Advisories

ZeroFox Daily Intelligence Brief - September 10, 2025

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • “LockerGoga,” “MegaCortex,” and “Nefilim” Ransomware Administrator Charged with Ransomware Attacks
  • Misconfigured Docker APIs Enable Larger Attacks
  • Geopolitical Focus: Israel Strikes Qatar, Poland Closes Airports, and More

“LockerGoga,” “MegaCortex,” and “Nefilim” Ransomware Administrator Charged with Ransomware Attacks

Source: https://www.justice.gov/opa/pr/lockergoga-megacortex-and-nefilim-ransomware-administrator-charged-ransomware-attacks

What we know: A U.S. federal indictment charges an individual who used the aliases deadforz, Boba, msfv, and farnetwork with serving as the administrator of the LockerGoga, MegaCortex, and Nefilim ransomware schemes. Between 2018 and 2021 these schemes collectively extorted over 250 U.S. companies and hundreds more worldwide.

Context: The ransomware campaigns targeted blue-chip firms, healthcare institutions, and major industrial players, causing millions in damages. Victims faced complete operational shutdowns, ransom payments, and threats of data leaks if they refused to comply.

Analyst note: By building a distinct executable and decryption key for each victim, the operators ensured that no single key or decryptor could help more than one target, which maximized pressure to pay. The success of this per-victim customization has likely influenced other ransomware operators and driven more aggressive extortion tactics.

Misconfigured Docker APIs Enable Larger Attacks

Source: https://www.bleepingcomputer.com/news/security/hackers-hide-behind-tor-in-exposed-docker-api-breaches/

What we know: Threat actors are exploiting exposed Docker APIs and have reportedly upgraded their tools to enable persistence, lateral movement, and self-replication, laying the groundwork for a potential botnet.

Context: The actors have exploited Docker daemons whose remote API is exposed over plain TCP (conventionally port 2375) to deploy malicious containers that establish Tor-based persistence, block further access to the exposed API (locking out competing attackers), add attacker-controlled secure shell (SSH) keys, install scanning tools, and self-replicate to other exposed hosts. A Docker API reachable over TCP without TLS client authentication gives anyone who can connect root-equivalent control of the host, so an exposed daemon should be treated as a host compromise rather than a container-level incident.

Analyst note: If this activity is indeed the staging of a botnet, compromised organizations are likely to have enterprise resources stolen, monitored, and repurposed as infrastructure for future attacks. Defenders should verify that the Docker daemon is not listening on a TCP port without tlsverify, and should check compromised hosts for unexpected containers, Tor processes, firewall rules on port 2375, and additions to root's authorized_keys.
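The weak and hardened daemon configurations side by side, as an added audit script that is not part of the original brief or of any tooling the reporting describes. It parses either a daemon.json or a dockerd command line, lists every listener, and flags any TCP listener that is not protected by tlsverify. The sample configurations and the file paths in them are constructed for illustration.

```python
import json
import shlex
from urllib.parse import urlsplit

# Constructed sample inputs (not taken from the reporting): a weak daemon.json,
# a hardened one, and the equivalent weak dockerd command line.
WEAK_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""

HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

# --tls alone encrypts the connection but does not authenticate clients.
WEAK_CMDLINE = "dockerd --tls -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375"

# dockerd listens only on the local unix socket when no host is configured.
DEFAULT_HOSTS = ["unix:///var/run/docker.sock"]


def parse_daemon_json(text):
    """Return (listeners, tls_verify) from the content of daemon.json."""
    cfg = json.loads(text)
    hosts = cfg.get("hosts") or DEFAULT_HOSTS
    # Only "tlsverify" makes the daemon check client certificates;
    # "tls": true on its own still lets any client drive the API.
    return list(hosts), bool(cfg.get("tlsverify", False))


def parse_cmdline(cmd):
    """Return (listeners, tls_verify) from a dockerd command line."""
    args = shlex.split(cmd)
    hosts, tls_verify = [], False
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 1
        elif arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg.startswith("-H") and len(arg) > 2:  # -Htcp://... form
            hosts.append(arg[2:])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tls_verify = True
        i += 1
    return hosts or list(DEFAULT_HOSTS), tls_verify


def audit(hosts, tls_verify):
    """Return one (listener, severity, reason) tuple per configured listener."""
    findings = []
    for h in hosts:
        u = urlsplit(h)
        if u.scheme in ("unix", "fd", "npipe"):
            findings.append((h, "OK", "local socket; access is governed by file permissions"))
        elif u.scheme == "tcp":
            if tls_verify:
                findings.append((h, "OK", "TLS with client-certificate verification"))
            else:
                where = "all interfaces" if u.hostname in ("0.0.0.0", "::") else (u.hostname or "unspecified host")
                findings.append((h, "CRITICAL",
                                 f"unauthenticated Docker API on {where}; "
                                 "any client that reaches the port gets root-equivalent control"))
        else:
            findings.append((h, "WARN", f"unrecognised listener scheme {u.scheme!r}"))
    return findings


def critical_listeners(findings):
    """Listeners that expose the API without client authentication."""
    return [h for h, sev, _ in findings if sev == "CRITICAL"]


if __name__ == "__main__":
    for label, parsed in (("weak daemon.json", parse_daemon_json(WEAK_DAEMON_JSON)),
                          ("hardened daemon.json", parse_daemon_json(HARDENED_DAEMON_JSON)),
                          ("weak command line", parse_cmdline(WEAK_CMDLINE))):
        print(f"== {label}")
        for listener, sev, reason in audit(*parsed):
            print(f"  {sev:8} {listener}: {reason}")
```

Two caveats when applying this on a real host: on distributions whose systemd unit starts dockerd with `-H fd://`, adding a `hosts` key to daemon.json conflicts with the unit and the daemon refuses to start, so the listener change belongs in a systemd drop-in instead; and a TLS-protected listener on 2376 is only as safe as the client CA, so the `tlscacert` should be a dedicated CA, not a general-purpose one.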

Geopolitical Focus: Israel Strikes Qatar, Poland Closes Airports, and More

  • Israel struck Qatar’s capital Doha, reportedly killing five members of Hamas and a Qatari security official, but Hamas’s negotiating delegation was unharmed. ZeroFox assesses that the targeting of Hamas representatives during ceasefire discussions very likely reduces the possibility of a Gaza ceasefire or hostage release in the near-to-medium term. A military response from Qatar is very unlikely. However, a diplomatic blowback that further weakens ties between Israel and Middle Eastern states is likely.
  • The Polish military said it shot down drones that entered its airspace during Russian strikes on western Ukraine. Early on Wednesday (September 10), warplanes were scrambled after Russian drones and “drone-type objects” entered Polish airspace, and several airports, including Warsaw International Airport, were temporarily closed.
  • An individual has pleaded guilty to plotting to destroy an energy facility in Nashville using a “weapon of mass destruction (WMD)” carried by a drone. The accused, motivated by hate, had reportedly outlined a plan in a “manifesto” to attack “high tax cities or industrial areas.”
  • A charter plane from South Korea has left for the United States to repatriate over 300 Korean workers detained in an immigration raid at a Hyundai auto plant in Georgia.

DEEP AND DARK WEB INTELLIGENCE

Illegal marketplace admin pleads guilty: A threat actor has pleaded guilty to running BlackDB[.]cc, a cybercrime marketplace that has sold stolen accounts, credit cards, and personally identifiable information since 2018. With the administrator apprehended, buyers and sellers are likely to migrate to other platforms under new handles and usernames to avoid follow-up investigations.

VULNERABILITY AND EXPLOIT INTELLIGENCE

Microsoft September Patch Tuesday: Microsoft’s September 2025 Patch Tuesday addresses 86 vulnerabilities across Windows and other products, none of which is known to have been exploited in the wild so far. Eight flaws are rated “exploitation more likely,” including privilege escalation bugs in the Windows Kernel, TCP/IP, Hyper-V, NTLM, and SMB, and a remote code execution bug in Windows NTFS. The most important fix is for CVE-2025-55232, a remote code execution flaw in the High Performance Compute (HPC) Pack.

Affected products: The affected products are listed in this advisory.

Tags: DIB, TLP:GREEN