Holiday Havoc: 'MongoBleed' Exploit Unleashed, Chinese APTs Escalate Attacks, and Critical Infrastructure Hit by Ransomware

Chinese APT 'Evasive Panda' Uses DNS Poisoning and Adversary-in-the-Middle Attacks to Deliver MgBot Backdoor

A sophisticated, long-running cyber-espionage campaign by the China-linked threat actor 'Evasive Panda' (also known as Bronze Highland) has been detailed. Active between November 2022 and November 2024, the group targeted entities in Türkiye, China, and India. Instead of traditional phishing, the attackers used adversary-in-the-middle (AitM) attacks, specifically DNS poisoning, to hijack legitimate software update channels. This allowed them to deliver the modular MgBot backdoor, a potent espionage tool capable of file harvesting, keylogging, and credential theft, by injecting it into the legitimate 'svchost.exe' process.

Evasive PandaMgBotDNS PoisoningAitMCyber Espionage +2 more

5 min read

Evasive Panda APT Hijacks DNS to Deploy MgBot Backdoor in Multi-Country Espionage Campaign

Threat Actor

Malware

Romanian Energy Giant Hit by 'Gentlemen' Ransomware in Holiday Attack

'Gentlemen' Ransomware Group Attacks Romanian Energy Producer Oltenia Energy Complex on Christmas

Romania's largest coal-based energy producer, Oltenia Energy Complex, was struck by the 'Gentlemen' ransomware group in a targeted attack on December 26, 2025. The incident disrupted key business applications, including ERP systems and corporate email, by encrypting files. While power generation and the national energy grid were not affected, the attack highlights the increasing trend of targeting critical infrastructure during holiday periods when staffing is reduced. The company has isolated affected systems and initiated an investigation with Romania's organized crime unit.

Gentlemen RansomwareRansomwareCritical InfrastructureEnergy SectorRomania +1 more

Ransomware

Industrial Control Systems

Critical Flaws Under Fire: 'React2Shell' (CVSS 10.0) and Windows Zero-Day Actively Exploited

CRITICAL

Security Alert: 'React2Shell' (CVE-2025-55182), Windows Zero-Day (CVE-2025-62221), and FortiGate Flaws Under Active Attack

A December 26 security report highlights a convergence of critical vulnerabilities being actively exploited in the wild. Among them is 'React2Shell' (CVE-2025-55182), a CVSS 10.0 remote code execution flaw in React Server Components used to deploy cryptominers. Additionally, a Windows zero-day (CVE-2025-62221) allowing local privilege escalation to SYSTEM is being used in targeted attacks. The report also warns of two high-severity authentication bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719) in FortiGate firewalls, creating a multi-front threat for organizations.

React2ShellCVE-2025-55182CVE-2025-62221WindowsFortiGate +2 more

Critical Flaws Under Fire: 'React2Shell' (CVSS 10.0) and Windows Zero-Day Actively Exploited

Patch Management

Christmas Day Barrage: Mass Exploit Campaign Hits Adobe ColdFusion Servers

Coordinated Christmas Day Attack Campaign Targets Adobe ColdFusion Servers with JNDI/LDAP Injection

A massive, coordinated exploitation campaign targeted Adobe ColdFusion servers, peaking on Christmas Day 2025. Security firm GreyNoise reported that a single threat actor, operating almost exclusively from Japan-based infrastructure, launched nearly 6,000 exploit attempts against more than ten different ColdFusion CVEs. The primary attack vector was JNDI/LDAP injection. This activity is believed to be part of a much larger initial access broker operation, where the same actor has been observed scanning for hundreds of different vulnerabilities across numerous technology stacks to compromise systems and sell access to other cybercriminals.

Adobe ColdFusionJNDILDAP InjectionInitial Access BrokerChristmas Attack +1 more

5 min read

Christmas Day Barrage: Mass Exploit Campaign Hits Adobe ColdFusion Servers

Threat Actor

Critical Flaw in WHILL Wheelchairs Allows Remote Hijacking via Bluetooth

CRITICAL

CISA Warns of Critical Bluetooth Vulnerability (CVE-2025-14346) in WHILL Electric Wheelchairs

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory for a critical vulnerability, CVE-2025-14346, in WHILL electric wheelchairs. The flaw, rated 9.8 on the CVSS scale, stems from a missing authentication mechanism over Bluetooth. It allows an attacker within Bluetooth range (approx. 30 feet) to pair with a device and gain complete control, including issuing movement commands and overriding speed limits. This poses a direct physical safety risk to users. The manufacturer, WHILL Inc., has deployed firmware and application mitigations.

CVE-2025-14346WHILLWheelchairBluetoothIoT +2 more

Critical Flaw in WHILL Wheelchairs Allows Remote Hijacking via Bluetooth

Industrial Control Systems

IoT Security

HoneyMyte APT (Mustang Panda) Deploys New Kernel-Mode Rootkit to Hide Backdoor

HoneyMyte (Mustang Panda) APT Evolves with Kernel-Mode Rootkit to Conceal ToneShell Backdoor

The Chinese cyber-espionage group HoneyMyte (also known as Mustang Panda) has significantly upgraded its toolkit by incorporating a kernel-mode rootkit, according to research from December 26, 2025. The rootkit is used to protect and conceal a new variant of its exclusive ToneShell backdoor. The malicious driver, often signed with a stolen certificate, registers itself as a mini-filter to hide the malware's files, processes, and registry keys from security tools. This advanced technique, observed in attacks against government targets in Myanmar and Thailand, dramatically increases the malware's stealth and persistence.

HoneyMyteMustang PandaAPTRootkitKernel +2 more

5 min read

HoneyMyte APT (Mustang Panda) Deploys New Kernel-Mode Rootkit to Hide Backdoor

Threat Actor

Malware

CISA Warns of Code Execution Flaw in WatchGuard Fireware OS

MEDIUM

CISA Issues Alert for Arbitrary Code Execution Vulnerability in WatchGuard Fireware OS

On December 26, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert for a vulnerability in WatchGuard's Fireware OS. The flaw could potentially allow an attacker to execute arbitrary code on an affected network security appliance. Specific details such as the CVE identifier and affected versions were not included in the initial alert. CISA urges administrators of WatchGuard devices to review vendor advisories for technical details and apply recommended mitigations to protect their network perimeters.

CISAWatchGuardFireware OSVulnerabilityArbitrary Code Execution +1 more

3 min read

CISA Warns of Code Execution Flaw in WatchGuard Fireware OS

Patch Management

Security Operations

2025 in Review: Simple Errors, Not 0-Days, Caused Biggest Breaches

INFORMATIONAL

Year in Review: Cloud Misconfigurations and Supply Chain Failures Drove 2025's Biggest Data Breaches

A year-end analysis of 2025's major data breaches reveals a recurring theme: fundamental security failures, not sophisticated zero-day exploits, were the primary cause. The report, published on December 26, 2025, highlights cloud security misconfigurations and third-party supply chain attacks as the dominant root causes. High-profile incidents at McDonald's (default password '123456'), TalentHook (public Azure Blob storage), Harrods, and TransUnion (both breached via third-party vendors) serve as stark examples of how neglecting basic security hygiene leads to massive data exposure.