The CyberWire Daily Podcast 12.5.25
Ep 2447 | 12.5.25

China’s quiet crawl into critical networks.

Transcript

Chinese threat actors deploy Brickstorm malware. The critical React2Shell vulnerability is under active exploitation. Cloudflare’s emergency patch triggered a brief global outage. Phishing kits pivot to fake e-commerce sites. The European Commission fines X (Twitter) €120 million for violating the Digital Services Act. Predator spyware has a new bag of tricks. A Russian physicist gets 21 years in prison for cybercrimes. Twin brothers are arrested for allegedly stealing and destroying government data. Our guest is Blair Canavan, Director of Alliances - PKI & PQC Portfolio from Thales, discussing post-quantum cryptography. Smart toilet encryption claims don’t hold water.

Today is Friday, December 5th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Chinese threat actors deploy Brickstorm malware. 

Chinese state-sponsored threat actors are deploying Brickstorm malware to maintain persistent access, steal files, and eavesdrop on government and IT networks worldwide, according to a joint report from CISA, the NSA, and the Canadian Centre for Cyber Security. The agencies analyzed eight samples taken from victim environments. The report says the People’s Republic of China is targeting government and information technology organizations, though it does not identify specific victims. CrowdStrike separately observed activity against a government entity in the Asia-Pacific region.

One investigated intrusion showed PRC actors gaining long-term access to an organization’s VMware and Windows systems, compromising domain controllers and an Active Directory Federation Services server to export cryptographic keys. Officials warn the operation reflects China’s intent to embed deeply for espionage, disruption, or future sabotage, though China denies the allegations.

The critical React2Shell vulnerability is under active exploitation. 

Multiple China-linked threat actors began exploiting the critical React2Shell vulnerability (CVE-2025-55182) within hours of its public disclosure. The flaw is an insecure deserialization issue in the React Server Components Flight protocol that enables unauthenticated remote code execution in React and Next.js applications. Although initially assigned a separate identifier, the Next.js tracking number was rejected as a duplicate. The bug affects several recent React versions, placing thousands of projects at risk; Wiz estimates 39 percent of observed cloud environments are vulnerable. AWS reports that China-nexus groups Earth Lamia and Jackpot Panda immediately incorporated the flaw into active campaigns, alongside additional activity from unattributed China-based infrastructure. Attackers are manually testing payloads, running reconnaissance commands, and adjusting exploits in real time. Valid proof-of-concept exploits have been published, increasing risk despite available patches. Researchers have released scanners to help organizations determine exposure.

Cloudflare’s emergency patch triggered a brief global outage. 

As a follow-on to the React2Shell disclosures, Cloudflare confirmed that a brief global outage today was the unintended result of its emergency mitigation efforts. The company deployed a rapid patch to its Web Application Firewall to blunt exploitation of CVE-2025-55182, the critical remote code execution flaw in React Server Components. That change, meant to block malicious HTTP requests targeting vulnerable React versions, inadvertently caused sections of Cloudflare’s network to return 500 Internal Server Errors for several minutes.

Cloudflare emphasized that the disruption was not an attack, but a side effect of its accelerated response.

Phishing kits pivot to fake e-commerce sites. 

China-based phishing groups behind persistent scam SMS campaigns are now selling phishing kits that mass-produce convincing fake e-commerce sites designed to steal payment card data and enroll victims’ cards into Apple or Google mobile wallets. Krebs on Security says these groups are also pushing new lures, including fake tax refunds and mobile rewards points. Thousands of recently registered domains spoof T-Mobile and AT&T, directing mobile users to sites that harvest personal and card data, then request bank one-time codes to finalize fraudulent wallet enrollment. Experts warn that fake storefronts are harder to detect because they blend into normal shopping behavior and often go unnoticed until purchases fail to arrive. Security researchers urge quick reporting of smishing messages to help identify and block these domains.

Speaking of phishing kits, Barracuda says a previously unidentified phishing kit, now called GhostFrame, has fueled more than one million attacks since September 2025. The kit hides all malicious activity inside an iframe embedded in an otherwise harmless HTML page, letting attackers swap phishing content, rotate targets and evade scanners that only inspect the outer layer. GhostFrame uses dynamic subdomains, anti-analysis controls and image-based login screens to obscure credential harvesting. A two-stage design funnels victims from benign-looking pages to concealed forms buried in large file streams. The phishing emails use common business themes to lure clicks, and multiple kit variants are circulating. Barracuda says the framework’s stealth and adaptability make it difficult to detect, underscoring the need for layered defenses and careful user training.
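The pattern Barracuda describes (a near-empty, benign-looking HTML wrapper whose real content is an iframe pulled from another, often rotating, host) is something a mail gateway or URL sandbox can triage heuristically. The script below is an added illustration and is not code from Barracuda, from the GhostFrame kit, or from the CyberWire: it parses a fetched page, counts the text a visitor would actually see, and scores each iframe on whether it is cross-origin, full-screen, and served from a deep or machine-generated-looking hostname. The sample pages, the `.example` hostnames, and the thresholds are constructed assumptions for the demo.

```python
"""Heuristic triage for iframe-wrapper phishing pages.

Added example, not code from Barracuda, GhostFrame or the podcast. It
checks one fetched page for the shape described above: a near-empty,
benign-looking HTML wrapper whose real content is an <iframe> loaded
from another, often machine-generated, host. Sample pages and hostnames
are constructed; thresholds are assumptions chosen for the demo.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

MIN_VISIBLE_CHARS = 200  # assumption: less text than this and the outer page is a shell
MAX_NORMAL_LABELS = 3    # assumption: deeper than a.b.tld counts as a dynamic subdomain


class _FrameCollector(HTMLParser):
    """Collects <iframe> tags and counts text a visitor would actually see."""

    def __init__(self):
        super().__init__()
        self.iframes = []        # one dict per <iframe>
        self.visible_chars = 0   # text outside <script>/<style>/<noscript>
        self._skip = 0           # nesting depth inside those skipped tags

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            self.iframes.append({"src": a.get("src") or "",
                                 "fullscreen": _is_fullscreen(a)})
        elif tag in ("script", "style", "noscript"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style", "noscript") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.visible_chars += len(data.strip())


def _is_fullscreen(attrs):
    """True when the frame claims the whole viewport via attributes or inline style."""
    blob = " ".join(str(attrs.get(k) or "") for k in ("width", "height", "style"))
    blob = blob.replace(" ", "").lower()
    return "100%" in blob or "100vw" in blob or "100vh" in blob


def _looks_dynamic(host):
    """Deep or machine-generated-looking hostnames (rotating subdomains)."""
    labels = host.split(".")
    if len(labels) > MAX_NORMAL_LABELS:
        return True
    first = labels[0]  # a long leftmost label mixing letters and digits reads like an ID
    return (len(first) >= 12 and any(c.isdigit() for c in first)
            and any(c.isalpha() for c in first))


def analyze(page_url, html):
    """Score every iframe on the page; flag cross-origin frames carrying the wrapper shape."""
    c = _FrameCollector()
    c.feed(html)
    page_host = (urlparse(page_url).hostname or "").lower()
    shell = c.visible_chars < MIN_VISIBLE_CHARS
    frames = []
    for f in c.iframes:
        # a relative src has no hostname and stays same-origin
        host = (urlparse(f["src"]).hostname or page_host).lower()
        fr = {"src": f["src"],
              "cross_origin": host != page_host,
              "dynamic_host": _looks_dynamic(host),
              "fullscreen": f["fullscreen"]}
        fr["score"] = sum([fr["cross_origin"], shell, fr["fullscreen"], fr["dynamic_host"]])
        frames.append(fr)
    return {"visible_chars": c.visible_chars, "shell_page": shell, "iframes": frames,
            "suspicious": any(fr["cross_origin"] and fr["score"] >= 3 for fr in frames)}


# Constructed samples. ".example" is a reserved TLD; no real site is referenced.
SHELL_PAGE = """<!doctype html><html><head><title>Invoice Portal</title>
<style>body{margin:0}iframe{border:0;width:100vw;height:100vh}</style></head>
<body><iframe src="https://k7x2q9d4p1m8.files-secure-view.example/stage2"
 width="100%" height="100%"></iframe>
<noscript>Please enable JavaScript to view this document.</noscript></body></html>"""

BENIGN_PAGE = """<!doctype html><html><head><title>Team blog</title></head><body>
<h1>Notes from the quarterly review</h1>
<p>We walked through the roadmap for the next two quarters, discussed the hiring plan
for the platform team, and agreed on the migration schedule for the reporting stack.
The recording of the session is embedded below for anyone who could not attend live.</p>
<iframe src="https://www.videohost.example/embed/q3-review" width="560" height="315"></iframe>
<p>Questions go to the usual channel.</p></body></html>"""

if __name__ == "__main__":
    for url, page in (("https://invoice-portal.example/view", SHELL_PAGE),
                      ("https://blog.example/q3-review", BENIGN_PAGE)):
        print(url, analyze(url, page))
```

The score is a triage signal, not a verdict: a legitimate page that embeds a video from a third-party host earns one point and is left alone, while the wrapper page earns all four. Because the outer HTML is harmless by design, the check that matters operationally is the follow-up fetch of the iframe source itself, which is where the credential form, the rotating subdomain and the anti-analysis logic live.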

The European Commission fines X (Twitter) €120 million for violating the Digital Services Act.

The European Commission fined X €120 million for violating the Digital Services Act, marking the law’s first enforcement action. Regulators say X misled users with its paid verification system and failed to provide required transparency for political ads and researcher access to public data. The commission argues X’s ad repository lacks essential information and imposes barriers that hinder scrutiny of influence operations. The penalty has sparked geopolitical tension, with U.S. officials criticizing the EU’s approach and X rejecting the findings as censorship.

Predator spyware has a new bag of tricks. 

A joint investigation by Inside Story, Haaretz, and WAV Research Collective reveals that Intellexa’s Predator spyware uses a powerful zero-click infection method called Aladdin, which compromises targets through malicious advertisements. Based on leaked Intellexa documents and research from Amnesty International, Google, and Recorded Future, investigators say Aladdin abuses commercial ad networks to deliver weaponized ads to specific users identified by IP address and other markers. Viewing the ad alone triggers redirection to exploit servers. The leaks also detail other vectors, including Triton baseband exploits for Samsung Exynos devices, and highlight Intellexa’s extensive zero-day use. Despite sanctions, Predator development continues, prompting experts to recommend stronger mobile defenses.

A Russian physicist gets 21 years in prison for cybercrimes. 

A Moscow court has sentenced physicist Artyom Khoroshilov to 21 years in prison on charges of treason, infrastructure attacks, and plotting sabotage, according to state media. Prosecutors accused him of donating over $9,000 to a Ukrainian charity they say supports the military, possessing materials for an explosive device, photographing rail lines near a military unit, and conducting a DDoS attack on Russian postal systems. Khoroshilov admitted the donations but said they were meant for civilians, denied any sabotage intent, and claimed limited technical skills. Colleagues echoed that he lacked the ability to carry out cyberattacks. His case reflects a series of harsh prosecutions in Russia targeting alleged cyber activity linked to Ukraine since the war began.

Twin brothers are arrested for allegedly stealing and destroying government data. 

Twin brothers Muneeb and Sohaib Akhter were arrested in Virginia for allegedly stealing and destroying government data within minutes of being fired from a federal contractor in February, according to the Justice Department. Prosecutors say the brothers compromised information from multiple agencies, including DHS, the IRS, and the EEOC, during a weeklong spree. Muneeb is accused of deleting 96 databases, stealing sensitive files, and using an AI tool to seek guidance on covering his tracks. Sohaib allegedly trafficked a password granting access to an EEOC system. Both previously served prison sentences for hacking while working as government contractors in 2015. Investigators say the pair abused privileged access and technical expertise, posing a significant threat to government systems.

Smart toilet encryption claims don’t hold water. 

Dekoda is Kohler’s smart toilet-mounted camera that snaps photos of the bowl after use, offering gut-health insights in exchange for a few tasteful porcelain portraits. To calm privacy nerves, the company assured customers their data enjoys “end-to-end encryption,” a phrase that raised eyebrows among people who know what that actually means. Researcher Simon Fondrie-Teitler pointed out that Kohler is really talking about standard TLS encryption, not the user-to-user lockdown found in Signal or WhatsApp. Kohler later clarified that yes, it can decrypt and view your bowl data because that’s how the service works, though it stresses information is encrypted at rest and only de-identified images train its algorithms, and only with user consent. Still, at $599 plus a monthly subscription, the Dekoda may be the rare gadget that asks you to pay handsomely for the privilege of being misunderstood by a toilet.
End to end indeed…

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.

N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.