Daily Threat Briefing
Diamond Trail

Cyware Daily Threat Intelligence, December 19, 2025

Government secrets are being sniffed out by a group with a fittingly intrusive name. ESET researchers have identified LongNosedGoblin, a China-aligned APT group that has been conducting cyberespionage against targets in Southeast Asia and Japan since 2023. The group uses a tool dubbed NosyHistorian to harvest browser history for target identification.

The Lazarus Group is proving that old tricks can still learn new, dangerous code. A sophisticated new variant of the BeaverTail malware has been linked to this North Korean hacker group targeting cryptocurrency traders and financial institutions. This modular, cross-platform threat exploits developer trust to steal credentials and monitor clipboard activity on Windows, macOS, and Linux systems.

Your computer's firmware might be lying to you about its security. A newly discovered vulnerability affects motherboards from major manufacturers, allowing attackers with physical access to perform direct memory access attacks during the boot process. The flaw stems from a failure to properly configure memory protections.

Top Malware Reported in the Last 24 Hours

LongNosedGoblin APT targets government entities

ESET researchers have identified LongNosedGoblin, a China-aligned APT group that conducts cyberespionage against governmental entities in Southeast Asia and Japan. Active since at least September 2023, the group employs a sophisticated toolset, including malware like NosyHistorian and NosyDoor, which utilize Group Policy for lateral movement and cloud services like Microsoft OneDrive for command and control. NosyHistorian collects browser history to identify potential targets, while NosyDoor functions as a backdoor, gathering metadata and executing commands remotely. The group has demonstrated advanced evasion techniques, such as bypassing security measures and masquerading as legitimate files.

About the YouTube Ghost Network

The YouTube Ghost Network is a malware distribution campaign utilizing compromised accounts to promote malicious videos, primarily targeting users interested in game cheats and cracked software. A key component of this campaign is GachiLoader, a heavily obfuscated Node.js loader that deploys additional malware, including a second-stage payload known as Kidkadi. This loader employs a novel technique called Vectored Overloading for PE injection, allowing it to manipulate legitimate DLLs to load malicious payloads. The campaign has been active for over nine months, with more than 100 videos accumulating approximately 220,000 views. GachiLoader uses various anti-analysis techniques to evade detection, such as checking for virtual environments and executing PowerShell commands to gather system information.

Lazarus drops new BeaverTail malware variant

A newly identified variant of the BeaverTail malware has been linked to North Korea's Lazarus Group, targeting cryptocurrency traders and financial institutions for espionage and financial gain. This JavaScript-based malware functions as both an information stealer and a loader, employing advanced obfuscation techniques such as layered Base64 and XOR encoding to conceal its activities. BeaverTail is distributed through various channels, including trojanized npm packages and fake job interview platforms, exploiting trust in development workflows. Since 2022, it has evolved into a modular, cross-platform framework capable of running on Windows, macOS, and Linux, featuring keylogging, screenshot capture, and clipboard monitoring.

Top Vulnerabilities Reported in the Last 24 Hours

HPE patches max-severity bug

Hewlett Packard Enterprise (HPE) has patched a critical RCE vulnerability in its OneView software, identified as CVE-2025-37164. This flaw allows unauthenticated attackers to execute arbitrary code remotely and affects all OneView versions prior to v11.00. The vulnerability poses significant risks for unpatched systems. HPE has not confirmed whether this vulnerability has been actively exploited in attacks. The company has previously addressed multiple security issues, including vulnerabilities in StoreOnce and Aruba Instant On Access Points.

New UEFI flaw enables early-boot attacks

A newly discovered vulnerability in UEFI implementations affects motherboards from ASRock, ASUS, GIGABYTE, and MSI, allowing early-boot direct memory access attacks. This flaw arises from a failure to properly configure the input-output memory management unit (IOMMU) during the boot phase, even though the firmware reports that DMA protection is active. As a result, an attacker with physical access who attaches a malicious PCIe device can read or modify system memory before the operating system's security features are engaged. The vulnerabilities are identified as CVE-2025-14304, CVE-2025-11901, CVE-2025-14302, and CVE-2025-14303, all scoring 7.0 on the CVSS scale. Successful exploitation could compromise sensitive data and undermine the integrity of the boot process, highlighting significant risks for affected systems.
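Because the flaw above is a mismatch between what firmware claims and what it actually configures, it is worth knowing what an operating system can and cannot tell you. The script below is an added example written for this briefing, not code from ESET, the board vendors or Cyware; it reads two real Linux sysfs locations (the IOMMU group directories and the Thunderbolt `iommu_dma_protection` attribute) and assumes a normal Linux host, with the sysfs root passed as a parameter so it can also be run against a constructed tree.

```shell
#!/bin/sh
# Added example: summarise what a Linux host reports about IOMMU-based
# DMA protection. Caveat that matters for the UEFI flaw in this briefing:
# both values describe the OS stage and the firmware's own claim. They do
# not prove the IOMMU was configured during the pre-OS window, so a host
# can print "protected" here and still be exposed until firmware is patched.

# dma_protection_report SYSFS_ROOT
#   Prints "iommu_groups=N dma_protection_optin=V" and returns 0 when the
#   running kernel has at least one IOMMU group (DMA remapping is on at
#   OS level), 1 otherwise. SYSFS_ROOT defaults to /sys.
dma_protection_report() {
    sysroot="${1:-/sys}"
    groups=0
    # The kernel creates one directory per IOMMU group once it has enabled
    # the IOMMU; no directories means DMA remapping is off at OS level.
    for g in "$sysroot"/kernel/iommu_groups/*; do
        [ -d "$g" ] && groups=$((groups + 1))
    done
    # Real sysfs attribute: 1 when the kernel considers IOMMU DMA
    # protection active for Thunderbolt/USB4 devices, which is derived in
    # part from the firmware's ACPI opt-in, i.e. the firmware's claim.
    optin="absent"
    for f in "$sysroot"/bus/thunderbolt/devices/domain*/iommu_dma_protection; do
        [ -r "$f" ] && optin=$(cat "$f")
    done
    printf 'iommu_groups=%s dma_protection_optin=%s\n' "$groups" "$optin"
    [ "$groups" -gt 0 ]
}

# Run against the live host only when asked, so the function can also be
# sourced and exercised against a constructed sysfs tree.
if [ "${1:-}" = "--live" ]; then
    dma_protection_report /sys \
        || echo "no IOMMU groups: DMA remapping is not active at OS level"
fi
```

Invoke as `sh dma_check.sh --live`; a non-zero exit or `dma_protection_optin=0` is a reason to look at the board's firmware settings and update status, while a clean result is not evidence that the early-boot window was protected.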