Cybersecurity Threat Research ‘Weekly’ Recap: A critical unauthenticated deserialization RCE in React Server Components (React2Shell, CVE-2025-55182) is being weaponized for mass scanning and arbitrary code execution, prompting patches and WAF/runtime protections while defenders hunt for indicators (MINOCAT, SNOWLIGHT, HISONIC, XMRig). A broad surge of activity across loaders, backdoors, info stealers, phishing, ransomware, and APTs—featuring EtherRAT, GhostPenguin, NANOREMOTE, CastleRAT, ValleyRAT, GrayBravo, AshTag, AshenLepus, Group123, APT31, Salt Typhoon, GOLD_SALEM, Warlock, Makop, 01flip, Storm-0249, and others—underscores supply-chain abuse, credential theft, and geopolitical intrusions.
#React2Shell #CVE-2025-55182 #MINOCAT #SNOWLIGHT #HISONIC #XMRig #EtherRAT #GhostPenguin #NANOREMOTE #CastleRAT #ValleyRAT #GrayBravo #AshTag #AshenLepus #Group123 #APT31 #SaltTyphoon #GOLD_SALEM #Warlock #Makop #01flip #Storm_0249 #FrostBeacon #Shai_Hulud_2_0 #NexusRoute #RTO_Challan #DroidLock #PhantomStealer #AMOSStealer #Banshee #LummaStealer #JSCEAL #NoteGPT #MoneyMount #VSCodeExtensions
Critical RCE — React2Shell (CVE-2025-55182)
- Critical unauthenticated deserialization RCE in React Server Components rapidly weaponized for mass scanning and arbitrary code execution; patch and apply WAF/runtime protections — TrendMicro: React2Shell analysis
- Multiple threat actors deployed Linux loaders, miners and payloads (MINOCAT, SNOWLIGHT, HISONIC, XMRig); defenders urged to patch, audit deps and hunt for indicators — Google Cloud: React2Shell exploitation
- DPRK-linked implant EtherRAT observed using Ethereum-based C2 and multi-mechanism persistence after React2Shell exploitation — Sysdig: EtherRAT
- Linux backdoors/tunnels (e.g., PeerBlight, CowTunnel, ZinFoq) and cryptomining seen in mass exploit chains — Huntress: PeerBlight & related
- Runtime detection & Falco/WAF rules released as temporary mitigations while patches are applied — Sysdig: detecting React2Shell
Mobile & Android Threats
- Large-scale Android phishing/malware campaign impersonating Indian government services delivering obfuscated native-backed RATs, SMS/UPI interception and real-time fraud pipelines — CYFIRMA: NexusRoute
- WhatsApp-distributed fake RTO/e‑Challan APK dropper enabling banking and identity theft via two-stage loaders and a persistent custom VPN — CYFIRMA: RTO Challan fraud
- Android ransomware DroidLock spreads via phishing and abuses Accessibility and Device Admin privileges to take over devices, supporting overlays, VNC and screen capture — Zimperium: DroidLock
Infostealers & Cross‑Platform Data Theft
- JSCEAL infostealer refactored for crypto users with hardened C2 patterns, staged PDF gating and PowerShell loader; SASE platforms block C2 flows — Cato: JSCEAL deep dive
- ISO‑mounted executable campaign (ZIP→ISO→EXE) delivering Phantom Stealer to finance roles; exfil via Telegram, Discord webhooks and FTP — Seqrite: Operation MoneyMount‑ISO
- Attackers poisoned AI search results to push malicious ChatGPT/Grok snippets that trick macOS users into running a one‑liner to deploy AMOS Stealer (keychain/wallet theft, LaunchDaemon persistence) — Huntress: AMOS via AI poisoning
- macOS MaaS stealer Banshee phishes login to decrypt Keychain, harvests browser data and exfiltrates via XOR’d ZIP to hardcoded C2 — Deceptiq: macOS stealers (Banshee)
- LummaStealer distributed via Itch.io/Patreon fake game updates; reflective loading and heavy sandbox checks to drop stealer payloads — G Data: LummaStealer
Phishing, AITM & Credential Capture
- BlackForce phishing kit on the market steals credentials and performs Man‑in‑the‑Browser to capture OTPs/MFA tokens; uses evasion, sessionStorage persistence and Telegram exfiltration — Zscaler: BlackForce kit
- Adversary‑in‑the‑middle campaign hijacks Microsoft 365/Okta SSO flows by hooking fetch/XHR to steal session cookies and bypass non‑phishing‑resistant MFA — Datadog: AITM M365/Okta
- Phishers weaponize NoteGPT and OneDrive-branded lures to host malicious files that redirect to fake Microsoft login pages for credential capture — Cofense: NoteGPT phishing
- Mass phishing from compromised Italian public admin accounts uses PDFs redirecting victims to Figma to harvest logins and stage follow‑ups — CERT‑AGID: Figma PDF campaign
- ISO / staged‑attachment and LNK/HTA chains remain popular delivery vectors against finance and enterprise targets — Seqrite: phishing delivery trends
Backdoors, Loaders & Botnets
- NANOREMOTE Windows backdoor abuses Google Drive API for stealthy staging, uses WMLOADER loader and shares code/keys with FINALDRAFT — Elastic: NANOREMOTE
