ZeroFox Daily Intelligence Brief - December 18, 2025
|by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- CISA Releases Guide for Stadium and Arena Owners Ahead of Major Events
- Fake Facebook Lures Used in “GhostPairing” WhatsApp Account Takeover Campaign
- Geopolitical Focus: Mexican Cartel Sanctioned, Russian Intimidation Campaign, and More
CISA Releases Guide for Stadium and Arena Owners Ahead of Major Events
What we know: CISA has released a guide for stadium and arena owners and operators to help them mitigate the consequences of potential cyber and physical disruptions to four critical lifeline sectors: Energy, Water and Wastewater Systems, Communications, and Transportation.
Context: The guide is tailored for major public gathering events such as the FIFA World Cup 2026, America 250, and the 2028 Summer Olympics. It aims to address potential disruptions such as cyberattacks, physical attacks, or aging infrastructure. Venue operators are advised to understand how critical infrastructure systems and assets are interconnected through dependencies, so that a disruption in one lifeline sector (for example, power) is recognized as a likely disruption to the others that depend on it.
Analyst note: CISA’s mention of upcoming major events in the United States likely indicates that there is a risk of threat actors, including nation-state actors, targeting venues and critical infrastructure during the event period with various types of cyberattacks.
Fake Facebook Lures Used in “GhostPairing” WhatsApp Account Takeover Campaign
What we know: Threat actors, in a campaign dubbed GhostPairing, are reportedly abusing WhatsApp’s legitimate device-linking feature to take over accounts and gain full access to chats and shared media.
Context: Victims are lured via fake Facebook pages that trigger the pairing workflow, linking the attacker’s device to their account; no malware is required, because the attacker is abusing a legitimate feature with the victim’s own consent. Researchers first observed the campaign in Czechia. Similar device-linking attacks have reportedly affected other messaging apps, such as Signal, in multiple regions. Victims often fail to notice an unauthorized linked device, which can be uncovered by checking Settings > Linked Devices and logging out any device that is not recognized.
Analyst note: Such account-takeover campaigns leading to exposure of private conversations and media are likely to enable data theft, blackmail, long-term surveillance, impersonation, and fraud.
Geopolitical Focus: Mexican Cartel Sanctioned, Russian Intimidation Campaign, and More
- The U.S. government has sanctioned the Mexican cartel Cartel de Santa Rosa de Lima (CSRL) for fuel and oil theft in the Mexican state of Guanajuato. CSRL smuggles stolen crude into the United States and Central America, generating illicit profits for the cartel while affecting U.S. energy markets.
- An individual in the United States has been sentenced to 10 years of imprisonment for bombing electrical transformers in late 2022 and early 2023. The damage to critical energy infrastructure resulted in power outages to homes and businesses and also posed national security risks.
- Russian intelligence is reportedly carrying out an intimidation campaign targeting Belgian politicians and senior finance executives at the securities depository Euroclear, aiming to block the use of EUR 185 billion (approx. USD 218 billion) in assets for Ukraine.
- European and South American law enforcement agencies are coordinating to dismantle the criminal networks smuggling cocaine into Europe. Authorities have recently targeted a Dutch-Colombian network, a Brazilian maritime smuggling operation, and a Greek at-sea transfer operation to disrupt the routes and structures used by organized crime.
- Eurojust, in coordination with Italian and Romanian authorities, has seized and frozen assets worth EUR 40 million (approx. USD 47 million) from a suspect affiliated with the Santapaola-Ercolano mafia family and the Cappello Bonaccorsi clan.
DEEP AND DARK WEB INTELLIGENCE
Telegram user Dark Warios: The pro-Russian threat group "Dark Warios" has claimed to have leaked 3.3 GB of data tied to Ukraine’s state aviation sector. Dark Warios alleges that the leaked dataset contains internal maintenance and inspection documents; the claim has not been independently verified. If genuine, the leaked data is likely to enable espionage, sabotage, and targeted attacks on Ukraine’s aviation infrastructure.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-20393: Cisco has detected threat actors targeting internet-exposed AsyncOS-based Secure Email and Web Manager appliances and executing arbitrary commands with root privileges. Cisco recommends that customers follow the guidance provided in the Recommendations section of its advisory. Attackers exploiting this vulnerability are likely to gain full control of affected devices, enabling access to sensitive data (including mail traffic passing through the appliance), deployment of malware, and persistent access for long-term intrusion. Organizations should review whether their appliances’ management or web interfaces are reachable from the internet and restrict that exposure where possible.
Affected products: The affected products and versions are listed in Cisco’s security advisory.
Tags: DIB, tlp:green