba42, f0ccc91433b7e6b6d47d9813cf6d9d86a9a28baf, f12a2492385d382c11133c37265e4c3082f3b018, f15759160ee919a9f41c6adc7f68937fe8fa879f, f1936d99858a7facd6ee922073479a606844522b, f235cb9abde5e88fa647f4b41370c84e56ce3099, f39470c88f34fb639d291b59db595b1ab19a2900, f3a028991baf032ddcb62f03276f030875675e13, f48be90c73ddb5a0e273d4012ae20350495314ab, f7fa8e5b4cebb4f83b3a15b8bc72251094785eee, f80239f9376dfe08c35756910caadd49eaeae300, f81607d4db058c20c5441f8a11b56c5190feae89, f92a7fa4650d13b86693f32631ef4b6108f00125, f9e34ab400bac027b10d1262966e66fbdea7751b, fc6587c6b75c5a0ca4cf9ebd6ee1c01ac13ebb6b, fd9de8e9ea59d972e9f0e63a6c3acbca03a7e5cb, fe057c5e80b78a81f0f579b39a9cb11d78fd90a2, fe977e8a2a03396d1a057a30cb02db88811573f5, ff9a074df4c5f96c728aab29e3710fc31183694b Victim Industries: Advertising Services, Financial Services, Information Technology, Software, Technology Hardware Mitigation Advice Block the domain `solananetworkinstance[.]info` at the network perimeter firewall and in DNS filtering services. Scan all developer workstations and CI/CD build servers to detect the presence of the malicious NuGet packages: `Netherеum.All`, `SolnetPlus`, `Coinbase.Net.Api`, and `GoogleAds.API`. Create a detection rule in your SIEM to generate a high-priority alert for any network traffic to or from the domain `solananetworkinstance[.]info`. Instruct all .NET developers to immediately review their projects' dependencies for any packages published by the authors `AngelDev`, `DamienMcdougal`, or `jackfreemancodes`. Compliance Best Practices Establish a formal policy for vetting and approving third-party libraries, requiring developers to check package age, author history, and source code repository activity before use. Integrate a Software Composition Analysis (SCA) tool into the CI/CD pipeline to automatically scan dependencies for known vulnerabilities, malicious code patterns, and suspicious package attributes. Implement a private internal artifact repository (e.g., private NuGet feed) to host only company-vetted and approved third-party packages. Develop and mandate recurring security awareness training for developers that specifically covers software supply chain risks, including how to spot typosquatting, homoglyph attacks, and manipulated package metrics. Enforce the use of a centralized secrets management vault for all credentials and API tokens, and restrict CI/CD pipeline access to only the specific secrets required for a given build job. Stay updated on emerging threats: sign up for the F5 Threat Report to receive the Weekly Threat Report in your inbox.F5 Threat Report - December 17th, 2025
Notepad++ Fixes Flaw That Let Attackers Push Malicious Update Files Notepad++ version 8.8.9 was released to address a security vulnerability in its WinGUp update tool, which had been exploited to deliver malicious executables instead of legitimate software updates. Reports indicated that the GUP.exe updater spawned an unauthorized "%Temp%\AutoUpdater.exe" process, which executed reconnaissance commands such as `netstat -ano`, `systeminfo`, `tasklist`, and `whoami`, subsequently exfiltrating the collected data in `a.txt` to `temp[.]sh` using `curl.exe`. To mitigate this, Notepad++ developer Don Ho initially released version 8.8.8 on November 18th, restricting updates to GitHub. A more robust fix arrived with version 8.8.9 on December 9th, which hardens the update process by verifying the digital signature and certificate of downloaded installers, aborting any update that fails this validation. Security expert Kevin Beaumont also noted three organizations experiencing security incidents linked to Notepad++ processes spawning initial access, suggesting potential hijacking of the update URL (`https://notepad-plus-plus.org/update/getDownloadUrl.php`) to redirect users to malicious downloads. Users are advised to upgrade to version 8.8.9 and remove any custom root certificates installed prior to v8.8.7, as all official binaries are now signed. Severity: Critical Sources https://buaq.net/go-380719.html https://gbhackers.com/notepad-flaw-attackers-hijack-update-traffic/ https://malwaretips.com/threads/notepad-updater-installed-malware.138657/ https://securityonline.info/urgent-patch-notepad-wingup-flaw-allowed-malware-to-hijack-updates/ https://www.bleepingcomputer.com/news/security/notepad-plus-plus-fixes-flaw-that-let-attackers-push-malicious-update-files/ https://www.hendryadrian.com/notepad-fixes-flaw-that-let-attackers-push-malicious-update-files/ https://www.securitylab.ru/news/567129.php Threat Details and IOCs Technologies: Microsoft Windows, Notepad++ Threat Actors: FatBeehive Attacker Countries: China Attacker Domains: temp.sh Attacker URLs: https://notepad-plus-plus.org/update/getDownloadUrl.php Victim Industries: Critical Manufacturing, Financial, Financial Services, Government, Healthcare, Information Technology, Manufacturing, Software, Telecommunications Victim Countries: Afghanistan, Bangladesh, Bhutan, China, India, Japan, Maldives, Mongolia, Nepal, North Korea, Pakistan, South Korea, Sri Lanka, Taiwan Mitigation Advice Identify all assets with Notepad++ installed and upgrade them to version 8.8.9 or newer. Using an EDR or endpoint management tool, scan all endpoints for the existence of the file `AutoUpdater.exe` in any `%Temp%` directory. Query endpoint and command-line logs for the execution of reconnaissance commands (`netstat`, `systeminfo`, `tasklist`, `whoami`) that redirect output to a file named `a.txt`. Add the domain `temp.sh` to your network blocklist on your firewall, DNS sinkhole, and web proxy. Audit user and system certificate stores for any custom root certificates related to older Notepad++ installations and remove them. Compliance Best Practices Implement a software asset management (SAM) program to maintain a real-time inventory of all applications and versions installed on company assets to ensure timely patching. Develop and deploy an application control policy that prevents the execution of programs from user-writable directories such as `%Temp%`. Configure your EDR to generate alerts when common software updater processes spawn command shells (like cmd.exe or powershell.exe) to execute discovery commands. Implement a network egress filtering policy that denies outbound traffic by default and explicitly allows only traffic required for business operations. Incorporate modules into your security awareness training program that teach users how to verify official software download sources and recognize the risks of installing software from advertisements or untrusted websites. Denial of Service and Source Code Exposure in React Server Components Two new vulnerabilities have been identified in React Server Components, necessitating immediate upgrades for affected applications. These include a High Severity Denial of Service (CVE-2025-55184 and CVE-2025-67779, CVSS 7.5) and a Medium Severity Source Code Exposure (CVE-2025-55183, CVSS 5.3). The Denial of Service vulnerability allows a malicious HTTP request to trigger an infinite loop, consuming CPU and hanging the server process, even if an application does not implement React Server Function endpoints but supports React Server Components. The Source Code Exposure vulnerability enables an attacker to retrieve the source code of a Server Function if it explicitly or implicitly stringifies an argument, potentially leaking hardcoded secrets, though runtime secrets are unaffected. These vulnerabilities impact `react-server-dom-webpack`, `react-server-dom-parcel`, and `react-server-dom-turbopack` in versions 19.0.0, 19.0.1, 19.0.2, 19.1.0, 19.1.1, 19.1.2, 19.2.0, 19.2.1, and 19.2.2. Fixes have been backported to versions 19.0.3, 19.1.4, and 19.2.3, and all users are strongly advised to upgrade to these patched versions. Affected frameworks and bundlers include next, react-router, waku, @parcel/rsc, @vite/rsc-plugin, and rwsdk. Applications not using a server or not utilizing a framework/bundler that supports React Server Components are not affected. Severity: Critical Sources https://buaq.net/go-381099.html https://cyberpress.org/react-server-components-flaws-enable-dos-attacks-and-source-code-exposure/ https://gbhackers.com/severe-flaws-in-react-server-components-enable-dos-attacks/ https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components https://securityonline.info/react-patches-two-new-flaws-risking-server-crashing-dos-and-source-code-disclosure/ https://thehackernews.com/2025/12/new-react-rsc-vulnerabilities-enable.html Threat Details and IOCs Malware: Agent Tesla, AISURU, ANGRYREBEL, AshTag, BEACON, BPFDoor, BRICKSTORM, Cobalt Strike, EtherRAT, Noodle RAT, Nood RAT, Predator, Sliver, ValleyRAT, Winos CVEs: CVE-2025-55182, CVE-2025-55183, CVE-2025-55184, CVE-2025-67779 Technologies: Meta React Server Components, Node.js, Parcel, React, React Router, Vercel Next.js, Vercel Turbopack, Vite, Waku, Webpack Threat Actors: Calypso, Earth Bluecrow, Earth Lamia, EarthLamia, Iron Tiger, Jackpot Panda, JackpotPanda, Lazarus Group, Red Menshen, RedMenshen, Rocke, UNC5342 Attacker Countries: China, North Korea Attacker IPs: 78.153.140.16 Attacker URLs: 78.153.140.16/re.sh Victim Industries: Business Services, E-commerce, Education, Financial Services, Gaming, Government, Healthcare, Legal and Professional Services, Logistics, Manufacturing, Multimedia, Retail, Software, Technology Hardware, Telecommunications, Web Hosting Victim Countries: Australia, Canada, China, France, Germany, Hong Kong, India, Singapore, United Kingdom, United States Mitigation Advice Scan all code repositories to identify applications using React Server Components, specifically looking for the vulnerable packages: `react-server-dom-webpack`, `react-server-dom-parcel`, `react-server-dom-turbopack`, or affected frameworks like `next` and `react-router`. For any application identified as using a vulnerable version of `react-server-dom-webpack`, upgrade the package to a patched version such as 19.0.3, 19.1.4, or 19.2.3. For any application identified as using a vulnerable version of `react-server-dom-parcel`, upgrade the package to a patched version such as 19.0.3, 19.1.4, or 19.2.3. For any application identified as using a vulnerable version of `react-server-dom-turbopack`, upgrade the package to a patched version such as 19.0.3, 19.1.4, or 19.2.3. For applications using affected frameworks like Next.js or react-router, upgrade the framework to a version that incorporates the patched React Server Component packages. Compliance Best Practices Implement a centralized secrets management solution, such as HashiCorp Vault or a cloud-native option like AWS Secrets Manager or Azure Key Vault, to store and manage all application secrets instead of hardcoding them in source files. Integrate static application security testing (SAST) tools into the CI/CD pipeline to automatically scan for and block any code commits that contain hardcoded secrets. Configure and tune the Web Application Firewall (WAF) with rate-limiting rules to detect and block anomalous or high-volume requests targeting application endpoints, which can help mitigate denial-of-service attacks. Review and formalize the third-party software patch management policy to ensure critical vulnerabilities are identified and remediated within a defined timeframe, including subscribing to security advisories for all critical libraries and frameworks. NanoRemote: Advanced Windows Backdoor Leveraging Google Drive API for Stealthy C2 NanoRemote is a sophisticated Windows backdoor, first identified in October 2025 by Elastic Security Labs, that leverages the Google Drive API for stealthy command-and-control (C2) and file staging, allowing its malicious traffic to blend with legitimate cloud operations. This C++ implant, associated with the espionage-linked REF7707 threat cluster (also known as CL‑STA‑0049, Earth Alux, Jewelbug), targets government, telecom, aviation, and education sectors, demonstrating an evolution from previous implants like FINALDRAFT which used the Microsoft Graph API. The attack chain typically involves WMLOADER, a loader masquerading as Bitdefender Security’s BDReinit.exe with an invalid signature, which decrypts and executes the NanoRemote payload from `wmsetup.log` using a rolling XOR routine followed by AES-CBC decryption with a key of `3A5AD78097D944AC`. NanoRemote itself communicates via HTTP POST, sending Zlib-compressed, AES-CBC encrypted JSON data to a non-routable IP at `/api/client` with the User-Agent `NanoRemote/1.0`, utilizing a hard-coded AES-CBC key of `558bec83ec40535657833d7440001c00` and Google Drive API OAuth 2.0 tokens for authentication. Its 22 command handlers enable extensive capabilities including system enumeration, file system operations, custom PE loader execution, remote command execution, and Google Drive download/upload tasks, further enhanced by `libPeConv` and Microsoft Detours for stealth. Detection is complicated by its cloud API abuse, necessitating behavioral detection rules, YARA rules for artifacts like `wmsetup.log`, and adherence to MITRE ATT&CK mappings (Exfiltration over Web Service, Masquerading, Discovery, Command Execution, Defence Evasion). Immediate incident response includes isolating infected machines, rotating Google API credentials, forensic analysis, auditing API logs for atypical Google Drive activity, and blocking known C2 IPs, while long-term remediation focuses on Zero-Trust principles, cloud API monitoring, and SIEM/UEBA integration. Severity: Critical Sources https://buaq.net/go-381078.html https://cyberpress.org/nanoremote-malware/ https://cybersrcc.com/2025/12/11/nanoremote-advanced-windows-backdoor-leveraging-google-drive-api-for-stealthy-c2/ https://malwaretips.com/threads/meet-nanoremote-a-newly-discovered-windows-backdoor-that-leverages-the-google-drive-api-for-data-theft-and-payload-staging.138663/ https://thehackernews.com/2025/12/nanoremote-malware-uses-google-drive.html https://www.hendryadrian.com/nanoremote-cousin-of-finaldraft/ Threat Details and IOCs Malware: FINALDRAFT, NanoRemote, NANOREMOTE, Squidoor, WMLOADER Technologies: Bitdefender, Google Drive, Microsoft Graph, Microsoft Windows, Trend Micro Threat Actors: CLSTA0049, EarthAlux, Finaldraft, Jewelbug, REF7707 Attacker Countries: China Attacker URLs: /api/client, /drive/v3/files/%s?alt=media, /upload/drive/v3/files Attacker Hashes: 1e28c01387e0f0229a3fb3df931eaf80, 35593a51ecc14e68181b2de8f82dde8c18f27f16fcebedbbdac78371ff4f8d41, 558bec83ec40535657833d7440001c00, 57e0e560801687a8691c704f79da0c1dbdd0f7d5cc671a6ce07ec0040205d728, 999648bd814ea5b1e97918366c6bd0f82b88f5675da1d4133257b9e6f4121475, b26927ca4342a19e9314cf05ee9d9a4bddf7b848def2db941dd281d692eaa73c, fff31726d253458f2c29233d37ee4caf43c5252f58df76c0dced71c4014d6902 Victim Industries: Aerospace, Defense, Education, Financial Services, Government, Healthcare, Information