More Signal. Less Noise.

Control what runs in your environment. Reduce your attack surface.

ThreatLocker helps organizations reduce risk by allowing trusted applications to run while limiting their access to only the resources they need. It’s a straightforward, default deny approach that gives you more control and visibility—without slowing down operations. Explore how ThreatLocker can help simplify your security strategy.

V14 | Issue 242 | 12.22.25

Daily Briefing for 12.22.25

Summary

By the CyberWire staff

Nigerian police arrest alleged phishing kit developer.

The Nigerian police arrested an alleged developer of the RaccoonO365 phishing kit following tips from Microsoft, the FBI, and the US Secret Service, the Record reports. The police arrested Okitipi Samuel after conducting two raids in the states of Lagos and Edo. A police spokesperson stated, "Investigations reveal that [Samuel] operated a Telegram channel through which phishing links were sold in exchange for cryptocurrency and hosted fraudulent login portals on Cloudflare using stolen or fraudulently obtained email credentials."

Microsoft used a court order in September to seize 338 websites used by RaccoonO365, and identified the alleged leader of the operation along with his associates.

Inside the Q3 2025 Threat Landscape: The Trends Every Defender Must Know

Discover the key insights shaping today’s cybersecurity reality in Rapid7’s Q3 2025 Threat Landscape Report. Explore the surge in AI-driven attacks, faster vulnerability exploitation, and the expanding impact of ransomware groups across critical industries. This data-rich analysis highlights the most urgent risks and the steps defenders can take to stay ahead. Get the intelligence your team needs to prepare for what’s coming next.

MacSync Stealer gets an upgrade.

Jamf has published a report on the MacSync Stealer, noting that the malware is using a new delivery technique. The researchers explain, "Unlike earlier MacSync Stealer variants that primarily rely on drag-to-terminal or ClickFix-style techniques, this sample adopts a more deceptive, hands-off approach. Delivered as a code-signed and notarized Swift application within a disk image...it removes the need for any direct terminal interaction. Instead, the dropper retrieves an encoded script from a remote server and executes it via a Swift-built helper executable."

Humans Are Not the Weakest Link. Guess who FAIls?

Humans have been labeled the weakest link for ages. But this year showed how easily both humans and AI can be manipulated. In this session, Cato CTRL experts reveal real attacks from the wild where adversaries steered people and AI systems into harmful actions using simple prompts and inputs. The session reframes how you should think about AI risk and what to do when machines start making the mistakes, so register to join us.

Cybercriminals are offering thousands for insider access.

Check Point warns that cybercriminals are increasingly recruiting insiders to gain access to corporate environments, with darknet ads offering between $3,000 to $15,000 for access or specific data. Much of this activity targets the finance and crypto sectors, with recent listings seeking insiders at Coinbase, Binance, Kraken, and Gemini, as well as Accenture, Genpact, Spotify, and Netflix. The researchers add, "Insiders at banks are especially valuable. One darknet post offered payment for access to systems belonging to the U.S. Federal Reserve or its partner banks. Another sought full transaction histories from a major European bank. Some schemes propose long-term employment-style arrangements, including weekly payments of $1,000 to insiders at Russian tax offices."

Notes.

Today's issue includes events affecting Nigeria, Russia, and the United States.

Selected Reading

Attacks, Threats, and Vulnerabilities

MacSync Stealer Evolves: From ClickFix to Code-Signed Swift Malware (Jamf Threat Labs) Jamf Threat Labs discovers MacSync Stealer's evolution to code-signed, notarized Swift applications that silently download and execute payloads, bypassing traditional macOS security measures.

Legislation, Policy, and Regulation

Dismantling Defenses: Trump 2.0 Cyber Year in Review (KrebsOnSecurity) The Trump administration has pursued a staggering range of policy pivots this past year that threaten to weaken the nation’s ability and willingness to address a broad spectrum of technology challenges, from cybersecurity and privacy to countering disinformation, fraud and…

Industry Events

For a complete running list of events, please visit the Event Tracker.

Events

SpaceCom | Space Congress: The Global Conference & Expo for the Commercial Space Industry (Orlando, Florida, USA, Jan 28 - 30, 2026) SpaceCom | Space Congress is where the business of space gets done. As the flagship event of Commercial Space Week—co-located with the Space Mobility Conference and the GSA Spaceport Summit—this event unites aerospace, defense, and commercial leaders for three days of deal-making, partnership building, and technology discovery on the expo floor, in the conference program, and through curated networking that drives real results.

Sponsor & Support

Grow your brand, generate leads, and fill your funnel.

With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listeners all over the world, companies trust the CyberWire to get the message out. Learn more.