ALERTS DECEMBER 2025




DATE | CATEGORY / SUBCATEGORY | NAME
INFO (on the line following each entry)

25.12.25 | ALERTS / VIRUS | Mamont Malware Shifts from Fake Stores to SMS & Chats
A recent report highlights Mamont Android banking malware activity in 2025, showing a surge in attacks targeting Russian banks' customers. The infection vector has shifted from fake app stores to direct phishing delivery, with malicious APKs distributed via SMS and popular messenger groups, often relayed from already compromised devices.

25.12.25 | ALERTS / GROUP | Pytric and Rustric implants leveraged in UNG0801 malicious operations
A new malicious activity attributed to a persistent threat cluster designated as UNG0801 (aka Operation IconCat) has been reported in the wild. The campaign specifically targets Israeli enterprise environments. The attackers employ sophisticated social engineering techniques, utilizing Hebrew-language phishing lures that mimic internal corporate communications.

25.12.25 | ALERTS / VIRUS | MacSync Stealer malware
Jamf Threat Labs has identified an updated variant of the MacSync Stealer malware that leverages code-signed binaries able to deliver the malicious payloads without user interaction. To evade detection, the attackers also inflate the malicious application bundle to over 25 MB using decoy PDFs and employ a Swift-based helper to execute the malicious scripts.

25.12.25 | ALERTS / VULNERABILITY | CVE-2025-34392 - Barracuda Service Center absolute path traversal vulnerability
CVE-2025-34392 is a recently disclosed critical (CVSS score 10.0) absolute path traversal vulnerability affecting Barracuda Service Center, which is a web-based management console for Barracuda Managed Workplace (RMM). If successfully exploited, the flaw might allow unauthorized attackers to perform arbitrary file write operations and remote code execution via malicious webshell upload.

25.12.25 | ALERTS / CAMPAIGN | Paper Werewolf campaign delivering EchoGather malware
Researchers from Intezer reported on a new malicious activity attributed to the Paper Werewolf threat group (aka GOFFEE). The attackers leverage XLL-based delivery techniques to distribute a custom backdoor dubbed EchoGather.

25.12.25 | ALERTS / VIRUS | Caminho and DCRAT malware variants leveraged by the Blind Eagle APT
Zscaler researchers identified a recent spear-phishing campaign attributed to the BlindEagle threat group that has been targeting Colombian institutions. The operation utilized phishing emails, a fake web portal, PowerShell scripts, steganography to hide payloads, and legitimate services like Discord to host arbitrary payloads.

25.12.25 | ALERTS / APT | AshTag malware distributed by the Ashen Lepus APT
Researchers from Palo Alto have detailed an evolving espionage campaign attributed to the Ashen Lepus APT group. This campaign has introduced a fully featured, modular .NET malware dubbed AshTag. The infection chain relies on social engineering and DLL side-loading performed by the AshenLoader malware.

25.12.25 | ALERTS / VIRUS | PyStoreRAT malware
A new sophisticated supply chain attack utilizing dormant GitHub accounts to distribute a previously undocumented malware dubbed PyStoreRAT has been reported in the wild.

25.12.25 | ALERTS / RANSOM | RansomHouse RaaS
RansomHouse is a Ransomware-as-a-Service (RaaS) operation attributed to the threat actor Jolly Scorpius. This group employs a double-extortion method, generating revenue through ransoming encrypted files and sensitive data, and primarily targets virtualized environments through their MrAgent and Mario components.

25.12.25 | ALERTS / VIRUS | SantaStealer - a new MaaS infostealer
Rapid7 Labs has identified a new infostealer variant dubbed SantaStealer, which is currently advertised on underground forums and offered for sale as a Malware-as-a-Service (MaaS) offering. Functionally, SantaStealer is designed to harvest sensitive data from browsers, including credentials, cookies, and credit card details.

25.12.25 | ALERTS / VIRUS | Frogblight mobile malware
Frogblight is a sophisticated Android banking malware operating under the Malware-as-a-Service model and specifically targeting Turkish users through a combination of banking theft and spyware capabilities. As reported by the researchers from Securelist, the malware spreads via social engineering, utilizing phishing SMS messages that falsely warn victims of pending court cases.

25.12.25 | ALERTS / VULNERABILITY | CVE-2025-6389 - WordPress Sneeit Framework plugin vulnerability under active exploitation
CVE-2025-6389 is a recently disclosed critical (CVSS score 9.8) Remote Code Execution (RCE) vulnerability affecting the Sneeit Framework plugin for WordPress.

25.12.25 | ALERTS / GROUP | Longlegs group attributed to multiple campaigns delivering ransomware
The Longlegs (aka Gold Salem, Storm-2603) threat actor group has established itself in early 2025 through the distribution of Warlock ransomware. The group gained notoriety in mid-2025 following exploitation of ToolShell, a collection of Microsoft SharePoint vulnerabilities.

