Daily Security Briefing #104

December 15, 2025

SantaStealer malware, React2Shell exploits hit thousands of servers, and phishing scams escalate for the holidays…


Executive Summary

Today’s cybersecurity landscape reveals escalating threats through newly emerging malware campaigns and ongoing exploitation of critical vulnerabilities. The rebranded SantaStealer malware is poised to aggressively harvest sensitive data, while React2Shell vulnerabilities are being actively exploited to compromise tens of thousands of servers worldwide. Holiday-themed phishing and scams continue to rise sharply, leveraging AI-enhanced tactics to deceive users. Meanwhile, major data breaches and stealthy espionage campaigns underscore persistent risks across multiple sectors. Security teams must prioritize patching, awareness, and multifactor identity safeguards to counter these evolving challenges.


Top Articles

SantaStealer is Coming to Town: A New, Ambitious Infostealer Advertised on Underground Forums
Rapid7 Labs reports a new malware-as-a-service called SantaStealer, scheduled for release before the end of 2025. The infostealer, previously known as BluelineStealer, is promoted heavily via Telegram and underground forums. It targets a wide array of sensitive data, including documents, credentials, and digital wallets, emphasizing its broad potential impact across industries.
Rapid7

PCPcat Malware Leverages React2Shell Vulnerability to Breach 59,000+ Servers
A coordinated attack exploiting critical Next.js vulnerabilities (CVE-2025-29927 and CVE-2025-66478) has compromised over 59,000 servers globally in under 48 hours. The PCP attack group uses an industrialized command-and-control system targeting React-based applications, illustrating the severe risks posed by unpatched React2Shell flaws.
GBHackers

ZnDoor Malware Actively Exploits React2Shell to Breach Network Infrastructure
Security teams have identified ZnDoor, a new malware family exploiting the React2Shell RCE vulnerability (CVE-2025-55182), primarily targeting Japanese enterprises. Unlike initial cryptomining payloads, ZnDoor deploys backdoors and other dangerous tools designed for persistent access and lateral movement.
GBHackers

From Fake Deals to Phishing: The Most Effective Christmas Scams of 2025
Holiday scams have grown more sophisticated with AI-powered automation, with over 33,500 phishing emails and 10,000 fraudulent social media ads spotted in two weeks. Attackers use fake retail sites and giveaway promotions to trick users into disclosing credentials or financial information. The article offers practical defense tips for consumers and enterprises during the holiday season.
Check Point

700Credit Data Breach Exposes Names, Addresses, and Social Security Numbers
700Credit disclosed a major data breach impacting users and automotive dealerships nationwide. The breach, detected in December 2024, exposed personally identifiable information through vulnerabilities in their 700Dealer.com platform. The company is conducting an ongoing investigation and notifying affected parties amid growing concerns over identity theft.
CyberPress

Featured Chrome Browser Extension Caught Intercepting Millions of Users’ AI Chats
Urban VPN Proxy, a widely used Chrome extension with over six million users, has been caught silently collecting users’ AI chatbot prompts from platforms like OpenAI ChatGPT and Google Gemini. Despite its “Featured” badge and high ratings, this extension poses privacy risks by gathering sensitive conversational data without informed consent.
The Hacker News

New Cyber Espionage Campaign Targets Exchange & IIS with Custom Backdoors
The xHunt group has resurfaced with targeted intrusions against Kuwait’s shipping and government sectors, deploying custom PowerShell backdoors on Microsoft Exchange and IIS servers. This ongoing espionage campaign, active since 2018, highlights persistent threats from state-sponsored actors conducting long-term intelligence operations.
CyberPress

2025’s Top Phishing Trends and What They Mean for Your Security Strategy
Phishing attacks have evolved beyond email in 2025, leveraging social networks, search advertisements, and browser-based methods to bypass multifactor authentication and hijack sessions. Security experts stress the need for adaptive defenses as identity-based attacks grow more sophisticated heading into 2026.
BleepingComputer

Against the Federal Moratorium on State-Level Regulation of AI
Senator Ted Cruz’s proposed ten-year federal moratorium on state AI regulations has drawn criticism for potentially stalling necessary governance. The measure raises concerns about unchecked influence of major AI companies and the need for coordinated but flexible policy frameworks to address AI’s economic and ethical impacts.
Schneier

Data Is the New Intelligence: How Three Decades of Threat Data Made Check Point Early to AI for Cyber Security
Check Point reflects on its early adoption of AI in cybersecurity, underscoring that AI’s effectiveness depends heavily on the quality and quantity of threat data it ingests. Their three decades of accumulated threat intelligence have grounded AI-driven detection, prevention, and prediction capabilities critical to safeguarding against modern threats.
Check Point

FreePBX Patches Critical SQLi, File-Upload, and AUTHTYPE Bypass Flaws Enabling RCE
FreePBX, the open-source telephony platform, released security updates addressing multiple high-risk vulnerabilities, including a critical authentication bypass (CVE-2025-61675). These flaws potentially allowed remote code execution, underscoring the importance of timely patching in telecommunications infrastructure.
The Hacker News


AI Transparency: This newsletter uses AI to curate, rank, and summarize cybersecurity content from leading industry blogs. All articles link directly to original authors. Executive summaries are AI-generated based on article content. I curate the sources and deliver the digest—the original authors deserve the credit for their excellent work.

