⚡ Weekly Recap: USB Malware, React2Shell, WhatsApp Worms, AI IDE Bugs & More

It’s been a week of chaos in code and calm in headlines. A bug that broke the internet’s favorite framework, hackers chasing AI tools, fake apps stealing cash, and record-breaking cyberattacks — all within days. If you blink, you’ll miss how fast the threat map is changing.

New flaws are being found, published, and exploited in hours instead of weeks. AI-powered tools meant to help developers are quickly becoming new attack surfaces. Criminal groups are recycling old tricks with fresh disguises — fake apps, fake alerts, and fake trust.

Meanwhile, defenders are racing to patch systems, block massive DDoS waves, and uncover spy campaigns hiding quietly inside networks. The fight is constant, the pace relentless.

For a deeper look at these stories, plus new cybersecurity tools and upcoming expert webinars, check out the full ThreatsDay Bulletin.

****⚡ Threat of the Week****

Max Severity React Flaw Comes Under Attack — A critical security flaw impacting React Server Components (RSC) has come under extensive exploitation within hours of publication disclosure. The vulnerability, CVE-2025-55182 (CVSS score: 10.0), relates to a case of remote code execution that could be triggered by an unauthenticated attacker without requiring any special setup. It’s also tracked as React2Shell. Amazon reported that it observed attack attempts originating from infrastructure associated with Chinese hacking groups like Earth Lamia and Jackpot Panda within hours of public disclosure of the flaw. Coalition, Fastly, GreyNoise, VulnCheck, and Wiz have also reported seeing exploitation efforts targeting the flaw, indicating that multiple threat actors are engaging in opportunistic attacks. The Shadowserver Foundation said it has detected 28,964 IP addresses vulnerable to the React2Shell flaw as of December 7, 2025, down from 77,664 on December 5, with approximately 10,100 located in the U.S., 3,200 in Germany, and 1,690 in China.

****🔔 Top News****

• Over 30 Flaws in AI-Powered IDEs — Security researcher Ari Marzouk disclosed details of more than 30 security vulnerabilities in various artificial intelligence (AI)-powered Integrated Development Environments (IDEs) that combine prompt injection primitives with legitimate features to achieve data exfiltration and remote code execution. The vulnerabilities have been collectively dubbed IDEsaster. “All AI IDEs (and coding assistants that integrate with them) effectively ignore the base software (IDE) in their threat model,” Marzouk said. “They treat their features as inherently safe because they’ve been there for years. However, once you add AI agents that can act autonomously, the same features can be weaponized into data exfiltration and RCE primitives.” Patches have been released to address the issues, with Anthropic acknowledging the risk via a security warning.
• Chinese Hackers Use BRICKSTORM to Target U.S. Entities — China-linked threat actors, including UNC5221 and Warp Panda, are using a backdoor dubbed BRICKSTORM to maintain long-term persistence on compromised systems, according to an advisory from the U.S. government. “BRICKSTORM is a sophisticated backdoor for VMware vSphere and Windows environments,” the Cybersecurity and Infrastructure Security Agency (CISA) said. "BRICKSTORM enables cyber threat actors to maintain stealthy access and provides capabilities for initiation, persistence, and secure command-and-control. The activity has once again revived concerns about China’s sustained ability to tunnel deeper into critical infrastructure and government agency networks undetected, often for extended periods. The attacks have also amplified enduring concerns about China’s cyber espionage activity, which has increasingly targeted edge networks and leveraged living-off-the-land techniques to fly under the radar.
• GoldFactory Targets Southeast Asia with Bogus Banking Apps — Cybercriminals associated with a financially motivated group known as GoldFactory have been observed staging a fresh round of attacks targeting mobile users in Indonesia, Thailand, and Vietnam by impersonating government services. The activity, observed since October 2024, involves distributing modified banking applications that act as a conduit for Android malware. Group-IB said it has identified more than 300 unique samples of modified banking applications that have led to almost 2,200 infections in Indonesia. The infection chains involve the impersonation of government entities and trusted local brands and approaching prospective targets over the phone to trick them into installing malware by instructing them to click on a link sent on messaging apps like Zalo. The links redirect the victims to fake landing pages that masquerade as Google Play Store app listings, resulting in the deployment of a remote access trojan like Gigabud, MMRat, or Remo, which surfaced earlier this year using the same tactics as GoldFactory. These droppers then pave the way for the main payload that abuses Android’s accessibility services to facilitate remote control.
• Cloudflare Blocks Record 29.7 Tbps DDoS Attack — Cloudflare detected and mitigated the largest ever distributed denial-of-service (DDoS) attack that measured at 29.7 terabits per second (Tbps). The activity originated from a DDoS botnet-for-hire known as AISURU, which has been linked to a number of hyper-volumetric DDoS attacks over the past year. The attack lasted for 69 seconds. It did not disclose the target of the attack. The botnet has prominently targeted telecommunication providers, gaming companies, hosting providers, and financial services. Also tackled by Cloudflare was a 14.1 Bpps DDoS attack from the same botnet. AISURU is believed to be powered by a massive network comprising an estimated 1-4 million infected hosts worldwide.
• Brazil Hit by Banking Trojan Spread via WhatsApp Worm — Brazilian users are being targeted by various campaigns that leverage WhatsApp Web as a distribution vector for banking malware. While one campaign attributed to a threat actor known as Water Saci drops a Casbaneiro variant, another set of attacks has led to the deployment of the Astaroth banking trojan. Sophos is tracking the second cluster under the moniker STAC3150 since September 24, 2025. “The lure delivers a ZIP archive that contains a malicious VBS or HTA file,” Sophos said. “When executed, this malicious file launches PowerShell to retrieve second-stage payloads, including a PowerShell or Python script that collects WhatsApp user data and, in later cases, an MSI installer that delivers the Astaroth malware.” Despite the tactical overlaps, it’s currently not clear if they are the work of the same threat actor. “In this particular campaign, the malware spreads through WhatsApp,” K7 Security Labs said. “Because the malicious file is sent by someone already in our contacts, we tend not to verify its authenticity the same way we would if it came from an unknown sender. This trust in familiar contacts reduces our caution and increases the chances of the malware being opened and executed.”

