{"id":9212,"date":"2025-12-15T10:04:37","date_gmt":"2025-12-15T10:04:37","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/12\/15\/cybersecurity-news-weekly-newsletter-windows-chrome-and-apple-0-days-kali-linux-2025-4-and-mitre-top-25\/"},"modified":"2025-12-15T10:04:37","modified_gmt":"2025-12-15T10:04:37","slug":"cybersecurity-news-weekly-newsletter-windows-chrome-and-apple-0-days-kali-linux-2025-4-and-mitre-top-25","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/12\/15\/cybersecurity-news-weekly-newsletter-windows-chrome-and-apple-0-days-kali-linux-2025-4-and-mitre-top-25\/","title":{"rendered":"Cybersecurity News Weekly Newsletter \u2013 Windows, Chrome, and Apple 0-days, Kali Linux 2025.4, and MITRE Top 25"},"content":{"rendered":"

Cybersecurity News Weekly Newsletter \u2013 Windows, Chrome, and Apple 0-days, Kali Linux 2025.4, and MITRE Top 25
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

As 2025 nears its close, the cybersecurity landscape shows no signs of slowing down. This week\u2019s developments highlight how rapidly the threat environment continues to evolve with major zero-day vulnerabilities targeting Windows, Chrome, and Apple devices, each actively exploited in the wild.<\/p>\n

These high-risk flaws underline the continued importance of swift patching, layered defense, and continuous threat monitoring across enterprise ecosystems.<\/p>\n

Meanwhile, offensive security professionals received a major update as Kali Linux 2025.4<\/a> rolled out with new tools, kernel upgrades, and enhanced cloud integration, reinforcing its position as a cornerstone for penetration testing and digital forensics in both research and operational security settings.<\/p>\n

On the defensive front, MITRE released its annual Top 25 Most Dangerous Software Weaknesses of 2025<\/a>, spotlighting recurring coding errors that adversaries frequently weaponize. From inadequate input validation to risky resource management, the list serves as a vital reminder that secure coding is still the first line of defense against complex exploitation techniques and chained attack vectors.<\/p>\n

Across the board, this week reflects a convergence of aggressive exploitation activity and heightened community response. Organizations are urged to prioritize visibility, validate software supply chains, and stay aligned with evolving security frameworks. Whether patching systems affected by 0-days, assessing exposure through MITRE\u2019s latest findings, or adopting the latest features of Kali Linux, the takeaway is clear \u2014 cyber resilience depends on agility, awareness, and readiness.<\/p>\n

Stay ahead of the threat curve with this week\u2019s highlights, advisories, and actionable updates across infrastructure, endpoint, and application security domains.<\/p>\n

\u200bThreats<\/strong><\/h2>\n

Malicious Go UUID Packages Target Developers<\/strong><\/h3>\n

A long-running supply chain attack abused typo\u2011squatted Go packages github.com\/bpoorman\/uuid<\/code> and github.com\/bpoorman\/uid<\/code> to impersonate Google\u2019s and pborman\u2019s UUID libraries while silently exfiltrating sensitive data passed into a backdoored Valid<\/code> helper function. Collected data is encrypted and uploaded to dpaste.com using a hardcoded API token, and the malicious packages have been available since 2021, highlighting the need for strict dependency verification in Go projects and regular audits of go.mod<\/code> imports.<\/p>\n

\u200bRead more: https:\/\/cybersecuritynews.com\/malicious-go-packages-as-googles-uuid-library\/<\/a><\/p>\n

VS Code & AI IDE Extensions as Backdoors<\/strong><\/h3>\n

Researchers showed how attackers can publish malicious extensions to Visual Studio Code and AI IDEs like Cursor with minimal friction, exemplified by a typo\u2011squatted \u201cPiithon-linter\u201d that passed marketplace checks. Once installed, such extensions can auto\u2011execute on IDE launch, evade AV\/EDR via environment checks, exfiltrate environment variables (secrets, tokens), and deploy Merlin C2 agents across Windows, macOS, and Linux.\u200b<\/p>\n

Read more: https:\/\/cybersecuritynews.com\/hackers-compromising-developers-with-malicious-vs-code\/<\/a><\/p>\n

