
ZeroFox Daily Intelligence Brief - July 16, 2025

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • GLOBAL GROUP RaaS Platform Integrates AI into its Negotiation Panel
  • Law Enforcement Dismantles Diskstation Ransomware Group Targeting NAS Devices
  • Pro-Ukrainian Hacktivists Target Russian Drone Supply Company

GLOBAL GROUP RaaS Platform Integrates AI into its Negotiation Panel

Source: https://thehackernews.com/2025/07/newly-emerged-global-group-raas-expands.html

What we know: A newly emerged ransomware-as-a-service (RaaS) operation named “GLOBAL GROUP” has built AI features and a mobile-friendly interface into its platform. The platform offers an AI-driven ransom negotiation panel alongside a panel for affiliates.

Context: GLOBAL GROUP, which emerged in June 2025, has been observed targeting multiple industrial sectors in the United States, Europe, Brazil, and Australia. The RaaS was promoted by a threat actor named “$$$” on the Ramp4u forum and is reportedly linked to the BlackLock and Mamona RaaS operations.

Analyst note: GLOBAL GROUP’s AI-driven ransom negotiation panel is very likely to appeal to a non-English speaking pool of threat actors, enabling the RaaS operators to attract more affiliates.

Law Enforcement Dismantles Diskstation Ransomware Group Targeting NAS Devices

Source: https://www.bleepingcomputer.com/news/security/police-disrupt-diskstation-ransomware-gang-attacking-nas-devices/

What we know: An international law enforcement effort, Operation Elicius, has dismantled a Romanian ransomware gang known as Diskstation. Since 2021 the group had been targeting Synology NAS devices, encrypting the data on them, and extorting companies across Europe.

Context: Diskstation operated under various aliases and exploited internet-exposed NAS devices used for centralized storage by businesses. The attacks caused severe system outages and halted operations for victims including media firms and NGOs.

Analyst note: The attacks likely cut victims off from critical files, disrupting daily operations and project timelines and causing financial losses for the affected businesses. Poorly secured NAS devices are very likely to remain attractive targets for ransomware groups like Diskstation. Organizations should keep NAS firmware current, disable every service the device does not need, and make the device reachable only over VPN rather than directly from the internet.
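The three controls in the analyst note (current firmware, minimal services, VPN-only reachability) can be checked mechanically against an inventory of what each NAS actually exposes. The script below is an added example written for this brief, not code from ZeroFox or from any NAS vendor; the inventory records, the VPN subnet, the firmware baseline and the allow-list of required services are constructed assumptions, and the port numbers are only illustrative.

```python
import ipaddress

# Constructed inventory (not real scan data): host, service, port,
# source CIDRs the firewall permits, firmware version reported by the device.
INVENTORY = [
    ("nas-fin-01", "DSM HTTPS", 5001, ["10.8.0.0/24"], "7.2.2-72806"),
    ("nas-fin-01", "SMB", 445, ["10.0.0.0/8"], "7.2.2-72806"),
    ("nas-media-02", "DSM HTTP", 5000, ["0.0.0.0/0"], "7.1.1-42962"),
    ("nas-media-02", "FTP", 21, ["0.0.0.0/0"], "7.1.1-42962"),
]

# Assumed policy values: the VPN client subnet, the firmware baseline the
# organisation has approved, and the only services a NAS is allowed to expose.
VPN_NETS = [ipaddress.ip_network("10.8.0.0/24")]
CURRENT_FIRMWARE = "7.2.2-72806"
REQUIRED_SERVICES = {"DSM HTTPS", "SMB"}


def version_tuple(version):
    """Turn '7.2.2-72806' into (7, 2, 2, 72806) so versions compare numerically."""
    return tuple(int(part) for part in version.replace("-", ".").split("."))


def reachable_only_from_vpn(cidrs, vpn_nets):
    """True when every permitted source range lies inside a VPN subnet."""
    return all(
        any(ipaddress.ip_network(c).subnet_of(vpn) for vpn in vpn_nets)
        for c in cidrs
    )


def audit(inventory, vpn_nets=VPN_NETS, current_fw=CURRENT_FIRMWARE,
          required=REQUIRED_SERVICES):
    """Return (host, service, port, reasons) for every record that breaks a control."""
    findings = []
    for host, service, port, cidrs, fw in inventory:
        reasons = []
        if version_tuple(fw) < version_tuple(current_fw):
            reasons.append("outdated firmware")
        if service not in required:
            reasons.append("unneeded service")
        # A /0 source range means the firewall lets the whole internet in.
        if any(ipaddress.ip_network(c).prefixlen == 0 for c in cidrs):
            reasons.append("reachable from the internet")
        elif not reachable_only_from_vpn(cidrs, vpn_nets):
            reasons.append("reachable outside VPN")
        if reasons:
            findings.append((host, service, port, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for host, service, port, reasons in audit(INVENTORY):
        print(f"{host} {service}/{port}: {', '.join(reasons)}")
```

Running it flags the SMB share on nas-fin-01 because its permitted source range (10.0.0.0/8) is wider than the VPN subnet, and flags both services on nas-media-02 on all three counts. Feeding the function a real inventory exported from the firewall and the devices' management interfaces turns the analyst note into a repeatable check.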

Pro-Ukrainian Hacktivists Target Russian Drone Supply Company

Source: https://cloud.zerofox.com/intelligence/advanced_dark_web/89527

What we know: Pro-Ukrainian hacktivist group “BO Team” claimed in a Telegram post that, in collaboration with hacktivist group “Cyber Alliance” and Ukraine’s military intelligence, it has compromised the network of a drone manufacturer allegedly supplying drones to the Russian military.

Context: BO Team claimed to have destroyed over 200 systems, wiped 47 terabytes of the company’s data, and stolen sensitive employee information, including home addresses and family details.

Analyst note: If the group’s claims are true, this likely indicates a shift in Ukraine’s years-long cyber offensive against Russia toward a coordinated counteroffensive that strategically targets the sources of Russia’s weapons capabilities in collaboration with hacktivist groups.

DEEP AND DARK WEB INTELLIGENCE

Abacus marketplace shuts down: Dark web marketplace Abacus Market has abruptly shut down its public infrastructure, raising suspicions of an exit scam or a silent law enforcement takedown. Following its shutdown, users—both buyers and vendors—are likely to migrate to other dark web marketplaces. Additionally, buyers are likely to act with greater caution by minimizing deposits and prioritizing platforms with strong reputation systems.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2025-1727: This is a weak authentication vulnerability in the remote linking protocol used by End-of-Train (EoT) and Head-of-Train (HoT) devices, which issue and receive commands on a train, including the command to apply the brakes at the rear of the train. The flaw allows threat actors to transmit specially crafted packets to EoT devices using software-defined radio. Successful exploitation is likely to enable attackers to manipulate train operations, including bringing a train to a sudden stop or inducing brake failure.

Affected products: All versions of EoT and HoT remote linking protocol

Tags: DIB, tlp:green