🌐 Kimwolf is a new botnet that has infected over 1.8 million Android devices, mainly smart TVs and set-top boxes on home networks.

XLab says it has issued billions of DDoS commands, runs proxy and remote access functions, and uses blockchain-based ENS domains to resist takedowns.

🔗 Read → https://thehackernews.com/2025/12/kimwolf-botnet-hijacks-18-million.html

🛑 SonicWall patched an actively exploited flaw in SMA 100 series appliances.

CVE-2025-40602 lets attackers escalate privileges via the management console and was chained with a prior bug for root access.

Patches are now out for affected versions.

🔗 Read → https://thehackernews.com/2025/12/sonicwall-fixes-actively-exploited-cve.html

🛑 WARNING: CVE-2025-20393 is rated 10.0, with no patch available.

Cisco confirmed active exploitation of an AsyncOS zero-day by a China-linked APT.

The flaw allows root-level command execution on affected email security appliances and enables attackers to establish persistence.

🔗 Details and mitigations → https://thehackernews.com/2025/12/cisco-warns-of-active-attacks.html

A critical ASUS Live Update vulnerability is now on CISA’s exploited list.

CVSS 9.3, supply chain–based, and tied to ShadowHammer, it embedded malicious code in signed updates for carefully chosen devices.

🔗 Read → https://thehackernews.com/2025/12/cisa-flags-critical-asus-live-update.html

North Korea–linked Kimsuky has been tied to a new Android malware campaign.

The group is spreading a fresh DocSwap variant through QR codes on fake CJ Logistics sites. Once installed, the app deploys a full RAT with access to messages, calls, files, audio, and camera.

🔗 Read analysis here → https://thehackernews.com/2025/12/kimsuky-spreads-docswap-android-malware.html

🤖 AI copilots are now built into everyday SaaS tools. They move fast and quietly create new data paths across apps.

Static SaaS security can’t see AI activity in real time, so risk hides in normal logs—driving the shift to dynamic AI-SaaS security.

👉 Understand the risk before it hits → https://thehackernews.com/2025/12/the-case-for-dynamic-ai-saas-security.html

⚡ React2Shell. Weaxor. GhostPairing. ClickFix. RC4. RuTube. MCP leaks. DDoSia. Modbus. Google Phish. DarkGate. Token spills.

Dozens of stories from one chaotic week. Read the latest ThreatsDay Bulletin — what security teams are tracking now.

🔗 Read 15+ new stories → https://thehackernews.com/2025/12/threatsday-bulletin-whatsapp-hijacks.html

The State of Cybersecurity in 2025

Cybersecurity is entering a new phase of evolution. What was once centered on perimeter defenses and isolated tools is now defined by integration, verification, and execution speed.

This report by Papryon brings together perspectives across authentication, endpoint security, software supply chain protection, network visibility, and human risk, examining how organizations are adapting to increasingly sophisticated threats and operational complexity.

Download Full Report Here: https://thn.news/cyber-guide

Featuring:
Yubico
Metomic
usecure
Corelight
Axiado
ShadowDragon
SecureCo
Unknown Cyber
CrowdStrike
SentinelOne

💰 North Korea–linked hackers dominated crypto crime in 2025.

They stole $2.02B, more than half of all crypto taken worldwide, per Chainalysis. One breach at Bybit alone accounted for $1.5B, making this the worst year on record for DPRK theft.

🔗 Here's what the data exposes → https://thehackernews.com/2025/12/north-korea-linked-hackers-steal-202.html

⚠️ HPE patched a CRITICAL CVSS 10.0 flaw in OneView that allows unauthenticated remote code execution.

All versions before 11.00 are affected, with hotfixes for 5.20–10.20.

No active exploits reported, but patching is urgent.

🔗 Details here → https://thehackernews.com/2025/12/hpe-oneview-flaw-rated-cvss-100-allows.html

🛑 ESET has identified a China-aligned cyber espionage group, LongNosedGoblin, active since 2023 and targeting government networks in Southeast Asia and Japan.

