Advisories

ZeroFox Daily Intelligence Brief - October 13, 2025

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Over 2,000 Domains Used in Sophisticated Phishing Campaign Targeting Global Brands
  • Phishing Campaign Impersonates NY Tax Department to Steal Personal Data
  • China-Based Threat Group Weaponizing Open Source DFIR Tool Velociraptor

Over 2,000 Domains Used in Sophisticated Phishing Campaign Targeting Global Brands

Source: https://www.theregister.com/2025/10/10/chinese_phishing_kit_fraud/

What we know: China-linked phishing-as-a-service kit YYlaiyu, active across 2,000 domains, is impersonating 97 global brands in real-time financial scams, where threat actors manually capture OTPs and exploit messaging channels to bypass SMS filters.

Context: YYlaiyu has reportedly been active since at least September 2024, hosting multilingual, brand-tailored phishing pages. Threat actors have been interacting with victims themselves to capture OTPs and immediately cash out via digital wallets, gift cards, and stock manipulation schemes.

Analyst note: Since these threat actors interact directly with victims, any security overrides likely appear intentional and legitimate, enabling their actions to slip past existing anti-phishing protocols and automated defenses. This human involvement, combined with multilingual phishing lures, likely contributes to the campaign’s scale and global reach.

Phishing Campaign Impersonates NY Tax Department to Steal Personal Data

Source: https://www.bleepingcomputer.com/news/security/fake-inflation-refund-texts-target-new-yorkers-in-new-scam/

What we know: A smishing campaign is targeting New Yorkers with fake “Inflation Refund” texts posing as the Department of Taxation and Finance. The messages link to a phishing site that steals personal and financial information.

Context: The real Inflation Refund program automatically sends checks to eligible residents; no sign-up or personal data is required. Scammers are exploiting public awareness of this initiative to make their texts seem credible.

Analyst note: Victims of the scam are likely to have their personal and banking details stolen, leading to identity theft, tax refund fraud, and unauthorized withdrawals. Compromised data is also likely to be sold in underground forums and used for further scams targeting taxpayers.

China-Based Threat Group Weaponizing Open Source DFIR Tool Velociraptor

Source: https://www.darkreading.com/cybersecurity-operations/chinese-hackers-velociraptor-ir-tool-ransomware-attacks

What we know: A China-based threat group, known as “Storm-2603,” is reportedly exploiting an open-source digital forensics and incident response (DFIR) tool, Velociraptor, to carry out ransomware attacks.

Context: Storm-2603 is known for deploying Warlock and LockBit ransomware. After gaining initial access through on-premises SharePoint vulnerabilities, the threat group reportedly installs outdated versions of Velociraptor that carry a privilege escalation flaw (CVE-2025-6264) and uses them to communicate with an attacker-configured C2 server.

Analyst note: Some Velociraptor binaries that are not signed by Rapid7, the company that maintains the tool, are very likely malicious and in use by attackers.
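The signing check above translates directly into a hunt. The following PowerShell script is an added example, not part of the ZeroFox brief or Rapid7's tooling: it locates Velociraptor executables on a Windows host, reads their Authenticode signature, and flags any binary whose signature is not valid or whose signer subject does not match Rapid7. The search roots, the `velociraptor*.exe` filename pattern, and the `Rapid7` signer substring are assumptions to adjust for your environment; the brief does not list which Velociraptor versions carry CVE-2025-6264, so the script reports the file version for the analyst to compare against Rapid7's advisory rather than judging it.

```powershell
# Added example (not from the ZeroFox brief): hunt for Velociraptor binaries not signed by Rapid7.
# Assumptions: legitimate builds are Authenticode-signed with a signer subject containing "Rapid7",
# and the executables are named like "velociraptor*.exe". Tune the parameters for your estate.
param(
    [string[]]$SearchRoots = @('C:\Program Files', 'C:\ProgramData', 'C:\Users', 'C:\Windows\Temp'),
    [string]$ExpectedSignerPattern = 'Rapid7'   # assumption: substring expected in the signer certificate subject
)

function Test-VelociraptorBinary {
    # Returns a record describing the signature state of one executable.
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    # Anything that is not a valid signature from the expected signer is treated as suspicious.
    $suspicious = ($sig.Status -ne 'Valid') -or ($signer -notmatch $ExpectedSignerPattern)
    [pscustomobject]@{
        Path       = $Path
        Version    = (Get-Item $Path).VersionInfo.FileVersion   # compare against the vendor advisory manually
        SigStatus  = $sig.Status
        Signer     = $signer
        Suspicious = $suspicious
    }
}

# 1. On-disk hunt across the configured roots.
$onDisk = foreach ($root in $SearchRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -Filter 'velociraptor*.exe' -File -ErrorAction SilentlyContinue |
        ForEach-Object { Test-VelociraptorBinary -Path $_.FullName }
}

# 2. Running processes, since an attacker-staged binary may live outside the search roots.
$running = Get-Process -Name 'velociraptor*' -ErrorAction SilentlyContinue |
    Where-Object { $_.Path } |
    ForEach-Object { Test-VelociraptorBinary -Path $_.Path }

$findings = @($onDisk) + @($running) | Sort-Object Path -Unique | Sort-Object Suspicious -Descending
$findings | Format-Table -AutoSize

if ($findings | Where-Object Suspicious) {
    Write-Warning 'Velociraptor binaries with missing, invalid, or unexpected signatures found; review before trusting.'
}
```

Run it with administrative rights so the protected directories are readable. A clean result only means the binary is vendor-signed; a legitimately signed but outdated build can still carry the privilege escalation flaw, which is why the version column is printed alongside the signer.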

DEEP AND DARK WEB INTELLIGENCE

RAMP user vap0r: A previously untested threat actor, “vap0r,” has advertised remote desktop protocol (RDP) access with domain administrator privileges to an unnamed U.S.-based company. Domain administrator privileges could enable threat actors to move laterally across the company's network, create new accounts, and deploy malware.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2025-61884: Oracle has released a patch for a newly disclosed vulnerability affecting its E-Business Suite (EBS). The flaw is remotely exploitable by an unauthenticated attacker with HTTP network access and allows compromise of Oracle Configurator. The security patch follows a recent Cl0p extortion campaign that exploited a zero-day in Oracle EBS to steal sensitive data and issue a ransom demand. Successful exploitation of the vulnerability is likely to enable data theft, exfiltration, and extortion.

Affected products: Oracle EBS versions from 12.2.3 through 12.2.14

Tags: DIB, tlp:green