Cyber OSINT Overview, Dec 22 - Dec 28, 2025
This brief consolidates key updates from 80+ sources, including government organizations, cybersecurity vendors, threat intelligence teams, security research labs, and blogs from cybersecurity communities and professionals. It highlights the most significant threats, vulnerabilities, and developments from the past week to keep you informed.
Most Discussed Topics
- The ‘MongoBleed’ vulnerability (CVE-2025-14847) is currently the highest-priority threat across the landscape, with over 87,000 servers exposed. It allows remote, unauthenticated attackers to extract sensitive data like plain-text passwords and AWS keys from server memory via a flaw in zlib decompression logic. Telemetry indicates that 42% of cloud environments host at least one vulnerable instance, and real-world exploitation is confirmed. Organizations are urged to patch immediately or disable zlib compression if patching is unfeasible.
- gov cyber.gc.ca: MongoDB security advisory (AV25-862)
- news cybersecuritynews.com: MongoBleed (CVE-2025-14847) Now Exploited in the Wild: MongoDB Servers at Critical Risk
- news bleepingcomputer.com: Exploited MongoBleed flaw leaks MongoDB secrets, 87K servers exposed
- personal blog.ecapuano.com: Hunting MongoBleed (CVE-2025-14847)
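The interim mitigation named above (disabling zlib compression where patching cannot happen yet) maps to the `net.compression.compressors` option in `mongod.conf`. The fragment below is an added illustration, not taken from the advisory or from MongoDB's own documentation: it shows a constructed "before" configuration that still offers zlib to clients beside an "after" configuration that removes it. It assumes the server is 4.2 or later, where this option accepts a comma-separated list, and that no client in the estate depends on zlib alone (such clients fall back to uncompressed traffic).

```yaml
# mongod.conf fragment (added example, not from the advisory).
# Before: zlib is offered to clients alongside the other compressors,
# so any connection may negotiate the zlib path the advisory describes.
net:
  compression:
    compressors: snappy,zstd,zlib
---
# After: zlib removed from the advertised list. Clients negotiate only
# from what the server advertises, so no connection can select zlib.
# This is a stop-gap until the patched build is deployed.
net:
  compression:
    compressors: snappy,zstd
```

After restarting mongod, verify the change from a client: the `hello` command's `compression` field should no longer list `zlib`. Keep the patch on the schedule regardless; the configuration change only removes one code path and does not fix the underlying defect.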
- A critical zero-day vulnerability in WatchGuard Fireware OS (CVE-2025-14733) is being actively exploited in the wild to achieve remote code execution. The flaw resides in the iked process used for IKEv2 VPN connections and impacts configurations with dynamic gateway peers. CISA has added this to the Known Exploited Vulnerabilities (KEV) catalog with a rapid remediation deadline of December 26, 2025. Incident responders should rotate all credentials and shared secrets on devices that were exposed prior to patching.
- gov cyber.gc.ca: AL25-020 – Vulnerability Impacting WatchGuard Fireware OS - CVE-2025-14733
- gov cisecurity.org: A Vulnerability in WatchGuard Fireware OS Could Allow for Arbitrary Code Execution.
- vendor socradar.io: CVE-2025-14733: WatchGuard Firebox RCE Vulnerability
- The ‘React2Shell’ vulnerability (CVE-2025-55182) is emerging as a systemic risk comparable to Log4Shell due to the ubiquity of React Server Components and Next.js. Attackers exploit malformed payloads during deserialization in the RSC ‘Flight’ protocol to achieve unauthenticated remote code execution. Exploitation scale is rapidly accelerating, with hundreds of attacks per hour observed by security vendors. Defenders are advised to implement a 24-hour turnaround for assessment and patching given the internet-facing nature of these frameworks.
- news thecyberexpress.com: 59,000 Servers Breached: Operation PCPcat Targets React and Next.js at Internet Scale
- vendor socradar.io: Top 10 CVEs of 2025: High-Impact Vulnerabilities & Exploitation Trends
- vendor huntress.com: Tradecraft Tuesday Recap: React2Shell, ClickFix, and the Rise of AI Scams
Critical Vulnerabilities
- LangChain Core contains a critical serialization injection vulnerability (CVE-2025-68664) dubbed ‘LangGrinch’ with a CVSS score of 9.3. The flaw allows attackers to instantiate unsafe objects through LLM response fields or prompt injection, leading to secret extraction from environment variables or remote code execution via Jinja2 templates. Because it resides in the framework core, it affects hundreds of millions of AI application deployments. Users should upgrade to version 0.3.81 or 1.2.5 immediately.
- news gbhackers.com: Critical LangChain Vulnerability Allows Attackers to Steal Sensitive Secrets
- vendor socradar.io: CVE-2025-68664: Critical LangChain Flaw Enables Secret Extraction
- The n8n workflow automation platform is vulnerable to a critical RCE flaw (CVE-2025-68613) with a CVSS score of 9.9. Authenticated attackers can use expression injection during workflow configuration to execute code with the same privileges as the n8n process. Over 100,000 instances are internet-reachable, presenting a significant risk for credential theft since these platforms often store cloud service tokens. Patches have been released in versions 1.120.4 and later.
- gov cyber.gc.ca: n8n security advisory (AV25-857)
- vendor socradar.io: CVE-2025-68613: Critical RCE Vulnerability Disclosed in n8n Workflow Automation
- HPE OneView Software is affected by a critical unauthenticated RCE vulnerability (CVE-2025-37164) with a CVSS score of 10.0. The flaw allows remote attackers to gain full control over data center management environments if the software is exposed to the internet. A public proof-of-concept and a Metasploit module have been released, significantly increasing the likelihood of widespread exploitation. All versions prior to 11.00 are impacted.
- gov advisories.ncsc.nl: NCSC-2025-0399 [1.01] [M/H] Vulnerability fixed in HPE OneView Software
- vendor research.checkpoint.com: 22nd December – Threat Intelligence Report
Major Incidents
- Ubisoft’s Rainbow Six Siege suffered a massive breach resulting in hackers granting billions of in-game credits to accounts and hijacking administrative ban feeds. Rumors suggest the incident may be linked to the ‘MongoBleed’ vulnerability, which threat actors allegedly used to pivot into internal source code repositories. Ubisoft shut down servers and the in-game marketplace to investigate. No official confirmation of a larger data theft has been released by the publisher yet.
- news cybersecuritynews.com: Ubisoft Rainbow Six Siege Servers Breach linked to MongoBleed Vulnerability
- news bleepingcomputer.com: Massive Rainbow Six Siege breach gives players billions of credits
- A malicious update to the Trust Wallet Chrome extension (version 2.68.0) led to the theft of $7 million in cryptocurrency. The supply-chain attack involved injecting code that exfiltrated seed phrases to an attacker-controlled domain (api.metrics-trustwallet.com). Trust Wallet has confirmed the loss and pledged refunds for hundreds of impacted users. Affected users must disable the compromised version and update to version 2.69 immediately.
- news cybersecuritynews.com: TrustWallet Chrome Extension Hacked – Users Reporting Millions in Losses
- news bleepingcomputer.com: Trust Wallet confirms extension hack led to $7 million crypto theft
- Condé Nast is facing a significant data breach following the leak of 2.3 million WIRED subscriber records by a hacker named ‘Lovely’. The hacker claims to have access to a centralized identity platform containing 40 million records across brands like Vogue, The New Yorker, and GQ. Authenticated samples include names, emails, and home addresses, with some entries as recent as September 2025. This breach increases the risk of targeted spear-phishing and doxing for affected subscribers.
- news hackread.com: Hacker Leaks 2.3M Wired.com Records, Claims 40M-User Condé Nast Breach
- news bleepingcomputer.com: Hacker claims to leak WIRED database with 2.3 million records
Emerging Threats
- Agentic AI browsers like Atlas and Comet introduce novel attack vectors including indirect prompt injection and over-privileged automation. Malicious instructions can be hidden in websites to trick the AI agent into executing unauthorized tasks, such as emailing internal documents, while the user watches. These browsers often operate with black-box logic and lack granular permission controls, making them high-risk gateways for lateral movement. Organizations should limit agent autonomy and prioritize tools that use supervised ‘watch modes’.
- news cyberscoop.com: How to determine if agentic AI browsers are safe enough for your enterprise
- vendor security.com: You Deserve Every Advantage
- The ‘BlackForce’ phishing kit is now utilizing Man-in-the-Browser (MitB) techniques to bypass multi-factor authentication (MFA). The kit features a target vetting system, after which a live operator takes over to guide the victim through a fraudulent compromise. This shift toward human-orchestrated phishing highlights the diminishing effectiveness of traditional MFA against sophisticated adversary-in-the-middle (AitM) attacks. Defenders should look for anomalous browser behavior and session hijacking indicators.
- vendor knowbe4.com: New BlackForce Phishing Kit Bypasses Multifactor Authentication
- A malicious NPM package named ‘lotusbail’ with 56,000 downloads has been exposed as a Trojan targeting WhatsApp accounts. The package hijacks the device pairing process by using hardcoded codes to link the attacker’s device to the victim’s account during setup. It implements custom RSA encryption to scramble exfiltrated data and contains 27 anti-debugging traps to freeze analysis tools. Access persists even after the code is deleted until the session is manually revoked in WhatsApp’s linked devices settings.
- news hackread.com: Popular NPM Package lotusbail Exposed as Trojan Stealing WhatsApp Chats
- news securityaffairs.com: NPM package with 56,000 downloads compromises WhatsApp accounts
Regulatory and Policy Updates
- The Japanese government has adopted a new 5-year cybersecurity strategy to strengthen coordination between civilian, law enforcement, and defense institutions. The policy explicitly labels state-backed operations from China, Russia, and North Korea as serious national threats. It aims to accelerate the detection and neutralization of attacks targeting critical infrastructure. The strategy also includes specific focus on mitigating risks from AI-driven cyber threats.
- news thecyberexpress.com: Japan Adopts New Cybersecurity Strategy to Counter Rising Cyber Threats
- NIST and CISA have released draft Interagency Report (IR) 8597 for public comment, focusing on protecting identity tokens and assertions from forgery and misuse. The report responds to recent high-profile cloud incidents where attackers stole tokens to bypass authentication. It provides implementation guidance for federal agencies and cloud providers to define roles and responsibilities in IAM. The guidance emphasizes ‘Secure by Design’ principles to help consumers defend diverse cloud environments.
- Russian authorities are aggressively cracking down on the ‘probiv’ market, an illicit information economy where corrupt officials sell personal data. President Putin signed laws imposing up to 10 years in prison for accessing or distributing leaked data. High-profile broker services like Usersbox and Himera have been targeted, prompting many operators to relocate abroad. This crackdown is partly a response to Ukrainian intelligence exploiting leaked databases to identify Russian military officials.
Security Operations
- Automated Moving Target Defense (AMTD) is being prioritized for 2026 as a strategy to shift from reactive detection to preemptive protection. AMTD continuously changes system configurations to increase uncertainty and complexity for attackers, hindering their ability to gain traction. Unlike EDR/XDR, it uses lightweight agents to block unauthorized processes deterministically rather than probabilistically. This approach is intended to silence the ‘97% distraction’ of theoretical alerts by focusing on real, exploitable risk paths.
- vendor morphisec.com: Automated Moving Target Defense Research Guide
- vendor tenable.com: The 3% Rule: How To Silence 97% of Your Cloud Alerts and Be More Secure
- ServiceNow’s $7.75 billion acquisition of Armis signals a major industry shift toward consolidating IT, OT, and medical device visibility into unified workflow platforms. The move aims to create an ‘AI control tower’ for exposure management, allowing organizations to automate risk prioritization across sprawling networks. This trend toward integrated security platforms is driven by the inability of human analysts to manually triage the volume of vulnerabilities in hybrid environments. Other recent acquisitions like Zscaler’s SplxAI and Palo Alto’s Chronosphere reinforce this platform-first movement.
- news cyberscoop.com: ServiceNow agrees to buy cyber firm Armis for $7.75B
- news darkreading.com: ServiceNow Buys Armis for $7.75B, Boosts 'AI Control Tower'
- A new five-stage maturity model for observability is being adopted to transform reactive monitoring into autonomous business resolution. Progressing through stages involves moving from threshold-based metrics to causal graphs and finally to AI-driven systems that resolve issues based on revenue impact. High-maturity programs leverage OpenGraph to map attack paths and deception technologies, creating high-fidelity detections within abusable privilege chains. This shift helps reduce ‘alert fatigue’ by tying technical telemetry to specific business risk contexts.
- news cio.com: 5 stages to observability maturity
- vendor specterops.io: Mapping Deception with BloodHound OpenGraph
Wins
- Interpol-led ‘Operation Sentinel’ resulted in 574 arrests across 19 African countries, targeting syndicates involved in business email compromise, digital extortion, and ransomware. Authorities recovered $3 million in stolen funds and took down over 6,000 malicious links. Major prevented losses included a $7.9 million fraudulent wire transfer from a petroleum company in Senegal and the decryption of 100TB of data for a Ghanaian financial institution. This operation demonstrates growing regional cooperation against accelerating cyber threats.
- news thecyberexpress.com: Agencies Across Africa Arrest 574, Recover $3 Million in Cybercrime Crackdown
- news darkreading.com: Sprawling 'Operation Sentinel' Neutralizes African Cybercrime Syndicates
- Authorities in Nigeria have arrested three high-profile cybercriminals, including the lead developer of the RaccoonO365 phishing-as-a-service (PhaaS) scheme. RaccoonO365 was used to create fraudulent Microsoft 365 login portals to steal corporate credentials. The arrest followed a civil lawsuit and investigative efforts by Microsoft and Health-ISAC. This takedown disrupts a significant phishing infrastructure that targeted major global corporations.
- community health-isac.org: Nigeria Arrests RaccoonO365 Phishing Developer Linked to Microsoft 365 Attacks
- The US Department of Justice disrupted a bank account takeover fraud operation responsible for $28 million in unauthorized transfers. Federal authorities seized the domain ‘web3adspanels.org’ and its supporting database, which functioned as a backend control panel for storing stolen logins. The criminals used fraudulent search engine advertisements mimicking legitimate banks to redirect users to malicious pages. The seizure identified at least 19 victims and dismantled the infrastructure used for ongoing credential harvesting.
- community reddit.com: Feds seize password database used in massive bank account takeover scheme
- news thecyberexpress.com: U.S. Authorities Seize Domain Linked to $28 Million Bank Account Takeover Fraud
Disclaimer
The summaries in this brief are generated autonomously by an LLM based on provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
The brief is created in collaboration with BlackStork and is based on a free template.
Reach out if you have questions or suggestions.