ZeroFox Daily Intelligence Brief - August 21, 2025
|by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Russian Government Cyber Actors Targeting Networking Devices, Critical Infrastructure
- Rapper Bot Admin Charged and Infrastructure Seized
- Malware Disguised as Antivirus App to Spy on Specific Russian Targets
Russian Government Cyber Actors Targeting Networking Devices, Critical Infrastructure
Source: https://www.ic3.gov/PSA/2025/PSA250820
What we know: The FBI has warned that Russian Federal Security Service (FSB) cyber actors exploited outdated Cisco Smart Install (CVE-2018-0171) and Simple Network Management Protocol (SNMP) vulnerabilities, collecting thousands of device configuration files and modifying some to enable unauthorized access to target entities in the United States and globally.
Context: The activity is attributed to FSB’s Center 16, also known as Berserk Bear and Dragonfly. In the past year, the FBI detected the actors collecting configuration files for thousands of networking devices associated with U.S. entities across critical infrastructure sectors.
Analyst note: Unpatched devices can give attackers persistent backdoor access, enabling them to explore and manipulate networks, steal data, deploy malware, and disrupt industrial control systems (ICS) operations, for example by causing blackouts or supply chain interruptions.
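The two exposures named above (Smart Install left enabled and weak SNMP access) are both visible in a device's running configuration. The following audit script is an added example, not part of the brief or the FBI advisory; the IOS configuration excerpt it scans is constructed, and the check for Smart Install assumes an older IOS release where the feature is on unless `no vstack` is configured.

```python
import re
from typing import List

# Constructed sample Cisco IOS running-config excerpt (not from the brief or the advisory).
# It leaves Smart Install (vstack) at its default-enabled state, exposes a read-write
# SNMP community with a guessable string, and applies no ACL to two of the communities.
SAMPLE_CONFIG = """\
hostname edge-sw-01
!
snmp-server community public RO
snmp-server community private RW
snmp-server community Str0ngC0mmun1ty RO 10
!
access-list 10 permit 192.0.2.10
!
line vty 0 4
 transport input ssh
"""

# Community strings that ship as defaults in many products and are guessed first.
WEAK_COMMUNITIES = {"public", "private", "cisco"}

def audit_ios_config(config: str) -> List[str]:
    """Return findings for settings that let an attacker pull or rewrite the
    device configuration through Smart Install or SNMP."""
    findings: List[str] = []
    lines = [ln.strip() for ln in config.splitlines()]

    # Smart Install is enabled unless 'no vstack' is present (older IOS releases).
    if "no vstack" not in lines:
        findings.append("Smart Install (vstack) not explicitly disabled: add 'no vstack'")

    # snmp-server community <string> [view NAME] [RO|RW] [acl]
    snmp_re = re.compile(r"^snmp-server community (\S+)(?: view \S+)?(?: (RO|RW))?(?: (\S+))?$", re.I)
    for ln in lines:
        m = snmp_re.match(ln)
        if not m:
            continue
        community, mode, acl = m.group(1), (m.group(2) or "RO").upper(), m.group(3)
        if community.lower() in WEAK_COMMUNITIES:
            findings.append(f"SNMP community '{community}' is a well-known default string")
        if mode == "RW":
            findings.append(f"SNMP community '{community}' grants read-write access (config can be changed)")
        if acl is None:
            findings.append(f"SNMP community '{community}' has no access-list restricting source addresses")
    return findings

if __name__ == "__main__":
    for finding in audit_ios_config(SAMPLE_CONFIG):
        print("-", finding)
```

Run it against `show running-config` output exported from each device; a clean config (Smart Install disabled, read-only communities with strong strings and an ACL) returns an empty list.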
Rapper Bot Admin Charged and Infrastructure Seized
What we know: The U.S. Justice Department has charged an individual for allegedly running the “Rapper Bot” DDoS-for-hire botnet that launched 370,000 attacks against 18,000 victims worldwide since 2021. Law enforcement seized the botnet on August 6, 2025 and shut down its operations.
Context: Rapper Bot is a Mirai-based botnet that has hijacked devices such as digital video recorders (DVRs) and WiFi routers to launch massive DDoS attacks worldwide.
Analyst note: Although the criminal infrastructure is likely entirely seized and no backup infrastructure exists, the Mirai codebase is still widely available. Other threat actors could replicate or rebuild a similar botnet infrastructure, leading to the emergence of large-scale DDoS-for-hire services in the future.
Malware Disguised as Antivirus App to Spy on Specific Russian Targets
Source: https://hackread.com/fake-antivirus-app-android-malware-spy-russian-users/
What we know: A fake antivirus application, called “GuardCB,” has been found spreading the Android.Backdoor.916.origin malware to target Russian business executives. The malware can record audio, video, and messages, and detect content on popular platforms.
Context: The malware has reportedly been active since January 2025, and its icon copies the Russian Central Bank emblem. The fake app spreads through direct-message links rather than through app stores.
Analyst note: The malware’s interface, available only in Russian, likely indicates localized or highly specific targeting. However, with the malware’s effectiveness, it is likely to be repurposed in attacks against foreign targets, especially those in Ukraine.
DEEP AND DARK WEB INTELLIGENCE
ZeroFox advisory on Workday security incident: Workday recently disclosed that attackers accessed PII through its third-party CRM platform in a social engineering campaign. The company confirmed no evidence of compromise to customer tenants containing HR or financial data. Exposed data likely included names, emails, and phone numbers, though it is still unclear if it involved customers or employees. While the data itself may not enable direct extortion, attackers could leverage it for targeted social engineering against Workday’s corporate clients, potentially impacting millions of end users.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-43300: Apple has issued an emergency patch for a zero-day vulnerability detected in the Image I/O framework, which enables applications to read and write image file formats. The flaw is an out-of-bounds write; successful exploitation is likely to result in data corruption, application crashes, and potentially remote code execution (RCE).
Affected products: The affected products are listed in this advisory.
Tags: DIB, tlp:green