
ZeroFox Daily Intelligence Brief - September 22, 2025

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • FBI: Threat Actors are Spoofing Its IC3 Website
  • 6,500 Fake IDs Sold in USD 785K Chinese Counterfeit Operation
  • Over 17,500 Domains Used in Phishing Attacks Targeting 316 Global Brands

FBI: Threat Actors are Spoofing Its IC3 Website

Source: https://www.ic3.gov/PSA/2025/PSA250919

What we know: The FBI is warning the public about fake Internet Crime Complaint Center (IC3) government websites. Threat actors are reportedly spoofing legitimate government websites to carry out illegal acts, such as stealing personal information and attempting financial scams.

Context: Spoofed websites look like the legitimate site but differ in small details, such as alternate spellings of words in the domain name or URL. Members of the public can land on these fake websites unknowingly while searching for the FBI's IC3 website to file a complaint.

Analyst note: Data collected through the fake websites is very likely to be reused in phishing and social engineering attacks by financially motivated threat actors. Visitors to the fake websites are also likely to unknowingly download malware onto their systems, risking system compromise and credential theft.
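The lookalike-domain patterns described above (a different TLD, a swapped or misspelled character, the brand name embedded in a longer domain) can be screened for automatically. The following Python script is an added example, not code from the ZeroFox brief or the FBI PSA: it takes a list of candidate domains, such as a newly registered domain feed or proxy log entries, and flags those that resemble a protected domain. The candidate domains and the homoglyph table are constructed for illustration; none of the flagged names are known spoofing domains.

```python
"""Lookalike-domain screen for a protected domain such as ic3.gov.

Added example, not part of the ZeroFox brief or the FBI PSA. The candidate
domains in the sample are constructed for illustration and are not known
spoofing domains; the homoglyph table is a starting point, not exhaustive.
"""
import re

# Digits and symbols attackers substitute for visually similar letters.
HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s", "|": "l",
})


def normalize(label: str) -> str:
    """Lowercase, map lookalike characters to letters, drop separators."""
    return re.sub(r"[-_.]", "", label.lower().translate(HOMOGLYPHS))


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one insertion, deletion or substitution scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate: str, brand: str = "ic3.gov"):
    """Return None if unrelated to the brand, otherwise a short reason."""
    cand = candidate.lower().strip(".").split(".")
    real = brand.lower().split(".")
    if cand == real or cand[-len(real):] == real:
        return "brand"          # the real domain or one of its own subdomains
    sld = cand[-2] if len(cand) >= 2 else cand[0]
    if normalize(sld) == normalize(real[-2]):
        return "name-match"     # e.g. ic3.com, ic-3.gov, ice.gov
    if levenshtein(normalize(sld), normalize(real[-2])) <= 1:
        return "typosquat"      # e.g. icc3.gov, ic33.gov
    # Raw brand label embedded anywhere before the TLD: ic3-gov.com,
    # ic3.gov.example.net, complaints-ic3.com. Compared without the homoglyph
    # mapping so that ordinary words ("service") do not collide with "ice".
    raw_brand = re.sub(r"[-_]", "", real[-2])
    name_part = re.sub(r"[-_]", "", "".join(cand[:-1]))
    if raw_brand in name_part:
        return "brand-embedded"
    return None


def screen(candidates, brand: str = "ic3.gov"):
    """Screen a list of domains; returns {domain: reason} for flagged ones."""
    flagged = {}
    for domain in candidates:
        reason = classify(domain, brand)
        if reason not in (None, "brand"):
            flagged[domain] = reason
    return flagged


if __name__ == "__main__":
    # Constructed candidates, as they might arrive from a new-domain feed.
    sample = ["www.ic3.gov", "ic3.com", "icc3.gov", "ic3-gov.com",
              "ic3.gov.example.net", "service.com"]
    for domain, reason in screen(sample).items():
        print(f"{domain:25s} {reason}")
```

The edit-distance threshold of 1 is deliberately tight to keep the false-positive rate low on a large feed; widen it, or extend the homoglyph table, for brands with longer names where two-character typos are plausible.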

6,500 Fake IDs Sold in USD 785K Chinese Counterfeit Operation

Source: https://hackread.com/chinese-network-ofake-us-canadian-ids/

What we know: Researchers have exposed an ongoing China-based operation, called ForgeCraft, that sells high-quality counterfeit U.S. and Canadian driver’s licenses and Social Security cards. The group has reportedly already sold over 6,500 IDs to more than 4,500 buyers, generating about USD 785,000.

Context: The fake documents, which include scannable barcodes, holograms, and UV marks, were covertly shipped via unsuspecting couriers and promoted on social platforms with tutorial videos showing buyers how to retrieve them.

Analyst note: These IDs will likely enable a range of abuse, from unlicensed or underage individuals driving to several types of fraud, such as SIM swaps, account takeovers, bypassing age and border checks, and voter fraud.

Over 17,500 Domains Used in Phishing Attacks Targeting 316 Global Brands

Source: https://thehackernews.com/2025/09/17500-phishing-domains-target-316.html

What we know: The phishing-as-a-service (PhaaS) platforms Lighthouse and Lucid have been linked to over 17,500 phishing domains targeting 316 global brands across 74 countries. The platforms provide ready-made phishing templates impersonating hundreds of companies, sold on a subscription basis to criminals.

Context: Both services are reportedly tied to the Chinese-speaking XinXin group, which has also used other phishing kits such as Darcula. The platforms' offerings include template customization, real-time victim monitoring, and filters that block unintended visitors such as researchers and scanners.

Analyst note: These platforms lower the barrier to entry for cybercriminals, enabling large-scale campaigns without technical expertise. By mimicking trusted institutions, they increase the risk of widespread credential theft and fraud. Geofencing and User-Agent filtering hide the lure pages from anyone outside the intended victim profile, which makes detection harder, keeps campaigns live longer, and allows more precisely targeted attacks worldwide.
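Because the kits decide what to serve from the visitor's apparent country and User-Agent, a single fetch of a suspected URL from a scanner usually returns a decoy. The following Python script is an added example, not code from the brief or from any real PhaaS kit: `fake_kit` is a constructed stand-in for the described filtering (lure only for mobile browsers from an assumed target-country list, decoy for everyone else), and `probe` is the analyst side, which fetches the page under a matrix of User-Agents and countries and treats any divergence from the scanner's view as a cloaking signal. Against a live URL, the fetcher would be an HTTP client sending each probe through an exit in the named country; the `country` argument stands in for that here.

```python
"""Differential probing for cloaked phishing pages.

Added example, not part of the ZeroFox brief or of any real PhaaS kit.
fake_kit is a constructed stand-in for geofencing plus User-Agent filtering;
probe/lure_probes/is_cloaked are the analyst-side checks.
"""
import hashlib
from typing import Callable, Dict, List, Tuple

Fetcher = Callable[[Dict[str, str], str], Tuple[int, str]]

# Assumed kit configuration (constructed; real kits expose this as settings).
TARGET_COUNTRIES = {"US", "GB", "DE"}
MOBILE_MARKERS = ("iphone", "android")
SCANNER_MARKERS = ("bot", "crawler", "curl", "python-requests", "headless")

LURE = "<html><form action='/login'>Sign in to continue</form></html>"
DECOY = "<html><body>404 Not Found</body></html>"


def fake_kit(headers: Dict[str, str], country: str) -> Tuple[int, str]:
    """Constructed cloaking filter: lure for targeted mobile users, decoy otherwise."""
    ua = headers.get("User-Agent", "").lower()
    if country not in TARGET_COUNTRIES:
        return 404, DECOY
    if any(m in ua for m in SCANNER_MARKERS):
        return 404, DECOY
    if not any(m in ua for m in MOBILE_MARKERS):
        return 404, DECOY
    return 200, LURE


# Probe matrix: vary both dimensions the kit filters on (client type, country).
PROBES = [
    ("scanner-us", "python-requests/2.31.0", "US"),
    ("desktop-us", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/124.0 Safari/537.36", "US"),
    ("iphone-us", "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) "
                  "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 "
                  "Mobile/15E148 Safari/604.1", "US"),
    ("android-de", "Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/124.0 Mobile Safari/537.36", "DE"),
    ("iphone-br", "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) "
                  "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 "
                  "Mobile/15E148 Safari/604.1", "BR"),
]


def probe(fetch: Fetcher) -> Dict[str, Tuple[int, str]]:
    """Fetch the page once per probe; record status and a body fingerprint."""
    results = {}
    for label, ua, country in PROBES:
        status, body = fetch({"User-Agent": ua}, country)
        results[label] = (status, hashlib.sha256(body.encode()).hexdigest()[:12])
    return results


def lure_probes(results: Dict[str, Tuple[int, str]]) -> List[str]:
    """Probes that received something other than what the scanner-style probe saw."""
    baseline = results["scanner-us"]
    return sorted(label for label, r in results.items() if r != baseline)


def is_cloaked(results: Dict[str, Tuple[int, str]]) -> bool:
    """Any probe diverging from the scanner view is a cloaking signal."""
    return bool(lure_probes(results))


if __name__ == "__main__":
    res = probe(fake_kit)
    for label, (status, digest) in res.items():
        print(f"{label:12s} {status} {digest}")
    print("cloaked:", is_cloaked(res), "lure shown to:", lure_probes(res))
```

Fingerprinting the body rather than comparing status codes alone matters because some kits return 200 with a benign decoy page; on a live target, also record redirects, since a 302 to an unrelated site is another common decoy response.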

DEEP AND DARK WEB INTELLIGENCE

Stellantis detects breach: On September 21, 2025, automaker Stellantis said it had detected unauthorized access to a third-party platform used in its North American customer service operations. The automaker stated that only basic contact information was compromised. North American customers of Stellantis and its subsidiaries are likely at risk of phishing and social engineering attacks using that data. The announcement comes amid ongoing attacks on Salesforce environments affecting multiple organizations and the cyberattack on carmaker Jaguar Land Rover (JLR), which has disrupted its operations.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2025-10035: This is a deserialization-of-untrusted-data vulnerability in the License Servlet of GoAnywhere MFT that could enable command injection. Threat actors could gain remote code execution on exposed systems, leading to data theft or complete takeover of managed file transfer environments.

Affected products: Affected products are included in this advisory.

Tags: DIB, TLP:GREEN