Hello and welcome to the Tuesday, December 16th, 2025 edition of the Sands Internet Storm centers, Stormcast.

My name is Johannes Ulrich, recording today from Jacksonville, Florida or virtually from Amsterdam, Netherlands.

And this episode is brought you by the sands.edu credit certificate program in cloud security.

And of course, React to Shell is still in the news, and I looked at what we have in current exploits in our honeypot.

There was one attempt that sort of was the most visible one in our honeypots, meaning it hit the most different honeypots.

Nothing fundamentally new here. It's of the usual malware distribution where they download a file, then mark as executable.

And this particular case, they actually kind of appear then to not launch the file

if I'm reading the code correctly.

So they may be missing a little piece here, and then use the standard ways to tuck away

an exploit or a piece of malware like this, like slash temp, slash deaf or slash

death shm, which of course the last one would be ephemeral and be deleted on each reboot.

Nothing too terribly exciting otherwise with React to Shell.

Yes, I saw the headline today that always means that exploitation pretty much has run its course.

And the headline was that Iranian actors are now taking part in scanning for React to Shell,

which of course, usually Iran, whenever they're mentioning news, it means that the exploit is old enough

where you probably don't have to worry about finding a lot of new

vulnerable systems that haven't been exploited yet.

Well, last week I talked about the new Samuel vulnerability in Ruby, which actually wasn't new

it was just an incomplete patch to a prior vulnerability.

We now have a great blog post by Port Swagger talking about what went wrong in this particular case and why there are some fundamental problems with Samel that makes it really difficult

to get it implemented correctly.

One problem with Ruby in particular is that within their SAML library, they're using

...