ZeroFox Daily Intelligence Brief - October 9, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Ransomware Groups to Strengthen Capabilities Through Strategic Collaboration
- China-Linked Actor Exploits phpMyAdmin to Deploy Nezha and Gh0stRAT
- Foreign Adversaries Exploit AI Models to Enhance Cyber Warfare Tactics
Ransomware Groups to Strengthen Capabilities Through Strategic Collaboration
Source: https://thehackernews.com/2025/10/lockbit-qilin-and-dragonforce-join.html
What we know: DragonForce, LockBit, and Qilin have formed a strategic ransomware alliance to share resources, techniques, and infrastructure, enhancing their collective attack capabilities. Furthermore, DragonForce was observed inviting other cybercriminals to join their collaboration.
Context: This collaboration follows LockBit resurfacing with the launch of LockBit 5.0 and the 2024 “Cronos” takedown that dismantled its infrastructure and exposed its members.
Analyst note: This alliance could lead to an escalation in ransomware activity against major companies. The combined resources and expertise of DragonForce, LockBit, and Qilin are likely to enable more coordinated, large-scale, and sophisticated attacks across multiple sectors.
China-Linked Actor Exploits phpMyAdmin to Deploy Nezha and Gh0stRAT
Source: https://www.darkreading.com/cyberattacks-data-breaches/china-nexus-actors-nezha-open-source-tool
What we know: A China-linked threat actor has been exploiting an exposed phpMyAdmin instance to deploy Nezha, a legitimate open-source monitoring tool used here maliciously, and the Gh0stRAT malware, hitting more than 100 organizations globally, mainly in Southeast Asia.
Context: The attackers took advantage of unprotected web applications such as phpMyAdmin, used log poisoning to install a web shell, then controlled the server through the AntSword web shell management tool, rotating IP addresses to keep the intrusions stealthy.
Analyst note: Other cybercriminals could follow suit, abusing other open-source administrative tools in similar attacks, with activity likely spilling over into other regions in the near future.
Foreign Adversaries Exploit AI Models to Enhance Cyber Warfare Tactics
Source: https://hackread.com/openai-ai-tools-exploitation-threat-groups/
What we know: Foreign threat groups are increasingly using AI tools to automate phishing, write malware, and run influence campaigns. Cybercriminals are exploiting both legitimate and malicious AI models to scale attacks faster and with more precision.
Context: Malicious AI models such as WormGPT and FraudGPT are being used to craft realistic scams, debug malicious code, and generate multilingual propaganda, while threat actors misuse legitimate tools such as ChatGPT for reconnaissance. Additionally, malicious clones such as SpamGPT are being deployed to launch targeted spam and PDF-based malware attacks at scale.
Analyst note: AI-generated content can effectively replicate authentic language, tone, and context, making deceptive communications more persuasive and increasing the risk of recipients falling for the attack. This will likely lead to victims facing data breaches, financial losses, and more targeted attacks.
DEEP AND DARK WEB INTELLIGENCE
RehubCom user Big-Bro: Well-known threat actor "Big-Bro" has advertised for sale VPN access with local administrator rights to an unnamed Brazil-based healthcare company, claiming the firm earns USD 16 million annually. Such access could enable attackers to steal patient data, deploy ransomware, or disrupt healthcare operations.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-53967: This now-patched vulnerability is a command injection flaw in the Figma developer MCP server. It enables remote code execution with the server's privileges, potentially giving attackers full control over affected systems. Such flaws can be used to compromise developer environments, inject malicious code, or pivot deeper into organizational networks.
Affected products: Framelink Figma MCP Server before 0.6.3
Tags: DIB, tlp:green