End-of-Day report
Timeframe: Friday 05-12-2025 18:00 - Tuesday 09-12-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
News
Malicious VSCode extensions on Microsoft's registry drop infostealers
Two malicious extensions on Microsoft's Visual Studio Code Marketplace infect developers' machines with information-stealing malware that can take screenshots, steal credentials, crypto wallets, and hijack browser sessions.
https://www.bleepingcomputer.com/news/security/malicious-vscode-extensions-on-microsofts-registry-drop-infostealers/
Ransomware gangs turn to Shanya EXE packer to hide EDR killers
Multiple ransomware gangs are using a packer-as-a-service platform named Shanya to help them deploy payloads that disable endpoint detection and response solutions on victim systems.
https://www.bleepingcomputer.com/news/security/ransomware-gangs-turn-to-shanya-exe-packer-to-hide-edr-killers/
North Korean hackers exploit React2Shell flaw in EtherRAT malware attacks
A new malware implant called EtherRAT, deployed in a recent React2Shell attack, runs five separate Linux persistence mechanisms and leverages Ethereum smart contracts for communication with the attacker.
https://www.bleepingcomputer.com/news/security/north-korean-hackers-exploit-react2shell-flaw-in-etherrat-malware-attacks/
'Broadside' Mirai Variant Targets Maritime Logistics Sector
Yet another variant of the Mirai botnet is threatening the maritime logistics sector by exploiting a critical flaw in digital recording devices used by companies on seagoing vessels. The attacks allow for remote command injection via the vulnerability, enabling attackers to establish Netlink-based process monitoring for persistence and other malicious activities.
https://www.darkreading.com/threat-intelligence/broadside-mirai-variant-maritime-logistics
Lumma Stealer: Danger lurking in fake game updates from itch.io and Patreon
After patches on mainstream gaming platforms like Steam, indie game platforms as well as Patreon have become the latest platforms for distributing malware.
https://feeds.feedblitz.com/~/932262560/0/gdatasecurityblog-en~Lumma-Stealer-Danger-lurking-in-fake-game-updates-from-itchio-and-Patreon
Attacks already underway: around 29,000 servers vulnerable via React flaw
Attackers are exploiting a critical vulnerability in the React framework dubbed React2Shell. In Germany alone, more than 3,000 servers are still vulnerable.
https://www.golem.de/news/attacken-laufen-bereits-rund-29-000-server-ueber-react-luecke-angreifbar-2512-202992.html
Zero-Click Agentic Browser Attack Can Delete Entire Google Drive Using Crafted Emails
A new agentic browser attack targeting Perplexity's Comet browser is capable of turning a seemingly innocuous email into a destructive action that wipes a user's entire Google Drive contents, findings from Straiker STAR Labs show.
https://thehackernews.com/2025/12/zero-click-agentic-browser-attack-can.html
Android Malware FvncBot, SeedSnatcher, and ClayRat Gain Stronger Data Theft Features
Cybersecurity researchers have disclosed details of two new Android malware families dubbed FvncBot and SeedSnatcher, as another upgraded version of ClayRat has been spotted in the wild.
https://thehackernews.com/2025/12/android-malware-fvncbot-seedsnatcher.html
Experts Confirm JS#SMUGGLER Uses Compromised Sites to Deploy NetSupport RAT
Cybersecurity researchers are calling attention to a new campaign dubbed JS#SMUGGLER that has been observed leveraging compromised websites as a distribution vector for a remote access trojan named NetSupport RAT.
https://thehackernews.com/2025/12/experts-confirm-jssmuggler-uses.html
STAC6565 Targets Canada in 80% of Attacks as Gold Blade Deploys QWCrypt Ransomware
Canadian organizations have emerged as the focus of a targeted cyber campaign orchestrated by a threat activity cluster known as STAC6565.
https://thehackernews.com/2025/12/stac6565-targets-canada-in-80-of.html
Storm-0249 Escalates Ransomware Attacks with ClickFix, Fileless PowerShell, and DLL Sideloading
The threat actor known as Storm-0249 is likely shifting from its role as an initial access broker to adopt a combination of more advanced tactics like domain spoofing, DLL side-loading, and fileless PowerShell execution to facilitate ransomware attacks.
