ZeroFox Daily Intelligence Brief - October 3, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- ZeroFox Intelligence Flash Report - Threat Collective Touts Red Hat Breach
- ProSpy Android Spyware Targets Messenger Apps Including Signal and ToTok
- Geopolitical Focus: Global Roundup of Major Security and Unrest Incidents
ZeroFox Intelligence Flash Report - Threat Collective Touts Red Hat Breach
Source: https://www.zerofox.com/advisories/36121/
What we know: Threat collective "Crimson Collective" has claimed to have breached software company Red Hat's private GitHub repositories, allegedly stealing around 570 GB of data from nearly 28,000 internal repositories and approximately 800 Consulting Engagement Reports (CERs).
Context: Crimson Collective is an extortion threat collective that created its Telegram channel on September 24, 2025. The threat collective posted screenshots of an alleged attempt to contact Red Hat regarding the incident, along with the alleged sample of the breached data. Red Hat has confirmed a breach of its GitLab instance used for Red Hat Consulting.
Analyst note: Exposure of internal repositories will very likely reveal proprietary code and security controls across Red Hat’s products and services.
ProSpy Android Spyware Targets Messenger Apps Including Signal and ToTok
What we know: A new Android spyware campaign has been uncovered in which attackers are distributing ProSpy malware through fraudulent websites and trojanized apps that impersonate messenger apps, including ToTok and Signal.
Context: The campaign leverages social engineering and stealth techniques to harvest sensitive data from infected devices while attempting to avoid user suspicion. Once installed, the ProSpy samples requested permissions, which granted the spyware full access to sensitive data.
Analyst note: Threat actors are likely targeting messenger apps like Signal to harvest sensitive conversations and authentication data. They likely aim to monitor high-value users, such as journalists and government officials, who use the apps expecting secure communication.
Geopolitical Focus: Global Roundup of Major Security and Unrest Incidents
- Drone sightings over Munich airport on October 2 halted operations, canceling 17 flights and stranding nearly 3,000 passengers. Another 15 flights were diverted to Stuttgart, Nuremberg, Vienna, and Frankfurt, following similar incidents in Denmark and Norway last week.
- Mediators have reached the head of Hamas's military wing in Gaza, who has reportedly rejected the new U.S. ceasefire plan, believing it is intended to weaken or eliminate Hamas, and has vowed to continue fighting.
- The FBI’s “Summer Heat” initiative led to 8,629 arrests, including more than 6,500 tied to gangs and violent crime. The operation also identified 1,053 child victims and seized over 44,000 kilograms of cocaine, 421 kilograms of fentanyl, and 2,281 weapons.
- British police have reportedly identified the Manchester synagogue attacker as a British individual of Syrian descent. The attack that took place on Yom Kippur (the holiest day in the Jewish calendar) killed two people and injured several others. Police declared it a terrorist incident and shot the attacker dead within seven minutes of the first 999 call.
- In Pakistan-controlled Kashmir, four days of clashes left nine people dead, including three policemen, and more than 150 injured. Prime Minister Shehbaz Sharif called for calm as unrest grew over rising costs, elite privileges, and reserved legislative seats for outsiders.
DEEP AND DARK WEB INTELLIGENCE
Renault UK confirms third party breach: Renault UK has reported a cyberattack on a third-party service provider that could have exposed customer personal data, including names, contact details, and vehicle information. However, the company’s own systems were not breached, and no financial data was affected. Personal information accessed through third-party systems could be misused for phishing, identity theft, or social engineering attacks.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-10547: DrayTek has warned of a security flaw in several Vigor router models that enables unauthenticated attackers to send crafted HTTP or HTTPS requests to the WebUI, potentially causing memory corruption, crashes, and in some cases, remote code execution. Successful exploitation could give attackers control over affected routers, leading to network compromise and further attacks on connected systems.
Affected products: The affected products are listed in this advisory.
Tags: DIB, tlp:green