Storm-2372: Russia-Linked Hackers Exploit Microsoft 365 Device Code Phishing for Account Takeovers
Executive Summary A sophisticated campaign orchestrated by Russia-linked threat actors has been observed leveraging the Microsoft 365 OAuth device code authentication flow to facilitate large-scale account takeovers. This attack, attributed to the group tracked as Storm-2372, exploits legitimate device code login mechanisms to harvest authentication tokens, bypassing traditional credential-based security controls. The campaign, active since at least August 2024, targets a b
Dec 21, 2025 · 4 min read


CountLoader and GachiLoader Malware Targeting Windows Systems via Cracked Software and YouTube Campaigns
Executive Summary A new wave of cyberattacks is exploiting the popularity of cracked software and the reach of YouTube to distribute two highly sophisticated malware loaders: CountLoader and GachiLoader. These loaders are engineered to deliver a variety of secondary payloads, including advanced information stealers and remote access tools, while employing advanced evasion techniques such as fileless execution, signed binary proxy abuse, and novel process injection. The camp
Dec 21, 2025 · 5 min read


Russian Cyberattacks on Tureby Alkestrup Waterworks and Danish Election Websites: Attribution, Impact, and Mitigation
Executive Summary Danish authorities have publicly attributed a series of cyberattacks targeting critical infrastructure and public services in Denmark to Russian state-linked threat actors. In 2024, the Tureby Alkestrup Waterworks southwest of Copenhagen suffered a destructive cyberattack that manipulated water pressure controls, resulting in burst pipes and temporary water outages for up to seven hours for some households. The attack was attributed to the pro-Russian group
Dec 21, 2025 · 6 min read


Microsoft 365 Under Attack: OAuth Device Code Phishing Campaigns Bypass MFA and Compromise Accounts (2024–2025)
Executive Summary A sophisticated and rapidly evolving wave of phishing attacks is currently targeting Microsoft 365 accounts by exploiting the OAuth device code authorization flow. This attack vector, first observed in the wild in late summer 2024, enables adversaries to bypass both traditional credential theft defenses and multi-factor authentication (MFA) controls. The campaigns are orchestrated by a mix of financially motivated and state-aligned threat actors, including
Dec 21, 2025 · 5 min read


CVE-2025-14733: Critical WatchGuard Firebox Firewall RCE Vulnerability Actively Exploited in the Wild
Executive Summary A newly disclosed critical vulnerability, CVE-2025-14733, has been identified in WatchGuard Firebox firewalls, representing a significant threat to organizations relying on these devices for perimeter security. This flaw, an out-of-bounds write in the Fireware OS iked process, enables unauthenticated remote attackers to execute arbitrary code on affected appliances. The vulnerability is being actively exploited in the wild, with multiple threat actors lev
Dec 21, 2025 · 5 min read


ArcaneDoor Exploits Cisco ASA/FTD VPNs and Ransomware Groups Target Enterprise Email Services in 2024–2025 Campaigns
Executive Summary In the second quarter of 2024, two highly sophisticated and distinct cyber threat campaigns have been observed targeting enterprise environments globally. The first campaign exploits critical vulnerabilities in Cisco VPN infrastructure, specifically affecting Cisco ASA and Cisco Secure Firewall devices, and is attributed to the advanced persistent threat group known as ArcaneDoor. The second campaign leverages a combination of social engineering, remote
Dec 21, 2025 · 5 min read


U.S. DOJ Charges 54 in Ploutus Malware ATM Jackpotting Attacks Targeting Diebold Nixdorf and Kalignite Systems
Executive Summary Between February 2024 and December 2025, a coordinated criminal campaign targeted U.S. banks and credit unions using the advanced Ploutus malware to execute ATM jackpotting attacks. The U.S. Department of Justice (DOJ) has indicted 54 individuals, all allegedly linked to the Venezuelan gang Tren de Aragua (TdA), a group designated as a foreign terrorist organization. The attackers gained physical access to ATMs, installed Ploutus via hard drive replacemen
Dec 21, 2025 · 6 min read


