Daily Security Briefing #111

December 22, 2025

Microsoft ends RC4 encryption, phishing abuses Google Cloud automation, BlindEagle targets government agencies with PowerShell trojans


Executive Summary

Today’s cybersecurity landscape highlights significant progress and persistent threats. Microsoft’s decision to finally retire the outdated RC4 encryption signifies a decisive step toward enhanced cryptographic security after decades of vulnerability. Phishing actors have evolved their access strategies by abusing trusted cloud automation tools, notably Google Cloud Application Integration, which poses increased risks to enterprise users. Government institutions, particularly in Colombia and India, remain prime targets for advanced persistent threat actors such as BlindEagle and SideWinder, who employ sophisticated multi-stage attacks leveraging spear-phishing and DLL side-loading techniques. Meanwhile, data breaches and malware campaigns continue to challenge defenders globally, emphasizing the need for vigilant security practices and defenses.


Top Articles

Microsoft Is Finally Killing RC4
After 26 years, Microsoft is retiring the RC4 cipher from Windows servers, eliminating a long-standing weakness that attackers have exploited by forcing authentication to fall back to RC4. This update completes Microsoft’s transition to stronger cryptographic standards, including AES, and reduces the attack surface for interception and cryptanalysis on Windows platforms.
Schneier

Phishing Campaign Leverages Trusted Google Cloud Automation Capabilities to Evade Detection
Attackers have abused Google Cloud Application Integration to send over 9,000 phishing emails that impersonate legitimate Google-generated notifications, such as voicemail alerts and file permission requests. This tactic leverages trusted infrastructure to bypass security filters, targeting roughly 3,200 enterprise customers, and underscores the evolving sophistication of phishing threats that exploit cloud service automation.
Checkpoint

Blind Eagle Hackers Target Government Agencies Using PowerShell Scripts
The BlindEagle APT group has been identified conducting complex cyber espionage campaigns against Colombian government institutions, employing spear-phishing to compromise internal email accounts and deploying remote access trojans via PowerShell scripts and steganography. Newly uncovered attacks show targeted exploitation within the Ministry of Commerce, Industry, and Tourism, highlighting continued risks to critical government infrastructure.
GBHackers | CyberPress

SideWinder APT Launches Cyberattacks on Indian Entities Posing as the Income Tax Department
The SideWinder group (also known as Rattlesnake or APT-C-17) has initiated a sophisticated espionage campaign targeting Indian organizations through fake Income Tax Department portals. The group uses DLL side-loading with legitimate Microsoft binaries to evade detection, marking an evolution in their tradecraft focused on bypassing traditional security measures in government and corporate sectors.
GBHackers

AI-enabled Self-software
Artificial intelligence innovations in 2025 have notably shifted software consumption models, enabling users to create personalized apps (e.g., workout or analytics tools) powered by AI. This trend is quietly reshaping software usage, potentially reducing reliance on traditional paid solutions by allowing end-users to generate and customize their own tools more autonomously.
DanielMiessler

Arcane Werewolf Expands Firepower with Loki 2.1 Malware Toolkit
The Arcane Werewolf threat actor, targeting Russian industrial firms, has upgraded its malware arsenal with the Loki 2.1 implant, compatible with Mythic and Havoc frameworks used for post-exploitation. Recent phishing campaigns have delivered this advanced toolkit, indicating a refined approach to persistent industrial espionage and cyber sabotage.
CyberPress

Coupang Breach Affecting 33.7 Million Users Raises Data Protection Questions
Coupang disclosed a data breach impacting 33.7 million customers after unauthorized access to personal data remained undetected for nearly five months. Experts warn this event highlights risks related to insider credential abuse and advocate for enhanced encryption measures surpassing minimal legal requirements to better protect customer data.
BleepingComputer

Fake WhatsApp API Package on npm Steals Messages, Contacts, and Login Tokens
A malicious npm package named “lotusbail” masquerades as a legitimate WhatsApp API but intercepts all messages and contacts, linking attackers to victims’ WhatsApp accounts. With over 56,000 downloads, this malicious package poses a significant supply-chain risk to developers and users relying on trusted package repositories.
TheHackerNews

CISA Flags ASUS Live Update CVE, But the Attack Is Years Old
An ASUS Live Update vulnerability (CVE-2025-59374) recently circulated in security feeds was revealed to be from an older supply-chain attack targeting an End-of-Life software product. This highlights the importance of verifying the relevance and timeline of disclosed vulnerabilities to avoid confusion over current threat levels.
BleepingComputer

Weekly Recap: Firewall Exploits, AI Data Theft, Android Hacks, APT Attacks, Insider Leaks & More
Last week’s cyber threat landscape showed attackers exploiting everyday tools including firewalls, browser extensions, and IoT devices like smart TVs. The growing tactic of using small, widespread vulnerabilities within trusted infrastructure underscores a shift toward numerous low-profile attacks causing cumulative damage rather than singular major breaches.
TheHackerNews


AI Transparency: This newsletter uses AI to curate, rank, and summarize cybersecurity content from leading industry blogs. All articles link directly to original authors. Executive summaries are AI-generated based on article content. I curate the sources and deliver the digest—the original authors deserve the credit for their excellent work.
