MongoBleed exploitation 🔴, Condé Nast breach 📰, RAT surge 🐀, Windows privilege escalation 🔧, Hacktivist proxy operations 🌍

Daily Threat Intel Digest - 2025-12-29

🔴 Critical Threats & Active Exploitation

[UPDATE] MongoBleed (CVE-2025-14847) exploitation intensifies following Ubisoft breach
The critical MongoDB memory disclosure vulnerability, dubbed MongoBleed, is being actively exploited in the wild after Ubisoft confirmed its Rainbow Six Siege servers were compromised using this flaw, resulting in massive in-game currency fraud and data exfiltration [Cyber Press; BleepingComputer]. Attackers are exploiting the zlib decompression flaw in MongoDB versions 3.6 through 8.2 to extract sensitive data from server memory without authentication, including credentials, API keys, and session tokens. Over 87,000 MongoDB instances are exposed online, with cloud security firm Wiz reporting that 42% of cloud environments contain at least one vulnerable instance [BleepingComputer; Cyber Press]. MongoDB has released patches for versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30, with MongoDB Atlas customers receiving automatic updates [BleepingComputer].

[NEW] Threat actor “Lovely” claims massive Condé Nast breach after WIRED subscriber leak
A threat actor using the alias “Lovely” has leaked a database containing 2.3 million WIRED subscriber records and claims to possess up to 40 million additional records from other Condé Nast properties including Vogue, The New Yorker, and Vanity Fair [BleepingComputer; SecurityWeek]. The leaked data includes email addresses, names, physical addresses, phone numbers, and birthdates for approximately 12% of records, with a smaller subset containing complete profile information. The actor initially claimed to be a security researcher attempting responsible disclosure before leaking the data after Condé Nast allegedly failed to respond to vulnerability reports [BleepingComputer]. The authenticity of the WIRED database has been verified through cross-reference with infostealer logs and direct record validation [BleepingComputer].

🎯 Threat Actor Activity & Campaigns

[NEW] ANY.RUN report reveals RAT surge and evolving phishing landscape in Q4 2025
The latest ANY.RUN threat landscape report shows a significant shift toward persistent access tools, with Remote Access Trojans (RATs) increasing 28% and backdoors surging 68% in Q4 2025, while traditional stealers declined 16% but remain dominant [ANY.RUN]. XWorm emerged as the top malware family with a 174% increase, outpacing traditional stealers as attackers favor adaptable, open-source toolsets. The report also highlighted sophisticated phishing-as-a-service (PhaaS) operations, with Tycoon 2FA bypass kits leading phishing activity at 41,046 detections, followed by EvilProxy with 14,258 detections [ANY.RUN]. Storm1747 continued as the most active cybercriminal group with a 51% increase in operations, likely targeting financial institutions across EU and NA regions [ANY.RUN].

[NEW] Huntress analysis exposes “messy reality” behind supposedly sophisticated attacks
Contrary to narratives of precision cyberattacks, Huntress telemetry from three incidents shows the same threat actor repeatedly failing, experimenting, and learning through trial-and-error rather than executing flawlessly scripted playbooks [Cyber Press]. The actor exploited Microsoft IIS vulnerabilities to deploy Golang-based Trojans but encountered repeated failures when Microsoft Defender blocked execution attempts, requiring multiple retries with renamed executables [Cyber Press]. By the second incident, the actor had adapted by adding Defender exclusion paths via PowerShell before deployment, but persistence attempts still failed due to service installation errors [Cyber Press]. The analysis used overlapping IP addresses (188.253.126.202, 103.36.25.171, 188.253.121.101) and consistent tool usage (agent.exe, test.exe, dllhost.exe) to attribute all three incidents to the same actor [Cyber Press].

⚠️ Vulnerabilities & Patches

[NEW] Critical Windows kernel driver and named pipe privilege escalation flaws identified
Security researchers from WhiteHat School have demonstrated critical privilege escalation vulnerabilities in Windows kernel drivers and named pipes that allow attackers to escalate from user mode to SYSTEM privileges [Cyber Press]. The vulnerabilities stem from insufficient validation of trust boundaries, with kernel drivers accepting user input without proper checks and named pipes configured with overly permissive access controls [Cyber Press]. Researchers successfully exploited a real-world antivirus service’s named pipe to modify critical Windows registry settings via HKLM writes, ultimately executing arbitrary code with administrator privileges [Cyber Press]. The findings underscore why Windows remains a prime target for local privilege escalation and highlight related CVEs including CVE-2023-21674 (Windows Kernel), CVE-2023-28432 (Kernel Driver Interface), and CVE-2024-1086 (Named Pipes) [Cyber Press].

[UPDATE] MongoBleed Detector tool released for compromise identification
Following widespread exploitation of CVE-2025-14847, security researcher Florian Roth (Neo23x0) has released the MongoBleed Detector, an open-source tool that scans MongoDB logs to identify potential exploitation indicators without requiring network connectivity [Cyber Press; GBHackers; BleepingComputer]. The detection methodology relies on analyzing behavioral patterns - legitimate MongoDB drivers consistently send metadata immediately after establishing connections, whereas the MongoBleed exploit connects, extracts memory content, and disconnects without transmitting metadata [Cyber Press]. The tool features streaming processing capabilities for large log files, compressed log support, and configurable detection thresholds with findings classified into HIGH, MEDIUM, LOW, and INFO severity categories [Cyber Press].
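The behavioral signature described above (connections opened and closed without a client-metadata handshake) can be checked against MongoDB's JSON structured logs with a few lines of correlation. The following is an added illustration written for this digest, not code from Florian Roth's MongoBleed Detector; the log lines are constructed and modelled on MongoDB's 4.4+ log format, and the per-source severity thresholds are assumptions rather than the tool's own.

```python
import json
from collections import defaultdict

# Constructed sample log (not real telemetry): conn12 is a normal driver session that
# sends client metadata; conn13-15 from one host open and close with no metadata at all.
SAMPLE_LOG = """
{"t":{"$date":"2025-12-28T10:00:01.000+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"10.0.0.5:51234","connectionId":12}}
{"t":{"$date":"2025-12-28T10:00:01.050+00:00"},"s":"I","c":"NETWORK","id":51800,"ctx":"conn12","msg":"client metadata","attr":{"remote":"10.0.0.5:51234","client":"conn12","doc":{"driver":{"name":"PyMongo","version":"4.6.0"}}}}
{"t":{"$date":"2025-12-28T10:00:09.000+00:00"},"s":"I","c":"NETWORK","id":22944,"ctx":"conn12","msg":"Connection ended","attr":{"remote":"10.0.0.5:51234","connectionId":12}}
{"t":{"$date":"2025-12-28T10:01:00.000+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"203.0.113.7:40001","connectionId":13}}
{"t":{"$date":"2025-12-28T10:01:00.020+00:00"},"s":"I","c":"NETWORK","id":22944,"ctx":"conn13","msg":"Connection ended","attr":{"remote":"203.0.113.7:40001","connectionId":13}}
{"t":{"$date":"2025-12-28T10:01:00.500+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"203.0.113.7:40002","connectionId":14}}
{"t":{"$date":"2025-12-28T10:01:00.530+00:00"},"s":"I","c":"NETWORK","id":22944,"ctx":"conn14","msg":"Connection ended","attr":{"remote":"203.0.113.7:40002","connectionId":14}}
{"t":{"$date":"2025-12-28T10:01:01.000+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"203.0.113.7:40003","connectionId":15}}
{"t":{"$date":"2025-12-28T10:01:01.030+00:00"},"s":"I","c":"NETWORK","id":22944,"ctx":"conn15","msg":"Connection ended","attr":{"remote":"203.0.113.7:40003","connectionId":15}}
"""

def parse_connections(log_text):
    """Group NETWORK events by connection id: accepted / metadata / ended flags plus remote."""
    conns = {}
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated line: skip it rather than abort the scan
        if ev.get("c") != "NETWORK":
            continue
        attr, msg = ev.get("attr", {}), ev.get("msg")
        cid = attr.get("connectionId")
        if cid is None and str(attr.get("client", "")).startswith("conn"):
            cid = int(attr["client"][4:])  # "client metadata" names the connection as connNN
        if cid is None:
            continue
        rec = conns.setdefault(cid, {"remote": attr.get("remote", "?"),
                                     "accepted": False, "metadata": False, "ended": False})
        if msg == "Connection accepted":
            rec["accepted"] = True
        elif msg == "client metadata":
            rec["metadata"] = True
        elif msg == "Connection ended":
            rec["ended"] = True
    return conns

def find_silent_connections(log_text):
    """Connections that completed a full open/close cycle without ever sending client metadata."""
    return {cid: rec for cid, rec in parse_connections(log_text).items()
            if rec["accepted"] and rec["ended"] and not rec["metadata"]}

def score_by_source(silent, high=3, medium=2):
    """Count silent connections per source IP and assign a severity (thresholds are assumed)."""
    counts = defaultdict(int)
    for rec in silent.values():
        counts[rec["remote"].rsplit(":", 1)[0]] += 1
    return {ip: ("HIGH" if n >= high else "MEDIUM" if n >= medium else "LOW", n)
            for ip, n in counts.items()}
```

A single silent connection can be a health check or a port scanner, which is why the aggregation by source matters more than any one hit; a genuine detector would also stream the file and handle rotated and compressed logs.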

🛡️ Defense & Detection

[NEW] OpenAI hardens ChatGPT Atlas against prompt injection with automated red teaming
OpenAI has released a security update for ChatGPT Atlas that combines an adversarially trained model with stronger safeguards to defend against increasingly sophisticated prompt injection attacks [Cyber Press]. The update employs automated red teaming using a specialized AI attacker trained through reinforcement learning to repeatedly attempt to compromise the system, discovering complex multi-step attacks that human testers might miss [Cyber Press]. Prompt injection attacks target AI logic rather than software flaws, allowing attackers to hide malicious instructions in emails, documents, or websites that trick the AI into ignoring user commands and executing attacker orders instead [Cyber Press]. While acknowledging prompt injection as a long-term challenge that may never be fully solved, OpenAI recommends users limit logged-in access where possible, review confirmation requests carefully, and provide specific rather than broad commands to reduce manipulation risk [Cyber Press].

[NEW] Research exposes hacktivist proxy operations as repeatable geopolitical pressure model
A new research report highlights the emergence of “Hacktivist Proxy Operations” as a distinct threat category where non-state groups carry out cyber disruption aligned with state geopolitical interests while maintaining plausible deniability for governments [Cyber Press; GBHackers]. These campaigns follow a predictable pattern starting with geopolitical triggers (sanctions, diplomatic disputes), followed by narrative mobilization, coordination via open communication platforms, and launching technically simple but psychologically impactful DDoS attacks and website defacements [Cyber Press]. The model creates defensive cost asymmetry - attacks are cheap to mount using free tools and volunteer support but expensive to counter, exhausting defenders through repeated low-level incidents [Cyber Press]. Organizations are advised to expand cyber defense frameworks to include proxy-based disruption as a distinct threat category requiring both technical hardening and geopolitical awareness [Cyber Press].