Anomali Cyber Watch: OWASP Agentic AI, MongoBleed, WebRAT Malware, and more

<h2 id="article-1"><a href="https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/" target="_blank" rel="noopener noreferrer">Real-World Attacks Behind OWASP Agentic AI Top 10 </a></h3> <p>(published: December 29, 2025)</p> <p> OWASP has released the first Top 10 for Agentic Applications 2026, a security framework focused on autonomous AI agents that can plan, delegate, and execute actions across systems. Unlike traditional AI models, agentic systems introduce compounding risk through autonomy, tool orchestration, and inter-agent trust. The Top 10 reflects real-world incidents already observed, including agent goal hijacking via indirect prompt injection, misuse of overprivileged tools, poisoned agent supply chains, unexpected code execution, memory and context poisoning, and cascading failures across multi-agent workflows. OWASP highlights that these failures often bypass conventional security controls because agents act with delegated authority and persist state across tasks. The framework is designed to give defenders a practical taxonomy to identify, prioritize, and mitigate agent-specific threats as organizations move AI agents from experimentation into production environments.</p><p><b>Analyst Comment:</b> The real value of the OWASP Agentic AI Top 10 is that it gives defenders a practical lens for action, not just awareness. It allows teams to stop treating AI incidents as isolated model failures and instead recognize repeatable patterns of abuse across autonomy, tools, identity, and trust. Defenders can use this framework to inventory where agentic behavior exists, map each agent’s permissions and dependencies, and identify where excessive autonomy or implicit trust creates silent risk. Just as importantly, it helps security teams explain these risks to engineers and leadership using a shared language grounded in real incidents.<br> </p> <h2 id="article-1"><a href="https://www.securityweek.com/fresh-mongodb-vulnerability-exploited-in-attacks/" target="_blank" rel="noopener noreferrer">MongoDB Memory Leak Vulnerability “MongoBleed” Actively Exploited </a></h3> <p>(published: December 29, 2025)</p> <p> A high-severity vulnerability in MongoDB Server, tracked as CVE-2025-14847, is being actively exploited to exfiltrate sensitive data directly from server memory. The flaw stems from improper handling of malformed zlib-compressed network messages, which can cause MongoDB to return uninitialized heap memory to a remote, unauthenticated attacker. This memory disclosure may expose credentials, authentication tokens, internal configuration details, and other sensitive artifacts without requiring valid access. Public proof-of-concept exploit code is available, and real-world exploitation has been observed, prompting inclusion of the vulnerability in CISA’s Known Exploited Vulnerabilities catalog. Researchers estimate that tens of thousands of MongoDB instances may be exposed, particularly those directly accessible from the internet. MongoDB has released patches addressing the issue and advises organizations to update immediately, disable zlib compression where patching is not yet possible, and restrict unnecessary external access to database services.</p><p><b>Analyst Comment:</b> This vulnerability should be treated as an immediate patching priority because it enables remote, unauthenticated memory disclosure with active exploitation already observed. Public exploit code significantly increases the likelihood of opportunistic scanning against any exposed MongoDB service. Defenders should focus first on identifying all MongoDB deployments and validating which instances are externally reachable, as exposure alone determines risk. Where patching cannot be completed immediately, disabling zlib compression provides a meaningful temporary mitigation by removing the vulnerable code path. Network-level restrictions that limit database access to trusted hosts are also critical. The key defensive takeaway is that authentication does not mitigate this issue. If the service is reachable, sensitive data may already be at risk, making rapid remediation and exposure reduction essential.