Weekly Report: New Hacking Techniques and Critical CVEs 10 Dec – 17 Dec 2025

The week of December 10-17, 2025 witnessed unprecedented velocity in critical vulnerability exploitation and nation-state targeting of global infrastructure. Five CVSS 10.0/9.8-rated vulnerabilities entered active exploitation phases within 72 hours of disclosure, impacting 644,000+ domains and requiring emergency government directives. Simultaneously, APT36 demonstrated Linux-specific espionage capabilities against Indian government infrastructure, ToddyCat expanded email harvesting operations, and pro-Russia hacktivist groups initiated coordinated attacks on water, energy, and food production systems across multiple continents.

Critical Metrics:

• 5 Critical Zero-Days under active exploitation
• 15+ High-Severity CVEs disclosed and weaponized
• 2TB+ Data exfiltrated by Qilin RaaS campaign
• 644,000 Domains vulnerable to React2Shell exploitation as of December 17
• 25,000+ GitHub Repositories compromised by Shai-Hulud 2.0 worm
• 9th Apple Zero-Day of 2025 exploited in targeted nation-state campaigns

Strategic Implication: Threat actors have achieved exploitation velocity exceeding defensive patch management cycles. Organizations relying on quarterly patching strategies face 7-14 day windows of confirmed exploitation before remediation.

>>Outpace Attackers With AI-Based Automated Penetration Testing

NEW HACKING TECHNIQUES & ATTACK VECTORS

1. Chain-Based Privilege Escalation on Patched Legacy Systems

Technical Innovation: Attackers systematically exploit authorization flaws remaining after RCE patches are applied. CVE-2025-40602 + CVE-2025-23006 demonstrates this pattern—the January 2025 RCE patch closed initial access, but insufficient authorization controls in Appliance Management Console (AMC) permit escalation from compromised user accounts to root privileges.

Operational Impact: Legacy systems with partial patches create deceptive security postures. Organizations believing they’ve adequately patched SonicWall SMA 1000 devices remain vulnerable to complete appliance compromise. This technique will likely proliferate across other legacy products with multi-year patch histories.

2. Pre-Install Worm Propagation in Package Managers

Technical Innovation: Shai-Hulud 2.0 worm executes during npm’s pre-install phase (before dependency resolution completes) rather than post-install, achieving 100% execution rate on build systems without human interaction. This eliminates detection opportunities typically available during build-time vulnerability scanning.

Code Evolution: Worm uses Bun binary runtime disguised as legitimate installer, evading Node.js-specific monitoring rules. Stolen credentials trigger automated self-replication across all maintained packages with exponential propagation. Destructive fallback mechanism attempts home directory destruction if exfiltration fails.

3. DLL Side-Loading via Legitimate Binaries

Technical Innovation: ShadowPad leverages ETDCtrlHelper.exe (legitimate Acer signed executable) to load malicious ETDApix.dll, bypassing application whitelisting that often restricts DLL loading but permits signed executable execution. Memory-resident loader architecture ensures malware persists even after initial payload delivery system is removed.

Operational Advantage: Completely bypasses many endpoint detection and response (EDR) products configured to monitor direct DLL execution but not signed binary DLL injection patterns.

4. Unsafe Deserialization Gadget Chain Exploitation

Technical Innovation: Multiple vulnerabilities this week (React Flight protocol, WSUS reporting service, SonicWall management console) exploit unsafe deserialization of untrusted data. Attackers leverage .NET/Java gadget chains to execute arbitrary code during object instantiation. This represents a systemic architectural vulnerability across enterprise software.

5. OAuth Token Harvesting via Process Memory Dumping

Technical Innovation: ToddyCat’s evolution demonstrates sophisticated understanding of cloud security models. When direct OAuth token access is blocked, attackers pivot to extracting tokens from running Outlook process memory using Sysinternals ProcDump. Tokens remain valid indefinitely, enabling persistent access independent of initial compromise remediation.

Strategic Advantage: Breaks traditional incident response assumptions that access is terminated when compromised systems are isolated.

