Cyber Security Week in Review: December 12, 2025

A new malware implant dubbed EtherRAT has been observed in active attacks exploiting the recently disclosed React2Shell vulnerability (CVE-2025-55182). The React2Shell flaw, a critical deserialization bug in the React Server Components Flight protocol, allows unauthenticated remote code execution via crafted HTTP requests. EtherRAT comes with a sophisticated mix of features, including blockchain-based command-and-control, multi-layered persistence, and a full Node.js runtime for evasion.

Since its public disclosure on December 3, 2025, React2Shell has been actively exploited by multiple threat actors for reconnaissance and to deploy various malware families. Observed payloads include cryptominers, the PeerBlight Linux backdoor, the CowTunnel reverse-proxy tunnel, the Go-based ZinFoq implant, and a Kaiji botnet variant.

Researchers report a surge in opportunistic attacks primarily targeting internet-exposed Next.js applications and containerized workloads in Kubernetes and managed cloud environments. Cloudflare notes that attackers are profiling potential victims by gathering application metadata, such as icon hashes, SSL certificate details, and regional identifiers, before exploiting the flaw. Alongside the React2Shell issue, two RSC-related vulnerabilities (CVE-2025-55183 and CVE-2025-55184) were also disclosed, both linked to RSC payload handling and Server Function behavior. The flaws are not related to React2Shell.

Hackers are actively exploiting a zero-day vulnerability in the popular self-hosted Git service Gogs. A symlink bypass (CVE-2025-8110) of a previously patched RCE (CVE-2024-55947) allows authenticated users to overwrite files outside the repository, leading to Remote Code Execution (RCE). Wiz researchers identified over 700 compromised internet-facing instances. As of now, a patch is not yet available.

Google has released a security update to fix yet another actively exploited Chrome zero-day vulnerability, marking the eighth such flaw patched since the beginning of the year. The company withheld technical details, including the CVE identifier, saying coordination is still underway.

Microsoft has rolled out its December 2025 Patch Tuesday updates, addressing over 50 security vulnerabilities, including one actively exploited zero-day and two publicly disclosed flaws. The actively exploited vulnerability is CVE-2025-62221 (Windows Cloud Files Mini Filter Driver Elevation of Privilege), a use-after-free issue that could allow an authorized attacker to gain SYSTEM-level privileges.

Fortinet and Ivanti have released security updates to address multiple critical and high-risk vulnerabilities that could enable attackers to bypass authentication mechanisms or execute malicious code on affected systems. Fortinet’s patches cover serious flaws in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager, stemming from improper verification of cryptographic signatures. Tracked as CVE-2025-59718 and CVE-2025-59719, the vulnerabilities could allow an unauthenticated attacker to bypass FortiCloud SSO login protections using a crafted SAML message.

Ivanti has issued fixes for four security issues in its Endpoint Manager (EPM) product, including a high-risk vulnerability (CVE-2025-10573) affecting the EPM core and remote consoles. The flaw, a stored cross-site scripting (XSS) issue, allows remote, unauthenticated attackers to run arbitrary JavaScript in an administrator’s browser session.

Notepad++ version 8.8.9 was released to address a security flaw in its WinGUp update tool, which had been exploited to deliver malicious executables. The update introduces stricter security measures by requiring signature and certificate verification for downloaded installers. If verification fails, the update process is stopped, according to the Notepad++ 8.8.9 security notice.
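The verify-before-run rule described in the Notepad++ notice (stop the update if the downloaded installer does not verify) is the whole defensive point, so here is an added illustration of it in Go. This is example code written for this page, not Notepad++ or WinGUp code: it pins a publisher Ed25519 key and checks a detached signature over the installer bytes, which is an assumed, simplified stand-in for the signature-plus-certificate checks the notice describes; the key pair, installer bytes and function names are all constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrBadSignature is returned whenever the downloaded installer cannot be
// tied to the pinned publisher key; the caller must abort the update on it.
var ErrBadSignature = errors.New("installer signature verification failed: update aborted")

// VerifyInstaller checks a detached Ed25519 signature over the SHA-256 digest
// of the downloaded installer bytes against the publisher's pinned public key.
// Hypothetical helper written for this example.
func VerifyInstaller(pub ed25519.PublicKey, installer, sig []byte) error {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return ErrBadSignature
	}
	digest := sha256.Sum256(installer)
	if !ed25519.Verify(pub, digest[:], sig) {
		return ErrBadSignature
	}
	return nil
}

// signInstaller models the publisher's release step: sign the digest of the
// installer with the private half of the pinned key (constructed for the demo).
func signInstaller(priv ed25519.PrivateKey, installer []byte) []byte {
	digest := sha256.Sum256(installer)
	return ed25519.Sign(priv, digest[:])
}

// RunUpdate models the updater flow: verification comes first, and the
// installer is only "run" when it passes. Returns true only when accepted.
func RunUpdate(pub ed25519.PublicKey, installer, sig []byte) (bool, error) {
	if err := VerifyInstaller(pub, installer, sig); err != nil {
		return false, err // a failed check stops the update, nothing is executed
	}
	// launching the installer would happen here
	return true, nil
}

// Demo builds a constructed key pair, a fake installer and a tampered copy of
// it, and reports whether each one is accepted by RunUpdate.
func Demo() (genuineOK bool, tamperedOK bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	installer := []byte("constructed placeholder installer bytes, not a real binary")
	sig := signInstaller(priv, installer)

	genuineOK, _ = RunUpdate(pub, installer, sig)

	// An attacker who swaps the download for a malicious executable cannot
	// produce a valid signature without the publisher's private key.
	tampered := append([]byte{}, installer...)
	tampered[0] ^= 0xff
	tamperedOK, _ = RunUpdate(pub, tampered, sig)
	return genuineOK, tamperedOK
}

func main() {
	genuine, tampered := Demo()
	fmt.Println("genuine installer accepted:", genuine)
	fmt.Println("tampered installer accepted:", tampered)
}
```

The design point is the ordering: the signature check is the first thing the updater does with the downloaded bytes, and a mismatch returns before any execution path is reached. A real updater would additionally validate the signing certificate chain and its trust anchor, as the Notepad++ notice describes; the pinned raw key here stands in for that step.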

Attackers are exploiting a previously undocumented cryptographic vulnerability in Gladinet’s CentreStack and Triofox that allows them to steal hardcoded keys and execute code remotely. Gladinet has urged customers to update to the November 29 release. Researchers at Huntress report at least nine organizations targeted, sometimes in combination with the older CVE-2025-30406 local file inclusion flaw.

The US Cybersecurity and Infrastructure Security Agency (CISA) added two actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. These are CVE-2025-6218, a path traversal flaw in WinRAR, and the OSGeo GeoServer XXE vulnerability (CVE-2025-58360).

MITRE has released its 2025 list of the top 25 most dangerous software weaknesses. While Cross-Site Scripting (CWE-79) remains at the top, Missing Authorization (CWE-862), Null Pointer Dereference (CWE-476), and Missing Authentication (CWE-306) saw the largest jumps in this year’s rankings.

An advanced persistent threat (APT) called WIRTE has been linked to attacks on government and diplomatic targets in the Middle East since 2020, using a previously unknown malware suite named AshTag. Palo Alto Networks’ Unit 42 tracks the activity as Ashen Lepus. VirusTotal artifacts suggest the group has expanded its operations to Oman and Morocco, in addition to previously targeted regions such as the Palestinian Authority, Jordan, Iraq, Saudi Arabia, and Egypt.

The Iranian state-linked hacking group MuddyWater has been observed using a new backdoor dubbed ‘UDPGangster,’ which leverages the User Datagram Protocol (UDP) for command-and-control communication, according to Fortinet FortiGuard Labs. The cyber-espionage activity has primarily targeted users in Turkey, Israel, and Azerbaijan. Researchers say the malware provides full remote control of infected systems, allowing attackers to run commands, steal files, and deploy additional payloads through stealthy UDP channels designed to bypass traditional network defenses.

A long-running cyber-espionage campaign orchestrated by a previously unknown threat actor dubbed ‘Warp Panda’ has been targeting VMware vCenter environments at US-based companies and deploying the Brickstorm malware. Researchers assess the threat actor is aligned with People’s Republic of China (PRC) strategic intelligence priorities.

Recorded Future’s Insikt Group reports that after being designated a terrorist organization in the UK in July 2025, Palestine Action has likely encouraged global affiliates to escalate attacks while avoiding operations in the UK. This strategy aims to pressure multinational targets without hindering legal challenges. The group’s network poses ongoing threats to facilities in Western Europe, North America, and Australia, targeting primarily defense contractors linked to Israel, as well as banks, insurers, and shipping companies. Common tactics include vandalism, facility obstruction, and sabotage. Recent UK arrests and the Israel-Hamas conflict have likely increased the frequency of militant actions.

Cybersecurity researchers have uncovered a new Windows backdoor named NANOREMOTE, which leverages the Google Drive API for command-and-control (C2) operations. It shares code similarities with FINALDRAFT (aka Squidoor), linked to the REF7707 threat group, which uses Microsoft Graph API for C2. NANOREMOTE enables stealthy data theft and payload staging through Google Drive, featuring a task management system that supports queuing, pausing, resuming, and canceling file transfers, as well as generating refresh tokens.

A new ransomware-style malware called Droidlock has been targeting Android devices. It can lock screens with a ransomware overlay, steal app lock credentials, and take full control of infected devices. Spreading through phishing websites, Droidlock tricks users with fake system update screens and can stream or remotely control devices via VNC.

A campaign dubbed ‘JS#SMUGGLER’ is using compromised websites to deliver the NetSupport remote access trojan (RAT). Researchers say the multi-stage attack chain consists of three core components: an obfuscated JavaScript loader injected into legitimate websites, an HTML Application (HTA) executed via mshta.exe, and an encrypted PowerShell payload that ultimately downloads and launches NetSupport RAT.

Multiple ransomware groups are adopting a packer-as-a-service platform known as Shanya to conceal and deploy payloads designed to disable endpoint detection and response (EDR) systems. Shanya, which emerged in late 2024, provides threat actors with a way to wrap their malware in highly customized, obfuscated code that bypasses most security tools. Its customers include ransomware operations such as Medusa, Qilin, Crytox, and Akira, with the latter appearing to be the most frequent user.

Two malicious Visual Studio Code (VSCode) extensions were discovered on Microsoft’s marketplace, infecting developers’ machines with powerful information-stealing malware capable of taking screenshots, harvesting credentials, stealing cryptocurrency wallets, and hijacking browser sessions.

A new technique targeting Perplexity’s Comet browser can turn an ordinary-looking email into a command that erases the contents of a user’s Google Drive. The zero-click exploit, dubbed ‘Zero Click Google Drive Wiper,’ leverages Comet’s ability to connect with services such as Gmail and Google Drive to automate everyday tasks. By granting the browser agent OAuth access, users allow it to read emails, browse files, and carry out organizational actions.

Portugal has updated its cybercrime legislation to formally protect ethical hackers who probe systems responsibly. The new provision exempts certain actions previously classified as illegal system access or data interception from criminal liability when performed strictly for the purpose of identifying vulnerabilities and strengthening cybersecurity.

The US Justice Department has announced two federal indictments against Ukrainian national Victoria Eduardovna Dubranova, 33, accusing her of helping Russian-backed hackers carry out damaging cyberattacks on critical infrastructure in the United States and around the world. Dubranova, aka “Vika,” “Tory,” and “SovaSonya,” was extradited to the United States earlier this year. She pleaded not guilty to all charges. Her trial in the NoName case is set for February 3, 2026, and her trial in the CARR case is scheduled for April 7, 2026.

A former Accenture product manager, Danielle Hillmer, has been charged by US authorities for repeatedly lying to government customers about her company’s cloud product meeting security requirements. Between March 2020 and November 2021, she allegedly concealed that Accenture’s platform failed to comply with Department of Defense and FedRAMP security standards, while instructing others to do the same. Hillmer also allegedly misled the US Army to secure a provisional authorization for the platform. She faces charges including wire fraud, major government fraud, and obstruction of a federal audit, carrying potential decades in prison.
