
ZeroFox Daily Intelligence Brief - July 10, 2025

by Alpha Team



ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • FBI San Antonio Issues Warning About Disaster Related Fraud Schemes
  • U.S. Sanctions North Korea-Linked Hacker in IT Worker Scam
  • European Government Entity Spear Phished

FBI San Antonio Issues Warning About Disaster Related Fraud Schemes

Source: https://www.fbi.gov/contact-us/field-offices/sanantonio/news/fbi-san-antonio-issues-warning-about-disaster-related-fraud-schemes

What we know: FBI San Antonio has issued a public warning about rising disaster-related fraud schemes following the July 4 floods in Texas Hill Country.

Context: Natural disasters create opportunities for fraudsters to carry out scams, such as fake donation drives, impersonating government agencies, or offering fraudulent repair services—targeting both survivors and contributors. In 2024, such scams led to USD 96 million in reported losses according to the FBI’s Internet Crime Complaint Center (IC3).

Analyst note: Scammers are likely to take advantage of the panic and anxiety surrounding the floods by posing as charities and aid organizations to mislead victims and donors. Falling for these scams can lead to financial loss and the compromise of personal or sensitive information.

U.S. Sanctions North Korea-Linked Hacker in IT Worker Scam

Source: https://www.bleepingcomputer.com/news/legal/treasury-sanctions-north-korean-over-it-worker-malware-scheme/

What we know: The United States has sanctioned a member of the North Korean hacking group, Andariel (linked to Pyongyang’s Reconnaissance General Bureau), for providing fake and stolen identities to facilitate the IT worker scam targeting U.S. companies.

Context: North Korean workers, and contract workers based in China and Russia, were provided with false identities by Andariel to gain remote employment at U.S. companies and generate revenue for the Pyongyang regime. In certain cases, the workers introduced malware into company networks for further exploitation.

Analyst note: The impact of the U.S. sanctions very likely depends on their enforcement in countries like China and Russia. However, the sanctions will help U.S. companies—especially those operating in China—screen applicants more effectively by providing an official record of North Korea-linked actors.

European Government Entity Spear Phished

Source: https://thehackernews.com/2025/07/donot-apt-expands-operations-targets.html

What we know: The suspected India-linked advanced persistent threat (APT) group DoNot Team has targeted a European foreign affairs ministry with spear-phishing emails that deploy the LoptikMod remote access trojan (RAT).

Context: These malicious emails were linked to an archive containing a fake PDF file that deployed the LoptikMod RAT, which was designed to establish persistence, conduct reconnaissance, execute commands, and exfiltrate data.

Analyst note: The threat actors are likely using the phishing emails to deploy the RAT, establish persistence, conduct reconnaissance, execute commands, and exfiltrate data, with the aim of gaining access to internal communications and policy documents.

DEEP AND DARK WEB INTELLIGENCE

McDonald’s bot breach via weak password: Basic security flaws in McDonald’s recruiting platform, which features an AI chatbot, have threatened the security of databases containing up to 64 million applicant records with personal details. Moreover, weak passwords also enabled unauthorized access to sensitive chat data shared by applicants through the Paradox.ai platform, which could lead to data misuse, including phishing attempts, identity theft, or fraud.

VULNERABILITY AND EXPLOIT INTELLIGENCE

Ruckus unpatched vulnerabilities: At least nine vulnerabilities in Ruckus Wireless management products, ranging from unauthenticated remote code execution (RCE) to hardcoded passwords, remain unpatched. The bugs enable attackers to fully compromise a network and are likely to be used in ransomware attacks, leading to data theft and operational disruptions.

Affected products: Ruckus Wireless Virtual SmartZone (vSZ) and Ruckus Network Director (RND)

CVE-2025-3648: This vulnerability in the ServiceNow Now Platform enables threat actors to access data through range queries when access control lists (ACLs) are misconfigured. ServiceNow has released fixes. If this vulnerability is left unpatched, attackers could gather sensitive company and client data to leverage it in targeted phishing and other social engineering attacks.

Affected products: ServiceNow Platform Aspen

Tags: DIB, tlp:green