Shanya EDR bypass packer π«, malicious VSCode extensions π», AI prompt injection flaws π€, $4.5B ransomware impact π°, CastleLoader MaaS expansion π¦
Daily Threat Intel Digest - December 9, 2025
π΄ Critical Threats
Ransomware gangs adopt Shanya EXE packer to bypass EDR solutions Multiple ransomware groups including Medusa, Qilin, Crytox, and Akira are increasingly using “Shanya,” a packer-as-a-service platform that helps hide EDR-killing payloads from security tools. The packer inserts malicious code into legitimate-looking Windows DLL files and keeps execution entirely in memory, making detection extremely difficult. Shanya also includes anti-analysis techniques that crash when run under debuggers. The service has grown significantly since late 2024, with activity detected in Tunisia, UAE, Costa Rica, Nigeria, and Pakistan. So what? This represents a new commercialization of advanced evasion techniques that lowers the technical barrier for ransomware operators to disable endpoint security. Security teams should monitor for unusual DLL loading patterns and implement memory-based detection capabilities. Ransomware gangs turn to Shanya EXE packer to hide EDR killers
Malicious VSCode extensions drop infostealers through Microsoft’s registry Two malicious extensions, “Bitcoin Black” and “Codo AI,” have been discovered in Microsoft’s Visual Studio Code Marketplace, delivering information-stealing malware that can take screenshots, steal credentials, crypto wallets, and hijack browser sessions. Published under the developer name ‘BigBlack,’ the extensions use PowerShell or batch scripts to download malicious DLL files, then employ DLL hijacking to deploy infostealers under the name runtime.exe. The malware creates an “Evelyn” directory in %APPDATA%\Local\ to store stolen data, including WiFi credentials, system information, and screenshots. So what? This represents a supply chain attack on a trusted developer platform that bypasses traditional security controls. Development teams should implement strict extension approval processes and monitor for suspicious PowerShell activity. Malicious VSCode extensions on Microsoft’s registry drop infostealers
GrayBravo’s CastleLoader MaaS ecosystem expands with four distinct activity clusters Insikt Group has identified four separate activity clusters leveraging GrayBravo’s CastleLoader malware, each with unique TTPs and victim profiles, confirming the threat actor operates a malware-as-a-service model. Cluster TAG-160 specifically targets the logistics sector through phishing and ClickFix techniques, while TAG-161 impersonates Booking.com. The group has developed multiple malware families including CastleLoader, CastleBot, and CastleRAT, with infrastructure showing deliberate redundancy through overlapping C2 servers and shared RC4 encryption keys. So what? This demonstrates how sophisticated malware operations are increasingly franchising their capabilities, making attribution more difficult while expanding their reach across sectors. Security teams should implement the provided YARA, Snort, and Sigma rules to detect these specific malware families. GrayBravo’s CastleLoader Activity Clusters Target Multiple Industries
β οΈ Vulnerabilities & Exploits
FinCEN reports $2.1B in ransomware extortion from 2022-2024 According to new Treasury Department data, ransomware gangs extorted over $2.1 billion from 2022-2024, nearly matching the $2.4B total from the previous nine-year period (2013-2021). The report shows payments peaked in 2023 at $1.1B before dropping to $734M in 2024 following law enforcement actions against ALPHV/BlackCat and LockBit. Manufacturing, financial services, and healthcare were most targeted industries. Akira appeared in the most incident reports (376), while ALPHV/BlackCat earned the most at roughly $395M in payments. So what? This financial data underscores the continued profitability of ransomware despite increased law enforcement pressure and provides valuable threat intelligence about which variants are most successful. Organizations should use this data to prioritize defenses against the most active and profitable variants. FinCEN says ransomware gangs extorted over $2.1B from 2022 to 2024
UK cyber agency warns LLMs will always be vulnerable to prompt injection The UK’s National Cyber Security Centre issued a technical assessment stating that prompt injection is an inherent architectural flaw in large language models that may never be fully mitigated. Unlike SQL injection which has established prevention methods, LLMs fundamentally cannot distinguish between trusted instructions and untrusted data, making them susceptible to manipulation through hidden prompts. The warning highlights that even enterprise AI implementations remain vulnerable to attacks that could exfiltrate sensitive data or manipulate model behavior. So what? As organizations increasingly implement AI tools, this architectural limitation represents a fundamental security challenge that cannot be solved through traditional patching. Security teams must implement compensating controls like strict output validation, user confirmation requirements, and monitoring for anomalous AI behavior. UK cyber agency warns LLMs will always be vulnerable to prompt injection
π€ Threat Actor Activity
US offers $10M reward for IRGC-linked Iranian hackers The State Department is offering up to $10 million for information on Mohammad Bagher Shirinkar and Fatemeh Sedighian Kashi, allegedly working for Iran’s Revolutionary Guard Corps Cyber-Electronic Command under the alias “Shahid Shushtari.” This group, previously tracked as Emennet Pasargad and also known as Cotton Sandstorm and Haywire Kitten, has targeted critical infrastructure across news, shipping, travel, energy, financial, and telecom sectors worldwide. The group has been active since 2018 and attempted to influence the 2020 U.S. presidential election. So what? This substantial reward reflects the high priority the U.S. places on disrupting Iranian cyber operations and provides potential financial incentive for insiders to come forward. Security teams should review historical indicators associated with this threat actor and implement enhanced monitoring for suspected Iranian state-sponsored activity. Officials offer $10M reward for information on IRGC-linked leader and close associate
ShadyPanda campaign infected 4.3 million browsers via malicious Chrome extensions Researchers identified a seven-year campaign by the ShadyPanda threat actor that weaponized verified Chrome and Edge extensions to infect over 4.3 million devices with spyware. The malicious extensions enabled remote code execution, payload delivery, traffic redirection, credential and cookie theft, browser fingerprinting, HTTPS credential interception, and behavioral biometrics exfiltration. The campaign demonstrates how trusted browser extensions can become powerful espionage tools when compromised. So what? This highlights the need for organizations to implement browser extension management policies and monitor for unauthorized extension installations, especially in environments handling sensitive data. 8th December β Threat Intelligence Report
