ThreatsDay Bulletin – Weekly Security Round‑up

The internet never stays quiet. Every week, new hacks, scams, and security problems show up somewhere. This week’s stories show how fast attackers change their tricks, how small mistakes turn into big risks, and how the same old tools keep finding new ways to break in. Read on to catch up before the next wave hits.

1. Unauthenticated RCE risk

A high‑severity security flaw has been disclosed in Redis (CVE‑2025‑62507, CVSS 8.8) that could potentially lead to remote code execution by means of a stack buffer overflow. It was fixed in version 8.3.2. JFrog’s analysis revealed that the vulnerability is triggered when using the new Redis 8.2 XACKDEL command, which was introduced to simplify and optimize stream cleanup. Specifically, it resides in the implementation of xackdelCommand(), a function responsible for parsing and processing the list of stream IDs supplied by the user.

“The core issue is that the code does not verify that the number of IDs provided by the client fits within the bounds of this stack‑allocated array,” the company said. “As a result, when more IDs are supplied than the array can hold, the function continues writing past the end of the buffer. This results in a classic stack‑based buffer overflow.”

The vulnerability can be triggered remotely in the default Redis configuration by sending a single XACKDEL command containing a sufficiently large number of message IDs. “It is also important to note that by default, Redis does not enforce any authentication, making this an unauthenticated remote code execution,” JFrog added. As of writing, there are 2,924 servers susceptible to the flaw.

2. Signed malware evasion

BaoLoader, ClickFix campaigns, and Maverick emerged as the top three threats between September 1 and November 30 2025, according to ReliaQuest. Unlike typical malware that steals certificates, BaoLoader’s operators register legitimate businesses in Panama and Malaysia specifically to purchase valid code‑signing certificates from major certificate authorities to sign their payloads.

“With these certificates, their malware appears trustworthy to both users and security tools, allowing them to operate largely undetected while being dismissed as merely potentially unwanted programs (PUPs),” ReliaQuest said.

The malware, once launched, abuses node.exe to run malicious JavaScript for reconnaissance, in‑memory command execution, and backdoor access. It also routes command‑and‑control (C2) traffic through legitimate cloud services, concealing outbound traffic as normal business activity and undermining reputation‑based blocking.

3. RMM abuse surge

Phishing emails disguised as holiday party invitations, overdue invoices, tax notices, Zoom meeting requests, or document‑signing notifications are being used to deliver Remote Monitoring and Management (RMM) tools such as LogMeIn Resolve, Naverisk, and ScreenConnect in multi‑stage attack campaigns. In some cases, ScreenConnect is used to deliver secondary tools, including other remote‑access programs, alongside HideMouse and WebBrowserPassView.

The exact strategy behind installing duplicate remote‑access tools is unclear, but it is believed threat actors may be using trial licenses and switching them to avoid expiration. In another incident analyzed by CyberProof, attackers transitioned from targeting an employee’s personal PayPal account to establishing a corporate foothold through a multi‑layered RMM strategy involving LogMeIn Rescue and AnyDesk, tricking victims into installing the software over the phone by pretending to be support personnel. The email is designed to create urgency by masquerading as PayPal alerts.

4. CAV operator caught

Dutch authorities arrested a 33‑year‑old at Schiphol for alleged involvement in the operation of AVCheck, a counter‑antivirus (CAV) service dismantled by a multinational law‑enforcement operation in May 2025.

“The service offered by the suspect enabled cybercriminals to refine the concealment of malicious files each time,” Dutch officials said. “It is very important for cybercriminals that as few antivirus programs as possible are able to detect the malicious activity, in order to maximize their chances of success in finding victims.”

5. Gemini powers Siri

Apple and Google have confirmed that the next version of Siri will use Gemini and its cloud technology in a multi‑year collaboration between the two tech giants.

“Apple and Google have entered into a multi‑year collaboration under which the next generation of Apple Foundation Models will be based on Google’s Gemini models and cloud technology,” Google said. “These models will help power future Apple Intelligence features, including a more personalized Siri coming this year.”

