ZeroFox Daily Intelligence Brief - June 6, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- ZeroFox Intelligence Flash Report - BreachForums and Notorious Actors Announce Re-Emergence
- FBI Warns of China-Linked BADBOX 2.0 Botnet Targeting Home Smart Devices
- UK Lost Over USD 63 Million from Tax Office to Organized Cybercrime
ZeroFox Intelligence Flash Report - BreachForums and Notorious Actors Announce Re-Emergence
Source: https://www.zerofox.com/advisories/33689/
What we know: On June 3, 2025, an actor using the alias “darked321” posted in DarkForums claiming its counterpart, BreachForums, has been relaunched.
Context: Darked321 shared a post from “ShinyHunters” explaining the status of the original BreachForums domain and future plans. According to Darked321, BreachForums is now accessible via one clearnet and one onion domain.
Analyst note: Given the presence of ShinyHunters and IntelBroker, breach-forums[.]st is likely a relaunch effort by actors with access to infrastructure from the original domain. It is very likely the site will regain traction and restore functionality, though many users are likely to continue operating on peer domain DarkForums, where many actors migrated after BreachForums' disruption.
FBI Warns of China-Linked BADBOX 2.0 Botnet Targeting Home Smart Devices
Source: https://www.ic3.gov/PSA/2025/PSA250605
What we know: The U.S. Federal Bureau of Investigation (FBI) is warning the public about cybercriminals targeting electronic gadgets connected to home networks to make them part of the BADBOX 2.0 botnet, which is used for malicious activity.
Context: The BADBOX 2.0 campaign has already infected over a million devices such as digital projectors, TV streaming devices, and other smart products at home. Devices may be infected even before purchase, especially those manufactured in China, or they could be compromised using malicious downloads.
Analyst note: Infected devices are likely to become proxies used by hacktivists, nation-state actors including foreign militaries, or other malicious actors to carry out cyberattacks. Botnet activity may be indicated by disabled Google Play Protect settings, suspicious internet traffic, unknown app stores, and other unexplained indicators.
UK Lost Over USD 63 Million from Tax Office to Organized Cybercrime
What we know: Cybercriminals used phishing tactics and identity theft to steal nearly USD 63.76 million from the United Kingdom’s tax coffers in 2024, His Majesty's Revenue and Customs (HMRC) revealed in a notice.
Context: HMRC said that it was a case of organized crime, where more than 100,000 customer accounts were compromised to falsely claim payments from the government. Affected customers were informed and their accounts were locked down. The tax office clarified that no money was stolen from taxpayers and that they need not take action.
Analyst note: Cybercriminals are very likely to use information from leaked datasets, especially those containing government identity numbers, to carry out such attacks.
DEEP AND DARK WEB INTELLIGENCE
Exploit user r4cket3er: Negative-reputation threat actor "r4cket3er" has advertised, on Exploit, a method of SQL injection and cross-site scripting (XSS) attacks bypassing a certain security protocol. This could enable threat actors to conduct data theft, account compromise, and website defacement via SQL injection.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-5712: This SQL injection vulnerability affects the “/appointment.php” file via the “patient” parameter. The attack can be launched remotely, with proof of concept publicly disclosed. This flaw could enable unauthorized access and lead to malware deployment and data breaches—with a public proof of concept increasing the risk of exploitation.
Affected products: SourceCodester Open Source Clinic Management System, version 1.0
Tags: DIB, tlp:green