ZeroFox Daily Intelligence Brief - December 22, 2025

by Alpha Team


ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • U.S. Charges 54 Individuals for ATM Jackpotting Using Ploutus Malware
  • Threat Actors Impersonate U.S. Officials Using AI-led Malware Campaign
  • Alleged Russian Cyberattack Left Danish Homes Without Water

U.S. Charges 54 Individuals for ATM Jackpotting Using Ploutus Malware

Source: https://thehackernews.com/2025/12/us-doj-charges-54-in-atm-jackpotting.html

What we know: The U.S. Department of Justice has charged 54 individuals with stealing millions of dollars through ATM jackpotting, a combined physical and cyber attack, at ATMs across the United States. The accused are also allegedly linked to the Venezuelan gang Tren de Aragua (TdA), which the U.S. has designated a terrorist organization.

Context: The accused first conducted external reconnaissance at target ATMs, then opened the machine's hood or door to swap in a hard drive loaded with Ploutus malware. Once booted, the malware issued unauthorized dispense commands to the ATM's Cash Dispensing Module, forcing it to pay out currency without any legitimate customer transaction.

Analyst note: Law enforcement action is likely to recover at least part of the stolen funds and disrupt the associated money laundering network. The case also underscores the need for stronger physical controls on ATMs, such as hardened enclosures, tamper alarms and boot-time integrity checks, to stop criminals from opening machines and installing malware-infected hard drives.
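Because a jackpotted ATM pays out cash with no authorizing transaction behind it, one operator-side check that does not depend on the compromised machine's own hard drive is to reconcile the dispenser's event journal against the host's authorization log and flag dispenses that no authorization explains. The script below is an added example, not ZeroFox's or any ATM vendor's code: the log formats, field names, ATM identifiers and the sample lines are constructed for illustration, and the 60-second matching window is an assumed tuning value.

```python
"""Reconcile ATM cash-dispense events against host authorizations.

Added example (not from the original brief). The line format
"<ISO8601 UTC> <atm_id> <KIND> <amount_cents>" and all sample data below
are constructed for illustration and match no real ATM or switch product.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Event:
    atm_id: str
    ts: datetime
    amount: int  # cents


def _parse(line: str, kind: str) -> Optional[Event]:
    """Parse one constructed log line; ignore lines of a different kind."""
    parts = line.split()
    if len(parts) < 4 or parts[2] != kind:
        return None
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(parts[1], ts, int(parts[3]))


def parse_events(lines: Iterable[str], kind: str) -> List[Event]:
    return [e for e in (_parse(line, kind) for line in lines) if e is not None]


def find_unauthorized(dispenses: List[Event], auths: List[Event],
                      window: timedelta = timedelta(seconds=60)) -> List[Event]:
    """Return dispenses that no host authorization explains.

    A dispense is explained by an authorization for the same ATM and the
    same amount issued at most `window` before it. Each authorization can
    explain at most one dispense, so a burst of identical payouts after a
    single legitimate withdrawal is still flagged (the jackpotting pattern).
    """
    pending = {}  # atm_id -> unused authorizations, oldest first
    for a in sorted(auths, key=lambda e: e.ts):
        pending.setdefault(a.atm_id, []).append(a)

    unauthorized = []
    for d in sorted(dispenses, key=lambda e: e.ts):
        candidates = pending.get(d.atm_id, [])
        match = next((a for a in candidates
                      if a.amount == d.amount
                      and timedelta(0) <= d.ts - a.ts <= window), None)
        if match is None:
            unauthorized.append(d)
        else:
            candidates.remove(match)  # consume it; one auth explains one dispense
    return unauthorized


# Constructed sample: ATM0042 has one authorized withdrawal followed by three
# back-to-back payouts with no authorization; ATM0007 is a normal withdrawal.
DISPENSER_JOURNAL = """\
2025-12-20T02:13:59Z ATM0042 DISPENSE 20000
2025-12-20T02:14:05Z ATM0042 DISPENSE 40000
2025-12-20T02:14:09Z ATM0042 DISPENSE 40000
2025-12-20T02:14:13Z ATM0042 DISPENSE 40000
2025-12-20T09:30:02Z ATM0007 DISPENSE 10000
""".splitlines()

HOST_AUTH_LOG = """\
2025-12-20T02:13:55Z ATM0042 AUTH 20000
2025-12-20T09:29:58Z ATM0007 AUTH 10000
""".splitlines()


def report(dispenser_lines: Iterable[str], host_lines: Iterable[str]) -> List[Event]:
    dispenses = parse_events(dispenser_lines, "DISPENSE")
    auths = parse_events(host_lines, "AUTH")
    return find_unauthorized(dispenses, auths)


if __name__ == "__main__":
    for e in report(DISPENSER_JOURNAL, HOST_AUTH_LOG):
        print(f"UNAUTHORIZED DISPENSE {e.atm_id} {e.ts.isoformat()} {e.amount / 100:.2f}")
```

The journal must come from a channel the attacker cannot rewrite by swapping the ATM's hard drive, such as dispenser events relayed in real time to the operator's monitoring host; a reconciliation that only reads the local disk is defeated by the very technique it is meant to catch. Run on the constructed sample, the script reports the three 400.00 payouts from ATM0042 and nothing for ATM0007.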

Threat Actors Impersonate U.S. Officials Using AI-led Malware Campaign

Source: https://www.ic3.gov/PSA/2025/PSA251219

What we know: Threat actors are increasingly impersonating current and former senior U.S. officials, using artificial intelligence to build rapport with victims. They combine smishing and vishing with AI-generated voice messages and personas to extract sensitive personal information from targets.

Context: Posing as high-ranking officials, the actors move conversations onto encrypted messaging platforms such as Signal and Telegram to evade detection, then engage victims through a mix of text messages, voice messages and calls. Victims are tricked into disclosing credentials, authentication codes, sensitive personal or organizational documents, and in some cases into wiring funds to overseas financial institutions.

Analyst note: Threat actors are likely to operationalize information obtained through this scam in targeted attacks against major corporate entities, both for financial gain and for data theft. State-associated actors are also likely to adopt the same tactics, posing a risk to national security.

Alleged Russian Cyberattack Left Danish Homes Without Water

Source: https://apnews.com/article/russia-denmark-cyberattacks-moscow-putin-sabotage-d9776a44bf6b80574eb54a5edf64ee19

What we know: Denmark has accused Russia of carrying out cyberattacks against Danish government websites and critical infrastructure in 2024 and 2025, at least one of which had physical consequences. In November 2025, Russia allegedly conducted a series of denial-of-service (DoS) attacks against Danish websites ahead of regional and local elections.

Context: Last year, a cyberattack on a Danish water utility caused pipes to burst, temporarily cutting off water to homes. The accusation comes as multiple European countries have blamed Russia for hybrid attacks on their critical infrastructure.

Analyst note: If the allegations are accurate, they indicate that Russia is willing to cause real-world disruption through cyberattacks, particularly during periods of escalating tension. Even limited physical consequences are likely to carry psychological effects, such as eroding public trust in government and critical service providers.

DEEP AND DARK WEB INTELLIGENCE

BreachForums user Indra: Threat actor "Indra" has advertised a breached dataset of about 1.5 million records attributed to "France Travail Mission Locale", a French public employment service. The dataset allegedly includes full names, email addresses, physical addresses and dates of birth, among other fields. If Indra's claims are accurate, the affected individuals are likely to be targeted in extortion attempts, identity fraud schemes and other financial fraud campaigns.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2025-14733: This already-patched remote code execution (RCE) vulnerability in WatchGuard's Firebox firewalls is reportedly under active exploitation. The flaw lets threat actors execute arbitrary commands on internet-exposed devices and take control of them. Because firewalls sit at the network edge, successful exploitation is likely to give threat actors a foothold inside organizations' internal networks; exposed devices should be confirmed to be running the patched firmware.

Affected products: The affected products are listed in the vendor's advisory.

Tags: DIB, TLP:GREEN