
The DOT Report: Google Patching Active Exploits, Spyware Firm Leaks

December 18, 2025


The DOT Report is a monthly news series from DOT Security that looks at the most important developments in cybersecurity and how these incidents affect real organizations, systems, and people.

This month, we’re looking at an actively exploited Chrome zero-day, a stealthy malware campaign abusing Google Drive for command and control, a new generation of AI-powered phishing kits designed to bypass modern defenses, and leaked documents exposing how commercial spyware vendors deploy zero-day exploits at scale.

Each of these stories highlights a different failure point, from browsers and cloud platforms to identity systems and mobile devices, but together they tell a consistent story about how trust, convenience, and scale continue to be weaponized.

For even more cybersecurity news from The DOT Report, check out our video report on YouTube, or our podcast on Spotify, Apple Podcasts, or wherever you like to listen.

Chrome Zero-Day Actively Exploited in the Wild

Google closed out December by patching a critical Chrome zero-day vulnerability that was already being actively exploited in the wild. The flaw, a use-after-free bug in Chrome’s graphics rendering engine, allowed attackers to achieve arbitrary code execution simply by luring a victim to a malicious webpage.

What makes this vulnerability particularly concerning is how quickly it moved from discovery to exploitation. Researchers observed real-world attacks before a public patch was available, underscoring how closely threat actors monitor browser bug disclosures and weaponize them.

Once exploited, the flaw could allow attackers to escape Chrome’s sandbox protections and run code at the system level — a powerful foothold for follow-on malware delivery, credential theft, or surveillance.

Google’s emergency update highlights an uncomfortable reality: browsers remain one of the most reliable entry points for attackers, despite years of sandboxing and exploit mitigation work. With Chrome acting as the gateway to cloud apps, SaaS platforms, and internal systems, a single unpatched browser can effectively collapse an organization’s perimeter.

NanoRemote Malware Abuses Google Drive for Stealthy Command and Control

Security researchers also uncovered a new Windows backdoor this month, dubbed NanoRemote, notable for its use of Google Drive as a command-and-control channel.

Rather than beaconing to suspicious external servers, the malware blends into normal cloud traffic by interacting directly with the Google Drive API — uploading stolen data and retrieving attacker commands through a trusted platform.

The infection chain begins with a loader that masquerades as a legitimate Bitdefender crash handler. Once executed, it decrypts and launches the NanoRemote payload, which includes more than twenty built-in command handlers. These allow attackers to collect system information, execute files, manipulate directories, and exfiltrate data.

All under the mask of normal cloud traffic.

Researchers also identified code overlaps between NanoRemote and a previously documented espionage backdoor known as FINALDRAFT, suggesting a shared developer or threat cluster. This connection points to a more strategic use case than simple cybercrime.

By hiding malicious activity inside legitimate cloud services, NanoRemote highlights a growing blind spot for defenders.
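Blending into legitimate cloud traffic works because most monitoring treats Google Drive API calls as benign by destination alone. The blind spot narrows when the question becomes which process is talking to the Drive API and how regularly. The following is an added example (not code from the DOT Report, nor from any published NanoRemote analysis) that runs two such checks over constructed proxy/EDR log lines: a Drive API request from a process that is not an expected Drive client, and a request series spaced at a near-constant interval, which is how a scheduled check-in for commands tends to look. The log format, host and process names, the expected-process list and the jitter threshold are all assumptions to adapt to your own telemetry.

```python
"""Flag Google Drive API traffic that does not look like a browser or sync client.

Added example, not from the DOT Report or any NanoRemote write-up. The log
format, host names, process names and intervals are constructed for
illustration; map the fields to your own proxy or EDR export.
"""
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed sample lines: "timestamp|src_host|process|dest_host|path"
SAMPLE_LOG = """\
2025-12-18T09:00:00|WS-17|chrome.exe|www.googleapis.com|/drive/v3/files
2025-12-18T09:00:03|WS-17|chrome.exe|www.googleapis.com|/upload/drive/v3/files
2025-12-18T09:01:00|WS-22|sample-loader.exe|www.googleapis.com|/drive/v3/files
2025-12-18T09:06:00|WS-22|sample-loader.exe|www.googleapis.com|/drive/v3/files
2025-12-18T09:11:00|WS-22|sample-loader.exe|www.googleapis.com|/upload/drive/v3/files
2025-12-18T09:16:00|WS-22|sample-loader.exe|www.googleapis.com|/drive/v3/files
2025-12-18T09:02:10|WS-09|outlook.exe|outlook.office365.com|/owa
"""

DRIVE_HOSTS = {"www.googleapis.com"}
DRIVE_PATH_PREFIXES = ("/drive/", "/upload/drive/")
# Processes expected to call the Drive API on a managed endpoint (assumption;
# build this list from your own baseline rather than copying it).
EXPECTED_PROCESSES = {"chrome.exe", "msedge.exe", "googledrivefs.exe"}


def parse_log(text):
    """Parse the constructed pipe-delimited format into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, host, proc, dest, path = line.split("|", 4)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "host": host, "proc": proc.lower(), "dest": dest, "path": path,
        })
    return events


def is_drive_api(ev):
    return ev["dest"] in DRIVE_HOSTS and ev["path"].startswith(DRIVE_PATH_PREFIXES)


def beacon_score(timestamps, min_events=3, jitter_seconds=30):
    """True when at least min_events requests are spaced at a near-constant
    interval (population std-dev of the gaps within jitter_seconds)."""
    if len(timestamps) < min_events:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return pstdev(gaps) <= jitter_seconds


def find_suspicious_drive_c2(events):
    """Return one finding per (host, process) that uses the Drive API from an
    unexpected process or with beacon-like regular timing."""
    by_pair = defaultdict(list)
    for ev in events:
        if is_drive_api(ev):
            by_pair[(ev["host"], ev["proc"])].append(ev["ts"])
    findings = []
    for (host, proc), stamps in by_pair.items():
        reasons = []
        if proc not in EXPECTED_PROCESSES:
            reasons.append("unexpected process")
        if beacon_score(stamps):
            reasons.append("regular beacon interval")
        if reasons:
            findings.append({"host": host, "process": proc, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_drive_c2(parse_log(SAMPLE_LOG)):
        print(finding)
```

In the constructed sample, the browser on WS-17 is ignored while the unknown process on WS-22 is flagged on both counts. Neither check is conclusive on its own (sync clients do poll, and real loaders add jitter), which is why the function returns the reasons rather than a verdict; the point is that "destination is Google" should not end the triage.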

AI-Powered Phishing Kits Push Credential Theft Past Traditional Defenses

December also brought new insight into the next evolution of phishing-as-a-service, with researchers documenting multiple advanced kits that combine AI-generated lures, real-time MFA interception, and sophisticated evasion techniques.

Toolkits such as BlackForce, GhostFrame, InboxPrime AI, and Spiderman are already being used in active campaigns targeting consumers, enterprises, and financial institutions.

Some of these kits operate as full man-in-the-browser frameworks, capturing session cookies, one-time passcodes, and MFA tokens as victims log in. Others use layered delivery techniques — embedding malicious iframes inside legitimate-looking pages or dynamically swapping phishing content to evade detection.

InboxPrime AI takes the automation further by generating customized phishing emails at scale, adapting tone and language to bypass spam filters.

The result is a phishing infrastructure that no longer relies on static templates or volume alone. Instead, these platforms are adaptive, modular, and capable of defeating controls that many organizations still consider “good enough,” including MFA and email filtering.

For defenders, the takeaway is uncomfortable but clear: phishing has become an industrialized operation, powered by AI and designed to defeat modern assumptions about user verification.
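When a kit sits between the user and the real login page, the MFA prompt is answered correctly and the provider issues a valid session; what the attacker walks away with is the session cookie, which is then replayed from their own infrastructure. The authentication itself therefore looks clean, and the detectable trace is the session being used from a different source than the one that completed the login. The following is an added example (not code from the DOT Report or from any of the kits it names) that runs that check over constructed authentication log lines. The log format, IP ranges, user agents and the replay window are assumptions.

```python
"""Detect a session token being used from a network other than the one that
authenticated it, a common trace of adversary-in-the-middle phishing.

Added example, not from the DOT Report or any named phishing kit. The log
format, addresses, user agents and thresholds are constructed for illustration.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample lines: "timestamp|event|user|session_id|src_ip|user_agent"
SAMPLE_AUTH_LOG = """\
2025-12-18T10:00:00|login|alice|sess-a1|203.0.113.10|Mozilla/5.0 (Windows NT 10.0) Chrome/131
2025-12-18T10:00:40|request|alice|sess-a1|203.0.113.10|Mozilla/5.0 (Windows NT 10.0) Chrome/131
2025-12-18T10:02:15|request|alice|sess-a1|198.51.100.77|python-requests/2.32
2025-12-18T10:05:00|login|bob|sess-b7|192.0.2.5|Mozilla/5.0 (Macintosh) Safari/17
2025-12-18T10:07:30|request|bob|sess-b7|192.0.2.5|Mozilla/5.0 (Macintosh) Safari/17
"""

# Corporate egress ranges (assumption). A replay from outside them shortly
# after a login from inside is the highest-confidence pattern.
TRUSTED_EGRESS = [ip_network("203.0.113.0/24"), ip_network("192.0.2.0/24")]
REPLAY_WINDOW = timedelta(minutes=30)


def parse_auth_log(text):
    """Parse the constructed pipe-delimited format into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, event, user, sid, ip, ua = line.split("|", 5)
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "user": user, "sid": sid, "ip": ip_address(ip), "ua": ua})
    return events


def in_trusted_egress(ip):
    return any(ip in net for net in TRUSTED_EGRESS)


def find_session_replays(events):
    """Return one finding per (session, new IP) where a request uses a session
    from a different source IP than its login, within REPLAY_WINDOW of it.
    Each finding records whether the user agent changed and whether the new
    source is outside trusted egress."""
    login_by_sid = {ev["sid"]: ev for ev in events if ev["event"] == "login"}
    findings, seen = [], set()
    for ev in events:
        if ev["event"] != "request" or ev["sid"] not in login_by_sid:
            continue
        login = login_by_sid[ev["sid"]]
        if ev["ip"] == login["ip"] or ev["ts"] - login["ts"] > REPLAY_WINDOW:
            continue
        key = (ev["sid"], str(ev["ip"]))
        if key in seen:
            continue
        seen.add(key)
        findings.append({
            "user": ev["user"], "sid": ev["sid"],
            "login_ip": str(login["ip"]), "replay_ip": str(ev["ip"]),
            "ua_changed": ev["ua"] != login["ua"],
            "outside_trusted_egress": not in_trusted_egress(ev["ip"]),
            "seconds_after_login": int((ev["ts"] - login["ts"]).total_seconds()),
        })
    return findings


if __name__ == "__main__":
    for finding in find_session_replays(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(finding)
```

In the sample, alice's session is replayed 135 seconds after login from an address outside the trusted ranges with a non-browser user agent, while bob's session is untouched. Mobile users roaming between networks will produce benign hits, so the user-agent and egress flags are there to rank findings rather than to auto-block. Detection like this is a backstop; the control that removes the cookie-theft path altogether is phishing-resistant MFA, since a WebAuthn credential is bound to the legitimate origin and cannot be satisfied through a proxying page.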

Intellexa Leaks Expose Zero-Day Exploits and Spyware Delivery Tactics

Leaked internal documents from spyware vendor Intellexa provided a rare inside look at how commercial surveillance tools like Predator are built, marketed, and deployed.

The materials revealed the company’s reliance on zero-day exploits, browser vulnerabilities, and advertising-based delivery mechanisms to infect mobile devices without user awareness.

According to the leaks, Predator infections could be initiated through malicious links sent via messaging apps or, in more advanced cases, through zero-click attacks delivered via mobile advertising networks.

Once installed, the spyware is capable of harvesting messages, call data, location information, credentials, and even activating microphones and cameras.

Perhaps most troubling was evidence suggesting Intellexa staff retained visibility into some customer deployments, raising questions about oversight, access controls, and accountability. Unlike consumer malware, these tools operate in a gray zone between national security and private industry, where transparency is minimal.

The Intellexa leaks underscore how zero-day vulnerabilities are no longer just the domain of elite intelligence agencies. They’re part of a growing commercial market, one where exploits are packaged, sold, and deployed at scale, often beyond the reach of public scrutiny or meaningful regulation.

The DOT Report Signing Off

As the year comes to a close, one pattern is impossible to ignore: attackers are no longer breaking in through the edges — they’re operating inside the platforms we trust most.

Browsers, cloud services, authentication systems, and even mobile advertising networks have become delivery mechanisms for compromise, often without obvious warning signs.

Defensive strategies going into the new year will need to account for this shift. Security can no longer rely solely on perimeter controls or static trust models — it has to assume compromise, validate continuously, and prioritize visibility across the full technology stack.
