Cyber Security Week in Review: December 5, 2025

Microsoft reportedly patched a Windows Shortcut (LNK) file RCE flaw (CVE-2025-9491, also tracked as ZDI-CAN-25373) in its November 2025 Patch Tuesday updates. The vulnerability had been actively exploited since at least 2017. Trend Micro’s Zero Day Initiative reported in March 2025 that 11 state-sponsored groups from China, Iran, North Korea, and Russia had used the flaw in espionage, data theft, and financially motivated attacks. Although Microsoft initially said the issue did not warrant immediate patching, it has now addressed the problem.

Google’s December 2025 Android security bulletin fixes 107 vulnerabilities, including two high-severity flaws, CVE-2025-48633 (information disclosure) and CVE-2025-48572 (elevation of privilege). Both were actively exploited in targeted attacks and affect Android versions 13 through 16.

The React team has released patches for a critical vulnerability affecting React Server Components (RSC). Tracked as CVE-2025-55182 (React2Shell), the flaw stems from unsafe processing of serialized DOM elements and could allow remote code execution. The issue impacts React 19 as well as frameworks built on top of it, including Next.js versions 15 through 16. The vulnerability is already being targeted by Chinese threat actors. AWS security teams report that within hours of React2Shell’s public disclosure, they detected active exploitation attempts from multiple China-linked state-sponsored groups, including Earth Lamia and Jackpot Panda.

A command injection flaw in Array Networks AG Series secure access gateways has been actively exploited since August 2025 to deploy web shells, according to JPCERT/CC. The vulnerability, which has yet to receive a CVE identifier, resides in the DesktopDirect remote access feature. It affects ArrayOS versions 9.4.5.8 and earlier, and was fixed in version 9.4.5.9 on May 11, 2025. Administrators are urged to update as soon as possible. If patching isn’t possible, they should disable DesktopDirect and block URLs containing semicolons to reduce exposure.
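As an added example (not from the JPCERT/CC advisory and not Array Networks code), the following Python sketch shows the URL-level check behind the "block URLs containing semicolons" workaround, applied to access-log lines rather than live traffic so an administrator can first see what such a rule would catch. The log lines are constructed, and the paths in them are made up rather than real ArrayOS DesktopDirect paths.

```python
"""Flag access-log requests whose URL contains a semicolon.

Added example, not from the JPCERT/CC advisory and not Array Networks code.
It assumes an access log in the common/combined format used by most web
servers and reverse proxies; the sample lines below are constructed, and the
paths in them are made up rather than real ArrayOS DesktopDirect paths.
The check runs on the percent-decoded request target so that an encoded
semicolon (%3B) is caught as well as a literal one.
"""
import re
from urllib.parse import unquote

# client, ident, user, [timestamp], "METHOD target PROTOCOL", status, bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: two of the four requests carry a semicolon,
# one literal and one percent-encoded.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Dec/2025:08:15:02 +0000] "GET /portal/login HTTP/1.1" 200 1843
203.0.113.44 - - [01/Dec/2025:08:15:09 +0000] "GET /portal/login;x HTTP/1.1" 200 1843
203.0.113.44 - - [01/Dec/2025:08:15:11 +0000] "POST /portal/login?next=%2Fhome%3Bx HTTP/1.1" 302 0
198.51.100.9 - - [01/Dec/2025:08:16:30 +0000] "GET /static/app.css HTTP/1.1" 200 9120
"""


def decode_target(target: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so nested encoding like %253B is unwrapped."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def target_has_semicolon(target: str) -> bool:
    """True if the decoded request target contains a ';' anywhere (path or query)."""
    return ";" in decode_target(target)


def parse_line(line: str):
    """Parse one common/combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_requests(log_text: str) -> list:
    """Return parsed entries whose request target contains a semicolon."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and target_has_semicolon(entry["target"]):
            entry["decoded_target"] = decode_target(entry["target"])
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in flag_requests(SAMPLE_LOG):
        print(f'{e["ts"]} {e["client"]} {e["method"]} {e["decoded_target"]}')
```

The same decode-then-match logic is what a reverse proxy or WAF rule in front of the gateway would apply to live requests; running it over existing logs first shows which legitimate URLs (for example, matrix parameters such as `/path;jsessionid=...`) a blanket semicolon block would also catch, so hits should be reviewed before the rule is enforced.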

An OpenPLC ScadaBR flaw is being actively exploited in the wild. The vulnerability, tracked as CVE-2021-26829, is a cross-site scripting (XSS) flaw in the system_settings.shtm component that affects both the Windows and Linux versions of the industrial control software. It impacts OpenPLC ScadaBR through version 1.12.4 on Windows and through version 0.9.1 on Linux.

The Predator spyware, developed by surveillance firm Intellexa, has been found to use a previously unknown zero-click infection method called “Aladdin” that compromises targets when they view a malicious online advertisement. First deployed in 2024 and still believed to be active, Aladdin abuses commercial mobile advertising infrastructure to deliver the malware.

Cybersecurity authorities released a joint advisory on the China-linked Brickstorm malware targeting VMware vSphere servers. The attackers used Brickstorm to deploy hidden rogue virtual machines, steal VM snapshots, and extract credentials while evading detection through layered encryption (HTTPS, WebSockets, nested TLS), SOCKS tunneling, and DNS-over-HTTPS. The malware includes self-healing features to maintain persistence.

ClearSky Cyber Security has discovered a new destructive cyberattack targeting Ukrainian organizations with new malware. Dubbed “GamaWiper,” the malware is a VBS-based wiper designed to destroy data on infected systems. The intrusion chain begins with the exploitation of a vulnerable WinRAR version (CVE-2025-80880). It is currently unclear whether CVE-2025-80880 is a new vulnerability or simply a typo: the malware hash referenced in the post is present in the VirusTotal database and is linked to CVE-2025-6218 and CVE-2025-8088, both of which are remote code execution flaws in WinRAR. ClearSky assesses with moderate confidence that the activity is linked to the Gamaredon APT group, a Russia-aligned threat actor known primarily for espionage operations.

A report from Sekoia.io details a new wave of spear-phishing attacks by the Russian group Star Blizzard (also known as ColdRiver or Calisto), which is linked to Russia’s FSB Center 18. Between May and June 2025, at least two organizations, including Reporters Without Borders, were targeted. Researchers note that Star Blizzard has updated its credential-harvesting techniques, using impersonation and deceptive follow-up messages containing malicious links.

The UK government expanded its sanctions list to include Russia’s GRU military intelligence agency and several individuals linked to its operations in Europe. The move is tied to the 2018 poisoning of Sergei and Yulia Skripal in Salisbury. Targets include GRU Unit 29155 members Dmitriy Goloshubov and Denis Denisenko, involved in cyber and sabotage operations. Other sanctioned individuals are GRU Unit 26165 officers Boris Antonov, Pavel Yershov, and Nikolay Kozachek, linked to X-Agent malware and past cyberattacks, including attempts against French President Emmanuel Macron and the 2016 US Democratic Party hack.

A cyberespionage group linked to Iran has been targeting critical infrastructure in Israel and Egypt with a sophisticated phishing campaign that leverages spyware disguised as the classic Snake computer game. According to new findings from ESET, the threat actor known as MuddyWater, believed to be associated with Iran’s Ministry of Intelligence and Security, conducted the operation from September 2024 through March 2025. The group focused on organizations in Israel’s technology, engineering, local government, education, and manufacturing sectors.

A new malware campaign attributed to the Chinese Silver Fox APT has been observed combining multi-layered obfuscation, endpoint-security tampering, and kernel-level techniques. The campaign is delivered through repackaged installers for popular apps, including Telegram, WinSCP, Google Chrome, and Microsoft Teams. While the installers appear legitimate, the malware installs hidden components, deploys vulnerable drivers, disables defenses, and ultimately launches ValleyRat, a remote-access tool enabling long-term persistence.

Security researchers have exposed new tactics used by North Korean IT recruiters to lure software developers into renting out their identities in exchange for a cut of illicit earnings. The operation, linked to the infamous Chollima (also known as WageMole) subgroup of North Korea’s Lazarus organization, relies on social engineering, deepfake-assisted interviews, and compromised developer accounts to infiltrate Western companies.

Cloudflare says that over a three-month span, the Aisuru botnet carried out more than 1,300 DDoS attacks, including a record-setting strike peaking at 29.7 Tbps. Aisuru operates as a large botnet-for-hire, leveraging one to four million compromised routers and IoT devices using known vulnerabilities or weak-password brute-forcing to build its network.

Researchers at Barracuda have detailed a new GhostFrame phishing framework responsible for over one million attacks. Unlike typical phishing-as-a-service kits, it hides its malicious activity inside an iframe within an otherwise harmless-looking HTML file. This makes phishing pages appear legitimate while masking their true source and intent.
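As an added example (not Barracuda's detection code and not part of the GhostFrame kit), the following standard-library Python scanner looks for the structural tell described above: an iframe that is hidden, or that pulls its real content from somewhere else, inside an HTML attachment that otherwise looks harmless. The sample documents, hostnames and the `scan_html`/`iframe_reasons` function names are constructed for this example.

```python
"""Find iframes that hide their content inside an otherwise plain HTML file.

Added example: this is not Barracuda's detection logic and not GhostFrame
code. It uses only the standard library and flags an <iframe> when it is
visually hidden (CSS, zero/one-pixel size, the `hidden` attribute), carries
an inline document via srcdoc, or points at a data:/javascript: URI or at a
host other than the page's own. The two documents below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDING_DECLARATIONS = {("display", "none"), ("visibility", "hidden"), ("opacity", "0")}


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # valueless attributes (e.g. `hidden`) arrive as None; keep them as ""
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _style_hides(style: str) -> bool:
    """True if the inline style contains a declaration that makes the element invisible."""
    for decl in style.split(";"):
        if ":" not in decl:
            continue
        key, val = (part.strip().lower() for part in decl.split(":", 1))
        if (key, val) in HIDING_DECLARATIONS:
            return True
    return False


def iframe_reasons(attrs: dict, page_host: str = "") -> list:
    """Return the reasons this iframe looks like a hidden loader (empty list if none)."""
    reasons = []
    if _style_hides(attrs.get("style", "")):
        reasons.append("css-hidden")
    if "hidden" in attrs:
        reasons.append("hidden-attr")
    for dim in ("width", "height"):
        value = attrs.get(dim, "").strip().lower()
        if value.endswith("px"):
            value = value[:-2].strip()
        if value in ("0", "1"):
            reasons.append(f"{dim}={value}")
    if "srcdoc" in attrs:
        reasons.append("srcdoc")
    src = attrs.get("src", "").strip()
    if src:
        parsed = urlparse(src)
        scheme = parsed.scheme.lower()
        if scheme in ("data", "javascript"):
            reasons.append(f"{scheme}-uri")
        elif parsed.hostname and page_host and parsed.hostname != page_host.lower():
            reasons.append("external-src")
    return reasons


def scan_html(html_text: str, page_host: str = "") -> list:
    """Return one finding per suspicious iframe: {'src': ..., 'reasons': [...]}."""
    collector = IframeCollector()
    collector.feed(html_text)
    findings = []
    for attrs in collector.iframes:
        reasons = iframe_reasons(attrs, page_host)
        if reasons:
            findings.append({"src": attrs.get("src", ""), "reasons": reasons})
    return findings


# Constructed samples: a benign embedded viewer and a hidden-loader page.
BENIGN_HTML = """<html><body><h1>Invoice</h1>
<iframe src="https://example.com/viewer" width="600" height="400"></iframe>
</body></html>"""

SUSPICIOUS_HTML = """<html><body><p>Loading your document...</p>
<iframe src="https://login.phish.invalid/auth" width="0" height="0"
        style="display: none; border: 0"></iframe>
<iframe srcdoc="&lt;form action='https://phish.invalid/post'&gt;" hidden></iframe>
</body></html>"""

if __name__ == "__main__":
    print("benign:", scan_html(BENIGN_HTML, page_host="example.com"))
    for finding in scan_html(SUSPICIOUS_HTML, page_host="example.com"):
        print("suspicious:", finding)
```

The scanner is meant for HTML attachments held by a mail gateway or sandbox, where the file's own origin is known and passed as `page_host` so the external-source check has something to compare against. Hidden iframes also appear in legitimate tracking and embedding, so a hit is a triage signal to be paired with reputation or sandbox results rather than a verdict on its own.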

A third wave of the Glassworm supply-chain attack campaign has been observed, with researchers identifying 24 newly uploaded malicious packages on both the OpenVSX and Microsoft Visual Studio Code marketplaces.

The popular open-source SmartTube YouTube client for Android TV has been compromised after an attacker gained access to the developer’s signing keys. This resulted in malicious updates being distributed to users.

A years-long malware campaign dubbed “ShadyPanda” has compromised more than 4.3 million Chrome and Edge browsers through extensions that initially appeared to be legitimate tools. The operation ran in four phases that gradually transformed benign add-ons into powerful spyware.

A new Android malware dubbed ‘Albiriox’ is being offered as malware-as-a-service (MaaS). First spotted in late September 2025, the threat quickly evolved into a commercial service by October, advertising what its developers call a “full spectrum” of tools for on-device fraud (ODF), screen manipulation, and real-time device interaction.

A Europol-led international operation involving law enforcement agencies in Switzerland and Germany has dismantled Cryptomixer, an illicit cryptocurrency mixing service linked to cybercriminal operations and international money-laundering schemes. Authorities seized three servers in Switzerland, along with the platform’s domain, cryptomixer.io, effectively shutting down the service. Following the takedown, investigators recovered 12 terabytes of data and more than $29 million (over EUR 25 million) worth of Bitcoin.

Another international operation has dismantled a major cryptocurrency scam and money-laundering network that handled over EUR 700 million. The criminals ran fake crypto-investment sites and used call centers and misleading ads to pressure victims into sending more money. Police raids in Cyprus, Germany and Spain led to nine arrests and the seizure of millions in bank funds, cryptocurrency, cash and digital devices. A second phase targeted the marketing networks behind the scams, including companies using deceptive ads and deepfake videos.

Twin brothers Muneeb and Sohaib Akhter, 34, from Virginia have been arrested for allegedly hacking into US government systems and deleting around 96 federal databases. Prosecutors say the pair used their access as federal contractors to destroy FOIA-related records and sensitive investigative files shortly after being fired. Muneeb faces charges including aggravated identity theft and conspiracy, carrying a maximum sentence of 45 years. Sohaib faces conspiracy and computer-fraud charges, with a maximum of six years in prison.

South Korean police have arrested four people accused of hacking over 120,000 IP cameras in homes and businesses and selling the stolen footage to a foreign adult website. Authorities are also pursuing those who viewed or purchased the illicit material, arresting three buyers so far. The police said they are working to identify the website’s operators and shut down the platform.
