ZeroFox Weekly Intelligence Brief – October 18, 2025
by Alpha Team

ZeroFox’s Weekly Intelligence Briefing highlights the major developments and trends across the threat landscape, including digital, cyber, and physical threats. ZeroFox Intelligence is derived from a variety of sources, including—but not limited to—curated open-source accesses, vetted social media, proprietary data sources, and direct access to threat actors and groups through covert communication channels. Information relied upon to complete any report cannot always be independently verified. As such, ZeroFox applies rigorous analytic standards and tradecraft in accordance with best practices and includes caveat language and source citations to clearly identify the veracity of our Intelligence reporting and substantiate our assessments and recommendations. All sources used in this particular Intelligence product were identified prior to 6:00 AM (EDT) on October 16, 2025; per cyber hygiene best practices, caution is advised when clicking on any third-party links.
Android Users at Risk of New Pixel Attack
What we know:
- A new attack called Pixnapping, a pixel-stealing side-channel attack, enables a malicious app to covertly extract rendered screen content—including two-factor authentication (2FA) codes and other app data—without any special permissions on Android devices. This is done by forcing victim devices’ pixels into the system rendering pipeline.
- The technique reportedly works on modern Android versions (demonstrated on Android 13–16) and can enable threat actors to recover sensitive information in under 30 seconds after the victim installs and opens the malicious app.
Fake Job Hunters Impersonate Major Job Portal
What we know:
- A phishing campaign has been impersonating a major job platform to target job seekers with fake job offers and steal their login credentials.
- The scam reportedly uses multiple languages and fake recruiter identities to appear legitimate.
China-Based Threat Group Weaponizing Open-Source DFIR Tool Velociraptor
What we know:
- A China-based threat group, known as “Storm-2603,” is reportedly exploiting Velociraptor, an open-source digital forensics and incident response (DFIR) tool, to carry out ransomware attacks.
Tags: tlp:green