25.12.25 | ALERTS / VULNERABILITY | CVE-2025-58360 - OSGeo GeoServer XML External Entity (XXE) vulnerability
CVE-2025-58360 is a recently disclosed critical (CVSS score 9.8) XML External Entity (XXE) vulnerability affecting GeoServer, which is an open-source software server written in Java that allows for editing and sharing of geospatial data. If successfully exploited, the flaw might allow an unauthenticated attacker to access arbitrary files from the server's file system or to conduct Server-Side Request Forgery (SSRF) attacks.

13.12.25 | ALERTS / VIRUS | UDPGangster backdoor deployments attributed to the Seedworm APT
UDPGangster is a sophisticated backdoor attributed to the Seedworm APT group (aka MuddyWater). This malware distinguishes itself by utilizing the User Datagram Protocol (UDP) for its command-and-control (C2) communications.

13.12.25 | ALERTS / RANSOM | Makop ransomware incorporates GuLoader in recently observed campaign
A recent campaign involving Makop ransomware has been observed, with over 50% of the targets attributed to Indian businesses. Researchers at Acronis have shared details of the campaign, which include:

13.12.25 | ALERTS / CAMPAIGN | Malspam campaign delivers Cobalt Strike to Russian orgs via maldocs and LNKs
Researchers have uncovered a financially motivated campaign dubbed "Operation FrostBeacon" that targets Russian enterprises. The actors run two parallel email-based infection chains: one uses archives with malicious LNK files disguised as PDFs, while the other weaponizes DOCX lures that exploit CVE-2017-0199 and then chain into CVE-2017-11882, with both paths converging on remote HTA execution.

13.12.25 | ALERTS / VIRUS | NANOREMOTE backdoor
Elastic Security Labs has uncovered NANOREMOTE, a sophisticated new Windows backdoor likely tied to the same espionage actor behind FINALDRAFT and REF7707, which blends remote command execution, discovery, and advanced file transfer capabilities.

13.12.25 | ALERTS / VIRUS | MetaRAT (PlugX Variant) Activity Observed Targeting Japan
Recent reporting warns that a China-linked threat actor is conducting a targeted campaign against Japanese companies in the maritime and logistics sectors. The group is exploiting vulnerabilities in ICS devices (CVE-2024-21893 / CVE-2024-21887) to gain initial access, before deploying new variants of PlugX, including MetaRAT and Talisman.

13.12.25 | ALERTS / VIRUS | DroidLock Android malware
DroidLock is a new mobile malware variant for Android discovered recently by the researchers from Zimperium. The malware is distributed disguised as legitimate apps and spread via phishing websites.

13.12.25 | ALERTS / VULNERABILITY | CVE-2025-44823 & CVE-2025-44824 - Nagios Log Server vulnerabilities
CVE-2025-44823 (CVSS score 9.9) and CVE-2025-44824 (CVSS score 8.5) are two vulnerabilities affecting Nagios Log Server that were disclosed back in October.

13.12.25 | ALERTS / APT | AdaptixC2 and Havoc tools among the updated arsenal of the Tomiris APT group
Researchers from Securelist reported on updated activities of the Advanced Persistent Threat (APT) group known as Tomiris. The threat actors have been increasingly relying on known public services like Telegram and Discord for command-and-control (C2) communications.

13.12.25 | ALERTS / CAMPAIGN | New campaign distributing ClayRAT mobile malware
Zimperium researchers have identified a new variant of the mobile malware known as ClayRAT. While the original malware focused on stealing SMS messages, call logs, and photos, this updated strain now exploits Android Accessibility Services in addition to default SMS privileges in an effort to gain deeper control over infected devices.

13.12.25 | ALERTS / VULNERABILITY | CVE-2025-9501 - W3 Total Cache WordPress plugin vulnerability
CVE-2025-9501 is a recently disclosed critical (CVSS score 9.0) pre-auth RCE vulnerability affecting the W3 Total Cache (W3TC) WordPress plugin.

13.12.25 | ALERTS / VIRUS | SeedSnatcher mobile malware
Researchers at Cyfirma have identified a new Android malware dubbed SeedSnatcher. Specifically designed to target cryptocurrency users, the malware is propagated through social channels like Telegram or WeChat.

13.12.25 | ALERTS / APT | Monarch APT delivers ValleyRAT malware via Microsoft Teams impersonation
ReliaQuest researchers have identified a campaign conducted by the Advanced Persistent Threat (APT) group known as Monarch (aka Silver Fox, Void Arachne).

13.12.25 | ALERTS / VIRUS | FvncBot mobile banking malware
FvncBot is a new Android banking trojan targeting Polish users that was recently discovered by the researchers from Intel471.

13.12.25 | ALERTS / RANSOM | DeadLock ransomware used vulnerable driver tactic in recent attacks
Exploitation of vulnerable drivers, known as Bring Your Own Vulnerable Driver (BYOVD), is a common tactic observed in attacks perpetrated by threat groups.