Google emphasized that Apple Intelligence will continue to run on Apple devices and Private Cloud Compute, while maintaining Apple’s industry‑leading privacy standards.

“This seems like an unreasonable concentration of power for Google, given that they also have Android and Chrome,” Elon Musk said.

6. China bans foreign tools

China has asked domestic companies to stop using cybersecurity software made by roughly a dozen firms from the U.S. and Israel due to national‑security concerns, Reuters reported. The list includes VMware, Palo Alto Networks, Fortinet, and Check Point. Authorities have expressed concerns that the software could collect and transmit confidential information abroad.

7. RCE via AI libraries

Security flaws have been disclosed in open‑source AI/ML Python libraries published by Apple (FlexTok), NVIDIA (NeMo), and Salesforce (Uni2TS) that allow for remote code execution (RCE) when a model file with malicious metadata is loaded.

“The vulnerabilities stem from libraries using metadata to configure complex models and pipelines, where a shared third‑party library instantiates classes using this metadata,” Palo Alto Networks Unit 42 said.

Vulnerable versions simply execute the provided data as code, allowing an attacker to embed arbitrary code in model metadata that runs automatically when the libraries load the modified models. The third‑party library in question is Meta’s Hydra, specifically the function hydra.utils.instantiate(), which can run code via os.system(), builtins.eval(), and builtins.exec(). The issues (CVE‑2025‑23304 for NVIDIA and CVE‑2026‑22584 for Salesforce) have been addressed. Hydra’s documentation now states that RCE is possible when using instantiate() and includes a default blocklist of modules to mitigate the risk.

“To bypass it, set the env var HYDRA_INSTANTIATE_ALLOWLIST_OVERRIDE with a colon‑separated list of modules to allowlist,” it said.

8. AI voice evasion

A group of academics has devised a technique called VocalBridge that can bypass existing security defenses and execute voice‑cloning attacks.

“Most existing purification methods are designed to counter adversarial noise in automatic speech recognition (ASR) systems rather than speaker verification or voice cloning pipelines,” the team from the University of Texas at San Antonio said. “As a result, they fail to suppress the fine‑grained acoustic cues that define speaker identity and are often ineffective against speaker verification attacks (SVA).”

The researchers propose Diffusion‑Bridge (VocalBridge), a purification framework that learns a latent mapping from perturbed to clean speech in the EnCodec latent space, using a time‑conditioned 1‑D U‑Net with a cosine noise schedule. The model enables efficient, transcript‑free purification while preserving speaker‑discriminative structure.

9. Telecoms under scrutiny

Russia’s telecommunications watchdog Roskomnadzor has called out 33 telecom operators for failing to install traffic‑inspection and content‑filtering equipment. A total of 35 violation cases were detected.

“Courts have already taken place in four cases, and fines have been issued to violators. Materials on six facts have been sent to the court. The remaining operators were summoned to draw up protocols,” Roskomnadzor said.

Since the 2022 invasion of Ukraine, the agency has mandated that all telecom operators install equipment that inspects user traffic and blocks access to “undesired” sites.

10. Turla evasion tactics

A new analysis of the Turla malware Kazuar has revealed techniques the backdoor employs to evade security solutions and increase analysis time. These include use of the Component Object Model (COM), patchless Event Tracing for Windows (ETW), Antimalware Scan Interface (AMSI) bypass, and a control‑flow redirection trick that runs primary malicious routines during the second run of a function named Qtupnngh, which then launches three .NET payloads (KERNEL, WORKER, and BRIDGE).

“The core logic resides in the kernel, which acts as the primary orchestrator. It handles task processing, keylogging, configuration data handling, and so on,” researcher Dominik Reichel said.

The worker monitors the infected host’s environment and security posture, while the bridge functions as the communications layer, facilitating data transfer and exfiltration through compromised WordPress plugin paths.

11. PLC flaws exposed

Researchers disclosed multiple critical vulnerabilities affecting the Delta Electronics DVP‑12SE11T programmable logic controller (PLC).