</p><p><b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10012">T1190 - Exploit Public-Facing Application</a> | <a href="https://ui.threatstream.com/attackpattern/9593">T1552 - Unsecured Credentials</a> | <a href="https://ui.threatstream.com/attackpattern/9802">T1005 - Data From Local System</a><br> </p> <h2 id="article-1"><a href="https://www.bleepingcomputer.com/news/security/webrat-malware-spread-via-fake-vulnerability-exploits-on-github/" target="_blank" rel="noopener noreferrer">WebRAT Malware Spread via Fake GitHub Proof of Concept Exploits</a></h3> <p>(published: December 23, 2025)</p> <p> Researchers have identified an active malware campaign distributing the WebRAT remote access trojan through fake proof of concept exploit code hosted on GitHub. The repositories falsely claim to exploit recently disclosed or high profile vulnerabilities, deliberately targeting developers, security researchers, and administrators searching for functional PoC code. In reality, the projects contain malicious Java components that install WebRAT when compiled or executed. Once deployed, WebRAT enables remote command execution, credential theft, keystroke logging, webcam access, and persistent access across Windows, Linux, and macOS systems. Additional reporting shows WebRAT has previously been distributed through cracked software, game cheats, and pirated applications, indicating operators reuse social engineering driven delivery methods rather than relying on real software flaws. GitHub has removed multiple malicious repositories, but clones and reuploads continue to surface, highlighting the effectiveness of fake exploit PoCs as a low effort, high trust infection vector.</p><p><b>Analyst Comment:</b> This campaign works because it exploits human behavior rather than technical weakness. By presenting malware as legitimate vulnerability research, the actors prey on urgency, curiosity, and professional trust, particularly among developers and security teams who are accustomed to testing PoC code quickly. The key risk is not the exploit itself, but the assumption that code shared on trusted platforms is inherently safe. Defenders should treat unverified PoCs as untrusted software, enforce isolated research environments, and avoid running exploit code on primary or privileged systems. This activity reinforces the need to apply the same caution and execution controls to research workflows as to any other unknown code, especially when it claims to exploit high profile vulnerabilities.</p><p><b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/9612">T1204 - User Execution</a> | <a href="https://ui.threatstream.com/attackpattern/9585">T1059 - Command And Scripting Interpreter</a> | <a href="https://ui.threatstream.com/attackpattern/9673">T1056 - Input Capture</a> | <a href="https://ui.threatstream.com/attackpattern/9842">T1125 - Video Capture</a> | <a href="https://ui.threatstream.com/attackpattern/9714">T1071 - Application Layer Protocol</a><br> </p> <h2 id="article-1"><a href="https://thehackernews.com/2026/01/cybercriminals-abuse-google-cloud-email.html" target="_blank" rel="noopener noreferrer">Trusted Cloud Automation Weaponized for Credential Phishing</a></h3> <p>(published: January 2, 2026)</p> <p> Cybersecurity researchers have identified a large-scale phishing campaign that abused Google Cloud Application Integration workflows to deliver emails that appeared fully legitimate. Attackers leveraged the platform’s built-in automation to send messages from the trusted address noreply-application-integration@google[.]com, enabling the emails to pass SPF, DKIM, and DMARC checks and evade common secure email gateways. The lures impersonated routine business notifications such as voicemail alerts, document shares, and access requests. Embedded links led to attacker-controlled pages hosted on Google infrastructure, where victims were routed through a fake CAPTCHA step before being redirected to a spoofed Microsoft login page designed to harvest credentials. The activity affected organizations across multiple regions and sectors, including technology, manufacturing, finance, and retail. Google has since disabled the abused workflows and implemented additional safeguards to prevent further misuse.</p><p><b>Analyst Comment:</b> While Google’s response has disrupted this specific activity, the broader risk remains. This campaign demonstrates how legitimate cloud automation features can be repurposed to deliver high-trust phishing that bypasses both technical controls and human skepticism. By embedding lures into familiar notification workflows and closely mirroring Google’s formatting and language, the emails prompt habitual, task-driven responses rather than deliberate evaluation. The key intelligence insight is that modern phishing increasingly succeeds by exploiting procedural trust, not technical weaknesses. Defenders should anticipate continued abuse of trusted SaaS automation and prioritize detection of context mismatches, unexpected credential prompts, and automation-generated messages that subtly deviate from normal business behavior, rather than relying on sender reputation alone.