Byer-Nichols Threat Brief for December 1-15 2025
Digital Rage

Season: 2 | Episode: 49

Published: December 17, 2025

By: Phish Tank Digital

"Byer-Nichols Threat Brief for December 1-15 2025," a cybersecurity intelligence report detailing threat activity over a two-week period. The brief, written by Jeremy Nichols, focuses on key trends like the re-emergence of the LockBit ransomware group and the dominance of the React2Shell vulnerability across multiple threat actors. Data tables illustrate shifts in ransomware leadership, with Qilin maintaining the top spot and Coinbase Cartel driving the construction sector to the most targeted position, while the USA remains the primary victim location. The document also lists specific trending adversaries (UNC clusters), actively exploited CVEs across major vendors, and new types of malware, all contributing to a clear picture of the current threat landscape.

Link: Byer-Nichols Threat Brief for December 1-15 2025

Episode Transcript

00:00:00 - 00:00:05
Welcome back to Digital Rage. I am Jeff the producer here at Phish Tank Digital.
00:00:05 - 00:00:11
And today we have our latest threat intelligence brief for the first half of
00:00:11 - 00:00:18
December. Lots of moving parts here. A big actor is back in the game so let's check
00:00:18 - 00:00:23
it out. Welcome back to the deep dive. Today we're going to be tearing into a
00:00:23 - 00:00:28
really critical threat brief. It covers global cyber activity for the first
00:00:28 - 00:00:34
half of December 2025. And this isn't just a status report. It's a high-stakes
00:00:34 - 00:00:39
snapshot of a very, very rapidly changing landscape. It really is. So our mission
00:00:39 - 00:00:43
really is to give you the shortcut. We need to map these strategic shifts, who is
00:00:43 - 00:00:49
hitting whom, where those attacks are landing, and I think most crucially what's the
00:00:49 - 00:00:52
universal entry point that just about everyone is exploiting right now. It's an
00:00:52 - 00:00:57
absolutely essential briefing because I mean in just two weeks the priorities
00:00:57 - 00:01:01
for major threat actors, they just they fundamentally shifted. If you only look
00:01:01 - 00:01:06
at the executive summary, there are three core themes that just jump right out.
00:01:06 - 00:01:09
They define this entire period. Okay let's hear them because the data suggests
00:01:09 - 00:01:13
this wasn't just you know typical activity. This was a major pivot. First the
00:01:13 - 00:01:16
sheer force of LockBit's return. They are back in the top five ransom-
00:01:16 - 00:01:22
ware list. And the reentry was well it was immediate and aggressive. It just
00:01:22 - 00:01:26
confirms that these dismantled groups they don't disappear, they hibernate and
00:01:26 - 00:01:29
they rebuild and they do it fast. Okay so that's number one. What's the second big
00:01:29 - 00:01:34
theme? Second we have a total shock in the sector and geographic targeting. And
00:01:34 - 00:01:39
this was driven by a little known group called Coinbase Cartel. Coinbase Cartel.
00:01:39 - 00:01:43
I've heard that name pop up. Their sudden rise simultaneously pushed the
00:01:43 - 00:01:49
United Arab Emirates into the top five target regions globally and it elevated
00:01:49 - 00:01:54
the construction sector to the number one victim sector. And those two shifts
00:01:54 - 00:01:59
are intrinsically connected. It signals completely new strategic interests.
00:01:59 - 00:02:02
That's fascinating because it means we can't just look at the raw numbers. We have
00:02:02 - 00:02:07
to look at the motivation. So what's the third piece of intelligence? The method.
00:02:07 - 00:02:12
It's the dominance of a single universal flaw. The React2Shell vulnerability.
