ThreatsDay Bulletin: WhatsApp Hijacks, MCP Leaks, AI Recon, React2Shell Exploit and 15 More Stories

The U.K. government reportedly will “encourage” Apple and Google to prevent phones from displaying nude images except when users verify that they are adults. According to a new report from The Financial Times, the push for nudity-detection won’t be a legal requirement “for now,” but is said to be part of the government’s strategy to tackle violence against women and girls. “The U.K. government wants technology companies to block explicit images on phones and computers by default to protect children, with adults having to verify their age to create and access such content,” the report said. “Ministers want the likes of Apple and Google to incorporate nudity-detection algorithms into their device operating systems to prevent users from taking photos or sharing images of genitalia unless they are verified as adults.”

A new, modular information stealer named SantaStealer is being advertised by Russian-speaking operators on Telegram and underground forums like Lolz. “The malware collects and exfiltrates sensitive documents, credentials, wallets, and data from a broad range of applications, and aims to operate entirely in-memory to avoid file-based detection,” Rapid7 said. “Stolen data is then compressed, split into 10 MB chunks, and sent to a C2 server over unencrypted HTTP.” SantaStealer uses 14 distinct data-collection modules, each running in its own thread and exfiltrating the stolen information. It also uses an embedded DLL to bypass Chrome’s app-bound encryption protections and harvest browser credentials, including passwords, cookies, and saved credit cards from the web browser. Assessed to be a rebranding of BluelineStealer, the malware is available for $175 per month for a basic plan and $300 per month for a premium plan that lets customers edit execution delays and enable clipper functionality to substitute wallet addresses copied to the clipboard with an attacker-controlled one to reroute transactions. The threat actor has been active on Telegram since at least July 2025.

Threat actors leveraging Bulletproof Hosting (BPH) providers move faster than defenders can respond, often migrating operations, re-registering domains, and re-establishing services within hours of takedowns, Silent Push said in a new exhaustive analysis of BPH services. “Without knowledge of where this infrastructure shifts, takedowns lack the permanence they need,” Silent Push said. “And without a coordinated shift in both regulatory pressure and the law-enforcement action aimed at these providers, […] Bulletproof Hosting as a service will continue to thrive – as will the malicious operations built on top of it.”

An analysis of DDoSia’s multi-layered command-and-control (C2) infrastructure has revealed an average of 6 control servers active at any given time. “However, servers typically have a relatively short lifespan — averaging 2.53 days,” Censys said. “Some servers we have observed are active for over a week, but most instances we only see for less than a few hours.” DDoSia is a participatory distributed denial-of-service (DDoS) capability built by Russian hacktivists in 2022, coinciding with the early days of the Russo-Ukrainian war. It’s operated by the pro-Russian hacktivist group NoName057(16), which was taken down earlier this July. It has since made a comeback. Targeting of DDoSia is heavily focused on Ukraine, European allies, and NATO states in government, military, transportation, public utilities, financial, and tourism sectors.

Threat actors are using a new social engineering technique to hijack WhatsApp accounts. The new GhostPairing attack lures victims by sending messages from compromised accounts that contain a link to a Facebook-style preview. Clicking on the link takes the victim to a page that imitates a Facebook viewer and asks them to verify before the content can be served. As part of this step, they are either asked to scan a QR code that will link an attacker’s browser to the victim’s WhatsApp account, granting them unauthorized access to the victim’s account. “To abuse this flow, an attacker would open WhatsApp Web in their own browser, capture the QR code shown there, and embed it into the fake Facebook viewer page. The victim would then be told to open WhatsApp, go to Linked devices, and scan that QR in order to ‘view the photo,'” Gen Digital said. Alternately, they are instructed to enter their phone number on the bogus page, which then forwards that number to WhatsApp’s legitimate “link device via phone number” feature. Once WhatsApp generates a pairing numeric code, it’s relayed back to the fake page, along with instructions to enter the code into WhatsApp to confirm a login. The attack, which abuses the legitimate device-linking feature on the platform, is a variation of a technique that was used by Russian state-sponsored actors to intercept Signal messages earlier this year. To check for any signs of compromise, users can navigate to Settings -> Linked Devices.

