Daily Brief
Find articles below; see 'DETAILS' for generated summaries
Total articles found: 12611
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-12-30 08:40:18 | thehackernews | NATION STATE ACTIVITY | Mustang Panda Deploys New TONESHELL Backdoor via Kernel-Mode Rootkit | Mustang Panda, a Chinese hacking group, has introduced a kernel-mode rootkit to deliver TONESHELL, a backdoor targeting government entities in Southeast and East Asia, including Myanmar and Thailand. Kaspersky's analysis reveals the rootkit uses a stolen digital certificate to register as a minifilter driver, enhancing its ability to inject backdoor trojans and protect malicious files. The TONESHELL implant, featuring reverse shell and downloader capabilities, is part of a broader campaign using a command-and-control infrastructure established in September 2024. The attack leverages a digital certificate from Guangzhou Kingteller Technology Co., Ltd, suggesting the use of a leaked or stolen certificate for malicious purposes. The rootkit's design allows it to bypass security checks by operating at a lower altitude in the I/O stack than antivirus components, ensuring stealthy operation. Memory forensics is crucial for detecting TONESHELL infections, as the shellcode executes entirely in memory, making traditional detection methods less effective. This development marks a strategic evolution in Mustang Panda's tactics, enhancing the stealth and resilience of their cyber espionage operations. Organizations in the targeted regions should prioritize advanced threat detection and response measures to mitigate potential impacts from such sophisticated attacks. | Details |
| 2025-12-30 03:37:51 | theregister | DATA BREACH | Korea Telecom's Femtocell Flaws Lead to Extensive Customer Data Exposure | South Korea's Ministry of Science and ICT discovered that Korea Telecom's unsecured femtocells exposed customer communications and enabled micropayment fraud over several years. Thousands of femtocells lacked root passwords, stored keys in plaintext, and were remotely accessible, allowing attackers to clone devices and access KT's network. A single certificate, valid for ten years, was used across all devices, facilitating widespread exploitation by cybercriminals. Attackers exploited these vulnerabilities to conduct micropayment fraud, with 368 customers affected and transactions totaling $169,000. Evidence suggests that large-scale data collection and surveillance were primary motives, with fraud merely exposing the broader security lapse. The breach involved a sophisticated criminal network, leading to the arrest of 13 individuals, while the alleged leader remains at large. South Korean authorities have mandated that KT allow customers to terminate contracts without penalties due to the breach. This incident adds to South Korea's ongoing cybersecurity challenges, including data leaks and persistent threats from North Korea. | Details |
| 2025-12-30 00:09:58 | bleepingcomputer | NATION STATE ACTIVITY | Chinese Mustang Panda Group Deploys Stealthy ToneShell Rootkit | Mustang Panda, a Chinese state-sponsored group, has been using a new ToneShell backdoor variant in cyberespionage campaigns, targeting government entities in Myanmar, Thailand, and other Asian countries. Kaspersky's analysis revealed the use of a kernel-mode loader, ProjectConfiguration.sys, which employs a stolen certificate, enhancing the malware's stealth and persistence. The rootkit leverages mini-filter drivers to evade detection, blocking file operations and protecting registry keys against security software interference. ToneShell's latest variant incorporates a new host identification scheme and network traffic obfuscation, complicating detection and analysis efforts. The malware's advanced techniques include modifying Microsoft Defender's configuration and shielding user-mode payloads from monitoring. Kaspersky provides indicators of compromise (IoCs) to assist organizations in identifying and mitigating Mustang Panda intrusions. This development signals an evolution in Mustang Panda's tactics, enhancing their operational stealth and resilience against security measures. | Details |
