ZeroFox Daily Intelligence Brief - September 24, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- CISA Issues Advisory on Shai-Hulud Supply Chain Attack
- Secret Service Uncovers SIM Card Farm Near the U.N.
- European Defense and Aerospace Face Fresh Wave of Cyberattacks
CISA Issues Advisory on Shai-Hulud Supply Chain Attack
What we know: CISA has issued an alert about a major software supply chain attack targeting the world’s largest JavaScript registry, npmjs[.]com, in which a self-replicating worm called “Shai-Hulud” compromised over 500 packages.
Context: Threat actors harvested sensitive credentials, uploaded them to a public GitHub repository, and used an automated process to spread rapidly through the npm ecosystem. CISA advises reviewing all npm dependencies and pinning them to safe versions released before September 16, 2025.
Analyst note: The recent cyber incidents targeting npm packages very likely indicate that threat actors are exploiting the widespread reach and trust-based nature of the npm ecosystem, as compromising one package can potentially impact thousands of projects downstream. GitHub has also warned about the growing attacks against npm packages.
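As an added example (not part of the ZeroFox brief), the review CISA recommends can be scripted against a lockfile: each resolved version is compared with its registry publish date and flagged if it was published on or after September 16, 2025, or if no publish date is available. The lockfile and the registry "time" data below are constructed samples with made-up package names; in practice the dates come from the registry metadata for each package.

```javascript
// Added example: flag package-lock.json entries whose resolved version was
// published on or after the cutoff CISA cites for Shai-Hulud (2025-09-16).
// Registry publish dates are normally read from the package metadata at
// https://registry.npmjs.org/<name> ("time" field); a constructed sample is
// embedded here so the check runs offline.

const CUTOFF = new Date("2025-09-16T00:00:00Z");

// Constructed sample of a lockfileVersion 3 "packages" section.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" }, // root project entry
    "node_modules/left-util": { version: "2.3.1" },
    "node_modules/fancy-colors": { version: "4.1.0" },
    "node_modules/fancy-colors/node_modules/deep-dep": { version: "0.9.2" },
  },
};

// Constructed sample of registry metadata: name -> { version: publish time }.
// "deep-dep" is deliberately absent: an unknown package must be surfaced.
const sampleRegistryTime = {
  "left-util": { "2.3.0": "2025-08-01T10:00:00Z", "2.3.1": "2025-09-17T03:12:00Z" },
  "fancy-colors": { "4.1.0": "2025-05-20T08:00:00Z" },
};

// Package name is the segment after the last "node_modules/"; this keeps
// scoped names ("@scope/name") and nested dependencies intact.
function packageNameFromPath(lockPath) {
  const idx = lockPath.lastIndexOf("node_modules/");
  return idx === -1 ? null : lockPath.slice(idx + "node_modules/".length);
}

// Returns the entries that need review, with the reason for each.
function findSuspectPackages(lock, registryTime, cutoff = CUTOFF) {
  const suspects = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (!name || !entry.version) continue; // skip the root project entry
    const published = registryTime[name]?.[entry.version];
    if (!published) {
      suspects.push({ name, version: entry.version, reason: "no publish date" });
    } else if (new Date(published) >= cutoff) {
      suspects.push({ name, version: entry.version, reason: `published ${published}` });
    }
  }
  return suspects;
}
```

Entries flagged with "no publish date" should be resolved by fetching the package's registry metadata rather than ignored, since a missing or removed version is itself worth a look.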
Secret Service Uncovers SIM Card Farm Near the U.N.
What we know: The U.S. Secret Service has dismantled an illegal communications network in New York, involving 100,000 SIM cards and 300 servers capable of sending 30 million texts per minute. The network was reportedly spread across facilities within a 35-mile radius of the U.N. headquarters.
Context: The evidence found points toward a large-scale SIM card farm, a setup where devices packed with thousands of SIMs can be used to flood phones with spam calls and texts. Officials are currently investigating whether its location near the U.N. points to possible foreign surveillance or criminal activity.
Analyst note: The network’s concentration near U.N. headquarters suggests that it was likely built for espionage during the U.N. General Assembly summit. Additionally, its scale could have strained telecom infrastructure, overwhelming cell towers and hindering emergency response and secure channels.
European Defense and Aerospace Face Fresh Wave of Cyberattacks
Source: https://hackread.com/iranian-hackers-fake-job-breach-europe-industries/
What we know: Iranian hacker group Nimbus Manticore is targeting European defense, telecom, and aerospace firms by luring victims with fake job applications that lead to malicious backdoors.
Context: The group, also called UNC1549 or Smoke Sandstorm, has been active since early 2025, previously engaging in other intelligence gathering operations, and is reportedly linked to Iran’s Islamic Revolutionary Guard Corps (IRGC). This comes as Europe’s airlines and aerospace firms are already experiencing a rise in cyberattacks.
Analyst note: The operation could give attackers long-term access to sensitive corporate systems. The stolen data is likely to include intellectual property, strategic communications, and defense project details. State-associated threat actors are likely to use such data to fuel espionage campaigns and supply chain compromises and to gain geopolitical leverage for Iran.
DEEP AND DARK WEB INTELLIGENCE
BittenForums emerge with new onion link: Dark web forum "BittenForums" has emerged with a new onion link, and resembles the interfaces of BreachForums and DarkForums. Reportedly, this forum, thought to be new, was actually shut down in July this year and is now relaunching its services. It is likely that relaunching on a new onion link is an effort to evade law enforcement, expand its reach, attract other cybercriminals, and maximize visibility.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2024-36401: CISA has disclosed that attackers breached a U.S. federal civilian executive branch (FCEB) agency last year by exploiting an unpatched GeoServer instance with a critical remote code execution vulnerability. The bug was patched in June 2024 and later added to CISA’s Known Exploited Vulnerabilities (KEV) catalog after proof-of-concept exploits appeared online. Unpatched systems leave federal networks exposed to remote code execution (RCE) attacks, data breaches, and operational disruption, creating opportunities for espionage and other malicious activity.
Affected products: GeoServer versions prior to 2.22.6, 2.23.6, 2.24.4, and 2.25.2
Tags: DIB, tlp:green