Welcome to your biweekly digest of curated cybersecurity intelligence.

Every two weeks, we bring you expert insights and handpicked articles covering the latest threats, threat actor activity, vulnerabilities, incident trends, and defensive strategies. Whether you’re on the front lines or shaping your organization’s security posture, Security Signals delivers the information you need to stay informed and ready.

For more articles, check out our #onpatrol4malware blog.

Turn Insights Into Action with Free Threat Intel

Security Signals gives you the insights, and our Risk Indicators OSINT feeds help you apply them.

This Edition’s Articles

Mid-December 2025 cyber threat reports highlight how rapidly evolving threats are colliding with geopolitics, cloud infrastructure, and everyday consumer tech. This roundup spans everything from React2Shell mass exploitation to new Android banking malware, Mirai botnets at sea, and fresh ransomware tooling targeting ESXi and EDR.

Investigating an AiTM Phishing Campaign Targeting M365 and Okta

Source: Datadog Security Labs
(Published: 10 December 2025)
Datadog researchers detail an adversary-in-the-middle phishing campaign designed to bypass MFA protections for Microsoft 365 and Okta users. Read more.


Share ChatGPT Chat ClickFix: macOS AMOS Infostealer

Source: Kaspersky
(Published: 9 December 2025)
Kaspersky researchers describe a macOS infostealer campaign abusing fake ChatGPT sharing prompts to trick users into executing malicious commands. Read more.


Detecting Mythic C2 in Network Traffic

Source: Kaspersky Securelist
(Published: 11 December 2025)
This research outlines techniques for identifying Mythic command-and-control traffic using network-level indicators and behavioral patterns. Read more.


IT, Geopolitics, and Cyber Risk: How Global Tensions Shape the Attack Surface

Source: Rapid7
(Published: 11 December 2025)
Rapid7 examines how geopolitical instability influences cyber operations, threat actor targeting, and organizational risk exposure. Read more.


CyberVolk Returns: Flawed VolkLocker Brings New Features With Growing Pains

Source: SentinelOne
(Published: 10 December 2025)
SentinelOne analyzes the reemergence of CyberVolk ransomware, highlighting technical flaws alongside newly added capabilities. Read more.


Cato CTRL: Deep Dive Into New JSCeal Infostealer Campaign

Source: Cato Networks
(Published: 11 December 2025)
Cato Networks investigates a new JSCeal infostealer campaign leveraging obfuscated JavaScript to harvest credentials at scale. Read more.


What Happens to Stolen Data After Phishing Attacks?

Source: Kaspersky Securelist
(Published: 12 December 2025)
This article examines how stolen credentials and personal data are monetized, resold, and reused following phishing attacks. Read more.


The Infostealer to APT Pipeline: How Lazarus Hijacked a Yemen Disinformation Network

Source: Infostealers.com
(Published: 12 December 2025)
Researchers describe how the Lazarus Group leveraged infostealer infrastructure to compromise and repurpose a Yemen-based disinformation network. Read more.


Hamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic Entities With New AshTag Malware Suite

Source: Unit 42 (Palo Alto Networks)
(Published: 11 December 2025)
Unit 42 researchers detail how Hamas-affiliated threat actor Ashen Lepus is using a new AshTag malware suite to target Middle Eastern diplomatic entities. Read more.


Apple fixes two zero-day flaws exploited in ‘sophisticated’ attacks

Source: BleepingComputer
(Published: 12 December 2025)
Apple has released emergency updates to patch two zero-day vulnerabilities that were exploited in an extremely sophisticated attack targeting specific individuals. Read more.


Operation MoneyMount-ISO – Deploying Phantom Stealer via ISO-Mounted Executables

Source: Seqrite
(Published: 12 December 2025)
Seqrite Labs documents Operation MoneyMount-ISO, a campaign that deploys the Phantom Stealer infostealer through executables delivered inside mounted ISO images. Read more.


Threats Behind the Mask of Gentlemen Ransomware

Source: ASEC
(Published: 11 December 2025)
ASEC researchers analyze threats hidden behind the so-called Gentlemen ransomware, including its infection vector, encryption behavior, and tactics for evading detection. Read more.


Evolution of Composite Cyber Threats: 2025 Analysis and 2026 Key Response Strategies

Source: Medium (@nshcthreatrecon)
(Published: 15 December 2025)
This long-form analysis explores how composite cyber threats evolved in 2025 and outlines key response strategies defenders should prioritize in 2026. Read more.


Free Micropatches for Windows Remote Access Connection Manager DoS

Source: 0patch
(Published: 11 December 2025)
0patch ships free micropatches for a Windows Remote Access Connection Manager zero-day that attackers can abuse to gain Local System privileges on vulnerable hosts. Read more.