CRITICAL CVE ANALYSIS

CVE-2025-55182 (React2Shell) | CVSS 10.0 | UNAUTHENTICATED RCE

Incident Date: Active exploitation: December 5-17, 2025 (13-day active campaign)

Criticality Assessment: CVSS 10.0 (maximum severity). No authentication required. Complete remote code execution in application context. Affects 644,000+ internet-accessible domains.

Technical Deep Dive:

React Server Components utilize the “Flight” protocol for serializing server component state to client-side JavaScript. The vulnerability exists in the Flight protocol’s deserialization handler, which processes incoming POST requests containing serialized React component data.

Exploitation Mechanics:

text

POST /api/react-flight HTTP/1.1

Host: vulnerable-app.com

Content-Type: application/json

{

  “__id”:”flight-payload”,

  “__type”:”object”,

  “__constructor”:{

    “__name”:”exec”,

    “__args”:[“arbitrary command here”]

  }

}

Upon receipt, the server deserializes this object. Due to insufficient input validation, the deserialization process instantiates the attacker-specified constructor, executing arbitrary code with application privileges. The entire gadget chain executes synchronously during deserialization, completing before any application-level authentication checks execute.

Attack Surface: Any Next.js application using Server Components (versions 15.0.0+) or custom React implementations with Flight protocol.

Exploitation Timeline:

• December 2: Public disclosure of vulnerability and working proof-of-concept
• December 5: First exploitation detected by security researchers (72 hours post-disclosure)
• December 12: Google Threat Intelligence Group reports exploitation across hundreds of machines
• December 17: 644,000 vulnerable domains remain exposed; active exploitation continues

Observed Payloads:

• Coin miners (primary)
• Reverse shells for command access
• Web shells for persistence
• Cryptomining components
• Data exfiltration scripts

Real-World Impact:
Several hundred machines across diverse organizations compromised. Exploitation not limited to red team assessments—adversary-controlled payloads deliver multiple follow-on stages. Windows and Linux environments equally affected.

Remediation Requirement: React 19.1.0+ required; Next.js 15.1.0+ required

>>Outpace Attackers With AI-Based Automated Penetration Testing

CVE-2025-40602 (SonicWall SMA 1000 LPE) | CVSS 6.6 | CHAINED TO RCE

Incident Date: December 17, 2025 (Disclosure and active exploitation)

Criticality Assessment: Moderate severity standalone (CVSS 6.6), but critical when chained with CVE-2025-23006 (CVSS 9.8) for unauthenticated root code execution. CISA KEV addition requires federal remediation by December 24, 2025.

Exploitation Chain Technical Details:

Stage 1 – CVE-2025-23006 (Deserialization RCE, January 2025):

• Attacker sends specially crafted SOAP message to unpatched HTTPS management port
• Deserialization vulnerability in Appliance Management Console processes untrusted object
• Arbitrary OS command execution achieved as low-privilege appliance user
• Organizations believing they patched (version 12.4.3-02854) actually deployed partial patch

Stage 2 – CVE-2025-40602 (Authorization Bypass Escalation, December 2025):

• Despite January 2025 fix, insufficient authorization controls remain in AMC
• Compromised user accounts can interact with privileged management functions
• Role-Based Access Control (RBAC) not enforced on sensitive endpoints
• Attacker pivots from low-privilege user to root-level appliance control
• Root access enables complete VPN gateway compromise

Technical Architecture of Vulnerability:

text

Unauthenticated Attacker

        ↓

   HTTPS POST (8443)

        ↓

CVE-2025-23006 Deserialization

        ↓

Low-Privilege User Code Execution

        ↓

CVE-2025-40602 Authorization Bypass

        ↓

Root-Level Appliance Compromise

        ↓

VPN Traffic Interception

Credential Harvesting

Lateral Movement

Affected Versions:

• 12.4.3 through 12.4.3-03093
• 12.5.0 through 12.5.0-02002

Fixed Versions:

• 12.4.3-03245
• 12.5.0-02283

Internet Exposure Risk: SMA 1000 appliances frequently exposed on internet for administrative access. SonicWall documented targeting of end-of-life devices by UNC6148 group using OVERSTEP malware since October 2024.

