SonicWall warned that attackers are actively exploiting a vulnerability in its SMA1000 Appliance Management Console (CVE-2025-40602) to escalate privileges. The flaw was chained with a pre-authentication deserialization bug (CVE-2025-23006), enabling remote unauthenticated code execution with root privileges. SonicWall patched CVE-2025-23006 in January 2025.
Separately, Cisco disclosed an actively exploited critical flaw in AsyncOS (CVE-2025-20393) affecting certain Secure Email Gateway and Secure Email and Web Manager deployments, with attacks linked by Cisco Talos to the suspected Chinese threat group UAT-9686.
CISA has added a critical ASUS Live Update vulnerability (CVE-2025-59374) to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. The flaw stems from a supply chain compromise in which modified ASUS Live Update software contained embedded malicious code, enabling unintended actions on targeted devices. This issue is linked to the 2018–2019 Operation ShadowHammer supply chain campaign, when attackers breached ASUS servers and distributed compromised updates to select users.
WatchGuard has released security updates to fix a critical vulnerability in Fireware OS that has been actively exploited in the wild. The flaw, tracked as CVE-2025-14733, is an out-of-bounds write issue in the iked process. It could allow a remote, unauthenticated attacker to execute arbitrary code on affected devices.
The vulnerability impacts IKEv2-based Mobile User VPN and Branch Office VPN configurations using dynamic gateway peers. WatchGuard has issued fixes across multiple supported versions, including Fireware 2025.1.4, 12.11.6, 12.5.15, and 12.3.1 Update4, while 11.x versions are end-of-life and remain unpatched.
Interestingly, one of the IP addresses mentioned by WatchGuard among those involved in the exploitation was previously linked by cybersecurity firm Arctic Wolf to two recently disclosed security vulnerabilities in Fortinet FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager (CVE-2025-59718 and CVE-2025-59719).
Hewlett Packard Enterprise (HPE) has fixed a critical vulnerability (CVE-2025-37164) in its HPE OneView software that enables attackers to execute arbitrary code remotely. As there are no workarounds or mitigations for the issue, organizations are advised to patch vulnerable systems as soon as possible.
Google’s threat analysis team said that at least five Chinese state-sponsored threat groups have been seen exploiting the React2Shell flaw (CVE-2025-55182) to deploy various malware families, including the PeerBlight Linux backdoor, the CowTunnel reverse-proxy tunnel, the Go-based ZinFoq implant, and a Kaiji botnet variant. The exploitation of the vulnerability has also been observed in attacks delivering sophisticated malware families such as KSwapDoor and ZnDoor.
Incident responders in the Curated Intelligence community have spotted a new CLOP extortion campaign targeting Internet-facing CentreStack file servers. CLOP is believed to be exploiting an unknown vulnerability (n-day or zero-day). This activity matches CLOP’s usual behavior, where the group targets file transfer and file management systems to steal data and extort victims, similar to past attacks on Oracle EBS (CVE-2025-61882), Cleo FTP (CVE-2024-50623 and CVE-2024-55956), MOVEit (CVE-2023-34362), CrushFTP (CVE-2025-54309, CVE-2025-31161, CVE-2024-4040), SolarWinds Serv-U (CVE-2021-35211), PaperCut (CVE-2023-27350, CVE-2023-27351), and GoAnywhere (CVE-2023-0669).
Apple rolled out security updates for iOS, iPadOS, macOS, tvOS, watchOS, visionOS, and its Safari browser to fix two WebKit vulnerabilities that the company says have been exploited in the wild. One of the flaws is the same issue Google addressed last week in its Chrome browser. The first vulnerability, tracked as CVE-2025-43529, is a use-after-free bug in WebKit that could allow attackers to execute arbitrary code via maliciously crafted web content. The second, CVE-2025-14174, is a memory corruption issue that could also be exploited by specially crafted web pages.
Russian state-backed hackers conducted a months-long phishing campaign targeting users of UKR.NET, a major Ukrainian webmail and news service, to steal credentials and gather intelligence. Active from June 2024 to April 2025, the operation was attributed to BlueDelta (APT28/Fancy Bear). The group used free web services, including Mocky and DNS EXIT, as well as proxy tunneling platforms such as ngrok and Serveo, to collect usernames, passwords, and two-factor authentication codes.
A long-running Russian state-sponsored cyber campaign targeting critical infrastructure organizations across Western countries has shifted from exploiting software vulnerabilities to compromising misconfigured customer network edge devices. According to Amazon Threat Intelligence, the activity has been observed between 2021 and 2025 and has been attributed “with high confidence” to Russia’s Main Intelligence Directorate (GRU). Earlier campaigns exploited known vulnerabilities, including WatchGuard (CVE-2022-26318), Atlassian Confluence (CVE-2021-26084 and CVE-2023-22518), and a Veeam Backup & Replication issue tracked as CVE-2023-27532.
Danish intelligence officials have accused Russia of coordinating cyberattacks on Denmark’s critical infrastructure as part of broader hybrid warfare against Western countries. The Danish Defense Intelligence Service named two Russia-linked groups: Z-Pentest, linked to a water-utility attack, and NoName057(16), responsible for DDoS attacks ahead of Denmark’s local elections.
French intelligence is investigating a suspected foreign cyber operation after high-tech spyware was found on a ferry in Sète, southern France. Authorities said the spyware targeted the ship’s IT system, based on intelligence from Italy. Two crew members, Bulgarian and Latvian, were arrested. The Bulgarian has been released, while the Latvian remains in custody and faces charges of conspiring to breach a data system for a foreign power. Investigators seized a sophisticated remote access tool, with Russia suspected by some sources, though officials have not confirmed Moscow's involvement.
