    Cyber Threat Intelligence 09 December 2025

    NCSA_THAICERT

      Financial Sector

      • Russian Police Bust Bank-Account Hacking Gang That Used NFCGate-Based Malware
        "Russian police said they have dismantled a criminal group that stole millions from bank customers using malware built on NFCGate, a legitimate open-source tool increasingly exploited by cybercriminals worldwide. According to Russia’s Interior Ministry, police detained several suspected members of the group — including the developer and main administrator of the malicious tool — late last week. The ministry did not identify the malware variant."
        https://therecord.media/russian-police-bust-banking-hackers-nfcgate-based-malware

      New Tooling

      • The Bastion: Open-Source Access Control For Complex Infrastructure
        "Operational teams know that access sprawl grows fast. Servers, virtual machines and network gear all need hands-on work and each new system adds more identities to manage. A bastion host tries to bring order to this problem. It acts as a single entry point for sysadmins and developers who connect to infrastructure through ssh. This model is old in theory, but The Bastion open-source project shows how far a purpose-built access layer can go."
        https://www.helpnetsecurity.com/2025/12/08/open-source-bastion-host-security/
        https://github.com/ovh/the-bastion

      Vulnerabilities

      • Attackers Actively Exploiting Critical Vulnerability In Sneeit Framework Plugin
        "On June 10th, 2025, we received a submission for a Remote Code Execution vulnerability in Sneeit Framework, a WordPress plugin with an estimated 1,700 active installations. The plugin is bundled in multiple premium themes. This vulnerability can be leveraged to execute code remotely. The vendor released the patched version on August 5th, 2025, and we publicly disclosed this vulnerability in the Wordfence Intelligence Vulnerability Database on November 24th, 2025. Our records indicate that attackers started exploiting the issue the same day on November 24th, 2025. The Wordfence Firewall has already blocked over 131,000 exploit attempts targeting this vulnerability."
        https://www.wordfence.com/blog/2025/12/attackers-actively-exploiting-critical-vulnerability-in-sneeit-framework-plugin/
        https://thehackernews.com/2025/12/sneeit-wordpress-rce-exploited-in-wild.html
      • CISA Adds Two Known Exploited Vulnerabilities To Catalog
        "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2022-37055 D-Link Routers Buffer Overflow Vulnerability
        CVE-2025-66644 Array Networks ArrayOS AG OS Command Injection Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/12/08/cisa-adds-two-known-exploited-vulnerabilities-catalog
      • Prompt Injection Is Not SQL Injection (it May Be Worse)
        "The term ‘prompt injection’ was coined in 2022 to describe a new class of application vulnerability in genAI applications. Prompt injection is where developers concatenate their own instructions with untrusted content in a single prompt, and then treat the model’s response as if there were a robust boundary between ‘what the app asked for’ and anything in the untrusted content. Whilst initially reported as command execution, the underlying issue has turned out to be more fundamental than classic client/server vulnerabilities. Current large language models (LLMs) simply do not enforce a security boundary between instructions and data inside a prompt."
        https://www.ncsc.gov.uk/blog-post/prompt-injection-is-not-sql-injection
        https://cyberscoop.com/uk-warns-ai-prompt-injection-unfixable-security-flaw/

