Threat Briefing: December 19, 2025

Threat Intel Update

Global cyber threats are accelerating. China-linked groups are actively exploiting the critical React2Shell flaw (CVE-2025-55182), and North Korean actors stole an estimated $2.02B in cryptocurrency in 2025, a 51% increase year over year.

Russia's Sandworm is targeting misconfigured cloud edge devices, and the Kimwolf botnet has hijacked more than 1.8 million Android devices for DDoS attacks, exposing urgent gaps in cloud and IoT security.

Cybersecurity News

  • Five China-Linked Threat Groups Exploiting React2Shell Vulnerability – Google reports that five China-linked threat groups are actively exploiting the critical React2Shell vulnerability (CVE-2025-55182) in React v19, which allows unauthenticated remote code execution. Exploitation began shortly after disclosure on December 3, 2025, with actors deploying malware including the Minocat tunneler, Snowlight downloader, and Compood backdoor. North Korean and Iranian groups have also been linked to related attacks, and additional React flaws have since emerged, including two high-severity denial-of-service vulnerabilities. Organizations running React v19 should confirm they have applied the vendor fix and review server logs for exploitation attempts dating back to December 3. SecurityWeek
  • North Korean Hackers Steal $2.02B in Crypto in 2025 – North Korean cyber actors stole an estimated $2.02B in cryptocurrency in 2025, a 51% year-over-year increase, and were responsible for 76% of crypto service compromises. The Bybit exchange breach alone caused $1.5B in losses, bringing total DPRK-linked crypto theft since 2020 to $6.75B. The Lazarus Group continues to lead these campaigns, leveraging insider access, advanced laundering techniques, and Chinese-language services to obscure the stolen funds. The Hacker News
  • Authorities Disrupt Ransomware-Linked Crypto Laundering Service – A joint operation by the FBI and international partners dismantled E-Note, a cryptocurrency exchange allegedly used to launder ransomware proceeds. Authorities say the service processed more than $70M tied to attacks on healthcare and critical infrastructure since 2017. A Russian national accused of operating E-Note faces federal money laundering charges, and law enforcement seized servers, apps, websites, and transaction records linked to the operation. The Record
  • Kimwolf Botnet Targets Android Devices for DDoS – The Kimwolf botnet has compromised more than 1.8 million Android devices, including TVs, tablets, and set-top boxes, to launch large-scale DDoS attacks. Research suggests a link to the AISURU botnet, and the malware's use of native code built with the Android NDK underscores the growing risk that consumer devices pose as botnet hosts. The Hacker News

About the Author
CampusGuard Threat Intel Team