A new China-aligned hacker group, dubbed LongNosedGoblin by cybersecurity firm ESET, has been targeting government institutions in Southeast Asia and Japan since at least September 2023. The group has been observed abusing Windows Group Policy, a legitimate administrative tool, to spread malware and move within networks. Its main malware, called NosyHistorian, steals browser history to identify high-value victims, enabling further attacks using additional tools such as the NosyDoor backdoor.
Check Point Research has spotted and analyzed a new wave of cyber-espionage activity attributed to a Chinese threat actor known as Ink Dragon, a cluster overlapping with groups publicly tracked as Earth Alux, Jewelbug, REF7707, and CL-STA-0049. The group has previously targeted Southeast Asia and South America; however, the recent campaign shows an increasing focus on Europe.
Darktrace has linked a new variant of the BeaverTail information-stealer to North Korean cybercrime outfit Lazarus Group. The threat actor orchestrated a targeted malware campaign using fake job interviews to lure crypto developers and finance professionals. Victims were tricked into installing BeaverTail disguised as legitimate video conferencing tools like MiroTalk and FreeConference. Once installed, the malware stole browser credentials, credit card information, and cryptocurrency wallet keys, alongside related malware such as InvisibleFerret and OtterCookie.
Another North Korean threat actor known as Kimsuky has launched a campaign that distributes a new version of the DocSwap Android malware via QR codes hosted on phishing sites disguised as Seoul-based logistics firm CJ Logistics (formerly CJ Korea Express).
An automated campaign is targeting VPN platforms, including Palo Alto Networks GlobalProtect and Cisco SSL VPN, using stolen credentials. On December 11, GreyNoise reported 1.7 million login attempts over 16 hours, originating from over 10,000 IP addresses. The attacks focused on systems in the US, Mexico, and Pakistan.
Cybersecurity researchers have uncovered an active phishing campaign targeting a broad range of sectors in Russia, using malicious email attachments to deliver the Phantom Stealer malware. The operation, dubbed ‘Operation MoneyMount-ISO’ by Seqrite Labs, mainly targets finance and accounting organizations, with procurement, legal, and payroll departments also affected.
A pro-Russia hacktivist group known as CyberVolk has launched a new ransomware-as-a-service (RaaS) operation called VolkLocker, which, however, comes with serious implementation flaws that may allow victims to recover their data without paying a ransom. According to researchers at SentinelOne, VolkLocker’s encryptor relies on a hardcoded master key embedded directly in the malware binary, and the same key is written in plaintext to a hidden file on infected systems.
Security researchers have uncovered a new malware campaign dubbed “GhostPoster,” which hides malicious JavaScript code inside the image logos of Firefox browser extensions. The campaign involves at least 17 compromised Firefox extensions that use steganography to conceal a JavaScript loader within PNG logo files.
Zscaler ThreatLabz has discovered a new phishing kit dubbed ‘BlackForce,’ first observed in early August 2025. Researchers say the toolkit has appeared in at least five distinct versions and is actively marketed on Telegram for between €200 and €300. BlackForce is designed to steal user credentials and conduct Man-in-the-Browser (MitB) attacks, allowing attackers to capture one-time passwords and dynamically bypass multi-factor authentication (MFA) in real time.
A popular browser extension marketed as a free VPN has been secretly collecting and transmitting users’ conversations with major AI chat platforms, potentially affecting millions of people. According to new research from security firm Koi Security, the Chrome extension Urban VPN Proxy, which has more than 6 million users and carries a Google “Featured” badge, contains functionality that intercepts AI chat traffic and sends it to company-controlled servers. The activity allegedly occurs regardless of whether the VPN is switched on.
American authorities have seized the illicit crypto exchange and money mule network E-Note, and indicted Russian national Mykhalio Petrovich Chudnovets, who allegedly ran the operation since 2010. Authorities say E-Note laundered at least $70 million in illegal funds since 2017, much from ransomware attacks targeting US healthcare and critical infrastructure. Chudnovets allegedly provided a “cashout” service to convert cryptocurrency into cash and transfer it internationally. The takedown included confiscation of E-Note’s servers, mobile apps, and the e-note[.]com, e-note[.]ws, and jabb[.]mn websites.
Law enforcement agencies from across Europe have dismantled a major fraud operation based in Ukraine that is believed to have caused victims more than €10 million ($11.7 million) in losses.
Fifty-four individuals have been indicted in the US for participating in a conspiracy to deploy malware and commit ATM jackpotting fraud. The Venezuelan crime syndicate Tren de Aragua (TdA) is alleged to have used the scheme to steal millions in the US and launder the proceeds among members. The group developed a malware variant called Ploutus, which forced ATMs to dispense cash. Conspirators conducted reconnaissance on ATMs, then installed the malware by tampering with or replacing hard drives, or using external devices. The malware was designed to trigger unauthorized cash withdrawals and erase evidence to avoid detection. Stolen funds were divided among the conspirators according to prearranged shares.
French authorities have arrested 22-year-old hacker Melvin L., aka “SSRQM,” allegedly involved in a recent data breach of France’s Ministry of the Interior. The suspect could face up to ten years in prison. The breach reportedly involved sensitive data on millions of citizens, including personal information and potentially criminal records.