Technology, Logistics, Manufacturing, Retail, Software, Technology Hardware, Telecommunications Victim Countries: Argentina, Bolivia, Brazil, Brunei, Cambodia, Chile, Colombia, Ecuador, Guyana, Indonesia, Laos, Malaysia, Myanmar, Paraguay, Peru, Philippines, Russia, Singapore, Suriname, Taiwan, Thailand, Timor-Leste, Uruguay, Venezuela, Vietnam Mitigation Advice Scan all Windows endpoints for the presence of files named 'wmsetup.log' and executables named 'BDReinit.exe' that have an invalid or missing digital signature. Search all available network logs (e.g., proxy, firewall, DNS) for outbound HTTP requests containing the User-Agent string 'NanoRemote/1.0'. Obtain and deploy the publicly available YARA rules for NanoRemote and WMLOADER into your endpoint detection and response (EDR) or other file scanning solutions. Use an EDR or endpoint management tool to query all Windows systems for the existence of the environment variable 'NR_GOOGLE_ACCOUNTS'. Create a SIEM or network intrusion detection system (NIDS) rule to alert on HTTP POST requests to any URI ending in '/api/client' that also originate from a process with the User-Agent 'NanoRemote/1.0'. If a compromise is suspected or confirmed, immediately review and revoke suspicious Google Workspace OAuth tokens and rotate API credentials for the affected accounts. Compliance Best Practices Implement a Cloud Access Security Broker (CASB) to gain visibility into Google Drive API usage and establish policies to detect and alert on anomalous activity, such as unusually frequent uploads or downloads by a service account. Establish a data pipeline to ingest Google Workspace audit logs, specifically including Google Drive API activity, into your SIEM for centralized analysis and alerting. Initiate a recurring audit of all Google Workspace OAuth applications and service account permissions, revoking unnecessary or overly permissive API access based on the principle of least privilege. Refine and tune your Endpoint Detection and Response (EDR) platform's behavioral rules to generate high-fidelity alerts for suspicious memory allocation (VirtualAlloc) followed by execution, especially from non-standard processes. Implement application control policies on endpoints to restrict which executables are permitted to make outbound connections to known cloud service domains like 'googleapis.com'. New ConsentFix Attack Hijacks Microsoft Accounts via Azure CLI A novel ConsentFix attack, a variant of the ClickFix social engineering technique, has been identified that exploits the Azure CLI OAuth app to compromise Microsoft accounts, circumventing both password requirements and multi-factor authentication (MFA). This method, discovered by Push Security, initiates when a victim navigates to a compromised, high-ranking website displaying a deceptive Cloudflare Turnstile CAPTCHA that requests a business email. Upon validation against a target list, the victim is prompted to click a "Sign in" button, which directs them to a legitimate Microsoft Azure CLI login page. Following successful authentication or account selection, Microsoft redirects the user to a localhost URL containing an Azure CLI OAuth authorization code. The attacker then instructs the victim to paste this URL back into the malicious site, thereby granting the attacker full control over the Microsoft account via the Azure CLI OAuth app without ever acquiring the user's credentials or bypassing MFA directly. The attack is designed to trigger only once per victim IP address. To mitigate this threat, organizations should monitor for anomalous Azure CLI login activity, particularly from new IP addresses, and scrutinize the use of legacy Graph scopes. Detection can be further enhanced through Microsoft Defender for Cloud Apps' "Malicious OAuth app consent" policies, Azure AD Identity Protection's consent phishing and workload identity risk detections, and by actively monitoring AADGraphActivityLogs for unusual activity. Severity: Critical Sources https://cyberpress.org/consentfix-attack/ https://www.bleepingcomputer.com/news/security/new-consentfix-attack-hijacks-microsoft-accounts-via-azure-cli/ Threat Details and IOCs Malware: CyberVolk 2.x, NANOREMOTE, VolkLocker Technologies: Microsoft 365, Microsoft Azure, Microsoft Azure CLI, Microsoft Entra ID, Microsoft Intune Attacker IPs: 12.75.116.137, 12.75.216.90, 182.3.36.223 Attacker Domains: fastwaycheck.com, previewcentral.com, trustpointassurance.com Attacker URLs: hxxps://fastwaycheck.com/, hxxps://previewcentral.com, hxxps://trustpointassurance.com/ Victim Industries: Aerospace, Government, Healthcare, Non-Governmental Organizations (NGOs), Retail, Supply Chain Victim Countries: United States Mitigation Advice Review Azure AD sign-in logs for unusual Azure CLI login activity, focusing on logins from unexpected IP addresses, geolocations, or by users who do not typically use the Azure CLI. Create detection rules in your SIEM to alert on the use of legacy Azure AD Graph API scopes within OAuth consent grants, as this is a known attacker technique to evade detection. Send an immediate security bulletin to all employees warning them to never copy and paste a full URL from their browser's address bar into a website form, especially if the URL contains 'localhost' or authentication codes. Compliance Best Practices Implement a recurring process to audit all OAuth applications in Azure AD, reviewing their permissions, usage, and business justification, and remove any unnecessary or overly permissive applications. Deploy and configure Microsoft Defender for Cloud Apps, enabling specific policies like 'Malicious OAuth app consent' to automatically detect and alert on suspicious OAuth application activity. Enable and monitor detections within Azure AD Identity Protection, specifically focusing on 'Consent Phishing' and 'workload identity risk' alerts, and create automated response actions for high-severity findings. Develop and enforce a policy based on the principle of least privilege to restrict Azure CLI access to only authorized administrative and developer roles. Establish a continuous security awareness training program that includes modules on identifying and responding to sophisticated phishing and consent grant attacks. Google Patches Chrome Zero-Day Vulnerability Exploited in Attack Google has released urgent updates for Chrome to address a newly patched zero-day vulnerability, tracked as 466192044, which is actively being exploited in the wild. This marks the eighth such security flaw fixed this year, following CVE-2025-13223, CVE-2025-10585, CVE-2025-6558, CVE-2025-6554, CVE-2025-5419, CVE-2025-2783, and CVE-2025-4664. While specific details on 466192044 are limited due to ongoing coordination, Google confirmed its active exploitation. Additionally, the updates resolve CVE-2025-14372, a Use-After-Free vulnerability in the Password Manager, and CVE-2025-14373, an inappropriate implementation issue in the Toolbar. All Google Chrome versions prior to 143.0.7499.109 are affected, and users are advised to upgrade immediately to stable channel version 143.0.7499.109/.110 for Windows/Mac or 143.0.7499.109 for Linux to mitigate these risks. Severity: Critical Sources https://buaq.net/go-380989.html https://threatprotect.qualys.com/2025/12/11/google-patches-zero-day-vulnerability-exploited-in-attack/ https://www.techradar.com/pro/security/google-releases-emergency-fix-for-yet-another-zero-day Threat Details and IOCs CVEs: CVE-2025-14372, CVE-2025-14373 Technologies: Apple macOS, Google Chrome, Linux, Microsoft Edge, Microsoft Windows Threat Actors: DarkHotel, Lazarus, TaxOff, Team46 Victim Industries: Financial Services, Government, Healthcare, Technology Hardware Victim Countries: United States Mitigation Advice Update all Google Chrome installations on Windows and macOS to version 143.0.7499.109/.110 and on Linux to version 143.0.7499.109. Initiate a vulnerability scan using Qualys QID 386201 to identify all endpoints with vulnerable versions of Google Chrome. Compliance Best Practices Implement and configure an automated patch management solution to ensure security updates for all third-party software, especially web browsers, are deployed within 72 hours of release. Develop and enforce a security policy using Group Policy Objects (GPO) or a similar endpoint management tool to disable non-essential browser features, such as the built-in password manager, and enforce the use of a dedicated enterprise password management tool. Stay updated on emerging threats: sign up for the F5 Threat Report to receive the Weekly Threat Report in your inbox.F5 Threat Report - December 10th, 2025
JPCERT Confirms Active Command Injection Attacks on Array AG Gateways JPCERT/CC has confirmed active command injection attacks targeting Array Networks AG Series secure access gateways, exploiting a vulnerability in the DesktopDirect feature since August 2025. This flaw, which currently lacks a CVE identifier, affects ArrayOS versions 9.4.5.8 and earlier, allowing attackers to execute arbitrary commands and drop web shells, with observed attacks originating from the IP address 194.233.100[.]138. Array Networks released a fix on May 11, 2025, in ArrayOS version 9.4.5.9, and users are advised to apply this update promptly; alternatively, disabling DesktopDirect services or implementing URL filtering to deny access to URLs containing semicolons can serve as mitigation. While a separate authentication bypass flaw (CVE-2023-28461) in the same product was previously exploited by the China-linked MirrorFace group, there is no current evidence connecting them to these latest command injection incidents. Severity: High Sources https://buaq.net/go-379737.html https://cyberpress.org/arrayos-ag-vpn-vulnerability/ https://gbhackers.com/arrayos-ag-vpn/ https://thecyberexpress.com/cve-2023-28461-jpcert-array-gateway-warning/ https://thehackernews.com/2025/12/jpcert-confirms-active-command.html https://www.bleepingcomputer.com/news/security/hackers-are-exploiting-arrayos-ag-vpn-flaw-to-plant-webshells/ Threat Details and IOCs Malware: Agenda, Albiriox, PoisonPlug, Qilin, Sha1-Hulud, ShadowPad, Shai-Hulud CVEs: CVE-2023-28461 Technologies: Array Networks AG Series, Array Networks ArrayOS, Array Networks vxAG, PHP Threat Actors: APT10, EarthKasha, MirrorFace Attacker Countries: China Attacker IPs: 194.233.100.138 Victim Industries: Aerospace, Defense, E-commerce, Education, Energy, Financial Services, Government, Healthcare, Information and Communication, Manufacturing, Multimedia, Public Sector, Semiconductors, Technology Hardware, Telecommunications, Utilities Victim Countries: China, India, Japan, Taiwan, United States Mitigation Advice Update all Array Networks AG Series gateways to ArrayOS version 9.4.5.9 or a later version to remediate the command injection vulnerability. If patching Array AG gateways to version 9.4.5.9 is not immediately feasible, disable the 'DesktopDirect' feature on all vulnerable devices. Configure your perimeter firewall or Web Application Firewall (WAF) to block all inbound HTTP/HTTPS requests to Array AG gateways that contain a semicolon character (';') in the URL. Add the IP address 194.233.100.138 to your network firewall's blocklist to deny all inbound and outbound traffic. Scan the file systems of all Array AG gateways for indicators of compromise, such as recently created or modified web shell files (e.g., .php, .asp) in web-accessible directories. Compliance Best Practices Establish a formal patch management policy that mandates regular vulnerability scanning of all internet-facing systems and defines strict service-level agreements (SLAs) for applying critical security patches. Implement a recurring configuration review process for all network security appliances to identify and disable any non-essential features and services, thereby minimizing the device's attack surface. Design and implement a DMZ network segment for all internet-facing services, including secure access gateways, and enforce strict firewall rules that only permit essential, pre-approved traffic between the DMZ and the internal corporate network. Configure all internet-facing appliances to forward detailed system, process, and network logs to a centralized SIEM, and develop detection rules to alert on anomalous file creation, command execution, and unusual outbound connections. LangChain Prompt Template Injection Vulnerability: Property Access (CVE-2025-65106) A prompt template injection vulnerability has been discovered in the LangChain `langchain-core` package, affecting versions up to `1.0.6` and `0.3.79`, with fixes implemented in versions `1.0.7` and `0.3.80`. Identified as CVE-2025-65106 and GHSA-6qv9-48xg-fc7f, this vulnerability allows attackers who can control template strings—rather than just template variables—to access Python object attributes, internal properties, and sensitive information, potentially escalating to more severe attacks. The flaw impacts F-string, Mustache, and Jinja2 template formats, stemming from issues such as attribute access in F-strings, `getattr()` fallback in Mustache, and insufficient sandboxing in Jinja2. Applications are at high risk if they accept untrusted template strings, dynamically construct prompts based on user input, or allow users to customize or create prompt templates. Remediation requires updating to the patched `langchain-core` versions, auditing code for any template strings originating from untrusted sources, and ensuring a clear separation between template structure and user-provided data. Specific fixes include F-string validation to restrict variable names to simple Python identifiers, strict type checking for Mustache to limit object traversal to dict, list, and tuple types, and the introduction of a `_RestrictedSandboxedEnvironment` for Jinja2 to block all attribute and method access. Severity: High Sources https://buaq.net/go-379721.html Threat Details and IOCs CVEs: CVE-2025-65106 Technologies: Jinja2, LangChain LangGraph, Python Victim Industries: E-commerce, Financial Services, Healthcare, Legal Services, Retail, Software Mitigation Advice Update all instances of the `langchain-core` Python package to version 1.0.7 or 0.3.80 or newer to patch the template injection vulnerability (GHSA-6qv9-48xg-fc7f). Audit your codebase to identify all applications using LangChain's `ChatPromptTemplate`. Prioritize remediation for any applications found to accept template strings from untrusted sources. Compliance Best Practices Enforce a secure coding standard for all AI/LLM applications that strictly separates the prompt template structure from user-provided data. Ensure that user input can only populate predefined variables within a static, developer-controlled template. During application design and code reviews, challenge the necessity of using string-based prompt templating. Where