
Falco Feeds extends the power of Falco by giving open source-focused companies access to expert-written rules that are continuously updated as new threats are discovered.
December is typically a month of pause and transition to round out the year. While others see slowdowns and change freezes, on-call security teams wait anxiously for threat actors to take advantage of shoppers, generosity, and lowered guards. Attackers continued to innovate as 2025 came to a close, with a handful of notable APT-level campaigns.
Following the disclosure of the React2Shell vulnerability in December, the Sysdig TRT identified a notable new threat. On December 8, the team published a technical analysis of a novel malware it dubbed EtherRAT. This highly sophisticated campaign brought unique nation-state TTPs to the exploitation of React2Shell. EtherRAT is a multi-stage attack chain that uses Ethereum blockchain smart contracts for command and control.
On December 16, the Sysdig TRT published an additional blog detailing the five different payloads recovered from the attacker’s C2 infrastructure. Both blogs include IOCs and other suggested detection and response actions.
December closed 2025 the same way the year began: with pressure on defenders and attackers searching for opportunity. Security work is often invisible when it’s done right, and December reinforced how little room there is in the field for complacency.
Three lessons come to mind after reviewing the critical application vulnerabilities and nation-state tradecraft of the month: in 2026, defenders must prioritize visibility, design for resilience, and never underestimate collaboration and information sharing. We know the threats will continue to evolve, and so must we.