Microsoft Teams to Introduce External Domains Anomalies Report for Enhanced Security

Source: Cybersecurity News
(Published: 11 December 2025)
Microsoft is adding an External Domains Anomalies report to Teams so administrators can spot unusual communication patterns with outside tenants and clamp down on risky connections. Read more.


New DroidLock Malware Locks Android Devices and Demands a Ransom

Source: Cybersecurity News
(Published: 11 December 2025)
Researchers warn that the DroidLock Android malware is being pushed via phishing sites, locking victims’ phones for ransom while also enabling attackers to take remote control. Read more.


Notepad++ Vulnerability Let Attackers Hijack Network Traffic to Install Malware via Updates

Source: Cybersecurity News
(Published: 11 December 2025)
A vulnerability in Notepad++ update traffic could allow threat actors to intercept requests on the network and deliver malicious payloads disguised as legitimate software updates. Read more.


Threat actors exploit React2Shell CVE-2025-55182

Source: Google Cloud Threat Intelligence
(Published: 12 December 2025)
Google Threat Intelligence details how multiple actors quickly weaponized the React2Shell (CVE-2025-55182) remote code execution flaw in React Server Components to gain initial access to internet-facing services. Read more.


How NoName05716 Uses DDoSia to Attack NATO Targets

Source: Picus Security
(Published: 14 December 2025)
Picus analyzes how the pro-Russian hacktivist group NoName05716 leverages its DDoSia platform to coordinate politically motivated DDoS attacks against NATO-aligned governments and organizations. Read more.


Frogblight threatens you with a court case: a new Android banker targets Turkish users

Source: Securelist
(Published: 15 December 2025)
Kaspersky describes Frogblight, an Android banking trojan distributed via smishing and fake government court case portals that steals banking credentials and can remotely control infected devices. Read more.


DDoS Threat Intelligence: Belgium, 15 Dec 2025

Source: SOCRadar
(Published: 15 December 2025)
SOCRadar details a DDoSia campaign by the pro-Russian group NoName05716 that generated thousands of DDoS attacks focusing on Belgium as well as Ukraine and other European targets between 8 and 14 December 2025. Read more.


Cyberattack on the Sun

Source: Cato Networks
(Published: 15 December 2025)
Cato Networks examines how insecure legacy protocols in solar power infrastructure could let attackers manipulate inverters at scale and cause widespread power disruption. Read more.


TR SantaStealer Is Coming to Town: A New, Ambitious Infostealer Advertised on Underground Forums

Source: Rapid7
(Published: 15 December 2025)
Rapid7 profiles SantaStealer, a new information-stealing malware-as-a-service offering on underground forums that targets browser, cryptocurrency wallet, and application credentials. Read more.


Phishing Kits: An Interactive Deep Dive

Source: Flare
(Published: 15 December 2025)
Flare takes an interactive look at modern phishing kits, showing how they bundle cloned login pages, evasion features, and automation to let low-skill actors harvest credentials at scale. Read more.


GhostPairing Attacks: from phone number to full access in WhatsApp

Source: Gen Digital
(Published: 15 December 2025)
Gen researchers describe GhostPairing, a WhatsApp account takeover technique in which attackers trick victims into pairing an attacker-controlled device without ever stealing their password. Read more.


16TB of MongoDB Database Exposes 4.3 Billion Lead Gen Records

Source: Hackread
(Published: 15 December 2025)
Hackread reports on an unsecured 16TB MongoDB instance left open online that exposed over 4.3 billion professional lead generation records containing extensive personal and business data. Read more.


BreachForums Reemerges, Admin Apologizes for Honeypot Confusion, Claims the Attack the French Govt Announced Impacting Over 16M Individuals

Source: TechNadu
(Published: 15 December 2025)
TechNadu covers BreachForums administrators resurfacing to deny being a law enforcement honeypot while claiming responsibility for a French government data breach affecting more than 16 million people. Read more.


Kimsuky Distributing Malicious Mobile App via QR Code

Source: Enki White Hat
(Published: 16 December 2025)
Enki’s White Hat team analyzes new DOCSWAP APK variants delivered via QR code phishing sites and attributes the campaign to the DPRK-aligned threat actor Kimsuky. Read more.


Inside Ink Dragon: Revealing the Relay Network and Inner Workings of a Stealthy Offensive Operation

Source: Check Point Research
(Published: 16 December 2025)
Check Point Research exposes the Chinese espionage actor Ink Dragon, showing how it turns compromised IIS servers into a ShadowPad-based relay mesh spanning government and telecom victims worldwide. Read more.


