This Week in Cybersecurity: Microsoft Patch Tuesday, Pro-Russia Hacktivists Target Critical Infrastructure, and Nation-State Actors Weaponize React2Shell
December 8-10, 2025 | Weekly Threat Intelligence Briefing
This week brings a convergence of threats: Microsoft's December Patch Tuesday addresses an actively exploited zero-day, a 26-agency joint advisory warns of pro-Russia hacktivists targeting US critical infrastructure, North Korean actors deploy novel malware through the React2Shell vulnerability, and a ransomware attack on a financial software vendor exposes the data of hundreds of thousands of banking customers. Here's what IT leaders and CISOs need to know.
Microsoft December 2025 Patch Tuesday: Actively Exploited Zero-Day
Microsoft closed out 2025 on December 9 with patches for 57 vulnerabilities, including one actively exploited zero-day and two publicly disclosed flaws. This brings Microsoft's total CVE count for 2025 to over 1,275—the second consecutive year exceeding 1,000 patches.
The Actively Exploited Zero-Day
CVE-2025-62221 is a use-after-free vulnerability in the Windows Cloud Files Mini Filter Driver, rated 7.8 on the CVSS scale. Successful exploitation allows attackers to escalate privileges to the SYSTEM level on affected Windows systems. Microsoft's own Threat Intelligence Center (MSTIC) discovered this flaw under active exploitation, though specific attack details remain undisclosed.
CISA immediately added CVE-2025-62221 to its Known Exploited Vulnerabilities (KEV) catalog, giving federal agencies a patch deadline of December 30, 2025. Because the flaw only elevates privileges, it is most dangerous when chained with an initial access vector such as phishing: a foothold as a standard user becomes SYSTEM on that host, which is the usual precondition for credential theft and lateral movement toward domain compromise.
Publicly Disclosed Zero-Days
• CVE-2025-64671 (CVSS 8.4): Remote code execution in GitHub Copilot for JetBrains. Prompt injection payloads planted in untrusted files opened in the IDE, or served by a malicious MCP server, can lead the assistant to execute arbitrary commands. This vulnerability belongs to the broader "IDEsaster" class affecting AI-powered development tools.
• CVE-2025-54100 (CVSS 7.8): Command injection in Windows PowerShell. Script content embedded in a web page can execute when the page is retrieved with Invoke-WebRequest, so fetching attacker-controlled content is enough to trigger it. Because Invoke-WebRequest is ubiquitous in administrative and deployment scripts, the exposure is broad.
Critical Office Vulnerabilities
Two critical Microsoft Office vulnerabilities (CVE-2025-62554 and CVE-2025-62557, both CVSS 8.4) can be triggered when a malicious email is rendered in Outlook's Preview Pane; the victim does not need to open the message or an attachment.
Immediate Actions
- Prioritize patching CVE-2025-62221 immediately; it is under active exploitation.
- Update Microsoft Office to close the Preview Pane attack vector.
- Audit AI coding assistant usage and review GitHub Copilot configurations.
- Review PowerShell scripts that call Invoke-WebRequest against untrusted URLs and prefer -UseBasicParsing, which skips the HTML parsing path, until the patch is deployed.
CISA Advisory: Pro-Russia Hacktivists Targeting US Critical Infrastructure
On December 9, 2025, a coalition of 26 agencies—including CISA, FBI, NSA, DOE, and EPA alongside international partners—issued a joint advisory warning that pro-Russia hacktivist groups are actively targeting US critical infrastructure with increasing coordination and intent to cause physical damage.
Threat Actors Identified
• Cyber Army of Russia Reborn (CARR): Likely established with Russian military support; has caused physical damage to victims' infrastructure
• Z-Pentest: Specializes in OT intrusion operations globally; avoids DDoS in favor of more impactful SCADA attacks
• NoName057(16): Covert operation for the Kremlin-established Center for the Study and Network Monitoring; uses proprietary DDoSia tool
• Sector16: Formed January 2025 in collaboration with Z-Pentest; claims to have compromised U.S. energy infrastructure
Attack Methodology
These groups exploit minimally secured, internet-facing Virtual Network Computing (VNC) connections to access operational technology (OT) control devices. Primary targets include Water and Wastewater Systems, Food and Agriculture, and Energy sectors. While their technical sophistication is limited, the advisory warns: "These groups have willfully caused actual harm to vulnerable critical infrastructure," including physical damage to industrial systems.
Typical Attack Sequence
Attackers scan for devices with VNC exposed to the internet, log in with discovered credentials, capture screenshots of the HMI, change operational parameters and device settings (including account credentials), disable alarms to create a "loss of view" condition that forces manual intervention, and may shut down or restart devices before disconnecting.
Immediate Actions
- Reduce OT asset exposure to the public-facing internet immediately.
- Audit and secure all VNC connections; implement strong authentication.
- Map data flows and access points through mature asset management processes.
- Separate and audit view/control functions in control systems.
- Ensure comprehensive business recovery and disaster recovery plans are in place.
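The advisory's entry point is VNC that accepts anyone who connects. The following added example (not part of the CISA advisory or any vendor tooling) classifies captured VNC server greetings by the weakest security type the server offers, so an OT team can triage exposed listeners offline. The handshake bytes in CAPTURES and the asset names are constructed; the parsing follows the RFB protocol (RFC 6143): a 12-byte version banner, then for RFB 3.3 a single u32 security type chosen by the server, and for 3.7+ a u8 count followed by that many u8 security types, where type 1 means no authentication at all.

```python
"""Classify VNC exposure from captured RFB server greetings (offline audit).

Added example, not part of the CISA advisory. The handshake bytes in CAPTURES
are constructed; the security-type parsing follows the RFB protocol (RFC 6143):
a 12-byte "RFB xxx.yyy" banner plus newline, then for 3.3 a u32 security type
chosen by the server, and for 3.7+ a u8 count followed by that many u8 types.
"""
import struct

# Security-type codes: 1 = None, 2 = VNC Authentication (DES challenge on an
# 8-character password), 18/19 = TLS/VeNCrypt wrappers. Others reported as "other".
NONE_AUTH, VNC_AUTH, TLS_TYPES = 1, 2, {18, 19}


def parse_server_greeting(data: bytes) -> dict:
    """Parse the server side of an RFB handshake up to the security types."""
    if len(data) < 12 or not data.startswith(b"RFB "):
        raise ValueError("not an RFB greeting")
    version = data[:12].decode("ascii", "replace").strip()
    major, minor = int(version[4:7]), int(version[8:11])
    body = data[12:]
    if (major, minor) < (3, 7):
        if len(body) < 4:
            raise ValueError("truncated RFB 3.3 security type")
        types = [struct.unpack(">I", body[:4])[0]]  # server dictates one type
    else:
        count = body[0] if body else 0
        if count == 0:
            # zero types = connection refused; a u32 length and reason string follow
            reason_len = struct.unpack(">I", body[1:5])[0] if len(body) >= 5 else 0
            reason = body[5:5 + reason_len].decode("utf-8", "replace")
            return {"version": version, "types": [], "failure_reason": reason}
        types = list(body[1:1 + count])
    return {"version": version, "types": types, "failure_reason": None}


def classify_exposure(greeting: dict) -> str:
    """Rate the endpoint by the weakest security type the server will accept."""
    types = greeting["types"]
    if not types:
        return "refused"          # listener is still reachable; track it anyway
    if NONE_AUTH in types:
        return "no-auth"          # anyone who can reach the port gets the HMI
    if VNC_AUTH in types:
        return "vnc-auth"         # 8-char max password, no lockout, no encryption
    if TLS_TYPES & set(types):
        return "encrypted"        # still verify the sub-type negotiated inside
    return "other"


# Constructed captures (asset name, raw server greeting); not real hosts.
CAPTURES = [
    ("pump-station-hmi", b"RFB 003.008\n" + bytes([1, 1])),
    ("chlorinator-panel", b"RFB 003.008\n" + bytes([2, 2, 19])),
    ("legacy-scada", b"RFB 003.003\n" + b"\x00\x00\x00\x02"),
    ("maintenance-vnc", b"RFB 003.008\n" + bytes([0]) + b"\x00\x00\x00\x04busy"),
]


def audit(captures=CAPTURES) -> dict:
    """Return {asset: exposure class}; 'no-auth' entries need action today."""
    return {asset: classify_exposure(parse_server_greeting(raw)) for asset, raw in captures}


if __name__ == "__main__":
    for asset, verdict in audit().items():
        print(f"{asset:20s} {verdict}")
```

Feed it the first bytes a scanner or packet capture records from each listener. A server that offers type 2 alongside a TLS type is still rated "vnc-auth", because the attacker chooses the weakest type the server accepts.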
North Korean Actors Deploy Novel EtherRAT Malware via React2Shell
Security researchers at Sysdig have discovered a sophisticated new implant, EtherRAT, being deployed by suspected North Korean threat actors to exploit the critical React2Shell vulnerability (CVE-2025-55182). The malware was recovered from a compromised Next.js application on December 5—just two days after the vulnerability's public disclosure.
EtherRAT's Novel Capabilities
• Blockchain-based C2: Resolves its command-and-control location from an Ethereum smart contract, querying nine public RPC endpoints at once and accepting the majority response. Because the resolver data lives on a public blockchain rather than on attacker-owned servers, sinkholing a domain or seizing a server does not disrupt it, and the majority vote tolerates a few RPC providers being blocked.
• Five persistence mechanisms: systemd units, XDG autostart entries, cron, .bashrc and .profile injection, for redundant Linux persistence.
• Self-contained runtime: Downloads a legitimate Node.js v20.10.0 build directly from nodejs.org, accepting a larger download in exchange for a lower chance that the download itself is flagged.
• Dynamic payload capability: Polls the C2 every 500 ms using randomized URL paths and executes any JavaScript returned, giving the operator a fully interactive Node.js shell.
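The blockchain C2 has a network footprint that is easy to reason about: a web server has no business speaking Ethereum JSON-RPC, and a resolver that queries nine providers at once produces a burst of connections to distinct RPC hosts. The following added example (not Sysdig's detection content) runs that logic over constructed egress-proxy log lines. Host names, timestamps and the fan-out threshold are assumptions; the only real protocol detail is the JSON-RPC 2.0 envelope and the eth_* method family (eth_call, eth_getStorageAt, eth_blockNumber and so on) that any client reading contract state has to use.

```python
"""Flag Ethereum JSON-RPC egress from web servers in proxy logs (offline example).

Added example, not Sysdig's detection content. The log lines and host names are
constructed; the only real protocol detail is the JSON-RPC 2.0 envelope and the
eth_* method family that any contract-reading client has to use.
"""
import json
from collections import defaultdict
from datetime import datetime

# A web server contacting this many distinct RPC providers in one window mirrors
# EtherRAT's query-nine-and-take-the-majority resolver; three is already odd.
FANOUT_THRESHOLD = 3

# Constructed egress-proxy log: "<iso-ts> <src-host> <dst-host> <method> <body>"
SAMPLE_LOG = """\
2025-12-05T10:14:02Z web-01 api.payments.internal POST {"order":1234,"total":"19.99"}
2025-12-05T10:14:02Z web-01 rpc-a.example POST {"jsonrpc":"2.0","id":1,"method":"eth_call","params":[{"to":"0x00","data":"0x01"},"latest"]}
2025-12-05T10:14:02Z web-01 rpc-b.example POST {"jsonrpc":"2.0","id":1,"method":"eth_call","params":[{"to":"0x00","data":"0x01"},"latest"]}
2025-12-05T10:14:02Z web-01 rpc-c.example POST {"jsonrpc":"2.0","id":1,"method":"eth_call","params":[{"to":"0x00","data":"0x01"},"latest"]}
2025-12-05T10:14:03Z web-01 rpc-d.example POST {"jsonrpc":"2.0","id":1,"method":"eth_call","params":[{"to":"0x00","data":"0x01"},"latest"]}
2025-12-05T10:14:03Z web-01 rpc-e.example POST {"jsonrpc":"2.0","id":1,"method":"eth_call","params":[{"to":"0x00","data":"0x01"},"latest"]}
2025-12-05T10:20:41Z web-02 rpc-a.example POST {"jsonrpc":"2.0","id":7,"method":"eth_blockNumber","params":[]}
2025-12-05T10:21:09Z ci-runner rpc-a.example POST {"jsonrpc":"2.0","id":3,"method":"eth_call","params":[{"to":"0x00","data":"0x01"},"latest"]}
"""


def parse_rpc(body_text: str):
    """Return the JSON-RPC method name if the body is an eth_* request, else None."""
    try:
        body = json.loads(body_text)
    except json.JSONDecodeError:
        return None
    if not isinstance(body, dict) or body.get("jsonrpc") != "2.0":
        return None
    method = str(body.get("method", ""))
    return method if method.startswith("eth_") else None


def detect(log_text: str, web_servers: set, window_s: int = 5) -> list:
    """Bucket eth_* calls per (source, time window) and emit one finding per bucket.

    Any web server talking Ethereum RPC is reported; fan-out to several distinct
    endpoints in the same window raises severity because it matches the
    majority-vote resolver pattern rather than a single misconfigured client.
    """
    buckets = defaultdict(lambda: {"endpoints": set(), "methods": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _http_method, body = line.split(" ", 4)
        rpc_method = parse_rpc(body)
        if rpc_method is None:
            continue
        epoch = int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp())
        bucket = buckets[(src, epoch // window_s)]
        bucket["endpoints"].add(dst)
        bucket["methods"].add(rpc_method)

    findings = []
    for (src, _window), bucket in sorted(buckets.items()):
        fanout = len(bucket["endpoints"])
        is_web = src in web_servers
        if not is_web and fanout < FANOUT_THRESHOLD:
            continue  # a build host hitting one RPC endpoint may be legitimate
        findings.append({
            "src": src,
            "endpoints": fanout,
            "methods": sorted(bucket["methods"]),
            "severity": "high" if is_web and fanout >= FANOUT_THRESHOLD else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG, web_servers={"web-01", "web-02"}):
        print(finding)
```

The asset role set is what turns this from noise into signal: the same eth_call from a developer workstation or a blockchain integration host is ordinary, from a Next.js front end it is not. Destination-based rules (lists of RPC provider hostnames) will always lag, so keying on the JSON-RPC body and the fan-out pattern is the more durable detection.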
Attribution Indicators
Sysdig's analysis reveals significant overlap with the North Korea-linked "Contagious Interview" campaign (Lazarus Group). The encrypted loader pattern closely matches DPRK-affiliated BeaverTail malware, and the EtherHiding C2 technique has been previously documented in North Korean operations. However, the pivot from social engineering to direct exploitation represents a significant evolution in tradecraft.
React2Shell Exploitation Update
Palo Alto Networks Unit 42 has now confirmed over 30 affected organizations across numerous sectors, with activity consistent with the China-nexus group UNC5174 deploying the SNOWLIGHT and VShell backdoors. Shadowserver reports that the count of vulnerable IP addresses fell from 77,664 on December 5 to 28,964 on December 7, but tens of thousands remain exposed.
Immediate Actions
- Upgrade React to 19.0.1, 19.1.2 or 19.2.1, whichever matches the minor line you run.
- Update Next.js to the patched release of your minor line (15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7 or 16.0.7, or later within that line).
- Monitor for outbound Ethereum JSON-RPC traffic from web servers; it is highly anomalous in most environments.
- Hunt for the persistence mechanisms listed above and for hidden files under ~/.local/share.
- Review application logs and rotate credentials on potentially affected systems.
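Because the fix is shipped per minor line, a version check that only asks "is it above the lowest patched release?" passes vulnerable installs: Next.js 15.4.7 is above 15.0.5 yet still affected. The following added example (not tooling from the React or Next.js projects) encodes the fixed releases listed above and walks an npm lockfile, including nested copies of react that a top-level dependency check misses. The lockfile excerpt is constructed; the script assumes the lockfile v2/v3 "packages" layout keyed by node_modules path, and reports minor lines the briefing does not list as "review" rather than guessing.

```python
"""Check installed React / Next.js versions against the React2Shell fixed releases.

Added example, not tooling from the React or Next.js projects. PATCHED holds the
fixed releases listed in this briefing; LOCKFILE is a constructed npm lockfile
(v2/v3 "packages" layout, keyed by node_modules path).
"""
import json
import re
import sys

# Minimum patched release for each minor line named in the advisory text.
PATCHED = {
    "react": {(19, 0): (19, 0, 1), (19, 1): (19, 1, 2), (19, 2): (19, 2, 1)},
    "next": {
        (15, 0): (15, 0, 5), (15, 1): (15, 1, 9), (15, 2): (15, 2, 6),
        (15, 3): (15, 3, 6), (15, 4): (15, 4, 8), (15, 5): (15, 5, 7),
        (16, 0): (16, 0, 7),
    },
}

SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def parse_version(version: str):
    """Split '19.2.1-canary-abc' into ((19, 2, 1), 'canary-abc')."""
    match = SEMVER.match(version)
    if not match:
        raise ValueError(f"unparseable version {version!r}")
    return (int(match[1]), int(match[2]), int(match[3])), match[4]


def status(package: str, version: str) -> str:
    """'patched', 'vulnerable', 'review' (minor line not in the table) or 'unlisted'."""
    lines = PATCHED.get(package)
    if lines is None:
        return "unlisted"
    (major, minor, patch), prerelease = parse_version(version)
    fixed = lines.get((major, minor))
    if fixed is None:
        return "review"  # the briefing lists no fixed release for this line
    if (major, minor, patch) < fixed:
        return "vulnerable"
    if (major, minor, patch) == fixed and prerelease:
        return "vulnerable"  # 19.2.1-canary.* precedes 19.2.1 in semver ordering
    return "patched"


def scan_lockfile(lock: dict) -> dict:
    """Map every installed react/next instance (including nested copies) to its status."""
    results = {}
    for path, meta in lock.get("packages", {}).items():
        if not path or "version" not in meta:
            continue  # "" is the root project entry
        name = path.rsplit("node_modules/", 1)[-1]
        if name in PATCHED:
            results[path] = (meta["version"], status(name, meta["version"]))
    return results


# Constructed lockfile excerpt: one vulnerable Next.js, one patched React, and a
# nested React copy pulled in by a dependency that a top-level check would miss.
LOCKFILE = {
    "name": "storefront",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "storefront", "version": "1.0.0"},
        "node_modules/next": {"version": "15.4.7"},
        "node_modules/react": {"version": "19.2.1"},
        "node_modules/react-dom": {"version": "19.2.1"},
        "node_modules/legacy-widget/node_modules/react": {"version": "19.1.1"},
    },
}


if __name__ == "__main__":
    # Usage: python check_react2shell.py [package-lock.json]; no argument = built-in sample
    lock = json.load(open(sys.argv[1], encoding="utf-8")) if len(sys.argv) > 1 else LOCKFILE
    for path, (version, verdict) in sorted(scan_lockfile(lock).items()):
        print(f"{verdict:10s} {version:10s} {path}")
```

Run it against every deployable's lockfile, not just the repository root, and treat "review" results as work items: the table above only covers the lines named in the advisories, so a line outside it needs a look at the vendor notice rather than a green checkmark.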
Critical Fortinet Authentication Bypass Vulnerabilities
On December 9, 2025, Fortinet released patches for two critical authentication bypass vulnerabilities affecting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. While not yet exploited in the wild, the severity and historical targeting of Fortinet products warrant immediate attention.
Vulnerability Details
CVE-2025-59718 and CVE-2025-59719 (both rated CVSS 9.8) stem from improper verification of cryptographic signatures (CWE-347). An unauthenticated attacker can bypass FortiCloud Single Sign-On (SSO) authentication via crafted SAML messages when this feature is enabled.
Critical Risk Factor
While FortiCloud SSO login is disabled by default in factory settings, when an administrator registers a device with FortiCare through the GUI, FortiCloud SSO is automatically enabled unless specifically disabled during registration. This means many production environments may be vulnerable without administrators realizing it.
Immediate Actions
- Verify FortiCloud SSO status across all Fortinet devices, including ones registered through the GUI where it may have been enabled without anyone choosing it.
- Disable FortiCloud SSO temporarily if patching cannot be immediate.
- Apply patches: FortiOS 7.6.3+/7.4.9+/7.2.14+, FortiProxy 7.6.3+/7.4.9+, FortiWeb 7.4.8+, FortiSwitchManager 7.2.7+.
- Monitor for follow-on exploitation given Fortinet's history as a target of threat actors.
Marquis Software Breach Affects 74 Banks and 780,000+ Customers
Financial software provider Marquis Software Solutions has disclosed a ransomware attack that took place on August 14, 2025 and impacted over 780,000 customers across 74 banks and credit unions nationwide. The breach notifications, filed in early December, underline the third-party risk the financial sector carries.
Attack Vector
Attackers gained initial access through Marquis's SonicWall firewall. While Marquis has not publicly attributed the attack, the methodology closely aligns with Akira ransomware operations, which have been actively exploiting SonicWall SSL VPN systems via CVE-2024-40766. Notably, Akira actors have bypassed MFA by harvesting OTP seeds from devices during earlier compromises, so an appliance that is patched but whose credentials and seeds were never rotated remains accessible to them.
Data Exposed
• Names, addresses, and phone numbers
• Social Security numbers and Taxpayer Identification Numbers
• Dates of birth
• Financial account information (excluding access codes)
Key Concern
A now-removed filing from Community 1st Credit Union indicated that Marquis paid a ransom shortly after the attack, which raises the familiar concern that payment funds further operations. The nearly four-month gap between the breach (August 14) and notification (December 3) may also run afoul of state breach notification deadlines.
Immediate Actions
- Financial institutions should verify whether they are among the 74 affected organizations.
- Audit SonicWall firewall configurations and ensure all patches are applied.
- Enable MFA on all firewall and VPN accounts, and rotate credentials (including OTP seeds) on any appliance that was exposed before it was patched.
- Apply geo-IP filtering and implement account lockout policies.
- Review third-party vendor security requirements and compliance frameworks.
ShadyPanda Campaign: 4.3 Million Browser Users Infected via Malicious Extensions
Security researchers at Koi Security have exposed a seven-year malicious browser extension campaign that infected 4.3 million Chrome and Edge users. The China-linked threat actor, dubbed ShadyPanda, exploited weaknesses in browser marketplace review processes to distribute spyware and remote code execution backdoors.
Attack Evolution
ShadyPanda played the long game: legitimate extensions were published as early as 2018, accumulated thousands or millions of installs, gained "Featured" and "Verified" status, then received malicious updates in mid-2024. Because marketplace review happens at submission rather than on later updates, those updates reached users silently through the trusted auto-update mechanism of Chrome and Edge.
Capabilities
• Hourly RCE backdoor: Fetches and executes arbitrary JavaScript every hour with the extension's full browser API access
• Comprehensive surveillance: Captures every URL visited, search queries, mouse clicks, browser fingerprints, and page interactions
• Anti-analysis: Switches to benign behavior when developer tools are opened
• Data exfiltration: Sends data to 17 domains in China, including 8 Baidu servers
• Adversary-in-the-middle: Can facilitate credential theft, session hijacking, and code injection into any website
Affected Extensions
Notable infected extensions include Clean Master (previously Google Featured/Verified, 200K+ users), WeTab (3 million Edge users), and Infinity New Tab Pro (650K users). Microsoft has since removed identified extensions from its store, but installed copies stay on endpoints until removed, and data already exfiltrated cannot be recalled.
Recommendation: Organizations should audit browser extensions across their environment, remove any that appear on the published IOC list, and consider implementing browser extension allow-listing policies. Affected users should reset passwords across their entire online presence.
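Auditing extensions fleet-wide means reading what is actually installed on disk, not what the store page says. The following added example (not Koi Security's tooling) inventories a Chromium-based profile, matches extension IDs against an IOC list, and flags the permission footprint ShadyPanda needed: every URL, every request, script injection into arbitrary sites. The on-disk layout <profile>/Extensions/<32-character id>/<version>/manifest.json is Chromium's real structure and the store update hosts are real; the extension IDs, names and manifests written by build_sample_profile are constructed placeholders, and IOC_IDS is a placeholder to be replaced with the published list.

```python
"""Inventory Chrome/Edge extensions on an endpoint and flag risky or listed ones.

Added example, not Koi Security's tooling. The profile layout
<profile>/Extensions/<32-char id>/<version>/manifest.json is Chromium's real
on-disk structure; the extension IDs and manifests in build_sample_profile are
constructed placeholders, and IOC_IDS must be replaced with the published list.
"""
import json
import tempfile
from pathlib import Path

IOC_IDS = {"abcdefghijklmnopabcdefghijklmnop"}  # constructed placeholder ID

# Permissions that give an extension the reach described for ShadyPanda:
# every page visited, every request, script injection into arbitrary sites.
BROAD_PERMISSIONS = {"<all_urls>", "webRequest", "webRequestBlocking", "scripting", "tabs", "history"}

# Chrome Web Store / Edge Add-ons update hosts; anything else is a self-hosted update channel
STORE_UPDATE_HOSTS = ("clients2.google.com", "edge.microsoft.com")


def default_profile_dirs():
    """Typical default-profile locations; extend for additional profiles ("Profile 1", ...)."""
    home = Path.home()
    return [
        home / ".config/google-chrome/Default",
        home / ".config/microsoft-edge/Default",
        home / "Library/Application Support/Google/Chrome/Default",
        home / "AppData/Local/Google/Chrome/User Data/Default",
        home / "AppData/Local/Microsoft/Edge/User Data/Default",
    ]


def audit_profile(profile_dir: Path, ioc_ids=IOC_IDS) -> list:
    """Return one record per installed extension version with the reasons it was flagged."""
    findings = []
    ext_root = profile_dir / "Extensions"
    if not ext_root.is_dir():
        return findings
    for ext_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
        for manifest_path in sorted(ext_dir.glob("*/manifest.json")):
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            reach = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
            for script in manifest.get("content_scripts", []):
                reach |= set(script.get("matches", []))
            reasons = []
            if ext_dir.name in ioc_ids:
                reasons.append("ioc-match")
            broad = sorted(reach & BROAD_PERMISSIONS)
            if broad:
                reasons.append("broad-permissions:" + ",".join(broad))
            update_url = manifest.get("update_url", "")
            if update_url and not any(host in update_url for host in STORE_UPDATE_HOSTS):
                reasons.append("non-store-update-url")
            findings.append({
                "id": ext_dir.name,
                "version": manifest_path.parent.name,
                "name": manifest.get("name", "?"),  # may be a __MSG_*__ locale key
                "reasons": reasons,
            })
    return findings


def build_sample_profile(root: Path) -> Path:
    """Write a constructed profile with two extensions so the audit runs offline."""
    profile = root / "Default"
    samples = {
        "abcdefghijklmnopabcdefghijklmnop/2.4.0_0": {
            "manifest_version": 3, "name": "Tab Tidy",
            "permissions": ["tabs", "storage"], "host_permissions": ["<all_urls>"],
            "update_url": "https://clients2.google.com/service/update2/crx",
        },
        "ponmlkjihgfedcbaponmlkjihgfedcba/1.0.3_0": {
            "manifest_version": 3, "name": "Reading Ruler",
            "permissions": ["storage"],
            "update_url": "https://clients2.google.com/service/update2/crx",
        },
    }
    for rel, manifest in samples.items():
        path = profile / "Extensions" / rel / "manifest.json"
        path.parent.mkdir(parents=True)
        path.write_text(json.dumps(manifest), encoding="utf-8")
    return profile


def demo() -> list:
    """Audit the constructed profile in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_profile(build_sample_profile(Path(tmp)))


if __name__ == "__main__":
    for record in demo():
        print(record)
    for profile in default_profile_dirs():
        for record in audit_profile(profile):
            if record["reasons"]:
                print(profile, record)
```

The IOC match handles the extensions already known to be malicious; the permission check is what catches the next ShadyPanda, because an extension that can read every page and execute fetched code is one silent update away from the same outcome regardless of who publishes it. Pair the inventory with an ExtensionInstallAllowlist policy so that only reviewed IDs can be installed in the first place.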
Key Takeaways for IT Professionals
- Patch with urgency: Microsoft's CVE-2025-62221 is under active exploitation—prioritize this above all other December patches. The React2Shell vulnerability continues to be aggressively exploited by nation-state actors.
- Secure OT environments: The CISA advisory makes clear that even "unsophisticated" attackers can cause physical damage to critical infrastructure. VNC exposure and weak authentication remain primary attack vectors.
- Nation-state actors move fast: Both Chinese and North Korean groups exploited React2Shell within 48 hours of disclosure. Your patch window is measured in hours, not days.
- Third-party risk is enterprise risk: The Marquis breach demonstrates how a single vendor compromise can cascade across hundreds of organizations. Verify your vendor security posture.
- Trust is static, code is dynamic: ShadyPanda's success exposes fundamental weaknesses in browser extension marketplaces. Consider extension allow-listing and regular audits.
Sources
Microsoft Security Response Center - December 2025 Security Updates
CISA Advisory AA25-343A - Pro-Russia Hacktivists Conduct Opportunistic Attacks Against US and Global Critical Infrastructure (December 9, 2025)
Sysdig Threat Research Team - EtherRAT: DPRK Uses Novel Ethereum Implant in React2Shell Attacks (December 8, 2025)
Fortinet PSIRT - FortiOS/FortiProxy/FortiWeb/FortiSwitchManager Authentication Bypass (December 9, 2025)
Koi Security - ShadyPanda Browser Extension Campaign Analysis (December 2025)
BleepingComputer - Marquis Data Breach Analysis (December 2025)
The Hacker News, SecurityWeek, Krebs on Security - December 2025 Patch Tuesday Coverage
CrowdStrike, Tenable, Rapid7 - Patch Tuesday Analysis (December 2025)