ZeroFox Daily Intelligence Brief - August 12, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Justice Department Announces Coordinated Disruption Actions Against BlackSuit (Royal) Ransomware Operations
- Kimsuky Exposed—9 GB Data Released to the Public
- Law Enforcement Agencies Using TETRA Radio Risk Eavesdropping
Justice Department Announces Coordinated Disruption Actions Against BlackSuit (Royal) Ransomware Operations
What we know: U.S. and international law enforcement have dismantled key infrastructure of the BlackSuit (Royal) ransomware group, seizing four servers, nine domains, and over USD 1 million in cryptocurrency.
Context: BlackSuit and Royal are linked ransomware variants believed to be developed by the same Russian cybercriminal gang. Since 2022, the groups have compromised over 450 victims and extorted more than USD 370 million.
Analyst note: This operation disrupts a prolific ransomware group behind high-impact attacks on healthcare, government, education, and energy sectors, helping to limit future attacks and recover stolen assets. While the takedown has hindered the group’s ability to launch new attacks, it is very likely that the group will attempt to rebuild its infrastructure or rebrand with a new identity.
Kimsuky Exposed—9 GB Data Released to the Public
Source: https://hackread.com/north-korean-group-scarcruft-spying-ransomware-attacks/
What we know: Researchers have released 9 GB of files allegedly stolen from a cyber espionage operator, known as “KIM,” believed to be associated with the Kimsuky threat group. The leak occurred after researchers gained access to KIM’s alleged virtual workstation and a virtual private server.
Context: Kimsuky is a North Korean state-sponsored advanced persistent threat (APT) group. The files contained evidence of attempted compromises against South Korean government targets, as well as internal documentation, source code, credentials, and command scripts.
Analyst note: This leak is likely to be essential for cybersecurity researchers in studying APT activities, including their tactics, techniques, procedures, and motivations. It could also help researchers and individuals at risk from North Korean threats to be vigilant of potential dangers and reduce the likelihood of attacks in the near future.
Law Enforcement Agencies Using TETRA Radio Risk Eavesdropping
Source: https://thehackernews.com/2025/08/new-tetra-radio-encryption-flaws-expose.html
What we know: Newly detected security issues in the Terrestrial Trunked Radio (TETRA) communications protocol, widely used by law enforcement and the military in various countries, can be exploited to intercept radio communications.
Context: The new security issues make systems susceptible to packet injection, replay, and brute-force attacks, as well as decryption of encrypted traffic, and also include issues stemming from an insufficient patch for an earlier TETRA bug. Exploitability depends on the use cases and configuration of a given TETRA network. So far, no exploitation has been detected in the wild.
Analyst note: If successfully exploited, the vulnerabilities are likely to expose sensitive communications of security forces and enable threat actors to monitor their movements and to disrupt or jam communications temporarily.
DEEP AND DARK WEB INTELLIGENCE
Connex data breach: Connex, one of Connecticut’s largest credit unions, has notified tens of thousands of members that hackers breached its systems in early June, stealing personal and financial data such as names, account numbers, debit card details, Social Security numbers (SSNs), and government IDs. The compromised information could be exploited for identity theft, financial fraud, and phishing attacks.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-6543: This is a patched memory overflow vulnerability in Citrix NetScaler products that was exploited to breach critical entities in the Netherlands. A recent warning from the Netherlands' National Cyber Security Centre (NCSC) indicated that threat actors used the bug to achieve remote code execution, in addition to launching denial of service (DoS) attacks. Updating systems alone is likely insufficient to mitigate the threat of disruption, data theft, and data encryption; users are also advised to implement defense-in-depth measures.
Affected products: The affected products are listed in this advisory.
Tags: DIB, tlp:green