- AI‑assisted hunting uncovered GhostPenguin, a multi‑threaded Linux UDP backdoor with RC5 channel and DNS/UDP handshake — TrendMicro: GhostPenguin
- UDPGangster (MuddyWater) backdoor uses macro docs for initial access, UDP C2, anti‑analysis and registry persistence targeting Turkey/Israel/Azerbaijan — Fortinet: UDPGangster
- ValleyRAT modular Windows backdoor includes a kernel‑mode rootkit and APC/driver abuse to disable AV/EDR; builder leak increased in‑the‑wild activity — Check Point: ValleyRAT analysis
- CastleRAT C variant provides keystroke/screen capture, remote shell and RC4 C2; detection guidance and MITRE mappings available — Splunk: CastleRAT detection
- GrayBravo MaaS clusters (CastleLoader/CastleRAT) continue targeted campaigns via malvertising, fake updates and ClickFix phishing — Recorded Future: GrayBravo
Ransomware & Intrusion Tradecraft
- GOLD SALEM used SharePoint exploits (ToolShell zero‑day chain) and attacker-hosted Cloudflare Workers to stage tools and ultimately deploy Warlock/LockBit/Babuk — Sophos: GOLD SALEM / Warlock tradecraft
- Makop continues targeting exposed RDP; operators added GuLoader and AV uninstallers to improve success and privilege escalation — Acronis: Makop update
- New Rust ransomware 01flip targets Windows/Linux in APAC with manual activity, Sliver implants and alleged data leak posts — Unit42: 01flip
- Storm‑0249 evolved to precision post‑exploitation abusing trusted EDR processes (DLL sideloading of SentinelAgentWorker.exe) to hide C2 and reconnaissance — ReliaQuest: Storm‑0249
- Operation FrostBeacon: multi‑cluster Cobalt Strike delivery to Russian orgs using LNK/HTA and obfuscated PowerShell loaders — Seqrite: Operation FrostBeacon
Supply Chain & Developer Ecosystem Abuse
- Shai‑Hulud 2.0 compromised hundreds of npm packages via preinstall scripts that install Bun, create GitHub runners and harvest credentials; guidance: scan build artifacts and isolate CI/CD agents — Microsoft: Shai‑Hulud 2.0
- Malicious VS Code extensions (19 samples) bundled fake image archives containing trojans and weaponized modified npm deps to execute droppers on startup — ReversingLabs: malicious VS Code extensions
- DomainTools tracked ~5,000 suspected malware delivery domains (Chinese‑language cluster) and demonstrated an agentic AI analysis pipeline to rapidly triage thousands of sites — DomainTools: malware delivery domains
Forensics, Detection & Research Tooling
- FortiGuard found deleted malware artifacts retained in AutoLogger‑Diagtrack‑Listener.etl ETW files; useful but inconsistently populated across Windows builds — Fortinet: AutoLogger‑Diagtrack forensic evidence
- Reproducible Jupyter/Docker workflow for extracting QuasarRAT .NET config (AES‑256/PBKDF2 recovery) to automate static config extraction — Sekoia: QuasarRAT config extraction
- Check Point and others published deep reverse‑engineering of complex toolchains (e.g., ValleyRAT) including builder leaks and kernel rootkit details to support detection development — Check Point: ValleyRAT reverse engineering
Credential & Session Theft Techniques
- ROPC OAuth flow abused to bypass MFA by exchanging stolen creds for tokens; mitigations include disabling legacy grants and correlating token/grant logs — Varonis: ROPC‑enabled MFA bypass
- Three browser‑hijacking techniques documented (prefs tampering, remote control via simulated keypresses, Chromium CLI/registry abuse) with IoCs and detection tips — G Data: browser hijacking techniques
APTs & Geopolitical Threats
- Ashen Lepus (Hamas‑affiliated) delivered new modular .NET suite AshTag to Middle Eastern diplomatic/government targets using DLL sideloading, in‑memory execution and Rclone exfiltration — Unit42: Ashen Lepus / AshTag
- Group123 (North Korea) continues Windows‑focused espionage with loaders, DLL sideloading and cloud C2; some campaigns trending toward revenue generation (Maui ransomware) — CYFIRMA: Group123 profile
- APT31 (Judgment Panda) linked to long‑running targeted operations against the Russian IT sector using disguised malware, encrypted bidirectional C2 and clipboard keyloggers — PT Security: APT31
- Report traces telecom compromises by Salt Typhoon operators from Cisco Academy participation to large‑scale interceptions and Cisco CVE abuses — SentinelOne: Salt Typhoon
- Joint CISA/FBI/NSA advisory: pro‑Russia hacktivists scanning/exploiting exposed VNC to access OT/ICS systems (CARR, NoName057(16), Z‑Pentest); guidance on segmentation and reducing internet exposure — CISA: pro‑Russia hacktivist advisory
AI & Defensive Posture
- Study shows IT leaders underestimate AI‑driven malware risk; legacy tools miss AI‑generated threats and defenders should adopt preemptive ML/behavioral defenses — DeepInstinct: AI risk in IT