Exploitation Status: Active exploitation confirmed; scale and affected organizations not disclosed by SonicWall

GitLab Multiple Critical Vulnerabilities | December 10 Release

Incident Date: December 10, 2025

Total Vulnerabilities: 10 security issues; 4 high-severity

Affected Versions (Pre-Patch):

• 18.6.0 through 18.6.1
• 18.5.0 through 18.5.3
• 18.4.0 through 18.4.5

Critical Vulnerabilities:

CVE-2025-12716 – Stored XSS in Wiki Pages (CVSS 8.7)

Authenticated users inject malicious JavaScript into wiki page content. Upon rendering to other users, arbitrary scripts execute in browser context:

• Session hijacking via cookie theft
• Project data exfiltration
• Administrative credential capture
• Pull request approval manipulation

Attack Flow:

text

Attacker (GitLab user) → Malicious Wiki Content → Other Users’ Browsers → JavaScript Execution

CVE-2025-12029 – Reflected XSS in Swagger UI (CVSS 8.0)

Unauthenticated attackers craft malicious links targeting Swagger API documentation interface. When developers click links, arbitrary scripts execute:

• API token harvesting
• Administrative interface access
• Development environment reconnaissance

CVE-2025-8405 – Improper Encoding in Vulnerability Reports (CVSS 7.7)

HTML injection in vulnerability report code flow displays. Insufficient entity encoding allows HTML/JavaScript injection:

• Unauthorized repository access
• CI/CD pipeline manipulation
• Build artifact poisoning

CVE-2025-12562 – GraphQL Query Complexity DoS (CVSS 7.5)

Unauthenticated users send complex GraphQL queries bypassing complexity limits:

• Resource exhaustion
• Instance unavailability
• Development workflow disruption
• Potential data access via nested query exploitation

CVE-2025-11984 – WebAuthn Authentication Bypass (CVSS 6.8)

Authenticated users manipulate session state to bypass WebAuthn two-factor authentication:

• Account takeover via session manipulation
• Circumvention of security policies
• Unauthorized administrative access

Impact Assessment: GitLab instances host source code, CI/CD pipelines, build artifacts, and configuration management. Compromise creates complete development infrastructure access enabling supply chain attacks.

CVE-2025-59287 (WSUS Deserialization RCE) | CVSS 9.8 | ACTIVE EXPLOITATION

Incident Date: Active exploitation since October 22, 2025 (2+ months)

Criticality Assessment: Critical remote code execution in Windows Server Update Services. Deserialization vulnerability allows unauthenticated attackers to execute code with SYSTEM privileges on patch management infrastructure.

Attack Execution Technical Details:

WSUS Architecture Context:
Windows Server Update Services manages security patch distribution across enterprise networks. WSUS reporting services accept status updates from managed systems via SOAP XML on TCP 8530 (HTTP) and 8531 (HTTPS).

Vulnerability Mechanics:

text

Attacker Scanning (TCP 8530/8531)

        ↓

Internet-Exposed WSUS Identified

        ↓

Crafted SOAP XML Payload (Serialized Object Gadget Chain)

        ↓

POST /ReportingWebService/ReportingService.asmx

        ↓

Unsafe Deserialization in Reporting Handler

        ↓

Gadget Chain Executes During Object Instantiation

        ↓

PowerShell Code Execution (SYSTEM Context)

        ↓

PowerCat Shell Spawned

        ↓

ShadowPad Malware Downloaded (149.28.78[.]189:42306)

 

Observed Attack Chain (November 2025):

1. WSUS vulnerability exploitation via SOAP deserialization
2. PowerCat netcat utility deployment for interactive shell
3. Windows utilities (curl.exe, certutil.exe) for payload staging
4. Base64-encoded ShadowPad downloaded and decoded
5. DLL side-loading via ETDCtrlHelper.exe → ETDApix.dll
6. Memory-resident loader plugin execution
7. Anti-forensics and persistence mechanisms activated

ShadowPad Malware Profile:

• Modular backdoor with plugin architecture
• Historically used by Chinese state-sponsored APT groups
• Capabilities: command execution, file transfer, plugin loading, log deletion
• Persistence: scheduled tasks, registry modifications, boot-level hooks
• Obfuscation: 10MB+ payload with extreme obfuscation techniques

