Cyber Threat Intelligence Digest: Week 1

7th January 2026 - Threat Reports
  • Vulnerabilities
  • Potential Threats
  • General News
  • Threat Actor Weekly Graph
  • Global Trends Powered by Recorded Future
  • Prominent Information Security Events
  • Remediation Actions

Executive Summary - Highlights of Cyber Threat Intelligence Digest

Vulnerabilities

China-Nexus Threat Actors Earth Lamia and Jackpot Panda Exploit React2Shell Vulnerability (CVE-2025-55182) Following Public Disclosure - On 4 December 2025, Amazon’s Threat Intelligence team reported that multiple China-nexus threat actors, including Earth Lamia, Jackpot Panda, and several previously untracked clusters, are actively exploiting CVE-2025-55182 (React2Shell) in React Server Components (versions 19.0, 19.1.0, 19.1.1, and 19.2.0). The React Team disclosed the vulnerability a day earlier, on 3 December 2025, and released patches in versions 19.0.1, 19.1.2, and 19.2.1. At the time of writing, technical details about the exploitation are not publicly available.

CVE-2025-55182 stems from unsafe payload deserialisation at React Server Function endpoints. Successful exploitation could allow threat actors to execute arbitrary code via crafted HTTP requests, potentially leading to full compromise of the affected back end.

Facebook Discloses CVE-2025-55181 in Proxygen Library - Around 3 December 2025, Facebook patched CVE-2025-55181, a medium-severity vulnerability in proxygen affecting versions v2025.08.25.00 through v2025.12.01.00. CVE-2025-55181 was patched in version v2025.12.02.00. The vulnerability stems from an infinite loop triggered when handling an HTTP request or response body larger than 2^31 bytes, resulting in unbounded memory growth due to repeated vector allocations within proxygen::coro::HTTPQuicCoroSession.

Successful exploitation can exhaust system memory, block the event loop, and ultimately cause the process to crash. At the time of writing, there are no reports of active exploitation.

Apache Patches Stack Exhaustion Vulnerability CVE-2025-59789 Affecting Apache bRPC - On 30 November 2025, Apache patched CVE-2025-59789, a critical-severity vulnerability affecting Apache bRPC versions before 1.15.0. The vulnerability was patched in version 1.15.0. CVE-2025-59789 is an uncontrolled recursion vulnerability in the json2pb JSON parser that allows threat actors to send deeply nested JSON structures to exhaust the call stack. Successful exploitation results in a stack overflow and a server crash. At the time of writing, no active exploitation has been reported.
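The bRPC issue above is a recursion-depth problem: a JSON parser that descends one stack frame per nested array or object can be driven off the end of the stack by an attacker-controlled document. The following added example (not Apache bRPC code, and not the json2pb parser) shows the generic mitigation a service owner can put in front of any recursive parser: measure nesting depth in one non-recursive pass and refuse documents above a bound before they reach the parser. The depth limit of 64 is an assumed policy value.

```python
"""Depth-limited JSON intake guard (added example; not Apache bRPC code).

Mitigation pattern for uncontrolled-recursion parsers such as the one in
CVE-2025-59789: bound nesting depth with an O(n) scan that never recurses,
then hand only accepted input to the real parser.
"""
import json

MAX_DEPTH = 64  # assumed policy value; tune to the deepest legitimate message


def json_nesting_depth(text: str) -> int:
    """Return the maximum bracket nesting depth of `text` without recursing.

    String literals are skipped (including escaped quotes) so brackets inside
    strings are not counted.  Mismatched brackets are left for the real parser
    to reject; this function only bounds depth.
    """
    depth = 0
    max_depth = 0
    in_string = False
    escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > max_depth:
                max_depth = depth
        elif ch in "]}":
            depth -= 1
    return max_depth


class NestingTooDeep(ValueError):
    """Raised when a document exceeds the configured nesting bound."""


def safe_loads(text: str, max_depth: int = MAX_DEPTH):
    """Parse JSON only after the non-recursive depth check passes."""
    depth = json_nesting_depth(text)
    if depth > max_depth:
        raise NestingTooDeep(f"nesting depth {depth} exceeds limit {max_depth}")
    return json.loads(text)


def demo() -> dict:
    """Run the guard over a normal message and a constructed pathological one."""
    normal = '{"id": 7, "tags": ["a", "b"], "meta": {"k": "[not a bracket]"}}'
    pathological = "[" * 100_000 + "]" * 100_000  # constructed deep-nesting input
    results = {"normal_depth": json_nesting_depth(normal)}
    try:
        safe_loads(pathological)
        results["pathological"] = "accepted"
    except NestingTooDeep:
        results["pathological"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The scan runs before parsing, so the pathological document is rejected without a single recursive call; the bracket inside the string value is correctly ignored, which is the edge case a naive character count gets wrong.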

Potential Threats

Researchers Identify Holiday-Themed Phishing Campaigns Using DocuSign Branding and Fraudulent Loan Emails to Steal Credentials and Financial Data - On 22 December 2025, Forcepoint published an analysis describing two holiday-themed email patterns observed during the Christmas and New Year period: DocuSign-branded phishing that captured corporate credentials and holiday loan emails that collected personal and banking data.

According to Forcepoint, threat actors sent DocuSign-branded “Review Document” emails to prompt users to click. The messages used authentic-looking branding but routed victims through non-DocuSign infrastructure hosted on third-party content delivery and user-generated hosting services, such as Fastly, Glitch, and Surge[.]sh, before displaying a fake login page that captured the corporate email credentials entered by the victim.

Malicious NPM Packages Deliver Backdoor Payload in NeoShadow Campaign - On 5 January 2026, Aikido Security reported on a Node Package Manager (npm) supply-chain campaign tracked as NeoShadow, involving typosquatted JavaScript packages impersonating popular web3 and frontend dependencies. The malicious packages, uploaded in late December 2025, executed a hidden installer that targeted Windows systems and deployed a stealthy backdoor.

Aikido Security assessed that the malware used multi-stage execution, including abuse of MSBuild and process injection into RuntimeBroker.exe, to establish encrypted command-and-control over HTTPS. The backdoor supported system reconnaissance, in-memory payload execution, and additional payload delivery, while evading detection through obfuscation and suppression of Windows telemetry. A second iteration identified in early January 2026 introduced a native Node.js add-on, increasing complexity and resistance to analysis.

Threat Actors Abuse Google Cloud Services to Steal Microsoft Credentials in Phishing Campaign - On 6 January 2026, Malwarebytes disclosed an ongoing phishing campaign in which threat actors send fake Google notifications to steal usernames and passwords. The threat actors send from the legitimate address noreply-application-integration@google[.]com by abusing the Send Email feature of Google Cloud Application Integration.

The attack chain begins with phishing emails that reference routine actions, such as voicemail alerts or document access, and include links to legitimate Google Cloud Storage URLs. When a victim clicks the link, the workflow redirects them through a second Google-owned domain, googleusercontent[.]com, which presents a CAPTCHA-style check to frustrate automated analysis and evade defences. After completing the check, the victim is redirected to a look-alike Microsoft 365 sign-in page hosted on a non-Microsoft domain, where any entered credentials are immediately captured by the threat actors. Google confirmed that it blocked multiple campaigns and emphasised that the activity resulted from abuse of a workflow automation feature, not a compromise of Google’s infrastructure.
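Both campaigns in this section share a detectable shape: the mail invokes a brand (DocuSign, Microsoft) while its links resolve to hosting that brand does not own, and in the Google case the sender is genuine but the link lands on Google Cloud Storage content. The added example below (not Forcepoint or Malwarebytes tooling) applies those two observations as mail-triage rules over three constructed messages. The brand domain allow-list and the shared-hosting list are assumptions for the example, not a vetted configuration, and the sample hosts are illustrative rather than observed indicators.

```python
"""Link-versus-brand triage for inbound mail (added example; not vendor tooling).

Rules encode what the DocuSign and Google-notification campaigns above have in
common: a brand is named in the text, but the links go elsewhere.
"""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Assumed: domains a brand legitimately sends links to.
BRAND_DOMAINS = {
    "docusign": {"docusign.com", "docusign.net"},
    "microsoft": {"microsoft.com", "microsoftonline.com", "office.com"},
}

# Assumed: shared hosting, CDN and cloud-storage domains anyone can publish on.
SHARED_HOSTING = {
    "surge.sh",
    "glitch.me",
    "fastly.net",
    "storage.googleapis.com",
    "googleusercontent.com",
}

# Legitimate Google sender that the reported campaign abused via the
# Application Integration "Send Email" feature.
GOOGLE_INTEGRATION_SENDER = "noreply-application-integration@google.com"


def host_under(host: str, domain: str) -> bool:
    """True if host is `domain` itself or any subdomain of it."""
    return host == domain or host.endswith("." + domain)


def link_hosts(body: str) -> set:
    """Extract the lower-cased hostnames of every URL in the message body."""
    hosts = set()
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;)")  # drop trailing punctuation from surrounding prose
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def triage(msg: dict) -> list:
    """Return human-readable findings for one message (empty list = nothing odd)."""
    findings = []
    text = f"{msg['subject']} {msg['body']}".lower()
    hosts = link_hosts(msg["body"])

    # Rule 1: the mail names a brand but its links leave that brand's domains.
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in text:
            foreign = sorted(h for h in hosts if not any(host_under(h, d) for d in allowed))
            if foreign:
                findings.append(f"mentions {brand} but links to {', '.join(foreign)}")

    # Rule 2: links point at hosting anyone can publish to.
    for host in sorted(hosts):
        if any(host_under(host, d) for d in SHARED_HOSTING):
            findings.append(f"link hosted on shared/third-party service: {host}")

    # Rule 3: genuine Google integration sender; confirm an internal workflow owns it.
    if msg["sender"].lower() == GOOGLE_INTEGRATION_SENDER:
        findings.append("sent via Google Cloud Application Integration; verify a known workflow produced it")

    return findings


# Constructed sample messages (hosts are illustrative, not observed IOCs).
SAMPLES = {
    "docusign_lure": {
        "sender": "docs@example-sender.test",
        "subject": "Review Document",
        "body": "DocuSign: please review and sign https://review-docs.surge.sh/view/8841.",
    },
    "google_lure": {
        "sender": GOOGLE_INTEGRATION_SENDER,
        "subject": "New voicemail message",
        "body": "Listen now: https://storage.googleapis.com/example-bucket/voicemail.html (Microsoft 365 sign-in required)",
    },
    "benign_docusign": {
        "sender": "dse@docusign.net",
        "subject": "Completed: Contract",
        "body": "Your DocuSign envelope is complete: https://app.docusign.com/documents/details/abc",
    },
}


def triage_all() -> dict:
    """Triage every sample and return findings keyed by sample name."""
    return {name: triage(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in triage_all().items():
        print(name, findings or ["clean"])
```

Rule 3 deliberately does not block on its own: the sender is a real Google address that legitimate Application Integration workflows also use, so the right action is to confirm whether an internal workflow generated the message rather than to reject everything from it.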

General News

UK government admits years of cyber policy have failed, announces reset - In early January 2026, the UK government acknowledged that its long-standing approach to securing public sector systems has been ineffective and confirmed it will not meet its previous goal of protecting all government organisations from known cyber threats by 2030. The admission accompanied the release of a new Government Cyber Action Plan, described as a significant reset in how Whitehall manages cyber risk.

The action plan outlines a shift away from voluntary guidance towards a more centralised and mandatory model, including the creation of a Government Cyber Unit to set policy, coordinate response, and establish clearer accountability. It highlights systemic weaknesses driven by unclear ownership, supply-chain risk, legacy technology, and underinvestment, warning that cyber risk across the public sector remains critically high despite years of mitigation efforts.

UK-Based Higham Lane School Reports IT Outage Following Suspected Cyberattack on Internal Systems - On 3 January 2026, UK-based Higham Lane School announced plans to close until 7 January 2026 following a cyberattack that disrupted its IT infrastructure. The incident resulted in the loss of access to key digital services, including email, telephones, servers, and school management systems.

In an update issued on 5 January 2026, the school confirmed the disruption was ongoing and instructed staff and students not to access any school platforms, including Google Classroom and SharePoint, until further notice. The school stated it was continuing its response with support from the Department for Education’s Cyber Incident Response Team and external IT partners.

Higham Lane School did not disclose the identity of the threat actors, and the initial access vector remains unknown.

Jaguar Land Rover wholesale volumes down 43% after cyberattack - In January 2026, Jaguar Land Rover (JLR) disclosed that a cyberattack in September 2025 caused a 43% year-on-year decline in third-quarter wholesale volumes, driven by prolonged production disruption and delays in global vehicle distribution. Manufacturing only returned to normal levels by mid-November following a phased restart, significantly limiting order fulfilment.

JLR reported that the incident, which also involved data theft later claimed by a cybercrime collective, cost the company approximately £196 million in the quarter and contributed to wider economic impact noted by the Bank of England. The disruption affected all major markets and prompted UK government intervention in late September through a £1.5 billion loan guarantee to stabilise JLR’s supply chain and resume production.

Threat Actor Weekly Graph

Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.

Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.

Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.

Both intent and opportunity are scored out of 100 and together determine the group's severity. These updates can be seen below.

Severity scale: Limited, Basic, Moderate, High

Threat Actor                  | Severity Increase | Opportunity | Intent
POisoN                        | NEW → Basic       | NEW → 30    | NEW → 49
Sandworm Team                 | NEW → Basic       | NEW → 25    | NEW → 5
RALord-RaaS                   | Basic → Basic     | 30 → 45     | 49 → 49
Radiant                       | Basic → Basic     | 30 → 25     | 35 → 30
Arcus Media Ransomware Group  | Basic → Basic     | 25 → 30     | 36 → 36

Global Trends Powered by Recorded Future

Within each category, we have provided the current top five globally trending items. Each item is marked with a small symbol indicating how actively it is trending.

The spikes in references are calculated over 60 days and are normalised to ensure they aren't disproportionate when compared to bigger entities that will naturally have more baseline mentions.

- Spike – This indicates a large increase in reporting volume and a high diversity in the event descriptions.
- Rise – This indicates a small increase in reporting volume with little diversity in the descriptions.

Attackers              | Methods           | Vulnerabilities              | Targets
Martha Root            | Lynx Ransomware   | CVE-2026-0625                | Manage My Health
Lynx Ransomware Group  | T1566 (Phishing)  | CVE-2025-14847 (MongoBleed)  | Ledger
Crimson Collective     | ClickFix          | CVE-2025-38352               | Global-e
zestix                 | Stealware         | CVE-2026-21877               | Bitmart
PubPeer                | Sinobi            | CVE-2020-0096                | NordVPN

Prominent Information Security Events

Researchers Identify Holiday-Themed Phishing Campaigns Using DocuSign Branding and Fraudulent Loan Emails to Steal Credentials and Financial Data

Source: Insikt Group | Validated Intelligence Event

IOC: IP - 195[.]54[.]161[.]105

IOC: Domain - financier[.]com

On 22 December 2025, Forcepoint published an analysis describing two holiday-themed email patterns observed during the Christmas and New Year period: DocuSign-branded phishing that captured corporate credentials and holiday loan emails that collected personal and banking data.

According to Forcepoint, threat actors sent DocuSign-branded “Review Document” emails designed to prompt users to click. The messages used authentic-looking branding but routed victims through non-DocuSign infrastructure hosted on third-party content delivery and user-generated hosting services, such as Fastly, Glitch, and Surge, before displaying a fake login page that captured corporate email credentials entered by the victim. Threat actors also sent holiday loan emails that redirected victims to an online questionnaire presented as a loan application.

The questionnaire requested a loan amount and then asked victims to enter their identity details, employment and income information, and bank details. After submission, threat actors redirected victims to additional fraudulent websites that continued to collect personal and financial data.

Malicious NPM Packages Deliver Backdoor Payload in NeoShadow Campaign

Source: Insikt Group | Validated Intelligence Event

IOC: Domain - metrics[-]flow[.]com

IOC: IP - 80[.]78[.]22[.]206

Once installed, the malicious NPM package runs a JavaScript file that initiates a multi-stage infection chain on Windows systems. The script first validates its environment by checking the operating system and reviewing recent Windows event logs to avoid running on non-genuine workstations. It then attempts to obtain a command-and-control address from an Ethereum smart contract, falling back to a hard-coded domain if this fails.

The malware downloads a secondary JavaScript payload and extracts a Base64-encoded component, which it executes by creating a temporary MSBuild project containing inline C# code. This code decrypts the payload into shellcode, spawns a suspended RuntimeBroker.exe process, injects the shellcode into memory, and executes it using APC injection. In some cases, a configuration file is also written to the user’s AppData directory.

Aikido Security identified the shellcode as a backdoor capable of collecting system information, communicating with the C2 over encrypted HTTPS, adjusting beacon intervals, and executing further payloads entirely in memory. The malware encrypts its traffic, disguises network activity, and suppresses telemetry to evade detection. A second NeoShadow variant identified in early January 2026 introduced stronger obfuscation and a native Node.js component, further complicating analysis.
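The NeoShadow chain described in this section and in the Potential Threats summary leaves a distinctive process lineage: a Node.js process (the npm install) launches MSBuild against a project in a temporary directory, and MSBuild then spawns RuntimeBroker.exe as the injection host. On a clean Windows system RuntimeBroker.exe is started by svchost.exe, so any other parent is anomalous. The added example below (not Aikido Security's detection logic) encodes those relationships as rules over Sysmon-style process-creation records; the sample events are constructed, and the rule names and field layout are assumptions for the example.

```python
"""Process-tree checks for the NeoShadow chain (added example; not Aikido code).

Each ProcEvent mirrors the fields of a process-creation record (pid, parent
pid, image path, command line).  The sample telemetry is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str


def image_name(path: str) -> str:
    """Lower-cased file name of an image path, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(by_pid: dict, pid: int, limit: int = 8) -> list:
    """Image names from `pid` upwards, nearest first, stopping at unknown parents."""
    names = []
    ev = by_pid.get(pid)
    while ev is not None and len(names) < limit:
        names.append(image_name(ev.image))
        ev = by_pid.get(ev.ppid)
    return names


def detect(events: list) -> list:
    """Return (rule_id, pid) pairs for events matching the NeoShadow-style chain."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        name = image_name(e.image)
        parent = by_pid.get(e.ppid)
        pname = image_name(parent.image) if parent else ""
        cmd = e.cmdline.lower()

        if name == "msbuild.exe":
            # MSBuild started by a Node.js process (e.g. an npm lifecycle script).
            if pname == "node.exe":
                alerts.append(("msbuild_from_node", e.pid))
            # MSBuild building a project dropped in a temp directory.
            if "\\temp\\" in cmd or "\\tmp\\" in cmd:
                alerts.append(("msbuild_temp_project", e.pid))

        if name == "runtimebroker.exe" and pname and pname != "svchost.exe":
            alerts.append(("runtimebroker_unexpected_parent", e.pid))
            chain = ancestry(by_pid, e.pid)
            # Full node -> MSBuild -> RuntimeBroker lineage, with MSBuild nearer than node.
            if ("msbuild.exe" in chain and "node.exe" in chain
                    and chain.index("msbuild.exe") < chain.index("node.exe")):
                alerts.append(("node_msbuild_runtimebroker_chain", e.pid))
    return alerts


# Constructed sample telemetry: one benign RuntimeBroker, one benign MSBuild
# build from Visual Studio, and one suspicious chain.
SAMPLE_EVENTS = [
    ProcEvent(100, 4, r"C:\Windows\System32\svchost.exe", "svchost.exe -k DcomLaunch"),
    ProcEvent(200, 100, r"C:\Windows\System32\RuntimeBroker.exe", "RuntimeBroker.exe -Embedding"),
    ProcEvent(60, 4, r"C:\Program Files\Microsoft Visual Studio\devenv.exe", "devenv.exe"),
    ProcEvent(400, 60, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r"MSBuild.exe C:\src\app\app.csproj"),
    ProcEvent(50, 4, r"C:\Windows\System32\cmd.exe", "cmd.exe /c npm install"),
    ProcEvent(300, 50, r"C:\Program Files\nodejs\node.exe", "node.exe install.js"),
    ProcEvent(310, 300, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r"MSBuild.exe C:\Users\u\AppData\Local\Temp\a1b2.proj /nologo"),
    ProcEvent(320, 310, r"C:\Windows\System32\RuntimeBroker.exe", "RuntimeBroker.exe"),
]


def run_sample() -> list:
    """Run detection over the constructed telemetry, sorted for stable output."""
    return sorted(detect(SAMPLE_EVENTS))


if __name__ == "__main__":
    for rule, pid in run_sample():
        print(f"{rule:36s} pid={pid}")
```

The benign Visual Studio build and the svchost-launched RuntimeBroker produce nothing; only the npm-originated MSBuild and its RuntimeBroker child fire, and the lineage rule ties the two together so an analyst sees one chain rather than four unrelated hits.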

Remediation Actions

Based on the information provided above, we recommend that the technologies mentioned be fully patched and updated. In particular, we recommend applying the following patches where applicable:

  • CVE-2025-55182 (React2Shell – React Server Components) – This vulnerability can be addressed by upgrading React Server Components to patched versions 19.0.1, 19.1.2, or 19.2.1, and ensuring all exposed server function endpoints are updated accordingly.

  • CVE-2025-55181 (Facebook Proxygen Library) – This vulnerability can be addressed by updating the proxygen library to version v2025.12.02.00 or later to prevent memory exhaustion and process crashes.

  • CVE-2025-59789 (Apache bRPC Stack Exhaustion) – This vulnerability can be addressed by upgrading Apache bRPC to version 1.15.0 or later, which includes fixes for the uncontrolled recursion issue in the json2pb parser.
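The three items above have different shapes of affected range: React is fixed per minor line (19.0.1, 19.1.2, 19.2.1), proxygen is a closed window of date-stamped tags, and bRPC is a simple "below 1.15.0". A version check that treats them all as one threshold will misjudge at least one of them. The added example below (not vendor tooling) encodes exactly the ranges stated in this digest; the version-string parsing and the inventory format are assumptions for the example.

```python
"""Affected-version checks for this week's remediation list (added example).

Affected and fixed versions are taken from the digest text:
  CVE-2025-55182  React Server Components 19.0, 19.1.0, 19.1.1, 19.2.0;
                  fixed in 19.0.1 / 19.1.2 / 19.2.1 (one fix per minor line)
  CVE-2025-55181  proxygen v2025.08.25.00 through v2025.12.01.00; fixed in v2025.12.02.00
  CVE-2025-59789  Apache bRPC before 1.15.0; fixed in 1.15.0
"""
import re


def parse_version(text: str) -> tuple:
    """Turn '19.1.1', 'v2025.12.01.00' or '1.15.0' into a comparable integer tuple."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


# React: each affected minor line has its own fixed release, so compare per line.
REACT_FIXED_BY_LINE = {
    (19, 0): (19, 0, 1),
    (19, 1): (19, 1, 2),
    (19, 2): (19, 2, 1),
}

PROXYGEN_FIRST_AFFECTED = (2025, 8, 25, 0)
PROXYGEN_LAST_AFFECTED = (2025, 12, 1, 0)

BRPC_FIXED = (1, 15, 0)


def react_affected(version: str) -> bool:
    """CVE-2025-55182: 19.0, 19.1.0, 19.1.1 and 19.2.0 are affected."""
    v = parse_version(version)
    fixed = REACT_FIXED_BY_LINE.get(v[:2])
    if fixed is None:
        return False  # minor line not listed in the advisory text quoted above
    # '19.0' parses to (19, 0), which sorts before (19, 0, 1) as intended.
    return v < fixed


def proxygen_affected(version: str) -> bool:
    """CVE-2025-55181: v2025.08.25.00 through v2025.12.01.00 inclusive."""
    v = parse_version(version)
    return PROXYGEN_FIRST_AFFECTED <= v <= PROXYGEN_LAST_AFFECTED


def brpc_affected(version: str) -> bool:
    """CVE-2025-59789: every release before 1.15.0."""
    return parse_version(version) < BRPC_FIXED


CHECKS = {
    "react-server-components": ("CVE-2025-55182", react_affected, "19.0.1 / 19.1.2 / 19.2.1"),
    "proxygen": ("CVE-2025-55181", proxygen_affected, "v2025.12.02.00"),
    "brpc": ("CVE-2025-59789", brpc_affected, "1.15.0"),
}


def assess(component: str, version: str) -> dict:
    """Evaluate one inventory entry against the digest's ranges."""
    cve, check, fixed_in = CHECKS[component]
    return {"component": component, "version": version, "cve": cve,
            "affected": check(version), "fixed_in": fixed_in}


def assess_inventory(inventory: list) -> list:
    """Return only the entries that still need patching."""
    return [r for r in (assess(c, v) for c, v in inventory) if r["affected"]]


# Constructed inventory for the demonstration (component name, version).
SAMPLE_INVENTORY = [
    ("react-server-components", "19.1.1"),
    ("react-server-components", "19.2.1"),
    ("proxygen", "v2025.12.01.00"),
    ("proxygen", "v2025.12.02.00"),
    ("brpc", "1.14.0"),
    ("brpc", "1.15.0"),
]


if __name__ == "__main__":
    for f in assess_inventory(SAMPLE_INVENTORY):
        print(f"{f['component']} {f['version']}: {f['cve']} -> upgrade to {f['fixed_in']}")
```

The per-line map for React is the part worth copying: a naive "anything below 19.2.1" rule would wrongly flag a patched 19.1.2 install, while "anything below 19.0.1" would miss every 19.1 and 19.2 deployment.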

If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.