Daily Drop (1198)
12-08-25
Monday, Dec 08, 2025 // (IG): BB // GITHUB // SN R&D
Chinese APTs Race to Exploit React2Shell: Amazon Warns of Sophisticated Campaigns Targeting CVE-2025-55182
NOTE:
The most critical detail in Amazon’s reporting isn’t just the rapid exploitation of React2Shell—it’s the presence of hands-on keyboard, interactive exploitation by real operators. Unlike automated scanning, which indiscriminately probes systems and moves on, these attacks involve threat actors actively troubleshooting payloads, adjusting commands, and refining their approach in real time. This marks a significant escalation. It indicates goal-oriented targeting, not opportunistic exploitation, and suggests that these actors are not just scanning for vulnerabilities—they’re hunting for footholds. Manual exploitation enables attackers to adapt dynamically to the environment, fingerprint defensive controls, and potentially chain multiple vulnerabilities to gain deeper access. Failed exploit attempts, in this context, aren’t harmless—they generate telemetry that informs future campaigns and can overwhelm defenders with noisy logs, masking successful intrusions. This activity aligns with advanced threat group tradecraft and is often a precursor to high-value intrusions, espionage, or cyber-enabled kinetic operations. Organizations running React or Next.js in self-managed environments should treat this as a high-severity threat and assume that reconnaissance and active exploitation are already underway.
Bottom Line Up Front (BLUF): Amazon threat intelligence confirms that multiple Chinese state-linked groups, including Earth Lamia and Jackpot Panda, are actively exploiting CVE-2025-55182 (aka React2Shell), a critical vulnerability (CVSS 10.0) affecting React Server Components in versions 19.x and Next.js 15.x/16.x using App Router. Observed within hours of public disclosure, exploitation attempts are both automated and manual, with actors debugging payloads in real time. While AWS services are unaffected, Amazon is urging organizations hosting React-based applications outside managed AWS environments to apply immediate patches.
Analyst Comments: What’s notable here isn’t just the exploitation of a CVSS 10.0 web flaw, but the method: AWS honeypots observed attackers manually iterating payloads for nearly an hour, indicating live troubleshooting, not just automated scanning. That level of hands-on-keyboard activity points to targeted operations, not opportunistic noise. Amazon’s telemetry also shows threat actors throwing flawed public PoCs at live targets, suggesting a shotgun approach in which even non-functional exploits help identify weak configurations or distract defenders. This has substantial implications for SOCs: expect noisy logs, decoys, and misdirection to obscure real compromise attempts. React2Shell is especially dangerous for organizations that self-host React or Next.js apps in containers or CI/CD pipelines without strong web application firewalls or runtime monitoring.
READ THE STORY: Industrial
Apache Warns of 10.0-Rated XML Injection Flaw in Tika Toolkit: Incomplete Patch Leaves Users Exposed
Bottom Line Up Front (BLUF): Apache has issued a critical advisory for CVE-2025-66516, a CVSS 10.0 vulnerability affecting its Tika metadata extraction toolkit. The flaw stems from an incomplete fix for a previously disclosed issue (CVE-2025-54988) and enables XML External Entity (XXE) injection via crafted PDFs. While users may have patched the tika-parser-pdf-module, many remain vulnerable due to a dependency mismatch—the core vulnerability resides in the tika-core library, which must be upgraded separately to version 3.2.2 or later.
Analyst Comments: Organizations using Apache Tika, especially in file ingestion or content analysis pipelines, should treat this as a high-risk exposure, particularly in environments that process untrusted PDFs. The ability to carry out XXE injection attacks gives adversaries potential access to sensitive system files, internal network resources, or backend services, depending on how Tika is integrated. Worse, the oversight in the original fix means some teams may have a false sense of security, believing they remediated the issue when they haven’t. This kind of vulnerability is attractive to APTs and red teams alike—it provides low-friction access paths into systems that routinely handle diverse document formats, such as email gateways, search engines, and legal document systems. Expect this to be added to exploit kits quickly.