Anatsa Banking Trojan Hidden in Google Play Document Reader<\/strong><\/h3>\n

An Android app called \u201cDocument Reader \u2013 File Manager\u201d on Google Play, with over 50,000 installs, was found to act as a dropper for the Anatsa (TeaBot) banking trojan. The app fetches the payload from a remote server, uses emulator\u2011evasion and obfuscation techniques, abuses accessibility permissions, and overlays fake banking interfaces to steal credentials and enable fraudulent transactions against hundreds of financial institutions worldwide.<\/p>\n

Read more: https:\/\/cybersecuritynews.com\/malicious-document-reader-app-google-play\/<\/a><\/p>\n

GhostPenguin: Zero\u2011Detection Linux Backdoor<\/strong><\/h3>\n

A previously unknown Linux backdoor dubbed GhostPenguin evaded all engines on VirusTotal for months while providing attackers with remote shell access and full file\u2011system operations over encrypted UDP. The malware uses RC5 encryption with a dynamically assigned session ID over UDP port 53, employs multi\u2011stage communication, heartbeat\u2011based C2, and supports around 40 commands, illustrating how bespoke, low\u2011noise backdoors can slip past conventional detection.<\/p>\n

Read more: https:\/\/cybersecuritynews.com\/ghostpenguin-backdoor-with-zero-detection\/<\/a><\/p>\n

Ransomware Surge Against Hyper\u2011V & ESXi<\/strong><\/h3>\n

Recent reporting highlights a sharp rise in ransomware campaigns explicitly targeting Microsoft Hyper\u2011V and VMware ESXi environments, often to maximize impact by encrypting virtual machine images at scale. Threat actors increasingly abuse misconfigurations, flat network access, weak admin credentials, and inadequate segmentation around hypervisors to gain control of virtualization layers and disrupt entire fleets of workloads in a single operation.<\/p>\n

Read more: https:\/\/cybersecuritynews.com\/ransomware-targeting-hyper-v-and-vmware-esxi-surges\/<\/a><\/p>\n

AI Conversations Weaponized to Deliver AMOS<\/strong><\/h3>\n

Threat actors are abusing legitimate ChatGPT and Grok conversation links, which rank highly in search results, to lure macOS users into running malicious Terminal commands that install Atomic macOS Stealer (AMOS). The attack uses base64\u2011encoded payloads, leverages dscl<\/code> and sudo -S<\/code> to validate and reuse user credentials, and sets up persistence via LaunchDaemons, exploiting user trust in AI platforms rather than exploiting OS vulnerabilities.<\/p>\n

Read more: https:\/\/cybersecuritynews.com\/chatgpt-and-grok-conversations-weaponized\/<\/a><\/p>\n

Lifecycle of Data Stolen in Phishing Attacks<\/strong><\/h3>\n

New research traces how credentials harvested via phishing move through a multi\u2011stage underground economy, from initial collection on fake pages to distribution via email, Telegram bots, or phishing\u2011as\u2011a\u2011service panels like BulletProofLink and Caffeine. Stolen data is aggregated, traded, and repeatedly reused for account takeover, fraud, and follow\u2011on intrusions, meaning even \u201cold\u201d phished credentials can continue to pose long\u2011term risk if not properly revoked and monitored.<\/p>\n

Read more: https:\/\/cybersecuritynews.com\/what-happens-to-data-stolen-in-a-phishing-attack\/<\/a><\/p>\n

Cyberattack<\/strong><\/h2>\n

React2Shell RCE Actively Exploited in the Wild (CVE-2025-55182)<\/strong><\/h3>\n

A critical unsafe deserialization flaw in the React Server Components Flight protocol, dubbed \u201cReact2Shell\u201d (CVE-2025-55182), is under active exploitation across React and Next.js deployments. Attackers are using automated Mirai-style botnet kits, PowerShell \u201ccheap math\u201d probes for RCE validation, and encoded download\u2011and\u2011execute stagers that bypass AMSI by flipping AmsiUtils.amsiInitFailed<\/code> to true.\u200b
Defenders should urgently patch affected React\/Next.js stacks, block known campaign IPs where possible, and monitor for repeated PowerShell arithmetic execution and AMSI-bypass indicators on Windows endpoints.\u200b<\/p>\n

