Advisories

ZeroFox Daily Intelligence Brief - August 1, 2025

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • CISA Flags Key Cybersecurity Weaknesses in Critical Infrastructure
  • Unsolicited Packages Containing QR Codes Used to Initiate Fraud Schemes
  • Russian Cyber Espionage Group Targeting Foreign Embassies in Moscow

CISA Flags Key Cybersecurity Weaknesses in Critical Infrastructure

Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-212a

What we know: CISA is warning critical infrastructure organizations about recurring cyber hygiene weaknesses, including insufficient network segmentation, insecurely stored (plaintext) credentials, and unrestricted remote access for local administrator accounts.

Context: CISA recommends storing credentials encrypted rather than in plaintext, restricting access to operational technology (OT) through bastion hosts, and ensuring detailed, centralized logging so that intrusions can be detected and investigated.

Analyst note: Implementing CISA's recommendations would reduce an organization's attack surface and improve endpoint security. Adequate network segmentation and the other mitigations will likely make it harder for threat actors who gain a foothold on the corporate network to reach industrial control systems, reducing the risk of operational disruption.
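One concrete check that follows from the "insecurely stored credentials" finding, added here as an example and not part of the CISA advisory or of this brief: the Python script below sweeps a directory tree of scripts and configuration files for credential-looking values, drops template placeholders and low-entropy words, and reports each hit with the secret masked. The regex patterns, entropy threshold, file-suffix list and the sample deployment script are this example's own assumptions, constructed for illustration.

```python
"""Sweep scripts and config files for insecurely stored credentials.

Added example for this brief; not CISA's or ZeroFox's tooling. The patterns,
thresholds, suffix list and the sample file below are this example's own
assumptions, constructed for illustration.
"""
from __future__ import annotations

import math
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Heuristic patterns; group 1 captures the candidate secret.
PATTERNS = {
    "assignment": re.compile(
        r"(?i)(?:pass(?:word|wd)?|pwd|secret|token|api[_-]?key)[a-z0-9_]*"
        r"\s*[:=]\s*['\"]?([^\s'\";]{6,})"),
    "url_userinfo": re.compile(r"(?i)[a-z][a-z0-9+.-]*://[^/\s:@]+:([^@\s/]{3,})@"),
    "aws_access_key": re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    "private_key": re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----)"),
}
FILTERED_KINDS = {"assignment", "url_userinfo"}  # kinds subject to placeholder filtering
PLACEHOLDER_PREFIXES = ("${", "{{", "$(", "%", "<")
PLACEHOLDER_WORDS = {"changeme", "password", "example", "redacted", "secret"}
MIN_ENTROPY = 2.5  # bits per character; drops low-variety words such as "strict"
SCAN_SUFFIXES = {".ps1", ".bat", ".cmd", ".sh", ".py", ".ini", ".cfg", ".conf",
                 ".yml", ".yaml", ".json", ".xml", ".env", ".txt"}

# Constructed sample: a deployment script as it might be found on an OT jump host.
SAMPLE_FILE = """\
# deployment script (constructed sample)
$dbPassword = "Summer2025!"
$apiToken = ${VAULT_API_TOKEN}
password_policy = strict
conn = "Server=db01;Database=hist;User Id=svc;Password=Hunter2!;"
backup_url = sftp://backup:B4ckup#2025@10.10.5.20/exports
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
-----BEGIN RSA PRIVATE KEY-----
"""


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    excerpt: str  # masked so the report itself does not leak the secret


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def is_placeholder(value: str) -> bool:
    """True for template references, well-known dummy values and low-variety words."""
    v = value.strip("'\"")
    if not v:
        return True
    return (v.startswith(PLACEHOLDER_PREFIXES)
            or v.lower() in PLACEHOLDER_WORDS
            or shannon_entropy(v) < MIN_ENTROPY)


def mask(value: str) -> str:
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def scan_text(text: str, path: str = "<memory>") -> list[Finding]:
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1)
            if kind in FILTERED_KINDS and is_placeholder(value):
                continue
            findings.append(Finding(path, line_no, kind, mask(value)))
    return findings


def scan_tree(root: Path) -> list[Finding]:
    findings: list[Finding] = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in SCAN_SUFFIXES:
            findings.extend(scan_text(p.read_text(errors="replace"), str(p.relative_to(root))))
    return findings


if __name__ == "__main__":
    # Write the constructed sample into a temporary tree and scan it.
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "deploy.ps1").write_text(SAMPLE_FILE)
        for f in scan_tree(Path(tmp)):
            print(f"{f.path}:{f.line_no} [{f.kind}] {f.excerpt}")
```

Run against a share or jump host as `python scan_creds.py` after pointing `scan_tree` at the directory of interest; the placeholder filter keeps vault references such as `${VAULT_API_TOKEN}` out of the report, while key material and cloud access keys are always reported regardless of entropy.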

Unsolicited Packages Containing QR Codes Used to Initiate Fraud Schemes

Source: https://www.ic3.gov/PSA/2025/PSA250731

What we know: The FBI has warned the public that criminals are sending unsolicited packages containing QR codes to trick recipients. Scanning these codes can lead to phishing sites or install malware to steal personal and financial data.

Context: This is a variation of the "brushing scam," which originally aimed to boost fake product reviews. Scammers have now weaponized it for financial fraud and identity theft using malicious QR codes.

Analyst note: Malicious actors are using physical mail to launch digital attacks, putting individuals at risk of identity theft, financial fraud, and device compromise. To protect against QR code-based brushing scams and related cybercrime, the FBI recommends not scanning QR codes from unknown sources, treating unsolicited packages with suspicion, limiting app permissions, and monitoring credit reports and account statements for fraud.

Russian Cyber Espionage Group Targeting Foreign Embassies in Moscow

Source: https://thehackernews.com/2025/07/secret-blizzard-deploys-malware-in-isp.html

What we know: Russia-linked cyber espionage group Secret Blizzard (also known as Waterbug, Turla, and Venomous Bear) has been reportedly targeting foreign embassies in Moscow using adversary-in-the-middle (AiTM) attacks for intelligence gathering.

Context: The group is using its AiTM position at the local internet service provider (ISP) and telecommunications level to deploy custom ApolloShadow malware. The payload is disguised as an antivirus installer and installs a root certificate, so that the compromised device trusts actor-controlled websites as legitimate.

Analyst note: Threat actors are likely able to eavesdrop on diplomatic discussions using compromised devices. Diplomatic missions using local internet service providers are very likely at risk of being targeted.
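A detection check that follows from the root-certificate technique described above, added here as an example and not from the cited report or from this brief: the Python script below parses a `certutil -store Root` dump from a Windows host and flags any trusted root that is not in an approved thumbprint baseline, was issued recently, or is not self-signed. The sample dump is constructed (its layout approximates certutil's en-US output), and the serials, thumbprints, the baseline set and the "Secure Antivirus Root CA" entry are made up for the example.

```python
"""Audit a Windows trusted-root store dump for unexpected root certificates.

Added example for this brief; not Microsoft's, ZeroFox's or the cited report's
tooling. Input is the text printed by ``certutil -store Root``. The sample dump
below is constructed (layout approximates certutil's en-US output); the serials,
thumbprints, baseline and the "Secure Antivirus Root CA" entry are made up.
"""
from __future__ import annotations

import re
import subprocess
import sys
from dataclasses import dataclass
from datetime import datetime, timedelta

CERT_HEADER = "================ Certificate"
FIELD_RE = re.compile(
    r"^\s*(Serial Number|Issuer|Subject|NotBefore|NotAfter|Cert Hash\(sha1\)):\s*(.+?)\s*$")
DATE_FORMAT = "%m/%d/%Y %I:%M %p"  # certutil prints machine-locale dates; this is en-US

# Approved root thumbprints (made-up value standing in for your golden baseline).
BASELINE_SHA1 = {"0123456789abcdef0123456789abcdef01234567"}

SAMPLE_DUMP = """\
Root "Trusted Root Certification Authorities"
================ Certificate 0 ================
Serial Number: 1a2b3c4d5e6f00112233445566778899
Issuer: CN=Microsoft Root Certificate Authority 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
 NotBefore: 6/23/2010 2:57 PM
 NotAfter: 6/23/2035 3:04 PM
Subject: CN=Microsoft Root Certificate Authority 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): 0123456789abcdef0123456789abcdef01234567
================ Certificate 1 ================
Serial Number: 00b5c2a9f3e1d47706
Issuer: CN=Secure Antivirus Root CA, O=Secure Antivirus
 NotBefore: 7/28/2025 9:12 AM
 NotAfter: 7/26/2035 9:12 AM
Subject: CN=Secure Antivirus Root CA, O=Secure Antivirus
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): 5d0e9c3a7b21f4e8a6c0d1b2e3f4a5b6c7d8e9f0
CertUtil: -store command completed successfully.
"""


@dataclass
class RootCert:
    serial: str = ""
    issuer: str = ""
    subject: str = ""
    not_before: datetime | None = None
    not_after: datetime | None = None
    sha1: str = ""


def parse_certutil_dump(text: str) -> list[RootCert]:
    """Split a certutil dump into one RootCert per '=== Certificate N ===' block."""
    certs: list[RootCert] = []
    cur: RootCert | None = None
    for line in text.splitlines():
        if line.startswith(CERT_HEADER):
            cur = RootCert()
            certs.append(cur)
            continue
        m = FIELD_RE.match(line) if cur is not None else None
        if not m:
            continue
        key, val = m.groups()
        if key == "Serial Number":
            cur.serial = val.lower()
        elif key == "Issuer":
            cur.issuer = val
        elif key == "Subject":
            cur.subject = val
        elif key == "NotBefore":
            cur.not_before = datetime.strptime(val, DATE_FORMAT)
        elif key == "NotAfter":
            cur.not_after = datetime.strptime(val, DATE_FORMAT)
        else:  # Cert Hash(sha1)
            cur.sha1 = val.replace(" ", "").lower()
    return certs


def audit_roots(certs: list[RootCert], baseline_sha1: set[str], now: datetime,
                recent_days: int = 30) -> list[tuple[RootCert, list[str]]]:
    """Return (cert, reasons) for every root that deserves an analyst's attention."""
    baseline = {h.replace(" ", "").lower() for h in baseline_sha1}
    flagged: list[tuple[RootCert, list[str]]] = []
    for c in certs:
        reasons = []
        if c.sha1 not in baseline:
            reasons.append("thumbprint not in approved baseline")
        if c.not_before and now - c.not_before <= timedelta(days=recent_days):
            reasons.append(f"NotBefore within the last {recent_days} days")
        if c.issuer and c.subject and c.issuer != c.subject:
            reasons.append("not self-signed, which is unexpected in the Root store")
        if reasons:
            flagged.append((c, reasons))
    return flagged


def audit_dump(text: str, baseline_sha1: set[str], now_iso: str | None = None):
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now()
    return audit_roots(parse_certutil_dump(text), baseline_sha1, now)


if __name__ == "__main__":
    if sys.platform == "win32":  # live audit of this host's machine Root store
        dump = subprocess.run(["certutil", "-store", "Root"],
                              capture_output=True, text=True).stdout
    else:
        dump = SAMPLE_DUMP
    for cert, reasons in audit_dump(dump, BASELINE_SHA1):
        print(f"{cert.subject}\n  sha1={cert.sha1}\n  " + "; ".join(reasons))
```

On a Windows host the script audits the machine store directly; elsewhere it runs on the constructed sample, where the recently issued "Secure Antivirus Root CA" is the only entry flagged. Keep the baseline under change control, and treat any newly added root on a diplomatic or other high-value endpoint as an incident until explained.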

DEEP AND DARK WEB INTELLIGENCE

Spyware in more than 200 mobile applications: Threat actors have hidden spyware in more than 200 legitimate-looking Android and iOS apps targeting users in Korea to steal personal data. In some cases, victims were blackmailed with their sensitive information. The stolen data can include financial information such as account numbers, enabling unauthorized transactions.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2025-5394: This vulnerability, already patched, in the "Alone – Charity Multipurpose Non-profit WordPress Theme" results from a missing capability check that lets unauthenticated attackers upload arbitrary files. Successful exploitation is likely to enable complete site takeover. Political and social movements using the theme are likely to be targeted both by politically motivated threat actors aiming to derail causes and by financially motivated threat actors aiming to steal donated funds.

Affected products: Theme versions up to and including 7.8.3.

Tags: DIB, TLP:GREEN