Daily Brief

The article summaries below are generated automatically.

Total articles found: 12611


2026-01-02 09:14:34 thehackernews CYBERCRIME Cybercriminals Exploit Google Cloud Email for Sophisticated Phishing Campaign
Cybersecurity researchers uncovered a phishing campaign exploiting Google Cloud's Application Integration service to send messages that are genuinely Google-generated, targeting approximately 3,200 customers globally. Attackers sent 9,394 phishing emails over a 14-day period in December 2025, affecting organizations across sectors including manufacturing, technology, finance, and retail. Because the messages originate from Google Cloud's own infrastructure and the "noreply-application-integration@google[.]com" address, they pass email authentication and security filters and appear credible to recipients. The phishing emails mimic routine enterprise notifications such as voicemail alerts and file access requests, prompting recipients to click embedded links. The attack uses a multi-stage redirection flow, with a CAPTCHA gate to keep automated security scanners from reaching the final page, and ends at a fake Microsoft login page that steals credentials. Google has responded by blocking the misuse of its email notification feature and is implementing additional measures to prevent future exploitation. This incident illustrates the risk of attackers abusing legitimate cloud automation features to conduct phishing at scale without needing traditional sender spoofing.
2026-01-02 08:05:47 theregister MISCELLANEOUS Cisco Webinar Introduces Network-Led XDR for Enhanced Threat Response
Cisco is hosting a webinar on January 20 to discuss its network-led approach to extended detection and response (XDR), aimed at improving threat visibility and response times. The session, titled "XDR in 30: See the Threat, Know the Verdict, Act Fast," targets security practitioners and leaders seeking practical insights. Cisco XDR integrates data from endpoints, users, cloud workloads, and traffic flows to provide a comprehensive view of potential threats. The platform employs AI-driven verdicts to prioritize incidents, reducing investigation time while maintaining analyst confidence. This approach contrasts with traditional XDR solutions that primarily rely on endpoint data, offering a broader perspective to detect lateral movements and subtle threats. The webinar emphasizes augmenting human judgment with enhanced context, correlation, and intelligence to enable confident decision-making under pressure. Attendees will learn how Cisco's solution can help cut through alert noise and deliver actionable guidance, enhancing operational efficiency in modern security environments.
2026-01-01 16:15:35 bleepingcomputer DATA BREACH ShinyHunters Extortion Gang Targets PornHub in Major Data Breach
The ShinyHunters group stole 94 GB of PornHub Premium member activity data, covering over 200 million records, from the third-party analytics provider Mixpanel. The breach involves sensitive viewing, search, and download data, posing significant reputational risks for users if made public. Unlike financial breaches, this incident centers on personal and reputational harm, reminiscent of the Ashley Madison breach. ShinyHunters is demanding a ransom to prevent the release of the stolen data, using extortion as its primary tactic. The breach raises concerns about third-party data handling and security controls, emphasizing the importance of robust vendor management. Companies are urged to reevaluate their data security practices, particularly with third-party analytics providers, to mitigate similar risks. This incident serves as a critical reminder of the real-world harm that breaches involving sensitive personal information can cause.
2026-01-01 15:59:23 thehackernews CYBERCRIME Global Cybercrime Trends: Evolving Tactics and Emerging Threats in 2026
A Lithuanian national was extradited to South Korea for distributing malware disguised as a Windows activation tool, affecting 2.8 million systems and stealing $1.2 million in virtual assets. A coordinated attack targeted Adobe ColdFusion servers, exploiting over 10 CVEs to execute code and harvest credentials, affecting multiple countries including the U.S. and Germany. Kaspersky identified pre-installed malware on Android tablets, allowing remote access for data theft and command execution, posing significant security risks. Reddit banned a community focused on AI jailbreaks after reports of non-consensual deepfake generation, highlighting ongoing challenges in AI safety and content moderation. A new cybercrime tool, ErrTraffic, automates ClickFix attacks across multiple platforms, tricking users into executing malicious instructions under false pretenses. The decentralized Unleash Protocol suffered a $3.9 million loss due to unauthorized smart contract activity, emphasizing vulnerabilities in blockchain governance frameworks. North Korean hackers stole over $2 billion in cryptocurrency in 2025, shifting tactics to infiltrate crypto companies through fake IT worker schemes, underscoring the evolving threat landscape.
