Cyware Daily Threat Intelligence, December 16, 2025

Attackers are getting into the holiday spirit, but they aren't bringing gifts. A new MaaS dubbed SantaStealer is being promoted on Telegram and hacker forums as a stealthy, memory-only threat. Actually a rebrand of an older tool, this subscription-based malware hunts for cryptocurrency wallets and browser data.
The Russian financial sector is being hit by a wave of digital bank heists disguised as routine transfers. A new campaign codenamed Operation MoneyMount-ISO is using malicious ISO files hidden in phishing emails to bypass defenses and mount virtual drives on victim machines. Once executed, the attack deploys Phantom Stealer.
Your office phone system might be the newest entry point for hackers. Multiple critical vulnerabilities have been found in FreePBX, including an authentication bypass that grants unauthorized access to the administrator panel. The flaws allow attackers to take full control of the system if specific configurations are enabled.
Top Malware Reported in the Last 24 Hours
New SantaStealer malware targets user data
A new MaaS called SantaStealer is being promoted on Telegram and hacker forums, operating in memory to avoid detection. This malware is a rebranding of BluelineStealer and is offered in two subscription tiers: Basic for $175/month and Premium for $300/month. SantaStealer employs 14 data-collection modules, each running separately to steal information from browsers, cryptocurrency wallets, and messaging apps like Telegram and Discord. It exfiltrates stolen data in chunks to a hardcoded command-and-control endpoint. Despite claims of advanced evasion techniques, current samples contain flaws of their own and are easy to analyze, indicating poor operational security by the developers. The exact distribution methods for SantaStealer remain uncertain, but they may involve tactics like phishing and malicious software downloads.
React2Shell abuse drops Linux backdoors
React2Shell (CVE-2025-55182) is a critical vulnerability currently exploited by threat actors to deploy Linux backdoors like KSwapDoor and ZnDoor, enabling stealthy remote access and lateral movement within networks. These backdoors employ advanced techniques such as military-grade encryption and a sleeper mode, which allows them to evade detection by firewalls. Multiple threat groups, particularly those linked to China, are utilizing this vulnerability to deliver various payloads targeting cloud infrastructures, including Azure and AWS. The ongoing Operation PCPcat has already compromised over 59,128 servers globally, with the majority of attacks occurring in the U.S. Additionally, attackers are harvesting sensitive credentials and conducting reconnaissance to facilitate further exploits.
Phantom Stealer targets Russian finance sector
An active phishing campaign, codenamed Operation MoneyMount-ISO, is targeting the Russian finance sector by delivering Phantom Stealer malware through malicious ISO files. Phishing emails masquerade as legitimate financial communications, urging recipients to confirm bank transfers. These emails contain ZIP archives that include ISO files, which, when executed, mount as virtual drives and launch Phantom Stealer. This malware is designed to extract sensitive information, such as cryptocurrency wallet data, Discord tokens, and browser passwords. Additionally, the campaign has seen the use of another implant called DUPERUNNER, which loads the AdaptixC2 framework. The attackers employ various tactics to compromise finance, legal, and aerospace sectors in Russia, utilizing spear-phishing techniques and redirecting users to phishing pages hosted on IPFS and Vercel to steal credentials.
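The lure described above is a ZIP archive that carries an ISO, which mounts as a virtual drive when opened. The following is an added defensive example, not code from the digest or from any vendor: a triage routine that opens a ZIP and flags disk-image members by file name and, so that a renamed image is still caught, by the ISO 9660 "CD001" identifier at offset 0x8001. The sample archive it builds is constructed for the demonstration and contains no real lure; the extension list and the size cap are assumptions a deployment would tune.

```python
"""Flag disk-image attachments (ISO and similar) nested inside ZIP archives.

Added example for the MoneyMount-ISO item above; it is not code from the
original digest or from any vendor. A mail gateway or triage script can open
the outer ZIP and look for disk images by both name and content.
"""
import io
import zipfile

# Extensions Windows mounts as a virtual drive on double-click (assumed list).
DISK_IMAGE_EXTENSIONS = (".iso", ".img", ".vhd", ".vhdx")

ISO_MAGIC = b"CD001"          # ISO 9660 volume descriptor identifier
ISO_MAGIC_OFFSET = 0x8001     # sector 16 (32 KiB) + 1 byte into the descriptor


def looks_like_iso(data: bytes) -> bool:
    """Return True if the bytes carry an ISO 9660 volume descriptor identifier."""
    return data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC


def find_disk_images_in_zip(zip_bytes: bytes, max_member_size: int = 64 * 1024 * 1024) -> list:
    """Scan a ZIP (given as bytes) and return a list of findings.

    Each finding is a dict with the member name and the reason it was flagged:
    'extension' for a disk-image file name, 'magic' for ISO content under any
    other name. Members larger than max_member_size are reported without being
    read (reason 'oversized'), so a decompression bomb cannot exhaust memory
    during triage.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            lower = info.filename.lower()
            if lower.endswith(DISK_IMAGE_EXTENSIONS):
                findings.append({"name": info.filename, "reason": "extension"})
                continue
            if info.file_size > max_member_size:
                findings.append({"name": info.filename, "reason": "oversized"})
                continue
            # Read only as far as the ISO identifier; no need to inflate the rest.
            with zf.open(info) as fh:
                head = fh.read(ISO_MAGIC_OFFSET + len(ISO_MAGIC))
            if looks_like_iso(head):
                findings.append({"name": info.filename, "reason": "magic"})
    return findings


def build_sample_zip() -> bytes:
    """Constructed test attachment: a benign text file, an ISO by name, and an
    ISO-by-content file disguised with a .pdf extension. The image bodies are
    zero-filled except for the CD001 identifier at the expected offset."""
    fake_iso = bytearray(ISO_MAGIC_OFFSET + 16)
    fake_iso[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] = ISO_MAGIC
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", "please confirm the transfer")
        zf.writestr("transfer_confirmation.iso", bytes(fake_iso))
        zf.writestr("payment_order.pdf", bytes(fake_iso))
    return buf.getvalue()


if __name__ == "__main__":
    for hit in find_disk_images_in_zip(build_sample_zip()):
        print(f"flagged {hit['name']!r}: {hit['reason']}")
```

The name check runs first because it costs nothing; the content check is what catches an image renamed to look like a document, which is the case a name-only filter misses. Reporting oversized members instead of reading them keeps the scanner safe to run on untrusted attachments.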
Top Vulnerabilities Reported in the Last 24 Hours
FreePBX patches critical vulnerabilities for security
Multiple critical vulnerabilities have been identified in FreePBX, an open-source private branch exchange platform, including an authentication bypass flaw that could allow unauthorized access to the Administrator Control Panel. These vulnerabilities include SQL injection issues that affect various endpoints, enabling attackers to manipulate the underlying SQL database. Additionally, an arbitrary file upload vulnerability allows attackers to upload PHP web shells, facilitating remote code execution. The authentication bypass is particularly concerning when the "Authorization Type" is set to "webserver," allowing crafted HTTP requests to bypass security measures. Although these vulnerabilities do not affect the default configuration of FreePBX, they can be exploited if specific settings are enabled. The issues have been addressed in recent updates, with users urged to apply the patches to secure their systems against potential exploitation.
JumpCloud Remote Assist bug spotted
A critical local privilege escalation vulnerability, tracked as CVE-2025-34352, has been discovered in JumpCloud Remote Assist for Windows, affecting versions prior to 0.317.0. This flaw allows low-privileged users to gain NT AUTHORITY\SYSTEM privileges or crash the system. The vulnerability resides in the Windows uninstaller of the JumpCloud Remote Assist component, which executes file operations in a user-controlled directory, making it susceptible to exploitation. Attackers can manipulate a file named Un_A.exe in the user’s %TEMP% directory, leading to arbitrary file writes or deletions. Successful exploitation can grant full control over the machine, facilitating malware installation, data theft, or further lateral movement within the network.