CVE-2025-68260: Critical Race Condition in Rust-Based Android Binder Subsystem Affects Linux Kernel 6.18+
Executive Summary A critical security vulnerability, CVE-2025-68260, has been discovered in the Rust implementation of the Android Binder subsystem within the Linux kernel. This marks the first known CVE affecting Rust code in the Linux kernel, highlighting both the growing adoption of Rust for system-level programming and the importance of rigorous concurrency management even in memory-safe languages. The vulnerability is a race condition in the management of linked lists
Dec 18, 2025 · 4 min read


Kimsuky Campaign Uses QR Phishing to Distribute DocSwap Android Malware via Fake CJ Logistics Delivery App
Executive Summary A highly targeted and technically advanced campaign orchestrated by the North Korean threat actor Kimsuky has been identified, leveraging QR code phishing to distribute the DocSwap Android malware. This operation primarily impersonates the reputable South Korean logistics provider CJ Logistics, tricking users into installing a trojanized delivery tracking application. The attack chain is distinguished by its seamless integration of social engineering, QR
Dec 18, 2025 · 4 min read


Cisco AsyncOS Email Security Appliance Zero-Day (CVE-2025-20393) Actively Exploited in Ongoing Attacks
Executive Summary Cisco has issued an urgent security advisory regarding an actively exploited, unpatched zero-day vulnerability (CVE-2025-20393, CVSS 10.0) in Cisco AsyncOS software, which underpins the Cisco Secure Email Gateway (SEG) and Cisco Secure Email and Web Manager (SEWM) appliances. This vulnerability, rooted in improper input validation (CWE-20), allows remote, unauthenticated attackers to execute arbitrary commands as root on the underlying operating system.
Dec 18, 2025 · 5 min read


CISA Adds Critical ASUS Live Update Supply Chain Vulnerability to KEV After Confirmed Exploitation (CVE-2025-59374)
Executive Summary The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical advisory regarding a severe vulnerability in ASUS Live Update, following confirmation of active exploitation in the wild. This vulnerability, cataloged as CVE-2019-12999 and associated with the infamous Operation ShadowHammer, represents a sophisticated supply chain attack in which malicious actors compromised the ASUS software update infrastructure. By injecting troj
Dec 18, 2025 · 5 min read


AWS Cryptomining Attack: Threat Intelligence on Stolen IAM Credentials Fueling Large-Scale EC2 & ECS Abuse
Executive Summary A recent surge in cryptomining campaigns has been observed targeting cloud infrastructure, with a particular focus on Amazon Web Services (AWS) environments. Attackers are leveraging stolen AWS Identity and Access Management (IAM) credentials to gain unauthorized access, rapidly deploy compute resources, and execute large-scale cryptomining operations. These campaigns are characterized by their speed, scale, and advanced evasion tactics, resulting in signi
Dec 18, 2025 · 4 min read


CVE-2025-55182: Critical React Server Components Vulnerability (React2Shell) Exploited in Ransomware and APT Attacks
Executive Summary The React2Shell vulnerability, formally identified as CVE-2025-55182, represents a critical unauthenticated remote code execution (RCE) flaw in React Server Components. Since its public disclosure in early December 2025, this vulnerability has been weaponized by a spectrum of threat actors, including ransomware operators, advanced persistent threat (APT) groups, and financially motivated cybercriminals. The flaw, which carries a maximum CVSS v3.x score of
Dec 18, 2025 · 4 min read


APT28 Credential Phishing Campaign Targets UKR.net Users: Technical Analysis and Threat Intelligence Report
Executive Summary A sophisticated and persistent credential phishing campaign orchestrated by APT28, also known as Fancy Bear, BlueDelta, Forest Blizzard, and several other aliases, has been targeting users of the Ukrainian webmail service UKR.net. This campaign, active from at least June 2024 through April 2025, leverages advanced social engineering, multi-stage redirection, and abuse of legitimate cloud and tunneling services to harvest credentials and two-factor auth
Dec 18, 2025 · 5 min read


