ZeroFox Daily Intelligence Brief - September 25, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- UK Arrests Suspect in Ransomware Attack Disrupting European Airports
- Digital Evidence Links Russia to Moldovan Election Disinformation Campaign
- Geopolitical Focus: Disaster, Conflict, Disruption
UK Arrests Suspect in Ransomware Attack Disrupting European Airports
Source: https://www.nationalcrimeagency.gov.uk/news/uk-arrest-following-aerospace-cyber-incident
What we know: The UK has arrested a suspect in West Sussex over a ransomware attack that recently caused widespread disruption across European airports, including in the UK. Officers later released the individual on conditional bail while investigations continue.
Context: Airports, including Heathrow, Berlin Brandenburg, and Brussels, were affected, causing hundreds of cancellations and widespread disruption. The attacker reportedly used a basic ransomware strain, but still managed to impact aviation operations.
Analyst note: The ransomware attack caused significant disruption to airport and airline operations that could take weeks to fully resolve. Law enforcement is likely to question the suspect further to investigate the attack and identify other possible suspects.
Digital Evidence Links Russia to Moldovan Election Disinformation Campaign
Source: https://www.darkreading.com/cybersecurity-operations/russia-moldovan-election-disinformation
What we know: New research has tied Russia-linked threat actor Storm-1679 (aka Matryoshka) to a disinformation campaign targeting the 2025 Moldovan elections. The digital footprint of the websites involved in the campaign has been linked to Russian propaganda media organization Absatz.
Context: The disinformation campaign in Moldova reportedly involves news websites containing articles critical of the current Moldovan leadership and the possible decision to enter the European Union. Despite unclear ownership, several disinformation sites were linked by two common IP addresses, suggesting a shared operator.
Analyst note: Digital propaganda campaigns usually have anonymous or ambiguous ownership to evade accountability and detection. Digital evidence linking disinformation websites to a specific entity is very likely to provide substantial grounds for legal and political action.
Geopolitical Focus: Disaster, Conflict, Disruption
- Typhoon Ragasa, at the time of writing, has killed at least 17 people in Taiwan and injured several in Hong Kong before making landfall in southern China with winds up to 241 km/h (approximately 149.75 mph). Nearly two million people have been evacuated, and authorities warn of torrential rain, seawater intrusion, and landslides across Guangdong province.
- More than 80 Palestinians have been killed in strikes and ground operations in Gaza City. Israel reportedly says it targeted Hamas fighters as part of its effort to defeat the group and secure hostage releases.
- A Houthi drone launched from Yemen has struck the Israeli city of Eilat, a key Israeli port city on the Red Sea, injuring at least 22 people. The Israel Defense Forces (IDF) has confirmed attempts were made to intercept the drone, but did not clarify how it evaded air defenses.
- An individual has been charged with attempting to provide 3D-printed firearms and parts to a person supposedly connected with al-Qaida. The accused also shared over 500 pages of notes and Army manuals on tactics, weapons manufacture, and terrorism techniques, discussed creating a nuclear weapon, and offered guidance on avoiding law enforcement.
- Denmark has shut down Aalborg airport, which serves both civilian and military flights, after multiple drones entered its airspace just days after Copenhagen airport faced a similar disruption.
- Heavy rains in the Indian city of Kolkata and surrounding areas have killed at least 12 people, flooded streets, and disrupted transport, leaving residents stranded ahead of a major festival. The city experienced its heaviest rainfall since 1988, damaging festival structures, causing power outages, and prompting emergency relief efforts.
DEEP AND DARK WEB INTELLIGENCE
DarkForums user Psych1c: Untested threat actor "Psych1c" has advertised the sale of access to twelve Telecom/IT providers in Asia. The access includes root-level remote code execution (RCE) access to a large China-based cloud provider generating approximately USD 12 billion in revenue. Such access could enable attackers to compromise critical infrastructure, steal sensitive data, or disrupt services.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-20352: Cisco has patched a zero-day vulnerability in its Simple Network Management Protocol (SNMP) subsystem. The flaw is a stack-based buffer overflow. If exploited successfully, it is likely to enable remote attackers to trigger denial-of-service (DoS) conditions on unpatched systems, and high-privileged attackers to gain full system control.
Affected products: The affected products are listed in this advisory.
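The brief names the vulnerability class (a stack-based buffer overflow in an SNMP parser) without detail, and the advisory is the authoritative source for patches and affected versions. As an added illustration of that class, the C below is not Cisco's code and does not describe the actual bug: it copies one BER OCTET STRING field (tag byte, short-form length byte, then the bytes), the kind of field an SNMP message carries, into a fixed-size stack buffer. The unchecked variant trusts the length byte taken from the packet, which is the pattern that produces this class of overflow; the checked variant bounds the declared length against both the bytes actually present and the destination size before copying. The `FIELD_MAX` size, the function names and the sample packets are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added illustration, not Cisco's SNMP code: copying one BER OCTET STRING
 * field (tag, short-form length, bytes) into a fixed-size stack buffer. */

#define FIELD_MAX 32  /* assumed destination buffer size for this demo */

/* Unchecked pattern: the length byte read from the packet drives the copy
 * with no bound against the destination or the packet. A declared length
 * above FIELD_MAX - 1 writes past the caller's stack buffer.
 * Shown for contrast only; nothing below calls it. */
int copy_field_unchecked(const unsigned char *pkt, size_t pkt_len, char *out)
{
    if (pkt_len < 2 || pkt[0] != 0x04)
        return -1;
    size_t declared = pkt[1];       /* taken from the untrusted packet */
    memcpy(out, pkt + 2, declared); /* may exceed FIELD_MAX and pkt_len */
    out[declared] = '\0';
    return (int)declared;
}

/* Checked pattern: validate the declared length against the bytes actually
 * present in the packet and against the destination size (keeping one byte
 * for the terminator) before any copy happens.
 * Returns the field length on success, -1 on a malformed or oversized field. */
int copy_field_checked(const unsigned char *pkt, size_t pkt_len,
                       char *out, size_t out_sz)
{
    if (pkt == NULL || out == NULL || out_sz == 0)
        return -1;
    if (pkt_len < 2 || pkt[0] != 0x04)  /* need tag + length; 0x04 = OCTET STRING */
        return -1;
    size_t declared = pkt[1];
    if (declared > 0x7F)                /* long-form BER length: rejected in this demo */
        return -1;
    if (declared > pkt_len - 2)         /* truncated packet */
        return -1;
    if (declared >= out_sz)             /* would not fit together with the NUL */
        return -1;
    memcpy(out, pkt + 2, declared);
    out[declared] = '\0';
    return (int)declared;
}

int main(void)
{
    char out[FIELD_MAX];

    /* Constructed sample: well-formed 6-byte OCTET STRING "public". */
    const unsigned char good[] = {0x04, 0x06, 'p', 'u', 'b', 'l', 'i', 'c'};
    /* Constructed sample: declares 100 bytes but carries only 4. */
    const unsigned char truncated[] = {0x04, 0x64, 'A', 'A', 'A', 'A'};
    /* Constructed sample: declares and carries 64 bytes, more than FIELD_MAX. */
    unsigned char oversized[2 + 64];
    oversized[0] = 0x04;
    oversized[1] = 64;
    memset(oversized + 2, 'A', 64);

    printf("good:      %d (%s)\n",
           copy_field_checked(good, sizeof good, out, sizeof out), out);
    printf("truncated: %d\n",
           copy_field_checked(truncated, sizeof truncated, out, sizeof out));
    printf("oversized: %d\n",
           copy_field_checked(oversized, sizeof oversized, out, sizeof out));
    return 0;
}
```

The checked variant returns 6 for the well-formed sample and -1 for both malformed ones; the same three inputs would drive the unchecked variant past its buffer on the second and third. For defenders the practical point stands regardless of the code: apply the vendor patch, and until then limit which source addresses can reach SNMP on affected devices, since the overflow is reachable only by whoever can deliver the packet.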
CVE-2025-10643 and CVE-2025-10644: These two vulnerabilities in Wondershare RepairIt have reportedly exposed private user data and enabled attackers to bypass authentication. Threat actors could further carry out supply chain attacks, arbitrary code execution, and tampering with AI models, putting users, intellectual property, and downstream customers at risk.
Affected products: Wondershare RepairIt
Tags: DIB, tlp:green