
Daily Cybersecurity Roundup, December 10, 2025

A wave of increasingly sophisticated malware and RAT-driven campaigns is reshaping the threat landscape, as seen in recent operations where North Korean actors are weaponizing the React2Shell vulnerability to deploy EtherRAT, which uses Ethereum smart contracts for communication. At the same time, Makop ransomware is zeroing in on Indian organizations by abusing weak RDP credentials and chaining privilege-escalation exploits with loaders like GuLoader to gain a foothold and encrypt data. In parallel, SEO poisoning campaigns are pushing spoofed Microsoft Teams and Google Meet installers that rely on revoked certificates to appear trustworthy, silently drop trojanized components, establish persistence via scheduled tasks, and ultimately install the Oyster backdoor. Read on for the full list.

01. North Korean hackers are exploiting the React2Shell flaw to deploy EtherRAT malware, leveraging Ethereum smart contracts for communication and advanced Linux persistence mechanisms.

02. Makop ransomware, a Phobos variant, is targeting Indian organizations by exploiting weak RDP credentials and using privilege-escalation exploits and GuLoader to gain access and execute encryption.

03. Four threat clusters are using CastleLoader under GrayBravo’s MaaS model, with the rapidly evolving group (formerly TAG-150) leveraging tools like CastleRAT and CastleBot to deliver malware families including DeerStealer and RedLine Stealer.

04. Akira ransomware is targeting hypervisors such as VMware ESXi and Microsoft Hyper-V, exploiting vulnerabilities to mass-encrypt virtual machines as hypervisor-based incidents surge from 3% to 25% in late 2025, with attackers compromising the hypervisor layer.

05. SEO poisoning attacks are distributing fake Microsoft Teams and Google Meet installers that use revoked certificates to appear legitimate, deploy trojanized files, create persistent scheduled tasks, and ultimately deliver the Oyster backdoor malware.

06. Cybercriminals are exploiting workforce anxieties by sending HR-themed phishing emails related to layoffs and terminations, distributing malware like Remcos RAT.

07. Hackers have discovered a critical vulnerability in WhatsApp and Signal that allows them to exploit delivery receipts. The attack, called "Careless Whisper," covertly tracks user activity, monitors routines, drains battery life, and collects sensitive data using only a phone number.

08. Microsoft’s Patch Tuesday update fixes 57 vulnerabilities, including three zero-days, with the actively exploited CVE-2025-62221 in the Windows Cloud Files Mini Filter Driver enabling attackers to elevate privileges to SYSTEM.

09. SAP’s December 2025 updates address 14 vulnerabilities, including three critical issues, notably a CVSS 9.9 code injection flaw in SAP Solution Manager ST 720 that could let authenticated attackers gain full system control.

10. Fortinet has released a critical security update for FortiSandbox appliances to address a high-severity OS command injection vulnerability (CVE-2025-53949) that could enable attackers to execute malicious code.
