ZeroFox Daily Intelligence Brief - December 23, 2025

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Malicious npm Package Snoops on WhatsApp Chats, Steals Credentials
  • Major Ransomware Attack on Romanian Water Management Authority
  • Interpol Dismantles Cybercrime Networks across Africa, Seizing USD 3 Million

Malicious npm Package Snoops on WhatsApp Chats, Steals Credentials

Source: https://thehackernews.com/2025/12/fake-whatsapp-api-package-on-npm-steals.html

What we know: A malicious npm package named “lotusbail,” posing as a fully functional WhatsApp API, has been found to be capable of stealing WhatsApp credentials, intercepting messages, harvesting contacts, and maintaining persistent access.

Context: Users have downloaded the npm package at least 56,000 times since it was first uploaded in May 2025 by the user "seiren_primrose." The package contains a malicious WebSocket wrapper that routes authentication information and messages in a way that lets the threat actor capture credentials and message contents.

Analyst note: Malicious npm packages of this kind are very likely to aid large-scale supply chain attacks through which threat actors can capture vast amounts of sensitive data and credentials. Copycat packages are likely to appear in the future, posing and functioning as legitimate tools while hiding malicious code.
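As an added check that is not part of this brief, the script below walks an npm package-lock.json (both the lockfileVersion 1 nested layout and the v2/v3 flat "packages" map) and flags any occurrence of the package named above, including as a transitive dependency; the sample lockfile, the "demo-app" and "chat-helper" names and the version strings in it are constructed.

```python
import json

# Package name taken from this brief; add further names as they are published.
BLOCKLIST = {"lotusbail"}

def _name_from_path(path):
    # v2/v3 keys look like "node_modules/foo" or
    # "node_modules/foo/node_modules/@scope/bar"; the package name is the
    # last node_modules segment, which may be scoped.
    return path.split("node_modules/")[-1]

def _walk_v1(deps, found, chain):
    # lockfileVersion 1 nests transitive dependencies under "dependencies".
    for name, meta in (deps or {}).items():
        path = chain + [name]
        if name in BLOCKLIST:
            found.append({"name": name, "version": meta.get("version"),
                          "path": "/".join(path)})
        _walk_v1(meta.get("dependencies"), found, path)

def find_blocklisted(lock):
    """Return every blocklisted package found anywhere in a parsed package-lock."""
    found = []
    packages = lock.get("packages")
    if packages is not None:  # lockfileVersion 2 or 3
        for path, meta in packages.items():
            if not path:
                continue  # "" is the root project itself, not a dependency
            name = meta.get("name") or _name_from_path(path)  # "name" set for aliases
            if name in BLOCKLIST:
                found.append({"name": name, "version": meta.get("version"), "path": path})
    else:  # lockfileVersion 1
        _walk_v1(lock.get("dependencies"), found, [])
    return found

# Constructed sample lockfile (v3 layout): a helper package pulls the bad package in transitively.
SAMPLE_LOCK = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/ws": {"version": "8.18.0"},
    "node_modules/chat-helper": {"version": "2.1.0", "dependencies": {"lotusbail": "*"}},
    "node_modules/chat-helper/node_modules/lotusbail": {"version": "0.0.0-constructed"}
  }
}""")

if __name__ == "__main__":
    for hit in find_blocklisted(SAMPLE_LOCK):
        print(f"BLOCKLISTED {hit['name']}@{hit['version']} at {hit['path']}")
```

Run it against a real lockfile with `find_blocklisted(json.load(open("package-lock.json")))`; an empty list means none of the blocklisted names appear in the tree.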

Major Ransomware Attack on Romanian Water Management Authority

Source: https://www.theregister.com/2025/12/22/around_1000_systems_compromised_in/

What we know: Romania’s cybersecurity agency has confirmed a ransomware attack that compromised approximately 1,000 IT systems in regional water administration units, affecting the GIS server, databases, email, web services, Windows workstations, and other systems. Operational technology and services remained unaffected.

Context: The threat actors abused Windows’ built-in BitLocker encryption to lock files and demand a ransom. While investigations remain ongoing, no specific threat actor or group has yet publicly claimed responsibility.

Analyst note: This attack on national infrastructure, alongside similar attacks on Western nations, likely indicates that threat actors are targeting critical systems to pressure entities into giving in to their demands. Other countries are also likely to face similar attacks resulting in compromised infrastructure.

Interpol Dismantles Cybercrime Networks across Africa, Seizing USD 3 Million

Source: https://www.bleepingcomputer.com/news/security/interpol-led-action-decrypts-6-ransomware-strains-arrests-hundreds/

What we know: The Interpol-led “Operation Sentinel” has dismantled cybercrime networks across Africa linked to extortion, ransomware activity, and business email compromise attacks. The operation led to the arrest of 574 individuals and the seizure of USD 3 million.

Context: Operation Sentinel was carried out between October 27 and November 27, 2025, involving law enforcement agencies in 19 countries. It took down over 6,000 malicious links and decrypted six distinct ransomware variants. Investigations revealed that the targeted cybercrime cases are linked to over USD 21 million in financial losses.

Analyst note: The coordinated action is likely to halt the ongoing cybercrime activity of the targeted networks for the time being. Freezing linked assets is also likely to cut off financial and other infrastructure resources from affiliated criminal organizations and individuals.

DEEP AND DARK WEB INTELLIGENCE

Hacktivist group Handala Hack Team: The pro-Palestinian hacktivist group "Handala Hack Team" is claiming to offer information on four Israeli politicians, including former Israeli Defense Minister Yoav Gallant. The offer was made in a post titled "The Day of Reckoning Awaits the Child-Killers." Based on its past activity and its reputation as a capable threat actor, the group is likely offering genuine sensitive and hacked data on the listed individuals.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2023-52163: Threat actors are actively exploiting this command injection vulnerability in Digiever DS-2105 Pro 3.1.0.71-11 devices. The vulnerability only affects products that are no longer supported by the maintainer, so no vendor fix is expected. Threat actors are likely to exploit this flaw to run arbitrary commands, enabling them to fully take over affected systems, install malware, steal data, and launch attacks on other systems.

Affected products: Digiever DS-2105 Pro 3.1.0.71-11 devices

Tags: DIB, TLP:GREEN