ZeroFox Daily Intelligence Brief - December 29, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- MongoBleed Exploitation Endangers More than 80K MongoDB Instances
- Trust Wallet Chrome Extension Hack Leads to USD 7 Million Crypto Theft
- Everest Ransomware Group Announces over 1 TB Data Breach of Chrysler Systems
MongoBleed Exploitation Endangers More than 80K MongoDB Instances
Source: https://thehackernews.com/2025/12/new-mongodb-flaw-lets-unauthenticated.html
What we know: Threat actors are actively exploiting a critical MongoDB vulnerability, MongoBleed (CVE-2025-14847). The flaw enables unauthenticated attackers to remotely leak sensitive in-memory data, including database credentials and cloud secrets, from exposed servers.
Context: The flaw abuses improper handling of zlib-compressed network messages, causing MongoDB to leak in-memory data. Over 80,000 MongoDB instances are exposed and users are urged to patch the flaw affecting MongoDB versions 3.6 through 8.2.3.
Analyst note: Active exploitation of MongoBleed, combined with failure to deploy patches, is likely to lead to large-scale exposure of credentials and sensitive data, enabling follow-on attacks such as database compromise, cloud account takeover, data theft, and lateral movement into affected networks.
Trust Wallet Chrome Extension Hack Leads to USD 7 Million Crypto Theft
What we know: Non-custodial cryptocurrency wallet Trust Wallet has confirmed that over USD 7 million in cryptocurrency has been stolen through a compromised Chrome extension update released on December 24, 2025. Multiple users have reported their wallets drained.
Context: Trust Wallet enables users to manage, store, and interact with digital assets across various blockchains and is available as a mobile application and a Chrome browser extension. Trust Wallet’s Chrome extension version 2.68.0 reportedly contained suspicious code appearing in a bundled JavaScript file, named 4482[.]js. A new version 2.69 has also been released.
Analyst note: Threat actors are reportedly already exploiting the incident and confusion among Trust Wallet users by creating phishing domains advertising fake security patches for the Chrome extension, aiming to steal user funds. Such incidents are likely to rise in the immediate aftermath.
Everest Ransomware Group Announces over 1 TB Data Breach of Chrysler Systems
Source: https://hackread.com/everest-ransomware-group-chrysler-data-breach/
What we know: Everest Ransomware Group has claimed responsibility, on its dark web leak site, for exfiltrating 1,088 GB of personal data from the American automaker Chrysler Systems.
Context: Everest has claimed access to a complete operational database of Chrysler, including 105 GB of Salesforce folders spanning 2021 to 2025. The data includes confidential internal documents and personal information of employees and customers.
Analyst note: This was a strategically timed attack during the holiday period, when employee presence is low, with the intent of bypassing threat monitoring. Because personal information is involved, the exposed data poses serious risks to customer privacy, internal operations, and third-party systems.
DEEP AND DARK WEB INTELLIGENCE
BreachStars user Lovely: Threat actor “Lovely” has claimed to leak personal data of over 2.3 million users of the American magazine and website “Wired” on the dark web platform BreachStars. The leaked dataset reportedly includes names, email addresses, phone numbers, user IDs, IP addresses, and last session dates, among other fields. However, it does not include payment information or other financial information. The threat actor is likely seeking a ransom payment from the victim organization in exchange for deleting, and not misusing, the leaked dataset. Exposed individuals are likely at risk of phishing and social engineering attacks.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-68664: This flaw in LangChain Core, dubbed LangGrinch, enables attackers to steal secrets and manipulate LLM behavior via prompt injection. It is a serialization injection flaw in which unescaped, user-controlled lc keys are treated as trusted LangChain objects during deserialization. It is likely to enable threat actors to carry out data leaks, remote code execution, denial of service, and unauthenticated code execution.
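One stop-gap a defender can put in front of a deserializer while patching, written for this brief as an added example and not taken from LangChain or the advisory: walk untrusted JSON and refuse it if any nested object carries an lc key, so such input never reaches the loader. The function names, the sample payloads and the assumption that the marker is simply a dict key named lc (as the item above describes) are constructed for this example.

```python
import json
from typing import Any, Iterator

LC_MARKER = "lc"  # key the item above describes as marking a LangChain object


def find_lc_keys(node: Any, path: str = "$") -> Iterator[str]:
    """Yield JSONPath-style locations of every dict that carries an "lc" key.

    Recurses through dicts and lists so a marker buried inside a message list
    or a nested kwargs object is found, not only one at the top level.
    """
    if isinstance(node, dict):
        if LC_MARKER in node:
            yield path
        for key, value in node.items():
            yield from find_lc_keys(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_lc_keys(value, f"{path}[{index}]")


def parse_untrusted(raw: str) -> dict:
    """Parse JSON from an untrusted source and reject it before any
    deserializer sees it if it contains an "lc"-marked object."""
    data = json.loads(raw)
    hits = list(find_lc_keys(data))
    if hits:
        raise ValueError(f"rejected: LangChain object markers at {hits}")
    return data


# Constructed sample payloads (hypothetical, not from the advisory): a benign
# chat request and one that smuggles a marker inside a nested field.
BENIGN = '{"messages": [{"role": "user", "content": "hello"}]}'
SMUGGLED = '{"messages": [{"role": "user", "content": {"lc": 1, "kwargs": {}}}]}'

if __name__ == "__main__":
    print(parse_untrusted(BENIGN)["messages"][0]["content"])
    try:
        parse_untrusted(SMUGGLED)
    except ValueError as err:
        print(err)
```

This guard only blocks the marker the item names; it is a containment measure alongside patching, not a replacement for it.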
Affected products: The affected products are included in this advisory.
Tags: DIB, tlp:green