ZeroFox Daily Intelligence Brief - August 11, 2025

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • ZeroFox Intelligence Flash Report - DragonForce Announces New Service Updates
  • Scammers Target Older Adults in Impersonation Campaigns
  • New AI Exploit Targets ChatGPT Connectors to Access Sensitive Cloud Data

ZeroFox Intelligence Flash Report - DragonForce Announces New Service Updates

Source: https://www.zerofox.com/advisories/35106/

What we know: ZeroFox has observed DragonForce, a ransomware and digital extortion (R&DE) collective, announcing new features for its existing services, including updating its crypto locker from a beta version to a stable version, on Russian-speaking dark web forum Russian Anonymous Marketplace (RAMP).

Context: The announcement coincides with a significant uptick in DragonForce’s activity, beginning in early April 2025, as observed by ZeroFox operatives. The collective is also allegedly involved in the cyberattacks on UK retail stores, including M&S, according to at least one report, but the perpetrator has not been confirmed.

Analyst note: The latest announcement by DragonForce likely indicates that the collective seeks to remain a prominent threat actor in the R&DE space and attract new affiliates. The technical updates, which represent a tactical evolution, likely indicate efforts to attain greater market share in the ransomware space. DragonForce is likely to continue disproportionately targeting North America in Q3 2025 and to continue increasing its tempo.

Scammers Target Older Adults in Impersonation Campaigns

Source: https://www.bleepingcomputer.com/news/security/ftc-older-adults-lost-record-700-million-to-scammers-in-2024/

What we know: The U.S. Federal Trade Commission (FTC) is warning people, especially those older than 60, of financial scams targeting them and their life savings.

Context: Scammers have been impersonating trusted companies, agencies, and tech support, using fake emergencies to steal victims’ savings and pressure them into transferring money. Tactics include directing victims to Bitcoin ATMs, instructing large bank withdrawals, or having them hand over cash or gold to couriers.

Analyst note: More victims are likely to lose thousands of dollars in these irreversible transactions, with little chance of recovery once the payments are made. Using varied methods to receive victims’ funds is likely a deliberate strategy to reduce traceability and minimize the risk of operational disruption if any one payment method is blocked.

New AI Exploit Targets ChatGPT Connectors to Access Sensitive Cloud Data

Source: https://hackread.com/agentflayer-0-click-exploit-chatgpt-connectors-steal-data/

What we know: A new flaw dubbed AgentFlayer enables attackers to steal sensitive data from users’ connected accounts, like Google Drive, without any clicks. It exploits ChatGPT’s Connectors feature using hidden instructions in uploaded documents.

Context: Connectors allow ChatGPT to link with external apps to summarise or work with user files. Attackers can abuse this by embedding malicious prompts into otherwise normal-looking files.

Analyst note: This attack enables covert, automated theft of personal or corporate data without user awareness. Sensitive items like API keys, financial records, or private documents could be extracted, likely leading to account takeovers, large-scale fraud, or further targeted cyberattacks.

DEEP AND DARK WEB INTELLIGENCE

DarkForums user Governer: Threat actor "Governer" has advertised the sale of access to CARFAX for police instances on DarkForums. Buyers could obtain sensitive data, such as vehicle history records, service logs, partial license plate searches, vehicle identification number (VIN) alerts, and crash reports. This could enable identity theft, fraudulent vehicle transactions, and misuse of law enforcement-only data for criminal activities.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2025-8088: Threat actors are exploiting this WinRAR directory traversal flaw (fixed in version 7.13) to drop malicious executables into autorun paths. The vulnerability is being used in phishing campaigns to install RomCom malware. If fixes are not deployed, attackers could gain access to compromised systems, execute arbitrary commands, and exfiltrate sensitive data.

Affected products: WinRAR versions 0 through 7.12

Tags: DIB, tlp:green