⚠️ Hackers are still hitting Middle East governments.

A group called WIRTE (Ashen Lepus) is expanding to Oman and Morocco with new malware named AshTag.

It hides in fake political PDFs — open one, and it steals your files.

🔗 Read ↓ https://thehackernews.com/2025/12/wirte-leverages-ashenloader-sideloading.html

🤖 Bots now outnumber people in some companies.

They work fast — but each one has access to sensitive data. Without the right controls, one weak bot can open the door to hackers.

Learn how to keep your RPA bots safe and your systems secure.

🔗 Read: https://thehackernews.com/2025/12/the-impact-of-robotic-process.html

Want a Master’s in Cybersecurity Risk Management? Apply by the priority deadline with no application fee.

Learn more: https://thn.news/georgetown-cyber-master

💻 ⚠️ Hackers are hiding inside Google Drive.

Researchers found a Windows backdoor called NANOREMOTE that uses the Google Drive API to steal files and run commands.

It even pretends to be Bitdefender software so it looks safe.

Experts say it’s linked to a Chinese hacking group targeting government and defense networks.

🔗 Read: https://thehackernews.com/2025/12/nanoremote-malware-uses-google-drive.html

💥 Cyber Week, unfiltered!

🔹 Malware disguised as movies.
🔹 Rootkits bypassing Windows.
🔹 AI tools turning risky.
🔹 Docker leaks spilling secrets.
🔹 Governments dialing up surveillance.

This week’s ThreatsDay Bulletin maps it all — from global crackdowns to code-level chaos.

🔗 Read → https://thehackernews.com/2025/12/threatsday-bulletin-spyware-alerts.html

🚨 CISA just confirmed active exploitation of a new GeoServer flaw (CVE-2025-58360).

It’s unauthenticated — the /geoserver/wms endpoint can be abused to access files or hit internal systems if not patched.

🔗 Read: https://thehackernews.com/2025/12/cisa-flags-actively-exploited-geoserver.html

🤖 AI is reshaping identity security.

It spots unusual behavior, adjusts access in real time, and keeps every identity in check.

Smart IAM isn’t about more tools — it’s about one connected system: the identity fabric.

🔗 Learn how it works: https://thehackernews.com/expert-insights/2025/12/ai-in-iam-is-it-truly-valuable.html

🚨 Over 137,000 servers are wide open.

Hackers are using the React2Shell bug (CVE-2025-55182) to take over web servers — no password needed.

Even U.S. government sites are being hit, and the attacks are spreading fast through Next.js apps online.

If your team hasn’t patched yet, you’re already late.

🔗 Read: https://thehackernews.com/2025/12/react2shell-exploitation-escalates-into.html

[New] React just found more bugs hiding in its last big patch.

🧩 CVE-2025-55184 & CVE-2025-67779 — can crash servers with one request.
🧩 CVE-2025-55183 — can leak source code from React Server Components.

👀 All discovered while testing the earlier CVE-2025-55182 fix.

Update to versions 19.0.3, 19.1.4, or 19.2.3 now.

🔗 Read: https://thehackernews.com/2025/12/new-react-rsc-vulnerabilities-enable.html

⚠️ Your browser is now the biggest GenAI risk.

Every day, workers paste code, emails, and files into AI tools—right inside the browser. That data can leak, get stored, or even shared outside your company.

The fix isn’t banning AI. It’s securing how it’s used—in the browser session itself.

🔗 Read: https://thehackernews.com/2025/12/securing-genai-in-browser-policy.html

🚨 Hackers are attacking CentreStack and Triofox right now using a built-in key that never changes.

It lets them break in, read the web-config file, and run code on the server.

At least 9 companies have already been hit.

🔗 Read: https://thehackernews.com/2025/12/new-advanced-phishing-kits-use-ai-and.html

🖥️ Researchers found fake Python tools on GitHub spreading a new trojan called PyStoreRAT.

The repos look real, gain stars ⭐, and run hidden malware using a Windows tool.

The malware can steal crypto wallet files 💰 and stay hidden by pretending to be an NVIDIA update.

🔗 Read: https://thehackernews.com/2025/12/fake-osint-and-gpt-utility-github-repos.html

Apple patched two bugs hackers were already using. New updates fix active attacks across iPhone, iPad, Mac, Safari, Watch, TV, and Vision Pro.

⚠️ One bug lets attackers run code from bad web pages.
⚠️ Another breaks memory.
🌐 All iPhone and iPad browsers were affected.
🕵️ Apple says the attacks were highly targeted.

This is Apple’s 9th zero-day fix in 2025.

🔗 Update now — read here ↓ https://thehackernews.com/2025/12/apple-issues-security-updates-after-two.html

🖥️⚠️ A six-year-old router flaw is being used right now.

U.S. cyber officials warn that hackers are actively attacking Sierra Wireless AirLink routers. The bug lets attackers upload a bad file and take full control of the device.

🔗 Read → https://thehackernews.com/2025/12/cisa-adds-actively-exploited-sierra.html

🚨 Poland Police detained three Ukrainian nationals after finding hacking 💻 and spying tools in their car.

Authorities say the gear could be used to attack key IT and telecom 📡 systems tied to national defense.

Charges include fraud and computer-related crimes.

🔗 Read: https://thehackernews.com/2025/12/threatsday-bulletin-spyware-alerts.html#vaas-crackdown-nets-193-arrests

⚠️ Notepad++ fixes a bug that was actively abused.

Notepad++ released version 8.8.9 to patch a critical updater flaw. Attackers hijacked update traffic and tricked users into installing malware instead of real updates.

🔗 Read: https://thehackernews.com/2025/12/threatsday-bulletin-spyware-alerts.html#update-closes-hijack-flaw

🤦 Hackers built #ransomware — then left the key behind.

CyberVolk’s new VolkLocker targets 💻 Windows and 🐧 Linux.

The flaw? the lock key is hard-coded and saved as a plain file on the system.

Files can be unlocked for free — but after 48 hours, it can wipe 🗑️ personal folders.

🔗 Read: https://thehackernews.com/2025/12/volklocker-ransomware-exposed-by-hard.html

🚨 Active phishing attacks in Russia spread Phantom Stealer.

Fake bank transfer emails use ISO attachments. The malware steals browser data, crypto wallets, passwords, and files, then sends them out via Telegram or Discord.

Finance, payroll, accounting, and legal teams are the main targets.

🔗 Read: https://thehackernews.com/2025/12/phantom-stealer-spread-by-iso-phishing.html

⚡ Your SaaS wasn’t hacked. It was impersonated via the browser.

Attackers ran clean, verified Chrome and Edge extensions for years. Millions of installs. One silent update flipped them into spyware.

Not a device attack. Not a cloud breach. Both at once. The browser sat in the middle, unseen, holding the keys.

🔗 Learn more: https://thehackernews.com/2025/12/a-browser-extension-risk-guide-after.html

Sensitive data is everywhere: SaaS, cloud, AI pipelines, and most teams can’t see it.

That’s why DSPM is becoming a top security priority for 2026.

Next-gen DSPM goes beyond visibility→ real-time context, automation, and AI-aware protection.

Learn more: https://thn.news/dspm-top-tools

FreePBX’s worst flaw isn’t a bug — it’s a legacy setting.

If AUTHTYPE is set to webserver, attackers can fake a login header and get admin access. From there, they can add their own user and run code on the system.

Default configs are safe. Old tweaks aren’t.

🔗 Read: https://thehackernews.com/2025/12/freepbx-authentication-bypass-exposed.html