****‎️‍🔥 Trending CVEs****

Hackers act fast. They can use new bugs within hours. One missed update can cause a big breach. Here are this week’s most serious security flaws. Check them, fix what matters first, and stay protected.

This week’s list includes — CVE-2025-6389 (Sneeit Framework plugin), CVE-2025-66516 (Apache Tika), CVE-2025-55182 (React), CVE-2025-9491 (Microsoft Windows), CVE-2025-10155, CVE-2025-10156, CVE-2025-10157 (Picklescan), CVE-2025-48633, CVE-2025-48572 (Google Android), CVE-2025-11699 (nopCommerce), CVE-2025-64775 (Apache Struts), CVE-2025-59789 (Apache bRPC), CVE-2025-13751, CVE-2025-13086, CVE-2025-12106 (OpenVPN), CVE-2025-13658 (Industrial Video & Control Longwatch), CVE-2024-36424 (K7 Ultimate Security), CVE-2025-66412 (Angular), CVE-2025-13510 (Iskra iHUB and iHUB Lite), CVE-2025-13372, CVE-2025-64460 (Django), CVE-2025-13486 (Advanced Custom Fields: Extended plugin), CVE-2025-64772 (Sony INZONE Hub), CVE-2025-64983 (SwitchBot), CVE-2025-31649, CVE-2025-31361 (Dell ControlVault), CVE-2025-47151 (Entr’ouvert Lasso), CVE-2025-66373 (Akamai), CVE-2025-13654 (Duc), CVE-2025-13032 (Avast), CVE-2025-33211, CVE-2025-33201 (NVIDIA Triton), CVE-2025-66399 (Cacti), CVE-2025-20386, CVE-2025-20387 (Splunk), and CVE-2025-66476 (Vim for Windows).

