Nation-state actors dominated this week’s incident landscape, and they’re operating at every layer of the stack. PRC-linked groups sat inside VMware infrastructure for 17 months, and China-nexus groups weaponized a freshly disclosed React RCE within hours of the advisory. DPRK operators are running ransomware through criminal affiliates and draining cryptocurrency exchanges to fund weapons programs. Meanwhile, two separate MSP compromises cascaded into dozens of victim organizations: one hit UK local government, the other took down 28 South Korean financial firms in a single campaign.
This week: five incidents that show how nation-states and supply chain attacks are converging, why your patch windows have collapsed from days to hours, and what it looks like when adversaries compromise the infrastructure layer instead of endpoints.
BRICKSTORM: Chinese Threat Actors Compromise VMware Infrastructure for 17 Months
What happened:
CISA, NSA, and the Canadian Cyber Centre released a joint advisory on December 4 warning of ongoing intrusions by PRC state-sponsored actors using BRICKSTORM, a sophisticated Go-based backdoor targeting VMware vSphere environments. In one confirmed incident, attackers maintained persistent access from April 2024 through September 2025—17 months—compromising domain controllers, ADFS servers, and vCenter infrastructure across government and IT sector organizations.
The attackers initially compromised a web server in the victim’s DMZ, then moved laterally to internal systems. They successfully compromised an ADFS server and exported cryptographic keys, harvested MSP credentials from a domain controller, and used those credentials to pivot to VMware vCenter. From vCenter, they deployed BRICKSTORM and created hidden “rogue” VMs operating invisibly alongside legitimate workloads. CrowdStrike attributed recent intrusions to a newly identified China-nexus group called “Warp Panda,” which has targeted legal, technology, and manufacturing entities throughout 2025.
Technical details that matter:
- Hypervisor-layer persistence: BRICKSTORM targets VMware vCenter and ESXi, giving attackers visibility into all VMs running on compromised infrastructure, including security tools. Rogue VMs can be created that don’t appear in standard inventories
- Layered C2 encryption: Communications use HTTPS → WebSockets → nested TLS with DNS-over-HTTPS for resolution, making network-based detection extremely difficult. The malware mimics legitimate web server behavior to blend in
- Self-healing persistence: BRICKSTORM includes a self-monitoring function that automatically reinstalls or restarts itself if disrupted, and it modifies /etc/sysconfig/init so it comes back at boot. Live, process-based triage of the appliance will miss it; analyse the appliance disk (or a snapshot of it) rather than trusting what the running system reports.
- Credential harvesting chain: Attackers cloned VM snapshots and extracted credentials from the copies offline, where no in-guest security tooling runs; compromised ADFS to export its signing keys (enabling token forgery); and harvested MSP credentials to pivot across trust boundaries.
- VSOCK for inter-VM communication: Some variants use virtual socket interfaces for communication between VMs, enabling data exfiltration and C2 that never touches the physical network.
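The rogue-VM technique in the first bullet has a cheap hunt: every VM registered on an ESXi host must also appear in vCenter's inventory, so a diff between the two lists surfaces anything hidden. The script below is an added example, not from the CISA advisory or any VMware tool. Its inputs are constructed: VCENTER_INVENTORY stands in for the VM names you would export from vCenter, and HOST_GETALLVMS for the text of `vim-cmd vmsvc/getallvms` run over SSH on each host; the column order (Vmid, Name, File, ...) is assumed from that command's usual output.

```python
"""Rogue-VM hunt: VMs registered on ESXi hosts but missing from the vCenter inventory.

Added example for the BRICKSTORM bullets above; not from the CISA advisory or any VMware tool.
Inputs are constructed stand-ins for a vCenter export and per-host `vim-cmd vmsvc/getallvms`.
"""
import re
from dataclasses import dataclass

# Constructed: VM names as vCenter reports them (e.g. PowerCLI `Get-VM | Select Name`).
VCENTER_INVENTORY = {"dc01", "web01", "adfs01", "vcsa-backup"}

# Constructed: per-host output of `vim-cmd vmsvc/getallvms` (column layout assumed).
HOST_GETALLVMS = {
    "esxi-01": (
        "Vmid   Name          File                                  Guest OS              Version   Annotation\n"
        "1      dc01          [datastore1] dc01/dc01.vmx            windows2019srv_64Guest   vmx-19\n"
        "2      web01         [datastore1] web01/web01.vmx          ubuntu64Guest         vmx-19\n"
        "7      vmware tools  [datastore1] .cache/vmware-tools.vmx  otherLinux64Guest     vmx-19\n"
    ),
    "esxi-02": (
        "Vmid   Name          File                                  Guest OS              Version   Annotation\n"
        "3      adfs01        [datastore2] adfs01/adfs01.vmx        windows2019srv_64Guest   vmx-19\n"
        "4      vcsa-backup   [datastore2] vcsa-backup/vcsa-backup.vmx   otherLinux64Guest   vmx-19\n"
    ),
}

# Vmid, then a (possibly space-containing) name, then "[datastore] dir/file.vmx".
GETALLVMS_LINE = re.compile(r"^(?P<vmid>\d+)\s+(?P<name>.+?)\s+(?P<vmx>\[[^\]]+\]\s+\S+\.vmx)")


@dataclass(frozen=True)
class HostVm:
    host: str
    vmid: int
    name: str
    vmx: str  # "[datastore] dir/file.vmx"


def parse_getallvms(host: str, text: str) -> list[HostVm]:
    """Parse one host's output; the header line does not match the regex and is skipped."""
    vms = []
    for line in text.splitlines():
        m = GETALLVMS_LINE.match(line)
        if m:
            vms.append(HostVm(host, int(m["vmid"]), m["name"], m["vmx"]))
    return vms


def vmx_directory(vmx: str) -> str:
    """'[ds1] web01/web01.vmx' -> 'web01' (empty string if the .vmx sits in the datastore root)."""
    path = vmx.split("]", 1)[1].strip()
    return path.rsplit("/", 1)[0] if "/" in path else ""


def find_rogue_vms(vcenter_names: set[str], per_host: dict[str, str]) -> list[HostVm]:
    """Registered on a host but absent from vCenter: the hiding technique described above."""
    found = []
    for host, text in per_host.items():
        found.extend(vm for vm in parse_getallvms(host, text) if vm.name not in vcenter_names)
    return found


def find_odd_layout(per_host: dict[str, str]) -> list[HostVm]:
    """VMs whose .vmx lives in a dot-directory or a directory that does not match the VM name.
    Weak on its own (renamed VMs trip it); useful as a triage sort key for the rogue list."""
    odd = []
    for host, text in per_host.items():
        for vm in parse_getallvms(host, text):
            d = vmx_directory(vm.vmx)
            if d.startswith(".") or d != vm.name:
                odd.append(vm)
    return odd


if __name__ == "__main__":
    for vm in find_rogue_vms(VCENTER_INVENTORY, HOST_GETALLVMS):
        print(f"ROGUE?     host={vm.host} vmid={vm.vmid} name={vm.name!r} vmx={vm.vmx}")
    for vm in find_odd_layout(HOST_GETALLVMS):
        print(f"ODD LAYOUT host={vm.host} name={vm.name!r} vmx={vm.vmx}")
```

Run it against every host in the cluster, not a sample: an actor with vCenter access can register a VM on whichever host is least watched. Because vCenter itself may be the compromised component, collect the per-host lists directly from ESXi rather than through vCenter APIs, and treat any hit as a lead for disk-level forensics rather than something to delete on the spot.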
Why you should care:
This is infrastructure compromise at the hypervisor layer. If your VMware environment is compromised, the attacker can see everything running on it—every VM, every snapshot, every credential that passes through. The 17-month dwell time demonstrates these actors are playing long games, positioning for sustained intelligence collection or potential disruption.
The MSP credential theft component means one compromise can cascade across trust boundaries into multiple organizations. The ADFS key export enables authentication token forgery: with the token-signing key, attackers can mint SAML tokens for any user, and password- or MFA-based detections never fire because no authentication takes place. Forged tokens remain usable until the token-signing certificate is rotated (twice, so the old certificate also drops out of the trust list), which is why key rotation belongs in the remediation plan alongside credential resets. For any organization running VMware vCenter, this advisory should trigger immediate hunting using CISA’s published YARA and Sigma rules. The question isn’t whether you’re a target; it’s whether you’d detect this level of sophistication if it was already in your environment.
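The layered C2 described in the technical bullets is hard to inspect but easy to characterise from the outside: hypervisor and identity infrastructure has no business opening outbound WebSockets or resolving names over DNS-over-HTTPS. The following is an added example of that network-side hunt; it is not one of CISA's published rules or a vendor product. Its input is a constructed JSON-lines log modelled on what a TLS-inspecting egress proxy records per request (Zeek's http.log carries the same fields under other names), and MANAGEMENT_HOSTS and APPROVED_DOH are assumptions to replace with your vCenter, ESXi, DC and ADFS addresses and your real DNS policy.

```python
"""Hunt for the C2 shape described above: WebSocket upgrades and DoH from management hosts.

Added example; not from CISA's rules or any product. Log, host list and policy are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumption: hosts with no business opening outbound WebSockets or using DoH.
MANAGEMENT_HOSTS = {"10.10.0.5": "vcsa01", "10.10.0.11": "esxi-01",
                    "10.10.1.20": "dc01", "10.10.1.21": "adfs01"}
# Assumption: servers resolve only via internal DNS, so no DoH resolver is approved.
APPROVED_DOH: set[str] = set()

# Constructed sample, one record per HTTP request. `upgrade` is the request's Upgrade
# header, `ctype` its Content-Type. Host names are placeholders, not real domains.
SAMPLE_LOG = """\
{"ts":"2025-12-04T03:12:00Z","src":"10.10.0.5","host":"resolver.example-doh.test","method":"POST","uri":"/dns-query","upgrade":"","ctype":"application/dns-message"}
{"ts":"2025-12-04T03:12:01Z","src":"10.10.0.5","host":"static-metrics.example-cdn.test","method":"GET","uri":"/ws","upgrade":"websocket","ctype":""}
{"ts":"2025-12-04T03:27:02Z","src":"10.10.0.5","host":"static-metrics.example-cdn.test","method":"GET","uri":"/ws","upgrade":"websocket","ctype":""}
{"ts":"2025-12-04T03:42:03Z","src":"10.10.0.5","host":"static-metrics.example-cdn.test","method":"GET","uri":"/ws","upgrade":"websocket","ctype":""}
{"ts":"2025-12-04T03:13:10Z","src":"10.20.4.77","host":"chat.example-saas.test","method":"GET","uri":"/socket.io/","upgrade":"websocket","ctype":""}
{"ts":"2025-12-04T03:14:00Z","src":"10.10.1.20","host":"wsus.corp.test","method":"POST","uri":"/ClientWebService/client.asmx","upgrade":"","ctype":"text/xml"}
"""


def is_doh(rec):
    """RFC 8484 shapes: GET/POST to .../dns-query, or an application/dns-message body."""
    path = rec["uri"].split("?", 1)[0]
    return path.endswith("/dns-query") or rec["ctype"] == "application/dns-message"


def is_websocket(rec):
    return rec["upgrade"].lower() == "websocket"


def _parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def beacon_interval_s(timestamps):
    """Median gap between consecutive connections; a tight value suggests a timer, not a user."""
    t = sorted(_parse_ts(s) for s in timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(t, t[1:])]
    return median(gaps) if gaps else None


def detect(log_text):
    """One alert per (management host, destination) seen using WebSocket, plus one per DoH request."""
    ws = defaultdict(list)
    doh = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        name = MANAGEMENT_HOSTS.get(rec["src"])
        if name is None:
            continue  # user segments need their own baseline; out of scope for this rule
        if is_websocket(rec):
            ws[(name, rec["host"])].append(rec["ts"])
        if is_doh(rec) and rec["host"] not in APPROVED_DOH:
            doh.append({"rule": "mgmt-doh", "src": name, "dst": rec["host"], "ts": rec["ts"]})
    alerts = [{"rule": "mgmt-websocket", "src": s, "dst": d, "count": len(ts),
               "interval_s": beacon_interval_s(ts)} for (s, d), ts in ws.items()]
    return alerts + doh


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The nested TLS inside the WebSocket stays opaque to the proxy, so the signal is the upgrade itself and the regularity of reconnects, not payload content. If management hosts egress without a proxy, the same logic works on flow or TLS (SNI) logs, with the WebSocket check replaced by long-lived sessions to a single external host.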
Key sources:
- CISA Alert: https://www.cisa.gov/news-events/alerts/2025/12/04/prc-state-sponsored-actors-use-brickstorm-malware-across-public-sector-and-information-technology
- CISA Malware Analysis Report: https://www.cisa.gov/news-events/analysis-reports/ar25-338a
- Dark Reading coverage: https://www.darkreading.com/cyberattacks-data-breaches/cisa-ongoing-brickstorm-backdoor-attacks
- The Hacker News analysis: https://thehackernews.com/2025/12/cisa-reports-prc-hackers-using.html
React2Shell (CVE-2025-55182): CVSS 10.0 RCE Exploited by Nation-States Within Hours
What happened:
A critical remote code execution vulnerability in React Server Components was disclosed on December 3, affecting React 19.x, Next.js 15.x/16.x, React Router, Waku, and other RSC-enabled frameworks. The vulnerability (CVE-2025-55182) received a CVSS 10.0 score: the maximum severity rating. Unsafe deserialization in the Flight protocol allows unauthenticated attackers to execute arbitrary code on servers processing RSC requests.
Within hours of public disclosure, China-nexus threat groups began active exploitation. AWS Security reported exploitation attempts on December 4 attributed to Earth Lamia and Jackpot Panda, including the attackers debugging and troubleshooting their payloads against live targets, a sign the exploit was already in operational use rather than still being developed. The attack surface is large: by common estimates React is used in roughly 40% of web development, and Next.js alone has an 18-20% share among React users. Vercel, Cloudflare, and other edge providers pushed emergency WAF mitigations, but those only cover traffic that passes through them and are a stopgap, not a fix; self-hosted applications remain exposed until patched.
Technical details that matter:
- Unauthenticated RCE via deserialization: The Flight protocol deserializes data passed between client and server without adequate validation. Crafted payloads achieve code execution in the server context with no authentication required.
- Hours from disclosure to exploitation: Nation-state actors moved from public disclosure to active exploitation in under 24 hours. This is the new normal for high-value vulnerabilities; patch windows have collapsed from days to hours.
- Massive attack surface: Any RSC endpoint is vulnerable. This includes customer portals, internal tools, dashboards, and SaaS applications built on affected frameworks. Many organizations don’t have complete inventories of their React/Next.js deployments.
- Server-side execution context: Unlike client-side XSS, this vulnerability executes in the server environment with access to databases, internal APIs, environment variables, and secrets. Initial access leads directly to backend compromise.
- Framework diversity complicates patching: The vulnerable deserializer ships in the react-server-dom-* packages, and each framework (Next.js, React Router, Waku, etc.) either depends on or bundles its own copy, so each needs its own patched release. Organizations may have different frameworks across different applications, and a Next.js app’s lockfile shows only the next version, not the React package bundled inside it.
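The inventory gap in the bullets above is mostly a lockfile-walking problem. The script below is an added example, not from the React or Next.js projects: it enumerates the RSC-carrying packages across npm lockfiles (lockfileVersion 1, 2 and 3) and compares each against the fixed release for its minor line. FIXED is my reading of the React and Next.js advisories and is an assumption: confirm each entry against the advisories linked under Key sources before acting on the output. Frameworks whose fixed versions are not in the table are reported for manual review, and for Next.js apps the next version is what matters because the lockfile never lists the vendored React copy.

```python
"""Inventory RSC packages across npm lockfiles and compare against fixed versions.

Added example for the React2Shell discussion; not from the React or Next.js projects.
FIXED is an assumption: verify every entry against the advisories before relying on it.
"""
import json
import re
from pathlib import Path

_RSC = ("react-server-dom-webpack", "react-server-dom-turbopack", "react-server-dom-parcel")
# Assumed fixed release per minor line; verify against the React and Next.js advisories.
FIXED = {
    **{p: {"19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1"} for p in _RSC},
    "next": {"15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6", "15.3": "15.3.6",
             "15.4": "15.4.8", "15.5": "15.5.7", "16.0": "16.0.7"},
    "react-router": {},   # RSC support is a preview; check the project's advisory by hand
    "waku": {},
}

_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(?P<pre>[0-9A-Za-z.-]+))?")


def parse_version(v):
    m = _SEMVER.match(v)
    return None if m is None else (int(m[1]), int(m[2]), int(m[3]), m["pre"])


def classify(pkg, version):
    """'fixed' | 'vulnerable' | 'prerelease' (canary: compare by hand) |
    'review' (no fixed version known for this line) | 'unparsed'."""
    parsed = parse_version(version)
    if parsed is None:
        return "unparsed"
    major, minor, patch, pre = parsed
    fixed = FIXED.get(pkg, {}).get(f"{major}.{minor}")
    if fixed is None:
        return "review"
    if pre is not None:
        return "prerelease"
    fmaj, fmin, fpatch, _ = parse_version(fixed)
    return "fixed" if (major, minor, patch) >= (fmaj, fmin, fpatch) else "vulnerable"


def packages_in_lock(lock):
    """Yield (name, version) from lockfileVersion 2/3 `packages` and v1 `dependencies`."""
    for key, meta in lock.get("packages", {}).items():
        if key and "version" in meta:                   # "" is the root project entry
            yield key.rsplit("node_modules/", 1)[-1], meta["version"]

    def walk(deps):
        for name, meta in deps.items():
            if "version" in meta:
                yield name, meta["version"]
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def scan_lock(lock, source="package-lock.json"):
    """Nested copies count too: a fixed top-level package does not clear a vulnerable nested one."""
    seen, findings = set(), []
    for name, version in packages_in_lock(lock):
        if name in FIXED and (name, version) not in seen:
            seen.add((name, version))
            findings.append({"file": source, "package": name, "version": version,
                             "status": classify(name, version)})
    return findings


def scan_tree(root):
    """Walk a checkout tree; lockfiles inside vendored node_modules are skipped."""
    out = []
    for lock in Path(root).rglob("package-lock.json"):
        if "node_modules" not in lock.parts:
            out.extend(scan_lock(json.loads(lock.read_text()), str(lock)))
    return out


# Constructed lockfile: a Next app that also pins an older react-server-dom-webpack at top
# level and a fixed one nested under a legacy package.
SAMPLE_LOCK = {
    "name": "portal", "lockfileVersion": 3,
    "packages": {
        "": {"name": "portal", "dependencies": {"next": "16.0.1"}},
        "node_modules/next": {"version": "16.0.1"},
        "node_modules/react": {"version": "19.2.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.1.1"},
        "node_modules/legacy-admin/node_modules/react-server-dom-webpack": {"version": "19.2.1"},
        "node_modules/waku": {"version": "0.21.0"},
    },
}

if __name__ == "__main__":
    for f in scan_lock(SAMPLE_LOCK):
        print(f"{f['status']:<11} {f['package']}@{f['version']}")
```

Point `scan_tree` at a monorepo or a directory of cloned repositories to get the organisation-wide list; pnpm and yarn lockfiles need their own readers, and container images need the same check run inside the image, since what is deployed is not always what is in the repository.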
Why you should care:
If you have any web applications built on React 19 or Next.js 15/16 with Server Components enabled, you’re exposed right now. This includes customer-facing applications, internal tools, and third-party SaaS products you depend on. The speed of nation-state exploitation means your security team needs to be inventorying RSC usage and prioritizing patches today, not next sprint.
The combination of unauthenticated access, server-side execution, and massive attack surface makes this one of the most significant web application vulnerabilities of the year. Even if your own applications are patched, your SaaS vendors and partners may still be vulnerable. Ask your vendors directly about their React/Next.js exposure and patch status.
Key sources:
- React official: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
- AWS Security Blog: https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/
- Wiz: https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
- Rapid7: https://www.rapid7.com/blog/post/etr-react2shell-cve-2025-55182-critical-unauthenticated-rce-affecting-react-server-components/
London Borough Councils: Supply Chain Ransomware via Shared IT Services
What happened:
Three London borough councils—Kensington & Chelsea, Westminster, and Hammersmith & Fulham—confirmed on December 1 that they were hit by ransomware through their shared IT services provider in late November. The attack affected services for approximately 550,000 residents across the three boroughs. Data was exfiltrated before encryption, and full recovery is expected to take weeks.
The councils share IT infrastructure and services through a joint arrangement, which created a single point of failure. The councils have not described the intrusion path in detail, but once the shared provider is compromised, the trusted management connections into each council’s environment are the route to all three. The specific ransomware variant and threat actor have not been publicly attributed; the pattern is the established MSP compromise playbook seen in the 2021 Kaseya VSA incident and in dozens of similar cases since.
Technical details that matter:
- MSP trust exploitation: Attackers compromised the shared IT provider once and pivoted into all three council networks through legitimate management connections. No need to breach each council separately—the trusted relationship provided the access path.
- Shared infrastructure as attack multiplier: The cost-efficiency of shared services creates correlated risk exposure. One security failure affects all participants simultaneously, and recovery must be coordinated across multiple organizations.
- Data exfiltration before encryption: Attackers extracted data before deploying ransomware, enabling double extortion. Even if councils restore from backups, stolen data can be leaked or sold.
- Implicit trust bypasses segmentation: Traditional network segmentation assumes MSP management traffic is legitimate. Attackers operating through MSP credentials appear as authorized administrative activity.
- Recovery complexity: Three separate organizations must coordinate incident response, forensics, and restoration while maintaining some level of service delivery to half a million residents.
Why you should care:
Shared services and managed service providers are force multipliers for attackers. One compromise equals multiple victims, and the trusted relationships that make shared services efficient are exactly what attackers exploit. This pattern is particularly relevant for government agencies, healthcare systems, and utilities that increasingly rely on shared IT infrastructure for cost efficiency.
The question isn’t whether your MSP is a target (they are), it’s whether you’ve assessed the risk of your MSP being compromised and what your detection and response capabilities look like for that scenario. Can you detect malicious activity coming through legitimate management channels? Do you have independent backups your MSP can’t access? Have you tested your ability to operate without your MSP during an incident?
Key sources:
- BleepingComputer: https://www.bleepingcomputer.com/news/security/multiple-london-councils-it-systems-disrupted-by-cyberattack/
- The Register: https://www.theregister.com/2025/11/26/cyberattack_london_councils/
- Infosecurity Magazine: https://www.infosecurity-magazine.com/news/royal-borough-kensington-chelsea/
- RBKC official: https://www.rbkc.gov.uk/newsroom/we-are-responding-cyber-security-issue
Korean Leaks: Qilin Ransomware Compromises MSP, Hits 28 Financial Firms
What happened:
Bitdefender disclosed on November 26 that a single managed service provider compromise led to ransomware attacks against 28 South Korean financial services firms. The Qilin ransomware group, operating under the “Korean Leaks” branding, exfiltrated over 2TB of data (more than 1 million files) across three attack waves between September and October 2025. The MSP, GJTec, provided IT services to asset management companies and investment firms across South Korea.
Security researchers identified potential involvement of Moonstone Sleet, a DPRK-linked threat actor, operating as a Qilin affiliate. This represents a significant convergence: nation-state actors using ransomware-as-a-service infrastructure for financial gain while maintaining plausible deniability. The affected firms manage significant assets, and the stolen data includes client information, trading strategies, and internal communications.
Technical details that matter:
- MSP privileged access exploitation (ATT&CK T1199, Trusted Relationship): GJTec’s administrative access to client environments provided the attack path. Attackers compromised the MSP once and could deploy ransomware simultaneously across 28 client organizations.
- Three-wave campaign: Attacks occurred in distinct waves (September-October 2025), suggesting deliberate pacing—possibly to avoid detection or to maximize data collection before encryption.
- Nation-state/RaaS convergence: Potential Moonstone Sleet (DPRK) involvement as a Qilin affiliate blurs the line between nation-state espionage and criminal ransomware. Attribution becomes harder; defense becomes more complex.
- Financial sector targeting: Asset managers and investment firms hold high-value data—client lists, trading algorithms, M&A intelligence. This data has value beyond ransom payments.
- Coordinated exfiltration: 2TB+ across 28 organizations requires significant operational capacity and suggests pre-planned data staging and extraction infrastructure.
Why you should care:
This attack demonstrates two converging threats: supply chain concentration risk and nation-state/criminal convergence. Financial services firms thought they were managing their own security, but their shared MSP created correlated exposure across the entire client base. When your IT provider is compromised, your perimeter security is irrelevant.
The potential DPRK involvement adds another dimension. Nation-state actors using criminal RaaS infrastructure get deniability and revenue, while ransomware operators get sophisticated tradecraft and persistent access capabilities. For financial institutions, this means threat models need to account for adversaries with both nation-state resources and criminal profit motives. Third-party risk assessments need to explicitly address MSP compromise scenarios, and detection capabilities need to identify lateral movement from trusted management interfaces.
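Both MSP incidents in this issue end on the same question: whether activity arriving through legitimate management channels can be told apart from the MSP's normal work. The credentials are real, so the detection has to be about pattern, not identity. The following is an added example of that logic, not from Bitdefender, the councils or any product: it runs three checks over Windows Security 4624 events (off-window logons, logons from outside the provider's jump hosts, and an account fanning out to many hosts within an hour). The events are constructed JSON lines in the field names a log shipper forwards, and MSP_ACCOUNTS, MSP_JUMP_HOSTS, MAINT_WINDOW and FANOUT_LIMIT are assumptions for a hypothetical environment; in practice they come from the MSP contract and the change calendar.

```python
"""Privileged logons through the MSP path that break the provider's expected pattern.

Added example; not from any vendor or the incidents' sources. All inputs are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, time

MSP_ACCOUNTS = {"svc-msp-rmm", "msp-admin"}        # assumed provider accounts
MSP_JUMP_HOSTS = {"10.250.0.10", "10.250.0.11"}    # assumed provider VPN/jump addresses
MAINT_WINDOW = (time(22, 0), time(6, 0))            # assumed 22:00-06:00 local, wraps midnight
FANOUT_LIMIT = 5                                    # distinct hosts per account per hour
NETWORK_OR_RDP = {3, 10}                            # logon types: network (SMB/WMI/WinRM), RDP
WINDOW_S = 3600

# Constructed events. The six WS-000x logons in nine minutes model a push to many hosts.
SAMPLE_EVENTS = """\
{"TimeCreated":"2025-11-24T23:05:10","EventID":4624,"Computer":"FS01","TargetUserName":"svc-msp-rmm","LogonType":3,"IpAddress":"10.250.0.10"}
{"TimeCreated":"2025-11-25T02:01:00","EventID":4624,"Computer":"DC01","TargetUserName":"msp-admin","LogonType":10,"IpAddress":"10.44.9.3"}
{"TimeCreated":"2025-11-25T03:00:00","EventID":4624,"Computer":"WS-0001","TargetUserName":"msp-admin","LogonType":3,"IpAddress":"10.250.0.11"}
{"TimeCreated":"2025-11-25T03:02:00","EventID":4624,"Computer":"WS-0002","TargetUserName":"msp-admin","LogonType":3,"IpAddress":"10.250.0.11"}
{"TimeCreated":"2025-11-25T03:04:00","EventID":4624,"Computer":"WS-0003","TargetUserName":"msp-admin","LogonType":3,"IpAddress":"10.250.0.11"}
{"TimeCreated":"2025-11-25T03:06:00","EventID":4624,"Computer":"WS-0004","TargetUserName":"msp-admin","LogonType":3,"IpAddress":"10.250.0.11"}
{"TimeCreated":"2025-11-25T03:08:00","EventID":4624,"Computer":"WS-0005","TargetUserName":"msp-admin","LogonType":3,"IpAddress":"10.250.0.11"}
{"TimeCreated":"2025-11-25T03:09:00","EventID":4624,"Computer":"WS-0006","TargetUserName":"msp-admin","LogonType":3,"IpAddress":"10.250.0.11"}
{"TimeCreated":"2025-11-25T03:05:00","EventID":4625,"Computer":"FS02","TargetUserName":"msp-admin","LogonType":3,"IpAddress":"10.250.0.11"}
{"TimeCreated":"2025-11-25T09:00:00","EventID":4624,"Computer":"FS01","TargetUserName":"j.smith","LogonType":10,"IpAddress":"10.20.1.5"}
{"TimeCreated":"2025-11-25T10:14:00","EventID":4624,"Computer":"FS01","TargetUserName":"svc-msp-rmm","LogonType":10,"IpAddress":"10.250.0.10"}
"""


def in_window(ts):
    """True inside the maintenance window, handling a window that crosses midnight."""
    start, end = MAINT_WINDOW
    t = ts.time()
    return (t >= start or t < end) if start > end else (start <= t < end)


def load(events_text):
    for line in events_text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["TimeCreated"] = datetime.fromisoformat(e["TimeCreated"])
            yield e


def detect(events_text):
    alerts = []
    per_account = defaultdict(list)
    for e in load(events_text):
        if e["EventID"] != 4624 or e["LogonType"] not in NETWORK_OR_RDP:
            continue                                  # successes only; failures are a separate rule
        user = e["TargetUserName"]
        if user not in MSP_ACCOUNTS:
            continue
        per_account[user].append(e)
        if not in_window(e["TimeCreated"]):
            alerts.append({"rule": "msp-off-window", "user": user, "host": e["Computer"],
                           "ts": e["TimeCreated"].isoformat()})
        if e["IpAddress"] not in MSP_JUMP_HOSTS:
            alerts.append({"rule": "msp-off-source", "user": user, "host": e["Computer"],
                           "src": e["IpAddress"]})
    # Fan-out: distinct hosts touched by one account inside a sliding one-hour window.
    for user, evs in per_account.items():
        evs.sort(key=lambda x: x["TimeCreated"])
        for i, cur in enumerate(evs):
            recent = {x["Computer"] for x in evs[: i + 1]
                      if (cur["TimeCreated"] - x["TimeCreated"]).total_seconds() <= WINDOW_S}
            if len(recent) > FANOUT_LIMIT:
                alerts.append({"rule": "msp-fanout", "user": user, "hosts": len(recent),
                               "ts": cur["TimeCreated"].isoformat()})
                break                                 # one alert per account per run
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

An RMM service account that pushes patches will legitimately trip the fan-out rule, which is why it is paired with the window check: suppress fan-out inside approved change windows and page on it outside them. The off-source rule is the one that needs the least tuning and catches the most, provided the MSP's access is actually pinned to known jump hosts in the first place.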
Key sources:
- Bitdefender: https://www.bitdefender.com/en-us/blog/businessinsights/korean-leaks-campaign-targets-south-korean-financial-services-qilin-ransomware
- The Hacker News: https://thehackernews.com/2025/11/qilin-ransomware-turns-south-korean-msp.html
- Cybersecurity News: https://cybersecuritynews.com/qilin-raas-exposed-1-million-files/
Upbit Exchange Hack: Lazarus Group Steals $34 Million
What happened:
On November 27, Upbit, South Korea’s largest cryptocurrency exchange by volume, disclosed a theft of approximately $34 million (50 billion won) in cryptocurrency. South Korean authorities, including the National Intelligence Service, attributed the attack to the DPRK’s Lazarus Group within days of the incident. This marks one of the fastest official nation-state attributions for a financial cyberattack.
Attackers compromised administrator credentials and accessed hot wallet management systems, draining funds before the theft was detected. The stolen cryptocurrency was rapidly moved through a series of wallet transfers and mixing services to obscure its origin. Lazarus Group has stolen over $3 billion from financial institutions over the past five years, with cryptocurrency exchanges being a primary target since 2017.
Technical details that matter:
- Administrator credential compromise: Attackers obtained legitimate admin credentials (method not disclosed) and used them to access wallet management infrastructure. All activity appeared as authorized administrative actions.
- Hot wallet targeting: Hot wallets (internet-connected for transaction processing) were targeted rather than cold storage. This is the standard Lazarus playbook: target the assets that can be moved quickly.
- Rapid extraction and laundering: Funds moved through multiple wallets within hours of theft, then into mixing services. The speed suggests pre-positioned infrastructure and rehearsed playbooks.
- On-chain reconnaissance: Lazarus reportedly studied the exchange’s transaction patterns to map which addresses belonged to which hot wallets and how funds moved between them before executing the theft, so the withdrawal could be sized and routed in advance.
- Professional operation at scale: This is Lazarus’s business model. The group operates like a well-funded financial crimes unit with dedicated teams for reconnaissance, access, extraction, and laundering.
Why you should care:
Lazarus isn’t just a cryptocurrency threat. The credential abuse, administrator impersonation, and rapid lateral movement TTPs translate directly to traditional financial institutions. The group has previously targeted SWIFT systems, central banks, and payment processors. The cryptocurrency attacks are practice runs and funding sources for broader financial sector operations.
For any financial institution, Lazarus represents a persistent, well-resourced threat that will probe for weaknesses in privileged access management, MFA implementation, and transaction monitoring. The speed of this operation (compromise to extraction to laundering in hours) means detection and response windows are extremely tight. If your transaction monitoring can’t identify anomalous administrative behavior in near-real-time, you won’t catch this until the money is gone.
Key sources:
- The Record: https://therecord.media/officials-accuse-north-korea-hackers-of-attack-on-crypto-exchange
- UPI: https://www.upi.com/Top_News/World-News/2025/11/27/Lazarus-hacking-cryptocurrency-theft-Upbit-exchange-Korea/8391764302616/
- CoinDesk: https://www.coindesk.com/markets/2025/11/28/south-korea-suspects-north-korea-linked-lazarus-behind-usd36m-upbit-hack
- Blockhead: https://www.blockhead.co/2025/11/28/south-koreas-upbit-suffers-32-million-hack-lazarus-group-suspected/
The Pattern this Week
Nation-states aren’t waiting for you to patch anymore. They’re exploiting critical vulnerabilities within hours of disclosure while simultaneously maintaining 17-month footholds in your infrastructure. This week shows adversaries operating at both ends of the time spectrum: racing to weaponize React2Shell before defenders can respond, while BRICKSTORM actors patiently harvest credentials and forge authentication tokens from inside VMware environments. The common thread isn’t speed or stealth; it’s infrastructure-layer targeting. Hypervisors, server-side frameworks, managed service providers: attackers are compromising the platforms everything else runs on, not the endpoints sitting on top. When your MSP is the attack vector, your perimeter is irrelevant. The defender’s dilemma: you need to respond in hours to zero-days while hunting for adversaries who’ve been inside for months.
See you next week.

