Executive Summary - Highlights of Cyber Threat Intelligence Digest
Vulnerabilities
Alleged PoC for Critical Remote Code Execution Vulnerability Affecting Advanced Custom Fields: Extended WordPress Plugin (CVE-2025-13486), Published on GitHub - On 4 December 2025, GitHub user 0xanis published an alleged proof-of-concept exploit for CVE-2025-13486. CVE-2025-13486 is a critical remote code execution vulnerability affecting the Advanced Custom Fields: Extended (ACFE) WordPress plugin, impacting versions 0.9.0.5 through 0.9.1.1. The vulnerability allows unauthenticated threat actors to execute arbitrary PHP code on vulnerable WordPress servers via the plugin’s form handling functionality. This could be abused to deploy backdoors or create new administrator accounts. The issue was addressed on 2 December 2025, when WordPress released ACFE version 0.9.2 to remediate the vulnerability.
CVE-2025-13486 originates from the ACFE prepare_form() function, which accepts user-controlled input and passes it directly to PHP’s call_user_func_array() function without sufficient validation or sanitisation. This flaw enables unauthenticated remote attackers to craft malicious requests that invoke sensitive PHP functions with attacker-supplied parameters, resulting in arbitrary code execution. Successful exploitation may allow follow-on actions such as maintaining persistence through backdoors or automating the creation of privileged WordPress user accounts.
Japan-Based JPCERT Discloses Exploitation of Command Injection Vulnerability in Array Networks AG Series - On 3 December 2025, JPCERT reported active exploitation of a command injection vulnerability in Array Networks ArrayOS AG, affecting versions 9.4.5.8 and earlier when the DesktopDirect feature is enabled. Exploitation activity, first observed in August 2025, allows threat actors to execute arbitrary system commands on vulnerable devices. This has been used to deploy PHP web shells within the /ca/aproxy/webapp/ directory.
Post-exploitation activity includes the creation of unauthorised user accounts on affected systems, as well as the use of compromised devices to pivot into internal networks.
The vulnerability has not been assigned a CVE identifier. It was remediated in ArrayOS AG version 9.4.5.9, which was released in May 2025. Despite the availability of a fix, exploitation continues against systems that remain unpatched. The command injection flaw is only present when the DesktopDirect feature is enabled.
China-Nexus Threat Actors Earth Lamia and Jackpot Panda Exploit React2Shell Vulnerability (CVE-2025-55182) Following Public Disclosure - On 4 December 2025, Amazon’s Threat Intelligence team reported that multiple China-nexus threat actors, including Earth Lamia, Jackpot Panda, and several previously unidentified clusters, are actively exploiting CVE-2025-55182 (React2Shell) in React Server Components. Affected versions include 19.0, 19.1.0, 19.1.1, and 19.2.0.
The React Team disclosed the vulnerability on 3 December 2025 and released fixes in versions 19.0.1, 19.1.2, and 19.2.1. At the time of reporting, detailed technical information regarding the exploitation methods had not been made publicly available.
CVE-2025-55182 is caused by unsafe deserialisation of user-controlled payloads at React Server Function endpoints. Successful exploitation could allow threat actors to execute arbitrary code via specially crafted HTTP requests, potentially resulting in full compromise of affected backend systems.
Potential Threats
UTA0355 Uses Conference-Themed OAuth and Device Code Phishing to Steal Tokens and Access Microsoft Office 365 Data - On 4 December 2025, cybersecurity firm Volexity reported on an active campaign attributed to the Russian threat actor UTA0355, which uses highly tailored social engineering to compromise Microsoft Office 365 and Google accounts. The group impersonates legitimate conference organisers and engages targets in extended email and messaging conversations to build trust before delivering malicious OAuth authorisation links hosted on legitimate Microsoft infrastructure. Victims are tricked into completing normal sign-in flows and then instructed to copy and share URLs containing embedded OAuth tokens, enabling account compromise without harvesting passwords.
UTA0355 disguises access to compromised accounts using residential proxy infrastructure and registers new devices in Microsoft Entra ID that masquerade as the victim’s existing devices. The campaign includes polished phishing websites themed around international security conferences, where high-value targets are selectively redirected into device code or OAuth phishing workflows while non-targets see benign registration confirmations. The group also encourages recipients to share colleague contact details, expanding the pool of potential victims and supporting sustained credential and token theft operations.
Lazarus Group-Linked Famous Chollima Targets US-Based Finance, Crypto, and Healthcare Entities in North Korean IT Workers Scheme - On 4 December 2025, ANY.RUN reported that the North Korea–aligned threat group Famous Chollima conducted a recruitment-themed social engineering campaign targeting software developers to fraudulently secure remote employment at US-based IT, finance, cryptocurrency, e-commerce, and healthcare organisations. The group avoids traditional malware, instead abusing legitimate remote monitoring tools, VPN services, AI-assisted applications, and one-time password browser extensions on compromised workstations to conduct corporate espionage and generate revenue for the regime.
The campaign begins with unsolicited job-related messages on GitHub and progresses through messaging and scheduling platforms, where victims are instructed to install remote access software, share identity and financial details, and provide full-time access to their workstations. Once access is obtained, the threat actor establishes persistence using browser synchronisation and remote desktop tools, masks location via VPN services, and leverages AI tools to automate job applications and interviews. ANY.RUN assesses Famous Chollima as part of the North Korean state-sponsored Lazarus Group, operating as “ghost developers” embedded within victim organisations to enable sustained access and espionage.
Pro-China Influence Network Targets UK, US, and Japanese Governments, Likely Based in Hong Kong - In December 2025, Insikt Group identified a cluster of at least seven inauthentic X accounts engaged in coordinated influence activity aligned with Chinese geopolitical interests. The accounts amplified narratives critical of the UK government, including content exploiting proposed changes to British National (Overseas) visa rules affecting Hong Kong citizens, while also spreading material undermining the United States and Japanese governments. Although no direct technical links to known Chinese influence networks were identified, the cluster’s tactics, content themes, and use of AI-generated imagery closely resemble those associated with the China-linked “Empire Dragon” (Spamouflage Dragon) influence network.
The accounts were created in February or September 2024, are listed as being based in Hong Kong, and post high volumes of politically focused content, with a primary emphasis on Hong Kong-related issues. Insikt Group assesses the activity as very likely inauthentic and consistent with state-aligned influence operations.
General News
Cloudflare Faces Worldwide Outage - On 5 December 2025, Cloudflare reported a 25-minute service outage that affected approximately 28% of its global HTTP traffic. The disruption was caused by a configuration error introduced during mitigation efforts for CVE-2025-55182 (React2Shell), a vulnerability affecting React Server Components.
The outage occurred when a change intended to disable an internal web application firewall (WAF) testing tool exposed a bug in the FL1 proxy rules module, resulting in widespread HTTP 500 errors. The impact was limited to customers using the FL1 proxy in conjunction with Cloudflare Managed Rulesets.
Cloudflare reverted the configuration change by 09:12 UTC, which restored normal service. The company confirmed that the incident was not the result of a cyberattack and stated that it is implementing additional resilience and change-management improvements to prevent similar incidents in future.
FinCEN says ransomware gangs extorted over $2.1bn from 2022 to 2024 - Between 2022 and 2024, ransomware groups extorted more than $2.1 billion from victims, according to a Financial Crimes Enforcement Network (FinCEN) analysis reported by BleepingComputer, nearly equalling the total amount reported over the previous eight years combined. FinCEN recorded over 4,000 ransomware-related suspicious activity reports, with activity peaking in 2023, when both incident volume and ransom payments sharply increased, before declining in 2024, likely due to sustained law-enforcement disruption of major ransomware operations.
The most frequently targeted sectors included manufacturing, financial services, healthcare, retail, and legal services, while a small number of ransomware families accounted for a disproportionate share of total payments.
Meta proposal for less data sharing is approved by European Commission - In early December 2025, the European Commission approved a Meta proposal allowing Facebook and Instagram users to share less personal data and receive fewer personalised advertisements. The new option, which will take effect across the EU in January, represents the first time Meta has offered users a clear choice to limit data sharing for advertising purposes.
The approval follows regulatory action earlier in the year, when the Commission fined Meta €200 million for breaching the Digital Markets Act between November 2023 and November 2024. The change is viewed as a privacy win for consumers and reflects increased regulatory scrutiny of large technology firms operating within the EU.
Threat Actor Weekly Graph
Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.
Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.
Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.
Both intent and opportunity are scored out of 100, and together they determine the group's severity rating. This week's updates are shown below.
Severity legend: ● Limited | ● Basic | ● Moderate | ● High

| Threat Actor | Severity | Opportunity | Intent |
|---|---|---|---|
| CLOP Ransomware Group | ● High → ● High | ● 81 → ● 82 | ● 49 → ● 49 |
| Dragon Force Group | ● Moderate → ● Moderate | ● 70 → ● 69 | ● 49 → ● 49 |
| BlackShrantac Ransomware Group | NEW → ● Basic | NEW → ● 40 | NEW → ● 30 |
| Scattered PlushDaemon | NEW → ● Basic | NEW → ● 40 | NEW → ● 25 |
| thegiven | NEW → ● Basic | NEW → ● 35 | NEW → ● 25 |
Global Trends Powered by Recorded Future
Within each category, we have provided the current top five globally trending items. Each item is marked with a symbol indicating how actively it is trending.
The spikes in references are calculated over 60 days and are normalised so that they are not disproportionate when compared with larger entities that naturally have more baseline mentions.
▲ Spike – a large increase in reporting volume with high diversity in the event descriptions.
▲ Rise – a small increase in reporting volume with little diversity in the descriptions.
| Attackers | Trend | Methods | Trend | Vulnerabilities | Trend | Targets | Trend |
|---|---|---|---|---|---|---|---|
| Beregini | ▲ | Cobalt Strike | ▲ | CVE-2025-55182 | ▲ | Social Media/Network | ▲ |
| Coinbase Cartel | ▲ | Coinbase Cartel | ▲ | CVE-2025-62221 | ▲ | Tencent | ▲ |
| PalachPro | ▲ | TA0042 | ▲ | CVE-2025-64671 | ▲ | Packaging | ▲ |
| Z-Pentest | ▲ | Account Takeover | ▲ | CVE-2025-62215 | ▲ | NHS | ▲ |
| KillSecurity | ▲ | TA0011 | ▲ | CVE-2025-3248 | ▲ | | ▲ |
Prominent Information Security Events
UTA0355 Uses Conference-Themed OAuth and Device Code Phishing to Steal Tokens and Access Microsoft 365 Data
Source: Insikt Group | Validated Intelligence Event
IOC: URL - bsc2025[.]org
IOC: URL - brussels[-]indo[-]pacific[-]forum[.]org
On December 4, 2025, Volexity reported a social-engineering campaign attributed to Russian threat actor UTA0355 targeting Microsoft 365 (O365) and Google accounts using highly tailored conference-themed lures. The actor builds credibility through realistic spearphishing emails and follow-up conversations (including WhatsApp from compromised accounts), then delivers links to legitimate Microsoft OAuth or Device Code authentication flows. Victims are tricked into completing normal sign-in steps and then instructed to copy and return a resulting URL, allowing UTA0355 to capture OAuth material (e.g., access tokens) embedded in the redirect.
Parallel infrastructure includes polished fake conference websites that selectively route high-value registrants into O365 phishing workflows while benignly handling others to reduce detection. Post-compromise, UTA0355 accesses mail and data via residential proxy networks, registers new Entra ID devices that reuse familiar device names (e.g., “iPhone”) while presenting Android user agents, and continues activity across multiple conference-themed campaigns (e.g., Belgrade Security Conference, Brussels Indo-Pacific Dialogue).
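A defender-side triage check for the device-registration masquerade described here and in the Potential Threats summary above, written as an added Python example (not Volexity's or Microsoft's code): it flags Entra ID device registrations whose Apple-style display name is presented by an Android user agent, and records whether that name duplicates a device the user already has. The log records, their field names, and the device inventory are constructed assumptions, not Microsoft's audit-log schema.

```python
import json
import re

# Apple-style device names set against a user agent that identifies an Android client.
APPLE_NAME = re.compile(r"\b(iphone|ipad|macbook)\b", re.IGNORECASE)
ANDROID_UA = re.compile(r"\bandroid\b", re.IGNORECASE)

# Constructed sample records in a JSON-lines shape. The field names (operation,
# userPrincipalName, deviceDisplayName, userAgent, ipAddress) are assumptions, not
# Microsoft's audit-log schema; the IP addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
{"operation": "Register device", "userPrincipalName": "alice@example.org", "deviceDisplayName": "iPhone", "userAgent": "Mozilla/5.0 (Linux; Android 13; Pixel 7)", "ipAddress": "203.0.113.10"}
{"operation": "Sign-in", "userPrincipalName": "alice@example.org", "deviceDisplayName": "iPhone", "userAgent": "Mozilla/5.0 (Linux; Android 13; Pixel 7)", "ipAddress": "203.0.113.10"}
{"operation": "Register device", "userPrincipalName": "bob@example.org", "deviceDisplayName": "DESKTOP-7G2K", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "ipAddress": "198.51.100.4"}
{"operation": "Register device", "userPrincipalName": "alice@example.org", "deviceDisplayName": "iPhone", "userAgent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)", "ipAddress": "192.0.2.7"}
"""

# Devices each user had registered before this log window (constructed inventory).
KNOWN_DEVICES = {"alice@example.org": {"iPhone"}, "bob@example.org": {"DESKTOP-7G2K"}}


def parse_events(text):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage_registrations(events, known_devices):
    """Return one finding per device registration whose Apple-style display name is
    presented by an Android user agent. Whether the name also duplicates a device the
    user already owns is kept as context: a second 'iPhone' registered from an Android
    client is the masquerade described in the reporting above."""
    findings = []
    for ev in events:
        if ev.get("operation") != "Register device":
            continue  # sign-ins and other operations are out of scope for this check
        name = ev.get("deviceDisplayName", "")
        ua = ev.get("userAgent", "")
        if not (APPLE_NAME.search(name) and ANDROID_UA.search(ua)):
            continue  # the strong signal is the name/user-agent disagreement
        user = ev.get("userPrincipalName", "")
        findings.append({"user": user, "device": name, "ip": ev.get("ipAddress"),
                         "reuses_known_name": name in known_devices.get(user, set())})
    return findings


if __name__ == "__main__":
    for finding in triage_registrations(parse_events(SAMPLE_LOG), KNOWN_DEVICES):
        print(json.dumps(finding))
```

A finding with `reuses_known_name` true should be reviewed alongside the source IP's ASN, since the reporting notes the actor hides behind residential proxies rather than hosting ranges.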
Lazarus Group-Linked Famous Chollima Targets US-Based Finance and Healthcare Entities in North Korean Workers Scheme
Source: Insikt Group | Validated Intelligence Event
IOC: IP - 194[.]33[.]45[.]165
IOC: URL - hxxps[:]//jackson[-]portfolio[.]vercel[.]app
On December 4, 2025, ANY.RUN reported that the North Korean–aligned threat group Famous Chollima (overlapping with activity tracked as PurpleBravo and PurpleDelta) conducted a recruitment-themed social-engineering campaign targeting software developers to fraudulently secure remote employment at U.S. IT, financial, cryptocurrency, e-commerce, and healthcare organisations. Rather than deploying conventional malware, the group abused legitimate tools and services, including remote monitoring and management (RMM) software, VPNs, AI-based applications, and one-time password (OTP) browser extensions on assigned workstations to enable long-term access, corporate espionage, and revenue generation for the North Korean regime.
The campaign originated through mass GitHub pull request messages offering job placement assistance, then transitioned victims into off-platform communication via Calendly and Telegram with a recruiter persona (“Aaron” / “Blaze”), who requested sensitive identity, banking, and SSN information, directed targets to install AnyDesk with shared credentials, and required persistent workstation availability. ANY.RUN, with supporting analysis from external researchers, assessed Famous Chollima as a subdivision of the Lazarus Group based on shared infrastructure, tactics, operational behaviour, and victim targeting patterns.
Remediation Actions
Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable:
- CVE-2025-13486: This vulnerability can be remediated by upgrading the Advanced Custom Fields: Extended (ACFE) WordPress plugin to version 0.9.2 or later, which addresses the unsafe use of user-controlled input in the form handling functionality.
- Array Networks ArrayOS AG Command Injection: This issue can be mitigated by upgrading ArrayOS AG to version 9.4.5.9 or later and disabling the DesktopDirect feature if it is not required.
- CVE-2025-55182 (React2Shell): This vulnerability can be addressed by updating React Server Components to a fixed version (19.0.1, 19.1.2, or 19.2.1, as noted above).
If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.