Read more: https:\/\/cybersecuritynews.com\/react2shell-rce-vulnerability\/<\/a><\/p>\n

OceanLotus Targets China\u2019s Xinchuang Ecosystem via Supply Chain Attacks<\/strong><\/h3>\n

OceanLotus (APT32) is conducting a focused surveillance campaign against China\u2019s \u201cXinchuang\u201d IT stack, abusing domestic hardware\/software supply chains once considered resilient to foreign espionage. The group uses spear\u2011phishing with malicious .desktop<\/code> files, WPS PDF lures, and JAR archives, then chains brute\u2011forcing of internal security servers with suspected zero\u2011days to push malicious update scripts.\u200b
An N\u2011day bug in Atril (CVE-2023-52076) is weaponized via crafted EPUBs to achieve path traversal and arbitrary file write, dropping an autostart .desktop<\/code> loader and encrypted payload that decrypts to a Python downloader on login.\u200b<\/p>\n

Read more: https:\/\/cybersecuritynews.com\/oceanlotus-hacker-group-targeting-xinchuang-it-ecosystems\/<\/a><\/p>\n

Spiderman Phishing Kit Supercharges European Banking Fraud<\/strong><\/h3>\n

A new \u201cSpiderman\u201d phishing framework is enabling low\u2011skill threat actors to build pixel\u2011perfect clones of dozens of European banking and crypto portals through a point\u2011and\u2011click interface. The kit centralizes support for major banks, adds real\u2011time session control, and includes dedicated modules to capture 2FA codes such as PhotoTAN and OTPs while operators watch sessions live.\u200b
Spiderman further evades takedowns using granular geo\/device filtering and anti\u2011analysis rules and extends fraud into crypto by harvesting wallet seed phrases for platforms like Ledger, MetaMask, and Exodus.\u200b<\/p>\n

Read more: https:\/\/cybersecuritynews.com\/spiderman-phishing-kit-bank-login\/<\/a><\/p>\n

ChatGPT-Themed Lures Deliver AMOS InfoStealer to macOS<\/strong><\/h3>\n

A new macOS campaign abuses sponsored Google Ads and fake ChatGPT \u201csupport\u201d sessions to deliver AMOS InfoStealer under the guise of terminal troubleshooting commands. Victims looking to fix sound issues are funneled into a convincing chat flow that instructs them to run a single terminal line which silently downloads and executes a remote script to install AMOS and set up persistence.\u200b
Once deployed, AMOS harvests browser data, credentials, cookies, and other secrets from Mac endpoints, enabling account takeover and lateral movement against both consumer and enterprise environments.\u200b<\/p>\n

Read more: https:\/\/cybersecuritynews.com\/threat-actors-leverage-chatgpt\/<\/a><\/p>\n

Cisco\u2011Trained Chinese Hackers Turn Tools Against Cisco Devices<\/strong><\/h3>\n

Two Chinese operators, Yuyang and Qiu Daibing, formerly standout Cisco Network Academy participants, have been identified as key figures behind the Salt Typhoon campaign targeting Cisco infrastructure worldwide. Leveraging deep familiarity with Cisco IOS and ASA firewalls, the operation compromised over 80 telecom providers, intercepting unencrypted communications involving US presidential candidates, staffers, and policy experts.<\/p>\n

The campaign also abused lawful\u2011intercept (CALEA) infrastructure for large\u2011scale intelligence collection, raising hard questions about the geopolitical risks of vendor training programs in adversarial markets.\u200b<\/p>\n

Read more: https:\/\/cybersecuritynews.com\/chinese-hackers-attacking-cisco-devices\/<\/a><\/p>\n

ValleyRAT Builder Leak Fuels Stealthy Windows 11 Rootkit Campaigns<\/strong><\/h3>\n

