ZeroFox Daily Intelligence Brief - December 9, 2025
|by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- U.S. Operation Gatekeeper Disrupts Nvidia Chip Smuggling Network
- Evilginx Phishing Campaign Targets 18 U.S. Universities
- Police Intercept Spy Devices and Hacking Tools in Warsaw Arrests
U.S. Operation Gatekeeper Disrupts Nvidia Chip Smuggling Network
Source: https://www.justice.gov/opa/pr/us-authorities-shut-down-major-china-linked-ai-tech-smuggling-network
What we know: U.S. law enforcement has disrupted a smuggling network that attempted to traffic export-controlled artificial intelligence (AI) hardware out of the country to destinations including China, in an effort named ‘Operation Gatekeeper.’
Context: At least two individuals have pleaded guilty to violating U.S. export laws, and over USD 50 million in Nvidia hardware and cash has been seized. Between October 2024 and May 2025 the conspirators smuggled, or attempted to smuggle, at least USD 160 million worth of Nvidia H100 and H200 Tensor Core graphics processing units (GPUs).
Analyst note: Smuggling of export-controlled advanced GPUs almost certainly poses a national security risk, as these components are used in military and other sensitive applications. Nations adversarial to the United States, such as China, are very likely to gain military and economic advantage by acquiring, copying, and integrating advanced U.S. technology.
Evilginx Phishing Campaign Targets 18 U.S. Universities
Source: https://hackread.com/us-universities-domains-phishing-attacks/
What we know: Between April and November 2025, a phishing campaign built on the Evilginx adversary-in-the-middle (AiTM) phishing kit targeted at least 18 U.S. universities using nearly 70 phishing domains. An AiTM kit reverse-proxies the victim's traffic to the genuine login service, so the victim completes multi-factor authentication (MFA) themselves while the proxy captures the authenticated session; the campaign reportedly bypassed MFA on victim accounts in this way.
Context: The campaign impersonated university login portals, distributing short-lived TinyURL links that led to proxied single sign-on (SSO) pages, and harvested both credentials and post-authentication session cookies. Replaying a captured cookie gives the threat actor an already-authenticated session without a new MFA prompt, enabling full account takeover.
Analyst note: Threat actors are likely to use compromised accounts to access tuition payment, payroll deposit, grant, and financial aid records, and to hold that sensitive information for ransom from affected universities.
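The session-cookie replay described in the Context paragraph leaves a recognisable trace in an identity provider's audit log: the MFA-completing login arrives from the proxy's address, and the same session id is then used from a second address shortly afterwards. The following Python is an added detection example, not code from the article or from ZeroFox; the log format, the addresses, the `SUSPECT_LOGIN_RANGES` list and the 30-minute `REPLAY_WINDOW` are all constructed or assumed for illustration.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample of a hypothetical IdP audit log; not real telemetry.
# Fields: timestamp, user, session id, source IP, event name.
SAMPLE_LOG = """\
2025-11-03T08:01:10Z alice@univ.example sess-1 203.0.113.10 login_mfa_success
2025-11-03T08:01:45Z alice@univ.example sess-1 198.51.100.7 mailbox_rule_created
2025-11-03T08:10:00Z bob@univ.example sess-2 203.0.113.22 login_mfa_success
2025-11-03T08:30:00Z bob@univ.example sess-2 203.0.113.22 file_download
2025-11-03T09:00:00Z carol@univ.example sess-3 203.0.113.40 login_mfa_success
2025-11-03T14:00:00Z carol@univ.example sess-3 192.0.2.9 file_download
"""

# Constructed stand-in for address ranges an organisation would not expect
# interactive logins from (hosting providers, known phishing infrastructure).
# A real deployment would load these from threat intelligence feeds.
SUSPECT_LOGIN_RANGES = [ipaddress.ip_network("203.0.113.0/28")]

# Assumed window: an IP change this soon after MFA is treated as replay.
REPLAY_WINDOW = timedelta(minutes=30)


def parse_log(text):
    """Parse whitespace-separated audit lines into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, session, ip, event = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "session": session,
            "ip": ipaddress.ip_address(ip),
            "event": event,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_aitm_replay(events, window=REPLAY_WINDOW):
    """Return (user, session, indicator, severity) tuples.

    Two indicators of an AiTM kit such as Evilginx:
      * login_from_suspect_range: the IdP saw the MFA-completing login from
        the proxy's address rather than from the victim's own network;
      * session_ip_pivot: the same session id is then used from a different
        address (the attacker's browser replaying the captured cookie).
        Within `window` of the login this is high severity; later changes
        are reported at low severity, since roaming users change networks too.
    """
    login_ip = {}
    login_ts = {}
    alerts = []
    for e in events:
        session = e["session"]
        if e["event"] == "login_mfa_success":
            login_ip[session] = e["ip"]
            login_ts[session] = e["ts"]
            if any(e["ip"] in net for net in SUSPECT_LOGIN_RANGES):
                alerts.append((e["user"], session, "login_from_suspect_range", "medium"))
            continue
        if session in login_ip and e["ip"] != login_ip[session]:
            severity = "high" if e["ts"] - login_ts[session] <= window else "low"
            alerts.append((e["user"], session, "session_ip_pivot", severity))
    return alerts


if __name__ == "__main__":
    for user, session, indicator, severity in detect_aitm_replay(parse_log(SAMPLE_LOG)):
        print(f"{severity:6} {indicator:24} {user} {session}")
```

Run against the constructed log, the rule fires twice for alice (login from a suspect range, then the session reused from another address 35 seconds later) and once at low severity for carol, whose address changed five hours after login. In production the same correlation runs over the IdP's sign-in and activity logs; the preventive control is phishing-resistant, origin-bound credentials (FIDO2/WebAuthn), which an AiTM proxy cannot relay because the authenticator will not sign a challenge for the phishing domain.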
Police Intercept Spy Devices and Hacking Tools in Warsaw Arrests
What we know: Polish authorities have arrested three Ukrainian individuals in Warsaw after discovering computer hacking equipment in their vehicle.
Context: The three individuals were charged with possessing equipment and programs capable of damaging “national defense” data. The police reportedly found hacking equipment, a spy device detector, SIM cards, hard drives, and antennas capable of interfering with IT systems.
Analyst note: The arrested individuals are likely part of ongoing cyber espionage or sabotage efforts targeting Poland’s national defense systems; the specialized equipment points toward preparation for IT interference, surveillance, and data theft.
DEEP AND DARK WEB INTELLIGENCE
Exploit and RAMP user zeroplayer: Threat actor "zeroplayer" has advertised an alleged local privilege escalation (LPE) zero-day exploit for the Linux kernel, priced at USD 1, on the Exploit and RAMP forums. zeroplayer is known for advertising various alleged zero-day exploits at prices ranging from a dollar to hundreds of thousands of dollars. The Linux kernel exploit is likely priced low because an LPE is only useful to an attacker who already has low-privileged code execution on the target system.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-66516: Apache has issued an updated security patch for a critical XML External Entity (XXE) vulnerability in Apache Tika, after the earlier patch for CVE-2025-54988 failed to address the full issue. Threat actors can exploit XXE flaws to read sensitive files from the parsing host, cause denial of service (DoS), and make server-side requests that reach otherwise isolated internal and third-party systems.
Affected products: The affected products are listed in this advisory.
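The file-disclosure half of an XXE bug is easy to reproduce with any XML parser that resolves external general entities. Tika is Java, so the following Python is an added illustration of the same vulnerability class in the standard library's SAX (expat) parser, not Tika's code and not the CVE's actual payload; the temporary file, its contents and the `xxe_demo` helper are constructed for this example. The same parse is shown with external entity resolution enabled (vulnerable) and disabled (the hardened setting, which is also the stdlib default on current Python versions).

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects the character data the parser reports for the document."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_untrusted(xml_bytes, resolve_external_entities):
    """Parse attacker-controlled XML with Python's stdlib SAX (expat) parser.

    resolve_external_entities=True reproduces the classic XXE condition: a
    SYSTEM entity declared in the DOCTYPE is fetched and its contents are
    spliced into the document text.  False (the hardened setting) leaves the
    reference unresolved, so nothing from the filesystem reaches the output.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts).strip()


def xxe_demo():
    """Return (leaked_text, hardened_text) for one constructed XXE payload.

    A temporary file stands in for a sensitive file on the parsing host;
    its contents are made up for this example.
    """
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("db_password=constructed-secret\n")
        secret_path = f.name
    try:
        # Constructed payload: declare an external entity pointing at a local
        # file, then reference it inside an ordinary element.
        payload = (
            '<?xml version="1.0"?>\n'
            '<!DOCTYPE doc [\n'
            f'  <!ENTITY xxe SYSTEM "{secret_path}">\n'
            ']>\n'
            '<doc>&xxe;</doc>\n'
        ).encode()
        leaked = parse_untrusted(payload, resolve_external_entities=True)
        hardened = parse_untrusted(payload, resolve_external_entities=False)
    finally:
        os.unlink(secret_path)
    return leaked, hardened


if __name__ == "__main__":
    leaked, hardened = xxe_demo()
    print("external entities enabled :", repr(leaked))
    print("external entities disabled:", repr(hardened))
```

With resolution enabled the parser returns the file's contents as document text, which is exactly what an attacker reads back from a service that echoes or indexes parsed content; with it disabled the element is empty. For Tika itself the remediation is to move to a release that carries the follow-up patch, since the first fix was incomplete; for any other XML-handling component the check is the same one shown here: confirm that external general entities (and, against DoS, DTD processing and entity expansion) are disabled for attacker-supplied input.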
Tags: DIB, tlp:green