Poland arrests Ukrainians with advanced hacking equipment Polish authorities arrested three Ukrainian nationals found carrying “advanced hacking equipment” including Flipper Zero devices, K19 RF/GS detection tools, antennas, laptops, SIM cards, routers, and cameras. The suspects were charged with fraud, computer fraud, and possession of devices intended for criminal activity. The Flipper Zero can interact with radio frequencies, capture data, jam communications, and emulate input devices for malicious script execution. So what? This incident highlights how relatively affordable hacking tools are enabling technically unsophisticated actors to conduct sophisticated operations, and how border security is becoming a critical control for preventing the physical spread of cyber threats. Security teams should be aware that attackers may use such devices for physical proximity attacks against their organizations. Poland arrests Ukrainians utilizing ‘advanced’ hacking equipment
π‘οΈ Security Tools & Defenses
Google introduces “User Alignment Critic” for agentic AI browsing security Google has implemented a new defense layer called “User Alignment Critic” in Chrome to protect against indirect prompt injection attacks targeting agentic AI browsing features. This architecture uses a separate, isolated Gemini model that vets every action the primary AI agent wants to take by examining metadata and independently evaluating its safety. The system includes origin restrictions to limit agent access to task-relevant sites, user confirmation requirements for sensitive actions, and real-time prompt injection detection. Google is offering up to $20,000 in bounties for researchers who can bypass these protections. So what? This represents a significant advancement in AI security architecture that other vendors will likely emulate, but also acknowledges that agentic AI introduces new attack surfaces that require specialized defenses beyond traditional security measures. Architecting Security for Agentic Capabilities in Chrome
Picus Security introduces agentic AI for threat emulation Picus Security has launched an “agentic” approach to AI-driven threat emulation that maps threat intelligence to validated simulations using a multi-agent framework rather than generating potentially malicious code. The system uses specialized agents for planning, research, threat building, and validation to create safe, accurate attack chains based on external intelligence. This approach addresses concerns about AI-generated exploits while providing faster response to emerging threats. So what? This represents a more practical application of AI to security operations that leverages AI’s analytical capabilities without introducing new attack surfaces through generative code creation. Security teams should consider similar approaches when implementing AI tools in their environments. How Agentic BAS AI Turns Threat Headlines Into Defense Strategies
Tenable releases specialized tools for AI security risks Tenable has introduced Tenable AI Exposure, a specialized tool designed to detect risks specific to enterprise AI implementations that traditional security tools like DLP, CASB, and CSPM cannot address. The solution provides continuous AI discovery, prompt-level visibility, and threat detection specifically for AI platforms like ChatGPT Enterprise and Microsoft 365 Copilot. The tool can identify prompt manipulation techniques, unsafe third-party integrations, and misconfigurations that expose sensitive data. So what? This acknowledges that AI tools create a fundamentally different attack surface that requires purpose-built security solutions, as traditional tools cannot monitor AI-specific behaviors and risks. Security teams should evaluate their capabilities for detecting AI-specific threats as these tools become more prevalent in their environments. Detecting AI Security Risks Requires Specialized Tools: Time to Move Beyond DLP and CASB
π° Industry Developments
Vitas Hospice reports data breach affecting 300,000 individuals Vitas Hospice has disclosed a data breach impacting over 300,000 individuals, though specific details about the nature of the compromise or stolen information were not immediately available. The breach adds to the growing list of healthcare organizations suffering significant cybersecurity incidents in recent months. So what? Healthcare remains a prime target for cybercriminals due to the sensitive nature of patient data and often inadequate security controls. Healthcare organizations should prioritize implementing robust data protection measures and incident response plans to meet regulatory requirements and protect patient privacy. Over 300,000 Individuals Impacted by Vitas Hospice Data Breach
Ransomware payments surpassed $4.5 billion in total according to Treasury The Financial Crimes Enforcement Network reported that from 2013 through 2024, approximately $4.5 billion in ransom payments have been made to ransomware gangs, with $2.1 billion occurring in just the last three years (2022-2024). The data shows that despite increased law enforcement actions against major ransomware operations, the overall financial impact continues to grow steadily year over year. So what? This staggering figure demonstrates that ransomware remains an incredibly profitable criminal enterprise despite increased international efforts to combat it. Organizations should prioritize ransomware preparedness including robust backup strategies, employee training, and incident response planning to avoid becoming part of these statistics. Ransomware Payments Surpassed $4.5 Billion: US Treasury
Defense bill addresses cyber training and AI challenges The FY2026 National Defense Authorization Act includes several cybersecurity provisions requiring senior Defense Department leaders to use secure mobile phones, mandating cybersecurity training that includes AI-specific challenges, and ensuring cyber troops have access to mental health services. The legislation also prevents splitting leadership between Cyber Command and NSA and addresses commercial spyware use policies. So what? This reflects growing recognition that cyber operations create unique challenges requiring specialized support, and that AI introduces new cybersecurity risks that must be addressed in training programs. Other organizations should consider similar provisions for their security personnel who face similar operational stressors and emerging technology challenges. Defense bill addresses secure phones, AI training, cyber troop mental health