Spyware alerts, Mirai Strikes, Docker leaks, ValleyRAT rootkits — 20 more stories

A new Mirai botnet variant called Broadside is targeting the maritime logistics sector by exploiting the TBK DVR severity vulnerability (CVE-2024-3721). “Unlike previous Mirai variants, Broadside employs a custom C2 protocol, a unique ‘magic header’ signature, and an advanced ‘judge, jury and executioner’ module to ensure exclusivity,” Cydome said. “Technically, it diverges from standard Mirai by leveraging Netlink kernel sockets for stealthy, event-driven process monitoring (replacing noisy filesystem polling) and employing payload polymorphism to evade static defenses.” Specifically, it attempts to maintain exclusive control over the host by terminating processes that match certain path patterns, fail internal checks, or are already classified as hostile. Broadsides extend beyond denial-of-service attacks as they attempt to collect system credentials files (/etc/passwd and /etc/shadow) with the goal of establishing a strategic foothold on a compromised device. Mirai is a feared botnet that has spawned several variants since its source code was leaked in 2016.

The UK’s National Cyber ​​Security Center said prompt injections – a flaw in Generative Artificial Intelligence (GenAI) applications that allow them to parse malicious instructions and generate content that would otherwise be impossible – “will never be properly mitigated” and said it was important to raise awareness of the class of vulnerabilities and to design systems that “limit the behavior of systems rather than simply preventing malicious content from reaching the LLM”.

Europol’s Operational Task Force (OTF) Grimm has arrested 193 people and disrupted a criminal network that has been driving the growth of violence-as-a-service (VaaS). This task force was launched in April 2025 to combat this threat. This threat includes inviting inexperienced youth to participate in acts of violence. “These people are induced or coerced to commit a range of violent crimes, ranging from acts of intimidation and torture to murder,” Europol said. Many of the criminals involved in the scheme are said to be members of The Com, a loose organization comprised primarily of English speakers involved in cyber attacks, SIM swaps, extortion and physical violence.

After stopping and inspecting a vehicle, Polish law enforcement arrested three Ukrainian nationals on suspicion of attempting to damage the country’s IT systems using specialized hacking equipment. They are charged with fraud, computer fraud and obtaining computer equipment or software suitable for criminal activity, including damaging computer data of particular importance to national defense. “Officers conducted a thorough search of the vehicle. They found suspicious items that could be used to disrupt the country’s strategic IT systems and even infiltrate IT and communication networks,” authorities said. “During the investigation, officers seized spy device detectors, advanced flipper hacking equipment, antennas, laptops, numerous SIM cards, routers, portable hard drives and cameras.” Officials said the three men, aged between 39 and 43, were computer scientists who were “visibly nervous” but did not give a reason as to why they were carrying such tools in the first place and pretended not to understand what was being said.

Spanish National Police have arrested a 19-year-old hacker from Barcelona on suspicion of stealing and attempting to sell 64 million records obtained from the breach of nine companies. The defendants allegedly used six online accounts and five false names to advertise and sell the stolen databases. The teenager has been charged with offenses related to engaging in cybercrime, unauthorized access, disclosure of personal data and invasion of privacy. “Cybercriminals gained access to nine different companies, where they obtained millions of private personal records, which they then sold online,” authorities claimed. In this context, Ukrainian police authorities announced the arrest of a 22-year-old cybercriminal who automatically hacked user accounts on social networks and other platforms using custom malware of his own creation. The compromised accounts were then sold on hacker forums. Most of the victims were based in the United States and various European countries. The Bukovin resident is also suspected of managing a bot farm with more than 5,000 profiles on various social networks to carry out various shadow schemes and transactions.

Russian police say they have busted a criminal organization that stole millions of dollars from bank customers in the country using malware built on NFCGate, a legitimate open source tool that is increasingly being exploited by cybercriminals around the world. To that end, three suspects were arrested for distributing NFC-enabled malware through WhatsApp and Telegram disguised as software from legitimate banks. Victims were first approached by phone and persuaded to install a fraudulent banking app. A fake “authentication” process prompted them to hold their bank card against the back of their smartphone and enter a PIN. This allowed the attackers to collect card credentials and withdraw funds from ATMs located anywhere in the country without the involvement of the cardholder. Preliminary losses exceed 200 million rubles (approximately $2.6 million).

