
ZeroFox Daily Intelligence Brief - August 28, 2025

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • International Advisory Warns of Chinese Cyber Operations Compromising Global Networks
  • Sanctions Expose Entities Facilitating North Korean IT Worker Infiltration
  • Storm-0501 Shifts to Cloud-Only Extortion

International Advisory Warns of Chinese Cyber Operations Compromising Global Networks

Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a

What we know: An international advisory has addressed the involvement of China-based private entities in Beijing’s cyber espionage activities, such as those attributed to threat actors like Salt Typhoon.

Context: The advisory alleges that the Chinese private sector provides products and services to China’s People’s Liberation Army (PLA) and other entities to further hacking operations. The tactics, techniques, and procedures (TTPs) observed include successful exploitation of publicly known vulnerabilities and the targeting of edge devices, including devices belonging to entities outside the core targets.

Analyst note: The TTPs used by China-nexus threat actors almost certainly indicate a focus on supply chain targeting. China’s private technology sector, including unsanctioned firms, is likely at risk of being leveraged for state-sponsored cyber espionage activities. This in turn likely presents a risk to Western technology businesses in their engagement with Chinese counterparts.

Sanctions Expose Entities Facilitating North Korean IT Worker Infiltration

Source: https://home.treasury.gov/news/press-releases/sb0230

What we know: The U.S. Treasury has sanctioned two Asian companies and two individuals for helping North Korean IT workers fraudulently obtain jobs, funneling over USD 1 million through fraudulent salaries and theft.

Context: North Korea reportedly deploys overseas IT workers using fake identities to infiltrate companies, steal data, and divert earnings to fund its weapons and missile programs.

Analyst note: These sanctions expose key enablers of North Korea’s IT worker schemes, likely prompting firms to strengthen due diligence when hiring remote developers and contractors, including screening applicants against sanctioned lists.

Storm-0501 Shifts to Cloud-Only Extortion

Source: https://www.bleepingcomputer.com/news/security/storm-0501-hackers-shift-to-ransomware-attacks-in-the-cloud/

What we know: Threat actor Storm-0501 has reportedly shifted tactics from deploying traditional ransomware to exploiting cloud environments, focusing on data theft, backup destruction, and extortion. The group leverages stolen accounts and weak multi-factor authentication (MFA) protections to gain complete control of cloud tenants.

Context: Active since 2021, Storm-0501 previously deployed Sabbath and other ransomware-as-a-service (RaaS) families, such as Hive, BlackCat, and LockBit. Instead of encrypting on-premises systems, the group now abuses cloud-native tools to carry out faster and more covert attacks.

Analyst note: Storm-0501 is likely to expand its cloud-focused extortion tactics to target more industries and higher-value environments. With the ability to bypass MFA and seize global administrator accounts, the group could refine its persistence and automate attacks at scale, resulting in mass data theft, prolonged service outages, and further damage.

DEEP AND DARK WEB INTELLIGENCE

ShadowSilk Targets Government Entities in Asia: “ShadowSilk,” a new threat cluster, has been observed conducting spear-phishing and exploit-driven attacks against over 30 government entities in Central Asia and Asia-Pacific (APAC). Its activities include stealing sensitive data and maintaining persistent access across its targets. ShadowSilk is likely to expand beyond Central Asia and APAC, deploying its capabilities against governments in Europe or the Middle East to diversify intelligence sources.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2025-7775: Over 28,200 Citrix NetScaler ADC and Gateway instances are vulnerable to this critical remote code execution flaw that is already being actively exploited. Citrix has released security updates, and CISA confirmed the bug had been abused as a zero-day. Unpatched systems could enable attackers to gain full control of enterprise networks, enabling data theft, service disruptions, and follow-on ransomware or espionage campaigns.

Affected products: The affected products are listed in this advisory.

Tags: DIB, TLP:GREEN