It spreads malware via Windows Group Policy and uses OneDrive and Google Drive as C2, with full backdoors deployed only on select targets.

🔗 Read: https://thehackernews.com/2025/12/china-aligned-threat-group-uses-windows.html

⚠️ CERT/CC disclosed a UEFI flaw affecting motherboards from ASRock, ASUS, GIGABYTE, and MSI.

The flaw allows early-boot DMA attacks, letting malicious PCIe devices read or modify memory before kernel security starts.

🔗 Read details → https://thehackernews.com/2025/12/new-uefi-flaw-enables-early-boot-dma.html

Nigeria police arrested three suspects linked to global phishing. The main suspect is the alleged developer of the RaccoonO365 phishing-as-a-service kit.

Microsoft ties the tool to 5,000+ stolen credentials across 94 countries and to domain seizures in 2025, showing rising pressure on PhaaS operators.

🔗 Read → https://thehackernews.com/2025/12/nigeria-arrests-raccoono365-phishing.html

⚠️ ALERT: WatchGuard confirmed active exploitation of CVE-2025-14733 in Fireware OS.

The bug (CVSS 9.3) allows unauthenticated attackers to execute code via IKEv2 VPN paths. WatchGuard released patches and published indicators of compromise and attacker IPs.

🔗 Read details → https://thehackernews.com/2025/12/watchguard-warns-of-active-exploitation.html

Researchers uncovered GhostPairing, a social engineering attack that links a malicious device to a WhatsApp account by abusing the official pairing flow.

The attacker gets full linked-device access—messages, media, and groups—while the victim’s phone keeps working as normal.

🔗 How the GhostPairing WhatsApp exploit works → https://thehackernews.com/2025/12/threatsday-bulletin-whatsapp-hijacks.html#whatsapp-hijack-campaign

🛑 Researchers uncovered a new malware campaign abusing cracked software sites to spread CountLoader.

The loader uses fake ZIP files and trusted Windows tools to stay hidden, then deploys ACR Stealer to steal sensitive data.

🔗 Campaign details → https://thehackernews.com/2025/12/cracked-software-and-youtube-videos.html

🛑 A Russia-aligned threat group is abusing Microsoft’s device code login to hijack M365 accounts, targeting U.S. and European institutions.

Experts say attackers use compromised state emails and Cloudflare links to drive victims into legitimate Microsoft logins.

🔗 Read → https://thehackernews.com/2025/12/russia-linked-hackers-use-microsoft-365.html

Bitsight TRACE found ~1,000 MCP servers exposed online with no authorization in place, revealing new AI-related security gaps.

These Model Context Protocol instances can expose tools, data, or even allow remote execution if reached by attackers, expanding the risk surface for AI systems built on MCP.

🔗 Read about exposed MCP servers → https://thehackernews.com/2025/12/threatsday-bulletin-whatsapp-hijacks.html#exposed-ai-servers-risk

The U.S. DOJ indicted 54 people over a nationwide ATM jackpotting scheme tied to the Venezuelan gang Tren de Aragua.

Prosecutors say the group used malware to force cash withdrawals and link 1,529 jackpotting incidents to the operation.

🔗 Read → https://thehackernews.com/2025/12/us-doj-charges-54-in-atm-jackpotting.html

Iran-linked APT Infy, also called Prince of Persia, is active again after years of silence.

New research shows operations never stopped, and the toolset quietly evolved.

Updated malware, stronger C2 defenses, and fresh global victims point to a long-term espionage program.

🔗 Here's what changed under the radar → https://thehackernews.com/2025/12/iranian-infy-apt-resurfaces-with-new.html

Android mobile malware campaigns are converging on the same playbook.

Wonderland in Uzbekistan, plus Cellik, Frogblight, and NexusRoute elsewhere, all use fake legit apps, droppers, and phishing to steal OTPs, bank data, and accounts.

This marks a shift to scalable, MaaS-style fraud, not isolated scams.

🔗 Read details here → https://thehackernews.com/2025/12/android-malware-operations-merge.html