ThreatsDay Bulletin: Stealth Loaders, AI Chatbot Flaws, AI Exploits, Docker Hack, and 15 More Stories
It’s getting harder to tell where normal tech ends and malicious intent begins. Attackers are no longer just breaking in — they’re blending in, hijacking everyday tools, trusted apps, and even AI assistants. What used to feel like clear-cut “hacker stories” now looks more like a mirror of the systems we all use.
This week’s findings show a pattern: precision, patience, and persuasion. The newest campaigns don’t shout for attention — they whisper through familiar interfaces, fake updates, and polished code. The danger isn’t just in what’s being exploited, but in how ordinary it all looks.
ThreatsDay pulls these threads together — from corporate networks to consumer tech — revealing how quiet manipulation and automation are reshaping the threat landscape. It’s a reminder that the future of cybersecurity won’t hinge on bigger walls, but on sharper awareness.
-
Open-source tool exploited
Bad actors are leveraging an open-source monitoring tool named Nezha to gain remote access to compromised hosts. Its ability to allow administrators to view system health, execute commands, transfer files, and open interactive terminal sessions also makes it an attractive choice for threat actors. In one incident investigated by Ontinue, the tool was deployed as a post-exploitation remote access tool by means of a bash script, while pointing to a remote dashboard hosted on Alibaba Cloud infrastructure located in Japan. “The weaponization of Nezha reflects an emerging modern attack strategy where threat actors systematically abuse legitimate software to achieve persistence and lateral movement while evading signature-based defenses,” said Mayuresh Dani, security research manager at Qualys. The abuse of Nezha is part of broader efforts where attackers leverage legitimate tools to evade signature detection, blend with normal activity, and reduce development effort.
-
Facial scans for SIMs
South Korea will begin requiring people to submit to facial recognition when signing up for a new mobile phone number in a bid to tackle scams and identity theft, according to the Ministry of Science and ICT. “By comparing the photo on an identification card with the holder’s actual face on a real-time basis, we can fully prevent the activation of phones registered under a false name using stolen or fabricated IDs,” the ministry said. The new policy, which applies to SK Telecom, Korea Telecom, and LG Uplus, as well as other mobile virtual network operators, takes effect on March 23 after a pilot that began this week. The science ministry has emphasized that no data will be stored as part of the new policy. “We are well aware that the public is concerned due to a series of hacking incidents at local mobile carriers,” the ministry said. “Contrary to concerns raised by some, no personal information is stored or saved, and it is immediately erased once identification is verified.”
-
Android NFC threat spike
Data from ESET has revealed that detections of NFC-abusing Android malware grew by 87% between H1 and H2 2025. This increase has been coupled with the growing sophistication of NFC-based malware, such as the harvesting of victims’ contacts, disabling of biometric verification, and bringing together NFC attacks with remote access trojan (RAT) features and Automated Transfer System (ATS) capabilities. In these campaigns, malicious apps distributing malware such as PhantomCard prompt victims to hold their payment card near the phone and enter their PIN for authentication. In the process, the captured information is relayed to the attackers. “Recent innovations in the NFC sphere demonstrate that threat actors no longer rely solely on relay attacks: they are blending NFC exploitation with advanced capabilities such as remote access and automated transfers,” ESET said. “The efficiency of the scams is further fueled by advanced social engineering and technologies that can bypass biometric verification.”
-
Fake PoCs spread malware
Threat actors are now targeting inexperienced professionals and students in the information security field with fake proof-of-concept (PoC) exploits for security flaws such as CVE-2025-59295, CVE-2025-10294, and CVE-2025-59230 to trick them into installing WebRAT using a ZIP archive hosted in the repositories. “To build trust, they carefully prepared the repositories, incorporating detailed vulnerability information into the descriptions,” Kaspersky said. The repositories include detailed sections with overviews of the vulnerability, system impact, install guides, usage steps, and even mitigation advice. The consistent format, resembling a professional PoC write-up, suggests the descriptions are machine-generated to avoid detection. Present within the ZIP file is an executable named “rasmanesc.exe” that’s capable of escalating privileges, disabling Microsoft Defender, and fetching WebRAT from an external server. WebRAT is a backdoor that allows attackers to control the infected system, as well as steal data from cryptocurrency wallets, Telegram, Discord, and Steam accounts. It can also perform spyware functions such as screen recording, surveillance via a webcam and microphone, and keylogging. WebRAT is sold by NyashTeam, which also advertises DCRat.
-
GuLoader surge observed
Campaigns distributing GuLoader (aka CloudEyE) scaled a new high between September and November 2025, according to ESET, with the highest detection peak recorded in Poland on September 18. “CloudEyE is multistage malware; the downloader is the initial stage and spreads via PowerShell scripts, JavaScript files, and NSIS executables,” the company said. “These then download the next stage, which contains the crypter component with the intended final payload packed within. All CloudEyE stages are heavily obfuscated, meaning that they are deliberately difficult to detect and analyze, with their contents being compressed, encrypted, encoded, or otherwise obscured.”
-
Chatbot flaws exposed
Multiple vulnerabilities have been disclosed in Eurostar’s public artificial intelligence (AI) chatbot that could allow guardrail bypass by taking advantage of the fact that the frontend relays the entire chat history to the API while running checks only on the latest message to ensure it’s safe. This opens the door to a scenario where an attacker could tamper with earlier messages, which, when fed into the model’s API, causes it to return unintended responses via a prompt injection. Other identified issues included the ability to modify message IDs to potentially lead to cross-user compromise and inject HTML code stemming from the lack of input validation. “An attacker could exfiltrate prompts, steer answers, and run scripts in the chat window,” Pen Test Partners said. “The core lesson is that old web and API weaknesses still apply even when an LLM is in the loop.” Some of these vulnerabilities have since been fixed, but not before a confusing disclosure process that saw the penetration testing firm somehow being accused of blackmail by Eurostar’s head of security on LinkedIn after asking, “Maybe a simple acknowledgement of the original email report would have helped?”
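The history-relay weakness described above, shown next to one possible server-side mitigation. This is an added example, not code from Eurostar or Pen Test Partners; the key, the phrase list, and every function name are assumptions made for illustration.

```python
import hashlib
import hmac
import html
import json

# Assumptions for this demo: a constructed server-side key and a toy
# phrase list standing in for whatever guardrail the real service runs.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"
BLOCKED_PHRASES = ("ignore previous instructions", "reveal your system prompt")


def guardrail_ok(text):
    lowered = text.lower()
    return not any(phrase in lowered for phrase in BLOCKED_PHRASES)


def sign(conversation_id, index, role, content):
    """HMAC tag binding a message to its conversation, position and role."""
    payload = json.dumps([conversation_id, index, role, content]).encode()
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def append_signed(conversation_id, history, role, content):
    """Server-side only: add a message it has already vetted or generated."""
    entry = {"role": role, "content": content,
             "sig": sign(conversation_id, len(history), role, content)}
    return history + [entry]


def weak_accept_turn(history, new_message):
    """Pattern described above: only the latest message is checked."""
    return guardrail_ok(new_message)  # relayed history is trusted as-is


def accept_turn(conversation_id, history, new_message):
    """Hardened: verify every relayed message, then check the new one."""
    for index, msg in enumerate(history):
        expected = sign(conversation_id, index, msg.get("role"), msg.get("content"))
        supplied = str(msg.get("sig", ""))
        if not hmac.compare_digest(expected.encode(), supplied.encode()):
            return False, f"history message {index} failed integrity check", history
    if not guardrail_ok(new_message):
        return False, "new message blocked by guardrail", history
    return True, "accepted", append_signed(conversation_id, history, "user", new_message)


def render_for_chat_window(text):
    """Escape model or user text before it is placed in the chat HTML."""
    return html.escape(text)
```

Binding each tag to the conversation ID and message position also rejects history replayed from a different conversation, which is relevant to the message-ID issue mentioned above.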
-
Critical flaws uncovered
A hacking competition conducted by Wiz, zeroday.cloud, led to the discovery of 11 critical zero-day exploits affecting foundational open-source components used in critical cloud infrastructure, including container runtimes, AI infrastructure such as vLLM and Ollama, and databases like Redis, PostgreSQL, and MariaDB. The most severe of the flaws has been uncovered in Linux. “The vulnerability allows for a Container Escape, often enabling attackers to break out of an isolated cloud service, dedicated to one specific user, and spread to the underlying infrastructure that manages all users,” Wiz said. “This breaks the core promise of cloud computing: the guarantee that different customers running on the same hardware remain separate and inaccessible to one another. This further reinforces that containers shouldn’t be the sole security barrier in multi-tenant environments.”
-
Loader targets industries
Manufacturing and government organizations in Italy, Finland, and Saudi Arabia are the target of a new phishing campaign that uses a commodity loader to deliver a wide range of malware, such as PureLogs, XWorm, Katz Stealer, DCRat, and Remcos RAT. “This campaign utilizes advanced tradecraft, employing a diverse array of infection vectors including weaponized Office documents (exploiting CVE-2017-11882), malicious SVG files, and ZIP archives containing LNK shortcuts,” Cyble said. “Despite the variety of delivery methods, all vectors leverage a unified commodity loader.” The use of the loader to distribute a variety of malware indicates that the loader is likely shared or sold across different threat actor groups. A notable aspect of the campaign is the use of steganographic techniques to host image files on legitimate delivery platforms, thereby allowing the malicious code to slip past file-based detection systems by masquerading as benign traffic. The commodity loader is assessed to be Caminho based on similar campaigns detailed by Nextron Systems and Zscaler.
-
Teams gets safer defaults
Microsoft has announced that Teams will automatically enable messaging safety features by default, including weaponizable file type protection, malicious URL protection, and reporting incorrect detections. The change will roll out starting January 12, 2026, to tenants that have not previously modified messaging safety settings and are still using the default configuration. “We’re improving messaging security in Microsoft Teams by enabling key safety protections by default,” Microsoft said in a Microsoft 365 message center update. “This update helps safeguard users from malicious content and provides options to report incorrect detections.” In addition, the Windows maker said security administrators will be able to block external users in Microsoft Teams via the Tenant Allow/Block List in the Microsoft Defender portal. The feature is expected to roll out in early January 2026 and be completed by mid-January. “This centralized approach enhances security and compliance by enabling organizations to control external user access across Microsoft 365 services,” the company said.
-
AI assistant hijack risk
Docker has patched a vulnerability in Ask Gordon, its AI assistant embedded in Docker Desktop and the Docker CLI. The flaw, discovered by Pillar Security in the beta version, is a case of prompt injection that enables attackers to hijack the assistant and exfiltrate sensitive data by poisoning Docker Hub repository metadata with malicious instructions. An attacker could have created a malicious Docker Hub repository that contained crafted instructions for the AI to exfiltrate sensitive data when unsuspecting developers ask the chatbot to describe the repository. “By exploiting Gordon’s inherent trust in Docker Hub content, threat actors can embed instructions that trigger automatic tool execution – fetching additional payloads from attacker-controlled servers, all without user consent or awareness,” security researcher Eilon Cohen said. The issue was addressed in version 4.50.0 released on November 6, 2025.
-
Firewall bypass threat
Researchers have demonstrated how to breach Internet of Things (IoT) devices through firewalls, without the need for any kind of software vulnerability. “We present a new attack technique that allows attackers anywhere in the world to impersonate target intranet devices, hijack cloud communication channels, spoof the cloud, and bypass companion app authentication, and ultimately achieve Remote Code Execution (RCE) with root privileges,” researchers Jincheng Wang and Nik Xe said. “Our research exposes flaws in existing cloud-device authentication mechanisms, and a widespread absence of proper channel verification mechanisms.”
-
Faster BitLocker encryption
Microsoft said it’s rolling out hardware-accelerated BitLocker in Windows 11 to balance robust security with minimal performance impact. “Starting with the September 2025 Windows update for Windows 11 24H2 and the release of Windows 11 25H2, in addition to existing support for UFS (Universal Flash Storage) Inline Crypto Engine technology, BitLocker will take advantage of upcoming system on chip (SoC) and central processing unit (CPU) capabilities to achieve better performance and security for current and future NVMe drives,” the company said. As part of this effort, BitLocker will hardware wrap BitLocker bulk encryption keys and offload bulk cryptographic operations from the main CPU to a dedicated crypto engine. “When enabling BitLocker, supported devices with NVMe drives, along with one of the new crypto offload capable SoCs, will use hardware-accelerated BitLocker with the XTS-AES-256 algorithm by default,” the tech giant added.
-
Israel-targeted phishing
Information Technology (IT), Managed Service Providers (MSPs), human resources, and software development companies in Israel have become the target of a threat cluster likely originating from Western Asia that has used phishing lures written in Hebrew and designed to resemble routine internal communications to infect their systems with Python- and Rust-based implants tracked as PYTRIC and RUSTRIC. The activity has been tracked by Seqrite Labs under the monikers UNG0801 and Operation IconCat. “A recurring pattern across the observed campaigns is the actor’s heavy reliance on antivirus icon spoofing,” the company said. “Branding from well-known security vendors, most notably SentinelOne and Check Point, is abused to create a false sense of legitimacy.” The PDF attachment in the email messages instructs recipients to download a security scanner by clicking on a Dropbox link that delivers the malware. PYTRIC is equipped to scan the file system and perform a system-wide wipe. Attack chains distributing RUSTRIC leverage Microsoft Word documents with a malicious macro, which then extracts and launches the malware. Besides enumerating the antivirus programs installed on the infected host, it gathers basic system information and contacts an external server.
-
EDR killer tool sold
A threat actor known as AlphaGhoul is promoting a tool called NtKiller that they claim can stealthily terminate antivirus and security solutions, such as Microsoft Defender, ESET, Kaspersky, Bitdefender, and Trend Micro. The core functionality, per Outpost24, is available for $500, with a rootkit add-on and a UAC Bypass add-on costing $300 each. The disclosure comes weeks after a security researcher, who goes by the name Zero Salarium, demonstrated how Endpoint Detection and Response (EDR) programs can be undermined on Windows by exploiting the Bind Filter driver (“bindflt.sys”). In recent months, the security community has also identified ways to bypass web application firewalls (WAFs) by abusing ASP.NET’s parameter pollution, subvert EDRs using an in-memory Portable Executable (PE) loader, and even manipulate Microsoft Defender Antivirus to sideload DLLs and delete executable files to prevent the service from running by exploiting its update mechanism to hijack its execution folder.
-
AI exploits blockchain
AI company Anthropic said Claude Opus 4.5, Claude Sonnet 4.5, and GPT-5 developed exploits in blockchain smart contracts that would have allowed the theft of $4.6 million worth of digital assets. “Both agents uncovered two novel zero-day vulnerabilities and produced exploits worth $3,694, with GPT-5 doing so at an API cost of $3,476,” Anthropic’s Frontier Red Team said. “This demonstrates as a proof-of-concept that profitable, real-world autonomous exploitation is technically feasible, a finding that underscores the need for proactive adoption of AI for defense.”
-
North Korea’s new lure
The North Korean threat actor known as ScarCruft has been linked to a new campaign dubbed Artemis that involves the adversary posing as a writer for Korean TV programs to reach out to targets for casting or interview arrangements. “A short self-introduction and legitimate-looking instructions are used to build trust,” Genians said. “The attacker distributes a malicious HWP file disguised as a pre-interview questionnaire or event guide document.” The end goal of these attacks is to trigger the sideloading of a rogue DLL that ultimately delivers RokRAT, which uses Yandex Cloud for command-and-control (C2). The campaign gets its name from the fact that one of the identified HWP documents has its Last Saved By field set to the value “Artemis.”
-
AI-fueled disinfo surge
The Russian influence operation CopyCop (aka Storm-1516) is using AI tools to scale its efforts to a global reach, quietly deploying more than 300 inauthentic websites disguised as local news outlets, political parties, and even fact-checking organizations targeting audiences across North America, Europe, and other regions, including Armenia, Moldova, and parts of Africa. The primary objective is to further Russia’s geopolitical goals and erode Western support for Ukraine. “What sets CopyCop apart from earlier influence operations is its large-scale use of artificial intelligence,” Recorded Future said. “The network relies on self-hosted LLMs, specifically uncensored versions of a popular open-source model, to generate and rewrite content at scale. Thousands of fake news stories and ‘investigations’ are produced and published daily, blending factual fragments with deliberate falsehoods to create the illusion of credible journalism.”
-
RomCom-themed phishing
A threat cluster dubbed SHADOW-VOID-042 has been linked to a November 2025 spear-phishing campaign featuring a Trend Micro-themed social engineering lure to trick victims in the defense, energy, chemical, cybersecurity (including Trend and a subsidiary), and ICT sectors with messages instructing them to install a fake update for alleged security issues in Trend Micro Apex One. The activity, Trend Micro said, shares overlaps with prior campaigns attributed to RomCom (aka Void Rabisu), a threat actor with both financial and espionage motivations that align with Russian interests. However, in the absence of a definitive connection, the latter attack waves are being tracked under a separate temporary intrusion set. What’s more, the November 2025 campaign shares tactical and infrastructure overlaps with another campaign in October 2025, which used alleged harassment complaints and research participation as social engineering lures. “The campaign utilized a multi-stage approach, tailoring every stage to the specific target machine and delivering intermediate payloads to a select number of targets,” Trend Micro said. The URLs embedded in the emails redirect victims to a fake landing page impersonating Cloudflare, while, in the background, attempts are made to exploit a now-patched Google Chrome security flaw (CVE-2018-6065) using a JavaScript file. In the event exploitation fails, they are taken to a decoy site named TDMSec, impersonating Trend Micro. The JavaScript file also contains shellcode responsible for gathering system information and contacting an external server to fetch a second-stage payload, which acts as a loader for an encrypted component that then proceeds to contact a server to obtain an unspecified next-stage malware. While Void Rabisu has exploited zero-days in the past, the new findings raise the possibility that it could be undergoing several changes.
The stories this week aren’t just about new attacks — they’re a snapshot of how the digital world is maturing under pressure. Every exploit, fake lure, or AI twist is a sign of systems being tested in real time. The takeaway isn’t panic; it’s awareness. The more we understand how these tactics evolve, the less power they hold.
Cybersecurity now sits at the crossroads of trust and automation. As AI learns to defend, it’s also learning how to deceive. That tension will define the next chapter — and how ready we are to face it depends on what we choose to notice today.
Stay curious, stay skeptical, and read between the lines. The biggest threats often hide in what feels most routine — and that’s exactly where the next breakthrough in defense will begin.