possible, refactor applications to use direct message objects (e.g., `HumanMessage`, `AIMessage`) to eliminate the risk of template injection vulnerabilities. Create a development policy that restricts the use of the Jinja2 template format (`template_format="jinja2"`) in LangChain to only those instances where the template content is hardcoded or originates from a fully trusted, internally-controlled source. Chinese State-Sponsored Actors Deploy Brickstorm Backdoor in US Critical Networks for Years Chinese state-sponsored actors, identified as UNC5221 by Mandiant and Warp Panda by CrowdStrike, have maintained long-term access, sometimes for years, within critical US networks, including at least eight government services and IT organizations, and dozens of other entities across legal, SaaS, business process outsourcing, technology, and manufacturing sectors. These groups deployed the sophisticated, cross-platform Brickstorm backdoor, which operates across Linux, VMware, and Windows environments, alongside new Go-based implants named Junction (for VMware ESXi, listening on port 8090) and GuestConduit (for guest VMs, using VSOCK on port 5555). Initial access was often gained by exploiting internet-facing edge devices, followed by pivoting to vCenter environments using valid credentials or vulnerabilities. Once inside, the adversaries stole cryptographic keys from domain controllers and Active Directory Federation Services servers, accessed and exfiltrated sensitive data from Microsoft Azure environments (OneDrive, SharePoint, Exchange), and established persistence by registering new multi-factor authentication devices. Warnings from CISA, NSA, and the Canadian Cyber Security Centre, along with reports from Google Threat Intelligence (Mandiant) and CrowdStrike, highlight the ongoing threat and the actors' evolving techniques, with Palo Alto Networks' Unit 42 also monitoring the activity. Severity: Critical Sources https://cyberpress.org/china-nexus-hackers/ https://federalnewsnetwork.com/cybersecurity/2025/12/agencies-it-companies-impacted-by-latest-malware-from-china/ https://gbhackers.com/vmware-vcenter-systems/ https://industrialcyber.co/cisa/cisa-nsa-sound-alarm-on-brickstorm-backdoor-used-by-china-linked-actors-targeting-vmware-windows-systems/ https://securitybrief.asia/story/warp-panda-cyberespionage-group-targets-us-cloud-networks https://thecyberexpress.com/cisa-prc-hackers-target-vmware-with-brickstorm/ https://thehackernews.com/2025/12/cisa-reports-prc-hackers-using.html https://www.bleepingcomputer.com/news/security/cisa-warns-of-chinese-brickstorm-malware-attacks-on-vmware-servers/ https://www.cisa.gov/news-events/alerts/2025/12/04/prc-state-sponsored-actors-use-brickstorm-malware-across-public-sector-and-information-technology https://www.cisa.gov/news-events/analysis-reports/ar25-338a https://www.cisa.gov/news-events/news/cisa-nsa-and-cyber-centre-warn-critical-infrastructure-brickstorm-malware-used-peoples-republic https://www.crowdstrike.com/en-us/blog/warp-panda-cloud-threats/ https://www.darkreading.com/cyberattacks-data-breaches/cisa-ongoing-brickstorm-backdoor-attacks https://www.hendryadrian.com/cisa-warns-of-chinese-brickstorm-malware-attacks-on-vmware-servers/ https://www.infosecurity-magazine.com/news/chinalinked-warp-panda/ https://www.safebreach.com/blog/safebreach-coverage-for-updated-cisa-ar25-338a-brickstorm-backdoor/ https://www.securityweek.com/us-organizations-warned-of-chinese-malware-used-for-long-term-persistence/ https://www.theregister.com/2025/12/04/prc_spies_brickstrom_cisa/ Threat Details and IOCs Malware: BRICKSTEAL, BrickStorm, BRICKSTORM, GuestConduit, Junction, RESURGE, SPAWN, SPAWNANT, SPAWNCHIMERA, SPAWNMOLE, SPAWNSNAIL, ZIPLINE CVEs: CVE-2021-22005, CVE-2023-34048, CVE-2023-46747, CVE-2023-46805, CVE-2023-4966, CVE-2024-21887, CVE-2024-21893, CVE-2024-38812, CVE-2025-0282, CVE-2025-22457 Technologies: BSD, F5 BIG-IP, Ivanti Connect Secure, Ivanti Policy Secure, Linux, Microsoft 365, Microsoft Active Directory, Microsoft Azure, Microsoft Windows, Microsoft Windows Server, VMware ESXi, VMware vCenter Server, VMware vSphere Threat Actors: RedDev61, Unc5221, Uta0178, WarpPanda Attacker Countries: China Attacker IPs: 1.0.0.1, 1.1.1.1, 149.112.112.11, 149.112.112.112, 149.28.120.31, 208.83.233.14, 45.90.28.160, 45.90.30.160, 8.8.4.4, 8.8.8.8, 9.9.9.11, 9.9.9.9 Attacker URLs: https://1.0.0.1/dns-query, https://1.1.1.1/dns-query, https://149.112.112.112/dns-query, https://149.112.112.11/dns-query, https://45.90.28.160/dns-query, https://45.90.30.160/dns-query, https://8.8.4.4/dns-query, https://8.8.8.8/dns-query, https://9.9.9.11/dns-query, https://9.9.9.9/dns-query Attacker Hashes: 013211c56caaa697914b5b5871e4998d0298902e336e373ebb27b7db30917eaf, 0a4fa52803a389311a9ddc49b7b19138, 10d811029f6e5f58cd06143d6353d3b05bc06d0f, 18f895e24fe1181bb559215ff9cf6ce3, 22c15a32b69116a46eb5d0f2b228cc37cd1b5915a91ec8f38df79d3eed1da26b, 320a0b5d4900697e125cebb5ff03dee7368f8f087db1c1570b0b62f5a986d759, 39111508bfde89ce6e0fe6abe0365552, 39b3d8a8aedffc1b40820f205f6a4dc041cd37262880e5030b008175c45b0c46, 40992f53effc60f5e7edea632c48736ded9a2ca59fb4924eb6af0a078b74d557, 40db68331cb52dd3ffa0698144d1e6919779ff432e2e80c058e41f7b93cec042, 44a3d3f15ef75d9294345462e1b82272b0d11985, 4c52caf2e5f114103ed5f60c6add3aa26c741b07869bb66e3c25a1dc290d4a8bf87c42c336e8ac8ebf82d9a9b23eaa18c31f7051a5970a8fe1125a2da890340f, 57bd98dbb5a00e54f07ffacda1fea91451a0c0b532cd7d570e98ce2ff741c21d, 5e654776e9c419e11e6f93a452415a601bd9a2079710f1074608570e498a9af37b81bb57c98cb8bb626c5ee4b3e35757d3ae8c1c3717f28d9f3fe7a4cebe0608, 659205fa2cfa85e484c091cc2e85a7ec4e332b196e423b1f39bafdc8fca33e3db712bbe07afcc091ff26d9b4f641fa9a73f2a66dce9a0ced54ebeb8c2be82a7f, 65ebf5dfafb8972ffead44271436ec842517cfaaf3d1f1f1237a32d66e1d280943bd3a69f1d539a1b7aca6152e96b29bc822e1047e2243f6aec8959595560147, 73fe8b8fb4bd7776362fd356fdc189c93cf5d9f6724f6237d829024c10263fe5, 74b4c6f7c7cae07c6f8edf3f2fb1e9206d4f1f9734e8e4784b15d192eec8cd8a4f59078fc0c56dc4ad0856cdd792337b5c92ffd3d2240c8a287a776df4363bba, 79276523a6a507e3fa1b12b96e09b10a01c783a53d58b9ae7f5780a379431639a80165e81154522649b8e2098e86d1a310efffebe32faafc7b3bc093eec60a64, 82bf31e7d768e6d4d3bc7c8c8ef2b358, 88db1d63dbd18469136bf9980858eb5fc0d4e41902bf3e4a8e08d7b6896654ed, 8e29aeb3603ffe307b2d60f7401bd9978bebe8883235eb88052ebf6b9e04ce6bf35667480cedea5712c1e13e8c6dcfb34d5fde0ddca6ca31328de0152509bf8f, 8e4c88d00b6eb46229a1ed7001451320, 97001baaa379bcd83677dca7bc5b8048fdfaaddc, 9a0e1b7a5f7793a8a5a62748b7aa4786d35fc38de607fb3bb8583ea2f7974806, 9bf4c786ebd68c0181cfe3eb85d2fd202ed12c54, a02469742f7b0bc9a8ab5e26822b3fa8, a52e36a70b5e0307cbcaa5fd7c97882c, aaf5569c8e349c15028bc3fac09eb982efb06eabac955b705a6d447263658e38, b3b6a992540da96375e4781afd3052118ad97cfe60ccf004d732f76678f6820a, b91881cb1aa861138f2063ec130b2b01a8aaf0e3f04921e5cbfc61b09024bf12, bbe18d32bef66ccfa931468511e8ba55b32943e47a1df1e68bb5c8f8ae97a5bf991201858ae9632fa24df5f6c674b6cb260297a1c11889ca61bda68513f440ce, bfb3ffd46b21b2281374cd60bc756fe2dcc32486dcc156c9bd98f24101145454, c3549d4e5e39a11f609fc6fbf5cc1f2c0ec272b4, dbca28ad420408850a94d5c325183b28, de28546ec356c566cd8bca205101a733e9a4a22d, dfac2542a0ee65c474b91d3b352540a24f4e223f1b808b741cfe680263f0ee44, f639d9404c03af86ce452db5c5e0c528b81dc0d7, f7cda90174b806a34381d5043e89b23ba826abcc89f7abd520060a64475ed506, fb11c6caa4ea844942fe97f46d7eb42bc76911ab Victim Industries: Business Process Outsourcing, Critical Manufacturing, Facilities Services, Government, Information Technology, Legal Services, Manufacturing, Public Sector, Software as a Service (SaaS), Technology Hardware Victim Countries: Australia, Austria, Canada, Germany, Greece, Mexico, New Zealand, United Kingdom, United States Mitigation Advice Download and run the open-source Brickstorm scanner from Mandiant's GitHub repository on all Linux, VMware, and Windows environments, prioritizing vCenter servers. Scan VMware ESXi hosts for the 'Junction' implant and monitor for suspicious processes masquerading as legitimate VMware services. Scan guest VMs within your VMware environment for the 'GuestConduit' implant, paying close attention to unusual VSOCK listener activity. Immediately scan all internet-facing edge devices for vulnerabilities and apply all available security patches, prioritizing any devices with known exploits. Audit all Microsoft 365 and Azure AD accounts for any recently registered MFA devices and verify the legitimacy of each new registration with the account owner. Review Microsoft 365 audit logs for anomalous access patterns to OneDrive, SharePoint, and Exchange Online, specifically looking for session replay activity or access from unusual IP addresses or locations. Compliance Best Practices Implement network segmentation to create isolated security zones for critical assets like VMware vCenter servers, ESXi hosts, and Domain Controllers, restricting access from less secure network segments. Enforce the principle of least privilege for all accounts, especially service accounts and administrative accounts, ensuring they only have the minimum permissions necessary to perform their functions on systems like vCenter and Active Directory. Implement a default-deny egress filtering policy on the network firewall, allowing outbound traffic only for explicitly approved protocols, ports, and destinations to disrupt command-and-control communications. Enhance security logging for critical systems, including VMware vCenter, ESXi hosts, Domain Controllers, and ADFS servers. Forward these logs to a SIEM and develop correlation rules to detect lateral movement and credential access techniques. Strengthen MFA policies by requiring re-authentication for sensitive actions such as registering a new MFA device, and enforce phishing-resistant MFA for all administrative and privileged accounts. Intellexa Deployed Predator Spyware via iOS Zero-Day Exploit Chain Against Egyptian Targets Sanctioned commercial surveillance vendor Intellexa deployed a three-stage iOS zero-day exploit chain, internally codenamed "smack," against targets in Egypt to install its Predator spyware. The initial stage leveraged a Safari remote code execution zero-day (CVE-2023-41993), which Google assessed Intellexa likely acquired externally due to its use of the "JSKit" framework, previously observed in attacks by other surveillance vendors and Russian government-backed actors. The second stage achieved sandbox escape and privilege escalation by exploiting kernel vulnerabilities CVE-2023-41991 and CVE-2023-41992, providing kernel memory read/write capabilities. The final stage, PREYHUNTER, comprised "helper" and "watcher" modules; the "watcher" module performed anti-detection by monitoring for security tools, specific locale settings, and other anomalies, while the "helper" module used custom frameworks (DMHooker, UMHooker) to hook system functions for VOIP recording, keylogging, and camera capture, also hiding notifications. Intellexa has been linked to 15 zero-day vulnerabilities since 2021, including several Chrome V8 engine exploits (CVE-2021-38003, CVE-2023-4762, CVE-2023-3079, CVE-2023-2033, CVE-2025-6554) observed in Saudi Arabia. Google Threat Intelligence Group and CitizenLab collaborated on this discovery, leading Google to issue warnings to Intellexa's customers across multiple countries and add associated domains to Safe Browsing. Severity: Critical Sources https://gbhackers.com/ios-zero-day/ https://thecyberexpress.com/ios-zero-day-exploit-chain-egypt/ Threat Details and IOCs Malware: Alien, ALIEN, Nova, Predator, PREYHUNTER CVEs: CVE-2021-38003, CVE-2022-42856, CVE-2023-2033, CVE-2023-3079, CVE-2023-41991, CVE-2023-41992, CVE-2023-41993, CVE-2023-4762, CVE-2025-6554 Technologies: Apple iOS, Apple Safari, Google Chrome Threat Actors: Intellexa Attacker Countries: Russia Attacker Hashes: 85d8f504cadb55851a393a13a026f1833ed6db32cb07882415e029e709ae0750, e3314bcd085bd547d9b977351ab72a8b83093c47a73eb5502db4b98e0db42cac Victim Industries: Government, Multimedia, Technology Hardware Victim Countries: Angola, Egypt, Kazakhstan, Mongolia, Pakistan, Saudi Arabia, Tajikistan, Uzbekistan Mitigation Advice Update all corporate and BYOD iOS devices to the latest available OS version to mitigate vulnerabilities CVE-2023-41993, CVE-2023-41991, and CVE-2023-41992. Ensure all Google Chrome and Chromium-based browsers on corporate endpoints are updated to the latest version to protect against CVE-2021-38003, CVE-2023-4762, CVE-2023-3079, CVE-2023-2033, and CVE-2025-6554. Scan managed mobile devices for the presence of unauthorized security research tools such as Bash, tcpdump, frida, sshd, or checkra1n, as these can be indicators of compromise or reconnaissance. Audit managed mobile devices for unauthorized custom HTTP proxy configurations and non-corporate root certificate installations. Compliance Best Practices Implement or enhance a Mobile Device Management (MDM) solution to enforce mandatory and timely OS and application updates on all mobile devices accessing corporate data. Develop and enforce a security policy that enables Apple's Lockdown Mode on iOS devices used by executives and other employees at high risk of being targeted by sophisticated spyware. Establish a continuous security awareness training program that educates users on how to identify and report phishing attempts and suspicious links on mobile devices. Implement and maintain network egress filtering to block outbound connections from all corporate devices to known malicious domains and un-categorized websites. Use MDM to establish and enforce a policy that prohibits the use of Developer Mode on all corporate-managed iOS devices unless there is a documented and approved business justification. Microsoft Patches Critical Windows .LNK Flaw (CVE-2025-9491) Exploited by State-Sponsored Groups Microsoft has addressed a critical Windows shortcut file (.lnk) vulnerability, tracked as CVE-2025-9491 (ZDI-CAN-25373), which allowed malicious .lnk files to conceal harmful command-line arguments, enabling hidden code execution. This flaw, exploited by at least 11 state-sponsored groups from North Korea, Iran, Russia, and China since 2017 for cyber espionage and data theft, involved padding commands with whitespace to make the "Target" field appear innocuous in Windows properties. Despite initially downplaying its severity, Microsoft issued a "silent mitigation" in its November 2025 Patch Tuesday, which now reveals the full command in the "Properties" dialog. The fix follows a recent campaign by the China-linked UNC6384/Mustang Panda group, which leveraged CVE-2025-9491 in spear-phishing attacks against European diplomatic entities, deploying the PlugX remote access trojan. The .lnk format remains a significant threat due to its ability to bypass email filters and facilitate remote code execution through social engineering, and the risk