San Mateo, CA, December 22, 2025 — Stories, events, and developments that impacted the cybersecurity landscape last week, including emerging threats, policy changes, and industry responses.
BeaverTail malware boosts stealth and delivery methods
A newly observed BeaverTail malware variant has been linked to North Korean threat clusters associated with the Lazarus Group, according to Darktrace’s State of Cybersecurity report. The JavaScript-based stealer and loader targets cryptocurrency traders, developers, and retail employees, harvesting system data and then downloading additional payloads from remote servers. Recent samples from November 2025 show layered Base64 and XOR encoding that significantly increases concealment and delivery diversity. Distribution paths include trojanized npm packages, fake job interview platforms, and ClickFix lures that abuse trusted workflows. Since 2022, BeaverTail has evolved into a modular, cross-platform framework and has been observed merging with the OtterCookie strain to expand wallet theft and remote access. “This technical maturation culminates in the strategic convergence of BeaverTail with the OtterCookie strain,” said Sectigo senior fellow Jason Soroko.
U.S. shuts down E-Note crypto laundering service
Federal prosecutors in Michigan announced the takedown of online infrastructure linked to E-Note, a cryptocurrency exchange and payment service allegedly used to launder tens of millions in ransomware and other cybercrime proceeds, along with an indictment of its creator. The Eastern District of Michigan charged Russian national Mykhalio Petrovich Chudnovets with conspiracy to launder monetary instruments, alleging that he operated E-Note from about 2011 through 2025, following earlier mule-based operations dating to 2010. The FBI said more than $70 million in illicit funds from ransomware and account takeovers moved through the service since 2017. Investigators seized servers, applications, and domains, including e-note.com and e-note.ws, and obtained historical databases that may expose user networks over multiple years. Chudnovets is not believed to be in U.S. custody.
North Korea behind record $2B crypto theft in 2025
Threat actors linked to North Korea accounted for at least $2.02 billion of more than $3.4 billion in cryptocurrency stolen globally from January through early December 2025, according to Chainalysis. The total is a 51% year-over-year increase and “marks the most severe year on record for DPRK crypto theft in terms of value stolen, with DPRK attacks also accounting for a record 76% of all service compromises,” the company said. Cumulative estimates now place DPRK crypto theft at $6.75 billion. A single February breach of Bybit accounted for $1.5 billion and was tied to the TraderTraitor cluster, part of the Lazarus Group. Beyond theft, Lazarus continues its long-running malware campaigns, such as Operation Dream Job, to generate revenue and steal sensitive data in violation of international sanctions.
Cisco zero-day enables full takeover of email gateways
Cisco has reported an active campaign exploiting a critical zero-day vulnerability in AsyncOS that enables full device takeover of Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances when Spam Quarantine is enabled and exposed to the internet. Cisco detected the campaign on December 10 and confirmed that no patch is available. The company has not yet disclosed how many customers are affected and said that “in case of confirmed compromise, rebuilding the appliances is, currently, the only viable option to eradicate the threat actor’s persistence mechanism from the appliance.” Cisco Talos linked the activity to China-aligned threat actors who have been installing persistent backdoors, with exploitation ongoing since November 2025.
Kimwolf botnet hijacks 1.8M Android TVs
Security researchers at QiAnXin XLab have uncovered a DDoS botnet dubbed Kimwolf that has infected at least 1.8 million Android-based TVs, set-top boxes, and tablets worldwide. The malware, built with the Android Native Development Kit, supports DDoS attacks, proxy forwarding, reverse shell access, and file management. Between November 19 and 22, 2025, Kimwolf issued an estimated 1.7 billion attack commands, briefly pushing one of its command domains to the top of Cloudflare’s global rankings. XLab found strong links between Kimwolf and the notorious AISURU botnet, including shared infection scripts and code-signing certificates, indicating a common operator. Recent versions use the Ethereum Name Service infrastructure to evade takedowns, showing rapid evolution. Researchers report that more than 96 percent of observed commands focused on monetizing infected devices as proxy nodes rather than launching attacks.
