Author: Mark

In early December 2025, security researchers exposed a cybercrime campaign that had quietly hijacked popular Chrome and Edge browser extensions on a massive scale.

A threat group dubbed ShadyPanda spent seven years playing the long game, publishing or acquiring harmless extensions, letting them run clean for years to build trust and gain millions of installs, then suddenly flipping them into malware via silent updates. In total, about 4.3 million users installed these once-legitimate add-ons, which suddenly went rogue with spyware and backdoor capabilities.

This tactic was essentially a browser extension supply-chain attack.

The ShadyPanda operators even earned featured and verified badges in the official Chrome Web Store and Microsoft Edge Add-ons site for some extensions, reinforcing user confidence. Because extension updates happen automatically in the background, the attackers were able to push out malicious code without users noticing a thing.

Once activated in mid-2024, the compromised extensions became a fully fledged remote code execution (RCE) framework inside the browser. They could download and run arbitrary JavaScript with full access to the browser’s data and capabilities. This gave the attackers a range of spyware powers, from monitoring every URL and keystroke, to injecting malicious scripts into web pages, to exfiltrating browsing data and credentials.

One of the worst capabilities was session cookie and token theft, stealing the authentication tokens that websites use to keep users logged in. The extensions could even impersonate entire SaaS accounts (like Microsoft 365 or Google Workspace) by hijacking those session tokens.

Why Browser Extensions Are a SaaS Security Nightmare

For SaaS security teams, ShadyPanda’s campaign shows us a lot. It proved that a malicious browser extension can effectively become an intruder with keys to your company’s SaaS kingdom. If an extension grabs a user’s session cookie or token, it can unlock that user’s accounts in Slack, Salesforce, or any other web service they’re logged into.

In this case, millions of stolen session tokens could have led to unauthorized access to enterprise emails, files, chat messages, and more, all without triggering the usual security alarms. Traditional identity defenses like MFA were bypassed, because the browser session was already authenticated and the extension was piggybacking on it.

The risk extends beyond just the individual user. Many organizations allow employees to install browser extensions freely, without the scrutiny applied to other software. Browser extensions often slip through without oversight, yet they can access cookies, local storage, cloud auth sessions, active web content, and file downloads.

This blurs the line between endpoint security and cloud security. A malicious extension can be run on the user’s device (an endpoint issue), but it directly compromises cloud accounts and data (an identity/SaaS issue). ShadyPanda vividly shows the need to bridge endpoint and SaaS identity defense: security teams should think about treating the browser as an extension of the SaaS attack surface.

Steps to Reduce Browser Extension Risk

So based on all of this, what can organizations do to reduce the risk of another ShadyPanda situation? Below is a practical guide with steps to tighten your defenses against malicious browser extensions.

With the right platform, you can gain unified visibility into extensions across your environment and detect suspicious activity in real time. Reco can help bridge the gap between endpoint and cloud by correlating browser-side risks with SaaS account behavior, giving security teams a cohesive defense. By taking these proactive steps and leveraging tools like Reco to automate and scale your SaaS security, you can stay one step ahead of the next ShadyPanda.

Request a Demo: Get Started With Reco.

Note: This article is expertly written and contributed by Gal Nakash, Co-founder & CPO of Reco. Gal is a former Lieutenant Colonel in the Israeli Prime Minister’s Office. He is a tech enthusiast with a background as a security researcher and hacker. Gal has led teams in multiple cybersecurity areas, with expertise in the human element.

Dec 15, 2025Ravie LakshmananHacking News / Cybersecurity

If you use a smartphone, browse the web, or unzip files on your computer, you are in the crosshairs this week. Hackers are currently exploiting critical flaws in the daily software we all rely on—and in some cases, they started attacking before a fix was even ready.

Below, we list the urgent updates you need to install right now to stop these active threats.

⚡ Threat of the Week

Apple and Google Release Fixes for Actively Exploited Flaws — Apple released security updates for iOS, iPadOS, macOS, tvOS, watchOS, visionOS, and Safari web browser to address two zero-days that the company said have been exploited in highly targeted attacks. CVE-2025-14174 has been described as a memory corruption issue, while the second, CVE-2025-43529, is a use-after-free bug. They can both be exploited using maliciously crafted web content to execute arbitrary code. CVE-2025-14174 was also addressed by Google in its Chrome browser since it resides in its open-source Almost Native Graphics Layer Engine (ANGLE) library. There are currently no details on how these flaws were exploited, but evidence points to it likely having been weaponized by commercial spyware vendors.

• SOAPwn Exploits HTTP Client Proxies in .NET for RCE — Cybersecurity researchers uncovered an unexpected behavior of HTTP client proxies in .NET applications, potentially allowing attackers to achieve remote code execution. The vulnerability has been codenamed SOAPwn. At its core, the problem has to do with how .NET applications might be vulnerable to arbitrary file writes because .NET’s HTTP client proxies also accept non-HTTP URLs such as files, a behavior that Microsoft says developers are responsible for guarding against — but not likely to expect. This, in turn, can open remote code execution (RCE) attack paths through web shells and malicious PowerShell scripts in many .NET applications, including commercial products. By being able to pass an arbitrary URL to a SOAP API endpoint in an affected .NET application, an attacker can trigger a leak of NTLM challenge. The issue can also be exploited through Web Services Description Language (WSDL) imports, which can then be used to generate client SOAP proxies that can be controlled by the attacker. “The .NET Framework allows its HTTP client proxies to be tricked into interacting with the filesystem. With the right conditions, they will happily write SOAP requests into local paths instead of sending them over HTTP,” watchTowr said. “In the best case, this results in NTLM relaying or challenge capture. In the worst case, it becomes remote code execution through webshell uploads or PowerShell script drops.”
• Attackers Exploit New Flaw in CentreStack and Triofox — A new vulnerability in Gladinet’s CentreStack and Triofox products is being actively exploited by unknown threat actors to achieve code execution. The vulnerability, which does not have a CVE identifier, can be abused to access the web.config file, which can then be used to execute arbitrary code. At the core of the issue is a design failure in how they generate the cryptographic keys used to encrypt the access tokens the products use to control who can retrieve what files. As a result, the cryptographic keys never change and can be used to access files containing valuable data. Huntress said, as of December 10, 2025, nine organizations have been affected by the newly disclosed flaw.
• WinRAR Flaw Exploited by Multiple Threat Actors — A high-severity flaw in WinRAR (CVE-2025-6218, CVSS score: 7.8) has come under active exploitation, fueled by three different threat actors tracked as GOFFEE (aka Paper Werewolf), Bitter (aka APT-C-08 or Manlinghua), and Gamaredon. CVE-2025-6218 is a path traversal vulnerability that allows an attacker to execute code in the context of the current user. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the necessary fixes by December 30, 2025.
• Exploitation of React2Shell Surges — The recently disclosed maximum-severity security flaw in React (CVE-2025-55182, CVSS score: 10.0) has come under widespread exploitation, with threat actors targeting unpatched systems to deliver various kinds of malware. Public disclosure of the flaw triggered a “rapid wave of opportunistic exploitation,” according to Wiz. Google said it observed a China-nexus espionage cluster UNC6600 exploiting React2Shell to deliver MINOCAT, a tunneling utility based on Fast Reverse Proxy (FRP). Other exploitation efforts included the deployment of the SNOWLIGHT downloader by UNC6586 (China-nexus), the COMPOOD backdoor (linked to suspected China-nexus espionage activity since 2022) by UNC6588, an updated version of the Go-based HISONIC backdoor by UNC6603 (China-nexus), and ANGRYREBEL.LINUX (aka Noodle RAT) by UNC6595 (China-nexus). “These observed campaigns highlight the risk posed to organizations using unpatched versions of React and Next.js,” Google said.
• Hamas-Affiliated Group Goes After the Middle East — WIRTE (aka Ashen Lepus), a cyber threat group associated with Hamas, has been conducting espionage on government bodies and diplomatic entities across the Middle East since 2018. In recent years, the threat actor has broadened its targeting scope to include Oman and Morocco, while simultaneously evolving its capabilities. The modus operandi follows tried-and-tested cyber espionage tactics, using spear-phishing emails to deliver malicious attachments that deliver a modular malware suite dubbed AshTag. The components of the framework are embedded in a command-and-control (C2) web page within HTML tags in Base64-encoded format, from where they are parsed and decrypted to download the actual payloads. “Ashen Lepus remained persistently active throughout the Israel-Hamas conflict, distinguishing it from other affiliated groups whose activities decreased over the same period,” Palo Alto Networks Unit 42 said. “Ashen Lepus continued with its campaign even after the October 2025 Gaza ceasefire, deploying newly developed malware variants and engaging in hands-on activity within victim environments.” It’s being assessed that the group may be operating from outside Gaza, citing continued activity throughout the conflict.