https://thehackernews.com/2025/12/storm-0249-escalates-ransomware-attacks.html
Novel clickjacking attack relies on CSS and SVG
Security researcher Lyra Rebane has devised a novel clickjacking attack that relies on Scalable Vector Graphics (SVG) and Cascading Style Sheets (CSS).
https://go.theregister.com/feed/www.theregister.com/2025/12/05/css_svg_clickjacking/
Crims using social media images, videos in virtual kidnapping scams
Criminals are altering social media and other publicly available images of people to use as fake proof of life photos in "virtual kidnapping" and extortion scams, the FBI warned on Friday.
https://go.theregister.com/feed/www.theregister.com/2025/12/05/virtual_kidnapping_scam/
New Prompt Injection Attack Vectors Through MCP Sampling
This article examines the security implications of the Model Context Protocol (MCP) sampling feature in the context of a widely used coding copilot application. MCP is a standard for connecting large language model (LLM) applications to external data sources and tools.
https://unit42.paloaltonetworks.com/model-context-protocol-attack-vectors/
New BYOVD loader behind DeadLock ransomware attack
Talos observed a threat actor leveraging a BYOVD technique to disable endpoint detection and escalate privileges in an attack that eventually delivered DeadLock ransomware as the payload.
https://blog.talosintelligence.com/byovd-loader-deadlock-ransomware/
Space Bears Ransomware Claims Comcast Data Theft Through QuasarBreach
Space Bears ransomware group is claiming that it obtained internal Comcast material by exploiting a breach at Quasar Inc., a telecommunications engineering contractor based in Georgia.
https://hackread.com/space-bears-ransomware-comcast-quasar-breach/
ChrimeraWire Trojan Fakes Chrome Activity to Manipulate Search Rankings
ChrimeraWire is a new Windows trojan that automates web browsing through Chrome to simulate user activity and manipulate search engine rankings.
https://hackread.com/chrimerawire-trojan-fakes-chrome-search-activity/
SimpleX Chat X Account Hacked, Fake Site Promotes Crypto Wallet Scam
SimpleX Chat's X account was hacked to promote a fake crypto site urging users to connect their wallets. The site mimicked the official design to steal funds.
https://hackread.com/simplex-chat-x-account-hacked-fake-site-wallet-scam/
Coupongogo: Remote-Controlled Crypto Stealer Targeting Developers on GitHub
Deep dive into the Coupongogo browser extension (v1.1.12): The alarming cryptostealer waiting for activation.
https://www.rastersec.com/blog/coupongogo-cryptostealer
CVE-2023-20078 technical analysis: Identifying and triggering a command injection vulnerability in Cisco IP phones
CVE-2023-20078 catalogs an unauthenticated command injection vulnerability in the web-based management interface of Cisco 6800, 7800, and 8800 Series IP Phones with Multiplatform Firmware installed; however, limited technical analysis is publicly available. This article presents my findings while researching this vulnerability. In the end, the reader should be equipped with the information necessary to understand and trigger this vulnerability.
https://www.ibm.com/think/x-force/cve-2023-20078-technical-analysis
Malicious Crate Mimicking 'Finch' Exfiltrates Credentials via a Hidden Dependency
Socket found a Rust typosquat (finch-rust) that loads sha-rust to steal credentials, using impersonation and an unpinned dependency to auto-deliver updates.
https://socket.dev/blog/malicious-crate-mimicking-finch-exfiltrates-credentials?utm_medium=feed
Researchers Uncover 30+ Flaws in AI Coding Tools Enabling Data Theft and RCE Attacks
Over 30 security vulnerabilities have been disclosed in various artificial intelligence (AI)-powered Integrated Development Environments (IDEs) that combine prompt injection primitives with legitimate features to achieve data exfiltration and remote code execution.
