
Daily Security Briefing #113
- DjediTech
- Security, Newsletter
- December 24, 2025
Urban VPN spying on AI chats, Evasive Panda’s AitM campaign, Operation PCPcat hacks 59,000+ servers…
Executive Summary
Cyber threats continue escalating with highly targeted espionage and large-scale attacks dominating this week. Urban VPN’s extension covertly intercepts conversations from major AI platforms, raising serious privacy concerns. The China-linked APT group Evasive Panda has intensified its operations using adversary-in-the-middle and DNS poisoning tactics to deliver malware stealthily. Meanwhile, Operation PCPcat’s credential-stealing campaign has compromised over 59,000 Next.js servers, exploiting critical React framework vulnerabilities. Further, social engineering and phishing continue to plague enterprise sectors, alongside rising AI-driven scams on social media. This evolving landscape demands vigilant defenses and diverse cybersecurity expertise.
Top Articles
Urban VPN Proxy Surreptitiously Intercepts AI Chats
Urban VPN’s browser extension secretly captures conversations across ten AI platforms, including ChatGPT and Microsoft Copilot, using embedded “executor” scripts. The interception is enabled by default, with no user option to disable it, so sensitive user data is exposed without their knowledge. The only way to stop the data collection is to uninstall the extension completely.
Bruce Schneier
Evasive Panda APT: Malware Delivery via AitM and DNS Poisoning
The China-linked group Evasive Panda (also tracked as Bronze Highland, Daggerfly, and StormBamboo) has conducted a two-year campaign using adversary-in-the-middle and DNS poisoning attacks to distribute its MgBot malware. Active from November 2022 to November 2024, the operation targeted organizations across China, India, and Turkey, maintaining persistent, stealthy access to victim networks.
GBHackers | CyberPress
Operation PCPcat Exploits Next.js and React, Impacting 59,000+ Servers
A widespread credential theft campaign called Operation PCPcat has exploited critical vulnerabilities in the React framework to compromise over 59,000 Next.js servers worldwide. Researchers tracked the attacker infrastructure via honeypots, revealing the alarming scale and sophistication of the data harvesting from the affected servers.
GBHackers
Malicious AV-Themed Documents Deployed in Targeted Attacks Against Israeli Organizations
Operation IconCat leverages fake antivirus-themed phishing documents to attack Israeli enterprises, especially IT firms and software companies. Linked to threat cluster UNG0801, the campaign originates in Western Asia and represents a targeted approach to credential theft and network infiltration using socially engineered lures.
CyberPress
New MacSync macOS Stealer Uses Signed App to Bypass Apple Gatekeeper
A new MacSync malware variant targets macOS users through a digitally signed Swift app masquerading as a messaging installer. The signature lets it bypass Apple’s Gatekeeper protections, unlike previous versions that relied on user interaction for execution, marking an evolution in macOS-specific threat delivery.
The Hacker News
Nomani Investment Scam Surges 62% Using AI Deepfake Ads on Social Media
The Nomani scam campaign has increased by 62%, extending beyond Facebook to platforms like YouTube. Using AI-generated deepfake advertisements, this fraudulent investment scheme deceives users at scale, with ESET reporting over 64,000 blocked URLs associated with these campaigns in 2025.
The Hacker News
Fake MAS Windows Activation Domain Used to Spread PowerShell Malware
Attackers employed a typosquatted domain impersonating Microsoft Activation Scripts (MAS) to distribute malicious PowerShell scripts that load the Cosmali Loader malware, compromising Windows systems by spoofing a trusted domain.
BleepingComputer
OpenAI is Reportedly Testing Claude-like Skills for ChatGPT
OpenAI is developing “Skills” functionality reminiscent of Claude’s features, aiming to enhance ChatGPT’s interactivity and response capabilities through modular skill sets, which could significantly expand AI assistant usability.
BleepingComputer
Pro-Russian Hackers Claim Cyberattack on French Postal Service
DDoS attacks knocked the central systems of France’s La Poste offline, with pro-Russian hacker groups claiming responsibility. The disruption affected France’s national postal network on Monday, highlighting continued geopolitical cyber tensions.
SecurityWeek
Who Does Cybersecurity Need? You!
Unit 42 emphasizes that cybersecurity requires diverse talents beyond coding, welcoming professionals from writing, design, and other fields to support security efforts. This inclusive approach aims to build stronger defense teams through varied skills.
Unit42
AI Transparency: This newsletter uses AI to curate, rank, and summarize cybersecurity content from leading industry blogs. All articles link directly to original authors. Executive summaries are AI-generated based on article content. I curate the sources and deliver the digest—the original authors deserve the credit for their excellent work.