
BagheeraAltered's CyberSecurity Newsletter

December 15, 2025

CyberSecurity Newsletter 15th December 2025

In this week’s news: AI conversations were inserted in Google search results to mislead macOS users into installing the Atomic macOS Stealer, Apple has released emergency updates to patch two zero-day vulnerabilities, the RaaS offering VolkLocker has a vulnerability allowing users to decrypt files without paying an extortion fee, a 16TB database exposed 4.3B professional records, Germany summoned Russia’s ambassador over alleged cyberattacks on air traffic control, fake Microsoft Teams and Google Meet downloads spread the Oyster backdoor, CISA has urged federal agencies to patch the recent React2Shell vulnerability, and 40,000 phishing emails were disguised as SharePoint and e-signing services.


North Korean cybercriminals have stolen more than $300 million worth of cryptocurrency by tricking victims through fake Zoom meetings, according to a report by Cointelegraph. Cybersecurity nonprofit Security Alliance (SEAL) says it is now detecting multiple such scam attempts every single day.
https://bigbreakingwire.in/north-korean-hackers-steal-over-300-million-using-fake-zoom-meetings/

Apple has released emergency updates to patch two zero-day vulnerabilities that were exploited in an “extremely sophisticated attack” targeting specific individuals. The zero-days are tracked as CVE-2025-43529 and CVE-2025-14174 and were both issued in response to the same reported exploitation.
https://www.bleepingcomputer.com/news/security/apple-fixes-two-zero-day-flaws-exploited-in-sophisticated-attacks/

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged federal agencies to patch the recent React2Shell vulnerability by December 12, 2025, amid reports of widespread exploitation. The critical vulnerability, tracked as CVE-2025-55182 (CVSS score: 10.0), affects the React Server Components (RSC) Flight protocol.
https://thehackernews.com/2025/12/react2shell-exploitation-escalates-into.html

The pro-Russian hacktivist group known as CyberVolk (aka GLORIAMIST) has resurfaced with a new ransomware-as-a-service (RaaS) offering called VolkLocker that suffers from implementation lapses in test artifacts, allowing users to decrypt files without paying an extortion fee.
https://thehackernews.com/2025/12/volklocker-ransomware-exposed-by-hard.html

A 16TB unsecured MongoDB database exposed about 4.3 billion professional records, mainly LinkedIn-style data, enabling large-scale AI-driven social-engineering attacks. The researcher Bob Diachenko and nexos.ai discovered the unsecured DB on November 23, 2025, and it was secured two days later.
https://securityaffairs.com/185661/data-breach/experts-found-an-unsecured-16tb-database-containing-4-3b-professional-records.html

The German government announced it has clear evidence linking an August 2024 cyberattack on Deutsche Flugsicherung, the country’s air traffic control authority, to the Russia-nexus group APT28 (aka UAC-0001, Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM).
https://securityaffairs.com/185650/apt/germany-calls-in-russian-ambassador-over-air-traffic-control-hack-claims.html

Cybercriminals are tricking users into downloading malware disguised as popular office tools like Microsoft Teams and Google Meet. This dangerous campaign is mainly targeting those in the financial world and has been active since mid-November 2025, according to a new report from cybersecurity experts at CyberProof.
https://hackread.com/fake-microsoft-teams-google-meet-download-oyster-backdoor/

Researchers have found evidence that AI conversations were inserted in Google search results to mislead macOS users into installing the Atomic macOS Stealer (AMOS). Both Grok and ChatGPT were found to have been abused in these attacks.
https://www.malwarebytes.com/blog/news/2025/12/google-ads-funnel-mac-users-to-poisoned-ai-chats-that-spread-the-amos-infostealer

Email security researchers at Check Point have recently uncovered a phishing campaign where attackers impersonate file-sharing and e-signature services to deliver finance-themed lures that look like legitimate notifications.
https://blog.checkpoint.com/email-security/40000-phishing-emails-disguised-as-sharepoint-and-and-e-signing-services-a-new-wave-of-finance-themed-scams/

An email scam is abusing PayPal’s "Subscriptions" billing feature to send legitimate PayPal emails that contain fake purchase notifications embedded in the Customer service URL field. Over the past couple of months, people have reported [1, 2] receiving emails from PayPal stating, "Your automatic payment is no longer active."

The email includes a customer service URL field that was somehow modified to include a message stating that you purchased an expensive item, such as a Sony device, MacBook, or iPhone.
https://www.bleepingcomputer.com/news/security/beware-paypal-subscriptions-abused-to-send-fake-purchase-emails/

