Weekly Summary of Cyberattacks, 27 Nov - 03 Dec
The $9M yETH Exploit: How 16 Wei Became Infinite Tokens
Cybersecurity researchers reported a critical exploit against Yearn Finance's yETH pool on Ethereum, resulting in the theft of approximately $9 million. In the incident, detected on November 30, 2025, the attacker minted roughly 235 septillion yETH tokens from a deposit of only 16 wei (effectively $0), making this one of the most capital-efficient exploits ever seen in decentralized finance. The root cause was a flaw in how the pool caches virtual balances in storage: the packed_vbs[] array retained stale virtual balance values after a full liquidity withdrawal, so the next deposit was priced against balances the pool no longer held.
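The bug class is easier to see on a toy pool than on the real contract. The model below is an added example written for this summary, not yETH's code and not the actual exploit path: it is a single-asset share pool whose cached pool value (standing in for a packed_vbs[] entry) is updated incrementally, and whose full-withdrawal branch returns early without refreshing that cache. The `fix_bug` flag, the actors and the amounts are all constructed for the illustration.

```python
# Added example: stale cached pool value after a full withdrawal.
# Hypothetical simplified model, not yETH's contract logic.

ETH = 10**18


class Pool:
    def __init__(self, fix_bug: bool):
        self.fix_bug = fix_bug
        self.balance = 0        # real token balance the pool holds (wei), the ground truth
        self.supply = 0         # LP shares outstanding
        self.cached_value = 0   # cached pool value, like a packed virtual balance in storage
        self.shares = {}        # holder -> LP shares

    def add_liquidity(self, who: str, amount: int) -> int:
        # The pool derives the new value from the cache instead of recomputing it.
        new_value = self.cached_value + amount
        if self.supply == 0:
            minted = new_value                          # bootstrap: shares == pool value
        else:
            minted = self.supply * amount // self.cached_value
        self.balance += amount
        self.cached_value = new_value
        self.supply += minted
        self.shares[who] = self.shares.get(who, 0) + minted
        return minted

    def remove_liquidity(self, who: str, lp_amount: int) -> int:
        payout = self.balance * lp_amount // self.supply
        self.shares[who] -= lp_amount
        self.supply -= lp_amount
        self.balance -= payout
        if self.supply == 0 and not self.fix_bug:
            return payout      # BUG: early exit on full withdrawal skips the cache refresh
        self.cached_value = self.balance
        return payout

    def cache_is_consistent(self) -> bool:
        # The invariant a post-condition check (or a fuzzing harness) should enforce.
        return self.cached_value == self.balance


def run_scenario(fix_bug: bool) -> dict:
    """Full withdrawal, then a 16 wei deposit, then an honest 1 ETH deposit."""
    p = Pool(fix_bug)
    p.add_liquidity("alice", 1000 * ETH)
    p.remove_liquidity("alice", p.shares["alice"])   # alice drains the pool completely
    stale = not p.cache_is_consistent()              # True in the buggy version
    bob_shares = p.add_liquidity("bob", 16)          # 16 wei priced against the stale cache
    p.add_liquidity("carol", 1 * ETH)                # honest depositor arrives
    bob_payout = p.balance * p.shares["bob"] // p.supply
    return {
        "stale": stale,
        "bob_shares": bob_shares,   # buggy: 1000 ETH + 16 wei worth of shares for 16 wei
        "bob_payout": bob_payout,   # buggy: almost all of carol's 1 ETH
        "pool_balance": p.balance,
    }


if __name__ == "__main__":
    for flag in (False, True):
        print("fixed" if flag else "buggy", run_scenario(flag))
```

In the buggy run the bootstrap branch mints Bob shares equal to the stale cached value plus his 16 wei, so he immediately owns almost the entire pool and can withdraw nearly all of Carol's deposit; with the refresh in place he receives 16 shares and can take out exactly 16 wei. The practical lesson is the `cache_is_consistent` check: every state-changing path, including the zero-supply edge case, must leave cached values equal to what a recomputation from real balances would give, and that equality is cheap to assert in tests and invariant fuzzing.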
4.3 Million Browsers Infected: Inside ShadyPanda's 7-Year Malware Campaign
Cybersecurity researchers have uncovered a seven-year browser extension malware operation attributed to a threat actor they have named ShadyPanda, responsible for infecting at least 4.3 million Chrome and Edge browsers across several phases of activity since 2018. Investigators found that the group ran four progressively more sophisticated campaigns, beginning with large-scale affiliate fraud through 145 wallpaper and productivity extensions in 2023 and culminating in two major ongoing operations: a Remote Code Execution (RCE) backdoor campaign affecting 300,000 users and a spyware network with 4 million users that remains active.
Tomiris Wreaks Havoc: New Tools and Techniques of the APT Group
Cybersecurity researchers tracking the Tomiris APT group uncovered a new wave of malicious operations beginning in early 2025, targeting foreign ministries, intergovernmental bodies, and government entities. The campaign shows a tactical evolution in which Tomiris increasingly relies on implants written in several programming languages and on command-and-control channels hosted on public services such as Telegram and Discord, most likely to blend malicious traffic with legitimate network activity. Infections typically start with phishing emails that deliver password-protected archives containing malicious executables. The executables use disguised icons, double extensions such as ".doc.exe", or long filenames padded so that the real extension is pushed out of view in the archive listing. Which implant is delivered once the file is executed varies from case to case.
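The filename tricks above are cheap to screen for before an archive member ever reaches a user. The following is an added example for this summary, not tooling from the researchers who reported the campaign: it classifies archive member names for double extensions, padding that hides the real extension, and right-to-left override characters. The extension lists and the sample names are constructed for the example and should be tuned to the environment.

```python
# Added example: flag extension-disguise tricks in archive member names.
# Extension lists and sample filenames are constructed for illustration.
from __future__ import annotations

import re

EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "lnk", "msi"}
DOCUMENT_EXT = {"doc", "docx", "pdf", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}
RTLO = "\u202e"            # right-to-left override: reverses the visible tail of a name
MAX_NAME_LEN = 120         # longer names push the extension out of most archive viewers
PADDING = re.compile(r" {8,}")


def classify_name(name: str) -> list[str]:
    """Return the reasons a filename looks like an extension-disguise trick (empty if none)."""
    reasons: list[str] = []
    if RTLO in name:
        reasons.append("rtlo-override")
    parts = name.lower().split(".")
    exts = [p.strip() for p in parts[1:]]      # every dotted segment after the stem
    real_ext = exts[-1] if exts else ""         # what the OS will actually execute
    if real_ext in EXECUTABLE_EXT:
        # ".doc .exe" style: a document extension appears before the real executable one
        if any(e in DOCUMENT_EXT for e in exts[:-1]):
            reasons.append("double-extension")
        # "Report.pdf<many spaces>.exe" style: padding hides the tail of the name
        if len(name) > MAX_NAME_LEN or PADDING.search(name):
            reasons.append("padded-name")
    return reasons


def triage_archive(member_names: list[str]) -> dict[str, list[str]]:
    """Map each suspicious member name to its reasons; clean names are omitted."""
    return {n: r for n in member_names if (r := classify_name(n))}


# Constructed sample listing of a password-protected archive
SAMPLE_MEMBERS = [
    "agenda.docx",
    "Quarterly report.doc .exe",
    "Minutes.pdf" + " " * 100 + ".exe",
    "invoice\u202efdp.scr",
]

if __name__ == "__main__":
    for name, reasons in triage_archive(SAMPLE_MEMBERS).items():
        print(repr(name[:40]), "->", reasons)
```

Run this over archive listings at the mail gateway or in a sandbox pre-filter: password-protected archives cannot be content-scanned, but their member names are visible, and a document-looking name that resolves to an executable extension is enough reason to quarantine the message for analyst review.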
Threat Actors Leverage Fake Update Lures to Deliver SocGholish Malware
Threat actors are delivering the SocGholish malware through fake software-update lures: compromised legitimate websites display convincing "update your browser" or "update your software" pop-ups that trick users into downloading malicious payloads. Because the prompts are injected into otherwise trustworthy sites, they appear seamless and credible, which lowers suspicion and raises infection rates. Once a user downloads and runs the provided file, the initial SocGholish loader executes on the system and begins contacting attacker-controlled infrastructure.
Malicious Chrome Extension Injects Hidden SOL Fees Into Solana Swaps
Cybersecurity researchers identified a malicious Chrome extension, Crypto Copilot, that secretly injects unauthorized SOL transfers into legitimate Solana swaps conducted through Raydium. Marketed as a tool that enables "one-click trading from your X feed," the extension has been available on the Chrome Web Store since June 18, 2024. It presents itself as a convenience tool for Solana traders, integrating with Phantom, Solflare, and DexScreener and requesting standard wallet adapter permissions.
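The skim works because a Solana transaction is a list of instructions and the wallet signs all of them at once; an extra System Program transfer appended next to the swap rides along on the user's signature. The check below is an added example for this summary, not code from the extension, from Raydium, or from any wallet: it decodes System Program transfers (discriminator 2, then lamports, both little-endian) in a transaction modelled as `(program_id, accounts, data)` tuples and reports any transfer that drains the signer to an account the user did not authorise. The program and wallet ids other than the System Program are hypothetical placeholders, and the sample transaction is constructed.

```python
# Added example: spot an appended SOL transfer in a swap transaction before signing.
# Transaction layout is simplified to (program_id, accounts, data) tuples.
import struct

SYSTEM_PROGRAM = "11111111111111111111111111111111"   # real Solana System Program id
SYSTEM_TRANSFER_INDEX = 2                              # SystemInstruction::Transfer
LAMPORTS_PER_SOL = 1_000_000_000

# Hypothetical placeholder ids for the example, not real program or wallet addresses.
SWAP_PROGRAM = "SwapProgramPlaceholder1111111111111111111111"
USER_WALLET = "UserWalletPlaceholder111111111111111111111111"
USER_WSOL_ACCOUNT = "UserWrappedSolPlaceholder11111111111111111111"
FEE_SINK = "AttackerFeeWalletPlaceholder11111111111111111"


def encode_system_transfer(src: str, dst: str, lamports: int) -> tuple:
    # System Program transfer data: u32 LE instruction index, u64 LE lamports (12 bytes)
    return (SYSTEM_PROGRAM, [src, dst], struct.pack("<IQ", SYSTEM_TRANSFER_INDEX, lamports))


def decode_system_transfer(ix: tuple):
    """Return (src, dst, lamports) for a System Program transfer, else None."""
    program_id, accounts, data = ix
    if program_id != SYSTEM_PROGRAM or len(data) != 12 or len(accounts) < 2:
        return None
    index, lamports = struct.unpack("<IQ", data)
    if index != SYSTEM_TRANSFER_INDEX:
        return None
    return accounts[0], accounts[1], lamports


def audit_swap_tx(instructions: list, signer: str, expected_programs: set,
                  allowed_destinations: set) -> list:
    """List what the user did not ask for: hidden transfers out of the signer
    and calls to programs that a plain swap should never touch."""
    findings = []
    for ix in instructions:
        transfer = decode_system_transfer(ix)
        if transfer is None:
            if ix[0] not in expected_programs and ix[0] != SYSTEM_PROGRAM:
                findings.append(("unexpected-program", ix[0], 0))
            continue
        src, dst, lamports = transfer
        if src == signer and dst not in allowed_destinations:
            findings.append(("hidden-transfer", dst, lamports))
    return findings


def build_sample_tx() -> list:
    """Constructed: a swap, the legitimate wrap of 1 SOL into the user's own
    wrapped-SOL account, and a skimmed 0.005 SOL transfer appended by the extension."""
    swap_ix = (SWAP_PROGRAM, [USER_WALLET, USER_WSOL_ACCOUNT], b"\x09" + bytes(16))
    wrap_ix = encode_system_transfer(USER_WALLET, USER_WSOL_ACCOUNT, 1 * LAMPORTS_PER_SOL)
    skim_ix = encode_system_transfer(USER_WALLET, FEE_SINK, 5_000_000)
    return [swap_ix, wrap_ix, skim_ix]


if __name__ == "__main__":
    for kind, target, lamports in audit_swap_tx(
        build_sample_tx(), USER_WALLET, {SWAP_PROGRAM}, {USER_WSOL_ACCOUNT}
    ):
        print(kind, target, lamports / LAMPORTS_PER_SOL, "SOL")
```

The allow list matters: a SOL-to-token swap legitimately moves lamports from the signer into the user's own wrapped-SOL account, so the check must know the user's accounts rather than flag every System transfer. The same instruction walk can be applied to the decoded transaction a wallet shows in its simulation view; a transfer to an address that is neither the user's nor a program-derived account of the DEX is the hidden fee.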