READ THE STORY: The Register
Thymeleaf Template Injection Bypass Enables RCE in Latest Ruoyi Release (v4.8.1)
Bottom Line Up Front (BLUF): A report by Tianlu Laboratory reveals that the latest stable version of the Ruoyi framework (v4.8.1)—which uses Thymeleaf 3.0.15—is vulnerable to remote code execution (RCE) via a template injection bypass. Despite security enhancements in recent Thymeleaf versions, researchers demonstrated a successful bypass of expression filtering logic via literal substitution, enabling the execution of arbitrary system commands during template rendering.
Analyst Comments: While Thymeleaf’s upgrades since 3.0.12 were meant to block classic T() and new expressions, the 4.8.1 implementation fails to entirely prevent expression injection under certain conditions, especially in fragment rendering logic. The attack chains exploit the framework’s support for Spring MVC view resolution, allowing expressions to be evaluated during template fragment selection. Bypasses involve $${} literal substitution and specific character sequences that slip past containsExpression() logic, a defense added in 3.0.15 that can be tricked using nested characters or crafted spacing.
READ THE STORY: Freebuf
ValleyRAT Campaign Targets Chinese Users via Fake Microsoft Teams Sites
Bottom Line Up Front (BLUF): APT group Silver Fox (Void Arachne) is leveraging SEO poisoning to distribute ValleyRAT malware to Chinese users, including Western organizations operating in China. Masquerading as a Microsoft Teams installer, the loader uses Cyrillic-labeled files and false-flag attribution tactics to confuse threat analysts and evade detection. The campaign, active since November 2025, combines espionage with financially motivated activity.
Analyst Comments: Victims download a fake Microsoft Teams installer, which contains a modified ValleyRAT loader embedded in a ZIP file (MSTчamsSetup.zip). After execution, the malware disables Defender scanning, deploys decoy files, and executes a DLL payload via rundll32.exe, connecting to C2 infrastructure at Ntpckj[.]com (IP 134.122.128[.]131) over port 18852. Notably, the campaign uses indicators like JSON-config-based execution, Embarcadero folder paths for persistence, and over 20 associated domains and 18 active C2s. The loader adapts its behavior based on endpoint defenses, specifically targeting systems with Chinese-language security software.
READ THE STORY: Freebuf
Memory Webshell Planted via Legacy Upload API: Insider-Like Intrusion Revealed Through Post-Breach Log Analysis
Bottom Line Up Front (BLUF): A detailed log review by Yudays Lab has reconstructed a multi-stage intrusion that culminated in the deployment of a JSP-based memory-resident webshell. The attacker exploited a lingering file upload API in a system whose UI had been shut down for months, using session hijacking, timestamp-based brute forcing, and in-memory malware injection. Evidence suggests the attacker had intimate knowledge of the system, raising concerns about insider threats or prior exposure through third-party testing.
Analyst Comments: The web interface was decommissioned, but backend endpoints were never fully disabled. The attacker clearly had a roadmap of the system—they knew about the arbitrary-file-download flaw, the session API, the timestamped file-naming logic, and how to achieve code execution via JSP uploads. That’s not casual probing. It’s operational familiarity. The payload—an in-memory class loader using Base64-decoded bytecode and Java reflection—is stealthy and widely used in modern webshell frameworks. The attacker cycled through multiple failed upload attempts before successfully accessing their dropped JSP and triggering the memory malware. It’s a reminder that just hiding or disabling frontends isn’t enough—if the logic still lives behind the scenes, it’s in scope for attackers.
READ THE STORY: Freebuf
Former Deep-Cover Russian Spy Leads Push to Infiltrate India’s Tech Sector
Bottom Line Up Front (BLUF): Russia is actively working to co-opt India’s tech and cybersecurity sectors under the guise of strategic collaboration, according to documents obtained by European intelligence and reviewed by The Washington Post. Andrei Bezrukov leads the campaign—once a deep-cover Russian spy in the U.S.—and involves offers of tech transfers and joint development of critical systems like cybersecurity platforms, quantum cryptography, and military-grade processors. While marketed as a partnership to reduce Western dependency, the underlying intent appears to include long-term Russian influence over Indian infrastructure and potential access to sensitive systems.
