ZeroFox Daily Intelligence Brief - October 28, 2025

ZeroFox Daily Intelligence Brief - October 28, 2025

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

• Fake Number, Real Damage: Europol Urges Action Against Caller ID Spoofing
• Personal Data of Cyber Spy Academy Associates Exposed in Data Breach
• Italian Spyware Vendor Exploited Google Chrome Flaw in Operation ForumTroll

Fake Number, Real Damage: Europol Urges Action Against Caller ID Spoofing

Source: https://www.europol.europa.eu/media-press/newsroom/news/fake-number-real-damage-europol-urges-action-against-caller-id-spoofing

What we know: Europol has issued a warning on the rise of caller-ID spoofing, where attackers manipulate phone numbers to impersonate trusted entities, enabling large-scale cyber-enabled fraud and social engineering attacks across Europe.

Context: Cybercriminals are increasingly exploiting Voice over Internet Protocol (VoIP) systems and weak authentication to launch scams that bypass telecom protections.

Analyst note: Caller-ID spoofing enables attackers to make fraudulent calls appear legitimate, enabling phishing, vishing, and identity-theft campaigns. Europol urges unified technical standards, stricter telecom controls, cross-border cooperation, and public vigilance to curb caller-ID spoofing.

Personal Data of Cyber Spy Academy Associates Exposed in Data Breach

Source: https://www.theregister.com/2025/10/27/breach_iran_ravin_academy/

What we know: Iran-linked Ravin Academy has experienced a data breach exposing the names, phone numbers, and usernames of its associates and students. The leak, allegedly released online by an activist, also included some national ID numbers and class details.

Context: Ravin Academy is reportedly a state-sponsored cybersecurity training institution closely tied to Iran’s Ministry of Intelligence and Security (MOIS). The academy was earlier sanctioned by the United States, United Kingdom, and European Union for recruiting cyber specialists for intelligence operations and human rights abuses.

Analyst note: The names, phone numbers, and national ID numbers revealed could help identify individuals trained or affiliated with Iran’s MOIS-linked cyber operations and track their activities to predict future attacks and targets.

Italian Spyware Vendor Exploited Google Chrome Flaw in Operation ForumTroll

Source: https://www.bleepingcomputer.com/news/security/italian-spyware-vendor-linked-to-chrome-zero-day-attacks/

What we know: Italian spyware vendor Memento Labs reportedly exploited a zero-day vulnerability in Google Chrome, tracked as CVE-2025-2783, as part of Operation ForumTroll in early 2025. Operation ForumTroll targeted Russian organizations including government and financial entities, research centres, and media outlets.

Context: Threat actors circulated fake invitations to the Primakov Readings forum containing a malicious link via phishing that delivered LeetAgent, a modular spyware. In previous attacks, LeetAgent was also used to deliver the Dante spyware linked to Memento Labs.

Analyst note: The incident indicates the now-patched vulnerability is very likely to be exploited in cyber espionage campaigns with specific targets. Google Chrome users are recommended to update their systems to the latest version to prevent intrusions.

DEEP AND DARK WEB INTELLIGENCE

BreachForums’ alleged new domain: On October 27, 2025, ZeroFox observed another attempt to revive dark web platform BreachForums with the latest domain, "breached[.]sh." Following the law enforcement takedown of previous BreachForums domains, threat actors “SEPTEMBER” and “koko” have claimed to have launched the new domain. The domain resembles the original BreachForums interface. The latest domain is likely a legitimate revival of BreachForums, but its longevity remains unknown.

VULNERABILITY AND EXPLOIT INTELLIGENCE

ChatGPT vulnerability: A newly discovered vulnerability in OpenAI’s ChatGPT Atlas web browser enables attackers to exploit a cross-site request forgery (CSRF) flaw to inject malicious instructions into the AI assistant’s persistent memory, enabling arbitrary code execution. Threat actors could exploit it to infect systems, escalate privileges, or deploy malware, with the corrupted memory persisting across sessions and devices.

Affected product: ChatGPT’s Atlas web browser