A recent cybersecurity incident involved hackers exploiting the critical React2Shell vulnerability (CVE-2025-55182) to gain access and deploy Weaxor ransomware rapidly. This attack highlights the urgency for system administrators to review security logs and patch vulnerabilities proactively. #React2Shell #WeaxorRansomware
Tag: EDR
Check Point Research attributes a sustained espionage campaign to the Chinese-aligned cluster Ink Dragon that exploits ASP.NET ViewState deserialization and ToolShell SharePoint vulnerabilities to gain initial access and then deploys ShadowPad IIS listener modules and FinalDraft implants to build a distributed relay and cloud-backed C2 fabric. The operator harvests credentials (LSASS dumps, IIS worker accounts), uses RDP/SMB lateral movement, DLL sideloading, debugger-based loaders, scheduled tasks/services for persistence, and turns victims into active C2 relay nodes. #InkDragon #ShadowPad
Parked and lookalike domains are increasingly weaponized via “direct search” parking and complex traffic distribution systems (TDS) to funnel real users to scams, scareware, spyware, and malware while presenting benign pages to scanners. The report details three distinct domain portfolio actors and examples of delivered threats, including infections by Tedy and typosquats targeting Scotiabank users. #Tedy #Scotiabank
An ongoing cyberattack targets AWS customers by exploiting compromised IAM credentials to deploy cryptocurrency mining operations, utilizing sophisticated persistence techniques. Amazon warns users to enhance their security measures to prevent further damage and unauthorized resource consumption. #IAMCredentials #CryptoMining…
Japanese e-commerce company Askul Corporation suffered a ransomware attack by RansomHouse, resulting in data theft and system failures that disrupted shipments. The attack involved compromised credentials and multiple ransomware variants, highlighting cybersecurity vulnerabilities in supply chain management. #RansomHouse #AskulCorporation
Sophos reviews its participation in the 2025 MITRE ATT&CK Enterprise Evaluations, which emulated two threat actor profiles—SCATTERED SPIDER (GOLD HARVEST) and MUSTANG PANDA (BRONZE PRESIDENT)—across realistic end-to-end attack chains spanning on-premises and cloud environments. The report highlights specific TTPs used in the emulations (AiTM phishing and session cookie replay, SSO and IAM abuse, DLL sideloading and process injection, VSCode tunnels, wstunnel, AirByte, S3/FTP exfiltration) and shows where Sophos XDR detected activity and where scenarios deviated from public reporting. #SCATTERED_SPIDER #MUSTANG_PANDA #AirByte #PlugX #wstunnel
In 2025, phishing attacks increasingly used omni-channel methods, bypassing traditional email filters by exploiting social media, search engines, and malvertising channels. Attackers also used advanced tools like Phishing-as-a-Service kits and sophisticated evasion techniques to evade detection and bypass security controls. #ScatteredLapsus$Hunters #Evilginx #PushSecurity
A new sophisticated malware campaign exploits GitHub using AI-crafted projects to lure victims, primarily targeting IT professionals and cybersecurity experts. The malware, PyStoreRAT, is highly evasive, adaptable, and capable of deploying additional harmful software, representing a significant evolution in cyber threats. #PyStoreRAT #GitHubThreat #AI-DrivenAttack #SupplyChainAttack…
CrowdStrike announced Falcon AI Detection and Response (AIDR), a unified extension of the Falcon platform that secures the AI interaction layer — prompts, agents, models, MCP servers, gateways, and cloud environments — across the full AI lifecycle. Falcon AIDR provides visibility into shadow AI, detects prompt injection, jailbreaks, and model manipulation,…
Cybersecurity Threat Research ‘Weekly’ Recap: A critical unauthenticated deserialization RCE in React Server Components (React2Shell, CVE-2025-55182) is being weaponized for mass scanning and arbitrary code execution, prompting patches and WAF/runtime protections while defenders hunt for indicators (MINOCAT, SNOWLIGHT, HISONIC, XMRig). A broad surge of activity across loaders, backdoors, info stealers, phishing, ransomware, and APTs—featuring EtherRAT, GhostPenguin, NANOREMOTE, CastleRAT, ValleyRAT, GrayBravo, AshTag, AshenLepus, Group123, APT31, Salt Typhoon, GOLD_SALEM, Warlock, Makop, 01flip, Storm-0249, and others—underscores supply-chain abuse, credential theft, and geopolitical intrusions.
#React2Shell #CVE-2025-55182 #MINOCAT #SNOWLIGHT #HISONIC #XMRig #EtherRAT #GhostPenguin #NANOREMOTE #CastleRAT #ValleyRAT #GrayBravo #AshTag #AshenLepus #Group123 #APT31 #SaltTyphoon #GOLD_SALEM #Warlock #Makop #01flip #Storm_0249 #FrostBeacon #Shai_Hulud_2_0 #NexusRoute #RTO_Challan #DroidLock #PhantomStealer #AMOSStealer #Banshee #LummaStealer #JSCEAL #NoteGPT #MoneyMount #VSCodeExtensions
Gentlemen is a Go-based ransomware group identified in August 2025 that uses double extortion, rapid internal propagation, GPO manipulation, BYOVD, and targeted evasion techniques to attack medium-to-large organizations across multiple industries and regions. The ransomware encrypts files using X25519 and XChaCha20 with per-file ephemeral keys, requires a correct execution password, and…
Cybersecurity researchers have uncovered a new campaign utilizing GitHub repositories to distribute PyStoreRAT, a modular JavaScript-based Remote Access Trojan. The campaign employs legitimate-looking development tools to stealthily deliver malware capable of system profiling, data theft, and remote command execution. #PyStoreRAT #SetcodeRat…
JSCEAL, an information stealer targeting cryptocurrency application users, evolved in August 2025 to adopt a hardened C2 architecture with single-word domains, standardized .faro and .api subdomains, strict User-Agent filtering and staged PDF gating to increase stealth. Cato observed the active campaign, noted a refactored PowerShell loader and modified build.zip stages, and reports that the Cato SASE Cloud Platform blocks JSCEAL C2 communication and prevents payload execution. #JSCEAL #CatoSASE
React2Shell (CVE-2025-55182) is a critical deserialization vulnerability in React Server Components that allows unauthenticated remote code execution via a single malicious HTTP request, impacting React versions 19.0.0–19.2.0 and frameworks that use the same Flight deserialization logic; widespread exploitation has led to rapid deployment of Linux loaders, multi-layer persistence, and observed deployments of malware such as EtherRAT. #React2Shell #EtherRAT
Daily Recap: authorities pursue a broad set of cybercrime actions—from Myanmar digital arrest-fraud charges and Accenture fraud to FedRAMP-related contractor concerns and indictments targeting Russian-linked hacktivists. The recap also flags data breaches and privacy risks at Pierce County Library, LastPass fines, Petco Vetco exposure, doorbell and camera privacy debates, and widespread vulnerabilities and malware activity including NANOREMOTE, BRICKSTORM, Mirai, CastleLoader, Spiderman Phishing, DroidLock, and large Docker Hub credential leaks.
#NANOREMOTE #BRICKSTORM #WarpPanda #LastPass #PierceLibrary #Petco #Vetco #DroidLock #CastleLoader #SpidermanPhishing #DockerHub #Mirai