Executive Summary
Highlights of Cyber Threat Intelligence Digest
Vulnerabilities
Threat Actors Exploit CVE-2025-55182 in Multi-Malware Campaign Targeting Construction and Entertainment Sectors - On 9 December 2025, Huntress reported active and widespread exploitation of CVE-2025-55182 (“React2Shell”), a critical vulnerability in React Server Components that allows unauthenticated remote code execution. Exploitation was observed at scale from 8 December, with automated scanning targeting publicly exposed Next.js applications and no distinction made between Windows and Linux systems. The vulnerability arises from insecure deserialisation in the React Flight protocol, where crafted hydration data can trigger arbitrary code execution through maliciously constructed objects.
Following exploitation, threat actors performed basic host validation and OS fingerprinting before deploying a wide range of payloads, including cryptominers, Linux backdoors, reverse proxy implants, DDoS botnet variants, and command-and-control frameworks such as Sliver. The diversity of malware suggests multiple threat actors or modular delivery frameworks exploiting the vulnerability in parallel. Persistence and defence evasion techniques included system services, timestomping, process masquerading, and removal of shell history. Organisations using React Server Components are advised to urgently update to fixed versions and remediate exposed Next.js deployments to reduce risk of compromise.
PCI-SIG Discloses Three Vulnerabilities (CVE-2025-9612, CVE-2025-9613, and CVE-2025-9614) in PCIe IDE Protocol; No Active Exploitation Observed - On 9 December 2025, PCI-SIG disclosed three vulnerabilities affecting the PCI Express (PCIe) Integrity and Data Encryption (IDE) specification in versions prior to 6.5-Rev7.0 and 7.1-Rev7.0. The issues could result in information disclosure, privilege escalation, or denial-of-service conditions and impact systems using affected Intel Xeon and AMD EPYC processors. PCI-SIG advised members to apply the relevant Engineering Change Notification updates, and there are currently no reports of exploitation in the wild.
The vulnerabilities include weaknesses in how PCIe IDE enforces transaction ordering, handles completion timeouts, and manages re-keying when devices move between trusted domains. In specific scenarios, a man-in-the-middle attacker could manipulate protected transaction sequences, cause stale or misdirected data completions, or trigger the processing of outdated write operations in a new security context. While exploitation would require a highly privileged position within the PCIe communication path, organisations using affected hardware are advised to review and apply vendor guidance to reduce exposure.
GEN Digital Disclosed CVE-2025-8351 Vulnerability in macOS Avast Antivirus; No Active Exploitation Observed - On 1 December 2025, GEN Digital disclosed CVE-2025-8351, a high-severity vulnerability affecting Avast Antivirus on macOS versions 8.3.70.94 through 8.3.70.98. The flaw is a heap-based buffer overflow with an associated out-of-bounds read, which could allow a local attacker to execute code in the context of the antivirus engine or cause a denial-of-service condition. At the time of reporting, there were no indications of active exploitation.
Although the vulnerability is no longer listed on GEN Digital’s public advisory page, both the US Cybersecurity and Infrastructure Security Agency and the National Vulnerability Database attribute the disclosure to GEN Digital. Organisations running affected Avast versions are advised to ensure they are updated to a fixed release to mitigate potential risk.
Potential Threats
China-Linked Threat Actor Ink Dragon Expands Espionage Operations to European Government Networks Using ShadowPad IIS Listener and FinalDraft Variant - On 16 December 2025, Check Point reported that the China-linked threat actor Ink Dragon expanded its long-running cyber-espionage activity into European government networks, deploying multiple malware families including ShadowPad variants, credential-dumping tools and a new backdoor named FinalDraft. Active since early 2023, the group initially targeted organisations in Southeast Asia and South America, but has since broadened its geographic focus.
Ink Dragon gained initial access by scanning internet-facing Microsoft IIS and SharePoint servers, exploiting insecure ASP.NET machineKey values and unpatched ToolShell vulnerabilities to achieve remote code execution and deploy web shells. Post-compromise activity included credential theft, privilege escalation, lateral movement via RDP and SMB, and the staged deployment of ShadowPad loaders. Persistence was established through scheduled tasks, disguised services and abuse of legitimately signed binaries. At the domain level, the group modified firewall rules and installed IIS listener modules to obscure command-and-control traffic, before deploying FinalDraft on high-value systems to maintain long-term, stealthy access using Microsoft Graph mailbox drafts for C2 and data exfiltration. Check Point also noted parallel intrusions by the China-aligned group RudePanda exploiting the same servers, but assessed the activity as separate operations rather than a shared campaign.
Russian State-Sponsored GRU-Linked Sandworm Cluster Targets Western Critical Infrastructure Via Misconfigured Network Edge Devices In Multi-Year Campaign - On 15 December 2025, Amazon Threat Intelligence reported on a long-running campaign attributed to a Russian GRU-linked activity cluster associated with Sandworm, targeting Western critical infrastructure, with a particular focus on the energy sector. Active since 2021, the campaign has evolved in 2025 to prioritise the compromise of misconfigured network edge devices, reducing reliance on exploiting new vulnerabilities. Earlier activity involved exploitation of known flaws in products such as WatchGuard, Confluence and Veeam, alongside abuse of poorly secured devices. Amazon confirmed the affected systems were customer-managed network appliance software hosted on EC2 and stressed that no AWS service vulnerabilities were involved.
In this campaign, the threat actor compromised routers, VPN gateways and network management appliances, enabling packet capture to collect authentication traffic. Harvested credentials were then replayed against online services associated with targeted organisations, with the aim of establishing persistent access and enabling further lateral movement. Targeted services included those used by energy providers, cloud platforms, code repositories and telecommunications firms across North America, Europe and the Middle East. Amazon reported that it identified and disrupted related infrastructure, notified affected customers and provided remediation support to limit further impact.
DigitStealer macOS Malware Campaign Targeting Credentials and Cryptocurrency Wallets - On 13 November 2025, Jamf Threat Labs published analysis of DigitStealer, a multi-stage macOS infostealer distributed via malicious disk images posing as legitimate utilities. The campaign targets credentials, sensitive user data and cryptocurrency wallets, including Ledger Live, and relies on a “drag-to-Terminal” technique to bypass Gatekeeper. Once executed, an obfuscated bash script performs environment checks before downloading multiple AppleScript and JavaScript for Automation (JXA) payloads that steal browser, wallet, VPN and Keychain data, tamper with Ledger Live binaries and configuration, and establish persistence.
DigitStealer deploys an AppleScript component that prompts for the user’s password, resets TCC permissions, collects files and exfiltrates data over HTTPS, followed by JXA modules that harvest credentials, redirect Ledger Live network endpoints and install a persistent LaunchAgent-backed backdoor. The final stage polls attacker-controlled infrastructure for commands and supports ongoing data theft and task execution. Jamf assessed the activity as a stealthy macOS-focused malware operation combining social engineering, staged payload delivery and durable persistence to support long-term credential and cryptocurrency theft.
General News
Google Links More Chinese Hacking Groups to React2Shell Attacks - On 15 December 2025, Google’s threat intelligence team linked at least five additional Chinese hacking groups to ongoing attacks exploiting the critical React2Shell remote code execution vulnerability (CVE-2025-55182) in the React and Next.js ecosystems. The flaw allows unauthenticated attackers to execute arbitrary code on vulnerable applications via a single HTTP request, and widespread adoption of the exploit by attackers has resulted in numerous breaches of internet-facing systems. According to Google Threat Intelligence Group, clusters tracked as UNC6600, UNC6586, UNC6588, UNC6603 and UNC6595 have been observed weaponising the vulnerability to deliver a variety of malware, including tunnelling utilities, downloaders and backdoors.
Observers have also seen exploitation by other nation-state actors and financially motivated adversaries deploying cryptomining software on unpatched systems. The expanded linkages to China-aligned threat actors underscore the urgent need for organisations to patch affected React components, review exposure and bolster monitoring for malicious activity.
Cellik Android Malware Builds Malicious Versions of Google Play Apps - On 16 December 2025, researchers reported the emergence of Cellik, a new Android malware-as-a-service (MaaS) that allows cybercriminals to generate malicious versions of legitimate apps found on the Google Play Store. Cellik’s framework includes an integrated APK builder that lets attackers pick popular apps and automatically embed a remote access trojan payload, producing repackaged installers that retain the original app’s interface and functionality while carrying hidden malware.
Once installed on a victim’s device, operators can capture and stream the screen, intercept notifications, browse the file system, exfiltrate data and communicate with command-and-control servers over encrypted channels. The tool also features a hidden browser mode and app injection capabilities that can overlay fake login screens or otherwise abuse trusted applications, and its authors claim this repackaging approach may help evade Google Play Protect detection.
Cellik is being advertised on underground forums with subscription pricing, signalling growing accessibility of advanced Android RAT capabilities to less sophisticated threat actors.
French Interior Ministry Confirms Cyberattack on Email Servers - On 11/12 December 2025, the French Ministry of the Interior confirmed it was the victim of a significant cyberattack that compromised its email servers, allowing threat actors to gain access to a number of internal document files, though there is no confirmed evidence of widespread data theft or exfiltration at this stage. The breach was detected overnight, prompting the ministry to tighten security protocols and strengthen access controls as part of an ongoing investigation into the origin and scope of the intrusion.
Interior Minister Laurent Nuñez stated investigators are considering several possibilities, including foreign interference, hacktivism, or cybercrime, but as yet there has been no public attribution to a specific threat actor. Given the ministry’s role in supervising police forces and internal security, it remains a high-value target for sophisticated adversaries, and the incident underscores the challenges government bodies face in protecting critical communications infrastructure.
Threat Actor Weekly Graph
Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.
Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.
Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.
Both intent and opportunity are scored out of 100 and together determine the group's severity score. These updates can be seen below.
Severity levels: Limited, Basic, Moderate, High.
| Threat Actor | Severity (previous → current) | Opportunity (previous → current) | Intent (previous → current) |
|---|---|---|---|
| Sandworm Team | High → High | 77 → 78 | 25 → 25 |
| RALord-RaaS | NEW → Basic | NEW → 30 | NEW → 31 |
| Radiant | NEW → Basic | NEW → 30 | NEW → 31 |
| Doodlejumptraff | NEW → Basic | NEW → 30 | NEW → 25 |
| Payout Kings Ransomware | Basic → Basic | 25 → 25 | 26 → 46 |
Global Trends Powered by Recorded Future
Within each category, we have provided the current top five globally trending items. Each item is marked with a small symbol indicating how actively it is trending.
The spikes in references are calculated over 60 days and are normalised to ensure they aren't disproportionate when compared to bigger entities that will naturally have more baseline mentions.
▲ Spike – a large increase in reporting volume with high diversity in the event descriptions.
▲ Rise – a small increase in reporting volume with little diversity in the descriptions.
| Attackers | Methods | Vulnerabilities | Targets |
|---|---|---|---|
| ShinyHunters ▲ | Denial-Of-Service ▲ | CVE-2025-55182 ▲ | Information Technology ▲ |
| Killnet ▲ | DDoS ▲ | CVE-2025-59718 ▲ | Information Technology ▲ |
| Scattered LAPSUS$ Hunters ▲ | T1005 ▲ | CVE-2025-14174 ▲ | Software ▲ |
| Main Intelligence Directorate ▲ | T1190 ▲ | CVE-2025-8110 ▲ | SoundCloud ▲ |
| j**********u ▲ | Cyber Espionage ▲ | CVE-2025-53773 ▲ | Fortinet ▲ |
Prominent Information Security Events
China-Linked Threat Actor Ink Dragon Expands Espionage Operations to European Government Networks Using ShadowPad IIS Listener and FinalDraft Variant
Source: Insikt Group | Validated Intelligence Event
IOC: Hash - f9dd0b57a5c133ca0c4cab3cca1ac8debdc4a798b452167a1e5af78653af00c1
IOC: Hash - 36f00887f6c0af63ef3c70a60a540c64040b13a4209b975e96ce239e65548d4a
On December 16, 2025, Check Point reported that the China-linked cyber-espionage actor Ink Dragon (also tracked as Jewelbug, REF7707, CL-STA-0049, and Earth Alux) expanded its operations into European government networks. Active since early 2023, the group had previously focused on Southeast Asia and South America, but recent activity shows a broader geographic scope and increased targeting of high-value government infrastructure. Ink Dragon leveraged multiple malware families during these intrusions, including ShadowPad Loader and IIS Listener components, LalsDumper, CDBLoader, 032Loader, and an updated FinalDraft backdoor.
Initial access was achieved by scanning internet-facing Microsoft IIS and SharePoint servers for insecure ASP.NET machineKey configurations or ToolShell-vulnerable endpoints. Ink Dragon exploited predictable machineKey values to perform ViewState deserialization attacks on IIS servers, resulting in remote code execution, and in other cases abused ToolShell vulnerabilities (CVE-2025-49706, CVE-2025-53771, CVE-2025-49704, CVE-2025-53770) to gain unauthenticated RCE and deploy web shells. Following compromise, the actor decrypted IIS configuration data to extract service account credentials, escalated privileges using tools such as PrintNotifyPotato, and moved laterally to nearby servers via reused credentials, RDP tunnels, and SMB shares. Payload staging commonly involved ShadowPad Loader “triads” consisting of a benign-looking executable, a malicious DLL, and an encrypted TMP payload.
Ink Dragon established persistence through SYSTEM-level scheduled tasks and disguised services executing renamed but legitimately signed binaries. Credential access activities included dumping LSASS memory using LalsDumper via a malicious SSP DLL, as well as offline registry hive dumping to recover NTLM hashes and Kerberos tickets. After gaining domain-level access, the threat actor modified local firewall rules to allow unrestricted outbound traffic and deployed the ShadowPad IIS Listener Module on perimeter servers, creating a distributed relay network that masked command-and-control traffic. For long-term access, Ink Dragon deployed a newer FinalDraft variant that abuses Microsoft Graph API mailbox drafts for stealthy C2, supporting operator-defined check-in windows, background data exfiltration, and detailed host profiling. Check Point also observed overlapping but separate activity attributed to RudePanda on some of the same vulnerable servers, noting no direct operational link between the two campaigns.
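As an added example, not code from the digest or from Check Point: a defender-side Python audit of ASP.NET web.config files for the conditions the Ink Dragon intrusions relied on (static or placeholder machineKey values, legacy algorithms, disabled ViewState MAC). The `Finding` class, `audit_config` function and the inline sample config are constructions for this example; the encrypted-section handling assumes the standard configProtectionProvider attribute.

```python
"""Added defender-side audit (not the digest's or Check Point's code): flag
web.config settings that make ViewState deserialization with a recovered
machineKey feasible. Assumed: plain-XML configs; a <machineKey> carrying
configProtectionProvider is an encrypted section and is skipped."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Assumption: current ASP.NET guidance treats these as legacy choices
# (prefer HMACSHA256 or stronger for validation, AES for decryption).
LEGACY_VALIDATION = {"md5", "sha1", "3des", "aes"}
LEGACY_DECRYPTION = {"des", "3des"}

@dataclass(frozen=True)
class Finding:
    path: str
    issue: str

def audit_config(xml_text: str, path: str = "web.config") -> list:
    """Return the Finding objects for one web.config document."""
    findings = []
    root = ET.fromstring(xml_text)
    # A disabled ViewState MAC accepts crafted ViewState regardless of keys.
    for pages in root.iter("pages"):
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append(Finding(path, "enableViewStateMac=false"))
    for mk in root.iter("machineKey"):
        if mk.get("configProtectionProvider"):
            continue  # keys protected at rest; nothing stored in the clear
        for attr in ("validationKey", "decryptionKey"):
            key = mk.get(attr, "AutoGenerate")
            if key.startswith("AutoGenerate"):
                continue
            # Static keys are legitimate in web farms, but each must be
            # unique, random and rotated; a copied sample key is predictable.
            findings.append(Finding(path, f"static {attr}"))
            try:
                int(key, 16)
            except ValueError:
                findings.append(Finding(path, f"{attr} is not hex"))
        val = mk.get("validation", "HMACSHA256").lower()
        if val in LEGACY_VALIDATION:
            findings.append(Finding(path, f"legacy validation={val}"))
        dec = mk.get("decryption", "Auto").lower()
        if dec in LEGACY_DECRYPTION:
            findings.append(Finding(path, f"legacy decryption={dec}"))
    return findings

# Constructed sample config for demonstration only (not a real deployment).
SAMPLE_CONFIG = """<configuration><system.web>
  <pages enableViewStateMac="false" />
  <machineKey validationKey="ABCDEF0123456789ABCDEF0123456789ABCDEF01"
              decryptionKey="REPLACE_ME" validation="SHA1" decryption="3DES" />
</system.web><location path="admin"><system.web>
  <machineKey configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData /></machineKey>
</system.web></location></configuration>"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(f"{finding.path}: {finding.issue}")
```

Run it against every web.config collected from IIS hosts; the encrypted section under `location` produces no finding, while the plaintext section yields six.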
Russian State-Sponsored GRU-Linked Sandworm Cluster Targets Western Critical Infrastructure Via Misconfigured Network Edge Devices In Multi-Year Campaign
Source: Insikt Group | Validated Intelligence Event
IOC: IP - 103[.]11[.]190[.]99
IOC: IP - 217[.]153[.]191[.]190
On December 15, 2025, Amazon Threat Intelligence reported that a Russian military intelligence–associated activity cluster linked to Sandworm targeted Western critical infrastructure, particularly the energy sector, in a campaign active since 2021. In 2025, the threat actor shifted to primarily targeting misconfigured customer network edge devices, reducing its reliance on exploiting newly disclosed vulnerabilities. Between 2021 and 2024, the actor leveraged vulnerabilities in enterprise network and application platforms while also opportunistically targeting misconfigured devices. Amazon confirmed that the compromised assets were customer-managed network appliance software running on EC2 instances and emphasized that the activity did not involve vulnerabilities in AWS services. Amazon also observed infrastructure overlap with a separate Russian-linked cluster and disrupted active threat actor operations through investigation, customer notification, and remediation support.
In this campaign, the threat actor compromised misconfigured routers, VPN gateways, and network management appliances, likely enabling packet-capture functionality to collect authentication traffic traversing those devices. Credentials harvested from captured traffic were then replayed against online services associated with victim organizations. The observed activity followed a consistent pattern: compromise of a misconfigured network edge device, passive credential collection via traffic capture, replay of harvested credentials against external services, and establishment of persistent access to enable follow-on activity and potential lateral movement. These attempts were directed at services commonly used by energy providers, cloud platforms, code repositories, and telecommunications organizations across North America, Europe, and the Middle East.
Remediation Actions
In light of the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable:
- CVE-2025-55182 (React2Shell): This vulnerability can be addressed by updating React Server Components to a fixed version and remediating publicly exposed Next.js deployments.
- PCIe IDE Protocol Vulnerabilities (CVE-2025-9612, CVE-2025-9613, CVE-2025-9614): These issues can be mitigated by applying vendor-provided Engineering Change Notification updates for affected Intel Xeon and AMD EPYC systems and reviewing PCIe transaction handling configurations.
- CVE-2025-8351 (Avast macOS): This vulnerability can be remediated by updating Avast Antivirus on macOS to a fixed release that resolves the heap-based buffer overflow and out-of-bounds read issues.
If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.