Cyware Daily Threat Intelligence, December 11, 2025

A new Android malware is pulling double duty: holding your phone hostage while stealing your most personal data. DroidLock targets Spanish-speaking users through fake applications, locking screens and demanding a ransom within 24 hours.
The details are shrouded in mystery, but the danger is clear and present. Google has released an urgent update for Chrome to fix a high-severity zero-day vulnerability that is already being exploited in the wild. The flaw, which has no CVE identifier yet, is believed to be a memory corruption issue in the V8 engine.
A crack has been found in the foundation of enterprise applications, and the builder isn't planning to fix it. A new vulnerability in the .NET Framework, dubbed SOAPwn, allows attackers to execute remote code and write arbitrary files by manipulating web service imports.
Top Malware Reported in the Last 24 Hours
DroidLock: New Android malware spotted
A newly discovered Android malware, dubbed DroidLock, can lock victims' screens for ransom while accessing sensitive data such as text messages, call logs, and contacts. This malware targets Spanish-speaking users and spreads through malicious websites that promote fake applications. Once installed, DroidLock requests Device Admin and Accessibility Services permissions, allowing it to perform various malicious actions, including changing PINs and wiping devices. The ransomware uses an overlay to demand payment from victims, threatening to destroy files if the ransom is not paid within 24 hours. Additionally, it can steal device lock patterns, enabling remote access through a VNC sharing system.
React2Shell exploitation drops new Linux backdoor
React2Shell, a critical vulnerability in React Server Components (CVE-2025-55182), is being heavily exploited by threat actors, enabling unauthenticated remote code execution. Attackers are deploying various malware, including cryptocurrency miners such as XMRig and backdoors such as PeerBlight, across multiple sectors, particularly construction and entertainment. Automated tools are used to exploit vulnerable Next.js instances, with notable payloads including CowTunnel, a reverse proxy, and ZinFoq, a post-exploitation framework that disguises itself as legitimate Linux services. As of December 8, 2025, over 165,000 IP addresses and 644,000 domains were identified as vulnerable, with significant impacts observed in the U.S. and Germany. This exploitation has also been linked to various malware campaigns affecting more than 50 organizations globally.
Top Vulnerabilities Reported in the Last 24 Hours
Google patches mysterious Chrome 0-day
Google has released a security update for Chrome to address a high-severity zero-day vulnerability that is actively being exploited. This vulnerability, which currently lacks a CVE identifier, is tracked under bug tracker ID 466192044 and may involve memory corruption issues within the V8 JavaScript engine. The nature of the exploit suggests it could enable sandbox escapes and remote code execution, raising concerns about targeted attacks, particularly from government-sponsored espionage campaigns. Alongside the zero-day fix, the update also addresses two medium-severity vulnerabilities related to the browser’s password manager and toolbar component.
Actively exploited Gladinet vulnerability
A new vulnerability in Gladinet's CentreStack and Triofox products has been actively exploited, allowing attackers to leverage hard-coded cryptographic keys for unauthorized access and remote code execution. This issue arises from the "GenerateSecKey()" function, which produces static 100-byte text strings used to derive cryptographic keys, making them predictable and easily weaponized. Threat actors can craft specific URL requests to exploit this vulnerability, creating access tickets that do not expire, thereby enabling indefinite access to sensitive files like the web.config file. As of December 10, nine organizations across various sectors, including healthcare and technology, have reported being affected by these attacks, which also attempt to exploit previously disclosed vulnerabilities to access critical machine keys.
New .NET vulnerability enables remote code execution
A newly discovered vulnerability in the .NET Framework, known as SOAPwn, allows attackers to achieve remote code execution and arbitrary file writes in enterprise applications. This flaw arises from improper handling of Web Services Description Language (WSDL) imports and HTTP client proxies, particularly when SOAP clients are dynamically created from attacker-controlled WSDLs. By exploiting this vulnerability, threat actors can manipulate .NET Framework HTTP client proxies to write files to the file system, potentially overwriting existing files. Additionally, attackers can leverage this flaw to capture NTLM challenges, facilitating further exploitation. Despite responsible disclosures to Microsoft, the company has chosen not to address the issue, attributing it to application behavior. Some affected vendors, such as Barracuda and Ivanti, have released patches, while the vulnerability in Umbraco 8 remains unaddressed due to its end-of-life status.