
news · 9 min read

Bulletin — December 2025

Cl0p insists a year after Cleo. OpenAI repeats Shipmas. Anthropic closes the year with a Claude refresh. DORA and NIS2 enter the first inspection cycle. Year-end reports from Mandiant, CrowdStrike and Verizon. The year in one table.

· Manuel López Pérez · news

December 2025 closes a year in which the regulatory calendar moved from promise to procedure. Cl0p remains in MFT a year after Cleo. OpenAI repeats Shipmas. Anthropic refreshes Claude. Year-end reports confirm what the month-by-month was already saying. And the year summary in one table, without claiming an exhaustive ranking.

Cl0p — first Cleo anniversary

December 2025. A year after the Cleo MFT zero-day, Cl0p’s extortion portal continues listing victims related to the late-2024 leak. Recent activity: exploitation of CVE-2025-31161 in CrushFTP since April (another MFT, same modus operandi) and Mandiant’s November deep-dive on the group’s industrial playbook. The pattern continues: enterprise MFT as preferred vector, opportunistic attack before disclosure, exfiltration to attacker-controlled S3, double extortion on the portal.

What’s operational: any managed file transfer on the corporate perimeter that hasn’t gone through a serious threat model during 2024-2025 is in the queue for the next one. The lesson of MOVEit (June 2023), Cleo (December 2024) and CrushFTP (April 2025) doesn’t need more data to confirm itself.

Source: https://cloud.google.com/blog/topics/threat-intelligence/cl0p-mft-campaign-2025-update

OpenAI Shipmas — second edition

1 to 19 December. OpenAI repeats the daily stream-with-announcement format. The relevant ones for security:

  • GPT-5.5 / o4 family — update of the reasoning model with longer CoT and improvements on agentic benchmarks. No structural changes in the safety API; reasoning summary remains optional for the customer.
  • ChatGPT Agents 2.0 — the conversational agent with its own browser (Operator) merges with ChatGPT as a native mode. For enterprise deployments, it arrives with unified audit log and configurable action approval gates. The tool poisoning surface we saw in MCP generalises to any integration registered in the agent.
  • Sora 2 GA — video generation with character consistency. C2PA watermarking is maintained; bypass via re-encoding remains trivial. AESIA and other authorities start publishing guidelines on Art. 50 of the AI Act obligations (transparency for AI-generated content).
  • API security features — Anthropic-style structured outputs with JSON schema validation, scoped API keys with granular per-endpoint permissions. Catch-up with what Anthropic already had. For 2026 the platform security feature war between the three big vendors will be a competitive axis.

OpenAI’s framing for the year has been “agents to production”. The interesting part isn’t what they add, it’s what they don’t add: no Shipmas announcement on training data transparency or on post-deployment capability verification. The regulatory promise remains the minimum.

Source: https://openai.com/shipmas-2025/

Anthropic — Q4 Claude refresh + Responsible Scaling Policy v3

December 2025. Anthropic closes the year with:

  • Claude Opus 4.5 / Sonnet 4.5 — refresh with extended context and improvements on agentic tasks. Extended thinking remains as default; reasoning_content remains accessible to API customers.
  • Responsible Scaling Policy v3 — update of the framework with stricter metrics for ASL-4. The pre-deployment evaluation report is published in full, including the results of the agentic misalignment harness applied to Opus 4.5 — metrics comparable to the May research. The trend: with each capability jump, the misalignment rates in the controlled harness don’t drop; deployment defences have to compensate.

Anthropic signs the final version of the AI Office’s Code of Practice for GPAI in December after months of public negotiation. The difference with OpenAI / Google (which signed in July-August) and with Meta (which doesn’t sign): Anthropic publishes specific documentation on training data provenance and copyright opt-out mechanisms with more detail than the other signatories.

Source: https://www.anthropic.com/news/claude-4-5-opus · https://www.anthropic.com/policy/responsible-scaling-policy

DeepSeek — V4 and the open-weights consolidation

December 2025. DeepSeek publishes DeepSeek-V4 as open weights. MoE with architecture iterated over V3 and R1, 1M token context, native multimodal. Available on Hugging Face under MIT licence. Capabilities comparable to Claude 4.5 Opus and GPT-5.5 on public benchmarks, trained with compute reported in the 5M GPU-hours range.

What this closes from the year: the open-weights pattern with capability close to frontier is no longer exceptional. DeepSeek-R1 opened the category in January; QwQ, Llama 4 and now V4 consolidate it. For AI security, the scenario where any adversarial attack required a complicit model has ended. Any technique needing gradient access can be tried on a representative model at accessible costs.

For 2026: the operational question becomes what proportion of enterprise deployment uses open weights vs commercial API. Both options have their threat model. The difference is that open-weights leaves real weight auditing possible — something the Llama 4 / LMArena case made obligatory.

Source: https://github.com/deepseek-ai/DeepSeek-V4

LangChain LangGrinch — CVE-2025-68664, serialization injection

December 2025. Cyata publishes analysis of CVE-2025-68664 in LangChain Core (Python) — christened LangGrinch. CVSS 9.3. The dumps() and dumpd() functions don’t escape dictionaries with the 'lc' key when serializing free metadata. The lc key is LangChain’s internal marker for its serialized objects; when the attacker manages to get a structure with 'lc' into user-controlled data, the loader on the serialize/deserialize round-trip treats it as a legitimate LangChain object instead of plain data.

Exploitation vector: the attacker sends a prompt whose LLM response contains in additional_kwargs or response_metadata a structure {'lc': 1, 'type': 'constructor', 'id': [...], 'kwargs': {...}}. When the client serializes the conversation to persist or stream-respond, the round-trip loads arbitrary objects from the pre-approved langchain_core / langchain / langchain_community namespaces. With secrets_from_env=True active (default), it exfiltrates environment variables. With Jinja2 templates enabled, it executes arbitrary code.

LangChain.js has the equivalent bug as CVE-2025-68665 (CVSS 8.6). The patch introduces an allowed_objects allowlist in load()/loads(), disables Jinja2 by default and sets secrets_from_env=False as default. The minimum defensive action: pin versions, audit dumps() calls in pipelines that persist conversation, and review any integration using prompt-injectable fields as input to loads().

Source: https://github.com/advisories/GHSA-c67j-w6g6-q2cm · https://cyata.ai/blog/langgrinch-langchain-core-cve-2025-68664/ · https://thehackernews.com/2025/12/critical-langchain-core-vulnerability.html
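The defensive action the bulletin recommends (audit what reaches dumps() from prompt-injectable fields, and allowlist what loads() may instantiate) can be made concrete with a pre-persistence gate. The block below is an added example, not langchain_core’s code and not the vendor patch: it models the 'lc' / 'type' / 'id' / 'kwargs' layout described above with a stand-in walker, scans the two model-influenced fields named in the text (additional_kwargs, response_metadata) for marker dicts, neutralises them before serialization, and shows the loader-side allowlist check. The "__escaped__" wrapper, the ALLOWED_IDS tuple set and the sample message are all constructed for the example.

```python
"""
Pre-persistence gate for LLM message metadata, modelled on the LangGrinch
(CVE-2025-68664) pattern. Added example: NOT langchain_core's serializer and
NOT the upstream fix. The escaping convention, allowlist and sample message
below are constructed for illustration.
"""
from __future__ import annotations

import json
from typing import Any

LC_MARKER = "lc"
# Fields the model output (and therefore an injected prompt) can influence.
UNTRUSTED_FIELDS = ("additional_kwargs", "response_metadata")
# Constructed allowlist of object ids a loader may instantiate; the real patch
# exposes an allowed_objects parameter instead of a module-level set.
ALLOWED_IDS = {("langchain_core", "messages", "ai", "AIMessage")}


def find_marker_dicts(obj: Any, path: str = "$") -> list[str]:
    """Return the path of every dict carrying the 'lc' key, at any depth."""
    hits: list[str] = []
    if isinstance(obj, dict):
        if LC_MARKER in obj:
            hits.append(path)
        for key, value in obj.items():
            hits.extend(find_marker_dicts(value, f"{path}.{key}"))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            hits.extend(find_marker_dicts(value, f"{path}[{index}]"))
    return hits


def escape_marker_dicts(obj: Any) -> Any:
    """Wrap any 'lc'-bearing dict so a loader sees opaque data, not a constructor.

    The "__escaped__" wrapper is a constructed convention for this example; the
    point is that no dict with an 'lc' key survives into the persisted form.
    """
    if isinstance(obj, dict):
        cleaned = {k: escape_marker_dicts(v) for k, v in obj.items()}
        if LC_MARKER in cleaned:
            return {"__escaped__": json.dumps(cleaned, sort_keys=True)}
        return cleaned
    if isinstance(obj, list):
        return [escape_marker_dicts(v) for v in obj]
    return obj


def gate_message(message: dict[str, Any]) -> tuple[dict[str, Any], list[str]]:
    """Sanitise the untrusted fields of a message before dumps()/persistence.

    Returns (sanitised_message, findings); findings is empty when nothing was touched,
    which makes it a natural audit-log line for the pipeline.
    """
    findings: list[str] = []
    safe = dict(message)
    for field in UNTRUSTED_FIELDS:
        if field in safe:
            findings.extend(find_marker_dicts(safe[field], f"$.{field}"))
            safe[field] = escape_marker_dicts(safe[field])
    return safe, findings


def constructor_allowed(node: dict[str, Any]) -> bool:
    """Loader-side check: accept a constructor node only if its id is allowlisted."""
    if node.get(LC_MARKER) != 1 or node.get("type") != "constructor":
        return False
    return tuple(node.get("id", ())) in ALLOWED_IDS


# Constructed sample: an assistant turn whose metadata carries a marker dict
# with a made-up, non-allowlisted id.
INJECTED_MESSAGE: dict[str, Any] = {
    "type": "ai",
    "content": "Sure, here is the summary you asked for.",
    "additional_kwargs": {
        "note": "benign",
        "payload": {
            "lc": 1,
            "type": "constructor",
            "id": ["langchain_core", "some_module", "SomeClass"],  # constructed id
            "kwargs": {},
        },
    },
    "response_metadata": {"model": "example-model"},
}

if __name__ == "__main__":
    sanitised, findings = gate_message(INJECTED_MESSAGE)
    print("findings:", findings)
    print(json.dumps(sanitised, indent=2))
```

Run the gate on every message right before the call that serializes conversation state, and log non-empty findings: a marker dict appearing in model-influenced metadata is itself a detection signal, independent of whether the loader would have honoured it.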

Year-end reports — Mandiant, CrowdStrike, Verizon

December 2025 / January 2026. Annual reports confirming what the month-by-month already said:

  • Mandiant M-Trends 2026 — average global dwell time drops to 8 days (was 10 days in 2024, 16 in 2023). The drop is largely due to ransomware with immediate encryption: when the attacker encrypts in 48 hours, detection time shortens by necessity. It’s not a good signal; it’s a signal of faster attacker operation. Most common initial vector remains vulnerability exploitation (35%), above phishing (22%).
  • CrowdStrike Global Threat Report 2026 — Scattered Spider / Octo Tempest maintains sustained activity against retail and financial services. The DragonForce affiliation seen at M&S is confirmed as a stable pattern. Identity-based attacks (credential abuse, MFA bypass, session hijacking) make up 45% of documented intrusions.
  • Verizon DBIR 2025 (published in May, echo here) — confirms that vulnerabilities as initial vector surpass credentials for the first time in investigated breaches. The curve came from 2024 and is confirmed.

Joint reading: the operational attacker goes faster and specialises more. The industrialisation of sector playbooks seen in UK retail and in crypto exchange during 2025 is the trend, not the exception.

Sources: https://www.mandiant.com/m-trends · https://www.crowdstrike.com/global-threat-report/ · https://www.verizon.com/business/resources/reports/dbir/

DORA / NIS2 — first inspection cycle

December 2025. Close of the first year of DORA application. Banco de España, CNMV and DGSFP start inspections of systemic entities during Q3-Q4. First public observations:

  • Obligation → technical control mapping remains blurry in most entities. Documentation exists; traceability between each article and the concrete control does not.
  • TLPT — first Threat-Led Penetration Testing cycle scheduled for 2026-2028. The final RTS was published in July.
  • Critical ICT TPPs register — ESAs publish during the year the designation methodology. Official list of providers designated as critical remains pending at December close.

NIS2 in Spain is finally transposed via Organic Law X/2025 (published in BOE during the second half, exact date pending verification at the time of writing). For 2026 the obligations for incident reporting to INCIBE-CERT and the INCIBE sanction regime move to effective application. The operational coordination DORA ↔ NIS2 ↔ ENS for Spanish financial entities is first-quarter 2026 work.

EU AI Act — the second GPAI step consolidates during the second half. AESIA starts the first exploratory market surveillance on Annex III high-risk products. The 2 August 2026 date (high-risk obligations) is already on the operational calendar of every EU provider.

Sources: https://eur-lex.europa.eu/eli/reg/2022/2554/oj · https://www.boe.es/buscar/act.php?id=LO-X-2025

Retrospective — the year in one table

Without claiming exhaustiveness, the year’s milestones by month:

| Month | AI security | Cyber | Compliance |
|---|---|---|---|
| January | DeepSeek-R1 open-weights reasoning | SonicWall SMA1000 CVE-2025-23006 zero-day | DORA in application |
| February | OpenAI Operator GA · Claude 3.7 Sonnet | ByBit hack $1.5B via Safe{Wallet} frontend | AI Act Art. 5 in application |
| March | MCP TPA — first public PoC (Invariant Labs) | Patch Tuesday Hyper-V CVEs | |
| April | Llama 4 + LMArena controversy | M&S / Co-op / Harrods — UK retail wave | |
| May | Claude 4 + agentic misalignment research | Coinbase insider compromise · Verizon DBIR 2025 | NIS2 Spain draft bill advances |
| June | Anthropic Project Vend · AWS re:Inforce | ENISA Threat Landscape draft · UK retail postmortems | |
| July | Reasoning model jailbreaks H1 retrospective | SharePoint ToolShell CVE-2025-53770 | GPAI Code of Practice published |
| August | DARPA AIxCC final DEF CON 33 · Black Hat 33 | Patch Tuesday August · various zero-days | AI Act GPAI in application |
| September | iOS 19 release CVEs | Apple iPhone 17 + CVE batch · ENISA Threat Landscape edition | |
| October | Anthropic Claude 4.5 preview · OpenAI dev day | Windows 10 end of support 14 Oct | NIS2 Spain transposed (LO X/2025) |
| November | re:Invent + Ignite AI security announcements | KEV adds · Salt Typhoon updates | |
| December | DeepSeek-V4 · Claude 4.5 Opus · OpenAI Shipmas 2 | Cl0p MFT first-anniversary activity | DORA first inspection cycle |

The year’s technical posts are linked above; the separate retrospectives — AI security and cyber — enter the detail.

Cross-cutting pattern — 2025 in one sentence

If I have to distil 2025 into one sentence: the regulatory calendar becomes operational and the attacker industrialises sector playbooks faster than the structural defender. DORA and AI Act stop being a promise. Lazarus has an industrial playbook against exchanges; Scattered Spider against UK retail; China-nexus against on-prem SharePoint. Each playbook is reusable against the next targets in the same sector. Industrialisation goes faster than defensive coordination.

The operational plan for 2026 coming out of 2025:

  1. Explicit regulatory inventory — DORA scope, NIS2 scope, EU AI Act scope for each product and process. Without inventory, the first inspection cycle arrives and is done ad hoc.
  2. Audit of financial and approval visualisation chains — UI served by third parties, helpdesk with privileged resets, SaaS secrets vaults. Three categories that 2025 proved fragile.
  3. Patch hygiene on legacy on-prem with the assumption of incomplete patch. SharePoint, Exchange, enterprise MFT, Citrix appliances. Post-incident secrets rotation as default playbook.
  4. Threat modelling for AI features with tools before shipping. The Recall lesson remains valid and is extended with the Project Vend lesson: agents in real production behave differently from the demo.
  5. Explicit inventory of post-EoL Windows 10. ESU paid / migrated / accepting risk / unknown. The fourth category is where 2026-2027 incidents will appear.

The year closes. The first post of 2026 enters already with AESIA inspecting GPAI providers, with CRA starting to apply in blocks, with DORA finishing its first inspection cycle, and with the AI Act 2 August 2026 calendar (high-risk) six months away.
