EvilBit Threat Digest - A Critical Reaction to the Week in Bugs

Critical React RCE sparks urgent patches as malware campaigns, APT spyware, supply-chain hits, and breaches highlight fragile digital trust.

KryptoKat here. Some weeks feel like a controlled burn; others feel like the whole forest is on fire. This week was the latter, thanks to a vulnerability in a foundational web framework that sent just about everyone scrambling for the emergency patch hose. It served as a potent reminder that the most dangerous threats often aren't novel zero-days from shadowy APTs, but critical flaws in the open-source libraries we all build upon.

Meanwhile, the usual drumbeat of malware campaigns, data breaches, and state-sponsored phishing continued unabated. From APTs turning browser extensions into long-term spyware to the inner workings of the mercenary spyware industry getting laid bare, there was no shortage of reminders to check your logs, question your assumptions, and maybe, just maybe, not plug in that random USB stick you found.

Let's get into it.


The Main Event: Patch Now, Ask Questions Later

React Server Components Hit with Critical RCE (CVE-2025-55182)

If you heard a collective groan from every web developer on the planet this week, it was probably because of CVE-2025-55182. Researchers discovered a critical (CVSS 10.0) unauthenticated remote code execution vulnerability in React Server Components. The flaw stems from unsafe deserialization of maliciously crafted HTTP payloads sent to Server Function endpoints. An attacker could, without any authentication, execute arbitrary code on the server.

The vulnerability affects React versions 19.0.0 through 19.2.0 and frameworks that rely on them, most notably Next.js. The React team pushed out fixes with impressive speed in versions 19.0.1, 19.1.2, and 19.2.1. Major cloud and WAF providers like Cloudflare, Fastly, and AWS also rolled out emergency rules to block exploit attempts at the edge. While there's no widespread exploitation confirmed just yet, security firms like Rapid7 are warning that it's imminent. This is an all-hands-on-deck patching event. Don't rely on your WAF; update your origins.

A Quick Look Back at OpenSSH "regreSSHion" (CVE-2024-6387)

UncleSp1d3r jumping in. While everyone was rightly focused on the React fire, it’s worth remembering that critical bugs can linger in even the most battle-hardened code. Case in point: CVE-2024-6387, dubbed "regreSSHion," a pre-authentication RCE in OpenSSH's server daemon, sshd. Qualys researchers found a subtle race condition in the signal handling for unauthenticated connections that could lead to code execution.

This affects OpenSSH versions 8.5p1 through 9.7p1, primarily on glibc-based Linux systems. A patch has been available in version 9.8p1 since July, but you know how it is with infrastructure patching. If you can't update immediately, the researchers suggest setting LoginGraceTime 0 in your sshd_config to close the timing window, though it might make life harder for legitimate users with slow connections. It’s a good reminder to check your foundational services, not just the shiny new frameworks.
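Both items above come down to the same first triage question: is the version I am actually running inside the stated range, and for sshd, is the interim mitigation in place? The following Python helper is an added example written for this digest, not code from the React, Next.js or OpenSSH projects. It encodes exactly the ranges quoted above (React 19.0.0 through 19.2.0 with fixes in 19.0.1, 19.1.2 and 19.2.1; OpenSSH 8.5p1 through 9.7p1 with the fix in 9.8p1) and checks an sshd_config for the `LoginGraceTime 0` workaround. The sample sshd_config and the OpenSSH banner string are constructed; the config parser is a simplification that does not follow `Include` files or `Match` blocks.

```python
"""Triage helper for the two pre-auth RCEs discussed above (added example, not vendor code).

Ranges are exactly those stated in the digest:
  React / CVE-2025-55182 : 19.0.0 through 19.2.0 affected; fixed in 19.0.1, 19.1.2, 19.2.1
  OpenSSH / CVE-2024-6387: 8.5p1 through 9.7p1 affected; fixed in 9.8p1; interim mitigation LoginGraceTime 0
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# React: the fix release for each affected minor line (19.0.x, 19.1.x, 19.2.x).
REACT_FIXED_BY_MINOR = {0: (19, 0, 1), 1: (19, 1, 2), 2: (19, 2, 1)}
REACT_AFFECTED_MIN, REACT_AFFECTED_MAX = (19, 0, 0), (19, 2, 0)

OPENSSH_AFFECTED_MIN, OPENSSH_AFFECTED_MAX = (8, 5, 1), (9, 7, 1)


def parse_semver(version: str) -> Version:
    """Parse a *resolved* 'MAJOR.MINOR.PATCH' (as found in package-lock.json or `npm ls react`).
    Range specifiers such as '^19.0.0' are rejected on purpose: a range says nothing about
    which version is installed. A prerelease/build tag is ignored and the base version is used."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", version.strip())
    if not m:
        raise ValueError(f"not a resolved version: {version!r}")
    return (int(m[1]), int(m[2]), int(m[3]))


def react_affected(version: str) -> bool:
    """True if this React version is inside the vulnerable range and below the fix for its minor line."""
    v = parse_semver(version)
    if not (REACT_AFFECTED_MIN <= v <= REACT_AFFECTED_MAX):
        return False
    return v < REACT_FIXED_BY_MINOR[v[1]]


def parse_openssh_version(banner: str) -> Version:
    """Parse 'OpenSSH_9.6p1 ...' as printed by `ssh -V` or sent in the SSH banner."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?", banner)
    if not m:
        raise ValueError(f"no OpenSSH version in: {banner!r}")
    return (int(m[1]), int(m[2]), int(m[3] or 0))


def openssh_affected(banner: str) -> bool:
    """True if the upstream version lies in 8.5p1..9.7p1. Caveat: distributions frequently
    backport fixes without bumping the version, so a hit means 'check the distro advisory'."""
    return OPENSSH_AFFECTED_MIN <= parse_openssh_version(banner) <= OPENSSH_AFFECTED_MAX


_UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_sshd_time(spec: str) -> int:
    """sshd's time format: an integer with optional s/m/h/d/w suffix; units may be concatenated ('1h30m')."""
    if not re.fullmatch(r"(?:\d+[smhdwSMHDW]?)+", spec):
        raise ValueError(f"bad time value: {spec!r}")
    return sum(int(n) * _UNIT_SECONDS[u.lower()] for n, u in re.findall(r"(\d+)([smhdwSMHDW]?)", spec))


def login_grace_time(sshd_config: str) -> Optional[int]:
    """Effective LoginGraceTime in seconds, or None when unset (sshd's default is 120).
    As in sshd, the first occurrence wins and keywords are case-insensitive.
    Assumption/simplification: Include files and Match blocks are not followed."""
    for raw in sshd_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2 and parts[0].lower() == "logingracetime":
            return parse_sshd_time(parts[1].strip())
    return None


def openssh_interim_mitigation_applied(sshd_config: str) -> bool:
    """The interim mitigation quoted in the digest: LoginGraceTime 0 until 9.8p1 is installed."""
    return login_grace_time(sshd_config) == 0


# Constructed sample input for a stand-alone run.
SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config excerpt
Port 22
#LoginGraceTime 2m
LoginGraceTime 0
PermitRootLogin no
"""

if __name__ == "__main__":
    for v in ("19.0.0", "19.1.1", "19.1.2", "19.2.1"):
        print(f"react {v}: {'AFFECTED' if react_affected(v) else 'ok'}")
    banner = "OpenSSH_9.6p1 Ubuntu-3ubuntu13"  # constructed banner
    print(f"{banner}: {'AFFECTED' if openssh_affected(banner) else 'ok'}; "
          f"LoginGraceTime 0 set: {openssh_interim_mitigation_applied(SAMPLE_SSHD_CONFIG)}")
```

Feed `react_affected` the resolved versions from your lockfile rather than the `^` ranges in package.json, and treat `openssh_affected` as a prompt to read your distribution's advisory rather than a verdict, since backported fixes keep the old version string.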


Malware Parade: Old Tricks and New Tools

KryptoKat: The malware ecosystem never sleeps, and this week brought us a few notable specimens that are worth a closer look for detection and hunting.

First, researchers at AhnLab spotted a Golang backdoor attributed to the group UNC5174 that uses Discord as its command-and-control channel. The malware uses the discordgo library to listen for commands in a channel, executing them with bash -c. Abusing legitimate services like Discord for C2 isn't new, but it remains a headache for network defenders trying to separate malicious traffic from legitimate chatter.
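The reason Discord-as-C2 is hard to separate from legitimate chatter is that the destinations are identical: a bot library such as discordgo has to reach the same Discord REST API and gateway hosts a real chat client does. What differs is who is talking to them. The Python hunting helper below is an added example for this digest, not code from AhnLab or from the sample; it flags Discord egress that originates from a server-role host, or from a workstation process that is not a known chat client or browser. The log format, host names, process names and the client allowlist are all constructed assumptions; map them onto your own proxy or EDR network telemetry.

```python
"""Hunting helper for Discord-as-C2 egress (added example; log format and allowlist are constructed).

Heuristic: Discord REST/gateway hosts are normal from a chat client on a workstation and
almost never legitimate from a server host or from a non-client process.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Discord API/gateway hosts a bot library needs to reach (subdomains are matched too).
DISCORD_HOSTS = {"discord.com", "discordapp.com", "gateway.discord.gg"}

# Assumed allowlist of processes expected to talk to Discord on a workstation; tune per estate.
EXPECTED_DISCORD_CLIENTS = {
    "discord", "discord.exe", "chrome", "chrome.exe", "msedge.exe", "firefox", "firefox.exe",
}


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    process: str
    dest: str
    reason: str


def is_discord_host(dest: str) -> bool:
    d = dest.lower().rstrip(".")
    return d in DISCORD_HOSTS or any(d.endswith("." + h) for h in DISCORD_HOSTS)


def process_basename(path: str) -> str:
    """Last path component for either '/' or '\\' separators, lower-cased."""
    return re.split(r"[\\/]", path)[-1].lower()


def find_discord_c2_candidates(log_lines: Iterable[str]) -> List[Finding]:
    """Scan constructed egress records '<ts> <host> <role> <process-path> <dest-host> <dest-port>'
    and flag Discord destinations reached (a) from any host whose role is 'server' or
    (b) from a process outside the expected-client allowlist."""
    findings: List[Finding] = []
    for raw in log_lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 6:
            continue  # malformed record; a real pipeline would count and surface these
        ts, host, role, process, dest, _port = fields
        if not is_discord_host(dest):
            continue
        name = process_basename(process)
        if role == "server":
            findings.append(Finding(ts, host, process, dest, "discord egress from a server host"))
        elif name not in EXPECTED_DISCORD_CLIENTS:
            findings.append(Finding(ts, host, process, dest, f"discord egress from unexpected process {name}"))
    return findings


# Constructed sample telemetry: two workstations with a real client and a browser, one web
# server running an unknown binary that talks to Discord, and a database server as a control.
SAMPLE_EGRESS_LOG = """\
# ts host role process dest port
2025-12-04T09:12:01Z ws-042 workstation C:\\Users\\a\\AppData\\Local\\Discord\\Discord.exe discord.com 443
2025-12-04T09:12:05Z ws-042 workstation chrome.exe gateway.discord.gg 443
2025-12-04T09:13:17Z web-prod-03 server /opt/svc-agent/agent gateway.discord.gg 443
2025-12-04T09:13:18Z web-prod-03 server /opt/svc-agent/agent discord.com 443
2025-12-04T09:14:02Z ws-017 workstation updater.exe discord.com 443
2025-12-04T09:15:44Z db-prod-01 server postgres 10.0.0.5 5432
"""

if __name__ == "__main__":
    for f in find_discord_c2_candidates(SAMPLE_EGRESS_LOG.splitlines()):
        print(f"{f.ts} {f.host} {f.process} -> {f.dest}: {f.reason}")
```

The server-role rule is the high-confidence one: a production web host has no business holding a Discord gateway session. The process rule is noisier and needs an allowlist maintained per environment. On the host side, the complementary signal for the behaviour described above is process-creation telemetry showing a non-shell parent binary spawning `bash -c` shortly after a Discord connection.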

Next, Splunk's Threat Research Team published a deep dive on Castle RAT, a full-featured RAT with variants in both Python and compiled C. The malware is a nasty piece of work, capable of keylogging, screen and webcam capture, clipboard harvesting, and a clever UAC bypass using handle duplication. Splunk provided a great set of detections and an analytic story for defenders.

Finally, for the mobile side, a new Android RAT-as-a-Service called Albiriox has been making the rounds. As detailed by Cleafy, it uses VNC and Accessibility Services to gain full remote control of an infected device, targeting over 400 financial and crypto applications with overlay attacks and keylogging. The initial campaigns appear to be targeting users in Austria, but the platform is built for global reach.


The Long Game: APTs and Supply Chain Compromise

ShadyPanda Hides in Plain Sight

UncleSp1d3r here. Some threat actors play the long game. A real long game. Researchers at Koi Security uncovered a seven-year campaign by an APT dubbed "ShadyPanda" that turned popular browser extensions into spyware. Affecting over 4.3 million users of extensions for Chrome and Edge, the group would wait for an extension to gain a trusted user base before pushing a malicious update that enabled surveillance and data exfiltration. It's a stark reminder that even trusted, highly-rated software in an official marketplace can be a Trojan horse. The initial access vector is the "install" button.

Leaks Expose Mercenary Spyware Operations

KryptoKat: The world of commercial spyware got a little less opaque this week. Leaked internal documents from the sanctioned spyware maker Intellexa, analyzed by Amnesty International's Security Lab and partners like TechCrunch, revealed some damning operational details. The leak shows Intellexa employees had direct TeamViewer access to their government clients' systems, allowing them to view live dashboards of infections and access the collected data. The documents also confirmed multiple infection vectors for their Predator spyware, including an ad-based method called "Aladdin." The research provides valuable, concrete IOCs and a rare look under the hood of this shadowy industry.

SmartTube Sideloaders Get a Nasty Surprise

UncleSp1d3r: And for anyone who thinks supply chain attacks are just for big enterprise software, consider the saga of SmartTube. The developer of the popular ad-free YouTube app for Android TV had their signing key compromised. An attacker then used the key to sign and distribute malicious updates containing a data-stealing library. Because the app is sideloaded and not on the official Play Store, users rely on the app's own updater and the developer's signature for trust. Google's Play Protect eventually flagged and disabled the malicious versions, but not before countless users were likely compromised. The developer has since rotated keys and published a clean version under a new package name. A messy reminder of the risks of sideloading and the critical importance of protecting signing keys.


The Breach Blotter

KryptoKat: Finally, a quick look at who had a bad week on the breach front.

  • Marquis Software Solutions: This fintech firm, which serves U.S. banks and credit unions, disclosed a ransomware attack that resulted in a data breach affecting over 400,000 customers. According to TechCrunch, the attackers initially gained access by exploiting a vulnerability in a SonicWall firewall. Stolen data included names, Social Security numbers, and financial account information.
  • Freedom Mobile: The Canadian telecom provider notified customers of a data breach after an attacker used a subcontractor's credentials to access a customer account management platform. The compromised data included names, addresses, phone numbers, and account numbers, though the company stated passwords and payment information were not accessed. Another day, another third-party access incident.
  • ASUS: The ransomware group Everest claimed to have breached the hardware giant and stolen over a terabyte of data, including camera source code. The claim remains unconfirmed by ASUS, and no sample data has been released, so file this one under "watching closely."

This week was a masterclass in the fragility of digital trust--trust in our development frameworks, our vendors, our browser extensions, and even our app updates. It's a good time to review your patching cadence, your vendor access policies, and your detection capabilities for threats that abuse legitimate channels.

Stay safe out there.

-- KryptoKat & UncleSp1d3r


Patch Roundup

For those keeping score at home, here are some of the notable patches and vulnerability disclosures from the past week's vendor updates.

Google Chrome 143.0.7499.40/.41

Google released a security update for Chrome patching 13 vulnerabilities, including a high-severity type confusion bug in the V8 JavaScript engine.

  • CVE-2025-13630 (High, V8 Type Confusion)
  • CVE-2025-13631 (Medium, Renderer Use-after-free)
  • CVE-2025-13632 (Medium, Dawn Use-after-free)
  • …and 10 others. See the full release notes here.

Tenable Nessus Plugin Updates (2025-12-04)

Tenable's daily plugin update included checks for a number of critical issues.

  • React Server Components RCE: CVE-2025-55182
  • Red Hat Enterprise Linux: Multiple kernel errata (RHSA advisories) and a local privilege escalation in ABRT (CVE-2025-64730).
  • Adobe Experience Manager: RCE via Groovy Console.
  • Linux Kernel: Fixes for a FUSE livelock (CVE-2025-40220) and an SCTP NULL dereference (CVE-2025-40240).
  • Sony SNC-CX600W Camera: Multiple vulnerabilities (CVE-2025-62497).
  • …and various other updates for Oracle Linux, Ubuntu, Debian, and SUSE. See the full list here.