According to Bitdefender, a recently revealed security flaw in React (React2Shell, also known as CVE-2025-55182) has been widely exploited, including targeting smart home devices. These include smart plugs, smartphones, NAS devices, surveillance systems, routers, development boards, and smart TVs. These attacks are known to deliver Mirai and RondoDox botnet payloads. Significant exploration activity was detected in Poland, the United States, the Netherlands, Ireland, France, Hong Kong, Singapore, China, and Panama. This shows “widespread global participation in opportunistic exploitation,” the company said. Threat intelligence firm GreyNoise announced that as of December 8, 2025, it had observed 362 unique IP addresses from approximately 80 countries being attempted to be exploited. “The observed payloads fall into different groups, including miners, dual-platform botnets, OPSEC-masked VPN actors, and reconnaissance-only clusters,” it added.

Cybersecurity researchers have discovered a previously undocumented Linux backdoor called GhostPenguin. A multi-threaded backdoor written in C++ that can collect system information such as IP address, gateway, OS version, hostname, and username and send it to a command and control (C&C) server during the registration phase. “It then receives and executes commands from the C&C server. The supported commands allow the malware to provide a remote shell via ‘/bin/sh’ to perform various file and directory operations, including creating, deleting, renaming, reading and writing files, changing file timestamps, and searching for files by extension,” Trend Micro said. “All C&C communication occurs over UDP port 53.” The discovery was made as Elastic detailed a new system call hooking technology called FlipSwitch, devised in response to fundamental changes introduced in Linux kernel 6.9 to allow malware to hide its presence on infected hosts. “While traditional rootkit technology relied on direct system call table manipulation, modern kernels have moved to a switch statement-based dispatch mechanism,” said security researcher Remko Spruten. “Instead of modifying the syscall table, we find and patch specific call instructions within the kernel’s dispatch function. This approach allows for precise and reliable hooking, and all changes are fully undone when the module is unloaded.”

Evan Tangeman, a 22-year-old California resident, is accused of buying homes and laundering $3.5 million for a criminal organization that stole cryptocurrencies through a social engineering scheme and has pleaded guilty to RICO conspiracy. “The business began no later than October 2023 and lasted until at least May 2025. It evolved from friendships fostered on online gaming platforms and consisted of individuals based in California, Connecticut, New York, Florida, and overseas,” the Department of Justice (DoJ) said. “Tangeman was a money launderer in a group that also included database hackers, organizers, target identifiers, callers, and home robbers targeting hardware cryptocurrency wallets.” Members of the group were previously charged in Washington, D.C., with stealing more than $263 million worth of cryptocurrency from victims.

Reuters reports that Apple and Google have sent new spyware notifications to users in about 80 countries. At this time, details about what type of spyware the victim was targeted with are unknown. Neither company provided information about how many users were targeted or who they believed was behind the surveillance efforts.

The European Commission has given its stamp of approval to meta-proposals that would give Instagram and Facebook users the option to share less personal data and see fewer personalized ads. This new option will take effect in January 2026. “Meta provides users with an effective choice between agreeing to share all their data and displaying fully personalized advertising, or choosing to share less personal data in order to experience more limited and personalized advertising,” the commission said. The move comes after the social media giant was fined 200 million euros ($227 million at the time) in April 2025 for violating the EU’s Digital Markets Act (DMA) over giving EU users a choice between paying to access an ad-free version of the platform or consenting to being tracked in exchange for targeted advertising. In a post last week, the Austrian non-profit organization None of Your Business (noyb) published a study that found that “when presented with the options of ‘Pay,’ ‘Consent,’ and ‘Ads, but no tracking,’ (…) 7 out of 10 people choose the ‘Ads, but no tracking’ option.”

New Zealand’s National Cyber ​​Security Center (NCSC) has announced that it will notify approximately 26,000 users infected with Lumma Stealer in its first major public intervention. “This malicious software is designed to steal sensitive information from devices, such as email addresses and passwords, typically for purposes of fraud or identity theft,” the report said. “The use of Lumma Stealer and other similar malware by cybercriminals is an ongoing international issue.”

Notepad++ has released version 8.8.9, which fixes critical flaws in its open-source text and source code editor for Windows. According to security researcher Kevin Beaumont, this bug was exploited by Chinese attackers to hijack traffic from WinGUp (Notepad++ updater), redirect it to malicious servers, and trick people into downloading malware. The release notes for version 8.8.9 state: “Verify the certificate and signature of the downloaded update installer.” “After reviewing the report, we identified weaknesses in the way the updater verifies the integrity and authenticity of downloaded update files,” Notepad++ maintainers said in a statement. “If an attacker is able to intercept network traffic between the Updater client and the Notepad++ update infrastructure, the attacker could exploit this vulnerability to prompt the Updater to download and run an unwanted binary (instead of the legitimate Notepad++ update binary).”