Exploitation Timeline:

• October 4: Microsoft patches CVE-2025-59287
• October 22: Proof-of-concept exploitation released
• October 22+: Rapid weaponization and active exploitation begins
• November 6: ShadowPad deployment via WSUS documented
• December 17: Continued active exploitation confirmed

Internet Exposure Context: WSUS often internet-exposed for administrative access, creating attractive target for large-scale exploitation campaigns

>>Outpace Attackers With AI-Based Automated Penetration Testing

CVE-2025-43529 (Apple WebKit Use-After-Free) | CVSS 9.8 | TARGETED EXPLOITATION

Incident Date: December 14-17, 2025 (Patch release and KEV addition)

Criticality Assessment: Critical use-after-free vulnerability in WebKit engine used by Safari, Mail, App Store. Actively exploited in targeted nation-state campaigns against high-profile individuals.

Target Profile:

• Government officials
• Journalists and human rights workers
• Opposition activists
• Diplomats and NGO leadership

Exploitation Method: Processing maliciously crafted web content triggers memory management flaw in WebKit HTML rendering. Use-after-free condition enables arbitrary code execution in Safari/Mail context.

Attack Delivery: Likely sophisticated watering hole attacks or targeted link distribution to known targets

Strategic Significance: Ninth Apple zero-day of 2025, indicating:

• Sustained nation-state vulnerability research against Apple platforms
• Continuous zero-day stockpiling by sophisticated adversaries
• Targeting of civil society and government leadership
• Persistent espionage operations

CISA KEV Addition: Deadline January 5, 2026 for patch application

DARKWEB INTELLIGENCE & RANSOMWARE ECOSYSTEM

Ransomware-as-a-Service (RaaS) Activity Summary

Market Leaders (December 2025):

Qilin Ransomware Group – Dominance Consolidated

• Responsible for 29% of all ransomware attacks in 2025
• October 2025: 180+ victim claims; single month dominance
• “Korean Leaks” campaign: 28 victims in financial sector, 2TB data exfiltrated, 1M+ files
• December 10: Targets Don Ricardo (Peru) business services firm
• Supply chain methodology: Single MSP compromise → 28+ downstream victims
• Affiliate earnings: 80-85% of ransom payments (minus $3M threshold)
• Ransom demands: $50M+ observed in major incidents

RansomHub – Active Recruitment

• Prominent placement on dark web forums
• Aggressive affiliate recruitment campaign
• Multi-sector targeting (financial, healthcare, retail, government)

Medusa – Legacy Vulnerability Exploitation

• Exploiting 2025-vintage SimpleHelp vulnerabilities (CVE-2024-57727, CVE-2024-57728)
• Despite patches available since January 2025, continued successful exploitation
• Demonstrates slow organizational patch management cycles

Emerging Groups:

• Morpheus: New group with recent victim claims; growing activity
• BianLian: Block-by-block data publication strategy for pressure campaigns
• Rhysida: Government and utility infrastructure focus
• Lynx: Multi-sector diversification

Dark Web Publishing Patterns:

• Leak sites as primary victim pressure mechanism
• Extended publication timelines for negotiation pressure
• Named campaigns for attribution and publicity
• Social media coordination for maximum impact
• Ransom negotiation conducted via Telegram, session, and email

Supply Chain Attack: npm Shai-Hulud 2.0 Worm

Campaign Scale (November-December 2025):

• 25,000+ malicious repositories
• 350+ unique GitHub users compromised
• 294,842 unique secret occurrences identified
• 33,185 unique secrets (API keys, tokens, credentials)
• 3,760 valid secrets confirmed as of November 27

Stolen Asset Categories:

• GitHub Personal Access Tokens
• Slack webhook URLs
• GitHub OAuth tokens
• AWS IAM keys and credentials
• OpenAI Project API keys
• Claude API keys
• Google API Keys
• GitLab personal access tokens

Exfiltration Method:
Stolen secrets automatically committed to public GitHub repositories named “Shai-Hulud: The Second Coming” under compromised user accounts. Repositories completely public and searchable on internet.