****📰 Around the Cyber World****

• Compromised USBs Used for Crypto Miner Delivery — An ongoing campaign has been observed using USB drives to infect other hosts and deploy cryptocurrency miners since September 2024. While a previous iteration of the campaign used malware families like DIRTYBULK and CUTFAIL, the latest version spotted by AhnLab employs a batch script to launch a dropper DLL that launches PrintMiner, which then installs additional payloads, including XMRig. “The malware is hidden in a folder, and only a shortcut file named ‘USB Drive’ is visible,” AhnLab said. “When a user opens the shortcut file, they are able to see not only the malware but also the files belonging to the previous user, making it difficult for users to realize that they have been infected with malware.” The development comes as Cyble said it identified an active Linux-targeting campaign that deploys a Mirai-derived botnet codenamed V3G4 that’s paired with a stealthy, fileless-configured cryptocurrency miner. “Once active, the bot masquerades as systemd-logind, performs environment reconnaissance, conducts large-scale raw-socket SSH scanning, maintains persistent C2 communication, and ultimately launches a concealed XMRig-based Monero miner dynamically configured at runtime,” the company said.
• Fake Cryptocurrency Investment Domain Seized — The U.S. Department of Justice’s (DoJ) Scam Center Task Force seized Tickmilleas[.]com, a website used by scammers located at the Tai Chang scam compound (aka Casino Kosai) located in the village of Kyaukhat, Burma, to target and defraud Americans through cryptocurrency investment fraud (CIF) scams. “The tickmilleas[.]com domain was disguised as a legitimate investment platform to trick victims into depositing their funds,” the DoJ said. “Victims who used the domain reported to the FBI that the site showed lucrative returns on what they believed to be their investments and displayed purported deposits made by scammers to the victims 'accounts when the scammers walked the victims through supposed trades.” In tandem, Meta removed approximately 2000 accounts associated with the Tai Chang compound. The domain is also said to have redirected visitors to fraudulent apps hosted on Google Play Store and Apple App Store. Several of these apps have since been taken down. In a related move, Cambodian officials raided a cyber scam compound in the country’s capital Phnom Penh and arrested 28 suspects. Of the 28 individuals detained, 27 are Vietnamese nationals, and one is Cambodian. Cyber scam compounds in Cambodia are shifting from the country’s western border with Thailand to the east, to locations near the Vietnamese border, according to Cyber Scam Monitor.
• Portugal Modifies Cybercrime Law to Exempt Researchers — Portugal has amended its cybercrime law to establish a legal safe harbor for white hat security research and making hacking non-punishable under strict conditions, including identifying vulnerabilities aimed at improving cybersecurity through disclosure, not seeking any economic benefit, immediately reporting the vulnerability to the system owner, deleting any data obtained during the research period within 10 of the vulnerability being fixed, and not violating data privacy regulations like GDPR. Last November, Germany floated a draft law that provided similar protections to the research community when discovering and responsibly reporting security flaws to vendors.
• CastleRAT Malware Detailed — A remote access trojan called CastleRAT has been detected in the wild with two main builds: a Python version and a compiled C version. While both versions offer similar capabilities, Splunk said the C build is more powerful and can include extra features. “The malware gathers basic system information, such as computer name, username, machine GUID, public IP address, and product/version details, which it then transmits to the C2 server,” the Cisco-owned company said. “Additionally, it can download and execute further files from the server and provides a remote shell, allowing an attacker to run commands on the compromised machine.” CastleRAT is attributed to a threat actor known as TAG-150.
• DoJ Indicts Brothers for Wiping 96 Government Databases — The DoJ indicted two Virginia brothers for allegedly conspiring to steal sensitive information and deleting 96 government databases. Muneeb and Sohaib Akhter, both 34, stole data and deleted databases minutes after they were fired from their contractor roles. The incident impacted multiple government agencies, including the IRS and DHS. Bloomberg reported in May that the contractor is a software company named Opexus. “Many of these databases contained records and documents related to Freedom of Information Act matters administered by federal government departments and agencies, as well as sensitive investigative files of federal government components,” the DoJ said. The brothers allegedly asked an artificial intelligence tool how to clear system logs of their actions. In June 2015, the twin brothers were sentenced to several years in prison for conspiracy to commit wire fraud, conspiracy to access a protected computer without authorization, and conspiracy to access a government computer without authorization. They were rehired as government contractors after serving their sentences. Muneeb Akhter faces a maximum penalty of up to 45 years in prison, whereas Sohaib Akhter could get up to six years.
• U.K. NCSC Debuts Proactive Notifications — The U.K.’s National Cyber Security Center (NCSC) announced the testing phase of a new service called Proactive Notifications, designed to inform organizations in the country of vulnerabilities present in their environment. The service is delivered through cybersecurity firm Netcraft and is based on publicly available information and internet scanning. “This notification is based on scanning open source information, such as publicly available software versions,” NCSC said. “The service was launched to responsibly report vulnerabilities to system owners to help them protect their services.”
