Advisories

ZeroFox Daily Intelligence Brief - October 24, 2025

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • North Korean Hackers Use Fake Job Offers to Steal Sensitive Drone and Aerospace Intelligence
  • Toys “R” Us Canada Data Breach Exposes Customer Details
  • Hackers Launch Attacks Exploiting Adobe Commerce Flaw

North Korean Hackers Use Fake Job Offers to Steal Sensitive Drone and Aerospace Intelligence

Source: https://thehackernews.com/2025/10/north-korean-hackers-lure-defense.html

What we know: North Korean state hackers, tied to the Lazarus Group, have been impersonating defense recruiters to lure European engineers with fake job opportunities and deploy malware to steal sensitive drone and aerospace intelligence.

Context: The campaign, active since March 2025 and tracked as Operation Dream Job, uses trojanized PDF readers and DLL sideloading to deploy tools such as ScoringMathTea and MISTPEN. It specifically targets companies in the European defense supply chain involved in unmanned aerial vehicle (UAV) and metal-engineering projects.

Analyst note: The intelligence gathered in the operation is likely to be utilized in North Korea’s domestic drone production to enhance reconnaissance and strike capabilities. If successful, it could also inspire copycat recruitment-based espionage by other state actors, expanding the threat to global aerospace and defense sectors.

Toys “R” Us Canada Data Breach Exposes Customer Details

Source: https://www.bleepingcomputer.com/news/security/toys-r-us-canada-warns-customers-info-leaked-in-data-breach/

What we know: Toys “R” Us Canada has disclosed that a threat actor leaked customer records stolen from its database. It discovered a leaked data set in a dark web posting on July 30, 2025, where the threat actor had claimed the data belonged to Toys “R” Us customers.

Context: After the discovery, the company confirmed that the data was authentic and engaged third-party cybersecurity experts to investigate and contain the incident. The exposed information includes full names, physical addresses, email addresses, and phone numbers, but not passwords and payment data.

Analyst note: This breach exposes customers’ personally identifiable information (PII), leaving them vulnerable to phishing, identity theft, and social-engineering attacks. Because the data is now publicly accessible, cybercriminals can misuse it for a range of fraudulent activities.

Hackers Launch Attacks Exploiting Adobe Commerce Flaw

Source: https://www.securityweek.com/exploitation-of-critical-adobe-commerce-flaw-puts-many-ecommerce-sites-at-risk/

What we know: Hackers are actively exploiting a critical flaw, CVE-2025-54236 (dubbed SessionReaper), in Adobe Commerce and Magento Open Source that allows attackers to bypass security features and take over customer accounts.

Context: The flaw affects versions 2.4.4 to 2.4.7. Adobe released a hotfix on September 9, but only 38 percent of Magento stores have been patched, leaving the majority of e-commerce sites exposed.

Analyst note: Researchers have already observed 250 attacks. Threat actors are likely to develop automated exploitation tooling for such a widely exploited flaw, which will enable them to scale up their operations and disrupt online stores that have yet to deploy the hotfix.

DEEP AND DARK WEB INTELLIGENCE

DarkForums user 888: Threat actor “888” has allegedly leaked data from Figment POS, a Jordan-based Point-of-Sale (POS) solutions provider. The leak reportedly includes the company’s source code. If verified, the breach could expose POS systems to exploitation and directly impact retailers or customers relying on Figment’s payment infrastructure.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2025-61932: Hackers are exploiting this critical flaw in zero-day attacks. It enables remote code execution through malicious packets and affects versions 9.4.7.2 and earlier. Active exploitation could disrupt major Japanese enterprises, cause operational downtime, and expose data across connected global networks. CISA has added this vulnerability to its Known Exploited Vulnerabilities Catalog.

Affected products: Lanscope Endpoint Manager

Tags: DIB, tlp:green