Analyst Comments: The involvement of Bezrukov, whose espionage in the U.S. inspired The Americans, underscores how intelligence tradecraft is being repurposed for digital-era infiltration. His collaboration with another former intelligence officer, Valentin Makarov, aims to entrench Russian software, processors (e.g., Elbrus), and operating systems like BasAlt into Indian defense and government environments. While such partnerships are framed as moves toward “technological sovereignty” for BRICS countries, leaked communications reveal Russia’s real strategy: creating dependency through control of the tech stack and reserving the ability to cut off or compromise these systems if political tensions rise. This mirrors long-standing Russian doctrine of embedding strategic access under the guise of commercial or bilateral ties. The risk here isn’t just foreign hardware—it’s deep software supply chain exposure, long-term espionage risk, and potential cyber-enabled coercion. Indian organizations should treat any proposed tech integration with Russian state-linked entities as a national security decision, not just a procurement choice.
READ THE STORY: News India
China Eyes Drone Swarms to Jam Starlink in Future Conflict Scenarios
Bottom Line Up Front (BLUF): Chinese military researchers are actively studying how to jam satellite mega-constellations like Starlink, recognizing their role as critical infrastructure in modern warfare. A new academic study concludes that, while technically feasible, neutralizing satellite coverage over contested regions (e.g., Taiwan) would require thousands of drones operating as distributed jammers—highlighting both the strategic priority and the logistical complexity of such operations.
Analyst Comments: China’s focus on countering systems like Starlink shows how deeply Ukraine’s wartime use of commercial LEO constellations has altered military doctrine globally. The study’s proposed method—1,000 to 2,000 jamming drones—is as much a warning as a proof-of-concept. It’s unlikely such a strategy would go unnoticed during execution. Still, gray-zone techniques like spoofing, limited jamming, or cyber intrusions into satellite infrastructure are far more practical in peacetime escalation scenarios. Operators should take note: hardening commercial satcom networks isn’t optional anymore. Segmentation of military vs. civilian infrastructure, OTA authentication, and anti-spoofing countermeasures must be considered part of core architecture, not bolt-ons.
READ THE STORY: Hans India
AI-Powered Browsers Too Risky for Enterprise Use—Block by Default, Analysts Urge
Bottom Line Up Front (BLUF): Gartner is advising enterprises to block AI-enabled browsers such as Perplexity’s Comet and OpenAI’s ChatGPT Atlas due to serious security and operational risks. In a recent advisory, the firm warns that these “agentic browsers”—capable of autonomously navigating, interacting with, and completing tasks on websites—pose threats including credential theft, prompt injection, and data leakage from active web sessions. Until comprehensive risk assessments are completed and controls are in place, these tools should not be used in enterprise environments.
Analyst Comments: Gartner’s warning lands at the intersection of two volatile trends: enterprise reliance on browser-based workflows and the rapid rise of AI agents with real-world autonomy. Unlike traditional browsers, these tools aren’t just displaying content—they’re making decisions on the user’s behalf, sometimes within authenticated sessions, which raises red flags for CISO teams. The AI sidebar feature alone can leak sensitive data (like tabs, cookies, or session history) to backend LLMs. In contrast, agentic features can be deceived into taking unintended actions, such as clicking on malicious links or filling out forms with erroneous data.
READ THE STORY: The Register
AS/400 “Mistake” Becomes a Breakthrough: Untrained Techie Accidentally Improves Overnight Job Efficiency
Bottom Line Up Front (BLUF): An untrained IT staffer at a specialty vehicle manufacturer in the early 1990s unknowingly improved overnight job processing on an AS/400 system by misusing a high-priority queue. The error led to faster job execution and ultimately changed the company’s standard procedures—cutting downtime, boosting resiliency, and streamlining overnight operations.
