Anomali Cyber Watch: SantaStealer Threat, Christmas Scams of 2025, React2Shell Exploit, Phishing via ISO, and more


SantaStealer Infostealer Threat Gains Traction in Underground Forums
(published: December 16, 2025)
A new malware-as-a-service (MaaS) infostealer dubbed SantaStealer has emerged in the cybercrime ecosystem, actively marketed on Telegram channels and underground forums. Researchers assess the malware as a rebranding of BluelineStealer, with operators advertising production readiness before year’s end. SantaStealer operates primarily in memory to evade traditional file-based detection and includes 14 modular data-collection components targeting browser data such as passwords, cookies, and credit cards, messaging platforms including Telegram, Discord, and Steam, local documents, screenshots, and cryptocurrency wallet credentials. Stolen data is compressed and exfiltrated in chunks to hardcoded command-and-control endpoints. While promoted as fully obfuscated and undetectable, leaked samples suggest limited anti-detection effectiveness. On December 16, Rapid7 reported that SantaStealer’s developers announced the stealer’s release, indicating it is now considered production-ready and likely to appear in active campaigns.
Analyst Comment: SantaStealer’s current risk lies less in confirmed impact and more in how it may be deployed as adoption begins. While large-scale campaigns have not yet been widely reported, the malware’s release marks a transition from development to operational use. The article notes that attackers increasingly favor ClickFix-style lures that rely on user interaction rather than exploit-based delivery, a trend that could align well with SantaStealer’s in-memory, modular design. Defenders should focus on early indicators of adoption, including social engineering-driven execution, abnormal credential access, and rapid post-compromise data exfiltration behavior.
MITRE ATT&CK: T1204.002 - User Execution: Malicious File | T1620 - Reflective Code Loading | T1027 - Obfuscated Files Or Information | T1082 - System Information Discovery | T1057 - Process Discovery | T1555 - Credentials From Password Stores | T1555.003 - Credentials from Password Stores: Credentials From Web Browsers | T1539 - Steal Web Session Cookie | T1005 - Data From Local System | T1113 - Screen Capture | T1119 - Automated Collection | T1213.005 - Data from Information Repositories: Messaging Applications | T1071.001 - Application Layer Protocol: Web Protocols | T1041 - Exfiltration Over C2 Channel | T1560 - Archive Collected Data
From Fake Deals to Phishing: The Most Effective Christmas Scams of 2025
(published: December 15, 2025)
Researchers have identified a significant uptick in holiday-themed scams this Christmas season, driven by automation and artificial intelligence. Researchers documented more than 33,500 Christmas-themed phishing emails in a two-week span and over 10,000 fraudulent social media ads being created daily, with attacks spanning emails, SMS, WhatsApp, and fake retail sites. AI-enhanced smishing that impersonates parcel delivery services (e.g., FedEx, UPS, Royal Mail) leads the charge, effectively harvesting credentials or payment data. Attackers also deploy entire fake e-commerce stores with AI chatbots and realistic checkout flows, along with social media "giveaway" schemes that coax victims into small fees for nonexistent prizes. Red flags include spoofed domains, unexpected urgent requests, and offers that seem too good to be true. Experts recommend verifying links through official channels and avoiding unsolicited requests for personal or financial information. Additional reports highlight a surge in malicious holiday phishing infrastructure and domain abuse across the same period.
Analyst Comment: AI is allowing attackers to mass-produce believable messages that abuse trust in delivery services, retailers, and seasonal promotions at exactly the moment people are most distracted. For defenders, this shifts the center of gravity away from pure detection and toward prevention through awareness. Technical controls will catch some activity, but many of these scams succeed before security tooling is ever in play. As security professionals, there is a responsibility to extend protection beyond the enterprise by actively warning family, friends, and non-technical colleagues about these tactics. Simple conversations about parcel lures, fake deals, and urgency cues can break attack chains early. During the holiday season, awareness is not supplemental defense; it is one of the most effective controls available.
React2Shell Exploitation Expands With New Payloads and Broader Targeting
(published: December 16, 2025)
Less than two weeks after initial disclosure, exploitation of the React Server Components remote code execution flaw known as React2Shell (CVE-2025-55182) is continuing to evolve. Recent reporting indicates a shift from early proof-of-concept abuse toward more diversified and sustained attack activity. Threat actors are now deploying a wider mix of payloads, including Linux backdoors, reverse proxy tooling, and custom post-exploitation implants, alongside previously observed cryptominers. Analysts report increased automation, with scanning infrastructure rapidly identifying exposed React and Next.js instances and delivering payloads within minutes of detection. Activity has also broadened across additional industry sectors, suggesting the vulnerability is now embedded in opportunistic exploitation toolkits rather than isolated campaigns. CISA's inclusion of CVE-2025-55182 in the Known Exploited Vulnerabilities catalog reinforces that exploitation is ongoing and operationally relevant. Organizations that delayed patching should assume heightened exposure and validate systems for signs of compromise beyond initial miner activity.
Analyst Comment: The intelligence value here is that React2Shell has settled into the attacker toolkit rather than faded out. Once exploitation becomes automated and payload-agnostic, the risk shifts from opportunistic noise to quiet follow-on access. The move toward backdoors and proxy tooling suggests some environments were exploited weeks ago and may still be compromised today. If React or Next.js services were internet-facing during the early disclosure window, assume exposure and hunt for persistence and unexpected outbound connections.
MITRE ATT&CK: T1190 - Exploit Public-Facing Application | T1059.004 - Command and Scripting Interpreter: Unix Shell | T1098.004 - Account Manipulation: Ssh Authorized Keys | T1036.005 - Masquerading: Match Legitimate Name Or Location | T1070.006 - Indicator Removal on Host: Timestomp | T1082 - System Information Discovery | T1083 - File And Directory Discovery | T1046 - Network Service Scanning | T1552.005 - Unsecured Credentials: Cloud Instance Metadata Api | T1090.002 - Proxy: External Proxy | T1572 - Protocol Tunneling | T1041 - Exfiltration Over C2 Channel | T1595.001 - Active Scanning: Scanning Ip Blocks
Russian Phishing Campaign Delivers Phantom Stealer via ISO Attachments
(published: December 15, 2025)
A phishing campaign tracked as Operation MoneyMount-ISO has been observed distributing the Phantom Stealer malware through malicious ISO file attachments, primarily targeting Russian-speaking organizations. The activity focuses on finance, accounting, and payment teams, using lures that impersonate bank transfer confirmations or invoice-related communications. Targets receive a ZIP archive containing an ISO image which, when mounted, exposes a Windows executable that initiates infection. This delivery method exploits weaker inspection of virtual disk images by email and endpoint security tools. Once executed, Phantom Stealer collects credentials from Chromium-based browsers, cryptocurrency wallets, messaging applications, and system clipboards, with stolen data exfiltrated via Telegram bots, Discord webhooks, or FTP servers. Reporting from multiple security vendors indicates the malware is positioned as a commodity infostealer rather than a bespoke espionage tool, highlighting its role in scalable cybercrime operations rather than targeted intrusion campaigns.
Analyst Comment: The key takeaway for defenders is that this campaign succeeds through delivery choice and workflow abuse, not technical sophistication. ISO files continue to sit in a gray zone for many email and endpoint controls, allowing a routine finance-themed lure to translate directly into execution. While current activity appears focused on Russian-speaking targets, this delivery model is language-agnostic and likely to be adopted more broadly if it continues to prove effective. Organizations should treat ISO attachments as high-risk executables, tighten monitoring around mounted media, and prioritize finance and accounting teams for both technical controls and targeted awareness, as closing these gaps will disrupt far more commodity infostealer activity than chasing new malware variants.
MITRE ATT&CK: T1566.001 - Phishing: Spearphishing Attachment | T1204.002 - User Execution: Malicious File | T1553.005 - Subvert Trust Controls: Mark-Of-The-Web Bypass | T1555 - Credentials From Password Stores | T1414 - Capture Clipboard Data | T1005 - Data From Local System | T1041 - Exfiltration Over C2 Channel
Target Industry: Financial services
Target Region: Europe
Target Country: Russian federation
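The delivery chain described above (ZIP wrapping an ISO that is inspected weakly by gateways) can be triaged by looking at content rather than extension. The following is an added example, not code from the campaign reporting or from any vendor: it identifies an ISO 9660 or UDF image by the volume descriptor identifiers at sector 16, descends into nested ZIPs, and flags password-protected members that a gateway cannot open. The finding strings, the sample ISO bytes and the sample ZIPs are all constructed for this example.

```python
"""Attachment triage: ZIP archives that wrap a disk image.

Added example, not from the campaign reporting: the signatures and finding
strings are this example's own. It identifies an ISO 9660 / UDF image by the
volume descriptor identifiers at sector 16 (byte offset 0x8000) instead of
trusting the file extension, descends into nested ZIPs, and flags
password-protected members, which a gateway cannot inspect at all.
"""
import io
import zipfile

ISO_SECTOR = 0x8000                       # volume descriptors start at sector 16
ISO_IDS = {b"CD001", b"BEA01", b"NSR02", b"NSR03", b"TEA01"}   # ISO 9660 + UDF VRS
ZIP_MAGIC = b"PK\x03\x04"


def looks_like_disk_image(data):
    """True if bytes 1..5 of sector 16 carry an ISO 9660 or UDF identifier."""
    return data[ISO_SECTOR + 1:ISO_SECTOR + 6] in ISO_IDS


def triage_attachment(name, data, depth=0, max_depth=3):
    """Return a list of finding strings for one attachment, recursing into ZIPs."""
    findings = []
    if looks_like_disk_image(data):
        findings.append(f"{name}: ISO/UDF disk image (signature at 0x{ISO_SECTOR:x})")
        if not name.lower().endswith((".iso", ".img", ".udf")):
            findings.append(f"{name}: extension does not match disk-image content")
        return findings
    if not data.startswith(ZIP_MAGIC):
        return findings
    if depth >= max_depth:
        return [f"{name}: ZIP nesting deeper than {max_depth}, not inspected"]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member = f"{name}/{info.filename}"
            if info.flag_bits & 0x1:      # general-purpose bit 0: encrypted entry
                findings.append(f"{member}: password-protected, cannot be inspected")
                continue
            findings.extend(triage_attachment(member, zf.read(info), depth + 1, max_depth))
    return findings


# --- constructed fixtures (not real campaign artifacts) ----------------------

def build_sample_iso():
    """Stand-in for an ISO: zeros up to sector 16, then a primary volume
    descriptor header (type 1, 'CD001', version 1). Not a mountable image."""
    return b"\x00" * ISO_SECTOR + b"\x01CD001\x01" + b"\x00" * 2041


def build_sample_zip(member_name, payload):
    """ZIP containing a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def mark_member_encrypted(zip_bytes):
    """Set the 'encrypted' flag bit in the central directory of a one-member
    ZIP so the detector's branch can be exercised; no real encryption applied."""
    idx = zip_bytes.rindex(b"PK\x01\x02")       # central directory header
    flags = zip_bytes[idx + 8] | 0x1            # general-purpose flags, low byte
    return zip_bytes[:idx + 8] + bytes([flags]) + zip_bytes[idx + 9:]


if __name__ == "__main__":
    iso = build_sample_iso()
    for label, blob in [
        ("mail.zip", build_sample_zip("confirmation.iso", iso)),
        ("mail.zip", build_sample_zip("confirmation.pdf", iso)),
        ("mail.zip", mark_member_encrypted(build_sample_zip("confirmation.iso", iso))),
    ]:
        print(triage_attachment(label, blob))
```

A gateway rule built on this would quarantine on any finding rather than only on the `.iso` extension, which is the point of checking the sector-16 signature: a renamed image is still an image once the user double-clicks it.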
Credential-Based Attacks Target Cisco and Palo Alto Networks VPN Gateways
(published: December 18, 2025)
Security researchers have identified a large-scale credential-based attack campaign targeting enterprise VPN authentication portals, including Cisco SSL VPN and Palo Alto Networks GlobalProtect. According to GreyNoise telemetry, the activity began on December 11 and involved millions of automated login attempts originating from thousands of IP addresses. The attacks exhibit consistent tooling, reuse of common username and password combinations, and infrastructure clustering, indicating coordinated password spraying rather than exploitation of a software vulnerability. The activity spans multiple vendors, suggesting broad reconnaissance against exposed remote access services. GreyNoise assesses the campaign as opportunistic, aimed at identifying organizations with weak credential hygiene or missing multi-factor authentication. Vendors have emphasized that the activity is not linked to recently disclosed vulnerabilities and recommend enforcing MFA, limiting authentication attempts, monitoring login telemetry, and blocking known malicious infrastructure to reduce exposure.
Analyst Comment: The key insight here is that this activity succeeds without exploiting any software weakness. Attackers are applying constant, automated pressure to exposed VPN login pages and letting poor credential hygiene do the work for them. The cross-vendor nature of the campaign shows this is not about Cisco or Palo Alto specifically, but about identifying organizations that still rely on passwords alone or fail to monitor authentication noise. For defenders, repeated failed VPN logins should be treated as an early warning signal, not background activity. Enforcing MFA across all remote access, applying rate limiting, and actively reviewing authentication telemetry removes the attacker’s advantage and effectively opts the organization out of this entire class of opportunistic intrusion.
MITRE ATT&CK: T1110.003 - Brute Force: Password Spraying
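The analyst comment above says repeated failed VPN logins should be treated as an early warning, and the campaign description gives the shape to look for: a few passwords against many usernames, from clustered infrastructure. The following is an added example, not code from the Anomali digest or from GreyNoise; the log line format, the field names, the window and the threshold are assumptions, and the log lines are constructed. It keys on distinct usernames per source (the spray signal) rather than failures per account (the brute-force signal), can aggregate sources to a /24 to catch a spray spread across neighbouring addresses, and lists accounts that succeeded from a flagged source.

```python
"""Password-spray detection over VPN portal authentication logs.

Added example, not from the Anomali digest or GreyNoise: the log line
format, field names, window and threshold are assumptions. A spray shows up
as one source (or one /24 of sources) failing against many *different*
usernames in a short window, so the detector keys on distinct usernames per
source rather than failures per account.
"""
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <source_ip> <username> <result>"
SAMPLE_LOG = """\
2025-12-11T02:00:01Z 203.0.113.10 alice FAIL
2025-12-11T02:00:02Z 203.0.113.10 bob FAIL
2025-12-11T02:00:03Z 203.0.113.10 carol FAIL
2025-12-11T02:00:04Z 203.0.113.10 dave FAIL
2025-12-11T02:00:05Z 203.0.113.10 erin FAIL
2025-12-11T02:00:06Z 203.0.113.10 frank FAIL
2025-12-11T02:00:07Z 203.0.113.11 grace FAIL
2025-12-11T02:00:08Z 203.0.113.11 heidi FAIL
2025-12-11T02:00:09Z 203.0.113.11 ivan FAIL
2025-12-11T02:00:10Z 203.0.113.11 judy FAIL
2025-12-11T02:00:11Z 203.0.113.11 mallory FAIL
2025-12-11T02:00:12Z 203.0.113.11 oscar FAIL
2025-12-11T02:00:13Z 203.0.113.11 oscar OK
2025-12-11T02:05:00Z 198.51.100.7 alice FAIL
2025-12-11T02:05:30Z 198.51.100.7 alice FAIL
2025-12-11T02:06:00Z 198.51.100.7 alice OK
2025-12-11T03:00:00Z 192.0.2.5 bob OK
"""


def parse_log(text):
    """Parse the sample format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events


def source_key(ip, by_24):
    """Aggregate to the /24 so a spray spread across neighbouring IPs still shows."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False)) if by_24 else ip


def spray_sources(events, window=timedelta(minutes=10), min_users=5, by_24=False):
    """Return {source: peak distinct usernames} for sources whose failed logins
    touched at least `min_users` distinct usernames inside any `window`."""
    fails = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            fails[source_key(ip, by_24)].append((ts, user))
    findings = {}
    for src, items in fails.items():
        items.sort()
        active = Counter()          # usernames currently inside the sliding window
        lo, peak = 0, 0
        for ts, user in items:
            active[user] += 1
            while ts - items[lo][0] > window:   # slide the left edge forward
                old = items[lo][1]
                active[old] -= 1
                if active[old] == 0:
                    del active[old]
                lo += 1
            peak = max(peak, len(active))
        if peak >= min_users:
            findings[src] = peak
    return findings


def successes_from_spray_sources(events, **kwargs):
    """Accounts that logged in successfully from a flagged source: these are the
    weak-credential, no-MFA accounts the spray was hunting for, so they go to
    the top of the triage queue (reset credentials, review session activity)."""
    by_24 = kwargs.get("by_24", False)
    flagged = spray_sources(events, **kwargs)
    return sorted({(source_key(ip, by_24), user)
                   for _, ip, user, result in events
                   if result == "OK" and source_key(ip, by_24) in flagged})


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("per-IP sprayers:  ", spray_sources(ev))
    print("per-/24 sprayers: ", spray_sources(ev, by_24=True))
    print("accounts to reset:", successes_from_spray_sources(ev))
```

Note what the per-account view would miss: 198.51.100.7 fails twice against `alice` and then succeeds, which is a user mistyping a password, while 203.0.113.11 touches six accounts in six seconds and then succeeds as `oscar`, which is exactly the success a rate limit and MFA would have prevented.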
GhostPoster Malware Compromises Firefox Extensions via PNG Icons
(published: December 17, 2025)
Security researchers have uncovered a large-scale malware campaign dubbed GhostPoster, which has infected at least 17 Mozilla Firefox browser extensions with embedded malicious code hidden inside their PNG logo files. These extensions, collectively downloaded by more than 50,000 users, were marketed as free VPNs, ad blockers, weather tools, and other benign utilities. The malicious code uses steganography to conceal a loader script in the image data, bypassing static scanning and manual review. Once executed, the loader contacts attacker-controlled infrastructure to retrieve a secondary payload that can hijack affiliate links, inject tracking, strip browser security protections, and establish persistent remote control of the affected browser. Affected extensions have since been removed from Firefox’s marketplace, but existing installations still pose risk to users who have not uninstalled them.
Analyst Comment: GhostPoster’s real significance is not the malware itself, but what it exposes about defender blind spots. This campaign did not rely on a Firefox flaw or novel exploit. It succeeded by abusing trust in extension marketplaces and hiding malicious logic inside a file type most security controls treat as inert. The use of steganography in a PNG icon allowed the extensions to pass review and persist after removal from the store, turning visual assets into a delivery mechanism. For defenders, browser extensions should be treated as part of the software supply chain, not cosmetic add-ons. Reducing extension sprawl, auditing installed plugins, and monitoring runtime browser behavior will do far more to mitigate this class of threat than chasing individual malicious extensions after the fact.
MITRE ATT&CK: T1176 - Browser Extensions | T1059.007 - Command and Scripting Interpreter: Javascript | T1027.003 - Obfuscated Files or Information: Steganography | T1071.001 - Application Layer Protocol: Web Protocols
Clop Ransomware Targets Gladinet CentreStack File Servers
(published: December 18, 2025)
The Clop ransomware gang (also known as Cl0p) has launched a new data theft extortion campaign focused on Internet-exposed Gladinet CentreStack file servers. The group is actively scanning and breaching vulnerable CentreStack instances, leaving ransom notes on compromised systems and threatening public disclosure of stolen data. CentreStack, a platform used by thousands of organisations worldwide for remote file access and collaboration without VPNs, has multiple security issues, including recently exploited vulnerabilities related to insecure cryptographic key handling and remote code execution. More than 200 unique hosts with publicly reachable CentreStack logins have been flagged as potential targets. It remains unclear which specific vulnerability Clop is exploiting in this latest campaign, with speculation that it could involve an unpatched zero-day or an n-day bug. Clop’s history of targeting secure file transfer and collaboration infrastructure, including MOVEit, Cleo, GoAnywhere, and Oracle EBS, underscores its strategic focus on maximising impact through widely deployed enterprise platforms.
Analyst Comment: The campaign underscores a shift defenders need to internalize: when collaboration infrastructure is reachable from the Internet, the question is not which vulnerability is exploited, but how quickly sensitive data can be accessed and staged once entry is gained. Clop has repeatedly shown that it does not need novel tooling to succeed, only reliable access to platforms that aggregate business-critical files. For organisations running CentreStack, the immediate priority should be validating external exposure, reviewing authentication and file access telemetry, and assuming that data theft, not encryption, is the primary risk. Treating these services as core data assets rather than supporting IT tools is essential to breaking Clop’s extortion model.
MITRE ATT&CK: T1595 - Active Scanning | T1190 - Exploit Public-Facing Application | T1213 - Data From Information Repositories | T1657 - Financial Theft
LongNosedGoblin Cyberespionage Campaign Exploits Windows Group Policy
(published: December 18, 2025)
Researchers have uncovered a previously undocumented China-aligned advanced persistent threat (APT) actor dubbed LongNosedGoblin conducting targeted cyberespionage against governmental institutions in Southeast Asia and Japan. The group has been active since at least September 2023 and abuses Windows Group Policy Objects within Active Directory environments to deploy a bespoke toolkit of malware and move laterally across compromised networks. Key components include NosyHistorian (harvests browser history to inform follow-on targeting), NosyDoor (a backdoor using cloud services such as Microsoft OneDrive for command and control), NosyStealer (exfiltrates browser data), NosyDownloader (in-memory payload delivery), and NosyLogger (keylogging). Some tooling employs living-off-the-land techniques and evasion of antimalware scan interfaces. Initial access vectors remain undetermined, but selective deployment and execution guardrails indicate careful target profiling.
Analyst Comment: LongNosedGoblin’s malware stack reveals a deliberate intelligence-collection workflow rather than a simple persistence play. Early-stage tools like NosyHistorian and NosyStealer prioritize browser history and credential-adjacent data to map user behavior, access patterns, and likely intelligence value before heavier backdoors are deployed. More capable implants such as NosyDoor are selectively pushed via Group Policy and leverage mainstream cloud services for command and control, allowing traffic to blend into legitimate enterprise usage. This staged deployment and reliance on trusted Windows mechanisms signals a mature espionage operator optimizing for stealth and longevity. For defenders, the most actionable signal is not the malware itself, but the sequencing: reconnaissance tooling appearing first, followed by targeted policy-based delivery. Detecting that transition point can expose intrusions before full operational access is achieved.
MITRE ATT&CK: T1059 - Command And Scripting Interpreter | T1484.001 - Domain Policy Modification: Group Policy Modification | T1562.001 - Impair Defenses: Disable Or Modify Tools | T1056.001 - Input Capture: Keylogging | T1217 - Browser Bookmark Discovery | T1071.001 - Application Layer Protocol: Web Protocols | T1041 - Exfiltration Over C2 Channel
Target Region: Asia
Target Country: Japan
Source Country: China
Source Region: Asia
Cracked Software and YouTube Videos Fuel CountLoader Campaign Delivering ACR Stealer
(published: December 19, 2025)
Threat actors are abusing cracked software downloads and compromised YouTube channels to distribute the CountLoader malware, a modular loader now closely associated with delivery of the ACR Stealer infostealer. Targets are lured through fake software installers and video descriptions that link to password-protected archives hosted on file-sharing services. Once executed, CountLoader establishes persistence, profiles the host, and retrieves follow-on payloads, with recent reporting confirming ACR Stealer as a primary objective. The stealer focuses on harvesting browser data, credentials, and cryptocurrency wallets. Additional research indicates CountLoader has evolved with improved evasion, staged execution, and in-memory loading, making early detection difficult. The campaign highlights how trusted platforms and user demand for pirated software continue to provide reliable distribution channels for financially motivated malware operations.
Analyst Comment: This activity reinforces that cracked software and social media platforms remain some of the most dependable malware delivery channels because they align with deliberate user action, not exploitation. CountLoader is effective precisely because it blends into expected installer workflows, using staged execution and in-memory loading to delay visibility until after initial trust is established. Once active, it functions as a purpose-built gateway for ACR Stealer, which rapidly harvests browser credentials, session data, and cryptocurrency artifacts before exfiltration. For defenders, the intelligence value lies in recognizing these delivery paths as high-confidence infection signals and prioritizing monitoring around archive execution, installer-launched network activity, and early post-install behaviors, where disruption is far more impactful than chasing downstream payload indicators.
MITRE ATT&CK: T1566.002 - Phishing: Spearphishing Link | T1204.002 - User Execution: Malicious File | T1027 - Obfuscated Files Or Information | T1620 - Reflective Code Loading | T1547 - Boot Or Logon Autostart Execution | T1082 - System Information Discovery | T1555 - Credentials From Password Stores | T1005 - Data From Local System | T1071.001 - Application Layer Protocol: Web Protocols | T1041 - Exfiltration Over C2 Channel
RansomHouse Ransomware Upgrades Encryption to Evade Detection and Recovery
(published: December 20, 2025)
The RansomHouse ransomware operation has significantly upgraded its encryption capabilities, transitioning from simple single-pass file encryption to a sophisticated two-stage methodology. The enhanced encryptor, dubbed Mario, now employs dual encryption keys (a 32-byte primary and 8-byte secondary key) to transform target files, substantially increasing the difficulty of decryption without both keys. The upgrade introduces chunked file processing with dynamic sizing at an 8GB threshold, utilizing sparse encryption that processes only specific file blocks at calculated offsets. This non-linear approach complicates static analysis and reverse engineering efforts. RansomHouse, operated by the threat group Jolly Scorpius, specifically targets VMware ESXi hypervisors using an automated deployment tool called MrAgent, allowing attackers to simultaneously encrypt dozens or hundreds of virtual machines. The group employs a double extortion strategy, stealing sensitive data before encrypting systems, then threatening public disclosure to pressure targets. Since December 2021, at least 123 organizations across healthcare, finance, transportation, and government sectors have been publicly listed on RansomHouse's leak site, indicating successful compromises.
Analyst Comment: This upgrade isn't about stronger encryption; it's about deliberately closing forensic recovery pathways. The dual-key system with sparse block processing was specifically engineered to defeat techniques that sometimes enable partial recovery from traditional ransomware. For defenders, this fundamentally changes the equation. Once Mario executes, technical decryption becomes significantly more difficult without both keys, and while offline backups remain critical for system restoration, they don't address the data theft component of this double extortion model. If you run VMware ESXi infrastructure, understand that one compromised hypervisor can cascade into hundreds of encrypted VMs within minutes through MrAgent automation. Focus monitoring on hypervisor-level anomalies: unusual esxcli commands, unexpected scheduled tasks, firewall modification attempts, and C2 connections during the MrAgent deployment phase. Detection during the pre-encryption stages offers your best opportunity to prevent impact, making real-time visibility into ESXi environments essential.
MITRE ATT&CK: T1190 - Exploit Public-Facing Application | T1569.002 - System Services: Service Execution | T1068 - Exploitation For Privilege Escalation | T1027 - Obfuscated Files Or Information | T1486 - Data Encrypted For Impact | T1041 - Exfiltration Over C2 Channel
Target Industry: Healthcare, Financial services, Transportation, Government
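The analyst comment above names the hypervisor-level anomalies worth watching during the pre-encryption stage: unusual esxcli commands, unexpected scheduled tasks, and firewall modification attempts. The following is an added example, not code from the RansomHouse reporting or from VMware: the line format is modelled on ESXi's shell history log (`<timestamp> shell[<pid>]: [<user>]: <command>`), and the rule set, categories, window and threshold are assumptions. The sample log lines are constructed. The detector tags each command with a category and escalates only when several different categories land inside a short window, which is the burst a tool like MrAgent would produce and which a single admin session rarely does.

```python
"""Flag pre-encryption activity in ESXi shell history.

Added example, not from the RansomHouse reporting or VMware. Log format,
rules, window and threshold are assumptions; the sample lines are constructed.
"""
import re
from datetime import timedelta, datetime

LINE_RE = re.compile(r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")

# (category, pattern) pairs mirroring the anomalies the digest lists; the
# firewall pattern deliberately ignores read-only "ruleset list" queries.
RULES = [
    ("firewall", re.compile(r"esxcli\s+network\s+firewall\s+(set\b|unload|ruleset\s+set)")),
    ("exec_policy", re.compile(r"execInstalledOnly")),
    ("vm_power", re.compile(r"(vim-cmd\s+vmsvc/power\.off|esxcli\s+vm\s+process\s+kill)")),
    ("cron", re.compile(r"/var/spool/cron/crontabs/")),
    ("logging", re.compile(r"esxcli\s+system\s+syslog\s+config\s+set")),
    ("vm_enum", re.compile(r"(vim-cmd\s+vmsvc/getallvms|esxcli\s+vm\s+process\s+list)")),
]

# Constructed sample: one rapid scripted session, then a routine admin session.
SAMPLE_LOG = """\
2025-12-20T09:58:00Z shell[20001]: [root]: esxcli system version get
2025-12-20T09:58:30Z shell[20001]: [root]: vim-cmd vmsvc/getallvms
2025-12-20T09:59:10Z shell[20001]: [root]: esxcli network firewall set --enabled false
2025-12-20T09:59:40Z shell[20001]: [root]: echo "* * * * * /tmp/x" >> /var/spool/cron/crontabs/root
2025-12-20T10:00:05Z shell[20001]: [root]: esxcli system settings advanced set -o /User/execInstalledOnly -i 0
2025-12-20T10:00:20Z shell[20001]: [root]: esxcli vm process kill --type=force --world-id=123456
2025-12-20T15:30:00Z shell[20777]: [root]: esxcli network firewall ruleset list
2025-12-20T15:31:00Z shell[20777]: [root]: esxcli storage core device list
"""


def parse(text):
    """Parse shell-history lines into (timestamp, user, command) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["user"], m["cmd"]))
    return events


def tag(events):
    """Attach the first matching category to each command; drop the rest."""
    hits = []
    for ts, user, cmd in events:
        for cat, pat in RULES:
            if pat.search(cmd):
                hits.append((ts, user, cat, cmd))
                break
    return hits


def bursts(hits, window=timedelta(minutes=5), min_categories=3):
    """Alert when at least `min_categories` distinct categories occur within
    `window`; returns (window_start, sorted categories) per burst."""
    alerts, i = [], 0
    while i < len(hits):
        t0 = hits[i][0]
        in_window = [h for h in hits[i:] if h[0] - t0 <= window]
        cats = sorted({h[2] for h in in_window})
        if len(cats) >= min_categories:
            alerts.append((t0, cats))
            i += len(in_window)       # do not re-alert on the same burst
        else:
            i += 1
    return alerts


if __name__ == "__main__":
    hits = tag(parse(SAMPLE_LOG))
    for ts, user, cat, cmd in hits:
        print(f"{ts.isoformat()} {user:6} {cat:12} {cmd}")
    for start, cats in bursts(hits):
        print(f"BURST at {start.isoformat()}: {', '.join(cats)}")
```

The afternoon session in the sample generates no alert even though it touches the firewall subsystem, because listing rulesets is not a modification and one category alone never reaches the threshold; the morning session trips it within two minutes, before any VM has been encrypted.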