Anomali Cyber Watch: React and Next.js RCE Vulnerabilities, "Evil Twin" Wifi Networks, Record 29.7 Tbps DDoS Attack, and More


Critical React and Next.js RCE Vulnerabilities (CVE-2025-55182 and CVE-2025-66478)
(published: December 5, 2025)
Two related remote code execution vulnerabilities have been disclosed in React Server Components and the frameworks that integrate them. CVE-2025-55182 affects the React Server Components packages themselves (react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack) and arises from unsafe deserialization in the Flight protocol that carries server component data. CVE-2025-66478 was initially assigned to track the same flaw in Next.js, which bundles the vulnerable React server packages, but has since been rejected as a duplicate of CVE-2025-55182. An unauthenticated attacker can send a single crafted HTTP request that executes attacker-supplied JavaScript on the server, and default configurations are affected. React has issued patched versions 19.0.1, 19.1.2 and 19.2.1, and Next.js has released updated builds (16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9 and 15.0.5) that remove the vulnerable code path. Proof-of-concept exploits are publicly available, which increases the likelihood of opportunistic scanning and automated exploitation. Immediate upgrades and server-side audit reviews are strongly advised.
Analyst Comment: The most important insight here is that a single design flaw in React's server-side architecture silently placed thousands of Next.js applications at risk, even for teams that never intended to use Server Components. The attack requires nothing more than an unauthenticated HTTP request, so exploitation is trivial, and the publication of proof-of-concept code will accelerate broad Internet scanning. The strongest defensive move is rapid patching, since the updated React and Next.js releases fully remediate the issue. Every organization should inventory its React and Next.js workloads, confirm that CI pipelines are shipping patched builds, and review server logs for unusual Flight protocol requests.
MITRE ATT&CK: T1190 - Exploit Public-Facing Application | T1059 - Command And Scripting Interpreter
Australian Man Sentenced for Operating Rogue “Evil Twin” Wi-Fi Networks
(published: December 1, 2025)
A 44-year-old Australian man was sentenced to seven years in prison after admitting to deploying “evil twin” Wi-Fi networks to steal credentials and intimate images from women across multiple airports and domestic flights. Australian Federal Police reported that he used a portable Wi-Fi Pineapple to mimic legitimate access points and divert victims to fraudulent login pages. Investigators discovered thousands of stolen images, videos, and account details, along with records of malicious activity in Perth, Melbourne, and Adelaide. After his arrest, he attempted to delete stored data, remotely wipe his phone, and access online meetings between his employer and police about the investigation. Authorities warned the public to avoid open networks that request personal details and advised the use of VPNs on unsecured Wi-Fi.
Analyst Comment: This case is a reminder that Wi-Fi attacks never went away. Evil twin setups remain cheap, portable, and trivial to operate, and a Wi-Fi Pineapple is only one of many devices an attacker can use. Anyone with basic knowledge can build a less conspicuous rig from off-the-shelf components and run the same playbook in crowded spaces where users rely on auto-connect and assume familiar network names are safe. We rarely hear about these incidents, yet this sentencing shows they continue to happen and can persist for long periods without detection. Defenders and everyday users should treat all open Wi-Fi as untrusted and recognize that proximity-based attacks thrive on convenience, not technical sophistication.
MITRE ATT&CK: T1185 - Man In The Browser | T1557 - Man-In-The-Middle | T1110 - Brute Force | T1114 - Email Collection | T1115 - Clipboard Data | T1530 - Data From Cloud Storage Object | T1005 - Data From Local System | T1070 - Indicator Removal On Host | T1070.004 - Indicator Removal on Host: File Deletion | T1070.005 - Indicator Removal on Host: Network Share Connection Removal | T1105 - Ingress Tool Transfer | T1531 - Account Access Removal
Lazarus APT Fake Remote Worker Scheme Exposed
(published: December 2, 2025)
A joint investigation by BCA LTD, NorthScan and ANY.RUN exposed a covert infiltration program operated by Lazarus Group’s Famous Chollima unit. Researchers built long running sandbox laptops and tricked Lazarus recruiters into believing they belonged to real developers. The attackers used fake job offers, identity theft, AI assisted interview processes and staged onboarding to embed North Korean IT workers inside Western companies. Once hired, these operators worked inside what they believed were legitimate corporate environments while investigators observed their activity in real time. The campaign targeted finance, cryptocurrency, healthcare and engineering sectors and relied on social engineering and operational discipline rather than traditional malware.
