ZeroFox Daily Intelligence Brief - June 19, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Iran’s Largest Crypto Exchange Nobitex Hit by Major Cyberattack
- Phishing Attack Impersonated Government Official to Dupe UK Researcher
- Cybercriminal AI Tool “WormGPT” Variants Exploiting Grok and Mixtral for Illegal Acts
Iran’s Largest Crypto Exchange Nobitex Hit by Major Cyberattack
What we know: On June 18, 2025, hacktivist group Predatory Sparrow hacked Nobitex, Iran’s largest crypto exchange, stole over USD 90 million in crypto, and burned the funds by sending them to anti-IRGC vanity addresses. As of writing, the Nobitex website is down and displaying a 504 error message.
Context: The group also breached Iran-controlled Bank Sepah on June 17. Nobitex is reportedly linked to the IRGC and Iranian leadership. Iran also experienced a near-total internet blackout on June 18.
Analyst note: These consecutive cyberattacks signal an intensified digital offensive in the Iran-Israel conflict that targets IRGC-linked financial networks and disrupts Iran’s financial operations. Similar politically driven cyberattacks by hacktivist groups are likely to continue.
Phishing Attack Impersonated Government Official to Dupe UK Researcher
What we know: Suspected Russian cybercriminals have tricked a senior UK researcher into handing over email access by impersonating a government official in a phishing campaign.
Context: The attackers used fluent language, fake identities, and app-specific password requests to bypass traditional security protocols and gain access to emails.
Analyst note: The attackers crafted especially convincing phishing messages with strategic precision, likely heralding a more advanced form of social engineering that bypasses both technical defenses and user skepticism. This tactic could enable threat actors to exfiltrate sensitive information without detection.
Cybercriminal AI Tool “WormGPT” Variants Exploiting Grok and Mixtral for Illegal Acts
Source: https://hackread.com/wormgpt-returns-using-jailbroken-grok-mixtral-models/
What we know: New variants of WormGPT are keeping the cybercriminal generative AI tool active, even after its shutdown in 2023, by reportedly exploiting existing large language models (LLMs), including xAI’s Grok and Mistral AI’s Mixtral, to bypass their built-in safety features.
Context: WormGPT is an uncensored AI tool used for illegal acts. New variants, zin0vich-WormGPT and keanu-WormGPT, have reportedly been observed advertised on dark web forums.
Analyst note: The reemergence of malicious AI tools likely indicates that LLM security barriers are not able to keep cybercriminals out. “Jailbreak-as-a-service” (a term for threat actors offering LLM jailbreaking as a paid service) is likely to emerge to cater to this market, lowering the technical expertise required for threat actors to abuse generative AI for illegal acts.
DEEP AND DARK WEB INTELLIGENCE
Episource data breach: U.S. healthcare services company Episource has warned of a data leak following a cyberattack in January, affecting over 5 million people. Exposed data potentially includes full name, address, medical record details, email address, phone number, insurance details, date of birth, and Social Security number (SSN). Threat actors are likely to use the data to carry out phishing, social engineering, and impersonation attacks targeting the exposed individuals.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-6191 and CVE-2025-6192: Google’s Chrome 137 update fixed two memory-safety bugs: an integer overflow in the V8 JavaScript engine (CVE-2025-6191) and a use-after-free flaw in the Profiler component (CVE-2025-6192). These now-patched flaws could enable remote code execution, potentially giving attackers full control of the device and leading to data theft, malware installation, or espionage.
Affected products: Chrome 137 browser (V8 engine and Profiler components)
Tags: DIB, tlp:green