ZeroFox Daily Intelligence Brief - December 19, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- FBI Dismantles USD 70 Million Crypto Laundering Service E-Note
- Foreign Interference Suspected in Malware Attack Against International Passenger Ferry
- Surge in North Korea–Linked Cybercriminal Activities in 2025
FBI Dismantles USD 70 Million Crypto Laundering Service E-Note
Source: https://www.theregister.com/2025/12/18/e_note_takedown/
What we know: The FBI, along with its international partners, has dismantled E-Note, a USD 70 million crypto laundering service used by cybercriminal organizations, including those targeting U.S. healthcare and critical infrastructure.
Context: E-Note helped cybercriminals move their stolen funds across borders without being detected. It also helped cybercriminals swap cryptocurrency into regular cash. The service is linked to a Russian admin and an arrest warrant has been issued against the individual. Authorities have seized servers and domains hosting E-Note’s operations.
Analyst note: The law enforcement action is very likely to help identify cybercriminals who used the service, since customer databases and transaction records have been obtained. The movement of illicit proceeds via E-Note is likely to be frozen, cutting off financial resources for various cybercriminal organizations.
Foreign Interference Suspected in Malware Attack Against International Passenger Ferry
What we know: France’s counterespionage agency is investigating an alleged cyberattack on an international passenger ferry owned by the Italian shipping company Grandi Navi Veloci (GNV). Authorities arrested two crew members; one was released without charges, while the other is being held on suspicion of being an insider threat.
Context: GNV alerted the authorities to a remote access trojan (RAT) malware strain that had likely infected the ferry’s systems while it was docked at a port. There is speculation that crew members gained access to the operating system, which likely indicates foreign interference.
Analyst note: Threat actors, especially state-associated ones, are likely to leverage RAT malware strains, enabling them to remotely control ferries. Threat actors are likely to create hostage situations to threaten adversarial countries or to gain strategic intelligence through such cyberattacks.
Surge in North Korea–Linked Cybercriminal Activities in 2025
Source: https://thehackernews.com/2025/12/north-korea-linked-hackers-steal-202.html
What we know: North Korea–associated cyber operations intensified significantly in 2025, driving a surge in global cryptocurrency theft that totaled USD 3.4 billion. Threat actors also infiltrated companies via fake IT workers, ran job-lure malware campaigns, and laundered stolen crypto through China-linked networks and services.
Context: North Korea–linked threat actors expanded their malware operations in 2025, deploying an evolved BeaverTail malware strain in job-lure campaigns to steal financial data. They also ran mobile phishing campaigns using fake sites and QR codes to spread the DocSwap Android remote access trojan (RAT), disguised as shipment-tracking and security apps.
Analyst note: North Korea is likely to continue and expand its cyber operations in 2026, funding its state activities through stolen cryptocurrency, while gathering strategic intelligence via advanced malware.
DEEP AND DARK WEB INTELLIGENCE
University of Sydney data theft: Threat actors have stolen data from the University of Sydney’s online coding repository, including personally identifiable information (PII) on over 27,000 individuals from the university community. The stolen data contains names, dates of birth, contact numbers, physical addresses, and employment details of current and former staff, affiliates, students, and alumni. Threat actors are likely to either advertise the data for sale on dark web platforms or attempt to extort the university. Furthermore, the exposed individuals are likely at risk of phishing, social engineering, and identity theft.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-37164: HPE has patched this critical vulnerability in its OneView software, which allows unauthenticated attackers to execute code remotely. Administrators are urged to update to version 11.00 or apply the security hotfixes immediately. Unpatched OneView instances are likely to let attackers gain full control of managed servers, storage, and networking devices.
Affected products: The affected products are included in this advisory.
Tags: DIB, tlp:green