Latest Cybersecurity News, Summarized

Stay ahead of cyber threats with real-time intelligence, breach reports, and expert analysis from trusted sources.

Critical React2Shell Flaw in React and Next.js Allows Remote Code Execution

A severe vulnerability, named React2Shell and tracked as CVE-2025-55182, has been discovered in the React Server Components (RSC) Flight protocol. The flaw enables unauthenticated remote code execution through unsafe deserialization. Affected versions include React 19.x and Next.js 15.x/16.x. Security researcher Lachlan Davidson reported the issue, which carries a CVSS score of 10.0. Organizations are urged to apply patches immediately to mitigate the risk.

Brickstorm Malware: State-Sponsored Espionage Campaign Unveiled

Cybersecurity authorities revealed details about a state-sponsored espionage campaign using Brickstorm malware, which has been active since 2022. The malware, described as highly sophisticated, allows attackers to maintain long-term access to critical infrastructure and government networks. Officials warn that dozens of organizations have been impacted, with the scope of the damage potentially much greater. The campaign involves stealing sensitive data and deploying additional malware, highlighting the evolving tradecraft of state-sponsored actors.

Predator Spyware Uses Zero-Click Infection via Ads

The Predator spyware from Intellexa uses a zero-click infection mechanism called 'Aladdin,' which compromises targets when they view malicious advertisements. This infection vector is hidden behind shell companies spread across multiple countries. The mechanism leverages the commercial mobile advertising system to deliver malware, forcing weaponized ads onto specific targets identified by their public IP address and other identifiers. The ads trigger redirections to Intellexa's exploit delivery servers, funneled through a complex network of advertising firms. Defending against these malicious ads is difficult, but blocking ads in the browser and hiding the public IP address from trackers are potential defensive measures.

Velociraptor Tool Abused in Ransomware Attacks

Threat actors are increasingly using Velociraptor, a legitimate digital forensics tool, to establish command-and-control infrastructure and facilitate ransomware attacks. Recent incidents involved exploiting critical vulnerabilities to gain initial access before deploying Velociraptor for persistent remote access and lateral movement. The trend reflects growing sophistication in attack tactics, with threat actors abusing trusted security tools to evade detection. By leveraging legitimate software signed by reputable vendors, attackers can blend malicious activity with routine administrative operations, bypassing traditional antivirus and network security controls. The incidents reveal consistent patterns in exploitation methodology and post-compromise behavior, offering critical insights into how financially motivated threat clusters are executing attacks against enterprise environments.

Lazarus APT Group: Crypto Heist and Job Scams Exposed

Silent Push analysts have uncovered infrastructure used by the Lazarus APT Group, linking it to a $1.4 billion crypto heist and to job scams on LinkedIn. The group registered the domain bybit-assessment[.]com hours before the heist and used Astrill VPN IPs for its operations. Fake job interviews lure victims into downloading malware, with brands such as Stripe, Coinbase, and Binance being impersonated. The investigation revealed 27 unique Astrill VPN IPs and multiple malicious domains connected to Lazarus.

DragonForce Ransomware Cartel: New Variant, Affiliates, and Attacks

DragonForce, a ransomware-as-a-service group, has rebranded as a cartel, allowing affiliates to white-label payloads and create variants like Devman and Mamona/Global. The group employs BYOVD attacks using vulnerable drivers to terminate processes and has reinforced its encryptor to avoid weaknesses. Scattered Spider, a financially driven actor, has partnered with DragonForce, leading to over 200 victims across various sectors. The group's most notable attack targeted a major retailer in collaboration with Scattered Spider.

BRICKSTORM Malware Analysis: State-Sponsored Cyber Threat

Cybersecurity agencies have identified BRICKSTORM malware being used by a country's state-sponsored actors for long-term persistence on victim systems. The malware targets VMware vSphere and Windows environments, using sophisticated techniques for initiation, persistence, and secure command and control (C2). Organizations are urged to use provided indicators of compromise (IOCs) and detection signatures to identify and mitigate the threat. The malware analysis report includes YARA and Sigma rules for detection.

Sophisticated Supply-Chain Attack Targets VSCode Ecosystem

In late November 2025, a sophisticated supply-chain attack leveraging the Visual Studio Code extension ecosystem was discovered. A malicious extension masquerading as the popular Prettier code formatter briefly appeared on the official VSCode Marketplace, compromising at least three systems. The attack involved a multi-stage malware chain, including the Anivia loader and OctoRAT, a remote access toolkit with over 70 command modules. The threat actor used a GitHub repository named 'vscode' to host obfuscated VBScript payloads, employing payload rotation techniques to evade detection. The attack highlights the evolving threat landscape targeting developer ecosystems, emphasizing the need for strict extension management policies and enhanced endpoint detection capabilities.

Malicious Rust Package Targets Crypto Developers

A malicious Rust package named evm-units, authored by ablerust, was discovered by the Socket Threat Research Team. The package, disguised as an Ethereum Virtual Machine (EVM) utility, was downloaded over 7,000 times from Crates.io. It silently executes OS-specific payloads, selecting targets based on the presence of a specific antivirus product. The package was removed promptly after being reported. The incident highlights the growing trend of malware in open source ecosystems, particularly around cryptocurrency infrastructure.

Synology BeeStation Vulnerabilities: Full System Takeover

Security researcher Kiddo demonstrated a sophisticated exploit chain combining three distinct vulnerabilities to fully compromise Synology BeeStation devices. Presented at Pwn2Own 2024, the attack leverages a 'Dirty File Write' technique to bypass standard web shell methods and achieve root privileges. The exploit involves CRLF injection, improper authentication, and SQL injection, culminating in a complete system takeover. Synology has addressed these issues in the latest updates.

Yearn Finance yETH Pool Exploited — $9M Stolen

A significant vulnerability in Yearn Finance's yETH pool on Ethereum allowed an attacker to drain approximately $9 million in assets. The flaw in the pool's internal accounting enabled the perpetrator to mint an astronomical number of yETH tokens after depositing a negligible amount. The attacker exploited a desynchronization in the protocol's cached storage system, repeatedly cycling deposit and withdrawal transactions through flash loans to accumulate phantom balances. This sophisticated exploit underscores the risks associated with complex AMM mechanics and gas-saving optimizations in DeFi protocols.

AI-Enhanced Malware Campaign Targets Users via WhatsApp

The Water Saci campaign has escalated significantly, with threat actors using artificial intelligence to enhance malware propagation. The campaign employs a complex attack chain involving multiple file formats and scripting languages to evade detection. The transition from PowerShell to Python scripts, likely converted using AI tools, has improved the malware's capabilities and reach. The campaign targets financial institutions and cryptocurrency exchanges, using sophisticated banking trojans to steal credentials and maintain persistent access. Security experts recommend implementing multi-layered defenses and user awareness training to combat this threat.