‎️‍🔥 Trending CVEs

Hackers act fast. They can use new bugs within hours. One missed update can cause a big breach. Here are this week’s most serious security flaws. Check them, fix what matters first, and stay protected.

This week’s list includes — CVE-2025-43529, CVE-2025-14174 (Apple), CVE-2025-14174 (Google Chrome), CVE-2025-55183, CVE-2025-55184, CVE-2025-67779 (React), CVE-2025-8110 (Gogs), CVE-2025-62221 (Microsoft Windows), CVE-2025-59718, CVE-2025-59719 (Fortinet), CVE-2025-10573 (Ivanti Endpoint Manager), CVE-2025-42880, CVE-2025-55754, CVE-2025-42928 (SAP), CVE-2025-9612, CVE-2025-9613, CVE-2025-9614 (PCI Express Integrity and Data Encryption protocol), CVE-2025-27019, CVE-2025-27020 (Infinera MTC-9), CVE-2025-65883 (Genexis Platinum P4410 router), CVE-2025-64126, CVE-2025-64127, CVE-2025-64128 (Zenitel TCIV-3+), CVE-2025-66570 (cpp-httplib), CVE-2025-63216 (Itel DAB Gateway), CVE-2025-63224 (Itel DAB Encoder) CVE-2025-13390 (WP Directory Kit plugin), CVE-2025-65108 (md-to-pdf), CVE-2025-58083 (General Industrial Controls Lynx+ Gateway), CVE-2025-66489 (Cal.com), CVE-2025-12195, CVE-2025-12196, CVE-2025-11838, CVE-2025-12026 (WatchGuard), CVE-2025-64113 (Emby Server), CVE-2025-66567 (ruby-saml), CVE-2025-24857 (Universal Boot Loader), CVE-2025-13607 (D-Link DCS-F5614-L1, Sparsh Securitech, Securus CCTV), CVE-2025-13184 (TOTOLINK AX1800), CVE-2025-65106 (LangChain), CVE-2025-67635 (Jenkins), CVE-2025-12716, CVE-2025-8405, CVE-2025-12029, CVE-2025-12562 (GitLab CE/EE), and CVE-2025-64775 (Apache Struts 2).

