ZeroFox Daily Intelligence Brief - December 10, 2025
|by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- U.S. and Allies Release Advisory on Attacks by Pro-Russia Hacktivist Groups
- U.S. Offers USD 10 Million for Information on Two Iranian Hackers
- Spiderman Phishing Kit Streamlines Financial Fraud in Europe
U.S. and Allies Release Advisory on Attacks by Pro-Russia Hacktivist Groups
Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-343a
What we know: The United States and allied governments have released a joint advisory detailing the attack methodology of pro-Russia hacktivist groups, which frequently target minimally secured, internet-facing virtual network computing (VNC) services to gain a foothold in critical infrastructure systems.
Context: These hacktivist groups carry out lower-impact attacks compared to advanced persistent threat (APT) groups. Some notorious groups include Z-Pentest, NoName057(16), and Sector16, among others. The U.S. government has also offered rewards for information on several of these groups, including USD 10 million for NoName057(16).
Analyst note: Hacktivist groups are very likely to exaggerate the claims and impact of their attacks, which can cause defenders to spend time and resources inspecting systems for damage that never occurred. They are nonetheless likely to cause some real damage through relentless, repeated attacks against less secured targets such as supervisory control and data acquisition (SCADA) networks.
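The quickest way to find the "minimally secured" VNC endpoints the advisory describes is to complete the RFB version handshake and read the list of security types the server offers: a server that offers type 1 (None) hands the desktop to anyone who connects, and one that offers only type 2 (VNC Authentication) relies on an 8-character DES challenge with no transport encryption. The following checker is an added example written for this brief; it is not code from the advisory or from ZeroFox. It assumes RFB 3.3/3.7/3.8 framing as specified in RFC 6143, and it should only be pointed at hosts you are authorised to test.

```python
"""Check which security types a VNC (RFB) server offers.

Added example, not part of the CISA advisory or the ZeroFox brief.
Assumes the RFB 3.3 / 3.7 / 3.8 handshake framing from RFC 6143.
"""
import socket
import struct

# Security types from RFC 6143 section 7.1.2 plus common registered ones.
SEC_NONE = 1               # no authentication at all
SEC_VNC_AUTH = 2           # DES challenge on an 8-char password, no encryption
SEC_ENCRYPTED = {18, 19}   # TLS and VeNCrypt: the types that wrap the session in TLS

SEC_NAMES = {0: "Invalid", 1: "None", 2: "VNC Authentication", 16: "Tight",
             17: "Ultra", 18: "TLS", 19: "VeNCrypt", 30: "Apple Remote Desktop"}


def parse_version(banner: bytes) -> tuple[int, int]:
    """Parse the 12-byte ProtocolVersion message, e.g. b'RFB 003.008\\n'."""
    if (len(banner) != 12 or not banner.startswith(b"RFB ")
            or banner[7:8] != b"." or banner[11:12] != b"\n"):
        raise ValueError(f"not an RFB banner: {banner!r}")
    return int(banner[4:7]), int(banner[8:11])


def parse_security_types(payload: bytes, minor: int) -> list[int]:
    """Parse the server's security-type message.

    RFB 3.3 sends one big-endian u32 chosen by the server; 3.7/3.8 send a u8
    count followed by that many u8 types. Zero in either case means the server
    refused, and a u32 length plus an ASCII reason string follows.
    """
    if minor < 7:
        (sec,) = struct.unpack("!I", payload[:4])
        types, failed, rest = [sec], sec == 0, payload[4:]
    else:
        count = payload[0]
        types, failed, rest = list(payload[1:1 + count]), count == 0, payload[1:]
    if failed:
        (n,) = struct.unpack("!I", rest[:4])
        raise ConnectionRefusedError(rest[4:4 + n].decode("ascii", "replace"))
    return types


def assess(types: list[int]) -> dict:
    """Classify what the offered security types mean for an internet-facing endpoint."""
    return {
        "offered": [SEC_NAMES.get(t, f"type {t}") for t in types],
        # Anyone who can reach the port can take over the desktop.
        "no_auth": SEC_NONE in types,
        # Only the legacy DES challenge is offered: short password, sniffable session.
        "legacy_auth_only": bool(types) and set(types) <= {SEC_VNC_AUTH},
        "encrypted_option": bool(SEC_ENCRYPTED & set(types)),
    }


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes or raise; recv() may return short reads."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-handshake")
        buf += chunk
    return buf


def probe(host: str, port: int = 5900, timeout: float = 5.0) -> dict:
    """Live check: finish the version handshake and return assess() of the offered types."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        major, minor = parse_version(_recv_exact(s, 12))
        minor = min(minor, 8)  # never claim a newer protocol than we implement
        # Echo the agreed version so the server sends its security-type list.
        s.sendall(b"RFB %03d.%03d\n" % (major, minor))
        payload = s.recv(4096)
    result = assess(parse_security_types(payload, minor))
    result["version"] = f"{major}.{minor}"
    return result


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:          # e.g. python vnc_check.py 192.0.2.10:5900
        host, _, port = target.partition(":")
        print(target, probe(host, int(port or 5900)))
```

Any endpoint that reports `no_auth` or `legacy_auth_only` and is reachable from the internet is exactly the low-effort target the advisory warns about; the fix is to remove it from the internet (VPN or jump host), require VeNCrypt/TLS with a strong credential, and restrict the listener to the management network.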
U.S. Offers USD 10 Million for Information on Two Iranian Hackers
Source: https://www.securityweek.com/us-posts-10-million-bounty-for-iranian-hackers/
What we know: The U.S. government is offering up to USD 10 million for information on two members of Iranian hacking group Shahid Shushtari, linked to Iran’s Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC).
Context: Shahid Shushtari has allegedly caused significant financial damage and disruption to businesses and government agencies in the United States, Europe, and the Middle East. They have targeted multiple sectors from energy, shipping, critical infrastructure, to news and others.
Analyst note: The size of the bounty very likely indicates that the two individuals work closely with senior IRGC leadership and are capable of causing significant damage. Any information received is likely to help the U.S. government sanction the individuals and their network, or facilitate their arrest in the future.
Spiderman Phishing Kit Streamlines Financial Fraud in Europe
Source: https://hackread.com/spiderman-phishing-kit-european-banks-credential-theft/
What we know: A new phishing kit, called Spiderman, has emerged on the dark web and enables even low-skill attackers to impersonate major European banks and cryptocurrency platforms.
Context: The kit can reportedly harvest credentials in real time and prompt victims, through fake banking and exchange pages, to hand over additional data such as payment card details and one-time passcodes (OTPs). It also offers geo-blocking and filtering of traffic from known security-vendor networks, so that automated scanners and analysts outside the targeted countries never see the phishing page.
Analyst note: The dark-web community around the kit is likely to rapidly evolve, with criminal developers introducing new and improved phishing templates, evasion features, credential harvesting scripts, and automation.
DEEP AND DARK WEB INTELLIGENCE
Vitas hospice breached: A cybersecurity incident at Vitas Healthcare, a large for-profit hospice chain, has exposed the personal and medical data of more than 300,000 patients in the United States. The intrusion was carried out through a compromised vendor account. Threat actors holding such vendor access are likely to use it to move laterally into the vendor's other client environments and steal additional sensitive information.
VULNERABILITY AND EXPLOIT INTELLIGENCE
Microsoft December 2025 Patch Tuesday: Microsoft has patched 57 vulnerabilities, including one actively exploited zero-day in the Windows Cloud Files component and two publicly disclosed zero-days in GitHub Copilot and PowerShell. The updates also address three remote code execution flaws and multiple privilege escalation, information disclosure, and denial-of-service (DoS) vulnerabilities. Unpatched systems are likely to remain highly exposed to targeted attacks, including complete system takeover, data theft, and operational disruption.
Affected products: The affected products are listed in this advisory.
Tags: DIB, tlp:green