
Daily Cybersecurity Roundup, December 22, 2025

As the holiday season brings tales of goblins and mischief, a real-world goblin has surfaced in cyberspace: the China-aligned APT group LongNosedGoblin is targeting government networks in Southeast Asia and Japan. At the same time, Russia's GRU-linked BlueDelta group has been running credential harvesting operations with fake login pages and PDF phishing lures while hiding its infrastructure behind free hosting services and proxy tunneling platforms. Adding to the trend, the Iranian threat group Infy, also known as Prince of Persia, has resurfaced after a prolonged hiatus with fresh malware campaigns against targets across the Middle East, Europe, India, and North America. Read on for the full roundup.

01

LongNosedGoblin, a new China-aligned APT group, has been targeting governmental entities in Southeast Asia and Japan using Group Policy to deploy malware and move laterally across networks, with tools such as NosyHistorian and NosyDoor.

02

BlueDelta, a GRU-linked Russian threat group, conducted a credential harvesting campaign against UKR.NET users using fake login portals and PDF phishing lures, abusing free hosting services and proxy tunneling tools such as Mocky, DNS EXIT, ngrok, and Serveo to evade security controls.
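A hunting check for the kind of infrastructure described above, added here as an example and not code from the original roundup or from any vendor report. It walks DNS query log lines (the lines and their three-column format are constructed) and flags queries whose name falls under the public parent domains of the tunneling and free hosting services named in the item. The domain list is an assumed starting point based on those services' well-known hostnames, not an exhaustive indicator set; the DNS EXIT entry in particular should be extended with the dynamic-DNS zones your own telemetry shows.

```python
"""
Hunt DNS query logs for the tunnelling and free hosting services named in
the BlueDelta item (ngrok, Serveo, Mocky, DNS EXIT). Added example; the log
lines are constructed and the domain list is an assumed starting point.
"""
from dataclasses import dataclass
from typing import List, Optional

# Parent domains of the services. Matching is by DNS suffix so that per-tenant
# subdomains such as a1b2c3d4.ngrok-free.app are caught.
TUNNEL_AND_FREE_HOSTING_DOMAINS = {
    "ngrok.io": "ngrok",
    "ngrok-free.app": "ngrok",
    "ngrok.app": "ngrok",
    "serveo.net": "Serveo",
    "mocky.io": "Mocky",
    "dnsexit.com": "DNS EXIT",   # assumption: extend with the dynamic-DNS zones you observe
}

@dataclass(frozen=True)
class Hit:
    timestamp: str
    client: str
    qname: str
    service: str

def match_service(qname: str) -> Optional[str]:
    """Return the service name if qname equals, or is a subdomain of, a listed parent domain.
    The leading dot in the suffix test prevents 'notngrok.io' from matching 'ngrok.io'."""
    name = qname.rstrip(".").lower()
    for parent, service in TUNNEL_AND_FREE_HOSTING_DOMAINS.items():
        if name == parent or name.endswith("." + parent):
            return service
    return None

def scan_dns_log(lines) -> List[Hit]:
    """Parse 'timestamp client qname' records (a constructed format) and return matches."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue                      # skip blank or malformed lines
        ts, client, qname = parts[0], parts[1], parts[2]
        service = match_service(qname)
        if service:
            hits.append(Hit(ts, client, qname, service))
    return hits

# Constructed sample log: one benign query, one near-miss, three real matches.
SAMPLE_LOG = """\
2025-12-22T08:01:12Z 10.0.4.17 login.ukr.net
2025-12-22T08:01:15Z 10.0.4.17 a1b2c3d4.ngrok-free.app
2025-12-22T08:03:40Z 10.0.9.2 notngrok.io
2025-12-22T08:05:02Z 10.0.4.17 run.mocky.io
2025-12-22T08:06:11Z 10.0.7.30 files.serveo.net
""".splitlines()

if __name__ == "__main__":
    for h in scan_dns_log(SAMPLE_LOG):
        print(f"{h.timestamp} {h.client} -> {h.qname} [{h.service}]")
```

A single hit is not proof of compromise, since developers use these services legitimately; the useful signal is a workstation that resolves one of them shortly after opening a PDF or visiting a look-alike login page, so pivot from the client IP into proxy and endpoint logs.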

03

A new Android SMS-stealing malware family, Wonderland, is being used against users in Uzbekistan in a large-scale financial fraud campaign; it maintains a bidirectional channel to its operators, allowing commands to be executed on the infected device in real time.

04

Arcane Werewolf, also known as Mythic Likho, has escalated cyberattacks on Russian industrial enterprises by using phishing campaigns that impersonate legitimate organizations to deliver malicious archives and redirect victims to spoofed domains, ultimately deploying the Loki 2.1 malware toolkit.

05

The Iranian hacking group Infy (aka Prince of Persia) has resurfaced after years of inactivity, with new malware campaigns targeting victims in Iran, Iraq, Turkey, India, Canada, and Europe.

06

The YouTube Ghost Network has been hijacking compromised YouTube accounts to promote malicious videos aimed at users seeking game cheats and cracked software, using the Node.js-based GachiLoader to deliver secondary payloads such as Kidkadi.

07

A UEFI firmware flaw in ASUS, Gigabyte, MSI, and ASRock motherboards allows pre-boot DMA attacks: because the IOMMU is not initialized properly during early boot, a malicious PCIe device can read and write system memory before the operating system is loaded.
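A post-boot check of a Linux host's DMA protection, added here as an example and not part of the original item or any vendor advisory. It reads the sysfs and procfs locations the kernel exposes for the IOMMU (the IOMMU group directory, the kernel command line, and the Thunderbolt `iommu_dma_protection` flag), but the roots are parameters so the check also runs against a constructed tree via `demo()`. The caveat matters: the flaw above sits in the firmware's pre-boot window, which the OS cannot observe; this confirms only that the IOMMU is active once the kernel is up, which is the layer an OS-side check can verify.

```python
"""
Post-boot DMA-protection check for a Linux host. Added example; real hosts
are read from /sys and /proc, demo() uses a constructed tree instead.
"""
import tempfile
from pathlib import Path
from typing import Optional

def iommu_group_count(sysfs_root: str = "/sys") -> int:
    """Number of IOMMU groups the kernel created; 0 means no active IOMMU."""
    groups = Path(sysfs_root) / "kernel" / "iommu_groups"
    if not groups.is_dir():
        return 0
    return sum(1 for p in groups.iterdir() if p.name.isdigit())

def cmdline_iommu_setting(cmdline: str) -> str:
    """Classify IOMMU-related kernel parameters as 'disabled', 'enabled' or 'default'."""
    tokens = set(cmdline.split())
    if tokens & {"iommu=off", "intel_iommu=off", "amd_iommu=off"}:
        return "disabled"
    if tokens & {"intel_iommu=on", "amd_iommu=on", "amd_iommu=force_enable", "iommu=force"}:
        return "enabled"
    return "default"   # kernel/platform default applies; the group count is the real evidence

def thunderbolt_dma_protection(sysfs_root: str = "/sys") -> Optional[bool]:
    """iommu_dma_protection for every Thunderbolt/USB4 domain; None if there is no such domain."""
    base = Path(sysfs_root) / "bus" / "thunderbolt" / "devices"
    if not base.is_dir():
        return None
    flags = [p.read_text().strip() == "1" for p in base.glob("domain*/iommu_dma_protection")]
    return all(flags) if flags else None

def assess(sysfs_root: str = "/sys", cmdline_path: str = "/proc/cmdline") -> dict:
    """Combine the three signals into one verdict string plus the raw values."""
    cmdline_file = Path(cmdline_path)
    cmdline = cmdline_file.read_text() if cmdline_file.is_file() else ""
    groups = iommu_group_count(sysfs_root)
    setting = cmdline_iommu_setting(cmdline)
    tb = thunderbolt_dma_protection(sysfs_root)
    if setting == "disabled" or groups == 0:
        verdict = "FAIL: no active IOMMU; a malicious PCIe/Thunderbolt device can DMA into system memory"
    elif tb is False:
        verdict = "WARN: IOMMU active but a Thunderbolt domain reports DMA protection off"
    else:
        verdict = "OK: IOMMU active at OS runtime"
    return {"iommu_groups": groups, "cmdline": setting,
            "thunderbolt_dma_protection": tb, "verdict": verdict}

def demo(intel_iommu_on: bool = True) -> dict:
    """Run assess() against a constructed sysfs/procfs tree, not a real host."""
    with tempfile.TemporaryDirectory() as root:
        sysfs = Path(root) / "sys"
        for i in range(3 if intel_iommu_on else 0):       # three fake IOMMU groups when "on"
            (sysfs / "kernel" / "iommu_groups" / str(i)).mkdir(parents=True)
        cmdline = Path(root) / "cmdline"
        cmdline.write_text("BOOT_IMAGE=/vmlinuz root=/dev/sda2 "
                           + ("intel_iommu=on\n" if intel_iommu_on else "intel_iommu=off\n"))
        return assess(str(sysfs), str(cmdline))

if __name__ == "__main__":
    print("constructed tree:", demo()["verdict"])
    print("this host:       ", assess()["verdict"])
```

On Windows the equivalent runtime signal is the "Kernel DMA Protection" line in msinfo32; in both cases the firmware-side fix is the vendor's UEFI update, and the OS check only tells you whether the IOMMU is guarding memory after boot.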

08

Cybercriminals are using "Device Code Phishing" to abuse Microsoft's OAuth 2.0 device authorization flow and take over Microsoft 365 accounts: the attacker starts the flow, lures the victim into entering the resulting user code on the legitimate Microsoft sign-in page, and then collects the tokens that the flow issues to the attacker's own client.
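A simulation of the OAuth 2.0 device authorization grant (RFC 8628) that shows why the technique above works: the party that starts the flow and later redeems the tokens is never the party that approves it. This is an added example, not code from the original roundup or from Microsoft; the in-memory authorization server, the client ID, the IP addresses and the sign-in records are all constructed for illustration, and the detection at the end relies on an approver IP that real sign-in logs do not carry, which the comment explains.

```python
"""
RFC 8628 device authorization grant, simulated end to end, plus a toy
detection over the resulting sign-in records. Added example; every
identifier and address is constructed.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Optional

@dataclass
class PendingGrant:
    client_id: str
    scope: str
    expires_at: float
    approved_by: Optional[str] = None   # user who typed the user_code
    approver_ip: Optional[str] = None   # network the approval came from

class DeviceAuthServer:
    """Toy authorization server with the two RFC 8628 endpoints and a sign-in log."""

    def __init__(self, lifetime_s: int = 900):
        self.lifetime_s = lifetime_s
        self.grants: dict = {}        # device_code -> PendingGrant
        self.user_codes: dict = {}    # user_code -> device_code
        self.sign_ins: list = []      # one record per issued token

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """Section 3.2 response: device_code stays secret, user_code is meant for a human."""
        device_code = secrets.token_urlsafe(32)
        user_code = f"{secrets.token_hex(2).upper()}-{secrets.token_hex(2).upper()}"
        self.grants[device_code] = PendingGrant(client_id, scope, time.time() + self.lifetime_s)
        self.user_codes[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example/device",   # constructed
                "expires_in": self.lifetime_s, "interval": 5}

    def user_approves(self, user_code: str, user: str, approver_ip: str) -> bool:
        """Section 3.3: a signed-in human enters user_code in a browser. Nothing ties that
        browser to the client that will later redeem the matching device_code."""
        device_code = self.user_codes.get(user_code)
        grant = self.grants.get(device_code)
        if grant is None or time.time() > grant.expires_at:
            return False
        grant.approved_by, grant.approver_ip = user, approver_ip
        return True

    def token(self, device_code: str, client_id: str, poller_ip: str) -> dict:
        """Sections 3.4/3.5: polled by whoever holds device_code; in a phish that is the attacker."""
        grant = self.grants.get(device_code)
        if grant is None or grant.client_id != client_id:
            return {"error": "invalid_grant"}
        if time.time() > grant.expires_at:
            return {"error": "expired_token"}
        if grant.approved_by is None:
            return {"error": "authorization_pending"}
        self.sign_ins.append({"user": grant.approved_by, "protocol": "deviceCode",
                              "client_id": client_id, "token_ip": poller_ip,
                              "approver_ip": grant.approver_ip})
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "scope": grant.scope}

def run_phish(server: DeviceAuthServer) -> dict:
    """Attacker starts the flow, the lure carries only user_code, the victim approves, attacker redeems."""
    resp = server.device_authorization("legit-first-party-client", "Mail.Read offline_access")
    assert server.user_approves(resp["user_code"], "alice@example.com", approver_ip="198.51.100.24")
    return server.token(resp["device_code"], "legit-first-party-client", poller_ip="203.0.113.9")

def run_legitimate(server: DeviceAuthServer) -> dict:
    """Same flow from a headless device and its owner's phone on one network."""
    resp = server.device_authorization("legit-first-party-client", "Mail.Read")
    server.user_approves(resp["user_code"], "bob@example.com", approver_ip="192.0.2.7")
    return server.token(resp["device_code"], "legit-first-party-client", poller_ip="192.0.2.7")

def suspicious_device_code_grants(sign_ins: list) -> list:
    """Flag device-code grants redeemed from a different network than the approval came from.
    Real sign-in logs expose only the redeeming IP, so there you compare it against the user's
    usual locations and treat any device-code sign-in as a rare event worth reviewing."""
    return [s for s in sign_ins
            if s["protocol"] == "deviceCode" and s["token_ip"] != s["approver_ip"]]

if __name__ == "__main__":
    srv = DeviceAuthServer()
    print("attacker received a token:", "access_token" in run_phish(srv))
    run_legitimate(srv)
    for record in suspicious_device_code_grants(srv.sign_ins):
        print("suspicious:", record)
```

The defensive lesson is that the sign-in page the victim sees is genuine and the password is never typed anywhere the attacker controls, so password hygiene and most phishing-awareness cues do not help; restricting which clients and users may use the device code flow, and alerting on device-code sign-ins from unfamiliar networks, are the controls that do.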

09

WatchGuard patched a critical Firebox firewall vulnerability (CVE-2025-14733) that allows unauthenticated remote code execution. The flaw affects Fireware OS versions 11.x, 12.x, and 2025.x; fixes are available for the supported 12.x and 2025.x branches, while 11.x is end-of-life and receives no patch.

10

Over 25,000 Fortinet devices with FortiCloud SSO enabled are exposed online, making them reachable targets. The vulnerabilities CVE-2025-59718 and CVE-2025-59719 let attackers gain access to admin accounts via crafted SAML messages and from there reach sensitive data and device configurations.
