ZeroFox Daily Intelligence Brief - December 2, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Student Data Breach Through Illuminate Education Prompts FTC Action
- Authorities Shut Down Cryptomixer, Seizing EUR 25 Million in Bitcoin
- Threat Actor ShadyPanda Modified Browser Extensions With Malicious Updates
Student Data Breach Through Illuminate Education Prompts FTC Action
What we know: The U.S. Federal Trade Commission (FTC) is taking action against Illuminate Education after a breach exposed the personal data of over 10 million students. The company reportedly stored student data in plain text, lacked proper access controls, and failed to patch known vulnerabilities.
Context: The threat actors reportedly gained access to Illuminate’s cloud-stored databases in December 2021 by using credentials from a former employee. The exposed information included student names, contact details, dates of birth, educational records, and health-related data.
Analyst note: Threat actors are likely to sell this data on criminal marketplaces for a high value, and leverage it in physical security threats against students.
Authorities Shut Down Cryptomixer, Seizing EUR 25 Million in Bitcoin
Source: https://www.europol.europa.eu/media-press/newsroom/news/europol-and-partners-shut-down-cryptomixer
What we know: Law enforcement agencies have taken down illegal cryptocurrency mixing service Cryptomixer, which was suspected of facilitating cybercrime and money laundering. During the operation, authorities seized three servers, the cryptomixer[.]io domain, over 12 TB of data, and more than EUR 25 million (approximately USD 29 million) in Bitcoin.
Context: Cryptomixer, active since 2016, was a hybrid web service that enabled criminals to hide over EUR 1.3 billion in Bitcoin. It pooled and randomized deposits, making transactions hard to trace before converting the “cleaned” funds into other cryptocurrencies or fiat.
Analyst note: Threat actors who relied on Cryptomixer will likely seek alternative mixing services, moving to smaller, lesser-known platforms to evade law enforcement scrutiny.
Threat Actor ShadyPanda Modified Browser Extensions With Malicious Updates
Source: https://thehackernews.com/2025/12/shadypanda-turns-popular-browser.html
What we know: A threat actor named “ShadyPanda” reportedly abused multiple browser extensions, including some legitimate ones, over a period of seven years to distribute malware. The affected extensions were downloaded over 4.3 million times during that period.
Context: The extensions reportedly fetch and execute remote code every hour, monitor website visits, read browsing history, and collect browser fingerprints. This capability was initially used for affiliate fraud, generating commissions from user purchases. Later, search queries were redirected through the browser hijacker trovi[.]com and the results were manipulated for profit.
Analyst note: Threat actors are likely to use malicious updates to carry out adversary-in-the-middle (AitM) attacks that steal credentials and facilitate financial theft. The campaign also underscores a novel use of auto-update mechanisms: threat actors modifying legitimate, approved extensions by pushing malicious updates to an already-installed user base.
DEEP AND DARK WEB INTELLIGENCE
Handala Hack Team threatens Israeli scientist: The Iran-linked hacktivist group Handala Hack Team has claimed to have targeted Dr. Issac Gertz, an alleged Israeli nuclear research scientist, by placing a bouquet of flowers in the scientist’s vehicle, insinuating a bomb threat. The group has also threatened to “announce” 11 more senior experts associated with Israel’s nuclear research facility. The information the group shared about the alleged target is publicly available (though unverified), but the group’s failure to provide exclusive details, such as the vehicle’s number plate, likely indicates that the claims are false.
VULNERABILITY AND EXPLOIT INTELLIGENCE
Google December 2025 patches: Google addressed 107 vulnerabilities in its December security update for Android devices, including two actively exploited zero-days, CVE-2025-48633 and CVE-2025-48572. The now-patched zero-days enable threat actors to escalate privileges and access sensitive information. Successful exploitation of the vulnerabilities, either individually or in combination, is likely to lead to data theft or system compromise.
Affected products: The affected products are listed in this advisory.
Tags: DIB, tlp:green