

Closing the year under pressure
December is typically a month of pause and transition to round out the year. While others see slowdowns and change freezes, on-call security teams wait anxiously for threat actors to take advantage of shoppers, generosity, and guards being down. Attackers continued to innovate as 2025 came to a close with a handful of notable APT-level campaigns.
Dec. 3: React2Shell CVE-2025-55182
- React2Shell is a maximum-severity, unauthenticated RCE vulnerability affecting applications built with React Server Components.
- A public proof-of-concept exploit was released shortly after the vulnerability disclosure, allowing attackers to inject and execute arbitrary code and achieve RCE.
- Organizations must patch affected React and Next.js versions, but also update related frameworks and dependencies, as well as monitor for anomalous process execution or unexpected network activity.
- Sysdig’s response: On December 5, the Sysdig Threat Research Team (TRT) published a blog with recommended steps for all impacted organizations and detections for both Sysdig Secure customers and Falco users. A threat bulletin was also emailed to customers.
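The monitoring advice above (watch for anomalous process execution from the web tier) maps naturally onto a Falco rule. The rule below is an added example written for this page; it is not one of the Sysdig TRT or Falco Feeds detections referenced above. It assumes the React/Next.js application runs under a process named node or next-server inside a container; the process names, image filter and tags are assumptions to adapt to your own deployment.

```yaml
# Added example Falco rule (not from Sysdig TRT or Falco Feeds).
# Assumption: the React Server Components app runs as "node" or "next-server"
# inside a container. Adjust react_server_binaries to match your environment.

- list: react_server_binaries
  items: [node, next-server]

# Shell binaries an RCE payload typically lands in once it gains execution.
- list: rce_shell_binaries
  items: [sh, bash, dash, ash, zsh]

# Defined inline so this file loads without the upstream default ruleset.
- macro: exec_event
  condition: evt.type in (execve, execveat) and evt.dir=<

- macro: in_container
  condition: container.id != host

- rule: Shell Spawned by React Server Process
  desc: >
    A shell was launched directly by a Node.js/Next.js server process. A server
    worker normally never spawns a shell, so this is a strong post-exploitation
    signal for an RCE in a server-side rendering framework.
  condition: >
    exec_event
    and in_container
    and proc.name in (rce_shell_binaries)
    and proc.pname in (react_server_binaries)
  output: >
    Shell spawned by React server process
    (parent=%proc.pname cmdline=%proc.cmdline user=%user.name
    container_id=%container.id image=%container.image.repository)
  priority: CRITICAL
  tags: [container, process, mitre_execution, T1059]
```

Load the file alongside your existing rules (for example with an extra -r argument to falco) and tune the parent-process list first: build tooling that legitimately shells out from node during image builds will fire this rule, so scope it to the runtime image or add an exception for the build stage rather than loosening the condition.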
Dec. 4: BRICKSTORM backdoor
- News of BRICKSTORM malware resurfaced in December, following its initial discovery in September.
- The NSA, CISA, and the Canadian Centre for Cyber Security published a detailed report, including IOCs and detections, on the use of BRICKSTORM by Chinese state-sponsored threat actors.
- The threat actors target Linux-based cloud environments in the government services, critical infrastructure, and IT sectors.
- The malware establishes persistent remote control by mounting a remote server on the victim’s local VM, extracts credentials, and enables lateral movement. It also abuses legitimate cloud tooling and APIs to evade detection and uses multiple layers of encryption to hide C2 communications.
- Initial access vectors are still unknown, so organizations are encouraged to use detections and IOCs to identify possible BRICKSTORM activity.
Dec. 28: MongoBleed CVE-2025-14847
- MongoBleed is a long-standing data exposure issue affecting nearly all versions of MongoDB since 2017.
- The vulnerability is being actively exploited with tens of thousands of instances at risk.
- It is a flaw in the MongoDB zlib message compression path, and with network access, an unauthenticated attacker can repeatedly probe the MongoDB server to leak memory fragments and gather a variety of sensitive data, such as credentials and internal application information.
- Organizations should conduct an audit and patch all MongoDB deployments, enforce authentication and segmentation, and monitor for irregular memory-read patterns.
Additional TRT findings
Following the disclosure of the React2Shell vulnerability in December, the Sysdig TRT identified a notable new threat. On December 8, the team published a technical analysis of a novel malware it dubbed EtherRAT. This highly sophisticated campaign brought unique nation-state TTPs to exploitation of the React2Shell vulnerability. EtherRAT is a multi-stage attack chain that uses Ethereum blockchain smart contracts for command and control.
On December 16, the Sysdig TRT published an additional blog detailing the five different payloads recovered from the attacker’s C2 infrastructure. Both blogs include IOCs and other suggested detection and response actions.
Also in the news
- European Space Agency breach: While the incident has been downplayed, with emphasis on “external” and “unclassified,” ESA confirmed on December 30 that some of its servers were breached. An unaffiliated threat actor already claimed responsibility on BreachForums. With access for over a week to Bitbucket and JIRA, the threat actor allegedly stole over 200GB of source code, hardcoded credentials, tokens, documents, and more for the agency’s collaborative engineering projects. A breach is a breach, but on the bright side, proper network segmentation appears to have limited the blast radius and prevented impact to core, internal systems.
- Kubernetes 1.35 was released: The World Tree Release on December 17 includes a transition to WebSockets, new limitations when using the impersonation mechanism, and the default separation of kubectl user preferences from cluster credentials and server configurations.
- DDoS disrupts French national postal and banking services: On December 22, La Poste and La Banque Postale were impacted by a DDoS attack during one of the busiest times of the year. Online mail and bank services, webpages, and apps were down for hours, and package deliveries were disrupted.
Closing thoughts
December closed 2025 the same way the year began: with pressure on defenders and attackers searching for opportunity. Security work is often invisible when it’s done right, and December reinforced how little room there is in the field for complacency.
Three lessons come to mind after reviewing the critical application vulnerabilities and nation-state tradecraft of the month: in 2026, defenders must prioritize visibility, design for resilience, and never underestimate collaboration and information sharing. We know the threats will continue to evolve, and so must we.
