Cyber Threat Intelligence Digest: Week 52

31st December 2025 - Threat Reports
  • Vulnerabilities
  • Potential Threats
  • General News
  • Threat Actor Weekly Graph
  • Global Trends Powered by Recorded Future
  • Prominent Information Security Events
  • Remediation Actions

Executive Summary - Highlights of Cyber Threat Intelligence Digest

Vulnerabilities

Microsoft Patched CVE-2025-54100 Vulnerability in Windows PowerShell - On 9 December 2025, Microsoft released security updates for CVE-2025-54100, a high-severity command injection vulnerability affecting Windows PowerShell 5.1. On 13 December 2025, a GitHub user published an alleged proof-of-concept (PoC) demonstrating the issue.

The vulnerability is caused by improper handling of untrusted web content when the Invoke-WebRequest command is executed with Internet Explorer–based HTML parsing enabled. This allows attacker-controlled content to inject and execute commands in the current user context. The PoC hosts a malicious web page that leverages ActiveX objects to attempt execution of calc.exe, demonstrating potential arbitrary code execution.

Trust Wallet Disclosed Security Incident Affecting Browser Extension - On 24 December 2025, Trust Wallet disclosed a security incident impacting Trust Wallet browser extension version 2.68 and advised users to disable the extension and upgrade to version 2.69 via the official Chrome Web Store. The company stated it is actively investigating the issue, though technical details and impact remain unclear.

On the same day, a researcher claimed on X that the incident may involve a supply-chain compromise in the December 2025 update, with alleged theft exceeding $2 million from affected wallets. Trust Wallet has not confirmed these claims or reported evidence of active exploitation.

ConnectWise Patched Critical CVE-2025-14265 in ScreenConnect - On 11 December 2025, ConnectWise released a patch for CVE-2025-14265, a critical-severity vulnerability affecting ScreenConnect versions prior to 25.8. At the time of writing, there were no reports of active exploitation.

The vulnerability is caused by insufficient server-side validation and missing integrity checks, potentially allowing attackers with elevated access to download untrusted code, access configuration data, or install malicious extensions under administrative conditions.

Potential Threats

Analysis of React2Shell Exploitation Leading to Weaxor Ransomware Deployment - On 16 December 2025, S-RM reported a financially motivated intrusion in which a threat actor exploited CVE-2025-55182 (React2Shell) to compromise an unnamed organisation and deploy Weaxor ransomware. The vulnerability affects React Server Components and enables remote code execution through crafted HTTP requests, though attribution to a specific threat actor remains unconfirmed.

According to S-RM, the attacker gained initial access by exploiting the vulnerable server, with limited forensic evidence due to log clearing. Post-compromise activity included executing obfuscated PowerShell to deploy a Cobalt Strike beacon, disabling Windows Defender, and delivering the Weaxor ransomware payload. The malware encrypted files with a “.weax” extension, dropped ransom notes, and likely exfiltrated the victim’s public IP address before deleting logs and shadow copies.

Analysis of CVE-2025-20393 Exploitation Against Cisco AsyncOS Systems - Between late November and 10 December 2025, the threat actor tracked as UAT-9686 targeted Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances running Cisco AsyncOS by exploiting CVE-2025-20393. This improper input validation vulnerability allowed arbitrary command execution with root privileges, enabling full system compromise.

Cisco Talos reported on 17 December 2025 that affected systems had the Spam Quarantine interface exposed to the internet and confirmed deployment of multiple malicious tools. Post-exploitation activity included installing the AquaShell Python-based web backdoor, along with AquaTunnel, Chisel, and AquaPurge, to enable persistent access, tunnelling, and log manipulation. Analysts assessed moderate confidence that the activity is linked to Chinese-nexus operations due to overlaps with techniques and tooling associated with APT41 and UNC5174.

Glassworm Campaign Wave 4 Targets macOS Systems - On 29 December 2025, Koi Security reported on the fourth wave of the Glassworm campaign, observed on 19 December 2025. Glassworm is a self-propagating worm distributed through malicious Visual Studio Code extensions on the OpenVSX marketplace, using a supply-chain attack for initial access. While earlier waves focused on Windows systems, this wave shifted to macOS, disguising itself as legitimate developer extensions and embedding encrypted payloads with delayed execution to evade detection. The malicious extensions remained available for several days and were downloaded around 50,000 times.

After execution, the extensions decrypted a JavaScript payload that used the Solana blockchain to retrieve command-and-control endpoints before deploying a macOS payload. This enabled credential theft, persistence, and data exfiltration, targeting macOS Keychain data, browser credentials, developer secrets, and numerous cryptocurrency wallets. Although attempts to install trojanised wallet applications failed at the time of analysis, Glassworm still successfully established persistence and exfiltrated sensitive data, highlighting the ongoing risk posed by compromised developer ecosystems.

General News

Two Chrome Extensions Secretly Steal Credentials from 170+ Sites - On 23 December 2025, cybersecurity researchers disclosed that two malicious Google Chrome extensions were discovered intercepting user traffic and stealing credentials from more than 170 popular websites. The extensions, both named Phantom Shuttle and published by the same developer, masqueraded as a “multi-location network speed test plug-in” and were offered on the Chrome Web Store.

Once installed and activated (often after users paid a subscription fee), the extensions enabled a hidden proxy mode that routed users’ web traffic through attacker-controlled servers. Through this man-in-the-middle proxy and embedded scripts, the extensions could capture and exfiltrate authentication credentials, form data, API keys, cookies, and other sensitive information from targeted domains, which included major cloud services, developer platforms, and social networks.

The malicious functionality remained obscured behind legitimate-looking features such as network latency tests to maintain user trust. Security experts advise affected users to immediately uninstall the extensions and deploy stricter browser extension controls to prevent similar threats in the future.

Hacker Claims Leak of WIRED Subscriber Database - On 20 December 2025, a threat actor claimed to have leaked a WIRED subscriber database containing approximately 2.3 million records, allegedly obtained from parent company Condé Nast. The exposed data includes subscriber IDs and email addresses, with some records also containing names, phone numbers, physical addresses, birthdays, and gender.

The data was posted on a hacking forum, with the attacker alleging that Condé Nast ignored prior vulnerability reports. Data samples were independently verified as belonging to real WIRED subscribers, and the breach has since been added to the Have I Been Pwned notification service.

Condé Nast has not officially confirmed the breach or disclosed details about the intrusion. The incident highlights ongoing risks to subscriber data held by large media organisations and the potential for further leaks affecting other Condé Nast publications.

Massive Rainbow Six Siege Security Breach - In late December 2025, Ubisoft confirmed a major breach affecting Tom Clancy’s Rainbow Six Siege that allowed attackers to abuse internal systems and grant players billions of R6 Credits and Renown, the game’s premium and earnable currencies. Hackers were also able to unlock cosmetic items and manipulate moderation features.

In response, Ubisoft temporarily shut down the game and its Marketplace and initiated a rollback to reverse unauthorised currency and item changes. The company stated that affected players would not be penalised for spending the credits during the incident.

Ubisoft gradually restored services after implementing fixes and additional safeguards, though it has not publicly disclosed the root cause of the breach. The incident underscores the security risks facing large live-service gaming platforms.

Threat Actor Weekly Graph

Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.

Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.

Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.

Both intent and opportunity are scored out of 100, and together they determine the group's severity rating. This week's updates are shown below.


Severity bands: Limited Severity | Basic Severity | Moderate Severity | High Severity

Threat Actor                   | Severity (previous, current) | Opportunity (previous, current) | Intent (previous, current)
BlackShrantac Ransomware Group | Basic, Basic                 | 40, 40                          | 30, 40
Gunra Ransomware Group         | Basic, Basic                 | 30, 30                          | 35, 45
Cloak Ransomware Group         | Basic, Basic                 | 35, 35                          | 26, 36
Kazu Ransomware Group          | Basic, Basic                 | 25, 25                          | 26, 36
Arcus Media Ransomware Group   | Basic, Basic                 | 30, 25                          | 49, 49

Global Trends Powered by Recorded Future

Within each category, we have provided the current top five globally trending items. Each item is marked with a small symbol showing how actively it is trending.

The spikes in references are calculated over 60 days and are normalised to ensure they aren't disproportionate when compared to bigger entities that will naturally have more baseline mentions.

- Spike – This indicates a large increase in reporting volume and a high diversity in the event descriptions.
- Rise – This indicates a small increase in reporting volume with little diversity in the descriptions.

Attackers                                               | Methods                         | Vulnerabilities              | Targets
Handala Hack Team                                       | Stealware                       | CVE-2025-14847 (MongoBleed)  | DApps Platform Inc.
PalachPro                                               | T1005 (Data from Local System)  | CVE-2025-54322               | Trust Wallet
Iranian Hackers                                         | TA0009 (Collection)             | CVE-2020-12812               | Insurance
Lovely                                                  | Malicious Update                | CVE-2008-0166                | Aflac
Lapsus$ Group (DEV-0537, Strawberry Tempest, UNC3661)   | WebRAT                          | MS08-067                     | Ubisoft


Prominent Information Security Events

Analysis of React2Shell Exploitation Leading to Weaxor Ransomware Deployment 

Source: Insikt Group | Validated Intelligence Event

IOC: IP - 45[.]221[.]113[.]96

IOC: Hash - 05f4407eb2e413c3babdc3054e6db032cadc51b2

On 16 December 2025, S-RM reported that a financially motivated threat actor exploited CVE-2025-55182 (React2Shell), a critical remote code execution vulnerability in React Server Components, to compromise an unnamed organisation and deploy Weaxor ransomware. At the time of reporting, the activity had not been attributed to a specific threat actor.

The intrusion began with the exploitation of a vulnerable server, leaving limited forensic evidence due to log clearing. However, S-RM identified contextual indicators consistent with React2Shell exploitation, including localhost file server connections associated with the vulnerable process and the spawning of cmd.exe and PowerShell.exe from node.exe.
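To show how the node.exe parent/child indicator described above can be checked against endpoint telemetry, here is an added Python example (not S-RM's or this digest's own code) that runs two checks over constructed Sysmon-style process-creation records. The field layout, the sample values and the encoded-command heuristic are assumptions made for the example.

```python
import re
# Constructed Sysmon Event ID 1-style "key=value" records (field names and
# values are assumptions for this example, not S-RM's telemetry).
SAMPLE_EVENTS = [
    "UtcTime=2025-12-10 03:14:07 ParentImage=C:\\Program Files\\nodejs\\node.exe "
    "Image=C:\\Windows\\System32\\cmd.exe "
    "CommandLine=cmd.exe /c powershell -nop -w hidden -enc cGxhY2Vob2xkZXJz",
    "UtcTime=2025-12-10 03:14:09 ParentImage=C:\\Windows\\System32\\cmd.exe "
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell -nop -w hidden -enc cGxhY2Vob2xkZXJz",
    "UtcTime=2025-12-10 08:00:00 ParentImage=C:\\Windows\\explorer.exe "
    "Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe",
]

# A value runs until the next " Key=" token; fine for this layout, not a general Sysmon parser.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# -e / -enc / -EncodedCommand followed by a base64-looking blob (placeholder value above).
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{8,}")

def parse_event(line):
    return dict(FIELD_RE.findall(line))

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def is_node_shell_spawn(event):
    # The parent/child pair S-RM observed: node.exe launching cmd.exe or PowerShell.
    return (basename(event.get("ParentImage", "")) == "node.exe"
            and basename(event.get("Image", "")) in SHELLS)

def is_encoded_powershell(event):
    # Encoded command lines are the usual shape of an obfuscated beacon launcher.
    cmd = event.get("CommandLine", "")
    return "powershell" in cmd.lower() and ENCODED_RE.search(cmd) is not None

def triage(lines):
    """Return (UtcTime, child image, reasons) for each record that trips a check."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = []
        if is_node_shell_spawn(ev):
            reasons.append("shell spawned by node.exe")
        if is_encoded_powershell(ev):
            reasons.append("encoded PowerShell command")
        if reasons:
            hits.append((ev["UtcTime"], basename(ev.get("Image", "")), reasons))
    return hits
```

Only the first record trips both checks; the benign explorer.exe launch of cmd.exe is left alone, which is the point of keying on the parent process rather than on cmd.exe itself.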

Following initial access, the threat actor deployed a Cobalt Strike beacon via an obfuscated PowerShell command, disabled Windows Defender protections, and executed the Weaxor ransomware payload. The malware encrypted files, appended the “.weax” extension, and dropped ransom notes, while also collecting the victim’s public IP address, likely for exfiltration to command-and-control in.

Analysis of CVE-2025-20393 Exploitation Against Cisco AsyncOS Systems 

Source: Insikt Group | Validated Intelligence Event

IOC: IP - 172[.]237[.]29[.]147

IOC: Hash - 2db8ad6e0f43e93cc557fbda0271a436f9f2a478b1607073d4ee3d20a87ae7ef

Between late November and 10 December 2025, Cisco Talos reported that threat actor UAT-9686 exploited CVE-2025-20393, an improper input validation vulnerability in Cisco Secure Email Gateway and Cisco Secure Email and Web Manager running AsyncOS, to gain root-level command execution. The activity targeted systems with the Spam Quarantine interface exposed to the internet and has been assessed with moderate confidence as linked to China-nexus operations, based on overlaps with known APT41 and UNC5174 techniques and infrastructure.

The attack chain began with the exploitation of CVE-2025-20393 to obtain privileged access, after which the threat actor deployed AquaShell, a Python-based persistent backdoor embedded in the web interface that executes unauthenticated commands. UAT-9686 then used AquaTunnel and Chisel to establish reverse SSH connections and HTTP tunnels for remote access and lateral movement, and finally ran AquaPurge to selectively delete logs and reduce the chance of detection.

Remediation Actions

Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable: 

  • CVE-2025-54100 (Microsoft PowerShell Vulnerability) - This vulnerability can be addressed by installing Microsoft's December security update.
  • Trust Wallet 2.68 Vulnerability - This vulnerability can be addressed by updating the browser extension to 2.69 via the official Chrome Web Store.
  • CVE-2025-14265 (ScreenConnect) - This vulnerability can be addressed by upgrading to ScreenConnect version 25.8 and updating your guest clients to the same version.

If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.