ZeroFox Daily Intelligence Brief - July 24, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Key Figure Behind Major Russian-Speaking Cybercrime Forum Arrested in Ukraine
- OpenAI Warns of AI Voice Phishing Frauds Targeting the Financial Industry
- FBI Warns of Criminal Group “The Com”
Key Figure Behind Major Russian-Speaking Cybercrime Forum Arrested in Ukraine
Source: https://cloud.zerofox.com/intelligence/advanced_dark_web/89838
What we know: Following the xss[.]is domain seizure and the arrest of its suspected administrator, ZeroFox researchers identified an inactive backup clearnet domain (xss[.]as). However, the forum is accessible via an onion site at the time of writing. Additionally, on July 24, an alleged admin, “#root,” claimed the main server was unaffected and infrastructure restoration was underway.
Context: Xss[.]is has been a central hub for cybercriminal activity, facilitating trade in stolen data, hacking tools, and illicit services for over 50,000 users. The administrator also operated thesecure[.]biz, a private messaging platform tailored for underground transactions. ZeroFox observed that the domain registration details for xss[.]is now reportedly show links to the Icelandic Police.
Analyst note: The arrest disrupts a significant entity of the cybercrime ecosystem, potentially dismantling trusted networks used by many threat actors. The suspect’s longstanding connections and insider knowledge are likely to yield valuable intelligence, enabling further identification and tracking of associated actors and infrastructure.
OpenAI Warns of AI Voice Phishing Frauds Targeting the Financial Industry
Source: https://www.securityweek.com/openais-sam-altman-warns-of-ai-voice-fraud-crisis-in-banking/
What we know: OpenAI has warned that AI voice phishing is a significant threat to the banking industry, especially to banks that still rely on voiceprinting for customer identification.
Context: AI tools are able to impersonate a person’s voice and bypass voice biometrics. Banks that utilize voiceprinting require customers to speak a challenge phrase into the phone to gain access to their accounts.
Analyst note: Threat actors are likely to use AI voice modulation in combination with leaked data on a target to carry out financial thefts. Personally identifiable information exposed in data breaches is likely to aid such frauds.
FBI Warns of Criminal Group “The Com”
Source: https://www.theregister.com/2025/07/23/irl_com_recruits_teens/
What we know: The FBI is warning of an online and physical group of criminals called The Com, which has three subtypes: Hacker Com, IRL Com, and Extortion Com. The “community” provides violence-as-a-service (VaaS), often coercing members into carrying out illegal acts on its behalf.
Context: Members of The Com engage in a wide range of serious crimes, including swatting, sextortion, child sexual abuse material distribution, and cyber offenses like distributed denial-of-service attacks, SIM swapping, ransomware, and crypto theft.
Analyst note: The presence of subtypes within The Com likely indicates a modular and organized structure, allowing members to specialize in different forms of crime while operating under a shared identity. The community likely thrives and expands because its structure gives it access to a broad resource pool, enabling the group to conduct and offer a wide range of criminal services.
DEEP AND DARK WEB INTELLIGENCE
Jetflicks operators sentenced: Five operators of Jetflicks, an illegal streaming service, have been sentenced to seven years in prison for their involvement in distributing pirated content to thousands of subscribers. The operation caused an estimated USD 37.5 million in damages and ran for 12 years before being shut down by the FBI. Although the operators of this illegal streaming service have been apprehended, similar services are likely to emerge. As a result, content creators and legitimate platforms are likely to continue losing revenue due to ongoing piracy.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-2775 and CVE-2025-2776: These unauthenticated XML External Entity (XXE) vulnerabilities in SysAid IT service management (ITSM) software, already patched by the vendor, are being actively exploited. The flaws enable threat actors to hijack administrator accounts. Hijacked accounts are likely to enable threat actors to compromise an organization’s network and encrypt and exfiltrate data.
Affected products: SysAid On-Prem versions before 24.4.60
Tags: DIB, tlp:green