ZeroFox Daily Intelligence Brief - November 6, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- New Hacker Group Smudged Serpent Linked to Iran Targeting U.S. Policy Experts
- Kimsuky Deploys New HttpTroy Backdoor Against South Korean Targets
- Geopolitical Focus: Espionage, Disasters, and Political Unrest
New Hacker Group Smudged Serpent Linked to Iran Targeting U.S. Policy Experts
Source: https://thehackernews.com/2025/11/mysterious-smudgedserpent-hackers.html
What we know: New Iran-linked threat activity cluster UNK_SmudgedSerpent has been uncovered targeting Western academics and foreign policy experts between June and August 2025, coinciding with heightened geopolitical tensions between Iran and Israel.
Context: UNK_SmudgedSerpent impersonated prominent figures in Western foreign policy think tanks and used political lures, such as societal change in Iran, to phish over 20 Iran-focused U.S.-based think tank experts. Then, they attempted to steal credentials or trick targets into installing legitimate remote monitoring and management (RMM) tools.
Analyst note: UNK_SmudgedSerpent’s tactics closely resemble the activity of Iranian hacker groups such as Smoke Sandstorm, very likely indicating a state-sponsored cyber espionage campaign aimed at gathering intelligence on foreign policy discussions. The activity also likely indicates growing collaboration between Iran’s intelligence entities and its cyber units.
Kimsuky Deploys New HttpTroy Backdoor Against South Korean Targets
Source: https://www.darkreading.com/vulnerabilities-threats/kimsuky-httptroy-backdoor-south-korea-users
What we know: North Korea-linked Kimsuky has deployed a new backdoor, HttpTroy, delivered via a malicious ZIP archive. The backdoor, which secretly installs a multistage payload granting full remote access to compromised devices, was deployed against targets in South Korea.
Context: The HttpTroy backdoor has been observed to enhance stealth through encrypted communication, obfuscated payloads, and in-memory execution. The development follows recent operations by Lazarus, another North Korea-linked group, that deployed updated remote-access trojans.
Analyst note: Kimsuky and Lazarus deploying seemingly new and improved malware strains in recent times likely points toward North Korea trying to establish long-term espionage and intelligence collection against its targets. In the near future, these strains could be used against other global targets as the nation expands its espionage network.
Geopolitical Focus: Espionage, Disasters, and Political Unrest
- A federal jury found a former fiber laser expert guilty of economic espionage and theft of trade secrets for stealing sensitive defense research and attempting to exploit it for a business venture in China.
- Tanzania faced a nationwide internet blackout starting on October 29, coinciding with a disputed election. The outage lasted five days and was lifted only after the new leader was sworn in.
- Investigators have recovered the black boxes from the UPS cargo plane that crashed near Louisville, Kentucky, killing at least 12 people, including three crew members and nine on the ground. A member of the National Transportation Safety Board (NTSB) confirmed that flames were seen near the left wing shortly before one of the aircraft’s engines detached as it accelerated down the runway.
- Typhoon Kalmaegi hit the central Philippines, particularly Cebu province, causing severe flooding and damage to homes and infrastructure. At least 114 people were killed and 127 remain missing. The region was still recovering from a September earthquake, which worsened the storm’s impact.
- Three individuals were charged for allegedly conspiring to smuggle dangerous biological materials, specifically a crop-devastating fungus and other pathogens, into the United States for research at a U.S. university lab.
DEEP AND DARK WEB INTELLIGENCE
HAEA data breach: Hyundai AutoEver America (HAEA) suffered a data breach after unauthorized access to its systems between February 22 and March 2, 2025. The incident exposed sensitive personal data, including names, Social Security numbers (SSNs), and driver’s license details. The company has notified affected individuals and offered identity protection services. The compromise of such data will likely put affected individuals at risk of identity theft, financial fraud, and targeted attacks.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-48703: Threat actors are reportedly actively exploiting this remote command execution flaw in CentOS Web Panel, enabling unauthenticated attackers to run arbitrary commands. CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. Threat actors are likely to exploit this vulnerability, through remote command execution, to gain full control over affected devices and pivot to other dependencies in the supply chain.
Affected products: All CentOS Web Panel versions before 0.9.8.1204
Tags: DIB, tlp:green