πŸ›‘οΈ InfoSec Blue Team Briefing

Wednesday, December 24, 2025


Good morning. This is your security briefing for Tuesday, December 23, 2025, covering 15 articles analyzed overnight. All attribution is by the article authors, and all article analysis is automated.

Starting with malware threats, Koi Security Inc. reports that a malicious npm package called 'lotusbail' was downloaded over 56,000 times while secretly stealing WhatsApp credentials, messages, contacts, and media. The package masqueraded as a legitimate WhatsApp Web API library and employed multi-layer obfuscation including custom RSA encryption, Unicode manipulation, and AES encryption to evade detection.

The malware also installed a persistent backdoor through hardcoded pairing codes that maintained access even after the package was removed from affected systems.

Moving to security tools, TjNel released certgraveyard_yara, an automated tool that generates daily YARA rules from the CertGraveyard database of compromised certificates. Defenders can use these rules to scan for malware that utilizes stolen or compromised code-signing certificates, including those associated with families like Emotet.

Cyberjez released the PQC Network Scanner version 2.0, a quantum vulnerability assessment tool that helps organizations evaluate their cryptographic infrastructure's readiness for post-quantum security threats. The tool performs deep inspection of TLS endpoints and includes stealth features to avoid triggering intrusion detection systems during production network scans.

Damien Van Robaeys published a PowerShell tool on systanddeploy.com for searching through Microsoft Intune remediation scripts to identify specific text strings. The tool is particularly useful for finding scripts requiring updates due to changes in PowerShell cmdlet behavior.

Peter Klapwijk at InTheCloud247.com reports that Microsoft has enabled Kerberos authentication for cloud-only identities on Azure file shares, addressing a previous limitation that only supported hybrid user identities. Organizations can enhance security by blocking public access and routing connections through Microsoft Entra Private Access, though MFA exclusion is required for the storage account's Entra app.

Peter van der Woude notes that Microsoft Intune introduced a new Admin Tasks node in its admin center to centralize administrative functions including security tasks and user elevation requests. The feature includes role-based access control to ensure administrators only see tasks they have permissions to manage.

Microsoft announced that Azure Workbooks now support querying Azure Data Explorer clusters using Kusto Query Language for data visualization and analysis. However, Microsoft advises users not to include sensitive information in JSON data source fields as they remain visible to all workbook users.

Yumlembam published a GitHub repository providing open-source tools for detecting insider threats using graph neural network models including GCN-NN and GCN-BiLSTM. The implementation utilizes the CMU CERT Insider Threat Test Dataset for identifying both explicit and implicit signals of malicious insider activities.

Xdanx released Open KLara, a community-driven fork of Kaspersky Lab's original KLara project for threat intelligence researchers. The distributed system uses a dispatcher-worker model to scan file collections larger than one terabyte with YARA rules, delivering results via email and a web interface.

In industry news, NIST has revised its Interagency Report 8286 series focusing on integrating cybersecurity and enterprise risk management. The three revised publications align with NIST Cybersecurity Framework 2.0 and provide updated guidance on risk identification, documentation, and enterprise-wide risk data aggregation.

Cloudflare published a post-mortem on two major network outages in November and December 2025 caused by rapid global deployment of faulty configurations. The company is implementing Health Mediated Deployment for configuration changes to enable controlled rollouts, monitoring, and automatic rollbacks.

Turning to critical vulnerabilities, researchers at hyprblog discovered 19 vulnerabilities in MediaTek WiFi chipsets, primarily stack and heap buffer overflows in kernel drivers. The flaws affect devices including Netgear WAX206 and Starlink WiFi Gen2, potentially leading to kernel code execution and denial-of-service attacks.

N8n-io disclosed CVE-2025-68613, a critical Remote Code Execution vulnerability in their workflow automation software affecting versions 0.211.0 through 1.120.3. The vulnerability stems from insufficient isolation in the expression evaluation system, and users should upgrade to version 1.120.4 or later immediately.

The Financial Security Institute published the Campaign Dark Prism intelligence report analyzing LNK malware used by state-sponsored hacking groups from January 2024 to September 2025. The report examines evolving attacker tactics and highlights how LNK malware serves as a common attack vector that splinters into different threats depending on the state-sponsored group deploying it.

Finally, Whitecat18 released a proof of concept, written in Rust, demonstrating the Vectored Overloading technique used by Kidkadi malware. The technique manipulates legitimate DLL loading by abusing hardware breakpoints and Vectored Exception Handling to inject malicious code, making detection more difficult. That concludes today's briefing.

📰 Articles Covered