| 2025-12-29 22:28:46 | bleepingcomputer | DATA BREACH | Coupang Allocates $1.17 Billion for Massive Data Breach Compensation | Coupang, South Korea's largest retailer, will distribute $1.17 billion to 33.7 million customers affected by a significant data breach discovered last month. Compensation includes four single-use purchase vouchers per customer, covering various Coupang services, starting January 15, 2026. The breach, one of South Korea's worst, exposed names, email addresses, physical addresses, and order details, prompting a national police investigation. Authorities identified a 43-year-old former IT employee from China as the primary suspect, who accessed 33 million accounts but retained data from only 3,000. Coupang collaborated with Mandiant, Palo Alto Networks, and Ernst & Young to investigate, recovering the suspect's hard drives and a discarded MacBook Air. The suspect did not transfer the data to others and deleted it from his devices, according to current investigation findings. Coupang's response aims to restore customer trust and address the breach's impact on its operations and reputation in the South Korean market. | Details |
| 2025-12-29 21:23:16 | theregister | DATA BREACH | Coinbase Insider Arrested for Selling Customer Data to Cybercriminals | Hyderabad police arrested a former Coinbase customer service agent for allegedly selling customer data to cybercriminals, as announced by Coinbase CEO Brian Armstrong. The breach involved the theft of nearly 70,000 customer records, including personal information and limited corporate data, but no 2FA codes or wallet access were compromised. Criminals used the stolen data to impersonate Coinbase employees, tricking users into handing over cryptocurrency and attempting to extort the company for $20 million. Coinbase has established a $20 million reward fund for information leading to the arrest and conviction of those responsible, rather than paying the ransom. Criticism has surfaced regarding Coinbase's decision to outsource customer service to overseas agents, which some argue increased vulnerability to bribery and data theft. Coinbase's past customer service issues, including account takeover attacks, have been noted, raising concerns about the company's response to security incidents. A separate investigation led to the arrest of Ronald Spektor, accused of a social engineering scam that defrauded Coinbase users of nearly $16 million. Despite similarities, Coinbase clarified that the Spektor case is unrelated to the overseas customer service bribery incident. | Details |
| 2025-12-29 19:26:35 | theregister | DATA BREACH | Conde Nast Faces Major Data Breach Impacting Wired Subscribers | Extortion group Lovely claims responsibility for breaching Conde Nast, exposing 2.3 million Wired subscriber emails and personal details. The breach includes names, home addresses, phone numbers, and potentially sensitive user data, raising privacy concerns for affected individuals. Lovely alleges Conde Nast ignored their initial warning about security vulnerabilities, prompting the group to release the data on Christmas Day. Security researchers confirmed the breach's authenticity, linking it to infostealer malware techniques, suggesting a sophisticated attack vector. The breach poses risks of doxxing, swatting, and phishing for affected subscribers, though no credit card information was compromised. Conde Nast has yet to respond publicly to the breach, leaving questions about their data protection practices and response strategies. The incident highlights the critical need for timely vulnerability management and robust communication channels with potential threat actors. | Details |
| 2025-12-29 19:26:34 | bleepingcomputer | CYBERCRIME | Lithuanian Hacker Arrested for KMSAuto Clipper Malware Campaign | A Lithuanian national was arrested for distributing clipper malware disguised as the KMSAuto tool, infecting 2.8 million systems globally from April 2020 to January 2023. The malware targeted cryptocurrency transactions by altering clipboard contents, redirecting funds to addresses controlled by the attacker, resulting in $1.2 million stolen. The South Korean police, with Interpol's assistance, extradited the suspect from Georgia after a coordinated investigation that began in August 2020. The investigation revealed the malware targeted at least six cryptocurrency exchanges, affecting 3,100 virtual asset addresses through 8,400 fraudulent transactions. A raid in Lithuania in December 2024 led to the seizure of 22 items, including laptops and mobile phones, providing evidence for the hacker's arrest in April 2025. Authorities caution against using illegal software activators like KMSAuto, which can serve as vectors for malware distribution and pose significant cybersecurity risks. The case underscores the importance of using official software and maintaining robust cybersecurity practices to protect against similar threats. | Details |
