New Tooling
- Superagent: Open-Source Framework For Guardrails Around Agentic AI
"Superagent is an open-source framework for building, running, and controlling AI agents with safety built into the workflow. The project focuses on giving developers and security teams tools to manage what agents can do, what they can access, and how they behave during execution. Superagent targets environments where autonomous or semi autonomous agents interact with APIs, data sources, and external services."
https://www.helpnetsecurity.com/2025/12/29/superagent-framework-guardrails-agentic-ai/
https://github.com/superagent-ai/superagent
Malware
- Shai Hulud Strikes Again - The Golden Path
"As of 30 minutes ago, we detected what we believe to be the first instance of a new strain of Shai Hulud, which was uploaded to npm in the package @vietmoney/react-big-calendar : https://www.npmjs.com/package/@vietmoney/react-big-calendar It contains a new and novel strain of Shai Hulud. At this time, there does NOT seem to be any major spread or infections. This suggests we may have caught the attackers testing their payload. The differences in the code suggests that this was obfuscated again from original source, not modified in place. This makes it highly unlikely to be a copy-cat, but was made by somebody who had access to the original source code for the worm."
https://www.aikido.dev/blog/shai-hulud-strikes-again---the-golden-path
https://www.bankinfosecurity.com/researchers-spot-new-shai-hulud-variant-a-30409 - The HoneyMyte APT Evolves With a Kernel-Mode Rootkit And a ToneShell Backdoor
"In mid-2025, we identified a malicious driver file on computer systems in Asia. The driver file is signed with an old, stolen, or leaked digital certificate and registers as a mini-filter driver on infected machines. Its end-goal is to inject a backdoor Trojan into the system processes and provide protection for malicious files, user-mode processes, and registry keys. Our analysis indicates that the final payload injected by the driver is a new sample of the ToneShell backdoor, which connects to the attacker’s servers and provides a reverse shell, along with other capabilities. The ToneShell backdoor is a tool known to be used exclusively by the HoneyMyte (aka Mustang Panda or Bronze President) APT actor and is often used in cyberespionage campaigns targeting government organizations, particularly in Southeast and East Asia."
https://securelist.com/honeymyte-kernel-mode-rootkit/118590/
https://www.bleepingcomputer.com/news/security/chinese-state-hackers-use-rootkit-to-hide-toneshell-malware-activity/ - EmEditor Supply Chain Incident Details Disclosed: Distribution Of Information-Stealing Malware Sweeps Through Domestic Government And Enterprise Entities
"On December 23, 2025, the renowned document editor EmEditor officially released an announcement stating that between December 19th and 22nd, its official website installation packages were subjected to a supply chain attack. The MSI installation packages were replaced with malicious ones signed with a non-official signature "WALSHAM INVESTMENTS LIMITED":"
https://ti.qianxin.com/blog/articles/emeditor-supply-chain-incident-details-disclosed-en/
https://www.emeditor.com/general/important-security-incident-notice-regarding-the-emeditor-installer-download-link/
https://www.securityweek.com/infostealer-malware-delivered-in-emeditor-supply-chain-attack/
Breaches/Hacks/Leaks
- Trust Wallet Says 2,596 Wallets Drained In $7 Million Crypto Theft Attack
"Trust Wallet says attackers who compromised its browser extension right before Christmas have drained approximately $7 million from nearly 3,000 cryptocurrency wallet addresses. The cryptocurrency wallet (used by over 200 million people according to its official website) allows users to store, send, receive, and manage Bitcoin, Ethereum, Solana, and thousands of other cryptocurrencies and digital tokens using a browser extension and free iOS and Android mobile apps. Trust Wallet launched in 2017 and was acquired by Binance, one of the world's largest cryptocurrency exchanges, the following year. Despite this, it still operates as a separate, decentralized wallet application."
https://www.bleepingcomputer.com/news/security/trust-wallet-says-7-million-crypto-theft-attack-drained-2-596-wallets/ - Romanian Energy Provider Hit By Gentlemen Ransomware Attack
"A ransomware attack hit Oltenia Energy Complex (Complexul Energetic Oltenia), Romania's largest coal-based energy producer, on the second day of Christmas, taking down its IT infrastructure. The 40-year-old Romanian energy provider employs over 19,000 people, operates four power plants with an installed production capacity of 3900 MWh, and provides about 30% of Romania's electricity. "As a result of the attack, some documents and files were encrypted, and several computer applications became temporarily unavailable, including ERP systems, document management applications, the company's email service, and website," it said over the weekend."
