Daily Brief

Total articles found: 12612

Checks for new stories every ~15 minutes

2025-12-16 19:02:59 theregister MALWARE SantaStealer Malware Targets Credentials and Crypto Wallets
SantaStealer, a new modular infostealer, is being marketed on Telegram for $175 per month, targeting credentials and crypto wallets of high-value entities like governments and financial institutions. Despite claims of being "fully undetected," Rapid7's analysis reveals SantaStealer lacks advanced anti-analysis and evasion features, making it relatively easy to detect and analyze. The malware, a 64-bit DLL, is noted for its simplicity, with no string encryption or code obfuscation, and includes more than 500 exported symbols with self-explanatory names. SantaStealer is a rebrand of the Blueline Stealer, with its developers promoting the malware on Russian-speaking forums, indicating potential Russian origins. The malware operates by compressing stolen data into 10 MB chunks and transmitting it to a command-and-control server via unencrypted HTTP, posing significant data security risks. Organizations are advised to avoid unrecognized links and attachments and be cautious of fake verification or tech support instructions to prevent unauthorized access. Rapid7 provides a list of indicators of compromise to help organizations detect and mitigate potential threats from SantaStealer.
2025-12-16 17:34:53 bleepingcomputer DATA BREACH Texas Sues TV Makers for Unauthorized Data Collection Practices
The Texas Attorney General has filed lawsuits against Sony, Samsung, LG, Hisense, and TCL for allegedly collecting user data without consent via Automated Content Recognition (ACR) technology. The legal action claims these TV manufacturers capture screenshots every 500 milliseconds, monitoring viewing habits and sending data back to company servers without user knowledge. Concerns are raised about Chinese companies Hisense and TCL potentially sharing data with the Chinese government under China's National Security Law. ACR technology is described as an invasive tool that unlawfully collects personal data from smart TVs, which is then sold for targeted advertising. The lawsuit emphasizes the protection of privacy rights, asserting that owning a television should not equate to surrendering personal information to technology companies or foreign entities. This case follows a precedent set in 2017 when Vizio settled for $2.2 million over similar unauthorized data collection practices. The Federal Trade Commission has advised consumers to adjust tracking settings on smart TVs to safeguard privacy, highlighting ongoing privacy challenges with Internet-connected devices.
2025-12-16 16:36:12 thehackernews CYBERCRIME AWS Customers Targeted in Sophisticated Crypto Mining Campaign
A new campaign exploits compromised IAM credentials to deploy cryptocurrency mining operations on AWS, detected by Amazon's GuardDuty on November 2, 2025. Attackers quickly utilize admin-like privileges to probe environments, deploying mining resources within 10 minutes of initial access. The campaign uses the "DryRun" flag to validate permissions without incurring costs, minimizing detection risks. Attackers create numerous ECS clusters and use a malicious DockerHub image to initiate mining on ECS Fargate nodes. The campaign's persistence techniques, such as disabling API termination, complicate incident response and extend mining operations. AWS advises customers to strengthen security measures to mitigate risks from this advanced crypto mining methodology. The attack includes creating Lambda functions and IAM users with extensive permissions, potentially enabling further malicious activities like phishing.
2025-12-16 15:59:33 bleepingcomputer VULNERABILITIES Critical Fortinet Authentication Bypass Flaws Exploited by Hackers
Hackers are exploiting two critical vulnerabilities, CVE-2025-59718 and CVE-2025-59719, in Fortinet products to gain unauthorized administrative access and steal system configuration files. The vulnerabilities affect FortiCloud SSO authentication in FortiOS, FortiProxy, FortiSwitchManager, and FortiWeb, allowing attackers to bypass authentication using malicious SAML assertions. Exploitation began on December 12, with attacks traced to IP addresses associated with The Constant Company, BL Networks, and Kaopu Cloud HK, targeting admin accounts. Once access is obtained, attackers download configuration files, exposing network layouts, firewall policies, and potentially vulnerable interfaces, indicating malicious intent rather than research activities. Fortinet advises disabling FortiCloud SSO temporarily and upgrading to secure versions, such as FortiOS 6.4, FortiWeb 7.0, or 7.2, to mitigate the risk of exploitation. Organizations are urged to rotate firewall credentials and restrict management access to trusted internal networks to prevent unauthorized access. The incident underscores the importance of timely patch management and robust identity and access management practices to safeguard critical infrastructure.