📰 Around the Cyber World

• U.K. Fines LastPass for 2022 Breach — The U.K. Information Commissioner’s Office (ICO) fined LastPass’s British subsidiary £1.2 million ($1.6 million) for a data breach in 2022 that enabled attackers to access personal information belonging to its customers, including their encrypted password vaults. The hackers compromised a company-issued MacBook Pro of a software developer based in Europe to access the corporate development environment and related technical documentation, and exfiltrate a little over a dozen repositories. It’s unclear how the MacBook was infected. Subsequently, the threat actors gained access to one of the DevOps engineers’ PCs by exploiting CVE-2020-5741, a vulnerability in Plex Media Server, installed a keylogger used to steal the engineer’s master password, and breached the cloud storage environment. The ICO said LastPass failed to implement sufficiently robust technical and security measures. “LastPass customers had a right to expect the personal information they entrusted to the company would be kept safe and secure,” John Edwards, U.K. Information Commissioner, said. “However, the company fell short of this expectation, resulting in the proportionate fine being announced today.”
• APT-C-60 Targets Japan with SpyGlace — The threat actor known as APT-C-60 has been linked to continued cyber attacks targeting Japan to deliver SpyGlace using spear-phishing emails impersonating job seekers. The attacks were observed between June and August 2025, per JPCERT/CC. “In the previous attacks, victims were directed to download a VHDX file from Google Drive,” the agency said. “However, in the latest attacks, the malicious VHDX file was directly attached to the email. When the recipient clicks the LNK file contained within the VHDX, a malicious script is executed via Git, which is a legitimate file.” The attacks leverage GitHub to download the main malware components, marking a shift from Bitbucket.
• ConsentFix, a New Twist on ClickFix — Cybersecurity researchers have discovered a new variation of the ClickFix attack. Called ConsentFix, the new technique relies on tricking users into copy-pasting text that contains their OAuth material into an attacker-controlled web page. Push Security said it spotted the technique in attacks targeting Microsoft business accounts. In these attacks, targets are funneled through Google Search to compromised but reputable websites injected with a fake Cloudflare Turnstile challenge that instructs them to sign in to their accounts and paste the URL. Once the targets log in, they are redirected to a localhost URL containing the OAuth authorization code for their Microsoft account. The phishing process ends when the victims paste the URL back into the original page, granting the threat actors unauthorized access. The attack “sees the victim tricked into logging into Azure CLI, by generating an OAuth authorization code — visible in a localhost URL — and then pasting that URL, including the code, into the phishing page,” the security company said. “The attack happens entirely inside the browser context, removing one of the key detection opportunities for ClickFix attacks because it doesn’t touch the endpoint.” The technique is a variation of an attack used by Russian state-sponsored hackers earlier this year that deceived victims into sending their OAuth authorization code via Signal or WhatsApp to the hackers.
• 2025 CWE Top 25 Most Dangerous Software Weaknesses — The U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with the MITRE Corporation, released the 2025 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses, identifying the most critical vulnerabilities that adversaries exploit to compromise systems, steal data, or disrupt services. It was compiled from 39,080 CVEs published this year. Topping the list is cross-site scripting, followed by SQL Injection, Cross-Site Request Forgery (CSRF), missing authorization, and out-of-bounds write.
• Salt Typhoon Spies Reportedly Attended Cisco Training Scheme — Two of Salt Typhoon’s members, Yu Yang and Qiu Daibing, have been identified as participants of the 2012 Cisco Networking Academy Cup. Both Yu and Qiu are co-owners of Beijing Huanyu Tianqiong, one of the Chinese companies that the U.S. government and its allies allege as being fronts for Salt Typhoon activity. Yu is also tied to another Salt Typhoon-connected company, Sichuan Zhixin Ruijie. SentinelOne found that Yu and Qiu represented Southwest Petroleum University in Cisco’s academy cup in China. Yu’s team was placed second in the Sichuan region, while Qiu’s team took the first prize and later claimed the third spot nationally, despite the university being considered as a poorly-regarded academic institution. “The episode suggests that offensive capabilities against foreign IT products likely emerge when companies begin supplying local training and that there is a potential risk of such education initiatives inadvertently boosting foreign offensive research,” security researcher Dakota Cary said. The episode stresses the need for demonstrating technical competencies when hiring technical professionals and that offensive teams may benefit from putting their own employees through similar training initiatives like Huawei’s ICT academy.
• Freedom Chat Flaws Detailed — A pair of security flaws has been disclosed in Freedom Chat that could have allowed a bad actor to guess registered users’ phone numbers (similar to the recent WhatsApp flaw) and expose user-set PINs to others on the app. The issues, discovered by Eric Daigle, have since been addressed by the privacy-focused messaging app as of December 7, 2025. In an update pushed out to Apple and Google’s app stores, the company said: “A critical reset: A recent backend update inadvertently exposed user PINs in a system response. No messages were ever at risk, and because Freedom Chat does not support linked devices, your conversations were never accessible; however, we’ve reset all user PINs to ensure your account stays secure. Your privacy remains our top priority.”
• Unofficial Patch for New Windows RasMan 0-Day Released — Free unofficial patches have been made available for a new Windows zero-day vulnerability that allows unprivileged attackers to crash the Remote Access Connection Manager (RasMan) service. ACROS Security’s 0patch service said it discovered a new denial-of-service (DoS) flaw while looking into CVE-2025-59230, a Windows RasMan privilege escalation vulnerability exploited in attacks that was patched in October. The new flaw has not been assigned a CVE identifier, and there is no evidence of it having been abused in the wild. It affects all Windows versions, including Windows 7 through Windows 11 and Windows Server 2008 R2 through Server 2025.
• Ukrainian National Charged for Cyber Attacks on Critical Infra — U.S. prosecutors have charged a Ukrainian national for her role in cyberattacks targeting critical infrastructure worldwide, including U.S. water systems, election systems, and nuclear facilities, on behalf of Russian state-backed hacktivist groups. Victoria Eduardovna Dubranova (aka Vika, Tory, and SovaSonya), 33, was allegedly part of two pro-Kremlin hacktivist groups named NoName057(16) and CyberArmyofRussia_Reborn (CARR), the latter of which was founded, funded, and directed by Russia’s military intelligence service GRU. NoName057(16), a hacktivist group active since March 2022, has over 1,500 DDoS attacks against organizations in Ukraine and NATO countries. If found guilty, Dubranova faces up to 32 years in prison. She was extradited to the U.S. earlier this year. The U.S. Justice Department said the groups tampered with U.S. public water systems and caused an ammonia leak at a U.S. meat processing factory. Dubranova pleaded not guilty in a U.S. court last week. The U.S. government is also offering rewards for additional information on other members of the two groups. Prosecutors said administrators of the two collectives, dissatisfied with the level of support and funding from the GRU, went on to form Z-Pentest in September 2024 to conduct hack-and-leak operations and defacement attacks. “Pro-Russia hacktivist groups are conducting less sophisticated, lower-impact attacks against critical infrastructure entities, compared to advanced persistent threat (APT) groups. These attacks use minimally secured, internet-facing virtual network computing (VNC) connections to infiltrate (or gain access to) OT control devices within critical infrastructure systems,” U.S. and other allies said in a joint advisory. “Pro-Russia hacktivist groups – Cyber Army of Russia Reborn (CARR), Z-Pentest, NoName057(16), Sector 16, and affiliated groups – are capitalizing on the widespread prevalence of accessible VNC devices to execute attacks against critical infrastructure entities, resulting in varying degrees of impact, including physical damage.” These groups are known for their opportunistic attacks, typically leveraging unsophisticated tradecraft like known security flaws, reconnaissance tools, and common password-guessing techniques to access networks and conduct SCADA intrusions. While their ability to consistently cause significant impact is limited, they also tend to work together to amplify each other’s posts to reach a broader audience on platforms like Telegram and X. X’s Safety team said it cooperated with U.S. authorities to suspend NoName057(16)’s account (“@NoName05716”) for facilitating criminal conduct.
• APT36 Targets Indian Government Entities with Linux Malware — A new phishing campaign orchestrated by APT36 (aka Transparent Tribe) has been observed delivering tailored malware specifically crafted to compromise Linux-based BOSS operating environments prevalent in Indian government networks. “The intrusion begins with spear-phishing emails designed to lure recipients into opening weaponized Linux shortcut files,” CYFIRMA said. “Once executed, these files silently download and run malicious components in the background while presenting benign content to the user, thereby facilitating stealthy initial access and follow-on exploitation.” The attack culminates with the deployment of a Python-based Remote Administration Tool (RAT) that can collect system information, contact an external server, and run commands, granting the attackers remote control over infected hosts. “The group’s current activity reflects a broader trend in state-aligned espionage operations: the adoption of adaptive, context-aware delivery mechanisms designed to blend seamlessly into the target’s technology landscape,” the company said.
• Vietnamese IT and HR Firms Targeted by Operation Hanoi Thief — A threat cluster referred to as Operation Hanoi Thief has targeted Vietnamese IT departments and HR recruiters using fake resumes distributed as ZIP files in phishing emails to deliver malware called LOTUSHARVEST. The ZIP file contains a Windows shortcut (LNK) file that, when opened, executes a “pseudo-polyglot” payload present in the archive that serves as the lure and as well as the container for a batch script that displays a decoy PDF and uses DLL side-loading to load the LOTUSHARVEST DLL. The malware runs various anti-analysis checks and proceeds to harvest data from web browsers such as Google Chrome and Microsoft Edge. The activity has been attributed with medium confidence to a threat cluster of Chinese origin.
• Microsoft Adds New PowerShell Security Feature — With PowerShell 5.1, Microsoft has added a new feature to warn users when they’re about to execute web content. The warning will alert users when executing the Invoke-WebRequest command without additional special parameters. “This prompt warns that scripts in the page could run during parsing and advises using the safer -UseBasicParsing parameter to avoid any script execution,” Microsoft said. “Users must choose to continue or cancel the operation. This change helps protect against malicious web content by requiring user consent before potentially risky actions.” The company also said it’s rolling out a new Baseline Security Mode in Office, SharePoint, Exchange, Teams, and Entra that can automatically configure apps with minimum security requirements. The centralized experience began rolling out in phases last month and will be completed by March next year. “It provides admins with a dashboard to assess and improve security posture using impact reports and risk-based recommendations, with no immediate user impact,” Microsoft said. “Admins can view the tenant’s current security posture compared to Microsoft’s recommended minimum security bar.”
• U.S. to Require Foreign Travelers to Share 5-Year Social Media History — The U.S. government will soon require all foreign travelers to provide five years’ worth of social media history prior to their entry. This includes details about social media accounts, email addresses, and phone numbers used over the past five years. The new requirement will be applied to foreigners from all countries, including those who are eligible to visit the U.S. for 90 days without a visa. “We want to make sure we’re not letting the wrong people enter our country,” U.S. President Donald Trump said.
• New AitM Phishing Campaign Targets Microsoft 365 and Okta Users — An active adversary-in-the-middle (AitM) phishing campaign is targeting organizations that use Microsoft 365 and Okta for their single sign-on (SSO), with the main goal of hijacking the legitimate SSO flow and bypassing multi-factor authentication (MFA) methods that are not phishing-resistant. “When a victim uses Okta as their identity provider (IdP), the phishing page hijacks the SSO authentication flow to bring the victim to a second-stage phishing page, which acts as a proxy to the organization’s legitimate Okta tenant and captures the victim’s credentials and session tokens,” Datadog said.
  