Analyst Comments: “Leo,” the techie in question, wasn’t trained on the AS/400 but still had to support it during off-hours. When the usual queue was unavailable, he took a chance on an unfamiliar, empty one—unknowingly triggering a high-priority job path. The result? A workload that previously took hours is completed instantly. The team realized the queue had never been fully utilized, which led to a process change. From a security and ops perspective, it’s a reminder of how much institutional knowledge can go unshared, and how systems are often under- or misconfigured by design inertia. Modern parallels exist in cloud cost optimization, job orchestration tuning, and even misused priority settings in Kubernetes or CI/CD pipelines. Accidental innovation remains a powerful force—especially when your systems are complex, tribal knowledge reigns, and documentation is sparse.
READ THE STORY: The Register
China’s First Reusable Rocket Explodes on Landing – But Its Ethernet Avionics Hold Up
Bottom Line Up Front (BLUF): China’s LandSpace saw its Zhuque-3 reusable rocket prototype explode during landing last week after a successful orbital launch. Despite the crash, the mission showcased several advanced technologies, including a new high-speed Powerlink Ethernet communication platform and a high-performance return control system derived from automotive electronics. The flight marks a step forward in China’s private space tech capabilities, with cybersecurity implications for real-time comms and critical avionics systems under high-stress environments.
Analyst Comments: For context, that’s a massive leap over the legacy MIL-STD-1553B buses (~1Mbps), and reflects the aerospace industry’s slow shift toward IP-based networking inside launch vehicles. The reliance on automotive-grade computing hardware for return control is also worth noting, as these components are increasingly used across drone, satellite, and missile systems. As space systems modernize with COTS components and networked architectures, they inherit attack surfaces familiar to cyber operators—think firmware manipulation, bus injection, or packet sniffing during OTA command streams. Expect aerospace cyberhardening to become a frontline concern, especially in dual-use commercial/military platforms.
READ THE STORY: The Register
Porsche Vehicles in Russia Immobilized by Satellite Alarm System Malfunction, Fueling Cybersecurity Concerns
Bottom Line Up Front (BLUF): A widespread malfunction in Porsche’s factory-installed satellite-based alarm systems has left hundreds of internal combustion engine (ICE) models in Russia completely immobilized. Beginning November 28, the disruption disabled engine start-ups and satellite connectivity, forcing owners to tow their vehicles to authorized service centers. The root cause remains unclear, raising concerns over firmware flaws, potential supply chain compromise, or even deliberate remote disabling.
Analyst Comments: While the official narrative points to a malfunction, the uniformity of the failure across all ICE models suggests a deeper systemic issue—possibly a botched OTA update or a latent kill-switch mechanism. With no reports affecting hybrids or EVs, the vulnerability appears localized to ICE-specific control units, such as alarm modules linked to Porsche’s Communication Management (PCM) platform. In a geopolitical context, Russia’s heavy reliance on parallel imports post-sanctions makes this look less like a coincidence and more like a potential test case for software-enforced export compliance or state-linked sabotage. Organizations managing vehicle fleets—especially cross-border or high-value assets—should reevaluate exposure from telematics and remote management features.
READ THE STORY: CSN
TL-ICScan: Localized Vulnerability Intelligence Platform Streamlines Threat Tracking for Red and Blue Teams
Bottom Line Up Front (BLUF): TyLoo Labs has released TL-ICScan, an open-source, hybrid Python–Rust tool that aggregates, normalizes, and locally indexes vulnerability intelligence from multiple sources, including NVD, CISA KEV, MSRC, Exploit-DB, and GitHub PoCs. Designed for Chinese-language security environments, it offers high-performance local querying, offline access, and automated markdown briefings—positioning it as a practical tool for SOC analysts, red teams, and defenders managing regional or air-gapped networks.
Analyst Comments: TL-ICScan solves a recurring challenge for many security teams: how to stay on top of evolving CVEs, PoCs, and exploit trends without relying on cloud-based dashboards or noisy vendor feeds. Its architecture cleanly separates concerns: Python scrapes threat sources, Rust handles fast local indexing, and a lightweight Streamlit UI gives analysts point-and-click access without needing constant connectivity. This hybrid model is especially appealing for air-gapped or compliance-heavy environments, including Chinese enterprises with limited access to global services.
