January Threat Rundown: React2Shell, Ni8mare CVE, AI-Generated Malware, and More
Rubrik Zero Labs presents threats data and insights covering the period from mid-December 2025 through January 2026.
Major Stories of the Month
The React2Shell Crisis
Industrial-Scale Weaponization
The exploitation of the React2Shell vulnerability (CVE-2025-55182) represents the fastest vulnerability-to-weaponization cycle observed in the last year.
Shadowserver data identified over 111,000 exposed vulnerable IP addresses globally.
The threat transitioned from proof-of-concept to active ransomware deployment in under one week. Threat actors successfully deployed Weaxor ransomware within minutes of initial compromise.
Google Threat Intelligence attributed attacks to five distinct China-nexus APT groups and various Iranian threat actors using the flaw for both espionage and cryptocurrency mining.
The Siege on Workflow Automation (n8n Ecosystem)
Cloud-native automation platforms became a primary attack surface, with the n8n workflow platform as the specific target. The threat evolved rapidly from direct vulnerability exploitation to sophisticated supply chain attacks.
- A cluster of three maximum-severity flaws (CVSS 9.9–10.0), including "Ni8mare" (CVE-2026-21858), exposed approximately 100,000 servers to unauthenticated remote takeover.
- Following the vulnerability disclosure, the ecosystem suffered a supply chain attack via malicious npm packages disguised as legitimate nodes (e.g., Google Ads connectors). These packages were designed to exfiltrate OAuth tokens and API credentials from credential stores during runtime.
The Era of AI-Generated Malware
This month marked a paradigm shift with the confirmation of VoidLink, a sophisticated Linux malware framework built almost entirely by artificial intelligence.
- Unlike previous AI-assisted scripts, VoidLink is a comprehensive framework with 88,000+ lines of code, featuring 30+ adaptive plugins, custom loaders, and kernel rootkits.
- The malware is specifically engineered for AWS, Azure, and Google Cloud environments, possessing capabilities to detect containerized environments (Docker, Kubernetes) and adjust stealth mechanisms accordingly.
Top Ransomware Groups
The following groups demonstrated the highest activity levels or operational innovation during the reporting period:
1. Qilin - Qilin added 55 new victims in the first weeks of 2026 alone, indicating a record-breaking pace. The group demonstrates no restraint, targeting critical services vital to public health and safety.
2. Akira - Akira dominated the previous campaign cycle with 34% of tracked attacks. While ransomware payments generally fell, Akira remains a persistent volume threat.
3. Lynx - Lynx claimed 740 victims across the 2025 tracking period. Their operations span Paraguay, Colombia, France, Australia, and Bangladesh, indicating a global, non-specific targeting strategy.
4. Weaxor - Weaxor is notable for leveraging the React2Shell vulnerability to deploy encryption within minutes of initial access; its operators disable Windows Defender immediately after encryption.
5. DeadLock - DeadLock pioneered the use of Polygon blockchain smart contracts for dynamic proxy rotation. This anti-detection method complicates traditional IP/domain tracking by defenders.
Linux / Cloud / Identity Attacks: Top Threats
These threats were selected based on their severity scores (CVSS) and their specific impact on cloud infrastructure and identity management systems.
1. MongoDB "MongoBleed" (CVE-2025-14847)
Type: Cloud/Identity Data Leak
A critical unauthenticated memory disclosure vulnerability caused by zlib compression mishandling. It allows attackers to leak passwords, API keys, and tokens from memory.
Approximately 87,000 hosts were identified as potentially vulnerable.
CVSS 8.7. Active exploitation has been confirmed across honeypot networks, and a proof-of-concept exploit is publicly available.
2. ServiceNow AI "BodySnatcher" (CVE-2025-12420)
Type: Identity/AI Platform
Enables unauthenticated attackers to impersonate users within the ServiceNow AI Platform (Now Assist and Virtual Agent). This allows unauthorized querying of internal knowledge bases and manipulation of business workflows.
Affects enterprise AI chatbot platforms widely used for internal ticketing and knowledge management.
CVSS 9.3 (Critical authentication bypass allowing arbitrary actions as impersonated users).
Rubrik Zero Labs LLM-Based Analysis System Insights
Insights from Rubrik Zero Labs' LLM-based malware analysis systems.
Top Linux & Cloud Threats Analyzed:
1. SHA256: 4e956dd61de38c8fa823b26c2d99afb282e4353d595a83cde7bd28ed86f9e8b0
   - Analysis: Ebury (SSH rootkit). A sophisticated backdoor that replaces the libkeyutils.so shared library to intercept and steal SSH credentials. The trojanized library exports the signature function recursive_session_key_scan and hooks readdir and execve to conceal its processes and files from administrators.
   - First seen: 2026-01-21
2. SHA256: 69f3d8eabd18ea0667d3ce8e37b9dd805b84f8f6c93b2c3582f59b008cf1308d
   - Analysis: A backdoor targeting VMware ESXi. It scans the PCI bus to identify the underlying hardware and uses VMCI sockets (port 0x4a4f) to create a covert communication channel between guest and hypervisor.
   - First seen: 2025-11-05
3. SHA256: e6e26d64ec453885b856f961fc67d2be583c451e8573281703a4ff5696cf704f
   - Analysis: A manually operated backdoor trojan featuring a custom ELF loader and strong cryptography (AES-256, Curve25519). It requires an interactive password before it will execute payloads.
   - First seen: 2025-05-16
4. SHA256: 11ad850cc312ba7255ae3e906f4ccdfca1cb1f8109d7a20f660ec3c8c5ae1d72
   - Analysis: A backdoor downloader using PNG steganography and memfd_create for fileless execution. It employs direct syscalls to evade API hooks and deletes itself from disk to hide traces.
   - First seen: 2025-12-25
5. SHA256: 80fe96ce83f1f1553194fe5d967dad6d4a24e11625dc63e2b65aaf111ade8baf
   - Analysis: A generic Linux backdoor notable for being written in the Zig programming language. It uses a custom memory allocator, DNS-based C2, and ChaCha20 encryption.
   - First seen: 2026-01-05
6. SHA256: bf8135f46ecedfe5bd06fcecbb2e721c2367ff765b18f4aa3f868e6597f49e47
   - Analysis: A Linux backdoor using a custom RC4-like stream cipher and a multi-threaded architecture. It uses function pointer tables for dynamic API resolution and supports remote command execution.
   - First seen: 2025-11-28
7. SHA256: b3df27fe7a4b51ec10374dfedee47cb10ef77c53ad48973f7a5c7db822c67959
   - Analysis: A Python-based Kubernetes container escape toolkit targeting Windows HostProcess containers. It exploits RBAC misconfigurations to escalate privileges to SYSTEM and create hidden accounts.
   - First seen: 2026-01-22
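The Ebury entry above gives a concrete host-level indicator: a libkeyutils.so that exports recursive_session_key_scan. The following triage script is an added example, not Rubrik Zero Labs code and not derived from the sample. It parses the ELF64 dynamic symbol table of every libkeyutils.so copy on the host and flags any that exports that name. Assumptions, also marked in the comments: the library is ELF64 little-endian (the usual x86-64 or aarch64 case), the search paths listed in scan_libkeyutils cover where the library is installed, and the build_fake_shared_object fixture is a constructed minimal ELF used only to exercise the parser offline, not a real library image.

```python
"""Triage check for a trojanized libkeyutils.so exporting recursive_session_key_scan.

Added example, not Rubrik Zero Labs code. Assumes ELF64 little-endian images;
the fixture builder produces a constructed, non-loadable ELF for offline testing.
"""
import glob
import struct

SHT_STRTAB, SHT_DYNSYM = 3, 11
STB_GLOBAL, STB_WEAK, STT_FUNC = 1, 2, 2
EHDR = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr (64 bytes)
SHDR = "<IIQQQQIIQQ"         # Elf64_Shdr (64 bytes)
SYM = "<IBBHQQ"              # Elf64_Sym  (24 bytes)
EBURY_EXPORT = "recursive_session_key_scan"   # indicator named in the analysis above


def exported_dynamic_symbols(data: bytes) -> set[str]:
    """Return names of defined, GLOBAL/WEAK symbols in .dynsym (what `nm -D` would list as exports)."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian images are handled here (assumption)")
    hdr = struct.unpack_from(EHDR, data, 0)
    shoff, shentsize, shnum = hdr[6], hdr[11], hdr[12]
    sections = [struct.unpack_from(SHDR, data, shoff + i * shentsize) for i in range(shnum)]
    names = set()
    for sh in sections:
        if sh[1] != SHT_DYNSYM:
            continue
        str_off = sections[sh[6]][4]            # sh_link points at the matching .dynstr
        entsize = sh[9] or struct.calcsize(SYM)
        for off in range(sh[4], sh[4] + sh[5], entsize):
            st_name, st_info, _, st_shndx, _, _ = struct.unpack_from(SYM, data, off)
            # st_shndx == 0 is an undefined (imported) symbol; locals are not exports
            if st_shndx == 0 or (st_info >> 4) not in (STB_GLOBAL, STB_WEAK):
                continue
            end = data.index(b"\0", str_off + st_name)
            names.add(data[str_off + st_name:end].decode("ascii", "replace"))
    return names


def is_ebury_like(data: bytes) -> bool:
    return EBURY_EXPORT in exported_dynamic_symbols(data)


def scan_libkeyutils(patterns=("/lib*/libkeyutils.so*", "/usr/lib*/libkeyutils.so*",
                               "/lib*/*/libkeyutils.so*", "/usr/lib*/*/libkeyutils.so*")):
    """Check every libkeyutils.so copy on the host (search paths are an assumption)."""
    hits = []
    for pattern in patterns:
        for path in glob.glob(pattern):
            try:
                with open(path, "rb") as fh:
                    if is_ebury_like(fh.read()):
                        hits.append(path)
            except (OSError, ValueError):
                continue
    return hits


def build_fake_shared_object(exports) -> bytes:
    """Constructed ELF64 fixture with only .dynstr/.dynsym/.shstrtab; not a real library."""
    dynstr, offsets = b"\0", []
    for name in exports:
        offsets.append(len(dynstr))
        dynstr += name.encode() + b"\0"
    dynsym = struct.pack(SYM, 0, 0, 0, 0, 0, 0)                  # mandatory null symbol
    for off in offsets:                                           # defined GLOBAL FUNC symbols
        dynsym += struct.pack(SYM, off, (STB_GLOBAL << 4) | STT_FUNC, 0, 1, 0x1000, 0x10)
    shstrtab = b"\0.dynstr\0.dynsym\0.shstrtab\0"                 # name offsets 1, 9, 17
    dynstr_off = struct.calcsize(EHDR)
    dynsym_off = dynstr_off + len(dynstr)
    shstr_off = dynsym_off + len(dynsym)
    shoff = shstr_off + len(shstrtab)
    shdrs = struct.pack(SHDR, *([0] * 10))                        # index 0: null section
    shdrs += struct.pack(SHDR, 1, SHT_STRTAB, 0, 0, dynstr_off, len(dynstr), 0, 0, 1, 0)
    shdrs += struct.pack(SHDR, 9, SHT_DYNSYM, 0, 0, dynsym_off, len(dynsym), 1, 1, 8, 24)
    shdrs += struct.pack(SHDR, 17, SHT_STRTAB, 0, 0, shstr_off, len(shstrtab), 0, 0, 1, 0)
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\0" * 9             # ELF64, LSB, version 1
    ehdr = struct.pack(EHDR, ident, 3, 0x3E, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 4, 3)
    return ehdr + dynstr + dynsym + shstrtab + shdrs


if __name__ == "__main__":
    clean = build_fake_shared_object(["keyctl", "request_key"])
    trojan = build_fake_shared_object(["keyctl", "request_key", EBURY_EXPORT])
    print("clean fixture flagged:", is_ebury_like(clean))      # False
    print("trojan fixture flagged:", is_ebury_like(trojan))    # True
    print("suspicious libkeyutils copies on this host:", scan_libkeyutils())
```

Match by exported name is a cheap first pass, not proof of absence: a sample that renames the export, or that hooks readdir so the trojanized file is hidden from glob, will not be caught, so pair this with package-manager file verification and the SHA256 from the entry above.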
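The downloader entry that uses memfd_create for fileless execution leaves a forensic trace the page does not spell out: a process whose image was loaded from an anonymous memfd has /proc/<pid>/exe pointing at a pseudo-path of the form "/memfd:<name> (deleted)", because the file has no directory entry. The scanner below is an added example, not Rubrik Zero Labs code, and is not tied to the specific sample. The build_fake_proc helper fabricates a small /proc look-alike (constructed data) so the check can be run offline; the live call at the end reads the real /proc and needs root to see other users' processes.

```python
"""Hunt for memfd-backed (fileless) executables via /proc/<pid>/exe.

Added example, not Rubrik Zero Labs code. The "/memfd:" link target is documented
Linux behaviour; the fixture below is constructed test data, not a real process tree.
"""
import os
import tempfile
from dataclasses import dataclass


@dataclass
class MemfdHit:
    pid: int
    exe_target: str     # raw readlink() result, e.g. "/memfd:stage2 (deleted)"
    cmdline: str


def _read_cmdline(proc_dir: str) -> str:
    """/proc/<pid>/cmdline is NUL-separated; render it as one line."""
    try:
        with open(os.path.join(proc_dir, "cmdline"), "rb") as fh:
            return fh.read().replace(b"\0", b" ").strip().decode(errors="replace")
    except OSError:
        return ""


def find_memfd_executables(proc_root: str = "/proc") -> list[MemfdHit]:
    """Return every process whose main executable lives in an anonymous memfd."""
    hits = []
    for entry in sorted(os.listdir(proc_root)):
        if not entry.isdigit():          # skip self, sys, net, ... only numeric PIDs
            continue
        proc_dir = os.path.join(proc_root, entry)
        try:
            target = os.readlink(os.path.join(proc_dir, "exe"))
        except OSError:
            continue                     # kernel thread, exited process, or EACCES
        # memfd_create() images appear as "/memfd:<name>" and the kernel appends
        # " (deleted)" because there is no path in any filesystem.
        if target.startswith("/memfd:"):
            hits.append(MemfdHit(int(entry), target, _read_cmdline(proc_dir)))
    return hits


def build_fake_proc(entries) -> str:
    """Constructed /proc look-alike: entries = [(pid, exe_target, cmdline), ...]."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    for pid, exe_target, cmdline in entries:
        d = os.path.join(root, str(pid))
        os.makedirs(d)
        os.symlink(exe_target, os.path.join(d, "exe"))   # dangling, like a real memfd link
        with open(os.path.join(d, "cmdline"), "wb") as fh:
            fh.write(cmdline.encode() + b"\0")
    os.makedirs(os.path.join(root, "self"))              # non-numeric entry, must be ignored
    return root


if __name__ == "__main__":
    demo = build_fake_proc([
        (1, "/usr/lib/systemd/systemd", "/sbin/init"),
        (4242, "/memfd:stage2 (deleted)", "/usr/bin/updater --quiet"),
        (4300, "/usr/bin/bash", "bash"),
    ])
    for hit in find_memfd_executables(demo):
        print(f"pid={hit.pid} exe={hit.exe_target!r} cmdline={hit.cmdline!r}")
    print("memfd-backed processes on this host:", find_memfd_executables())
```

Two caveats for live use. The sample's direct-syscall trick defeats userland API hooks, not this check, because /proc is populated by the kernel; but a library-level rootkit that hooks readdir (as the Ebury entry describes) can hide the PID directory from os.listdir, so compare the result against a pid enumeration from another vantage point such as kill(pid, 0) over the PID range. Legitimate software (some runtimes and sandboxes) also uses memfd, so treat a hit as a lead to triage, not a verdict.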