Daily Brief


Total articles found: 12628


2025-12-09 00:04:57 bleepingcomputer MALWARE Ransomware Groups Leverage Shanya Packer to Evade Detection
Multiple ransomware gangs, including Medusa and Akira, are utilizing the Shanya packer to deploy payloads that disable endpoint detection and response (EDR) solutions on victim systems. Shanya emerged in late 2024 as a packer-as-a-service, gaining traction across regions such as Tunisia, the UAE, Costa Rica, Nigeria, and Pakistan, according to Sophos Security data. The service provides a unique wrapper for each customer, using encryption and compression to obfuscate malicious code, making it difficult for security tools to detect. Shanya's technique involves inserting the decrypted payload into a memory-mapped copy of the Windows DLL file 'shell32.dll,' avoiding disk writes and complicating detection. The packer checks for EDR solutions by triggering crashes under user-mode debuggers, thus preventing automated analysis before payload execution. Ransomware operators often disable EDR tools using DLL side-loading, combining legitimate executables with Shanya-packed malicious DLLs to facilitate data theft and encryption. Sophos researchers identified the use of signed and unsigned drivers for privilege escalation and disabling security products, highlighting the sophistication of these techniques. Recent campaigns, such as ClickFix, have also used Shanya to package other malware like CastleRAT, indicating the packer's versatility beyond ransomware operations.
2025-12-08 22:36:52 bleepingcomputer MALWARE Malicious VSCode Extensions Distribute Infostealers to Developers
Two malicious extensions, Bitcoin Black and Codo AI, have been identified on Microsoft's Visual Studio Code Marketplace, targeting developers with information-stealing malware. These extensions masquerade as a color theme and AI assistant, respectively, and were published under the developer name 'BigBlack'. Bitcoin Black activates on every VSCode action, using PowerShell and batch scripts to download and execute malicious payloads, including a DLL file for infostealing. Codo AI, while offering code assistance, includes a malicious component that deploys malware via DLL hijacking, using the Lightshot screenshot tool as a vector. The malware collects extensive data, including screenshots, credentials, crypto wallets, and browser session cookies, by launching Chrome and Edge in headless mode. Only 29 out of 72 antivirus engines on VirusTotal have flagged the malicious DLL, indicating a need for improved detection measures. Developers are advised to download extensions only from reputable publishers to mitigate the risk of such malicious activities infiltrating their systems.
2025-12-08 21:14:17 bleepingcomputer CYBERCRIME FinCEN Reports $2.1 Billion in Ransomware Payments from 2022-2024
The Financial Crimes Enforcement Network (FinCEN) reported $2.1 billion in ransomware payments between 2022 and 2024, nearly matching the total from 2013 to 2021. Ransomware activity peaked in 2023 with 1,512 incidents and $1.1 billion in payments, driven by ALPHV/BlackCat and LockBit gangs. A decline in 2024 incidents and payments, down to $734 million, is attributed to law enforcement actions against major ransomware groups. Manufacturing, financial services, and healthcare sectors were most frequently targeted, with financial institutions experiencing the largest financial losses. FinCEN identified 267 ransomware families, with Akira, ALPHV/BlackCat, and LockBit being the most prevalent and lucrative. Bitcoin was the primary payment method, accounting for 97% of transactions, with other cryptocurrencies like Monero and Ether used less frequently. FinCEN urges continued reporting of ransomware incidents to law enforcement to aid in disrupting cybercriminal activities.
2025-12-08 18:51:16 theregister CYBERCRIME Europol's GRIMM Operation Arrests Nearly 200 in Violence-for-Hire Crackdown
Europol's Operational Taskforce GRIMM has arrested 193 individuals, including minors, over six months for involvement in violence-for-hire schemes across Europe. The operation targets crime networks recruiting young individuals online to execute violent acts, including intimidation, torture, and murder. Arrests include 63 individuals directly involved in violent crimes, 40 facilitators, 84 recruiters, and six instigators, with five labeled as "high-value targets." Significant cases include the arrest of suspects linked to a triple homicide in the Netherlands and a foiled murder plot in Germany. The operation has involved collaboration among multiple European countries and online service providers, highlighting a coordinated international effort. Authorities seized firearms and ammunition, preventing potential tragedies and disrupting criminal networks. The rise in violence-as-a-service reflects a concerning trend of cybercriminals leveraging digital platforms to orchestrate real-world violence. The FBI has issued warnings about the IRL Com subgroup, which engages in swat-for-hire activities, posing a growing threat to public safety.