Texas sues smart TV makers over alleged spying
Texas Attorney General Ken Paxton has sued Samsung, LG, Sony, Hisense, and TCL, alleging their smart TVs illegally spy on viewers using Automated Content Recognition (ACR) technology without meaningful consent. According to Paxton’s office, ACR software can capture screenshots every 500 milliseconds, track viewing behavior across apps and connected devices, and transmit that data back to manufacturers, who then sell it for targeted advertising. “ACR in its simplest terms is an uninvited, invisible digital invader,” the press release states, warning that the data collected could include sensitive information such as passwords and bank details. The lawsuits allege the practice violates the Texas Deceptive Trade Practices Act, with potential penalties of up to $10,000 per violation and higher for seniors. Paxton also raised national security concerns about Chinese-based manufacturers Hisense and TCL, calling the TVs “a mass surveillance system sitting in millions of American living rooms.”
Spiderman kit enables large-scale phishing attacks
A new cybercrime kit called Spiderman is lowering the barrier to large-scale phishing attacks by bundling multiple tools into a single service, according to Varonis researchers. The full-stack phishing framework enables attackers to clone dozens of European banking and government login pages, capture passwords, 2FA codes, and payment details, and manage stolen data from a single interface. Daniel Kelley of Varonis said its “scale, polish, and cross-border coverage make it one of the most dangerous we’ve analyzed this year.” The kit supports account takeover, SIM swap fraud, and identity theft. Experts warn that user awareness alone is no longer sufficient; defenses must focus on continuous exposure detection. The FBI urges users not to click on unsolicited messages and to use password managers and passkeys.
AI-powered scams surge during the holiday season
Internet users are being warned to stay alert this season as AI-powered scams surge across email, social media, and messaging platforms. Check Point said it detected 33,500 Christmas-themed phishing emails and more than 10,000 seasonal ads in just 14 days, with fake deals, charity appeals, and delivery notices leading the wave. AI is enabling attackers to craft flawless, localized emails, clone legitimate brands, build fake e-commerce sites with chatbots and checkout functionality, and enhance vishing with deepfake audio and scripts. Smishing messages that imitate UPS and FedEx alerts have doubled year over year, driving victims to credential-stealing sites. Red flags include spoofed URLs, unusual payment requests, and urgency. “If it sounds too good to be true, it probably is,” Check Point warned.
NVIDIA Merlin bugs allow code execution and DoS
Security patches have been released for the NVIDIA Merlin framework after researchers identified two high-severity deserialization vulnerabilities that could allow arbitrary code execution and denial-of-service attacks on Linux systems. The flaws, tracked as CVE-2025-33214 and CVE-2025-33213, affect NVTabular’s Workflow component and Transformers4Rec’s Trainer component, respectively, and both carry CVSS base scores of 8.8. NVIDIA said the issues stem from insecure deserialization and could, if successfully exploited, allow attackers to execute malicious code, disrupt services, access sensitive information, or manipulate data. The attack vector is network-based, low-complexity, and requires user interaction, thereby increasing enterprise risk. NVIDIA has issued fixes via GitHub, requiring updates to specific commits for each project. Administrators are urged to patch immediately.
Malicious Kindle e-books can hijack Amazon accounts
Researcher Valentino Ricotta demonstrated how a malicious e-book could hijack a user’s Amazon account by exploiting vulnerabilities in Kindle software, underscoring risks associated with sideloading content. Ricotta, an engineering analyst at Thales’ Thalium research unit, showed that crafted e-books could execute code on a Kindle, steal Amazon session cookies, and grant full account access, including payment capabilities. “What especially struck me with this device, that’s been sitting on my bedside table for years, is that it’s connected to the internet,” Ricotta said. “It’s constantly running because the battery lasts a long time and it has access to my Amazon account… Once an attacker gets a foothold inside a Kindle, it could access personal data.” Amazon classified the bugs as critical, patched them, and awarded a $20,000 bounty. Experts said overlooked connected devices can become hidden attack paths.
About NetworkTigers

NetworkTigers is the leader in the secondary market for Grade A, seller-refurbished networking equipment. Founded in January 1996 as Andover Consulting Group, which built and re-architected data centers for Fortune 500 firms, NetworkTigers provides consulting and network equipment to global governmental agencies, Fortune 2000, and healthcare companies. www.networktigers.com.