READ THE STORY: Freebuf
Ukraine’s Sea Drone Program Forces Russian Naval Retreat, Eyes AI-Powered Expansion in 2026
Bottom Line Up Front (BLUF): Ukraine’s sea drone unit, Group 13, has significantly curtailed Russian naval operations in the Black Sea, pushing Moscow’s vessels into defensive postures near port. As Russian forces adapt, Ukraine plans to enhance its capabilities through AI integration, longer-range strike options, and expanded international drone cooperation with NATO partners in 2026.
Analyst Comments: Sea drones like the Magura V5 and V7 have already proven effective in restricting Russian naval movement and damaging high-value assets. By targeting Russia’s shadow oil fleet and leveraging modified Western weapon systems like Sidewinders, Ukraine has adapted these platforms for layered maritime and air denial roles. Russia’s apparent response—restricting naval activity to within 40km of port—confirms Ukraine’s impact. This shift has logistical and strategic implications: it limits Russia’s ability to launch maritime missile strikes and increases the cost of maintaining the fleet without operational output.
READ THE STORY: SeattlePI
EU Fines Musk’s X €120M Under Digital Services Act Over Disinformation, Research Blocking
Bottom Line Up Front (BLUF): The European Commission has imposed a €120 million fine (~$139M) on Elon Musk’s platform X (formerly Twitter) under the Digital Services Act (DSA) for failing to meet transparency obligations related to disinformation, political advertising, and researcher access to public data. This marks the first enforcement action under the DSA and signals escalating regulatory tension between the EU and major U.S.-based platforms.
Analyst Comments: While €120 million is modest relative to Musk’s empire, the Commission’s decision to target algorithmic opacity and ad transparency failures—especially the blocking of academic research access—sets a critical precedent. The EU is testing its sovereign power to regulate U.S. tech giants on the grounds of democratic integrity and societal harm. Musk’s characterization of the enforcement as “political censorship” mirrors his earlier pushback against moderation norms. Yet, the DSA doesn’t regulate content—it regulates processes, access, and transparency, and in this case, X’s paid blue-check verification system and its political ad repository were found to violate EU law.
READ THE STORY: The Record
Macron Threatens China with Tariffs Over EU Trade Deficit Surge
Bottom Line Up Front (BLUF): French President Emmanuel Macron warned that the EU could impose tariffs on Chinese imports if Beijing doesn’t address its widening trade surplus with Europe. While trade decisions fall under the EU Commission's authority, Macron’s public stance puts pressure on the EU to adopt a more protectionist policy. His remarks come amid concerns that Chinese exports redirected from the US—due to American tariffs—are now flooding European markets.
Analyst Comments: The proposed tariffs echo US policy under President Trump, whose administration imposed punitive levies on Chinese goods earlier this year. The tension highlights a core asymmetry: Europe remains a lucrative destination for Chinese exports, yet lacks cohesive action due to internal divisions—most notably Germany’s deep commercial ties with China. Macron’s comments reflect both political posturing and a potential prelude to coordinated EU trade defense measures, especially in sensitive sectors like automotive, green tech, and industrial machinery.
READ THE STORY: Telegrafi
BabyStream: Complete Cryptanalysis from LFSR to LPN Using RANSAC
Bottom Line Up Front (BLUF): A recent CTF challenge demonstrated a practical cryptanalysis of the custom BabyStream cipher using Learning Parity with Noise (LPN) techniques. By modeling the cipher’s output as a noisy linear system and applying the RANSAC algorithm, researchers successfully recovered the 128-bit secret state from encrypted output, with 100% bitstream reproduction accuracy. The attack showcases how low-noise cryptographic constructs can be vulnerable to statistical recovery methods.
