AI-Driven Phishing Kits Target Microsoft 365 and European Banks with Advanced MFA Bypass Techniques
Rescana Cybersecurity Threat Intelligence Report New Advanced Phishing Kits Use AI and MFA Bypass Tactics to Steal Credentials at Scale Date: December 2025 Prepared by: Rescana OSINT Cybersecurity Research Team Primary Sources: The Hacker News, Zscaler ThreatLabz, Barracuda, Abnormal Security, Varonis, ANY.RUN Executive Summary In late 2025, researchers identified a new generation of advanced phishing kits—BlackForce, GhostFrame, InboxPrime AI, and Spiderman—that leve
Dec 14, 2025 · 4 min read


ShadowMQ Vulnerabilities: Over 30 Critical Flaws in Meta Llama, NVIDIA TensorRT-LLM, vLLM, and Other AI Inference Engines Enable Data Theft and Remote Code Execution
Executive Summary Recent cybersecurity research has revealed over 30 critical vulnerabilities in leading AI coding tools and inference engines, including Meta Llama LLM, vLLM, NVIDIA TensorRT-LLM, Modular Max Server, Microsoft Sarathi-Serve, and SGLang. These flaws, collectively identified as the "ShadowMQ" pattern, enable remote code execution (RCE) and data theft, representing a significant threat to organizations deploying AI infrastructure. The vulnerabilities prima
Dec 7, 2025 · 5 min read


Critical XXE Vulnerability CVE-2025-66516 (CVSS 10.0) in Apache Tika Enables File Disclosure, SSRF, and Remote Code Execution – Immediate Patch Required
Executive Summary A critical XML External Entity (XXE) injection vulnerability, CVE-2025-66516 (CVSS 10.0), has been identified in Apache Tika, a widely used content analysis toolkit. This vulnerability enables unauthenticated attackers to exploit the PDF parsing functionality, leading to arbitrary file disclosure, Server-Side Request Forgery (SSRF), and, under certain conditions, remote code execution. The flaw is present in multiple Apache Tika modules, including tika-co
Dec 7, 2025 · 5 min read
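The XXE class named in the Tika summary above works the same way in any XML parser that resolves external general entities: a DOCTYPE declares a SYSTEM entity pointing at a local file (or, for the SSRF variant, an http:// URL), and a reference to that entity in the body pulls the target's contents into the parsed document. The block below is an added illustration of that mechanism, not code from Apache Tika or from this report; it uses Python's standard-library expat-backed SAX parser because that parser exposes the external-entities switch directly and runs offline. The secret file, its contents and the payload document are all constructed for the demo.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects character data so we can see what an entity expanded to."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_text(xml_bytes, resolve_external_entities):
    """Parse xml_bytes and return the document's text content.

    resolve_external_entities=True is the XXE-prone configuration: a
    SYSTEM entity is fetched from disk (or, with an http:// system id,
    over the network, which is the SSRF variant). False, the Python
    default since 3.7.1, is the hardened setting: the entity expands to
    nothing and the target file is never opened.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.parts).strip()


def build_xxe_document(target_path):
    """Build the classic XXE payload: a DOCTYPE declaring a SYSTEM entity
    that points at a local file, then a reference to it in the body.
    The entity name 'xxe' and root element 'doc' are arbitrary choices."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE doc [\n'
        f'  <!ENTITY xxe SYSTEM "{target_path}">\n'
        ']>\n'
        '<doc>&xxe;</doc>\n'
    ).encode()


def run_demo():
    """Write a constructed secret to a temp file, then parse the same
    payload with both settings. Returns what each parse exposed."""
    secret = "s3cr3t-token"  # constructed sample value, not real data
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "secret.txt")
        with open(target, "w", encoding="utf-8") as fh:
            fh.write(secret + "\n")
        payload = build_xxe_document(target)
        return {
            "vulnerable": parse_text(payload, resolve_external_entities=True),
            "hardened": parse_text(payload, resolve_external_entities=False),
            "secret": secret,
        }


if __name__ == "__main__":
    result = run_demo()
    print("vulnerable parser leaked:", repr(result["vulnerable"]))
    print("hardened parser leaked:  ", repr(result["hardened"]))
```

Running the script shows the vulnerable configuration returning the secret file's contents as ordinary document text, while the hardened configuration returns an empty string. The practical check for any XML-consuming service (Tika pipelines included) is the same: confirm that external entity resolution and DTD loading are disabled on every parser the application instantiates, not just the one handling the primary document format, since XXE in Tika was reached through PDF parsing rather than a direct XML upload.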


Zero-Click Vulnerability in Perplexity Comet Browser Allows Full Google Drive Deletion via Crafted Emails
Executive Summary A critical zero-click vulnerability has been identified in agentic browsers, most notably the Perplexity Comet Browser, which enables attackers to delete the entire contents of a victim’s Google Drive using only a carefully crafted email. This attack leverages the natural language processing capabilities of AI-powered browser agents, which, when granted OAuth access to Gmail and Google Drive, can autonomously interpret and execute instructions embedded i
Dec 7, 2025 · 4 min read


Barts Health NHS Data Breach: Cl0p Ransomware Exploits Oracle E-Business Suite Zero-Day (CVE-2025-61882)
Executive Summary Barts Health NHS Trust has disclosed a significant data breach following the exploitation of a zero-day vulnerability in Oracle E-Business Suite by the Cl0p ransomware group. The breach resulted in the theft and subsequent dark web exposure of files containing personal and financial information of patients, former staff, and suppliers. The attack was limited to business systems, specifically those handling invoicing and accounting, and did not impact elect
Dec 7, 2025 · 6 min read


React2Shell (CVE-2025-55182): Mass Exploitation of React Server Components and Next.js Threatens 77,000 Systems and 30+ Organizations
Executive Summary The React2Shell vulnerability, tracked as CVE-2025-55182, represents a critical unauthenticated remote code execution (RCE) flaw in React Server Components and frameworks such as Next.js . This vulnerability is being actively exploited in the wild, with over 77,000 Internet-exposed IP addresses confirmed as vulnerable and at least 30 organizations already breached. The exploitation campaign is notable for its rapid weaponization by advanced persistent thre
Dec 7, 2025 · 5 min read


Dartmouth College Data Breach: Clop Ransomware Exploits Oracle E-Business Suite Zero-Day (CVE-2025-61882)
Executive Summary Dartmouth College has confirmed a data breach following an extortion attack by the Clop ransomware group, which exploited a zero-day vulnerability in the Oracle E-Business Suite (EBS) platform. The breach resulted in the unauthorized exfiltration of files containing names, Social Security Numbers, and, in some cases, financial account information of at least 1,494 individuals, with the actual number of affected persons likely higher. The attack occurred be
Nov 25, 2025 · 5 min read


StealC V2 Infostealer Delivered via Malicious Blender 3D Asset Files: Threat Analysis and Mitigation
Executive Summary A newly identified cyber threat campaign is exploiting the popularity and extensibility of Blender—a widely used open-source 3D creation suite—by weaponizing 3D asset files to deliver the advanced StealC V2 data-stealing malware. This campaign, attributed to Russian-speaking threat actors, leverages Blender’s legitimate “Auto Run Python Scripts” feature to execute malicious code embedded within .blend files. Once executed, the malware establishes persiste
Nov 25, 2025 · 5 min read


JackFix Attack Targets Windows and macOS: Advanced Social Engineering Bypasses ClickFix Security Controls
Executive Summary The emergence of the JackFix attack marks a critical escalation in the ongoing evolution of social engineering and malware delivery tactics. JackFix is a sophisticated variant of the well-documented ClickFix technique, engineered specifically to circumvent both technical and human-centric mitigations that have been deployed in response to earlier campaigns. By leveraging advanced obfuscation, multi-stage payload delivery, and cross-platform compatibility,
Nov 25, 2025 · 4 min read


BADBOX 2.0 and Vo1d Botnets: Android TV Streaming Box Infections, Impacted Models, and Mitigation Strategies
Executive Summary Recent open-source intelligence and technical research have confirmed that millions of Android TV streaming boxes—primarily uncertified, off-brand, and low-cost models—are being conscripted into global botnets such as BADBOX 2.0 and Vo1d. These botnets are leveraged for ad fraud, credential stuffing, residential proxy abuse, and other cybercriminal activities. The infection is often present at the factory or delivered via malicious apps from unofficial mar
Nov 25, 2025 · 5 min read


Shai-Hulud npm Supply Chain Attack: 640 Malicious Packages Compromise JavaScript Ecosystem
Executive Summary A critical supply chain attack has been identified in the npm JavaScript ecosystem, where at least 640 packages have been compromised by a new, highly sophisticated malware campaign dubbed Shai-Hulud. This attack leverages a self-replicating worm that targets open-source developers and organizations by exfiltrating sensitive credentials and secrets to attacker-controlled GitHub repositories. The campaign, first reported by security researcher Daniel Perei
Nov 25, 2025 · 5 min read


Iberia Airline Club Loyalty Data Exposed in Third-Party Vendor Breach: Incident Analysis and Mitigation Steps
Executive Summary On November 23, 2025, Iberia, Spain’s largest airline and a member of International Airlines Group (IAG), publicly disclosed a customer data leak resulting from a security breach at a third-party supplier. The incident led to the exposure of customer names, email addresses, and Iberia Club loyalty identification numbers. No evidence indicates that account passwords or financial data were compromised. The breach was discovered after a threat actor claimed
Nov 24, 2025 · 6 min read


Cox Enterprises Data Breach: Cl0p Ransomware Exploits Oracle E-Business Suite Zero-Day Vulnerability (CVE-2025-61882)
Executive Summary Cox Enterprises, a major U.S. conglomerate operating in telecommunications and automotive services, experienced a data breach after cybercriminals exploited a zero-day vulnerability in the Oracle E-Business Suite (Oracle EBS). The breach occurred between August 9 and August 14, 2025, but was not detected until late September. The Cl0p ransomware group claimed responsibility for the attack, which leveraged CVE-2025-61882, a critical vulnerability that all
Nov 24, 2025 · 6 min read


Critical CVE-2025-41115 SCIM Vulnerability in Grafana Enterprise Allows Remote Impersonation and Privilege Escalation
Executive Summary A critical security vulnerability, identified as CVE-2025-41115 and assigned a maximum CVSS score of 10.0, has been discovered in the SCIM (System for Cross-domain Identity Management) provisioning feature of Grafana Enterprise. This flaw enables remote attackers to impersonate any user, including administrators, and escalate privileges without user interaction, provided certain configuration conditions are met. The vulnerability is not present in the ope
Nov 24, 2025 · 5 min read


Salesforce Security Incident: Unauthorized Data Access via Compromised Gainsight OAuth Integrations
Executive Summary On November 20–21, 2025, Salesforce disclosed a significant security incident involving unauthorized data access through Gainsight-published applications integrated with the Salesforce platform. The incident was not the result of a vulnerability in the Salesforce platform itself, but rather stemmed from the compromise and abuse of OAuth tokens issued to trusted third-party integrations. Attackers, attributed to the ShinyHunters (UNC6240) group, leverage
Nov 24, 2025 · 6 min read


Tsundere Botnet Targets Windows Users with Fake Game Installers and Ethereum-Based C2 Infrastructure
Executive Summary The Tsundere botnet represents a significant evolution in Windows malware, combining advanced evasion techniques with innovative command-and-control (C2) infrastructure. Since mid-2025, this botnet has rapidly expanded by leveraging fake game installers as lures and utilizing the Ethereum blockchain to store and rotate its C2 addresses. This approach not only complicates traditional takedown efforts but also demonstrates a growing trend of cybercriminals e
Nov 24, 2025 · 5 min read


APT31 Exploits Yandex.Browser and Cloud Services in Stealthy Cyberattacks on Russian IT Sector
Executive Summary The China-linked advanced persistent threat group APT31 (also known as Judgement Panda, Violet Typhoon, and Zirconium) has orchestrated a sophisticated cyber-espionage campaign targeting the Russian IT sector, with a particular focus on organizations serving government agencies. Leveraging legitimate cloud services such as Yandex Cloud and Microsoft OneDrive for command-and-control (C2) and data exfiltration, APT31 has demonstrated advanced tradecraft
Nov 24, 2025 · 5 min read


Critical Zero-Day Exploited in Oracle Identity Manager (CVE-2025-61757): Pre-Auth RCE Vulnerability Analysis and Mitigation
Executive Summary A critical vulnerability, tracked as CVE-2025-61757, has been identified in Oracle Identity Manager (OIM), a core component of the Oracle Fusion Middleware suite. This flaw, rated with a CVSS score of 9.8, enables unauthenticated remote attackers to achieve pre-authenticated remote code execution (RCE) on affected OIM instances. The vulnerability arises from a missing authentication check on a critical function, allowing attackers to bypass security contr
Nov 24, 2025 · 5 min read


Eurofiber France Customer Data Breach: Hacker Attempts to Sell Compromised Information from Customer Data Systems
Executive Summary Eurofiber France has issued a warning regarding a data breach after a threat actor attempted to sell customer data online. The incident was detected when a hacker advertised what was claimed to be customer information from Eurofiber France on a cybercrime forum. The company has confirmed that unauthorized access to its systems occurred, potentially exposing sensitive customer data. At this stage, the full scope of the breach, including the specific data ty
Nov 18, 2025 · 4 min read


CitrixBleed 2 (CVE-2025-5777) Zero-Day: Critical Memory Leak Hits Citrix NetScaler ADC and Gateway Systems
Executive Summary A critical zero-day vulnerability, CitrixBleed 2 (CVE-2025-5777), is wreaking havoc across global enterprise networks by targeting Citrix NetScaler ADC and Citrix NetScaler Gateway appliances. This pre-authentication memory disclosure flaw enables remote attackers to extract sensitive memory contents from vulnerable devices, potentially leading to session hijacking, credential theft, and lateral movement within affected environments. The attack is highly
Nov 16, 2025 · 5 min read