A new report from Kaspersky that examined more than 800 blocked Telegram channels that existed between 2021 and 2024 found that “the median lifespan of shadow Telegram channels increased from 5 months in 2021-2022 to 9 months in 2023-2024.” Messaging apps also appear to have increased blocking of cybercrime-specific channels since October 2024, prompting attackers to move to other channels on the platform.

Britain has imposed new sanctions on several Russian and Chinese entities accused of weakening Western countries through cyberattacks and influence operations. The action targets two Chinese companies, I-Soon and Integrity Technology Group (also known as Flax Typhoon), as well as the Telegram channel Ryber and its co-owner Mikhail Zvinchuk, an organization called Pravfond, which is believed to be a front for the GRU, and the Center for Geopolitical Expertise, a Moscow-based think tank founded by Aleksandr Dugin. “I-Soon and Integrity Tech are examples of the threat posed by China’s cyber industry, which includes information security companies, data brokers (who collect and sell personal data) and ‘hackers for hire,'” the UK government said. “Some of these companies also provide cyber services to Chinese intelligence agencies.”

New analysis from Sonatype reveals that approximately 13% of all Log4j downloads in 2025 are susceptible to Log4Shell. “In 2025 alone, Log4j totaled nearly 300 million downloads,” the supply chain security firm said. “Of these, approximately 13% (approximately 40 million downloads) were still vulnerable versions. All of these vulnerable downloads represent risks that could have been avoided, given that secure alternatives have been available for nearly four years.” China, the United States, India, Japan, Brazil, Germany, United Kingdom, Canada, South Korea, and France accounted for the majority of vulnerable downloads.

The Indian government is reportedly considering a proposal from the telecom industry that would force smartphone companies to enable satellite tracking, which is always enabled to increase surveillance, without giving users the option to disable it. The news agency added that the aim is to obtain precise location information in the event a legal request is made to the carrier during an investigation. The move is opposed by Apple, Google and Samsung. Amnesty International called the plan “deeply worrying”.

A “centralized spike” of over 7,000 IP addresses attempting to log into Palo Alto Networks’ GlobalProtect portal has been observed. This activity originates from infrastructure operated by 3xK GmbH and was observed on December 2, 2025. According to GreyNoise, the December wave shares three identical client fingerprints with previous waves observed from late September to mid-October. The threat intelligence firm announced that it also recorded a spike in scans against SonicWall SonicOS API endpoints the following day. Both waves of attacks are believed to be the work of the same attacker.

Artificial intelligence (AI) company OpenAI said AI models need to become more resilient as their cyber capabilities advance rapidly, creating dual-use risks. To this end, the company said it is investing in safeguards to ensure that these features primarily serve defensive purposes and limit their use for malicious purposes. This includes (1) training models to deny or safely respond to harmful requests, (2) maintaining system-wide monitoring across products to detect malicious cyber activity using frontier models, and (3) end-to-end red teaming. “As these capabilities advance, OpenAI is strengthening its model for defensive cybersecurity tasks and investing in creating tools that make it easier for defenders to perform workflows like auditing code and patching vulnerabilities,” the company said. “Our goal is for our models and products to provide significant advantages to defenders who are often outnumbered and under-resourced.”

Android users in Spain are being targeted by a new malware called DroidLock that propagates through dropper apps hosted on phishing websites. “It has the ability to lock a device’s screen with a ransomware-like overlay and illegally obtain App Lock credentials, leading to complete takeover of a compromised device,” Zimperium said. “The malware uses a deceptive system update screen to trick the victim, allowing it to stream and remotely control the device via VNC. The malware also abuses the device’s administrator privileges to lock or erase data, capture an image of the victim with the front camera, and silence the device.” A total of 15 different commands are supported. The malware does not actually have the ability to encrypt files, but instead displays a scary overlay instructing victims to contact Proton’s email address within 24 hours. Otherwise you risk destroying your files. Like other Android malware of its kind, this virus leverages accessibility services to perform malicious activities such as changing the device’s lock screen PIN and password, effectively locking the user out. It also provides a traditional WebView overlay on top of the targeting app to capture credentials.

Google announced that the Chrome Root Program and CA/Browser Forum have taken steps to deprecate 11 legacy methods of domain control validation, a security-critical process designed to ensure that certificates are only issued to legitimate domain operators. “By eliminating these outdated practices that rely on weak verification signals such as physical mail, phone calls, and emails, we are closing potential loopholes for attackers and driving the ecosystem toward automated and cryptographically verifiable security,” the company said. The phase-out will be implemented in phases and is expected to be completed by March 2028.

