⚡ Weekly Recap: MongoDB Attacks, Wallet Breaches, Android Spyware, Insider Crime, and More

Weekly Recap

From a SOC lens, last week’s activity in 2025 wasn’t dominated by a single headline breach, but by a series of smaller incidents that collectively exposed systemic weaknesses. Everyday tools started behaving in ways defenders did not anticipate. Legacy weaknesses resurfaced in current stacks. Newly disclosed bugs moved from patch notes to exploitation in production networks almost immediately.

The thread running through these events in 2025 is familiar to anyone running detections: adversaries consistently outpaced remediation. Access paths created for operations, support, updates, and convenience kept getting repurposed as intrusion vectors. And the operational impact didn’t end when tickets were closed — data stolen and footholds gained years ago continued to generate fresh incidents and fraud in 2025.

This recap consolidates the week’s most relevant events for SOC and IR teams. The goal is signal, not noise. Use it to update detections, tuning, and playbooks based on what actually shaped the threat landscape at the end of 2025 and what merits immediate attention in your environment now.

⚡ Threat of the Week

A newly documented MongoDB security issue is now being actively exploited, with more than 87,000 potentially exposed instances identified globally. Tracked as CVE-2025-14847 (CVSS score: 8.7), it enables unauthenticated remote attackers to extract sensitive information directly from MongoDB server memory. The flaw has been nicknamed MongoBleed. Specific tradecraft and TTPs being used in the exploitation chains are still unclear. Recommended mitigation is to upgrade MongoDB to versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30. Data from Censys indicates more than 87,000 instances may be at risk, heavily concentrated in the U.S., China, Germany, India, and France. Wiz reports that 42% of cloud environments contain at least one MongoDB instance running a version vulnerable to CVE-2025-14847, spanning both internet-facing services and internal assets that many SOCs may not yet be monitoring closely.
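Because the fix is a per-branch upgrade, the first SOC task is usually inventory triage: which instances sit below the first fixed release of their own branch. The script below is an added example, not code from the article, MongoDB, Censys or Wiz. It encodes only the fixed versions the recap lists and treats any other branch as "unknown-branch" rather than guessing; the inventory it runs over is constructed sample data (hostnames and versions are invented).

```python
"""Added example: triage MongoDB version strings against the first fixed
release per branch for CVE-2025-14847, as listed in the recap.
Not vendor code; branches the advisory does not list are reported as
unknown rather than assumed safe or vulnerable."""
from typing import Dict, List, Tuple

# First fixed release per branch, taken from the recap's mitigation line.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (8, 2): (8, 2, 3),
    (8, 0): (8, 0, 17),
    (7, 0): (7, 0, 28),
    (6, 0): (6, 0, 27),
    (5, 0): (5, 0, 32),
    (4, 4): (4, 4, 30),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'X.Y.Z' (ignoring a '-rc'/'+build' suffix) into a comparable tuple."""
    core = text.strip().split("-")[0].split("+")[0]
    parts = core.split(".")
    if len(parts) < 3:
        raise ValueError(f"not a full X.Y.Z version: {text!r}")
    major, minor, patch = (int(p) for p in parts[:3])
    return major, minor, patch


def assess(version: str) -> str:
    """Classify one version as 'vulnerable', 'patched' or 'unknown-branch'."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_BY_BRANCH.get((major, minor))
    if fixed is None:
        # The advisory as summarized here says nothing about this branch;
        # surface it for manual review instead of guessing.
        return "unknown-branch"
    return "patched" if (major, minor, patch) >= fixed else "vulnerable"


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group hosts by status. Each inventory entry is (host, version string),
    e.g. the 'version' field of a buildInfo command response."""
    groups: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown-branch": []}
    for host, version in inventory:
        groups[assess(version)].append(host)
    return groups


# Constructed sample inventory (hostnames and versions are invented).
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("mongo-prod-01.example.internal", "8.0.16"),
    ("mongo-prod-02.example.internal", "8.0.17"),
    ("mongo-legacy.example.internal", "4.4.29"),
    ("mongo-analytics.example.internal", "7.0.28"),
    ("mongo-archive.example.internal", "3.6.23"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

To feed it live data, the `version` field of MongoDB's `buildInfo` command response (for example `client.admin.command("buildInfo")["version"]` with pymongo) is the string `assess()` expects; the "unknown-branch" bucket is where end-of-life branches the advisory does not list will land, and those warrant a review of their own.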

🔔 Top News

  • Trust Wallet has instructed users to immediately upgrade its Google Chrome extension after a security incident that resulted in roughly $7 million in losses. Users should move to version 2.69 without delay. “We’ve confirmed that approximately $7 million has been impacted, and we will ensure all affected users are refunded,” Trust Wallet said. The extension has about 1 million users. Mobile-only users and other browser extension variants are currently considered out of scope. Attribution remains unknown, but Trust Wallet believes an attacker pushed a malicious 2.68 build by abusing a leaked Chrome Web Store API key. Impacted users are being directed to complete a claims form so reimbursements can be processed.
  • A China-linked APT known as Evasive Panda has been tied to a focused espionage operation that used DNS poisoning to deliver its MgBot backdoor to victims in Türkiye, China, and India. The campaign ran between November 2022 and November 2024. Kaspersky reports that the actor conducted adversary-in-the-middle (AitM) operations against selected targets to serve trojanized updates for popular software such as SohuVA, iQIYI Video, IObit Smart Defrag, and Tencent QQ. These malicious updates ultimately deployed MgBot, a modular implant with broad collection capabilities. The exact mechanism for DNS response poisoning is still unknown. Two primary hypotheses are on the table: compromise of ISPs used by victims to implant network-level tooling on edge devices, or compromise of a router or firewall in the victim’s path to manipulate DNS traffic.
  • Data encrypted and exfiltrated in the 2022 LastPass breach is still driving new compromises. Encrypted vault backups stolen at the time have been systematically attacked using weak master passwords, enabling threat actors to decrypt vaults and drain cryptocurrency assets as late as Q4 2025. TRM Labs estimates associated losses at no less than $35 million as of September 2025 and links the activity to actors operating within or adjacent to the Russian cybercrime ecosystem. Indicators supporting the Russian nexus include: use of exchanges historically associated with Russian cybercriminal laundering pipelines and observed ties between wallets and mixers before and after laundering events.
  • Fortinet has observed fresh activity abusing CVE-2020-12812, a FortiOS SSL VPN flaw first disclosed five years ago that still surfaces in many enterprise networks. Under certain configuration conditions, the bug allows a user to successfully authenticate without receiving a second-factor prompt if the case of the username is altered. The updated advisory does not detail the current exploitation techniques or confirm whether any of the observed attempts resulted in successful compromise. Fortinet urges impacted customers to open a case with support and rotate all credentials if they detect admin or VPN user logins that bypassed expected two-factor authentication (2FA).
  • A malicious npm package named lotusbail was found masquerading as a fully functional WhatsApp API while secretly intercepting all messages and maintaining a persistent link between the attacker’s device and a victim’s WhatsApp account. Since May 2025, it has been downloaded more than 56,000 times by users of the npm registry account “seiren_primrose.” npm has removed the package. Once installed, the actor can read and send WhatsApp messages, download media, and enumerate contacts. “And here’s the critical part, uninstalling the npm package removes the malicious code, but the threat actor’s device stays linked to your WhatsApp account,” Koi said. “The pairing persists in WhatsApp’s systems until you manually unlink all devices from your WhatsApp settings. Even after the package is gone, they still have access.”
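The Fortinet item above leaves the detection side to the reader: find successful admin or VPN logins that should have completed 2FA but did not, and in particular logins where the username matches a known account only when case is ignored. The hunt below is an added example, not Fortinet's code or the article's. It runs over a constructed, simplified key=value log format (not FortiOS's real log schema) and a constructed account directory; field names such as `mfa=` and `type=` are assumptions chosen for the illustration, so map them to your own log source before use.

```python
"""Added example: hunt login events for the CVE-2020-12812 pattern the
recap describes (a case-variant username authenticating with no second
factor). Log format and account directory are constructed for the demo."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed directory: which accounts are expected to complete 2FA.
MFA_POLICY: Dict[str, str] = {
    "jdoe": "2fa-required",
    "admin": "2fa-required",
    "svc_backup": "2fa-exempt",
}

# Constructed sample events in a simplified key=value form.
SAMPLE_LOGS = """\
ts=2025-12-20T08:01:12Z type=vpn user=jdoe action=login status=success mfa=verified src=203.0.113.5
ts=2025-12-20T08:03:44Z type=vpn user=JDoe action=login status=success mfa=none src=198.51.100.23
ts=2025-12-20T08:05:10Z type=admin user=Admin action=login status=success mfa=none src=198.51.100.23
ts=2025-12-20T08:07:00Z type=vpn user=svc_backup action=login status=success mfa=none src=203.0.113.9
ts=2025-12-20T08:09:31Z type=vpn user=jdoe action=login status=failed mfa=none src=198.51.100.23
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value line into a dict, dropping quotes around values."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


@dataclass
class Finding:
    ts: str
    user_as_typed: str
    canonical: str
    src: str
    reason: str


def resolve_account(user: str, directory: Dict[str, str]) -> Optional[str]:
    """Map a typed username to the directory entry it matches case-insensitively."""
    lowered = user.lower()
    for canonical in directory:
        if canonical.lower() == lowered:
            return canonical
    return None


def hunt(log_text: str, directory: Dict[str, str] = MFA_POLICY) -> List[Finding]:
    """Flag successful vpn/admin logins of 2FA-required accounts without a verified second factor."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("action") != "login" or ev.get("status") != "success":
            continue
        if ev.get("type") not in {"vpn", "admin"}:
            continue
        user = ev.get("user", "")
        canonical = resolve_account(user, directory)
        if canonical is None or directory[canonical] != "2fa-required":
            continue
        if ev.get("mfa") == "verified":
            continue
        # Exact-case mismatch is the strongest signal for this bug; a missing
        # second factor on an exact-case login is still worth a ticket.
        reason = ("case-variant username, no second factor" if user != canonical
                  else "no second factor for 2FA-required account")
        findings.append(Finding(ev.get("ts", ""), user, canonical, ev.get("src", ""), reason))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOGS):
        print(f"{f.ts} {f.user_as_typed!r} (account {f.canonical}) from {f.src}: {f.reason}")
```

Matches on the case-variant reason are the ones to hand to the credential-rotation step the advisory recommends; the second reason catches policy gaps that have nothing to do with this CVE but would otherwise hide in the same log stream.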

🔥 Trending CVEs

Adversaries are routinely operationalizing new vulnerabilities within hours of disclosure. From a SOC standpoint, a single missed patch on a high-value asset can quickly become the pivot point for a full compromise. Below are the week’s highest-impact issues. Prioritize validation, patching, and detection coverage for these in your environment.

This week’s list includes — CVE-2025-14847 (MongoDB), CVE-2025-68664 (LangChain Core), CVE-2023-52163 (Digiever DS-2105 Pro), CVE-2025-68613 (n8n), CVE-2025-13836 (Python http.client), CVE-2025-26794 (Exim), CVE-2025-68615 (Net-SNMP), CVE-2025-44016 (TeamViewer DEX Client), and CVE-2025-13008 (M-Files Server).

📰 Around the Cyber World

  • Former Coinbase Customer Service Agent Arrested in India — Coinbase CEO Brian Armstrong confirmed that a former customer service agent for the exchange has been arrested in India, following an earlier incident in which support staff were bribed to hand over customer information. In May, Coinbase disclosed that contractors operating from India had been compromised, leading to theft of sensitive customer data and a $20 million ransom demand. “We have zero tolerance for bad behavior and will continue to work with law enforcement to bring bad actors to justice,” Armstrong said. “Thanks to the Hyderabad Police in India, an ex-Coinbase customer service agent was just arrested. Another one down and more still to come.” Approximately 69,461 individuals were affected. A September 2025 class action complaint revealed that Coinbase used TaskUs to provide customer support from India. The filing further states that Coinbase “cut ties with the TaskUs personnel involved and other overseas agents, and tightened controls.” A TaskUs employee in Indore, Ashita Mishra, is alleged to have “joined the conspiracy by agreeing to sell highly sensitive Coinbase user data to those criminals” starting in September 2024, with an arrest following in January 2025 for allegedly selling user records to attackers for $200 per record. TaskUs said it “identified two individuals who illegally accessed information from one of our clients [who] were recruited by a much broader, coordinated criminal campaign against this client that also impacted a number of other providers servicing this client.” It also argued that Coinbase “had vendors other than TaskUs, and that Coinbase employees were involved in the data breach,” but did not provide additional details.
  • Cloud Atlas Targets Russia and Belarus — The actor referred to as Cloud Atlas has conducted new activity using phishing emails with malicious Microsoft Word attachments. When opened, the document retrieves a remote template which then drops and executes an HTML Application (HTA) file. The HTA payload writes multiple Visual Basic Script (VBS) components to disk that together form the VBShower backdoor. VBShower acts as a loader for additional implants, including PowerShower, VBCloud, and CloudAtlas itself. VBCloud can download and execute follow-on malicious scripts, including a file grabber that exfiltrates selected documents. PowerShower operates similarly, retrieving secondary payloads from remote infrastructure. The CloudAtlas implant communicates with its C2 via WebDAV and downloads plug-in DLLs, enabling it to enumerate and collect files, execute commands, extract credentials from Chromium-based browsers, and gather host-level information. The latest wave primarily hit telecom companies, construction firms, government entities, and industrial plants in Russia and Belarus.
  • BlackHawk Loader Spotted in the Wild — A new MSIL-based loader dubbed BlackHawk has been observed in active campaigns, using three layers of obfuscation that appear to have been generated with artificial intelligence tooling. According to ESET, the infection chain uses a Visual Basic Script followed by two PowerShell scripts, with the second script embedding the Base64-encoded BlackHawk loader and the final payload. BlackHawk is currently being leveraged to distribute Agent Tesla against hundreds of endpoints in Romanian small and mid-sized businesses. The same loader has also been used to deploy an information stealer known as Phantom.
  • Surge in Cobalt Strike Servers — Censys has identified an anomalous spike in internet-exposed Cobalt Strike servers between early December and December 18, 2025, especially within the networks of AS138415 (YANCY) and AS133199 (SonderCloud LTD). “Viewing the timeline above, AS138415 first exhibits limited ‘seed’ activity beginning on December 4, followed by a substantial expansion of 119 new Cobalt Strike servers on December 6,” Censys said. “Within just two days, however, nearly all of this newly added infrastructure disappears. On December 8, AS133199 experienced a near mirror-image increase and decrease in newly observed Cobalt Strike servers.” Over 150 unique IP addresses linked to AS138415 were identified as hosting Cobalt Strike listeners during this period. The associated netblock, 23.235.160[.]0/19, was assigned to RedLuff, LLC in September 2025.
  • Meet Fly, the Russian Market Administrator — Intrinsec’s research suggests that a threat actor operating under the alias Fly is likely the administrator of Russian Market, an underground marketplace specializing in credentials harvested by information stealers. “This threat actor promoted the marketplace on multiple occasions and throughout the years,” the French cybersecurity company said. “His username is reminiscent of the old name of the marketplace, ‘Flyded.’ We found two e-mail addresses used to register the first Russian Market domains, which enabled us to find potential links to a Gmail account named ‘AlexAske1,’ but we could not find additional information surrounding this potential identity.”
  • New Scam Campaign Targets MENA with Fake Job Offers — A large-scale fraud operation is abusing social media and private messaging platforms such as Telegram and WhatsApp to push fake online job offers across the Middle East and North Africa (MENA). The lures emphasize quick, easy income but are designed to harvest personal data and siphon funds. The campaign leverages recognizable brands and the low cost of online ads, with broad targeting to maximize volume. “The fake job ads often impersonate well-known companies, banks, and authorities to gain trust of victims,” Group-IB said. “Once victims engage, the conversation moves to private messaging channels where the actual financial fraud and data theft take place.” Typically, users are redirected to a WhatsApp group where a recruiter sends them to a fraudulent registration site. After sign-up, victims are moved into multiple Telegram channels and told to pay a fee to receive tasks and earn commissions. “The scammers will actually send a small payout for the initial task to build trust,” Group-IB said. “They will then push victims to deposit larger amounts to take on bigger tasks that promise even greater returns. When victims do make a big deposit, the payout stops, the channels and accounts disappear and the victim finds themselves blocked, making communication and tracking almost impossible.” Countries most targeted include Egypt, Gulf States, Algeria, Tunisia, Morocco, Iraq, and Jordan.
  • EmEditor Breached to Distribute Infostealer — Emurasoft, the vendor behind the Windows text editor EmEditor, has disclosed a compromise of its distribution channel. The company reported that an external actor tampered with the Windows installer download link to instead serve a malicious MSI file hosted elsewhere on the EmEditor site between December 19 and 22, 2022. Emurasoft is still investigating to determine the full impact. Analysis by QiAnXin indicates that the trojanized installer launches a PowerShell script capable of collecting extensive host data, including system metadata, files, VPN configurations, Windows credential material, browser information, and data from applications such as Zoho Mail, Evernote, Notion, Discord, Slack, Mattermost, Skype, LiveChat, Microsoft Teams, Zoom, WinSCP, PuTTY, Steam, and Telegram. The malware also deploys an Edge browser extension (ID: “ngahobakhbdpmokneiohlfofdmglpakd”) labeled Google Drive Caching that can fingerprint browsers, hijack cryptocurrency wallet addresses in the clipboard, log keystrokes on sites like x[.]com, and steal Facebook advertising account information.
  • Docker Hardened Images Now Available for Free — Docker has made its Hardened Images generally available at no cost to all developers, aiming to reduce software supply chain risk. Initially launched in May 2025, these are curated, minimal, production-ready images maintained by Docker. The company says it now offers more than 1,000 hardened images and Helm charts. “Unlike other opaque or proprietary hardened images, DHI is compatible with Alpine and Debian, trusted and familiar open source foundations teams already know and can adopt with minimal change,” Docker noted.
  • Flaw in Livewire Disclosed — Researchers have detailed a critical Livewire vulnerability (CVE-2025-54068, CVSS 9.8) that has since been patched but could previously enable unauthenticated remote command execution under specific conditions in applications built with the Laravel full-stack framework. The fix was shipped in Livewire version 3.6.4, released in July 2025. Synacktiv attributes the root cause to Livewire’s hydration mechanism, which maintains component state and guards against tampering via a checksum. “However, this mechanism comes with a critical vulnerability: a dangerous unmarshalling process can be exploited as long as an attacker is in possession of the APP_KEY of the application,” the cybersecurity company said. “By crafting malicious payloads, attackers can manipulate Livewire’s hydration process to execute arbitrary code, from simple function calls to stealthy remote command execution.” Further research uncovered an additional pre-authentication RCE path that does not require the APP_KEY. “Attackers could inject malicious synthesizers through the updates field in Livewire requests, leveraging PHP’s loose typing and nested array handling,” Synacktiv added. “This technique bypasses checksum validation, allowing arbitrary object instantiation and leading to full system compromise.”
  • ChimeraWire Malware Boosts Website SERP Rankings — New malware labeled ChimeraWire is being used to artificially manipulate search engine rankings for targeted websites by running covert searches and simulating user clicks on infected Windows machines. Doctor Web notes that ChimeraWire usually appears as a second-stage payload delivered after initial compromise via other downloaders. The malware programmatically fetches a Windows build of Google Chrome and installs extensions such as NopeCHA and Buster for automated CAPTCHA solving. It then launches Chrome in debugging mode within a hidden window and drives automated browsing and click behavior based on preconfigured rules. “For this, the malicious app searches target internet resources in the Google and Bing search engines and then loads them,” the Russian company said. “It also imitates user actions by clicking links on the loaded sites. The Trojan performs all malicious actions in the Google Chrome web browser, which it downloads from a certain domain and then launches it in debug mode over the WebSocket protocol.”
  • More Details About LANDFALL Campaign Emerge — The LANDFALL Android spyware cluster, previously documented by Palo Alto Networks Unit 42 as abusing a zero-day in Samsung Galaxy devices (CVE-2025-21042), continues to be dissected. Google Project Zero has identified six suspicious image files uploaded to VirusTotal between July 2024 and February 2025. These are believed to be DNG images delivered via WhatsApp, targeting Samsung’s Quram image library. The images are engineered to exploit a vulnerability within the com.samsung.ipservice process. “The com.samsung.ipservice process is a Samsung-specific system service responsible for providing ‘intelligent’ or AI-powered features to other Samsung applications,” Project Zero’s Benoît Sevens said. “It will periodically scan and parse images and videos in Android’s MediaStore. When WhatsApp receives and downloads an image, it will insert it in the MediaStore. This means that downloaded WhatsApp images (and videos) can hit the image parsing attack surface within the com.samsung.ipservice application.” Because WhatsApp does not auto-download media from unknown senders, researchers assess this is a 1-click vector requiring user interaction to trigger the download and insertion into MediaStore. That then triggers an exploit chain that culminates in an out-of-bounds write primitive. “This case illustrates how certain image formats provide strong primitives out of the box for turning a single memory corruption bug into interactionless ASLR bypasses and remote code execution,” Sevens noted. “By corrupting the bounds of the pixel buffer using the bug, the rest of the exploit could be performed by using the ‘weird machine’ that the DNG specification and its implementation provide.”
  • New Android Spyware Discovered on Belarusian Journalist’s Phone — Authorities in Belarus are deploying a new Android spyware family called ResidentBat on phones belonging to local journalists after the devices are confiscated during interrogations by the Belarusian security service. The implant can exfiltrate call logs, record microphone audio, capture screenshots, harvest SMS and encrypted messaging app content, and access local files. It also includes functionality to perform a factory reset and self-remove. According to RESIDENT.NGO, the C2 infrastructure for ResidentBat has been active since March 2021. In December 2024, similar physical-access spyware deployment patterns were reported in Serbia and Russia. “The infection relied on physical access to the device,” RESIDENT.NGO said. “We hypothesize that the KGB officers observed the device password or PIN as the journalist typed it in their presence during the conversation. Once the officers had the PIN and physical possession of the phone while it was in the locker, they enabled ‘Developer Mode’ and ‘USB Debugging.’ The spyware was then sideloaded onto the device, likely via ADB commands from a Windows PC.”
  • Former Incident Responders Plead Guilty to Ransomware Attacks — Two former security practitioners, Ryan Clifford Goldberg and Kevin Tyler Martin, have entered guilty pleas in connection with a string of BlackCat ransomware incidents carried out between May and November 2023, during which they were employed by companies responsible for defending organizations against ransomware. Goldberg and Martin were indicted in the prior month. At the time, Martin worked as a ransomware negotiator for DigitalMint, while Goldberg was an incident response manager at Sygnia. A third unnamed co-conspirator, also with DigitalMint, allegedly obtained a BlackCat affiliate account that the group used to orchestrate their ransomware operations.
  • Congressional Report Says China Exploits U.S.-funded Research on Nuclear Technology — A joint report released by the House Select Committee on China and the House Permanent Select Committee on Intelligence (HPSCI) concludes that China is leveraging the U.S. Department of Energy (DOE) to access and redirect taxpayer-funded research for military and technological advantage. Investigators identified roughly 4,350 research publications from June 2023 to June 2025 where DOE funding or support overlapped with collaborations involving Chinese entities, including more than 730 DOE awards and contracts. About 2,200 of those papers involved entities in China’s defense R&D and industrial sectors. “This case study and many more like it in the report underscore a deeply troubling reality: U.S. government scientists – employed by the DOE and working at federally funded national laboratories – have coauthored research with Chinese entities at the very heart of the PRC’s military-industrial complex,” the House Select Committee on the Chinese Communist Party (CCP) said. “They involve the joint development of technologies relevant to next-generation military aircraft, electronic warfare systems, radar deception techniques, and critical energy and aerospace infrastructure – alongside entities already restricted by multiple U.S. agencies for posing a threat to national security.” In a statement to the Associated Press, the Chinese Embassy in Washington said the committee “has long smeared and attacked China for political purposes and has no credibility to speak of.”
  • Moscow Court Sentences Russian Scientist to 21 Years for Treason — A court in Moscow sentenced 34-year-old researcher Artyom Khoroshilov of the Moscow Institute of General Physics to 21 years in prison on charges that include treason, attacks on critical infrastructure, and sabotage plotting. He was additionally fined 700,000 rubles (~$9,100). Authorities allege that he worked with the Ukrainian IT Army to launch DDoS attacks on Russian Post infrastructure in August 2022 and that he planned bomb attacks on railway tracks used by a Russian Ministry of Defense military unit to transport materiel. The IT Army of Ukraine, known for organizing DDoS campaigns against Russian infrastructure, stated that it does not know whether Khoroshilov was part of its community but emphasized that “the enemy hunts down any sign of resistance.”
  • New DIG AI Tool Used by Malicious Actors — Resecurity reports a “notable increase” in threat actors adopting DIG AI, a new entry in the ecosystem of darknet-hosted Large Language Models tailored for illegal and harmful tasks, including crafting phishing content and providing guidance on explosives and banned substances. Access is provided over Tor without requiring registration. The operator, Pitch, states that the system is powered by OpenAI’s ChatGPT Turbo. “DIG AI enables malicious actors to leverage the power of AI to generate tips ranging from explosive device manufacturing to illegal content creation, including CSAM,” the company said. “Because DIG AI is hosted on the TOR network, such tools are not easily discoverable and accessible to law enforcement. They create a significant underground market – from piracy and derivatives to other illicit activities.”
  • China Says U.S. Seized Cryptocurrency from Chinese Firm — Chinese authorities claim that cryptocurrency recently seized by the U.S. in a large enforcement action actually belongs to the mining pool operator LuBian. In October 2025, the U.S. Department of Justice confiscated $15 billion in Bitcoin from the operator of scam compounds, stating that the assets were tied to the Prince Group and its CEO, Chen Zhi. China’s National Computer Virus Emergency Response Center (CVERC) now alleges, echoing Elliptic’s analysis, that the funds instead originate from the 2020 compromise of LuBian’s Bitcoin mining pool. According to CVERC, the evidence indicates that the cryptocurrency was first stolen from Zhi before being seized by U.S. authorities. “The U.S. government may have stolen Chen Zhi’s 127,000 Bitcoin through hacking techniques as early as 2020, making this a classic case of ‘black-on-black’ crime orchestrated by a state-sponsored hacking organization,” CVERC said. The report does not, however, assert that the confiscated funds are directly tied to the scam operations cited in the DOJ case.
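The EmEditor item above gives responders one concrete host-level indicator: an Edge extension with ID ngahobakhbdpmokneiohlfofdmglpakd labeled "Google Drive Caching". The scanner below is an added example, not code from Emurasoft, QiAnXin or the article. It assumes the Chromium-style profile layout Edge uses (`<profile>/Extensions/<id>/<version>/manifest.json`); the benign extension ID and the demo profile it builds are constructed for the illustration.

```python
"""Added example: scan a Chromium-style browser profile for the Edge
extension IoC named in the recap (ID and display name), by both ID and
manifest name. Assumes <profile>/Extensions/<id>/<version>/manifest.json."""
import json
import tempfile
from pathlib import Path
from typing import Dict, List

# Indicators taken from the recap.
IOC_EXTENSION_IDS = {"ngahobakhbdpmokneiohlfofdmglpakd"}
IOC_EXTENSION_NAMES = {"google drive caching"}


def scan_profile(profile_dir: Path) -> List[Dict[str, str]]:
    """Return one hit per installed extension version that matches an IoC."""
    hits: List[Dict[str, str]] = []
    ext_root = profile_dir / "Extensions"
    if not ext_root.is_dir():
        return hits
    for ext_dir in sorted(ext_root.iterdir()):
        if not ext_dir.is_dir():
            continue
        for version_dir in sorted(ext_dir.iterdir()):
            if not version_dir.is_dir():
                continue
            manifest = version_dir / "manifest.json"
            name = ""
            if manifest.is_file():
                try:
                    # A localized manifest carries a "__MSG_..." key here instead
                    # of a literal name; the ID check still covers that case.
                    name = str(json.loads(manifest.read_text(encoding="utf-8")).get("name", ""))
                except (ValueError, OSError):
                    name = "<unreadable manifest>"
            reasons = []
            if ext_dir.name in IOC_EXTENSION_IDS:
                reasons.append("id matches IoC")
            if name.lower() in IOC_EXTENSION_NAMES:
                reasons.append("name matches IoC")
            if reasons:
                hits.append({"id": ext_dir.name, "version": version_dir.name,
                             "name": name, "reason": "; ".join(reasons)})
    return hits


def build_demo_profile(root: Path) -> Path:
    """Construct a fake profile: one benign extension and one matching the IoC."""
    profile = root / "Default"
    benign = profile / "Extensions" / "aaaabbbbccccddddeeeeffffgggghhhh" / "1.0.0"  # constructed ID
    benign.mkdir(parents=True)
    (benign / "manifest.json").write_text(json.dumps({"name": "Harmless Notes", "version": "1.0.0"}))
    bad = profile / "Extensions" / "ngahobakhbdpmokneiohlfofdmglpakd" / "0.0.1"
    bad.mkdir(parents=True)
    (bad / "manifest.json").write_text(json.dumps({"name": "Google Drive Caching", "version": "0.0.1"}))
    return profile


def demo() -> List[Dict[str, str]]:
    """Build the constructed profile in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_profile(build_demo_profile(Path(tmp)))


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

On a real Windows host, point `scan_profile()` at each profile under `%LOCALAPPDATA%\Microsoft\Edge\User Data` (Default, Profile 1, and so on); an ID hit with a different or localized display name is still a hit, since the name is the attacker-chosen label and the ID is the stable indicator.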

🎥 Cybersecurity Webinars

  • How Zero Trust and AI Catch Attacks With No Files, No Binaries, and No Indicators — Modern intrusion sets increasingly lean on trusted admin tooling and fileless techniques that slip past legacy detection stacks. This session walks through how Zero Trust principles and AI-driven detection can expose these stealthy behaviors, protect developer and cloud workloads, and shift teams from reactive incident handling to proactive control of their attack surface.
  • Master Agentic AI Security: Learn to Detect, Audit, and Contain Rogue MCP Servers — Developer-facing AI services such as Copilot and Claude Code can quietly introduce new attack surface if MCP servers are deployed without inventory, ownership, or access boundaries. Many teams lack visibility into which MCP servers exist, who operates them, and what data and credentials they touch — and some have already been co-opted as backdoors. This webinar focuses on practical methods to discover unmanaged AI endpoints, stop shadow API key usage, and regain control before AI infrastructure becomes the root cause of a breach.

🔧 Cybersecurity Tools

  • GhidraGPT — A Ghidra plugin that layers AI-assisted analysis on top of traditional reverse engineering workflows. It can summarize and explain decompiled routines, suggest more readable labeling and structuring, and call out code regions that warrant deeper review from a security perspective, helping analysts work through complex binaries more efficiently.
  • Chameleon — An open-source honeypot framework for emulating a range of network services to attract real-world attackers, bots, and credential stuffing attempts. It exposes simulated open and weakly secured ports, logs interaction details, and surfaces the resulting telemetry in straightforward dashboards so defenders can study live scanning and exploitation patterns against their exposed footprint.

Disclaimer: These tools are for learning and research only. They have not gone through full security hardening or code review. Misuse can cause real damage. Always inspect the source, test only in isolated lab environments, and comply with all applicable laws and organizational policies.

Conclusion

This recap pulls together the week’s key developments as 2025 closes out, with an emphasis on what actually shifted attacker behavior and defender workload. Use these stories to update your watchlists, detection rules, and incident playbooks for early 2026. The same patterns — rapid exploit adoption, supply chain weakness, abuse of trusted tools, and long-tail impact from “resolved” breaches — are likely to continue shaping SOC priorities in the months ahead.


All Right Reserved by Jutsu Inc. | 2024