Good morning. Yesterday's security developments from Tuesday, December 02, 2025 cover 9 articles spanning nation-state operations, attack techniques, and malware campaigns. All attribution is by the article authors. All article analysis is automated.
ESET Research reports that MuddyWater, an Iran-aligned cyberespionage group, conducted spearphishing campaigns delivering remote monitoring software followed by custom malware including Fooder loader and MuddyViper backdoor. The group conducted a joint sub-campaign with Lyceum targeting Israeli organizations in manufacturing, government, and healthcare sectors, suggesting MuddyWater may function as an initial access broker for other Iran-aligned threat actors.
Positive Technologies identifies threat actors QuietCrabs and Thor exploiting RCE vulnerabilities in SharePoint and Ivanti products to compromise organizations globally. Thor targeted approximately 110 Russian companies using LockBit and Babuk ransomware, while QuietCrabs conducted espionage campaigns across the USA, UK, Germany, and South Korea using KrustyLoader and Sliver malware.
Trail of Bits announces constant-time support for LLVM compiler infrastructure to protect cryptographic code implementations. This tooling helps developers write cryptographic software that resists timing-based side-channel attacks by ensuring operations execute in constant time regardless of input values.
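To make the side-channel concrete, here is an added C example (written for this digest, not code from Trail of Bits or from the LLVM work it describes) contrasting an early-exit byte comparison, whose running time depends on the position of the first mismatch, with the constant-time pattern that always touches every byte and accumulates differences with OR. The 16-byte tag values are constructed sample data. Note the caveat the announcement speaks to: C like this expresses constant-time intent, but an optimizer is free to turn mask arithmetic back into a branch, which is why compiler-level support matters.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data: a 16-byte authentication tag and two wrong
 * candidates, one differing in the first byte and one in the last. */
static const uint8_t TAG[16] = {
    0x1f, 0x8b, 0x08, 0x00, 0xa3, 0x4c, 0x21, 0x7e,
    0x90, 0x11, 0x02, 0xfe, 0x37, 0x5d, 0xc0, 0x19 };
static const uint8_t WRONG_FIRST[16] = {
    0x1e, 0x8b, 0x08, 0x00, 0xa3, 0x4c, 0x21, 0x7e,
    0x90, 0x11, 0x02, 0xfe, 0x37, 0x5d, 0xc0, 0x19 };
static const uint8_t WRONG_LAST[16] = {
    0x1f, 0x8b, 0x08, 0x00, 0xa3, 0x4c, 0x21, 0x7e,
    0x90, 0x11, 0x02, 0xfe, 0x37, 0x5d, 0xc0, 0x18 };

/* Timing-leaky comparison (shown for contrast only): returns at the first
 * mismatch, so the number of bytes examined, reported via *steps, depends
 * on the secret value. Never use this shape for tags, MACs or passwords. */
int leaky_equal(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps) {
    for (size_t i = 0; i < n; i++) {
        *steps = i + 1;
        if (a[i] != b[i]) return 0;
    }
    return 1;
}

/* Convenience wrapper that exposes only the step count. */
size_t leaky_steps(const uint8_t *a, const uint8_t *b, size_t n) {
    size_t steps = 0;
    (void)leaky_equal(a, b, n, &steps);
    return steps;
}

/* Constant-time comparison: every byte is read regardless of content and
 * differences are OR-accumulated; the final fold to 0/1 uses arithmetic
 * rather than a branch. (diff - 1) underflows to all-ones only when
 * diff == 0, so the top bit is 1 exactly when the inputs match. */
int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= a[i] ^ b[i];
    return (int)((((uint32_t)diff) - 1u) >> 31);
}

/* Constant-time select: cond must be 0 or 1. The mask is all-ones when
 * cond == 1, so the result is a; otherwise it is b, with no data-dependent
 * branch in the source. */
uint32_t ct_select(uint32_t cond, uint32_t a, uint32_t b) {
    uint32_t mask = (uint32_t)0 - cond;
    return (a & mask) | (b & ~mask);
}

int main(void) {
    printf("leaky: wrong first byte examined %zu byte(s)\n",
           leaky_steps(TAG, WRONG_FIRST, sizeof TAG));   /* 1 */
    printf("leaky: wrong last byte examined %zu byte(s)\n",
           leaky_steps(TAG, WRONG_LAST, sizeof TAG));    /* 16 */
    printf("ct_equal(TAG, TAG) = %d\n", ct_equal(TAG, TAG, sizeof TAG));
    printf("ct_equal(TAG, WRONG_LAST) = %d\n",
           ct_equal(TAG, WRONG_LAST, sizeof TAG));
    printf("ct_select(1, 7, 9) = %u\n", ct_select(1, 7, 9));
    return 0;
}
```

The step counts (1 versus 16 for the two wrong tags) are the measurable signal an attacker's timing oracle would recover from the leaky version; ct_equal performs the same work for all three inputs.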
Anthropic reports that AI agents including Claude Opus 4.5, Claude Sonnet 4.5, and GPT-5 successfully identified vulnerabilities in real-world blockchain smart contracts. The agents created exploits resulting in 4.6 million dollars in simulated stolen funds from 405 previously exploited smart contracts in the SCONE-bench benchmark.
Ontinue researchers discovered that the Microsoft Teams B2B guest access feature allows attackers to bypass Defender for Office 365 protections by inviting users into malicious tenants with weak security configurations. When users accept such invitations, they operate under the attacker's tenant security policies rather than their own organization's protections, creating unprotected zones for phishing, malware distribution, and data exfiltration.
Koi Security reveals that the ShadyPanda threat actor conducted a seven-year malware campaign infecting 4.3 million Chrome and Edge users through malicious browser extensions including Clean Master and WeTab. The campaign evolved from affiliate fraud to deploying sophisticated RCE backdoors and spyware capable of surveillance, credential theft, and man-in-the-middle attacks, with malicious capabilities updated hourly.
Infoblox Threat Intel identified malicious infrastructure hosting Evilginx phishing proxy domains used to conduct sophisticated SSO and MFA bypass attacks. The research provides specific IPv4 addresses and domain names actively used in these campaigns, which leverage the adversary-in-the-middle phishing toolkit designed to intercept credentials and session tokens.
The UK National Cyber Security Centre announces the Pall Mall Process, a collaboration with France to establish standards and accountability for Commercial Cyber Intrusion Capabilities. The initiative targets the offensive cyber industry including vulnerability researchers, exploit developers, and hacking-as-a-service providers, aiming to ensure responsible development through transparency, precision, accountability, and oversight mechanisms.