persists until all vulnerable systems are updated. Severity: Critical Sources https://blog.0patch.com/2025/12/microsoft-silently-patched-cve-2025.html https://cyberpress.org/microsoft-windows-lnk-vulnerability/ https://dataconomy.com/2025/11/24/why-that-harmless-looking-desktop-icon-might-actually-be-a-weapon/ https://gbhackers.com/hackers-actively-exploit-new-windows-lnk-0-day/ https://it.slashdot.org/story/25/12/04/1744255/microsoft-mitigates-windows-lnk-flaw-exploited-as-zero-day?utm_source=rss1.0mainlinkanon&utm_medium=feed https://meterpreter.org/microsoft-finally-patches-lnk-flaw-cve-2025-9491-exploited-by-spies-since-2017/ https://thehackernews.com/2025/12/microsoft-silently-patches-windows-lnk.html https://www.bleepingcomputer.com/news/microsoft/microsoft-mitigates-windows-lnk-flaw-exploited-as-zero-day/ https://www.hendryadrian.com/microsoft-mitigates-windows-lnk-flaw-exploited-as-zero-day/ https://www.techrepublic.com/article/news-microsoft-fixes-security-flaw/ https://www.theregister.com/2025/12/04/microsoft_lnk_bug_fix/ Threat Details and IOCs Malware: CirenegRAT, C_Major, Destroy RAT, DestroyRAT, Dreambot, Farfli, Gh0st, Gh0st RAT, Ghost RAT, Gozi, Gozi-ISFB, HiddenGh0st, Hodur, ISFB, Kaba, Konni, KONNI, Korplug, LDR4, Moudour, Papras, PCrat, PCRat, PlugX, QNAP-Worm, Raspberry Robin, Roshtyak, Snifula, Sogu, SOGU, Storm-0856, SugarGh0st RAT, TheTrick, TIGERPLUG, Trickbot, TrickBot, TrickLoader, Trickster, UpDog, Ursnif, UsrRunVGA.exe, XDigo CVEs: CVE-2025-9491 Technologies: Microsoft Windows, Microsoft Windows Server Threat Actors: APT10, APT15, APT17, APT20, APT21, APT22, APT26, APT27, APT3, APT31, APT37, APT40, APT41, APT43, Barium, Bitter, BronzePresident, BronzeUnion, Daggerfly, DoubleDragon, DragonOK, EarthIktomi, EarthLusca, EarthPreta, EmissaryPanda, EvilCorp, HazyTiger, Hellsing, HurricanePanda, Kimsuky, Konni, LuckyMouse, MenuPass, MUSTANGPANDA, OpalSleet, RazorTiger, RedDelta, RedHotel, SadFuture, SAMURAIPANDA, Sidewinder, TA416, TA505, TEMPHex, TwillTyphoon, UNC1878, UNC6384, VelvetAnt, WaterPoukai, WickedPanda, WickedSpider, WIZARDSPIDER, XDSpy Attacker Countries: China, India, Iran, North Korea, Russia Attacker IPs: 195.154.152.70 Attacker Domains: cseconline.org, d32tpl7xt7175h.cloudfront.net, dorareco.net, mydownload.z29.web.core.windows.net, naturadeco.net, paquimetro.net, racineupci.org, vnptgroup.it.com Victim Industries: Aerospace, Civic and Social Organizations, Defense, Education, Energy, Financial, Financial Services, Government, Healthcare, Mining, Non-Governmental Organizations (NGOs), Technology Hardware, Telecommunications Victim Countries: Afghanistan, Algeria, Australia, Austria, Bangladesh, Belarus, Belgium, Bhutan, Brazil, Bulgaria, Cambodia, China, Cyprus, Czech Republic, Djibouti, Egypt, Estonia, Ethiopia, Finland, France, Germany, Greece, Hong Kong, Hungary, India, Indonesia, Ireland, Italy, Japan, Kuwait, Laos, Latvia, Malaysia, Maldives, Moldova, Mongolia, Mozambique, Myanmar, Nepal, Netherlands, Nigeria, Pakistan, Palestine, Philippines, Romania, Russia, Rwanda, Saudi Arabia, Serbia, Singapore, Slovakia, South Africa, South Korea, Sri Lanka, Sudan, Sweden, Taiwan, Thailand, Turkey, Uganda, Ukraine, United Arab Emirates, United Kingdom, United States, Vatican City, Vietnam Mitigation Advice Prioritize and deploy the November 2025 Microsoft Patch Tuesday security updates to all Windows endpoints and servers to apply the mitigation for CVE-2025-9491. Conduct a threat hunt across all endpoints for indicators of compromise related to this campaign, such as anomalous PowerShell execution originating from .lnk files, evidence of the PlugX RAT, and signs of DLL sideloading. Configure your email security gateway to block or quarantine all incoming emails containing .lnk file attachments, including those within compressed archives like .zip files. Issue an immediate security alert to all employees, warning them not to open or click on unexpected shortcut (.lnk) files, especially those received in emails, and to report any suspicious emails to the security team. Compliance Best Practices Implement an application allowlisting policy, such as Windows Defender Application Control (WDAC), to restrict the execution of unauthorized applications and scripts on endpoints. Enable PowerShell Script Block Logging and Module Logging on all Windows systems and forward these logs to a centralized SIEM for monitoring and alerting on suspicious script execution. Deploy or tune an Endpoint Detection and Response (EDR) tool to create detection rules for suspicious process chains, such as explorer.exe spawning a .lnk file which then launches PowerShell or cmd.exe. Establish a continuous security awareness training program that includes regular phishing simulations using lures with various attachment types, including shortcuts and archives, to train users to identify and report threats. Enforce the principle of least privilege by removing local administrator rights from all standard user accounts to contain the impact of malware execution. Stay updated on emerging threats: sign up for the F5 Threat Report to receive the Weekly Threat Report in your inbox.F5 Threat Report - December 3rd, 2025
Hundreds of Abandoned iCalendar Sync Domains Put Nearly 4 Million Devices at Risk A study has revealed that over 390 abandoned or hijacked iCalendar sync domains are still receiving daily synchronization requests from nearly 4 million iOS and macOS devices, posing significant security risks. When users subscribe to external calendars, their devices automatically fetch updates via .ics files, and attackers can register expired domains to serve malicious .ics files. These files can contain harmful event links, phishing URLs, or prompts for unwanted applications, appearing legitimate within users' calendars. Apple devices' calendar sync daemons, identified by user-agent strings like `dataaccessd/1.0`, continuously request updates. Further investigation linked these hijacked servers to JavaScript payloads that trick users into granting push notification permissions or subscribing to spam calendars, often overlapping with large-scale notification scam campaigns and infrastructure previously compromised by Balada Injector malware. While most attacks leverage social engineering, some campaigns have distributed weaponized .ics files exploiting vulnerabilities such as CVE-2025-27915 in Zimbra, allowing JavaScript execution without user interaction. Security experts warn that calendar-based threats are an overlooked attack vector, recommending that organizations review active calendar subscriptions, implement whitelist-based firewall rules, and include calendar security in employee awareness training to mitigate risks from large-scale phishing, malware delivery, and data harvesting. Severity: Critical Sources https://cyberpress.org/icalendar-sync-domains/ https://www.hkcert.org/security-bulletin/zimbra-multiple-vulnerabilities_20251107 Threat Details and IOCs Malware: Balada Injector CVEs: CVE-2025-27915 Technologies: Apple iOS, Apple macOS, Zimbra Collaboration Threat Actors: APT28, UNC1151 Attacker IPs: 193.29.58.37 Attacker Emails: spam_to_junk@proton.me Attacker Domains: 0.allowandgo.com, 0.blueandbesthome.com, 0.mo12.biz, 1downloadss0ftware.xyz, bestresulttostart.com, ffrk.net, linetoslice.com, linetowaystrue.com, mo17.biz, mos3.biz, perfectlinestarter.com, readytocheckline.com, recordsbluemountain.com, taskscompletedlists.com, topwebsites1d.com Attacker URLs: http://mos3.biz/?webcal=me2tanrymi5gi3bpgu4tmna&u=230c9837-23ee-4208-8df0-1fa854490c90&l=24&t=1620652575&g=3&al=ar&sub1=&sub2=&sub3=&sub4=b0690ftho9zwh124, https://mo17.biz/?p=gy3ggyrzgm5gi3bpgy2dsny, https://mo17.biz/?webcal=me2tanrymi5gi3bpgu4tmna&u=230c9837-23ee-4208-8df0-1fa854490c90&l=24&t=1620652575&g=3&al=ar&sub1=&sub2=&sub3=&sub4=b0690ftho9zwh124, hxxps://ffrk.net/apache2_config_default_51_2_1 Attacker Hashes: e05c546f30212173ba878c31bbd8b93216cab1e847676b7bae870719f37dd7a5 Victim Industries: Government, Technology Hardware Victim Countries: Brazil, China Mitigation Advice Instruct all users to immediately review their calendar subscriptions on all corporate and BYOD Apple devices (iOS and macOS) and remove any unrecognized or unnecessary subscriptions. Configure network monitoring tools to create alerts for outbound traffic from Apple devices that contains both the user-agent 'dataaccessd/1.0' and the 'Accept: text/calendar' header, destined for non-standard or uncategorized domains. If your organization uses the Zimbra Collaboration Suite, immediately apply the vendor-supplied patches to mitigate the actively exploited cross-site scripting vulnerability, CVE-2025-27915. Send an immediate security bulletin to all employees warning them about the risks of unsolicited calendar events and browser push notification prompts. Instruct them to decline all unexpected requests to 'Allow' notifications and to avoid clicking links in suspicious calendar entries. Compliance Best Practices Develop and implement a network firewall policy that whitelists approved domains for iCalendar synchronization and blocks all other outbound requests matching the 'dataaccessd/1.0' user-agent. Update the corporate security awareness training program to include a dedicated module on the risks of calendar subscriptions, phishing via calendar events, and social engineering tactics used in browser push notification scams. Develop and deploy a Mobile Device Management (MDM) configuration profile to restrict or disable the ability for users to add arbitrary calendar subscriptions on corporate-managed iOS and macOS devices. Configure the email security gateway to specifically inspect incoming `.ics` file attachments for malicious links and embedded scripts, and consider implementing content disarm and reconstruction (CDR) for these files. Microsoft Teams Guest Chat Flaw Could Let Hackers Deliver Malware A critical vulnerability in Microsoft Teams guest chat allows attackers to bypass Defender for Office 365 protections by exploiting an architectural gap in cross-tenant collaboration. When users accept guest invitations to external Teams tenants, they fall under the hosting tenant's security policies, which attackers can disable in low-cost Microsoft 365 tenants lacking Defender for Office 365. The November 2025 rollout of feature MC1182004, enabling chats with anyone via email by default, makes this attack practical, allowing attackers to invite targets to their unprotected environments and deliver phishing or malware without detection. To mitigate this, organizations should restrict B2B guest invitations to trusted domains via Microsoft Entra ID, configure granular cross-tenant access policies, limit external Teams communication to specific domains through the Teams Admin Center, and consider disabling the MC1182004 feature using the PowerShell command `Set-CsTeamsMessagingPolicy -UseB2BInvitesToAddExternalUsers $false`. This issue highlights that security protections follow the resource tenant, a distinction organizations must address to prevent sophisticated attacks. Severity: Critical Sources https://buaq.net/go-378428.html https://gbhackers.com/microsoft-teams-guest-chat-flaw/ https://hackread.com/microsoft-teams-guest-chat-flaw-malware/ Threat Details and IOCs Technologies: Microsoft 365, Microsoft Entra ID, Microsoft Teams Attacker Emails: email protected Victim Industries: Critical Manufacturing, Financial, Government Mitigation Advice In Microsoft Entra ID, navigate to 'External Identities' -> 'External collaboration settings' and change the 'Guest invite settings' to 'Allow invitations only to specified domains'. Populate the list with currently known and trusted partner domains. In the Microsoft Teams Admin Center, under 'Users' -> 'External access', set the policy for Teams and Skype for Business users in external organizations to 'Allow only specific external domains' and add the domains of trusted business partners. Use PowerShell to connect to your Microsoft Teams instance and run the command 'Set-CsTeamsMessagingPolicy -Identity Global -UseB2BInvitesToAddExternalUsers $false' to disable the ability for users to start chats with external users using just an email address. In Microsoft Entra ID, under 'External Identities' -> 'Cross-tenant access settings', configure the default settings to block all inbound and outbound B2B collaboration and B2B direct connect access for both users and applications. Compliance Best Practices Develop and implement a formal policy and process for vetting, approving, and periodically reviewing external organizations for Teams collaboration. Use this process to manage the allowlists in Entra ID's cross-tenant access settings and the Teams Admin Center. Develop and deploy a recurring security awareness training module that specifically educates users on the risks of accepting Microsoft Teams guest invitations from unknown organizations. The training should explain that security protections do not carry over and should instruct users on how to verify and report suspicious invitations. DPRK-Linked Kimsuky and Lazarus Coordinate Espionage and Financial Theft via CVE-2024-38193 Kimsuky and Lazarus operate a coordinated campaign, combining Kimsuky's precise espionage with Lazarus's financial theft capabilities, both under DPRK control. Kimsuky initiates attacks through academic-themed spearphishing, using malicious HWP and MSC attachments to harvest credentials and reconnaissance data, deploying backdoors like FPSpy and the KLogEXE keylogger. Lazarus then leverages zero-day Windows privilege escalation, specifically CVE-2024-38193, and malicious Node.js packages to gain SYSTEM privileges and deploy the InvisibleFerret backdoor for cryptocurrency wallet theft. The groups share C2 infrastructure, intelligence, and tools, employing advanced evasion techniques such as encrypted/HTTP-like C2 traffic, multi-layer packing (Fudmodule), domain rotation, and anti-EDR capabilities to avoid detection. This collaboration has resulted in the rapid exfiltration of sensitive documents and significant cryptocurrency thefts, including a single incident of $32 million and over $120 million cumulatively since 2024. The campaign utilizes various MITRE ATT&CK techniques, including Phishing (T1566), Input Capture (T1056), Exploitation for Privilege Escalation (T1068), Command and Scripting Interpreter (T1059), Ingress Tool Transfer (T1105), Boot or Logon Autostart Execution (T1547), Obfuscated Files or Information (T1027), Application Layer Protocol (T1071), Exfiltration Over C2 Channel (T1041), Valid Accounts (T1078), and Domain Policy Modification (T1484). Key indicators of compromise include FPSpy (MD5: a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6) and InvisibleFerret (MD5: f6e5d4c3b2a1f0e9d8c7b6a5f4e3d2c1) hashes, shared C2 IP addresses like 192.168.xxx.xxx, the academic