ZeroFox Daily Intelligence Brief - July 25, 2025

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • ZeroFox Intelligence Flash Report - SEO Poisoning Abusing LLMs
  • Database from Leak Zone Forum Exposed
  • BlackSuit Ransomware’s Domains Seized in Operation Checkmate

ZeroFox Intelligence Flash Report - SEO Poisoning Abusing LLMs

Source: https://www.zerofox.com/advisories/34823/

What we know: ZeroFox has identified a surge in Search Engine Optimization (SEO) poisoning campaigns in which attackers inject fake contact information, packaged as PDFs, into trusted domains such as .edu and .gov sites. These documents are then widely reposted on forums and link aggregators to boost their search engine visibility and to deceive large language models (LLMs).

Context: The campaign uses novel tactics, techniques, and procedures to abuse LLMs in order to increase the credibility of the poisoned search results. The abuse targets users seeking customer support by presenting fraudulent contact details as top search results.

Analyst note: This tactic makes it very likely that users will interact with fake support contact numbers, leading to theft of personal data, financial fraud, or scams. The misuse of LLMs, which rely heavily on trusted domains, increases the threat by making fake data appear credible and harder to detect.

Database from Leak Zone Forum Exposed

Source: https://techcrunch.com/2025/07/24/cybercrime-forum-leak-zone-publicly-exposed-its-users-ip-addresses/

What we know: Researchers have observed that Leak Zone, a cybercrime forum, has exposed over 22 million user login records due to a misconfigured or unsecured Elasticsearch database. The leak has revealed IP addresses and login timestamps in real time.

Context: Leak Zone gained popularity in 2020 for distributing breached databases, stolen credentials, and cracked accounts and claims to have over 109,000 users. The exposed database mostly contained Leak Zone user logins, while the remaining data linked to compromised streaming accounts.

Analyst note: Leak Zone users are likely aware of the database leak, which raises concerns about the forum’s overall security and is driving a mass migration to other similar forums. Continued monitoring of dark web activity could reveal threat actor preferences and behaviors, offering insights for law enforcement operations.

BlackSuit Ransomware’s Domains Seized in Operation Checkmate

Source: https://www.bleepingcomputer.com/news/security/law-enforcement-seizes-blacksuit-ransomware-leak-sites/

What we know: The BlackSuit ransomware group’s domains have been seized in an international operation, called Operation Checkmate, which also involved a U.S. law enforcement agency.

Context: The BlackSuit ransomware group is reportedly linked to Chaos ransomware. The BlackSuit ransomware operation is known to have targeted the networks of hundreds of organizations.

Analyst note: Investigators are likely to find leads that allow the seizure of the Chaos ransomware group’s domains, given its association with the BlackSuit ransomware group. The seizure of the domains is unlikely to completely disrupt the ransomware operation until its members are arrested.

DEEP AND DARK WEB INTELLIGENCE

Exploit user litxyz: Untested threat actor "litxyz" has advertised an exploit for the CrushFTP HTTP zero-day vulnerability (CVE-2025-54309) on the Exploit forum. CISA has warned that the vulnerability is being actively exploited in unpatched versions of the product. The threat actor is likely attempting to use the public interest in the bug to scam other users. The legitimacy of the exploit cannot be verified, but it is unlikely to appeal to buyers because a security patch is already available.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2025-40599: SonicWall has released patches for CVE-2025-40599, a vulnerability that enables threat actors to upload arbitrary files and achieve remote code execution. At the time of writing, threat actors are targeting affected devices using stolen credentials. If left unpatched, threat actors could gain access, upload malicious files, and execute arbitrary code, leading to complete system compromise.

Affected products: SMA 100 Series (SMA 210, 410, 500v) 10.2.1.15-81sv and earlier versions.

Tags: DIB, TLP:GREEN