Advisories

ZeroFox Daily Intelligence Brief - December 11, 2025

by Alpha Team


ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Former Contractor Indicted for Misrepresenting Federal Cloud Security
  • U.S. Charges Individual Linked to Russian Hacktivist Attacks on Critical Infrastructure
  • React2Shell Vulnerability Continues to Be Actively Exploited

Former Contractor Indicted for Misrepresenting Federal Cloud Security

Source: https://www.justice.gov/opa/pr/senior-manager-government-contractor-charged-cybersecurity-fraud-scheme

What we know: The United States has indicted an employee of a former government contracting entity for allegedly running a multi-year scheme to mislead federal agencies about the security of a cloud platform. The indictment charges the individual with two counts of wire fraud, one count of major government fraud, and two counts of obstruction of a federal audit.

Context: The individual presented the platform as meeting strict federal security standards (FedRAMP High and DoD Impact Level 4/5 requirements) when it actually lacked critical controls, putting sensitive government data at potential risk.

Analyst note: Misrepresenting or underreporting security controls on government-used platforms is likely to create significant blind spots that enable threat actors to operate undetected within federal systems.

U.S. Charges Individual Linked to Russian Hacktivist Attacks on Critical Infrastructure

Source: https://www.bleepingcomputer.com/news/security/ukrainian-hacker-charged-with-helping-russian-hacktivist-groups/

What we know: U.S. prosecutors have charged an individual for their alleged role in cyberattacks on critical infrastructure in the United States and elsewhere on behalf of Russian state-associated hacktivist groups “NoName057(16)” and “CyberArmyofRussia_Reborn (CARR)”.

Context: These groups reportedly carried out distributed denial-of-service (DDoS) attacks, industrial control system sabotage, and physical disruption, including contamination of drinking water and ammonia leaks at a meat processing facility, in the United States.

Analyst note: The indictment is likely to enable law enforcement to gain intelligence on the groups’ methods, members, and infrastructure, leading to further arrests or preventive actions against planned attacks.

React2Shell Vulnerability Continues to Be Actively Exploited

Source: https://thehackernews.com/2025/12/react2shell-exploitation-delivers.html

What we know: The critical vulnerability in popular open source tool React Server Components (RSC), called React2Shell and tracked as CVE-2025-55182, has continued to be actively exploited by various threat actors including those linked to North Korea and China.

Context: At least 30 organizations across various sectors (prominently in construction and entertainment sectors) have been affected. Threat actors are exploiting the flaw to deploy cryptocurrency miners and undocumented malware families. The flaw enables remote code execution in cloud environments via unsafe deserialization.

Analyst note: Threat actors are almost certainly actively scanning for vulnerable systems. The scale of the activity likely indicates an automated scanning process. If cloud environments are compromised, downstream entities and systems are also very likely to be impacted, resulting in financial losses and disruption.

DEEP AND DARK WEB INTELLIGENCE

Exploit user Shenron: Threat actor "Shenron" has shared a link to an alleged 1.75 TB dataset belonging to Swiss manufacturer Logitech on the dark web forum Exploit. Shenron claims the dataset includes internal company data and millions of personal data records from various countries. Since the threat actor's reputation is unknown, the dataset is likely to be recycled data from an old breach. Downloading the file is likely to pose a risk of malicious code execution.

VULNERABILITY AND EXPLOIT INTELLIGENCE

PCIe vulnerabilities: Three vulnerabilities, tracked as CVE-2025-9612, CVE-2025-9613, and CVE-2025-9614, in Peripheral Component Interconnect Express (PCIe) are under investigation by major hardware vendors Intel and AMD. The flaws impact the PCIe Integrity and Data Encryption (IDE) standard and enable attackers to feed corrupted data to the receiver. Successful exploitation is likely to lead to information disclosure, privilege escalation, or denial of service (DoS) conditions.

Affected products: The affected products are listed in the advisory.

Tags: DIB, tlp:green