Daily Digest

Microsoft Patches Actively Exploited Zero-Day as Phishing and Malware Tactics Evolve

Microsoft Patches Actively Exploited Zero-Day as Phishing and Malware Tactics Evolve

December 18, 2025
7 articles (6 new, 1 updated)
21 min read

Summary

This cybersecurity brief for December 18, 2025, covers several critical developments. The most urgent is Microsoft's final Patch Tuesday of the year, which addresses an actively exploited zero-day (CVE-2025-62221) in Windows, prompting a CISA directive. Concurrently, threat actors are escalating phishing campaigns against Microsoft 365 using OAuth device code abuse. Other significant events include the discovery of the 'GhostPoster' malware in Firefox add-ons, the emergence of AI-powered ransomware like 'PromptLock', and an investigation by Google into malicious code found within its search infrastructure.

Filter by Category

New Articles (6)

"GhostPoster" Malware Infects 50,000+ Firefox Users via Malicious Add-ons

MEDIUM

GhostPoster Campaign Compromises Over 50,000 Firefox Users with Malicious Browser Extensions

A stealthy malware campaign named "GhostPoster" has infected over 50,000 Mozilla Firefox users by distributing 17 malicious browser extensions. The add-ons, which masqueraded as legitimate tools like VPNs and ad blockers, have been removed from the Firefox store. The malware employed a clever technique, hiding obfuscated JavaScript within the add-on's logo image file. This code would then contact command-and-control (C2) servers to download a final payload designed for hijacking affiliate links and committing ad fraud. The campaign used evasion techniques like randomized and delayed C2 callbacks to avoid detection.

December 18, 2025
4 min read
Browser ExtensionMalwareFirefoxAd FraudAffiliate Hijacking +1 more
"GhostPoster" Malware Infects 50,000+ Firefox Users via Malicious Add-ons

"Scripted Sparrow" BEC Group Targets Finance Teams with Highly Structured Attacks

HIGH

Fortra Uncovers "Scripted Sparrow," a Persistent BEC Group Targeting Finance Departments in North America and Europe

A disciplined and persistent Business Email Compromise (BEC) group, newly identified by Fortra as "Scripted Sparrow," has been systematically targeting corporate finance teams since at least June 2024. The group employs a structured and well-researched approach, sending highly credible phishing emails with fake invoices that impersonate professional services firms. To add legitimacy, the attackers often include forged prior email correspondence from a company executive authorizing the payment. The group utilizes a large network of US-based mule accounts for cashing out, indicating a well-organized and persistent financial threat.

December 18, 2025
4 min read
BECBusiness Email CompromisePhishingWire FraudSocial Engineering +1 more
"Scripted Sparrow" BEC Group Targets Finance Teams with Highly Structured Attacks

"IRLeaks" Supply Chain Attack Hits Iranian Banks, Exposing Millions of Customer Records

HIGH

"IRLeaks" Data Breach: Third-Party Vendor Compromise Leads to Massive Data Theft from Iranian Banks

A major supply chain attack dubbed "IRLeaks" has resulted in a significant data breach affecting several prominent Iranian banks and millions of their customers. Attackers first compromised a third-party IT vendor in October 2025, using it as a pivot point to infiltrate the banks' networks. Over the following month, they exfiltrated vast amounts of financial data and personally identifiable information (PII), including national IDs and bank account numbers, before the breach was discovered in late November. The incident highlights the critical risks associated with third-party vendor security and inadequate patch management.

December 18, 2025
4 min read
Data BreachSupply Chain AttackThird-Party RiskFinancial ServicesIran +1 more
"IRLeaks" Supply Chain Attack Hits Iranian Banks, Exposing Millions of Customer Records

Ransomware Evolves: "ClickFix" Social Engineering and Threat Actor Alliances on the Rise

HIGH

NCC Group Report: Ransomware Groups Adopt "ClickFix" and Form Alliances as Attack Sophistication Grows

A December 2025 threat report from NCC Group indicates that while ransomware attack volumes plateaued in November with 583 incidents, their sophistication markedly increased. Attackers are increasingly adopting the "ClickFix" (also known as ClearFake) social engineering technique, which tricks users into manually running malicious commands, bypassing many automated defenses. The report also highlights a trend of collaboration, with groups like DragonForce forming alliances with skilled affiliates from other networks. The Qilin ransomware group remained the most prolific actor, with the industrials sector and North America being the most targeted.

