ZeroFox Daily Intelligence Brief - August 7, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- UAC-0099 Targets Ukraine with Multi-Stage Phishing Campaign
- Chinese Syndicate’s Digital Wallet Fraud Hits 115 Million Cards
- CISA Malware Analysis Report Associated with SharePoint Bugs
UAC-0099 Targets Ukraine with Multi-Stage Phishing Campaign
Source: https://thehackernews.com/2025/08/cert-ua-warns-of-hta-delivered-c.html
What we know: Threat actor “UAC-0099” is targeting Ukrainian government and defense entities with phishing emails delivering MATCHBOIL, MATCHWOK, and DRAGSTARE malware strains to establish persistence, execute PowerShell commands, and exfiltrate sensitive data.
Context: The attack begins with phishing emails sent from UKR[.]NET addresses, typically using urgent subjects such as “court summons” to pressure recipients. The emails contain a link to a legitimate file-hosting service; the files downloaded from it trick the system into fetching the multiple malware strains.
Analyst note: UAC-0099 is likely abusing legitimate services to deliver malware stealthily and maintain persistent access to Ukrainian networks while bypassing basic security controls. That access enables monitoring of compromised systems and the collection of intelligence on government assets, military strategy, and other sensitive information.
Chinese Syndicate’s Digital Wallet Fraud Hits 115 Million Cards
Source: https://hackread.com/chinese-stole-115-million-us-cards-smishing-campaign/
What we know: A Chinese crime syndicate compromised up to 115 million U.S. payment cards between July 2023 and October 2024, causing billions in losses. The group turned stolen card data into digital wallet tokens, bypassing older fraud detection systems that monitor direct card transactions.
Context: The operation evolved from small-scale smishing scams into a coordinated fraud network by adopting phishing-as-a-service (PhaaS) tools and automation. The group used fake e-commerce sites and ads on major platforms to harvest payment details.
Analyst note: By exploiting weaknesses in digital wallet provisioning, the syndicate has created a new form of payment fraud that banks' security systems struggle to detect. This method likely enables prolonged, large-scale theft without triggering alerts, leading to significant financial losses for banks and consumers and higher fraud-related costs for merchants.
CISA Malware Analysis Report Associated with SharePoint Bugs
What we know: CISA has released a Malware Analysis Report (MAR) with analysis and associated detection signatures on files related to the Microsoft SharePoint vulnerabilities CVE-2025-49704, CVE-2025-53770, CVE-2025-53771, and CVE-2025-49706.
Context: The report examines six files: two Dynamic-Link Library (DLL) files, one cryptographic key stealer, and three web shells. Cyber threat actors are likely to use this malware to steal cryptographic keys, execute a Base64-encoded PowerShell command, fingerprint the host system, and exfiltrate data.
Analyst note: The indicators of compromise and detection signatures detailed in the MAR are likely to help organizations identify malware and curb potential cyberattacks exploiting the SharePoint vulnerabilities.
DEEP AND DARK WEB INTELLIGENCE
KLM Airlines suffers data breach: KLM Airlines has suffered a data breach via a compromised third-party platform, exposing personal information, including names, contact details, and loyalty program data. The threat actors have not breached core systems or exfiltrated more sensitive data. However, the exposed information could be used to conduct phishing attacks, identity theft, and other scams on victims and their families.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-54948 and CVE-2025-54987: Trend Micro has disclosed two critical zero-day command injection vulnerabilities in the Apex One Management Console for Windows, one of which is actively exploited. Successful exploitation could give attackers control over enterprise endpoint security infrastructure, enabling them to disable defenses, deploy malware, or pivot deeper into corporate networks.
Affected products: The affected products and platforms are listed in this advisory.
CVE-2025-53786: This bug enables a threat actor with administrative access to an on-premises Microsoft Exchange server to escalate privileges by exploiting vulnerable hybrid-joined configurations. It could compromise the identity integrity of an organization’s Exchange Online service if patches are not properly applied and configured.
Affected devices: Microsoft Exchange Server 2019 Cumulative Update 15 and Cumulative Update 14, Microsoft Exchange Server 2016 Cumulative Update 23, and Microsoft Exchange Server Subscription Edition RTM.
Tags: DIB, tlp:green