Daily Cyber Briefing

Zero-Days, Botnets, and AI Plagiarism: The Dec. 2025 Cyber Roundup

Mike Housch

We break down Google's urgent Android patches, including two actively exploited zero-days, and analyze the emergence of the new ShadowV2 IoT botnet, which leverages known, already-disclosed flaws. Plus, we look into why an AI-generated recipe card landed Google in hot water over content scraping and monetization.

Welcome back to Cyber Scoops & Digital Shenanigans, the podcast where we dive into the latest and greatest—or maybe the worst and most nefarious—happenings in the digital world. I’m your host, Mike Housch, and we have a jam-packed show today covering mobile threats, critical infrastructure failure, the rise of a new botnet, and a big discussion about AI ethics and content scraping.

Let’s kick things off with mobile security. Google recently released new security updates for Android users in early December 2025. And the news isn't great, folks, as we have confirmation that two resolved vulnerabilities have already been exploited in attacks.

The December 2025 Android Security Bulletin warns that two specific zero-days, tracked as CVE-2025-48633 and CVE-2025-48572, show indications of being under limited, targeted exploitation. These critical flaws impact the platform’s Framework component. One zero-day could be exploited for information disclosure, while the other allows for elevation of privilege.

While Google hasn't shared extensive details, the internet giant’s phrasing often suggests that these types of flaws might have been exploited by a commercial spyware vendor. The vulnerabilities affect Android versions 13, 14, 15, and 16.

Now, these fixes were part of a massive security update. The first part of the December 2025 update arrived and addressed 51 vulnerabilities in the Framework and System components. The total security update resolves 107 bugs. This includes a critical security vulnerability in the Framework component that could lead to remote denial of service with no additional execution privileges needed. The patches also target components from Arm, Imagination Technologies, MediaTek, Unisoc, and Qualcomm. To be fully protected, devices need to be running a security patch level of 2025-12-05 or later. If you have an Android device, please, check those settings immediately. This is a big one.
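Here is an added defender-side example, not code from the podcast or from Google, for anyone managing more than one Android device: a short Python script that reads the raw `[key]: [value]` listing that `adb shell getprop` prints, pulls out `ro.build.version.security_patch` and `ro.build.version.release`, and flags any device sitting below the 2025-12-05 patch level the bulletin calls out. The device inventory in the script is constructed for illustration; the device names and the `triage()` helper are assumptions of this example, not anything from the bulletin.

```python
"""Fleet check for the December 2025 Android security patch level.

Added example (not from the podcast or from Google): parses the
`[key]: [value]` lines that `adb shell getprop` prints, then flags
devices whose ro.build.version.security_patch is older than the
2025-12-05 level named in the December 2025 bulletin. The sample
inventory below is constructed; device names are hypothetical.
"""
from datetime import date

# Patch level named in the December 2025 Android Security Bulletin
REQUIRED_PATCH_LEVEL = date(2025, 12, 5)
# Android releases the bulletin lists as affected by the two zero-days
AFFECTED_RELEASES = {"13", "14", "15", "16"}

# Constructed sample: device id -> raw `adb shell getprop` output
SAMPLE_INVENTORY = {
    "pixel-ops-01": (
        "[ro.build.version.release]: [16]\n"
        "[ro.build.version.security_patch]: [2025-12-05]\n"
    ),
    "field-tab-07": (
        "[ro.build.version.release]: [14]\n"
        "[ro.build.version.security_patch]: [2025-10-05]\n"
    ),
    "kiosk-03": (
        "[ro.build.version.release]: [12]\n"
        "[ro.build.version.security_patch]: [2025-09-05]\n"
    ),
    # Property missing entirely, e.g. a device that refused the query
    "loaner-11": "[ro.build.version.release]: [15]\n",
}


def parse_getprop(raw: str) -> dict:
    """Turn `[key]: [value]` lines from `adb shell getprop` into a dict."""
    props = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("[") or "]: [" not in line:
            continue  # skip blank lines and anything not in getprop format
        key, _, value = line.partition("]: [")
        props[key.lstrip("[")] = value.rstrip("]")
    return props


def parse_patch_level(value):
    """Parse a YYYY-MM-DD patch level; None if missing or malformed."""
    try:
        return date.fromisoformat(value)
    except (TypeError, ValueError):
        return None


def assess_device(raw: str) -> dict:
    """Classify one device from its raw getprop output."""
    props = parse_getprop(raw)
    release = props.get("ro.build.version.release")
    patch = parse_patch_level(props.get("ro.build.version.security_patch"))
    if patch is None:
        status = "unknown"        # cannot tell; investigate the device
    elif patch >= REQUIRED_PATCH_LEVEL:
        status = "patched"
    elif release in AFFECTED_RELEASES:
        status = "vulnerable"     # in the affected range and below the level
    else:
        status = "outdated"       # below the level, release not in the list
    return {"release": release, "patch_level": patch, "status": status}


def triage(inventory: dict) -> dict:
    """Assess every device in an {id: raw_getprop_output} inventory."""
    return {dev: assess_device(raw) for dev, raw in inventory.items()}


if __name__ == "__main__":
    for dev, result in triage(SAMPLE_INVENTORY).items():
        print(f"{dev:14} android={result['release']!s:4} "
              f"patch={result['patch_level']} -> {result['status']}")
```

On a real device, `adb -s <serial> shell getprop` gives the same listing format, so the output can be fed straight into `assess_device()`. A device reporting "unknown" deserves the same attention as "vulnerable": a missing or unparseable patch level usually means the query failed or the build is nonstandard.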

Next up, let’s talk about critical services being hit, specifically public safety. A ransomware attack recently targeted a third-party emergency alert system used across the US, resulting in disruptions and a data breach.

This incident targeted the OnSolve CodeRED platform, which is provided by Crisis24. This platform is vital, used by cities, counties, and law enforcement in many states for alerts concerning public safety events like floods, gas leaks, fires, missing persons, and bomb threats. Due to the cyberattack, many organizations across the US, spanning states like Massachusetts, Texas, Florida, and California, were unable to send emergency notifications.

The good news is that the national Emergency Alert System (EAS) was not impacted. However, the impact on individuals is significant. The notifications issued by customers revealed that the attackers, identified as the Inc Ransom group, obtained OnSolve CodeRED user data. This potentially included names, email addresses, physical addresses, phone numbers, and user profile passwords associated with a legacy platform.

Inc Ransom listed the attack on its leak website on November 22nd. They claimed they gained access on November 1st and deployed file-encrypting ransomware on November 10th. The attackers suggested that negotiations failed because the vendor was only willing to pay a $100,000 ransom. While initial customer notifications suggested the data hadn't been published, the cybercriminals have since made some files public and put the stolen data up for sale. Crisis24 confirmed the attack, stating it was contained within the legacy CodeRED environment, which has now been decommissioned. They are accelerating the rollout of their new platform and advised users to immediately change any passwords they reused from the old CodeRED platform.

Shifting gears to botnets. A new Mirai-based botnet malware, dubbed ‘ShadowV2,’ has emerged, focusing its attacks on IoT devices from vendors like D-Link and TP-Link, using exploits for known vulnerabilities.

Researchers spotted ShadowV2 activity during a major AWS outage back in October. While the outage itself was unrelated, the botnet was active only during that window, suggesting it may have been a test run. The malware identifies itself as "ShadowV2 Build v1.0.0 IoT version".

ShadowV2 is spreading by leveraging at least eight vulnerabilities in multiple IoT products, including known-to-be-exploited flaws in End-of-Life (EoL) D-Link devices. In fact, D-Link confirmed that two vulnerabilities used by ShadowV2—CVE-2024-10914 and CVE-2024-10915—would not be fixed for the impacted, unsupported models. The attacks target routers, NAS devices, and DVRs globally across seven sectors, including government, technology, and telecommunications. Functionally, ShadowV2 supports Distributed Denial-of-Service (DDoS) attacks across UDP, TCP, and HTTP protocols.

This really highlights the danger of running unpatched, end-of-life IoT devices. On a positive note related to botnets, the threat monitoring firm GreyNoise Labs recently launched a free tool called GreyNoise IP Check. This tool lets users check if their IP address has been observed in malicious scanning operations, which often involves botnet and residential proxy networks.

If you visit the scanner’s webpage, you’ll get one of three results: Clean, Malicious/Suspicious, or Common Business Service. If you get a 'Malicious/Suspicious' result, GreyNoise advises investigating devices on your network, running malware scans, updating firmware, and changing admin credentials, especially on devices like routers and smart TVs. Residential proxy activity, where home internet connections are turned into exit points for other people's traffic, has grown significantly, often via malware snuck onto devices through nefarious apps or browser extensions.

Finally, let's wrap up with a little digital shenanigan that has big implications for content creators and AI ethics. Google recently faced backlash on X—formerly Twitter—after a promotional post for its NotebookLM product appeared to use a food blogger’s work without credit.

The now-deleted post shared an “infographic recipe card” for Classic Buttery Herb Stuffing, presented as a cozy “family recipe” generated by AI. However, upon comparison, an X user found that the ingredients list and structure were strikingly identical to a recipe from the blog HowSweetEats.

Critics argued that the AI wasn’t "thinking" but likely scraped the recipe word-for-word, ran it through Google’s model, and reformatted it into a cutesy card. One tracker of AI slop noted that Google is increasingly scraping content, republishing it in AI summary form, and sending fewer clicks to the original creators, potentially violating websites’ posted terms of use. Google quietly deleted the post after being called out.

This incident ties into the broader topic of AI monetization. Google is already testing ads in AI mode within search answers. These ads appear along with citations, making it hard to distinguish if they are organic links or paid promotions. And Google isn't alone; OpenAI is also experimenting with ads in ChatGPT. The potential issue here is that customized ads within AI answers could significantly influence buying behavior compared to traditional Google ads.

All these stories—from zero-days to CodeRED failures—revolve around one core theme in cybersecurity: communication. As Joshua Goldfarb pointed out, it's common to witness conversations that are actually two separate conversations. This "silent disconnect" weakens clarity and outcomes.

In security, we often find ourselves speaking in a language our audience doesn't understand. If we discuss "AI Security," are we talking about securing AI functionality, introducing AI to improve security operations, or governance groundwork? If we talk to executives, we need to map our technical talking points—like 107 patched Android flaws—into their frame of reference: risk to the business in terms of loss of revenue, regulatory issues, and increased costs. Security is a mission-critical business function, and bridging that language gap between security professionals and stakeholders is essential for success.

So, to recap: patch your Android devices ASAP to counter exploited zero-days; if you used CodeRED, change that reused password; update your IoT firmware to avoid being part of the next ShadowV2 DDoS attack; and remember that the conversation around AI ethics and content scraping is just getting started.

That’s all the scoops we have for today. Thank you for tuning into Cyber Scoops & Digital Shenanigans. We'll catch you next time!