CastleRAT malware detection with Splunk and MITRE ATT&CK

Source: Splunk
(Published: 5 December 2025)
Splunk Threat Research shows how defenders can detect CastleRAT infections by mapping the malware’s behaviors to MITRE ATT&CK techniques and translating them into Splunk detections. Read more.


Hypervisor defenses against ransomware targeting ESXi

Source: Huntress
(Published: 8 December 2025)
Hypervisors are the backbone of modern virtualized environments, but when ransomware targets ESXi hosts the blast radius can quickly extend across an entire organization. Read more.


White Lynx uses CAPTCHA macros

Source: Unit 42 (Palo Alto Networks)
(Published: 8 December 2025)
This Unit 42 timely threat intel note documents a White Lynx phishing campaign that uses a CAPTCHA-themed Word macro to deliver malware and harvest victim credentials. Read more.


React2Shell exploitation escalates into mass attacks

Source: The Hacker News
(Published: 10 December 2025)
The Hacker News reports that a critical ReactPHP vulnerability dubbed React2Shell, tracked as CVE-2025-55182, is now being widely exploited to deploy web shells on vulnerable servers. Read more.


Windows PowerShell 0-day vulnerability allows attackers to execute malicious code

Source: Cybersecurity News
(Published: 10 December 2025)
Security researchers warn that a newly disclosed Windows PowerShell 0-day vulnerability could allow attackers to execute arbitrary code on Windows systems if it is abused by threat actors. Read more.


Fortinet FortiGate under active attack

Source: The Hacker News
(Published: 11 December 2025)
A critical flaw in Fortinet FortiOS and FortiProxy is being actively exploited, allowing attackers to bypass authentication on FortiGate devices and gain full control of vulnerable appliances. Read more.


NANOREMOTE, cousin of FINALDRAFT

Source: Elastic Security Labs
(Published: 11 December 2025)
In October 2025, Elastic Security Labs discovered a newly observed Windows backdoor in telemetry that they call NanoRemote, which closely resembles the FINALDRAFT implant. Read more.


Shanya emerges as top EDR-killing tool for ransomware gangs

Source: Techworm
(Published: 11 December 2025)
Techworm profiles Shanya, a new EDR-killing utility aggressively marketed to ransomware gangs for disabling security tools before encryption begins. Read more.


Intellexa leaks: Predator spyware operations exposed

Source: Amnesty International Security Lab
(Published: 11 December 2025)
Amnesty International’s Security Lab analyzes a large leak of Intellexa documents that exposes how the Predator spyware platform has been sold and deployed around the world. Read more.


Cracking ValleyRAT: from builder secrets to kernel rootkits

Source: Check Point Research
(Published: 12 December 2025)
Throughout 2025, Check Point Research tracked the evolution of ValleyRAT, following the malware from leaked builder tools to sophisticated kernel-level rootkits used in the wild. Read more.


Technical analysis of the BlackForce phishing kit

Source: Zscaler
(Published: 12 December 2025)
Zscaler ThreatLabz provides a technical deep dive into the BlackForce phishing-as-a-service kit, which automates Microsoft 365 credential theft using reverse proxy techniques and extensive anti-analysis features. Read more.


China-Nexus Cyber Threat Groups Rapidly Exploit React2Shell Vulnerability (CVE-2025-55182)

Source: AWS Security Blog
(Published: 4 December 2025)
Within hours of the React2Shell CVE-2025-55182 disclosure, Amazon threat intelligence teams observed multiple China-nexus actors attempting to exploit vulnerable Next.js applications at scale. Read more.


Advent of Configuration Extraction – Part 2: Unwrapping QuasarRAT’s Configuration

Source: Sekoia.io
(Published: 8 December 2025)
This second installment of the Advent of Configuration Extraction series shows how analysts can unpack QuasarRAT samples and extract their encrypted configuration from the .NET binary. Read more.


BYOVD Loader Deploys DeadLock Ransomware

Source: Talos Intelligence
(Published: 9 December 2025)
Cisco Talos details a new bring-your-own-vulnerable-driver (BYOVD) loader used to disable security products and deploy DeadLock ransomware in targeted attacks. Read more.


Cydome Identifies Broadside, a New Mirai Botnet Variant Targeting Maritime IoT

Source: Cydome
(Published: 3 December 2025)
Cydome researchers uncover Broadside, a Mirai-based botnet variant that abuses weakly secured maritime IoT devices to build a DDoS-capable fleet. Read more.


Malicious VSCode Extension Launches Multi-Stage Attack Chain with Anivia Loader and OctoRAT

Source: Hunt.io
(Published: 3 December 2025)
Hunt.io describes a malicious Visual Studio Code extension that delivers a multi-stage attack chain, ultimately deploying the Anivia loader and OctoRAT for persistent remote control. Read more.