      Malware

      • The VS Code Malware That Captures Your Screen
        "Over the past year we've detected dozens of malicious VS Code extensions. Most steal credentials or mine crypto. But this malware goes further - it captures your screen and sends it to the attacker. Your code. Your emails. Your Slack DMs. Whatever's on your screen, they're seeing it too. And that's just the start. It also steals your WiFi passwords, reads your clipboard, and hijacks your browser sessions. All delivered through two extensions - a color theme and an AI coding assistant. Both from the same publisher."
        https://www.koi.ai/blog/the-vs-code-malware-that-captures-your-screen
        https://www.bleepingcomputer.com/news/security/malicious-vscode-extensions-on-microsofts-registry-drop-infostealers/
      • Cydome Research Team Identified "Broadside", A New Mirai Botnet Variant, Active In The Wild
        "Cydome’s Cybersecurity Research Team has identified an active campaign of a new variant of the Mirai botnet, designated as “Broadside”. This campaign targets the maritime logistics sector, exploiting a critical-severity vulnerability (CVE-2024-3721) in TBK DVR (Digital Video Recorders) devices in use by shipping companies on vessels (among others). Cydome has been tracking the associated infrastructure over the past months, observing that active IPs rise and fall in alignment with the campaign’s activity."
        https://cydome.io/cydome-identifies-broadside-a-new-mirai-botnet-variant-targeting-maritime-iot/
        https://www.darkreading.com/threat-intelligence/broadside-mirai-variant-maritime-logistics
      • Inside Shanya, a Packer-As-a-Service Fueling Modern Attacks
        "We have covered packer-as-a-service offerings from the computer underworld in the past, previously dissecting impersonation campaigns and the rise of HeartCrypt, both popular among ransomware groups. However, it is a fast-changing landscape, and now we are watching a new incarnation of the same type of service: the Shanya crypter — already favored by ransomware groups and taking over (to some degree) the role that HeartCrypt has played in the ransomware toolkit. We’ll look at its apparent origins, unpack the code, and examine a targeted infection leveraging this tool. Sophos protections against this specific packer are covered at the end of the article."
        https://news.sophos.com/en-us/2025/12/06/inside-shanya-a-packer-as-a-service-fueling-modern-attacks/
        https://www.bleepingcomputer.com/news/security/ransomware-gangs-turn-to-shanya-exe-packer-to-hide-edr-killers/
      • Bellerophon Could Never Have Imagined. The ChimeraWire Trojan Boosts Website Popularity By Skillfully Pretending To Be Human
        "While analyzing one of the affiliate programs, Doctor Web’s experts discovered a unique piece of malware with clicker functionality and dubbed it Trojan.ChimeraWire. This malware targets computers running Microsoft Windows and is based on the open-source projects zlsgo and Rod for automated website and web application management. Trojan.ChimeraWire allows cybercriminals to simulate user actions and boost the behavioral factor of websites by artificially increasing their rankings in search engine results. For this, the malicious app searches target Internet resources in the Google and Bing search engines and then loads them."
        https://news.drweb.com/show/?i=15090&lng=en
        https://hackread.com/chrimerawire-trojan-fakes-chrome-search-activity/
      • JS#SMUGGLER: Multi-Stage - Hidden Iframes, Obfuscated JavaScript, Silent Redirectors & NetSupport RAT Delivery
        "The Securonix Threat Research team has analyzed a sophisticated web-based multi-stage malware campaign. The attack chain unfolds across three distinct stages: (1) an obfuscated JavaScript loader injected into a compromised website, (2) a stealthy HTA (HTML Application) that executes encrypted PowerShell stagers via mshta.exe, and (3) a final PowerShell payload that downloads, extracts, executes, and establishes persistence for a Windows-based remote access Trojan."
        https://www.securonix.com/blog/jssmuggler-multi-stage-hidden-iframes-obfuscated-javascript-silent-redirectors-netsupport-rat-delivery/
        https://thehackernews.com/2025/12/experts-confirm-jssmuggler-uses.html
        https://hackread.com/jssmuggler-netsupport-rat-infected-sites/
      • How Phishers Hide Banking Scams Behind Free Cloudflare Pages
        "During a recent investigation, we uncovered a phishing operation that combines free hosting on developer platforms with compromised legitimate websites to build convincing banking and insurance login portals. These fake pages don’t just grab a username and password – they also ask for answers to secret questions and other “backup” data that attackers can use to bypass multi-factor authentication and account recovery protections."
        https://www.malwarebytes.com/blog/news/2025/12/how-phishers-hide-banking-scams-behind-free-cloudflare-pages
      • AI-Automated Threat Hunting Brings GhostPenguin Out Of The Shadows
        "Hunting high-impact, advanced malware is a difficult task. It becomes even harder and more time-consuming when defenders focus on low-detection or zero-detection samples. Every day, a huge number of files are sent to platforms like VirusTotal, and the relevant ones often get lost in all that noise. Identifying malware with low or no detections is a particularly challenging process, especially when the malware is new, undocumented, and built largely from scratch. When threat actors avoid publicly available libraries, known GitHub code, or code borrowed from other malware families, they create previously unseen samples that can evade detection and make hunting them significantly harder."
        https://www.trendmicro.com/en_us/research/25/l/ghostpenguin.html
      • LockBit 5.0 Infrastructure Exposed In New Server, IP, And Domain Leak
        "LockBit 5.0 key infrastructure exposed, revealing the IP address 205[.]185[.]116[.]233, and the domain karma0[.]xyz is hosting the ransomware group’s latest leak site. According to researcher Rakesh Krishnan, hosted under AS53667 (PONYNET, operated by FranTech Solutions), a network frequently abused for illicit activities, the server displays a DDoS protection page branded with “LOCKBITS.5.0,” confirming its role in the group’s operations."
        https://cybersecuritynews.com/lockbit-5-0-infrastructure-exposed/