Analyst Comments: BabyStream combines a 128-bit LFSR with a nonlinear feedforward function, but most output bits are driven by linear terms—making it susceptible to LPN-based attacks. The attacker models the cipher as an LPN problem, exploits the sparsity of the noise (only ~6.25% of the bits are nonlinearly influenced), and solves it using RANSAC. This is a textbook example of where classical cryptographic constructions become weak under modern statistical analysis. What makes this especially notable is not just the academic relevance of LPN (used in post-quantum crypto research), but how bit-level optimizations and algorithmic resilience (e.g., tolerance to noise) enable key recovery in seconds on commodity hardware. The attack avoids the overhead of complete matrix computations, instead relying on bitwise operations for GF(2) Gaussian elimination and transformation vector updates.
READ THE STORY: Freebluf
Russia’s War Economy Nears Breaking Point as Sanctions Bite and War Drags On
Bottom Line Up Front (BLUF): Amid a collapsing economy and sustained military failures in Ukraine, Vladimir Putin is facing rising internal pressure that could threaten his grip on power. A detailed analysis published by The Guardian argues that Russia’s war economy is no longer sustainable, with sharp declines in revenue, rising inflation, and growing elite dissatisfaction. Failed diplomatic overtures—most notably Trump’s unofficial “peace” deal—have only prolonged Russia’s strategic decline.
Analyst Comments: Despite early resilience driven by war spending, Russia’s economic fundamentals are cracking: oil and gas revenues have fallen by 27%, inflation is at 8%, interest rates are at 16%, and strategic reserves are being rapidly depleted. Foreign investment has evaporated, sanctions have pushed Asian buyers away, and the ruble remains volatile. Crucially, the Kremlin’s internal balancing act—funding the war while suppressing dissent—is showing signs of strain. Payments to soldiers have been cut. Public discontent is rising, particularly outside Moscow. And elite factions are reportedly growing restless, especially as the promise of a quick victory has failed to materialize nearly four years into the war.
READ THE STORY: Telegrafi
Items of interest
Ex-Canadian Spy Chief: China Running ‘Industrial-Scale’ Tech Theft Ops Through Western Universities
Bottom Line Up Front (BLUF): David Vigneault, former head of the Canadian Security Intelligence Service (CSIS), has warned that hostile intelligence services—especially China’s—are increasingly targeting Western universities, research programs, and private sector innovation in systematic efforts to steal advanced technologies. Speaking to The Guardian in his first public interview since leaving CSIS, Vigneault described these efforts as “industrial-strength,” involving cyberattacks, embedded operatives, and academic recruitment, all of which feed into China’s military modernization strategy.
Analyst Comments: Vigneault’s remarks confirm what many in the intelligence community have long suspected: that universities are now prime attack surfaces for state-sponsored espionage, particularly from China’s Ministry of State Security (MSS). The strategy is clear—extract dual-use technology from open Western institutions and divert it into PLA development pipelines. Universities, often lacking the internal security postures of government agencies or private defense firms, make ideal targets. The transition from terrorism-focused intelligence to “big power espionage” is now complete, and threat models must evolve accordingly. The fact that China is using both cyber and human intelligence vectors—recruiting faculty, exploiting ideological and financial motives—demands a whole-of-institution response. National security vetting for sensitive research isn’t academic overreach; it’s now operationally necessary. And as Vigneault rightly points out, the issue is with the Chinese Communist Party, not individuals, yet failing to address the threat risks leaving critical technologies compromised before they ever reach deployment.
READ THE STORY: The Guardian
Inside China’s state-run espionage campaign against U.S. (Video)
FROM THE MEDIA: A new book, “The Great Heist,” exposes how China has carried out a long-running, large-scale espionage campaign to undermine the U.S. and its allies by stealing information and technology from companies. Author David Shedd joins “The Takeout” to discuss.
What Does China Want? | The Impossible State (Video)
FROM THE MEDIA: The Impossible State podcast, experts discussed the Trump–Xi summit held last month in Korea and China’s strategic ambitions. They also discussed whether China is a status quo power with limited global aims, or a revisionist state with goals of expanding power and reshaping the global international order, and more.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.