2025-12-08 18:33:35 bleepingcomputer CYBERCRIME Polish Authorities Arrest Ukrainians for Alleged Cybercrime Activities
Polish police detained three Ukrainian nationals suspected of attempting to compromise national IT systems using advanced hacking equipment. The suspects, aged 39 to 43, face charges of fraud, computer fraud, and possession of devices meant for criminal use. Seized items included a spy device detector, FLIPPER hacking equipment, antennas, laptops, SIM cards, routers, and cameras, indicating potential for significant cyber threats. The FLIPPER Zero device, known for its pentesting capabilities, can interact with radio frequencies and emulate input devices, raising concerns about its misuse. Authorities are investigating multiple scenarios for the suspects' presence in Poland, with encrypted data on storage devices under examination by cybercrime experts. The suspects claimed to be IT specialists, but their nervous behavior and inability to explain their equipment raised suspicions. The individuals are detained for three months pending trial, as authorities continue to probe the extent of their cyber activities.
2025-12-08 18:14:46 bleepingcomputer VULNERABILITIES Google Enhances Chrome Security for AI-Powered Agentic Browsing
Google introduces 'User Alignment Critic' in Chrome to secure Gemini AI's agentic browsing, enhancing protection against potential threats from autonomous web interactions. Agentic browsing allows AI to autonomously navigate, read, and interact with web content, posing new security challenges that Google aims to address with this update. The new security architecture mitigates risks of indirect prompt injection, where malicious content could manipulate AI into unsafe actions, potentially exposing user data. Google's layered defense strategy includes deterministic rules, model-level protections, and isolation boundaries, ensuring robust security measures for AI interactions. Automated red-teaming systems are employed to simulate attacks and test defenses, with updates rapidly deployed via Chrome’s auto-update mechanism. A bug bounty program offers up to $20,000 for researchers who identify vulnerabilities, encouraging community involvement in strengthening Chrome's AI security framework. This initiative reflects Google's proactive approach to AI security, contrasting with other vendors vulnerable to similar AI manipulation attacks.
2025-12-08 17:46:28 thehackernews MALWARE JS#SMUGGLER Campaign Deploys NetSupport RAT via Compromised Sites
Cybersecurity researchers have identified a campaign named JS#SMUGGLER, which uses compromised websites to distribute the NetSupport RAT, a remote access trojan providing extensive control over infected systems. The attack sequence involves an obfuscated JavaScript loader, an HTML Application (HTA) running encrypted PowerShell stagers, and a PowerShell payload for malware execution. NetSupport RAT enables attackers to perform remote desktop access, file operations, command execution, data theft, and proxy activities on victim systems. The campaign targets enterprise users and employs device-aware branching to tailor infection paths, enhancing its success rate while minimizing detection risks. Attackers utilize silent redirects and hidden iframes to direct victims to malicious URLs, with the JavaScript loader ensuring the attack executes only once per device. The operation's sophistication suggests a professional-grade malware framework, with recommendations for defenders to implement strong CSP enforcement, script monitoring, and PowerShell logging. The disclosure follows another campaign, CHAMELEON#NET, which uses phishing emails to deliver Formbook malware, highlighting the ongoing threat of multi-stage malware operations.
