ZeroFox Daily Intelligence Brief - December 31, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- U.S. Cybersecurity Workers Held Responsible for Conspiring to Obstruct Commerce by Extortion
- China-Linked Threat Actor Behind “Zoom Stealer” Browser Extension Campaign
- European Space Agency Confirms Cybersecurity Incident
U.S. Cybersecurity Workers Held Responsible for Conspiring to Obstruct Commerce by Extortion
What we know: Two former employees of U.S. cybersecurity incident response companies have pleaded guilty to deploying the BlackCat ransomware against U.S. healthcare organizations in 2023.
Context: The two, along with an affiliate, used trusted access and technical skills to extort American victims. The victims include a pharmaceutical company, an engineering firm, a medical device manufacturer, a drone manufacturer, and a doctor's office.
Analyst note: Malicious actors with in-depth knowledge about cybersecurity pose high risks to critical infrastructure, including healthcare entities. Under these circumstances, actors are very likely to rely on tools or TTPs developed by previous threat actors for financial extortion and gain.
China-Linked Threat Actor Behind “Zoom Stealer” Browser Extension Campaign
What we know: Chinese threat actor DarkSpectre is reportedly carrying out a campaign that uses a “Zoom Stealer” browser extension to steal online meeting-related data such as embedded passwords, URLs, IDs, descriptions, session metadata, profiles, and topics.
Context: The campaign uses at least 18 browser extensions that target 28 video-conferencing platforms, including Zoom and Google Meet. The campaign affects over 2.2 million users of popular web browsers. The threat actor's infrastructure is also linked to ShadyPanda, which deployed spyware payloads to users of popular web browsers.
Analyst note: Threat actors are likely to use the stolen data for corporate espionage. Threat actors are also likely to use the data in social engineering and phishing attacks.
European Space Agency Confirms Cybersecurity Incident
Source: https://x.com/esa/status/2005938460448715055
What we know: The European Space Agency (ESA) has confirmed a cybersecurity incident impacting servers outside its corporate network that supported unclassified engineering activities. This disclosure follows threat actor “888” advertising ESA-related data on dark web forum BreachForums.
Context: 888 claimed to have accessed ESA systems for about a week and exfiltrated over 200GB of data, including source code, API tokens, documents, hardcoded credentials, and internal repositories.
Analyst note: If the actor’s claims are true, unrotated API tokens and hardcoded credentials are likely to be reused to access other ESA systems and connected third-party services. Hardcoded passwords are especially high risk, as they are easily extracted and almost certain to be abused by malicious actors.
DEEP AND DARK WEB INTELLIGENCE
Exploit and XSS user Sculptor: Threat actor “Sculptor” has advertised a new crypter service, called EUROCRYPTER, targeting a specific operating system, on the Russian-language cybercrime forums Exploit and XSS. If the actor’s claims are true, threat actors are likely to observe higher success rates for initial access, as heavily obfuscated payloads can bypass endpoint and other security controls.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-52691: This is an unauthenticated remote code execution (RCE) zero-day vulnerability in SmarterTools SmarterMail email server software. The flaw enables attackers to upload arbitrary files to the mail server, potentially leading to remote code execution. Successful exploitation is likely to result in email data theft, server compromise, traffic monitoring, or complete system takeover, affecting multiple web hosting providers that use the software, such as ASPnix Web Hosting, Hostek, and simplehosting[.]ch.
Affected products: SmarterMail versions Build 9406 and earlier
Tags: DIB, tlp:green