• Phishing Campaign Uses Fake Calendly Invites to Spoof Major Brands — A large-scale phishing campaign has Calendly-themed phishing lures entered around a fake job opportunity to steal Google Workspace and Facebook business account credentials. These emails purport to originate from brands like Louis Vuitton, Unilever, Lego, and Disney, among others. “Only after the victim has responded to an initial email was the phishing link delivered under the guise of a Calendly link to book time for a call,” Push Security said. “Clicking the link takes the victim to an authentic-looking page impersonating a Calendly landing page. From there, users are prompted to complete a CAPTCHA check and continue to sign in with their Google account, which causes their credentials to be stolen using an AitM phishing page. A similar variant has also been observed tricking victims into entering their Facebook account credentials on bogus pages, while another targets both Google and Facebook credentials using Browser-in-the-Browser (BitB) techniques that display fake pop-up windows featuring legitimate URLs to steal account credentials. The fact that the campaign is focused on compromising accounts responsible for managing digital ads on behalf of businesses shows that the threat actors are looking to launch malvertising campaigns for other kinds of attacks, including ClickFix. This is not the first time job-related lures have been used to steal account information. In October 2025, phishing emails impersonating Google Careers were used to phish credentials. In tandem, Push Security said it also observed a malvertising campaign in which users who searched for “Google Ads” on Google Search were served a malicious sponsored ad that’s designed to capture their credentials.
• Calendar Subscriptions for Phishing and Malware Delivery — Threat actors have been found leveraging digital calendar subscription infrastructure to deliver malicious content. “The security risk arises from third-party calendar subscriptions hosted on expired or hijacked domains, which can be exploited for large-scale social engineering,” Bitsight said. “Once a subscription is established, they can deliver calendar files that may contain harmful content, such as URLs or attachments, turning a helpful tool into an unexpected attack vector.” The attack takes advantage of the fact that these third-party servers can add events directly to users’ schedules. The cybersecurity company said it discovered more than 390 abandoned domains related to iCalendar synchronization (sync) requests for subscribed calendars, potentially putting about four million iOS and macOS devices at risk. All the identified domains have been sinkholed.
• The Gentlemen Ransomware Uses BYOVD Technique in Attacks — A nascent ransomware group called The Gentlemen has employed tactics common to advanced e-crime groups, such as Group Policy Objects (GPO) manipulation and Bring Your Own Vulnerable Driver (BYOVD), as part of double extortion attacks aimed at manufacturing, construction, healthcare, and insurance sectors across 17 countries. “Since its emergence, Gentlemen has been evaluated as one of the most active emerging ransomware groups in 2025, having attacked multiple regions and industries in a relatively short period,” AhnLab said. The group emerged around July 2025, with PRODAFT noting in mid-October that Phantom Mantis (ArmCorp), led by LARVA-368 (hastalamuerte), tested Qilin (Pestilent Mantis), Embargo (Primeval Mantis), LockBit (Tenacious Mantis), Medusa (Venomous Mantis), and BlackLock (Incredible Mantis), before building their own ransomware-as-a-service (RaaS): The Gentlemen.

🎥 Cybersecurity Webinars

• Defining the New Layers of Cloud Defense with Zero Trust and AI: This webinar shows how Zero Trust and AI help stop modern, fileless attacks. Zscaler experts explain new tactics like “living off the land” and fileless reassembly, and how proactive visibility and secure developer environments keep organizations ahead of emerging threats.
• Speed vs. Security: How to Patch Faster Without Opening New Doors to Attackers: This session explores how to balance speed and security when using community patching tools like Chocolatey and Winget. Gene Moody, Field CTO at Action1, examines real risks in open repositories—outdated packages, weak signatures, and unverified code—and shows how to set clear guardrails that keep patching fast but safe. Attendees will learn when to trust community sources, how to detect version drift, and how to run controlled rollouts without slowing operations.

🔧 Cybersecurity Tools

• Strix: A small open-source tool that helps developers build command-line interfaces (CLIs) more easily. It focuses on keeping setup simple and commands clear, so you can create tools that behave the same way every time. Instead of dealing with complex frameworks, you can use Strix to define commands, handle arguments, and manage output in a few straightforward steps.
• Heisenberg: It is a simple, open-source tool that looks at the software your projects depend on and checks how healthy and safe those parts are. It reads information about packages from public sources and “software bills of materials” (SBOMs) to find security problems or bad signals in your dependency chain and can produce reports for one package or many at once. The idea is to help teams spot risky or vulnerable components early, especially as they change, so you can understand supply chain risks without a complex setup.

Disclaimer: These tools are for learning and research only. They haven’t been fully tested for security. If used the wrong way, they could cause harm. Check the code first, test only in safe places, and follow all rules and laws.

Conclusion

We listed a lot of fixes today, but reading about them doesn’t secure your device—installing them does. The attackers are moving fast, so don’t leave these updates for ‘later.’ Take five minutes right now to check your systems, restart if you need to, and head into the weekend knowing you are one step ahead of the bad guys.

Dec 15, 2025Ravie LakshmananVulnerability / Software Security

Multiple security vulnerabilities have been disclosed in the open-source private branch exchange (PBX) platform FreePBX, including a critical flaw that could result in an authentication bypass under certain configurations.

The shortcomings, discovered by Horizon3.ai and reported to the project maintainers on September 15, 2025, are listed below –

• CVE-2025-61675 (CVSS score: 8.6) – Numerous authenticated SQL injection vulnerabilities impacting four unique endpoints (basestation, model, firmware, and custom extension) and 11 affected parameters that enable read and write access to the underlying SQL database
• CVE-2025-61678 (CVSS score: 8.6) – An authenticated arbitrary file upload vulnerability that allows an attacker to exploit the firmware upload endpoint to upload a PHP web shell after obtaining a valid PHPSESSID and run arbitrary commands to leak the contents of sensitive files (e.g., “/etc/passwd”)
• CVE-2025-66039 (CVSS score: 9.3) – An authentication bypass vulnerability that occurs when the “Authorization Type” (aka AUTHTYPE) is set to “webserver,” allowing an attacker to log in to the Administrator Control Panel via a forged Authorization header

It’s worth mentioning here that the authentication bypass is not vulnerable in the default configuration of FreePBX, given that the “Authorization Type” option is only displayed when the three following values in the Advanced Settings Details are set to “Yes”:

• Display Friendly Name
• Display Readonly Settings, and
• Override Readonly Settings

However, once the prerequisite is met, an attacker could send crafted HTTP requests to sidestep authentication and insert a malicious user into the “ampusers” database table, effectively accomplishing something similar to CVE-2025-57819, another flaw in FreePBX that was disclosed as having been actively exploited in the wild in September 2025.

“These vulnerabilities are easily exploitable and enable authenticated/unauthenticated remote attackers to achieve remote code execution on vulnerable FreePBX instances,” Horizon3.ai security researcher Noah King said in a report published last week.

