CyberWire Daily - China’s quiet crawl into critical networks.

Episode Date: December 5, 2025

Chinese threat actors deploy Brickstorm malware. The critical React2Shell vulnerability is under active exploitation. Cloudflare's emergency patch triggered a brief global outage. Phishing kits pivot to fake e-commerce sites. The European Commission fines X (Twitter) €120 million for violating the Digital Services Act. Predator spyware has a new bag of tricks. A Russian physicist gets 21 years in prison for cybercrimes. Twin brothers are arrested for allegedly stealing and destroying government data. Our guest is Blair Canavan, Director of Alliances - PKI & PQC Portfolio from Thales, discussing post-quantum cryptography. Smart toilet encryption claims don't hold water.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

Today on our Industry Voices segment, we are joined by Blair Canavan, Director of Alliances - PKI & PQC Portfolio from Thales, discussing post-quantum cryptography (PQC). Listen to Blair's full conversation here.
Selected Reading

Chinese hackers used Brickworm malware to breach critical US infrastructure (TechRadar)
React2Shell critical flaw actively exploited in China-linked attacks (BleepingComputer)
Cloudflare blames today's outage on emergency React2Shell patch (BleepingComputer)
SMS Phishers Pivot to Points, Taxes, Fake Retailers (Krebs on Security)
Threat Spotlight: Introducing GhostFrame, a new super stealthy phishing kit (Barracuda)
EU issues €120 million fine to Elon Musk's X under rules to tackle disinformation (The Record)
Predator spyware uses new infection vector for zero-click attacks (BleepingComputer)
Russian scientist sentenced to 21 years on treason, cyber sabotage charges (The Record)
Twins with hacking history charged in insider data breach affecting multiple federal agencies (CyberScoop)
'End-to-end encrypted' smart toilet camera is not actually end-to-end encrypted (TechCrunch)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? N2K CyberWire helps you reach the industry's most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. We've all been there. You realize your business needs to hire someone yesterday. How can you find amazing candidates fast? Well, it's easy. Just use Indeed. When it comes to hiring, Indeed is all you need. Stop struggling to get your job post
Starting point is 00:00:30 noticed. Indeed's sponsored jobs help you stand out and hire fast. Your post jumps to the top of search results, so the right candidates see it first. And it works. Sponsored jobs on Indeed get 45% more applications than non-sponsored ones. One of the things I love about Indeed is how fast it makes hiring. And yes, we do actually use Indeed for hiring here at N2K CyberWire. Many of my colleagues here came to us through Indeed. Plus, with sponsored jobs, there are no subscriptions, no long-term contracts. You only pay for results. How fast is Indeed?
Starting point is 00:01:08 Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed, according to Indeed data worldwide. There's no need to wait any longer. Speed up your hiring right now with Indeed. And listeners to this show will get a $75 sponsored job credit to get your jobs more visibility at indeed.com/cyberwire. Just go to indeed.com/cyberwire right now and support our show by saying you heard about Indeed on this podcast.
Starting point is 00:01:39 indeed.com/cyberwire. Terms and conditions apply. Hiring? Indeed is all you need. Chinese threat actors deploy Brickstorm malware. The critical React2Shell vulnerability is under active exploitation. Cloudflare's emergency patch triggered a brief global outage. Phishing kits pivot to fake e-commerce sites.
Starting point is 00:02:14 The European Commission fines X (Twitter) 120 million euros for violating the Digital Services Act. Predator spyware has a new bag of tricks. A Russian physicist gets 21 years in prison for cyber crimes. Twin brothers are arrested for allegedly stealing and destroying government data. Our guest is Blair Canavan, Director of Alliances for PKI and PQC portfolio from Thales, discussing post-quantum cryptography. And smart toilet encryption claims don't hold water. It's Friday, December 5th, 2025. I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Starting point is 00:03:17 Thanks for joining us here today. It is great to have you with us. Chinese state-sponsored threat actors are deploying Brickstorm malware to maintain persistent access, steal files, and eavesdrop on government and IT networks worldwide, according to a joint report from CISA, the NSA, and the Canadian Centre for Cyber Security. The agencies analyzed eight samples taken from victim environments. The report says that the People's Republic of China is targeting government and information technology organizations, though it does not identify specific victims.