• FinCEN Ransomware Trend Analysis Reveals Drop in Payments — According to a new analysis released by the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN), ransomware incidents reported to the authority decreased in 2024, with 1,476 incidents following law enforcement’s disruption of two high-profile ransomware groups, BlackCat and LockBit. Financial institutions paid $734 million to ransomware gangs, down from $1.1 billion in 2023. “The median amount of a single ransomware transaction was $124,097 in 2022; $175,000 in 2023; and $155,257 in 2024,” FinCEN said. “Between 2022 and 2024, the most common payment amount range was below $250,000.” More than $2.1 billion was paid to ransomware groups between 2022 and 2024, with about $1.1 billion paid in 2023 alone. Akira led with the highest number of reported incidents, at 376, but BlackCat received the highest amount in payments, at approximately $395.3 million.
• Bangladeshi Student Behind New Botnet — A student hacker from Bangladesh is assessed to be behind a new botnet targeting WordPress and cPanel servers. “The perpetrator is using a botnet panel to distribute newly compromised websites to buyers, primarily Chinese threat actors,” Cyderes said. “The sites were primarily compromised via misconfigured WordPress and cPanel instances.” Some of the compromised websites are injected with a PHP-based web shell known as Beima PHP and leased to other threat actors for anywhere between $3 to $200. The PHP backdoor script is designed to provide remote control over a compromised web server, allowing an attacker to manipulate files, inject arbitrary content, and rename files. The government and education sectors are the primary targets of this campaign, accounting for 76% of the compromised websites for sale. The college student claimed he is selling access to over 5,200 compromised websites through Telegram to pay for his education. Most of the operation’s customers are Chinese threat actors.
• U.S. State Department Offers $10m Reward for Iranian Hacker Duo — The U.S. State Department announced a $10 million reward for two Iranian nationals linked to Iran’s cyber operations. Fatemeh Sedighian Kashi and Mohammad Bagher Shirinkar allegedly work for a company named Shahid Shushtari that operates with Iran’s Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC). “Shahid Shushtari members have caused significant financial damage and disruption to U.S. businesses and government agencies through coordinated cyber and cyber-enabled information operations,” the State Department said. “These campaigns have targeted multiple critical infrastructure sectors, including news, shipping, travel, energy, financial, and telecommunications in the United States, Europe, and the Middle East.” The front company has also been linked to a multi-faceted campaign targeting the U.S. presidential election in August 2020.
• New Arkanix and Sryxen Stealers Spotted — Two new information stealers, Arkanix and Sryxen, are being marketed as a way to steal sensitive data and make short-term, quick financial gains. “Written in C++, [Sryxen] combines DPAPI decryption for traditional browser credentials with a Chrome 127+ bypass that sidesteps Google’s new App-Bound Encryption – by simply launching Chrome headlessly and asking it to decrypt its own cookies via DevTools Protocol,” DeceptIQ said. “The anti-analysis is ‘more sophisticated’ than most commodity stealers: VEH-based code encryption means the main payload is garbage at rest, only decrypted during execution via exception handling.” The disclosures coincide with a campaign codenamed AIRedScam that uses booby-trapped AI tools shared on GitHub to deliver SmartLoader and other infostealers. “What sets AIRedScam apart is its choice in targeting Offensive Cybersecurity professionals looking for tools that can automate their enumeration and recon,” UltraViolet Cyber said.
• FBI Warns of Virtual Kidnapping Ransom Scams — The U.S. Federal Bureau of Investigation (FBI) warned that scammers are demanding ransoms in fake kidnapping schemes that alter photos found on social media or other publicly available sites to use as fake proof-of-life photos. “Criminal actors typically will contact their victims through text message, claiming they have kidnapped their loved one and demand a ransom be paid for their release,” the FBI said. “The criminal actors pose as kidnappers and provide seemingly real photos or videos of victims along with demands for ransom payments. Criminal actors will sometimes purposefully send these photos using timed message features to limit the amount of time victims have to analyze the images.”
• Russian Hackers Spoof European Security Events in Phishing Wave — Threat actors from Russia have continued to heavily target both Microsoft and Google environments by abusing OAuth and Device Code authentication workflows to phish credentials from end users. “These attacks involved the creation of fake websites masquerading as legitimate international security events taking place in Europe, with the aim of tricking users who registered for these events into granting unauthorized access to their accounts,” Volexity said. What’s notable about the new wave is that the attackers offer to provide “live support” to targeted users via messaging apps like Signal and WhatsApp to ensure they correctly return the URL, in the case of OAuth phishing workflows. The campaigns, a continuation of prior waves detected earlier this year, have been attributed to a cyber espionage group known as UTA0355.
• Shanya PaaS Fuels New Attacks — A packer-as-a-service (PaaS) offering known as Shanya has taken over the role previously played by HeartCrypt to decrypt and load a malicious program capable of killing endpoint security solutions. The attack leverages a vulnerable legitimate driver (“ThrottleStop.sys”) and a malicious unsigned kernel driver (“hlpdrv.sys”) to achieve its goals. “The user mode killer searches the running processes and installed services,” Sophos researchers Gabor Szappanos and Steeve Gaudreault said. “If it finds a match, it sends a kill command to the malicious kernel driver. The malicious kernel driver abuses the vulnerable clean driver, gaining write access that enables the termination and deletion of the processes and services of the protection products.” The first deployment of the EDR killer is said to have occurred near the end of April 2025 in a Medusa ransomware attack. It has since been put to use in multiple ransomware operations, including Akira, Qilin, and Crytox. The packer has also been employed to distribute CastleRAT as part of a Booking.com-themed ClickFix campaign.