Worm Propagation Mechanism:

1. Initial access via phishing campaign (MFA bypass lures)
2. Pre-install phase execution during npm dependency resolution
3. Credential harvesting from environment variables and configuration files
4. Automated package reinfection using stolen npm tokens
5. GitHub Actions workflow injection for persistence and command execution
6. Self-hosted runner registration for remote command execution

Destructive Capability:
Fallback mechanism attempts complete home directory destruction if credential exfiltration fails:

• Secure file overwriting and deletion
• All files owned by current user targeted
• Intended to punish defensive actions

Technical Innovation:

• Bun Binary: Malware disguises as Bun runtime installer
• Node.js Evasion: Alternative runtime reduces monitoring detection
• Stealth Execution: Fork into background process to avoid build visibility
• Massive Obfuscation: 10MB+ payload with extreme code obfuscation

Darkweb Information Markets

Trello Data (21.1GB, 15 Million Users):

• Original breach: January 2024 API exploitation
• Publication: November-December 2025 (11-month delay)
• Data includes: email addresses, usernames, project information, activity logs
• Hacker handle: “Emo”
• Vulnerability: Unauthenticated API endpoint allowed email enumeration

Active Trading Categories:

• Botnet access and command infrastructure
• Stolen credential databases
• Malware-as-a-Service offerings
• Exploit code repositories
• Zero-day exploit sales
• Phishing-as-a-Service campaigns

ADVANCED PERSISTENT THREAT CAMPAIGNS

APT36 (Transparent Tribe) – Linux BOSS Operating System Campaign

Campaign Designation: APT36 BOSS Linux Targeting 2025

Strategic Context: Represents first confirmed targeting of BOSS (Bharat Operating System Solutions), India’s national operating system widely deployed across government infrastructure.

Campaign Timeline:

• Observed First: November 19, 2025
• Ongoing: Active December 2025

Target Profile:

• Geography: India
• Sector: Government entities and critical infrastructure
• Systems: Linux-based BOSS operating systems

Attack Delivery Mechanism:

Stage 1 – Phishing Vector:

• Spear-phishing emails with weaponized ZIP archives
• Filenames designed for social engineering: “Analysis_Proc_Report_Gem_2025.zip”
• Targeting government analytical personnel and administrators

Stage 2 – .desktop File Social Engineering:

• ZIP contains .desktop shortcut files (misidentified as system configuration)
• Upon user double-click, .desktop file executes embedded command
• Legitimate window content displayed to user for operational cover
• Background execution of malicious ELF binary
• File: Analysis_Proc_Report_Gem.desktop

Stage 3 – ELF Malware Deployment:

• Python-compiled ELF binary (swcbc)
• Related shell scripts (swcbc.sh)
• Establishes bidirectional command and control channel
• C2 Domain: lionsdenim[.]xyz
• C2 IP: 185.[redacted]

Malware Technical Capabilities:

System Identification:

python

# Malware constructs unique tracking ID

unique_id = username + MAC_address (via uuid.getnode())

# Enables persistent identification across reboots

# Device tracking in C2 infrastructure

Command and Control:

• Bidirectional communication with attacker infrastructure
• Remote command execution capability
• Data exfiltration pipelines
• Malware self-update functionality

Data Targeting:

• Sensitive government documents
• Strategic information assets
• Network configuration data
• Credential materials
• Intellectual property

Evasion Techniques:

• .desktop file social engineering exploits user assumptions about executable types
• Silent background execution avoids user awareness
• Python-based implementation enables cross-platform compilation
• Targets BOSS Linux where security monitoring may be less mature

Threat Actor Profile:

APT36 (Transparent Tribe)

• Attribution: Pakistan-based threat actor group
• Active Since: At least 2013
• Historical Focus: Windows malware (Crimson RAT family), spear-phishing campaigns
• Geographic Targeting: Consistently targets Indian government and defense sectors
• Recent Evolution: 2025 expansion to Linux-specific malware development

Strategic Assessment:

• Represents significant capability expansion into Linux platforms
• Indicates specialized payload development for BOSS Linux environment
• Suggests long-term espionage operation rather than opportunistic attacks
• Demonstrates understanding of Indian infrastructure deployment patterns

>>Outpace Attackers With AI-Based Automated Penetration Testing

ToddyCat APT – Email Data Harvesting Evolution

Campaign Designation: ToddyCat Email Compromise 2025

Historical Context:

• Active Since: At least 2020
• Traditional Target: High-value government and technology organizations (Europe, Asia)
• Initial Focus: Browser credential theft (Chrome, Edge, Firefox)
• 2024 Evolution: Domain controller-based PowerShell execution
• 2025 Evolution: Complete email archive and Microsoft 365 token harvesting

2025 Campaign Phases:

On-Premises Exchange Targeting:

• Compromise internet-facing Microsoft Exchange servers
• Extract Outlook PST files (complete email archives)
• Use XstReader tool for offline email analysis
• Exfiltrate complete organizational email history

Cloud Microsoft 365 Targeting:

• Focus on OAuth 2.0 access token harvesting
• Tokens enable indefinite mailbox access independent of password changes
• Multiple token extraction methods:
  1. Browser cache analysis via SharpTokenFinder
  2. Environment variable scanning
  3. Running Outlook process memory dumping (ProcDump)

Token Persistence Strategy:

• OAuth tokens remain valid indefinitely
• Enable mailbox access after network compromise remediation
• Persist across password resets and account lockdowns
• Function across geographic and IP address changes

Advanced Evasion – Process Memory Extraction:

When direct OAuth token access is blocked:

text

1. Identify compromised user with Microsoft 365 access
2. Execute ProcDump (Sysinternals utility):

   ProcDump.exe -p [Outlook.exe PID] -o memory.dmp

3. Extract tokens from memory dump
4. Use extracted tokens for indefinite mailbox access

Legitimate Tool Abuse: ProcDump is Microsoft-signed, bypasses many security controls

Attack Indicators:

• Suspicious ProcDump execution on email servers
• Unusual Outlook process memory access
• SharpTokenFinder process execution
• Unexpected OAuth token usage patterns in Microsoft 365 logs
• Domain controller PowerShell execution (TomBerBill malware)
• XstReader tool presence in post-compromise analysis

Impact Assessment:

• Email Compromise: Complete access to organizational communications
• Persistent Access: OAuth tokens enable indefinite access
• Data Exfiltration: Complete email archive accessibility
• Regulatory Violation: GDPR, HIPAA, industry-specific regulation violations likely
• Espionage Capability: Suitable for nation-state intelligence operations

Pro-Russia Hacktivist Operations – Critical Infrastructure Targeting

Campaign Designation: Pro-Russia Critical Infrastructure Campaign 2025

Official Warning: December 12, 2025 Joint Cybersecurity Advisory (AA25-343A) from CISA, FBI, NSA, and international partners

Targeting Profile:

• Scope: Global critical infrastructure organizations
• Focus: Operational Technology (OT) and Industrial Control Systems
• Sectors: Water and wastewater systems, energy infrastructure, food and agriculture production
• Real-World Consequences: Potential physical system damage and service disruption

Attack Methodology – Opportunistic Approach:

Characterized by simplicity and speed rather than sophisticated nation-state techniques:

1. Internet-Wide Scanning: Identify exposed OT devices (water treatment, energy generation, agricultural systems)
2. Credential Exploitation: Attempt default credentials (admin/admin, etc.)
3. Unpatched System Exploitation: Target known vulnerabilities in OT software
4. Temporary Disruption: Modify system settings or interrupt operations
5. Media Campaign: Publicize disruption on social media with political messaging

Technical Sophistication: Low-to-medium (compensated by volume and ideological motivation)

Threat Persistence: High (politically motivated, not profit-driven; capable of sustained operations)

Real-World Risk Assessment:

• Water system compromise: Public health impact
• Energy system disruption: Regional economic consequences
• Food production disruption: Supply chain effects
• Cascading failures: Interdependent infrastructure effects

Geopolitical Context:

• Joint warning indicates high-level concern
• International coordination suggests coordinated response planning
• Reflects broader pattern of geopolitical cyber operations
• Suggests Russian government tolerance or encouragement of hacktivist activity