| 2025-12-29 16:47:37 | bleepingcomputer | DATA BREACH | Trust Wallet Suffers $7 Million Crypto Theft via Compromised Extension | Trust Wallet reported a $7 million theft affecting nearly 3,000 cryptocurrency wallets due to a compromised browser extension released on December 24, 2025. The breach involved a malicious JavaScript file in version 2.68.0 of the Chrome extension, which exfiltrated sensitive wallet data from users. Trust Wallet's CEO indicated the malicious version bypassed internal checks, likely through a leaked Chrome Web Store API key. In response, Trust Wallet expired all release APIs and reported the exfiltration domain, which was promptly suspended by the registrar. Attackers launched a phishing campaign exploiting the incident, prompting users to provide recovery seed phrases under the guise of security updates. Trust Wallet is actively verifying claims and has started reimbursing affected users, emphasizing the importance of accurate wallet ownership verification. Users are advised to avoid sharing private keys or seed phrases and to verify all communications through official Trust Wallet channels. | Details |
| 2025-12-29 15:00:52 | bleepingcomputer | VULNERABILITIES | OWASP Releases Top 10 Framework for Autonomous AI Security Risks | OWASP introduced the Agentic AI Top 10, focusing on security risks unique to autonomous AI systems, marking a significant step in AI security standardization. The framework addresses risks such as agent goal hijacking, tool misuse, identity abuse, and supply chain vulnerabilities, providing a structured approach for AI security. Real-world incidents include malware exploiting AI hallucinations and malicious code execution in AI assistants, highlighting the urgent need for robust security measures. OWASP's new framework aims to unify security language across teams, enhancing the industry's ability to respond rapidly to evolving AI threats. The report emphasizes the importance of inventorying AI tools, verifying their integrity, and implementing least privilege principles to mitigate potential risks. Organizations are advised to monitor AI agent behavior actively and have rapid response capabilities to address any security breaches effectively. The framework serves as a critical resource for organizations deploying AI agents, offering detailed mitigation strategies to safeguard against emerging threats. | Details |
| 2025-12-29 14:26:41 | bleepingcomputer | DATA BREACH | Former Coinbase Agent Arrested in Major Data Breach Case | A former Coinbase customer service agent in India was arrested for aiding hackers in stealing sensitive customer data from the company's database. The breach affected approximately 69,500 Coinbase customers, compromising personal details such as names, birthdates, partial SSNs, and KYC documents. Hackers demanded a $20 million ransom to prevent the publication of the stolen data, intensifying the financial and reputational risks for Coinbase. The incident was traced back to TaskUs, an outsourced customer support firm, where employees were bribed to grant unauthorized access to Coinbase systems. In response, TaskUs shut down the implicated department, affecting 226 employees, to contain the breach and prevent further unauthorized access. This arrest follows another scam involving a Brooklyn-based individual who defrauded Coinbase customers out of $16 million by impersonating the company. The breach underscores the critical need for robust internal controls and vigilant monitoring of third-party service providers to safeguard customer data. | Details |
| 2025-12-29 14:26:41 | bleepingcomputer | CYBERCRIME | Gentlemen Ransomware Disrupts Major Romanian Energy Provider Operations | Oltenia Energy Complex, Romania's largest coal-based energy producer, suffered a ransomware attack, disrupting IT infrastructure and encrypting critical files and applications. The attack temporarily disabled ERP systems, document management, email services, and the company website, impacting operations but not threatening the national energy system. The company initiated recovery efforts immediately, rebuilding systems with backups, and is assessing potential data theft prior to encryption. Authorities, including the National Cyber Security Directorate and the Ministry of Energy, have been notified, and a criminal complaint was filed with DIICOT. Gentlemen ransomware, active since August, uses compromised credentials for network access and has listed numerous victims but not yet Oltenia, indicating possible ransom negotiations. This incident follows a recent ransomware attack on Romanian Waters, highlighting a pattern of cyber threats targeting Romanian infrastructure. Previous attacks on Romanian entities, such as Electrica Group and healthcare systems, underscore the ongoing vulnerability of critical infrastructure to ransomware threats. | Details |
