ZeroFox Daily Intelligence Brief - October 14, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Massive Botnet from 100,000 IPs Targeting RDP Services in the United States
- Medusa Ransomware Breach Compromised Data of 1.2 Million SimonMed Patients
- Geopolitical Focus: Espionage, Conflict, and Natural Disasters
Massive Botnet from 100,000 IPs Targeting RDP Services in the United States
What we know: A massive botnet of over 100,000 IP addresses is targeting Remote Desktop Protocol (RDP) services in the United States. The large-scale attack, reportedly originating from at least 100 countries, including Brazil, Iran, China, and Russia, began on October 8, 2025.
Context: The attackers are reportedly using at least two methods, RD Web Access timing attacks and RDP web client login enumeration. RDP enables remote control of operating systems and is often used by remote workers and IT helpdesk staff.
Analyst note: RDP services exposed directly to the public internet are likely to be more vulnerable to botnet attacks than those reachable only from secured networks. The massive scale of the attack suggests reconnaissance to identify weak RDP accounts, whose initial access can later be sold on the dark web.
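Because a botnet of this size spreads its login attempts across many source IPs, a per-IP lockout or threshold rule sees only a handful of failures from each address. The added example below (not ZeroFox code, and not telemetry from this campaign) shows the complementary detection: it buckets Windows Security event 4625 failures for the RDP logon types into fixed time windows and flags windows where many distinct sources each make only a few attempts. The event records, field layout and thresholds are constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Logon types RDP-style access produces in Windows Security event 4625:
# 10 = RemoteInteractive (RDP / RDP web client), 3 = Network (RD Web Access,
# NLA pre-auth). Type 2 (local console) is not RDP and is ignored here.
RDP_LOGON_TYPES = {3, 10}

# Constructed sample 4625 records: (timestamp, source IP, target account, logon type).
# Illustrative values only, not telemetry from the campaign described above.
SAMPLE_EVENTS = [
    ("2025-10-08T09:00:05", "198.51.100.11", "administrator", 10),
    ("2025-10-08T09:00:41", "203.0.113.27", "admin", 10),
    ("2025-10-08T09:01:12", "192.0.2.88", "helpdesk", 3),
    ("2025-10-08T09:01:50", "198.51.100.203", "jsmith", 10),
    ("2025-10-08T09:02:33", "203.0.113.9", "backup", 3),
    ("2025-10-08T09:03:07", "192.0.2.150", "svc_rdp", 10),
    ("2025-10-08T09:03:40", "192.0.2.150", "administrator", 10),
    ("2025-10-08T09:04:15", "10.0.0.5", "jdoe", 2),   # console logon, not RDP
    ("2025-10-08T11:30:00", "10.0.0.7", "jdoe", 10),  # lone failure, no alert
]

def detect_distributed_rdp_enumeration(events, window_minutes=10,
                                       min_sources=5, max_per_source=3.0):
    """Bucket failed RDP logons into fixed windows and flag windows where many
    distinct source IPs each make only a few attempts: the many-source,
    low-per-IP pattern of a botnet enumerating accounts, which a per-IP
    lockout threshold alone will not catch."""
    buckets = defaultdict(list)
    for ts, src, user, logon_type in events:
        if logon_type not in RDP_LOGON_TYPES:
            continue
        t = datetime.fromisoformat(ts)
        start = t.replace(minute=t.minute - t.minute % window_minutes,
                          second=0, microsecond=0)
        buckets[start].append((src, user))
    alerts = []
    for start in sorted(buckets):
        rows = buckets[start]
        sources = {s for s, _ in rows}
        if len(sources) >= min_sources and len(rows) / len(sources) <= max_per_source:
            alerts.append({
                "window_start": start.isoformat(),
                "attempts": len(rows),
                "distinct_sources": len(sources),
                "distinct_accounts": len({u for _, u in rows}),
            })
    return alerts
```

On the sample data the 09:00 window produces one alert (seven attempts from six sources against six accounts) while the single later failure does not; tune the thresholds to the normal failed-logon rate of the environment before relying on them.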
Medusa Ransomware Breach Compromised Data of 1.2 Million SimonMed Patients
Source: https://www.hipaajournal.com/simonmed-imaging-confirms-january-2025-cyberattack/
What we know: Medical imaging provider SimonMed Imaging suffered a data breach affecting over 1.2 million individuals after threat actors gained unauthorized access to its network between January 21 and February 5, 2025.
Context: The Medusa ransomware group has claimed responsibility for stealing 212 GB of sensitive patient data, including patient IDs, financial details, medical reports, and raw scans from SimonMed Imaging. The group reportedly demanded a USD 1 million ransom, later removing the company from its leak site, suggesting a possible negotiation or payment.
Analyst note: Threat actors are likely to use the highly sensitive medical and financial data for identity theft and insurance fraud, and sell the patient records on dark web marketplaces.
Geopolitical Focus: Espionage, Conflict, and Natural Disasters
- MI5 has warned UK politicians and their staff that spies from China, Russia, and Iran are targeting them in efforts to undermine British democracy. The National Protective Security Authority has issued new guidance to help those in British politics counter espionage and foreign interference.
- At least five people were reportedly killed during clashes between Pakistani police and members of a religious group at an anti-Israel demonstration on the Grand Trunk Road.
- Heavy rains and flooding have killed at least 64 people in central and eastern Mexico, with 65 more still missing, as rivers burst their banks, triggering landslides and sweeping away infrastructure in states including Veracruz, Hidalgo, and Puebla.
- Suspected Islamic State–linked rebels reportedly attacked the village of Mukondo in eastern Congo, killing 19 civilians overnight.
- Forty-two Zimbabwean and Malawian nationals were killed on October 12 when a bus overturned on a mountainous section of the N1 highway in South Africa’s Limpopo province.
DEEP AND DARK WEB INTELLIGENCE
SLH leaks data from major firms: Threat collective “Scattered Lapsus$ Hunters” has allegedly published data stolen from six of the 39 companies it claims to have breached. The six companies include Qantas and Vietnam Airlines, among others. Analysis of the leaked data reportedly indicates that the information is genuine and includes details such as names, contact details, and physical addresses. Exposed data is likely to be sold on the dark web if affected organizations or Salesforce refuse to pay the ransom demand. Threat actors are likely to use the data for social engineering, phishing, and identity theft attacks.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-9976: A command injection vulnerability has been discovered in the Station Launcher App of Dassault Systèmes’ 3DEXPERIENCE platform. The flaw enables attackers to execute arbitrary operating system commands on a user’s machine. Successful exploitation can lead to unauthorized code execution, data theft, or malware deployment. Attackers could gain control of engineering workstations, compromise sensitive design data, and move laterally within corporate networks.
Affected products: 3DEXPERIENCE platform, versions R2022x through R2025x
Tags: DIB, tlp:green