ZeroFox Daily Intelligence Brief - November 10, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Spyware Campaign Leveraged Samsung Zero-Day in Middle East Attacks
- Data Breach at China’s Knownsec Exposes State-Linked Cyber Operations
- Fake “0-Day” Emails Lure Crypto Users to Execute Malicious JavaScript
Spyware Campaign Leveraged Samsung Zero-Day in Middle East Attacks
Source: https://www.darkreading.com/mobile-security/landfall-malware-targeted-samsung-galaxy-users
What we know: A now-patched zero-day vulnerability (CVE-2025-21042) in Samsung’s Android image processing library was reportedly exploited to deploy a commercial-grade spyware tool, dubbed “Landfall,” targeting Samsung Galaxy users in Iraq, Iran, Turkey, and Morocco.
Context: The campaign operated from mid-2024 until April 2025. The spyware enables operators to record conversations, collect contacts and call logs, track device locations, capture photos, and perform other surveillance without detection. It was delivered through specially crafted Digital Negative (DNG) image files sent via WhatsApp.
Analyst note: Similar iOS attacks around the same time likely indicate a broader, coordinated surveillance campaign exploiting image-processing flaws across mobile platforms. Researchers suspect the United Arab Emirates (UAE) government is behind the campaign, as Landfall’s command and control (C2) infrastructure overlaps with that of the UAE-linked group Stealth Falcon.
Data Breach at China’s Knownsec Exposes State-Linked Cyber Operations
Source: https://www.theregister.com/2025/11/09/asia_tech_news_roundup/
What we know: Chinese cybersecurity company Knownsec, reportedly associated with Beijing and the Chinese military, has suffered a major data breach. The threat actors posted the breached data online, and it was subsequently removed. However, it is suspected to have resurfaced on dark web platforms.
Context: The breach exposed over 12,000 classified documents detailing Chinese state-owned cyber weapons, global hacking targets, and remote access trojans (RATs), including Android malware targeting popular messaging apps. Leaked data also included records stolen from India, South Korea, and Taiwan, and a spreadsheet listing 80 overseas targets.
Analyst note: The leaked data likely includes detailed information such as sensitive government targets and IP addresses, which would enable threat actors to target and exploit any exposed systems and maintain long-term persistence for future attacks.
Fake “0-Day” Emails Lure Crypto Users to Execute Malicious JavaScript
Source: https://hackread.com/fake-0-day-exploit-emails-crypto-malicious-code/
What we know: A JavaScript-based scam targeted Swapzone[.]io users by sending spoofed emails and a Google Docs guide that instructed victims to paste a javascript: snippet into their browser. The snippet fetched a hidden payload that faked higher returns and silently swapped recipient wallet addresses to the attacker’s.
Context: Scammers pushed messages about a supposed “0-day glitch/0-day exploit” and a “100% working profit trick,” urging people to act before it was “patched.” They used anonymous relays and posted on private cybercrime forums; researchers saw over 100 such messages in 48 hours.
Analyst note: This technique turns a social-engineering prompt into immediate theft by getting victims to run code in their own browsers, making attacks cheap for cybercriminals. If replicated widely, many users could lose funds quickly, and attackers could scale the theft using the same ready-made scripts and guides.
DEEP AND DARK WEB INTELLIGENCE
San Joaquin County Superior Court data breach: The Superior Court of California for the County of San Joaquin has confirmed a data breach linked to an “unauthorized” access of the court’s computer network in October 2024. Attackers stole data including Social Security numbers (SSNs), credit card numbers, and driver’s license numbers. Since the court is offering identity protection and credit monitoring services to those impacted, it is likely that the data is still in the hands of the attackers. Exposed individuals are likely to be targeted in credit card fraud, impersonation, phishing, and social engineering attacks.
VULNERABILITY AND EXPLOIT INTELLIGENCE
Chrome 142 patches vulnerabilities: Google Chrome version 142 has patched five vulnerabilities, including three high-severity flaws such as an out-of-bounds write in the WebGPU API (CVE-2025-12725) and memory-corruption bugs in the V8 engine and the Views framework. No active exploitation has been reported yet. However, on unpatched versions these flaws could enable attackers to execute arbitrary code, crash the browser, or escape the sandbox, potentially leading to system compromise through malicious websites or advertisements.
Affected products: The affected products are listed in this advisory.
Tags: DIB, tlp:green