ZeroFox Weekly Intelligence Brief – December 13, 2025
by Alpha Team

ZeroFox’s Weekly Intelligence Briefing highlights the major developments and trends across the threat landscape, including digital, cyber, and physical threats. ZeroFox Intelligence is derived from a variety of sources, including—but not limited to—curated open-source accesses, vetted social media, proprietary data sources, and direct access to threat actors and groups through covert communication channels. Information relied upon to complete any report cannot always be independently verified. As such, ZeroFox applies rigorous analytic standards and tradecraft in accordance with best practices and includes caveat language and source citations to clearly identify the veracity of our Intelligence reporting and substantiate our assessments and recommendations. All sources used in this particular Intelligence product were identified prior to 6:00 AM (EDT) on December 11, 2025; per cyber hygiene best practices, caution is advised when clicking on any third-party links.
United States and Allies Release Advisory on Attacks by Pro-Russia Hacktivist Groups
What we know:
- The United States and allies have released a joint advisory detailing pro-Russia hacktivist groups’ attack methodology, which often involves targeting minimally secured, internet-facing Virtual Network Computing (VNC) connections to infiltrate critical infrastructure systems.
- Hacktivist groups, including Z-Pentest, NoName057(16), and Sector16, carry out lower-impact attacks compared to advanced persistent threat (APT) groups.
- The threat actors have targeted water and wastewater systems, food and agriculture, and energy sectors.
Evilginx Phishing Campaign Targets 18 U.S. Universities
What we know:
- Between April and November 2025, a phishing campaign targeted at least 18 U.S. universities and deployed nearly 70 phishing domains using the Evilginx adversary-in-the-middle (AiTM) phishing kit.
- The campaign reportedly succeeded in bypassing multi-factor authentication on victim systems.
React2Shell Vulnerability Continues to Be Actively Exploited
What we know:
- React2Shell, a critical vulnerability in the popular open-source tool React Server Components (RSC), tracked as CVE-2025-55182, has continued to be actively exploited by various threat actors, including those linked to North Korea and China.
Tags: tlp:green