Bad actors have been observed hosting videos on the Russian video-sharing platform RuTube that advertise cheats for Roblox, tricking users into clicking on links that lead to Trojan and stealer malware like Salat Stealer. It’s worth noting that similar tactics have been widespread on YouTube.

Microsoft has announced that it’s deprecating RC4 (Rivest Cipher 4) encryption in Kerberos to strengthen Windows authentication. By mid-2026, domain controller defaults will be updated for the Kerberos Key Distribution Center (KDC) on Windows Server 2008 and later to only allow AES-SHA1 encryption. RC4 will be disabled by default and only used in scenarios where a domain administrator explicitly configures an account or the KDC to use it. “RC4, once a staple for compatibility, is susceptible to attacks like Kerberoasting that can be used to steal credentials and compromise networks,” the company said. “It is crucial to discontinue using RC4.” The decision also comes after U.S. Senator Ron Wyden called on the U.S. Federal Trade Commission (FTC) to investigate the company over its use of the obsolete cipher.

Serbian police have detained two Chinese nationals for driving around with an improvised IMSI catcher in their car that functioned as a fake mobile base station. The pair is alleged to have sent SMS phishing messages that tricked people into visiting phishing sites that masqueraded as mobile operators, government portals, and large companies to collect payment card details. The captured card data was later abused overseas to pay for goods and services. The names of the arrested individuals were not disclosed. But they are suspected to be part of an organized criminal group.

New research from Bitsight has found roughly 1,000 Model Context Protocol (MCP) servers exposed on the internet with no authorization in place and leaking sensitive data. Some of them could allow management of a Kubernetes cluster and its pods, access to a Customer Relationship Management (CRM) tool, send WhatsApp messages, and even achieve remote code execution. “While Anthropic authored the MCP specification, it’s not their job to enforce how every server handles authorization,” Bitsight said. “Because authorization is optional, it’s easy to skip it when moving from a demo to a real-world deployment, potentially exposing sensitive tools or data. Many MCP servers are designed for local use, but once one is exposed over HTTP, the attack surface expands dramatically.” To counter the risk, it’s essential that users do not expose MCP servers unless it’s absolutely necessary and implement OAuth protections for authorization. The development comes as exposure management company Intruder revealed that a scan of approximately 5 million single-page applications found more than 42,000 tokens exposed in their code. The tokens span 334 types of secrets.

A phishing campaign impersonating the Income Tax Department of India has been found using themes related to alleged tax irregularities to create a false sense of urgency and deceive users into clicking on malicious links that deploy legitimate remote access tools like LogMeIn Resolve (formerly GoTo Resolve) that grant attackers unauthorized control over compromised systems. “The campaign delivered a two-stage malware chain consisting of a shellcode-based RAT loader packaged in a ZIP file and a rogue remote administration executable disguised as a GoTo Resolve updater,” Raven AI said. “Traditional Secure Email Gateway defenses failed to detect these messages because the sender authenticated correctly, the attachments were password-protected, and the content imitated real government communication.”

India’s Central Bureau of Investigation (CBI) said it disrupted a large cyber fraud setup that was being used to send phishing messages across the country with the goal of tricking people into bogus schemes like fake digital arrests, loan scams, and investment frauds. Three people have been arrested in connection with the case under Operation Chakra V. The investigation identified an organized cyber gang operating from the National Capital Region (NCR) and the Chandigarh area that managed to obtain around 21,000 SIM cards in violation of the Department of Telecommunications (DoT) rules. “This gang was providing bulk SMS services to cyber criminals,” the CBI said. “It was found that even foreign cyber criminals were using this service to cheat Indian citizens. These SIM cards were controlled through an online platform to send bulk messages. The messages offered fake loans, investment opportunities, and other financial benefits, with the aim of stealing personal and banking details of innocent people.” Separately, the agency also filed charges against 17 individuals, including four foreign nationals and 58 companies, in connection with an organized transnational cyber fraud network operating across multiple States in India. “The cyber criminals adopted a highly layered and technology-driven modus operandi, involving the use of Google advertisements, bulk SMS campaigns, SIM box-based messaging systems, cloud infrastructure, fintech platforms, and multiple mule bank accounts,” the CBI said. “Each stage of the operation—from luring victims to collection and movement of funds—was deliberately structured to conceal the identities of the actual controllers and evade detection by law enforcement agencies.”