2026-01-01 15:36:36 thehackernews MISCELLANEOUS Adapt Browser Enhances Productivity with Lightweight Design and Efficiency
Adapt Browser offers a streamlined, performance-oriented solution for professionals seeking to enhance productivity without relying on heavy extensions or complex configurations. Modern browsers often suffer from feature overload and excessive background processes, impacting speed and user efficiency. Adapt Browser minimizes resource consumption by reducing background activity and unnecessary services, maintaining responsiveness during extended sessions. Centralizing web-based workflows within the browser interface helps reduce inefficiencies caused by frequent tab and window switching. A simplified interface design in Adapt Browser reduces distractions, supporting tasks such as reading and writing with sustained user attention. By optimizing window and tab management, Adapt Browser allows users to stay organized and maintain browsing speed. Built as a non-Chromium browser, Adapt provides greater control over resource usage and meets AppEsteem's security and transparency standards. As web-based work expands, lightweight browsers like Adapt play a crucial role in improving daily operational efficiency.
2026-01-01 15:22:07 bleepingcomputer MALWARE GlassWorm Malware Targets macOS with Trojanized Crypto Wallets
A new wave of GlassWorm malware is targeting macOS developers, embedding malicious code in VSCode/OpenVSX extensions to deliver trojanized crypto wallet applications. The malware attempts to steal credentials from GitHub, npm, and OpenVSX accounts, alongside cryptocurrency wallet data, while enabling remote access through VNC and SOCKS proxy routing. Recent attacks utilize AES-256-CBC–encrypted payloads in compiled JavaScript, executing after a delay to evade sandbox detection, with persistence achieved via AppleScript and LaunchAgents. The campaign now targets over 50 browser crypto extensions and attempts to replace hardware wallet apps like Ledger Live and Trezor Suite with trojanized versions, though this mechanism is currently non-functional. Despite public exposure, GlassWorm has resurfaced on OpenVSX and VSCode, with over 33,000 installs reported, although figures may be manipulated to enhance credibility. Developers are advised to remove malicious extensions, reset GitHub passwords, revoke NPM tokens, and check systems for infection signs to mitigate risks. The ongoing evolution of GlassWorm signifies a persistent threat to macOS environments, emphasizing the need for robust security practices among developers.
2026-01-01 09:20:09 thehackernews MALWARE RondoDox Botnet Exploits React2Shell Vulnerability in IoT Devices
Cybersecurity researchers have identified the RondoDox botnet leveraging the React2Shell vulnerability to compromise IoT devices and web servers over a nine-month period. The React2Shell flaw, CVE-2025-55182, affects React Server Components and Next.js, allowing remote code execution on vulnerable systems. Approximately 90,300 devices remain at risk, with the majority located in the U.S., followed by Germany, France, and India. The RondoDox campaign has evolved through three phases, incorporating various vulnerabilities and deploying cryptocurrency miners and a Mirai botnet variant. The botnet uses a tool to eliminate competing malware, establish persistence, and prevent reinfection by scanning and terminating non-whitelisted processes. Organizations are urged to update Next.js, segment IoT devices, deploy Web Application Firewalls, and block known command-and-control infrastructure to mitigate risks. Continuous monitoring for suspicious activities and process executions is essential to defend against this evolving threat.