SonicWall SMA 1000 Zero-Day Attack Chain: CVE-2025-23006 and CVE-2025-40602 Actively Exploited, Patch Now
Executive Summary A critical zero-day vulnerability chain has been discovered and actively exploited in the wild, targeting SonicWall Secure Mobile Access (SMA) 1000 appliances. The attack leverages two distinct vulnerabilities: a pre-authentication deserialization flaw (CVE-2025-23006) and a local privilege escalation issue (CVE-2025-40602). When chained, these vulnerabilities enable unauthenticated remote attackers to achieve root-level code execution on affected devic
Dec 18, 2025 · 4 min read


CVE-2025-55182 React2Shell: Chinese APT Groups Exploit Critical React Server Components Vulnerability for Malware Delivery
Rescana Threat Intelligence Report: Google Sees 5 Chinese Groups Exploiting React2Shell (CVE-2025-55182) for Malware Delivery
Date: December 2025
Prepared by: Rescana OSINT Cybersecurity Research Team
Primary Sources: Google Threat Intelligence Group, AWS, SecurityWeek, NVD, Wiz, Trend Micro
Executive Summary On December 3, 2025, a critical unauthenticated remote code execution (RCE) vulnerability in React Server Components, tracked as CVE-2025-55182 ("React2Shell"), was
Dec 16, 2025 · 8 min read


Critical Sierra Wireless AirLink ALEOS Router Vulnerability (CVE-2018-4063) Added to CISA KEV After Active Exploitation Enables Remote Code Execution
Executive Summary The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability affecting Sierra Wireless AirLink ALEOS routers to its Known Exploited Vulnerabilities (KEV) catalog, following confirmed reports of active exploitation in the wild. The flaw, tracked as CVE-2018-4063, enables remote code execution (RCE) via an unrestricted file upload mechanism. This vulnerability is being actively targeted by threat actors, with exploitatio
Dec 14, 2025 · 3 min read


Apple Urgently Patches WebKit Zero-Day Vulnerabilities Exploited in Targeted Attacks Affecting iOS, macOS, and Safari
Rescana Cybersecurity Threat Intelligence Report: Apple Issues Security Updates After Two WebKit Flaws Found Exploited in the Wild
Date: December 13, 2025
Prepared by: Rescana OSINT Cybersecurity Research Team
Executive Summary Apple has released emergency security updates to address two zero-day vulnerabilities in WebKit, the browser engine powering Safari and all browsers on iOS. Both vulnerabilities (CVE-2025-43529 and CVE-2025-14174) have been confirmed as exploited in t
Dec 14, 2025 · 3 min read


PyStoreRAT Malware Campaign: Fake OSINT and GPT GitHub Repositories Target Security Researchers and Cryptocurrency Users
Date: December 2025
Prepared by: Rescana OSINT Cybersecurity Research Team
Executive Summary A sophisticated malware campaign is leveraging fake GitHub repositories, masquerading as OSINT (Open Source Intelligence) and GPT utility tools, to distribute a new modular Remote Access Trojan (RAT) named PyStoreRAT. The campaign targets security researchers, developers, and cryptocurrency users, using deceptive social engineering and supply chain tactics to propagate the malware.
Dec 14, 2025 · 4 min read


Rescana Threat Intelligence Report: Widespread Exploitation of React Server Components via CVE-2025-55182 (React2Shell)
Prepared by: Rescana OSINT Cybersecurity Research Team
Sources: Cloudflare, Huntress, NVD, Assetnote, Vercel, public threat intelligence feeds
Executive Summary The critical React2Shell vulnerability (CVE-2025-55182) in React Server Components (RSC) has been weaponized and is being actively exploited in the wild. Within hours of public disclosure, threat actors—primarily Asia-linked groups—began mass scanning and exploitation campaigns. These attacks have resulted in the de
Dec 14, 2025 · 4 min read