CYBERSECURITY RECOMMENDATIONS

Immediate Actions (24 Hours)

1. React2Shell Patch (CVE-2025-55182)
   • Identify all React 19.x and Next.js 15.x deployments
   • Apply patches immediately (React 19.1.0+, Next.js 15.1.0+)
   • Scan deployment logs for exploitation attempts (December 5-17)
   • Monitor for coin miner and reverse shell process spawning
2. SonicWall SMA 1000 Emergency Patching
   • Apply hotfixes: 12.4.3-03245 or 12.5.0-02283
   • Restrict AMC access to trusted administrative IPs only
   • Review VPN logs for suspicious authentication patterns
   • Verify no unauthorized configuration changes occurred
3. GitLab Emergency Patches
   • Apply patch releases: 18.6.2, 18.5.4, 18.4.6
   • Review wiki pages for injected JavaScript content
   • Audit GraphQL query logs for resource exhaustion attempts
   • Monitor Swagger UI for suspicious API access patterns
4. Apple Security Updates
   • Deploy iOS/macOS patches for CVE-2025-43529
   • Patch deadline: January 5, 2026
   • Prioritize devices of government officials, human rights workers, journalists
5. WSUS Infrastructure Assessment
   • Review WSUS server logs for exploitation attempts since October 22
   • Restrict WSUS server network access to specific subnets
   • Scan for ShadowPad indicators: ETDCtrlHelper.exe, ETDApix.dll, 149.28.78[.]189:42306
   • Conduct forensic analysis if internet-exposed WSUS identified

>>Outpace Attackers With AI-Based Automated Penetration Testing

Short-Term Actions (1 Week)

1. Supply Chain Risk Assessment
   • Audit npm dependencies for Shai-Hulud 2.0 worm indicators
   • Identify GitHub repositories named “Shai-Hulud: The Second Coming”
   • Review GitHub Actions workflows for suspicious definitions
   • Conduct credential rotation for all development team secrets
2. Email Infrastructure Security
   • Audit Microsoft 365 for suspicious OAuth token creation
   • Implement Conditional Access policies to restrict token usage
   • Monitor for unusual token consumption patterns
   • Restrict ProcDump and memory dumping tools on email servers
3. Critical Infrastructure Protection
   • Identify all internet-exposed operational technology devices
   • Implement air-gapped networks for critical production systems
   • Rotate all default credentials on OT systems
   • Deploy network monitoring for OT-specific protocols
4. APT36 Campaign Defense
   • Block lionsdenim[.]xyz domain communications
   • Monitor for .desktop file execution from email-sourced ZIPs
   • Scan for swcbc.sh and swcbc ELF malware
   • Deploy Linux-specific endpoint detection and response (EDR)

Strategic Initiatives (30 Days)

1. Zero-Trust Architecture Implementation
   • Reduce reliance on network perimeter controls
   • Implement micro-segmentation for critical systems
   • Deploy continuous authentication verification
   • Eliminate implicit trust in legacy infrastructure
2. Red Team Vulnerability Chain Testing
   • Verify inability to chain partial patches (e.g., CVE-2025-40602 + CVE-2025-23006)
   • Simulate OAuth token extraction and persistence techniques
   • Test exploitation of deserialization vulnerabilities
   • Validate compensating controls
3. Incident Response Capability Enhancement
   • Establish 24/7 incident response for critical infrastructure
   • Develop playbooks for ransomware response
   • Create detection rules for APT36, ToddyCat, UNC6148 malware
   • Coordinate with CISA and FBI for real-time threat intelligence
4. Supply Chain Risk Management
   • Develop third-party risk assessment framework
   • Audit OAuth token usage across all integrated applications
   • Implement software composition analysis (SCA) tools
   • Establish secure development environment controls

CTA: FIRECOMPASS ATTACK SURFACE MANAGEMENT SOLUTION

Why Static Vulnerability Scanning Fails in This Threat Landscape

Exploitation Velocity Problem:

