ZeroFox Intelligence Flash Report - Threat Collective Touts Red Hat Breach

by Alpha Team

Product Serial: F-2025-10-02a

TLP:CLEAR

In this Flash report, ZeroFox researchers report on the recent claims made by "Crimson Collective" that they allegedly breached the U.S.-based software company Red Hat.

Standing Intelligence Requirements

For the most up-to-date list of ZeroFox’s Intelligence Requirements, please visit:

https://cloud.zerofox.com/intelligence/advisories/14956

Key Findings

  • On October 1, 2025, the threat collective known as “Crimson Collective” claimed via their Telegram channel to have breached Red Hat’s private GitHub repositories, allegedly stealing around 570 GB of data from nearly 28,000 internal repositories and approximately 800 Consulting Engagement Reports (CERs).
  • Crimson Collective is an extortion threat collective that created their Telegram channel on September 24, 2025, amassing 393 subscribers as of the writing of this report.
  • Crimson Collective posted screenshots of an alleged attempt to contact Red Hat regarding the incident, along with a file named git[.]tar[.]gz that they assert represents only half of the total breached data, which they likely intend to release once the files have been compressed.
  • Exposure of internal repositories will very likely reveal proprietary code and security controls across Red Hat’s products and services, which would almost certainly enable threat actors to identify further exploitable weaknesses.

Tags: tlp:clear, data breach, threat actor