Starting point is 00:03:56 CrowdStrike separately observed activity against a government entity in the Asia-Pacific region. One investigated intrusion showed PRC actors gaining long-term access to an organization's VMware and Windows systems, compromising domain controllers and an Active Directory Federation Services server to export cryptographic keys. Officials warn the operation reflects China's intent to embed deeply for espionage, disruption, or future sabotage, though China denies the allegations. Multiple China-linked threat actors began exploiting the critical React2Shell vulnerability within hours of its public disclosure.
Starting point is 00:04:39 The flaw is an insecure deserialization issue in the React Server Components Flight protocol that enables unauthenticated remote code execution in React and Next.js applications. Although initially assigned a separate identifier, the Next.js tracking number was rejected as a duplicate. The bug affects several recent React versions, placing thousands of projects at risk. Wiz estimates 39% of observed cloud environments are vulnerable. AWS reports that China-nexus groups Earth Lamia and Jackpot Panda immediately incorporated the flaw into active campaigns, alongside additional activity from unattributed China-based infrastructure.
Starting point is 00:05:25 Attackers are manually testing payloads, running reconnaissance commands, and adjusting exploits in real time. Valid proof-of-concept exploits have been published, increasing risk despite available patches. Researchers have released scanners to help organizations determine exposure. As a follow-on to the React2Shell disclosures, Cloudflare confirmed that a brief global outage today was the unintended result of its emergency mitigation efforts. The company deployed a rapid patch to its web application firewall to blunt exploitation of the vulnerability. That change, meant to block malicious HTTP requests targeting vulnerable React versions, inadvertently caused sections of Cloudflare's network to return 500 Internal Server Errors for several minutes. Cloudflare emphasized that the disruption was
Starting point is 00:06:21 not an attack but a side effect of its accelerated response. China-based phishing groups behind persistent scam SMS campaigns are now selling phishing kits that mass-produce convincing fake e-commerce sites designed to steal payment card data and enroll victims' cards into Apple or Google mobile wallets. Krebs on Security says these groups are also pushing new lures, including fake tax refunds and mobile rewards points. Thousands of recently registered domains spoof T-Mobile and AT&T, directing mobile users to sites that harvest personal and card data, then request bank one-time codes to finalize fraudulent wallet enrollment. Experts warn that fake storefronts are harder to detect because they blend into normal shopping behavior
Starting point is 00:07:12 and often go unnoticed until purchases fail to arrive. Security researchers urge quick reporting of smishing messages to help identify and block these domains. Speaking of phishing kits, Barracuda says a previously unidentified phishing kit, now called GhostFrame, has fueled more than one million attacks since September of this year. The kit hides all malicious activity inside an iframe embedded in an otherwise harmless HTML page, letting attackers swap phishing content, rotate targets, and evade scanners that only inspect the outer layer.
Starting point is 00:07:50 GhostFrame uses dynamic subdomains, anti-analysis controls, and image-based login screens to obscure credential harvesting. A two-stage design funnels victims from benign-looking pages to concealed forms buried in large file streams. The phishing emails use common business themes to lure clicks, and multiple kit variants are circulating. Barracuda says the framework's stealth and adaptivity make it difficult to detect, underscoring the need for layered defenses and careful user training. The European Commission fined X (Twitter) 120 million euros for violating the Digital Services Act, marking the law's first enforcement action. Regulators say X misled users with its paid verification system and failed to provide required
Starting point is 00:08:43 transparency for political ads and researcher access to public data. The Commission argues X's ad repository lacks essential information and imposes barriers that hinder scrutiny of influence operations. The penalty has sparked geopolitical tension, with U.S. officials criticizing the EU's approach and X rejecting the findings as censorship. A joint investigation by Inside Story, Haaretz and Wave Research Collective reveals that Intellexa's Predator spyware uses a powerful zero-click infection method called Aladdin, which compromises targets through malicious advertisements.
