ZeroFox Daily Intelligence Brief - August 29, 2025

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • U.S. Government Seizes Online Marketplaces Selling Fraudulent Identity Documents Used in Cybercrime Schemes
  • Swedish IT Supplier Under Ransomware Attack
  • Ransomware Attack on MathWorks Exposes Data of Over 10,000 Individuals

U.S. Government Seizes Online Marketplaces Selling Fraudulent Identity Documents Used in Cybercrime Schemes

Source: https://www.justice.gov/usao-nm/pr/us-government-seizes-online-marketplaces-selling-fraudulent-identity-documents-used

What we know: The U.S. Attorney’s Office for New Mexico has seized two domains and a blog operated by VerifTools, which sold counterfeit IDs to cybercriminals worldwide. The FBI tied the operation to USD 6.4 million in illicit proceeds.

Context: VerifTools offered fake driver’s licenses, passports, and other IDs for as little as USD 9, paid in cryptocurrency. The scheme was uncovered after the FBI traced attempts to access stolen cryptocurrency accounts in 2022.

Analyst note: Fraudulent IDs allow criminals to evade Know Your Customer (KYC) checks, enabling financial fraud and cross-border money laundering. This takedown has disrupted a major source of counterfeit documents, but it will likely drive cybercriminals toward other underground markets.

Swedish IT Supplier Under Ransomware Attack

Source: https://www.theregister.com/2025/08/28/sweden_council_ransomware/

What we know: Several municipal governments in Sweden went offline after a ransomware attack targeted an IT services provider. The attackers reportedly demanded just 1.5 Bitcoin (approximately USD 168,000) as ransom.

Context: The targeted company operates human resources, sick-leave, and incident-reporting systems for about 80 percent of Sweden’s municipalities. Authorities continue to investigate potential leaks of sensitive employee and medical data.

Analyst note: The relatively low ransom suggests the attackers are counting on a higher likelihood that the demand will be paid. If sensitive municipal data is leaked, it could enable follow-up cyberattacks against individuals, local businesses, and healthcare providers.

Ransomware Attack on MathWorks Exposes Data of Over 10,000 Individuals

Source: https://www.bleepingcomputer.com/news/security/matlab-dev-says-ransomware-gang-stole-data-of-over-10-000-people/

What we know: Mathematical computing software company MathWorks has revealed that data belonging to over 10,000 individuals was stolen in the April 2025 ransomware attack.

Context: The intrusion was disclosed on May 27, after the ransomware incident caused service outages. The stolen data reportedly includes personally identifiable information (PII) such as Social Security numbers (SSNs) and non-U.S. national identification numbers.

Analyst note: The exposed individuals are likely to be targeted in social engineering, phishing, and identity theft attacks that could result in financial losses.

DEEP AND DARK WEB INTELLIGENCE

S1ngularity attack: A supply chain cyberattack, dubbed “s1ngularity,” has reportedly compromised the popular build platform Nx, leading to the theft of credentials such as GitHub tokens, npm keys, SSH private keys, and API keys. Over 85 percent of infected systems were reportedly running macOS. The cyberattack likely puts at risk the security of software projects maintained by affected developers, with effects further down the supply chain. High-value projects are likely at risk of being held for ransom.

VULNERABILITY AND EXPLOIT INTELLIGENCE

Authentication bypass vulnerability: Click Studios has warned users of an authentication bypass flaw in its Passwordstate enterprise password manager that could enable attackers to access the administration section via a crafted URL. If exploited, attackers could steal credentials, enabling supply chain intrusions, credential stuffing, and privilege escalation.

Affected products: Click Studios Passwordstate

Tags: DIB, TLP:GREEN