
ZeroFox Daily Intelligence Brief - September 1, 2025

by Alpha Team


ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • WhatsApp Fixes Zero-Click iOS and Mac Exploit Targeting Users
  • TamperedChef Malware Exploits Google Ads and Trusted Platforms to Evade Detection
  • Geopolitical Focus: 6.0-Magnitude Quake Strikes Eastern Afghanistan, over 600 Killed

WhatsApp Fixes Zero-Click iOS and Mac Exploit Targeting Users

Source: https://hackread.com/whatsapp-0-day-exploit-attack-targeted-ios-macos-users/

What we know: WhatsApp has patched a zero-day vulnerability, CVE-2025-55177, in its iOS and Mac apps that enabled zero-click spyware attacks. The flaw was exploited to secretly compromise fewer than 200 targeted users’ devices.

Context: The bug stemmed from incomplete authorization in linked-device synchronization, which, when chained with an Apple image-handling flaw (CVE-2025-43300), enabled silent malware installation. Apple had already patched its part of the chain.

Analyst note: Zero-click attacks require no user interaction, making detection and prevention difficult. On unpatched devices, attackers could silently steal sensitive data, track users, or take control of the device. Such exploits are very likely to be used in high-level surveillance campaigns targeting activists, journalists, or government officials in order to influence decisions, gain political advantage, and more.

TamperedChef Malware Exploits Google Ads and Trusted Platforms to Evade Detection

Source: https://www.bleepingcomputer.com/news/security/tamperedchef-infostealer-delivered-through-fraudulent-pdf-editor/

What we know: Threat actors have been using Google Ads to promote a fake AppSuite PDF Editor that secretly delivers the TamperedChef information-stealing malware. More than 50 deceptive domains with fraudulent certificates were involved in the operation.

Context: The campaign was part of a broader scheme distributing interconnected malicious apps, some enrolling victims’ devices into residential proxy networks. Attackers delayed malware activation until ad campaigns matured to maximize reach.

Analyst note: Cybercriminals often abuse trusted ad platforms because users see them as safe, making it easier to spread malware widely. By leveraging fraudulent certificates, attackers evade early detection and boost infection rates. The info-stealer could exfiltrate sensitive data, like logins, financial details, and corporate information, enabling identity theft, fraud, and further intrusions.

Geopolitical Focus: 6.0-Magnitude Quake Strikes Eastern Afghanistan, over 600 Killed

  • As of writing, the Taliban interior ministry has reported that over 600 people died and more than 1,300 were injured after a 6.0-magnitude earthquake hit eastern Afghanistan, near its border with Pakistan.
  • The quake hit at 23:47 local time on August 31, with a shallow depth of 8 km (5 miles) and an epicenter 27 km (17 miles) from Jalalabad; tremors reached Kabul and Islamabad.
  • The worst-hit area is Kunar province, where landslides and mountainous terrain are blocking rescue access.
  • The Taliban government has urged aid organisations to join rescue efforts. At least four helicopters carrying medical staff have reportedly arrived in Mazar valley, Kunar province.

DEEP AND DARK WEB INTELLIGENCE

Telegram user Dark Storm Team: The pro-Palestinian hacktivist group “Dark Storm Team” has announced its intention to target international airports across Europe and Asia with distributed denial-of-service (DDoS) attacks. Even if the group does attack the airports, the DDoS attacks will very likely not cause significant interruptions to operations.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2025-54309: Threat actors are exploiting this zero-day vulnerability in CrushFTP. It has been patched in CrushFTP versions v10.8.5 and v11.3.4. The bug enables remote access, which is likely to leave unpatched systems vulnerable to complete takeover, data exfiltration and encryption, and unauthorized persistent access.

Affected products: CrushFTP version 10 before 10.8.5 and version 11 before 11.3.4_23
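As an added defender-side check (not part of the brief, and not CrushFTP's own tooling): a small Python helper that parses CrushFTP version strings, including the `_build` suffix seen in 11.3.4_23, and reports whether a host falls inside the affected ranges stated above. The inventory hostnames and versions are constructed sample data.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed builds per major version, taken from the affected-products line above.
# Any version that compares lower than these is inside the affected range.
FIXED_BUILDS: Dict[int, Tuple[int, int, int, int]] = {
    10: (10, 8, 5, 0),   # CrushFTP 10 before 10.8.5
    11: (11, 3, 4, 23),  # CrushFTP 11 before 11.3.4_23
}

# Accepts "10.8.5", "v11.3.4_23" or "11.3" (missing components count as 0).
_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+){0,2})(?:_(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a CrushFTP version string into (major, minor, patch, build)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))          # pad to major.minor.patch
    build = int(m.group(2)) if m.group(2) else 0
    return parts[0], parts[1], parts[2], build


def is_affected(text: str) -> Optional[bool]:
    """True if inside the affected range, False if at or above the fix,
    None if the major version is not one the brief covers."""
    version = parse_version(text)
    fixed = FIXED_BUILDS.get(version[0])
    if fixed is None:
        return None
    return version < fixed   # tuple comparison also orders the _build suffix


def hosts_needing_patch(inventory: Dict[str, str]) -> List[str]:
    """Return the sorted hostnames whose CrushFTP version is affected."""
    return sorted(h for h, v in inventory.items() if is_affected(v))


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "ftp-a.example.test": "10.8.4",
    "ftp-b.example.test": "v10.8.5",
    "ftp-c.example.test": "11.3.4",      # below 11.3.4_23, so still affected
    "ftp-d.example.test": "11.3.4_23",
    "ftp-e.example.test": "9.5.1",       # major version not covered -> None
}
```

Note that a bare "11.3.4" is reported as affected because the affected-products line sets the fixed build at 11.3.4_23; confirm the build number, not just the dotted version, when triaging.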

Tags: DIB, tlp:green