
ZeroFox Daily Intelligence Brief - October 1, 2025

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • U.S. Regulators File Cases Against Companies Exploiting Children’s Privacy
  • Chinese APT Caught Spying on Global Communications
  • Fake North Korean IT Workers Expand Targets Beyond Tech Sector
  • Russian APT28 Targets Companies in NATO Countries with New Backdoor Attack

U.S. Regulators File Cases Against Companies Exploiting Children’s Privacy

Source: https://www.justice.gov/opa/pr/justice-department-files-complaint-against-social-media-company-iconic-hearts-holdings-inc

What we know: The U.S. Department of Justice (DOJ) and Federal Trade Commission (FTC) have taken action against U.S.-based Iconic Hearts Holdings Inc. and China-based Apitor Technology for illegally collecting children’s personal data and using deceptive practices.

Context: Iconic Hearts’ social media messaging app, Sendit, allegedly generated and sent millions of fake anonymous messages to teenagers, tricking them into purchasing costly “Diamond Memberships.” Separately, Apitor allegedly collected geolocation data from children through the app for its robotic toys without parental consent.

Analyst note: Violations of children’s privacy are likely to expose the affected children and their families to manipulation and surveillance threats. Enforcement actions such as these are likely to prompt app developers and connected-device makers to adopt stricter data-collection policies, improve transparency, and establish stronger safeguards for children’s personal data.

Chinese APT Caught Spying on Global Communications

Source: https://hackread.com/chinese-apt-phantom-taurus-ms-exchange-servers/

What we know: Chinese state-linked APT Phantom Taurus has been observed breaching the email servers (Microsoft Exchange, per the source) of targeted organizations for several years in order to spy on foreign ministries, embassies, and defense-related communications. The group uses custom tooling, such as the NET-STAR malware, to evade detection and gather sensitive diplomatic and military intelligence.

Context: Phantom Taurus rapidly adapts its tactics and has targeted organizations in Central and South Asia, including Afghanistan and Pakistan, as well as in the Middle East. Beyond email theft, the group also uses custom SQL scripts to query and export databases, stealing large volumes of sensitive data.

Analyst note: Targeting in Afghanistan, Pakistan, and the Middle East likely reflects China’s strategic interest in border security, Belt and Road projects, and military influence. It is likely that neighboring states and NATO-aligned countries are China’s next priority targets.

Fake North Korean IT Workers Expand Targets Beyond Tech Sector

Source: https://www.theregister.com/2025/09/30/north_korean_it_workers_okta/

What we know: Fake North Korean IT workers have been observed seeking employment at companies outside the tech sector, across multiple countries, in order to funnel money back to Pyongyang.

Context: They are now targeting Big Tech and AI firms for sensitive intellectual property (IP) and algorithms and seeking roles in healthcare and med-tech to access personally identifiable information (PII) and medical data. They have also been pursuing positions in finance, banking, fintech, and crypto, including back-office roles, to exploit financial data and revenue streams.

Analyst note: This expansion indicates that these IT workers are pursuing both intellectual property and high-value data. Healthcare and med-tech roles provide access to PII, medical records, and hospital workflows, while public administration positions offer insight into government operations and policy, extending their intelligence value well beyond software IP.

DEEP AND DARK WEB INTELLIGENCE

RemoteCOM breach exposes bulk court data: A hacker has reportedly breached RemoteCOM, a U.S.-based provider of monitoring services for pretrial, probation, and parole clients. The leaked information allegedly includes personal details of nearly 14,000 monitored clients and records of almost 6,900 criminal justice employees across 49 U.S. states.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2025-41244: Broadcom has patched this high-severity vulnerability, which Chinese hackers have reportedly been exploiting in zero-day attacks since October 2024. Threat actors are likely to exploit this local privilege escalation bug to gain complete system control, exfiltrate data, compromise infrastructure, and disrupt services. Unpatched systems are likely to be targeted in Chinese state-associated operations.

Affected products: VMware Aria Operations and VMware Tools

Tags: DIB, TLP:GREEN