ZeroFox Daily Intelligence Brief - October 2, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- FIN11 Suspected Behind Emails Claiming Oracle E-Business Suite Data Theft
- Detour Dog Targets More Than 30,000 Websites With Hidden Malware
- Geopolitical Focus: Suspected Hamas Members Arrested in Germany, and More
FIN11 Suspected Behind Emails Claiming Oracle E-Business Suite Data Theft
Source: https://cloud.zerofox.com/intelligence/advanced_dark_web/93670
What we know: Executives at multiple companies have reportedly received emails claiming their data from Oracle E-Business Suite systems was stolen. The potential data includes financial, operational, and business information stored within affected Oracle environments.
Context: The extortion emails are being sent from a large number of compromised email accounts with at least one account associated with financially-motivated threat actor FIN11. Extortion emails also reportedly included contact information that appeared on Cl0p ransomware’s data leak site, suggesting a potential connection.
Analyst note: It is likely that FIN11 is threatening executives with less sensitive information, such as names, job titles, or publicly available corporate details, to create a sense of urgency and coerce payment. Investigations are still underway to determine whether any real data theft occurred; it is likely that any data cited in the emails could also have been acquired through an older data breach.
Detour Dog Targets More Than 30,000 Websites With Hidden Malware
Source: https://hackread.com/detour-dog-dns-hijacking-websites-strela-stealer/
What we know: Cybercriminal group Detour Dog has been hijacking DNS records since 2020, secretly infecting over 30,000 websites worldwide. It has been using DNS TXT records to send hidden commands, making most visits look normal while selectively targeting victims.
Context: Recently, Detour Dog reportedly partnered with threat actor Hive0145 to deliver Strela Stealer malware, escalating its crimes from simple scams to credential and data theft. The campaign reportedly spans 89 countries, generating millions of covert DNS requests per hour, often evading traditional security tools.
Analyst note: The high volume and sources of traffic likely indicate that Detour Dog’s campaign is largely bot-driven. Additionally, high volumes of suspicious DNS queries could strain hosting services and inadvertently expose traffic patterns that researchers can use for detection and mitigation.
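The Detour Dog item describes command delivery over DNS TXT records and notes that the resulting query volume leaves patterns defenders can use. The following detection script is an added example written for this brief; it is not code from ZeroFox, Hackread, or any referenced research. It assumes a simple resolver log format ("timestamp client qtype qname"), uses constructed sample lines, treats the last two labels of a name as the registrable domain (a stand-in for a Public Suffix List lookup), and uses hypothetical thresholds. It flags clients that issue a burst of TXT queries for many distinct names under one domain, the shape of traffic a TXT-based command channel tends to produce, while leaving ordinary SPF/DMARC TXT lookups alone.

```python
"""Flag clients that issue bursts of TXT queries with many distinct names under one domain."""
import bisect
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample resolver log (not real traffic).
# Format assumed for this example: "<ISO-8601 UTC timestamp> <client> <qtype> <qname>"
SAMPLE_LOG = """\
2025-10-02T08:00:00Z 10.0.0.5 A www.example.org
2025-10-02T08:00:01Z 10.0.0.5 TXT a1b2.cmd.example-c2.test
2025-10-02T08:00:31Z 10.0.0.5 TXT c3d4.cmd.example-c2.test
2025-10-02T08:01:01Z 10.0.0.5 TXT e5f6.cmd.example-c2.test
2025-10-02T08:01:31Z 10.0.0.5 TXT g7h8.cmd.example-c2.test
2025-10-02T08:02:01Z 10.0.0.5 TXT i9j0.cmd.example-c2.test
2025-10-02T08:02:31Z 10.0.0.5 TXT k1l2.cmd.example-c2.test
2025-10-02T08:00:05Z 10.0.0.7 TXT example.org
2025-10-02T08:00:06Z 10.0.0.7 MX example.org
2025-10-02T08:00:07Z 10.0.0.9 TXT _dmarc.example.org
2025-10-02T08:00:08Z 10.0.0.9 A mail.example.org
"""


def parse_log(text):
    """Parse whitespace-separated log lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "client": client,
            "qtype": qtype.upper(),
            "qname": qname.lower().rstrip("."),
        })
    return records


def base_domain(qname):
    """Crude registrable-domain heuristic: keep the last two labels.
    This is an assumption made for the example; production code should
    consult the Public Suffix List instead."""
    labels = qname.split(".")
    return ".".join(labels[-2:])


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    times = sorted(times)
    best = 0
    for i, start in enumerate(times):
        # Index of the first timestamp at or beyond the end of the window that opens at `start`.
        end_idx = bisect.bisect_left(times, start + window)
        best = max(best, end_idx - i)
    return best


def find_txt_beacons(records, window=timedelta(minutes=5), min_queries=5, min_unique_names=3):
    """Return clients whose TXT queries to one domain form a burst of many distinct names.

    Thresholds are hypothetical defaults chosen for the sample data; tune them
    against a baseline of legitimate TXT lookups (SPF, DKIM, DMARC, verification records).
    """
    groups = defaultdict(lambda: {"times": [], "names": set()})
    for r in records:
        if r["qtype"] != "TXT":
            continue
        g = groups[(r["client"], base_domain(r["qname"]))]
        g["times"].append(r["ts"])
        g["names"].add(r["qname"])

    findings = []
    for (client, domain), g in groups.items():
        burst = max_in_window(g["times"], window)
        # Many distinct labels under one domain distinguish a command channel
        # from repeated lookups of a single legitimate record.
        if burst >= min_queries and len(g["names"]) >= min_unique_names:
            findings.append({
                "client": client,
                "domain": domain,
                "txt_queries_in_window": burst,
                "unique_names": len(g["names"]),
                "first_seen": min(g["times"]).isoformat(),
                "last_seen": max(g["times"]).isoformat(),
            })
    findings.sort(key=lambda f: (-f["txt_queries_in_window"], f["client"]))
    return findings


if __name__ == "__main__":
    for finding in find_txt_beacons(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run against the constructed log, the script reports only 10.0.0.5, which made six TXT queries for six different names under example-c2.test within a few minutes; the single SPF-style and DMARC lookups from the other two clients fall below both thresholds. Feeding it real resolver logs means adapting `parse_log` to the local format and replacing `base_domain` with a Public Suffix List lookup.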
Geopolitical Focus: Suspected Hamas Members Arrested in Germany, and More
- Three individuals allegedly linked to Hamas were arrested in Germany on suspicion of plotting attacks on Israeli or Jewish targets. The suspects have been accused of procuring weapons, including an AK-47. Hamas has denied any links to the suspects.
- Israeli naval forces boarded multiple pro-Palestinian aid flotilla boats attempting to reach the coast of Gaza. Swedish climate activist Greta Thunberg was among those taken into custody, with at least 13 vessels intercepted as of October 2.
- The U.S. Treasury has sanctioned 21 entities and 17 individuals involved in procuring sensitive and military technology for Iran’s Ministry of Defense. The sanctioned networks reportedly helped acquire technology such as surface-to-air missile systems and a U.S.-made helicopter.
- A Russian strike targeting an energy substation resulted in a three-hour blackout at the now-defunct Chornobyl Nuclear Power Plant. Ukrainian President Volodymyr Zelenskyy called the strikes deliberate and warned that such attacks pose a global security threat. Separately, the blackout at the Zaporizhzhia Nuclear Power Plant continued into its eighth day.
- At least 72 people have been killed in the Philippines following a magnitude 6.9 earthquake that struck late on September 30. Another 294 people were injured, and power lines, several buildings, and bridges were also damaged in the quake.
DEEP AND DARK WEB INTELLIGENCE
DarkForums user BIGBROTHER: Threat actor "BIGBROTHER" has claimed on DarkForums to be selling access to a website owned by a Saudi Arabia-based telecom company. The threat actor has said they will reveal the telecom company’s name only to interested buyers privately, since disclosing it publicly could alert the organization and lead it to revoke the access. The sale is unlikely to be legitimate given the absence of a sample or any evidence of access.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-23297: NVIDIA has released a patch for a vulnerability in one of its products affecting the FrameviewSDK installation process. The flaw enables an attacker with local unprivileged access to modify files in the Frameview SDK directory. A successful exploit of this vulnerability is likely to lead to escalation of privileges.
Affected products: Versions prior to 11.0.5.245 of NVIDIA App for Windows 10/11
Tags: DIB, tlp:green