****🎥 Cybersecurity Webinars****

• How to Detect Hidden Risks in AWS, AI, and Kubernetes — Before Attackers Do: Cloud threats are getting smarter—and harder to see. Join our experts to learn how code-to-cloud detection reveals hidden risks across identities, AI, and Kubernetes, helping you stop attacks before they reach production.
• Learn How Top Teams Secure Cloud Infrastructure While Staying Fully Compliant: Securing cloud workloads isn’t just defense — it’s about enabling innovation safely. Learn practical, proven ways to strengthen access control, maintain compliance, and protect infrastructure without slowing agility.

****🔧 Cybersecurity Tools****

• RAPTOR — It is an open-source AI-powered security tool that automates code scanning, fuzzing, vulnerability analysis, exploit generation, and OSS forensics. It’s useful when you need to quickly test software for bugs, understand whether a vulnerability is real, or gather evidence from a public GitHub repo. Instead of running many separate tools, RAPTOR chains them together and uses an AI agent to guide the process.
• Google Threat Intelligence Browser Extension — For security analysts and threat researchers: highlights suspicious IPs, URLs, domains, and file hashes directly in your browser. Get instant context, investigate without switching tabs, track threats, and collaborate — all while staying protected. Available for Chrome, Edge, and Firefox.

Disclaimer: These tools are for learning and research only. They haven’t been fully tested for security. If used the wrong way, they could cause harm. Check the code first, test only in safe places, and follow all rules and laws.

****Conclusion****

Each story this week points to the same truth: the line between innovation and exploitation keeps getting thinner. Every new tool brings new risks, and every fix opens the door to the next discovery. The cycle isn’t slowing — but awareness, speed, and shared knowledge still make the biggest difference.

Stay sharp, keep your systems patched, and don’t tune out the quiet warnings. The next breach always starts small.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.