2025-12-16 15:42:47 thehackernews MALWARE Malicious NuGet Package Targets Cryptocurrency Wallets with Typosquatting
A rogue NuGet package, "Tracer.Fody.NLog," was discovered impersonating a popular .NET library to steal cryptocurrency wallet data, affecting developers and users within the ecosystem. The package, available since February 2020, has been downloaded over 2,000 times, exploiting a minor name variation to deceive users into downloading the malicious software. The malware scans the default Stratis wallet directory on Windows systems, extracting and exfiltrating wallet data and passwords to a server in Russia. Threat actors employed tactics like using Cyrillic lookalike characters and hiding malicious code in generic functions to avoid detection during casual reviews. The same IP address was linked to a similar attack in December 2023, indicating a pattern of using NuGet impersonation tactics to target cryptocurrency wallets. Security experts warn of potential future attacks targeting other common .NET libraries, urging developers to remain vigilant against typosquatting threats. Organizations are advised to enhance their software supply chain security measures to prevent similar breaches and protect sensitive data.
2025-12-16 15:27:20 bleepingcomputer CYBERCRIME Cyberattack Disrupts Operations of Venezuelan Oil Giant PDVSA
Petróleos de Venezuela (PDVSA) experienced a cyberattack disrupting export operations, though the company claims operational areas remained unaffected due to secure protocols. An internal memo revealed instructions for staff to disconnect from the network, suggesting broader impact than publicly acknowledged. Systems managing Venezuela's main crude terminal were reportedly offline, halting cargo deliveries and affecting supply chain continuity. The attack coincides with rising tensions between Venezuela and the United States, following a U.S. seizure of a sanctioned Venezuelan oil tanker. PDVSA accused the U.S. and domestic conspirators of orchestrating the attack to destabilize national energy operations. Venezuela, a significant global oil exporter, relies heavily on PDVSA for its economic stability, making such disruptions particularly impactful. This incident underscores the vulnerability of critical infrastructure to cyber threats amid geopolitical tensions.
2025-12-16 15:17:16 bleepingcomputer MALWARE Hypervisors Emerge as Prime Targets in Ransomware Campaigns
Huntress Labs reports a significant rise in ransomware attacks targeting hypervisors, with incidents increasing from 3% to 25% in 2025, driven by the Akira group. Hypervisors, crucial for virtualized environments, are being exploited due to limited visibility and protections, making them attractive for ransomware deployment. Attackers bypass traditional endpoint security by using built-in tools like openssl for encryption, avoiding the need for custom ransomware binaries. Vulnerabilities such as CVE-2024-37085 allow attackers to gain full administrative control of ESXi hosts, leading to mass encryption of virtual machines. Organizations are advised to harden hypervisors with rigorous patching, access control, and runtime hardening to mitigate these threats. Effective backup strategies, including immutable snapshots and rapid recovery capabilities, are essential to counteract potential ransomware impacts. Monitoring for anomalies and establishing a shared responsibility model with third-party SOCs are recommended to enhance detection and response efforts. A layered, proactive defense approach is critical to raising the barrier against ransomware actors targeting hypervisor infrastructures.