00:02:12 - 00:02:17
This one exploit became the skeleton key for nearly every major threat
00:02:17 - 00:02:21
actor during this period. So if you understand React2Shell you understand how
00:02:21 - 00:02:24
almost all of these attacks happen. Okay let's unpack that then. Let's start with
00:02:24 - 00:02:28
the shifting power structure among the ransomware groups. The who of this
00:02:28 - 00:02:33
equation. This is where we see who's really dominating the board. Right. We still
00:02:33 - 00:02:37
have some heavyweights holding their ground. Qilin for instance absolutely
00:02:37 - 00:02:41
dominated. They grabbed over a quarter of all disclosed victims. A quarter. Wow.
00:02:41 - 00:02:47
So that's what 26.5% roughly? About that. Yeah. And Akira also remained a top-tier
00:02:47 - 00:02:52
actor holding strong at about 13%. So you know these are consistent mature
00:02:52 - 00:02:58
operations. But the real drama, the major signal here lies in the groups that
00:02:58 - 00:03:04
surged and the immediate reappearance of LockBit is astonishing. They were
00:03:04 - 00:03:08
effectively decimated just a few months ago. It speaks volumes about their
00:03:08 - 00:03:12
resilience, the modular nature of these operations. LockBit immediately
00:03:12 - 00:03:16
re-entered the rankings at number three. Number three just like that. Just like
00:03:16 - 00:03:21
that. Claiming over 6% of the market share. To jump from effectively zero to
00:03:21 - 00:03:25
number three in two weeks confirms they weren't truly taken down. They just
00:03:25 - 00:03:30
fragmented, restructured and aggressively launched new attacks to prove they
00:03:30 - 00:03:35
were back. That implies they had infrastructures ready to go. So it's less a
00:03:35 - 00:03:38
rebuild and more of a reboot. It's a reboot exactly. And what are the fast
00:03:38 - 00:03:41
movers that you know the true newcomers making all the noise? That's where
00:03:41 - 00:03:45
Coinbase Cartel comes in. I mean Sonobi continued its steady climb, landing at
00:03:45 - 00:03:50
number four, but the standout jump belongs to Cartel. They vaulted dramatically
00:03:50 - 00:03:56
from 17th place, completely peripheral all the way into the top five. 17th to
00:03:56 - 00:04:00
fifth. And that movement was driven almost entirely by aggressive victim
00:04:00 - 00:04:04
disclosures targeted at very specific industries and locations. Okay, so if
00:04:04 - 00:04:08
that's the who we have to look at the where and the what because those shifts
00:04:08 - 00:04:11
are where the strategic intent is really revealed. Let's talk about the
00:04:11 - 00:04:16
victim sectors. The shift here is it's unprecedented. The construction sector
00:04:16 - 00:04:20
moved from being the fourth most targeted all the way up to number one. Number one.
00:04:20 - 00:04:26
Number one. It now accounts for more than 17% of all victims. Financial
00:04:26 - 00:04:30
services and technology, you know, they remain high targets, but construction on
00:04:30 - 00:04:34
top is a massive signal. Why construction though? I mean, that's not
00:04:34 - 00:04:38
traditionally a sector known for massive data hordes, not like tech or
00:04:38 - 00:04:43
finance. What is that signal about their strategy? It signals a few things. First,
00:04:43 - 00:04:49
construction relies heavily on tight deadlines and operational technology, OT
00:04:49 - 00:04:53
integration. That makes them highly susceptible to disruption. Okay, that
00:04:53 - 00:04:58
makes sense. Second, their IT security maturity is often well, it's lower than the
00:04:58 - 00:05:02
highly regulated financial or tech sectors. The path of least resistance. Right.
00:05:02 - 00:05:06
But most importantly, it signifies an attack on the supply chain. Construction
00:05:06 - 00:05:10
firms often deal with lucrative government or infrastructure contracts.
00:05:10 - 00:05:15
Compromising a large construction firm provides a potential bridgehead into
00:05:15 - 00:05:19
much larger, more difficult targets. So they're hitting the weakest link to get
00:05:19 - 00:05:24
to the biggest prize. Coinbase Cartel clearly found a high leverage entry point
00:05:24 - 00:05:29
there. They did. Geographically, the USA is still the main target, right?
