
SANS Internet StormCast
The Stormcast episode opens with a deep dive into Windows DLL entry points, a detail often missed during static analysis. While a DLL may be loaded without any exported function being called, its DllMain routine can execute malicious code the moment the library is mapped into memory. Analysts are urged to inspect the entry‑point code whenever a suspicious DLL appears, because this early execution path can establish persistence or download additional payloads before traditional hooks fire. Understanding this behavior sharpens detection of stealthy malware that relies on implicit loading.
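As an added example (not from the episode or the linked diary), the Python sketch below shows where a static-analysis pass finds the code that runs at load time: it reads `AddressOfEntryPoint` from the PE optional header and maps it to the containing section and file offset. The function names, the constructed header-only sample image, and the writable-section triage flag are assumptions made for illustration.

```python
import struct

IMAGE_FILE_DLL = 0x2000            # COFF Characteristics: image is a DLL
IMAGE_SCN_MEM_WRITE = 0x80000000   # section Characteristics: writable

def dll_entry_point(data: bytes) -> dict:
    """Locate AddressOfEntryPoint in a PE image and the section that holds it."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)              # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, 3 unused dwords, SizeOfOptionalHeader, Characteristics
    _, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24
    (entry_rva,) = struct.unpack_from("<I", data, opt_off + 16)   # AddressOfEntryPoint
    info = {"is_dll": bool(chars & IMAGE_FILE_DLL), "entry_rva": entry_rva,
            "section": None, "file_offset": None, "writable": False}
    if entry_rva == 0:             # no entry point: nothing runs when the DLL is mapped
        return info
    sect_off = opt_off + opt_size  # section table follows the optional header
    for i in range(nsect):
        base = sect_off + 40 * i
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, base)
        (schars,) = struct.unpack_from("<I", data, base + 36)
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            info.update(section=name.rstrip(b"\0").decode("ascii", "replace"),
                        file_offset=rawptr + (entry_rva - vaddr),
                        # triage heuristic: an entry point in a writable section is unusual
                        writable=bool(schars & IMAGE_SCN_MEM_WRITE))
            break
    return info

def build_sample(entry_rva=0x1010, sect_chars=0x60000020) -> bytes:
    """Constructed, header-only PE32 DLL image for the demo (not a loadable file)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0x200, 0, 0, entry_rva).ljust(0xE0, b"\0")
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x400,
                       0, 0, 0, 0, sect_chars)
    return dos + b"PE\0\0" + coff + opt + sect

if __name__ == "__main__":
    print(dll_entry_point(build_sample()))
```

The returned `file_offset` is where disassembly of the entry-point routine should start in the file on disk.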
The next segment examines a recent ClickFix phishing campaign that leverages the obsolete finger service on TCP port 79. Attackers embed a PowerShell payload behind a simple finger request, then trick victims into copy‑pasting the command into a Windows prompt. This technique adds a layer of obfuscation and exploits a rarely monitored outbound port. The hosts also discuss Apple’s latest security bulletin, which patches 48 vulnerabilities across macOS, iOS, and iPadOS. Highlights include two WebKit flaws that have seen limited wild exploitation and a Compressor utility bug that permits code execution from the local network.
The final discussion turns to React server components, where three new issues were disclosed. One is a denial‑of‑service flaw, while another can inadvertently leak server‑side source code when user‑supplied data is stringified. A third, lower‑scored vulnerability still poses a risk for applications already vulnerable to the earlier “React to shell” exploit. The host also notes a scheduling change for upcoming episodes, reminding listeners that publishing may shift to accommodate a European teaching calendar. Staying current on these patches and code‑review practices is essential for enterprise security teams.
Abusing DLLs EntryPoint for the Fun
https://isc.sans.edu/diary/Abusing%20DLLs%20EntryPoint%20for%20the%20Fun/32562
https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components