Amazon Threat Intelligence has reported on a years-long campaign, spanning 2021-2025, conducted by a Russian state-sponsored actor strongly assessed to be Sandworm (also known as APT44 and Seashell Blizzard), linked to the GRU.
The NCSC's cyber deception trials assessed whether defensive techniques like honeypots can help improve detection, observability, and threat hunting in real-world environments.
The JumpCloud Remote Assist for Windows agent is affected by a critical security flaw, tracked as CVE-2025-34352, which enables Local Privilege Escalation (LPE) and Denial-of-Service (DoS) attacks.
In December 2025, security researchers exposed a sophisticated, long-running cybercrime campaign conducted by the threat actor ShadyPanda, which conducted a browser extension supply-chain attack that infected over 4.3 million Chrome and Edge users.
Gentlemen is a new ransomware group that emerged around August 2025. Like any other ransomware operation, the gang operates a double extortion model, where it will exfiltrate data and encrypt systems to pressure victims into complying with ransom demands.
he React team has released fixes for two new types of flaws in React Server Components (RSC) that, if successfully exploited, could result in denial-of-service (DoS) or source code exposure.
On December 3, 2025, a critical unauthenticated remote code execution (RCE) vulnerability in React Server Components, tracked as CVE-2025-55182 (informally "React2Shell"), was publicly disclosed.
PyStoreRAT is an undocumented, multi-stage JavaScript Remote Access Trojan (RAT) primarily delivered through malicious GitHub repositories.
Campaigns observed in October and November 2025, tracked under the temporary intrusion set SHADOW-VOID-042, targeted several high-value sectors, including energy, defense, pharmaceuticals, and cybersecurity, according to Trend Micro.
Cybersecurity researchers have documented the return of CyberVolk, a pro-Russia hacktivist persona that has evolved into a Ransomware-as-a-Service (RaaS) provider following a period of dormancy in early 2025.
Cybersecurity researchers have documented the emergence of four sophisticated phishing kits, BlackForce, GhostFrame, InboxPrime AI, and Spiderman, designed to facilitate large-scale credential theft and bypass modern security perimeters.
Notepad++ recently addressed a security weakness in its update tool (WinGUp) after receiving word of several incidents wherein the updater was manipulated to download and run malicious executables instead of legitimate updates.
MITRE has shared this year's top 25 list of the most dangerous software weaknesses behind over 39,000 security vulnerabilities disclosed between June 2024 and June 2025.
Cybersecurity researchers have unveiled details of NANOREMOTE, a newly observed, full-featured Windows backdoor written in C++ without obfuscation that utilizes the Google Drive API for C2.
Cybersecurity researchers have unveiled details of NANOREMOTE, a newly observed, full-featured Windows backdoor written in C++ without obfuscation that utilizes the Google Drive API for C2.
Wiz Threat Research has identified and publicly disclosed a critical zero-day vulnerability, CVE-2025-8110 (CVSS: 8.7), actively being exploited in-the-wild against Gogs, a popular self-hosted Git service.
U.S. agencies warned critical infrastructure organizations this week of attacks launched by multiple Russian groups backed financially by the country's government.
Researchers at Push Security have uncovered details of a new browser-native phishing technique, dubbed “ConsentFix” that steals Oauth authorization codes by tricking users into copying and pasting a URL from a legitimate Microsoft login flow into an attack-controlled phishing page.
Operation FrostBeacon is a targeted, financially motivated cybercrime campaign identified by Seqrite Labs, focusing on B2B enterprises within the Russian Federation, specifically targeting finance and legal departments in sectors like logistics and industrial production.
The highly sophisticated threat activity, JS#SMUGGLER, is a multi-stage web-based malware campaign engineered for stealth and the delivery of NetSupport RAT. The chain begins with Stage 1, a heavily obfuscated JavaScript loader injected via silent redirects, which uses advanced obfuscation, device-aware branching, and local storage for first-visit tracking before fetching the next stage from rotating C2 domains.
The financially motivated threat activity cluster, tracked as CL-CRI-1036, centers on a new, multi-platform ransomware family named 01flip. This ransomware is notable for being entirely written in the modern Rust programming language, allowing for seamless cross-compilation targeting both Windows and Linux operating systems.
Fortinet has issued security updates to address two critical vulnerabilities, CVE-2025-59718 (FortiOS, FortiProxy, FortiSwitchManager) and CVE-2025-59719 (FortiWeb), that could allow threat actors to bypass FortiCloud SSO authentication.
As part of the Microsoft December Patch Tuesday, the vendor addressed 57 flaws, including three zero-days. Of the 57 flaws addressed, there were 28 Elevation of Privilege Vulnerabilities, 19 Remote Code Execution Vulnerabilities, 4 Information Disclosure Vulnerabilities, 3 Denial of Service Vulnerabilities, and 2 Spoofing Vulnerabilities.
Cisco Talos tracked new TTPs from a financially motivated threat actor that were utilized to deploy DeadLock ransomware on Windows machines. The key initial access technique involves a BYOVD attack using the legitimate but vulnerable Baidu Antivirus driver (disguised as DriverGay.sys) to exploit CVE-2024-51324.