lure domain academic-symposium[.]info, and the exploitation of CVE-2024-38193. Severity: Critical Sources https://buaq.net/go-375362.html https://buaq.net/go-376034.html https://cyberpress.org/exploiting-code-hosting-platforms/ https://cyberpress.org/north-korean-job-fraud/ https://gbhackers.com/json-storage/ https://securityonline.info/north-koreas-contagious-interview-apt-uses-json-keeper-and-gitlab-to-deliver-beavertail-spyware/ https://slowmist.medium.com/explanation-msmt-the-dprks-violation-and-evasion-of-un-sanctions-via-cyber-and-it-worker-e2a674d3a2c5?source=rss-4ceeedda40e8------2 https://thehackernews.com/2025/11/north-korean-hackers-turn-json-services.html https://www.hendryadrian.com/inside-dprks-fake-job-platform-targeting-u-s-ai-talent-validin/ https://www.hendryadrian.com/kimsuky-and-lazarus-coordinated-campaign/ https://www.hendryadrian.com/kimsuky-health-checkup-email-malware/ Threat Details and IOCs Malware: Agenda, AkdoorTea, AlphaSeed, AppleJeus, AppleSeed, ATMDtrack, BabyShark, Beavertail, BeaverTail, Dtrack, FPSpy, FudModule, InfoKey, InvisibleFerret, JamBog, Kaiten, KGH_SPY, KLogEXE, MoonPeak, OtterCookie, Play, Playcrypt, Qilin, RokRAT, TrollAgent, Troll Stealer, Tropidoor, Tsunami, TsunamiKit, XenoRAT, XORIndex CVEs: CVE-2017-0199, CVE-2018-13379, CVE-2019-0708, CVE-2020-12812, CVE-2022-42475, CVE-2023-27532, CVE-2023-27997, CVE-2024-21762, CVE-2024-27198, CVE-2024-38193, CVE-2024-55591 Technologies: Apple macOS, Atlassian Bitbucket, BtcTurk, Bybit, DMM Bitcoin, ESTsoft ALZIP, Exclusible, GitHub, GitLab, Google Chrome, Hancom Hangul Word Processor, JSONsilo, Keeper, LinkedIn, Linux, MetaMask, Microsoft .NET Framework, Microsoft Windows, Munchables, Node.js, npm, npoint.io, OnyxDAO, Pastebin, Phantom, Python, Radiant Capital, TronLink, WazirX Threat Actors: Agenda, AlluringPisces, Andariel, APT37, APT38, APT43, APT45, Beavertail, BlackBanshee, Bluenoroff, CitrineSleet, CL-STA-0240, CryptoCore, DeceptiveDevelopment, DEV#POPPER, EmeraldSleet, FamousChollima, GleamingPisces, GwisinGang, InvisibleFerret, JadeSleet, Kimsuky, Lazarus, LazarusGroup, MoonstoneSleet, OnyxSleet, OtterCookie, Qilin, SapphireSleet, SilentChollima, SparklingPisces, StardustChollima, Temp.Hermit, TenaciousPungsan, Thallium, TraderTraitor, UNC4899, UNC5342, VelvetChollima, VoidDokkaebi, WageMole Attacker Countries: North Korea, Russia Attacker IPs: 104.200.67.96, 107.189.25.109, 144.172.100.142, 144.172.103.97, 144.172.95.226, 144.172.97.7, 146.70.253.10, 146.70.253.107, 147.124.197.138, 147.124.197.149, 147.124.212.146, 147.124.212.89, 147.124.214.129, 147.124.214.131, 147.124.214.237, 165.140.86.227, 167.88.36.13, 172.86.84.38, 172.86.98.240, 173.211.106.101, 185.153.182.241, 185.235.241.208, 216.126.229.166, 216.189.150.185, 23.106.253.194, 23.106.253.215, 23.106.253.221, 23.106.253.242, 23.106.70.154, 23.227.202.242, 23.227.202.244, 23.254.164.156, 38.92.47.151, 38.92.47.85, 38.92.47.91, 45.128.52.14, 45.137.213.30, 45.43.11.201, 45.61.133.110, 45.61.150.30, 45.61.150.31, 45.61.151.71, 45.76.160.53, 5.253.43.122, 66.235.168.232, 66.235.175.109, 67.203.7.163, 67.203.7.171, 69.62.86.78, 72.61.9.45, 86.104.74.51, 88.218.0.78, 94.131.97.195, 95.164.17.24 Attacker Emails: ahmadbahai07@gmail.com, drgru854@gmail.com, jackhill2765@gmail.com, jack.murray.tf7@gmail.com, magalhaesbruno236@gmail.com, reichenausteve@gmail.com, stromdev712418@gmail.com, trungtrinh0818@gmail.com Attacker Domains: advisorflux.com, api.jsonsilo.com, api.npoint.io, app.lenvny.com, assureeval.com, bitbucket.org, bloxholder.com, carrerlilla.com, cloudflariz.com, cookiemanager.ne.kr, effertz-carroll.com, evangelia.edu, freeconference.io, ftpserver0909.com, generated.photos, github.com, gitlab.com, ipcheck.cloud, jsonkeeper.com, jsonsilo.com, kupaywallet.com, lenvny.com, load.samework.o-r.kr, mirotalk.io, mirotalk.net, n34kr3z26f3jzp4ckmwuv5ipqyatumdxhgjgsmucc65jac56khdy5zqd.onion, naverbox.pe.kr, nidiogln.ne.kr, npoint.io, pastebin.com, railway.app, regioncheck.net, thispersondoesntexist.com, unioncrypto.vip, wud.wuaze.com, www.jsonkeeper.com Attacker URLs: http://147.124.214.129:1244, http://173.211.106.101:1245, https://app.lenvny.com/cam-v-abc123.fix, hxxp://146.70.253.107:1224/client/99/81, hxxp://146.70.253.107:1224/pdown, hxxp://23.254.164.156/introduction-video, hxxp://n34kr3z26f3jzp4ckmwuv5ipqyatumdxhgjgsmucc65jac56khdy5zqd.onion, hxxps://api.jsonsilo.com/public/0048f102-336f-45dd-aef6-3641158a4c5d, hxxps://api.jsonsilo.com/public/942acd98-8c8c-47d8-8648-0456b740ef8b, hxxps://api.npoint.io/03f98fa639fa37675526, hxxps://api.npoint.io/148984729e1384cbe212, hxxps://api.npoint.io/2169940221e8b67d2312, hxxps://api.npoint.io/336c17cbc9abf234d423, hxxps://api.npoint.io/38acf86b6eb42b51b9c2, hxxps://api.npoint.io/62755a9b33836b5a6c28, hxxps://api.npoint.io/832d58932fcfb3065bc7, hxxps://api.npoint.io/8df659fd009b5af90d35, hxxps://api.npoint.io/a1dbf5a9d5d0636edf76, hxxps://api.npoint.io/cb0f9d0d03f50a5e1ebe, hxxps://api.npoint.io/e6a6bfb97a294115677d, hxxps://api.npoint.io/f4be0f7713a6fcdaac8b, hxxps://api.npoint.io/f6dd89c1dd59234873cb, hxxps://github.com/0x3ca54/arena-world, hxxps://github.com/adammajoros250-creator/123456ddd, hxxps://github.com/adammajoros250-creator/alex111, hxxps://github.com/adammajoros250-creator/Apexora-test, hxxps://github.com/adammajoros250-creator/bot111, hxxps://github.com/adammajoros250-creator/corex-arc-fork, hxxps://github.com/adammajoros250-creator/demotest, hxxps://github.com/carlotalentengine-sketch, hxxps://github.com/edwardtam919/staking-platform-main, hxxps://github.com/harrypotter060327-netizen/David-test, hxxps://github.com/harrypotter060327-netizen/eeeee, hxxps://github.com/harrypotter060327-netizen/Harry-Potter, hxxps://github.com/harrypotter060327-netizen/Test_Estoken, hxxps://github.com/harrypotter060327-netizen/TEST_LORD, hxxps://github.com/harrypotter060327-netizen/test_project, hxxps://github.com/InfiniGods-Tech/rei, hxxps://github.com/meta-stake/RaceStake, hxxps://github.com/meta-stake/RealEstateVC, hxxps://github.com/parth5805/iGuru-Task, hxxps://github.com/TommyMinion/DeFi-Market, hxxps://gitlab.com/goldencity-group/goldencity-demo, hxxps://gitlab.com/real-world-assest-tokenization/goldencity, hxxps://gitlab.com/technicalmanager-group/real-esate, hxxps://jsonkeeper.com/b/4NAKK, hxxps://jsonkeeper.com/b/6OCFY, hxxps://jsonkeeper.com/b/86H03, hxxps://jsonkeeper.com/b/8RLOV, hxxps://jsonkeeper.com/b/BADWN, hxxps://jsonkeeper.com/b/E4YPZ, hxxps://jsonkeeper.com/b/FM8D6, hxxps://jsonkeeper.com/b/GCGEX, hxxps://jsonkeeper.com/b/GNOX4, hxxps://jsonkeeper.com/b/IARGW, hxxps://jsonkeeper.com/b/IXHS4, hxxps://jsonkeeper.com/b/JV43N, hxxps://pastebin.com/u/AmendMinds7934, hxxps://pastebin.com/u/AmendMinds7934_LoverTumor2853, hxxps://pastebin.com/u/AmendMinds7934LoverTumor2853, hxxps://pastebin.com/u/NotingRobe2871, hxxps://pastebin.com/u/NotingRobe2871_FranzStill8494, hxxps://pastebin.com/u/NotingRobe2871FranzStill8494, hxxps://pastebin.com/u/ShadowGates1462, hxxps://pastebin.com/u/ShadowGates1462_PastPhys9067, hxxps://pastebin.com/u/ShadowGates1462PastPhys9067, hxxps://www.jsonkeeper.com/b/JNGUQ, hxxps://www.jsonkeeper.com/b/O2QKK, hxxps://www.jsonkeeper.com/b/RZATI, hxxps://www.jsonkeeper.com/b/T7Q4V, hxxps://www.jsonkeeper.com/b/VBFK7 Attacker Hashes: 3aed5502118eb9b8c9f8a779d4b09e11, 5e2186e65f84726e8c8284d48db66805fc7e02ce43a73a7ac6bf5a5fff3a35e2, 84d25292717671610c936bca7f0626f5, 94ef379e332f3a120ab16154a7ee7a00, 9d9a25482e7e40e8e27fdb5a1d87a1c12839226c85d00c6605036bd1f4235b21, b29ddcc9affdd56a520f23a61b670134 Victim Industries: Construction, Cryptocurrency, Defense Industrial Base, Education, Financial Services, Financial Technology, Government, Healthcare, Information Technology, Insurance, Market Research, Real Estate, Software, Technology Hardware Victim Countries: Argentina, Brazil, Cambodia, Canada, China, Colombia, Costa Rica, Egypt, Equatorial Guinea, France, Germany, Guinea, India, Indonesia, Japan, Kenya, Laos, Mexico, Netherlands, Nigeria, Pakistan, Philippines, Portugal, Russia, Serbia, South Korea, Tanzania, Turkey, United Arab Emirates, United Kingdom, United States, Vietnam Mitigation Advice Immediately apply the security patch for CVE-2024-38193 to all vulnerable Windows systems. Block the domain 'academic-symposium[.]info' at the web proxy, DNS firewall, and email gateway. Add the file hashes for FPSpy (MD5: a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6) and InvisibleFerret (MD5: f6e5d4c3b2a1f0e9d8c7b6a5f4e3d2c1) to your Endpoint Detection and Response (EDR) and antivirus blocklists. Configure email security gateways to block or quarantine incoming emails with HWP and MSC file attachments. Run threat hunting queries in your SIEM and EDR to search for suspicious process behaviors, such as HWP files spawning 'winlogon.exe' or any process accessing cryptocurrency wallet paths like '%APPDATA%\MetaMask'. Compliance Best Practices Develop and implement a mandatory, recurring security awareness training program that focuses on identifying spearphishing emails and the risks of handling unsolicited attachments or links. Implement application control policies, such as AppLocker, to restrict the execution of unauthorized scripts and executables, particularly in developer environments. Establish a secure software development lifecycle (SDLC) policy that includes vetting all third-party libraries, such as those from npm, for known vulnerabilities or malicious code before they are approved for use. Implement regular auditing and alerting for any modifications to Group Policy Objects (GPOs) to quickly detect unauthorized changes used for lateral movement. Implement network segmentation to isolate critical assets, such as domain controllers and servers handling financial data, from the general user network. Deploy a network security solution capable of TLS inspection to decrypt and analyze outbound web traffic for signs of command-and-control (C2) activity. Establish and enforce a corporate policy that requires all company-managed cryptocurrency assets to be stored in hardware wallets and prohibits the use of software wallets on networked endpoints. ShadowV2 Botnet Exploits AWS Outage to Infect IoT Devices in 28 Countries A Mirai-based botnet, ShadowV2, emerged during a widespread AWS outage last October, infecting IoT devices across 28 countries and multiple sectors including technology, retail, government, and education. This activity, potentially a "test run" for future attacks, involved the botnet exploiting vulnerabilities in devices from vendors like DD-WRT (CVE-2009-2765), D-Link (CVE-2020-25506, CVE-2022-37055, CVE-2024-10914, CVE-2024-10915), DigiEver (CVE-2023-52163), TBK (CVE-2024-3721), and TP-Link (CVE-2024-53375). The infection process involved dropping a `binary.sh` downloader that delivered "shadow" prefixed malware binaries from 81[.]88[.]18[.]108, utilizing an XOR-encoded configuration to connect to a command-and-control server for DDoS attacks, and displaying the string "ShadowV2 Build v1.0.0 IoT version." While ShadowV2's observed activity was limited to the outage period, its emergence underscores the persistent vulnerability of IoT devices, a point further highlighted by a subsequent 15.72 Tbps DDoS attack on Azure by the Aisuru botnet, which was successfully mitigated. Severity: Critical Sources https://cyberpress.org/shadowv2-malware/ https://dataconomy.com/2025/11/27/shadowv2-botnet-exploited-aws-outage-timeline-to-test-global-iot-attacks/ https://www.bleepingcomputer.com/news/security/new-shadowv2-botnet-malware-used-aws-outage-as-a-test-opportunity/ https://www.fortinet.com/blog/threat-research/shadowv2-casts-a-shadow-over-iot-devices https://www.securitylab.ru/news/566583.php https://www.securitylab.ru/news/566590.php https://www.theregister.com/2025/11/26/miraibased_botnet_shadowv2/ Threat Details and IOCs Malware: Airashi, Aisuru, Bash0day, Bashlite, BASHLITE, boatnet, Gafgyt, Gayfemboy, Hakai, Katana, LizardStresser, Lizkebab, Lzrd, LZRD, Miori, Mirai, Okiru, Pandora, Qbot, Satori, ShadowV2, SpeakUp, Torlus, TurboMirai, Yowai CVEs: CVE-2009-2765, CVE-2020-25506, CVE-2022-37055, CVE-2023-52163, CVE-2024-10914, CVE-2024-10915, CVE-2024-3721, CVE-2024-53375 Technologies: Amazon Web Services, DD-WRT, Digiever, Digiever Network Video Recorders, D-Link, D-Link GO-RT-AC750, D-Link ShareCenter, Linux, TBK, TBK DVRs, TP-Link, TP-Link Archer Threat Actors: LZRD Attacker IPs: 198.199.72.27, 23.97.62.139, 81.88.18.108 Attacker Domains: silverpath.shadowstresser.info Attacker Hashes: 0408d57c5ded5c79bf1c5b15dfde95547e17b81214dfc84538edcdbef4e61ffe, 22aa3c64c700f44b46f4b70ef79879d449cc42da9d1fe7bad66b3259b8b30518, 24ad77ed7fa9079c21357639b04a526ccc4767d2beddbd03074f3b2ef5db1b69, 499a9490102cc55e94f6a9c304eea86bbe968cff36b9ac4a8b7ff866b224739f, 5b5daeaa4a7e89f4a0422083968d44fdfe80e9a32f25a90bf023bca5b88d1e30, 6f1a5f394c57724a0f1ea517ae0f87f4724898154686e7bf64c6738f0c0fb7b6, 7dfbf8cea45380cf936ffdac18c15ad91996d61add606684b0c30625c471ce6a, 80ee2bf90545c0d539a45aa4817d0342ff6e79833e788094793b95f2221a3834, bb326e55eb712b6856ee7741357292789d1800d3c5a6be4f80e0cb1320f4df74, c0ac4e89e48e854b5ddbaef6b524e94cc86a76be0a7a8538bd3f8ea090d17fc2, c62f8130ef0b47172bc5ec3634b9d5d18dbb93f5b7e82265052b30d7e573eef3, cb42ae74216d81e87ae0fd51faf939b43655fe0be6740ac72414aeb4cf1fecf2, dfaf34b7879d1a6edd46d33e9b3ef07d51121026b8d883fdf8aced630eda2f83 Victim Industries: Education, Government, Hospitality, Information Technology, Managed Service Providers, Manufacturing, Retail, Technology Hardware, Telecommunications Victim Countries: Australia, Austria, Belgium, Bolivia, Brazil, Canada, Chile, China, Croatia, Czech Republic, Egypt, France, Greece, Italy, Japan, Kazakhstan, Mexico, Morocco, Netherlands, Philippines, Russia, Saudi Arabia, South Africa, Taiwan, Thailand, Turkey, United Kingdom, United States Mitigation Advice Add the IP address 81.88.18.108 to the network firewall blocklist to prevent connections to and from the ShadowV2 malware delivery server. Use your SIEM or EDR solution to search for executions of a script named 'binary.sh' and the presence of any files with the prefix 'shadow' on all endpoints. Scan the network to identify all devices running DD-WRT firmware and immediately update any vulnerable instances to a version that patches CVE-2009-2765. Scan the network to identify all D-Link devices vulnerable to CVE-2020-25506, CVE-2022-37055, CVE-2024-10914, or CVE-2024-10915. Apply vendor patches where available or isolate and plan for the replacement of end-of-life devices. Scan the network to identify TBK DVRs vulnerable to CVE-2024-3721. Since no patch is available, isolate these devices from the network immediately and prioritize their replacement. Scan the network to identify all TP-Link routers vulnerable to CVE-2024-53375 and apply the necessary firmware updates immediately. Compliance Best Practices Design