ZeroFox Daily Intelligence Brief - August 20, 2025
|by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- BCNYS Data Breach Exposes Personal, Financial, and Health Records of 47,000 People
- New GodRAT Campaign’s Stealthy Delivery
- Geopolitical Focus: Israel Mulls Ceasefire, U.S. Cracks Down on Forced Labor Imports and More
BCNYS Data Breach Exposes Personal, Financial, and Health Records of 47,000 People
What we know: The Business Council of New York State (BCNYS) has disclosed that attackers stole personal, financial, and health data belonging to more than 47,000 individuals. According to a filing with the Maine Attorney General's office, BCNYS is notifying the affected individuals.
Context: The intrusion took place between February 24 and 25, 2025, but was not discovered until August 4, more than five months later. An investigation confirmed that the threat actors accessed and exfiltrated sensitive files.
Analyst note: Victims face an elevated risk of financial fraud, identity theft, and misuse of medical data, including insurance fraud, false medical claims, and abuse of prescription information. Because the breach went undetected for months, the stolen data has very likely already been sold or exploited on dark web marketplaces.
New GodRAT Campaign’s Stealthy Delivery
Source: https://thehackernews.com/2025/08/new-godrat-trojan-targets-trading-firms.html
What we know: A new China-linked campaign is targeting financial institutions with GodRAT, a remote access trojan that is delivered as malicious screen saver files sent over a popular messaging application and that conceals its malicious code inside image files.
Context: In this ongoing campaign the threat actors deliver the trojan, along with secondary payloads such as AsyncRAT, using steganography: hiding malicious code or data inside harmless-looking files (images, audio, or video) so that it passes file-type and signature-based inspection and reaches the target unnoticed.
Analyst note: The defense evasion technique is simple to reuse, so other threat groups are likely to adopt it for their own operations, widening the scope of GodRAT-style intrusions beyond financial institutions.
Geopolitical Focus: Israel Mulls Ceasefire, U.S. Cracks Down on Forced Labor Imports and More
- Israel has demanded the release of all 50 hostages in response to Hamas accepting a 60-day ceasefire proposal. This comes ahead of an Israeli cabinet decision on approving a military occupation of Gaza City. Tel Aviv is likely to decide on the deal by August 22, 2025.
- The United States has banned imports of steel, copper, lithium, caustic soda, and red dates produced in China with forced labor, under the Uyghur Forced Labor Prevention Act (UFLPA). These additional Chinese products will now face heightened scrutiny from U.S. Customs and Border Protection.
- A Chinese national living illegally in the United States was sentenced to prison for exporting weapons and other military items to North Korea, hidden aboard container ships departing from the Port of Long Beach, California.
- On August 19, 2025, U.S. President Donald Trump said that Washington might provide Ukraine with air support in an attempt to end the war with Russia, but is unlikely to put U.S. troops on the ground.
- Heavy rains continue to interrupt relief work in Pakistan's north-western Khyber Pakhtunkhwa province, where flash floods have killed at least 365 people in the past five days.
DEEP AND DARK WEB INTELLIGENCE
Telegram user Scattered LAPSUS$ Hunters: The threat actor collective "Scattered LAPSUS$ Hunters" claims to have extracted data from the American cybersecurity firm CrowdStrike as part of its ongoing data leak campaign. The data reportedly includes employee information, among other records. The leaked data is likely scraped from various open-source portals rather than the result of a cyberattack.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2023-46604: Threat actors are exploiting this Apache ActiveMQ flaw to gain persistent access to Linux cloud hosts and deploy a downloader called DripDropper. After gaining entry, the attackers have been observed patching the vulnerability themselves to lock out rival actors. Self-patching likely preserves their exclusive access while reducing the chance that defenders notice the exploitation, since a version-based vulnerability scan of the host now comes back clean.
Affected products: Apache ActiveMQ
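The self-patching behaviour above changes how a version check should be read: a broker reporting a fixed version is necessary but not sufficient evidence that it was never exploited. The check below, added here as an illustration and not ZeroFox or Apache code, classifies an ActiveMQ 5.x version string (as printed by the broker, or as embedded in a jar name) against the per-branch fixed releases named in the Apache advisory for CVE-2023-46604 (5.15.16, 5.16.7, 5.17.6, 5.18.3). Treating 6.x as unaffected and 5.x branches older than 5.15 as never fixed are assumptions made for this example.

```python
"""Classify an Apache ActiveMQ version string against the CVE-2023-46604 fix.

Added example. Fixed versions are from the Apache advisory; the handling of 6.x
(assumed unaffected) and of branches older than 5.15 (assumed unfixed) is an
assumption made here.
"""
import re
from typing import Tuple

# First fixed release of each 5.x branch that received a fix.
FIXED_BY_BRANCH = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from '5.18.2', 'ActiveMQ 5.17.5-SNAPSHOT'
    or 'activemq-client-5.16.6.jar'; a missing patch component counts as 0."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_vulnerable(text: str) -> bool:
    """True when the version predates the fix for its branch."""
    major, minor, patch = parse_version(text)
    if major != 5:
        return False                  # assumption: 6.x shipped after the fix
    branch = (major, minor)
    if branch in FIXED_BY_BRANCH:
        return (major, minor, patch) < FIXED_BY_BRANCH[branch]
    # Assumption: branches older than 5.15 never received a fix. No 5.x
    # branch newer than 5.18 exists, so anything else is treated as fixed.
    return minor < 15


def assess(text: str) -> str:
    """One-line verdict for a scan report. A clean version still needs a
    change-record check: the attackers in this campaign patch the flaw
    themselves, so the question is who upgraded the broker and when."""
    if is_vulnerable(text):
        return f"{text}: VULNERABLE to CVE-2023-46604, upgrade to the fixed release"
    return f"{text}: not vulnerable by version; verify the patch came from your own change process"


if __name__ == "__main__":
    for sample in ["5.18.2", "5.18.3", "activemq-client-5.16.6.jar",
                   "ActiveMQ 5.17.5-SNAPSHOT", "5.14.5", "6.0.1"]:
        print(assess(sample))
```

For the self-patching case, compare the modification time of the ActiveMQ jars (or the package manager's install log) with your own change tickets: an upgrade nobody on the team scheduled is itself an indicator of compromise.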
CVE-2025-31324 and CVE-2025-42999: A new exploit is reportedly chaining two now-patched flaws in SAP NetWeaver, CVE-2025-31324 (missing authorization check) and CVE-2025-42999 (insecure deserialization), to bypass authentication, upload arbitrary files, and execute arbitrary commands. This gives unauthenticated attackers full remote control of affected SAP systems, potentially leading to data theft, malware deployment, and disruption of critical business processes.
Affected products: SAP NetWeaver's Visual Composer development server
Tags: DIB, tlp:green