Threat Intelligence News from LevelBlue SpiderLabs January 2026
Published 2026-01-06 15:00:02. Author: levelblue.com

January 2026

LevelBlue SpiderLabs is the threat intelligence unit of LevelBlue and includes a global team of threat researchers and data scientists who, combined with proprietary technology in data analytics and machine learning (ML), analyze one of the largest and most diverse collections of threat data in the world. Our research team delivers tactical threat intelligence that powers resilient threat detection and response — even as an organization’s attack surface expands, technology evolves, and adversaries change their tactics, techniques, and procedures.

The LevelBlue SpiderLabs update gives you the latest threat news, including recent updates to USM Anywhere detections and new threat intelligence published in the LevelBlue SpiderLabs Open Threat Exchange (OTX), one of the largest open threat intelligence sharing communities in the world.

LevelBlue SpiderLabs Threat Intelligence News

MongoBleed: Critical MongoDB Vulnerability Under Active Exploitation

On December 19, 2025, a severe vulnerability in MongoDB known as MongoBleed (CVE-2025-14847) was disclosed, impacting most MongoDB deployments. The flaw, rated CVSSv4 8.7, allows unauthenticated attackers to leak uninitialized heap memory, exposing sensitive data such as passwords and API keys. Public exploits appeared on December 25, and by December 28, widespread exploitation was confirmed. Despite urgent patching efforts, scans on December 30 revealed that nearly 70% of publicly accessible instances remained vulnerable, leaving thousands of organizations exposed. With over 300,000 internet-facing MongoDB servers and active exploitation underway, the risk is immediate and significant.

MongoBleed affects versions from 4.4 through 8.2, with patches available in 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30. Organizations are urged to upgrade immediately or apply temporary mitigations such as disabling zlib-compressed requests and enforcing strict network segmentation (blocking TCP/27017 from the internet). Beyond patching, detection and response are critical: forensic indicators include spikes in user assertions via db.serverStatus().asserts and FTDC telemetry.
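As an added example (not code from the LevelBlue post) of using the db.serverStatus().asserts indicator mentioned above: the function below takes serverStatus samples collected at a fixed interval and flags intervals where the cumulative asserts.user counter grows far faster than its recent baseline. The thresholds, the sample shape and the constructed sample values are assumptions.

```javascript
// Added example, not from the LevelBlue post: flag spikes in the user-assert
// counter exposed by db.serverStatus().asserts, the forensic indicator named
// above. Samples are taken at a fixed interval (here: one per minute). The
// counter is cumulative since mongod start, so a drop means a restart (or the
// rollover tracked in asserts.rollovers) and the baseline is reset.
function userAssertSpikes(samples, { factor = 10, minDelta = 100, warmup = 3 } = {}) {
  const findings = [];
  let quiet = [];                       // per-interval deltas that were not flagged
  for (let i = 1; i < samples.length; i++) {
    const delta = samples[i].asserts.user - samples[i - 1].asserts.user;
    if (delta < 0) { quiet = []; continue; }   // restart or rollover: start over
    if (quiet.length >= warmup) {
      const baseline = quiet.reduce((a, b) => a + b, 0) / quiet.length;
      if (delta >= minDelta && delta > factor * Math.max(baseline, 1)) {
        findings.push({ ts: samples[i].ts, delta, baseline });
        continue;                       // keep the spike out of the baseline
      }
    }
    quiet.push(delta);
  }
  return findings;
}

// Constructed serverStatus excerpts, one per minute; only asserts.user is kept.
// Minutes 10:05 and 10:06 model a burst of malformed requests hitting the server.
const SAMPLES = [
  { ts: "2025-12-28T10:00Z", asserts: { user: 120 } },
  { ts: "2025-12-28T10:01Z", asserts: { user: 122 } },
  { ts: "2025-12-28T10:02Z", asserts: { user: 123 } },
  { ts: "2025-12-28T10:03Z", asserts: { user: 125 } },
  { ts: "2025-12-28T10:04Z", asserts: { user: 126 } },
  { ts: "2025-12-28T10:05Z", asserts: { user: 920 } },
  { ts: "2025-12-28T10:06Z", asserts: { user: 1720 } },
  { ts: "2025-12-28T10:07Z", asserts: { user: 1722 } },
];

// Returns the two flagged intervals (deltas 794 and 800) for the sample above.
function demo() { return userAssertSpikes(SAMPLES); }
```

In production the samples would come from a scheduled `db.serverStatus().asserts` call or from FTDC data; a flagged interval is a prompt to check connection logs and source addresses for that window, not proof of exploitation.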

React2Shell (CVE-2025-55182): Actively Exploited Critical RCE in React.js

On December 3, 2025, a critical unauthenticated remote code execution vulnerability with CVE-2025-55182 (React2Shell) was disclosed in React Server Components, earning a CVSS v3 score of 10.0 and CVSS v4 score of 9.3. The flaw, initially reported by Lachlan Davidson, allows attackers to execute arbitrary code via a single HTTP request, impacting popular frameworks like Next.js. Within days, widespread exploitation was observed, including cybercrime actors and suspected espionage groups. Campaigns are known to deploy malware families such as MINOCAT, SNOWLIGHT, HISONIC, and COMPOOD, alongside XMRIG cryptocurrency miners. Underground forums quickly circulated PoC code and scanning tools, fueling rapid weaponization, including in-memory Next.js web shells and Unicode-obfuscated payloads.

React2Shell affects the React Server Components packages react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack in versions 19.0, 19.1.0, 19.1.1, and 19.2.0. Organizations must patch immediately to versions 19.0.1, 19.1.2, or 19.2.1 (or later) to prevent RCE, and apply subsequent patches (19.2.2–19.2.3) to address related vulnerabilities (CVE-2025-55183, CVE-2025-55184, CVE-2025-67779). Additional mitigations include deploying WAF rules, auditing dependencies for vulnerable components, and monitoring for compromise indicators such as hidden directories ($HOME/.systemd-utils), malicious shell injections, and unauthorized persistence mechanisms.
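An added example, not code from the post or from the React project, of the dependency audit recommended above: it reads a package-lock.json (a constructed excerpt here) and classifies every installed copy of the three react-server-dom-* packages, including nested copies, against the version tiers the post lists. The helper names and the sample lockfile are assumptions.

```javascript
// Added example, not from the LevelBlue post or the React project: audit a
// package-lock.json (lockfileVersion 2/3 "packages" map) for the React Server
// Components packages affected by React2Shell and classify each installed copy
// by the version tiers given in the post ("19.0" in the post is 19.0.0).
const RSC_PACKAGES = ["react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack"];
const VULNERABLE = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);  // CVE-2025-55182
const RCE_FIXED_ONLY = new Set(["19.0.1", "19.1.2", "19.2.1"]);        // related CVEs still open

function cmpVersion(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

function classify(version) {
  if (VULNERABLE.has(version)) return "VULNERABLE: CVE-2025-55182 (unauthenticated RCE)";
  if (RCE_FIXED_ONLY.has(version)) return "RCE fixed; upgrade to 19.2.2+ for CVE-2025-55183/55184/67779";
  if (cmpVersion(version, "19.2.2") >= 0) return "ok";
  // Pre-release strings (e.g. "19.0.0-rc-...") compare as NaN and land here.
  return "not listed in the advisory; verify manually";
}

function auditLockfile(lockJson) {
  const lock = JSON.parse(lockJson);
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();   // last segment handles nested installs
    if (!RSC_PACKAGES.includes(name) || !entry.version) continue;
    findings.push({ path, version: entry.version, status: classify(entry.version) });
  }
  return findings;
}

// Constructed lockfile excerpt: a direct vulnerable install, a nested copy that
// only has the RCE fix, a fully patched copy, and an unrelated package to skip.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/next/node_modules/react-server-dom-parcel": { version: "19.2.1" },
    "node_modules/react-server-dom-turbopack": { version: "19.2.3" },
  },
});

function auditSample() { return auditLockfile(SAMPLE_LOCK); }
```

Run it against the real lockfile with `auditLockfile(fs.readFileSync("package-lock.json", "utf8"))`; anything not reported as "ok" needs the upgrade described above.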

Tracking, Detection & Hunting Capabilities

The LevelBlue SpiderLabs team created the following Adversary Trackers to automatically identify and detect the malicious infrastructure deployed by these families: VenomRat, NanoCore, Amadey, and Vidar.

The team has identified the following malware/threat actors as the most active during the month of December.

Figure 1. December 2025 Malware Trend.

The LevelBlue trackers have identified over 16,353 new IOCs for the different families they track. The busiest trackers during the month of December have been:

Figure 2. December 2025 New IOCs from LevelBlue Trackers.

USM Anywhere Detection Improvements

In December, LevelBlue SpiderLabs added or updated 15 USM Anywhere detections. Here are a few examples of improvements and new elements LevelBlue SpiderLabs developed:

  • New rules detecting the use of procdump in Office tools and the abuse of Azure Azcopy to exfiltrate data.
  • Improvement to O365 rules to identify Inbox Rules created from Consumer VPNs or to identify Suspicious User Agents.

Please visit the LevelBlue Success Center for a full list of improvements, new elements, issues found, and tasks created.

LevelBlue SpiderLabs Open Threat Exchange

LevelBlue SpiderLabs Open Threat Exchange (OTX) is among the world’s largest open threat intelligence sharing communities, made up of 330,000 threat researchers from 140 countries globally who publish threat information to the platform daily. LevelBlue SpiderLabs validates, analyzes, and enriches this threat intelligence. Members of OTX benefit from the collective research, can contribute to the community, analyze threats, create public and private threat intelligence sharing groups, and more. Learn more about OTX, its benefits, and how you can join here.

New OTX Pulses

The LevelBlue SpiderLabs team is continuously publishing new pulses in OTX based on their research and discoveries. Pulses are interactive and researchable repositories of information about threats, threat actors, campaigns, and more. This includes indicators of compromise (IoCs) that are useful to members. In December, 90 new Pulses were created by the Labs team, providing coverage for the latest threats and campaigns. Here are a few examples of the most relevant new Pulses:


Source: https://levelblue.com/blogs/spiderlabs-blog/threat-intelligence-news-from-levelblue-spiderlabs-january-2026/