and implement a separate network segment (VLAN) for all IoT devices to isolate them from critical business systems and user networks. Develop and enforce an IoT security policy that defines standards for the procurement, deployment, configuration, and lifecycle management of all connected devices. Establish a formal vulnerability management program that includes regular, automated scanning of all network assets, including IoT devices, to proactively identify and remediate vulnerabilities. Implement a default-deny egress filtering policy on the network firewall, allowing outbound connections only for specifically approved protocols, ports, and destinations required for business operations. Implement a Cloud Security Posture Management (CSPM) tool to continuously monitor AWS environments for misconfigurations and security risks in EC2 instances and other services. ASUS Warns of Critical Auth Bypass Flaw (CVE-2025-59366) in AiCloud Routers ASUS has released new firmware to address nine security vulnerabilities, including a critical authentication bypass flaw, CVE-2025-59366, affecting its routers with AiCloud enabled. This vulnerability, stemming from an unintended side effect of Samba functionality, allows remote attackers to execute specific functions without proper authorization by chaining path traversal and OS command injection weaknesses, requiring low complexity and no user interaction. Users are strongly advised to update their router firmware to the latest versions, specifically those in the `3.0.0.4_386,` `3.0.0.4_388,` and `3.0.0.6_102` series. For end-of-life models that will not receive updates, mitigation steps include disabling all internet-accessible services such as remote access from WAN, port forwarding, DDNS, VPN server, DMZ, port triggering, and FTP, as well as cutting remote access to devices running vulnerable AiCloud software, and employing strong passwords for router administration and wireless networks. This follows a previous critical authentication bypass, CVE-2025-2492, patched in April, which was exploited in "Operation WrtHug" to compromise thousands of ASUS WRT routers globally. Severity: Critical Sources https://buaq.net/go-378236.html https://cyberinsider.com/asus-patches-critical-vulnerabilities-in-routers-and-pc-software/ https://meterpreter.org/asus-patches-critical-aicloud-flaw-cve-2025-59366-allowing-remote-router-takeover/ https://securityonline.info/8-flaws-asus-routers-urgently-need-patch-for-authentication-bypass-cve-2025-59366-cvss-9-4/ https://www.bleepingcomputer.com/news/security/asus-warns-of-new-critical-auth-bypass-flaw-in-aicloud-routers/ https://www.hkcert.org/security-bulletin/asus-router-multiple-vulnerabilities_20251126 Threat Details and IOCs Malware: PoisonPlug, RingReaper, ShadowPad CVEs: CVE-2023-41345, CVE-2023-41348, CVE-2024-12912, CVE-2025-12003, CVE-2025-2492, CVE-2025-59365, CVE-2025-59366, CVE-2025-59368, CVE-2025-59369, CVE-2025-59370, CVE-2025-59371, CVE-2025-59372, CVE-2025-59373 Technologies: ASUS, ASUS ASUSWRT, ASUS Router, ASUSWRT, Linux, Microsoft Windows, Samba Threat Actors: AyySSHush Attacker Countries: China Victim Industries: Consumer Electronics, Hospitality, Retail, Technology Hardware Victim Countries: Austria, Brunei, Cambodia, Croatia, Czech Republic, Germany, Hungary, Indonesia, Laos, Liechtenstein, Malaysia, Myanmar, Philippines, Poland, Russia, Singapore, Slovakia, Slovenia, Switzerland, Taiwan, Thailand, Timor-Leste, United States, Vietnam Mitigation Advice Identify all ASUS routers on the network and update their firmware to the latest version to patch CVE-2025-59366 and other listed vulnerabilities. For any ASUS routers that cannot be immediately patched or do not require the AiCloud feature, disable AiCloud to remove the primary attack vector for CVE-2025-59366. On unpatchable or end-of-life ASUS routers, disable all remote administration access from the WAN. On unpatchable or end-of-life ASUS routers, disable the built-in VPN server functionality to reduce the external attack surface. Review and disable all non-essential port forwarding, DMZ, and port triggering rules on ASUS routers that cannot be updated. On unpatchable or end-of-life ASUS routers, disable the built-in FTP server to prevent potential exploitation. Compliance Best Practices Establish and enforce a hardware lifecycle management policy to ensure network devices like routers are replaced before they reach end-of-life and no longer receive security patches. Implement a network security policy that requires all non-essential services on internet-facing devices to be disabled by default. Enforce a strong password policy for all network device administrative accounts, requiring unique, complex passwords and periodic audits for compliance. Develop a formal vulnerability management program that includes regular, automated scanning of all network perimeter devices to identify outdated firmware, open ports, and insecure configurations. Stay updated on emerging threats: sign up for the F5 Threat Report to receive the Weekly Threat Report in your inbox.F5 Threat Report - November 26th, 2025
Shai-Hulud 2.0 npm Supply Chain Attack Steals Credentials A new npm supply-chain campaign, dubbed Shai-Hulud 2.0, has compromised numerous popular packages, including those from Zapier, ENS Domains, PostHog, and Postman, by leveraging compromised maintainer accounts to publish trojanized versions. This variant executes malicious code during the `preinstall` phase, leading to credential theft and exfiltration of developer and CI/CD secrets to GitHub repositories named "Shai-Hulud." The attack, observed between November 21-23, 2025, creates files like `cloud.json`, `contents.json`, `environment.json`, `truffleSecrets.json`, and attempts to create `discussion.yaml`. Key indicators of compromise include specific package versions (e.g., `@zapier/zapier-sdk` 0.15.5-0.15.7, `@ensdomains/ens-validation` 0.1.1, `@posthog/agent` 1.24.1), the presence of `pre-install` scripts, a GitHub Actions workflow named `shai-hulud-workflow.yml`, access to cloud metadata endpoints, outbound connections to `webhook[.]site`, and `data.json` files containing encoded secrets. Immediate actions recommended include removing and replacing compromised packages, clearing npm cache, pinning dependencies to known clean versions or rolling back to pre-November 21, 2025 builds, revoking and regenerating npm tokens, GitHub PATs, SSH keys, and cloud provider credentials, enforcing phishing-resistant MFA, searching for "Shai-Hulud" repositories, reviewing for unauthorized workflows, monitoring new npm publishes, restricting or disabling lifecycle scripts in CI/CD, limiting outbound network access, and using short-lived, scoped automation tokens. Severity: Critical Sources https://cyberinsider.com/second-wave-of-shai-hulud-npm-malware-hits-zapier-ens-domains/ https://financefeeds.com/shai-hulud-malware-hits-400-javascript-packages-in-major-npm-supply-chain-attack/ https://gbhackers.com/zapiers-npm-account-hacked-multiple-packages-infected/ https://hackread.com/shai-hulud-npm-worm-supply-chain-attack/ https://securitylabs.datadoghq.com/articles/supply-chain-attacks-runtime-security-detection/ https://thehackernews.com/2025/11/second-sha1-hulud-wave-affects-25000.html https://www.bitcoininsider.org/article/293565/shai-hulud-malware-hits-npm-crypto-libraries-face-growing-security-crisis https://www.bleepingcomputer.com/news/security/shai-hulud-malware-infects-500-npm-packages-leaks-secrets-on-github/ https://www.hendryadrian.com/shai-hulud-npm-attack-what-you-need-to-know/ https://www.theregister.com/2025/11/24/shai_hulud_npm_worm/ https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack Threat Details and IOCs Malware: Anivia Stealer, Sha1-Hulud, SHA1-HULUD, Shai Hulud, Shai-Hulud, ZeroTrace Stealer CVEs: CVE-2025-10894, CVE-2025-59037, CVE-2025-59140, CVE-2025-59141, CVE-2025-59142, CVE-2025-59143, CVE-2025-59144, CVE-2025-59162, CVE-2025-59330, CVE-2025-59331, CVE-20S-59143 Technologies: Amazon Web Services, Amazon Web Services (AWS), Apple macOS, AsyncAPI, Bun, Ethereum, Ethereum Name Service, GitHub, GitHub Actions, Google Cloud Platform, Google Cloud Platform (GCP), Kubernetes, Linux, Microsoft Azure, Microsoft Windows, Node.js, npm, PostHog, Postman, SSH, Vercel Next.js, Zapier Attacker Domains: bun.sh, shai-hulud-2.github.io, webhook.site Attacker URLs: bun.sh/install.ps1, https://bun.sh/install, https://github.com/asyncapi/cli/blob/2efa4dff59bc3d3cecdf897ccf178f99b115d63d/bun_environment.js, https://github.com/search?q=Sha1-Hulud%3A+The+Second+Coming.&ref=opensearch&type=repositories, hxxps://shai-hulud-2.github.io/data.json, hxxps://webhook.site/a1b2c3d4-e5f6-a7b8-c9d0-e1f2a3b4c5d6, hxxps://webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7 Attacker Hashes: 2efa4dff59bc3d3cecdf897ccf178f99b115d63d Victim Industries: Critical Manufacturing, Cryptocurrency, Financial Services, Healthcare, Information Technology, Manufacturing, Software, Technology Hardware Victim Countries: Belgium, Cayman Islands, United States Mitigation Advice Scan all development and CI/CD environments for the specific compromised npm packages and versions listed in the article. If any compromised npm packages are found, remove them, clear the npm cache, and delete the `node_modules` directory from the affected project. Block all outbound network connections from build servers and developer workstations to `webhook[.]site` at the network firewall. Search all company-managed GitHub organizations for newly created repositories containing "Shai-Hulud" in the title or description. Scan all GitHub repositories for the presence of a workflow file named `shai-hulud-workflow.yml`. Immediately revoke and regenerate all npm tokens, GitHub Personal Access Tokens (PATs), and SSH keys used in development and CI/CD environments. Immediately revoke and regenerate all cloud provider credentials, such as AWS IAM roles or GCP service account keys, accessible from CI/CD environments. Compliance Best Practices Implement and enforce a strict policy for all development projects to pin npm package dependencies to specific, audited versions using a lock file. Update CI/CD pipeline configurations to disable or restrict the execution of npm lifecycle scripts, such as `preinstall` and `postinstall`, by default. Enforce the use of phishing-resistant Multi-Factor Authentication (MFA) for all developer and administrator accounts on code repositories like GitHub and package registries like npm. Implement network egress filtering on all CI/CD build runners to only allow outbound connections to a pre-approved list of essential domains. Re-architect CI/CD pipelines to use dynamically generated, short-lived, and narrowly-scoped access tokens for authentication instead of static, long-lived credentials. Implement automated monitoring to generate security alerts for any new packages published to public registries under your organization's name or scopes. APT24 Deploys BADAUDIO in Years-Long Espionage Hitting Taiwan and 1,000+ Domains A China-nexus threat actor, APT24 (also known as Pitty Tiger), has been observed deploying a previously undocumented malware named BADAUDIO in a nearly three-year espionage campaign primarily targeting Taiwan, alongside government, healthcare, construction, mining, non-profit, and telecommunications sectors in the U.S. BADAUDIO, a highly obfuscated C++ first-stage downloader, utilizes control flow flattening to resist reverse engineering and leverages DLL Search Order Hijacking for execution. It gathers system information, exfiltrates it, and downloads AES-encrypted payloads, such as Cobalt Strike Beacon. Initial access vectors include watering holes, where over 20 legitimate websites were compromised from November 2022 to September 2025 to inject JavaScript that targeted Windows users with fake Google Chrome update pop-ups using FingerprintJS. A significant supply chain compromise occurred in July 2024 when APT24 breached a Taiwanese digital marketing firm, injecting malicious JavaScript into a widely used library, affecting over 1,000 domains. Targeted phishing campaigns, active since August 2024, use animal rescue lures and tracking pixels to deliver BADAUDIO via encrypted archives hosted on Google Drive and Microsoft OneDrive. Separately, another China-nexus threat actor, codenamed Autumn Dragon, has conducted a sustained espionage campaign against government, media, and news sectors in Laos, Cambodia, Singapore, the Philippines, and Indonesia. This campaign exploits a WinRAR vulnerability (CVE-2025-8088, CVSS 8.8) via spear-phishing with malicious RAR archives, leading to DLL sideloading using legitimate executables like `obs-browser-page.exe` and `Creative Cloud Helper.exe` to establish persistence, communicate via Telegram for reconnaissance, and deploy a C++ implant capable of executing various commands. Severity: Critical Sources https://cloud.google.com/blog/topics/threat-intelligence/apt24-pivot-to-multi-vector-attacks/ https://securityonline.info/chinas-apt24-launches-stealth-badaudio-malware-hitting-1000-domains-via-taiwanese-supply-chain-hack/ https://thehackernews.com/2025/11/apt24-deploys-badaudio-in-years-long.html https://www.hendryadrian.com/apt24s-pivot-to-multi-vector-attacks-google-cloud-blog/ https://www.hendryadrian.com/beyond-the-watering-hole-apt24s-pivot-to-multi-vector-attacks/ https://www.securitylab.ru/news/566430.php https://www.securityweek.com/chinese-cyberspies-deploy-badaudio-malware-via-supply-chain-attacks/ Threat Details and IOCs Malware: Agentemis, BadAudio, BADAUDIO, Beacon, BEACON, Cobalt Strike, CobaltStrike, Cobalt Strike Beacon, cobeacon, Enfal, Gh0st, Gh0st RAT, Lurid Downloader, Roudan, Specas, Taidoor CVEs: CVE-2012-0158, CVE-2014-1761, CVE-2025-8088 Technologies: Adobe Creative Cloud, Google Chrome, Google Drive, Microsoft OneDrive, Microsoft Windows, RARLAB WinRAR Threat Actors: APT24, AutumnDragon, EarthAughisky, G0011, PITTY PANDA, PittyTiger, Taidoor, Temp.Pittytiger, TempPittytiger Attacker Countries: China Attacker Domains: clients.brendns.workers.dev, jarzoda.net, jsdelivrs.com, public.megadatacloud.com, roller.johallow.workers.dev, taiwantradoshows.com, tradostw.com, trcloudflare.com, wispy.geneva.workers.dev, www.availableextens.com, www.brighyt.com, www.cundis.com, www.decathlonm.com, www.gerikinage.com, www.growhth.com, www.p9-car.com, www.twisinbeth.com Attacker URLs: https://cdn.jsdelivr.net/npm/@fingerprintjs/fingerprintjs@2/dist/fingerprint2.min.js, https://wispy.geneva.workers.dev/pub/static/img/merged?version=65feddea0367, https://www.twisinbeth.com/query.php, https://www.twisinbeth.com/query.php?id= Attacker Hashes: 032c333eab80d58d60228691971d79b2c4cd6b9013bae53374dd986faa0f3f4c, 07226a716d4c8e012d6fabeffe2545b3abfc0b1b9d2fccfa500d3910e27ca65b, 0e98baf6d3b67ca9c994eb5eb9bbd40584be68b0db9ca76f417fb3bcec9cf958, 