2025-12-16 12:38:44 theregister DATA BREACH Data Breaches Impact Pornhub, SoundCloud, and Askul Users
Pornhub experienced a data breach through Mixpanel, affecting select Premium users, but confirmed no exposure of passwords, payment details, or government IDs. SoundCloud faced user data exposure after unauthorized activity in an ancillary service dashboard, impacting approximately 28 million users, but no sensitive credentials were compromised. Askul, a Japanese retailer, suffered a ransomware attack leading to a significant service disruption and exposure of 740,000 customer and partner records. The Askul breach was facilitated by compromised subcontractor credentials lacking multi-factor authentication and inadequate server monitoring. SoundCloud's breach response caused temporary service disruptions, particularly for users connecting via VPNs, highlighting the operational impact of cybersecurity incidents. Askul confirmed ransomware encrypted and leaked data, including backups, due to insufficient endpoint detection and response measures. These incidents demonstrate varying vulnerabilities across sectors, emphasizing the need for robust third-party vendor management and internal security protocols.
2025-12-16 12:30:27 thehackernews NATION STATE ACTIVITY Amazon Reveals GRU Cyber Campaign Targeting Western Critical Infrastructure
Amazon's threat intelligence team exposed a Russian GRU-affiliated cyber campaign targeting Western critical infrastructure from 2021 to 2025, impacting energy and cloud sectors. The campaign, attributed to APT44, utilized misconfigured network edge devices for initial access, indicating a strategic shift away from exploiting vulnerabilities. Attackers focused on enterprise routers, VPN concentrators, and cloud-based systems to facilitate large-scale credential harvesting and lateral movement. Persistent connections were established with compromised EC2 instances on AWS, suggesting interactive access and data retrieval by threat actors. Credential replay attacks were observed against organizations' online services, although these attempts were reportedly unsuccessful. Overlaps with another cluster, Curly COMrades, hint at coordinated operations within a broader GRU campaign, targeting energy supply chains and critical infrastructure. Amazon disrupted active operations and advised organizations to audit network devices, enforce strong authentication, and monitor for unusual authentication attempts.
2025-12-16 11:49:14 theregister NATION STATE ACTIVITY MI6 Chief Outlines Tech-Driven Intelligence Strategy Amid Global Tensions
MI6's new chief, Blaise Metreweli, emphasized the integration of technology in intelligence operations, highlighting the evolving landscape between peace and war. Advances in AI, biotechnology, and quantum computing are reshaping conflict dynamics, posing both opportunities and challenges for intelligence agencies. Metreweli identified Russia as a primary threat, employing cyberattacks, drones, and propaganda to destabilize and test UK defenses. The agency aims to enhance its technological capabilities, requiring officers to be proficient in coding, akin to linguistic fluency. Recruitment efforts will focus on attracting linguists, data scientists, engineers, and technologists to bolster MI6's tech-driven approach. Despite technological advancements, human judgment remains critical in decision-making, with AI serving as a tool to augment human skills. Initiatives like the Silent Courier portal demonstrate MI6's commitment to secure communication and public engagement in intelligence efforts.
2025-12-16 11:49:14 bleepingcomputer CYBERCRIME European Authorities Dismantle Major Call Center Fraud Network in Ukraine
European law enforcement dismantled a fraud network operating from call centers in Ukraine, defrauding over 400 victims across Europe of more than 10 million euros. Authorities arrested 12 suspects out of 45 identified, seizing vehicles, weapons, cash, and counterfeit IDs during 72 searches in Dnipro, Ivano-Frankivsk, and Kyiv. The fraudsters impersonated bank employees and police officers, tricking victims into transferring funds to accounts controlled by the criminals. Some victims were persuaded to install remote access software, allowing criminals to hijack their bank accounts and steal credentials. The network operated on a commission basis, with employees promised bonuses for high earnings, although these were never distributed. This action is part of ongoing efforts by European authorities to dismantle similar fraud rings, following recent successful operations in various countries. The dismantling of this network underscores the importance of international cooperation in combating transnational cybercrime.