00:05:29 - 00:05:34
Absorbing nearly half the attacks. It is, yeah, about 48% of disclosed
00:05:34 - 00:05:38
victims. But the geographical expansion is also a huge story. The United Arab
00:05:38 - 00:05:42
Emirates has entered the top five victim locations for the first time ever.
00:05:42 - 00:05:46
They're coming in at nearly 3% of victims globally. And that's not a coincidence
00:05:46 - 00:05:50
I'm guessing? Not at all. It's a direct consequence of that surge in attacks,
00:05:50 - 00:05:54
targeting construction and the high value real estate sectors in the UAE. All
00:05:54 - 00:06:00
driven by Coinbase Cartel. Largely. Yes. Canada, the UK, Germany, they're still
00:06:00 - 00:06:05
consistently high targets. But the UAE's entry shows certain groups are just
00:06:05 - 00:06:08
following the money regardless of geography. But if we connect all this data,
00:06:08 - 00:06:13
the who, the what, the where the single most critical detail might not be the
00:06:13 - 00:06:18
location, but the size of the organization being hit. Right. Tell us about that
00:06:18 - 00:06:21
breakdown because the numbers here are genuinely shocking. The concentration on
00:06:21 - 00:06:26
smaller targets is just overwhelming. We define small businesses as organizations
00:06:26 - 00:06:34
with 500 or fewer employees. Okay. They accounted for a staggering 81.37% of all
00:06:34 - 00:06:40
victims. And this isn't an arbitrary fluctuation. It's a sharp 9.08% jump from
00:06:40 - 00:06:45
the prior period. Wow. Over eight out of 10 attacks hit small organizations.
00:06:45 - 00:06:49
A massive strategic shift. And if we look at the inverse, it really emphasizes
00:06:49 - 00:06:54
the priority. Large enterprise targeting, so organizations with over 5,000
00:06:54 - 00:06:59
employees that dropped by over 7.5%. Precisely. This means the adversaries have
00:06:59 - 00:07:04
made a clear tactical decision. They're prioritizing high volume opportunistic
00:07:04 - 00:07:08
exploitation. It's just easier. It's easier to hit a thousand small businesses
00:07:08 - 00:07:12
with weaker security than it is to dedicate resources to one heavily defended
00:07:12 - 00:07:17
large enterprise. They are maximizing their digital surface area for quick, high
00:07:17 - 00:07:20
volume returns. Maximizing surface area over maximizing the prize value. I'd
00:07:20 - 00:07:24
say, which leads us naturally to the how this is where it gets really interesting.
00:07:24 - 00:07:29
The method of attack all dominated by React2Shell, and React2Shell
00:07:29 - 00:07:34
provided that flaw ubiquitously. The core vulnerability is the React Server
00:07:34 - 00:07:41
Components issue. It's catalogued as CVE-2025-55182. And that comes from Meta's
00:07:41 - 00:07:46
React framework, which is everywhere. It's everywhere. It allowed the specific
00:07:46 - 00:07:51
React2Shell exploitation framework to execute remote code. So in simple
00:07:51 - 00:07:55
terms, it was a critical design flaw in a globally used technology that let
00:07:55 - 00:07:59
attackers tell a server to run their malicious code. And we aren't just talking
00:07:59 - 00:08:03
about one group using this. The data shows a whole constellation of adversarial
00:08:03 - 00:08:07
clusters piling onto this flaw. That's the danger of a universal vulnerability.
00:08:07 - 00:08:13
We track multiple threat clusters, UNC5174, UNC6588, UNC6588 and several
00:08:13 - 00:08:17
others all showed elevated activity. And for our listeners, UNC stands for
00:08:17 - 00:08:21
uncategorized, right? So these are new or unverified actors. That's right. And the
00:08:21 - 00:08:24
fact that all these new and established groups immediately use this one flaw
00:08:24 - 00:08:28
tells us it was widely shared, easy to use and highly effective. They weren't
00:08:28 - 00:08:32
just observing. They were focusing on rapid exploitation, broad scanning behavior.