2025-12-08 15:07:32 bleepingcomputer MISCELLANEOUS Picus Security Introduces AI-Driven Threat Validation Platform
Picus Security has unveiled an AI-driven platform that transforms threat intelligence into validated defense strategies within hours, enhancing organizational readiness against cyber threats. Traditional methods of threat emulation faced delays due to manual processes and vendor SLAs, creating significant windows of vulnerability for organizations. The new platform employs a multi-agent framework, utilizing AI to orchestrate threat simulations based on a comprehensive threat library, ensuring safety and accuracy. Key agents include a Planner, Researcher, Threat Builder, and Validation Agent, each with distinct roles to prevent errors and ensure reliable threat emulation. The system maps real-world threat behaviors to safe simulations, allowing organizations to test defenses without exposing themselves to actual threats. A case study on the FIN8 threat group demonstrated the platform's ability to convert threat intelligence into actionable defense strategies quickly and effectively. Picus is advancing towards a conversational interface, "Numi AI," to simplify security validation processes, enabling intent-based interactions for security engineers. This approach allows organizations to prioritize patching and response efforts based on exploitable threats, enhancing overall cybersecurity posture.
2025-12-08 14:02:04 theregister NATION STATE ACTIVITY UK Enhances Undersea Cable Security Amid Rising Russian Surveillance
The UK government launched the Atlantic Bastion program to bolster undersea cable defense, responding to increased Russian surveillance activities involving submarines and the spy ship Yantar. The initiative integrates autonomous vessels, AI technologies, and crewed warships to create a hybrid force aimed at detecting and deterring threats to undersea infrastructure. Defense Secretary John Healey emphasized the program's role in safeguarding critical maritime infrastructure, with a focus on the UK's strategic vulnerabilities. The Atlantic Bastion program is expected to generate significant economic benefits, potentially creating thousands of jobs within the UK defense sector. Key partners include US-based Anduril, Germany's Helsing, and UK defense giant BAE Systems, all contributing to the development of autonomous systems. The UK relies heavily on undersea cables for internet connectivity, with a notable concentration of transatlantic traffic through two cables in Cornwall. A recent parliamentary report stressed the importance of preparing for potential threats to national connectivity in the event of a security crisis.
2025-12-08 12:46:24 thehackernews VULNERABILITIES Critical React2Shell Flaw Exploited by Multiple Threat Actors
A severe vulnerability, CVE-2025-55182, in React Server Components allows remote code execution, exploited within hours of its disclosure. The flaw, also known as React2Shell, has a CVSS score of 10.0, making it a critical threat to affected systems. Amazon identified attack attempts from Chinese hacking groups Earth Lamia and Jackpot Panda shortly after the vulnerability's disclosure. Multiple cybersecurity firms, including Coalition and Wiz, report widespread exploitation efforts, indicating opportunistic attacks by various threat actors. The Shadowserver Foundation detected a decrease in vulnerable IP addresses, from 77,664 to 28,964, as organizations respond to the threat. The vulnerability's rapid exploitation underscores the need for immediate patching and proactive vulnerability management to mitigate risks. Organizations are urged to prioritize updates and monitor systems closely to prevent potential breaches and operational disruptions.
2025-12-08 12:24:14 theregister VULNERABILITIES UK Home Office Criticized for Concealing Facial Recognition Bias Issues
The UK's Information Commissioner's Office (ICO) criticized the Home Office for not disclosing biases in police facial recognition technology, despite ongoing engagements. The ICO learned of historical biases in the Police National Database's (PND) facial recognition algorithm only recently, raising concerns about transparency. Tests revealed Cognitec's algorithm had significant weaknesses, particularly in accurately identifying Black subjects, with a higher false positive rate for Black females. The Home Office has reissued training and guidance to police forces to mitigate risks and ensure manual reviews of facial recognition results. A new algorithm, tested independently, showed no statistically significant bias and is slated for evaluation next year to enhance accuracy and fairness. The UK government continues to invest heavily in facial recognition technology, emphasizing its role in law enforcement despite criticisms of its deployment. The Inspectorate of Constabulary and the Forensic Science Regulator will review police use of facial recognition technology following the recent findings.
