ZeroFox Daily Intelligence Brief - October 21, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- DOJ Warns of Phishing and Spoofing Scams Following Typhoon Halong
- Salt Typhoon Suspected of Compromising European Telecom Company
- Europol Shuts Down Major SIM-Boxing Network and Arrests Seven Suspects
DOJ Warns of Phishing and Spoofing Scams Following Typhoon Halong
What we know: The U.S. Department of Justice (DOJ) has warned the public and victims of Typhoon Halong that fraudsters may target them in phishing and impersonation scams in the guise of disaster relief efforts.
Context: Typhoon Halong’s devastating floods in Alaska have left over 1,500 people displaced. The DOJ’s warning states that fraudsters use phishing to steal personal and financial information and spoofing to pose as trusted agencies or charities to obtain money fraudulently.
Analyst note: Fraudsters are likely to impersonate well-known charities, government officials, insurance company representatives, and others through email, website, or caller ID spoofing to obtain financial and other personal details from victims and steal money. They are also likely to solicit investments in non-existent businesses that promise to rebuild homes and similar projects.
Salt Typhoon Suspected of Compromising European Telecom Company
Source: https://www.theregister.com/2025/10/20/salt_typhoon_european_telco/
What we know: A Chinese state-associated hacking group, Salt Typhoon, has reportedly compromised a European telecommunications firm. The group reportedly exploited unpatched Citrix NetScaler vulnerabilities and deployed backdoors for espionage.
Context: The group used Dynamic Link Library (DLL) sideloading, with the malicious DLLs disguised as legitimate antivirus files, to evade detection and maintain persistence. Salt Typhoon, known for past cyberattacks against other major telecoms, was suspected of exploiting a vulnerability in its attacks in July 2025.
Analyst note: Since Salt Typhoon continues to be observed targeting telecom companies, it is likely carrying out an extensive campaign against telecom providers worldwide to gain access to sensitive communications and data. This data could be valuable to the Chinese state for further intelligence gathering, surveillance, strategic decision-making, and geopolitical leverage.
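The DLL sideloading technique described above leaves a characteristic trace in image-load telemetry: a DLL carrying the name of a legitimate product component is loaded from a directory where that product does not live, usually alongside the host executable, and usually without a valid signature. The following is an added example, not code from ZeroFox or from any vendor, that runs that detection logic over a few constructed records shaped like the fields of a Sysmon Event ID 7 (Image loaded) event. The trusted-directory allowlist, the product names, the DLL-to-home-directory table and the sample events are all assumptions built for illustration, not observed Salt Typhoon artefacts.

```python
"""Flag DLL loads that look like sideloading, using Sysmon-style Event ID 7 fields.

Added example for the brief's Salt Typhoon item; not ZeroFox, Sysmon or vendor code.
Directory allowlist, product/DLL names and sample events are constructed assumptions.
"""
import ntpath

# Directories from which a DLL load is considered expected (assumption).
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",          # also matches "c:\program files (x86)"
)

# Where a given product DLL is expected to live (constructed; a real deployment
# would build this from software inventory or the vendor's install layout).
EXPECTED_HOMES = {
    "scancore.dll": r"c:\program files\exampleav",
}

# Constructed image-load records mimicking Sysmon Event ID 7 field names.
EVENTS = [
    {"Image": r"C:\Program Files\ExampleAV\scanhost.exe",
     "ImageLoaded": r"C:\Program Files\ExampleAV\scancore.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\Public\Libraries\scanhost.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\scancore.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]


def _dir_of(path: str) -> str:
    """Lower-cased directory part of a Windows path."""
    return ntpath.dirname(path).lower()


def in_trusted_dir(path: str) -> bool:
    return any(_dir_of(path).startswith(d) for d in TRUSTED_DIRS)


def sideload_indicators(event: dict) -> list:
    """Return the reasons (possibly none) an image-load event looks like sideloading."""
    reasons = []
    dll, exe = event["ImageLoaded"], event["Image"]
    name = ntpath.basename(dll).lower()

    if not in_trusted_dir(dll):
        reasons.append("dll loaded from outside trusted directories")
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("dll unsigned or signature not valid")
    # Classic sideload shape: host executable and DLL sit together in an untrusted directory.
    if _dir_of(dll) == _dir_of(exe) and not in_trusted_dir(exe):
        reasons.append("dll loaded from the host executable's own untrusted directory")
    # Name collision with a known product component loaded from the wrong place.
    home = EXPECTED_HOMES.get(name)
    if home is not None and _dir_of(dll) != home:
        reasons.append(f"{name} loaded from {_dir_of(dll)} instead of {home}")
    return reasons


def find_sideload_candidates(events: list) -> list:
    """(host exe, dll, reasons) for every event with at least one indicator."""
    out = []
    for e in events:
        reasons = sideload_indicators(e)
        if reasons:
            out.append((e["Image"], e["ImageLoaded"], reasons))
    return out


if __name__ == "__main__":
    for exe, dll, reasons in find_sideload_candidates(EVENTS):
        print(f"{exe} -> {dll}")
        for r in reasons:
            print(f"   - {r}")
```

Only the second constructed event fires: the same DLL name loaded from the product's own install directory, signed and valid, produces no indicators, which is the distinction that keeps this rule from paging on every legitimate antivirus load. In production the allowlist and home-directory table should come from inventory rather than be hard-coded.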
Europol Shuts Down Major SIM-Boxing Network and Arrests Seven Suspects
Source: http://europol.europa.eu/media-press/newsroom/news/cybercrime-service-takedown-7-arrested
What we know: The Europol-led international operation SIMCARTEL dismantled a major cybercrime-as-a-service network. Authorities arrested seven suspects and seized around 1,200 SIM-boxes and several servers used for large-scale telecom fraud.
Context: The network allegedly enabled thousands of scams by automating calls and SMS messages through compromised telecom systems. Perpetrators were able to hide their identities and location because of sophisticated network infrastructure.
Analyst note: The operation disrupted a network that facilitated identity theft, banking fraud, and social engineering attacks across Europe. Victims likely suffered financial losses and data exposure from scams that appeared legitimate due to real telecom routing.
DEEP AND DARK WEB INTELLIGENCE
Nintendo data breach: Nintendo has confirmed that its external web servers were breached by the hacking group Crimson Collective, but said no personal, payment or sensitive business data was stolen. The attackers allegedly accessed public-facing systems showing folder and file structures, which do not store user data or internal assets. While the breach appears low-impact, it could still give attackers useful insight into Nintendo’s network setup, which could be used in future break-in attempts or phishing schemes.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-9242: Nearly 76,000 WatchGuard Firebox security appliances remain exposed online and vulnerable to a flaw that enables unauthenticated remote code execution. Most affected devices are reportedly in Europe and North America. Attackers are likely to exploit this flaw to gain control of network gateways, potentially leading to data breaches, ransomware attacks, or wider network compromise.
Affected products: WatchGuard Firebox OS versions 11.10.2 through 11.12.4_Update1, 12.0 through 12.11.3, and 2025.1
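Turning the affected-version list above into an inventory check is the first triage step for this item, and it is less trivial than it looks because Firebox OS version strings mix dotted numbers with suffixes such as "_Update1". The following is an added example, not ZeroFox's or WatchGuard's code: it parses the version strings, tests each against the three affected ranges exactly as the brief states them, and reports which hosts in a constructed inventory need attention. The ordering rule for "_UpdateN" suffixes (newer than the bare release they patch) and the sample inventory are assumptions; the brief does not list fixed versions, so consult the vendor advisory for those.

```python
"""Check WatchGuard Firebox OS version strings against the CVE-2025-9242 ranges in the brief.

Added example, not ZeroFox or WatchGuard code. Ranges are copied from the brief;
the suffix ordering rule and the sample inventory are assumptions.
"""
import re

# (lowest affected, highest affected), inclusive, as stated in the brief.
AFFECTED_RANGES = [
    ("11.10.2", "11.12.4_Update1"),
    ("12.0", "12.11.3"),
    ("2025.1", "2025.1"),
]

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:_Update(\d+))?")


def parse_version(ver: str) -> tuple:
    """Turn '11.12.4_Update1' into a comparable tuple (11, 12, 4, 1).

    Numeric components compare as integers and are padded to three places so
    '12.0' == '12.0.0'. A trailing '_UpdateN' becomes a fourth component, so an
    update sorts after the bare release it patches (assumption).
    """
    m = _VERSION_RE.fullmatch(ver.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {ver!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    if len(nums) > 3:
        raise ValueError(f"too many components in {ver!r}")
    nums += [0] * (3 - len(nums))
    update = int(m.group(2)) if m.group(2) else 0
    return tuple(nums) + (update,)


def is_affected(ver: str) -> bool:
    """True if ver falls inside any affected range (inclusive at both ends)."""
    v = parse_version(ver)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def triage(inventory: dict) -> list:
    """Return sorted [(host, version)] for every appliance running an affected build."""
    return sorted((host, ver) for host, ver in inventory.items() if is_affected(ver))


# Constructed inventory: hostname -> reported Firebox OS version.
SAMPLE_INVENTORY = {
    "fw-edge-01": "12.11.3",
    "fw-edge-02": "12.11.4",
    "fw-branch-07": "11.12.4_Update1",
    "fw-branch-08": "11.12.5",
    "fw-lab-01": "2025.1",
    "fw-old-01": "11.10.1",
}

if __name__ == "__main__":
    for host, ver in triage(SAMPLE_INVENTORY):
        print(f"{host}: {ver} is within an affected range for CVE-2025-9242")
```

The parser deliberately rejects strings it does not understand rather than silently treating them as unaffected; an unparseable version in an inventory export is itself something to investigate.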
Tags: DIB, tlp:green