00:08:32 - 00:08:36
Exactly. When a skeleton key gets passed around, everyone starts trying doors.
00:08:36 - 00:08:41
And the real world impact is sobering. We know the React2Shell flaw was exploited
00:08:41 - 00:08:44
to breach at least 30 different organizations in this brief window.
00:08:44 - 00:08:48
30 confirmed breaches. And more concerningly, official confirmation showed at
00:08:48 - 00:08:54
least 77,000 IP addresses were still vulnerable to this single flaw globally.
00:08:54 - 00:08:59
It just underscores the severity. Okay, let's shift focus to the trending tools
00:08:59 - 00:09:03
adversaries you're using that, you know, the tools of the trade beyond the
00:09:03 - 00:09:07
big ransomware names. We're seeing a highly optimized and diverse toolkit.
00:09:07 - 00:09:12
It shows groups are focusing on specific functions, not just pure encryption.
00:09:12 - 00:09:16
So infostealers for that initial compromise. Crucial for that. Yes. We saw
00:09:16 - 00:09:21
Isuru, which is highly targeted at extracting browser data and credentials,
00:09:21 - 00:09:25
the keys to the kingdom. And then there's the emergence of Shai-Hulud 2.0.
00:09:25 - 00:09:28
Great name. It's an updated stealer with significantly improved evasion
00:09:28 - 00:09:32
techniques. It's specifically designed to get past modern endpoint detection
00:09:32 - 00:09:36
and security software. So its real innovation is in its ability to hide.
00:09:36 - 00:09:40
Better at stealing, better at hiding. What about remote access,
00:09:40 - 00:09:46
establishing that long term presence? We track two significant remote access
00:09:46 - 00:09:50
Trojans, or RATs. Etherat is a very lightweight option used for quick remote
00:09:50 - 00:09:55
control and data theft. But Valaratt is the modular option, specifically used in
00:09:55 - 00:10:00
long term espionage campaigns. And they're still innovating on distribution and
00:10:00 - 00:10:03
mobile too, right? Targeting that massive consumer surface area.
00:10:03 - 00:10:07
Absolutely. We have GlassWorm, which acts as a worm-like loader, spreading
00:10:07 - 00:10:11
quickly across internal networks. And on the mobile front, DroidLock is critical.
00:10:11 - 00:10:15
This is Android malware used for device locking and extortion.
00:10:15 - 00:10:19
It basically mirrors desktop ransomware tactics, but for your phone.
00:10:19 - 00:10:21
And while React 2 Shell dominated the volume,
00:10:21 - 00:10:25
specialized attackers are certainly not ignoring other high profile targets.
00:10:25 - 00:10:29
We're still seeing attacks on new flaws in Chromium, Apple, Android, Windows.
00:10:29 - 00:10:33
Correct. While React was a headline, other vulnerabilities demanded immediate
00:10:33 - 00:10:38
patching. We saw elevated targeting of WinRAR, specifically CVE 2025,
00:10:38 - 00:10:42
621, the mapping software GeoServer and critical flaws in enterprise
00:10:42 - 00:10:46
solutions like ArrayOS AG. So it's a very wide range of targets?
00:10:46 - 00:10:51
A very wide range. It confirms that while broad opportunistic flaws like
00:10:51 - 00:10:55
React 2 Shell capture the volume, specialized groups are still hitting
00:10:55 - 00:11:00
specific high value software products, which I think raises the ultimate question.
00:11:00 - 00:11:06
How do these cold hard statistics, the 81% target rate, the CVE numbers,
00:11:06 - 00:11:10
how do they actually translate into high impact events for organizations?
