ZeroFox Daily Intelligence Brief - June 9, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- iMessage Flaw Likely Part of Spyware Campaign Targeting Key Figures in U.S. and Europe
- Chaos Ransomware Hits Tax Firm Optima Tax Relief
- Geopolitical Focus: Crisis, Conflict, and Climate
iMessage Flaw Likely Part of Spyware Campaign Targeting Key Figures in U.S. and Europe
Source: https://hackread.com/nickname-zero-click-imessage-exploit-figures-us-eu/
What we know: A zero-click vulnerability in Apple’s iMessage has been reportedly used to target high-value individuals in the United States and Europe, including politicians and executives of artificial intelligence (AI) companies.
Context: China is suspected to be behind the targeting. The use-after-free memory vulnerability affects the imagent process in the nickname feature of iMessage on iPhones. The flaw is also suspected to be linked to mysterious and rare iPhone crashes observed between late 2024 and early 2025.
Analyst note: The vulnerability is likely to enable attackers to access all data on compromised devices, including conversations in end-to-end encrypted messaging apps such as WhatsApp and Signal. The already-patched vulnerability is likely to be just one part of a larger exploit chain aiming to compromise Apple devices.
Chaos Ransomware Hits Tax Firm Optima Tax Relief
What we know: U.S. tax resolution firm Optima Tax Relief was hit by a ransomware attack by the Chaos group, which stole 69 GB of data. The ransomware group reportedly leaked sensitive corporate and customer files after the breach.
Context: The Chaos ransomware group, which emerged around March 2025, has reportedly carried out a double extortion attack, stealing data and encrypting systems, most likely to maximize pressure on the company to pay the ransom.
Analyst note: The stolen data includes sensitive tax documents with Social Security numbers (SSNs), addresses, and contact details, putting victims at risk of identity theft and fraud. The encryption of servers has likely disrupted ongoing case work and access to critical client information, potentially leading to missed deadlines, legal complications, and financial losses for both clients and the company.
Geopolitical Focus: Crisis, Conflict, and Climate
- Colombian senator and potential presidential candidate Miguel Uribe is in intensive care after being shot twice on June 8, allegedly by a 15-year-old in Bogotá. President Petro has vowed to use all resources to find those responsible.
- The Israeli military says it has found the body of Hamas military leader Mohammed Sinwar in a tunnel beneath the European Hospital in Khan Younis. Sinwar was reportedly killed in a May 13 airstrike that left 28 dead and dozens injured.
- Storms across the southern United States have reportedly left nearly 150,000 people without power from Texas to South Carolina and have resulted in two fatalities caused by falling trees.
DEEP AND DARK WEB INTELLIGENCE
BreachForums up for sale again: The recently launched BreachForums domain, breach-forums[.]st, has reportedly been taken offline and is now listed for sale. It is very likely that the domain was either established as a honeypot by law enforcement or created by untested threat actors impersonating known entities such as ShinyHunters—possibly in an attempt to gain prominence or sow confusion within the community.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2024-3721: Command injection vulnerabilities in the TBK DVR-4104 and DVR-4216 digital video recording devices are reportedly under active exploitation by a new variant of the Mirai malware botnet. A proof-of-concept (PoC) is publicly available, and it is unknown whether a patch is available. The flaw is used to deploy an ARM32 malware binary, which then establishes communication with the command and control (C2) server. Compromised devices are very likely to be used in distributed denial-of-service (DDoS) attacks.
Affected products: TBK DVR-4104 and DVR-4216 up to 20240412
Tags: DIB, tlp:green