BMC Daily Cyber News

This is today’s cyber news for December 2nd, 2025. The brief highlights how everyday tools like browsers, developer extensions, mobile apps, and public Wi-Fi are being bent into silent surveillance and credential theft channels that hit both consumers and enterprises.
 
Listeners will hear how popular browser extensions turned into spying implants, how Chinese firms are quietly selling steganography tools to state aligned hackers, and how a long running airport and in-flight Wi-Fi imposter has finally been sentenced. The episode also covers a record breaking Coupang retail breach, a major mixer takedown that squeezes ransomware payments, and a deep lineup of stories on mobile banking fraud, fake storefronts, malicious updates, poisoned packages, and evolving espionage tradecraft, all tied back to what leaders and defenders can do next, with the daily feed available at DailyCyber.news.

What is BMC Daily Cyber News?

The BMC Daily Cyber News brings you clear, timely updates on threats, breaches, patches, and trends every day. Stay informed in minutes with focused audio built for busy professionals. Learn more and explore at BareMetalCyber.com.

This is today’s cyber news for December 2nd, 2025. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber dot news.

Researchers say commercial companies in China are selling advanced steganography products that help state aligned hacking teams hide in plain sight. These tools let operators tuck commands and stolen data inside ordinary looking images and documents that flow through email and chat every day. Instead of crafting one off tricks, espionage crews can now plug polished products into their toolchains and move faster. This industrial support deepens the connection between nominally private firms and long running state backed cyber campaigns. It also means defenders must assume that some of the most dangerous traffic will look visually harmless as it crosses their networks.

A hacker who ran fake airport and in-flight Wi-Fi networks for years has now received a seven year prison sentence. He set up convincing wireless hotspots that mimicked legitimate airport and airline networks, then quietly harvested passwords, session cookies, and personal data from travelers. Many people logged into corporate email, cloud apps, and bank accounts while believing they were on trusted connections. The case gives a rare inside look at how long term abuse of public Wi-Fi can silently compromise both personal and business systems. It is a stark reminder that any open network in travel hubs should be treated as hostile by default.

Security teams are warning about a new Android malware family called Albiriox that is built for on device banking fraud. Once installed, it can overlay real banking and payment apps, capture logins and one time codes, and then quietly perform transactions from the victim’s own phone. Reports suggest it already targets more than four hundred financial, fintech, and digital wallet applications across several regions. Because the actions come from a recognized device using the genuine app, many bank controls see the activity as normal. This shift makes mobile devices themselves the primary battlefield for stopping account takeover, not just the login pages.

Attackers have also published a fake Material Icon Theme extension for Visual Studio Code that secretly functions as a backdoor. To developers, it looks like a simple icon pack that makes project files easier to recognize at a glance. Behind the scenes, the extension pulls down additional code and establishes persistent remote access to the workstation. That access puts source code, cached credentials, and connected corporate resources at risk whenever the editor is open. It underscores how even cosmetic looking extensions in trusted marketplaces can quietly open doors into high value development environments.

Customer support environments are in the spotlight as typo squatted domains begin to mimic Zendesk style portals. These lookalike sites copy branding and login flows in order to trick agents and customers into typing credentials into attacker controlled pages. Once passwords are captured, intruders can sign into real support systems, read sensitive tickets, and even forge replies that reset access for other accounts. That level of access lets an attacker quietly pivot into billing systems, identity providers, or internal tools that support teams routinely touch. Defenders are racing to block the spoofed domains and harden support logins before those stolen accounts are widely abused.

Ransomware operators are experimenting with a new Windows packer called TangleCrypt that is designed to outfox endpoint tools. The packer wraps payloads in layers of obfuscation and works with a malicious driver that attempts to blind or disable security products. Once deployed, this pairing lets attackers plant ransomware and supporting tools with a lower chance of early detection. That extra breathing room gives crews more time to map networks, locate backups, and clobber recovery options before they start encryption. Incident responders are now updating detection logic and driver policies to catch TangleCrypt style behavior earlier in the kill chain.

Across Central Asia, government ministries and diplomatic bodies are again being probed by a Russian speaking espionage crew. The attackers send tailored phishing messages with malicious documents that, when opened, install custom implants on official workstations. These implants quietly siphon documents, email, and credentials over long periods, focusing on policy, energy, and security topics rather than quick theft. That slow and patient collection effort aims to influence or anticipate regional decisions instead of causing visible disruption. Defenders in the region are working to upgrade mail filtering, endpoint monitoring, and user training while they hunt for existing footholds.

Operation Hanoi Thief is aiming at recruiters and information technology staff in Vietnam with malicious resume archives. The attackers send job applications that look legitimate and bundle compressed files that contain pseudo polyglot payloads which trigger when opened. After execution, the malware targets browsers and related tools, skimming stored passwords and session cookies that grant access to corporate portals. That strategy exploits the trust placed in hiring workflows and turns busy recruiters into unwitting entry points for credential theft. Companies in the region are responding by tightening sandboxing for unsolicited attachments and adding extra monitoring around the accounts and browsers used by hiring teams.

An espionage group called Tomiris has updated its implants so that command traffic is now routed through popular chat services such as Telegram and Discord. The new tools wrap instructions and stolen data inside normal looking requests to these platforms, making the traffic blend in with everyday conversations. As a result, simple domain blocks or protocol filters no longer cleanly separate malicious flows from genuine messaging use. That camouflage forces defenders to rely more on host behavior, process lineage, and unusual usage patterns for those chat applications. Governments and organizations facing Tomiris activity are starting to review where such services are allowed and how closely they are watched on high value networks.

That’s the BareMetalCyber Daily Brief for December 2nd, 2025. For more, visit BareMetalCyber dot com. You can also subscribe to the newsletter and view the archive of previous headlines at Daily Cyber dot news. We’re back tomorrow.