ZeroFox Daily Intelligence Brief - December 16, 2025

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Russia Targeting Western Critical Infrastructure in Years-Long Cyber Espionage Campaign
  • Suspected Cyberattack Hits German Parliament amid U.S.-Ukraine Talks
  • Geopolitical Focus: Planned New Year’s Eve Bomb Attacks in Los Angeles Thwarted

Russia Targeting Western Critical Infrastructure in Years-Long Cyber Espionage Campaign

Source: https://www.theregister.com/2025/12/15/amazon_ongoing_gru_campaign/

What we know: A new report states that Russia’s Main Intelligence Directorate (GRU) has been carrying out a years-long cyber-espionage campaign against the Western energy sector, technology providers, and the telecommunications sector.

Context: Russian state-backed hackers are exploiting credentials and misconfigured cloud-hosted devices to maintain persistent access. They are largely targeting network edge devices, such as VPN concentrators and enterprise routers, alongside collaboration and wiki platforms and cloud-based project management tools.

Analyst note: Russia has likely escalated the scale and technical capability of cyberattacks against critical infrastructure in the United States and Europe, given the heightened warnings issued by affected governments in recent months.

Suspected Cyberattack Hits German Parliament amid U.S.-Ukraine Talks

Source: https://www.reuters.com/world/german-parliament-suffers-suspected-cyberattack-during-zelenskiys-visit-ft-2025-12-15/

What we know: The German parliament reportedly suffered a cyberattack on December 15, 2025, during U.S.-Ukraine talks in Berlin. The suspected cyberattack affected Germany’s lower house of parliament, resulting in a major email outage.

Context: Members of parliament were unable to access their email accounts for nearly four hours. This incident comes on the heels of a cyberattack that disrupted email servers at the French Interior Ministry. Germany had also summoned the Russian ambassador over an increase in threatening hybrid activities.

Analyst note: The incident in Germany was very likely carried out by Russia-backed hackers seeking to gain access to classified discussions between Ukraine and its Western allies. Similar cyber disruptions and attacks are almost certain to occur during negotiations to end the war between Ukraine and Russia.

Geopolitical Focus: Planned New Year’s Eve Bomb Attacks in Los Angeles Thwarted

U.S. authorities have arrested four members of Turtle Island Liberation Front, a pro-Palestine and “anti-capitalist” group. They are accused of plotting coordinated improvised explosive device (IED) attacks against two U.S. companies and the United States Immigration and Customs Enforcement (ICE) on New Year’s Eve. Investigators say the group planned to deploy multiple backpack bombs at five or more locations across the greater Los Angeles area at midnight. The FBI disrupted the plot before execution. Certain criminal groups likely choose to escalate tensions during major celebrations, like Christmas, to draw attention to their political stance and amplify their message globally.

DEEP AND DARK WEB INTELLIGENCE

Operators claim BreachForums is back: BreachForums operators have announced to some users via email that the forum is being restored from old data backups, including legacy user accounts, posts, and discussions. At the time of writing, the forum’s clearnet and Tor sites display limited content, with more expected in the near future. This attempt follows law enforcement activity in October 2025 that seized the forum’s previous clearnet and onion domains.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2025-68115: A reflected cross-site scripting (XSS) vulnerability in Parse Server affects password reset and email verification pages. If exploited, this vulnerability is likely to enable attackers to inject and execute malicious JavaScript in a victim’s browser, leading to account takeover, credential theft, and session hijacking.

Affected products: All Parse Server versions earlier than 8.6.1; versions 9.0.0 up to 9.1.0-alpha.3
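As an added check that is not part of the ZeroFox brief: the affected ranges above applied to a deployed Parse Server version string using semantic-versioning precedence, so a pre-release such as 8.6.1-beta.1 still counts as earlier than the 8.6.1 fix. The 9.x upper bound 9.1.0-alpha.3 is assumed to be inclusive.

```python
# Added example (not from the ZeroFox brief): decide whether an observed Parse Server
# version falls inside the affected ranges stated for CVE-2025-68115.
# Ranges from the brief: every release before 8.6.1, and 9.0.0 through 9.1.0-alpha.3.
# Assumption: the upper bound 9.1.0-alpha.3 is itself affected (inclusive).
import re

SEMVER_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


def parse_semver(version):
    """Turn 'MAJOR.MINOR.PATCH[-prerelease][+build]' into a comparable key.

    Semantic-versioning precedence: a pre-release sorts below the same core
    version without one, numeric identifiers compare numerically and rank
    below alphanumeric ones, and build metadata is ignored.
    """
    m = SEMVER_RE.match(version.strip().lstrip("v"))
    if not m:
        raise ValueError(f"not a semantic version: {version!r}")
    core = tuple(int(m.group(i)) for i in (1, 2, 3))
    pre = m.group(4)
    if pre is None:
        return (core, 1, ())          # release: ranks above any pre-release of the same core
    ids = tuple(
        (0, int(p), "") if p.isdigit() else (1, 0, p) for p in pre.split(".")
    )
    return (core, 0, ids)


FIXED_8X = parse_semver("8.6.1")           # first fixed 8.x release
FIRST_AFFECTED_9X = parse_semver("9.0.0")
LAST_AFFECTED_9X = parse_semver("9.1.0-alpha.3")  # assumed inclusive


def is_affected(version):
    """True if `version` lies in a range the brief lists as affected."""
    v = parse_semver(version)
    return v < FIXED_8X or FIRST_AFFECTED_9X <= v <= LAST_AFFECTED_9X


def triage(versions):
    """Classify observed version strings (e.g. from an asset inventory)."""
    result = {}
    for ver in versions:
        try:
            result[ver] = "affected" if is_affected(ver) else "not affected"
        except ValueError:
            result[ver] = "unparseable"
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real deployment data.
    for ver, status in triage(["8.6.0", "8.6.1", "9.1.0-alpha.3", "9.1.0", "latest"]).items():
        print(f"{ver:>15}  {status}")
```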

Tags: DIB, tlp:green