Analyst Comment: The important insight here is that Lazarus did not compromise networks through exploits or malware. They compromised companies by getting hired. This shifts the threat model entirely because it turns recruitment, identity verification and remote-worker onboarding into active attack surfaces. The operators behaved like normal staff, which means traditional detection controls would have seen nothing unusual. For defenders, the path forward is clear. Treat the hiring pipeline as a security boundary, verify identities with rigor, limit early access privileges and monitor new contractors or developers more closely during their first weeks. This campaign proves that well crafted social engineering can place an adversary inside your environment without a single malicious file. The organizations that adapt their defensive mindset to include people, process and access governance will be the ones best positioned to spot this tactic before it becomes entrenched.
MITRE ATT&CK: T1589 - Gather Victim Identity Information | T1586.001 - Compromise Accounts: Social Media Accounts | T1566 - Phishing | T1078 - Valid Accounts | T1036 - Masquerading | T1102 - Web Service
Target Industry: Financial services, Technology, Healthcare, Engineering, Cryptocurrency
Target Region: Europe
Source Country: Korea, Democratic People's Republic of
Source Region: Asia
Iran’s MuddyWater Uses Snake Game Loader To Deploy MuddyViper Backdoor
(published: December 2, 2025)
Iran-aligned espionage group MuddyWater is using a new toolkit that pairs a Snake-themed loader called Fooder with a C/C++ backdoor named MuddyViper. Fooder is delivered via phishing PDFs that link to trojanized remote monitoring tools hosted on free file-sharing services; it then reflectively loads MuddyViper directly in memory, which avoids writing the payload to disk and hinders signature-based detection. The backdoor can collect system information, steal Windows and browser credentials, move files, run shell commands, and exfiltrate data. Reporting from ESET and others links this campaign to at least seventeen victims across Israeli critical infrastructure, technology, engineering, manufacturing, local government, university, transportation, and utility sectors, along with one technology organization in Egypt.
Analyst Comment: MuddyWater has rebuilt its tooling into a memory-only platform that hides behind something as ordinary as a support utility or a simple game. That shift makes their operations far more portable and far harder to detect, and it means defenders outside the Middle East should not treat this as a regional problem. The techniques scale to any environment where users can download remote tools and where monitoring stops at the file system. The real risk is not just the backdoor but the workflow it exploits, because poisoned IT tools are far more believable than malicious attachments. Organizations should view this as a warning that credential theft and quiet persistence are becoming easier for state actors and that behavioural and memory-level visibility is now essential rather than optional.
MITRE ATT&CK: T1566.001 - Phishing: Spearphishing Attachment | T1620 - Reflective Code Loading | T1059.003 - Command and Scripting Interpreter: Windows Command Shell | T1070.004 - Indicator Removal on Host: File Deletion | T1003 - OS Credential Dumping | T1555 - Credentials From Password Stores | T1082 - System Information Discovery | T1005 - Data From Local System | T1041 - Exfiltration Over C2 Channel
Target Industry: Infrastructure, Technology, Engineering, Manufacturing, Government local, Education, Transportation, Utilities
Target Region: Western Asia
Source Country: Iran, Islamic Republic of
Source Region: Western Asia
Aisuru Botnet Linked to Record 29.7 Tbps DDoS Attack
(published: December 5, 2025)
Cloudflare has attributed a record-breaking 29.7 Tbps distributed denial of service attack to the Aisuru botnet, a rapidly expanding operation built on compromised routers, VPN appliances, and unpatched IoT devices. The attack targeted an undisclosed organization with a short but intense traffic burst that briefly exceeded the previous record for observed DDoS volume. Cloudflare reports that Aisuru has grown by exploiting weak device credentials and known vulnerabilities, including flaws in popular small office hardware. The botnet uses highly optimized packet flooding techniques that generate extreme throughput from a modest device count, suggesting a scalable and ongoing threat. Recent events indicate that Aisuru operators are stress testing infrastructure providers and can rapidly shift targets across multiple regions.
Analyst Comment: Aisuru highlights two fronts that matter. Organizations need to plan for short, high-intensity DDoS bursts and ensure their defenses are tuned for rapid spikes rather than slow floods. Reviewing upstream mitigation, validating rate limits, and securing their own edge devices are the most effective levers they control. Home users sit at the other end of the equation, as their routers and IoT devices often become the raw material for botnets like Aisuru when left unpatched or running default settings. Simple steps such as firmware updates, password changes, and retiring unsupported hardware make a genuine difference. As security professionals, we also have a responsibility in shrinking that global attack surface by helping friends and family understand why their home devices matter. Raising awareness at that level is one of the few practical ways to reduce the pool of compromised systems that power attacks of this scale.
