ZeroFox Daily Intelligence Brief - July 8, 2025

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Alleged Silk Typhoon Member Arrested
  • SatanLock Ransomware to Shutter Operations, Leak All Stolen Data Soon
  • TAG-140 Targets Indian Government with Advanced Malware Campaign

Alleged Silk Typhoon Member Arrested

Source: https://www.bleepingcomputer.com/news/security/alleged-chinese-hacker-tied-to-silk-typhoon-arrested-for-cyberespionage/

What we know: An individual allegedly linked to Silk Typhoon, a cybercriminal group, has been arrested in Italy and is awaiting extradition to the United States. U.S. authorities have also requested the seizure of their documents and devices.

Context: Silk Typhoon, also known as Hafnium, is a Chinese state-sponsored cyberespionage group known for targeting global healthcare, government, and technology sectors, including attempts to steal COVID-19 vaccine research.

Analyst note: With the seizure of documents and devices, this individual likely has key information about other members of the group and other operational details like future plans and attack strategies. Their arrest is likely to lead U.S. law enforcement to other cybercriminals and valuable intelligence associated with the group.

SatanLock Ransomware to Shutter Operations, Leak All Stolen Data Soon

Source: https://hackread.com/satanlock-ransomware-ends-operations-stolen-data-leak/

What we know: The SatanLock ransomware group has announced that it is shutting down operations but will be leaking all stolen data soon. The group had formed only months earlier, in April 2025, and quickly gained notoriety by claiming 67 victims on its dark web leak site.

Context: The ransomware group’s activity reportedly indicated either collaboration with another group or the claiming of old breaches as its own. The SatanLock development comes just days after the Hunters International ransomware group announced its exit. However, in Hunters International’s case, reports suggest a rebranding move to World Leaks.

Analyst note: Affiliates of SatanLock ransomware are likely to join other groups. There’s a roughly even chance that SatanLock rebrands as a new group, with or without announcement.

TAG-140 Targets Indian Government with Advanced Malware Campaign

Source: https://thehackernews.com/2025/07/tag-140-deploys-drat-v2-rat-targeting.html

What we know: A hacking group, TAG-140, has targeted Indian government entities using a modified remote access trojan, DRAT V2. The group delivered the malware through a fake press release portal mimicking the Ministry of Defence, compromising popular operating systems.

Context: TAG-140 reportedly has ties beyond Pakistan and has been active since at least 2019. The group has expanded its focus from military and academic institutions to critical infrastructure sectors, such as railways, oil and gas, and external affairs ministries.

Analyst note: The use of adaptive malware and deceptive delivery tactics could enable attackers to infiltrate government systems, steal sensitive data, and disrupt operations, while obscuring detection and increasing the risk of long-term compromise.

DEEP AND DARK WEB INTELLIGENCE

Batavia spyware campaign targets Russian orgs: An ongoing phishing campaign has been targeting Russian industrial firms and delivering a previously unknown spyware, Batavia. This multi-stage malware has been observed stealing sensitive internal documents and system data. The compromise of such data could have operational and strategic implications, potentially exposing proprietary technologies, disrupting industrial processes, and enabling follow-on attacks such as espionage or ransomware.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2019-9621: This is a Server-Side Request Forgery (SSRF) vulnerability in Synacor Zimbra Collaboration Suite (ZCS). CISA has added it to its Known Exploited Vulnerabilities (KEV) catalog. Russian state-backed hackers are known to exploit ZCS vulnerabilities for cyberespionage. Ransomware groups and state-backed hackers are likely to exploit this vulnerability to steal sensitive information.

Affected products: The affected products are listed in this advisory.

Tags: DIB, TLP:GREEN