</p><p><b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10028">T1566.002 - Phishing: Spearphishing Link</a> | <a href="https://ui.threatstream.com/attackpattern/9615">T1204.002 - User Execution: Malicious File</a> | <a href="https://ui.threatstream.com/attackpattern/10088">T1556.003 - Modify Authentication Process: Pluggable Authentication Modules</a> | <a href="https://ui.threatstream.com/attackpattern/9975">T1078.004 - Valid Accounts: Cloud Accounts</a><br> <b>Target Industry:</b> Technology , Manufacturing , Financial services , Retail<br> <b>Target Region:</b> Americas<br> </p> <h2 id="article-1"><a href="https://thehackernews.com/2025/12/new-macsync-macos-stealer-uses-signed.html" target="_blank" rel="noopener noreferrer">MacSync macOS Stealer Evolves to Abuse Code Signing and Swift Execution </a></h3> <p>(published: December 24, 2025)</p> <p> Researchers have identified an evolved variant of the MacSync macOS information stealer that abuses Apple’s code signing and notarization process to evade built-in security controls. Analysis shows the malware is delivered as a signed Swift-based application embedded within a disk image that appears legitimate to users and security mechanisms alike. Once launched, the application silently executes a secondary script that downloads and deploys the MacSync payload without requiring drag-to-terminal or manual user interaction, marking a shift away from overt social engineering. The malware is a rebrand of the earlier Mac.c stealer and has expanded beyond credential theft to support remote command execution and broader system reconnaissance. Apple has since revoked the abused certificate, but the campaign demonstrates how trusted developer workflows can be repurposed to bypass macOS defenses.</p><p><b>Analyst Comment:</b> The removal of obvious social engineering steps significantly lowers user suspicion, transforming routine actions such as opening a signed installer into silent compromise points. Even though the abused certificate has been revoked, the tactic itself remains highly effective and easily repeatable. The core risk for defenders is over-reliance on platform trust signals, which attackers have shown can be weaponized at scale through legitimate developer workflows. Signed and notarized software can still execute malicious logic once launched, particularly when it retrieves secondary payloads or executes scripts at runtime. Effective defense therefore requires shifting attention away from installer reputation and toward post-execution visibility, with a focus on abnormal child process creation, unexpected script execution, and outbound network activity originating from applications that appear legitimate.</p><p><b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/9615">T1204.002 - User Execution: Malicious File</a> | <a href="https://ui.threatstream.com/attackpattern/9585">T1059 - Command And Scripting Interpreter</a> | <a href="https://ui.threatstream.com/attackpattern/9834">T1106 - Native Api</a> | <a href="https://ui.threatstream.com/attackpattern/9596">T1553.002 - Subvert Trust Controls: Code Signing</a> | <a href="https://ui.threatstream.com/attackpattern/9715">T1071.001 - Application Layer Protocol: Web Protocols</a> | <a href="https://ui.threatstream.com/attackpattern/9956">T1082 - System Information Discovery</a><br> </p> <h2 id="article-1"><a href="https://www.bleepingcomputer.com/news/security/hackers-claim-resecurity-hack-firm-says-it-was-a-honeypot/" target="_blank" rel="noopener noreferrer">Claimed Resecurity Breach Turns Out to Be Honeypot Trap </a></h3> <p>(published: January 3, 2026)</p> <p> Threat actors operating under the name Scattered Lapsus$ Hunters publicly claimed to have breached U.S. cybersecurity firm Resecurity, alleging theft of internal data including employee records, client information, and threat intelligence. Early speculation linked the activity to ShinyHunters, however the group has denied involvement. The actors shared screenshots on Telegram to support the claim. Resecurity has denied any compromise of production systems, stating the activity occurred within a controlled deception environment designed to appear operationally realistic. According to the company, the environment was populated with synthetic data and deployed as part of an active defense strategy to observe adversary behavior. Resecurity reported detecting unauthorized access attempts in late November 2025 and monitoring continued automated activity through December, allowing collection of attacker infrastructure and tradecraft. The firm maintains there is no evidence of real customer or employee data exposure, and that the incident represents a monitored intrusion into a purpose-built honeypot rather than a confirmed breach.</p><p><b>Analyst Comment:</b> This incident is important less for the breach claim itself and more for what it demonstrates about modern defensive advantage. By using a realistic honeypot populated with synthetic data, Resecurity was able to safely observe sustained attacker behavior, including large-scale automated exfiltration attempts and proxy infrastructure failures that briefly exposed real IP addresses. That kind of telemetry is rarely available during short-lived intrusions and is far more valuable than a simple block-and-move-on response. For defenders, the lesson is clear: deception environments can turn intrusion attempts into intelligence opportunities. Monitoring automation patterns, proxy misuse, and error conditions provides reusable detection logic that applies beyond a single incident. More broadly, this case reinforces the need to treat early breach claims and screenshots with caution, as mature defenders increasingly deploy environments designed to mislead attackers rather than immediately eject them.