ZeroFox Daily Intelligence Brief - September 29, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- LockBit Reemerges Post-Seizure with 5.0 Ransomware Strain
- China-Linked PlugX Variant Targets Critical Sectors in Central and South Asia
- Geopolitical Focus: Incursions, Conflict, Unrest, and Disruption
LockBit Reemerges Post-Seizure with 5.0 Ransomware Strain
Source: https://www.theregister.com/2025/09/26/lockbits_new_variant_is_most/?td=rt-3a
What we know: A new LockBit 5.0 ransomware strain has emerged, featuring enhanced obfuscation, evasion, and cross-platform capabilities that could allow a single intrusion to encrypt an entire network, from workstations to critical servers.
Context: The new strain has variants for Windows, Linux, and VMware ESXi systems, and appends a randomly generated 16-character extension to each encrypted file, which complicates recovery and also defeats detection rules keyed to a fixed ransomware extension. It follows the law enforcement action that seized the group's servers, domains, and decryption keys in an effort to dismantle it.
Analyst note: The ability to hit Windows hosts, Linux servers, and ESXi hypervisors with one toolkit very likely shortens the time between initial breach and full encryption, leaving defenders a narrower window in which to detect and respond.
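Because the random extension defeats signature-style rules, a practical check is to hunt for the pattern itself. The following is an added example, not code from the source article, ZeroFox, or the ransomware: it flags files whose final extension is a 16-character random-looking token and, more usefully, directories where many such files appear at once. The alphanumeric character set is an assumption (the article only says "randomly generated 16-character"), and the sample file listing is constructed.

```python
# Added hunting heuristic (not from the source article, ZeroFox, or LockBit itself):
# flag files whose extension matches the random 16-character suffix pattern the
# brief describes. Assumptions: the suffix is alphanumeric (a guess; the article
# only says "randomly generated 16-character"), and a burst of such files in one
# directory is the actionable signal, since a single hash-named file is a common
# benign false positive.
import math
import os
from collections import Counter


def shannon_entropy(text: str) -> float:
    """Bits per character; 16 distinct characters give the maximum of 4.0."""
    counts = Counter(text)
    total = len(text)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def looks_like_random_suffix(path: str, length: int = 16, min_entropy: float = 3.0) -> bool:
    """True when the final extension is exactly `length` alphanumeric characters
    and not a low-entropy repeat such as 'aaaaaaaaaaaaaaaa'."""
    ext = os.path.splitext(path)[1].lstrip(".")
    if len(ext) != length or not ext.isalnum():
        return False
    return shannon_entropy(ext) >= min_entropy


def suspicious_dirs(paths, min_hits: int = 3) -> dict:
    """Directories holding at least `min_hits` files with a random-looking suffix.
    Aggregating per directory separates mass renaming from the odd hash-named file."""
    hits = Counter(os.path.dirname(p) for p in paths if looks_like_random_suffix(p))
    return {d: n for d, n in hits.items() if n >= min_hits}


# Constructed sample listing: one share after encryption plus benign noise.
SAMPLE_PATHS = [
    "/srv/share/finance/q3.xlsx.q7Fz2LpK9xRt3mWb",
    "/srv/share/finance/board.docx.Hn4Ts8Qe1VbY6cZj",
    "/srv/share/finance/payroll.csv.W2kD9mP5Lx7RcT1f",
    "/srv/share/finance/README.txt",
    "/var/cache/pkg/blob.0123456789abcdef",   # hash-named file: a single benign hit
    "/home/alice/notes.md",
    "/tmp/pad.aaaaaaaaaaaaaaaa",              # 16 chars but zero entropy
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{looks_like_random_suffix(p)!s:5}  {p}")
    print(suspicious_dirs(SAMPLE_PATHS))
```

Treat per-file hits as leads only; the hash-named cache file above is flagged on its own, which is why the directory-level count is the signal worth alerting on.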
China-Linked PlugX Variant Targets Critical Sectors in Central and South Asia
Source: https://thehackernews.com/2025/09/china-linked-plugx-and-bookworm-malware.html
What we know: A new variant of the China-linked malware PlugX has reportedly been observed targeting telecommunications and manufacturing sectors in Central and South Asia.
Context: The new variant reportedly adopts a configuration format similar to those of RainyDay and Turian, backdoors most associated with the China-linked threat actors "Lotus Panda" and "BackdoorDiplomacy" respectively. PlugX itself, by contrast, is most closely associated with a different China-linked actor, Mustang Panda, so the shared configuration format is the notable link between otherwise separate toolsets.
Analyst note: The targeted sectors very likely reflect China-linked threat groups' priority of infiltrating critical infrastructure entities in geopolitically significant countries. The intrusions are also likely to serve as testing grounds for refining the malware before it is deployed against a wider set of targets.
Geopolitical Focus: Incursions, Conflict, Unrest, and Disruption
- NATO allies have reported increased Russian violations of airspace in the Baltic region, prompting two rounds of emergency consultations under Article 4 and calls for tighter integration of air and ground defenses. Russia has denied involvement and warned that seizures of its assets or expanded NATO support to Ukraine would be treated as acts of war.
- Russia has launched an aerial assault on Ukraine, firing close to 600 drones and several missiles in a 12-hour attack that killed at least four in Kyiv and wounded more than 70 people.
- The U.N. has reimposed “snapback” sanctions on Iran over its nuclear program, freezing assets, blocking arms deals, and penalizing missile development, deepening the country’s economic crisis. In response, Iranian leaders threatened retaliation, debated leaving the Nuclear Nonproliferation Treaty, and warned of possible confrontation with Israel and the West.
- A gunman has attacked a Mormon church in Grand Blanc, Michigan, killing at least four people and injuring eight before being shot by the police. The individual drove into the building, opened fire on hundreds of worshippers, and set the church ablaze, with investigators treating the fire as deliberate.
- At least 40 people were killed in a stampede at a political rally in the Indian state of Tamil Nadu after the crowd surged beyond permitted numbers.
- A fire triggered by exploding batteries at South Korea’s national data center in Daejeon has shut down more than 600 government services, including tax systems, postal services, and mobile IDs.
DEEP AND DARK WEB INTELLIGENCE
Miyako claims multi-sector firewall access: Threat actor "miyako" has claimed root-level access to Linux-based firewall systems across multiple sectors, including a managed services provider, an insurance agency, a global fintech firm, a medical device manufacturer, and a Saudi government ministry. If genuine, root access on a perimeter firewall would allow an attacker to alter or disable filtering and inspect or redirect traffic, enabling data theft, disruption of critical services, financial fraud, and espionage against sensitive government and defense networks.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-11074: An SQL injection flaw in Project Monitoring System 1.0's /login[.]php allows a remote, unauthenticated attacker to inject SQL through the username and password parameters of the login form. If exploited, attackers could bypass authentication, read or modify the database (user credentials, project data), create administrator accounts, and disrupt the service or expose user data. Because the injection point is the login form itself, no credentials are needed to reach it; the fix is to stop building the authentication query from concatenated input and use parameterized statements.
Affected products: code-projects Project Monitoring System version 1.0
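To make the bug class concrete, the following is an added example and is not code from Project Monitoring System (a PHP application) or from the CVE entry: a login check in the vulnerable shape the advisory describes (user input spliced into the SQL text) beside the parameterized form, run against an in-memory SQLite table so it works offline. The schema, the stored credentials and the payloads are constructed for this illustration; the real application's schema and backend are not shown here.

```python
# Added illustration of the bug class behind the CVE entry above; this is NOT code
# from Project Monitoring System (a PHP application) nor from the advisory. The
# schema, the stored credentials and the payloads are constructed so the example
# runs offline against SQLite. The vulnerable function keeps the shape that makes
# authentication bypass possible: user-supplied strings spliced into the SQL text.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data. Passwords are stored in clear for brevity so the
    password field stays injectable; password hashing is a separate fix."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("admin", "S3cret!pass", "admin"), ("alice", "alicepw", "user")],
    )
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Input concatenated into the query: a quote in either field ends the string
    literal and the rest of the input is parsed as SQL."""
    query = (
        "SELECT id, username, role FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()


def login_safe(conn, username: str, password: str):
    """Same query with bound parameters: values travel separately from the SQL
    text, so no input can alter the statement's structure."""
    return conn.execute(
        "SELECT id, username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


# Constructed payloads. MySQL (the usual backend for PHP apps of this kind; an
# assumption here) requires a space after '--' for a comment; SQLite accepts either.
BYPASS_VIA_USERNAME = "admin' -- "       # comments out the password check
BYPASS_VIA_PASSWORD = "' OR '1'='1"      # makes the WHERE clause true for every row

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, username payload:", login_vulnerable(db, BYPASS_VIA_USERNAME, "x"))
    print("vulnerable, password payload:", login_vulnerable(db, "nobody", BYPASS_VIA_PASSWORD))
    print("safe, username payload:     ", login_safe(db, BYPASS_VIA_USERNAME, "x"))
    print("safe, password payload:     ", login_safe(db, "nobody", BYPASS_VIA_PASSWORD))
```

The password-field payload works because AND binds tighter than OR, so the clause becomes (username AND password) OR true and the first row, typically the administrator, is returned. Both payloads return nothing against the parameterized version, which is the check to apply when reviewing the application's own query code.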
Tags: DIB, tlp:green