The year opened without a reset. The same pressure carried over, and in some places it tightened. Systems people assume are boring or stable are showing up in the wrong places. Attacks moved quietly, reused familiar paths, and kept working longer than anyone wants to admit.
This week’s stories share one pattern. Nothing flashy. No single moment. Just steady abuse of trust — updates, extensions, logins, messages — the things people click without thinking. That’s where damage starts now.
This recap pulls those signals together. Not to overwhelm, but to show where attention slipped and why it matters early in the year.
⚡ Threat of the Week
RondoDox Botnet Exploits React2Shell Flaw — A persistent nine-month-long campaign has targeted Internet of Things (IoT) devices and web applications to enroll them into a botnet known as RondoDox. As of December 2025, the activity has been observed leveraging the recently disclosed React2Shell (CVE-2025-55182, CVSS score: 10.0) flaw as an initial access vector. React2Shell is the name assigned to a critical security vulnerability in React Server Components (RSC) and Next.js that could allow unauthenticated attackers to achieve remote code execution on susceptible devices. According to statistics from the Shadowserver Foundation, there are about 84,916 instances that remain susceptible to the vulnerability as of January 4, 2026, out of which 66,200 instances are located in the U.S., followed by Germany (3,600), France (2,500), and India (1,290).
🔔 Top News
- Trust Wallet Chrome Extension Hack Traced to Shai-Hulud Supply Chain Attack — Trust Wallet revealed that the second iteration of the Shai-Hulud (aka Sha1-Hulud) supply chain outbreak in November 2025 was likely responsible for the hack of its Google Chrome extension, ultimately resulting in the theft of approximately $8.5 million in assets. “Our Developer GitHub secrets were exposed in the attack, which gave the attacker access to our browser extension source code and the Chrome Web Store (CWS) API key,” the company said. “The attacker obtained full CWS API access via the leaked key, allowing builds to be uploaded directly without Trust Wallet’s standard release process, which requires internal approval/manual review.” The unknown threat actors are said to have registered a domain to exfiltrate users’ wallet mnemonic phrases. Koi’s analysis found that directly querying the server to which the data was exfiltrated returned the response “He who controls the spice controls the universe,” a Dune reference that echoes similar references observed in the Shai-Hulud npm incident. There is evidence to suggest that preparations for the hack were underway since at least December 8, 2025.
- DarkSpectre Linked to Massive Browser Extension Campaigns — A newly uncovered Chinese threat group, DarkSpectre, has been linked to one of the most widespread browser-extension malware operations discovered to date, compromising more than 8.8 million users of Chrome, Edge, Firefox, and Opera over the past seven years. DarkSpectre’s structure differs from that of traditional cybercrime operations. The group has been found to run disparate but interconnected malware clusters, each with distinct goals. The ShadyPanda campaign, responsible for 5.6 million infections, focuses on long-term user surveillance and e-commerce affiliate fraud. The second campaign, GhostPoster, spreads via Firefox and Opera extensions that conceal malicious payloads in PNG images via steganography. After lying dormant for several days, the extensions extract and execute JavaScript hidden within images, enabling stealthy remote code execution. This campaign has affected over one million users and relies on domains like gmzdaily.com and mitarchive.info for payload delivery. The most recent discovery, The Zoom Stealer, exposes around 2.2 million users to corporate espionage. The discovery reveals a highly organized criminal organization that has devoted itself to steadily churning out legitimate-looking browser extensions that sneak in malicious code.
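The GhostPoster item above says the extensions hid JavaScript inside PNG images and extracted it only after a dormancy period. The page gives no detail of how the payload is embedded, so the following is an added example, not code from the researchers or from the page, showing a defender's triage check for two common hiding spots that such a report would make an analyst look for: bytes appended after the image's IEND chunk, and script-like text in tEXt/zTXt chunks. It also flags chunk types outside the standard set and bad CRCs. The PNG images it scans are constructed inside the script; the chunk set, the script markers and the hiding spots are assumptions for illustration.

```python
"""Triage PNG files bundled with a browser extension for hidden payloads (constructed example)."""
import struct
import sys
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG spec plus eXIf; anything else is worth a second look.
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME", b"eXIf",
}
# Crude markers of JavaScript-like content; a heuristic, not a parser (assumption).
SCRIPT_MARKERS = (b"function(", b"=>", b"eval(", b"chrome.runtime", b"fetch(")


def make_chunk(ctype, payload):
    """Encode one PNG chunk: length, type, payload, CRC over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def parse_png(data):
    """Return (chunks, end_offset); chunks are (type, payload, crc_ok) up to IEND."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while True:
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(payload) != length or len(crc_bytes) != 4:
            raise ValueError("truncated chunk")
        expected = zlib.crc32(ctype + payload) & 0xFFFFFFFF
        crc_ok = struct.unpack(">I", crc_bytes)[0] == expected
        chunks.append((ctype, payload, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            return chunks, pos


def text_content(ctype, payload):
    """Textual part of a tEXt or zTXt chunk (iTXt is skipped to keep this short)."""
    if ctype == b"tEXt":
        return payload.split(b"\0", 1)[-1]
    if ctype == b"zTXt":
        _, _, rest = payload.partition(b"\0")  # rest[0] is the compression method byte
        try:
            return zlib.decompress(rest[1:])
        except zlib.error:
            return rest
    return b""


def find_anomalies(data):
    """List (finding, detail) pairs; an empty list means nothing suspicious was seen."""
    chunks, end = parse_png(data)
    findings = []
    trailer = data[end:]
    if trailer:
        findings.append(("trailing_bytes_after_IEND", len(trailer)))
        if any(m in trailer for m in SCRIPT_MARKERS):
            findings.append(("script_like_trailer", len(trailer)))
    for ctype, payload, crc_ok in chunks:
        name = ctype.decode("latin-1")
        if not crc_ok:
            findings.append(("bad_crc", name))
        if ctype not in KNOWN_CHUNKS:
            findings.append(("unknown_chunk", name))
        if any(m in text_content(ctype, payload) for m in SCRIPT_MARKERS):
            findings.append(("script_like_text_chunk", name))
    return findings


def build_sample(trailing=b"", extra_chunks=()):
    """Construct a valid 1x1 grayscale PNG, optionally with extra chunks and a trailer."""
    body = PNG_SIGNATURE
    body += make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    for ctype, payload in extra_chunks:
        body += make_chunk(ctype, payload)
    body += make_chunk(b"IDAT", zlib.compress(b"\x00\x00"))  # filter byte + one pixel
    body += make_chunk(b"IEND", b"")
    return body + trailing


# Constructed samples: a clean image, and one carrying script-like text and a trailer.
TRAILER = b"/* constructed stage-2 */ (function(){ return 1; })();"
TEXT_CHUNK = (b"tEXt", b"Comment\0var x = function(){};")
CLEAN_PNG = build_sample()
SUSPICIOUS_PNG = build_sample(trailing=TRAILER, extra_chunks=[TEXT_CHUNK])

if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        print("clean sample:", find_anomalies(CLEAN_PNG))
        print("suspicious sample:", find_anomalies(SUSPICIOUS_PNG))
    for path in paths:
        with open(path, "rb") as fh:
            print(path, find_anomalies(fh.read()))
```

Run with no arguments to see the constructed samples, or pass image paths from an unpacked extension directory. A hit is a reason to look closer, not proof of malice: legitimate tools do append metadata after IEND, so treat the output as a triage queue.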
- U.S. Treasury Lifts Sanctions on 3 Individuals Connected to Intellexa — The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) removed three individuals linked to the Intellexa Consortium, the holding company behind a commercial spyware known as Predator, from the specially designated nationals list. They included Merom Harpaz, Andrea Nicola Constantino Hermes Gambazzi, and Sara Aleksandra Fayssal Hamou. In a statement shared with Reuters, the Treasury said the removal “was done as part of the normal administrative process in response to a petition request for reconsideration.” The department added that the individuals had “demonstrated measures to separate themselves from the Intellexa Consortium.”
- Silver Fox Strikes India with Tax Lures — The Chinese cybercrime group known as Silver Fox has turned its focus to India, using income tax-themed lures in phishing campaigns to distribute a modular remote access trojan called ValleyRAT (aka Winos 4.0). In the campaign, phishing emails containing decoy PDFs purported to be from India’s Income Tax Department are used to deploy ValleyRAT, a variant of Gh0st RAT that implements a plugin-oriented architecture to extend its functionality in an ad hoc manner, thereby allowing its operators to deploy specialized capabilities to facilitate keylogging, credential harvesting, and defense evasion. The disclosure came as a link management panel associated with Silver Fox was identified as being used to keep track of the web pages used to deliver fake installers containing ValleyRAT and the number of clicks to download the installers. An analysis of the origin IP addresses that have clicked on the download links has revealed that at least 217 clicks originated from China, followed by the U.S. (39), Hong Kong (29), Taiwan (11), and Australia (7).
- Mustang Panda Uses Rootkit Driver to Deliver TONESHELL — The Chinese hacking group known as Mustang Panda (aka HoneyMyte) leveraged a previously undocumented kernel-mode rootkit driver to deliver a new variant of backdoor dubbed TONESHELL in a cyber attack detected in mid-2025 targeting an unspecified entity in Asia. The main objective of the driver is to inject a backdoor trojan into the system processes and provide protection for malicious files, user-mode processes, and registry keys. The final payload deployed as part of the attack is TONESHELL, an implant with reverse shell and downloader capabilities to fetch next-stage malware onto compromised hosts. The use of TONESHELL has been attributed to Mustang Panda since at least late 2022. The command-and-control (C2) infrastructure used for TONESHELL is said to have been erected in September 2024, although there are indications that the campaign itself did not commence until February 2025.
🔥 Trending CVEs
Hackers act fast. They can use new bugs within hours. One missed update can cause a big breach. Here are this week’s most serious security flaws. Check them, fix what matters first, and stay protected.
This week’s list includes — CVE-2025-13915 (IBM API Connect), CVE-2025-52691 (SmarterTools SmarterMail), CVE-2025-47411 (Apache StreamPipes), CVE-2025-48769 (Apache NuttX RTOS), CVE-2025-14346 (WHILL Model C2 Electric Wheelchairs and Model F Power Chairs), CVE-2025-52871, CVE-2025-53597 (QNAP), CVE-2025-59887, and CVE-2025-59888 (Eaton UPS Companion).
📰 Around the Cyber World
- 200 Security Incidents Target Crypto in 2025 — According to “incomplete statistics” from blockchain security firm SlowMist, 200 security breaches occurred last year, impacting the crypto community, resulting in losses of around $2.935 billion. “In comparison, 2024 saw 410 incidents with around $2.013 billion in losses,” the company said. “While the number of incidents declined year-over-year, the total amount of losses increased by approximately 46%.”
- PyPI Says 52% of Active Users Have 2FA Enabled — The Python Software Foundation said 52% of active PyPI users are now using two-factor authentication to secure their accounts, and that more than 50,000 projects are using trusted publishing. Some of the other notable security measures rolled out in the Python Package Index (PyPI) include warning users about untrusted domains, preventing attacks involving malicious ZIP files, flagging potential typosquatting attempts during project creation, periodically checking for expired domains to prevent domain resurrection attacks, and prohibiting registrations from specific domains that were a source of abuse.
- TikTok Takes Down Influence Network Targeting Hungary — TikTok said it took down a network of 95 accounts with 131,342 followers that operated from Hungary and targeted audiences in the country. “The individuals behind this network created inauthentic accounts in order to amplify narratives favorable to the Fidesz political party,” the social media platform said. “The network was found to coordinate across multiple online platforms.”
- Handala Team Breaches Telegram Account of Israeli Officials — The pro-Iranian group known as Handala broke into the Telegram accounts of two prominent Israeli political figures, including former Prime Minister Naftali Bennett and Tzachi Braverman, Netanyahu’s Chief of Staff. “The most probable attack vectors include social engineering or spear phishing targeting passwords and OTPs, the exfiltration of Telegram Desktop session files (tdata) from compromised workstations, or unauthorized access to cloud backups,” KELA said. “While the scope of the breach was likely exaggerated by Handala, the incident highlights the critical need for session management and MFA, even on ‘secure’ messaging apps.” In late November 2025, the group also published a list of Israeli high-tech and aerospace professionals, misleadingly describing them as criminals.
- Flaws in Bluetooth Headphones Using Airoha Chips Detailed — More details have emerged about three vulnerabilities impacting Bluetooth headphones using Airoha chips: CVE-2025-20700, CVE-2025-20701, and CVE-2025-20702. The flaws impacted headphones from Sony, Marshall, JBL, and Beyerdynamic, and were patched back in June. The issues could be exploited by an attacker in physical proximity to silently connect to a pair of headphones via BLE or Classic Bluetooth, exfiltrate the flash memory of the headphones, and extract the Bluetooth Link Key. This, in turn, allows the attacker to impersonate a “Bluetooth” device, connect to a target’s phone, and interact with it from the privileged position of a trusted peripheral, including even eavesdropping on conversations and extracting call history and stored contacts.
- Ransomware Turns Breaches into Bidding Wars — Ransomware’s evolution from digital extortion into a “structured, profit-driven criminal enterprise” has paved the way for an ecosystem that not only attempts to ransom stolen data, but also monetizes for maximum profit by selling it to the highest bidder through data auctions. “By opening additional profit streams and attracting more participants, these actors are amplifying both the frequency and impact of ransomware operations,” Rapid7 said. “The rise of data auctions reflects a maturing underground economy, one that mirrors legitimate market behavior, yet drives the continued expansion and professionalization of global ransomware activity.”
🎥 Cybersecurity Webinars
- Defeating “Living off the Land”: Proactive Security for 2026 – To stay ahead of evolving threats, defenders must move beyond traditional file-based detection toward proactive, AI-powered visibility. This session reveals how to catch “living off the land” and fileless attacks that use legitimate system tools to bypass legacy security. You’ll learn how to secure developer workflows and encrypted traffic using Zero Trust principles, ensuring that even the most stealthy, binary-less threats are neutralized before they reach your endpoints.
- How to Scale AI Agents Without Scaling Your Attack Surface – As developers use AI agents like Claude Code and Copilot to ship code at warp speed, they are unknowingly introducing new risks through unmanaged “MCP” servers and hidden API keys. This webinar explains how to secure these autonomous tools before they become backdoors for data theft or remote attacks. Join us to learn how to identify malicious tools in your environment and enforce the security policies needed to keep your organization fast but safe.
- Scaling