29th December – Threat Intelligence Report

Medium
Vulnerability
Published: Mon Dec 29 2025 (12/29/2025, 11:33:48 UTC)
Source: Check Point Research

Description

For the latest discoveries in cyber research for the week of 29th December, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Romanian Waters, the country’s national water management authority, was hit by a ransomware attack that resulted in nearly 1,000 computer systems across national and regional offices being encrypted. The attack affected geographic […] The post 29th December – Threat Intelligence Report appeared first on Check Point Research.

AI-Powered Analysis

Last updated: 01/06/2026, 22:56:01 UTC

Technical Analysis

The threat intelligence report highlights a series of impactful cyber incidents and vulnerabilities discovered in late December 2025. The most notable event is a ransomware attack against Romanian Waters, the national water management authority, which encrypted nearly 1,000 computer systems across multiple offices. The attack affected geographic information systems, databases, email, web servers, and Windows workstations, causing significant disruption to IT services, though operational technology controlling water infrastructure remained unaffected and no data leakage was reported. This indicates a targeted ransomware campaign focused on IT disruption rather than data theft. Concurrently, France’s postal service La Poste suffered a cyber-attack by the pro-Russian hacktivist group NoName057(16), disrupting parcel tracking, mail distribution, and banking services without evidence of data compromise. Other global incidents include a major data breach at Aflac exposing sensitive insurance and health data of 22.7 million individuals, a Nissan data breach via Red Hat server compromise, and a cryptocurrency wallet attack exploiting a malicious Chrome extension update leading to $7 million in losses. Several critical vulnerabilities were disclosed: CVE-2025-14847 ('MongoBleed') affects MongoDB versions 4.0 to 8.2.3, allowing unauthenticated remote attackers to read uninitialized heap memory due to a zlib flaw, potentially leading to arbitrary code execution; CVE-2025-68664 in LangChain Core enables deserialization attacks with secret extraction and code execution (CVSS 9.3); and CVE-2025-68615 in Net-SNMP’s snmptrapd daemon allows remote code execution via crafted packets (CVSS 9.8). These vulnerabilities pose severe risks to organizations running these widely used platforms. 
The report also details sophisticated phishing campaigns abusing Google Cloud Application Integration to send spoofed emails leading to credential harvesting, and multi-year malware campaigns like Evasive Panda using DNS poisoning and DLL sideloading to maintain persistence and evade detection. Additional threats include the Webrat backdoor deployed via fake GitHub repos and malicious npm and NuGet packages stealing credentials and redirecting crypto funds. Check Point Harmony Endpoint is noted as providing protection against some of these threats. Overall, the report underscores a complex threat landscape combining ransomware, supply chain attacks, critical software vulnerabilities, and advanced persistent threats targeting diverse sectors globally.

Potential Impact

European organizations, particularly those in critical infrastructure sectors such as water management and postal services, face significant operational disruption risks from ransomware attacks like the one on Romanian Waters and La Poste. The encryption of nearly 1,000 systems can halt essential services, impacting public safety and trust. The disclosed vulnerabilities in MongoDB, LangChain Core, and Net-SNMP affect widely deployed software components in enterprise environments, cloud services, and network management, potentially enabling attackers to execute arbitrary code, steal sensitive data, or disrupt services. This could lead to data breaches, service outages, and compromise of sensitive information across sectors including finance, manufacturing, and technology. The phishing campaigns abusing trusted cloud services increase the risk of credential theft and subsequent lateral movement within organizations. The presence of advanced persistent threat groups and supply chain attacks further complicates defense efforts. European organizations with limited patch management capabilities or exposed legacy systems are particularly vulnerable. The disruption of postal and banking services in France demonstrates the potential for significant economic and societal impact. Additionally, the theft of personal data in breaches like Aflac’s highlights privacy and regulatory compliance risks under GDPR, potentially leading to fines and reputational damage.

Mitigation Recommendations

European organizations should prioritize immediate patching of critical vulnerabilities, specifically updating MongoDB to versions beyond 8.2.3, applying LangChain Core patches, and upgrading Net-SNMP to versions 5.9.5 or later. Network segmentation should be enforced to isolate critical IT systems from operational technology to limit ransomware spread. Implement strict access controls and multi-factor authentication to reduce unauthorized access risks. Monitor and restrict use of Google Cloud Application Integration workflows to prevent abuse for phishing campaigns. Employ advanced endpoint detection and response solutions like Check Point Harmony Endpoint to detect and block malware such as MgBot and Webrat. Conduct regular phishing awareness training tailored to recent attack techniques involving multi-step redirections and trusted domains. Audit and control third-party software repositories and package managers (npm, NuGet) to prevent supply chain compromises. Establish robust incident response plans including offline backups to enable recovery from ransomware. Enhance DNS security to detect and mitigate poisoning attacks. Finally, collaborate with national cybersecurity agencies and share threat intelligence to stay informed on evolving threats targeting European critical infrastructure.


Technical Details

Article Source: https://research.checkpoint.com/2025/29th-december-threat-intelligence-report/ (fetched 2025-12-30T22:24:57.968Z, word count 1003)

Threat ID: 69545139db813ff03e2c9ed9

Added to database: 12/30/2025, 10:24:57 PM

Last enriched: 1/6/2026, 10:56:01 PM

Last updated: 2/7/2026, 11:59:45 AM
