ZeroFox Daily Intelligence Brief - July 22, 2025

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • ZeroFox Intelligence Brief - Fake Geopolitical Consultancy Jobs: China’s Espionage Tactic
  • Cybercrime Group Extorts Dell; Exfiltrates Old Data
  • FTC Halts Debt-Relief Scam Falsely Impersonating Trusted Entities

ZeroFox Intelligence Brief - Fake Geopolitical Consultancy Jobs: China’s Espionage Tactic

Source: https://www.zerofox.com/advisories/34752/

What we know: ZeroFox has uncovered an instance of state-sponsored actors exploiting online job platforms to recruit candidates with security clearances for intelligence-gathering under the guise of remote consultancy work. Threat actors impersonated legitimate organizations and used phishing and social engineering tactics to recruit citizens as informants.

Context: The suspected espionage campaign was observed in India, with researchers attributing the domain and IP address to an advanced persistent threat (APT) infrastructure. Similar cases have been reported in the United States and Europe, linking the activity to Chinese intelligence operations.

Analyst note: The operation likely indicates how national security threats are facilitated by the malicious use of everyday platforms. These operations very likely pose a reputational threat to the entities that are impersonated.

Cybercrime Group Extorts Dell; Exfiltrates Old Data

Source: https://www.bleepingcomputer.com/news/security/dell-confirms-breach-of-test-lab-platform-by-world-leaks-extortion-group/

What we know: Threat group World Leaks has breached Dell’s Customer Solution Centers and allegedly exfiltrated 1.3 TB of data. Dell has confirmed the breach and is currently investigating, but details on how the breach occurred remain undisclosed.

Context: Dell confirmed the breach but stated that no sensitive customer or corporate data was compromised. Researchers have found that the compromised data involves synthetic or test data and an outdated contact list.

Analyst note: It is unlikely that Dell will comply with the group’s demands, as the stolen data is neither sensitive nor current. However, the test data and the outdated contact list could still enable malicious actors to access users’ accounts where old passwords have been reused. Dell customers are advised to update their passwords and enable multifactor authentication.

FTC Halts Debt-Relief Scam Falsely Impersonating Trusted Entities

Source: https://www.ftc.gov/news-events/news/press-releases/2025/07/ftc-halts-illegal-debt-relief-operation-falsely-impersonated-businesses-government-harming-consumers

What we know: A federal court, at the FTC’s request, has temporarily halted an “Accelerated Debt” program for allegedly defrauding seniors and veterans out of USD 100 million through deceptive debt relief services.

Context: Seven companies and three individuals operated the fraudulent program using telemarketing, direct mail, and online ads. The scheme falsely claimed to reduce debts by up to 75 percent and impersonated trusted entities.

Analyst note: The scheme exploited trust in official institutions to defraud seniors and veterans by posing as legitimate financial assistance. Victims incurred substantial losses, with their savings and sensitive personal data likely exposed—increasing the risk of further financial loss, credit damage, and identity theft.

DEEP AND DARK WEB INTELLIGENCE

Hong Kong Investigates Louis Vuitton Breach: Hong Kong’s privacy watchdog is investigating a data breach at Louis Vuitton that exposed the personal information of about 419,000 customers. Additionally, the House of Dior (Dior), part of the LVMH group, is notifying U.S. customers of a May data breach that exposed personal information. Retail brands have become lucrative targets for threat actors likely due to the high volume of customer data they hold, which can be leveraged for identity theft, phishing, or resale on illicit markets.

VULNERABILITY AND EXPLOIT INTELLIGENCE

ExpressVPN vulnerability: A bug has been fixed in the ExpressVPN app that risked exposing users’ real IP addresses. The vulnerability allowed certain Remote Desktop Protocol (RDP) traffic to bypass the virtual private network (VPN) tunnel, revealing the user’s real IP address. Under these specific conditions, an unpatched VPN client is very likely to provide no effective anonymity or censorship circumvention.

Affected products: ExpressVPN versions 12.97 to 12.101.0.2-beta

Tags: DIB, tlp:green