Daily Recap: Mustang Panda and allied state‑backed actors used a signed kernel‑mode rootkit to load and hide the ToneShell backdoor while DNS‑poisoning campaigns installed the MgBot backdoor. The roundup highlights MongoBleed exploitation affecting the US and Australia, major breaches at Coupang, Sax, and a Korean Air supplier, regulatory fines on NEXPUBLICA, Marquis Software and Gentlemen ransomware incidents, ValleyRAT phishing infrastructure, KMSAuto campaigns, the Trust Wallet theft, and AI/security developments such as Copilot GPT‑5.2 in SOC workflows. #MustangPanda #ToneShell #MgBot #MongoBleed #Coupang #Sax #KoreanAir #CNIL #NEXPUBLICA #MarquisSoftware #GentlemenRansomware #ValleyRAT #KMSAuto #TrustWallet
Chinese APTs
- Researchers say Mustang Panda and related state-backed actors used a signed kernel-mode rootkit to load and hide the ToneShell backdoor while DNS-poisoning campaigns installed the MgBot backdoor – Mustang Rootkit, ToneShell Driver, ToneShell Hide, MgBot Campaign
Vulnerabilities & Exploits
- The critical “MongoBleed” flaw is confirmed exploited in the wild with alerts from the US and Australia – MongoBleed Alert, MongoBleed Exploited
- Fortinet warns of new attacks leveraging an old, known vulnerability to evade defenses and compromise devices – Fortinet Warning
Data Breaches & Settlements
- E‑commerce giant Coupang will distribute about $1.17 billion in compensation among roughly 33.7 million breach victims, as investigators recovered a smashed laptop the alleged leaker reportedly threw into a river – Coupang Payout, Coupang Vouchers, Laptop River, Laptop Recovered
- Top US accounting firm Sax disclosed a 2024 breach affecting about 220,000 individuals – Sax Breach
- Korean Air says customer data was compromised following an intrusion into its catering and duty‑free supplier and an Oracle EBS hack – Korean Air EBS, Korean Air Supplier
Regulatory Fines
- France’s data protection authority CNIL fined NEXPUBLICA €1.7 million for GDPR security failings and another French software firm was fined roughly $2 million for cyber weaknesses leading to a breach – NEXPUBLICA Fine, French Software Fine
Ransomware & Incidents
- Two more banks are notifying thousands of customers after a wave of incidents linked to the Marquis Software ransomware family – Marquis Ransomware
- A Romanian energy provider reported an operational-impacting attack using the Gentlemen ransomware – Gentlemen Attack
Malware & Phishing Infrastructure
- Threat actors are targeting India with tax-themed emails delivering the ValleyRAT remote access trojan in a campaign dubbed Silver Fox – ValleyRAT Campaign
- Police arrested a suspect behind the KMSAuto malware campaign that reportedly accumulated about 2.8 million downloads – KMSAuto Arrest
- Researchers found 27 malicious npm packages repurposed as phishing infrastructure to steal credentials from developers and CI systems – Malicious npm
- The industrialized “ClickFix” fraud operation (ErrTraffic) is being run at scale to monetise browser‑based fraud and credential theft – ClickFix Industrial
- Crypto wallet provider Trust Wallet reported a theft that drained 2,596 wallets and about $7 million in crypto funds – Trust Wallet Heist
AI & Security
- Microsoft is rolling out Copilot’s new GPT‑5.2 “Smart Plus” mode, expanding generative assistance across products – Copilot Rollout
- Guidance and research highlight how to integrate AI into modern SOC workflows and detail real‑world attacks behind the OWASP Agentic AI Top 10 to help defenders adapt – SOC AI Guide, Agentic AI Attacks