December 14, 2025

Cyber OSINT Overview, Dec 8 - Dec 14, 2025

This brief consolidates key updates from 80+ sources, including government organizations, cybersecurity vendors, threat intelligence teams, security research labs, and blogs from cybersecurity communities and professionals. It highlights the most significant threats, vulnerabilities, and developments from the past week to keep you informed.

Most Discussed Topics

  • A critical Remote Code Execution (RCE) vulnerability in React Server Components, dubbed ‘React2Shell’ (CVE-2025-55182), is under active exploitation. The flaw allows unauthenticated attackers to execute arbitrary code via the Flight protocol and impacts frameworks like Next.js. Threat actors, including Chinese state-nexus groups and cryptojackers, are actively targeting this vulnerability.
  • Microsoft’s December 2025 Patch Tuesday addressed 57 vulnerabilities, including a zero-day in the Windows Cloud Files Mini Filter Driver (CVE-2025-62221) that is actively exploited in the wild. This elevation of privilege flaw allows attackers to gain SYSTEM privileges. The update also included fixes for a remote code execution vulnerability in GitHub Copilot.
  • Pro-Russian hacktivist groups, specifically Cyber Army of Russia Reborn (CARR) and NoName057(16), are conducting opportunistic attacks against critical infrastructure in the US and Europe. These groups are targeting Water, Energy, and Food sectors, often exploiting insecure VNC connections to access OT systems. Authorities have recently charged a Ukrainian national connected to these operations.

Critical Vulnerabilities

  • Google released Chrome updates to fix a high-severity zero-day vulnerability (CVE-2025-14174) in the ANGLE graphics component that is actively exploited in the wild. The flaw involves out-of-bounds memory access in the Metal renderer. CISA has subsequently added it to its Known Exploited Vulnerabilities (KEV) catalog.
  • Fortinet patched two critical authentication bypass vulnerabilities (CVE-2025-59718, CVE-2025-59719) affecting FortiOS, FortiProxy, FortiWeb, and FortiSwitchManager. These flaws allow unauthenticated attackers to bypass FortiCloud SSO login via crafted SAML messages if the feature is enabled. A critical advisory has been issued urging immediate patching.
  • Adobe released security updates for multiple products, including ColdFusion, Experience Manager (AEM), and Acrobat. The ColdFusion update addresses critical vulnerabilities that could lead to arbitrary code execution, including file upload and deserialization flaws. The AEM update fixes numerous Cross-Site Scripting (XSS) vulnerabilities.
  • A critical vulnerability in the GeoServer GeoTools library (CVE-2025-58360) is being actively exploited. The flaw involves improper restriction of XML External Entity References and can lead to remote code execution. CISA has added this to its KEV catalog.
  • Johnson Controls iSTAR controllers contain critical vulnerabilities (CVE-2025-43875, CVE-2025-43876) allowing remote OS command injection. These flaws enable attackers to modify firmware and gain full device access. Updates are available for affected Ultra and Edge versions.
  • Gladinet CentreStack and Triofox contain a hardcoded cryptographic key vulnerability (CVE-2025-14611) that is being actively exploited. Attackers can use this to access web.config files, leading to potential deserialization and remote code execution.

Major Incidents

  • The ‘Salt Typhoon’ cyber espionage campaign has compromised over 80 telecommunications companies globally. The operation, linked to Chinese nationals Yuyang and Qiu Daibing, intercepted calls and texts, including those of high-profile US political figures, and breached lawful intercept (CALEA) systems.
  • South Korean e-commerce giant Coupang suffered a massive data breach exposing personal information of nearly 34 million customers. The breach, which began in June 2025, resulted from attackers bypassing authentication using long-valid token signing keys that were not rotated after an employee’s departure.
  • The UK Information Commissioner’s Office (ICO) fined LastPass £1.2 million for a 2022 security breach affecting 1.6 million users. The breach involved attackers compromising an employee’s home computer to steal master credentials, highlighting failures in restricting system access and managing privileged accounts.
  • A cyberattack on the Pierce County Library System in Washington exposed the personal data of over 340,000 individuals, including Social Security numbers. The INC ransomware gang claimed responsibility for the attack, which forced a system-wide shutdown in April.
  • A massive unsecured MongoDB database containing 4.3 billion professional records was discovered, exposing 16TB of data. The data, primarily LinkedIn-style profiles with employment history and contact info, was left open to the internet, enabling potential large-scale social engineering attacks.

