ZeroFox Weekly Intelligence Brief – July 5, 2025
by Alpha Team

ZeroFox’s Weekly Intelligence Briefing highlights the major developments and trends across the threat landscape, including digital, cyber, and physical threats. ZeroFox Intelligence is derived from a variety of sources, including—but not limited to—curated open-source accesses, vetted social media, proprietary data sources, and direct access to threat actors and groups through covert communication channels. Information relied upon to complete any report cannot always be independently verified. As such, ZeroFox applies rigorous analytic standards and tradecraft in accordance with best practices and includes caveat language and source citations to clearly identify the veracity of our Intelligence reporting and substantiate our assessments and recommendations. All sources used in this particular Intelligence product were identified prior to 6:00 AM (EDT) on July 3, 2025; per cyber hygiene best practices, caution is advised when clicking on any third-party links.
BreachForums Is Back—Or Is It?
What we know:
- A new domain, breachforums[.]info, has gone live following a prior announcement by threat actor "Jaw"—likely the former admin of RaidForums—about relaunching BreachForums.
- The site mirrors the original BreachForums user interface, indicating an intentional recreation of its familiar environment.
- A public post by threat actor Jaw outlines staff recruitment criteria, including at least six months of prior forum registration, a minimum six-month commitment, and daily availability of around three hours for moderation duties.
- ZeroFox observed several other domains emerging; these domains use variations of the “BreachForums” name, likely to attract user attention or imitate the original brand. Among these are breached[.]ws (owned by threat actor "Hasan") and breached[.]live (owned by threat actor "MrNobody").
Law Enforcement Disrupts Illicit North-Korean IT Worker Scheme
What we know:
- The U.S. Department of Justice has disrupted North Korea’s IT worker scheme, issuing two indictments. One arrest was made after raids on 29 suspected laptop farms across 16 states, and 29 financial accounts and 21 fraudulent websites were seized.
United States Warns Critical Infrastructure Entities to Remain Vigilant of Iran-Linked Cyber Actors
What we know:
- The U.S. government has alerted critical national infrastructure (CNI) entities in the country—especially Defense Industrial Base (DIB) companies with links to Israel—to cyberattacks by Iran-affiliated cyber actors amid the current geopolitical tensions.
Tags: tlp:green