2025-12-31 22:56:32 bleepingcomputer MISCELLANEOUS NYC Mayoral Inauguration Bans Flipper Zero and Raspberry Pi Devices
New York City's 2026 mayoral inauguration has prohibited Flipper Zero and Raspberry Pi devices, listing them among items banned from the event. The ban includes other common prohibited items such as weapons, drones, and large bags, but specifically names these two tech devices. Flipper Zero is known for its use in testing wireless protocols, while Raspberry Pi is a versatile single-board computer used in various applications. The decision to ban these devices has sparked confusion, as laptops and smartphones with similar capabilities are not restricted. Past concerns about Flipper Zero include potential misuse in cybercrime, leading to previous bans by online retailers like Amazon. Event organizers have not clarified the rationale behind targeting these specific devices, raising questions about their security policies. The ban reflects ongoing challenges in balancing security measures with technological advancements at public events.
2025-12-31 16:58:08 theregister DATA BREACH European Space Agency Faces New Data Breach, 200 GB Allegedly Stolen
The European Space Agency (ESA) has experienced another security breach, with cybercriminals claiming to have stolen 200 GB of data, including confidential documents and source code. ESA reports the breach affected a small number of external servers used for unclassified engineering and scientific collaboration, asserting limited impact on core systems. Cybercriminals posted an offer to sell the stolen data on BreachForums, claiming access to ESA-linked servers from December 18 for about a week. Alleged stolen data includes source code files, CI/CD pipelines, API tokens, confidential documents, and a dump of private Bitbucket repositories. ESA has initiated a forensic security analysis and implemented measures to secure potentially affected devices, notifying relevant stakeholders of the incident. The agency has faced similar incidents in the past, with breaches in 2011, 2015, and 2022, often involving external systems rather than core networks. These recurring breaches suggest a pattern of vulnerabilities in ESA's external systems, highlighting the need for enhanced security measures and monitoring.
2025-12-31 16:36:00 thehackernews CYBERCRIME Trust Wallet Hack via Supply Chain Attack Results in $8.5M Loss
Trust Wallet's Chrome extension suffered a breach due to a supply chain attack, leading to the theft of $8.5 million in cryptocurrency assets from users. The attack exploited leaked GitHub secrets, granting the attacker access to the browser extension's source code and Chrome Web Store API key. A trojanized version of the extension was distributed, capable of harvesting users' wallet mnemonic phrases, affecting over 2,520 wallet addresses. Trust Wallet has initiated a reimbursement process for affected users, with claims being reviewed individually to mitigate potential fraudulent claims. Enhanced monitoring and controls have been implemented by Trust Wallet to strengthen release processes and prevent future incidents. The incident is part of the broader Shai-Hulud supply chain attack, which targets software dependencies, affecting multiple sectors beyond cryptocurrency. The emergence of Shai-Hulud 3.0 introduces increased obfuscation and reliability, focusing on stealing secrets from developer environments.
2025-12-31 16:23:04 thehackernews CYBERCRIME DarkSpectre Campaigns Exploit Browser Extensions for Corporate Espionage
DarkSpectre, a Chinese threat actor, has targeted 8.8 million users through malicious browser extensions across Chrome, Edge, and Firefox over seven years. Its campaigns, ShadyPanda and GhostPoster, carry out data theft, search query hijacking, and affiliate fraud, impacting millions of users globally. ShadyPanda's extensions include a logic bomb that delays malicious activity to evade detection during initial store review, affecting 5.6 million users. GhostPoster targets Firefox users with utilities and VPN tools, performing affiliate link hijacking and ad fraud via malicious JavaScript. The latest campaign, The Zoom Stealer, aims at corporate meeting intelligence, collecting sensitive data from video conferencing platforms. Its extensions mimic legitimate tools for platforms like Zoom and Google Meet, exfiltrating meeting details and participant information in real time. Evidence of Chinese involvement includes command-and-control servers on Alibaba Cloud and code artifacts with Chinese-language elements. The stolen data could be sold for corporate espionage, enabling social engineering and impersonation operations at scale.
