ZeroFox Daily Intelligence Brief - January 2, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- New Wave of GlassWorm Malware Targeting macOS Users
- React2Shell Vulnerability Continues to be Exploited by RondoDox Botnet
- Geopolitical Focus: Casualties, Canceled Flights, and more
New Wave of GlassWorm Malware Targeting macOS Users
What we know: A fourth wave of the “GlassWorm” malware campaign is reportedly exclusively targeting macOS developers, using malicious VSCode and OpenVSX extensions to deploy trojanized versions of crypto wallet applications.
Context: The malware attempts to steal developer credentials, keychain passwords, and browser data, and it also targets more than 50 browser crypto extensions. Threat actors reportedly appear to be still preparing the macOS wallet trojans or transitioning their infrastructure.
Analyst note: Developers who have installed the affected extensions are very likely at risk of credential and financial theft. However, since the macOS wallet trojans and their infrastructure reportedly remain under preparation, affected users likely have some time to prevent the attack.
React2Shell Vulnerability Continues to be Exploited by RondoDox Botnet
Source: https://thehackernews.com/2026/01/rondodox-botnet-exploits-critical.html
What we know: A persistent, months-long campaign has reportedly been exploiting the React2Shell vulnerability (CVE-2025-55182) to incorporate Internet of Things (IoT) devices and web applications into a botnet known as RondoDox. Around 90,300 instances across various countries reportedly remain susceptible to the vulnerability.
Context: The RondoDox botnet targets IoT devices and internet-facing servers. It is mainly used for cryptocurrency mining, botnet expansion, and maintaining long-term control of compromised systems, and it scales by exploiting N-day vulnerabilities.
Analyst note: Multiple threat actors, both financially motivated and state-linked, are likely to target IoT devices on a large scale by leveraging this bug to disrupt crucial processes, including critical infrastructure.
Geopolitical Focus: Casualties, Canceled Flights, and more
- On January 1, 2025, around 40 people were killed and 115 injured when a fire broke out at the Le Constellation bar in Crans-Montana, southern Switzerland. Investigators have not yet determined the cause of the incident but have confirmed it was not the result of an attack.
- Two people were killed in fireworks-related accidents in the Netherlands on December 31. New Year’s Eve was also marked by violence and the burning of a historic church in central Amsterdam.
- On January 1, 2025, the U.S. State Department, in a press statement, denounced China’s live-fire military exercises around Taiwan, stating they were destabilizing and urged China to de-escalate and pursue dialogue to maintain regional stability.
- Yemen halted flights at Aden International Airport on January 1, 2025, amid escalating tensions between Saudi Arabia and the UAE, stemming from disputes over flight restrictions and the two countries' backing of opposing factions in southern Yemen.
DEEP AND DARK WEB INTELLIGENCE
BreachForums user LAPSUS$ GROUP: Threat collective "LAPSUS$ GROUP" has launched a new leak site and has also joined the dark web platform BreachForums, following a ban on its Telegram channel. It has announced more focused targeting of European entities, especially those based in France. The claims of the group and its affiliates will need to be monitored for some time before their credibility can be assessed. The group's particular focus on France likely suggests its affiliates are Europe-based and have a better understanding of the French cybersecurity landscape.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-69288: This vulnerability in Titra, an open-source project time-tracking application, can enable an authenticated admin user to achieve remote code execution (RCE). The issue occurs when malicious input is inserted into the timeEntryRule database field and later executed as code in a NodeVM without proper sanitization. Threat actors are likely to exploit this flaw to execute arbitrary code on affected systems, leading to full system compromise, data theft, and service disruption.
Affected products: Titra versions prior to 0.99.49
Tags: DIB, tlp:green