Nomani investment scams rose 62% in 2025, ESET says.

Campaigns now run on YouTube as well as Facebook, pushing fake returns with AI-made videos.
64,000+ scam URLs were blocked this year.

🔗 How the fraud chain works → https://thehackernews.com/2025/12/nomani-investment-scam-surges-62-using.html

A new MacSync malware variant hit macOS via a signed and notarized app, letting it bypass Apple Gatekeeper.

The fake messaging installer ran like a legitimate app until Apple revoked the certificate.

🔗 Read → https://thehackernews.com/2025/12/new-macsync-macos-stealer-uses-signed.html

CISA added a Digiever NVR bug to its exploited list after confirmed attacks.

CVE-2023-52163 allows remote code execution through command injection once logged in.

Researchers link it to Mirai and ShadowV2 botnets. The device is end-of-life and unpatched.

🔗 Read → https://thehackernews.com/2025/12/cisa-flags-actively-exploited-digiever.html

Fortinet confirms active exploitation of a FortiOS SSL VPN flaw that bypasses 2FA.

CVE-2020-12812 lets attackers log in by changing the case of a username when LDAP is misconfigured.

The bug can allow admin or VPN access without second-factor checks.

🔗 Read → https://thehackernews.com/2025/12/fortinet-warns-of-active-exploitation.html

Stolen vault backups from the 2022 LastPass breach are still paying out.

$35 Million+ traced as attackers crack weak master passwords years later, draining crypto through 2025.

TRM Labs links laundering to Russian exchanges and mixers, despite CoinJoin use.

🔗 Read → https://thehackernews.com/2025/12/lastpass-2022-breach-led-to-years-long.html

ThreatsDayBulletin: Cyber threats are shifting tactics this week.

Stealthy loaders now hide in trusted tools, AI chatbot flaws and Docker prompt injection exploits can leak data, and commodity loaders deliver RATs to industry targets.

Android NFC malware and fake PoCs add to the risk.

🔗 Read → https://thehackernews.com/2025/12/threatsday-bulletin-stealth-loaders-ai.html

China-linked Evasive Panda ran a targeted DNS poisoning campaign to silently push spyware through fake software updates, Kaspersky reports.

🔗 Learn how poisoned DNS enabled stealth espionage → https://thehackernews.com/2025/12/china-linked-evasive-panda-ran-dns.html

🛑 Trust Wallet confirmed a security breach in its Chrome extension.

Malicious code was inserted into version 2.68, stealing wallet recovery phrases and draining about $7 million.

Users must update to v2.69.

🔗 Read details here → https://thehackernews.com/2025/12/trust-wallet-chrome-extension-bug.html

⚠️ MongoDB fixed a server flaw that lets unauthenticated users read uninitialized heap memory.

The bug, CVE-2025-14847 (8.7), affects releases from 3.6 through 8.2 and is tied to zlib compression handling.

Patches are available now.

🔗 Read → https://thehackernews.com/2025/12/new-mongodb-flaw-lets-unauthenticated.html

MongoDB servers are under active exploitation via CVE-2025-14847, a pre-auth memory leak.

Censys found 87,000 exposed instances. The default zlib compression flaw can leak passwords and API keys over time.

🔗 Read → https://thehackernews.com/2025/12/mongodb-vulnerability-cve-2025-14847.html

⚠️ Attackers turned npm into phishing infrastructure over five months.

27 npm packages were used as CDN-hosted lures mimicking document sharing and Microsoft sign-in pages, targeting sales staff at 25 industrial and healthcare firms.

🔗 Read → https://thehackernews.com/2025/12/27-malicious-npm-packages-used-as.html

⚡ Cyber attacks did not slow down at the end of 2025.

⚠️ Bugs were used fast
🔓 Trusted software was misused
💸 Old breaches caused new losses
📱 Cloud, crypto, mobile, insiders all showed up

This weekly recap breaks down what mattered in the final week of 2025 and what carries into 2026.

Read: https://thehackernews.com/2025/12/weekly-recap-mongodb-attacks-wallet.html

🛑 Mustang Panda is deploying TONESHELL via a kernel-mode rootkit driver.

The signed driver loads before antivirus tools, injects the backdoor into system processes, and blocks security visibility.

🔗 Read → https://thehackernews.com/2025/12/mustang-panda-uses-signed-kernel-driver.html

Silver Fox has shifted active phishing operations toward India, using income tax lures to deploy ValleyRAT.

The attack abuses legitimate Windows software and DLL sideloading to gain quiet, persistent access.

Researchers say the modular RAT enables role-based spying and credential theft.

🔗 Read → https://thehackernews.com/2025/12/silver-fox-targets-indian-users-with.html

Singapore’s CSA warns of a critical flaw in SmarterMail email servers.

The bug allows unauthenticated remote code execution via arbitrary file upload, scoring a perfect 10.0 on CVSS.

Any exposed server could be taken over without login.

🔗 Read → https://thehackernews.com/2025/12/csa-issues-alert-on-critical.html

Most SOCs are already testing AI. The problem is how it’s used.

The 2025 SANS SOC Survey shows 40% of SOCs run AI tools outside defined operations, leaving output inconsistent and hard to trust.

AI helps only when scoped, tested, and reviewed like any other system.

🔗 Why AI fails without workflow discipline → https://thehackernews.com/2025/12/how-to-integrate-ai-into-modern-soc.html

The U.S. Treasury quietly removed three people linked to Intellexa’s Predator spyware from its sanctions list, without explanation.

Weeks earlier, the same spyware was tied to an attempted WhatsApp attack on a Pakistani human rights lawyer, highlighting continued risk.

🔗 Read → https://thehackernews.com/2025/12/us-treasury-lifts-sanctions-on-three.html

Researchers found a modified Shai-Hulud malware strain hidden in an npm package updated after years of inactivity.

The malicious release was downloaded 197 times, with no signs of further spread so far.

🔗 Read → https://thehackernews.com/2025/12/researchers-spot-modified-shai-hulud.html

IBM disclosed a critical flaw in API Connect that lets attackers bypass login and gain remote access.

The issue, CVSS 9.8, affects versions 10.0.8.0–10.0.8.5 and 10.0.11.0.

No active exploitation seen, but fixes are advised now.

🔗 Read → https://thehackernews.com/2025/12/ibm-warns-of-critical-api-connect-bug.html

Researchers linked three malicious browser extension campaigns to one Chinese threat actor.

Over 8.8 million users across Chrome, Edge, and Firefox were affected over seven years, with some extensions lying dormant for years before turning malicious.

🔗Read → https://thehackernews.com/2025/12/darkspectre-browser-extension-campaigns.html

⚠️ Trust Wallet links its Chrome extension hack to Sha1-Hulud, an industry-wide supply-chain attack abusing developer tools.

The breach led to a malicious update and $8.5M in crypto theft before users were told to update.

🔗 Details here → https://thehackernews.com/2025/12/trust-wallet-chrome-extension-hack.html