The issues have been addressed in the following versions –

• CVE-2025-61675 and CVE-2025-61678 – 16.0.92 and 17.0.6 (Fixed on October 14, 2025)
• CVE-2025-66039 – 16.0.44 and 17.0.23 (Fixed on December 9, 2025)

In addition, the option to choose an authentication provider has now been removed from Advanced Settings and requires users to set it manually through the command-line using fwconsole. As temporary mitigations, FreePBX has recommended that users set “Authorization Type” to “usermanager,” set “Override Readonly Settings” to “No,” apply the new configuration, and reboot the system to disconnect any rogue sessions.

“If you did find that web server AUTHTYPE was enabled inadvertently, then you should fully analyze your system for signs of any potential compromise,” it said.

Users are also displayed a warning on the dashboard, stating “webserver” may offer reduced security compared to “usermanager.” For optimal protection, it’s advised to avoid using this authentication type.

“It’s important to note that the underlying vulnerable code is still present and relies on authentication layers in front to provide security and access to the FreePBX instance,” King said. “It still requires passing an Authorization header with a basic Base64-encoded username:password.”

“Depending on the endpoint, we noticed a valid username was required. In other cases, such as the file upload shared above, a valid username is not required, and you can achieve remote code execution with a few steps, as outlined. It is best practice not to use the authentication type webserver as it appears to be legacy code.”

A Google Chrome extension with a “Featured” badge and six million users has been observed silently gathering every prompt entered by users into artificial intelligence (AI)-powered chatbots like OpenAI ChatGPT, Anthropic Claude, Microsoft Copilot, DeepSeek, Google Gemini, xAI Grok, Meta AI, and Perplexity.

The extension in question is Urban VPN Proxy, which has a 4.7 rating on the Google Chrome Web Store. It’s advertised as the “best secured Free VPN access to any website, and unblock content.” Its developer is a Delaware-based company named Urban Cyber Security Inc. On the Microsoft Edge Add-ons marketplace, it has 1.3 million installations.

Despite claiming that it allows users to “protect your online identity, stay protected, and hide your IP,” the extension was updated on July 9, 2025, when version 5.5.0 was released with the AI data harvesting enabled by default using hard-coded settings.

Specifically, this is achieved by means of a tailored executor JavaScript that’s triggered for each of the AI chatbots (i.e., chatgpt.js, claude.js, gemini.js) to intercept and gather the conversations every time a user who has installed the extension visits any of the targeted platforms.

Once the script is injected, it overrides the browser APIs used to handle network requests – fetch() and XMLHttpRequest() – to make sure that every request is first routed through the extension’s code so as to capture the conversation data, including users’ prompts and the chatbot’s responses, and exfiltrate them to two remote servers (“analytics.urban-vpn[.]com” and “stats.urban-vpn[.]com”).

The exact list of data captured by the extension is as follows –

• Prompts entered by the user
• Chatbot responses
• Conversation identifiers and timestamps
• Session metadata
• AI platform and model used

“Chrome and Edge extensions auto-update by default,” Koi Security’s Idan Dardikman said in a report published today. “Users who installed Urban VPN for its stated purpose – VPN functionality – woke up one day with new code silently harvesting their AI conversations.”

It’s worth mentioning that Urban VPN’s updated privacy policy, as of June 25, 2025, mentions that it collects this data to enhance Safe Browsing and for marketing analytics purposes, and that any other secondary use of the gathered AI prompts will be carried out on de-identified and anonymized data –

One of the third-parties it shares “Web Browsing Data” with is an affiliated ad intelligence and brand monitoring firm named BIScience. The company uses the raw (not anonymized) data to create insights that are “commercially used and shared with Business Partners,” the VPN software maker notes.

It’s worth noting BiScience, which also happens to own Urban Cyber Security Inc., was called out by an anonymous researcher earlier this January for collecting users’ browsing history, or clickstream data, as it’s called, under misleading privacy policy disclosures.

The company is alleged to provide a software development kit (SDK) to partner third-party extension developers to collect clickstream data from users, which is transmitted to the sclpfybn[.]com and other endpoints under its control.

“BIScience and partners take advantage of loopholes in the Chrome Web Store policies, mainly exceptions listed in the Limited Use policy, which are the ‘approved use cases,’” the researcher noted, adding they “develop user-facing features that allegedly require access to browsing history, to claim the ‘necessary to providing or improving your single purpose’ exception.”

On the extension listing page, Urban VPN also highlights an “AI protection” feature, which it says checks prompts for personal data, chatbot responses for suspicious or unsafe links, and displays a warning before users submit their prompts or click on them.

While this monitoring is framed as preventing users from accidentally sharing any personal information, what the developers fail to mention is that the data collection happens regardless of whether the feature is enabled.

“The protection feature shows occasional warnings about sharing sensitive data with AI companies,” Dardikman said. “The harvesting feature sends that exact sensitive data – and everything else – to Urban VPN’s own servers, where it’s sold to advertisers. The extension warns you about sharing your email with ChatGPT while simultaneously exfiltrating your entire conversation to a data broker.”

Koi Security said it observed identical AI harvesting functionality in three other unique extensions from the same publisher across Chrome and Microsoft Edge, taking its total install base to over eight million –

• 1ClickVPN Proxy
• Urban Browser Guard
• Urban Ad Blocker

All these extensions, with the exception of Urban Ad Blocker for Edge, carry the “Featured” badge, giving users an impression that they follow the platform’s “best practices and meet a high standard of user experience and design.”

“These badges signal to users that the extensions have been reviewed and meet platform quality standards,” Dardikman pointed out. “For many users, a Featured badge is the difference between installing an extension and passing it by – it’s an implicit endorsement from Google and Microsoft.”

The findings once again demonstrate how trust associated with extension marketplaces can be abused to amass sensitive data at scale, especially at a time when users are increasingly sharing deeply personal information, getting advice, and discussing emotions with AI chatbots.

The Hacker News has reached out to both Google and Microsoft for comment, and we will update the story if we hear back.

Dec 15, 2025Ravie LakshmananRansomware / Cybercrime

The pro-Russian hacktivist group known as CyberVolk (aka GLORIAMIST) has resurfaced with a new ransomware-as-a-service (RaaS) offering called VolkLocker that suffers from implementation lapses in test artifacts, allowing users to decrypt files without paying an extortion fee.

According to SentinelOne, VolkLocker (aka CyberVolk 2.x) emerged in August 2025 and is capable of targeting both Windows and Linux systems. It’s written in Golang.

“Operators building new VolkLocker payloads must provide a bitcoin address, Telegram bot token ID, Telegram chat ID, encryption deadline, desired file extension, and self-destruct options,” security researcher Jim Walter said in a report published last week.

Once launched, the ransomware attempts to escalate privileges, performs reconnaissance and system enumeration, including checking local MAC address prefixes against known virtualization vendors like Oracle and VMware. In the next stage, it lists all available drives and determines the files to be encrypted based on the embedded configuration.

VolkLocker uses AES-256 in Galois/Counter Mode (GCM) for encryption through Golang’s “crypto/rand” package. Every encrypted file is assigned a custom extension such as .locked or .cvolk.

However, an analysis of the test samples has uncovered a fatal flaw where the locker’s master keys are not only hard-coded in the binaries, but are also used to encrypt all files on a victim system. More importantly, the master key is also written to a plaintext file in the %TEMP% folder (“C:UsersAppDataLocalTempsystem_backup.key”).

