Advisories

ZeroFox Daily Intelligence Brief - August 25, 2025

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • 1,200 Arrested in Africa Cybercrime Sweep
  • Ransomware Attack Disrupts Electronics Manufacturer
  • Cloud-Based Supply Chain Vendors Are Latest Targets of China-Linked Silk Typhoon

1,200 Arrested in Africa Cybercrime Sweep

Source: https://www.interpol.int/News-and-Events/News/2025/African-authorities-dismantle-massive-cybercrime-and-fraud-networks-recover-millions

What we know: A joint law enforcement campaign between African countries and the United Kingdom, Operation Serengeti 2.0, led to arrests of more than 1,200 cybercriminals targeting nearly 88,000 victims. It dismantled over 11,000 malicious infrastructures and recovered USD 97.4 million from ransomware, scams, and business email compromise (BEC) schemes.

Context: In Angola, authorities shut down an illegal cryptocurrency mining operation; in Zambia, they dismantled a USD 300 million online investment scam and an associated trafficking network; and in Côte d’Ivoire, they took down a USD 1.6 million inheritance fraud scheme.

Analyst note: With many actors likely still unapprehended, the remaining criminals will very likely rebuild their infrastructure using bulletproof hosting and similar abuse-tolerant services to evade future law enforcement action.

Ransomware Attack Disrupts Electronics Manufacturer

Source: https://www.theregister.com/2025/08/22/data_io_ransomware_attack_temporarily/

What we know: Data I/O suffered a ransomware attack on August 16 that locked portions of its IT systems. The incident disrupted communications, shipping, production, and other core operations.

Context: The manufacturer disclosed the ransomware attack in a regulatory filing, noting that it disrupted multiple business functions. While some systems are back online, others remain offline with no clear timeline for full restoration.

Analyst note: Data I/O’s systems program critical components such as automotive control units, braking systems, and IoT devices, so operational downtime is highly disruptive. Extended disruption could slow delivery of essential electronics to its major technology and automotive customers, with potential knock-on effects across their supply chains.

Cloud-Based Supply Chain Vendors Are Latest Targets of China-Linked Silk Typhoon

Source: https://www.bleepingcomputer.com/news/security/murky-panda-hackers-exploit-cloud-trust-to-hack-downstream-customers/

What we know: China-linked advanced persistent threat (APT) group Silk Typhoon (also known as Murky Panda) has been observed expanding its targeting to include cloud-based supply chain vendors in recent attacks.

Context: The APT is commonly known for exploiting internet-facing appliances to obtain initial access. It has previously targeted high-profile entities in North American government, professional services, academic, and legal sectors. Additionally, Genesis Panda, another China-linked group, has also been observed targeting cloud environments.

Analyst note: The expanded attack surface very likely means that one weak link in a vendor’s cloud tenant can compromise multiple downstream customer environments, emphasizing the need for stronger supply chain security, including tight scoping and monitoring of the delegated access that vendors hold into customer tenants. It also reflects how threat actors are evolving to become more technically advanced.

DEEP AND DARK WEB INTELLIGENCE

APT36 targets government entities: Pakistan-linked APT36 is conducting ongoing phishing attacks against Indian government and defense entities by disguising malware as PDF files. The campaign likely enables the threat actors to carry out data theft and long-term espionage access.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2025-26496: A type confusion vulnerability in Salesforce Tableau Server and Tableau Desktop on Windows and Linux enables Local Code Inclusion (LCI). An attacker could exploit the flaw to make Tableau misinterpret uploaded files, potentially executing unintended code. Because Tableau is widely deployed for business intelligence and data analytics, exploitation could lead to privilege escalation, system compromise, and exposure of sensitive enterprise data. Organizations should upgrade to a fixed release and, until then, restrict who can upload content to Tableau.

Affected products: Tableau Server and Tableau Desktop versions before 2025.1.4, before 2024.2.13, and before 2023.3.20

Tags: DIB, TLP:GREEN