ZeroFox Daily Intelligence Brief - October 7, 2025

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Scattered Lapsus$ Hunters Join Red Hat Breach Leaking Sample Data on Leak Site
  • Chinese Cybercrime Group UAT-8099 Exploits Enterprise Web Servers for SEO Fraud
  • Medusa Ransomware Affiliates Exploit GoAnywhere Vulnerability

Scattered Lapsus$ Hunters Join Red Hat Breach Leaking Sample Data on Leak Site

Source: https://www.bleepingcomputer.com/news/security/red-hat-data-breach-escalates-as-shinyhunters-joins-extortion/

What we know: Threat collective Scattered Lapsus$ Hunters has leaked samples of stolen data from the Red Hat data breach after partnering with threat group Crimson Collective.

Context: Samples of stolen customer engagement reports (CERs) have been published on Scattered Lapsus$ Hunters’ data leak site. Crimson Collective had claimed to have stolen 570 GB of data from Red Hat. Red Hat has since confirmed a breach affecting its GitLab instance.

Analyst note: The collaboration between threat groups indicates stolen data is very likely being shared among various members. Multiple extortion attempts are likely if affiliates decide to exploit the breach independently.

Chinese Cybercrime Group UAT-8099 Exploits Enterprise Web Servers for SEO Fraud

Source: https://thehackernews.com/2025/10/chinese-cybercrime-group-runs-global.html

What we know: Chinese-speaking group UAT-8099 is exploiting popular enterprise web servers to steal credentials, configuration files, and certificates while manipulating search rankings for search engine optimization (SEO) fraud. Incidents have been reported across multiple regions, including India, Thailand, Vietnam, Canada, and Brazil.

Context: Active since April 2025, the group targets high-value enterprise web servers used by universities, telecoms, and tech firms, deploying web shells, BadIIS malware, and Cobalt Strike to maintain persistence and enable remote desktop access.

Analyst note: These intrusions enable large-scale SEO abuse, credential theft, and potential lateral movement into enterprise networks. Stolen certificates and configurations could be weaponized for supply-chain impersonation, phishing, or code-signing attacks.

Medusa Ransomware Affiliates Exploit GoAnywhere Vulnerability

Source: https://www.theregister.com/2025/10/06/microsoft_blames_medusa_ransomware_affiliates/

What we know: Medusa ransomware affiliates are reportedly exploiting an already patched critical deserialization vulnerability in Fortra's GoAnywhere MFT software, tracked as CVE-2025-10035, to gain initial access.

Context: The flaw enables remote code execution (RCE) leading to system compromise, backdoor installation, and lateral movement. Attackers have reportedly targeted multiple organizations to install remote monitoring and management (RMM) tools SimpleHelp and MeshAgent to maintain persistence.

Analyst note: Organizations with unpatched systems externally exposed to the internet are very likely to be targeted using the vulnerability. Successful exploitation is likely to lead to data theft, file encryption, and double or even triple extortion tactics.

DEEP AND DARK WEB INTELLIGENCE

DarkForums user ByteToBreach: Threat actor "ByteToBreach" has advertised data associated with Κυπριακά Ταχυδρομεία (Cyprus Post Office), the official postal service of Cyprus. The actor claims the stolen data includes parcel, mail, invoice, and document records from multiple organizations across several countries, as well as correspondence involving law enforcement agencies, embassies, and local ministries of different countries. Stolen invoices, parcel records, and internal documents will likely lead to targeted espionage, supply-chain fraud, and identity theft against organizations and individuals.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2025-36604: A flaw in Dell UnityVSA allows unauthenticated attackers to execute arbitrary commands by exploiting improper input handling in the login redirection process. This flaw could enable attackers to gain complete control of virtual storage appliances, enabling data theft, tampering, or disruption of critical enterprise storage systems.

Affected products: Dell Unity versions 5.5 and prior

Tags: DIBtlp:green