Daily Threat Intel Digest - 2025-12-24

🔴 Critical Threats & Active Exploitation

[NEW] Operation PCPcat compromises 59,000+ Next.js and React servers in 48 hours
Attackers are exploiting two critical vulnerabilities (CVE-2025-29927 and CVE-2025-66478) in Next.js and React frameworks to achieve remote code execution through prototype pollution, enabling mass credential theft. The campaign maintains a 64.6% success rate, harvesting between 300,000 and 590,000 sets of credentials from .env files, SSH keys, and cloud configurations. Organizations using Next.js must audit for unauthorized access, rotate exposed credentials, and block traffic to the Singapore-based C2 server at 67.217.57.240 [Operation PCPcat Exploits Next.js and React, Impacting 59,000+ Servers; Operation PCPcat Compromises 59,000+ Next.js and React Servers in Just 48 Hours].

[UPDATE] Evasive Panda APT poisons DNS requests to deliver MgBot
The Evasive Panda group (aka Bronze Highland) has refined its adversary-in-the-middle attacks by poisoning DNS responses to deliver MgBot implants, using hybrid encryption and memory injection for stealth. New loaders target victims via fake update lures for apps like SohuVA and iQIYI, exploiting encrypted configuration buffers to bypass detection. This expands the group’s persistence capabilities, affecting systems in Türkiye, China, and India since 2022. Defenders should hunt for injected svchost.exe processes and block C2 IPs like 60.28.124.21 [Evasive Panda APT poisons DNS requests to deliver MgBot].

⚠️ Vulnerabilities & Patches

[NEW] M-Files vulnerability (CVE-2025-13008) allows session token hijacking
A critical flaw in M-Files Server enables authenticated attackers to capture active session tokens via the Web interface, leading to account takeover and data exfiltration. The vulnerability (CVSS 8.6) stems from inadequate token protection and affects versions before 25.12.15491.7. Organizations must patch immediately and monitor for anomalous session activity, as exploitation requires no malware and leaves minimal traces [M-Files Vulnerability Allows Attackers to Capture Session Tokens of Active Users].

[NEW] Net-SNMP vulnerability (CVE-2025-68615) enables unauthenticated RCE
A buffer overflow in Net-SNMP’s snmptrapd daemon allows remote attackers to crash services and achieve arbitrary code execution without authentication, affecting all versions before 5.9.5 and 5.10.pre2. The flaw (CVSS 9.8) poses severe risks to network monitoring infrastructure, demanding immediate patching to prevent service disruption [Net-SNMP Vulnerability Allows Buffer Overflow, Leading to Daemon Crash].

[NEW] Critical MongoDB vulnerability (CVE-2025-14847) exposes sensitive data
MongoDB servers are vulnerable to uninitialized memory exposure via zlib compression, allowing unauthenticated attackers to extract credentials, encryption keys, or query data from heap memory. The flaw affects versions 3.6 through 8.2.2 and carries critical severity. Vendors advise disabling zlib compression as a workaround while patching to versions like 8.2.3 [Critical MongoDB Vulnerability Exposes Sensitive Data Through zlib Compression].

🎯 Threat Actor Activity & Campaigns

[NEW] NtKiller malware advertised as EDR/antivirus disabler
A new underground tool, NtKiller, is being promoted for $500–$1,100 on dark web forums to disable AV/EDR solutions like Microsoft Defender and Kaspersky. It features early-boot persistence, Silent UAC bypass, and anti-analysis techniques, potentially enabling ransomware operators to bypass enterprise defenses. Security teams should monitor for suspicious process termination and review EDR logs for evasion attempts [Dark Web Listings Promote NtKiller Malware as an Antivirus and EDR Disabler].

[NEW] HardBit 4.0 ransomware exploits RDP/SMB for long-term control
HardBit 4.0 introduces a Neshta-based dropper, wiper mode, and obfuscation techniques to encrypt or destroy data after credential theft via RDP brute-forcing. It disables Windows Defender and persistence mechanisms, increasing challenges for recovery. Defenders should isolate exposed RDP/SMB services and deploy behavioral detections for registry modifications [HardBit 4.0 Exploits Exposed RDP and SMB Services for Long-Term Network Control].

[NEW] Webrat malware spreads via GitHub fake PoC exploits
Attackers are distributing Webrat infostealer through GitHub repositories posing as proof-of-concept exploits for vulnerabilities like CVE-2025-59295. The malware steals credentials from browsers, crypto wallets, and messaging apps, using encrypted C2 channels to evade detection. Organizations must educate developers on verifying repository authenticity and scan downloads for malware [WebRAT malware spread via fake vulnerability exploits on GitHub].