MITRE ATT&CK: T1190 - Exploit Public-Facing Application | T1078 - Valid Accounts | T1498.001 - Network Denial of Service: Direct Network Flood | T1584.005 - Compromise Infrastructure: Botnet | T1090 - Proxy | T1499 - Endpoint Denial Of Service | T1498 - Network Denial Of Service
BrickStorm Backdoor PRC Linked Stealth Malware
(published: December 4, 2025)
CISA, NSA and the Canadian Cyber Centre released Malware Analysis Report AR25-338A to publicly expose and blunt an active PRC espionage capability targeting VMware vSphere and Windows systems. The agencies analyzed eight BRICKSTORM samples and published the report specifically to equip defenders with the information needed to detect and disrupt ongoing intrusions. BRICKSTORM enables long-term persistence, credential theft, command execution, file manipulation, exfiltration and SOCKS proxying. It conceals its command and control traffic inside routine HTTPS, WebSocket and DNS over HTTPS flows, making it difficult for traditional monitoring to spot. The report provides indicators of compromise, YARA rules and Sigma detections so organizations can identify, hunt and report infections.
Analyst Comment: CISA did not publish this report for theoretical awareness. They released it because BRICKSTORM is active, stealthy and likely present in environments that have not yet detected it. The backdoor hides inside normal encrypted traffic, which means traditional perimeter tools are not enough to surface it. The most important action readers can take is to apply the supplied IOCs, YARA rules and Sigma detections and proactively hunt across VMware and Windows systems rather than waiting for alerts. The intelligence insight is simple but serious: this is an espionage tool designed to stay invisible, and the only way to break that advantage is deliberate investigation of outbound traffic and virtualization platforms. CISA’s disclosure is a signal that defenders should assume this capability is already in play and verify that their networks have not been silently compromised.
MITRE ATT&CK: T1053 - Scheduled Task/Job | T1555 - Credentials From Password Stores | T1059 - Command And Scripting Interpreter | T1082 - System Information Discovery | T1105 - Ingress Tool Transfer | T1071.001 - Application Layer Protocol: Web Protocols | T1071.004 - Application Layer Protocol: DNS | T1572 - Protocol Tunneling | T1090 - Proxy | T1041 - Exfiltration Over C2 Channel
Source Country: China
Source Region: Eastern Asia
WARP PANDA Linked to BRICKSTORM Deployments in VMware vCenter Intrusions
(published: December 5, 2025)
CrowdStrike reports that WARP PANDA, a newly identified China nexus espionage group, is responsible for multiple 2025 intrusions targeting VMware vCenter environments at US based organizations. Investigators observed the adversary deploying the BRICKSTORM backdoor, previously detailed by CISA as an active and stealthy capability, along with JSP web shells and two new ESXi implants named Junction and GuestConduit. WARP PANDA demonstrates strong operational discipline and extensive familiarity with virtualized and hybrid cloud environments, using stolen credentials and cloud aware tooling to pivot across infrastructure and maintain persistent access. CrowdStrike assesses that WARP PANDA’s operations form a coherent intrusion toolkit around VMware platforms, indicating that BRICKSTORM is part of a broader and more mature espionage program than previously documented.
Analyst Comment: WARP PANDA’s identification gives crucial context to the previous BRICKSTORM reporting. This means defenders should not only hunt for BRICKSTORM but also validate the integrity of their vCenter, ESXi, and identity pathways, since the group’s tooling is designed to blend into legitimate management activity. CrowdStrike notes that WARP PANDA maintains tight operational security, often staging credentials, tools, and cloud aware implants only when needed and removing traces to limit forensic visibility. That behavior signals an operator focused on long lasting access rather than rapid exploitation. The real insight is that VMware environments are now a targeted collection tier for PRC espionage, and traditional endpoint centric monitoring will not surface this activity.
MITRE ATT&CK: T1505.003 - Server Software Component: Web Shell | T1078 - Valid Accounts | T1021.001 - Remote Services: Remote Desktop Protocol | T1105 - Ingress Tool Transfer | T1548.003 - Abuse Elevation Control Mechanism: Sudo and Sudo Caching | T1573 - Encrypted Channel | T1071.004 - Application Layer Protocol: DNS | T1003.003 - OS Credential Dumping: NTDS | T1090 - Proxy
Target Region: Americas
Target Country: United States
Source Country: China
Source Region: Asia
Google Fixes 13 Chrome Security Issues Affecting Billions
(published: December 4, 2025)
Google has released Chrome 143 with patches for thirteen vulnerabilities that collectively impact billions of users. The update includes fixes for multiple high-severity flaws, including a V8 JavaScript engine type confusion bug (CVE-2025-13630), inappropriate implementation issues in Google Updater and DevTools, and a use-after-free flaw in Digital Credentials. Several issues allow attackers to gain elevated permissions or execute code after convincing a user to visit a malicious site. Independent researchers and Google's internal teams reported the bugs, with no confirmed exploitation at the time of publication. Google advises users to update Chrome to version 143.0.7499.40/41 (Windows/Mac) or 143.0.7499.40 (Linux) immediately, since the window before working exploits appear has historically closed quickly once technical details become public.