Starting point is 00:09:27 Based on leaked Intellexa documents and research from Amnesty International, Google, and Recorded Future, investigators say Aladdin abuses commercial ad networks to deliver weaponized ads to specific users identified by IP addresses and other markers. Viewing the ad alone triggers redirection to exploit servers. The leaks also detail other vectors, including Triton baseband exploits for Samsung Exynos devices
Starting point is 00:09:56 and highlight Intellexa's extensive zero-day use. Despite sanctions, Predator development continues, prompting experts to recommend stronger mobile defenses. A Moscow court has sentenced physicist Artem Khoroshilov to 21 years in prison on charges of treason, infrastructure attacks, and plotting sabotage, according to state media. Prosecutors accused him of donating over $9,000 to a Ukrainian charity they say supports the
Starting point is 00:10:29 military, possessing materials for an explosive device, photographing rail lines near a military unit, and conducting a DDoS attack on Russian postal systems. Khoroshilov admitted the donations but said they were meant for civilians, denied any sabotage intent, and claimed limited technical skills. Colleagues echoed that he lacked the ability to carry out cyber attacks. His case reflects a series of harsh prosecutions in Russia targeting alleged cyber activity linked to Ukraine since the war began. Twin brothers Muneeb and Sohaib Akhter were arrested in Virginia
Starting point is 00:11:09 for allegedly stealing and destroying government data within minutes of being fired from a federal contractor in February, according to the Justice Department. Prosecutors say the brothers compromised information from multiple agencies, including DHS, the IRS, and the EEOC, during a week-long spree. Muneeb is accused of deleting 96 databases, stealing sensitive files, and using an AI tool to seek guidance on covering his tracks. Sohaib allegedly trafficked a password,
Starting point is 00:11:42 granting access to an EEOC system. Both previously served prison sentences for hacking while working as government contractors in 2015. Investigators say the pair abused privileged access and technical expertise, posing a significant threat to government systems. Coming up after the break, Canavan from Thales discussing post-quantum cryptography. And smart toilet encryption claims don't hold water.
Starting point is 00:12:21 Stick around. Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker Allowlisting, you stop unknown executables cold. With Ringfencing, you control how trusted applications behave,
Starting point is 00:12:52 and with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero-trust principles
Starting point is 00:13:08 without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable, even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo at threatlocker.com/N2K today. AI is transforming every industry, but it's also creating new risks that traditional frameworks can't keep up with.
Starting point is 00:13:51 Assessments today are fragmented, overlapping, and often specific to industries, geographies, or regulations. That's why Black Kite created the BKGA3 AI Assessment Framework, to give cybersecurity and risk teams a unified, evolving standard for measuring AI risk across their own organizations and their vendors' AI use. It's global, research-driven, built to evolve with the threat landscape and free to use. Because Black Kite is committed to strengthening the entire cybersecurity community. Learn more at blackkite.com. Blair Canavan is Director
Starting point is 00:14:40 of Alliances for PKI and PQC portfolio at Thales. In today's sponsored Industry Voices segment, we discuss post-quantum cryptography. Every year, I think we do a, where are we at with regards to the onset of a cryptographically relevant quantum computer? So, CRQC, yet another acronym to think about. And what I mean by that is,
Starting point is 00:15:06 many years ago, probably eight or nine years ago, when I started talking about post-quantum cryptography or quantum or PQC, I think most people's arms were crossed. They were a little skeptical, a lot skeptical, meaning that this was so far off in the distance, if ever, why would we concern ourselves over this? And these are early discussions about, well, we should be crypto-agile, we should be this, we should be that.
Starting point is 00:15:29 But if you fast forward to 2025, what we've seen is a dramatic trend, dramatic trend away from procrastination and those that are, quite frankly, completely what's the word I'm trying to find here. My brain's cramping. But we're probably not all that concerned about it. So apathy, there's the word. So apathy has quickly and is quickly disappearing for most large organizations around the world.
Starting point is 00:15:59 You have to live under a rock if you're not aware of quantum or post-quantum cryptography these days. Much like AI emerged onto the scene a few years ago. Post-quantum is now becoming, and I'll speak for Thales, the number one most recognizable thing that our company is hearing. It leads us in lead generation, clicks, downloads, you name it, across the enterprise. So this is why I would say that we're seeing now a dramatic shift towards readiness, which is, I know it's coming, I've heard it's within a few years, we've got to get started. Well, when we talk about PQC readiness, how do you assess whether that readiness is real or still aspirational? Well, you know, actions speak a lot louder than words, for sure. So what you're going to see, if not already, is a segment of the population of the organizations that we speak to, let's use the financial
Starting point is 00:16:58 sector, for example, or governments, is that they're already undertaking various levels of cryptographic discovery to determine, first of all, what's the problem? And where is this crypto that we need to swap out and change out? So that's one of the major steps in determining what the scope of the problem is for your organization, knowing and admitting full well that crypto is everywhere. So what we're seeing is instead of just talking about it, we're starting to see systems integration firms, the Big Five, are well entrenched in providing assessment services. So I'm starting to see on a, let's call it a timeline or a critical path. If you're a project management guru or somebody like that,
Starting point is 00:17:38 you look at a series of tasks over the next few years with milestones. And some of the major milestones that are becoming quite prevalent are cryptographic discovery. And remediation has already begun on some of the low-lying areas that we can address. So, for example, maybe you have some very significant applications that you're looking at that you want to make sure or ensure are developed crypto-agilely. So everything moving forward from this point on, that's an absolute metric that we're seeing. And also, cryptographic hygiene.