Emerging Threats

  • Attackers are poisoning search results for AI tools like ChatGPT and Grok to deliver the AMOS macOS stealer. Victims searching for common queries like ‘Clear disk space on macOS’ are directed to fake AI conversation pages that provide malicious terminal commands, leading to data theft without triggering standard security warnings.
  • A new Android malware dubbed ‘DroidLock’ has been identified, which locks users out of their devices and demands a ransom. Unlike traditional ransomware that encrypts files, DroidLock uses device admin privileges to change PINs and wipe devices while stealing credentials and spying via the front camera.
  • A sophisticated supply chain attack named ‘PyStoreRAT’ is targeting developers and OSINT professionals via GitHub. Attackers revive dormant accounts to post AI-generated, legitimate-looking projects that are later updated with a malicious backdoor capable of deploying Rhadamanthys stealer.
  • The ‘GhostFrame’ phishing-as-a-service kit is gaining traction, using dynamic subdomains and hidden iframes to evade detection. It has powered over a million phishing attacks since September 2025, impersonating brands like Microsoft 365 by hiding login forms within non-obvious HTML features.
  • A new malware implant called ‘NANOREMOTE’ was discovered, sharing code with the FINALDRAFT implant and utilizing the Google Drive API for command and control (C2). This technique allows data theft and payload staging to blend in with legitimate traffic, making detection difficult.
  • Hamas-affiliated threat actor ‘Ashen Lepus’ (aka WIRTE) has deployed a new malware suite called ‘AshTag’ to target Middle Eastern government and diplomatic entities. The group has updated its C2 architecture to use legitimate subdomains and in-memory execution to evade analysis.

Regulatory and Policy Updates

  • President Trump signed an executive order to establish a ‘national framework’ for AI regulation, aiming to preempt ‘onerous’ state-level AI laws. The order blocks federal broadband funding from states enforcing such laws and creates a DOJ task force to challenge them, sparking debate over state versus federal control.
  • Global cybersecurity agencies, including CISA and the FBI, released joint guidance on integrating Artificial Intelligence into Operational Technology (OT) and critical infrastructure. The guidance differentiates between safety and security, advising against using AI for critical safety decisions and recommending push-based architectures.
  • The European Commission fined social media platform X (formerly Twitter) €120 million ($140 million) for violations of the Digital Services Act, specifically regarding its deceptive blue checkmark verification system and lack of advertising transparency. This is the first penalty under the EU’s new digital regulations.
  • The US Department of State implemented a new policy requiring H-1B and H-4 visa applicants to make their social media profiles public for vetting. Critics warn this ‘digital doxxing’ exposes skilled workers in sensitive industries to targeting by foreign adversaries and cybercriminals.

Security Operations

  • CISA and MITRE released the 2025 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses. This list highlights the most critical and frequently exploited software flaws, such as injection and memory safety defects, urging organizations to prioritize these in their secure-by-design initiatives.
  • Researchers published detailed methods for attacking System Center Operations Manager (SCOM), demonstrating how insecure default configurations allow attackers to harvest credentials and compromise management groups. This highlights a significant, often overlooked attack surface in enterprise environments.
  • The UK’s NCSC updated its guidance on domain validation, phasing out less secure methods like WHOIS lookups in favor of cryptographic proof. This initiative, aligned with CA/Browser Forum ballots, aims to modernize PKI security and reduce the risk of fraudulent certificate issuance.
  • Organizations are leveraging integrated platforms like Cisco XDR and Splunk Enterprise Security to accelerate threat containment. Case studies from the Cisco Live SOC demonstrate how unifying telemetry, automated triage, and full packet capture (via Endace) can resolve incidents in minutes rather than hours.

Wins

  • The US Department of Justice charged a Ukrainian national, Victoria Dubranova, for her role in Russian state-sponsored hacktivist groups CARR and NoName057(16). This marks the first use of a specific law designed to protect water systems against cyberattacks.
  • Federal prosecutors secured a guilty plea from Alan Hao Hsu for a scheme to smuggle $160 million worth of advanced NVIDIA AI chips to China. The DOJ continues to actively prosecute export control violations to protect national security despite policy debates.
  • Security researchers identified ‘Operation Talent’ and ‘Operation Phobos Aetor’ as major wins in 2025. These operations took down significant criminal infrastructure, including the Cracked/Nulled forums and the Phobos ransomware network, leading to arrests and server seizures.

Disclaimer

The summaries in this brief are generated autonomously by an LLM based on provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.

The brief is created in collaboration with BlackStork and is based on a free template.

Reach out if you have questions or suggestions.