Cyber Security Weekly Briefing, 13-19 December
Google links more nation-state groups to React2Shell attacks
Google has confirmed active, global exploitation of the React2Shell vulnerability (CVE-2025-55182) by multiple threat actors, including Earth Lamia, Jackpot Panda and five newly tracked China-linked cyberespionage groups: UNC6600 (deploying MINOCAT), UNC6586 (SNOWLIGHT), UNC6588 (the COMPOOD backdoor), UNC6603 (an updated HISONIC) and UNC6595 (the ANGRYREBEL.LINUX RAT), as well as Iranian actors and financially motivated attackers deploying the XMRig cryptominer.
The observed activity executes commands, steals AWS configuration files and credentials, and installs malware; it has affected dozens of organisations, with more than 116,000 vulnerable IP addresses exposed worldwide (most of them in the US). React2Shell is an unauthenticated RCE flaw (CVSS v3 score of 10.0, as assigned by Meta/Facebook, the maintainer of React) that allows arbitrary code execution with a single crafted HTTP request against any application serving React Server Components on an affected version, which puts a very large install base at risk.
PoCs and scanning tools are circulating on underground forums, so the main recommendation is to patch immediately: update the React Server Components packages to 19.0.1, 19.1.2 or 19.2.1 (or a later release on the same line), depending on the 19.x line in use.
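As an added example (not code from Meta, the React project or the authors of this briefing), the following script reads an npm lockfile and classifies every React Server Components package it finds against the fixed versions named above, treating canary/prerelease builds as a manual-review case rather than guessing. The set of package names (react-server-dom-webpack/-parcel/-turbopack) is an assumption to be checked against Meta's advisory, and the embedded lockfile is a constructed sample.

```python
"""Check an npm lockfile for React Server Components packages affected by
React2Shell (CVE-2025-55182). Added example, not project code."""
import json
import re
import sys

# Assumption: the packages that ship the RSC (Flight) server runtime.
# Verify this list against Meta's advisory for your bundler.
AFFECTED_PACKAGES = {
    "react-server-dom-webpack",
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
}
# First patched release on each 19.x line, as given in the briefing.
FIRST_FIXED_PATCH = {(19, 0): 1, (19, 1): 2, (19, 2): 1}

_SEMVER = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


def classify(version):
    """Return 'vulnerable', 'fixed', 'review_manually',
    'outside_affected_lines' or 'unparseable' for one version string."""
    m = _SEMVER.match(version)
    if not m:
        return "unparseable"
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    prerelease = m.group(4)
    if major != 19:
        # The advisory ranges cover 19.x only; anything else needs the
        # advisory itself, not a semver comparison.
        return "outside_affected_lines"
    if prerelease:
        # Canary/experimental builds are dated, not patch-numbered; x.y.z
        # alone cannot say whether the fix commit is included.
        return "review_manually"
    fixed = FIRST_FIXED_PATCH.get((major, minor))
    if fixed is None:
        # Assumption: any 19.x line newer than 19.2 was cut after the fix.
        return "fixed"
    return "fixed" if patch >= fixed else "vulnerable"


def scan_lockfile(lock):
    """Return {install_path: (name, version, verdict)} for every affected
    package in a package-lock.json (lockfileVersion 1, 2 or 3)."""
    results = {}

    def record(path, name, meta):
        if name in AFFECTED_PACKAGES and "version" in meta:
            results[path] = (name, meta["version"], classify(meta["version"]))

    # lockfileVersion 2/3: flat "packages" map keyed by install path.
    for path, meta in lock.get("packages", {}).items():
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        record(path, name, meta)

    # lockfileVersion 1 (and the compatibility copy in v2): nested tree.
    def walk(deps, prefix):
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            record(path, name, meta)
            walk(meta.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return results


# Constructed lockfileVersion 3 fragment; not taken from a real project.
SAMPLE_LOCK = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/react": {"version": "19.1.1"},
        "node_modules/react-server-dom-webpack": {"version": "19.1.1"},
        "node_modules/some-framework/node_modules/react-server-dom-turbopack":
            {"version": "19.2.1"},
        "node_modules/react-server-dom-parcel":
            {"version": "19.3.0-canary-0f1e2d3c-20251201"},
    },
}

if __name__ == "__main__":
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for path, (name, version, verdict) in sorted(scan_lockfile(lock).items()):
        print(f"{verdict:24} {name}@{version}  ({path})")
```

Run it as `python check_rsc.py package-lock.json`; without an argument it scans the constructed sample. Only the react-server-dom-* entries are reported, so a plain `react` dependency without the server runtime does not produce a finding.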
Ink Dragon hides in European government networks
Check Point Research has identified an advanced attack infrastructure linked to the Chinese espionage group Ink Dragon (also tracked as Earth Alux, Jewelbug or REF7707) that uses a technique it calls a "victim-based relay network". The group deploys a customised malicious module (the ShadowPad IIS Listener Module) on compromised servers; the module registers additional URL prefixes with the HttpAddUrl API, so that HTTP.sys routes matching requests to it and it can silently intercept legitimate IIS traffic, turning the victims' servers into active nodes of a distributed mesh that forwards commands and C2 traffic.
The technique, recently used against government entities in Europe, Southeast Asia and South America, lets one victim act as a communication bridge for attacks on other organisations and complicates attribution by blending malicious traffic with the server's legitimate traffic. Beyond exploiting persistent ASP.NET ViewState misconfigurations (exposed or reused machine keys) and SharePoint flaws (ToolShell), the group uses tools such as the FinalDraft Trojan, which exfiltrates data through the Microsoft Graph API.
It is recommended to review the machine keys on IIS servers, apply the ToolShell patches (CVE-2025-49706, among others) and monitor for the creation of unusual services or scheduled tasks (such as "SYSCHECK").
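A practical check for the listener technique described above, added here as an example and not Check Point's or Microsoft's tooling: it parses the "Request queue View" of `netsh http show servicestate view=requestq` (run on the IIS server or on collected output) and flags URL prefixes registered outside the named request queues that IIS creates per application pool. The working assumption is that a module calling HttpAddUrl from inside w3wp.exe appears as its own, unnamed request queue attached to the same worker PID, sharing a host:port with a legitimate site binding; the embedded netsh output is a constructed, abbreviated sample.

```python
"""Flag HTTP.sys URL registrations that do not belong to a known IIS
application-pool request queue. Added example, not vendor code."""
import re
import sys
from dataclasses import dataclass, field


@dataclass
class RequestQueue:
    name: str
    pids: list = field(default_factory=list)
    urls: list = field(default_factory=list)


def parse_servicestate(text):
    """Return request queues (name, attached PIDs, registered URLs) from
    `netsh http show servicestate view=requestq` output. Keys only on
    labelled lines, so indentation differences do not matter. 'Request
    queue name:' also appears inside each URL group; a real queue header is
    the one immediately followed by 'Version:'."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    queues, current, mode = [], None, None
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line.startswith("Request queue name:") and nxt.startswith("Version:"):
            current = RequestQueue(name=line.split(":", 1)[1].strip())
            queues.append(current)
            mode = None
        elif line.startswith("Process IDs:"):
            mode = "pids"
        elif line.startswith("Registered URLs:"):
            mode = "urls"
        elif mode == "pids" and current and line.isdigit():
            current.pids.append(int(line))
        elif mode == "urls" and current and line.lower().startswith(("http://", "https://")):
            current.urls.append(line)
        elif ":" in line:  # any other labelled line closes the list block
            mode = None
    return queues


def _port(url):
    """Port of an HTTP.sys URL prefix such as HTTP://*:80/ or HTTPS://+:443/."""
    m = re.match(r"https?://([^/]+)/?", url, re.I)
    if not m:
        return None
    authority = m.group(1)
    if ":" in authority:
        return authority.rsplit(":", 1)[1]
    return "443" if url.lower().startswith("https") else "80"


def suspicious_registrations(queues, expected_queues):
    """Registrations from queues outside `expected_queues` (the IIS app-pool
    names) whose port is also served by an expected queue. Assumption: a
    rogue HttpAddUrl listener overlaps a legitimate binding this way."""
    known_ports = {}
    for q in queues:
        if q.name in expected_queues:
            for u in q.urls:
                known_ports.setdefault(_port(u), set()).add(q.name)
    findings = []
    for q in queues:
        if q.name in expected_queues:
            continue
        for u in q.urls:
            overlaps = sorted(known_ports.get(_port(u), ()))
            if overlaps:
                findings.append({"queue": q.name, "pids": q.pids,
                                 "url": u, "overlaps": overlaps})
    return findings


# Constructed, abbreviated sample in the layout of the request-queue view.
# PID 4120 plays w3wp.exe; PID 5504 plays the WinRM service host.
SAMPLE = """\
Snapshot of HTTP service state (Request queue View):
-----------------------------------------------------
Request queue name: DefaultAppPool
    Version: 2.0
    State: Active
    Process IDs:
        4120
    URL groups:
    URL group ID: FD00000040000001
        Request queue name: DefaultAppPool
        Registered URLs:
            HTTP://*:80/
Request queue name: Request queue is unnamed.
    Version: 1.0
    State: Active
    Process IDs:
        4120
    URL groups:
    URL group ID: FD00000040000002
        Request queue name: Request queue is unnamed.
        Registered URLs:
            HTTP://*:80/updates/
Request queue name: Request queue is unnamed.
    Version: 2.0
    State: Active
    Process IDs:
        5504
    URL groups:
    URL group ID: FD00000040000003
        Request queue name: Request queue is unnamed.
        Registered URLs:
            HTTP://+:5985/wsman/
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    expected = set(sys.argv[2:]) or {"DefaultAppPool"}
    for hit in suspicious_registrations(parse_servicestate(text), expected):
        print(f"{hit['url']}  queue={hit['queue']!r}  pids={hit['pids']}"
              f"  shares port with {hit['overlaps']}")
```

Pass the application-pool names of the server as extra arguments (`python http_sys_check.py state.txt DefaultAppPool SharePoint80`); the WinRM prefix on 5985 in the sample is unnamed too but is not reported because no expected queue serves that port, which keeps the output to the overlap case the technique relies on. Confirm a hit by checking that the attached PID is a w3wp.exe process and by listing the native modules loaded in that process.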
BlindEagle intensifies espionage against Colombian government agencies with advanced phishing and memory-based malware
In September 2025, Zscaler ThreatLabz detected a spear-phishing campaign attributed to BlindEagle against a Colombian government agency linked to the Ministry of Commerce. The email was sent from a compromised internal account to evade security controls, used a legal decoy and carried an SVG file that redirected the victim to a fake judicial portal. From there a fileless chain based on JavaScript and PowerShell was deployed, using steganography to hide the payload.
The Caminho loader acted as a downloader, fetching the final payload from Discord and loading it directly into memory. That payload was DCRat, a .NET-based RAT with espionage and evasion capabilities. Attribution rests on infrastructure, victimology, legal-themed lures and tooling consistent with previous BlindEagle campaigns.
Technical evolution of RansomHouse encryption
RansomHouse, a Ransomware-as-a-Service (RaaS) operation linked to the group tracked as Jolly Scorpius, has increased the complexity of its encryption module ("Mario"). Earlier samples used a single-pass linear encryption scheme; recent ones implement a layered process with two keys (a 32-byte primary and an 8-byte secondary key) and process files in segments of variable size, which complicates static analysis and reverse engineering.
The RaaS keeps a modular architecture made up of a persistent management tool for ESXi environments (MrAgent) and the Mario encryptor, with an attack chain covering development, infiltration, exfiltration and deployment, and extortion. The actor carries out double extortion (data theft plus encryption, followed by threats of publication), affects multiple critical sectors and has listed at least 123 victims on its leak site since 2021.
The update reflects the continuing trend towards technical sophistication in ransomware and the need for defensive controls that adapt to it.
Amazon disrupts GRU campaign against critical cloud infrastructure
Amazon's Threat Intelligence team has disrupted an active campaign attributed with high confidence to actors linked to Russia's GRU and aimed at compromising critical Western infrastructure, particularly in the energy sector. The activity, observed since 2021, reached customer cloud infrastructure through initial access to perimeter devices. Until 2024 the attackers exploited vulnerabilities in products such as WatchGuard, Confluence and Veeam, as well as misconfigured devices.
In 2025 the group reduced its use of zero-days and N-days in favour of abusing exposed management interfaces on routers, VPNs, network appliances and collaboration platforms. The operational objective stayed the same: persistence, credential theft and lateral movement with minimal exposure. Amazon associates the activity with Sandworm and with Curly COMrades, the latter allegedly responsible for the post-compromise actions. No weakness in AWS services was involved; the compromised systems were customer-managed devices running on EC2.
Amazon notified the affected customers, shared intelligence with third parties, and recommended auditing devices, detecting credential reuse and reinforcing security controls on AWS.
◾ This newsletter is one of the deliverables of our Operational and Strategic Intelligence service. If you are interested in knowing the rest of the Operational and Strategic Intelligence contents included in the service, please contact us →