ZeroFox Daily Intelligence Brief - October 16, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Elasticsearch Server Exposes 6 Billion Records from Data Breaches and Scraping
- Fashion Retailer MANGO Discloses Data Breach Affecting Customers
- Fake Job Hunters Impersonate Major Job Portal
Elasticsearch Server Exposes 6 Billion Records from Data Breaches and Scraping
Source: https://hackread.com/elasticsearch-leak-6-billion-record-scraping-breaches/
What we know: A misconfigured Elasticsearch server that collected detailed records from data breaches, website scraping, and other sources was found exposing over 6 billion records to the public without any authentication or password protection.
Context: The server was reportedly operated from Russia or a Russian-speaking country. It was taken offline upon reports of the data leak. The exposed records also reportedly included banking details and personally identifiable information (PII) of users from Ukraine’s Accordbank.
Analyst note: The leak reportedly involves other databases, which are likely to contain additional data, including passwords. The server is believed to be operated by cybercriminals. Threat actors have previously been known to accidentally expose their own servers.
Fashion Retailer MANGO Discloses Data Breach Affecting Customers
What we know: Spanish fashion retailer MANGO has informed its customers of a data breach stemming from its marketing vendor. The breach has reportedly exposed details such as names, emails, contact details, and postal codes.
Context: MANGO confirmed that neither its corporate servers nor sensitive data, such as last names, payment details, and identity numbers, were compromised. The fashion retailer operates physical and e-commerce stores across 120 countries.
Analyst note: Threat actors are likely to demand ransom from the affected company or companies in exchange for not publishing or selling the stolen data. Exposed data is also likely to be used in phishing and social engineering attacks.
Fake Job Hunters Impersonate Major Job Portal
Source: https://hackread.com/fake-google-job-offer-email-scam-workspace-microsoft-365/
What we know: A phishing campaign has been impersonating a major job platform to target job seekers with fake job offers to steal their login credentials. The scam reportedly uses multiple languages and fake recruiter identities to appear legitimate.
Context: Victims are lured through emails containing “Book a Call” links that lead to fake Cloudflare pages and spoofed login screens designed to harvest credentials. Attackers also use hidden web formatting and newly registered domains to evade email security filters and detection systems.
Analyst note: These threat actors are likely to continue diversifying their tactics and refining their phishing kits to mimic more job platforms, impersonate multiple brands, stay undetected for longer, and develop phishing templates for specific industries, roles, and languages.
DEEP AND DARK WEB INTELLIGENCE
Exploit user Mastermind100: Untested threat actor “Mastermind100” has advertised a phishing framework targeting TWINT, a Swiss mobile payment service. The toolkit reportedly includes phishing pages for over 70 Swiss banks, which could enable interested buyers to harvest large numbers of login credentials, one-time passwords, and session tokens from TWINT customers.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-2611: This flaw in ICTBroadcast autodialer software is reportedly being actively exploited to achieve unauthenticated remote code execution. The flaw stems from improper input validation that could enable threat actors to inject shell commands, leading to full system compromise on affected devices.
Affected products: ICTBroadcast versions 7.4 and below
Tags: DIB, tlp:green