Since this backup key file is never deleted, the design blunder enables self-recovery. That said, VolkLocker has all the hallmarks typically associated with a ransomware strain. It makes Windows Registry modifications to thwart recovery and analysis, deletes volume shadow copies, and terminates processes associated with Microsoft Defender Antivirus and other common analysis tools.

However, where it stands out is in the use of an enforcement timer, which wipes the content of user folders, viz. Documents, Desktop, Downloads, and Pictures, if victims fail to pay within 48 hours or enter the wrong decryption key three times.

CyberVolk’s RaaS operations are managed through Telegram, costing prospective customers between $800 and $1,100 for either a Windows or Linux version, or between $1,600 and $2,200 for both operating systems. VolkLocker payloads come with built-in Telegram automation for command-and-control, allowing users to message victims, initiate file decryption, list active victims, and get system information.

As of November 2025, the threat actors have advertised a remote access trojan and keylogger, both priced at $500 each, indicating a broadening of their monetization strategy.

CyberVolk launched its own RaaS in June 2024. Known for conducting distributed denial-of-service (DDoS) and ransomware attacks on public and government entities to support Russian government interests, it’s believed to be of Indian origin.

“Despite repeated Telegram account bans and channel removals throughout 2025, CyberVolk has reestablished its operations and expanded its service offerings,” Walter said. “Defenders should see CyberVolk’s adoption of Telegram-based automation as a reflection of broader trends among politically-motivated threat actors. These groups continue to lower barriers for ransomware deployment while operating on platforms that provide convenient infrastructure for criminal services.”

Dec 15, 2025Ravie LakshmananMalware / Cybercrime

Cybersecurity researchers have disclosed details of an active phishing campaign that’s targeting a wide range of sectors in Russia with phishing emails that deliver Phantom Stealer via malicious ISO optical disc images.

The activity, codenamed Operation MoneyMount-ISO by Seqrite Labs, has primarily singled out finance and accounting entities, with those in the procurement, legal, payroll verticals emerging as secondary targets.

“This campaign employs a fake payment confirmation lure to deliver the Phantom information-stealing malware through a multi-stage attachment chain,” the cybersecurity company said.

The infection chain begins with a phishing email that masquerades as legitimate financial communications, urging recipients to confirm a recent bank transfer. Attached to the email is a ZIP archive that claims to contain additional details, but, instead, contains an ISO file that, when launched, mounts on the system as a virtual CD drive.

The ISO image (“Подтверждение банковского перевода.iso” or “Bank transfer confirmation.iso”) serves as an executable that’s designed to launch Phantom Stealer by means of an embedded DLL (“CreativeAI.dll”).

Phantom Stealer is capable of extracting data from cryptocurrency wallet browser extensions installed in Chromium-based browsers and desktop wallet apps, as well as grab files, Discord authentication tokens, and browser-related passwords, cookies, and credit card details.

It also monitors clipboard content, logs keystrokes, and runs a series of checks to detect virtualized, sandboxed, or analysis environments, and if so, aborts its execution. Data exfiltration is achieved via a Telegram bot or to an attacker-controlled Discord webhook. On top of that, the stealer enables file transfer to an FTP server.

In recent months, Russian organizations, mainly human resources and payroll departments, have also been targeted by phishing emails that employ lures related to bonuses or internal financial policies to deploy a previously undocumented implant named DUPERUNNER that loads AdaptixC2, an open-source command-and-control (C2) framework.

Dubbed DupeHike, the campaign has been attributed to a threat cluster named UNG0902.

“The ZIP has been used as a preliminary source of spear-phishing-based infection containing decoys with PDF and LNK extension, which downloads the implant DUPERUNNER, which finally executes the Adaptix C2 Beacon,” Seqrite said.

The LNK file (“Документ_1_О_размере_годовой_премии.pdf.lnk” or “Document_1_On_the_amount_of_the_annual_bonus.pdf.lnk”), in turn, proceeds to download DUPERUNNER from an external server using “powershell.exe.” The primary responsibility of the implant is to retrieve and display a decoy PDF and launch AdaptixC2 by injecting it into a legitimate Windows process like “explorer.exe,” “notepad.exe,” and “msedge.exe.”

Other phishing campaigns have taken aim at finance, legal, and aerospace sectors in Russia to distribute Cobalt Strike and malicious tools like Formbook, DarkWatchman, and PhantomRemote that are capable of data theft and hands-on keyboard control. The email servers of compromised Russian companies are used to send the spear-phishing messages.

French cybersecurity company Intrinsec has attributed the intrusion set targeting the Russian aerospace industry to hacktivists aligned with Ukrainian interests. The activity, detected between June and September 2025, shares overlaps with Hive0117, Operation CargoTalon, and Rainbow Hyena (aka Fairy Trickster, Head Mare, and PhantomCore).

Some of these efforts have also been found to redirect users to phishing login pages hosted on the InterPlanetary File System (IPFS) and Vercel, designed to steal credentials associated with Microsoft Outlook and Bureau 1440, a Russian aerospace company.

“The campaigns observed between June and September 2025 […] aimed at compromising entities actively cooperating with Russia’s army amidst the current conflict with Ukraine, largely assessed by the Western sanctions imposed on them,” Intrinsec said.

Dec 13, 2025Ravie LakshmananNetwork Security / Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a high-severity flaw impacting Sierra Wireless AirLink ALEOS routers to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation in the wild.

CVE-2018-4063 (CVSS score: 8.8/9.9) refers to an unrestricted file upload vulnerability that could be exploited to achieve remote code execution by means of a malicious HTTP request.

“A specially crafted HTTP request can upload a file, resulting in executable code being uploaded, and routable, to the webserver,” the agency said. “An attacker can make an authenticated HTTP request to trigger this vulnerability.”

Details of the six-year-old flaw were publicly shared by Cisco Talos in April 2019, describing it as an exploitable remote code execution vulnerability in the ACEManager “upload.cgi” function of Sierra Wireless AirLink ES450 firmware version 4.9.3. Talos reported the flaw to the Canadian company in December 2018.

“This vulnerability exists in the file upload capability of templates within the AirLink 450,” the company said. “When uploading template files, you can specify the name of the file that you are uploading.”

“There are no restrictions in place that protect the files that are currently on the device, used for normal operation. If a file is uploaded with the same name of the file that already exists in the directory, then we inherit the permissions of that file.”

Talos noted that some of the files that exist in the directory (e.g., “fw_upload_init.cgi” or “fw_status.cgi”) have executable permissions on the device, meaning an attacker can send HTTP requests to the “/cgi-bin/upload.cgi” endpoint to upload a file with the same name to achieve code execution.

This is compounded by the fact that ACEManager runs as root, thereby causing any shell script or executable uploaded to the device to also run with elevated privileges.

The addition of CVE-2018-4063 to the KEV catalog comes a day after a honeypot analysis conducted by Forescout over a 90-day period revealed that industrial routers are the most attacked devices in operational technology (OT) environments, with threat actors attempting to deliver botnet and cryptocurrency miner malware families like RondoDox, Redtail, and ShadowV2 by exploiting the following flaws –

Attacks have also been recorded from a previously undocumented threat cluster named Chaya_005 that weaponized CVE-2018-4063 in early January 2024 to upload an unspecified malicious payload with the name “fw_upload_init.cgi.” No further successful exploitation efforts have been detected since then.

“Chaya_005 appears to be a broader reconnaissance campaign testing multiple vendor vulnerabilities rather than focusing on a single one,” Forescout Research – Vedere Labs said, adding it’s likely the cluster is no longer a “significant threat.”