2025-12-31 15:56:03 bleepingcomputer CYBERCRIME Unleash Protocol Loses $3.9 Million in Multisig Governance Exploit
Unleash Protocol, a decentralized IP management platform, suffered a $3.9 million loss following an unauthorized contract upgrade by an attacker. The attacker gained administrative control over Unleash's multisig governance system, enabling unauthorized withdrawals of various cryptocurrency assets. Assets stolen included WIP, USDC, WETH, stIP, and vIP, which were subsequently transferred to external addresses to obscure their origin. The stolen funds were deposited into Tornado Cash, a mixing service known for its use in laundering illicit cryptocurrency, complicating recovery efforts. In response, Unleash Protocol has paused operations and engaged external security experts to investigate and address the security breach. Users are advised to refrain from interacting with Unleash Protocol's contracts until further notice is provided confirming their safety. This incident underscores the vulnerabilities inherent in decentralized finance platforms and the ongoing challenge of securing multisig governance systems.
2025-12-31 14:59:27 bleepingcomputer MALWARE RondoDox Botnet Exploits React2Shell Flaw in Next.js Servers
The RondoDox botnet is actively exploiting the React2Shell vulnerability (CVE-2025-55182) to compromise Next.js servers, deploying malware and cryptominers. First identified in July 2025, RondoDox targets multiple n-day vulnerabilities globally, with recent focus on CVE-2025-24893 in the XWiki Platform. CloudSEK reports that RondoDox began scanning for vulnerable Next.js servers on December 8, deploying botnet clients by December 11. React2Shell, an unauthenticated RCE flaw, affects frameworks using the React Server Components protocol, with North Korean actors using it to deploy EtherRAT malware. Over 94,000 internet-exposed assets remain vulnerable to React2Shell, according to the Shadowserver Foundation's December 30 report. RondoDox's recent operations include hourly IoT exploitation waves and deploying payloads like coinminers and Mirai variants, removing competing malware to maintain control. CloudSEK advises companies to audit and patch Next.js Server Actions, isolate IoT devices, and monitor for suspicious processes to mitigate RondoDox threats.
2025-12-31 13:40:25 thehackernews VULNERABILITIES IBM Discloses Critical API Connect Flaw Enabling Remote Access Risks
IBM announced a critical vulnerability in API Connect, tracked as CVE-2025-13915, with a CVSS score of 9.8, potentially allowing attackers to bypass authentication remotely. The flaw affects multiple versions of API Connect, a widely used solution for managing APIs in cloud and on-premises environments. Impacted organizations include major entities such as Axis Bank, Etihad Airways, and Tata Consultancy Services, highlighting the widespread use of the affected software. IBM advises users to apply interim fixes promptly or disable self-service sign-up on Developer Portals to mitigate exposure to the vulnerability. Although there is no current evidence of exploitation, the potential for unauthorized access necessitates immediate action to safeguard systems. This incident serves as a reminder of the critical importance of regular patch management and vulnerability assessment in maintaining secure API infrastructures.
2025-12-31 13:30:27 thehackernews MALWARE New Shai-Hulud Worm Variant Detected in npm Registry
Cybersecurity researchers have identified a modified version of the Shai-Hulud worm on the npm registry, embedded within the "@vietmoney/react-big-calendar" package. The package, updated in December 2025, has been downloaded 197 times, indicating potential testing rather than widespread deployment. The worm is capable of stealing sensitive data such as API keys and cloud credentials, leveraging npm tokens to propagate malicious changes. Key modifications in the new strain include enhanced error handling and improved data collection processes, suggesting active development and refinement. A separate incident involved a fake Jackson JSON Maven package delivering a Cobalt Strike beacon, exploiting Java's reverse-domain namespace convention. The malicious Maven package was removed, highlighting the need for improved detection of typosquatted domains and deceptive package names. These incidents underscore the critical importance of vigilance in monitoring and securing software supply chains against evolving threats.