Advisories

ZeroFox Daily Intelligence Brief - June 17, 2025

by Alpha Team



ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Law Enforcement Takes Down Long-Standing Dark Web Market
  • U.S. Insurance Firms Reportedly Being Targeted by Scattered Spider Ransomware Group
  • Personal Data of Millions Compromised in Zoomcar Data Breach

Law Enforcement Takes Down Long-Standing Dark Web Market

Source: https://www.europol.europa.eu/media-press/newsroom/news/europe-wide-takedown-hits-longest-standing-dark-web-drug-market

What we know: European authorities dismantled Archetyp Market, a major dark web marketplace. The platform’s infrastructure was taken offline, its administrator arrested, and assets worth EUR 7.8 million (approximately USD 9 million) seized.

Context: Archetyp Market was an illicit forum with over 600,000 users, facilitating anonymous global trade in substances like fentanyl and generating over EUR 250 million (approximately USD 288 million) in transactions.

Analyst note: Following the takedown of Archetyp Market, authorities will likely analyze seized data to identify and pursue other key actors—such as top vendors, buyers, and affiliated networks. This could lead to further arrests, asset seizures, and potential intelligence-sharing with international partners to dismantle related drug trafficking operations.

U.S. Insurance Firms Reportedly Being Targeted by Scattered Spider Ransomware Group

Source: https://www.theregister.com/2025/06/16/scattered_spider_targets_insurance_firms/

What we know: The Scattered Spider ransomware group is suspected to be targeting U.S. insurance firms after alleged attacks against American and British retailers, including Marks and Spencer (M&S).

Context: U.S.-based auto insurer Erie Insurance and Philadelphia Insurance Companies are among the insurance companies that have recently reported cyber incidents. Although these incidents bear some hallmarks of Scattered Spider activity, the group’s involvement is not yet confirmed.

Analyst note: Threat actors pretending to be customers are likely to engage in fake help-desk calls to infect target systems, a tactic Scattered Spider reportedly used in retail sector attacks. DragonForce ransomware, which was used in the retail sector attacks, is likely to be deployed, leading to data encryption, operational disruptions, and double extortion attempts.

Personal Data of Millions Compromised in Zoomcar Data Breach

Source: https://www.bleepingcomputer.com/news/security/zoomcar-discloses-security-breach-impacting-84-million-users/

What we know: Indian car-sharing platform Zoomcar has disclosed a data breach affecting 8.4 million users. The breach, which occurred due to unauthorized access to systems, was discovered when a threat actor alerted employees of a cyberattack.

Context: The exposed data includes personal details, such as names, phone numbers, addresses, and car registration numbers. Financial information and passwords were reportedly not compromised.

Analyst note: Threat actors are likely to exploit the exposed personal details for phishing, identity theft, social engineering, SIM swapping, or unauthorized access to online accounts. At the time of writing, no ransomware group has yet claimed the attack.

DEEP AND DARK WEB INTELLIGENCE

Handala Hack Team targets TV Network: On June 16, 2025, hacktivist group Handala Hack Team claimed to have “infiltrated and compromised” the systems of U.S.-based television network Trinity Broadcasting Network’s (TBN) Israeli unit. The cyberattack, if true, is unlikely to have a major impact on the sector or geopolitics as TBN Israel is not a major or significantly influential media network. Meanwhile, increased hacktivist activity is likely to be observed as conflict between Iran and Israel escalates.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2025-5943: This is an out-of-bounds write vulnerability in MicroDicom DICOM Viewer that enables remote code execution if a user opens a malicious file or webpage. This bug has been patched in version 2025.3. If the patch is not applied, this vulnerability could enable threat actors to execute code for full account or device takeover.

Affected products: MicroDicom DICOM Viewer from 0 through 2025.2 (Build 8154)
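The advisory describes the bug class (an out-of-bounds write triggered by a crafted file) but not the defect itself, so the following C program is an added, generic illustration and is not code from ZeroFox or from MicroDicom. It parses one explicit-VR little-endian DICOM data element into a fixed-size buffer and shows the two checks a file parser needs before copying a length-prefixed value: the length must not exceed the remaining input (otherwise an out-of-bounds read) and must not exceed the destination (otherwise an out-of-bounds write). The element layout follows the DICOM explicit-VR encoding; `VALUE_MAX`, the `parse_status` values and the sample byte strings are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Fixed-size destination for one element's value (constructed size). A parser
 * that copies `length` bytes here without checking `length` is exactly the
 * pattern behind file-driven out-of-bounds writes. */
#define VALUE_MAX 64

typedef struct {
    uint16_t group;
    uint16_t element;
    char     vr[3];
    uint32_t length;
    uint8_t  value[VALUE_MAX];
} dicom_element;

typedef enum { PARSE_OK = 0, PARSE_TRUNCATED, PARSE_TOO_LARGE, PARSE_UNDEFINED_LEN } parse_status;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* VRs whose explicit-VR encoding uses 2 reserved bytes plus a 4-byte length. */
static int vr_has_long_length(const char *vr) {
    static const char *long_vrs[] = { "OB", "OW", "OF", "SQ", "UT", "UN" };
    for (size_t i = 0; i < sizeof long_vrs / sizeof long_vrs[0]; i++)
        if (memcmp(vr, long_vrs[i], 2) == 0) return 1;
    return 0;
}

/* Parse one element at buf[0]. On PARSE_OK, *consumed holds the bytes used.
 * Every length read from the file is validated before any copy. */
parse_status parse_dicom_element(const uint8_t *buf, size_t buf_len,
                                 dicom_element *out, size_t *consumed)
{
    if (buf_len < 6) return PARSE_TRUNCATED;          /* tag (4) + VR (2) */
    out->group   = rd16(buf);
    out->element = rd16(buf + 2);
    memcpy(out->vr, buf + 4, 2);
    out->vr[2] = '\0';
    size_t pos = 6;

    if (vr_has_long_length(out->vr)) {
        if (buf_len - pos < 6) return PARSE_TRUNCATED;
        out->length = rd32(buf + pos + 2);            /* skip 2 reserved bytes */
        pos += 6;
    } else {
        if (buf_len - pos < 2) return PARSE_TRUNCATED;
        out->length = rd16(buf + pos);
        pos += 2;
    }
    if (out->length == 0xFFFFFFFFu) return PARSE_UNDEFINED_LEN; /* sequence; not handled here */

    /* Check 1: the file really contains `length` more bytes (prevents OOB read). */
    if (out->length > buf_len - pos) return PARSE_TRUNCATED;
    /* Check 2: the value fits the destination (prevents OOB write). */
    if (out->length > VALUE_MAX) return PARSE_TOO_LARGE;

    memcpy(out->value, buf + pos, out->length);
    *consumed = pos + out->length;
    return PARSE_OK;
}

/* Constructed sample inputs. */
static const uint8_t SAMPLE_BENIGN[] = {            /* (0010,0010) PN len=8 "DOE^JOHN" */
    0x10, 0x00, 0x10, 0x00, 'P', 'N', 0x08, 0x00,
    'D', 'O', 'E', '^', 'J', 'O', 'H', 'N'
};
static const uint8_t SAMPLE_HUGE_LENGTH[] = {       /* (7FE0,0010) OB len=0x7FFFFFFF, 4 bytes follow */
    0xE0, 0x7F, 0x10, 0x00, 'O', 'B', 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0x7F,
    0x41, 0x41, 0x41, 0x41
};
static uint8_t sample_oversized[12 + 100];          /* OB len=100: present in file, but > VALUE_MAX */

static parse_status status_of(const uint8_t *buf, size_t len) {
    dicom_element e; size_t n = 0;
    return parse_dicom_element(buf, len, &e, &n);
}

parse_status status_of_benign(void)      { return status_of(SAMPLE_BENIGN, sizeof SAMPLE_BENIGN); }
parse_status status_of_huge_length(void) { return status_of(SAMPLE_HUGE_LENGTH, sizeof SAMPLE_HUGE_LENGTH); }
parse_status status_of_oversized(void) {
    static const uint8_t hdr[] = { 0xE0, 0x7F, 0x10, 0x00, 'O', 'B', 0x00, 0x00, 100, 0, 0, 0 };
    memcpy(sample_oversized, hdr, sizeof hdr);
    memset(sample_oversized + sizeof hdr, 0x41, 100);
    return status_of(sample_oversized, sizeof sample_oversized);
}
/* Returns 1 when the benign sample parses to the expected value. */
int benign_value_matches(void) {
    dicom_element e; size_t n = 0;
    if (parse_dicom_element(SAMPLE_BENIGN, sizeof SAMPLE_BENIGN, &e, &n) != PARSE_OK) return 0;
    return e.length == 8 && n == 16 && memcmp(e.value, "DOE^JOHN", 8) == 0;
}

int main(void) {
    printf("benign=%d huge=%d oversized=%d value_ok=%d\n",
           status_of_benign(), status_of_huge_length(), status_of_oversized(), benign_value_matches());
    return 0;
}
```

The two rejected samples differ in which check stops them: the huge length fails the remaining-input check, while the 100-byte value is fully present in the file and is stopped only by the destination-size check. A parser that performs only the first check still writes past `value` on the second input, which is why both comparisons are needed.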

Tags: DIB, tlp:green