176407b1e885496e62e1e761bbbb1686e8c805410e7aec4ee03c95a0c4e9876f, 1f31ddd2f598bd193b125a345a709eedc3b5661b0645fc08fa19e93d83ea5459, 2ea075c6cd3c065e541976cdc2ec381a88b748966f960965fdbe72a5ec970d4e, 55e02a81986aa313b663c3049d30ea0158641a451cb8190233c09bef335ef5c7, 5c37130523c57a7d8583c1563f56a2e2f21eef5976380fdb3544be62c6ad2de5, 83fb652af10df4574fa536700fa00ed567637b66f189d0bbdb911bd2634b4f0e, 88fa2b5489d178e59d33428ba4088d114025acd1febfa8f7971f29130bda1213, 9ce49c07c6de455d37ac86d0460a8ad2544dc15fb5c2907ed61569b69eefd182, ae8473a027b0bcc65d1db225848904e54935736ab943edf3590b847cb571f980, c4e910b443b183e6d5d4e865dd8f978fd635cd21c765d988e92a5fd60a4428f5, c7565ed061e5e8b2f8aca67d93b994a74465e6b9b01936ecbf64c09ac6ee38b9, cfade5d162a3d94e4cba1e7696636499756649b571f3285dd79dea1f5311adcd, d23ca261291e4bad67859b5d4ee295a3e1ac995b398ccd4c06d2f96340b4b5f8, f086c65954f911e70261c729be2cdfa2a86e39c939edee23983090198f06503c, f1e9d57e0433e074c47ee09c5697f93fde7ff50df27317c657f399feac63373a Victim Industries: Advertising Services, Arts, Entertainment, and Recreation, Construction, Engineering, Government, Healthcare, Industrials, Marketing & Advertising, Mining, Multimedia, Non-Governmental Organizations (NGOs), Retail, Telecommunications Victim Countries: Cambodia, Indonesia, Laos, Philippines, Singapore, Taiwan, United States Mitigation Advice Immediately patch all instances of WinRAR to version 7.13 or later to mitigate the actively exploited vulnerability CVE-2025-8088. Block the domain 'public.megadatacloud[.]com' at the network perimeter using your firewall, web proxy, or DNS filtering solution. Use your endpoint detection and response (EDR) tool to hunt for the legitimate executables 'obs-browser-page.exe' or 'Creative Cloud Helper.exe' loading malicious DLLs named 'libcef.dll' or 'CRClient.dll'. Configure endpoint detection rules to alert on legitimate applications loading DLLs from non-standard paths or user-writable directories to detect potential DLL Search Order Hijacking. Configure security controls to block or perform enhanced content inspection on encrypted archives downloaded from Google Drive. Configure security controls to block or perform enhanced content inspection on encrypted archives downloaded from Microsoft OneDrive. Compliance Best Practices Develop and implement a continuous security awareness training program that educates users on identifying and reporting phishing attempts, especially those with suspicious attachments or links to cloud services. Establish a vendor risk management program to vet and continuously monitor the security posture of third-party suppliers, particularly those who provide code or services integrated into your company's websites. Deploy an application control solution, such as AppLocker or a third-party tool, to restrict software execution to only authorized applications, scripts, and DLLs. Implement a network egress filtering policy that denies all outbound traffic by default and only allows connections to known-good domains and ports required for business operations. Harden PowerShell across the environment by enabling Constrained Language Mode and forwarding all PowerShell script block and module logs to a centralized SIEM for analysis. Implement Subresource Integrity (SRI) on all corporate websites to ensure that third-party JavaScript libraries and other resources are not modified without authorization. Chinese Hackers Exploiting WSUS Remote Code Execution Vulnerability to Deploy ShadowPad Malware Chinese hackers are actively exploiting CVE-2025-59287, a critical remote code execution vulnerability in Microsoft Windows Server Update Services (WSUS), to deploy the ShadowPad backdoor malware. Microsoft issued a security advisory for this vulnerability on October 14, 2025, with public proof-of-concept exploits emerging on October 22, 2025. The attack initiates by exploiting the WSUS vulnerability to execute PowerCat, establishing a reverse shell to 154.17.26.41 on port 8080. Subsequently, on November 6, 2025, attackers utilized legitimate Windows utilities such as curl.exe and certutil.exe to install ShadowPad. This modular backdoor, associated with Chinese state-sponsored APT groups, employs DLL side-loading techniques involving components like ETDCtrlHelper.exe, ETDApix.dll, and 0C137A80.tmp, and establishes persistence through Windows Registry modifications, scheduled tasks, and service creation under the identifier "Q-X64." It communicates with command-and-control servers at 163.61.102.245 via HTTP/HTTPS on port 443, using Firefox user-agent strings and injecting into processes such as Windows Mail, Windows Media Player, and svchost.exe. Organizations must immediately apply the security update for CVE-2025-59287, audit WSUS server exposure to block inbound traffic on TCP ports 8530 and 8531 from non-Microsoft Update sources, and conduct threat hunting for suspicious PowerShell execution (specifically involving certutil.exe and curl.exe) and network connections to the identified C2 infrastructure. Severity: Critical Sources https://bluefire-redteam.com/cve-2025-59287-deep-dive-response-playbook-and-siem-edr-detection-recipes/ https://buaq.net/go-371618.html https://buaq.net/go-373861.html https://buaq.net/go-375698.html https://cyberpress.org/cisa-alerts-on-active-exploitation-of-windows-server-update-services-rce-flaw/ https://cyberpress.org/cisa-warns-wsus-vulnerability/ https://cyberpress.org/hackers-exploit-wsus-vulnerability-to-steal-sensitive-organizational-data/ https://cyberpress.org/microsofts-wsus-patch/ https://cyberpress.org/shadowpad-malware/ https://cyberpress.org/tcp-ports-8530-8531-wsus/ https://cyberscoop.com/microsoft-windows-server-update-services-vulnerability-exploited-attacks/ https://gbhackers.com/attackers-exploit-windows-server-update-services-flaw/ https://gbhackers.com/cisa-alerts-on-of-wsus-vulnerability/ https://gbhackers.com/hackers-actively-scanning-tcp-ports-8530-8531/ https://gbhackers.com/microsofts-wsus-patch-causes-hotpatching-failures/ https://gbhackers.com/wsus-vulnerability/ https://hackread.com/hackers-exploit-wsus-skuld-stealer-microsoft-patch/ https://horizon3.ai/attack-research/vulnerabilities/cve-2025-59287/ https://hothardware.com/news/windows-server-update-service-is-under-attack https://isc.sans.edu/diary/rss/32440 https://latesthackingnews.com/2025/10/28/microsoft-october-patch-tuesday-is-huge-with-170-fixes/ https://meterpreter.org/windows-server-wsus-flaw-under-active-attack-cve-2025-59287-cvss-9-8-with-public-poc/ https://orca.security/resources/blog/cve-2025-59287-critical-wsus-rce/ https://securityboulevard.com/2025/10/critical-microsoft-wsus-security-flaw-is-being-actively-exploited/ https://securityboulevard.com/2025/10/windows-server-update-service-wsus-remote-code-execution-vulnerability-cve-2025-59287/ https://securityonline.info/critical-wsus-rce-cve-2025-59287-actively-exploited-to-deploy-shadowpad-backdoor/ https://socprime.com/blog/cve-2025-59287-detection/ https://thehackernews.com/2025/10/cisa-and-nsa-issue-urgent-guidance-to.html https://www.bitdefender.com/en-us/blog/businessinsights/bitdefender-advisory-critical-unauthenticated-rce-windows-server-update-services-cve-2025-59287 https://www.bleepingcomputer.com/news/microsoft/microsoft-patch-for-wsus-flaw-disabled-windows-server-hotpatching/ https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-windows-server-wsus-flaw-exploited-in-attacks/ https://www.esecurityplanet.com/news/wsus-vulnerability/ https://www.helpnetsecurity.com/2025/10/30/wsus-vulnerability-infostealer-cve-2025-59287/ https://www.hendryadrian.com/analysis-of-shadowpad-attack-exploiting-wsus-remote-code-execution-vulnerability-cve-2025-59287/ https://www.hendryadrian.com/exploitation-of-windows-server-update-services-remote-code-execution-vulnerability-cve-2025-59287/ https://www.hendryadrian.com/microsoft-wsus-remote-code-execution-cve-2025-59287-actively-exploited-in-the-wild/ https://www.infosecurity-magazine.com/news/actively-exploited-wsus-bug-cisa/ https://www.scworld.com/brief/attacks-involving-critical-wsus-vulnerability-under-investigation https://www.scworld.com/brief/dozens-impacted-by-active-wsus-vulnerability-abuse https://www.theregister.com/2025/10/27/microsoft_wsus_attacks_multiple_orgs/ Threat Details and IOCs Malware: Alureon, BadCandy, BADCANDY, CryptoDefense, CryptoLocker, GlassWorm, Gokcpdoor, Locky, Lukitus, Msevents, MS Juan, PoisonPlug, POISONPLUG.SHADOW, SesameOp, ShadowPad, Skuld, Skuld Stealer, Stealit, TDL3, TDL-4, TDSS, Tidserv, TMPN Stealer, Virtumonde, Vundo, WinFixer CVEs: CVE-2024-11972, CVE-2024-9234, CVE-2024-9707, CVE-2025-0033, CVE-2025-24052, CVE-2025-24990, CVE-2025-2884, CVE-2025-47827, CVE-2025-49708, CVE-2025-55315, CVE-2025-59218, CVE-2025-59230, CVE-2025-59246, CVE-2025-59287 Technologies: Microsoft Entra ID, Microsoft Exchange Server, Microsoft Internet Information Services, Microsoft .NET Framework, Microsoft Windows, Microsoft Windows Server, Microsoft Windows Server Update Services, QNAP NetBak PC Agent, WordPress Threat Actors: APT17, APT23, APT41, AquaticPanda, DaggerPanda, EarthLusca, Skuld, TontoTeam, UNC6512, WetPanda, WickedPanda Attacker Countries: China Attacker IPs: 129.153.98.207, 134.122.38.84, 149.28.78.189, 154.17.26.41, 158.247.199.185, 163.61.102.245, 207.180.254.242, 45.158.12.7 Attacker Domains: api.braintreegateway.com, api.stripe.com, asec.ahnlab.com, avatars.githubusercontent.com, billing.epac.to, cybaq.chtq.net, dscriy.chtq.net, i.ibb.co, loglog.ac.d189493a.digimg.store, raw.githubusercontent.com, remote-auth-gateway.discord.gg, royal-boat-bf05.qgtxtebl.workers.dev, webhook.site, workersdev, wsus.ac.d189493a.digimg.store, yogswgeacbepthpjozvsf8frv90962ejy.oast.fun, ysoserial.net Attacker URLs: HTTP://163.61.102.245:443, HTTPS://163.61.102.245:443, https://api.braintreegateway.com/merchants/49pp2rp4phym7387/client_api/v*/payment_methods/paypal_accounts, https://api.stripe.com/v*/tokens, https://asec.ahnlab.com/wp-admin/admin-ajax.php, https://asec.ahnlab.com/wp-content/plugins/elementor-pro/assets/, https://asec.ahnlab.com/wp-content/plugins/elementor-pro/assets/js/frontend.min.js?ver=3.16.1, https://asec.ahnlab.com/wp-content/plugins/elementor-pro/assets/js/preloaded-elements-handlers.min.js?m=1709594534, https://asec.ahnlab.com/wp-content/plugins/elementor-pro/modules/lottie/assets/animations/default.json, https://asec.ahnlab.com/wp-json/, https://avatars.githubusercontent.com/u/145487845?v=4, https://discordapp.com/api/v*/auth/sessions, https://*.discord.com/api/v*/auth/sessions, https://discord.com/api/v*/auth/sessions, https://i.ibb.co/GJGXzGX/discord-avatar-512-FCWUJ.png, https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1, https://raw.githubusercontent.com/hackirby/discord-injection/main/injection.js, http://webhook.site/REDACTED, hxxp://134.122.38.84/dl, hxxp://134.122.38.84/ex, hxxp://149.28.78.189:42306, hxxp://149.28.78.189:42306/dll.txt, hxxp://149.28.78.189:42306/exe.txt, hxxp://149.28.78.189:42306/tmp.txt, hxxps://royal-boat-bf05.qgtxtebl.workers.dev/v3.msi, hxxps://webhook.site/0f20cd3b-e570-4205-8049-c37627af0f5c, hxxps://webhook.site/7b483bdd-5134-4671-b9cd-310800303f32, hxxp://webhook.site/22b6b8c8-2e07-4878-a681-b772e569aa6a, hxxp://webhook.site/5771a289-0b13-4ee7-902a-21147cac31ef, hxxp://webhook.site/94f6da9d-b785-461b-bc5e-bbce7acaa35c, hxxp://yogswgeacbepthpjozvsf8frv90962ejy.oast.fun/check, wss://remote-auth-gateway.discord.gg/* Attacker Hashes: 27e00b5594530e8c5e004098eef2ec50, 3ebeb4e08c82b220365b1e7dd0cc199b765eed91, 564e7d39a9b6da3cf0da3373351ac717, 85b935e80e84dd47e0fa5e1dfb2c16f4, 9d686ceed21877821ab6170a348cc073, a0f65fcd3b22eb8b49b2a60e1a7dd31c, f7d8c52bec79e42795cf15888b85cbad Victim Industries: Aerospace, Construction, Critical Manufacturing, Education, Energy, Financial Services, Government, Healthcare, Health Care Technology, Information, Information and Communication, Information Technology, Logistics, Manufacturing, Multimedia, Public Health, Public Safety, Retail, Software, Technology Hardware, Telecommunications, Transportation, Utilities Victim Countries: Afghanistan, Germany, Malaysia, Netherlands, Pakistan, Taiwan, United States Mitigation Advice Immediately apply the security update for CVE-2025-59287 to all Windows Servers running the WSUS service. Create rules on the perimeter firewall to block all inbound and outbound traffic to IP addresses 154.17.26.41 and 163.61.102.245. Configure host-based and network firewalls to restrict inbound access to WSUS servers on TCP ports 8530 and 8531, allowing connections only from required Microsoft Update IP ranges. Use your EDR solution or other endpoint scanning tools to conduct a targeted search across all servers for the files `ETDApix.dll` and `0C137A80.tmp`. In your SIEM or EDR, search for executions of `curl.exe` or `certutil.exe` on WSUS servers that are followed by the creation of new executable files or services. Scan for any newly created scheduled tasks or system services on WSUS servers, paying special attention to any containing the identifier "Q-X64". Compliance Best Practices Review and re-architect network segmentation to ensure critical internal infrastructure like WSUS servers are not directly accessible from the internet and are isolated from general user subnets. Develop and deploy advanced EDR and SIEM detection rules to alert on anomalous use of built-in Windows utilities (e.g., `powershell.exe`, `certutil.exe`, `curl.exe`), especially when initiated by web server processes like w3wp.exe. Plan and implement an application control solution, such as Windows Defender Application Control (WDAC), on critical servers to restrict executable and script execution to only known, authorized software. Formalize and resource a vulnerability management program that prioritizes patching based on threat intelligence and mandates strict SLAs for critical vulnerabilities on high-value assets. Implement TLS/SSL inspection on network egress points to enable detection of malicious C2 communications hiding within encrypted web traffic. GlobalProtect VPN Portals Probed with 2.3 Million Scan Sessions Malicious scanning activity targeting Palo Alto Networks GlobalProtect VPN login portals increased 40 times within 24 hours, starting November 14, 2025, signaling a coordinated campaign. Real-time intelligence company GreyNoise observed 2.3 million scan sessions between November 14 and 19, specifically probing the `*/global-protect/login.esp` URI, which is the web endpoint for VPN user authentication. This surge follows previous spikes reported by GreyNoise in April and October 2025, with the current activity linked to earlier campaigns through recurring TCP/JA4t fingerprints and shared Autonomous System Numbers (ASNs), primarily AS200373 (3xK Tech GmbH) with IPs largely from Germany and Canada, and AS208885 (Noyobzoda Faridduni Saidilhom). Login