https://thehackernews.com/2025/12/researchers-uncover-30-flaws-in-ai.html
Vulnerabilities
DSA-6073-1 ffmpeg - security update
Several vulnerabilities have been discovered in the FFmpeg multimedia framework, which could result in denial of service or potentially the execution of arbitrary code if malformed files/streams are processed.
https://lists.debian.org/debian-security-announce/2025/msg00239.html
Critical XXE Bug CVE-2025-66516 (CVSS 10.0) Hits Apache Tika, Requires Urgent Patch
A critical security flaw has been disclosed in Apache Tika that could result in an XML external entity (XXE) injection attack. The vulnerability, tracked as CVE-2025-66516, is rated 10.0 on the CVSS scoring scale, indicating maximum severity.
https://thehackernews.com/2025/12/critical-xxe-bug-cve-2025-66516-cvss.html
Sneeit WordPress RCE Exploited in the Wild While ICTBroadcast Bug Fuels Frost Botnet Attacks
A critical security flaw in the Sneeit Framework plugin for WordPress is being actively exploited in the wild, per data from Wordfence. The remote code execution vulnerability in question is CVE-2025-6389 (CVSS score: 9.8), which affects all versions of the plugin prior to and including 8.3. It has been patched in version 8.4, released on August 5, 2025. The plugin has more than 1,700 active installations.
https://thehackernews.com/2025/12/sneeit-wordpress-rce-exploited-in-wild.html
Security updates for Monday
Security updates have been issued by Debian (ffmpeg, krita, lasso, and libpng1.6), Fedora (abrt, cef, chromium, tinygltf, webkitgtk, and xkbcomp), Oracle (buildah, delve and golang, expat, python-kdcproxy, qt6-qtquick3d, qt6-qtsvg, sssd, thunderbird, and valkey), Red Hat (webkit2gtk3), and SUSE (git-bug, go1, and libpng12-0).
https://lwn.net/Articles/1049657/
Security updates for Tuesday
Security updates have been issued by AlmaLinux (kernel, kernel-rt, and webkit2gtk3), Fedora (abrt and mingw-libpng), Mageia (apache and libpng), Oracle (abrt, go-toolset:rhel8, kernel, sssd, and webkit2gtk3), Red Hat (kernel and kernel-rt), SUSE (gimp, gnutls, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, and postgresql13), and Ubuntu (gnupg2, python-apt, radare2, and webkit2gtk).
https://lwn.net/Articles/1049769/
iOS 26.2: Apple fixes critical bugs in second release candidate
The probably last major iOS update of the year, iOS 26.2, is taking a little longer: instead, on Monday evening German time, Apple released a second release candidate of the update for the iPhone operating system. Apple has not yet disclosed what exactly was changed in RC2. It is considered certain, however, that one or more critical bugs are being fixed. When the final release can be expected remains open.
https://heise.de/-11108257
Multiple vulnerabilities in ABB Terra AC Wallbox
https://jvn.jp/en/jp/JVN84024274/
Multiple vulnerabilities in GroupSession
https://jvn.jp/en/jp/JVN19940619/
SAP Patch Day: 14 security advisories at year's end
https://www.heise.de/news/SAP-Patchday-14-Sicherheitswarnungen-zum-Jahresende-11107757.html
Security Vulnerabilities fixed in Firefox ESR 140.6
https://www.mozilla.org/en-US/security/advisories/mfsa2025-94/
Security Vulnerabilities fixed in Firefox ESR 115.31
https://www.mozilla.org/en-US/security/advisories/mfsa2025-93/
Security Vulnerabilities fixed in Firefox 146
https://www.mozilla.org/en-US/security/advisories/mfsa2025-92/
Vulnerability Summary for the Week of December 1, 2025
https://www.cisa.gov/news-events/bulletins/sb25-342
CISA Adds Two Known Exploited Vulnerabilities to Catalog
https://www.cisa.gov/news-events/alerts/2025/12/08/cisa-adds-two-known-exploited-vulnerabilities-catalog
K000158118: PostgreSQL vulnerabilities CVE-2025-8713, CVE-2025-8715
https://my.f5.com/manage/s/article/K000158118