• CVE-2025-55182: Disclosed December 2, exploited December 5 (72-hour exploitation window)
• Organizations scanning quarterly or monthly systems miss active exploitation periods entirely
• By the time vulnerability scanning completes, exploitation campaigns may have already compromised assets

Hidden Risk Problem:

• CVE-2025-40602 demonstrates that patches don’t eliminate risk—improper authorization remains
• Organizations believe they’ve patched SonicWall after January 2025 update, but December vulnerability chains are undetectable by traditional scanning
• WSUS vulnerability remained actively exploited for 2+ months before widespread awareness

Supply Chain Problem:

• Shai-Hulud 2.0 worm demonstrates that software dependencies represent direct attack vectors
• Quarterly patching cycles incompatible with worm propagation velocity
• Darkweb intelligence reveals ongoing credential trading and exploitation

FireCompass Continuous Attack Surface Management

1. Real-Time Vulnerability Assessment

• Continuous scanning for CVEs matching your specific environment
• Automatic prioritization based on CISA KEV and active exploitation patterns
• Correlation with Google Threat Intelligence Group indicators
• Specialized scanning for: React/Next.js, SonicWall SMA, WSUS, GitLab, critical OT systems

2. Exploitation Chain Detection

• Simulation of CVE-2025-40602 + CVE-2025-23006 chaining
• Verification of authorization model bypass possibilities
• DLL side-loading detection (ShadowPad indicators)
• OAuth token harvesting simulation (ToddyCat techniques)

3. Supply Chain Risk Intelligence

• npm package dependency analysis for worm propagation vulnerability
• GitHub repository monitoring for suspicious commits
• OAuth integration audit and trust boundary testing
• Third-party application risk assessment

4. Darkweb & Threat Intelligence Integration

• Real-time ransomware campaign tracking (Qilin, RansomHub, etc.)
• APT campaign attribution and MITRE ATT&CK mapping
• Nation-state targeting pattern identification
• Credential database breach correlation

5. Red Team Attack Simulation

• Live vulnerability exploitation verification
• Exploitation chain testing
• Privilege escalation path identification
• Incident response capability validation

Limited-Time Offer: Free Security Assessment

FireCompass Attack Surface Security Assessment

What’s Included:

• Complete external attack surface discovery and mapping
• Vulnerability scanning with CVSS 9.8+ prioritization
• Red team exploitation attempts on critical systems
• Supply chain risk analysis
• Ransomware campaign correlation
• APT targeting risk assessment
• Technical deep-dive on discovered vulnerabilities
• Prioritized remediation roadmap with risk metrics

Investment: Free for organizations with 500+ employees

Duration: 2-week continuous assessment with ongoing reporting

Deliverables:

• Executive summary highlighting critical findings
• Technical analysis with exploitation feasibility scoring
• Red team engagement report
• Supply chain risk summary
• 90-day remediation timeline

How to Access:
[FIRECOMPASS DEMO AND ASSESSMENT REGISTRATION]

CONCLUSION

The December 10-17 threat landscape represents the most concentrated critical vulnerability exploitation activity observed this year. Organizations that remain reliant on reactive patching strategies face unacceptable risk exposure. The convergence of:

• CVSS 10.0 unauthenticated RCE vulnerabilities in development frameworks
• Supply chain attacks through package managers affecting thousands of organizations simultaneously
• Nation-state targeting of government and civil society infrastructure
• Ransomware campaigns affecting 29% of all cyberattacks (Qilin RaaS)

…demands proactive, continuous attack surface management.

This report provides CISOs and security teams with the threat intelligence necessary to prioritize remediation efforts, allocate resources strategically, and implement compensating controls while patches are being deployed.

Next Week’s Briefing: December 18-24, 2025

Report Classification: For Internal Distribution – Chief Information Security Officers and Security Operations Center Leadership

Report Date: December 18, 2025
Coverage Period: December 10-17, 2025
Version: 1.0 – Final

Prepared by: FireCompass Threat Intelligence Team
Distribution: CISOs, CIOs, Security Operations Center Leadership, IT Risk Management

Outpace Attackers With AI-Based Automate Penetration Testing With FireCompass:
FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management 

>>FireCompass Free Trial