ZeroFox Daily Intelligence Brief - December 26, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- 2022 LastPass Breach Continues to Fuel Crypto Theft in 2025
- New SantaStealer MaaS Steals Credentials and Crypto Wallets
- Geopolitical Focus: Airstrikes in Nigeria, Turkey Detains Terror Suspects, and More
2022 LastPass Breach Continues to Fuel Crypto Theft in 2025
Source: https://thehackernews.com/2025/12/lastpass-2022-breach-led-to-years-long.html
What we know: Encrypted vault backups stolen in the 2022 LastPass breach are reportedly still being exploited. Threat actors have brute-forced weak master passwords offline to decrypt vaults and steal crypto as recently as late 2025.
Context: Researchers traced over USD 35 million in stolen assets, with on-chain evidence linking the laundering activity to Russian cybercriminal infrastructure and high-risk Russian exchanges.
Analyst note: The highest risk likely remains for users with high-value vault contents protected by weak master passwords, especially those who did not rotate or strengthen their credentials after the 2022 breach.
New SantaStealer MaaS Steals Credentials and Crypto Wallets
What we know: A new malware-as-a-service (MaaS) information stealer, known as SantaStealer, is reportedly stealing credentials, documents, and crypto wallets while operating largely in memory to evade detection.
Context: The SantaStealer MaaS operates on a subscription-based model and includes capabilities such as screenshot capture and credential theft. It can bypass certain app-bound encryption protections through a user-executed embedded component, rather than a remote exploit.
Analyst note: The holiday season is likely to see increased demand for pirated software, movies, game cheats, and other unverified tools. New malware strains such as SantaStealer are likely to be distributed via pirated tools that trick users into executing the malicious code and the stealer itself.
Geopolitical Focus: Airstrikes in Nigeria, Turkey Detains Terror Suspects, and More
- The United States carried out airstrikes in northwest Nigeria's Sokoto state targeting Islamic State (IS) terrorists on December 25, 2025. The strikes were carried out in coordination with Nigerian forces.
- Turkey detained 115 Islamic State suspects on December 25 for allegedly plotting attacks during Christmas and New Year’s celebrations. Istanbul police also seized firearms, cartridges, and documents during raids across 124 locations.
- Heavy rainstorms across California caused flooding and mudslides that killed three people, forced evacuations, shut major roads, and left about 100,000 without power on December 25. The storms are expected to continue in California on December 26.
- Poland said its air defence forces intercepted and escorted a Russian reconnaissance aircraft flying over international waters near Polish airspace over the Baltic Sea, while also detecting objects entering from Belarus on December 25.
- A verdict is expected in the trial of former Malaysian Prime Minister Najib Razak, who is accused of being involved in the alleged USD 4.5 billion embezzlement from the state fund 1MDB. The ruling could further strain current Prime Minister Anwar Ibrahim’s fragile coalition government, as Najib's party United Malays National Organisation is part of the coalition.
DEEP AND DARK WEB INTELLIGENCE
DarkForums user AgSlowly: Threat actor “AgSlowly” has advertised the sale of data allegedly associated with DINISSAN (Distribuidora Nissan), a Colombia-based automobile distributor of Nissan, on DarkForums. The dataset allegedly includes personally identifiable information (PII) of over 600,000 individuals, including names, email addresses, phone numbers, physical addresses, and more. If the data is legitimate, threat actors are likely to use it in phishing, social engineering, and identity theft attacks.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2020-12812: Fortinet has warned that this five-year-old improper authentication vulnerability in FortiOS SSL VPN is being actively exploited in the wild under certain configurations. The flaw allows a successful login without second-factor authentication if the letter case of the username is changed. The flaw is likely to be exploited in attacks targeting perimeter devices, in line with similar incidents in 2021. Successful exploitation is likely to enable threat actors to intrude into an organization's network and move laterally, leading to disruptions and data exfiltration, among other issues.
Affected products: The affected products are listed in this advisory.
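One defensive check that follows from the behaviour described above is to hunt VPN logs for successful logins where the supplied username differs from the directory's canonical spelling only in letter case and no second factor was recorded. The script below is an added example written for this brief, not Fortinet's or ZeroFox's code; the log lines, field names (`user`, `result`, `mfa`, `src`), user list and MFA-exempt list are all constructed assumptions in a generic syslog style, not the real FortiOS log format, so the regex must be adapted to your own export.

```python
import re
from dataclasses import dataclass

# Constructed sample records in a generic syslog style (assumed format, not FortiOS's).
SAMPLE_LOG = """\
2025-12-26T08:01:12Z vpn-gw sslvpn: user="jsmith" result=success mfa=totp src=198.51.100.7
2025-12-26T08:03:45Z vpn-gw sslvpn: user="JSMITH" result=success mfa=none src=203.0.113.5
2025-12-26T08:04:02Z vpn-gw sslvpn: user="adavis" result=failure mfa=none src=203.0.113.5
2025-12-26T08:05:30Z vpn-gw sslvpn: user="Adavis" result=success mfa=none src=203.0.113.9
2025-12-26T08:07:11Z vpn-gw sslvpn: user="svc_backup" result=success mfa=none src=192.0.2.20
"""

# Canonical usernames exactly as stored in the directory (constructed).
KNOWN_USERS = {"jsmith", "adavis", "svc_backup"}
# Accounts where a missing second factor is expected by policy (constructed).
MFA_EXEMPT = {"svc_backup"}

LINE_RE = re.compile(
    r'^(?P<ts>\S+) \S+ sslvpn: user="(?P<user>[^"]*)" result=(?P<result>\w+) '
    r'mfa=(?P<mfa>\w+) src=(?P<src>[\d.]+)$'
)


@dataclass(frozen=True)
class Finding:
    ts: str
    supplied_user: str
    canonical_user: str
    src: str


def find_case_mismatch_logins(log_text, known_users=KNOWN_USERS, mfa_exempt=MFA_EXEMPT):
    """Return successful logins whose username matches a known account only
    case-insensitively (not byte-for-byte) and that carried no second factor."""
    by_lower = {u.lower(): u for u in known_users}
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "success" or m["mfa"] != "none":
            continue  # unparsable, failed, or MFA-backed logins are not of interest
        canonical = by_lower.get(m["user"].lower())
        if canonical is None or canonical == m["user"] or canonical in mfa_exempt:
            continue  # unknown account, exact-case match, or policy-exempt account
        findings.append(Finding(m["ts"], m["user"], canonical, m["src"]))
    return findings


if __name__ == "__main__":
    for f in find_case_mismatch_logins(SAMPLE_LOG):
        print(f"{f.ts} supplied={f.supplied_user!r} canonical={f.canonical_user!r} src={f.src} (no MFA)")
```

On the constructed sample this flags the `JSMITH` and `Adavis` logins and ignores the exact-case TOTP login, the failed attempt, and the exempt service account.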
Tags: DIB, tlp:green