ZeroFox Daily Intelligence Brief - July 4, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Ransomware Group Hunters International Shuts Down, Offers Free Decryptors
- Fraudsters Target Online Shoppers with Fake Brand Pages
- 62,000 Customer Credentials of an Android Stalkerware App Exposed
Ransomware Group Hunters International Shuts Down, Offers Free Decryptors
What we know: Ransomware group Hunters International has announced its shutdown and is now offering free decryption tools to victims. All extortion-related data has been wiped from their leak site.
Context: The group launched in late 2023 and is suspected to be a rebrand of Hive ransomware. It claimed nearly 300 attacks globally, becoming one of the most active ransomware operations.
Analyst note: The release of free decryptors will likely help many companies recover without paying ransoms—reducing financial and operational damage. The shutdown likely stems from mounting law-enforcement pressure. Although the group claims to have disbanded, ransomware actors often rebrand, making it likely that core members will resurface under a new name or group.
Fraudsters Target Online Shoppers with Fake Brand Pages
Source: https://hackread.com/china-fake-marketplace-mimics-top-retail-brands-fraud/
What we know: A widespread phishing campaign has been deploying thousands of fake e-commerce sites impersonating major brands to steal data from unsuspecting online shoppers.
Context: These sites simulate real online shopping experiences—including checkout pages with logos of major payment gateways and apps—but do not process actual purchases. Instead, they are designed to capture users' credit card details or steal money by accepting payments and never delivering goods.
Analyst note: Threat actors are likely to take advantage of ongoing major sales events, such as Fourth of July sales, to phish online shoppers. Threat actors could entice shoppers with fake pages promoting too-good-to-be-true sales and deals. Online shoppers should remain cautious of suspicious URLs.
62,000 Customer Credentials of an Android Stalkerware App Exposed
Source: https://www.securityweek.com/undetectable-android-spyware-backfires-leaks-62000-user-logins/
What we know: An SQL injection vulnerability in Catwatchful, an Android stalkerware app marketed as parental-control software, has resulted in the breach of the app's full database. The database contains 62,000 plaintext emails and passwords used to access content on compromised devices.
Context: Catwatchful is marketed as an undetectable app that monitors the target's device in real time, including its microphone, cameras, and location. The majority of compromised devices were located in South American countries and India.
Analyst note: Users of the exposed devices, including children, are likely at risk of being stalked and preyed upon. Malicious actors are likely to use blackmail and other extortion attempts against exposed individuals.
DEEP AND DARK WEB INTELLIGENCE
DarkForums user erezd: Threat actor "erezd" has advertised on DarkForums administrative access to 78 servers running business management software developed by Creative Software, a company based in Israel. These servers can be accessed remotely, either via a command-line interface (CLI) or a graphical user interface (GUI). Such access could enable attackers to steal sensitive business data, disrupt operations, or deploy ransomware, potentially leading to financial losses and supply chain compromise for affected organizations.
VULNERABILITY AND EXPLOIT INTELLIGENCE
Grafana security patches: Grafana Labs has patched four critical Chromium vulnerabilities in its Grafana Image Renderer plugin and Synthetic Monitoring Agent. The vulnerabilities include two type confusion bugs, an integer overflow bug, and a use-after-free bug; together they enable remote code execution (RCE) inside the sandbox and arbitrary memory read/write, among other outcomes. If combined with a sandbox escape, the vulnerabilities would likely enable an attacker to steal credentials stored in a web browser and monitor user activity.
Affected products: Grafana Image Renderer versions prior to 3.12.9 and Synthetic Monitoring Agent versions prior to 0.38.3.
Tags: DIB, tlp:green