In light of active exploitation of CVE-2018-4063, Federal Civilian Executive Branch (FCEB) agencies are advised to update their devices to a supported version or discontinue the use of the product by January 2, 2026, since it has reached end-of-support status.

Dec 13, 2025Ravie LakshmananZero-Day / Vulnerability

Apple on Friday released security updates for iOS, iPadOS, macOS, tvOS, watchOS, visionOS, and its Safari web browser to address two security flaws that it said have been exploited in the wild, one of which is the same flaw that was patched by Google in Chrome earlier this week.

The vulnerabilities are listed below –

• CVE-2025-43529 (CVSS score: N/A) – A use-after-free vulnerability in WebKit that may lead to arbitrary code execution when processing maliciously crafted web content
• CVE-2025-14174 (CVSS score: 8.8) – A memory corruption issue in WebKit that may lead to memory corruption when processing maliciously crafted web content

Apple said it’s aware that the shortcomings “may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26.”

It’s worth noting that CVE-2025-14174 is the same vulnerability that Google issued patches for in its Chrome browser on December 10, 2025. It’s been described by the tech giant as an out-of-bounds memory access in the company’s open-source Almost Native Graphics Layer Engine (ANGLE) library, specifically in its Metal renderer.

Apple Security Engineering and Architecture (SEAR) and Google Threat Analysis Group (TAG) have been credited with discovering and reporting the flaw, while Apple credited TAG with finding CVE-2025-43529.

This indicates that the vulnerabilities were likely weaponized in highly-targeted mercenary spyware attacks, given that they both affect WebKit, the rendering engine that’s also used in all third-party web browsers on iOS and iPadOS, including Chrome, Microsoft Edge, Mozilla Firefox, and others.

The flaws have been addressed in the following versions and devices –

• iOS 26.2 and iPadOS 26.2 – iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
• iOS 18.7.3 and iPadOS 18.7.3 – iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
• macOS Tahoe 26.2 – Macs running macOS Tahoe
• tvOS 26.2 – Apple TV HD and Apple TV 4K (all models)
• watchOS 26.2 – Apple Watch Series 6 and later
• visionOS 26.2 – Apple Vision Pro (all models)
• Safari 26.2 – Macs running macOS Sonoma and macOS Sequoia

With these updates, Apple has now patched nine zero-day vulnerabilities that were exploited in the wild in 2025, including CVE-2025-24085, CVE-2025-24200, CVE-2025-24201, CVE-2025-31200, CVE-2025-31201, CVE-2025-43200, and CVE-2025-43300.

Cybersecurity researchers have documented four new phishing kits named BlackForce, GhostFrame, InboxPrime AI, and Spiderman that are capable of facilitating credential theft at scale.

BlackForce, first detected in August 2025, is designed to steal credentials and perform Man-in-the-Browser (MitB) attacks to capture one-time passwords (OTPs) and bypass multi-factor authentication (MFA). The kit is sold on Telegram forums for anywhere between €200 ($234) and €300 ($351).

The kit, according to Zscaler ThreatLabz researchers Gladis Brinda R and Ashwathi Sasi, has been used to impersonate over 11 brands, including Disney, Netflix, DHL, and UPS. It’s said to be in active development.

“BlackForce features several evasion techniques with a blocklist that filters out security vendors, web crawlers, and scanners,” the company said. “BlackForce remains under active development. Version 3 was widely used until early August, with versions 4 and 5 being released in subsequent months.”

Phishing pages connected to the kit have been found to use JavaScript files with what has been described as “cache busting” hashes in their names (e.g., “index-[hash].js”), thereby forcing the victim’s web browser to download the latest version of the malicious script instead of using a cached version.

In a typical attack using the kit, victims who click on a link are redirected to a malicious phishing page, after which a server-side check filters out crawlers and bots, before serving them a page that’s designed to mimic a legitimate website. Once the credentials are entered on the page, the details are captured and sent to a Telegram bot and a command-and-control (C2) panel in real-time using an HTTP client called Axios.

When the attacker attempts to log in with the stolen credentials on the legitimate website, an MFA prompt is triggered. At this stage, the MitB techniques are used to display a fake MFA authentication page to the victim’s browser through the C2 panel. Should the victim enter the MFA code on the bogus page, it’s collected and used by the threat actor to gain unauthorized access to their account.

“Once the attack is complete, the victim is redirected to the homepage of the legitimate website, hiding evidence of the compromise and ensuring the victim remains unaware of the attack,” Zscaler said.

GhostFrame Fuels 1M+ Stealth Phishing Attacks

Another nascent phishing kit that has gained traction since its discovery in September 2025 is GhostFrame. At the heart of the kit’s architecture is a simple HTML file that appears harmless while hiding its malicious behavior within an embedded iframe, which leads victims to a phishing login page to steal Microsoft 365 or Google account credentials.

“The iframe design also allows attackers to easily switch out the phishing content, try new tricks or target specific regions, all without changing the main web page that distributes the kit,” Barracuda security researcher Sreyas Shetty said. “Further, by simply updating where the iframe points, the kit can avoid being detected by security tools that only check the outer page.”

Attacks using the GhostFrame kit commence with typical phishing emails that claim to be about business contracts, invoices, and password reset requests, but are designed to take recipients to the fake page. The kit uses anti-analysis and anti-debugging to prevent attempts to inspect it using browser developer tools, and generates a random subdomain each time someone visits the site.

The visible outer pages come with a loader script that’s responsible for setting up the iframe and responding to any messages from the HTML element. This can include changing the parent page’s title to impersonate trusted services, modifying the site favicon, or redirecting the top-level browser window to another domain.

In the final stage, the victim is sent to a secondary page containing the actual phishing components through the iframe delivered via the constantly changing subdomain, thereby making it harder to block the threat. The kit also incorporates a fallback mechanism in the form of a backup iframe appended at the bottom of the page in the event the loader JavaScript fails or is blocked.

InboxPrime AI Phishing Kit Automates Email Attacks

If BlackForce follows the same playbook as other traditional phishing kits, InboxPrime AI goes a step further by leveraging artificial intelligence (AI) to automate mass mailing campaigns. It’s advertised on a 1,300-member-strong Telegram channel under a malware-as-a-service (MaaS) subscription model for $1,000, granting purchasers a perpetual license and full access to the source code.

“It is designed to mimic real human emailing behavior and even leverages Gmail’s web interface to evade traditional filtering mechanisms,” Abnormal researchers Callie Baron and Piotr Wojtyla said.

“InboxPrime AI blends artificial intelligence with operational evasion techniques and promises cybercriminals near-perfect deliverability, automated campaign generation, and a polished, professional interface that mirrors legitimate email marketing software.”

The platform employs a user-friendly interface that allows customers to manage accounts, proxies, templates, and campaigns, mirroring commercial email automation tools. One of its core features is a built-in AI-powered email generator, which can produce entire phishing emails, including the subject lines, in a manner that mimics legitimate business communication.

In doing so, these services further lower the barrier to entry for cybercrime, effectively eliminating the manual work that goes into drafting such emails. In its place, attackers can configure parameters, such as language, topic, or industry, email length, and desired tone, which the toolkit uses as inputs to generate convincing lures that match the chosen theme.

What’s more, the dashboard enables users to save the produced email as a reusable template, complete with support for spintax to create variations of the email messages by substituting certain template variables. This ensures that no two phishing emails look identical and helps them bypass signature-based filters that look for similar content patterns.

