ZeroFox Daily Intelligence Brief - July 3, 2025

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Verizon and T-Mobile Deny U.S. Customer Data Breach
  • Phishing Infrastructure Simplified Through Generative AI Tool
  • North Korea Actors Wield New Malware Strain

Verizon and T-Mobile Deny U.S. Customer Data Breach

Source: https://hackread.com/verizon-t-mobile-deny-data-breaches-user-records-sold/

What we know: Major telecom networks in the United States, Verizon and T-Mobile, have reportedly dismissed claims of data breaches affecting U.S. customers. Verizon said the data is recycled from old breaches, while T-Mobile said the data does not relate to them.

Context: Threat actor “G_mic” is selling 3.1 GB of data on nearly 61 million Verizon customers for USD 600 and data on 55 million T-Mobile customers for USD 400. The datasets reportedly contain personally identifiable information (PII) on the customers.

Analyst note: The threat actor is likely advertising data from old breaches or scraped data. The threat actor is likely using the dark web post to gain reputation in cybercriminal networks.

Phishing Infrastructure Simplified Through Generative AI Tool

Source: https://thehackernews.com/2025/07/vercels-v0-ai-tool-weaponized-by.html

What we know: Threat actors have been exploiting v0—a generative AI tool—to rapidly create realistic phishing pages, including replicas of known brand login portals.

Context: Unlike traditional phishing kits, which require technical skill, hosting setup, and manual customization, v0 and its clones let threat actors generate malicious login pages instantly from natural language prompts.

Analyst note: Threat actors are likely to deploy phishing pages generated through v0 to harvest valid credentials and reuse them across accounts. These credentials could give threat actors unauthorized access to multiple systems and accounts, providing initial access and a foothold for persistence on victims' networks.

North Korea Actors Wield New Malware Strain

Source: https://www.bleepingcomputer.com/news/security/nimdoor-crypto-theft-macos-malware-revives-itself-when-killed/

What we know: North Korea-linked threat actors are deploying a sophisticated new malware family called NimDoor to target web3 and crypto firms, using fake updates to lure victims.

Context: This malware strain uses advanced techniques like signal-based persistence and modular payloads to maintain access, steal data, and execute commands on victim networks.

Analyst note: These threat actors are likely deploying NimDoor to steal sensitive credentials, communications, and system data from crypto firms to support North Korea’s espionage and financial agendas. Stolen data and other resources could be used for future intrusions, asset theft, and targeting individuals and other companies for strategic gain.

DEEP AND DARK WEB INTELLIGENCE

Trading Market user 1881854: Threat actor "1881854" has advertised data associated with the Indian division of American Express on the Chinese-language dark web market "交易市场 (Trading Market)." The data allegedly contains information on approximately 650,000 premium credit card holders. If the data is legitimate, exposed individuals are likely to be targeted in financially motivated phishing, social engineering, and impersonation attacks.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2025-48927 and CVE-2025-48928: CISA has warned that these two vulnerabilities in the TeleMessage messaging and archiving platform (a clone of the Signal app) are being actively exploited. An initialization-of-a-resource-with-an-insecure-default vulnerability and an unauthorized-control-sphere vulnerability together enable attackers to download memory data dumps and locally access passwords sent over HTTP. The bugs are very likely being exploited by threat actors to access sensitive information from high-value targets, such as politicians and government officials.

Affected products: TeleMessage versions from 0 through 2025-05-05

CVE-2025-6554: This recently patched zero-day vulnerability in the Google Chrome browser is under active exploitation. It is a V8 type confusion vulnerability that could enable attackers to execute arbitrary code. Threat actors are likely to use the bug to install spyware, monitor browser activity, or steal credentials stored in the browser. Successful compromise is likely to lead to financial losses, identity theft, or complete takeover of accounts.

Affected products: Google Chrome versions prior to 138.0.7204.96
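The practical question a defender has after reading this entry is which hosts in the fleet still run a Chrome build older than 138.0.7204.96. The script below is an added example for this brief, not ZeroFox code: it compares dotted version strings numerically (a plain string comparison would wrongly rank 138.0.7204.100 below 138.0.7204.96) and buckets hosts as vulnerable, patched, or unknown. The fixed version comes from the brief; the hostnames and versions in the sample inventory are constructed.

```python
"""Check a Chrome version inventory against the fix for CVE-2025-6554.

Added example for this brief, not ZeroFox code. The fixed build
(138.0.7204.96) is taken from the brief; the inventory records below are
constructed sample data, not real hosts.
"""
from __future__ import annotations

FIXED_VERSION = "138.0.7204.96"  # first patched build, per the brief


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a dotted Chrome version into a tuple of ints.

    Numeric tuples compare correctly; comparing the raw strings does not
    ("138.0.7204.100" < "138.0.7204.96" as strings, which is wrong).
    Raises ValueError for anything that is not dotted digits.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is older than the fixed build."""
    return parse_version(version) < parse_version(fixed)


def triage(inventory: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Split hosts into 'vulnerable', 'patched', and 'unknown' buckets.

    Hosts whose version cannot be parsed go to 'unknown' rather than being
    silently treated as patched, so they still show up for follow-up.
    """
    result: dict[str, list[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version in inventory:
        try:
            bucket = "vulnerable" if is_vulnerable(version) else "patched"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("wks-001", "137.0.7151.119"),   # older major release: vulnerable
    ("wks-002", "138.0.7204.95"),    # one build short of the fix
    ("wks-003", "138.0.7204.96"),    # exactly the fixed build
    ("wks-004", "138.0.7204.100"),   # newer; a string compare would misjudge it
    ("wks-005", "unknown"),          # agent failed to report a version
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Feed it the (hostname, version) pairs your endpoint agent or MDM exports; anything in the unknown bucket deserves a manual look rather than being assumed safe.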

Tags: DIB, TLP:GREEN