The week of December 22–29, 2025 saw rapid exploitation of newly disclosed flaws, continued evolution of nation-state espionage tooling, and impactful supply-chain and credential-theft campaigns.
Key Highlights
MongoBleed (CVE-2025-14847): A high-severity MongoDB information-disclosure vulnerability was under active exploitation within days of public disclosure, affecting over 87 000 internet-exposed instances.
Trust Wallet Extension Breach: A malicious code injection into the Chrome extension siphoned ~$7 million in cryptocurrency across nearly 2 600 wallets before remediation.
Mustang Panda & Evasive Panda: Chinese APT groups deployed signed kernel-mode rootkits and DNS-poisoning techniques to deliver ToneShell and MgBot backdoors in Southeast Asia and beyond.
LangChain “LangGrinch” (CVE-2025-68664): A critical serialization-injection flaw in the LangChain Core library could allow secret theft and prompt manipulation in AI applications.
27 Malicious npm Packages: A sustained spear-phishing campaign abused the npm registry to host fake document-sharing and Microsoft sign-in lures targeting critical-infrastructure personnel.
Dominant Trends
Time-to-Exploit Collapse: Vendors and defenders face near-zero-day windows as attackers weaponize disclosures within hours.
AI-Supply-Chain Targets: Emerging flaws in AI/ML frameworks highlight a new attack surface as enterprises rush to integrate LLM tooling.
Signature Evasion via Signed Rootkits: State actors increasingly leverage stolen certificates to cloak kernel-mode payloads, bypassing driver-signature checks.
II. GLOBAL CYBER THREAT LANDSCAPE OVERVIEW
The final week of 2025 underscored the accelerating cadence of threat actor agility, with adversaries weaponizing fresh disclosures before many organizations could even inventory affected assets. Critical-infrastructure sectors—energy, manufacturing, healthcare—remained prime targets for both espionage and financially motivated campaigns. Nation-state groups refined stealthy delivery mechanisms, while cybercriminal syndicates demonstrated renewed focus on cryptocurrency platforms and developer-centric registries (e.g., npm). The convergence of AI adoption and security gaps in AI frameworks introduced a novel risk vector, prompting calls for “AI-native” security controls.
III. NOTABLE INCIDENTS AND DATA BREACHES
This week witnessed several significant incidents that underscore the diverse and persistent nature of cyber threats.
Trust Wallet Chrome Extension (Dec 26): Malicious code injected into version 2.68 led to unauthorized transactions draining ~$7 million from 2 596 affected wallets. Trust Wallet issued v2.69 and committed to full refunds.
Coupang Data Breach (Dec 29): South Korea’s largest retailer will pay $1.17 billion to compensate 33.7 million customers exposed in a breach discovered last month.
Korean Air Employee Data Exposure (Dec 29): A hack of the Korean Air Catering & Duty-Free subsidiary exposed personal data of thousands of Korean Air staff.
Romanian Energy Provider Ransomware (Dec 26): Oltenia Energy Complex, Romania’s largest coal-based energy producer, suffered a Gentlemen ransomware attack that disrupted IT systems on Boxing Day.
WIRED Alleged Database Leak (Dec 28): A hacker claimed to leak 2.3 million WIRED subscriber records and threatened further dumps of up to 40 million Condé Nast records.
Rainbow Six Siege Breach (Dec 28): Ubisoft’s R6 servers were abused to manipulate in-game currency and moderation feeds, resulting in billions of illicit credits across player accounts.
IV. Comprehensive Incident Summary Table
| Date | Incident | Affected Organization | Impact |
|---|---|---|---|
| 2025-12-26 | Trust Wallet Extension Malicious Code | Trust Wallet | $7 M stolen across 2 596 wallets; v2.68 → v2.69 patch issued |
| 2025-12-29 | Coupang Customer Data Breach Compensation | Coupang | 33.7 M customers; $1.17 B compensation fund |
| 2025-12-29 | Korean Air Employee Data Exposure | Korean Air Catering & Duty-Free | Thousands of employee records exposed |
| 2025-12-26 | Gentlemen Ransomware on Energy Provider | Oltenia Energy Complex | IT infrastructure disrupted |
| 2025-12-28 | Alleged WIRED Subscriber Database Leak | Condé Nast (WIRED) | 2.3 M records leaked; up to 40 M threatened |
| 2025-12-28 | Rainbow Six Siege In-Game Currency Manipulation | Ubisoft | Billions of illicit R6 credits distributed |
V. Current Threat Landscape Analysis
Emerging Trends
Race-to-Exploit: The MongoBleed campaign exemplifies how adversaries leverage automation to scan and exploit flaws within hours of publication, outpacing many patch-management cycles.
AI Framework Attacks: CVE-2025-68664 in LangChain Core highlights that as organizations rush LLM integrations, security reviews lag—exposing systems to classic injection flaws repurposed for AI contexts.
Kernel-Mode Evasion: Mustang Panda’s use of a signed, minifilter-based rootkit demonstrates an increasing barrier to detection, demanding endpoint solutions that verify driver behavior beyond signature validity.
Patch MongoDB instances per vendor guidance for CVE-2025-14847; disable zlib compression if patching delayed.
Review all LangChain Core deployments; apply patches for CVE-2025-68664.
Upgrade Mattermost instances to address multiple CSRF and redirect flaws.
Audit browser extensions in enterprise environments; block Trust Wallet v2.68.
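The interim MongoDB mitigation above (disable zlib if patching is delayed), as an added example that is not code from this report or from MongoDB: a Python audit that reports whether a mongod.conf leaves zlib enabled and writes a hardened copy. It assumes the setting is net.compression.compressors, that an absent key means the server default snappy,zstd,zlib, and a standard 2-space YAML indent; confirm the default against the vendor documentation for the deployed version.

```python
"""Audit a mongod.conf for the zlib network compressor and emit a hardened copy.

net.compression.compressors is a comma-separated list or the literal "disabled".
When the key is absent the server default applies, assumed here to be
"snappy,zstd,zlib", so a config that never mentions compression still has zlib on.
"""
import re

DEFAULT_COMPRESSORS = "snappy,zstd,zlib"  # assumed server default
_KEY_RE = re.compile(r"^(\s*)compressors\s*:\s*(.+?)\s*$")


def _strip_comment(line: str) -> str:
    return line.split("#", 1)[0]


def effective_compressors(conf_text: str) -> list[str]:
    """Compressors mongod would negotiate for this config (empty = all disabled)."""
    for raw in conf_text.splitlines():
        m = _KEY_RE.match(_strip_comment(raw))
        if m:
            value = m.group(2).strip("\"' ")
            if value == "disabled":
                return []
            return [c.strip() for c in value.split(",") if c.strip()]
    return DEFAULT_COMPRESSORS.split(",")


def zlib_enabled(conf_text: str) -> bool:
    return "zlib" in effective_compressors(conf_text)


def harden(conf_text: str) -> str:
    """Return the config with zlib removed, making an implicit default explicit."""
    keep = [c for c in effective_compressors(conf_text) if c != "zlib"]
    value = ",".join(keep) or "disabled"  # zlib was the only one: turn compression off
    lines = conf_text.splitlines()
    for i, raw in enumerate(lines):
        m = _KEY_RE.match(_strip_comment(raw))
        if m:  # explicit key: rewrite in place (a trailing comment on it is dropped)
            lines[i] = f"{m.group(1)}compressors: {value}"
            return "\n".join(lines) + "\n"
    # Implicit default: add the key under an existing compression:/net: block
    # (standard 2-space YAML indent assumed) or append a whole net block.
    for pattern, new in ((r"^\s+compression:\s*$", [f"    compressors: {value}"]),
                         (r"^net:\s*$", ["  compression:", f"    compressors: {value}"])):
        for i, raw in enumerate(lines):
            if re.match(pattern, _strip_comment(raw)):
                lines[i + 1:i + 1] = new
                return "\n".join(lines) + "\n"
    lines += ["net:", "  compression:", f"    compressors: {value}"]
    return "\n".join(lines) + "\n"
```

Run it over each instance's config before and after the change; a config with no compression stanza at all should be flagged, since silence means the default list, not "off".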
Strategic Improvements
Implement kernel-mode driver monitoring to detect signed-but-malicious minifilter activity.
Deploy DNS-over-HTTPS/TLS to mitigate DNS-poisoning AitM vectors.
Integrate AI/ML security reviews into DevSecOps pipelines for LLM-based applications.
For Non-Technical Audiences
Security Awareness
Exercise heightened caution with browser extensions; only install from official, verified sources.
Report suspicious emails prompting extension updates or cryptocurrency transactions.
Incident Response Preparedness
Ensure clear reporting channels for suspicious extension behavior or unexpected wallet drains.
Regularly review and update security policies governing third-party software usage.
X. Analyst Notes
The convergence of near-zero-day exploitation and AI-supply-chain vulnerabilities signals a paradigm shift: adversaries now weaponize disclosures faster than many patch cycles, while simultaneously targeting emerging AI frameworks. We anticipate a rise in “AI-poisoning” attacks—where malicious model training data or compromised LLM libraries facilitate stealthy persistence. The continued use of stolen certificates to sign kernel-mode payloads suggests that driver attestation alone is insufficient; behavioral analysis and runtime integrity checks will be critical. Organizations should prepare for a landscape where the distinction between legitimate and malicious code blurs further, requiring zero-trust architectures and continuous validation.
XI. CONTACT INFORMATION
For further inquiries or guidance regarding this report, please contact the Meraal Cyber Security (MCS) Threat Intelligence Team.
Note on Sources and Intelligence: This report synthesizes information from various credible sources, including public advisories from organizations like CISA, MITRE, and MS-ISAC, alongside internal analysis and emerging threat intelligence. Efforts have been made to differentiate between confirmed intelligence and speculative or unverified information to maintain accuracy and credibility.