LATEST THREAT INTELLIGENCE.

China-nexus cyber threat groups rapidly exploit React2Shell vulnerability (CVE-2025-55182)

Description: Within hours of the public disclosure of CVE-2025-55182 (React2Shell) on December 3, 2025, Amazon threat intelligence teams observed active exploitation attempts by multiple China state-nexus threat groups, including Earth Lamia and Jackpot Panda. This critical vulnerability in React Server Components has a maximum Common Vulnerability Scoring System (CVSS) score of 10.0 and affects React versions 19.x and Next.js versions 15.x and 16.x when using App Router.

Created at: 2025-12-05T17:57:24.639000

Updated at: 2026-01-04T17:02:50.863000

Malicious VSCode Extension Launches Multi-Stage Attack Chain with Anivia Loader and OctoRAT

Description: A malicious Visual Studio Code extension named 'prettier-vscode-plus' was discovered on the official VSCode Marketplace, impersonating the legitimate Prettier formatter. This extension served as the entry point for a multi-stage malware chain, starting with the Anivia loader, which decrypted and executed further payloads in memory. The final stage, OctoRAT, is a comprehensive remote access toolkit providing over 70 commands for surveillance, file theft, remote desktop control, persistence, privilege escalation, and harassment. The attack chain employs sophisticated techniques like AES encryption, process hollowing, and UAC bypass. The threat actor's GitHub repository showed active payload rotation to evade detection. This supply-chain attack highlights the evolving threats targeting developers and the abuse of trusted tools in their ecosystem.

Created at: 2025-12-04T10:32:22.599000

Updated at: 2026-01-03T10:02:01.274000

Global Corporate Web

Description: This analysis explores the corporate structure and operations of Intellexa, a mercenary spyware vendor. It reveals new companies likely tied to Intellexa's network, particularly within a Czech cluster, and examines their roles in product shipment and potential infection vectors. The report traces Intellexa's activities across multiple countries, including new evidence of Predator spyware deployment in Iraq. It highlights the challenges in tracking such operations due to complex corporate structures and evolving techniques. The analysis also discusses broader trends in the spyware ecosystem, including geopolitical fragmentation, persistent facilitators, and expanding targeting beyond traditional victims to include corporate leaders.

Created at: 2025-12-04T08:11:30.961000

Updated at: 2026-01-03T08:02:06.051000

VVS Discord Stealer Using Pyarmor for Obfuscation and Detection Evasion

Description: VVS stealer is a Python-based malware targeting Discord users to exfiltrate sensitive information like credentials and tokens. It employs Pyarmor for obfuscation and detection evasion. The stealer's capabilities include stealing Discord data, intercepting active sessions, extracting browser data, and achieving persistence. Its code is heavily obfuscated using Pyarmor's BCC mode and AES-128-CTR encryption. The analysis reveals the stealer's ability to decrypt encrypted Discord tokens, query Discord APIs for user information, inject malicious JavaScript into the Discord application, and extract data from various web browsers. The malware also implements startup persistence and displays a fake error message to deceive victims.

Created at: 2026-01-02T13:40:42.632000

Updated at: 2026-01-02T16:15:47.853000

Operation DupeHike: Targeting Russian employees with DUPERUNNER and AdaptixC2

Description: A campaign targeting Russian corporate entities, particularly HR, payroll, and administrative departments, has been uncovered. The attack uses realistic decoy documents themed around employee bonuses and financial policies. The malware ecosystem involves a malicious LNK file leading to an implant dubbed DUPERUNNER, which then loads the AdaptixC2 Beacon to connect to the threat actor's infrastructure. The infection chain begins with a spear-phishing ZIP archive containing PDF-themed LNK files. The DUPERUNNER implant, programmed in C++, performs various functions including downloading and opening decoy PDFs, process enumeration, and shellcode injection. The final stage involves the AdaptixC2 Beacon, which communicates with the command-and-control server. The campaign, tracked as UNG0902, uses multiple malicious infrastructures and is believed to be targeting employees of various organizations.

