
Malware Activity
Malware via Fake Movie Torrents and Reemerging Ransomware Groups
Cybercriminals are increasingly using popular movies as lures to spread malware; recent cases involve fake torrents of Leonardo DiCaprio’s upcoming film, “One Battle After Another.” The malicious files hide scripts that, when run, install remote access tools such as AgentTesla, allowing attackers to steal sensitive information such as passwords and screenshots. The attack uses encrypted scripts and hidden files to evade detection, an indication that the operators’ methods are becoming more sophisticated. Meanwhile, the pro-Russian hacking group CyberVolk, also known as GLORIAMIST, has resurfaced with a new ransomware called VolkLocker. This ransomware targets both Windows and Linux systems, encrypting files and deleting backups, but has a major flaw: the encryption keys are stored in the open, so anyone can decrypt affected files without paying. The group sells the ransomware on Telegram for hundreds to thousands of dollars and has expanded its activities to include remote access tools and keyloggers. Despite efforts to shut down its channels, CyberVolk remains active, showing how politically motivated hackers continue to adapt and rely on accessible platforms for their operations. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
- BleepingComputer: Fake ‘One Battle After Another’ Torrent Hides Malware In Subtitles article
- TheHackerNews: VolkLocker Ransomware Exposed By Hard-Coded Master Key Allowing Free Decryption article
Threat Actor Activity
Google Threat Intelligence Group Links More Groups to Recent React2Shell Vulnerability Exploits
Google’s Threat Intelligence Group (GTIG) has identified five (5) additional Chinese hacking groups exploiting the severe “React2Shell” remote code execution vulnerability, tracked as CVE-2025-55182 (covered in last week’s report, CTIX FLASH – December 10, 2025). This flaw affects the React JavaScript library, enabling attackers to execute arbitrary code in React and Next.js applications with a single HTTP request. Vulnerable versions include React 19.0, 19.1.0, 19.1.1, and 19.2.0. Following disclosure of the vulnerability, Palo Alto Networks reported breaches at multiple organizations in which attackers stole AWS configuration files and credentials. AWS security warned that the China-linked groups Earth Lamia and Jackpot Panda quickly began exploiting React2Shell. GTIG has now attributed activity to five (5) more Chinese cyber-espionage groups: UNC6600, UNC6586, UNC6588, UNC6603, and UNC6595. GTIG also noted widespread discussion of the vulnerability in underground forums, including shared links to scanning tools and proof-of-concept code. Iranian threat actors and financially motivated attackers have also targeted the flaw, deploying the XMRig cryptocurrency miner on unpatched systems. Shadowserver reports that it is tracking more than 116,000 IP addresses vulnerable to React2Shell, the majority of them in the U.S. GreyNoise observed more than 670 IP addresses attempting exploitation in the past 24 hours, from countries including the U.S., India, and China. Cloudflare attributed a global website outage to emergency mitigations for this vulnerability.
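With exploitation this widespread, the first defensive step is knowing which applications pin an affected React version. The Python script below is an added example, not code from the briefing, Google, or the React project: it reads an npm `package-lock.json` (lockfileVersion 2 or 3) and reports every installed copy of `react`, including nested copies, whose version matches one of the versions the briefing lists. Assumptions: the briefing's "19.0" is taken to mean 19.0.0; only the package name `react` is inventoried, since that is the only package the briefing names, and the `WATCHED_PACKAGES` set is there to be extended; the sample lockfile is constructed for the demonstration. Because the briefing says vulnerable versions "include" those four, a clean result here is a starting point, not a clean bill of health.

```python
"""Inventory check: find installed React versions that the briefing lists as
vulnerable to React2Shell (CVE-2025-55182) in an npm package-lock.json.
Added example; not code from the page, Google, or the React project."""
import json
from pathlib import Path

# Versions named in the briefing; "19.0" is assumed to mean 19.0.0.
VULNERABLE_REACT_VERSIONS = {"19.0.0", "19.1.0", "19.1.1", "19.2.0"}
# Packages to inventory. The briefing names only React itself; extend as needed.
WATCHED_PACKAGES = {"react"}


def normalize(version: str) -> str:
    """Pad a dotted version to three components so "19.0" compares as "19.0.0"."""
    parts = version.strip().split(".")
    while len(parts) < 3:
        parts.append("0")
    return ".".join(parts[:3])


def package_name(lock_key: str) -> str:
    """lockfileVersion 2/3 keys look like "node_modules/react" or
    "node_modules/next/node_modules/react"; the name follows the last "node_modules/"."""
    return lock_key.rsplit("node_modules/", 1)[-1]


def find_vulnerable_react(lock: dict) -> list[dict]:
    """Return every watched package entry whose version is in the vulnerable set."""
    hits = []
    for key, meta in lock.get("packages", {}).items():
        if key == "":  # the root project entry, not a dependency
            continue
        name = package_name(key)
        version = meta.get("version", "")
        if name in WATCHED_PACKAGES and normalize(version) in VULNERABLE_REACT_VERSIONS:
            hits.append({"path": key, "name": name, "version": version})
    return hits


def scan_lockfile(path) -> list[dict]:
    """Load a package-lock.json from disk and check it."""
    with open(Path(path), encoding="utf-8") as fh:
        return find_vulnerable_react(json.load(fh))


# Constructed sample lockfile: a top-level React at a listed version and a
# nested, older copy pulled in by some tool (version values are illustrative).
SAMPLE_LOCK = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "dependencies": {"react": "^19.1.0"}},
        "node_modules/react": {"version": "19.1.1"},
        "node_modules/react-dom": {"version": "19.1.1"},
        "node_modules/some-tool/node_modules/react": {"version": "18.3.1"},
    },
}


if __name__ == "__main__":
    for hit in find_vulnerable_react(SAMPLE_LOCK):
        print(f"{hit['path']}: {hit['name']}@{hit['version']} is a listed vulnerable version")
```

On the constructed lockfile only the top-level `react@19.1.1` is reported; the nested 18.3.1 copy is not in the listed set. The lockfile rather than `package.json` is checked because semver ranges such as `^19.1.0` do not tell you what was actually installed.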
Vulnerabilities
Coordinated Apple and Google WebKit Zero-Days Exploited in Sophisticated Targeted Attacks
Apple released multiple rounds of emergency security updates across iOS, iPadOS, macOS, Safari, and its broader platform ecosystem to address two (2) actively exploited WebKit zero-day vulnerabilities leveraged in what the company described as “extremely sophisticated” attacks targeting specific individuals running versions of iOS prior to iOS 26. The flaws, tracked as CVE-2025-43529 and CVE-2025-14174, stem from a use-after-free remote code execution (RCE) issue and a high-severity memory corruption vulnerability; both can be triggered via maliciously crafted web content and affect all Apple platforms that rely on WebKit, including third-party browsers on iOS and iPadOS. Apple credited its Security Engineering and Architecture team alongside Google’s Threat Intelligence Group (GTIG) with discovering the issues, and confirmed that CVE-2025-14174 is the same previously undisclosed Chrome zero-day that Google patched in December, identifying it as an out-of-bounds memory access flaw in the shared ANGLE graphics library (evidence of coordinated disclosure and remediation between the two (2) companies). Google, Microsoft, and other Chromium-based browser vendors subsequently issued fixes, reflecting the cross-ecosystem impact of the vulnerability. Although Apple has not released technical details on the attacks, the narrow targeting, WebKit exploitation, and reuse across mobile and desktop platforms strongly align with known commercial spyware tradecraft. These fixes bring Apple’s total number of zero-days exploited in the wild in 2025 to at least nine (9), reinforcing the need for rapid patch adoption across all supported devices. CTIX analysts urge any affected readers to ensure they are running the latest update to prevent exploitation.
- Bleeping Computer: Apple Vulnerabilities Article
- Security Week: Apple Vulnerabilities Article
- The Hacker News: Apple Vulnerabilities Article

© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.