ZeroFox Daily Intelligence Brief - July 28, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Scattered Spider Tactics Rely on Targeting VMware Infrastructure
- NASCAR Data Breach Exposed SSNs
- BreachForums Original Onion Address Seemingly Functional Again
Scattered Spider Tactics Rely on Targeting VMware Infrastructure
What we know: The Scattered Spider ransomware group has been targeting U.S. organizations by attacking VMware ESXi hypervisors.
Context: The group’s attack chain reportedly does not rely on exploiting vulnerabilities but on social engineering: an operator poses as an employee, contacts the IT help desk, and has that employee’s Active Directory password reset. Several U.S. organizations in the retail, airline, and insurance sectors have been victims of the ransomware.
Analyst note: Scattered Spider’s tactics are likely to be adopted by other ransomware groups given their success rate. Since the attack chain does not rely on exploiting vulnerabilities, the technical expertise required is slightly lower in comparison.
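The help-desk reset path described above leaves a trail defenders can check: every Active Directory password reset should correspond to a help-desk ticket on which the requester’s identity was verified out of band. The script below is an added example, not ZeroFox code and not taken from any reporting on the group; it assumes a simplified “timestamp|event_id|target|actor” export of Windows Security events (event 4724 is the reset-password event; 4738, account changed, is included only to show it is ignored) and a constructed ticket list, and flags resets with no ticket or with a ticket whose identity check was never completed.

```python
"""Flag AD password resets that lack a matching, identity-verified help-desk ticket.

Added example (hypothetical log format and ticket schema); sample data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ResetEvent:
    when: datetime
    target: str   # account whose password was reset
    actor: str    # help-desk operator account that performed the reset


@dataclass
class Ticket:
    opened: datetime
    requester: str
    verified: bool  # identity confirmed out of band (e.g. callback to the number on file)


# Constructed sample: simplified export of Windows Security events.
# 4724 = "An attempt was made to reset an account's password"; 4738 = account changed.
SAMPLE_EVENTS = """\
2025-07-28T09:02:11|4724|jdoe|helpdesk01
2025-07-28T09:40:55|4724|asmith|helpdesk02
2025-07-28T11:15:03|4724|vmadmin|helpdesk01
2025-07-28T11:16:40|4738|vmadmin|helpdesk01
"""

# Constructed sample: help-desk tickets. asmith's ticket was opened but the
# caller's identity was never verified; vmadmin has no ticket at all.
SAMPLE_TICKETS = [
    Ticket(datetime(2025, 7, 28, 8, 50), "jdoe", verified=True),
    Ticket(datetime(2025, 7, 28, 9, 30), "asmith", verified=False),
]


def parse_events(text):
    """Return only the password-reset (4724) events from the export."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, target, actor = line.strip().split("|")
        if event_id == "4724":
            events.append(ResetEvent(datetime.fromisoformat(ts), target, actor))
    return events


def unverified_resets(events, tickets, window=timedelta(hours=1)):
    """Return (target, actor, reason) for each reset that cannot be tied to a verified ticket.

    A ticket matches when it was opened for the same account within `window`
    before the reset. A match with verified=False is still a finding: the
    reset went ahead without the identity check the procedure requires.
    """
    findings = []
    for ev in events:
        matched = [
            t for t in tickets
            if t.requester == ev.target and ev.when - window <= t.opened <= ev.when
        ]
        if not matched:
            findings.append((ev.target, ev.actor, "no help-desk ticket"))
        elif not any(t.verified for t in matched):
            findings.append((ev.target, ev.actor, "ticket without identity verification"))
    return findings


if __name__ == "__main__":
    for target, actor, reason in unverified_resets(parse_events(SAMPLE_EVENTS), SAMPLE_TICKETS):
        print(f"ALERT reset of {target} by {actor}: {reason}")
```

The one-hour window and the ticket schema are assumptions to adjust to the local help-desk process; the point of the check is that the operator account and the ticket’s verification flag are both recorded, so a reset that bypassed the identity step stands out the same day rather than after the hypervisor is already encrypted.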
NASCAR Data Breach Exposed SSNs
Source: https://hackread.com/nascar-ransomware-confirm-medusa-ransomware-data-breach/
What we know: NASCAR has confirmed that its systems were breached in March 2025, resulting in the theft of sensitive data including names and Social Security numbers. The Medusa ransomware group had claimed responsibility for the attack and demanded a USD 4 million ransom.
Context: In April 2025, ZeroFox observed a post by the Medusa ransomware group on its leak site, claiming to have stolen 1 TB of data and releasing blurred images as supposed proof. In March 2025, CISA and the FBI warned about the threat posed by Medusa and its affiliates, who have impacted over 300 victims across various critical infrastructure sectors.
Analyst note: Threat actors could conduct social engineering attacks targeting NASCAR employees to extract sensitive details, such as race strategies and internal team communications. Illegal bookmakers or gamblers could exploit this information to gain an advantage in betting on upcoming races.
BreachForums Original Onion Address Seemingly Functional Again
Source: https://cloud.zerofox.com/intelligence/advanced_dark_web/89919
What we know: BreachForums has reportedly resurfaced on its original dark web domain, with its infrastructure seemingly restored.
Context: A post on the website addresses the forum users, claiming that a now-patched vulnerability led to the forum’s shutdown. The post further states that threat actor IntelBroker, arrested in late June, is not the owner, but a ploy to “divert attention” from the actual owners.
Analyst note: The claim about the vulnerability in the forum’s infrastructure, which aligns with similar statements made before the original BreachForums domain became inaccessible, is likely true. Many former members of the forum will likely return. BreachForums will also likely see a spike in membership as threat actors migrate from the popular dark web forum XSS following a recent domain seizure operation.
DEEP AND DARK WEB INTELLIGENCE
Tea app breach: The women-only dating advice app “Tea” has been breached, with data from its legacy storage system compromised. The app allows women to post anonymously about men they have dated in order to inform other women about those individuals. Over 72,000 images, comments, and direct messages, excluding contact details, dating from before February 2024 have been leaked. The data is reportedly circulating on the anonymous forum 4chan. Users exposed in the leak, both the women who posted and the men discussed, are likely at risk of harassment and doxxing.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-7742: Successful exploitation of this vulnerability could allow threat actors to execute code remotely with administrator privileges. With such privileges, actors could take full control of the camera, manipulate its functionality, and monitor video feeds. This vulnerability is one of six recently listed by CISA as part of its Industrial Control Systems (ICS) advisories.
Affected products: All versions of LG Innotek Camera Model LNV5110R
Tags: DIB, tlp:green