ZeroFox Daily Intelligence Brief - July 18, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Russia-Linked LAMEHUG Malware Using AI-Generated Commands for Attacks
- Unprotected Database Exposes 1.1 Million Texas Adoption Agency Records
- Hackers Actively Exploiting TeleMessage Flaw to Steal Passwords and Sensitive Data
Russia-Linked LAMEHUG Malware Using AI-Generated Commands for Attacks
Source: https://[email protected]/article/6284730
What we know: Ukraine’s national cyber incident response team (CERT-UA) has warned about a new Russia-linked malware family called “LAMEHUG,” which uses AI-generated commands aimed at system reconnaissance and data exfiltration.
Context: LAMEHUG is reportedly the first publicly documented malware to use an LLM to carry out attacks. It used the Qwen 2.5-Coder-32B-Instruct LLM, developed by Alibaba Cloud and accessed through the API of the U.S. company Hugging Face. The malware was found in files sent to Ukrainian government personnel via phishing emails from compromised ministerial accounts.
Analyst note: Dynamically generated commands are likely to evade security software that typically inspects hardcoded command strings. Generating commands from a textual description is likely to lower the technical threshold required to carry out malware campaigns.
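As an added illustration (not from the brief, CERT-UA, or the malware itself), the following Python sketch shows the behavioural detection the analyst note points toward: instead of matching command strings, it flags a non-allowlisted process that contacts an LLM inference API and then spawns a shell. The hostnames, the process allowlist and the telemetry events are constructed assumptions, not observed indicators.

```python
import json

# Hosts serving hosted LLM inference. Hugging Face is the provider named in the
# brief; the exact hostnames here are assumptions and should be tuned per environment.
LLM_API_HOSTS = {"huggingface.co", "api-inference.huggingface.co"}
# Processes expected to reach LLM APIs (assumed allowlist: browsers, IDEs, etc.).
ALLOWED_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe", "code.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed sample telemetry (one JSON event per line): "net" = outbound
# connection, "proc" = child process creation. Not real LAMEHUG data.
SAMPLE_LOG = """
{"ts": 1, "type": "net", "pid": 4412, "image": "chrome.exe", "host": "huggingface.co"}
{"ts": 2, "type": "net", "pid": 5120, "image": "unknown_app.exe", "host": "api-inference.huggingface.co"}
{"ts": 3, "type": "proc", "pid": 5120, "image": "unknown_app.exe", "child": "cmd.exe"}
{"ts": 4, "type": "proc", "pid": 4412, "image": "chrome.exe", "child": "cmd.exe"}
"""

def parse_events(lines):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]

def detect_llm_driven_execution(events):
    """Return alerts for the behavioural chain the brief describes: a process that
    is not allowlisted contacts an LLM inference host, then spawns a shell (i.e. the
    model's reply is being executed). Signatures on the command text would miss this."""
    contacted = {}  # pid -> LLM host first contacted by a non-allowlisted process
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        proc = ev["image"].lower()
        if ev["type"] == "net":
            if ev["host"] in LLM_API_HOSTS and proc not in ALLOWED_PROCESSES:
                contacted.setdefault(ev["pid"], ev["host"])
                alerts.append(("llm_api_from_unexpected_process", ev["pid"], proc, ev["host"]))
        elif ev["type"] == "proc":
            child = ev["child"].lower()
            if child in SHELLS and ev["pid"] in contacted:
                alerts.append(("shell_spawned_after_llm_call", ev["pid"], proc, child))
    return alerts

if __name__ == "__main__":
    for alert in detect_llm_driven_execution(parse_events(SAMPLE_LOG.splitlines())):
        print(alert)
```

The allowlisted browser contacting the same host and later launching a shell produces no alert, which is the point: the rule keys on the process-to-API-to-shell chain, not on the host alone.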
Unprotected Database Exposes 1.1 Million Texas Adoption Agency Records
Source: https://hackread.com/massive-data-leak-texas-adoption-agency-million-records/
What we know: A cybersecurity researcher has discovered an unprotected database linked to a Texas adoption agency, exposing over 1.1 million highly sensitive records. The data has since been secured.
Context: The 2.49 GB database, suspected to have originated from a customer relationship management (CRM) system, contained personal information on children, adoptive families, and staff, and was publicly accessible without a password or encryption.
Analyst note: If threat actors accessed the data before it was secured, they likely put children at risk of identity theft, social engineering, fraud, blackmail, and even physical threats. The lack of encryption and access controls likely made it easy for threat actors to locate and misuse the data.
Hackers Actively Exploiting TeleMessage Flaw to Steal Passwords and Sensitive Data
What we know: Hackers are actively exploiting CVE-2025-48927, a vulnerability in the TeleMessage app, to access sensitive user data. CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog in early July.
Context: TeleMessage offers modified versions of secure messaging apps like Signal for enterprises and governments to archive chats. The vulnerability enables attackers to access plaintext usernames, passwords, and other private information.
Analyst note: If left unpatched, threat groups are likely to exploit this flaw to leak sensitive conversations, conduct espionage, or stage follow-up intrusions into government systems.
DEEP AND DARK WEB INTELLIGENCE
RAMP user blackfield: Well-regarded threat actor "blackfield" has advertised for sale data associated with the Israel Defense Forces (IDF) on RAMP. The breached data allegedly includes phone numbers, emails, family information, and locations of 200,000 defense personnel. The actor is allegedly selling the breached data for USD 50,000 but is offering it free to groups aligned with a pro-Iran stance. Pro-Iran groups are likely to use the data to track, intimidate, or target IDF personnel and their families.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-20337: This remote code execution vulnerability, if exploited, could enable threat actors to upload malicious files, execute arbitrary code, and gain root access via specially crafted API requests. With root access, attackers could establish persistence on affected devices, enabling them to monitor activities and exfiltrate data.
Affected products: The affected products are included in this advisory.
Tags: DIB, tlp:green