Some of the other supported features in InboxPrime AI are listed below –

• A real-time spam diagnostic module that can analyze a generated email for common spam-filter triggers and suggest precise corrections
• Sender identity randomization and spoofing, enabling attackers to customize display names for each Gmail session

“This industrialization of phishing has direct implications for defenders: more attackers can now launch more campaigns with more volume, without any corresponding increase in defender bandwidth or resources,” Abnormal said. “This not only accelerates campaign launch time but also ensures consistent message quality, enables scalable, thematic targeting across industries, and empowers attackers to run professional-looking phishing operations without copywriting expertise.”

Spiderman Creates Pixel-Perfect Replicas of European Banks

The third phishing kit that has come under the cybersecurity radar is Spiderman, which permits attackers to target customers of dozens of European banks and online financial services providers, such as Blau, CaixaBank, Comdirect, Commerzbank, Deutsche Bank, ING, O2, Volksbank, Klarna, and PayPal.

“Spiderman is a full-stack phishing framework that replicates dozens of European banking login pages, and even some government portals,” Varonis researcher Daniel Kelley said. “Its organized interface provides cybercriminals with an all-in-one platform to launch phishing campaigns, capture credentials, and manage stolen session data in real-time.”

What’s notable about the modular kit is that its seller is marketing the solution in a Signal messenger group that has about 750 members, marking a departure from Telegram. Germany, Austria, Switzerland, and Belgium are the primary targets of the phishing service.

Like in the case of BlackForce, Spiderman utilizes various techniques like ISP allowlisting, geofencing, and device filtering to ascertain that only the intended targets can access the phishing pages. The toolkit is also equipped to capture cryptocurrency wallet seed phrases, intercept OTP and PhotoTAN codes, and trigger prompts to gather credit card data.

“This flexible, multi-step approach is particularly effective in European banking fraud, where login credentials alone often aren’t enough to authorize transactions,” Kelley explained. “After capturing credentials, Spiderman logs each session with a unique identifier so the attacker can maintain continuity through the entire phishing workflow.”

Hybrid Salty-Tycoon 2FA Attacks Spotted

BlackForce, GhostFrame, InboxPrime AI, and Spiderman are the latest additions to a long list of phishing kits like Tycoon 2FA, Salty 2FA, Sneaky 2FA, Whisper 2FA, Cephas, and Astaroth (not to be confused with a Windows banking trojan of the same name) that have emerged over the past year.

In a report published earlier this month, ANY.RUN said it observed a new Salty-Tycoon hybrid that’s already bypassing detection rules tuned to either of them. The new attack wave coincides with a sharp drop in Salty 2FA activity in late October 2025, with early stages matching Salty2FA, while later stages load code that reproduces Tycoon 2FA’s execution chain.

“This overlap marks a meaningful shift; one that weakens kit-specific rules, complicates attribution, and gives threat actors more room to slip past early detection,” the company said.

“Taken together, this provides clear evidence that a single phishing campaign, and, more interestingly, a single sample, contains traces of both Salty 2FA and Tycoon, with Tycoon serving as a fallback payload once the Salty infrastructure stopped working for reasons that are still unclear.”

Cybersecurity researchers are calling attention to a new campaign that’s leveraging GitHub-hosted Python repositories to distribute a previously undocumented JavaScript-based Remote Access Trojan (RAT) dubbed PyStoreRAT.

“These repositories, often themed as development utilities or OSINT tools, contain only a few lines of code responsible for silently downloading a remote HTA file and executing it via ‘mshta.exe,’” Morphisec researcher Yonatan Edri said in a report shared with The Hacker News.

PyStoreRAT has been described as a “modular, multi-stage” implant that can execute EXE, DLL, PowerShell, MSI, Python, JavaScript, and HTA modules. The malware also deploys an information stealer known as Rhadamanthys as a follow-on payload.

Attack chains involve distributing the malware through Python or JavaScript loader stubs embedded in GitHub repositories masquerading as OSINT tools, DeFi bots, GPT wrappers, and security-themed utilities that are designed to appeal to analysts and developers.

The earliest signs of the campaign go back to mid-June 2025, with a steady stream of “repositories” published since then. The tools are promoted via social media platforms like YouTube and X, as well as artificially inflate the repositories’ star and fork metrics – a technique reminiscent of the Stargazers Ghost Network.

The threat actors behind the campaign leverage either newly created GitHub accounts or those that lay dormant for months to publish the repositories, stealthily slipping the malicious payload in the form of “maintenance” commits in October and November after the tools began to gain popularity and landed on GitHub’s top trending lists.

In fact, many of the tools did not function as they were advertised, only displaying static menus or non-interactive interfaces in some cases, while others performed minimal placeholder operations. The intention behind the operation was to lend them a veneer of legitimacy by abusing GitHub’s inherent trust and deceiving users into executing the loader stub that’s responsible for initiating the infection chain.

Persistence is achieved by setting up a scheduled task that’s disguised as an NVIDIA app self-update. In the final stage, the malware contacts an external server to fetch commands to be executed on the host. Some of the supported commands are listed below –

• Download and execute EXE payloads, including Rhadamanthys
• Download and extract ZIP archives
• Downloads a malicious DLL and executes it using “rundll32.exe”
• Fetch raw JavaScript code and execute it dynamically in memory using eval()
• Download and install MSI packages
• Spawn a secondary “mshta.exe” process to load additional remote HTA payloads
• Execute PowerShell commands directly in memory
• Spread via removable drives by replacing legitimate documents with malicious Windows Shortcut (LNK) files
• Delete the scheduled task to remove the forensic trail

It’s currently not known who is behind the operation, but the presence of Russian-language artifacts and coding patterns alludes to a threat actor of likely Eastern European origin, Morphisec said.

“PyStoreRAT represents a shift toward modular, script-based implants that can adapt to security controls and deliver multiple payload formats,” Edri concluded. “Its use of HTA/JS for execution, Python loaders for delivery, and Falcon-aware evasion logic creates a stealthy first-stage foothold that traditional EDR solutions detect only late in the infection chain.”

The disclosure comes as Chinese security vendor QiAnXin detailed another new remote access trojan (RAT) codenamed SetcodeRat that’s likely being propagated across the country since October 2025 via malvertising lures. Hundreds of computers, including those belonging to governments and enterprises, are said to have been infected in a span of one month.

“The malicious installation package will first verify the region of the victim,” the QiAnXin Threat Intelligence Center said. “If it is not in the Chinese-speaking area, it will automatically exit.”

The malware is disguised as legitimate installers for popular programs like Google Chrome and proceeds to the next stage only if the system language corresponds to Mainland China (Zh-CN), Hong Kong (Zh-HK), Macao (Zh-MO), and Taiwan (Zh-TW). It also terminates the execution if a connection to a Bilibili URL (“api.bilibili[.]com/x/report/click/now”) is unsuccessful.

In the next stage, an executable named “pnm2png.exe” is launched to sideload “zlib1.dll,” which then decrypts the contents of a file called “qt.conf” and runs it. The decrypted payload is a DLL that embeds the RAT payload. SetcodeRat can either connect to Telegram or a conventional command-and-control (C2) server to retrieve instructions and carry out data theft.

It enables the malware to take screenshots, log keystrokes, read folders, set folders, start processes, run “cmd.exe,” set socket connections, collect system and network connection information, update itself to a new version.