Daily Threat Briefing
Diamond Trail

Cyware Daily Threat Intelligence, December 18, 2025


Speed is the name of the game for modern ransomware, and a new vulnerability is helping attackers break records. React2Shell is being exploited to deploy file-encrypting malware in under sixty seconds. The Weaxor ransomware gang is leveraging this insecure deserialization bug to bypass authentication and lock down corporate networks before defenders even realize they have been breached.

Your smart TV might be streaming more than just movies; it could be blasting malicious traffic across the globe. A massive new botnet named Kimwolf has enslaved approximately 1.8 million Android-based devices to launch extensive DDoS attacks. Linked to the notorious AISURU group, this resilient network uses advanced encryption techniques to hide its tracks.

Cisco has sounded the alarm on a critical zero-day vulnerability that is already in the hands of state-sponsored spies. A Chinese threat group tracked as UAT-9686 is actively exploiting a flaw in Cisco AsyncOS to compromise Secure Email Gateway (SEG) appliances. The attackers are targeting appliances where the Spam Quarantine feature is exposed to the internet.

Top Malware Reported in the Last 24 Hours

React2Shell now exploited in ransomware attacks

A critical vulnerability known as React2Shell (CVE-2025-55182) has been exploited by a ransomware gang to gain rapid access to corporate networks, deploying file-encrypting malware within a minute. The flaw, an insecure deserialization issue in the React Server Components' Flight protocol, allows remote code execution without authentication. Following its disclosure, both nation-state hackers and cybercriminals quickly leveraged React2Shell for various attacks, including cyberespionage and cryptocurrency mining. On December 5, a threat actor used this vulnerability to launch the Weaxor ransomware, a rebrand of the Mallox/FARGO operation, which targets public-facing servers. The attackers executed a series of commands to disable security measures and encrypt files, leaving ransom notes with payment instructions.

Kimsuky drops DocSwap Android malware

Kimsuky, a North Korean threat actor, has launched a campaign distributing a new variant of Android malware called DocSwap through QR codes on phishing sites that mimic the South Korean logistics firm CJ Logistics. The attackers use smishing texts and phishing emails disguised as delivery notifications to trick victims into clicking on malicious URLs. Once redirected, users are prompted to scan a QR code to download a fake shipment tracking app, which appears legitimate but contains malware. This app decrypts an embedded APK and activates a RAT that allows attackers to log keystrokes, capture audio, and access files. Additionally, Kimsuky has repackaged legitimate applications, like the BYCOM VPN, injecting malicious functionalities. The campaign also includes phishing sites that resemble popular platforms like Naver and Kakao, aimed at harvesting user credentials.

Kimwolf botnet targets millions of devices

A new botnet named Kimwolf has compromised approximately 1.8 million Android-based devices, including TVs and set-top boxes, launching extensive DDoS attacks. This botnet, linked to the notorious AISURU, has executed around 1.7 billion attack commands within a short span. Primarily targeting residential TV boxes, Kimwolf infections are prevalent in countries such as Brazil, India, and the U.S. The malware utilizes advanced techniques, including DNS-over-TLS and Ethereum Name Service (ENS) domains, to enhance its resilience against takedown efforts. Notably, over 96% of the commands issued by Kimwolf focus on exploiting compromised devices for proxy services, reflecting a shift in attackers' strategies towards monetizing IoT device bandwidth. 

Top Vulnerabilities Reported in the Last 24 Hours

AsyncOS 0-day under exploitation

Cisco has alerted customers about a critical zero-day vulnerability (CVE-2025-20393) in its AsyncOS, actively exploited by a Chinese threat group known as UAT-9686. This vulnerability affects Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances that have non-standard configurations, particularly when the Spam Quarantine feature is exposed to the internet. The attackers utilize this flaw to execute arbitrary commands and deploy various malware, including AquaShell, AquaTunnel, and Chisel. Cisco Talos has linked this activity to other Chinese state-backed hacking groups and noted that the campaign has been active since at least late November 2025, with attacks first detected on December 10.

SonicWall warns of critical SMA1000 vulnerability

SonicWall has alerted customers to a zero-day vulnerability in its SMA1000 Appliance Management Console (AMC), identified as CVE-2025-40602, which allows local privilege escalation. Attackers have exploited this vulnerability in conjunction with a critical pre-authentication deserialization flaw, CVE-2025-23006, enabling them to execute arbitrary OS commands remotely with root privileges. Currently, over 950 SMA1000 appliances are exposed online, raising concerns for organizations relying on these devices for secure remote access.
