ZeroFox Daily Intelligence Brief - December 8, 2025

ZeroFox Daily Intelligence Brief - December 8, 2025

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

• LockBit Ransomware Emerges with New Leak Site
• FBI Warns of Digitally Altered Proof-of-Life Images Fueling Virtual Kidnapping Scams
• Geopolitical Focus: Ceasefire Breached, Attempted Coup, and More

LockBit Ransomware Emerges with New Leak Site

Source: https://cloud.zerofox.com/intelligence/advanced_dark_web/96711

What we know: The LockBit ransomware group has returned with a new leak site for LockBit 5.0. It announced on LockBit 3.0’s leak site that the new site is more protected against law enforcement.

Context: Despite the claims of a more secure leak site, security researchers have claimed to leak LockBit 5.0’s IP address and domain. Additionally, several new victims posted on the LockBit 5.0 leak site were from old listings on LockBit 3.0.

Analyst note: LockBit 5.0 indicates an attempt by the ransomware group to make a comeback after law enforcement action in 2024 resulting in seized internet infrastructure and arrests. The comeback also likely suggests that some developers of the ransomware have yet to be apprehended.

FBI Warns of Digitally Altered Proof-of-Life Images Fueling Virtual Kidnapping Scams

Source: hhttps://www.ic3.gov/PSA/2025/PSA251205

What we know: The FBI has warned that criminals are using “altered photos found on social media or other publicly available sites” to fabricate proof-of-life images in virtual kidnapping-for-ransom scams. The criminals pose as kidnappers, offering convincing victim photos or videos to demand ransom.

Context: The FBI noted that the scammers rely on doctored images, which are inconsistent with features of the actual targeted people, and sometimes hide them behind timed message features to reduce scrutiny. The scammers create a false sense of urgency to compel targets to pay the ransom.

Analyst note: Scams like these are likely to become more sophisticated with time as AI capabilities develop. Cybercriminals are very likely to use deepfakes or AI to correct the inconsistencies. Public advisories, like the one FBI published, are likely to raise awareness and help mitigate these scams.

Geopolitical Focus: Ceasefire Breached, Attempted Coup, and More

• Thailand carried out air strikes along the disputed border with Cambodia after both countries accused the other of breaching a ceasefire agreement. Fresh clashes broke out in two areas in the easternmost province of Ubon Ratchathani.
• Tensions between Japan and China soared after Tokyo accused Chinese military planes of locking their radar on to Japanese fighter jets near the Okinawa islands. On the other hand, China has denied Japan’s accusations claiming that Japan’s self-defence forces “maliciously followed and harassed” their aircraft carrier group during training drills.
• West African country Benin’s President Patrice Talon announced that the government has thwarted a coup attempt by a group of soldiers. The group, calling itself the Military Committee for Refoundation, had broadcasted a military takeover on December 7, 2025.
• At least 25 people, including tourists, have been killed in a nightclub blaze in the popular tourist state of Goa, India. Indoor fireworks are suspected to have caused the fire.

DEEP AND DARK WEB INTELLIGENCE

Exploit user AsukaLangley: Moderately credible threat actor "AsukaLangley" has advertised 2.3 million record data associated with a China-based insurance Software-as-a-Service (SaaS) company on Exploit. The data allegedly includes Chinese ID data, company details, contract records, and over 70 MySQL databases, which are likely to be used in large-scale financial fraud and cross-border identity abuse.

VULNERABILITY AND EXPLOIT INTELLIGENCE

Flaws in AI-powered Integrated Development Environments (IDEs): Over 30 flaws, dubbed IDEsaster, expose AI-powered IDEs to prompt-injection-driven data theft and remote code execution. The bugs enable attackers to hijack context, auto-approved tool calls, and legitimate IDE features to leak sensitive files or execute commands. These flaws are likely to give attackers direct access to developers’ machines, via which they can poison coding workflows.

Affected products: The affected products are listed in this article.