• CVE‑2025‑15102 (CVSS 9.8) – password protection bypass

• CVE‑2025‑15103 (CVSS 9.8) – authentication bypass via partial password disclosure

• CVE‑2025‑15358 (CVSS 7.5) – denial‑of‑service

• CVE‑2025‑15359 (CVSS 9.8) – out‑of‑bounds memory write

The issues were addressed via firmware updates in late December 2025.

“Weaknesses in PLC authentication and memory handling can significantly increase operational risk in OT environments, particularly where legacy systems or limited network segmentation are present,” OPSWAT Unit 515, which discovered the flaws, said.

12. Salesforce audit tool

Mandiant has released an open‑source tool called AuraInspector to help Salesforce admins audit misconfigurations that could expose sensitive data.

“It facilitates discovering misconfigured Salesforce Experience Cloud applications as well as automates much of the testing process,” Google said.

Features include discovery of accessible records from both Guest and Authenticated contexts, enumeration of total records via an undocumented GraphQL Aura method, checks for self‑registration capabilities, and identification of “Home URLs” that could allow unauthorized access to sensitive administrative functionality.

13. Wi‑Fi DoS exploit

A high‑severity flaw (CVSS 8.4) in Broadcom Wi‑Fi chipset software can allow an unauthenticated attacker within radio range to take wireless networks offline by sending a single malicious frame, regardless of the configured network security level. The flaw affects 5 GHz networks; 2.4 GHz and Ethernet connections remain unaffected.

“This vulnerability allows an attacker to make the access point unresponsive to all clients and terminate any ongoing client connections,” Black Duck said.

The attack bypasses WPA2 and WPA3 protections and can be repeated indefinitely. Broadcom has released a patch; additional details are withheld due to the risk.

14. Smart contract exploit

Unknown threat actors stole $26 million worth of Ether from the Truebit cryptocurrency platform by exploiting a vulnerability in the platform’s five‑year‑old smart contract.

“The attacker exploited a mathematical vulnerability in the smart contract’s pricing of the TRU token, which set its value very close to zero,” Halborn said.

With access to low‑cost TRU tokens, the attacker drained value from the contract by selling them back at full price, using a series of high‑value mint requests.

15. Invoice lure campaign

A new wave of attacks leverages invoice‑themed lures in phishing emails to trick recipients into opening a PDF that displays an error message and prompts a download. The links often lead to a page masquerading as Google Drive that drops RMM tools such as Syncro, SuperOps, NinjaOne, and ScreenConnect for persistent remote access.

“As they are not malware like backdoors or Remote Access Trojans (RATs), threat actors are increasingly leveraging them,” AhnLab said. “These tools have been designed to evade detection by security products like firewalls and anti‑malware solutions, which are limited to simply detecting and blocking known malware strains.”

16. Taiwan hospitals hit

A ransomware strain dubbed CrazyHunter has compromised at least six companies in Taiwan, most of them hospitals. The Go‑based ransomware, a fork of the Prince ransomware, employs advanced encryption and delivery methods targeting Windows machines.

“The initial compromise often involves exploiting weaknesses in an organization’s Active Directory (AD) infrastructure, frequently by leveraging weak passwords on domain accounts,” Trellix said.

Threat actors use SharpGPOAbuse to distribute the payload through Group Policy Objects (GPOs) and propagate it across the network. A modified Zemana anti‑malware driver is used to elevate privileges and kill security processes as part of a Bring‑Your‑Own‑Vulnerable‑Driver (BYOVD) attack.

CrazyHunter has been active since early 2025 and is attributed to a Chinese hacker group consisting of two individuals, Luo and Xu, who sell stolen data to trafficking groups in China and Taiwan. Two Taiwanese suspects alleged to be involved in data trafficking were arrested and subsequently released on bail last August.

---

These stories show how fast things can change and how small risks can grow big if ignored. Keep your systems updated, watch for the quiet stuff, and don’t trust what looks normal too quickly.

Next Thursday, ThreatsDay will be back with more short takes from the week’s biggest moves in hacking and security.