ZeroFox Daily Intelligence Brief - October 15, 2025

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Pixel-Stealing Malware Poses New Risk to Android Users
  • Chinese APT Flax Typhoon Turns Geospatial Mapping Server into Backdoor
  • Satellites Leak Unencrypted Data and Global Communications

Pixel-Stealing Malware Poses New Risk to Android Users

Source: https://thehackernews.com/2025/10/new-pixnapping-android-flaw-lets-rogue.html

What we know: Pixnapping is a new pixel-stealing side-channel attack targeting Android devices that can covertly exfiltrate 2FA codes, map timelines, and other sensitive on-screen data. In the attack, a malicious app exploiting Android APIs and a GPU side-channel can steal pixels in under 30 seconds without special permissions.

Context: Pixnapping enables a malicious app to overlay invisible windows on another app and covertly reconstruct that app’s on-screen pixels. The underlying flaw, tracked as CVE-2025-48561 and fixed in September, makes Android devices vulnerable to Pixnapping, though researchers have observed a workaround that re-enables the attack on patched devices.

Analyst note: Since the attack requires no special permissions, threat actors could distribute weaponized apps via third-party stores and social-engineering campaigns to compromise devices and steal 2FA codes, financial data, and personal messages.

Chinese APT Flax Typhoon Turns Geospatial Mapping Server into Backdoor

Source: https://www.darkreading.com/application-security/chinas-flax-typhoon-geo-mapping-server-backdoor

What we know: Chinese advanced persistent threat (APT) group “Flax Typhoon” reportedly compromised Esri’s geospatial mapping application ArcGIS to create a backdoor into an organization’s network that persisted for over a year.

Context: The threat group exploited a public-facing ArcGIS server linked to an internal server by modifying the application’s Java server object extension (SOE). The group then used disguised commands to create a hidden system directory on the server.

Analyst note: The attack method, which relied on creative modification of a legitimate application rather than on malware, very likely suggests the need for signature-based detection. The attack trajectory also indicates that threat actors target public-facing applications to covertly infiltrate the networks of target organizations.

Satellites Leak Unencrypted Data and Global Communications

Source: https://techcrunch.com/2025/10/14/satellites-found-exposing-unencrypted-data-including-phone-calls-and-some-military-comms/

What we know: Researchers have discovered that nearly half of all geostationary satellites are transmitting unencrypted data, thereby exposing sensitive consumer, corporate, and military communications.

Context: Using a low-cost satellite receiver, the researchers intercepted private calls, texts, and internet traffic over three years. The study revealed security gaps in satellite communication systems, affecting telecom networks, airlines, and critical infrastructure sectors such as energy and water.

Analyst note: Outdated or unsecured satellite communication protocols are leaving global data transmissions vulnerable to interception by anyone with inexpensive equipment. Attackers or hostile entities could exploit the unencrypted streams to conduct espionage or data theft, or to disrupt communications.

DEEP AND DARK WEB INTELLIGENCE

XSS user LeaksPlus: An untested actor, “LeaksPlus,” has advertised source code for a cryptocurrency wallet stealer. The tool reportedly includes dynamic path discovery, recursive file harvesting, binary file handling, and AES-256-GCM decryption. With the source code, threat actors could improve the code or combine it with loaders and other stealers, producing many strains with differing capabilities.

VULNERABILITY AND EXPLOIT INTELLIGENCE

Microsoft Patch Tuesday: Microsoft released security patches for 172 flaws, including six zero-days and eight critical vulnerabilities. The critical vulnerabilities include five remote code execution and three privilege escalation flaws. This is also the final Patch Tuesday update for Windows 10 systems. Unpatched systems, especially those with publicly available exploits, are very likely to be targeted by threat actors.

Affected products: The affected products are listed in this advisory.

SAP October 2025 security patches: SAP has released 13 new security notes and four updates to previously released security notes as part of its October 2025 Security Patch Day. Among these, SAP reissued a fix for CVE-2025-42944, a critical insecure deserialization vulnerability in NetWeaver AS Java, which had been previously patched in September 2025.

Affected products: The affected products are listed in this advisory.

Tags: DIB, TLP:GREEN