ZeroFox Daily Intelligence Brief - August 13, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Threat Groups ShinyHunters, Scattered Spider, and Lapsus$ Collaborating on Next Targets
- Interlock Claims St. Paul Breach
- Insecure Devices Suspected in Pennsylvania OAG Outage
Threat Groups ShinyHunters, Scattered Spider, and Lapsus$ Collaborating on Next Targets
Source: https://thehackernews.com/2025/08/cybercrime-groups-shinyhunters.html
What we know: Threat groups ShinyHunters, Scattered Spider, and Lapsus$ are reportedly collaborating in the ongoing data extortion campaign targeting Salesforce instances. Financial services and technology service providers are allegedly the next targets of the threat actors.
Context: The newly emerged Telegram channel “Scattered LAPSUS$ Hunters” marks the merging of the three threat groups. The threat actors have claimed to be developing a new ransomware-as-a-service (RaaS) operation and have also threatened to leak data stolen from high-profile targets, such as Chanel and government entities.
Analyst note: Following recent developments, including increased law enforcement scrutiny and the arrests of some of their members, the threat groups are very likely seeking attention in order to attract qualified affiliates. The data leak threats are very likely an attempt to mount pressure on targeted organizations to pay the ransom.
Interlock Claims St. Paul Breach
What we know: The Interlock ransomware group has claimed responsibility for a July cyberattack that crippled St. Paul’s systems, prompting the National Guard’s cyber unit to assist. Interlock claims to have stolen 43 GB of data, some of which has been leaked online.
Context: CISA and partners have issued a joint Cybersecurity Advisory warning organizations about Interlock ransomware using double extortion tactics after breaching networks. Interlock has been active since late September 2024, targeting businesses and critical infrastructure globally.
Analyst note: St. Paul could further limit the breach’s impact and protect critical services by implementing additional mitigation measures to prevent disruption to emergency communications, public health systems, and infrastructure controls. Additionally, Interlock could carry out a double extortion attack, compromising residents’ data, while increasing pressure on the city and individual victims to pay ransom.
Insecure Devices Suspected in Pennsylvania OAG Outage
Source: https://www.theregister.com/2025/08/12/major_outage_at_pennsylvania_attorney/
What we know: The Pennsylvania Office of Attorney General (OAG) is, at the time of writing, experiencing a major outage affecting its website, email, and phone lines. The outage is attributed to a suspected cyber incident, likely involving a previously flagged flaw in Citrix NetScaler systems.
Context: The Citrix vulnerability, CVE-2025-5777, is described as an out-of-bounds read vulnerability due to insufficient input validation. It is being compared to the “CitrixBleed” bug exploited in the past by ransomware groups and other threat actors.
Analyst note: If the Pennsylvania OAG outage is linked to CVE-2025-5777's exploitation, the potential fallout could involve threat actors accessing and exfiltrating sensitive case files, evidence, witness information, and ongoing investigation details.
DEEP AND DARK WEB INTELLIGENCE
Manpower data breach: Leading workforce solutions company Manpower is notifying 144,189 individuals that their personal information was stolen by threat actors in a December 2024 cyberattack. The RansomHub ransomware operation had claimed responsibility for the attack, disclosing that leaked data included passport scans, Social Security numbers (SSNs), contact details, financial statements, corporate correspondence, and more. Exposed individuals are likely at risk of identity theft and social engineering and phishing attacks aimed at extorting money.
VULNERABILITY AND EXPLOIT INTELLIGENCE
Microsoft August 2025 Patch Tuesday: Microsoft has patched more than 100 vulnerabilities in its August Patch Tuesday security updates, including 13 critical bugs and one publicly-disclosed zero-day. Several patches are focused on fixing Remote Code Execution (RCE) vulnerabilities that enable threat actors to execute arbitrary code in target systems. Unpatched systems are likely at risk of complete system takeover, data theft, or disruption.
Affected products: The affected products are listed in this advisory.
Tags: DIB, tlp:green