
As the year closes, cybersecurity news continues to make major headlines in December 2025. This month’s recap by SWK Technologies covers several state-sponsored hacking and malware campaigns, multiple breaches across different industries and more:
CISA and NSA Warn of China-backed Malware Campaign
CISA, the NSA and Canadian cybersecurity officials issued a joint warning on December 4 about BRICKSTORM malware used by Chinese state-sponsored actors. The backdoor program can steal virtual machine snapshots for credential theft and create hidden rogue VMs, and targets VMware vSphere and Windows systems specifically, affecting primarily government organizations and IT businesses. BRICKSTORM uses multiple encryption layers and DNS-over-HTTPS to hide communications while maintaining long-term access to compromised networks. In one case, threat actors obtained and maintained access from April 2024 through September 2025. CISA released detection rules and urged organizations to scan their networks, block unauthorized DNS-over-HTTPS traffic and segment networks to restrict DMZ access.
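One of the mitigations named above is blocking DNS-over-HTTPS (DoH) traffic that is not going to a resolver the organization has approved. The following is an added example, not code from the advisory or from CISA, showing how a defender can pick DoH requests out of web-proxy logs and flag the ones bound for unsanctioned resolvers. The log format (one request per line: client IP, method, URL, request Content-Type), the sanctioned-resolver allowlist and all sample lines are constructed placeholders; the DoH indicators themselves (the /dns-query path, the application/dns-message media type and the base64url "dns" query parameter) come from RFC 8484.

```python
"""Flag DNS-over-HTTPS (DoH) requests in proxy logs and report any that
do not go to a sanctioned resolver.

Added example, not code from the article or from CISA. It assumes a
constructed proxy log format (client IP, method, URL, Content-Type per
line) and a placeholder allowlist of approved resolver hosts."""

from urllib.parse import urlparse

# DoH as standardised in RFC 8484: resolvers conventionally serve
# /dns-query, and POST bodies / responses use this media type.
DOH_PATH = "/dns-query"
DOH_MEDIA_TYPE = "application/dns-message"

# Resolvers the organization has explicitly approved (placeholder value).
SANCTIONED_RESOLVERS = {"doh.corp-resolver.example"}

# Constructed sample log lines: client, method, URL, request Content-Type
# ("-" when the request carried no body).
SAMPLE_LOG = """\
10.0.5.21 POST https://doh.corp-resolver.example/dns-query application/dns-message
10.0.5.21 GET https://intranet.example/index.html text/html
10.0.7.88 POST https://198.51.100.7/dns-query application/dns-message
10.0.7.88 GET https://203.0.113.9/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB -
10.0.9.3 GET https://updates.example/patch.bin application/octet-stream
"""


def parse_line(line):
    """Split one constructed log line into its four fields."""
    client, method, url, ctype = line.split()
    return {"client": client, "method": method, "url": url, "content_type": ctype}


def is_doh_request(rec):
    """Return True when the request looks like RFC 8484 DoH.

    The media-type check is the stronger signal; the path check catches
    the GET form, where the DNS message is base64url-encoded in the
    "dns" parameter. Resolvers may use other paths, so a proxy that
    cannot see URLs needs SNI-based allowlisting instead."""
    parsed = urlparse(rec["url"])
    if parsed.scheme != "https":
        return False
    if rec["content_type"] == DOH_MEDIA_TYPE:
        return True
    return parsed.path == DOH_PATH and "dns=" in parsed.query


def unsanctioned_doh(log_text):
    """Return (client, resolver_host) pairs for DoH requests that did not
    go to an approved resolver; these are candidates for blocking and
    for follow-up on the originating host."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if not is_doh_request(rec):
            continue
        host = urlparse(rec["url"]).hostname
        if host not in SANCTIONED_RESOLVERS:
            findings.append((rec["client"], host))
    return findings


if __name__ == "__main__":
    for client, host in unsanctioned_doh(SAMPLE_LOG):
        print(f"unsanctioned DoH: {client} -> {host}")
```

In the sample, the first request goes to the approved resolver and is ignored; the two requests from 10.0.7.88 are reported because they carry DoH to IP-literal hosts that are not on the allowlist, which matches the kind of traffic the advisory says should be blocked and investigated.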
API Breach at 700Credit Exposes Over 5 Million People
700Credit, a Michigan-based credit verification provider serving over 18,000 auto dealerships, disclosed a breach affecting at least 5.6 million people. Threat actors exploited a flawed API connection to a partner’s software integration in July and then gained access to 700Credit’s electronically stored client data between May and October 2025. The API returned information for any valid consumer ID without verifying account ownership. Exposed information includes names, addresses, dates of birth and Social Security numbers. 700Credit discovered the breach on October 25 and has notified the FBI and FTC. The company is offering affected individuals one year of credit monitoring through TransUnion and has filed consolidated breach notifications on behalf of affected dealers.
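The flaw described above, an endpoint that returns a record for any valid identifier without checking that the caller is entitled to it, is the pattern commonly called broken object-level authorization (BOLA or IDOR). The following is an added example, not 700Credit's code; the record store, the caller identity model, the field names and the sample data are constructed stand-ins. It places the vulnerable lookup beside a hardened one that enforces ownership and avoids leaking which identifiers exist.

```python
"""Vulnerable vs hardened consumer-record lookup (added example, not
700Credit's code; all data, names and the caller model are constructed)."""

from dataclasses import dataclass


class NotFound(Exception):
    """Raised for both missing and unauthorized records in the hardened path."""


@dataclass(frozen=True)
class ConsumerRecord:
    consumer_id: str
    dealer_id: str    # the partner (dealer) that created the record
    name: str
    ssn_last4: str    # store/return only what the use case needs, never the full SSN


@dataclass(frozen=True)
class Caller:
    dealer_id: str    # identity established by the API's authentication layer


# Constructed sample data
RECORDS = {
    "c-1001": ConsumerRecord("c-1001", "dealer-A", "Alice Example", "1234"),
    "c-1002": ConsumerRecord("c-1002", "dealer-B", "Bob Example", "5678"),
}

# Denied lookups, kept so that a client iterating over identifiers stands out.
DENIALS = []


def lookup_vulnerable(caller, consumer_id):
    """The pattern behind the breach: the caller is authenticated but is
    never used for authorization, so any valid ID returns the record."""
    try:
        return RECORDS[consumer_id]
    except KeyError:
        raise NotFound(consumer_id)


def lookup_hardened(caller, consumer_id):
    """Object-level authorization: the record must belong to the caller.

    A missing record and a record owned by someone else yield the same
    error, so the endpoint cannot be used to enumerate valid IDs."""
    rec = RECORDS.get(consumer_id)
    if rec is None or rec.dealer_id != caller.dealer_id:
        DENIALS.append((caller.dealer_id, consumer_id))
        raise NotFound(consumer_id)
    return rec


def audit(lookup, caller, consumer_ids):
    """Return the sorted list of IDs that `lookup` discloses to `caller`.
    Useful as a regression test for every endpoint that takes an ID."""
    disclosed = []
    for cid in consumer_ids:
        try:
            lookup(caller, cid)
            disclosed.append(cid)
        except NotFound:
            pass
    return sorted(disclosed)


if __name__ == "__main__":
    ids = ["c-1001", "c-1002", "c-9999"]
    print("vulnerable:", audit(lookup_vulnerable, Caller("dealer-A"), ids))
    print("hardened:  ", audit(lookup_hardened, Caller("dealer-A"), ids))
```

The `audit` helper is the check worth keeping: run it with a caller from one partner against identifiers owned by another, and any ID it reports for the hardened endpoint is an authorization bug. The denial log gives detection a signal, since a single client producing many denials across sequential IDs is the behaviour that this kind of breach looks like from the server side.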
Decryption Bug Found in Ransomware Strain Favored by Pro-Russia Hacktivists
Pro-Russia hacktivist group CyberVolk launched VolkLocker ransomware-as-a-service in August 2025, but researchers discovered a critical flaw allowing victims to decrypt files without paying. The Golang-based ransomware hard-codes master encryption keys into executables and writes them to a plaintext file in the system’s temp folder. SentinelOne researchers stated they believe this represents a test artifact that was not removed before deployment, suggesting quality control issues as the group recruits affiliates. VolkLocker operates entirely through Telegram and costs between $800 and $2200 depending on operating system support. CyberVolk also now sells standalone remote access trojans and keyloggers for $500 each.
React2Shell Vulnerability Exploited Within Hours of Discovery
CVE-2025-55182, dubbed React2Shell, is a maximum-severity vulnerability in React Server Components that allows unauthenticated remote code execution. Disclosed December 3, the flaw affects React 19.x and Next.js 15.x/16.x when using App Router. Applications using default configurations are vulnerable even without explicit server functions. Within hours of disclosure, China-linked groups including Earth Lamia and Jackpot Panda began exploitation attempts. Threat actors deployed cryptocurrency miners, backdoors and credential harvesters targeting cloud environment variables and metadata. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on December 5. Researchers also reported uncovering North Korean actors exploiting the flaw, while other data shows 39% of cloud environments contain vulnerable instances.
Healthcare Software Provider Confirms Breach
TriZetto Provider Solutions, a vendor of revenue management systems for healthcare, notified clients in December about unauthorized access to a web portal used by physicians, hospitals and health systems. The company discovered suspicious activity on October 2, 2025, but forensic analysis revealed the breach began in November 2024. Threat actors accessed historical eligibility transaction reports containing patient data, including names, addresses, dates of birth, Social Security numbers and health insurance information. TriZetto engaged cybersecurity professionals to investigate and confirmed that the attackers’ access was removed. The company is offering to handle breach notifications and cover credit monitoring costs for affected individuals, but the total number of people affected remains unclear.
Contact SWK Technologies to Learn More
Cyber threats and security regulations will continue to evolve in 2026, from state-sponsored cyber attacks to new vulnerabilities that will emerge for hackers to exploit. The experienced cybersecurity team at SWK Technologies will help you keep track of the biggest risks to your business and develop a strategy to protect your data from external and internal threats, as well as adapt to changing security regulations.
Contact SWK here to learn how our cybersecurity solutions will help strengthen your cyber defense and prepare your business for the challenges ahead in 2026.
