
ZeroFox Daily Intelligence Brief - December 25, 2025

By Alpha Team


ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • SEC Charges Multiple Entities over USD 14M Crypto Investment Scam
  • Typosquatted Domain Distributes Cosmali Loader Malware
  • Geopolitical Highlights: Casualties, Shootings, and Adverse Weather Events

SEC Charges Multiple Entities over USD 14M Crypto Investment Scam

Source: https://thehackernews.com/2025/12/sec-files-charges-over-14-million.html

What we know: The U.S. Securities and Exchange Commission (SEC) has charged multiple companies and investment clubs for running cryptocurrency investment scams. The scheme used fake AI-generated trading tips and bogus platforms to defraud retail investors of more than USD 14 million.

Context: Victims were lured via social media and fake AI investment advice before being defrauded through bogus crypto platforms. When investors tried to withdraw funds, the fake platforms demanded advance fees and then cut off access entirely.

Analyst note: The involvement of multiple entities in this scam likely indicates an increasing use of AI to scale and lend credibility to fraudulent schemes. New and less-experienced investors are particularly at risk, as they often seek investment advice online and are likely to be drawn to schemes promising quick and easy returns.

Typosquatted Domain Distributes Cosmali Loader Malware

Source: https://www.bleepingcomputer.com/news/security/fake-mas-windows-activation-domain-used-to-spread-powershell-malware/

What we know: Researchers have discovered that attackers used a typosquatted domain (fake website address) impersonating a certain open source troubleshooting tool to trick users into running malicious PowerShell commands, infecting systems with Cosmali Loader malware.

Context: The attackers reportedly exploited a single-character domain typo to distribute malware that enables remote access and deploys cryptomining tools and the XWorm remote access trojan (RAT). Users can verify commands before running them and test them in a sandbox to prevent infection from such typosquatted domains. Additionally, bookmarking legitimate sites can prevent users from accessing malicious sites accidentally.

Analyst note: The attackers are likely to continue their malicious activities by reusing fake domains, targeting similar tools to trick more users, and exploiting infected computers to stay hidden, steal data, make money, and sell access to other cyber criminals.
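As an added illustration of the single-character typo described above (example code written for this brief, not part of the ZeroFox report or the cited research), the following Python scans constructed DNS or proxy log lines and flags any queried domain that lies within one edit (insertion, deletion, substitution, or adjacent swap) of a trusted domain on an allowlist. The trusted domains, client addresses and log lines are invented placeholders, not indicators from the report.

```python
"""Flag log entries whose queried domain is one edit away from a trusted domain.

Constructed example: the allowlist, client addresses and log lines below are
invented placeholders, not indicators from the ZeroFox brief."""
import re

# Constructed allowlist of legitimate sites the organisation expects users to visit.
TRUSTED_DOMAINS = {"trusted-tool.example", "get.trusted-tool.example"}

# Constructed log lines in a minimal "timestamp client queried-domain" format.
SAMPLE_LOG = """\
2025-12-24T10:01:02Z 10.0.0.5 trusted-tool.example
2025-12-24T10:01:09Z 10.0.0.5 trusted-tool.exanple
2025-12-24T10:02:30Z 10.0.0.7 trustedtool.example
2025-12-24T10:03:11Z 10.0.0.9 trusted-tool.exampel
2025-12-24T10:04:00Z 10.0.0.9 unrelated.example
"""


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment (Damerau-Levenshtein) distance: one edit per
    insertion, deletion, substitution, or swap of two adjacent characters."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]


def normalise(domain: str) -> str:
    """Lower-case and strip a trailing dot so log variants compare equal."""
    return domain.strip().lower().rstrip(".")


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_edits: int = 1):
    """Return the trusted domain this one imitates, or None when it is either an
    exact trusted domain or not within max_edits of any trusted domain."""
    domain = normalise(domain)
    if domain in trusted:
        return None
    for t in sorted(trusted):
        if edit_distance(domain, t) <= max_edits:
            return t
    return None


LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def scan_log(text: str):
    """Return (timestamp, client, queried_domain, imitated_domain) for each
    line whose queried domain is a near-miss of a trusted domain."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        ts, client, qname = m.groups()
        target = lookalike_of(qname)
        if target:
            hits.append((ts, client, normalise(qname), target))
    return hits


if __name__ == "__main__":
    for ts, client, qname, target in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} queried {qname!r}, one edit from trusted {target!r}")
```

Three of the five constructed lines are flagged (a substitution, a dropped hyphen, and a swapped pair of letters); the exact trusted domain and the unrelated domain pass. In practice the allowlist would be the handful of download sites a team actually relies on, and a hit is a prompt to review what the client fetched rather than proof of infection.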

Geopolitical Highlights: Casualties, Shootings, and Adverse Weather Events

  • A car displaying a “Happy Chanukah” sign was firebombed in St Kilda East, Melbourne, on Christmas morning in a suspected antisemitic attack. This incident follows the very recent terrorist attack at Bondi Beach that targeted a Hanukkah celebration.
  • On December 24, 2025, at least five people were killed and 35 injured in a bomb blast at a mosque in Nigeria during evening prayers. No group has claimed responsibility, but the region has been repeatedly targeted by sectarian group Boko Haram and its offshoot, Islamic State West Africa Province, in ongoing insurgency attacks.
  • Torrential rains hit Southern California on December 24, 2025, triggering flash floods, debris flows, road closures, and at least one weather-related death amid widespread evacuations. A state of emergency was declared across six counties as more than 43 million people in California, southern Nevada, and northwest Arizona face flood watches, with continuing heavy rain, landslide risks, and power outages expected through the holidays.

DEEP AND DARK WEB INTELLIGENCE

Exploit user betway: Threat actor “betway” has advertised a dataset of roughly 960,000 transaction records linked to certain equipment and software companies for sale. The actor claims the dataset contains sensitive data, including names, IP addresses, email addresses, phone numbers, physical addresses, and card data. If the actor’s claims are true, interested buyers are likely to target exposed companies and individuals in fraud, identity theft, and follow-on cyberattacks.

Tags: DIB, TLP:GREEN