13.12.25 | ALERTS / VULNERABILITY | React2Shell flaw (CVE-2025-55182) exploited
According to reports, APT groups, including Earth Lamia and Jackpot Panda, began exploiting the newly disclosed React2Shell flaw (CVE-2025-55182) within hours of its publication, using both functional and broken public PoCs to scan the internet for vulnerable React Server Components and Next.js applications.

13.12.25 | ALERTS / VIRUS | JS#SMUGGLER
Researchers at Securonix recently published an article on a JavaScript loader known as JS#SMUGGLER, observed in multi-stage web-based malware campaigns.

13.12.25 | ALERTS / VIRUS | Shanya crypter
Ransomware attack groups use numerous tools to accomplish their goals, and a recently popular inclusion involves the Shanya crypter, a Packer-as-a-Service offering. Researchers at Sophos have published details of recently observed attacks in which Shanya-packed EDR Killer payloads were delivered.

5.12.25 | ALERTS / RANSOM | Benzona Ransomware
A new ransomware operation known as Benzona has surfaced, showing signs of rapid development and growing confidence. The malware encrypts victim files using the ".benzona" extension and drops a ransom note titled RECOVERY_INFO.txt, warning that sensitive data has already been exfiltrated. Victims are given a 72-hour deadline to negotiate via a Tor-based chat portal, with threats of data publication should they refuse.

5.12.25 | ALERTS / OPERATION | DupeRunner and AdaptixC2 malware deployed within the Operation DupeHike
The SEQRITE researchers have uncovered a targeted cyber espionage campaign dubbed Operation DupeHike. The campaign is focused on various sectors including HR, payroll, and administrative departments. The attack utilizes sophisticated social engineering tactics, deploying realistic decoy documents centered on employee financial bonuses to lure victims.

5.12.25 | ALERTS / VIRUS | Symbiote and BPFdoor Linux malware variants implement new eBPF filters
Symbiote and BPFdoor are two Linux malware strains known to utilize a Berkeley Packet Filter (BPF) packet sniffer to monitor network traffic and send packets only on existing open ports, bypassing firewall rules and network protections. As reported by researchers from Fortinet, both malware families have recently implemented new extended Berkeley Packet Filter (eBPF) filters within the distributed payloads.

5.12.25 | ALERTS / APT | Datebug APT deploys malware targeting BOSS Linux systems
The Pakistan-based advanced persistent threat (APT) group known as Datebug (aka APT36, Transparent Tribe, Storm-0156) is reported to be behind recent attacks targeting Indian government entities running Bharat Operating System Solutions (BOSS) Linux.

5.12.25 | ALERTS / VULNERABILITY | CVE-2025-61757 - Oracle Fusion Middleware vulnerability
CVE-2025-61757 is a recently disclosed critical (CVSS score 9.8) missing authentication vulnerability affecting the Identity Manager product of Oracle Fusion Middleware. If successfully exploited, the flaw might allow unauthenticated attackers with network access via HTTP to compromise Identity Manager, leading to takeover of the vulnerable Identity Manager instance by the threat actors.

5.12.25 | ALERTS / VULNERABILITY | CVE-2025-12480 - Gladinet Triofox vulnerability
CVE-2025-12480 is a recently disclosed critical (CVSS score 9.1) improper access control vulnerability affecting the Gladinet Triofox file server and storage solution. If successfully exploited, the flaw might allow unauthenticated remote attackers access to the vulnerable application's configuration pages and enable them to upload and execute arbitrary payloads.

5.12.25 | ALERTS / OPERATION | LotusHarvest malware deployed in Operation Hanoi Thief
SEQRITE Labs' researchers have identified "Operation Hanoi Thief," a malicious cyber campaign targeting IT professionals and HR recruiters in Vietnam. The campaign employs spear-phishing emails containing fake resumes to deliver malware used to steal confidential user data.

5.12.25 | ALERTS / VIRUS | Arkanix Stealer
Researchers at G DATA recently observed a new infostealer dubbed Arkanix. According to their findings, it was initially built in Python and distributed via Discord as a fake "utility," but it quickly evolved: a native C++ "premium" version now exists, complete with VMProtect obfuscation. Its capabilities are standard for commodity stealers.

5.12.25 | ALERTS / VIRUS | Albiriox mobile RAT
Albiriox is a new Android malware operating under a Malware-as-a-Service (MaaS) model, designed to facilitate on-device fraud, VNC-based remote control and overlay attacks. As reported by researchers from Cleafy, the malware spreads through social engineering, specifically targeting Austrian victims via fake applications distributed through SMS and WhatsApp lures.

5.12.25 | ALERTS / VULNERABILITY | CVE-2025-34299 - Monsta FTP vulnerability
CVE-2025-34299 is a recently disclosed critical (CVSS score 9.3) arbitrary file upload vulnerability affecting the Monsta FTP solution (version 2.11.2 and earlier). If successfully exploited, the flaw might allow unauthenticated remote attackers to perform arbitrary code execution by uploading a specially crafted file from malicious SFTP or FTP servers.