TL;DR

• [Vulnerabilities] Active exploitation of Cisco AsyncOS zero-day and other KEV-listed edge flaws; prioritize patching email gateways, VPNs, and firewalls; hunt for perimeter webshell/tunneling artifacts.
• [OT/Critical Infrastructure] Pro-Russia hacktivists abusing exposed VNC into HMI/SCADA; Denmark attributes destructive water-utility incident to Russia-linked groups; urgently audit/lock down remote access in OT.
• [Threat Actors] China-aligned LongNosedGoblin and Iran’s Infy resurgence leverage Group Policy abuse, cloud C2 (OneDrive/Drive), DGAs/Telegram; strengthen identity/EDR/proxy detections and targeted hunts.

AlphaHunt

Stop doomscrolling, start decisioning. We chewed through the muck so your team doesn’t have to. → Subscribe!

Like this? Forward this to a friend!

(Have feedback? Did something resonate with you? Did something annoy you? Just hit reply! :))

Current Stories

TL;DR

• [Vulnerabilities / Edge Devices] Critical Cisco AsyncOS zero‑day (CVE-2025-20393) and other KEV‑listed edge flaws drive an urgent patch/mitigation window on email gateways, VPNs, and firewalls through late December.

• [Ransomware / Critical Infrastructure] Romania’s “Romanian Waters” agency hit by BitLocker‑based ransomware, encrypting ~1,000 IT systems but leaving OT/water flow intact via manual operations.

• [APT – China] Newly exposed China‑aligned APT “LongNosedGoblin” uses Group Policy for lateral movement and cloud services (OneDrive/Google Drive) for C2 against Southeast Asian and Japanese government networks.

• [APT – Iran] SafeBreach documents large‑scale resurgence of Iranian “Prince of Persia”/Infy APT with new Foudre/Tonnerre variants, DGAs, and Telegram‑backed C2 targeting regional and diaspora networks.

References

• (2025-12-18) Cisco Zero-Day Vulnerability (CVE-2025-20393) Exploited in the Wild

• (2025-12-17) CISA Adds Three Known Exploited Vulnerabilities to Catalog (KEV catalog reference)

• (2025-12-22) Romanian water authority hit by ransomware attack over weekend

• (2025-12-18) LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Japan

• (2025-12-18) Prince of Persia: A Decade of Iranian Nation-State APT Campaign Activity under the Microscope

AlphaHunt Converge - Plug in your Flight Crew

Get intelligence where it counts. No dashboards. No detours. AlphaHunt Converge teases out your intent, reviews the results and delivers actionable intel right inside Slack. We turn noise into signal and analysts into force multipliers.

Anticipate, Don’t Chase.

Plug it In!

Suggested Pivots

How do the Cisco AsyncOS zero-day (CVE-2025-20393) and other KEV edge entries map onto our own exposed email gateways, VPNs, and firewalls and their hardening gaps?

• Why: Connects a time‑boxed federal KEV mandate and active exploitation directly to your perimeter stack, not just generic CVE chatter.
• What to expect: A prioritized list of internet‑facing devices, mitigation status vs CISA guidance, and concrete telemetry patterns (e.g., webshell/tunneler tooling) to hunt for.

What is the combined detection coverage and hunting strategy across LongNosedGoblin and Prince of Persia tradecraft (Group Policy abuse, cloud‑C2, DGAs, Telegram) in our current stack?

• Why: Both APTs lean heavily on “living off the land” and commodity cloud services, stressing behavior‑ and configuration‑based defenses.
• What to expect: A cross‑mapping of these TTPs to your EDR, identity, and proxy controls plus candidate hunts around Group Policy, cloud OAuth, and DGA/Telegram patterns.

Emerging Stories