2025-12-16 11:30:25 thehackernews VULNERABILITIES Proactive Privacy Controls Essential in AI-Driven Software Development
The surge in AI-assisted coding has increased software development pace, challenging security and privacy teams to manage expanding data exposure risks without additional resources. Traditional data security measures are reactive, often addressing issues only after data is in production, missing early-stage vulnerabilities and hidden data flows. HoundDog.ai offers a privacy-focused static code scanner that identifies sensitive data leaks early in development, preventing risks before data is processed. The scanner, integrated with platforms like Replit, provides continuous visibility into privacy risks across millions of AI-generated applications. Automated generation of privacy compliance documentation helps maintain up-to-date data maps, essential for meeting GDPR and US Privacy Framework requirements. By embedding privacy controls directly into the development process, companies can prevent incidents and compliance gaps, reducing data mapping overhead. Fortune 1000 companies in healthcare and financial services are leveraging HoundDog.ai to enhance privacy governance and maintain compliance without hindering development speed.
2025-12-16 11:05:47 thehackernews VULNERABILITIES Fortinet FortiGate Devices Targeted by SAML Authentication Bypass Exploits
Cyber attackers are exploiting two critical vulnerabilities in Fortinet FortiGate devices, identified as CVE-2025-59718 and CVE-2025-59719, with CVSS scores of 9.8. Arctic Wolf reported active intrusions involving malicious single sign-on logins on FortiGate appliances as of December 12, 2025. These vulnerabilities allow unauthenticated bypass of SSO login authentication via crafted SAML messages when FortiCloud SSO is enabled. Fortinet has released patches for the affected products, including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager, urging immediate application. Attackers have used IP addresses from specific hosting providers to execute malicious logins and export device configurations. Organizations are advised to disable FortiCloud SSO and limit management interface access to trusted users until systems are patched. Fortinet customers should reset hashed firewall credentials if indicators of compromise are detected, as weak credentials may be cracked offline.
2025-12-16 08:28:00 thehackernews VULNERABILITIES React2Shell Exploitation Leads to Linux Backdoor Deployments Worldwide
React2Shell, tracked as CVE-2025-55182 with a CVSS score of 10.0, is actively exploited to deploy Linux backdoors like KSwapDoor and ZnDoor, impacting global organizations. The deployed backdoors provide remote access through a mesh network, using strong encryption and stealth features to evade detection and bypass firewalls. Attackers leverage Cloudflare tunnel endpoints to bypass security defenses, conducting reconnaissance and credential theft across cloud platforms like Azure, AWS, GCP, and Tencent Cloud. The malware impersonates legitimate Linux processes, enabling command execution, file operations, and lateral movement, complicating detection and mitigation efforts. Microsoft and Google have identified multiple threat groups, including at least five China-nexus actors, exploiting the flaw to deploy payloads such as VShell, EtherRAT, and ShadowPad. Over 111,000 IP addresses are vulnerable, with significant exposure in the U.S., Germany, France, and India, highlighting the widespread risk and need for immediate patching. Organizations are advised to update systems promptly, monitor for suspicious activity, and implement robust security measures to mitigate the threat of React2Shell exploitation.
2025-12-16 06:07:41 thehackernews MISCELLANEOUS Google to Discontinue Dark Web Monitoring Tool by February 2026
Google plans to retire its dark web monitoring tool in February 2026, initially launched to help users detect personal data breaches. Scans for new breaches will cease on January 15, 2026, with the full discontinuation of the tool by February 16, 2026. Feedback indicated the tool lacked actionable guidance, prompting Google to refocus on more effective online protection tools. All data associated with the dark web report will be deleted upon the feature's retirement, with users able to preemptively delete their profiles. Originally launched in March 2023, the tool expanded in July 2024 to include all Google account holders, not just Google One subscribers. Google encourages users to enhance account security by implementing phishing-resistant MFA and managing personal data visibility in search results. The decision reflects a strategic pivot towards providing users with clearer, actionable security measures for online safety.