https://www.bleepingcomputer.com/news/security/romanian-energy-provider-hit-by-gentlemen-ransomware-attack/
https://securityaffairs.com/186290/cyber-crime/romanias-oltenia-energy-complex-suffers-major-ransomware-attack.html - Korean Air Data Breach Exposes Data Of Thousands Of Employees
"Korean Air experienced a data breach affecting thousands of employees after Korean Air Catering & Duty-Free (KC&D), its in-flight catering supplier and former subsidiary, was recently hacked. Korea's flag carrier has over 20,000 employees, a fleet of over 160 aircraft, and has reported over $11 billion in revenue after carrying more than 23 million passengers in 2024. The airline issued an internal notice on Monday, disclosing a data breach after KC&D (which spun off as a separate in-flight meals and retail company in 2020) notified it that it had been recently hacked."
https://www.bleepingcomputer.com/news/security/korean-air-data-breach-exposes-data-of-thousands-of-employees/
https://securityaffairs.com/186275/data-breach/korean-air-discloses-data-breach-after-the-hack-of-its-catering-and-duty-free-supplier.html - Two More Banks Notifying Thousands Of Victims About Marquis Software Ransomware Attack
"Two U.S. banks have come forward to warn customers they were impacted by an August ransomware attack on a popular financial software company. Artisans' Bank and VeraBank informed regulators in Maine last week that recent data breaches were sourced back to a cyberattack on Marquis Software. The software company previously said it suffered a ransomware attack around August 14 that affected dozens of its corporate customers and thousands of downstream users. VeraBank explained in letters to victims that Marquis Software is their “customer communication and data analysis vendor.”"
https://therecord.media/banks-marquis-software-ransomware
General News
- Automation Forces a Reset In Security Strategy
"Enterprise security teams are working under the assumption that disruption is constant. A global study by Trellix shows that resilience has moved from a long term goal to a structural requirement for CISOs. Infrastructure design, operational integration, and the use of AI shape how organizations prepare for ongoing pressure from threats and regulation."
https://www.helpnetsecurity.com/2025/12/29/trellix-hybrid-security-infrastructure-report/ - Hacker Arrested For KMSAuto Malware Campaign With 2.8 Million Downloads
"A Lithuanian national has been arrested for his alleged involvement in infecting 2.8 million systems with clipboard-stealing malware disguised as the KMSAuto tool for illegally activating Windows and Office software. The 29-year-old man was extradited from Georgia to South Korea following a related request under Interpol’s coordination. According to the Korean National Police Agency, the suspect used KMSAuto to lure victims into downloading a malicious executable that scanned the clipboard for cryptocurrency addresses and replaced them with ones controlled by the attacker - known as 'clipper malware'."
https://www.bleepingcomputer.com/news/security/hacker-arrested-for-kmsauto-malware-campaign-with-28-million-downloads/ - Former Coinbase Support Agent Arrested For Helping Hackers
"A former Coinbase customer service agent was arrested in India for helping hackers earlier this year steal sensitive customer information from a company database. The arrest occurred in Hyderabad, the capital of India's Telangana state and a major technology center in the country, and it is expected that more individuals will be detained, according to Coinbase CEO Brian Armstrong."
https://www.bleepingcomputer.com/news/security/former-coinbase-support-agent-arrested-for-helping-hackers/
https://www.theregister.com/2025/12/29/indian_cops_cuff_coinbase_exrep/ - Cybersecurity Trends: What's In Store For Defenders In 2026?
"As the year comes to a close, what's notable over the past 12 months is how much hasn't fundamentally changed on the cyberattack front. Nation-state and cybercrime hackers are exploiting edge devices at scale. Chinese nation-state and affiliated private hackers enjoy deep access to Western critical infrastructure through networks often poorly protected due to outdated or poorly configured equipment and inadequate visibility."
https://www.bankinfosecurity.com/blogs/cybersecurity-trends-whats-in-store-for-defenders-in-2026-p-4009 - Dark Reading Confidential: Stop Secrets Creep Across Developer Platforms
"And welcome to Dark Reading Confidential. It's a podcast from the editors of Dark Reading, bringing you real world stories straight from the cyber trenches. I'm Becky Bracken, your host. And today I am lucky to be joined by my colleague, Rob Wright, who has been Dark Reading's lead reporter on the topic we are taking on today, secrets creep. More particularly, sensitive enterprise information, which is being fed into software development platforms. Rob, is that a fair assessment?"
