
ZeroFox Daily Intelligence Brief - June 4, 2025

by Alpha Team



ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Cybercriminals Defraud Hedera Hashgraph Wallet Users Through NFT Airdrops
  • Crocodilus Malware Spread to Global Android Users
  • Decade-Old Roundcube Webmail Vulnerability Enables Remote Code Execution

Cybercriminals Defraud Hedera Hashgraph Wallet Users Through NFT Airdrops

Source: https://www.ic3.gov/PSA/2025/PSA250603

What we know: The Federal Bureau of Investigation (FBI) has announced that cybercriminals are exploiting the nonfungible token (NFT) airdrop feature in non-custodial wallets to target Hedera Hashgraph users. These fake airdrops appear as free rewards but are used to steal user data and cryptocurrency.

Context: Hedera Hashgraph is Hedera's public distributed ledger. The NFT airdrop feature was originally created by non-custodial wallet providers for marketing purposes, which is what makes an unsolicited airdrop look legitimate to users.

Analyst note: Abusing the NFT airdrop feature lets cybercriminals trick users into exposing sensitive data and granting access to their wallets, leading to cryptocurrency theft and financial loss. The stolen user data can also be reused in follow-on attacks such as fraud and identity theft.

Crocodilus Malware Spread to Global Android Users

Source: https://www.bleepingcomputer.com/news/security/android-malware-crocodilus-adds-fake-contacts-to-spoof-trusted-callers/

What we know: The latest version of the Crocodilus Android malware adds fake contacts to victims’ devices, allowing threat actors to impersonate trusted entities during calls.

Context: Originally observed in Turkey, the malware now targets Android users globally with enhanced evasion techniques and expanded social engineering capabilities.

Analyst note: The threat actors behind the Crocodilus malware campaign are likely targeting Android users globally to steal sensitive data, gain remote control of infected devices, and conduct financial fraud on a larger scale.

Decade-Old Roundcube Webmail Vulnerability Enables Remote Code Execution

Source: https://thehackernews.com/2025/06/critical-10-year-old-roundcube-webmail.html

What we know: A critical vulnerability (CVE-2025-49113) in Roundcube Webmail, which went unnoticed for nearly a decade, enables authenticated users to execute arbitrary code on the server.

Context: The vulnerability affects Roundcube versions before 1.5.10 and 1.6.x versions before 1.6.11. A proof-of-concept (PoC) is expected to be made public soon. Earlier Roundcube Webmail vulnerabilities have been targeted by Russia-backed threat actors to steal information and user credentials from government and defense entities in Eastern Europe.

Analyst note: Because exploitation requires a valid login, threat actors are likely to use already compromised Roundcube Webmail accounts to exploit the vulnerability once the PoC is released publicly. There is a roughly even chance that exploitation results in data theft or complete account takeover.

DEEP AND DARK WEB INTELLIGENCE

DarkForums user Chuu: ZeroFox has observed untested threat actor "chuu" claiming on DarkForums to have leaked data, including email IDs and phone numbers, associated with a website managed by the Israel National Digital Agency. If the claim is true, the compromised data could enable threat actors to conduct phishing attacks targeting officials and exfiltrate sensitive information.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2025-5419: This flaw enables a remote attacker to trigger heap corruption through an out-of-bounds read and write via a maliciously crafted HTML page, likely leading to unauthorized code execution or browser crashes. Google has issued an out-of-band update to fix the issue.

Affected products: Google Chrome prior to 137.0.7151.68
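The affected-version ranges quoted for CVE-2025-49113 (Roundcube before 1.5.10, and 1.6.x before 1.6.11) and CVE-2025-5419 (Chrome before 137.0.7151.68) are the only facts a defender needs to triage an asset inventory, but the Roundcube range is branch-specific, so a naive "is it older than 1.6.11" comparison gets 1.5.x wrong. The following is an added example, not ZeroFox's or the vendors' own tooling, that turns both ranges into a check over a constructed inventory; the version strings, hostnames and product labels are assumptions for illustration.

```python
"""Affected-version checks for the two advisories in this brief.

Added example, not ZeroFox's or the vendors' own code. The thresholds come
from the brief itself: Roundcube Webmail is affected before 1.5.10 and in
1.6.x before 1.6.11 (CVE-2025-49113); Google Chrome is affected before
137.0.7151.68 (CVE-2025-5419). The inventory below is constructed sample data.
"""
import re
from typing import Callable, Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Extract the first dotted run of integers as a tuple.

    Accepts bare versions ('1.6.10', '137.0.7151.68') as well as product
    banners such as 'Roundcube Webmail 1.4.15'. Trailing tags (e.g. '-rc1')
    are ignored; the assumption is that they do not change the branch or
    patch level for the purposes of this check.
    """
    match = re.search(r"\d+(?:\.\d+)+", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def _pad(version: Version, width: int) -> Version:
    """Right-pad with zeros so '1.6' compares like '1.6.0'."""
    return version + (0,) * (width - len(version))


def roundcube_affected(version: str) -> bool:
    """CVE-2025-49113: fixed in 1.5.10 (1.5 branch) and 1.6.11 (1.6 branch)."""
    v = _pad(parse_version(version), 3)
    if v[:2] == (1, 6):
        return v < (1, 6, 11)
    # Anything not on the 1.6 branch: affected if older than 1.5.10. This also
    # flags unsupported 1.4.x and earlier installs, which fall in that range.
    return v < (1, 5, 10)


def chrome_affected(version: str) -> bool:
    """CVE-2025-5419: fixed in 137.0.7151.68."""
    return _pad(parse_version(version), 4) < (137, 0, 7151, 68)


# Product label -> (CVE, predicate). Labels are an assumption of this example.
CHECKS: Dict[str, Tuple[str, Callable[[str], bool]]] = {
    "roundcube": ("CVE-2025-49113", roundcube_affected),
    "chrome": ("CVE-2025-5419", chrome_affected),
}

# Constructed sample inventory: (hostname, product, version as reported).
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("mail-01", "roundcube", "1.6.10"),
    ("mail-02", "roundcube", "1.6.11"),
    ("mail-03", "roundcube", "1.5.9"),
    ("mail-04", "roundcube", "Roundcube Webmail 1.4.15"),
    ("ws-101", "chrome", "137.0.7151.55"),
    ("ws-102", "chrome", "137.0.7151.68"),
    ("ws-103", "chrome", "136.0.7103.114"),
]


def find_exposed(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, cve, version) for each entry inside an affected range."""
    findings = []
    for host, product, version in inventory:
        check = CHECKS.get(product)
        if check is None:
            continue  # product not covered by this brief
        cve, is_affected = check
        if is_affected(version):
            findings.append((host, cve, version))
    return findings


if __name__ == "__main__":
    for host, cve, version in find_exposed(SAMPLE_INVENTORY):
        print(f"{host}: exposed to {cve} (running {version})")
```

Running the block lists mail-01, mail-03, mail-04, ws-101 and ws-103; the two hosts already on the fixed builds (1.6.11 and 137.0.7151.68) are not reported. Replace `SAMPLE_INVENTORY` with output from your own asset inventory or version-banner scan.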

Tags: DIB, TLP:GREEN