      Breaches/Hacks/Leaks

      • Space Bears Ransomware Claims Comcast Data Theft Through Quasar Breach
        "Space Bears ransomware group is claiming that it obtained internal Comcast material by exploiting a breach at Quasar Inc., a telecommunications engineering contractor based in Georgia. The claims were published on the group’s dark web leak site. The same leak site also lists Quasar as an independent victim, which indicates the group is presenting two connected incidents rather than a single combined breach."
        https://hackread.com/space-bears-ransomware-comcast-quasar-breach/
      • Tri-Century Eye Care Data Breach Impacts 200,000 Individuals
        "A recently disclosed Tri-Century Eye Care data breach affects roughly 200,000 individuals, according to the healthcare data breach tracker maintained by the US Department of Health and Human Services (HHS). Tri-Century Eye Care provides comprehensive eye care services at several locations in Bucks County, Pennsylvania. In a data security incident notice posted on its website in late October, Tri-Century Eye Care informed patients and employees that their personal and protected health information may have been compromised as a result of a breach detected on September 3."
        https://www.securityweek.com/tri-century-eye-care-data-breach-impacts-200000-individuals/

      General News

      • FinCEN Says Ransomware Gangs Extorted Over $2.1B From 2022 To 2024
        "A new report by the Financial Crimes Enforcement Network (FinCEN) shows that ransomware activity peaked in 2023 before falling in 2024, following a series of law enforcement actions targeting the ALPHV/BlackCat and LockBit ransomware gangs. From thousands of Bank Secrecy Act filings, the report documents 4,194 ransomware incidents between January 2022 and December 2024. These reports show that organizations paid more than $2.1 billion in ransom payments, nearly reaching the total reported over 8 years from 2013 to 2021."
        https://www.bleepingcomputer.com/news/security/fincen-says-ransomware-gangs-extorted-over-21b-from-2022-to-2024/
        https://www.fincen.gov/system/files/2025-12/FTA-Ransomware.pdf
        https://therecord.media/fincen-treasury-2-billion-ransomware-payments-report
        https://www.darkreading.com/cyberattacks-data-breaches/us-treasury-45b-ransom-payments-2013
        https://cyberscoop.com/ransomware-payments-decline-2024-fincen/
        https://www.securityweek.com/ransomware-payments-surpassed-4-5-billion-us-treasury/
        https://securityaffairs.com/185465/cyber-crime/fincen-data-shows-4-5b-in-ransomware-payments-record-spike-in-2023.html
      • Poland Arrests Ukrainians Utilizing 'advanced' Hacking Equipment
        "The police in Poland arrested three Ukrainian nationals for allegedly attempting to damage IT systems in the country using hacking equipment and for obtaining "computer data of particular importance to national defense." The three men, aged between 39 and 43, could not explain why they were carrying the electronic devices. They now face charges of fraud, computer fraud, and possession of devices and software intended for criminal activity. According to the police, the Ukrainians "were visibly nervous" when officers stopped them and said they were heading to Lithuania while traveling around Europe."
        https://www.bleepingcomputer.com/news/security/poland-arrests-ukrainians-utilizing-advanced-hacking-equipment/
      • Cyber Threats To The U.S.: What Policymakers Need To Know For 2026
        "Cyber attacks against the United States are no longer isolated events or technical headaches. They are now powerful tools of national strategy used by foreign governments, criminal networks, and ideological groups. A new report explains how these attacks have changed from simple hacks into coordinated campaigns aimed at shaping global politics, weakening U.S. institutions, and putting pressure on American decision-makers. This blog highlights the key takeaways for leaders responsible for national security, public policy, and critical infrastructure resilience."
        https://blog.checkpoint.com/executive-insights/cyber-threats-to-the-u-s-what-policymakers-need-to-know-for-2026/