https://www.darkreading.com/cybersecurity-operations/stop-secrets-creep-across-developer-platforms - SBOMs In 2026: Some Love, Some Hate, Much Ambivalence
"A software bill of materials (SBOMs) has been touted as a critical tool in solving software supply-chain security issues, but the rapid change of software ecosystems and the complexity of creating an end-to-end verified chain of code continue to foil widespread adoption. Docker, for example, has fully embraced the software ingredient lists in their Docker Hardened Images, the company's minimal, security-focused recipes for building secure software containers. The images are built from the ground up to minimize unnecessary software components — also known as artifacts — and sport complete SBOMs and proof of provenance using Level 3 of the Supply-chain Levels for Software Artifacts (SLSA), a way to digitally ensure build integrity and provide verification of software sources."
https://www.darkreading.com/application-security/sboms-in-2026-some-love-some-hate-much-ambivalence - 5 Threats That Defined Security In 2025
"2025 marked yet another busy year in security, between big attacks, government shakeups, and dangerous flaws that echo of the past. The moments that defined this year were impactful but felt evenly spread across the year. Early in 2025, we saw China-nexus advanced persistent threat (APT) Salt Typhoon continue its assault against telecom companies as part of its espionage operations. In the summer and into the fall, we saw the Cybersecurity and Infrastructure Security Agency (CISA) face budgetary cuts and layoffs, fallout from President Trump's commitment to slim the US government at any cost. And just this past month, React2Shell was disclosed to the public — a vulnerability in React with a CVSS score of 10 that echoed of the now-infamous Log4Shell."
https://www.darkreading.com/vulnerabilities-threats/five-threats-that-defined-security-2025 - LLMs Are Automating The Human Part Of Romance Scams
"Romance scams succeed because they feel human. New research shows that feeling no longer requires a person on the other side of the chat. Romance baiting scams build emotional bonds over weeks before steering victims toward fake cryptocurrency investments. A recent study shows that most of this work consists of repeatable text exchanges that are already being augmented with language models."
https://www.helpnetsecurity.com/2025/12/29/llms-romance-baiting-scams-study/
https://arxiv.org/pdf/2512.16280 - Malware In 2025 Spread Far Beyond Windows PCs
"This blog is part of a series highlighting new and concerning trends we noticed over the last year. Trends matter because they almost always provide a good indication of what’s coming next. If there’s one thing that became very clear in 2025, it’s that malware is no longer focused on Windows alone. We’ve seen some major developments, especially in campaigns targeting Android and macOS. Unfortunately, many people still don’t realize that protecting smartphones, tablets, and other connected devices is just as essential as securing their laptops."
https://www.malwarebytes.com/blog/news/2025/12/malware-in-2025-spread-beyond-windows-pcs - Survey: Security Spending To Increase Sharply In 2026
"The good news for cybersecurity teams heading into 2026 is that despite a lot of economic uncertainty, cybersecurity budgets are expected to rise. A survey of 310 C-suite security leaders at U.S. organizations with at least $1 billion in revenue finds nearly all (99%) lead organizations that plan to increase cybersecurity budgets in the next few years, with well over half (54%) planning for significant increases of 6% to 10% as they brace for future threats."
https://blog.barracuda.com/2025/12/29/survey--security-spending-to-increase-sharply-in-2026 - Traditional Security Frameworks Leave Organizations Exposed To AI-Specific Attack Vectors
"In December 2024, the popular Ultralytics AI library was compromised, installing malicious code that hijacked system resources for cryptocurrency mining. In August 2025, malicious Nx packages leaked 2,349 GitHub, cloud, and AI credentials. Throughout 2024, ChatGPT vulnerabilities allowed unauthorized extraction of user data from AI memory. The result: 23.77 million secrets were leaked through AI systems in 2024 alone, a 25% increase from the previous year."
https://thehackernews.com/2025/12/traditional-security-frameworks-leave.html
อ้างอิง
Electronic Transactions Development Agency (ETDA) 
️ หากช่องโหว่นี้ถูกโจมตีสำเร็จ อาจส่งผลดังนี้:
แนวทางแก้ไข (Mitigation – Recommended) SmarterTools แนะนำให้ผู้ดูแลระบบดำเนินการดังนี้:
แหล่งอ้างอิง (References)
