ZeroFox Daily Intelligence Brief - December 5, 2025

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • ZeroFox Intelligence Flash Report - Proposed U.S. Legislation to Sanction Threat Actors
  • Chinese State-Sponsored Malware Campaign Targets Public and IT Sectors
  • Major Crypto Scam and Money Laundering Operation Disrupted Across Europe

ZeroFox Intelligence Flash Report - Proposed U.S. Legislation to Sanction Threat Actors

Source: https://www.zerofox.com/advisories/37191/

What we know: A U.S. Congressman has introduced the Cyber Deterrence and Response Act of 2025. The proposed bill is aimed at formally designating foreign entities responsible for cyberattacks against U.S. organizations as “critical cyber threat actors.”

Context: The bill would establish a standardized framework for attributing cyberattacks and taking action against cyber criminals. The government would be able to impose sanctions, freeze assets, implement export controls, and apply procurement bans targeting threat actors and their home countries.

Analyst note: The sanctions are likely to block designated threat actors' access to global banking systems and cryptocurrency exchanges, among other services, reducing their ability to convert stolen data or ransom payments into usable funds.

Chinese State-Sponsored Malware Campaign Targets Public and IT Sectors

Source: https://www.cisa.gov/news-events/alerts/2025/12/03/cisa-australia-and-partners-author-joint-guidance-securely-integrating-artificial-intelligence

What we know: The United States and Canada have released a joint alert detailing a Chinese state-sponsored cyber espionage campaign that uses the BRICKSTORM malware to maintain long-term persistence on victim systems.

Context: BRICKSTORM is a backdoor for VMware vSphere and Windows environments, capable of encrypted command and control, remote system control, and long-term persistence. Critical infrastructure, government services and facilities, and the information technology sector have been the most heavily targeted.

Analyst note: CISA has published indicators of compromise (IOCs) and detection signatures for the backdoor so that defenders can identify its activity. Affected entities are encouraged to ensure proper network segmentation that restricts traffic from the demilitarized zone (DMZ) into the internal network.

Major Crypto Scam and Money Laundering Operation Disrupted Across Europe

Source: https://www.europol.europa.eu/media-press/newsroom/news/international-takedown-of-cryptocurrency-fraud-network-laundering-over-eur-700-million

What we know: Authorities across Europe have successfully dismantled a cryptocurrency fraud and money laundering network responsible for laundering over EUR 700 million. The operation targeted fake cryptocurrency investment platforms, affiliated call centers, and the advertising infrastructure used to lure victims.

Context: Authorities seized illicit assets, including bank funds, cryptocurrency, cash, and devices. The operation also targeted the affiliate marketing infrastructure behind deceptive ads and deepfake-enabled campaigns used to recruit victims into the fraud network.

Analyst note: The takedown is likely to halt new victim targeting, ongoing scam communications, and further laundering of illicit cryptocurrency. With seized systems and contact databases, the network is likely to no longer be able to reuse or sell victim data for future fraud campaigns.

DEEP AND DARK WEB INTELLIGENCE

Telegram user Scattered Lapsus$ Hunters: Threat group Scattered Lapsus$ Hunters posted two messages on its Telegram channel inquiring about botnets and inviting interested sellers to contact them. The group is known for its ransomware-as-a-service (RaaS) and extortion activities, so its interest in botnets likely indicates plans for DDoS attacks or for launching a botnet-as-a-service (BaaS) business model.

VULNERABILITY AND EXPLOIT INTELLIGENCE

Array AG Series VPN vulnerability: This is a command injection vulnerability in Array AG Series VPN devices that has been used to plant webshells and create rogue users. The flaw was patched in a May 2025 update, but no public identifier has been assigned to it. Threat actors are reportedly exploiting this vulnerability, and Japan has issued an advisory regarding its active exploitation against organizations in the country. Threat actors are likely to exploit the flaw to gain unauthorized remote access to an organization's networks, applications, desktops, and cloud resources.

Affected products: ArrayOS AG versions 9.4.5.8 and earlier, including AG Series hardware and virtual appliances with the 'DesktopDirect' remote access feature.

Tags: DIB, tlp:green