December 18, 2025
4 min read
RansomwareQilinClickFixClearFakeSocial Engineering +1 more
Ransomware Evolves: "ClickFix" Social Engineering and Threat Actor Alliances on the Rise

"Operation ForumTroll" APT Targets Russian Academics with Plagiarism Lure

HIGH

Operation ForumTroll APT Resurfaces, Targeting Russian Academics with Phishing Campaign Deploying Tuoni C2

The Advanced Persistent Threat (APT) group known as Operation ForumTroll has launched a new, highly targeted phishing campaign aimed at Russian political scientists and academics. Active since at least 2022, the group's latest attack uses meticulously crafted emails impersonating a major Russian scientific library, eLibrary.ru. The emails lure victims into downloading a supposed plagiarism report, which is a ZIP archive containing a malicious .LNK file. Executing the shortcut file triggers a PowerShell script that downloads and installs the Tuoni command-and-control (C2) framework, giving the attackers remote access for espionage purposes.

December 18, 2025
4 min read
APTForumTrollPhishingEspionageRussia +2 more
"Operation ForumTroll" APT Targets Russian Academics with Plagiarism Lure

Google Investigates Malicious Code Found in Search Result Infrastructure

CRITICAL

Google Probes Potential Security Breach After Malicious Code Discovered in Search Infrastructure

Google has launched an urgent investigation after cybersecurity analysts discovered anomalous, encrypted code snippets and obfuscated JavaScript embedded within its core search result payloads on December 17, 2025. The malicious code appears designed to exploit browser sandboxing vulnerabilities, which could potentially enable remote code execution or data theft on users' systems. While Google has not confirmed any user impact and states it is neutralizing the threat, the incident represents a highly sophisticated attack against critical global internet infrastructure, prompting the involvement of government agencies.

December 18, 2025
4 min read
GoogleSearchInfrastructure AttackBrowser ExploitSupply Chain Attack
Google Investigates Malicious Code Found in Search Result Infrastructure

Updated Articles (1)

2025: The Year Cybersecurity 'Crossed the AI Rubicon'

INFORMATIONAL

Analysis: 2025 Marks a Paradigm Shift as AI Redefines Cyberattacks and Defense

Update:

New intelligence from ESET's H2 2025 threat report confirms the emergence of 'PromptLock,' the first known AI-driven ransomware capable of dynamically generating malicious scripts to evade detection. This represents a tangible realization of the 'adaptive threats' discussed earlier. Additionally, the report details 'HybridPetya,' a modern successor to the destructive Petya/NotPetya wiper, now capable of compromising UEFI-based systems, significantly increasing its destructive potential and making recovery more challenging. The report also highlights the dominance of Akira and Qilin RaaS operations and a massive surge in the CloudEyE (GuLoader) malware downloader, further intensifying the threat landscape.

December 14, 2025
Updated: December 18, 2025
4 min read
AIartificial intelligencegenerative AILLMthreat landscape +2 more
2025: The Year Cybersecurity 'Crossed the AI Rubicon'

📢 Share This Publication

Help others stay informed about cybersecurity threats

📅 Daily Edition

Curated and deduplicated every day from dozens of trusted sources — giving you one clean, consolidated view of what matters in cybersecurity.

🔢 Deduplication Applied

Related stories are merged into a single evolving article rather than repeated as separate entries — cutting through noise so you only read what's new.

🔗 Full Articles Linked

Every entry links to its full enriched article — complete with MITRE ATT&CK mappings, extracted IOCs, and actionable detection and mitigation guidance.