Is it “holly jolly” or “holy melancholy”?

Let's analyze the latest cyberthreats of 2025

What is the winter period traditionally associated with?
Usually, it's about preparing for the holidays, summarizing results, setting new goals, and, for businesses, taking a long-awaited break. However, companies often forget one important thing: cyberthreats don't take days off. On the contrary, the holiday season typically becomes a convenient time for attacks, as teams' attention is scattered and processes run on autopilot.
Whether it's a holiday or a workday, organizations need to anticipate potential incidents. That's why the Trellix threat research team has compiled a year-end list of the ten cyberthreats of 2025.
Keep on reading to learn what you should know now so as not to lose your peaceful holiday mood.

  • Panda attacks: Warp Panda targets VMware infrastructure with BrickStorm

A Chinese hacking group known as Warp Panda has come to the attention of Trellix researchers for its targeted attacks on VMware infrastructure. A key tool in the campaign was the BrickStorm malware, a backdoor specifically tailored for Linux environments. These attacks target critical virtualization components, making them particularly dangerous for companies that rely on VMware as the foundation of their IT infrastructure.

BrickStorm allows attackers to gain a foothold in a system, execute commands remotely, and remain undetected for long periods of time. The campaign is characterized by a high level of preparation and a clear interest in infrastructure targets rather than individual end users.

This incident once again highlights that virtualization has long been a full-fledged target for APT groups. Protecting VMware environments can no longer be considered a secondary task. Regular monitoring, updates, and behavioral analysis are things to pay attention to, especially during the holiday downtime when incident response can be slow.

  • React2Shell (CVE-2025-55182): Dangerous vulnerability in React Server Components

CVE-2025-55182, known as React2Shell, is a critical vulnerability with the maximum severity rating (CVSS 10.0). It allows attackers to execute arbitrary code on the server without authentication via unsafe data deserialization in React Server Components (RSC).

The vulnerability affects React versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0, as well as any frameworks that integrate RSC, including Next.js. The vulnerability occurs at the Flight protocol processing layer, where the server incorrectly validates incoming structured data.

After the public disclosure on December 3, 2025, threat activity around the world began almost immediately. Companies encountered a whole range of malicious activity: large-scale scans, active RCE attempts, and infiltrations into environments with the installation of backdoors, cryptominers, and other auxiliary tools for further system control.

React2Shell showed how quickly critical vulnerabilities can be exploited in the wild immediately after being disclosed. Due to the widespread popularity of React and related frameworks, the issue affects not only individual applications but also a large portion of modern web services. It is important for operators to immediately update dependencies to patched versions and review API path protection policies to reduce the risk of unauthorized access and serious consequences for business environments.
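The first step of "update dependencies to patched versions" is finding every copy of React in a build, including nested copies that a dependency pulls in. The following script is an added example (not Trellix or React project code) that walks an npm lockfile and flags the versions named above as affected. The lockfile layout is npm lockfile v2/v3, the sample lockfile is constructed, and the package names it inspects are an assumption; patched version numbers are not stated on this page, so it reports only the listed affected versions.

```python
"""Flag React versions affected by CVE-2025-55182 (React2Shell) in a package-lock.json.

Added example; not Trellix or React project code. Affected versions are the ones
named in the text above. Lockfile layout follows npm lockfile v2/v3 ("packages"
map keyed by node_modules path). Patched versions are not listed on the page,
so only the affected versions are flagged.
"""
import json

# Versions named as affected in the advisory summary above.
AFFECTED_REACT_VERSIONS = {"19.0.0", "19.1.0", "19.1.1", "19.2.0"}

# Constructed sample lockfile: one vulnerable top-level react, one nested copy
# pulled in by a hypothetical dependency, and one unaffected 18.x copy.
SAMPLE_LOCKFILE = json.dumps({
    "name": "holiday-shop-frontend",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "holiday-shop-frontend", "dependencies": {"react": "19.1.1"}},
        "node_modules/react": {"version": "19.1.1"},
        "node_modules/example-widget/node_modules/react": {"version": "19.2.0"},
        "node_modules/legacy-admin/node_modules/react": {"version": "18.3.1"},
        "node_modules/next": {"version": "15.0.0"},
    },
})


def react_installs(lockfile_text):
    """Yield (install_path, version) for every copy of 'react' in the lockfile,
    including nested copies under another package's node_modules."""
    data = json.loads(lockfile_text)
    for path, meta in data.get("packages", {}).items():
        # The package name is whatever follows the last "node_modules/" segment.
        if path.rsplit("node_modules/", 1)[-1] == "react" and "version" in meta:
            yield path, meta["version"]


def affected_installs(lockfile_text):
    """Return the install paths whose react version is in the affected set."""
    return sorted(path for path, version in react_installs(lockfile_text)
                  if version in AFFECTED_REACT_VERSIONS)


if __name__ == "__main__":
    hits = affected_installs(SAMPLE_LOCKFILE)
    for path in hits:
        print(f"AFFECTED: {path}")
    print(f"{len(hits)} affected react install(s) found")
```

Running it against a real `package-lock.json` only requires swapping `SAMPLE_LOCKFILE` for the file contents; frameworks that bundle RSC support (Next.js, for example) should additionally be checked against their own advisories, since the lockfile shows the React version but not how the framework wires it in.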

  • V3G4: A botnet that evolved from DDoS to cryptomining operations

The V3G4 botnet, previously associated with the Mirai family and traditionally used for distributed denial-of-service (DDoS) attacks, has evolved its functions in favor of financial gain.

In December 2025, Trellix researchers noticed that the operators of this botnet were not only continuing large-scale DDoS attacks but also had implemented a hidden cryptomining mechanism based on XMRig.

What does this “hybrid” mean? It means that attackers can now simultaneously heavily load network resources and invisibly use the computing power of infected hosts to mine Monero, an open-source cryptocurrency that focuses on complete anonymity.

The infection begins with a multi-architecture loader script that detects the platform (x86_64, ARM, or MIPS) and delivers the matching executable. The malicious process then disguises itself as a legitimate system service, performs large-scale SSH scanning, and establishes a persistent connection to the command-and-control (C2) servers. In the final stage, the bot launches a cryptominer that runs entirely in memory, avoiding disk writes and making detection more difficult.

The evolution of V3G4 shows how modern botnets are moving from “noisy” DDoS attacks to “silent” monetization of victim resources. This approach makes incident detection more difficult and increases risks to enterprise Linux environments, IoT devices, and server farms.

We advise security teams to pay attention not only to anomalous network traffic but also to unnatural levels of CPU and memory usage on systems, which may be a sign of hidden mining.
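The infection chain described above leaves host-side traces even when the miner never touches disk: a process whose executable link points at an anonymous memory file or an unlinked path, a "system service" name whose binary lives outside the system directories, an unnatural CPU load, and a flood of outbound SSH connections. The script below is an added example (not Trellix code) that applies those heuristics to a constructed process snapshot of the kind a collector could assemble from /proc; the field names and thresholds are assumptions.

```python
"""Heuristic triage of a Linux process snapshot for hidden mining and scanning.

Added example; not Trellix code. Input is a constructed snapshot in the shape a
collector could build from /proc (comm, exe link target, %CPU, count of outbound
connections to TCP/22). Thresholds are assumptions, not Trellix values.
"""
SYSTEM_BIN_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/lib/", "/usr/libexec/")
CPU_ALERT_PCT = 80.0      # assumed: sustained load above this on an idle host is suspicious
SSH_SCAN_CONNS = 50       # assumed: this many outbound TCP/22 peers looks like scanning

# Constructed sample snapshot (not real telemetry).
SAMPLE_PROCS = [
    {"pid": 1, "comm": "systemd", "exe": "/usr/lib/systemd/systemd", "cpu_pct": 0.1, "ssh_conns": 0},
    {"pid": 842, "comm": "sshd", "exe": "/usr/sbin/sshd", "cpu_pct": 0.3, "ssh_conns": 0},
    {"pid": 2210, "comm": "kworker/u8:1", "exe": "", "cpu_pct": 1.2, "ssh_conns": 0},
    # disguised as a system service, executable in /tmp, scanning TCP/22
    {"pid": 3117, "comm": "systemd-journal", "exe": "/tmp/.x/systemd-journal", "cpu_pct": 12.0, "ssh_conns": 430},
    # miner running from an anonymous memory file whose backing file was unlinked
    {"pid": 3120, "comm": "kswapd0", "exe": "/memfd:stage (deleted)", "cpu_pct": 97.5, "ssh_conns": 0},
]


def triage_process(proc):
    """Return a list of human-readable findings for one process (empty means clean)."""
    findings = []
    exe = proc["exe"]
    if exe.startswith("/memfd:") or "(deleted)" in exe:
        findings.append("executes from memory or an unlinked file")
    # Kernel threads have no exe link; any user process should resolve to a
    # system binary directory if it claims to be a system service.
    if exe and not exe.startswith(SYSTEM_BIN_DIRS):
        findings.append(f"binary outside system directories: {exe}")
    if proc["cpu_pct"] >= CPU_ALERT_PCT:
        findings.append(f"sustained CPU {proc['cpu_pct']:.0f}%")
    if proc["ssh_conns"] >= SSH_SCAN_CONNS:
        findings.append(f"{proc['ssh_conns']} outbound TCP/22 connections")
    return findings


def triage_snapshot(procs):
    """Map pid -> findings for every process that produced at least one finding."""
    report = {}
    for proc in procs:
        findings = triage_process(proc)
        if findings:
            report[proc["pid"]] = findings
    return report


if __name__ == "__main__":
    for pid, findings in triage_snapshot(SAMPLE_PROCS).items():
        print(f"pid {pid}: " + "; ".join(findings))
```

The snapshot fields map directly onto `/proc/<pid>/comm`, `readlink /proc/<pid>/exe`, CPU accounting from `/proc/<pid>/stat`, and a count of `ESTABLISHED`/`SYN_SENT` sockets to remote port 22 from `/proc/<pid>/net/tcp`; a single process that trips several of these heuristics at once is worth a closer look than any one of them in isolation.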

  • The holiday hacker is coming: Fake online shops target customers

During the season of intense sales, cybercriminals have put a “gift” under the Christmas tree for both customers and brands: a network of fake online stores, disguised as holiday sales and well-known brands, is now actively operating.

These sites pose as legitimate shopping platforms with attractive discounts, countdown timers, and “trusted” badges, but their only purpose is to collect the payment and personal information that visitors enter into fake shopping carts. Thanks to shared templates and phishing kits, such fakes can be launched at scale across many domains simultaneously.

Trellix researchers found that attackers are creating and registering thousands of themed domains with terms like "holiday," "Black Friday," "flash sale," and big brand names to attract shoppers during the holiday season. These sites don’t just mimic the look of real stores—they can also drive traffic through SEO poisoning chains or paid ads, increasing the reach of the attacks.

Although for most people the holiday season is a time for discounts, it is important to remember that it is also a period of increased risk for customers and brands. The activity of fake stores illustrates this perfectly. Companies should pay more attention to protecting their domains and reputation and monitor phishing campaigns.

Users should verify the authenticity of addresses and avoid suspicious offers that seem “too good to be true.” Current trends show that cybercriminals are investing in large-scale, automated operations designed to divert attention and money from holiday traffic.
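"Protecting their domains and reputation" in practice means watching newly registered domains for exactly the pattern described above: seasonal sale terms combined with the brand's own name or a close misspelling of it. The script below is an added example for brand-protection monitoring (not Trellix code): it scores a list of constructed domain names by the holiday terms named on this page and by edit distance to hypothetical protected brands. The brand names, weights, and the edit-distance threshold are assumptions.

```python
"""Score newly observed domains for holiday-scam and brand-lookalike traits.

Added example for brand-protection monitoring; not Trellix code. The seasonal
terms come from the text above; the protected brands, scoring weights, lookalike
threshold and sample domains are constructed assumptions.
"""
import re

HOLIDAY_TERMS = ("holiday", "blackfriday", "flashsale", "cybermonday",
                 "xmas", "christmas", "sale", "deal")
PROTECTED_BRANDS = ("acmewear", "northpolegadgets")   # hypothetical brands being monitored
LOOKALIKE_MAX_EDITS = 2      # assumed: within two edits of a brand counts as a lookalike
BRAND_WEIGHT, TERM_WEIGHT = 5, 2


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Second-level label, e.g. 'acmewear-holiday-sale.shop' -> 'acmewear-holiday-sale'.
    Simplification: assumes a single-label public suffix (no co.uk handling)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def brand_lookalike(label):
    """Return the protected brand this label imitates, or None."""
    tokens = [t for t in re.split(r"[-_]", label) if t]
    for brand in PROTECTED_BRANDS:
        if brand in label:            # brand embedded verbatim, e.g. acmewear-xmas-deals
            return brand
        for token in tokens:          # or a token a couple of edits away, e.g. acmewaer
            if (abs(len(token) - len(brand)) <= LOOKALIKE_MAX_EDITS
                    and levenshtein(token, brand) <= LOOKALIKE_MAX_EDITS):
                return brand
    return None


def score_domain(domain):
    """Return (score, reasons): brand lookalike adds 5, each seasonal term adds 2."""
    label = registrable_label(domain)
    score, reasons = 0, []
    brand = brand_lookalike(label)
    if brand:
        score += BRAND_WEIGHT
        reasons.append(f"imitates brand '{brand}'")
    compact = label.replace("-", "").replace("_", "")
    # Longest terms first so 'flashsale' is not also counted as 'sale'.
    for term in sorted(HOLIDAY_TERMS, key=len, reverse=True):
        if term in compact:
            compact = compact.replace(term, "", 1)
            score += TERM_WEIGHT
            reasons.append(f"seasonal term '{term}'")
    return score, reasons


def rank_domains(domains):
    """Highest-scoring domains first; each entry is (domain, score, reasons)."""
    scored = [(d, *score_domain(d)) for d in domains]
    return sorted(scored, key=lambda entry: entry[1], reverse=True)


# Constructed sample feed of newly observed domains (not real data).
SAMPLE_DOMAINS = ["acmewear-holiday-sale.shop", "acmewaer-blackfriday.com",
                  "flash-sale-deals.net", "winter-weather-report.org"]

if __name__ == "__main__":
    for domain, score, reasons in rank_domains(SAMPLE_DOMAINS):
        print(f"{score:2d}  {domain:30s} {'; '.join(reasons)}")
```

Feeding this from a certificate-transparency or newly-registered-domain feed turns it into a daily triage queue; the brand's own legitimate domains should be on an allowlist before the results go to anyone.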

  • WhatsApp under threat: Water Saci intensifies attacks thanks to artificial intelligence

The Water Saci malware has reached a new level of sophistication. It now uses artificial intelligence to automate and optimize attacks on WhatsApp users. Algorithms analyze the behavior of targeted accounts, choose the optimal time to send messages, and even modify texts to increase the likelihood of interaction. As a result, this technology allows attackers to more effectively distribute phishing links, malicious file downloaders, and financial schemes, making attacks more personalized and difficult to detect.

Water Saci shows that combining traditional malware with artificial intelligence creates a new class of cyberthreats—fast, adaptive, and difficult to detect. WhatsApp users should be especially attentive to messages from unknown contacts, check links before opening them, and use multi-layered protection. Antivirus solutions and access restrictions for suspicious files also remain relevant.

AI-enhanced attacks are becoming a real cybersecurity problem, and a lack of caution can cost users their personal data and finances.

  • QuietCrabs and Thor target Russian organizations

QuietCrabs and Thor continue to conduct strategic cyberattacks targeting government and commercial organizations in Russia. Trellix found that both groups use a combination of malicious tools, including backdoors and a Remote Access Trojan (RAT) module, to gain long-term access to networks. The attacks are highly customized, with tools tailored to the specific infrastructure of the victim, making detection and response difficult.

At the same time, the groups' activity demonstrates a strategic approach: scanning networks, identifying key nodes, and gradually escalating privileges. Targeted organizations face not only data leakage but also the risk of disruption to critical systems.

This incident shows that modern APT groups operate not randomly but strategically, targeting specific regions and industries. Therefore, organizations must constantly monitor network activity, segment infrastructure, and implement early detection tools to minimize the impact of intrusions.

  • Evilginx SSO: Attacks on US universities

Trellix researchers have discovered a series of attacks using Evilginx SSO targeting university environments in the US. The malicious tool works as a proxy for single sign-on (SSO) phishing, allowing attackers to intercept access tokens without requiring a password. This approach makes it difficult to detect attacks using traditional methods, as victims are unaware that their accounts have been compromised.

The attacks targeted university email systems, educational platforms, and distance learning services. The attackers used fake authentication pages that closely mimicked SSO portals, allowing them to harvest access tokens and gain long-term control over accounts.

Evilginx SSO demonstrates how modern phishing campaigns adapt to popular authentication mechanisms. It is critical for universities to implement multi-factor authentication, constantly monitor suspicious sessions, and train students and staff to recognize phishing scams. Attacks on SSO systems show that even seemingly secure access mechanisms can be targeted by cybercriminals.
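"Constantly monitor suspicious sessions" can be made concrete. When a phishing proxy sits between the victim and the SSO portal, the identity provider sees the login arrive from the proxy's address and browser fingerprint, and shortly afterwards sees the same session used from wherever the captured token is imported. The script below is an added example (not Trellix or Evilginx code) that looks for that shape in constructed JSON-lines sign-in telemetry: a session token used from a different IP and a different user agent within a short window after login. Field names, the window, and the sample records are assumptions.

```python
"""Detect SSO session tokens reused from a second device shortly after login.

Added example; not Trellix or Evilginx code. Input is constructed JSON-lines
sign-in telemetry (field names ts, user, event, session, ip, ua are assumptions).
A session that logs in from one IP/user agent and is then used from a different
IP *and* user agent within minutes is the pattern this flags.
"""
import json
from datetime import datetime, timedelta

REPLAY_WINDOW = timedelta(minutes=30)   # assumed: device change this soon after login is suspicious

# Constructed sample telemetry (RFC 5737 documentation addresses, not real users).
SAMPLE_LOG = """\
{"ts": "2025-12-10T08:01:10", "user": "student1", "event": "login", "session": "S-100", "ip": "203.0.113.45", "ua": "Mozilla/5.0 (Windows NT 10.0) Firefox/133.0"}
{"ts": "2025-12-10T08:03:55", "user": "student1", "event": "token_use", "session": "S-100", "ip": "198.51.100.7", "ua": "Mozilla/5.0 (X11; Linux x86_64) Chrome/131.0"}
{"ts": "2025-12-10T09:15:00", "user": "prof2", "event": "login", "session": "S-200", "ip": "192.0.2.88", "ua": "Mozilla/5.0 (Macintosh) Safari/18.0"}
{"ts": "2025-12-10T09:40:12", "user": "prof2", "event": "token_use", "session": "S-200", "ip": "192.0.2.88", "ua": "Mozilla/5.0 (Macintosh) Safari/18.0"}
{"ts": "2025-12-10T10:00:00", "user": "student3", "event": "login", "session": "S-300", "ip": "192.0.2.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Edge/131.0"}
{"ts": "2025-12-10T10:05:00", "user": "student3", "event": "token_use", "session": "S-300", "ip": "192.0.2.11", "ua": "Mozilla/5.0 (Windows NT 10.0) Edge/131.0"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            event = json.loads(line)
            event["ts"] = datetime.fromisoformat(event["ts"])
            events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def find_replayed_sessions(events):
    """Return {session_id: alert} for sessions used from a new IP and UA within the window."""
    baseline = {}   # session id -> the login event that created it
    alerts = {}
    for event in events:
        sid = event["session"]
        if event["event"] == "login":
            baseline[sid] = event
            continue
        login = baseline.get(sid)
        if login is None:
            continue    # token seen without its login in this slice; out of scope here
        changed_ip = event["ip"] != login["ip"]
        changed_ua = event["ua"] != login["ua"]
        age = event["ts"] - login["ts"]
        # An IP change alone is noisy (mobile networks, VPNs); require both to change.
        if changed_ip and changed_ua and age <= REPLAY_WINDOW:
            alerts[sid] = {
                "user": event["user"],
                "login_ip": login["ip"],
                "reuse_ip": event["ip"],
                "minutes_after_login": age.total_seconds() / 60,
            }
    return alerts


if __name__ == "__main__":
    for sid, alert in find_replayed_sessions(parse_events(SAMPLE_LOG)).items():
        print(f"{sid}: {alert['user']} logged in from {alert['login_ip']}, "
              f"session reused from {alert['reuse_ip']} "
              f"{alert['minutes_after_login']:.1f} min later")
```

Session S-300 is deliberately left unflagged: its address moved within the same network but the browser did not change, which is ordinary roaming rather than a token handed to a second machine. Enriching the login IP with hosting-provider ASN data would catch the other half of the pattern (the login itself arriving from a server rather than a campus or residential network), but that lookup is outside this example.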

  • TangleCrypt: Software to hide EDR Killer

Trellix researchers have discovered a new malicious packer, TangleCrypt, whose primary purpose is to hide tools that neutralize EDR solutions (so-called EDR killers).

TangleCrypt uses multi-layered encryption and obfuscation to make it difficult to analyze the malware statically and dynamically. Once unpacked in memory, it activates modules aimed at disabling or bypassing endpoint protections, opening the way for further stages of the attack.

The result of this approach is that attackers can significantly increase the chances of malware surviving in the victim's infrastructure and reduce the likelihood of early incident detection.

The emergence of TangleCrypt highlights an alarming trend: attacks increasingly begin with the neutralization of protective mechanisms. Organizations should rely on multi-layered security, behavioral analysis, and continuous system monitoring, rather than relying solely on traditional signature-based methods. And during the holiday season, when response times may be slower, such tools pose a particularly serious threat.

  • JavaScript in a few moves: How the attack chain delivers the NetSupport RAT

Trellix researchers have documented a multi-stage attack chain that uses JavaScript as the primary delivery mechanism for the NetSupport RAT. The attack begins with seemingly harmless scripts that gradually load additional components, inspect the runtime environment, and only then deliver the final malicious payload. This staged model allows basic defenses to be bypassed and makes analysis difficult, as no single stage appears to be critically dangerous on its own.

NetSupport RAT gives attackers full remote control over the infected system, allowing them to manage files, record keystrokes, take screenshots, and launch additional tools. This makes the attack a convenient platform for further espionage or financially motivated operations.

The case is a reminder of how dangerous multi-stage attacks disguised as normal web activity can be. Organizations should pay attention not only to the final payload but also to the behavior of scripts in the early stages, using behavioral analysis and JavaScript execution control. Otherwise, even a “normal” script can be the first step to a complete compromise of the system.

  • Calisto APT: Phishing against journalists

The Calisto APT group was exposed during a phishing campaign targeting Reporters Without Borders. According to Trellix researchers, the attackers used carefully crafted phishing emails that mimicked legitimate official communications and were tailored to the context of the organization. The main goal of the campaign was to compromise credentials and gain access to internal resources and communications.

The attack was characterized by high-quality social engineering: the email texts, attachments, and domains looked convincing and did not immediately arouse suspicion. This is a typical pattern of APT groups that work not for mass distribution but for precision and long-term access.

What can we conclude from this incident? Phishing remains one of the most effective tools in the arsenal of APT groups, especially when it comes to organizations with high public importance.

Protecting such structures requires not only technical solutions but also constant employee training, domain control, and analysis of the context of electronic communication. After all, even one successful email can become an entry point for a larger operation.
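"Domain control and analysis of the context of electronic communication" translates into a few header checks that any mail gateway or analyst script can run: does the envelope sender domain match the visible From domain, did SPF and DKIM pass and does the DKIM signing domain align with From, does the display name borrow the organization's name while the address comes from elsewhere, and does the sending domain merely resemble the organization's own. The script below is an added example (not Trellix code) that applies those checks, using only the standard library, to two constructed messages; the organization domain, display name, similarity threshold, and both messages are assumptions.

```python
"""Check sender-domain alignment and lookalike risk on raw email headers.

Added example; not Trellix code. Uses only the standard library. The protected
organisation domain, display name, similarity threshold and both sample messages
are constructed assumptions.
"""
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example-press-org.example"   # hypothetical protected organisation domain
ORG_DISPLAY_NAME = "Example Press Org"     # hypothetical name an attacker would borrow
LOOKALIKE_RATIO = 0.8                      # assumed similarity threshold for From domain

# Constructed sample: aligned sender, passing SPF and DKIM, signing domain matches From.
LEGIT_MESSAGE = """\
Return-Path: <newsletter@example-press-org.example>
Authentication-Results: mx.example; spf=pass smtp.mailfrom=example-press-org.example; dkim=pass header.d=example-press-org.example
From: Example Press Org <newsletter@example-press-org.example>
To: staff@example-press-org.example
Subject: Weekly bulletin

Body.
"""

# Constructed sample: SPF passes for the attacker's own bounce domain, no DKIM,
# display name copies the organisation, From domain is a lookalike.
SUSPICIOUS_MESSAGE = """\
Return-Path: <bounce@mailer-0815.example>
Authentication-Results: mx.example; spf=pass smtp.mailfrom=mailer-0815.example; dkim=none
From: Example Press Org Security <it-support@example-press-org-secure.example>
To: staff@example-press-org.example
Subject: Action required: verify your mailbox

Body.
"""


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_headers(raw):
    """Return a list of findings for one raw RFC 5322 message (empty means aligned)."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    rp_dom = domain_of(parseaddr(msg.get("Return-Path", ""))[1])
    auth = msg.get("Authentication-Results", "")
    spf = re.search(r"\bspf=(\w+)", auth)
    dkim = re.search(r"\bdkim=(\w+)", auth)
    dkim_d = re.search(r"header\.d=([^\s;]+)", auth)

    findings = []
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} does not match From domain {from_dom}")
    if not dkim or dkim.group(1) != "pass":
        findings.append("no passing DKIM signature")
    elif dkim_d and dkim_d.group(1).lower() != from_dom:
        findings.append(f"DKIM d={dkim_d.group(1)} is not aligned with the From domain")
    if not spf or spf.group(1) != "pass":
        findings.append("SPF did not pass")
    if from_dom != ORG_DOMAIN:
        if ORG_DISPLAY_NAME.lower() in display.lower():
            findings.append(f"display name borrows '{ORG_DISPLAY_NAME}' but From domain is {from_dom}")
        if SequenceMatcher(None, from_dom, ORG_DOMAIN).ratio() >= LOOKALIKE_RATIO:
            findings.append(f"From domain {from_dom} resembles {ORG_DOMAIN}")
    return findings


if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_MESSAGE), ("suspicious", SUSPICIOUS_MESSAGE)):
        findings = analyze_headers(raw)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

The point the suspicious sample makes is that a passing SPF result on its own proves little: the attacker controls the bounce domain that SPF was evaluated against. Alignment between Return-Path, DKIM `d=` and the visible From domain, plus the display-name and lookalike checks, is what separates the two messages.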

  • To sum it up

All of these incidents, recorded by the Trellix threat research team, have one thing in common: attacks are becoming more targeted and technologically sophisticated. Attackers are actively using multi-stage chains, social engineering, vulnerabilities in popular platforms, and artificial intelligence to bypass defenses and remain undetected for as long as possible.

In 2025, it has become clear that cybersecurity is no longer limited to protecting endpoints or responding to incidents after the fact. True resilience is about being proactive: understanding the current threat landscape and being prepared to act before a potential attack becomes an actual incident.

If you want to understand which of these threats are most relevant to your business and build an effective cyber defense strategy with Trellix solutions, please submit a consultation request.