Starting point is 00:18:10 You're starting to see organizations apply what they probably should have some time ago, which is if we're going to manage our certificates, our public certificates, certificate lifecycle management, we can figure that out now. Key management, or what I jokingly say, key mismanagement, you'll see a lot of companies that have been either using various levels of data at rest encryption capabilities or various platforms across the enterprise but with no consistency or persistence. So now they're starting to get smarter about making sure that we're across the board using those technologies.
Starting point is 00:18:44 And as you may know, data at rest encryption is PQC safe right now, meaning that we can use AES-256 as a standard symmetric algorithm. And that's for the majority of what we see out in the world. That's already PQC safe, but it's the upfront RSA and ECC that is used to generate those keys for decrypting that data. That's the concern. It's always on the public key side at this point, the asymmetric side. So I'm starting to see, we're starting to see PQC assessments, project plans being put in place. We're starting to also see C-level or board-level sponsorship to make sure that we're on the right track or that we're reporting that we're on the right track.
Starting point is 00:19:24 And as I think we emerge into 2026 and 2027, this will just become normal everyday best practice for readying ourselves for this. Well, help me understand, because I see folks talking about hybrid approaches. What exactly do they mean by that? Well, hybrid is an interesting term that I think a number of us are talking about. Some organizations look at hybrid crypto as a stopgap, meaning that we can use the combination of classical or existing operational crypto we rely on today, the RSA, the ECC, and so on. But some countries, some governments, some organizations believe that a full pure PQC enablement means we get rid of what we call classical crypto today and put in the next generation algorithms,
Starting point is 00:20:13 which is what they call FIPS 203, 204, 205, or Dilithium, or ML-DS, or ML-DSA and ML-KEM, or Kyber, or whatever you want to describe those as. But the next generation of algorithms, hybrid refers to using both. So, for example, for public key infrastructure, we'll have hybrid certificates, or for cryptographic reasons for signatures and handshakes and so on, we'll use hybrid. But a lot of people think that's fraught with difficulty, and maybe we should just go straight to PQC.
Starting point is 00:20:47 But that in effect is a leap of faith that these algorithms are going to stand the test of time. And because we don't have soak, we don't have 25 years of seeing them in the wild, in the field, being deployed, I think we can all appreciate why some organizations are a little bit, I wouldn't say nervous, but, you know, hedging their bets per se. So I think what we're going to see is a combination of pure, you know, what we have today, some hybrid and some pure PQC enabled going forward. What do you see as being roadblocks here? Are the delays coming from technology issues, or process, or cost? What's holding people back? Oh, all of the above. As I mentioned earlier, there are some organizations who perceive and believe that this is far enough out that they can just procrastinate until the last minute, and I don't mean to point fingers, nor would I, but it depends. Some have very skeptical personnel involved and believe that this is all a hype curve that we're all worried about, same as Y2K. Others are absolutely pragmatic about it and saying, regardless, we're going to be ready for this because, as I said earlier, we can fix a lot of stuff on the way from a cryptographic hygiene point of view and make ourselves crypto agile and hedge our bets because now
Starting point is 00:22:10 we have protection should this arrive in the next three, four, five years. And then there are, of course, those who might be so pure, you know, quantum and post-quantum that they've already started on that journey. I see very little of that. I think most organizations are being careful, as they should be. And this also, by the way, is not just an organization what they want to do. They rely on the vendor community. They rely on the implementation of those things. And by the way, you can't just wave a magic wand, find all your crypto, swap it out magically overnight. This is going to take an enormous amount of resources and budget. So some of the budget, some of the roadblocks are who's going to pay for it. How much
Starting point is 00:22:52 money do we need? And what's our tiger team look like, for example? Who do we have here in the organization? Do we need to seek external advice? Things like that. Well, I mean, a lot of folks have their fingers in this pie, right? There's standards organizations. There's vendors, researchers, and as you say, governments, they're all involved. How do these different players shape the pace and direction of PQC adoption? Well, I think it's a combination of many things. I think lead by example is what I'm starting to see not only evidence of. I'm personally experiencing it where organizations have overcome the obstacles it's within.