ValleyRAT (aka Winos\/Winos4.0) has evolved into a modular backdoor with an embedded kernel\u2011mode rootkit that can retain valid signatures and load on fully patched Windows 11 systems. Following the public leak of its builder, detections have surged, with roughly 85% of samples observed in the last six months and increasing use by diverse threat actors.
The malware chains first\u2011stage beaconing modules with a driver plugin that stealthily installs a signed rootkit, injects user\u2011mode shellcode, and forcibly removes AV\/EDR drivers from vendors like Qihoo 360, Huorong, Tencent, and Kingsoft to create a blind spot.<\/p>\n

Read more: https:\/\/cybersecuritynews.com\/valleyrat-malware-uses-stealthy-driver-install\/<\/a><\/p>\n

CyberVolk\u2019s VolkLocker Hits Linux and Windows with RaaS Model<\/strong><\/h3>\n

Pro\u2011Russia group CyberVolk has resurfaced with VolkLocker, a cross\u2011platform ransomware\u2011as\u2011a\u2011service written in Go that targets both Linux and Windows environments. Despite rushed development and leftover test artifacts, the platform combines Telegram\u2011based automation with robust encryption, giving affiliate operators an easy path to broad infrastructure compromise.
VolkLocker uses a registry\u2011based \u201cms-settings\u201d UAC bypass for stealthy privilege escalation, then performs extensive environment checks to avoid sandboxes and focus on production systems, while encouraging affiliates to apply UPX packing for additional evasion.<\/p>\n

Read more: https:\/\/cybersecuritynews.com\/cybervolk-hackers-group-with-new-volklocker-payloads\/<\/a><\/p>\n

Vulnerability<\/strong><\/h2>\n

WatchGuard Firebox: 10 flaws enabling code execution<\/strong><\/h3>\n

WatchGuard Firebox appliances received fixes for ten vulnerabilities, including multiple out-of-bounds write bugs in the CLI and certificate daemon that let authenticated admins gain arbitrary code execution, a high-severity XPath injection exposing configuration data, and several stored XSS bugs in third\u2011party integrations. Patches are available in Fireware OS 2025.1.3, 12.11.5, and 12.5.14, and organizations with exposed management interfaces or legacy IPSec setups are urged to update immediately.\u200b<\/p>\n

Read more: https:\/\/cybersecuritynews.com\/watchguard-firebox-vulnerabilities\/<\/a><\/p>\n

Fortinet SSO bypass across FortiOS, FortiWeb, and FortiProxy<\/strong><\/h3>\n

Fortinet disclosed a critical improper cryptographic signature verification issue in FortiCloud SSO handling that allows unauthenticated attackers to forge SAML messages and gain admin access when FortiCloud login is enabled (often auto\u2011enabled during registration). A broad range of FortiOS, FortiProxy, FortiWeb, and FortiSwitchManager releases require urgent upgrades, with disabling FortiCloud SSO offered as an interim workaround for environments that cannot patch immediately.<\/p>\n

Read more: https:\/\/cybersecuritynews.com\/critical-fortinet-vulnerability\/<\/a><\/p>\n

FortiSandbox OS command injection<\/strong><\/h3>\n

A separate FortiSandbox issue allows attackers to exploit an OS command injection flaw to run arbitrary commands on affected appliances, threatening both sandbox integrity and adjacent monitored networks. Fortinet has issued fixed firmware versions and recommends immediate upgrades for any internet\u2011exposed or shared multi\u2011tenant sandbox deployments.<\/p>\n

Read more: https:\/\/cybersecuritynews.com\/fortisandbox-os-command-injection-vulnerability\/<\/a><\/p>\n

AWS IAM eventual consistency is abused for stealthy persistence<\/strong><\/h3>\n

Research from OFFENSAI shows how IAM\u2019s 3\u20134 second consistency delay lets attackers keep or reestablish access even after defenders delete compromised access keys or apply deny policies, because stale state remains usable briefly across regions. Recommended mitigations include enforcing account\u2011level SCPs via AWS Organizations, favoring short\u2011lived STS and role\u2011based access over long\u2011term keys, and updating incident\u2011response playbooks to explicitly account for propagation delays.\u200b<\/p>\n

Read more: https:\/\/cybersecuritynews.com\/aws-iam-eventual-consistency-exploited\/<\/a><\/p>\n