Weekly Threat Briefing
Diamond Trail

Cyware Weekly Threat Intelligence, December 08–12, 2025


The Good

The U.S. government is launching a legislative double-tap to secure its most critical assets: patient data and national defense. A bipartisan group of senators has reintroduced the Health Care Cybersecurity and Resiliency Act of 2025, which aims to modernize HIPAA with mandatory multifactor authentication and encryption, while offering grants to help rural providers keep up. Simultaneously, the NDAA for FY26 allocates substantial funding to bolster U.S. Cyber Command and harmonizes defense regulations, specifically targeting foreign influence operations and securing election systems against Russian and Chinese interference.

  • A bipartisan group of U.S. senators reintroduced the Health Care Cybersecurity and Resiliency Act of 2025 to strengthen healthcare cybersecurity. The bill proposes updates to HIPAA regulations, including multifactor authentication, encryption, audits, and minimum cybersecurity standards. Grants and training are suggested to offset regulatory burdens and improve cyber readiness, especially for rural healthcare providers. The legislation emphasizes the need for updated breach reporting mechanisms and guidance on corrective actions taken by regulators.

  • The National Defense Authorization Act (NDAA) for FY26 allocates substantial funding to enhance cybersecurity and artificial intelligence capabilities within U.S. defense and intelligence agencies. It designates $73 million for U.S. Cyber Command and mandates the harmonization of cybersecurity regulations across the Department of Defense by mid-2026. The bill also addresses foreign influence operations, particularly from Russia and China, directing agencies to bolster cybersecurity infrastructure in the Western Balkans. Key provisions include enhanced mobile phone security for senior officials and penetration testing for election systems. 

  • Portugal has revised its cybercrime law to create a legal safe harbor for good-faith security researchers, exempting them from punishment under specific conditions. The new provision allows researchers to engage in activities previously considered illegal, such as unauthorized system access, as long as their intent is to identify vulnerabilities and enhance cybersecurity. Key conditions include the necessity of reporting discovered vulnerabilities to the system owner and the National Cybersecurity Center, ensuring actions do not disrupt services or harm systems. Researchers must not seek financial gain beyond standard compensation and must avoid using prohibited techniques like phishing or malware. 

The Bad

The Makop ransomware is evolving, and it has Indian organizations in its crosshairs. This variant has upgraded its arsenal with privilege escalation exploits and the GuLoader malware. Microsoft's latest Patch Tuesday update fixes 57 vulnerabilities, including a zero-day flaw in the Cloud Files driver that attackers are actively exploiting right now to gain SYSTEM privileges. A massive malware operation has used malicious VSCode extensions to infect over 4.3 million browsers. Masquerading as helpful coding tools, these extensions execute scripts to steal WiFi passwords, hijack sessions, and capture screenshots.

  • Makop ransomware, a variant of the Phobos family, has evolved by incorporating techniques like privilege escalation exploits and loader malware, specifically GuLoader, into its operations. Targeting primarily Indian organizations, attackers exploit weak RDP credentials to gain initial access, followed by network scanning, lateral movement, and disabling security measures. The use of off-the-shelf tools facilitates their low-effort yet effective approach, allowing them to navigate through networks and deploy encryptors. Credential dumping tools such as Mimikatz and LaZagne are employed to harvest sensitive information, while various local privilege escalation vulnerabilities enhance their control over compromised systems. 

  • Microsoft released its Patch Tuesday updates, addressing 57 vulnerabilities, including three zero-day flaws: one actively exploited and two publicly disclosed. The actively exploited vulnerability, CVE-2025-62221, affects the Windows Cloud Files Mini Filter Driver, allowing attackers to elevate privileges to SYSTEM level. Publicly disclosed vulnerabilities include CVE-2025-64671, a remote code execution flaw in GitHub Copilot for JetBrains, and CVE-2025-54100, a PowerShell vulnerability that could execute commands via the Invoke-WebRequest function. Additionally, the updates include critical fixes for remote code execution vulnerabilities in Microsoft Office and SharePoint, enhancing the security of various Microsoft products.

  • Over seven years, a malware campaign has infected 4.3 million browsers through malicious VS Code extensions, notably Bitcoin Black and Codo AI. These extensions, masquerading as a harmless theme and an AI coding assistant, execute scripts that capture screenshots, steal WiFi passwords, and hijack browser sessions. The attacker evolved their methods, initially using complex PowerShell scripts before transitioning to simpler batch scripts for payload delivery. Additionally, malicious Go and npm packages utilized typosquatting techniques to impersonate trusted libraries, while a Rust package acted as a loader for further malware. DLL hijacking techniques allow the malware to leverage the legitimate Lightshot executable, making detection difficult. 

  • The Predator spyware, developed by Intellexa, uses “Aladdin,” a zero-click infection method, delivered via malicious ads that infect devices without user interaction. The ads are funneled through a network of advertising firms across multiple countries, exploiting public IP addresses to target victims. Additional delivery vectors, such as “Triton,” exploit Samsung Exynos devices, and other methods like “Thor” and “Oberon” are suspected to exist. Intellexa has been linked to numerous zero-day exploits and remains active despite sanctions and investigations.
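The Makop item above notes that initial access comes through weak RDP credentials, followed by credential dumping with Mimikatz and LaZagne. One early signal a defender can look for is a burst of failed RemoteInteractive logons from a single source, especially when a successful logon from that same source follows shortly after. The script below is an added example written for this briefing, not code from Cyware or from the cited research: it runs a sliding-window check over Windows Security log events. The event IDs (4625 failed logon, 4624 successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are standard Windows values; the sample events, IP addresses, user names and the five-failure threshold are constructed for illustration.

```python
"""
Flag likely RDP password guessing from Windows Security log events.

Added example for the Makop item: detects a burst of failed
RemoteInteractive (RDP) logons from one source IP and notes whether a
successful logon from the same source followed shortly afterwards.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the briefing). Each dict mirrors the
# fields a SIEM would extract from a Windows Security event:
#   event_id 4625 = failed logon, 4624 = successful logon
#   logon_type 10 = RemoteInteractive (RDP)
SAMPLE_EVENTS = [
    # Source 203.0.113.45: six failures across three accounts in ~2 minutes,
    # then a successful logon as "backup" -- the pattern worth alerting on.
    {"time": "2025-12-09T02:14:05", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.45"},
    {"time": "2025-12-09T02:14:20", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.45"},
    {"time": "2025-12-09T02:14:41", "event_id": 4625, "logon_type": 10, "user": "admin",         "src_ip": "203.0.113.45"},
    {"time": "2025-12-09T02:15:02", "event_id": 4625, "logon_type": 10, "user": "admin",         "src_ip": "203.0.113.45"},
    {"time": "2025-12-09T02:15:30", "event_id": 4625, "logon_type": 10, "user": "backup",        "src_ip": "203.0.113.45"},
    {"time": "2025-12-09T02:16:10", "event_id": 4625, "logon_type": 10, "user": "backup",        "src_ip": "203.0.113.45"},
    {"time": "2025-12-09T02:17:00", "event_id": 4624, "logon_type": 10, "user": "backup",        "src_ip": "203.0.113.45"},
    # Source 198.51.100.7: one typo then success -- normal user behaviour.
    {"time": "2025-12-09T09:30:00", "event_id": 4625, "logon_type": 10, "user": "jsmith",        "src_ip": "198.51.100.7"},
    {"time": "2025-12-09T09:30:15", "event_id": 4624, "logon_type": 10, "user": "jsmith",        "src_ip": "198.51.100.7"},
    # Source 192.0.2.10: network logons (type 3), not RDP -- ignored here.
    {"time": "2025-12-09T10:00:00", "event_id": 4625, "logon_type": 3,  "user": "svc",           "src_ip": "192.0.2.10"},
    {"time": "2025-12-09T10:00:05", "event_id": 4625, "logon_type": 3,  "user": "svc",           "src_ip": "192.0.2.10"},
]


def detect_rdp_guessing(events, window=timedelta(minutes=5), threshold=5):
    """Return one finding per source IP whose RDP failures reach `threshold`
    inside any `window`-long span. Each finding records the failure count,
    the distinct accounts tried, and whether a successful RDP logon from the
    same source occurred within `window` after the last failure."""
    failures = defaultdict(list)   # src_ip -> [(time, user), ...]
    successes = defaultdict(list)  # src_ip -> [time, ...]

    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != 10:          # only RemoteInteractive (RDP) logons
            continue
        when = datetime.fromisoformat(ev["time"])
        if ev["event_id"] == 4625:
            failures[ev["src_ip"]].append((when, ev["user"]))
        elif ev["event_id"] == 4624:
            successes[ev["src_ip"]].append(when)

    findings = []
    for src_ip, fails in failures.items():
        # Sliding window: find the densest span of failures for this source.
        best = None  # (count, start_index, end_index)
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            count = end - start + 1
            if best is None or count > best[0]:
                best = (count, start, end)

        if best is None or best[0] < threshold:
            continue

        count, s, e = best
        last_failure = fails[e][0]
        success_after = any(
            last_failure <= t <= last_failure + window for t in successes.get(src_ip, [])
        )
        findings.append({
            "src_ip": src_ip,
            "failures": count,
            "users": sorted({user for _, user in fails[s:e + 1]}),
            "window_start": fails[s][0].isoformat(),
            "success_after": success_after,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_rdp_guessing(SAMPLE_EVENTS):
        print(finding)
```

Tune `window` and `threshold` to the host's normal RDP usage; on an internet-exposed jump host even a lower threshold is defensible, while a helpdesk-heavy environment may need a higher one. A finding with `success_after` set is the one to triage first, since it is the point at which credential dumping with the tools named above becomes possible.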

New Threats

A new Android malware is pulling double duty: holding your phone hostage while stealing your most personal data. DroidLock targets Spanish-speaking users through fake applications. A new vulnerability in the .NET Framework, dubbed SOAPwn, allows attackers to execute remote code and write arbitrary files by manipulating web service imports. A cybercriminal entrepreneur known as GrayBravo is arming multiple threat groups with a sophisticated new toolkit. Four distinct clusters have been spotted using CastleLoader under a MaaS model to target the logistics sector.

  • A newly discovered Android malware, dubbed DroidLock, can lock victims' screens for ransom while accessing sensitive data such as text messages, call logs, and contacts. This malware targets Spanish-speaking users and spreads through malicious websites that promote fake applications. Once installed, DroidLock requests Device Admin and Accessibility Services permissions, allowing it to perform various malicious actions, including changing PINs and wiping devices. The ransomware uses an overlay to demand payment from victims, threatening to destroy files if the ransom is not paid within 24 hours. Additionally, it can steal device lock patterns, enabling remote access through a VNC sharing system. 

  • React2Shell, a critical vulnerability in React Server Components (CVE-2025-55182) that enables unauthenticated remote code execution, is being heavily exploited by threat actors. Attackers are deploying various malware, including cryptocurrency miners like XMRig and backdoors such as PeerBlight, across multiple sectors, particularly construction and entertainment. Automated tools are used to exploit vulnerable Next.js instances, with notable payloads including CowTunnel, a reverse proxy, and ZinFoq, a post-exploitation framework that disguises itself as legitimate Linux services. As of December 8, 2025, over 165,000 IP addresses and 644,000 domains were identified as vulnerable, with significant impacts observed in the U.S. and Germany. This exploitation has also been linked to various malware campaigns affecting more than 50 organizations globally.

  • A newly discovered vulnerability in the .NET Framework, known as SOAPwn, allows attackers to achieve remote code execution and arbitrary file writes in enterprise applications. This flaw arises from improper handling of Web Services Description Language (WSDL) imports and HTTP client proxies, particularly when SOAP clients are dynamically created from attacker-controlled WSDLs. By exploiting this vulnerability, threat actors can manipulate .NET Framework HTTP client proxies to write files to the file system, potentially overwriting existing files. Additionally, attackers can leverage this flaw to capture NTLM challenges, facilitating further exploitation. Despite responsible disclosures to Microsoft, the company has chosen not to address the issue, attributing it to application behavior. Some affected vendors, such as Barracuda and Ivanti, have released patches, while the vulnerability in Umbraco 8 remains unaddressed due to its end-of-life status.

  • Four distinct threat clusters have emerged utilizing the CastleLoader malware, indicating its distribution under a MaaS model by the actor known as GrayBravo. This group, previously identified as TAG-150, exhibits rapid development cycles and technical sophistication. Notable tools in their arsenal include CastleRAT and CastleBot, which facilitate the delivery of various malware families such as DeerStealer and RedLine Stealer. The clusters employ diverse tactics, including phishing campaigns targeting the logistics sector and impersonation of legitimate brands like Booking[.]com. GrayBravo has established a multi-tiered infrastructure, leveraging compromised accounts on freight-matching platforms to enhance the credibility of its phishing efforts.

  • Google has released a security update for Chrome to address a high-severity zero-day vulnerability that is actively being exploited. This vulnerability, which currently lacks a CVE identifier, is tracked under bug tracker ID 466192044 and may involve memory corruption issues within the V8 JavaScript engine. The nature of the exploit suggests it could enable sandbox escapes and remote code execution, raising concerns about targeted attacks, particularly from government-sponsored espionage campaigns. Alongside the zero-day fix, the update also addresses two medium-severity vulnerabilities related to the browser’s password manager and toolbar component.

  • MuddyWater, an Iranian hacking group, has been observed deploying a new backdoor known as UDPGangster, utilizing the User Datagram Protocol (UDP) for C2 operations. This cyberespionage campaign targets users in Turkey, Israel, and Azerbaijan through spear-phishing tactics that involve sending booby-trapped Microsoft Word documents. These documents, disguised as invitations to a seminar from the Turkish Republic of Northern Cyprus Ministry of Foreign Affairs, prompt users to enable macros, which execute embedded malicious code. The UDPGangster payload establishes persistence by modifying the Windows Registry and incorporates extensive anti-analysis checks to evade detection. Once operational, it gathers system information and connects to an external server over UDP to exfiltrate data, execute commands, and deploy additional payloads.

  • FvncBot, a new Android banking trojan, has been targeting Polish users, disguised as a security app developed by mBank. The malware payload includes features like keylogging, web-inject attacks, screen streaming, and hidden virtual network computing (HVNC) for financial fraud. FvncBot’s code is entirely new and not derived from other Android trojans like Ermac or Hook. The malware uses Android’s accessibility services to capture sensitive user data, including passwords and one-time passwords (OTPs). It implements advanced H.264 video compression for low-latency screen streaming, which is more efficient than traditional JPEG streaming.