</p><p><b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/9617">T1041 - Exfiltration Over C2 Channel</a> | <a href="https://ui.threatstream.com/attackpattern/9628">T1090 - Proxy</a><br> </p> <h2 id="article-1"><a href="https://www.securityweek.com/two-us-cybersecurity-pros-plead-guilty-over-ransomware-attacks/ " target="_blank" rel="noopener noreferrer">Cybersecurity Professionals Sentenced for Enabling Ransomware Attacks</a></h3> <p>(published: January 2, 2026)</p> <p> Two U.S.-based cybersecurity professionals have pleaded guilty and received custodial sentences for their direct involvement in ransomware attacks, according to court records cited by SecurityWeek. The individuals admitted to abusing their technical expertise and trusted access to assist ransomware operations, including helping deploy malware, facilitating unauthorized access to victim networks, and supporting data theft used for extortion. Prosecutors detailed how their actions materially enabled attacks against multiple organizations, causing significant financial and operational harm. As part of the sentencing, the defendants were ordered to serve prison terms and pay restitution, reflecting the seriousness with which U.S. courts are now treating insider-enabled cybercrime. The case marks a notable escalation in legal consequences for security professionals who cross from defense into active participation in criminal activity.</p><p><b>Analyst Comment:</b> This case reinforces a hard truth in cybersecurity: technical skill can create a dangerous sense of confidence when it is misapplied. These individuals were not careless. They deliberately used professional knowledge gained in trusted roles to make ransomware attacks more effective. That expertise reduces friction for attackers, shortens intrusion timelines, and weakens safeguards by design. However, the same knowledge that enables sophisticated attacks also leaves identifiable traces. Financial activity, access patterns, and investigative correlation consistently expose misuse over time. Overconfidence in one’s ability to manage or conceal that risk is often the point of failure. For defenders and practitioners alike, the message is clear. Cybersecurity is a position of trust, not immunity. Using that knowledge for harm is not a gray area, and it is increasingly difficult to escape accountability. <br> </p> <h2 id="article-1"><a href="https://www.bleepingcomputer.com/news/google/google-is-testing-a-new-image-ai-and-its-going-to-be-its-fastest-model/" target="_blank" rel="noopener noreferrer">Google Tests Nano Banana 2 Flash as Its Fastest Image AI Model </a></h3> <p>(published: January 2, 2026)</p> <p> Google is testing a new image generation model known as Nano Banana 2 Flash, positioning it as the fastest image AI it has developed to date. According to early details, the model is designed to prioritize speed and lower cost while still delivering high quality image generation, making it suitable for rapid creative workflows and large scale use. Nano Banana 2 Flash is expected to be a more streamlined alternative to the existing Nano Banana Pro model, with performance optimizations aimed at real time or near real time image creation. The testing phase suggests Google is exploring broader deployment scenarios, potentially integrating the model into consumer facing tools and developer platforms. This move reflects a wider industry trend toward faster, more accessible generative image models that reduce latency and infrastructure overhead while expanding the availability of advanced image synthesis capabilities.</p><p><b>Analyst Comment:</b> Obviously, image generation models are not inherently malicious. However, tracking the release and testing of faster generative models is valuable intelligence in itself. Advances like Nano Banana 2 Flash can act as an early signal for shifts in how visual content may be abused at scale. Reduced cost and near real time image creation lower friction for producing convincing synthetic images, which historically correlates with increased experimentation by threat actors. For organizations, this matters less because of the technology itself and more because of how quickly it can be operationalized. As generation becomes faster and more accessible, visual artifacts such as screenshots, profile images, and identity photos become easier to fabricate on demand. Awareness of these capability milestones allows defenders to anticipate potential upticks in image based social engineering and adjust verification and training practices before abuse becomes widespread.