Analyst Comment: The real significance of this update cycle is how quickly these types of vulnerabilities become useful to attackers once patches are released. Even without confirmed exploitation, Chrome's high severity fixes create a predictable window where adversaries race to reverse engineer the updates and build working exploits. For defenders and everyday users, the most impactful action is simply to update promptly. A single unpatched Chrome install can become an easy entry point for opportunistic actors.
MITRE ATT&CK: T1189 - Drive-By Compromise | T1190 - Exploit Public-Facing Application | T1203 - Exploitation For Client Execution | T1068 - Exploitation For Privilege Escalation
DragonForce Cartel Expands Ransomware Operations With New Variant and Scattered Spider Integration
(published: December 4, 2025)
Researchers have detailed how DragonForce has transitioned into a ransomware cartel built on leaked Conti v3 code, giving affiliates customizable payloads, shared infrastructure, and an updated encryptor that fixes known weaknesses. The latest DragonForce variant incorporates MinGW-based builds and BYOVD capability using vulnerable drivers such as truesight.sys and rentdrv2.sys to disable security tools. The group’s operational impact is amplified through its partnership with Scattered Spider, which delivers highly effective initial access through phishing, vishing, SIM swaps, MFA fatigue, and cloud identity abuse. Once inside, Scattered Spider deploys RMM tools, enumerates AD and vCenter, aggregates data for exfiltration, and then hands off access for DragonForce ransomware deployment across Windows, Linux, and ESXi systems. More than 200 victims have been listed since 2023, and the cartel continues to absorb affiliates from related families such as Mamona, Global, and Devman.
Analyst Comment: The key concern for defenders is the combination of mature ransomware tooling with highly successful identity compromise tradecraft. DragonForce no longer relies on its own intrusion capability; its cartel model lets Scattered Spider handle access while affiliates execute ransomware quickly and at scale. Organizations should prioritize identity governance, strict MFA reset validation, monitoring for RMM misuse, and controls that detect or block BYOVD exploitation. Treating identity anomalies as early-stage ransomware indicators is now essential to preventing full compromise.
MITRE ATT&CK: T1566 - Phishing | T1598 - Phishing For Information | T1650 - Acquire Access | T1078 - Valid Accounts | T1204 - User Execution | T1068 - Exploitation For Privilege Escalation | T1562 - Impair Defenses | T1556 - Modify Authentication Process | T1087 - Account Discovery | T1083 - File And Directory Discovery | T1613 - Container And Resource Discovery | T1021 - Remote Services | T1530 - Data From Cloud Storage Object | T1041 - Exfiltration Over C2 Channel | T1486 - Data Encrypted For Impact
ShadyPanda Weaponises Trusted Browser Extensions into Spyware
(published: December 2, 2025)
A multi-year campaign by the threat actor ShadyPanda has turned once-trusted browser extensions for Google Chrome and Microsoft Edge into malware, impacting roughly 4.3 million users. These extensions, originally benign tools such as wallpaper utilities, productivity add-ons, and tab managers, accumulated millions of installs and carried “Featured” or “Verified” status for years. Starting in mid-2024, silent updates converted them into spyware and backdoors that exfiltrated browsing history, cookies, and user behavior and enabled remote code execution in the browser environment. The actor leveraged weaknesses in marketplace review processes, because only brand-new submissions receive strict scrutiny while updates often pass with minimal checks. Several extensions have now been removed, although some remained available in the Edge store in early December 2025.
Analyst Comment: The most important insight from this campaign is that long-trusted browser extensions can become malicious without any user action, simply through silent updates that escape marketplace scrutiny. This shifts the risk model entirely because the danger does not come from installing the wrong extension but from assuming that a previously safe one will stay that way. Defenders should treat extensions as continuously evolving software rather than set-and-forget utilities. Maintaining an inventory, enforcing allowlists, and monitoring permission or behavior changes can prevent this kind of delayed compromise from taking root.
MITRE ATT&CK: T1195 - Supply Chain Compromise | T1203 - Exploitation For Client Execution | T1056 - Input Capture | T1539 - Steal Web Session Cookie | T1217 - Browser Bookmark Discovery | T1041 - Exfiltration Over C2 Channel | T1036 - Masquerading | T1553 - Subvert Trust Controls | T1176 - Browser Extensions