| 2025-12-29 13:39:42 | thehackernews | VULNERABILITIES | MongoDB's New Vulnerability Poses Significant Data Leak Risks Globally | A critical vulnerability, CVE-2025-14847, in MongoDB has been actively exploited, affecting over 87,000 instances worldwide, with a CVSS score of 8.7. The flaw, named MongoBleed, allows unauthenticated attackers to remotely leak sensitive data from MongoDB server memory. Impacted countries include the U.S., China, Germany, India, and France, with a significant number of vulnerable instances identified. Security experts recommend updating to MongoDB versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30 to mitigate risks. Attack surface management firm Censys reports that 42% of cloud environments contain at least one vulnerable MongoDB instance. The rapid exploitation of this vulnerability underscores the importance of timely patching and proactive vulnerability management. Organizations are advised to assess their MongoDB deployments and prioritize patching to prevent potential data breaches. | Details |
| 2025-12-29 13:10:08 | bleepingcomputer | DATA BREACH | Korean Air Employee Data Compromised in KC&D Supplier Breach | Korean Air reported a data breach affecting thousands of employees following a hack on its former subsidiary, Korean Air Catering & Duty-Free (KC&D). The breach involved the compromise of personal information, including names and bank account numbers, stored in KC&D's ERP system. Approximately 30,000 data records were exfiltrated, with the Clop ransomware group claiming responsibility and publishing the data on their dark web site. Korean Air has alerted authorities and advised employees to be vigilant against phishing attempts impersonating the company or financial institutions. The breach is part of a broader attack series by Clop, which also targeted Oracle EBS instances of multiple global organizations. The U.S. Department of State has issued a $10 million reward for information linking Clop's activities to any foreign government. Korean Air is actively investigating to determine the full scope of the breach and prevent further data misuse. | Details |
| 2025-12-29 11:21:46 | bleepingcomputer | VULNERABILITIES | Fortinet Warns of Continued Exploitation of FortiOS 2FA Bypass Flaw | Fortinet has issued a warning about ongoing exploitation of a critical FortiOS vulnerability, CVE-2020-12812, which allows attackers to bypass two-factor authentication on FortiGate firewalls. This security flaw, identified in FortiGate SSL VPN, enables unauthorized access by altering the case of usernames, bypassing the FortiToken 2FA prompt. The vulnerability affects systems configured with LDAP for remote authentication, where local user entries require 2FA and are linked to LDAP groups. Fortinet released patches in July 2020, but systems remain at risk if updates are not applied or configurations are mismanaged. The FBI and CISA have previously warned about state-backed actors exploiting this and other Fortinet vulnerabilities, emphasizing the need for robust security measures. Organizations are advised to disable username-case-sensitivity or remove unnecessary LDAP groups to mitigate potential exploitation. Fortinet's alert serves as a reminder of the persistent threat posed by unpatched vulnerabilities and the importance of maintaining up-to-date security practices. | Details |
| 2025-12-29 09:49:33 | thehackernews | CYBERCRIME | Malicious npm Packages Exploit Phishing Tactics to Steal Credentials | Cybersecurity researchers have uncovered a spear-phishing campaign using 27 npm packages to target sales and commercial personnel across critical infrastructure sectors in the U.S. and allied nations. The campaign leverages npm and package CDNs as resilient hosting infrastructure, delivering HTML and JavaScript lures that mimic document-sharing portals and Microsoft sign-in pages. Attackers employ advanced anti-analysis techniques, including obfuscation, honeypot form fields, and client-side checks, to evade detection and analysis efforts. The phishing packages hard-code 25 email addresses of individuals in manufacturing, healthcare, and other sectors, indicating a targeted approach to credential theft. The threat actors may have sourced email addresses from international trade shows and open-web reconnaissance, focusing on regional sales staff and local commercial teams. Organizations are advised to enforce strict dependency verification, monitor unusual CDN requests, and implement phishing-resistant multi-factor authentication to mitigate risks. This incident highlights the ongoing threat of malicious software in package repositories, emphasizing the need for vigilance and robust security measures. | Details |