ZeroFox Daily Intelligence Brief - August 15, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Phishing Scam Impersonates UK Home Office to Operate Immigration Scam
- Crypto24 Ransomware Group Targets Companies with Custom EDR Tool
- New Android Malware Uses NFC Relay Attacks to Steal Bank Card Details in Brazil
Phishing Scam Impersonates UK Home Office to Operate Immigration Scam
Source: https://hackread.com/home-office-phishing-scam-uk-visa-sponsorship-system/
What we know: UK organizations with visa sponsorship licenses are reportedly being targeted in a phishing campaign aimed at stealing login credentials to the UK government’s Sponsorship Management System (SMS).
Context: Threat actors are sending emails that mimic UK Home Office correspondence and direct recipients to fake portals that harvest their credentials. Stolen SMS accounts are then used to send fake job offers with visa sponsorship, sold to individuals for the sum of GBP 15,000-20,000 (approx. USD 20,330-27,000).
Analyst note: Compromised accounts very likely expose organizations to reputational damage, as their names become associated with immigration scams. Multi-factor authentication (MFA) for account access, regularly changing credentials, and staff training are likely to mitigate the threat.
Crypto24 Ransomware Group Targets Companies with Custom EDR Tool
Source: https://www.theregister.com/2025/08/14/edr_killers_ransomware/
What we know: The Crypto24 ransomware group is reportedly targeting large organizations in finance, manufacturing, entertainment, and technology across the United States, Europe, and Asia. The group uses a custom tool that disables endpoint detection and response (EDR) agents in order to bypass major security products and escalate privileges.
Context: The group, using a custom RealBlindingEDR tool, disables security agents in victim systems and exfiltrates data before encrypting files and deleting shadow copies to block recovery.
Analyst note: This tactic likely allows the group to move laterally, exfiltrate data, and deploy ransomware without being detected or stopped.
New Android Malware Uses NFC Relay Attacks to Steal Bank Card Details in Brazil
Source: https://thehackernews.com/2025/08/new-android-malware-wave-hits-banking.html
What we know: A new Android trojan called PhantomCard is targeting Brazilian banking customers. It abuses near-field communication (NFC) to perform relay attacks, stealing credit/debit card data and PINs via fake “card protection” apps.
Context: The malware is spread through counterfeit Google Play web pages with fake positive reviews. Victims are suspected to be lured through smishing campaigns and tricked into scanning their cards for “verification.”
Analyst note: PhantomCard enables attackers to clone cards and carry out fraudulent transactions in real time. By exploiting the phone’s NFC reader, it creates the illusion of a legitimate authentication process, enabling large-scale financial theft, cash withdrawals, and high-value purchases.
DEEP AND DARK WEB INTELLIGENCE
Phishing campaigns abuse foreign characters in URLs: Threat actors are using the Japanese character “ん” in phishing URLs to mimic legitimate Booking[.]com links and trick users into visiting malware sites. Threat actors likely use unfamiliar scripts to evade detection, obfuscate their payloads, and hinder researchers from tracing the attacks back to them.
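As an added defender-side example (not part of the ZeroFox brief), the following Python flags URLs whose hostnames contain non-ASCII or mixed-script characters, such as the "ん" lookalike technique described above, and shows the punycode form a resolver actually sees. The sample URLs and the watched-brand list are constructed assumptions, not indicators from the brief.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed sample URLs for demonstration only; none are indicators from the brief.
# U+3093 is HIRAGANA LETTER N ("ん"); U+043E is CYRILLIC SMALL LETTER O, a Latin "o" lookalike.
SAMPLE_URLS = [
    "https://www.booking.com/hotel/reservation",
    "https://admin.booking.com\u3093detail\u3093confirm.example-host.test/login",
    "https://b\u043e\u043eking.com/signin",
]
WATCHED_BRANDS = {"booking.com"}  # assumption: domains the defender wants to protect


def hostname_scripts(host):
    """Group alphabetic characters by script; unicodedata.name() begins with it (LATIN, CYRILLIC, ...)."""
    scripts = {}
    for ch in host:
        if ch.isalpha():
            scripts.setdefault(unicodedata.name(ch, "UNKNOWN").split()[0], []).append(ch)
    return scripts


def brand_misplaced(host, brands=WATCHED_BRANDS):
    """Heuristic: brand name appears in the host, but the host is not the brand domain or a subdomain of it."""
    for brand in brands:
        label = brand.split(".")[0]
        if label in host and not (host == brand or host.endswith("." + brand)):
            return True
    return False


def analyze_url(url):
    """Return a verdict for one URL: non-ASCII characters, scripts seen, punycode form and reasons."""
    host = urlsplit(url).hostname or ""
    non_ascii = [(c, unicodedata.name(c, "UNKNOWN")) for c in host if ord(c) > 127]
    scripts = hostname_scripts(host)
    try:
        punycode = host.encode("idna").decode("ascii")  # the form a resolver actually sees
    except UnicodeError:
        punycode = None  # label too long, empty, or contains a disallowed character
    reasons = []
    if non_ascii:
        reasons.append("non-ascii-hostname")
    if len(scripts) > 1:
        reasons.append("mixed-script")
    if brand_misplaced(host):
        reasons.append("brand-outside-registrable-domain")
    return {"host": host, "punycode": punycode, "non_ascii": non_ascii,
            "scripts": sorted(scripts), "reasons": reasons, "flag": bool(reasons)}
```

Running analyze_url over URLs extracted from mail or proxy logs gives a reason list per URL; the punycode field is what to search for in DNS and proxy telemetry, since the Unicode form never appears there.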
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-20265: A flaw in the RADIUS subsystem implementation of Cisco Secure Firewall Management Center enables unauthenticated remote attackers to inject arbitrary shell commands. The flaw stems from improper handling of user input during authentication. By sending crafted credentials, attackers can execute commands with high-level privileges. This could give attackers full control over the device, enabling network compromise and further attacks.
Affected products: Cisco Secure FMC Software releases 7.0.7 and 7.7.0
Tags: DIB, tlp:green