Cyber OSINT Overview, Dec 1 - Dec 6, 2025 #
This brief consolidates key updates from 80+ sources, including government organizations, cybersecurity vendors, threat intelligence teams, security research labs, and blogs from cybersecurity communities and professionals. It highlights the most significant threats, vulnerabilities, and developments from the past week to keep you informed.
Most Discussed Topics #
- A critical remote code execution (RCE) vulnerability in React Server Components (RSC), tracked as CVE-2025-55182 (React) and CVE-2025-66478 (Next.js), is being actively exploited. The flaw, dubbed ‘React2Shell,’ carries a CVSS score of 10.0 and allows unauthenticated attackers to execute arbitrary code via unsafe deserialization in the Flight protocol. CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog following reports of exploitation by China-nexus threat groups Earth Lamia and Jackpot Panda. Millions of internet-facing services utilizing frameworks like Next.js, Waku, and RedwoodSDK are potentially exposed.
- gov cyber.gc.ca: React security advisory (AV25-804) – Update 1
- gov www.cert.at: React2Shell - Attacks against vulnerable applications based on React.JS and other frameworks
- news cyberscoop.com: Attackers hit React defect as researchers quibble over proof
- vendor arcticwolf.com: Critical Remote Code Execution Vulnerability Found in React Server Components
- vendor www.sysdig.com: Detecting React2Shell: The maximum-severity RCE Vulnerability affecting React Server Components and Next.js
- CISA, the NSA, and the Canadian Centre for Cyber Security released a joint advisory regarding ‘BRICKSTORM,’ a sophisticated backdoor malware used by PRC state-sponsored actors. The malware targets VMware vSphere and Windows environments to maintain long-term persistence in government and IT sectors. It features self-monitoring capabilities to reinstall itself if disrupted and uses complex encryption and DNS-over-HTTPS to evade detection. Victims include dozens of organizations, with some intrusions dating back to 2022.
- gov www.cisa.gov: PRC State-Sponsored Actors Use BRICKSTORM Malware Across Public Sector and Information Technology Systems
- gov www.cisa.gov: BRICKSTORM Backdoor
- news therecord.media: CISA, NSA warn of China’s BRICKSTORM malware after incident response efforts
- personal securityaffairs.com: BRICKSTORM backdoor exposed: CISA warns of advanced China-backed intrusions
- The security of AI agents and large language models (LLMs) is under scrutiny following new research on ‘PromptPwnd’ and ‘Claude Code’ exploitation. Attackers can inject malicious prompts into CI/CD pipelines (like GitHub Actions) to steal secrets or manipulate workflows. Additionally, researchers demonstrated how poetic prompts can bypass LLM guardrails, and how compromised MCP (Model Context Protocol) servers can hijack conversations or steal resources. This highlights the growing attack surface introduced by autonomous AI agents in development environments.
- news cyberscoop.com: More evidence your AI agents can be turned against you
- news thecyberexpress.com: Poetry Can Defeat LLM Guardrails Nearly Half the Time, Study Finds
- vendor unit42.paloaltonetworks.com: New Prompt Injection Attack Vectors Through MCP Sampling
- vendor www.tenable.com: Agentic AI Security: Keep Your Cyber Hygiene Failures from Becoming a Global Breach
Critical Vulnerabilities #
- A maximum severity vulnerability (CVSS 10.0) in React Server Components, CVE-2025-55182, allows unauthenticated remote code execution. The flaw exists in the ‘Flight’ protocol’s deserialization process and affects widely used frameworks like Next.js (tracked as CVE-2025-66478). CISA added this to the KEV catalog on December 5, 2025, due to active exploitation.
- gov cyber.gc.ca: AL25-018 - Vulnerability affecting React Server Components - CVE-2025-55182
- gov www.cisa.gov: CISA Adds One Known Exploited Vulnerability to Catalog
- Google patched 107 Android vulnerabilities in its December update, including two zero-days being actively exploited in the wild. CVE-2025-48633 and CVE-2025-48572 are high-severity flaws in the Android Framework involving information disclosure and privilege escalation, respectively. Attackers can exploit these issues to execute arbitrary code or access sensitive data.
- gov cyber.gc.ca: Android security advisory – December 2025 monthly rollup (AV25-799)
- vendor socradar.io: December 2025 Android Security Bulletin: Two Zero-Day Flaws Exploited
- Apache Tika contains a critical XML External Entity (XXE) vulnerability (CVE-2025-66516) with a CVSS score of 10.0. The flaw affects Tika core, parsers, and PDF modules, allowing attackers to compromise servers by uploading malicious PDF files containing crafted XFA data. This vulnerability expands on a previously reported issue (CVE-2025-54988).
- news gbhackers.com: Apache Tika Core Flaw Allows Attackers to Exploit Systems with Malicious PDF Uploads
- personal securityaffairs.com: Maximum-severity XXE vulnerability discovered in Apache Tika
- Array Networks AG Series gateways are under active exploitation due to a command injection vulnerability in the DesktopDirect function. Although patched in May 2025, attackers have been leveraging the flaw since August 2025 to implant webshells and gain unauthorized network access. CISA has added a related Array Networks flaw (CVE-2023-28461) to its KEV catalog.
- news thecyberexpress.com: Active Exploitation of Command Injection Flaw Confirmed in Array AG Gateways
- personal securityaffairs.com: JPCERT/CC Reports Widespread Exploitation of Array Networks AG Gateway Vulnerability
- Oracle Identity Manager contains a critical pre-authentication remote code execution vulnerability (CVE-2025-61757) with a CVSS score of 9.8. The flaw in REST WebServices allows unauthenticated attackers to bypass authentication and execute arbitrary code, potentially leading to full system compromise. CISA has added this CVE to the KEV catalog.
- vendor fortiguard.fortinet.com: Oracle Identity Manager Pre-Auth RCE
- Avast Antivirus contains four kernel heap overflow vulnerabilities (CVE-2025-13032) in its ‘aswSnx’ kernel driver, which is part of the sandbox implementation. These flaws allow a local attacker to escalate privileges to SYSTEM on Windows 11 by exploiting double-fetch conditions in IOCTL handling.
- news cybersecuritynews.com: Avast Antivirus Sandbox Vulnerabilities Let Attackers Escalate Privileges
- news gbhackers.com: Avast Antivirus Sandbox Vulnerabilities Allow Privilege Escalation
Major Incidents #
- Marquis Software Solutions, a vendor for over 700 US banks and credit unions, suffered a ransomware attack exposing the data of more than 780,000 individuals. Attackers gained access via a SonicWall firewall VPN vulnerability (likely CVE-2024-40766) and exfiltrated sensitive personal and financial information, including SSNs.
- personal securityaffairs.com: Marquis data breach impacted more than 780,000 individuals
- vendor socradar.io: The Marquis Software Data Breach: What It Means For Banks, Credit Unions, And Their Customers
- Barts Health NHS Trust confirmed a data breach involving invoice data following a Cl0p ransomware attack exploiting an Oracle E-Business Suite zero-day. While clinical records were reportedly unaffected, the stolen data includes patient billing names and addresses, and staff salary information.
- news gbhackers.com: Barts Health NHS Reveals Data Breach Linked to Oracle Zero-Day Exploited by Clop Ransomware
- news hackread.com: Barts Health NHS Confirms Cl0p Ransomware Behind Data Breach
- Twin brothers were arrested for stealing and destroying US government data hosted by contractor Opexus. After being fired, they allegedly deleted databases and stole sensitive files from agencies including DHS, IRS, and EEOC. The pair had a prior conviction for hacking the State Department in 2015.
- North Korean threat actors were linked to the $1.4 billion crypto heist at Bybit exchange after a developer’s machine was infected with LummaC2 infostealer. Forensic analysis of the infected device revealed tools, infrastructure, and an email address directly connected to domains used in the Bybit attack.
- news hackread.com: LummaC2 Infects North Korean Hacker Device Linked to Bybit Heist
- ASUS confirmed a data breach at a third-party supplier after the Everest ransomware gang leaked data and claimed to have hacked ASUS, ArcSoft, and Qualcomm. The leaked data reportedly includes camera source code, but ASUS states that its internal systems and customer data remain unaffected.
- personal securityaffairs.com: ASUS confirms vendor breach as Everest gang leaks data, claims ArcSoft and Qualcomm
Emerging Threats #
- A new attack class called ‘PromptPwnd’ leverages prompt injection in CI/CD pipelines to compromise AI agents like Gemini CLI, Claude Code, and OpenAI Codex. Attackers can inject malicious instructions via issue titles or pull requests, tricking the AI into executing privileged commands or leaking secrets from GitHub/GitLab workflows.
- news cybersecuritynews.com: Researchers Hack Google’s Gemini CLI Through Prompt Injections in GitHub Actions
- news hackread.com: PromptPwnd Vulnerability Exposes AI driven build systems to Data Theft
- The Shai-Hulud npm worm has evolved into version 2.0, now featuring wiper capabilities and broader targeting including Russia, India, and Brazil. The malware spreads via compromised npm tokens to republish packages and is designed to harvest credentials from GitHub and cloud providers like AWS and Azure.
- news securelist.com: Shai Hulud 2.0, now with a wiper flavor
- news www.darkreading.com: Shai-hulud 2.0 Variant Threatens Cloud Ecosystem
- New mobile malware strains are emerging, including ‘FvncBot,’ an Android banking trojan targeting Poland that uses a fake mBank security app, and ‘Albiriox,’ a sophisticated MaaS RAT targeting over 400 financial apps globally. Albiriox features live remote control and on-device fraud capabilities to bypass MFA.
- news cybersecuritynews.com: New FvncBot Android Banking Attacking Users to Log Keystrokes and Inject Malicious Payloads
- news www.malwarebytes.com: New Android malware lets criminals control your phone and drain your bank account
- Despite sanctions, commercial spyware vendor Intellexa continues to operate, using new zero-day exploit chains and a zero-click ad-based infection vector dubbed ‘Aladdin’. Investigations reveal Intellexa retained remote access to customer systems, allowing them to view live targeting data, and deployed a new ‘Predator’ infrastructure in multiple countries.
- news cyberscoop.com: Intellexa remotely accessed Predator spyware customer systems, investigation finds
- news www.malwarebytes.com: Leaks show Intellexa burning zero-days to keep Predator spyware running
- vendor cloud.google.com: Sanctioned but Still Spying: Intellexa’s Prolific Zero-Day Exploits Continue
- A new phishing kit named ‘GhostFrame’ uses a stealthy iframe-based approach to evade detection. The kit hides malicious content within an iframe on a benign-looking HTML page, allowing attackers to swap content dynamically and generate unique subdomains for each victim, complicating analysis by security tools.
- vendor blog.barracuda.com: Threat Spotlight: Introducing GhostFrame, a new super stealthy phishing kit
Regulatory and Policy Updates #
- CISA, the Australian Cyber Security Centre, and international partners released joint guidance on securely integrating Artificial Intelligence into Operational Technology (OT). The principles focus on understanding AI risks, assessing use cases, establishing governance, and embedding safety to balance efficiency benefits with security in critical infrastructure.
- gov www.cisa.gov: CISA, Australia, and Partners Author Joint Guidance on Securely Integrating Artificial Intelligence in Operational Technology
- news www.darkreading.com: CISA Publishes Security Guidance for Using AI in OT
- The European Commission fined X (formerly Twitter) €120 million for violating the Digital Services Act (DSA). The fine addresses misleading ‘blue checkmark’ verification practices and a lack of transparency in advertising and data access for researchers, marking the first financial penalty under the new EU regulation.
- news therecord.media: EU issues €120 million fine to Elon Musk’s X under rules to tackle disinformation
- The Trump administration’s new national security strategy emphasizes collaboration with the private sector and regional partners to protect critical infrastructure. It calls for deregulation to boost competitiveness and focuses on the Western Hemisphere, while a separate national cybersecurity strategy is expected in January 2025.
- news cyberscoop.com: Five-page draft Trump administration cyber strategy targeted for January release
- news therecord.media: On cyber, Trump’s national security strategy emphasizes industry and regional partners
- A Maryland man was sentenced to 15 months in prison for allowing North Korean IT workers to use his identity to secure employment at U.S. companies, including government contractors. This case highlights ongoing efforts by the DOJ to crack down on DPRK revenue generation schemes involving identity fraud.
- news therecord.media: Maryland man sentenced for N. Korea IT worker scheme involving US government contracts
- China amended its Cybersecurity Law to explicitly codify Chinese Communist Party leadership over cybersecurity work. The changes increase penalties for non-compliance, expand the scope of covered network operators, and strengthen extraterritorial reach, further aligning cybersecurity with national security objectives.
- gov health-isac.org: Health-ISAC Hacking Healthcare 12-4-2025
Security Operations #
- GreyNoise detected a coordinated campaign targeting Palo Alto GlobalProtect and SonicWall APIs. Over 7,000 IPs from a single German hosting provider (3xK GmbH) utilized identical client fingerprints to launch credential-based attacks, indicating a single threat actor leveraging shared tooling across multiple vendors.
- personal securityaffairs.com: Attackers launch dual campaign on GlobalProtect portals and SonicWall APIs
- vendor www.greynoise.io: A Hidden Pattern Within Months of Credential-Based Attacks Against Palo Alto GlobalProtect
- Security researchers emphasize the importance of ‘tuning requests’ and feedback loops in SOCs. By adding custom fields to Kibana cases (e.g., ‘True Positive’, ‘Detection rule valid’), teams can automate the process of flagging noisy rules for engineering review, improving detection fidelity and reducing alert fatigue.
- vendor www.elastic.co: Automating detection tuning requests with Kibana cases
- Cisco showcased an ‘Agentic AI’ proof of concept for SOCs using a fine-tuned Llama model. The system uses autonomous agents to investigate incidents by calling tools (e.g., retrieving observables, summarizing events) and reasoning over the data, aiming to accelerate analyst workflows without relying on public cloud AI.
- vendor blogs.cisco.com: Cisco XDR Agentic AI With Cisco’s Foundational AI Model
- Splunk and Cisco demonstrated an automated response workflow using Splunk SOAR and ES at GovWare. The integration detected clear-text credentials in network traffic and automatically triggered a playbook to email affected users, closing the loop without analyst intervention.
- vendor blogs.cisco.com: Splunk SOAR in Action at the GovWare: Zero-Touch Clear Text Password Response
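The GreyNoise finding above (thousands of IPs from one hosting provider sharing an identical client fingerprint against two vendors' login surfaces) is the kind of pattern a SOC can hunt for in its own VPN and API authentication logs. The following Python is an added example written for this brief, not GreyNoise's code or schema: it groups constructed login events by client fingerprint and flags clusters that span many source IPs, are concentrated in a single provider, and touch more than one vendor endpoint. The field names (`provider`, `fingerprint`, `target`), the sample addresses and the thresholds are all assumptions chosen for illustration.

```python
"""Flag credential-attack clusters that reuse one client fingerprint across
many source IPs concentrated in a single hosting provider.

Constructed example for a SOC hunt; the event schema, provider names and
thresholds are assumptions, not a real vendor's log format.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthEvent:
    src_ip: str
    provider: str      # hosting / ASN organisation the source IP belongs to
    fingerprint: str   # TLS/HTTP client fingerprint recorded by the portal
    target: str        # which vendor login surface was hit
    success: bool


# Constructed sample: 40 IPs from one provider share fingerprint "fp-A" and
# alternate between two vendor endpoints; the rest is benign background.
SAMPLE_EVENTS = [
    AuthEvent(f"203.0.113.{i}", "ExampleHost GmbH", "fp-A",
              "globalprotect" if i % 2 else "sonicwall-api", False)
    for i in range(1, 41)
] + [
    AuthEvent("198.51.100.7", "Corp ISP", "fp-B", "globalprotect", True),
    AuthEvent("198.51.100.8", "Corp ISP", "fp-B", "globalprotect", True),
    AuthEvent("192.0.2.9", "Other ISP", "fp-C", "sonicwall-api", False),
]


def cluster_by_fingerprint(events, min_ips=20, min_provider_share=0.9):
    """Return {fingerprint: summary} for fingerprints seen from at least
    `min_ips` distinct IPs where one provider supplies `min_provider_share`
    or more of those IPs. Multi-vendor reach is reported as `cross_vendor`."""
    ips = defaultdict(set)
    provider_ips = defaultdict(lambda: defaultdict(set))
    targets = defaultdict(set)
    failures = defaultdict(int)

    for e in events:
        ips[e.fingerprint].add(e.src_ip)
        provider_ips[e.fingerprint][e.provider].add(e.src_ip)
        targets[e.fingerprint].add(e.target)
        if not e.success:
            failures[e.fingerprint] += 1

    findings = {}
    for fp, ipset in ips.items():
        if len(ipset) < min_ips:
            continue  # too few sources to call it a cluster
        top_provider, top_ips = max(provider_ips[fp].items(),
                                    key=lambda kv: len(kv[1]))
        share = len(top_ips) / len(ipset)
        if share < min_provider_share:
            continue  # sources spread across providers; different pattern
        findings[fp] = {
            "distinct_ips": len(ipset),
            "provider": top_provider,
            "provider_share": round(share, 2),
            "targets": sorted(targets[fp]),
            "failed_logins": failures[fp],
            "cross_vendor": len(targets[fp]) > 1,
        }
    return findings


def main():
    for fp, summary in cluster_by_fingerprint(SAMPLE_EVENTS).items():
        print(fp, summary)


if __name__ == "__main__":
    main()
```

In a real deployment the fingerprint column would come from whatever the edge records (a TLS client fingerprint or a normalized HTTP header profile), and the provider column from ASN enrichment; the point is that pivoting on the fingerprint first, then on provider concentration, surfaces shared tooling even when no single IP exceeds a per-source rate threshold.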
Wins #
- Cloudflare successfully mitigated a record-breaking 29.7 Tbps DDoS attack launched by the ‘Aisuru’ botnet. The hyper-volumetric attack utilized UDP carpet-bombing techniques, highlighting the need for automated defenses against increasingly powerful IoT botnets.
- news hackread.com: Cloudflare Blocks Aisuru Botnet Powered Largest Ever 29.7 Tbps DDoS Attack
- Researchers discovered and exposed malicious Go packages impersonating Google’s UUID library. These packages had been stealing data since 2021, and their discovery allows developers to clean up their supply chains and remove the compromised dependencies.
- news gbhackers.com: Malicious Go Packages Impersonate Google’s UUID Library to Steal Sensitive Data
- An OPSEC failure by a North Korean threat actor led to their own infection by the LummaC2 infostealer. The logs revealed direct links between the developer’s machine and the infrastructure used in the $1.4 billion Bybit crypto heist, providing rare intelligence on their operations.
- news hackread.com: LummaC2 Infects North Korean Hacker Device Linked to Bybit Heist
Disclaimer #
The summaries in this brief are generated autonomously by an LLM based on provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
The brief is created in collaboration with BlackStork and is based on a free template.
Reach out if you have questions or suggestions.