2025-12-08 12:02:22 thehackernews CYBERCRIME Retailers Brace for Increased Cyber Threats During Holiday Season
Retailers face heightened cyber risks during the holiday season, with increased bot-driven fraud, credential stuffing, and account takeover attempts. Attackers leverage leaked username/password lists to automate credential stuffing, targeting retail login portals and mobile apps for immediate financial gain. Historical breaches, like the 2013 Target incident, illustrate the risks of third-party access, emphasizing the need for stringent credential management. Retailers must balance security and user experience by implementing adaptive multi-factor authentication (MFA) to protect against risky logins without disrupting customer journeys. Strong security measures, including blocking compromised credentials and using passwordless options, are recommended to mitigate credential abuse. Protecting employee and partner accounts with mandatory MFA and strict access controls can reduce the operational impact of potential breaches. Retailers should prepare for peak season by investing in layered defenses against automated attacks and testing failover procedures to ensure operational continuity.
2025-12-08 11:17:21 theregister DATA BREACH Barts Health NHS Trust Seeks Court Order to Block Data Leak
Barts Health NHS Trust confirmed a data breach involving patient and staff information due to Clop's exploitation of an Oracle E-Business Suite vulnerability. The breach impacted individuals liable for treatment payments and former staff with salary-related issues, alongside supplier details in the public domain. The trust is pursuing a High Court order to prevent the publication of stolen data, which Clop has threatened to release on the dark web. The breach was linked to a critical Oracle EBS flaw, CVE-2025-61882, exploited by Clop since August 2025, before Oracle's patch release in October. Barts Health is collaborating with NHS England, the National Cyber Security Centre, and law enforcement to address the breach and secure its systems. Despite the breach, Barts Health reports that its electronic patient record and core IT systems remain unaffected and secure. The incident adds Barts Health to a list of high-profile victims, including the University of Pennsylvania, affected by Clop's widespread Oracle EBS attacks.
2025-12-08 11:08:05 thehackernews MALWARE New Android Malware Families Enhance Data Theft Capabilities
Cybersecurity experts from Intel 471, CYFIRMA, and Zimperium have identified two new Android malware families, FvncBot and SeedSnatcher, alongside an upgraded version of ClayRat, posing significant threats to users. FvncBot masquerades as a security app targeting Polish mobile banking users, utilizing features such as keylogging, web-inject attacks, and hidden virtual network computing for financial fraud. SeedSnatcher, distributed via Telegram, is designed to steal cryptocurrency wallet seed phrases and intercept SMS messages to capture two-factor authentication codes, with operations likely based in China. ClayRat's latest version exploits Android's accessibility services to perform keystroke logging, screen recording, and deploy phishing overlays, enhancing its ability to take over devices completely. The malware families employ advanced evasion techniques, including dynamic class loading and stealthy content injection, making detection and prevention more challenging for cybersecurity defenses. FvncBot and ClayRat leverage accessibility services intended for aiding users with disabilities, allowing them to gain elevated privileges and execute malicious activities undetected. These developments highlight the evolving threat landscape of Android malware, emphasizing the need for robust security measures and user awareness to mitigate risks associated with mobile device vulnerabilities.
2025-12-08 09:21:14 thehackernews VULNERABILITIES Critical Vulnerabilities Exploited in WordPress and ICTBroadcast Platforms
A critical RCE vulnerability in the Sneeit Framework plugin for WordPress, CVE-2025-6389, is actively exploited, affecting over 1,700 installations. The flaw allows unauthenticated code execution and backdoor creation. Wordfence reported over 131,000 exploitation attempts since public disclosure on November 24, 2025, with attackers creating malicious admin accounts and uploading backdoor PHP files. The vulnerability is patched in version 8.4, released on August 5, 2025, but many installations remain unpatched, posing ongoing risks to affected sites. Concurrently, a critical flaw in ICTBroadcast, CVE-2025-2611, is being exploited to deploy the "Frost" DDoS botnet, targeting specific systems with tailored attack logic. The "Frost" binary leverages fourteen exploits for fifteen CVEs, executing attacks only when specific indicators are detected, suggesting a highly targeted approach. Fewer than 10,000 systems are vulnerable to the ICTBroadcast flaw, indicating a limited but focused botnet operation. Organizations using these platforms are urged to apply patches immediately and monitor for signs of compromise to mitigate potential threats.