Risk
- CISA details BRICKSTORM backdoor used by PRC-linked hackers against vSphere and Windows environments
CISA has published technical details of BRICKSTORM, a Golang backdoor used by PRC-linked threat actors to maintain stealthy, long-term access to VMware vSphere and Windows environments; CrowdStrike and other firms link the tool to UNC5221 and Warp Panda, while the Chinese embassy has denied the allegations.
- UK’s NCSC pilots Proactive Notifications to warn organisations of exposed devices
The UK’s National Cyber Security Centre has begun piloting Proactive Notifications, a Netcraft-delivered service that scans public internet data to warn organisations about exposed devices and recommend updates; it complements the NCSC’s Early Warning alerts but is not a replacement and has no announced end to the pilot phase.
- Silver Fox uses fake Microsoft Teams installers in false-flag ValleyRAT campaign
Security researchers report that the Silver Fox group has run an SEO poisoning campaign since November 2025 that uses fake Microsoft Teams installers to deliver ValleyRAT to organisations in China; technical analysis from ReliaQuest and Nextron Systems details layered infection chains, false-flag indicators and the use of vulnerable drivers.
- U.S. to release six-part national cybersecurity strategy in January, sources say
Sources say the Trump administration plans to release a five-page, six-pillar national cybersecurity strategy in January, emphasizing deterrence, workforce, procurement, infrastructure and emerging technologies; an executive order and exact timing remain unconfirmed.
- GoldFactory modifies banking apps to spread Android remote-access trojans across Southeast Asia, Group-IB reports
Group-IB said GoldFactory has been distributing modified banking apps across Thailand, Vietnam and Indonesia to deploy Android remote-access trojans that abuse accessibility services, and researchers uncovered a pre-release variant called Gigaflower with advanced data-extraction features.
- Cloudflare mitigates 29.7 Tbps DDoS attack linked to AISURU botnet
Cloudflare said it mitigated a 29.7 Tbps DDoS attack linked to the AISURU botnet; the UDP “carpet-bombing” assault lasted 69 seconds, the target was not disclosed, and the company flagged a rise in large, sophisticated attacks in 2025.
- Leroy Merlin notifies French customers after data breach
Leroy Merlin has notified customers in France that personal data including names, contact details, postal addresses, dates of birth and loyalty information were exposed in a cyberattack; the company said banking data and passwords were not affected and that it has taken steps to contain the incident.
- Freedom Mobile discloses breach after subcontractor account used to access customer data
Freedom Mobile said attackers used a subcontractor’s account to access its customer account management platform, exposing names, addresses, dates of birth, phone numbers and account numbers; the company detected the breach on October 23 and has not disclosed the number of affected customers.