Created at: 2025-12-03T14:29:45.022000

Updated at: 2026-01-02T14:02:11.156000

DeedRAT: Unpacking a Modern Backdoor's Playbook

Description: DeedRAT is a sophisticated backdoor associated with the Chinese APT group Salt Typhoon, targeting critical sectors globally. It infiltrates systems through phishing campaigns, utilizing DLL sideloading to evade detection. The malware establishes persistence via registry run keys and service creation, ensuring long-term access. DeedRAT's capabilities include file manipulation, system reconnaissance, and payload execution. The infection chain involves three files: a legitimate executable, a malicious DLL, and an encrypted file. Once installed, it attempts to connect to its command-and-control server. Defensive measures include monitoring email traffic, registry changes, and anomalous service creations.

Created at: 2025-12-31T22:59:16.941000

Updated at: 2026-01-02T10:57:57.003000

Rogue ScreenConnect: Common Social Engineering Tactics Seen in 2025

Description: In 2025, there was a significant increase in rogue ScreenConnect installations, part of a broader trend of threat actors abusing remote monitoring and management tools (RMMs). These tools were used to gain access, blend in, move laterally, and maintain persistence in target systems. Attackers employed various social engineering tactics to trick employees into downloading malicious RMMs. Common lures included fake Social Security statements, invitations, and financial documents. The Huntress Security Operations Center identified recurring patterns in lures, domains, and file hashes associated with these attacks. Some campaigns showed signs of targeting specific industries, such as accounting firms. The article provides detailed examples of attack patterns, top malicious domains, and file hashes observed throughout the year.

Created at: 2025-12-31T18:03:07.902000

Updated at: 2026-01-02T10:47:02.268000

ValleyRAT Campaign Targets Job Seekers, Abuses Foxit PDF Reader for DLL Side-loading

Description: A ValleyRAT campaign is targeting job seekers through email, disguising itself as a Foxit PDF reader and using DLL side-loading for initial system access. The campaign exploits job seekers' eagerness by using recruitment-related lures in archive files. The attack employs sophisticated techniques, including obfuscation through nested directories and execution via DLL sideloading. Once activated, ValleyRAT can lead to system control, activity monitoring, and data theft. The campaign's success is evident from a spike in ValleyRAT detections. It demonstrates the integration of social engineering, legitimate software abuse, and advanced malware techniques to exploit vulnerabilities in both systems and human psychology.

Created at: 2025-12-03T09:29:56.695000

Updated at: 2026-01-02T09:00:48.810000

Snakes by the riverbank

Description: ESET researchers have identified new MuddyWater activity targeting organizations in Israel and Egypt. The Iran-aligned cyberespionage group deployed custom tools to improve defense evasion and persistence, including a Fooder loader to execute the MuddyViper backdoor. The campaign demonstrates a more focused and refined approach, with the group adopting advanced techniques like CNG cryptography and reflective loading. MuddyWater's toolset includes browser data stealers, credential stealers, and reverse tunneling tools. The group primarily targeted critical infrastructure sectors through spearphishing emails containing links to remote monitoring and management software. This campaign indicates an evolution in MuddyWater's operational maturity, showcasing enhanced stealth and credential harvesting capabilities.

Created at: 2025-12-02T14:44:59.788000

Updated at: 2026-01-01T14:00:27.562000

DNS Uncovers Infrastructure Used in SSO Attacks

Description: The threat actor leveraged Evilginx (likely version 3.0), an open-source, advanced adversary-in-the-middle (AITM, aka MITM) phishing framework designed to steal login credentials and session cookies. Evilginx is widely used by cybercriminals to undermine multi-factor authentication (MFA) security, and this actor has used it to target at least 18 universities and educational institutions across the United States since April 2025. The campaigns were delivered through email, and the phishing domains used subdomains that mimicked the legitimate SSO sites.

Created at: 2025-12-03T17:58:34.643000

Updated at: 2026-01-01T07:03:18.851000