ZeroFox Daily Intelligence Brief - July 1, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- U.S. Warns Critical Infrastructure Entities to Remain Vigilant of Iran-Linked Cyber Actors
- Law Enforcement Disrupts Illicit North Korean IT Worker Scheme
- Crypto Investment Fraud Ring Dismantled in Spain After Defrauding 5,000 Victims Worldwide
U.S. Warns Critical Infrastructure Entities to Remain Vigilant of Iran-Linked Cyber Actors
What we know: The U.S. government has alerted critical national infrastructure (CNI) entities in the country, especially Defence Industrial Base (DIB) companies with links to Israel, to cyberattacks by Iran-affiliated cyber actors amid the current geopolitical tensions.
Context: Pro-Iran hacktivists and state actors have a history of using password brute-forcing, distributed denial-of-service (DDoS) attacks, ransomware attacks, and data theft against entities from the United States and allied nations.
Analyst note: Unpatched software and devices connected to the public internet are likely to be vulnerable to such attacks. Threat actors are also likely to make false claims of cyberattacks for psychological operations. ZeroFox has assessed that offensive cyber activities are very likely to continue in the Iran-Israel-U.S. conflict, despite a military ceasefire.
Law Enforcement Disrupts Illicit North Korean IT Worker Scheme
What we know: The U.S. Justice Department has disrupted North Korea’s IT worker scheme by issuing two indictments, making one arrest, raiding 29 suspected laptop farms across 16 states, and seizing 29 financial accounts and 21 fraudulent websites.
Context: North Korean operatives, aided by foreign collaborators, have used stolen identities to fraudulently secure remote IT jobs at over 100 U.S. companies.
Analyst note: The law enforcement crackdown is likely to obstruct the funneling of millions of dollars from U.S. companies to fund North Korea’s sanctioned weapons programs, thereby reducing significant national security and economic threats.
Crypto Investment Fraud Ring Dismantled in Spain After Defrauding 5,000 Victims Worldwide
What we know: Spanish authorities have arrested five members of a global criminal network that laundered EUR 460 million (approx. USD 541 million) from over 5,000 victims worldwide through cryptocurrency investment fraud.
Context: The group allegedly operated through a complex financial web using Hong Kong-based entities and fake user accounts to move illicit funds. AI-powered tools were reportedly used to make the scams more convincing and scalable.
Analyst note: The use of AI in large-scale online fraud makes scams harder to detect and more damaging. Europol has warned that online fraud is now among the biggest security threats in the EU, with AI accelerating its reach. Authorities will likely continue tracing laundered assets and dismantling the broader network.
DEEP AND DARK WEB INTELLIGENCE
Telegram user Ghostnet-X: Threat actor group "Ghostnet-X" has claimed responsibility for leaking data associated with Israeli President Isaac Herzog on its official Telegram channel. The leaked information reportedly includes his name, address, blood type, family details, email, phone number, and more. The exposed details could pose a direct threat to President Herzog’s safety and facilitate targeted attacks, impersonation, or surveillance by hostile actors. The incident is likely linked to the Israel-Iran cyber conflict, in which both sides have increasingly targeted each other.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-52995: This vulnerability in File Browser enables users to bypass command restrictions due to a flawed allowlist implementation and has been patched in version 2.33.10. If affected devices are left unpatched, threat actors could execute unauthorized shell commands and access files, including the File Browser database.
Affected products: File Browser versions prior to 2.33.10
Tags: DIB, tlp:green