        https://l.cyberint.com/threats-to-the-homeland-report
      • NVIDIA Research Shows How Agentic AI Fails Under Attack
        "Enterprises are rushing to deploy agentic systems that plan, use tools, and make decisions with less human guidance than earlier AI models. This new class of systems also brings new kinds of risk that appear in the interactions between models, tools, data sources, and memory stores. A research team from NVIDIA and Lakera AI has released a safety and security framework that tries to map these risks and measure them inside real workflows. The work includes a new taxonomy, a dynamic evaluation method, and a detailed case study of NVIDIA’s AI-Q Research Assistant. The authors also released a dataset with more than ten thousand traces from attack and defense runs to support outside research."
        https://www.helpnetsecurity.com/2025/12/08/nvidia-agentic-ai-security-framework/
        https://arxiv.org/pdf/2511.21990
      • Invisible IT Is Becoming The Next Workplace Priority
        "IT leaders want their employees to work without running into digital hurdles, but many still struggle with fragmented systems that slow teams down. A new report from Lenovo sheds light on how widespread the problem has become and what organizations can do to reduce workplace friction. Hybrid work pushed companies to adopt new tools, devices and management platforms at speed. According to the research, enterprises now manage an average of 897 applications, but only 28 percent are integrated. The report notes that this patchwork environment strains both workers and support teams, since employees must move across several systems before they can resolve problems or complete simple tasks."
        https://www.helpnetsecurity.com/2025/12/08/invisible-it-workplace-priority/
      • CISOs Are Spending Big And Still Losing Ground
        "Security leaders are entering another budget cycle with more money to work with, but many still feel no safer. A new benchmark study from Wiz shows a widening gap between investment and impact. Budgets keep rising, cloud programs keep expanding, and AI is reshaping both threats and defenses. Still, CISOs say the fundamentals of risk reduction are not improving fast enough."
        https://www.helpnetsecurity.com/2025/12/08/wiz-cybersecurity-spending-priorities-report/
      • CISO Conversations: Keith McCammon, CSO And Co-Founder At Red Canary
        "Keith McCammon was a technologist first and security guru second. He has never received any formal training in cybersecurity; but a love of technology and pleasure in solving puzzles naturally led into the subject, learning on the journey. Kyrus Tech, now owned by Sixgen, was the source of both Carbon Black and Red Canary (now a Zscaler company)."
        https://www.securityweek.com/ciso-conversations-keith-mccammon-cso-and-co-founder-at-red-canary/
      • Three Hacking Groups, Two Vulnerabilities And All Eyes On China
        "On the main stage at the Pwn2Own hacking competition in Berlin this March, researchers demonstrated it was possible to remotely compromise sensitive information via Microsoft’s on-premise SharePoint software — the first glimpse that the world got of two dangerous software vulnerabilities threatening governments and enterprises around the globe."
        https://therecord.media/three-hacking-groups-two-vulnerabilities-china-microsoft
      • Officials Offer $10M Reward For Information On IRGC-Linked Leader And Close Associate
        "The State Department is seeking help to locate a pair of hackers allegedly working for Shahid Shushtari, a malicious cyber unit operating under Iran’s Revolutionary Guard Corps Cyber-Electronic Command. Officials are offering a reward up to $10 million for information about Mohammad Bagher Shirinkar and Fatemeh Sedighian Kashi. “Help us take the smile off their faces,” the State Department’s Rewards for Justice program posted in a bulletin about the reward on social media last week."
        https://cyberscoop.com/shahid-shushtari-iran-cyber-electronic-command-10m-reward/

      Reference
      Electronic Transactions Development Agency (ETDA)