Cybersecurity researchers have warned of a new campaign using fake torrents from the Leonardo DiCaprio movie One Battle After Another as a launchpad for complex infection chains that drop Agent Tesla malware. “Instead of the expected video file, users unknowingly download a compilation of PowerShell scripts and image archives that are embedded in a memory-resident command and control (C2) agent, also known as a Trojan (RAT – Remote Access Trojan) under the name Agent Tesla,” Bitdefender said. “This type of malware is designed with one purpose: to give the attacker unfettered access to the victim’s Windows computer.” This attack is part of a growing trend of embedding malware in fake multimedia files. In early May of this year, the lure from Mission: Impossible – The Final Reckoning was used to popularize the Lumma Stealer.

New research from Flare reveals that more than 10,000 Docker Hub container images expose credentials to production systems, CI/CD databases, or large language model (LLM) keys. “42% of published images each contain five or more secrets, meaning a single container can unlock an entire cloud environment, CI/CD pipeline, or database,” the company said. “AI LLM model keys were the most frequently compromised credentials, with approximately 4,000 breached, demonstrating that AI adoption is outpacing security controls.” This exposure represents a significant risk, as it provides complete access to cloud environments, Git repositories, CI/CD systems, payment integrations, and other core infrastructure components.

As many as 19 Microsoft Visual Studio Code (VS Code) extensions have been identified in the official marketplace, most of which contain malicious files disguised as PNG images. The campaign has been active since February 2025 and was discovered last week. “The malicious file exploited a legitimate npm package (absolute path) to evade detection and created an archive containing a malicious binary disguised as an image (file with PNG extension),” said Petar Kirhmajer, a researcher at ReversingLabs. “In this latest campaign, the attackers modified the package by adding several malicious files. However, it is important to note that these changes to the package are only available if installed locally through 19 malicious extensions and are not actually part of the package hosted on npm.” As soon as the is activated, the attack begins using the weaponized package. The main purpose of the malicious code is to decode what appears to be a PNG file (‘banner.png’), but is actually an archive containing two binaries, which is executed by the JavaScript dropper using the resident binary (LOLBin) of ‘cmstp.exe’. ReversingLabs said, “One of these binaries is responsible for emulating a keypress and closing LOLBin, and the other binary is a more complex Rust Trojan.” These extensions have since been removed from the marketplace by Microsoft.

Check Point Research announced that it was able to reverse engineer the ValleyRAT (also known as Winos or Winos4.0) backdoor and its plugin by examining the published builder and its development structure. “This analysis revealed the advanced skills of the developers behind ValleyRAT, demonstrating deep knowledge of the internals of the Windows kernel and user mode, as well as consistent coding patterns suggesting a small, specialized team,” the cybersecurity firm said. “‘Driver plugins’ contain kernel-mode rootkits that, in some cases, retain valid signatures and remain loadable on fully updated Windows 11 systems, bypassing built-in protections.” Specifically, the plugins facilitate stealth driver installation, user-mode shellcode injection via APC, and forced removal of AV/EDR drivers. The rootkit is based on the publicly available open source project Hidden. One of the other plugins is a login module designed to load additional components from external servers. ValleyRAT is believed to be the work of a Chinese cybercrime group known as Silver Fox. Approximately 6,000 ValleyRAT-related samples were detected between November 2024 and November 2025, in addition to 30 different variants of the ValleyRAT builder and 12 variants of the rootkit driver.

In new campaigns, threat actors exploit the ability to share chats in OpenAI ChatGPT and Grok to display chats in search results via malvertising or search engine optimization (SEO) poisoning, tricking users into installing stealers such as AMOS Stealer when searching for “sound not working on macOS,” “clear disk space on macOS,” or ChatGPT Atlas on search engines like Google. Chat sessions are shared under the guise of troubleshooting or installation guides and include ClickFix-style instructions for starting a terminal and pasting commands to address the issue the user is facing. “Because attackers are systematically weaponizing multiple AI platforms through SEO poisoning, and it is not isolated to a single AI platform, page, or query, victims are guaranteed to encounter poisoned instructions regardless of which tool they trust,” Huntress said. “Instead, multiple AI-style conversations have surfaced organically through standard search terms, each pointing victims toward the same multi-stage macOS stealer.” This development comes as platforms like itch.io and Patreon are being used by threat actors to distribute Lumma Stealer. “Newly created Itch.io accounts are spamming comments for various legitimate games with templated text messages showing Patreon links for what appear to be game updates,” G DATA said. These links directly link to a ZIP archive containing a malicious executable that is compiled with nexe and runs six levels of anti-analysis checks before dropping the stealer malware.