StrikeReady Labs has disclosed details of a phishing campaign that has targeted Transnistria’s governing body with a credential phishing email attachment by spoofing the Pridnestrovian Moldavian Republic. The HTML attachment shows a blurred decoy document along with a pop-up that prompts victims to enter their credentials. The entered information is transmitted to an attacker-controlled server. The campaign is believed to be active since at least 2023. Other targets likely include entities in Ukraine, Bosnia and Herzegovina, Macedonia, Montenegro, Spain, Lithuania, Bulgaria, and Moldova.

A new wave of ClickFix attacks has leveraged fake CAPTCHA checks that trick users into pasting in the Windows Run dialog, which runs the finger.exe tool to retrieve malicious PowerShell code. The attacks have been attributed to clusters tracked as KongTuke and SmartApeSG. The decades-old finger command is used to look up information about local and remote users on Unix and Linux systems via the Finger protocol. It was later added to Windows systems. In another ClickFix attack detected by Point Wild, phony browser notifications prompt users to click “How to fix” or copy-paste a PowerShell command that leads to the deployment of DarkGate malware via a malicious HTA file.

Threat actors are abusing Google’s Application Integration service to send phishing emails from authentic @google.com addresses and bypass SPF, DKIM, and DMARC checks. The technique, according to xorlab, is being used in the wild to target organizations with highly convincing lures mimicking new sign-in alerts for Google accounts, effectively deceiving them into clicking on suspicious links. “To evade detection, attackers use multi-hop redirect chains that bounce through multiple legitimate services,” the company said. “Each hop uses trusted infrastructure — Google, Microsoft, AWS – making the attack difficult to detect or block at any single point. Regardless of the entry point, victims eventually land on the Microsoft 365 login page, revealing the attackers’ primary target: M365 credentials.”

Cato Networks said it observed large-scale reconnaissance and exploitation attempts targeting Modbus devices, including string monitoring boxes that directly control solar panel output. “In such cases, a threat actor with nothing more than an internet connection and a free tool could issue a simple command, ‘SWITCH OFF,’ cutting power on a bright, cloudless day,” the company said. “What once required time, patience, and manual skill can now be scaled and accelerated through automation. With the rise of agentic AI tools, attackers can now automate reconnaissance and exploitation, reducing the time needed to execute such attacks from days to just minutes.”

The fallout from React2Shell (CVE-2025-55182) has continued to spread as multiple threat actors have jumped on the exploitation bandwagon to distribute a wide array of malware. The proliferation of public exploits and stealth backdoors has been complemented by attacks of varying origins and motivations, with cybersecurity firm S-RM revealing that the vulnerability was used as an initial access vector in a Weaxor ransomware attack on December 5, 2025. “This marks a shift from previously reported exploitation,” S-RM said. “It indicates threat actors whose modus operandi involves cyber extortion are also successfully exploiting this vulnerability, albeit on a much smaller scale and likely in an automated fashion.” Weaxor is assessed to be a rebrand of Mallox ransomware. The ransomware binary was dropped and executed on the system within less than one minute of initial access, indicating that this was likely part of an automated campaign. According to Palo Alto Networks Unit 42, more than 60 organizations have been impacted by incidents exploiting the vulnerability. Microsoft said it found “several hundred machines across a diverse set of organizations” that were compromised via React2Shell.