By security practitioners, for security practitioners

Top 10 Cybersecurity News (Dec. 8, 2025): ShadyPanda Extension Espionage, Android Zero-Days, ASUS Supplier Breach, and More

WEEKLY TOP TEN: December 08, 2025, 16:00 GMT

  1. ShadyPanda Browser-Extension Espionage Hits 4.3 Million

    Threat group ShadyPanda ran a seven-year espionage and fraud campaign abusing trusted Google Chrome and Microsoft Edge extensions, ultimately spying on about 4.3 million users. Investigators at Koi Security found that benign extensions were later weaponized via updates, turning them into spyware and even remote-code-execution backdoors on compromised endpoints. The stolen data includes browsing history, search queries, URLs, and potentially sensitive corporate information such as API keys. Because the extensions carried “Featured” and “Verified” badges, the incident highlights systemic weaknesses in browser-extension review and monitoring that enterprises relying on managed browsers now need to treat as supply-chain risk.
  2. Android Zero-Days Exploited in the Wild

    Google’s December Android security bulletin fixed two high-severity zero-day vulnerabilities that were already exploited in targeted attacks. One flaw in the Android Framework allowed privilege escalation, while another issue enabled remote code execution. Attackers used these bugs to gain deeper access to Android devices before patches were available, though Google has not yet fully detailed the victim profiles. OEM fragmentation means devices from multiple manufacturers may be affected until updates propagate. For companies relying on Android fleets, the incident is another reminder that mobile devices are now core attack surfaces that need patch SLAs, EDR coverage, and zero-trust access controls.
  3. ASUS Confirms Supplier Breach

    Hardware vendor ASUS confirmed that a third-party supplier was breached after the Everest ransomware gang posted sample data and claimed to have stolen 1 TB of material tied to ASUS, ArcSoft, and Qualcomm. ASUS says the compromise involved camera-related source code from a supplier and asserts that its own products, internal systems, and user data were not directly impacted. However, leaked firmware and imaging code could help attackers discover future vulnerabilities in ASUS devices. The case shows how supplier compromises can expose intellectual property that later feeds exploit development, even when customer records aren’t immediately stolen.
  4. Cloudflare Withstands Record 29.7 Tbps Aisuru DDoS Attack

    Cloud-security provider Cloudflare reported that the Aisuru botnet launched a record-breaking DDoS attack peaking at 29.7 Tbps and 14.1 billion packets per second. Despite the unprecedented scale, Cloudflare’s automated defenses mitigated the attack, which targeted customers in information technology, telecommunications, gambling, and other sectors. Aisuru is estimated to control 1–4 million compromised IoT devices and is offered as a DDoS-for-hire service, enabling even low-skill actors to rent massive firepower. The campaign shows how volumetric DDoS is evolving faster than many organizations’ defenses and why enterprises need always-on, automated mitigation rather than a reactive, human-driven response.
  5. BRICKSTORM Backdoor Exposed

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) detailed BRICKSTORM, a Golang backdoor used by state-sponsored actors from the People’s Republic of China to maintain long-term persistence in VMware vSphere and Windows environments. At one victim, attackers kept access from April 2024 to September 2025, compromising vCenter servers, domain controllers, and an ADFS server to steal cryptographic keys and move laterally. BRICKSTORM supports stealthy C2, file operations, and robust persistence mechanisms. Organizations running VMware and Windows in government and IT sectors are urged to hunt for indicators of compromise and tighten segmentation and monitoring of virtualization management planes.
  6. Water Saci WhatsApp Malware Uses AI-Assisted Python

    Brazil-focused campaign Water Saci has upgraded its self-propagating malware, now using a Python-based variant to spread via WhatsApp desktop sessions and compromise financial organizations and cryptocurrency exchanges. The attackers use AI tools and large language models to convert previous PowerShell-based scripts into more capable Python code, improving automation, error handling, and evasion. Victims receive malicious ZIP files and installers from trusted contacts; once executed, the malware (including a payload dubbed Sorvepotel) steals data, monitors desktop activity, and enables lateral movement. Banks and fintech companies across Latin America face heightened risk as social-engineering and AI-assisted malware converge.
  7. Freedom Mobile Breach Compromises Telecom Customer Information

    Canadian telecom provider Freedom Mobile disclosed a data breach affecting hundreds of thousands of customers after attackers accessed an external vendor’s system. The exposed information reportedly includes names, contact details, dates of birth, and partial credit card data tied to customers of the mobile service. Freedom Mobile says its own core network and billing platforms were not breached, but it is working with law enforcement and regulators while notifying impacted users. For telcos, this incident is another example of how third-party service providers can become the soft underbelly of otherwise hardened infrastructures, dragging regulated data into less-controlled environments.
  8. Inotiv Ransomware Attack Steals Sensitive Personal and Medical Data

    Pharmaceutical and research company Inotiv is notifying 9,542 individuals that a ransomware attack led to theft of extensive personal and health information. The data collected includes names, addresses, Social Security numbers, driver’s license details, payment card data, dates of birth, and medical and insurance information. The attack disrupted operations in early August and involved unauthorized access to internal networks and storage systems. The Qilin ransomware group later listed Inotiv on its leak site, claiming 176 GB of exfiltrated data. Even though Inotiv has restored systems, it still faces regulatory exposure and long-term liability due to the breadth of compromised PII and PHI.
  9. Penn and the University of Phoenix Breached

    University of Pennsylvania and University of Phoenix confirmed data breaches tied to a broader compromise of hosted systems operated by Oracle. Attackers exploited vulnerabilities in Oracle’s environment, exposing personal information for students and staff at both universities. While the exact types of data vary, the institutions are notifying affected individuals and coordinating with Oracle on containment and remediation. This incident, along with other victims in the same campaign, shows how higher-education institutions increasingly rely on third-party enterprise platforms that, when breached, can spill data across multiple universities simultaneously.
  10. Barts Health NHS Hit by Cl0p

    UK healthcare provider Barts Health NHS Trust confirmed that Cl0p ransomware actors stole and leaked patient and staff data after exploiting an Oracle zero-day vulnerability in a third-party system. The group exfiltrated sensitive medical details, internal documents, and other confidential information before publishing samples on its leak site. While the initial attack leveraged Oracle infrastructure, the trust now faces direct impact to patient privacy and regulatory exposure under healthcare and data-protection laws. This is one of several victims in a broader Oracle-focused campaign, highlighting the systemic risk posed by zero-days in widely used enterprise platforms.

Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The ten stories above were judged the most significant of the week, ranked from highest risk downward and corroborated with multiple sources where available.