00:11:10 - 00:11:13
We saw several major real world incidents reported during this period that
00:11:13 - 00:11:18
clearly connect to these trends. It's hard to ignore the headline that
00:11:18 - 00:11:23
contractors were accused of wiping 96 US government databases.
00:11:23 - 00:11:26
That event alone just demonstrates the severe consequence of insider
00:11:26 - 00:11:30
threat and unchecked access. And the supply chain risk is just exploding.
00:11:30 - 00:11:34
The data shows over 10,000 Docker Hub images were found leaking credentials
00:11:34 - 00:11:38
and auth keys. That shows how easily one small exposed component can
00:11:38 - 00:11:43
compromise an entire ecosystem. The financial sector impact was also major.
00:11:43 - 00:11:48
The Marquit data breach hit over 74 US banks and credit unions.
00:11:48 - 00:11:53
It's that ripple effect we talked about. Compromise one processor and you compromise dozens of
00:11:53 - 00:11:59
smaller institutions. And finally, the sheer scale of social engineering was just.
00:11:59 - 00:12:03
It was illustrated by the ShadyPanda malicious browser extension campaign.
00:12:03 - 00:12:09
It got over 4 million installs. 4 million. Another example of targeting
00:12:09 - 00:12:13
massive volume over prestige. Right. It wasn't all grim news though.
00:12:13 - 00:12:17
I mean law enforcement regulators did manage to push back, which is always crucial context.
00:12:17 - 00:12:22
They did. We saw regulatory oversight with the EU fining X 140 million dollars
00:12:22 - 00:12:27
over deceptive blue check marks. That's serious attention being paid to platform integrity.
00:12:27 - 00:12:32
Also police forces successfully took down the crypto mixer, cryptocurrency mixing service,
00:12:32 - 00:12:36
disrupting a vital money laundering tool. And the major vendors responded, which is essential
00:12:36 - 00:12:43
defense. Yes, urgent patches were issued by major players like Fortinet, Ivanti and SAP to address
00:12:43 - 00:12:48
critical flaws. That rapid patching is the essential countermeasure against the kind of opportunistic
00:12:48 - 00:12:53
exploitation we saw with React2Shell. So let's summarize what we've learned from this deep dive.
00:12:53 - 00:12:58
The knowledge we walk away with confirms the ransomware hierarchy is shifting rapidly,
00:12:58 - 00:13:04
with LockBit's forceful return. The geography of targeting is expanding, notably into the UAE,
00:13:04 - 00:13:09
linked directly to that construction sector surge. And the vulnerability of the moment,
00:13:09 - 00:13:15
React2Shell is driving a volume-based strategy across a whole array of different threat groups.
00:13:15 - 00:13:19
But the truly critical takeaway, I think, for anyone preparing for the future,
00:13:19 - 00:13:25
is the clear signal of operational priority. That dramatic nearly 10% jump in targeting small
00:13:25 - 00:13:30
businesses means the adversary strategy is now ruthlessly optimized for high volume
00:13:30 - 00:13:34
opportunistic exploitation. They're looking for the path of least resistance across the
00:13:34 - 00:13:40
widest possible field. So here's the thought I want to leave you with. Given that over 81% of observed
00:13:40 - 00:13:45
attacks hit organizations with 500 or fewer employees and groups are using broad scanning for flaws
00:13:45 - 00:13:51
like React2Shell, what does security look like when volume, not prestige, is the main metric for
00:13:51 - 00:13:57
attack success. Does this mean cybersecurity is now less about protecting high value targets
00:13:57 - 00:14:02
and more about successfully exploiting sheer digital surface area? Something even more
00:14:02 - 00:14:06
than you think about securing your own digital perimeter. Thanks for diving vehicles. See you next time.
00:14:07 - 00:14:13
Reach out to us at jbuyer.com for comments and questions. Follow us at buyer company on social media
00:14:13 - 00:14:19
and if you'd be so kind, please rate and review us in your podcast app.