SMS Phishers Pivot to Points, Taxes, Fake Retailers

Source: Krebs on Security
(Published: 4 December 2025)
Brian Krebs reports that China-based SMS phishing crews now sell phishing kits for mass-creating fake e-commerce sites that funnel victims’ card data into mobile wallets, alongside lures about tax refunds and rewards points. Read more.


OSINT Kitten: The Headquarters for Hacktivist Operations Against Israel

Source: Medium
(Published: 5 December 2025)
This investigation profiles OSINT Kitten as a coordination hub for hacktivist campaigns targeting Israel, outlining how propaganda, leaks, and operational chatter intersect on the platform. Read more.


Inside Shanya: A Packer-as-a-Service Fueling Modern Attacks

Source: Sophos News
(Published: 6 December 2025)
Sophos examines Shanya, a packer-as-a-service offering that ransomware groups increasingly use to obfuscate payloads, evade analysis, and extend the lifespan of their campaigns. Read more.


Nothing to Steal? Let’s Wipe. We Are Analyzing the Shai Hulud 2.0 npm Worm

Source: Securelist (Kaspersky)
(Published: 9 December 2025)
Kaspersky researchers dissect Shai Hulud 2.0, a destructive npm worm that abuses developer tooling and supply chain trust to spread and wipe systems instead of stealing data. Read more.


Cato CTRL: Weaponizing Claude Skills with MedusaLocker

Source: Cato Networks
(Published: 10 December 2025)
Cato Networks describes how red-teamers simulated an attack in which MedusaLocker operators combine LLM-powered automation with C2 infrastructure to accelerate discovery, lateral movement, and impact. Read more.


New eBPF Filters for Symbiote and BPFdoor Malware

Source: Fortinet
(Published: 9 December 2025)
Fortinet introduces new eBPF-based detection filters that help defenders identify and hunt for stealthy Linux threats such as Symbiote and BPFdoor in production environments. Read more.


UDPGangster Campaigns Target Multiple Countries

Source: Fortinet
(Published: 4 December 2025)
FortiGuard Labs reveals UDPGangster, a UDP-based backdoor linked to MuddyWater that is being used in campaigns against organizations across several Middle Eastern and neighboring states. Read more.


Investigating Indonesia’s Gambling Ecosystem: Indicators of National-Level Cyber Operations

Source: Malanta
(Published: 3 December 2025)
Malanta’s research team maps Indonesia’s online gambling infrastructure and highlights technical and behavioral indicators that could signal involvement by state-linked operators. Read more.


Deceptive Layoff-Themed HR Email Distributes Remcos RAT Malware

Source: Seqrite
(Published: 9 December 2025)
Seqrite analyzes phishing emails masquerading as layoff notifications that deliver a weaponized attachment used to install the Remcos remote access trojan. Read more.


Operation DupeHike: UNG0902 Targets Russian Employees with DupeRunner and AdaptixC2

Source: Seqrite
(Published: 3 December 2025)
This report documents Operation DupeHike, where the UNG0902 group uses phishing lures and custom malware families DupeRunner and AdaptixC2 to target employees in Russia. Read more.


Africa in the Crosshairs: Covert Influence, Cyber Operations, and the New Geopolitics

Source: Silobreaker
(Published: 9 December 2025)
Silobreaker explores how non-Western powers use information operations, cyber activity, and local partnerships to shape narratives and political outcomes across Africa. Read more.


AI-Automated Threat Hunting Brings GhostPenguin Out of the Shadows

Source: Trend Micro
(Published: 8 December 2025)
Trend Micro introduces GhostPenguin, a previously undocumented Linux backdoor discovered through AI-assisted threat hunting and low-detection telemetry analysis. Read more.


Dangerous Invitations: Russian Threat Actor Spoofs European Security Events in Targeted Phishing Attacks

Source: Volexity
(Published: 4 December 2025)
Volexity details a campaign in which a Russian threat actor sends spoofed invitations to high-profile European security conferences to deliver malware to selected targets. Read more.


Attackers Actively Exploiting Critical Vulnerability in King Addons for Elementor Plugin

Source: Wordfence
(Published: 2 December 2025)
Wordfence warns that a critical privilege escalation flaw in the King Addons for Elementor plugin is under active exploitation, enabling unauthenticated attackers to gain admin access. Read more.


Technical Analysis of Matanbuchus 3.0

Source: Zscaler
(Published: 2 December 2025)
Zscaler ThreatLabz provides a deep technical dive into Matanbuchus 3.0, a C++ downloader malware-as-a-service that now plays a growing role in ransomware operations. Read more.


Want more articles? Check out the previous edition of Security Signals here. 


Take advantage of our free data evaluation.
