ZeroFox Daily Intelligence Brief - June 25, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Chinese State Hackers Suspected to be Behind Espionage Infrastructure “LapDogs”
- New Guidance Released for Reducing Memory-Related Vulnerabilities
- Geopolitical Focus: Israel-Iran Conflict and other Global Events
Chinese State Hackers Suspected to be Behind Espionage Infrastructure “LapDogs”
Source: https://www.securityweek.com/chinese-apt-hacking-routers-to-build-espionage-infrastructure/
What we know: Suspected Chinese state-sponsored hackers have built a network of operational relay boxes (ORBs), a botnet-like mesh of compromised devices, across several targeted countries and territories, reportedly for cyber espionage. Targets include the United States, Taiwan, Japan, Hong Kong, and South Korea.
Context: The infrastructure-building campaign has been dubbed “LapDogs” and is thought to have begun in September 2023. So far, more than 1,000 Linux-based small office/home office (SOHO) devices have been compromised, belonging to organizations in the media, IT, networking, and real estate sectors.
Analyst note: The campaign is very likely building a botnet-like relay network to obscure the origin of malicious activity, such as anonymized browsing and command-and-control (C2) traffic supporting larger intrusions. Because the relays sit on legitimate residential and small-business IP space, IP-reputation blocking alone is unlikely to be effective against traffic routed through them. The compromised devices are also likely to be used as a foothold for further access into the internal networks of targeted organizations.
New Guidance Released for Reducing Memory-Related Vulnerabilities
What we know: The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have released a joint guide highlighting the importance of adopting memory safe languages (MSLs) to improve software security and reduce the risk of security incidents.
Context: Memory safety vulnerabilities (for example buffer overflows, out-of-bounds reads, and use-after-free bugs) pose serious risks to national security and critical infrastructure. Adopting MSLs offers the most comprehensive mitigation against this class of bugs, because the language itself enforces bounds and lifetime checks rather than relying on each developer to get them right.
Analyst note: Threat actors are likely to exploit unaddressed memory safety vulnerabilities to gain unauthorized access, disrupt critical operations, and compromise sensitive data. The guide addresses key challenges in adopting memory-safe languages and offers recommendations to help secure critical infrastructure systems.
Geopolitical Focus: Israel-Iran Conflict and other Global Events
- The ceasefire between Israel and Iran appears to be holding: emergency restrictions were lifted, and Iran declared the end of the 12-day war. ZeroFox assesses it is likely that hostilities will resume within the coming weeks. Read this ZeroFox report for further details on the ongoing conflict.
- A major heatwave is intensifying across eastern North America, affecting over 160 million people and prompting widespread health alerts due to extreme temperatures and high humidity.
- The UK government has warned that Britain must prepare for potential attacks on its own soil, citing growing threats from Russia and Iran in its latest national security strategy.
- Over 40 people were killed in a weekend attack on Al Mujlad Hospital in Sudan’s West Kordofan region. The strike, not attributed to any entity at the time of writing, caused extensive damage as fighting between the army and paramilitary forces continued.
DEEP AND DARK WEB INTELLIGENCE
Telegram user Cyber Isnaad Front: The pro-Iran threat actor group "Cyber Isnaad Front" claims to have conducted a cyberattack that disabled Israel’s internal communications systems and exfiltrated 50 TB of data. Its Telegram post claims it dismantled major components of Israel’s military, surveillance, corporate, satellite, and governmental communications. These claims are unverified; if true, stolen data from military, surveillance, and satellite systems could compromise Israeli intelligence, critical infrastructure blueprints, and other strategic assets.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-5777: Citrix has patched this vulnerability in NetScaler ADC and NetScaler Gateway. The bug is described as an out-of-bounds read caused by insufficient input validation. It is being compared to the infamous “CitrixBleed” bug (CVE-2023-4966) exploited by ransomware groups and other hackers. If left unpatched, the vulnerability is likely to enable attackers to read memory from Internet-facing devices and recover valid session tokens, leading to theft of sensitive information and data. Because the issue leaks session tokens, tokens stolen before the upgrade remain usable until those sessions are terminated, so terminating active sessions after patching is part of remediation rather than an optional step. The vulnerability is likely to become actively exploited in the coming days.
Affected products: The affected products are listed in this advisory.
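The memory-safety item above and this CVE entry describe the same bug class: an out-of-bounds read that occurs because a caller-supplied length is trusted without being checked against the real size of the field being read, so bytes that happen to sit next to it in memory (here, a session token) are returned to the caller. The following is an added example written for this brief, not Citrix code and not the CVE-2025-5777 defect itself; the memory layout, field names and the `SESSION=` token are constructed for illustration. It shows the vulnerable routine beside a bounds-checked fix.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the bug class (an out-of-bounds read caused by
 * trusting a caller-supplied length), beside a bounds-checked fix.  This is
 * not Citrix code and not the CVE-2025-5777 defect; names and layout are
 * assumptions made for the example. */

#define REQ_CAP  16   /* size of the request field */
#define MEM_SIZE 40   /* request field followed by a 24-byte session token */

/* Flat byte array standing in for process memory: bytes [0, REQ_CAP) hold the
 * request field, bytes [REQ_CAP, MEM_SIZE) hold a session token that happens
 * to be adjacent in memory. */
typedef struct { unsigned char bytes[MEM_SIZE]; } memory_t;

/* Fill the simulated memory with a short request and a constructed token. */
void memory_init(memory_t *m) {
    memset(m->bytes, 0, sizeof m->bytes);
    memcpy(m->bytes, "GET /login", 10);
    memcpy(m->bytes + REQ_CAP, "SESSION=deadbeefcafe1234", 24);
}

/* Real length of the request field (up to its NUL, capped at REQ_CAP). */
static size_t request_len(const memory_t *m) {
    size_t n = 0;
    while (n < REQ_CAP && m->bytes[n] != 0) n++;
    return n;
}

/* Vulnerable echo: copies claimed_len bytes starting at the request field but
 * only checks the length against the whole allocation, not the field.  Any
 * claimed_len > REQ_CAP returns bytes of the adjacent session token. */
size_t echo_vulnerable(const memory_t *m, size_t claimed_len, unsigned char *out) {
    if (claimed_len > MEM_SIZE) claimed_len = MEM_SIZE;  /* avoids a crash, not the leak */
    memcpy(out, m->bytes, claimed_len);
    return claimed_len;
}

/* Hardened echo: clamp claimed_len to the request field's actual length. */
size_t echo_hardened(const memory_t *m, size_t claimed_len, unsigned char *out) {
    size_t actual = request_len(m);
    if (claimed_len > actual) claimed_len = actual;
    memcpy(out, m->bytes, claimed_len);
    return claimed_len;
}

/* 1 if out[0..n) contains the token marker "SESSION=", else 0. */
int leaks_token(const unsigned char *out, size_t n) {
    const char *needle = "SESSION=";
    size_t k = strlen(needle);
    for (size_t i = 0; i + k <= n; i++)
        if (memcmp(out + i, needle, k) == 0) return 1;
    return 0;
}

/* Run one scenario end to end; hardened selects which echo routine is used. */
size_t echo_returned_len(int hardened, size_t claimed_len) {
    memory_t m; unsigned char out[MEM_SIZE];
    memory_init(&m);
    return hardened ? echo_hardened(&m, claimed_len, out)
                    : echo_vulnerable(&m, claimed_len, out);
}

int echo_leaks_token(int hardened, size_t claimed_len) {
    memory_t m; unsigned char out[MEM_SIZE];
    memory_init(&m);
    size_t n = hardened ? echo_hardened(&m, claimed_len, out)
                        : echo_vulnerable(&m, claimed_len, out);
    return leaks_token(out, n);
}

int main(void) {
    printf("vulnerable, claimed 40: %zu bytes, token leaked: %s\n",
           echo_returned_len(0, 40), echo_leaks_token(0, 40) ? "yes" : "no");
    printf("hardened,   claimed 40: %zu bytes, token leaked: %s\n",
           echo_returned_len(1, 40), echo_leaks_token(1, 40) ? "yes" : "no");
    return 0;
}
```

The vulnerable routine does check the length, but against the wrong bound (the allocation rather than the field), which is why it does not crash and why such bugs survive testing: the over-read looks like a normal, slightly long response. A memory safe language closes this gap at the language level, since indexing a slice past its end is rejected at runtime instead of returning whatever lies beyond it; that built-in check is the safeguard the CISA/NSA guide refers to.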
Tags: DIB, tlp:green