TECHZONE™

A Browser Extension Risk Guide After the ShadyPanda Campaign https://thehackernews.com/2025/12/a-browser-extension-risk-guide-after.html In early December 2025, security researchers exposed a cybercrime campaign that had quietly hijacked popular Chrome and Edge browser extensions on a massive scale. A threat group dubbed ShadyPanda spent seven years playing the long game, publishing or acquiring harmless extensions, letting them run clean for years to build trust and gain millions of installs, then suddenly flipping them into

Phantom Stealer Spread by ISO Phishing Emails Hitting Russian Finance Sector https://thehackernews.com/2025/12/phantom-stealer-spread-by-iso-phishing.html Cybersecurity researchers have disclosed details of an active phishing campaign that's targeting a wide range of sectors in Russia with phishing emails that deliver Phantom Stealer via malicious ISO optical disc images. The activity, codenamed Operation MoneyMount-ISO by Seqrite Labs, has primarily singled out finance and accounting entities, with those in the procurement, legal, payroll

VolkLocker Ransomware Exposed by Hard-Coded Master Key Allowing Free Decryption https://thehackernews.com/2025/12/volklocker-ransomware-exposed-by-hard.html The pro-Russian hacktivist group known as CyberVolk (aka GLORIAMIST) has resurfaced with a new ransomware-as-a-service (RaaS) offering called VolkLocker that suffers from implementation lapses in test artifacts, allowing users to decrypt files without paying an extortion fee. According to SentinelOne, VolkLocker (aka CyberVolk 2.x) emerged in August 2025 and is capable of targeting both Windows

CISA Adds Actively Exploited Sierra Wireless Router Flaw Enabling RCE Attacks https://thehackernews.com/2025/12/cisa-adds-actively-exploited-sierra.html The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a high-severity flaw impacting Sierra Wireless AirLink ALEOS routers to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation in the wild. CVE-2018-4063 (CVSS score: 8.8/9.9) refers to an unrestricted file upload vulnerability that could be exploited to achieve remote code

Black Hat Europe 2025: Was that device designed to be on the internet at all? https://www.welivesecurity.com/en/internet-of-things/black-hat-europe-2025-device-designed-internet/ Behind the polished exterior of many modern buildings sit outdated systems with vulnerabilities waiting to be found

Apple Issues Security Updates After Two WebKit Flaws Found Exploited in the Wild https://thehackernews.com/2025/12/apple-issues-security-updates-after-two.html Apple on Friday released security updates for iOS, iPadOS, macOS, tvOS, watchOS, visionOS, and its Safari web browser to address two security flaws that it said have been exploited in the wild, one of which is the same flaw that was patched by Google in Chrome earlier this week. The vulnerabilities are listed below - CVE-2025-43529 (CVSS score: N/A) - A use-after-free vulnerability in WebKit

Fake OSINT and GPT Utility GitHub Repos Spread PyStoreRAT Malware Payloads https://thehackernews.com/2025/12/fake-osint-and-gpt-utility-github-repos.html Cybersecurity researchers are calling attention to a new campaign that's leveraging GitHub-hosted Python repositories to distribute a previously undocumented JavaScript-based Remote Access Trojan (RAT) dubbed PyStoreRAT. "These repositories, often themed as development utilities or OSINT tools, contain only a few lines of code responsible for silently downloading a remote HTA file and executing

New Advanced Phishing Kits Use AI and MFA Bypass Tactics to Steal Credentials at Scale https://thehackernews.com/2025/12/new-advanced-phishing-kits-use-ai-and.html Cybersecurity researchers have documented four new phishing kits named BlackForce, GhostFrame, InboxPrime AI, and Spiderman that are capable of facilitating credential theft at scale. BlackForce, first detected in August 2025, is designed to steal credentials and perform Man-in-the-Browser (MitB) attacks to capture one-time passwords (OTPs) and bypass multi-factor authentication (MFA). The kit

Securing GenAI in the Browser: Policy, Isolation, and Data Controls That Actually Work https://thehackernews.com/2025/12/securing-genai-in-browser-policy.html The browser has become the main interface to GenAI for most enterprises: from web-based LLMs and copilots, to GenAI‑powered extensions and agentic browsers like ChatGPT Atlas. Employees are leveraging the power of GenAI to draft emails, summarize documents, work on code, and analyze data, often by copying/pasting sensitive information directly into prompts or uploading files.  Traditional

New React RSC Vulnerabilities Enable DoS and Source Code Exposure https://thehackernews.com/2025/12/new-react-rsc-vulnerabilities-enable.html The React team has released fixes for two new types of flaws in React Server Components (RSC) that, if successfully exploited, could result in denial-of-service (DoS) or source code exposure. The team said the issues were found by the security community while attempting to exploit the patches released for CVE-2025-55182 (CVSS score: 10.0), a critical bug in RSC that has since been weaponized in