Storm-0249 has evolved from relying on mass phishing to executing highly targeted, sophisticated post-exploitation tactics to facilitate ransomware attacks. This financially motivated actor now prioritizes stealth and persistence by weaponizing trusted enterprise components.
Insikt Group has rebranded the technically sophisticated threat actor TAG-150 as GrayBravo, confirming its operation of a Malware-as-a-Service (MaaS) ecosystem centered around the custom malware families CastleLoader, CastleBot, and the newly discovered CastleRAT (a remote access trojan with C and Python variants).
In April 2025, a China-linked threat group launched a campaign targeting Japanese shipping and transportation companies, using several variants of the PlugX remote access trojan (RAT).
North Korean state-sponsored actors have begun leveraging the critical React2Shell flaw (CVE-2025-55182) to deploy a new, highly sophisticated Linux malware called EtherRAT.
CrowdStrike researchers have identified a critical, high-level threat from the China-nexus adversary WARP PANDA, who is actively engaged in long-term, covert intelligence-collection operations primarily targeting VMware vCenter/ESXi and Microsoft Azure/365 environments at U.S.-based legal, technology, and manufacturing entities.
Shanya is packer-as-a-service that has been promoted on underground forums since late 2024. Under this model, cybercriminals can pay to have their malware re-packed and encrypted to avoid detection.
A campaign has been observed targeting publicly exposed security devices, namely Palo Alto Networks GlobalProtect portals and SonicWall SonicOS API endpoints, starting on December 2nd. According to GreyNoise, this large-scale reconnaissance originated from over 7,000 distinct IP addresses within the infrastructure of German hosting provider 3xK GmbH (AS200373).
According to a researcher named Rakesh Krishnan on X, LockBit 5.0 has accidently exposed some of their internal infrastructure. Specifically, the IP address 205[.]185[.]116[.]233 and the domain karma0[.]xyz are being used to host the ransomware group's latest data leak website.
Within hours of the React2Shell flaw (CVE-2025-55182) becoming public, China-linked threat actors began exploiting this pre-authentication Remote Code Execution (RCE) vulnerability. The flaw exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 across packages like react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack.
CastleRAT is a remote access trojan (RAT) that was first identified in March 2025. Two different variants of CastleRAT have been observed to date: one written in Python and another that is a C compiled version.
A command injection flaw in Array Networks AG Series gateways has been under exploitation since August 2025, according to a new advisory from JPCERT/CC. The flaw, which has yet to be assigned a CVE number, resides in the DesktopDirect function of the Array AG series, a feature that provides remote desktop access.
The Intellexa Leaks, a new joint investigation published by Inside Story, Haaretz, and the WAV Research Collective, with technical analysis from Amnesty International's Security Lab, has exposed the persistent global threat posed by the mercenary Predator spyware and its maker, Intellexa, despite the company and its executives being subjected to U.S. sanctions.
The GOLD BLADE threat group has undergone a significant strategic evolution, shifting from a primary focus on cyberespionage to operating as a hybrid operation that successfully blends data theft with selective ransomware deployment.
More details on the BRICKSTORM campaign emerge, as Chinese nexus adversaries were seen leveraging Managed Service Provider (MSP) credentials for initial access. The attackers' strategy focused on high-value, centralized management platforms, specifically VMware vCenter servers and Active Directory Federation Services (ADFS), in both Windows and VMware ESXi environments.
Microsoft has mitigated a high-severity Windows LNK vulnerability, CVE-2025-9491, which has been widely exploited as a zero-day by multiple state-sponsored groups (including Mustang Panda) and MaaS platforms, according to research from Trend Micro.
Barracuda's threat analysts first spotted the GhostFrame phishing kit in September 2025, and by December, the team had identified over a million attacks utilizing this novel and stealthy Phishing-as-a-Service (PhaaS) framework.
CyberProof Threat Hunters recently reviewed an MDR team alert that detailed a highly targeted and effective social engineering attack utilizing the Microsoft Teams "Chat with Anyone" feature for initial access.
Evilginx, an attacker-in-the-middle phishing toolkit, is increasingly being leveraged by actors to steal session cookies and bypass multi-factor authentication.
A long-running and increasingly sophisticated phishing operation is targeting Google Workspace and Facebook Business accounts, specifically those tied to business ad management. The campaign begins with highly tailored, multi-stage job-recruitment lures impersonating brands like LVMH, LEGO, Mastercard, and Uber, using Calendly-themed links to avoid email scanners.
Koi researchers uncovered a long-running threat actor known as ShadyPanda, responsible for a seven-year browser extension operation impacting 4.3 million Chrome and Edge users.
The ongoing GlassWorm supply chain attack, which began in mid-October 2025, resurfaced in late November with new packages that successfully infiltrated both the Microsoft VS Marketplace and Open VSX, introducing 24 malicious extensions, doubling the total extension count from when it was initially discovered.
GreyNoise Labs has released a free tool, GreyNoise IP Check, that allows users to quickly determine whether their IP address has been involved in malicious scanning operations, such as those associated with botnets and residential proxy networks.
The cybercriminal alliance known as Scattered LAPSUS$ Hunters (SLSH) has rapidly intensified its activity following a brief hiatus, marked by the creation of a new Telegram channel and several significant events since mid-November 2025.