Threatsday: Spyware Alerts, Mirai Hits, Docker Leaks
This week’s Threatsday roundup distills 26 fast-moving cyber stories into what matters for defenders and decision-makers.
- Maritime IoT targeted: Broadside, a Mirai variant, exploits TBK DVR CVE-2024-3721 with custom C2, Netlink stealth, polymorphic payloads, host exclusivity, and credential theft.
- LLM risks endure: The UK NCSC warns prompt-injection flaws may never be fully eliminated; prioritize constraining model actions over filtering inputs.
- VaaS crackdown: Europol arrests 193 tied to violence-as-a-service networks including The Com, which recruits youths for intimidation and worse.
- Poland seizure: Three Ukrainians arrested with hacking kits after vehicle stop; suspected of attempting to sabotage strategic IT systems.
- Teen data thief: Spain nabs a 19-year-old accused of selling 64M records; Ukraine arrests a 22-year-old running a 5,000-profile bot farm and custom account stealer.
- NFC relay fraud: Russia busts an NFCGate-powered scheme using fake bank apps spread via WhatsApp and Telegram; losses exceed 200M rubles.
- React2Shell exploited: CVE-2025-55182 is under broad attack across smart devices; Mirai and RondoDox payloads, with hundreds of unique IPs probing globally.
- Linux stealth: GhostPenguin backdoor surfaces with UDP 53 C2 and remote shell; Elastic details FlipSwitch syscall-hooking to hide on modern kernels.
- Crypto laundering plea: A California resident admits to laundering for a crew that stole 263M in crypto; moved 3.5M and bought homes.
- Spyware alerts: Apple and Google issue new surveillance notifications across nearly 80 countries; few public details.
- Meta’s EU ad model: Europe greenlights an option for less data sharing and fewer personalized ads starting January 2026.
- Mass Lumma outreach: New Zealand NCSC notifies roughly 26,000 victims whose machines were infected by Lumma Stealer.
- Notepad++ patched: Version 8.8.9 fixes an updater validation flaw abused to hijack WinGUp traffic; now enforces certificate and signature checks.
- Telegram pressure: Cybercrime channels face increased takedowns since late 2024, pushing actors to alternate platforms.
- UK sanctions: I-Soon, Integrity Tech (Flax Typhoon), Ryber, Pravfond, and a Dugin-linked think tank hit over cyber and influence operations.
- Log4Shell persists: About 13 percent of 2025 Log4j downloads remain vulnerable, nearly 40M pulls, led by CN, US, IN, JP, BR, DE, UK, CA, KR, FR.
- India tracking debate: Government weighs always-on satellite phone-location tracking for investigations; major vendors and rights groups oppose.
- Edge devices probed: Big spikes in login attempts against Palo Alto GlobalProtect portals and SonicWall APIs tied to the same actor.
- AI dual use: OpenAI warns of advancing cyber capabilities; invests in refusal training, monitoring, and end-to-end red teaming to tilt benefits to defenders.
- Android threat: DroidLock hits Spanish users with ransomware-like overlays, VNC control, admin abuse, and 15 commands, but no file encryption.
- Stronger HTTPS: Chrome Root Program and CA/B Forum will retire 11 legacy domain control validation methods by March 2028.
- Media lure malware: A fake Leonardo DiCaprio torrent installs Agent Tesla via PowerShell and image-embedded payloads; entertainment lures continue.
- Docker secrets spill: Over 10,000 Docker Hub images leak credentials; 42 percent expose 5+ secrets and nearly 4,000 LLM keys, risking cloud and CI/CD.
- VS Code trojans: Nineteen extensions used a disguised PNG and a modified npm dependency to drop Rust malware; removed from the marketplace.
- ValleyRAT revealed: A modular backdoor with a kernel-mode rootkit; some signed drivers load on fully patched Windows 11; attributed to Silver Fox.
- Poisoned AI guides: Shared ChatGPT, Grok, and DeepSeek chats are SEO-boosted to deliver macOS stealers; Lumma also spread via itch.io and Patreon links.
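The Docker Hub item above is about credentials baked into image layers and image config (ENV values). As an added example that is not part of the original roundup or of any scanning product it mentions, the script below shows the defender-side check: unpack an image's layer tarball and config JSON, grep both for secret-shaped strings, and report where each was found. The secret patterns and the sample image content are constructed for this example; on a real image you would feed it the layer tars and config JSON produced by `docker save`.

```python
import io
import json
import re
import tarfile

# Constructed secret patterns for this example; tune them for real use.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "llm_api_key": re.compile(r"\bsk-[A-Za-z0-9]{20,}\b"),  # assumed "sk-" style LLM key
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Skip huge files: real layers carry binaries that are better handled by dedicated tools.
MAX_FILE_BYTES = 5_000_000


def scan_text(text, source):
    """Return one finding per pattern match; the match is truncated so reports don't re-leak it."""
    findings = []
    for name, rx in PATTERNS.items():
        for m in rx.finditer(text):
            findings.append({"source": source, "type": name, "match": m.group(0)[:8] + "..."})
    return findings


def scan_layer_tar(layer_bytes):
    """Walk every regular file in a layer tar (as found inside a `docker save` archive)."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            if not member.isfile() or member.size > MAX_FILE_BYTES:
                continue
            f = tf.extractfile(member)
            if f is None:
                continue
            text = f.read().decode("utf-8", errors="replace")
            findings.extend(scan_text(text, "layer:" + member.name))
    return findings


def scan_image_config(config):
    """ENV instructions end up in the image config, so scan those too, not just the filesystem."""
    findings = []
    for kv in config.get("config", {}).get("Env", []):
        findings.extend(scan_text(kv, "config.Env"))
    return findings


def scan_image(layers, config):
    """Combine layer and config findings for one image."""
    findings = []
    for layer in layers:
        findings.extend(scan_layer_tar(layer))
    findings.extend(scan_image_config(config))
    return findings


def build_sample_layer():
    """Constructed layer: a leaked .env, a harmless source file, and a copied SSH key."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        def add(name, content):
            data = content.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
        add("app/.env", "AWS_ACCESS_KEY_ID=AKIAEXAMPLE0123456AB\nDEBUG=1\n")
        add("app/main.py", "print('hello')\n")
        add("root/.ssh/id_rsa", "-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n")
    return buf.getvalue()


# Constructed image config with a key passed via ENV at build time.
SAMPLE_CONFIG = json.loads(
    '{"config": {"Env": ["PATH=/usr/bin", "LLM_KEY=sk-constructedexample0123456789"]}}'
)

if __name__ == "__main__":
    for finding in scan_image([build_sample_layer()], SAMPLE_CONFIG):
        print(finding["type"], "in", finding["source"])
```

The findings point at both places the roundup's numbers come from: files copied into layers (a `.env` or a key file) and build-time ENV values that survive in the config even if the file was later deleted in a higher layer. Running this in CI before `docker push` is cheaper than rotating keys after the image is public.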
Bottom line: digital trust remains fragile. Patch fast, validate software sources, harden LLM-integrated workflows, and beware AI-surfaced troubleshooting guides.
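The NCSC item and the closing advice both come down to constraining what an LLM-integrated workflow can do rather than trying to filter what it reads. As an added example, not taken from the roundup or from NCSC guidance, the gate below sits between a model's proposed tool calls and the tools themselves: each task gets an allowlist of tools, side-effecting tools are blocked for read-only tasks, and URL fetches are restricted to allowlisted hosts. The tool names, the policy and the simulated model output are all constructed for this example.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class ToolPolicy:
    """Per-task capability policy; the model never sees or edits this."""
    allowed_tools: set
    read_only: bool = True
    allowed_hosts: set = field(default_factory=set)


# Constructed tool registry: the gate needs to know which tools change the world.
TOOLS = {
    "search_docs": {"side_effect": False},
    "fetch_url": {"side_effect": False},
    "send_email": {"side_effect": True},
    "delete_file": {"side_effect": True},
}


def authorize(call, policy):
    """Decide on one proposed tool call; returns (allowed, reason)."""
    name = call.get("tool")
    args = call.get("args", {})
    if name not in TOOLS:
        return False, "unknown tool"
    if name not in policy.allowed_tools:
        return False, f"{name} is not allowed for this task"
    if TOOLS[name]["side_effect"] and policy.read_only:
        return False, f"{name} has side effects but the task is read-only"
    if name == "fetch_url":
        host = urlparse(args.get("url", "")).hostname or ""
        if host not in policy.allowed_hosts:
            return False, f"host {host!r} is not allowlisted"
    return True, "ok"


def run_agent_turn(proposed_calls, policy):
    """Apply the policy to every call the model proposed; log denials for review."""
    executed, denied = [], []
    for call in proposed_calls:
        ok, reason = authorize(call, policy)
        if ok:
            executed.append(call["tool"])
        else:
            denied.append((call.get("tool"), reason))
    return executed, denied


# Constructed policy for a "summarize internal docs" task.
SUMMARIZE_POLICY = ToolPolicy(
    allowed_tools={"search_docs", "fetch_url"},
    read_only=True,
    allowed_hosts={"docs.example.internal"},
)

# Constructed model output: the last three calls are what an injected page might steer a model into.
SIMULATED_MODEL_CALLS = [
    {"tool": "search_docs", "args": {"query": "onboarding checklist"}},
    {"tool": "fetch_url", "args": {"url": "https://docs.example.internal/onboarding"}},
    {"tool": "fetch_url", "args": {"url": "https://external.example.net/page"}},
    {"tool": "send_email", "args": {"to": "someone@example.net", "body": "..."}},
    {"tool": "delete_file", "args": {"path": "/srv/docs/onboarding.md"}},
]

if __name__ == "__main__":
    ran, blocked = run_agent_turn(SIMULATED_MODEL_CALLS, SUMMARIZE_POLICY)
    print("executed:", ran)
    for tool, why in blocked:
        print("denied:", tool, "->", why)
```

The point of the design is that the gate does not care whether the instruction to send an email came from the user, a retrieved document, or the model's own drift; the capability simply is not there for this task. Denials are worth logging, since a burst of blocked side-effecting calls during a read-only task is a useful detection signal that retrieved content is steering the model.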
Source: The Hacker News