ZeroFox Daily Intelligence Brief - July 17, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Global Operation Targets NoName057(16) Pro-Russian Cybercrime Network
- Air Serbia Hit by Cyberattack, Affects Internal Systems
- Taiwan Chip Industry Increasingly Targeted by China-Linked Hackers in Phishing Campaigns
Global Operation Targets NoName057(16) Pro-Russian Cybercrime Network
What we know: A joint international operation, Eastwood, has disrupted over 100 servers tied to pro-Russian hacktivist NoName057(16)’s global cybercrime infrastructure, carried out searches, and issued arrest warrants.
Context: NoName057(16) is an ideologically driven actor supporting Russia’s war against Ukraine through coordinated DDoS attacks. Backed by over 4,000 supporters and a custom-built botnet of hundreds of servers, the group floods websites to disrupt access and operations.
Analyst note: Eastwood will likely expose additional members of the group and limit further DDoS disruptions. However, NoName057(16) administrators are very likely to regroup, adapt their tactics, or migrate to new platforms and infrastructure.
Air Serbia Hit by Cyberattack, Affects Internal Systems
Source: https://www.theregister.com/2025/07/16/air_serbia_cyberattack/
What we know: An early July cyberattack compromised the internal IT infrastructure of Air Serbia, forcing the airline to delay payslip distribution. In response, the company has issued multiple password resets and other security measures to contain the breach.
Context: Since June 2025, major airlines including WestJet, Hawaiian Airlines, and Qantas have reported cyber incidents, some of which disrupted internal systems.
Analyst note: Since Air Serbia is government-owned, the cyberattack was likely carried out by a politically motivated threat actor. Threat actors could be interested in gaining long-term access to Serbian government networks through associated entities like Air Serbia.
Taiwan Chip Industry Increasingly Targeted by China-Linked Hackers in Phishing Campaigns
What we know: Between March and June 2025, China-aligned hackers were reportedly found increasingly targeting at least 15 to 20 organizations in the Taiwanese semiconductor industry and its supply chain, including a U.S.-headquartered international bank.
Context: Malicious emails targeting specific individuals in the industry have increased from one or two to 80 emails, attempting to gain information on the organization. At least one hacking group was found posing as job applicants, using compromised Taiwanese university email accounts, to deliver malware to targeted entities.
Analyst note: The increased hacking activity is likely a response to the United States' restrictions on U.S.-designed chip imports to China. The tactics used by a hacking group involving compromised university email accounts also very likely affect the reputation of academic institutions due to a lack of strong cybersecurity defenses.
DEEP AND DARK WEB INTELLIGENCE
16 Billion Credentials Leak: ZeroFox procured and carried out a preliminary analysis of the June 2025 leak of an estimated 16 billion credentials on the dark web, and identified about 2.7 billion lines of URL, login, and password (ULP) data, suggesting at least this many separate victims. Though the usability of the leaked data remains undetermined, ZeroFox analysis estimates the data is dated between January and June 2025. The majority of the data is likely to provide malicious utility to those in possession of it.
VULNERABILITY AND EXPLOIT INTELLIGENCE
UNC6148 targets patched, legacy SonicWall devices: Threat group UNC6148 has been targeting fully patched, end-of-life SonicWall SMA 100 series appliances since at least October 2024 to deploy a backdoor, OVERSTEP. UNC6148 is likely regaining access using previously stolen credentials and OTP seeds, despite security updates. The initial access vector is unclear due to log tampering, but could involve known CVEs or a zero-day vulnerability. Successful exploitation could enable persistent, covert access to corporate networks, leading to data exfiltration, lateral movement, or compromise of enterprise infrastructure.
Affected products: End-of-life SonicWall SMA 100 series
Tags: DIB, tlp:green