ZeroFox Daily Intelligence Brief - November 3, 2025

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Attacker Exploits SSO Account, Publishes Data, Sends Offensive Emails
  • Russia Arrests Three Developers of Meduza Stealer Malware
  • State-Backed Hackers Using Airstalk Malware in Supply Chain Attack

Attacker Exploits SSO Account, Publishes Data, Sends Offensive Emails

Source: https://www.bleepingcomputer.com/news/security/university-of-pennsylvania-hacker-claims-1.2-million-donor-data-breach/

What we know: A threat actor has claimed responsibility for breaching the University of Pennsylvania’s systems in late October 2025, allegedly compromising data on 1.2 million donors, students, and alumni. The attacker claimed they accessed internal platforms, including Salesforce, after compromising an employee’s single sign-on (SSO) account.

Context: The attacker claimed their motive was financial, targeting the school’s “wealthy donor database.” A 1.7-GB data archive has already been published, and the full donor database could reportedly be released later. The perpetrator has also used Penn’s Salesforce Marketing Cloud to send offensive mass emails from legitimate @upenn[.]edu addresses, impersonating staff and departments.

Analyst note: The attacker likely finds the donor database valuable and highly marketable in underground markets because of the potentially detailed personal and financial data it holds, including net worth estimates, donation history, and contact information. The attacker could be aiming to sell or trade it, run targeted phishing and investment scams, and map relationships among donors for financial and intelligence gain.

Russia Arrests Three Developers of Meduza Stealer Malware

Source: https://hackread.com/russia-arrests-meduza-stealer-developers/

What we know: Russian authorities reportedly arrested three alleged developers of the Meduza Stealer malware on October 30, 2025. Investigators say the suspects were caught after mistakenly targeting a Russian government organization, violating their own geo-filtering rules meant to avoid local victims.

Context: The individuals reportedly operated the info-stealing Malware-as-a-Service (MaaS) from 2023, selling access for up to USD 1,199. This event follows recent news of Russia beginning to crack down on some resident cyber threat actors.

Analyst note: The arrests are likely to lead law enforcement activity to other Meduza Stealer operators. Additionally, due to the crackdowns, other cyber threat groups and actors in Russia are likely to adapt by relocating operations abroad, tightening their operational security, and shifting to less visible services to avoid Russian law enforcement scrutiny.

State-Backed Hackers Using Airstalk Malware in Supply Chain Attack

Source: https://thehackernews.com/2025/10/nation-state-hackers-deploy-new.html

What we know: A suspected state-backed threat group, tracked as CL-STA-1009, has been found deploying a new malware called Airstalk as part of a possible supply chain attack.

Context: The malware abuses the AirWatch mobile device management (MDM) API, now called Workspace ONE Unified Endpoint Management, to create covert command-and-control (C2) channels. The malware is reportedly capable of capturing screenshots and monitoring browser history and bookmarks.

Analyst note: Organizational mobile devices are more likely to be targeted by the malware than personal devices, since AirWatch is used by organizations to manage corporate and other devices used by employees. The attackers are also likely to target high-value individuals and entities such as government personnel, diplomats, and politicians.

DEEP AND DARK WEB INTELLIGENCE

X user Keymous: The North African threat group "Keymous" has claimed on X to have leaked data associated with the France-based company Lynred. The company designs and manufactures high-performance infrared (IR) detectors for defense, space, industrial, and commercial purposes. The pro-Palestinian threat group has not shared sample data, which indicates that the claim is very likely a psychological operation meant to undermine trust in the defense manufacturing supply chain of the perceived adversary.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2025-9491: This is a zero-day vulnerability in Microsoft Windows LNK (shortcut) file handling that enables remote attackers to execute arbitrary code on affected systems. A China-linked threat group is reportedly exploiting the flaw against European diplomats, using spearphishing to deliver the PlugX malware. The flaw is likely to enable attackers to gain persistent access to targeted systems, facilitating data theft from diplomatic networks.

Affected products: Windows Operating Systems

Tags: DIB, tlp:green