attempts are predominantly directed at the United States, Mexico, and Pakistan. GreyNoise highlights that these scanning spikes often precede the disclosure of new security flaws, a correlation particularly strong for Palo Alto Networks products, noting past incidents like the active exploitation of CVE-2025-0108 (chained with CVE-2025-0111 and CVE-2024-9474) in February and a data breach in September. Severity: Critical Sources https://cyberpress.org/2-3-million-attacks-hit-palo-alto-networks-globalprotect-vpn-portals/ https://www.bleepingcomputer.com/news/security/globalprotect-vpn-portals-probed-with-23-million-scan-sessions/ https://www.securitylab.ru/news/566393.php Threat Details and IOCs Malware: Alureon, CryptoDefense, CryptoLocker, CryptorBit, HowDecrypt, Locky, Lukitus, MS Juan, Odin, TDL-4, TDSS, Thor, Tidserv, Virtumonde, Vundo, Zepto CVEs: CVE-2024-9474, CVE-2025-0108, CVE-2025-0111, CVE-2025-0140, CVE-2025-0141, CVE-2025-2183 Technologies: Apple macOS, Linux, Microsoft Windows, Palo Alto Networks Threat Actors: ShinyHunters Attacker Countries: Canada, Germany Attacker URLs: /global-protect/login.esp Victim Industries: Automotive, Business Services, Education, Financial Services, Government, Healthcare, Industrial Control Systems, Information Technology, Manufacturing, Oil & Gas, Public Sector, Retail, Transportation, Utilities Victim Countries: Mexico, Pakistan, United States Mitigation Advice Verify that all Palo Alto Networks PAN-OS devices are patched against vulnerabilities CVE-2025-0108, CVE-2025-0111, and CVE-2024-9474. Query firewall, VPN, and web proxy logs for inbound connection attempts to the URI path containing '/global-protect/login.esp' to identify potential targeting. Implement firewall rules to block all inbound traffic from Autonomous System Numbers AS200373 and AS208885. Compliance Best Practices Reconfigure network architecture to ensure the Palo Alto Networks GlobalProtect management interface is not exposed to the public internet and is only accessible from a trusted internal network segment. Configure SIEM or other log monitoring tools to establish a baseline for normal traffic to the GlobalProtect VPN portal and create alerts for significant deviations or anomalous increases in login attempts. Establish a comprehensive vulnerability management program that includes regular, authenticated scanning of all internet-facing infrastructure and defines service-level agreements (SLAs) for patching critical vulnerabilities. Active Exploitation of Oracle Identity Manager CVE-2025-61757 Observed in September Active exploitation attempts for CVE-2025-61757, an Oracle Identity Manager vulnerability, were observed between August 30th and September 9th, preceding Oracle's patch release on October 21st as part of their Critical Patch Update. This vulnerability, initially reported by Searchlight Cyber, enables authentication bypass and potential remote code execution by appending `;.wadl` to URLs, exemplified by `/iam/governance/applicationmanagement/templates;.wadl`. Logs indicate scans targeting `/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl` via POST requests containing a 556-byte payload. Multiple IP addresses (89.238.132.76, 185.245.82.81, 138.199.29.153) were involved, all using the consistent User Agent: `Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36`. These same IP addresses were also noted scanning for CVE-2025-4581 (Liferay Portal), bug bounty targets, and Log4j exploits. Severity: Critical Sources https://buaq.net/go-377039.html https://isc.sans.edu/diary/rss/32506 https://www.securityweek.com/critical-oracle-identity-manager-flaw-possibly-exploited-as-zero-day/ Threat Details and IOCs Malware: Aisuru, BadAudio, Sturnus, TurboMirai CVEs: CVE-2025-4581, CVE-2025-61757 Technologies: Oracle Fusion Middleware, Oracle Identity Manager Attacker IPs: 138.199.29.153, 185.245.82.81, 89.238.132.76 Attacker URLs: /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl, /iam/governance/applicationmanagement/templates;.wadl, /o/portal-settings-authentication-opensso-web/com.liferay.portal.settings.web/test_opensso.jsp Victim Industries: Construction & Real Estate, Defense, Financial Services, Government, Hospitality, Information Security, Information Technology, Insurance, Internet & Cloud Services, Life Sciences, Managed Service Providers, Professional Services, Technology Hardware Victim Countries: United Kingdom, United States Mitigation Advice Immediately apply the October Critical Patch Update to all Oracle Identity Manager instances to patch CVE-2025-61757. Add the IP addresses 89.238.132.76, 185.245.82.81, and 138.199.29.153 to your firewall's blocklist. Create a rule in your WAF or IDS/IPS to detect and block any HTTP requests containing the string ';.wadl' in the URL path. Query web server logs and SIEM data for requests containing ';.wadl' in the URL or matching the User-Agent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36' to identify potential past or current malicious activity. Compliance Best Practices Establish or enhance a formal vulnerability management program that includes regular scanning, risk assessment, and a defined service-level agreement (SLA) for applying critical security patches. Review and harden Web Application Firewall (WAF) policies to block anomalous URL patterns, such as the use of semicolons for path parameter manipulation, to provide a generic defense against similar authentication bypass techniques. Enhance logging capabilities for critical web applications to capture and retain full HTTP request bodies, especially for POST requests, to improve future incident response and forensic analysis. Implement network segmentation to isolate internet-facing application servers, like Oracle Identity Manager, from internal corporate and database networks to limit the blast radius of a potential compromise.HTTP Request Smuggling Using Chunk Extensions (CVE-2025-55315)
Executive Summary HTTP request smuggling remains one of the nastier protocol-level surprises: it happens when different components in the HTTP chain disagree about where one request ends and the next begins. A recent, high-visibility ASP.NET Core disclosure brought one particular flavor of this problem into the spotlight: attackers abusing chunk extensions in chunked transfer encoding to craft ambiguous request boundaries. The vulnerability was assigned a very high severity (CVSS 9.9) by Microsoft, their highest for ASP.NET Core to date. This article explains what chunk extensions are, why they can be abused for smuggling, how the recent ASP.NET Core issue fits into the bigger picture, and what defenders, implementers, and F5 customers should consider: particularly regarding HTTP normalization, compliance settings, and protection coverage across F5 Advanced WAF, NGINX App Protect, and Distributed Cloud. Background: What Are Chunk Extensions? In HTTP/1.1, chunked transfer encoding (via Transfer-Encoding: chunked) allows the body of a message to be sent in a sequence of chunks, each preceded by its size in hex, terminated by a zero-length chunk. The specification also allows chunk extensions to be appended after the chunk length, e.g.: In theory, chunk extensions were meant for metadata or transfer-layer options: for example, integrity checks or special directives. But in practice, they’re almost never used by legitimate clients or servers: many HTTP libraries ignore or inconsistently handle them, and this inconsistency across intermediaries (proxies and servers) can serve as a source of request smuggling vulnerabilities. But if a lot of servers and proxies ignore it, why would that even be an issue? Let’s see. Root Cause Analysis for CVE-2025-55315 The CVE description reads: “Inconsistent interpretation of HTTP requests (‘HTTP request/response smuggling’) in ASP.NET Core allows an authorized attacker to bypass a security feature over a network.” Examining the GitHub commit reveals a relatively straightforward fix. In essence, the patch adjusts the chunk-extension parser to correctly handle \r\n line endings and to throw an error if either \r or \n appears unpaired. Additionally, a new flag was introduced for backward compatibility. As expected, the vulnerable logic resides in the ParseExtension function. The new InsecureChunkedParsing flag preserves legacy behavior - but it must be explicitly enabled, since that mode reflects the prior (and now considered insecure) implementation. Previously, the parser looked only for the carriage return (\r) character to determine the end of a line. In the updated implementation, it now checks for either a line feed (\n) or a carriage return (\r). Next, we encounter the following condition: The syntax may look a bit dense, but the logic is straightforward. In short, they retained the old insecure behavior when the InsecureChunkedParsing flag is enabled, which is checking the presence of \n only after encountering \r . This is problematic because it allows injecting a single \r or \n inside the chunk extension. In depth, the vulnerable condition, suffixSpan[1] == ByteLF, mirrors the old behavior - it verifies that the second character is \n. We reach this part only if we previously saw \r. The new condition validates that the last two characters of the chunk extension are \r\n. Remember that in the new version, we reach this part when encountering either \r or \n. The fixed condition ensures that if an attacker tries to inject a single \r or \n somewhere within the chunk extension, the check will fail - the condition will evaluate to false. When that happens, and if the backward-compatibility flag is not enabled, the parser throws an exception: Bad chunk extension. And what happened before the patch if the character following \r wasn’t \n? They simply continued parsing, making the following characters part of the chunk extension. That means that a chunk extension could include line terminator characters. The attack affecting unpatched ASP.NET Core applications is HTTP request smuggling via chunk extensions, a technique explained clearly and in depth in this article, which we’ll briefly summarize in this post. Request smuggling using chunk extensions variants Before diving into the different chunk-extension smuggling variants, it’s worth recalling the classic Content-Length / Transfer-Encoding (CL.TE and TE.CL) request smuggling techniques. These rely on discrepancies between how proxies and back-end servers interpret message boundaries: one trusts the Content-Length, the other trusts Transfer-Encoding, allowing attackers to sneak an extra request inside a single HTTP message. If you’re not familiar with CL.TE and TE.CL and other variants, this article gives an excellent overview of how these desync vulnerabilities work in practice. TERM.EXT (terminator - extension mismatch): The proxy treats a line terminator (usually \n) inside a chunk extension as the end of the chunk header, while the backend treats the same bytes as part of the extension. EXT.TERM (extension - terminator mismatch) The proxy treats only \r\n sequence as the end of the chunk header, while the backend treats the line terminator character inside the chunk extension as the end of the chunk header. The ASP.NET Core issue Previously, ASP.NET Core allowed lone \r or \n characters to appear within a chunk extension if the line ended with \r\n, placing it in the EXT category. If a proxy ahead has TERM behavior (treating \n as line end), their parsing mismatch can enable request smuggling. The figure shows an example malicious request that exploits this parsing mismatch. The proxy treats a lone \n as the end of the chunk extension. As a result, the bytes xx become the start of the body and 47 is interpreted as the size of the following chunk. If the proxy forwards the request unchanged (i.e., it does not strip the extension), those next chunks can effectively carry a second, smuggled request destined for an internal endpoint that the proxy would normally block. When Kestrel (the ASP.NET Core backend) receives that same raw stream, it enforces a strict \r\n terminator for extensions. Because the backend searches specifically for the \r\n sequence, it parses the received stream differently - splitting the forwarded data into two requests (the extension content, 2;\nxx is treated as a chunk header + chunk body). The end result: a GET /admin request can reach the backend, even though the proxy would have blocked such a request if it had been observed as a separate, external request. F5 WAF Protections NGINX App Protect and F5 Distributed Cloud NGINX App Protect and F5 Distributed Cloud (XC) normalize incoming HTTP requests and do not support chunk extensions. This means that any request arriving at NAP or XC with chunk extensions will have those extensions removed before being forwarded to the backend server. As a result, both NAP and XC are inherently protected against this class of chunk-extension smuggling attacks by design. To illustrate this, let’s revisit the example from the referenced article. NGINX, which treats a lone \n as a valid line terminator, falls under the TERM category. When this request is sent through NAP, it is parsed and normalized accordingly - effectively split into two separate requests: What does this mean? NAP does not forward the request the same as it arrived. It normalizes the message by stripping out any chunk extensions, replacing the Transfer-Encoding header with a Content-Length, and ensuring the body is parsed deterministically - leaving no room for ambiguity or smuggling. If a proxy precedes NAP and interprets the traffic as a single request, NAP will safely split and sanitize it. F5 Distributed Cloud (XC) doesn’t treat lone \n as line terminators and also discards chunk extensions entirely. Advanced WAF Advanced WAF does not support chunk extensions. Requests containing a chunk header that is too long (more than 10 bytes) are treated as unparsable and trigger an HTTP compliance violation. To improve detection, we’ve released a new attack signature, “ASP.NET Core Request Smuggling - 200020232", which helps identify and block malicious attempts that rely on chunk extensions. Conclusions HTTP request smuggling via chunk extensions remains a very real threat, even in modern stacks. The disclosure of CVE-2025-55315 in the Kestrel web server underlines this: a seemingly small parsing difference (how \r, \n, and \r\n are treated in chunk extensions) can allow an attacker to conceal a second request within a legitimate one, enabling account takeover, code injection, SSRF, and many other severe attacks. This case offers a great reminder: don’t assume that because “nobody uses chunk extensions” they cannot be weaponized. And of course - use HTTP/2. Its binary framing model eliminates chunked encoding altogether, removing the ambiguity that makes these attacks possible in HTTP/1.1.
