
Daily Security Briefing #105
- DjediTech
- Security, Newsletter
- December 16, 2025
Chinese AI surveillance, Ink Dragon cyberespionage growth, and rising ransomware with AI-assisted tactics headline today’s briefing.
Executive Summary
Cybersecurity trends continue to reveal an unsettling rise in state-sponsored espionage, advanced ransomware tactics, and emerging threats targeting critical infrastructure. China’s expansive AI-driven surveillance technology export highlights geopolitical concerns over digital authoritarianism and human rights impacts. Meanwhile, Russian hackers are shifting focus to network edge devices in Western critical sectors, escalating risks to vital systems. The evolution of ransomware is accelerated by AI-powered tools boosting operation scale and speed, signaling increasingly sophisticated threat actors. Defensive strategies for 2026 will need to address these expanding and intersecting threat vectors.
Top Articles
Chinese Surveillance and AI
A detailed report exposes China’s role as the world’s leading exporter of AI-powered surveillance technologies, which are increasingly employed to reshape human rights conditions both domestically and abroad. This expansive digital control system challenges policymakers and civil society to recognize the global ramifications of these capabilities.
Schneier.com
Ink Dragon Expands With New Tools and a Growing Victim Network
Ink Dragon, a Chinese espionage group, has extended its operations from Asia and South America into European government networks. Employing compromised servers as relay nodes and new variants of the FinalDraft malware, the group conceals its activity within Microsoft cloud environments to maintain long-term access. This highlights a growing threat to government cybersecurity across multiple continents.
Checkpoint.com
Link11 Identifies Five Cybersecurity Trends Set to Shape European Defense Strategies in 2026
Link11’s analysis identifies five key cybersecurity trends expected to influence European defense approaches next year, based on current threat landscapes and industry research. These insights aim to guide organizations in strengthening security measures amidst evolving attack vectors and geopolitical tensions.
GBHackers.com
Russian Hackers Launch Attacks on Network Edge Devices in Western Critical Infrastructure
Russian state-sponsored actors, notably GRU-linked clusters, have intensified attacks on misconfigured network edge devices in critical Western infrastructure. This strategic shift deprioritizes overt vulnerability exploitation in favour of stealthy network access that enables broader operational impact.
GBHackers.com
OSINT Techniques Updates
A comprehensive update to the OSINT VM build includes migration to Debian 13, updated installation scripts, and transitions from pip3 to pipx for several components. These refinements improve security and usability for open-source intelligence gathering tools.
IntelTechniques.com
FreePBX Vulnerabilities Enable Authentication Bypass Leading to Remote Code Execution
Horizon3.ai researchers have disclosed critical vulnerabilities in FreePBX that enable unauthenticated remote code execution through a chain of exploits combining authentication bypass, SQL injection, and arbitrary file upload. Affected systems should be patched urgently to mitigate these serious risks.
CyberPress.org
AI Powered Tools Are Driving the Evolution of Ransomware Operations and Service Based Cybercrime
SentinelLABS research shows that LLM-based AI tools like ChatGPT and Claude are enhancing ransomware operations by increasing speed and scale across all attack phases. While the fundamentals remain the same, AI integration significantly accelerates processes from reconnaissance to extortion negotiations.
CyberPress.org
Most Parked Domains Now Serving Malicious Content
A new study reveals that the majority of parked domains—expired or dormant names plus common typos—redirect users to malicious sites distributing scams and malware. This trend increases risks for direct domain navigation and calls for increased caution in web browsing habits.
KrebsOnSecurity.com
Cellik Android malware builds malicious versions from Google Play apps
The Cellik Android malware-as-a-service framework offers cybercriminals the ability to generate malicious versions of legitimate Google Play Store apps. This MaaS platform, advertised on underground forums, expands the threat landscape for Android users globally.
BleepingComputer.com
The Hidden Risk in Virtualization: Why Hypervisors are a Ransomware Magnet
Ransomware groups are increasingly targeting hypervisors to maximize operational damage by encrypting multiple virtual machines through a single breach. Analysis of real-world incidents highlights visibility gaps and recommends hardening measures for virtualization infrastructure.
BleepingComputer.com
Compromised IAM Credentials Power a Large AWS Crypto Mining Campaign
An ongoing campaign exploits compromised AWS IAM credentials to run unauthorized cryptocurrency mining operations. Detected by Amazon GuardDuty, this activity uses novel persistence methods to evade detection, posing significant risks to cloud resource security and costs.
TheHackerNews.com
AI Transparency: This newsletter uses AI to curate, rank, and summarize cybersecurity content from leading industry blogs. All articles link directly to original authors. Executive summaries are AI-generated based on article content. I curate the sources and deliver the digest—the original authors deserve the credit for their excellent work.