ZeroFox Daily Intelligence Brief - December 30, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Romanian Energy Firm Hit by Gentlemen Ransomware Attack
- Korean Air Employee Data Exposed in KC&D Supplier Breach
- Phishing Campaign Targets U.S. Critical Infrastructure Using Malicious Npm Packages
Romanian Energy Firm Hit by Gentlemen Ransomware Attack
What we know: Romania’s largest coal-based energy producer Oltenia Energy Complex (Complexul Energetic Oltenia) has confirmed a ransomware attack on its IT infrastructure. The attack has been attributed to the Gentlemen ransomware group.
Context: Some files have been encrypted, and systems such as ERP, document management, email, and website services are temporarily unavailable. This incident follows a recent ransomware attack on Romania’s water management authority.
Analyst note: Two ransomware attacks on Romanian critical infrastructure entities in quick succession suggest that a common initial access vector is likely being exploited, possibly by multiple threat actors. The attacks are also likely part of a broader campaign against European critical infrastructure that is directly or indirectly linked to Russian state-backed entities.
Korean Air Employee Data Exposed in KC&D Supplier Breach
What we know: Korean Air has disclosed a data breach after its in-flight catering supplier and former subsidiary, Korean Air Catering & Duty-Free (KC&D), was compromised, exposing employee data stored in KC&D’s ERP systems.
Context: The breach has reportedly affected up to 30,000 employee records, including names and bank account numbers. The company has yet to attribute the breach to a specific threat actor. However, the Cl0p ransomware group has claimed responsibility for the breach and published the allegedly stolen data on its dark web leak site.
Analyst note: Employees associated with this breach likely face increased risks of impersonation scams, fraud, and other social engineering schemes.
Phishing Campaign Targets U.S. Critical Infrastructure Using Malicious Npm Packages
Source: https://thehackernews.com/2025/12/27-malicious-npm-packages-used-as.html
What we know: A sustained phishing campaign, using 27 malicious npm packages, has been reportedly targeting critical infrastructure and adjacent organizations in the United States and allied countries to steal credentials.
Context: This operation has reportedly been observed for five months. At least 25 organizations across manufacturing, healthcare, plastics, and industrial automation were impacted by credential theft. The campaign reportedly repurposed the npm registry and the public content delivery networks (CDNs) that serve npm package content as hosting infrastructure for the scripts and assets embedded in its phishing pages, which impersonate secure document-sharing portals.
Analyst note: Credentials stolen in this campaign are likely to be used against the victims' partners and customers, turning the phishing operation into a broader supply chain compromise. Since the campaign has specifically targeted U.S. and allied critical infrastructure over a sustained period of time, it is likely to be a state-linked operation.
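A triage check a defender might run over a captured phishing page to surface the hosting pattern described above: enumerate every script, stylesheet, iframe or form reference that resolves to an npm-backed CDN, extract the package and version it pulls from, and report packages that are not on a known-good list. This is an added example, not ZeroFox's code nor an artifact of the reported campaign. The CDN hostnames, the allowlist, the package names and the sample HTML are all assumptions constructed for the example; the brief does not name specific CDNs or packages.

```python
import re
from urllib.parse import urlparse

# Public CDNs that serve files straight out of npm packages. Which CDNs the
# real campaign used is not stated in the brief; these two are assumptions.
# Each pattern splits the URL path into package, optional version and file.
PKG = r"(?P<pkg>@[^/@]+/[^/@]+|[^/@]+)"          # scoped (@scope/name) or plain
VER = r"(?:@(?P<ver>[^/]+))?"                      # optional @version
REST = r"(?P<path>/.*)?$"                          # optional file path
NPM_CDN_PATTERNS = {
    "cdn.jsdelivr.net": re.compile(r"^/npm/" + PKG + VER + REST),
    "unpkg.com": re.compile(r"^/" + PKG + VER + REST),
}

# Attributes that pull remote content into a page or send form data out of it.
ATTR_RE = re.compile(r'\b(?:src|href|action)\s*=\s*["\']([^"\']+)["\']', re.I)


def find_npm_cdn_references(html: str) -> list:
    """Return every npm-CDN-hosted asset referenced by the page."""
    hits = []
    for m in ATTR_RE.finditer(html):
        url = m.group(1)
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        pattern = NPM_CDN_PATTERNS.get(host)
        if pattern is None:
            continue                      # not an npm-backed CDN, ignore
        pm = pattern.match(parsed.path)
        if pm is None:
            continue                      # CDN host but not a package path
        hits.append({
            "url": url,
            "package": pm.group("pkg"),
            "version": pm.group("ver"),   # None means "latest": mutable payload
            "file": pm.group("path") or "/",
        })
    return hits


def unknown_packages(html: str, allowlist) -> list:
    """Packages loaded from npm CDNs that are not on the known-good list."""
    names = {h["package"] for h in find_npm_cdn_references(html)}
    return sorted(names - set(allowlist))


# Constructed sample of a document-sharing lure that loads its logic from
# npm-hosted packages. Package names are hypothetical.
SAMPLE_PHISHING_HTML = """
<html><head><title>Secure Document Portal</title>
<script src="https://cdn.jsdelivr.net/npm/jquery@3.7.1/dist/jquery.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/example-docshare-widget@1.0.3/dist/loader.js"></script>
<link rel="stylesheet" href="https://unpkg.com/@example/portal-theme@0.2.0/style.css">
</head><body>
<iframe src="https://unpkg.com/example-docshare-widget@1.0.3/view.html"></iframe>
<form action="https://login.example.net/submit"><input name="password"></form>
</body></html>
"""

if __name__ == "__main__":
    for hit in find_npm_cdn_references(SAMPLE_PHISHING_HTML):
        print(f"{hit['package']:30} {hit['version'] or 'latest':8} {hit['file']}")
    print("not on allowlist:", unknown_packages(SAMPLE_PHISHING_HTML, {"jquery"}))
```

Two things worth checking on a real hit: the package's publish history on the registry (a package published days before the phishing wave, by an account with no other packages, is the pattern to look for), and whether the reference is version-pinned. Both CDNs resolve an unversioned reference to the package's current release, so an unpinned reference lets the operator swap the payload after the page has been scanned; the `version` field being `None` flags that case.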
DEEP AND DARK WEB INTELLIGENCE
Telegram user NoName057(16): Pro-Russian threat group NoName057(16) has claimed responsibility for breaching “the French water supply management system,” allegedly using a vulnerability in the authentication system. There is a roughly even chance that NoName057(16)’s claim is legitimate, given the group’s links to Russian state entities and shared resources. However, it is also likely that the group is making this claim as part of a psychological operation to undermine trust in the security of European critical infrastructure entities.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-54322: This is an unauthenticated remote code execution (RCE) zero-day vulnerability in XSpeeder networking devices. Over 70,000 devices worldwide are exposed to the internet. The flaw gives attackers “root” access without requiring a password. Successful exploitation is likely to lead to data theft, traffic monitoring, or complete device takeover.
Affected products: Xspeeder SXZOS versions through 2025-12-26
Tags: DIB, tlp:green