EvilBit Threat Digest - When Databases Leak and Developers Click: The Final Week of 2025
The threat landscape is ending the year with a bang rather than a whimper. We're seeing critical memory disclosure in one of the world's most popular databases, a ransomware group that's essentially become an industry unto itself, and supply-chain attacks have us jumping at every bump in the night.
KryptoKat reporting in for the final week of 2025, and the cyber threat landscape is closing out the year with explosive intensity. A critical memory disclosure flaw has emerged in one of the world’s most widely used databases, a ransomware syndicate has grown into a full-fledged industry, and supply-chain attacks are compromising the very tools developers rely on daily. The unifying thread? Trust itself has become the ultimate vulnerability. From MongoDB leaks exposing heap memory to malicious backdoors hidden in developer extensions, the very foundations of our digital infrastructure are buckling under relentless, highly sophisticated attacks.
Let's break down what you need to know before the calendar flips.
MongoBleed: 87,000 Exposed Databases and Counting
The headline story this week is CVE-2025-14847, affectionately dubbed "MongoBleed" by the research community. This is a critical vulnerability in MongoDB Server that allows unauthenticated remote attackers to read uninitialized heap memory by sending malformed zlib-compressed network packets. The bug affects MongoDB Server versions spanning 3.6.x through 8.2.2--essentially every supported and many end-of-life releases.
The exploitation is straightforward but devastating. An attacker sends a crafted OP_COMPRESSED message to a MongoDB instance in which the zlib stream itself is valid but the uncompressedSize field in the compression header claims more bytes than the stream actually inflates to. The server sizes its output buffer from that attacker-supplied field and does not check how many bytes zlib really produced, so the unwritten tail of the buffer, still holding stale heap contents, is treated as part of the message and can come back to the client in the reply: credentials, session tokens, API keys, fragments of other clients' queries and documents, you name it. No authentication required. No user interaction needed. Just send the packet and collect the secrets.
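To make the bug class concrete, here is an added example (not MongoDB's code and not the public proof-of-concept) that builds an OP_COMPRESSED message and decodes it two ways. The wire-format constants (opcode 2012, the originalOpcode/uncompressedSize/compressorId compression header, zlib compressor id 2) come from the public MongoDB wire protocol specification. inflate_unchecked is a simulation of the vulnerable pattern described above, with a constructed byte string standing in for stale heap; inflate_checked is the hardened counterpart. MAX_MESSAGE_SIZE, SAMPLE_BODY and STALE_HEAP are assumptions made for the example.

```python
import struct
import zlib
from typing import Optional, Tuple

# MongoDB wire-protocol constants (public wire protocol spec).
OP_COMPRESSED = 2012
OP_MSG = 2013
COMPRESSOR_ZLIB = 2
MAX_MESSAGE_SIZE = 48 * 1000 * 1000  # assumed bound (MongoDB's maxMessageSizeBytes is 48 MB)

# Constructed sample data: a fake inner OP_MSG body and a fake slice of
# "stale heap" standing in for whatever a real allocator would hand back.
SAMPLE_BODY = b"\x00" * 5 + b'{"constructed": "op_msg body"}'
STALE_HEAP = b"\x00" * 40 + b"AWS_SECRET=constructed-not-real" + b"\x00" * 200


def build_compressed(body: bytes, declared_size: Optional[int] = None, request_id: int = 1) -> bytes:
    """Wrap body in an OP_COMPRESSED message using zlib.

    declared_size overrides the uncompressedSize field. A value that differs
    from len(body) models the malformed packet described in the text: the
    compressed stream is valid, only the declared length lies.
    """
    stream = zlib.compress(body)
    size = len(body) if declared_size is None else declared_size
    compression_header = struct.pack("<iiB", OP_MSG, size, COMPRESSOR_ZLIB)
    total = 16 + len(compression_header) + len(stream)
    standard_header = struct.pack("<iiii", total, request_id, 0, OP_COMPRESSED)
    return standard_header + compression_header + stream


def split_compressed(msg: bytes) -> Tuple[int, int, int, bytes]:
    """Parse the standard and compression headers.

    Returns (original_opcode, uncompressed_size, compressor_id, compressed_stream).
    """
    if len(msg) < 25:
        raise ValueError("message too short")
    length, _request_id, _response_to, opcode = struct.unpack_from("<iiii", msg, 0)
    if length != len(msg) or opcode != OP_COMPRESSED:
        raise ValueError("not a well-formed OP_COMPRESSED message")
    original_opcode, size, compressor_id = struct.unpack_from("<iiB", msg, 16)
    return original_opcode, size, compressor_id, msg[25:]


def inflate_unchecked(msg: bytes, heap: bytes = STALE_HEAP) -> bytes:
    """Model of the vulnerable path (a simulation, not MongoDB's implementation).

    The output buffer is sized from the attacker-controlled uncompressedSize,
    the inflated bytes are copied in, and the remainder is left holding
    whatever was there before. `heap` stands in for that stale memory.
    """
    _op, size, compressor_id, stream = split_compressed(msg)
    if compressor_id != COMPRESSOR_ZLIB:
        raise ValueError("only zlib is modelled here")
    out = bytearray(size)
    out[: min(size, len(heap))] = heap[:size]  # simulated uninitialised contents
    inflated = zlib.decompress(stream)
    out[: len(inflated)] = inflated  # only len(inflated) bytes are overwritten
    return bytes(out)


def inflate_checked(msg: bytes) -> bytes:
    """Hardened counterpart: trust nothing in the header until zlib confirms it."""
    _op, size, compressor_id, stream = split_compressed(msg)
    if compressor_id != COMPRESSOR_ZLIB:
        raise ValueError("only zlib is modelled here")
    if size <= 0 or size > MAX_MESSAGE_SIZE:
        raise ValueError(f"implausible uncompressedSize {size}")
    d = zlib.decompressobj()
    # Cap output at size + 1 so an oversized stream is detected without
    # inflating a decompression bomb into memory.
    inflated = d.decompress(stream, size + 1)
    if len(inflated) != size:
        raise ValueError(f"declared uncompressedSize {size} but zlib produced {len(inflated)} bytes")
    if not d.eof:
        raise ValueError("truncated zlib stream")
    return inflated


def classify(msg: bytes) -> str:
    """Label a message the way a hardened server would: 'ok' or 'rejected: <reason>'."""
    try:
        inflate_checked(msg)
        return "ok"
    except (ValueError, zlib.error) as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    good = build_compressed(SAMPLE_BODY)
    bad = build_compressed(SAMPLE_BODY, declared_size=len(SAMPLE_BODY) + 40)
    print("well-formed:", classify(good))
    print("over-declared:", classify(bad))
    print("unchecked path leaks:", inflate_unchecked(bad)[len(SAMPLE_BODY):])
```

The only difference between the two decode paths is the comparison of the declared length with what zlib actually produced; that single check is what separates a memory disclosure from a rejected packet.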
Censys telemetry shows approximately 87,000 internet-exposed MongoDB instances are potentially vulnerable. The bug was quietly patched in vendor releases (8.2.3+, 8.0.17+, 7.0.28+, 6.0.27+, 5.0.32+, 4.4.30+), and CISA has already added it to the Known Exploited Vulnerabilities catalog with a hard remediation deadline for federal agencies. A public proof-of-concept is available on GitHub, which means every script kiddie with a scanner now has the tools to exploit unpatched instances.
For defenders, the immediate actions are clear:
- Patch immediately to the fixed versions listed above
- If patching isn't immediately feasible, disable zlib compression by starting mongod/mongos with --networkMessageCompressors set to a list that excludes zlib (for example snappy,zstd; the config-file equivalent is net.compression.compressors). Compression is negotiated per connection, so a client that only offers zlib simply falls back to uncompressed traffic, which is the safe outcome here
- Restrict network access to MongoDB instances: firewall rules should allow only trusted hosts
- Rotate credentials, API keys, and tokens after applying patches or if suspicious activity is observed
- Monitor for anomalous pre-authentication connections and unusual volumes of compressed packets
The broader lesson is familiar but worth restating: databases should never be internet-facing. The fact that 87,000 instances are exposed speaks to a systemic failure in deployment practices. Segment your data tier, enforce authentication, encrypt everything, and assume that any unauthenticated access path will be weaponized.
Qilin Ransomware: 700 Attacks and Still Accelerating
If you're tracking ransomware trends, Qilin (also known as Agenda) has been impossible to miss in 2025. The group has conducted over 700 attacks this year, making it one of the most prolific ransomware-as-a-service operations currently active. The campaign has targeted healthcare (45 attacks), government (40 attacks), manufacturing, and critical infrastructure with a double-extortion model that combines data encryption with public leak threats.
The operational impact has been severe. The Synnovis/NHS incident disrupted UK healthcare operations for weeks. Multiple US state, local, tribal, and territorial (SLTT) entities have been compromised. And the group's leak site continues to publish stolen data from organizations that refuse to pay.
What makes Qilin particularly dangerous is their exploitation of known Fortinet vulnerabilities--specifically CVE-2024-21762 and CVE-2024-55591, both added to CISA's KEV catalog. The group combines initial access via VPN/firewall exploitation with living-off-the-land tools (PowerShell, PsExec) and Cobalt Strike beacons to move laterally, dump credentials, and deploy ransomware payloads across entire networks.
The TTPs are well-documented at this point:
- Initial access via public-facing applications (especially Fortinet, but also spearphishing)
- Credential dumping and privilege escalation
- Lateral movement via SMB and RDP
- Data exfiltration before encryption
- Deployment of custom ransomware binaries with recovery inhibition
For defenders, the mitigations are multi-layered:
- Patch Fortinet FortiOS and FortiProxy immediately for the listed CVEs
- Implement MFA on all remote access services without exception
- Deploy EDR configured to detect PowerShell abuse, PsExec, Cobalt Strike, and anomalous SMB traffic
- Segment networks to limit lateral movement and maintain offline, tested backups
- Hunt for persistence mechanisms like registry run keys and Winlogon DLLs
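The hunt items above (registry run keys, Winlogon tampering, PsExec, PowerShell abuse) are easy to express as rules over host telemetry. The following is an added example, not from the original digest or any vendor: a small rule set run over constructed event records whose field names follow Sysmon (EventID 1 process creation, EventID 13 registry value set) and the System log service-install record (EventID 7045). The sample events, host names and the Winlogon default values are assumptions made for the example; the encoded-command regex covers the common spellings only, since PowerShell also accepts unambiguous prefixes such as -enco.

```python
import re
from typing import Dict, List

# Constructed sample events (a subset of fields, not a full schema).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "WS-042", "EventID": "13",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\Public\svchosts.exe"},
    {"host": "WS-042", "EventID": "13",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "Details": r"C:\Windows\system32\userinit.exe,C:\ProgramData\agnt.dll"},
    {"host": "WS-017", "EventID": "13",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": "explorer.exe"},
    {"host": "SRV-DC01", "EventID": "7045", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "SRV-DC01", "EventID": "7045", "ServiceName": "Splunkd",
     "ImagePath": r"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"},
    {"host": "WS-042", "EventID": "1",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"host": "WS-017", "EventID": "1",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
]

# Default Winlogon values on a stock Windows install (assumption for the example).
WINLOGON_DEFAULTS = {
    "shell": "explorer.exe",
    "userinit": r"c:\windows\system32\userinit.exe,",
}
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
WINLOGON_RE = re.compile(r"\\Winlogon\\(Shell|Userinit)$", re.IGNORECASE)
ENCODED_PS_RE = re.compile(
    r"(powershell|pwsh)(\.exe)?.*\s-(e|ec|en|enc|encodedcommand)\s", re.IGNORECASE)
PSEXEC_IMAGES = ("psexec.exe", "psexec64.exe", "psexesvc.exe")


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of every rule that fires on one event."""
    fired: List[str] = []
    eid = ev.get("EventID", "")
    if eid == "13":
        target = ev.get("TargetObject", "")
        value = ev.get("Details", "").strip().lower()
        if RUN_KEY_RE.search(target):
            fired.append("run_key")
        m = WINLOGON_RE.search(target)
        if m and value != WINLOGON_DEFAULTS[m.group(1).lower()]:
            fired.append("winlogon_tamper")
    elif eid == "7045":
        blob = (ev.get("ServiceName", "") + " " + ev.get("ImagePath", "")).lower()
        if "psexesvc" in blob:
            fired.append("psexec_service")
    elif eid == "1":
        image = ev.get("Image", "").lower()
        if image.endswith(PSEXEC_IMAGES):
            fired.append("psexec_process")
        if ENCODED_PS_RE.search(ev.get("CommandLine", "")):
            fired.append("encoded_powershell")
    return fired


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run every rule over every event; one alert per (event, rule) pair."""
    alerts: List[Dict[str, str]] = []
    for ev in events:
        for rule in check_event(ev):
            evidence = ev.get("TargetObject") or ev.get("ImagePath") or ev.get("CommandLine", "")
            alerts.append({"host": ev.get("host", "?"), "rule": rule, "evidence": evidence})
    return alerts


def summarize(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Count alerts per rule, useful as a quick triage view."""
    counts: Dict[str, int] = {}
    for a in hunt(events):
        counts[a["rule"]] = counts.get(a["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(f"{a['host']:9} {a['rule']:18} {a['evidence']}")
```

In production the same rules would read from your SIEM or EDR export rather than an inline list; the point is that none of these signals requires a signature for a specific Qilin binary.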
The surge in Qilin activity correlates with the decline of RansomHub after its infrastructure went dark earlier in the year. Qilin has effectively filled the vacuum, and their operational tempo shows no signs of slowing. Multiple threat intelligence reports confirm the group is actively recruiting affiliates and expanding targeting into new sectors.
Developer Tools: False Alarm Highlights Extension Security Tensions
The Visual Studio Code community experienced significant disruption this week when Microsoft temporarily removed the popular Material Theme extension (4+ million installations) from the marketplace--but the incident turned out to be a false positive rather than the supply-chain compromise initially reported.
Security researchers initially flagged suspicious network activity to domains including v475t82f.api.sanity.io, leading to reports of credential harvesting and data exfiltration. However, subsequent investigation revealed the flagged activity was legitimate telemetry and analytics functionality, and the domain in question is part of Sanity.io's content delivery network--not an attacker-controlled server.
Microsoft restored the extension after confirming no malicious code was present. While this outcome is preferable to an actual compromise, the incident highlights important challenges in the developer tool ecosystem:
- Automated security scanning produces false positives that can disrupt millions of users
- Extension telemetry and analytics practices remain opaque and controversial
- The line between "legitimate data collection" and "privacy-invasive behavior" is contentious
- Rapid detection/removal processes can create collateral damage
For defenders managing developer fleets, this incident offers lessons beyond the specific false alarm:
- Verify threat intelligence before taking defensive action--early reports may be incomplete
- Maintain extension governance policies that balance security with developer productivity
- Establish processes to quickly assess and respond to marketplace removals
- Consider privacy and telemetry implications when approving extensions for organizational use
The developer tool supply chain remains a genuine concern (as evidenced by recent npm and Maven Central incidents), but this particular case underscores the need for measured, evidence-based responses to security alerts.
State-Sponsored Espionage: BRICKSTORM and Evasive Panda
BRICKSTORM: PRC Multi-Stage Windows Implants
CISA's Malware Analysis Report AR25-338A provides a detailed technical breakdown of BRICKSTORM, a sophisticated backdoor attributed to PRC state-sponsored actors. The malware targets government agencies, critical infrastructure, and IT providers with multi-stage implants designed for credential harvesting and network reconnaissance.
The BRICKSTORM toolset resolves its command-and-control domains over DNS-over-HTTPS (DoH) to NextDNS and Quad9 public resolvers rather than through the victim's own DNS, so the lookups never reach internal DNS logs; it employs DLL side-loading for persistence and leverages .NET runtime execution to bypass application controls. The credential-harvesting module specifically targets LSASS for domain credentials and uses scheduled tasks with naming patterns that mimic legitimate Windows services.
CISA provides detailed IOCs including file hashes, the DoH resolver addresses the implant contacts (NextDNS and Quad9: 45.90.28.160, 45.90.30.160, 149.112.112.11, 149.112.112.112), and behavioral indicators for hunting. One caveat: those four addresses are public resolvers, not attacker infrastructure. Blocking them outright will break any legitimate client configured to use NextDNS or Quad9, and it is the C2 domains behind the lookups that you actually want to capture. The useful signal is HTTPS traffic to those resolvers from hosts that should be using the internal resolver. The mitigations are detection-focused: monitor for DoH sessions to the listed addresses, hunt for scheduled tasks with suspicious naming patterns, detect DLL side-loading in system directories, and implement credential protection (LSA protection, Credential Guard) to limit LSASS access.
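As an added example (not from the CISA report or the original digest), the following script applies that detection to connection records: it flags hosts talking to the four resolver addresses on 443, ignores hosts on an allowlist of legitimate DoH users, counts plain port-53 queries to the same addresses separately, and checks whether the HTTPS sessions recur at a fixed interval, which is the beaconing pattern you would expect from an implant rather than a browser. The log format is a constructed subset of Zeek conn.log columns (ts, orig_h, orig_p, resp_h, resp_p, proto, service, orig_bytes, resp_bytes), and ALLOWED_DOH_CLIENTS, the sample hosts and the jitter threshold are assumptions.

```python
from typing import Dict, List, Set

# Resolver addresses from the CISA report, as listed in the text above.
DOH_RESOLVERS: Dict[str, str] = {
    "45.90.28.160": "NextDNS",
    "45.90.30.160": "NextDNS",
    "149.112.112.11": "Quad9",
    "149.112.112.112": "Quad9",
}
# Assumption: hosts that legitimately use these resolvers (an egress proxy, say).
ALLOWED_DOH_CLIENTS: Set[str] = {"10.0.0.5"}

# Constructed connection records with a subset of Zeek conn.log columns:
# ts, orig_h, orig_p, resp_h, resp_p, proto, service, orig_bytes, resp_bytes.
SAMPLE_CONN_LOG = """\
#fields\tts\torig_h\torig_p\tresp_h\tresp_p\tproto\tservice\torig_bytes\tresp_bytes
1766880000.10\t10.0.0.5\t50211\t45.90.28.160\t443\ttcp\tssl\t412\t1180
1766880001.42\t10.0.1.23\t49822\t45.90.28.160\t443\ttcp\tssl\t356\t902
1766880061.40\t10.0.1.23\t49830\t45.90.28.160\t443\ttcp\tssl\t360\t898
1766880121.47\t10.0.1.23\t49841\t149.112.112.11\t443\ttcp\tssl\t358\t901
1766880181.39\t10.0.1.23\t49855\t45.90.28.160\t443\ttcp\tssl\t357\t905
1766880190.00\t10.0.1.23\t51000\t149.112.112.112\t53\tudp\tdns\t60\t120
1766880200.00\t10.0.1.40\t52000\t8.8.8.8\t443\ttcp\tssl\t500\t2000
1766880205.00\t10.0.0.5\t50300\t149.112.112.112\t443\ttcp\tssl\t410\t1175
"""

COLUMNS = ["ts", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "service", "orig_bytes", "resp_bytes"]


def parse_conn_log(text: str) -> List[Dict[str, str]]:
    """Parse tab-separated records, skipping Zeek-style '#' header lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != len(COLUMNS):
            continue  # malformed line; a real pipeline would log this
        records.append(dict(zip(COLUMNS, fields)))
    return records


def beacon_like(intervals: List[float], jitter: float = 5.0) -> bool:
    """True when at least three intervals all fall within `jitter` seconds of each other."""
    return len(intervals) >= 3 and (max(intervals) - min(intervals)) <= jitter


def find_doh_clients(records: List[Dict[str, str]], allowed: Set[str] = ALLOWED_DOH_CLIENTS) -> Dict[str, dict]:
    """Per-host summary of traffic to the listed resolvers, excluding allowlisted hosts."""
    findings: Dict[str, dict] = {}
    for r in records:
        resolver = DOH_RESOLVERS.get(r["resp_h"])
        if resolver is None or r["orig_h"] in allowed:
            continue
        port = int(r["resp_p"])
        if port not in (443, 53):
            continue
        f = findings.setdefault(r["orig_h"], {"doh": 0, "plain_dns": 0, "resolvers": set(), "doh_ts": []})
        f["resolvers"].add(resolver)
        if port == 443:
            f["doh"] += 1
            f["doh_ts"].append(float(r["ts"]))
        else:
            f["plain_dns"] += 1
    for f in findings.values():
        ts = sorted(f.pop("doh_ts"))
        f["intervals"] = [round(b - a, 2) for a, b in zip(ts, ts[1:])]
        f["beacon_like"] = beacon_like(f["intervals"])
    return findings


if __name__ == "__main__":
    for host, f in find_doh_clients(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(host, f)
```

The allowlist is the part worth thinking about: it should contain the handful of systems you have deliberately pointed at an external resolver, and nothing else, so that a workstation talking DoH to Quad9 every sixty seconds stands out on its own.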
Evasive Panda: Update to DNS Poisoning Campaign
We covered Evasive Panda's DNS poisoning campaign in our December 28 edition, but this week brought additional operational details from Kaspersky's full analysis. The group's two-year campaign (November 2022–November 2024) targeted organizations in Turkey, China, and India by poisoning DNS requests for software updaters, delivering the MgBot backdoor.
The new technical details highlight the sophistication: DPAPI+RC5 encryption for system-tied payloads, in-memory process injection, and persistence mechanisms that maintained access for over one year in some infections. The malware used DLL side-loading and modified startup scripts, with some infections achieving such deep persistence that standard remediation techniques failed.
The update reinforces the fundamental risk of trusting software update mechanisms that rely on DNS and unencrypted channels. For software vendors, this is a wake-up call to enforce HTTPS with certificate pinning and code signing validation. For defenders, monitor DNS query responses for mismatches, implement DNSSEC where feasible, and hunt for the specific artifacts Kaspersky documents (files in C:\ProgramData\Microsoft\MF and C:\ProgramData\Microsoft\eHome).
The Breach Blotter: Condé Nast and the Centralized Identity Problem
The media giant Condé Nast suffered a significant data breach with 2.3 million WIRED subscriber records leaked and a hacker claiming access to 40 million more records across the publisher's brands (The New Yorker, Vogue, GQ, Vanity Fair). The breach, attributed to hacker "Lovely," demonstrates the risks of centralized identity systems.
The leaked data includes full names, email addresses, account information, and potentially hashed passwords. While the publisher claims no payment information was exposed, the scale and centralization of the breach mean a single compromise cascaded across multiple high-profile publications.
The attacker reportedly attempted responsible disclosure before leaking the data, a detail that highlights the ongoing tension between security research, extortion, and publicity. For defenders, the incident is a reminder to:
- Monitor for suspicious email activity and phishing targeting affected users (the breach provides attackers with validated email lists for future campaigns)
- Enforce MFA on centralized account systems to limit the damage from credential exposure
- Review access controls for identity platforms--least privilege matters when a breach affects millions
- Conduct security awareness training focused on credential hygiene and phishing detection
The centralized identity model offers operational efficiency but creates systemic risk. This breach is a case study in that trade-off.
Closing Thoughts: Constant Vigilance, Measured Response
This final week of 2025 delivered a familiar lesson: the systems we trust implicitly (databases, developer tools, editor extensions, software updaters) remain both critical infrastructure and persistent attack vectors. MongoDB instances leak memory because the server trusted a length field in attacker-supplied compressed traffic. Editor extensions get pulled from millions of machines on the strength of an unverified telemetry signal. Users update software because DNS tells them to.
But this week also reminded us that not every alarm represents an actual breach. The VS Code Material Theme incident--initially reported as a supply-chain compromise affecting millions--turned out to be a false positive triggered by legitimate telemetry. The distinction matters: false positives create operational disruption and erode trust in threat intelligence, while real attacks demand immediate response.
The defensive playbook hasn't changed, but the execution demands both relentless attention and measured judgment: patch aggressively, segment ruthlessly, monitor continuously, and question every trust relationship--while verifying threats before taking disruptive action. MongoDB should never face the internet. Editor extensions need governance frameworks. DNS should be validated. Backups should be offline, immutable, and tested. And security alerts should be investigated, not just forwarded.
So, patch your MongoDB instances, audit your developer tools (but verify what you're actually defending against), review your OAuth integrations, and maybe--just maybe--spend some time validating that your software updates are actually coming from where you think they are.
The year is ending, but the campaigns aren't. Keep your defenses sharp, your assumptions sharper, and your threat intelligence verified.
-- KryptoKat
Vendor Patch Roundup
For teams tracking this week's security updates:
MongoDB:
- CVE-2025-14847 (MongoBleed) - Heap memory disclosure via zlib decompression (CISA KEV)
- Fixed in 8.2.3+, 8.0.17+, 7.0.28+, 6.0.27+, 5.0.32+, 4.4.30+
Fortinet:
- CVE-2024-21762 - FortiOS Out-of-Bounds Write (exploited by Qilin)
- CVE-2024-55591 - FortiOS/FortiProxy Authentication Bypass (exploited by Qilin)
Tenable Nessus Plugins (2025-12-28):
- CVE-2025-68617 - FluidSynth use-after-free (unpatched on some distributions)
- CVE-2025-13654 - duc use-after-free (fixed in 1.4.6)
- Multiple Linux distribution updates for Debian, Ubuntu, Fedora, Red Hat
Full plugin details at Tenable's update page.