ZeroFox Daily Intelligence Brief - October 29, 2025

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Schneider Electric Among Alleged Victims of Oracle EBS Exploit
  • 183 Million Stolen Credentials Exposed on Telegram and Dark Web
  • Malware Strain Herodotus Actively Deployed in the Wild

Schneider Electric Among Alleged Victims of Oracle EBS Exploit

Source: https://www.darkreading.com/vulnerabilities-threats/oracle-ebs-attack-victims-more-numerous-expected

What we know: Industrial giant Schneider Electric has been named as one of the victims of Oracle E-Business Suite (EBS) exploitation on a leak site belonging to the Cl0p ransomware group.

Context: Earlier in October 2025, Cl0p ransomware reportedly exploited the now-patched Oracle EBS vulnerability, CVE-2025-61882, enabling remote access and compromise of Oracle Concurrent Processing. Exploiting the flaw can reportedly lead to data theft.

Analyst note: Some organizations have confirmed breaches linked to Oracle EBS exploitation, though the threat group remains unnamed. Given Cl0p ransomware’s established reputation, false claims of compromise are unlikely. However, the severity of the stolen data is likely to be exaggerated.

183 Million Stolen Credentials Exposed on Telegram and Dark Web

Source: https://www.securityweek.com/cybercriminals-trade-183-million-stolen-credentials-on-telegram-dark-forums/

What we know: A massive cache of leaked credentials, including 183 million unique email addresses, has been observed. It was aggregated from info-stealer malware logs circulating across Telegram, cybercrime forums, and the dark web.

Context: These credentials were not stolen from company breaches, but from infected users’ devices and then aggregated by multiple criminal sources into a 3.5 TB dataset containing billions of login records.

Analyst note: This large-scale credential leak will likely enable widespread account takeovers, financial fraud, and identity theft across various online platforms. As users often tend to recycle passwords, these credentials can be reused in massive credential-stuffing attacks, increasing the risk of exploitation.
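A defender-side check for the credential-stuffing risk described above, added here as an example and not part of the ZeroFox brief: it scans constructed authentication log lines and flags any source address that fails logins against many distinct accounts inside a short sliding window, which is the pattern that replaying leaked credential lists produces. The log line format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data); the format is an assumption.
SAMPLE_LOG = """\
2025-10-29T08:00:01Z src=203.0.113.5 user=alice@example.com result=FAIL
2025-10-29T08:00:02Z src=203.0.113.5 user=bob@example.com result=FAIL
2025-10-29T08:00:03Z src=203.0.113.5 user=carol@example.com result=FAIL
2025-10-29T08:00:04Z src=203.0.113.5 user=dave@example.com result=FAIL
2025-10-29T08:00:05Z src=203.0.113.5 user=erin@example.com result=OK
2025-10-29T08:00:10Z src=198.51.100.7 user=frank@example.com result=FAIL
2025-10-29T08:00:11Z src=198.51.100.7 user=frank@example.com result=FAIL
2025-10-29T08:00:12Z src=198.51.100.7 user=frank@example.com result=OK
2025-10-29T09:30:00Z src=203.0.113.5 user=grace@example.com result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

def parse(log_text):
    """Yield (timestamp, src, user, result) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["src"], m["user"], m["result"]

def detect_stuffing(log_text, window=timedelta(minutes=5), min_accounts=4):
    """Return {src: accounts} for sources with failed logins against at least
    `min_accounts` distinct accounts inside any sliding `window` of time.
    Repeated failures on a single account (a forgotten password) are not flagged."""
    fails = defaultdict(list)  # src -> [(ts, user)] for FAIL events only
    for ts, src, user, result in parse(log_text):
        if result == "FAIL":
            fails[src].append((ts, user))
    hits = {}
    for src, events in fails.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide window forward
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_accounts:
                hits[src] = hits.get(src, set()) | users
    return hits
```

In the sample, 203.0.113.5 is flagged for four distinct accounts within four seconds, while 198.51.100.7 (one account, two failures, then success) and the isolated failure at 09:30 are not.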

Malware Strain Herodotus Actively Deployed in the Wild

Source: https://www.bleepingcomputer.com/news/security/new-herodotus-android-malware-fakes-human-typing-to-avoid-detection/

What we know: New Android malware called Herodotus is being sold as malware-as-a-service (MaaS) by threat actors and is reportedly targeting Italian and Brazilian users through SMS phishing campaigns. It uses a “humanizer” feature with typing delays to mimic real user behavior and evade behavioral detection.

Context: The malware strain is capable of device takeover (DTO) and of interacting with Android user interfaces for SMS-code interception, lock-screen code and pattern capture, installing APK files, and other similar activities. Researchers found Herodotus being distributed from at least seven unique web addresses and observed it being actively used by several threat actors.

Analyst note: Since researchers have observed this malware strain being actively deployed in the wild, it is likely that the service is gaining traction on dark web forums and will continue to be deployed against multiple targets in different sectors. As it expands, there could be a surge in criminal infrastructure, with different threat actors setting up additional domains and subdomains linked to its distribution.

DEEP AND DARK WEB INTELLIGENCE

10 million affected in Conduent data breach: A data breach at Conduent Business Solutions, which provides support services to multiple health organizations, has exposed health-related information of more than 10 million patients. The breach occurred after threat actors accessed part of Conduent’s network, affecting multiple healthcare entities that rely on its services.

VULNERABILITY AND EXPLOIT INTELLIGENCE

Dassault vulnerabilities: CISA has warned that two already-patched vulnerabilities in Dassault Systèmes' DELMIA Apriso are under active exploitation by threat actors. The vulnerabilities are a critical-severity missing authorization flaw (CVE-2025-6205) and a high-severity code injection vulnerability (CVE-2025-6204). CVE-2025-6205 can enable remote and privileged access to unpatched applications, while CVE-2025-6204 can enable arbitrary code execution by attackers who already hold high privileges. Successful exploitation of the flaws is likely to force organizations to temporarily suspend operations, resulting in manufacturing disruptions and cascading losses.

Affected products: Dassault Systèmes' DELMIA Apriso from Release 2020 through Release 2025

Tags: DIB, tlp:green