Starting point is 00:23:35 So they've been, for example, you can point to public examples from the likes of Wells Fargo and HSBC and many other organizations around the world that are publicly admitting or, publicly not admitting is the wrong word, publicly explaining how they're doing this. Why is that important? Well, nobody wants to be the guinea pig, but they also want to know, is this the best practice? Should we do this first? Should we do this second, third? What's the recipe for success? So I think as it becomes more sophisticated and we start to see more organizations moving into this over the next year or two, as I said to you, personally, I'm involved with well over 100 organizations, that gives me a pretty good vantage point. And with zero exception, they've all got plans in place. What they're all determining is when did those plans start? How much do we put into those plans, meaning people, process, technology, simply put, resources? And do we have executive sponsorship? I think that's incredibly important that from the C-level or the board level, we have acknowledgement that we're doing these things, but also backing us up that if we run into a bit of a, we get into a, where we have to turn left instead of what we thought, we had to turn right, that's where patience is a virtue is going to apply for a lot of these implementations. As someone who is in this day to day, what sort of signals do you think defenders should be looking out for? Or do you anticipate that we're going to have a Sputnik moment here? I haven't heard Sputnik as an
Starting point is 00:25:13 example, but I think if we're old enough, most of us know when the Russians were the first, the rest of the world, first of all, awe was the first response. Are you kidding? Is this real? To we're late or we're second? Yeah, the race to quantum is real. I think what we're concerned about from a nation state or a bad actor is that this isn't going to be broadcast necessarily. That's like saying, I've got the keys to, I've got the skeleton key to the world. I'm just going to tell everybody I have that key. I think what we have to realize is a lot of this is going to go on behind the scenes. It's going to merge into reality. And then when this zero day or this acknowledgement that that was a quantum computer that used Shor's algorithm that compromised that
Starting point is 00:25:56 implementation, is that going to be Q-Day, we'll see. Is it going to be an organization like the government of X, Y, and Z? We don't know. But that moment is, unfortunately, that's a crystal ball we all are looking for. But what we are seeing is progress being made, certainly from a Western civilization point of view, and with China, I have to throw in as well. The amount of pure billions being spent on building this next generation of quantum computing platforms is underway. And this race to quantum can be used for good and not so good. And I think it's the same with AI. We're in the exact parallel universe of the two paradigms. And the paradox of both of them, which is they can do wonderful, amazing things AI does to solve for simulation and drug testing, et cetera, et cetera.
Starting point is 00:26:48 But also turned against, they can be used to build incredibly robust exploits, in fact, looking for old crypto or looking for compromise points and running scenarios a thousand times automatically, automatically. The same applies for quantum, which we use it for, like I said, simulation and amazing things for AI and agentic AI and all those good things, but if used to run Shor's algorithm, it is in fact the skeleton key that I explain. That's the concern is the good, the bad, the otherwise of both of these platforms. And when they eventually converge using quantum compute platforms to run AI, we're in a different paradigm entirely after that. That's Blair Canavan from Thales. This episode is brought to you by Square. You're not just running a restaurant, you're building something big, and Square's there for all of it, giving your customers more ways to order, whether that's in person with Square Kiosk, or online.
Starting point is 00:27:58 Instant access to your sales, plus the funding you need to go even bigger. And real-time insights, so you know what's working, what's not, and what's next. Because when you're doing big things, your tools should too. Visit square.ca to get started. And finally, Dekoda is Kohler's smart toilet-mounted camera that snaps photos of the bowl after use, offering gut health insights in exchange for a few tasteful porcelain portraits. To calm privacy nerves, the company assured customers their data enjoys end-to-end encryption, a phrase that raised eyebrows among people who know what that actually means.
Starting point is 00:28:46 Researcher Simon Fondrie-Teitler pointed out that Kohler is really talking about standard TLS encryption, not the user-to-user lockdown found in Signal or WhatsApp. Kohler later clarified that, yes, it can decrypt and view your bowl data because that's how the service works, though it stresses information is encrypted at rest, and only de-identified images train its algorithms, and only with user consent. Still, at $599 plus a monthly subscription, the Dekoda may be the rare gadget that asks you to pay handsomely for the privilege of being misunderstood by a toilet. End-to-end, indeed. And that's the CyberWire.
Starting point is 00:29:49 For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Jaron Bradley, director of Jamf Threat Labs. The research is titled ChillyHell, a deep dive into a modular macOS backdoor. That's Research Saturday. Do check it out. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Starting point is 00:30:34 You know what I'm going to be.
