ZeroFox Daily Intelligence Brief - December 12, 2025

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Flaw Found in Pro-Russian Hacktivist Group CyberVolk’s Ransomware
  • DroidLock Attacks Enable Full Android Takeover
  • NSA Releases Secure Boot Configuration Guidance

Flaw Found in Pro-Russian Hacktivist Group CyberVolk’s Ransomware

Source: https://www.theregister.com/2025/12/11/cybervolk_ransomware_is_back/

What we know: Researchers have found that pro-Russian hacktivist group CyberVolk’s ransomware build has a flaw, stemming from hardcoded master keys, that enables victims to recover encrypted data without having to pay the ransom.

Context: The CyberVolk 2.x (aka VolkLocker) ransomware-as-a-service (RaaS) operates through Telegram, making it technically easy to use. It was launched in August 2025 after a period of inactivity. Once deployed, the ransomware escalates privileges on victim systems and uses AES-256 in GCM mode (Galois/Counter Mode) for file encryption.

Analyst note: In a recent U.S. advisory, pro-Russian hacktivist groups with ties to Russia’s military intelligence were revealed to share tools, communicate, and collaborate. While CyberVolk was not mentioned in the advisory, it is also likely to share communication channels and collaborate with state-linked affiliates.

DroidLock Attacks Enable Full Android Takeover

Source: https://hackread.com/droidlock-android-malware-users-spy-camera/

What we know: A new Android malware campaign, called DroidLock, has reportedly been targeting Spanish users through malicious phishing sites. The threat actors have been hijacking devices and turning them into full-scale surveillance tools and can also capture the victim’s image with the front camera.

Context: Once installed, the malware abuses Device Administrator permissions to lock victims out, change PINs, wipe data, steal credentials, and remotely control the device, enabling a total takeover of the device without encrypting files.

Analyst note: Devices infected with DroidLock are likely to expose victims’ corporate emails, VPN access, collaboration tools, and stored authentication tokens, giving threat actors a pathway into enterprise systems and putting sensitive corporate data at significant risk.

NSA Releases Secure Boot Configuration Guidance

Source: https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/4356302/nsa-releases-unified-extensible-firmware-interface-secure-boot-guidance/

What we know: The U.S. National Security Agency (NSA) has released new guidance for organizations on managing Unified Extensible Firmware Interface (UEFI) Secure Boot for proper configuration to mitigate boot-level threats.

Context: The guidance states that the need for Secure Boot is underscored by recent vulnerabilities such as PKFail, BlackLotus, and BootHole.

Analyst note: Organizations neglecting Secure Boot configuration are likely at a greater risk of exposure to bootkits and other persistence techniques. Threat actors are likely to gain persistent access to victim systems, steal data, or disrupt operations using such vulnerabilities.
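A practical first check that follows from the guidance above is confirming that Secure Boot is actually enforcing on each Linux host. The script below is an added example, not material from the brief or from the NSA document; it assumes a UEFI system with efivarfs mounted at /sys/firmware/efi/efivars, where each variable file is 4 bytes of attribute flags followed by the variable data (1 byte for SecureBoot and SetupMode).

```shell
# Added example: read the UEFI SecureBoot and SetupMode variables via efivarfs
# and report whether the platform is really enforcing Secure Boot.
# Assumption: standard Linux efivarfs layout (4 attribute bytes, then data).
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"   # EFI_GLOBAL_VARIABLE

# Print the single data byte of a 1-byte EFI variable file, or "missing".
efivar_byte() {
  [ -r "$1" ] || { echo missing; return 0; }
  v=$(od -An -tu1 -j4 -N1 "$1" | tr -d ' \n')
  echo "${v:-missing}"
}

# Report "enforcing", "disabled", "setup-mode" or "no-uefi" for the efivars
# directory given as $1. Exit status is 0 only when Secure Boot is enforcing.
secure_boot_state() {
  dir="$1"
  sb=$(efivar_byte "$dir/SecureBoot-$EFI_GLOBAL_GUID")
  sm=$(efivar_byte "$dir/SetupMode-$EFI_GLOBAL_GUID")
  if [ "$sb" = missing ]; then echo no-uefi; return 1; fi
  # SetupMode=1 means the key database can be rewritten without
  # authentication, so the boot chain is not protected regardless of SB.
  if [ "$sm" = 1 ]; then echo setup-mode; return 1; fi
  if [ "$sb" = 1 ]; then echo enforcing; return 0; fi
  echo disabled; return 1
}

# On a real host, print the state (non-zero status is swallowed here so the
# script can also be sourced on machines without UEFI).
[ -d /sys/firmware/efi/efivars ] && secure_boot_state /sys/firmware/efi/efivars || :
```

Run it from a fleet-management job and alert on anything other than "enforcing"; "setup-mode" in particular means the host's Secure Boot keys could be replaced and deserves the same attention as "disabled".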

DEEP AND DARK WEB INTELLIGENCE

Telegram user Dark Storm Team: Pro-Palestinian hacktivist group Dark Storm Team has claimed that it launched a distributed denial-of-service (DDoS) attack against INTERPOL’s public contact portal. The group alleged that the attack temporarily disrupted access to the organization’s general inquiry page. The attack is likely aligned with opportunistic hacktivist operations targeting high-visibility international entities for propaganda value rather than operational effect.

VULNERABILITY AND EXPLOIT INTELLIGENCE

Chrome vulnerability 466192044: Google has released an emergency Chrome update to fix an actively exploited zero-day (publicly listed as 466192044) and two other bugs, although few technical details had been disclosed at the time of writing. Chrome users on Windows, macOS, and Linux were urged to immediately update to the latest versions. Unpatched devices are likely at high risk of remote code execution, data theft, and session hijacking, making updating to the latest versions essential.

Affected products: Google Chrome on Windows and macOS devices running versions prior to 143.0.7499.109/.110 and Linux running versions prior to 143.0.7499.109

CVE-2025-8110: This zero-day vulnerability in Gogs, a self-hosted Git service, has been exploited in the wild, enabling attackers to achieve remote code execution on Internet-facing servers. The flaw enabled threat actors to bypass previous RCE protections using a path traversal weakness, resulting in over 700 confirmed compromised Gogs instances. Threat actors are likely to gain control of vulnerable Gogs servers, enabling them to execute arbitrary commands, steal or modify repositories, plant backdoors, and pivot to connected networks.

Affected products: Gogs versions 0 through 0.13.3

Tags: DIB, tlp:green