ZeroFox Daily Intelligence Brief - October 27, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Everest Group Alleges Data Theft from Dublin Airport and Air Arabia
- Threat Actors Targeting “Telegram X” Users with Android Backdoor
- CryptoChameleon Targets LastPass Users in Passkey Phishing Campaign
Everest Group Alleges Data Theft from Dublin Airport and Air Arabia
Source: https://hackread.com/everest-ransomware-dublin-airport-passenger-data/
What we know: Everest ransomware group has claimed responsibility for breaching Dublin Airport and Air Arabia, allegedly stealing passenger and employee data. Both incidents were listed on the group’s leak site, with access restricted by password.
Context: The group has claimed attacks in the aviation sector, including one on a major aerospace and defense technology company that caused widespread operational disruption at European airports.
Analyst note: Everest has given Dublin Airport and Air Arabia six days to communicate with it, after which it has threatened to leak the allegedly stolen data online. If leaked, the sensitive travel and personnel information could enable identity theft, targeted phishing, espionage, or credential abuse against compromised entities.
Threat Actors Targeting “Telegram X” Users with Android Backdoor
Source: https://cybersecuritynews.com/hackers-weaponizing-telegram-messenger/amp/
What we know: Threat actors are targeting users of Telegram’s alternative client, “Telegram X,” with an Android backdoor that gives them complete control of victim accounts.
Context: The backdoor, detected as “Android.Backdoor.Baohuo.1.origin,” is delivered through malicious in-app advertisements on Telegram X that pose as legitimate dating platforms. The ads promise “free video chats” and dating opportunities but deliver malicious APKs disguised as legitimate Telegram X builds.
Analyst note: On compromised devices, threat actors can read SMS messages, contacts, and clipboard contents while the Telegram X app is minimized, very likely leading to credential theft, including cryptocurrency wallet passwords.
CryptoChameleon Targets LastPass Users in Passkey Phishing Campaign
What we know: A phishing campaign has been impersonating LastPass, targeting users with fake “legacy inheritance” access requests that claim a family member is trying to access their password vault using a death certificate. The emails include a link to a fraudulent domain (lastpassrecovery[.]com) that mimics LastPass’s site and prompts victims to enter their master password.
Context: This phishing campaign reportedly aims to steal passkeys, which are used for passwordless authentication to verify identity without transmitting passwords. It has been attributed to the threat group CryptoChameleon, which previously deployed phishing kits to steal cryptocurrency credentials from major cryptocurrency platforms.
Analyst note: CryptoChameleon is likely using phishing tactics to trick victims into revealing their passkeys so the attacker can intercept, replace, or reuse them for account takeover.
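As an added example (not part of the brief and not ZeroFox tooling), the following Python script shows how a mail-security team could flag inbound links that match the reported indicator or imitate the impersonated brand. The indicator lastpassrecovery[.]com comes from the brief; the legitimate domain lastpass.com, the sample messages, and all function names are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Defanged indicator taken from the brief; everything else below is constructed.
PHISHING_IOCS = {"lastpassrecovery[.]com"}
# Assumed legitimate domain for the impersonated brand (assumption, not from the brief).
LEGIT_DOMAINS = {"lastpass.com"}
BRAND = "lastpass"

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Turn a defanged indicator (lastpassrecovery[.]com, hxxp://) back into a matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def registered_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Fine for .com; use a public-suffix list for co.uk and similar."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url: str) -> str:
    """Return one of: ioc_match, legitimate, brand_lookalike, unknown."""
    host = (urlsplit(url).hostname or "").lower()
    domain = registered_domain(host)
    if domain in {refang(i) for i in PHISHING_IOCS}:
        return "ioc_match"
    if domain in LEGIT_DOMAINS:
        return "legitimate"
    # Brand string anywhere in the host catches subdomain tricks such as
    # lastpass.com.<attacker-domain>, where the registered domain is not the brand's.
    if BRAND in host.replace("-", "").replace("_", ""):
        return "brand_lookalike"
    return "unknown"


def scan_messages(messages):
    """Return (message_id, url, verdict) for every URL that is not on a legitimate domain."""
    findings = []
    for msg_id, body in messages:
        for url in URL_RE.findall(body):
            verdict = classify_url(url)
            if verdict != "legitimate":
                findings.append((msg_id, url, verdict))
    return findings


# Constructed sample messages, modelled on the "legacy inheritance" lure described above.
SAMPLE_MESSAGES = [
    ("m1", "A family member has requested legacy access to your vault. Review: https://lastpassrecovery.com/inheritance"),
    ("m2", "Your monthly security report is ready: https://lastpass.com/account"),
    ("m3", "Verify your identity at https://lastpass.com.verify-login.example/reset before access is granted"),
    ("m4", "Team lunch menu attached, see https://intranet.example.org/menu"),
]

if __name__ == "__main__":
    for finding in scan_messages(SAMPLE_MESSAGES):
        print(finding)
```

Only the "ioc_match" and "brand_lookalike" verdicts warrant blocking or an alert; "unknown" is returned for triage so that links to unrelated domains are visible but not treated as malicious. The registered-domain helper is deliberately naive, and a production rule should use a public-suffix list so that multi-label TLDs are handled correctly.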
DEEP AND DARK WEB INTELLIGENCE
Exploit user BIG-BROTHER: Untested threat actor "BIG-BROTHER" has advertised on the Exploit forum that they have breached the Internal Security Forces of Qatar and are offering the data for sale. The seller claims the dump contains roughly 1,900 personnel records with names, emails, phone numbers, departments, and company details. Interested buyers could exploit this data for identity theft and for phishing attacks that trick personnel into revealing further sensitive information about specific targets.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-59287: Microsoft has released an out-of-band security patch for a remote code execution (RCE) vulnerability in Windows Server Update Services (WSUS). The vulnerability enables unauthenticated actors to achieve RCE with SYSTEM privileges. CISA has also added the flaw to its Known Exploited Vulnerabilities Catalog. Successful exploitation of the flaw is likely to enable threat actors to move laterally within a compromised network.
Affected products: The affected products are listed in this advisory.
Tags: DIB, tlp:green