<br> </p> <h2 id="article-1"><a href="https://cyberwarzone.com/2026/01/04/rondodox-botnet-exploits-react2shell-cvss-10-0-to-hijack-90300-iot-devices-and-web-servers/" target="_blank" rel="noopener noreferrer">RondoDox Botnet Exploits React2Shell to Hijack 90,000+ Systems</a></h3> <p>(published: January 4, 2026)</p> <p> A persistent botnet campaign named RondoDox, active for roughly nine months, has been observed exploiting a critical remote code execution flaw called React2Shell (CVE-2025-55182, CVSS 10.0) in React Server Components and Next.js to compromise Internet of Things (IoT) devices and web servers. As of late December 2025, more than 90,300 exposed systems remain vulnerable globally, with a significant concentration in the United States. The threat actors behind RondoDox have adapted their operations over time, adding multiple vulnerabilities to their exploitation arsenal and automating scanning and payload deployment. Once a device or server is breached, the botnet installs cryptocurrency miners and botnet loaders, often terminating competing malware to maintain persistence. Public telemetry shows rapid weaponization of React2Shell shortly after its disclosure, highlighting the speed at which critical flaws are adopted in the wild.</p><p><b>Analyst Comment:</b> What stands out here is how routine this exploitation has become. RondoDox is not carefully choosing targets or waiting for mistakes. It is constantly scanning the internet and exploiting whatever is exposed as soon as a new flaw becomes public. Once React2Shell was disclosed, vulnerable systems were found and compromised at scale with little delay. If a service is internet facing and unpatched, it will be found. The most effective response is shortening exposure windows through fast patching, keeping a clear inventory of public-facing systems, and watching for post-compromise signals like new persistence mechanisms or unusual outbound traffic, where detection is still possible.</p><p><b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10161">T1595 - Active Scanning</a> | <a href="https://ui.threatstream.com/attackpattern/10012">T1190 - Exploit Public-Facing Application</a> | <a href="https://ui.threatstream.com/attackpattern/9638">T1105 - Ingress Tool Transfer</a> | <a href="https://ui.threatstream.com/attackpattern/10023">T1496 - Resource Hijacking</a><br> <b>Target Region:</b> Americas<br> <b>Target Country:</b> United states<br> </p> <h2 id="article-1"><a href="https://cyberwarzone.com/2026/01/04/n8n-cve-2025-68613-expression-injection-enables-arbitrary-code-execution-on-103476-workflow-automation-instances/ " target="_blank" rel="noopener noreferrer">Critical n8n Expression Injection Leads to Arbitrary Code Execution</a></h3> <p>(published: January 4, 2026)</p> <p> A critical security flaw, tracked as CVE-2025-68613 and rated CVSS 9.9, has been identified in the n8n workflow automation platform. The vulnerability stems from insufficient isolation in the workflow expression evaluation engine, allowing authenticated users to inject expressions that escape sandbox boundaries and execute arbitrary code with the privileges of the n8n process. This issue affects versions from 0.211.0 through 1.120.3 and has been patched in later releases (1.120.4, 1.121.1, 1.122.0). Internet scans estimate over 100,000 exposed instances globally, creating a significant attack surface. Exploitation could lead to full instance compromise, unauthorized data access, modification of automation logic, and potential lateral movement into integrated systems. </p><p><b>Analyst Comment:</b> This vulnerability is less about a single flawed function and more about where n8n sits in the environment. Workflow automation platforms are often trusted bridges between systems, holding API keys, credentials, and logic that touches core business processes. When expression handling breaks isolation, that trust becomes an attack path. Defenders should assume that any compromised n8n account with edit rights can translate into host-level execution and downstream access to integrated services. Patching is urgent, but it should be paired with a review of who can author or modify workflows, validation of existing automation logic, and tighter runtime isolation. </p><p><b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/9870">T1078 - Valid Accounts</a> | <a href="https://ui.threatstream.com/attackpattern/9585">T1059 - Command And Scripting Interpreter</a> | <a href="https://ui.threatstream.com/attackpattern/10093">T1068 - Exploitation For Privilege Escalation</a> | <a href="https://ui.threatstream.com/attackpattern/9593">T1552 - Unsecured Credentials</a> | <a href="https://ui.threatstream.com/attackpattern/9604">T1021 - Remote Services</a><br> </p>