React2Shell Exploitation Escalates into Large-Scale Global Attacks, Forcing Emergency Mitigation https://thehackernews.com/2025/12/react2shell-exploitation-escalates-into.html The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged federal agencies to patch the recent React2Shell vulnerability by December 12, 2025, amid reports of widespread exploitation. The critical vulnerability, tracked as CVE-2025-55182 (CVSS score: 10.0), affects the React Server Components (RSC) Flight protocol. The underlying cause of the issue is an unsafe deserialization

Black Hat Europe 2025: Reputation matters – even in the ransomware economy https://www.welivesecurity.com/en/business-security/black-hat-europe-2025-reputation-ransomware/ Being seen as reliable is good for ‘business’ and ransomware groups care about 'brand reputation' just as much as their victims

Locks, SOCs and a cat in a box: What Schrödinger can teach us about cybersecurity https://www.welivesecurity.com/en/business-security/locks-socs-cat-box-what-schrodinger-can-teach-us-about-cybersecurity/ If you don’t look inside your environment, you can’t know its true state – and attackers count on that

CISA Flags Actively Exploited GeoServer XXE Flaw in Updated KEV Catalog https://thehackernews.com/2025/12/cisa-flags-actively-exploited-geoserver.html The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a high-severity security flaw impacting OSGeo GeoServer to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation in the wild. The vulnerability in question is CVE-2025-58360 (CVSS score: 8.2), an unauthenticated XML External Entity (XXE) flaw that affects all versions prior to

Chrome Targeted by Active In-the-Wild Exploit Tied to Undisclosed High-Severity Flaw https://thehackernews.com/2025/12/chrome-targeted-by-active-in-wild.html Google on Wednesday shipped security updates for its Chrome browser to address three security flaws, including one it said has come under active exploitation in the wild. The vulnerability, rated high in severity, is being tracked under the Chromium issue tracker ID "466192044." Unlike other disclosures, Google has opted to keep information about the CVE identifier, the affected component, and

Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution https://thehackernews.com/2025/12/hard-coded-gladinet-keys-let-attackers.html Huntress is warning of a new actively exploited vulnerability in Gladinet's CentreStack and Triofox products stemming from the use of hard-coded cryptographic keys that have affected nine organizations so far. "Threat actors can potentially abuse this as a way to access the web.config file, opening the door for deserialization and remote code execution," security researcher Bryan Masters said.

Seeking symmetry during ATT&CK® season: How to harness today’s diverse analyst and tester landscape to paint a security masterpiece https://www.welivesecurity.com/en/business-security/seeking-symmetry-attck-season-harness-todays-diverse-analyst-tester-landscape-paint-security-masterpiece/ Interpreting the vast cybersecurity vendor landscape through the lens of industry analysts and testing authorities can immensely enhance your cyber-resilience.

React2Shell Exploitation Delivers Crypto Miners and New Malware Across Multiple Sectors https://thehackernews.com/2025/12/react2shell-exploitation-delivers.html React2Shell continues to witness heavy exploitation, with threat actors leveraging the maximum-severity security flaw in React Server Components (RSC) to deliver cryptocurrency miners and an array of previously undocumented malware families, according to new findings from Huntress. This includes a Linux backdoor called PeerBlight, a reverse proxy tunnel named CowTunnel, and a Go-based

.NET SOAPwn Flaw Opens Door for File Writes and Remote Code Execution via Rogue WSDL https://thehackernews.com/2025/12/net-soapwn-flaw-opens-door-for-file.html New research has uncovered exploitation primitives in the .NET Framework that could be leveraged against enterprise-grade applications to achieve remote code execution. WatchTowr Labs, which has codenamed the "invalid cast vulnerability" SOAPwn, said the issue impacts Barracuda Service Center RMM, Ivanti Endpoint Manager (EPM), and Umbraco 8. But the number of affected vendors is likely to be

Three PCIe Encryption Weaknesses Expose PCIe 5.0+ Systems to Faulty Data Handling https://thehackernews.com/2025/12/three-pcie-encryption-weaknesses-expose.html Three security vulnerabilities have been disclosed in the Peripheral Component Interconnect Express (PCIe) Integrity and Data Encryption (IDE) protocol specification that could expose a local attacker to serious risks. The flaws impact PCIe Base Specification Revision 5.0 and onwards in the protocol mechanism introduced by the IDE Engineering Change Notice (ECN), according to the PCI Special