ZeroFox Daily Intelligence Brief - October 22, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- PassiveNeuron Campaign Targets Key Sectors with Custom Malware
- Over 2,000 Detained in Myanmar Cyber Scam Raid
- “I’m Not a Robot” Captcha Used as Bait in Star Blizzard’s New Espionage Tactics
PassiveNeuron Campaign Targets Key Sectors with Custom Malware
What we know: A threat campaign, dubbed PassiveNeuron, is targeting high-profile government, industrial, and financial organizations across Asia, Africa, and Latin America.
Context: Attackers exploit Windows Server systems to deploy two custom cyberespionage implants, Neursite (a C++ backdoor) and NeuralExecutor (a .NET loader), along with Cobalt Strike for post-exploitation.
Analyst note: Using Neursite’s proxying and plugins plus NeuralExecutor’s ability to run .NET payloads, attackers can move laterally and escalate privileges to reach critical systems. This access will enable follow-on operations, such as credential theft, supply-chain compromise, targeted espionage, or disruptive actions against infrastructure.
Over 2,000 Detained in Myanmar Cyber Scam Raid
What we know: Myanmar’s military raided KK Park, a cybercrime hub near the Thai border, detained over 2,000 people, and seized 30 Starlink terminals used to run global online scams involving romance and investment fraud.
Context: KK Park is part of a vast network of scam compounds across Southeast Asia that traffic workers and force them into cybercrime. The operation follows new U.S. and U.K. sanctions on a major Cambodian scam ring.
Analyst note: The use of unlicensed Starlink equipment indicates likely exploitation of satellite connectivity to bypass national controls. It likely allowed the hub to extend its cybercrime operations into remote regions, complicating cross-border law enforcement efforts.
“I’m Not a Robot” Captcha Used as Bait in Star Blizzard’s New Espionage Tactics
What we know: Russian state-backed group Star Blizzard (also known as ColdRiver, UNC4057, and Callisto) replaced its exposed LostKeys malware with new, evolving strains NOROBOT, YESROBOT, and MAYBEROBOT, delivered through fake “ClickFix” CAPTCHA pages.
Context: The group retooled operations between May and September 2025, using fake verification prompts to trick victims into executing malicious DLLs for persistence and remote control. Victims are lured into completing an “I am not a robot” CAPTCHA that silently launches the NOROBOT malware.
Analyst note: Star Blizzard’s tactic is likely a deliberate move to exploit user trust through subtle, interactive deception. The new toolset gives the group deeper system access and intelligence-gathering reach, enabling it to re-enter old networks and sustain long-term espionage with minimal detection.
DEEP AND DARK WEB INTELLIGENCE
Telegram user Infrastructure Destruction Squad (IDS): The pro-China threat actor has announced plans to launch Xypheron-92, an npm-based framework capable of generating multiple types of malware, including ransomware, trojans, and spyware. A public release could make malware creation accessible to non-technical actors, significantly widening the global cyber threat landscape.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-6542 and CVE-2025-8750: TP-Link has disclosed two command injection flaws in its Omada gateway devices, one of which (CVE-2025-6542) allows remote, unauthenticated code execution. The vulnerabilities enable attackers to run arbitrary OS commands, leading to full system compromise and data theft. If exploited, the flaws could disrupt small business networks and expose sensitive information.
Affected products: The affected products have been listed in this advisory.
Tags: DIB, tlp:green